authorRene Mayrhofer <rene@mayrhofer.eu.org>2007-04-12 20:30:08 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2007-04-12 20:30:08 +0000
commitb0d8ed94fe9e74afb49fdf5f11e4add29879c65c (patch)
treeb20167235628771046e940a82a906a6d0991ee4a
parentea939d07c84d2a8e51215458063fc05e9c399290 (diff)
[svn-upgrade] Integrating new upstream version, strongswan (4.1.1)
-rw-r--r--AUTHORS (renamed from lib/liblwres/config.h)0
-rw-r--r--CREDITS3
-rw-r--r--ChangeLog1079
-rw-r--r--Doxyfile.in220
-rw-r--r--INSTALL305
-rw-r--r--LICENSE33
-rw-r--r--Makefile602
-rw-r--r--Makefile.am15
-rw-r--r--Makefile.in638
-rw-r--r--Makefile.inc330
-rw-r--r--Makefile.ver1
-rw-r--r--NEWS (renamed from CHANGES)255
-rw-r--r--README2
-rw-r--r--TODO69
-rw-r--r--aclocal.m47324
-rwxr-xr-xconfig.guess1519
-rwxr-xr-xconfig.sub1626
-rwxr-xr-xconfigure23369
-rw-r--r--configure.in240
-rwxr-xr-xdepcomp530
-rwxr-xr-xinstall-sh323
-rw-r--r--lib/.cvsignore2
-rw-r--r--lib/COPYING.LIB481
-rw-r--r--lib/Makefile40
-rw-r--r--lib/Makefile.kernel65
-rw-r--r--lib/README3
-rw-r--r--lib/libcrypto/libaes/Makefile40
-rw-r--r--lib/libcrypto/libaes/asm/aes-i586.S892
-rw-r--r--lib/libcrypto/libaes/test_main.c41
-rw-r--r--lib/libcrypto/libaes/test_main_mac.c30
-rw-r--r--lib/libcrypto/libblowfish/COPYRIGHT46
-rw-r--r--lib/libcrypto/libblowfish/INSTALL14
-rw-r--r--lib/libcrypto/libblowfish/Makefile121
-rw-r--r--lib/libcrypto/libblowfish/Makefile.ssl118
-rw-r--r--lib/libcrypto/libblowfish/README8
-rw-r--r--lib/libcrypto/libblowfish/VERSION6
-rw-r--r--lib/libcrypto/libblowfish/asm/bf-586.pl136
-rw-r--r--lib/libcrypto/libblowfish/asm/bf-686.pl127
-rw-r--r--lib/libcrypto/libblowfish/asm/readme10
-rw-r--r--lib/libcrypto/libserpent/Makefile20
-rw-r--r--lib/libcrypto/libserpent/test_main.c34
-rw-r--r--lib/libcrypto/libsha2/Makefile21
-rw-r--r--lib/libcrypto/libtwofish/Makefile21
-rw-r--r--lib/libcrypto/libtwofish/test_main.c34
-rw-r--r--lib/libcrypto/perlasm/LICENSE127
-rw-r--r--lib/libcrypto/perlasm/alpha.pl434
-rw-r--r--lib/libcrypto/perlasm/cbc.pl342
-rw-r--r--lib/libcrypto/perlasm/readme124
-rw-r--r--lib/libcrypto/perlasm/version5
-rw-r--r--lib/libcrypto/perlasm/x86asm.pl118
-rw-r--r--lib/libcrypto/perlasm/x86ms.pl365
-rw-r--r--lib/libcrypto/perlasm/x86nasm.pl366
-rw-r--r--lib/libcrypto/perlasm/x86unix.pl472
-rw-r--r--lib/libdes/.cvsignore3
-rw-r--r--lib/libdes/Makefile245
-rw-r--r--lib/libfreeswan/.cvsignore9
-rw-r--r--lib/libfreeswan/Makefile176
-rw-r--r--lib/libipsecpolicy/.cvsignore1
-rw-r--r--lib/libipsecpolicy/Makefile96
-rw-r--r--lib/libipsecpolicy/cgipolicy.c77
-rw-r--r--lib/libipsecpolicy/libipsecpolicy.h4
-rw-r--r--lib/libipsecpolicy/policyquery.c167
-rw-r--r--lib/libipsecpolicy/version.in.c38
-rw-r--r--lib/liblwres/Makefile73
-rw-r--r--lib/liblwres/api3
-rw-r--r--lib/liblwres/assert_p.h33
-rw-r--r--lib/liblwres/async.c361
-rw-r--r--lib/liblwres/context.c380
-rw-r--r--lib/liblwres/context_p.h68
-rw-r--r--lib/liblwres/gai_strerror.c52
-rw-r--r--lib/liblwres/getaddrinfo.c692
-rw-r--r--lib/liblwres/gethost.c219
-rw-r--r--lib/liblwres/getipnode.c839
-rw-r--r--lib/liblwres/getnameinfo.c289
-rw-r--r--lib/liblwres/getrrset.c211
-rw-r--r--lib/liblwres/getrrset2.c97
-rw-r--r--lib/liblwres/herror.c101
-rw-r--r--lib/liblwres/include/lwres/async.h78
-rw-r--r--lib/liblwres/include/lwres/context.h133
-rw-r--r--lib/liblwres/include/lwres/int.h32
-rw-r--r--lib/liblwres/include/lwres/ipv6.h118
-rw-r--r--lib/liblwres/include/lwres/lang.h31
-rw-r--r--lib/liblwres/include/lwres/list.h119
-rw-r--r--lib/liblwres/include/lwres/lwbuffer.h402
-rw-r--r--lib/liblwres/include/lwres/lwpacket.h124
-rw-r--r--lib/liblwres/include/lwres/lwres.h584
-rw-r--r--lib/liblwres/include/lwres/netdb.h522
-rw-r--r--lib/liblwres/include/lwres/netdb.h.in518
-rw-r--r--lib/liblwres/include/lwres/platform.h91
-rw-r--r--lib/liblwres/include/lwres/platform.h.in91
-rw-r--r--lib/liblwres/include/lwres/result.h40
-rw-r--r--lib/liblwres/lwbuffer.c287
-rw-r--r--lib/liblwres/lwconfig.c703
-rw-r--r--lib/liblwres/lwinetaton.c203
-rw-r--r--lib/liblwres/lwinetntop.c191
-rw-r--r--lib/liblwres/lwinetpton.c206
-rw-r--r--lib/liblwres/lwpacket.c85
-rw-r--r--lib/liblwres/lwres_gabn.c415
-rw-r--r--lib/liblwres/lwres_gnba.c328
-rw-r--r--lib/liblwres/lwres_grbn.c416
-rw-r--r--lib/liblwres/lwres_noop.c255
-rw-r--r--lib/liblwres/lwresutil.c491
-rw-r--r--lib/liblwres/man/Makefile.in232
-rw-r--r--lib/liblwres/man/lwres.3158
-rw-r--r--lib/liblwres/man/lwres.docbook244
-rw-r--r--lib/liblwres/man/lwres.html444
-rw-r--r--lib/liblwres/man/lwres_buffer.3277
-rw-r--r--lib/liblwres/man/lwres_buffer.docbook378
-rw-r--r--lib/liblwres/man/lwres_buffer.html608
-rw-r--r--lib/liblwres/man/lwres_config.3105
-rw-r--r--lib/liblwres/man/lwres_config.docbook159
-rw-r--r--lib/liblwres/man/lwres_config.html295
-rw-r--r--lib/liblwres/man/lwres_context.3194
-rw-r--r--lib/liblwres/man/lwres_context.docbook283
-rw-r--r--lib/liblwres/man/lwres_context.html519
-rw-r--r--lib/liblwres/man/lwres_gabn.3193
-rw-r--r--lib/liblwres/man/lwres_gabn.docbook255
-rw-r--r--lib/liblwres/man/lwres_gabn.html442
-rw-r--r--lib/liblwres/man/lwres_gai_strerror.386
-rw-r--r--lib/liblwres/man/lwres_gai_strerror.docbook161
-rw-r--r--lib/liblwres/man/lwres_gai_strerror.html294
-rw-r--r--lib/liblwres/man/lwres_getaddrinfo.3247
-rw-r--r--lib/liblwres/man/lwres_getaddrinfo.docbook372
-rw-r--r--lib/liblwres/man/lwres_getaddrinfo.html722
-rw-r--r--lib/liblwres/man/lwres_gethostent.3270
-rw-r--r--lib/liblwres/man/lwres_gethostent.docbook407
-rw-r--r--lib/liblwres/man/lwres_gethostent.html827
-rw-r--r--lib/liblwres/man/lwres_getipnode.3187
-rw-r--r--lib/liblwres/man/lwres_getipnode.docbook307
-rw-r--r--lib/liblwres/man/lwres_getipnode.html529
-rw-r--r--lib/liblwres/man/lwres_getnameinfo.384
-rw-r--r--lib/liblwres/man/lwres_getnameinfo.docbook154
-rw-r--r--lib/liblwres/man/lwres_getnameinfo.html303
-rw-r--r--lib/liblwres/man/lwres_getrrsetbyname.3142
-rw-r--r--lib/liblwres/man/lwres_getrrsetbyname.docbook208
-rw-r--r--lib/liblwres/man/lwres_getrrsetbyname.html371
-rw-r--r--lib/liblwres/man/lwres_gnba.3186
-rw-r--r--lib/liblwres/man/lwres_gnba.docbook259
-rw-r--r--lib/liblwres/man/lwres_gnba.html408
-rw-r--r--lib/liblwres/man/lwres_hstrerror.367
-rw-r--r--lib/liblwres/man/lwres_hstrerror.docbook124
-rw-r--r--lib/liblwres/man/lwres_hstrerror.html242
-rw-r--r--lib/liblwres/man/lwres_inetntop.352
-rw-r--r--lib/liblwres/man/lwres_inetntop.docbook99
-rw-r--r--lib/liblwres/man/lwres_inetntop.html186
-rw-r--r--lib/liblwres/man/lwres_noop.3160
-rw-r--r--lib/liblwres/man/lwres_noop.docbook229
-rw-r--r--lib/liblwres/man/lwres_noop.html409
-rw-r--r--lib/liblwres/man/lwres_packet.3149
-rw-r--r--lib/liblwres/man/lwres_packet.docbook218
-rw-r--r--lib/liblwres/man/lwres_packet.html373
-rw-r--r--lib/liblwres/man/lwres_resutil.3151
-rw-r--r--lib/liblwres/man/lwres_resutil.docbook221
-rw-r--r--lib/liblwres/man/lwres_resutil.html412
-rw-r--r--lib/liblwres/unix/include/lwres/net.h127
-rw-r--r--lib/liblwres/version.c24
-rw-r--r--linux/Documentation/Configure.help.fs2_0.patch65
-rw-r--r--linux/Documentation/Configure.help.fs2_2.patch70
-rw-r--r--linux/Documentation/Configure.help.fs2_4.patch69
-rw-r--r--linux/Makefile32
-rw-r--r--linux/README.freeswan177
-rw-r--r--linux/crypto/ciphers/des/COPYRIGHT50
-rw-r--r--linux/crypto/ciphers/des/INSTALL69
-rw-r--r--linux/crypto/ciphers/des/Makefile.objs20
-rw-r--r--linux/crypto/ciphers/des/README54
-rw-r--r--linux/crypto/ciphers/des/README.freeswan33
-rw-r--r--linux/crypto/ciphers/des/VERSION406
-rw-r--r--linux/crypto/ciphers/des/asm/crypt586.pl204
-rw-r--r--linux/crypto/ciphers/des/asm/des-586.pl251
-rw-r--r--linux/crypto/ciphers/des/asm/des686.pl230
-rw-r--r--linux/crypto/ciphers/des/asm/desboth.pl79
-rw-r--r--linux/crypto/ciphers/des/asm/perlasm/cbc.pl342
-rw-r--r--linux/crypto/ciphers/des/asm/perlasm/readme124
-rw-r--r--linux/crypto/ciphers/des/asm/perlasm/x86asm.pl111
-rw-r--r--linux/crypto/ciphers/des/asm/perlasm/x86ms.pl345
-rw-r--r--linux/crypto/ciphers/des/asm/perlasm/x86unix.pl403
-rw-r--r--linux/crypto/ciphers/des/asm/readme131
-rw-r--r--linux/crypto/ciphers/des/des.doc505
-rw-r--r--linux/crypto/ciphers/des/des_crypt.man508
-rw-r--r--linux/crypto/ciphers/des/dx86unix.S3160
-rw-r--r--linux/crypto/ciphers/des/options.txt39
-rw-r--r--linux/include/mast.h33
-rw-r--r--linux/include/zlib/zlib.h893
-rw-r--r--linux/include/zlib/zutil.h225
-rw-r--r--linux/lib/libfreeswan/Makefile.objs18
-rw-r--r--linux/lib/zlib/Makefile121
-rw-r--r--linux/lib/zlib/Makefile.objs27
-rw-r--r--linux/lib/zlib/README147
-rw-r--r--linux/lib/zlib/README.freeswan13
-rw-r--r--linux/lib/zlib/adler32.c49
-rw-r--r--linux/lib/zlib/deflate.c1351
-rw-r--r--linux/lib/zlib/deflate.h318
-rw-r--r--linux/lib/zlib/infblock.c403
-rw-r--r--linux/lib/zlib/infblock.h39
-rw-r--r--linux/lib/zlib/infcodes.c251
-rw-r--r--linux/lib/zlib/infcodes.h31
-rw-r--r--linux/lib/zlib/inffast.c183
-rw-r--r--linux/lib/zlib/inffast.h22
-rw-r--r--linux/lib/zlib/inffixed.h151
-rw-r--r--linux/lib/zlib/inflate.c368
-rw-r--r--linux/lib/zlib/inftrees.c454
-rw-r--r--linux/lib/zlib/inftrees.h63
-rw-r--r--linux/lib/zlib/infutil.c87
-rw-r--r--linux/lib/zlib/infutil.h98
-rw-r--r--linux/lib/zlib/match586.S357
-rw-r--r--linux/lib/zlib/match686.S330
-rw-r--r--linux/lib/zlib/trees.c1214
-rw-r--r--linux/lib/zlib/trees.h128
-rw-r--r--linux/lib/zlib/zconf.h309
-rw-r--r--linux/lib/zlib/zutil.c227
-rw-r--r--linux/net/Config.in.fs2_0.patch12
-rw-r--r--linux/net/Config.in.fs2_2.patch12
-rw-r--r--linux/net/Config.in.fs2_4.patch13
-rw-r--r--linux/net/Makefile.fs2_0.patch20
-rw-r--r--linux/net/Makefile.fs2_2.patch20
-rw-r--r--linux/net/Makefile.fs2_4.ipsec_alg.patch10
-rw-r--r--linux/net/Makefile.fs2_4.patch11
-rw-r--r--linux/net/include.net.sock.h.fs2_2.patch25
-rw-r--r--linux/net/include.net.sock.h.fs2_4.patch27
-rw-r--r--linux/net/ipsec/.cvsignore47
-rw-r--r--linux/net/ipsec/Config.in41
-rw-r--r--linux/net/ipsec/Makefile529
-rw-r--r--linux/net/ipsec/Makefile.algtest125
-rw-r--r--linux/net/ipsec/alg/Config.alg_aes.in3
-rw-r--r--linux/net/ipsec/alg/Config.alg_blowfish.in3
-rw-r--r--linux/net/ipsec/alg/Config.alg_cryptoapi.in3
-rw-r--r--linux/net/ipsec/alg/Config.alg_serpent.in3
-rw-r--r--linux/net/ipsec/alg/Config.alg_sha2.in3
-rw-r--r--linux/net/ipsec/alg/Config.alg_twofish.in3
-rw-r--r--linux/net/ipsec/alg/Config.in7
-rw-r--r--linux/net/ipsec/alg/Makefile112
-rw-r--r--linux/net/ipsec/alg/Makefile.alg_aes23
-rw-r--r--linux/net/ipsec/alg/Makefile.alg_blowfish23
-rw-r--r--linux/net/ipsec/alg/Makefile.alg_cryptoapi14
-rw-r--r--linux/net/ipsec/alg/Makefile.alg_serpent21
-rw-r--r--linux/net/ipsec/alg/Makefile.alg_sha222
-rw-r--r--linux/net/ipsec/alg/Makefile.alg_twofish21
-rw-r--r--linux/net/ipsec/alg/ipsec_alg_aes.c253
-rw-r--r--linux/net/ipsec/alg/ipsec_alg_blowfish.c142
-rw-r--r--linux/net/ipsec/alg/ipsec_alg_cryptoapi.c421
-rw-r--r--linux/net/ipsec/alg/ipsec_alg_serpent.c139
-rw-r--r--linux/net/ipsec/alg/ipsec_alg_sha2.c185
-rw-r--r--linux/net/ipsec/alg/ipsec_alg_twofish.c138
-rw-r--r--linux/net/ipsec/alg/scripts/mk-static_init.c.sh18
-rw-r--r--linux/net/ipsec/defconfig140
-rw-r--r--linux/net/ipsec/ipcomp.c725
-rw-r--r--linux/net/ipsec/ipsec_alg.c927
-rw-r--r--linux/net/ipsec/ipsec_init.c755
-rw-r--r--linux/net/ipsec/ipsec_life.c210
-rw-r--r--linux/net/ipsec/ipsec_mast.c1064
-rw-r--r--linux/net/ipsec/ipsec_md5c.c448
-rw-r--r--linux/net/ipsec/ipsec_proc.c1003
-rw-r--r--linux/net/ipsec/ipsec_radij.c550
-rw-r--r--linux/net/ipsec/ipsec_rcv.c2204
-rw-r--r--linux/net/ipsec/ipsec_sa.c1031
-rw-r--r--linux/net/ipsec/ipsec_sha1.c219
-rw-r--r--linux/net/ipsec/ipsec_tunnel.c1671
-rw-r--r--linux/net/ipsec/ipsec_xform.c73
-rw-r--r--linux/net/ipsec/ipsec_xmit.c1782
-rw-r--r--linux/net/ipsec/pfkey_v2.c2125
-rw-r--r--linux/net/ipsec/pfkey_v2_ext_process.c851
-rw-r--r--linux/net/ipsec/pfkey_v2_parser.c3420
-rw-r--r--linux/net/ipsec/radij.c992
-rw-r--r--linux/net/ipsec/sysctl_net_ipsec.c196
-rw-r--r--linux/net/ipsec/tagsfile.mak6
-rw-r--r--linux/net/ipv4/af_inet.c.fs2_0.patch21
-rw-r--r--linux/net/ipv4/af_inet.c.fs2_2.patch21
-rw-r--r--linux/net/ipv4/af_inet.c.fs2_4.patch21
-rw-r--r--linux/net/ipv4/udp.c.fs2_2.patch108
-rw-r--r--linux/net/ipv4/udp.c.fs2_4.patch107
-rw-r--r--ltmain.sh6971
-rwxr-xr-xmissing360
-rw-r--r--packaging/ipkg/conffiles1
-rw-r--r--packaging/ipkg/control-freeswan-module.dist8
-rw-r--r--packaging/ipkg/control-freeswan.dist8
-rw-r--r--packaging/ipkg/debian-binary1
-rwxr-xr-xpackaging/ipkg/generate-ipkg43
-rw-r--r--packaging/linus/config-all.h62
-rw-r--r--packaging/makefiles/module.make5
-rw-r--r--packaging/redhat/.cvsignore12
-rw-r--r--packaging/redhat/Makefile100
-rw-r--r--packaging/redhat/config-athlon-smp.h79
-rw-r--r--packaging/redhat/config-athlon.h79
-rw-r--r--packaging/redhat/config-i386-smp.h79
-rw-r--r--packaging/redhat/config-i386.h79
-rw-r--r--packaging/redhat/config-i586-smp.h79
-rw-r--r--packaging/redhat/config-i586-up.h79
-rw-r--r--packaging/redhat/config-i586.h79
-rw-r--r--packaging/redhat/config-i686-bigmem.h78
-rw-r--r--packaging/redhat/config-i686-smp.h79
-rw-r--r--packaging/redhat/config-i686.h79
-rw-r--r--packaging/redhat/freeswan.spec176
-rw-r--r--packaging/redhat/kernel-list.txt9
-rw-r--r--packaging/redhat/rpm.in149
-rwxr-xr-xpackaging/utils/backup80
-rwxr-xr-xpackaging/utils/branch70
-rwxr-xr-xpackaging/utils/canrel55
-rw-r--r--packaging/utils/disttools.pl357
-rwxr-xr-xpackaging/utils/errcheck40
-rw-r--r--packaging/utils/kernel.patch.gen.sh52
-rwxr-xr-xpackaging/utils/kerneldiff35
-rwxr-xr-xpackaging/utils/kernelpatch55
-rwxr-xr-xpackaging/utils/kernelversion10
-rwxr-xr-xpackaging/utils/kernelversion-short8
-rwxr-xr-xpackaging/utils/manlink74
-rwxr-xr-xpackaging/utils/maysnap41
-rwxr-xr-xpackaging/utils/maytest42
-rwxr-xr-xpackaging/utils/mkcand126
-rwxr-xr-xpackaging/utils/mkrel95
-rwxr-xr-xpackaging/utils/mksnap114
-rwxr-xr-xpackaging/utils/mvcand62
-rwxr-xr-xpackaging/utils/mvrel65
-rwxr-xr-xpackaging/utils/patcher188
-rwxr-xr-xpackaging/utils/prepcand33
-rwxr-xr-xpackaging/utils/recan17
-rwxr-xr-xpackaging/utils/setup9
-rwxr-xr-xpackaging/utils/sshenv4
-rwxr-xr-xpackaging/utils/tattle33
-rwxr-xr-xpackaging/utils/wantsnap3
-rwxr-xr-xpackaging/utils/wanttest10
-rw-r--r--programs/Makefile46
-rw-r--r--programs/Makefile.program154
-rw-r--r--programs/_confread/.cvsignore7
-rw-r--r--programs/_confread/Makefile27
-rw-r--r--programs/_confread/README.conf.V2103
-rw-r--r--programs/_confread/_confread.828
-rwxr-xr-xprograms/_confread/_confread.in520
-rw-r--r--programs/_confread/block.in8
-rw-r--r--programs/_confread/clear-or-private.in8
-rw-r--r--programs/_confread/clear.in7
-rw-r--r--programs/_confread/private-or-clear.in14
-rw-r--r--programs/_confread/private.in6
-rwxr-xr-xprograms/_confread/randomize28
-rw-r--r--programs/_copyright/.cvsignore1
-rw-r--r--programs/_copyright/Makefile44
-rw-r--r--programs/_include/.cvsignore1
-rw-r--r--programs/_include/Makefile43
-rw-r--r--programs/_include/_include.835
-rwxr-xr-xprograms/_include/_include.in102
-rw-r--r--programs/_keycensor/.cvsignore1
-rw-r--r--programs/_keycensor/Makefile43
-rw-r--r--programs/_keycensor/_keycensor.833
-rwxr-xr-xprograms/_keycensor/_keycensor.in52
-rw-r--r--programs/_plutoload/.cvsignore1
-rw-r--r--programs/_plutoload/Makefile43
-rw-r--r--programs/_plutoload/_plutoload.833
-rwxr-xr-xprograms/_plutoload/_plutoload.in164
-rw-r--r--programs/_plutorun/.cvsignore1
-rw-r--r--programs/_plutorun/Makefile43
-rw-r--r--programs/_plutorun/_plutorun.837
-rwxr-xr-xprograms/_plutorun/_plutorun.in281
-rw-r--r--programs/_realsetup/.cvsignore1
-rw-r--r--programs/_realsetup/Makefile43
-rw-r--r--programs/_realsetup/_realsetup.836
-rwxr-xr-xprograms/_realsetup/_realsetup.in456
-rw-r--r--programs/_secretcensor/.cvsignore1
-rw-r--r--programs/_secretcensor/Makefile43
-rw-r--r--programs/_secretcensor/_secretcensor.834
-rwxr-xr-xprograms/_secretcensor/_secretcensor.in75
-rw-r--r--programs/_startklips/.cvsignore1
-rw-r--r--programs/_startklips/Makefile43
-rw-r--r--programs/_startklips/_startklips.833
-rwxr-xr-xprograms/_startklips/_startklips.in367
-rw-r--r--programs/_updown/.cvsignore2
-rw-r--r--programs/_updown/Makefile22
-rw-r--r--programs/_updown_espmark/Makefile22
-rw-r--r--programs/auto/.cvsignore1
-rw-r--r--programs/auto/Makefile21
-rw-r--r--programs/auto/auto.8481
-rwxr-xr-xprograms/auto/auto.in660
-rw-r--r--programs/barf/.cvsignore1
-rw-r--r--programs/barf/Makefile38
-rw-r--r--programs/barf/barf.884
-rwxr-xr-xprograms/barf/barf.in296
-rw-r--r--programs/calcgoo/.cvsignore1
-rw-r--r--programs/calcgoo/Makefile41
-rw-r--r--programs/calcgoo/calcgoo.831
-rw-r--r--programs/calcgoo/calcgoo.in43
-rw-r--r--programs/eroute/.cvsignore1
-rw-r--r--programs/eroute/Makefile52
-rw-r--r--programs/eroute/eroute.5272
-rw-r--r--programs/eroute/eroute.8354
-rw-r--r--programs/eroute/eroute.c1044
-rw-r--r--programs/examples/Makefile22
-rw-r--r--programs/examples/oe.conf.in68
-rw-r--r--programs/ikeping/.cvsignore1
-rw-r--r--programs/ikeping/Makefile57
-rw-r--r--programs/ikeping/ikeping.871
-rw-r--r--programs/ikeping/ikeping.c483
-rw-r--r--programs/ipsec/.cvsignore1
-rw-r--r--programs/ipsec/Makefile28
-rw-r--r--programs/ipsec/distro.txt1
-rw-r--r--programs/klipsdebug/.cvsignore1
-rw-r--r--programs/klipsdebug/Makefile80
-rw-r--r--programs/klipsdebug/klipsdebug.5138
-rw-r--r--programs/klipsdebug/klipsdebug.8164
-rw-r--r--programs/klipsdebug/klipsdebug.c436
-rw-r--r--programs/look/.cvsignore1
-rw-r--r--programs/look/Makefile38
-rw-r--r--programs/look/look.845
-rwxr-xr-xprograms/look/look.in87
-rw-r--r--programs/lwdnsq/.cvsignore4
-rw-r--r--programs/lwdnsq/CONTRACT.txt106
-rw-r--r--programs/lwdnsq/Makefile96
-rw-r--r--programs/lwdnsq/cmds.c351
-rw-r--r--programs/lwdnsq/lookup.c632
-rw-r--r--programs/lwdnsq/lwdnsq.8250
-rw-r--r--programs/lwdnsq/lwdnsq.c506
-rw-r--r--programs/lwdnsq/lwdnsq.h121
-rw-r--r--programs/lwdnsq/lwdnsq.xml.in446
-rw-r--r--programs/lwdnsq/states.fig66
-rw-r--r--programs/lwdnsq/states.pngbin6756 -> 0 bytes
-rw-r--r--programs/mailkey/.cvsignore1
-rw-r--r--programs/mailkey/Makefile41
-rw-r--r--programs/mailkey/mailkey.847
-rwxr-xr-xprograms/mailkey/mailkey.in241
-rw-r--r--programs/manual/.cvsignore1
-rw-r--r--programs/manual/Makefile38
-rw-r--r--programs/manual/manual.8267
-rwxr-xr-xprograms/manual/manual.in637
-rw-r--r--programs/openac/Makefile162
-rw-r--r--programs/pf_key/.cvsignore1
-rw-r--r--programs/pf_key/Makefile49
-rw-r--r--programs/pf_key/pf_key.5122
-rw-r--r--programs/pf_key/pf_key.873
-rw-r--r--programs/pf_key/pf_key.c353
-rw-r--r--programs/pluto/.cvsignore3
-rw-r--r--programs/pluto/Makefile1090
-rw-r--r--programs/pluto/PLUTO-CONVENTIONS127
-rw-r--r--programs/pluto/alg/Config.ike_alg9
-rw-r--r--programs/pluto/alg/Makefile93
-rw-r--r--programs/pluto/alg/Makefile.ike_alg_aes14
-rw-r--r--programs/pluto/alg/Makefile.ike_alg_blowfish13
-rw-r--r--programs/pluto/alg/Makefile.ike_alg_serpent13
-rw-r--r--programs/pluto/alg/Makefile.ike_alg_sha213
-rw-r--r--programs/pluto/alg/Makefile.ike_alg_twofish13
-rw-r--r--programs/pluto/pluto-style.el4
-rw-r--r--programs/pluto/routing.txt331
-rw-r--r--programs/proc/Makefile51
-rw-r--r--programs/proc/trap_count.535
-rw-r--r--programs/proc/trap_sendcount.533
-rw-r--r--programs/proc/version.554
-rw-r--r--programs/ranbits/.cvsignore1
-rw-r--r--programs/ranbits/Makefile39
-rw-r--r--programs/ranbits/ranbits.877
-rw-r--r--programs/ranbits/ranbits.c146
-rw-r--r--programs/rsasigkey/.cvsignore1
-rw-r--r--programs/rsasigkey/Makefile39
-rw-r--r--programs/rsasigkey/rsasigkey.8259
-rw-r--r--programs/rsasigkey/rsasigkey.c573
-rw-r--r--programs/scepclient/Makefile192
-rw-r--r--programs/secrets/Makefile38
-rw-r--r--programs/secrets/secrets.820
-rw-r--r--programs/secrets/secrets.in18
-rw-r--r--programs/send-pr/.cvsignore1
-rw-r--r--programs/send-pr/Makefile39
-rw-r--r--programs/send-pr/ipsec_pr.template54
-rw-r--r--programs/send-pr/send-pr.8291
-rwxr-xr-xprograms/send-pr/send-pr.in643
-rw-r--r--programs/setup/.cvsignore1
-rw-r--r--programs/setup/Makefile22
-rw-r--r--programs/setup/setup.8142
-rwxr-xr-xprograms/setup/setup.in162
-rw-r--r--programs/showdefaults/.cvsignore1
-rw-r--r--programs/showdefaults/Makefile38
-rw-r--r--programs/showdefaults/showdefaults.834
-rwxr-xr-xprograms/showdefaults/showdefaults.in33
-rw-r--r--programs/showhostkey/.cvsignore1
-rw-r--r--programs/showhostkey/Makefile38
-rw-r--r--programs/showhostkey/showhostkey.8168
-rwxr-xr-xprograms/showhostkey/showhostkey.in180
-rw-r--r--programs/showpolicy/.cvsignore1
-rw-r--r--programs/showpolicy/Makefile38
-rw-r--r--programs/showpolicy/showpolicy.841
-rw-r--r--programs/showpolicy/showpolicy.c251
-rw-r--r--programs/spi/.cvsignore1
-rw-r--r--programs/spi/Makefile69
-rw-r--r--programs/spi/spi.5213
-rw-r--r--programs/spi/spi.8525
-rw-r--r--programs/spi/spi.c1689
-rw-r--r--programs/spigrp/.cvsignore1
-rw-r--r--programs/spigrp/Makefile52
-rw-r--r--programs/spigrp/spigrp.5116
-rw-r--r--programs/spigrp/spigrp.8174
-rw-r--r--programs/spigrp/spigrp.c491
-rw-r--r--programs/starter/Makefile182
-rw-r--r--programs/starter/confread.c908
-rw-r--r--programs/starter/klips.c134
-rw-r--r--programs/starter/parser.output351
-rw-r--r--programs/starter/starter.80
-rw-r--r--programs/tncfg/.cvsignore1
-rw-r--r--programs/tncfg/Makefile52
-rw-r--r--programs/tncfg/tncfg.5109
-rw-r--r--programs/tncfg/tncfg.8113
-rw-r--r--programs/tncfg/tncfg.c393
-rw-r--r--src/Makefile.am1
-rw-r--r--src/Makefile.in497
-rw-r--r--src/_copyright/Makefile.am6
-rw-r--r--src/_copyright/Makefile.in529
-rw-r--r--src/_copyright/_copyright.8 (renamed from programs/_copyright/_copyright.8)0
-rw-r--r--src/_copyright/_copyright.c (renamed from programs/_copyright/_copyright.c)0
-rw-r--r--src/_updown/Makefile.am3
-rw-r--r--src/_updown/Makefile.in421
-rwxr-xr-xsrc/_updown/_updown (renamed from programs/_updown/_updown.in)0
-rw-r--r--src/_updown/_updown.8 (renamed from programs/_updown/_updown.8)0
-rw-r--r--src/_updown_espmark/Makefile.am2
-rw-r--r--src/_updown_espmark/Makefile.in421
-rw-r--r--src/_updown_espmark/_updown_espmark (renamed from programs/_updown_espmark/_updown_espmark.in)0
-rw-r--r--src/_updown_espmark/_updown_espmark.8 (renamed from programs/_updown_espmark/_updown_espmark.8)0
-rw-r--r--src/charon/Makefile.am87
-rw-r--r--src/charon/Makefile.in1878
-rw-r--r--src/charon/bus/bus.c397
-rw-r--r--src/charon/bus/bus.h366
-rw-r--r--src/charon/bus/listeners/file_logger.c128
-rw-r--r--src/charon/bus/listeners/file_logger.h73
-rw-r--r--src/charon/bus/listeners/sys_logger.c131
-rw-r--r--src/charon/bus/listeners/sys_logger.h75
-rwxr-xr-xsrc/charon/config/configuration.c162
-rwxr-xr-xsrc/charon/config/configuration.h102
-rw-r--r--src/charon/config/connections/connection.c404
-rw-r--r--src/charon/config/connections/connection.h292
-rwxr-xr-xsrc/charon/config/connections/connection_store.h118
-rw-r--r--src/charon/config/connections/local_connection_store.c237
-rw-r--r--src/charon/config/connections/local_connection_store.h62
-rw-r--r--src/charon/config/credentials/local_credential_store.c1363
-rw-r--r--src/charon/config/credentials/local_credential_store.h64
-rw-r--r--src/charon/config/policies/local_policy_store.c282
-rw-r--r--src/charon/config/policies/local_policy_store.h60
-rw-r--r--src/charon/config/policies/policy.c635
-rw-r--r--src/charon/config/policies/policy.h413
-rwxr-xr-xsrc/charon/config/policies/policy_store.h119
-rw-r--r--src/charon/config/proposal.c641
-rw-r--r--src/charon/config/proposal.h266
-rw-r--r--src/charon/config/traffic_selector.c795
-rw-r--r--src/charon/config/traffic_selector.h312
-rw-r--r--src/charon/daemon.c529
-rw-r--r--src/charon/daemon.h403
-rw-r--r--src/charon/encoding/generator.c1063
-rw-r--r--src/charon/encoding/generator.h102
-rw-r--r--src/charon/encoding/message.c1316
-rw-r--r--src/charon/encoding/message.h390
-rw-r--r--src/charon/encoding/parser.c1048
-rw-r--r--src/charon/encoding/parser.h95
-rw-r--r--src/charon/encoding/payloads/auth_payload.c265
-rw-r--r--src/charon/encoding/payloads/auth_payload.h121
-rw-r--r--src/charon/encoding/payloads/cert_payload.c290
-rw-r--r--src/charon/encoding/payloads/cert_payload.h166
-rw-r--r--src/charon/encoding/payloads/certreq_payload.c335
-rw-r--r--src/charon/encoding/payloads/certreq_payload.h144
-rw-r--r--src/charon/encoding/payloads/configuration_attribute.c313
-rw-r--r--src/charon/encoding/payloads/configuration_attribute.h147
-rw-r--r--src/charon/encoding/payloads/cp_payload.c277
-rw-r--r--src/charon/encoding/payloads/cp_payload.h132
-rw-r--r--src/charon/encoding/payloads/delete_payload.c299
-rw-r--r--src/charon/encoding/payloads/delete_payload.h102
-rw-r--r--src/charon/encoding/payloads/eap_payload.c331
-rw-r--r--src/charon/encoding/payloads/eap_payload.h149
-rw-r--r--src/charon/encoding/payloads/encodings.c66
-rw-r--r--src/charon/encoding/payloads/encodings.h537
-rw-r--r--src/charon/encoding/payloads/encryption_payload.c646
-rw-r--r--src/charon/encoding/payloads/encryption_payload.h197
-rw-r--r--src/charon/encoding/payloads/id_payload.c323
-rw-r--r--src/charon/encoding/payloads/id_payload.h172
-rw-r--r--src/charon/encoding/payloads/ike_header.c406
-rw-r--r--src/charon/encoding/payloads/ike_header.h260
-rw-r--r--src/charon/encoding/payloads/ke_payload.c277
-rw-r--r--src/charon/encoding/payloads/ke_payload.h121
-rw-r--r--src/charon/encoding/payloads/nonce_payload.c232
-rw-r--r--src/charon/encoding/payloads/nonce_payload.h99
-rw-r--r--src/charon/encoding/payloads/notify_payload.c481
-rw-r--r--src/charon/encoding/payloads/notify_payload.h224
-rw-r--r--src/charon/encoding/payloads/payload.c161
-rw-r--r--src/charon/encoding/payloads/payload.h282
-rw-r--r--src/charon/encoding/payloads/proposal_substructure.c603
-rw-r--r--src/charon/encoding/payloads/proposal_substructure.h206
-rw-r--r--src/charon/encoding/payloads/sa_payload.c375
-rw-r--r--src/charon/encoding/payloads/sa_payload.h141
-rw-r--r--src/charon/encoding/payloads/traffic_selector_substructure.c283
-rw-r--r--src/charon/encoding/payloads/traffic_selector_substructure.h172
-rw-r--r--src/charon/encoding/payloads/transform_attribute.c332
-rw-r--r--src/charon/encoding/payloads/transform_attribute.h154
-rw-r--r--src/charon/encoding/payloads/transform_substructure.c409
-rw-r--r--src/charon/encoding/payloads/transform_substructure.h198
-rw-r--r--src/charon/encoding/payloads/ts_payload.c341
-rw-r--r--src/charon/encoding/payloads/ts_payload.h153
-rw-r--r--src/charon/encoding/payloads/unknown_payload.c208
-rw-r--r--src/charon/encoding/payloads/unknown_payload.h95
-rw-r--r--src/charon/encoding/payloads/vendor_id_payload.c228
-rw-r--r--src/charon/encoding/payloads/vendor_id_payload.h104
-rw-r--r--src/charon/network/packet.c168
-rw-r--r--src/charon/network/packet.h134
-rw-r--r--src/charon/network/socket.c755
-rw-r--r--src/charon/network/socket.h112
-rw-r--r--src/charon/queues/event_queue.c290
-rw-r--r--src/charon/queues/event_queue.h118
-rw-r--r--src/charon/queues/job_queue.c139
-rw-r--r--src/charon/queues/job_queue.h100
-rw-r--r--src/charon/queues/jobs/acquire_job.c98
-rw-r--r--src/charon/queues/jobs/acquire_job.h60
-rw-r--r--src/charon/queues/jobs/delete_child_sa_job.c113
-rw-r--r--src/charon/queues/jobs/delete_child_sa_job.h68
-rw-r--r--src/charon/queues/jobs/delete_ike_sa_job.c126
-rw-r--r--src/charon/queues/jobs/delete_ike_sa_job.h66
-rw-r--r--src/charon/queues/jobs/initiate_job.c112
-rw-r--r--src/charon/queues/jobs/initiate_job.h61
-rw-r--r--src/charon/queues/jobs/job.c (renamed from programs/starter/klips.h)37
-rw-r--r--src/charon/queues/jobs/job.h165
-rw-r--r--src/charon/queues/jobs/process_message_job.c106
-rw-r--r--src/charon/queues/jobs/process_message_job.h58
-rw-r--r--src/charon/queues/jobs/rekey_child_sa_job.c112
-rw-r--r--src/charon/queues/jobs/rekey_child_sa_job.h65
-rw-r--r--src/charon/queues/jobs/rekey_ike_sa_job.c120
-rw-r--r--src/charon/queues/jobs/rekey_ike_sa_job.h60
-rw-r--r--src/charon/queues/jobs/retransmit_job.c109
-rw-r--r--src/charon/queues/jobs/retransmit_job.h64
-rw-r--r--src/charon/queues/jobs/route_job.c125
-rw-r--r--src/charon/queues/jobs/route_job.h59
-rw-r--r--src/charon/queues/jobs/send_dpd_job.c110
-rw-r--r--src/charon/queues/jobs/send_dpd_job.h68
-rw-r--r--src/charon/queues/jobs/send_keepalive_job.c103
-rw-r--r--src/charon/queues/jobs/send_keepalive_job.h67
-rw-r--r--src/charon/sa/authenticators/authenticator.c56
-rw-r--r--src/charon/sa/authenticators/authenticator.h139
-rw-r--r--src/charon/sa/authenticators/eap/eap_identity.c135
-rw-r--r--src/charon/sa/authenticators/eap/eap_identity.h59
-rw-r--r--src/charon/sa/authenticators/eap/eap_method.c245
-rw-r--r--src/charon/sa/authenticators/eap/eap_method.h242
-rw-r--r--src/charon/sa/authenticators/eap/eap_sim.c703
-rw-r--r--src/charon/sa/authenticators/eap/eap_sim.h141
-rw-r--r--src/charon/sa/authenticators/eap_authenticator.c360
-rw-r--r--src/charon/sa/authenticators/eap_authenticator.h156
-rw-r--r--src/charon/sa/authenticators/psk_authenticator.c204
-rw-r--r--src/charon/sa/authenticators/psk_authenticator.h57
-rw-r--r--src/charon/sa/authenticators/rsa_authenticator.c180
-rw-r--r--src/charon/sa/authenticators/rsa_authenticator.h57
-rw-r--r--src/charon/sa/child_sa.c1130
-rw-r--r--src/charon/sa/child_sa.h298
-rw-r--r--src/charon/sa/ike_sa.c2032
-rw-r--r--src/charon/sa/ike_sa.h649
-rw-r--r--src/charon/sa/ike_sa_id.c215
-rw-r--r--src/charon/sa/ike_sa_id.h147
-rw-r--r--src/charon/sa/ike_sa_manager.c914
-rw-r--r--src/charon/sa/ike_sa_manager.h231
-rw-r--r--src/charon/sa/task_manager.c854
-rw-r--r--src/charon/sa/task_manager.h144
-rw-r--r--src/charon/sa/tasks/child_create.c804
-rw-r--r--src/charon/sa/tasks/child_create.h88
-rw-r--r--src/charon/sa/tasks/child_delete.c292
-rw-r--r--src/charon/sa/tasks/child_delete.h66
-rw-r--r--src/charon/sa/tasks/child_rekey.c346
-rw-r--r--src/charon/sa/tasks/child_rekey.h70
-rw-r--r--src/charon/sa/tasks/ike_auth.c750
-rw-r--r--src/charon/sa/tasks/ike_auth.h64
-rw-r--r--src/charon/sa/tasks/ike_cert.c370
-rw-r--r--src/charon/sa/tasks/ike_cert.h61
-rw-r--r--src/charon/sa/tasks/ike_config.c428
-rw-r--r--src/charon/sa/tasks/ike_config.h59
-rw-r--r--src/charon/sa/tasks/ike_delete.c172
-rw-r--r--src/charon/sa/tasks/ike_delete.h57
-rw-r--r--src/charon/sa/tasks/ike_dpd.c106
-rw-r--r--src/charon/sa/tasks/ike_dpd.h58
-rw-r--r--src/charon/sa/tasks/ike_init.c598
-rw-r--r--src/charon/sa/tasks/ike_init.h68
-rw-r--r--src/charon/sa/tasks/ike_natd.c371
-rw-r--r--src/charon/sa/tasks/ike_natd.h57
-rw-r--r--src/charon/sa/tasks/ike_rekey.c329
-rw-r--r--src/charon/sa/tasks/ike_rekey.h69
-rw-r--r--src/charon/sa/tasks/task.c38
-rw-r--r--src/charon/sa/tasks/task.h151
-rw-r--r--src/charon/threads/kernel_interface.c1964
-rw-r--r--src/charon/threads/kernel_interface.h331
-rw-r--r--src/charon/threads/receiver.c372
-rw-r--r--src/charon/threads/receiver.h81
-rw-r--r--src/charon/threads/scheduler.c102
-rw-r--r--src/charon/threads/scheduler.h68
-rw-r--r--src/charon/threads/sender.c149
-rw-r--r--src/charon/threads/sender.h74
-rwxr-xr-xsrc/charon/threads/stroke_interface.c1456
-rw-r--r--src/charon/threads/stroke_interface.h61
-rw-r--r--src/charon/threads/thread_pool.c181
-rw-r--r--src/charon/threads/thread_pool.h87
-rw-r--r--src/ipsec/Makefile.am16
-rw-r--r--src/ipsec/Makefile.in434
-rw-r--r--src/ipsec/ipsec.8 (renamed from programs/ipsec/ipsec.8)14
-rwxr-xr-xsrc/ipsec/ipsec.in (renamed from programs/ipsec/ipsec.in)183
-rw-r--r--src/libcrypto/Makefile.am11
-rw-r--r--src/libcrypto/Makefile.in761
-rw-r--r--src/libcrypto/include/cbc_generic.h (renamed from lib/libcrypto/include/cbc_generic.h)0
-rw-r--r--src/libcrypto/include/hmac_generic.h (renamed from lib/libcrypto/include/hmac_generic.h)0
-rw-r--r--src/libcrypto/include/md32_common.h (renamed from lib/libcrypto/include/md32_common.h)0
-rw-r--r--src/libcrypto/libaes/aes.c (renamed from lib/libcrypto/libaes/aes.c)0
-rw-r--r--src/libcrypto/libaes/aes.h (renamed from lib/libcrypto/libaes/aes.h)0
-rw-r--r--src/libcrypto/libaes/aes_cbc.c (renamed from lib/libcrypto/libaes/aes_cbc.c)0
-rw-r--r--src/libcrypto/libaes/aes_cbc.h (renamed from lib/libcrypto/libaes/aes_cbc.h)0
-rw-r--r--src/libcrypto/libaes/aes_xcbc_mac.c (renamed from lib/libcrypto/libaes/aes_xcbc_mac.c)0
-rw-r--r--src/libcrypto/libaes/aes_xcbc_mac.h (renamed from lib/libcrypto/libaes/aes_xcbc_mac.h)0
-rw-r--r--src/libcrypto/libblowfish/bf_enc.c (renamed from lib/libcrypto/libblowfish/bf_enc.c)0
-rw-r--r--src/libcrypto/libblowfish/bf_locl.h (renamed from lib/libcrypto/libblowfish/bf_locl.h)0
-rw-r--r--src/libcrypto/libblowfish/bf_pi.h (renamed from lib/libcrypto/libblowfish/bf_pi.h)0
-rw-r--r--src/libcrypto/libblowfish/bf_skey.c (renamed from lib/libcrypto/libblowfish/bf_skey.c)0
-rw-r--r--src/libcrypto/libblowfish/blowfish.h (renamed from lib/libcrypto/libblowfish/blowfish.h)0
-rw-r--r--src/libcrypto/libdes/cbc_enc.c (renamed from linux/crypto/ciphers/des/cbc_enc.c)0
-rw-r--r--src/libcrypto/libdes/des.h (renamed from linux/include/crypto/des.h)0
-rw-r--r--src/libcrypto/libdes/des_enc.c (renamed from linux/crypto/ciphers/des/des_enc.c)0
-rw-r--r--src/libcrypto/libdes/des_locl.h (renamed from linux/crypto/ciphers/des/des_locl.h)2
-rw-r--r--src/libcrypto/libdes/des_opts.c (renamed from linux/crypto/ciphers/des/des_opts.c)0
-rw-r--r--src/libcrypto/libdes/des_ver.h (renamed from linux/crypto/ciphers/des/des_ver.h)0
-rw-r--r--src/libcrypto/libdes/destest.c (renamed from linux/crypto/ciphers/des/destest.c)0
-rw-r--r--src/libcrypto/libdes/ecb_enc.c (renamed from linux/crypto/ciphers/des/ecb_enc.c)0
-rw-r--r--src/libcrypto/libdes/fcrypt.c (renamed from linux/crypto/ciphers/des/fcrypt.c)0
-rw-r--r--src/libcrypto/libdes/fcrypt_b.c (renamed from linux/crypto/ciphers/des/fcrypt_b.c)0
-rw-r--r--src/libcrypto/libdes/podd.h (renamed from linux/crypto/ciphers/des/podd.h)0
-rw-r--r--src/libcrypto/libdes/set_key.c (renamed from linux/crypto/ciphers/des/set_key.c)0
-rw-r--r--src/libcrypto/libdes/sk.h (renamed from linux/crypto/ciphers/des/sk.h)0
-rw-r--r--src/libcrypto/libdes/speed.c (renamed from linux/crypto/ciphers/des/speed.c)0
-rw-r--r--src/libcrypto/libdes/spr.h (renamed from linux/crypto/ciphers/des/spr.h)0
-rw-r--r--src/libcrypto/libserpent/serpent.c (renamed from lib/libcrypto/libserpent/serpent.c)0
-rw-r--r--src/libcrypto/libserpent/serpent.h (renamed from lib/libcrypto/libserpent/serpent.h)0
-rw-r--r--src/libcrypto/libserpent/serpent_cbc.c (renamed from lib/libcrypto/libserpent/serpent_cbc.c)0
-rw-r--r--src/libcrypto/libserpent/serpent_cbc.h (renamed from lib/libcrypto/libserpent/serpent_cbc.h)0
-rw-r--r--src/libcrypto/libsha2/hmac_sha2.c (renamed from lib/libcrypto/libsha2/hmac_sha2.c)0
-rw-r--r--src/libcrypto/libsha2/hmac_sha2.h (renamed from lib/libcrypto/libsha2/hmac_sha2.h)0
-rw-r--r--src/libcrypto/libsha2/sha2.c (renamed from lib/libcrypto/libsha2/sha2.c)0
-rw-r--r--src/libcrypto/libsha2/sha2.h (renamed from lib/libcrypto/libsha2/sha2.h)0
-rw-r--r--src/libcrypto/libtwofish/twofish.c (renamed from lib/libcrypto/libtwofish/twofish.c)0
-rw-r--r--src/libcrypto/libtwofish/twofish.h (renamed from lib/libcrypto/libtwofish/twofish.h)0
-rw-r--r--src/libcrypto/libtwofish/twofish_cbc.c (renamed from lib/libcrypto/libtwofish/twofish_cbc.c)0
-rw-r--r--src/libcrypto/libtwofish/twofish_cbc.h (renamed from lib/libcrypto/libtwofish/twofish_cbc.h)0
-rw-r--r--src/libfreeswan/Makefile.am19
-rw-r--r--src/libfreeswan/Makefile.in574
-rw-r--r--src/libfreeswan/addrtoa.c (renamed from linux/lib/libfreeswan/addrtoa.c)0
-rw-r--r--src/libfreeswan/addrtot.c (renamed from linux/lib/libfreeswan/addrtot.c)0
-rw-r--r--src/libfreeswan/addrtypeof.c (renamed from linux/lib/libfreeswan/addrtypeof.c)0
-rw-r--r--src/libfreeswan/anyaddr.3 (renamed from linux/lib/libfreeswan/anyaddr.3)0
-rw-r--r--src/libfreeswan/anyaddr.c (renamed from linux/lib/libfreeswan/anyaddr.c)0
-rw-r--r--src/libfreeswan/atoaddr.3 (renamed from linux/lib/libfreeswan/atoaddr.3)0
-rw-r--r--src/libfreeswan/atoaddr.c (renamed from linux/lib/libfreeswan/atoaddr.c)0
-rw-r--r--src/libfreeswan/atoasr.3 (renamed from linux/lib/libfreeswan/atoasr.3)0
-rw-r--r--src/libfreeswan/atoasr.c (renamed from linux/lib/libfreeswan/atoasr.c)0
-rw-r--r--src/libfreeswan/atosa.3 (renamed from linux/lib/libfreeswan/atosa.3)0
-rw-r--r--src/libfreeswan/atosa.c (renamed from linux/lib/libfreeswan/atosa.c)0
-rw-r--r--src/libfreeswan/atosubnet.c (renamed from linux/lib/libfreeswan/atosubnet.c)0
-rw-r--r--src/libfreeswan/atoul.3 (renamed from linux/lib/libfreeswan/atoul.3)0
-rw-r--r--src/libfreeswan/atoul.c (renamed from linux/lib/libfreeswan/atoul.c)0
-rw-r--r--src/libfreeswan/copyright.c (renamed from linux/lib/libfreeswan/copyright.c)0
-rw-r--r--src/libfreeswan/datatot.c (renamed from linux/lib/libfreeswan/datatot.c)0
-rw-r--r--src/libfreeswan/freeswan.h (renamed from linux/include/freeswan.h)9
-rw-r--r--src/libfreeswan/goodmask.3 (renamed from linux/lib/libfreeswan/goodmask.3)0
-rw-r--r--src/libfreeswan/goodmask.c (renamed from linux/lib/libfreeswan/goodmask.c)0
-rw-r--r--src/libfreeswan/initaddr.3 (renamed from linux/lib/libfreeswan/initaddr.3)0
-rw-r--r--src/libfreeswan/initaddr.c (renamed from linux/lib/libfreeswan/initaddr.c)0
-rw-r--r--src/libfreeswan/initsaid.c (renamed from linux/lib/libfreeswan/initsaid.c)0
-rw-r--r--src/libfreeswan/initsubnet.3 (renamed from linux/lib/libfreeswan/initsubnet.3)0
-rw-r--r--src/libfreeswan/initsubnet.c (renamed from linux/lib/libfreeswan/initsubnet.c)0
-rw-r--r--src/libfreeswan/internal.h (renamed from linux/lib/libfreeswan/internal.h)0
-rw-r--r--src/libfreeswan/ipcomp.h (renamed from linux/include/freeswan/ipcomp.h)0
-rw-r--r--src/libfreeswan/ipsec_ah.h (renamed from linux/include/freeswan/ipsec_ah.h)0
-rw-r--r--src/libfreeswan/ipsec_alg.h (renamed from linux/include/freeswan/ipsec_alg.h)0
-rw-r--r--src/libfreeswan/ipsec_encap.h (renamed from linux/include/freeswan/ipsec_encap.h)0
-rw-r--r--src/libfreeswan/ipsec_eroute.h (renamed from linux/include/freeswan/ipsec_eroute.h)0
-rw-r--r--src/libfreeswan/ipsec_errs.h (renamed from linux/include/freeswan/ipsec_errs.h)0
-rw-r--r--src/libfreeswan/ipsec_esp.h (renamed from linux/include/freeswan/ipsec_esp.h)0
-rw-r--r--src/libfreeswan/ipsec_ipe4.h (renamed from linux/include/freeswan/ipsec_ipe4.h)0
-rw-r--r--src/libfreeswan/ipsec_kversion.h (renamed from linux/include/freeswan/ipsec_kversion.h)0
-rw-r--r--src/libfreeswan/ipsec_life.h (renamed from linux/include/freeswan/ipsec_life.h)0
-rw-r--r--src/libfreeswan/ipsec_md5h.h (renamed from linux/include/freeswan/ipsec_md5h.h)0
-rw-r--r--src/libfreeswan/ipsec_param.h (renamed from linux/include/freeswan/ipsec_param.h)0
-rw-r--r--src/libfreeswan/ipsec_policy.h (renamed from linux/include/freeswan/ipsec_policy.h)8
-rw-r--r--src/libfreeswan/ipsec_proto.h (renamed from linux/include/freeswan/ipsec_proto.h)0
-rw-r--r--src/libfreeswan/ipsec_radij.h (renamed from linux/include/freeswan/ipsec_radij.h)0
-rw-r--r--src/libfreeswan/ipsec_rcv.h (renamed from linux/include/freeswan/ipsec_rcv.h)0
-rw-r--r--src/libfreeswan/ipsec_sa.h (renamed from linux/include/freeswan/ipsec_sa.h)0
-rw-r--r--src/libfreeswan/ipsec_sha1.h (renamed from linux/include/freeswan/ipsec_sha1.h)0
-rw-r--r--src/libfreeswan/ipsec_stats.h (renamed from linux/include/freeswan/ipsec_stats.h)0
-rw-r--r--src/libfreeswan/ipsec_tunnel.h (renamed from linux/include/freeswan/ipsec_tunnel.h)0
-rw-r--r--src/libfreeswan/ipsec_xform.h (renamed from linux/include/freeswan/ipsec_xform.h)0
-rw-r--r--src/libfreeswan/ipsec_xmit.h (renamed from linux/include/freeswan/ipsec_xmit.h)0
-rw-r--r--src/libfreeswan/keyblobtoid.3 (renamed from linux/lib/libfreeswan/keyblobtoid.3)0
-rw-r--r--src/libfreeswan/keyblobtoid.c (renamed from linux/lib/libfreeswan/keyblobtoid.c)0
-rw-r--r--src/libfreeswan/optionsfrom.3 (renamed from linux/lib/libfreeswan/optionsfrom.3)0
-rw-r--r--src/libfreeswan/optionsfrom.c (renamed from linux/lib/libfreeswan/optionsfrom.c)0
-rw-r--r--src/libfreeswan/pfkey.h (renamed from linux/include/pfkey.h)6
-rw-r--r--src/libfreeswan/pfkey_v2_build.c (renamed from linux/lib/libfreeswan/pfkey_v2_build.c)7
-rw-r--r--src/libfreeswan/pfkey_v2_debug.c (renamed from linux/lib/libfreeswan/pfkey_v2_debug.c)2
-rw-r--r--src/libfreeswan/pfkey_v2_ext_bits.c (renamed from linux/lib/libfreeswan/pfkey_v2_ext_bits.c)14
-rw-r--r--src/libfreeswan/pfkey_v2_parse.c (renamed from linux/lib/libfreeswan/pfkey_v2_parse.c)24
-rw-r--r--src/libfreeswan/pfkeyv2.h (renamed from linux/include/pfkeyv2.h)50
-rw-r--r--src/libfreeswan/portof.3 (renamed from linux/lib/libfreeswan/portof.3)0
-rw-r--r--src/libfreeswan/portof.c (renamed from linux/lib/libfreeswan/portof.c)0
-rw-r--r--src/libfreeswan/prng.3 (renamed from linux/lib/libfreeswan/prng.3)0
-rw-r--r--src/libfreeswan/prng.c (renamed from linux/lib/libfreeswan/prng.c)0
-rw-r--r--src/libfreeswan/radij.h (renamed from linux/include/freeswan/radij.h)0
-rw-r--r--src/libfreeswan/rangetoa.c (renamed from linux/lib/libfreeswan/rangetoa.c)0
-rw-r--r--src/libfreeswan/rangetosubnet.3 (renamed from linux/lib/libfreeswan/rangetosubnet.3)0
-rw-r--r--src/libfreeswan/rangetosubnet.c (renamed from linux/lib/libfreeswan/rangetosubnet.c)0
-rw-r--r--src/libfreeswan/sameaddr.3 (renamed from linux/lib/libfreeswan/sameaddr.3)0
-rw-r--r--src/libfreeswan/sameaddr.c (renamed from linux/lib/libfreeswan/sameaddr.c)0
-rw-r--r--src/libfreeswan/satoa.c (renamed from linux/lib/libfreeswan/satoa.c)0
-rw-r--r--src/libfreeswan/satot.c (renamed from linux/lib/libfreeswan/satot.c)0
-rw-r--r--src/libfreeswan/subnetof.3 (renamed from linux/lib/libfreeswan/subnetof.3)0
-rw-r--r--src/libfreeswan/subnetof.c (renamed from linux/lib/libfreeswan/subnetof.c)0
-rw-r--r--src/libfreeswan/subnettoa.c (renamed from linux/lib/libfreeswan/subnettoa.c)0
-rw-r--r--src/libfreeswan/subnettot.c (renamed from linux/lib/libfreeswan/subnettot.c)0
-rw-r--r--src/libfreeswan/subnettypeof.c (renamed from linux/lib/libfreeswan/subnettypeof.c)0
-rw-r--r--src/libfreeswan/ttoaddr.3 (renamed from linux/lib/libfreeswan/ttoaddr.3)0
-rw-r--r--src/libfreeswan/ttoaddr.c (renamed from linux/lib/libfreeswan/ttoaddr.c)0
-rw-r--r--src/libfreeswan/ttodata.3 (renamed from linux/lib/libfreeswan/ttodata.3)0
-rw-r--r--src/libfreeswan/ttodata.c (renamed from linux/lib/libfreeswan/ttodata.c)0
-rw-r--r--src/libfreeswan/ttoprotoport.c (renamed from linux/lib/libfreeswan/ttoprotoport.c)0
-rw-r--r--src/libfreeswan/ttosa.3 (renamed from linux/lib/libfreeswan/ttosa.3)0
-rw-r--r--src/libfreeswan/ttosa.c (renamed from linux/lib/libfreeswan/ttosa.c)0
-rw-r--r--src/libfreeswan/ttosubnet.c (renamed from linux/lib/libfreeswan/ttosubnet.c)0
-rw-r--r--src/libfreeswan/ttoul.3 (renamed from linux/lib/libfreeswan/ttoul.3)0
-rw-r--r--src/libfreeswan/ttoul.c (renamed from linux/lib/libfreeswan/ttoul.c)0
-rw-r--r--src/libfreeswan/ultoa.c (renamed from linux/lib/libfreeswan/ultoa.c)0
-rw-r--r--src/libfreeswan/ultot.c (renamed from linux/lib/libfreeswan/ultot.c)0
-rw-r--r--src/libfreeswan/version.3 (renamed from linux/lib/libfreeswan/version.3)0
-rw-r--r--src/libfreeswan/version.c (renamed from linux/lib/libfreeswan/version.in.c)5
-rw-r--r--src/libstrongswan/Makefile.am69
-rw-r--r--src/libstrongswan/Makefile.in820
-rw-r--r--src/libstrongswan/asn1/asn1.c733
-rw-r--r--src/libstrongswan/asn1/asn1.h135
-rw-r--r--src/libstrongswan/asn1/oid.c (renamed from programs/pluto/oid.c)0
-rw-r--r--src/libstrongswan/asn1/oid.h80
-rw-r--r--src/libstrongswan/asn1/oid.pl127
-rw-r--r--src/libstrongswan/asn1/oid.txt184
-rwxr-xr-xsrc/libstrongswan/asn1/pem.c366
-rwxr-xr-xsrc/libstrongswan/asn1/pem.h27
-rw-r--r--src/libstrongswan/asn1/ttodata.c378
-rw-r--r--src/libstrongswan/asn1/ttodata.h28
-rw-r--r--src/libstrongswan/chunk.c410
-rw-r--r--src/libstrongswan/chunk.h154
-rwxr-xr-xsrc/libstrongswan/credential_store.h294
-rw-r--r--src/libstrongswan/crypto/ca.c788
-rw-r--r--src/libstrongswan/crypto/ca.h215
-rw-r--r--src/libstrongswan/crypto/certinfo.c305
-rw-r--r--src/libstrongswan/crypto/certinfo.h203
-rwxr-xr-xsrc/libstrongswan/crypto/crl.c533
-rwxr-xr-xsrc/libstrongswan/crypto/crl.h147
-rw-r--r--src/libstrongswan/crypto/crypters/aes_cbc_crypter.c1620
-rw-r--r--src/libstrongswan/crypto/crypters/aes_cbc_crypter.h61
-rw-r--r--src/libstrongswan/crypto/crypters/crypter.c68
-rw-r--r--src/libstrongswan/crypto/crypters/crypter.h155
-rw-r--r--src/libstrongswan/crypto/crypters/des_crypter.c1535
-rw-r--r--src/libstrongswan/crypto/crypters/des_crypter.h58
-rw-r--r--src/libstrongswan/crypto/diffie_hellman.c612
-rw-r--r--src/libstrongswan/crypto/diffie_hellman.h147
-rw-r--r--src/libstrongswan/crypto/hashers/hasher.c65
-rw-r--r--src/libstrongswan/crypto/hashers/hasher.h159
-rw-r--r--src/libstrongswan/crypto/hashers/md5_hasher.c405
-rw-r--r--src/libstrongswan/crypto/hashers/md5_hasher.h60
-rw-r--r--src/libstrongswan/crypto/hashers/sha1_hasher.c280
-rw-r--r--src/libstrongswan/crypto/hashers/sha1_hasher.h60
-rw-r--r--src/libstrongswan/crypto/hashers/sha2_hasher.c672
-rw-r--r--src/libstrongswan/crypto/hashers/sha2_hasher.h62
-rw-r--r--src/libstrongswan/crypto/hmac.c215
-rw-r--r--src/libstrongswan/crypto/hmac.h117
-rw-r--r--src/libstrongswan/crypto/ocsp.c924
-rw-r--r--src/libstrongswan/crypto/ocsp.h86
-rw-r--r--src/libstrongswan/crypto/prf_plus.c156
-rw-r--r--src/libstrongswan/crypto/prf_plus.h92
-rw-r--r--src/libstrongswan/crypto/prfs/fips_prf.c258
-rw-r--r--src/libstrongswan/crypto/prfs/fips_prf.h80
-rw-r--r--src/libstrongswan/crypto/prfs/hmac_prf.c118
-rw-r--r--src/libstrongswan/crypto/prfs/hmac_prf.h65
-rw-r--r--src/libstrongswan/crypto/prfs/prf.c70
-rw-r--r--src/libstrongswan/crypto/prfs/prf.h142
-rw-r--r--src/libstrongswan/crypto/rsa/rsa_private_key.c774
-rw-r--r--src/libstrongswan/crypto/rsa/rsa_private_key.h184
-rw-r--r--src/libstrongswan/crypto/rsa/rsa_public_key.c497
-rw-r--r--src/libstrongswan/crypto/rsa/rsa_public_key.h164
-rw-r--r--src/libstrongswan/crypto/signers/hmac_signer.c174
-rw-r--r--src/libstrongswan/crypto/signers/hmac_signer.h68
-rw-r--r--src/libstrongswan/crypto/signers/signer.c65
-rw-r--r--src/libstrongswan/crypto/signers/signer.h147
-rwxr-xr-xsrc/libstrongswan/crypto/x509.c1354
-rwxr-xr-xsrc/libstrongswan/crypto/x509.h290
-rw-r--r--src/libstrongswan/debug.c41
-rw-r--r--src/libstrongswan/debug.h60
-rw-r--r--src/libstrongswan/enum.c73
-rw-r--r--src/libstrongswan/enum.h106
-rw-r--r--src/libstrongswan/library.c184
-rw-r--r--src/libstrongswan/library.h301
-rw-r--r--src/libstrongswan/printf_hook.c118
-rw-r--r--src/libstrongswan/printf_hook.h76
-rw-r--r--src/libstrongswan/utils/fetcher.c421
-rw-r--r--src/libstrongswan/utils/fetcher.h95
-rw-r--r--src/libstrongswan/utils/host.c526
-rw-r--r--src/libstrongswan/utils/host.h231
-rw-r--r--src/libstrongswan/utils/identification.c1144
-rw-r--r--src/libstrongswan/utils/identification.h261
-rw-r--r--src/libstrongswan/utils/iterator.h166
-rw-r--r--src/libstrongswan/utils/leak_detective.c459
-rw-r--r--src/libstrongswan/utils/leak_detective.h35
-rw-r--r--src/libstrongswan/utils/lexparser.c137
-rw-r--r--src/libstrongswan/utils/lexparser.h57
-rw-r--r--src/libstrongswan/utils/linked_list.c763
-rw-r--r--src/libstrongswan/utils/linked_list.h232
-rw-r--r--src/libstrongswan/utils/randomizer.c165
-rw-r--r--src/libstrongswan/utils/randomizer.h114
-rw-r--r--src/openac/Makefile.am98
-rw-r--r--src/openac/Makefile.in624
-rw-r--r--src/openac/build.c (renamed from programs/openac/build.c)0
-rw-r--r--src/openac/build.h (renamed from programs/openac/build.h)0
-rw-r--r--src/openac/loglite.c (renamed from programs/openac/loglite.c)8
-rw-r--r--src/openac/openac.8 (renamed from programs/openac/openac.8)0
-rwxr-xr-xsrc/openac/openac.c (renamed from programs/openac/openac.c)4
-rw-r--r--src/pluto/Makefile.am140
-rw-r--r--src/pluto/Makefile.in878
-rw-r--r--src/pluto/TODO (renamed from programs/pluto/TODO)0
-rw-r--r--src/pluto/ac.c (renamed from programs/pluto/ac.c)0
-rw-r--r--src/pluto/ac.h (renamed from programs/pluto/ac.h)0
-rw-r--r--src/pluto/adns.c (renamed from programs/pluto/adns.c)0
-rw-r--r--src/pluto/adns.h (renamed from programs/pluto/adns.h)0
-rw-r--r--src/pluto/alg/ike_alg_aes.c (renamed from programs/pluto/alg/ike_alg_aes.c)0
-rw-r--r--src/pluto/alg/ike_alg_blowfish.c (renamed from programs/pluto/alg/ike_alg_blowfish.c)0
-rw-r--r--src/pluto/alg/ike_alg_serpent.c (renamed from programs/pluto/alg/ike_alg_serpent.c)0
-rw-r--r--src/pluto/alg/ike_alg_sha2.c (renamed from programs/pluto/alg/ike_alg_sha2.c)0
-rw-r--r--src/pluto/alg/ike_alg_twofish.c (renamed from programs/pluto/alg/ike_alg_twofish.c)0
-rw-r--r--src/pluto/alg/ike_alginit.c7
-rw-r--r--src/pluto/alg_info.c (renamed from programs/pluto/alg_info.c)4
-rw-r--r--src/pluto/alg_info.h (renamed from programs/pluto/alg_info.h)0
-rw-r--r--src/pluto/asn1.c (renamed from programs/pluto/asn1.c)0
-rw-r--r--src/pluto/asn1.h (renamed from programs/pluto/asn1.h)0
-rw-r--r--src/pluto/ca.c (renamed from programs/pluto/ca.c)2
-rw-r--r--src/pluto/ca.h (renamed from programs/pluto/ca.h)0
-rw-r--r--src/pluto/certs.c (renamed from programs/pluto/certs.c)2
-rw-r--r--src/pluto/certs.h (renamed from programs/pluto/certs.h)16
-rw-r--r--src/pluto/connections.c (renamed from programs/pluto/connections.c)145
-rw-r--r--src/pluto/connections.h (renamed from programs/pluto/connections.h)23
-rw-r--r--src/pluto/constants.c (renamed from programs/pluto/constants.c)13
-rw-r--r--src/pluto/constants.h (renamed from programs/pluto/constants.h)13
-rw-r--r--src/pluto/cookie.c (renamed from programs/pluto/cookie.c)0
-rw-r--r--src/pluto/cookie.h (renamed from programs/pluto/cookie.h)0
-rw-r--r--src/pluto/crl.c (renamed from programs/pluto/crl.c)2
-rw-r--r--src/pluto/crl.h (renamed from programs/pluto/crl.h)0
-rw-r--r--src/pluto/crypto.c (renamed from programs/pluto/crypto.c)4
-rw-r--r--src/pluto/crypto.h (renamed from programs/pluto/crypto.h)2
-rw-r--r--src/pluto/db_ops.c (renamed from programs/pluto/db_ops.c)0
-rw-r--r--src/pluto/db_ops.h (renamed from programs/pluto/db_ops.h)0
-rw-r--r--src/pluto/defs.c (renamed from programs/pluto/defs.c)2
-rw-r--r--src/pluto/defs.h (renamed from programs/pluto/defs.h)4
-rw-r--r--src/pluto/demux.c (renamed from programs/pluto/demux.c)117
-rw-r--r--src/pluto/demux.h (renamed from programs/pluto/demux.h)9
-rw-r--r--src/pluto/dnskey.c (renamed from programs/pluto/dnskey.c)2
-rw-r--r--src/pluto/dnskey.h (renamed from programs/pluto/dnskey.h)0
-rw-r--r--src/pluto/dsa.c (renamed from programs/pluto/dsa.c)0
-rw-r--r--src/pluto/dsa.h (renamed from programs/pluto/dsa.h)0
-rw-r--r--src/pluto/elgamal.c (renamed from programs/pluto/elgamal.c)0
-rw-r--r--src/pluto/elgamal.h (renamed from programs/pluto/elgamal.h)0
-rw-r--r--src/pluto/fetch.c (renamed from programs/pluto/fetch.c)14
-rw-r--r--src/pluto/fetch.h (renamed from programs/pluto/fetch.h)0
-rw-r--r--src/pluto/foodgroups.c (renamed from programs/pluto/foodgroups.c)2
-rw-r--r--src/pluto/foodgroups.h (renamed from programs/pluto/foodgroups.h)0
-rw-r--r--src/pluto/gcryptfix.c (renamed from programs/pluto/gcryptfix.c)0
-rw-r--r--src/pluto/gcryptfix.h (renamed from programs/pluto/gcryptfix.h)0
-rw-r--r--src/pluto/id.c (renamed from programs/pluto/id.c)2
-rw-r--r--src/pluto/id.h (renamed from programs/pluto/id.h)0
-rw-r--r--src/pluto/ike_alg.c (renamed from programs/pluto/ike_alg.c)4
-rw-r--r--src/pluto/ike_alg.h (renamed from programs/pluto/ike_alg.h)2
-rw-r--r--src/pluto/ipsec.secrets.5 (renamed from programs/pluto/ipsec.secrets.5)0
-rw-r--r--src/pluto/ipsec_doi.c (renamed from programs/pluto/ipsec_doi.c)138
-rw-r--r--src/pluto/ipsec_doi.h (renamed from programs/pluto/ipsec_doi.h)0
-rw-r--r--src/pluto/kameipsec.h (renamed from programs/pluto/kameipsec.h)0
-rw-r--r--src/pluto/kernel.c (renamed from programs/pluto/kernel.c)142
-rw-r--r--src/pluto/kernel.h (renamed from programs/pluto/kernel.h)6
-rw-r--r--src/pluto/kernel_alg.c (renamed from programs/pluto/kernel_alg.c)2
-rw-r--r--src/pluto/kernel_alg.h (renamed from programs/pluto/kernel_alg.h)0
-rw-r--r--src/pluto/kernel_netlink.c (renamed from programs/pluto/kernel_netlink.c)2
-rw-r--r--src/pluto/kernel_netlink.h (renamed from programs/pluto/kernel_netlink.h)0
-rw-r--r--src/pluto/kernel_noklips.c (renamed from programs/pluto/kernel_noklips.c)0
-rw-r--r--src/pluto/kernel_noklips.h (renamed from programs/pluto/kernel_noklips.h)0
-rw-r--r--src/pluto/kernel_pfkey.c (renamed from programs/pluto/kernel_pfkey.c)18
-rw-r--r--src/pluto/kernel_pfkey.h (renamed from programs/pluto/kernel_pfkey.h)0
-rw-r--r--src/pluto/keys.c (renamed from programs/pluto/keys.c)6
-rw-r--r--src/pluto/keys.h (renamed from programs/pluto/keys.h)7
-rw-r--r--src/pluto/lex.c (renamed from programs/pluto/lex.c)0
-rw-r--r--src/pluto/lex.h (renamed from programs/pluto/lex.h)0
-rw-r--r--src/pluto/linux26/netlink.h (renamed from programs/pluto/linux26/netlink.h)0
-rw-r--r--src/pluto/linux26/rtnetlink.h (renamed from programs/pluto/linux26/rtnetlink.h)0
-rw-r--r--src/pluto/linux26/xfrm.h (renamed from programs/pluto/linux26/xfrm.h)0
-rw-r--r--src/pluto/log.c (renamed from programs/pluto/log.c)2
-rw-r--r--src/pluto/log.h (renamed from programs/pluto/log.h)4
-rw-r--r--src/pluto/md2.c (renamed from programs/pluto/md2.c)0
-rw-r--r--src/pluto/md2.h (renamed from programs/pluto/md2.h)0
-rw-r--r--src/pluto/md5.c (renamed from programs/pluto/md5.c)0
-rw-r--r--src/pluto/md5.h (renamed from programs/pluto/md5.h)0
-rw-r--r--src/pluto/modecfg.c (renamed from programs/pluto/modecfg.c)2
-rw-r--r--src/pluto/modecfg.h (renamed from programs/pluto/modecfg.h)2
-rw-r--r--src/pluto/mp_defs.c (renamed from programs/pluto/mp_defs.c)0
-rw-r--r--src/pluto/mp_defs.h (renamed from programs/pluto/mp_defs.h)0
-rw-r--r--src/pluto/nat_traversal.c (renamed from programs/pluto/nat_traversal.c)15
-rw-r--r--src/pluto/nat_traversal.h (renamed from programs/pluto/nat_traversal.h)0
-rw-r--r--src/pluto/ocsp.c (renamed from programs/pluto/ocsp.c)2
-rw-r--r--src/pluto/ocsp.h (renamed from programs/pluto/ocsp.h)0
-rw-r--r--src/pluto/oid.c197
-rw-r--r--src/pluto/oid.h (renamed from programs/pluto/oid.h)0
-rw-r--r--src/pluto/oid.pl (renamed from programs/pluto/oid.pl)0
-rw-r--r--src/pluto/oid.txt (renamed from programs/pluto/oid.txt)0
-rw-r--r--src/pluto/packet.c (renamed from programs/pluto/packet.c)0
-rw-r--r--src/pluto/packet.h (renamed from programs/pluto/packet.h)0
-rw-r--r--src/pluto/pem.c (renamed from programs/pluto/pem.c)2
-rw-r--r--src/pluto/pem.h (renamed from programs/pluto/pem.h)0
-rw-r--r--src/pluto/pgp.c (renamed from programs/pluto/pgp.c)2
-rw-r--r--src/pluto/pgp.h (renamed from programs/pluto/pgp.h)0
-rw-r--r--src/pluto/pkcs1.c (renamed from programs/pluto/pkcs1.c)2
-rw-r--r--src/pluto/pkcs1.h (renamed from programs/pluto/pkcs1.h)0
-rw-r--r--src/pluto/pkcs7.c (renamed from programs/pluto/pkcs7.c)2
-rw-r--r--src/pluto/pkcs7.h (renamed from programs/pluto/pkcs7.h)0
-rw-r--r--src/pluto/pluto.8 (renamed from programs/pluto/pluto.8)0
-rw-r--r--src/pluto/plutomain.c (renamed from programs/pluto/plutomain.c)35
-rw-r--r--src/pluto/primegen.c (renamed from programs/pluto/primegen.c)0
-rw-r--r--src/pluto/rcv_whack.c (renamed from programs/pluto/rcv_whack.c)44
-rw-r--r--src/pluto/rcv_whack.h (renamed from programs/pluto/rcv_whack.h)0
-rw-r--r--src/pluto/rnd.c (renamed from programs/pluto/rnd.c)2
-rw-r--r--src/pluto/rnd.h (renamed from programs/pluto/rnd.h)0
-rw-r--r--src/pluto/rsaref/pkcs11.h (renamed from programs/pluto/rsaref/pkcs11.h)0
-rw-r--r--src/pluto/rsaref/pkcs11f.h (renamed from programs/pluto/rsaref/pkcs11f.h)0
-rw-r--r--src/pluto/rsaref/pkcs11t.h (renamed from programs/pluto/rsaref/pkcs11t.h)0
-rw-r--r--src/pluto/rsaref/unix.h (renamed from programs/pluto/rsaref/unix.h)0
-rw-r--r--src/pluto/server.c (renamed from programs/pluto/server.c)23
-rw-r--r--src/pluto/server.h (renamed from programs/pluto/server.h)2
-rw-r--r--src/pluto/sha1.c (renamed from programs/pluto/sha1.c)0
-rw-r--r--src/pluto/sha1.h (renamed from programs/pluto/sha1.h)0
-rw-r--r--src/pluto/smallprime.c (renamed from programs/pluto/smallprime.c)0
-rw-r--r--src/pluto/smartcard.c (renamed from programs/pluto/smartcard.c)2
-rw-r--r--src/pluto/smartcard.h (renamed from programs/pluto/smartcard.h)0
-rw-r--r--src/pluto/spdb.c (renamed from programs/pluto/spdb.c)29
-rw-r--r--src/pluto/spdb.h (renamed from programs/pluto/spdb.h)2
-rw-r--r--src/pluto/state.c (renamed from programs/pluto/state.c)2
-rw-r--r--src/pluto/state.h (renamed from programs/pluto/state.h)6
-rw-r--r--src/pluto/timer.c (renamed from programs/pluto/timer.c)5
-rw-r--r--src/pluto/timer.h (renamed from programs/pluto/timer.h)0
-rw-r--r--src/pluto/vendor.c (renamed from programs/pluto/vendor.c)35
-rw-r--r--src/pluto/vendor.h (renamed from programs/pluto/vendor.h)72
-rw-r--r--src/pluto/virtual.c (renamed from programs/pluto/virtual.c)4
-rw-r--r--src/pluto/virtual.h (renamed from programs/pluto/virtual.h)0
-rw-r--r--src/pluto/x509.c (renamed from programs/pluto/x509.c)2
-rw-r--r--src/pluto/x509.h (renamed from programs/pluto/x509.h)0
-rw-r--r--src/pluto/xauth.c (renamed from programs/pluto/xauth.c)4
-rw-r--r--src/pluto/xauth.h (renamed from programs/pluto/xauth.h)2
-rw-r--r--src/scepclient/Makefile.am103
-rw-r--r--src/scepclient/Makefile.in630
-rw-r--r--src/scepclient/pkcs10.c (renamed from programs/scepclient/pkcs10.c)0
-rw-r--r--src/scepclient/pkcs10.h (renamed from programs/scepclient/pkcs10.h)0
-rw-r--r--src/scepclient/rsakey.c (renamed from programs/scepclient/rsakey.c)8
-rw-r--r--src/scepclient/rsakey.h (renamed from programs/scepclient/rsakey.h)0
-rw-r--r--src/scepclient/scep.c (renamed from programs/scepclient/scep.c)0
-rw-r--r--src/scepclient/scep.h (renamed from programs/scepclient/scep.h)0
-rw-r--r--src/scepclient/scepclient.8 (renamed from programs/scepclient/scepclient.8)0
-rw-r--r--src/scepclient/scepclient.c (renamed from programs/scepclient/scepclient.c)0
-rw-r--r--src/starter/Makefile.am37
-rw-r--r--src/starter/Makefile.in581
-rw-r--r--src/starter/README (renamed from programs/starter/README)0
-rw-r--r--src/starter/args.c (renamed from programs/starter/args.c)13
-rw-r--r--src/starter/args.h (renamed from programs/starter/args.h)0
-rw-r--r--src/starter/cmp.c (renamed from programs/starter/cmp.c)0
-rw-r--r--src/starter/cmp.h (renamed from programs/starter/cmp.h)0
-rw-r--r--src/starter/confread.c936
-rw-r--r--src/starter/confread.h (renamed from programs/starter/confread.h)20
-rw-r--r--src/starter/exec.c (renamed from programs/starter/exec.c)0
-rw-r--r--src/starter/exec.h (renamed from programs/starter/exec.h)0
-rw-r--r--src/starter/files.h (renamed from programs/starter/files.h)33
-rw-r--r--src/starter/interfaces.c (renamed from programs/starter/interfaces.c)27
-rw-r--r--src/starter/interfaces.h (renamed from programs/starter/interfaces.h)0
-rw-r--r--src/starter/invokecharon.c251
-rw-r--r--src/starter/invokecharon.h31
-rw-r--r--src/starter/invokepluto.c (renamed from programs/starter/invokepluto.c)8
-rw-r--r--src/starter/invokepluto.h (renamed from programs/starter/invokepluto.h)0
-rw-r--r--src/starter/ipsec.conf (renamed from programs/_confread/ipsec.conf.in)12
-rw-r--r--src/starter/ipsec.conf.5 (renamed from programs/_confread/ipsec.conf.5)494
-rw-r--r--src/starter/keywords.c (renamed from programs/starter/keywords.c)241
-rw-r--r--src/starter/keywords.h (renamed from programs/starter/keywords.h)13
-rw-r--r--src/starter/keywords.txt (renamed from programs/starter/keywords.txt)13
-rw-r--r--src/starter/lex.yy.c (renamed from programs/starter/lex.yy.c)6
-rw-r--r--src/starter/netkey.c (renamed from programs/starter/netkey.c)0
-rw-r--r--src/starter/netkey.h (renamed from programs/starter/netkey.h)0
-rw-r--r--src/starter/parser.h (renamed from programs/starter/parser.h)0
-rw-r--r--src/starter/parser.l (renamed from programs/starter/parser.l)4
-rw-r--r--src/starter/parser.y (renamed from programs/starter/parser.y)4
-rw-r--r--src/starter/starter.c (renamed from programs/starter/starter.c)316
-rw-r--r--src/starter/starterstroke.c295
-rw-r--r--src/starter/starterstroke.h29
-rw-r--r--src/starter/starterwhack.c (renamed from programs/starter/starterwhack.c)17
-rw-r--r--src/starter/starterwhack.h (renamed from programs/starter/starterwhack.h)0
-rw-r--r--src/starter/y.tab.c (renamed from programs/starter/parser.tab.c)28
-rw-r--r--src/starter/y.tab.h (renamed from programs/starter/parser.tab.h)6
-rw-r--r--src/stroke/Makefile.am9
-rw-r--r--src/stroke/Makefile.in483
-rw-r--r--src/stroke/stroke.c421
-rw-r--r--src/stroke/stroke.h226
-rw-r--r--src/stroke/stroke_keywords.c179
-rw-r--r--src/stroke/stroke_keywords.h55
-rw-r--r--src/stroke/stroke_keywords.txt50
-rw-r--r--src/whack/Makefile.am8
-rw-r--r--src/whack/Makefile.in478
-rw-r--r--src/whack/whack.c (renamed from programs/pluto/whack.c)48
-rw-r--r--src/whack/whack.h (renamed from programs/pluto/whack.h)7
-rw-r--r--testing/INSTALL6
-rwxr-xr-xtesting/do-tests538
-rwxr-xr-xtesting/hosts/alice/etc/ipsec.conf1
-rwxr-xr-xtesting/hosts/bob/etc/ipsec.conf1
-rwxr-xr-xtesting/hosts/carol/etc/ipsec.conf1
-rwxr-xr-xtesting/hosts/dave/etc/ipsec.conf1
-rwxr-xr-xtesting/hosts/moon/etc/ipsec.conf1
-rw-r--r--testing/hosts/moon/etc/ipsec.secrets4
-rwxr-xr-xtesting/hosts/sun/etc/ipsec.conf1
-rwxr-xr-xtesting/hosts/venus/etc/ipsec.conf1
-rw-r--r--testing/hosts/winnetou/etc/apache2/httpd.conf1103
-rw-r--r--testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf37
-rw-r--r--testing/hosts/winnetou/etc/openssl/index.txt1
-rw-r--r--testing/hosts/winnetou/etc/openssl/index.txt.old1
-rw-r--r--testing/hosts/winnetou/etc/openssl/newcerts/13.pem26
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi11
-rw-r--r--testing/hosts/winnetou/etc/openssl/ocspCert-self.pem26
-rw-r--r--testing/hosts/winnetou/etc/openssl/ocspKey-self.pem27
-rw-r--r--testing/hosts/winnetou/etc/openssl/openssl.cnf5
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/index.txt1
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/index.txt.old1
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/newcerts/03.pem26
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi11
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/ocspCert.pem26
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/ocspKey.pem27
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/openssl.cnf2
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/serial.old2
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/index.txt1
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/index.txt.old1
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/newcerts/03.pem26
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi11
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem26
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem27
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/openssl.cnf2
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/sales/serial.old2
-rw-r--r--testing/hosts/winnetou/etc/openssl/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/serial.old2
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/start-ocsp20
-rwxr-xr-xtesting/scripts/build-hostconfig2
-rwxr-xr-xtesting/scripts/build-sshkeys2
-rwxr-xr-xtesting/scripts/build-umlhostfs1
-rwxr-xr-xtesting/scripts/build-umlrootfs33
-rwxr-xr-xtesting/scripts/install-shared38
-rwxr-xr-xtesting/scripts/kstart-umls2
-rwxr-xr-xtesting/scripts/load-testconfig6
-rwxr-xr-xtesting/scripts/restore-defaults2
-rwxr-xr-xtesting/scripts/shutdown-umls38
-rwxr-xr-xtesting/scripts/start-switches2
-rwxr-xr-xtesting/scripts/start-umls2
-rwxr-xr-xtesting/scripts/xstart-umls2
-rwxr-xr-xtesting/start-testing4
-rwxr-xr-xtesting/testing.conf35
-rwxr-xr-xtesting/tests/compress/hosts/carol/etc/ipsec.conf25
-rwxr-xr-xtesting/tests/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf25
-rwxr-xr-xtesting/tests/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/ike/rw-cert/description.txt5
-rw-r--r--testing/tests/ike/rw-cert/evaltest.dat11
-rwxr-xr-xtesting/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf22
-rwxr-xr-xtesting/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/ike/rw-cert/posttest.dat (renamed from testing/tests/rw-psk-rsa-mixed/posttest.dat)0
-rw-r--r--testing/tests/ike/rw-cert/pretest.dat8
-rw-r--r--testing/tests/ike/rw-cert/test.conf21
-rw-r--r--testing/tests/ike/rw_v1-net_v2/description.txt7
-rw-r--r--testing/tests/ike/rw_v1-net_v2/evaltest.dat10
-rwxr-xr-xtesting/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf28
-rwxr-xr-xtesting/tests/ike/rw_v1-net_v2/hosts/sun/etc/ipsec.conf15
-rw-r--r--testing/tests/ike/rw_v1-net_v2/posttest.dat (renamed from testing/tests/ocsp-strict/posttest.dat)4
-rw-r--r--testing/tests/ike/rw_v1-net_v2/pretest.dat9
-rw-r--r--testing/tests/ike/rw_v1-net_v2/test.conf21
-rw-r--r--testing/tests/ikev1/alg-blowfish/description.txt (renamed from testing/tests/alg-blowfish/description.txt)0
-rw-r--r--testing/tests/ikev1/alg-blowfish/evaltest.dat (renamed from testing/tests/alg-blowfish/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf (renamed from testing/tests/alg-blowfish/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf (renamed from testing/tests/alg-blowfish/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/alg-blowfish/posttest.dat (renamed from testing/tests/alg-blowfish/posttest.dat)0
-rw-r--r--testing/tests/ikev1/alg-blowfish/pretest.dat (renamed from testing/tests/alg-blowfish/pretest.dat)0
-rw-r--r--testing/tests/ikev1/alg-blowfish/test.conf (renamed from testing/tests/alg-blowfish/test.conf)0
-rw-r--r--testing/tests/ikev1/alg-serpent/description.txt (renamed from testing/tests/alg-serpent/description.txt)0
-rw-r--r--testing/tests/ikev1/alg-serpent/evaltest.dat (renamed from testing/tests/alg-serpent/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf (renamed from testing/tests/alg-serpent/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf (renamed from testing/tests/alg-serpent/hosts/moon/etc/ipsec.conf)5
-rw-r--r--testing/tests/ikev1/alg-serpent/posttest.dat (renamed from testing/tests/alg-serpent/posttest.dat)0
-rw-r--r--testing/tests/ikev1/alg-serpent/pretest.dat (renamed from testing/tests/alg-serpent/pretest.dat)0
-rw-r--r--testing/tests/ikev1/alg-serpent/test.conf (renamed from testing/tests/alg-serpent/test.conf)0
-rw-r--r--testing/tests/ikev1/alg-sha-equals-sha1/description.txt (renamed from testing/tests/alg-sha-equals-sha1/description.txt)0
-rw-r--r--testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat (renamed from testing/tests/alg-sha-equals-sha1/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf (renamed from testing/tests/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf)4
-rwxr-xr-xtesting/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf (renamed from testing/tests/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf)4
-rw-r--r--testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat (renamed from testing/tests/alg-sha-equals-sha1/posttest.dat)0
-rw-r--r--testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat (renamed from testing/tests/alg-sha-equals-sha1/pretest.dat)0
-rw-r--r--testing/tests/ikev1/alg-sha-equals-sha1/test.conf (renamed from testing/tests/alg-sha-equals-sha1/test.conf)0
-rw-r--r--testing/tests/ikev1/alg-sha2_256/description.txt (renamed from testing/tests/alg-sha2_256/description.txt)0
-rw-r--r--testing/tests/ikev1/alg-sha2_256/evaltest.dat (renamed from testing/tests/alg-sha2_256/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf (renamed from testing/tests/alg-sha2_256/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf (renamed from testing/tests/alg-sha2_256/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/alg-sha2_256/posttest.dat (renamed from testing/tests/alg-sha2_256/posttest.dat)0
-rw-r--r--testing/tests/ikev1/alg-sha2_256/pretest.dat (renamed from testing/tests/alg-sha2_256/pretest.dat)0
-rw-r--r--testing/tests/ikev1/alg-sha2_256/test.conf (renamed from testing/tests/alg-sha2_256/test.conf)0
-rw-r--r--testing/tests/ikev1/alg-twofish/description.txt (renamed from testing/tests/alg-twofish/description.txt)0
-rw-r--r--testing/tests/ikev1/alg-twofish/evaltest.dat (renamed from testing/tests/alg-twofish/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf (renamed from testing/tests/alg-twofish/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf (renamed from testing/tests/alg-twofish/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/alg-twofish/posttest.dat (renamed from testing/tests/alg-twofish/posttest.dat)0
-rw-r--r--testing/tests/ikev1/alg-twofish/pretest.dat (renamed from testing/tests/alg-twofish/pretest.dat)0
-rw-r--r--testing/tests/ikev1/alg-twofish/test.conf (renamed from testing/tests/alg-twofish/test.conf)0
-rw-r--r--testing/tests/ikev1/attr-cert/description.txt (renamed from testing/tests/attr-cert/description.txt)0
-rw-r--r--testing/tests/ikev1/attr-cert/evaltest.dat (renamed from testing/tests/attr-cert/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf (renamed from testing/tests/attr-cert/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf (renamed from testing/tests/attr-cert/hosts/dave/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf (renamed from testing/tests/attr-cert/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem (renamed from testing/tests/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem)0
-rw-r--r--testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem (renamed from testing/tests/attr-cert/hosts/moon/etc/openac/aaKey.pem)0
-rw-r--r--testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem (renamed from testing/tests/attr-cert/hosts/moon/etc/openac/carolCert.pem)0
-rw-r--r--testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem (renamed from testing/tests/attr-cert/hosts/moon/etc/openac/daveCert.pem)0
-rw-r--r--testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf (renamed from testing/tests/attr-cert/hosts/moon/etc/openac/default.conf)0
-rw-r--r--testing/tests/ikev1/attr-cert/posttest.dat (renamed from testing/tests/attr-cert/posttest.dat)0
-rw-r--r--testing/tests/ikev1/attr-cert/pretest.dat (renamed from testing/tests/attr-cert/pretest.dat)0
-rw-r--r--testing/tests/ikev1/attr-cert/test.conf (renamed from testing/tests/attr-cert/test.conf)0
-rw-r--r--testing/tests/ikev1/compress/description.txt (renamed from testing/tests/compress/description.txt)0
-rw-r--r--testing/tests/ikev1/compress/evaltest.dat (renamed from testing/tests/compress/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/compress/hosts/carol/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev1/compress/hosts/moon/etc/ipsec.conf (renamed from testing/tests/compress/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/compress/posttest.dat (renamed from testing/tests/compress/posttest.dat)0
-rw-r--r--testing/tests/ikev1/compress/pretest.dat (renamed from testing/tests/compress/pretest.dat)0
-rw-r--r--testing/tests/ikev1/compress/test.conf (renamed from testing/tests/compress/test.conf)0
-rw-r--r--testing/tests/ikev1/crl-from-cache/description.txt (renamed from testing/tests/crl-from-cache/description.txt)0
-rw-r--r--testing/tests/ikev1/crl-from-cache/evaltest.dat (renamed from testing/tests/crl-from-cache/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf (renamed from testing/tests/crl-from-cache/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf (renamed from testing/tests/crl-from-cache/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/crl-from-cache/posttest.dat (renamed from testing/tests/crl-from-cache/posttest.dat)0
-rw-r--r--testing/tests/ikev1/crl-from-cache/pretest.dat (renamed from testing/tests/crl-from-cache/pretest.dat)0
-rw-r--r--testing/tests/ikev1/crl-from-cache/test.conf (renamed from testing/tests/crl-from-cache/test.conf)0
-rw-r--r--testing/tests/ikev1/crl-ldap/description.txt (renamed from testing/tests/crl-ldap/description.txt)0
-rw-r--r--testing/tests/ikev1/crl-ldap/evaltest.dat (renamed from testing/tests/crl-ldap/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables (renamed from testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables)0
-rwxr-xr-xtesting/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf (renamed from testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl (renamed from testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl)bin560 -> 560 bytes
-rwxr-xr-xtesting/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables (renamed from testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables)0
-rwxr-xr-xtesting/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf (renamed from testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl (renamed from testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl)bin560 -> 560 bytes
-rw-r--r--testing/tests/ikev1/crl-ldap/posttest.dat (renamed from testing/tests/crl-ldap/posttest.dat)2
-rw-r--r--testing/tests/ikev1/crl-ldap/pretest.dat (renamed from testing/tests/crl-ldap/pretest.dat)0
-rw-r--r--testing/tests/ikev1/crl-ldap/test.conf (renamed from testing/tests/crl-ldap/test.conf)0
-rw-r--r--testing/tests/ikev1/crl-revoked/description.txt (renamed from testing/tests/crl-revoked/description.txt)0
-rw-r--r--testing/tests/ikev1/crl-revoked/evaltest.dat (renamed from testing/tests/crl-revoked/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf (renamed from testing/tests/crl-revoked/hosts/carol/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem (renamed from testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem)0
-rw-r--r--testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem (renamed from testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem)0
-rw-r--r--testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/crl-revoked/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf (renamed from testing/tests/crl-revoked/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/crl-revoked/posttest.dat (renamed from testing/tests/crl-revoked/posttest.dat)0
-rw-r--r--testing/tests/ikev1/crl-revoked/pretest.dat (renamed from testing/tests/crl-revoked/pretest.dat)0
-rw-r--r--testing/tests/ikev1/crl-revoked/test.conf (renamed from testing/tests/crl-revoked/test.conf)0
-rw-r--r--testing/tests/ikev1/crl-strict/description.txt (renamed from testing/tests/crl-strict/description.txt)0
-rw-r--r--testing/tests/ikev1/crl-strict/evaltest.dat (renamed from testing/tests/crl-strict/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf (renamed from testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf (renamed from testing/tests/crl-strict/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/crl-strict/posttest.dat (renamed from testing/tests/crl-strict/posttest.dat)0
-rw-r--r--testing/tests/ikev1/crl-strict/pretest.dat (renamed from testing/tests/crl-strict/pretest.dat)0
-rw-r--r--testing/tests/ikev1/crl-strict/test.conf (renamed from testing/tests/crl-strict/test.conf)0
-rw-r--r--testing/tests/ikev1/crl-to-cache/description.txt (renamed from testing/tests/crl-to-cache/description.txt)0
-rw-r--r--testing/tests/ikev1/crl-to-cache/evaltest.dat (renamed from testing/tests/crl-to-cache/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf (renamed from testing/tests/crl-to-cache/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf (renamed from testing/tests/crl-to-cache/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/crl-to-cache/posttest.dat (renamed from testing/tests/crl-to-cache/posttest.dat)0
-rw-r--r--testing/tests/ikev1/crl-to-cache/pretest.dat (renamed from testing/tests/crl-to-cache/pretest.dat)0
-rw-r--r--testing/tests/ikev1/crl-to-cache/test.conf (renamed from testing/tests/crl-to-cache/test.conf)0
-rw-r--r--testing/tests/ikev1/default-keys/description.txt (renamed from testing/tests/default-keys/description.txt)0
-rw-r--r--testing/tests/ikev1/default-keys/evaltest.dat (renamed from testing/tests/self-signed/evaltest.dat)2
-rwxr-xr-xtesting/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf (renamed from testing/tests/default-keys/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables (renamed from testing/tests/default-keys/hosts/moon/etc/init.d/iptables)0
-rwxr-xr-xtesting/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf (renamed from testing/tests/default-keys/hosts/moon/etc/ipsec.conf)5
-rw-r--r--testing/tests/ikev1/default-keys/posttest.dat (renamed from testing/tests/default-keys/posttest.dat)2
-rw-r--r--testing/tests/ikev1/default-keys/pretest.dat (renamed from testing/tests/default-keys/pretest.dat)2
-rw-r--r--testing/tests/ikev1/default-keys/test.conf (renamed from testing/tests/default-keys/test.conf)0
-rw-r--r--testing/tests/ikev1/double-nat-net/description.txt (renamed from testing/tests/double-nat-net/description.txt)0
-rw-r--r--testing/tests/ikev1/double-nat-net/evaltest.dat (renamed from testing/tests/double-nat-net/evaltest.dat)2
-rwxr-xr-xtesting/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf (renamed from testing/tests/double-nat-net/hosts/alice/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf (renamed from testing/tests/double-nat-net/hosts/bob/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/double-nat-net/posttest.dat (renamed from testing/tests/double-nat-net/posttest.dat)4
-rw-r--r--testing/tests/ikev1/double-nat-net/pretest.dat (renamed from testing/tests/double-nat-net/pretest.dat)0
-rw-r--r--testing/tests/ikev1/double-nat-net/test.conf (renamed from testing/tests/double-nat-net/test.conf)0
-rw-r--r--testing/tests/ikev1/double-nat/description.txt (renamed from testing/tests/double-nat/description.txt)0
-rw-r--r--testing/tests/ikev1/double-nat/evaltest.dat (renamed from testing/tests/double-nat/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf (renamed from testing/tests/double-nat/hosts/alice/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/double-nat/posttest.dat (renamed from testing/tests/double-nat/posttest.dat)4
-rw-r--r--testing/tests/ikev1/double-nat/pretest.dat (renamed from testing/tests/double-nat/pretest.dat)0
-rw-r--r--testing/tests/ikev1/double-nat/test.conf (renamed from testing/tests/double-nat/test.conf)0
-rw-r--r--testing/tests/ikev1/dpd-clear/description.txt (renamed from testing/tests/dpd-clear/description.txt)0
-rw-r--r--testing/tests/ikev1/dpd-clear/evaltest.dat (renamed from testing/tests/dpd-clear/evaltest.dat)1
-rwxr-xr-xtesting/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf (renamed from testing/tests/dpd-clear/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/dpd-clear/posttest.dat (renamed from testing/tests/dpd-clear/posttest.dat)0
-rw-r--r--testing/tests/ikev1/dpd-clear/pretest.dat (renamed from testing/tests/dpd-clear/pretest.dat)0
-rw-r--r--testing/tests/ikev1/dpd-clear/test.conf (renamed from testing/tests/dpd-clear/test.conf)0
-rw-r--r--testing/tests/ikev1/esp-ah-transport/description.txt (renamed from testing/tests/esp-ah-transport/description.txt)0
-rw-r--r--testing/tests/ikev1/esp-ah-transport/evaltest.dat (renamed from testing/tests/esp-ah-transport/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables (renamed from testing/tests/esp-ah-transport/hosts/carol/etc/init.d/iptables)0
-rwxr-xr-xtesting/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf (renamed from testing/tests/esp-ah-transport/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables (renamed from testing/tests/esp-ah-transport/hosts/moon/etc/init.d/iptables)0
-rwxr-xr-xtesting/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf (renamed from testing/tests/esp-ah-transport/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/esp-ah-transport/posttest.dat (renamed from testing/tests/esp-ah-transport/posttest.dat)2
-rw-r--r--testing/tests/ikev1/esp-ah-transport/pretest.dat (renamed from testing/tests/esp-ah-transport/pretest.dat)0
-rw-r--r--testing/tests/ikev1/esp-ah-transport/test.conf (renamed from testing/tests/esp-ah-transport/test.conf)0
-rw-r--r--testing/tests/ikev1/esp-ah-tunnel/description.txt (renamed from testing/tests/esp-ah-tunnel/description.txt)0
-rw-r--r--testing/tests/ikev1/esp-ah-tunnel/evaltest.dat (renamed from testing/tests/esp-ah-tunnel/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables (renamed from testing/tests/esp-ah-tunnel/hosts/carol/etc/init.d/iptables)0
-rwxr-xr-xtesting/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf27
-rwxr-xr-xtesting/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables (renamed from testing/tests/esp-ah-tunnel/hosts/moon/etc/init.d/iptables)0
-rwxr-xr-xtesting/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf (renamed from testing/tests/esp-ah-tunnel/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/esp-ah-tunnel/posttest.dat (renamed from testing/tests/esp-ah-tunnel/posttest.dat)2
-rw-r--r--testing/tests/ikev1/esp-ah-tunnel/pretest.dat (renamed from testing/tests/esp-ah-tunnel/pretest.dat)0
-rw-r--r--testing/tests/ikev1/esp-ah-tunnel/test.conf (renamed from testing/tests/esp-ah-tunnel/test.conf)0
-rw-r--r--testing/tests/ikev1/esp-alg-des/description.txt (renamed from testing/tests/esp-alg-des/description.txt)0
-rw-r--r--testing/tests/ikev1/esp-alg-des/evaltest.dat (renamed from testing/tests/esp-alg-des/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf (renamed from testing/tests/esp-alg-weak/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf (renamed from testing/tests/esp-alg-des/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/esp-alg-des/posttest.dat (renamed from testing/tests/esp-alg-des/posttest.dat)0
-rw-r--r--testing/tests/ikev1/esp-alg-des/pretest.dat (renamed from testing/tests/esp-alg-des/pretest.dat)0
-rw-r--r--testing/tests/ikev1/esp-alg-des/test.conf (renamed from testing/tests/esp-alg-des/test.conf)0
-rw-r--r--testing/tests/ikev1/esp-alg-null/description.txt (renamed from testing/tests/esp-alg-null/description.txt)0
-rw-r--r--testing/tests/ikev1/esp-alg-null/evaltest.dat (renamed from testing/tests/esp-alg-null/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf (renamed from testing/tests/esp-alg-null/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf (renamed from testing/tests/esp-alg-null/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/esp-alg-null/posttest.dat (renamed from testing/tests/esp-alg-null/posttest.dat)0
-rw-r--r--testing/tests/ikev1/esp-alg-null/pretest.dat (renamed from testing/tests/esp-alg-weak/pretest.dat)0
-rw-r--r--testing/tests/ikev1/esp-alg-null/test.conf (renamed from testing/tests/esp-alg-null/test.conf)0
-rw-r--r--testing/tests/ikev1/esp-alg-strict-fail/description.txt (renamed from testing/tests/esp-alg-strict-fail/description.txt)0
-rw-r--r--testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat (renamed from testing/tests/esp-alg-strict-fail/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf (renamed from testing/tests/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/esp-alg-strict-fail/posttest.dat (renamed from testing/tests/esp-alg-strict-fail/posttest.dat)0
-rw-r--r--testing/tests/ikev1/esp-alg-strict-fail/pretest.dat (renamed from testing/tests/esp-alg-null/pretest.dat)0
-rw-r--r--testing/tests/ikev1/esp-alg-strict-fail/test.conf (renamed from testing/tests/esp-alg-strict-fail/test.conf)0
-rw-r--r--testing/tests/ikev1/esp-alg-strict/description.txt (renamed from testing/tests/esp-alg-strict/description.txt)0
-rw-r--r--testing/tests/ikev1/esp-alg-strict/evaltest.dat (renamed from testing/tests/esp-alg-strict/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf (renamed from testing/tests/esp-alg-strict/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf (renamed from testing/tests/esp-alg-strict/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/esp-alg-strict/posttest.dat (renamed from testing/tests/esp-alg-strict/posttest.dat)0
-rw-r--r--testing/tests/ikev1/esp-alg-strict/pretest.dat (renamed from testing/tests/esp-alg-strict-fail/pretest.dat)0
-rw-r--r--testing/tests/ikev1/esp-alg-strict/test.conf (renamed from testing/tests/esp-alg-strict/test.conf)0
-rw-r--r--testing/tests/ikev1/esp-alg-weak/description.txt (renamed from testing/tests/esp-alg-weak/description.txt)0
-rw-r--r--testing/tests/ikev1/esp-alg-weak/evaltest.dat (renamed from testing/tests/esp-alg-weak/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf (renamed from testing/tests/esp-alg-des/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf (renamed from testing/tests/esp-alg-weak/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/esp-alg-weak/posttest.dat (renamed from testing/tests/esp-alg-weak/posttest.dat)0
-rw-r--r--testing/tests/ikev1/esp-alg-weak/pretest.dat (renamed from testing/tests/ike-alg-sha2_512/pretest.dat)0
-rw-r--r--testing/tests/ikev1/esp-alg-weak/test.conf (renamed from testing/tests/esp-alg-weak/test.conf)0
-rw-r--r--testing/tests/ikev1/host2host-cert/description.txt (renamed from testing/tests/host2host-cert/description.txt)0
-rw-r--r--testing/tests/ikev1/host2host-cert/evaltest.dat (renamed from testing/tests/host2host-cert/evaltest.dat)0
-rw-r--r--testing/tests/ikev1/host2host-cert/posttest.dat (renamed from testing/tests/host2host-transport/posttest.dat)2
-rw-r--r--testing/tests/ikev1/host2host-cert/pretest.dat (renamed from testing/tests/host2host-cert/pretest.dat)0
-rw-r--r--testing/tests/ikev1/host2host-cert/test.conf (renamed from testing/tests/host2host-cert/test.conf)0
-rw-r--r--testing/tests/ikev1/host2host-swapped/description.txt (renamed from testing/tests/host2host-swapped/description.txt)0
-rw-r--r--testing/tests/ikev1/host2host-swapped/evaltest.dat (renamed from testing/tests/host2host-swapped/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf (renamed from testing/tests/host2host-swapped/hosts/moon/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf (renamed from testing/tests/host2host-swapped/hosts/sun/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/host2host-swapped/posttest.dat (renamed from testing/tests/net2net-cert/posttest.dat)2
-rw-r--r--testing/tests/ikev1/host2host-swapped/pretest.dat (renamed from testing/tests/host2host-swapped/pretest.dat)0
-rw-r--r--testing/tests/ikev1/host2host-swapped/test.conf (renamed from testing/tests/host2host-swapped/test.conf)0
-rw-r--r--testing/tests/ikev1/host2host-transport/description.txt (renamed from testing/tests/host2host-transport/description.txt)0
-rw-r--r--testing/tests/ikev1/host2host-transport/evaltest.dat (renamed from testing/tests/host2host-transport/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf (renamed from testing/tests/host2host-transport/hosts/moon/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf (renamed from testing/tests/host2host-transport/hosts/sun/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/host2host-transport/posttest.dat (renamed from testing/tests/host2host-cert/posttest.dat)2
-rw-r--r--testing/tests/ikev1/host2host-transport/pretest.dat (renamed from testing/tests/host2host-transport/pretest.dat)0
-rw-r--r--testing/tests/ikev1/host2host-transport/test.conf (renamed from testing/tests/host2host-transport/test.conf)0
-rw-r--r--testing/tests/ikev1/ike-alg-sha2_384/description.txt (renamed from testing/tests/ike-alg-sha2_384/description.txt)0
-rw-r--r--testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat (renamed from testing/tests/ike-alg-sha2_384/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf)1
-rwxr-xr-xtesting/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/ike-alg-sha2_384/posttest.dat (renamed from testing/tests/ike-alg-sha2_384/posttest.dat)0
-rw-r--r--testing/tests/ikev1/ike-alg-sha2_384/pretest.dat (renamed from testing/tests/ike-alg-sha2_384/pretest.dat)2
-rw-r--r--testing/tests/ikev1/ike-alg-sha2_384/test.conf (renamed from testing/tests/ike-alg-sha2_384/test.conf)0
-rw-r--r--testing/tests/ikev1/ike-alg-sha2_512/description.txt (renamed from testing/tests/ike-alg-sha2_512/description.txt)0
-rw-r--r--testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat (renamed from testing/tests/ike-alg-sha2_512/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/ike-alg-sha2_512/posttest.dat (renamed from testing/tests/ike-alg-sha2_512/posttest.dat)0
-rw-r--r--testing/tests/ikev1/ike-alg-sha2_512/pretest.dat5
-rw-r--r--testing/tests/ikev1/ike-alg-sha2_512/test.conf (renamed from testing/tests/ike-alg-sha2_512/test.conf)0
-rw-r--r--testing/tests/ikev1/ike-alg-strict-fail/description.txt (renamed from testing/tests/ike-alg-strict-fail/description.txt)0
-rw-r--r--testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat (renamed from testing/tests/ike-alg-strict-fail/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ike-alg-strict/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/ike-alg-strict-fail/posttest.dat (renamed from testing/tests/ike-alg-strict-fail/posttest.dat)0
-rw-r--r--testing/tests/ikev1/ike-alg-strict-fail/pretest.dat (renamed from testing/tests/esp-alg-strict/pretest.dat)0
-rw-r--r--testing/tests/ikev1/ike-alg-strict-fail/test.conf (renamed from testing/tests/ike-alg-strict-fail/test.conf)0
-rw-r--r--testing/tests/ikev1/ike-alg-strict/description.txt (renamed from testing/tests/ike-alg-strict/description.txt)0
-rw-r--r--testing/tests/ikev1/ike-alg-strict/evaltest.dat (renamed from testing/tests/ike-alg-strict/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ike-alg-strict/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/ike-alg-strict/posttest.dat (renamed from testing/tests/ike-alg-strict/posttest.dat)0
-rw-r--r--testing/tests/ikev1/ike-alg-strict/pretest.dat (renamed from testing/tests/ike-alg-strict-fail/pretest.dat)0
-rw-r--r--testing/tests/ikev1/ike-alg-strict/test.conf (renamed from testing/tests/ike-alg-strict/test.conf)0
-rw-r--r--testing/tests/ikev1/mode-config-push/description.txt (renamed from testing/tests/mode-config-push/description.txt)0
-rw-r--r--testing/tests/ikev1/mode-config-push/evaltest.dat (renamed from testing/tests/mode-config-push/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf (renamed from testing/tests/mode-config-push/hosts/carol/etc/ipsec.conf)5
-rwxr-xr-xtesting/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf (renamed from testing/tests/mode-config-push/hosts/dave/etc/ipsec.conf)5
-rwxr-xr-xtesting/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf (renamed from testing/tests/mode-config-push/hosts/moon/etc/ipsec.conf)9
-rw-r--r--testing/tests/ikev1/mode-config-push/posttest.dat8
-rw-r--r--testing/tests/ikev1/mode-config-push/pretest.dat (renamed from testing/tests/mode-config-swapped/pretest.dat)1
-rw-r--r--testing/tests/ikev1/mode-config-push/test.conf (renamed from testing/tests/mode-config-push/test.conf)0
-rw-r--r--testing/tests/ikev1/mode-config-swapped/description.txt (renamed from testing/tests/mode-config-swapped/description.txt)0
-rw-r--r--testing/tests/ikev1/mode-config-swapped/evaltest.dat (renamed from testing/tests/mode-config/evaltest.dat)4
-rwxr-xr-xtesting/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf (renamed from testing/tests/mode-config-swapped/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf (renamed from testing/tests/mode-config-swapped/hosts/dave/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf (renamed from testing/tests/mode-config-swapped/hosts/moon/etc/ipsec.conf)9
-rw-r--r--testing/tests/ikev1/mode-config-swapped/posttest.dat8
-rw-r--r--testing/tests/ikev1/mode-config-swapped/pretest.dat (renamed from testing/tests/mode-config-push/pretest.dat)0
-rw-r--r--testing/tests/ikev1/mode-config-swapped/test.conf (renamed from testing/tests/mode-config-swapped/test.conf)0
-rw-r--r--testing/tests/ikev1/mode-config/description.txt (renamed from testing/tests/mode-config/description.txt)0
-rw-r--r--testing/tests/ikev1/mode-config/evaltest.dat (renamed from testing/tests/starter-includes/evaltest.dat)4
-rwxr-xr-xtesting/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf29
-rwxr-xr-xtesting/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf (renamed from testing/tests/starter-includes/hosts/dave/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf (renamed from testing/tests/mode-config/hosts/moon/etc/ipsec.conf)9
-rw-r--r--testing/tests/ikev1/mode-config/posttest.dat8
-rw-r--r--testing/tests/ikev1/mode-config/pretest.dat (renamed from testing/tests/mode-config/pretest.dat)1
-rw-r--r--testing/tests/ikev1/mode-config/test.conf (renamed from testing/tests/mode-config/test.conf)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/description.txt (renamed from testing/tests/multi-level-ca-ldap/description.txt)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat (renamed from testing/tests/multi-level-ca-ldap/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf (renamed from testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem (renamed from testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem (renamed from testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf (renamed from testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem (renamed from testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem (renamed from testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem)0
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables (renamed from testing/tests/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables)0
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf (renamed from testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem (renamed from testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem (renamed from testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/posttest.dat (renamed from testing/tests/multi-level-ca-ldap/posttest.dat)1
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/pretest.dat (renamed from testing/tests/multi-level-ca-ldap/pretest.dat)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-ldap/test.conf (renamed from testing/tests/multi-level-ca-ldap/test.conf)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-loop/description.txt (renamed from testing/tests/multi-level-ca-loop/description.txt)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-loop/evaltest.dat (renamed from testing/tests/multi-level-ca-loop/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf (renamed from testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem (renamed from testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem (renamed from testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf (renamed from testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem (renamed from testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem (renamed from testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-loop/posttest.dat (renamed from testing/tests/multi-level-ca-loop/posttest.dat)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-loop/pretest.dat (renamed from testing/tests/multi-level-ca-loop/pretest.dat)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-loop/test.conf (renamed from testing/tests/multi-level-ca-loop/test.conf)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-revoked/description.txt (renamed from testing/tests/multi-level-ca-revoked/description.txt)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat (renamed from testing/tests/multi-level-ca-revoked/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem (renamed from testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem (renamed from testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf (renamed from testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem (renamed from testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-revoked/posttest.dat (renamed from testing/tests/multi-level-ca-revoked/posttest.dat)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-revoked/pretest.dat (renamed from testing/tests/multi-level-ca-revoked/pretest.dat)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-revoked/test.conf (renamed from testing/tests/multi-level-ca-revoked/test.conf)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-strict/description.txt (renamed from testing/tests/multi-level-ca-strict/description.txt)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-strict/evaltest.dat (renamed from testing/tests/multi-level-ca-strict/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf (renamed from testing/tests/wildcards/hosts/carol/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem (renamed from testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem (renamed from testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf (renamed from testing/tests/wildcards/hosts/dave/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem (renamed from testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem (renamed from testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem)0
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf (renamed from testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem (renamed from testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem (renamed from testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-strict/posttest.dat (renamed from testing/tests/multi-level-ca-strict/posttest.dat)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-strict/pretest.dat (renamed from testing/tests/multi-level-ca-strict/pretest.dat)0
-rw-r--r--testing/tests/ikev1/multi-level-ca-strict/test.conf (renamed from testing/tests/multi-level-ca-strict/test.conf)0
-rw-r--r--testing/tests/ikev1/multi-level-ca/description.txt (renamed from testing/tests/multi-level-ca/description.txt)0
-rw-r--r--testing/tests/ikev1/multi-level-ca/evaltest.dat (renamed from testing/tests/multi-level-ca/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf (renamed from testing/tests/multi-level-ca/hosts/carol/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem (renamed from testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem (renamed from testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/multi-level-ca/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf (renamed from testing/tests/multi-level-ca/hosts/dave/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem (renamed from testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem (renamed from testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem)0
-rwxr-xr-xtesting/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf (renamed from testing/tests/multi-level-ca/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem (renamed from testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem (renamed from testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem)0
-rw-r--r--testing/tests/ikev1/multi-level-ca/posttest.dat (renamed from testing/tests/multi-level-ca/posttest.dat)0
-rw-r--r--testing/tests/ikev1/multi-level-ca/pretest.dat (renamed from testing/tests/multi-level-ca/pretest.dat)0
-rw-r--r--testing/tests/ikev1/multi-level-ca/test.conf (renamed from testing/tests/multi-level-ca/test.conf)0
-rw-r--r--testing/tests/ikev1/nat-before-esp/description.txt6
-rw-r--r--testing/tests/ikev1/nat-before-esp/evaltest.dat9
-rwxr-xr-xtesting/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables83
-rwxr-xr-xtesting/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev1/nat-before-esp/posttest.dat (renamed from testing/tests/host2host-swapped/posttest.dat)3
-rw-r--r--testing/tests/ikev1/nat-before-esp/pretest.dat6
-rw-r--r--testing/tests/ikev1/nat-before-esp/test.conf21
-rw-r--r--testing/tests/ikev1/nat-one-rw/description.txt (renamed from testing/tests/nat-one-rw/description.txt)0
-rw-r--r--testing/tests/ikev1/nat-one-rw/evaltest.dat (renamed from testing/tests/nat-one-rw/evaltest.dat)0
-rw-r--r--testing/tests/ikev1/nat-one-rw/posttest.dat (renamed from testing/tests/nat-one-rw/posttest.dat)4
-rw-r--r--testing/tests/ikev1/nat-one-rw/pretest.dat (renamed from testing/tests/nat-one-rw/pretest.dat)0
-rw-r--r--testing/tests/ikev1/nat-one-rw/test.conf (renamed from testing/tests/nat-one-rw/test.conf)0
-rw-r--r--testing/tests/ikev1/nat-two-rw-psk/description.txt6
-rw-r--r--testing/tests/ikev1/nat-two-rw-psk/evaltest.dat9
-rwxr-xr-xtesting/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets (renamed from testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev1/nat-two-rw-psk/posttest.dat (renamed from testing/tests/nat-two-rw/posttest.dat)5
-rw-r--r--testing/tests/ikev1/nat-two-rw-psk/pretest.dat16
-rw-r--r--testing/tests/ikev1/nat-two-rw-psk/test.conf (renamed from testing/tests/nat-two-rw/test.conf)0
-rw-r--r--testing/tests/ikev1/nat-two-rw/description.txt (renamed from testing/tests/nat-two-rw/description.txt)0
-rw-r--r--testing/tests/ikev1/nat-two-rw/evaltest.dat (renamed from testing/tests/nat-two-rw/evaltest.dat)0
-rw-r--r--testing/tests/ikev1/nat-two-rw/posttest.dat8
-rw-r--r--testing/tests/ikev1/nat-two-rw/pretest.dat (renamed from testing/tests/nat-two-rw/pretest.dat)0
-rw-r--r--testing/tests/ikev1/nat-two-rw/test.conf21
-rw-r--r--testing/tests/ikev1/net2net-cert/description.txt (renamed from testing/tests/net2net-cert/description.txt)0
-rw-r--r--testing/tests/ikev1/net2net-cert/evaltest.dat (renamed from testing/tests/net2net-cert/evaltest.dat)0
-rw-r--r--testing/tests/ikev1/net2net-cert/posttest.dat4
-rw-r--r--testing/tests/ikev1/net2net-cert/pretest.dat (renamed from testing/tests/net2net-cert/pretest.dat)0
-rw-r--r--testing/tests/ikev1/net2net-cert/test.conf (renamed from testing/tests/net2net-cert/test.conf)0
-rw-r--r--testing/tests/ikev1/net2net-pgp/description.txt (renamed from testing/tests/net2net-pgp/description.txt)0
-rw-r--r--testing/tests/ikev1/net2net-pgp/evaltest.dat (renamed from testing/tests/net2net-pgp/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf (renamed from testing/tests/net2net-pgp/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc (renamed from testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc)0
-rw-r--r--testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc (renamed from testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc)0
-rw-r--r--testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc (renamed from testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc)0
-rw-r--r--testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/net2net-pgp/hosts/moon/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf (renamed from testing/tests/net2net-pgp/hosts/sun/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc (renamed from testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc)0
-rw-r--r--testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc (renamed from testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc)0
-rw-r--r--testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc (renamed from testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc)0
-rw-r--r--testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets (renamed from testing/tests/net2net-pgp/hosts/sun/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/net2net-pgp/posttest.dat (renamed from testing/tests/net2net-pgp/posttest.dat)2
-rw-r--r--testing/tests/ikev1/net2net-pgp/pretest.dat (renamed from testing/tests/net2net-pgp/pretest.dat)0
-rw-r--r--testing/tests/ikev1/net2net-pgp/test.conf (renamed from testing/tests/net2net-pgp/test.conf)0
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/description.txt (renamed from testing/tests/net2net-psk-fail/description.txt)0
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/evaltest.dat (renamed from testing/tests/net2net-psk-fail/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf (renamed from testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf (renamed from testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets (renamed from testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/posttest.dat (renamed from testing/tests/net2net-psk-fail/posttest.dat)0
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/pretest.dat (renamed from testing/tests/net2net-psk-fail/pretest.dat)0
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/test.conf (renamed from testing/tests/net2net-psk-fail/test.conf)0
-rw-r--r--testing/tests/ikev1/net2net-psk/description.txt (renamed from testing/tests/net2net-psk/description.txt)0
-rw-r--r--testing/tests/ikev1/net2net-psk/evaltest.dat (renamed from testing/tests/net2net-psk/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf (renamed from testing/tests/net2net-psk/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/net2net-psk/hosts/moon/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf (renamed from testing/tests/net2net-psk/hosts/sun/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.secrets (renamed from testing/tests/net2net-psk/hosts/sun/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/net2net-psk/posttest.dat4
-rw-r--r--testing/tests/ikev1/net2net-psk/pretest.dat (renamed from testing/tests/net2net-psk/pretest.dat)0
-rw-r--r--testing/tests/ikev1/net2net-psk/test.conf (renamed from testing/tests/net2net-psk/test.conf)0
-rw-r--r--testing/tests/ikev1/net2net-route/description.txt (renamed from testing/tests/net2net-route/description.txt)0
-rw-r--r--testing/tests/ikev1/net2net-route/evaltest.dat (renamed from testing/tests/net2net-route/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf (renamed from testing/tests/net2net-route/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/net2net-route/posttest.dat4
-rw-r--r--testing/tests/ikev1/net2net-route/pretest.dat (renamed from testing/tests/net2net-route/pretest.dat)0
-rw-r--r--testing/tests/ikev1/net2net-route/test.conf (renamed from testing/tests/net2net-route/test.conf)0
-rw-r--r--testing/tests/ikev1/net2net-rsa/description.txt (renamed from testing/tests/net2net-rsa/description.txt)0
-rw-r--r--testing/tests/ikev1/net2net-rsa/evaltest.dat (renamed from testing/tests/net2net-rsa/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf (renamed from testing/tests/net2net-rsa/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/net2net-rsa/hosts/moon/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf (renamed from testing/tests/net2net-rsa/hosts/sun/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets (renamed from testing/tests/net2net-rsa/hosts/sun/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/net2net-rsa/posttest.dat4
-rw-r--r--testing/tests/ikev1/net2net-rsa/pretest.dat (renamed from testing/tests/net2net-rsa/pretest.dat)0
-rw-r--r--testing/tests/ikev1/net2net-rsa/test.conf (renamed from testing/tests/net2net-rsa/test.conf)0
-rw-r--r--testing/tests/ikev1/net2net-start/description.txt (renamed from testing/tests/net2net-start/description.txt)0
-rw-r--r--testing/tests/ikev1/net2net-start/evaltest.dat (renamed from testing/tests/net2net-start/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf (renamed from testing/tests/net2net-start/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/net2net-start/posttest.dat4
-rw-r--r--testing/tests/ikev1/net2net-start/pretest.dat (renamed from testing/tests/net2net-start/pretest.dat)0
-rw-r--r--testing/tests/ikev1/net2net-start/test.conf (renamed from testing/tests/net2net-start/test.conf)0
-rw-r--r--testing/tests/ikev1/no-priv-key/description.txt (renamed from testing/tests/no-priv-key/description.txt)0
-rw-r--r--testing/tests/ikev1/no-priv-key/evaltest.dat (renamed from testing/tests/no-priv-key/evaltest.dat)0
-rw-r--r--testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/no-priv-key/hosts/carol/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/no-priv-key/posttest.dat (renamed from testing/tests/no-priv-key/posttest.dat)0
-rw-r--r--testing/tests/ikev1/no-priv-key/pretest.dat (renamed from testing/tests/no-priv-key/pretest.dat)0
-rw-r--r--testing/tests/ikev1/no-priv-key/test.conf (renamed from testing/tests/no-priv-key/test.conf)0
-rw-r--r--testing/tests/ikev1/ocsp-revoked/description.txt (renamed from testing/tests/ocsp-revoked/description.txt)0
-rw-r--r--testing/tests/ikev1/ocsp-revoked/evaltest.dat (renamed from testing/tests/ocsp-revoked/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem (renamed from testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem)0
-rw-r--r--testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem (renamed from testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem)0
-rw-r--r--testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ocsp-strict/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/ocsp-revoked/posttest.dat (renamed from testing/tests/ocsp-revoked/posttest.dat)1
-rw-r--r--testing/tests/ikev1/ocsp-revoked/pretest.dat (renamed from testing/tests/xauth-rsa-nosecret/pretest.dat)2
-rw-r--r--testing/tests/ikev1/ocsp-revoked/test.conf (renamed from testing/tests/ocsp-revoked/test.conf)0
-rw-r--r--testing/tests/ikev1/ocsp-strict/description.txt (renamed from testing/tests/ocsp-strict/description.txt)0
-rw-r--r--testing/tests/ikev1/ocsp-strict/evaltest.dat (renamed from testing/tests/ocsp-strict/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf (renamed from testing/tests/ocsp-strict/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf (renamed from testing/tests/ocsp-revoked/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/ocsp-strict/posttest.dat (renamed from testing/tests/rw-psk-no-policy/posttest.dat)0
-rw-r--r--testing/tests/ikev1/ocsp-strict/pretest.dat (renamed from testing/tests/ocsp-revoked/pretest.dat)1
-rw-r--r--testing/tests/ikev1/ocsp-strict/test.conf (renamed from testing/tests/ocsp-strict/test.conf)0
-rw-r--r--testing/tests/ikev1/protoport-dual/description.txt (renamed from testing/tests/protoport-dual/description.txt)0
-rw-r--r--testing/tests/ikev1/protoport-dual/evaltest.dat (renamed from testing/tests/protoport-dual/evaltest.dat)2
-rwxr-xr-xtesting/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf (renamed from testing/tests/protoport-dual/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf (renamed from testing/tests/protoport-dual/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/protoport-dual/posttest.dat (renamed from testing/tests/protoport-pass/posttest.dat)2
-rw-r--r--testing/tests/ikev1/protoport-dual/pretest.dat (renamed from testing/tests/protoport-dual/pretest.dat)0
-rw-r--r--testing/tests/ikev1/protoport-dual/test.conf (renamed from testing/tests/protoport-dual/test.conf)0
-rw-r--r--testing/tests/ikev1/protoport-pass/description.txt (renamed from testing/tests/protoport-pass/description.txt)0
-rw-r--r--testing/tests/ikev1/protoport-pass/evaltest.dat (renamed from testing/tests/protoport-pass/evaltest.dat)2
-rwxr-xr-xtesting/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf (renamed from testing/tests/protoport-pass/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf (renamed from testing/tests/protoport-pass/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/protoport-pass/posttest.dat (renamed from testing/tests/protoport-dual/posttest.dat)2
-rw-r--r--testing/tests/ikev1/protoport-pass/pretest.dat (renamed from testing/tests/protoport-pass/pretest.dat)0
-rw-r--r--testing/tests/ikev1/protoport-pass/test.conf (renamed from testing/tests/protoport-pass/test.conf)0
-rw-r--r--testing/tests/ikev1/protoport-route/description.txt (renamed from testing/tests/protoport-route/description.txt)0
-rw-r--r--testing/tests/ikev1/protoport-route/evaltest.dat (renamed from testing/tests/protoport-route/evaltest.dat)2
-rwxr-xr-xtesting/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf (renamed from testing/tests/protoport-route/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf (renamed from testing/tests/protoport-route/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/protoport-route/posttest.dat4
-rw-r--r--testing/tests/ikev1/protoport-route/pretest.dat (renamed from testing/tests/protoport-route/pretest.dat)0
-rw-r--r--testing/tests/ikev1/protoport-route/test.conf (renamed from testing/tests/protoport-route/test.conf)0
-rw-r--r--testing/tests/ikev1/req-pkcs10/description.txt (renamed from testing/tests/req-pkcs10/description.txt)0
-rw-r--r--testing/tests/ikev1/req-pkcs10/evaltest.dat (renamed from testing/tests/req-pkcs10/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf28
-rw-r--r--testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/req-pkcs10/hosts/carol/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf (renamed from testing/tests/req-pkcs10/hosts/carol/etc/scepclient.conf)0
-rw-r--r--testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/req-pkcs10/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf (renamed from testing/tests/req-pkcs10/hosts/moon/etc/scepclient.conf)0
-rw-r--r--testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt (renamed from testing/tests/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt)0
-rw-r--r--testing/tests/ikev1/req-pkcs10/posttest.dat (renamed from testing/tests/req-pkcs10/posttest.dat)2
-rw-r--r--testing/tests/ikev1/req-pkcs10/pretest.dat (renamed from testing/tests/req-pkcs10/pretest.dat)0
-rw-r--r--testing/tests/ikev1/req-pkcs10/test.conf (renamed from testing/tests/req-pkcs10/test.conf)0
-rw-r--r--testing/tests/ikev1/rw-cert/description.txt (renamed from testing/tests/rw-cert/description.txt)0
-rw-r--r--testing/tests/ikev1/rw-cert/evaltest.dat (renamed from testing/tests/rw-cert/evaltest.dat)0
-rw-r--r--testing/tests/ikev1/rw-cert/posttest.dat4
-rw-r--r--testing/tests/ikev1/rw-cert/pretest.dat (renamed from testing/tests/virtual-ip-swapped/pretest.dat)0
-rw-r--r--testing/tests/ikev1/rw-cert/test.conf (renamed from testing/tests/rw-cert/test.conf)0
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn-named/description.txt (renamed from testing/tests/rw-psk-fqdn-named/description.txt)0
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat (renamed from testing/tests/rw-psk-fqdn-named/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf (renamed from testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf (renamed from testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat4
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat (renamed from testing/tests/rw-psk-fqdn-named/pretest.dat)0
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn-named/test.conf (renamed from testing/tests/rw-psk-fqdn-named/test.conf)0
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/description.txt (renamed from testing/tests/rw-psk-fqdn/description.txt)0
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/evaltest.dat (renamed from testing/tests/rw-psk-fqdn/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf (renamed from testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf (renamed from testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets)4
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/posttest.dat4
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/pretest.dat (renamed from testing/tests/rw-psk-fqdn/pretest.dat)0
-rw-r--r--testing/tests/ikev1/rw-psk-fqdn/test.conf (renamed from testing/tests/rw-psk-fqdn/test.conf)0
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/description.txt (renamed from testing/tests/rw-psk-ipv4/description.txt)0
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/evaltest.dat (renamed from testing/tests/rw-psk-ipv4/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf (renamed from testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf (renamed from testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/posttest.dat4
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/pretest.dat (renamed from testing/tests/rw-psk-ipv4/pretest.dat)0
-rw-r--r--testing/tests/ikev1/rw-psk-ipv4/test.conf (renamed from testing/tests/rw-psk-ipv4/test.conf)0
-rw-r--r--testing/tests/ikev1/rw-psk-no-policy/description.txt (renamed from testing/tests/rw-psk-no-policy/description.txt)0
-rw-r--r--testing/tests/ikev1/rw-psk-no-policy/evaltest.dat (renamed from testing/tests/rw-psk-no-policy/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf (renamed from testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf (renamed from testing/tests/rw-psk-no-policy/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/rw-psk-no-policy/posttest.dat (renamed from testing/tests/rw-rsa-no-policy/posttest.dat)0
-rw-r--r--testing/tests/ikev1/rw-psk-no-policy/pretest.dat (renamed from testing/tests/rw-psk-no-policy/pretest.dat)0
-rw-r--r--testing/tests/ikev1/rw-psk-no-policy/test.conf (renamed from testing/tests/rw-psk-no-policy/test.conf)0
-rw-r--r--testing/tests/ikev1/rw-psk-rsa-mixed/description.txt (renamed from testing/tests/rw-psk-rsa-mixed/description.txt)0
-rw-r--r--testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat (renamed from testing/tests/rw-psk-rsa-mixed/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf (renamed from testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf (renamed from testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat (renamed from testing/tests/wildcards/posttest.dat)0
-rw-r--r--testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat (renamed from testing/tests/rw-psk-rsa-mixed/pretest.dat)0
-rw-r--r--testing/tests/ikev1/rw-psk-rsa-mixed/test.conf (renamed from testing/tests/rw-psk-rsa-mixed/test.conf)0
-rw-r--r--testing/tests/ikev1/rw-rsa-no-policy/description.txt (renamed from testing/tests/rw-rsa-no-policy/description.txt)0
-rw-r--r--testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat (renamed from testing/tests/rw-rsa-no-policy/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf (renamed from testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf)2
-rw-r--r--testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev1/rw-rsa-no-policy/posttest.dat (renamed from testing/tests/xauth-rsa-fail/posttest.dat)0
-rw-r--r--testing/tests/ikev1/rw-rsa-no-policy/pretest.dat (renamed from testing/tests/rw-rsa-no-policy/pretest.dat)0
-rw-r--r--testing/tests/ikev1/rw-rsa-no-policy/test.conf (renamed from testing/tests/rw-rsa-no-policy/test.conf)0
-rw-r--r--testing/tests/ikev1/self-signed/description.txt (renamed from testing/tests/self-signed/description.txt)0
-rw-r--r--testing/tests/ikev1/self-signed/evaltest.dat (renamed from testing/tests/default-keys/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf (renamed from testing/tests/self-signed/hosts/carol/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/self-signed/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables (renamed from testing/tests/self-signed/hosts/moon/etc/init.d/iptables)0
-rwxr-xr-xtesting/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf (renamed from testing/tests/self-signed/hosts/moon/etc/ipsec.conf)5
-rw-r--r--testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/self-signed/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf (renamed from testing/tests/self-signed/hosts/moon/etc/scepclient.conf)0
-rw-r--r--testing/tests/ikev1/self-signed/posttest.dat (renamed from testing/tests/self-signed/posttest.dat)2
-rw-r--r--testing/tests/ikev1/self-signed/pretest.dat (renamed from testing/tests/self-signed/pretest.dat)0
-rw-r--r--testing/tests/ikev1/self-signed/test.conf (renamed from testing/tests/self-signed/test.conf)0
-rw-r--r--testing/tests/ikev1/starter-also-loop/description.txt (renamed from testing/tests/starter-also-loop/description.txt)0
-rw-r--r--testing/tests/ikev1/starter-also-loop/evaltest.dat (renamed from testing/tests/starter-also-loop/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf (renamed from testing/tests/starter-also-loop/hosts/moon/etc/ipsec.conf)7
-rw-r--r--testing/tests/ikev1/starter-also-loop/posttest.dat (renamed from testing/tests/starter-also-loop/posttest.dat)0
-rw-r--r--testing/tests/ikev1/starter-also-loop/pretest.dat (renamed from testing/tests/starter-also-loop/pretest.dat)0
-rw-r--r--testing/tests/ikev1/starter-also-loop/test.conf (renamed from testing/tests/starter-also-loop/test.conf)0
-rw-r--r--testing/tests/ikev1/starter-also/description.txt (renamed from testing/tests/starter-also/description.txt)0
-rw-r--r--testing/tests/ikev1/starter-also/evaltest.dat (renamed from testing/tests/starter-also/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf (renamed from testing/tests/starter-also/hosts/moon/etc/ipsec.conf)7
-rw-r--r--testing/tests/ikev1/starter-also/posttest.dat4
-rw-r--r--testing/tests/ikev1/starter-also/pretest.dat (renamed from testing/tests/starter-also/pretest.dat)0
-rw-r--r--testing/tests/ikev1/starter-also/test.conf (renamed from testing/tests/starter-also/test.conf)0
-rw-r--r--testing/tests/ikev1/starter-includes/description.txt (renamed from testing/tests/starter-includes/description.txt)0
-rw-r--r--testing/tests/ikev1/starter-includes/evaltest.dat (renamed from testing/tests/mode-config-swapped/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf29
-rwxr-xr-xtesting/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf29
-rwxr-xr-xtesting/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf (renamed from testing/tests/starter-includes/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections (renamed from testing/tests/starter-includes/hosts/moon/etc/ipsec.connections)0
-rwxr-xr-xtesting/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host (renamed from testing/tests/starter-includes/hosts/moon/etc/ipsec.host)2
-rw-r--r--testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol (renamed from testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol)2
-rw-r--r--testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave (renamed from testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave)2
-rw-r--r--testing/tests/ikev1/starter-includes/posttest.dat (renamed from testing/tests/starter-includes/posttest.dat)7
-rw-r--r--testing/tests/ikev1/starter-includes/pretest.dat (renamed from testing/tests/starter-includes/pretest.dat)1
-rw-r--r--testing/tests/ikev1/starter-includes/test.conf (renamed from testing/tests/starter-includes/test.conf)0
-rw-r--r--testing/tests/ikev1/strong-certs/description.txt (renamed from testing/tests/strong-certs/description.txt)0
-rw-r--r--testing/tests/ikev1/strong-certs/evaltest.dat (renamed from testing/tests/strong-certs/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf (renamed from testing/tests/strong-certs/hosts/carol/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem (renamed from testing/tests/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem)0
-rw-r--r--testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem (renamed from testing/tests/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem)0
-rw-r--r--testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/strong-certs/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf (renamed from testing/tests/strong-certs/hosts/dave/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem (renamed from testing/tests/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem)0
-rw-r--r--testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem (renamed from testing/tests/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem)0
-rw-r--r--testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.secrets (renamed from testing/tests/strong-certs/hosts/dave/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf (renamed from testing/tests/strong-certs/hosts/moon/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem (renamed from testing/tests/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem)0
-rw-r--r--testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem (renamed from testing/tests/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem)0
-rw-r--r--testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/strong-certs/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/strong-certs/posttest.dat (renamed from testing/tests/strong-certs/posttest.dat)3
-rw-r--r--testing/tests/ikev1/strong-certs/pretest.dat (renamed from testing/tests/strong-certs/pretest.dat)0
-rw-r--r--testing/tests/ikev1/strong-certs/test.conf (renamed from testing/tests/strong-certs/test.conf)0
-rw-r--r--testing/tests/ikev1/virtual-ip-swapped/description.txt (renamed from testing/tests/virtual-ip-swapped/description.txt)0
-rw-r--r--testing/tests/ikev1/virtual-ip-swapped/evaltest.dat (renamed from testing/tests/virtual-ip/evaltest.dat)4
-rwxr-xr-xtesting/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf (renamed from testing/tests/virtual-ip-swapped/hosts/carol/etc/ipsec.conf)5
-rwxr-xr-xtesting/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf (renamed from testing/tests/virtual-ip-swapped/hosts/moon/etc/ipsec.conf)5
-rw-r--r--testing/tests/ikev1/virtual-ip-swapped/posttest.dat5
-rw-r--r--testing/tests/ikev1/virtual-ip-swapped/pretest.dat (renamed from testing/tests/virtual-ip/pretest.dat)0
-rw-r--r--testing/tests/ikev1/virtual-ip-swapped/test.conf (renamed from testing/tests/virtual-ip-swapped/test.conf)0
-rw-r--r--testing/tests/ikev1/virtual-ip/description.txt (renamed from testing/tests/virtual-ip/description.txt)0
-rw-r--r--testing/tests/ikev1/virtual-ip/evaltest.dat (renamed from testing/tests/virtual-ip-swapped/evaltest.dat)4
-rwxr-xr-xtesting/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf29
-rwxr-xr-xtesting/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf (renamed from testing/tests/virtual-ip/hosts/moon/etc/ipsec.conf)5
-rw-r--r--testing/tests/ikev1/virtual-ip/posttest.dat5
-rw-r--r--testing/tests/ikev1/virtual-ip/pretest.dat (renamed from testing/tests/rw-cert/pretest.dat)3
-rw-r--r--testing/tests/ikev1/virtual-ip/test.conf (renamed from testing/tests/virtual-ip/test.conf)0
-rw-r--r--testing/tests/ikev1/wildcards/description.txt (renamed from testing/tests/wildcards/description.txt)0
-rw-r--r--testing/tests/ikev1/wildcards/evaltest.dat (renamed from testing/tests/wildcards/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf (renamed from testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf (renamed from testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.conf)3
-rwxr-xr-xtesting/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf (renamed from testing/tests/wildcards/hosts/moon/etc/ipsec.conf)6
-rw-r--r--testing/tests/ikev1/wildcards/posttest.dat3
-rw-r--r--testing/tests/ikev1/wildcards/pretest.dat (renamed from testing/tests/wildcards/pretest.dat)0
-rw-r--r--testing/tests/ikev1/wildcards/test.conf (renamed from testing/tests/wildcards/test.conf)0
-rw-r--r--testing/tests/ikev1/wlan/description.txt (renamed from testing/tests/wlan/description.txt)0
-rw-r--r--testing/tests/ikev1/wlan/evaltest.dat (renamed from testing/tests/wlan/evaltest.dat)2
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables (renamed from testing/tests/wlan/hosts/alice/etc/init.d/iptables)0
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf (renamed from testing/tests/wlan/hosts/alice/etc/ipsec.conf)5
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables (renamed from testing/tests/wlan/hosts/moon/etc/init.d/iptables)0
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf (renamed from testing/tests/wlan/hosts/moon/etc/ipsec.conf)5
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables (renamed from testing/tests/wlan/hosts/venus/etc/init.d/iptables)0
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf (renamed from testing/tests/wlan/hosts/venus/etc/ipsec.conf)5
-rw-r--r--testing/tests/ikev1/wlan/posttest.dat (renamed from testing/tests/wlan/posttest.dat)4
-rw-r--r--testing/tests/ikev1/wlan/pretest.dat (renamed from testing/tests/wlan/pretest.dat)0
-rw-r--r--testing/tests/ikev1/wlan/test.conf (renamed from testing/tests/wlan/test.conf)0
-rw-r--r--testing/tests/ikev1/xauth-psk-mode-config/description.txt (renamed from testing/tests/xauth-psk-mode-config/description.txt)0
-rw-r--r--testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat (renamed from testing/tests/xauth-psk-mode-config/evaltest.dat)0
-rw-r--r--testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf (renamed from testing/tests/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf (renamed from testing/tests/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets (renamed from testing/tests/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf (renamed from testing/tests/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf)5
-rw-r--r--testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/xauth-psk-mode-config/posttest.dat8
-rw-r--r--testing/tests/ikev1/xauth-psk-mode-config/pretest.dat (renamed from testing/tests/xauth-psk-mode-config/pretest.dat)0
-rw-r--r--testing/tests/ikev1/xauth-psk-mode-config/test.conf (renamed from testing/tests/xauth-psk-mode-config/test.conf)0
-rw-r--r--testing/tests/ikev1/xauth-psk/description.txt (renamed from testing/tests/xauth-psk/description.txt)0
-rw-r--r--testing/tests/ikev1/xauth-psk/evaltest.dat (renamed from testing/tests/xauth-psk/evaltest.dat)0
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf (renamed from testing/tests/xauth-psk/hosts/carol/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/xauth-psk/hosts/carol/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf (renamed from testing/tests/xauth-psk/hosts/dave/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets (renamed from testing/tests/xauth-psk/hosts/dave/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf (renamed from testing/tests/xauth-psk/hosts/moon/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/xauth-psk/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/xauth-psk/posttest.dat (renamed from testing/tests/xauth-psk-mode-config/posttest.dat)3
-rw-r--r--testing/tests/ikev1/xauth-psk/pretest.dat (renamed from testing/tests/xauth-psk/pretest.dat)0
-rw-r--r--testing/tests/ikev1/xauth-psk/test.conf (renamed from testing/tests/xauth-psk/test.conf)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-fail/description.txt (renamed from testing/tests/xauth-rsa-fail/description.txt)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-fail/evaltest.dat (renamed from testing/tests/xauth-rsa-fail/evaltest.dat)0
-rwxr-xr-xtesting/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf (renamed from testing/tests/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf (renamed from testing/tests/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-fail/posttest.dat (renamed from testing/tests/xauth-rsa-nosecret/posttest.dat)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-fail/pretest.dat (renamed from testing/tests/xauth-rsa-fail/pretest.dat)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-fail/test.conf (renamed from testing/tests/xauth-rsa-fail/test.conf)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/description.txt (renamed from testing/tests/xauth-rsa-mode-config/description.txt)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat (renamed from testing/tests/xauth-rsa-mode-config/evaltest.dat)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf (renamed from testing/tests/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf (renamed from testing/tests/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets (renamed from testing/tests/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf (renamed from testing/tests/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf)5
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat8
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat (renamed from testing/tests/xauth-rsa-mode-config/pretest.dat)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-mode-config/test.conf (renamed from testing/tests/xauth-rsa-mode-config/test.conf)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-nosecret/description.txt (renamed from testing/tests/xauth-rsa-nosecret/description.txt)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat (renamed from testing/tests/xauth-rsa-nosecret/evaltest.dat)0
-rwxr-xr-x[-rw-r--r--]testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf (renamed from testing/tests/xauth-rsa/hosts/carol/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets)0
-rwxr-xr-xtesting/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf (renamed from testing/tests/xauth-rsa-fail/hosts/moon/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat2
-rw-r--r--testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat (renamed from testing/tests/ike-alg-strict/pretest.dat)0
-rw-r--r--testing/tests/ikev1/xauth-rsa-nosecret/test.conf (renamed from testing/tests/xauth-rsa-nosecret/test.conf)0
-rw-r--r--testing/tests/ikev1/xauth-rsa/description.txt (renamed from testing/tests/xauth-rsa/description.txt)0
-rw-r--r--testing/tests/ikev1/xauth-rsa/evaltest.dat (renamed from testing/tests/xauth-rsa/evaltest.dat)0
-rw-r--r--[-rwxr-xr-x]testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf (renamed from testing/tests/xauth-rsa-fail/hosts/carol/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets (renamed from testing/tests/xauth-rsa/hosts/carol/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf (renamed from testing/tests/xauth-rsa/hosts/dave/etc/ipsec.conf)1
-rw-r--r--testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets (renamed from testing/tests/xauth-rsa/hosts/dave/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf (renamed from testing/tests/xauth-rsa/hosts/moon/etc/ipsec.conf)3
-rw-r--r--testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets (renamed from testing/tests/xauth-rsa/hosts/moon/etc/ipsec.secrets)0
-rw-r--r--testing/tests/ikev1/xauth-rsa/posttest.dat (renamed from testing/tests/xauth-psk/posttest.dat)3
-rw-r--r--testing/tests/ikev1/xauth-rsa/pretest.dat (renamed from testing/tests/xauth-rsa/pretest.dat)0
-rw-r--r--testing/tests/ikev1/xauth-rsa/test.conf (renamed from testing/tests/xauth-rsa/test.conf)0
-rw-r--r--testing/tests/ikev2/config-payload-swapped/description.txt3
-rw-r--r--testing/tests/ikev2/config-payload-swapped/evaltest.dat20
-rwxr-xr-xtesting/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf26
-rwxr-xr-xtesting/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf26
-rwxr-xr-xtesting/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf (renamed from testing/tests/esp-ah-tunnel/hosts/carol/etc/ipsec.conf)30
-rw-r--r--testing/tests/ikev2/config-payload-swapped/posttest.dat (renamed from testing/tests/xauth-rsa-mode-config/posttest.dat)3
-rw-r--r--testing/tests/ikev2/config-payload-swapped/pretest.dat10
-rw-r--r--testing/tests/ikev2/config-payload-swapped/test.conf21
-rw-r--r--testing/tests/ikev2/config-payload/description.txt7
-rw-r--r--testing/tests/ikev2/config-payload/evaltest.dat20
-rwxr-xr-xtesting/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf25
-rwxr-xr-xtesting/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf25
-rwxr-xr-xtesting/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf32
-rw-r--r--testing/tests/ikev2/config-payload/posttest.dat (renamed from testing/tests/xauth-rsa/posttest.dat)3
-rw-r--r--testing/tests/ikev2/config-payload/pretest.dat10
-rw-r--r--testing/tests/ikev2/config-payload/test.conf21
-rw-r--r--testing/tests/ikev2/crl-from-cache/description.txt5
-rw-r--r--testing/tests/ikev2/crl-from-cache/evaltest.dat8
-rwxr-xr-xtesting/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/crl-from-cache/posttest.dat4
-rw-r--r--testing/tests/ikev2/crl-from-cache/pretest.dat8
-rw-r--r--testing/tests/ikev2/crl-from-cache/test.conf21
-rw-r--r--testing/tests/ikev2/crl-ldap/description.txt6
-rw-r--r--testing/tests/ikev2/crl-ldap/evaltest.dat12
-rwxr-xr-xtesting/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables73
-rwxr-xr-xtesting/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf31
-rw-r--r--testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crlbin0 -> 560 bytes
-rwxr-xr-xtesting/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables76
-rwxr-xr-xtesting/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf29
-rw-r--r--testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crlbin0 -> 560 bytes
-rw-r--r--testing/tests/ikev2/crl-ldap/posttest.dat7
-rw-r--r--testing/tests/ikev2/crl-ldap/pretest.dat8
-rw-r--r--testing/tests/ikev2/crl-ldap/test.conf21
-rw-r--r--testing/tests/ikev2/crl-revoked/description.txt4
-rw-r--r--testing/tests/ikev2/crl-revoked/evaltest.dat6
-rwxr-xr-xtesting/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem25
-rw-r--r--testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem27
-rw-r--r--testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/crl-revoked/posttest.dat4
-rw-r--r--testing/tests/ikev2/crl-revoked/pretest.dat4
-rw-r--r--testing/tests/ikev2/crl-revoked/test.conf21
-rw-r--r--testing/tests/ikev2/crl-strict/description.txt2
-rw-r--r--testing/tests/ikev2/crl-strict/evaltest.dat4
-rwxr-xr-xtesting/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf (renamed from testing/tests/crl-strict/hosts/carol/etc/ipsec.conf)7
-rwxr-xr-xtesting/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf34
-rw-r--r--testing/tests/ikev2/crl-strict/posttest.dat2
-rw-r--r--testing/tests/ikev2/crl-strict/pretest.dat4
-rw-r--r--testing/tests/ikev2/crl-strict/test.conf21
-rw-r--r--testing/tests/ikev2/crl-to-cache/description.txt6
-rw-r--r--testing/tests/ikev2/crl-to-cache/evaltest.dat4
-rwxr-xr-xtesting/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/crl-to-cache/posttest.dat4
-rw-r--r--testing/tests/ikev2/crl-to-cache/pretest.dat (renamed from testing/tests/ocsp-strict/pretest.dat)1
-rw-r--r--testing/tests/ikev2/crl-to-cache/test.conf21
-rw-r--r--testing/tests/ikev2/default-keys/description.txt8
-rw-r--r--testing/tests/ikev2/default-keys/evaltest.dat7
-rwxr-xr-xtesting/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables78
-rwxr-xr-xtesting/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/default-keys/posttest.dat8
-rw-r--r--testing/tests/ikev2/default-keys/pretest.dat18
-rw-r--r--testing/tests/ikev2/default-keys/test.conf21
-rw-r--r--testing/tests/ikev2/double-nat-net/description.txt7
-rw-r--r--testing/tests/ikev2/double-nat-net/evaltest.dat5
-rwxr-xr-xtesting/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf23
-rwxr-xr-xtesting/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/double-nat-net/posttest.dat9
-rw-r--r--testing/tests/ikev2/double-nat-net/pretest.dat15
-rw-r--r--testing/tests/ikev2/double-nat-net/test.conf21
-rw-r--r--testing/tests/ikev2/double-nat/description.txt5
-rw-r--r--testing/tests/ikev2/double-nat/evaltest.dat5
-rwxr-xr-xtesting/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf23
-rwxr-xr-xtesting/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/double-nat/posttest.dat8
-rw-r--r--testing/tests/ikev2/double-nat/pretest.dat13
-rw-r--r--testing/tests/ikev2/double-nat/test.conf21
-rw-r--r--testing/tests/ikev2/dpd-clear/description.txt5
-rw-r--r--testing/tests/ikev2/dpd-clear/evaltest.dat6
-rwxr-xr-xtesting/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/dpd-clear/posttest.dat3
-rw-r--r--testing/tests/ikev2/dpd-clear/pretest.dat4
-rw-r--r--testing/tests/ikev2/dpd-clear/test.conf21
-rw-r--r--testing/tests/ikev2/dpd-hold/description.txt7
-rw-r--r--testing/tests/ikev2/dpd-hold/evaltest.dat14
-rwxr-xr-xtesting/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf26
-rwxr-xr-xtesting/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/dpd-hold/posttest.dat2
-rw-r--r--testing/tests/ikev2/dpd-hold/pretest.dat4
-rw-r--r--testing/tests/ikev2/dpd-hold/test.conf21
-rw-r--r--testing/tests/ikev2/dpd-restart/description.txt7
-rw-r--r--testing/tests/ikev2/dpd-restart/evaltest.dat13
-rwxr-xr-xtesting/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf26
-rwxr-xr-xtesting/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/dpd-restart/posttest.dat2
-rw-r--r--testing/tests/ikev2/dpd-restart/pretest.dat4
-rw-r--r--testing/tests/ikev2/dpd-restart/test.conf21
-rw-r--r--testing/tests/ikev2/host2host-cert/description.txt4
-rw-r--r--testing/tests/ikev2/host2host-cert/evaltest.dat5
-rwxr-xr-xtesting/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf23
-rwxr-xr-xtesting/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/host2host-cert/posttest.dat4
-rw-r--r--testing/tests/ikev2/host2host-cert/pretest.dat6
-rw-r--r--testing/tests/ikev2/host2host-cert/test.conf21
-rw-r--r--testing/tests/ikev2/host2host-swapped/description.txt3
-rw-r--r--testing/tests/ikev2/host2host-swapped/evaltest.dat5
-rwxr-xr-xtesting/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf23
-rwxr-xr-xtesting/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/host2host-swapped/posttest.dat4
-rw-r--r--testing/tests/ikev2/host2host-swapped/pretest.dat6
-rw-r--r--testing/tests/ikev2/host2host-swapped/test.conf21
-rw-r--r--testing/tests/ikev2/host2host-transport/description.txt4
-rw-r--r--testing/tests/ikev2/host2host-transport/evaltest.dat5
-rwxr-xr-xtesting/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/host2host-transport/posttest.dat4
-rw-r--r--testing/tests/ikev2/host2host-transport/pretest.dat6
-rw-r--r--testing/tests/ikev2/host2host-transport/test.conf21
-rw-r--r--testing/tests/ikev2/nat-double-snat/description.txt6
-rw-r--r--testing/tests/ikev2/nat-double-snat/evaltest.dat5
-rw-r--r--testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf16
-rw-r--r--testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem25
-rw-r--r--testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem25
-rw-r--r--testing/tests/ikev2/nat-double-snat/posttest.dat8
-rw-r--r--testing/tests/ikev2/nat-double-snat/pretest.dat11
-rw-r--r--testing/tests/ikev2/nat-double-snat/test.conf21
-rw-r--r--testing/tests/ikev2/nat-one-rw/description.txt5
-rw-r--r--testing/tests/ikev2/nat-one-rw/evaltest.dat5
-rwxr-xr-xtesting/tests/ikev2/nat-one-rw/hosts/alice/etc/ipsec.conf23
-rwxr-xr-xtesting/tests/ikev2/nat-one-rw/hosts/sun/etc/ipsec.conf35
-rw-r--r--testing/tests/ikev2/nat-one-rw/posttest.dat6
-rw-r--r--testing/tests/ikev2/nat-one-rw/pretest.dat11
-rw-r--r--testing/tests/ikev2/nat-one-rw/test.conf21
-rw-r--r--testing/tests/ikev2/nat-pf/description.txt4
-rw-r--r--testing/tests/ikev2/nat-pf/evaltest.dat5
-rw-r--r--testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf19
-rw-r--r--testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem25
-rw-r--r--testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.conf17
-rw-r--r--testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem25
-rw-r--r--testing/tests/ikev2/nat-pf/posttest.dat5
-rw-r--r--testing/tests/ikev2/nat-pf/pretest.dat7
-rw-r--r--testing/tests/ikev2/nat-pf/test.conf21
-rw-r--r--testing/tests/ikev2/nat-portswitch/description.txt6
-rw-r--r--testing/tests/ikev2/nat-portswitch/evaltest.dat10
-rw-r--r--testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf17
-rw-r--r--testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem24
-rw-r--r--testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem25
-rw-r--r--testing/tests/ikev2/nat-portswitch/posttest.dat6
-rw-r--r--testing/tests/ikev2/nat-portswitch/pretest.dat9
-rw-r--r--testing/tests/ikev2/nat-portswitch/test.conf21
-rw-r--r--testing/tests/ikev2/nat-rw-mixed/description.txt6
-rw-r--r--testing/tests/ikev2/nat-rw-mixed/evaltest.dat9
-rw-r--r--testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf17
-rw-r--r--testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem24
-rw-r--r--testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf31
-rw-r--r--testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem25
-rw-r--r--testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem24
-rw-r--r--testing/tests/ikev2/nat-rw-mixed/posttest.dat6
-rw-r--r--testing/tests/ikev2/nat-rw-mixed/pretest.dat11
-rw-r--r--testing/tests/ikev2/nat-rw-mixed/test.conf21
-rw-r--r--testing/tests/ikev2/nat-two-rw-psk/description.txt6
-rw-r--r--testing/tests/ikev2/nat-two-rw-psk/evaltest.dat9
-rwxr-xr-xtesting/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.conf19
-rw-r--r--testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets5
-rwxr-xr-xtesting/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.conf19
-rw-r--r--testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/nat-two-rw-psk/posttest.dat8
-rw-r--r--testing/tests/ikev2/nat-two-rw-psk/pretest.dat17
-rw-r--r--testing/tests/ikev2/nat-two-rw-psk/test.conf21
-rw-r--r--testing/tests/ikev2/nat-two-rw/description.txt5
-rw-r--r--testing/tests/ikev2/nat-two-rw/evaltest.dat9
-rwxr-xr-xtesting/tests/ikev2/nat-two-rw/hosts/alice/etc/ipsec.conf23
-rwxr-xr-xtesting/tests/ikev2/nat-two-rw/hosts/sun/etc/ipsec.conf35
-rwxr-xr-xtesting/tests/ikev2/nat-two-rw/hosts/venus/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/nat-two-rw/posttest.dat8
-rw-r--r--testing/tests/ikev2/nat-two-rw/pretest.dat14
-rw-r--r--testing/tests/ikev2/nat-two-rw/test.conf21
-rw-r--r--testing/tests/ikev2/net2net-cert/description.txt6
-rw-r--r--testing/tests/ikev2/net2net-cert/evaltest.dat5
-rwxr-xr-xtesting/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/net2net-cert/posttest.dat5
-rw-r--r--testing/tests/ikev2/net2net-cert/pretest.dat6
-rw-r--r--testing/tests/ikev2/net2net-cert/test.conf21
-rw-r--r--testing/tests/ikev2/net2net-psk/description.txt6
-rw-r--r--testing/tests/ikev2/net2net-psk/evaltest.dat5
-rwxr-xr-xtesting/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets12
-rwxr-xr-xtesting/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.secrets7
-rw-r--r--testing/tests/ikev2/net2net-psk/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-psk/pretest.dat8
-rw-r--r--testing/tests/ikev2/net2net-psk/test.conf21
-rw-r--r--testing/tests/ikev2/net2net-route/description.txt9
-rw-r--r--testing/tests/ikev2/net2net-route/evaltest.dat6
-rwxr-xr-xtesting/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf25
-rwxr-xr-xtesting/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/net2net-route/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-route/pretest.dat6
-rw-r--r--testing/tests/ikev2/net2net-route/test.conf21
-rw-r--r--testing/tests/ikev2/net2net-start/description.txt8
-rw-r--r--testing/tests/ikev2/net2net-start/evaltest.dat5
-rwxr-xr-xtesting/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf25
-rwxr-xr-xtesting/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/net2net-start/posttest.dat4
-rw-r--r--testing/tests/ikev2/net2net-start/pretest.dat6
-rw-r--r--testing/tests/ikev2/net2net-start/test.conf21
-rw-r--r--testing/tests/ikev2/ocsp-local-cert/description.txt9
-rw-r--r--testing/tests/ikev2/ocsp-local-cert/evaltest.dat8
-rwxr-xr-xtesting/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf28
-rw-r--r--testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem26
-rwxr-xr-xtesting/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf27
-rw-r--r--testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem26
-rwxr-xr-xtesting/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi11
-rw-r--r--testing/tests/ikev2/ocsp-local-cert/posttest.dat4
-rw-r--r--testing/tests/ikev2/ocsp-local-cert/pretest.dat4
-rw-r--r--testing/tests/ikev2/ocsp-local-cert/test.conf21
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/description.txt10
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/evaltest.dat10
-rwxr-xr-xtesting/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf31
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/certs/carolCert.pem25
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/private/carolKey.pem27
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf31
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/certs/daveCert.pem24
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/private/daveKey.pem27
-rwxr-xr-xtesting/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf44
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem23
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem22
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/posttest.dat5
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/pretest.dat7
-rw-r--r--testing/tests/ikev2/ocsp-multi-level/test.conf21
-rw-r--r--testing/tests/ikev2/ocsp-revoked/description.txt9
-rw-r--r--testing/tests/ikev2/ocsp-revoked/evaltest.dat7
-rwxr-xr-xtesting/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf28
-rw-r--r--testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert-revoked.pem25
-rw-r--r--testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey-revoked.pem27
-rw-r--r--testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf27
-rw-r--r--testing/tests/ikev2/ocsp-revoked/posttest.dat4
-rw-r--r--testing/tests/ikev2/ocsp-revoked/pretest.dat4
-rw-r--r--testing/tests/ikev2/ocsp-revoked/test.conf21
-rw-r--r--testing/tests/ikev2/ocsp-root-cert/description.txt8
-rw-r--r--testing/tests/ikev2/ocsp-root-cert/evaltest.dat6
-rwxr-xr-xtesting/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf28
-rwxr-xr-xtesting/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf27
-rwxr-xr-xtesting/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi11
-rw-r--r--testing/tests/ikev2/ocsp-root-cert/posttest.dat2
-rw-r--r--testing/tests/ikev2/ocsp-root-cert/pretest.dat4
-rw-r--r--testing/tests/ikev2/ocsp-root-cert/test.conf21
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/description.txt10
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/evaltest.dat13
-rwxr-xr-xtesting/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem26
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem27
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/posttest.dat4
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/pretest.dat4
-rw-r--r--testing/tests/ikev2/ocsp-signer-cert/test.conf21
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-good/description.txt10
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat9
-rwxr-xr-xtesting/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf28
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem26
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem27
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf27
-rwxr-xr-xtesting/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi14
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-good/posttest.dat4
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-good/pretest.dat4
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-good/test.conf21
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-unknown/description.txt7
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat6
-rwxr-xr-xtesting/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf29
-rwxr-xr-xtesting/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf28
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-unknown/posttest.dat4
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat6
-rw-r--r--testing/tests/ikev2/ocsp-timeouts-unknown/test.conf21
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/description.txt9
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat5
-rwxr-xr-xtesting/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf27
-rwxr-xr-xtesting/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf26
-rwxr-xr-xtesting/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi11
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat2
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat4
-rw-r--r--testing/tests/ikev2/ocsp-untrusted-cert/test.conf21
-rw-r--r--testing/tests/ikev2/protoport-dual/description.txt6
-rw-r--r--testing/tests/ikev2/protoport-dual/evaltest.dat9
-rwxr-xr-xtesting/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf (renamed from testing/tests/mode-config/hosts/carol/etc/ipsec.conf)22
-rwxr-xr-xtesting/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf30
-rw-r--r--testing/tests/ikev2/protoport-dual/posttest.dat4
-rw-r--r--testing/tests/ikev2/protoport-dual/pretest.dat7
-rw-r--r--testing/tests/ikev2/protoport-dual/test.conf21
-rw-r--r--testing/tests/ikev2/protoport-route/description.txt8
-rw-r--r--testing/tests/ikev2/protoport-route/evaltest.dat10
-rwxr-xr-xtesting/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf30
-rwxr-xr-xtesting/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf30
-rw-r--r--testing/tests/ikev2/protoport-route/posttest.dat4
-rw-r--r--testing/tests/ikev2/protoport-route/pretest.dat8
-rw-r--r--testing/tests/ikev2/protoport-route/test.conf21
-rw-r--r--testing/tests/ikev2/rw-cert/description.txt6
-rw-r--r--testing/tests/ikev2/rw-cert/evaltest.dat10
-rwxr-xr-xtesting/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-cert/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-cert/pretest.dat9
-rw-r--r--testing/tests/ikev2/rw-cert/test.conf21
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/description.txt6
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/evaltest.dat10
-rwxr-xr-xtesting/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets5
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/pretest.dat12
-rw-r--r--testing/tests/ikev2/rw-psk-fqdn/test.conf21
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/description.txt6
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/evaltest.dat10
-rwxr-xr-xtesting/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets5
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/pretest.dat12
-rw-r--r--testing/tests/ikev2/rw-psk-ipv4/test.conf21
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/description.txt6
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/evaltest.dat10
-rwxr-xr-xtesting/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets5
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/pretest.dat12
-rw-r--r--testing/tests/ikev2/rw-psk-no-idr/test.conf21
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/description.txt6
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat15
-rwxr-xr-xtesting/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf24
-rwxr-xr-xtesting/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf30
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets7
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat10
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/test.conf21
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/description.txt8
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat12
-rwxr-xr-xtesting/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets7
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/pretest.dat9
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/test.conf21
-rw-r--r--testing/tests/ikev2/strong-keys-certs/description.txt7
-rw-r--r--testing/tests/ikev2/strong-keys-certs/evaltest.dat10
-rwxr-xr-xtesting/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem25
-rw-r--r--testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem30
-rw-r--r--testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf24
-rw-r--r--testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem25
-rw-r--r--testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem30
-rw-r--r--testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.secrets3
-rwxr-xr-xtesting/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem25
-rw-r--r--testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem30
-rw-r--r--testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/strong-keys-certs/posttest.dat13
-rw-r--r--testing/tests/ikev2/strong-keys-certs/pretest.dat10
-rw-r--r--testing/tests/ikev2/strong-keys-certs/test.conf21
-rw-r--r--testing/tests/ikev2/wildcards/description.txt8
-rw-r--r--testing/tests/ikev2/wildcards/evaltest.dat8
-rwxr-xr-xtesting/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf26
-rwxr-xr-xtesting/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf26
-rwxr-xr-xtesting/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf30
-rw-r--r--testing/tests/ikev2/wildcards/posttest.dat3
-rw-r--r--testing/tests/ikev2/wildcards/pretest.dat9
-rw-r--r--testing/tests/ikev2/wildcards/test.conf21
-rw-r--r--testing/tests/ipv6/host2host-ikev1/description.txt3
-rw-r--r--testing/tests/ipv6/host2host-ikev1/evaltest.dat5
-rwxr-xr-xtesting/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf30
-rwxr-xr-xtesting/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf (renamed from testing/tests/req-pkcs10/hosts/carol/etc/ipsec.conf)26
-rw-r--r--testing/tests/ipv6/host2host-ikev1/posttest.dat2
-rw-r--r--testing/tests/ipv6/host2host-ikev1/pretest.dat4
-rw-r--r--testing/tests/ipv6/host2host-ikev1/test.conf21
-rw-r--r--testing/tests/ipv6/host2host-ikev2/description.txt3
-rw-r--r--testing/tests/ipv6/host2host-ikev2/evaltest.dat5
-rwxr-xr-xtesting/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf29
-rwxr-xr-xtesting/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf28
-rw-r--r--testing/tests/ipv6/host2host-ikev2/posttest.dat2
-rw-r--r--testing/tests/ipv6/host2host-ikev2/pretest.dat4
-rw-r--r--testing/tests/ipv6/host2host-ikev2/test.conf21
-rw-r--r--testing/tests/mode-config-push/posttest.dat11
-rw-r--r--testing/tests/mode-config-swapped/posttest.dat11
-rwxr-xr-xtesting/tests/mode-config/hosts/dave/etc/ipsec.conf30
-rw-r--r--testing/tests/mode-config/posttest.dat11
-rw-r--r--testing/tests/net2net-psk/posttest.dat6
-rw-r--r--testing/tests/net2net-route/posttest.dat6
-rw-r--r--testing/tests/net2net-rsa/posttest.dat6
-rw-r--r--testing/tests/net2net-start/posttest.dat6
-rw-r--r--testing/tests/protoport-route/posttest.dat6
-rw-r--r--testing/tests/rw-cert/posttest.dat6
-rw-r--r--testing/tests/rw-psk-fqdn-named/posttest.dat6
-rw-r--r--testing/tests/rw-psk-fqdn/posttest.dat6
-rw-r--r--testing/tests/rw-psk-ipv4/posttest.dat6
-rw-r--r--testing/tests/starter-also/posttest.dat6
-rwxr-xr-xtesting/tests/starter-includes/hosts/carol/etc/ipsec.conf30
-rw-r--r--testing/tests/virtual-ip-swapped/posttest.dat7
-rwxr-xr-xtesting/tests/virtual-ip/hosts/carol/etc/ipsec.conf30
-rw-r--r--testing/tests/virtual-ip/posttest.dat7
2259 files changed, 138702 insertions, 99014 deletions
diff --git a/lib/liblwres/config.h b/AUTHORS
index e69de29bb..e69de29bb 100644
--- a/lib/liblwres/config.h
+++ b/AUTHORS
diff --git a/CREDITS b/CREDITS
index a0c8eb2fa..41aa48338 100644
--- a/CREDITS
+++ b/CREDITS
@@ -107,4 +107,7 @@ The ipsec starter is based on Mathieu Lafon's original work.
Jan Hutter and Martin Willi developed the scepclient which fully
supports Cisco's Simple Certificate Enrollment Protocol (SCEP).
+Tobias Brunner and Daniel Roethlisberger implemented NAT traversal and dead
+peer detection for the IKEv2 keying daemon.
+
This file is RCSID $Id: CREDITS,v 1.6 2006/01/22 21:28:27 as Exp $
diff --git a/ChangeLog b/ChangeLog
new file mode 100644
index 000000000..f52898a8e
--- /dev/null
+++ b/ChangeLog
@@ -0,0 +1,1079 @@
+ strongswan-4.1.0 / R:2552
+===========================
+
+fixed nat detection bug
+OCSP support
+updated NEWS, TODO and man page
+respecting "keyingtries" parameter on IKE_SA setup
+cleanups
+fixed reset()
+not installing a route when policy gets updated
+renamed keyingtries attribute
+adjusted loglevels
+delay OCSP response by 5 seconds
+always update reqid on policy install, fixes dpdaction=hold issue
+EAP-SIM cleanups
+fixed CHILD_SA rekeying/delete bug on 64bit machines
+removed obsolete methods in delete_payload
+Shortened distribution string
+Shortened distribution string
+shortened distribution string
+add daemon.log to web page
+remove /etc/resolv.conf
+version bump to 4.1.0
+added apache2/ocsp log directory to winnetou
+removed killall openssl
+removed killall openssl
+deleted
+deleted
+create apach2/ocsp/ logging directory on winnetou
+do not check for type of dpd action any more
+create /var/log/apache2/ocsp on winnetou
+added
+added
+added
+delete virtual IP addresses after use
+deleted
+added
+fixed case of missing subjectKeyID
+corrected typo
+version bump to 4.1.0
+added
+use CURLOPT_NOSIGNAL
+added --with-sim-reader option to configure script
+some cleanups in eap_sim
+removed dublicated code in eap_authenticator
+log reception of trusted signer certificate
+version bump to 4.1.0
+deleted
+added
+changed OCSPSigner to OCSPSigning
+fixed carry bug in FIPS prf
+user standard cert
+deleted
+deleted
+added
+added
+modified description.txt and evaltest.dat
+version number selection fix
+some cleanups
+cleaned up and fixed DPD handling code
+removed cfg-payload dns test code
+added
+added
+version bump to strongswan-4.1.0 and linux-2.6.20.3
+cosmetics
+increased control debugging output
+added EAP-SIM authentication
+ client side only
+ uses an external SIM reader library specified with SIM_READER_LIB
+ untested
+not detaching from bus when IKE_SA_INIT is retried
+added AES-192/256 proposals to IKE
+added generic EAP_IDENTITY client implementation using peers IKEv2 ID
+fixed compilation warnings and errors when not using curl
+results from the single responses is stored in the corresponding certinfo_t structs
+moved credential_store.h from charon/config/credentials to libstrongswan
+last patch removed, changed CURLOPT_FILE to CURLOPT_WRITEDATA
+fixed memory leak by calling curl_slist_free_all(headers)
+fixed memory leak by calling curl_slist_free_all(headers)
+whitelisting static Curl_getaddrinfo() memory leak
+fixed a certinfo_t memory leak in verify()
+fixed a memory leak in response_t
+ocsp signer certificate and ocsp response signature can be verified
+fixed memleaks when using EAP authentication
+fixed configuration payloads when using EAP
+fixed payload order (again)
+including peers certificate when his certreq is empty
+implemented cookies as initiator
+proper logging of notifies in IKE_SA setup
+disabling routing for IPv6, does not work correctly
+fixed call of add_auth_certificate()
+generalized get_ca_certificate() to get_auth_certificate(auth_flags)
+added fetcher_finalize() to clean up libcurl
+some cleanups
+not installing %any DNS servers
+support of setting and getting authority flags
+support if ocsp signing certificates
+support if ocsp signing certificates
+fixed payload order in IKE_AUTH
+removed SHA2 kernel proposals from default, the kernel doesn't support them yet
+allocation fixes, not complete
+handling "No policy found" properly
+added more debugging output for policy lookup
+returning a (dummy) policy even when TS does not match, so we can properly send a TS_UNACCEPTABLE
+fixed CHILD_SA creation within existing IKE_SA
+added ocsp_parse_single_response
+ported changes from EAP branch, renabling EAP framework
+added (not yet supported) sha2 algorithms to kernel
+only adding a route if using tunnel mode
+added SHA2 MAC and PRF to default proposal
+added more debug output
+experimental SHA2 HMAC and PRF implementations
+parsing basic ocsp response
+forgot to assign public.is_ocsp_signer() method
+added parsing level to x509_create_from_chunk()
+added parsing level to x509_create_from_chunk() and added is_ocsp_signer() method
+http post fetching using libcurl implemented
+added fetcher.h and fetcher.c
+added
+corrected @ingroup to utils
+corrected comment
+start ocsp checking only if there are any ocspuris present
+conntrack -F is used to flush the NAT states
+the hostaccess=yes parameters are not needed anymore
+use conntrack -F to flush NAT states
+replaced actual virtual IP addresses by symbolic ones
+removed unnecessary double quotes
+nonce in ocsp_t was not properly initialized
+ocsp request is now fully built but without requestor signature
+starting to build ocsp request
+prevent from initiating multiple exchanges the same time
+updated apidoc documentation
+fixed notify handling in IKE_AUTH
+moved nonce payload before TS in CHILD_SA setup
+moved REKEY_SA notify to the beginning of the message
+fixed traffic selector redundancy removal code (not completely tested)
+add crl and ocsp uris to linked list after partial verification
+added print hook for certinfo_t printing
+fixed typo
+sending an SPI of 0 as responder when IKE_SA_INIT fails
+iterate certinfos linked list for matching serialNumber
+some cleanups
+not assigning %any virtual IPs to peer anymore
+fixed double free bug
+added
+fixed ID selection bug when peer doesn't include IDr payload
+allowing vendor ID in any messag
+moved listing of crls to local_credential_store and ca
+refactored ca_info_t
+refactored ca_info_t
+fixed netlink socket receiver code
+implemented interface enumeration code with netlink: no getifaddrs reqired anymore
+refactored kernel interface, works reliable again
+implemented get_iface() using RTM_GETADDR
+added support for multi-header netlink messages
+really ugly now, need a lot of refactoring
+added debuggin for interface lookup
+fixed address lookup when !using getifaddrs()
+added firewalling support when using virtual IPs
+added support for 0.0.0.0/0 traffic selectors
+fixed routing to make correct 0.0.0.0/0 routes
+config-payload scenario fixes
+preparations for PLUTO_MY_SOURCEIP
+corrected typo
+added cert with OCSP access info
+dpd now takes 180 s and 5 retransmits
+changed grep to creating aquire job for CHILD SA
+replaced actual virtual IPs by place holders
+virtual-ip scenario has been replaces by config-payload scenario
+added
+added
+added ocsp.h and ocsp.c
+added
+r2398 | tobias | 2007-02-28 16:20:10 +0100 (Wed, 28 Feb 2007) | 2 lines
+virtual ip uml test
+fixed reauthentication when connections other is %any
+merged tasking branch into trunk
+fixed big endian bug in md5 hasher
+cosmetics
+added once flag to certinfo_t
+cosmetics
+added certinfos linked list
+changed ca info to ca
+support of ca info sections
+added support of OCSP accessLocations
+correct interface definition
+added support of OCSP accessLocations
+full support of ca info records
+added the create_crluri_iterator method
+replace ca is realized as del_ca followed by add_ca
+last CA keyword is KW_OCSPURI2
+full support of ca info records
+full support of ca info records
+alphabetically sorting print commands
+listing ca_info items
+replace printf.h by stdio.h
+addin get_keyid() method
+support of ca info records
+support of ca info records
+version bump to 4.0.8
+support of ca info records
+support of ca info records
+typo
+SHA512-HMAC bug fix and hash function self-test support
+SHA512-HMAC bug fix and hash function self-test support
+handle strong SHA-2 signatures in X.509 certificates
+SHA-2 fixes and add-ons
+version bumps
+remove strong certs and keys after test
+added
+using "left" as my host per default, swapping to "right" when needed
+respecting source address when sending packets
+added PRINT_CAINFO hook
+stroke now recognizes the keywords listocspcerts|cainfos|ocsp, rereadocspcerts and purgeocsp
+enable IP forwarding
+prepared support of ca information records and ocsp functionality
+added support of ca information records and ocsp keywords
+enabled adding and deleting ca information records
+fixed starter crash due to freeing default IPSEC_EAPDIR string
+add --eapdir option only if defined in ipsec.conf
+removed eap aka module due nda
+merged EAP framework from branch into trunk
+includes a lot of other modifications
+%T requires time_t ptr
+removed my time_t printf handler patch, applied the one of andreas (64bit save)
+fixed printf() hooks for time
+added support for NULL encryption in ESP
+be more liberal in accepting notifies with a protocol id
+include NO_EXT_SEQUENCE_NUMBER in default proposal
+output peer id if RSA public key is not found
+fixed typo
+version bump to 4.0.8
+added address listing without getifaddrs for uclibc (only IPv4 yet)
+added threads to support multiple simultaneous stroke requests
+renamed all static clone() functions to avoid naming conflicts with uclibc
+sending proper signal to the bus when detecting a dead peer
+added configuration of XAUTH and ModeConfig push mode
+version bump
+version bump
+Cisco XAUTH interoperability
+XAUTH interoperability with Cisco
+removed IPSECPOLICY compile option
+unload xauth_module only if XAUTH_DEFAULT_LIB is defined
+loading the XAUTH module requires libdl
+added some more attributes, inst XAUTH_TYPE in reply
+Mode Config refactoring
+XAUTH fixes and Cisco Unity support
+log APPLICATION_VERSION and UNITY_DDNS_HOSTNAME strings
+added Cisco Unity ModeCfg attributes
+version bump to 4.0.7
+fixed 64 bit issue with print time
+fixed XAUTHResp bug
+included xauth.h
+use uml_mconsole to check end of booting process
+name the created CHILD_SA
+doubled PAYLIMIT to 40 payloads
+version bump
+show rekeying|reauthentication time
+show name of created CHILD_SA
+combined use_in and use_fwd
+corrected typo
+cosmetics
+cosmetics
+fixed an enumeration error, added CISCO_IOS VID
+fixed mismatch in interface definition of get_secret()
+forward declaration of struct state not needed
+cosmetics
+added firewall support to scenario
+updated changelog for 4.0.6
+fixed crash when CA for certrequest not found
+fixed build when !using smartcard
+removed unused debugging code
+updated NEWS for 4.0.6
+
+
+ strongswan-4.0.6 / R:2131
+===========================
+
+updated NEWS for 4.0.6
+readded tranport mode test using new status output
+removed dublicated host2host-transport test
+fixed reauthentication when using %any hosts
+support for transport in create_child_sa
+include TRANSPORT/TUNNEL information in statusall
+load xauth module via dlopen()
+define path to xauth module
+added host2host-transport scenario
+removed trailing lines
+added XAUTH support
+fixed typo
+added XAUTH server and client support
+load and unload XAUTH module
+added xauth.h and xauth.c
+added enable-cisco-quirks configure option
+added xauth scenarios
+added config option for BEET mode
+fixed reuathentication when connections other host is %any
+fixed host conversion length check
+negated POLICY_REAUTH to POLICY_DONT_REAUTH
+negated POLICY_REAUTH to POLICY_DONT_REAUTH
+enable XAUTH_VID by default
+added support for transport mode and (experimental!) BEET mode
+support for the type=transport/tunnel parameter in charon
+fixed charset & cleanups
+added XAUTH server and client support
+additional parentheses for same_chunk() macro
+renamed to appear in doxygen build
+added a roadmap of the strongSwan project (TODO)
+added some NEWS
+first try to update ipsec.conf manual
+implemented reauthentication using the new reauth=yes|no parameter
+fixed more uClibc issues
+should compile against a uClibc > 0.9.28 (untested)
+added XAUTH client states
+version bump to 4.0.6
+fixed stddef.h include
+fixed encoding rules string
+updated todo
+fixed some byte-order issues
+fixed HAVE_BACKTRACE checks
+starter Makefile now uses proper $(COMPILE) to build pluto objects
+made backtrace() calls optional to support uClibc
+XAUTH support
+XAUTH support
+fixed bug in ifdef CISCO_QUIRKS
+added XAUTH support
+support of Cisco Unity VID
+added new VIDs
+version bump to 4.0.6
+fixed case with wildcard peer ID and static peer address
+added simple script to port trunk changes into branches
+start kdevelop with project file from actual branch
+updated changelog
+fixed typos
+
+
+ strongswan-4.0.5 / R:1447
+===========================
+
+fixed typos
+improved selection of ipsec status|statusall <name>
+fixed NEWS (runtime debug level options)
+fixed credits
+fixed very old bug in linked_list's remove_first and remove_last
+proper "ipsec up" signal handling when initiating to %any
+removed iterator hook for replace
+fixed output of proto/port selectors
+cosmetics
+due to console logging, no need for final sleep anymore
+adapted checks to changed ipsec status output
+due to narrowing no need for rightsubnetwithin
+no need to send certreq
+fixed ipsec status|statusall <name>
+log IKE SPIs on a separate line
+redesigned formatting of ipsec status|statusall
+cosmetics
+version bumps of strongSwan, Linux kernel and Gentoo root file system
+corrected description
+added dpd-hold scenario
+added new features
+fixed 64 bit issue
+solved 64 bit issue by changing long to int
+solved 64 bit issue in push/pop stroke interface
+fixed 64 bit issue
+some fixes for doxygen
+better split up of library files "types.h" & "definitions.h"
+centralized all printf specifier character definitions
+reuse of arginfo handlers
+more cleanups
+fixed more AMD64 issues
+added DEBUG_LEVEL compile flag to exclude DBGn() statements
+added nodebug configure script without any debug messages and without -g
+preparations to include certreqs in policy decisions
+do not sent certreq payloads when the peer is known to use PSK
+position of (myself) moved in log output
+do not sent certreq payloads when using self-signed certs
+moved (myself) in log output
+moved typedefs to beginning of files to solve some include problems
+splitted authenticator to have a separate implementation for each auth_method_t
+using va_copy to clone va_lists, should fix proplems on AMD64
+some other cleanups
+do not sanitize '*' character
+fixed SIGSEGV when setup of an additional CHILD_SA fails
+added IKEv2 clarifications RFC
+changed debug level of certreq log output
+cosmetics in debug output
+support of certreq payload in IKE_AUTH messages
+chunk_to_hex() function declaration deleted
+added function certreq_payload_create_from_x509()
+send a certreq as initiator if other_ca is set
+added method get_ca_certificate()
+added methods get_my_ca() and get_other_ca()
+added methods get_my_ca() and get_other_ca()
+added some missing 'AUD' entries
+cosmetics
+cosmetics
+change due to change debug output
+spaces should not be sanitized
+fixed due to new logging concept
+some improvements in signaling code
+include only source NATD payloads really needed
+updated for NAT team
+improved signal handling and emitting
+support of ModeCfg Push mode
+support of mixed RSA/PSK static connections
+support of ipsec statusall in state output
+output of 'DPD active' in ISAKMP SAs
+support of ipsec statusall in state output
+added natip support
+added has_natip flag
+added ModeCfg push policy and states
+added ModeCfg push policy and states
+fixed typo in debug statement
+redesigned list output format
+added 'modeconfig=pull|push' and 'left|rightnatip' keywords
+added has_natip flag
+added has_natip flag
+added 'exit' statement in listcerts,.. case
+fixed two bugs in the time_t and chunk_ct print functions
+redesigned format of print function
+replaced 'times' by 'dates'
+added private flag to asn1_init
+added private flag to asn1_ctx_t
+removed DES-EDE3-CBC only comment
+removed deprecated iterator methods (has_next & current)
+added iterator hook to manipulate iterator the clean way
+linked list cleanups
+added list methods invoke(), destroy_offset(), destroy_function()
+simplified list destruction when destroying its items
+added verbosity level to stroke
+upgrade to new Gentoo root file system and tcpdump command
+added
+deleted
+renamed ikev1 scenario and added ikev2 scenario
+added new scenarios
+Version bumps of UML kernel, Gentoo root file system and strongSwan release
+code cleanups in printf handlers
+added eap authentication draft for ikev2
+updated stroke to allow run-time manipulation of debug levels
+added charondebug config parameter to set debug level at startup
+introduced new logging subsystem using bus:
+ passive listeners can register on the bus
+ active listeners wait for signals actively
+ multiplexing allows multiple listeners to receive debug signals
+ a lot more...
+updated file filter for kdev project
+include CREDITS file in distribution
+moved various scripts in scripts/ dir
+add configure script wrappers
+removed txt files from doxygen
+removed module tests, outdated. We need something more system-test like
+added missing -DDEBUG compile option
+fixed auxillary message data parsing for IPV6 socket
+using SOL_* constants for socket level
+fixed IPV6_PKTINFO setsockopt() to work with most kernel headers
+replaced strerror(errno) with %m printf specifier
+added stronger certs for moon, carol, and dave
+added IPv6 hw and multicast addresses
+adapted to new tcpdump ipv6 output
+multi-level-ca scenarios use unencrypted private key
+added scenario
+fixed timing
+new gentoo root file system
+fixed bug with openldap 2.3
+removed ipsec.conf version information
+carolKey.pem is now protected by 3DES passphrase
+updated net runlevel scripts
+updated net init scripts
+new net configuration format
+HW addresses must be predefined
+cosmetics
+added USE_LIBCURL
+cosmetics
+found libraries are not appended to LIBS anymore
+version bump to 4.0.5
+fixed DPD to survive IKE_SA rekeying
+introduced printf() specifiers for:
+ host_t (%H)
+ identification_t (%D)
+ chunk pointers (%B)
+ memory pointer/length (%b)
+added a signaling bus:
+ receives event and debug messages, sends them to its listeners
+ stream_logger, sys_logger, file_logger added, listen to bus
+some other tweaks here and there
+added often used RFCs and drafts
+DES for private key encryption is not supported
+updated NEWS and ChangeLog for 4.0.4 release
+fixed retransmission policy for responder
+fixed dpd for responder
+added ID_ANY check to matches_binary()
+replaced 'missing value' warning by zero length chunk_t value
+defined maximum hash size
+support of AES-192-CBC private key encryption
+added hostaccess support
+added hostaccess support
+moved auth_method to policy
+added hostaccess support
+added hostaccess support
+more consistent authentication logging
+added hostaccess support
+moved auth_method to policy
+moved auth_method to policy
+added hostaccess support; moved auth_method to policy
+added hostaccess support
+added hostaccess support
+added new test scenarios
+fixed some compiler warnings
+
+
+ strongswan-4.0.4 / R:1289
+===========================
+
+fixed some compiler warnings
+extended statusall output
+ added job/event-queue statistics
+ added allocation statistics when using LEAK_DETECTIVE
+fixed include typo
+public declaration of all HASH_SIZEs in hasher.h
+support of encrypted private key files
+added copyright notice to sha2_hasher
+included SHA2 in build process
+implemented sha2_hasher which supports SHA-256, SHA-384 and SHA-512
+added support for 3DES encryption algorithm in IKE
+fixed the ids parsing bug
+fixed the ids parsing bug
+updated TODOs
+fixed memleak
+fixed proper handling of id parsing errors
+proper return value when no PSK found
+added HOST_ACCESS for firewall script as default
+more debugging output for PSK authentication
+some cleanups here and there
+added auth_method field
+added auth_method field
+cosmetics
+verify_emsa_pkcs1_signature returns status_t
+cosmetics
+added PSK support
+enabled firewall support
+proper error handling for socket creation
+handle certificate parsing error more generous
+fixed certificate verification bug!
+fixed memleak when receiving invalid certificate
+version bump to 4.0.4
+version bump to 4.0.4
+two new test scenarios
+fixed path to images directory
+implemented updown script to handle firewalling
+add priority management for kernel policy
+let ROUTED policies installed, until manuall removed
+introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs
+ike_sa_manager cleanups
+implemented handling of dpdaction and dpddelay ipsec.conf parameters
+reuse reqid when a ROUTED child_sa gets INSTALLED
+fixed a bug in retransmission code
+added support for the "keyingtries" ipsec.conf parameter
+added support for the "dpddelay" ipsec.conf parameter
+done some work for "dpdaction" behavior
+some other cleanups and fixes
+fixed a at-least-one-year-old bug which caused crashed in the scheduler
+added raw socket filter for IPv6
+implemented NAT detection for IPv6
+removed unneeded constructor
+initial support for IPv6 (more testing needed)
+ socket works (without v6 filter)
+ traffic selector handle IPv4/v4 cleanly
+ improvements in traffic selector code
+ kernel interface accepts v6 traffic selectors and hosts
+ host_t class has full IPv6 support
+added stddef.h include for compilers which do not support the offsetof() directive
+moved interface enumeration code to socket, where it belongs
+query interfaces every time we need it to respect changes in network config
+added address listing on startup and "ipsec statusall"
+version bump of UML kernel to 2.6.17.11
+fixed crash bug when doing "ipsec down" with an unknown connection
+added name property in CHILD_SA, allows proper status output
+fixed bug which prevented port float when nat is detected
+version bumps
+'sha' and 'sha1' are now treated as synonyms
+updated Changelog and other docs
+
+
+ strongswan-4.0.3 / R:1235
+===========================
+
+fixed rekeying behavior when proposing an inacceptable DH group (INVALID_KE_PAYLOAD)
+implement proper handling of most simultaneous IKE_SA rekeying cases
+version bump to 4.0.3
+implemented proper refcounting using atomic operations
+implemented IKE_SA rekeying
+ uses ikelifetime, rekeymargin and rekeyfuzz config settings
+ no handling of simultaneus exchanges yet!
+added possibility to route CHILD_SAs, without to set them up
+ support for auto=route parameter
+ support for ipsec route and ipsec unroute
+ initiating of CHILD and/or IKE_SAs based on kernel acquires
+reuse an existing IKE_SA to set up additional CHILD_SAs
+introduced refcounting on policy and connections
+ aren't stored in the IKE_SA anymore, they are queried on the fly
+ are immutable now, allows it to share them
+policy selection based on traffic selectors, leads to valid lookup results
+ rekeying queries the policy based on its traffic selectors
+cleanups in kernel interface code
+added proper traffic selector to string conversion
+some cleanups here & there
+X.509 certificate trust path verification
+added
+fixed UDP decapsulation by adding inbound bypass policy for send socket
+updated mixed tests to new charon output
+corrected DPD entry
+reenabled module tests for charon
+fixed bug which erroneously detected KE payload when rekeying
+added IPsec bypass policy to receiving socket, allows incoming IKE traffic on host2host tunnels when using NAT
+improved logging on verify errors for some payloads
+enforcing IKE_SA shutdown, even when transactions are outstanding
+proper reject of CREATE_CHILD_SA message with KE payload
+added test cases from NAT team
+updated all IKEv2 tests to work with new status output
+added tcpdumpcount function from NATT guys
+added possibility to mount the strongswan tree into all UMLs
+added script for installing from shared tree in all UMLs
+added script to shut down all UMLs properly
+removed in favour of tests from NAT team
+fixed CREATE_CHILD_SA transaction dispatching
+added CHILD_SA states, which allows us to detect further simultaneous transactions
+reimplemented the buggy message id handling
+updated some inline docs
+fixed crypter/signer in/out to conform with standard
+fixed payload order
+added message id logging
+added all currently known notify payload types
+added policy cache to kernel interface
+ allows refcounting of multiple installed policies
+ finally brings us stable simultaneous rekeying
+leak detective blanks memory on free & alloc, allows further membug detection
+code cleanups
+identification_t.matches() supports multiple wildcard counts
+identification_t.matches() supports multiple wildcard counts
+further work done for simultaneous rekeying/delete
+ still some cases which cause trouble
+fixed compiler warnings in parser when using -O2
+reenabled check_expiry
+updated copyright information
+reimplemented CHILD_SA rekeying & delete
+ no simultanous transaction with CHILD_SAs yet!
+removed NAT_TRAVERSAL and VIRTUAL_IP compile options
+removed NAT_TRAVERSAL compile option
+removed NAT_TRAVERSAL and VIRTUAL_IP compile options
+added
+updated NEWS
+added support for leftprotoport and rightprotoport
+improved CHILD_SA output for "ipsec statusall"
+updated whitelist (getprotobynumber)
+redesigned IKE_SA using a transaction mechanism:
+ removed old state machine
+ reimplemented IKE_SA setup and delete
+ implemented dead peer detection
+ implemented keep-alives
+ a lot of fixes
+ no rekeying yet
+fixed compiler warnings
+made thread ids unsigned again, to avoid negative thread ids on some systems
+fixed memleak when initiating a connection already up
+updated leak detective whitelist
+applied latest NATT patch with some fixes and cleanups
+test currently without firewall
+added
+added
+added
+removed
+removed version information from ipsec.conf
+log entries start with lowcercase character
+restored lost IKEv2 packet suppression
+added USE_LEAK_DETECTIVE option
+fixed natd_hash memory leak
+tests with subdirectory structure
+removed tests
+introduced subdirectory structure
+support of cert payloads
+lowercase log entries
+distributed by ITA
+added support of updown parameter
+generation of default key
+cosmetics
+added support of updown parameter
+version bump to 4.0.2
+added X.509 trust chain verification
+version bump to 4.0.2
+ESP packet size changed
+fixed bad_proposal_syntax bug
+updated ingorelist for stroke_keywords.c
+applied new changes from NATT team
+ DPD only done when no IPsec and IKE traffic processed
+ minor changes here and there
+some message code cleanups
+fixed identification_t clone to apply function pointers
+cleaner error handling on UDP encapsultion sockopt failure
+added mysterious UDP encapsulation socket option to get encapsulation working
+fixed BAD_PROPOSAL_SYNTAX vulnerability
+first merge of NATT code
+fixed testing build
+updated for 4.0.1 release
+updated news for 4.0.1 release
+fixed whitelist detection
+
+
+ strongswan-4.0.1 / R:1144
+===========================
+
+fixed whitelist detection
+reworked function ignore mechanism to not-report whitelist
+ rather than overriding functions
+fixed execv call args to work when using strictcrl and syslog
+fixed bug: usage of already freed mem
+readded local_credential_store
+added sendcert policy to connection
+some other cleanups
+implemented rereadcrls rereadcacerts
+implemented rereadcrls rereadcacerts
+implemented rereadcrls rereadcacerts
+removed local_credential_store
+fixed SPI when acting as initiator of rekeying
+fixed SPI when rekeying and deleting CHILD_SAs
+change key derivation order to fullfill RFC
+added crl support
+added listcrls
+added chunk_equals_or_null()
+added crl support
+changed tabs from 8 to 4 spaces
+added crl support
+cosmetics
+cosmetics (space)
+fixed compilation error
+updated for release
+fixed aes code, we support now aes128, aes192, aes256 in IKE
+added support for "ike" and "esp" keywords
+fixed bugs in proposal code
+algorithm selection for charon works now with ipsec.conf
+a lot of other fixes
+implemented clean spi allocation behavior when using multiple proposals
+fixed logleve(l) keyword typo
+handling of "rekey=no" parameter added
+changed default algorithms to:
+ ike: aes128-sha-modp2048
+ esp: aes128-sha1, 3des-md5
+added default CRL directory path
+added strictcrlpolicy command line argument
+added option parsing
+added local CRLs
+added rekeying parameters
+corrected some descriptions
+moved RSA key size constraints to definitions.h
+fixed down keyword
+debug and logging improvements
+support for stroke listcerts|listcacerts|listcrls|listall
+support for stroke listcerts|listcacerts|listall and left|rightca=
+gperf creates optimum hash table for stroke keywords
+using same reqid if a child sa rekeys an existing one
+NULL string argument is treated as %any
+add_certificate() now returns pointer to added cert
+cosmetics
+single tests now start up faster
+workaround for peers rekeying at the same time
+loading lifetime policies from ipsec.conf
+old child_sa gets deleted after rekeying
+rekeying almost complete, but:
+ IKE_SA get in an invalid state when both initiate rekeying at the same time,
+corrected type
+improved kernel interface logging
+fixed clone/destroy behavior when not using CAs
+specifying keysize in bits, as it is required in IKEv2
+added generic kernel SA algorithm handling, which brings us:
+ aes-128, aes-256, blowfish, des, 3des and null encryption for CHILD_SAs
+added support for leftsendcert= and left|rightca= parameters
+discard cert if CA basic constraints flag is not set and warn if cert is not valide
+added public methods is_ca() and is_valid()
+changed ASN.1 CONTROL log output to LEVEL2
+cosmetics
+removed unused Makefile
+stroke.h requires libstrongswan/types.h
+fixed compile warnings when using -Wall
+further CHILD_SA rekeying work done:
+ creation of a new CHILD_SA on a expire from a kernel works
+ delete of old CHILD_SA still missing
+ some issues when both initiate rekeing
+updated INSTALL to conform with autotools
+added a short HACKING introduction
+further work for rekeying:
+ get liftimes from policy
+ added new state
+ initiation of rekeying done
+proposal redone:
+ removed support for AH+ESP proposals
+proper leak detective hook for realloc
+excluded pthread_setspecific from leak detective
+fixed a memleak
+cosmetics
+ipv6-host2host scenario added
+created IPv6 environment
+job management:
+ moved job code from thread_pool to job, jobs have an "execute" method now
+ added two new jobs: delete_child_sa & rekey_child_sa
+kernel interface:
+ listens now for ACQUIRE & EXPIRE
+ supports hard and soft lifetimes
+ fires jobs for delete and rekey child sa
+ike sa manager:
+ can checkout IKE SAs by requid of owned CHILD SAs
+we have now the infrastructure to do the rekeying... :-)
+fixed some memleaks/freebugs
+leak detective works almost usable now (?!)
+added host2host test for ikev2
+fixed host-host tunnel traffic selection, host-host works now
+bug fixed circumventing an assertion in delete_connection when ikev1 is not set
+minimized prefixed on stroke logger output
+charon outputs strongSwan version
+tests with subjectAltNames now
+fixed event queue for events >36min
+included charons module tests to build & dist
+full support of ikev1 and ikev2 connection flags
+cosmetics in log_status output
+use of streq
+added testing files to dist
+ required the use of the "ustar" format to support
+ filenames longer than 99 chars
+lookup of private key based on keyid of public key
+new functions to add certificates and retrieve private and public keys
+changed log level
+list ca certificates
+computation of SHA-1 hash over publicKeyInfo object
+moved abbreviated thread_id in front of brackets
+added has_key parameter to log_certificates()
+log_certificates() now shows keyid and availability of matching private key
+indented loaded file log entry
+moved TIMETOA_BUF definition to types.h
+moved TIMETOA_BUF definition from asn1.h
+define default CA_CERTIFICATE_DIR
+load all ca certificates
+fixed daemon destruction order to prevent
+ crashes on termination
+fixed memleak when deleting a connection
+updated todo list
+policies contain a connections name now
+ used for initiate and delete
+connections won't get initiated twice anymore
+deleting of connections is now possible, which allows us to use
+ ipsec update and ipsec reload
+changed iterator->remove behavior
+ipsec up|down|route|delete require a connection name
+stroke now uses constant size string buffer
+changed to standard connection log output
+reworked parsing and matching of subjectAltNames
+added memeq() macro
+moved timetoa() from asn1.c to types.c
+corrected type
+some logging improvements and cosmetics
+handle IKE_SA setup without a piggy-packed CHILD_SA
+ more IKEv2 conform
+initiate IKE_SA deletion befor manager destruction
+improved code of chunk_equals
+added streq() macro and defined default BUF_LEN
+typo
+build gets perl and gperf from configure now
+moved built sources to maintainer-clean
+show connection templates in status & statusall
+don't complain on termination of IKEv1 connections
+updated ipsec.conf manual to reflect actual state of
+ keyexchange-parameter
+using hubs instead of switches, which allows us
+ to sniff the traffic from the host system.
+changed config load strategy:
+ starter loads both connections in charon & pluto,
+ charon ignores anything with keyexchange!=ikev2.
+ pluto needs the same behavior.
+ changed build order to fix build error after distclean
+load_end_certificate() now loads certificates
+cosmetics
+moved definition of generalNames_t to identification.h; initialized subjectKeyID, authKeyID and authKeySerialNumber
+moved definition of generalNames_t to identification.h
+corrrected description
+reimplemented proper IKE SA deletion using a seperate state,
+ should conform now to IKEv2
+fixed build when using --enable-leak-detective
+added removed files to svn:ignore
+fixed bug in pluto/Makefile.am
+removed perl-generated oid.c/h from svn,
+ added them to "dist" and "distclean"
+removed lex, yacc and gperf output from svn,
+ added them to "dist" and "distclean"
+storing release revision in svn property "release-revision", because I forget it all the times
+fixed ignorelist, should work now
+added ingorelist for builded files
+re-added doxygen apidoc, buildable with "make apidoc"
+added missing ipsec.conf.5 to distribution :-/
+fixed another typo
+added missing ipsec.conf ipsec.conf.5
+existing ipsec.conf won't get overwritten anymore
+fixed typo in Makefile which corrupted the build
+applied patch from the NAT-T team fixing several typos
+applied patch from andreas, which allows certificate listing via stroke
+added ipsec.conf template and man page back
+removed old Makefiles
+added new strongswan KDevelop project & startup hack
+fixed Revision in changelog fo 4.0.0
+started ChangeLog
+simple script for ChangeLog update via "svn log"
+fixed compliation error using --enable-smartcard
+added test for ikev1-ikev2 mixed mode
+added test ikev2 roadwarrior scenario
+applied andreas's patch
+ logger output improvements
+ testin gupdates
+ and a lot more
+updated testsuite to autotools
+added random source ./configure options
+fixed default-pkcs11 option
+testcommit
+fixed errors when --enable-pkcs11
+added autogen script
+introduced autotools
+ first working version
+ make dist should work
+ things to do:
+ UML testing!
+ more cleanups
+fixed build
+started to rebuild source layout
+fixed stroke error output to starter
+using random SPIs now, but without collision checks
+applied some -W's from strongswan
+fixed that warnings
+removed IKEV2 ifdefs
+applied patch from andreas
+ added charonstart option to config
+ new ikev2 tests for UML
+
+ strongSwan-4.0.0 / R:967
+==========================
+
+removed IKEV2 ifdefs
+applied patch from andreas
+ added charonstart option to config
+ new ikev2 tests for UML
+applied patch from andreas
+ pem loading
+ secrets file parsing
+ ikev2 testcase
+ some other additions here and there
+connection termination is handled cleanly by name now
+fixed bad bug, certs load now cleanly again
+fixed make install (subdir order)
+fixed include path
+added missing script
+finished initial import of strongswan file tree
+removed a lot of old and unused stuff
+moved RFCs from ikev2 into doc dir
+added missing files for starter
+applied patch for charon (this time really)
+import of strongswan-2.7.0
+applied patch for charon
+renamed get_block_size of hasher
+reworked usage of IDs in various states
+using ID_ANY for any, not NULL as before
+initiator sends IDr payload in IKE_AUTH when ID unique
+fixed charon checks
+using status & statusall
+patch for 2.7.0
+add connection names to connections
+stroke status / ipsec status shows them
+added statusall for stroke
+added status by connection name
+some tests repaired, more to come
+fixed spi conversion
+improved "stroke status" output
+setup PID file after daemon initilization, to correctly inform
+ starter about daemon startup
+added separate implementation for connection_store, credential_store, policy_store
+added folder structure to config
+credentials are fetched solely on IDs now
+identification_t supports now almost all id types
+x509 certificates work with identification_t now
+fixes here, fixes there
+fixed doxygen build
+seperates now in lib and charon
+library initialization done at a central point (library.c)
+some leak_detective fixes
+updated Todos
+fixed log-to-syslog behavior
+added patch against strongswan-2.6.4
+x509 certificate loading with pluto asn1 code
+x509 needs a lot more attention!
+renamed some files
+using asn1 pluto stuff now
+removed, since we use pluto asn1 stuff
+leak detective is usable, but does not show static function names
+ a script which gets address via ldd and resolves address via addr2line would be nice
+fixed a leak in child_sa with new detective ;-)
+some improvements to new asn1 stuff
+to be continued
+fixed bad bugs in kernel interface
+added some logging info
+works now much more stable
+startet importing pluto ASN1 stuff
+der PKCS#1 key loading works (as it did with der_decoder)
+split up in libstrong, charon, stroke, testing done
+new leak detective with malloc hook in library
+ useable, but needs improvements
+logger_manager has now a single instance per library
+ allows use of loggers from any linking prog
+a LOT of other things
+../svn-commit.tmp
+added misssing stroke.h
+improved strokeing
+ down connection
+ status
+some other tweaks
+rewrote a lot of RSA stuff
+done major work for ASN1/decoder
+allow loading of ASN1 der encoded private keys, public keys and certificates
+extracting public key from certificates
+passing certificates from stroke to charon
+=> basic authentication with RSA certificates works!
+starter work on asn1 with der de/encoder
+RSA private and public key can load read key from ASN1 DER
+some other fixes here and there
+rewrite of logger_manager, uses now one instance per context
+cleanups for logger here and there
+removed critical flag check in payload verification (conformance to IKEv2)
+so thats and theres everywere... ;-)
+patch for strongswan-2.6.3
+added charon support for strongswan build process
+ipsec starter supports charon startup and control
+removed old diploma thesis scripts
+some cleanups
+compatibility to strongswan, Makefile can be called by "make programs"
+ and "make install" (ikev2 patch must be applied to strongswan)
+first version of stroke control utility
+moved output to doc/api, since doc is used for other docs now
+some first documentation in english
+removed old eclipse project files
+works quite well now with ipsec.conf & ipsec starter
+belongs to previous commit ;-)
+reworked configuration framework completly
+configuration is now split up in: connections, policies, credentials and daemon config
+further alloc/free fixes needed!
+first attempt for connection loading and starting via "stroke"
+some improvements here and there
+configuration_manager replaced by configuration_t interface
+current configuration_manager is now static_configuration (testing)
+first draft of starter_configuration, which should once interact with ipsec starter (via whack?)
+some cleanups
+socket_t uses RAW socket, which allows parallel service of pluto/charon
+comments and cleanups
+working policy installation and removal
+fixed policy setup bug
+proposal setup implementation begun
+fixed socket code, so we know on which address we receive traffic
+AH/ESP setup in kernel is working now!!! :-)))
+installing of child sa works
+need correct IP adresses to actually use IPsec
+new RFCs of IKEv2, IKEv2 algs and IPSec arch added
+update of IKEv2 clarification document
+refactored ike proposal
+uses now proposal_t, wich is also used by child proposals
+ike key derivation refactored
+crypter_t api has get_key_size now
+some other improvements here and there
+config uses uml hosts alice and bob
+key derivation for child_sa works
+some fixes here and there
+fixed memleaks
+works with new proposal code
+still some(!) memleaks
+fixed alot of bugs in child_proposal
+near to working state ;-)
+dead end implementation
+
+... there is a lot more of it, but nothing of interest
diff --git a/Doxyfile.in b/Doxyfile.in
new file mode 100644
index 000000000..4e7cebb85
--- /dev/null
+++ b/Doxyfile.in
@@ -0,0 +1,220 @@
+# Doxyfile 1.4.1-KDevelop
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+PROJECT_NAME = "@PACKAGE_NAME@"
+PROJECT_NUMBER = "@PACKAGE_VERSION@"
+OUTPUT_DIRECTORY = apidoc
+CREATE_SUBDIRS = NO
+OUTPUT_LANGUAGE = English
+USE_WINDOWS_ENCODING = NO
+BRIEF_MEMBER_DESC = YES
+REPEAT_BRIEF = YES
+ABBREVIATE_BRIEF =
+ALWAYS_DETAILED_SEC = NO
+INLINE_INHERITED_MEMB = NO
+FULL_PATH_NAMES = YES
+STRIP_FROM_PATH =
+STRIP_FROM_INC_PATH =
+SHORT_NAMES = NO
+JAVADOC_AUTOBRIEF = YES
+MULTILINE_CPP_IS_BRIEF = NO
+DETAILS_AT_TOP = YES
+INHERIT_DOCS = YES
+DISTRIBUTE_GROUP_DOC = NO
+TAB_SIZE = 1
+ALIASES =
+OPTIMIZE_OUTPUT_FOR_C = NO
+OPTIMIZE_OUTPUT_JAVA = NO
+SUBGROUPING = YES
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+EXTRACT_ALL = NO
+EXTRACT_PRIVATE = NO
+EXTRACT_STATIC = NO
+EXTRACT_LOCAL_CLASSES = NO
+EXTRACT_LOCAL_METHODS = NO
+HIDE_UNDOC_MEMBERS = NO
+HIDE_UNDOC_CLASSES = NO
+HIDE_FRIEND_COMPOUNDS = NO
+HIDE_IN_BODY_DOCS = NO
+INTERNAL_DOCS = NO
+CASE_SENSE_NAMES = YES
+HIDE_SCOPE_NAMES = NO
+SHOW_INCLUDE_FILES = YES
+INLINE_INFO = YES
+SORT_MEMBER_DOCS = YES
+SORT_BRIEF_DOCS = NO
+SORT_BY_SCOPE_NAME = NO
+GENERATE_TODOLIST = YES
+GENERATE_TESTLIST = NO
+GENERATE_BUGLIST = YES
+GENERATE_DEPRECATEDLIST = YES
+ENABLED_SECTIONS =
+MAX_INITIALIZER_LINES = 30
+SHOW_USED_FILES = YES
+SHOW_DIRECTORIES = NO
+FILE_VERSION_FILTER =
+#---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+QUIET = NO
+WARNINGS = YES
+WARN_IF_UNDOCUMENTED = YES
+WARN_IF_DOC_ERROR = YES
+WARN_NO_PARAMDOC = NO
+WARN_FORMAT = "$file:$line: $text"
+WARN_LOGFILE =
+#---------------------------------------------------------------------------
+# configuration options related to the input files
+#---------------------------------------------------------------------------
+INPUT = src/libstrongswan src/charon
+FILE_PATTERNS = *.h
+RECURSIVE = YES
+EXCLUDE =
+EXCLUDE_SYMLINKS = NO
+EXCLUDE_PATTERNS =
+EXAMPLE_PATH =
+EXAMPLE_PATTERNS =
+EXAMPLE_RECURSIVE = NO
+IMAGE_PATH =
+INPUT_FILTER =
+FILTER_PATTERNS =
+FILTER_SOURCE_FILES = NO
+#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+SOURCE_BROWSER = NO
+INLINE_SOURCES = NO
+STRIP_CODE_COMMENTS = NO
+REFERENCED_BY_RELATION = NO
+REFERENCES_RELATION = NO
+VERBATIM_HEADERS = YES
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+ALPHABETICAL_INDEX = NO
+COLS_IN_ALPHA_INDEX = 5
+IGNORE_PREFIX =
+#---------------------------------------------------------------------------
+# configuration options related to the HTML output
+#---------------------------------------------------------------------------
+GENERATE_HTML = YES
+HTML_OUTPUT = .
+HTML_FILE_EXTENSION = .html
+HTML_HEADER =
+HTML_FOOTER =
+HTML_STYLESHEET =
+HTML_ALIGN_MEMBERS = YES
+GENERATE_HTMLHELP = NO
+CHM_FILE =
+HHC_LOCATION =
+GENERATE_CHI = NO
+BINARY_TOC = NO
+TOC_EXPAND = NO
+DISABLE_INDEX = YES
+ENUM_VALUES_PER_LINE = 1
+GENERATE_TREEVIEW = YES
+TREEVIEW_WIDTH = 250
+#---------------------------------------------------------------------------
+# configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+GENERATE_LATEX = NO
+LATEX_OUTPUT = latex
+LATEX_CMD_NAME = latex
+MAKEINDEX_CMD_NAME = makeindex
+COMPACT_LATEX = NO
+PAPER_TYPE = a4wide
+EXTRA_PACKAGES =
+LATEX_HEADER =
+PDF_HYPERLINKS = NO
+USE_PDFLATEX = NO
+LATEX_BATCHMODE = NO
+LATEX_HIDE_INDICES = NO
+#---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+GENERATE_RTF = NO
+RTF_OUTPUT = rtf
+COMPACT_RTF = NO
+RTF_HYPERLINKS = NO
+RTF_STYLESHEET_FILE =
+RTF_EXTENSIONS_FILE =
+#---------------------------------------------------------------------------
+# configuration options related to the man page output
+#---------------------------------------------------------------------------
+GENERATE_MAN = NO
+MAN_OUTPUT = man
+MAN_EXTENSION = .3
+MAN_LINKS = YES
+#---------------------------------------------------------------------------
+# configuration options related to the XML output
+#---------------------------------------------------------------------------
+GENERATE_XML = NO
+XML_OUTPUT = xml
+XML_SCHEMA =
+XML_DTD =
+XML_PROGRAMLISTING = YES
+#---------------------------------------------------------------------------
+# configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+GENERATE_AUTOGEN_DEF = NO
+#---------------------------------------------------------------------------
+# configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+GENERATE_PERLMOD = NO
+PERLMOD_LATEX = NO
+PERLMOD_PRETTY = YES
+PERLMOD_MAKEVAR_PREFIX =
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor
+#---------------------------------------------------------------------------
+ENABLE_PREPROCESSING = YES
+MACRO_EXPANSION = YES
+EXPAND_ONLY_PREDEF = NO
+SEARCH_INCLUDES = YES
+INCLUDE_PATH =
+INCLUDE_FILE_PATTERNS =
+PREDEFINED = LEAK_DETECTIVE
+EXPAND_AS_DEFINED =
+SKIP_FUNCTION_MACROS = YES
+#---------------------------------------------------------------------------
+# Configuration::additions related to external references
+#---------------------------------------------------------------------------
+TAGFILES =
+GENERATE_TAGFILE =
+ALLEXTERNALS = NO
+EXTERNAL_GROUPS = YES
+PERL_PATH = /usr/bin/perl
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool
+#---------------------------------------------------------------------------
+CLASS_DIAGRAMS = YES
+HIDE_UNDOC_RELATIONS = YES
+HAVE_DOT = NO
+CLASS_GRAPH = YES
+COLLABORATION_GRAPH = YES
+GROUP_GRAPHS = YES
+UML_LOOK = NO
+TEMPLATE_RELATIONS = NO
+INCLUDE_GRAPH = YES
+INCLUDED_BY_GRAPH = YES
+CALL_GRAPH = NO
+GRAPHICAL_HIERARCHY = YES
+DIRECTORY_GRAPH = YES
+DOT_IMAGE_FORMAT = png
+DOT_PATH =
+DOTFILE_DIRS =
+MAX_DOT_GRAPH_WIDTH = 1024
+MAX_DOT_GRAPH_HEIGHT = 1024
+MAX_DOT_GRAPH_DEPTH = 0
+DOT_TRANSPARENT = NO
+DOT_MULTI_TARGETS = NO
+GENERATE_LEGEND = YES
+DOT_CLEANUP = YES
+#---------------------------------------------------------------------------
+# Configuration::additions related to the search engine
+#---------------------------------------------------------------------------
+SEARCHENGINE = NO
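Review bot: `TAB_SIZE = 1` in the project-related options of Doxyfile.in makes doxygen expand every tab in a code fragment to a single column. Because `VERBATIM_HEADERS = YES` and `FILE_PATTERNS = *.h` are also set, each documented header is reproduced in the API docs that way, so tab-indented declarations would lose almost all visible indentation. The ChangeLog in this commit mentions "changed tabs from 8 to 4 spaces", which suggests (not confirmed from this file) that the sources are edited with a tab width of 4. If so, `TAB_SIZE = 4` would keep the generated output readable, and a short comment above it such as `# match the tab width used in src/` would record why the value was chosen.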
diff --git a/INSTALL b/INSTALL
index ff5b2f80c..72c26929a 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,246 +1,175 @@
---------------------------
- strongSwan - Installation
+ strongSwan - Installation
---------------------------
Contents
--------
- 1. Required packages
- 2. Optional packages
- 2.1 libcurl
- 2.2 OpenLDAP
- 2.3 PKCS#11 smartcard library modules
- 3. Building strongSwan with a Linux 2.4 kernel
- 4. Updating strongSwan with a Linux 2.4 kernel
- 5. Building strongSwan with a Linux 2.6 kernel
+ 1. Overview
+ 2. Required packages
+ 3. Optional packages
+ 3.1 libcurl
+ 3.2 OpenLDAP
+ 3.3 PKCS#11 smartcard library modules
+ 4. Kernel configuration
-
-1. Required packages
- -----------------
-
- In order to be able to build strongSwan you'll need the GNU Multiprecision
- Arithmetic Library (GMP) available from http://www.swox.com/gmp/.
-
- The libgmp library and the corresponding header file gmp.h are usually
- included in the form of one or two packages in the major Linux
- distributions (SuSE: gmp; Debian unstable: libgmp3, libgmp3-dev).
-
-
-2. Optional packages
- -----------------
-
-2.1 libcurl
- -------
-
- If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
- from an HTTP server or as an alternative want to use the Online
- Certificate Status Protocol (OCSP) then you will need the libcurl library
- available from http://curl.haxx.se/.
-
- In order to keep the library as compact as possible for use with strongSwan
- you can build libcurl from the sources with the optimized options
-
- ./configure --prefix=<dir> --without-ssl \
- --disable-ldap --disable-telnet \
- --disable-dict --disable-gopher \
- --disable-debug \
- --enable-nonblocking --enable-thread
-
- As an alternative you can use the ready-made packages included with your
- favorite Linux distribution (SuSE: curl, curl-devel).
-
- In order to activate the use of the libcurl library in strongSwan you must
- set the USE_LIBCURL option in "Makefile.inc":
-
- # include libcurl support (CRL fetching, OCSP and SCEP)
- USE_LIBCURL?=true
-
- Under Gentoo emerge strongSwan with
-
- USE="curl -ssl" emerge strongswan
-
-
-2.2 OpenLDAP
+1. Overview
--------
- If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
- from an LDAP server then you will need the libldap library available
- from http://www.openldap.org/.
-
- OpenLDAP is usually included with your Linux distribution. You will need
- both the run-time and development environments (SuSE: openldap2,
- openldap2-devel).
-
- In order to activate the use of the libldap library in strongSwan you must
- set the USE_LDAP option in "Makefile.inc":
+ The strongSwan 4.x branch introduces a new build environment featuring
+ GNU autotools. This should simplify the build process and package
+ maintenance.
+ First check for the availability of required packages on your system
+ (section 2.). You may want to include support for additional features, which
+ require other packages to be installed (section 3.).
+ To compile an extracted tarball, run the ./configure script first:
- # include LDAP support (CRL fetching)
- USE_LDAP?=true
+ ./configure
- Depending upon whether your LDAP server understands the V3 (preferred) or
- V2 LDAP protocol, uncomment one ot the two following lines:
+ You may want to specify some arguments listed in section 3., or see the
+ available options of the script using "./configure --help".
- # Uncomment to enable dynamic CRL fetching using LDAP V3
- LDAP_VERSION=3
- # Uncomment to enable dynamic CRL fetching using LDAP V2
- #LDAP_VERSION=2
+ After a successful run of the script, run
- The latest OpenLDAP releases use the LDAP V3 protocol, whereas older
- versions require LDAP V2.
+ make
- Under Gentoo emerge strongSwan with
+ followed by
- USE="ldap -ssl" emerge strongswan
-
-
-2.3 PKCS#11 smartcard library modules
- ---------------------------------
-
- If you want to securely store your X.509 certificates and private RSA keys
- on a smart card or a USB crypto token then you will need a PKCS #11 library
- for the smart card of your choice. The OpenSC PKCS#11 library (use
- versions >= 0.9.4) available from http://www.opensc.org/ supports quite a
- selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger
- Cryptoflex e-gate, Oberthur AuthentIC, etc.) but requires that a PKCS#15
- directory structure be present on the smart card. But in principle
- any other PKCS#11 library could be used since the PKCS#11 API hides the
- internal data representation on the card.
-
- For USB crypto token support you must add the OpenCT driver library
- (version >= 0.6.2) from the OpenSC site, whereas for serial smartcard
- readers you'll need the pcsc-lite library and the matching driver from the
- M.U.S.C.L.E project http://www.linuxnet.com/ .
-
- In order to activate the PKCS#11-based smartcard support in strongSwan
- you must set the USE_SMARTCARD option in "Makefile.inc":
-
- #include PKCS11-based smartcard support
- USE_SMARTCARD?=true
-
- During compilation no externel smart card libraries must be present.
- strongSwan directly references a copy of the standard RSAREF pkcs11.h
- header files stored in the pluto/rsaref sub directory. During compile
- time a pathname to a default PKCS#11 dynamical library can be specified
- in "Makefile.inc"
-
- # Uncomment this line if using OpenSC <= 0.9.6
- #PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\"
- # Uncomment tis line if using OpenSC >= 0.10.0
- PKCS11_DEFAULT_LIB=\"usr/lib/opensc-pkcs11.so\"
-
- This default path to the easily-obtainable OpenSC library module can be
- simply overridden during run-time by specifying an alternative path in
- ipsec.conf pointing to any dynamic PKCS#11 library of your choice.
-
- config setup
- pkcs11module="/usr/lib/xyz-pkcs11.so"
+ make install
- Under Gentoo emerge strongSwan with
+ in the usual manner.
- USE="smartcard usb -pam -X" emerge strongswan
+ To check if your kernel fullfills the requirements, see section 4.
+ Next add your connections to "/etc/ipsec.conf" and your secrets to
+ "/etc/ipsec.secrets". Connections that are to be negotiated by the new
+ IKEv2 charon keying daemon should be designated by "keyexchange=ikev2" and
+ those by the IKEv1 pluto keying daemon either by "keyexchange=ikev1" or
+ the default "keyexchange=ike".
-3. Building strongSwan with a Linux 2.4 kernel
- -------------------------------------------
+ At last start strongSwan with
- * Building strongSwan with a Linux 2.4 kernel requires the presence of the
- matching kernel sources referenced via the symbolic link /usr/src/linux.
- The use of the vanilla kernel sources from ftp.kernel.org is strongly
- recommended.
+ ipsec start
- Before building strongSwan you must have compiled the kernel sources at
- least once:
- make menuconfig; make dep; make bzImage; make modules
+2. Required packages
+ -----------------
- * Now change into the strongswan-2.x.x source directory.
+ In order to be able to build strongSwan you'll need the GNU Multiprecision
+ Arithmetic Library (GMP) available from http://www.swox.com/gmp/. At least
+ version 4.1.5 of libgmp is required.
- First select any desired compile options in "Makefile.inc" (see section 2.
- Optional packages). Then in the top source directory type
+ The libgmp library and the corresponding header file gmp.h are usually
+ included in the form of one or two packages in the major Linux
+ distributions (SuSE: gmp; Debian unstable: libgmp3, libgmp3-dev).
- make menumod
- This command applies an ESP_IN_UDP encapsulation patch which is required
- for NAT-Traversal to the kernel sources.
+3. Optional packages
+ -----------------
- In the "Networking options" menu set
+3.1 libcurl
+ -------
- <M> IP Security Protocol (strongSwan IPsec)
+ If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
+ from an HTTP server or as an alternative want to use the Online
+ Certificate Status Protocol (OCSP) then you will need the libcurl library
+ available from http://curl.haxx.se/.
- in order to build KLIPS as a loadable kernel module "ipsec.o". Do not
- forget to save the modified configuration file when leaving "menumod".
+ In order to keep the library as compact as possible for use with strongSwan
+ you can build libcurl from the sources with the optimized options
- The strongSwan userland programs are now automatically built and
- installed, whereas the ipsec.o kernel module and the crypto modules
- are only built and must be installed with the command
+ ./configure --prefix=<dir> --without-ssl \
+ --disable-ldap --disable-telnet \
+ --disable-dict --disable-gopher \
+ --disable-debug \
+ --enable-nonblocking --enable-thread
- make minstall
+ As an alternative you can use the ready-made packages included with your
+ favorite Linux distribution (SuSE: curl, curl-devel).
- * If you intend to use the NAT-Traversal feature then you must compile the
- patched kernel sources again by executing
+ In order to activate the use of the libcurl library in strongSwan you must
+ enable the ./configure switch:
- make bzImage
+ ./configure [...] --enable-http
- and then install and boot the modified kernel.
- * Next add your connections to "/etc/ipsec.conf" and your secrets to
- "/etc/ipsec.secrets" and start strongSwan with
+3.2 OpenLDAP
+ --------
- ipsec start
+ If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
+ from an LDAP server then you will need the libldap library available
+ from http://www.openldap.org/.
+ OpenLDAP is usually included with your Linux distribution. You will need
+ both the run-time and development environments (SuSE: openldap2,
+ openldap2-devel).
-4. Updating strongSwan with a Linux 2.4 kernel
- -------------------------------------------
+ In order to activate the use of the libldap library in strongSwan you must
+ enable the ./configure switch:
- * If you have already successfully installed strongSwan and want to update
- to a newer version then the following shortcut can be taken:
+ ./configure [...] --enable-ldap
- First select any desired compile options in "Makefile.inc" (see section 2.
- Optional packages). Then in the strongwan-2.x.x top directory type
+ LDAP Protocl version 2 is not supported anymore, --enable-ldap uses always
+ version 3 of the LDAP protocol
- make programs; make install
- followed by
+3.3 PKCS#11 smartcard library modules
+ ---------------------------------
- make module; make minstall
+ If you want to securely store your X.509 certificates and private RSA keys
+ on a smart card or a USB crypto token then you will need a PKCS #11 library
+ for the smart card of your choice. The OpenSC PKCS#11 library (use
+ versions >= 0.9.4) available from http://www.opensc.org/ supports quite a
+ selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger
+ Cryptoflex e-gate, Oberthur AuthentIC, etc.) but requires that a PKCS#15
+ directory structure be present on the smart card. But in principle
+ any other PKCS#11 library could be used since the PKCS#11 API hides the
+ internal data representation on the card.
- * You can then start the updated strongSwan version with
+ For USB crypto token support you must add the OpenCT driver library
+ (version >= 0.6.2) from the OpenSC site, whereas for serial smartcard
+ readers you'll need the pcsc-lite library and the matching driver from the
+ M.U.S.C.L.E project http://www.linuxnet.com/ .
- ipsec restart
+ In order to activate the PKCS#11-based smartcard support in strongSwan
+ you must enable the smartcard ./configure switch:
+ ./configure [...] --enable-smartcard
-5. Building strongSwan with a Linux 2.6 kernel
- -------------------------------------------
+ During compilation no externel smart card libraries must be present.
+ strongSwan directly references a copy of the standard RSAREF pkcs11.h
+ header files stored in the pluto/rsaref sub directory. During compile
+ time a pathname to a default PKCS#11 dynamical library can be specified
+ with a ./configure flag:
- * Because the Linux 2.6 kernel comes with a built-in native IPsec stack,
- you won't need to build the strongSwan kernel modules. Please make sure
- that the the following Linux 2.6 IPsec kernel modules are available:
+ ./configure --enable-smartcard --with-default-pkcs11=/path/to/lib.so
- o af_key
- o ah4
- o esp4
- o ipcomp
- o xfrm_user
- o xfrm4_tunnel
-
- Also the built-in kernel Cryptoapi modules with selected encryption and
- hash algorithms should be available.
+ This default path to the easily-obtainable OpenSC library module can be
+ simply overridden during run-time by specifying an alternative path in
+ ipsec.conf pointing to any dynamic PKCS#11 library of your choice.
- * First select any desired compile options in "Makefile.inc" (see section 2.
- Optional packages). Then in the strongwan-2.x.x top directory type
+ config setup
+ pkcs11module="/usr/lib/xyz-pkcs11.so"
- make programs
- followed by
+4. Kernel configuration
+ --------------------
- make install
+ The strongSwan 4.x series currently support only 2.6 kernels and its
+ native IPsec stack. Please make sure that the following IPsec kernel
+ modules are available:
- * Next add your connections to "/etc/ipsec.conf" and your secrets to
- "/etc/ipsec.secrets" and start strongSwan with
+ o af_key
+ o ah4
+ o esp4
+ o ipcomp
+ o xfrm_user
+ o xfrm4_tunnel
- ipsec start
+ These may be built into the kernel or as modules. Modules get loaded
+ automatically at strongSwan startup.
------------------------------------------------------------------------------
+ Also the built-in kernel Cryptoapi modules with selected encryption and
+ hash algorithms should be available.
-This file is RCSID $Id: INSTALL,v 1.11 2006/05/19 06:44:17 as Exp $
diff --git a/LICENSE b/LICENSE
deleted file mode 100644
index 1dc0f01f0..000000000
--- a/LICENSE
+++ /dev/null
@@ -1,33 +0,0 @@
-Except for the DES library, MD2 and MD5 code, the PKCS#11 headers, and
-linux/net/ipsec/radij.c this software is under the GNU Public License,
-see the file COPYING.
-
-See the file CREDITS for details on origins of more of the code.
-
-The DES library is under a BSD style license, see
- linux/crypto/ciphers/des/COPYRIGHT.
-Note that this software has a advertising clause in it.
-
-The MD2 implementation is from RSA Data Security Inc., so this package must
-include the following phrase: "RSA Data Security, Inc. MD2 Message Digest
-Algorithm" It is not under the GPL; see details in programs/pluto/md2.c.
-
-The MD5 implementation is from RSA Data Security Inc., so this package must
-include the following phrase: "derived from the RSA Data Security, Inc.
-MD5 Message-Digest Algorithm". It is not under the GPL; see details in
-linux/net/ipsec/ipsec_md5c.c.
-
-The PKCS#11 header files in programs/pluto/rsaref/ are from RSA Security Inc.,
-so they must include the following phrase: "RSA Security Inc. PKCS#11
-Cryptographic Token Interface (Cryptoki)". The headers are not under the GPL;
-see details in programs/pluto/rsaref/pkcs11.h.
-
-The linux/net/ipsec/radij.c code is derived from BSD 4.4lite code
-from sys/net/radix.c.
-
-In addition to the terms set out under the GPL, permission is granted to
-link the software against the libdes, md5c.c, and radij.c libraries just
-mentioned.
-
-
-
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 9027df9fe..000000000
--- a/Makefile
+++ /dev/null
@@ -1,602 +0,0 @@
-# FreeS/WAN master makefile
-# Copyright (C) 1998-2002 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.6 2006/11/22 05:47:11 as Exp $
-
-
-FREESWANSRCDIR=$(shell pwd)
-export FREESWANSRCDIR
-
-include Makefile.inc
-
-
-
-PATCHES=linux
-# where KLIPS goes in the kernel
-# note, some of the patches know the last part of this path
-KERNELKLIPS=$(KERNELSRC)/net/ipsec
-KERNELCRYPTODES=$(KERNELSRC)/crypto/ciphers/des
-KERNELLIBFREESWAN=$(KERNELSRC)/lib/libfreeswan
-KERNELLIBZLIB=$(KERNELSRC)/lib/zlib
-KERNELLIBCRYPTO=$(KERNELSRC)/lib/libcrypto
-KERNELINCLUDE=$(KERNELSRC)/include
-KERNELALG=$(KERNELKLIPS)/alg
-
-MAKEUTILS=packaging/utils
-ERRCHECK=${MAKEUTILS}/errcheck
-KVUTIL=${MAKEUTILS}/kernelversion
-KVSHORTUTIL=${MAKEUTILS}/kernelversion-short
-
-# kernel details
-# what variant of our patches should we use, and where is it
-KERNELREL=$(shell ${KVSHORTUTIL} ${KERNELSRC}/Makefile)
-
-# directories visited by all recursion
-SUBDIRS=lib programs linux
-
-# declaration for make's benefit
-.PHONY: def insert kpatch klink klibcryptolink patches _patches _patches2.2 _patches2.4 \
- klipsdefaults programs install clean distclean \
- ogo oldgo menugo xgo \
- omod oldmod menumod xmod \
- pcf ocf mcf xcf rcf nopromptgo \
- precheck verset confcheck kernel module kinstall minstall \
- backup unpatch uinstall install_file_list \
- snapready relready ready buildready devready uml check taroldinstall \
- umluserland
-
-
-# dummy default rule
-def:
- @echo "Please read doc/intro.html or INSTALL before running make"
- @false
-
-# everything that's necessary to put Klips into the kernel
-insert: patches klink klipsdefaults
-
-kpatch: unapplypatch applypatch klipsdefaults
-
-unapplypatch:
- -if [ -f ${KERNELSRC}/freeswan.patch ]; then \
- echo Undoing previous patches; \
- cat ${KERNELSRC}/freeswan.patch | (cd ${KERNELSRC} && patch -p1 -R --force -E -z .preipsec --reverse --ignore-whitespace ); \
- fi
-
-applypatch:
- echo Now performing forward patches;
- make kernelpatch${KERNELREL} | tee ${KERNELSRC}/freeswan.patch | (cd ${KERNELSRC} && patch -p1 -b -z .preipsec --forward --ignore-whitespace )
-
-kdiff:
- echo Comparing ${KERNELSRC} to ${FREESWANSRCDIR}/linux.
- packaging/utils/kerneldiff ${KERNELSRC}
-
-# create KERNELKLIPS and populate it with symlinks to the sources
-klink:
- -[ -L $(KERNELKLIPS)/ipsec_init.c ] && rm -rf ${KERNELKLIPS}
- -[ -L $(KERNELCRYPTODES)/cbc_enc.c ] && rm -rf ${KERNELCRYPTODES}
- -[ -L $(KERNELLIBFREESWAN)/subnettoa.c ] && rm -rf ${KERNELLIBFREESWAN}
- -[ -L ${KERNELLIBZLIB}/deflate.c ] && rm -rf ${KERNELLIBZLIB}
- -[ -L ${KERNELINCLUDE}/freeswan.h ] && for i in linux/include/*; do rm -f ${KERNELINCLUDE}/$$i; done
- -[ -L $(KERNELALG)/Makefile ] && rm -rf $(KERNELALG)
- -[ -L $(KERNELLIBCRYPTO) ] && rm -f $(KERNELLIBCRYPTO)
- mkdir -p $(KERNELKLIPS)
- mkdir -p $(KERNELCRYPTODES)
- mkdir -p $(KERNELLIBFREESWAN)
- mkdir -p $(KERNELLIBZLIB)
- mkdir -p $(KERNELALG)
- $(KLIPSLINK) `pwd`/Makefile.ver $(KERNELKLIPS)
- $(KLIPSLINK) `pwd`/linux/include/* $(KERNELINCLUDE)
- $(KLIPSLINK) `pwd`/linux/net/ipsec/Makefile* $(KERNELKLIPS)
- $(KLIPSLINK) `pwd`/linux/net/ipsec/Config.in $(KERNELKLIPS)
- $(KLIPSLINK) `pwd`/linux/net/ipsec/defconfig $(KERNELKLIPS)
- $(KLIPSLINK) `pwd`/linux/net/ipsec/*.[ch] $(KERNELKLIPS)
- $(KLIPSLINK) `pwd`/linux/net/ipsec/alg/Makefile* $(KERNELALG)
- $(KLIPSLINK) `pwd`/linux/net/ipsec/alg/Config.* $(KERNELALG)
- $(KLIPSLINK) `pwd`/linux/net/ipsec/alg/ipsec_alg*.[ch] $(KERNELALG)
- $(KLIPSLINK) `pwd`/linux/net/ipsec/alg/scripts $(KERNELALG)
- # Each ALGo does it own symlinks
- $(KLIPSLINK) `pwd`/lib/libcrypto $(KERNELLIBCRYPTO)
- $(KLIPSLINK) `pwd`/linux/lib/zlib/*.[ch] $(KERNELLIBZLIB)
- $(KLIPSLINK) `pwd`/linux/lib/zlib/Makefile* $(KERNELLIBZLIB)
- $(KLIPSLINK) `pwd`/linux/lib/libfreeswan/*.[ch] $(KERNELLIBFREESWAN)
- $(KLIPSLINK) `pwd`/linux/lib/libfreeswan/Makefile* $(KERNELLIBFREESWAN)
- $(KLIPSLINK) `pwd`/linux/crypto/ciphers/des/*.[chsS] $(KERNELCRYPTODES)
- $(KLIPSLINK) `pwd`/linux/crypto/ciphers/des/Makefile* $(KERNELCRYPTODES)
- sed '/"/s/xxx/$(IPSECVERSION)/' linux/lib/libfreeswan/version.in.c >$(KERNELKLIPS)/version.c
-
-# create libcrypto symlink
-klibcryptolink:
- -[ -L $(KERNELLIBCRYPTO) ] && rm -f $(KERNELLIBCRYPTO)
- $(KLIPSLINK) `pwd`/lib/libcrypto $(KERNELLIBCRYPTO)
-
-# patch kernel
-PATCHER=packaging/utils/patcher
-
-patches:
- @echo \"make patches\" is obsolete. See \"make kpatch\".
- exit 1
-
-_patches:
- echo "===============" >>out.kpatch
- echo "`date` `cd $(KERNELSRC) ; pwd`" >>out.kpatch
- $(MAKE) __patches$(KERNELREL) >>out.kpatch
-
-# Linux-2.0.x version
-__patches __patches2.0:
- @$(PATCHER) -v $(KERNELSRC) Documentation/Configure.help \
- 'CONFIG_IPSEC' $(PATCHES)/Documentation/Configure.help.fs2_0.patch
- @$(PATCHER) -v $(KERNELSRC) net/Config.in \
- 'CONFIG_IPSEC' $(PATCHES)/net/Config.in.fs2_0.patch
- @$(PATCHER) -v $(KERNELSRC) net/Makefile \
- 'CONFIG_IPSEC' $(PATCHES)/net/Makefile.fs2_0.patch
- @$(PATCHER) -v $(KERNELSRC) net/ipv4/af_inet.c \
- 'CONFIG_IPSEC' $(PATCHES)/net/ipv4/af_inet.c.fs2_0.patch
-# Removed patches, will unpatch automatically.
- @$(PATCHER) -v $(KERNELSRC) include/linux/proc_fs.h
- @$(PATCHER) -v $(KERNELSRC) net/core/dev.c
- @$(PATCHER) -v $(KERNELSRC) net/ipv4/protocol.c
- @$(PATCHER) -v $(KERNELSRC) drivers/net/Space.c
- @$(PATCHER) -v $(KERNELSRC) net/netlink.c
- @$(PATCHER) -v $(KERNELSRC) drivers/isdn/isdn_net.c
-
-# Linux-2.2.x version
-PATCHES24=klips/patches2.3
-__patches2.2:
- @$(PATCHER) -v -c $(KERNELSRC) Documentation/Configure.help \
- 'CONFIG_IPSEC' $(PATCHES)/Documentation/Configure.help.fs2_2.patch
- @$(PATCHER) -v $(KERNELSRC) net/Config.in \
- 'CONFIG_IPSEC' $(PATCHES)/net/Config.in.fs2_2.patch
- @$(PATCHER) -v $(KERNELSRC) net/Makefile \
- 'CONFIG_IPSEC' $(PATCHES)/net/Makefile.fs2_2.patch
- @$(PATCHER) -v $(KERNELSRC) net/ipv4/af_inet.c \
- 'CONFIG_IPSEC' $(PATCHES)/net/ipv4/af_inet.c.fs2_2.patch
- @$(PATCHER) -v $(KERNELSRC) net/ipv4/udp.c \
- 'CONFIG_IPSEC' $(PATCHES)/net/ipv4/udp.c.fs2_2.patch
- @$(PATCHER) -v $(KERNELSRC) include/net/sock.h \
- 'CONFIG_IPSEC' $(PATCHES)/net/include.net.sock.h.fs2_2.patch
-# Removed patches, will unpatch automatically.
- @$(PATCHER) -v $(KERNELSRC) include/linux/proc_fs.h
- @$(PATCHER) -v $(KERNELSRC) net/core/dev.c
- @$(PATCHER) -v $(KERNELSRC) net/ipv4/protocol.c
- @$(PATCHER) -v $(KERNELSRC) drivers/net/Space.c
- @$(PATCHER) -v $(KERNELSRC) include/linux/netlink.h
- @$(PATCHER) -v $(KERNELSRC) net/netlink/af_netlink.c
- @$(PATCHER) -v $(KERNELSRC) net/netlink/netlink_dev.c
- @$(PATCHER) -v $(KERNELSRC) include/linux/socket.h
- @$(PATCHER) -v $(KERNELSRC) drivers/isdn/isdn_net.c
-
-# Linux-2.4.0 version
-PATCHES22=klips/patches2.2
-__patches2.3 __patches2.4:
- @$(PATCHER) -v -c $(KERNELSRC) Documentation/Configure.help \
- 'CONFIG_IPSEC' $(PATCHES)/Documentation/Configure.help.fs2_2.patch
- @$(PATCHER) -v $(KERNELSRC) net/Config.in \
- 'CONFIG_IPSEC' $(PATCHES)/net/Config.in.fs2_4.patch
- @$(PATCHER) -v $(KERNELSRC) net/Makefile \
- 'CONFIG_IPSEC' $(PATCHES)/net/Makefile.fs2_4.patch
- @$(PATCHER) -v $(KERNELSRC) net/ipv4/af_inet.c \
- 'CONFIG_IPSEC' $(PATCHES)/net/ipv4/af_inet.c.fs2_4.patch
- @$(PATCHER) -v $(KERNELSRC) net/ipv4/udp.c \
- 'CONFIG_IPSEC' $(PATCHES)/net/ipv4/udp.c.fs2_4.patch
- @$(PATCHER) -v $(KERNELSRC) include/net/sock.h \
- 'CONFIG_IPSEC' $(PATCHES)/net/include.net.sock.h.fs2_4.patch
-# Removed patches, will unpatch automatically.
- @$(PATCHER) -v $(KERNELSRC) include/linux/proc_fs.h
- @$(PATCHER) -v $(KERNELSRC) net/core/dev.c
- @$(PATCHER) -v $(KERNELSRC) net/ipv4/protocol.c
- @$(PATCHER) -v $(KERNELSRC) drivers/net/Space.c
- @$(PATCHER) -v $(KERNELSRC) include/linux/netlink.h
- @$(PATCHER) -v $(KERNELSRC) net/netlink/af_netlink.c
- @$(PATCHER) -v $(KERNELSRC) net/netlink/netlink_dev.c
- @$(PATCHER) -v $(KERNELSRC) drivers/isdn/isdn_net.c
-
-klipsdefaults:
- @KERNELDEFCONFIG=$(KERNELSRC)/arch/$(ARCH)/defconfig ; \
- KERNELCONFIG=$(KCFILE) ; \
- if ! egrep -q 'CONFIG_IPSEC' $$KERNELDEFCONFIG ; \
- then \
- set -x ; \
- cp -a $$KERNELDEFCONFIG $$KERNELDEFCONFIG.orig ; \
- chmod u+w $$KERNELDEFCONFIG ; \
- cat $$KERNELDEFCONFIG $(KERNELKLIPS)/defconfig \
- >$$KERNELDEFCONFIG.tmp ; \
- rm -f $$KERNELDEFCONFIG ; \
- cp -a $$KERNELDEFCONFIG.tmp $$KERNELDEFCONFIG ; \
- rm -f $$KERNELDEFCONFIG.tmp ; \
- fi ; \
- if ! egrep -q 'CONFIG_IPSEC' $$KERNELCONFIG ; \
- then \
- set -x ; \
- cp -a $$KERNELCONFIG $$KERNELCONFIG.orig ; \
- chmod u+w $$KERNELCONFIG ; \
- cat $$KERNELCONFIG $(KERNELKLIPS)/defconfig \
- >$$KERNELCONFIG.tmp ; \
- rm -f $$KERNELCONFIG ; \
- cp -a $$KERNELCONFIG.tmp $$KERNELCONFIG ; \
- rm -f $$KERNELCONFIG.tmp ; \
- fi
-
-
-
-# programs
-
-checkv199install:
- if [ -f ${LIBDIR}/pluto ]; \
- then \
- echo WARNING: FreeS/WAN 1.99 still installed. ;\
- echo WARNING: moving ${LIBDIR} to ${LIBDIR}.v1 ;\
- mv ${LIBDIR} ${LIBDIR}.v1 ;\
- fi
-
-install:: checkv199install
-
-programs install clean checkprograms::
- @for d in $(SUBDIRS) ; \
- do \
- (cd $$d && $(MAKE) FREESWANSRCDIR=.. $@ ) || exit 1; \
- done;
-
-clean::
- rm -rf $(RPMTMPDIR) $(RPMDEST)
- rm -f out.*build out.*install # but leave out.kpatch
- rm -f rpm.spec
-
-distclean: clean
- rm -f out.kpatch
- if [ -f umlsetup.sh ]; then source umlsetup.sh; if [ -d "$$POOLSPACE" ]; then rm -rf $$POOLSPACE; fi; fi
-
-
-
-# proxies for major kernel make operations
-
-# do-everything entries
-KINSERT_PRE=precheck verset insert
-PRE=precheck verset kpatch klibcryptolink
-POST=confcheck programs kernel install
-MPOST=confcheck programs module install
-ogo: $(PRE) pcf $(POST)
-oldgo: $(PRE) ocf $(POST)
-nopromptgo: $(PRE) rcf $(POST)
-menugo: $(PRE) mcf $(POST)
-xgo: $(PRE) xcf $(POST)
-omod: $(PRE) pcf $(MPOST)
-oldmod: $(PRE) ocf $(MPOST)
-menumod: $(PRE) mcf $(MPOST)
-xmod: $(PRE) xcf $(MPOST)
-
-# preliminaries
-precheck:
- @if test ! -d $(KERNELSRC) -a ! -L $(KERNELSRC) ; \
- then \
- echo '*** cannot find directory "$(KERNELSRC)"!!' ; \
- echo '*** may be necessary to add symlink to kernel source' ; \
- exit 1 ; \
- fi
- @if ! cd $(KERNELSRC) ; \
- then \
- echo '*** cannot "cd $(KERNELSRC)"!!' ; \
- echo '*** may be necessary to add symlink to kernel source' ; \
- exit 1 ; \
- fi
- @if test ! -f $(KCFILE) ; \
- then \
- echo '*** cannot find "$(KCFILE)"!!' ; \
- echo '*** perhaps kernel has never been configured?' ; \
- echo '*** please do that first; the results are necessary.' ; \
- exit 1 ; \
- fi
- @if test ! -f $(VERFILE) ; \
- then \
- echo '*** cannot find "$(VERFILE)"!!' ; \
- echo '*** perhaps kernel has never been compiled?' ; \
- echo '*** please do that first; the results are necessary.' ; \
- exit 1 ; \
- fi
-
-# set version code if this is a fresh CVS checkout
-ifeq ($(wildcard cvs.datemark),cvs.datemark)
-verset Makefile.ver: cvs.datemark
- echo IPSECVERSION=`date -r cvs.datemark +cvs%Y%b%d_%H:%M:%S` >Makefile.ver
- rm -f cvs.datemark;
-else
-verset Makefile.ver:
- @grep IPSECVERSION Makefile.ver
-endif
-
-Makefile: Makefile.ver
-
-# configuring (exit statuses disregarded, something fishy here sometimes)
-xcf:
- -cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) xconfig
-mcf:
- -cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) menuconfig
-pcf:
- -cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) config
-
-ocf:
- -cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) oldconfig
-
-rcf:
- cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) oldconfig_nonint </dev/null
- cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) dep >/dev/null
-
-confcheck:
- @if test ! -f $(KCFILE) ; \
- then echo '*** no kernel configuration file written!!' ; exit 1 ; \
- fi
- @if ! egrep -q '^CONFIG_IPSEC=[my]' $(KCFILE) ; \
- then echo '*** IPsec not in kernel config ($(KCFILE))!!' ; exit 1 ; \
- fi
- @if ! egrep -q 'CONFIG_IPSEC[ ]+1' $(ACFILE) && \
- ! egrep -q 'CONFIG_IPSEC_MODULE[ ]+1' $(ACFILE) ; \
- then echo '*** IPsec in kernel config ($(KCFILE)),' ; \
- echo '*** but not in config header file ($(ACFILE))!!' ; \
- exit 1 ; \
- fi
- @if egrep -q '^CONFIG_IPSEC=m' $(KCFILE) && \
- ! egrep -q '^CONFIG_MODULES=y' $(KCFILE) ; \
- then echo '*** IPsec configured as module in kernel with no module support!!' ; exit 1 ; \
- fi
- @if ! egrep -q 'CONFIG_IPSEC_AH[ ]+1' $(ACFILE) && \
- ! egrep -q 'CONFIG_IPSEC_ESP[ ]+1' $(ACFILE) ; \
- then echo '*** IPsec configuration must include AH or ESP!!' ; exit 1 ; \
- fi
-
-# kernel building, with error checks
-kernel:
- rm -f out.kbuild out.kinstall
- # undocumented kernel folklore: clean BEFORE dep.
- # we run make dep seperately, because there is no point in running ERRCHECK
- # on the make dep output.
- # see LKML thread "clean before or after dep?"
- ( cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) $(KERNCLEAN) $(KERNDEP) )
- ( cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) $(KERNEL) ) 2>&1 | tee out.kbuild
- @if egrep -q '^CONFIG_MODULES=y' $(KCFILE) ; \
- then set -x ; \
- ( cd $(KERNELSRC) ; \
- $(MAKE) $(KERNMAKEOPTS) modules 2>&1 ) | tee -a out.kbuild ; \
- fi
- ${ERRCHECK} out.kbuild
-
-# this target takes a kernel source tree and it builds a link tree,
-# and then does make oldconfig for each .config file that was found in configs.
-# The location for the disk space required for the link tree is found via
-# $RH_KERNELSRC_POOL
-preprhkern4module:
- if [ -z "${RH_KERNELSRC_POOL}" ]; then echo Please set RH_KERNELSRC_POOL.; exit 1; fi
- mkdir -p ${RH_KERNELSRC_POOL}
- KV=`${KVUTIL} $(RH_KERNELSRC)/Makefile` ; \
- cd ${RH_KERNELSRC_POOL} && \
- mkdir -p $$KV && cd $$KV && \
- for config in ${RH_KERNELSRC}/configs/*; do \
- basecfg=`basename $$config` ;\
- mkdir -p ${RH_KERNELSRC_POOL}/$$KV/$$basecfg && \
- cd ${RH_KERNELSRC_POOL}/$$KV/$$basecfg && \
- lndir ${RH_KERNELSRC} . && \
- rm -rf include/asm && \
- (cd include/linux && sed -e '/#include "\/boot\/kernel.h"/d' <rhconfig.h >rhconfig.h-new && mv rhconfig.h-new rhconfig.h ) && \
- rm -f include/linux/modules/*.stamp && \
- make dep && \
- make oldconfig; \
- done;
-
-# module-only building, with error checks
-ifneq ($(strip $(MODBUILDDIR)),)
-${MODBUILDDIR}/Makefile : ${FREESWANSRCDIR}/packaging/makefiles/module.make
- mkdir -p ${MODBUILDDIR}
- cp ${FREESWANSRCDIR}/packaging/makefiles/module.make ${MODBUILDDIR}/Makefile
- echo "# " >>${MODBUILDDIR}/Makefile
- echo "# Local Variables: " >>${MODBUILDDIR}/Makefile
- echo "# compile-command: \"${MAKE} FREESWANSRCDIR=${FREESWANSRCDIR} ARCH=${ARCH} ${MODULE_FLAGS} MODULE_DEF_INCLUDE=${MODULE_DEF_INCLUDE} ipsec.o\"" >>${MODBUILDDIR}/Makefile
- echo "# End: " >>${MODBUILDDIR}/Makefile
-
-# clean out the linux/net/ipsec directory so that VPATH will work properly
-module: ${MODBUILDDIR}/Makefile
- ${MAKE} -C linux/net/ipsec ${MODULE_FLAGS} MODULE_DEF_INCLUDE=${MODULE_DEF_INCLUDE} clean
- ${MAKE} -C ${MODBUILDDIR} ARCH=${ARCH} ${MODULE_FLAGS} MODULE_DEF_INCLUDE=${MODULE_DEF_INCLUDE} ipsec.o
- ${MAKE} -C ${MODBUILDDIR} ARCH=${ARCH} ${MODULE_FLAGS} MODULE_DEF_INCLUDE=${MODULE_DEF_INCLUDE} LIBCRYPTO=${FREESWANSRCDIR}/lib/libcrypto MODULE_FLAGS="$(MODULE_FLAGS)" alg_modules
-
-modclean: ${MODBUILDDIR}/Makefile
- ${MAKE} -C ${MODBUILDDIR} clean
-
-# module-only install, with error checks
-minstall:
- ( FSMODLIB=`make -C $(KERNELSRC) -p dummy | ( sed -n -e '/^MODLIB/p' -e '/^MODLIB/q' ; cat > /dev/null ) | sed -e 's/^MODLIB[ :=]*\([^;]*\).*/\1/'` ; \
- if [ -z "$$FSMODLIB" ] ; then \
- FSMODLIB=`make -C $(KERNELSRC) -n -p modules_install | ( sed -n -e '/^MODLIB/p' -e '/^MODLIB/q' ; cat > /dev/null ) | sed -e 's/^MODLIB[ :=]*\([^;]*\).*/\1/'` ; \
- fi ; \
- if [ -z "$$FSMODLIB" ] ; then \
- echo "No known place to install module. Aborting." ; \
- exit 93 ; \
- fi ; \
- set -x ; \
- mkdir -p $$FSMODLIB/kernel/net/ipsec ; \
- cp $(MODBUILDDIR)/ipsec.o $$FSMODLIB/kernel/net/ipsec ; \
- mkdir -p $$FSMODLIB/kernel/net/ipsec/alg ; \
- for i in `sed -n '/IPSEC_ALG/s/CONFIG_IPSEC_ALG_\(.*\)=[Mm]/ipsec_\1.o/p' $(KCFILE) | tr '[A-Z]' '[a-z]'`;do \
- echo "installing $$i"; \
- cp $(MODBUILDDIR)/alg/$$i $$FSMODLIB/kernel/net/ipsec/alg ;\
- done )
-
-else
-module:
- ${MAKE} -C linux/net/ipsec ARCH=${ARCH} ${MODULE_FLAGS} MODULE_DEF_INCLUDE=${MODULE_DEF_INCLUDE} ipsec.o
- ${MAKE} -C linux/net/ipsec ARCH=${ARCH} ${MODULE_FLAGS} MODULE_DEF_INCLUDE=${MODULE_DEF_INCLUDE} LIBCRYPTO=${FREESWANSRCDIR}/lib/libcrypto MODULE_FLAGS="$(MODULE_FLAGS)" alg_modules
-
-modclean:
- ${MAKE} -C linux/net/ipsec ARCH=${ARCH} ${MODULE_FLAGS} MODULE_DEF_INCLUDE=${MODULE_DEF_INCLUDE} clean
-
-# module-only install, with error checks
-minstall:
- ( FSMODLIB=`make -C $(KERNELSRC) -p dummy | ( sed -n -e '/^MODLIB/p' -e '/^MODLIB/q' ; cat > /dev/null ) | sed -e 's/^MODLIB[ :=]*\([^;]*\).*/\1/'` ; \
- if [ -z "$$FSMODLIB" ] ; then \
- FSMODLIB=`make -C $(KERNELSRC) -n -p modules_install | ( sed -n -e '/^MODLIB/p' -e '/^MODLIB/q' ; cat > /dev/null ) | sed -e 's/^MODLIB[ :=]*\([^;]*\).*/\1/'` ; \
- fi ; \
- if [ -z "$$FSMODLIB" ] ; then \
- echo "No known place to install module. Aborting." ; \
- exit 93 ; \
- fi ; \
- set -x ; \
- mkdir -p $$FSMODLIB/kernel/net/ipsec ; \
- cp linux/net/ipsec/ipsec.o $$FSMODLIB/kernel/net/ipsec ; \
- mkdir -p $$FSMODLIB/kernel/net/ipsec/alg ; \
- for i in `sed -n '/IPSEC_ALG/s/CONFIG_IPSEC_ALG_\(.*\)=[Mm]/ipsec_\1.o/p' $(KCFILE) | tr '[A-Z]' '[a-z]'`;do \
- echo "installing $$i"; \
- cp linux/net/ipsec/alg/$$i $$FSMODLIB/kernel/net/ipsec/alg ;\
- done )
-
-endif
-
-# kernel install, with error checks
-kinstall:
- rm -f out.kinstall
- >out.kinstall
- # undocumented kernel folklore: modules_install must precede install (observed on RHL8.0)
- @if egrep -q '^CONFIG_MODULES=y' $(KCFILE) ; \
- then set -x ; \
- ( cd $(KERNELSRC) ; \
- $(MAKE) $(KERNMAKEOPTS) modules_install 2>&1 ) | tee -a out.kinstall ; \
- fi
- ( cd $(KERNELSRC) ; $(MAKE) $(KERNMAKEOPTS) install ) 2>&1 | tee -a out.kinstall
- ${ERRCHECK} out.kinstall
-
-kernelpatch2.5:
- packaging/utils/kernelpatch 2.5
-
-kernelpatch2.4 kernelpatch:
- packaging/utils/kernelpatch 2.4
-
-kernelpatch2.2:
- packaging/utils/kernelpatch 2.2
-
-kernelpatch2.0:
- packaging/utils/kernelpatch 2.0
-
-install_file_list:
- @for d in $(SUBDIRS) ; \
- do \
- (cd $$d && $(MAKE) --no-print-directory FREESWANSRCDIR=.. install_file_list ) || exit 1; \
- done;
-
-# take all the patches out of the kernel
-# (Note, a couple of files are modified by non-patch means; they are
-# included in "make backup".)
-unpatch:
- @echo \"make unpatch\" is obsolete. See make unapplypatch.
- exit 1
-
-_unpatch:
- for f in `find $(KERNELSRC)/. -name '*.preipsec' -print` ; \
- do \
- echo "restoring $$f:" ; \
- dir=`dirname $$f` ; \
- core=`basename $$f .preipsec` ; \
- cd $$dir ; \
- mv -f $$core.preipsec $$core ; \
- rm -f $$core.wipsec $$core.ipsecmd5 ; \
- done
-
-# uninstall, as much as possible
-uninstall:
- $(MAKE) --no-print-directory install_file_list | egrep -v '(/ipsec.conf$$|/ipsec.d/)' | xargs rm -f
-
-taroldinstall:
- tar --ignore-failed-read -c -z -f oldFreeSWAN.tar.gz `$(MAKE) --no-print-directory install_file_list`
-
-# some oddities meant for the developers, probably of no use to users
-
-# make tags and TAGS files from ctags and etags for vi and emacs, respectively.
-tags TAGS: dummy
- etags `find lib programs linux -name '*.[ch]'`
- ctags `find lib programs linux -name '*.[ch]'`
-
-dummy:
-
-# at the moment there is no difference between snapshot and release build
-snapready: buildready
-relready: buildready
-ready: devready
-
-# set up for build
-buildready:
- rm -f dtrmakefile cvs.datemark
- cd doc ; $(MAKE) -s
-
-uml: programs checkprograms
- @echo XXX do some checks to see if all the manual pieces are done.
- -chmod +x testing/utils/make-uml.sh
- testing/utils/make-uml.sh `pwd`
-
-umluserland:
- (touch Makefile.inc && source umlsetup.sh && cd $$POOLSPACE && make $$FREESWANHOSTS $$REGULARHOSTS )
-
-
-# DESTDIR is normally set in Makefile.inc
-# These recipes explicitly pass it to the second-level makes so that
-# DESTDIR can be adjusted for building for UML without changing Makefile.inc
-# See testing/utils/functions.sh
-# testing/utils/make-uml.sh
-# testing/utils/uml-functions.sh
-check: uml Makefile.ver
-ifneq ($(strip(${REGRESSRESULTS})),)
- mkdir -p ${REGRESSRESULTS}
-endif
- @for d in $(SUBDIRS); do (cd $$d && $(MAKE) DESTDIR=${DESTDIR} checkprograms || exit 1); done
- @for d in $(SUBDIRS); \
- do \
- echo ===================================; \
- echo Now making check in $$d; \
- echo ===================================; \
- (cd $$d && $(MAKE) DESTDIR=${DESTDIR} check || exit 1);\
- done
-ifneq ($(strip(${REGRESSRESULTS})),)
- -perl testing/utils/regress-summarize-results.pl ${REGRESSRESULTS}
-endif
-
-
-rpm:
- @echo please cd packaging/redhat and
- @echo run "make RH_KERNELSRC=/some/path/to/kernel/src rpm"
-
-ipkg_strip:
- @echo "Minimizing size for ipkg binaries..."
- @cd $(DESTDIR)$(INC_USRLOCAL)/lib/ipsec && \
- for f in *; do (if file $$f | grep ARM > /dev/null; then ( $(STRIP) --strip-unneeded $$f); fi); done
- @rm -r $(DESTDIR)$(INC_USRLOCAL)/man
- @rm -f $(DESTDIR)$(INC_RCDEFAULT)/*.old
- @rm -f $(DESTDIR)$(INC_USRLOCAL)/lib/ipsec/*.old
- @rm -f $(DESTDIR)$(INC_USRLOCAL)/libexec/ipsec/*.old
- @rm -f $(DESTDIR)$(INC_USRLOCAL)/sbin/*.old
-
-ipkg_module:
- @echo "Moving ipsec.o into temporary location..."
- KV=$(shell ${KVUTIL} ${KERNELSRC}/Makefile) && \
- mkdir -p $(FREESWANSRCDIR)/packaging/ipkg/kernel-module/lib/modules/$$KV/net/ipsec
- KV=$(shell ${KVUTIL} ${KERNELSRC}/Makefile) && \
- cp linux/net/ipsec/ipsec.o $(FREESWANSRCDIR)/packaging/ipkg/kernel-module/lib/modules/$$KV/net/ipsec/
- KV=$(shell ${KVUTIL} ${KERNELSRC}/Makefile)
-
-ipkg_clean:
- rm -rf $(FREESWANSRCDIR)/packaging/ipkg/kernel-module/
- rm -rf $(FREESWANSRCDIR)/packaging/ipkg/ipkg/
- rm -f $(FREESWANSRCDIR)/packaging/ipkg/control-freeswan
- rm -f $(FREESWANSRCDIR)/packaging/ipkg/control-freeswan-module
-
-
-ipkg: programs install ipkg_strip ipkg_module
- @echo "Generating ipkg...";
- DESTDIR=${DESTDIR} FREESWANSRCDIR=${FREESWANSRCDIR} ARCH=${ARCH} IPSECVERSION=${IPSECVERSION} ./packaging/ipkg/generate-ipkg
-
-
-
-
diff --git a/Makefile.am b/Makefile.am
new file mode 100644
index 000000000..575eb0668
--- /dev/null
+++ b/Makefile.am
@@ -0,0 +1,15 @@
+SUBDIRS = src
+EXTRA_DIST = Doxyfile.in testing CREDITS
+CLEANFILES = apidoc Doxyfile
+
+Doxyfile : Doxyfile.in
+ sed \
+ -e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
+ -e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \
+ $< > $@
+
+apidoc : Doxyfile
+ doxygen
+
+dist-hook :
+ rm -rf `find $(distdir)/testing -name .svn`
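Review bot: The `dist-hook` recipe hands the unquoted output of a `find` command substitution to `rm -rf`, so any path under `$(distdir)/testing` that contains whitespace or glob characters is word-split and expanded by the shell before deletion, and `rm -rf` can then act on paths other than the matched `.svn` directories. Letting find perform the removal keeps the shell from re-parsing the list: `find $(distdir)/testing -type d -name .svn -prune -exec rm -rf {} \;`. The `-type d` and `-prune` also restrict the match to directories and stop find from descending into a tree it is about to delete. The same recipe is copied verbatim into the generated Makefile.in later in this commit, so the fix belongs in Makefile.am only.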
diff --git a/Makefile.in b/Makefile.in
new file mode 100644
index 000000000..436b675c8
--- /dev/null
+++ b/Makefile.in
@@ -0,0 +1,638 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = .
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in $(top_srcdir)/configure AUTHORS COPYING \
+ ChangeLog INSTALL NEWS TODO config.guess config.sub depcomp \
+ install-sh ltmain.sh missing
+subdir = .
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
+ configure.lineno configure.status.lineno
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+SOURCES =
+DIST_SOURCES =
+RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
+ html-recursive info-recursive install-data-recursive \
+ install-exec-recursive install-info-recursive \
+ install-recursive installcheck-recursive installdirs-recursive \
+ pdf-recursive ps-recursive uninstall-info-recursive \
+ uninstall-recursive
+ETAGS = etags
+CTAGS = ctags
+DIST_SUBDIRS = $(SUBDIRS)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+distdir = $(PACKAGE)-$(VERSION)
+top_distdir = $(distdir)
+am__remove_distdir = \
+ { test ! -d $(distdir) \
+ || { find $(distdir) -type d ! -perm -200 -exec chmod u+w {} ';' \
+ && rm -fr $(distdir); }; }
+DIST_ARCHIVES = $(distdir).tar.gz
+GZIP_ENV = --best
+distuninstallcheck_listfiles = find . -type f -print
+distcleancheck_listfiles = find . -type f -print
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+SUBDIRS = src
+EXTRA_DIST = Doxyfile.in testing CREDITS
+CLEANFILES = apidoc Doxyfile
+all: all-recursive
+
+.SUFFIXES:
+am--refresh:
+ @:
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ echo ' cd $(srcdir) && $(AUTOMAKE) --gnu '; \
+ cd $(srcdir) && $(AUTOMAKE) --gnu \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ echo ' $(SHELL) ./config.status'; \
+ $(SHELL) ./config.status;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ $(SHELL) ./config.status --recheck
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(srcdir) && $(AUTOCONF)
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+# (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+$(RECURSIVE_TARGETS):
+ @failcom='exit 1'; \
+ for f in x $$MAKEFLAGS; do \
+ case $$f in \
+ *=* | --[!k]*);; \
+ *k*) failcom='fail=yes';; \
+ esac; \
+ done; \
+ dot_seen=no; \
+ target=`echo $@ | sed s/-recursive//`; \
+ list='$(SUBDIRS)'; for subdir in $$list; do \
+ echo "Making $$target in $$subdir"; \
+ if test "$$subdir" = "."; then \
+ dot_seen=yes; \
+ local_target="$$target-am"; \
+ else \
+ local_target="$$target"; \
+ fi; \
+ (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+ || eval $$failcom; \
+ done; \
+ if test "$$dot_seen" = "no"; then \
+ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+ fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+ @failcom='exit 1'; \
+ for f in x $$MAKEFLAGS; do \
+ case $$f in \
+ *=* | --[!k]*);; \
+ *k*) failcom='fail=yes';; \
+ esac; \
+ done; \
+ dot_seen=no; \
+ case "$@" in \
+ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+ *) list='$(SUBDIRS)' ;; \
+ esac; \
+ rev=''; for subdir in $$list; do \
+ if test "$$subdir" = "."; then :; else \
+ rev="$$subdir $$rev"; \
+ fi; \
+ done; \
+ rev="$$rev ."; \
+ target=`echo $@ | sed s/-recursive//`; \
+ for subdir in $$rev; do \
+ echo "Making $$target in $$subdir"; \
+ if test "$$subdir" = "."; then \
+ local_target="$$target-am"; \
+ else \
+ local_target="$$target"; \
+ fi; \
+ (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+ || eval $$failcom; \
+ done && test -z "$$fail"
+tags-recursive:
+ list='$(SUBDIRS)'; for subdir in $$list; do \
+ test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+ done
+ctags-recursive:
+ list='$(SUBDIRS)'; for subdir in $$list; do \
+ test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+ include_option=--etags-include; \
+ empty_fix=.; \
+ else \
+ include_option=--include; \
+ empty_fix=; \
+ fi; \
+ list='$(SUBDIRS)'; for subdir in $$list; do \
+ if test "$$subdir" = .; then :; else \
+ test ! -f $$subdir/TAGS || \
+ tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
+ fi; \
+ done; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ $(am__remove_distdir)
+ mkdir $(distdir)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+ list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+ if test "$$subdir" = .; then :; else \
+ test -d "$(distdir)/$$subdir" \
+ || $(mkdir_p) "$(distdir)/$$subdir" \
+ || exit 1; \
+ distdir=`$(am__cd) $(distdir) && pwd`; \
+ top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
+ (cd $$subdir && \
+ $(MAKE) $(AM_MAKEFLAGS) \
+ top_distdir="$$top_distdir" \
+ distdir="$$distdir/$$subdir" \
+ distdir) \
+ || exit 1; \
+ fi; \
+ done
+ $(MAKE) $(AM_MAKEFLAGS) \
+ top_distdir="$(top_distdir)" distdir="$(distdir)" \
+ dist-hook
+ -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \
+ ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \
+ ! -type d ! -perm -400 -exec chmod a+r {} \; -o \
+ ! -type d ! -perm -444 -exec $(SHELL) $(install_sh) -c -m a+r {} {} \; \
+ || chmod -R a+r $(distdir)
+dist-gzip: distdir
+ tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
+ $(am__remove_distdir)
+
+dist-bzip2: distdir
+ tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2
+ $(am__remove_distdir)
+
+dist-tarZ: distdir
+ tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
+ $(am__remove_distdir)
+
+dist-shar: distdir
+ shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
+ $(am__remove_distdir)
+
+dist-zip: distdir
+ -rm -f $(distdir).zip
+ zip -rq $(distdir).zip $(distdir)
+ $(am__remove_distdir)
+
+dist dist-all: distdir
+ tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz
+ $(am__remove_distdir)
+
+# This target untars the dist file and tries a VPATH configuration. Then
+# it guarantees that the distribution is self-contained by making another
+# tarfile.
+distcheck: dist
+ case '$(DIST_ARCHIVES)' in \
+ *.tar.gz*) \
+ GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(am__untar) ;;\
+ *.tar.bz2*) \
+ bunzip2 -c $(distdir).tar.bz2 | $(am__untar) ;;\
+ *.tar.Z*) \
+ uncompress -c $(distdir).tar.Z | $(am__untar) ;;\
+ *.shar.gz*) \
+ GZIP=$(GZIP_ENV) gunzip -c $(distdir).shar.gz | unshar ;;\
+ *.zip*) \
+ unzip $(distdir).zip ;;\
+ esac
+ chmod -R a-w $(distdir); chmod a+w $(distdir)
+ mkdir $(distdir)/_build
+ mkdir $(distdir)/_inst
+ chmod a-w $(distdir)
+ dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
+ && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
+ && cd $(distdir)/_build \
+ && ../configure --srcdir=.. --prefix="$$dc_install_base" \
+ $(DISTCHECK_CONFIGURE_FLAGS) \
+ && $(MAKE) $(AM_MAKEFLAGS) \
+ && $(MAKE) $(AM_MAKEFLAGS) dvi \
+ && $(MAKE) $(AM_MAKEFLAGS) check \
+ && $(MAKE) $(AM_MAKEFLAGS) install \
+ && $(MAKE) $(AM_MAKEFLAGS) installcheck \
+ && $(MAKE) $(AM_MAKEFLAGS) uninstall \
+ && $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \
+ distuninstallcheck \
+ && chmod -R a-w "$$dc_install_base" \
+ && ({ \
+ (cd ../.. && umask 077 && mkdir "$$dc_destdir") \
+ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \
+ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \
+ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \
+ distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \
+ } || { rm -rf "$$dc_destdir"; exit 1; }) \
+ && rm -rf "$$dc_destdir" \
+ && $(MAKE) $(AM_MAKEFLAGS) dist \
+ && rm -rf $(DIST_ARCHIVES) \
+ && $(MAKE) $(AM_MAKEFLAGS) distcleancheck
+ $(am__remove_distdir)
+ @(echo "$(distdir) archives ready for distribution: "; \
+ list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \
+ sed -e '1{h;s/./=/g;p;x;}' -e '$${p;x;}'
+distuninstallcheck:
+ @cd $(distuninstallcheck_dir) \
+ && test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \
+ || { echo "ERROR: files left after uninstall:" ; \
+ if test -n "$(DESTDIR)"; then \
+ echo " (check DESTDIR support)"; \
+ fi ; \
+ $(distuninstallcheck_listfiles) ; \
+ exit 1; } >&2
+distcleancheck: distclean
+ @if test '$(srcdir)' = . ; then \
+ echo "ERROR: distcleancheck can only run from a VPATH build" ; \
+ exit 1 ; \
+ fi
+ @test `$(distcleancheck_listfiles) | wc -l` -eq 0 \
+ || { echo "ERROR: files left in build directory after distclean:" ; \
+ $(distcleancheck_listfiles) ; \
+ exit 1; } >&2
+check-am: all-am
+check: check-recursive
+all-am: Makefile
+installdirs: installdirs-recursive
+installdirs-am:
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-recursive
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+ -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-recursive
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-recursive
+ -rm -f $(am__CONFIG_DISTCLEAN_FILES)
+ -rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-libtool \
+ distclean-tags
+
+dvi: dvi-recursive
+
+dvi-am:
+
+html: html-recursive
+
+info: info-recursive
+
+info-am:
+
+install-data-am:
+
+install-exec-am:
+
+install-info: install-info-recursive
+
+install-man:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-recursive
+ -rm -f $(am__CONFIG_DISTCLEAN_FILES)
+ -rm -rf $(top_srcdir)/autom4te.cache
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-recursive
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-recursive
+
+pdf-am:
+
+ps: ps-recursive
+
+ps-am:
+
+uninstall-am: uninstall-info-am
+
+uninstall-info: uninstall-info-recursive
+
+.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am am--refresh check \
+ check-am clean clean-generic clean-libtool clean-recursive \
+ ctags ctags-recursive dist dist-all dist-bzip2 dist-gzip \
+ dist-hook dist-shar dist-tarZ dist-zip distcheck distclean \
+ distclean-generic distclean-libtool distclean-recursive \
+ distclean-tags distcleancheck distdir distuninstallcheck dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-exec install-exec-am \
+ install-info install-info-am install-man install-strip \
+ installcheck installcheck-am installdirs installdirs-am \
+ maintainer-clean maintainer-clean-generic \
+ maintainer-clean-recursive mostlyclean mostlyclean-generic \
+ mostlyclean-libtool mostlyclean-recursive pdf pdf-am ps ps-am \
+ tags tags-recursive uninstall uninstall-am uninstall-info-am
+
+
+Doxyfile : Doxyfile.in
+ sed \
+ -e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
+ -e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \
+ $< > $@
+
+apidoc : Doxyfile
+ doxygen
+
+dist-hook :
+ rm -rf `find $(distdir)/testing -name .svn`
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/Makefile.inc b/Makefile.inc
deleted file mode 100644
index f09ec409b..000000000
--- a/Makefile.inc
+++ /dev/null
@@ -1,330 +0,0 @@
-# FreeS/WAN pathnames and other master configuration
-# Copyright (C) 2001, 2002 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile.inc,v 1.14 2007/01/29 08:19:56 as Exp $
-
-
-# Variables in this file with names starting with INC_ are not for use
-# by Makefiles which include it; they are subject to change without warning.
-#
-# "Final" and "finally" refer to where the files will end up on the
-# running IPsec system, as opposed to where they get installed by our
-# Makefiles. (The two are different for cross-compiles and the like,
-# where our Makefiles are not the end of the installation process.)
-# Paths with FINAL in their names are the only ones that the installed
-# software itself depends on. (Very few things should know about the
-# FINAL paths; think twice and consult Henry before making something new
-# depend on them.) All other paths are install targets.
-# See also DESTDIR, below.
-
-
-### boilerplate, do not change
-SHELL=/bin/sh
-
-### paths within the source tree
-
-KLIPSINC=${FREESWANSRCDIR}/linux/include
-KLIPSSRC=${FREESWANSRCDIR}/linux/net/ipsec
-
-LIBFREESWANDIR=${FREESWANSRCDIR}/linux/lib/libfreeswan
-FREESWANLIB=${FREESWANSRCDIR}/lib/libfreeswan/libfreeswan.a
-
-LWRESDIR=${FREESWANSRCDIR}/lib/liblwres
-LWRESLIB=${LWRESDIR}/liblwres.a
-
-LIBDESSRCDIR=${FREESWANSRCDIR}/linux/crypto/ciphers/des
-LIBDESLITE=${FREESWANSRCDIR}/lib/libdes/libdes.a
-
-LIBPOLICYDIR=${FREESWANSRCDIR}/linux/lib/libipsecpolicy
-POLICYLIB=${FREESWANSRCDIR}/lib/libipsecpolicy/libipsecpolicy.a
-
-.PHONY: programs checkprograms clean
-
-### install pathnames
-
-# DESTDIR can be used to supply a prefix to all install targets.
-# (Note that "final" pathnames, signifying where files will eventually
-# reside rather than where install puts them, are exempt from this.)
-# The prefixing is done in this file, so as to have central control over
-# it; DESTDIR itself should never appear in any other Makefile.
-DESTDIR?=
-
-# "local" part of tree, used in building other pathnames
-INC_USRLOCAL=/usr/local
-
-# PUBDIR is where the "ipsec" command goes; beware, many things define PATH
-# settings which are assumed to include it (or at least, to include *some*
-# copy of the "ipsec" command).
-PUBDIR=$(DESTDIR)$(INC_USRLOCAL)/sbin
-
-# BINDIR is where sub-commands get put, FINALBINDIR is where the "ipsec"
-# command will look for them when it is run. Also called LIBEXECDIR.
-FINALLIBEXECDIR=$(INC_USRLOCAL)/libexec/ipsec
-LIBEXECDIR=$(DESTDIR)$(FINALBINDIR)
-
-FINALBINDIR=${FINALLIBEXECDIR}
-BINDIR=${LIBEXECDIR}
-
-
-# SBINDIR is where the user interface command goes.
-FINALSBINDIR=$(INC_USRLOCAL)/sbin
-SBINDIR=$(DESTDIR)$(FINALSBINDIR)
-
-# libdir is where utility files go
-FINALLIBDIR=$(INC_USRLOCAL)/lib/ipsec
-LIBDIR=$(DESTDIR)$(FINALLIBDIR)
-
-
-# where the appropriate manpage tree is located
-# location within INC_USRLOCAL
-INC_MANDIR=man
-# the full pathname
-MANTREE=$(DESTDIR)$(INC_USRLOCAL)/$(INC_MANDIR)
-# all relevant subdirectories of MANTREE
-MANPLACES=man3 man5 man8
-
-# where configuration files go
-FINALCONFFILE?=/etc/ipsec.conf
-CONFFILE=$(DESTDIR)$(FINALCONFFILE)
-
-FINALCONFDIR?=/etc
-CONFDIR=$(DESTDIR)$(FINALCONFDIR)
-
-FINALCONFDDIR?=${FINALCONFDIR}/ipsec.d
-CONFDDIR=$(DESTDIR)$(FINALCONFDDIR)
-
-# sample configuration files go into
-INC_DOCDIR?=share/doc
-FINALEXAMPLECONFDIR=${INC_USRLOCAL}/${INC_DOCDIR}/strongswan
-EXAMPLECONFDIR=${DESTDIR}${FINALEXAMPLECONFDIR}
-
-FINALDOCDIR?=${INC_USRLOCAL}/${INC_DOCDIR}/strongswan
-DOCDIR=${DESTDIR}${FINALDOCDIR}
-
-# where per-conn pluto logs go
-VARDIR?=/var
-LOGDIR?=${VARDIR}/log
-FINALLOGDIR?=${DESTDIR}${LOGDIR}
-
-
-# An attempt is made to automatically figure out where boot/shutdown scripts
-# will finally go: the first directory in INC_RCDIRS which exists gets them.
-# If none of those exists (or INC_RCDIRS is empty), INC_RCDEFAULT gets them.
-# With a non-null DESTDIR, INC_RCDEFAULT will be used unless one of the
-# INC_RCDIRS directories has been pre-created under DESTDIR.
-INC_RCDIRS=/etc/rc.d/init.d /etc/rc.d /etc/init.d /sbin/init.d
-INC_RCDEFAULT=/etc/rc.d/init.d
-
-# RCDIR is where boot/shutdown scripts go; FINALRCDIR is where they think
-# will finally be (so utils/Makefile can create a symlink in BINDIR to the
-# place where the boot/shutdown script will finally be, rather than the
-# place where it is installed).
-FINALRCDIR=$(shell for d in $(INC_RCDIRS) ; \
- do if test -d $(DESTDIR)/$$d ; \
- then echo $$d ; exit 0 ; \
- fi ; done ; echo $(INC_RCDEFAULT) )
-RCDIR=$(DESTDIR)$(FINALRCDIR)
-
-
-
-### kernel pathnames
-
-# Kernel location: where patches are inserted, where kernel builds are done.
-
-# this is a hack using the wildcard to look for existence of a file/dir
-ifneq ($(wildcard /usr/src/linux-2.4),)
-KERNELSRC?=/usr/src/linux-2.4
-else
-KERNELSRC?=/usr/src/linux
-endif
-
-
-# where kernel configuration outputs are located
-KCFILE=$(KERNELSRC)/.config
-ACFILE=$(KERNELSRC)/include/linux/autoconf.h
-VERFILE=$(KERNELSRC)/include/linux/version.h
-
-
-
-### misc installation stuff
-
-# what program to use when installing things
-INSTALL=install
-
-# flags to the install program, for programs, manpages, and config files
-# -b has install make backups (n.b., unlinks original), --suffix controls
-# how backup names are composed.
-# Note that the install procedures will never overwrite an existing config
-# file, which is why -b is not specified for them.
-INSTBINFLAGS=-b --suffix=.old
-INSTMANFLAGS=
-INSTCONFFLAGS=
-
-
-### misc configuration, included here in hopes that other files will not
-### have to be changed for common customizations.
-
-# extra compile flags, for userland and kernel stuff, e.g. -g for debug info
-# (caution, this stuff is still being sorted out, will change in future)
-USERCOMPILE?=-g -O3
-KLIPSCOMPILE=-O3
-
-# command used to link/copy KLIPS into kernel source tree
-# There are good reasons why this is "ln -s"; only people like distribution
-# builders should ever change it.
-KLIPSLINK=ln -s -f
-
-# extra options for use in kernel build
-KERNMAKEOPTS=
-
-# kernel Makefile targets to be done before build
-# Can be overridden if you are *sure* your kernel doesn't need them. (2.2.xx
-# and later reportedly do not.)
-KERNDEP=dep
-KERNCLEAN=clean
-
-# kernel make name: zImage for 2.0.xx, bzImage for 2.2.xx and later, and
-# boot on non-x86s (what ever happened to standards?)
-INC_B=$(shell test -d $(DIRIN22) && echo b)
-KERNEL=$(shell if expr " `uname -m`" : ' i.86' >/dev/null ; \
- then echo $(INC_B)zImage ; \
- else echo boot ; \
- fi)
-
-# temporary directory to be used when building RPMs, and where to put the
-# resulting RPM tree
-RPMKERNDIR := $(shell echo `pwd`/tmp.rpmkernel)
-RPMTMPDIR := $(shell echo `pwd`/tmp.rpmbuild)
-RPMDEST := $(shell echo `pwd`/rpms)
-
-# Newer versions of RPM do not permit building of packages with the "rpm"
-# command. For RedHat systems with older version of RPM, use:
-# RPMBUILD=rpm
-# instead.
-RPMBUILD=rpmbuild
-
-### paths to resources on the host system
-#
-# Set this to a RedHat kernel-sources RPM. This normally extracts into
-# /usr/src/linux-2.4, but you might have extracted it elsewhere with
-# rpm2cpio.
-#
-RH_KERNELSRC?=/usr/src/linux-2.4
-
-## build environment variations
-##
-
-# set this to a place where you have installed a bind9.3
-# snapshot (20021115 or better). A bind 9.2, particularly a RedHat
-# installed one in RH 7.2, won't work - you wind up depending upon
-# openssl.
-
-BIND9STATICLIBDIR?=/usr/local/lib
-
-# FreeSWAN 3.x will require bind9.
-USE_LWRES?=false
-
-# whether or not to use iproute2 based commands.
-#
-USE_IPROUTE2?=true
-
-# what kind of firewalling to use:
-# 2.0 - ipfwadm
-# 2.2 - ipchains
-# 2.4 - iptables
-IPSEC_FIREWALLTYPE=iptables
-
-# include IKEPING in the distribution
-USE_IKEPING?=false
-
-# include support for KEY RR
-# this will become false in late 2003.
-USE_KEYRR?=true
-
-# include support for KERNEL 2.5/2.6 IPsec in pluto
-USE_KERNEL26?=true
-
-# whether or not pluto sends its strongSwan Vendor ID
-USE_VENDORID?=true
-
-# whether to tolerate some non-conformities (interoperability with Cisco VPN client)
-USE_CISCO_QUIRKS?=false
-
-# whether to support NAT Traversal (aka NAT-T)
-USE_NAT_TRAVERSAL?=true
-
-# whether to support NAT-T in transport mode (needed for Win2K NAT-T Interop)
-USE_NAT_TRAVERSAL_TRANSPORT_MODE?=false
-
-# include libcurl support (currently used for fetching CRLs, OCSP and SCEP)
-USE_LIBCURL?=false
-
-# include LDAP support (currently used for fetching CRLs)
-USE_LDAP?=false
-
-# uncomment this line if using the LDAPv3 protocol
-LDAP_VERSION=3
-# uncomment this line if using the LDAPv2 protocol
-#LDAP_VERSION=2
-
-# include PKCS11-based smartcard support
-USE_SMARTCARD?=false
-
-# Default PKCS11 library
-# Uncomment this line if using OpenSC <= 0.9.6
-#PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\"
-# Uncomment this line if using OpenSC >= 0.10.0
-PKCS11_DEFAULT_LIB=\"/usr/lib/opensc-pkcs11.so\"
-# Uncomment and complete this line if using another default library
-#PKCS11_DEFAULT_LIB=\"/usr/lib/...\"
-
-# Uncomment if you want to specify a path to an XAUTH library module
-#XAUTH_DEFAULT_LIB=
-
-# Enable the leak detective to find memory leaks
-USE_LEAK_DETECTIVE?=false
-
-# set this to space where a linked/configured tree can be created by
-# preprhkern4module. Only needed if you are going to be created RPMs
-# outside of a distribution (as the FS team does for RedHat).
-#RH_KERNELSRC_POOL=/c2/freeswan/rh_kern
-
-# the following is a list of symbols which will be used to construct
-# the module goo to identify which module goes with each kernel.
-MODULE_GOO_LIST=irq_stat netif_rx register_sysctl_table send_sig
-MODULE_GOO_LIST+=kmalloc __kfree_skb __ip_select_ident alloc_skb
-MODULE_GOO_LIST+=icmp_send ip_fragment sock_register
-
-MODULE_DEF_INCLUDE=${FREESWANSRCDIR}/packaging/linus/config-all.h
-MODULE_DEFCONFIG?=${KLIPSSRC}/defconfig
-
-MODULE_FLAGS:=KLIPSMODULE=true TOPDIR=${KERNELSRC} -f ${MODULE_DEFCONFIG} -f Makefile
-
-# supply kernel-configuration ARCH defaults
-ifeq ($(ARCH),)
-ARCH := $(shell uname -m)
-endif
-# always sanitize $(ARCH)
-ARCH := $(shell echo $(ARCH) | sed -e s/i.86/i386/ -e s/sun4u/sparc64/ -e s/arm.*/arm/ -e s/sa110/arm/)
-
-# export everything so that scripts can use them.
-export LIBFREESWANDIR FREESWANSRCDIR FREESWANLIB
-
--include ${FREESWANSRCDIR}/Makefile.ver
-
-# for emacs
-#
-# Local Variables: ;;;
-# mode: makefile ;;;
-# End Variables: ;;;
-#
diff --git a/Makefile.ver b/Makefile.ver
deleted file mode 100644
index 98bef89bb..000000000
--- a/Makefile.ver
+++ /dev/null
@@ -1 +0,0 @@
-IPSECVERSION=2.8.3
diff --git a/CHANGES b/NEWS
index 7b8344fe4..ab92d22e5 100644
--- a/CHANGES
+++ b/NEWS
@@ -1,16 +1,78 @@
-strongswan-2.8.3
+strongswan-4.1.1
+----------------
+
+- Server side cookie support. If to may IKE_SAs are in CONNECTING state,
+ cookies are enabled and protect against DoS attacks with faked source
+ addresses. Number of IKE_SAs in CONNECTING state is also limited per
+ peer address to avoid resource exhaustion. IKE_SA_INIT messages are
+ compared to properly detect retransmissions and incoming retransmits are
+ detected even if the IKE_SA is blocked (e.g. doing OCSP fetches).
+
+- The IKEv2 daemon charon now supports dynamic http- and ldap-based CRL
+ fetching enabled by crlcheckinterval > 0 and caching fetched CRLs
+ enabled by cachecrls=yes.
+
+- Added the configuration options --enable-nat-transport which enables
+ the potentially insecure NAT traversal for IPsec transport mode and
+ --disable-vendor-id which disables the sending of the strongSwan
+ vendor ID.
+
+- Fixed a long-standing bug in the pluto IKEv1 daemon which caused
+ a segmentation fault if a malformed payload was detected in the
+ IKE MR2 message and pluto tried to send an encrypted notification
+ message.
+
+- Added the NATT_IETF_02_N Vendor ID in order to support IKEv1 connections
+ with Windows 2003 Server which uses a wrong VID hash.
+
+
+strongswan-4.1.0
----------------
- Support of SHA2_384 hash function for protecting IKEv1
negotiations and support of SHA2 signatures in X.509 certificates.
- Fixed a serious bug in the computation of the SHA2-512 HMAC
- function. Introduced testvector-based self-tests of all IKEv1 hash
+ function. Introduced automatic self-test of all IKEv1 hash
and hmac functions during pluto startup. Failure of a self-test
currently issues a warning only but does not exit pluto [yet].
+- Support for SHA2-256/384/512 PRF and HMAC functions in IKEv2.
+
+- Full support of CA information sections. ipsec listcainfos
+ now shows all collected crlDistributionPoints and OCSP
+ accessLocations.
+
+- Support of the Online Certificate Status Protocol (OCSP) for IKEv2.
+ This feature requires the HTTP fetching capabilities of the libcurl
+ library which must be enabled by setting the --enable-http configure
+ option.
+
+- Refactored core of the IKEv2 message processing code, allowing better
+ code reuse and separation.
+
+- Virtual IP support in IKEv2 using INTERNAL_IP4/6_ADDRESS configuration
+ payload. Additionally, the INTERNAL_IP4/6_DNS attribute is interpreted
+ by the requestor and installed in a resolv.conf file.
-strongswan-2.8.2
+- The IKEv2 daemon charon installs a route for each IPsec policy to use
+ the correct source address even if an application does not explicitly
+ specify it.
+
+- Integrated the EAP framework into charon which loads pluggable EAP library
+ modules. The ipsec.conf parameter authby=eap initiates EAP authentication
+ on the client side, while the "eap" parameter on the server side defines
+ the EAP method to use for client authentication.
+ A generic client side EAP-Identity module and an EAP-SIM authentication
+ module using a third party card reader implementation are included.
+
+- Added client side support for cookies.
+
+- Integrated the fixes done at the IKEv2 interoperability bakeoff, including
+ strict payload order, correct INVALID_KE_PAYLOAD rejection and other minor
+ fixes to enhance interoperability with other implementations.
+
+strongswan-4.0.7
----------------
- strongSwan now interoperates with the NCP Secure Entry Client,
@@ -21,44 +83,125 @@ strongswan-2.8.2
to a default string.
-strongswan-2.8.1
+strongswan-4.0.6
----------------
-- Support for extended authentication (XAUTH) in combination
+- IKEv1: Support for extended authentication (XAUTH) in combination
with ISAKMP Main Mode RSA or PSK authentication. Both client and
server side were implemented. Handling of user credentials can
be done by a run-time loadable XAUTH module. By default user
credentials are stored in ipsec.secrets.
+
+- IKEv2: Support for reauthentication when rekeying
+
+- IKEv2: Support for transport mode
+
+- fixed a lot of bugs related to byte order
+
+- various other bugfixes
+
+
+strongswan-4.0.5
+----------------
+
+- IKEv1: Implementation of ModeConfig push mode via the new connection
+ keyword modeconfig=push allows interoperability with Cisco VPN gateways.
+
+- IKEv1: The command ipsec statusall now shows "DPD active" for all
+ ISAKMP SAs that are under active Dead Peer Detection control.
-- Mixed PSK/RSA authentication is now possible between two hosts
- with static IP addresses.
+- IKEv2: Charon's logging and debugging framework has been completely rewritten.
+ Instead of logger, special printf() functions are used to directly
+ print objects like hosts (%H) identifications (%D), certificates (%Q),
+ etc. The number of debugging levels have been reduced to:
+ 0 (audit), 1 (control), 2 (controlmore), 3 (raw), 4 (private)
-strongswan-2.8.0
+ The debugging levels can either be specified statically in ipsec.conf as
+
+ config setup
+ charondebug="lib 1, cfg 3, net 2"
+
+ or changed at runtime via stroke as
+
+ ipsec stroke loglevel cfg 2
+
+
+strongswan-4.0.4
----------------
-- Implementation of ModeConfig push mode via the new connection keyword
- modeconfig=push allows interoperability with Cisco VPN gateways.
+- Implemented full support for IPv6-in-IPv6 tunnels.
+
+- Added configuration options for dead peer detection in IKEv2. dpd_action
+ types "clear", "hold" and "restart" are supported. The dpd_timeout
+ value is not used, as the normal retransmission policy applies to
+ detect dead peers. The dpd_delay parameter enables sending of empty
+ informational message to detect dead peers in case of inactivity.
-- The command ipsec statusall now shows "DPD active" for all ISAKMP SAs
- that are under active Dead Peer Detection control.
+- Added support for preshared keys in IKEv2. PSK keys configured in
+ ipsec.secrets are loaded. The authby parameter specifies the authentication
+ method to authentificate ourself, the other peer may use PSK or RSA.
+- Changed retransmission policy to respect the keyingtries parameter.
-strongswan-2.7.3
+- Added private key decryption. PEM keys encrypted with AES-128/192/256
+ or 3DES are supported.
+
+- Implemented DES/3DES algorithms in libstrongswan. 3DES can be used to
+ encrypt IKE traffic.
+
+- Implemented SHA-256/384/512 in libstrongswan, allows usage of certificates
+ signed with such a hash algorithm.
+
+- Added initial support for updown scripts. The actions up-host/client and
+ down-host/client are executed. The leftfirewall=yes parameter
+ uses the default updown script to insert dynamic firewall rules, a custom
+ updown script may be specified with the leftupdown parameter.
+
+
+strongswan-4.0.3
----------------
+- Added support for the auto=route ipsec.conf parameter and the
+ ipsec route/unroute commands for IKEv2. This allows to set up IKE_SAs and
+ CHILD_SAs dynamically on demand when traffic is detected by the
+ kernel.
+
+- Added support for rekeying IKE_SAs in IKEv2 using the ikelifetime parameter.
+ As specified in IKEv2, no reauthentication is done (unlike in IKEv1), only
+ new keys are generated using perfect forward secrecy. An optional flag
+ which enforces reauthentication will be implemented later.
+
- "sha" and "sha1" are now treated as synonyms in the ike= and esp=
algorithm configuration statements.
-- Fixed possible segmentation faults in the eroute, klipsdebug, and
- other KLIPS-related auxiliary functions by making the USE_NAT_TRAVERSAL
- compile-time condition defined in Makefile.inc known in
- programs/Makefile.program.
-
-strongswan-2.7.2
+strongswan-4.0.2
----------------
+- Full X.509 certificate trust chain verification has been implemented.
+ End entity certificates can be exchanged via CERT payloads. The current
+ default is leftsendcert=always, since CERTREQ payloads are not supported
+ yet. Optional CRLs must be imported locally into /etc/ipsec.d/crls.
+
+- Added support for leftprotoport/rightprotoport parameters in IKEv2. IKEv2
+ would offer more possibilities for traffic selection, but the Linux kernel
+ currently does not support it. That's why we stick with these simple
+ ipsec.conf rules for now.
+
+- Added Dead Peer Detection (DPD) which checks liveliness of remote peer if no
+ IKE or ESP traffic is received. DPD is currently hardcoded (dpdaction=clear,
+ dpddelay=60s).
+
+- Initial NAT traversal support in IKEv2. Charon includes NAT detection
+ notify payloads to detect NAT routers between the peers. It switches
+ to port 4500, uses UDP encapsulated ESP packets, handles peer address
+ changes gracefully and sends keep alive message periodically.
+
+- Reimplemented IKE_SA state machine for charon, which allows simultaneous
+ rekeying, more shared code, cleaner design, proper retransmission
+ and a more extensible code base.
+
- The mixed PSK/RSA roadwarrior detection capability introduced by the
strongswan-2.7.0 release necessitated the pre-parsing of the IKE proposal
payloads by the responder right before any defined IKE Main Mode state had
@@ -67,25 +210,63 @@ strongswan-2.7.2
the state pointer before logging current state information, causing an
immediate crash of the pluto keying daemon due to a NULL pointer.
- We strongly recommend to update to the 2.7.2 release which fixes this
- vulnerability to malformed proposal payloads that could otherwise be
- exploited by Denial-of-Service attacks.
-
-
-strongswan-2.7.1
-----------------
-
-- Calling ipsec up|down|route|unroute with a non-empty connection name
- caused pluto to crash. As a fix argument checks have been added both
- to the ipsec command on the sender end and pluto/rcv_whack.c on the
- receiver end.
-
-- reactivated the PPP pointopoint code in starter/interfaces.c which
- creates an ipsecN interface when used with Linux 2.4 KLIPS.
-- replaced free() by curl_free() in pluto/fetch.c thus fixing pluto
- crashes occuring on some 64 bit hardware platforms when curl couldn't
- successfully resolve a DNS request prior to fetching a CRL.
+strongswan-4.0.1
+----------------
+
+- Added algorithm selection to charon: New default algorithms for
+ ike=aes128-sha-modp2048, as both daemons support it. The default
+ for IPsec SAs is now esp=aes128-sha,3des-md5. charon handles
+ the ike/esp parameter the same way as pluto. As this syntax does
+ not allow specification of a pseudo random function, the same
+ algorithm as for integrity is used (currently sha/md5). Supported
+ algorithms for IKE:
+ Encryption: aes128, aes192, aes256
+ Integrity/PRF: md5, sha (using hmac)
+ DH-Groups: modp768, 1024, 1536, 2048, 4096, 8192
+ and for ESP:
+ Encryption: aes128, aes192, aes256, 3des, blowfish128,
+ blowfish192, blowfish256
+ Integrity: md5, sha1
+ More IKE encryption algorithms will come after porting libcrypto into
+ libstrongswan.
+
+- initial support for rekeying CHILD_SAs using IKEv2. Currently no
+ perfect forward secrecy is used. The rekeying parameters rekey,
+ rekeymargin, rekeyfuzz and keylife from ipsec.conf are now supported
+ when using IKEv2. WARNING: charon currently is unable to handle
+ simultaneous rekeying. To avoid such a situation, use a large
+ rekeyfuzz, or even better, set rekey=no on one peer.
+
+- support for host2host, net2net, host2net (roadwarrior) tunnels
+ using predefined RSA certificates (see uml scenarios for
+ configuration examples).
+
+- new build environment featuring autotools. Features such
+ as HTTP, LDAP and smartcard support may be enabled using
+ the ./configure script. Changing install directories
+ is possible, too. See ./configure --help for more details.
+
+- better integration of charon with ipsec starter, which allows
+ (almost) transparent operation with both daemons. charon
+ handles ipsec commands up, down, status, statusall, listall,
+ listcerts and allows proper load, reload and delete of connections
+ via ipsec starter.
+
+
+strongswan-4.0.0
+----------------
+
+- initial support of the IKEv2 protocol. Connections in
+ ipsec.conf designated by keyexchange=ikev2 are negotiated
+ by the new IKEv2 charon keying daemon whereas those marked
+ by keyexchange=ikev1 or the default keyexchange=ike are
+ handled thy the IKEv1 pluto keying daemon. Currently only
+ a limited subset of functions are available with IKEv2
+ (Default AES encryption, authentication based on locally
+ imported X.509 certificates, unencrypted private RSA keys
+ in PKCS#1 file format, limited functionality of the ipsec
+ status command).
strongswan-2.7.0
diff --git a/README b/README
index 371a6068c..a37e637da 100644
--- a/README
+++ b/README
@@ -3147,5 +3147,5 @@ by the pluto/xauth.h header file.
for more details.
-----------------------------------------------------------------------------
-This file is RCSID $Id: README,v 1.39 2007/01/30 14:43:12 as Exp $
+This file is RCSID $Id: README,v 1.38 2007/01/14 18:16:51 as Exp $
diff --git a/TODO b/TODO
new file mode 100644
index 000000000..91363e38b
--- /dev/null
+++ b/TODO
@@ -0,0 +1,69 @@
+ -------------------------
+ strongSwan - Roadmap
+ -------------------------
+
+These notes mostly belong to charon, the new IKEv2 daemon. The plan is to
+migrate IKEv1 into charon. It's hard to say how much effort is needed to
+do that, and how much code we can reuse from pluto. But a port IS necessary to
+gain hassle-free confiugration, version negotiation and maintainability.
+
+Roadmap 2007
+============
+
+ Mar ! - Cookie support, IP filter, other fixes to mature against DoS
+ ! - release IKEv2 p2p NATT draft 00
+ !
+ Apr ! - PRF in CHILD_SA rekeying
+ ! - configuration managament refactoring
+ ! - credentials backend redesign
+ ! - interface in charon for the XML based SMP management interface
+ ! - reimplement IKEv2 p2p NATT support
+ !
+ May ! - SMP configuration client
+ !
+ Jun ! - start with IKEv1 migration strategy
+ !
+ Jul !
+ !
+ Aug !
+ !
+ Sep !
+ !
+ Oct !
+ !
+ Nov !
+ !
+ Dec !
+ !
+
+
+TODO-List
+=========
+
+A set of TODOs. This is only a list of things I write down to not forget them.
+Watch out for TODOs in the code.
+
+Build system
+------------
+- configure flag which allows to ommit vendor id in pluto
+- reduce printf handlers count to 10, as uClibc does not support more
+
+Certificate support
+-------------------
+- New trustchain mechanism?
+- proper handling of multiple certificate payloads (import order)
+- synchronized CRL fetcher
+- Smartcard interface
+- Attribute certificates
+
+Stroke interface
+----------------
+- add a Rekey-Counter for SAs in "statusall"
+- ipsec statusall bytecount
+- proper handling of CTRL+C console detach (SIG_PIPE)
+
+Misc
+----
+- PFS support for creating/rekeying CHILD_SAs
+- Address pool/backend for virtual IP assignement
+- fix iterator->insert_before/after
diff --git a/aclocal.m4 b/aclocal.m4
new file mode 100644
index 000000000..8fcf50ac3
--- /dev/null
+++ b/aclocal.m4
@@ -0,0 +1,7324 @@
+# generated automatically by aclocal 1.9.6 -*- Autoconf -*-
+
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
+# 2005 Free Software Foundation, Inc.
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
+
+# serial 48 AC_PROG_LIBTOOL
+
+
+# AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED)
+# -----------------------------------------------------------
+# If this macro is not defined by Autoconf, define it here.
+m4_ifdef([AC_PROVIDE_IFELSE],
+ [],
+ [m4_define([AC_PROVIDE_IFELSE],
+ [m4_ifdef([AC_PROVIDE_$1],
+ [$2], [$3])])])
+
+
+# AC_PROG_LIBTOOL
+# ---------------
+AC_DEFUN([AC_PROG_LIBTOOL],
+[AC_REQUIRE([_AC_PROG_LIBTOOL])dnl
+dnl If AC_PROG_CXX has already been expanded, run AC_LIBTOOL_CXX
+dnl immediately, otherwise, hook it in at the end of AC_PROG_CXX.
+ AC_PROVIDE_IFELSE([AC_PROG_CXX],
+ [AC_LIBTOOL_CXX],
+ [define([AC_PROG_CXX], defn([AC_PROG_CXX])[AC_LIBTOOL_CXX
+ ])])
+dnl And a similar setup for Fortran 77 support
+ AC_PROVIDE_IFELSE([AC_PROG_F77],
+ [AC_LIBTOOL_F77],
+ [define([AC_PROG_F77], defn([AC_PROG_F77])[AC_LIBTOOL_F77
+])])
+
+dnl Quote A][M_PROG_GCJ so that aclocal doesn't bring it in needlessly.
+dnl If either AC_PROG_GCJ or A][M_PROG_GCJ have already been expanded, run
+dnl AC_LIBTOOL_GCJ immediately, otherwise, hook it in at the end of both.
+ AC_PROVIDE_IFELSE([AC_PROG_GCJ],
+ [AC_LIBTOOL_GCJ],
+ [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],
+ [AC_LIBTOOL_GCJ],
+ [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],
+ [AC_LIBTOOL_GCJ],
+ [ifdef([AC_PROG_GCJ],
+ [define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])
+ ifdef([A][M_PROG_GCJ],
+ [define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[AC_LIBTOOL_GCJ])])
+ ifdef([LT_AC_PROG_GCJ],
+ [define([LT_AC_PROG_GCJ],
+ defn([LT_AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])])])
+])])# AC_PROG_LIBTOOL
+
+
+# _AC_PROG_LIBTOOL
+# ----------------
+AC_DEFUN([_AC_PROG_LIBTOOL],
+[AC_REQUIRE([AC_LIBTOOL_SETUP])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_CXX])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_F77])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_GCJ])dnl
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+AC_SUBST(LIBTOOL)dnl
+
+# Prevent multiple expansion
+define([AC_PROG_LIBTOOL], [])
+])# _AC_PROG_LIBTOOL
+
+
+# AC_LIBTOOL_SETUP
+# ----------------
+AC_DEFUN([AC_LIBTOOL_SETUP],
+[AC_PREREQ(2.50)dnl
+AC_REQUIRE([AC_ENABLE_SHARED])dnl
+AC_REQUIRE([AC_ENABLE_STATIC])dnl
+AC_REQUIRE([AC_ENABLE_FAST_INSTALL])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_PROG_LD])dnl
+AC_REQUIRE([AC_PROG_LD_RELOAD_FLAG])dnl
+AC_REQUIRE([AC_PROG_NM])dnl
+
+AC_REQUIRE([AC_PROG_LN_S])dnl
+AC_REQUIRE([AC_DEPLIBS_CHECK_METHOD])dnl
+# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
+AC_REQUIRE([AC_OBJEXT])dnl
+AC_REQUIRE([AC_EXEEXT])dnl
+dnl
+
+AC_LIBTOOL_SYS_MAX_CMD_LEN
+AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+AC_LIBTOOL_OBJDIR
+
+AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+_LT_AC_PROG_ECHO_BACKSLASH
+
+case $host_os in
+aix3*)
+ # AIX sometimes has problems with the GCC collect2 program. For some
+ # reason, if we set the COLLECT_NAMES environment variable, the problems
+ # vanish in a puff of smoke.
+ if test "X${COLLECT_NAMES+set}" != Xset; then
+ COLLECT_NAMES=
+ export COLLECT_NAMES
+ fi
+ ;;
+esac
+
+# Sed substitution that helps us do robust quoting. It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e 1s/^X//'
+[sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g']
+
+# Same as above, but do not quote variable references.
+[double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g']
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+
+# Constants:
+rm="rm -f"
+
+# Global variables:
+default_ofile=libtool
+can_build_shared=yes
+
+# All known linkers require a `.a' archive for static linking (except MSVC,
+# which needs '.lib').
+libext=a
+ltmain="$ac_aux_dir/ltmain.sh"
+ofile="$default_ofile"
+with_gnu_ld="$lt_cv_prog_gnu_ld"
+
+AC_CHECK_TOOL(AR, ar, false)
+AC_CHECK_TOOL(RANLIB, ranlib, :)
+AC_CHECK_TOOL(STRIP, strip, :)
+
+old_CC="$CC"
+old_CFLAGS="$CFLAGS"
+
+# Set sane defaults for various variables
+test -z "$AR" && AR=ar
+test -z "$AR_FLAGS" && AR_FLAGS=cru
+test -z "$AS" && AS=as
+test -z "$CC" && CC=cc
+test -z "$LTCC" && LTCC=$CC
+test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+test -z "$LD" && LD=ld
+test -z "$LN_S" && LN_S="ln -s"
+test -z "$MAGIC_CMD" && MAGIC_CMD=file
+test -z "$NM" && NM=nm
+test -z "$SED" && SED=sed
+test -z "$OBJDUMP" && OBJDUMP=objdump
+test -z "$RANLIB" && RANLIB=:
+test -z "$STRIP" && STRIP=:
+test -z "$ac_objext" && ac_objext=o
+
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+if test -n "$RANLIB"; then
+ case $host_os in
+ openbsd*)
+ old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+ ;;
+ *)
+ old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+ ;;
+ esac
+ old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+fi
+
+_LT_CC_BASENAME([$compiler])
+
+# Only perform the check for file, if the check method requires it
+case $deplibs_check_method in
+file_magic*)
+ if test "$file_magic_cmd" = '$MAGIC_CMD'; then
+ AC_PATH_MAGIC
+ fi
+ ;;
+esac
+
+AC_PROVIDE_IFELSE([AC_LIBTOOL_DLOPEN], enable_dlopen=yes, enable_dlopen=no)
+AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
+enable_win32_dll=yes, enable_win32_dll=no)
+
+AC_ARG_ENABLE([libtool-lock],
+ [AC_HELP_STRING([--disable-libtool-lock],
+ [avoid locking (might break parallel builds)])])
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+AC_ARG_WITH([pic],
+ [AC_HELP_STRING([--with-pic],
+ [try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
+ [pic_mode="$withval"],
+ [pic_mode=default])
+test -z "$pic_mode" && pic_mode=default
+
+# Check if we have a version mismatch between libtool.m4 and ltmain.sh.
+#
+# Note: This should be in AC_LIBTOOL_SETUP, _after_ $ltmain have been defined.
+# We also should do it _before_ AC_LIBTOOL_LANG_C_CONFIG that actually
+# calls AC_LIBTOOL_CONFIG and creates libtool.
+#
+_LT_VERSION_CHECK
+
+# Use C for the default configuration in the libtool script
+tagname=
+AC_LIBTOOL_LANG_C_CONFIG
+_LT_AC_TAGCONFIG
+])# AC_LIBTOOL_SETUP
+
+
+# _LT_VERSION_CHECK
+# -----------------
+AC_DEFUN([_LT_VERSION_CHECK],
+[AC_MSG_CHECKING([for correct ltmain.sh version])
+if test "x$ltmain" = "x" ; then
+ AC_MSG_RESULT(no)
+ AC_MSG_ERROR([
+
+*** @<:@Gentoo@:>@ sanity check failed! ***
+*** \$ltmain is not defined, please check the patch for consistency! ***
+])
+fi
+gentoo_lt_version="1.5.22"
+gentoo_ltmain_version=`sed -n '/^[[ ]]*VERSION=/{s/^[[ ]]*VERSION=//;p;q;}' "$ltmain"`
+if test "x$gentoo_lt_version" != "x$gentoo_ltmain_version" ; then
+ AC_MSG_RESULT(no)
+ AC_MSG_ERROR([
+
+*** @<:@Gentoo@:>@ sanity check failed! ***
+*** libtool.m4 and ltmain.sh have a version mismatch! ***
+*** (libtool.m4 = $gentoo_lt_version, ltmain.sh = $gentoo_ltmain_version) ***
+
+Please run:
+
+ libtoolize --copy --force
+
+if appropriate, please contact the maintainer of this
+package (or your distribution) for help.
+])
+else
+ AC_MSG_RESULT(yes)
+fi
+])# _LT_VERSION_CHECK
+
+
+# _LT_AC_SYS_COMPILER
+# -------------------
+AC_DEFUN([_LT_AC_SYS_COMPILER],
+[AC_REQUIRE([AC_PROG_CC])dnl
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+])# _LT_AC_SYS_COMPILER
+
+
+# _LT_CC_BASENAME(CC)
+# -------------------
+# Calculate cc_basename. Skip known compiler wrappers and cross-prefix.
+AC_DEFUN([_LT_CC_BASENAME],
+[for cc_temp in $1""; do
+ case $cc_temp in
+ compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;;
+ distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;;
+ \-*) ;;
+ *) break;;
+ esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+])
+
+
+# _LT_COMPILER_BOILERPLATE
+# ------------------------
+# Check for compiler boilerplate output or warnings with
+# the simple compiler test code.
+AC_DEFUN([_LT_COMPILER_BOILERPLATE],
+[ac_outfile=conftest.$ac_objext
+printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+])# _LT_COMPILER_BOILERPLATE
+
+
+# _LT_LINKER_BOILERPLATE
+# ----------------------
+# Check for linker boilerplate output or warnings with
+# the simple link test code.
+AC_DEFUN([_LT_LINKER_BOILERPLATE],
+[ac_outfile=conftest.$ac_objext
+printf "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm conftest*
+])# _LT_LINKER_BOILERPLATE
+
+
+# _LT_AC_SYS_LIBPATH_AIX
+# ----------------------
+# Links a minimal program and checks the executable
+# for the system default hardcoded library path. In most cases,
+# this is /usr/lib:/lib, but when the MPI compilers are used
+# the location of the communication and MPI libs are included too.
+# If we don't find anything, use the default library path according
+# to the aix ld manual.
+AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX],
+[AC_LINK_IFELSE(AC_LANG_PROGRAM,[
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi],[])
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+])# _LT_AC_SYS_LIBPATH_AIX
+
+
+# _LT_AC_SHELL_INIT(ARG)
+# ----------------------
+AC_DEFUN([_LT_AC_SHELL_INIT],
+[ifdef([AC_DIVERSION_NOTICE],
+ [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)],
+ [AC_DIVERT_PUSH(NOTICE)])
+$1
+AC_DIVERT_POP
+])# _LT_AC_SHELL_INIT
+
+
+# _LT_AC_PROG_ECHO_BACKSLASH
+# --------------------------
+# Add some code to the start of the generated configure script which
+# will find an echo command which doesn't interpret backslashes.
+AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH],
+[_LT_AC_SHELL_INIT([
+# Check that we are running under the correct shell.
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+case X$ECHO in
+X*--fallback-echo)
+ # Remove one level of quotation (which was required for Make).
+ ECHO=`echo "$ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','`
+ ;;
+esac
+
+echo=${ECHO-echo}
+if test "X[$]1" = X--no-reexec; then
+ # Discard the --no-reexec flag, and continue.
+ shift
+elif test "X[$]1" = X--fallback-echo; then
+ # Avoid inline document here, it may be left over
+ :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then
+ # Yippee, $echo works!
+ :
+else
+ # Restart under the correct shell.
+ exec $SHELL "[$]0" --no-reexec ${1+"[$]@"}
+fi
+
+if test "X[$]1" = X--fallback-echo; then
+ # used as fallback echo
+ shift
+ cat <<EOF
+[$]*
+EOF
+ exit 0
+fi
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+if test -z "$ECHO"; then
+if test "X${echo_test_string+set}" != Xset; then
+# find a string as large as possible, as long as the shell can cope with it
+ for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
+ # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
+ if (echo_test_string=`eval $cmd`) 2>/dev/null &&
+ echo_test_string=`eval $cmd` &&
+ (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
+ then
+ break
+ fi
+ done
+fi
+
+if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ :
+else
+ # The Solaris, AIX, and Digital Unix default echo programs unquote
+ # backslashes. This makes it impossible to quote backslashes using
+ # echo "$something" | sed 's/\\/\\\\/g'
+ #
+ # So, first we look for a working echo in the user's PATH.
+
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for dir in $PATH /usr/ucb; do
+ IFS="$lt_save_ifs"
+ if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
+ test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ echo="$dir/echo"
+ break
+ fi
+ done
+ IFS="$lt_save_ifs"
+
+ if test "X$echo" = Xecho; then
+ # We didn't find a better echo, so look for alternatives.
+ if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ # This shell has a builtin print -r that does the trick.
+ echo='print -r'
+ elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
+ test "X$CONFIG_SHELL" != X/bin/ksh; then
+ # If we have ksh, try running configure again with it.
+ ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
+ export ORIGINAL_CONFIG_SHELL
+ CONFIG_SHELL=/bin/ksh
+ export CONFIG_SHELL
+ exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"}
+ else
+ # Try using printf.
+ echo='printf %s\n'
+ if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ # Cool, printf works
+ :
+ elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
+ test "X$echo_testing_string" = 'X\t' &&
+ echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
+ export CONFIG_SHELL
+ SHELL="$CONFIG_SHELL"
+ export SHELL
+ echo="$CONFIG_SHELL [$]0 --fallback-echo"
+ elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
+ test "X$echo_testing_string" = 'X\t' &&
+ echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ echo="$CONFIG_SHELL [$]0 --fallback-echo"
+ else
+ # maybe with a smaller string...
+ prev=:
+
+ for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do
+ if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null
+ then
+ break
+ fi
+ prev="$cmd"
+ done
+
+ if test "$prev" != 'sed 50q "[$]0"'; then
+ echo_test_string=`eval $prev`
+ export echo_test_string
+ exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"}
+ else
+ # Oops. We lost completely, so just stick with echo.
+ echo=echo
+ fi
+ fi
+ fi
+ fi
+fi
+fi
+
+# Copy echo and quote the copy suitably for passing to libtool from
+# the Makefile, instead of quoting the original, which is used later.
+ECHO=$echo
+if test "X$ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then
+ ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo"
+fi
+
+AC_SUBST(ECHO)
+])])# _LT_AC_PROG_ECHO_BACKSLASH
+
+
+# _LT_AC_LOCK
+# -----------
+AC_DEFUN([_LT_AC_LOCK],
+[AC_ARG_ENABLE([libtool-lock],
+ [AC_HELP_STRING([--disable-libtool-lock],
+ [avoid locking (might break parallel builds)])])
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case $host in
+ia64-*-hpux*)
+ # Find out which ABI we are using.
+ echo 'int i;' > conftest.$ac_ext
+ if AC_TRY_EVAL(ac_compile); then
+ case `/usr/bin/file conftest.$ac_objext` in
+ *ELF-32*)
+ HPUX_IA64_MODE="32"
+ ;;
+ *ELF-64*)
+ HPUX_IA64_MODE="64"
+ ;;
+ esac
+ fi
+ rm -rf conftest*
+ ;;
+*-*-irix6*)
+ # Find out which ABI we are using.
+ echo '[#]line __oline__ "configure"' > conftest.$ac_ext
+ if AC_TRY_EVAL(ac_compile); then
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ case `/usr/bin/file conftest.$ac_objext` in
+ *32-bit*)
+ LD="${LD-ld} -melf32bsmip"
+ ;;
+ *N32*)
+ LD="${LD-ld} -melf32bmipn32"
+ ;;
+ *64-bit*)
+ LD="${LD-ld} -melf64bmip"
+ ;;
+ esac
+ else
+ case `/usr/bin/file conftest.$ac_objext` in
+ *32-bit*)
+ LD="${LD-ld} -32"
+ ;;
+ *N32*)
+ LD="${LD-ld} -n32"
+ ;;
+ *64-bit*)
+ LD="${LD-ld} -64"
+ ;;
+ esac
+ fi
+ fi
+ rm -rf conftest*
+ ;;
+
+x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
+ # Find out which ABI we are using.
+ echo 'int i;' > conftest.$ac_ext
+ if AC_TRY_EVAL(ac_compile); then
+ case `/usr/bin/file conftest.o` in
+ *32-bit*)
+ case $host in
+ x86_64-*linux*)
+ LD="${LD-ld} -m elf_i386"
+ ;;
+ ppc64-*linux*|powerpc64-*linux*)
+ LD="${LD-ld} -m elf32ppclinux"
+ ;;
+ s390x-*linux*)
+ LD="${LD-ld} -m elf_s390"
+ ;;
+ sparc64-*linux*)
+ LD="${LD-ld} -m elf32_sparc"
+ ;;
+ esac
+ ;;
+ *64-bit*)
+ case $host in
+ x86_64-*linux*)
+ LD="${LD-ld} -m elf_x86_64"
+ ;;
+ ppc*-*linux*|powerpc*-*linux*)
+ LD="${LD-ld} -m elf64ppc"
+ ;;
+ s390*-*linux*)
+ LD="${LD-ld} -m elf64_s390"
+ ;;
+ sparc*-*linux*)
+ LD="${LD-ld} -m elf64_sparc"
+ ;;
+ esac
+ ;;
+ esac
+ fi
+ rm -rf conftest*
+ ;;
+
+*-*-sco3.2v5*)
+ # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+ SAVE_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -belf"
+ AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
+ [AC_LANG_PUSH(C)
+ AC_TRY_LINK([],[],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
+ AC_LANG_POP])
+ if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+ # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+ CFLAGS="$SAVE_CFLAGS"
+ fi
+ ;;
+sparc*-*solaris*)
+ # Find out which ABI we are using.
+ echo 'int i;' > conftest.$ac_ext
+ if AC_TRY_EVAL(ac_compile); then
+ case `/usr/bin/file conftest.o` in
+ *64-bit*)
+ case $lt_cv_prog_gnu_ld in
+ yes*) LD="${LD-ld} -m elf64_sparc" ;;
+ *) LD="${LD-ld} -64" ;;
+ esac
+ ;;
+ esac
+ fi
+ rm -rf conftest*
+ ;;
+
+AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
+[*-*-cygwin* | *-*-mingw* | *-*-pw32*)
+ AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+ AC_CHECK_TOOL(AS, as, false)
+ AC_CHECK_TOOL(OBJDUMP, objdump, false)
+ ;;
+ ])
+esac
+
+need_locks="$enable_libtool_lock"
+
+])# _LT_AC_LOCK
+
+
+# AC_LIBTOOL_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+# [OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE])
+# ----------------------------------------------------------------
+# Check whether the given compiler option works
+AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION],
+[AC_REQUIRE([LT_AC_PROG_SED])
+AC_CACHE_CHECK([$1], [$2],
+ [$2=no
+ ifelse([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="$3"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&AS_MESSAGE_LOG_FD
+ echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings other than the usual output.
+ $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+ $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+ if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+ $2=yes
+ fi
+ fi
+ $rm conftest*
+])
+
+if test x"[$]$2" = xyes; then
+ ifelse([$5], , :, [$5])
+else
+ ifelse([$6], , :, [$6])
+fi
+])# AC_LIBTOOL_COMPILER_OPTION
+
+
+# AC_LIBTOOL_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+# [ACTION-SUCCESS], [ACTION-FAILURE])
+# ------------------------------------------------------------
+# Check whether the given compiler option works
+AC_DEFUN([AC_LIBTOOL_LINKER_OPTION],
+[AC_CACHE_CHECK([$1], [$2],
+ [$2=no
+ save_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $3"
+ printf "$lt_simple_link_test_code" > conftest.$ac_ext
+ if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+ # The linker can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test -s conftest.err; then
+ # Append any errors to the config.log.
+ cat conftest.err 1>&AS_MESSAGE_LOG_FD
+ $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+ $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+ if diff conftest.exp conftest.er2 >/dev/null; then
+ $2=yes
+ fi
+ else
+ $2=yes
+ fi
+ fi
+ $rm conftest*
+ LDFLAGS="$save_LDFLAGS"
+])
+
+if test x"[$]$2" = xyes; then
+ ifelse([$4], , :, [$4])
+else
+ ifelse([$5], , :, [$5])
+fi
+])# AC_LIBTOOL_LINKER_OPTION
+
+
+# AC_LIBTOOL_SYS_MAX_CMD_LEN
+# --------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN],
+[# find the maximum length of command line arguments
+AC_MSG_CHECKING([the maximum length of command line arguments])
+AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
+ i=0
+ teststring="ABCD"
+
+ case $build_os in
+ msdosdjgpp*)
+ # On DJGPP, this test can blow up pretty badly due to problems in libc
+ # (any single argument exceeding 2000 bytes causes a buffer overrun
+ # during glob expansion). Even if it were fixed, the result of this
+ # check would be larger than it should be.
+ lt_cv_sys_max_cmd_len=12288; # 12K is about right
+ ;;
+
+ gnu*)
+ # Under GNU Hurd, this test is not required because there is
+ # no limit to the length of command line arguments.
+ # Libtool will interpret -1 as no limit whatsoever
+ lt_cv_sys_max_cmd_len=-1;
+ ;;
+
+ cygwin* | mingw*)
+ # On Win9x/ME, this test blows up -- it succeeds, but takes
+ # about 5 minutes as the teststring grows exponentially.
+ # Worse, since 9x/ME are not pre-emptively multitasking,
+ # you end up with a "frozen" computer, even though with patience
+ # the test eventually succeeds (with a max line length of 256k).
+ # Instead, let's just punt: use the minimum linelength reported by
+ # all of the supported platforms: 8192 (on NT/2K/XP).
+ lt_cv_sys_max_cmd_len=8192;
+ ;;
+
+ amigaos*)
+ # On AmigaOS with pdksh, this test takes hours, literally.
+ # So we just punt and use a minimum line length of 8192.
+ lt_cv_sys_max_cmd_len=8192;
+ ;;
+
+ netbsd* | freebsd* | openbsd* | darwin* | dragonfly*)
+ # This has been around since 386BSD, at least. Likely further.
+ if test -x /sbin/sysctl; then
+ lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
+ elif test -x /usr/sbin/sysctl; then
+ lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
+ else
+ lt_cv_sys_max_cmd_len=65536 # usable default for all BSDs
+ fi
+ # And add a safety zone
+ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+ ;;
+
+ interix*)
+ # We know the value 262144 and hardcode it with a safety zone (like BSD)
+ lt_cv_sys_max_cmd_len=196608
+ ;;
+
+ osf*)
+ # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
+ # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
+ # nice to cause kernel panics so lets avoid the loop below.
+ # First set a reasonable default.
+ lt_cv_sys_max_cmd_len=16384
+ #
+ if test -x /sbin/sysconfig; then
+ case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
+ *1*) lt_cv_sys_max_cmd_len=-1 ;;
+ esac
+ fi
+ ;;
+ sco3.2v5*)
+ lt_cv_sys_max_cmd_len=102400
+ ;;
+ sysv5* | sco5v6* | sysv4.2uw2*)
+ kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
+ if test -n "$kargmax"; then
+ lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[ ]]//'`
+ else
+ lt_cv_sys_max_cmd_len=32768
+ fi
+ ;;
+ *)
+ # If test is not a shell built-in, we'll probably end up computing a
+ # maximum length that is only half of the actual maximum length, but
+ # we can't tell.
+ SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
+ while (test "X"`$SHELL [$]0 --fallback-echo "X$teststring" 2>/dev/null` \
+ = "XX$teststring") >/dev/null 2>&1 &&
+ new_result=`expr "X$teststring" : ".*" 2>&1` &&
+ lt_cv_sys_max_cmd_len=$new_result &&
+ test $i != 17 # 1/2 MB should be enough
+ do
+ i=`expr $i + 1`
+ teststring=$teststring$teststring
+ done
+ teststring=
+ # Add a significant safety factor because C++ compilers can tack on massive
+ # amounts of additional arguments before passing them to the linker.
+ # It appears as though 1/2 is a usable value.
+ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
+ ;;
+ esac
+])
+if test -n $lt_cv_sys_max_cmd_len ; then
+ AC_MSG_RESULT($lt_cv_sys_max_cmd_len)
+else
+ AC_MSG_RESULT(none)
+fi
+])# AC_LIBTOOL_SYS_MAX_CMD_LEN
+
+
+# _LT_AC_CHECK_DLFCN
+# ------------------
+AC_DEFUN([_LT_AC_CHECK_DLFCN],
+[AC_CHECK_HEADERS(dlfcn.h)dnl
+])# _LT_AC_CHECK_DLFCN
+
+
+# _LT_AC_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
+# ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
+# ---------------------------------------------------------------------
+AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF],
+[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
+if test "$cross_compiling" = yes; then :
+ [$4]
+else
+ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+ lt_status=$lt_dlunknown
+ cat > conftest.$ac_ext <<EOF
+[#line __oline__ "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LT_DLGLOBAL RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+# define LT_DLGLOBAL DL_GLOBAL
+# else
+# define LT_DLGLOBAL 0
+# endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+ find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+# ifdef RTLD_LAZY
+# define LT_DLLAZY_OR_NOW RTLD_LAZY
+# else
+# ifdef DL_LAZY
+# define LT_DLLAZY_OR_NOW DL_LAZY
+# else
+# ifdef RTLD_NOW
+# define LT_DLLAZY_OR_NOW RTLD_NOW
+# else
+# ifdef DL_NOW
+# define LT_DLLAZY_OR_NOW DL_NOW
+# else
+# define LT_DLLAZY_OR_NOW 0
+# endif
+# endif
+# endif
+# endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+ void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+ int status = $lt_dlunknown;
+
+ if (self)
+ {
+ if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
+ else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ /* dlclose (self); */
+ }
+ else
+ puts (dlerror ());
+
+ exit (status);
+}]
+EOF
+ if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then
+ (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null
+ lt_status=$?
+ case x$lt_status in
+ x$lt_dlno_uscore) $1 ;;
+ x$lt_dlneed_uscore) $2 ;;
+ x$lt_dlunknown|x*) $3 ;;
+ esac
+ else :
+ # compilation failed
+ $3
+ fi
+fi
+rm -fr conftest*
+])# _LT_AC_TRY_DLOPEN_SELF
+
+
+# AC_LIBTOOL_DLOPEN_SELF
+# ----------------------
+AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF],
+[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
+if test "x$enable_dlopen" != xyes; then
+ enable_dlopen=unknown
+ enable_dlopen_self=unknown
+ enable_dlopen_self_static=unknown
+else
+ lt_cv_dlopen=no
+ lt_cv_dlopen_libs=
+
+ case $host_os in
+ beos*)
+ lt_cv_dlopen="load_add_on"
+ lt_cv_dlopen_libs=
+ lt_cv_dlopen_self=yes
+ ;;
+
+ mingw* | pw32*)
+ lt_cv_dlopen="LoadLibrary"
+ lt_cv_dlopen_libs=
+ ;;
+
+ cygwin*)
+ lt_cv_dlopen="dlopen"
+ lt_cv_dlopen_libs=
+ ;;
+
+ darwin*)
+ # if libdl is installed we need to link against it
+ AC_CHECK_LIB([dl], [dlopen],
+ [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[
+ lt_cv_dlopen="dyld"
+ lt_cv_dlopen_libs=
+ lt_cv_dlopen_self=yes
+ ])
+ ;;
+
+ *)
+ AC_CHECK_FUNC([shl_load],
+ [lt_cv_dlopen="shl_load"],
+ [AC_CHECK_LIB([dld], [shl_load],
+ [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"],
+ [AC_CHECK_FUNC([dlopen],
+ [lt_cv_dlopen="dlopen"],
+ [AC_CHECK_LIB([dl], [dlopen],
+ [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],
+ [AC_CHECK_LIB([svld], [dlopen],
+ [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"],
+ [AC_CHECK_LIB([dld], [dld_link],
+ [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"])
+ ])
+ ])
+ ])
+ ])
+ ])
+ ;;
+ esac
+
+ if test "x$lt_cv_dlopen" != xno; then
+ enable_dlopen=yes
+ else
+ enable_dlopen=no
+ fi
+
+ case $lt_cv_dlopen in
+ dlopen)
+ save_CPPFLAGS="$CPPFLAGS"
+ test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+
+ save_LDFLAGS="$LDFLAGS"
+ wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+
+ save_LIBS="$LIBS"
+ LIBS="$lt_cv_dlopen_libs $LIBS"
+
+ AC_CACHE_CHECK([whether a program can dlopen itself],
+ lt_cv_dlopen_self, [dnl
+ _LT_AC_TRY_DLOPEN_SELF(
+ lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes,
+ lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross)
+ ])
+
+ if test "x$lt_cv_dlopen_self" = xyes; then
+ wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
+ AC_CACHE_CHECK([whether a statically linked program can dlopen itself],
+ lt_cv_dlopen_self_static, [dnl
+ _LT_AC_TRY_DLOPEN_SELF(
+ lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes,
+ lt_cv_dlopen_self_static=no, lt_cv_dlopen_self_static=cross)
+ ])
+ fi
+
+ CPPFLAGS="$save_CPPFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+ LIBS="$save_LIBS"
+ ;;
+ esac
+
+ case $lt_cv_dlopen_self in
+ yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+ *) enable_dlopen_self=unknown ;;
+ esac
+
+ case $lt_cv_dlopen_self_static in
+ yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+ *) enable_dlopen_self_static=unknown ;;
+ esac
+fi
+])# AC_LIBTOOL_DLOPEN_SELF
+
+
+# AC_LIBTOOL_PROG_CC_C_O([TAGNAME])
+# ---------------------------------
+# Check to see if options -c and -o are simultaneously supported by compiler
+AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O],
+[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
+ [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
+ [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
+ $rm -r conftest 2>/dev/null
+ mkdir conftest
+ cd conftest
+ mkdir out
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ lt_compiler_flag="-o out/conftest2.$ac_objext"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+ (eval "$lt_compile" 2>out/conftest.err)
+ ac_status=$?
+ cat out/conftest.err >&AS_MESSAGE_LOG_FD
+ echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+ if (exit $ac_status) && test -s out/conftest2.$ac_objext
+ then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+ $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+ if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+ _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+ fi
+ fi
+ chmod u+w . 2>&AS_MESSAGE_LOG_FD
+ $rm conftest*
+ # SGI C++ compiler will create directory out/ii_files/ for
+ # template instantiation
+ test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+ $rm out/* && rmdir out
+ cd ..
+ rmdir conftest
+ $rm conftest*
+])
+])# AC_LIBTOOL_PROG_CC_C_O
+
+
+# AC_LIBTOOL_SYS_HARD_LINK_LOCKS([TAGNAME])
+# -----------------------------------------
+# Check to see if we can do hard links to lock some files if needed
+AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS],
+[AC_REQUIRE([_LT_AC_LOCK])dnl
+
+hard_links="nottested"
+if test "$_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then
+ # do not overwrite the value of need_locks provided by the user
+ AC_MSG_CHECKING([if we can lock with hard links])
+ hard_links=yes
+ $rm conftest*
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ touch conftest.a
+ ln conftest.a conftest.b 2>&5 || hard_links=no
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ AC_MSG_RESULT([$hard_links])
+ if test "$hard_links" = no; then
+ AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe])
+ need_locks=warn
+ fi
+else
+ need_locks=no
+fi
+])# AC_LIBTOOL_SYS_HARD_LINK_LOCKS
+
+
+# AC_LIBTOOL_OBJDIR
+# -----------------
+AC_DEFUN([AC_LIBTOOL_OBJDIR],
+[AC_CACHE_CHECK([for objdir], [lt_cv_objdir],
+[rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+ lt_cv_objdir=.libs
+else
+ # MS-DOS does not allow filenames that begin with a dot.
+ lt_cv_objdir=_libs
+fi
+rmdir .libs 2>/dev/null])
+objdir=$lt_cv_objdir
+])# AC_LIBTOOL_OBJDIR
+
+
+# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH([TAGNAME])
+# ----------------------------------------------
+# Check hardcoding attributes.
+AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH],
+[AC_MSG_CHECKING([how to hardcode library paths into programs])
+_LT_AC_TAGVAR(hardcode_action, $1)=
+if test -n "$_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)" || \
+ test -n "$_LT_AC_TAGVAR(runpath_var, $1)" || \
+ test "X$_LT_AC_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then
+
+ # We can hardcode non-existant directories.
+ if test "$_LT_AC_TAGVAR(hardcode_direct, $1)" != no &&
+ # If the only mechanism to avoid hardcoding is shlibpath_var, we
+ # have to relink, otherwise we might link with an installed library
+ # when we should be linking with a yet-to-be-installed one
+ ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)" != no &&
+ test "$_LT_AC_TAGVAR(hardcode_minus_L, $1)" != no; then
+ # Linking always hardcodes the temporary library directory.
+ _LT_AC_TAGVAR(hardcode_action, $1)=relink
+ else
+ # We can link without hardcoding, and we can hardcode nonexisting dirs.
+ _LT_AC_TAGVAR(hardcode_action, $1)=immediate
+ fi
+else
+ # We cannot hardcode anything, or else we can only hardcode existing
+ # directories.
+ _LT_AC_TAGVAR(hardcode_action, $1)=unsupported
+fi
+AC_MSG_RESULT([$_LT_AC_TAGVAR(hardcode_action, $1)])
+
+if test "$_LT_AC_TAGVAR(hardcode_action, $1)" = relink; then
+ # Fast installation is not supported
+ enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+ test "$enable_shared" = no; then
+ # Fast installation is not necessary
+ enable_fast_install=needless
+fi
+])# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH
+
+
+# AC_LIBTOOL_SYS_LIB_STRIP
+# ------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP],
+[striplib=
+old_striplib=
+AC_MSG_CHECKING([whether stripping libraries is possible])
+if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
+ test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+ test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+ AC_MSG_RESULT([yes])
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+ case $host_os in
+ darwin*)
+ if test -n "$STRIP" ; then
+ striplib="$STRIP -x"
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+fi
+ ;;
+ *)
+ AC_MSG_RESULT([no])
+ ;;
+ esac
+fi
+])# AC_LIBTOOL_SYS_LIB_STRIP
+
+
+# AC_LIBTOOL_SYS_DYNAMIC_LINKER
+# -----------------------------
+# PORTME Fill in your ld.so characteristics
+AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER],
+[AC_MSG_CHECKING([dynamic linker characteristics])
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+ # if the path contains ";" then we assume it to be the separator
+ # otherwise default to the standard path separator (i.e. ":") - it is
+ # assumed that no part of a normal pathname contains ";" but that should
+ # okay in the real world where ";" in dirpaths is itself problematic.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+else
+ sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+ shlibpath_var=LIBPATH
+
+ # AIX 3 has no versioning support, so we append a major version to the name.
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+
+aix4* | aix5*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ hardcode_into_libs=yes
+ if test "$host_cpu" = ia64; then
+ # AIX 5 supports IA64
+ library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ else
+ # With GCC up to 2.95.x, collect2 would create an import file
+ # for dependence libraries. The import file would start with
+ # the line `#! .'. This would cause the generated library to
+ # depend on `.', always an invalid library. This was fixed in
+ # development snapshots of GCC prior to 3.0.
+ case $host_os in
+ aix4 | aix4.[[01]] | aix4.[[01]].*)
+ if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+ echo ' yes '
+ echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+ :
+ else
+ can_build_shared=no
+ fi
+ ;;
+ esac
+ # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+ # soname into executable. Probably we can add versioning support to
+ # collect2, so additional links can be useful in future.
+ if test "$aix_use_runtimelinking" = yes; then
+ # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+ # instead of lib<name>.a to let people know that these are not
+ # typical AIX shared libraries.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ else
+ # We preserve .a as extension for shared libraries through AIX4.2
+ # and later when we are not doing run time linking.
+ library_names_spec='${libname}${release}.a $libname.a'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ fi
+ shlibpath_var=LIBPATH
+ fi
+ ;;
+
+amigaos*)
+ library_names_spec='$libname.ixlibrary $libname.a'
+ # Create ${libname}_ixlibrary.a entries in /sys/libs.
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+ ;;
+
+beos*)
+ library_names_spec='${libname}${shared_ext}'
+ dynamic_linker="$host_os ld.so"
+ shlibpath_var=LIBRARY_PATH
+ ;;
+
+bsdi[[45]]*)
+ version_type=linux
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+ sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+ # the default ld.so.conf also contains /usr/contrib/lib and
+ # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+ # libtool to hard-code these into programs
+ ;;
+
+cygwin* | mingw* | pw32*)
+ version_type=windows
+ shrext_cmds=".dll"
+ need_version=no
+ need_lib_prefix=no
+
+ case $GCC,$host_os in
+ yes,cygwin* | yes,mingw* | yes,pw32*)
+ library_names_spec='$libname.dll.a'
+ # DLL is installed to $(libdir)/../bin by postinstall_cmds
+ postinstall_cmds='base_file=`basename \${file}`~
+ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+ dldir=$destdir/`dirname \$dlpath`~
+ test -d \$dldir || mkdir -p \$dldir~
+ $install_prog $dir/$dlname \$dldir/$dlname~
+ chmod a+x \$dldir/$dlname'
+ postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+ dlpath=$dir/\$dldll~
+ $rm \$dlpath'
+ shlibpath_overrides_runpath=yes
+
+ case $host_os in
+ cygwin*)
+ # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+ soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+ ;;
+ mingw*)
+ # MinGW DLLs use traditional 'lib' prefix
+ soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | [grep ';[c-zC-Z]:/' >/dev/null]; then
+ # It is most probably a Windows format PATH printed by
+ # mingw gcc, but we are running on Cygwin. Gcc prints its search
+ # path with ; separators, and with drive letters. We can handle the
+ # drive letters (cygwin fileutils understands them), so leave them,
+ # especially as we might pass files found there to a mingw objdump,
+ # which wouldn't understand a cygwinified path. Ahh.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+ ;;
+ pw32*)
+ # pw32 DLLs use 'pw' prefix rather than 'lib'
+ library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+ ;;
+ esac
+ ;;
+
+ linux*)
+ if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ supports_anon_versioning=no
+ case `$LD -v 2>/dev/null` in
+ *\ [01].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
+ *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+ *\ 2.11.*) ;; # other 2.11 versions
+ *) supports_anon_versioning=yes ;;
+ esac
+ if test $supports_anon_versioning = yes; then
+ archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
+cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+$echo "local: *; };" >> $output_objdir/$libname.ver~
+ $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+ else
+ $archive_expsym_cmds="$archive_cmds"
+ fi
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ *)
+ library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib'
+ ;;
+ esac
+ dynamic_linker='Win32 ld.exe'
+ # FIXME: first we should search . and the directory the executable is in
+ shlibpath_var=PATH
+ ;;
+
+darwin* | rhapsody*)
+ dynamic_linker="$host_os dyld"
+ version_type=darwin
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+ soname_spec='${libname}${release}${major}$shared_ext'
+ shlibpath_overrides_runpath=yes
+ shlibpath_var=DYLD_LIBRARY_PATH
+ shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+ # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
+ if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
+ else
+ sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
+ fi
+ sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+ ;;
+
+dgux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+freebsd1*)
+ dynamic_linker=no
+ ;;
+
+kfreebsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+freebsd* | dragonfly*)
+ # DragonFly does not have aout. When/if they implement a new
+ # versioning mechanism, adjust this.
+ if test -x /usr/bin/objformat; then
+ objformat=`/usr/bin/objformat`
+ else
+ case $host_os in
+ freebsd[[123]]*) objformat=aout ;;
+ *) objformat=elf ;;
+ esac
+ fi
+ # Handle Gentoo/FreeBSD as it was Linux
+ case $host_vendor in
+ gentoo)
+ version_type=linux ;;
+ *)
+ version_type=freebsd-$objformat ;;
+ esac
+
+ case $version_type in
+ freebsd-elf*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ need_version=no
+ need_lib_prefix=no
+ ;;
+ freebsd-*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+ need_version=yes
+ ;;
+ linux)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ need_lib_prefix=no
+ need_version=no
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_os in
+ freebsd2*)
+ shlibpath_overrides_runpath=yes
+ ;;
+ freebsd3.[[01]]* | freebsdelf3.[[01]]*)
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ freebsd3.[[2-9]]* | freebsdelf3.[[2-9]]* | \
+ freebsd4.[[0-5]] | freebsdelf4.[[0-5]] | freebsd4.1.1 | freebsdelf4.1.1)
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+ freebsd*) # from 4.6 on
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ esac
+ ;;
+
+gnu*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ ;;
+
+hpux9* | hpux10* | hpux11*)
+ # Give a soname corresponding to the major version so that dld.sl refuses to
+ # link against other versions.
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ case $host_cpu in
+ ia64*)
+ shrext_cmds='.so'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.so"
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ if test "X$HPUX_IA64_MODE" = X32; then
+ sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+ else
+ sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+ fi
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ hppa*64*)
+ shrext_cmds='.sl'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ *)
+ shrext_cmds='.sl'
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=SHLIB_PATH
+ shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+ esac
+ # HP-UX runs *really* slowly unless shared libraries are mode 555.
+ postinstall_cmds='chmod 555 $lib'
+ ;;
+
+interix3*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $host_os in
+ nonstopux*) version_type=nonstopux ;;
+ *)
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ version_type=linux
+ else
+ version_type=irix
+ fi ;;
+ esac
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+ case $host_os in
+ irix5* | nonstopux*)
+ libsuff= shlibsuff=
+ ;;
+ *)
+ case $LD in # libtool.m4 will add one of these switches to LD
+ *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+ libsuff= shlibsuff= libmagic=32-bit;;
+ *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+ libsuff=32 shlibsuff=N32 libmagic=N32;;
+ *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+ libsuff=64 shlibsuff=64 libmagic=64-bit;;
+ *) libsuff= shlibsuff= libmagic=never-match;;
+ esac
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+ sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+ hardcode_into_libs=yes
+ ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+ dynamic_linker=no
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ # This implies no fast_install, which is unacceptable.
+ # Some rework will be needed to allow for fast_install
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+ sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+ # powerpc, because MkLinux only supported shared libraries with the
+ # GNU dynamic linker. Since this was broken with cross compilers,
+ # most powerpc-linux boxes support dynamic linking these days and
+ # people can always --disable-shared, the test was removed, and we
+ # assume the GNU/Linux dynamic linker is in use.
+ dynamic_linker='GNU/Linux ld.so'
+ ;;
+
+knetbsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+netbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ dynamic_linker='NetBSD (a.out) ld.so'
+ else
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='NetBSD ld.elf_so'
+ fi
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+
+newsos6)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+nto-qnx*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+openbsd*)
+ version_type=sunos
+ sys_lib_dlsearch_path_spec="/usr/lib"
+ need_lib_prefix=no
+ # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+ case $host_os in
+ openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+ *) need_version=no ;;
+ esac
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ case $host_os in
+ openbsd2.[[89]] | openbsd2.[[89]].*)
+ shlibpath_overrides_runpath=no
+ ;;
+ *)
+ shlibpath_overrides_runpath=yes
+ ;;
+ esac
+ else
+ shlibpath_overrides_runpath=yes
+ fi
+ ;;
+
+os2*)
+ libname_spec='$name'
+ shrext_cmds=".dll"
+ need_lib_prefix=no
+ library_names_spec='$libname${shared_ext} $libname.a'
+ dynamic_linker='OS/2 ld.exe'
+ shlibpath_var=LIBPATH
+ ;;
+
+osf3* | osf4* | osf5*)
+ version_type=osf
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+ sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+ ;;
+
+solaris*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ # ldd complains unless libraries are executable
+ postinstall_cmds='chmod +x $lib'
+ ;;
+
+sunos4*)
+ version_type=sunos
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ if test "$with_gnu_ld" = yes; then
+ need_lib_prefix=no
+ fi
+ need_version=yes
+ ;;
+
+sysv4 | sysv4.3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_vendor in
+ sni)
+ shlibpath_overrides_runpath=no
+ need_lib_prefix=no
+ export_dynamic_flag_spec='${wl}-Blargedynsym'
+ runpath_var=LD_RUN_PATH
+ ;;
+ siemens)
+ need_lib_prefix=no
+ ;;
+ motorola)
+ need_lib_prefix=no
+ need_version=no
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+ ;;
+ esac
+ ;;
+
+sysv4*MP*)
+ if test -d /usr/nec ;then
+ version_type=linux
+ library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+ soname_spec='$libname${shared_ext}.$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ fi
+ ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+ version_type=freebsd-elf
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ if test "$with_gnu_ld" = yes; then
+ sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+ shlibpath_overrides_runpath=no
+ else
+ sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+ shlibpath_overrides_runpath=yes
+ case $host_os in
+ sco3.2v5*)
+ sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+ ;;
+ esac
+ fi
+ sys_lib_dlsearch_path_spec='/usr/lib'
+ ;;
+
+uts4*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+*)
+ dynamic_linker=no
+ ;;
+esac
+AC_MSG_RESULT([$dynamic_linker])
+test "$dynamic_linker" = no && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+ variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+])# AC_LIBTOOL_SYS_DYNAMIC_LINKER
+
+
+# _LT_AC_TAGCONFIG
+# ----------------
+AC_DEFUN([_LT_AC_TAGCONFIG],
+[AC_ARG_WITH([tags],
+ [AC_HELP_STRING([--with-tags@<:@=TAGS@:>@],
+ [include additional configurations @<:@automatic@:>@])],
+ [tagnames="$withval"])
+
+if test -f "$ltmain" && test -n "$tagnames"; then
+ if test ! -f "${ofile}"; then
+ AC_MSG_WARN([output file `$ofile' does not exist])
+ fi
+
+ if test -z "$LTCC"; then
+ eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
+ if test -z "$LTCC"; then
+ AC_MSG_WARN([output file `$ofile' does not look like a libtool script])
+ else
+ AC_MSG_WARN([using `LTCC=$LTCC', extracted from `$ofile'])
+ fi
+ fi
+ if test -z "$LTCFLAGS"; then
+ eval "`$SHELL ${ofile} --config | grep '^LTCFLAGS='`"
+ fi
+
+ # Extract list of available tagged configurations in $ofile.
+ # Note that this assumes the entire list is on one line.
+ available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'`
+
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for tagname in $tagnames; do
+ IFS="$lt_save_ifs"
+ # Check whether tagname contains only valid characters
+ case `$echo "X$tagname" | $Xsed -e 's:[[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]]::g'` in
+ "") ;;
+ *) AC_MSG_ERROR([invalid tag name: $tagname])
+ ;;
+ esac
+
+ if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
+ then
+ AC_MSG_ERROR([tag name \"$tagname\" already exists])
+ fi
+
+ # Update the list of available tags.
+ if test -n "$tagname"; then
+ echo appending configuration tag \"$tagname\" to $ofile
+
+ case $tagname in
+ CXX)
+ if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+ ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+ (test "X$CXX" != "Xg++"))) ; then
+ AC_LIBTOOL_LANG_CXX_CONFIG
+ else
+ tagname=""
+ fi
+ ;;
+
+ F77)
+ if test -n "$F77" && test "X$F77" != "Xno"; then
+ AC_LIBTOOL_LANG_F77_CONFIG
+ else
+ tagname=""
+ fi
+ ;;
+
+ GCJ)
+ if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
+ AC_LIBTOOL_LANG_GCJ_CONFIG
+ else
+ tagname=""
+ fi
+ ;;
+
+ RC)
+ AC_LIBTOOL_LANG_RC_CONFIG
+ ;;
+
+ *)
+ AC_MSG_ERROR([Unsupported tag name: $tagname])
+ ;;
+ esac
+
+ # Append the new tag name to the list of available tags.
+ if test -n "$tagname" ; then
+ available_tags="$available_tags $tagname"
+ fi
+ fi
+ done
+ IFS="$lt_save_ifs"
+
+ # Now substitute the updated list of available tags.
+ if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then
+ mv "${ofile}T" "$ofile"
+ chmod +x "$ofile"
+ else
+ rm -f "${ofile}T"
+ AC_MSG_ERROR([unable to update list of available tagged configurations.])
+ fi
+fi
+])# _LT_AC_TAGCONFIG
+
+
+# AC_LIBTOOL_DLOPEN
+# -----------------
+# enable checks for dlopen support
+AC_DEFUN([AC_LIBTOOL_DLOPEN],
+ [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])
+])# AC_LIBTOOL_DLOPEN
+
+
+# AC_LIBTOOL_WIN32_DLL
+# --------------------
+# declare package support for building win32 DLLs
+AC_DEFUN([AC_LIBTOOL_WIN32_DLL],
+[AC_BEFORE([$0], [AC_LIBTOOL_SETUP])
+])# AC_LIBTOOL_WIN32_DLL
+
+
+# AC_ENABLE_SHARED([DEFAULT])
+# ---------------------------
+# implement the --enable-shared flag
+# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_SHARED],
+[define([AC_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([shared],
+ [AC_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
+ [build shared libraries @<:@default=]AC_ENABLE_SHARED_DEFAULT[@:>@])],
+ [p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_shared=yes ;;
+ no) enable_shared=no ;;
+ *)
+ enable_shared=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_shared=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac],
+ [enable_shared=]AC_ENABLE_SHARED_DEFAULT)
+])# AC_ENABLE_SHARED
+
+
+# AC_DISABLE_SHARED
+# -----------------
+# set the default shared flag to --disable-shared
+AC_DEFUN([AC_DISABLE_SHARED],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_SHARED(no)
+])# AC_DISABLE_SHARED
+
+
+# AC_ENABLE_STATIC([DEFAULT])
+# ---------------------------
+# implement the --enable-static flag
+# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_STATIC],
+[define([AC_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([static],
+ [AC_HELP_STRING([--enable-static@<:@=PKGS@:>@],
+ [build static libraries @<:@default=]AC_ENABLE_STATIC_DEFAULT[@:>@])],
+ [p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_static=yes ;;
+ no) enable_static=no ;;
+ *)
+ enable_static=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_static=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac],
+ [enable_static=]AC_ENABLE_STATIC_DEFAULT)
+])# AC_ENABLE_STATIC
+
+
+# AC_DISABLE_STATIC
+# -----------------
+# set the default static flag to --disable-static
+AC_DEFUN([AC_DISABLE_STATIC],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_STATIC(no)
+])# AC_DISABLE_STATIC
+
+
+# AC_ENABLE_FAST_INSTALL([DEFAULT])
+# ---------------------------------
+# implement the --enable-fast-install flag
+# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_FAST_INSTALL],
+[define([AC_ENABLE_FAST_INSTALL_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([fast-install],
+ [AC_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
+ [optimize for fast installation @<:@default=]AC_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
+ [p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_fast_install=yes ;;
+ no) enable_fast_install=no ;;
+ *)
+ enable_fast_install=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_fast_install=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac],
+ [enable_fast_install=]AC_ENABLE_FAST_INSTALL_DEFAULT)
+])# AC_ENABLE_FAST_INSTALL
+
+
+# AC_DISABLE_FAST_INSTALL
+# -----------------------
+# set the default to --disable-fast-install
+AC_DEFUN([AC_DISABLE_FAST_INSTALL],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_FAST_INSTALL(no)
+])# AC_DISABLE_FAST_INSTALL
+
+
+# AC_LIBTOOL_PICMODE([MODE])
+# --------------------------
+# implement the --with-pic flag
+# MODE is either `yes' or `no'. If omitted, it defaults to `both'.
+AC_DEFUN([AC_LIBTOOL_PICMODE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+pic_mode=ifelse($#,1,$1,default)
+])# AC_LIBTOOL_PICMODE
+
+
+# AC_PROG_EGREP
+# -------------
+# This is predefined starting with Autoconf 2.54, so this conditional
+# definition can be removed once we require Autoconf 2.54 or later.
+m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP],
+[AC_CACHE_CHECK([for egrep], [ac_cv_prog_egrep],
+ [if echo a | (grep -E '(a|b)') >/dev/null 2>&1
+ then ac_cv_prog_egrep='grep -E'
+ else ac_cv_prog_egrep='egrep'
+ fi])
+ EGREP=$ac_cv_prog_egrep
+ AC_SUBST([EGREP])
+])])
+
+
+# AC_PATH_TOOL_PREFIX
+# -------------------
+# find a file program which can recognise shared library
+AC_DEFUN([AC_PATH_TOOL_PREFIX],
+[AC_REQUIRE([AC_PROG_EGREP])dnl
+AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(lt_cv_path_MAGIC_CMD,
+[case $MAGIC_CMD in
+[[\\/*] | ?:[\\/]*])
+ lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
+ ;;
+*)
+ lt_save_MAGIC_CMD="$MAGIC_CMD"
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+dnl $ac_dummy forces splitting on constant user-supplied paths.
+dnl POSIX.2 word splitting is done only on the output of word expansions,
+dnl not every word. This closes a longstanding sh security hole.
+ ac_dummy="ifelse([$2], , $PATH, [$2])"
+ for ac_dir in $ac_dummy; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ if test -f $ac_dir/$1; then
+ lt_cv_path_MAGIC_CMD="$ac_dir/$1"
+ if test -n "$file_magic_test_file"; then
+ case $deplibs_check_method in
+ "file_magic "*)
+ file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
+ MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+ if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+ $EGREP "$file_magic_regex" > /dev/null; then
+ :
+ else
+ cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such. This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem. Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+ fi ;;
+ esac
+ fi
+ break
+ fi
+ done
+ IFS="$lt_save_ifs"
+ MAGIC_CMD="$lt_save_MAGIC_CMD"
+ ;;
+esac])
+MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+if test -n "$MAGIC_CMD"; then
+ AC_MSG_RESULT($MAGIC_CMD)
+else
+ AC_MSG_RESULT(no)
+fi
+])# AC_PATH_TOOL_PREFIX
+
+
+# AC_PATH_MAGIC
+# -------------
+# find a file program which can recognise a shared library
+AC_DEFUN([AC_PATH_MAGIC],
+[AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
+if test -z "$lt_cv_path_MAGIC_CMD"; then
+ if test -n "$ac_tool_prefix"; then
+ AC_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH)
+ else
+ MAGIC_CMD=:
+ fi
+fi
+])# AC_PATH_MAGIC
+
+
+# AC_PROG_LD
+# ----------
+# find the pathname to the GNU or non-GNU linker
+AC_DEFUN([AC_PROG_LD],
+[AC_ARG_WITH([gnu-ld],
+ [AC_HELP_STRING([--with-gnu-ld],
+ [assume the C compiler uses GNU ld @<:@default=no@:>@])],
+ [test "$withval" = no || with_gnu_ld=yes],
+ [with_gnu_ld=no])
+AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+ac_prog=ld
+if test "$GCC" = yes; then
+ # Check if gcc -print-prog-name=ld gives a path.
+ AC_MSG_CHECKING([for ld used by $CC])
+ case $host in
+ *-*-mingw*)
+ # gcc leaves a trailing carriage return which upsets mingw
+ ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+ *)
+ ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+ esac
+ case $ac_prog in
+ # Accept absolute paths.
+ [[\\/]]* | ?:[[\\/]]*)
+ re_direlt='/[[^/]][[^/]]*/\.\./'
+ # Canonicalize the pathname of ld
+ ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
+ while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+ ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
+ done
+ test -z "$LD" && LD="$ac_prog"
+ ;;
+ "")
+ # If it fails, then pretend we aren't using GCC.
+ ac_prog=ld
+ ;;
+ *)
+ # If it is relative, then search for the first ld in PATH.
+ with_gnu_ld=unknown
+ ;;
+ esac
+elif test "$with_gnu_ld" = yes; then
+ AC_MSG_CHECKING([for GNU ld])
+else
+ AC_MSG_CHECKING([for non-GNU ld])
+fi
+AC_CACHE_VAL(lt_cv_path_LD,
+[if test -z "$LD"; then
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for ac_dir in $PATH; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+ lt_cv_path_LD="$ac_dir/$ac_prog"
+ # Check to see if the program is GNU ld. I'd rather use --version,
+ # but apparently some variants of GNU ld only accept -v.
+ # Break only if it was the GNU/non-GNU ld that we prefer.
+ case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+ *GNU* | *'with BFD'*)
+ test "$with_gnu_ld" != no && break
+ ;;
+ *)
+ test "$with_gnu_ld" != yes && break
+ ;;
+ esac
+ fi
+ done
+ IFS="$lt_save_ifs"
+else
+ lt_cv_path_LD="$LD" # Let the user override the test with a path.
+fi])
+LD="$lt_cv_path_LD"
+if test -n "$LD"; then
+ AC_MSG_RESULT($LD)
+else
+ AC_MSG_RESULT(no)
+fi
+test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
+AC_PROG_LD_GNU
+])# AC_PROG_LD
+
+
+# AC_PROG_LD_GNU
+# --------------
+AC_DEFUN([AC_PROG_LD_GNU],
+[AC_REQUIRE([AC_PROG_EGREP])dnl
+AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
+[# I'd rather use --version here, but apparently some GNU lds only accept -v.
+case `$LD -v 2>&1 </dev/null` in
+*GNU* | *'with BFD'*)
+ lt_cv_prog_gnu_ld=yes
+ ;;
+*)
+ lt_cv_prog_gnu_ld=no
+ ;;
+esac])
+with_gnu_ld=$lt_cv_prog_gnu_ld
+])# AC_PROG_LD_GNU
+
+
+# AC_PROG_LD_RELOAD_FLAG
+# ----------------------
+# find reload flag for linker
+# -- PORTME Some linkers may need a different reload flag.
+AC_DEFUN([AC_PROG_LD_RELOAD_FLAG],
+[AC_CACHE_CHECK([for $LD option to reload object files],
+ lt_cv_ld_reload_flag,
+ [lt_cv_ld_reload_flag='-r'])
+reload_flag=$lt_cv_ld_reload_flag
+case $reload_flag in
+"" | " "*) ;;
+*) reload_flag=" $reload_flag" ;;
+esac
+reload_cmds='$LD$reload_flag -o $output$reload_objs'
+case $host_os in
+ darwin*)
+ if test "$GCC" = yes; then
+ reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
+ else
+ reload_cmds='$LD$reload_flag -o $output$reload_objs'
+ fi
+ ;;
+esac
+])# AC_PROG_LD_RELOAD_FLAG
+
+
+# AC_DEPLIBS_CHECK_METHOD
+# -----------------------
+# how to check for library dependencies
+# -- PORTME fill in with the dynamic library characteristics
+AC_DEFUN([AC_DEPLIBS_CHECK_METHOD],
+[AC_CACHE_CHECK([how to recognise dependent libraries],
+lt_cv_deplibs_check_method,
+[lt_cv_file_magic_cmd='$MAGIC_CMD'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# `unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [[regex]]' -- check by looking for files in library path
+# which responds to the $file_magic_cmd with a given extended regex.
+# If you have `file' or equivalent on your system and you're not sure
+# whether `pass_all' will *always* work, you probably want this one.
+
+case $host_os in
+aix4* | aix5*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+beos*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+bsdi[[45]]*)
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)'
+ lt_cv_file_magic_cmd='/usr/bin/file -L'
+ lt_cv_file_magic_test_file=/shlib/libc.so
+ ;;
+
+cygwin*)
+ # func_win32_libid is a shell function defined in ltmain.sh
+ lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+ lt_cv_file_magic_cmd='func_win32_libid'
+ ;;
+
+mingw* | pw32*)
+ # Base MSYS/MinGW do not provide the 'file' command needed by
+ # func_win32_libid shell function, so use a weaker test based on 'objdump'.
+ lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+ lt_cv_file_magic_cmd='$OBJDUMP -f'
+ ;;
+
+darwin* | rhapsody*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+freebsd* | kfreebsd*-gnu | dragonfly*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+ case $host_cpu in
+ i*86 )
+ # Not sure whether the presence of OpenBSD here was a mistake.
+ # Let's accept both of them until this is cleared up.
+ lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library'
+ lt_cv_file_magic_cmd=/usr/bin/file
+ lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+ ;;
+ esac
+ else
+ lt_cv_deplibs_check_method=pass_all
+ fi
+ ;;
+
+gnu*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+hpux10.20* | hpux11*)
+ lt_cv_file_magic_cmd=/usr/bin/file
+ case $host_cpu in
+ ia64*)
+ lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64'
+ lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
+ ;;
+ hppa*64*)
+ [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]']
+ lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
+ ;;
+ *)
+ lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library'
+ lt_cv_file_magic_test_file=/usr/lib/libc.sl
+ ;;
+ esac
+ ;;
+
+interix3*)
+ # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
+ lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$'
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $LD in
+ *-32|*"-32 ") libmagic=32-bit;;
+ *-n32|*"-n32 ") libmagic=N32;;
+ *-64|*"-64 ") libmagic=64-bit;;
+ *) libmagic=never-match;;
+ esac
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+ lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
+ else
+ lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$'
+ fi
+ ;;
+
+newos6*)
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)'
+ lt_cv_file_magic_cmd=/usr/bin/file
+ lt_cv_file_magic_test_file=/usr/lib/libnls.so
+ ;;
+
+nto-qnx*)
+ lt_cv_deplibs_check_method=unknown
+ ;;
+
+openbsd*)
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$'
+ else
+ lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
+ fi
+ ;;
+
+osf3* | osf4* | osf5*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+solaris*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+sysv4 | sysv4.3*)
+ case $host_vendor in
+ motorola)
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]'
+ lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+ ;;
+ ncr)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+ sequent)
+ lt_cv_file_magic_cmd='/bin/file'
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )'
+ ;;
+ sni)
+ lt_cv_file_magic_cmd='/bin/file'
+ lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib"
+ lt_cv_file_magic_test_file=/lib/libc.so
+ ;;
+ siemens)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+ pc)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+ esac
+ ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+esac
+])
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+test -z "$deplibs_check_method" && deplibs_check_method=unknown
+])# AC_DEPLIBS_CHECK_METHOD
+
+
+# AC_PROG_NM
+# ----------
+# find the pathname to a BSD-compatible name lister
+AC_DEFUN([AC_PROG_NM],
+[AC_CACHE_CHECK([for BSD-compatible nm], lt_cv_path_NM,
+[if test -n "$NM"; then
+ # Let the user override the test.
+ lt_cv_path_NM="$NM"
+else
+ lt_nm_to_check="${ac_tool_prefix}nm"
+ if test -n "$ac_tool_prefix" && test "$build" = "$host"; then
+ lt_nm_to_check="$lt_nm_to_check nm"
+ fi
+ for lt_tmp_nm in $lt_nm_to_check; do
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ tmp_nm="$ac_dir/$lt_tmp_nm"
+ if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
+ # Check to see if the nm accepts a BSD-compat flag.
+ # Adding the `sed 1q' prevents false positives on HP-UX, which says:
+ # nm: unknown option "B" ignored
+ # Tru64's nm complains that /dev/null is an invalid object file
+ case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
+ */dev/null* | *'Invalid file or object type'*)
+ lt_cv_path_NM="$tmp_nm -B"
+ break
+ ;;
+ *)
+ case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
+ */dev/null*)
+ lt_cv_path_NM="$tmp_nm -p"
+ break
+ ;;
+ *)
+ lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
+ continue # so that we can try to find one that supports BSD flags
+ ;;
+ esac
+ ;;
+ esac
+ fi
+ done
+ IFS="$lt_save_ifs"
+ done
+ test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
+fi])
+NM="$lt_cv_path_NM"
+])# AC_PROG_NM
+
+
+# AC_CHECK_LIBM
+# -------------
+# check for math library
+AC_DEFUN([AC_CHECK_LIBM],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+LIBM=
+case $host in
+*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*)
+ # These system don't have libm, or don't need it
+ ;;
+*-ncr-sysv4.3*)
+ AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw")
+ AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm")
+ ;;
+*)
+ AC_CHECK_LIB(m, cos, LIBM="-lm")
+ ;;
+esac
+])# AC_CHECK_LIBM
+
+
+# AC_LIBLTDL_CONVENIENCE([DIRECTORY])
+# -----------------------------------
+# sets LIBLTDL to the link flags for the libltdl convenience library and
+# LTDLINCL to the include flags for the libltdl header and adds
+# --enable-ltdl-convenience to the configure arguments. Note that
+# AC_CONFIG_SUBDIRS is not called here. If DIRECTORY is not provided,
+# it is assumed to be `libltdl'. LIBLTDL will be prefixed with
+# '${top_builddir}/' and LTDLINCL will be prefixed with '${top_srcdir}/'
+# (note the single quotes!). If your package is not flat and you're not
+# using automake, define top_builddir and top_srcdir appropriately in
+# the Makefiles.
+AC_DEFUN([AC_LIBLTDL_CONVENIENCE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+ case $enable_ltdl_convenience in
+ no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;;
+ "") enable_ltdl_convenience=yes
+ ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;;
+ esac
+ LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdlc.la
+ LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
+ # For backwards non-gettext consistent compatibility...
+ INCLTDL="$LTDLINCL"
+])# AC_LIBLTDL_CONVENIENCE
+
+
+# AC_LIBLTDL_INSTALLABLE([DIRECTORY])
+# -----------------------------------
+# sets LIBLTDL to the link flags for the libltdl installable library and
+# LTDLINCL to the include flags for the libltdl header and adds
+# --enable-ltdl-install to the configure arguments. Note that
+# AC_CONFIG_SUBDIRS is not called here. If DIRECTORY is not provided,
+# and an installed libltdl is not found, it is assumed to be `libltdl'.
+# LIBLTDL will be prefixed with '${top_builddir}/'# and LTDLINCL with
+# '${top_srcdir}/' (note the single quotes!). If your package is not
+# flat and you're not using automake, define top_builddir and top_srcdir
+# appropriately in the Makefiles.
+# In the future, this macro may have to be called after AC_PROG_LIBTOOL.
+AC_DEFUN([AC_LIBLTDL_INSTALLABLE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+ AC_CHECK_LIB(ltdl, lt_dlinit,
+ [test x"$enable_ltdl_install" != xyes && enable_ltdl_install=no],
+ [if test x"$enable_ltdl_install" = xno; then
+ AC_MSG_WARN([libltdl not installed, but installation disabled])
+ else
+ enable_ltdl_install=yes
+ fi
+ ])
+ if test x"$enable_ltdl_install" = x"yes"; then
+ ac_configure_args="$ac_configure_args --enable-ltdl-install"
+ LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdl.la
+ LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
+ else
+ ac_configure_args="$ac_configure_args --enable-ltdl-install=no"
+ LIBLTDL="-lltdl"
+ LTDLINCL=
+ fi
+ # For backwards non-gettext consistent compatibility...
+ INCLTDL="$LTDLINCL"
+])# AC_LIBLTDL_INSTALLABLE
+
+
+# AC_LIBTOOL_CXX
+# --------------
+# enable support for C++ libraries
+AC_DEFUN([AC_LIBTOOL_CXX],
+[AC_REQUIRE([_LT_AC_LANG_CXX])
+])# AC_LIBTOOL_CXX
+
+
+# _LT_AC_LANG_CXX
+# ---------------
+AC_DEFUN([_LT_AC_LANG_CXX],
+[AC_REQUIRE([AC_PROG_CXX])
+AC_REQUIRE([_LT_AC_PROG_CXXCPP])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}CXX])
+])# _LT_AC_LANG_CXX
+
+# _LT_AC_PROG_CXXCPP
+# ------------------
+AC_DEFUN([_LT_AC_PROG_CXXCPP],
+[
+AC_REQUIRE([AC_PROG_CXX])
+if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+ ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+ (test "X$CXX" != "Xg++"))) ; then
+ AC_PROG_CXXCPP
+fi
+])# _LT_AC_PROG_CXXCPP
+
+# AC_LIBTOOL_F77
+# --------------
+# enable support for Fortran 77 libraries
+AC_DEFUN([AC_LIBTOOL_F77],
+[AC_REQUIRE([_LT_AC_LANG_F77])
+])# AC_LIBTOOL_F77
+
+
+# _LT_AC_LANG_F77
+# ---------------
+AC_DEFUN([_LT_AC_LANG_F77],
+[AC_REQUIRE([AC_PROG_F77])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}F77])
+])# _LT_AC_LANG_F77
+
+
+# AC_LIBTOOL_GCJ
+# --------------
+# enable support for GCJ libraries
+AC_DEFUN([AC_LIBTOOL_GCJ],
+[AC_REQUIRE([_LT_AC_LANG_GCJ])
+])# AC_LIBTOOL_GCJ
+
+
+# _LT_AC_LANG_GCJ
+# ---------------
+AC_DEFUN([_LT_AC_LANG_GCJ],
+[AC_PROVIDE_IFELSE([AC_PROG_GCJ],[],
+ [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],[],
+ [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],[],
+ [ifdef([AC_PROG_GCJ],[AC_REQUIRE([AC_PROG_GCJ])],
+ [ifdef([A][M_PROG_GCJ],[AC_REQUIRE([A][M_PROG_GCJ])],
+ [AC_REQUIRE([A][C_PROG_GCJ_OR_A][M_PROG_GCJ])])])])])])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}GCJ])
+])# _LT_AC_LANG_GCJ
+
+
+# AC_LIBTOOL_RC
+# -------------
+# enable support for Windows resource files
+AC_DEFUN([AC_LIBTOOL_RC],
+[AC_REQUIRE([LT_AC_PROG_RC])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}RC])
+])# AC_LIBTOOL_RC
+
+
+# AC_LIBTOOL_LANG_C_CONFIG
+# ------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG], [_LT_AC_LANG_C_CONFIG])
+AC_DEFUN([_LT_AC_LANG_C_CONFIG],
+[lt_save_CC="$CC"
+AC_LANG_PUSH(C)
+
+# Source file extension for C test sources.
+ac_ext=c
+
+# Object file extension for compiled C test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(){return(0);}\n'
+
+_LT_AC_SYS_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+AC_LIBTOOL_SYS_LIB_STRIP
+AC_LIBTOOL_DLOPEN_SELF
+
+# Report which library types will actually be built
+AC_MSG_CHECKING([if libtool supports shared libraries])
+AC_MSG_RESULT([$can_build_shared])
+
+AC_MSG_CHECKING([whether to build shared libraries])
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case $host_os in
+aix3*)
+ test "$enable_shared" = yes && enable_static=no
+ if test -n "$RANLIB"; then
+ archive_cmds="$archive_cmds~\$RANLIB \$lib"
+ postinstall_cmds='$RANLIB $lib'
+ fi
+ ;;
+
+aix4* | aix5*)
+ if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+ test "$enable_shared" = yes && enable_static=no
+ fi
+ ;;
+esac
+AC_MSG_RESULT([$enable_shared])
+
+AC_MSG_CHECKING([whether to build static libraries])
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+AC_MSG_RESULT([$enable_static])
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_C_CONFIG
+
+
+# AC_LIBTOOL_LANG_CXX_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG], [_LT_AC_LANG_CXX_CONFIG(CXX)])
+AC_DEFUN([_LT_AC_LANG_CXX_CONFIG],
+[AC_LANG_PUSH(C++)
+AC_REQUIRE([AC_PROG_CXX])
+AC_REQUIRE([_LT_AC_PROG_CXXCPP])
+
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_AC_TAGVAR(allow_undefined_flag, $1)=
+_LT_AC_TAGVAR(always_export_symbols, $1)=no
+_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_direct, $1)=no
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+_LT_AC_TAGVAR(hardcode_automatic, $1)=no
+_LT_AC_TAGVAR(module_cmds, $1)=
+_LT_AC_TAGVAR(module_expsym_cmds, $1)=
+_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_AC_TAGVAR(no_undefined_flag, $1)=
+_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Dependencies to place before and after the object being linked:
+_LT_AC_TAGVAR(predep_objects, $1)=
+_LT_AC_TAGVAR(postdep_objects, $1)=
+_LT_AC_TAGVAR(predeps, $1)=
+_LT_AC_TAGVAR(postdeps, $1)=
+_LT_AC_TAGVAR(compiler_lib_search_path, $1)=
+
+# Source file extension for C++ test sources.
+ac_ext=cpp
+
+# Object file extension for compiled C++ test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }\n'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_LD=$LD
+lt_save_GCC=$GCC
+GCC=$GXX
+lt_save_with_gnu_ld=$with_gnu_ld
+lt_save_path_LD=$lt_cv_path_LD
+if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
+ lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
+else
+ $as_unset lt_cv_prog_gnu_ld
+fi
+if test -n "${lt_cv_path_LDCXX+set}"; then
+ lt_cv_path_LD=$lt_cv_path_LDCXX
+else
+ $as_unset lt_cv_path_LD
+fi
+test -z "${LDCXX+set}" || LD=$LDCXX
+CC=${CXX-"c++"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
+
+# We don't want -fno-exception wen compiling C++ code, so set the
+# no_builtin_flag separately
+if test "$GXX" = yes; then
+ _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+else
+ _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+fi
+
+if test "$GXX" = yes; then
+ # Set up default GNU C++ configuration
+
+ AC_PROG_LD
+
+ # Check if GNU C++ uses GNU ld as the underlying linker, since the
+ # archiving commands below assume that GNU ld is being used.
+ if test "$with_gnu_ld" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+
+ # If archive_cmds runs LD, not CC, wlarc should be empty
+ # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
+ # investigate it a little bit more. (MM)
+ wlarc='${wl}'
+
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if eval "`$CC -print-prog-name=ld` --help 2>&1" | \
+ grep 'no-whole-archive' > /dev/null; then
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ else
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+ fi
+ else
+ with_gnu_ld=no
+ wlarc=
+
+ # A generic and very simple default shared library creation
+ # command for GNU C++ for the case where it uses the native
+ # linker, instead of GNU ld. If possible, this setting should
+ # overridden to take advantage of the native linker features on
+ # the platform it is being used on.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+ fi
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+else
+ GXX=no
+ with_gnu_ld=no
+ wlarc=
+fi
+
+# PORTME: fill in a description of your system's C++ link characteristics
+AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+_LT_AC_TAGVAR(ld_shlibs, $1)=yes
+case $host_os in
+ aix3*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # On IA64, the linker does run time linking by default, so we don't
+ # have to do anything special.
+ aix_use_runtimelinking=no
+ exp_sym_flag='-Bexport'
+ no_entry_flag=""
+ else
+ aix_use_runtimelinking=no
+
+ # Test if we are trying to use run time linking or normal
+ # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+ # need to do runtime linking.
+ case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*)
+ for ld_flag in $LDFLAGS; do
+ case $ld_flag in
+ *-brtl*)
+ aix_use_runtimelinking=yes
+ break
+ ;;
+ esac
+ done
+ ;;
+ esac
+
+ exp_sym_flag='-bexport'
+ no_entry_flag='-bnoentry'
+ fi
+
+ # When large executables or shared objects are built, AIX ld can
+ # have problems creating the table of contents. If linking a library
+ # or program results in "error TOC overflow" add -mminimal-toc to
+ # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
+ # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+ _LT_AC_TAGVAR(archive_cmds, $1)=''
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+ if test "$GXX" = yes; then
+ case $host_os in aix4.[[012]]|aix4.[[012]].*)
+ # We only want to do this on AIX 4.2 and lower, the check
+ # below for broken collect2 doesn't work under 4.3+
+ collect2name=`${CC} -print-prog-name=collect2`
+ if test -f "$collect2name" && \
+ strings "$collect2name" | grep resolve_lib_name >/dev/null
+ then
+ # We have reworked collect2
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ else
+ # We have old collect2
+ _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+ # It fails to find uninstalled libraries when the uninstalled
+ # path is not listed in the libpath. Setting hardcode_minus_L
+ # to unsupported forces relinking
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+ fi
+ ;;
+ esac
+ shared_flag='-shared'
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag="$shared_flag "'${wl}-G'
+ fi
+ else
+ # not using gcc
+ if test "$host_cpu" = ia64; then
+ # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+ # chokes on -Wl,-G. The following line is correct:
+ shared_flag='-G'
+ else
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag='${wl}-G'
+ else
+ shared_flag='${wl}-bM:SRE'
+ fi
+ fi
+ fi
+
+ # It seems that -bexpall does not export symbols beginning with
+ # underscore (_), so it is better to generate a list of symbols to export.
+ _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+ if test "$aix_use_runtimelinking" = yes; then
+ # Warning - without using the other runtime loading flags (-brtl),
+ # -berok will link without error, but may produce a broken library.
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
+ # Determine the default libpath from the value encoded in an empty executable.
+ _LT_AC_SYS_LIBPATH_AIX
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ else
+ if test "$host_cpu" = ia64; then
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+ else
+ # Determine the default libpath from the value encoded in an empty executable.
+ _LT_AC_SYS_LIBPATH_AIX
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+ # Warning - without using the other run time loading flags,
+ # -berok will link without error, but may produce a broken library.
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
+ # Exported symbols can be pulled into shared objects from archives
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+ # This is similar to how AIX traditionally builds its shared libraries.
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+ fi
+ fi
+ ;;
+
+ beos*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+ # support --undefined. This deserves some investigation. FIXME
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ chorus*)
+ case $cc_basename in
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+ # as there is no search path for DLLs.
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_AC_TAGVAR(always_export_symbols, $1)=no
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+
+ if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ darwin* | rhapsody*)
+ case $host_os in
+ rhapsody* | darwin1.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+ ;;
+ 10.*)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+ if test "$GXX" = yes ; then
+ lt_int_apple_cc_single_mod=no
+ output_verbose_link_cmd='echo'
+ if $CC -dumpspecs 2>&1 | $EGREP 'single_module' >/dev/null ; then
+ lt_int_apple_cc_single_mod=yes
+ fi
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ fi
+ _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ fi
+ _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ case $cc_basename in
+ xlc*)
+ output_verbose_link_cmd='echo'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
+ _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ ;;
+ *)
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ fi
+ ;;
+
+ dgux*)
+ case $cc_basename in
+ ec++*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ ghcx*)
+ # Green Hills C++ Compiler
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+ freebsd[[12]]*)
+ # C++ shared libraries reported to be fairly broken before switch to ELF
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ freebsd-elf*)
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ ;;
+ freebsd* | kfreebsd*-gnu | dragonfly*)
+ # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
+ # conventions
+ _LT_AC_TAGVAR(ld_shlibs, $1)=yes
+ ;;
+ gnu*)
+ ;;
+ hpux9*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+ # but as the default
+ # location of the library.
+
+ case $cc_basename in
+ CC*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ aCC*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[[-]]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ else
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+ ;;
+ hpux10*|hpux11*)
+ if test $with_gnu_ld = no; then
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ case $host_cpu in
+ hppa*64*|ia64*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
+ ;;
+ *)
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ ;;
+ esac
+ fi
+ case $host_cpu in
+ hppa*64*|ia64*)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+ *)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+ # but as the default
+ # location of the library.
+ ;;
+ esac
+
+ case $cc_basename in
+ CC*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ aCC*)
+ case $host_cpu in
+ hppa*64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ ia64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ esac
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ if test $with_gnu_ld = no; then
+ case $host_cpu in
+ hppa*64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ ia64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ esac
+ fi
+ else
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+ ;;
+ interix3*)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+ # Instead, shared libraries are loaded at an image base (0x10000000 by
+ # default) and relocated if they conflict, which is a slow very memory
+ # consuming and fragmenting process. To avoid this, we pick a random,
+ # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+ # time. Moving up from 0x10000000 also allows more sbrk(2) space.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+ ;;
+ irix5* | irix6*)
+ case $cc_basename in
+ CC*)
+ # SGI C++
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+
+ # Archives containing C++ object files must be created using
+ # "CC -ar", where "CC" is the IRIX C++ compiler. This is
+ # necessary to make sure instantiated templates are included
+ # in the archive.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ if test "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
+ fi
+ fi
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ ;;
+ esac
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ ;;
+ linux*)
+ case $cc_basename in
+ KCC*)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath,$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+
+ # Archives containing C++ object files must be created using
+ # "CC -Bstatic", where "CC" is the KAI C++ compiler.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
+ ;;
+ icpc*)
+ # Intel C++
+ with_gnu_ld=yes
+ # version 8.0 and above of icpc choke on multiply defined symbols
+ # if we add $predep_objects and $postdep_objects, however 7.1 and
+ # earlier do not add the objects themselves.
+ case `$CC -V 2>&1` in
+ *"Version 7."*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ ;;
+ *) # Version 8.0 or newer
+ tmp_idyn=
+ case $host_cpu in
+ ia64*) tmp_idyn=' -i_dynamic';;
+ esac
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ ;;
+ esac
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+ ;;
+ pgCC*)
+ # Portland Group C++ compiler
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+ ;;
+ cxx*)
+ # Compaq C++
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
+
+ runpath_var=LD_RUN_PATH
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ esac
+ ;;
+ lynxos*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ m88k*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ mvs*)
+ case $cc_basename in
+ cxx*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
+ wlarc=
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ fi
+ # Workaround some broken pre-1.5 toolchains
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
+ ;;
+ openbsd2*)
+ # C++ shared libraries are fairly broken
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ openbsd*)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ fi
+ output_verbose_link_cmd='echo'
+ ;;
+ osf3*)
+ case $cc_basename in
+ KCC*)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Archives containing C++ object files must be created using
+ # "CC -Bstatic", where "CC" is the KAI C++ compiler.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
+
+ ;;
+ RCC*)
+ # Rational C++ 2.4.1
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ cxx*)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+ else
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+ ;;
+ osf4* | osf5*)
+ case $cc_basename in
+ KCC*)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Archives containing C++ object files must be created using
+ # the KAI C++ compiler.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs'
+ ;;
+ RCC*)
+ # Rational C++ 2.4.1
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ cxx*)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
+ echo "-hidden">> $lib.exp~
+ $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~
+ $rm $lib.exp'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+ else
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+ ;;
+ psos*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ sunos4*)
+ case $cc_basename in
+ CC*)
+ # Sun C++ 4.x
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ lcc*)
+ # Lucid
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+ solaris*)
+ case $cc_basename in
+ CC*)
+ # Sun C++ 4.2, 5.x and Centerline C++
+ _LT_AC_TAGVAR(archive_cmds_need_lc,$1)=yes
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -G${allow_undefined_flag} ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ case $host_os in
+ solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+ *)
+ # The C++ compiler is used as linker so we must use $wl
+ # flag to pass the commands to the underlying system
+ # linker. We must also pass each convience library through
+ # to the system linker between allextract/defaultextract.
+ # The C++ compiler will combine linker options so we
+ # cannot just pass the convience library names through
+ # without $wl.
+ # Supported since Solaris 2.6 (maybe 2.5.1?)
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract'
+ ;;
+ esac
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+ output_verbose_link_cmd='echo'
+
+ # Archives containing C++ object files must be created using
+ # "CC -xar", where "CC" is the Sun C++ compiler. This is
+ # necessary to make sure instantiated templates are included
+ # in the archive.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
+ ;;
+ gcx*)
+ # Green Hills C++ Compiler
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+
+ # The C++ compiler must be used to create the archive.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
+ ;;
+ *)
+ # GNU C++ compiler with Solaris linker
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
+ if $CC --version | grep -v '^2\.7' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+ else
+ # g++ 2.7 appears to require `-G' NOT `-shared' on this
+ # platform.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+ fi
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
+ fi
+ ;;
+ esac
+ ;;
+ sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
+ _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ runpath_var='LD_RUN_PATH'
+
+ case $cc_basename in
+ CC*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ ;;
+ sysv5* | sco3.2v5* | sco5v6*)
+ # Note: We can NOT use -z defs as we might desire, because we do not
+ # link with -lc, and that would cause any symbols used from libc to
+ # always be unresolved, which means just about no library would
+ # ever link correctly. If we're not using GNU ld we use -z text
+ # though, which does catch some bad symbols but isn't as heavy-handed
+ # as -z defs.
+ # For security reasons, it is highly recommended that you always
+ # use absolute paths for naming shared libraries, and exclude the
+ # DT_RUNPATH tag from executables and libraries. But doing so
+ # requires that you compile everything twice, which is a pain.
+ # So that behaviour is only enabled if SCOABSPATH is set to a
+ # non-empty value in the environment. Most likely only useful for
+ # creating official distributions of packages.
+ # This is a hack until libtool officially supports absolute path
+ # names for shared libraries.
+ _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
+ runpath_var='LD_RUN_PATH'
+
+ case $cc_basename in
+ CC*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ ;;
+ tandem*)
+ case $cc_basename in
+ NCC*)
+ # NonStop-UX NCC 3.20
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+ vxworks*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+esac
+AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
+test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+_LT_AC_TAGVAR(GCC, $1)="$GXX"
+_LT_AC_TAGVAR(LD, $1)="$LD"
+
+AC_LIBTOOL_POSTDEP_PREDEP($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC=$lt_save_CC
+LDCXX=$LD
+LD=$lt_save_LD
+GCC=$lt_save_GCC
+with_gnu_ldcxx=$with_gnu_ld
+with_gnu_ld=$lt_save_with_gnu_ld
+lt_cv_path_LDCXX=$lt_cv_path_LD
+lt_cv_path_LD=$lt_save_path_LD
+lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
+lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
+])# AC_LIBTOOL_LANG_CXX_CONFIG
+
+# AC_LIBTOOL_POSTDEP_PREDEP([TAGNAME])
+# ------------------------------------
+# Figure out "hidden" library dependencies from verbose
+# compiler output when linking a shared library.
+# Parse the compiler output and extract the necessary
+# objects, libraries and library flags.
+AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP],[
+dnl we can't use the lt_simple_compile_test_code here,
+dnl because it contains code intended for an executable,
+dnl not a library. It's possible we should let each
+dnl tag define a new lt_????_link_test_code variable,
+dnl but it's only used here...
+ifelse([$1],[],[cat > conftest.$ac_ext <<EOF
+int a;
+void foo (void) { a = 0; }
+EOF
+],[$1],[CXX],[cat > conftest.$ac_ext <<EOF
+class Foo
+{
+public:
+ Foo (void) { a = 0; }
+private:
+ int a;
+};
+EOF
+],[$1],[F77],[cat > conftest.$ac_ext <<EOF
+ subroutine foo
+ implicit none
+ integer*4 a
+ a=0
+ return
+ end
+EOF
+],[$1],[GCJ],[cat > conftest.$ac_ext <<EOF
+public class foo {
+ private int a;
+ public void bar (void) {
+ a = 0;
+ }
+};
+EOF
+])
+dnl Parse the compiler output and extract the necessary
+dnl objects, libraries and library flags.
+if AC_TRY_EVAL(ac_compile); then
+ # Parse the compiler output and extract the necessary
+ # objects, libraries and library flags.
+
+ # Sentinel used to keep track of whether or not we are before
+ # the conftest object file.
+ pre_test_object_deps_done=no
+
+ # The `*' in the case matches for architectures that use `case' in
+ # $output_verbose_cmd can trigger glob expansion during the loop
+ # eval without this substitution.
+ output_verbose_link_cmd=`$echo "X$output_verbose_link_cmd" | $Xsed -e "$no_glob_subst"`
+
+ for p in `eval $output_verbose_link_cmd`; do
+ case $p in
+
+ -L* | -R* | -l*)
+ # Some compilers place space between "-{L,R}" and the path.
+ # Remove the space.
+ if test $p = "-L" \
+ || test $p = "-R"; then
+ prev=$p
+ continue
+ else
+ prev=
+ fi
+
+ if test "$pre_test_object_deps_done" = no; then
+ case $p in
+ -L* | -R*)
+ # Internal compiler library paths should come after those
+ # provided the user. The postdeps already come after the
+ # user supplied libs so there is no need to process them.
+ if test -z "$_LT_AC_TAGVAR(compiler_lib_search_path, $1)"; then
+ _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}"
+ else
+ _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${_LT_AC_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}"
+ fi
+ ;;
+ # The "-l" case would never come before the object being
+ # linked, so don't bother handling this case.
+ esac
+ else
+ if test -z "$_LT_AC_TAGVAR(postdeps, $1)"; then
+ _LT_AC_TAGVAR(postdeps, $1)="${prev}${p}"
+ else
+ _LT_AC_TAGVAR(postdeps, $1)="${_LT_AC_TAGVAR(postdeps, $1)} ${prev}${p}"
+ fi
+ fi
+ ;;
+
+ *.$objext)
+ # This assumes that the test object file only shows up
+ # once in the compiler output.
+ if test "$p" = "conftest.$objext"; then
+ pre_test_object_deps_done=yes
+ continue
+ fi
+
+ if test "$pre_test_object_deps_done" = no; then
+ if test -z "$_LT_AC_TAGVAR(predep_objects, $1)"; then
+ _LT_AC_TAGVAR(predep_objects, $1)="$p"
+ else
+ _LT_AC_TAGVAR(predep_objects, $1)="$_LT_AC_TAGVAR(predep_objects, $1) $p"
+ fi
+ else
+ if test -z "$_LT_AC_TAGVAR(postdep_objects, $1)"; then
+ _LT_AC_TAGVAR(postdep_objects, $1)="$p"
+ else
+ _LT_AC_TAGVAR(postdep_objects, $1)="$_LT_AC_TAGVAR(postdep_objects, $1) $p"
+ fi
+ fi
+ ;;
+
+ *) ;; # Ignore the rest.
+
+ esac
+ done
+
+ # Clean up.
+ rm -f a.out a.exe
+else
+ echo "libtool.m4: error: problem compiling $1 test program"
+fi
+
+$rm -f confest.$objext
+
+# PORTME: override above test on systems where it is broken
+ifelse([$1],[CXX],
+[case $host_os in
+interix3*)
+ # Interix 3.5 installs completely hosed .la files for C++, so rather than
+ # hack all around it, let's just trust "g++" to DTRT.
+ _LT_AC_TAGVAR(predep_objects,$1)=
+ _LT_AC_TAGVAR(postdep_objects,$1)=
+ _LT_AC_TAGVAR(postdeps,$1)=
+ ;;
+
+solaris*)
+ case $cc_basename in
+ CC*)
+ # Adding this requires a known-good setup of shared libraries for
+ # Sun compiler versions before 5.6, else PIC objects from an old
+ # archive will be linked into the output, leading to subtle bugs.
+ _LT_AC_TAGVAR(postdeps,$1)='-lCstd -lCrun'
+ ;;
+ esac
+ ;;
+esac
+])
+
+case " $_LT_AC_TAGVAR(postdeps, $1) " in
+*" -lc "*) _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no ;;
+esac
+])# AC_LIBTOOL_POSTDEP_PREDEP
+
+# AC_LIBTOOL_LANG_F77_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG], [_LT_AC_LANG_F77_CONFIG(F77)])
+AC_DEFUN([_LT_AC_LANG_F77_CONFIG],
+[AC_REQUIRE([AC_PROG_F77])
+AC_LANG_PUSH(Fortran 77)
+
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_AC_TAGVAR(allow_undefined_flag, $1)=
+_LT_AC_TAGVAR(always_export_symbols, $1)=no
+_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_direct, $1)=no
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+_LT_AC_TAGVAR(hardcode_automatic, $1)=no
+_LT_AC_TAGVAR(module_cmds, $1)=
+_LT_AC_TAGVAR(module_expsym_cmds, $1)=
+_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_AC_TAGVAR(no_undefined_flag, $1)=
+_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Source file extension for f77 test sources.
+ac_ext=f
+
+# Object file extension for compiled f77 test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code=" subroutine t\n return\n end\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code=" program t\n end\n"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${F77-"f77"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
+
+AC_MSG_CHECKING([if libtool supports shared libraries])
+AC_MSG_RESULT([$can_build_shared])
+
+AC_MSG_CHECKING([whether to build shared libraries])
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case $host_os in
+aix3*)
+ test "$enable_shared" = yes && enable_static=no
+ if test -n "$RANLIB"; then
+ archive_cmds="$archive_cmds~\$RANLIB \$lib"
+ postinstall_cmds='$RANLIB $lib'
+ fi
+ ;;
+aix4* | aix5*)
+ if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+ test "$enable_shared" = yes && enable_static=no
+ fi
+ ;;
+esac
+AC_MSG_RESULT([$enable_shared])
+
+AC_MSG_CHECKING([whether to build static libraries])
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+AC_MSG_RESULT([$enable_static])
+
+_LT_AC_TAGVAR(GCC, $1)="$G77"
+_LT_AC_TAGVAR(LD, $1)="$LD"
+
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_F77_CONFIG
+
+
+# AC_LIBTOOL_LANG_GCJ_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG], [_LT_AC_LANG_GCJ_CONFIG(GCJ)])
+AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG],
+[AC_LANG_SAVE
+
+# Source file extension for Java test sources.
+ac_ext=java
+
+# Object file extension for compiled Java test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="class foo {}\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }\n'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${GCJ-"gcj"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
+
+# GCJ did not exist at the time GCC didn't implicitly link libc in.
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+
+_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+
+AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_RESTORE
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_GCJ_CONFIG
+
+
+# AC_LIBTOOL_LANG_RC_CONFIG
+# -------------------------
+# Ensure that the configuration vars for the Windows resource compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG], [_LT_AC_LANG_RC_CONFIG(RC)])
+AC_DEFUN([_LT_AC_LANG_RC_CONFIG],
+[AC_LANG_SAVE
+
+# Source file extension for RC test sources.
+ac_ext=rc
+
+# Object file extension for compiled RC test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n'
+
+# Code to be used in simple link tests
+lt_simple_link_test_code="$lt_simple_compile_test_code"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${RC-"windres"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
+_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_RESTORE
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_RC_CONFIG
+
+
+# AC_LIBTOOL_CONFIG([TAGNAME])
+# ----------------------------
+# If TAGNAME is not passed, then create an initial libtool script
+# with a default configuration from the untagged config vars. Otherwise
+# add code to config.status for appending the configuration named by
+# TAGNAME from the matching tagged config vars.
+AC_DEFUN([AC_LIBTOOL_CONFIG],
+[# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+ # See if we are running on zsh, and set the options which allow our commands through
+ # without removal of \ escapes.
+ if test -n "${ZSH_VERSION+set}" ; then
+ setopt NO_GLOB_SUBST
+ fi
+ # Now quote all the things that may contain metacharacters while being
+ # careful not to overquote the AC_SUBSTed values. We take copies of the
+ # variables and quote the copies for generation of the libtool script.
+ for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
+ SED SHELL STRIP \
+ libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+ old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+ deplibs_check_method reload_flag reload_cmds need_locks \
+ lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+ lt_cv_sys_global_symbol_to_c_name_address \
+ sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+ old_postinstall_cmds old_postuninstall_cmds \
+ _LT_AC_TAGVAR(compiler, $1) \
+ _LT_AC_TAGVAR(CC, $1) \
+ _LT_AC_TAGVAR(LD, $1) \
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1) \
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1) \
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1) \
+ _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) \
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1) \
+ _LT_AC_TAGVAR(thread_safe_flag_spec, $1) \
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1) \
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1) \
+ _LT_AC_TAGVAR(old_archive_cmds, $1) \
+ _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) \
+ _LT_AC_TAGVAR(predep_objects, $1) \
+ _LT_AC_TAGVAR(postdep_objects, $1) \
+ _LT_AC_TAGVAR(predeps, $1) \
+ _LT_AC_TAGVAR(postdeps, $1) \
+ _LT_AC_TAGVAR(compiler_lib_search_path, $1) \
+ _LT_AC_TAGVAR(archive_cmds, $1) \
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1) \
+ _LT_AC_TAGVAR(postinstall_cmds, $1) \
+ _LT_AC_TAGVAR(postuninstall_cmds, $1) \
+ _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) \
+ _LT_AC_TAGVAR(allow_undefined_flag, $1) \
+ _LT_AC_TAGVAR(no_undefined_flag, $1) \
+ _LT_AC_TAGVAR(export_symbols_cmds, $1) \
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) \
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1) \
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1) \
+ _LT_AC_TAGVAR(hardcode_automatic, $1) \
+ _LT_AC_TAGVAR(module_cmds, $1) \
+ _LT_AC_TAGVAR(module_expsym_cmds, $1) \
+ _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1) \
+ _LT_AC_TAGVAR(exclude_expsyms, $1) \
+ _LT_AC_TAGVAR(include_expsyms, $1); do
+
+ case $var in
+ _LT_AC_TAGVAR(old_archive_cmds, $1) | \
+ _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) | \
+ _LT_AC_TAGVAR(archive_cmds, $1) | \
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1) | \
+ _LT_AC_TAGVAR(module_cmds, $1) | \
+ _LT_AC_TAGVAR(module_expsym_cmds, $1) | \
+ _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) | \
+ _LT_AC_TAGVAR(export_symbols_cmds, $1) | \
+ extract_expsyms_cmds | reload_cmds | finish_cmds | \
+ postinstall_cmds | postuninstall_cmds | \
+ old_postinstall_cmds | old_postuninstall_cmds | \
+ sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+ # Double-quote double-evaled strings.
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+ ;;
+ *)
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+ ;;
+ esac
+ done
+
+ case $lt_echo in
+ *'\[$]0 --fallback-echo"')
+ lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\[$]0 --fallback-echo"[$]/[$]0 --fallback-echo"/'`
+ ;;
+ esac
+
+ifelse([$1], [],
+ [cfgfile="${ofile}T"
+ trap "$rm \"$cfgfile\"; exit 1" 1 2 15
+ $rm -f "$cfgfile"
+ AC_MSG_NOTICE([creating $ofile])],
+ [cfgfile="$ofile"])
+
+ cat <<__EOF__ >> "$cfgfile"
+ifelse([$1], [],
+[#! $SHELL
+
+# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
+# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
+# NOTE: Changes made to this file will be lost: look at ltmain.sh.
+#
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001
+# Free Software Foundation, Inc.
+#
+# This file is part of GNU Libtool:
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# A sed program that does not truncate output.
+SED=$lt_SED
+
+# Sed that helps us avoid accidentally triggering echo(1) options like -n.
+Xsed="$SED -e 1s/^X//"
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+# The names of the tagged configurations supported by this script.
+available_tags=
+
+# ### BEGIN LIBTOOL CONFIG],
+[# ### BEGIN LIBTOOL TAG CONFIG: $tagname])
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
+# A language-specific compiler.
+CC=$lt_[]_LT_AC_TAGVAR(compiler, $1)
+
+# Is the compiler the GNU C compiler?
+with_gcc=$_LT_AC_TAGVAR(GCC, $1)
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_[]_LT_AC_TAGVAR(LD, $1)
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext_cmds='$shrext_cmds'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_[]_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)
+
+# Must we lock files when doing compilation?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_static, $1)
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_[]_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_[]_LT_AC_TAGVAR(whole_archive_flag_spec, $1)
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_[]_LT_AC_TAGVAR(thread_safe_flag_spec, $1)
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names. First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_cmds, $1)
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_new_cmds, $1)
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_[]_LT_AC_TAGVAR(archive_cmds, $1)
+archive_expsym_cmds=$lt_[]_LT_AC_TAGVAR(archive_expsym_cmds, $1)
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_[]_LT_AC_TAGVAR(module_cmds, $1)
+module_expsym_cmds=$lt_[]_LT_AC_TAGVAR(module_expsym_cmds, $1)
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_[]_LT_AC_TAGVAR(predep_objects, $1)
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_[]_LT_AC_TAGVAR(postdep_objects, $1)
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_[]_LT_AC_TAGVAR(predeps, $1)
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_[]_LT_AC_TAGVAR(postdeps, $1)
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_path, $1)
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_[]_LT_AC_TAGVAR(allow_undefined_flag, $1)
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_[]_LT_AC_TAGVAR(no_undefined_flag, $1)
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$_LT_AC_TAGVAR(hardcode_action, $1)
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_separator, $1)
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$_LT_AC_TAGVAR(hardcode_direct, $1)
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$_LT_AC_TAGVAR(hardcode_minus_L, $1)
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$_LT_AC_TAGVAR(hardcode_automatic, $1)
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$_LT_AC_TAGVAR(link_all_deplibs, $1)
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$_LT_AC_TAGVAR(fix_srcfile_path, $1)"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$_LT_AC_TAGVAR(always_export_symbols, $1)
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_[]_LT_AC_TAGVAR(export_symbols_cmds, $1)
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_[]_LT_AC_TAGVAR(exclude_expsyms, $1)
+
+# Symbols that must always be exported.
+include_expsyms=$lt_[]_LT_AC_TAGVAR(include_expsyms, $1)
+
+ifelse([$1],[],
+[# ### END LIBTOOL CONFIG],
+[# ### END LIBTOOL TAG CONFIG: $tagname])
+
+__EOF__
+
+ifelse([$1],[], [
+ case $host_os in
+ aix3*)
+ cat <<\EOF >> "$cfgfile"
+
+# AIX sometimes has problems with the GCC collect2 program. For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test "X${COLLECT_NAMES+set}" != Xset; then
+ COLLECT_NAMES=
+ export COLLECT_NAMES
+fi
+EOF
+ ;;
+ esac
+
+ # We use sed instead of cat because bash on DJGPP gets confused if
+ # if finds mixed CR/LF and LF-only lines. Since sed operates in
+ # text mode, it properly converts lines to CR/LF. This bash problem
+ # is reportedly fixed, but why not run on old versions too?
+ sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1)
+
+ mv -f "$cfgfile" "$ofile" || \
+ (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
+ chmod +x "$ofile"
+])
+else
+ # If there is no Makefile yet, we rely on a make rule to execute
+ # `config.status --recheck' to rerun these tests and create the
+ # libtool script then.
+ ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+ if test -f "$ltmain_in"; then
+ test -f Makefile && make "$ltmain"
+ fi
+fi
+])# AC_LIBTOOL_CONFIG
+
+
+# AC_LIBTOOL_PROG_COMPILER_NO_RTTI([TAGNAME])
+# -------------------------------------------
+AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI],
+[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+
+_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+
+if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+
+ AC_LIBTOOL_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
+ lt_cv_prog_compiler_rtti_exceptions,
+ [-fno-rtti -fno-exceptions], [],
+ [_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"])
+fi
+])# AC_LIBTOOL_PROG_COMPILER_NO_RTTI
+
+
+# AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+# ---------------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE],
+[AC_REQUIRE([AC_CANONICAL_HOST])
+AC_REQUIRE([AC_PROG_NM])
+AC_REQUIRE([AC_OBJEXT])
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+AC_MSG_CHECKING([command to parse $NM output from $compiler object])
+AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe],
+[
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix. What could be older than Ultrix?!! ;)]
+
+# Character class describing NM global symbol codes.
+symcode='[[BCDEGRST]]'
+
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
+
+# Transform an extracted symbol line into a proper C declaration
+lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
+
+# Transform an extracted symbol line into symbol name and symbol address
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
+
+# Define system-specific variables.
+case $host_os in
+aix*)
+ symcode='[[BCDT]]'
+ ;;
+cygwin* | mingw* | pw32*)
+ symcode='[[ABCDGISTW]]'
+ ;;
+hpux*) # Its linker distinguishes data from code symbols
+ if test "$host_cpu" = ia64; then
+ symcode='[[ABCDEGRST]]'
+ fi
+ lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+ lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
+ ;;
+linux*)
+ if test "$host_cpu" = ia64; then
+ symcode='[[ABCDGIRSTW]]'
+ lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+ lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
+ fi
+ ;;
+irix* | nonstopux*)
+ symcode='[[BCDEGRST]]'
+ ;;
+osf*)
+ symcode='[[BCDEGQRST]]'
+ ;;
+solaris*)
+ symcode='[[BDRT]]'
+ ;;
+sco3.2v5*)
+ symcode='[[DT]]'
+ ;;
+sysv4.2uw2*)
+ symcode='[[DT]]'
+ ;;
+sysv5* | sco5v6* | unixware* | OpenUNIX*)
+ symcode='[[ABDT]]'
+ ;;
+sysv4)
+ symcode='[[DFNSTU]]'
+ ;;
+esac
+
+# Handle CRLF in mingw tool chain
+opt_cr=
+case $build_os in
+mingw*)
+ opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+ ;;
+esac
+
+# If we're using GNU nm, then use its standard symbol codes.
+case `$NM -V 2>&1` in
+*GNU* | *'with BFD'*)
+ symcode='[[ABCDGIRSTW]]' ;;
+esac
+
+# Try without a prefix undercore, then with it.
+for ac_symprfx in "" "_"; do
+
+ # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
+ symxfrm="\\1 $ac_symprfx\\2 \\2"
+
+ # Write the raw and C identifiers.
+ lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ ]]\($symcode$symcode*\)[[ ]][[ ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
+
+ # Check to see that the pipe works correctly.
+ pipe_works=no
+
+ rm -f conftest*
+ cat > conftest.$ac_ext <<EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(){}
+#ifdef __cplusplus
+}
+#endif
+int main(){nm_test_var='a';nm_test_func();return(0);}
+EOF
+
+ if AC_TRY_EVAL(ac_compile); then
+ # Now try to grab the symbols.
+ nlist=conftest.nm
+ if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then
+ # Try sorting and uniquifying the output.
+ if sort "$nlist" | uniq > "$nlist"T; then
+ mv -f "$nlist"T "$nlist"
+ else
+ rm -f "$nlist"T
+ fi
+
+ # Make sure that we snagged all the symbols we need.
+ if grep ' nm_test_var$' "$nlist" >/dev/null; then
+ if grep ' nm_test_func$' "$nlist" >/dev/null; then
+ cat <<EOF > conftest.$ac_ext
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+EOF
+ # Now generate the symbol file.
+ eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext'
+
+ cat <<EOF >> conftest.$ac_ext
+#if defined (__STDC__) && __STDC__
+# define lt_ptr_t void *
+#else
+# define lt_ptr_t char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+const struct {
+ const char *name;
+ lt_ptr_t address;
+}
+lt_preloaded_symbols[[]] =
+{
+EOF
+ $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext
+ cat <<\EOF >> conftest.$ac_ext
+ {0, (lt_ptr_t) 0}
+};
+
+#ifdef __cplusplus
+}
+#endif
+EOF
+ # Now try linking the two files.
+ mv conftest.$ac_objext conftstm.$ac_objext
+ lt_save_LIBS="$LIBS"
+ lt_save_CFLAGS="$CFLAGS"
+ LIBS="conftstm.$ac_objext"
+ CFLAGS="$CFLAGS$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
+ if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
+ pipe_works=yes
+ fi
+ LIBS="$lt_save_LIBS"
+ CFLAGS="$lt_save_CFLAGS"
+ else
+ echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
+ fi
+ else
+ echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD
+ fi
+ else
+ echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD
+ fi
+ else
+ echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD
+ cat conftest.$ac_ext >&5
+ fi
+ rm -f conftest* conftst*
+
+ # Do not use the global_symbol_pipe unless it works.
+ if test "$pipe_works" = yes; then
+ break
+ else
+ lt_cv_sys_global_symbol_pipe=
+ fi
+done
+])
+if test -z "$lt_cv_sys_global_symbol_pipe"; then
+ lt_cv_sys_global_symbol_to_cdecl=
+fi
+if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
+ AC_MSG_RESULT(failed)
+else
+ AC_MSG_RESULT(ok)
+fi
+]) # AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+
+
+# AC_LIBTOOL_PROG_COMPILER_PIC([TAGNAME])
+# ---------------------------------------
+AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC],
+[_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)=
+_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=
+
+AC_MSG_CHECKING([for $compiler option to produce PIC])
+ ifelse([$1],[CXX],[
+ # C++ specific cases for pic, static, wl, etc.
+ if test "$GXX" = yes; then
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+
+ case $host_os in
+ aix*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ fi
+ ;;
+ amigaos*)
+ # FIXME: we need at least 68020 code to build shared libraries, but
+ # adding the `-m68020' flag to GCC prevents building anything better,
+ # like `-m68040'.
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+ ;;
+ beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+ # PIC is the default for these OSes.
+ ;;
+ mingw* | os2* | pw32*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+ ;;
+ darwin* | rhapsody*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+ ;;
+ *djgpp*)
+ # DJGPP does not support shared libraries at all
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ ;;
+ interix3*)
+ # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+ # Instead, we relocate shared libraries at runtime.
+ ;;
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+ fi
+ ;;
+ hpux*)
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case $host_cpu in
+ hppa*64*|ia64*)
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ esac
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ esac
+ else
+ case $host_os in
+ aix4* | aix5*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ else
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+ fi
+ ;;
+ chorus*)
+ case $cc_basename in
+ cxch68*)
+ # Green Hills C++ Compiler
+ # _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
+ ;;
+ esac
+ ;;
+ darwin*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ case $cc_basename in
+ xlc*)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ ;;
+ esac
+ ;;
+ dgux*)
+ case $cc_basename in
+ ec++*)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ ;;
+ ghcx*)
+ # Green Hills C++ Compiler
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ freebsd* | kfreebsd*-gnu | dragonfly*)
+ # FreeBSD uses GNU C++
+ ;;
+ hpux9* | hpux10* | hpux11*)
+ case $cc_basename in
+ CC*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+ if test "$host_cpu" != ia64; then
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+ fi
+ ;;
+ aCC*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+ case $host_cpu in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+ ;;
+ esac
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ interix*)
+ # This is c89, which is MS Visual C++ (no shared libs)
+ # Anyone wants to do a port?
+ ;;
+ irix5* | irix6* | nonstopux*)
+ case $cc_basename in
+ CC*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ # CC pic flag -KPIC is the default.
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ linux*)
+ case $cc_basename in
+ KCC*)
+ # KAI C++ Compiler
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ icpc* | ecpc*)
+ # Intel C++
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+ ;;
+ pgCC*)
+ # Portland Group C++ compiler.
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+ cxx*)
+ # Compaq C++
+ # Make sure the PIC flag is empty. It appears that all Alpha
+ # Linux and Compaq Tru64 Unix objects are PIC.
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ lynxos*)
+ ;;
+ m88k*)
+ ;;
+ mvs*)
+ case $cc_basename in
+ cxx*)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ netbsd*)
+ ;;
+ osf3* | osf4* | osf5*)
+ case $cc_basename in
+ KCC*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+ ;;
+ RCC*)
+ # Rational C++ 2.4.1
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ ;;
+ cxx*)
+ # Digital/Compaq C++
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # Make sure the PIC flag is empty. It appears that all Alpha
+ # Linux and Compaq Tru64 Unix objects are PIC.
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ psos*)
+ ;;
+ solaris*)
+ case $cc_basename in
+ CC*)
+ # Sun C++ 4.2, 5.x and Centerline C++
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+ ;;
+ gcx*)
+ # Green Hills C++ Compiler
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ sunos4*)
+ case $cc_basename in
+ CC*)
+ # Sun C++ 4.x
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+ lcc*)
+ # Lucid
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ tandem*)
+ case $cc_basename in
+ NCC*)
+ # NonStop-UX NCC 3.20
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+ case $cc_basename in
+ CC*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+ esac
+ ;;
+ vxworks*)
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+ ;;
+ esac
+ fi
+],
+[
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+
+ case $host_os in
+ aix*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ fi
+ ;;
+
+ amigaos*)
+ # FIXME: we need at least 68020 code to build shared libraries, but
+ # adding the `-m68020' flag to GCC prevents building anything better,
+ # like `-m68040'.
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+ ;;
+
+ beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+ # PIC is the default for these OSes.
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+ ;;
+
+ darwin* | rhapsody*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+ ;;
+
+ interix3*)
+ # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+ # Instead, we relocate shared libraries at runtime.
+ ;;
+
+ msdosdjgpp*)
+ # Just because we use GCC doesn't mean we suddenly get shared libraries
+ # on systems that don't support them.
+ _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+ enable_shared=no
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+ fi
+ ;;
+
+ hpux*)
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case $host_cpu in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ esac
+ ;;
+
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ esac
+ else
+ # PORTME Check for flag to pass linker flags through the system compiler.
+ case $host_os in
+ aix*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ else
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+ fi
+ ;;
+ darwin*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ case $cc_basename in
+ xlc*)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ ;;
+ esac
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+ ;;
+
+ hpux9* | hpux10* | hpux11*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case $host_cpu in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+ ;;
+ esac
+ # Is there a better lt_prog_compiler_static that works with the bundled CC?
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # PIC (with -KPIC) is the default.
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+
+ newsos6)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ linux*)
+ case $cc_basename in
+ icc* | ecc*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+ ;;
+ pgcc* | pgf77* | pgf90* | pgf95*)
+ # Portland Group compilers (*not* the Pentium gcc compiler,
+ # which looks to be a dead project)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+ ccc*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # All Alpha code is PIC.
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+ esac
+ ;;
+
+ osf3* | osf4* | osf5*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # All OSF/1 code is PIC.
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+
+ solaris*)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ case $cc_basename in
+ f77* | f90* | f95*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';;
+ esac
+ ;;
+
+ sunos4*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ sysv4 | sysv4.2uw2* | sysv4.3*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec ;then
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ fi
+ ;;
+
+ sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ unicos*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+ ;;
+
+ uts4*)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+ ;;
+ esac
+ fi
+])
+AC_MSG_RESULT([$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)])
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)"; then
+ AC_LIBTOOL_COMPILER_OPTION([if $compiler PIC flag $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) works],
+ _LT_AC_TAGVAR(lt_prog_compiler_pic_works, $1),
+ [$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])], [],
+ [case $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) in
+ "" | " "*) ;;
+ *) _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)" ;;
+ esac],
+ [_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
+fi
+case $host_os in
+ # For platforms which do not support PIC, -DPIC is meaningless:
+ *djgpp*)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])"
+ ;;
+esac
+
+#
+# Check to make sure the static flag actually works.
+#
+wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_AC_TAGVAR(lt_prog_compiler_static, $1)\"
+AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works],
+ _LT_AC_TAGVAR(lt_prog_compiler_static_works, $1),
+ $lt_tmp_static_flag,
+ [],
+ [_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=])
+])
+
+
+# AC_LIBTOOL_PROG_LD_SHLIBS([TAGNAME])
+# ------------------------------------
+# See if the linker supports building shared libraries.
+AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS],
+[AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+ifelse([$1],[CXX],[
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ case $host_os in
+ aix4* | aix5*)
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+ else
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+ fi
+ ;;
+ pw32*)
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
+ ;;
+ cygwin* | mingw*)
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]] /s/.* \([[^ ]]*\)/\1 DATA/;/^.* __nm__/s/^.* __nm__\([[^ ]]*\) [[^ ]]*/\1 DATA/;/^I /d;/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
+ ;;
+ *)
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ ;;
+ esac
+],[
+ runpath_var=
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+ _LT_AC_TAGVAR(archive_cmds, $1)=
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+ _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)=
+ _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)=
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+ _LT_AC_TAGVAR(thread_safe_flag_spec, $1)=
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+ _LT_AC_TAGVAR(hardcode_automatic, $1)=no
+ _LT_AC_TAGVAR(module_cmds, $1)=
+ _LT_AC_TAGVAR(module_expsym_cmds, $1)=
+ _LT_AC_TAGVAR(always_export_symbols, $1)=no
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ # include_expsyms should be a list of space-separated symbols to be *always*
+ # included in the symbol list
+ _LT_AC_TAGVAR(include_expsyms, $1)=
+ # exclude_expsyms can be an extended regexp of symbols to exclude
+ # it will be wrapped by ` (' and `)$', so one must not match beginning or
+ # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+ # as well as any symbol that contains `d'.
+ _LT_AC_TAGVAR(exclude_expsyms, $1)="_GLOBAL_OFFSET_TABLE_"
+ # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+ # platforms (ab)use it in PIC code, but their linkers get confused if
+ # the symbol is explicitly referenced. Since portable code cannot
+ # rely on this symbol name, it's probably fine to never include it in
+ # preloaded symbol tables.
+ extract_expsyms_cmds=
+ # Just being paranoid about ensuring that cc_basename is set.
+ _LT_CC_BASENAME([$compiler])
+ case $host_os in
+ cygwin* | mingw* | pw32*)
+ # FIXME: the MSVC++ port hasn't been tested in a loooong time
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ if test "$GCC" != yes; then
+ with_gnu_ld=no
+ fi
+ ;;
+ interix*)
+ # we just hope/assume this is gcc and not c89 (= MSVC++)
+ with_gnu_ld=yes
+ ;;
+ openbsd*)
+ with_gnu_ld=no
+ ;;
+ esac
+
+ _LT_AC_TAGVAR(ld_shlibs, $1)=yes
+ if test "$with_gnu_ld" = yes; then
+ # If archive_cmds runs LD, not CC, wlarc should be empty
+ wlarc='${wl}'
+
+ # Set some defaults for GNU ld with shared library support. These
+ # are reset later if shared libraries are not supported. Putting them
+ # here allows them to be overridden if necessary.
+ runpath_var=LD_RUN_PATH
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ else
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+ fi
+ supports_anon_versioning=no
+ case `$LD -v 2>/dev/null` in
+ *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
+ *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+ *\ 2.11.*) ;; # other 2.11 versions
+ *) supports_anon_versioning=yes ;;
+ esac
+
+ # See if GNU ld supports shared libraries.
+ case $host_os in
+ aix3* | aix4* | aix5*)
+ # On AIX/PPC, the GNU linker is very broken
+ if test "$host_cpu" != ia64; then
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support. If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+ fi
+ ;;
+
+ amigaos*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+
+ # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+ # that the semantics of dynamic libraries on AmigaOS, at least up
+ # to version 4, is to share data among multiple programs linked
+ # with the same dynamic library. Since this doesn't match the
+ # behavior of shared libraries on other platforms, we can't use
+ # them.
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+
+ beos*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+ # support --undefined. This deserves some investigation. FIXME
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+ # as there is no search path for DLLs.
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_AC_TAGVAR(always_export_symbols, $1)=no
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
+
+ if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ interix3*)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+ # Instead, shared libraries are loaded at an image base (0x10000000 by
+ # default) and relocated if they conflict, which is a slow very memory
+ # consuming and fragmenting process. To avoid this, we pick a random,
+ # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+ # time. Moving up from 0x10000000 also allows more sbrk(2) space.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+ ;;
+
+ linux*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ tmp_addflag=
+ case $cc_basename,$host_cpu in
+ pgcc*) # Portland Group C compiler
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+ tmp_addflag=' $pic_flag'
+ ;;
+ pgf77* | pgf90* | pgf95*) # Portland Group f77 and f90 compilers
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+ tmp_addflag=' $pic_flag -Mnomain' ;;
+ ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64
+ tmp_addflag=' -i_dynamic' ;;
+ efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64
+ tmp_addflag=' -i_dynamic -nofor_main' ;;
+ ifc* | ifort*) # Intel Fortran compiler
+ tmp_addflag=' -nofor_main' ;;
+ esac
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+ if test $supports_anon_versioning = yes; then
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~
+ cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+ $echo "local: *; };" >> $output_objdir/$libname.ver~
+ $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+ fi
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+ wlarc=
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ fi
+ ;;
+
+ solaris*)
+ if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems. Therefore, libtool
+*** is disabling shared libraries support. We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer. Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+ elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+ case `$LD -v 2>&1` in
+ *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*)
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems. Therefore, libtool
+*** is disabling shared libraries support. We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer. Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+ ;;
+ *)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+ ;;
+
+ sunos4*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ wlarc=
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ *)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+
+ if test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no; then
+ runpath_var=
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+ fi
+ else
+ # PORTME fill in a description of your system's linker (not GNU ld)
+ case $host_os in
+ aix3*)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+ # Note: this linker hardcodes the directories in LIBPATH if there
+ # are no directories specified by -L.
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
+ # Neither direct hardcoding nor static linking is supported with a
+ # broken collect2.
+ _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+ fi
+ ;;
+
+ aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # On IA64, the linker does run time linking by default, so we don't
+ # have to do anything special.
+ aix_use_runtimelinking=no
+ exp_sym_flag='-Bexport'
+ no_entry_flag=""
+ else
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+ else
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+ fi
+ aix_use_runtimelinking=no
+
+ # Test if we are trying to use run time linking or normal
+ # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+ # need to do runtime linking.
+ case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*)
+ for ld_flag in $LDFLAGS; do
+ if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+ aix_use_runtimelinking=yes
+ break
+ fi
+ done
+ ;;
+ esac
+
+ exp_sym_flag='-bexport'
+ no_entry_flag='-bnoentry'
+ fi
+
+ # When large executables or shared objects are built, AIX ld can
+ # have problems creating the table of contents. If linking a library
+ # or program results in "error TOC overflow" add -mminimal-toc to
+ # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
+ # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+ _LT_AC_TAGVAR(archive_cmds, $1)=''
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+ if test "$GCC" = yes; then
+ case $host_os in aix4.[[012]]|aix4.[[012]].*)
+ # We only want to do this on AIX 4.2 and lower, the check
+ # below for broken collect2 doesn't work under 4.3+
+ collect2name=`${CC} -print-prog-name=collect2`
+ if test -f "$collect2name" && \
+ strings "$collect2name" | grep resolve_lib_name >/dev/null
+ then
+ # We have reworked collect2
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ else
+ # We have old collect2
+ _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+ # It fails to find uninstalled libraries when the uninstalled
+ # path is not listed in the libpath. Setting hardcode_minus_L
+ # to unsupported forces relinking
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+ fi
+ ;;
+ esac
+ shared_flag='-shared'
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag="$shared_flag "'${wl}-G'
+ fi
+ else
+ # not using gcc
+ if test "$host_cpu" = ia64; then
+ # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+ # chokes on -Wl,-G. The following line is correct:
+ shared_flag='-G'
+ else
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag='${wl}-G'
+ else
+ shared_flag='${wl}-bM:SRE'
+ fi
+ fi
+ fi
+
+ # It seems that -bexpall does not export symbols beginning with
+ # underscore (_), so it is better to generate a list of symbols to export.
+ _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+ if test "$aix_use_runtimelinking" = yes; then
+ # Warning - without using the other runtime loading flags (-brtl),
+ # -berok will link without error, but may produce a broken library.
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
+ # Determine the default libpath from the value encoded in an empty executable.
+ _LT_AC_SYS_LIBPATH_AIX
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ else
+ if test "$host_cpu" = ia64; then
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+ else
+ # Determine the default libpath from the value encoded in an empty executable.
+ _LT_AC_SYS_LIBPATH_AIX
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+ # Warning - without using the other run time loading flags,
+ # -berok will link without error, but may produce a broken library.
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
+ # Exported symbols can be pulled into shared objects from archives
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+ # This is similar to how AIX traditionally builds its shared libraries.
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+ fi
+ fi
+ ;;
+
+ amigaos*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ # see comment about different semantics on the GNU ld section
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+
+ bsdi[[45]]*)
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ # hardcode_libdir_flag_spec is actually meaningless, as there is
+ # no search path for DLLs.
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ # Tell ltmain to make .lib files, not .a files.
+ libext=lib
+ # Tell ltmain to make .dll files, not .so files.
+ shrext_cmds=".dll"
+ # FIXME: Setting linknames here is a bad hack.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
+ # The linker will automatically build a .lib file if we build a DLL.
+ _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='true'
+ # FIXME: Should let the user specify the lib program.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='lib /OUT:$oldlib$oldobjs$old_deplibs'
+ _LT_AC_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`'
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+ ;;
+
+ darwin* | rhapsody*)
+ case $host_os in
+ rhapsody* | darwin1.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+ ;;
+ 10.*)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ if test "$GCC" = yes ; then
+ output_verbose_link_cmd='echo'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ case $cc_basename in
+ xlc*)
+ output_verbose_link_cmd='echo'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
+ _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ ;;
+ *)
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ fi
+ ;;
+
+ dgux*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ freebsd1*)
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+
+ # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+ # support. Future versions do this automatically, but an explicit c++rt0.o
+ # does not break anything, and helps significantly (at the cost of a little
+ # extra space).
+ freebsd2.2*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+ freebsd2*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+ freebsd* | kfreebsd*-gnu | dragonfly*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ hpux9*)
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ ;;
+
+ hpux10*)
+ if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+ fi
+ if test "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ fi
+ ;;
+
+ hpux11*)
+ if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ case $host_cpu in
+ hppa*64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ ia64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ else
+ case $host_cpu in
+ hppa*64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ ia64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ fi
+ if test "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ case $host_cpu in
+ hppa*64*|ia64*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+ *)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ ;;
+ esac
+ fi
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ newsos6)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ openbsd*)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ else
+ case $host_os in
+ openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ ;;
+ esac
+ fi
+ ;;
+
+ os2*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_AC_TAGVAR(archive_cmds, $1)='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+ _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+ ;;
+
+ osf3*)
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ ;;
+
+ osf4* | osf5*) # as osf3* with the addition of -msym flag
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ else
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
+ $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
+
+ # Both c and cxx compiler support -rpath directly
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ ;;
+
+ solaris*)
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
+ if test "$GCC" = yes; then
+ wlarc='${wl}'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
+ else
+ wlarc=''
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ case $host_os in
+ solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+ *)
+ # The compiler driver will combine linker options so we
+ # cannot just pass the convience library names through
+ # without $wl, iff we do not link with $LD.
+ # Luckily, gcc supports the same syntax we need for Sun Studio.
+ # Supported since Solaris 2.6 (maybe 2.5.1?)
+ case $wlarc in
+ '')
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' ;;
+ *)
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;;
+ esac ;;
+ esac
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ ;;
+
+ sunos4*)
+ if test "x$host_vendor" = xsequent; then
+ # Use $CC to link under sequent, because it throws in some extra .o
+ # files that make .init and .fini sections work.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ sysv4)
+ case $host_vendor in
+ sni)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes # is this really true???
+ ;;
+ siemens)
+ ## LD is ld it makes a PLAMLIB
+ ## CC just makes a GrossModule.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ ;;
+ motorola)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie
+ ;;
+ esac
+ runpath_var='LD_RUN_PATH'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ sysv4.3*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ runpath_var=LD_RUN_PATH
+ hardcode_runpath_var=yes
+ _LT_AC_TAGVAR(ld_shlibs, $1)=yes
+ fi
+ ;;
+
+ sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7*)
+ _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ runpath_var='LD_RUN_PATH'
+
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ fi
+ ;;
+
+ sysv5* | sco3.2v5* | sco5v6*)
+ # Note: We can NOT use -z defs as we might desire, because we do not
+ # link with -lc, and that would cause any symbols used from libc to
+ # always be unresolved, which means just about no library would
+ # ever link correctly. If we're not using GNU ld we use -z text
+ # though, which does catch some bad symbols but isn't as heavy-handed
+ # as -z defs.
+ _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
+ runpath_var='LD_RUN_PATH'
+
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ fi
+ ;;
+
+ uts4*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ *)
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ fi
+])
+AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
+test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)" in
+x|xyes)
+ # Assume -lc should be added
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+
+ if test "$enable_shared" = yes && test "$GCC" = yes; then
+ case $_LT_AC_TAGVAR(archive_cmds, $1) in
+ *'~'*)
+ # FIXME: we may have to deal with multi-command sequences.
+ ;;
+ '$CC '*)
+ # Test whether the compiler implicitly links with -lc since on some
+ # systems, -lgcc has to come before -lc. If gcc already passes -lc
+ # to ld, don't add -lc before -lgcc.
+ AC_MSG_CHECKING([whether -lc should be explicitly linked in])
+ $rm conftest*
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
+ soname=conftest
+ lib=conftest
+ libobjs=conftest.$ac_objext
+ deplibs=
+ wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
+ pic_flag=$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)
+ compiler_flags=-v
+ linker_flags=-v
+ verstring=
+ output_objdir=.
+ libname=conftest
+ lt_save_allow_undefined_flag=$_LT_AC_TAGVAR(allow_undefined_flag, $1)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=
+ if AC_TRY_EVAL(_LT_AC_TAGVAR(archive_cmds, $1) 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1)
+ then
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ else
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+ fi
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
+ else
+ cat conftest.err 1>&5
+ fi
+ $rm conftest*
+ AC_MSG_RESULT([$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)])
+ ;;
+ esac
+ fi
+ ;;
+esac
+])# AC_LIBTOOL_PROG_LD_SHLIBS
+
+
+# _LT_AC_FILE_LTDLL_C
+# -------------------
+# Be careful that the start marker always follows a newline.
+AC_DEFUN([_LT_AC_FILE_LTDLL_C], [
+# /* ltdll.c starts here */
+# #define WIN32_LEAN_AND_MEAN
+# #include <windows.h>
+# #undef WIN32_LEAN_AND_MEAN
+# #include <stdio.h>
+#
+# #ifndef __CYGWIN__
+# # ifdef __CYGWIN32__
+# # define __CYGWIN__ __CYGWIN32__
+# # endif
+# #endif
+#
+# #ifdef __cplusplus
+# extern "C" {
+# #endif
+# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved);
+# #ifdef __cplusplus
+# }
+# #endif
+#
+# #ifdef __CYGWIN__
+# #include <cygwin/cygwin_dll.h>
+# DECLARE_CYGWIN_DLL( DllMain );
+# #endif
+# HINSTANCE __hDllInstance_base;
+#
+# BOOL APIENTRY
+# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
+# {
+# __hDllInstance_base = hInst;
+# return TRUE;
+# }
+# /* ltdll.c ends here */
+])# _LT_AC_FILE_LTDLL_C
+
+
+# _LT_AC_TAGVAR(VARNAME, [TAGNAME])
+# ---------------------------------
+AC_DEFUN([_LT_AC_TAGVAR], [ifelse([$2], [], [$1], [$1_$2])])
+
+
+# old names
+AC_DEFUN([AM_PROG_LIBTOOL], [AC_PROG_LIBTOOL])
+AC_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)])
+AC_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)])
+AC_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
+AC_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
+AC_DEFUN([AM_PROG_LD], [AC_PROG_LD])
+AC_DEFUN([AM_PROG_NM], [AC_PROG_NM])
+
+# This is just to silence aclocal about the macro not being used
+ifelse([AC_DISABLE_FAST_INSTALL])
+
+AC_DEFUN([LT_AC_PROG_GCJ],
+[AC_CHECK_TOOL(GCJ, gcj, no)
+ test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2"
+ AC_SUBST(GCJFLAGS)
+])
+
+AC_DEFUN([LT_AC_PROG_RC],
+[AC_CHECK_TOOL(RC, windres, no)
+])
+
+# NOTE: This macro has been submitted for inclusion into #
+# GNU Autoconf as AC_PROG_SED. When it is available in #
+# a released version of Autoconf we should remove this #
+# macro and use it instead. #
+# LT_AC_PROG_SED
+# --------------
+# Check for a fully-functional sed program, that truncates
+# as few characters as possible. Prefer GNU sed if found.
+AC_DEFUN([LT_AC_PROG_SED],
+[AC_MSG_CHECKING([for a sed that does not truncate output])
+AC_CACHE_VAL(lt_cv_path_SED,
+[# Loop through the user's path and test for sed and gsed.
+# Then use that list of sed's as ones to test for truncation.
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for lt_ac_prog in sed gsed; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
+ lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
+ fi
+ done
+ done
+done
+lt_ac_max=0
+lt_ac_count=0
+# Add /usr/xpg4/bin/sed as it is typically found on Solaris
+# along with /bin/sed that truncates output.
+for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
+ test ! -f $lt_ac_sed && continue
+ cat /dev/null > conftest.in
+ lt_ac_count=0
+ echo $ECHO_N "0123456789$ECHO_C" >conftest.in
+ # Check for GNU sed and select it if it is found.
+ if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
+ lt_cv_path_SED=$lt_ac_sed
+ break
+ fi
+ while true; do
+ cat conftest.in conftest.in >conftest.tmp
+ mv conftest.tmp conftest.in
+ cp conftest.in conftest.nl
+ echo >>conftest.nl
+ $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
+ cmp -s conftest.out conftest.nl || break
+ # 10000 chars as input seems more than enough
+ test $lt_ac_count -gt 10 && break
+ lt_ac_count=`expr $lt_ac_count + 1`
+ if test $lt_ac_count -gt $lt_ac_max; then
+ lt_ac_max=$lt_ac_count
+ lt_cv_path_SED=$lt_ac_sed
+ fi
+ done
+done
+])
+SED=$lt_cv_path_SED
+AC_MSG_RESULT([$SED])
+])
+
+# Copyright (C) 2002, 2003, 2005 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# AM_AUTOMAKE_VERSION(VERSION)
+# ----------------------------
+# Automake X.Y traces this macro to ensure aclocal.m4 has been
+# generated from the m4 files accompanying Automake X.Y.
+AC_DEFUN([AM_AUTOMAKE_VERSION], [am__api_version="1.9"])
+
+# AM_SET_CURRENT_AUTOMAKE_VERSION
+# -------------------------------
+# Call AM_AUTOMAKE_VERSION so it can be traced.
+# This function is AC_REQUIREd by AC_INIT_AUTOMAKE.
+AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
+ [AM_AUTOMAKE_VERSION([1.9.6])])
+
+# AM_AUX_DIR_EXPAND -*- Autoconf -*-
+
+# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets
+# $ac_aux_dir to `$srcdir/foo'. In other projects, it is set to
+# `$srcdir', `$srcdir/..', or `$srcdir/../..'.
+#
+# Of course, Automake must honor this variable whenever it calls a
+# tool from the auxiliary directory. The problem is that $srcdir (and
+# therefore $ac_aux_dir as well) can be either absolute or relative,
+# depending on how configure is run. This is pretty annoying, since
+# it makes $ac_aux_dir quite unusable in subdirectories: in the top
+# source directory, any form will work fine, but in subdirectories a
+# relative path needs to be adjusted first.
+#
+# $ac_aux_dir/missing
+# fails when called from a subdirectory if $ac_aux_dir is relative
+# $top_srcdir/$ac_aux_dir/missing
+# fails if $ac_aux_dir is absolute,
+# fails when called from a subdirectory in a VPATH build with
+# a relative $ac_aux_dir
+#
+# The reason of the latter failure is that $top_srcdir and $ac_aux_dir
+# are both prefixed by $srcdir. In an in-source build this is usually
+# harmless because $srcdir is `.', but things will broke when you
+# start a VPATH build or use an absolute $srcdir.
+#
+# So we could use something similar to $top_srcdir/$ac_aux_dir/missing,
+# iff we strip the leading $srcdir from $ac_aux_dir. That would be:
+# am_aux_dir='\$(top_srcdir)/'`expr "$ac_aux_dir" : "$srcdir//*\(.*\)"`
+# and then we would define $MISSING as
+# MISSING="\${SHELL} $am_aux_dir/missing"
+# This will work as long as MISSING is not called from configure, because
+# unfortunately $(top_srcdir) has no meaning in configure.
+# However there are other variables, like CC, which are often used in
+# configure, and could therefore not use this "fixed" $ac_aux_dir.
+#
+# Another solution, used here, is to always expand $ac_aux_dir to an
+# absolute PATH. The drawback is that using absolute paths prevent a
+# configured tree to be moved without reconfiguration.
+
+AC_DEFUN([AM_AUX_DIR_EXPAND],
+[dnl Rely on autoconf to set up CDPATH properly.
+AC_PREREQ([2.50])dnl
+# expand $ac_aux_dir to an absolute path
+am_aux_dir=`cd $ac_aux_dir && pwd`
+])
+
+# AM_CONDITIONAL -*- Autoconf -*-
+
+# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 7
+
+# AM_CONDITIONAL(NAME, SHELL-CONDITION)
+# -------------------------------------
+# Define a conditional.
+AC_DEFUN([AM_CONDITIONAL],
+[AC_PREREQ(2.52)dnl
+ ifelse([$1], [TRUE], [AC_FATAL([$0: invalid condition: $1])],
+ [$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl
+AC_SUBST([$1_TRUE])
+AC_SUBST([$1_FALSE])
+if $2; then
+ $1_TRUE=
+ $1_FALSE='#'
+else
+ $1_TRUE='#'
+ $1_FALSE=
+fi
+AC_CONFIG_COMMANDS_PRE(
+[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then
+ AC_MSG_ERROR([[conditional "$1" was never defined.
+Usually this means the macro was only invoked conditionally.]])
+fi])])
+
+
+# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 8
+
+# There are a few dirty hacks below to avoid letting `AC_PROG_CC' be
+# written in clear, in which case automake, when reading aclocal.m4,
+# will think it sees a *use*, and therefore will trigger all it's
+# C support machinery. Also note that it means that autoscan, seeing
+# CC etc. in the Makefile, will ask for an AC_PROG_CC use...
+
+
+# _AM_DEPENDENCIES(NAME)
+# ----------------------
+# See how the compiler implements dependency checking.
+# NAME is "CC", "CXX", "GCJ", or "OBJC".
+# We try a few techniques and use that to set a single cache variable.
+#
+# We don't AC_REQUIRE the corresponding AC_PROG_CC since the latter was
+# modified to invoke _AM_DEPENDENCIES(CC); we would have a circular
+# dependency, and given that the user is not expected to run this macro,
+# just rely on AC_PROG_CC.
+AC_DEFUN([_AM_DEPENDENCIES],
+[AC_REQUIRE([AM_SET_DEPDIR])dnl
+AC_REQUIRE([AM_OUTPUT_DEPENDENCY_COMMANDS])dnl
+AC_REQUIRE([AM_MAKE_INCLUDE])dnl
+AC_REQUIRE([AM_DEP_TRACK])dnl
+
+ifelse([$1], CC, [depcc="$CC" am_compiler_list=],
+ [$1], CXX, [depcc="$CXX" am_compiler_list=],
+ [$1], OBJC, [depcc="$OBJC" am_compiler_list='gcc3 gcc'],
+ [$1], GCJ, [depcc="$GCJ" am_compiler_list='gcc3 gcc'],
+ [depcc="$$1" am_compiler_list=])
+
+AC_CACHE_CHECK([dependency style of $depcc],
+ [am_cv_$1_dependencies_compiler_type],
+[if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
+ # We make a subdir and do the tests there. Otherwise we can end up
+ # making bogus files that we don't know about and never remove. For
+ # instance it was reported that on HP-UX the gcc test will end up
+ # making a dummy file named `D' -- because `-MD' means `put the output
+ # in D'.
+ mkdir conftest.dir
+ # Copy depcomp to subdir because otherwise we won't find it if we're
+ # using a relative directory.
+ cp "$am_depcomp" conftest.dir
+ cd conftest.dir
+ # We will build objects and dependencies in a subdirectory because
+ # it helps to detect inapplicable dependency modes. For instance
+ # both Tru64's cc and ICC support -MD to output dependencies as a
+ # side effect of compilation, but ICC will put the dependencies in
+ # the current directory while Tru64 will put them in the object
+ # directory.
+ mkdir sub
+
+ am_cv_$1_dependencies_compiler_type=none
+ if test "$am_compiler_list" = ""; then
+ am_compiler_list=`sed -n ['s/^#*\([a-zA-Z0-9]*\))$/\1/p'] < ./depcomp`
+ fi
+ for depmode in $am_compiler_list; do
+ # Setup a source with many dependencies, because some compilers
+ # like to wrap large dependency lists on column 80 (with \), and
+ # we should not choose a depcomp mode which is confused by this.
+ #
+ # We need to recreate these files for each test, as the compiler may
+ # overwrite some of them when testing with obscure command lines.
+ # This happens at least with the AIX C compiler.
+ : > sub/conftest.c
+ for i in 1 2 3 4 5 6; do
+ echo '#include "conftst'$i'.h"' >> sub/conftest.c
+ # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
+ # Solaris 8's {/usr,}/bin/sh.
+ touch sub/conftst$i.h
+ done
+ echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
+
+ case $depmode in
+ nosideeffect)
+ # after this tag, mechanisms are not by side-effect, so they'll
+ # only be used when explicitly requested
+ if test "x$enable_dependency_tracking" = xyes; then
+ continue
+ else
+ break
+ fi
+ ;;
+ none) break ;;
+ esac
+ # We check with `-c' and `-o' for the sake of the "dashmstdout"
+ # mode. It turns out that the SunPro C++ compiler does not properly
+ # handle `-M -o', and we need to detect this.
+ if depmode=$depmode \
+ source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
+ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
+ $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
+ >/dev/null 2>conftest.err &&
+ grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
+ grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
+ ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
+ # icc doesn't choke on unknown options, it will just issue warnings
+ # or remarks (even with -Werror). So we grep stderr for any message
+ # that says an option was ignored or not supported.
+ # When given -MP, icc 7.0 and 7.1 complain thusly:
+ # icc: Command line warning: ignoring option '-M'; no argument required
+ # The diagnosis changed in icc 8.0:
+ # icc: Command line remark: option '-MP' not supported
+ if (grep 'ignoring option' conftest.err ||
+ grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
+ am_cv_$1_dependencies_compiler_type=$depmode
+ break
+ fi
+ fi
+ done
+
+ cd ..
+ rm -rf conftest.dir
+else
+ am_cv_$1_dependencies_compiler_type=none
+fi
+])
+AC_SUBST([$1DEPMODE], [depmode=$am_cv_$1_dependencies_compiler_type])
+AM_CONDITIONAL([am__fastdep$1], [
+ test "x$enable_dependency_tracking" != xno \
+ && test "$am_cv_$1_dependencies_compiler_type" = gcc3])
+])
+
+
+# AM_SET_DEPDIR
+# -------------
+# Choose a directory name for dependency files.
+# This macro is AC_REQUIREd in _AM_DEPENDENCIES
+AC_DEFUN([AM_SET_DEPDIR],
+[AC_REQUIRE([AM_SET_LEADING_DOT])dnl
+AC_SUBST([DEPDIR], ["${am__leading_dot}deps"])dnl
+])
+
+
+# AM_DEP_TRACK
+# ------------
+AC_DEFUN([AM_DEP_TRACK],
+[AC_ARG_ENABLE(dependency-tracking,
+[ --disable-dependency-tracking speeds up one-time build
+ --enable-dependency-tracking do not reject slow dependency extractors])
+if test "x$enable_dependency_tracking" != xno; then
+ am_depcomp="$ac_aux_dir/depcomp"
+ AMDEPBACKSLASH='\'
+fi
+AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno])
+AC_SUBST([AMDEPBACKSLASH])
+])
+
+# Generate code to set up dependency tracking. -*- Autoconf -*-
+
+# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+#serial 3
+
+# _AM_OUTPUT_DEPENDENCY_COMMANDS
+# ------------------------------
+AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS],
+[for mf in $CONFIG_FILES; do
+ # Strip MF so we end up with the name of the file.
+ mf=`echo "$mf" | sed -e 's/:.*$//'`
+ # Check whether this is an Automake generated Makefile or not.
+ # We used to match only the files named `Makefile.in', but
+ # some people rename them; so instead we look at the file content.
+ # Grep'ing the first line is not enough: some people post-process
+ # each Makefile.in and add a new line on top of each file to say so.
+ # So let's grep whole file.
+ if grep '^#.*generated by automake' $mf > /dev/null 2>&1; then
+ dirpart=`AS_DIRNAME("$mf")`
+ else
+ continue
+ fi
+ # Extract the definition of DEPDIR, am__include, and am__quote
+ # from the Makefile without running `make'.
+ DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
+ test -z "$DEPDIR" && continue
+ am__include=`sed -n 's/^am__include = //p' < "$mf"`
+ test -z "am__include" && continue
+ am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
+ # When using ansi2knr, U may be empty or an underscore; expand it
+ U=`sed -n 's/^U = //p' < "$mf"`
+ # Find all dependency output files, they are included files with
+ # $(DEPDIR) in their names. We invoke sed twice because it is the
+ # simplest approach to changing $(DEPDIR) to its actual value in the
+ # expansion.
+ for file in `sed -n "
+ s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
+ sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
+ # Make sure the directory exists.
+ test -f "$dirpart/$file" && continue
+ fdir=`AS_DIRNAME(["$file"])`
+ AS_MKDIR_P([$dirpart/$fdir])
+ # echo "creating $dirpart/$file"
+ echo '# dummy' > "$dirpart/$file"
+ done
+done
+])# _AM_OUTPUT_DEPENDENCY_COMMANDS
+
+
+# AM_OUTPUT_DEPENDENCY_COMMANDS
+# -----------------------------
+# This macro should only be invoked once -- use via AC_REQUIRE.
+#
+# This code is only required when automatic dependency tracking
+# is enabled. FIXME. This creates each `.P' file that we will
+# need in order to bootstrap the dependency handling code.
+AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
+[AC_CONFIG_COMMANDS([depfiles],
+ [test x"$AMDEP_TRUE" != x"" || _AM_OUTPUT_DEPENDENCY_COMMANDS],
+ [AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"])
+])
+
+# Do all the work for Automake. -*- Autoconf -*-
+
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 12
+
+# This macro actually does too much. Some checks are only needed if
+# your package does certain things. But this isn't really a big deal.
+
+# AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE])
+# AM_INIT_AUTOMAKE([OPTIONS])
+# -----------------------------------------------
+# The call with PACKAGE and VERSION arguments is the old style
+# call (pre autoconf-2.50), which is being phased out. PACKAGE
+# and VERSION should now be passed to AC_INIT and removed from
+# the call to AM_INIT_AUTOMAKE.
+# We support both call styles for the transition. After
+# the next Automake release, Autoconf can make the AC_INIT
+# arguments mandatory, and then we can depend on a new Autoconf
+# release and drop the old call support.
+AC_DEFUN([AM_INIT_AUTOMAKE],
+[AC_PREREQ([2.58])dnl
+dnl Autoconf wants to disallow AM_ names. We explicitly allow
+dnl the ones we care about.
+m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl
+AC_REQUIRE([AM_SET_CURRENT_AUTOMAKE_VERSION])dnl
+AC_REQUIRE([AC_PROG_INSTALL])dnl
+# test to see if srcdir already configured
+if test "`cd $srcdir && pwd`" != "`pwd`" &&
+ test -f $srcdir/config.status; then
+ AC_MSG_ERROR([source directory already configured; run "make distclean" there first])
+fi
+
+# test whether we have cygpath
+if test -z "$CYGPATH_W"; then
+ if (cygpath --version) >/dev/null 2>/dev/null; then
+ CYGPATH_W='cygpath -w'
+ else
+ CYGPATH_W=echo
+ fi
+fi
+AC_SUBST([CYGPATH_W])
+
+# Define the identity of the package.
+dnl Distinguish between old-style and new-style calls.
+m4_ifval([$2],
+[m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl
+ AC_SUBST([PACKAGE], [$1])dnl
+ AC_SUBST([VERSION], [$2])],
+[_AM_SET_OPTIONS([$1])dnl
+ AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl
+ AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl
+
+_AM_IF_OPTION([no-define],,
+[AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [Name of package])
+ AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [Version number of package])])dnl
+
+# Some tools Automake needs.
+AC_REQUIRE([AM_SANITY_CHECK])dnl
+AC_REQUIRE([AC_ARG_PROGRAM])dnl
+AM_MISSING_PROG(ACLOCAL, aclocal-${am__api_version})
+AM_MISSING_PROG(AUTOCONF, autoconf)
+AM_MISSING_PROG(AUTOMAKE, automake-${am__api_version})
+AM_MISSING_PROG(AUTOHEADER, autoheader)
+AM_MISSING_PROG(MAKEINFO, makeinfo)
+AM_PROG_INSTALL_SH
+AM_PROG_INSTALL_STRIP
+AC_REQUIRE([AM_PROG_MKDIR_P])dnl
+# We need awk for the "check" target. The system "awk" is bad on
+# some platforms.
+AC_REQUIRE([AC_PROG_AWK])dnl
+AC_REQUIRE([AC_PROG_MAKE_SET])dnl
+AC_REQUIRE([AM_SET_LEADING_DOT])dnl
+_AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])],
+ [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])],
+ [_AM_PROG_TAR([v7])])])
+_AM_IF_OPTION([no-dependencies],,
+[AC_PROVIDE_IFELSE([AC_PROG_CC],
+ [_AM_DEPENDENCIES(CC)],
+ [define([AC_PROG_CC],
+ defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl
+AC_PROVIDE_IFELSE([AC_PROG_CXX],
+ [_AM_DEPENDENCIES(CXX)],
+ [define([AC_PROG_CXX],
+ defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl
+])
+])
+
+
+# When config.status generates a header, we must update the stamp-h file.
+# This file resides in the same directory as the config header
+# that is generated. The stamp files are numbered to have different names.
+
+# Autoconf calls _AC_AM_CONFIG_HEADER_HOOK (when defined) in the
+# loop where config.status creates the headers, so we can generate
+# our stamp files there.
+AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK],
+[# Compute $1's index in $config_headers.
+_am_stamp_count=1
+for _am_header in $config_headers :; do
+ case $_am_header in
+ $1 | $1:* )
+ break ;;
+ * )
+ _am_stamp_count=`expr $_am_stamp_count + 1` ;;
+ esac
+done
+echo "timestamp for $1" >`AS_DIRNAME([$1])`/stamp-h[]$_am_stamp_count])
+
+# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# AM_PROG_INSTALL_SH
+# ------------------
+# Define $install_sh.
+AC_DEFUN([AM_PROG_INSTALL_SH],
+[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
+install_sh=${install_sh-"$am_aux_dir/install-sh"}
+AC_SUBST(install_sh)])
+
+# Copyright (C) 2003, 2005 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 2
+
+# Check whether the underlying file-system supports filenames
+# with a leading dot. For instance MS-DOS doesn't.
+AC_DEFUN([AM_SET_LEADING_DOT],
+[rm -rf .tst 2>/dev/null
+mkdir .tst 2>/dev/null
+if test -d .tst; then
+ am__leading_dot=.
+else
+ am__leading_dot=_
+fi
+rmdir .tst 2>/dev/null
+AC_SUBST([am__leading_dot])])
+
+# Check to see how 'make' treats includes. -*- Autoconf -*-
+
+# Copyright (C) 2001, 2002, 2003, 2005 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 3
+
+# AM_MAKE_INCLUDE()
+# -----------------
+# Check to see how make treats includes.
+AC_DEFUN([AM_MAKE_INCLUDE],
+[am_make=${MAKE-make}
+cat > confinc << 'END'
+am__doit:
+ @echo done
+.PHONY: am__doit
+END
+# If we don't find an include directive, just comment out the code.
+AC_MSG_CHECKING([for style of include used by $am_make])
+am__include="#"
+am__quote=
+_am_result=none
+# First try GNU make style include.
+echo "include confinc" > confmf
+# We grep out `Entering directory' and `Leaving directory'
+# messages which can occur if `w' ends up in MAKEFLAGS.
+# In particular we don't look at `^make:' because GNU make might
+# be invoked under some other name (usually "gmake"), in which
+# case it prints its new name instead of `make'.
+if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then
+ am__include=include
+ am__quote=
+ _am_result=GNU
+fi
+# Now try BSD make style include.
+if test "$am__include" = "#"; then
+ echo '.include "confinc"' > confmf
+ if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then
+ am__include=.include
+ am__quote="\""
+ _am_result=BSD
+ fi
+fi
+AC_SUBST([am__include])
+AC_SUBST([am__quote])
+AC_MSG_RESULT([$_am_result])
+rm -f confinc confmf
+])
+
+# Fake the existence of programs that GNU maintainers use. -*- Autoconf -*-
+
+# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 4
+
+# AM_MISSING_PROG(NAME, PROGRAM)
+# ------------------------------
+AC_DEFUN([AM_MISSING_PROG],
+[AC_REQUIRE([AM_MISSING_HAS_RUN])
+$1=${$1-"${am_missing_run}$2"}
+AC_SUBST($1)])
+
+
+# AM_MISSING_HAS_RUN
+# ------------------
+# Define MISSING if not defined so far and test if it supports --run.
+# If it does, set am_missing_run to use it, otherwise, to nothing.
+AC_DEFUN([AM_MISSING_HAS_RUN],
+[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
+test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing"
+# Use eval to expand $SHELL
+if eval "$MISSING --run true"; then
+ am_missing_run="$MISSING --run "
+else
+ am_missing_run=
+ AC_MSG_WARN([`missing' script is too old or missing])
+fi
+])
+
+# Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# AM_PROG_MKDIR_P
+# ---------------
+# Check whether `mkdir -p' is supported, fallback to mkinstalldirs otherwise.
+#
+# Automake 1.8 used `mkdir -m 0755 -p --' to ensure that directories
+# created by `make install' are always world readable, even if the
+# installer happens to have an overly restrictive umask (e.g. 077).
+# This was a mistake. There are at least two reasons why we must not
+# use `-m 0755':
+# - it causes special bits like SGID to be ignored,
+# - it may be too restrictive (some setups expect 775 directories).
+#
+# Do not use -m 0755 and let people choose whatever they expect by
+# setting umask.
+#
+# We cannot accept any implementation of `mkdir' that recognizes `-p'.
+# Some implementations (such as Solaris 8's) are not thread-safe: if a
+# parallel make tries to run `mkdir -p a/b' and `mkdir -p a/c'
+# concurrently, both version can detect that a/ is missing, but only
+# one can create it and the other will error out. Consequently we
+# restrict ourselves to GNU make (using the --version option ensures
+# this.)
+AC_DEFUN([AM_PROG_MKDIR_P],
+[if mkdir -p --version . >/dev/null 2>&1 && test ! -d ./--version; then
+ # We used to keeping the `.' as first argument, in order to
+ # allow $(mkdir_p) to be used without argument. As in
+ # $(mkdir_p) $(somedir)
+ # where $(somedir) is conditionally defined. However this is wrong
+ # for two reasons:
+ # 1. if the package is installed by a user who cannot write `.'
+ # make install will fail,
+ # 2. the above comment should most certainly read
+ # $(mkdir_p) $(DESTDIR)$(somedir)
+ # so it does not work when $(somedir) is undefined and
+ # $(DESTDIR) is not.
+ # To support the latter case, we have to write
+ # test -z "$(somedir)" || $(mkdir_p) $(DESTDIR)$(somedir),
+ # so the `.' trick is pointless.
+ mkdir_p='mkdir -p --'
+else
+ # On NextStep and OpenStep, the `mkdir' command does not
+ # recognize any option. It will interpret all options as
+ # directories to create, and then abort because `.' already
+ # exists.
+ for d in ./-p ./--version;
+ do
+ test -d $d && rmdir $d
+ done
+ # $(mkinstalldirs) is defined by Automake if mkinstalldirs exists.
+ if test -f "$ac_aux_dir/mkinstalldirs"; then
+ mkdir_p='$(mkinstalldirs)'
+ else
+ mkdir_p='$(install_sh) -d'
+ fi
+fi
+AC_SUBST([mkdir_p])])
+
+# Helper functions for option handling. -*- Autoconf -*-
+
+# Copyright (C) 2001, 2002, 2003, 2005 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 3
+
+# _AM_MANGLE_OPTION(NAME)
+# -----------------------
+AC_DEFUN([_AM_MANGLE_OPTION],
+[[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])])
+
+# _AM_SET_OPTION(NAME)
+# ------------------------------
+# Set option NAME. Presently that only means defining a flag for this option.
+AC_DEFUN([_AM_SET_OPTION],
+[m4_define(_AM_MANGLE_OPTION([$1]), 1)])
+
+# _AM_SET_OPTIONS(OPTIONS)
+# ----------------------------------
+# OPTIONS is a space-separated list of Automake options.
+AC_DEFUN([_AM_SET_OPTIONS],
+[AC_FOREACH([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])])
+
+# _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET])
+# -------------------------------------------
+# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise.
+AC_DEFUN([_AM_IF_OPTION],
+[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
+
+# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# AM_RUN_LOG(COMMAND)
+# -------------------
+# Run COMMAND, save the exit status in ac_status, and log it.
+# (This has been adapted from Autoconf's _AC_RUN_LOG macro.)
+AC_DEFUN([AM_RUN_LOG],
+[{ echo "$as_me:$LINENO: $1" >&AS_MESSAGE_LOG_FD
+ ($1) >&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+ (exit $ac_status); }])
+
+# Check to make sure that the build environment is sane. -*- Autoconf -*-
+
+# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005
+# Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 4
+
+# AM_SANITY_CHECK
+# ---------------
+AC_DEFUN([AM_SANITY_CHECK],
+[AC_MSG_CHECKING([whether build environment is sane])
+# Just in case
+sleep 1
+echo timestamp > conftest.file
+# Do `set' in a subshell so we don't clobber the current shell's
+# arguments. Must try -L first in case configure is actually a
+# symlink; some systems play weird games with the mod time of symlinks
+# (eg FreeBSD returns the mod time of the symlink's containing
+# directory).
+if (
+ set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null`
+ if test "$[*]" = "X"; then
+ # -L didn't work.
+ set X `ls -t $srcdir/configure conftest.file`
+ fi
+ rm -f conftest.file
+ if test "$[*]" != "X $srcdir/configure conftest.file" \
+ && test "$[*]" != "X conftest.file $srcdir/configure"; then
+
+ # If neither matched, then we have a broken ls. This can happen
+ # if, for instance, CONFIG_SHELL is bash and it inherits a
+ # broken ls alias from the environment. This has actually
+ # happened. Such a system could not be considered "sane".
+ AC_MSG_ERROR([ls -t appears to fail. Make sure there is not a broken
+alias in your environment])
+ fi
+
+ test "$[2]" = conftest.file
+ )
+then
+ # Ok.
+ :
+else
+ AC_MSG_ERROR([newly created file is older than distributed files!
+Check your system clock])
+fi
+AC_MSG_RESULT(yes)])
+
+# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# AM_PROG_INSTALL_STRIP
+# ---------------------
+# One issue with vendor `install' (even GNU) is that you can't
+# specify the program used to strip binaries. This is especially
+# annoying in cross-compiling environments, where the build's strip
+# is unlikely to handle the host's binaries.
+# Fortunately install-sh will honor a STRIPPROG variable, so we
+# always use install-sh in `make install-strip', and initialize
+# STRIPPROG with the value of the STRIP variable (set by the user).
+AC_DEFUN([AM_PROG_INSTALL_STRIP],
+[AC_REQUIRE([AM_PROG_INSTALL_SH])dnl
+# Installed binaries are usually stripped using `strip' when the user
+# run `make install-strip'. However `strip' might not be the right
+# tool to use in cross-compilation environments, therefore Automake
+# will honor the `STRIP' environment variable to overrule this program.
+dnl Don't test for $cross_compiling = yes, because it might be `maybe'.
+if test "$cross_compiling" != no; then
+ AC_CHECK_TOOL([STRIP], [strip], :)
+fi
+INSTALL_STRIP_PROGRAM="\${SHELL} \$(install_sh) -c -s"
+AC_SUBST([INSTALL_STRIP_PROGRAM])])
+
+# Check how to create a tarball. -*- Autoconf -*-
+
+# Copyright (C) 2004, 2005 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# serial 2
+
+# _AM_PROG_TAR(FORMAT)
+# --------------------
+# Check how to create a tarball in format FORMAT.
+# FORMAT should be one of `v7', `ustar', or `pax'.
+#
+# Substitute a variable $(am__tar) that is a command
+# writing to stdout a FORMAT-tarball containing the directory
+# $tardir.
+# tardir=directory && $(am__tar) > result.tar
+#
+# Substitute a variable $(am__untar) that extract such
+# a tarball read from stdin.
+# $(am__untar) < result.tar
+AC_DEFUN([_AM_PROG_TAR],
+[# Always define AMTAR for backward compatibility.
+AM_MISSING_PROG([AMTAR], [tar])
+m4_if([$1], [v7],
+ [am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'],
+ [m4_case([$1], [ustar],, [pax],,
+ [m4_fatal([Unknown tar format])])
+AC_MSG_CHECKING([how to create a $1 tar archive])
+# Loop over all known methods to create a tar archive until one works.
+_am_tools='gnutar m4_if([$1], [ustar], [plaintar]) pax cpio none'
+_am_tools=${am_cv_prog_tar_$1-$_am_tools}
+# Do not fold the above two line into one, because Tru64 sh and
+# Solaris sh will not grok spaces in the rhs of `-'.
+for _am_tool in $_am_tools
+do
+ case $_am_tool in
+ gnutar)
+ for _am_tar in tar gnutar gtar;
+ do
+ AM_RUN_LOG([$_am_tar --version]) && break
+ done
+ am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"'
+ am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"'
+ am__untar="$_am_tar -xf -"
+ ;;
+ plaintar)
+ # Must skip GNU tar: if it does not support --format= it doesn't create
+ # ustar tarball either.
+ (tar --version) >/dev/null 2>&1 && continue
+ am__tar='tar chf - "$$tardir"'
+ am__tar_='tar chf - "$tardir"'
+ am__untar='tar xf -'
+ ;;
+ pax)
+ am__tar='pax -L -x $1 -w "$$tardir"'
+ am__tar_='pax -L -x $1 -w "$tardir"'
+ am__untar='pax -r'
+ ;;
+ cpio)
+ am__tar='find "$$tardir" -print | cpio -o -H $1 -L'
+ am__tar_='find "$tardir" -print | cpio -o -H $1 -L'
+ am__untar='cpio -i -H $1 -d'
+ ;;
+ none)
+ am__tar=false
+ am__tar_=false
+ am__untar=false
+ ;;
+ esac
+
+ # If the value was cached, stop now. We just wanted to have am__tar
+ # and am__untar set.
+ test -n "${am_cv_prog_tar_$1}" && break
+
+ # tar/untar a dummy directory, and stop if the command works
+ rm -rf conftest.dir
+ mkdir conftest.dir
+ echo GrepMe > conftest.dir/file
+ AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar])
+ rm -rf conftest.dir
+ if test -s conftest.tar; then
+ AM_RUN_LOG([$am__untar <conftest.tar])
+ grep GrepMe conftest.dir/file >/dev/null 2>&1 && break
+ fi
+done
+rm -rf conftest.dir
+
+AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool])
+AC_MSG_RESULT([$am_cv_prog_tar_$1])])
+AC_SUBST([am__tar])
+AC_SUBST([am__untar])
+]) # _AM_PROG_TAR
+
diff --git a/config.guess b/config.guess
new file mode 100755
index 000000000..af7f02dc7
--- /dev/null
+++ b/config.guess
@@ -0,0 +1,1519 @@
+#! /bin/sh
+# Attempt to guess a canonical system name.
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+# 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
+# Inc.
+
+timestamp='2006-07-02'
+
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
+# 02110-1301, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+
+# Originally written by Per Bothner <per@bothner.com>.
+# Please send patches to <config-patches@gnu.org>. Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# This script attempts to guess a canonical system name similar to
+# config.sub. If it succeeds, it prints the system name on stdout, and
+# exits with 0. Otherwise, it exits with 1.
+#
+# The plan is that this can be called by configure scripts if you
+# don't specify an explicit build system type.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of the system \`$me' is run on.
+
+Operation modes:
+ -h, --help print this help, then exit
+ -t, --time-stamp print date of last modification, then exit
+ -v, --version print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.guess ($timestamp)
+
+Originally written by Per Bothner.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+ case $1 in
+ --time-stamp | --time* | -t )
+ echo "$timestamp" ; exit ;;
+ --version | -v )
+ echo "$version" ; exit ;;
+ --help | --h* | -h )
+ echo "$usage"; exit ;;
+ -- ) # Stop option processing
+ shift; break ;;
+ - ) # Use stdin as input.
+ break ;;
+ -* )
+ echo "$me: invalid option $1$help" >&2
+ exit 1 ;;
+ * )
+ break ;;
+ esac
+done
+
+if test $# != 0; then
+ echo "$me: too many arguments$help" >&2
+ exit 1
+fi
+
+trap 'exit 1' 1 2 15
+
+# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
+# compiler to aid in system detection is discouraged as it requires
+# temporary files to be created and, as you can see below, it is a
+# headache to deal with in a portable fashion.
+
+# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
+# use `HOST_CC' if defined, but it is deprecated.
+
+# Portable tmp directory creation inspired by the Autoconf team.
+
+set_cc_for_build='
+trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
+trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
+: ${TMPDIR=/tmp} ;
+ { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
+ { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
+ { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
+ { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
+dummy=$tmp/dummy ;
+tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
+case $CC_FOR_BUILD,$HOST_CC,$CC in
+ ,,) echo "int x;" > $dummy.c ;
+ for c in cc gcc c89 c99 ; do
+ if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
+ CC_FOR_BUILD="$c"; break ;
+ fi ;
+ done ;
+ if test x"$CC_FOR_BUILD" = x ; then
+ CC_FOR_BUILD=no_compiler_found ;
+ fi
+ ;;
+ ,,*) CC_FOR_BUILD=$CC ;;
+ ,*,*) CC_FOR_BUILD=$HOST_CC ;;
+esac ; set_cc_for_build= ;'
+
+# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
+# (ghazi@noc.rutgers.edu 1994-08-24)
+if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
+ PATH=$PATH:/.attbin ; export PATH
+fi
+
+UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
+UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
+UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
+UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
+
+if [ "${UNAME_SYSTEM}" = "Linux" ] ; then
+ eval $set_cc_for_build
+ cat << EOF > $dummy.c
+ #include <features.h>
+ #ifdef __UCLIBC__
+ # ifdef __UCLIBC_CONFIG_VERSION__
+ LIBC=uclibc __UCLIBC_CONFIG_VERSION__
+ # else
+ LIBC=uclibc
+ # endif
+ #else
+ LIBC=gnu
+ #endif
+EOF
+ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep LIBC= | sed -e 's: ::g'`
+fi
+
+# Note: order is significant - the case branches are not exclusive.
+
+case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+ *:NetBSD:*:*)
+ # NetBSD (nbsd) targets should (where applicable) match one or
+ # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+ # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
+ # switched to ELF, *-*-netbsd* would select the old
+ # object file format. This provides both forward
+ # compatibility and a consistent mechanism for selecting the
+ # object file format.
+ #
+ # Note: NetBSD doesn't particularly care about the vendor
+ # portion of the name. We always set it to "unknown".
+ sysctl="sysctl -n hw.machine_arch"
+ UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
+ /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
+ case "${UNAME_MACHINE_ARCH}" in
+ armeb) machine=armeb-unknown ;;
+ arm*) machine=arm-unknown ;;
+ sh3el) machine=shl-unknown ;;
+ sh3eb) machine=sh-unknown ;;
+ *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
+ esac
+ # The Operating System including object format, if it has switched
+ # to ELF recently, or will in the future.
+ case "${UNAME_MACHINE_ARCH}" in
+ arm*|i386|m68k|ns32k|sh3*|sparc|vax)
+ eval $set_cc_for_build
+ if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
+ | grep __ELF__ >/dev/null
+ then
+ # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
+ # Return netbsd for either. FIX?
+ os=netbsd
+ else
+ os=netbsdelf
+ fi
+ ;;
+ *)
+ os=netbsd
+ ;;
+ esac
+ # The OS release
+ # Debian GNU/NetBSD machines have a different userland, and
+ # thus, need a distinct triplet. However, they do not need
+ # kernel version information, so it can be replaced with a
+ # suitable tag, in the style of linux-gnu.
+ case "${UNAME_VERSION}" in
+ Debian*)
+ release='-gnu'
+ ;;
+ *)
+ release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+ ;;
+ esac
+ # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
+ # contains redundant information, the shorter form:
+ # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
+ echo "${machine}-${os}${release}"
+ exit ;;
+ *:OpenBSD:*:*)
+ UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
+ echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
+ exit ;;
+ *:ekkoBSD:*:*)
+ echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
+ exit ;;
+ *:SolidBSD:*:*)
+ echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE}
+ exit ;;
+ macppc:MirBSD:*:*)
+ echo powerpc-unknown-mirbsd${UNAME_RELEASE}
+ exit ;;
+ *:MirBSD:*:*)
+ echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
+ exit ;;
+ alpha:OSF1:*:*)
+ case $UNAME_RELEASE in
+ *4.0)
+ UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
+ ;;
+ *5.*)
+ UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
+ ;;
+ esac
+ # According to Compaq, /usr/sbin/psrinfo has been available on
+ # OSF/1 and Tru64 systems produced since 1995. I hope that
+ # covers most systems running today. This code pipes the CPU
+ # types through head -n 1, so we only detect the type of CPU 0.
+ ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1`
+ case "$ALPHA_CPU_TYPE" in
+ "EV4 (21064)")
+ UNAME_MACHINE="alpha" ;;
+ "EV4.5 (21064)")
+ UNAME_MACHINE="alpha" ;;
+ "LCA4 (21066/21068)")
+ UNAME_MACHINE="alpha" ;;
+ "EV5 (21164)")
+ UNAME_MACHINE="alphaev5" ;;
+ "EV5.6 (21164A)")
+ UNAME_MACHINE="alphaev56" ;;
+ "EV5.6 (21164PC)")
+ UNAME_MACHINE="alphapca56" ;;
+ "EV5.7 (21164PC)")
+ UNAME_MACHINE="alphapca57" ;;
+ "EV6 (21264)")
+ UNAME_MACHINE="alphaev6" ;;
+ "EV6.7 (21264A)")
+ UNAME_MACHINE="alphaev67" ;;
+ "EV6.8CB (21264C)")
+ UNAME_MACHINE="alphaev68" ;;
+ "EV6.8AL (21264B)")
+ UNAME_MACHINE="alphaev68" ;;
+ "EV6.8CX (21264D)")
+ UNAME_MACHINE="alphaev68" ;;
+ "EV6.9A (21264/EV69A)")
+ UNAME_MACHINE="alphaev69" ;;
+ "EV7 (21364)")
+ UNAME_MACHINE="alphaev7" ;;
+ "EV7.9 (21364A)")
+ UNAME_MACHINE="alphaev79" ;;
+ esac
+ # A Pn.n version is a patched version.
+ # A Vn.n version is a released version.
+ # A Tn.n version is a released field test version.
+ # A Xn.n version is an unreleased experimental baselevel.
+ # 1.2 uses "1.2" for uname -r.
+ echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+ exit ;;
+ Alpha\ *:Windows_NT*:*)
+ # How do we know it's Interix rather than the generic POSIX subsystem?
+ # Should we change UNAME_MACHINE based on the output of uname instead
+ # of the specific Alpha model?
+ echo alpha-pc-interix
+ exit ;;
+ 21064:Windows_NT:50:3)
+ echo alpha-dec-winnt3.5
+ exit ;;
+ Amiga*:UNIX_System_V:4.0:*)
+ echo m68k-unknown-sysv4
+ exit ;;
+ *:[Aa]miga[Oo][Ss]:*:*)
+ echo ${UNAME_MACHINE}-unknown-amigaos
+ exit ;;
+ *:[Mm]orph[Oo][Ss]:*:*)
+ echo ${UNAME_MACHINE}-unknown-morphos
+ exit ;;
+ *:OS/390:*:*)
+ echo i370-ibm-openedition
+ exit ;;
+ *:z/VM:*:*)
+ echo s390-ibm-zvmoe
+ exit ;;
+ *:OS400:*:*)
+ echo powerpc-ibm-os400
+ exit ;;
+ arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
+ echo arm-acorn-riscix${UNAME_RELEASE}
+ exit ;;
+ arm:riscos:*:*|arm:RISCOS:*:*)
+ echo arm-unknown-riscos
+ exit ;;
+ SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
+ echo hppa1.1-hitachi-hiuxmpp
+ exit ;;
+ Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
+ # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
+ if test "`(/bin/universe) 2>/dev/null`" = att ; then
+ echo pyramid-pyramid-sysv3
+ else
+ echo pyramid-pyramid-bsd
+ fi
+ exit ;;
+ NILE*:*:*:dcosx)
+ echo pyramid-pyramid-svr4
+ exit ;;
+ DRS?6000:unix:4.0:6*)
+ echo sparc-icl-nx6
+ exit ;;
+ DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*)
+ case `/usr/bin/uname -p` in
+ sparc) echo sparc-icl-nx7; exit ;;
+ esac ;;
+ sun4H:SunOS:5.*:*)
+ echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit ;;
+ sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
+ echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit ;;
+ i86pc:SunOS:5.*:*)
+ echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit ;;
+ sun4*:SunOS:6*:*)
+ # According to config.sub, this is the proper way to canonicalize
+ # SunOS6. Hard to guess exactly what SunOS6 will be like, but
+ # it's likely to be more like Solaris than SunOS4.
+ echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit ;;
+ sun4*:SunOS:*:*)
+ case "`/usr/bin/arch -k`" in
+ Series*|S4*)
+ UNAME_RELEASE=`uname -v`
+ ;;
+ esac
+ # Japanese Language versions have a version number like `4.1.3-JL'.
+ echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+ exit ;;
+ sun3*:SunOS:*:*)
+ echo m68k-sun-sunos${UNAME_RELEASE}
+ exit ;;
+ sun*:*:4.2BSD:*)
+ UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+ test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+ case "`/bin/arch`" in
+ sun3)
+ echo m68k-sun-sunos${UNAME_RELEASE}
+ ;;
+ sun4)
+ echo sparc-sun-sunos${UNAME_RELEASE}
+ ;;
+ esac
+ exit ;;
+ aushp:SunOS:*:*)
+ echo sparc-auspex-sunos${UNAME_RELEASE}
+ exit ;;
+ # The situation for MiNT is a little confusing. The machine name
+ # can be virtually everything (everything which is not
+ # "atarist" or "atariste" at least should have a processor
+ # > m68000). The system name ranges from "MiNT" over "FreeMiNT"
+ # to the lowercase version "mint" (or "freemint"). Finally
+ # the system name "TOS" denotes a system which is actually not
+ # MiNT. But MiNT is downward compatible to TOS, so this should
+ # be no problem.
+ atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
+ echo m68k-atari-mint${UNAME_RELEASE}
+ exit ;;
+ atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
+ echo m68k-atari-mint${UNAME_RELEASE}
+ exit ;;
+ *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
+ echo m68k-atari-mint${UNAME_RELEASE}
+ exit ;;
+ milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
+ echo m68k-milan-mint${UNAME_RELEASE}
+ exit ;;
+ hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
+ echo m68k-hades-mint${UNAME_RELEASE}
+ exit ;;
+ *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
+ echo m68k-unknown-mint${UNAME_RELEASE}
+ exit ;;
+ m68k:machten:*:*)
+ echo m68k-apple-machten${UNAME_RELEASE}
+ exit ;;
+ powerpc:machten:*:*)
+ echo powerpc-apple-machten${UNAME_RELEASE}
+ exit ;;
+ RISC*:Mach:*:*)
+ echo mips-dec-mach_bsd4.3
+ exit ;;
+ RISC*:ULTRIX:*:*)
+ echo mips-dec-ultrix${UNAME_RELEASE}
+ exit ;;
+ VAX*:ULTRIX*:*:*)
+ echo vax-dec-ultrix${UNAME_RELEASE}
+ exit ;;
+ 2020:CLIX:*:* | 2430:CLIX:*:*)
+ echo clipper-intergraph-clix${UNAME_RELEASE}
+ exit ;;
+ mips:*:*:UMIPS | mips:*:*:RISCos)
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+#ifdef __cplusplus
+#include <stdio.h> /* for printf() prototype */
+ int main (int argc, char *argv[]) {
+#else
+ int main (argc, argv) int argc; char *argv[]; {
+#endif
+ #if defined (host_mips) && defined (MIPSEB)
+ #if defined (SYSTYPE_SYSV)
+ printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+ #endif
+ #if defined (SYSTYPE_SVR4)
+ printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+ #endif
+ #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
+ printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+ #endif
+ #endif
+ exit (-1);
+ }
+EOF
+ $CC_FOR_BUILD -o $dummy $dummy.c &&
+ dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
+ SYSTEM_NAME=`$dummy $dummyarg` &&
+ { echo "$SYSTEM_NAME"; exit; }
+ echo mips-mips-riscos${UNAME_RELEASE}
+ exit ;;
+ Motorola:PowerMAX_OS:*:*)
+ echo powerpc-motorola-powermax
+ exit ;;
+ Motorola:*:4.3:PL8-*)
+ echo powerpc-harris-powermax
+ exit ;;
+ Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
+ echo powerpc-harris-powermax
+ exit ;;
+ Night_Hawk:Power_UNIX:*:*)
+ echo powerpc-harris-powerunix
+ exit ;;
+ m88k:CX/UX:7*:*)
+ echo m88k-harris-cxux7
+ exit ;;
+ m88k:*:4*:R4*)
+ echo m88k-motorola-sysv4
+ exit ;;
+ m88k:*:3*:R3*)
+ echo m88k-motorola-sysv3
+ exit ;;
+ AViiON:dgux:*:*)
+ # DG/UX returns AViiON for all architectures
+ UNAME_PROCESSOR=`/usr/bin/uname -p`
+ if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
+ then
+ if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
+ [ ${TARGET_BINARY_INTERFACE}x = x ]
+ then
+ echo m88k-dg-dgux${UNAME_RELEASE}
+ else
+ echo m88k-dg-dguxbcs${UNAME_RELEASE}
+ fi
+ else
+ echo i586-dg-dgux${UNAME_RELEASE}
+ fi
+ exit ;;
+ M88*:DolphinOS:*:*) # DolphinOS (SVR3)
+ echo m88k-dolphin-sysv3
+ exit ;;
+ M88*:*:R3*:*)
+ # Delta 88k system running SVR3
+ echo m88k-motorola-sysv3
+ exit ;;
+ XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
+ echo m88k-tektronix-sysv3
+ exit ;;
+ Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
+ echo m68k-tektronix-bsd
+ exit ;;
+ *:IRIX*:*:*)
+ echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+ exit ;;
+ ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
+ echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id
+ exit ;; # Note that: echo "'`uname -s`'" gives 'AIX '
+ i*86:AIX:*:*)
+ echo i386-ibm-aix
+ exit ;;
+ ia64:AIX:*:*)
+ if [ -x /usr/bin/oslevel ] ; then
+ IBM_REV=`/usr/bin/oslevel`
+ else
+ IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+ fi
+ echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
+ exit ;;
+ *:AIX:2:3)
+ if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #include <sys/systemcfg.h>
+
+ main()
+ {
+ if (!__power_pc())
+ exit(1);
+ puts("powerpc-ibm-aix3.2.5");
+ exit(0);
+ }
+EOF
+ if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
+ then
+ echo "$SYSTEM_NAME"
+ else
+ echo rs6000-ibm-aix3.2.5
+ fi
+ elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
+ echo rs6000-ibm-aix3.2.4
+ else
+ echo rs6000-ibm-aix3.2
+ fi
+ exit ;;
+ *:AIX:*:[45])
+ IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
+ if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
+ IBM_ARCH=rs6000
+ else
+ IBM_ARCH=powerpc
+ fi
+ if [ -x /usr/bin/oslevel ] ; then
+ IBM_REV=`/usr/bin/oslevel`
+ else
+ IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+ fi
+ echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+ exit ;;
+ *:AIX:*:*)
+ echo rs6000-ibm-aix
+ exit ;;
+ ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+ echo romp-ibm-bsd4.4
+ exit ;;
+ ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and
+ echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to
+ exit ;; # report: romp-ibm BSD 4.3
+ *:BOSX:*:*)
+ echo rs6000-bull-bosx
+ exit ;;
+ DPX/2?00:B.O.S.:*:*)
+ echo m68k-bull-sysv3
+ exit ;;
+ 9000/[34]??:4.3bsd:1.*:*)
+ echo m68k-hp-bsd
+ exit ;;
+ hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
+ echo m68k-hp-bsd4.4
+ exit ;;
+ 9000/[34678]??:HP-UX:*:*)
+ HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+ case "${UNAME_MACHINE}" in
+ 9000/31? ) HP_ARCH=m68000 ;;
+ 9000/[34]?? ) HP_ARCH=m68k ;;
+ 9000/[678][0-9][0-9])
+ if [ -x /usr/bin/getconf ]; then
+ sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
+ sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
+ case "${sc_cpu_version}" in
+ 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
+ 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+ 532) # CPU_PA_RISC2_0
+ case "${sc_kernel_bits}" in
+ 32) HP_ARCH="hppa2.0n" ;;
+ 64) HP_ARCH="hppa2.0w" ;;
+ '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20
+ esac ;;
+ esac
+ fi
+ if [ "${HP_ARCH}" = "" ]; then
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+
+ #define _HPUX_SOURCE
+ #include <stdlib.h>
+ #include <unistd.h>
+
+ int main ()
+ {
+ #if defined(_SC_KERNEL_BITS)
+ long bits = sysconf(_SC_KERNEL_BITS);
+ #endif
+ long cpu = sysconf (_SC_CPU_VERSION);
+
+ switch (cpu)
+ {
+ case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+ case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+ case CPU_PA_RISC2_0:
+ #if defined(_SC_KERNEL_BITS)
+ switch (bits)
+ {
+ case 64: puts ("hppa2.0w"); break;
+ case 32: puts ("hppa2.0n"); break;
+ default: puts ("hppa2.0"); break;
+ } break;
+ #else /* !defined(_SC_KERNEL_BITS) */
+ puts ("hppa2.0"); break;
+ #endif
+ default: puts ("hppa1.0"); break;
+ }
+ exit (0);
+ }
+EOF
+ (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+ test -z "$HP_ARCH" && HP_ARCH=hppa
+ fi ;;
+ esac
+ if [ ${HP_ARCH} = "hppa2.0w" ]
+ then
+ eval $set_cc_for_build
+
+ # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
+ # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler
+ # generating 64-bit code. GNU and HP use different nomenclature:
+ #
+ # $ CC_FOR_BUILD=cc ./config.guess
+ # => hppa2.0w-hp-hpux11.23
+ # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
+ # => hppa64-hp-hpux11.23
+
+ if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
+ grep __LP64__ >/dev/null
+ then
+ HP_ARCH="hppa2.0w"
+ else
+ HP_ARCH="hppa64"
+ fi
+ fi
+ echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+ exit ;;
+ ia64:HP-UX:*:*)
+ HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+ echo ia64-hp-hpux${HPUX_REV}
+ exit ;;
+ 3050*:HI-UX:*:*)
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #include <unistd.h>
+ int
+ main ()
+ {
+ long cpu = sysconf (_SC_CPU_VERSION);
+ /* The order matters, because CPU_IS_HP_MC68K erroneously returns
+ true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct
+ results, however. */
+ if (CPU_IS_PA_RISC (cpu))
+ {
+ switch (cpu)
+ {
+ case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
+ case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
+ case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
+ default: puts ("hppa-hitachi-hiuxwe2"); break;
+ }
+ }
+ else if (CPU_IS_HP_MC68K (cpu))
+ puts ("m68k-hitachi-hiuxwe2");
+ else puts ("unknown-hitachi-hiuxwe2");
+ exit (0);
+ }
+EOF
+ $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` &&
+ { echo "$SYSTEM_NAME"; exit; }
+ echo unknown-hitachi-hiuxwe2
+ exit ;;
+ 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+ echo hppa1.1-hp-bsd
+ exit ;;
+ 9000/8??:4.3bsd:*:*)
+ echo hppa1.0-hp-bsd
+ exit ;;
+ *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
+ echo hppa1.0-hp-mpeix
+ exit ;;
+ hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+ echo hppa1.1-hp-osf
+ exit ;;
+ hp8??:OSF1:*:*)
+ echo hppa1.0-hp-osf
+ exit ;;
+ i*86:OSF1:*:*)
+ if [ -x /usr/sbin/sysversion ] ; then
+ echo ${UNAME_MACHINE}-unknown-osf1mk
+ else
+ echo ${UNAME_MACHINE}-unknown-osf1
+ fi
+ exit ;;
+ parisc*:Lites*:*:*)
+ echo hppa1.1-hp-lites
+ exit ;;
+ C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
+ echo c1-convex-bsd
+ exit ;;
+ C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
+ if getsysinfo -f scalar_acc
+ then echo c32-convex-bsd
+ else echo c2-convex-bsd
+ fi
+ exit ;;
+ C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
+ echo c34-convex-bsd
+ exit ;;
+ C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
+ echo c38-convex-bsd
+ exit ;;
+ C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
+ echo c4-convex-bsd
+ exit ;;
+ CRAY*Y-MP:*:*:*)
+ echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit ;;
+ CRAY*[A-Z]90:*:*:*)
+ echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
+ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
+ -e 's/\.[^.]*$/.X/'
+ exit ;;
+ CRAY*TS:*:*:*)
+ echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit ;;
+ CRAY*T3E:*:*:*)
+ echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit ;;
+ CRAY*SV1:*:*:*)
+ echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit ;;
+ *:UNICOS/mp:*:*)
+ echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit ;;
+ F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
+ FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+ FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+ FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+ echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+ exit ;;
+ 5000:UNIX_System_V:4.*:*)
+ FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+ FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+ echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+ exit ;;
+ i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
+ echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+ exit ;;
+ sparc*:BSD/OS:*:*)
+ echo sparc-unknown-bsdi${UNAME_RELEASE}
+ exit ;;
+ *:BSD/OS:*:*)
+ echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+ exit ;;
+ *:FreeBSD:*:*)
+ case ${UNAME_MACHINE} in
+ pc98)
+ echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+ amd64)
+ echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+ *)
+ echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+ esac
+ exit ;;
+ i*:CYGWIN*:*)
+ echo ${UNAME_MACHINE}-pc-cygwin
+ exit ;;
+ i*:MINGW*:*)
+ echo ${UNAME_MACHINE}-pc-mingw32
+ exit ;;
+ i*:windows32*:*)
+ # uname -m includes "-pc" on this system.
+ echo ${UNAME_MACHINE}-mingw32
+ exit ;;
+ i*:PW*:*)
+ echo ${UNAME_MACHINE}-pc-pw32
+ exit ;;
+ x86:Interix*:[3456]*)
+ echo i586-pc-interix${UNAME_RELEASE}
+ exit ;;
+ EM64T:Interix*:[3456]*)
+ echo x86_64-unknown-interix${UNAME_RELEASE}
+ exit ;;
+ [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
+ echo i${UNAME_MACHINE}-pc-mks
+ exit ;;
+ i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
+ # How do we know it's Interix rather than the generic POSIX subsystem?
+ # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
+ # UNAME_MACHINE based on the output of uname instead of i386?
+ echo i586-pc-interix
+ exit ;;
+ i*:UWIN*:*)
+ echo ${UNAME_MACHINE}-pc-uwin
+ exit ;;
+ amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*)
+ echo x86_64-unknown-cygwin
+ exit ;;
+ p*:CYGWIN*:*)
+ echo powerpcle-unknown-cygwin
+ exit ;;
+ prep*:SunOS:5.*:*)
+ echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit ;;
+ *:GNU:*:*)
+ # the GNU system
+ echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+ exit ;;
+ *:GNU/*:*:*)
+ # other systems with GNU libc and userland
+ echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
+ exit ;;
+ i*86:Minix:*:*)
+ echo ${UNAME_MACHINE}-pc-minix
+ exit ;;
+ arm*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ exit ;;
+ avr32*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ exit ;;
+ cris:Linux:*:*)
+ echo cris-axis-linux-${LIBC}
+ exit ;;
+ crisv32:Linux:*:*)
+ echo crisv32-axis-linux-${LIBC}
+ exit ;;
+ frv:Linux:*:*)
+ echo frv-unknown-linux-${LIBC}
+ exit ;;
+ ia64:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ exit ;;
+ m32r*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ exit ;;
+ m68*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ exit ;;
+ mips:Linux:*:*)
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #undef CPU
+ #undef mips
+ #undef mipsel
+ #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+ CPU=mipsel
+ #else
+ #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+ CPU=mips
+ #else
+ CPU=
+ #endif
+ #endif
+EOF
+ eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
+ /^CPU/{
+ s: ::g
+ p
+ }'`"
+ test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
+ ;;
+ mips64:Linux:*:*)
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #undef CPU
+ #undef mips64
+ #undef mips64el
+ #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+ CPU=mips64el
+ #else
+ #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+ CPU=mips64
+ #else
+ CPU=
+ #endif
+ #endif
+EOF
+ eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
+ /^CPU/{
+ s: ::g
+ p
+ }'`"
+ test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
+ ;;
+ or32:Linux:*:*)
+ echo or32-unknown-linux-${LIBC}
+ exit ;;
+ ppc:Linux:*:*)
+ echo powerpc-unknown-linux-${LIBC}
+ exit ;;
+ ppc64:Linux:*:*)
+ echo powerpc64-unknown-linux-${LIBC}
+ exit ;;
+ alpha:Linux:*:*)
+ case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+ EV5) UNAME_MACHINE=alphaev5 ;;
+ EV56) UNAME_MACHINE=alphaev56 ;;
+ PCA56) UNAME_MACHINE=alphapca56 ;;
+ PCA57) UNAME_MACHINE=alphapca56 ;;
+ EV6) UNAME_MACHINE=alphaev6 ;;
+ EV67) UNAME_MACHINE=alphaev67 ;;
+ EV68*) UNAME_MACHINE=alphaev68 ;;
+ esac
+ objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
+ if test "$?" = 0 ; then LIBC="gnulibc1" ; fi
+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ exit ;;
+ parisc:Linux:*:* | hppa:Linux:*:*)
+ # Look for CPU level
+ case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
+ PA7*) echo hppa1.1-unknown-linux-${LIBC} ;;
+ PA8*) echo hppa2.0-unknown-linux-${LIBC} ;;
+ *) echo hppa-unknown-linux-${LIBC} ;;
+ esac
+ exit ;;
+ parisc64:Linux:*:* | hppa64:Linux:*:*)
+ echo hppa64-unknown-linux-${LIBC}
+ exit ;;
+ s390:Linux:*:* | s390x:Linux:*:*)
+ echo ${UNAME_MACHINE}-ibm-linux
+ exit ;;
+ sh64*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ exit ;;
+ sh*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ exit ;;
+ sparc:Linux:*:* | sparc64:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ exit ;;
+ vax:Linux:*:*)
+ echo ${UNAME_MACHINE}-dec-linux-${LIBC}
+ exit ;;
+ x86_64:Linux:*:*)
+ echo x86_64-unknown-linux-${LIBC}
+ exit ;;
+ i*86:Linux:*:*)
+ # The BFD linker knows what the default object file format is, so
+ # first see if it will tell us. cd to the root directory to prevent
+ # problems with other programs or directories called `ld' in the path.
+ # Set LC_ALL=C to ensure ld outputs messages in English.
+ ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
+ | sed -ne '/supported targets:/!d
+ s/[ ][ ]*/ /g
+ s/.*supported targets: *//
+ s/ .*//
+ p'`
+ case "$ld_supported_targets" in
+ elf32-i386)
+ TENTATIVE="${UNAME_MACHINE}-pc-linux-${LIBC}"
+ ;;
+ a.out-i386-linux)
+ echo "${UNAME_MACHINE}-pc-linux-${LIBC}aout"
+ exit ;;
+ coff-i386)
+ echo "${UNAME_MACHINE}-pc-linux-${LIBC}coff"
+ exit ;;
+ "")
+ # Either a pre-BFD a.out linker (linux-gnuoldld) or
+ # one that does not give us useful --help.
+ echo "${UNAME_MACHINE}-pc-linux-${LIBC}oldld"
+ exit ;;
+ esac
+ # This should get integrated into the C code below, but now we hack
+ if [ "$LIBC" != "gnu" ] ; then echo "$TENTATIVE" && exit 0 ; fi
+ # Determine whether the default compiler is a.out or elf
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #include <features.h>
+ #ifdef __ELF__
+ # ifdef __GLIBC__
+ # if __GLIBC__ >= 2
+ LIBC=gnu
+ # else
+ LIBC=gnulibc1
+ # endif
+ # else
+ LIBC=gnulibc1
+ # endif
+ #else
+ #if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__SUNPRO_C) || defined(__SUNPRO_CC)
+ LIBC=gnu
+ #else
+ LIBC=gnuaout
+ #endif
+ #endif
+ #ifdef __dietlibc__
+ LIBC=dietlibc
+ #endif
+EOF
+ eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n '
+ /^LIBC/{
+ s: ::g
+ p
+ }'`"
+ test x"${LIBC}" != x && {
+ echo "${UNAME_MACHINE}-pc-linux-${LIBC}"
+ exit
+ }
+ test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; }
+ ;;
+ i*86:DYNIX/ptx:4*:*)
+ # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
+ # earlier versions are messed up and put the nodename in both
+ # sysname and nodename.
+ echo i386-sequent-sysv4
+ exit ;;
+ i*86:UNIX_SV:4.2MP:2.*)
+ # Unixware is an offshoot of SVR4, but it has its own version
+ # number series starting with 2...
+ # I am not positive that other SVR4 systems won't match this,
+ # I just have to hope. -- rms.
+ # Use sysv4.2uw... so that sysv4* matches it.
+ echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+ exit ;;
+ i*86:OS/2:*:*)
+ # If we were able to find `uname', then EMX Unix compatibility
+ # is probably installed.
+ echo ${UNAME_MACHINE}-pc-os2-emx
+ exit ;;
+ i*86:XTS-300:*:STOP)
+ echo ${UNAME_MACHINE}-unknown-stop
+ exit ;;
+ i*86:atheos:*:*)
+ echo ${UNAME_MACHINE}-unknown-atheos
+ exit ;;
+ i*86:syllable:*:*)
+ echo ${UNAME_MACHINE}-pc-syllable
+ exit ;;
+ i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
+ echo i386-unknown-lynxos${UNAME_RELEASE}
+ exit ;;
+ i*86:*DOS:*:*)
+ echo ${UNAME_MACHINE}-pc-msdosdjgpp
+ exit ;;
+ i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
+ UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
+ if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
+ echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+ else
+ echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+ fi
+ exit ;;
+ i*86:*:5:[678]*)
+ # UnixWare 7.x, OpenUNIX and OpenServer 6.
+ case `/bin/uname -X | grep "^Machine"` in
+ *486*) UNAME_MACHINE=i486 ;;
+ *Pentium) UNAME_MACHINE=i586 ;;
+ *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
+ esac
+ echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
+ exit ;;
+ i*86:*:3.2:*)
+ if test -f /usr/options/cb.name; then
+ UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
+ echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+ elif /bin/uname -X 2>/dev/null >/dev/null ; then
+ UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
+ (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
+ (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
+ && UNAME_MACHINE=i586
+ (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
+ && UNAME_MACHINE=i686
+ (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
+ && UNAME_MACHINE=i686
+ echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+ else
+ echo ${UNAME_MACHINE}-pc-sysv32
+ fi
+ exit ;;
+ pc:*:*:*)
+ # Left here for compatibility:
+ # uname -m prints for DJGPP always 'pc', but it prints nothing about
+ # the processor, so we play safe by assuming i386.
+ echo i386-pc-msdosdjgpp
+ exit ;;
+ Intel:Mach:3*:*)
+ echo i386-pc-mach3
+ exit ;;
+ paragon:*:*:*)
+ echo i860-intel-osf1
+ exit ;;
+ i860:*:4.*:*) # i860-SVR4
+ if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
+ echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+ else # Add other i860-SVR4 vendors below as they are discovered.
+ echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4
+ fi
+ exit ;;
+ mini*:CTIX:SYS*5:*)
+ # "miniframe"
+ echo m68010-convergent-sysv
+ exit ;;
+ mc68k:UNIX:SYSTEM5:3.51m)
+ echo m68k-convergent-sysv
+ exit ;;
+ M680?0:D-NIX:5.3:*)
+ echo m68k-diab-dnix
+ exit ;;
+ M68*:*:R3V[5678]*:*)
+ test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;;
+ 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
+ OS_REL=''
+ test -r /etc/.relid \
+ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+ /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+ && { echo i486-ncr-sysv4.3${OS_REL}; exit; }
+ /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;;
+ 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
+ /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+ && { echo i486-ncr-sysv4; exit; } ;;
+ m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
+ echo m68k-unknown-lynxos${UNAME_RELEASE}
+ exit ;;
+ mc68030:UNIX_System_V:4.*:*)
+ echo m68k-atari-sysv4
+ exit ;;
+ TSUNAMI:LynxOS:2.*:*)
+ echo sparc-unknown-lynxos${UNAME_RELEASE}
+ exit ;;
+ rs6000:LynxOS:2.*:*)
+ echo rs6000-unknown-lynxos${UNAME_RELEASE}
+ exit ;;
+ PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
+ echo powerpc-unknown-lynxos${UNAME_RELEASE}
+ exit ;;
+ SM[BE]S:UNIX_SV:*:*)
+ echo mips-dde-sysv${UNAME_RELEASE}
+ exit ;;
+ RM*:ReliantUNIX-*:*:*)
+ echo mips-sni-sysv4
+ exit ;;
+ RM*:SINIX-*:*:*)
+ echo mips-sni-sysv4
+ exit ;;
+ *:SINIX-*:*:*)
+ if uname -p 2>/dev/null >/dev/null ; then
+ UNAME_MACHINE=`(uname -p) 2>/dev/null`
+ echo ${UNAME_MACHINE}-sni-sysv4
+ else
+ echo ns32k-sni-sysv
+ fi
+ exit ;;
+ PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+ # says <Richard.M.Bartel@ccMail.Census.GOV>
+ echo i586-unisys-sysv4
+ exit ;;
+ *:UNIX_System_V:4*:FTX*)
+ # From Gerald Hewes <hewes@openmarket.com>.
+ # How about differentiating between stratus architectures? -djm
+ echo hppa1.1-stratus-sysv4
+ exit ;;
+ *:*:*:FTX*)
+ # From seanf@swdc.stratus.com.
+ echo i860-stratus-sysv4
+ exit ;;
+ i*86:VOS:*:*)
+ # From Paul.Green@stratus.com.
+ echo ${UNAME_MACHINE}-stratus-vos
+ exit ;;
+ *:VOS:*:*)
+ # From Paul.Green@stratus.com.
+ echo hppa1.1-stratus-vos
+ exit ;;
+ mc68*:A/UX:*:*)
+ echo m68k-apple-aux${UNAME_RELEASE}
+ exit ;;
+ news*:NEWS-OS:6*:*)
+ echo mips-sony-newsos6
+ exit ;;
+ R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
+ if [ -d /usr/nec ]; then
+ echo mips-nec-sysv${UNAME_RELEASE}
+ else
+ echo mips-unknown-sysv${UNAME_RELEASE}
+ fi
+ exit ;;
+ BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
+ echo powerpc-be-beos
+ exit ;;
+ BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only.
+ echo powerpc-apple-beos
+ exit ;;
+ BePC:BeOS:*:*) # BeOS running on Intel PC compatible.
+ echo i586-pc-beos
+ exit ;;
+ SX-4:SUPER-UX:*:*)
+ echo sx4-nec-superux${UNAME_RELEASE}
+ exit ;;
+ SX-5:SUPER-UX:*:*)
+ echo sx5-nec-superux${UNAME_RELEASE}
+ exit ;;
+ SX-6:SUPER-UX:*:*)
+ echo sx6-nec-superux${UNAME_RELEASE}
+ exit ;;
+ Power*:Rhapsody:*:*)
+ echo powerpc-apple-rhapsody${UNAME_RELEASE}
+ exit ;;
+ *:Rhapsody:*:*)
+ echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+ exit ;;
+ *:Darwin:*:*)
+ UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
+ case $UNAME_PROCESSOR in
+ unknown) UNAME_PROCESSOR=powerpc ;;
+ esac
+ echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
+ exit ;;
+ *:procnto*:*:* | *:QNX:[0123456789]*:*)
+ UNAME_PROCESSOR=`uname -p`
+ if test "$UNAME_PROCESSOR" = "x86"; then
+ UNAME_PROCESSOR=i386
+ UNAME_MACHINE=pc
+ fi
+ echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
+ exit ;;
+ *:QNX:*:4*)
+ echo i386-pc-qnx
+ exit ;;
+ NSE-?:NONSTOP_KERNEL:*:*)
+ echo nse-tandem-nsk${UNAME_RELEASE}
+ exit ;;
+ NSR-?:NONSTOP_KERNEL:*:*)
+ echo nsr-tandem-nsk${UNAME_RELEASE}
+ exit ;;
+ *:NonStop-UX:*:*)
+ echo mips-compaq-nonstopux
+ exit ;;
+ BS2000:POSIX*:*:*)
+ echo bs2000-siemens-sysv
+ exit ;;
+ DS/*:UNIX_System_V:*:*)
+ echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+ exit ;;
+ *:Plan9:*:*)
+ # "uname -m" is not consistent, so use $cputype instead. 386
+ # is converted to i386 for consistency with other x86
+ # operating systems.
+ if test "$cputype" = "386"; then
+ UNAME_MACHINE=i386
+ else
+ UNAME_MACHINE="$cputype"
+ fi
+ echo ${UNAME_MACHINE}-unknown-plan9
+ exit ;;
+ *:TOPS-10:*:*)
+ echo pdp10-unknown-tops10
+ exit ;;
+ *:TENEX:*:*)
+ echo pdp10-unknown-tenex
+ exit ;;
+ KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
+ echo pdp10-dec-tops20
+ exit ;;
+ XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
+ echo pdp10-xkl-tops20
+ exit ;;
+ *:TOPS-20:*:*)
+ echo pdp10-unknown-tops20
+ exit ;;
+ *:ITS:*:*)
+ echo pdp10-unknown-its
+ exit ;;
+ SEI:*:*:SEIUX)
+ echo mips-sei-seiux${UNAME_RELEASE}
+ exit ;;
+ *:DragonFly:*:*)
+ echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+ exit ;;
+ *:*VMS:*:*)
+ UNAME_MACHINE=`(uname -p) 2>/dev/null`
+ case "${UNAME_MACHINE}" in
+ A*) echo alpha-dec-vms ; exit ;;
+ I*) echo ia64-dec-vms ; exit ;;
+ V*) echo vax-dec-vms ; exit ;;
+ esac ;;
+ *:XENIX:*:SysV)
+ echo i386-pc-xenix
+ exit ;;
+ i*86:skyos:*:*)
+ echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
+ exit ;;
+ i*86:rdos:*:*)
+ echo ${UNAME_MACHINE}-pc-rdos
+ exit ;;
+esac
+
+#echo '(No uname command or uname output not recognized.)' 1>&2
+#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
+
+eval $set_cc_for_build
+cat >$dummy.c <<EOF
+#ifdef _SEQUENT_
+# include <sys/types.h>
+# include <sys/utsname.h>
+#endif
+main ()
+{
+#if defined (sony)
+#if defined (MIPSEB)
+ /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed,
+ I don't know.... */
+ printf ("mips-sony-bsd\n"); exit (0);
+#else
+#include <sys/param.h>
+ printf ("m68k-sony-newsos%s\n",
+#ifdef NEWSOS4
+ "4"
+#else
+ ""
+#endif
+ ); exit (0);
+#endif
+#endif
+
+#if defined (__arm) && defined (__acorn) && defined (__unix)
+ printf ("arm-acorn-riscix\n"); exit (0);
+#endif
+
+#if defined (hp300) && !defined (hpux)
+ printf ("m68k-hp-bsd\n"); exit (0);
+#endif
+
+#if defined (NeXT)
+#if !defined (__ARCHITECTURE__)
+#define __ARCHITECTURE__ "m68k"
+#endif
+ int version;
+ version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
+ if (version < 4)
+ printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+ else
+ printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
+ exit (0);
+#endif
+
+#if defined (MULTIMAX) || defined (n16)
+#if defined (UMAXV)
+ printf ("ns32k-encore-sysv\n"); exit (0);
+#else
+#if defined (CMU)
+ printf ("ns32k-encore-mach\n"); exit (0);
+#else
+ printf ("ns32k-encore-bsd\n"); exit (0);
+#endif
+#endif
+#endif
+
+#if defined (__386BSD__)
+ printf ("i386-pc-bsd\n"); exit (0);
+#endif
+
+#if defined (sequent)
+#if defined (i386)
+ printf ("i386-sequent-dynix\n"); exit (0);
+#endif
+#if defined (ns32000)
+ printf ("ns32k-sequent-dynix\n"); exit (0);
+#endif
+#endif
+
+#if defined (_SEQUENT_)
+ struct utsname un;
+
+ uname(&un);
+
+ if (strncmp(un.version, "V2", 2) == 0) {
+ printf ("i386-sequent-ptx2\n"); exit (0);
+ }
+ if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
+ printf ("i386-sequent-ptx1\n"); exit (0);
+ }
+ printf ("i386-sequent-ptx\n"); exit (0);
+
+#endif
+
+#if defined (vax)
+# if !defined (ultrix)
+# include <sys/param.h>
+# if defined (BSD)
+# if BSD == 43
+ printf ("vax-dec-bsd4.3\n"); exit (0);
+# else
+# if BSD == 199006
+ printf ("vax-dec-bsd4.3reno\n"); exit (0);
+# else
+ printf ("vax-dec-bsd\n"); exit (0);
+# endif
+# endif
+# else
+ printf ("vax-dec-bsd\n"); exit (0);
+# endif
+# else
+ printf ("vax-dec-ultrix\n"); exit (0);
+# endif
+#endif
+
+#if defined (alliant) && defined (i860)
+ printf ("i860-alliant-bsd\n"); exit (0);
+#endif
+
+ exit (1);
+}
+EOF
+
+$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
+ { echo "$SYSTEM_NAME"; exit; }
+
+# Apollos put the system type in the environment.
+
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
+
+# Convex versions that predate uname can use getsysinfo(1)
+
+if [ -x /usr/convex/getsysinfo ]
+then
+ case `getsysinfo -f cpu_type` in
+ c1*)
+ echo c1-convex-bsd
+ exit ;;
+ c2*)
+ if getsysinfo -f scalar_acc
+ then echo c32-convex-bsd
+ else echo c2-convex-bsd
+ fi
+ exit ;;
+ c34*)
+ echo c34-convex-bsd
+ exit ;;
+ c38*)
+ echo c38-convex-bsd
+ exit ;;
+ c4*)
+ echo c4-convex-bsd
+ exit ;;
+ esac
+fi
+
+cat >&2 <<EOF
+$0: unable to guess system type
+
+This script, last modified $timestamp, has failed to recognize
+the operating system you are using. It is advised that you
+download the most up to date version of the config scripts from
+
+ http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.guess
+and
+ http://savannah.gnu.org/cgi-bin/viewcvs/*checkout*/config/config/config.sub
+
+If the version you run ($0) is already up to date, please
+send the following data and any information you think might be
+pertinent to <config-patches@gnu.org> in order to provide the needed
+information to handle your system.
+
+config.guess timestamp = $timestamp
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo = `(hostinfo) 2>/dev/null`
+/bin/universe = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
+
+exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/config.sub b/config.sub
new file mode 100755
index 000000000..ae0b3ddff
--- /dev/null
+++ b/config.sub
@@ -0,0 +1,1626 @@
+#! /bin/sh
+# Configuration validation subroutine script.
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+# 2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
+# Inc.
+
+timestamp='2006-07-02'
+
+# This file is (in principle) common to ALL GNU software.
+# The presence of a machine in this file suggests that SOME GNU software
+# can handle that machine. It does not imply ALL GNU software can.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA
+# 02110-1301, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+
+# Please send patches to <config-patches@gnu.org>. Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# Configuration subroutine to validate and canonicalize a configuration type.
+# Supply the specified configuration type as an argument.
+# If it is invalid, we print an error message on stderr and exit with code 1.
+# Otherwise, we print the canonical config type on stdout and succeed.
+
+# This file is supposed to be the same for all GNU packages
+# and recognize all the CPU types, system types and aliases
+# that are meaningful with *any* GNU software.
+# Each package is responsible for reporting which valid configurations
+# it does not support. The user should be able to distinguish
+# a failure to support a valid configuration from a meaningless
+# configuration.
+
+# The goal of this file is to map all the various variations of a given
+# machine specification into a single specification in the form:
+# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or in some cases, the newer four-part form:
+# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# It is wrong to echo any other type of specification.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+ $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+ -h, --help print this help, then exit
+ -t, --time-stamp print date of last modification, then exit
+ -v, --version print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.sub ($timestamp)
+
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+ case $1 in
+ --time-stamp | --time* | -t )
+ echo "$timestamp" ; exit ;;
+ --version | -v )
+ echo "$version" ; exit ;;
+ --help | --h* | -h )
+ echo "$usage"; exit ;;
+ -- ) # Stop option processing
+ shift; break ;;
+ - ) # Use stdin as input.
+ break ;;
+ -* )
+ echo "$me: invalid option $1$help"
+ exit 1 ;;
+
+ *local*)
+ # First pass through any local machine types.
+ echo $1
+ exit ;;
+
+ * )
+ break ;;
+ esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+ exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+ exit 1;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+case $maybe_os in
+ nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \
+ uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \
+ storm-chaos* | os2-emx* | rtmk-nova*)
+ os=-$maybe_os
+ basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+ ;;
+ *)
+ basic_machine=`echo $1 | sed 's/-[^-]*$//'`
+ if [ $basic_machine != $1 ]
+ then os=`echo $1 | sed 's/.*-/-/'`
+ else os=; fi
+ ;;
+esac
+
+### Let's recognize common machines as not being operating systems so
+### that things like config.sub decstation-3100 work. We also
+### recognize some manufacturers as not being operating systems, so we
+### can provide default operating systems below.
+case $os in
+ -sun*os*)
+ # Prevent following clause from handling this invalid input.
+ ;;
+ -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
+ -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
+ -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
+ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
+ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
+ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
+ -apple | -axis | -knuth | -cray)
+ os=
+ basic_machine=$1
+ ;;
+ -sim | -cisco | -oki | -wec | -winbond)
+ os=
+ basic_machine=$1
+ ;;
+ -scout)
+ ;;
+ -wrs)
+ os=-vxworks
+ basic_machine=$1
+ ;;
+ -chorusos*)
+ os=-chorusos
+ basic_machine=$1
+ ;;
+ -chorusrdb)
+ os=-chorusrdb
+ basic_machine=$1
+ ;;
+ -hiux*)
+ os=-hiuxwe2
+ ;;
+ -sco6)
+ os=-sco5v6
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco5)
+ os=-sco3.2v5
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco4)
+ os=-sco3.2v4
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco3.2.[4-9]*)
+ os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco3.2v[4-9]*)
+ # Don't forget version if it is 3.2v4 or newer.
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco5v6*)
+ # Don't forget version if it is 3.2v4 or newer.
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco*)
+ os=-sco3.2v2
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -udk*)
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -isc)
+ os=-isc2.2
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -clix*)
+ basic_machine=clipper-intergraph
+ ;;
+ -isc*)
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -lynx*)
+ os=-lynxos
+ ;;
+ -ptx*)
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
+ ;;
+ -windowsnt*)
+ os=`echo $os | sed -e 's/windowsnt/winnt/'`
+ ;;
+ -psos*)
+ os=-psos
+ ;;
+ -mint | -mint[0-9]*)
+ basic_machine=m68k-atari
+ os=-mint
+ ;;
+esac
+
+# Decode aliases for certain CPU-COMPANY combinations.
+case $basic_machine in
+ # Recognize the basic CPU types without company name.
+ # Some are omitted here because they have special meanings below.
+ 1750a | 580 \
+ | a29k \
+ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+ | am33_2.0 \
+ | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
+ | bfin \
+ | c4x | clipper \
+ | d10v | d30v | dlx | dsp16xx | dvp \
+ | fr30 | frv \
+ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+ | i370 | i860 | i960 | ia64 \
+ | ip2k | iq2000 \
+ | m32c | m32r | m32rle | m68000 | m68k | m88k \
+ | maxq | mb | microblaze | mcore \
+ | mips | mipsbe | mipseb | mipsel | mipsle \
+ | mips16 \
+ | mips64 | mips64el \
+ | mips64vr | mips64vrel \
+ | mips64orion | mips64orionel \
+ | mips64vr4100 | mips64vr4100el \
+ | mips64vr4300 | mips64vr4300el \
+ | mips64vr5000 | mips64vr5000el \
+ | mips64vr5900 | mips64vr5900el \
+ | mipsisa32 | mipsisa32el \
+ | mipsisa32r2 | mipsisa32r2el \
+ | mipsisa64 | mipsisa64el \
+ | mipsisa64r2 | mipsisa64r2el \
+ | mipsisa64sb1 | mipsisa64sb1el \
+ | mipsisa64sr71k | mipsisa64sr71kel \
+ | mipstx39 | mipstx39el \
+ | mn10200 | mn10300 \
+ | mt \
+ | msp430 \
+ | nios | nios2 \
+ | ns16k | ns32k \
+ | or32 \
+ | pdp10 | pdp11 | pj | pjl \
+ | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+ | pyramid \
+ | sh | sh[1234] | sh[24]a | sh[24]a*eb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
+ | sh64 | sh64le \
+ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
+ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \
+ | spu | strongarm \
+ | tahoe | thumb | tic4x | tic80 | tron \
+ | v850 | v850e \
+ | we32k \
+ | x86 | xscale | xscalee[bl] | xstormy16 | xtensa \
+ | z8k)
+ basic_machine=$basic_machine-unknown
+ ;;
+ m6811 | m68hc11 | m6812 | m68hc12)
+ # Motorola 68HC11/12.
+ basic_machine=$basic_machine-unknown
+ os=-none
+ ;;
+ m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
+ ;;
+ ms1)
+ basic_machine=mt-unknown
+ ;;
+
+ # We use `pc' rather than `unknown'
+ # because (1) that's what they normally are, and
+ # (2) the word "unknown" tends to confuse beginning users.
+ i*86 | x86_64)
+ basic_machine=$basic_machine-pc
+ ;;
+ # Object if more than one company name word.
+ *-*-*)
+ echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+ exit 1
+ ;;
+ # Recognize the basic CPU types with company name.
+ 580-* \
+ | a29k-* \
+ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
+ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
+ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
+ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \
+ | avr-* | avr32-* \
+ | bfin-* | bs2000-* \
+ | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+ | clipper-* | craynv-* | cydra-* \
+ | d10v-* | d30v-* | dlx-* \
+ | elxsi-* \
+ | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
+ | h8300-* | h8500-* \
+ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+ | i*86-* | i860-* | i960-* | ia64-* \
+ | ip2k-* | iq2000-* \
+ | m32c-* | m32r-* | m32rle-* \
+ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
+ | m88110-* | m88k-* | maxq-* | mcore-* \
+ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
+ | mips16-* \
+ | mips64-* | mips64el-* \
+ | mips64vr-* | mips64vrel-* \
+ | mips64orion-* | mips64orionel-* \
+ | mips64vr4100-* | mips64vr4100el-* \
+ | mips64vr4300-* | mips64vr4300el-* \
+ | mips64vr5000-* | mips64vr5000el-* \
+ | mips64vr5900-* | mips64vr5900el-* \
+ | mipsisa32-* | mipsisa32el-* \
+ | mipsisa32r2-* | mipsisa32r2el-* \
+ | mipsisa64-* | mipsisa64el-* \
+ | mipsisa64r2-* | mipsisa64r2el-* \
+ | mipsisa64sb1-* | mipsisa64sb1el-* \
+ | mipsisa64sr71k-* | mipsisa64sr71kel-* \
+ | mipstx39-* | mipstx39el-* \
+ | mmix-* \
+ | mt-* \
+ | msp430-* \
+ | nios-* | nios2-* \
+ | none-* | np1-* | ns16k-* | ns32k-* \
+ | orion-* \
+ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
+ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+ | pyramid-* \
+ | romp-* | rs6000-* \
+ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]a*eb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
+ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
+ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
+ | sparclite-* \
+ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \
+ | tahoe-* | thumb-* \
+ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+ | tron-* \
+ | v850-* | v850e-* | vax-* \
+ | we32k-* \
+ | x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \
+ | xstormy16-* | xtensa-* \
+ | ymp-* \
+ | z8k-*)
+ ;;
+ # Recognize the various machine names and aliases which stand
+ # for a CPU type and a company and sometimes even an OS.
+ 386bsd)
+ basic_machine=i386-unknown
+ os=-bsd
+ ;;
+ 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
+ basic_machine=m68000-att
+ ;;
+ 3b*)
+ basic_machine=we32k-att
+ ;;
+ a29khif)
+ basic_machine=a29k-amd
+ os=-udi
+ ;;
+ abacus)
+ basic_machine=abacus-unknown
+ ;;
+ adobe68k)
+ basic_machine=m68010-adobe
+ os=-scout
+ ;;
+ alliant | fx80)
+ basic_machine=fx80-alliant
+ ;;
+ altos | altos3068)
+ basic_machine=m68k-altos
+ ;;
+ am29k)
+ basic_machine=a29k-none
+ os=-bsd
+ ;;
+ amd64)
+ basic_machine=x86_64-pc
+ ;;
+ amd64-*)
+ basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ amdahl)
+ basic_machine=580-amdahl
+ os=-sysv
+ ;;
+ amiga | amiga-*)
+ basic_machine=m68k-unknown
+ ;;
+ amigaos | amigados)
+ basic_machine=m68k-unknown
+ os=-amigaos
+ ;;
+ amigaunix | amix)
+ basic_machine=m68k-unknown
+ os=-sysv4
+ ;;
+ apollo68)
+ basic_machine=m68k-apollo
+ os=-sysv
+ ;;
+ apollo68bsd)
+ basic_machine=m68k-apollo
+ os=-bsd
+ ;;
+ aux)
+ basic_machine=m68k-apple
+ os=-aux
+ ;;
+ balance)
+ basic_machine=ns32k-sequent
+ os=-dynix
+ ;;
+ c90)
+ basic_machine=c90-cray
+ os=-unicos
+ ;;
+ convex-c1)
+ basic_machine=c1-convex
+ os=-bsd
+ ;;
+ convex-c2)
+ basic_machine=c2-convex
+ os=-bsd
+ ;;
+ convex-c32)
+ basic_machine=c32-convex
+ os=-bsd
+ ;;
+ convex-c34)
+ basic_machine=c34-convex
+ os=-bsd
+ ;;
+ convex-c38)
+ basic_machine=c38-convex
+ os=-bsd
+ ;;
+ cray | j90)
+ basic_machine=j90-cray
+ os=-unicos
+ ;;
+ craynv)
+ basic_machine=craynv-cray
+ os=-unicosmp
+ ;;
+ cr16c)
+ basic_machine=cr16c-unknown
+ os=-elf
+ ;;
+ crds | unos)
+ basic_machine=m68k-crds
+ ;;
+ crisv32 | crisv32-* | etraxfs*)
+ basic_machine=crisv32-axis
+ ;;
+ cris | cris-* | etrax*)
+ basic_machine=cris-axis
+ ;;
+ crx)
+ basic_machine=crx-unknown
+ os=-elf
+ ;;
+ da30 | da30-*)
+ basic_machine=m68k-da30
+ ;;
+ decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
+ basic_machine=mips-dec
+ ;;
+ decsystem10* | dec10*)
+ basic_machine=pdp10-dec
+ os=-tops10
+ ;;
+ decsystem20* | dec20*)
+ basic_machine=pdp10-dec
+ os=-tops20
+ ;;
+ delta | 3300 | motorola-3300 | motorola-delta \
+ | 3300-motorola | delta-motorola)
+ basic_machine=m68k-motorola
+ ;;
+ delta88)
+ basic_machine=m88k-motorola
+ os=-sysv3
+ ;;
+ djgpp)
+ basic_machine=i586-pc
+ os=-msdosdjgpp
+ ;;
+ dpx20 | dpx20-*)
+ basic_machine=rs6000-bull
+ os=-bosx
+ ;;
+ dpx2* | dpx2*-bull)
+ basic_machine=m68k-bull
+ os=-sysv3
+ ;;
+ ebmon29k)
+ basic_machine=a29k-amd
+ os=-ebmon
+ ;;
+ elxsi)
+ basic_machine=elxsi-elxsi
+ os=-bsd
+ ;;
+ encore | umax | mmax)
+ basic_machine=ns32k-encore
+ ;;
+ es1800 | OSE68k | ose68k | ose | OSE)
+ basic_machine=m68k-ericsson
+ os=-ose
+ ;;
+ fx2800)
+ basic_machine=i860-alliant
+ ;;
+ genix)
+ basic_machine=ns32k-ns
+ ;;
+ gmicro)
+ basic_machine=tron-gmicro
+ os=-sysv
+ ;;
+ go32)
+ basic_machine=i386-pc
+ os=-go32
+ ;;
+ h3050r* | hiux*)
+ basic_machine=hppa1.1-hitachi
+ os=-hiuxwe2
+ ;;
+ h8300hms)
+ basic_machine=h8300-hitachi
+ os=-hms
+ ;;
+ h8300xray)
+ basic_machine=h8300-hitachi
+ os=-xray
+ ;;
+ h8500hms)
+ basic_machine=h8500-hitachi
+ os=-hms
+ ;;
+ harris)
+ basic_machine=m88k-harris
+ os=-sysv3
+ ;;
+ hp300-*)
+ basic_machine=m68k-hp
+ ;;
+ hp300bsd)
+ basic_machine=m68k-hp
+ os=-bsd
+ ;;
+ hp300hpux)
+ basic_machine=m68k-hp
+ os=-hpux
+ ;;
+ hp3k9[0-9][0-9] | hp9[0-9][0-9])
+ basic_machine=hppa1.0-hp
+ ;;
+ hp9k2[0-9][0-9] | hp9k31[0-9])
+ basic_machine=m68000-hp
+ ;;
+ hp9k3[2-9][0-9])
+ basic_machine=m68k-hp
+ ;;
+ hp9k6[0-9][0-9] | hp6[0-9][0-9])
+ basic_machine=hppa1.0-hp
+ ;;
+ hp9k7[0-79][0-9] | hp7[0-79][0-9])
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k78[0-9] | hp78[0-9])
+ # FIXME: really hppa2.0-hp
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+ # FIXME: really hppa2.0-hp
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k8[0-9][13679] | hp8[0-9][13679])
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k8[0-9][0-9] | hp8[0-9][0-9])
+ basic_machine=hppa1.0-hp
+ ;;
+ hppa-next)
+ os=-nextstep3
+ ;;
+ hppaosf)
+ basic_machine=hppa1.1-hp
+ os=-osf
+ ;;
+ hppro)
+ basic_machine=hppa1.1-hp
+ os=-proelf
+ ;;
+ i370-ibm* | ibm*)
+ basic_machine=i370-ibm
+ ;;
+# I'm not sure what "Sysv32" means. Should this be sysv3.2?
+ i*86v32)
+ basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ os=-sysv32
+ ;;
+ i*86v4*)
+ basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ os=-sysv4
+ ;;
+ i*86v)
+ basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ os=-sysv
+ ;;
+ i*86sol2)
+ basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ os=-solaris2
+ ;;
+ i386mach)
+ basic_machine=i386-mach
+ os=-mach
+ ;;
+ i386-vsta | vsta)
+ basic_machine=i386-unknown
+ os=-vsta
+ ;;
+ iris | iris4d)
+ basic_machine=mips-sgi
+ case $os in
+ -irix*)
+ ;;
+ *)
+ os=-irix4
+ ;;
+ esac
+ ;;
+ isi68 | isi)
+ basic_machine=m68k-isi
+ os=-sysv
+ ;;
+ m88k-omron*)
+ basic_machine=m88k-omron
+ ;;
+ magnum | m3230)
+ basic_machine=mips-mips
+ os=-sysv
+ ;;
+ merlin)
+ basic_machine=ns32k-utek
+ os=-sysv
+ ;;
+ mingw32)
+ basic_machine=i386-pc
+ os=-mingw32
+ ;;
+ miniframe)
+ basic_machine=m68000-convergent
+ ;;
+ *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+ basic_machine=m68k-atari
+ os=-mint
+ ;;
+ mipsEE* | ee | ps2)
+ basic_machine=mips64r5900el-scei
+ case $os in
+ -linux*)
+ ;;
+ *)
+ os=-elf
+ ;;
+ esac
+ ;;
+ iop)
+ basic_machine=mipsel-scei
+ os=-irx
+ ;;
+ dvp)
+ basic_machine=dvp-scei
+ os=-elf
+ ;;
+ mips3*-*)
+ basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+ ;;
+ mips3*)
+ basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+ ;;
+ monitor)
+ basic_machine=m68k-rom68k
+ os=-coff
+ ;;
+ morphos)
+ basic_machine=powerpc-unknown
+ os=-morphos
+ ;;
+ msdos)
+ basic_machine=i386-pc
+ os=-msdos
+ ;;
+ ms1-*)
+ basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'`
+ ;;
+ mvs)
+ basic_machine=i370-ibm
+ os=-mvs
+ ;;
+ ncr3000)
+ basic_machine=i486-ncr
+ os=-sysv4
+ ;;
+ netbsd386)
+ basic_machine=i386-unknown
+ os=-netbsd
+ ;;
+ netwinder)
+ basic_machine=armv4l-rebel
+ os=-linux
+ ;;
+ news | news700 | news800 | news900)
+ basic_machine=m68k-sony
+ os=-newsos
+ ;;
+ news1000)
+ basic_machine=m68030-sony
+ os=-newsos
+ ;;
+ news-3600 | risc-news)
+ basic_machine=mips-sony
+ os=-newsos
+ ;;
+ necv70)
+ basic_machine=v70-nec
+ os=-sysv
+ ;;
+ next | m*-next )
+ basic_machine=m68k-next
+ case $os in
+ -nextstep* )
+ ;;
+ -ns2*)
+ os=-nextstep2
+ ;;
+ *)
+ os=-nextstep3
+ ;;
+ esac
+ ;;
+ nh3000)
+ basic_machine=m68k-harris
+ os=-cxux
+ ;;
+ nh[45]000)
+ basic_machine=m88k-harris
+ os=-cxux
+ ;;
+ nindy960)
+ basic_machine=i960-intel
+ os=-nindy
+ ;;
+ mon960)
+ basic_machine=i960-intel
+ os=-mon960
+ ;;
+ nonstopux)
+ basic_machine=mips-compaq
+ os=-nonstopux
+ ;;
+ np1)
+ basic_machine=np1-gould
+ ;;
+ nsr-tandem)
+ basic_machine=nsr-tandem
+ ;;
+ op50n-* | op60c-*)
+ basic_machine=hppa1.1-oki
+ os=-proelf
+ ;;
+ openrisc | openrisc-*)
+ basic_machine=or32-unknown
+ ;;
+ os400)
+ basic_machine=powerpc-ibm
+ os=-os400
+ ;;
+ OSE68000 | ose68000)
+ basic_machine=m68000-ericsson
+ os=-ose
+ ;;
+ os68k)
+ basic_machine=m68k-none
+ os=-os68k
+ ;;
+ pa-hitachi)
+ basic_machine=hppa1.1-hitachi
+ os=-hiuxwe2
+ ;;
+ paragon)
+ basic_machine=i860-intel
+ os=-osf
+ ;;
+ pbd)
+ basic_machine=sparc-tti
+ ;;
+ pbb)
+ basic_machine=m68k-tti
+ ;;
+ pc532 | pc532-*)
+ basic_machine=ns32k-pc532
+ ;;
+ pc98)
+ basic_machine=i386-pc
+ ;;
+ pc98-*)
+ basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ pentium | p5 | k5 | k6 | nexgen | viac3)
+ basic_machine=i586-pc
+ ;;
+ pentiumpro | p6 | 6x86 | athlon | athlon_*)
+ basic_machine=i686-pc
+ ;;
+ pentiumii | pentium2 | pentiumiii | pentium3)
+ basic_machine=i686-pc
+ ;;
+ pentium4)
+ basic_machine=i786-pc
+ ;;
+ pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
+ basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ pentiumpro-* | p6-* | 6x86-* | athlon-*)
+ basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
+ basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ pentium4-*)
+ basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ pn)
+ basic_machine=pn-gould
+ ;;
+ power) basic_machine=power-ibm
+ ;;
+ ppc) basic_machine=powerpc-unknown
+ ;;
+ ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ ppcle | powerpclittle | ppc-le | powerpc-little)
+ basic_machine=powerpcle-unknown
+ ;;
+ ppcle-* | powerpclittle-*)
+ basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ ppc64) basic_machine=powerpc64-unknown
+ ;;
+ ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+ basic_machine=powerpc64le-unknown
+ ;;
+ ppc64le-* | powerpc64little-*)
+ basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ ps2)
+ basic_machine=i386-ibm
+ ;;
+ pw32)
+ basic_machine=i586-unknown
+ os=-pw32
+ ;;
+ rdos)
+ basic_machine=i386-pc
+ os=-rdos
+ ;;
+ rom68k)
+ basic_machine=m68k-rom68k
+ os=-coff
+ ;;
+ rm[46]00)
+ basic_machine=mips-siemens
+ ;;
+ rtpc | rtpc-*)
+ basic_machine=romp-ibm
+ ;;
+ s390 | s390-*)
+ basic_machine=s390-ibm
+ ;;
+ s390x | s390x-*)
+ basic_machine=s390x-ibm
+ ;;
+ sa29200)
+ basic_machine=a29k-amd
+ os=-udi
+ ;;
+ sb1)
+ basic_machine=mipsisa64sb1-unknown
+ ;;
+ sb1el)
+ basic_machine=mipsisa64sb1el-unknown
+ ;;
+ sei)
+ basic_machine=mips-sei
+ os=-seiux
+ ;;
+ sequent)
+ basic_machine=i386-sequent
+ ;;
+ sh)
+ basic_machine=sh-hitachi
+ os=-hms
+ ;;
+ sh64)
+ basic_machine=sh64-unknown
+ ;;
+ sparclite-wrs | simso-wrs)
+ basic_machine=sparclite-wrs
+ os=-vxworks
+ ;;
+ sps7)
+ basic_machine=m68k-bull
+ os=-sysv2
+ ;;
+ spur)
+ basic_machine=spur-unknown
+ ;;
+ st2000)
+ basic_machine=m68k-tandem
+ ;;
+ stratus)
+ basic_machine=i860-stratus
+ os=-sysv4
+ ;;
+ sun2)
+ basic_machine=m68000-sun
+ ;;
+ sun2os3)
+ basic_machine=m68000-sun
+ os=-sunos3
+ ;;
+ sun2os4)
+ basic_machine=m68000-sun
+ os=-sunos4
+ ;;
+ sun3os3)
+ basic_machine=m68k-sun
+ os=-sunos3
+ ;;
+ sun3os4)
+ basic_machine=m68k-sun
+ os=-sunos4
+ ;;
+ sun4os3)
+ basic_machine=sparc-sun
+ os=-sunos3
+ ;;
+ sun4os4)
+ basic_machine=sparc-sun
+ os=-sunos4
+ ;;
+ sun4sol2)
+ basic_machine=sparc-sun
+ os=-solaris2
+ ;;
+ sun3 | sun3-*)
+ basic_machine=m68k-sun
+ ;;
+ sun4)
+ basic_machine=sparc-sun
+ ;;
+ sun386 | sun386i | roadrunner)
+ basic_machine=i386-sun
+ ;;
+ sv1)
+ basic_machine=sv1-cray
+ os=-unicos
+ ;;
+ symmetry)
+ basic_machine=i386-sequent
+ os=-dynix
+ ;;
+ t3e)
+ basic_machine=alphaev5-cray
+ os=-unicos
+ ;;
+ t90)
+ basic_machine=t90-cray
+ os=-unicos
+ ;;
+ tic54x | c54x*)
+ basic_machine=tic54x-unknown
+ os=-coff
+ ;;
+ tic55x | c55x*)
+ basic_machine=tic55x-unknown
+ os=-coff
+ ;;
+ tic6x | c6x*)
+ basic_machine=tic6x-unknown
+ os=-coff
+ ;;
+ tx39)
+ basic_machine=mipstx39-unknown
+ ;;
+ tx39el)
+ basic_machine=mipstx39el-unknown
+ ;;
+ toad1)
+ basic_machine=pdp10-xkl
+ os=-tops20
+ ;;
+ tower | tower-32)
+ basic_machine=m68k-ncr
+ ;;
+ tpf)
+ basic_machine=s390x-ibm
+ os=-tpf
+ ;;
+ udi29k)
+ basic_machine=a29k-amd
+ os=-udi
+ ;;
+ ultra3)
+ basic_machine=a29k-nyu
+ os=-sym1
+ ;;
+ v810 | necv810)
+ basic_machine=v810-nec
+ os=-none
+ ;;
+ vaxv)
+ basic_machine=vax-dec
+ os=-sysv
+ ;;
+ vms)
+ basic_machine=vax-dec
+ os=-vms
+ ;;
+ vpp*|vx|vx-*)
+ basic_machine=f301-fujitsu
+ ;;
+ vxworks960)
+ basic_machine=i960-wrs
+ os=-vxworks
+ ;;
+ vxworks68)
+ basic_machine=m68k-wrs
+ os=-vxworks
+ ;;
+ vxworks29k)
+ basic_machine=a29k-wrs
+ os=-vxworks
+ ;;
+ w65*)
+ basic_machine=w65-wdc
+ os=-none
+ ;;
+ w89k-*)
+ basic_machine=hppa1.1-winbond
+ os=-proelf
+ ;;
+ xbox)
+ basic_machine=i686-pc
+ os=-mingw32
+ ;;
+ xps | xps100)
+ basic_machine=xps100-honeywell
+ ;;
+ ymp)
+ basic_machine=ymp-cray
+ os=-unicos
+ ;;
+ z8k-*-coff)
+ basic_machine=z8k-unknown
+ os=-sim
+ ;;
+ none)
+ basic_machine=none-none
+ os=-none
+ ;;
+
+# Here we handle the default manufacturer of certain CPU types. It is in
+# some cases the only manufacturer, in others, it is the most popular.
+ w89k)
+ basic_machine=hppa1.1-winbond
+ ;;
+ op50n)
+ basic_machine=hppa1.1-oki
+ ;;
+ op60c)
+ basic_machine=hppa1.1-oki
+ ;;
+ romp)
+ basic_machine=romp-ibm
+ ;;
+ mmix)
+ basic_machine=mmix-knuth
+ ;;
+ rs6000)
+ basic_machine=rs6000-ibm
+ ;;
+ vax)
+ basic_machine=vax-dec
+ ;;
+ pdp10)
+ # there are many clones, so DEC is not a safe bet
+ basic_machine=pdp10-unknown
+ ;;
+ pdp11)
+ basic_machine=pdp11-dec
+ ;;
+ we32k)
+ basic_machine=we32k-att
+ ;;
+ sh[1234] | sh[24]a | sh[34]eb | sh[1234]le | sh[23]ele)
+ basic_machine=sh-unknown
+ ;;
+ sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v)
+ basic_machine=sparc-sun
+ ;;
+ cydra)
+ basic_machine=cydra-cydrome
+ ;;
+ orion)
+ basic_machine=orion-highlevel
+ ;;
+ orion105)
+ basic_machine=clipper-highlevel
+ ;;
+ mac | mpw | mac-mpw)
+ basic_machine=m68k-apple
+ ;;
+ pmac | pmac-mpw)
+ basic_machine=powerpc-apple
+ ;;
+ *-unknown)
+ # Make sure to match an already-canonicalized machine name.
+ ;;
+ *)
+ echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+ exit 1
+ ;;
+esac
+
+# Here we canonicalize certain aliases for manufacturers.
+case $basic_machine in
+ *-digital*)
+ basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+ ;;
+ *-commodore*)
+ basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+ ;;
+ *)
+ ;;
+esac
+
+# Decode manufacturer-specific aliases for certain operating systems.
+
+if [ x"$os" != x"" ]
+then
+case $os in
+ # First match some system type aliases
+ # that might get confused with valid system types.
+ # -solaris* is a basic system type, with this one exception.
+ -solaris1 | -solaris1.*)
+ os=`echo $os | sed -e 's|solaris1|sunos4|'`
+ ;;
+ -solaris)
+ os=-solaris2
+ ;;
+ -svr4*)
+ os=-sysv4
+ ;;
+ -unixware*)
+ os=-sysv4.2uw
+ ;;
+ -gnu/linux*)
+ os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
+ ;;
+ # First accept the basic system types.
+ # The portable systems comes first.
+ # Each alternative MUST END IN A *, to match a version number.
+ # -sysv* is not here because it comes later, after sysvr4.
+ -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
+ | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
+ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
+ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+ | -aos* \
+ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
+ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
+ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
+ | -openbsd* | -solidbsd* \
+ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
+ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
+ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+ | -chorusos* | -chorusrdb* \
+ | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+ | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \
+ | -uxpv* | -beos* | -mpeix* | -udk* \
+ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
+ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
+ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
+ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
+ | -skyos* | -haiku* | -rdos* | -toppers* | -irx*)
+ # Remember, each alternative MUST END IN *, to match a version number.
+ ;;
+ -qnx*)
+ case $basic_machine in
+ x86-* | i*86-*)
+ ;;
+ *)
+ os=-nto$os
+ ;;
+ esac
+ ;;
+ -nto-qnx*)
+ ;;
+ -nto*)
+ os=`echo $os | sed -e 's|nto|nto-qnx|'`
+ ;;
+ -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+ | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
+ | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+ ;;
+ -mac*)
+ os=`echo $os | sed -e 's|mac|macos|'`
+ ;;
+ -linux-dietlibc)
+ os=-linux-dietlibc
+ ;;
+ -linux*)
+ os=`echo $os | sed -e 's|linux|linux-gnu|'`
+ ;;
+ -sunos5*)
+ os=`echo $os | sed -e 's|sunos5|solaris2|'`
+ ;;
+ -sunos6*)
+ os=`echo $os | sed -e 's|sunos6|solaris3|'`
+ ;;
+ -opened*)
+ os=-openedition
+ ;;
+ -os400*)
+ os=-os400
+ ;;
+ -wince*)
+ os=-wince
+ ;;
+ -osfrose*)
+ os=-osfrose
+ ;;
+ -osf*)
+ os=-osf
+ ;;
+ -utek*)
+ os=-bsd
+ ;;
+ -dynix*)
+ os=-bsd
+ ;;
+ -acis*)
+ os=-aos
+ ;;
+ -atheos*)
+ os=-atheos
+ ;;
+ -syllable*)
+ os=-syllable
+ ;;
+ -386bsd)
+ os=-bsd
+ ;;
+ -ctix* | -uts*)
+ os=-sysv
+ ;;
+ -nova*)
+ os=-rtmk-nova
+ ;;
+ -ns2 )
+ os=-nextstep2
+ ;;
+ -nsk*)
+ os=-nsk
+ ;;
+ # Preserve the version number of sinix5.
+ -sinix5.*)
+ os=`echo $os | sed -e 's|sinix|sysv|'`
+ ;;
+ -sinix*)
+ os=-sysv4
+ ;;
+ -tpf*)
+ os=-tpf
+ ;;
+ -triton*)
+ os=-sysv3
+ ;;
+ -oss*)
+ os=-sysv3
+ ;;
+ -svr4)
+ os=-sysv4
+ ;;
+ -svr3)
+ os=-sysv3
+ ;;
+ -sysvr4)
+ os=-sysv4
+ ;;
+ # This must come after -sysvr4.
+ -sysv*)
+ ;;
+ -ose*)
+ os=-ose
+ ;;
+ -es1800*)
+ os=-ose
+ ;;
+ -xenix)
+ os=-xenix
+ ;;
+ -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+ os=-mint
+ ;;
+ -aros*)
+ os=-aros
+ ;;
+ -kaos*)
+ os=-kaos
+ ;;
+ -zvmoe)
+ os=-zvmoe
+ ;;
+ -none)
+ ;;
+ *)
+ # Get rid of the `-' at the beginning of $os.
+ os=`echo $os | sed 's/[^-]*-//'`
+ echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+ exit 1
+ ;;
+esac
+else
+
+# Here we handle the default operating systems that come with various machines.
+# The value should be what the vendor currently ships out the door with their
+# machine or put another way, the most popular os provided with the machine.
+
+# Note that if you're going to try to match "-MANUFACTURER" here (say,
+# "-sun"), then you have to tell the case statement up towards the top
+# that MANUFACTURER isn't an operating system. Otherwise, code above
+# will signal an error saying that MANUFACTURER isn't an operating
+# system, and we'll never get to this point.
+
+case $basic_machine in
+ spu-*)
+ os=-elf
+ ;;
+ *-acorn)
+ os=-riscix1.2
+ ;;
+ arm*-rebel)
+ os=-linux
+ ;;
+ arm*-semi)
+ os=-aout
+ ;;
+ c4x-* | tic4x-*)
+ os=-coff
+ ;;
+ # This must come before the *-dec entry.
+ pdp10-*)
+ os=-tops20
+ ;;
+ pdp11-*)
+ os=-none
+ ;;
+ *-dec | vax-*)
+ os=-ultrix4.2
+ ;;
+ m68*-apollo)
+ os=-domain
+ ;;
+ i386-sun)
+ os=-sunos4.0.2
+ ;;
+ m68000-sun)
+ os=-sunos3
+ # This also exists in the configure program, but was not the
+ # default.
+ # os=-sunos4
+ ;;
+ m68*-cisco)
+ os=-aout
+ ;;
+ mips*-cisco)
+ os=-elf
+ ;;
+ mips*-*)
+ os=-elf
+ ;;
+ or32-*)
+ os=-coff
+ ;;
+ *-tti) # must be before sparc entry or we get the wrong os.
+ os=-sysv3
+ ;;
+ sparc-* | *-sun)
+ os=-sunos4.1.1
+ ;;
+ *-be)
+ os=-beos
+ ;;
+ *-haiku)
+ os=-haiku
+ ;;
+ *-ibm)
+ os=-aix
+ ;;
+ *-knuth)
+ os=-mmixware
+ ;;
+ *-wec)
+ os=-proelf
+ ;;
+ *-winbond)
+ os=-proelf
+ ;;
+ *-oki)
+ os=-proelf
+ ;;
+ *-hp)
+ os=-hpux
+ ;;
+ *-hitachi)
+ os=-hiux
+ ;;
+ i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
+ os=-sysv
+ ;;
+ *-cbm)
+ os=-amigaos
+ ;;
+ *-dg)
+ os=-dgux
+ ;;
+ *-dolphin)
+ os=-sysv3
+ ;;
+ m68k-ccur)
+ os=-rtu
+ ;;
+ m88k-omron*)
+ os=-luna
+ ;;
+ *-next )
+ os=-nextstep
+ ;;
+ *-sequent)
+ os=-ptx
+ ;;
+ *-crds)
+ os=-unos
+ ;;
+ *-ns)
+ os=-genix
+ ;;
+ i370-*)
+ os=-mvs
+ ;;
+ *-next)
+ os=-nextstep3
+ ;;
+ *-gould)
+ os=-sysv
+ ;;
+ *-highlevel)
+ os=-bsd
+ ;;
+ *-encore)
+ os=-bsd
+ ;;
+ *-sgi)
+ os=-irix
+ ;;
+ *-siemens)
+ os=-sysv4
+ ;;
+ *-masscomp)
+ os=-rtu
+ ;;
+ f30[01]-fujitsu | f700-fujitsu)
+ os=-uxpv
+ ;;
+ *-rom68k)
+ os=-coff
+ ;;
+ *-*bug)
+ os=-coff
+ ;;
+ *-apple)
+ os=-macos
+ ;;
+ *-atari*)
+ os=-mint
+ ;;
+ *)
+ os=-none
+ ;;
+esac
+fi
+
+# Here we handle the case where we know the os, and the CPU type, but not the
+# manufacturer. We pick the logical manufacturer.
+vendor=unknown
+case $basic_machine in
+ *-unknown)
+ case $os in
+ -riscix*)
+ vendor=acorn
+ ;;
+ -sunos*)
+ vendor=sun
+ ;;
+ -aix*)
+ vendor=ibm
+ ;;
+ -beos*)
+ vendor=be
+ ;;
+ -hpux*)
+ vendor=hp
+ ;;
+ -mpeix*)
+ vendor=hp
+ ;;
+ -hiux*)
+ vendor=hitachi
+ ;;
+ -unos*)
+ vendor=crds
+ ;;
+ -dgux*)
+ vendor=dg
+ ;;
+ -luna*)
+ vendor=omron
+ ;;
+ -genix*)
+ vendor=ns
+ ;;
+ -mvs* | -opened*)
+ vendor=ibm
+ ;;
+ -os400*)
+ vendor=ibm
+ ;;
+ -ptx*)
+ vendor=sequent
+ ;;
+ -tpf*)
+ vendor=ibm
+ ;;
+ -vxsim* | -vxworks* | -windiss*)
+ vendor=wrs
+ ;;
+ -aux*)
+ vendor=apple
+ ;;
+ -hms*)
+ vendor=hitachi
+ ;;
+ -mpw* | -macos*)
+ vendor=apple
+ ;;
+ -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+ vendor=atari
+ ;;
+ -vos*)
+ vendor=stratus
+ ;;
+ esac
+ basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+ ;;
+esac
+
+echo $basic_machine$os
+exit
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/configure b/configure
new file mode 100755
index 000000000..96e6d5f72
--- /dev/null
+++ b/configure
@@ -0,0 +1,23369 @@
+#! /bin/sh
+# Guess values for system-dependent variables and create Makefiles.
+# Generated by GNU Autoconf 2.61 for strongSwan 4.1.1.
+#
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+# 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
+# This configure script is free software; the Free Software Foundation
+# gives unlimited permission to copy, distribute and modify it.
+## --------------------- ##
+## M4sh Initialization. ##
+## --------------------- ##
+
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+ emulate sh
+ NULLCMD=:
+ # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in
+ *posix*) set -o posix ;;
+esac
+
+fi
+
+
+
+
+# PATH needs CR
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+ echo "#! /bin/sh" >conf$$.sh
+ echo "exit 0" >>conf$$.sh
+ chmod +x conf$$.sh
+ if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+ PATH_SEPARATOR=';'
+ else
+ PATH_SEPARATOR=:
+ fi
+ rm -f conf$$.sh
+fi
+
+# Support unset when possible.
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+ as_unset=unset
+else
+ as_unset=false
+fi
+
+
+# IFS
+# We need space, tab and new line, in precisely that order. Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+as_nl='
+'
+IFS=" "" $as_nl"
+
+# Find who we are. Look in the path if we contain no directory separator.
+case $0 in
+ *[\\/]* ) as_myself=$0 ;;
+ *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+done
+IFS=$as_save_IFS
+
+ ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+ as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+ echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+ { (exit 1); exit 1; }
+fi
+
+# Work around bugs in pre-3.0 UWIN ksh.
+for as_var in ENV MAIL MAILPATH
+do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+done
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+for as_var in \
+ LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+ LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+ LC_TELEPHONE LC_TIME
+do
+ if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+ eval $as_var=C; export $as_var
+ else
+ ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+ fi
+done
+
+# Required to use basename.
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
+ as_expr=expr
+else
+ as_expr=false
+fi
+
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+ as_basename=basename
+else
+ as_basename=false
+fi
+
+
+# Name of the executable.
+as_me=`$as_basename -- "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+ X"$0" : 'X\(//\)$' \| \
+ X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+echo X/"$0" |
+ sed '/^.*\/\([^/][^/]*\)\/*$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+
+# CDPATH.
+$as_unset CDPATH
+
+
+if test "x$CONFIG_SHELL" = x; then
+ if (eval ":") 2>/dev/null; then
+ as_have_required=yes
+else
+ as_have_required=no
+fi
+
+ if test $as_have_required = yes && (eval ":
+(as_func_return () {
+ (exit \$1)
+}
+as_func_success () {
+ as_func_return 0
+}
+as_func_failure () {
+ as_func_return 1
+}
+as_func_ret_success () {
+ return 0
+}
+as_func_ret_failure () {
+ return 1
+}
+
+exitcode=0
+if as_func_success; then
+ :
+else
+ exitcode=1
+ echo as_func_success failed.
+fi
+
+if as_func_failure; then
+ exitcode=1
+ echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+ :
+else
+ exitcode=1
+ echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+ exitcode=1
+ echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+ :
+else
+ exitcode=1
+ echo positional parameters were not saved.
+fi
+
+test \$exitcode = 0) || { (exit 1); exit 1; }
+
+(
+ as_lineno_1=\$LINENO
+ as_lineno_2=\$LINENO
+ test \"x\$as_lineno_1\" != \"x\$as_lineno_2\" &&
+ test \"x\`expr \$as_lineno_1 + 1\`\" = \"x\$as_lineno_2\") || { (exit 1); exit 1; }
+") 2> /dev/null; then
+ :
+else
+ as_candidate_shells=
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ case $as_dir in
+ /*)
+ for as_base in sh bash ksh sh5; do
+ as_candidate_shells="$as_candidate_shells $as_dir/$as_base"
+ done;;
+ esac
+done
+IFS=$as_save_IFS
+
+
+ for as_shell in $as_candidate_shells $SHELL; do
+ # Try only shells that exist, to save several forks.
+ if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
+ { ("$as_shell") 2> /dev/null <<\_ASEOF
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+ emulate sh
+ NULLCMD=:
+ # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in
+ *posix*) set -o posix ;;
+esac
+
+fi
+
+
+:
+_ASEOF
+}; then
+ CONFIG_SHELL=$as_shell
+ as_have_required=yes
+ if { "$as_shell" 2> /dev/null <<\_ASEOF
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+ emulate sh
+ NULLCMD=:
+ # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in
+ *posix*) set -o posix ;;
+esac
+
+fi
+
+
+:
+(as_func_return () {
+ (exit $1)
+}
+as_func_success () {
+ as_func_return 0
+}
+as_func_failure () {
+ as_func_return 1
+}
+as_func_ret_success () {
+ return 0
+}
+as_func_ret_failure () {
+ return 1
+}
+
+exitcode=0
+if as_func_success; then
+ :
+else
+ exitcode=1
+ echo as_func_success failed.
+fi
+
+if as_func_failure; then
+ exitcode=1
+ echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+ :
+else
+ exitcode=1
+ echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+ exitcode=1
+ echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = "$1" ); then
+ :
+else
+ exitcode=1
+ echo positional parameters were not saved.
+fi
+
+test $exitcode = 0) || { (exit 1); exit 1; }
+
+(
+ as_lineno_1=$LINENO
+ as_lineno_2=$LINENO
+ test "x$as_lineno_1" != "x$as_lineno_2" &&
+ test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2") || { (exit 1); exit 1; }
+
+_ASEOF
+}; then
+ break
+fi
+
+fi
+
+ done
+
+ if test "x$CONFIG_SHELL" != x; then
+ for as_var in BASH_ENV ENV
+ do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+ done
+ export CONFIG_SHELL
+ exec "$CONFIG_SHELL" "$as_myself" ${1+"$@"}
+fi
+
+
+ if test $as_have_required = no; then
+ echo This script requires a shell more modern than all the
+ echo shells that I found on your system. Please install a
+ echo modern shell, or manually run the script under such a
+ echo shell if you do have one.
+ { (exit 1); exit 1; }
+fi
+
+
+fi
+
+fi
+
+
+
+(eval "as_func_return () {
+ (exit \$1)
+}
+as_func_success () {
+ as_func_return 0
+}
+as_func_failure () {
+ as_func_return 1
+}
+as_func_ret_success () {
+ return 0
+}
+as_func_ret_failure () {
+ return 1
+}
+
+exitcode=0
+if as_func_success; then
+ :
+else
+ exitcode=1
+ echo as_func_success failed.
+fi
+
+if as_func_failure; then
+ exitcode=1
+ echo as_func_failure succeeded.
+fi
+
+if as_func_ret_success; then
+ :
+else
+ exitcode=1
+ echo as_func_ret_success failed.
+fi
+
+if as_func_ret_failure; then
+ exitcode=1
+ echo as_func_ret_failure succeeded.
+fi
+
+if ( set x; as_func_ret_success y && test x = \"\$1\" ); then
+ :
+else
+ exitcode=1
+ echo positional parameters were not saved.
+fi
+
+test \$exitcode = 0") || {
+ echo No shell found that supports shell functions.
+ echo Please tell autoconf@gnu.org about your system,
+ echo including any error possibly output before this
+ echo message
+}
+
+
+
+ as_lineno_1=$LINENO
+ as_lineno_2=$LINENO
+ test "x$as_lineno_1" != "x$as_lineno_2" &&
+ test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
+
+ # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+ # uniformly replaced by the line number. The first 'sed' inserts a
+ # line-number line after each line using $LINENO; the second 'sed'
+ # does the real work. The second script uses 'N' to pair each
+ # line-number line with the line containing $LINENO, and appends
+ # trailing '-' during substitution so that $LINENO is not a special
+ # case at line end.
+ # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+ # scripts with optimization help from Paolo Bonzini. Blame Lee
+ # E. McMahon (1931-1989) for sed's syntax. :-)
+ sed -n '
+ p
+ /[$]LINENO/=
+ ' <$as_myself |
+ sed '
+ s/[$]LINENO.*/&-/
+ t lineno
+ b
+ :lineno
+ N
+ :loop
+ s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
+ t loop
+ s/-\n.*//
+ ' >$as_me.lineno &&
+ chmod +x "$as_me.lineno" ||
+ { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+ { (exit 1); exit 1; }; }
+
+ # Don't try to exec as it changes $[0], causing all sort of problems
+ # (the dirname of $[0] is not the place where we might find the
+ # original and so on. Autoconf is especially sensitive to this).
+ . "./$as_me.lineno"
+ # Exit status is that of the last command.
+ exit
+}
+
+
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+ as_dirname=dirname
+else
+ as_dirname=false
+fi
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in
+-n*)
+ case `echo 'x\c'` in
+ *c*) ECHO_T=' ';; # ECHO_T is single tab character.
+ *) ECHO_C='\c';;
+ esac;;
+*)
+ ECHO_N='-n';;
+esac
+
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
+ as_expr=expr
+else
+ as_expr=false
+fi
+
+rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+ rm -f conf$$.dir/conf$$.file
+else
+ rm -f conf$$.dir
+ mkdir conf$$.dir
+fi
+echo >conf$$.file
+if ln -s conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s='ln -s'
+ # ... but there are two gotchas:
+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+ # In both cases, we have to default to `cp -p'.
+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+ as_ln_s='cp -p'
+elif ln conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s=ln
+else
+ as_ln_s='cp -p'
+fi
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
+
+if mkdir -p . 2>/dev/null; then
+ as_mkdir_p=:
+else
+ test -d ./-p && rmdir ./-p
+ as_mkdir_p=false
+fi
+
+if test -x / >/dev/null 2>&1; then
+ as_test_x='test -x'
+else
+ if ls -dL / >/dev/null 2>&1; then
+ as_ls_L_option=L
+ else
+ as_ls_L_option=
+ fi
+ as_test_x='
+ eval sh -c '\''
+ if test -d "$1"; then
+ test -d "$1/.";
+ else
+ case $1 in
+ -*)set "./$1";;
+ esac;
+ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
+ ???[sx]*):;;*)false;;esac;fi
+ '\'' sh
+ '
+fi
+as_executable_p=$as_test_x
+
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+
+
+
+
+# Check that we are running under the correct shell.
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+case X$ECHO in
+X*--fallback-echo)
+ # Remove one level of quotation (which was required for Make).
+ ECHO=`echo "$ECHO" | sed 's,\\\\\$\\$0,'$0','`
+ ;;
+esac
+
+echo=${ECHO-echo}
+if test "X$1" = X--no-reexec; then
+ # Discard the --no-reexec flag, and continue.
+ shift
+elif test "X$1" = X--fallback-echo; then
+ # Avoid inline document here, it may be left over
+ :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then
+ # Yippee, $echo works!
+ :
+else
+ # Restart under the correct shell.
+ exec $SHELL "$0" --no-reexec ${1+"$@"}
+fi
+
+if test "X$1" = X--fallback-echo; then
+ # used as fallback echo
+ shift
+ cat <<EOF
+$*
+EOF
+ exit 0
+fi
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+if test -z "$ECHO"; then
+if test "X${echo_test_string+set}" != Xset; then
+# find a string as large as possible, as long as the shell can cope with it
+ for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do
+ # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
+ if (echo_test_string=`eval $cmd`) 2>/dev/null &&
+ echo_test_string=`eval $cmd` &&
+ (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
+ then
+ break
+ fi
+ done
+fi
+
+if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ :
+else
+ # The Solaris, AIX, and Digital Unix default echo programs unquote
+ # backslashes. This makes it impossible to quote backslashes using
+ # echo "$something" | sed 's/\\/\\\\/g'
+ #
+ # So, first we look for a working echo in the user's PATH.
+
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for dir in $PATH /usr/ucb; do
+ IFS="$lt_save_ifs"
+ if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
+ test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ echo="$dir/echo"
+ break
+ fi
+ done
+ IFS="$lt_save_ifs"
+
+ if test "X$echo" = Xecho; then
+ # We didn't find a better echo, so look for alternatives.
+ if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ # This shell has a builtin print -r that does the trick.
+ echo='print -r'
+ elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
+ test "X$CONFIG_SHELL" != X/bin/ksh; then
+ # If we have ksh, try running configure again with it.
+ ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
+ export ORIGINAL_CONFIG_SHELL
+ CONFIG_SHELL=/bin/ksh
+ export CONFIG_SHELL
+ exec $CONFIG_SHELL "$0" --no-reexec ${1+"$@"}
+ else
+ # Try using printf.
+ echo='printf %s\n'
+ if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ # Cool, printf works
+ :
+ elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
+ test "X$echo_testing_string" = 'X\t' &&
+ echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
+ export CONFIG_SHELL
+ SHELL="$CONFIG_SHELL"
+ export SHELL
+ echo="$CONFIG_SHELL $0 --fallback-echo"
+ elif echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
+ test "X$echo_testing_string" = 'X\t' &&
+ echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ echo="$CONFIG_SHELL $0 --fallback-echo"
+ else
+ # maybe with a smaller string...
+ prev=:
+
+ for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do
+ if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null
+ then
+ break
+ fi
+ prev="$cmd"
+ done
+
+ if test "$prev" != 'sed 50q "$0"'; then
+ echo_test_string=`eval $prev`
+ export echo_test_string
+ exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "$0" ${1+"$@"}
+ else
+ # Oops. We lost completely, so just stick with echo.
+ echo=echo
+ fi
+ fi
+ fi
+ fi
+fi
+fi
+
+# Copy echo and quote the copy suitably for passing to libtool from
+# the Makefile, instead of quoting the original, which is used later.
+ECHO=$echo
+if test "X$ECHO" = "X$CONFIG_SHELL $0 --fallback-echo"; then
+ ECHO="$CONFIG_SHELL \\\$\$0 --fallback-echo"
+fi
+
+
+
+
+tagnames=${tagnames+${tagnames},}CXX
+
+tagnames=${tagnames+${tagnames},}F77
+
+exec 7<&0 </dev/null 6>&1
+
+# Name of the host.
+# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
+# so uname gets run too.
+ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
+
+#
+# Initializations.
+#
+ac_default_prefix=/usr/local
+ac_clean_files=
+ac_config_libobj_dir=.
+LIBOBJS=
+cross_compiling=no
+subdirs=
+MFLAGS=
+MAKEFLAGS=
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+# Identity of this package.
+PACKAGE_NAME='strongSwan'
+PACKAGE_TARNAME='strongswan'
+PACKAGE_VERSION='4.1.1'
+PACKAGE_STRING='strongSwan 4.1.1'
+PACKAGE_BUGREPORT=''
+
+# Factoring default headers for most tests.
+ac_includes_default="\
+#include <stdio.h>
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+# include <stdlib.h>
+# endif
+#endif
+#ifdef HAVE_STRING_H
+# if !defined STDC_HEADERS && defined HAVE_MEMORY_H
+# include <memory.h>
+# endif
+# include <string.h>
+#endif
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif
+#ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif"
+
+ac_subst_vars='SHELL
+PATH_SEPARATOR
+PACKAGE_NAME
+PACKAGE_TARNAME
+PACKAGE_VERSION
+PACKAGE_STRING
+PACKAGE_BUGREPORT
+exec_prefix
+prefix
+program_transform_name
+bindir
+sbindir
+libexecdir
+datarootdir
+datadir
+sysconfdir
+sharedstatedir
+localstatedir
+includedir
+oldincludedir
+docdir
+infodir
+htmldir
+dvidir
+pdfdir
+psdir
+libdir
+localedir
+mandir
+DEFS
+ECHO_C
+ECHO_N
+ECHO_T
+LIBS
+build_alias
+host_alias
+target_alias
+INSTALL_PROGRAM
+INSTALL_SCRIPT
+INSTALL_DATA
+CYGPATH_W
+PACKAGE
+VERSION
+ACLOCAL
+AUTOCONF
+AUTOMAKE
+AUTOHEADER
+MAKEINFO
+install_sh
+STRIP
+INSTALL_STRIP_PROGRAM
+mkdir_p
+AWK
+SET_MAKE
+am__leading_dot
+AMTAR
+am__tar
+am__untar
+CC
+CFLAGS
+LDFLAGS
+CPPFLAGS
+ac_ct_CC
+EXEEXT
+OBJEXT
+DEPDIR
+am__include
+am__quote
+AMDEP_TRUE
+AMDEP_FALSE
+AMDEPBACKSLASH
+CCDEPMODE
+am__fastdepCC_TRUE
+am__fastdepCC_FALSE
+CPP
+GREP
+EGREP
+confdir
+ipsecdir
+piddir
+eapdir
+USE_LIBCURL_TRUE
+USE_LIBCURL_FALSE
+USE_LIBLDAP_TRUE
+USE_LIBLDAP_FALSE
+USE_SMARTCARD_TRUE
+USE_SMARTCARD_FALSE
+USE_CISCO_QUIRKS_TRUE
+USE_CISCO_QUIRKS_FALSE
+USE_LEAK_DETECTIVE_TRUE
+USE_LEAK_DETECTIVE_FALSE
+BUILD_EAP_SIM_TRUE
+BUILD_EAP_SIM_FALSE
+USE_NAT_TRANSPORT_TRUE
+USE_NAT_TRANSPORT_FALSE
+USE_VENDORID_TRUE
+USE_VENDORID_FALSE
+build
+build_cpu
+build_vendor
+build_os
+host
+host_cpu
+host_vendor
+host_os
+LN_S
+ECHO
+AR
+RANLIB
+CXX
+CXXFLAGS
+ac_ct_CXX
+CXXDEPMODE
+am__fastdepCXX_TRUE
+am__fastdepCXX_FALSE
+CXXCPP
+F77
+FFLAGS
+ac_ct_F77
+LIBTOOL
+LEX
+LEX_OUTPUT_ROOT
+LEXLIB
+YACC
+YFLAGS
+GPERF
+PERL
+LIBOBJS
+LTLIBOBJS'
+ac_subst_files=''
+ ac_precious_vars='build_alias
+host_alias
+target_alias
+CC
+CFLAGS
+LDFLAGS
+LIBS
+CPPFLAGS
+CPP
+CXX
+CXXFLAGS
+CCC
+CXXCPP
+F77
+FFLAGS
+YACC
+YFLAGS'
+
+
+# Initialize some variables set by options.
+ac_init_help=
+ac_init_version=false
+# The variables have the same names as the options, with
+# dashes changed to underlines.
+cache_file=/dev/null
+exec_prefix=NONE
+no_create=
+no_recursion=
+prefix=NONE
+program_prefix=NONE
+program_suffix=NONE
+program_transform_name=s,x,x,
+silent=
+site=
+srcdir=
+verbose=
+x_includes=NONE
+x_libraries=NONE
+
+# Installation directory options.
+# These are left unexpanded so users can "make install exec_prefix=/foo"
+# and all the variables that are supposed to be based on exec_prefix
+# by default will actually change.
+# Use braces instead of parens because sh, perl, etc. also accept them.
+# (The list follows the same order as the GNU Coding Standards.)
+bindir='${exec_prefix}/bin'
+sbindir='${exec_prefix}/sbin'
+libexecdir='${exec_prefix}/libexec'
+datarootdir='${prefix}/share'
+datadir='${datarootdir}'
+sysconfdir='${prefix}/etc'
+sharedstatedir='${prefix}/com'
+localstatedir='${prefix}/var'
+includedir='${prefix}/include'
+oldincludedir='/usr/include'
+docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
+infodir='${datarootdir}/info'
+htmldir='${docdir}'
+dvidir='${docdir}'
+pdfdir='${docdir}'
+psdir='${docdir}'
+libdir='${exec_prefix}/lib'
+localedir='${datarootdir}/locale'
+mandir='${datarootdir}/man'
+
+ac_prev=
+ac_dashdash=
+for ac_option
+do
+ # If the previous option needs an argument, assign it.
+ if test -n "$ac_prev"; then
+ eval $ac_prev=\$ac_option
+ ac_prev=
+ continue
+ fi
+
+ case $ac_option in
+ *=*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
+ *) ac_optarg=yes ;;
+ esac
+
+ # Accept the important Cygnus configure options, so we can diagnose typos.
+
+ case $ac_dashdash$ac_option in
+ --)
+ ac_dashdash=yes ;;
+
+ -bindir | --bindir | --bindi | --bind | --bin | --bi)
+ ac_prev=bindir ;;
+ -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
+ bindir=$ac_optarg ;;
+
+ -build | --build | --buil | --bui | --bu)
+ ac_prev=build_alias ;;
+ -build=* | --build=* | --buil=* | --bui=* | --bu=*)
+ build_alias=$ac_optarg ;;
+
+ -cache-file | --cache-file | --cache-fil | --cache-fi \
+ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
+ ac_prev=cache_file ;;
+ -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
+ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
+ cache_file=$ac_optarg ;;
+
+ --config-cache | -C)
+ cache_file=config.cache ;;
+
+ -datadir | --datadir | --datadi | --datad)
+ ac_prev=datadir ;;
+ -datadir=* | --datadir=* | --datadi=* | --datad=*)
+ datadir=$ac_optarg ;;
+
+ -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \
+ | --dataroo | --dataro | --datar)
+ ac_prev=datarootdir ;;
+ -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \
+ | --dataroot=* | --dataroo=* | --dataro=* | --datar=*)
+ datarootdir=$ac_optarg ;;
+
+ -disable-* | --disable-*)
+ ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+ { echo "$as_me: error: invalid feature name: $ac_feature" >&2
+ { (exit 1); exit 1; }; }
+ ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+ eval enable_$ac_feature=no ;;
+
+ -docdir | --docdir | --docdi | --doc | --do)
+ ac_prev=docdir ;;
+ -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*)
+ docdir=$ac_optarg ;;
+
+ -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv)
+ ac_prev=dvidir ;;
+ -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*)
+ dvidir=$ac_optarg ;;
+
+ -enable-* | --enable-*)
+ ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_feature" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+ { echo "$as_me: error: invalid feature name: $ac_feature" >&2
+ { (exit 1); exit 1; }; }
+ ac_feature=`echo $ac_feature | sed 's/[-.]/_/g'`
+ eval enable_$ac_feature=\$ac_optarg ;;
+
+ -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
+ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
+ | --exec | --exe | --ex)
+ ac_prev=exec_prefix ;;
+ -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
+ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
+ | --exec=* | --exe=* | --ex=*)
+ exec_prefix=$ac_optarg ;;
+
+ -gas | --gas | --ga | --g)
+ # Obsolete; use --with-gas.
+ with_gas=yes ;;
+
+ -help | --help | --hel | --he | -h)
+ ac_init_help=long ;;
+ -help=r* | --help=r* | --hel=r* | --he=r* | -hr*)
+ ac_init_help=recursive ;;
+ -help=s* | --help=s* | --hel=s* | --he=s* | -hs*)
+ ac_init_help=short ;;
+
+ -host | --host | --hos | --ho)
+ ac_prev=host_alias ;;
+ -host=* | --host=* | --hos=* | --ho=*)
+ host_alias=$ac_optarg ;;
+
+ -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht)
+ ac_prev=htmldir ;;
+ -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \
+ | --ht=*)
+ htmldir=$ac_optarg ;;
+
+ -includedir | --includedir | --includedi | --included | --include \
+ | --includ | --inclu | --incl | --inc)
+ ac_prev=includedir ;;
+ -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
+ | --includ=* | --inclu=* | --incl=* | --inc=*)
+ includedir=$ac_optarg ;;
+
+ -infodir | --infodir | --infodi | --infod | --info | --inf)
+ ac_prev=infodir ;;
+ -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
+ infodir=$ac_optarg ;;
+
+ -libdir | --libdir | --libdi | --libd)
+ ac_prev=libdir ;;
+ -libdir=* | --libdir=* | --libdi=* | --libd=*)
+ libdir=$ac_optarg ;;
+
+ -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
+ | --libexe | --libex | --libe)
+ ac_prev=libexecdir ;;
+ -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
+ | --libexe=* | --libex=* | --libe=*)
+ libexecdir=$ac_optarg ;;
+
+ -localedir | --localedir | --localedi | --localed | --locale)
+ ac_prev=localedir ;;
+ -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*)
+ localedir=$ac_optarg ;;
+
+ -localstatedir | --localstatedir | --localstatedi | --localstated \
+ | --localstate | --localstat | --localsta | --localst | --locals)
+ ac_prev=localstatedir ;;
+ -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
+ | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*)
+ localstatedir=$ac_optarg ;;
+
+ -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
+ ac_prev=mandir ;;
+ -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
+ mandir=$ac_optarg ;;
+
+ -nfp | --nfp | --nf)
+ # Obsolete; use --without-fp.
+ with_fp=no ;;
+
+ -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+ | --no-cr | --no-c | -n)
+ no_create=yes ;;
+
+ -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+ | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
+ no_recursion=yes ;;
+
+ -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
+ | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
+ | --oldin | --oldi | --old | --ol | --o)
+ ac_prev=oldincludedir ;;
+ -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
+ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
+ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
+ oldincludedir=$ac_optarg ;;
+
+ -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
+ ac_prev=prefix ;;
+ -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
+ prefix=$ac_optarg ;;
+
+ -program-prefix | --program-prefix | --program-prefi | --program-pref \
+ | --program-pre | --program-pr | --program-p)
+ ac_prev=program_prefix ;;
+ -program-prefix=* | --program-prefix=* | --program-prefi=* \
+ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
+ program_prefix=$ac_optarg ;;
+
+ -program-suffix | --program-suffix | --program-suffi | --program-suff \
+ | --program-suf | --program-su | --program-s)
+ ac_prev=program_suffix ;;
+ -program-suffix=* | --program-suffix=* | --program-suffi=* \
+ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
+ program_suffix=$ac_optarg ;;
+
+ -program-transform-name | --program-transform-name \
+ | --program-transform-nam | --program-transform-na \
+ | --program-transform-n | --program-transform- \
+ | --program-transform | --program-transfor \
+ | --program-transfo | --program-transf \
+ | --program-trans | --program-tran \
+ | --progr-tra | --program-tr | --program-t)
+ ac_prev=program_transform_name ;;
+ -program-transform-name=* | --program-transform-name=* \
+ | --program-transform-nam=* | --program-transform-na=* \
+ | --program-transform-n=* | --program-transform-=* \
+ | --program-transform=* | --program-transfor=* \
+ | --program-transfo=* | --program-transf=* \
+ | --program-trans=* | --program-tran=* \
+ | --progr-tra=* | --program-tr=* | --program-t=*)
+ program_transform_name=$ac_optarg ;;
+
+ -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd)
+ ac_prev=pdfdir ;;
+ -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*)
+ pdfdir=$ac_optarg ;;
+
+ -psdir | --psdir | --psdi | --psd | --ps)
+ ac_prev=psdir ;;
+ -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*)
+ psdir=$ac_optarg ;;
+
+ -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+ | -silent | --silent | --silen | --sile | --sil)
+ silent=yes ;;
+
+ -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+ ac_prev=sbindir ;;
+ -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+ | --sbi=* | --sb=*)
+ sbindir=$ac_optarg ;;
+
+ -sharedstatedir | --sharedstatedir | --sharedstatedi \
+ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
+ | --sharedst | --shareds | --shared | --share | --shar \
+ | --sha | --sh)
+ ac_prev=sharedstatedir ;;
+ -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
+ | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
+ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
+ | --sha=* | --sh=*)
+ sharedstatedir=$ac_optarg ;;
+
+ -site | --site | --sit)
+ ac_prev=site ;;
+ -site=* | --site=* | --sit=*)
+ site=$ac_optarg ;;
+
+ -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
+ ac_prev=srcdir ;;
+ -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
+ srcdir=$ac_optarg ;;
+
+ -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
+ | --syscon | --sysco | --sysc | --sys | --sy)
+ ac_prev=sysconfdir ;;
+ -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
+ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
+ sysconfdir=$ac_optarg ;;
+
+ -target | --target | --targe | --targ | --tar | --ta | --t)
+ ac_prev=target_alias ;;
+ -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
+ target_alias=$ac_optarg ;;
+
+ -v | -verbose | --verbose | --verbos | --verbo | --verb)
+ verbose=yes ;;
+
+ -version | --version | --versio | --versi | --vers | -V)
+ ac_init_version=: ;;
+
+ -with-* | --with-*)
+ ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+ { echo "$as_me: error: invalid package name: $ac_package" >&2
+ { (exit 1); exit 1; }; }
+ ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+ eval with_$ac_package=\$ac_optarg ;;
+
+ -without-* | --without-*)
+ ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_package" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+ { echo "$as_me: error: invalid package name: $ac_package" >&2
+ { (exit 1); exit 1; }; }
+ ac_package=`echo $ac_package | sed 's/[-.]/_/g'`
+ eval with_$ac_package=no ;;
+
+ --x)
+ # Obsolete; use --with-x.
+ with_x=yes ;;
+
+ -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
+ | --x-incl | --x-inc | --x-in | --x-i)
+ ac_prev=x_includes ;;
+ -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
+ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
+ x_includes=$ac_optarg ;;
+
+ -x-libraries | --x-libraries | --x-librarie | --x-librari \
+ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
+ ac_prev=x_libraries ;;
+ -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
+ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
+ x_libraries=$ac_optarg ;;
+
+ -*) { echo "$as_me: error: unrecognized option: $ac_option
+Try \`$0 --help' for more information." >&2
+ { (exit 1); exit 1; }; }
+ ;;
+
+ *=*)
+ ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
+ { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
+ { (exit 1); exit 1; }; }
+ eval $ac_envvar=\$ac_optarg
+ export $ac_envvar ;;
+
+ *)
+ # FIXME: should be removed in autoconf 3.0.
+ echo "$as_me: WARNING: you should use --build, --host, --target" >&2
+ expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+ echo "$as_me: WARNING: invalid host type: $ac_option" >&2
+ : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
+ ;;
+
+ esac
+done
+
+if test -n "$ac_prev"; then
+ ac_option=--`echo $ac_prev | sed 's/_/-/g'`
+ { echo "$as_me: error: missing argument to $ac_option" >&2
+ { (exit 1); exit 1; }; }
+fi
+
+# Be sure to have absolute directory names.
+for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
+ datadir sysconfdir sharedstatedir localstatedir includedir \
+ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+ libdir localedir mandir
+do
+ eval ac_val=\$$ac_var
+ case $ac_val in
+ [\\/$]* | ?:[\\/]* ) continue;;
+ NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
+ esac
+ { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+ { (exit 1); exit 1; }; }
+done
+
+# There might be people who depend on the old broken behavior: `$host'
+# used to hold the argument of --host etc.
+# FIXME: To remove some day.
+build=$build_alias
+host=$host_alias
+target=$target_alias
+
+# FIXME: To remove some day.
+if test "x$host_alias" != x; then
+ if test "x$build_alias" = x; then
+ cross_compiling=maybe
+ echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
+ If a cross compiler is detected then cross compile mode will be used." >&2
+ elif test "x$build_alias" != "x$host_alias"; then
+ cross_compiling=yes
+ fi
+fi
+
+ac_tool_prefix=
+test -n "$host_alias" && ac_tool_prefix=$host_alias-
+
+test "$silent" = yes && exec 6>/dev/null
+
+
+ac_pwd=`pwd` && test -n "$ac_pwd" &&
+ac_ls_di=`ls -di .` &&
+ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
+ { echo "$as_me: error: Working directory cannot be determined" >&2
+ { (exit 1); exit 1; }; }
+test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
+ { echo "$as_me: error: pwd does not report name of working directory" >&2
+ { (exit 1); exit 1; }; }
+
+
+# Find the source files, if location was not specified.
+if test -z "$srcdir"; then
+ ac_srcdir_defaulted=yes
+ # Try the directory containing this script, then the parent directory.
+ ac_confdir=`$as_dirname -- "$0" ||
+$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$0" : 'X\(//\)[^/]' \| \
+ X"$0" : 'X\(//\)$' \| \
+ X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$0" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ srcdir=$ac_confdir
+ if test ! -r "$srcdir/$ac_unique_file"; then
+ srcdir=..
+ fi
+else
+ ac_srcdir_defaulted=no
+fi
+if test ! -r "$srcdir/$ac_unique_file"; then
+ test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
+ { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
+ { (exit 1); exit 1; }; }
+fi
+ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
+ac_abs_confdir=`(
+ cd "$srcdir" && test -r "./$ac_unique_file" || { echo "$as_me: error: $ac_msg" >&2
+ { (exit 1); exit 1; }; }
+ pwd)`
+# When building in place, set srcdir=.
+if test "$ac_abs_confdir" = "$ac_pwd"; then
+ srcdir=.
+fi
+# Remove unnecessary trailing slashes from srcdir.
+# Double slashes in file names in object file debugging info
+# mess up M-x gdb in Emacs.
+case $srcdir in
+*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;;
+esac
+for ac_var in $ac_precious_vars; do
+ eval ac_env_${ac_var}_set=\${${ac_var}+set}
+ eval ac_env_${ac_var}_value=\$${ac_var}
+ eval ac_cv_env_${ac_var}_set=\${${ac_var}+set}
+ eval ac_cv_env_${ac_var}_value=\$${ac_var}
+done
+
+#
+# Report the --help message.
+#
+if test "$ac_init_help" = "long"; then
+ # Omit some internal or obsolete options to make the list less imposing.
+ # This message is too long to be a string in the A/UX 3.1 sh.
+ cat <<_ACEOF
+\`configure' configures strongSwan 4.1.1 to adapt to many kinds of systems.
+
+Usage: $0 [OPTION]... [VAR=VALUE]...
+
+To assign environment variables (e.g., CC, CFLAGS...), specify them as
+VAR=VALUE. See below for descriptions of some of the useful variables.
+
+Defaults for the options are specified in brackets.
+
+Configuration:
+ -h, --help display this help and exit
+ --help=short display options specific to this package
+ --help=recursive display the short help of all the included packages
+ -V, --version display version information and exit
+ -q, --quiet, --silent do not print \`checking...' messages
+ --cache-file=FILE cache test results in FILE [disabled]
+ -C, --config-cache alias for \`--cache-file=config.cache'
+ -n, --no-create do not create output files
+ --srcdir=DIR find the sources in DIR [configure dir or \`..']
+
+Installation directories:
+ --prefix=PREFIX install architecture-independent files in PREFIX
+ [$ac_default_prefix]
+ --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
+ [PREFIX]
+
+By default, \`make install' will install all the files in
+\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify
+an installation prefix other than \`$ac_default_prefix' using \`--prefix',
+for instance \`--prefix=\$HOME'.
+
+For better control, use the options below.
+
+Fine tuning of the installation directories:
+ --bindir=DIR user executables [EPREFIX/bin]
+ --sbindir=DIR system admin executables [EPREFIX/sbin]
+ --libexecdir=DIR program executables [EPREFIX/libexec]
+ --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
+ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
+ --localstatedir=DIR modifiable single-machine data [PREFIX/var]
+ --libdir=DIR object code libraries [EPREFIX/lib]
+ --includedir=DIR C header files [PREFIX/include]
+ --oldincludedir=DIR C header files for non-gcc [/usr/include]
+ --datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
+ --datadir=DIR read-only architecture-independent data [DATAROOTDIR]
+ --infodir=DIR info documentation [DATAROOTDIR/info]
+ --localedir=DIR locale-dependent data [DATAROOTDIR/locale]
+ --mandir=DIR man documentation [DATAROOTDIR/man]
+ --docdir=DIR documentation root [DATAROOTDIR/doc/strongswan]
+ --htmldir=DIR html documentation [DOCDIR]
+ --dvidir=DIR dvi documentation [DOCDIR]
+ --pdfdir=DIR pdf documentation [DOCDIR]
+ --psdir=DIR ps documentation [DOCDIR]
+_ACEOF
+
+ cat <<\_ACEOF
+
+Program names:
+ --program-prefix=PREFIX prepend PREFIX to installed program names
+ --program-suffix=SUFFIX append SUFFIX to installed program names
+ --program-transform-name=PROGRAM run sed PROGRAM on installed program names
+
+System types:
+ --build=BUILD configure for building on BUILD [guessed]
+ --host=HOST cross-compile to build programs to run on HOST [BUILD]
+_ACEOF
+fi
+
+if test -n "$ac_init_help"; then
+ case $ac_init_help in
+ short | recursive ) echo "Configuration of strongSwan 4.1.1:";;
+ esac
+ cat <<\_ACEOF
+
+Optional Features:
+ --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
+ --enable-FEATURE[=ARG] include FEATURE [ARG=yes]
+ --disable-dependency-tracking speeds up one-time build
+ --enable-dependency-tracking do not reject slow dependency extractors
+ --enable-http enable OCSP and fetching of Certificates and CRLs
+ over HTTP (default is NO). Requires libcurl.
+ --enable-ldap enable fetching of CRLs from LDAP (default is NO).
+ Requires openLDAP.
+ --enable-smartcard enable smartcard support (default is NO).
+ --enable-cisco-quirks enable support of Cisco VPN client (default is NO).
+ --enable-leak-detective enable malloc hooks to find memory leaks (default is
+ NO).
+ --enable-eap-sim build SIM authenication module for EAP (default is
+ NO).
+ --enable-nat-transport enable NAT traversal with IPsec transport mode
+ (default is NO).
+ --disable-vendor-id disable the sending of the strongSwan vendor ID
+ (default is NO).
+ --enable-shared[=PKGS] build shared libraries [default=yes]
+ --enable-static[=PKGS] build static libraries [default=yes]
+ --enable-fast-install[=PKGS]
+ optimize for fast installation [default=yes]
+ --disable-libtool-lock avoid locking (might break parallel builds)
+
+Optional Packages:
+ --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
+ --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
+ --with-default-pkcs11=lib
+ set the default PKCS11 library other than
+ "/usr/lib/opensc-pkcs11.so"
+ --with-xauth-module=lib set the path to the XAUTH module
+ --with-random-device=dev
+ set the device for real random data other than
+ "/dev/random"
+ --with-resolv-conf=file set the file to store DNS server information other
+ than "sysconfdir/resolv.conf"
+ --with-urandom-device=dev
+ set the device for pseudo random data other than
+ "/dev/urandom"
+ --with-ipsecdir=dir installation path for ipsec tools other than
+ "libexecdir/ipsec"
+ --with-piddir=dir path for PID and UNIX socket files other than
+ "/var/run"
+ --with-eapdir=dir path for pluggable EAP modules other than
+ "ipsecdir/eap"
+ --with-sim-reader=library.so
+ library containing the sim_run_alg() function for
+ EAP-SIM
+ --with-gnu-ld assume the C compiler uses GNU ld [default=no]
+ --with-pic try to use only PIC/non-PIC objects [default=use
+ both]
+ --with-tags[=TAGS] include additional configurations [automatic]
+
+Some influential environment variables:
+ CC C compiler command
+ CFLAGS C compiler flags
+ LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
+ nonstandard directory <lib dir>
+ LIBS libraries to pass to the linker, e.g. -l<library>
+ CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I<include dir> if
+ you have headers in a nonstandard directory <include dir>
+ CPP C preprocessor
+ CXX C++ compiler command
+ CXXFLAGS C++ compiler flags
+ CXXCPP C++ preprocessor
+ F77 Fortran 77 compiler command
+ FFLAGS Fortran 77 compiler flags
+ YACC The `Yet Another C Compiler' implementation to use. Defaults to
+ the first program found out of: `bison -y', `byacc', `yacc'.
+ YFLAGS The list of arguments that will be passed by default to $YACC.
+ This script will default YFLAGS to the empty string to avoid a
+ default value of `-d' given by some make applications.
+
+Use these variables to override the choices made by `configure' or to help
+it to find libraries and programs with nonstandard names/locations.
+
+_ACEOF
+ac_status=$?
+fi
+
+if test "$ac_init_help" = "recursive"; then
+ # If there are subdirs, report their specific --help.
+ for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
+ test -d "$ac_dir" || continue
+ ac_builddir=.
+
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
+ ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
+ # A ".." for each directory in $ac_dir_suffix.
+ ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
+ case $ac_top_builddir_sub in
+ "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+ esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
+
+case $srcdir in
+ .) # We are building in place.
+ ac_srcdir=.
+ ac_top_srcdir=$ac_top_builddir_sub
+ ac_abs_top_srcdir=$ac_pwd ;;
+ [\\/]* | ?:[\\/]* ) # Absolute name.
+ ac_srcdir=$srcdir$ac_dir_suffix;
+ ac_top_srcdir=$srcdir
+ ac_abs_top_srcdir=$srcdir ;;
+ *) # Relative name.
+ ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+ ac_top_srcdir=$ac_top_build_prefix$srcdir
+ ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
+esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
+
+ cd "$ac_dir" || { ac_status=$?; continue; }
+ # Check for guested configure.
+ if test -f "$ac_srcdir/configure.gnu"; then
+ echo &&
+ $SHELL "$ac_srcdir/configure.gnu" --help=recursive
+ elif test -f "$ac_srcdir/configure"; then
+ echo &&
+ $SHELL "$ac_srcdir/configure" --help=recursive
+ else
+ echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
+ fi || ac_status=$?
+ cd "$ac_pwd" || { ac_status=$?; break; }
+ done
+fi
+
+test -n "$ac_init_help" && exit $ac_status
+if $ac_init_version; then
+ cat <<\_ACEOF
+strongSwan configure 4.1.1
+generated by GNU Autoconf 2.61
+
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
+This configure script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it.
+_ACEOF
+ exit
+fi
+cat >config.log <<_ACEOF
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+
+It was created by strongSwan $as_me 4.1.1, which was
+generated by GNU Autoconf 2.61. Invocation command line was
+
+ $ $0 $@
+
+_ACEOF
+exec 5>>config.log
+{
+cat <<_ASUNAME
+## --------- ##
+## Platform. ##
+## --------- ##
+
+hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
+/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown`
+
+/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown`
+/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
+/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown`
+/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown`
+/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown`
+/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown`
+
+_ASUNAME
+
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ echo "PATH: $as_dir"
+done
+IFS=$as_save_IFS
+
+} >&5
+
+cat >&5 <<_ACEOF
+
+
+## ----------- ##
+## Core tests. ##
+## ----------- ##
+
+_ACEOF
+
+
+# Keep a trace of the command line.
+# Strip out --no-create and --no-recursion so they do not pile up.
+# Strip out --silent because we don't want to record it for future runs.
+# Also quote any args containing shell meta-characters.
+# Make two passes to allow for proper duplicate-argument suppression.
+ac_configure_args=
+ac_configure_args0=
+ac_configure_args1=
+ac_must_keep_next=false
+for ac_pass in 1 2
+do
+ for ac_arg
+ do
+ case $ac_arg in
+ -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;;
+ -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+ | -silent | --silent | --silen | --sile | --sil)
+ continue ;;
+ *\'*)
+ ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
+ esac
+ case $ac_pass in
+ 1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
+ 2)
+ ac_configure_args1="$ac_configure_args1 '$ac_arg'"
+ if test $ac_must_keep_next = true; then
+ ac_must_keep_next=false # Got value, back to normal.
+ else
+ case $ac_arg in
+ *=* | --config-cache | -C | -disable-* | --disable-* \
+ | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \
+ | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \
+ | -with-* | --with-* | -without-* | --without-* | --x)
+ case "$ac_configure_args0 " in
+ "$ac_configure_args1"*" '$ac_arg' "* ) continue ;;
+ esac
+ ;;
+ -* ) ac_must_keep_next=true ;;
+ esac
+ fi
+ ac_configure_args="$ac_configure_args '$ac_arg'"
+ ;;
+ esac
+ done
+done
+$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
+$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
+
+# When interrupted or exit'd, cleanup temporary files, and complete
+# config.log. We remove comments because anyway the quotes in there
+# would cause problems or look ugly.
+# WARNING: Use '\'' to represent an apostrophe within the trap.
+# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug.
+trap 'exit_status=$?
+ # Save into config.log some information that might help in debugging.
+ {
+ echo
+
+ cat <<\_ASBOX
+## ---------------- ##
+## Cache variables. ##
+## ---------------- ##
+_ASBOX
+ echo
+ # The following way of writing the cache mishandles newlines in values,
+(
+ for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do
+ eval ac_val=\$$ac_var
+ case $ac_val in #(
+ *${as_nl}*)
+ case $ac_var in #(
+ *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+ esac
+ case $ac_var in #(
+ _ | IFS | as_nl) ;; #(
+ *) $as_unset $ac_var ;;
+ esac ;;
+ esac
+ done
+ (set) 2>&1 |
+ case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #(
+ *${as_nl}ac_space=\ *)
+ sed -n \
+ "s/'\''/'\''\\\\'\'''\''/g;
+ s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p"
+ ;; #(
+ *)
+ sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
+ ;;
+ esac |
+ sort
+)
+ echo
+
+ cat <<\_ASBOX
+## ----------------- ##
+## Output variables. ##
+## ----------------- ##
+_ASBOX
+ echo
+ for ac_var in $ac_subst_vars
+ do
+ eval ac_val=\$$ac_var
+ case $ac_val in
+ *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+ esac
+ echo "$ac_var='\''$ac_val'\''"
+ done | sort
+ echo
+
+ if test -n "$ac_subst_files"; then
+ cat <<\_ASBOX
+## ------------------- ##
+## File substitutions. ##
+## ------------------- ##
+_ASBOX
+ echo
+ for ac_var in $ac_subst_files
+ do
+ eval ac_val=\$$ac_var
+ case $ac_val in
+ *\'\''*) ac_val=`echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+ esac
+ echo "$ac_var='\''$ac_val'\''"
+ done | sort
+ echo
+ fi
+
+ if test -s confdefs.h; then
+ cat <<\_ASBOX
+## ----------- ##
+## confdefs.h. ##
+## ----------- ##
+_ASBOX
+ echo
+ cat confdefs.h
+ echo
+ fi
+ test "$ac_signal" != 0 &&
+ echo "$as_me: caught signal $ac_signal"
+ echo "$as_me: exit $exit_status"
+ } >&5
+ rm -f core *.core core.conftest.* &&
+ rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
+ exit $exit_status
+' 0
+for ac_signal in 1 2 13 15; do
+ trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
+done
+ac_signal=0
+
+# confdefs.h avoids OS command line length limits that DEFS can exceed.
+rm -f -r conftest* confdefs.h
+
+# Predefined preprocessor variables.
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_NAME "$PACKAGE_NAME"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_TARNAME "$PACKAGE_TARNAME"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_VERSION "$PACKAGE_VERSION"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_STRING "$PACKAGE_STRING"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
+_ACEOF
+
+
+# Let the site file select an alternate cache file if it wants to.
+# Prefer explicitly selected file to automatically selected ones.
+if test -n "$CONFIG_SITE"; then
+ set x "$CONFIG_SITE"
+elif test "x$prefix" != xNONE; then
+ set x "$prefix/share/config.site" "$prefix/etc/config.site"
+else
+ set x "$ac_default_prefix/share/config.site" \
+ "$ac_default_prefix/etc/config.site"
+fi
+shift
+for ac_site_file
+do
+ if test -r "$ac_site_file"; then
+ { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
+echo "$as_me: loading site script $ac_site_file" >&6;}
+ sed 's/^/| /' "$ac_site_file" >&5
+ . "$ac_site_file"
+ fi
+done
+
+if test -r "$cache_file"; then
+ # Some versions of bash will fail to source /dev/null (special
+ # files actually), so we avoid doing that.
+ if test -f "$cache_file"; then
+ { echo "$as_me:$LINENO: loading cache $cache_file" >&5
+echo "$as_me: loading cache $cache_file" >&6;}
+ case $cache_file in
+ [\\/]* | ?:[\\/]* ) . "$cache_file";;
+ *) . "./$cache_file";;
+ esac
+ fi
+else
+ { echo "$as_me:$LINENO: creating cache $cache_file" >&5
+echo "$as_me: creating cache $cache_file" >&6;}
+ >$cache_file
+fi
+
+# Check that the precious variables saved in the cache have kept the same
+# value.
+ac_cache_corrupted=false
+for ac_var in $ac_precious_vars; do
+ eval ac_old_set=\$ac_cv_env_${ac_var}_set
+ eval ac_new_set=\$ac_env_${ac_var}_set
+ eval ac_old_val=\$ac_cv_env_${ac_var}_value
+ eval ac_new_val=\$ac_env_${ac_var}_value
+ case $ac_old_set,$ac_new_set in
+ set,)
+ { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
+ ac_cache_corrupted=: ;;
+ ,set)
+ { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
+echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
+ ac_cache_corrupted=: ;;
+ ,);;
+ *)
+ if test "x$ac_old_val" != "x$ac_new_val"; then
+ { echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
+echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
+ { echo "$as_me:$LINENO: former value: $ac_old_val" >&5
+echo "$as_me: former value: $ac_old_val" >&2;}
+ { echo "$as_me:$LINENO: current value: $ac_new_val" >&5
+echo "$as_me: current value: $ac_new_val" >&2;}
+ ac_cache_corrupted=:
+ fi;;
+ esac
+ # Pass precious variables to config.status.
+ if test "$ac_new_set" = set; then
+ case $ac_new_val in
+ *\'*) ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+ *) ac_arg=$ac_var=$ac_new_val ;;
+ esac
+ case " $ac_configure_args " in
+ *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy.
+ *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
+ esac
+ fi
+done
+if $ac_cache_corrupted; then
+ { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
+echo "$as_me: error: changes in the environment can compromise the build" >&2;}
+ { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
+echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+am__api_version="1.9"
+ac_aux_dir=
+for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
+ if test -f "$ac_dir/install-sh"; then
+ ac_aux_dir=$ac_dir
+ ac_install_sh="$ac_aux_dir/install-sh -c"
+ break
+ elif test -f "$ac_dir/install.sh"; then
+ ac_aux_dir=$ac_dir
+ ac_install_sh="$ac_aux_dir/install.sh -c"
+ break
+ elif test -f "$ac_dir/shtool"; then
+ ac_aux_dir=$ac_dir
+ ac_install_sh="$ac_aux_dir/shtool install -c"
+ break
+ fi
+done
+if test -z "$ac_aux_dir"; then
+ { { echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&5
+echo "$as_me: error: cannot find install-sh or install.sh in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+# These three variables are undocumented and unsupported,
+# and are intended to be withdrawn in a future Autoconf release.
+# They can cause serious problems if a builder's source tree is in a directory
+# whose full name contains unusual characters.
+ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var.
+ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var.
+ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var.
+
+
+# Find a good install program. We prefer a C program (faster),
+# so one script is as good as another. But avoid the broken or
+# incompatible versions:
+# SysV /etc/install, /usr/sbin/install
+# SunOS /usr/etc/install
+# IRIX /sbin/install
+# AIX /bin/install
+# AmigaOS /C/install, which installs bootblocks on floppy discs
+# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
+# AFS /usr/afsws/bin/install, which mishandles nonexistent args
+# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
+# OS/2's system install, which has a completely different semantic
+# ./install, which can be erroneously created by make from ./install.sh.
+{ echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
+echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6; }
+if test -z "$INSTALL"; then
+if test "${ac_cv_path_install+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ # Account for people who put trailing slashes in PATH elements.
+case $as_dir/ in
+ ./ | .// | /cC/* | \
+ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
+ ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \
+ /usr/ucb/* ) ;;
+ *)
+ # OSF1 and SCO ODT 3.0 have their own names for install.
+ # Don't use installbsd from OSF since it installs stuff as root
+ # by default.
+ for ac_prog in ginstall scoinst install; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
+ if test $ac_prog = install &&
+ grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+ # AIX install. It has an incompatible calling convention.
+ :
+ elif test $ac_prog = install &&
+ grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+ # program-specific install script used by HP pwplus--don't use.
+ :
+ else
+ ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
+ break 3
+ fi
+ fi
+ done
+ done
+ ;;
+esac
+done
+IFS=$as_save_IFS
+
+
+fi
+ if test "${ac_cv_path_install+set}" = set; then
+ INSTALL=$ac_cv_path_install
+ else
+ # As a last resort, use the slow shell script. Don't cache a
+ # value for INSTALL within a source directory, because that will
+ # break other packages using the cache if that directory is
+ # removed, or if the value is a relative name.
+ INSTALL=$ac_install_sh
+ fi
+fi
+{ echo "$as_me:$LINENO: result: $INSTALL" >&5
+echo "${ECHO_T}$INSTALL" >&6; }
+
+# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
+# It thinks the first close brace ends the variable substitution.
+test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
+
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
+
+test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
+
+{ echo "$as_me:$LINENO: checking whether build environment is sane" >&5
+echo $ECHO_N "checking whether build environment is sane... $ECHO_C" >&6; }
+# Just in case
+sleep 1
+echo timestamp > conftest.file
+# Do `set' in a subshell so we don't clobber the current shell's
+# arguments. Must try -L first in case configure is actually a
+# symlink; some systems play weird games with the mod time of symlinks
+# (eg FreeBSD returns the mod time of the symlink's containing
+# directory).
+if (
+ set X `ls -Lt $srcdir/configure conftest.file 2> /dev/null`
+ if test "$*" = "X"; then
+ # -L didn't work.
+ set X `ls -t $srcdir/configure conftest.file`
+ fi
+ rm -f conftest.file
+ if test "$*" != "X $srcdir/configure conftest.file" \
+ && test "$*" != "X conftest.file $srcdir/configure"; then
+
+ # If neither matched, then we have a broken ls. This can happen
+ # if, for instance, CONFIG_SHELL is bash and it inherits a
+ # broken ls alias from the environment. This has actually
+ # happened. Such a system could not be considered "sane".
+ { { echo "$as_me:$LINENO: error: ls -t appears to fail. Make sure there is not a broken
+alias in your environment" >&5
+echo "$as_me: error: ls -t appears to fail. Make sure there is not a broken
+alias in your environment" >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+
+ test "$2" = conftest.file
+ )
+then
+ # Ok.
+ :
+else
+ { { echo "$as_me:$LINENO: error: newly created file is older than distributed files!
+Check your system clock" >&5
+echo "$as_me: error: newly created file is older than distributed files!
+Check your system clock" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+test "$program_prefix" != NONE &&
+ program_transform_name="s&^&$program_prefix&;$program_transform_name"
+# Use a double $ so make ignores it.
+test "$program_suffix" != NONE &&
+ program_transform_name="s&\$&$program_suffix&;$program_transform_name"
+# Double any \ or $. echo might interpret backslashes.
+# By default was `s,x,x', remove it if useless.
+cat <<\_ACEOF >conftest.sed
+s/[\\$]/&&/g;s/;s,x,x,$//
+_ACEOF
+program_transform_name=`echo $program_transform_name | sed -f conftest.sed`
+rm -f conftest.sed
+
+# expand $ac_aux_dir to an absolute path
+am_aux_dir=`cd $ac_aux_dir && pwd`
+
+test x"${MISSING+set}" = xset || MISSING="\${SHELL} $am_aux_dir/missing"
+# Use eval to expand $SHELL
+if eval "$MISSING --run true"; then
+ am_missing_run="$MISSING --run "
+else
+ am_missing_run=
+ { echo "$as_me:$LINENO: WARNING: \`missing' script is too old or missing" >&5
+echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;}
+fi
+
+if mkdir -p --version . >/dev/null 2>&1 && test ! -d ./--version; then
+ # We used to keeping the `.' as first argument, in order to
+ # allow $(mkdir_p) to be used without argument. As in
+ # $(mkdir_p) $(somedir)
+ # where $(somedir) is conditionally defined. However this is wrong
+ # for two reasons:
+ # 1. if the package is installed by a user who cannot write `.'
+ # make install will fail,
+ # 2. the above comment should most certainly read
+ # $(mkdir_p) $(DESTDIR)$(somedir)
+ # so it does not work when $(somedir) is undefined and
+ # $(DESTDIR) is not.
+ # To support the latter case, we have to write
+ # test -z "$(somedir)" || $(mkdir_p) $(DESTDIR)$(somedir),
+ # so the `.' trick is pointless.
+ mkdir_p='mkdir -p --'
+else
+ # On NextStep and OpenStep, the `mkdir' command does not
+ # recognize any option. It will interpret all options as
+ # directories to create, and then abort because `.' already
+ # exists.
+ for d in ./-p ./--version;
+ do
+ test -d $d && rmdir $d
+ done
+ # $(mkinstalldirs) is defined by Automake if mkinstalldirs exists.
+ if test -f "$ac_aux_dir/mkinstalldirs"; then
+ mkdir_p='$(mkinstalldirs)'
+ else
+ mkdir_p='$(install_sh) -d'
+ fi
+fi
+
+for ac_prog in gawk mawk nawk awk
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_AWK+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$AWK"; then
+ ac_cv_prog_AWK="$AWK" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_AWK="$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+AWK=$ac_cv_prog_AWK
+if test -n "$AWK"; then
+ { echo "$as_me:$LINENO: result: $AWK" >&5
+echo "${ECHO_T}$AWK" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+ test -n "$AWK" && break
+done
+
+{ echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5
+echo $ECHO_N "checking whether ${MAKE-make} sets \$(MAKE)... $ECHO_C" >&6; }
+set x ${MAKE-make}; ac_make=`echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'`
+if { as_var=ac_cv_prog_make_${ac_make}_set; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.make <<\_ACEOF
+SHELL = /bin/sh
+all:
+ @echo '@@@%%%=$(MAKE)=@@@%%%'
+_ACEOF
+# GNU make sometimes prints "make[1]: Entering...", which would confuse us.
+case `${MAKE-make} -f conftest.make 2>/dev/null` in
+ *@@@%%%=?*=@@@%%%*)
+ eval ac_cv_prog_make_${ac_make}_set=yes;;
+ *)
+ eval ac_cv_prog_make_${ac_make}_set=no;;
+esac
+rm -f conftest.make
+fi
+if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then
+ { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+ SET_MAKE=
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+ SET_MAKE="MAKE=${MAKE-make}"
+fi
+
+rm -rf .tst 2>/dev/null
+mkdir .tst 2>/dev/null
+if test -d .tst; then
+ am__leading_dot=.
+else
+ am__leading_dot=_
+fi
+rmdir .tst 2>/dev/null
+
+# test to see if srcdir already configured
+if test "`cd $srcdir && pwd`" != "`pwd`" &&
+ test -f $srcdir/config.status; then
+ { { echo "$as_me:$LINENO: error: source directory already configured; run \"make distclean\" there first" >&5
+echo "$as_me: error: source directory already configured; run \"make distclean\" there first" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+# test whether we have cygpath
+if test -z "$CYGPATH_W"; then
+ if (cygpath --version) >/dev/null 2>/dev/null; then
+ CYGPATH_W='cygpath -w'
+ else
+ CYGPATH_W=echo
+ fi
+fi
+
+
+# Define the identity of the package.
+ PACKAGE='strongswan'
+ VERSION='4.1.1'
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE "$PACKAGE"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define VERSION "$VERSION"
+_ACEOF
+
+# Some tools Automake needs.
+
+ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"}
+
+
+AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"}
+
+
+AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"}
+
+
+AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"}
+
+
+MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"}
+
+install_sh=${install_sh-"$am_aux_dir/install-sh"}
+
+# Installed binaries are usually stripped using `strip' when the user
+# run `make install-strip'. However `strip' might not be the right
+# tool to use in cross-compilation environments, therefore Automake
+# will honor the `STRIP' environment variable to overrule this program.
+if test "$cross_compiling" != no; then
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
+set dummy ${ac_tool_prefix}strip; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_STRIP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$STRIP"; then
+ ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_STRIP="${ac_tool_prefix}strip"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+STRIP=$ac_cv_prog_STRIP
+if test -n "$STRIP"; then
+ { echo "$as_me:$LINENO: result: $STRIP" >&5
+echo "${ECHO_T}$STRIP" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_STRIP"; then
+ ac_ct_STRIP=$STRIP
+ # Extract the first word of "strip", so it can be a program name with args.
+set dummy strip; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_STRIP"; then
+ ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_STRIP="strip"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
+if test -n "$ac_ct_STRIP"; then
+ { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
+echo "${ECHO_T}$ac_ct_STRIP" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+ if test "x$ac_ct_STRIP" = x; then
+ STRIP=":"
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ STRIP=$ac_ct_STRIP
+ fi
+else
+ STRIP="$ac_cv_prog_STRIP"
+fi
+
+fi
+INSTALL_STRIP_PROGRAM="\${SHELL} \$(install_sh) -c -s"
+
+# We need awk for the "check" target. The system "awk" is bad on
+# some platforms.
+# Always define AMTAR for backward compatibility.
+
+AMTAR=${AMTAR-"${am_missing_run}tar"}
+
+
+{ echo "$as_me:$LINENO: checking how to create a ustar tar archive" >&5
+echo $ECHO_N "checking how to create a ustar tar archive... $ECHO_C" >&6; }
+# Loop over all known methods to create a tar archive until one works.
+_am_tools='gnutar plaintar pax cpio none'
+_am_tools=${am_cv_prog_tar_ustar-$_am_tools}
+# Do not fold the above two line into one, because Tru64 sh and
+# Solaris sh will not grok spaces in the rhs of `-'.
+for _am_tool in $_am_tools
+do
+ case $_am_tool in
+ gnutar)
+ for _am_tar in tar gnutar gtar;
+ do
+ { echo "$as_me:$LINENO: $_am_tar --version" >&5
+ ($_am_tar --version) >&5 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && break
+ done
+ am__tar="$_am_tar --format=ustar -chf - "'"$$tardir"'
+ am__tar_="$_am_tar --format=ustar -chf - "'"$tardir"'
+ am__untar="$_am_tar -xf -"
+ ;;
+ plaintar)
+ # Must skip GNU tar: if it does not support --format= it doesn't create
+ # ustar tarball either.
+ (tar --version) >/dev/null 2>&1 && continue
+ am__tar='tar chf - "$$tardir"'
+ am__tar_='tar chf - "$tardir"'
+ am__untar='tar xf -'
+ ;;
+ pax)
+ am__tar='pax -L -x ustar -w "$$tardir"'
+ am__tar_='pax -L -x ustar -w "$tardir"'
+ am__untar='pax -r'
+ ;;
+ cpio)
+ am__tar='find "$$tardir" -print | cpio -o -H ustar -L'
+ am__tar_='find "$tardir" -print | cpio -o -H ustar -L'
+ am__untar='cpio -i -H ustar -d'
+ ;;
+ none)
+ am__tar=false
+ am__tar_=false
+ am__untar=false
+ ;;
+ esac
+
+ # If the value was cached, stop now. We just wanted to have am__tar
+ # and am__untar set.
+ test -n "${am_cv_prog_tar_ustar}" && break
+
+ # tar/untar a dummy directory, and stop if the command works
+ rm -rf conftest.dir
+ mkdir conftest.dir
+ echo GrepMe > conftest.dir/file
+ { echo "$as_me:$LINENO: tardir=conftest.dir && eval $am__tar_ >conftest.tar" >&5
+ (tardir=conftest.dir && eval $am__tar_ >conftest.tar) >&5 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+ rm -rf conftest.dir
+ if test -s conftest.tar; then
+ { echo "$as_me:$LINENO: $am__untar <conftest.tar" >&5
+ ($am__untar <conftest.tar) >&5 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+ grep GrepMe conftest.dir/file >/dev/null 2>&1 && break
+ fi
+done
+rm -rf conftest.dir
+
+if test "${am_cv_prog_tar_ustar+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ am_cv_prog_tar_ustar=$_am_tool
+fi
+
+{ echo "$as_me:$LINENO: result: $am_cv_prog_tar_ustar" >&5
+echo "${ECHO_T}$am_cv_prog_tar_ustar" >&6; }
+
+
+
+
+
+DEPDIR="${am__leading_dot}deps"
+
+ac_config_commands="$ac_config_commands depfiles"
+
+
+am_make=${MAKE-make}
+cat > confinc << 'END'
+am__doit:
+ @echo done
+.PHONY: am__doit
+END
+# If we don't find an include directive, just comment out the code.
+{ echo "$as_me:$LINENO: checking for style of include used by $am_make" >&5
+echo $ECHO_N "checking for style of include used by $am_make... $ECHO_C" >&6; }
+am__include="#"
+am__quote=
+_am_result=none
+# First try GNU make style include.
+echo "include confinc" > confmf
+# We grep out `Entering directory' and `Leaving directory'
+# messages which can occur if `w' ends up in MAKEFLAGS.
+# In particular we don't look at `^make:' because GNU make might
+# be invoked under some other name (usually "gmake"), in which
+# case it prints its new name instead of `make'.
+if test "`$am_make -s -f confmf 2> /dev/null | grep -v 'ing directory'`" = "done"; then
+ am__include=include
+ am__quote=
+ _am_result=GNU
+fi
+# Now try BSD make style include.
+if test "$am__include" = "#"; then
+ echo '.include "confinc"' > confmf
+ if test "`$am_make -s -f confmf 2> /dev/null`" = "done"; then
+ am__include=.include
+ am__quote="\""
+ _am_result=BSD
+ fi
+fi
+
+
+{ echo "$as_me:$LINENO: result: $_am_result" >&5
+echo "${ECHO_T}$_am_result" >&6; }
+rm -f confinc confmf
+
+# Check whether --enable-dependency-tracking was given.
+if test "${enable_dependency_tracking+set}" = set; then
+ enableval=$enable_dependency_tracking;
+fi
+
+if test "x$enable_dependency_tracking" != xno; then
+ am_depcomp="$ac_aux_dir/depcomp"
+ AMDEPBACKSLASH='\'
+fi
+
+
+if test "x$enable_dependency_tracking" != xno; then
+ AMDEP_TRUE=
+ AMDEP_FALSE='#'
+else
+ AMDEP_TRUE='#'
+ AMDEP_FALSE=
+fi
+
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}gcc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="${ac_tool_prefix}gcc"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_CC"; then
+ ac_ct_CC=$CC
+ # Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_CC="gcc"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+ { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+ if test "x$ac_ct_CC" = x; then
+ CC=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ CC=$ac_ct_CC
+ fi
+else
+ CC="$ac_cv_prog_CC"
+fi
+
+if test -z "$CC"; then
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}cc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="${ac_tool_prefix}cc"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+ fi
+fi
+if test -z "$CC"; then
+ # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+ ac_prog_rejected=no
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+ ac_prog_rejected=yes
+ continue
+ fi
+ ac_cv_prog_CC="cc"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+if test $ac_prog_rejected = yes; then
+ # We found a bogon in the path, so make sure we never use it.
+ set dummy $ac_cv_prog_CC
+ shift
+ if test $# != 0; then
+ # We chose a different compiler from the bogus one.
+ # However, it has the same basename, so the bogon will be chosen
+ # first if we set CC to just the basename; use the full file name.
+ shift
+ ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
+ fi
+fi
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$CC"; then
+ if test -n "$ac_tool_prefix"; then
+ for ac_prog in cl.exe
+ do
+ # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+ test -n "$CC" && break
+ done
+fi
+if test -z "$CC"; then
+ ac_ct_CC=$CC
+ for ac_prog in cl.exe
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_CC="$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+ { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+ test -n "$ac_ct_CC" && break
+done
+
+ if test "x$ac_ct_CC" = x; then
+ CC=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ CC=$ac_ct_CC
+ fi
+fi
+
+fi
+
+
+test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&5
+echo "$as_me: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+
+# Provide some information about the compiler.
+echo "$as_me:$LINENO: checking for C compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler --version >&5") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler -v >&5") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler -V >&5") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files a.out a.exe b.out"
+# Try to create an executable without -o first, disregard a.out.
+# It will help us diagnose broken compilers, and finding out an intuition
+# of exeext.
+{ echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
+echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6; }
+ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
+#
+# List of possible output files, starting from the most likely.
+# The algorithm is not robust to junk in `.', hence go to wildcards (a.*)
+# only as a last resort. b.out is created by i960 compilers.
+ac_files='a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out'
+#
+# The IRIX 6 linker writes into existing files which may not be
+# executable, retaining their permissions. Remove them first so a
+# subsequent execution test works.
+ac_rmfiles=
+for ac_file in $ac_files
+do
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
+ * ) ac_rmfiles="$ac_rmfiles $ac_file";;
+ esac
+done
+rm -f $ac_rmfiles
+
+if { (ac_try="$ac_link_default"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link_default") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
+# So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
+# in a Makefile. We should not override ac_cv_exeext if it was cached,
+# so that the user can short-circuit this test for compilers unknown to
+# Autoconf.
+for ac_file in $ac_files ''
+do
+ test -f "$ac_file" || continue
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj )
+ ;;
+ [ab].out )
+ # We found the default executable, but exeext='' is most
+ # certainly right.
+ break;;
+ *.* )
+ if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
+ then :; else
+ ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+ fi
+ # We set ac_cv_exeext here because the later test for it is not
+ # safe: cross compilers may not add the suffix if given an `-o'
+ # argument, so we may need to know it at that point already.
+ # Even if this section looks crufty: it has the advantage of
+ # actually working.
+ break;;
+ * )
+ break;;
+ esac
+done
+test "$ac_cv_exeext" = no && ac_cv_exeext=
+
+else
+ ac_file=''
+fi
+
+{ echo "$as_me:$LINENO: result: $ac_file" >&5
+echo "${ECHO_T}$ac_file" >&6; }
+if test -z "$ac_file"; then
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
+See \`config.log' for more details." >&5
+echo "$as_me: error: C compiler cannot create executables
+See \`config.log' for more details." >&2;}
+ { (exit 77); exit 77; }; }
+fi
+
+ac_exeext=$ac_cv_exeext
+
+# Check that the compiler produces executables we can run. If not, either
+# the compiler is broken, or we cross compile.
+{ echo "$as_me:$LINENO: checking whether the C compiler works" >&5
+echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6; }
+# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
+# If not cross compiling, check that we can run a simple program.
+if test "$cross_compiling" != yes; then
+ if { ac_try='./$ac_file'
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ cross_compiling=no
+ else
+ if test "$cross_compiling" = maybe; then
+ cross_compiling=yes
+ else
+ { { echo "$as_me:$LINENO: error: cannot run C compiled programs.
+If you meant to cross compile, use \`--host'.
+See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run C compiled programs.
+If you meant to cross compile, use \`--host'.
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+ fi
+fi
+{ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+
+rm -f a.out a.exe conftest$ac_cv_exeext b.out
+ac_clean_files=$ac_clean_files_save
+# Check that the compiler produces executables we can run. If not, either
+# the compiler is broken, or we cross compile.
+{ echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
+echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $cross_compiling" >&5
+echo "${ECHO_T}$cross_compiling" >&6; }
+
+{ echo "$as_me:$LINENO: checking for suffix of executables" >&5
+echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6; }
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ # If both `conftest.exe' and `conftest' are `present' (well, observable)
+# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will
+# work properly (i.e., refer to `conftest.exe'), while it won't with
+# `rm'.
+for ac_file in conftest.exe conftest conftest.*; do
+ test -f "$ac_file" || continue
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.o | *.obj ) ;;
+ *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+ break;;
+ * ) break;;
+ esac
+done
+else
+ { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details." >&5
+echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+rm -f conftest$ac_cv_exeext
+{ echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
+echo "${ECHO_T}$ac_cv_exeext" >&6; }
+
+rm -f conftest.$ac_ext
+EXEEXT=$ac_cv_exeext
+ac_exeext=$EXEEXT
+{ echo "$as_me:$LINENO: checking for suffix of object files" >&5
+echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6; }
+if test "${ac_cv_objext+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.o conftest.obj
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ for ac_file in conftest.o conftest.obj conftest.*; do
+ test -f "$ac_file" || continue;
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf ) ;;
+ *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
+ break;;
+ esac
+done
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
+See \`config.log' for more details." >&5
+echo "$as_me: error: cannot compute suffix of object files: cannot compile
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+rm -f conftest.$ac_cv_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
+echo "${ECHO_T}$ac_cv_objext" >&6; }
+OBJEXT=$ac_cv_objext
+ac_objext=$OBJEXT
+{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
+if test "${ac_cv_c_compiler_gnu+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+#ifndef __GNUC__
+ choke me
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_compiler_gnu=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_compiler_gnu=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_c_compiler_gnu=$ac_compiler_gnu
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
+GCC=`test $ac_compiler_gnu = yes && echo yes`
+ac_test_CFLAGS=${CFLAGS+set}
+ac_save_CFLAGS=$CFLAGS
+{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
+if test "${ac_cv_prog_cc_g+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_save_c_werror_flag=$ac_c_werror_flag
+ ac_c_werror_flag=yes
+ ac_cv_prog_cc_g=no
+ CFLAGS="-g"
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cc_g=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ CFLAGS=""
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ :
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_c_werror_flag=$ac_save_c_werror_flag
+ CFLAGS="-g"
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cc_g=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_c_werror_flag=$ac_save_c_werror_flag
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
+if test "$ac_test_CFLAGS" = set; then
+ CFLAGS=$ac_save_CFLAGS
+elif test $ac_cv_prog_cc_g = yes; then
+ if test "$GCC" = yes; then
+ CFLAGS="-g -O2"
+ else
+ CFLAGS="-g"
+ fi
+else
+ if test "$GCC" = yes; then
+ CFLAGS="-O2"
+ else
+ CFLAGS=
+ fi
+fi
+{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
+if test "${ac_cv_prog_cc_c89+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_cv_prog_cc_c89=no
+ac_save_CC=$CC
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <stdarg.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */
+struct buf { int x; };
+FILE * (*rcsopen) (struct buf *, struct stat *, int);
+static char *e (p, i)
+ char **p;
+ int i;
+{
+ return p[i];
+}
+static char *f (char * (*g) (char **, int), char **p, ...)
+{
+ char *s;
+ va_list v;
+ va_start (v,p);
+ s = g (p, va_arg (v,int));
+ va_end (v);
+ return s;
+}
+
+/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has
+ function prototypes and stuff, but not '\xHH' hex character constants.
+ These don't provoke an error unfortunately, instead are silently treated
+ as 'x'. The following induces an error, until -std is added to get
+ proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an
+ array size at least. It's necessary to write '\x00'==0 to get something
+ that's true only with -std. */
+int osf4_cc_array ['\x00' == 0 ? 1 : -1];
+
+/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
+ inside strings and character constants. */
+#define FOO(x) 'x'
+int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
+
+int test (int i, double x);
+struct s1 {int (*f) (int a);};
+struct s2 {int (*f) (double a);};
+int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
+int argc;
+char **argv;
+int
+main ()
+{
+return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1];
+ ;
+ return 0;
+}
+_ACEOF
+for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
+ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+do
+ CC="$ac_save_CC $ac_arg"
+ rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cc_c89=$ac_arg
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext
+ test "x$ac_cv_prog_cc_c89" != "xno" && break
+done
+rm -f conftest.$ac_ext
+CC=$ac_save_CC
+
+fi
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c89" in
+ x)
+ { echo "$as_me:$LINENO: result: none needed" >&5
+echo "${ECHO_T}none needed" >&6; } ;;
+ xno)
+ { echo "$as_me:$LINENO: result: unsupported" >&5
+echo "${ECHO_T}unsupported" >&6; } ;;
+ *)
+ CC="$CC $ac_cv_prog_cc_c89"
+ { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
+esac
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+depcc="$CC" am_compiler_list=
+
+{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5
+echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6; }
+if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
+ # We make a subdir and do the tests there. Otherwise we can end up
+ # making bogus files that we don't know about and never remove. For
+ # instance it was reported that on HP-UX the gcc test will end up
+ # making a dummy file named `D' -- because `-MD' means `put the output
+ # in D'.
+ mkdir conftest.dir
+ # Copy depcomp to subdir because otherwise we won't find it if we're
+ # using a relative directory.
+ cp "$am_depcomp" conftest.dir
+ cd conftest.dir
+ # We will build objects and dependencies in a subdirectory because
+ # it helps to detect inapplicable dependency modes. For instance
+ # both Tru64's cc and ICC support -MD to output dependencies as a
+ # side effect of compilation, but ICC will put the dependencies in
+ # the current directory while Tru64 will put them in the object
+ # directory.
+ mkdir sub
+
+ am_cv_CC_dependencies_compiler_type=none
+ if test "$am_compiler_list" = ""; then
+ am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp`
+ fi
+ for depmode in $am_compiler_list; do
+ # Setup a source with many dependencies, because some compilers
+ # like to wrap large dependency lists on column 80 (with \), and
+ # we should not choose a depcomp mode which is confused by this.
+ #
+ # We need to recreate these files for each test, as the compiler may
+ # overwrite some of them when testing with obscure command lines.
+ # This happens at least with the AIX C compiler.
+ : > sub/conftest.c
+ for i in 1 2 3 4 5 6; do
+ echo '#include "conftst'$i'.h"' >> sub/conftest.c
+ # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
+ # Solaris 8's {/usr,}/bin/sh.
+ touch sub/conftst$i.h
+ done
+ echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
+
+ case $depmode in
+ nosideeffect)
+ # after this tag, mechanisms are not by side-effect, so they'll
+ # only be used when explicitly requested
+ if test "x$enable_dependency_tracking" = xyes; then
+ continue
+ else
+ break
+ fi
+ ;;
+ none) break ;;
+ esac
+ # We check with `-c' and `-o' for the sake of the "dashmstdout"
+ # mode. It turns out that the SunPro C++ compiler does not properly
+ # handle `-M -o', and we need to detect this.
+ if depmode=$depmode \
+ source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
+ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
+ $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
+ >/dev/null 2>conftest.err &&
+ grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
+ grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
+ ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
+ # icc doesn't choke on unknown options, it will just issue warnings
+ # or remarks (even with -Werror). So we grep stderr for any message
+ # that says an option was ignored or not supported.
+ # When given -MP, icc 7.0 and 7.1 complain thusly:
+ # icc: Command line warning: ignoring option '-M'; no argument required
+ # The diagnosis changed in icc 8.0:
+ # icc: Command line remark: option '-MP' not supported
+ if (grep 'ignoring option' conftest.err ||
+ grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
+ am_cv_CC_dependencies_compiler_type=$depmode
+ break
+ fi
+ fi
+ done
+
+ cd ..
+ rm -rf conftest.dir
+else
+ am_cv_CC_dependencies_compiler_type=none
+fi
+
+fi
+{ echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5
+echo "${ECHO_T}$am_cv_CC_dependencies_compiler_type" >&6; }
+CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type
+
+
+
+if
+ test "x$enable_dependency_tracking" != xno \
+ && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then
+ am__fastdepCC_TRUE=
+ am__fastdepCC_FALSE='#'
+else
+ am__fastdepCC_TRUE='#'
+ am__fastdepCC_FALSE=
+fi
+
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+{ echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
+echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6; }
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+ CPP=
+fi
+if test -z "$CPP"; then
+ if test "${ac_cv_prog_CPP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # Double quotes because CPP needs to be expanded
+ for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
+ do
+ ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+ # Use a header file that comes with gcc, so configuring glibc
+ # with a fresh cross-compiler works.
+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ # <limits.h> exists even on freestanding compilers.
+ # On the NeXT, cc -E runs the code through the compiler's parser,
+ # not just through cpp. "Syntax error" is here to catch this case.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+ Syntax error
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ :
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Broken: fails on valid input.
+continue
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+ # OK, works on sane cases. Now check whether nonexistent headers
+ # can be detected and how.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ # Broken: success on invalid input.
+continue
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+ break
+fi
+
+ done
+ ac_cv_prog_CPP=$CPP
+
+fi
+ CPP=$ac_cv_prog_CPP
+else
+ ac_cv_prog_CPP=$CPP
+fi
+{ echo "$as_me:$LINENO: result: $CPP" >&5
+echo "${ECHO_T}$CPP" >&6; }
+ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+ # Use a header file that comes with gcc, so configuring glibc
+ # with a fresh cross-compiler works.
+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ # <limits.h> exists even on freestanding compilers.
+ # On the NeXT, cc -E runs the code through the compiler's parser,
+ # not just through cpp. "Syntax error" is here to catch this case.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+ Syntax error
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ :
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Broken: fails on valid input.
+continue
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+ # OK, works on sane cases. Now check whether nonexistent headers
+ # can be detected and how.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ # Broken: success on invalid input.
+continue
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+ :
+else
+ { { echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details." >&5
+echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+{ echo "$as_me:$LINENO: checking for grep that handles long lines and -e" >&5
+echo $ECHO_N "checking for grep that handles long lines and -e... $ECHO_C" >&6; }
+if test "${ac_cv_path_GREP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # Extract the first word of "grep ggrep" to use in msg output
+if test -z "$GREP"; then
+set dummy grep ggrep; ac_prog_name=$2
+if test "${ac_cv_path_GREP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_path_GREP_found=false
+# Loop through the user's path and test for each of PROGNAME-LIST
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_prog in grep ggrep; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext"
+ { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue
+ # Check for GNU ac_path_GREP and select it if it is found.
+ # Check for GNU $ac_path_GREP
+case `"$ac_path_GREP" --version 2>&1` in
+*GNU*)
+ ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
+*)
+ ac_count=0
+ echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
+ while :
+ do
+ cat "conftest.in" "conftest.in" >"conftest.tmp"
+ mv "conftest.tmp" "conftest.in"
+ cp "conftest.in" "conftest.nl"
+ echo 'GREP' >> "conftest.nl"
+ "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+ ac_count=`expr $ac_count + 1`
+ if test $ac_count -gt ${ac_path_GREP_max-0}; then
+ # Best one so far, save it but keep looking for a better one
+ ac_cv_path_GREP="$ac_path_GREP"
+ ac_path_GREP_max=$ac_count
+ fi
+ # 10*(2^10) chars as input seems more than enough
+ test $ac_count -gt 10 && break
+ done
+ rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+
+ $ac_path_GREP_found && break 3
+ done
+done
+
+done
+IFS=$as_save_IFS
+
+
+fi
+
+GREP="$ac_cv_path_GREP"
+if test -z "$GREP"; then
+ { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+else
+ ac_cv_path_GREP=$GREP
+fi
+
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_path_GREP" >&5
+echo "${ECHO_T}$ac_cv_path_GREP" >&6; }
+ GREP="$ac_cv_path_GREP"
+
+
+{ echo "$as_me:$LINENO: checking for egrep" >&5
+echo $ECHO_N "checking for egrep... $ECHO_C" >&6; }
+if test "${ac_cv_path_EGREP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if echo a | $GREP -E '(a|b)' >/dev/null 2>&1
+ then ac_cv_path_EGREP="$GREP -E"
+ else
+ # Extract the first word of "egrep" to use in msg output
+if test -z "$EGREP"; then
+set dummy egrep; ac_prog_name=$2
+if test "${ac_cv_path_EGREP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_path_EGREP_found=false
+# Loop through the user's path and test for each of PROGNAME-LIST
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_prog in egrep; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext"
+ { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue
+ # Check for GNU ac_path_EGREP and select it if it is found.
+ # Check for GNU $ac_path_EGREP
+case `"$ac_path_EGREP" --version 2>&1` in
+*GNU*)
+ ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
+*)
+ ac_count=0
+ echo $ECHO_N "0123456789$ECHO_C" >"conftest.in"
+ while :
+ do
+ cat "conftest.in" "conftest.in" >"conftest.tmp"
+ mv "conftest.tmp" "conftest.in"
+ cp "conftest.in" "conftest.nl"
+ echo 'EGREP' >> "conftest.nl"
+ "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
+ diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
+ ac_count=`expr $ac_count + 1`
+ if test $ac_count -gt ${ac_path_EGREP_max-0}; then
+ # Best one so far, save it but keep looking for a better one
+ ac_cv_path_EGREP="$ac_path_EGREP"
+ ac_path_EGREP_max=$ac_count
+ fi
+ # 10*(2^10) chars as input seems more than enough
+ test $ac_count -gt 10 && break
+ done
+ rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
+esac
+
+
+ $ac_path_EGREP_found && break 3
+ done
+done
+
+done
+IFS=$as_save_IFS
+
+
+fi
+
+EGREP="$ac_cv_path_EGREP"
+if test -z "$EGREP"; then
+ { { echo "$as_me:$LINENO: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5
+echo "$as_me: error: no acceptable $ac_prog_name could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+else
+ ac_cv_path_EGREP=$EGREP
+fi
+
+
+ fi
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5
+echo "${ECHO_T}$ac_cv_path_EGREP" >&6; }
+ EGREP="$ac_cv_path_EGREP"
+
+
+{ echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6; }
+if test "${ac_cv_header_stdc+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_header_stdc=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_header_stdc=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+if test $ac_cv_header_stdc = yes; then
+ # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <string.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+ $EGREP "memchr" >/dev/null 2>&1; then
+ :
+else
+ ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+ # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <stdlib.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+ $EGREP "free" >/dev/null 2>&1; then
+ :
+else
+ ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+ # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+ if test "$cross_compiling" = yes; then
+ :
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ctype.h>
+#include <stdlib.h>
+#if ((' ' & 0x0FF) == 0x020)
+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#else
+# define ISLOWER(c) \
+ (('a' <= (c) && (c) <= 'i') \
+ || ('j' <= (c) && (c) <= 'r') \
+ || ('s' <= (c) && (c) <= 'z'))
+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+#endif
+
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int
+main ()
+{
+ int i;
+ for (i = 0; i < 256; i++)
+ if (XOR (islower (i), ISLOWER (i))
+ || toupper (i) != TOUPPER (i))
+ return 2;
+ return 0;
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ :
+else
+ echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+( exit $ac_status )
+ac_cv_header_stdc=no
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+
+
+fi
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6; }
+if test $ac_cv_header_stdc = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define STDC_HEADERS 1
+_ACEOF
+
+fi
+
+# On IRIX 5.3, sys/types and inttypes.h are conflicting.
+
+
+
+
+
+
+
+
+
+for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
+ inttypes.h stdint.h unistd.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ eval "$as_ac_Header=yes"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ eval "$as_ac_Header=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+{ echo "$as_me:$LINENO: checking whether byte ordering is bigendian" >&5
+echo $ECHO_N "checking whether byte ordering is bigendian... $ECHO_C" >&6; }
+if test "${ac_cv_c_bigendian+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # See if sys/param.h defines the BYTE_ORDER macro.
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <sys/types.h>
+#include <sys/param.h>
+
+int
+main ()
+{
+#if ! (defined BYTE_ORDER && defined BIG_ENDIAN && defined LITTLE_ENDIAN \
+ && BYTE_ORDER && BIG_ENDIAN && LITTLE_ENDIAN)
+ bogus endian macros
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ # It does; now see whether it defined to BIG_ENDIAN or not.
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <sys/types.h>
+#include <sys/param.h>
+
+int
+main ()
+{
+#if BYTE_ORDER != BIG_ENDIAN
+ not big endian
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_c_bigendian=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_c_bigendian=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # It does not; compile a test program.
+if test "$cross_compiling" = yes; then
+ # try to guess the endianness by grepping values into an object file
+ ac_cv_c_bigendian=unknown
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+short int ascii_mm[] = { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 };
+short int ascii_ii[] = { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 };
+void _ascii () { char *s = (char *) ascii_mm; s = (char *) ascii_ii; }
+short int ebcdic_ii[] = { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 };
+short int ebcdic_mm[] = { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 };
+void _ebcdic () { char *s = (char *) ebcdic_mm; s = (char *) ebcdic_ii; }
+int
+main ()
+{
+ _ascii (); _ebcdic ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ if grep BIGenDianSyS conftest.$ac_objext >/dev/null ; then
+ ac_cv_c_bigendian=yes
+fi
+if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then
+ if test "$ac_cv_c_bigendian" = unknown; then
+ ac_cv_c_bigendian=no
+ else
+ # finding both strings is unlikely to happen, but who knows?
+ ac_cv_c_bigendian=unknown
+ fi
+fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+int
+main ()
+{
+
+ /* Are we little or big endian? From Harbison&Steele. */
+ union
+ {
+ long int l;
+ char c[sizeof (long int)];
+ } u;
+ u.l = 1;
+ return u.c[sizeof (long int) - 1] == 1;
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+ { (case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_try") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_c_bigendian=no
+else
+ echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+( exit $ac_status )
+ac_cv_c_bigendian=yes
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_c_bigendian" >&5
+echo "${ECHO_T}$ac_cv_c_bigendian" >&6; }
+case $ac_cv_c_bigendian in
+ yes)
+
+cat >>confdefs.h <<\_ACEOF
+#define WORDS_BIGENDIAN 1
+_ACEOF
+ ;;
+ no)
+ ;;
+ *)
+ { { echo "$as_me:$LINENO: error: unknown endianness
+presetting ac_cv_c_bigendian=no (or yes) will help" >&5
+echo "$as_me: error: unknown endianness
+presetting ac_cv_c_bigendian=no (or yes) will help" >&2;}
+ { (exit 1); exit 1; }; } ;;
+esac
+
+confdir='${sysconfdir}'
+
+
+
+
+
+# Check whether --with-default-pkcs11 was given.
+if test "${with_default_pkcs11+set}" = set; then
+ withval=$with_default_pkcs11; cat >>confdefs.h <<_ACEOF
+#define PKCS11_DEFAULT_LIB "$withval"
+_ACEOF
+
+else
+ cat >>confdefs.h <<_ACEOF
+#define PKCS11_DEFAULT_LIB "/usr/lib/opensc-pkcs11.so"
+_ACEOF
+
+
+fi
+
+
+
+# Check whether --with-xauth-module was given.
+if test "${with_xauth_module+set}" = set; then
+ withval=$with_xauth_module; cat >>confdefs.h <<_ACEOF
+#define XAUTH_DEFAULT_LIB "$withval"
+_ACEOF
+
+fi
+
+
+
+# Check whether --with-random-device was given.
+if test "${with_random_device+set}" = set; then
+ withval=$with_random_device; cat >>confdefs.h <<_ACEOF
+#define DEV_RANDOM "$withval"
+_ACEOF
+
+else
+ cat >>confdefs.h <<_ACEOF
+#define DEV_RANDOM "/dev/random"
+_ACEOF
+
+
+fi
+
+
+# Check whether --with-resolv-conf was given.
+if test "${with_resolv_conf+set}" = set; then
+ withval=$with_resolv_conf; cat >>confdefs.h <<_ACEOF
+#define RESOLV_CONF "$withval"
+_ACEOF
+
+else
+ cat >>confdefs.h <<_ACEOF
+#define RESOLV_CONF "${sysconfdir}/resolv.conf"
+_ACEOF
+
+
+fi
+
+
+
+# Check whether --with-urandom-device was given.
+if test "${with_urandom_device+set}" = set; then
+ withval=$with_urandom_device; cat >>confdefs.h <<_ACEOF
+#define DEV_URANDOM "$withval"
+_ACEOF
+
+else
+ cat >>confdefs.h <<_ACEOF
+#define DEV_URANDOM "/dev/urandom"
+_ACEOF
+
+
+fi
+
+
+
+# Check whether --with-ipsecdir was given.
+if test "${with_ipsecdir+set}" = set; then
+ withval=$with_ipsecdir; ipsecdir="$withval"
+
+else
+ ipsecdir="${libexecdir}/ipsec"
+
+
+fi
+
+
+
+# Check whether --with-piddir was given.
+if test "${with_piddir+set}" = set; then
+ withval=$with_piddir; piddir="$withval"
+
+else
+ piddir="/var/run"
+
+
+fi
+
+
+
+# Check whether --with-eapdir was given.
+if test "${with_eapdir+set}" = set; then
+ withval=$with_eapdir; eapdir="$withval"
+
+else
+ eapdir="${ipsecdir}/eap"
+
+
+fi
+
+
+
+# Check whether --with-sim-reader was given.
+if test "${with_sim_reader+set}" = set; then
+ withval=$with_sim_reader; cat >>confdefs.h <<_ACEOF
+#define SIM_READER_LIB "$withval"
+_ACEOF
+
+
+fi
+
+
+# Check whether --enable-http was given.
+if test "${enable_http+set}" = set; then
+ enableval=$enable_http; if test x$enableval = xyes; then
+ http=true
+ cat >>confdefs.h <<\_ACEOF
+#define LIBCURL 1
+_ACEOF
+
+ fi
+
+fi
+
+
+
+if test x$http = xtrue; then
+ USE_LIBCURL_TRUE=
+ USE_LIBCURL_FALSE='#'
+else
+ USE_LIBCURL_TRUE='#'
+ USE_LIBCURL_FALSE=
+fi
+
+
+# Check whether --enable-ldap was given.
+if test "${enable_ldap+set}" = set; then
+ enableval=$enable_ldap; if test x$enableval = xyes; then
+ ldap=true
+ cat >>confdefs.h <<\_ACEOF
+#define LIBLDAP 1
+_ACEOF
+
+ fi
+
+fi
+
+
+
+if test x$ldap = xtrue; then
+ USE_LIBLDAP_TRUE=
+ USE_LIBLDAP_FALSE='#'
+else
+ USE_LIBLDAP_TRUE='#'
+ USE_LIBLDAP_FALSE=
+fi
+
+
+# Check whether --enable-smartcard was given.
+if test "${enable_smartcard+set}" = set; then
+ enableval=$enable_smartcard; if test x$enableval = xyes; then
+ smartcard=true
+ cat >>confdefs.h <<\_ACEOF
+#define SMARTCARD 1
+_ACEOF
+
+ fi
+
+fi
+
+
+
+if test x$smartcard = xtrue; then
+ USE_SMARTCARD_TRUE=
+ USE_SMARTCARD_FALSE='#'
+else
+ USE_SMARTCARD_TRUE='#'
+ USE_SMARTCARD_FALSE=
+fi
+
+
+# Check whether --enable-cisco-quirks was given.
+if test "${enable_cisco_quirks+set}" = set; then
+ enableval=$enable_cisco_quirks; if test x$enableval = xyes; then
+ cisco_quirks=true
+ fi
+
+fi
+
+
+
+if test x$cisco_quirks = xtrue; then
+ USE_CISCO_QUIRKS_TRUE=
+ USE_CISCO_QUIRKS_FALSE='#'
+else
+ USE_CISCO_QUIRKS_TRUE='#'
+ USE_CISCO_QUIRKS_FALSE=
+fi
+
+
+# Check whether --enable-leak-detective was given.
+if test "${enable_leak_detective+set}" = set; then
+ enableval=$enable_leak_detective; if test x$enableval = xyes; then
+ leak_detective=true
+ fi
+
+fi
+
+
+
+if test x$leak_detective = xtrue; then
+ USE_LEAK_DETECTIVE_TRUE=
+ USE_LEAK_DETECTIVE_FALSE='#'
+else
+ USE_LEAK_DETECTIVE_TRUE='#'
+ USE_LEAK_DETECTIVE_FALSE=
+fi
+
+
+# Check whether --enable-eap-sim was given.
+if test "${enable_eap_sim+set}" = set; then
+ enableval=$enable_eap_sim; if test x$enableval = xyes; then
+ eap_sim=true
+ fi
+
+fi
+
+
+
+if test x$eap_sim = xtrue; then
+ BUILD_EAP_SIM_TRUE=
+ BUILD_EAP_SIM_FALSE='#'
+else
+ BUILD_EAP_SIM_TRUE='#'
+ BUILD_EAP_SIM_FALSE=
+fi
+
+
+# Check whether --enable-nat-transport was given.
+if test "${enable_nat_transport+set}" = set; then
+ enableval=$enable_nat_transport; if test x$enableval = xyes; then
+ nat_transport=true
+ fi
+
+fi
+
+
+
+if test x$nat_transport = xtrue; then
+ USE_NAT_TRANSPORT_TRUE=
+ USE_NAT_TRANSPORT_FALSE='#'
+else
+ USE_NAT_TRANSPORT_TRUE='#'
+ USE_NAT_TRANSPORT_FALSE=
+fi
+
+
+# Check whether --enable-vendor-id was given.
+if test "${enable_vendor_id+set}" = set; then
+ enableval=$enable_vendor_id; if test x$enableval = xyes; then
+ vendor_id=true
+ else
+ vendor_id=false
+ fi
+else
+ vendor_id=true
+
+fi
+
+
+
+if test x$vendor_id = xtrue; then
+ USE_VENDORID_TRUE=
+ USE_VENDORID_FALSE='#'
+else
+ USE_VENDORID_TRUE='#'
+ USE_VENDORID_FALSE=
+fi
+
+
+
+# Find a good install program. We prefer a C program (faster),
+# so one script is as good as another. But avoid the broken or
+# incompatible versions:
+# SysV /etc/install, /usr/sbin/install
+# SunOS /usr/etc/install
+# IRIX /sbin/install
+# AIX /bin/install
+# AmigaOS /C/install, which installs bootblocks on floppy discs
+# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
+# AFS /usr/afsws/bin/install, which mishandles nonexistent args
+# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
+# OS/2's system install, which has a completely different semantic
+# ./install, which can be erroneously created by make from ./install.sh.
+{ echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
+echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6; }
+if test -z "$INSTALL"; then
+if test "${ac_cv_path_install+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ # Account for people who put trailing slashes in PATH elements.
+case $as_dir/ in
+ ./ | .// | /cC/* | \
+ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
+ ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \
+ /usr/ucb/* ) ;;
+ *)
+ # OSF1 and SCO ODT 3.0 have their own names for install.
+ # Don't use installbsd from OSF since it installs stuff as root
+ # by default.
+ for ac_prog in ginstall scoinst install; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then
+ if test $ac_prog = install &&
+ grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+ # AIX install. It has an incompatible calling convention.
+ :
+ elif test $ac_prog = install &&
+ grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+ # program-specific install script used by HP pwplus--don't use.
+ :
+ else
+ ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
+ break 3
+ fi
+ fi
+ done
+ done
+ ;;
+esac
+done
+IFS=$as_save_IFS
+
+
+fi
+ if test "${ac_cv_path_install+set}" = set; then
+ INSTALL=$ac_cv_path_install
+ else
+ # As a last resort, use the slow shell script. Don't cache a
+ # value for INSTALL within a source directory, because that will
+ # break other packages using the cache if that directory is
+ # removed, or if the value is a relative name.
+ INSTALL=$ac_install_sh
+ fi
+fi
+{ echo "$as_me:$LINENO: result: $INSTALL" >&5
+echo "${ECHO_T}$INSTALL" >&6; }
+
+# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
+# It thinks the first close brace ends the variable substitution.
+test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
+
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
+
+test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
+
+# Check whether --enable-shared was given.
+if test "${enable_shared+set}" = set; then
+ enableval=$enable_shared; p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_shared=yes ;;
+ no) enable_shared=no ;;
+ *)
+ enable_shared=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_shared=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac
+else
+ enable_shared=yes
+fi
+
+
+# Check whether --enable-static was given.
+if test "${enable_static+set}" = set; then
+ enableval=$enable_static; p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_static=yes ;;
+ no) enable_static=no ;;
+ *)
+ enable_static=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_static=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac
+else
+ enable_static=yes
+fi
+
+
+# Check whether --enable-fast-install was given.
+if test "${enable_fast_install+set}" = set; then
+ enableval=$enable_fast_install; p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_fast_install=yes ;;
+ no) enable_fast_install=no ;;
+ *)
+ enable_fast_install=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_fast_install=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac
+else
+ enable_fast_install=yes
+fi
+
+
+# Make sure we can run config.sub.
+$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 ||
+ { { echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5
+echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;}
+ { (exit 1); exit 1; }; }
+
+{ echo "$as_me:$LINENO: checking build system type" >&5
+echo $ECHO_N "checking build system type... $ECHO_C" >&6; }
+if test "${ac_cv_build+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_build_alias=$build_alias
+test "x$ac_build_alias" = x &&
+ ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"`
+test "x$ac_build_alias" = x &&
+ { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
+echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
+ { (exit 1); exit 1; }; }
+ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` ||
+ { { echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5
+echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;}
+ { (exit 1); exit 1; }; }
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_build" >&5
+echo "${ECHO_T}$ac_cv_build" >&6; }
+case $ac_cv_build in
+*-*-*) ;;
+*) { { echo "$as_me:$LINENO: error: invalid value of canonical build" >&5
+echo "$as_me: error: invalid value of canonical build" >&2;}
+ { (exit 1); exit 1; }; };;
+esac
+build=$ac_cv_build
+ac_save_IFS=$IFS; IFS='-'
+set x $ac_cv_build
+shift
+build_cpu=$1
+build_vendor=$2
+shift; shift
+# Remember, the first character of IFS is used to create $*,
+# except with old shells:
+build_os=$*
+IFS=$ac_save_IFS
+case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac
+
+
+{ echo "$as_me:$LINENO: checking host system type" >&5
+echo $ECHO_N "checking host system type... $ECHO_C" >&6; }
+if test "${ac_cv_host+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test "x$host_alias" = x; then
+ ac_cv_host=$ac_cv_build
+else
+ ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` ||
+ { { echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5
+echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_host" >&5
+echo "${ECHO_T}$ac_cv_host" >&6; }
+case $ac_cv_host in
+*-*-*) ;;
+*) { { echo "$as_me:$LINENO: error: invalid value of canonical host" >&5
+echo "$as_me: error: invalid value of canonical host" >&2;}
+ { (exit 1); exit 1; }; };;
+esac
+host=$ac_cv_host
+ac_save_IFS=$IFS; IFS='-'
+set x $ac_cv_host
+shift
+host_cpu=$1
+host_vendor=$2
+shift; shift
+# Remember, the first character of IFS is used to create $*,
+# except with old shells:
+host_os=$*
+IFS=$ac_save_IFS
+case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac
+
+
+{ echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5
+echo $ECHO_N "checking for a sed that does not truncate output... $ECHO_C" >&6; }
+if test "${lt_cv_path_SED+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # Loop through the user's path and test for sed and gsed.
+# Then use that list of sed's as ones to test for truncation.
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for lt_ac_prog in sed gsed; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
+ lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
+ fi
+ done
+ done
+done
+lt_ac_max=0
+lt_ac_count=0
+# Add /usr/xpg4/bin/sed as it is typically found on Solaris
+# along with /bin/sed that truncates output.
+for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
+ test ! -f $lt_ac_sed && continue
+ cat /dev/null > conftest.in
+ lt_ac_count=0
+ echo $ECHO_N "0123456789$ECHO_C" >conftest.in
+ # Check for GNU sed and select it if it is found.
+ if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
+ lt_cv_path_SED=$lt_ac_sed
+ break
+ fi
+ while true; do
+ cat conftest.in conftest.in >conftest.tmp
+ mv conftest.tmp conftest.in
+ cp conftest.in conftest.nl
+ echo >>conftest.nl
+ $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
+ cmp -s conftest.out conftest.nl || break
+ # 10000 chars as input seems more than enough
+ test $lt_ac_count -gt 10 && break
+ lt_ac_count=`expr $lt_ac_count + 1`
+ if test $lt_ac_count -gt $lt_ac_max; then
+ lt_ac_max=$lt_ac_count
+ lt_cv_path_SED=$lt_ac_sed
+ fi
+ done
+done
+
+fi
+
+SED=$lt_cv_path_SED
+{ echo "$as_me:$LINENO: result: $SED" >&5
+echo "${ECHO_T}$SED" >&6; }
+
+
+# Check whether --with-gnu-ld was given.
+if test "${with_gnu_ld+set}" = set; then
+ withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes
+else
+ with_gnu_ld=no
+fi
+
+ac_prog=ld
+if test "$GCC" = yes; then
+ # Check if gcc -print-prog-name=ld gives a path.
+ { echo "$as_me:$LINENO: checking for ld used by $CC" >&5
+echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
+ case $host in
+ *-*-mingw*)
+ # gcc leaves a trailing carriage return which upsets mingw
+ ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+ *)
+ ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+ esac
+ case $ac_prog in
+ # Accept absolute paths.
+ [\\/]* | ?:[\\/]*)
+ re_direlt='/[^/][^/]*/\.\./'
+ # Canonicalize the pathname of ld
+ ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
+ while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+ ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
+ done
+ test -z "$LD" && LD="$ac_prog"
+ ;;
+ "")
+ # If it fails, then pretend we aren't using GCC.
+ ac_prog=ld
+ ;;
+ *)
+ # If it is relative, then search for the first ld in PATH.
+ with_gnu_ld=unknown
+ ;;
+ esac
+elif test "$with_gnu_ld" = yes; then
+ { echo "$as_me:$LINENO: checking for GNU ld" >&5
+echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; }
+else
+ { echo "$as_me:$LINENO: checking for non-GNU ld" >&5
+echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; }
+fi
+if test "${lt_cv_path_LD+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -z "$LD"; then
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for ac_dir in $PATH; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+ lt_cv_path_LD="$ac_dir/$ac_prog"
+ # Check to see if the program is GNU ld. I'd rather use --version,
+ # but apparently some variants of GNU ld only accept -v.
+ # Break only if it was the GNU/non-GNU ld that we prefer.
+ case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+ *GNU* | *'with BFD'*)
+ test "$with_gnu_ld" != no && break
+ ;;
+ *)
+ test "$with_gnu_ld" != yes && break
+ ;;
+ esac
+ fi
+ done
+ IFS="$lt_save_ifs"
+else
+ lt_cv_path_LD="$LD" # Let the user override the test with a path.
+fi
+fi
+
+LD="$lt_cv_path_LD"
+if test -n "$LD"; then
+ { echo "$as_me:$LINENO: result: $LD" >&5
+echo "${ECHO_T}$LD" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
+echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
+ { (exit 1); exit 1; }; }
+{ echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
+echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; }
+if test "${lt_cv_prog_gnu_ld+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # I'd rather use --version here, but apparently some GNU lds only accept -v.
+case `$LD -v 2>&1 </dev/null` in
+*GNU* | *'with BFD'*)
+ lt_cv_prog_gnu_ld=yes
+ ;;
+*)
+ lt_cv_prog_gnu_ld=no
+ ;;
+esac
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
+echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; }
+with_gnu_ld=$lt_cv_prog_gnu_ld
+
+
+{ echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5
+echo $ECHO_N "checking for $LD option to reload object files... $ECHO_C" >&6; }
+if test "${lt_cv_ld_reload_flag+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_ld_reload_flag='-r'
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5
+echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6; }
+reload_flag=$lt_cv_ld_reload_flag
+case $reload_flag in
+"" | " "*) ;;
+*) reload_flag=" $reload_flag" ;;
+esac
+reload_cmds='$LD$reload_flag -o $output$reload_objs'
+case $host_os in
+ darwin*)
+ if test "$GCC" = yes; then
+ reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
+ else
+ reload_cmds='$LD$reload_flag -o $output$reload_objs'
+ fi
+ ;;
+esac
+
+{ echo "$as_me:$LINENO: checking for BSD-compatible nm" >&5
+echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6; }
+if test "${lt_cv_path_NM+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$NM"; then
+ # Let the user override the test.
+ lt_cv_path_NM="$NM"
+else
+ lt_nm_to_check="${ac_tool_prefix}nm"
+ if test -n "$ac_tool_prefix" && test "$build" = "$host"; then
+ lt_nm_to_check="$lt_nm_to_check nm"
+ fi
+ for lt_tmp_nm in $lt_nm_to_check; do
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ tmp_nm="$ac_dir/$lt_tmp_nm"
+ if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
+ # Check to see if the nm accepts a BSD-compat flag.
+ # Adding the `sed 1q' prevents false positives on HP-UX, which says:
+ # nm: unknown option "B" ignored
+ # Tru64's nm complains that /dev/null is an invalid object file
+ case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
+ */dev/null* | *'Invalid file or object type'*)
+ lt_cv_path_NM="$tmp_nm -B"
+ break
+ ;;
+ *)
+ case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
+ */dev/null*)
+ lt_cv_path_NM="$tmp_nm -p"
+ break
+ ;;
+ *)
+ lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
+ continue # so that we can try to find one that supports BSD flags
+ ;;
+ esac
+ ;;
+ esac
+ fi
+ done
+ IFS="$lt_save_ifs"
+ done
+ test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
+fi
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5
+echo "${ECHO_T}$lt_cv_path_NM" >&6; }
+NM="$lt_cv_path_NM"
+
+{ echo "$as_me:$LINENO: checking whether ln -s works" >&5
+echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6; }
+LN_S=$as_ln_s
+if test "$LN_S" = "ln -s"; then
+ { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no, using $LN_S" >&5
+echo "${ECHO_T}no, using $LN_S" >&6; }
+fi
+
+{ echo "$as_me:$LINENO: checking how to recognise dependent libraries" >&5
+echo $ECHO_N "checking how to recognise dependent libraries... $ECHO_C" >&6; }
+if test "${lt_cv_deplibs_check_method+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_file_magic_cmd='$MAGIC_CMD'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# `unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [[regex]]' -- check by looking for files in library path
+# which responds to the $file_magic_cmd with a given extended regex.
+# If you have `file' or equivalent on your system and you're not sure
+# whether `pass_all' will *always* work, you probably want this one.
+
+case $host_os in
+aix4* | aix5*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+beos*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+bsdi[45]*)
+ lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
+ lt_cv_file_magic_cmd='/usr/bin/file -L'
+ lt_cv_file_magic_test_file=/shlib/libc.so
+ ;;
+
+cygwin*)
+ # func_win32_libid is a shell function defined in ltmain.sh
+ lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+ lt_cv_file_magic_cmd='func_win32_libid'
+ ;;
+
+mingw* | pw32*)
+ # Base MSYS/MinGW do not provide the 'file' command needed by
+ # func_win32_libid shell function, so use a weaker test based on 'objdump'.
+ lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+ lt_cv_file_magic_cmd='$OBJDUMP -f'
+ ;;
+
+darwin* | rhapsody*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+freebsd* | kfreebsd*-gnu | dragonfly*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+ case $host_cpu in
+ i*86 )
+ # Not sure whether the presence of OpenBSD here was a mistake.
+ # Let's accept both of them until this is cleared up.
+ lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[3-9]86 (compact )?demand paged shared library'
+ lt_cv_file_magic_cmd=/usr/bin/file
+ lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+ ;;
+ esac
+ else
+ lt_cv_deplibs_check_method=pass_all
+ fi
+ ;;
+
+gnu*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+hpux10.20* | hpux11*)
+ lt_cv_file_magic_cmd=/usr/bin/file
+ case $host_cpu in
+ ia64*)
+ lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - IA64'
+ lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
+ ;;
+ hppa*64*)
+ lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]'
+ lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
+ ;;
+ *)
+ lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library'
+ lt_cv_file_magic_test_file=/usr/lib/libc.sl
+ ;;
+ esac
+ ;;
+
+interix3*)
+ # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
+ lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|\.a)$'
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $LD in
+ *-32|*"-32 ") libmagic=32-bit;;
+ *-n32|*"-n32 ") libmagic=N32;;
+ *-64|*"-64 ") libmagic=64-bit;;
+ *) libmagic=never-match;;
+ esac
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+ lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
+ else
+ lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|_pic\.a)$'
+ fi
+ ;;
+
+newos6*)
+ lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (executable|dynamic lib)'
+ lt_cv_file_magic_cmd=/usr/bin/file
+ lt_cv_file_magic_test_file=/usr/lib/libnls.so
+ ;;
+
+nto-qnx*)
+ lt_cv_deplibs_check_method=unknown
+ ;;
+
+openbsd*)
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$'
+ else
+ lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
+ fi
+ ;;
+
+osf3* | osf4* | osf5*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+solaris*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+sysv4 | sysv4.3*)
+ case $host_vendor in
+ motorola)
+ lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]'
+ lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+ ;;
+ ncr)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+ sequent)
+ lt_cv_file_magic_cmd='/bin/file'
+ lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )'
+ ;;
+ sni)
+ lt_cv_file_magic_cmd='/bin/file'
+ lt_cv_deplibs_check_method="file_magic ELF [0-9][0-9]*-bit [LM]SB dynamic lib"
+ lt_cv_file_magic_test_file=/lib/libc.so
+ ;;
+ siemens)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+ pc)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+ esac
+ ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+esac
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5
+echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6; }
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+test -z "$deplibs_check_method" && deplibs_check_method=unknown
+
+
+
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+# Check whether --enable-libtool-lock was given.
+if test "${enable_libtool_lock+set}" = set; then
+ enableval=$enable_libtool_lock;
+fi
+
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case $host in
+ia64-*-hpux*)
+ # Find out which ABI we are using.
+ echo 'int i;' > conftest.$ac_ext
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ case `/usr/bin/file conftest.$ac_objext` in
+ *ELF-32*)
+ HPUX_IA64_MODE="32"
+ ;;
+ *ELF-64*)
+ HPUX_IA64_MODE="64"
+ ;;
+ esac
+ fi
+ rm -rf conftest*
+ ;;
+*-*-irix6*)
+ # Find out which ABI we are using.
+ echo '#line 5513 "configure"' > conftest.$ac_ext
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ case `/usr/bin/file conftest.$ac_objext` in
+ *32-bit*)
+ LD="${LD-ld} -melf32bsmip"
+ ;;
+ *N32*)
+ LD="${LD-ld} -melf32bmipn32"
+ ;;
+ *64-bit*)
+ LD="${LD-ld} -melf64bmip"
+ ;;
+ esac
+ else
+ case `/usr/bin/file conftest.$ac_objext` in
+ *32-bit*)
+ LD="${LD-ld} -32"
+ ;;
+ *N32*)
+ LD="${LD-ld} -n32"
+ ;;
+ *64-bit*)
+ LD="${LD-ld} -64"
+ ;;
+ esac
+ fi
+ fi
+ rm -rf conftest*
+ ;;
+
+x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
+ # Find out which ABI we are using.
+ echo 'int i;' > conftest.$ac_ext
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ case `/usr/bin/file conftest.o` in
+ *32-bit*)
+ case $host in
+ x86_64-*linux*)
+ LD="${LD-ld} -m elf_i386"
+ ;;
+ ppc64-*linux*|powerpc64-*linux*)
+ LD="${LD-ld} -m elf32ppclinux"
+ ;;
+ s390x-*linux*)
+ LD="${LD-ld} -m elf_s390"
+ ;;
+ sparc64-*linux*)
+ LD="${LD-ld} -m elf32_sparc"
+ ;;
+ esac
+ ;;
+ *64-bit*)
+ case $host in
+ x86_64-*linux*)
+ LD="${LD-ld} -m elf_x86_64"
+ ;;
+ ppc*-*linux*|powerpc*-*linux*)
+ LD="${LD-ld} -m elf64ppc"
+ ;;
+ s390*-*linux*)
+ LD="${LD-ld} -m elf64_s390"
+ ;;
+ sparc*-*linux*)
+ LD="${LD-ld} -m elf64_sparc"
+ ;;
+ esac
+ ;;
+ esac
+ fi
+ rm -rf conftest*
+ ;;
+
+*-*-sco3.2v5*)
+ # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+ SAVE_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -belf"
+ { echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5
+echo $ECHO_N "checking whether the C compiler needs -belf... $ECHO_C" >&6; }
+if test "${lt_cv_cc_needs_belf+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ lt_cv_cc_needs_belf=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ lt_cv_cc_needs_belf=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+ ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5
+echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6; }
+ if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+ # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+ CFLAGS="$SAVE_CFLAGS"
+ fi
+ ;;
+sparc*-*solaris*)
+ # Find out which ABI we are using.
+ echo 'int i;' > conftest.$ac_ext
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ case `/usr/bin/file conftest.o` in
+ *64-bit*)
+ case $lt_cv_prog_gnu_ld in
+ yes*) LD="${LD-ld} -m elf64_sparc" ;;
+ *) LD="${LD-ld} -64" ;;
+ esac
+ ;;
+ esac
+ fi
+ rm -rf conftest*
+ ;;
+
+
+esac
+
+need_locks="$enable_libtool_lock"
+
+
+
+for ac_header in dlfcn.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+else
+ # Is the header compilable?
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_header_compiler=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ ac_header_preproc=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+
+ ;;
+esac
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+ac_ext=cpp
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+if test -z "$CXX"; then
+ if test -n "$CCC"; then
+ CXX=$CCC
+ else
+ if test -n "$ac_tool_prefix"; then
+ for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC
+ do
+ # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CXX+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$CXX"; then
+ ac_cv_prog_CXX="$CXX" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CXX="$ac_tool_prefix$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CXX=$ac_cv_prog_CXX
+if test -n "$CXX"; then
+ { echo "$as_me:$LINENO: result: $CXX" >&5
+echo "${ECHO_T}$CXX" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+ test -n "$CXX" && break
+ done
+fi
+if test -z "$CXX"; then
+ ac_ct_CXX=$CXX
+ for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_CXX+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_CXX"; then
+ ac_cv_prog_ac_ct_CXX="$ac_ct_CXX" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_CXX="$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CXX=$ac_cv_prog_ac_ct_CXX
+if test -n "$ac_ct_CXX"; then
+ { echo "$as_me:$LINENO: result: $ac_ct_CXX" >&5
+echo "${ECHO_T}$ac_ct_CXX" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+ test -n "$ac_ct_CXX" && break
+done
+
+ if test "x$ac_ct_CXX" = x; then
+ CXX="g++"
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ CXX=$ac_ct_CXX
+ fi
+fi
+
+ fi
+fi
+# Provide some information about the compiler.
+echo "$as_me:$LINENO: checking for C++ compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler --version >&5") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler -v >&5") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler -V >&5") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+
+{ echo "$as_me:$LINENO: checking whether we are using the GNU C++ compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C++ compiler... $ECHO_C" >&6; }
+if test "${ac_cv_cxx_compiler_gnu+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+#ifndef __GNUC__
+ choke me
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_cxx_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_compiler_gnu=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_compiler_gnu=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_cxx_compiler_gnu=$ac_compiler_gnu
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_cxx_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_cxx_compiler_gnu" >&6; }
+GXX=`test $ac_compiler_gnu = yes && echo yes`
+ac_test_CXXFLAGS=${CXXFLAGS+set}
+ac_save_CXXFLAGS=$CXXFLAGS
+{ echo "$as_me:$LINENO: checking whether $CXX accepts -g" >&5
+echo $ECHO_N "checking whether $CXX accepts -g... $ECHO_C" >&6; }
+if test "${ac_cv_prog_cxx_g+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_save_cxx_werror_flag=$ac_cxx_werror_flag
+ ac_cxx_werror_flag=yes
+ ac_cv_prog_cxx_g=no
+ CXXFLAGS="-g"
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_cxx_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cxx_g=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ CXXFLAGS=""
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_cxx_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ :
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cxx_werror_flag=$ac_save_cxx_werror_flag
+ CXXFLAGS="-g"
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_cxx_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cxx_g=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_cxx_werror_flag=$ac_save_cxx_werror_flag
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_cxx_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cxx_g" >&6; }
+if test "$ac_test_CXXFLAGS" = set; then
+ CXXFLAGS=$ac_save_CXXFLAGS
+elif test $ac_cv_prog_cxx_g = yes; then
+ if test "$GXX" = yes; then
+ CXXFLAGS="-g -O2"
+ else
+ CXXFLAGS="-g"
+ fi
+else
+ if test "$GXX" = yes; then
+ CXXFLAGS="-O2"
+ else
+ CXXFLAGS=
+ fi
+fi
+ac_ext=cpp
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+
+depcc="$CXX" am_compiler_list=
+
+{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5
+echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6; }
+if test "${am_cv_CXX_dependencies_compiler_type+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
+ # We make a subdir and do the tests there. Otherwise we can end up
+ # making bogus files that we don't know about and never remove. For
+ # instance it was reported that on HP-UX the gcc test will end up
+ # making a dummy file named `D' -- because `-MD' means `put the output
+ # in D'.
+ mkdir conftest.dir
+ # Copy depcomp to subdir because otherwise we won't find it if we're
+ # using a relative directory.
+ cp "$am_depcomp" conftest.dir
+ cd conftest.dir
+ # We will build objects and dependencies in a subdirectory because
+ # it helps to detect inapplicable dependency modes. For instance
+ # both Tru64's cc and ICC support -MD to output dependencies as a
+ # side effect of compilation, but ICC will put the dependencies in
+ # the current directory while Tru64 will put them in the object
+ # directory.
+ mkdir sub
+
+ am_cv_CXX_dependencies_compiler_type=none
+ if test "$am_compiler_list" = ""; then
+ am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp`
+ fi
+ for depmode in $am_compiler_list; do
+ # Setup a source with many dependencies, because some compilers
+ # like to wrap large dependency lists on column 80 (with \), and
+ # we should not choose a depcomp mode which is confused by this.
+ #
+ # We need to recreate these files for each test, as the compiler may
+ # overwrite some of them when testing with obscure command lines.
+ # This happens at least with the AIX C compiler.
+ : > sub/conftest.c
+ for i in 1 2 3 4 5 6; do
+ echo '#include "conftst'$i'.h"' >> sub/conftest.c
+ # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
+ # Solaris 8's {/usr,}/bin/sh.
+ touch sub/conftst$i.h
+ done
+ echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
+
+ case $depmode in
+ nosideeffect)
+ # after this tag, mechanisms are not by side-effect, so they'll
+ # only be used when explicitly requested
+ if test "x$enable_dependency_tracking" = xyes; then
+ continue
+ else
+ break
+ fi
+ ;;
+ none) break ;;
+ esac
+ # We check with `-c' and `-o' for the sake of the "dashmstdout"
+ # mode. It turns out that the SunPro C++ compiler does not properly
+ # handle `-M -o', and we need to detect this.
+ if depmode=$depmode \
+ source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
+ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
+ $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
+ >/dev/null 2>conftest.err &&
+ grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
+ grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
+ ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
+ # icc doesn't choke on unknown options, it will just issue warnings
+ # or remarks (even with -Werror). So we grep stderr for any message
+ # that says an option was ignored or not supported.
+ # When given -MP, icc 7.0 and 7.1 complain thusly:
+ # icc: Command line warning: ignoring option '-M'; no argument required
+ # The diagnosis changed in icc 8.0:
+ # icc: Command line remark: option '-MP' not supported
+ if (grep 'ignoring option' conftest.err ||
+ grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
+ am_cv_CXX_dependencies_compiler_type=$depmode
+ break
+ fi
+ fi
+ done
+
+ cd ..
+ rm -rf conftest.dir
+else
+ am_cv_CXX_dependencies_compiler_type=none
+fi
+
+fi
+{ echo "$as_me:$LINENO: result: $am_cv_CXX_dependencies_compiler_type" >&5
+echo "${ECHO_T}$am_cv_CXX_dependencies_compiler_type" >&6; }
+CXXDEPMODE=depmode=$am_cv_CXX_dependencies_compiler_type
+
+
+
+if
+ test "x$enable_dependency_tracking" != xno \
+ && test "$am_cv_CXX_dependencies_compiler_type" = gcc3; then
+ am__fastdepCXX_TRUE=
+ am__fastdepCXX_FALSE='#'
+else
+ am__fastdepCXX_TRUE='#'
+ am__fastdepCXX_FALSE=
+fi
+
+
+
+
+if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+ ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+ (test "X$CXX" != "Xg++"))) ; then
+ ac_ext=cpp
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+{ echo "$as_me:$LINENO: checking how to run the C++ preprocessor" >&5
+echo $ECHO_N "checking how to run the C++ preprocessor... $ECHO_C" >&6; }
+if test -z "$CXXCPP"; then
+ if test "${ac_cv_prog_CXXCPP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # Double quotes because CXXCPP needs to be expanded
+ for CXXCPP in "$CXX -E" "/lib/cpp"
+ do
+ ac_preproc_ok=false
+for ac_cxx_preproc_warn_flag in '' yes
+do
+ # Use a header file that comes with gcc, so configuring glibc
+ # with a fresh cross-compiler works.
+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ # <limits.h> exists even on freestanding compilers.
+ # On the NeXT, cc -E runs the code through the compiler's parser,
+ # not just through cpp. "Syntax error" is here to catch this case.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+ Syntax error
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ :
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Broken: fails on valid input.
+continue
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+ # OK, works on sane cases. Now check whether nonexistent headers
+ # can be detected and how.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ # Broken: success on invalid input.
+continue
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+ break
+fi
+
+ done
+ ac_cv_prog_CXXCPP=$CXXCPP
+
+fi
+ CXXCPP=$ac_cv_prog_CXXCPP
+else
+ ac_cv_prog_CXXCPP=$CXXCPP
+fi
+{ echo "$as_me:$LINENO: result: $CXXCPP" >&5
+echo "${ECHO_T}$CXXCPP" >&6; }
+ac_preproc_ok=false
+for ac_cxx_preproc_warn_flag in '' yes
+do
+ # Use a header file that comes with gcc, so configuring glibc
+ # with a fresh cross-compiler works.
+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ # <limits.h> exists even on freestanding compilers.
+ # On the NeXT, cc -E runs the code through the compiler's parser,
+ # not just through cpp. "Syntax error" is here to catch this case.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+ Syntax error
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ :
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Broken: fails on valid input.
+continue
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+ # OK, works on sane cases. Now check whether nonexistent headers
+ # can be detected and how.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_cxx_preproc_warn_flag$ac_cxx_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ # Broken: success on invalid input.
+continue
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+
+rm -f conftest.err conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+ :
+else
+ { { echo "$as_me:$LINENO: error: C++ preprocessor \"$CXXCPP\" fails sanity check
+See \`config.log' for more details." >&5
+echo "$as_me: error: C++ preprocessor \"$CXXCPP\" fails sanity check
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+ac_ext=cpp
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+
+fi
+
+
+ac_ext=f
+ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
+ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_f77_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+ for ac_prog in g77 xlf f77 frt pgf77 cf77 fort77 fl32 af77 xlf90 f90 pgf90 pghpf epcf90 gfortran g95 xlf95 f95 fort ifort ifc efc pgf95 lf95 ftn
+ do
+ # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_F77+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$F77"; then
+ ac_cv_prog_F77="$F77" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_F77="$ac_tool_prefix$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+F77=$ac_cv_prog_F77
+if test -n "$F77"; then
+ { echo "$as_me:$LINENO: result: $F77" >&5
+echo "${ECHO_T}$F77" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+ test -n "$F77" && break
+ done
+fi
+if test -z "$F77"; then
+ ac_ct_F77=$F77
+ for ac_prog in g77 xlf f77 frt pgf77 cf77 fort77 fl32 af77 xlf90 f90 pgf90 pghpf epcf90 gfortran g95 xlf95 f95 fort ifort ifc efc pgf95 lf95 ftn
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_F77+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_F77"; then
+ ac_cv_prog_ac_ct_F77="$ac_ct_F77" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_F77="$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_F77=$ac_cv_prog_ac_ct_F77
+if test -n "$ac_ct_F77"; then
+ { echo "$as_me:$LINENO: result: $ac_ct_F77" >&5
+echo "${ECHO_T}$ac_ct_F77" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+ test -n "$ac_ct_F77" && break
+done
+
+ if test "x$ac_ct_F77" = x; then
+ F77=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ F77=$ac_ct_F77
+ fi
+fi
+
+
+# Provide some information about the compiler.
+echo "$as_me:$LINENO: checking for Fortran 77 compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler --version >&5") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler -v >&5") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler -V >&5") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+rm -f a.out
+
+# If we don't use `.F' as extension, the preprocessor is not run on the
+# input file. (Note that this only needs to work for GNU compilers.)
+ac_save_ext=$ac_ext
+ac_ext=F
+{ echo "$as_me:$LINENO: checking whether we are using the GNU Fortran 77 compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU Fortran 77 compiler... $ECHO_C" >&6; }
+if test "${ac_cv_f77_compiler_gnu+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+ program main
+#ifndef __GNUC__
+ choke me
+#endif
+
+ end
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_f77_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_compiler_gnu=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_compiler_gnu=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_f77_compiler_gnu=$ac_compiler_gnu
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_f77_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_f77_compiler_gnu" >&6; }
+ac_ext=$ac_save_ext
+ac_test_FFLAGS=${FFLAGS+set}
+ac_save_FFLAGS=$FFLAGS
+FFLAGS=
+{ echo "$as_me:$LINENO: checking whether $F77 accepts -g" >&5
+echo $ECHO_N "checking whether $F77 accepts -g... $ECHO_C" >&6; }
+if test "${ac_cv_prog_f77_g+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ FFLAGS=-g
+cat >conftest.$ac_ext <<_ACEOF
+ program main
+
+ end
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_f77_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_f77_g=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_prog_f77_g=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_f77_g" >&5
+echo "${ECHO_T}$ac_cv_prog_f77_g" >&6; }
+if test "$ac_test_FFLAGS" = set; then
+ FFLAGS=$ac_save_FFLAGS
+elif test $ac_cv_prog_f77_g = yes; then
+ if test "x$ac_cv_f77_compiler_gnu" = xyes; then
+ FFLAGS="-g -O2"
+ else
+ FFLAGS="-g"
+ fi
+else
+ if test "x$ac_cv_f77_compiler_gnu" = xyes; then
+ FFLAGS="-O2"
+ else
+ FFLAGS=
+ fi
+fi
+
+G77=`test $ac_compiler_gnu = yes && echo yes`
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
+
+# find the maximum length of command line arguments
+{ echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
+echo $ECHO_N "checking the maximum length of command line arguments... $ECHO_C" >&6; }
+if test "${lt_cv_sys_max_cmd_len+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ i=0
+ teststring="ABCD"
+
+ case $build_os in
+ msdosdjgpp*)
+ # On DJGPP, this test can blow up pretty badly due to problems in libc
+ # (any single argument exceeding 2000 bytes causes a buffer overrun
+ # during glob expansion). Even if it were fixed, the result of this
+ # check would be larger than it should be.
+ lt_cv_sys_max_cmd_len=12288; # 12K is about right
+ ;;
+
+ gnu*)
+ # Under GNU Hurd, this test is not required because there is
+ # no limit to the length of command line arguments.
+ # Libtool will interpret -1 as no limit whatsoever
+ lt_cv_sys_max_cmd_len=-1;
+ ;;
+
+ cygwin* | mingw*)
+ # On Win9x/ME, this test blows up -- it succeeds, but takes
+ # about 5 minutes as the teststring grows exponentially.
+ # Worse, since 9x/ME are not pre-emptively multitasking,
+ # you end up with a "frozen" computer, even though with patience
+ # the test eventually succeeds (with a max line length of 256k).
+ # Instead, let's just punt: use the minimum linelength reported by
+ # all of the supported platforms: 8192 (on NT/2K/XP).
+ lt_cv_sys_max_cmd_len=8192;
+ ;;
+
+ amigaos*)
+ # On AmigaOS with pdksh, this test takes hours, literally.
+ # So we just punt and use a minimum line length of 8192.
+ lt_cv_sys_max_cmd_len=8192;
+ ;;
+
+ netbsd* | freebsd* | openbsd* | darwin* | dragonfly*)
+ # This has been around since 386BSD, at least. Likely further.
+ if test -x /sbin/sysctl; then
+ lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
+ elif test -x /usr/sbin/sysctl; then
+ lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
+ else
+ lt_cv_sys_max_cmd_len=65536 # usable default for all BSDs
+ fi
+ # And add a safety zone
+ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+ ;;
+
+ interix*)
+ # We know the value 262144 and hardcode it with a safety zone (like BSD)
+ lt_cv_sys_max_cmd_len=196608
+ ;;
+
+ osf*)
+ # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
+ # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
+ # nice to cause kernel panics so lets avoid the loop below.
+ # First set a reasonable default.
+ lt_cv_sys_max_cmd_len=16384
+ #
+ if test -x /sbin/sysconfig; then
+ case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
+ *1*) lt_cv_sys_max_cmd_len=-1 ;;
+ esac
+ fi
+ ;;
+ sco3.2v5*)
+ lt_cv_sys_max_cmd_len=102400
+ ;;
+ sysv5* | sco5v6* | sysv4.2uw2*)
+ kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
+ if test -n "$kargmax"; then
+ lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[ ]//'`
+ else
+ lt_cv_sys_max_cmd_len=32768
+ fi
+ ;;
+ *)
+ # If test is not a shell built-in, we'll probably end up computing a
+ # maximum length that is only half of the actual maximum length, but
+ # we can't tell.
+ SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
+ while (test "X"`$SHELL $0 --fallback-echo "X$teststring" 2>/dev/null` \
+ = "XX$teststring") >/dev/null 2>&1 &&
+ new_result=`expr "X$teststring" : ".*" 2>&1` &&
+ lt_cv_sys_max_cmd_len=$new_result &&
+ test $i != 17 # 1/2 MB should be enough
+ do
+ i=`expr $i + 1`
+ teststring=$teststring$teststring
+ done
+ teststring=
+ # Add a significant safety factor because C++ compilers can tack on massive
+ # amounts of additional arguments before passing them to the linker.
+ # It appears as though 1/2 is a usable value.
+ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
+ ;;
+ esac
+
+fi
+
+if test -n $lt_cv_sys_max_cmd_len ; then
+ { echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5
+echo "${ECHO_T}$lt_cv_sys_max_cmd_len" >&6; }
+else
+ { echo "$as_me:$LINENO: result: none" >&5
+echo "${ECHO_T}none" >&6; }
+fi
+
+
+
+
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+{ echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5
+echo $ECHO_N "checking command to parse $NM output from $compiler object... $ECHO_C" >&6; }
+if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix. What could be older than Ultrix?!! ;)]
+
+# Character class describing NM global symbol codes.
+symcode='[BCDEGRST]'
+
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([_A-Za-z][_A-Za-z0-9]*\)'
+
+# Transform an extracted symbol line into a proper C declaration
+lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
+
+# Transform an extracted symbol line into symbol name and symbol address
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([^ ]*\) \([^ ]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
+
+# Define system-specific variables.
+case $host_os in
+aix*)
+ symcode='[BCDT]'
+ ;;
+cygwin* | mingw* | pw32*)
+ symcode='[ABCDGISTW]'
+ ;;
+hpux*) # Its linker distinguishes data from code symbols
+ if test "$host_cpu" = ia64; then
+ symcode='[ABCDEGRST]'
+ fi
+ lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+ lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
+ ;;
+linux*)
+ if test "$host_cpu" = ia64; then
+ symcode='[ABCDGIRSTW]'
+ lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+ lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
+ fi
+ ;;
+irix* | nonstopux*)
+ symcode='[BCDEGRST]'
+ ;;
+osf*)
+ symcode='[BCDEGQRST]'
+ ;;
+solaris*)
+ symcode='[BDRT]'
+ ;;
+sco3.2v5*)
+ symcode='[DT]'
+ ;;
+sysv4.2uw2*)
+ symcode='[DT]'
+ ;;
+sysv5* | sco5v6* | unixware* | OpenUNIX*)
+ symcode='[ABDT]'
+ ;;
+sysv4)
+ symcode='[DFNSTU]'
+ ;;
+esac
+
+# Handle CRLF in mingw tool chain
+opt_cr=
+case $build_os in
+mingw*)
+ opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+ ;;
+esac
+
+# If we're using GNU nm, then use its standard symbol codes.
+case `$NM -V 2>&1` in
+*GNU* | *'with BFD'*)
+ symcode='[ABCDGIRSTW]' ;;
+esac
+
+# Try without a prefix undercore, then with it.
+for ac_symprfx in "" "_"; do
+
+ # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
+ symxfrm="\\1 $ac_symprfx\\2 \\2"
+
+ # Write the raw and C identifiers.
+ lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ ]\($symcode$symcode*\)[ ][ ]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
+
+ # Check to see that the pipe works correctly.
+ pipe_works=no
+
+ rm -f conftest*
+ cat > conftest.$ac_ext <<EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(){}
+#ifdef __cplusplus
+}
+#endif
+int main(){nm_test_var='a';nm_test_func();return(0);}
+EOF
+
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ # Now try to grab the symbols.
+ nlist=conftest.nm
+ if { (eval echo "$as_me:$LINENO: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\"") >&5
+ (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && test -s "$nlist"; then
+ # Try sorting and uniquifying the output.
+ if sort "$nlist" | uniq > "$nlist"T; then
+ mv -f "$nlist"T "$nlist"
+ else
+ rm -f "$nlist"T
+ fi
+
+ # Make sure that we snagged all the symbols we need.
+ if grep ' nm_test_var$' "$nlist" >/dev/null; then
+ if grep ' nm_test_func$' "$nlist" >/dev/null; then
+ cat <<EOF > conftest.$ac_ext
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+EOF
+ # Now generate the symbol file.
+ eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext'
+
+ cat <<EOF >> conftest.$ac_ext
+#if defined (__STDC__) && __STDC__
+# define lt_ptr_t void *
+#else
+# define lt_ptr_t char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+const struct {
+ const char *name;
+ lt_ptr_t address;
+}
+lt_preloaded_symbols[] =
+{
+EOF
+ $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext
+ cat <<\EOF >> conftest.$ac_ext
+ {0, (lt_ptr_t) 0}
+};
+
+#ifdef __cplusplus
+}
+#endif
+EOF
+ # Now try linking the two files.
+ mv conftest.$ac_objext conftstm.$ac_objext
+ lt_save_LIBS="$LIBS"
+ lt_save_CFLAGS="$CFLAGS"
+ LIBS="conftstm.$ac_objext"
+ CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag"
+ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && test -s conftest${ac_exeext}; then
+ pipe_works=yes
+ fi
+ LIBS="$lt_save_LIBS"
+ CFLAGS="$lt_save_CFLAGS"
+ else
+ echo "cannot find nm_test_func in $nlist" >&5
+ fi
+ else
+ echo "cannot find nm_test_var in $nlist" >&5
+ fi
+ else
+ echo "cannot run $lt_cv_sys_global_symbol_pipe" >&5
+ fi
+ else
+ echo "$progname: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ fi
+ rm -f conftest* conftst*
+
+ # Do not use the global_symbol_pipe unless it works.
+ if test "$pipe_works" = yes; then
+ break
+ else
+ lt_cv_sys_global_symbol_pipe=
+ fi
+done
+
+fi
+
+if test -z "$lt_cv_sys_global_symbol_pipe"; then
+ lt_cv_sys_global_symbol_to_cdecl=
+fi
+if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
+ { echo "$as_me:$LINENO: result: failed" >&5
+echo "${ECHO_T}failed" >&6; }
+else
+ { echo "$as_me:$LINENO: result: ok" >&5
+echo "${ECHO_T}ok" >&6; }
+fi
+
+{ echo "$as_me:$LINENO: checking for objdir" >&5
+echo $ECHO_N "checking for objdir... $ECHO_C" >&6; }
+if test "${lt_cv_objdir+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+ lt_cv_objdir=.libs
+else
+ # MS-DOS does not allow filenames that begin with a dot.
+ lt_cv_objdir=_libs
+fi
+rmdir .libs 2>/dev/null
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5
+echo "${ECHO_T}$lt_cv_objdir" >&6; }
+objdir=$lt_cv_objdir
+
+
+
+
+
+case $host_os in
+aix3*)
+ # AIX sometimes has problems with the GCC collect2 program. For some
+ # reason, if we set the COLLECT_NAMES environment variable, the problems
+ # vanish in a puff of smoke.
+ if test "X${COLLECT_NAMES+set}" != Xset; then
+ COLLECT_NAMES=
+ export COLLECT_NAMES
+ fi
+ ;;
+esac
+
+# Sed substitution that helps us do robust quoting. It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e 1s/^X//'
+sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g'
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+
+# Constants:
+rm="rm -f"
+
+# Global variables:
+default_ofile=libtool
+can_build_shared=yes
+
+# All known linkers require a `.a' archive for static linking (except MSVC,
+# which needs '.lib').
+libext=a
+ltmain="$ac_aux_dir/ltmain.sh"
+ofile="$default_ofile"
+with_gnu_ld="$lt_cv_prog_gnu_ld"
+
+if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args.
+set dummy ${ac_tool_prefix}ar; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_AR+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$AR"; then
+ ac_cv_prog_AR="$AR" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_AR="${ac_tool_prefix}ar"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+AR=$ac_cv_prog_AR
+if test -n "$AR"; then
+ { echo "$as_me:$LINENO: result: $AR" >&5
+echo "${ECHO_T}$AR" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_AR"; then
+ ac_ct_AR=$AR
+ # Extract the first word of "ar", so it can be a program name with args.
+set dummy ar; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_AR+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_AR"; then
+ ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_AR="ar"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_AR=$ac_cv_prog_ac_ct_AR
+if test -n "$ac_ct_AR"; then
+ { echo "$as_me:$LINENO: result: $ac_ct_AR" >&5
+echo "${ECHO_T}$ac_ct_AR" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+ if test "x$ac_ct_AR" = x; then
+ AR="false"
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ AR=$ac_ct_AR
+ fi
+else
+ AR="$ac_cv_prog_AR"
+fi
+
+if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
+set dummy ${ac_tool_prefix}ranlib; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_RANLIB+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$RANLIB"; then
+ ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+RANLIB=$ac_cv_prog_RANLIB
+if test -n "$RANLIB"; then
+ { echo "$as_me:$LINENO: result: $RANLIB" >&5
+echo "${ECHO_T}$RANLIB" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_RANLIB"; then
+ ac_ct_RANLIB=$RANLIB
+ # Extract the first word of "ranlib", so it can be a program name with args.
+set dummy ranlib; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_RANLIB"; then
+ ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_RANLIB="ranlib"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
+if test -n "$ac_ct_RANLIB"; then
+ { echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
+echo "${ECHO_T}$ac_ct_RANLIB" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+ if test "x$ac_ct_RANLIB" = x; then
+ RANLIB=":"
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ RANLIB=$ac_ct_RANLIB
+ fi
+else
+ RANLIB="$ac_cv_prog_RANLIB"
+fi
+
+if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
+set dummy ${ac_tool_prefix}strip; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_STRIP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$STRIP"; then
+ ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_STRIP="${ac_tool_prefix}strip"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+STRIP=$ac_cv_prog_STRIP
+if test -n "$STRIP"; then
+ { echo "$as_me:$LINENO: result: $STRIP" >&5
+echo "${ECHO_T}$STRIP" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_STRIP"; then
+ ac_ct_STRIP=$STRIP
+ # Extract the first word of "strip", so it can be a program name with args.
+set dummy strip; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_STRIP"; then
+ ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_STRIP="strip"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
+if test -n "$ac_ct_STRIP"; then
+ { echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
+echo "${ECHO_T}$ac_ct_STRIP" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+ if test "x$ac_ct_STRIP" = x; then
+ STRIP=":"
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ STRIP=$ac_ct_STRIP
+ fi
+else
+ STRIP="$ac_cv_prog_STRIP"
+fi
+
+
+old_CC="$CC"
+old_CFLAGS="$CFLAGS"
+
+# Set sane defaults for various variables
+test -z "$AR" && AR=ar
+test -z "$AR_FLAGS" && AR_FLAGS=cru
+test -z "$AS" && AS=as
+test -z "$CC" && CC=cc
+test -z "$LTCC" && LTCC=$CC
+test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+test -z "$LD" && LD=ld
+test -z "$LN_S" && LN_S="ln -s"
+test -z "$MAGIC_CMD" && MAGIC_CMD=file
+test -z "$NM" && NM=nm
+test -z "$SED" && SED=sed
+test -z "$OBJDUMP" && OBJDUMP=objdump
+test -z "$RANLIB" && RANLIB=:
+test -z "$STRIP" && STRIP=:
+test -z "$ac_objext" && ac_objext=o
+
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+if test -n "$RANLIB"; then
+ case $host_os in
+ openbsd*)
+ old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
+ ;;
+ *)
+ old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
+ ;;
+ esac
+ old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+fi
+
+for cc_temp in $compiler""; do
+ case $cc_temp in
+ compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+ distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+ \-*) ;;
+ *) break;;
+ esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+
+# Only perform the check for file, if the check method requires it
+case $deplibs_check_method in
+file_magic*)
+ if test "$file_magic_cmd" = '$MAGIC_CMD'; then
+ { echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5
+echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6; }
+if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ case $MAGIC_CMD in
+[\\/*] | ?:[\\/]*)
+ lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
+ ;;
+*)
+ lt_save_MAGIC_CMD="$MAGIC_CMD"
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
+ for ac_dir in $ac_dummy; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ if test -f $ac_dir/${ac_tool_prefix}file; then
+ lt_cv_path_MAGIC_CMD="$ac_dir/${ac_tool_prefix}file"
+ if test -n "$file_magic_test_file"; then
+ case $deplibs_check_method in
+ "file_magic "*)
+ file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
+ MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+ if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+ $EGREP "$file_magic_regex" > /dev/null; then
+ :
+ else
+ cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such. This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem. Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+ fi ;;
+ esac
+ fi
+ break
+ fi
+ done
+ IFS="$lt_save_ifs"
+ MAGIC_CMD="$lt_save_MAGIC_CMD"
+ ;;
+esac
+fi
+
+MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+if test -n "$MAGIC_CMD"; then
+ { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+echo "${ECHO_T}$MAGIC_CMD" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+if test -z "$lt_cv_path_MAGIC_CMD"; then
+ if test -n "$ac_tool_prefix"; then
+ { echo "$as_me:$LINENO: checking for file" >&5
+echo $ECHO_N "checking for file... $ECHO_C" >&6; }
+if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ case $MAGIC_CMD in
+[\\/*] | ?:[\\/]*)
+ lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
+ ;;
+*)
+ lt_save_MAGIC_CMD="$MAGIC_CMD"
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
+ for ac_dir in $ac_dummy; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ if test -f $ac_dir/file; then
+ lt_cv_path_MAGIC_CMD="$ac_dir/file"
+ if test -n "$file_magic_test_file"; then
+ case $deplibs_check_method in
+ "file_magic "*)
+ file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
+ MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+ if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+ $EGREP "$file_magic_regex" > /dev/null; then
+ :
+ else
+ cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such. This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem. Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+ fi ;;
+ esac
+ fi
+ break
+ fi
+ done
+ IFS="$lt_save_ifs"
+ MAGIC_CMD="$lt_save_MAGIC_CMD"
+ ;;
+esac
+fi
+
+MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+if test -n "$MAGIC_CMD"; then
+ { echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+echo "${ECHO_T}$MAGIC_CMD" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+ else
+ MAGIC_CMD=:
+ fi
+fi
+
+ fi
+ ;;
+esac
+
+enable_dlopen=no
+enable_win32_dll=no
+
+# Check whether --enable-libtool-lock was given.
+if test "${enable_libtool_lock+set}" = set; then
+ enableval=$enable_libtool_lock;
+fi
+
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+
+# Check whether --with-pic was given.
+if test "${with_pic+set}" = set; then
+ withval=$with_pic; pic_mode="$withval"
+else
+ pic_mode=default
+fi
+
+test -z "$pic_mode" && pic_mode=default
+
+# Check if we have a version mismatch between libtool.m4 and ltmain.sh.
+#
+# Note: This should be in AC_LIBTOOL_SETUP, _after_ $ltmain have been defined.
+# We also should do it _before_ AC_LIBTOOL_LANG_C_CONFIG that actually
+# calls AC_LIBTOOL_CONFIG and creates libtool.
+#
+{ echo "$as_me:$LINENO: checking for correct ltmain.sh version" >&5
+echo $ECHO_N "checking for correct ltmain.sh version... $ECHO_C" >&6; }
+if test "x$ltmain" = "x" ; then
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+ { { echo "$as_me:$LINENO: error:
+
+*** [Gentoo] sanity check failed! ***
+*** \$ltmain is not defined, please check the patch for consistency! ***
+" >&5
+echo "$as_me: error:
+
+*** [Gentoo] sanity check failed! ***
+*** \$ltmain is not defined, please check the patch for consistency! ***
+" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+gentoo_lt_version="1.5.22"
+gentoo_ltmain_version=`sed -n '/^[ ]*VERSION=/{s/^[ ]*VERSION=//;p;q;}' "$ltmain"`
+if test "x$gentoo_lt_version" != "x$gentoo_ltmain_version" ; then
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+ { { echo "$as_me:$LINENO: error:
+
+*** [Gentoo] sanity check failed! ***
+*** libtool.m4 and ltmain.sh have a version mismatch! ***
+*** (libtool.m4 = $gentoo_lt_version, ltmain.sh = $gentoo_ltmain_version) ***
+
+Please run:
+
+ libtoolize --copy --force
+
+if appropriate, please contact the maintainer of this
+package (or your distribution) for help.
+" >&5
+echo "$as_me: error:
+
+*** [Gentoo] sanity check failed! ***
+*** libtool.m4 and ltmain.sh have a version mismatch! ***
+*** (libtool.m4 = $gentoo_lt_version, ltmain.sh = $gentoo_ltmain_version) ***
+
+Please run:
+
+ libtoolize --copy --force
+
+if appropriate, please contact the maintainer of this
+package (or your distribution) for help.
+" >&2;}
+ { (exit 1); exit 1; }; }
+else
+ { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+fi
+
+
+# Use C for the default configuration in the libtool script
+tagname=
+lt_save_CC="$CC"
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+# Source file extension for C test sources.
+ac_ext=c
+
+# Object file extension for compiled C test sources.
+objext=o
+objext=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(){return(0);}\n'
+
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm conftest*
+
+
+
+lt_prog_compiler_no_builtin_flag=
+
+if test "$GCC" = yes; then
+ lt_prog_compiler_no_builtin_flag=' -fno-builtin'
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_prog_compiler_rtti_exceptions=no
+ ac_outfile=conftest.$ac_objext
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="-fno-rtti -fno-exceptions"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:7827: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&5
+ echo "$as_me:7831: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings other than the usual output.
+ $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+ $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+ if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+ lt_cv_prog_compiler_rtti_exceptions=yes
+ fi
+ fi
+ $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; }
+
+if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
+ lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions"
+else
+ :
+fi
+
+fi
+
+lt_prog_compiler_wl=
+lt_prog_compiler_pic=
+lt_prog_compiler_static=
+
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
+
+ if test "$GCC" = yes; then
+ lt_prog_compiler_wl='-Wl,'
+ lt_prog_compiler_static='-static'
+
+ case $host_os in
+ aix*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static='-Bstatic'
+ fi
+ ;;
+
+ amigaos*)
+ # FIXME: we need at least 68020 code to build shared libraries, but
+ # adding the `-m68020' flag to GCC prevents building anything better,
+ # like `-m68040'.
+ lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4'
+ ;;
+
+ beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+ # PIC is the default for these OSes.
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ lt_prog_compiler_pic='-DDLL_EXPORT'
+ ;;
+
+ darwin* | rhapsody*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ lt_prog_compiler_pic='-fno-common'
+ ;;
+
+ interix3*)
+ # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+ # Instead, we relocate shared libraries at runtime.
+ ;;
+
+ msdosdjgpp*)
+ # Just because we use GCC doesn't mean we suddenly get shared libraries
+ # on systems that don't support them.
+ lt_prog_compiler_can_build_shared=no
+ enable_shared=no
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ lt_prog_compiler_pic=-Kconform_pic
+ fi
+ ;;
+
+ hpux*)
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case $host_cpu in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ lt_prog_compiler_pic='-fPIC'
+ ;;
+ esac
+ ;;
+
+ *)
+ lt_prog_compiler_pic='-fPIC'
+ ;;
+ esac
+ else
+ # PORTME Check for flag to pass linker flags through the system compiler.
+ case $host_os in
+ aix*)
+ lt_prog_compiler_wl='-Wl,'
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static='-Bstatic'
+ else
+ lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp'
+ fi
+ ;;
+ darwin*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ case $cc_basename in
+ xlc*)
+ lt_prog_compiler_pic='-qnocommon'
+ lt_prog_compiler_wl='-Wl,'
+ ;;
+ esac
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ lt_prog_compiler_pic='-DDLL_EXPORT'
+ ;;
+
+ hpux9* | hpux10* | hpux11*)
+ lt_prog_compiler_wl='-Wl,'
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case $host_cpu in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ lt_prog_compiler_pic='+Z'
+ ;;
+ esac
+ # Is there a better lt_prog_compiler_static that works with the bundled CC?
+ lt_prog_compiler_static='${wl}-a ${wl}archive'
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ lt_prog_compiler_wl='-Wl,'
+ # PIC (with -KPIC) is the default.
+ lt_prog_compiler_static='-non_shared'
+ ;;
+
+ newsos6)
+ lt_prog_compiler_pic='-KPIC'
+ lt_prog_compiler_static='-Bstatic'
+ ;;
+
+ linux*)
+ case $cc_basename in
+ icc* | ecc*)
+ lt_prog_compiler_wl='-Wl,'
+ lt_prog_compiler_pic='-KPIC'
+ lt_prog_compiler_static='-static'
+ ;;
+ pgcc* | pgf77* | pgf90* | pgf95*)
+ # Portland Group compilers (*not* the Pentium gcc compiler,
+ # which looks to be a dead project)
+ lt_prog_compiler_wl='-Wl,'
+ lt_prog_compiler_pic='-fpic'
+ lt_prog_compiler_static='-Bstatic'
+ ;;
+ ccc*)
+ lt_prog_compiler_wl='-Wl,'
+ # All Alpha code is PIC.
+ lt_prog_compiler_static='-non_shared'
+ ;;
+ esac
+ ;;
+
+ osf3* | osf4* | osf5*)
+ lt_prog_compiler_wl='-Wl,'
+ # All OSF/1 code is PIC.
+ lt_prog_compiler_static='-non_shared'
+ ;;
+
+ solaris*)
+ lt_prog_compiler_pic='-KPIC'
+ lt_prog_compiler_static='-Bstatic'
+ case $cc_basename in
+ f77* | f90* | f95*)
+ lt_prog_compiler_wl='-Qoption ld ';;
+ *)
+ lt_prog_compiler_wl='-Wl,';;
+ esac
+ ;;
+
+ sunos4*)
+ lt_prog_compiler_wl='-Qoption ld '
+ lt_prog_compiler_pic='-PIC'
+ lt_prog_compiler_static='-Bstatic'
+ ;;
+
+ sysv4 | sysv4.2uw2* | sysv4.3*)
+ lt_prog_compiler_wl='-Wl,'
+ lt_prog_compiler_pic='-KPIC'
+ lt_prog_compiler_static='-Bstatic'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec ;then
+ lt_prog_compiler_pic='-Kconform_pic'
+ lt_prog_compiler_static='-Bstatic'
+ fi
+ ;;
+
+ sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+ lt_prog_compiler_wl='-Wl,'
+ lt_prog_compiler_pic='-KPIC'
+ lt_prog_compiler_static='-Bstatic'
+ ;;
+
+ unicos*)
+ lt_prog_compiler_wl='-Wl,'
+ lt_prog_compiler_can_build_shared=no
+ ;;
+
+ uts4*)
+ lt_prog_compiler_pic='-pic'
+ lt_prog_compiler_static='-Bstatic'
+ ;;
+
+ *)
+ lt_prog_compiler_can_build_shared=no
+ ;;
+ esac
+ fi
+
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic" >&6; }
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$lt_prog_compiler_pic"; then
+
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic works... $ECHO_C" >&6; }
+if test "${lt_prog_compiler_pic_works+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_prog_compiler_pic_works=no
+ ac_outfile=conftest.$ac_objext
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="$lt_prog_compiler_pic -DPIC"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:8095: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&5
+ echo "$as_me:8099: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings other than the usual output.
+ $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+ $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+ if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+ lt_prog_compiler_pic_works=yes
+ fi
+ fi
+ $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_works" >&6; }
+
+if test x"$lt_prog_compiler_pic_works" = xyes; then
+ case $lt_prog_compiler_pic in
+ "" | " "*) ;;
+ *) lt_prog_compiler_pic=" $lt_prog_compiler_pic" ;;
+ esac
+else
+ lt_prog_compiler_pic=
+ lt_prog_compiler_can_build_shared=no
+fi
+
+fi
+case $host_os in
+ # For platforms which do not support PIC, -DPIC is meaningless:
+ *djgpp*)
+ lt_prog_compiler_pic=
+ ;;
+ *)
+ lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC"
+ ;;
+esac
+
+#
+# Check to make sure the static flag actually works.
+#
+wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\"
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
+if test "${lt_prog_compiler_static_works+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_prog_compiler_static_works=no
+ save_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
+ printf "$lt_simple_link_test_code" > conftest.$ac_ext
+ if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+ # The linker can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test -s conftest.err; then
+ # Append any errors to the config.log.
+ cat conftest.err 1>&5
+ $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+ $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+ if diff conftest.exp conftest.er2 >/dev/null; then
+ lt_prog_compiler_static_works=yes
+ fi
+ else
+ lt_prog_compiler_static_works=yes
+ fi
+ fi
+ $rm conftest*
+ LDFLAGS="$save_LDFLAGS"
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works" >&5
+echo "${ECHO_T}$lt_prog_compiler_static_works" >&6; }
+
+if test x"$lt_prog_compiler_static_works" = xyes; then
+ :
+else
+ lt_prog_compiler_static=
+fi
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_c_o+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_prog_compiler_c_o=no
+ $rm -r conftest 2>/dev/null
+ mkdir conftest
+ cd conftest
+ mkdir out
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ lt_compiler_flag="-o out/conftest2.$ac_objext"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:8199: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>out/conftest.err)
+ ac_status=$?
+ cat out/conftest.err >&5
+ echo "$as_me:8203: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s out/conftest2.$ac_objext
+ then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+ $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+ if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+ lt_cv_prog_compiler_c_o=yes
+ fi
+ fi
+ chmod u+w . 2>&5
+ $rm conftest*
+ # SGI C++ compiler will create directory out/ii_files/ for
+ # template instantiation
+ test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+ $rm out/* && rmdir out
+ cd ..
+ rmdir conftest
+ $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6; }
+
+
+hard_links="nottested"
+if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then
+ # do not overwrite the value of need_locks provided by the user
+ { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
+ hard_links=yes
+ $rm conftest*
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ touch conftest.a
+ ln conftest.a conftest.b 2>&5 || hard_links=no
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
+ if test "$hard_links" = no; then
+ { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+ need_locks=warn
+ fi
+else
+ need_locks=no
+fi
+
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
+
+ runpath_var=
+ allow_undefined_flag=
+ enable_shared_with_static_runtimes=no
+ archive_cmds=
+ archive_expsym_cmds=
+ old_archive_From_new_cmds=
+ old_archive_from_expsyms_cmds=
+ export_dynamic_flag_spec=
+ whole_archive_flag_spec=
+ thread_safe_flag_spec=
+ hardcode_libdir_flag_spec=
+ hardcode_libdir_flag_spec_ld=
+ hardcode_libdir_separator=
+ hardcode_direct=no
+ hardcode_minus_L=no
+ hardcode_shlibpath_var=unsupported
+ link_all_deplibs=unknown
+ hardcode_automatic=no
+ module_cmds=
+ module_expsym_cmds=
+ always_export_symbols=no
+ export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ # include_expsyms should be a list of space-separated symbols to be *always*
+ # included in the symbol list
+ include_expsyms=
+ # exclude_expsyms can be an extended regexp of symbols to exclude
+ # it will be wrapped by ` (' and `)$', so one must not match beginning or
+ # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+ # as well as any symbol that contains `d'.
+ exclude_expsyms="_GLOBAL_OFFSET_TABLE_"
+ # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+ # platforms (ab)use it in PIC code, but their linkers get confused if
+ # the symbol is explicitly referenced. Since portable code cannot
+ # rely on this symbol name, it's probably fine to never include it in
+ # preloaded symbol tables.
+ extract_expsyms_cmds=
+ # Just being paranoid about ensuring that cc_basename is set.
+ for cc_temp in $compiler""; do
+ case $cc_temp in
+ compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+ distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+ \-*) ;;
+ *) break;;
+ esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+ case $host_os in
+ cygwin* | mingw* | pw32*)
+ # FIXME: the MSVC++ port hasn't been tested in a loooong time
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ if test "$GCC" != yes; then
+ with_gnu_ld=no
+ fi
+ ;;
+ interix*)
+ # we just hope/assume this is gcc and not c89 (= MSVC++)
+ with_gnu_ld=yes
+ ;;
+ openbsd*)
+ with_gnu_ld=no
+ ;;
+ esac
+
+ ld_shlibs=yes
+ if test "$with_gnu_ld" = yes; then
+ # If archive_cmds runs LD, not CC, wlarc should be empty
+ wlarc='${wl}'
+
+ # Set some defaults for GNU ld with shared library support. These
+ # are reset later if shared libraries are not supported. Putting them
+ # here allows them to be overridden if necessary.
+ runpath_var=LD_RUN_PATH
+ hardcode_libdir_flag_spec='${wl}--rpath ${wl}$libdir'
+ export_dynamic_flag_spec='${wl}--export-dynamic'
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+ whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ else
+ whole_archive_flag_spec=
+ fi
+ supports_anon_versioning=no
+ case `$LD -v 2>/dev/null` in
+ *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+ *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+ *\ 2.11.*) ;; # other 2.11 versions
+ *) supports_anon_versioning=yes ;;
+ esac
+
+ # See if GNU ld supports shared libraries.
+ case $host_os in
+ aix3* | aix4* | aix5*)
+ # On AIX/PPC, the GNU linker is very broken
+ if test "$host_cpu" != ia64; then
+ ld_shlibs=no
+ cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support. If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+ fi
+ ;;
+
+ amigaos*)
+ archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_minus_L=yes
+
+ # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+ # that the semantics of dynamic libraries on AmigaOS, at least up
+ # to version 4, is to share data among multiple programs linked
+ # with the same dynamic library. Since this doesn't match the
+ # behavior of shared libraries on other platforms, we can't use
+ # them.
+ ld_shlibs=no
+ ;;
+
+ beos*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ allow_undefined_flag=unsupported
+ # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+ # support --undefined. This deserves some investigation. FIXME
+ archive_cmds='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
+ # as there is no search path for DLLs.
+ hardcode_libdir_flag_spec='-L$libdir'
+ allow_undefined_flag=unsupported
+ always_export_symbols=no
+ enable_shared_with_static_runtimes=yes
+ export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+
+ if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ interix3*)
+ hardcode_direct=no
+ hardcode_shlibpath_var=no
+ hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+ export_dynamic_flag_spec='${wl}-E'
+ # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+ # Instead, shared libraries are loaded at an image base (0x10000000 by
+ # default) and relocated if they conflict, which is a slow very memory
+ # consuming and fragmenting process. To avoid this, we pick a random,
+ # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+ # time. Moving up from 0x10000000 also allows more sbrk(2) space.
+ archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+ archive_expsym_cmds='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+ ;;
+
+ linux*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ tmp_addflag=
+ case $cc_basename,$host_cpu in
+ pgcc*) # Portland Group C compiler
+ whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+ tmp_addflag=' $pic_flag'
+ ;;
+ pgf77* | pgf90* | pgf95*) # Portland Group f77 and f90 compilers
+ whole_archive_flag_spec='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+ tmp_addflag=' $pic_flag -Mnomain' ;;
+ ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64
+ tmp_addflag=' -i_dynamic' ;;
+ efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64
+ tmp_addflag=' -i_dynamic -nofor_main' ;;
+ ifc* | ifort*) # Intel Fortran compiler
+ tmp_addflag=' -nofor_main' ;;
+ esac
+ archive_cmds='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+ if test $supports_anon_versioning = yes; then
+ archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
+ cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+ $echo "local: *; };" >> $output_objdir/$libname.ver~
+ $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+ fi
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+ wlarc=
+ else
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ fi
+ ;;
+
+ solaris*)
+ if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+ ld_shlibs=no
+ cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems. Therefore, libtool
+*** is disabling shared libraries support. We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer. Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+ elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+ case `$LD -v 2>&1` in
+ *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
+ ld_shlibs=no
+ cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems. Therefore, libtool
+*** is disabling shared libraries support. We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer. Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+ ;;
+ *)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
+ archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
+ else
+ ld_shlibs=no
+ fi
+ ;;
+ esac
+ ;;
+
+ sunos4*)
+ archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ wlarc=
+ hardcode_direct=yes
+ hardcode_shlibpath_var=no
+ ;;
+
+ *)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ ld_shlibs=no
+ fi
+ ;;
+ esac
+
+ if test "$ld_shlibs" = no; then
+ runpath_var=
+ hardcode_libdir_flag_spec=
+ export_dynamic_flag_spec=
+ whole_archive_flag_spec=
+ fi
+ else
+ # PORTME fill in a description of your system's linker (not GNU ld)
+ case $host_os in
+ aix3*)
+ allow_undefined_flag=unsupported
+ always_export_symbols=yes
+ archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+ # Note: this linker hardcodes the directories in LIBPATH if there
+ # are no directories specified by -L.
+ hardcode_minus_L=yes
+ if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
+ # Neither direct hardcoding nor static linking is supported with a
+ # broken collect2.
+ hardcode_direct=unsupported
+ fi
+ ;;
+
+ aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # On IA64, the linker does run time linking by default, so we don't
+ # have to do anything special.
+ aix_use_runtimelinking=no
+ exp_sym_flag='-Bexport'
+ no_entry_flag=""
+ else
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+ export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ else
+ export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ fi
+ aix_use_runtimelinking=no
+
+ # Test if we are trying to use run time linking or normal
+ # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+ # need to do runtime linking.
+ case $host_os in aix4.[23]|aix4.[23].*|aix5*)
+ for ld_flag in $LDFLAGS; do
+ if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+ aix_use_runtimelinking=yes
+ break
+ fi
+ done
+ ;;
+ esac
+
+ exp_sym_flag='-bexport'
+ no_entry_flag='-bnoentry'
+ fi
+
+ # When large executables or shared objects are built, AIX ld can
+ # have problems creating the table of contents. If linking a library
+ # or program results in "error TOC overflow" add -mminimal-toc to
+ # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
+ # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+ archive_cmds=''
+ hardcode_direct=yes
+ hardcode_libdir_separator=':'
+ link_all_deplibs=yes
+
+ if test "$GCC" = yes; then
+ case $host_os in aix4.[012]|aix4.[012].*)
+ # We only want to do this on AIX 4.2 and lower, the check
+ # below for broken collect2 doesn't work under 4.3+
+ collect2name=`${CC} -print-prog-name=collect2`
+ if test -f "$collect2name" && \
+ strings "$collect2name" | grep resolve_lib_name >/dev/null
+ then
+ # We have reworked collect2
+ hardcode_direct=yes
+ else
+ # We have old collect2
+ hardcode_direct=unsupported
+ # It fails to find uninstalled libraries when the uninstalled
+ # path is not listed in the libpath. Setting hardcode_minus_L
+ # to unsupported forces relinking
+ hardcode_minus_L=yes
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_libdir_separator=
+ fi
+ ;;
+ esac
+ shared_flag='-shared'
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag="$shared_flag "'${wl}-G'
+ fi
+ else
+ # not using gcc
+ if test "$host_cpu" = ia64; then
+ # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+ # chokes on -Wl,-G. The following line is correct:
+ shared_flag='-G'
+ else
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag='${wl}-G'
+ else
+ shared_flag='${wl}-bM:SRE'
+ fi
+ fi
+ fi
+
+ # It seems that -bexpall does not export symbols beginning with
+ # underscore (_), so it is better to generate a list of symbols to export.
+ always_export_symbols=yes
+ if test "$aix_use_runtimelinking" = yes; then
+ # Warning - without using the other runtime loading flags (-brtl),
+ # -berok will link without error, but may produce a broken library.
+ allow_undefined_flag='-berok'
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
+ archive_expsym_cmds="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ else
+ if test "$host_cpu" = ia64; then
+ hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
+ allow_undefined_flag="-z nodefs"
+ archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+ else
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
+ # Warning - without using the other run time loading flags,
+ # -berok will link without error, but may produce a broken library.
+ no_undefined_flag=' ${wl}-bernotok'
+ allow_undefined_flag=' ${wl}-berok'
+ # Exported symbols can be pulled into shared objects from archives
+ whole_archive_flag_spec='$convenience'
+ archive_cmds_need_lc=yes
+ # This is similar to how AIX traditionally builds its shared libraries.
+ archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+ fi
+ fi
+ ;;
+
+ amigaos*)
+ archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_minus_L=yes
+ # see comment about different semantics on the GNU ld section
+ ld_shlibs=no
+ ;;
+
+ bsdi[45]*)
+ export_dynamic_flag_spec=-rdynamic
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ # hardcode_libdir_flag_spec is actually meaningless, as there is
+ # no search path for DLLs.
+ hardcode_libdir_flag_spec=' '
+ allow_undefined_flag=unsupported
+ # Tell ltmain to make .lib files, not .a files.
+ libext=lib
+ # Tell ltmain to make .dll files, not .so files.
+ shrext_cmds=".dll"
+ # FIXME: Setting linknames here is a bad hack.
+ archive_cmds='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
+ # The linker will automatically build a .lib file if we build a DLL.
+ old_archive_From_new_cmds='true'
+ # FIXME: Should let the user specify the lib program.
+ old_archive_cmds='lib /OUT:$oldlib$oldobjs$old_deplibs'
+ fix_srcfile_path='`cygpath -w "$srcfile"`'
+ enable_shared_with_static_runtimes=yes
+ ;;
+
+ darwin* | rhapsody*)
+ case $host_os in
+ rhapsody* | darwin1.[012])
+ allow_undefined_flag='${wl}-undefined ${wl}suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[012])
+ allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+ ;;
+ 10.*)
+ allow_undefined_flag='${wl}-undefined ${wl}dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ archive_cmds_need_lc=no
+ hardcode_direct=no
+ hardcode_automatic=yes
+ hardcode_shlibpath_var=unsupported
+ whole_archive_flag_spec=''
+ link_all_deplibs=yes
+ if test "$GCC" = yes ; then
+ output_verbose_link_cmd='echo'
+ archive_cmds='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+ archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ module_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ case $cc_basename in
+ xlc*)
+ output_verbose_link_cmd='echo'
+ archive_cmds='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
+ module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+ archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ module_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ ;;
+ *)
+ ld_shlibs=no
+ ;;
+ esac
+ fi
+ ;;
+
+ dgux*)
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_shlibpath_var=no
+ ;;
+
+ freebsd1*)
+ ld_shlibs=no
+ ;;
+
+ # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+ # support. Future versions do this automatically, but an explicit c++rt0.o
+ # does not break anything, and helps significantly (at the cost of a little
+ # extra space).
+ freebsd2.2*)
+ archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+ hardcode_libdir_flag_spec='-R$libdir'
+ hardcode_direct=yes
+ hardcode_shlibpath_var=no
+ ;;
+
+ # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+ freebsd2*)
+ archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct=yes
+ hardcode_minus_L=yes
+ hardcode_shlibpath_var=no
+ ;;
+
+ # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+ freebsd* | kfreebsd*-gnu | dragonfly*)
+ archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec='-R$libdir'
+ hardcode_direct=yes
+ hardcode_shlibpath_var=no
+ ;;
+
+ hpux9*)
+ if test "$GCC" = yes; then
+ archive_cmds='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ else
+ archive_cmds='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ fi
+ hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator=:
+ hardcode_direct=yes
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L=yes
+ export_dynamic_flag_spec='${wl}-E'
+ ;;
+
+ hpux10*)
+ if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+ fi
+ if test "$with_gnu_ld" = no; then
+ hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator=:
+
+ hardcode_direct=yes
+ export_dynamic_flag_spec='${wl}-E'
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L=yes
+ fi
+ ;;
+
+ hpux11*)
+ if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ case $host_cpu in
+ hppa*64*)
+ archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ ia64*)
+ archive_cmds='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ else
+ case $host_cpu in
+ hppa*64*)
+ archive_cmds='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ ia64*)
+ archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ archive_cmds='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ fi
+ if test "$with_gnu_ld" = no; then
+ hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator=:
+
+ case $host_cpu in
+ hppa*64*|ia64*)
+ hardcode_libdir_flag_spec_ld='+b $libdir'
+ hardcode_direct=no
+ hardcode_shlibpath_var=no
+ ;;
+ *)
+ hardcode_direct=yes
+ export_dynamic_flag_spec='${wl}-E'
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L=yes
+ ;;
+ esac
+ fi
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ if test "$GCC" = yes; then
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ hardcode_libdir_flag_spec_ld='-rpath $libdir'
+ fi
+ hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator=:
+ link_all_deplibs=yes
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
+ else
+ archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
+ fi
+ hardcode_libdir_flag_spec='-R$libdir'
+ hardcode_direct=yes
+ hardcode_shlibpath_var=no
+ ;;
+
+ newsos6)
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct=yes
+ hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator=:
+ hardcode_shlibpath_var=no
+ ;;
+
+ openbsd*)
+ hardcode_direct=yes
+ hardcode_shlibpath_var=no
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
+ hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+ export_dynamic_flag_spec='${wl}-E'
+ else
+ case $host_os in
+ openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
+ archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec='-R$libdir'
+ ;;
+ *)
+ archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+ ;;
+ esac
+ fi
+ ;;
+
+ os2*)
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_minus_L=yes
+ allow_undefined_flag=unsupported
+ archive_cmds='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+ old_archive_From_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+ ;;
+
+ osf3*)
+ if test "$GCC" = yes; then
+ allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ allow_undefined_flag=' -expect_unresolved \*'
+ archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ fi
+ hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator=:
+ ;;
+
+ osf4* | osf5*) # as osf3* with the addition of -msym flag
+ if test "$GCC" = yes; then
+ allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+ else
+ allow_undefined_flag=' -expect_unresolved \*'
+ archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
+ $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
+
+ # Both c and cxx compiler support -rpath directly
+ hardcode_libdir_flag_spec='-rpath $libdir'
+ fi
+ hardcode_libdir_separator=:
+ ;;
+
+ solaris*)
+ no_undefined_flag=' -z text'
+ if test "$GCC" = yes; then
+ wlarc='${wl}'
+ archive_cmds='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
+ else
+ wlarc=''
+ archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+ fi
+ hardcode_libdir_flag_spec='-R$libdir'
+ hardcode_shlibpath_var=no
+ case $host_os in
+ solaris2.[0-5] | solaris2.[0-5].*) ;;
+ *)
+ # The compiler driver will combine linker options so we
+ # cannot just pass the convience library names through
+ # without $wl, iff we do not link with $LD.
+ # Luckily, gcc supports the same syntax we need for Sun Studio.
+ # Supported since Solaris 2.6 (maybe 2.5.1?)
+ case $wlarc in
+ '')
+ whole_archive_flag_spec='-z allextract$convenience -z defaultextract' ;;
+ *)
+ whole_archive_flag_spec='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;;
+ esac ;;
+ esac
+ link_all_deplibs=yes
+ ;;
+
+ sunos4*)
+ if test "x$host_vendor" = xsequent; then
+ # Use $CC to link under sequent, because it throws in some extra .o
+ # files that make .init and .fini sections work.
+ archive_cmds='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+ fi
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_direct=yes
+ hardcode_minus_L=yes
+ hardcode_shlibpath_var=no
+ ;;
+
+ sysv4)
+ case $host_vendor in
+ sni)
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct=yes # is this really true???
+ ;;
+ siemens)
+ ## LD is ld it makes a PLAMLIB
+ ## CC just makes a GrossModule.
+ archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+ reload_cmds='$CC -r -o $output$reload_objs'
+ hardcode_direct=no
+ ;;
+ motorola)
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct=no #Motorola manual says yes, but my tests say they lie
+ ;;
+ esac
+ runpath_var='LD_RUN_PATH'
+ hardcode_shlibpath_var=no
+ ;;
+
+ sysv4.3*)
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var=no
+ export_dynamic_flag_spec='-Bexport'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var=no
+ runpath_var=LD_RUN_PATH
+ hardcode_runpath_var=yes
+ ld_shlibs=yes
+ fi
+ ;;
+
+ sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*)
+ no_undefined_flag='${wl}-z,text'
+ archive_cmds_need_lc=no
+ hardcode_shlibpath_var=no
+ runpath_var='LD_RUN_PATH'
+
+ if test "$GCC" = yes; then
+ archive_cmds='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ fi
+ ;;
+
+ sysv5* | sco3.2v5* | sco5v6*)
+ # Note: We can NOT use -z defs as we might desire, because we do not
+ # link with -lc, and that would cause any symbols used from libc to
+ # always be unresolved, which means just about no library would
+ # ever link correctly. If we're not using GNU ld we use -z text
+ # though, which does catch some bad symbols but isn't as heavy-handed
+ # as -z defs.
+ no_undefined_flag='${wl}-z,text'
+ allow_undefined_flag='${wl}-z,nodefs'
+ archive_cmds_need_lc=no
+ hardcode_shlibpath_var=no
+ hardcode_libdir_flag_spec='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+ hardcode_libdir_separator=':'
+ link_all_deplibs=yes
+ export_dynamic_flag_spec='${wl}-Bexport'
+ runpath_var='LD_RUN_PATH'
+
+ if test "$GCC" = yes; then
+ archive_cmds='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ fi
+ ;;
+
+ uts4*)
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_shlibpath_var=no
+ ;;
+
+ *)
+ ld_shlibs=no
+ ;;
+ esac
+ fi
+
+{ echo "$as_me:$LINENO: result: $ld_shlibs" >&5
+echo "${ECHO_T}$ld_shlibs" >&6; }
+test "$ld_shlibs" = no && can_build_shared=no
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$archive_cmds_need_lc" in
+x|xyes)
+ # Assume -lc should be added
+ archive_cmds_need_lc=yes
+
+ if test "$enable_shared" = yes && test "$GCC" = yes; then
+ case $archive_cmds in
+ *'~'*)
+ # FIXME: we may have to deal with multi-command sequences.
+ ;;
+ '$CC '*)
+ # Test whether the compiler implicitly links with -lc since on some
+ # systems, -lgcc has to come before -lc. If gcc already passes -lc
+ # to ld, don't add -lc before -lgcc.
+ { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
+ $rm conftest*
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } 2>conftest.err; then
+ soname=conftest
+ lib=conftest
+ libobjs=conftest.$ac_objext
+ deplibs=
+ wl=$lt_prog_compiler_wl
+ pic_flag=$lt_prog_compiler_pic
+ compiler_flags=-v
+ linker_flags=-v
+ verstring=
+ output_objdir=.
+ libname=conftest
+ lt_save_allow_undefined_flag=$allow_undefined_flag
+ allow_undefined_flag=
+ if { (eval echo "$as_me:$LINENO: \"$archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
+ (eval $archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+ then
+ archive_cmds_need_lc=no
+ else
+ archive_cmds_need_lc=yes
+ fi
+ allow_undefined_flag=$lt_save_allow_undefined_flag
+ else
+ cat conftest.err 1>&5
+ fi
+ $rm conftest*
+ { echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5
+echo "${ECHO_T}$archive_cmds_need_lc" >&6; }
+ ;;
+ esac
+ fi
+ ;;
+esac
+
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+ # if the path contains ";" then we assume it to be the separator
+ # otherwise default to the standard path separator (i.e. ":") - it is
+ # assumed that no part of a normal pathname contains ";" but that should
+ # okay in the real world where ";" in dirpaths is itself problematic.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+else
+ sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+ shlibpath_var=LIBPATH
+
+ # AIX 3 has no versioning support, so we append a major version to the name.
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+
+aix4* | aix5*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ hardcode_into_libs=yes
+ if test "$host_cpu" = ia64; then
+ # AIX 5 supports IA64
+ library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ else
+ # With GCC up to 2.95.x, collect2 would create an import file
+ # for dependence libraries. The import file would start with
+ # the line `#! .'. This would cause the generated library to
+ # depend on `.', always an invalid library. This was fixed in
+ # development snapshots of GCC prior to 3.0.
+ case $host_os in
+ aix4 | aix4.[01] | aix4.[01].*)
+ if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+ echo ' yes '
+ echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+ :
+ else
+ can_build_shared=no
+ fi
+ ;;
+ esac
+ # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+ # soname into executable. Probably we can add versioning support to
+ # collect2, so additional links can be useful in future.
+ if test "$aix_use_runtimelinking" = yes; then
+ # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+ # instead of lib<name>.a to let people know that these are not
+ # typical AIX shared libraries.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ else
+ # We preserve .a as extension for shared libraries through AIX4.2
+ # and later when we are not doing run time linking.
+ library_names_spec='${libname}${release}.a $libname.a'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ fi
+ shlibpath_var=LIBPATH
+ fi
+ ;;
+
+amigaos*)
+ library_names_spec='$libname.ixlibrary $libname.a'
+ # Create ${libname}_ixlibrary.a entries in /sys/libs.
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+ ;;
+
+beos*)
+ library_names_spec='${libname}${shared_ext}'
+ dynamic_linker="$host_os ld.so"
+ shlibpath_var=LIBRARY_PATH
+ ;;
+
+bsdi[45]*)
+ version_type=linux
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+ sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+ # the default ld.so.conf also contains /usr/contrib/lib and
+ # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+ # libtool to hard-code these into programs
+ ;;
+
+cygwin* | mingw* | pw32*)
+ version_type=windows
+ shrext_cmds=".dll"
+ need_version=no
+ need_lib_prefix=no
+
+ case $GCC,$host_os in
+ yes,cygwin* | yes,mingw* | yes,pw32*)
+ library_names_spec='$libname.dll.a'
+ # DLL is installed to $(libdir)/../bin by postinstall_cmds
+ postinstall_cmds='base_file=`basename \${file}`~
+ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+ dldir=$destdir/`dirname \$dlpath`~
+ test -d \$dldir || mkdir -p \$dldir~
+ $install_prog $dir/$dlname \$dldir/$dlname~
+ chmod a+x \$dldir/$dlname'
+ postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+ dlpath=$dir/\$dldll~
+ $rm \$dlpath'
+ shlibpath_overrides_runpath=yes
+
+ case $host_os in
+ cygwin*)
+ # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+ soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+ ;;
+ mingw*)
+ # MinGW DLLs use traditional 'lib' prefix
+ soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
+ # It is most probably a Windows format PATH printed by
+ # mingw gcc, but we are running on Cygwin. Gcc prints its search
+ # path with ; separators, and with drive letters. We can handle the
+ # drive letters (cygwin fileutils understands them), so leave them,
+ # especially as we might pass files found there to a mingw objdump,
+ # which wouldn't understand a cygwinified path. Ahh.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+ ;;
+ pw32*)
+ # pw32 DLLs use 'pw' prefix rather than 'lib'
+ library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ ;;
+ esac
+ ;;
+
+ linux*)
+ if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ supports_anon_versioning=no
+ case `$LD -v 2>/dev/null` in
+ *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+ *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+ *\ 2.11.*) ;; # other 2.11 versions
+ *) supports_anon_versioning=yes ;;
+ esac
+ if test $supports_anon_versioning = yes; then
+ archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
+cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+$echo "local: *; };" >> $output_objdir/$libname.ver~
+ $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+ else
+ $archive_expsym_cmds="$archive_cmds"
+ fi
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ *)
+ library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+ ;;
+ esac
+ dynamic_linker='Win32 ld.exe'
+ # FIXME: first we should search . and the directory the executable is in
+ shlibpath_var=PATH
+ ;;
+
+darwin* | rhapsody*)
+ dynamic_linker="$host_os dyld"
+ version_type=darwin
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+ soname_spec='${libname}${release}${major}$shared_ext'
+ shlibpath_overrides_runpath=yes
+ shlibpath_var=DYLD_LIBRARY_PATH
+ shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+ # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
+ if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
+ else
+ sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
+ fi
+ sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+ ;;
+
+dgux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+freebsd1*)
+ dynamic_linker=no
+ ;;
+
+kfreebsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+freebsd* | dragonfly*)
+ # DragonFly does not have aout. When/if they implement a new
+ # versioning mechanism, adjust this.
+ if test -x /usr/bin/objformat; then
+ objformat=`/usr/bin/objformat`
+ else
+ case $host_os in
+ freebsd[123]*) objformat=aout ;;
+ *) objformat=elf ;;
+ esac
+ fi
+ # Handle Gentoo/FreeBSD as it was Linux
+ case $host_vendor in
+ gentoo)
+ version_type=linux ;;
+ *)
+ version_type=freebsd-$objformat ;;
+ esac
+
+ case $version_type in
+ freebsd-elf*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ need_version=no
+ need_lib_prefix=no
+ ;;
+ freebsd-*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+ need_version=yes
+ ;;
+ linux)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ need_lib_prefix=no
+ need_version=no
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_os in
+ freebsd2*)
+ shlibpath_overrides_runpath=yes
+ ;;
+ freebsd3.[01]* | freebsdelf3.[01]*)
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
+ freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+ freebsd*) # from 4.6 on
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ esac
+ ;;
+
+gnu*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ ;;
+
+hpux9* | hpux10* | hpux11*)
+ # Give a soname corresponding to the major version so that dld.sl refuses to
+ # link against other versions.
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ case $host_cpu in
+ ia64*)
+ shrext_cmds='.so'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.so"
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ if test "X$HPUX_IA64_MODE" = X32; then
+ sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+ else
+ sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+ fi
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ hppa*64*)
+ shrext_cmds='.sl'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ *)
+ shrext_cmds='.sl'
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=SHLIB_PATH
+ shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+ esac
+ # HP-UX runs *really* slowly unless shared libraries are mode 555.
+ postinstall_cmds='chmod 555 $lib'
+ ;;
+
+interix3*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $host_os in
+ nonstopux*) version_type=nonstopux ;;
+ *)
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ version_type=linux
+ else
+ version_type=irix
+ fi ;;
+ esac
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+ case $host_os in
+ irix5* | nonstopux*)
+ libsuff= shlibsuff=
+ ;;
+ *)
+ case $LD in # libtool.m4 will add one of these switches to LD
+ *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+ libsuff= shlibsuff= libmagic=32-bit;;
+ *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+ libsuff=32 shlibsuff=N32 libmagic=N32;;
+ *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+ libsuff=64 shlibsuff=64 libmagic=64-bit;;
+ *) libsuff= shlibsuff= libmagic=never-match;;
+ esac
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+ sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+ hardcode_into_libs=yes
+ ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+ dynamic_linker=no
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ # This implies no fast_install, which is unacceptable.
+ # Some rework will be needed to allow for fast_install
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+ sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+ # powerpc, because MkLinux only supported shared libraries with the
+ # GNU dynamic linker. Since this was broken with cross compilers,
+ # most powerpc-linux boxes support dynamic linking these days and
+ # people can always --disable-shared, the test was removed, and we
+ # assume the GNU/Linux dynamic linker is in use.
+ dynamic_linker='GNU/Linux ld.so'
+ ;;
+
+knetbsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+netbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ dynamic_linker='NetBSD (a.out) ld.so'
+ else
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='NetBSD ld.elf_so'
+ fi
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+
+newsos6)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+nto-qnx*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+openbsd*)
+ version_type=sunos
+ sys_lib_dlsearch_path_spec="/usr/lib"
+ need_lib_prefix=no
+ # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+ case $host_os in
+ openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+ *) need_version=no ;;
+ esac
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ case $host_os in
+ openbsd2.[89] | openbsd2.[89].*)
+ shlibpath_overrides_runpath=no
+ ;;
+ *)
+ shlibpath_overrides_runpath=yes
+ ;;
+ esac
+ else
+ shlibpath_overrides_runpath=yes
+ fi
+ ;;
+
+os2*)
+ libname_spec='$name'
+ shrext_cmds=".dll"
+ need_lib_prefix=no
+ library_names_spec='$libname${shared_ext} $libname.a'
+ dynamic_linker='OS/2 ld.exe'
+ shlibpath_var=LIBPATH
+ ;;
+
+osf3* | osf4* | osf5*)
+ version_type=osf
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+ sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+ ;;
+
+solaris*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ # ldd complains unless libraries are executable
+ postinstall_cmds='chmod +x $lib'
+ ;;
+
+sunos4*)
+ version_type=sunos
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ if test "$with_gnu_ld" = yes; then
+ need_lib_prefix=no
+ fi
+ need_version=yes
+ ;;
+
+sysv4 | sysv4.3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_vendor in
+ sni)
+ shlibpath_overrides_runpath=no
+ need_lib_prefix=no
+ export_dynamic_flag_spec='${wl}-Blargedynsym'
+ runpath_var=LD_RUN_PATH
+ ;;
+ siemens)
+ need_lib_prefix=no
+ ;;
+ motorola)
+ need_lib_prefix=no
+ need_version=no
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+ ;;
+ esac
+ ;;
+
+sysv4*MP*)
+ if test -d /usr/nec ;then
+ version_type=linux
+ library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+ soname_spec='$libname${shared_ext}.$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ fi
+ ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+ version_type=freebsd-elf
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ if test "$with_gnu_ld" = yes; then
+ sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+ shlibpath_overrides_runpath=no
+ else
+ sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+ shlibpath_overrides_runpath=yes
+ case $host_os in
+ sco3.2v5*)
+ sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+ ;;
+ esac
+ fi
+ sys_lib_dlsearch_path_spec='/usr/lib'
+ ;;
+
+uts4*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+*)
+ dynamic_linker=no
+ ;;
+esac
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
+test "$dynamic_linker" = no && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+ variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
+hardcode_action=
+if test -n "$hardcode_libdir_flag_spec" || \
+ test -n "$runpath_var" || \
+ test "X$hardcode_automatic" = "Xyes" ; then
+
+ # We can hardcode non-existant directories.
+ if test "$hardcode_direct" != no &&
+ # If the only mechanism to avoid hardcoding is shlibpath_var, we
+ # have to relink, otherwise we might link with an installed library
+ # when we should be linking with a yet-to-be-installed one
+ ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, )" != no &&
+ test "$hardcode_minus_L" != no; then
+ # Linking always hardcodes the temporary library directory.
+ hardcode_action=relink
+ else
+ # We can link without hardcoding, and we can hardcode nonexisting dirs.
+ hardcode_action=immediate
+ fi
+else
+ # We cannot hardcode anything, or else we can only hardcode existing
+ # directories.
+ hardcode_action=unsupported
+fi
+{ echo "$as_me:$LINENO: result: $hardcode_action" >&5
+echo "${ECHO_T}$hardcode_action" >&6; }
+
+if test "$hardcode_action" = relink; then
+ # Fast installation is not supported
+ enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+ test "$enable_shared" = no; then
+ # Fast installation is not necessary
+ enable_fast_install=needless
+fi
+
+striplib=
+old_striplib=
+{ echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
+echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6; }
+if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
+ test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+ test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+ { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+ case $host_os in
+ darwin*)
+ if test -n "$STRIP" ; then
+ striplib="$STRIP -x"
+ { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+ else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+ ;;
+ *)
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+ ;;
+ esac
+fi
+
+if test "x$enable_dlopen" != xyes; then
+ enable_dlopen=unknown
+ enable_dlopen_self=unknown
+ enable_dlopen_self_static=unknown
+else
+ lt_cv_dlopen=no
+ lt_cv_dlopen_libs=
+
+ case $host_os in
+ beos*)
+ lt_cv_dlopen="load_add_on"
+ lt_cv_dlopen_libs=
+ lt_cv_dlopen_self=yes
+ ;;
+
+ mingw* | pw32*)
+ lt_cv_dlopen="LoadLibrary"
+ lt_cv_dlopen_libs=
+ ;;
+
+ cygwin*)
+ lt_cv_dlopen="dlopen"
+ lt_cv_dlopen_libs=
+ ;;
+
+ darwin*)
+ # if libdl is installed we need to link against it
+ { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_lib_dl_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_dl_dlopen=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
+if test $ac_cv_lib_dl_dlopen = yes; then
+ lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
+else
+
+ lt_cv_dlopen="dyld"
+ lt_cv_dlopen_libs=
+ lt_cv_dlopen_self=yes
+
+fi
+
+ ;;
+
+ *)
+ { echo "$as_me:$LINENO: checking for shl_load" >&5
+echo $ECHO_N "checking for shl_load... $ECHO_C" >&6; }
+if test "${ac_cv_func_shl_load+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define shl_load innocuous_shl_load
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char shl_load (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef shl_load
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char shl_load ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined __stub_shl_load || defined __stub___shl_load
+choke me
+#endif
+
+int
+main ()
+{
+return shl_load ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_func_shl_load=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_func_shl_load=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
+echo "${ECHO_T}$ac_cv_func_shl_load" >&6; }
+if test $ac_cv_func_shl_load = yes; then
+ lt_cv_dlopen="shl_load"
+else
+ { echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
+echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6; }
+if test "${ac_cv_lib_dld_shl_load+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char shl_load ();
+int
+main ()
+{
+return shl_load ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_lib_dld_shl_load=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_dld_shl_load=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6; }
+if test $ac_cv_lib_dld_shl_load = yes; then
+ lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"
+else
+ { echo "$as_me:$LINENO: checking for dlopen" >&5
+echo $ECHO_N "checking for dlopen... $ECHO_C" >&6; }
+if test "${ac_cv_func_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define dlopen to an innocuous variant, in case <limits.h> declares dlopen.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define dlopen innocuous_dlopen
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char dlopen (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef dlopen
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined __stub_dlopen || defined __stub___dlopen
+choke me
+#endif
+
+int
+main ()
+{
+return dlopen ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_func_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_func_dlopen=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
+echo "${ECHO_T}$ac_cv_func_dlopen" >&6; }
+if test $ac_cv_func_dlopen = yes; then
+ lt_cv_dlopen="dlopen"
+else
+ { echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_lib_dl_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_dl_dlopen=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6; }
+if test $ac_cv_lib_dl_dlopen = yes; then
+ lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
+else
+ { echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
+echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6; }
+if test "${ac_cv_lib_svld_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lsvld $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dlopen ();
+int
+main ()
+{
+return dlopen ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_lib_svld_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_svld_dlopen=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6; }
+if test $ac_cv_lib_svld_dlopen = yes; then
+ lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
+else
+ { echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
+echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6; }
+if test "${ac_cv_lib_dld_dld_link+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char dld_link ();
+int
+main ()
+{
+return dld_link ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_lib_dld_dld_link=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_dld_dld_link=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6; }
+if test $ac_cv_lib_dld_dld_link = yes; then
+ lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+ ;;
+ esac
+
+ if test "x$lt_cv_dlopen" != xno; then
+ enable_dlopen=yes
+ else
+ enable_dlopen=no
+ fi
+
+ case $lt_cv_dlopen in
+ dlopen)
+ save_CPPFLAGS="$CPPFLAGS"
+ test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+
+ save_LDFLAGS="$LDFLAGS"
+ wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+
+ save_LIBS="$LIBS"
+ LIBS="$lt_cv_dlopen_libs $LIBS"
+
+ { echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
+echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6; }
+if test "${lt_cv_dlopen_self+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test "$cross_compiling" = yes; then :
+ lt_cv_dlopen_self=cross
+else
+ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+ lt_status=$lt_dlunknown
+ cat > conftest.$ac_ext <<EOF
+#line 10544 "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LT_DLGLOBAL RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+# define LT_DLGLOBAL DL_GLOBAL
+# else
+# define LT_DLGLOBAL 0
+# endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+ find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+# ifdef RTLD_LAZY
+# define LT_DLLAZY_OR_NOW RTLD_LAZY
+# else
+# ifdef DL_LAZY
+# define LT_DLLAZY_OR_NOW DL_LAZY
+# else
+# ifdef RTLD_NOW
+# define LT_DLLAZY_OR_NOW RTLD_NOW
+# else
+# ifdef DL_NOW
+# define LT_DLLAZY_OR_NOW DL_NOW
+# else
+# define LT_DLLAZY_OR_NOW 0
+# endif
+# endif
+# endif
+# endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+ void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+ int status = $lt_dlunknown;
+
+ if (self)
+ {
+ if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
+ else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ /* dlclose (self); */
+ }
+ else
+ puts (dlerror ());
+
+ exit (status);
+}
+EOF
+ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
+ (./conftest; exit; ) >&5 2>/dev/null
+ lt_status=$?
+ case x$lt_status in
+ x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
+ x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
+ x$lt_dlunknown|x*) lt_cv_dlopen_self=no ;;
+ esac
+ else :
+ # compilation failed
+ lt_cv_dlopen_self=no
+ fi
+fi
+rm -fr conftest*
+
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self" >&6; }
+
+ if test "x$lt_cv_dlopen_self" = xyes; then
+ wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
+ { echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
+echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6; }
+if test "${lt_cv_dlopen_self_static+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test "$cross_compiling" = yes; then :
+ lt_cv_dlopen_self_static=cross
+else
+ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+ lt_status=$lt_dlunknown
+ cat > conftest.$ac_ext <<EOF
+#line 10644 "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LT_DLGLOBAL RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+# define LT_DLGLOBAL DL_GLOBAL
+# else
+# define LT_DLGLOBAL 0
+# endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+ find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+# ifdef RTLD_LAZY
+# define LT_DLLAZY_OR_NOW RTLD_LAZY
+# else
+# ifdef DL_LAZY
+# define LT_DLLAZY_OR_NOW DL_LAZY
+# else
+# ifdef RTLD_NOW
+# define LT_DLLAZY_OR_NOW RTLD_NOW
+# else
+# ifdef DL_NOW
+# define LT_DLLAZY_OR_NOW DL_NOW
+# else
+# define LT_DLLAZY_OR_NOW 0
+# endif
+# endif
+# endif
+# endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+ void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+ int status = $lt_dlunknown;
+
+ if (self)
+ {
+ if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
+ else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ /* dlclose (self); */
+ }
+ else
+ puts (dlerror ());
+
+ exit (status);
+}
+EOF
+ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
+ (./conftest; exit; ) >&5 2>/dev/null
+ lt_status=$?
+ case x$lt_status in
+ x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
+ x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
+ x$lt_dlunknown|x*) lt_cv_dlopen_self_static=no ;;
+ esac
+ else :
+ # compilation failed
+ lt_cv_dlopen_self_static=no
+ fi
+fi
+rm -fr conftest*
+
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6; }
+ fi
+
+ CPPFLAGS="$save_CPPFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+ LIBS="$save_LIBS"
+ ;;
+ esac
+
+ case $lt_cv_dlopen_self in
+ yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+ *) enable_dlopen_self=unknown ;;
+ esac
+
+ case $lt_cv_dlopen_self_static in
+ yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+ *) enable_dlopen_self_static=unknown ;;
+ esac
+fi
+
+
+# Report which library types will actually be built
+{ echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
+echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $can_build_shared" >&5
+echo "${ECHO_T}$can_build_shared" >&6; }
+
+{ echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
+echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case $host_os in
+aix3*)
+ test "$enable_shared" = yes && enable_static=no
+ if test -n "$RANLIB"; then
+ archive_cmds="$archive_cmds~\$RANLIB \$lib"
+ postinstall_cmds='$RANLIB $lib'
+ fi
+ ;;
+
+aix4* | aix5*)
+ if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+ test "$enable_shared" = yes && enable_static=no
+ fi
+ ;;
+esac
+{ echo "$as_me:$LINENO: result: $enable_shared" >&5
+echo "${ECHO_T}$enable_shared" >&6; }
+
+{ echo "$as_me:$LINENO: checking whether to build static libraries" >&5
+echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; }
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+{ echo "$as_me:$LINENO: result: $enable_static" >&5
+echo "${ECHO_T}$enable_static" >&6; }
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+ # See if we are running on zsh, and set the options which allow our commands through
+ # without removal of \ escapes.
+ if test -n "${ZSH_VERSION+set}" ; then
+ setopt NO_GLOB_SUBST
+ fi
+ # Now quote all the things that may contain metacharacters while being
+ # careful not to overquote the AC_SUBSTed values. We take copies of the
+ # variables and quote the copies for generation of the libtool script.
+ for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
+ SED SHELL STRIP \
+ libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+ old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+ deplibs_check_method reload_flag reload_cmds need_locks \
+ lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+ lt_cv_sys_global_symbol_to_c_name_address \
+ sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+ old_postinstall_cmds old_postuninstall_cmds \
+ compiler \
+ CC \
+ LD \
+ lt_prog_compiler_wl \
+ lt_prog_compiler_pic \
+ lt_prog_compiler_static \
+ lt_prog_compiler_no_builtin_flag \
+ export_dynamic_flag_spec \
+ thread_safe_flag_spec \
+ whole_archive_flag_spec \
+ enable_shared_with_static_runtimes \
+ old_archive_cmds \
+ old_archive_from_new_cmds \
+ predep_objects \
+ postdep_objects \
+ predeps \
+ postdeps \
+ compiler_lib_search_path \
+ archive_cmds \
+ archive_expsym_cmds \
+ postinstall_cmds \
+ postuninstall_cmds \
+ old_archive_from_expsyms_cmds \
+ allow_undefined_flag \
+ no_undefined_flag \
+ export_symbols_cmds \
+ hardcode_libdir_flag_spec \
+ hardcode_libdir_flag_spec_ld \
+ hardcode_libdir_separator \
+ hardcode_automatic \
+ module_cmds \
+ module_expsym_cmds \
+ lt_cv_prog_compiler_c_o \
+ exclude_expsyms \
+ include_expsyms; do
+
+ case $var in
+ old_archive_cmds | \
+ old_archive_from_new_cmds | \
+ archive_cmds | \
+ archive_expsym_cmds | \
+ module_cmds | \
+ module_expsym_cmds | \
+ old_archive_from_expsyms_cmds | \
+ export_symbols_cmds | \
+ extract_expsyms_cmds | reload_cmds | finish_cmds | \
+ postinstall_cmds | postuninstall_cmds | \
+ old_postinstall_cmds | old_postuninstall_cmds | \
+ sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+ # Double-quote double-evaled strings.
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+ ;;
+ *)
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+ ;;
+ esac
+ done
+
+ case $lt_echo in
+ *'\$0 --fallback-echo"')
+ lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+ ;;
+ esac
+
+cfgfile="${ofile}T"
+ trap "$rm \"$cfgfile\"; exit 1" 1 2 15
+ $rm -f "$cfgfile"
+ { echo "$as_me:$LINENO: creating $ofile" >&5
+echo "$as_me: creating $ofile" >&6;}
+
+ cat <<__EOF__ >> "$cfgfile"
+#! $SHELL
+
+# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
+# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
+# NOTE: Changes made to this file will be lost: look at ltmain.sh.
+#
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001
+# Free Software Foundation, Inc.
+#
+# This file is part of GNU Libtool:
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# A sed program that does not truncate output.
+SED=$lt_SED
+
+# Sed that helps us avoid accidentally triggering echo(1) options like -n.
+Xsed="$SED -e 1s/^X//"
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+# The names of the tagged configurations supported by this script.
+available_tags=
+
+# ### BEGIN LIBTOOL CONFIG
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
+# A language-specific compiler.
+CC=$lt_compiler
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext_cmds='$shrext_cmds'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o
+
+# Must we lock files when doing compilation?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names. First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds
+archive_expsym_cmds=$lt_archive_expsym_cmds
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds
+module_expsym_cmds=$lt_module_expsym_cmds
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$fix_srcfile_path"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms
+
+# ### END LIBTOOL CONFIG
+
+__EOF__
+
+
+ case $host_os in
+ aix3*)
+ cat <<\EOF >> "$cfgfile"
+
+# AIX sometimes has problems with the GCC collect2 program. For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test "X${COLLECT_NAMES+set}" != Xset; then
+ COLLECT_NAMES=
+ export COLLECT_NAMES
+fi
+EOF
+ ;;
+ esac
+
+ # We use sed instead of cat because bash on DJGPP gets confused if
+ # if finds mixed CR/LF and LF-only lines. Since sed operates in
+ # text mode, it properly converts lines to CR/LF. This bash problem
+ # is reportedly fixed, but why not run on old versions too?
+ sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1)
+
+ mv -f "$cfgfile" "$ofile" || \
+ (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
+ chmod +x "$ofile"
+
+else
+ # If there is no Makefile yet, we rely on a make rule to execute
+ # `config.status --recheck' to rerun these tests and create the
+ # libtool script then.
+ ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+ if test -f "$ltmain_in"; then
+ test -f Makefile && make "$ltmain"
+ fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC="$lt_save_CC"
+
+
+# Check whether --with-tags was given.
+if test "${with_tags+set}" = set; then
+ withval=$with_tags; tagnames="$withval"
+fi
+
+
+if test -f "$ltmain" && test -n "$tagnames"; then
+ if test ! -f "${ofile}"; then
+ { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not exist" >&5
+echo "$as_me: WARNING: output file \`$ofile' does not exist" >&2;}
+ fi
+
+ if test -z "$LTCC"; then
+ eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
+ if test -z "$LTCC"; then
+ { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not look like a libtool script" >&5
+echo "$as_me: WARNING: output file \`$ofile' does not look like a libtool script" >&2;}
+ else
+ { echo "$as_me:$LINENO: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&5
+echo "$as_me: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&2;}
+ fi
+ fi
+ if test -z "$LTCFLAGS"; then
+ eval "`$SHELL ${ofile} --config | grep '^LTCFLAGS='`"
+ fi
+
+ # Extract list of available tagged configurations in $ofile.
+ # Note that this assumes the entire list is on one line.
+ available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'`
+
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for tagname in $tagnames; do
+ IFS="$lt_save_ifs"
+ # Check whether tagname contains only valid characters
+ case `$echo "X$tagname" | $Xsed -e 's:[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]::g'` in
+ "") ;;
+ *) { { echo "$as_me:$LINENO: error: invalid tag name: $tagname" >&5
+echo "$as_me: error: invalid tag name: $tagname" >&2;}
+ { (exit 1); exit 1; }; }
+ ;;
+ esac
+
+ if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
+ then
+ { { echo "$as_me:$LINENO: error: tag name \"$tagname\" already exists" >&5
+echo "$as_me: error: tag name \"$tagname\" already exists" >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+
+ # Update the list of available tags.
+ if test -n "$tagname"; then
+ echo appending configuration tag \"$tagname\" to $ofile
+
+ case $tagname in
+ CXX)
+ if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
+ ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
+ (test "X$CXX" != "Xg++"))) ; then
+ ac_ext=cpp
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+
+
+
+
+archive_cmds_need_lc_CXX=no
+allow_undefined_flag_CXX=
+always_export_symbols_CXX=no
+archive_expsym_cmds_CXX=
+export_dynamic_flag_spec_CXX=
+hardcode_direct_CXX=no
+hardcode_libdir_flag_spec_CXX=
+hardcode_libdir_flag_spec_ld_CXX=
+hardcode_libdir_separator_CXX=
+hardcode_minus_L_CXX=no
+hardcode_shlibpath_var_CXX=unsupported
+hardcode_automatic_CXX=no
+module_cmds_CXX=
+module_expsym_cmds_CXX=
+link_all_deplibs_CXX=unknown
+old_archive_cmds_CXX=$old_archive_cmds
+no_undefined_flag_CXX=
+whole_archive_flag_spec_CXX=
+enable_shared_with_static_runtimes_CXX=no
+
+# Dependencies to place before and after the object being linked:
+predep_objects_CXX=
+postdep_objects_CXX=
+predeps_CXX=
+postdeps_CXX=
+compiler_lib_search_path_CXX=
+
+# Source file extension for C++ test sources.
+ac_ext=cpp
+
+# Object file extension for compiled C++ test sources.
+objext=o
+objext_CXX=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(int, char *[]) { return(0); }\n'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm conftest*
+
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_LD=$LD
+lt_save_GCC=$GCC
+GCC=$GXX
+lt_save_with_gnu_ld=$with_gnu_ld
+lt_save_path_LD=$lt_cv_path_LD
+if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
+ lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
+else
+ $as_unset lt_cv_prog_gnu_ld
+fi
+if test -n "${lt_cv_path_LDCXX+set}"; then
+ lt_cv_path_LD=$lt_cv_path_LDCXX
+else
+ $as_unset lt_cv_path_LD
+fi
+test -z "${LDCXX+set}" || LD=$LDCXX
+CC=${CXX-"c++"}
+compiler=$CC
+compiler_CXX=$CC
+for cc_temp in $compiler""; do
+ case $cc_temp in
+ compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+ distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+ \-*) ;;
+ *) break;;
+ esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+
+# We don't want -fno-exception wen compiling C++ code, so set the
+# no_builtin_flag separately
+if test "$GXX" = yes; then
+ lt_prog_compiler_no_builtin_flag_CXX=' -fno-builtin'
+else
+ lt_prog_compiler_no_builtin_flag_CXX=
+fi
+
+if test "$GXX" = yes; then
+ # Set up default GNU C++ configuration
+
+
+# Check whether --with-gnu-ld was given.
+if test "${with_gnu_ld+set}" = set; then
+ withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes
+else
+ with_gnu_ld=no
+fi
+
+ac_prog=ld
+if test "$GCC" = yes; then
+ # Check if gcc -print-prog-name=ld gives a path.
+ { echo "$as_me:$LINENO: checking for ld used by $CC" >&5
+echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6; }
+ case $host in
+ *-*-mingw*)
+ # gcc leaves a trailing carriage return which upsets mingw
+ ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+ *)
+ ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+ esac
+ case $ac_prog in
+ # Accept absolute paths.
+ [\\/]* | ?:[\\/]*)
+ re_direlt='/[^/][^/]*/\.\./'
+ # Canonicalize the pathname of ld
+ ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
+ while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+ ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
+ done
+ test -z "$LD" && LD="$ac_prog"
+ ;;
+ "")
+ # If it fails, then pretend we aren't using GCC.
+ ac_prog=ld
+ ;;
+ *)
+ # If it is relative, then search for the first ld in PATH.
+ with_gnu_ld=unknown
+ ;;
+ esac
+elif test "$with_gnu_ld" = yes; then
+ { echo "$as_me:$LINENO: checking for GNU ld" >&5
+echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6; }
+else
+ { echo "$as_me:$LINENO: checking for non-GNU ld" >&5
+echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6; }
+fi
+if test "${lt_cv_path_LD+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -z "$LD"; then
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for ac_dir in $PATH; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+ lt_cv_path_LD="$ac_dir/$ac_prog"
+ # Check to see if the program is GNU ld. I'd rather use --version,
+ # but apparently some variants of GNU ld only accept -v.
+ # Break only if it was the GNU/non-GNU ld that we prefer.
+ case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+ *GNU* | *'with BFD'*)
+ test "$with_gnu_ld" != no && break
+ ;;
+ *)
+ test "$with_gnu_ld" != yes && break
+ ;;
+ esac
+ fi
+ done
+ IFS="$lt_save_ifs"
+else
+ lt_cv_path_LD="$LD" # Let the user override the test with a path.
+fi
+fi
+
+LD="$lt_cv_path_LD"
+if test -n "$LD"; then
+ { echo "$as_me:$LINENO: result: $LD" >&5
+echo "${ECHO_T}$LD" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
+echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
+ { (exit 1); exit 1; }; }
+{ echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
+echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6; }
+if test "${lt_cv_prog_gnu_ld+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # I'd rather use --version here, but apparently some GNU lds only accept -v.
+case `$LD -v 2>&1 </dev/null` in
+*GNU* | *'with BFD'*)
+ lt_cv_prog_gnu_ld=yes
+ ;;
+*)
+ lt_cv_prog_gnu_ld=no
+ ;;
+esac
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
+echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6; }
+with_gnu_ld=$lt_cv_prog_gnu_ld
+
+
+
+ # Check if GNU C++ uses GNU ld as the underlying linker, since the
+ # archiving commands below assume that GNU ld is being used.
+ if test "$with_gnu_ld" = yes; then
+ archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+
+ hardcode_libdir_flag_spec_CXX='${wl}--rpath ${wl}$libdir'
+ export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
+
+ # If archive_cmds runs LD, not CC, wlarc should be empty
+ # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
+ # investigate it a little bit more. (MM)
+ wlarc='${wl}'
+
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if eval "`$CC -print-prog-name=ld` --help 2>&1" | \
+ grep 'no-whole-archive' > /dev/null; then
+ whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ else
+ whole_archive_flag_spec_CXX=
+ fi
+ else
+ with_gnu_ld=no
+ wlarc=
+
+ # A generic and very simple default shared library creation
+ # command for GNU C++ for the case where it uses the native
+ # linker, instead of GNU ld. If possible, this setting should
+ # overridden to take advantage of the native linker features on
+ # the platform it is being used on.
+ archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+ fi
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+else
+ GXX=no
+ with_gnu_ld=no
+ wlarc=
+fi
+
+# PORTME: fill in a description of your system's C++ link characteristics
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
+ld_shlibs_CXX=yes
+case $host_os in
+ aix3*)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # On IA64, the linker does run time linking by default, so we don't
+ # have to do anything special.
+ aix_use_runtimelinking=no
+ exp_sym_flag='-Bexport'
+ no_entry_flag=""
+ else
+ aix_use_runtimelinking=no
+
+ # Test if we are trying to use run time linking or normal
+ # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+ # need to do runtime linking.
+ case $host_os in aix4.[23]|aix4.[23].*|aix5*)
+ for ld_flag in $LDFLAGS; do
+ case $ld_flag in
+ *-brtl*)
+ aix_use_runtimelinking=yes
+ break
+ ;;
+ esac
+ done
+ ;;
+ esac
+
+ exp_sym_flag='-bexport'
+ no_entry_flag='-bnoentry'
+ fi
+
+ # When large executables or shared objects are built, AIX ld can
+ # have problems creating the table of contents. If linking a library
+ # or program results in "error TOC overflow" add -mminimal-toc to
+ # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
+ # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+ archive_cmds_CXX=''
+ hardcode_direct_CXX=yes
+ hardcode_libdir_separator_CXX=':'
+ link_all_deplibs_CXX=yes
+
+ if test "$GXX" = yes; then
+ case $host_os in aix4.[012]|aix4.[012].*)
+ # We only want to do this on AIX 4.2 and lower, the check
+ # below for broken collect2 doesn't work under 4.3+
+ collect2name=`${CC} -print-prog-name=collect2`
+ if test -f "$collect2name" && \
+ strings "$collect2name" | grep resolve_lib_name >/dev/null
+ then
+ # We have reworked collect2
+ hardcode_direct_CXX=yes
+ else
+ # We have old collect2
+ hardcode_direct_CXX=unsupported
+ # It fails to find uninstalled libraries when the uninstalled
+ # path is not listed in the libpath. Setting hardcode_minus_L
+ # to unsupported forces relinking
+ hardcode_minus_L_CXX=yes
+ hardcode_libdir_flag_spec_CXX='-L$libdir'
+ hardcode_libdir_separator_CXX=
+ fi
+ ;;
+ esac
+ shared_flag='-shared'
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag="$shared_flag "'${wl}-G'
+ fi
+ else
+ # not using gcc
+ if test "$host_cpu" = ia64; then
+ # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+ # chokes on -Wl,-G. The following line is correct:
+ shared_flag='-G'
+ else
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag='${wl}-G'
+ else
+ shared_flag='${wl}-bM:SRE'
+ fi
+ fi
+ fi
+
+ # It seems that -bexpall does not export symbols beginning with
+ # underscore (_), so it is better to generate a list of symbols to export.
+ always_export_symbols_CXX=yes
+ if test "$aix_use_runtimelinking" = yes; then
+ # Warning - without using the other runtime loading flags (-brtl),
+ # -berok will link without error, but may produce a broken library.
+ allow_undefined_flag_CXX='-berok'
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_cxx_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath"
+
+ archive_expsym_cmds_CXX="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ else
+ if test "$host_cpu" = ia64; then
+ hardcode_libdir_flag_spec_CXX='${wl}-R $libdir:/usr/lib:/lib'
+ allow_undefined_flag_CXX="-z nodefs"
+ archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+ else
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_cxx_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath"
+ # Warning - without using the other run time loading flags,
+ # -berok will link without error, but may produce a broken library.
+ no_undefined_flag_CXX=' ${wl}-bernotok'
+ allow_undefined_flag_CXX=' ${wl}-berok'
+ # Exported symbols can be pulled into shared objects from archives
+ whole_archive_flag_spec_CXX='$convenience'
+ archive_cmds_need_lc_CXX=yes
+ # This is similar to how AIX traditionally builds its shared libraries.
+ archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+ fi
+ fi
+ ;;
+
+ beos*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ allow_undefined_flag_CXX=unsupported
+ # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+ # support --undefined. This deserves some investigation. FIXME
+ archive_cmds_CXX='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ else
+ ld_shlibs_CXX=no
+ fi
+ ;;
+
+ chorus*)
+ case $cc_basename in
+ *)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ esac
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, CXX) is actually meaningless,
+ # as there is no search path for DLLs.
+ hardcode_libdir_flag_spec_CXX='-L$libdir'
+ allow_undefined_flag_CXX=unsupported
+ always_export_symbols_CXX=no
+ enable_shared_with_static_runtimes_CXX=yes
+
+ if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+ archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ archive_expsym_cmds_CXX='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+ else
+ ld_shlibs_CXX=no
+ fi
+ ;;
+ darwin* | rhapsody*)
+ case $host_os in
+ rhapsody* | darwin1.[012])
+ allow_undefined_flag_CXX='${wl}-undefined ${wl}suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ allow_undefined_flag_CXX='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[012])
+ allow_undefined_flag_CXX='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+ ;;
+ 10.*)
+ allow_undefined_flag_CXX='${wl}-undefined ${wl}dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ archive_cmds_need_lc_CXX=no
+ hardcode_direct_CXX=no
+ hardcode_automatic_CXX=yes
+ hardcode_shlibpath_var_CXX=unsupported
+ whole_archive_flag_spec_CXX=''
+ link_all_deplibs_CXX=yes
+
+ if test "$GXX" = yes ; then
+ lt_int_apple_cc_single_mod=no
+ output_verbose_link_cmd='echo'
+ if $CC -dumpspecs 2>&1 | $EGREP 'single_module' >/dev/null ; then
+ lt_int_apple_cc_single_mod=yes
+ fi
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ archive_cmds_CXX='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ else
+ archive_cmds_CXX='$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ fi
+ module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ fi
+ module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ case $cc_basename in
+ xlc*)
+ output_verbose_link_cmd='echo'
+ archive_cmds_CXX='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
+ module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+ archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ ;;
+ *)
+ ld_shlibs_CXX=no
+ ;;
+ esac
+ fi
+ ;;
+
+ dgux*)
+ case $cc_basename in
+ ec++*)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ ghcx*)
+ # Green Hills C++ Compiler
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ esac
+ ;;
+ freebsd[12]*)
+ # C++ shared libraries reported to be fairly broken before switch to ELF
+ ld_shlibs_CXX=no
+ ;;
+ freebsd-elf*)
+ archive_cmds_need_lc_CXX=no
+ ;;
+ freebsd* | kfreebsd*-gnu | dragonfly*)
+ # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
+ # conventions
+ ld_shlibs_CXX=yes
+ ;;
+ gnu*)
+ ;;
+ hpux9*)
+ hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator_CXX=:
+ export_dynamic_flag_spec_CXX='${wl}-E'
+ hardcode_direct_CXX=yes
+ hardcode_minus_L_CXX=yes # Not in the search PATH,
+ # but as the default
+ # location of the library.
+
+ case $cc_basename in
+ CC*)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ aCC*)
+ archive_cmds_CXX='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[-]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ archive_cmds_CXX='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ else
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ fi
+ ;;
+ esac
+ ;;
+ hpux10*|hpux11*)
+ if test $with_gnu_ld = no; then
+ hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator_CXX=:
+
+ case $host_cpu in
+ hppa*64*|ia64*)
+ hardcode_libdir_flag_spec_ld_CXX='+b $libdir'
+ ;;
+ *)
+ export_dynamic_flag_spec_CXX='${wl}-E'
+ ;;
+ esac
+ fi
+ case $host_cpu in
+ hppa*64*|ia64*)
+ hardcode_direct_CXX=no
+ hardcode_shlibpath_var_CXX=no
+ ;;
+ *)
+ hardcode_direct_CXX=yes
+ hardcode_minus_L_CXX=yes # Not in the search PATH,
+ # but as the default
+ # location of the library.
+ ;;
+ esac
+
+ case $cc_basename in
+ CC*)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ aCC*)
+ case $host_cpu in
+ hppa*64*)
+ archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ ia64*)
+ archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ *)
+ archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ esac
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ if test $with_gnu_ld = no; then
+ case $host_cpu in
+ hppa*64*)
+ archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ ia64*)
+ archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ *)
+ archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ esac
+ fi
+ else
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ fi
+ ;;
+ esac
+ ;;
+ interix3*)
+ hardcode_direct_CXX=no
+ hardcode_shlibpath_var_CXX=no
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+ export_dynamic_flag_spec_CXX='${wl}-E'
+ # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+ # Instead, shared libraries are loaded at an image base (0x10000000 by
+ # default) and relocated if they conflict, which is a slow very memory
+ # consuming and fragmenting process. To avoid this, we pick a random,
+ # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+ # time. Moving up from 0x10000000 also allows more sbrk(2) space.
+ archive_cmds_CXX='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+ archive_expsym_cmds_CXX='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+ ;;
+ irix5* | irix6*)
+ case $cc_basename in
+ CC*)
+ # SGI C++
+ archive_cmds_CXX='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+
+ # Archives containing C++ object files must be created using
+ # "CC -ar", where "CC" is the IRIX C++ compiler. This is
+ # necessary to make sure instantiated templates are included
+ # in the archive.
+ old_archive_cmds_CXX='$CC -ar -WR,-u -o $oldlib $oldobjs'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ if test "$with_gnu_ld" = no; then
+ archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
+ fi
+ fi
+ link_all_deplibs_CXX=yes
+ ;;
+ esac
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_CXX=:
+ ;;
+ linux*)
+ case $cc_basename in
+ KCC*)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+ archive_expsym_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+
+ hardcode_libdir_flag_spec_CXX='${wl}--rpath,$libdir'
+ export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
+
+ # Archives containing C++ object files must be created using
+ # "CC -Bstatic", where "CC" is the KAI C++ compiler.
+ old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs'
+ ;;
+ icpc*)
+ # Intel C++
+ with_gnu_ld=yes
+ # version 8.0 and above of icpc choke on multiply defined symbols
+ # if we add $predep_objects and $postdep_objects, however 7.1 and
+ # earlier do not add the objects themselves.
+ case `$CC -V 2>&1` in
+ *"Version 7."*)
+ archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ ;;
+ *) # Version 8.0 or newer
+ tmp_idyn=
+ case $host_cpu in
+ ia64*) tmp_idyn=' -i_dynamic';;
+ esac
+ archive_cmds_CXX='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_CXX='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ ;;
+ esac
+ archive_cmds_need_lc_CXX=no
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+ export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
+ whole_archive_flag_spec_CXX='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+ ;;
+ pgCC*)
+ # Portland Group C++ compiler
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+ archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+
+ hardcode_libdir_flag_spec_CXX='${wl}--rpath ${wl}$libdir'
+ export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
+ whole_archive_flag_spec_CXX='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+ ;;
+ cxx*)
+ # Compaq C++
+ archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
+
+ runpath_var=LD_RUN_PATH
+ hardcode_libdir_flag_spec_CXX='-rpath $libdir'
+ hardcode_libdir_separator_CXX=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ esac
+ ;;
+ lynxos*)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ m88k*)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ mvs*)
+ case $cc_basename in
+ cxx*)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ esac
+ ;;
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ archive_cmds_CXX='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
+ wlarc=
+ hardcode_libdir_flag_spec_CXX='-R$libdir'
+ hardcode_direct_CXX=yes
+ hardcode_shlibpath_var_CXX=no
+ fi
+ # Workaround some broken pre-1.5 toolchains
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
+ ;;
+ openbsd2*)
+ # C++ shared libraries are fairly broken
+ ld_shlibs_CXX=no
+ ;;
+ openbsd*)
+ hardcode_direct_CXX=yes
+ hardcode_shlibpath_var_CXX=no
+ archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
+ export_dynamic_flag_spec_CXX='${wl}-E'
+ whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ fi
+ output_verbose_link_cmd='echo'
+ ;;
+ osf3*)
+ case $cc_basename in
+ KCC*)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+ hardcode_libdir_separator_CXX=:
+
+ # Archives containing C++ object files must be created using
+ # "CC -Bstatic", where "CC" is the KAI C++ compiler.
+ old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs'
+
+ ;;
+ RCC*)
+ # Rational C++ 2.4.1
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ cxx*)
+ allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_CXX=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_CXX=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+ else
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ fi
+ ;;
+ esac
+ ;;
+ osf4* | osf5*)
+ case $cc_basename in
+ KCC*)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+ hardcode_libdir_separator_CXX=:
+
+ # Archives containing C++ object files must be created using
+ # the KAI C++ compiler.
+ old_archive_cmds_CXX='$CC -o $oldlib $oldobjs'
+ ;;
+ RCC*)
+ # Rational C++ 2.4.1
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ cxx*)
+ allow_undefined_flag_CXX=' -expect_unresolved \*'
+ archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ archive_expsym_cmds_CXX='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
+ echo "-hidden">> $lib.exp~
+ $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~
+ $rm $lib.exp'
+
+ hardcode_libdir_flag_spec_CXX='-rpath $libdir'
+ hardcode_libdir_separator_CXX=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_CXX=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+ else
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ fi
+ ;;
+ esac
+ ;;
+ psos*)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ sunos4*)
+ case $cc_basename in
+ CC*)
+ # Sun C++ 4.x
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ lcc*)
+ # Lucid
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ esac
+ ;;
+ solaris*)
+ case $cc_basename in
+ CC*)
+ # Sun C++ 4.2, 5.x and Centerline C++
+ archive_cmds_need_lc_CXX=yes
+ no_undefined_flag_CXX=' -zdefs'
+ archive_cmds_CXX='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -G${allow_undefined_flag} ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ hardcode_libdir_flag_spec_CXX='-R$libdir'
+ hardcode_shlibpath_var_CXX=no
+ case $host_os in
+ solaris2.[0-5] | solaris2.[0-5].*) ;;
+ *)
+ # The C++ compiler is used as linker so we must use $wl
+ # flag to pass the commands to the underlying system
+ # linker. We must also pass each convience library through
+ # to the system linker between allextract/defaultextract.
+ # The C++ compiler will combine linker options so we
+ # cannot just pass the convience library names through
+ # without $wl.
+ # Supported since Solaris 2.6 (maybe 2.5.1?)
+ whole_archive_flag_spec_CXX='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract'
+ ;;
+ esac
+ link_all_deplibs_CXX=yes
+
+ output_verbose_link_cmd='echo'
+
+ # Archives containing C++ object files must be created using
+ # "CC -xar", where "CC" is the Sun C++ compiler. This is
+ # necessary to make sure instantiated templates are included
+ # in the archive.
+ old_archive_cmds_CXX='$CC -xar -o $oldlib $oldobjs'
+ ;;
+ gcx*)
+ # Green Hills C++ Compiler
+ archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+
+ # The C++ compiler must be used to create the archive.
+ old_archive_cmds_CXX='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
+ ;;
+ *)
+ # GNU C++ compiler with Solaris linker
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ no_undefined_flag_CXX=' ${wl}-z ${wl}defs'
+ if $CC --version | grep -v '^2\.7' > /dev/null; then
+ archive_cmds_CXX='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+ archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+ else
+ # g++ 2.7 appears to require `-G' NOT `-shared' on this
+ # platform.
+ archive_cmds_CXX='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+ archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+ fi
+
+ hardcode_libdir_flag_spec_CXX='${wl}-R $wl$libdir'
+ fi
+ ;;
+ esac
+ ;;
+ sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*)
+ no_undefined_flag_CXX='${wl}-z,text'
+ archive_cmds_need_lc_CXX=no
+ hardcode_shlibpath_var_CXX=no
+ runpath_var='LD_RUN_PATH'
+
+ case $cc_basename in
+ CC*)
+ archive_cmds_CXX='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_CXX='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ archive_cmds_CXX='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_CXX='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ ;;
+ sysv5* | sco3.2v5* | sco5v6*)
+ # Note: We can NOT use -z defs as we might desire, because we do not
+ # link with -lc, and that would cause any symbols used from libc to
+ # always be unresolved, which means just about no library would
+ # ever link correctly. If we're not using GNU ld we use -z text
+ # though, which does catch some bad symbols but isn't as heavy-handed
+ # as -z defs.
+ # For security reasons, it is highly recommended that you always
+ # use absolute paths for naming shared libraries, and exclude the
+ # DT_RUNPATH tag from executables and libraries. But doing so
+ # requires that you compile everything twice, which is a pain.
+ # So that behaviour is only enabled if SCOABSPATH is set to a
+ # non-empty value in the environment. Most likely only useful for
+ # creating official distributions of packages.
+ # This is a hack until libtool officially supports absolute path
+ # names for shared libraries.
+ no_undefined_flag_CXX='${wl}-z,text'
+ allow_undefined_flag_CXX='${wl}-z,nodefs'
+ archive_cmds_need_lc_CXX=no
+ hardcode_shlibpath_var_CXX=no
+ hardcode_libdir_flag_spec_CXX='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+ hardcode_libdir_separator_CXX=':'
+ link_all_deplibs_CXX=yes
+ export_dynamic_flag_spec_CXX='${wl}-Bexport'
+ runpath_var='LD_RUN_PATH'
+
+ case $cc_basename in
+ CC*)
+ archive_cmds_CXX='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_CXX='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ archive_cmds_CXX='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_CXX='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ ;;
+ tandem*)
+ case $cc_basename in
+ NCC*)
+ # NonStop-UX NCC 3.20
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ esac
+ ;;
+ vxworks*)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+esac
+{ echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
+echo "${ECHO_T}$ld_shlibs_CXX" >&6; }
+test "$ld_shlibs_CXX" = no && can_build_shared=no
+
+GCC_CXX="$GXX"
+LD_CXX="$LD"
+
+
+cat > conftest.$ac_ext <<EOF
+class Foo
+{
+public:
+ Foo (void) { a = 0; }
+private:
+ int a;
+};
+EOF
+
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ # Parse the compiler output and extract the necessary
+ # objects, libraries and library flags.
+
+ # Sentinel used to keep track of whether or not we are before
+ # the conftest object file.
+ pre_test_object_deps_done=no
+
+ # The `*' in the case matches for architectures that use `case' in
+ # $output_verbose_cmd can trigger glob expansion during the loop
+ # eval without this substitution.
+ output_verbose_link_cmd=`$echo "X$output_verbose_link_cmd" | $Xsed -e "$no_glob_subst"`
+
+ for p in `eval $output_verbose_link_cmd`; do
+ case $p in
+
+ -L* | -R* | -l*)
+ # Some compilers place space between "-{L,R}" and the path.
+ # Remove the space.
+ if test $p = "-L" \
+ || test $p = "-R"; then
+ prev=$p
+ continue
+ else
+ prev=
+ fi
+
+ if test "$pre_test_object_deps_done" = no; then
+ case $p in
+ -L* | -R*)
+ # Internal compiler library paths should come after those
+ # provided the user. The postdeps already come after the
+ # user supplied libs so there is no need to process them.
+ if test -z "$compiler_lib_search_path_CXX"; then
+ compiler_lib_search_path_CXX="${prev}${p}"
+ else
+ compiler_lib_search_path_CXX="${compiler_lib_search_path_CXX} ${prev}${p}"
+ fi
+ ;;
+ # The "-l" case would never come before the object being
+ # linked, so don't bother handling this case.
+ esac
+ else
+ if test -z "$postdeps_CXX"; then
+ postdeps_CXX="${prev}${p}"
+ else
+ postdeps_CXX="${postdeps_CXX} ${prev}${p}"
+ fi
+ fi
+ ;;
+
+ *.$objext)
+ # This assumes that the test object file only shows up
+ # once in the compiler output.
+ if test "$p" = "conftest.$objext"; then
+ pre_test_object_deps_done=yes
+ continue
+ fi
+
+ if test "$pre_test_object_deps_done" = no; then
+ if test -z "$predep_objects_CXX"; then
+ predep_objects_CXX="$p"
+ else
+ predep_objects_CXX="$predep_objects_CXX $p"
+ fi
+ else
+ if test -z "$postdep_objects_CXX"; then
+ postdep_objects_CXX="$p"
+ else
+ postdep_objects_CXX="$postdep_objects_CXX $p"
+ fi
+ fi
+ ;;
+
+ *) ;; # Ignore the rest.
+
+ esac
+ done
+
+ # Clean up.
+ rm -f a.out a.exe
+else
+ echo "libtool.m4: error: problem compiling CXX test program"
+fi
+
+$rm -f confest.$objext
+
+# PORTME: override above test on systems where it is broken
+case $host_os in
+interix3*)
+ # Interix 3.5 installs completely hosed .la files for C++, so rather than
+ # hack all around it, let's just trust "g++" to DTRT.
+ predep_objects_CXX=
+ postdep_objects_CXX=
+ postdeps_CXX=
+ ;;
+
+solaris*)
+ case $cc_basename in
+ CC*)
+ # Adding this requires a known-good setup of shared libraries for
+ # Sun compiler versions before 5.6, else PIC objects from an old
+ # archive will be linked into the output, leading to subtle bugs.
+ postdeps_CXX='-lCstd -lCrun'
+ ;;
+ esac
+ ;;
+esac
+
+
+case " $postdeps_CXX " in
+*" -lc "*) archive_cmds_need_lc_CXX=no ;;
+esac
+
+lt_prog_compiler_wl_CXX=
+lt_prog_compiler_pic_CXX=
+lt_prog_compiler_static_CXX=
+
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
+
+ # C++ specific cases for pic, static, wl, etc.
+ if test "$GXX" = yes; then
+ lt_prog_compiler_wl_CXX='-Wl,'
+ lt_prog_compiler_static_CXX='-static'
+
+ case $host_os in
+ aix*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static_CXX='-Bstatic'
+ fi
+ ;;
+ amigaos*)
+ # FIXME: we need at least 68020 code to build shared libraries, but
+ # adding the `-m68020' flag to GCC prevents building anything better,
+ # like `-m68040'.
+ lt_prog_compiler_pic_CXX='-m68020 -resident32 -malways-restore-a4'
+ ;;
+ beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+ # PIC is the default for these OSes.
+ ;;
+ mingw* | os2* | pw32*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ lt_prog_compiler_pic_CXX='-DDLL_EXPORT'
+ ;;
+ darwin* | rhapsody*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ lt_prog_compiler_pic_CXX='-fno-common'
+ ;;
+ *djgpp*)
+ # DJGPP does not support shared libraries at all
+ lt_prog_compiler_pic_CXX=
+ ;;
+ interix3*)
+ # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+ # Instead, we relocate shared libraries at runtime.
+ ;;
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ lt_prog_compiler_pic_CXX=-Kconform_pic
+ fi
+ ;;
+ hpux*)
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case $host_cpu in
+ hppa*64*|ia64*)
+ ;;
+ *)
+ lt_prog_compiler_pic_CXX='-fPIC'
+ ;;
+ esac
+ ;;
+ *)
+ lt_prog_compiler_pic_CXX='-fPIC'
+ ;;
+ esac
+ else
+ case $host_os in
+ aix4* | aix5*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static_CXX='-Bstatic'
+ else
+ lt_prog_compiler_static_CXX='-bnso -bI:/lib/syscalls.exp'
+ fi
+ ;;
+ chorus*)
+ case $cc_basename in
+ cxch68*)
+ # Green Hills C++ Compiler
+ # _LT_AC_TAGVAR(lt_prog_compiler_static, CXX)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
+ ;;
+ esac
+ ;;
+ darwin*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ case $cc_basename in
+ xlc*)
+ lt_prog_compiler_pic_CXX='-qnocommon'
+ lt_prog_compiler_wl_CXX='-Wl,'
+ ;;
+ esac
+ ;;
+ dgux*)
+ case $cc_basename in
+ ec++*)
+ lt_prog_compiler_pic_CXX='-KPIC'
+ ;;
+ ghcx*)
+ # Green Hills C++ Compiler
+ lt_prog_compiler_pic_CXX='-pic'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ freebsd* | kfreebsd*-gnu | dragonfly*)
+ # FreeBSD uses GNU C++
+ ;;
+ hpux9* | hpux10* | hpux11*)
+ case $cc_basename in
+ CC*)
+ lt_prog_compiler_wl_CXX='-Wl,'
+ lt_prog_compiler_static_CXX='${wl}-a ${wl}archive'
+ if test "$host_cpu" != ia64; then
+ lt_prog_compiler_pic_CXX='+Z'
+ fi
+ ;;
+ aCC*)
+ lt_prog_compiler_wl_CXX='-Wl,'
+ lt_prog_compiler_static_CXX='${wl}-a ${wl}archive'
+ case $host_cpu in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ lt_prog_compiler_pic_CXX='+Z'
+ ;;
+ esac
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ interix*)
+ # This is c89, which is MS Visual C++ (no shared libs)
+ # Anyone wants to do a port?
+ ;;
+ irix5* | irix6* | nonstopux*)
+ case $cc_basename in
+ CC*)
+ lt_prog_compiler_wl_CXX='-Wl,'
+ lt_prog_compiler_static_CXX='-non_shared'
+ # CC pic flag -KPIC is the default.
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ linux*)
+ case $cc_basename in
+ KCC*)
+ # KAI C++ Compiler
+ lt_prog_compiler_wl_CXX='--backend -Wl,'
+ lt_prog_compiler_pic_CXX='-fPIC'
+ ;;
+ icpc* | ecpc*)
+ # Intel C++
+ lt_prog_compiler_wl_CXX='-Wl,'
+ lt_prog_compiler_pic_CXX='-KPIC'
+ lt_prog_compiler_static_CXX='-static'
+ ;;
+ pgCC*)
+ # Portland Group C++ compiler.
+ lt_prog_compiler_wl_CXX='-Wl,'
+ lt_prog_compiler_pic_CXX='-fpic'
+ lt_prog_compiler_static_CXX='-Bstatic'
+ ;;
+ cxx*)
+ # Compaq C++
+ # Make sure the PIC flag is empty. It appears that all Alpha
+ # Linux and Compaq Tru64 Unix objects are PIC.
+ lt_prog_compiler_pic_CXX=
+ lt_prog_compiler_static_CXX='-non_shared'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ lynxos*)
+ ;;
+ m88k*)
+ ;;
+ mvs*)
+ case $cc_basename in
+ cxx*)
+ lt_prog_compiler_pic_CXX='-W c,exportall'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ netbsd*)
+ ;;
+ osf3* | osf4* | osf5*)
+ case $cc_basename in
+ KCC*)
+ lt_prog_compiler_wl_CXX='--backend -Wl,'
+ ;;
+ RCC*)
+ # Rational C++ 2.4.1
+ lt_prog_compiler_pic_CXX='-pic'
+ ;;
+ cxx*)
+ # Digital/Compaq C++
+ lt_prog_compiler_wl_CXX='-Wl,'
+ # Make sure the PIC flag is empty. It appears that all Alpha
+ # Linux and Compaq Tru64 Unix objects are PIC.
+ lt_prog_compiler_pic_CXX=
+ lt_prog_compiler_static_CXX='-non_shared'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ psos*)
+ ;;
+ solaris*)
+ case $cc_basename in
+ CC*)
+ # Sun C++ 4.2, 5.x and Centerline C++
+ lt_prog_compiler_pic_CXX='-KPIC'
+ lt_prog_compiler_static_CXX='-Bstatic'
+ lt_prog_compiler_wl_CXX='-Qoption ld '
+ ;;
+ gcx*)
+ # Green Hills C++ Compiler
+ lt_prog_compiler_pic_CXX='-PIC'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ sunos4*)
+ case $cc_basename in
+ CC*)
+ # Sun C++ 4.x
+ lt_prog_compiler_pic_CXX='-pic'
+ lt_prog_compiler_static_CXX='-Bstatic'
+ ;;
+ lcc*)
+ # Lucid
+ lt_prog_compiler_pic_CXX='-pic'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ tandem*)
+ case $cc_basename in
+ NCC*)
+ # NonStop-UX NCC 3.20
+ lt_prog_compiler_pic_CXX='-KPIC'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+ case $cc_basename in
+ CC*)
+ lt_prog_compiler_wl_CXX='-Wl,'
+ lt_prog_compiler_pic_CXX='-KPIC'
+ lt_prog_compiler_static_CXX='-Bstatic'
+ ;;
+ esac
+ ;;
+ vxworks*)
+ ;;
+ *)
+ lt_prog_compiler_can_build_shared_CXX=no
+ ;;
+ esac
+ fi
+
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_CXX" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_CXX" >&6; }
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$lt_prog_compiler_pic_CXX"; then
+
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works... $ECHO_C" >&6; }
+if test "${lt_prog_compiler_pic_works_CXX+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_prog_compiler_pic_works_CXX=no
+ ac_outfile=conftest.$ac_objext
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="$lt_prog_compiler_pic_CXX -DPIC"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:12980: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&5
+ echo "$as_me:12984: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings other than the usual output.
+ $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+ $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+ if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+ lt_prog_compiler_pic_works_CXX=yes
+ fi
+ fi
+ $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_CXX" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_works_CXX" >&6; }
+
+if test x"$lt_prog_compiler_pic_works_CXX" = xyes; then
+ case $lt_prog_compiler_pic_CXX in
+ "" | " "*) ;;
+ *) lt_prog_compiler_pic_CXX=" $lt_prog_compiler_pic_CXX" ;;
+ esac
+else
+ lt_prog_compiler_pic_CXX=
+ lt_prog_compiler_can_build_shared_CXX=no
+fi
+
+fi
+case $host_os in
+ # For platforms which do not support PIC, -DPIC is meaningless:
+ *djgpp*)
+ lt_prog_compiler_pic_CXX=
+ ;;
+ *)
+ lt_prog_compiler_pic_CXX="$lt_prog_compiler_pic_CXX -DPIC"
+ ;;
+esac
+
+#
+# Check to make sure the static flag actually works.
+#
+wl=$lt_prog_compiler_wl_CXX eval lt_tmp_static_flag=\"$lt_prog_compiler_static_CXX\"
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
+if test "${lt_prog_compiler_static_works_CXX+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_prog_compiler_static_works_CXX=no
+ save_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
+ printf "$lt_simple_link_test_code" > conftest.$ac_ext
+ if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+ # The linker can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test -s conftest.err; then
+ # Append any errors to the config.log.
+ cat conftest.err 1>&5
+ $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+ $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+ if diff conftest.exp conftest.er2 >/dev/null; then
+ lt_prog_compiler_static_works_CXX=yes
+ fi
+ else
+ lt_prog_compiler_static_works_CXX=yes
+ fi
+ fi
+ $rm conftest*
+ LDFLAGS="$save_LDFLAGS"
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works_CXX" >&5
+echo "${ECHO_T}$lt_prog_compiler_static_works_CXX" >&6; }
+
+if test x"$lt_prog_compiler_static_works_CXX" = xyes; then
+ :
+else
+ lt_prog_compiler_static_CXX=
+fi
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_c_o_CXX+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_prog_compiler_c_o_CXX=no
+ $rm -r conftest 2>/dev/null
+ mkdir conftest
+ cd conftest
+ mkdir out
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ lt_compiler_flag="-o out/conftest2.$ac_objext"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:13084: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>out/conftest.err)
+ ac_status=$?
+ cat out/conftest.err >&5
+ echo "$as_me:13088: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s out/conftest2.$ac_objext
+ then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+ $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+ if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+ lt_cv_prog_compiler_c_o_CXX=yes
+ fi
+ fi
+ chmod u+w . 2>&5
+ $rm conftest*
+ # SGI C++ compiler will create directory out/ii_files/ for
+ # template instantiation
+ test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+ $rm out/* && rmdir out
+ cd ..
+ rmdir conftest
+ $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_CXX" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_CXX" >&6; }
+
+
+hard_links="nottested"
+if test "$lt_cv_prog_compiler_c_o_CXX" = no && test "$need_locks" != no; then
+ # do not overwrite the value of need_locks provided by the user
+ { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
+ hard_links=yes
+ $rm conftest*
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ touch conftest.a
+ ln conftest.a conftest.b 2>&5 || hard_links=no
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
+ if test "$hard_links" = no; then
+ { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+ need_locks=warn
+ fi
+else
+ need_locks=no
+fi
+
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
+
+ export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ case $host_os in
+ aix4* | aix5*)
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+ export_symbols_cmds_CXX='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ else
+ export_symbols_cmds_CXX='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ fi
+ ;;
+ pw32*)
+ export_symbols_cmds_CXX="$ltdll_cmds"
+ ;;
+ cygwin* | mingw*)
+ export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/;/^.* __nm__/s/^.* __nm__\([^ ]*\) [^ ]*/\1 DATA/;/^I /d;/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+ ;;
+ *)
+ export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ ;;
+ esac
+
+{ echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
+echo "${ECHO_T}$ld_shlibs_CXX" >&6; }
+test "$ld_shlibs_CXX" = no && can_build_shared=no
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$archive_cmds_need_lc_CXX" in
+x|xyes)
+ # Assume -lc should be added
+ archive_cmds_need_lc_CXX=yes
+
+ if test "$enable_shared" = yes && test "$GCC" = yes; then
+ case $archive_cmds_CXX in
+ *'~'*)
+ # FIXME: we may have to deal with multi-command sequences.
+ ;;
+ '$CC '*)
+ # Test whether the compiler implicitly links with -lc since on some
+ # systems, -lgcc has to come before -lc. If gcc already passes -lc
+ # to ld, don't add -lc before -lgcc.
+ { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
+ $rm conftest*
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } 2>conftest.err; then
+ soname=conftest
+ lib=conftest
+ libobjs=conftest.$ac_objext
+ deplibs=
+ wl=$lt_prog_compiler_wl_CXX
+ pic_flag=$lt_prog_compiler_pic_CXX
+ compiler_flags=-v
+ linker_flags=-v
+ verstring=
+ output_objdir=.
+ libname=conftest
+ lt_save_allow_undefined_flag=$allow_undefined_flag_CXX
+ allow_undefined_flag_CXX=
+ if { (eval echo "$as_me:$LINENO: \"$archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
+ (eval $archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+ then
+ archive_cmds_need_lc_CXX=no
+ else
+ archive_cmds_need_lc_CXX=yes
+ fi
+ allow_undefined_flag_CXX=$lt_save_allow_undefined_flag
+ else
+ cat conftest.err 1>&5
+ fi
+ $rm conftest*
+ { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_CXX" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_CXX" >&6; }
+ ;;
+ esac
+ fi
+ ;;
+esac
+
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+ # if the path contains ";" then we assume it to be the separator
+ # otherwise default to the standard path separator (i.e. ":") - it is
+ # assumed that no part of a normal pathname contains ";" but that should
+ # okay in the real world where ";" in dirpaths is itself problematic.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+else
+ sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+ shlibpath_var=LIBPATH
+
+ # AIX 3 has no versioning support, so we append a major version to the name.
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+
+aix4* | aix5*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ hardcode_into_libs=yes
+ if test "$host_cpu" = ia64; then
+ # AIX 5 supports IA64
+ library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ else
+ # With GCC up to 2.95.x, collect2 would create an import file
+ # for dependence libraries. The import file would start with
+ # the line `#! .'. This would cause the generated library to
+ # depend on `.', always an invalid library. This was fixed in
+ # development snapshots of GCC prior to 3.0.
+ case $host_os in
+ aix4 | aix4.[01] | aix4.[01].*)
+ if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+ echo ' yes '
+ echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+ :
+ else
+ can_build_shared=no
+ fi
+ ;;
+ esac
+ # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+ # soname into executable. Probably we can add versioning support to
+ # collect2, so additional links can be useful in future.
+ if test "$aix_use_runtimelinking" = yes; then
+ # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+ # instead of lib<name>.a to let people know that these are not
+ # typical AIX shared libraries.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ else
+ # We preserve .a as extension for shared libraries through AIX4.2
+ # and later when we are not doing run time linking.
+ library_names_spec='${libname}${release}.a $libname.a'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ fi
+ shlibpath_var=LIBPATH
+ fi
+ ;;
+
+amigaos*)
+ library_names_spec='$libname.ixlibrary $libname.a'
+ # Create ${libname}_ixlibrary.a entries in /sys/libs.
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+ ;;
+
+beos*)
+ library_names_spec='${libname}${shared_ext}'
+ dynamic_linker="$host_os ld.so"
+ shlibpath_var=LIBRARY_PATH
+ ;;
+
+bsdi[45]*)
+ version_type=linux
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+ sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+ # the default ld.so.conf also contains /usr/contrib/lib and
+ # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+ # libtool to hard-code these into programs
+ ;;
+
+cygwin* | mingw* | pw32*)
+ version_type=windows
+ shrext_cmds=".dll"
+ need_version=no
+ need_lib_prefix=no
+
+ case $GCC,$host_os in
+ yes,cygwin* | yes,mingw* | yes,pw32*)
+ library_names_spec='$libname.dll.a'
+ # DLL is installed to $(libdir)/../bin by postinstall_cmds
+ postinstall_cmds='base_file=`basename \${file}`~
+ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+ dldir=$destdir/`dirname \$dlpath`~
+ test -d \$dldir || mkdir -p \$dldir~
+ $install_prog $dir/$dlname \$dldir/$dlname~
+ chmod a+x \$dldir/$dlname'
+ postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+ dlpath=$dir/\$dldll~
+ $rm \$dlpath'
+ shlibpath_overrides_runpath=yes
+
+ case $host_os in
+ cygwin*)
+ # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+ soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+ ;;
+ mingw*)
+ # MinGW DLLs use traditional 'lib' prefix
+ soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
+ # It is most probably a Windows format PATH printed by
+ # mingw gcc, but we are running on Cygwin. Gcc prints its search
+ # path with ; separators, and with drive letters. We can handle the
+ # drive letters (cygwin fileutils understands them), so leave them,
+ # especially as we might pass files found there to a mingw objdump,
+ # which wouldn't understand a cygwinified path. Ahh.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+ ;;
+ pw32*)
+ # pw32 DLLs use 'pw' prefix rather than 'lib'
+ library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ ;;
+ esac
+ ;;
+
+ linux*)
+ if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ supports_anon_versioning=no
+ case `$LD -v 2>/dev/null` in
+ *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+ *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+ *\ 2.11.*) ;; # other 2.11 versions
+ *) supports_anon_versioning=yes ;;
+ esac
+ if test $supports_anon_versioning = yes; then
+ archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
+cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+$echo "local: *; };" >> $output_objdir/$libname.ver~
+ $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+ else
+ $archive_expsym_cmds="$archive_cmds"
+ fi
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ *)
+ library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+ ;;
+ esac
+ dynamic_linker='Win32 ld.exe'
+ # FIXME: first we should search . and the directory the executable is in
+ shlibpath_var=PATH
+ ;;
+
+darwin* | rhapsody*)
+ dynamic_linker="$host_os dyld"
+ version_type=darwin
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+ soname_spec='${libname}${release}${major}$shared_ext'
+ shlibpath_overrides_runpath=yes
+ shlibpath_var=DYLD_LIBRARY_PATH
+ shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+ # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
+ if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
+ else
+ sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
+ fi
+ sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+ ;;
+
+dgux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+freebsd1*)
+ dynamic_linker=no
+ ;;
+
+kfreebsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+freebsd* | dragonfly*)
+ # DragonFly does not have aout. When/if they implement a new
+ # versioning mechanism, adjust this.
+ if test -x /usr/bin/objformat; then
+ objformat=`/usr/bin/objformat`
+ else
+ case $host_os in
+ freebsd[123]*) objformat=aout ;;
+ *) objformat=elf ;;
+ esac
+ fi
+ # Handle Gentoo/FreeBSD as it was Linux
+ case $host_vendor in
+ gentoo)
+ version_type=linux ;;
+ *)
+ version_type=freebsd-$objformat ;;
+ esac
+
+ case $version_type in
+ freebsd-elf*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ need_version=no
+ need_lib_prefix=no
+ ;;
+ freebsd-*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+ need_version=yes
+ ;;
+ linux)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ need_lib_prefix=no
+ need_version=no
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_os in
+ freebsd2*)
+ shlibpath_overrides_runpath=yes
+ ;;
+ freebsd3.[01]* | freebsdelf3.[01]*)
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
+ freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+ freebsd*) # from 4.6 on
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ esac
+ ;;
+
+gnu*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ ;;
+
+hpux9* | hpux10* | hpux11*)
+ # Give a soname corresponding to the major version so that dld.sl refuses to
+ # link against other versions.
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ case $host_cpu in
+ ia64*)
+ shrext_cmds='.so'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.so"
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ if test "X$HPUX_IA64_MODE" = X32; then
+ sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+ else
+ sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+ fi
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ hppa*64*)
+ shrext_cmds='.sl'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ *)
+ shrext_cmds='.sl'
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=SHLIB_PATH
+ shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+ esac
+ # HP-UX runs *really* slowly unless shared libraries are mode 555.
+ postinstall_cmds='chmod 555 $lib'
+ ;;
+
+interix3*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $host_os in
+ nonstopux*) version_type=nonstopux ;;
+ *)
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ version_type=linux
+ else
+ version_type=irix
+ fi ;;
+ esac
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+ case $host_os in
+ irix5* | nonstopux*)
+ libsuff= shlibsuff=
+ ;;
+ *)
+ case $LD in # libtool.m4 will add one of these switches to LD
+ *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+ libsuff= shlibsuff= libmagic=32-bit;;
+ *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+ libsuff=32 shlibsuff=N32 libmagic=N32;;
+ *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+ libsuff=64 shlibsuff=64 libmagic=64-bit;;
+ *) libsuff= shlibsuff= libmagic=never-match;;
+ esac
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+ sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+ hardcode_into_libs=yes
+ ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+ dynamic_linker=no
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ # This implies no fast_install, which is unacceptable.
+ # Some rework will be needed to allow for fast_install
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+ sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+ # powerpc, because MkLinux only supported shared libraries with the
+ # GNU dynamic linker. Since this was broken with cross compilers,
+ # most powerpc-linux boxes support dynamic linking these days and
+ # people can always --disable-shared, the test was removed, and we
+ # assume the GNU/Linux dynamic linker is in use.
+ dynamic_linker='GNU/Linux ld.so'
+ ;;
+
+knetbsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+netbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ dynamic_linker='NetBSD (a.out) ld.so'
+ else
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='NetBSD ld.elf_so'
+ fi
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+
+newsos6)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+nto-qnx*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+openbsd*)
+ version_type=sunos
+ sys_lib_dlsearch_path_spec="/usr/lib"
+ need_lib_prefix=no
+ # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+ case $host_os in
+ openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+ *) need_version=no ;;
+ esac
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ case $host_os in
+ openbsd2.[89] | openbsd2.[89].*)
+ shlibpath_overrides_runpath=no
+ ;;
+ *)
+ shlibpath_overrides_runpath=yes
+ ;;
+ esac
+ else
+ shlibpath_overrides_runpath=yes
+ fi
+ ;;
+
+os2*)
+ libname_spec='$name'
+ shrext_cmds=".dll"
+ need_lib_prefix=no
+ library_names_spec='$libname${shared_ext} $libname.a'
+ dynamic_linker='OS/2 ld.exe'
+ shlibpath_var=LIBPATH
+ ;;
+
+osf3* | osf4* | osf5*)
+ version_type=osf
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+ sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+ ;;
+
+solaris*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ # ldd complains unless libraries are executable
+ postinstall_cmds='chmod +x $lib'
+ ;;
+
+sunos4*)
+ version_type=sunos
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ if test "$with_gnu_ld" = yes; then
+ need_lib_prefix=no
+ fi
+ need_version=yes
+ ;;
+
+sysv4 | sysv4.3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_vendor in
+ sni)
+ shlibpath_overrides_runpath=no
+ need_lib_prefix=no
+ export_dynamic_flag_spec='${wl}-Blargedynsym'
+ runpath_var=LD_RUN_PATH
+ ;;
+ siemens)
+ need_lib_prefix=no
+ ;;
+ motorola)
+ need_lib_prefix=no
+ need_version=no
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+ ;;
+ esac
+ ;;
+
+sysv4*MP*)
+ if test -d /usr/nec ;then
+ version_type=linux
+ library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+ soname_spec='$libname${shared_ext}.$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ fi
+ ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+ version_type=freebsd-elf
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ if test "$with_gnu_ld" = yes; then
+ sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+ shlibpath_overrides_runpath=no
+ else
+ sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+ shlibpath_overrides_runpath=yes
+ case $host_os in
+ sco3.2v5*)
+ sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+ ;;
+ esac
+ fi
+ sys_lib_dlsearch_path_spec='/usr/lib'
+ ;;
+
+uts4*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+*)
+ dynamic_linker=no
+ ;;
+esac
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
+test "$dynamic_linker" = no && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+ variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
+hardcode_action_CXX=
+if test -n "$hardcode_libdir_flag_spec_CXX" || \
+ test -n "$runpath_var_CXX" || \
+ test "X$hardcode_automatic_CXX" = "Xyes" ; then
+
+ # We can hardcode non-existant directories.
+ if test "$hardcode_direct_CXX" != no &&
+ # If the only mechanism to avoid hardcoding is shlibpath_var, we
+ # have to relink, otherwise we might link with an installed library
+ # when we should be linking with a yet-to-be-installed one
+ ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, CXX)" != no &&
+ test "$hardcode_minus_L_CXX" != no; then
+ # Linking always hardcodes the temporary library directory.
+ hardcode_action_CXX=relink
+ else
+ # We can link without hardcoding, and we can hardcode nonexisting dirs.
+ hardcode_action_CXX=immediate
+ fi
+else
+ # We cannot hardcode anything, or else we can only hardcode existing
+ # directories.
+ hardcode_action_CXX=unsupported
+fi
+{ echo "$as_me:$LINENO: result: $hardcode_action_CXX" >&5
+echo "${ECHO_T}$hardcode_action_CXX" >&6; }
+
+if test "$hardcode_action_CXX" = relink; then
+ # Fast installation is not supported
+ enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+ test "$enable_shared" = no; then
+ # Fast installation is not necessary
+ enable_fast_install=needless
+fi
+
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+ # See if we are running on zsh, and set the options which allow our commands through
+ # without removal of \ escapes.
+ if test -n "${ZSH_VERSION+set}" ; then
+ setopt NO_GLOB_SUBST
+ fi
+ # Now quote all the things that may contain metacharacters while being
+ # careful not to overquote the AC_SUBSTed values. We take copies of the
+ # variables and quote the copies for generation of the libtool script.
+ for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
+ SED SHELL STRIP \
+ libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+ old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+ deplibs_check_method reload_flag reload_cmds need_locks \
+ lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+ lt_cv_sys_global_symbol_to_c_name_address \
+ sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+ old_postinstall_cmds old_postuninstall_cmds \
+ compiler_CXX \
+ CC_CXX \
+ LD_CXX \
+ lt_prog_compiler_wl_CXX \
+ lt_prog_compiler_pic_CXX \
+ lt_prog_compiler_static_CXX \
+ lt_prog_compiler_no_builtin_flag_CXX \
+ export_dynamic_flag_spec_CXX \
+ thread_safe_flag_spec_CXX \
+ whole_archive_flag_spec_CXX \
+ enable_shared_with_static_runtimes_CXX \
+ old_archive_cmds_CXX \
+ old_archive_from_new_cmds_CXX \
+ predep_objects_CXX \
+ postdep_objects_CXX \
+ predeps_CXX \
+ postdeps_CXX \
+ compiler_lib_search_path_CXX \
+ archive_cmds_CXX \
+ archive_expsym_cmds_CXX \
+ postinstall_cmds_CXX \
+ postuninstall_cmds_CXX \
+ old_archive_from_expsyms_cmds_CXX \
+ allow_undefined_flag_CXX \
+ no_undefined_flag_CXX \
+ export_symbols_cmds_CXX \
+ hardcode_libdir_flag_spec_CXX \
+ hardcode_libdir_flag_spec_ld_CXX \
+ hardcode_libdir_separator_CXX \
+ hardcode_automatic_CXX \
+ module_cmds_CXX \
+ module_expsym_cmds_CXX \
+ lt_cv_prog_compiler_c_o_CXX \
+ exclude_expsyms_CXX \
+ include_expsyms_CXX; do
+
+ case $var in
+ old_archive_cmds_CXX | \
+ old_archive_from_new_cmds_CXX | \
+ archive_cmds_CXX | \
+ archive_expsym_cmds_CXX | \
+ module_cmds_CXX | \
+ module_expsym_cmds_CXX | \
+ old_archive_from_expsyms_cmds_CXX | \
+ export_symbols_cmds_CXX | \
+ extract_expsyms_cmds | reload_cmds | finish_cmds | \
+ postinstall_cmds | postuninstall_cmds | \
+ old_postinstall_cmds | old_postuninstall_cmds | \
+ sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+ # Double-quote double-evaled strings.
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+ ;;
+ *)
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+ ;;
+ esac
+ done
+
+ case $lt_echo in
+ *'\$0 --fallback-echo"')
+ lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+ ;;
+ esac
+
+cfgfile="$ofile"
+
+ cat <<__EOF__ >> "$cfgfile"
+# ### BEGIN LIBTOOL TAG CONFIG: $tagname
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc_CXX
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_CXX
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
+# A language-specific compiler.
+CC=$lt_compiler_CXX
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC_CXX
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD_CXX
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl_CXX
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext_cmds='$shrext_cmds'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic_CXX
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o_CXX
+
+# Must we lock files when doing compilation?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static_CXX
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_CXX
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_CXX
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec_CXX
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec_CXX
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names. First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds_CXX
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_CXX
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_CXX
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds_CXX
+archive_expsym_cmds=$lt_archive_expsym_cmds_CXX
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds_CXX
+module_expsym_cmds=$lt_module_expsym_cmds_CXX
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects_CXX
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects_CXX
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps_CXX
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps_CXX
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path_CXX
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag_CXX
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag_CXX
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action_CXX
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_CXX
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_CXX
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator_CXX
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct_CXX
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L_CXX
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var_CXX
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic_CXX
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs_CXX
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$fix_srcfile_path_CXX"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols_CXX
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds_CXX
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms_CXX
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms_CXX
+
+# ### END LIBTOOL TAG CONFIG: $tagname
+
+__EOF__
+
+
+else
+ # If there is no Makefile yet, we rely on a make rule to execute
+ # `config.status --recheck' to rerun these tests and create the
+ # libtool script then.
+ ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+ if test -f "$ltmain_in"; then
+ test -f Makefile && make "$ltmain"
+ fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC=$lt_save_CC
+LDCXX=$LD
+LD=$lt_save_LD
+GCC=$lt_save_GCC
+with_gnu_ldcxx=$with_gnu_ld
+with_gnu_ld=$lt_save_with_gnu_ld
+lt_cv_path_LDCXX=$lt_cv_path_LD
+lt_cv_path_LD=$lt_save_path_LD
+lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
+lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
+
+ else
+ tagname=""
+ fi
+ ;;
+
+ F77)
+ if test -n "$F77" && test "X$F77" != "Xno"; then
+
+ac_ext=f
+ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
+ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_f77_compiler_gnu
+
+
+archive_cmds_need_lc_F77=no
+allow_undefined_flag_F77=
+always_export_symbols_F77=no
+archive_expsym_cmds_F77=
+export_dynamic_flag_spec_F77=
+hardcode_direct_F77=no
+hardcode_libdir_flag_spec_F77=
+hardcode_libdir_flag_spec_ld_F77=
+hardcode_libdir_separator_F77=
+hardcode_minus_L_F77=no
+hardcode_automatic_F77=no
+module_cmds_F77=
+module_expsym_cmds_F77=
+link_all_deplibs_F77=unknown
+old_archive_cmds_F77=$old_archive_cmds
+no_undefined_flag_F77=
+whole_archive_flag_spec_F77=
+enable_shared_with_static_runtimes_F77=no
+
+# Source file extension for f77 test sources.
+ac_ext=f
+
+# Object file extension for compiled f77 test sources.
+objext=o
+objext_F77=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code=" subroutine t\n return\n end\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code=" program t\n end\n"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm conftest*
+
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${F77-"f77"}
+compiler=$CC
+compiler_F77=$CC
+for cc_temp in $compiler""; do
+ case $cc_temp in
+ compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+ distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+ \-*) ;;
+ *) break;;
+ esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+
+{ echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
+echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6; }
+{ echo "$as_me:$LINENO: result: $can_build_shared" >&5
+echo "${ECHO_T}$can_build_shared" >&6; }
+
+{ echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
+echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6; }
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case $host_os in
+aix3*)
+ test "$enable_shared" = yes && enable_static=no
+ if test -n "$RANLIB"; then
+ archive_cmds="$archive_cmds~\$RANLIB \$lib"
+ postinstall_cmds='$RANLIB $lib'
+ fi
+ ;;
+aix4* | aix5*)
+ if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+ test "$enable_shared" = yes && enable_static=no
+ fi
+ ;;
+esac
+{ echo "$as_me:$LINENO: result: $enable_shared" >&5
+echo "${ECHO_T}$enable_shared" >&6; }
+
+{ echo "$as_me:$LINENO: checking whether to build static libraries" >&5
+echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6; }
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+{ echo "$as_me:$LINENO: result: $enable_static" >&5
+echo "${ECHO_T}$enable_static" >&6; }
+
+GCC_F77="$G77"
+LD_F77="$LD"
+
+lt_prog_compiler_wl_F77=
+lt_prog_compiler_pic_F77=
+lt_prog_compiler_static_F77=
+
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
+
+ if test "$GCC" = yes; then
+ lt_prog_compiler_wl_F77='-Wl,'
+ lt_prog_compiler_static_F77='-static'
+
+ case $host_os in
+ aix*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static_F77='-Bstatic'
+ fi
+ ;;
+
+ amigaos*)
+ # FIXME: we need at least 68020 code to build shared libraries, but
+ # adding the `-m68020' flag to GCC prevents building anything better,
+ # like `-m68040'.
+ lt_prog_compiler_pic_F77='-m68020 -resident32 -malways-restore-a4'
+ ;;
+
+ beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+ # PIC is the default for these OSes.
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ lt_prog_compiler_pic_F77='-DDLL_EXPORT'
+ ;;
+
+ darwin* | rhapsody*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ lt_prog_compiler_pic_F77='-fno-common'
+ ;;
+
+ interix3*)
+ # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+ # Instead, we relocate shared libraries at runtime.
+ ;;
+
+ msdosdjgpp*)
+ # Just because we use GCC doesn't mean we suddenly get shared libraries
+ # on systems that don't support them.
+ lt_prog_compiler_can_build_shared_F77=no
+ enable_shared=no
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ lt_prog_compiler_pic_F77=-Kconform_pic
+ fi
+ ;;
+
+ hpux*)
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case $host_cpu in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ lt_prog_compiler_pic_F77='-fPIC'
+ ;;
+ esac
+ ;;
+
+ *)
+ lt_prog_compiler_pic_F77='-fPIC'
+ ;;
+ esac
+ else
+ # PORTME Check for flag to pass linker flags through the system compiler.
+ case $host_os in
+ aix*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static_F77='-Bstatic'
+ else
+ lt_prog_compiler_static_F77='-bnso -bI:/lib/syscalls.exp'
+ fi
+ ;;
+ darwin*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ case $cc_basename in
+ xlc*)
+ lt_prog_compiler_pic_F77='-qnocommon'
+ lt_prog_compiler_wl_F77='-Wl,'
+ ;;
+ esac
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ lt_prog_compiler_pic_F77='-DDLL_EXPORT'
+ ;;
+
+ hpux9* | hpux10* | hpux11*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case $host_cpu in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ lt_prog_compiler_pic_F77='+Z'
+ ;;
+ esac
+ # Is there a better lt_prog_compiler_static that works with the bundled CC?
+ lt_prog_compiler_static_F77='${wl}-a ${wl}archive'
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ # PIC (with -KPIC) is the default.
+ lt_prog_compiler_static_F77='-non_shared'
+ ;;
+
+ newsos6)
+ lt_prog_compiler_pic_F77='-KPIC'
+ lt_prog_compiler_static_F77='-Bstatic'
+ ;;
+
+ linux*)
+ case $cc_basename in
+ icc* | ecc*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ lt_prog_compiler_pic_F77='-KPIC'
+ lt_prog_compiler_static_F77='-static'
+ ;;
+ pgcc* | pgf77* | pgf90* | pgf95*)
+ # Portland Group compilers (*not* the Pentium gcc compiler,
+ # which looks to be a dead project)
+ lt_prog_compiler_wl_F77='-Wl,'
+ lt_prog_compiler_pic_F77='-fpic'
+ lt_prog_compiler_static_F77='-Bstatic'
+ ;;
+ ccc*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ # All Alpha code is PIC.
+ lt_prog_compiler_static_F77='-non_shared'
+ ;;
+ esac
+ ;;
+
+ osf3* | osf4* | osf5*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ # All OSF/1 code is PIC.
+ lt_prog_compiler_static_F77='-non_shared'
+ ;;
+
+ solaris*)
+ lt_prog_compiler_pic_F77='-KPIC'
+ lt_prog_compiler_static_F77='-Bstatic'
+ case $cc_basename in
+ f77* | f90* | f95*)
+ lt_prog_compiler_wl_F77='-Qoption ld ';;
+ *)
+ lt_prog_compiler_wl_F77='-Wl,';;
+ esac
+ ;;
+
+ sunos4*)
+ lt_prog_compiler_wl_F77='-Qoption ld '
+ lt_prog_compiler_pic_F77='-PIC'
+ lt_prog_compiler_static_F77='-Bstatic'
+ ;;
+
+ sysv4 | sysv4.2uw2* | sysv4.3*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ lt_prog_compiler_pic_F77='-KPIC'
+ lt_prog_compiler_static_F77='-Bstatic'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec ;then
+ lt_prog_compiler_pic_F77='-Kconform_pic'
+ lt_prog_compiler_static_F77='-Bstatic'
+ fi
+ ;;
+
+ sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ lt_prog_compiler_pic_F77='-KPIC'
+ lt_prog_compiler_static_F77='-Bstatic'
+ ;;
+
+ unicos*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ lt_prog_compiler_can_build_shared_F77=no
+ ;;
+
+ uts4*)
+ lt_prog_compiler_pic_F77='-pic'
+ lt_prog_compiler_static_F77='-Bstatic'
+ ;;
+
+ *)
+ lt_prog_compiler_can_build_shared_F77=no
+ ;;
+ esac
+ fi
+
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_F77" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_F77" >&6; }
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$lt_prog_compiler_pic_F77"; then
+
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works... $ECHO_C" >&6; }
+if test "${lt_prog_compiler_pic_works_F77+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_prog_compiler_pic_works_F77=no
+ ac_outfile=conftest.$ac_objext
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="$lt_prog_compiler_pic_F77"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:14691: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&5
+ echo "$as_me:14695: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings other than the usual output.
+ $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+ $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+ if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+ lt_prog_compiler_pic_works_F77=yes
+ fi
+ fi
+ $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_F77" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_works_F77" >&6; }
+
+if test x"$lt_prog_compiler_pic_works_F77" = xyes; then
+ case $lt_prog_compiler_pic_F77 in
+ "" | " "*) ;;
+ *) lt_prog_compiler_pic_F77=" $lt_prog_compiler_pic_F77" ;;
+ esac
+else
+ lt_prog_compiler_pic_F77=
+ lt_prog_compiler_can_build_shared_F77=no
+fi
+
+fi
+case $host_os in
+ # For platforms which do not support PIC, -DPIC is meaningless:
+ *djgpp*)
+ lt_prog_compiler_pic_F77=
+ ;;
+ *)
+ lt_prog_compiler_pic_F77="$lt_prog_compiler_pic_F77"
+ ;;
+esac
+
+#
+# Check to make sure the static flag actually works.
+#
+wl=$lt_prog_compiler_wl_F77 eval lt_tmp_static_flag=\"$lt_prog_compiler_static_F77\"
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
+if test "${lt_prog_compiler_static_works_F77+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_prog_compiler_static_works_F77=no
+ save_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
+ printf "$lt_simple_link_test_code" > conftest.$ac_ext
+ if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+ # The linker can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test -s conftest.err; then
+ # Append any errors to the config.log.
+ cat conftest.err 1>&5
+ $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+ $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+ if diff conftest.exp conftest.er2 >/dev/null; then
+ lt_prog_compiler_static_works_F77=yes
+ fi
+ else
+ lt_prog_compiler_static_works_F77=yes
+ fi
+ fi
+ $rm conftest*
+ LDFLAGS="$save_LDFLAGS"
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works_F77" >&5
+echo "${ECHO_T}$lt_prog_compiler_static_works_F77" >&6; }
+
+if test x"$lt_prog_compiler_static_works_F77" = xyes; then
+ :
+else
+ lt_prog_compiler_static_F77=
+fi
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_c_o_F77+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_prog_compiler_c_o_F77=no
+ $rm -r conftest 2>/dev/null
+ mkdir conftest
+ cd conftest
+ mkdir out
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ lt_compiler_flag="-o out/conftest2.$ac_objext"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:14795: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>out/conftest.err)
+ ac_status=$?
+ cat out/conftest.err >&5
+ echo "$as_me:14799: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s out/conftest2.$ac_objext
+ then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+ $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+ if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+ lt_cv_prog_compiler_c_o_F77=yes
+ fi
+ fi
+ chmod u+w . 2>&5
+ $rm conftest*
+ # SGI C++ compiler will create directory out/ii_files/ for
+ # template instantiation
+ test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+ $rm out/* && rmdir out
+ cd ..
+ rmdir conftest
+ $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_F77" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_F77" >&6; }
+
+
+hard_links="nottested"
+if test "$lt_cv_prog_compiler_c_o_F77" = no && test "$need_locks" != no; then
+ # do not overwrite the value of need_locks provided by the user
+ { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
+ hard_links=yes
+ $rm conftest*
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ touch conftest.a
+ ln conftest.a conftest.b 2>&5 || hard_links=no
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
+ if test "$hard_links" = no; then
+ { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+ need_locks=warn
+ fi
+else
+ need_locks=no
+fi
+
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
+
+ runpath_var=
+ allow_undefined_flag_F77=
+ enable_shared_with_static_runtimes_F77=no
+ archive_cmds_F77=
+ archive_expsym_cmds_F77=
+ old_archive_From_new_cmds_F77=
+ old_archive_from_expsyms_cmds_F77=
+ export_dynamic_flag_spec_F77=
+ whole_archive_flag_spec_F77=
+ thread_safe_flag_spec_F77=
+ hardcode_libdir_flag_spec_F77=
+ hardcode_libdir_flag_spec_ld_F77=
+ hardcode_libdir_separator_F77=
+ hardcode_direct_F77=no
+ hardcode_minus_L_F77=no
+ hardcode_shlibpath_var_F77=unsupported
+ link_all_deplibs_F77=unknown
+ hardcode_automatic_F77=no
+ module_cmds_F77=
+ module_expsym_cmds_F77=
+ always_export_symbols_F77=no
+ export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ # include_expsyms should be a list of space-separated symbols to be *always*
+ # included in the symbol list
+ include_expsyms_F77=
+ # exclude_expsyms can be an extended regexp of symbols to exclude
+ # it will be wrapped by ` (' and `)$', so one must not match beginning or
+ # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+ # as well as any symbol that contains `d'.
+ exclude_expsyms_F77="_GLOBAL_OFFSET_TABLE_"
+ # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+ # platforms (ab)use it in PIC code, but their linkers get confused if
+ # the symbol is explicitly referenced. Since portable code cannot
+ # rely on this symbol name, it's probably fine to never include it in
+ # preloaded symbol tables.
+ extract_expsyms_cmds=
+ # Just being paranoid about ensuring that cc_basename is set.
+ for cc_temp in $compiler""; do
+ case $cc_temp in
+ compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+ distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+ \-*) ;;
+ *) break;;
+ esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+ case $host_os in
+ cygwin* | mingw* | pw32*)
+ # FIXME: the MSVC++ port hasn't been tested in a loooong time
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ if test "$GCC" != yes; then
+ with_gnu_ld=no
+ fi
+ ;;
+ interix*)
+ # we just hope/assume this is gcc and not c89 (= MSVC++)
+ with_gnu_ld=yes
+ ;;
+ openbsd*)
+ with_gnu_ld=no
+ ;;
+ esac
+
+ ld_shlibs_F77=yes
+ if test "$with_gnu_ld" = yes; then
+ # If archive_cmds runs LD, not CC, wlarc should be empty
+ wlarc='${wl}'
+
+ # Set some defaults for GNU ld with shared library support. These
+ # are reset later if shared libraries are not supported. Putting them
+ # here allows them to be overridden if necessary.
+ runpath_var=LD_RUN_PATH
+ hardcode_libdir_flag_spec_F77='${wl}--rpath ${wl}$libdir'
+ export_dynamic_flag_spec_F77='${wl}--export-dynamic'
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+ whole_archive_flag_spec_F77="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ else
+ whole_archive_flag_spec_F77=
+ fi
+ supports_anon_versioning=no
+ case `$LD -v 2>/dev/null` in
+ *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+ *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+ *\ 2.11.*) ;; # other 2.11 versions
+ *) supports_anon_versioning=yes ;;
+ esac
+
+ # See if GNU ld supports shared libraries.
+ case $host_os in
+ aix3* | aix4* | aix5*)
+ # On AIX/PPC, the GNU linker is very broken
+ if test "$host_cpu" != ia64; then
+ ld_shlibs_F77=no
+ cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support. If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+ fi
+ ;;
+
+ amigaos*)
+ archive_cmds_F77='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_minus_L_F77=yes
+
+ # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+ # that the semantics of dynamic libraries on AmigaOS, at least up
+ # to version 4, is to share data among multiple programs linked
+ # with the same dynamic library. Since this doesn't match the
+ # behavior of shared libraries on other platforms, we can't use
+ # them.
+ ld_shlibs_F77=no
+ ;;
+
+ beos*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ allow_undefined_flag_F77=unsupported
+ # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+ # support --undefined. This deserves some investigation. FIXME
+ archive_cmds_F77='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ else
+ ld_shlibs_F77=no
+ fi
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, F77) is actually meaningless,
+ # as there is no search path for DLLs.
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ allow_undefined_flag_F77=unsupported
+ always_export_symbols_F77=no
+ enable_shared_with_static_runtimes_F77=yes
+ export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+
+ if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+ archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ archive_expsym_cmds_F77='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+ else
+ ld_shlibs_F77=no
+ fi
+ ;;
+
+ interix3*)
+ hardcode_direct_F77=no
+ hardcode_shlibpath_var_F77=no
+ hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
+ export_dynamic_flag_spec_F77='${wl}-E'
+ # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+ # Instead, shared libraries are loaded at an image base (0x10000000 by
+ # default) and relocated if they conflict, which is a slow very memory
+ # consuming and fragmenting process. To avoid this, we pick a random,
+ # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+ # time. Moving up from 0x10000000 also allows more sbrk(2) space.
+ archive_cmds_F77='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+ archive_expsym_cmds_F77='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+ ;;
+
+ linux*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ tmp_addflag=
+ case $cc_basename,$host_cpu in
+ pgcc*) # Portland Group C compiler
+ whole_archive_flag_spec_F77='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+ tmp_addflag=' $pic_flag'
+ ;;
+ pgf77* | pgf90* | pgf95*) # Portland Group f77 and f90 compilers
+ whole_archive_flag_spec_F77='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+ tmp_addflag=' $pic_flag -Mnomain' ;;
+ ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64
+ tmp_addflag=' -i_dynamic' ;;
+ efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64
+ tmp_addflag=' -i_dynamic -nofor_main' ;;
+ ifc* | ifort*) # Intel Fortran compiler
+ tmp_addflag=' -nofor_main' ;;
+ esac
+ archive_cmds_F77='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+ if test $supports_anon_versioning = yes; then
+ archive_expsym_cmds_F77='$echo "{ global:" > $output_objdir/$libname.ver~
+ cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+ $echo "local: *; };" >> $output_objdir/$libname.ver~
+ $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+ fi
+ else
+ ld_shlibs_F77=no
+ fi
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ archive_cmds_F77='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+ wlarc=
+ else
+ archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ fi
+ ;;
+
+ solaris*)
+ if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+ ld_shlibs_F77=no
+ cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems. Therefore, libtool
+*** is disabling shared libraries support. We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer. Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+ elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ ld_shlibs_F77=no
+ fi
+ ;;
+
+ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+ case `$LD -v 2>&1` in
+ *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
+ ld_shlibs_F77=no
+ cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems. Therefore, libtool
+*** is disabling shared libraries support. We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer. Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+ ;;
+ *)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ hardcode_libdir_flag_spec_F77='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
+ archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
+ archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
+ else
+ ld_shlibs_F77=no
+ fi
+ ;;
+ esac
+ ;;
+
+ sunos4*)
+ archive_cmds_F77='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ wlarc=
+ hardcode_direct_F77=yes
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ *)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ ld_shlibs_F77=no
+ fi
+ ;;
+ esac
+
+ if test "$ld_shlibs_F77" = no; then
+ runpath_var=
+ hardcode_libdir_flag_spec_F77=
+ export_dynamic_flag_spec_F77=
+ whole_archive_flag_spec_F77=
+ fi
+ else
+ # PORTME fill in a description of your system's linker (not GNU ld)
+ case $host_os in
+ aix3*)
+ allow_undefined_flag_F77=unsupported
+ always_export_symbols_F77=yes
+ archive_expsym_cmds_F77='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+ # Note: this linker hardcodes the directories in LIBPATH if there
+ # are no directories specified by -L.
+ hardcode_minus_L_F77=yes
+ if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
+ # Neither direct hardcoding nor static linking is supported with a
+ # broken collect2.
+ hardcode_direct_F77=unsupported
+ fi
+ ;;
+
+ aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # On IA64, the linker does run time linking by default, so we don't
+ # have to do anything special.
+ aix_use_runtimelinking=no
+ exp_sym_flag='-Bexport'
+ no_entry_flag=""
+ else
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+ export_symbols_cmds_F77='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ else
+ export_symbols_cmds_F77='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ fi
+ aix_use_runtimelinking=no
+
+ # Test if we are trying to use run time linking or normal
+ # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+ # need to do runtime linking.
+ case $host_os in aix4.[23]|aix4.[23].*|aix5*)
+ for ld_flag in $LDFLAGS; do
+ if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+ aix_use_runtimelinking=yes
+ break
+ fi
+ done
+ ;;
+ esac
+
+ exp_sym_flag='-bexport'
+ no_entry_flag='-bnoentry'
+ fi
+
+ # When large executables or shared objects are built, AIX ld can
+ # have problems creating the table of contents. If linking a library
+ # or program results in "error TOC overflow" add -mminimal-toc to
+ # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
+ # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+ archive_cmds_F77=''
+ hardcode_direct_F77=yes
+ hardcode_libdir_separator_F77=':'
+ link_all_deplibs_F77=yes
+
+ if test "$GCC" = yes; then
+ case $host_os in aix4.[012]|aix4.[012].*)
+ # We only want to do this on AIX 4.2 and lower, the check
+ # below for broken collect2 doesn't work under 4.3+
+ collect2name=`${CC} -print-prog-name=collect2`
+ if test -f "$collect2name" && \
+ strings "$collect2name" | grep resolve_lib_name >/dev/null
+ then
+ # We have reworked collect2
+ hardcode_direct_F77=yes
+ else
+ # We have old collect2
+ hardcode_direct_F77=unsupported
+ # It fails to find uninstalled libraries when the uninstalled
+ # path is not listed in the libpath. Setting hardcode_minus_L
+ # to unsupported forces relinking
+ hardcode_minus_L_F77=yes
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_libdir_separator_F77=
+ fi
+ ;;
+ esac
+ shared_flag='-shared'
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag="$shared_flag "'${wl}-G'
+ fi
+ else
+ # not using gcc
+ if test "$host_cpu" = ia64; then
+ # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+ # chokes on -Wl,-G. The following line is correct:
+ shared_flag='-G'
+ else
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag='${wl}-G'
+ else
+ shared_flag='${wl}-bM:SRE'
+ fi
+ fi
+ fi
+
+ # It seems that -bexpall does not export symbols beginning with
+ # underscore (_), so it is better to generate a list of symbols to export.
+ always_export_symbols_F77=yes
+ if test "$aix_use_runtimelinking" = yes; then
+ # Warning - without using the other runtime loading flags (-brtl),
+ # -berok will link without error, but may produce a broken library.
+ allow_undefined_flag_F77='-berok'
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+ program main
+
+ end
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_f77_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath"
+ archive_expsym_cmds_F77="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ else
+ if test "$host_cpu" = ia64; then
+ hardcode_libdir_flag_spec_F77='${wl}-R $libdir:/usr/lib:/lib'
+ allow_undefined_flag_F77="-z nodefs"
+ archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+ else
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+ program main
+
+ end
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_f77_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath"
+ # Warning - without using the other run time loading flags,
+ # -berok will link without error, but may produce a broken library.
+ no_undefined_flag_F77=' ${wl}-bernotok'
+ allow_undefined_flag_F77=' ${wl}-berok'
+ # Exported symbols can be pulled into shared objects from archives
+ whole_archive_flag_spec_F77='$convenience'
+ archive_cmds_need_lc_F77=yes
+ # This is similar to how AIX traditionally builds its shared libraries.
+ archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+ fi
+ fi
+ ;;
+
+ amigaos*)
+ archive_cmds_F77='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_minus_L_F77=yes
+ # see comment about different semantics on the GNU ld section
+ ld_shlibs_F77=no
+ ;;
+
+ bsdi[45]*)
+ export_dynamic_flag_spec_F77=-rdynamic
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ # hardcode_libdir_flag_spec is actually meaningless, as there is
+ # no search path for DLLs.
+ hardcode_libdir_flag_spec_F77=' '
+ allow_undefined_flag_F77=unsupported
+ # Tell ltmain to make .lib files, not .a files.
+ libext=lib
+ # Tell ltmain to make .dll files, not .so files.
+ shrext_cmds=".dll"
+ # FIXME: Setting linknames here is a bad hack.
+ archive_cmds_F77='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
+ # The linker will automatically build a .lib file if we build a DLL.
+ old_archive_From_new_cmds_F77='true'
+ # FIXME: Should let the user specify the lib program.
+ old_archive_cmds_F77='lib /OUT:$oldlib$oldobjs$old_deplibs'
+ fix_srcfile_path_F77='`cygpath -w "$srcfile"`'
+ enable_shared_with_static_runtimes_F77=yes
+ ;;
+
+ darwin* | rhapsody*)
+ case $host_os in
+ rhapsody* | darwin1.[012])
+ allow_undefined_flag_F77='${wl}-undefined ${wl}suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[012])
+ allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+ ;;
+ 10.*)
+ allow_undefined_flag_F77='${wl}-undefined ${wl}dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ archive_cmds_need_lc_F77=no
+ hardcode_direct_F77=no
+ hardcode_automatic_F77=yes
+ hardcode_shlibpath_var_F77=unsupported
+ whole_archive_flag_spec_F77=''
+ link_all_deplibs_F77=yes
+ if test "$GCC" = yes ; then
+ output_verbose_link_cmd='echo'
+ archive_cmds_F77='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+ archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ case $cc_basename in
+ xlc*)
+ output_verbose_link_cmd='echo'
+ archive_cmds_F77='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
+ module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+ archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ ;;
+ *)
+ ld_shlibs_F77=no
+ ;;
+ esac
+ fi
+ ;;
+
+ dgux*)
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ freebsd1*)
+ ld_shlibs_F77=no
+ ;;
+
+ # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+ # support. Future versions do this automatically, but an explicit c++rt0.o
+ # does not break anything, and helps significantly (at the cost of a little
+ # extra space).
+ freebsd2.2*)
+ archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+ hardcode_libdir_flag_spec_F77='-R$libdir'
+ hardcode_direct_F77=yes
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+ freebsd2*)
+ archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_F77=yes
+ hardcode_minus_L_F77=yes
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+ freebsd* | kfreebsd*-gnu | dragonfly*)
+ archive_cmds_F77='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec_F77='-R$libdir'
+ hardcode_direct_F77=yes
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ hpux9*)
+ if test "$GCC" = yes; then
+ archive_cmds_F77='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ else
+ archive_cmds_F77='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ fi
+ hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator_F77=:
+ hardcode_direct_F77=yes
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L_F77=yes
+ export_dynamic_flag_spec_F77='${wl}-E'
+ ;;
+
+ hpux10*)
+ if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ archive_cmds_F77='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds_F77='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+ fi
+ if test "$with_gnu_ld" = no; then
+ hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator_F77=:
+
+ hardcode_direct_F77=yes
+ export_dynamic_flag_spec_F77='${wl}-E'
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L_F77=yes
+ fi
+ ;;
+
+ hpux11*)
+ if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ case $host_cpu in
+ hppa*64*)
+ archive_cmds_F77='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ ia64*)
+ archive_cmds_F77='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ archive_cmds_F77='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ else
+ case $host_cpu in
+ hppa*64*)
+ archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ ia64*)
+ archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ archive_cmds_F77='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ fi
+ if test "$with_gnu_ld" = no; then
+ hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator_F77=:
+
+ case $host_cpu in
+ hppa*64*|ia64*)
+ hardcode_libdir_flag_spec_ld_F77='+b $libdir'
+ hardcode_direct_F77=no
+ hardcode_shlibpath_var_F77=no
+ ;;
+ *)
+ hardcode_direct_F77=yes
+ export_dynamic_flag_spec_F77='${wl}-E'
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L_F77=yes
+ ;;
+ esac
+ fi
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ if test "$GCC" = yes; then
+ archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ archive_cmds_F77='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ hardcode_libdir_flag_spec_ld_F77='-rpath $libdir'
+ fi
+ hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_F77=:
+ link_all_deplibs_F77=yes
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
+ else
+ archive_cmds_F77='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
+ fi
+ hardcode_libdir_flag_spec_F77='-R$libdir'
+ hardcode_direct_F77=yes
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ newsos6)
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_F77=yes
+ hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_F77=:
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ openbsd*)
+ hardcode_direct_F77=yes
+ hardcode_shlibpath_var_F77=no
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
+ hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
+ export_dynamic_flag_spec_F77='${wl}-E'
+ else
+ case $host_os in
+ openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
+ archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec_F77='-R$libdir'
+ ;;
+ *)
+ archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
+ ;;
+ esac
+ fi
+ ;;
+
+ os2*)
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_minus_L_F77=yes
+ allow_undefined_flag_F77=unsupported
+ archive_cmds_F77='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+ old_archive_From_new_cmds_F77='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+ ;;
+
+ osf3*)
+ if test "$GCC" = yes; then
+ allow_undefined_flag_F77=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds_F77='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ allow_undefined_flag_F77=' -expect_unresolved \*'
+ archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ fi
+ hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_F77=:
+ ;;
+
+ osf4* | osf5*) # as osf3* with the addition of -msym flag
+ if test "$GCC" = yes; then
+ allow_undefined_flag_F77=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds_F77='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
+ else
+ allow_undefined_flag_F77=' -expect_unresolved \*'
+ archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ archive_expsym_cmds_F77='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
+ $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
+
+ # Both c and cxx compiler support -rpath directly
+ hardcode_libdir_flag_spec_F77='-rpath $libdir'
+ fi
+ hardcode_libdir_separator_F77=:
+ ;;
+
+ solaris*)
+ no_undefined_flag_F77=' -z text'
+ if test "$GCC" = yes; then
+ wlarc='${wl}'
+ archive_cmds_F77='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
+ else
+ wlarc=''
+ archive_cmds_F77='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+ fi
+ hardcode_libdir_flag_spec_F77='-R$libdir'
+ hardcode_shlibpath_var_F77=no
+ case $host_os in
+ solaris2.[0-5] | solaris2.[0-5].*) ;;
+ *)
+ # The compiler driver will combine linker options so we
+ # cannot just pass the convience library names through
+ # without $wl, iff we do not link with $LD.
+ # Luckily, gcc supports the same syntax we need for Sun Studio.
+ # Supported since Solaris 2.6 (maybe 2.5.1?)
+ case $wlarc in
+ '')
+ whole_archive_flag_spec_F77='-z allextract$convenience -z defaultextract' ;;
+ *)
+ whole_archive_flag_spec_F77='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;;
+ esac ;;
+ esac
+ link_all_deplibs_F77=yes
+ ;;
+
+ sunos4*)
+ if test "x$host_vendor" = xsequent; then
+ # Use $CC to link under sequent, because it throws in some extra .o
+ # files that make .init and .fini sections work.
+ archive_cmds_F77='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds_F77='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+ fi
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_direct_F77=yes
+ hardcode_minus_L_F77=yes
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ sysv4)
+ case $host_vendor in
+ sni)
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_F77=yes # is this really true???
+ ;;
+ siemens)
+ ## LD is ld it makes a PLAMLIB
+ ## CC just makes a GrossModule.
+ archive_cmds_F77='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+ reload_cmds_F77='$CC -r -o $output$reload_objs'
+ hardcode_direct_F77=no
+ ;;
+ motorola)
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_F77=no #Motorola manual says yes, but my tests say they lie
+ ;;
+ esac
+ runpath_var='LD_RUN_PATH'
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ sysv4.3*)
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var_F77=no
+ export_dynamic_flag_spec_F77='-Bexport'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var_F77=no
+ runpath_var=LD_RUN_PATH
+ hardcode_runpath_var=yes
+ ld_shlibs_F77=yes
+ fi
+ ;;
+
+ sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*)
+ no_undefined_flag_F77='${wl}-z,text'
+ archive_cmds_need_lc_F77=no
+ hardcode_shlibpath_var_F77=no
+ runpath_var='LD_RUN_PATH'
+
+ if test "$GCC" = yes; then
+ archive_cmds_F77='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_F77='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds_F77='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_F77='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ fi
+ ;;
+
+ sysv5* | sco3.2v5* | sco5v6*)
+ # Note: We can NOT use -z defs as we might desire, because we do not
+ # link with -lc, and that would cause any symbols used from libc to
+ # always be unresolved, which means just about no library would
+ # ever link correctly. If we're not using GNU ld we use -z text
+ # though, which does catch some bad symbols but isn't as heavy-handed
+ # as -z defs.
+ no_undefined_flag_F77='${wl}-z,text'
+ allow_undefined_flag_F77='${wl}-z,nodefs'
+ archive_cmds_need_lc_F77=no
+ hardcode_shlibpath_var_F77=no
+ hardcode_libdir_flag_spec_F77='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+ hardcode_libdir_separator_F77=':'
+ link_all_deplibs_F77=yes
+ export_dynamic_flag_spec_F77='${wl}-Bexport'
+ runpath_var='LD_RUN_PATH'
+
+ if test "$GCC" = yes; then
+ archive_cmds_F77='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_F77='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds_F77='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_F77='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ fi
+ ;;
+
+ uts4*)
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ *)
+ ld_shlibs_F77=no
+ ;;
+ esac
+ fi
+
+{ echo "$as_me:$LINENO: result: $ld_shlibs_F77" >&5
+echo "${ECHO_T}$ld_shlibs_F77" >&6; }
+test "$ld_shlibs_F77" = no && can_build_shared=no
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$archive_cmds_need_lc_F77" in
+x|xyes)
+ # Assume -lc should be added
+ archive_cmds_need_lc_F77=yes
+
+ if test "$enable_shared" = yes && test "$GCC" = yes; then
+ case $archive_cmds_F77 in
+ *'~'*)
+ # FIXME: we may have to deal with multi-command sequences.
+ ;;
+ '$CC '*)
+ # Test whether the compiler implicitly links with -lc since on some
+ # systems, -lgcc has to come before -lc. If gcc already passes -lc
+ # to ld, don't add -lc before -lgcc.
+ { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
+ $rm conftest*
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } 2>conftest.err; then
+ soname=conftest
+ lib=conftest
+ libobjs=conftest.$ac_objext
+ deplibs=
+ wl=$lt_prog_compiler_wl_F77
+ pic_flag=$lt_prog_compiler_pic_F77
+ compiler_flags=-v
+ linker_flags=-v
+ verstring=
+ output_objdir=.
+ libname=conftest
+ lt_save_allow_undefined_flag=$allow_undefined_flag_F77
+ allow_undefined_flag_F77=
+ if { (eval echo "$as_me:$LINENO: \"$archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
+ (eval $archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+ then
+ archive_cmds_need_lc_F77=no
+ else
+ archive_cmds_need_lc_F77=yes
+ fi
+ allow_undefined_flag_F77=$lt_save_allow_undefined_flag
+ else
+ cat conftest.err 1>&5
+ fi
+ $rm conftest*
+ { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_F77" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_F77" >&6; }
+ ;;
+ esac
+ fi
+ ;;
+esac
+
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+ # if the path contains ";" then we assume it to be the separator
+ # otherwise default to the standard path separator (i.e. ":") - it is
+ # assumed that no part of a normal pathname contains ";" but that should
+ # okay in the real world where ";" in dirpaths is itself problematic.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+else
+ sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+ shlibpath_var=LIBPATH
+
+ # AIX 3 has no versioning support, so we append a major version to the name.
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+
+aix4* | aix5*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ hardcode_into_libs=yes
+ if test "$host_cpu" = ia64; then
+ # AIX 5 supports IA64
+ library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ else
+ # With GCC up to 2.95.x, collect2 would create an import file
+ # for dependence libraries. The import file would start with
+ # the line `#! .'. This would cause the generated library to
+ # depend on `.', always an invalid library. This was fixed in
+ # development snapshots of GCC prior to 3.0.
+ case $host_os in
+ aix4 | aix4.[01] | aix4.[01].*)
+ if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+ echo ' yes '
+ echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+ :
+ else
+ can_build_shared=no
+ fi
+ ;;
+ esac
+ # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+ # soname into executable. Probably we can add versioning support to
+ # collect2, so additional links can be useful in future.
+ if test "$aix_use_runtimelinking" = yes; then
+ # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+ # instead of lib<name>.a to let people know that these are not
+ # typical AIX shared libraries.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ else
+ # We preserve .a as extension for shared libraries through AIX4.2
+ # and later when we are not doing run time linking.
+ library_names_spec='${libname}${release}.a $libname.a'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ fi
+ shlibpath_var=LIBPATH
+ fi
+ ;;
+
+amigaos*)
+ library_names_spec='$libname.ixlibrary $libname.a'
+ # Create ${libname}_ixlibrary.a entries in /sys/libs.
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+ ;;
+
+beos*)
+ library_names_spec='${libname}${shared_ext}'
+ dynamic_linker="$host_os ld.so"
+ shlibpath_var=LIBRARY_PATH
+ ;;
+
+bsdi[45]*)
+ version_type=linux
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+ sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+ # the default ld.so.conf also contains /usr/contrib/lib and
+ # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+ # libtool to hard-code these into programs
+ ;;
+
+cygwin* | mingw* | pw32*)
+ version_type=windows
+ shrext_cmds=".dll"
+ need_version=no
+ need_lib_prefix=no
+
+ case $GCC,$host_os in
+ yes,cygwin* | yes,mingw* | yes,pw32*)
+ library_names_spec='$libname.dll.a'
+ # DLL is installed to $(libdir)/../bin by postinstall_cmds
+ postinstall_cmds='base_file=`basename \${file}`~
+ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+ dldir=$destdir/`dirname \$dlpath`~
+ test -d \$dldir || mkdir -p \$dldir~
+ $install_prog $dir/$dlname \$dldir/$dlname~
+ chmod a+x \$dldir/$dlname'
+ postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+ dlpath=$dir/\$dldll~
+ $rm \$dlpath'
+ shlibpath_overrides_runpath=yes
+
+ case $host_os in
+ cygwin*)
+ # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+ soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+ ;;
+ mingw*)
+ # MinGW DLLs use traditional 'lib' prefix
+ soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
+ # It is most probably a Windows format PATH printed by
+ # mingw gcc, but we are running on Cygwin. Gcc prints its search
+ # path with ; separators, and with drive letters. We can handle the
+ # drive letters (cygwin fileutils understands them), so leave them,
+ # especially as we might pass files found there to a mingw objdump,
+ # which wouldn't understand a cygwinified path. Ahh.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+ ;;
+ pw32*)
+ # pw32 DLLs use 'pw' prefix rather than 'lib'
+ library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ ;;
+ esac
+ ;;
+
+ linux*)
+ if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ supports_anon_versioning=no
+ case `$LD -v 2>/dev/null` in
+ *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+ *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+ *\ 2.11.*) ;; # other 2.11 versions
+ *) supports_anon_versioning=yes ;;
+ esac
+ if test $supports_anon_versioning = yes; then
+ archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
+cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+$echo "local: *; };" >> $output_objdir/$libname.ver~
+ $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+ else
+ $archive_expsym_cmds="$archive_cmds"
+ fi
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ *)
+ library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+ ;;
+ esac
+ dynamic_linker='Win32 ld.exe'
+ # FIXME: first we should search . and the directory the executable is in
+ shlibpath_var=PATH
+ ;;
+
+darwin* | rhapsody*)
+ dynamic_linker="$host_os dyld"
+ version_type=darwin
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+ soname_spec='${libname}${release}${major}$shared_ext'
+ shlibpath_overrides_runpath=yes
+ shlibpath_var=DYLD_LIBRARY_PATH
+ shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+ # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
+ if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
+ else
+ sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
+ fi
+ sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+ ;;
+
+dgux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+freebsd1*)
+ dynamic_linker=no
+ ;;
+
+kfreebsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+freebsd* | dragonfly*)
+ # DragonFly does not have aout. When/if they implement a new
+ # versioning mechanism, adjust this.
+ if test -x /usr/bin/objformat; then
+ objformat=`/usr/bin/objformat`
+ else
+ case $host_os in
+ freebsd[123]*) objformat=aout ;;
+ *) objformat=elf ;;
+ esac
+ fi
+ # Handle Gentoo/FreeBSD as it was Linux
+ case $host_vendor in
+ gentoo)
+ version_type=linux ;;
+ *)
+ version_type=freebsd-$objformat ;;
+ esac
+
+ case $version_type in
+ freebsd-elf*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ need_version=no
+ need_lib_prefix=no
+ ;;
+ freebsd-*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+ need_version=yes
+ ;;
+ linux)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ need_lib_prefix=no
+ need_version=no
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_os in
+ freebsd2*)
+ shlibpath_overrides_runpath=yes
+ ;;
+ freebsd3.[01]* | freebsdelf3.[01]*)
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
+ freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+ freebsd*) # from 4.6 on
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ esac
+ ;;
+
+gnu*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ ;;
+
+hpux9* | hpux10* | hpux11*)
+ # Give a soname corresponding to the major version so that dld.sl refuses to
+ # link against other versions.
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ case $host_cpu in
+ ia64*)
+ shrext_cmds='.so'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.so"
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ if test "X$HPUX_IA64_MODE" = X32; then
+ sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+ else
+ sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+ fi
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ hppa*64*)
+ shrext_cmds='.sl'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ *)
+ shrext_cmds='.sl'
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=SHLIB_PATH
+ shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+ esac
+ # HP-UX runs *really* slowly unless shared libraries are mode 555.
+ postinstall_cmds='chmod 555 $lib'
+ ;;
+
+interix3*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $host_os in
+ nonstopux*) version_type=nonstopux ;;
+ *)
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ version_type=linux
+ else
+ version_type=irix
+ fi ;;
+ esac
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+ case $host_os in
+ irix5* | nonstopux*)
+ libsuff= shlibsuff=
+ ;;
+ *)
+ case $LD in # libtool.m4 will add one of these switches to LD
+ *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+ libsuff= shlibsuff= libmagic=32-bit;;
+ *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+ libsuff=32 shlibsuff=N32 libmagic=N32;;
+ *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+ libsuff=64 shlibsuff=64 libmagic=64-bit;;
+ *) libsuff= shlibsuff= libmagic=never-match;;
+ esac
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+ sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+ hardcode_into_libs=yes
+ ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+ dynamic_linker=no
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ # This implies no fast_install, which is unacceptable.
+ # Some rework will be needed to allow for fast_install
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+ sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+ # powerpc, because MkLinux only supported shared libraries with the
+ # GNU dynamic linker. Since this was broken with cross compilers,
+ # most powerpc-linux boxes support dynamic linking these days and
+ # people can always --disable-shared, the test was removed, and we
+ # assume the GNU/Linux dynamic linker is in use.
+ dynamic_linker='GNU/Linux ld.so'
+ ;;
+
+knetbsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+netbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ dynamic_linker='NetBSD (a.out) ld.so'
+ else
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='NetBSD ld.elf_so'
+ fi
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+
+newsos6)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+nto-qnx*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+openbsd*)
+ version_type=sunos
+ sys_lib_dlsearch_path_spec="/usr/lib"
+ need_lib_prefix=no
+ # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+ case $host_os in
+ openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+ *) need_version=no ;;
+ esac
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ case $host_os in
+ openbsd2.[89] | openbsd2.[89].*)
+ shlibpath_overrides_runpath=no
+ ;;
+ *)
+ shlibpath_overrides_runpath=yes
+ ;;
+ esac
+ else
+ shlibpath_overrides_runpath=yes
+ fi
+ ;;
+
+os2*)
+ libname_spec='$name'
+ shrext_cmds=".dll"
+ need_lib_prefix=no
+ library_names_spec='$libname${shared_ext} $libname.a'
+ dynamic_linker='OS/2 ld.exe'
+ shlibpath_var=LIBPATH
+ ;;
+
+osf3* | osf4* | osf5*)
+ version_type=osf
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+ sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+ ;;
+
+solaris*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ # ldd complains unless libraries are executable
+ postinstall_cmds='chmod +x $lib'
+ ;;
+
+sunos4*)
+ version_type=sunos
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ if test "$with_gnu_ld" = yes; then
+ need_lib_prefix=no
+ fi
+ need_version=yes
+ ;;
+
+sysv4 | sysv4.3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_vendor in
+ sni)
+ shlibpath_overrides_runpath=no
+ need_lib_prefix=no
+ export_dynamic_flag_spec='${wl}-Blargedynsym'
+ runpath_var=LD_RUN_PATH
+ ;;
+ siemens)
+ need_lib_prefix=no
+ ;;
+ motorola)
+ need_lib_prefix=no
+ need_version=no
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+ ;;
+ esac
+ ;;
+
+sysv4*MP*)
+ if test -d /usr/nec ;then
+ version_type=linux
+ library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+ soname_spec='$libname${shared_ext}.$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ fi
+ ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+ version_type=freebsd-elf
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ if test "$with_gnu_ld" = yes; then
+ sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+ shlibpath_overrides_runpath=no
+ else
+ sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+ shlibpath_overrides_runpath=yes
+ case $host_os in
+ sco3.2v5*)
+ sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+ ;;
+ esac
+ fi
+ sys_lib_dlsearch_path_spec='/usr/lib'
+ ;;
+
+uts4*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+*)
+ dynamic_linker=no
+ ;;
+esac
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
+test "$dynamic_linker" = no && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+ variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
+hardcode_action_F77=
+if test -n "$hardcode_libdir_flag_spec_F77" || \
+ test -n "$runpath_var_F77" || \
+ test "X$hardcode_automatic_F77" = "Xyes" ; then
+
+ # We can hardcode non-existant directories.
+ if test "$hardcode_direct_F77" != no &&
+ # If the only mechanism to avoid hardcoding is shlibpath_var, we
+ # have to relink, otherwise we might link with an installed library
+ # when we should be linking with a yet-to-be-installed one
+ ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, F77)" != no &&
+ test "$hardcode_minus_L_F77" != no; then
+ # Linking always hardcodes the temporary library directory.
+ hardcode_action_F77=relink
+ else
+ # We can link without hardcoding, and we can hardcode nonexisting dirs.
+ hardcode_action_F77=immediate
+ fi
+else
+ # We cannot hardcode anything, or else we can only hardcode existing
+ # directories.
+ hardcode_action_F77=unsupported
+fi
+{ echo "$as_me:$LINENO: result: $hardcode_action_F77" >&5
+echo "${ECHO_T}$hardcode_action_F77" >&6; }
+
+if test "$hardcode_action_F77" = relink; then
+ # Fast installation is not supported
+ enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+ test "$enable_shared" = no; then
+ # Fast installation is not necessary
+ enable_fast_install=needless
+fi
+
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+ # See if we are running on zsh, and set the options which allow our commands through
+ # without removal of \ escapes.
+ if test -n "${ZSH_VERSION+set}" ; then
+ setopt NO_GLOB_SUBST
+ fi
+ # Now quote all the things that may contain metacharacters while being
+ # careful not to overquote the AC_SUBSTed values. We take copies of the
+ # variables and quote the copies for generation of the libtool script.
+ for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
+ SED SHELL STRIP \
+ libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+ old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+ deplibs_check_method reload_flag reload_cmds need_locks \
+ lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+ lt_cv_sys_global_symbol_to_c_name_address \
+ sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+ old_postinstall_cmds old_postuninstall_cmds \
+ compiler_F77 \
+ CC_F77 \
+ LD_F77 \
+ lt_prog_compiler_wl_F77 \
+ lt_prog_compiler_pic_F77 \
+ lt_prog_compiler_static_F77 \
+ lt_prog_compiler_no_builtin_flag_F77 \
+ export_dynamic_flag_spec_F77 \
+ thread_safe_flag_spec_F77 \
+ whole_archive_flag_spec_F77 \
+ enable_shared_with_static_runtimes_F77 \
+ old_archive_cmds_F77 \
+ old_archive_from_new_cmds_F77 \
+ predep_objects_F77 \
+ postdep_objects_F77 \
+ predeps_F77 \
+ postdeps_F77 \
+ compiler_lib_search_path_F77 \
+ archive_cmds_F77 \
+ archive_expsym_cmds_F77 \
+ postinstall_cmds_F77 \
+ postuninstall_cmds_F77 \
+ old_archive_from_expsyms_cmds_F77 \
+ allow_undefined_flag_F77 \
+ no_undefined_flag_F77 \
+ export_symbols_cmds_F77 \
+ hardcode_libdir_flag_spec_F77 \
+ hardcode_libdir_flag_spec_ld_F77 \
+ hardcode_libdir_separator_F77 \
+ hardcode_automatic_F77 \
+ module_cmds_F77 \
+ module_expsym_cmds_F77 \
+ lt_cv_prog_compiler_c_o_F77 \
+ exclude_expsyms_F77 \
+ include_expsyms_F77; do
+
+ case $var in
+ old_archive_cmds_F77 | \
+ old_archive_from_new_cmds_F77 | \
+ archive_cmds_F77 | \
+ archive_expsym_cmds_F77 | \
+ module_cmds_F77 | \
+ module_expsym_cmds_F77 | \
+ old_archive_from_expsyms_cmds_F77 | \
+ export_symbols_cmds_F77 | \
+ extract_expsyms_cmds | reload_cmds | finish_cmds | \
+ postinstall_cmds | postuninstall_cmds | \
+ old_postinstall_cmds | old_postuninstall_cmds | \
+ sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+ # Double-quote double-evaled strings.
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+ ;;
+ *)
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+ ;;
+ esac
+ done
+
+ case $lt_echo in
+ *'\$0 --fallback-echo"')
+ lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+ ;;
+ esac
+
+cfgfile="$ofile"
+
+ cat <<__EOF__ >> "$cfgfile"
+# ### BEGIN LIBTOOL TAG CONFIG: $tagname
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc_F77
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_F77
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
+# A language-specific compiler.
+CC=$lt_compiler_F77
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC_F77
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD_F77
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl_F77
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext_cmds='$shrext_cmds'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic_F77
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o_F77
+
+# Must we lock files when doing compilation?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static_F77
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_F77
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_F77
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec_F77
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec_F77
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names. First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds_F77
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_F77
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_F77
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds_F77
+archive_expsym_cmds=$lt_archive_expsym_cmds_F77
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds_F77
+module_expsym_cmds=$lt_module_expsym_cmds_F77
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects_F77
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects_F77
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps_F77
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps_F77
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path_F77
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag_F77
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag_F77
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action_F77
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_F77
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_F77
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator_F77
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct_F77
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L_F77
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var_F77
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic_F77
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs_F77
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$fix_srcfile_path_F77"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols_F77
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds_F77
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms_F77
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms_F77
+
+# ### END LIBTOOL TAG CONFIG: $tagname
+
+__EOF__
+
+
+else
+ # If there is no Makefile yet, we rely on a make rule to execute
+ # `config.status --recheck' to rerun these tests and create the
+ # libtool script then.
+ ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+ if test -f "$ltmain_in"; then
+ test -f Makefile && make "$ltmain"
+ fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC="$lt_save_CC"
+
+ else
+ tagname=""
+ fi
+ ;;
+
+ GCJ)
+ if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
+
+
+# Source file extension for Java test sources.
+ac_ext=java
+
+# Object file extension for compiled Java test sources.
+objext=o
+objext_GCJ=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="class foo {}\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }\n'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm conftest*
+
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${GCJ-"gcj"}
+compiler=$CC
+compiler_GCJ=$CC
+for cc_temp in $compiler""; do
+ case $cc_temp in
+ compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+ distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+ \-*) ;;
+ *) break;;
+ esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+
+# GCJ did not exist at the time GCC didn't implicitly link libc in.
+archive_cmds_need_lc_GCJ=no
+
+old_archive_cmds_GCJ=$old_archive_cmds
+
+
+lt_prog_compiler_no_builtin_flag_GCJ=
+
+if test "$GCC" = yes; then
+ lt_prog_compiler_no_builtin_flag_GCJ=' -fno-builtin'
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_prog_compiler_rtti_exceptions=no
+ ac_outfile=conftest.$ac_objext
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="-fno-rtti -fno-exceptions"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:17030: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&5
+ echo "$as_me:17034: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings other than the usual output.
+ $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+ $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+ if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+ lt_cv_prog_compiler_rtti_exceptions=yes
+ fi
+ fi
+ $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6; }
+
+if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
+ lt_prog_compiler_no_builtin_flag_GCJ="$lt_prog_compiler_no_builtin_flag_GCJ -fno-rtti -fno-exceptions"
+else
+ :
+fi
+
+fi
+
+lt_prog_compiler_wl_GCJ=
+lt_prog_compiler_pic_GCJ=
+lt_prog_compiler_static_GCJ=
+
+{ echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6; }
+
+ if test "$GCC" = yes; then
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ lt_prog_compiler_static_GCJ='-static'
+
+ case $host_os in
+ aix*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ fi
+ ;;
+
+ amigaos*)
+ # FIXME: we need at least 68020 code to build shared libraries, but
+ # adding the `-m68020' flag to GCC prevents building anything better,
+ # like `-m68040'.
+ lt_prog_compiler_pic_GCJ='-m68020 -resident32 -malways-restore-a4'
+ ;;
+
+ beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+ # PIC is the default for these OSes.
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ lt_prog_compiler_pic_GCJ='-DDLL_EXPORT'
+ ;;
+
+ darwin* | rhapsody*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ lt_prog_compiler_pic_GCJ='-fno-common'
+ ;;
+
+ interix3*)
+ # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+ # Instead, we relocate shared libraries at runtime.
+ ;;
+
+ msdosdjgpp*)
+ # Just because we use GCC doesn't mean we suddenly get shared libraries
+ # on systems that don't support them.
+ lt_prog_compiler_can_build_shared_GCJ=no
+ enable_shared=no
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ lt_prog_compiler_pic_GCJ=-Kconform_pic
+ fi
+ ;;
+
+ hpux*)
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case $host_cpu in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ lt_prog_compiler_pic_GCJ='-fPIC'
+ ;;
+ esac
+ ;;
+
+ *)
+ lt_prog_compiler_pic_GCJ='-fPIC'
+ ;;
+ esac
+ else
+ # PORTME Check for flag to pass linker flags through the system compiler.
+ case $host_os in
+ aix*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ else
+ lt_prog_compiler_static_GCJ='-bnso -bI:/lib/syscalls.exp'
+ fi
+ ;;
+ darwin*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ case $cc_basename in
+ xlc*)
+ lt_prog_compiler_pic_GCJ='-qnocommon'
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ ;;
+ esac
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ lt_prog_compiler_pic_GCJ='-DDLL_EXPORT'
+ ;;
+
+ hpux9* | hpux10* | hpux11*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case $host_cpu in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ lt_prog_compiler_pic_GCJ='+Z'
+ ;;
+ esac
+ # Is there a better lt_prog_compiler_static that works with the bundled CC?
+ lt_prog_compiler_static_GCJ='${wl}-a ${wl}archive'
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ # PIC (with -KPIC) is the default.
+ lt_prog_compiler_static_GCJ='-non_shared'
+ ;;
+
+ newsos6)
+ lt_prog_compiler_pic_GCJ='-KPIC'
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ ;;
+
+ linux*)
+ case $cc_basename in
+ icc* | ecc*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ lt_prog_compiler_pic_GCJ='-KPIC'
+ lt_prog_compiler_static_GCJ='-static'
+ ;;
+ pgcc* | pgf77* | pgf90* | pgf95*)
+ # Portland Group compilers (*not* the Pentium gcc compiler,
+ # which looks to be a dead project)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ lt_prog_compiler_pic_GCJ='-fpic'
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ ;;
+ ccc*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ # All Alpha code is PIC.
+ lt_prog_compiler_static_GCJ='-non_shared'
+ ;;
+ esac
+ ;;
+
+ osf3* | osf4* | osf5*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ # All OSF/1 code is PIC.
+ lt_prog_compiler_static_GCJ='-non_shared'
+ ;;
+
+ solaris*)
+ lt_prog_compiler_pic_GCJ='-KPIC'
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ case $cc_basename in
+ f77* | f90* | f95*)
+ lt_prog_compiler_wl_GCJ='-Qoption ld ';;
+ *)
+ lt_prog_compiler_wl_GCJ='-Wl,';;
+ esac
+ ;;
+
+ sunos4*)
+ lt_prog_compiler_wl_GCJ='-Qoption ld '
+ lt_prog_compiler_pic_GCJ='-PIC'
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ ;;
+
+ sysv4 | sysv4.2uw2* | sysv4.3*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ lt_prog_compiler_pic_GCJ='-KPIC'
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec ;then
+ lt_prog_compiler_pic_GCJ='-Kconform_pic'
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ fi
+ ;;
+
+ sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ lt_prog_compiler_pic_GCJ='-KPIC'
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ ;;
+
+ unicos*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ lt_prog_compiler_can_build_shared_GCJ=no
+ ;;
+
+ uts4*)
+ lt_prog_compiler_pic_GCJ='-pic'
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ ;;
+
+ *)
+ lt_prog_compiler_can_build_shared_GCJ=no
+ ;;
+ esac
+ fi
+
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_GCJ" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_GCJ" >&6; }
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$lt_prog_compiler_pic_GCJ"; then
+
+{ echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works... $ECHO_C" >&6; }
+if test "${lt_prog_compiler_pic_works_GCJ+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_prog_compiler_pic_works_GCJ=no
+ ac_outfile=conftest.$ac_objext
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="$lt_prog_compiler_pic_GCJ"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:17298: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&5
+ echo "$as_me:17302: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings other than the usual output.
+ $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+ $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+ if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
+ lt_prog_compiler_pic_works_GCJ=yes
+ fi
+ fi
+ $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_GCJ" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_works_GCJ" >&6; }
+
+if test x"$lt_prog_compiler_pic_works_GCJ" = xyes; then
+ case $lt_prog_compiler_pic_GCJ in
+ "" | " "*) ;;
+ *) lt_prog_compiler_pic_GCJ=" $lt_prog_compiler_pic_GCJ" ;;
+ esac
+else
+ lt_prog_compiler_pic_GCJ=
+ lt_prog_compiler_can_build_shared_GCJ=no
+fi
+
+fi
+case $host_os in
+ # For platforms which do not support PIC, -DPIC is meaningless:
+ *djgpp*)
+ lt_prog_compiler_pic_GCJ=
+ ;;
+ *)
+ lt_prog_compiler_pic_GCJ="$lt_prog_compiler_pic_GCJ"
+ ;;
+esac
+
+#
+# Check to make sure the static flag actually works.
+#
+wl=$lt_prog_compiler_wl_GCJ eval lt_tmp_static_flag=\"$lt_prog_compiler_static_GCJ\"
+{ echo "$as_me:$LINENO: checking if $compiler static flag $lt_tmp_static_flag works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_tmp_static_flag works... $ECHO_C" >&6; }
+if test "${lt_prog_compiler_static_works_GCJ+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_prog_compiler_static_works_GCJ=no
+ save_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $lt_tmp_static_flag"
+ printf "$lt_simple_link_test_code" > conftest.$ac_ext
+ if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+ # The linker can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test -s conftest.err; then
+ # Append any errors to the config.log.
+ cat conftest.err 1>&5
+ $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+ $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+ if diff conftest.exp conftest.er2 >/dev/null; then
+ lt_prog_compiler_static_works_GCJ=yes
+ fi
+ else
+ lt_prog_compiler_static_works_GCJ=yes
+ fi
+ fi
+ $rm conftest*
+ LDFLAGS="$save_LDFLAGS"
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works_GCJ" >&5
+echo "${ECHO_T}$lt_prog_compiler_static_works_GCJ" >&6; }
+
+if test x"$lt_prog_compiler_static_works_GCJ" = xyes; then
+ :
+else
+ lt_prog_compiler_static_GCJ=
+fi
+
+
+{ echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6; }
+if test "${lt_cv_prog_compiler_c_o_GCJ+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_prog_compiler_c_o_GCJ=no
+ $rm -r conftest 2>/dev/null
+ mkdir conftest
+ cd conftest
+ mkdir out
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ lt_compiler_flag="-o out/conftest2.$ac_objext"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:17402: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>out/conftest.err)
+ ac_status=$?
+ cat out/conftest.err >&5
+ echo "$as_me:17406: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s out/conftest2.$ac_objext
+ then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+ $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+ if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
+ lt_cv_prog_compiler_c_o_GCJ=yes
+ fi
+ fi
+ chmod u+w . 2>&5
+ $rm conftest*
+ # SGI C++ compiler will create directory out/ii_files/ for
+ # template instantiation
+ test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+ $rm out/* && rmdir out
+ cd ..
+ rmdir conftest
+ $rm conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_GCJ" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_GCJ" >&6; }
+
+
+hard_links="nottested"
+if test "$lt_cv_prog_compiler_c_o_GCJ" = no && test "$need_locks" != no; then
+ # do not overwrite the value of need_locks provided by the user
+ { echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6; }
+ hard_links=yes
+ $rm conftest*
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ touch conftest.a
+ ln conftest.a conftest.b 2>&5 || hard_links=no
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ { echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6; }
+ if test "$hard_links" = no; then
+ { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+ need_locks=warn
+ fi
+else
+ need_locks=no
+fi
+
+{ echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6; }
+
+ runpath_var=
+ allow_undefined_flag_GCJ=
+ enable_shared_with_static_runtimes_GCJ=no
+ archive_cmds_GCJ=
+ archive_expsym_cmds_GCJ=
+ old_archive_From_new_cmds_GCJ=
+ old_archive_from_expsyms_cmds_GCJ=
+ export_dynamic_flag_spec_GCJ=
+ whole_archive_flag_spec_GCJ=
+ thread_safe_flag_spec_GCJ=
+ hardcode_libdir_flag_spec_GCJ=
+ hardcode_libdir_flag_spec_ld_GCJ=
+ hardcode_libdir_separator_GCJ=
+ hardcode_direct_GCJ=no
+ hardcode_minus_L_GCJ=no
+ hardcode_shlibpath_var_GCJ=unsupported
+ link_all_deplibs_GCJ=unknown
+ hardcode_automatic_GCJ=no
+ module_cmds_GCJ=
+ module_expsym_cmds_GCJ=
+ always_export_symbols_GCJ=no
+ export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ # include_expsyms should be a list of space-separated symbols to be *always*
+ # included in the symbol list
+ include_expsyms_GCJ=
+ # exclude_expsyms can be an extended regexp of symbols to exclude
+ # it will be wrapped by ` (' and `)$', so one must not match beginning or
+ # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+ # as well as any symbol that contains `d'.
+ exclude_expsyms_GCJ="_GLOBAL_OFFSET_TABLE_"
+ # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+ # platforms (ab)use it in PIC code, but their linkers get confused if
+ # the symbol is explicitly referenced. Since portable code cannot
+ # rely on this symbol name, it's probably fine to never include it in
+ # preloaded symbol tables.
+ extract_expsyms_cmds=
+ # Just being paranoid about ensuring that cc_basename is set.
+ for cc_temp in $compiler""; do
+ case $cc_temp in
+ compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+ distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+ \-*) ;;
+ *) break;;
+ esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+ case $host_os in
+ cygwin* | mingw* | pw32*)
+ # FIXME: the MSVC++ port hasn't been tested in a loooong time
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ if test "$GCC" != yes; then
+ with_gnu_ld=no
+ fi
+ ;;
+ interix*)
+ # we just hope/assume this is gcc and not c89 (= MSVC++)
+ with_gnu_ld=yes
+ ;;
+ openbsd*)
+ with_gnu_ld=no
+ ;;
+ esac
+
+ ld_shlibs_GCJ=yes
+ if test "$with_gnu_ld" = yes; then
+ # If archive_cmds runs LD, not CC, wlarc should be empty
+ wlarc='${wl}'
+
+ # Set some defaults for GNU ld with shared library support. These
+ # are reset later if shared libraries are not supported. Putting them
+ # here allows them to be overridden if necessary.
+ runpath_var=LD_RUN_PATH
+ hardcode_libdir_flag_spec_GCJ='${wl}--rpath ${wl}$libdir'
+ export_dynamic_flag_spec_GCJ='${wl}--export-dynamic'
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+ whole_archive_flag_spec_GCJ="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ else
+ whole_archive_flag_spec_GCJ=
+ fi
+ supports_anon_versioning=no
+ case `$LD -v 2>/dev/null` in
+ *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+ *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+ *\ 2.11.*) ;; # other 2.11 versions
+ *) supports_anon_versioning=yes ;;
+ esac
+
+ # See if GNU ld supports shared libraries.
+ case $host_os in
+ aix3* | aix4* | aix5*)
+ # On AIX/PPC, the GNU linker is very broken
+ if test "$host_cpu" != ia64; then
+ ld_shlibs_GCJ=no
+ cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support. If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+ fi
+ ;;
+
+ amigaos*)
+ archive_cmds_GCJ='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_minus_L_GCJ=yes
+
+ # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+ # that the semantics of dynamic libraries on AmigaOS, at least up
+ # to version 4, is to share data among multiple programs linked
+ # with the same dynamic library. Since this doesn't match the
+ # behavior of shared libraries on other platforms, we can't use
+ # them.
+ ld_shlibs_GCJ=no
+ ;;
+
+ beos*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ allow_undefined_flag_GCJ=unsupported
+ # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+ # support --undefined. This deserves some investigation. FIXME
+ archive_cmds_GCJ='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ else
+ ld_shlibs_GCJ=no
+ fi
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, GCJ) is actually meaningless,
+ # as there is no search path for DLLs.
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ allow_undefined_flag_GCJ=unsupported
+ always_export_symbols_GCJ=no
+ enable_shared_with_static_runtimes_GCJ=yes
+ export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+
+ if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+ archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ archive_expsym_cmds_GCJ='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+ else
+ ld_shlibs_GCJ=no
+ fi
+ ;;
+
+ interix3*)
+ hardcode_direct_GCJ=no
+ hardcode_shlibpath_var_GCJ=no
+ hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
+ export_dynamic_flag_spec_GCJ='${wl}-E'
+ # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+ # Instead, shared libraries are loaded at an image base (0x10000000 by
+ # default) and relocated if they conflict, which is a slow very memory
+ # consuming and fragmenting process. To avoid this, we pick a random,
+ # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+ # time. Moving up from 0x10000000 also allows more sbrk(2) space.
+ archive_cmds_GCJ='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+ archive_expsym_cmds_GCJ='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+ ;;
+
+ linux*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ tmp_addflag=
+ case $cc_basename,$host_cpu in
+ pgcc*) # Portland Group C compiler
+ whole_archive_flag_spec_GCJ='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+ tmp_addflag=' $pic_flag'
+ ;;
+ pgf77* | pgf90* | pgf95*) # Portland Group f77 and f90 compilers
+ whole_archive_flag_spec_GCJ='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+ tmp_addflag=' $pic_flag -Mnomain' ;;
+ ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64
+ tmp_addflag=' -i_dynamic' ;;
+ efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64
+ tmp_addflag=' -i_dynamic -nofor_main' ;;
+ ifc* | ifort*) # Intel Fortran compiler
+ tmp_addflag=' -nofor_main' ;;
+ esac
+ archive_cmds_GCJ='$CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+ if test $supports_anon_versioning = yes; then
+ archive_expsym_cmds_GCJ='$echo "{ global:" > $output_objdir/$libname.ver~
+ cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+ $echo "local: *; };" >> $output_objdir/$libname.ver~
+ $CC -shared'"$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+ fi
+ else
+ ld_shlibs_GCJ=no
+ fi
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ archive_cmds_GCJ='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+ wlarc=
+ else
+ archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ fi
+ ;;
+
+ solaris*)
+ if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+ ld_shlibs_GCJ=no
+ cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems. Therefore, libtool
+*** is disabling shared libraries support. We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer. Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+ elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ ld_shlibs_GCJ=no
+ fi
+ ;;
+
+ sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+ case `$LD -v 2>&1` in
+ *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*)
+ ld_shlibs_GCJ=no
+ cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems. Therefore, libtool
+*** is disabling shared libraries support. We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer. Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+ ;;
+ *)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ hardcode_libdir_flag_spec_GCJ='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
+ archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
+ archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
+ else
+ ld_shlibs_GCJ=no
+ fi
+ ;;
+ esac
+ ;;
+
+ sunos4*)
+ archive_cmds_GCJ='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ wlarc=
+ hardcode_direct_GCJ=yes
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ *)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ ld_shlibs_GCJ=no
+ fi
+ ;;
+ esac
+
+ if test "$ld_shlibs_GCJ" = no; then
+ runpath_var=
+ hardcode_libdir_flag_spec_GCJ=
+ export_dynamic_flag_spec_GCJ=
+ whole_archive_flag_spec_GCJ=
+ fi
+ else
+ # PORTME fill in a description of your system's linker (not GNU ld)
+ case $host_os in
+ aix3*)
+ allow_undefined_flag_GCJ=unsupported
+ always_export_symbols_GCJ=yes
+ archive_expsym_cmds_GCJ='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+ # Note: this linker hardcodes the directories in LIBPATH if there
+ # are no directories specified by -L.
+ hardcode_minus_L_GCJ=yes
+ if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
+ # Neither direct hardcoding nor static linking is supported with a
+ # broken collect2.
+ hardcode_direct_GCJ=unsupported
+ fi
+ ;;
+
+ aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # On IA64, the linker does run time linking by default, so we don't
+ # have to do anything special.
+ aix_use_runtimelinking=no
+ exp_sym_flag='-Bexport'
+ no_entry_flag=""
+ else
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+ export_symbols_cmds_GCJ='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ else
+ export_symbols_cmds_GCJ='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ fi
+ aix_use_runtimelinking=no
+
+ # Test if we are trying to use run time linking or normal
+ # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+ # need to do runtime linking.
+ case $host_os in aix4.[23]|aix4.[23].*|aix5*)
+ for ld_flag in $LDFLAGS; do
+ if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+ aix_use_runtimelinking=yes
+ break
+ fi
+ done
+ ;;
+ esac
+
+ exp_sym_flag='-bexport'
+ no_entry_flag='-bnoentry'
+ fi
+
+ # When large executables or shared objects are built, AIX ld can
+ # have problems creating the table of contents. If linking a library
+ # or program results in "error TOC overflow" add -mminimal-toc to
+ # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
+ # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+ archive_cmds_GCJ=''
+ hardcode_direct_GCJ=yes
+ hardcode_libdir_separator_GCJ=':'
+ link_all_deplibs_GCJ=yes
+
+ if test "$GCC" = yes; then
+ case $host_os in aix4.[012]|aix4.[012].*)
+ # We only want to do this on AIX 4.2 and lower, the check
+ # below for broken collect2 doesn't work under 4.3+
+ collect2name=`${CC} -print-prog-name=collect2`
+ if test -f "$collect2name" && \
+ strings "$collect2name" | grep resolve_lib_name >/dev/null
+ then
+ # We have reworked collect2
+ hardcode_direct_GCJ=yes
+ else
+ # We have old collect2
+ hardcode_direct_GCJ=unsupported
+ # It fails to find uninstalled libraries when the uninstalled
+ # path is not listed in the libpath. Setting hardcode_minus_L
+ # to unsupported forces relinking
+ hardcode_minus_L_GCJ=yes
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_libdir_separator_GCJ=
+ fi
+ ;;
+ esac
+ shared_flag='-shared'
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag="$shared_flag "'${wl}-G'
+ fi
+ else
+ # not using gcc
+ if test "$host_cpu" = ia64; then
+ # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+ # chokes on -Wl,-G. The following line is correct:
+ shared_flag='-G'
+ else
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag='${wl}-G'
+ else
+ shared_flag='${wl}-bM:SRE'
+ fi
+ fi
+ fi
+
+ # It seems that -bexpall does not export symbols beginning with
+ # underscore (_), so it is better to generate a list of symbols to export.
+ always_export_symbols_GCJ=yes
+ if test "$aix_use_runtimelinking" = yes; then
+ # Warning - without using the other runtime loading flags (-brtl),
+ # -berok will link without error, but may produce a broken library.
+ allow_undefined_flag_GCJ='-berok'
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath"
+ archive_expsym_cmds_GCJ="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ else
+ if test "$host_cpu" = ia64; then
+ hardcode_libdir_flag_spec_GCJ='${wl}-R $libdir:/usr/lib:/lib'
+ allow_undefined_flag_GCJ="-z nodefs"
+ archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
+ else
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath"
+ # Warning - without using the other run time loading flags,
+ # -berok will link without error, but may produce a broken library.
+ no_undefined_flag_GCJ=' ${wl}-bernotok'
+ allow_undefined_flag_GCJ=' ${wl}-berok'
+ # Exported symbols can be pulled into shared objects from archives
+ whole_archive_flag_spec_GCJ='$convenience'
+ archive_cmds_need_lc_GCJ=yes
+ # This is similar to how AIX traditionally builds its shared libraries.
+ archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+ fi
+ fi
+ ;;
+
+ amigaos*)
+ archive_cmds_GCJ='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_minus_L_GCJ=yes
+ # see comment about different semantics on the GNU ld section
+ ld_shlibs_GCJ=no
+ ;;
+
+ bsdi[45]*)
+ export_dynamic_flag_spec_GCJ=-rdynamic
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ # hardcode_libdir_flag_spec is actually meaningless, as there is
+ # no search path for DLLs.
+ hardcode_libdir_flag_spec_GCJ=' '
+ allow_undefined_flag_GCJ=unsupported
+ # Tell ltmain to make .lib files, not .a files.
+ libext=lib
+ # Tell ltmain to make .dll files, not .so files.
+ shrext_cmds=".dll"
+ # FIXME: Setting linknames here is a bad hack.
+ archive_cmds_GCJ='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
+ # The linker will automatically build a .lib file if we build a DLL.
+ old_archive_From_new_cmds_GCJ='true'
+ # FIXME: Should let the user specify the lib program.
+ old_archive_cmds_GCJ='lib /OUT:$oldlib$oldobjs$old_deplibs'
+ fix_srcfile_path_GCJ='`cygpath -w "$srcfile"`'
+ enable_shared_with_static_runtimes_GCJ=yes
+ ;;
+
+ darwin* | rhapsody*)
+ case $host_os in
+ rhapsody* | darwin1.[012])
+ allow_undefined_flag_GCJ='${wl}-undefined ${wl}suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[012])
+ allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
+ ;;
+ 10.*)
+ allow_undefined_flag_GCJ='${wl}-undefined ${wl}dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ archive_cmds_need_lc_GCJ=no
+ hardcode_direct_GCJ=no
+ hardcode_automatic_GCJ=yes
+ hardcode_shlibpath_var_GCJ=unsupported
+ whole_archive_flag_spec_GCJ=''
+ link_all_deplibs_GCJ=yes
+ if test "$GCC" = yes ; then
+ output_verbose_link_cmd='echo'
+ archive_cmds_GCJ='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+ archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ case $cc_basename in
+ xlc*)
+ output_verbose_link_cmd='echo'
+ archive_cmds_GCJ='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
+ module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+ archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ ;;
+ *)
+ ld_shlibs_GCJ=no
+ ;;
+ esac
+ fi
+ ;;
+
+ dgux*)
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ freebsd1*)
+ ld_shlibs_GCJ=no
+ ;;
+
+ # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+ # support. Future versions do this automatically, but an explicit c++rt0.o
+ # does not break anything, and helps significantly (at the cost of a little
+ # extra space).
+ freebsd2.2*)
+ archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+ hardcode_libdir_flag_spec_GCJ='-R$libdir'
+ hardcode_direct_GCJ=yes
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+ freebsd2*)
+ archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_GCJ=yes
+ hardcode_minus_L_GCJ=yes
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+ freebsd* | kfreebsd*-gnu | dragonfly*)
+ archive_cmds_GCJ='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec_GCJ='-R$libdir'
+ hardcode_direct_GCJ=yes
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ hpux9*)
+ if test "$GCC" = yes; then
+ archive_cmds_GCJ='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ else
+ archive_cmds_GCJ='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ fi
+ hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator_GCJ=:
+ hardcode_direct_GCJ=yes
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L_GCJ=yes
+ export_dynamic_flag_spec_GCJ='${wl}-E'
+ ;;
+
+ hpux10*)
+ if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ archive_cmds_GCJ='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds_GCJ='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+ fi
+ if test "$with_gnu_ld" = no; then
+ hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator_GCJ=:
+
+ hardcode_direct_GCJ=yes
+ export_dynamic_flag_spec_GCJ='${wl}-E'
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L_GCJ=yes
+ fi
+ ;;
+
+ hpux11*)
+ if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ case $host_cpu in
+ hppa*64*)
+ archive_cmds_GCJ='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ ia64*)
+ archive_cmds_GCJ='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ archive_cmds_GCJ='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ else
+ case $host_cpu in
+ hppa*64*)
+ archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ ia64*)
+ archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ archive_cmds_GCJ='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ fi
+ if test "$with_gnu_ld" = no; then
+ hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator_GCJ=:
+
+ case $host_cpu in
+ hppa*64*|ia64*)
+ hardcode_libdir_flag_spec_ld_GCJ='+b $libdir'
+ hardcode_direct_GCJ=no
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+ *)
+ hardcode_direct_GCJ=yes
+ export_dynamic_flag_spec_GCJ='${wl}-E'
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L_GCJ=yes
+ ;;
+ esac
+ fi
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ if test "$GCC" = yes; then
+ archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ archive_cmds_GCJ='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ hardcode_libdir_flag_spec_ld_GCJ='-rpath $libdir'
+ fi
+ hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_GCJ=:
+ link_all_deplibs_GCJ=yes
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
+ else
+ archive_cmds_GCJ='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
+ fi
+ hardcode_libdir_flag_spec_GCJ='-R$libdir'
+ hardcode_direct_GCJ=yes
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ newsos6)
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_GCJ=yes
+ hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_GCJ=:
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ openbsd*)
+ hardcode_direct_GCJ=yes
+ hardcode_shlibpath_var_GCJ=no
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
+ hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
+ export_dynamic_flag_spec_GCJ='${wl}-E'
+ else
+ case $host_os in
+ openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
+ archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec_GCJ='-R$libdir'
+ ;;
+ *)
+ archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
+ ;;
+ esac
+ fi
+ ;;
+
+ os2*)
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_minus_L_GCJ=yes
+ allow_undefined_flag_GCJ=unsupported
+ archive_cmds_GCJ='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+ old_archive_From_new_cmds_GCJ='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+ ;;
+
+ osf3*)
+ if test "$GCC" = yes; then
+ allow_undefined_flag_GCJ=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds_GCJ='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ allow_undefined_flag_GCJ=' -expect_unresolved \*'
+ archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ fi
+ hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_GCJ=:
+ ;;
+
+ osf4* | osf5*) # as osf3* with the addition of -msym flag
+ if test "$GCC" = yes; then
+ allow_undefined_flag_GCJ=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds_GCJ='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
+ else
+ allow_undefined_flag_GCJ=' -expect_unresolved \*'
+ archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ archive_expsym_cmds_GCJ='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
+ $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
+
+ # Both c and cxx compiler support -rpath directly
+ hardcode_libdir_flag_spec_GCJ='-rpath $libdir'
+ fi
+ hardcode_libdir_separator_GCJ=:
+ ;;
+
+ solaris*)
+ no_undefined_flag_GCJ=' -z text'
+ if test "$GCC" = yes; then
+ wlarc='${wl}'
+ archive_cmds_GCJ='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
+ else
+ wlarc=''
+ archive_cmds_GCJ='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+ fi
+ hardcode_libdir_flag_spec_GCJ='-R$libdir'
+ hardcode_shlibpath_var_GCJ=no
+ case $host_os in
+ solaris2.[0-5] | solaris2.[0-5].*) ;;
+ *)
+ # The compiler driver will combine linker options so we
+ # cannot just pass the convience library names through
+ # without $wl, iff we do not link with $LD.
+ # Luckily, gcc supports the same syntax we need for Sun Studio.
+ # Supported since Solaris 2.6 (maybe 2.5.1?)
+ case $wlarc in
+ '')
+ whole_archive_flag_spec_GCJ='-z allextract$convenience -z defaultextract' ;;
+ *)
+ whole_archive_flag_spec_GCJ='${wl}-z ${wl}allextract`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}-z ${wl}defaultextract' ;;
+ esac ;;
+ esac
+ link_all_deplibs_GCJ=yes
+ ;;
+
+ sunos4*)
+ if test "x$host_vendor" = xsequent; then
+ # Use $CC to link under sequent, because it throws in some extra .o
+ # files that make .init and .fini sections work.
+ archive_cmds_GCJ='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds_GCJ='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+ fi
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_direct_GCJ=yes
+ hardcode_minus_L_GCJ=yes
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ sysv4)
+ case $host_vendor in
+ sni)
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_GCJ=yes # is this really true???
+ ;;
+ siemens)
+ ## LD is ld it makes a PLAMLIB
+ ## CC just makes a GrossModule.
+ archive_cmds_GCJ='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+ reload_cmds_GCJ='$CC -r -o $output$reload_objs'
+ hardcode_direct_GCJ=no
+ ;;
+ motorola)
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_GCJ=no #Motorola manual says yes, but my tests say they lie
+ ;;
+ esac
+ runpath_var='LD_RUN_PATH'
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ sysv4.3*)
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var_GCJ=no
+ export_dynamic_flag_spec_GCJ='-Bexport'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var_GCJ=no
+ runpath_var=LD_RUN_PATH
+ hardcode_runpath_var=yes
+ ld_shlibs_GCJ=yes
+ fi
+ ;;
+
+ sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7*)
+ no_undefined_flag_GCJ='${wl}-z,text'
+ archive_cmds_need_lc_GCJ=no
+ hardcode_shlibpath_var_GCJ=no
+ runpath_var='LD_RUN_PATH'
+
+ if test "$GCC" = yes; then
+ archive_cmds_GCJ='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_GCJ='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds_GCJ='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_GCJ='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+ fi
+ ;;
+
+ sysv5* | sco3.2v5* | sco5v6*)
+ # Note: We can NOT use -z defs as we might desire, because we do not
+ # link with -lc, and that would cause any symbols used from libc to
+ # always be unresolved, which means just about no library would
+ # ever link correctly. If we're not using GNU ld we use -z text
+ # though, which does catch some bad symbols but isn't as heavy-handed
+ # as -z defs.
+ no_undefined_flag_GCJ='${wl}-z,text'
+ allow_undefined_flag_GCJ='${wl}-z,nodefs'
+ archive_cmds_need_lc_GCJ=no
+ hardcode_shlibpath_var_GCJ=no
+ hardcode_libdir_flag_spec_GCJ='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+ hardcode_libdir_separator_GCJ=':'
+ link_all_deplibs_GCJ=yes
+ export_dynamic_flag_spec_GCJ='${wl}-Bexport'
+ runpath_var='LD_RUN_PATH'
+
+ if test "$GCC" = yes; then
+ archive_cmds_GCJ='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_GCJ='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds_GCJ='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_GCJ='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ fi
+ ;;
+
+ uts4*)
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ *)
+ ld_shlibs_GCJ=no
+ ;;
+ esac
+ fi
+
+{ echo "$as_me:$LINENO: result: $ld_shlibs_GCJ" >&5
+echo "${ECHO_T}$ld_shlibs_GCJ" >&6; }
+test "$ld_shlibs_GCJ" = no && can_build_shared=no
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$archive_cmds_need_lc_GCJ" in
+x|xyes)
+ # Assume -lc should be added
+ archive_cmds_need_lc_GCJ=yes
+
+ if test "$enable_shared" = yes && test "$GCC" = yes; then
+ case $archive_cmds_GCJ in
+ *'~'*)
+ # FIXME: we may have to deal with multi-command sequences.
+ ;;
+ '$CC '*)
+ # Test whether the compiler implicitly links with -lc since on some
+ # systems, -lgcc has to come before -lc. If gcc already passes -lc
+ # to ld, don't add -lc before -lgcc.
+ { echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6; }
+ $rm conftest*
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } 2>conftest.err; then
+ soname=conftest
+ lib=conftest
+ libobjs=conftest.$ac_objext
+ deplibs=
+ wl=$lt_prog_compiler_wl_GCJ
+ pic_flag=$lt_prog_compiler_pic_GCJ
+ compiler_flags=-v
+ linker_flags=-v
+ verstring=
+ output_objdir=.
+ libname=conftest
+ lt_save_allow_undefined_flag=$allow_undefined_flag_GCJ
+ allow_undefined_flag_GCJ=
+ if { (eval echo "$as_me:$LINENO: \"$archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
+ (eval $archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+ then
+ archive_cmds_need_lc_GCJ=no
+ else
+ archive_cmds_need_lc_GCJ=yes
+ fi
+ allow_undefined_flag_GCJ=$lt_save_allow_undefined_flag
+ else
+ cat conftest.err 1>&5
+ fi
+ $rm conftest*
+ { echo "$as_me:$LINENO: result: $archive_cmds_need_lc_GCJ" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_GCJ" >&6; }
+ ;;
+ esac
+ fi
+ ;;
+esac
+
+{ echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6; }
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext_cmds=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+ # if the path contains ";" then we assume it to be the separator
+ # otherwise default to the standard path separator (i.e. ":") - it is
+ # assumed that no part of a normal pathname contains ";" but that should
+ # okay in the real world where ";" in dirpaths is itself problematic.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+else
+ sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+ shlibpath_var=LIBPATH
+
+ # AIX 3 has no versioning support, so we append a major version to the name.
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+
+aix4* | aix5*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ hardcode_into_libs=yes
+ if test "$host_cpu" = ia64; then
+ # AIX 5 supports IA64
+ library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ else
+ # With GCC up to 2.95.x, collect2 would create an import file
+ # for dependence libraries. The import file would start with
+ # the line `#! .'. This would cause the generated library to
+ # depend on `.', always an invalid library. This was fixed in
+ # development snapshots of GCC prior to 3.0.
+ case $host_os in
+ aix4 | aix4.[01] | aix4.[01].*)
+ if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+ echo ' yes '
+ echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+ :
+ else
+ can_build_shared=no
+ fi
+ ;;
+ esac
+ # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+ # soname into executable. Probably we can add versioning support to
+ # collect2, so additional links can be useful in future.
+ if test "$aix_use_runtimelinking" = yes; then
+ # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+ # instead of lib<name>.a to let people know that these are not
+ # typical AIX shared libraries.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ else
+ # We preserve .a as extension for shared libraries through AIX4.2
+ # and later when we are not doing run time linking.
+ library_names_spec='${libname}${release}.a $libname.a'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ fi
+ shlibpath_var=LIBPATH
+ fi
+ ;;
+
+amigaos*)
+ library_names_spec='$libname.ixlibrary $libname.a'
+ # Create ${libname}_ixlibrary.a entries in /sys/libs.
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+ ;;
+
+beos*)
+ library_names_spec='${libname}${shared_ext}'
+ dynamic_linker="$host_os ld.so"
+ shlibpath_var=LIBRARY_PATH
+ ;;
+
+bsdi[45]*)
+ version_type=linux
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+ sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+ # the default ld.so.conf also contains /usr/contrib/lib and
+ # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+ # libtool to hard-code these into programs
+ ;;
+
+cygwin* | mingw* | pw32*)
+ version_type=windows
+ shrext_cmds=".dll"
+ need_version=no
+ need_lib_prefix=no
+
+ case $GCC,$host_os in
+ yes,cygwin* | yes,mingw* | yes,pw32*)
+ library_names_spec='$libname.dll.a'
+ # DLL is installed to $(libdir)/../bin by postinstall_cmds
+ postinstall_cmds='base_file=`basename \${file}`~
+ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+ dldir=$destdir/`dirname \$dlpath`~
+ test -d \$dldir || mkdir -p \$dldir~
+ $install_prog $dir/$dlname \$dldir/$dlname~
+ chmod a+x \$dldir/$dlname'
+ postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+ dlpath=$dir/\$dldll~
+ $rm \$dlpath'
+ shlibpath_overrides_runpath=yes
+
+ case $host_os in
+ cygwin*)
+ # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+ soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+ ;;
+ mingw*)
+ # MinGW DLLs use traditional 'lib' prefix
+ soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
+ # It is most probably a Windows format PATH printed by
+ # mingw gcc, but we are running on Cygwin. Gcc prints its search
+ # path with ; separators, and with drive letters. We can handle the
+ # drive letters (cygwin fileutils understands them), so leave them,
+ # especially as we might pass files found there to a mingw objdump,
+ # which wouldn't understand a cygwinified path. Ahh.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+ ;;
+ pw32*)
+ # pw32 DLLs use 'pw' prefix rather than 'lib'
+ library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ ;;
+ esac
+ ;;
+
+ linux*)
+ if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ supports_anon_versioning=no
+ case `$LD -v 2>/dev/null` in
+ *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+ *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+ *\ 2.11.*) ;; # other 2.11 versions
+ *) supports_anon_versioning=yes ;;
+ esac
+ if test $supports_anon_versioning = yes; then
+ archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
+cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+$echo "local: *; };" >> $output_objdir/$libname.ver~
+ $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+ else
+ $archive_expsym_cmds="$archive_cmds"
+ fi
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ *)
+ library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+ ;;
+ esac
+ dynamic_linker='Win32 ld.exe'
+ # FIXME: first we should search . and the directory the executable is in
+ shlibpath_var=PATH
+ ;;
+
+darwin* | rhapsody*)
+ dynamic_linker="$host_os dyld"
+ version_type=darwin
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+ soname_spec='${libname}${release}${major}$shared_ext'
+ shlibpath_overrides_runpath=yes
+ shlibpath_var=DYLD_LIBRARY_PATH
+ shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+ # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
+ if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
+ else
+ sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
+ fi
+ sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+ ;;
+
+dgux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+freebsd1*)
+ dynamic_linker=no
+ ;;
+
+kfreebsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+freebsd* | dragonfly*)
+ # DragonFly does not have aout. When/if they implement a new
+ # versioning mechanism, adjust this.
+ if test -x /usr/bin/objformat; then
+ objformat=`/usr/bin/objformat`
+ else
+ case $host_os in
+ freebsd[123]*) objformat=aout ;;
+ *) objformat=elf ;;
+ esac
+ fi
+ # Handle Gentoo/FreeBSD as it was Linux
+ case $host_vendor in
+ gentoo)
+ version_type=linux ;;
+ *)
+ version_type=freebsd-$objformat ;;
+ esac
+
+ case $version_type in
+ freebsd-elf*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ need_version=no
+ need_lib_prefix=no
+ ;;
+ freebsd-*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+ need_version=yes
+ ;;
+ linux)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ need_lib_prefix=no
+ need_version=no
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_os in
+ freebsd2*)
+ shlibpath_overrides_runpath=yes
+ ;;
+ freebsd3.[01]* | freebsdelf3.[01]*)
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
+ freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+ freebsd*) # from 4.6 on
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ esac
+ ;;
+
+gnu*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ ;;
+
+hpux9* | hpux10* | hpux11*)
+ # Give a soname corresponding to the major version so that dld.sl refuses to
+ # link against other versions.
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ case $host_cpu in
+ ia64*)
+ shrext_cmds='.so'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.so"
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ if test "X$HPUX_IA64_MODE" = X32; then
+ sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+ else
+ sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+ fi
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ hppa*64*)
+ shrext_cmds='.sl'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ *)
+ shrext_cmds='.sl'
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=SHLIB_PATH
+ shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+ esac
+ # HP-UX runs *really* slowly unless shared libraries are mode 555.
+ postinstall_cmds='chmod 555 $lib'
+ ;;
+
+interix3*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $host_os in
+ nonstopux*) version_type=nonstopux ;;
+ *)
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ version_type=linux
+ else
+ version_type=irix
+ fi ;;
+ esac
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+ case $host_os in
+ irix5* | nonstopux*)
+ libsuff= shlibsuff=
+ ;;
+ *)
+ case $LD in # libtool.m4 will add one of these switches to LD
+ *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+ libsuff= shlibsuff= libmagic=32-bit;;
+ *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+ libsuff=32 shlibsuff=N32 libmagic=N32;;
+ *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+ libsuff=64 shlibsuff=64 libmagic=64-bit;;
+ *) libsuff= shlibsuff= libmagic=never-match;;
+ esac
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+ sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+ hardcode_into_libs=yes
+ ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+ dynamic_linker=no
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ # This implies no fast_install, which is unacceptable.
+ # Some rework will be needed to allow for fast_install
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
+ sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+ # powerpc, because MkLinux only supported shared libraries with the
+ # GNU dynamic linker. Since this was broken with cross compilers,
+ # most powerpc-linux boxes support dynamic linking these days and
+ # people can always --disable-shared, the test was removed, and we
+ # assume the GNU/Linux dynamic linker is in use.
+ dynamic_linker='GNU/Linux ld.so'
+ ;;
+
+knetbsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+netbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ dynamic_linker='NetBSD (a.out) ld.so'
+ else
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='NetBSD ld.elf_so'
+ fi
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+
+newsos6)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+nto-qnx*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+openbsd*)
+ version_type=sunos
+ sys_lib_dlsearch_path_spec="/usr/lib"
+ need_lib_prefix=no
+ # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+ case $host_os in
+ openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+ *) need_version=no ;;
+ esac
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ case $host_os in
+ openbsd2.[89] | openbsd2.[89].*)
+ shlibpath_overrides_runpath=no
+ ;;
+ *)
+ shlibpath_overrides_runpath=yes
+ ;;
+ esac
+ else
+ shlibpath_overrides_runpath=yes
+ fi
+ ;;
+
+os2*)
+ libname_spec='$name'
+ shrext_cmds=".dll"
+ need_lib_prefix=no
+ library_names_spec='$libname${shared_ext} $libname.a'
+ dynamic_linker='OS/2 ld.exe'
+ shlibpath_var=LIBPATH
+ ;;
+
+osf3* | osf4* | osf5*)
+ version_type=osf
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+ sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+ ;;
+
+solaris*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ # ldd complains unless libraries are executable
+ postinstall_cmds='chmod +x $lib'
+ ;;
+
+sunos4*)
+ version_type=sunos
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ if test "$with_gnu_ld" = yes; then
+ need_lib_prefix=no
+ fi
+ need_version=yes
+ ;;
+
+sysv4 | sysv4.3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_vendor in
+ sni)
+ shlibpath_overrides_runpath=no
+ need_lib_prefix=no
+ export_dynamic_flag_spec='${wl}-Blargedynsym'
+ runpath_var=LD_RUN_PATH
+ ;;
+ siemens)
+ need_lib_prefix=no
+ ;;
+ motorola)
+ need_lib_prefix=no
+ need_version=no
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+ ;;
+ esac
+ ;;
+
+sysv4*MP*)
+ if test -d /usr/nec ;then
+ version_type=linux
+ library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+ soname_spec='$libname${shared_ext}.$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ fi
+ ;;
+
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+ version_type=freebsd-elf
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ if test "$with_gnu_ld" = yes; then
+ sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+ shlibpath_overrides_runpath=no
+ else
+ sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+ shlibpath_overrides_runpath=yes
+ case $host_os in
+ sco3.2v5*)
+ sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+ ;;
+ esac
+ fi
+ sys_lib_dlsearch_path_spec='/usr/lib'
+ ;;
+
+uts4*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+*)
+ dynamic_linker=no
+ ;;
+esac
+{ echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6; }
+test "$dynamic_linker" = no && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+ variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+{ echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6; }
+hardcode_action_GCJ=
+if test -n "$hardcode_libdir_flag_spec_GCJ" || \
+ test -n "$runpath_var_GCJ" || \
+ test "X$hardcode_automatic_GCJ" = "Xyes" ; then
+
+ # We can hardcode non-existant directories.
+ if test "$hardcode_direct_GCJ" != no &&
+ # If the only mechanism to avoid hardcoding is shlibpath_var, we
+ # have to relink, otherwise we might link with an installed library
+ # when we should be linking with a yet-to-be-installed one
+ ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, GCJ)" != no &&
+ test "$hardcode_minus_L_GCJ" != no; then
+ # Linking always hardcodes the temporary library directory.
+ hardcode_action_GCJ=relink
+ else
+ # We can link without hardcoding, and we can hardcode nonexisting dirs.
+ hardcode_action_GCJ=immediate
+ fi
+else
+ # We cannot hardcode anything, or else we can only hardcode existing
+ # directories.
+ hardcode_action_GCJ=unsupported
+fi
+{ echo "$as_me:$LINENO: result: $hardcode_action_GCJ" >&5
+echo "${ECHO_T}$hardcode_action_GCJ" >&6; }
+
+if test "$hardcode_action_GCJ" = relink; then
+ # Fast installation is not supported
+ enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+ test "$enable_shared" = no; then
+ # Fast installation is not necessary
+ enable_fast_install=needless
+fi
+
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+ # See if we are running on zsh, and set the options which allow our commands through
+ # without removal of \ escapes.
+ if test -n "${ZSH_VERSION+set}" ; then
+ setopt NO_GLOB_SUBST
+ fi
+ # Now quote all the things that may contain metacharacters while being
+ # careful not to overquote the AC_SUBSTed values. We take copies of the
+ # variables and quote the copies for generation of the libtool script.
+ for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
+ SED SHELL STRIP \
+ libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+ old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+ deplibs_check_method reload_flag reload_cmds need_locks \
+ lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+ lt_cv_sys_global_symbol_to_c_name_address \
+ sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+ old_postinstall_cmds old_postuninstall_cmds \
+ compiler_GCJ \
+ CC_GCJ \
+ LD_GCJ \
+ lt_prog_compiler_wl_GCJ \
+ lt_prog_compiler_pic_GCJ \
+ lt_prog_compiler_static_GCJ \
+ lt_prog_compiler_no_builtin_flag_GCJ \
+ export_dynamic_flag_spec_GCJ \
+ thread_safe_flag_spec_GCJ \
+ whole_archive_flag_spec_GCJ \
+ enable_shared_with_static_runtimes_GCJ \
+ old_archive_cmds_GCJ \
+ old_archive_from_new_cmds_GCJ \
+ predep_objects_GCJ \
+ postdep_objects_GCJ \
+ predeps_GCJ \
+ postdeps_GCJ \
+ compiler_lib_search_path_GCJ \
+ archive_cmds_GCJ \
+ archive_expsym_cmds_GCJ \
+ postinstall_cmds_GCJ \
+ postuninstall_cmds_GCJ \
+ old_archive_from_expsyms_cmds_GCJ \
+ allow_undefined_flag_GCJ \
+ no_undefined_flag_GCJ \
+ export_symbols_cmds_GCJ \
+ hardcode_libdir_flag_spec_GCJ \
+ hardcode_libdir_flag_spec_ld_GCJ \
+ hardcode_libdir_separator_GCJ \
+ hardcode_automatic_GCJ \
+ module_cmds_GCJ \
+ module_expsym_cmds_GCJ \
+ lt_cv_prog_compiler_c_o_GCJ \
+ exclude_expsyms_GCJ \
+ include_expsyms_GCJ; do
+
+ case $var in
+ old_archive_cmds_GCJ | \
+ old_archive_from_new_cmds_GCJ | \
+ archive_cmds_GCJ | \
+ archive_expsym_cmds_GCJ | \
+ module_cmds_GCJ | \
+ module_expsym_cmds_GCJ | \
+ old_archive_from_expsyms_cmds_GCJ | \
+ export_symbols_cmds_GCJ | \
+ extract_expsyms_cmds | reload_cmds | finish_cmds | \
+ postinstall_cmds | postuninstall_cmds | \
+ old_postinstall_cmds | old_postuninstall_cmds | \
+ sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+ # Double-quote double-evaled strings.
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+ ;;
+ *)
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+ ;;
+ esac
+ done
+
+ case $lt_echo in
+ *'\$0 --fallback-echo"')
+ lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+ ;;
+ esac
+
+cfgfile="$ofile"
+
+ cat <<__EOF__ >> "$cfgfile"
+# ### BEGIN LIBTOOL TAG CONFIG: $tagname
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc_GCJ
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_GCJ
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
+# A language-specific compiler.
+CC=$lt_compiler_GCJ
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC_GCJ
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD_GCJ
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl_GCJ
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext_cmds='$shrext_cmds'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic_GCJ
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o_GCJ
+
+# Must we lock files when doing compilation?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static_GCJ
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_GCJ
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_GCJ
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec_GCJ
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec_GCJ
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names. First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds_GCJ
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_GCJ
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_GCJ
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds_GCJ
+archive_expsym_cmds=$lt_archive_expsym_cmds_GCJ
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds_GCJ
+module_expsym_cmds=$lt_module_expsym_cmds_GCJ
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects_GCJ
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects_GCJ
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps_GCJ
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps_GCJ
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path_GCJ
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag_GCJ
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag_GCJ
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action_GCJ
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_GCJ
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_GCJ
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator_GCJ
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct_GCJ
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L_GCJ
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var_GCJ
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic_GCJ
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs_GCJ
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$fix_srcfile_path_GCJ"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols_GCJ
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds_GCJ
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms_GCJ
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms_GCJ
+
+# ### END LIBTOOL TAG CONFIG: $tagname
+
+__EOF__
+
+
+else
+ # If there is no Makefile yet, we rely on a make rule to execute
+ # `config.status --recheck' to rerun these tests and create the
+ # libtool script then.
+ ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+ if test -f "$ltmain_in"; then
+ test -f Makefile && make "$ltmain"
+ fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC="$lt_save_CC"
+
+ else
+ tagname=""
+ fi
+ ;;
+
+ RC)
+
+
+# Source file extension for RC test sources.
+ac_ext=rc
+
+# Object file extension for compiled RC test sources.
+objext=o
+objext_RC=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n'
+
+# Code to be used in simple link tests
+lt_simple_link_test_code="$lt_simple_compile_test_code"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# save warnings/boilerplate of simple test code
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+
+ac_outfile=conftest.$ac_objext
+printf "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm conftest*
+
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${RC-"windres"}
+compiler=$CC
+compiler_RC=$CC
+for cc_temp in $compiler""; do
+ case $cc_temp in
+ compile | *[\\/]compile | ccache | *[\\/]ccache ) ;;
+ distcc | *[\\/]distcc | purify | *[\\/]purify ) ;;
+ \-*) ;;
+ *) break;;
+ esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+
+lt_cv_prog_compiler_c_o_RC=yes
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+ # See if we are running on zsh, and set the options which allow our commands through
+ # without removal of \ escapes.
+ if test -n "${ZSH_VERSION+set}" ; then
+ setopt NO_GLOB_SUBST
+ fi
+ # Now quote all the things that may contain metacharacters while being
+ # careful not to overquote the AC_SUBSTed values. We take copies of the
+ # variables and quote the copies for generation of the libtool script.
+ for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
+ SED SHELL STRIP \
+ libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+ old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+ deplibs_check_method reload_flag reload_cmds need_locks \
+ lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+ lt_cv_sys_global_symbol_to_c_name_address \
+ sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+ old_postinstall_cmds old_postuninstall_cmds \
+ compiler_RC \
+ CC_RC \
+ LD_RC \
+ lt_prog_compiler_wl_RC \
+ lt_prog_compiler_pic_RC \
+ lt_prog_compiler_static_RC \
+ lt_prog_compiler_no_builtin_flag_RC \
+ export_dynamic_flag_spec_RC \
+ thread_safe_flag_spec_RC \
+ whole_archive_flag_spec_RC \
+ enable_shared_with_static_runtimes_RC \
+ old_archive_cmds_RC \
+ old_archive_from_new_cmds_RC \
+ predep_objects_RC \
+ postdep_objects_RC \
+ predeps_RC \
+ postdeps_RC \
+ compiler_lib_search_path_RC \
+ archive_cmds_RC \
+ archive_expsym_cmds_RC \
+ postinstall_cmds_RC \
+ postuninstall_cmds_RC \
+ old_archive_from_expsyms_cmds_RC \
+ allow_undefined_flag_RC \
+ no_undefined_flag_RC \
+ export_symbols_cmds_RC \
+ hardcode_libdir_flag_spec_RC \
+ hardcode_libdir_flag_spec_ld_RC \
+ hardcode_libdir_separator_RC \
+ hardcode_automatic_RC \
+ module_cmds_RC \
+ module_expsym_cmds_RC \
+ lt_cv_prog_compiler_c_o_RC \
+ exclude_expsyms_RC \
+ include_expsyms_RC; do
+
+ case $var in
+ old_archive_cmds_RC | \
+ old_archive_from_new_cmds_RC | \
+ archive_cmds_RC | \
+ archive_expsym_cmds_RC | \
+ module_cmds_RC | \
+ module_expsym_cmds_RC | \
+ old_archive_from_expsyms_cmds_RC | \
+ export_symbols_cmds_RC | \
+ extract_expsyms_cmds | reload_cmds | finish_cmds | \
+ postinstall_cmds | postuninstall_cmds | \
+ old_postinstall_cmds | old_postuninstall_cmds | \
+ sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+ # Double-quote double-evaled strings.
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+ ;;
+ *)
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+ ;;
+ esac
+ done
+
+ case $lt_echo in
+ *'\$0 --fallback-echo"')
+ lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+ ;;
+ esac
+
+cfgfile="$ofile"
+
+ cat <<__EOF__ >> "$cfgfile"
+# ### BEGIN LIBTOOL TAG CONFIG: $tagname
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc_RC
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_RC
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
+# A language-specific compiler.
+CC=$lt_compiler_RC
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC_RC
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD_RC
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl_RC
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext_cmds='$shrext_cmds'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic_RC
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o_RC
+
+# Must we lock files when doing compilation?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static_RC
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_RC
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_RC
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec_RC
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec_RC
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names. First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds_RC
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_RC
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_RC
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds_RC
+archive_expsym_cmds=$lt_archive_expsym_cmds_RC
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds_RC
+module_expsym_cmds=$lt_module_expsym_cmds_RC
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects_RC
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects_RC
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps_RC
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps_RC
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path_RC
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag_RC
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag_RC
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action_RC
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_RC
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_RC
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator_RC
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct_RC
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L_RC
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var_RC
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic_RC
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs_RC
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$fix_srcfile_path_RC"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols_RC
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds_RC
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms_RC
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms_RC
+
+# ### END LIBTOOL TAG CONFIG: $tagname
+
+__EOF__
+
+
+else
+ # If there is no Makefile yet, we rely on a make rule to execute
+ # `config.status --recheck' to rerun these tests and create the
+ # libtool script then.
+ ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+ if test -f "$ltmain_in"; then
+ test -f Makefile && make "$ltmain"
+ fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC="$lt_save_CC"
+
+ ;;
+
+ *)
+ { { echo "$as_me:$LINENO: error: Unsupported tag name: $tagname" >&5
+echo "$as_me: error: Unsupported tag name: $tagname" >&2;}
+ { (exit 1); exit 1; }; }
+ ;;
+ esac
+
+ # Append the new tag name to the list of available tags.
+ if test -n "$tagname" ; then
+ available_tags="$available_tags $tagname"
+ fi
+ fi
+ done
+ IFS="$lt_save_ifs"
+
+ # Now substitute the updated list of available tags.
+ if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then
+ mv "${ofile}T" "$ofile"
+ chmod +x "$ofile"
+ else
+ rm -f "${ofile}T"
+ { { echo "$as_me:$LINENO: error: unable to update list of available tagged configurations." >&5
+echo "$as_me: error: unable to update list of available tagged configurations." >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+fi
+
+
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+
+# Prevent multiple expansion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+for ac_prog in flex lex
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_LEX+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$LEX"; then
+ ac_cv_prog_LEX="$LEX" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_LEX="$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+LEX=$ac_cv_prog_LEX
+if test -n "$LEX"; then
+ { echo "$as_me:$LINENO: result: $LEX" >&5
+echo "${ECHO_T}$LEX" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+ test -n "$LEX" && break
+done
+test -n "$LEX" || LEX=":"
+
+if test "x$LEX" != "x:"; then
+ cat >conftest.l <<_ACEOF
+%%
+a { ECHO; }
+b { REJECT; }
+c { yymore (); }
+d { yyless (1); }
+e { yyless (input () != 0); }
+f { unput (yytext[0]); }
+. { BEGIN INITIAL; }
+%%
+#ifdef YYTEXT_POINTER
+extern char *yytext;
+#endif
+int
+main (void)
+{
+ return ! yylex () + ! yywrap ();
+}
+_ACEOF
+{ (ac_try="$LEX conftest.l"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$LEX conftest.l") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ echo "$as_me:$LINENO: checking lex output file root" >&5
+echo $ECHO_N "checking lex output file root... $ECHO_C" >&6; }
+if test "${ac_cv_prog_lex_root+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+if test -f lex.yy.c; then
+ ac_cv_prog_lex_root=lex.yy
+elif test -f lexyy.c; then
+ ac_cv_prog_lex_root=lexyy
+else
+ { { echo "$as_me:$LINENO: error: cannot find output from $LEX; giving up" >&5
+echo "$as_me: error: cannot find output from $LEX; giving up" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_lex_root" >&5
+echo "${ECHO_T}$ac_cv_prog_lex_root" >&6; }
+LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root
+
+if test -z "${LEXLIB+set}"; then
+ { echo "$as_me:$LINENO: checking lex library" >&5
+echo $ECHO_N "checking lex library... $ECHO_C" >&6; }
+if test "${ac_cv_lib_lex+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+ ac_save_LIBS=$LIBS
+ ac_cv_lib_lex='none needed'
+ for ac_lib in '' -lfl -ll; do
+ LIBS="$ac_lib $ac_save_LIBS"
+ cat >conftest.$ac_ext <<_ACEOF
+`cat $LEX_OUTPUT_ROOT.c`
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_lib_lex=$ac_lib
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+ test "$ac_cv_lib_lex" != 'none needed' && break
+ done
+ LIBS=$ac_save_LIBS
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_lex" >&5
+echo "${ECHO_T}$ac_cv_lib_lex" >&6; }
+ test "$ac_cv_lib_lex" != 'none needed' && LEXLIB=$ac_cv_lib_lex
+fi
+
+
+{ echo "$as_me:$LINENO: checking whether yytext is a pointer" >&5
+echo $ECHO_N "checking whether yytext is a pointer... $ECHO_C" >&6; }
+if test "${ac_cv_prog_lex_yytext_pointer+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # POSIX says lex can declare yytext either as a pointer or an array; the
+# default is implementation-dependent. Figure out which it is, since
+# not all implementations provide the %pointer and %array declarations.
+ac_cv_prog_lex_yytext_pointer=no
+ac_save_LIBS=$LIBS
+LIBS="$LEXLIB $ac_save_LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+#define YYTEXT_POINTER 1
+`cat $LEX_OUTPUT_ROOT.c`
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_prog_lex_yytext_pointer=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_save_LIBS
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_lex_yytext_pointer" >&5
+echo "${ECHO_T}$ac_cv_prog_lex_yytext_pointer" >&6; }
+if test $ac_cv_prog_lex_yytext_pointer = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define YYTEXT_POINTER 1
+_ACEOF
+
+fi
+rm -f conftest.l $LEX_OUTPUT_ROOT.c
+
+fi
+for ac_prog in 'bison -y' byacc
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_YACC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$YACC"; then
+ ac_cv_prog_YACC="$YACC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_YACC="$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+YACC=$ac_cv_prog_YACC
+if test -n "$YACC"; then
+ { echo "$as_me:$LINENO: result: $YACC" >&5
+echo "${ECHO_T}$YACC" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+ test -n "$YACC" && break
+done
+test -n "$YACC" || YACC="yacc"
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}gcc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="${ac_tool_prefix}gcc"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_CC"; then
+ ac_ct_CC=$CC
+ # Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_CC="gcc"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+ { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+ if test "x$ac_ct_CC" = x; then
+ CC=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ CC=$ac_ct_CC
+ fi
+else
+ CC="$ac_cv_prog_CC"
+fi
+
+if test -z "$CC"; then
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}cc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="${ac_tool_prefix}cc"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+ fi
+fi
+if test -z "$CC"; then
+ # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+ ac_prog_rejected=no
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+ ac_prog_rejected=yes
+ continue
+ fi
+ ac_cv_prog_CC="cc"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+if test $ac_prog_rejected = yes; then
+ # We found a bogon in the path, so make sure we never use it.
+ set dummy $ac_cv_prog_CC
+ shift
+ if test $# != 0; then
+ # We chose a different compiler from the bogus one.
+ # However, it has the same basename, so the bogon will be chosen
+ # first if we set CC to just the basename; use the full file name.
+ shift
+ ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
+ fi
+fi
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+fi
+if test -z "$CC"; then
+ if test -n "$ac_tool_prefix"; then
+ for ac_prog in cl.exe
+ do
+ # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+ test -n "$CC" && break
+ done
+fi
+if test -z "$CC"; then
+ ac_ct_CC=$CC
+ for ac_prog in cl.exe
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_prog_ac_ct_CC="$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+ { echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+ test -n "$ac_ct_CC" && break
+done
+
+ if test "x$ac_ct_CC" = x; then
+ CC=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ echo "$as_me:$LINENO: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&5
+echo "$as_me: WARNING: In the future, Autoconf will not detect cross-tools
+whose name does not start with the host triplet. If you think this
+configuration is useful to you, please write to autoconf@gnu.org." >&2;}
+ac_tool_warned=yes ;;
+esac
+ CC=$ac_ct_CC
+ fi
+fi
+
+fi
+
+
+test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&5
+echo "$as_me: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+
+# Provide some information about the compiler.
+echo "$as_me:$LINENO: checking for C compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
+{ (ac_try="$ac_compiler --version >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler --version >&5") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (ac_try="$ac_compiler -v >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler -v >&5") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (ac_try="$ac_compiler -V >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compiler -V >&5") 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+
+{ echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6; }
+if test "${ac_cv_c_compiler_gnu+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+#ifndef __GNUC__
+ choke me
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_compiler_gnu=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_compiler_gnu=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_c_compiler_gnu=$ac_compiler_gnu
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6; }
+GCC=`test $ac_compiler_gnu = yes && echo yes`
+ac_test_CFLAGS=${CFLAGS+set}
+ac_save_CFLAGS=$CFLAGS
+{ echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6; }
+if test "${ac_cv_prog_cc_g+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_save_c_werror_flag=$ac_c_werror_flag
+ ac_c_werror_flag=yes
+ ac_cv_prog_cc_g=no
+ CFLAGS="-g"
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cc_g=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ CFLAGS=""
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ :
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_c_werror_flag=$ac_save_c_werror_flag
+ CFLAGS="-g"
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cc_g=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_c_werror_flag=$ac_save_c_werror_flag
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_g" >&6; }
+if test "$ac_test_CFLAGS" = set; then
+ CFLAGS=$ac_save_CFLAGS
+elif test $ac_cv_prog_cc_g = yes; then
+ if test "$GCC" = yes; then
+ CFLAGS="-g -O2"
+ else
+ CFLAGS="-g"
+ fi
+else
+ if test "$GCC" = yes; then
+ CFLAGS="-O2"
+ else
+ CFLAGS=
+ fi
+fi
+{ echo "$as_me:$LINENO: checking for $CC option to accept ISO C89" >&5
+echo $ECHO_N "checking for $CC option to accept ISO C89... $ECHO_C" >&6; }
+if test "${ac_cv_prog_cc_c89+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_cv_prog_cc_c89=no
+ac_save_CC=$CC
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <stdarg.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */
+struct buf { int x; };
+FILE * (*rcsopen) (struct buf *, struct stat *, int);
+static char *e (p, i)
+ char **p;
+ int i;
+{
+ return p[i];
+}
+static char *f (char * (*g) (char **, int), char **p, ...)
+{
+ char *s;
+ va_list v;
+ va_start (v,p);
+ s = g (p, va_arg (v,int));
+ va_end (v);
+ return s;
+}
+
+/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has
+ function prototypes and stuff, but not '\xHH' hex character constants.
+ These don't provoke an error unfortunately, instead are silently treated
+ as 'x'. The following induces an error, until -std is added to get
+ proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an
+ array size at least. It's necessary to write '\x00'==0 to get something
+ that's true only with -std. */
+int osf4_cc_array ['\x00' == 0 ? 1 : -1];
+
+/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
+ inside strings and character constants. */
+#define FOO(x) 'x'
+int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
+
+int test (int i, double x);
+struct s1 {int (*f) (int a);};
+struct s2 {int (*f) (double a);};
+int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
+int argc;
+char **argv;
+int
+main ()
+{
+return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1];
+ ;
+ return 0;
+}
+_ACEOF
+for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
+ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+do
+ CC="$ac_save_CC $ac_arg"
+ rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_cv_prog_cc_c89=$ac_arg
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext
+ test "x$ac_cv_prog_cc_c89" != "xno" && break
+done
+rm -f conftest.$ac_ext
+CC=$ac_save_CC
+
+fi
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c89" in
+ x)
+ { echo "$as_me:$LINENO: result: none needed" >&5
+echo "${ECHO_T}none needed" >&6; } ;;
+ xno)
+ { echo "$as_me:$LINENO: result: unsupported" >&5
+echo "${ECHO_T}unsupported" >&6; } ;;
+ *)
+ CC="$CC $ac_cv_prog_cc_c89"
+ { echo "$as_me:$LINENO: result: $ac_cv_prog_cc_c89" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_c89" >&6; } ;;
+esac
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+depcc="$CC" am_compiler_list=
+
+{ echo "$as_me:$LINENO: checking dependency style of $depcc" >&5
+echo $ECHO_N "checking dependency style of $depcc... $ECHO_C" >&6; }
+if test "${am_cv_CC_dependencies_compiler_type+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
+ # We make a subdir and do the tests there. Otherwise we can end up
+ # making bogus files that we don't know about and never remove. For
+ # instance it was reported that on HP-UX the gcc test will end up
+ # making a dummy file named `D' -- because `-MD' means `put the output
+ # in D'.
+ mkdir conftest.dir
+ # Copy depcomp to subdir because otherwise we won't find it if we're
+ # using a relative directory.
+ cp "$am_depcomp" conftest.dir
+ cd conftest.dir
+ # We will build objects and dependencies in a subdirectory because
+ # it helps to detect inapplicable dependency modes. For instance
+ # both Tru64's cc and ICC support -MD to output dependencies as a
+ # side effect of compilation, but ICC will put the dependencies in
+ # the current directory while Tru64 will put them in the object
+ # directory.
+ mkdir sub
+
+ am_cv_CC_dependencies_compiler_type=none
+ if test "$am_compiler_list" = ""; then
+ am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp`
+ fi
+ for depmode in $am_compiler_list; do
+ # Setup a source with many dependencies, because some compilers
+ # like to wrap large dependency lists on column 80 (with \), and
+ # we should not choose a depcomp mode which is confused by this.
+ #
+ # We need to recreate these files for each test, as the compiler may
+ # overwrite some of them when testing with obscure command lines.
+ # This happens at least with the AIX C compiler.
+ : > sub/conftest.c
+ for i in 1 2 3 4 5 6; do
+ echo '#include "conftst'$i'.h"' >> sub/conftest.c
+ # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
+ # Solaris 8's {/usr,}/bin/sh.
+ touch sub/conftst$i.h
+ done
+ echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf
+
+ case $depmode in
+ nosideeffect)
+ # after this tag, mechanisms are not by side-effect, so they'll
+ # only be used when explicitly requested
+ if test "x$enable_dependency_tracking" = xyes; then
+ continue
+ else
+ break
+ fi
+ ;;
+ none) break ;;
+ esac
+ # We check with `-c' and `-o' for the sake of the "dashmstdout"
+ # mode. It turns out that the SunPro C++ compiler does not properly
+ # handle `-M -o', and we need to detect this.
+ if depmode=$depmode \
+ source=sub/conftest.c object=sub/conftest.${OBJEXT-o} \
+ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
+ $SHELL ./depcomp $depcc -c -o sub/conftest.${OBJEXT-o} sub/conftest.c \
+ >/dev/null 2>conftest.err &&
+ grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
+ grep sub/conftest.${OBJEXT-o} sub/conftest.Po > /dev/null 2>&1 &&
+ ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
+ # icc doesn't choke on unknown options, it will just issue warnings
+ # or remarks (even with -Werror). So we grep stderr for any message
+ # that says an option was ignored or not supported.
+ # When given -MP, icc 7.0 and 7.1 complain thusly:
+ # icc: Command line warning: ignoring option '-M'; no argument required
+ # The diagnosis changed in icc 8.0:
+ # icc: Command line remark: option '-MP' not supported
+ if (grep 'ignoring option' conftest.err ||
+ grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
+ am_cv_CC_dependencies_compiler_type=$depmode
+ break
+ fi
+ fi
+ done
+
+ cd ..
+ rm -rf conftest.dir
+else
+ am_cv_CC_dependencies_compiler_type=none
+fi
+
+fi
+{ echo "$as_me:$LINENO: result: $am_cv_CC_dependencies_compiler_type" >&5
+echo "${ECHO_T}$am_cv_CC_dependencies_compiler_type" >&6; }
+CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type
+
+
+
+if
+ test "x$enable_dependency_tracking" != xno \
+ && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then
+ am__fastdepCC_TRUE=
+ am__fastdepCC_FALSE='#'
+else
+ am__fastdepCC_TRUE='#'
+ am__fastdepCC_FALSE=
+fi
+
+
+# Extract the first word of "gperf", so it can be a program name with args.
+set dummy gperf; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_GPERF+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ case $GPERF in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_GPERF="$GPERF" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_path_GPERF="$as_dir/$ac_word$ac_exec_ext"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+GPERF=$ac_cv_path_GPERF
+if test -n "$GPERF"; then
+ { echo "$as_me:$LINENO: result: $GPERF" >&5
+echo "${ECHO_T}$GPERF" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+# Extract the first word of "perl", so it can be a program name with args.
+set dummy perl; ac_word=$2
+{ echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6; }
+if test "${ac_cv_path_PERL+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ case $PERL in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_PERL="$PERL" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+PERL=$ac_cv_path_PERL
+if test -n "$PERL"; then
+ { echo "$as_me:$LINENO: result: $PERL" >&5
+echo "${ECHO_T}$PERL" >&6; }
+else
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+fi
+
+
+
+
+
+for ac_func in backtrace
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char $ac_func (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ eval "$as_ac_var=yes"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+for ac_func in getifaddrs
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char $ac_func (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ eval "$as_ac_var=yes"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
+{ echo "$as_me:$LINENO: checking for main in -lgmp" >&5
+echo $ECHO_N "checking for main in -lgmp... $ECHO_C" >&6; }
+if test "${ac_cv_lib_gmp_main+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lgmp $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+
+int
+main ()
+{
+return main ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_lib_gmp_main=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_gmp_main=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_gmp_main" >&5
+echo "${ECHO_T}$ac_cv_lib_gmp_main" >&6; }
+if test $ac_cv_lib_gmp_main = yes; then
+ LIBS="$LIBS"
+else
+ { { echo "$as_me:$LINENO: error: GNU Multi Precision library gmp not found" >&5
+echo "$as_me: error: GNU Multi Precision library gmp not found" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_gmp=ac_cv_lib_gmp_main
+
+if test "$ldap" = "true"; then
+ { echo "$as_me:$LINENO: checking for main in -lldap" >&5
+echo $ECHO_N "checking for main in -lldap... $ECHO_C" >&6; }
+if test "${ac_cv_lib_ldap_main+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lldap $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+
+int
+main ()
+{
+return main ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_lib_ldap_main=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_ldap_main=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_ldap_main" >&5
+echo "${ECHO_T}$ac_cv_lib_ldap_main" >&6; }
+if test $ac_cv_lib_ldap_main = yes; then
+ LIBS="$LIBS"
+else
+ { { echo "$as_me:$LINENO: error: LDAP enabled, but library ldap not found" >&5
+echo "$as_me: error: LDAP enabled, but library ldap not found" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_ldap=ac_cv_lib_ldap_main
+
+ { echo "$as_me:$LINENO: checking for main in -llber" >&5
+echo $ECHO_N "checking for main in -llber... $ECHO_C" >&6; }
+if test "${ac_cv_lib_lber_main+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-llber $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+
+int
+main ()
+{
+return main ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_lib_lber_main=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_lber_main=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_lber_main" >&5
+echo "${ECHO_T}$ac_cv_lib_lber_main" >&6; }
+if test $ac_cv_lib_lber_main = yes; then
+ LIBS="$LIBS"
+else
+ { { echo "$as_me:$LINENO: error: LDAP enabled, but library lber not found" >&5
+echo "$as_me: error: LDAP enabled, but library lber not found" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_lber=ac_cv_lib_lber_main
+
+fi
+if test "$http" = "true"; then
+ { echo "$as_me:$LINENO: checking for main in -lcurl" >&5
+echo $ECHO_N "checking for main in -lcurl... $ECHO_C" >&6; }
+if test "${ac_cv_lib_curl_main+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lcurl $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+
+int
+main ()
+{
+return main ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_lib_curl_main=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_curl_main=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_curl_main" >&5
+echo "${ECHO_T}$ac_cv_lib_curl_main" >&6; }
+if test $ac_cv_lib_curl_main = yes; then
+ LIBS="$LIBS"
+else
+ { { echo "$as_me:$LINENO: error: HTTP enabled, but library curl not found" >&5
+echo "$as_me: error: HTTP enabled, but library curl not found" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+ac_cv_lib_curl=ac_cv_lib_curl_main
+
+fi
+
+
+
+
+{ echo "$as_me:$LINENO: checking gmp.h version >= 4.1.4" >&5
+echo $ECHO_N "checking gmp.h version >= 4.1.4... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include "gmp.h"
+int
+main ()
+{
+
+ #if (__GNU_MP_VERSION*100 + __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
+ #error bad gmp
+ #endif
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }; { { echo "$as_me:$LINENO: error: No usable gmp.h found!" >&5
+echo "$as_me: error: No usable gmp.h found!" >&2;}
+ { (exit 1); exit 1; }; }
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+if test "$ldap" = "true"; then
+ if test "${ac_cv_header_ldap_h+set}" = set; then
+ { echo "$as_me:$LINENO: checking for ldap.h" >&5
+echo $ECHO_N "checking for ldap.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_ldap_h+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
+echo "${ECHO_T}$ac_cv_header_ldap_h" >&6; }
+else
+ # Is the header compilable?
+{ echo "$as_me:$LINENO: checking ldap.h usability" >&5
+echo $ECHO_N "checking ldap.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <ldap.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_header_compiler=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking ldap.h presence" >&5
+echo $ECHO_N "checking ldap.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ldap.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ ac_header_preproc=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { echo "$as_me:$LINENO: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: ldap.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: ldap.h: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { echo "$as_me:$LINENO: WARNING: ldap.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: ldap.h: present but cannot be compiled" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ldap.h: check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: ldap.h: check for missing prerequisite headers?" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ldap.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: ldap.h: see the Autoconf documentation" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ldap.h: section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: ldap.h: section \"Present But Cannot Be Compiled\"" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ldap.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: ldap.h: proceeding with the preprocessor's result" >&2;}
+ { echo "$as_me:$LINENO: WARNING: ldap.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: ldap.h: in the future, the compiler will take precedence" >&2;}
+
+ ;;
+esac
+{ echo "$as_me:$LINENO: checking for ldap.h" >&5
+echo $ECHO_N "checking for ldap.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_ldap_h+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_cv_header_ldap_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_ldap_h" >&5
+echo "${ECHO_T}$ac_cv_header_ldap_h" >&6; }
+
+fi
+if test $ac_cv_header_ldap_h = yes; then
+ :
+else
+ { { echo "$as_me:$LINENO: error: LDAP enabled, but ldap.h not found!" >&5
+echo "$as_me: error: LDAP enabled, but ldap.h not found!" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+
+fi
+if test "$http" = "true"; then
+ if test "${ac_cv_header_curl_curl_h+set}" = set; then
+ { echo "$as_me:$LINENO: checking for curl/curl.h" >&5
+echo $ECHO_N "checking for curl/curl.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_curl_curl_h+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_curl_curl_h" >&5
+echo "${ECHO_T}$ac_cv_header_curl_curl_h" >&6; }
+else
+ # Is the header compilable?
+{ echo "$as_me:$LINENO: checking curl/curl.h usability" >&5
+echo $ECHO_N "checking curl/curl.h usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <curl/curl.h>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_header_compiler=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking curl/curl.h presence" >&5
+echo $ECHO_N "checking curl/curl.h presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <curl/curl.h>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ ac_header_preproc=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { echo "$as_me:$LINENO: WARNING: curl/curl.h: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: curl/curl.h: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { echo "$as_me:$LINENO: WARNING: curl/curl.h: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: curl/curl.h: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { echo "$as_me:$LINENO: WARNING: curl/curl.h: present but cannot be compiled" >&5
+echo "$as_me: WARNING: curl/curl.h: present but cannot be compiled" >&2;}
+ { echo "$as_me:$LINENO: WARNING: curl/curl.h: check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: curl/curl.h: check for missing prerequisite headers?" >&2;}
+ { echo "$as_me:$LINENO: WARNING: curl/curl.h: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: curl/curl.h: see the Autoconf documentation" >&2;}
+ { echo "$as_me:$LINENO: WARNING: curl/curl.h: section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: curl/curl.h: section \"Present But Cannot Be Compiled\"" >&2;}
+ { echo "$as_me:$LINENO: WARNING: curl/curl.h: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: curl/curl.h: proceeding with the preprocessor's result" >&2;}
+ { echo "$as_me:$LINENO: WARNING: curl/curl.h: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: curl/curl.h: in the future, the compiler will take precedence" >&2;}
+
+ ;;
+esac
+{ echo "$as_me:$LINENO: checking for curl/curl.h" >&5
+echo $ECHO_N "checking for curl/curl.h... $ECHO_C" >&6; }
+if test "${ac_cv_header_curl_curl_h+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_cv_header_curl_curl_h=$ac_header_preproc
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_header_curl_curl_h" >&5
+echo "${ECHO_T}$ac_cv_header_curl_curl_h" >&6; }
+
+fi
+if test $ac_cv_header_curl_curl_h = yes; then
+ :
+else
+ { { echo "$as_me:$LINENO: error: HTTP enabled, but curl.h not found!" >&5
+echo "$as_me: error: HTTP enabled, but curl.h not found!" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+
+fi
+
+
+ac_config_files="$ac_config_files Makefile src/Makefile src/libstrongswan/Makefile src/libcrypto/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile"
+
+cat >confcache <<\_ACEOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs, see configure's option --config-cache.
+# It is not useful on other systems. If it contains results you don't
+# want to keep, you may remove or edit it.
+#
+# config.status only pays attention to the cache file if you give it
+# the --recheck option to rerun configure.
+#
+# `ac_cv_env_foo' variables (set or unset) will be overridden when
+# loading this file, other *unset* `ac_cv_foo' will be assigned the
+# following values.
+
+_ACEOF
+
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, we kill variables containing newlines.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+(
+ for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do
+ eval ac_val=\$$ac_var
+ case $ac_val in #(
+ *${as_nl}*)
+ case $ac_var in #(
+ *_cv_*) { echo "$as_me:$LINENO: WARNING: Cache variable $ac_var contains a newline." >&5
+echo "$as_me: WARNING: Cache variable $ac_var contains a newline." >&2;} ;;
+ esac
+ case $ac_var in #(
+ _ | IFS | as_nl) ;; #(
+ *) $as_unset $ac_var ;;
+ esac ;;
+ esac
+ done
+
+ (set) 2>&1 |
+ case $as_nl`(ac_space=' '; set) 2>&1` in #(
+ *${as_nl}ac_space=\ *)
+ # `set' does not quote correctly, so add quotes (double-quote
+ # substitution turns \\\\ into \\, and sed turns \\ into \).
+ sed -n \
+ "s/'/'\\\\''/g;
+ s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+ ;; #(
+ *)
+ # `set' quotes correctly as required by POSIX, so do not add quotes.
+ sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
+ ;;
+ esac |
+ sort
+) |
+ sed '
+ /^ac_cv_env_/b end
+ t clear
+ :clear
+ s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
+ t end
+ s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+ :end' >>confcache
+if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
+ if test -w "$cache_file"; then
+ test "x$cache_file" != "x/dev/null" &&
+ { echo "$as_me:$LINENO: updating cache $cache_file" >&5
+echo "$as_me: updating cache $cache_file" >&6;}
+ cat confcache >$cache_file
+ else
+ { echo "$as_me:$LINENO: not updating unwritable cache $cache_file" >&5
+echo "$as_me: not updating unwritable cache $cache_file" >&6;}
+ fi
+fi
+rm -f confcache
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+# Let make expand exec_prefix.
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+# Transform confdefs.h into DEFS.
+# Protect against shell expansion while executing Makefile rules.
+# Protect against Makefile macro expansion.
+#
+# If the first sed substitution is executed (which looks for macros that
+# take arguments), then branch to the quote section. Otherwise,
+# look for a macro that doesn't take arguments.
+ac_script='
+t clear
+:clear
+s/^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*([^)]*)\)[ ]*\(.*\)/-D\1=\2/g
+t quote
+s/^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\)/-D\1=\2/g
+t quote
+b any
+:quote
+s/[ `~#$^&*(){}\\|;'\''"<>?]/\\&/g
+s/\[/\\&/g
+s/\]/\\&/g
+s/\$/$$/g
+H
+:any
+${
+ g
+ s/^\n//
+ s/\n/ /g
+ p
+}
+'
+DEFS=`sed -n "$ac_script" confdefs.h`
+
+
+ac_libobjs=
+ac_ltlibobjs=
+for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
+ # 1. Remove the extension, and $U if already installed.
+ ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
+ ac_i=`echo "$ac_i" | sed "$ac_script"`
+ # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR
+ # will be set to the directory where LIBOBJS objects are built.
+ ac_libobjs="$ac_libobjs \${LIBOBJDIR}$ac_i\$U.$ac_objext"
+ ac_ltlibobjs="$ac_ltlibobjs \${LIBOBJDIR}$ac_i"'$U.lo'
+done
+LIBOBJS=$ac_libobjs
+
+LTLIBOBJS=$ac_ltlibobjs
+
+
+if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"AMDEP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"AMDEP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"am__fastdepCC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_LIBCURL_TRUE}" && test -z "${USE_LIBCURL_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"USE_LIBCURL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_LIBCURL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_LIBLDAP_TRUE}" && test -z "${USE_LIBLDAP_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"USE_LIBLDAP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_LIBLDAP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_SMARTCARD_TRUE}" && test -z "${USE_SMARTCARD_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"USE_SMARTCARD\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_SMARTCARD\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_CISCO_QUIRKS_TRUE}" && test -z "${USE_CISCO_QUIRKS_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"USE_CISCO_QUIRKS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_CISCO_QUIRKS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_LEAK_DETECTIVE_TRUE}" && test -z "${USE_LEAK_DETECTIVE_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"USE_LEAK_DETECTIVE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_LEAK_DETECTIVE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+if test -z "${BUILD_EAP_SIM_TRUE}" && test -z "${BUILD_EAP_SIM_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"BUILD_EAP_SIM\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"BUILD_EAP_SIM\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_NAT_TRANSPORT_TRUE}" && test -z "${USE_NAT_TRANSPORT_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"USE_NAT_TRANSPORT\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_NAT_TRANSPORT\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+if test -z "${USE_VENDORID_TRUE}" && test -z "${USE_VENDORID_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"USE_VENDORID\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"USE_VENDORID\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+if test -z "${am__fastdepCXX_TRUE}" && test -z "${am__fastdepCXX_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCXX\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"am__fastdepCXX\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"am__fastdepCC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+: ${CONFIG_STATUS=./config.status}
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files $CONFIG_STATUS"
+{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
+echo "$as_me: creating $CONFIG_STATUS" >&6;}
+cat >$CONFIG_STATUS <<_ACEOF
+#! $SHELL
+# Generated by $as_me.
+# Run this file to recreate the current configuration.
+# Compiler output produced by configure, useful for debugging
+# configure, is in config.log if it exists.
+
+debug=false
+ac_cs_recheck=false
+ac_cs_silent=false
+SHELL=\${CONFIG_SHELL-$SHELL}
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+## --------------------- ##
+## M4sh Initialization. ##
+## --------------------- ##
+
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+ emulate sh
+ NULLCMD=:
+ # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in
+ *posix*) set -o posix ;;
+esac
+
+fi
+
+
+
+
+# PATH needs CR
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+ echo "#! /bin/sh" >conf$$.sh
+ echo "exit 0" >>conf$$.sh
+ chmod +x conf$$.sh
+ if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+ PATH_SEPARATOR=';'
+ else
+ PATH_SEPARATOR=:
+ fi
+ rm -f conf$$.sh
+fi
+
+# Support unset when possible.
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+ as_unset=unset
+else
+ as_unset=false
+fi
+
+
+# IFS
+# We need space, tab and new line, in precisely that order. Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+as_nl='
+'
+IFS=" "" $as_nl"
+
+# Find who we are. Look in the path if we contain no directory separator.
+case $0 in
+ *[\\/]* ) as_myself=$0 ;;
+ *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+done
+IFS=$as_save_IFS
+
+ ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+ as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+ echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+ { (exit 1); exit 1; }
+fi
+
+# Work around bugs in pre-3.0 UWIN ksh.
+for as_var in ENV MAIL MAILPATH
+do ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+done
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+for as_var in \
+ LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+ LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+ LC_TELEPHONE LC_TIME
+do
+ if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+ eval $as_var=C; export $as_var
+ else
+ ($as_unset $as_var) >/dev/null 2>&1 && $as_unset $as_var
+ fi
+done
+
+# Required to use basename.
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
+ as_expr=expr
+else
+ as_expr=false
+fi
+
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+ as_basename=basename
+else
+ as_basename=false
+fi
+
+
+# Name of the executable.
+as_me=`$as_basename -- "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+ X"$0" : 'X\(//\)$' \| \
+ X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+echo X/"$0" |
+ sed '/^.*\/\([^/][^/]*\)\/*$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+
+# CDPATH.
+$as_unset CDPATH
+
+
+
+ as_lineno_1=$LINENO
+ as_lineno_2=$LINENO
+ test "x$as_lineno_1" != "x$as_lineno_2" &&
+ test "x`expr $as_lineno_1 + 1`" = "x$as_lineno_2" || {
+
+ # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+ # uniformly replaced by the line number. The first 'sed' inserts a
+ # line-number line after each line using $LINENO; the second 'sed'
+ # does the real work. The second script uses 'N' to pair each
+ # line-number line with the line containing $LINENO, and appends
+ # trailing '-' during substitution so that $LINENO is not a special
+ # case at line end.
+ # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+ # scripts with optimization help from Paolo Bonzini. Blame Lee
+ # E. McMahon (1931-1989) for sed's syntax. :-)
+ sed -n '
+ p
+ /[$]LINENO/=
+ ' <$as_myself |
+ sed '
+ s/[$]LINENO.*/&-/
+ t lineno
+ b
+ :lineno
+ N
+ :loop
+ s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
+ t loop
+ s/-\n.*//
+ ' >$as_me.lineno &&
+ chmod +x "$as_me.lineno" ||
+ { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+ { (exit 1); exit 1; }; }
+
+ # Don't try to exec as it changes $[0], causing all sort of problems
+ # (the dirname of $[0] is not the place where we might find the
+ # original and so on. Autoconf is especially sensitive to this).
+ . "./$as_me.lineno"
+ # Exit status is that of the last command.
+ exit
+}
+
+
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+ as_dirname=dirname
+else
+ as_dirname=false
+fi
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in
+-n*)
+ case `echo 'x\c'` in
+ *c*) ECHO_T=' ';; # ECHO_T is single tab character.
+ *) ECHO_C='\c';;
+ esac;;
+*)
+ ECHO_N='-n';;
+esac
+
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
+ as_expr=expr
+else
+ as_expr=false
+fi
+
+rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+ rm -f conf$$.dir/conf$$.file
+else
+ rm -f conf$$.dir
+ mkdir conf$$.dir
+fi
+echo >conf$$.file
+if ln -s conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s='ln -s'
+ # ... but there are two gotchas:
+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+ # In both cases, we have to default to `cp -p'.
+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+ as_ln_s='cp -p'
+elif ln conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s=ln
+else
+ as_ln_s='cp -p'
+fi
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
+
+if mkdir -p . 2>/dev/null; then
+ as_mkdir_p=:
+else
+ test -d ./-p && rmdir ./-p
+ as_mkdir_p=false
+fi
+
+if test -x / >/dev/null 2>&1; then
+ as_test_x='test -x'
+else
+ if ls -dL / >/dev/null 2>&1; then
+ as_ls_L_option=L
+ else
+ as_ls_L_option=
+ fi
+ as_test_x='
+ eval sh -c '\''
+ if test -d "$1"; then
+ test -d "$1/.";
+ else
+ case $1 in
+ -*)set "./$1";;
+ esac;
+ case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in
+ ???[sx]*):;;*)false;;esac;fi
+ '\'' sh
+ '
+fi
+as_executable_p=$as_test_x
+
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+
+
+exec 6>&1
+
+# Save the log message, to keep $[0] and so on meaningful, and to
+# report actual input values of CONFIG_FILES etc. instead of their
+# values after options handling.
+ac_log="
+This file was extended by strongSwan $as_me 4.1.1, which was
+generated by GNU Autoconf 2.61. Invocation command line was
+
+ CONFIG_FILES = $CONFIG_FILES
+ CONFIG_HEADERS = $CONFIG_HEADERS
+ CONFIG_LINKS = $CONFIG_LINKS
+ CONFIG_COMMANDS = $CONFIG_COMMANDS
+ $ $0 $@
+
+on `(hostname || uname -n) 2>/dev/null | sed 1q`
+"
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<_ACEOF
+# Files that config.status was made for.
+config_files="$ac_config_files"
+config_commands="$ac_config_commands"
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+ac_cs_usage="\
+\`$as_me' instantiates files from templates according to the
+current configuration.
+
+Usage: $0 [OPTIONS] [FILE]...
+
+ -h, --help print this help, then exit
+ -V, --version print version number and configuration settings, then exit
+ -q, --quiet do not print progress messages
+ -d, --debug don't remove temporary files
+ --recheck update $as_me by reconfiguring in the same conditions
+ --file=FILE[:TEMPLATE]
+ instantiate the configuration file FILE
+
+Configuration files:
+$config_files
+
+Configuration commands:
+$config_commands
+
+Report bugs to <bug-autoconf@gnu.org>."
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+ac_cs_version="\\
+strongSwan config.status 4.1.1
+configured by $0, generated by GNU Autoconf 2.61,
+ with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
+
+Copyright (C) 2006 Free Software Foundation, Inc.
+This config.status script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it."
+
+ac_pwd='$ac_pwd'
+srcdir='$srcdir'
+INSTALL='$INSTALL'
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+# If no file are specified by the user, then we need to provide default
+# value. By we need to know if files were specified by the user.
+ac_need_defaults=:
+while test $# != 0
+do
+ case $1 in
+ --*=*)
+ ac_option=`expr "X$1" : 'X\([^=]*\)='`
+ ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
+ ac_shift=:
+ ;;
+ *)
+ ac_option=$1
+ ac_optarg=$2
+ ac_shift=shift
+ ;;
+ esac
+
+ case $ac_option in
+ # Handling of the options.
+ -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+ ac_cs_recheck=: ;;
+ --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
+ echo "$ac_cs_version"; exit ;;
+ --debug | --debu | --deb | --de | --d | -d )
+ debug=: ;;
+ --file | --fil | --fi | --f )
+ $ac_shift
+ CONFIG_FILES="$CONFIG_FILES $ac_optarg"
+ ac_need_defaults=false;;
+ --he | --h | --help | --hel | -h )
+ echo "$ac_cs_usage"; exit ;;
+ -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+ | -silent | --silent | --silen | --sile | --sil | --si | --s)
+ ac_cs_silent=: ;;
+
+ # This is an error.
+ -*) { echo "$as_me: error: unrecognized option: $1
+Try \`$0 --help' for more information." >&2
+ { (exit 1); exit 1; }; } ;;
+
+ *) ac_config_targets="$ac_config_targets $1"
+ ac_need_defaults=false ;;
+
+ esac
+ shift
+done
+
+ac_configure_extra_args=
+
+if $ac_cs_silent; then
+ exec 6>/dev/null
+ ac_configure_extra_args="$ac_configure_extra_args --silent"
+fi
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+if \$ac_cs_recheck; then
+ echo "running CONFIG_SHELL=$SHELL $SHELL $0 "$ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
+ CONFIG_SHELL=$SHELL
+ export CONFIG_SHELL
+ exec $SHELL "$0"$ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+fi
+
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+exec 5>>config.log
+{
+ echo
+ sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
+## Running $as_me. ##
+_ASBOX
+ echo "$ac_log"
+} >&5
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+#
+# INIT-COMMANDS
+#
+AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+
+# Handling of arguments.
+for ac_config_target in $ac_config_targets
+do
+ case $ac_config_target in
+ "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
+ "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+ "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;;
+ "src/libstrongswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/Makefile" ;;
+ "src/libcrypto/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcrypto/Makefile" ;;
+ "src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;;
+ "src/pluto/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/Makefile" ;;
+ "src/whack/Makefile") CONFIG_FILES="$CONFIG_FILES src/whack/Makefile" ;;
+ "src/charon/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/Makefile" ;;
+ "src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;;
+ "src/ipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/ipsec/Makefile" ;;
+ "src/starter/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/Makefile" ;;
+ "src/_updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown/Makefile" ;;
+ "src/_updown_espmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown_espmark/Makefile" ;;
+ "src/_copyright/Makefile") CONFIG_FILES="$CONFIG_FILES src/_copyright/Makefile" ;;
+ "src/openac/Makefile") CONFIG_FILES="$CONFIG_FILES src/openac/Makefile" ;;
+ "src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;;
+
+ *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
+echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
+ { (exit 1); exit 1; }; };;
+ esac
+done
+
+
+# If the user did not use the arguments to specify the items to instantiate,
+# then the envvar interface is used. Set only those that are not.
+# We use the long form for the default assignment because of an extremely
+# bizarre bug on SunOS 4.1.3.
+if $ac_need_defaults; then
+ test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
+ test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands
+fi
+
+# Have a temporary directory for convenience. Make it in the build tree
+# simply because there is no reason against having it here, and in addition,
+# creating and moving files from /tmp can sometimes cause problems.
+# Hook for its removal unless debugging.
+# Note that there is a small window in which the directory will not be cleaned:
+# after its creation but before its name has been assigned to `$tmp'.
+$debug ||
+{
+ tmp=
+ trap 'exit_status=$?
+ { test -z "$tmp" || test ! -d "$tmp" || rm -fr "$tmp"; } && exit $exit_status
+' 0
+ trap '{ (exit 1); exit 1; }' 1 2 13 15
+}
+# Create a (secure) tmp directory for tmp files.
+
+{
+ tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
+ test -n "$tmp" && test -d "$tmp"
+} ||
+{
+ tmp=./conf$$-$RANDOM
+ (umask 077 && mkdir "$tmp")
+} ||
+{
+ echo "$me: cannot create a temporary directory in ." >&2
+ { (exit 1); exit 1; }
+}
+
+#
+# Set up the sed scripts for CONFIG_FILES section.
+#
+
+# No need to generate the scripts if there are no CONFIG_FILES.
+# This happens for instance when ./config.status config.h
+if test -n "$CONFIG_FILES"; then
+
+_ACEOF
+
+
+
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+ cat >conf$$subs.sed <<_ACEOF
+SHELL!$SHELL$ac_delim
+PATH_SEPARATOR!$PATH_SEPARATOR$ac_delim
+PACKAGE_NAME!$PACKAGE_NAME$ac_delim
+PACKAGE_TARNAME!$PACKAGE_TARNAME$ac_delim
+PACKAGE_VERSION!$PACKAGE_VERSION$ac_delim
+PACKAGE_STRING!$PACKAGE_STRING$ac_delim
+PACKAGE_BUGREPORT!$PACKAGE_BUGREPORT$ac_delim
+exec_prefix!$exec_prefix$ac_delim
+prefix!$prefix$ac_delim
+program_transform_name!$program_transform_name$ac_delim
+bindir!$bindir$ac_delim
+sbindir!$sbindir$ac_delim
+libexecdir!$libexecdir$ac_delim
+datarootdir!$datarootdir$ac_delim
+datadir!$datadir$ac_delim
+sysconfdir!$sysconfdir$ac_delim
+sharedstatedir!$sharedstatedir$ac_delim
+localstatedir!$localstatedir$ac_delim
+includedir!$includedir$ac_delim
+oldincludedir!$oldincludedir$ac_delim
+docdir!$docdir$ac_delim
+infodir!$infodir$ac_delim
+htmldir!$htmldir$ac_delim
+dvidir!$dvidir$ac_delim
+pdfdir!$pdfdir$ac_delim
+psdir!$psdir$ac_delim
+libdir!$libdir$ac_delim
+localedir!$localedir$ac_delim
+mandir!$mandir$ac_delim
+DEFS!$DEFS$ac_delim
+ECHO_C!$ECHO_C$ac_delim
+ECHO_N!$ECHO_N$ac_delim
+ECHO_T!$ECHO_T$ac_delim
+LIBS!$LIBS$ac_delim
+build_alias!$build_alias$ac_delim
+host_alias!$host_alias$ac_delim
+target_alias!$target_alias$ac_delim
+INSTALL_PROGRAM!$INSTALL_PROGRAM$ac_delim
+INSTALL_SCRIPT!$INSTALL_SCRIPT$ac_delim
+INSTALL_DATA!$INSTALL_DATA$ac_delim
+CYGPATH_W!$CYGPATH_W$ac_delim
+PACKAGE!$PACKAGE$ac_delim
+VERSION!$VERSION$ac_delim
+ACLOCAL!$ACLOCAL$ac_delim
+AUTOCONF!$AUTOCONF$ac_delim
+AUTOMAKE!$AUTOMAKE$ac_delim
+AUTOHEADER!$AUTOHEADER$ac_delim
+MAKEINFO!$MAKEINFO$ac_delim
+install_sh!$install_sh$ac_delim
+STRIP!$STRIP$ac_delim
+INSTALL_STRIP_PROGRAM!$INSTALL_STRIP_PROGRAM$ac_delim
+mkdir_p!$mkdir_p$ac_delim
+AWK!$AWK$ac_delim
+SET_MAKE!$SET_MAKE$ac_delim
+am__leading_dot!$am__leading_dot$ac_delim
+AMTAR!$AMTAR$ac_delim
+am__tar!$am__tar$ac_delim
+am__untar!$am__untar$ac_delim
+CC!$CC$ac_delim
+CFLAGS!$CFLAGS$ac_delim
+LDFLAGS!$LDFLAGS$ac_delim
+CPPFLAGS!$CPPFLAGS$ac_delim
+ac_ct_CC!$ac_ct_CC$ac_delim
+EXEEXT!$EXEEXT$ac_delim
+OBJEXT!$OBJEXT$ac_delim
+DEPDIR!$DEPDIR$ac_delim
+am__include!$am__include$ac_delim
+am__quote!$am__quote$ac_delim
+AMDEP_TRUE!$AMDEP_TRUE$ac_delim
+AMDEP_FALSE!$AMDEP_FALSE$ac_delim
+AMDEPBACKSLASH!$AMDEPBACKSLASH$ac_delim
+CCDEPMODE!$CCDEPMODE$ac_delim
+am__fastdepCC_TRUE!$am__fastdepCC_TRUE$ac_delim
+am__fastdepCC_FALSE!$am__fastdepCC_FALSE$ac_delim
+CPP!$CPP$ac_delim
+GREP!$GREP$ac_delim
+EGREP!$EGREP$ac_delim
+confdir!$confdir$ac_delim
+ipsecdir!$ipsecdir$ac_delim
+piddir!$piddir$ac_delim
+eapdir!$eapdir$ac_delim
+USE_LIBCURL_TRUE!$USE_LIBCURL_TRUE$ac_delim
+USE_LIBCURL_FALSE!$USE_LIBCURL_FALSE$ac_delim
+USE_LIBLDAP_TRUE!$USE_LIBLDAP_TRUE$ac_delim
+USE_LIBLDAP_FALSE!$USE_LIBLDAP_FALSE$ac_delim
+USE_SMARTCARD_TRUE!$USE_SMARTCARD_TRUE$ac_delim
+USE_SMARTCARD_FALSE!$USE_SMARTCARD_FALSE$ac_delim
+USE_CISCO_QUIRKS_TRUE!$USE_CISCO_QUIRKS_TRUE$ac_delim
+USE_CISCO_QUIRKS_FALSE!$USE_CISCO_QUIRKS_FALSE$ac_delim
+USE_LEAK_DETECTIVE_TRUE!$USE_LEAK_DETECTIVE_TRUE$ac_delim
+USE_LEAK_DETECTIVE_FALSE!$USE_LEAK_DETECTIVE_FALSE$ac_delim
+BUILD_EAP_SIM_TRUE!$BUILD_EAP_SIM_TRUE$ac_delim
+BUILD_EAP_SIM_FALSE!$BUILD_EAP_SIM_FALSE$ac_delim
+USE_NAT_TRANSPORT_TRUE!$USE_NAT_TRANSPORT_TRUE$ac_delim
+USE_NAT_TRANSPORT_FALSE!$USE_NAT_TRANSPORT_FALSE$ac_delim
+USE_VENDORID_TRUE!$USE_VENDORID_TRUE$ac_delim
+USE_VENDORID_FALSE!$USE_VENDORID_FALSE$ac_delim
+_ACEOF
+
+ if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
+ break
+ elif $ac_last_try; then
+ { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+ { (exit 1); exit 1; }; }
+ else
+ ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+ fi
+done
+
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+ ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+ ac_eof=`expr $ac_eof + 1`
+fi
+
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-1.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+_ACEOF
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+CEOF$ac_eof
+_ACEOF
+
+
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+ cat >conf$$subs.sed <<_ACEOF
+build!$build$ac_delim
+build_cpu!$build_cpu$ac_delim
+build_vendor!$build_vendor$ac_delim
+build_os!$build_os$ac_delim
+host!$host$ac_delim
+host_cpu!$host_cpu$ac_delim
+host_vendor!$host_vendor$ac_delim
+host_os!$host_os$ac_delim
+LN_S!$LN_S$ac_delim
+ECHO!$ECHO$ac_delim
+AR!$AR$ac_delim
+RANLIB!$RANLIB$ac_delim
+CXX!$CXX$ac_delim
+CXXFLAGS!$CXXFLAGS$ac_delim
+ac_ct_CXX!$ac_ct_CXX$ac_delim
+CXXDEPMODE!$CXXDEPMODE$ac_delim
+am__fastdepCXX_TRUE!$am__fastdepCXX_TRUE$ac_delim
+am__fastdepCXX_FALSE!$am__fastdepCXX_FALSE$ac_delim
+CXXCPP!$CXXCPP$ac_delim
+F77!$F77$ac_delim
+FFLAGS!$FFLAGS$ac_delim
+ac_ct_F77!$ac_ct_F77$ac_delim
+LIBTOOL!$LIBTOOL$ac_delim
+LEX!$LEX$ac_delim
+LEX_OUTPUT_ROOT!$LEX_OUTPUT_ROOT$ac_delim
+LEXLIB!$LEXLIB$ac_delim
+YACC!$YACC$ac_delim
+YFLAGS!$YFLAGS$ac_delim
+GPERF!$GPERF$ac_delim
+PERL!$PERL$ac_delim
+LIBOBJS!$LIBOBJS$ac_delim
+LTLIBOBJS!$LTLIBOBJS$ac_delim
+_ACEOF
+
+ if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 32; then
+ break
+ elif $ac_last_try; then
+ { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
+echo "$as_me: error: could not make $CONFIG_STATUS" >&2;}
+ { (exit 1); exit 1; }; }
+ else
+ ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+ fi
+done
+
+ac_eof=`sed -n '/^CEOF[0-9]*$/s/CEOF/0/p' conf$$subs.sed`
+if test -n "$ac_eof"; then
+ ac_eof=`echo "$ac_eof" | sort -nru | sed 1q`
+ ac_eof=`expr $ac_eof + 1`
+fi
+
+cat >>$CONFIG_STATUS <<_ACEOF
+cat >"\$tmp/subs-2.sed" <<\CEOF$ac_eof
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b end
+_ACEOF
+sed '
+s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g
+s/^/s,@/; s/!/@,|#_!!_#|/
+:n
+t n
+s/'"$ac_delim"'$/,g/; t
+s/$/\\/; p
+N; s/^.*\n//; s/[,\\&]/\\&/g; s/@/@|#_!!_#|/g; b n
+' >>$CONFIG_STATUS <conf$$subs.sed
+rm -f conf$$subs.sed
+cat >>$CONFIG_STATUS <<_ACEOF
+:end
+s/|#_!!_#|//g
+CEOF$ac_eof
+_ACEOF
+
+
+# VPATH may cause trouble with some makes, so we remove $(srcdir),
+# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
+# trailing colons and then remove the whole line if VPATH becomes empty
+# (actually we leave an empty line to preserve line numbers).
+if test "x$srcdir" = x.; then
+ ac_vpsub='/^[ ]*VPATH[ ]*=/{
+s/:*\$(srcdir):*/:/
+s/:*\${srcdir}:*/:/
+s/:*@srcdir@:*/:/
+s/^\([^=]*=[ ]*\):*/\1/
+s/:*$//
+s/^[^=]*=[ ]*$//
+}'
+fi
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+fi # test -n "$CONFIG_FILES"
+
+
+for ac_tag in :F $CONFIG_FILES :C $CONFIG_COMMANDS
+do
+ case $ac_tag in
+ :[FHLC]) ac_mode=$ac_tag; continue;;
+ esac
+ case $ac_mode$ac_tag in
+ :[FHL]*:*);;
+ :L* | :C*:*) { { echo "$as_me:$LINENO: error: Invalid tag $ac_tag." >&5
+echo "$as_me: error: Invalid tag $ac_tag." >&2;}
+ { (exit 1); exit 1; }; };;
+ :[FH]-) ac_tag=-:-;;
+ :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
+ esac
+ ac_save_IFS=$IFS
+ IFS=:
+ set x $ac_tag
+ IFS=$ac_save_IFS
+ shift
+ ac_file=$1
+ shift
+
+ case $ac_mode in
+ :L) ac_source=$1;;
+ :[FH])
+ ac_file_inputs=
+ for ac_f
+ do
+ case $ac_f in
+ -) ac_f="$tmp/stdin";;
+ *) # Look for the file first in the build tree, then in the source tree
+ # (if the path is not absolute). The absolute path cannot be DOS-style,
+ # because $ac_f cannot contain `:'.
+ test -f "$ac_f" ||
+ case $ac_f in
+ [\\/$]*) false;;
+ *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
+ esac ||
+ { { echo "$as_me:$LINENO: error: cannot find input file: $ac_f" >&5
+echo "$as_me: error: cannot find input file: $ac_f" >&2;}
+ { (exit 1); exit 1; }; };;
+ esac
+ ac_file_inputs="$ac_file_inputs $ac_f"
+ done
+
+ # Let's still pretend it is `configure' which instantiates (i.e., don't
+ # use $as_me), people would be surprised to read:
+ # /* config.h. Generated by config.status. */
+ configure_input="Generated from "`IFS=:
+ echo $* | sed 's|^[^:]*/||;s|:[^:]*/|, |g'`" by configure."
+ if test x"$ac_file" != x-; then
+ configure_input="$ac_file. $configure_input"
+ { echo "$as_me:$LINENO: creating $ac_file" >&5
+echo "$as_me: creating $ac_file" >&6;}
+ fi
+
+ case $ac_tag in
+ *:-:* | *:-) cat >"$tmp/stdin";;
+ esac
+ ;;
+ esac
+
+ ac_dir=`$as_dirname -- "$ac_file" ||
+$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$ac_file" : 'X\(//\)[^/]' \| \
+ X"$ac_file" : 'X\(//\)$' \| \
+ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$ac_file" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ { as_dir="$ac_dir"
+ case $as_dir in #(
+ -*) as_dir=./$as_dir;;
+ esac
+ test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
+ as_dirs=
+ while :; do
+ case $as_dir in #(
+ *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
+ *) as_qdir=$as_dir;;
+ esac
+ as_dirs="'$as_qdir' $as_dirs"
+ as_dir=`$as_dirname -- "$as_dir" ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$as_dir" : 'X\(//\)[^/]' \| \
+ X"$as_dir" : 'X\(//\)$' \| \
+ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$as_dir" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ test -d "$as_dir" && break
+ done
+ test -z "$as_dirs" || eval "mkdir $as_dirs"
+ } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+echo "$as_me: error: cannot create directory $as_dir" >&2;}
+ { (exit 1); exit 1; }; }; }
+ ac_builddir=.
+
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
+ ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
+ # A ".." for each directory in $ac_dir_suffix.
+ ac_top_builddir_sub=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,/..,g;s,/,,'`
+ case $ac_top_builddir_sub in
+ "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+ esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
+
+case $srcdir in
+ .) # We are building in place.
+ ac_srcdir=.
+ ac_top_srcdir=$ac_top_builddir_sub
+ ac_abs_top_srcdir=$ac_pwd ;;
+ [\\/]* | ?:[\\/]* ) # Absolute name.
+ ac_srcdir=$srcdir$ac_dir_suffix;
+ ac_top_srcdir=$srcdir
+ ac_abs_top_srcdir=$srcdir ;;
+ *) # Relative name.
+ ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+ ac_top_srcdir=$ac_top_build_prefix$srcdir
+ ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
+esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
+
+
+ case $ac_mode in
+ :F)
+ #
+ # CONFIG_FILE
+ #
+
+ case $INSTALL in
+ [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
+ *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;;
+ esac
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+# If the template does not know about datarootdir, expand it.
+# FIXME: This hack should be removed a few years after 2.60.
+ac_datarootdir_hack=; ac_datarootdir_seen=
+
+case `sed -n '/datarootdir/ {
+ p
+ q
+}
+/@datadir@/p
+/@docdir@/p
+/@infodir@/p
+/@localedir@/p
+/@mandir@/p
+' $ac_file_inputs` in
+*datarootdir*) ac_datarootdir_seen=yes;;
+*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
+ { echo "$as_me:$LINENO: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+ ac_datarootdir_hack='
+ s&@datadir@&$datadir&g
+ s&@docdir@&$docdir&g
+ s&@infodir@&$infodir&g
+ s&@localedir@&$localedir&g
+ s&@mandir@&$mandir&g
+ s&\\\${datarootdir}&$datarootdir&g' ;;
+esac
+_ACEOF
+
+# Neutralize VPATH when `$srcdir' = `.'.
+# Shell code in configure.ac might set extrasub.
+# FIXME: do we really want to maintain this feature?
+cat >>$CONFIG_STATUS <<_ACEOF
+ sed "$ac_vpsub
+$extrasub
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+:t
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+s&@configure_input@&$configure_input&;t t
+s&@top_builddir@&$ac_top_builddir_sub&;t t
+s&@srcdir@&$ac_srcdir&;t t
+s&@abs_srcdir@&$ac_abs_srcdir&;t t
+s&@top_srcdir@&$ac_top_srcdir&;t t
+s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t
+s&@builddir@&$ac_builddir&;t t
+s&@abs_builddir@&$ac_abs_builddir&;t t
+s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
+s&@INSTALL@&$ac_INSTALL&;t t
+$ac_datarootdir_hack
+" $ac_file_inputs | sed -f "$tmp/subs-1.sed" | sed -f "$tmp/subs-2.sed" >$tmp/out
+
+test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
+ { ac_out=`sed -n '/\${datarootdir}/p' "$tmp/out"`; test -n "$ac_out"; } &&
+ { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' "$tmp/out"`; test -z "$ac_out"; } &&
+ { echo "$as_me:$LINENO: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined. Please make sure it is defined." >&5
+echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined. Please make sure it is defined." >&2;}
+
+ rm -f "$tmp/stdin"
+ case $ac_file in
+ -) cat "$tmp/out"; rm -f "$tmp/out";;
+ *) rm -f "$ac_file"; mv "$tmp/out" $ac_file;;
+ esac
+ ;;
+
+
+ :C) { echo "$as_me:$LINENO: executing $ac_file commands" >&5
+echo "$as_me: executing $ac_file commands" >&6;}
+ ;;
+ esac
+
+
+ case $ac_file$ac_mode in
+ "depfiles":C) test x"$AMDEP_TRUE" != x"" || for mf in $CONFIG_FILES; do
+ # Strip MF so we end up with the name of the file.
+ mf=`echo "$mf" | sed -e 's/:.*$//'`
+ # Check whether this is an Automake generated Makefile or not.
+ # We used to match only the files named `Makefile.in', but
+ # some people rename them; so instead we look at the file content.
+ # Grep'ing the first line is not enough: some people post-process
+ # each Makefile.in and add a new line on top of each file to say so.
+ # So let's grep whole file.
+ if grep '^#.*generated by automake' $mf > /dev/null 2>&1; then
+ dirpart=`$as_dirname -- "$mf" ||
+$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$mf" : 'X\(//\)[^/]' \| \
+ X"$mf" : 'X\(//\)$' \| \
+ X"$mf" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$mf" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ else
+ continue
+ fi
+ # Extract the definition of DEPDIR, am__include, and am__quote
+ # from the Makefile without running `make'.
+ DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
+ test -z "$DEPDIR" && continue
+ am__include=`sed -n 's/^am__include = //p' < "$mf"`
+ test -z "am__include" && continue
+ am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
+ # When using ansi2knr, U may be empty or an underscore; expand it
+ U=`sed -n 's/^U = //p' < "$mf"`
+ # Find all dependency output files, they are included files with
+ # $(DEPDIR) in their names. We invoke sed twice because it is the
+ # simplest approach to changing $(DEPDIR) to its actual value in the
+ # expansion.
+ for file in `sed -n "
+ s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
+ sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
+ # Make sure the directory exists.
+ test -f "$dirpart/$file" && continue
+ fdir=`$as_dirname -- "$file" ||
+$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$file" : 'X\(//\)[^/]' \| \
+ X"$file" : 'X\(//\)$' \| \
+ X"$file" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$file" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ { as_dir=$dirpart/$fdir
+ case $as_dir in #(
+ -*) as_dir=./$as_dir;;
+ esac
+ test -d "$as_dir" || { $as_mkdir_p && mkdir -p "$as_dir"; } || {
+ as_dirs=
+ while :; do
+ case $as_dir in #(
+ *\'*) as_qdir=`echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #(
+ *) as_qdir=$as_dir;;
+ esac
+ as_dirs="'$as_qdir' $as_dirs"
+ as_dir=`$as_dirname -- "$as_dir" ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$as_dir" : 'X\(//\)[^/]' \| \
+ X"$as_dir" : 'X\(//\)$' \| \
+ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+echo X"$as_dir" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ test -d "$as_dir" && break
+ done
+ test -z "$as_dirs" || eval "mkdir $as_dirs"
+ } || test -d "$as_dir" || { { echo "$as_me:$LINENO: error: cannot create directory $as_dir" >&5
+echo "$as_me: error: cannot create directory $as_dir" >&2;}
+ { (exit 1); exit 1; }; }; }
+ # echo "creating $dirpart/$file"
+ echo '# dummy' > "$dirpart/$file"
+ done
+done
+ ;;
+
+ esac
+done # for ac_tag
+
+
+{ (exit 0); exit 0; }
+_ACEOF
+chmod +x $CONFIG_STATUS
+ac_clean_files=$ac_clean_files_save
+
+
+# configure is writing to config.log, and then calls config.status.
+# config.status does its own redirection, appending to config.log.
+# Unfortunately, on DOS this fails, as config.log is still kept open
+# by configure, so config.status won't be able to write to it; its
+# output is simply discarded. So we exec the FD to /dev/null,
+# effectively closing config.log, so it can be properly (re)opened and
+# appended to by config.status. When coming back to configure, we
+# need to make the FD available again.
+if test "$no_create" != yes; then
+ ac_cs_success=:
+ ac_config_status_args=
+ test "$silent" = yes &&
+ ac_config_status_args="$ac_config_status_args --quiet"
+ exec 5>/dev/null
+ $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false
+ exec 5>>config.log
+ # Use ||, not &&, to avoid exiting from the if with $? = 1, which
+ # would make configure fail if this is the last instruction.
+ $ac_cs_success || { (exit 1); exit 1; }
+fi
+
diff --git a/configure.in b/configure.in
new file mode 100644
index 000000000..725be81e6
--- /dev/null
+++ b/configure.in
@@ -0,0 +1,240 @@
+dnl configure.in for linux strongSwan
+dnl Copyright (C) 2006 Martin Willi
+dnl Hochschule fuer Technik Rapperswil
+dnl
+dnl This program is free software; you can redistribute it and/or modify it
+dnl under the terms of the GNU General Public License as published by the
+dnl Free Software Foundation; either version 2 of the License, or (at your
+dnl option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+dnl
+dnl This program is distributed in the hope that it will be useful, but
+dnl WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+dnl or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+dnl for more details.
+
+dnl ===========================
+dnl initialize & set some vars
+dnl ===========================
+
+AC_INIT(strongSwan,4.1.1)
+AM_INIT_AUTOMAKE(tar-ustar)
+AC_C_BIGENDIAN
+AC_SUBST(confdir, '${sysconfdir}')
+
+dnl =================================
+dnl check --enable-xxx & --with-xxx
+dnl =================================
+
+
+AC_ARG_WITH(
+ [default-pkcs11],
+ AS_HELP_STRING([--with-default-pkcs11=lib],[set the default PKCS11 library other than "/usr/lib/opensc-pkcs11.so"]),
+ [AC_DEFINE_UNQUOTED(PKCS11_DEFAULT_LIB, "$withval")],
+ [AC_DEFINE_UNQUOTED(PKCS11_DEFAULT_LIB, "/usr/lib/opensc-pkcs11.so")]
+)
+
+AC_ARG_WITH(
+ [xauth-module],
+ AS_HELP_STRING([--with-xauth-module=lib],[set the path to the XAUTH module]),
+ [AC_DEFINE_UNQUOTED(XAUTH_DEFAULT_LIB, "$withval")],
+)
+
+AC_ARG_WITH(
+ [random-device],
+ AS_HELP_STRING([--with-random-device=dev],[set the device for real random data other than "/dev/random"]),
+ [AC_DEFINE_UNQUOTED(DEV_RANDOM, "$withval")],
+ [AC_DEFINE_UNQUOTED(DEV_RANDOM, "/dev/random")]
+)
+AC_ARG_WITH(
+ [resolv-conf],
+ AS_HELP_STRING([--with-resolv-conf=file],[set the file to store DNS server information other than "sysconfdir/resolv.conf"]),
+ [AC_DEFINE_UNQUOTED(RESOLV_CONF, "$withval")],
+ [AC_DEFINE_UNQUOTED(RESOLV_CONF, "${sysconfdir}/resolv.conf")]
+)
+
+AC_ARG_WITH(
+ [urandom-device],
+ AS_HELP_STRING([--with-urandom-device=dev],[set the device for pseudo random data other than "/dev/urandom"]),
+ [AC_DEFINE_UNQUOTED(DEV_URANDOM, "$withval")],
+ [AC_DEFINE_UNQUOTED(DEV_URANDOM, "/dev/urandom")]
+)
+
+AC_ARG_WITH(
+ [ipsecdir],
+ AS_HELP_STRING([--with-ipsecdir=dir],[installation path for ipsec tools other than "libexecdir/ipsec"]),
+ [AC_SUBST(ipsecdir, "$withval")],
+ [AC_SUBST(ipsecdir, "${libexecdir}/ipsec")]
+)
+
+AC_ARG_WITH(
+ [piddir],
+ AS_HELP_STRING([--with-piddir=dir],[path for PID and UNIX socket files other than "/var/run"]),
+ [AC_SUBST(piddir, "$withval")],
+ [AC_SUBST(piddir, "/var/run")]
+)
+
+AC_ARG_WITH(
+ [eapdir],
+ AS_HELP_STRING([--with-eapdir=dir],[path for pluggable EAP modules other than "ipsecdir/eap"]),
+ [AC_SUBST(eapdir, "$withval")],
+ [AC_SUBST(eapdir, "${ipsecdir}/eap")]
+)
+
+AC_ARG_WITH(
+ [sim-reader],
+ AS_HELP_STRING([--with-sim-reader=library.so],[library containing the sim_run_alg() function for EAP-SIM]),
+ [AC_DEFINE_UNQUOTED(SIM_READER_LIB, "$withval")]
+)
+
+AC_ARG_ENABLE(
+ [http],
+ AS_HELP_STRING([--enable-http],[enable OCSP and fetching of Certificates and CRLs over HTTP (default is NO). Requires libcurl.]),
+ [if test x$enableval = xyes; then
+ http=true
+ AC_DEFINE(LIBCURL)
+ fi]
+)
+AM_CONDITIONAL(USE_LIBCURL, test x$http = xtrue)
+
+AC_ARG_ENABLE(
+ [ldap],
+ AS_HELP_STRING([--enable-ldap],[enable fetching of CRLs from LDAP (default is NO). Requires openLDAP.]),
+ [if test x$enableval = xyes; then
+ ldap=true
+ AC_DEFINE(LIBLDAP)
+ fi]
+)
+AM_CONDITIONAL(USE_LIBLDAP, test x$ldap = xtrue)
+
+AC_ARG_ENABLE(
+ [smartcard],
+ AS_HELP_STRING([--enable-smartcard],[enable smartcard support (default is NO).]),
+ [if test x$enableval = xyes; then
+ smartcard=true
+ AC_DEFINE(SMARTCARD)
+ fi]
+)
+AM_CONDITIONAL(USE_SMARTCARD, test x$smartcard = xtrue)
+
+AC_ARG_ENABLE(
+ [cisco-quirks],
+ AS_HELP_STRING([--enable-cisco-quirks],[enable support of Cisco VPN client (default is NO).]),
+ [if test x$enableval = xyes; then
+ cisco_quirks=true
+ fi]
+)
+AM_CONDITIONAL(USE_CISCO_QUIRKS, test x$cisco_quirks = xtrue)
+
+AC_ARG_ENABLE(
+ [leak-detective],
+ AS_HELP_STRING([--enable-leak-detective],[enable malloc hooks to find memory leaks (default is NO).]),
+ [if test x$enableval = xyes; then
+ leak_detective=true
+ fi]
+)
+AM_CONDITIONAL(USE_LEAK_DETECTIVE, test x$leak_detective = xtrue)
+
+AC_ARG_ENABLE(
+ [eap-sim],
+ AS_HELP_STRING([--enable-eap-sim],[build SIM authenication module for EAP (default is NO).]),
+ [if test x$enableval = xyes; then
+ eap_sim=true
+ fi]
+)
+AM_CONDITIONAL(BUILD_EAP_SIM, test x$eap_sim = xtrue)
+
+AC_ARG_ENABLE(
+ [nat-transport],
+ AS_HELP_STRING([--enable-nat-transport],[enable NAT traversal with IPsec transport mode (default is NO).]),
+ [if test x$enableval = xyes; then
+ nat_transport=true
+ fi]
+)
+AM_CONDITIONAL(USE_NAT_TRANSPORT, test x$nat_transport = xtrue)
+
+AC_ARG_ENABLE(
+ [vendor-id],
+ AS_HELP_STRING([--disable-vendor-id],[disable the sending of the strongSwan vendor ID (default is NO).]),
+ [if test x$enableval = xyes; then
+ vendor_id=true
+ else
+ vendor_id=false
+ fi],
+ vendor_id=true
+)
+AM_CONDITIONAL(USE_VENDORID, test x$vendor_id = xtrue)
+
+dnl =========================
+dnl check required programs
+dnl =========================
+
+AC_PROG_INSTALL
+AC_PROG_LIBTOOL
+AC_PROG_LEX
+AC_PROG_YACC
+AC_PROG_CC()
+AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+AC_PATH_PROG([PERL], [perl], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+
+dnl ==========================
+dnl check required libraries
+dnl ==========================
+
+AC_CHECK_FUNCS(backtrace)
+AC_CHECK_FUNCS(getifaddrs)
+
+AC_HAVE_LIBRARY([gmp],[LIBS="$LIBS"],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])])
+if test "$ldap" = "true"; then
+ AC_HAVE_LIBRARY([ldap],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP enabled, but library ldap not found])])
+ AC_HAVE_LIBRARY([lber],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP enabled, but library lber not found])])
+fi
+if test "$http" = "true"; then
+ AC_HAVE_LIBRARY([curl],[LIBS="$LIBS"],[AC_MSG_ERROR([HTTP enabled, but library curl not found])])
+fi
+
+
+dnl =============================
+dnl check required header files
+dnl =============================
+
+
+AC_MSG_CHECKING([gmp.h version >= 4.1.4])
+AC_TRY_COMPILE(
+ [#include "gmp.h"],
+ [
+ #if (__GNU_MP_VERSION*100 + __GNU_MP_VERSION_MINOR*10 + __GNU_MP_VERSION_PATCHLEVEL) < 414
+ #error bad gmp
+ #endif
+ ],
+ [AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); AC_MSG_ERROR([No usable gmp.h found!])]
+)
+if test "$ldap" = "true"; then
+ AC_CHECK_HEADER([ldap.h],,[AC_MSG_ERROR([LDAP enabled, but ldap.h not found!])])
+fi
+if test "$http" = "true"; then
+ AC_CHECK_HEADER([curl/curl.h],,[AC_MSG_ERROR([HTTP enabled, but curl.h not found!])])
+fi
+
+dnl ==============================
+dnl build Makefiles
+dnl ==============================
+
+AC_OUTPUT(
+ Makefile
+ src/Makefile
+ src/libstrongswan/Makefile
+ src/libcrypto/Makefile
+ src/libfreeswan/Makefile
+ src/pluto/Makefile
+ src/whack/Makefile
+ src/charon/Makefile
+dnl src/charon/testing/Makefile
+ src/stroke/Makefile
+ src/ipsec/Makefile
+ src/starter/Makefile
+ src/_updown/Makefile
+ src/_updown_espmark/Makefile
+ src/_copyright/Makefile
+ src/openac/Makefile
+ src/scepclient/Makefile
+)
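Review bot: The path-valued `AC_ARG_WITH` options (`--with-default-pkcs11`, `--with-xauth-module`, `--with-sim-reader`, `--with-random-device`, `--with-urandom-device`) copy `$withval` into a string define unchecked, so a bare `--with-xauth-module` or a `--without-random-device` compiles in the literal name `"yes"` or `"no"`. For the module and PKCS#11 library names that is a relative name; if the daemons pass it to the dynamic loader (the loading code is not part of this hunk), it is resolved through the library search path rather than a fixed location. For the two random devices it would replace the entropy source with a file that most likely does not exist. Each of these action blocks should reject the two placeholder values before defining the macro, for example `if test "x$withval" = xyes || test "x$withval" = xno; then AC_MSG_ERROR([--with-xauth-module requires a path]); fi`, and ideally also require an absolute path.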
diff --git a/depcomp b/depcomp
new file mode 100755
index 000000000..04701da53
--- /dev/null
+++ b/depcomp
@@ -0,0 +1,530 @@
+#! /bin/sh
+# depcomp - compile a program generating dependencies as side-effects
+
+scriptversion=2005-07-09.11
+
+# Copyright (C) 1999, 2000, 2003, 2004, 2005 Free Software Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Originally written by Alexandre Oliva <oliva@dcc.unicamp.br>.
+
+case $1 in
+ '')
+ echo "$0: No command. Try \`$0 --help' for more information." 1>&2
+ exit 1;
+ ;;
+ -h | --h*)
+ cat <<\EOF
+Usage: depcomp [--help] [--version] PROGRAM [ARGS]
+
+Run PROGRAMS ARGS to compile a file, generating dependencies
+as side-effects.
+
+Environment variables:
+ depmode Dependency tracking mode.
+ source Source file read by `PROGRAMS ARGS'.
+ object Object file output by `PROGRAMS ARGS'.
+ DEPDIR directory where to store dependencies.
+ depfile Dependency file to output.
+ tmpdepfile Temporary file to use when outputing dependencies.
+ libtool Whether libtool is used (yes/no).
+
+Report bugs to <bug-automake@gnu.org>.
+EOF
+ exit $?
+ ;;
+ -v | --v*)
+ echo "depcomp $scriptversion"
+ exit $?
+ ;;
+esac
+
+if test -z "$depmode" || test -z "$source" || test -z "$object"; then
+ echo "depcomp: Variables source, object and depmode must be set" 1>&2
+ exit 1
+fi
+
+# Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po.
+depfile=${depfile-`echo "$object" |
+ sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`}
+tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
+
+rm -f "$tmpdepfile"
+
+# Some modes work just like other modes, but use different flags. We
+# parameterize here, but still list the modes in the big case below,
+# to make depend.m4 easier to write. Note that we *cannot* use a case
+# here, because this file can only contain one case statement.
+if test "$depmode" = hp; then
+ # HP compiler uses -M and no extra arg.
+ gccflag=-M
+ depmode=gcc
+fi
+
+if test "$depmode" = dashXmstdout; then
+ # This is just like dashmstdout with a different argument.
+ dashmflag=-xM
+ depmode=dashmstdout
+fi
+
+case "$depmode" in
+gcc3)
+## gcc 3 implements dependency tracking that does exactly what
+## we want. Yay! Note: for some reason libtool 1.4 doesn't like
+## it if -MD -MP comes after the -MF stuff. Hmm.
+ "$@" -MT "$object" -MD -MP -MF "$tmpdepfile"
+ stat=$?
+ if test $stat -eq 0; then :
+ else
+ rm -f "$tmpdepfile"
+ exit $stat
+ fi
+ mv "$tmpdepfile" "$depfile"
+ ;;
+
+gcc)
+## There are various ways to get dependency output from gcc. Here's
+## why we pick this rather obscure method:
+## - Don't want to use -MD because we'd like the dependencies to end
+## up in a subdir. Having to rename by hand is ugly.
+## (We might end up doing this anyway to support other compilers.)
+## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
+## -MM, not -M (despite what the docs say).
+## - Using -M directly means running the compiler twice (even worse
+## than renaming).
+ if test -z "$gccflag"; then
+ gccflag=-MD,
+ fi
+ "$@" -Wp,"$gccflag$tmpdepfile"
+ stat=$?
+ if test $stat -eq 0; then :
+ else
+ rm -f "$tmpdepfile"
+ exit $stat
+ fi
+ rm -f "$depfile"
+ echo "$object : \\" > "$depfile"
+ alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
+## The second -e expression handles DOS-style file names with drive letters.
+ sed -e 's/^[^:]*: / /' \
+ -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
+## This next piece of magic avoids the `deleted header file' problem.
+## The problem is that when a header file which appears in a .P file
+## is deleted, the dependency causes make to die (because there is
+## typically no way to rebuild the header). We avoid this by adding
+## dummy dependencies for each header file. Too bad gcc doesn't do
+## this for us directly.
+ tr ' ' '
+' < "$tmpdepfile" |
+## Some versions of gcc put a space before the `:'. On the theory
+## that the space means something, we add a space to the output as
+## well.
+## Some versions of the HPUX 10.20 sed can't process this invocation
+## correctly. Breaking it into two sed invocations is a workaround.
+ sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+ rm -f "$tmpdepfile"
+ ;;
+
+hp)
+ # This case exists only to let depend.m4 do its work. It works by
+ # looking at the text of this script. This case will never be run,
+ # since it is checked for above.
+ exit 1
+ ;;
+
+sgi)
+ if test "$libtool" = yes; then
+ "$@" "-Wp,-MDupdate,$tmpdepfile"
+ else
+ "$@" -MDupdate "$tmpdepfile"
+ fi
+ stat=$?
+ if test $stat -eq 0; then :
+ else
+ rm -f "$tmpdepfile"
+ exit $stat
+ fi
+ rm -f "$depfile"
+
+ if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files
+ echo "$object : \\" > "$depfile"
+
+ # Clip off the initial element (the dependent). Don't try to be
+ # clever and replace this with sed code, as IRIX sed won't handle
+ # lines with more than a fixed number of characters (4096 in
+ # IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines;
+ # the IRIX cc adds comments like `#:fec' to the end of the
+ # dependency line.
+ tr ' ' '
+' < "$tmpdepfile" \
+ | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
+ tr '
+' ' ' >> $depfile
+ echo >> $depfile
+
+ # The second pass generates a dummy entry for each header file.
+ tr ' ' '
+' < "$tmpdepfile" \
+ | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
+ >> $depfile
+ else
+ # The sourcefile does not contain any dependencies, so just
+ # store a dummy comment line, to avoid errors with the Makefile
+ # "include basename.Plo" scheme.
+ echo "#dummy" > "$depfile"
+ fi
+ rm -f "$tmpdepfile"
+ ;;
+
+aix)
+ # The C for AIX Compiler uses -M and outputs the dependencies
+ # in a .u file. In older versions, this file always lives in the
+ # current directory. Also, the AIX compiler puts `$object:' at the
+ # start of each line; $object doesn't have directory information.
+ # Version 6 uses the directory in both cases.
+ stripped=`echo "$object" | sed 's/\(.*\)\..*$/\1/'`
+ tmpdepfile="$stripped.u"
+ if test "$libtool" = yes; then
+ "$@" -Wc,-M
+ else
+ "$@" -M
+ fi
+ stat=$?
+
+ if test -f "$tmpdepfile"; then :
+ else
+ stripped=`echo "$stripped" | sed 's,^.*/,,'`
+ tmpdepfile="$stripped.u"
+ fi
+
+ if test $stat -eq 0; then :
+ else
+ rm -f "$tmpdepfile"
+ exit $stat
+ fi
+
+ if test -f "$tmpdepfile"; then
+ outname="$stripped.o"
+ # Each line is of the form `foo.o: dependent.h'.
+ # Do two passes, one to just change these to
+ # `$object: dependent.h' and one to simply `dependent.h:'.
+ sed -e "s,^$outname:,$object :," < "$tmpdepfile" > "$depfile"
+ sed -e "s,^$outname: \(.*\)$,\1:," < "$tmpdepfile" >> "$depfile"
+ else
+ # The sourcefile does not contain any dependencies, so just
+ # store a dummy comment line, to avoid errors with the Makefile
+ # "include basename.Plo" scheme.
+ echo "#dummy" > "$depfile"
+ fi
+ rm -f "$tmpdepfile"
+ ;;
+
+icc)
+ # Intel's C compiler understands `-MD -MF file'. However on
+ # icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
+ # ICC 7.0 will fill foo.d with something like
+ # foo.o: sub/foo.c
+ # foo.o: sub/foo.h
+ # which is wrong. We want:
+ # sub/foo.o: sub/foo.c
+ # sub/foo.o: sub/foo.h
+ # sub/foo.c:
+ # sub/foo.h:
+ # ICC 7.1 will output
+ # foo.o: sub/foo.c sub/foo.h
+ # and will wrap long lines using \ :
+ # foo.o: sub/foo.c ... \
+ # sub/foo.h ... \
+ # ...
+
+ "$@" -MD -MF "$tmpdepfile"
+ stat=$?
+ if test $stat -eq 0; then :
+ else
+ rm -f "$tmpdepfile"
+ exit $stat
+ fi
+ rm -f "$depfile"
+ # Each line is of the form `foo.o: dependent.h',
+ # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
+ # Do two passes, one to just change these to
+ # `$object: dependent.h' and one to simply `dependent.h:'.
+ sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
+ # Some versions of the HPUX 10.20 sed can't process this invocation
+ # correctly. Breaking it into two sed invocations is a workaround.
+ sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
+ sed -e 's/$/ :/' >> "$depfile"
+ rm -f "$tmpdepfile"
+ ;;
+
+tru64)
+ # The Tru64 compiler uses -MD to generate dependencies as a side
+ # effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
+ # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
+ # dependencies in `foo.d' instead, so we check for that too.
+ # Subdirectories are respected.
+ dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
+ test "x$dir" = "x$object" && dir=
+ base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
+
+ if test "$libtool" = yes; then
+ # With Tru64 cc, shared objects can also be used to make a
+ # static library. This mecanism is used in libtool 1.4 series to
+ # handle both shared and static libraries in a single compilation.
+ # With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d.
+ #
+ # With libtool 1.5 this exception was removed, and libtool now
+ # generates 2 separate objects for the 2 libraries. These two
+ # compilations output dependencies in in $dir.libs/$base.o.d and
+ # in $dir$base.o.d. We have to check for both files, because
+ # one of the two compilations can be disabled. We should prefer
+ # $dir$base.o.d over $dir.libs/$base.o.d because the latter is
+ # automatically cleaned when .libs/ is deleted, while ignoring
+ # the former would cause a distcleancheck panic.
+ tmpdepfile1=$dir.libs/$base.lo.d # libtool 1.4
+ tmpdepfile2=$dir$base.o.d # libtool 1.5
+ tmpdepfile3=$dir.libs/$base.o.d # libtool 1.5
+ tmpdepfile4=$dir.libs/$base.d # Compaq CCC V6.2-504
+ "$@" -Wc,-MD
+ else
+ tmpdepfile1=$dir$base.o.d
+ tmpdepfile2=$dir$base.d
+ tmpdepfile3=$dir$base.d
+ tmpdepfile4=$dir$base.d
+ "$@" -MD
+ fi
+
+ stat=$?
+ if test $stat -eq 0; then :
+ else
+ rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
+ exit $stat
+ fi
+
+ for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4"
+ do
+ test -f "$tmpdepfile" && break
+ done
+ if test -f "$tmpdepfile"; then
+ sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
+ # That's a tab and a space in the [].
+ sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
+ else
+ echo "#dummy" > "$depfile"
+ fi
+ rm -f "$tmpdepfile"
+ ;;
+
+#nosideeffect)
+ # This comment above is used by automake to tell side-effect
+ # dependency tracking mechanisms from slower ones.
+
+dashmstdout)
+ # Important note: in order to support this mode, a compiler *must*
+ # always write the preprocessed file to stdout, regardless of -o.
+ "$@" || exit $?
+
+ # Remove the call to Libtool.
+ if test "$libtool" = yes; then
+ while test $1 != '--mode=compile'; do
+ shift
+ done
+ shift
+ fi
+
+ # Remove `-o $object'.
+ IFS=" "
+ for arg
+ do
+ case $arg in
+ -o)
+ shift
+ ;;
+ $object)
+ shift
+ ;;
+ *)
+ set fnord "$@" "$arg"
+ shift # fnord
+ shift # $arg
+ ;;
+ esac
+ done
+
+ test -z "$dashmflag" && dashmflag=-M
+ # Require at least two characters before searching for `:'
+ # in the target name. This is to cope with DOS-style filenames:
+ # a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
+ "$@" $dashmflag |
+ sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile"
+ rm -f "$depfile"
+ cat < "$tmpdepfile" > "$depfile"
+ tr ' ' '
+' < "$tmpdepfile" | \
+## Some versions of the HPUX 10.20 sed can't process this invocation
+## correctly. Breaking it into two sed invocations is a workaround.
+ sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+ rm -f "$tmpdepfile"
+ ;;
+
+dashXmstdout)
+ # This case only exists to satisfy depend.m4. It is never actually
+ # run, as this mode is specially recognized in the preamble.
+ exit 1
+ ;;
+
+makedepend)
+ "$@" || exit $?
+ # Remove any Libtool call
+ if test "$libtool" = yes; then
+ while test $1 != '--mode=compile'; do
+ shift
+ done
+ shift
+ fi
+ # X makedepend
+ shift
+ cleared=no
+ for arg in "$@"; do
+ case $cleared in
+ no)
+ set ""; shift
+ cleared=yes ;;
+ esac
+ case "$arg" in
+ -D*|-I*)
+ set fnord "$@" "$arg"; shift ;;
+ # Strip any option that makedepend may not understand. Remove
+ # the object too, otherwise makedepend will parse it as a source file.
+ -*|$object)
+ ;;
+ *)
+ set fnord "$@" "$arg"; shift ;;
+ esac
+ done
+ obj_suffix="`echo $object | sed 's/^.*\././'`"
+ touch "$tmpdepfile"
+ ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
+ rm -f "$depfile"
+ cat < "$tmpdepfile" > "$depfile"
+ sed '1,2d' "$tmpdepfile" | tr ' ' '
+' | \
+## Some versions of the HPUX 10.20 sed can't process this invocation
+## correctly. Breaking it into two sed invocations is a workaround.
+ sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
+ rm -f "$tmpdepfile" "$tmpdepfile".bak
+ ;;
+
+cpp)
+ # Important note: in order to support this mode, a compiler *must*
+ # always write the preprocessed file to stdout.
+ "$@" || exit $?
+
+ # Remove the call to Libtool.
+ if test "$libtool" = yes; then
+ while test $1 != '--mode=compile'; do
+ shift
+ done
+ shift
+ fi
+
+ # Remove `-o $object'.
+ IFS=" "
+ for arg
+ do
+ case $arg in
+ -o)
+ shift
+ ;;
+ $object)
+ shift
+ ;;
+ *)
+ set fnord "$@" "$arg"
+ shift # fnord
+ shift # $arg
+ ;;
+ esac
+ done
+
+ "$@" -E |
+ sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \
+ -e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
+ sed '$ s: \\$::' > "$tmpdepfile"
+ rm -f "$depfile"
+ echo "$object : \\" > "$depfile"
+ cat < "$tmpdepfile" >> "$depfile"
+ sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile"
+ rm -f "$tmpdepfile"
+ ;;
+
+msvisualcpp)
+ # Important note: in order to support this mode, a compiler *must*
+ # always write the preprocessed file to stdout, regardless of -o,
+ # because we must use -o when running libtool.
+ "$@" || exit $?
+ IFS=" "
+ for arg
+ do
+ case "$arg" in
+ "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
+ set fnord "$@"
+ shift
+ shift
+ ;;
+ *)
+ set fnord "$@" "$arg"
+ shift
+ shift
+ ;;
+ esac
+ done
+ "$@" -E |
+ sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
+ rm -f "$depfile"
+ echo "$object : \\" > "$depfile"
+ . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile"
+ echo " " >> "$depfile"
+ . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
+ rm -f "$tmpdepfile"
+ ;;
+
+none)
+ exec "$@"
+ ;;
+
+*)
+ echo "Unknown depmode $depmode" 1>&2
+ exit 1
+ ;;
+esac
+
+exit 0
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
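Review bot: In the `msvisualcpp)` branch, file names taken from the preprocessor's `#line` directives are written into `$tmpdepfile` as `echo` commands wrapping a backquoted `cygpath -u` call, and that file is then executed twice with `. "$tmpdepfile"`. A header path containing a double quote, a backquote or a `$` is therefore interpreted by the shell during the build instead of being treated as data. The names can stay plain text if they are converted with `cygpath -u -f -` and `$tmpdepfile` is read with `sed`, as sketched below. Separately, the `sgi)` branch appends with an unquoted `>> $depfile` in three places where every other branch writes `>> "$depfile"`. depcomp is the automake-supplied copy, so the change is better picked up by regenerating the auxiliary files (if a newer automake already carries it) than by editing this copy by hand.

```sh
msvisualcpp)
  # … unchanged: "$@" || exit $? and the -Gm/-Gi/-ZI argument filter …
  "$@" -E |
  sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' |
  cygpath -u -f - | sort | uniq > "$tmpdepfile"
  rm -f "$depfile"
  echo "$object : \\" > "$depfile"
  sed 's% %\\ %g' < "$tmpdepfile" | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile"
  echo " " >> "$depfile"
  sed 's% %\\ %g' < "$tmpdepfile" | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
  rm -f "$tmpdepfile"
  ;;
```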
diff --git a/install-sh b/install-sh
new file mode 100755
index 000000000..4d4a9519e
--- /dev/null
+++ b/install-sh
@@ -0,0 +1,323 @@
+#!/bin/sh
+# install - install a program, script, or datafile
+
+scriptversion=2005-05-14.22
+
+# This originates from X11R5 (mit/util/scripts/install.sh), which was
+# later released in X11R6 (xc/config/util/install.sh) with the
+# following copyright and license.
+#
+# Copyright (C) 1994 X Consortium
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
+# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+# Except as contained in this notice, the name of the X Consortium shall not
+# be used in advertising or otherwise to promote the sale, use or other deal-
+# ings in this Software without prior written authorization from the X Consor-
+# tium.
+#
+#
+# FSF changes to this file are in the public domain.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch. It can only install one file at a time, a restriction
+# shared with many OS's install programs.
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+chmodcmd="$chmodprog 0755"
+chowncmd=
+chgrpcmd=
+stripcmd=
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=
+dst=
+dir_arg=
+dstarg=
+no_target_directory=
+
+usage="Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
+ or: $0 [OPTION]... SRCFILES... DIRECTORY
+ or: $0 [OPTION]... -t DIRECTORY SRCFILES...
+ or: $0 [OPTION]... -d DIRECTORIES...
+
+In the 1st form, copy SRCFILE to DSTFILE.
+In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
+In the 4th, create DIRECTORIES.
+
+Options:
+-c (ignored)
+-d create directories instead of installing files.
+-g GROUP $chgrpprog installed files to GROUP.
+-m MODE $chmodprog installed files to MODE.
+-o USER $chownprog installed files to USER.
+-s $stripprog installed files.
+-t DIRECTORY install into DIRECTORY.
+-T report an error if DSTFILE is a directory.
+--help display this help and exit.
+--version display version info and exit.
+
+Environment variables override the default commands:
+ CHGRPPROG CHMODPROG CHOWNPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG
+"
+
+while test -n "$1"; do
+ case $1 in
+ -c) shift
+ continue;;
+
+ -d) dir_arg=true
+ shift
+ continue;;
+
+ -g) chgrpcmd="$chgrpprog $2"
+ shift
+ shift
+ continue;;
+
+ --help) echo "$usage"; exit $?;;
+
+ -m) chmodcmd="$chmodprog $2"
+ shift
+ shift
+ continue;;
+
+ -o) chowncmd="$chownprog $2"
+ shift
+ shift
+ continue;;
+
+ -s) stripcmd=$stripprog
+ shift
+ continue;;
+
+ -t) dstarg=$2
+ shift
+ shift
+ continue;;
+
+ -T) no_target_directory=true
+ shift
+ continue;;
+
+ --version) echo "$0 $scriptversion"; exit $?;;
+
+ *) # When -d is used, all remaining arguments are directories to create.
+ # When -t is used, the destination is already specified.
+ test -n "$dir_arg$dstarg" && break
+ # Otherwise, the last argument is the destination. Remove it from $@.
+ for arg
+ do
+ if test -n "$dstarg"; then
+ # $@ is not empty: it contains at least $arg.
+ set fnord "$@" "$dstarg"
+ shift # fnord
+ fi
+ shift # arg
+ dstarg=$arg
+ done
+ break;;
+ esac
+done
+
+if test -z "$1"; then
+ if test -z "$dir_arg"; then
+ echo "$0: no input file specified." >&2
+ exit 1
+ fi
+ # It's OK to call `install-sh -d' without argument.
+ # This can happen when creating conditional directories.
+ exit 0
+fi
+
+for src
+do
+ # Protect names starting with `-'.
+ case $src in
+ -*) src=./$src ;;
+ esac
+
+ if test -n "$dir_arg"; then
+ dst=$src
+ src=
+
+ if test -d "$dst"; then
+ mkdircmd=:
+ chmodcmd=
+ else
+ mkdircmd=$mkdirprog
+ fi
+ else
+ # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
+ # might cause directories to be created, which would be especially bad
+ # if $src (and thus $dsttmp) contains '*'.
+ if test ! -f "$src" && test ! -d "$src"; then
+ echo "$0: $src does not exist." >&2
+ exit 1
+ fi
+
+ if test -z "$dstarg"; then
+ echo "$0: no destination specified." >&2
+ exit 1
+ fi
+
+ dst=$dstarg
+ # Protect names starting with `-'.
+ case $dst in
+ -*) dst=./$dst ;;
+ esac
+
+ # If destination is a directory, append the input filename; won't work
+ # if double slashes aren't ignored.
+ if test -d "$dst"; then
+ if test -n "$no_target_directory"; then
+ echo "$0: $dstarg: Is a directory" >&2
+ exit 1
+ fi
+ dst=$dst/`basename "$src"`
+ fi
+ fi
+
+ # This sed command emulates the dirname command.
+ dstdir=`echo "$dst" | sed -e 's,/*$,,;s,[^/]*$,,;s,/*$,,;s,^$,.,'`
+
+ # Make sure that the destination directory exists.
+
+ # Skip lots of stat calls in the usual case.
+ if test ! -d "$dstdir"; then
+ defaultIFS='
+ '
+ IFS="${IFS-$defaultIFS}"
+
+ oIFS=$IFS
+ # Some sh's can't handle IFS=/ for some reason.
+ IFS='%'
+ set x `echo "$dstdir" | sed -e 's@/@%@g' -e 's@^%@/@'`
+ shift
+ IFS=$oIFS
+
+ pathcomp=
+
+ while test $# -ne 0 ; do
+ pathcomp=$pathcomp$1
+ shift
+ if test ! -d "$pathcomp"; then
+ $mkdirprog "$pathcomp"
+ # mkdir can fail with a `File exist' error in case several
+ # install-sh are creating the directory concurrently. This
+ # is OK.
+ test -d "$pathcomp" || exit
+ fi
+ pathcomp=$pathcomp/
+ done
+ fi
+
+ if test -n "$dir_arg"; then
+ $doit $mkdircmd "$dst" \
+ && { test -z "$chowncmd" || $doit $chowncmd "$dst"; } \
+ && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } \
+ && { test -z "$stripcmd" || $doit $stripcmd "$dst"; } \
+ && { test -z "$chmodcmd" || $doit $chmodcmd "$dst"; }
+
+ else
+ dstfile=`basename "$dst"`
+
+ # Make a couple of temp file names in the proper directory.
+ dsttmp=$dstdir/_inst.$$_
+ rmtmp=$dstdir/_rm.$$_
+
+ # Trap to clean up those temp files at exit.
+ trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0
+ trap '(exit $?); exit' 1 2 13 15
+
+ # Copy the file name to the temp name.
+ $doit $cpprog "$src" "$dsttmp" &&
+
+ # and set any options; do chmod last to preserve setuid bits.
+ #
+ # If any of these fail, we abort the whole thing. If we want to
+ # ignore errors from any of these, just make sure not to ignore
+ # errors from the above "$doit $cpprog $src $dsttmp" command.
+ #
+ { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } \
+ && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } \
+ && { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } \
+ && { test -z "$chmodcmd" || $doit $chmodcmd "$dsttmp"; } &&
+
+ # Now rename the file to the real destination.
+ { $doit $mvcmd -f "$dsttmp" "$dstdir/$dstfile" 2>/dev/null \
+ || {
+ # The rename failed, perhaps because mv can't rename something else
+ # to itself, or perhaps because mv is so ancient that it does not
+ # support -f.
+
+ # Now remove or move aside any old file at destination location.
+ # We try this two ways since rm can't unlink itself on some
+ # systems and the destination file might be busy for other
+ # reasons. In this case, the final cleanup might fail but the new
+ # file should still install successfully.
+ {
+ if test -f "$dstdir/$dstfile"; then
+ $doit $rmcmd -f "$dstdir/$dstfile" 2>/dev/null \
+ || $doit $mvcmd -f "$dstdir/$dstfile" "$rmtmp" 2>/dev/null \
+ || {
+ echo "$0: cannot unlink or rename $dstdir/$dstfile" >&2
+ (exit 1); exit 1
+ }
+ else
+ :
+ fi
+ } &&
+
+ # Now rename the file to the real destination.
+ $doit $mvcmd "$dsttmp" "$dstdir/$dstfile"
+ }
+ }
+ fi || { (exit 1); exit 1; }
+done
+
+# The final little trick to "correctly" pass the exit status to the exit trap.
+{
+ (exit 0); exit 0
+}
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
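Review bot: The staging names `dsttmp=$dstdir/_inst.$$_` and `rmtmp=$dstdir/_rm.$$_` are derived only from the process id, and `$doit $cpprog "$src" "$dsttmp"` then writes to that path without checking whether something already exists there, so the copy is only safe when `$dstdir` is not writable by other users. Installs are often run with elevated privileges (not visible from this hunk), so the precondition deserves a comment above the assignment, for example `# $dsttmp is predictable: only install into directories that untrusted users cannot write to`. The exit trap also calls a literal `rm -f` rather than `$rmcmd`, so an `RMPROG` override does not apply to the cleanup. install-sh is the automake-supplied copy, so either change belongs upstream rather than in a local edit.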
diff --git a/lib/.cvsignore b/lib/.cvsignore
deleted file mode 100644
index aa84dc001..000000000
--- a/lib/.cvsignore
+++ /dev/null
@@ -1,2 +0,0 @@
-ktmp
-version.c
diff --git a/lib/COPYING.LIB b/lib/COPYING.LIB
deleted file mode 100644
index 92b8903ff..000000000
--- a/lib/COPYING.LIB
+++ /dev/null
@@ -1,481 +0,0 @@
- GNU LIBRARY GENERAL PUBLIC LICENSE
- Version 2, June 1991
-
- Copyright (C) 1991 Free Software Foundation, Inc.
- 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-[This is the first released version of the library GPL. It is
- numbered 2 because it goes with version 2 of the ordinary GPL.]
-
- Preamble
-
- The licenses for most software are designed to take away your
-freedom to share and change it. By contrast, the GNU General Public
-Licenses are intended to guarantee your freedom to share and change
-free software--to make sure the software is free for all its users.
-
- This license, the Library General Public License, applies to some
-specially designated Free Software Foundation software, and to any
-other libraries whose authors decide to use it. You can use it for
-your libraries, too.
-
- When we speak of free software, we are referring to freedom, not
-price. Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
- To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if
-you distribute copies of the library, or if you modify it.
-
- For example, if you distribute copies of the library, whether gratis
-or for a fee, you must give the recipients all the rights that we gave
-you. You must make sure that they, too, receive or can get the source
-code. If you link a program with the library, you must provide
-complete object files to the recipients so that they can relink them
-with the library, after making changes to the library and recompiling
-it. And you must show them these terms so they know their rights.
-
- Our method of protecting your rights has two steps: (1) copyright
-the library, and (2) offer you this license which gives you legal
-permission to copy, distribute and/or modify the library.
-
- Also, for each distributor's protection, we want to make certain
-that everyone understands that there is no warranty for this free
-library. If the library is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original
-version, so that any problems introduced by others will not reflect on
-the original authors' reputations.
-
- Finally, any free program is threatened constantly by software
-patents. We wish to avoid the danger that companies distributing free
-software will individually obtain patent licenses, thus in effect
-transforming the program into proprietary software. To prevent this,
-we have made it clear that any patent must be licensed for everyone's
-free use or not licensed at all.
-
- Most GNU software, including some libraries, is covered by the ordinary
-GNU General Public License, which was designed for utility programs. This
-license, the GNU Library General Public License, applies to certain
-designated libraries. This license is quite different from the ordinary
-one; be sure to read it in full, and don't assume that anything in it is
-the same as in the ordinary license.
-
- The reason we have a separate public license for some libraries is that
-they blur the distinction we usually make between modifying or adding to a
-program and simply using it. Linking a program with a library, without
-changing the library, is in some sense simply using the library, and is
-analogous to running a utility program or application program. However, in
-a textual and legal sense, the linked executable is a combined work, a
-derivative of the original library, and the ordinary General Public License
-treats it as such.
-
- Because of this blurred distinction, using the ordinary General
-Public License for libraries did not effectively promote software
-sharing, because most developers did not use the libraries. We
-concluded that weaker conditions might promote sharing better.
-
- However, unrestricted linking of non-free programs would deprive the
-users of those programs of all benefit from the free status of the
-libraries themselves. This Library General Public License is intended to
-permit developers of non-free programs to use free libraries, while
-preserving your freedom as a user of such programs to change the free
-libraries that are incorporated in them. (We have not seen how to achieve
-this as regards changes in header files, but we have achieved it as regards
-changes in the actual functions of the Library.) The hope is that this
-will lead to faster development of free libraries.
-
- The precise terms and conditions for copying, distribution and
-modification follow. Pay close attention to the difference between a
-"work based on the library" and a "work that uses the library". The
-former contains code derived from the library, while the latter only
-works together with the library.
-
- Note that it is possible for a library to be covered by the ordinary
-General Public License rather than by this special one.
-
- GNU LIBRARY GENERAL PUBLIC LICENSE
- TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
- 0. This License Agreement applies to any software library which
-contains a notice placed by the copyright holder or other authorized
-party saying it may be distributed under the terms of this Library
-General Public License (also called "this License"). Each licensee is
-addressed as "you".
-
- A "library" means a collection of software functions and/or data
-prepared so as to be conveniently linked with application programs
-(which use some of those functions and data) to form executables.
-
- The "Library", below, refers to any such software library or work
-which has been distributed under these terms. A "work based on the
-Library" means either the Library or any derivative work under
-copyright law: that is to say, a work containing the Library or a
-portion of it, either verbatim or with modifications and/or translated
-straightforwardly into another language. (Hereinafter, translation is
-included without limitation in the term "modification".)
-
- "Source code" for a work means the preferred form of the work for
-making modifications to it. For a library, complete source code means
-all the source code for all modules it contains, plus any associated
-interface definition files, plus the scripts used to control compilation
-and installation of the library.
-
- Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope. The act of
-running a program using the Library is not restricted, and output from
-such a program is covered only if its contents constitute a work based
-on the Library (independent of the use of the Library in a tool for
-writing it). Whether that is true depends on what the Library does
-and what the program that uses the Library does.
-
- 1. You may copy and distribute verbatim copies of the Library's
-complete source code as you receive it, in any medium, provided that
-you conspicuously and appropriately publish on each copy an
-appropriate copyright notice and disclaimer of warranty; keep intact
-all the notices that refer to this License and to the absence of any
-warranty; and distribute a copy of this License along with the
-Library.
-
- You may charge a fee for the physical act of transferring a copy,
-and you may at your option offer warranty protection in exchange for a
-fee.
-
- 2. You may modify your copy or copies of the Library or any portion
-of it, thus forming a work based on the Library, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
- a) The modified work must itself be a software library.
-
- b) You must cause the files modified to carry prominent notices
- stating that you changed the files and the date of any change.
-
- c) You must cause the whole of the work to be licensed at no
- charge to all third parties under the terms of this License.
-
- d) If a facility in the modified Library refers to a function or a
- table of data to be supplied by an application program that uses
- the facility, other than as an argument passed when the facility
- is invoked, then you must make a good faith effort to ensure that,
- in the event an application does not supply such function or
- table, the facility still operates, and performs whatever part of
- its purpose remains meaningful.
-
- (For example, a function in a library to compute square roots has
- a purpose that is entirely well-defined independent of the
- application. Therefore, Subsection 2d requires that any
- application-supplied function or table used by this function must
- be optional: if the application does not supply it, the square
- root function must still compute square roots.)
-
-These requirements apply to the modified work as a whole. If
-identifiable sections of that work are not derived from the Library,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works. But when you
-distribute the same sections as part of a whole which is a work based
-on the Library, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote
-it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Library.
-
-In addition, mere aggregation of another work not based on the Library
-with the Library (or with a work based on the Library) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
- 3. You may opt to apply the terms of the ordinary GNU General Public
-License instead of this License to a given copy of the Library. To do
-this, you must alter all the notices that refer to this License, so
-that they refer to the ordinary GNU General Public License, version 2,
-instead of to this License. (If a newer version than version 2 of the
-ordinary GNU General Public License has appeared, then you can specify
-that version instead if you wish.) Do not make any other change in
-these notices.
-
- Once this change is made in a given copy, it is irreversible for
-that copy, so the ordinary GNU General Public License applies to all
-subsequent copies and derivative works made from that copy.
-
- This option is useful when you wish to copy part of the code of
-the Library into a program that is not a library.
-
- 4. You may copy and distribute the Library (or a portion or
-derivative of it, under Section 2) in object code or executable form
-under the terms of Sections 1 and 2 above provided that you accompany
-it with the complete corresponding machine-readable source code, which
-must be distributed under the terms of Sections 1 and 2 above on a
-medium customarily used for software interchange.
-
- If distribution of object code is made by offering access to copy
-from a designated place, then offering equivalent access to copy the
-source code from the same place satisfies the requirement to
-distribute the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
- 5. A program that contains no derivative of any portion of the
-Library, but is designed to work with the Library by being compiled or
-linked with it, is called a "work that uses the Library". Such a
-work, in isolation, is not a derivative work of the Library, and
-therefore falls outside the scope of this License.
-
- However, linking a "work that uses the Library" with the Library
-creates an executable that is a derivative of the Library (because it
-contains portions of the Library), rather than a "work that uses the
-library". The executable is therefore covered by this License.
-Section 6 states terms for distribution of such executables.
-
- When a "work that uses the Library" uses material from a header file
-that is part of the Library, the object code for the work may be a
-derivative work of the Library even though the source code is not.
-Whether this is true is especially significant if the work can be
-linked without the Library, or if the work is itself a library. The
-threshold for this to be true is not precisely defined by law.
-
- If such an object file uses only numerical parameters, data
-structure layouts and accessors, and small macros and small inline
-functions (ten lines or less in length), then the use of the object
-file is unrestricted, regardless of whether it is legally a derivative
-work. (Executables containing this object code plus portions of the
-Library will still fall under Section 6.)
-
- Otherwise, if the work is a derivative of the Library, you may
-distribute the object code for the work under the terms of Section 6.
-Any executables containing that work also fall under Section 6,
-whether or not they are linked directly with the Library itself.
-
- 6. As an exception to the Sections above, you may also compile or
-link a "work that uses the Library" with the Library to produce a
-work containing portions of the Library, and distribute that work
-under terms of your choice, provided that the terms permit
-modification of the work for the customer's own use and reverse
-engineering for debugging such modifications.
-
- You must give prominent notice with each copy of the work that the
-Library is used in it and that the Library and its use are covered by
-this License. You must supply a copy of this License. If the work
-during execution displays copyright notices, you must include the
-copyright notice for the Library among them, as well as a reference
-directing the user to the copy of this License. Also, you must do one
-of these things:
-
- a) Accompany the work with the complete corresponding
- machine-readable source code for the Library including whatever
- changes were used in the work (which must be distributed under
- Sections 1 and 2 above); and, if the work is an executable linked
- with the Library, with the complete machine-readable "work that
- uses the Library", as object code and/or source code, so that the
- user can modify the Library and then relink to produce a modified
- executable containing the modified Library. (It is understood
- that the user who changes the contents of definitions files in the
- Library will not necessarily be able to recompile the application
- to use the modified definitions.)
-
- b) Accompany the work with a written offer, valid for at
- least three years, to give the same user the materials
- specified in Subsection 6a, above, for a charge no more
- than the cost of performing this distribution.
-
- c) If distribution of the work is made by offering access to copy
- from a designated place, offer equivalent access to copy the above
- specified materials from the same place.
-
- d) Verify that the user has already received a copy of these
- materials or that you have already sent this user a copy.
-
- For an executable, the required form of the "work that uses the
-Library" must include any data and utility programs needed for
-reproducing the executable from it. However, as a special exception,
-the source code distributed need not include anything that is normally
-distributed (in either source or binary form) with the major
-components (compiler, kernel, and so on) of the operating system on
-which the executable runs, unless that component itself accompanies
-the executable.
-
- It may happen that this requirement contradicts the license
-restrictions of other proprietary libraries that do not normally
-accompany the operating system. Such a contradiction means you cannot
-use both them and the Library together in an executable that you
-distribute.
-
- 7. You may place library facilities that are a work based on the
-Library side-by-side in a single library together with other library
-facilities not covered by this License, and distribute such a combined
-library, provided that the separate distribution of the work based on
-the Library and of the other library facilities is otherwise
-permitted, and provided that you do these two things:
-
- a) Accompany the combined library with a copy of the same work
- based on the Library, uncombined with any other library
- facilities. This must be distributed under the terms of the
- Sections above.
-
- b) Give prominent notice with the combined library of the fact
- that part of it is a work based on the Library, and explaining
- where to find the accompanying uncombined form of the same work.
-
- 8. You may not copy, modify, sublicense, link with, or distribute
-the Library except as expressly provided under this License. Any
-attempt otherwise to copy, modify, sublicense, link with, or
-distribute the Library is void, and will automatically terminate your
-rights under this License. However, parties who have received copies,
-or rights, from you under this License will not have their licenses
-terminated so long as such parties remain in full compliance.
-
- 9. You are not required to accept this License, since you have not
-signed it. However, nothing else grants you permission to modify or
-distribute the Library or its derivative works. These actions are
-prohibited by law if you do not accept this License. Therefore, by
-modifying or distributing the Library (or any work based on the
-Library), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Library or works based on it.
-
- 10. Each time you redistribute the Library (or any work based on the
-Library), the recipient automatically receives a license from the
-original licensor to copy, distribute, link with or modify the Library
-subject to these terms and conditions. You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
- 11. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Library at all. For example, if a patent
-license would not permit royalty-free redistribution of the Library by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Library.
-
-If any portion of this section is held invalid or unenforceable under any
-particular circumstance, the balance of the section is intended to apply,
-and the section as a whole is intended to apply in other circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system which is
-implemented by public license practices. Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
- 12. If the distribution and/or use of the Library is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Library under this License may add
-an explicit geographical distribution limitation excluding those countries,
-so that distribution is permitted only in or among countries not thus
-excluded. In such case, this License incorporates the limitation as if
-written in the body of this License.
-
- 13. The Free Software Foundation may publish revised and/or new
-versions of the Library General Public License from time to time.
-Such new versions will be similar in spirit to the present version,
-but may differ in detail to address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Library
-specifies a version number of this License which applies to it and
-"any later version", you have the option of following the terms and
-conditions either of that version or of any later version published by
-the Free Software Foundation. If the Library does not specify a
-license version number, you may choose any version ever published by
-the Free Software Foundation.
-
- 14. If you wish to incorporate parts of the Library into other free
-programs whose distribution conditions are incompatible with these,
-write to the author to ask for permission. For software which is
-copyrighted by the Free Software Foundation, write to the Free
-Software Foundation; we sometimes make exceptions for this. Our
-decision will be guided by the two goals of preserving the free status
-of all derivatives of our free software and of promoting the sharing
-and reuse of software generally.
-
- NO WARRANTY
-
- 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
-WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
-EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
-OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
-KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
-LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
-THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
- 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
-WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
-AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
-FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
-CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
-LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
-RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
-FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
-SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
-DAMAGES.
-
- END OF TERMS AND CONDITIONS
-
- How to Apply These Terms to Your New Libraries
-
- If you develop a new library, and you want it to be of the greatest
-possible use to the public, we recommend making it free software that
-everyone can redistribute and change. You can do so by permitting
-redistribution under these terms (or, alternatively, under the terms of the
-ordinary General Public License).
-
- To apply these terms, attach the following notices to the library. It is
-safest to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least the
-"copyright" line and a pointer to where the full notice is found.
-
- <one line to give the library's name and a brief idea of what it does.>
- Copyright (C) <year> <name of author>
-
- This library is free software; you can redistribute it and/or
- modify it under the terms of the GNU Library General Public
- License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
-
- This library is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Library General Public License for more details.
-
- You should have received a copy of the GNU Library General Public
- License along with this library; if not, write to the Free
- Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-Also add information on how to contact you by electronic and paper mail.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the library, if
-necessary. Here is a sample; alter the names:
-
- Yoyodyne, Inc., hereby disclaims all copyright interest in the
- library `Frob' (a library for tweaking knobs) written by James Random Hacker.
-
- <signature of Ty Coon>, 1 April 1990
- Ty Coon, President of Vice
-
-That's all there is to it!
diff --git a/lib/Makefile b/lib/Makefile
deleted file mode 100644
index 8f0b6ec24..000000000
--- a/lib/Makefile
+++ /dev/null
@@ -1,40 +0,0 @@
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 1998, 1999 Henry Spencer.
-# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.2 2006/10/19 18:12:45 as Exp $
-
-FREESWANSRCDIR=..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-SUBDIRS=libfreeswan libdes
-
-ifeq ($(USE_LWRES),true)
-SUBDIRS+=liblwres
-endif
-
-ifeq ($(USE_IPSECPOLICY),true)
-SUBDIRS+=libipsecpolicy
-endif
-
-def:
- @echo "Please read doc/intro.html or INSTALL before running make"
- @false
-
-# programs
-
-cleanall distclean mostlyclean realclean install programs checkprograms check clean spotless install_file_list:
- @for d in $(SUBDIRS) ; \
- do \
- (cd $$d && $(MAKE) FREESWANSRCDIR=$(FREESWANSRCDIR)/.. $@ ) || exit 1; \
- done;
diff --git a/lib/Makefile.kernel b/lib/Makefile.kernel
deleted file mode 100644
index f32a4f0b7..000000000
--- a/lib/Makefile.kernel
+++ /dev/null
@@ -1,65 +0,0 @@
-# FreeS/WAN library
-# Copyright (C) 1998-2002 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile.kernel,v 1.1 2004/03/15 20:35:24 as Exp $
-
-
-
-include ../Makefile.inc
-include ../Makefile.ver
-
-
-
-ifndef TOPDIR
-TOPDIR := /usr/src/linux
-endif
-
-L_TARGET := libkernel.a
-
-obj-y := addrtoa.o datatot.o goodmask.o \
- pfkey_v2_build.o pfkey_v2_debug.o pfkey_v2_ext_bits.o pfkey_v2_parse.o \
- prng.o rangetoa.o satoa.o \
- subnetof.o subnettoa.o ultoa.o version.o
-
-HDRS=freeswan.h internal.h
-
-EXTRA_CFLAGS += -I. $(KLIPSCOMPILE)
-
-EXTRA_CFLAGS += -Wall
-#EXTRA_CFLAGS += -Wconversion
-#EXTRA_CFLAGS += -Wmissing-prototypes
-EXTRA_CFLAGS += -Wpointer-arith
-#EXTRA_CFLAGS += -Wcast-qual
-#EXTRA_CFLAGS += -Wmissing-declarations
-EXTRA_CFLAGS += -Wstrict-prototypes
-#EXTRA_CFLAGS += -pedantic
-#EXTRA_CFLAGS += -W
-#EXTRA_CFLAGS += -Wwrite-strings
-#EXTRA_CFLAGS += -Wbad-function-cast
-
-active-objs := $(sort $(obj-y) $(obj-m))
-L_OBJS := $(obj-y)
-M_OBJS := $(obj-m)
-MIX_OBJS := $(filter $(export-objs), $(active-objs))
-
-include $(TOPDIR)/Rules.make
-
-$(obj-y): $(HDRS)
-
-# build version.c using version number from Makefile.ver
-version.c: version.in.c
- sed '/"/s/xxx/$(IPSECVERSION)/' version.in.c >$@
-
-clean:
- rm -f $(L_TARGET) *.o try* core *.core version.c
- ( cd des && $(MAKE) clean )
diff --git a/lib/README b/lib/README
deleted file mode 100644
index 1834a8792..000000000
--- a/lib/README
+++ /dev/null
@@ -1,3 +0,0 @@
-These are general library functions used in many places in FreeS/WAN.
-
-They are under the GNU library license; see COPYING.LIB.
diff --git a/lib/libcrypto/libaes/Makefile b/lib/libcrypto/libaes/Makefile
deleted file mode 100644
index 7e4cff6e8..000000000
--- a/lib/libcrypto/libaes/Makefile
+++ /dev/null
@@ -1,40 +0,0 @@
-CFLAGS=-O3 -fomit-frame-pointer -D__KERNEL__ -Wall -Wcast-qual $(EXTRA_CFLAGS)
-INC=-I../include
-
-AES_CORE_OBJ:=aes.o
-
-ASM-$(ARCH_ASM):=1
-ASM_X86:=$(ASM-i586)$(ASM-i686)
-ifneq ($(strip $(ASM_X86)),)
-AES_CORE_OBJ:= asm/aes-i586.o
-endif
-
-LIBOBJ := aes_xcbc_mac.o aes_cbc.o $(AES_CORE_OBJ)
-LDLIBS := -laes
-LDFLAGS := -L.
-
-BLIB := libaes.a
-
-L_TARGET := $(BLIB)
-
-.c.o:
- $(CC) $(CPPFLAGS) $(CFLAGS) $(INC) -c $< -o $@
-
-.S.o:
- $(CC) $(AFLAGS) -c $< -o $@
-
-$(BLIB): $(LIBOBJ)
- /bin/rm -f $(BLIB)
- ar cr $(BLIB) $(LIBOBJ)
- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
- else exit 0; fi; fi
-
-testx: test_main_mac.o $(BLIB)
- $(CC) -o $@ $^
-
-test: test_main.o $(BLIB)
- $(CC) -o $@ $^
-
-clean:
- rm -f *.[oa] asm/*.o core $(TARGET) test testx
diff --git a/lib/libcrypto/libaes/asm/aes-i586.S b/lib/libcrypto/libaes/asm/aes-i586.S
deleted file mode 100644
index df19d0d62..000000000
--- a/lib/libcrypto/libaes/asm/aes-i586.S
+++ /dev/null
@@ -1,892 +0,0 @@
-//
-// Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
-// All rights reserved.
-//
-// TERMS
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted subject to the following conditions:
-//
-// 1. Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright
-// notice, this list of conditions and the following disclaimer in the
-// documentation and/or other materials provided with the distribution.
-//
-// 3. The copyright holder's name must not be used to endorse or promote
-// any products derived from this software without his specific prior
-// written permission.
-//
-// This software is provided 'as is' with no express or implied warranties
-// of correctness or fitness for purpose.
-
-// Modified by Jari Ruusu, December 24 2001
-// - Converted syntax to GNU CPP/assembler syntax
-// - C programming interface converted back to "old" API
-// - Minor portability cleanups and speed optimizations
-
-// An AES (Rijndael) implementation for the Pentium. This version only
-// implements the standard AES block length (128 bits, 16 bytes). This code
-// does not preserve the eax, ecx or edx registers or the artihmetic status
-// flags. However, the ebx, esi, edi, and ebp registers are preserved across
-// calls.
-
-// void aes_set_key(aes_context *cx, const unsigned char key[], const int key_len, const int f)
-// void aes_encrypt(const aes_context *cx, const unsigned char in_blk[], unsigned char out_blk[])
-// void aes_decrypt(const aes_context *cx, const unsigned char in_blk[], unsigned char out_blk[])
-
-#if defined(USE_UNDERLINE)
-# define aes_set_key _aes_set_key
-# define aes_encrypt _aes_encrypt
-# define aes_decrypt _aes_decrypt
-#endif
-#if !defined(ALIGN32BYTES)
-# define ALIGN32BYTES 32
-#endif
-
- .file "aes-i586.S"
- .globl aes_set_key
- .globl aes_encrypt
- .globl aes_decrypt
-
-#define tlen 1024 // length of each of 4 'xor' arrays (256 32-bit words)
-
-// offsets to parameters with one register pushed onto stack
-
-#define ctx 8 // AES context structure
-#define in_blk 12 // input byte array address parameter
-#define out_blk 16 // output byte array address parameter
-
-// offsets in context structure
-
-#define nkey 0 // key length, size 4
-#define nrnd 4 // number of rounds, size 4
-#define ekey 8 // encryption key schedule base address, size 256
-#define dkey 264 // decryption key schedule base address, size 256
-
-// This macro performs a forward encryption cycle. It is entered with
-// the first previous round column values in %eax, %ebx, %esi and %edi and
-// exits with the final values in the same registers.
-
-#define fwd_rnd(p1,p2) \
- mov %ebx,(%esp) ;\
- movzbl %al,%edx ;\
- mov %eax,%ecx ;\
- mov p2(%ebp),%eax ;\
- mov %edi,4(%esp) ;\
- mov p2+12(%ebp),%edi ;\
- xor p1(,%edx,4),%eax ;\
- movzbl %ch,%edx ;\
- shr $16,%ecx ;\
- mov p2+4(%ebp),%ebx ;\
- xor p1+tlen(,%edx,4),%edi ;\
- movzbl %cl,%edx ;\
- movzbl %ch,%ecx ;\
- xor p1+3*tlen(,%ecx,4),%ebx ;\
- mov %esi,%ecx ;\
- mov p1+2*tlen(,%edx,4),%esi ;\
- movzbl %cl,%edx ;\
- xor p1(,%edx,4),%esi ;\
- movzbl %ch,%edx ;\
- shr $16,%ecx ;\
- xor p1+tlen(,%edx,4),%ebx ;\
- movzbl %cl,%edx ;\
- movzbl %ch,%ecx ;\
- xor p1+2*tlen(,%edx,4),%eax ;\
- mov (%esp),%edx ;\
- xor p1+3*tlen(,%ecx,4),%edi ;\
- movzbl %dl,%ecx ;\
- xor p2+8(%ebp),%esi ;\
- xor p1(,%ecx,4),%ebx ;\
- movzbl %dh,%ecx ;\
- shr $16,%edx ;\
- xor p1+tlen(,%ecx,4),%eax ;\
- movzbl %dl,%ecx ;\
- movzbl %dh,%edx ;\
- xor p1+2*tlen(,%ecx,4),%edi ;\
- mov 4(%esp),%ecx ;\
- xor p1+3*tlen(,%edx,4),%esi ;\
- movzbl %cl,%edx ;\
- xor p1(,%edx,4),%edi ;\
- movzbl %ch,%edx ;\
- shr $16,%ecx ;\
- xor p1+tlen(,%edx,4),%esi ;\
- movzbl %cl,%edx ;\
- movzbl %ch,%ecx ;\
- xor p1+2*tlen(,%edx,4),%ebx ;\
- xor p1+3*tlen(,%ecx,4),%eax
-
-// This macro performs an inverse encryption cycle. It is entered with
-// the first previous round column values in %eax, %ebx, %esi and %edi and
-// exits with the final values in the same registers.
-
-#define inv_rnd(p1,p2) \
- movzbl %al,%edx ;\
- mov %ebx,(%esp) ;\
- mov %eax,%ecx ;\
- mov p2(%ebp),%eax ;\
- mov %edi,4(%esp) ;\
- mov p2+4(%ebp),%ebx ;\
- xor p1(,%edx,4),%eax ;\
- movzbl %ch,%edx ;\
- shr $16,%ecx ;\
- mov p2+12(%ebp),%edi ;\
- xor p1+tlen(,%edx,4),%ebx ;\
- movzbl %cl,%edx ;\
- movzbl %ch,%ecx ;\
- xor p1+3*tlen(,%ecx,4),%edi ;\
- mov %esi,%ecx ;\
- mov p1+2*tlen(,%edx,4),%esi ;\
- movzbl %cl,%edx ;\
- xor p1(,%edx,4),%esi ;\
- movzbl %ch,%edx ;\
- shr $16,%ecx ;\
- xor p1+tlen(,%edx,4),%edi ;\
- movzbl %cl,%edx ;\
- movzbl %ch,%ecx ;\
- xor p1+2*tlen(,%edx,4),%eax ;\
- mov (%esp),%edx ;\
- xor p1+3*tlen(,%ecx,4),%ebx ;\
- movzbl %dl,%ecx ;\
- xor p2+8(%ebp),%esi ;\
- xor p1(,%ecx,4),%ebx ;\
- movzbl %dh,%ecx ;\
- shr $16,%edx ;\
- xor p1+tlen(,%ecx,4),%esi ;\
- movzbl %dl,%ecx ;\
- movzbl %dh,%edx ;\
- xor p1+2*tlen(,%ecx,4),%edi ;\
- mov 4(%esp),%ecx ;\
- xor p1+3*tlen(,%edx,4),%eax ;\
- movzbl %cl,%edx ;\
- xor p1(,%edx,4),%edi ;\
- movzbl %ch,%edx ;\
- shr $16,%ecx ;\
- xor p1+tlen(,%edx,4),%eax ;\
- movzbl %cl,%edx ;\
- movzbl %ch,%ecx ;\
- xor p1+2*tlen(,%edx,4),%ebx ;\
- xor p1+3*tlen(,%ecx,4),%esi
-
-// AES (Rijndael) Encryption Subroutine
-
- .text
- .align ALIGN32BYTES
-aes_encrypt:
- push %ebp
- mov ctx(%esp),%ebp // pointer to context
- mov in_blk(%esp),%ecx
- push %ebx
- push %esi
- push %edi
- mov nrnd(%ebp),%edx // number of rounds
- lea ekey+16(%ebp),%ebp // key pointer
-
-// input four columns and xor in first round key
-
- mov (%ecx),%eax
- mov 4(%ecx),%ebx
- mov 8(%ecx),%esi
- mov 12(%ecx),%edi
- xor -16(%ebp),%eax
- xor -12(%ebp),%ebx
- xor -8(%ebp),%esi
- xor -4(%ebp),%edi
-
- sub $8,%esp // space for register saves on stack
-
- sub $10,%edx
- je aes_15
- add $32,%ebp
- sub $2,%edx
- je aes_13
- add $32,%ebp
-
- fwd_rnd(aes_ft_tab,-64) // 14 rounds for 256-bit key
- fwd_rnd(aes_ft_tab,-48)
-aes_13: fwd_rnd(aes_ft_tab,-32) // 12 rounds for 192-bit key
- fwd_rnd(aes_ft_tab,-16)
-aes_15: fwd_rnd(aes_ft_tab,0) // 10 rounds for 128-bit key
- fwd_rnd(aes_ft_tab,16)
- fwd_rnd(aes_ft_tab,32)
- fwd_rnd(aes_ft_tab,48)
- fwd_rnd(aes_ft_tab,64)
- fwd_rnd(aes_ft_tab,80)
- fwd_rnd(aes_ft_tab,96)
- fwd_rnd(aes_ft_tab,112)
- fwd_rnd(aes_ft_tab,128)
- fwd_rnd(aes_fl_tab,144) // last round uses a different table
-
-// move final values to the output array.
-
- mov out_blk+20(%esp),%ebp
- add $8,%esp
- mov %eax,(%ebp)
- mov %ebx,4(%ebp)
- mov %esi,8(%ebp)
- mov %edi,12(%ebp)
- pop %edi
- pop %esi
- pop %ebx
- pop %ebp
- ret
-
-
-// AES (Rijndael) Decryption Subroutine
-
- .align ALIGN32BYTES
-aes_decrypt:
- push %ebp
- mov ctx(%esp),%ebp // pointer to context
- mov in_blk(%esp),%ecx
- push %ebx
- push %esi
- push %edi
- mov nrnd(%ebp),%edx // number of rounds
- lea dkey+16(%ebp),%ebp // key pointer
-
-// input four columns and xor in first round key
-
- mov (%ecx),%eax
- mov 4(%ecx),%ebx
- mov 8(%ecx),%esi
- mov 12(%ecx),%edi
- xor -16(%ebp),%eax
- xor -12(%ebp),%ebx
- xor -8(%ebp),%esi
- xor -4(%ebp),%edi
-
- sub $8,%esp // space for register saves on stack
-
- sub $10,%edx
- je aes_25
- add $32,%ebp
- sub $2,%edx
- je aes_23
- add $32,%ebp
-
- inv_rnd(aes_it_tab,-64) // 14 rounds for 256-bit key
- inv_rnd(aes_it_tab,-48)
-aes_23: inv_rnd(aes_it_tab,-32) // 12 rounds for 192-bit key
- inv_rnd(aes_it_tab,-16)
-aes_25: inv_rnd(aes_it_tab,0) // 10 rounds for 128-bit key
- inv_rnd(aes_it_tab,16)
- inv_rnd(aes_it_tab,32)
- inv_rnd(aes_it_tab,48)
- inv_rnd(aes_it_tab,64)
- inv_rnd(aes_it_tab,80)
- inv_rnd(aes_it_tab,96)
- inv_rnd(aes_it_tab,112)
- inv_rnd(aes_it_tab,128)
- inv_rnd(aes_il_tab,144) // last round uses a different table
-
-// move final values to the output array.
-
- mov out_blk+20(%esp),%ebp
- add $8,%esp
- mov %eax,(%ebp)
- mov %ebx,4(%ebp)
- mov %esi,8(%ebp)
- mov %edi,12(%ebp)
- pop %edi
- pop %esi
- pop %ebx
- pop %ebp
- ret
-
-// AES (Rijndael) Key Schedule Subroutine
-
-// input/output parameters
-
-#define aes_cx 12 // AES context
-#define in_key 16 // key input array address
-#define key_ln 20 // key length, bytes (16,24,32) or bits (128,192,256)
-#define ed_flg 24 // 0=create both encr/decr keys, 1=create encr key only
-
-// offsets for locals
-
-#define cnt -4
-#define kpf -8
-#define slen 8
-
-// This macro performs a column mixing operation on an input 32-bit
-// word to give a 32-bit result. It uses each of the 4 bytes in the
-// the input column to index 4 different tables of 256 32-bit words
-// that are xored together to form the output value.
-
-#define mix_col(p1) \
- movzbl %bl,%ecx ;\
- mov p1(,%ecx,4),%eax ;\
- movzbl %bh,%ecx ;\
- ror $16,%ebx ;\
- xor p1+tlen(,%ecx,4),%eax ;\
- movzbl %bl,%ecx ;\
- xor p1+2*tlen(,%ecx,4),%eax ;\
- movzbl %bh,%ecx ;\
- xor p1+3*tlen(,%ecx,4),%eax
-
-// Key Schedule Macros
-
-#define ksc4(p1) \
- rol $24,%ebx ;\
- mix_col(aes_fl_tab) ;\
- ror $8,%ebx ;\
- xor 4*p1+aes_rcon_tab,%eax ;\
- xor %eax,%esi ;\
- xor %esi,%ebp ;\
- mov %esi,16*p1(%edi) ;\
- mov %ebp,16*p1+4(%edi) ;\
- xor %ebp,%edx ;\
- xor %edx,%ebx ;\
- mov %edx,16*p1+8(%edi) ;\
- mov %ebx,16*p1+12(%edi)
-
-#define ksc6(p1) \
- rol $24,%ebx ;\
- mix_col(aes_fl_tab) ;\
- ror $8,%ebx ;\
- xor 4*p1+aes_rcon_tab,%eax ;\
- xor 24*p1-24(%edi),%eax ;\
- mov %eax,24*p1(%edi) ;\
- xor 24*p1-20(%edi),%eax ;\
- mov %eax,24*p1+4(%edi) ;\
- xor %eax,%esi ;\
- xor %esi,%ebp ;\
- mov %esi,24*p1+8(%edi) ;\
- mov %ebp,24*p1+12(%edi) ;\
- xor %ebp,%edx ;\
- xor %edx,%ebx ;\
- mov %edx,24*p1+16(%edi) ;\
- mov %ebx,24*p1+20(%edi)
-
-#define ksc8(p1) \
- rol $24,%ebx ;\
- mix_col(aes_fl_tab) ;\
- ror $8,%ebx ;\
- xor 4*p1+aes_rcon_tab,%eax ;\
- xor 32*p1-32(%edi),%eax ;\
- mov %eax,32*p1(%edi) ;\
- xor 32*p1-28(%edi),%eax ;\
- mov %eax,32*p1+4(%edi) ;\
- xor 32*p1-24(%edi),%eax ;\
- mov %eax,32*p1+8(%edi) ;\
- xor 32*p1-20(%edi),%eax ;\
- mov %eax,32*p1+12(%edi) ;\
- push %ebx ;\
- mov %eax,%ebx ;\
- mix_col(aes_fl_tab) ;\
- pop %ebx ;\
- xor %eax,%esi ;\
- xor %esi,%ebp ;\
- mov %esi,32*p1+16(%edi) ;\
- mov %ebp,32*p1+20(%edi) ;\
- xor %ebp,%edx ;\
- xor %edx,%ebx ;\
- mov %edx,32*p1+24(%edi) ;\
- mov %ebx,32*p1+28(%edi)
-
- .align ALIGN32BYTES
-aes_set_key:
- pushfl
- push %ebp
- mov %esp,%ebp
- sub $slen,%esp
- push %ebx
- push %esi
- push %edi
-
- mov aes_cx(%ebp),%edx // edx -> AES context
-
- mov key_ln(%ebp),%ecx // key length
- cmpl $128,%ecx
- jb aes_30
- shr $3,%ecx
-aes_30: cmpl $32,%ecx
- je aes_32
- cmpl $24,%ecx
- je aes_32
- mov $16,%ecx
-aes_32: shr $2,%ecx
- mov %ecx,nkey(%edx)
-
- lea 6(%ecx),%eax // 10/12/14 for 4/6/8 32-bit key length
- mov %eax,nrnd(%edx)
-
- mov in_key(%ebp),%esi // key input array
- lea ekey(%edx),%edi // key position in AES context
- cld
- push %ebp
- mov %ecx,%eax // save key length in eax
- rep ; movsl // words in the key schedule
- mov -4(%esi),%ebx // put some values in registers
- mov -8(%esi),%edx // to allow faster code
- mov -12(%esi),%ebp
- mov -16(%esi),%esi
-
- cmpl $4,%eax // jump on key size
- je aes_36
- cmpl $6,%eax
- je aes_35
-
- ksc8(0)
- ksc8(1)
- ksc8(2)
- ksc8(3)
- ksc8(4)
- ksc8(5)
- ksc8(6)
- jmp aes_37
-aes_35: ksc6(0)
- ksc6(1)
- ksc6(2)
- ksc6(3)
- ksc6(4)
- ksc6(5)
- ksc6(6)
- ksc6(7)
- jmp aes_37
-aes_36: ksc4(0)
- ksc4(1)
- ksc4(2)
- ksc4(3)
- ksc4(4)
- ksc4(5)
- ksc4(6)
- ksc4(7)
- ksc4(8)
- ksc4(9)
-aes_37: pop %ebp
- mov aes_cx(%ebp),%edx // edx -> AES context
- cmpl $0,ed_flg(%ebp)
- jne aes_39
-
-// compile decryption key schedule from encryption schedule - reverse
-// order and do mix_column operation on round keys except first and last
-
- mov nrnd(%edx),%eax // kt = cx->d_key + nc * cx->Nrnd
- shl $2,%eax
- lea dkey(%edx,%eax,4),%edi
- lea ekey(%edx),%esi // kf = cx->e_key
-
- movsl // copy first round key (unmodified)
- movsl
- movsl
- movsl
- sub $32,%edi
- movl $1,cnt(%ebp)
-aes_38: // do mix column on each column of
- lodsl // each round key
- mov %eax,%ebx
- mix_col(aes_im_tab)
- stosl
- lodsl
- mov %eax,%ebx
- mix_col(aes_im_tab)
- stosl
- lodsl
- mov %eax,%ebx
- mix_col(aes_im_tab)
- stosl
- lodsl
- mov %eax,%ebx
- mix_col(aes_im_tab)
- stosl
- sub $32,%edi
-
- incl cnt(%ebp)
- mov cnt(%ebp),%eax
- cmp nrnd(%edx),%eax
- jb aes_38
-
- movsl // copy last round key (unmodified)
- movsl
- movsl
- movsl
-aes_39: pop %edi
- pop %esi
- pop %ebx
- mov %ebp,%esp
- pop %ebp
- popfl
- ret
-
-
-// finite field multiplies by {02}, {04} and {08}
-
-#define f2(x) ((x<<1)^(((x>>7)&1)*0x11b))
-#define f4(x) ((x<<2)^(((x>>6)&1)*0x11b)^(((x>>6)&2)*0x11b))
-#define f8(x) ((x<<3)^(((x>>5)&1)*0x11b)^(((x>>5)&2)*0x11b)^(((x>>5)&4)*0x11b))
-
-// finite field multiplies required in table generation
-
-#define f3(x) (f2(x) ^ x)
-#define f9(x) (f8(x) ^ x)
-#define fb(x) (f8(x) ^ f2(x) ^ x)
-#define fd(x) (f8(x) ^ f4(x) ^ x)
-#define fe(x) (f8(x) ^ f4(x) ^ f2(x))
-
-// These defines generate the forward table entries
-
-#define u0(x) ((f3(x) << 24) | (x << 16) | (x << 8) | f2(x))
-#define u1(x) ((x << 24) | (x << 16) | (f2(x) << 8) | f3(x))
-#define u2(x) ((x << 24) | (f2(x) << 16) | (f3(x) << 8) | x)
-#define u3(x) ((f2(x) << 24) | (f3(x) << 16) | (x << 8) | x)
-
-// These defines generate the inverse table entries
-
-#define v0(x) ((fb(x) << 24) | (fd(x) << 16) | (f9(x) << 8) | fe(x))
-#define v1(x) ((fd(x) << 24) | (f9(x) << 16) | (fe(x) << 8) | fb(x))
-#define v2(x) ((f9(x) << 24) | (fe(x) << 16) | (fb(x) << 8) | fd(x))
-#define v3(x) ((fe(x) << 24) | (fb(x) << 16) | (fd(x) << 8) | f9(x))
-
-// These defines generate entries for the last round tables
-
-#define w0(x) (x)
-#define w1(x) (x << 8)
-#define w2(x) (x << 16)
-#define w3(x) (x << 24)
-
-// macro to generate inverse mix column tables (needed for the key schedule)
-
-#define im_data0(p1) \
- .long p1(0x00),p1(0x01),p1(0x02),p1(0x03),p1(0x04),p1(0x05),p1(0x06),p1(0x07) ;\
- .long p1(0x08),p1(0x09),p1(0x0a),p1(0x0b),p1(0x0c),p1(0x0d),p1(0x0e),p1(0x0f) ;\
- .long p1(0x10),p1(0x11),p1(0x12),p1(0x13),p1(0x14),p1(0x15),p1(0x16),p1(0x17) ;\
- .long p1(0x18),p1(0x19),p1(0x1a),p1(0x1b),p1(0x1c),p1(0x1d),p1(0x1e),p1(0x1f)
-#define im_data1(p1) \
- .long p1(0x20),p1(0x21),p1(0x22),p1(0x23),p1(0x24),p1(0x25),p1(0x26),p1(0x27) ;\
- .long p1(0x28),p1(0x29),p1(0x2a),p1(0x2b),p1(0x2c),p1(0x2d),p1(0x2e),p1(0x2f) ;\
- .long p1(0x30),p1(0x31),p1(0x32),p1(0x33),p1(0x34),p1(0x35),p1(0x36),p1(0x37) ;\
- .long p1(0x38),p1(0x39),p1(0x3a),p1(0x3b),p1(0x3c),p1(0x3d),p1(0x3e),p1(0x3f)
-#define im_data2(p1) \
- .long p1(0x40),p1(0x41),p1(0x42),p1(0x43),p1(0x44),p1(0x45),p1(0x46),p1(0x47) ;\
- .long p1(0x48),p1(0x49),p1(0x4a),p1(0x4b),p1(0x4c),p1(0x4d),p1(0x4e),p1(0x4f) ;\
- .long p1(0x50),p1(0x51),p1(0x52),p1(0x53),p1(0x54),p1(0x55),p1(0x56),p1(0x57) ;\
- .long p1(0x58),p1(0x59),p1(0x5a),p1(0x5b),p1(0x5c),p1(0x5d),p1(0x5e),p1(0x5f)
-#define im_data3(p1) \
- .long p1(0x60),p1(0x61),p1(0x62),p1(0x63),p1(0x64),p1(0x65),p1(0x66),p1(0x67) ;\
- .long p1(0x68),p1(0x69),p1(0x6a),p1(0x6b),p1(0x6c),p1(0x6d),p1(0x6e),p1(0x6f) ;\
- .long p1(0x70),p1(0x71),p1(0x72),p1(0x73),p1(0x74),p1(0x75),p1(0x76),p1(0x77) ;\
- .long p1(0x78),p1(0x79),p1(0x7a),p1(0x7b),p1(0x7c),p1(0x7d),p1(0x7e),p1(0x7f)
-#define im_data4(p1) \
- .long p1(0x80),p1(0x81),p1(0x82),p1(0x83),p1(0x84),p1(0x85),p1(0x86),p1(0x87) ;\
- .long p1(0x88),p1(0x89),p1(0x8a),p1(0x8b),p1(0x8c),p1(0x8d),p1(0x8e),p1(0x8f) ;\
- .long p1(0x90),p1(0x91),p1(0x92),p1(0x93),p1(0x94),p1(0x95),p1(0x96),p1(0x97) ;\
- .long p1(0x98),p1(0x99),p1(0x9a),p1(0x9b),p1(0x9c),p1(0x9d),p1(0x9e),p1(0x9f)
-#define im_data5(p1) \
- .long p1(0xa0),p1(0xa1),p1(0xa2),p1(0xa3),p1(0xa4),p1(0xa5),p1(0xa6),p1(0xa7) ;\
- .long p1(0xa8),p1(0xa9),p1(0xaa),p1(0xab),p1(0xac),p1(0xad),p1(0xae),p1(0xaf) ;\
- .long p1(0xb0),p1(0xb1),p1(0xb2),p1(0xb3),p1(0xb4),p1(0xb5),p1(0xb6),p1(0xb7) ;\
- .long p1(0xb8),p1(0xb9),p1(0xba),p1(0xbb),p1(0xbc),p1(0xbd),p1(0xbe),p1(0xbf)
-#define im_data6(p1) \
- .long p1(0xc0),p1(0xc1),p1(0xc2),p1(0xc3),p1(0xc4),p1(0xc5),p1(0xc6),p1(0xc7) ;\
- .long p1(0xc8),p1(0xc9),p1(0xca),p1(0xcb),p1(0xcc),p1(0xcd),p1(0xce),p1(0xcf) ;\
- .long p1(0xd0),p1(0xd1),p1(0xd2),p1(0xd3),p1(0xd4),p1(0xd5),p1(0xd6),p1(0xd7) ;\
- .long p1(0xd8),p1(0xd9),p1(0xda),p1(0xdb),p1(0xdc),p1(0xdd),p1(0xde),p1(0xdf)
-#define im_data7(p1) \
- .long p1(0xe0),p1(0xe1),p1(0xe2),p1(0xe3),p1(0xe4),p1(0xe5),p1(0xe6),p1(0xe7) ;\
- .long p1(0xe8),p1(0xe9),p1(0xea),p1(0xeb),p1(0xec),p1(0xed),p1(0xee),p1(0xef) ;\
- .long p1(0xf0),p1(0xf1),p1(0xf2),p1(0xf3),p1(0xf4),p1(0xf5),p1(0xf6),p1(0xf7) ;\
- .long p1(0xf8),p1(0xf9),p1(0xfa),p1(0xfb),p1(0xfc),p1(0xfd),p1(0xfe),p1(0xff)
-
-// S-box data - 256 entries
-
-#define sb_data0(p1) \
- .long p1(0x63),p1(0x7c),p1(0x77),p1(0x7b),p1(0xf2),p1(0x6b),p1(0x6f),p1(0xc5) ;\
- .long p1(0x30),p1(0x01),p1(0x67),p1(0x2b),p1(0xfe),p1(0xd7),p1(0xab),p1(0x76) ;\
- .long p1(0xca),p1(0x82),p1(0xc9),p1(0x7d),p1(0xfa),p1(0x59),p1(0x47),p1(0xf0) ;\
- .long p1(0xad),p1(0xd4),p1(0xa2),p1(0xaf),p1(0x9c),p1(0xa4),p1(0x72),p1(0xc0)
-#define sb_data1(p1) \
- .long p1(0xb7),p1(0xfd),p1(0x93),p1(0x26),p1(0x36),p1(0x3f),p1(0xf7),p1(0xcc) ;\
- .long p1(0x34),p1(0xa5),p1(0xe5),p1(0xf1),p1(0x71),p1(0xd8),p1(0x31),p1(0x15) ;\
- .long p1(0x04),p1(0xc7),p1(0x23),p1(0xc3),p1(0x18),p1(0x96),p1(0x05),p1(0x9a) ;\
- .long p1(0x07),p1(0x12),p1(0x80),p1(0xe2),p1(0xeb),p1(0x27),p1(0xb2),p1(0x75)
-#define sb_data2(p1) \
- .long p1(0x09),p1(0x83),p1(0x2c),p1(0x1a),p1(0x1b),p1(0x6e),p1(0x5a),p1(0xa0) ;\
- .long p1(0x52),p1(0x3b),p1(0xd6),p1(0xb3),p1(0x29),p1(0xe3),p1(0x2f),p1(0x84) ;\
- .long p1(0x53),p1(0xd1),p1(0x00),p1(0xed),p1(0x20),p1(0xfc),p1(0xb1),p1(0x5b) ;\
- .long p1(0x6a),p1(0xcb),p1(0xbe),p1(0x39),p1(0x4a),p1(0x4c),p1(0x58),p1(0xcf)
-#define sb_data3(p1) \
- .long p1(0xd0),p1(0xef),p1(0xaa),p1(0xfb),p1(0x43),p1(0x4d),p1(0x33),p1(0x85) ;\
- .long p1(0x45),p1(0xf9),p1(0x02),p1(0x7f),p1(0x50),p1(0x3c),p1(0x9f),p1(0xa8) ;\
- .long p1(0x51),p1(0xa3),p1(0x40),p1(0x8f),p1(0x92),p1(0x9d),p1(0x38),p1(0xf5) ;\
- .long p1(0xbc),p1(0xb6),p1(0xda),p1(0x21),p1(0x10),p1(0xff),p1(0xf3),p1(0xd2)
-#define sb_data4(p1) \
- .long p1(0xcd),p1(0x0c),p1(0x13),p1(0xec),p1(0x5f),p1(0x97),p1(0x44),p1(0x17) ;\
- .long p1(0xc4),p1(0xa7),p1(0x7e),p1(0x3d),p1(0x64),p1(0x5d),p1(0x19),p1(0x73) ;\
- .long p1(0x60),p1(0x81),p1(0x4f),p1(0xdc),p1(0x22),p1(0x2a),p1(0x90),p1(0x88) ;\
- .long p1(0x46),p1(0xee),p1(0xb8),p1(0x14),p1(0xde),p1(0x5e),p1(0x0b),p1(0xdb)
-#define sb_data5(p1) \
- .long p1(0xe0),p1(0x32),p1(0x3a),p1(0x0a),p1(0x49),p1(0x06),p1(0x24),p1(0x5c) ;\
- .long p1(0xc2),p1(0xd3),p1(0xac),p1(0x62),p1(0x91),p1(0x95),p1(0xe4),p1(0x79) ;\
- .long p1(0xe7),p1(0xc8),p1(0x37),p1(0x6d),p1(0x8d),p1(0xd5),p1(0x4e),p1(0xa9) ;\
- .long p1(0x6c),p1(0x56),p1(0xf4),p1(0xea),p1(0x65),p1(0x7a),p1(0xae),p1(0x08)
-#define sb_data6(p1) \
- .long p1(0xba),p1(0x78),p1(0x25),p1(0x2e),p1(0x1c),p1(0xa6),p1(0xb4),p1(0xc6) ;\
- .long p1(0xe8),p1(0xdd),p1(0x74),p1(0x1f),p1(0x4b),p1(0xbd),p1(0x8b),p1(0x8a) ;\
- .long p1(0x70),p1(0x3e),p1(0xb5),p1(0x66),p1(0x48),p1(0x03),p1(0xf6),p1(0x0e) ;\
- .long p1(0x61),p1(0x35),p1(0x57),p1(0xb9),p1(0x86),p1(0xc1),p1(0x1d),p1(0x9e)
-#define sb_data7(p1) \
- .long p1(0xe1),p1(0xf8),p1(0x98),p1(0x11),p1(0x69),p1(0xd9),p1(0x8e),p1(0x94) ;\
- .long p1(0x9b),p1(0x1e),p1(0x87),p1(0xe9),p1(0xce),p1(0x55),p1(0x28),p1(0xdf) ;\
- .long p1(0x8c),p1(0xa1),p1(0x89),p1(0x0d),p1(0xbf),p1(0xe6),p1(0x42),p1(0x68) ;\
- .long p1(0x41),p1(0x99),p1(0x2d),p1(0x0f),p1(0xb0),p1(0x54),p1(0xbb),p1(0x16)
-
-// Inverse S-box data - 256 entries
-
-#define ib_data0(p1) \
- .long p1(0x52),p1(0x09),p1(0x6a),p1(0xd5),p1(0x30),p1(0x36),p1(0xa5),p1(0x38) ;\
- .long p1(0xbf),p1(0x40),p1(0xa3),p1(0x9e),p1(0x81),p1(0xf3),p1(0xd7),p1(0xfb) ;\
- .long p1(0x7c),p1(0xe3),p1(0x39),p1(0x82),p1(0x9b),p1(0x2f),p1(0xff),p1(0x87) ;\
- .long p1(0x34),p1(0x8e),p1(0x43),p1(0x44),p1(0xc4),p1(0xde),p1(0xe9),p1(0xcb)
-#define ib_data1(p1) \
- .long p1(0x54),p1(0x7b),p1(0x94),p1(0x32),p1(0xa6),p1(0xc2),p1(0x23),p1(0x3d) ;\
- .long p1(0xee),p1(0x4c),p1(0x95),p1(0x0b),p1(0x42),p1(0xfa),p1(0xc3),p1(0x4e) ;\
- .long p1(0x08),p1(0x2e),p1(0xa1),p1(0x66),p1(0x28),p1(0xd9),p1(0x24),p1(0xb2) ;\
- .long p1(0x76),p1(0x5b),p1(0xa2),p1(0x49),p1(0x6d),p1(0x8b),p1(0xd1),p1(0x25)
-#define ib_data2(p1) \
- .long p1(0x72),p1(0xf8),p1(0xf6),p1(0x64),p1(0x86),p1(0x68),p1(0x98),p1(0x16) ;\
- .long p1(0xd4),p1(0xa4),p1(0x5c),p1(0xcc),p1(0x5d),p1(0x65),p1(0xb6),p1(0x92) ;\
- .long p1(0x6c),p1(0x70),p1(0x48),p1(0x50),p1(0xfd),p1(0xed),p1(0xb9),p1(0xda) ;\
- .long p1(0x5e),p1(0x15),p1(0x46),p1(0x57),p1(0xa7),p1(0x8d),p1(0x9d),p1(0x84)
-#define ib_data3(p1) \
- .long p1(0x90),p1(0xd8),p1(0xab),p1(0x00),p1(0x8c),p1(0xbc),p1(0xd3),p1(0x0a) ;\
- .long p1(0xf7),p1(0xe4),p1(0x58),p1(0x05),p1(0xb8),p1(0xb3),p1(0x45),p1(0x06) ;\
- .long p1(0xd0),p1(0x2c),p1(0x1e),p1(0x8f),p1(0xca),p1(0x3f),p1(0x0f),p1(0x02) ;\
- .long p1(0xc1),p1(0xaf),p1(0xbd),p1(0x03),p1(0x01),p1(0x13),p1(0x8a),p1(0x6b)
-#define ib_data4(p1) \
- .long p1(0x3a),p1(0x91),p1(0x11),p1(0x41),p1(0x4f),p1(0x67),p1(0xdc),p1(0xea) ;\
- .long p1(0x97),p1(0xf2),p1(0xcf),p1(0xce),p1(0xf0),p1(0xb4),p1(0xe6),p1(0x73) ;\
- .long p1(0x96),p1(0xac),p1(0x74),p1(0x22),p1(0xe7),p1(0xad),p1(0x35),p1(0x85) ;\
- .long p1(0xe2),p1(0xf9),p1(0x37),p1(0xe8),p1(0x1c),p1(0x75),p1(0xdf),p1(0x6e)
-#define ib_data5(p1) \
- .long p1(0x47),p1(0xf1),p1(0x1a),p1(0x71),p1(0x1d),p1(0x29),p1(0xc5),p1(0x89) ;\
- .long p1(0x6f),p1(0xb7),p1(0x62),p1(0x0e),p1(0xaa),p1(0x18),p1(0xbe),p1(0x1b) ;\
- .long p1(0xfc),p1(0x56),p1(0x3e),p1(0x4b),p1(0xc6),p1(0xd2),p1(0x79),p1(0x20) ;\
- .long p1(0x9a),p1(0xdb),p1(0xc0),p1(0xfe),p1(0x78),p1(0xcd),p1(0x5a),p1(0xf4)
-#define ib_data6(p1) \
- .long p1(0x1f),p1(0xdd),p1(0xa8),p1(0x33),p1(0x88),p1(0x07),p1(0xc7),p1(0x31) ;\
- .long p1(0xb1),p1(0x12),p1(0x10),p1(0x59),p1(0x27),p1(0x80),p1(0xec),p1(0x5f) ;\
- .long p1(0x60),p1(0x51),p1(0x7f),p1(0xa9),p1(0x19),p1(0xb5),p1(0x4a),p1(0x0d) ;\
- .long p1(0x2d),p1(0xe5),p1(0x7a),p1(0x9f),p1(0x93),p1(0xc9),p1(0x9c),p1(0xef)
-#define ib_data7(p1) \
- .long p1(0xa0),p1(0xe0),p1(0x3b),p1(0x4d),p1(0xae),p1(0x2a),p1(0xf5),p1(0xb0) ;\
- .long p1(0xc8),p1(0xeb),p1(0xbb),p1(0x3c),p1(0x83),p1(0x53),p1(0x99),p1(0x61) ;\
- .long p1(0x17),p1(0x2b),p1(0x04),p1(0x7e),p1(0xba),p1(0x77),p1(0xd6),p1(0x26) ;\
- .long p1(0xe1),p1(0x69),p1(0x14),p1(0x63),p1(0x55),p1(0x21),p1(0x0c),p1(0x7d)
-
-// The rcon_table (needed for the key schedule)
-//
-// Here is original Dr Brian Gladman's source code:
-// _rcon_tab:
-// %assign x 1
-// %rep 29
-// dd x
-// %assign x f2(x)
-// %endrep
-//
-// Here is precomputed output (it's more portable this way):
-
- .align ALIGN32BYTES
-aes_rcon_tab:
- .long 0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80
- .long 0x1b,0x36,0x6c,0xd8,0xab,0x4d,0x9a,0x2f
- .long 0x5e,0xbc,0x63,0xc6,0x97,0x35,0x6a,0xd4
- .long 0xb3,0x7d,0xfa,0xef,0xc5
-
-// The forward xor tables
-
- .align ALIGN32BYTES
-aes_ft_tab:
- sb_data0(u0)
- sb_data1(u0)
- sb_data2(u0)
- sb_data3(u0)
- sb_data4(u0)
- sb_data5(u0)
- sb_data6(u0)
- sb_data7(u0)
-
- sb_data0(u1)
- sb_data1(u1)
- sb_data2(u1)
- sb_data3(u1)
- sb_data4(u1)
- sb_data5(u1)
- sb_data6(u1)
- sb_data7(u1)
-
- sb_data0(u2)
- sb_data1(u2)
- sb_data2(u2)
- sb_data3(u2)
- sb_data4(u2)
- sb_data5(u2)
- sb_data6(u2)
- sb_data7(u2)
-
- sb_data0(u3)
- sb_data1(u3)
- sb_data2(u3)
- sb_data3(u3)
- sb_data4(u3)
- sb_data5(u3)
- sb_data6(u3)
- sb_data7(u3)
-
- .align ALIGN32BYTES
-aes_fl_tab:
- sb_data0(w0)
- sb_data1(w0)
- sb_data2(w0)
- sb_data3(w0)
- sb_data4(w0)
- sb_data5(w0)
- sb_data6(w0)
- sb_data7(w0)
-
- sb_data0(w1)
- sb_data1(w1)
- sb_data2(w1)
- sb_data3(w1)
- sb_data4(w1)
- sb_data5(w1)
- sb_data6(w1)
- sb_data7(w1)
-
- sb_data0(w2)
- sb_data1(w2)
- sb_data2(w2)
- sb_data3(w2)
- sb_data4(w2)
- sb_data5(w2)
- sb_data6(w2)
- sb_data7(w2)
-
- sb_data0(w3)
- sb_data1(w3)
- sb_data2(w3)
- sb_data3(w3)
- sb_data4(w3)
- sb_data5(w3)
- sb_data6(w3)
- sb_data7(w3)
-
-// The inverse xor tables
-
- .align ALIGN32BYTES
-aes_it_tab:
- ib_data0(v0)
- ib_data1(v0)
- ib_data2(v0)
- ib_data3(v0)
- ib_data4(v0)
- ib_data5(v0)
- ib_data6(v0)
- ib_data7(v0)
-
- ib_data0(v1)
- ib_data1(v1)
- ib_data2(v1)
- ib_data3(v1)
- ib_data4(v1)
- ib_data5(v1)
- ib_data6(v1)
- ib_data7(v1)
-
- ib_data0(v2)
- ib_data1(v2)
- ib_data2(v2)
- ib_data3(v2)
- ib_data4(v2)
- ib_data5(v2)
- ib_data6(v2)
- ib_data7(v2)
-
- ib_data0(v3)
- ib_data1(v3)
- ib_data2(v3)
- ib_data3(v3)
- ib_data4(v3)
- ib_data5(v3)
- ib_data6(v3)
- ib_data7(v3)
-
- .align ALIGN32BYTES
-aes_il_tab:
- ib_data0(w0)
- ib_data1(w0)
- ib_data2(w0)
- ib_data3(w0)
- ib_data4(w0)
- ib_data5(w0)
- ib_data6(w0)
- ib_data7(w0)
-
- ib_data0(w1)
- ib_data1(w1)
- ib_data2(w1)
- ib_data3(w1)
- ib_data4(w1)
- ib_data5(w1)
- ib_data6(w1)
- ib_data7(w1)
-
- ib_data0(w2)
- ib_data1(w2)
- ib_data2(w2)
- ib_data3(w2)
- ib_data4(w2)
- ib_data5(w2)
- ib_data6(w2)
- ib_data7(w2)
-
- ib_data0(w3)
- ib_data1(w3)
- ib_data2(w3)
- ib_data3(w3)
- ib_data4(w3)
- ib_data5(w3)
- ib_data6(w3)
- ib_data7(w3)
-
-// The inverse mix column tables
-
- .align ALIGN32BYTES
-aes_im_tab:
- im_data0(v0)
- im_data1(v0)
- im_data2(v0)
- im_data3(v0)
- im_data4(v0)
- im_data5(v0)
- im_data6(v0)
- im_data7(v0)
-
- im_data0(v1)
- im_data1(v1)
- im_data2(v1)
- im_data3(v1)
- im_data4(v1)
- im_data5(v1)
- im_data6(v1)
- im_data7(v1)
-
- im_data0(v2)
- im_data1(v2)
- im_data2(v2)
- im_data3(v2)
- im_data4(v2)
- im_data5(v2)
- im_data6(v2)
- im_data7(v2)
-
- im_data0(v3)
- im_data1(v3)
- im_data2(v3)
- im_data3(v3)
- im_data4(v3)
- im_data5(v3)
- im_data6(v3)
- im_data7(v3)
diff --git a/lib/libcrypto/libaes/test_main.c b/lib/libcrypto/libaes/test_main.c
deleted file mode 100644
index 5fd4599be..000000000
--- a/lib/libcrypto/libaes/test_main.c
+++ /dev/null
@@ -1,41 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include "aes_cbc.h"
-#define AES_BLOCK_SIZE 16
-#define KEY_SIZE 128 /* bits */
-#define KEY "1234567890123456"
-#define STR "hola guaso como estaisss ... 012"
-#define STRSZ (sizeof(STR)-1)
-
-#define EMT_AESCBC_BLKLEN AES_BLOCK_SIZE
-#define AES_CONTEXT_T aes_context
-#define EMT_ESPAES_KEY_SZ 16
-int pretty_print(const unsigned char *buf, int count) {
- int i=0;
- for (;i<count;i++) {
- if (i%8==0) putchar(' ');
- if (i%16==0) putchar('\n');
- printf ("%02hhx ", buf[i]);
- }
- putchar('\n');
- return i;
-}
-//#define SIZE STRSZ/2
-#define SIZE STRSZ
-int main() {
- int ret;
- char buf0[SIZE+1], buf1[SIZE+1];
- char IV[AES_BLOCK_SIZE]="\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0";
- aes_context ac;
- AES_set_key(&ac, KEY, KEY_SIZE);
- //pretty_print((char *)&ac.aes_e_key, sizeof(ac.aes_e_key));
- memset(buf0, 0, sizeof (buf0));
- memset(buf1, 0, sizeof (buf1));
- ret=AES_cbc_encrypt(&ac, STR, buf0, SIZE, IV, 1);
- pretty_print(buf0, SIZE);
- printf("size=%d ret=%d\n%s\n", SIZE, ret, buf0);
- ret=AES_cbc_encrypt(&ac, buf0, buf1, SIZE, IV, 0);
- printf("size=%d ret=%d\n%s\n", SIZE, ret, buf1);
- return 0;
-}
diff --git a/lib/libcrypto/libaes/test_main_mac.c b/lib/libcrypto/libaes/test_main_mac.c
deleted file mode 100644
index eea47dc9c..000000000
--- a/lib/libcrypto/libaes/test_main_mac.c
+++ /dev/null
@@ -1,30 +0,0 @@
-#include <stdio.h>
-#include <sys/types.h>
-#include <string.h>
-#include "aes.h"
-#include "aes_xcbc_mac.h"
-#define STR "Hola guasssso c|mo estais ...012"
-void print_hash(const __u8 *hash) {
- printf("%08x %08x %08x %08x\n",
- *(__u32*)(&hash[0]),
- *(__u32*)(&hash[4]),
- *(__u32*)(&hash[8]),
- *(__u32*)(&hash[12]));
-}
-int main(int argc, char *argv[]) {
- aes_block key= { 0xdeadbeef, 0xceedcaca, 0xcafebabe, 0xff010204 };
- __u8 hash[16];
- char *str = argv[1];
- aes_context_mac ctx;
- if (str==NULL) {
- fprintf(stderr, "pasame el str\n");
- return 255;
- }
- AES_xcbc_mac_set_key(&ctx, (__u8 *)&key, sizeof(key));
- AES_xcbc_mac_hash(&ctx, str, strlen(str), hash);
- print_hash(hash);
- str[2]='x';
- AES_xcbc_mac_hash(&ctx, str, strlen(str), hash);
- print_hash(hash);
- return 0;
-}
diff --git a/lib/libcrypto/libblowfish/COPYRIGHT b/lib/libcrypto/libblowfish/COPYRIGHT
deleted file mode 100644
index 685722350..000000000
--- a/lib/libcrypto/libblowfish/COPYRIGHT
+++ /dev/null
@@ -1,46 +0,0 @@
-Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
-All rights reserved.
-
-This package is an Blowfish implementation written
-by Eric Young (eay@cryptsoft.com).
-
-This library is free for commercial and non-commercial use as long as
-the following conditions are aheared to. The following conditions
-apply to all code found in this distribution.
-
-Copyright remains Eric Young's, and as such any Copyright notices in
-the code are not to be removed.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-3. All advertising materials mentioning features or use of this software
- must display the following acknowledgement:
- This product includes software developed by Eric Young (eay@cryptsoft.com)
-
-THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-The license and distribution terms for any publically available version or
-derivative of this code cannot be changed. i.e. this code cannot simply be
-copied and put under another distrubution license
-[including the GNU Public License.]
-
-The reason behind this being stated in this direct manner is past
-experience in code simply being copied and the attribution removed
-from it and then being distributed as part of other packages. This
-implementation was a non-trivial and unpaid effort.
diff --git a/lib/libcrypto/libblowfish/INSTALL b/lib/libcrypto/libblowfish/INSTALL
deleted file mode 100644
index 3b2592353..000000000
--- a/lib/libcrypto/libblowfish/INSTALL
+++ /dev/null
@@ -1,14 +0,0 @@
-This Eric Young's blowfish implementation, taken from his SSLeay library
-and made available as a separate library.
-
-The version number (0.7.2m) is the SSLeay version that this library was
-taken from.
-
-To build, just unpack and type make.
-If you are not using gcc, edit the Makefile.
-If you are compiling for an x86 box, try the assembler (it needs improving).
-There are also some compile time options that can improve performance,
-these are documented in the Makefile.
-
-eric 15-Apr-1997
-
diff --git a/lib/libcrypto/libblowfish/Makefile b/lib/libcrypto/libblowfish/Makefile
deleted file mode 100644
index 62724042b..000000000
--- a/lib/libcrypto/libblowfish/Makefile
+++ /dev/null
@@ -1,121 +0,0 @@
-#
-# SSLeay/crypto/blowfish/Makefile
-#
-
-DIR= bf
-TOP= ../..
-CC= cc
-CPP= $(CC) -E
-INC=-I ../include
-CFLAG=-g -D__KERNEL__ -I/usr/src/linux/include
-INSTALL_PREFIX=
-OPENSSLDIR= /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKE= make -f Makefile.ssl
-MAKEDEPEND= $(TOP)/util/domd $(TOP)
-MAKEFILE= Makefile.ssl
-AR= ar r
-RANLIB= ranlib
-PERL= perl
-
-CFLAGS= $(INC) $(CFLAG)
-
-.c.o:
- $(CC) $(CPPFLAGS) $(CFLAGS) $(INC) -c $< -o $@
-
-BF_ASM-i586 := bf-586.pl
-BF_ASM-i686 := bf-686.pl
-BF_ENC := bf_enc.o
-
-ASM-$(ARCH_ASM):=1
-ASM_X86:=$(ASM-i586)$(ASM-i686)
-ifneq ($(strip $(ASM_X86)),)
- BF_ENC= asm/bx86-elf.o
- BF_ASM= $(BF_ASM-$(ARCH_ASM))
-endif
-
-
-GENERAL=Makefile
-TEST=bftest.c
-APPS=
-
-LIB=libblowfish.a
-LIBSRC=bf_skey.c bf_enc.c
-LIBOBJ=bf_skey.o $(BF_ENC)
-
-SRC= $(LIBSRC)
-
-EXHEADER= blowfish.h
-HEADER= bf_pi.h bf_locl.h $(EXHEADER)
-
-ALL= $(GENERAL) $(SRC) $(HEADER)
-
-#top:
-# (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
-
-all: lib
-
-lib: $(LIB)
-
-$(LIB): $(LIBOBJ)
- $(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
-
-# elf
-asm/bx86-elf.o: asm/bx86unix.cpp
- $(CPP) -DELF -x c asm/bx86unix.cpp | as -o asm/bx86-elf.o
-
-# solaris
-asm/bx86-sol.o: asm/bx86unix.cpp
- $(CC) -E -DSOL asm/bx86unix.cpp | sed 's/^#.*//' > asm/bx86-sol.s
- as -o asm/bx86-sol.o asm/bx86-sol.s
- rm -f asm/bx86-sol.s
-
-# a.out
-asm/bx86-out.o: asm/bx86unix.cpp
- $(CPP) -DOUT asm/bx86unix.cpp | as -o asm/bx86-out.o
-
-# bsdi
-asm/bx86bsdi.o: asm/bx86unix.cpp
- $(CPP) -DBSDI asm/bx86unix.cpp | sed 's/ :/:/' | as -o asm/bx86bsdi.o
-
-asm/bx86unix.cpp: asm/$(BF_ASM) ../perlasm/x86asm.pl ../perlasm/cbc.pl
- (cd asm; $(PERL) $(BF_ASM) cpp $(PROCESSOR) >bx86unix.cpp)
-
-files:
- $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
-
-links:
- @$(TOP)/util/point.sh Makefile.ssl Makefile
- @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
- @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
- @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
-
-install: installs
-
-installs:
- @for i in $(EXHEADER) ; \
- do \
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- done;
-
-tags:
- ctags $(SRC)
-
-tests:
-
-lint:
- lint -DLINT $(INCLUDES) $(SRC)>fluff
-
-depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
-
-dclean:
- $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
- mv -f Makefile.new $(MAKEFILE)
-
-clean:
- rm -f asm/bx86unix.cpp *.o asm/*.o *.obj $(LIB) tags core .pure .nfs* *.old *.bak fluff
-
-# DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/lib/libcrypto/libblowfish/Makefile.ssl b/lib/libcrypto/libblowfish/Makefile.ssl
deleted file mode 100644
index adc9eec3c..000000000
--- a/lib/libcrypto/libblowfish/Makefile.ssl
+++ /dev/null
@@ -1,118 +0,0 @@
-#
-# SSLeay/crypto/blowfish/Makefile
-#
-
-DIR= bf
-TOP= ../..
-CC= cc
-CPP= $(CC) -E
-INCLUDES=
-CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR= /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKE= make -f Makefile.ssl
-MAKEDEPEND= $(TOP)/util/domd $(TOP)
-MAKEFILE= Makefile.ssl
-AR= ar r
-
-BF_ENC= bf_enc.o
-# or use
-#DES_ENC= bx86-elf.o
-
-CFLAGS= $(INCLUDES) $(CFLAG)
-
-GENERAL=Makefile
-TEST=bftest.c
-APPS=
-
-LIB=$(TOP)/libcrypto.a
-LIBSRC=bf_skey.c bf_ecb.c bf_enc.c bf_cfb64.c bf_ofb64.c
-LIBOBJ=bf_skey.o bf_ecb.o $(BF_ENC) bf_cfb64.o bf_ofb64.o
-
-SRC= $(LIBSRC)
-
-EXHEADER= blowfish.h
-HEADER= bf_pi.h bf_locl.h $(EXHEADER)
-
-ALL= $(GENERAL) $(SRC) $(HEADER)
-
-top:
- (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
-
-all: lib
-
-lib: $(LIBOBJ)
- $(AR) $(LIB) $(LIBOBJ)
- $(RANLIB) $(LIB)
- @touch lib
-
-# elf
-asm/bx86-elf.o: asm/bx86unix.cpp
- $(CPP) -DELF -x c asm/bx86unix.cpp | as -o asm/bx86-elf.o
-
-# solaris
-asm/bx86-sol.o: asm/bx86unix.cpp
- $(CC) -E -DSOL asm/bx86unix.cpp | sed 's/^#.*//' > asm/bx86-sol.s
- as -o asm/bx86-sol.o asm/bx86-sol.s
- rm -f asm/bx86-sol.s
-
-# a.out
-asm/bx86-out.o: asm/bx86unix.cpp
- $(CPP) -DOUT asm/bx86unix.cpp | as -o asm/bx86-out.o
-
-# bsdi
-asm/bx86bsdi.o: asm/bx86unix.cpp
- $(CPP) -DBSDI asm/bx86unix.cpp | sed 's/ :/:/' | as -o asm/bx86bsdi.o
-
-asm/bx86unix.cpp: asm/bf-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
- (cd asm; $(PERL) bf-586.pl cpp $(PROCESSOR) >bx86unix.cpp)
-
-files:
- $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
-
-links:
- @$(TOP)/util/point.sh Makefile.ssl Makefile
- @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
- @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
- @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
-
-install: installs
-
-installs:
- @for i in $(EXHEADER) ; \
- do \
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
- chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
- done;
-
-tags:
- ctags $(SRC)
-
-tests:
-
-lint:
- lint -DLINT $(INCLUDES) $(SRC)>fluff
-
-depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
-
-dclean:
- $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
- mv -f Makefile.new $(MAKEFILE)
-
-clean:
- rm -f asm/bx86unix.cpp *.o asm/*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-
-# DO NOT DELETE THIS LINE -- make depend depends on it.
-
-bf_cfb64.o: ../../include/openssl/blowfish.h
-bf_cfb64.o: ../../include/openssl/opensslconf.h bf_locl.h
-bf_ecb.o: ../../include/openssl/blowfish.h ../../include/openssl/opensslconf.h
-bf_ecb.o: ../../include/openssl/opensslv.h bf_locl.h
-bf_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/opensslconf.h
-bf_enc.o: bf_locl.h
-bf_ofb64.o: ../../include/openssl/blowfish.h
-bf_ofb64.o: ../../include/openssl/opensslconf.h bf_locl.h
-bf_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/opensslconf.h
-bf_skey.o: bf_locl.h bf_pi.h
diff --git a/lib/libcrypto/libblowfish/README b/lib/libcrypto/libblowfish/README
deleted file mode 100644
index f2712fd0e..000000000
--- a/lib/libcrypto/libblowfish/README
+++ /dev/null
@@ -1,8 +0,0 @@
-This is a quick packaging up of my blowfish code into a library.
-It has been lifted from SSLeay.
-The copyright notices seem a little harsh because I have not spent the
-time to rewrite the conditions from the normal SSLeay ones.
-
-Basically if you just want to play with the library, not a problem.
-
-eric 15-Apr-1997
diff --git a/lib/libcrypto/libblowfish/VERSION b/lib/libcrypto/libblowfish/VERSION
deleted file mode 100644
index be995855e..000000000
--- a/lib/libcrypto/libblowfish/VERSION
+++ /dev/null
@@ -1,6 +0,0 @@
-The version numbers will follow my SSL implementation
-
-0.7.2r - Some reasonable default compiler options from
- Peter Gutman <pgut001@cs.auckland.ac.nz>
-
-0.7.2m - the first release
diff --git a/lib/libcrypto/libblowfish/asm/bf-586.pl b/lib/libcrypto/libblowfish/asm/bf-586.pl
deleted file mode 100644
index f00f3f4bf..000000000
--- a/lib/libcrypto/libblowfish/asm/bf-586.pl
+++ /dev/null
@@ -1,136 +0,0 @@
-#!/usr/bin/perl
-
-push(@INC,"perlasm","../../perlasm");
-require "x86asm.pl";
-require "cbc.pl";
-
-&asm_init($ARGV[0],"bf-586.pl",$ARGV[$#ARGV] eq "386");
-
-$BF_ROUNDS=16;
-$BF_OFF=($BF_ROUNDS+2)*4;
-$L="edi";
-$R="esi";
-$P="ebp";
-$tmp1="eax";
-$tmp2="ebx";
-$tmp3="ecx";
-$tmp4="edx";
-
-&BF_encrypt("BF_encrypt",1);
-&BF_encrypt("BF_decrypt",0);
-&cbc("BF_cbc_encrypt","BF_encrypt","BF_decrypt",1,4,5,3,-1,-1);
-&asm_finish();
-
-sub BF_encrypt
- {
- local($name,$enc)=@_;
-
- &function_begin_B($name,"");
-
- &comment("");
-
- &push("ebp");
- &push("ebx");
- &mov($tmp2,&wparam(0));
- &mov($P,&wparam(1));
- &push("esi");
- &push("edi");
-
- &comment("Load the 2 words");
- &mov($L,&DWP(0,$tmp2,"",0));
- &mov($R,&DWP(4,$tmp2,"",0));
-
- &xor( $tmp1, $tmp1);
-
- # encrypting part
-
- if ($enc)
- {
- &mov($tmp2,&DWP(0,$P,"",0));
- &xor( $tmp3, $tmp3);
-
- &xor($L,$tmp2);
- for ($i=0; $i<$BF_ROUNDS; $i+=2)
- {
- &comment("");
- &comment("Round $i");
- &BF_ENCRYPT($i+1,$R,$L,$P,$tmp1,$tmp2,$tmp3,$tmp4,1);
-
- &comment("");
- &comment("Round ".sprintf("%d",$i+1));
- &BF_ENCRYPT($i+2,$L,$R,$P,$tmp1,$tmp2,$tmp3,$tmp4,1);
- }
- # &mov($tmp1,&wparam(0)); In last loop
- &mov($tmp4,&DWP(($BF_ROUNDS+1)*4,$P,"",0));
- }
- else
- {
- &mov($tmp2,&DWP(($BF_ROUNDS+1)*4,$P,"",0));
- &xor( $tmp3, $tmp3);
-
- &xor($L,$tmp2);
- for ($i=$BF_ROUNDS; $i>0; $i-=2)
- {
- &comment("");
- &comment("Round $i");
- &BF_ENCRYPT($i,$R,$L,$P,$tmp1,$tmp2,$tmp3,$tmp4,0);
- &comment("");
- &comment("Round ".sprintf("%d",$i-1));
- &BF_ENCRYPT($i-1,$L,$R,$P,$tmp1,$tmp2,$tmp3,$tmp4,0);
- }
- # &mov($tmp1,&wparam(0)); In last loop
- &mov($tmp4,&DWP(0,$P,"",0));
- }
-
- &xor($R,$tmp4);
- &mov(&DWP(4,$tmp1,"",0),$L);
-
- &mov(&DWP(0,$tmp1,"",0),$R);
- &function_end($name);
- }
-
-sub BF_ENCRYPT
- {
- local($i,$L,$R,$P,$tmp1,$tmp2,$tmp3,$tmp4,$enc)=@_;
-
- &mov( $tmp4, &DWP(&n2a($i*4),$P,"",0)); # for next round
-
- &mov( $tmp2, $R);
- &xor( $L, $tmp4);
-
- &shr( $tmp2, 16);
- &mov( $tmp4, $R);
-
- &movb( &LB($tmp1), &HB($tmp2)); # A
- &and( $tmp2, 0xff); # B
-
- &movb( &LB($tmp3), &HB($tmp4)); # C
- &and( $tmp4, 0xff); # D
-
- &mov( $tmp1, &DWP(&n2a($BF_OFF+0x0000),$P,$tmp1,4));
- &mov( $tmp2, &DWP(&n2a($BF_OFF+0x0400),$P,$tmp2,4));
-
- &add( $tmp2, $tmp1);
- &mov( $tmp1, &DWP(&n2a($BF_OFF+0x0800),$P,$tmp3,4));
-
- &xor( $tmp2, $tmp1);
- &mov( $tmp4, &DWP(&n2a($BF_OFF+0x0C00),$P,$tmp4,4));
-
- &add( $tmp2, $tmp4);
- if (($enc && ($i != 16)) || ((!$enc) && ($i != 1)))
- { &xor( $tmp1, $tmp1); }
- else
- {
- &comment("Load parameter 0 ($i) enc=$enc");
- &mov($tmp1,&wparam(0));
- } # In last loop
-
- &xor( $L, $tmp2);
- # delay
- }
-
-sub n2a
- {
- sprintf("%d",$_[0]);
- }
-
diff --git a/lib/libcrypto/libblowfish/asm/bf-686.pl b/lib/libcrypto/libblowfish/asm/bf-686.pl
deleted file mode 100644
index 9222f5e7a..000000000
--- a/lib/libcrypto/libblowfish/asm/bf-686.pl
+++ /dev/null
@@ -1,127 +0,0 @@
-#!/usr/bin/perl
-
-push(@INC,"perlasm","../../perlasm");
-require "x86asm.pl";
-require "cbc.pl";
-
-&asm_init($ARGV[0],"bf-686.pl");
-
-$BF_ROUNDS=16;
-$BF_OFF=($BF_ROUNDS+2)*4;
-$L="ecx";
-$R="edx";
-$P="edi";
-$tot="esi";
-$tmp1="eax";
-$tmp2="ebx";
-$tmp3="ebp";
-
-&des_encrypt("BF_encrypt",1);
-&des_encrypt("BF_decrypt",0);
-&cbc("BF_cbc_encrypt","BF_encrypt","BF_decrypt",1,4,5,3,-1,-1);
-
-&asm_finish();
-
-&file_end();
-
-sub des_encrypt
- {
- local($name,$enc)=@_;
-
- &function_begin($name,"");
-
- &comment("");
- &comment("Load the 2 words");
- &mov("eax",&wparam(0));
- &mov($L,&DWP(0,"eax","",0));
- &mov($R,&DWP(4,"eax","",0));
-
- &comment("");
- &comment("P pointer, s and enc flag");
- &mov($P,&wparam(1));
-
- &xor( $tmp1, $tmp1);
- &xor( $tmp2, $tmp2);
-
- # encrypting part
-
- if ($enc)
- {
- &xor($L,&DWP(0,$P,"",0));
- for ($i=0; $i<$BF_ROUNDS; $i+=2)
- {
- &comment("");
- &comment("Round $i");
- &BF_ENCRYPT($i+1,$R,$L,$P,$tot,$tmp1,$tmp2,$tmp3);
-
- &comment("");
- &comment("Round ".sprintf("%d",$i+1));
- &BF_ENCRYPT($i+2,$L,$R,$P,$tot,$tmp1,$tmp2,$tmp3);
- }
- &xor($R,&DWP(($BF_ROUNDS+1)*4,$P,"",0));
-
- &mov("eax",&wparam(0));
- &mov(&DWP(0,"eax","",0),$R);
- &mov(&DWP(4,"eax","",0),$L);
- &function_end_A($name);
- }
- else
- {
- &xor($L,&DWP(($BF_ROUNDS+1)*4,$P,"",0));
- for ($i=$BF_ROUNDS; $i>0; $i-=2)
- {
- &comment("");
- &comment("Round $i");
- &BF_ENCRYPT($i,$R,$L,$P,$tot,$tmp1,$tmp2,$tmp3);
- &comment("");
- &comment("Round ".sprintf("%d",$i-1));
- &BF_ENCRYPT($i-1,$L,$R,$P,$tot,$tmp1,$tmp2,$tmp3);
- }
- &xor($R,&DWP(0,$P,"",0));
-
- &mov("eax",&wparam(0));
- &mov(&DWP(0,"eax","",0),$R);
- &mov(&DWP(4,"eax","",0),$L);
- &function_end_A($name);
- }
-
- &function_end_B($name);
- }
-
-sub BF_ENCRYPT
- {
- local($i,$L,$R,$P,$tot,$tmp1,$tmp2,$tmp3)=@_;
-
- &rotr( $R, 16);
- &mov( $tot, &DWP(&n2a($i*4),$P,"",0));
-
- &movb( &LB($tmp1), &HB($R));
- &movb( &LB($tmp2), &LB($R));
-
- &rotr( $R, 16);
- &xor( $L, $tot);
-
- &mov( $tot, &DWP(&n2a($BF_OFF+0x0000),$P,$tmp1,4));
- &mov( $tmp3, &DWP(&n2a($BF_OFF+0x0400),$P,$tmp2,4));
-
- &movb( &LB($tmp1), &HB($R));
- &movb( &LB($tmp2), &LB($R));
-
- &add( $tot, $tmp3);
- &mov( $tmp1, &DWP(&n2a($BF_OFF+0x0800),$P,$tmp1,4)); # delay
-
- &xor( $tot, $tmp1);
- &mov( $tmp3, &DWP(&n2a($BF_OFF+0x0C00),$P,$tmp2,4));
-
- &add( $tot, $tmp3);
- &xor( $tmp1, $tmp1);
-
- &xor( $L, $tot);
- # delay
- }
-
-sub n2a
- {
- sprintf("%d",$_[0]);
- }
-
diff --git a/lib/libcrypto/libblowfish/asm/readme b/lib/libcrypto/libblowfish/asm/readme
deleted file mode 100644
index 2385fa381..000000000
--- a/lib/libcrypto/libblowfish/asm/readme
+++ /dev/null
@@ -1,10 +0,0 @@
-There are blowfish assembler generation scripts.
-bf-586.pl version is for the pentium and
-bf-686.pl is my original version, which is faster on the pentium pro.
-
-When using a bf-586.pl, the pentium pro/II is %8 slower than using
-bf-686.pl. When using a bf-686.pl, the pentium is %16 slower
-than bf-586.pl
-
-So the default is bf-586.pl
-
diff --git a/lib/libcrypto/libserpent/Makefile b/lib/libcrypto/libserpent/Makefile
deleted file mode 100644
index 51a1e0582..000000000
--- a/lib/libcrypto/libserpent/Makefile
+++ /dev/null
@@ -1,20 +0,0 @@
-CFLAGS=-O3 -fomit-frame-pointer -D__KERNEL__ -Wall $(EXTRA_CFLAGS)
-INC=-I../include
-LIBOBJ=serpent.o serpent_cbc.o
-BLIB=libserpent.a
-
-.c.o:
- $(CC) $(CPPFLAGS) $(CFLAGS) $(INC) -c $< -o $@
-
-$(BLIB): $(LIBOBJ)
- /bin/rm -f $(BLIB)
- ar cr $(BLIB) $(LIBOBJ)
- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
- else exit 0; fi; fi
-
-test: test_main.o $(BLIB)
- $(CC) -o $@ $^
-
-clean:
- rm -f *.[oa] core $(TARGET) test
diff --git a/lib/libcrypto/libserpent/test_main.c b/lib/libcrypto/libserpent/test_main.c
deleted file mode 100644
index 350068e60..000000000
--- a/lib/libcrypto/libserpent/test_main.c
+++ /dev/null
@@ -1,34 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include "serpent_cbc.h"
-#define BLOCK_SIZE 16
-#define KEY_SIZE 128 /* bits */
-#define KEY "1234567890123456"
-#define STR "hola guaso como estaisss ... 012"
-#define STRSZ (sizeof(STR)-1)
-
-#define BLKLEN BLOCK_SIZE
-#define CONTEXT_T serpent_context
-static int pretty_print(const unsigned char *buf, int count) {
- int i=0;
- for (;i<count;i++) printf ("%02hhx ", buf[i]);
- putchar('\n');
- return i;
-}
-//#define SIZE STRSZ/2
-#define SIZE STRSZ
-int main() {
- int ret;
- char buf0[SIZE+1], buf1[SIZE+1];
- char IV[BLOCK_SIZE];
- CONTEXT_T ac;
- serpent_set_key(&ac, (void *)KEY, KEY_SIZE);
- memset(buf0, 0, sizeof (buf0));
- memset(buf1, 0, sizeof (buf1));
- serpent_cbc_encrypt(&ac, STR, buf0, SIZE, IV, 1);
- pretty_print(buf0, SIZE);
- printf("size=%d ret=%d\n%s\n", SIZE, ret, buf0);
- ret=serpent_cbc_encrypt(&ac, buf0, buf1, SIZE, IV, 0);
- printf("size=%d ret=%d\n%s\n", SIZE, ret, buf1);
- return 0;
-}
diff --git a/lib/libcrypto/libsha2/Makefile b/lib/libcrypto/libsha2/Makefile
deleted file mode 100644
index cee7e6109..000000000
--- a/lib/libcrypto/libsha2/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-CFLAGS=-O3 -fomit-frame-pointer -I../include $(EXTRA_CFLAGS)
-
-LIBOBJ := hmac_sha2.o sha2.o
-
-BLIB := libsha2.a
-
-.S.o:
- $(CC) $(AFLAGS) -c $< -o $@
-
-$(BLIB): $(LIBOBJ)
- /bin/rm -f $(BLIB)
- ar cr $(BLIB) $(LIBOBJ)
- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
- else exit 0; fi; fi
-
-test: test_main.o $(BLIB)
- $(CC) -o $@ $^
-
-clean:
- rm -f *.[oa] core $(TARGET) test
diff --git a/lib/libcrypto/libtwofish/Makefile b/lib/libcrypto/libtwofish/Makefile
deleted file mode 100644
index 714fd6115..000000000
--- a/lib/libcrypto/libtwofish/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-CFLAGS=-O3 -fomit-frame-pointer -D__KERNEL__ -Wall $(EXTRA_CFLAGS)
-INC=-I../include
-
-LIBOBJ=twofish.o twofish_cbc.o
-BLIB=libtwofish.a
-
-.c.o:
- $(CC) $(CPPFLAGS) $(CFLAGS) $(INC) -c $< -o $@
-
-$(BLIB): $(LIBOBJ)
- /bin/rm -f $(BLIB)
- ar cr $(BLIB) $(LIBOBJ)
- -if test -s /bin/ranlib; then /bin/ranlib $(BLIB); \
- else if test -s /usr/bin/ranlib; then /usr/bin/ranlib $(BLIB); \
- else exit 0; fi; fi
-
-test: test_main.o $(BLIB)
- $(CC) -o $@ $^
-
-clean:
- rm -f *.[oa] core $(TARGET) test
diff --git a/lib/libcrypto/libtwofish/test_main.c b/lib/libcrypto/libtwofish/test_main.c
deleted file mode 100644
index 1e8b0db56..000000000
--- a/lib/libcrypto/libtwofish/test_main.c
+++ /dev/null
@@ -1,34 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include "twofish_cbc.h"
-#define BLOCK_SIZE 16
-#define KEY_SIZE 128 /* bits */
-#define KEY "1234567890123456"
-#define STR "hola guaso como estaisss ... 012"
-#define STRSZ (sizeof(STR)-1)
-
-#define BLKLEN BLOCK_SIZE
-#define CONTEXT_T twofish_context
-static int pretty_print(const unsigned char *buf, int count) {
- int i=0;
- for (;i<count;i++) printf ("%02hhx ", buf[i]);
- putchar('\n');
- return i;
-}
-//#define SIZE STRSZ/2
-#define SIZE STRSZ
-int main() {
- int ret;
- char buf0[SIZE+1], buf1[SIZE+1];
- char IV[BLOCK_SIZE];
- CONTEXT_T ac;
- twofish_set_key(&ac, (void *)KEY, KEY_SIZE);
- memset(buf0, 0, sizeof (buf0));
- memset(buf1, 0, sizeof (buf1));
- twofish_cbc_encrypt(&ac, STR, buf0, SIZE, IV, 1);
- pretty_print(buf0, SIZE);
- printf("size=%d ret=%d\n%s\n", SIZE, ret, buf0);
- ret=twofish_cbc_encrypt(&ac, buf0, buf1, SIZE, IV, 0);
- printf("size=%d ret=%d\n%s\n", SIZE, ret, buf1);
- return 0;
-}
diff --git a/lib/libcrypto/perlasm/LICENSE b/lib/libcrypto/perlasm/LICENSE
deleted file mode 100644
index 3fd259ac3..000000000
--- a/lib/libcrypto/perlasm/LICENSE
+++ /dev/null
@@ -1,127 +0,0 @@
-
- LICENSE ISSUES
- ==============
-
- The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
- the OpenSSL License and the original SSLeay license apply to the toolkit.
- See below for the actual license texts. Actually both licenses are BSD-style
- Open Source licenses. In case of any license issues related to OpenSSL
- please contact openssl-core@openssl.org.
-
- OpenSSL License
- ---------------
-
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
- Original SSLeay License
- -----------------------
-
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
diff --git a/lib/libcrypto/perlasm/alpha.pl b/lib/libcrypto/perlasm/alpha.pl
deleted file mode 100644
index fe69ca5a3..000000000
--- a/lib/libcrypto/perlasm/alpha.pl
+++ /dev/null
@@ -1,434 +0,0 @@
-#!/usr/bin/perl
-
-package alpha;
-use Carp qw(croak cluck);
-
-$label="100";
-
-$n_debug=0;
-$smear_regs=1;
-$reg_alloc=1;
-
-$align="3";
-$com_start="#";
-
-sub main'asm_init_output { @out=(); }
-sub main'asm_get_output { return(@out); }
-sub main'get_labels { return(@labels); }
-sub main'external_label { push(@labels,@_); }
-
-# General registers
-
-%regs=( 'r0', '$0',
- 'r1', '$1',
- 'r2', '$2',
- 'r3', '$3',
- 'r4', '$4',
- 'r5', '$5',
- 'r6', '$6',
- 'r7', '$7',
- 'r8', '$8',
- 'r9', '$22',
- 'r10', '$23',
- 'r11', '$24',
- 'r12', '$25',
- 'r13', '$27',
- 'r14', '$28',
- 'r15', '$21', # argc == 5
- 'r16', '$20', # argc == 4
- 'r17', '$19', # argc == 3
- 'r18', '$18', # argc == 2
- 'r19', '$17', # argc == 1
- 'r20', '$16', # argc == 0
- 'r21', '$9', # save 0
- 'r22', '$10', # save 1
- 'r23', '$11', # save 2
- 'r24', '$12', # save 3
- 'r25', '$13', # save 4
- 'r26', '$14', # save 5
-
- 'a0', '$16',
- 'a1', '$17',
- 'a2', '$18',
- 'a3', '$19',
- 'a4', '$20',
- 'a5', '$21',
-
- 's0', '$9',
- 's1', '$10',
- 's2', '$11',
- 's3', '$12',
- 's4', '$13',
- 's5', '$14',
- 'zero', '$31',
- 'sp', '$30',
- );
-
-$main'reg_s0="r21";
-$main'reg_s1="r22";
-$main'reg_s2="r23";
-$main'reg_s3="r24";
-$main'reg_s4="r25";
-$main'reg_s5="r26";
-
-@reg=( '$0', '$1' ,'$2' ,'$3' ,'$4' ,'$5' ,'$6' ,'$7' ,'$8',
- '$22','$23','$24','$25','$20','$21','$27','$28');
-
-
-sub main'sub { &out3("subq",@_); }
-sub main'add { &out3("addq",@_); }
-sub main'mov { &out3("bis",$_[0],$_[0],$_[1]); }
-sub main'or { &out3("bis",@_); }
-sub main'bis { &out3("bis",@_); }
-sub main'br { &out1("br",@_); }
-sub main'ld { &out2("ldq",@_); }
-sub main'st { &out2("stq",@_); }
-sub main'cmpult { &out3("cmpult",@_); }
-sub main'cmplt { &out3("cmplt",@_); }
-sub main'bgt { &out2("bgt",@_); }
-sub main'ble { &out2("ble",@_); }
-sub main'blt { &out2("blt",@_); }
-sub main'mul { &out3("mulq",@_); }
-sub main'muh { &out3("umulh",@_); }
-
-$main'QWS=8;
-
-sub main'asm_add
- {
- push(@out,@_);
- }
-
-sub main'asm_finish
- {
- &main'file_end();
- print &main'asm_get_output();
- }
-
-sub main'asm_init
- {
- ($type,$fn)=@_;
- $filename=$fn;
-
- &main'asm_init_output();
- &main'comment("Don't even think of reading this code");
- &main'comment("It was automatically generated by $filename");
- &main'comment("Which is a perl program used to generate the alpha assember.");
- &main'comment("eric <eay\@cryptsoft.com>");
- &main'comment("");
-
- $filename =~ s/\.pl$//;
- &main'file($filename);
- }
-
-sub conv
- {
- local($r)=@_;
- local($v);
-
- return($regs{$r}) if defined($regs{$r});
- return($r);
- }
-
-sub main'QWPw
- {
- local($off,$reg)=@_;
-
- return(&main'QWP($off*8,$reg));
- }
-
-sub main'QWP
- {
- local($off,$reg)=@_;
-
- $ret="$off(".&conv($reg).")";
- return($ret);
- }
-
-sub out3
- {
- local($name,$p1,$p2,$p3)=@_;
-
- $p1=&conv($p1);
- $p2=&conv($p2);
- $p3=&conv($p3);
- push(@out,"\t$name\t");
- $l=length($p1)+1;
- push(@out,$p1.",");
- $ll=3-($l+9)/8;
- $tmp1=sprintf("\t" x $ll);
- push(@out,$tmp1);
-
- $l=length($p2)+1;
- push(@out,$p2.",");
- $ll=3-($l+9)/8;
- $tmp1=sprintf("\t" x $ll);
- push(@out,$tmp1);
-
- push(@out,&conv($p3)."\n");
- }
-
-sub out2
- {
- local($name,$p1,$p2,$p3)=@_;
-
- $p1=&conv($p1);
- $p2=&conv($p2);
- push(@out,"\t$name\t");
- $l=length($p1)+1;
- push(@out,$p1.",");
- $ll=3-($l+9)/8;
- $tmp1=sprintf("\t" x $ll);
- push(@out,$tmp1);
-
- push(@out,&conv($p2)."\n");
- }
-
-sub out1
- {
- local($name,$p1)=@_;
-
- $p1=&conv($p1);
- push(@out,"\t$name\t".$p1."\n");
- }
-
-sub out0
- {
- push(@out,"\t$_[0]\n");
- }
-
-sub main'file
- {
- local($file)=@_;
-
- local($tmp)=<<"EOF";
- # DEC Alpha assember
- # Generated from perl scripts contains in SSLeay
- .file 1 "$file.s"
- .set noat
-EOF
- push(@out,$tmp);
- }
-
-sub main'function_begin
- {
- local($func)=@_;
-
-print STDERR "$func\n";
- local($tmp)=<<"EOF";
- .text
- .align $align
- .globl $func
- .ent $func
-${func}:
-${func}..ng:
- .frame \$30,0,\$26,0
- .prologue 0
-EOF
- push(@out,$tmp);
- $stack=0;
- }
-
-sub main'function_end
- {
- local($func)=@_;
-
- local($tmp)=<<"EOF";
- ret \$31,(\$26),1
- .end $func
-EOF
- push(@out,$tmp);
- $stack=0;
- %label=();
- }
-
-sub main'function_end_A
- {
- local($func)=@_;
-
- local($tmp)=<<"EOF";
- ret \$31,(\$26),1
-EOF
- push(@out,$tmp);
- }
-
-sub main'function_end_B
- {
- local($func)=@_;
-
- $func=$under.$func;
-
- push(@out,"\t.end $func\n");
- $stack=0;
- %label=();
- }
-
-sub main'wparam
- {
- local($num)=@_;
-
- if ($num < 6)
- {
- $num=20-$num;
- return("r$num");
- }
- else
- { return(&main'QWP($stack+$num*8,"sp")); }
- }
-
-sub main'stack_push
- {
- local($num)=@_;
- $stack+=$num*8;
- &main'sub("sp",$num*8,"sp");
- }
-
-sub main'stack_pop
- {
- local($num)=@_;
- $stack-=$num*8;
- &main'add("sp",$num*8,"sp");
- }
-
-sub main'swtmp
- {
- return(&main'QWP(($_[0])*8,"sp"));
- }
-
-# Should use swtmp, which is above sp. Linix can trash the stack above esp
-#sub main'wtmp
-# {
-# local($num)=@_;
-#
-# return(&main'QWP(-($num+1)*4,"esp","",0));
-# }
-
-sub main'comment
- {
- foreach (@_)
- {
- if (/^\s*$/)
- { push(@out,"\n"); }
- else
- { push(@out,"\t$com_start $_ $com_end\n"); }
- }
- }
-
-sub main'label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}=$label;
- $label++;
- }
- return('$'.$label{$_[0]});
- }
-
-sub main'set_label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}=$label;
- $label++;
- }
-# push(@out,".align $align\n") if ($_[1] != 0);
- push(@out,'$'."$label{$_[0]}:\n");
- }
-
-sub main'file_end
- {
- }
-
-sub main'data_word
- {
- push(@out,"\t.long $_[0]\n");
- }
-
-@pool_free=();
-@pool_taken=();
-$curr_num=0;
-$max=0;
-
-sub main'init_pool
- {
- local($args)=@_;
- local($i);
-
- @pool_free=();
- for ($i=(14+(6-$args)); $i >= 0; $i--)
- {
- push(@pool_free,"r$i");
- }
- print STDERR "START :register pool:@pool_free\n";
- $curr_num=$max=0;
- }
-
-sub main'fin_pool
- {
- printf STDERR "END %2d:register pool:@pool_free\n",$max;
- }
-
-sub main'GR
- {
- local($r)=@_;
- local($i,@n,$_);
-
- foreach (@pool_free)
- {
- if ($r ne $_)
- { push(@n,$_); }
- else
- {
- $curr_num++;
- $max=$curr_num if ($curr_num > $max);
- }
- }
- @pool_free=@n;
-print STDERR "GR:@pool_free\n" if $reg_alloc;
- return(@_);
- }
-
-sub main'NR
- {
- local($num)=@_;
- local(@ret);
-
- $num=1 if $num == 0;
- ($#pool_free >= ($num-1)) || croak "out of registers: want $num, have @pool_free";
- while ($num > 0)
- {
- push(@ret,pop @pool_free);
- $curr_num++;
- $max=$curr_num if ($curr_num > $max);
- $num--
- }
- print STDERR "nr @ret\n" if $n_debug;
-print STDERR "NR:@pool_free\n" if $reg_alloc;
- return(@ret);
-
- }
-
-sub main'FR
- {
- local(@r)=@_;
- local(@a,$v,$w);
-
- print STDERR "fr @r\n" if $n_debug;
-# cluck "fr @r";
- for $w (@pool_free)
- {
- foreach $v (@r)
- {
- croak "double register free of $v (@pool_free)" if $w eq $v;
- }
- }
- foreach $v (@r)
- {
- croak "bad argument to FR" if ($v !~ /^r\d+$/);
- if ($smear_regs)
- { unshift(@pool_free,$v); }
- else { push(@pool_free,$v); }
- $curr_num--;
- }
-print STDERR "FR:@pool_free\n" if $reg_alloc;
- }
-1;
diff --git a/lib/libcrypto/perlasm/cbc.pl b/lib/libcrypto/perlasm/cbc.pl
deleted file mode 100644
index 278930579..000000000
--- a/lib/libcrypto/perlasm/cbc.pl
+++ /dev/null
@@ -1,342 +0,0 @@
-#!/usr/bin/perl
-
-# void des_ncbc_encrypt(input, output, length, schedule, ivec, enc)
-# des_cblock (*input);
-# des_cblock (*output);
-# long length;
-# des_key_schedule schedule;
-# des_cblock (*ivec);
-# int enc;
-#
-# calls
-# des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
-#
-
-#&cbc("des_ncbc_encrypt","des_encrypt",0);
-#&cbc("BF_cbc_encrypt","BF_encrypt","BF_encrypt",
-# 1,4,5,3,5,-1);
-#&cbc("des_ncbc_encrypt","des_encrypt","des_encrypt",
-# 0,4,5,3,5,-1);
-#&cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",
-# 0,6,7,3,4,5);
-#
-# When doing a cipher that needs bigendian order,
-# for encrypt, the iv is kept in bigendian form,
-# while for decrypt, it is kept in little endian.
-sub cbc
- {
- local($name,$enc_func,$dec_func,$swap,$iv_off,$enc_off,$p1,$p2,$p3)=@_;
- # name is the function name
- # enc_func and dec_func and the functions to call for encrypt/decrypt
- # swap is true if byte order needs to be reversed
- # iv_off is parameter number for the iv
- # enc_off is parameter number for the encrypt/decrypt flag
- # p1,p2,p3 are the offsets for parameters to be passed to the
- # underlying calls.
-
- &function_begin_B($name,"");
- &comment("");
-
- $in="esi";
- $out="edi";
- $count="ebp";
-
- &push("ebp");
- &push("ebx");
- &push("esi");
- &push("edi");
-
- $data_off=4;
- $data_off+=4 if ($p1 > 0);
- $data_off+=4 if ($p2 > 0);
- $data_off+=4 if ($p3 > 0);
-
- &mov($count, &wparam(2)); # length
-
- &comment("getting iv ptr from parameter $iv_off");
- &mov("ebx", &wparam($iv_off)); # Get iv ptr
-
- &mov($in, &DWP(0,"ebx","",0));# iv[0]
- &mov($out, &DWP(4,"ebx","",0));# iv[1]
-
- &push($out);
- &push($in);
- &push($out); # used in decrypt for iv[1]
- &push($in); # used in decrypt for iv[0]
-
- &mov("ebx", "esp"); # This is the address of tin[2]
-
- &mov($in, &wparam(0)); # in
- &mov($out, &wparam(1)); # out
-
- # We have loaded them all, how lets push things
- &comment("getting encrypt flag from parameter $enc_off");
- &mov("ecx", &wparam($enc_off)); # Get enc flag
- if ($p3 > 0)
- {
- &comment("get and push parameter $p3");
- if ($enc_off != $p3)
- { &mov("eax", &wparam($p3)); &push("eax"); }
- else { &push("ecx"); }
- }
- if ($p2 > 0)
- {
- &comment("get and push parameter $p2");
- if ($enc_off != $p2)
- { &mov("eax", &wparam($p2)); &push("eax"); }
- else { &push("ecx"); }
- }
- if ($p1 > 0)
- {
- &comment("get and push parameter $p1");
- if ($enc_off != $p1)
- { &mov("eax", &wparam($p1)); &push("eax"); }
- else { &push("ecx"); }
- }
- &push("ebx"); # push data/iv
-
- &cmp("ecx",0);
- &jz(&label("decrypt"));
-
- &and($count,0xfffffff8);
- &mov("eax", &DWP($data_off,"esp","",0)); # load iv[0]
- &mov("ebx", &DWP($data_off+4,"esp","",0)); # load iv[1]
-
- &jz(&label("encrypt_finish"));
-
- #############################################################
-
- &set_label("encrypt_loop");
- # encrypt start
- # "eax" and "ebx" hold iv (or the last cipher text)
-
- &mov("ecx", &DWP(0,$in,"",0)); # load first 4 bytes
- &mov("edx", &DWP(4,$in,"",0)); # second 4 bytes
-
- &xor("eax", "ecx");
- &xor("ebx", "edx");
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
- &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
-
- &call($enc_func);
-
- &mov("eax", &DWP($data_off,"esp","",0));
- &mov("ebx", &DWP($data_off+4,"esp","",0));
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov(&DWP(0,$out,"",0),"eax");
- &mov(&DWP(4,$out,"",0),"ebx");
-
- # eax and ebx are the next iv.
-
- &add($in, 8);
- &add($out, 8);
-
- &sub($count, 8);
- &jnz(&label("encrypt_loop"));
-
-###################################################################3
- &set_label("encrypt_finish");
- &mov($count, &wparam(2)); # length
- &and($count, 7);
- &jz(&label("finish"));
- &xor("ecx","ecx");
- &xor("edx","edx");
- &mov($count,&DWP(&label("cbc_enc_jmp_table"),"",$count,4));
- &jmp_ptr($count);
-
-&set_label("ej7");
- &xor("edx", "edx") if $ppro; # ppro friendly
- &movb(&HB("edx"), &BP(6,$in,"",0));
- &shl("edx",8);
-&set_label("ej6");
- &movb(&HB("edx"), &BP(5,$in,"",0));
-&set_label("ej5");
- &movb(&LB("edx"), &BP(4,$in,"",0));
-&set_label("ej4");
- &mov("ecx", &DWP(0,$in,"",0));
- &jmp(&label("ejend"));
-&set_label("ej3");
- &movb(&HB("ecx"), &BP(2,$in,"",0));
- &xor("ecx", "ecx") if $ppro; # ppro friendly
- &shl("ecx",8);
-&set_label("ej2");
- &movb(&HB("ecx"), &BP(1,$in,"",0));
-&set_label("ej1");
- &movb(&LB("ecx"), &BP(0,$in,"",0));
-&set_label("ejend");
-
- &xor("eax", "ecx");
- &xor("ebx", "edx");
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
- &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
-
- &call($enc_func);
-
- &mov("eax", &DWP($data_off,"esp","",0));
- &mov("ebx", &DWP($data_off+4,"esp","",0));
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov(&DWP(0,$out,"",0),"eax");
- &mov(&DWP(4,$out,"",0),"ebx");
-
- &jmp(&label("finish"));
-
- #############################################################
- #############################################################
- &set_label("decrypt",1);
- # decrypt start
- &and($count,0xfffffff8);
- # The next 2 instructions are only for if the jz is taken
- &mov("eax", &DWP($data_off+8,"esp","",0)); # get iv[0]
- &mov("ebx", &DWP($data_off+12,"esp","",0)); # get iv[1]
- &jz(&label("decrypt_finish"));
-
- &set_label("decrypt_loop");
- &mov("eax", &DWP(0,$in,"",0)); # load first 4 bytes
- &mov("ebx", &DWP(4,$in,"",0)); # second 4 bytes
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov(&DWP($data_off,"esp","",0), "eax"); # put back
- &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
-
- &call($dec_func);
-
- &mov("eax", &DWP($data_off,"esp","",0)); # get return
- &mov("ebx", &DWP($data_off+4,"esp","",0)); #
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov("ecx", &DWP($data_off+8,"esp","",0)); # get iv[0]
- &mov("edx", &DWP($data_off+12,"esp","",0)); # get iv[1]
-
- &xor("ecx", "eax");
- &xor("edx", "ebx");
-
- &mov("eax", &DWP(0,$in,"",0)); # get old cipher text,
- &mov("ebx", &DWP(4,$in,"",0)); # next iv actually
-
- &mov(&DWP(0,$out,"",0),"ecx");
- &mov(&DWP(4,$out,"",0),"edx");
-
- &mov(&DWP($data_off+8,"esp","",0), "eax"); # save iv
- &mov(&DWP($data_off+12,"esp","",0), "ebx"); #
-
- &add($in, 8);
- &add($out, 8);
-
- &sub($count, 8);
- &jnz(&label("decrypt_loop"));
-############################ ENDIT #######################3
- &set_label("decrypt_finish");
- &mov($count, &wparam(2)); # length
- &and($count, 7);
- &jz(&label("finish"));
-
- &mov("eax", &DWP(0,$in,"",0)); # load first 4 bytes
- &mov("ebx", &DWP(4,$in,"",0)); # second 4 bytes
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov(&DWP($data_off,"esp","",0), "eax"); # put back
- &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
-
- &call($dec_func);
-
- &mov("eax", &DWP($data_off,"esp","",0)); # get return
- &mov("ebx", &DWP($data_off+4,"esp","",0)); #
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov("ecx", &DWP($data_off+8,"esp","",0)); # get iv[0]
- &mov("edx", &DWP($data_off+12,"esp","",0)); # get iv[1]
-
- &xor("ecx", "eax");
- &xor("edx", "ebx");
-
- # this is for when we exit
- &mov("eax", &DWP(0,$in,"",0)); # get old cipher text,
- &mov("ebx", &DWP(4,$in,"",0)); # next iv actually
-
-&set_label("dj7");
- &rotr("edx", 16);
- &movb(&BP(6,$out,"",0), &LB("edx"));
- &shr("edx",16);
-&set_label("dj6");
- &movb(&BP(5,$out,"",0), &HB("edx"));
-&set_label("dj5");
- &movb(&BP(4,$out,"",0), &LB("edx"));
-&set_label("dj4");
- &mov(&DWP(0,$out,"",0), "ecx");
- &jmp(&label("djend"));
-&set_label("dj3");
- &rotr("ecx", 16);
- &movb(&BP(2,$out,"",0), &LB("ecx"));
- &shl("ecx",16);
-&set_label("dj2");
- &movb(&BP(1,$in,"",0), &HB("ecx"));
-&set_label("dj1");
- &movb(&BP(0,$in,"",0), &LB("ecx"));
-&set_label("djend");
-
- # final iv is still in eax:ebx
- &jmp(&label("finish"));
-
-
-############################ FINISH #######################3
- &set_label("finish",1);
- &mov("ecx", &wparam($iv_off)); # Get iv ptr
-
- #################################################
- $total=16+4;
- $total+=4 if ($p1 > 0);
- $total+=4 if ($p2 > 0);
- $total+=4 if ($p3 > 0);
- &add("esp",$total);
-
- &mov(&DWP(0,"ecx","",0), "eax"); # save iv
- &mov(&DWP(4,"ecx","",0), "ebx"); # save iv
-
- &function_end_A($name);
-
- &set_label("cbc_enc_jmp_table",1);
- &data_word("0");
- &data_word(&label("ej1"));
- &data_word(&label("ej2"));
- &data_word(&label("ej3"));
- &data_word(&label("ej4"));
- &data_word(&label("ej5"));
- &data_word(&label("ej6"));
- &data_word(&label("ej7"));
- &set_label("cbc_dec_jmp_table",1);
- &data_word("0");
- &data_word(&label("dj1"));
- &data_word(&label("dj2"));
- &data_word(&label("dj3"));
- &data_word(&label("dj4"));
- &data_word(&label("dj5"));
- &data_word(&label("dj6"));
- &data_word(&label("dj7"));
-
- &function_end_B($name);
-
- }
-
-1;
diff --git a/lib/libcrypto/perlasm/readme b/lib/libcrypto/perlasm/readme
deleted file mode 100644
index f02bbee75..000000000
--- a/lib/libcrypto/perlasm/readme
+++ /dev/null
@@ -1,124 +0,0 @@
-The perl scripts in this directory are my 'hack' to generate
-multiple different assembler formats via the one origional script.
-
-The way to use this library is to start with adding the path to this directory
-and then include it.
-
-push(@INC,"perlasm","../../perlasm");
-require "x86asm.pl";
-
-The first thing we do is setup the file and type of assember
-
-&asm_init($ARGV[0],$0);
-
-The first argument is the 'type'. Currently
-'cpp', 'sol', 'a.out', 'elf' or 'win32'.
-Argument 2 is the file name.
-
-The reciprocal function is
-&asm_finish() which should be called at the end.
-
-There are 2 main 'packages'. x86ms.pl, which is the microsoft assembler,
-and x86unix.pl which is the unix (gas) version.
-
-Functions of interest are:
-&external_label("des_SPtrans"); declare and external variable
-&LB(reg); Low byte for a register
-&HB(reg); High byte for a register
-&BP(off,base,index,scale) Byte pointer addressing
-&DWP(off,base,index,scale) Word pointer addressing
-&stack_push(num) Basically a 'sub esp, num*4' with extra
-&stack_pop(num) inverse of stack_push
-&function_begin(name,extra) Start a function with pushing of
- edi, esi, ebx and ebp. extra is extra win32
- external info that may be required.
-&function_begin_B(name,extra) Same as norma function_begin but no pushing.
-&function_end(name) Call at end of function.
-&function_end_A(name) Standard pop and ret, for use inside functions
-&function_end_B(name) Call at end but with poping or 'ret'.
-&swtmp(num) Address on stack temp word.
-&wparam(num) Parameter number num, that was push
- in C convention. This all works over pushes
- and pops.
-&comment("hello there") Put in a comment.
-&label("loop") Refer to a label, normally a jmp target.
-&set_label("loop") Set a label at this point.
-&data_word(word) Put in a word of data.
-
-So how does this all hold together? Given
-
-int calc(int len, int *data)
- {
- int i,j=0;
-
- for (i=0; i<len; i++)
- {
- j+=other(data[i]);
- }
- }
-
-So a very simple version of this function could be coded as
-
- push(@INC,"perlasm","../../perlasm");
- require "x86asm.pl";
-
- &asm_init($ARGV[0],"cacl.pl");
-
- &external_label("other");
-
- $tmp1= "eax";
- $j= "edi";
- $data= "esi";
- $i= "ebp";
-
- &comment("a simple function");
- &function_begin("calc");
- &mov( $data, &wparam(1)); # data
- &xor( $j, $j);
- &xor( $i, $i);
-
- &set_label("loop");
- &cmp( $i, &wparam(0));
- &jge( &label("end"));
-
- &mov( $tmp1, &DWP(0,$data,$i,4));
- &push( $tmp1);
- &call( "other");
- &add( $j, "eax");
- &pop( $tmp1);
- &inc( $i);
- &jmp( &label("loop"));
-
- &set_label("end");
- &mov( "eax", $j);
-
- &function_end("calc");
-
- &asm_finish();
-
-The above example is very very unoptimised but gives an idea of how
-things work.
-
-There is also a cbc mode function generator in cbc.pl
-
-&cbc( $name,
- $encrypt_function_name,
- $decrypt_function_name,
- $true_if_byte_swap_needed,
- $parameter_number_for_iv,
- $parameter_number_for_encrypt_flag,
- $first_parameter_to_pass,
- $second_parameter_to_pass,
- $third_parameter_to_pass);
-
-So for example, given
-void BF_encrypt(BF_LONG *data,BF_KEY *key);
-void BF_decrypt(BF_LONG *data,BF_KEY *key);
-void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
- BF_KEY *ks, unsigned char *iv, int enc);
-
-&cbc("BF_cbc_encrypt","BF_encrypt","BF_encrypt",1,4,5,3,-1,-1);
-
-&cbc("des_ncbc_encrypt","des_encrypt","des_encrypt",0,4,5,3,5,-1);
-&cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",0,6,7,3,4,5);
-
diff --git a/lib/libcrypto/perlasm/version b/lib/libcrypto/perlasm/version
deleted file mode 100644
index 5e62822b4..000000000
--- a/lib/libcrypto/perlasm/version
+++ /dev/null
@@ -1,5 +0,0 @@
-version,v 1.1.2.1 2003/11/21 18:12:23 jjo Exp
-
-This version of perlasm was copied from the openssl 0.9.6c distribution
-
-The license applying to it is enclose in the LICENSE file
diff --git a/lib/libcrypto/perlasm/x86asm.pl b/lib/libcrypto/perlasm/x86asm.pl
deleted file mode 100644
index 8af0fd17f..000000000
--- a/lib/libcrypto/perlasm/x86asm.pl
+++ /dev/null
@@ -1,118 +0,0 @@
-#!/usr/bin/perl
-
-# require 'x86asm.pl';
-# &asm_init("cpp","des-586.pl");
-# XXX
-# XXX
-# main'asm_finish
-
-sub main'asm_finish
- {
- &file_end();
- &asm_finish_cpp() if $cpp;
- print &asm_get_output();
- }
-
-sub main'asm_init
- {
- ($type,$fn,$i386)=@_;
- $filename=$fn;
-
- $cpp=$sol=$aout=$win32=$gaswin=0;
- if ( ($type eq "elf"))
- { require "x86unix.pl"; }
- elsif ( ($type eq "a.out"))
- { $aout=1; require "x86unix.pl"; }
- elsif ( ($type eq "gaswin"))
- { $gaswin=1; $aout=1; require "x86unix.pl"; }
- elsif ( ($type eq "sol"))
- { $sol=1; require "x86unix.pl"; }
- elsif ( ($type eq "cpp"))
- { $cpp=1; require "x86unix.pl"; }
- elsif ( ($type eq "win32"))
- { $win32=1; require "x86ms.pl"; }
- elsif ( ($type eq "win32n"))
- { $win32=1; require "x86nasm.pl"; }
- else
- {
- print STDERR <<"EOF";
-Pick one target type from
- elf - linux, FreeBSD etc
- a.out - old linux
- sol - x86 solaris
- cpp - format so x86unix.cpp can be used
- win32 - Windows 95/Windows NT
- win32n - Windows 95/Windows NT NASM format
-EOF
- exit(1);
- }
-
- &asm_init_output();
-
-&comment("Don't even think of reading this code");
-&comment("It was automatically generated by $filename");
-&comment("Which is a perl program used to generate the x86 assember for");
-&comment("any of elf, a.out, BSDI, Win32, gaswin (for GNU as on Win32) or Solaris");
-&comment("eric <eay\@cryptsoft.com>");
-&comment("");
-
- $filename =~ s/\.pl$//;
- &file($filename);
- }
-
-sub asm_finish_cpp
- {
- return unless $cpp;
-
- local($tmp,$i);
- foreach $i (&get_labels())
- {
- $tmp.="#define $i _$i\n";
- }
- print <<"EOF";
-/* Run the C pre-processor over this file with one of the following defined
- * ELF - elf object files,
- * OUT - a.out object files,
- * BSDI - BSDI style a.out object files
- * SOL - Solaris style elf
- */
-
-#define TYPE(a,b) .type a,b
-#define SIZE(a,b) .size a,b
-
-#if defined(OUT) || (defined(BSDI) && !defined(ELF))
-$tmp
-#endif
-
-#ifdef OUT
-#define OK 1
-#define ALIGN 4
-#endif
-
-#if defined(BSDI) && !defined(ELF)
-#define OK 1
-#define ALIGN 4
-#undef SIZE
-#undef TYPE
-#define SIZE(a,b)
-#define TYPE(a,b)
-#endif
-
-#if defined(ELF) || defined(SOL)
-#define OK 1
-#define ALIGN 16
-#endif
-
-#ifndef OK
-You need to define one of
-ELF - elf systems - linux-elf, NetBSD and DG-UX
-OUT - a.out systems - linux-a.out and FreeBSD
-SOL - solaris systems, which are elf with strange comment lines
-BSDI - a.out with a very primative version of as.
-#endif
-
-/* Let the Assembler begin :-) */
-EOF
- }
-
-1;
diff --git a/lib/libcrypto/perlasm/x86ms.pl b/lib/libcrypto/perlasm/x86ms.pl
deleted file mode 100644
index c6212f434..000000000
--- a/lib/libcrypto/perlasm/x86ms.pl
+++ /dev/null
@@ -1,365 +0,0 @@
-#!/usr/bin/perl
-
-package x86ms;
-
-$label="L000";
-
-%lb=( 'eax', 'al',
- 'ebx', 'bl',
- 'ecx', 'cl',
- 'edx', 'dl',
- 'ax', 'al',
- 'bx', 'bl',
- 'cx', 'cl',
- 'dx', 'dl',
- );
-
-%hb=( 'eax', 'ah',
- 'ebx', 'bh',
- 'ecx', 'ch',
- 'edx', 'dh',
- 'ax', 'ah',
- 'bx', 'bh',
- 'cx', 'ch',
- 'dx', 'dh',
- );
-
-sub main'asm_init_output { @out=(); }
-sub main'asm_get_output { return(@out); }
-sub main'get_labels { return(@labels); }
-sub main'external_label { push(@labels,@_); }
-
-sub main'LB
- {
- (defined($lb{$_[0]})) || die "$_[0] does not have a 'low byte'\n";
- return($lb{$_[0]});
- }
-
-sub main'HB
- {
- (defined($hb{$_[0]})) || die "$_[0] does not have a 'high byte'\n";
- return($hb{$_[0]});
- }
-
-sub main'BP
- {
- &get_mem("BYTE",@_);
- }
-
-sub main'DWP
- {
- &get_mem("DWORD",@_);
- }
-
-sub main'BC
- {
- return @_;
- }
-
-sub main'DWC
- {
- return @_;
- }
-
-sub main'stack_push
- {
- local($num)=@_;
- $stack+=$num*4;
- &main'sub("esp",$num*4);
- }
-
-sub main'stack_pop
- {
- local($num)=@_;
- $stack-=$num*4;
- &main'add("esp",$num*4);
- }
-
-sub get_mem
- {
- local($size,$addr,$reg1,$reg2,$idx)=@_;
- local($t,$post);
- local($ret)="$size PTR ";
-
- $addr =~ s/^\s+//;
- if ($addr =~ /^(.+)\+(.+)$/)
- {
- $reg2=&conv($1);
- $addr="_$2";
- }
- elsif ($addr =~ /^[_a-zA-Z]/)
- {
- $addr="_$addr";
- }
-
- $reg1="$regs{$reg1}" if defined($regs{$reg1});
- $reg2="$regs{$reg2}" if defined($regs{$reg2});
- if (($addr ne "") && ($addr ne 0))
- {
- if ($addr !~ /^-/)
- { $ret.=$addr; }
- else { $post=$addr; }
- }
- if ($reg2 ne "")
- {
- $t="";
- $t="*$idx" if ($idx != 0);
- $reg1="+".$reg1 if ("$reg1$post" ne "");
- $ret.="[$reg2$t$reg1$post]";
- }
- else
- {
- $ret.="[$reg1$post]"
- }
- return($ret);
- }
-
-sub main'mov { &out2("mov",@_); }
-sub main'movb { &out2("mov",@_); }
-sub main'and { &out2("and",@_); }
-sub main'or { &out2("or",@_); }
-sub main'shl { &out2("shl",@_); }
-sub main'shr { &out2("shr",@_); }
-sub main'xor { &out2("xor",@_); }
-sub main'xorb { &out2("xor",@_); }
-sub main'add { &out2("add",@_); }
-sub main'adc { &out2("adc",@_); }
-sub main'sub { &out2("sub",@_); }
-sub main'rotl { &out2("rol",@_); }
-sub main'rotr { &out2("ror",@_); }
-sub main'exch { &out2("xchg",@_); }
-sub main'cmp { &out2("cmp",@_); }
-sub main'lea { &out2("lea",@_); }
-sub main'mul { &out1("mul",@_); }
-sub main'div { &out1("div",@_); }
-sub main'dec { &out1("dec",@_); }
-sub main'inc { &out1("inc",@_); }
-sub main'jmp { &out1("jmp",@_); }
-sub main'jmp_ptr { &out1p("jmp",@_); }
-sub main'je { &out1("je",@_); }
-sub main'jle { &out1("jle",@_); }
-sub main'jz { &out1("jz",@_); }
-sub main'jge { &out1("jge",@_); }
-sub main'jl { &out1("jl",@_); }
-sub main'jb { &out1("jb",@_); }
-sub main'jc { &out1("jc",@_); }
-sub main'jnc { &out1("jnc",@_); }
-sub main'jnz { &out1("jnz",@_); }
-sub main'jne { &out1("jne",@_); }
-sub main'jno { &out1("jno",@_); }
-sub main'push { &out1("push",@_); $stack+=4; }
-sub main'pop { &out1("pop",@_); $stack-=4; }
-sub main'bswap { &out1("bswap",@_); &using486(); }
-sub main'not { &out1("not",@_); }
-sub main'call { &out1("call",'_'.$_[0]); }
-sub main'ret { &out0("ret"); }
-sub main'nop { &out0("nop"); }
-
-sub out2
- {
- local($name,$p1,$p2)=@_;
- local($l,$t);
-
- push(@out,"\t$name\t");
- $t=&conv($p1).",";
- $l=length($t);
- push(@out,$t);
- $l=4-($l+9)/8;
- push(@out,"\t" x $l);
- push(@out,&conv($p2));
- push(@out,"\n");
- }
-
-sub out0
- {
- local($name)=@_;
-
- push(@out,"\t$name\n");
- }
-
-sub out1
- {
- local($name,$p1)=@_;
- local($l,$t);
-
- push(@out,"\t$name\t".&conv($p1)."\n");
- }
-
-sub conv
- {
- local($p)=@_;
-
- $p =~ s/0x([0-9A-Fa-f]+)/0$1h/;
- return $p;
- }
-
-sub using486
- {
- return if $using486;
- $using486++;
- grep(s/\.386/\.486/,@out);
- }
-
-sub main'file
- {
- local($file)=@_;
-
- local($tmp)=<<"EOF";
- TITLE $file.asm
- .386
-.model FLAT
-EOF
- push(@out,$tmp);
- }
-
-sub main'function_begin
- {
- local($func,$extra)=@_;
-
- push(@labels,$func);
-
- local($tmp)=<<"EOF";
-_TEXT SEGMENT
-PUBLIC _$func
-$extra
-_$func PROC NEAR
- push ebp
- push ebx
- push esi
- push edi
-EOF
- push(@out,$tmp);
- $stack=20;
- }
-
-sub main'function_begin_B
- {
- local($func,$extra)=@_;
-
- local($tmp)=<<"EOF";
-_TEXT SEGMENT
-PUBLIC _$func
-$extra
-_$func PROC NEAR
-EOF
- push(@out,$tmp);
- $stack=4;
- }
-
-sub main'function_end
- {
- local($func)=@_;
-
- local($tmp)=<<"EOF";
- pop edi
- pop esi
- pop ebx
- pop ebp
- ret
-_$func ENDP
-_TEXT ENDS
-EOF
- push(@out,$tmp);
- $stack=0;
- %label=();
- }
-
-sub main'function_end_B
- {
- local($func)=@_;
-
- local($tmp)=<<"EOF";
-_$func ENDP
-_TEXT ENDS
-EOF
- push(@out,$tmp);
- $stack=0;
- %label=();
- }
-
-sub main'function_end_A
- {
- local($func)=@_;
-
- local($tmp)=<<"EOF";
- pop edi
- pop esi
- pop ebx
- pop ebp
- ret
-EOF
- push(@out,$tmp);
- }
-
-sub main'file_end
- {
- push(@out,"END\n");
- }
-
-sub main'wparam
- {
- local($num)=@_;
-
- return(&main'DWP($stack+$num*4,"esp","",0));
- }
-
-sub main'swtmp
- {
- return(&main'DWP($_[0]*4,"esp","",0));
- }
-
-# Should use swtmp, which is above esp. Linix can trash the stack above esp
-#sub main'wtmp
-# {
-# local($num)=@_;
-#
-# return(&main'DWP(-(($num+1)*4),"esp","",0));
-# }
-
-sub main'comment
- {
- foreach (@_)
- {
- push(@out,"\t; $_\n");
- }
- }
-
-sub main'label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}="\$${label}${_[0]}";
- $label++;
- }
- return($label{$_[0]});
- }
-
-sub main'set_label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}="${label}${_[0]}";
- $label++;
- }
- if((defined $_[2]) && ($_[2] == 1))
- {
- push(@out,"$label{$_[0]}::\n");
- }
- else
- {
- push(@out,"$label{$_[0]}:\n");
- }
- }
-
-sub main'data_word
- {
- push(@out,"\tDD\t$_[0]\n");
- }
-
-sub out1p
- {
- local($name,$p1)=@_;
- local($l,$t);
-
- push(@out,"\t$name\t ".&conv($p1)."\n");
- }
diff --git a/lib/libcrypto/perlasm/x86nasm.pl b/lib/libcrypto/perlasm/x86nasm.pl
deleted file mode 100644
index 90d27fca9..000000000
--- a/lib/libcrypto/perlasm/x86nasm.pl
+++ /dev/null
@@ -1,366 +0,0 @@
-#!/usr/bin/perl
-
-package x86nasm;
-
-$label="L000";
-
-%lb=( 'eax', 'al',
- 'ebx', 'bl',
- 'ecx', 'cl',
- 'edx', 'dl',
- 'ax', 'al',
- 'bx', 'bl',
- 'cx', 'cl',
- 'dx', 'dl',
- );
-
-%hb=( 'eax', 'ah',
- 'ebx', 'bh',
- 'ecx', 'ch',
- 'edx', 'dh',
- 'ax', 'ah',
- 'bx', 'bh',
- 'cx', 'ch',
- 'dx', 'dh',
- );
-
-%regs=( 'eax', 'eax',
- 'ebx', 'ebx',
- 'ecx', 'ecx',
- 'edx', 'edx',
- 'esi', 'esi',
- 'edi', 'edi',
- 'ebp', 'ebp',
- 'esp', 'esp',
- 'mm0', 'mm0',
- 'mm1', 'mm1',
- );
-
-sub main::asm_init_output { @out=(); }
-sub main::asm_get_output { return(@out); }
-sub main::get_labels { return(@labels); }
-
-sub main::external_label
-{
- push(@labels,@_);
- foreach (@_) {
- push(@out, "extern\t_$_\n");
- }
-}
-
-sub main::LB
- {
- (defined($lb{$_[0]})) || die "$_[0] does not have a 'low byte'\n";
- return($lb{$_[0]});
- }
-
-sub main::HB
- {
- (defined($hb{$_[0]})) || die "$_[0] does not have a 'high byte'\n";
- return($hb{$_[0]});
- }
-
-sub main::BP
- {
- &get_mem("BYTE",@_);
- }
-
-sub main::DWP
- {
- &get_mem("DWORD",@_);
- }
-
-sub main::BC
- {
- return "BYTE @_";
- }
-
-sub main::DWC
- {
- return "DWORD @_";
- }
-
-sub main::stack_push
- {
- my($num)=@_;
- $stack+=$num*4;
- &main::sub("esp",$num*4);
- }
-
-sub main::stack_pop
- {
- my($num)=@_;
- $stack-=$num*4;
- &main::add("esp",$num*4);
- }
-
-sub get_mem
- {
- my($size,$addr,$reg1,$reg2,$idx)=@_;
- my($t,$post);
- my($ret)="[";
- $addr =~ s/^\s+//;
- if ($addr =~ /^(.+)\+(.+)$/)
- {
- if (defined($regs{$reg2})) {
- $addr=join('+', &conv($1), "_$2");
- } else {
- $reg2=&conv($1);
- $addr="_$2";
- }
- }
- elsif ($addr =~ /^[_a-zA-Z]/)
- {
- $addr="_$addr";
- }
-
- $reg1="$regs{$reg1}" if defined($regs{$reg1});
- $reg2="$regs{$reg2}" if defined($regs{$reg2});
- if (($addr ne "") && ($addr ne 0))
- {
- if ($addr !~ /^-/)
- { $ret.="${addr}+"; }
- else { $post=$addr; }
- }
- if ($reg2 ne "")
- {
- $t="";
- $t="*$idx" if ($idx != 0);
- $reg1="+".$reg1 if ("$reg1$post" ne "");
- $ret.="$reg2$t$reg1$post]";
- }
- else
- {
- $ret.="$reg1$post]"
- }
- return($ret);
- }
-
-sub main::mov { &out2("mov",@_); }
-sub main::movb { &out2("mov",@_); }
-sub main::and { &out2("and",@_); }
-sub main::or { &out2("or",@_); }
-sub main::shl { &out2("shl",@_); }
-sub main::shr { &out2("shr",@_); }
-sub main::xor { &out2("xor",@_); }
-sub main::xorb { &out2("xor",@_); }
-sub main::add { &out2("add",@_); }
-sub main::adc { &out2("adc",@_); }
-sub main::sub { &out2("sub",@_); }
-sub main::rotl { &out2("rol",@_); }
-sub main::rotr { &out2("ror",@_); }
-sub main::exch { &out2("xchg",@_); }
-sub main::cmp { &out2("cmp",@_); }
-sub main::lea { &out2("lea",@_); }
-sub main::mul { &out1("mul",@_); }
-sub main::div { &out1("div",@_); }
-sub main::dec { &out1("dec",@_); }
-sub main::inc { &out1("inc",@_); }
-sub main::jmp { &out1("jmp",@_); }
-sub main::jmp_ptr { &out1p("jmp",@_); }
-
-# This is a bit of a kludge: declare all branches as NEAR.
-sub main::je { &out1("je NEAR",@_); }
-sub main::jle { &out1("jle NEAR",@_); }
-sub main::jz { &out1("jz NEAR",@_); }
-sub main::jge { &out1("jge NEAR",@_); }
-sub main::jl { &out1("jl NEAR",@_); }
-sub main::jb { &out1("jb NEAR",@_); }
-sub main::jc { &out1("jc NEAR",@_); }
-sub main::jnc { &out1("jnc NEAR",@_); }
-sub main::jnz { &out1("jnz NEAR",@_); }
-sub main::jne { &out1("jne NEAR",@_); }
-sub main::jno { &out1("jno NEAR",@_); }
-
-sub main::push { &out1("push",@_); $stack+=4; }
-sub main::pop { &out1("pop",@_); $stack-=4; }
-sub main::bswap { &out1("bswap",@_); &using486(); }
-sub main::not { &out1("not",@_); }
-sub main::call { &out1("call",'_'.$_[0]); }
-sub main::ret { &out0("ret"); }
-sub main::nop { &out0("nop"); }
-
-sub out2
- {
- my($name,$p1,$p2)=@_;
- my($l,$t);
-
- push(@out,"\t$name\t");
- $t=&conv($p1).",";
- $l=length($t);
- push(@out,$t);
- $l=4-($l+9)/8;
- push(@out,"\t" x $l);
- push(@out,&conv($p2));
- push(@out,"\n");
- }
-
-sub out0
- {
- my($name)=@_;
-
- push(@out,"\t$name\n");
- }
-
-sub out1
- {
- my($name,$p1)=@_;
- my($l,$t);
- push(@out,"\t$name\t".&conv($p1)."\n");
- }
-
-sub conv
- {
- my($p)=@_;
- $p =~ s/0x([0-9A-Fa-f]+)/0$1h/;
- return $p;
- }
-
-sub using486
- {
- return if $using486;
- $using486++;
- grep(s/\.386/\.486/,@out);
- }
-
-sub main::file
- {
- push(@out, "segment .text\n");
- }
-
-sub main::function_begin
- {
- my($func,$extra)=@_;
-
- push(@labels,$func);
- my($tmp)=<<"EOF";
-global _$func
-_$func:
- push ebp
- push ebx
- push esi
- push edi
-EOF
- push(@out,$tmp);
- $stack=20;
- }
-
-sub main::function_begin_B
- {
- my($func,$extra)=@_;
- my($tmp)=<<"EOF";
-global _$func
-_$func:
-EOF
- push(@out,$tmp);
- $stack=4;
- }
-
-sub main::function_end
- {
- my($func)=@_;
-
- my($tmp)=<<"EOF";
- pop edi
- pop esi
- pop ebx
- pop ebp
- ret
-EOF
- push(@out,$tmp);
- $stack=0;
- %label=();
- }
-
-sub main::function_end_B
- {
- $stack=0;
- %label=();
- }
-
-sub main::function_end_A
- {
- my($func)=@_;
-
- my($tmp)=<<"EOF";
- pop edi
- pop esi
- pop ebx
- pop ebp
- ret
-EOF
- push(@out,$tmp);
- }
-
-sub main::file_end
- {
- }
-
-sub main::wparam
- {
- my($num)=@_;
-
- return(&main::DWP($stack+$num*4,"esp","",0));
- }
-
-sub main::swtmp
- {
- return(&main::DWP($_[0]*4,"esp","",0));
- }
-
-# Should use swtmp, which is above esp. Linix can trash the stack above esp
-#sub main::wtmp
-# {
-# my($num)=@_;
-#
-# return(&main::DWP(-(($num+1)*4),"esp","",0));
-# }
-
-sub main::comment
- {
- foreach (@_)
- {
- push(@out,"\t; $_\n");
- }
- }
-
-sub main::label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}="\$${label}${_[0]}";
- $label++;
- }
- return($label{$_[0]});
- }
-
-sub main::set_label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}="${label}${_[0]}";
- $label++;
- }
- push(@out,"$label{$_[0]}:\n");
- }
-
-sub main::data_word
- {
- push(@out,"\tDD\t$_[0]\n");
- }
-
-sub out1p
- {
- my($name,$p1)=@_;
- my($l,$t);
-
- push(@out,"\t$name\t ".&conv($p1)."\n");
- }
-
-##
-## Additional functions required for MMX and other ops
-##
-sub main::testb { &out2('test', @_) }
-sub main::movzx { &out2('movzx', @_) }
-sub main::movd { &out2('movd', @_) }
-sub main::emms { &out0('emms', @_) }
diff --git a/lib/libcrypto/perlasm/x86unix.pl b/lib/libcrypto/perlasm/x86unix.pl
deleted file mode 100644
index f804b91c9..000000000
--- a/lib/libcrypto/perlasm/x86unix.pl
+++ /dev/null
@@ -1,472 +0,0 @@
-#!/usr/bin/perl
-
-package x86unix;
-
-$label="L000";
-
-$align=($main::aout)?"4":"16";
-$under=($main::aout)?"_":"";
-$com_start=($main::sol)?"/":"#";
-
-sub main::asm_init_output { @out=(); }
-sub main::asm_get_output { return(@out); }
-sub main::get_labels { return(@labels); }
-sub main::external_label { push(@labels,@_); }
-
-if ($main::cpp)
- {
- $align="ALIGN";
- $under="";
- $com_start='/*';
- $com_end='*/';
- }
-
-%lb=( 'eax', '%al',
- 'ebx', '%bl',
- 'ecx', '%cl',
- 'edx', '%dl',
- 'ax', '%al',
- 'bx', '%bl',
- 'cx', '%cl',
- 'dx', '%dl',
- );
-
-%hb=( 'eax', '%ah',
- 'ebx', '%bh',
- 'ecx', '%ch',
- 'edx', '%dh',
- 'ax', '%ah',
- 'bx', '%bh',
- 'cx', '%ch',
- 'dx', '%dh',
- );
-
-%regs=( 'eax', '%eax',
- 'ebx', '%ebx',
- 'ecx', '%ecx',
- 'edx', '%edx',
- 'esi', '%esi',
- 'edi', '%edi',
- 'ebp', '%ebp',
- 'esp', '%esp',
- 'mm0', '%mm0',
- 'mm1', '%mm1',
- );
-
-%reg_val=(
- 'eax', 0x00,
- 'ebx', 0x03,
- 'ecx', 0x01,
- 'edx', 0x02,
- 'esi', 0x06,
- 'edi', 0x07,
- 'ebp', 0x05,
- 'esp', 0x04,
- );
-
-sub main::LB
- {
- (defined($lb{$_[0]})) || die "$_[0] does not have a 'low byte'\n";
- return($lb{$_[0]});
- }
-
-sub main::HB
- {
- (defined($hb{$_[0]})) || die "$_[0] does not have a 'high byte'\n";
- return($hb{$_[0]});
- }
-
-sub main::DWP
- {
- local($addr,$reg1,$reg2,$idx)=@_;
-
- $ret="";
- $addr =~ s/(^|[+ \t])([A-Za-z_]+[A-Za-z0-9_]+)($|[+ \t])/$1$under$2$3/;
- $reg1="$regs{$reg1}" if defined($regs{$reg1});
- $reg2="$regs{$reg2}" if defined($regs{$reg2});
- $ret.=$addr if ($addr ne "") && ($addr ne 0);
- if ($reg2 ne "")
- {
- if($idx ne "")
- { $ret.="($reg1,$reg2,$idx)"; }
- else
- { $ret.="($reg1,$reg2)"; }
- }
- else
- { $ret.="($reg1)" }
- return($ret);
- }
-
-sub main::BP
- {
- return(&main::DWP(@_));
- }
-
-sub main::BC
- {
- return @_;
- }
-
-sub main::DWC
- {
- return @_;
- }
-
-#sub main::BP
-# {
-# local($addr,$reg1,$reg2,$idx)=@_;
-#
-# $ret="";
-#
-# $addr =~ s/(^|[+ \t])([A-Za-z_]+)($|[+ \t])/$1$under$2$3/;
-# $reg1="$regs{$reg1}" if defined($regs{$reg1});
-# $reg2="$regs{$reg2}" if defined($regs{$reg2});
-# $ret.=$addr if ($addr ne "") && ($addr ne 0);
-# if ($reg2 ne "")
-# { $ret.="($reg1,$reg2,$idx)"; }
-# else
-# { $ret.="($reg1)" }
-# return($ret);
-# }
-
-sub main::mov { &out2("movl",@_); }
-sub main::movb { &out2("movb",@_); }
-sub main::and { &out2("andl",@_); }
-sub main::or { &out2("orl",@_); }
-sub main::shl { &out2("sall",@_); }
-sub main::shr { &out2("shrl",@_); }
-sub main::xor { &out2("xorl",@_); }
-sub main::xorb { &out2("xorb",@_); }
-sub main::add { &out2("addl",@_); }
-sub main::adc { &out2("adcl",@_); }
-sub main::sub { &out2("subl",@_); }
-sub main::rotl { &out2("roll",@_); }
-sub main::rotr { &out2("rorl",@_); }
-sub main::exch { &out2("xchg",@_); }
-sub main::cmp { &out2("cmpl",@_); }
-sub main::lea { &out2("leal",@_); }
-sub main::mul { &out1("mull",@_); }
-sub main::div { &out1("divl",@_); }
-sub main::jmp { &out1("jmp",@_); }
-sub main::jmp_ptr { &out1p("jmp",@_); }
-sub main::je { &out1("je",@_); }
-sub main::jle { &out1("jle",@_); }
-sub main::jne { &out1("jne",@_); }
-sub main::jnz { &out1("jnz",@_); }
-sub main::jz { &out1("jz",@_); }
-sub main::jge { &out1("jge",@_); }
-sub main::jl { &out1("jl",@_); }
-sub main::jb { &out1("jb",@_); }
-sub main::jc { &out1("jc",@_); }
-sub main::jnc { &out1("jnc",@_); }
-sub main::jno { &out1("jno",@_); }
-sub main::dec { &out1("decl",@_); }
-sub main::inc { &out1("incl",@_); }
-sub main::push { &out1("pushl",@_); $stack+=4; }
-sub main::pop { &out1("popl",@_); $stack-=4; }
-sub main::not { &out1("notl",@_); }
-sub main::call { &out1("call",$under.$_[0]); }
-sub main::ret { &out0("ret"); }
-sub main::nop { &out0("nop"); }
-
-# The bswapl instruction is new for the 486. Emulate if i386.
-sub main::bswap
- {
- if ($main::i386)
- {
- &main::comment("bswapl @_");
- &main::exch(main::HB(@_),main::LB(@_));
- &main::rotr(@_,16);
- &main::exch(main::HB(@_),main::LB(@_));
- }
- else
- {
- &out1("bswapl",@_);
- }
- }
-
-sub out2
- {
- local($name,$p1,$p2)=@_;
- local($l,$ll,$t);
- local(%special)=( "roll",0xD1C0,"rorl",0xD1C8,
- "rcll",0xD1D0,"rcrl",0xD1D8,
- "shll",0xD1E0,"shrl",0xD1E8,
- "sarl",0xD1F8);
-
- if ((defined($special{$name})) && defined($regs{$p1}) && ($p2 == 1))
- {
- $op=$special{$name}|$reg_val{$p1};
- $tmp1=sprintf(".byte %d\n",($op>>8)&0xff);
- $tmp2=sprintf(".byte %d\t",$op &0xff);
- push(@out,$tmp1);
- push(@out,$tmp2);
-
- $p2=&conv($p2);
- $p1=&conv($p1);
- &main::comment("$name $p2 $p1");
- return;
- }
-
- push(@out,"\t$name\t");
- $t=&conv($p2).",";
- $l=length($t);
- push(@out,$t);
- $ll=4-($l+9)/8;
- $tmp1=sprintf("\t" x $ll);
- push(@out,$tmp1);
- push(@out,&conv($p1)."\n");
- }
-
-sub out1
- {
- local($name,$p1)=@_;
- local($l,$t);
- local(%special)=("bswapl",0x0FC8);
-
- if ((defined($special{$name})) && defined($regs{$p1}))
- {
- $op=$special{$name}|$reg_val{$p1};
- $tmp1=sprintf(".byte %d\n",($op>>8)&0xff);
- $tmp2=sprintf(".byte %d\t",$op &0xff);
- push(@out,$tmp1);
- push(@out,$tmp2);
-
- $p2=&conv($p2);
- $p1=&conv($p1);
- &main::comment("$name $p2 $p1");
- return;
- }
-
- push(@out,"\t$name\t".&conv($p1)."\n");
- }
-
-sub out1p
- {
- local($name,$p1)=@_;
- local($l,$t);
-
- push(@out,"\t$name\t*".&conv($p1)."\n");
- }
-
-sub out0
- {
- push(@out,"\t$_[0]\n");
- }
-
-sub conv
- {
- local($p)=@_;
-
-# $p =~ s/0x([0-9A-Fa-f]+)/0$1h/;
-
- $p=$regs{$p} if (defined($regs{$p}));
-
- $p =~ s/^(-{0,1}[0-9A-Fa-f]+)$/\$$1/;
- $p =~ s/^(0x[0-9A-Fa-f]+)$/\$$1/;
- return $p;
- }
-
-sub main::file
- {
- local($file)=@_;
-
- local($tmp)=<<"EOF";
- .file "$file.s"
- .version "01.01"
-EOF
-# Removed the next line from previous infile
-#gcc2_compiled.:
- push(@out,$tmp);
- }
-
-sub main::function_begin
- {
- local($func)=@_;
-
- &main::external_label($func);
- $func=$under.$func;
-
- local($tmp)=<<"EOF";
-.text
- .align $align
-.globl $func
-EOF
- push(@out,$tmp);
- if ($main::cpp)
- { $tmp=push(@out,"\tTYPE($func,\@function)\n"); }
- elsif ($main::gaswin)
- { $tmp=push(@out,"\t.def\t$func;\t.scl\t2;\t.type\t32;\t.endef\n"); }
- else { $tmp=push(@out,"\t.type\t$func,\@function\n"); }
- push(@out,"$func:\n");
- $tmp=<<"EOF";
- pushl %ebp
- pushl %ebx
- pushl %esi
- pushl %edi
-
-EOF
- push(@out,$tmp);
- $stack=20;
- }
-
-sub main::function_begin_B
- {
- local($func,$extra)=@_;
-
- &main::external_label($func);
- $func=$under.$func;
-
- local($tmp)=<<"EOF";
-.text
- .align $align
-.globl $func
-EOF
- push(@out,$tmp);
- if ($main::cpp)
- { push(@out,"\tTYPE($func,\@function)\n"); }
- elsif ($main::gaswin)
- { $tmp=push(@out,"\t.def\t$func;\t.scl\t2;\t.type\t32;\t.endef\n"); }
- else { push(@out,"\t.type $func,\@function\n"); }
- push(@out,"$func:\n");
- $stack=4;
- }
-
-sub main::function_end
- {
- local($func)=@_;
-
- $func=$under.$func;
-
- local($tmp)=<<"EOF";
- popl %edi
- popl %esi
- popl %ebx
- popl %ebp
- ret
-.${func}_end:
-EOF
- push(@out,$tmp);
- if ($main::cpp)
- { push(@out,"\tSIZE($func,.${func}_end-$func)\n"); }
- elsif ($main::gaswin)
- { $tmp=push(@out,"\t.align 4\n"); }
- else { push(@out,"\t.size\t$func,.${func}_end-$func\n"); }
- push(@out,".ident \"$func\"\n");
- $stack=0;
- %label=();
- }
-
-sub main::function_end_A
- {
- local($func)=@_;
-
- local($tmp)=<<"EOF";
- popl %edi
- popl %esi
- popl %ebx
- popl %ebp
- ret
-EOF
- push(@out,$tmp);
- }
-
-sub main::function_end_B
- {
- local($func)=@_;
-
- $func=$under.$func;
-
- push(@out,".L_${func}_end:\n");
- if ($main::cpp)
- { push(@out,"\tSIZE($func,.L_${func}_end-$func)\n"); }
- elsif ($main::gaswin)
- { push(@out,"\t.align 4\n"); }
- else { push(@out,"\t.size\t$func,.L_${func}_end-$func\n"); }
- push(@out,".ident \"desasm.pl\"\n");
- $stack=0;
- %label=();
- }
-
-sub main::wparam
- {
- local($num)=@_;
-
- return(&main::DWP($stack+$num*4,"esp","",0));
- }
-
-sub main::stack_push
- {
- local($num)=@_;
- $stack+=$num*4;
- &main::sub("esp",$num*4);
- }
-
-sub main::stack_pop
- {
- local($num)=@_;
- $stack-=$num*4;
- &main::add("esp",$num*4);
- }
-
-sub main::swtmp
- {
- return(&main::DWP($_[0]*4,"esp","",0));
- }
-
-# Should use swtmp, which is above esp. Linix can trash the stack above esp
-#sub main::wtmp
-# {
-# local($num)=@_;
-#
-# return(&main::DWP(-($num+1)*4,"esp","",0));
-# }
-
-sub main::comment
- {
- foreach (@_)
- {
- if (/^\s*$/)
- { push(@out,"\n"); }
- else
- { push(@out,"\t$com_start $_ $com_end\n"); }
- }
- }
-
-sub main::label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}=".${label}${_[0]}";
- $label++;
- }
- return($label{$_[0]});
- }
-
-sub main::set_label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}=".${label}${_[0]}";
- $label++;
- }
- push(@out,".align $align\n") if ($_[1] != 0);
- push(@out,"$label{$_[0]}:\n");
- }
-
-sub main::file_end
- {
- }
-
-sub main::data_word
- {
- push(@out,"\t.long $_[0]\n");
- }
-
-##
-## Additional functions required for MMX and other ops
-##
-sub main::testb { &out2('testb', @_) }
-sub main::movzx { &out2('movzx', @_) }
-sub main::movd { &out2('movd', @_) }
-sub main::emms { &out0('emms', @_) }
diff --git a/lib/libdes/.cvsignore b/lib/libdes/.cvsignore
deleted file mode 100644
index e06b80457..000000000
--- a/lib/libdes/.cvsignore
+++ /dev/null
@@ -1,3 +0,0 @@
-des_opts
-destest
-speed
diff --git a/lib/libdes/Makefile b/lib/libdes/Makefile
deleted file mode 100644
index e00bb0073..000000000
--- a/lib/libdes/Makefile
+++ /dev/null
@@ -1,245 +0,0 @@
-ifndef FREESWANSRCDIR
-FREESWANSRCDIR=../..
-endif
-
-include ${FREESWANSRCDIR}/Makefile.inc
-
-KLIPSD=${FREESWANSRCDIR}/linux
-SRCDIR=${KLIPSD}/crypto/ciphers/des
-
-VPATH =${SRCDIR}
-
-# You must select the correct terminal control system to be used to
-# turn character echo off when reading passwords. There a 5 systems
-# SGTTY - the old BSD system
-# TERMIO - most system V boxes
-# TERMIOS - SGI (ala IRIX).
-# VMS - the DEC operating system
-# MSDOS - we all know what it is :-)
-# read_pwd.c makes a reasonable guess at what is correct.
-
-# Targets
-# make - twidle the options yourself :-)
-# make cc - standard cc options
-# make gcc - standard gcc options
-# make x86-elf - linux-elf etc
-# make x86-out - linux-a.out, FreeBSD etc
-# make x86-solaris
-# make x86-bdsi
-
-# If you are on a DEC Alpha, edit des.h and change the DES_LONG
-# define to 'unsigned int'. I have seen this give a %20 speedup.
-
-OPTS0= -DLIBDES_LIT -DRAND -DTERMIO #-DNOCONST
-
-# Version 1.94 has changed the strings_to_key function so that it is
-# now compatible with MITs when the string is longer than 8 characters.
-# If you wish to keep the old version, uncomment the following line.
-# This will affect the -E/-D options on des(1).
-#OPTS1= -DOLD_STR_TO_KEY
-
-# There are 4 possible performance options
-# -DDES_PTR
-# -DDES_RISC1
-# -DDES_RISC2 (only one of DES_RISC1 and DES_RISC2)
-# -DDES_UNROLL
-# after the initial build, run 'des_opts' to see which options are best
-# for your platform. There are some listed in options.txt
-#OPTS2= -DDES_PTR
-#OPTS3= -DDES_RISC1 # or DES_RISC2
-#OPTS4= -DDES_UNROLL
-
-OPTS= $(OPTS0) $(OPTS1) $(OPTS2) $(OPTS3) $(OPTS4)
-
-MAKE=make -f Makefile
-#CC=cc
-#CFLAG= -O
-
-#CC=gcc
-#CFLAG= -O4 -funroll-loops -fomit-frame-pointer
-# normally overridden by FreeS/WAN Makefiles anyway
-CFLAG= -O3 -fomit-frame-pointer -I${KLIPSD}/include -I${SRCDIR}
-
-CFLAGS=$(OPTS) $(CFLAG) $(USERCOMPILE)
-CPP=$(CC) -E
-
-# Assember version of des_encrypt*().
-DES_ENC=des_enc.o fcrypt_b.o # normal C version
-#DES_ENC=asm/dx86-elf.o asm/yx86-elf.o # elf format x86
-#DES_ENC=asm/dx86-out.o asm/yx86-out.o # a.out format x86
-#DES_ENC=asm/dx86-sol.o asm/yx86-sol.o # solaris format x86
-#DES_ENC=asm/dx86bsdi.o asm/yx86basi.o # bsdi format x86
-
-LIBDIR=$(DESTDIR)$(INC_USRLOCAL)/lib
-INCDIR=$(DESTDIR)$(INC_USRLOCAL)/include
-MANDIR=$(MANTREE)
-MAN1=1
-MAN3=3
-SHELL=/bin/sh
-MAN1=1
-MAN3=3
-SHELL=/bin/sh
-OBJ_LIT=cbc_enc.o ecb_enc.o $(DES_ENC) fcrypt.o set_key.o
-OBJ_FULL=cbc_cksm.o $(OBJ_LIT) pcbc_enc.o \
- xcbc_enc.o qud_cksm.o \
- cfb64ede.o cfb64enc.o cfb_enc.o ecb3_enc.o \
- enc_read.o enc_writ.o ofb64ede.o ofb64enc.o ofb_enc.o \
- rand_key.o read_pwd.o read2pwd.o rpc_enc.o str2key.o supp.o
-
-GENERAL_LIT=COPYRIGHT INSTALL README VERSION Makefile des_crypt.man \
- des.doc options.txt asm
-
-GENERAL_FULL=$(GENERAL_LIT) FILES Imakefile times vms.com KERBEROS MODES.DES \
- des.man DES.pm DES.pod DES.xs Makefile.PL dess.S des3s.S \
- Makefile.uni typemap t Makefile.ssl makefile.bc Makefile.lit \
- des.org des_locl.org
-
-TESTING_LIT= destest speed des_opts
-TESTING_FULL= rpw $(TESTING_LIT)
-TESTING_SRC_LIT=destest.c speed.c des_opts.c
-TESTING_SRC_FULL=rpw.c $(TESTING_SRC_LIT)
-HEADERS_LIT=des_ver.h des.h des_locl.h podd.h sk.h spr.h
-HEADERS_FULL= $(HEADERS_LIT) rpc_des.h
-LIBDES_LIT=cbc_enc.c ecb_enc.c fcrypt.c set_key.c des_enc.c fcrypt_b.c
-
-LIBDES_FULL= cbc_cksm.c pcbc_enc.c qud_cksm.c \
- cfb64ede.c cfb64enc.c cfb_enc.c ecb3_enc.c \
- enc_read.c enc_writ.c ofb64ede.c ofb64enc.c ofb_enc.c \
- rand_key.c rpc_enc.c str2key.c supp.c \
- xcbc_enc.c $(LIBDES_LIT) read_pwd.c read2pwd.c
-
-PERL= des.pl testdes.pl doIP doPC1 doPC2 PC1 PC2 shifts.pl
-
-OBJ= $(OBJ_LIT)
-GENERAL=$(GENERAL_LIT)
-TESTING=$(TESTING_LIT)
-TESTING_SRC=$(TESTING_SRC_LIT)
-HEADERS=$(HEADERS_LIT)
-LIBDES= $(LIBDES_LIT)
-
-ALL= $(GENERAL) $(TESTING_SRC) $(LIBDES) $(PERL) $(HEADERS)
-
-DLIB= libdes.a
-
-.PHONY: all cc gcc x86-elf x86-out x86-solaris x86-bsdi test tar_lit \
- tar shar depend clean dclean install check checkprograms
-
-all: $(DLIB) $(TESTING)
-programs: $(DLIB)
-
-cc:
- $(MAKE) CC=cc CFLAGS="-O $(OPTS) $(CFLAG)" all
-
-gcc:
- $(MAKE) CC=gcc CFLAGS="-O3 -fomit-frame-pointer $(OPTS) $(CFLAG)" all
-
-x86-elf:
- $(MAKE) DES_ENC='asm/dx86-elf.o asm/yx86-elf.o' CC='$(CC)' CFLAGS="-DELF $(OPTS) $(CFLAG)" all
-
-x86-out:
- $(MAKE) DES_ENC='asm/dx86-out.o asm/yx86-out.o' CC='$(CC)' CFLAGS="-DOUT $(OPTS) $(CFLAG)" all
-
-x86-solaris:
- $(MAKE) DES_ENC='asm/dx86-sol.o asm/yx86-sol.o' CC='$(CC)' CFLAGS="-DSOL $(OPTS) $(CFLAG)" all
-
-x86-bsdi:
- $(MAKE) DES_ENC='asm/dx86bsdi.o asm/yx86bsdi.o' CC='$(CC)' CFLAGS="-DBSDI $(OPTS) $(CFLAG)" all
-
-# elf
-asm/dx86-elf.o: asm/dx86unix.S
- $(CPP) -DELF asm/dx86unix.S | $(AS) -o asm/dx86-elf.o
-
-asm/yx86-elf.o: asm/yx86unix.S
- $(CPP) -DELF asm/yx86unix.S | $(AS) -o asm/yx86-elf.o
-
-# solaris
-asm/dx86-sol.o: asm/dx86unix.S
- $(CC) -E -DSOL asm/dx86unix.S | sed 's/^#.*//' > asm/dx86-sol.s
- as -o asm/dx86-sol.o asm/dx86-sol.s
- rm -f asm/dx86-sol.s
-
-asm/yx86-sol.o: asm/yx86unix.S
- $(CC) -E -DSOL asm/yx86unix.S | sed 's/^#.*//' > asm/yx86-sol.s
- as -o asm/yx86-sol.o asm/yx86-sol.s
- rm -f asm/yx86-sol.s
-
-# a.out
-asm/dx86-out.o: asm/dx86unix.S
- $(CPP) -DOUT asm/dx86unix.S | $(AS) -o asm/dx86-out.o
-
-asm/yx86-out.o: asm/yx86unix.S
- $(CPP) -DOUT asm/yx86unix.S | $(AS) -o asm/yx86-out.o
-
-# bsdi
-asm/dx86bsdi.o: asm/dx86unix.S
- $(CPP) -DBSDI asm/dx86unix.S | $(AS) -o asm/dx86bsdi.o
-
-asm/yx86bsdi.o: asm/yx86unix.S
- $(CPP) -DBSDI asm/yx86unix.S | $(AS) -o asm/yx86bsdi.o
-
-asm/dx86unix.S:
- (cd asm; perl des-586.pl cpp >dx86unix.S)
-
-asm/yx86unix.S:
- (cd asm; perl crypt586.pl cpp >yx86unix.S)
-
-test: all
- ./destest
-
-$(DLIB): $(OBJ)
- rm -f $(DLIB)
- $(AR) crs $(DLIB) $(OBJ)
-
-des_opts: des_opts.o $(DLIB)
- $(CC) $(CFLAGS) -o des_opts des_opts.o $(DLIB)
-
-destest: destest.o $(DLIB)
- $(CC) $(CFLAGS) -o destest destest.o $(DLIB)
-
-rpw: rpw.o $(DLIB)
- $(CC) $(CFLAGS) -o rpw rpw.o $(DLIB)
-
-speed: speed.o $(DLIB)
- $(CC) $(CFLAGS) -o speed speed.o $(DLIB)
-
-des: des.o $(DLIB)
- $(CC) $(CFLAGS) -o des des.o $(DLIB)
-
-tags:
- ctags $(TESTING_SRC) $(LIBDES)
-
-tar_lit:
- /bin/mv Makefile Makefile.tmp
- /bin/cp Makefile.lit Makefile
- tar chf libdes-l.tar $(LIBDES_LIT) $(HEADERS_LIT) \
- $(GENERAL_LIT) $(TESTING_SRC_LIT)
- /bin/rm -f Makefile
- /bin/mv Makefile.tmp Makefile
-
-tar:
- tar chf libdes.tar $(ALL)
-
-shar:
- shar $(ALL) >libdes.shar
-
-depend:
- makedepend $(LIBDES) $(TESTING_SRC)
-
-clean:
- /bin/rm -f *.o tags core $(TESTING) $(DLIB) .nfs* *.old *.bak asm/*.o \
- asm/*.S
-
-dclean:
- sed -e '/^# DO NOT DELETE THIS LINE/ q' Makefile >Makefile.new
- mv -f Makefile.new Makefile
-
-install install_file_list:
- @true
-
-check:
- echo no checks in lib right now.
-
-checkprograms:
-
-# DO NOT DELETE THIS LINE -- make depend depends on it.
-
diff --git a/lib/libfreeswan/.cvsignore b/lib/libfreeswan/.cvsignore
deleted file mode 100644
index 49cc19caa..000000000
--- a/lib/libfreeswan/.cvsignore
+++ /dev/null
@@ -1,9 +0,0 @@
-try
-try1a
-try2
-try3
-try4
-try4a
-try6
-try7
-version.c
diff --git a/lib/libfreeswan/Makefile b/lib/libfreeswan/Makefile
deleted file mode 100644
index aa05927e3..000000000
--- a/lib/libfreeswan/Makefile
+++ /dev/null
@@ -1,176 +0,0 @@
-# FreeS/WAN library
-# Copyright (C) 1998-2001 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.3 2006/07/06 12:35:32 as Exp $
-
-
-FREESWANSRCDIR=../..
-
-include ${FREESWANSRCDIR}/Makefile.inc
-include ${FREESWANSRCDIR}/Makefile.ver
-
-
-MANDIR=$(MANTREE)/man3
-
-SRCS=addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c \
- atoasr.c atosa.c atosubnet.c atoul.c copyright.c datatot.c \
- goodmask.c initaddr.c initsaid.c initsubnet.c keyblobtoid.c \
- optionsfrom.c pfkey_v2_build.c pfkey_v2_ext_bits.c pfkey_v2_parse.c \
- pfkey_v2_debug.c prng.c \
- portof.c rangetoa.c rangetosubnet.c sameaddr.c \
- satoa.c satot.c subnetof.c subnettoa.c subnettot.c \
- subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c \
- ttosa.c ttosubnet.c ttoul.c ultoa.c ultot.c
-
-OBJS=${SRCS:.c=.o} version.o
-
-KLIPSD=${FREESWANSRCDIR}/linux/include
-SRCDIR=${FREESWANSRCDIR}/linux/lib/libfreeswan
-
-VPATH = ${SRCDIR}
-
-HDRS=${KLIPSD}/freeswan.h ${SRCDIR}/internal.h
-
-LIB=libfreeswan.a
-# Original flags
-CFLAGS=-I. -I${SRCDIR} -I${KLIPSD} -I${FREESWANSRCDIR} $(USERCOMPILE)
-CFLAGS+= -Wall
-#CFLAGS+= -Wconversion
-#CFLAGS+= -Wmissing-prototypes
-CFLAGS+= -Wpointer-arith
-CFLAGS+= -Wcast-qual
-#CFLAGS+= -Wmissing-declarations
-CFLAGS+= -Wstrict-prototypes
-#CFLAGS+= -pedantic
-#CFLAGS+= -W
-#CFLAGS+= -Wwrite-strings
-CFLAGS+= -Wbad-function-cast
-
-ifeq ($(USE_NAT_TRAVERSAL),true)
- CFLAGS+= -DNAT_TRAVERSAL
-endif
-
-ARFLAGS=crvs
-EXTHDRS=des.h
-EXTLIBS=libdes.a
-MANS=anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 \
- initaddr.3 initsubnet.3 optionsfrom.3 portof.3 rangetosubnet.3 \
- sameaddr.3 subnetof.3 ttoaddr.3 ttodata.3 ttosa.3 ttoul.3 version.3
-
-.PHONY: all install clean l t lt tar check depend checkprograms
-
-all: $(LIB)
-programs: $(LIB)
-
-install:
- @mkdir -p $(MANDIR)
- @for f in $(MANS) ; \
- do \
- $(INSTALL) $(INSTMANFLAGS) $(SRCDIR)/$$f $(MANDIR)/ipsec_$$f || exit 1 ; \
- done
- @$(FREESWANSRCDIR)/packaging/utils/manlink $(foreach man, $(MANS), ${SRCDIR}/$(man)) | \
- while read from to; \
- do \
- ln -s -f ipsec_$$from $(MANDIR)/$$to; \
- done
-
-
-install_file_list:
- @for f in $(MANS) ; \
- do \
- echo $(MANDIR)/ipsec_$$f;\
- done;
- @$(FREESWANSRCDIR)/packaging/utils/manlink $(foreach man, $(MANS), ${SRCDIR}/$(man)) | \
- while read from to; \
- do \
- echo $(MANDIR)/$$to; \
- done
-
-$(LIB): $(OBJS)
- $(AR) $(ARFLAGS) $(LIB) $(OBJS)
-
-$(OBJS): $(HDRS)
-
-# build version.c using version number from Makefile.ver
-version.c: ${SRCDIR}/version.in.c ${FREESWANSRCDIR}/Makefile.ver
- sed '/"/s/xxx/$(IPSECVERSION)/' ${SRCDIR}/version.in.c >$@
-
-#libdes.a: ../libdes/libdes.a
-# ln -f -s ../libdes/libdes.a
-#
-# yes, that's CFLAG=, not CFLAGS=
-#../libdes/libdes.a:
-# cd ../libdes ; \
-# if test " `arch | sed 's/^i[3456]/x/'`" = " x86" ; \
-# then $(MAKE) CC='$(CC)' CFLAG='$(CFLAGS)' TESTING='' x86-elf ; \
-# else $(MAKE) CC='$(CC)' CFLAG='$(CFLAGS)' libdes.a ; \
-# fi
-
-clean:
- rm -f $(LIB) *.o try* core *.core $(EXTHDRS) $(EXTLIBS) version.c
-
-
-# developer-only stuff
-l:
- $(MAKE) $(LIB) ARFLAGS=crv CFLAGS=-O
- $(RANLIB) $(LIB)
-
-t: $(LIB)
- ln -f -s ${SRCDIR}/atosubnet.c try.c
- ${CC} ${CFLAGS} -DATOSUBNET_MAIN try.c $(LIB) -o try
- ./try -r
- ln -f -s ${SRCDIR}/ttosubnet.c try1a.c
- ${CC} ${CFLAGS} -DTTOSUBNET_MAIN try1a.c $(LIB) -o try1a
- ./try1a -r
- ln -f -s ${SRCDIR}/ttodata.c try2.c
- ${CC} ${CFLAGS} -DTTODATA_MAIN try2.c $(LIB) -o try2
- ./try2 -r
- ln -f -s ${SRCDIR}/atoasr.c try3.c
- ${CC} ${CFLAGS} -DATOASR_MAIN try3.c $(LIB) -o try3
- ./try3 -r
- ln -f -s ${SRCDIR}/atosa.c try4.c
- ${CC} ${CFLAGS} -DATOSA_MAIN try4.c $(LIB) -o try4
- ./try4 -r
- ln -f -s ${SRCDIR}/ttosa.c try4a.c
- ${CC} ${CFLAGS} -DTTOSA_MAIN try4a.c $(LIB) -o try4a
- ./try4a -r
- ln -f -s ${SRCDIR}/rangetosubnet.c try6.c
- ${CC} ${CFLAGS} -DRANGETOSUBNET_MAIN try6.c $(LIB) -o try6
- ./try6 -r
- ln -f -s ${SRCDIR}/addrtot.c try7.c
- ${CC} ${CFLAGS} -DADDRTOT_MAIN try7.c $(LIB) -o try7
- ./try7 -r
-
-lt: $(LIB)
- $(MAKE) t
- cp optionsfrom.c try5.c
- cc -DTEST try5.c $(LIB) -o try5
- echo --foo --bar >try5in1
- echo --optionsfrom >>try5in1
- echo try5in2 >>try5in1
- echo --foo >try5in2
- ./try5 --foo --bar --optionsfrom try5in1 --bar something
-
-tar: clean
- tar -cvf /tmp/lib.tar Makefile [a-z]*
-
-check:
- echo no checks in lib right now.
-
-depend:
- makedepend -Y -- $(CFLAGS) -- $(SRCS)
-
-checkprograms:
-
-# DO NOT DELETE
-
diff --git a/lib/libipsecpolicy/.cvsignore b/lib/libipsecpolicy/.cvsignore
deleted file mode 100644
index 17435c875..000000000
--- a/lib/libipsecpolicy/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-version.c
diff --git a/lib/libipsecpolicy/Makefile b/lib/libipsecpolicy/Makefile
deleted file mode 100644
index a23fa5d04..000000000
--- a/lib/libipsecpolicy/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-# FreeS/WAN library
-# Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:24 as Exp $
-
-
-FREESWANSRCDIR=../..
-
-include ${FREESWANSRCDIR}/Makefile.inc
-include ${FREESWANSRCDIR}/Makefile.ver
-
-
-MANDIR=$(MANTREE)/man3
-
-SRCS=policyquery.c cgipolicy.c
-
-OBJS=${SRCS:.c=.o} version.o
-
-KLIPSD=${FREESWANSRCDIR}/linux/include
-
-LIB=libipsecpolicy.a
-# Original flags
-CFLAGS=-I. -I${KLIPSD} -I${FREESWANSRCDIR} $(USERCOMPILE)
-CFLAGS+= -Wall
-CFLAGS+= -Wpointer-arith
-CFLAGS+= -Wcast-qual
-CFLAGS+= -Wstrict-prototypes
-CFLAGS+= -Wbad-function-cast
-
-MANS=
-
-.PHONY: all install clean l t lt tar check depend checkprograms
-
-all: $(LIB)
-programs: $(LIB)
-
-install:
- @mkdir -p $(MANDIR)
- @for f in $(MANS) ; \
- do \
- $(INSTALL) $(INSTMANFLAGS) $(SRCDIR)/$$f $(MANDIR)/ipsec_$$f || exit 1 ; \
- done
- @$(FREESWANSRCDIR)/packaging/utils/manlink $(foreach man, $(MANS), ${SRCDIR}/$(man)) | \
- while read from to; \
- do \
- ln -s -f ipsec_$$from $(MANDIR)/$$to; \
- done
-
-
-install_file_list:
- @for f in $(MANS) ; \
- do \
- echo $(MANDIR)/ipsec_$$f;\
- done;
- @$(FREESWANSRCDIR)/packaging/utils/manlink $(foreach man, $(MANS), ${SRCDIR}/$(man)) | \
- while read from to; \
- do \
- echo $(MANDIR)/$$to; \
- done
-
-$(LIB): $(OBJS)
- $(AR) $(ARFLAGS) $(LIB) $(OBJS)
-
-$(OBJS): $(HDRS)
-
-# build version.c using version number from Makefile.ver
-version.c: version.in.c ${FREESWANSRCDIR}/Makefile.ver
- sed '/"/s/xxx/$(IPSECVERSION)/' version.in.c >$@
-
-clean:
- rm -f $(LIB) *.o try* core *.core $(EXTHDRS) $(EXTLIBS) version.c
-
-
-tar: clean
- tar -cvf /tmp/lib.tar Makefile [a-z]*
-
-check:
- echo no checks in lib right now.
-
-depend:
- makedepend -Y -- $(CFLAGS) -- $(SRCS)
-
-checkprograms:
-
-# DO NOT DELETE
-
diff --git a/lib/libipsecpolicy/cgipolicy.c b/lib/libipsecpolicy/cgipolicy.c
deleted file mode 100644
index d28243e85..000000000
--- a/lib/libipsecpolicy/cgipolicy.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/* routines that interface with pluto to get policy information
- * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: cgipolicy.c,v 1.1 2004/03/15 20:35:24 as Exp $
- */
-
-#include <stddef.h>
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <wait.h>
-#include <unistd.h>
-#include <fcntl.h>
-
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
-
-#include "libipsecpolicy.h"
-
-/*
- * this version is appropriate for when one is called from a perl CGI,
- * running under Apache. It extracts the appropriate things out of standard
- * CGI environment variables, namely:
- * $SERVER_ADDR us
- * $REMOTE_ADDR them
- */
-
-err_t ipsec_policy_cgilookup(struct ipsec_policy_cmd_query *result)
-{
- err_t ret;
- char *us, *them;
-
- /* clear it all out */
- memset(result, 0, sizeof(*result));
-
- /* setup it up */
- result->head.ipm_version = IPSEC_POLICY_MSG_REVISION;
- result->head.ipm_msg_len = sizeof(*result);
- result->head.ipm_msg_type = IPSEC_CMD_QUERY_HOSTPAIR;
- result->head.ipm_msg_seq = ipsec_policy_seq();
-
-
- us = getenv("SERVER_ADDR");
- them = getenv("REMOTE_ADDR");
- if(!us || !them) {
- return "$SERVER_ADDR and $REMOTE_ADDR must be set";
- }
-
- ret = ttoaddr(us, 0, AF_INET, &result->query_local);
- if(ret != NULL) {
- return ret;
- }
-
- ret = ttoaddr(them, 0, AF_INET, &result->query_remote);
- if(ret != NULL) {
- return ret;
- }
-
- return ipsec_policy_sendrecv((unsigned char *)result, sizeof(*result));
-}
-
diff --git a/lib/libipsecpolicy/libipsecpolicy.h b/lib/libipsecpolicy/libipsecpolicy.h
deleted file mode 100644
index 2c4ebdc0c..000000000
--- a/lib/libipsecpolicy/libipsecpolicy.h
+++ /dev/null
@@ -1,4 +0,0 @@
-
-extern u_int32_t ipsec_policy_seq(void);
-
-
diff --git a/lib/libipsecpolicy/policyquery.c b/lib/libipsecpolicy/policyquery.c
deleted file mode 100644
index 6555bdc08..000000000
--- a/lib/libipsecpolicy/policyquery.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/* routines that interface with pluto to get policy information
- * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: policyquery.c,v 1.1 2004/03/15 20:35:25 as Exp $
- */
-
-#include <stddef.h>
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <wait.h>
-#include <unistd.h>
-#include <fcntl.h>
-
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
-
-#include "libipsecpolicy.h"
-
-static int policy_query_socket = -1;
-static u_int32_t policy_seq = 1;
-
-u_int32_t ipsec_policy_seq(void)
-{
- return ++policy_seq;
-}
-
-err_t ipsec_policy_init(void)
-{
- struct sockaddr_un sn;
-
- if(policy_query_socket != -1) {
- return NULL;
- }
-
- policy_query_socket = socket(PF_UNIX, SOCK_STREAM, 0);
- if(policy_query_socket == -1) {
- return "failed to open policy socket";
- }
-
- /* now connect it */
- sn.sun_family = AF_UNIX;
- strcpy(sn.sun_path, IPSEC_POLICY_SOCKET);
-
- if(connect(policy_query_socket, (struct sockaddr *)&sn, sizeof(sn)) != 0) {
- int saveerrno = errno;
- close(policy_query_socket);
- policy_query_socket=-1;
- errno = saveerrno;
- return "failed to connect policy socket";
- }
-
- /* okay, I think we are done */
- return NULL;
-}
-
-err_t ipsec_policy_final(void)
-{
- if(policy_query_socket != -1) {
- close(policy_query_socket);
- policy_query_socket = -1;
- }
-
- return NULL;
-}
-
-err_t ipsec_policy_readmsg(int policysock,
- unsigned char *buf,
- size_t buflen)
-{
- struct ipsec_policy_msg_head ipmh;
-
- if(read(policysock, &ipmh, sizeof(ipmh))
- != sizeof(ipmh)) {
- return "read failed";
- }
-
- /* got the header, sanitize it, and find out how much more to read */
- switch(ipmh.ipm_version) {
- case IPSEC_POLICY_MSG_REVISION:
- break;
-
- default:
- /* XXX go deal with older versions, error for now */
- fprintf(stderr, "Bad magic header: %u\n", ipmh.ipm_version);
- return "bad policy msg version magic";
- }
-
- if(ipmh.ipm_msg_len > buflen) {
- return "buffer too small for this message";
- }
-
- buflen = ipmh.ipm_msg_len;
- memcpy(buf, &ipmh, sizeof(ipmh));
- buf += sizeof(ipmh);
- buflen -= sizeof(ipmh);
-
- if(read(policysock, buf, buflen) != buflen) {
- return "short read from socket";
- }
-
- return NULL;
-}
-
-err_t ipsec_policy_sendrecv(unsigned char *buf,
- size_t buflen)
-{
- err_t ret;
- ipsec_policy_init();
-
- if(write(policy_query_socket, buf, buflen)
- != buflen) {
- return "write failed";
- }
-
- ret = ipsec_policy_readmsg(policy_query_socket,
- buf, buflen);
-
- ipsec_policy_final();
-
- return ret;
-}
-
-
-err_t ipsec_policy_lookup(int fd, struct ipsec_policy_cmd_query *result)
-{
- int len;
-
- /* clear it out */
- memset(result, 0, sizeof(*result));
-
- /* setup it up */
- result->head.ipm_version = IPSEC_POLICY_MSG_REVISION;
- result->head.ipm_msg_len = sizeof(*result);
- result->head.ipm_msg_type = IPSEC_CMD_QUERY_HOSTPAIR;
- result->head.ipm_msg_seq = ipsec_policy_seq();
-
- /* suck out the data on the sockets */
- len = sizeof(result->query_local);
- if(getsockname(fd, (struct sockaddr *)&result->query_local, &len) != 0) {
- return "getsockname failed";
- }
-
- len = sizeof(result->query_remote);
- if(getpeername(fd, (struct sockaddr *)&result->query_remote, &len) != 0) {
- return "getpeername failed";
- }
-
- return ipsec_policy_sendrecv((unsigned char *)result, sizeof(*result));
-}
-
diff --git a/lib/libipsecpolicy/version.in.c b/lib/libipsecpolicy/version.in.c
deleted file mode 100644
index 304c58c0c..000000000
--- a/lib/libipsecpolicy/version.in.c
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * libipsecpolicy version information
- * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
- * License for more details.
- *
- * RCSID $Id: version.in.c,v 1.1 2004/03/15 20:35:25 as Exp $
- */
-
-#define V "xxx" /* substituted in by Makefile */
-static const char ipsecpolicy_number[] = V;
-static const char ipsecpolicy_string[] = "Linux FreeS/WAN policylib " V;
-
-/*
- - ipsec_version_code - return IPsec version number/code, as string
- */
-const char *
-ipsec_version_code(void)
-{
- return ipsecpolicy_number;
-}
-
-/*
- - ipsec_version_string - return full version string
- */
-const char *
-ipsec_version_string(void)
-{
- return ipsecpolicy_string;
-}
diff --git a/lib/liblwres/Makefile b/lib/liblwres/Makefile
deleted file mode 100644
index 84a7713ab..000000000
--- a/lib/liblwres/Makefile
+++ /dev/null
@@ -1,73 +0,0 @@
-# Copyright (C) 2000, 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile,v 1.1 2004/03/15 20:35:25 as Exp $
-
-srcdir = .
-VPATH = .
-top_srcdir = .
-
-CINCLUDES = -I${srcdir}/unix/include \
- -I. -I./include -I${srcdir}/include
-CDEFINES = -g
-CWARNINGS = -Werror
-
-CFLAGS=${CINCLUDES} ${CDEFINES} ${CWARNINGS}
-
-VERSION="@(\#) freeswan-hacking-9.2.1-for-fs2"
-LIBINTERFACE=2
-LIBREVISION=0
-LIBAGE=1
-RANLIB=ranlib
-
-# Alphabetically
-OBJS = async.o context.o gai_strerror.o getaddrinfo.o gethost.o \
- getipnode.o getnameinfo.o getrrset.o getrrset2.o herror.o \
- lwbuffer.o lwconfig.o lwpacket.o lwresutil.o \
- lwres_gabn.o lwres_gnba.o lwres_grbn.o lwres_noop.o \
- lwinetaton.o lwinetpton.o lwinetntop.o
-
-# Alphabetically
-SRCS = async.c context.c gai_strerror.c getaddrinfo.c gethost.c \
- getipnode.c getnameinfo.c getrrset.c getrrset2.c herror.c \
- lwbuffer.c lwconfig.c lwpacket.c lwresutil.c \
- lwres_gabn.c lwres_gnba.c lwres_grbn.c lwres_noop.c \
- lwinetaton.c lwinetpton.c lwinetntop.c
-
-programs all: liblwres.a
-
-version.o: version.c
- ${LIBTOOL} ${CC} ${ALL_CFLAGS} \
- -DVERSION=\"${VERSION}\" \
- -DLIBINTERFACE=${LIBINTERFACE} \
- -DLIBREVISION=${LIBREVISION} \
- -DLIBAGE=${LIBAGE} \
- -c ${srcdir}/version.c
-
-liblwres.a: ${OBJS} version.o
- ${AR} ${ARFLAGS} $@ ${OBJS} version.o
- ${RANLIB} $@
-
-timestamp: liblwres.a
- touch timestamp
-
-clean distclean mostlyclean realclean cleanall spotless::
- rm -f liblwres.a liblwres.la timestamp $(OBJS)
-
-install checkprograms check install_file_list:
- @true
-
-TAGS: ${SRCS}
- etags ${SRCS}
diff --git a/lib/liblwres/api b/lib/liblwres/api
deleted file mode 100644
index f86947031..000000000
--- a/lib/liblwres/api
+++ /dev/null
@@ -1,3 +0,0 @@
-LIBINTERFACE = 2
-LIBREVISION = 0
-LIBAGE = 1
diff --git a/lib/liblwres/assert_p.h b/lib/liblwres/assert_p.h
deleted file mode 100644
index 0c5718290..000000000
--- a/lib/liblwres/assert_p.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: assert_p.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_ASSERT_P_H
-#define LWRES_ASSERT_P_H 1
-
-#include <assert.h> /* Required for assert() prototype. */
-
-#define REQUIRE(x) assert(x)
-#define INSIST(x) assert(x)
-
-#define UNUSED(x) ((void)(x))
-
-#define SPACE_OK(b, s) (LWRES_BUFFER_AVAILABLECOUNT(b) >= (s))
-#define SPACE_REMAINING(b, s) (LWRES_BUFFER_REMAINING(b) >= (s))
-
-#endif /* LWRES_ASSERT_P_H */
diff --git a/lib/liblwres/async.c b/lib/liblwres/async.c
deleted file mode 100644
index b23596a70..000000000
--- a/lib/liblwres/async.c
+++ /dev/null
@@ -1,361 +0,0 @@
-/*
- * Copyright (C) 2003, Michael Richardson <mcr@freeswawn.org>
- * Derived from code: Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: async.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <config.h>
-
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/netdb.h> /* XXX #include <netdb.h> */
-#include <lwres/async.h>
-
-#include "assert_p.h"
-#include "context_p.h"
-
-/*
- * malloc / calloc functions that guarantee to only
- * return NULL if there is an error, like they used
- * to before the ANSI C committee broke them.
- */
-
-static void *
-sane_malloc(size_t size) {
- if (size == 0)
- size = 1;
- return (malloc(size));
-}
-
-static void *
-sane_calloc(size_t number, size_t size) {
- size_t len = number * size;
- void *mem = sane_malloc(len);
- if (mem != NULL)
- memset(mem, 0, len);
- return (mem);
-}
-
-int
-lwres_async_init(lwres_context_t **pctx)
-{
- lwres_result_t lwresult;
- lwres_context_t *ctx = NULL;
- int result;
-
- lwresult = lwres_context_create(&ctx, NULL, NULL, NULL, 0);
- if (lwresult != LWRES_R_SUCCESS) {
- result = lwresult_to_result(lwresult);
- return(result);
- }
- (void) lwres_conf_parse(ctx, lwres_resolv_conf);
-
- *pctx = ctx;
- return (ERRSET_SUCCESS);
-}
-
-int
-lwres_getrrsetbyname_init(const char *hostname, unsigned int rdclass,
- unsigned int rdtype, unsigned int flags,
- lwres_context_t *ctx,
- struct lwres_async_state *las)
-{
- lwres_result_t lwresult;
- unsigned int i;
- unsigned int lwflags;
- unsigned int result;
-
- int ret;
- lwres_lwpacket_t pkt;
- lwres_grbnrequest_t request;
- char target_name[1024];
- unsigned int target_length;
-
- int ret2;
-
- if (rdclass > 0xffff || rdtype > 0xffff) {
- result = ERRSET_INVAL;
- return result;
- }
-
- /*
- * Don't allow queries of class or type ANY
- */
- if (rdclass == 0xff || rdtype == 0xff) {
- result = ERRSET_INVAL;
- return result;
- }
-
- /*
- * If any input flags were defined, lwflags would be set here
- * based on them
- */
- UNUSED(flags);
- lwflags = 0;
-
- las->b_in.base = NULL;
- las->b_out.base = NULL;
- las->serial = lwres_context_nextserial(ctx);
- las->opcode = LWRES_OPCODE_GETRDATABYNAME;
-
- target_length = strlen(hostname);
- if (target_length >= sizeof(target_name))
- return (LWRES_R_FAILURE);
- strcpy(target_name, hostname); /* strcpy is safe */
-
- /*
- * Set up our request and render it to a buffer.
- */
- request.rdclass = rdclass;
- request.rdtype = rdtype;
- request.flags = lwflags;
- request.name = target_name;
- request.namelen = target_length;
- pkt.pktflags = 0;
- pkt.serial = las->serial;
- pkt.result = 0;
- pkt.recvlength = LWRES_RECVLENGTH;
-
- /* set up async system */
- las->next = ctx->pending;
- ctx->pending = las;
-
- ret = lwres_grbnrequest_render(ctx, &request, &pkt, &las->b_out);
-
- return ret;
-}
-
-int
-lwres_getrrsetbyname_xmit(lwres_context_t *ctx,
- struct lwres_async_state *las)
-{
- lwres_result_t lwresult;
- int ret;
-
- lwresult = lwres_context_send(ctx, las->b_out.base, las->b_out.length);
-
- return(lwresult_to_result(lwresult));
-}
-
-
-
-unsigned long
-lwres_async_timeout(lwres_context_t *ctx)
-{
- unsigned long tv_sec;
-
- /*
- * Type of tv_sec is long, so make sure the unsigned long timeout
- * does not overflow it.
- */
- if (ctx->timeout <= LONG_MAX)
- tv_sec = (long)ctx->timeout;
- else
- tv_sec = LONG_MAX;
-
- return tv_sec;
-}
-
-int
-lwres_async_fd(lwres_context_t *ctx)
-{
- return (ctx->sock);
-}
-
-
-/*
-const char *hostname, unsigned int rdclass,
- unsigned int rdtype, unsigned int flags,
-*/
-
-int
-lwres_getrrsetbyname_read(struct lwres_async_state **plas,
- lwres_context_t *ctx,
- struct rrsetinfo **res)
-{
- lwres_result_t lwresult;
- lwres_grbnresponse_t *response = NULL;
- char *buffer;
- struct rrsetinfo *rrset = NULL;
- int recvlen;
- int ret, result, i;
- lwres_buffer_t b_in;
- struct lwres_async_state *las;
- struct lwres_async_state **las_prev;
- lwres_lwpacket_t pkt;
-
- buffer = NULL;
- buffer = CTXMALLOC(LWRES_RECVLENGTH);
- if (buffer == NULL) {
- return ERRSET_NOMEMORY;
- }
-
- ret = LWRES_R_SUCCESS;
- lwresult = lwres_context_recv(ctx, buffer, LWRES_RECVLENGTH, &recvlen);
- if (lwresult == LWRES_R_RETRY) {
- ret = LWRES_R_RETRY;
- goto out;
- }
-
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- lwres_buffer_init(&b_in, buffer, recvlen);
- b_in.used = recvlen;
-
- /*
- * Parse the packet header.
- */
- ret = lwres_lwpacket_parseheader(&b_in, &pkt);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- /*
- * find an appropriate waiting las entry. This is a linear search.
- * we can do MUCH better, since we control the serial number!
- * do that later.
- */
- las_prev = &ctx->pending;
- las = ctx->pending;
- while(las && las->serial != pkt.serial) {
- las_prev=&las->next;
- las=las->next;
- }
-
- if(las == NULL) {
- /* no matching serial number! */
- return(LWRES_R_RETRY);
- }
-
- /* okay, remove it from the receive queue */
- *las_prev = las->next;
- las->next = NULL;
-
- *plas = las;
-
- /*
- * Free what we've transmitted, long ago.
- */
- CTXFREE(las->b_out.base, las->b_out.length);
- las->b_out.base = NULL;
- las->b_out.length = 0;
-
- if (pkt.result != LWRES_R_SUCCESS) {
- ret = pkt.result;
- goto out;
- }
-
- /*
- * Parse the response.
- */
- ret = lwres_grbnresponse_parse(ctx, &b_in, &pkt, &response);
- if (ret != LWRES_R_SUCCESS) {
- out:
- if (buffer != NULL)
- CTXFREE(buffer, LWRES_RECVLENGTH);
- if (response != NULL)
- lwres_grbnresponse_free(ctx, &response);
- result = lwresult_to_result(ret);
- goto fail;
- }
-
- response->base = buffer;
- response->baselen = LWRES_RECVLENGTH;
- buffer = NULL; /* don't free this below */
-
- lwresult = LWRES_R_SUCCESS;
-
- rrset = sane_malloc(sizeof(struct rrsetinfo));
- if (rrset == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- rrset->rri_name = NULL;
- rrset->rri_rdclass = response->rdclass;
- rrset->rri_rdtype = response->rdtype;
- rrset->rri_ttl = response->ttl;
- rrset->rri_flags = 0;
- rrset->rri_nrdatas = 0;
- rrset->rri_rdatas = NULL;
- rrset->rri_nsigs = 0;
- rrset->rri_sigs = NULL;
-
- rrset->rri_name = sane_malloc(response->realnamelen + 1);
- if (rrset->rri_name == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- strncpy(rrset->rri_name, response->realname, response->realnamelen);
- rrset->rri_name[response->realnamelen] = 0;
-
- if ((response->flags & LWRDATA_VALIDATED) != 0)
- rrset->rri_flags |= RRSET_VALIDATED;
-
- rrset->rri_nrdatas = response->nrdatas;
- rrset->rri_rdatas = sane_calloc(rrset->rri_nrdatas,
- sizeof(struct rdatainfo));
- if (rrset->rri_rdatas == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- for (i = 0; i < rrset->rri_nrdatas; i++) {
- rrset->rri_rdatas[i].rdi_length = response->rdatalen[i];
- rrset->rri_rdatas[i].rdi_data =
- sane_malloc(rrset->rri_rdatas[i].rdi_length);
- if (rrset->rri_rdatas[i].rdi_data == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- memcpy(rrset->rri_rdatas[i].rdi_data, response->rdatas[i],
- rrset->rri_rdatas[i].rdi_length);
- }
- rrset->rri_nsigs = response->nsigs;
- rrset->rri_sigs = sane_calloc(rrset->rri_nsigs,
- sizeof(struct rdatainfo));
- if (rrset->rri_sigs == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- for (i = 0; i < rrset->rri_nsigs; i++) {
- rrset->rri_sigs[i].rdi_length = response->siglen[i];
- rrset->rri_sigs[i].rdi_data =
- sane_malloc(rrset->rri_sigs[i].rdi_length);
- if (rrset->rri_sigs[i].rdi_data == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- memcpy(rrset->rri_sigs[i].rdi_data, response->sigs[i],
- rrset->rri_sigs[i].rdi_length);
- }
-
- lwres_grbnresponse_free(ctx, &response);
-
- *res = rrset;
- return (ERRSET_SUCCESS);
- fail:
- if (rrset != NULL)
- lwres_freerrset(rrset);
- if (response != NULL)
- lwres_grbnresponse_free(ctx, &response);
- return (result);
-
-}
-
diff --git a/lib/liblwres/context.c b/lib/liblwres/context.c
deleted file mode 100644
index 40f8f3e3d..000000000
--- a/lib/liblwres/context.c
+++ /dev/null
@@ -1,380 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: context.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <config.h>
-
-#include <fcntl.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <unistd.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/platform.h>
-
-#ifdef LWRES_PLATFORM_NEEDSYSSELECTH
-#include <sys/select.h>
-#endif
-
-#include "context_p.h"
-#include "assert_p.h"
-
-/*
- * Some systems define the socket length argument as an int, some as size_t,
- * some as socklen_t. The last is what the current POSIX standard mandates.
- * This definition is here so it can be portable but easily changed if needed.
- */
-#ifndef LWRES_SOCKADDR_LEN_T
-#define LWRES_SOCKADDR_LEN_T unsigned int
-#endif
-
-/*
- * Make a socket nonblocking.
- */
-#ifndef MAKE_NONBLOCKING
-#define MAKE_NONBLOCKING(sd, retval) \
-do { \
- retval = fcntl(sd, F_GETFL, 0); \
- if (retval != -1) { \
- retval |= O_NONBLOCK; \
- retval = fcntl(sd, F_SETFL, retval); \
- } \
-} while (0)
-#endif
-
-lwres_uint16_t lwres_udp_port = LWRES_UDP_PORT;
-const char *lwres_resolv_conf = LWRES_RESOLV_CONF;
-
-static void *
-lwres_malloc(void *, size_t);
-
-static void
-lwres_free(void *, void *, size_t);
-
-static lwres_result_t
-context_connect(lwres_context_t *);
-
-lwres_result_t
-lwres_context_create(lwres_context_t **contextp, void *arg,
- lwres_malloc_t malloc_function,
- lwres_free_t free_function,
- unsigned int flags)
-{
- lwres_context_t *ctx;
-
- REQUIRE(contextp != NULL && *contextp == NULL);
- UNUSED(flags);
-
- /*
- * If we were not given anything special to use, use our own
- * functions. These are just wrappers around malloc() and free().
- */
- if (malloc_function == NULL || free_function == NULL) {
- REQUIRE(malloc_function == NULL);
- REQUIRE(free_function == NULL);
- malloc_function = lwres_malloc;
- free_function = lwres_free;
- }
-
- ctx = malloc_function(arg, sizeof(lwres_context_t));
- if (ctx == NULL)
- return (LWRES_R_NOMEMORY);
-
- /*
- * Set up the context.
- */
- ctx->malloc = malloc_function;
- ctx->free = free_function;
- ctx->arg = arg;
- ctx->sock = -1;
-
- ctx->timeout = LWRES_DEFAULT_TIMEOUT;
- ctx->serial = time(NULL); /* XXXMLG or BEW */
-
- /*
- * Init resolv.conf bits.
- */
- lwres_conf_init(ctx);
-
- *contextp = ctx;
- return (LWRES_R_SUCCESS);
-}
-
-void
-lwres_context_destroy(lwres_context_t **contextp) {
- lwres_context_t *ctx;
-
- REQUIRE(contextp != NULL && *contextp != NULL);
-
- ctx = *contextp;
- *contextp = NULL;
-
- if (ctx->sock != -1) {
- close(ctx->sock);
- ctx->sock = -1;
- }
-
- CTXFREE(ctx, sizeof(lwres_context_t));
-}
-
-lwres_uint32_t
-lwres_context_nextserial(lwres_context_t *ctx) {
- REQUIRE(ctx != NULL);
-
- return (ctx->serial++);
-}
-
-void
-lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial) {
- REQUIRE(ctx != NULL);
-
- ctx->serial = serial;
-}
-
-void
-lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len) {
- REQUIRE(mem != NULL);
- REQUIRE(len != 0);
-
- CTXFREE(mem, len);
-}
-
-void *
-lwres_context_allocmem(lwres_context_t *ctx, size_t len) {
- REQUIRE(len != 0);
-
- return (CTXMALLOC(len));
-}
-
-static void *
-lwres_malloc(void *arg, size_t len) {
- void *mem;
-
- UNUSED(arg);
-
- mem = malloc(len);
- if (mem == NULL)
- return (NULL);
-
- memset(mem, 0xe5, len);
-
- return (mem);
-}
-
-static void
-lwres_free(void *arg, void *mem, size_t len) {
- UNUSED(arg);
-
- memset(mem, 0xa9, len);
- free(mem);
-}
-
-static lwres_result_t
-context_connect(lwres_context_t *ctx) {
- int s;
- int ret;
- struct sockaddr_in sin;
- struct sockaddr_in6 sin6;
- struct sockaddr *sa;
- LWRES_SOCKADDR_LEN_T salen;
- int domain;
-
- if (ctx->confdata.lwnext != 0) {
- memcpy(&ctx->address, &ctx->confdata.lwservers[0],
- sizeof(lwres_addr_t));
- LWRES_LINK_INIT(&ctx->address, link);
- } else {
- /* The default is the IPv4 loopback address 127.0.0.1. */
- memset(&ctx->address, 0, sizeof(ctx->address));
- ctx->address.family = LWRES_ADDRTYPE_V4;
- ctx->address.length = 4;
- ctx->address.address[0] = 127;
- ctx->address.address[1] = 0;
- ctx->address.address[2] = 0;
- ctx->address.address[3] = 1;
- }
-
- if (ctx->address.family == LWRES_ADDRTYPE_V4) {
- memcpy(&sin.sin_addr, ctx->address.address,
- sizeof(sin.sin_addr));
- sin.sin_port = htons(lwres_udp_port);
- sin.sin_family = AF_INET;
- sa = (struct sockaddr *)&sin;
- salen = sizeof(sin);
- domain = PF_INET;
- } else if (ctx->address.family == LWRES_ADDRTYPE_V6) {
- memcpy(&sin6.sin6_addr, ctx->address.address,
- sizeof(sin6.sin6_addr));
- sin6.sin6_port = htons(lwres_udp_port);
- sin6.sin6_family = AF_INET6;
- sa = (struct sockaddr *)&sin6;
- salen = sizeof(sin6);
- domain = PF_INET6;
- } else
- return (LWRES_R_IOERROR);
-
- s = socket(domain, SOCK_DGRAM, IPPROTO_UDP);
- if (s < 0)
- return (LWRES_R_IOERROR);
-
- ret = connect(s, sa, salen);
- if (ret != 0) {
- close(s);
- return (LWRES_R_IOERROR);
- }
-
- MAKE_NONBLOCKING(s, ret);
- if (ret < 0)
- return (LWRES_R_IOERROR);
-
- ctx->sock = s;
-
- return (LWRES_R_SUCCESS);
-}
-
-int
-lwres_context_getsocket(lwres_context_t *ctx) {
- return (ctx->sock);
-}
-
-lwres_result_t
-lwres_context_send(lwres_context_t *ctx,
- void *sendbase, int sendlen) {
- int ret;
- lwres_result_t lwresult;
-
- if (ctx->sock == -1) {
- lwresult = context_connect(ctx);
- if (lwresult != LWRES_R_SUCCESS)
- return (lwresult);
- }
-
- ret = sendto(ctx->sock, sendbase, sendlen, 0, NULL, 0);
- if (ret < 0)
- return (LWRES_R_IOERROR);
- if (ret != sendlen)
- return (LWRES_R_IOERROR);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_context_recv(lwres_context_t *ctx,
- void *recvbase, int recvlen,
- int *recvd_len)
-{
- LWRES_SOCKADDR_LEN_T fromlen;
- struct sockaddr_in sin;
- struct sockaddr_in6 sin6;
- struct sockaddr *sa;
- int ret;
-
- if (ctx->address.family == LWRES_ADDRTYPE_V4) {
- sa = (struct sockaddr *)&sin;
- fromlen = sizeof(sin);
- } else {
- sa = (struct sockaddr *)&sin6;
- fromlen = sizeof(sin6);
- }
-
- /*
- * The address of fromlen is cast to void * to shut up compiler
- * warnings, namely on systems that have the sixth parameter
- * prototyped as a signed int when LWRES_SOCKADDR_LEN_T is
- * defined as unsigned.
- */
- ret = recvfrom(ctx->sock, recvbase, recvlen, 0, sa, (void *)&fromlen);
-
- if (ret < 0)
- return (LWRES_R_IOERROR);
-
- if (ret == recvlen)
- return (LWRES_R_TOOLARGE);
-
- /*
- * If we got something other than what we expect, have the caller
- * wait for another packet. This can happen if an old result
- * comes in, or if someone is sending us random stuff.
- */
- if (ctx->address.family == LWRES_ADDRTYPE_V4) {
- if (fromlen != sizeof(sin)
- || memcmp(&sin.sin_addr, ctx->address.address,
- sizeof(sin.sin_addr)) != 0
- || sin.sin_port != htons(lwres_udp_port))
- return (LWRES_R_RETRY);
- } else {
- if (fromlen != sizeof(sin6)
- || memcmp(&sin6.sin6_addr, ctx->address.address,
- sizeof(sin6.sin6_addr)) != 0
- || sin6.sin6_port != htons(lwres_udp_port))
- return (LWRES_R_RETRY);
- }
-
- if (recvd_len != NULL)
- *recvd_len = ret;
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_context_sendrecv(lwres_context_t *ctx,
- void *sendbase, int sendlen,
- void *recvbase, int recvlen,
- int *recvd_len)
-{
- lwres_result_t result;
- int ret2;
- fd_set readfds;
- struct timeval timeout;
-
- /*
- * Type of tv_sec is long, so make sure the unsigned long timeout
- * does not overflow it.
- */
- if (ctx->timeout <= LONG_MAX)
- timeout.tv_sec = (long)ctx->timeout;
- else
- timeout.tv_sec = LONG_MAX;
-
- timeout.tv_usec = 0;
-
- result = lwres_context_send(ctx, sendbase, sendlen);
- if (result != LWRES_R_SUCCESS)
- return (result);
- again:
- FD_ZERO(&readfds);
- FD_SET(ctx->sock, &readfds);
- ret2 = select(ctx->sock + 1, &readfds, NULL, NULL, &timeout);
-
- /*
- * What happened with select?
- */
- if (ret2 < 0)
- return (LWRES_R_IOERROR);
- if (ret2 == 0)
- return (LWRES_R_TIMEOUT);
-
- result = lwres_context_recv(ctx, recvbase, recvlen, recvd_len);
- if (result == LWRES_R_RETRY)
- goto again;
-
- return (result);
-}
diff --git a/lib/liblwres/context_p.h b/lib/liblwres/context_p.h
deleted file mode 100644
index 52dd870e1..000000000
--- a/lib/liblwres/context_p.h
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: context_p.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_CONTEXT_P_H
-#define LWRES_CONTEXT_P_H 1
-
-/*
- * Helper functions, assuming the context is always called "ctx" in
- * the scope these functions are called from.
- */
-#define CTXMALLOC(len) ctx->malloc(ctx->arg, (len))
-#define CTXFREE(addr, len) ctx->free(ctx->arg, (addr), (len))
-
-#define LWRES_DEFAULT_TIMEOUT 120 /* 120 seconds for a reply */
-
-/*
- * Not all the attributes here are actually settable by the application at
- * this time.
- */
-struct lwres_context {
- unsigned int timeout; /* time to wait for reply */
- lwres_uint32_t serial; /* serial number state */
-
- /*
- * For network I/O.
- */
- int sock; /* socket to send on */
- lwres_addr_t address; /* address to send to */
-
- /*
- * Function pointers for allocating memory.
- */
- lwres_malloc_t malloc;
- lwres_free_t free;
- void *arg;
-
- /*
- * resolv.conf-like data
- */
- lwres_conf_t confdata;
-
- /* linked list of outstanding DNS requests */
- struct lwres_async_state *pending;
-};
-
-#endif /* LWRES_CONTEXT_P_H */
-
-/*
- * Local Variables:
- * c-basic-offset: 8
- * End Variables:
- */
diff --git a/lib/liblwres/gai_strerror.c b/lib/liblwres/gai_strerror.c
deleted file mode 100644
index 913b5139f..000000000
--- a/lib/liblwres/gai_strerror.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gai_strerror.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <lwres/netdb.h>
-
-static const char *gai_messages[] = {
- "no error",
- "address family for hostname not supported",
- "temporary failure in name resolution",
- "invalid value for ai_flags",
- "non-recoverable failure in name resolution",
- "ai_family not supported",
- "memory allocation failure",
- "no address associated with hostname",
- "hostname nor servname provided, or not known",
- "servname not supported for ai_socktype",
- "ai_socktype not supported",
- "system error returned in errno",
- "bad hints",
- "bad protocol"
-};
-
-char *
-lwres_gai_strerror(int ecode) {
- union {
- const char *const_ptr;
- char *deconst_ptr;
- } ptr;
-
- if ((ecode < 0) ||
- (ecode >= (int)(sizeof(gai_messages)/sizeof(*gai_messages))))
- ptr.const_ptr = "invalid error code";
- else
- ptr.const_ptr = gai_messages[ecode];
- return (ptr.deconst_ptr);
-}
diff --git a/lib/liblwres/getaddrinfo.c b/lib/liblwres/getaddrinfo.c
deleted file mode 100644
index 06cb39ffc..000000000
--- a/lib/liblwres/getaddrinfo.c
+++ /dev/null
@@ -1,692 +0,0 @@
-/*
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * This code is derived from software contributed to Internet Software
- * Consortium by Berkeley Software Design, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND
- * BERKELEY SOFTWARE DESIGN, INC DISCLAIM ALL WARRANTIES WITH REGARD TO
- * THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
- * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR BERKELEY
- * SOFTWARE DESIGN, INC BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
- * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
- * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
- * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getaddrinfo.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <config.h>
-
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/netdb.h>
-
-#define SA(addr) ((struct sockaddr *)(addr))
-#define SIN(addr) ((struct sockaddr_in *)(addr))
-#define SIN6(addr) ((struct sockaddr_in6 *)(addr))
-#define SUN(addr) ((struct sockaddr_un *)(addr))
-
-static struct addrinfo
- *ai_reverse(struct addrinfo *oai),
- *ai_clone(struct addrinfo *oai, int family),
- *ai_alloc(int family, int addrlen);
-#ifdef AF_LOCAL
-static int get_local(const char *name, int socktype, struct addrinfo **res);
-#endif
-
-static int add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
- int socktype, int port);
-static int add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
- int socktype, int port);
-static void set_order(int, int (**)(const char *, int, struct addrinfo **,
- int, int));
-
-#define FOUND_IPV4 0x1
-#define FOUND_IPV6 0x2
-#define FOUND_MAX 2
-
-#define ISC_AI_MASK (AI_PASSIVE|AI_CANONNAME|AI_NUMERICHOST)
-
-int
-lwres_getaddrinfo(const char *hostname, const char *servname,
- const struct addrinfo *hints, struct addrinfo **res)
-{
- struct servent *sp;
- const char *proto;
- int family, socktype, flags, protocol;
- struct addrinfo *ai, *ai_list;
- int port, err, i;
- int (*net_order[FOUND_MAX+1])(const char *, int, struct addrinfo **,
- int, int);
-
- if (hostname == NULL && servname == NULL)
- return (EAI_NONAME);
-
- proto = NULL;
- if (hints != NULL) {
- if ((hints->ai_flags & ~(ISC_AI_MASK)) != 0)
- return (EAI_BADFLAGS);
- if (hints->ai_addrlen || hints->ai_canonname ||
- hints->ai_addr || hints->ai_next) {
- errno = EINVAL;
- return (EAI_SYSTEM);
- }
- family = hints->ai_family;
- socktype = hints->ai_socktype;
- protocol = hints->ai_protocol;
- flags = hints->ai_flags;
- switch (family) {
- case AF_UNSPEC:
- switch (hints->ai_socktype) {
- case SOCK_STREAM:
- proto = "tcp";
- break;
- case SOCK_DGRAM:
- proto = "udp";
- break;
- }
- break;
- case AF_INET:
- case AF_INET6:
- switch (hints->ai_socktype) {
- case 0:
- break;
- case SOCK_STREAM:
- proto = "tcp";
- break;
- case SOCK_DGRAM:
- proto = "udp";
- break;
- case SOCK_RAW:
- break;
- default:
- return (EAI_SOCKTYPE);
- }
- break;
-#ifdef AF_LOCAL
- case AF_LOCAL:
- switch (hints->ai_socktype) {
- case 0:
- break;
- case SOCK_STREAM:
- break;
- case SOCK_DGRAM:
- break;
- default:
- return (EAI_SOCKTYPE);
- }
- break;
-#endif
- default:
- return (EAI_FAMILY);
- }
- } else {
- protocol = 0;
- family = 0;
- socktype = 0;
- flags = 0;
- }
-
-#ifdef AF_LOCAL
- /*
- * First, deal with AF_LOCAL. If the family was not set,
- * then assume AF_LOCAL if the first character of the
- * hostname/servname is '/'.
- */
-
- if (hostname != NULL &&
- (family == AF_LOCAL || (family == 0 && *hostname == '/')))
- return (get_local(hostname, socktype, res));
-
- if (servname != NULL &&
- (family == AF_LOCAL || (family == 0 && *servname == '/')))
- return (get_local(servname, socktype, res));
-#endif
-
- /*
- * Ok, only AF_INET and AF_INET6 left.
- */
- ai_list = NULL;
-
- /*
- * First, look up the service name (port) if it was
- * requested. If the socket type wasn't specified, then
- * try and figure it out.
- */
- if (servname != NULL) {
- char *e;
-
- port = strtol(servname, &e, 10);
- if (*e == '\0') {
- if (socktype == 0)
- return (EAI_SOCKTYPE);
- if (port < 0 || port > 65535)
- return (EAI_SERVICE);
- port = htons((unsigned short) port);
- } else {
- sp = getservbyname(servname, proto);
- if (sp == NULL)
- return (EAI_SERVICE);
- port = sp->s_port;
- if (socktype == 0) {
- if (strcmp(sp->s_proto, "tcp") == 0)
- socktype = SOCK_STREAM;
- else if (strcmp(sp->s_proto, "udp") == 0)
- socktype = SOCK_DGRAM;
- }
- }
- } else
- port = 0;
-
- /*
- * Next, deal with just a service name, and no hostname.
- * (we verified that one of them was non-null up above).
- */
- if (hostname == NULL && (flags & AI_PASSIVE) != 0) {
- if (family == AF_INET || family == 0) {
- ai = ai_alloc(AF_INET, sizeof(struct sockaddr_in));
- if (ai == NULL)
- return (EAI_MEMORY);
- ai->ai_socktype = socktype;
- ai->ai_protocol = protocol;
- SIN(ai->ai_addr)->sin_port = port;
- ai->ai_next = ai_list;
- ai_list = ai;
- }
-
- if (family == AF_INET6 || family == 0) {
- ai = ai_alloc(AF_INET6, sizeof(struct sockaddr_in6));
- if (ai == NULL) {
- lwres_freeaddrinfo(ai_list);
- return (EAI_MEMORY);
- }
- ai->ai_socktype = socktype;
- ai->ai_protocol = protocol;
- SIN6(ai->ai_addr)->sin6_port = port;
- ai->ai_next = ai_list;
- ai_list = ai;
- }
-
- *res = ai_list;
- return (0);
- }
-
- /*
- * If the family isn't specified or AI_NUMERICHOST specified,
- * check first to see if it is a numeric address.
- * Though the gethostbyname2() routine
- * will recognize numeric addresses, it will only recognize
- * the format that it is being called for. Thus, a numeric
- * AF_INET address will be treated by the AF_INET6 call as
- * a domain name, and vice versa. Checking for both numerics
- * here avoids that.
- */
- if (hostname != NULL &&
- (family == 0 || (flags & AI_NUMERICHOST) != 0)) {
- char abuf[sizeof(struct in6_addr)];
- char nbuf[NI_MAXHOST];
- int addrsize, addroff;
-#ifdef LWRES_HAVE_SIN6_SCOPE_ID
- char *p, *ep;
- char ntmp[NI_MAXHOST];
- lwres_uint32_t scopeid;
-#endif
-
-#ifdef LWRES_HAVE_SIN6_SCOPE_ID
- /*
- * Scope identifier portion.
- */
- ntmp[0] = '\0';
- if (strchr(hostname, '%') != NULL) {
- strncpy(ntmp, hostname, sizeof(ntmp) - 1);
- ntmp[sizeof(ntmp) - 1] = '\0';
- p = strchr(ntmp, '%');
- ep = NULL;
-
- /*
- * Vendors may want to support non-numeric
- * scopeid around here.
- */
-
- if (p != NULL)
- scopeid = (lwres_uint32_t)strtoul(p + 1,
- &ep, 10);
- if (p != NULL && ep != NULL && ep[0] == '\0')
- *p = '\0';
- else {
- ntmp[0] = '\0';
- scopeid = 0;
- }
- } else
- scopeid = 0;
-#endif
-
- if (lwres_net_pton(AF_INET, hostname, (struct in_addr *)abuf)
- == 1)
- {
- if (family == AF_INET6) {
- /*
- * Convert to a V4 mapped address.
- */
- struct in6_addr *a6 = (struct in6_addr *)abuf;
- memcpy(&a6->s6_addr[12], &a6->s6_addr[0], 4);
- memset(&a6->s6_addr[10], 0xff, 2);
- memset(&a6->s6_addr[0], 0, 10);
- goto inet6_addr;
- }
- addrsize = sizeof(struct in_addr);
- addroff = (char *)(&SIN(0)->sin_addr) - (char *)0;
- family = AF_INET;
- goto common;
-#ifdef LWRES_HAVE_SIN6_SCOPE_ID
- } else if (ntmp[0] != '\0' &&
- lwres_net_pton(AF_INET6, ntmp, abuf) == 1)
- {
- if (family && family != AF_INET6)
- return (EAI_NONAME);
- addrsize = sizeof(struct in6_addr);
- addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0;
- family = AF_INET6;
- goto common;
-#endif
- } else if (lwres_net_pton(AF_INET6, hostname, abuf) == 1) {
- if (family != 0 && family != AF_INET6)
- return (EAI_NONAME);
- inet6_addr:
- addrsize = sizeof(struct in6_addr);
- addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0;
- family = AF_INET6;
-
- common:
- ai = ai_clone(ai_list, family);
- if (ai == NULL)
- return (EAI_MEMORY);
- ai_list = ai;
- ai->ai_socktype = socktype;
- SIN(ai->ai_addr)->sin_port = port;
- memcpy((char *)ai->ai_addr + addroff, abuf, addrsize);
- if (flags & AI_CANONNAME) {
-#if defined(LWRES_HAVE_SIN6_SCOPE_ID)
- if (ai->ai_family == AF_INET6)
- SIN6(ai->ai_addr)->sin6_scope_id =
- scopeid;
-#endif
- if (lwres_getnameinfo(ai->ai_addr,
- ai->ai_addrlen, nbuf, sizeof(nbuf),
- NULL, 0,
- NI_NUMERICHOST) == 0) {
- ai->ai_canonname = strdup(nbuf);
- if (ai->ai_canonname == NULL)
- return (EAI_MEMORY);
- } else {
- /* XXX raise error? */
- ai->ai_canonname = NULL;
- }
- }
- goto done;
- } else if ((flags & AI_NUMERICHOST) != 0) {
- return (EAI_NONAME);
- }
- }
-
- set_order(family, net_order);
- for (i = 0; i < FOUND_MAX; i++) {
- if (net_order[i] == NULL)
- break;
- err = (net_order[i])(hostname, flags, &ai_list,
- socktype, port);
- if (err != 0)
- return (err);
- }
-
- if (ai_list == NULL)
- return (EAI_NODATA);
-
-done:
- ai_list = ai_reverse(ai_list);
-
- *res = ai_list;
- return (0);
-}
-
-static char *
-lwres_strsep(char **stringp, const char *delim) {
- char *string = *stringp;
- char *s;
- const char *d;
- char sc, dc;
-
- if (string == NULL)
- return (NULL);
-
- for (s = string; *s != '\0'; s++) {
- sc = *s;
- for (d = delim; (dc = *d) != '\0'; d++)
- if (sc == dc) {
- *s++ = '\0';
- *stringp = s;
- return (string);
- }
- }
- *stringp = NULL;
- return (string);
-}
-
-static void
-set_order(int family, int (**net_order)(const char *, int, struct addrinfo **,
- int, int))
-{
- char *order, *tok;
- int found;
-
- if (family) {
- switch (family) {
- case AF_INET:
- *net_order++ = add_ipv4;
- break;
- case AF_INET6:
- *net_order++ = add_ipv6;
- break;
- }
- } else {
- order = getenv("NET_ORDER");
- found = 0;
- while (order != NULL) {
- /*
- * We ignore any unknown names.
- */
- tok = lwres_strsep(&order, ":");
- if (strcasecmp(tok, "inet6") == 0) {
- if ((found & FOUND_IPV6) == 0)
- *net_order++ = add_ipv6;
- found |= FOUND_IPV6;
- } else if (strcasecmp(tok, "inet") == 0 ||
- strcasecmp(tok, "inet4") == 0) {
- if ((found & FOUND_IPV4) == 0)
- *net_order++ = add_ipv4;
- found |= FOUND_IPV4;
- }
- }
-
- /*
- * Add in anything that we didn't find.
- */
- if ((found & FOUND_IPV4) == 0)
- *net_order++ = add_ipv4;
- if ((found & FOUND_IPV6) == 0)
- *net_order++ = add_ipv6;
- }
- *net_order = NULL;
- return;
-}
-
-static char v4_loop[4] = { 127, 0, 0, 1 };
-
-/*
- * The test against 0 is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define ERR(code) \
- do { result = (code); \
- if (result != 0) goto cleanup; \
- } while (0)
-
-static int
-add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
- int socktype, int port)
-{
- struct addrinfo *ai;
- lwres_context_t *lwrctx = NULL;
- lwres_gabnresponse_t *by = NULL;
- lwres_addr_t *addr;
- lwres_result_t lwres;
- int result = 0;
-
- lwres = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
- if (lwres != LWRES_R_SUCCESS)
- ERR(EAI_FAIL);
- (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
- if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
- ai = ai_clone(*aip, AF_INET);
- if (ai == NULL) {
- lwres_freeaddrinfo(*aip);
- ERR(EAI_MEMORY);
- }
-
- *aip = ai;
- ai->ai_socktype = socktype;
- SIN(ai->ai_addr)->sin_port = port;
- memcpy(&SIN(ai->ai_addr)->sin_addr, v4_loop, 4);
- } else {
- lwres = lwres_getaddrsbyname(lwrctx, hostname,
- LWRES_ADDRTYPE_V4, &by);
- if (lwres != LWRES_R_SUCCESS) {
- if (lwres == LWRES_R_NOTFOUND)
- goto cleanup;
- else
- ERR(EAI_FAIL);
- }
- addr = LWRES_LIST_HEAD(by->addrs);
- while (addr != NULL) {
- ai = ai_clone(*aip, AF_INET);
- if (ai == NULL) {
- lwres_freeaddrinfo(*aip);
- ERR(EAI_MEMORY);
- }
- *aip = ai;
- ai->ai_socktype = socktype;
- SIN(ai->ai_addr)->sin_port = port;
- memcpy(&SIN(ai->ai_addr)->sin_addr,
- addr->address, 4);
- if (flags & AI_CANONNAME) {
- ai->ai_canonname = strdup(by->realname);
- if (ai->ai_canonname == NULL)
- ERR(EAI_MEMORY);
- }
- addr = LWRES_LIST_NEXT(addr, link);
- }
- }
- cleanup:
- if (by != NULL)
- lwres_gabnresponse_free(lwrctx, &by);
- if (lwrctx != NULL) {
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- }
- return (result);
-}
-
-static char v6_loop[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
-
-static int
-add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
- int socktype, int port)
-{
- struct addrinfo *ai;
- lwres_context_t *lwrctx = NULL;
- lwres_gabnresponse_t *by = NULL;
- lwres_addr_t *addr;
- lwres_result_t lwres;
- int result = 0;
-
- lwres = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
- if (lwres != LWRES_R_SUCCESS)
- ERR(EAI_FAIL);
- (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
-
- if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
- ai = ai_clone(*aip, AF_INET6);
- if (ai == NULL) {
- lwres_freeaddrinfo(*aip);
- ERR(EAI_MEMORY);
- }
-
- *aip = ai;
- ai->ai_socktype = socktype;
- SIN6(ai->ai_addr)->sin6_port = port;
- memcpy(&SIN6(ai->ai_addr)->sin6_addr, v6_loop, 16);
- } else {
- lwres = lwres_getaddrsbyname(lwrctx, hostname,
- LWRES_ADDRTYPE_V6, &by);
- if (lwres != LWRES_R_SUCCESS) {
- if (lwres == LWRES_R_NOTFOUND)
- goto cleanup;
- else
- ERR(EAI_FAIL);
- }
- addr = LWRES_LIST_HEAD(by->addrs);
- while (addr != NULL) {
- ai = ai_clone(*aip, AF_INET6);
- if (ai == NULL) {
- lwres_freeaddrinfo(*aip);
- ERR(EAI_MEMORY);
- }
- *aip = ai;
- ai->ai_socktype = socktype;
- SIN6(ai->ai_addr)->sin6_port = port;
- memcpy(&SIN6(ai->ai_addr)->sin6_addr,
- addr->address, 16);
- if (flags & AI_CANONNAME) {
- ai->ai_canonname = strdup(by->realname);
- if (ai->ai_canonname == NULL)
- ERR(EAI_MEMORY);
- }
- addr = LWRES_LIST_NEXT(addr, link);
- }
- }
- cleanup:
- if (by != NULL)
- lwres_gabnresponse_free(lwrctx, &by);
- if (lwrctx != NULL) {
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- }
- return (result);
-}
-
-void
-lwres_freeaddrinfo(struct addrinfo *ai) {
- struct addrinfo *ai_next;
-
- while (ai != NULL) {
- ai_next = ai->ai_next;
- if (ai->ai_addr != NULL)
- free(ai->ai_addr);
- if (ai->ai_canonname)
- free(ai->ai_canonname);
- free(ai);
- ai = ai_next;
- }
-}
-
-#ifdef AF_LOCAL
-static int
-get_local(const char *name, int socktype, struct addrinfo **res) {
- struct addrinfo *ai;
- struct sockaddr_un *sun;
-
- if (socktype == 0)
- return (EAI_SOCKTYPE);
-
- ai = ai_alloc(AF_LOCAL, sizeof(*sun));
- if (ai == NULL)
- return (EAI_MEMORY);
-
- sun = SUN(ai->ai_addr);
- strncpy(sun->sun_path, name, sizeof(sun->sun_path));
-
- ai->ai_socktype = socktype;
- /*
- * ai->ai_flags, ai->ai_protocol, ai->ai_canonname,
- * and ai->ai_next were initialized to zero.
- */
-
- *res = ai;
- return (0);
-}
-#endif
-
-/*
- * Allocate an addrinfo structure, and a sockaddr structure
- * of the specificed length. We initialize:
- * ai_addrlen
- * ai_family
- * ai_addr
- * ai_addr->sa_family
- * ai_addr->sa_len (LWRES_PLATFORM_HAVESALEN)
- * and everything else is initialized to zero.
- */
-static struct addrinfo *
-ai_alloc(int family, int addrlen) {
- struct addrinfo *ai;
-
- ai = (struct addrinfo *)calloc(1, sizeof(*ai));
- if (ai == NULL)
- return (NULL);
-
- ai->ai_addr = SA(calloc(1, addrlen));
- if (ai->ai_addr == NULL) {
- free(ai);
- return (NULL);
- }
- ai->ai_addrlen = addrlen;
- ai->ai_family = family;
- ai->ai_addr->sa_family = family;
-#ifdef LWRES_PLATFORM_HAVESALEN
- ai->ai_addr->sa_len = addrlen;
-#endif
- return (ai);
-}
-
-static struct addrinfo *
-ai_clone(struct addrinfo *oai, int family) {
- struct addrinfo *ai;
-
- ai = ai_alloc(family, ((family == AF_INET6) ?
- sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in)));
-
- if (ai == NULL) {
- lwres_freeaddrinfo(oai);
- return (NULL);
- }
- if (oai == NULL)
- return (ai);
-
- ai->ai_flags = oai->ai_flags;
- ai->ai_socktype = oai->ai_socktype;
- ai->ai_protocol = oai->ai_protocol;
- ai->ai_canonname = NULL;
- ai->ai_next = oai;
- return (ai);
-}
-
-static struct addrinfo *
-ai_reverse(struct addrinfo *oai) {
- struct addrinfo *nai, *tai;
-
- nai = NULL;
-
- while (oai != NULL) {
- /*
- * Grab one off the old list.
- */
- tai = oai;
- oai = oai->ai_next;
- /*
- * Put it on the front of the new list.
- */
- tai->ai_next = nai;
- nai = tai;
- }
- return (nai);
-}
diff --git a/lib/liblwres/gethost.c b/lib/liblwres/gethost.c
deleted file mode 100644
index 32c8359b4..000000000
--- a/lib/liblwres/gethost.c
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gethost.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <config.h>
-
-#include <errno.h>
-#include <string.h>
-
-#include <lwres/net.h>
-#include <lwres/netdb.h>
-
-#include "assert_p.h"
-
-#define LWRES_ALIGNBYTES (sizeof(char *) - 1)
-#define LWRES_ALIGN(p) \
- (((unsigned long)(p) + LWRES_ALIGNBYTES) &~ LWRES_ALIGNBYTES)
-
-static struct hostent *he = NULL;
-static int copytobuf(struct hostent *, struct hostent *, char *, int);
-
-struct hostent *
-lwres_gethostbyname(const char *name) {
-
- if (he != NULL)
- lwres_freehostent(he);
-
- he = lwres_getipnodebyname(name, AF_INET, 0, &lwres_h_errno);
- return (he);
-}
-
-struct hostent *
-lwres_gethostbyname2(const char *name, int af) {
- if (he != NULL)
- lwres_freehostent(he);
-
- he = lwres_getipnodebyname(name, af, 0, &lwres_h_errno);
- return (he);
-}
-
-struct hostent *
-lwres_gethostbyaddr(const char *addr, int len, int type) {
-
- if (he != NULL)
- lwres_freehostent(he);
-
- he = lwres_getipnodebyaddr(addr, len, type, &lwres_h_errno);
- return (he);
-}
-
-struct hostent *
-lwres_gethostent(void) {
- if (he != NULL)
- lwres_freehostent(he);
-
- return (NULL);
-}
-
-void
-lwres_sethostent(int stayopen) {
- /*
- * Empty.
- */
- UNUSED(stayopen);
-}
-
-void
-lwres_endhostent(void) {
- /*
- * Empty.
- */
-}
-
-struct hostent *
-lwres_gethostbyname_r(const char *name, struct hostent *resbuf,
- char *buf, int buflen, int *error)
-{
- struct hostent *he;
- int res;
-
- he = lwres_getipnodebyname(name, AF_INET, 0, error);
- if (he == NULL)
- return (NULL);
- res = copytobuf(he, resbuf, buf, buflen);
- lwres_freehostent(he);
- if (res != 0) {
- errno = ERANGE;
- return (NULL);
- }
- return (resbuf);
-}
-
-struct hostent *
-lwres_gethostbyaddr_r(const char *addr, int len, int type,
- struct hostent *resbuf, char *buf, int buflen,
- int *error)
-{
- struct hostent *he;
- int res;
-
- he = lwres_getipnodebyaddr(addr, len, type, error);
- if (he == NULL)
- return (NULL);
- res = copytobuf(he, resbuf, buf, buflen);
- lwres_freehostent(he);
- if (res != 0) {
- errno = ERANGE;
- return (NULL);
- }
- return (resbuf);
-}
-
-struct hostent *
-lwres_gethostent_r(struct hostent *resbuf, char *buf, int buflen, int *error) {
- UNUSED(resbuf);
- UNUSED(buf);
- UNUSED(buflen);
- *error = 0;
- return (NULL);
-}
-
-void
-lwres_sethostent_r(int stayopen) {
- /*
- * Empty.
- */
- UNUSED(stayopen);
-}
-
-void
-lwres_endhostent_r(void) {
- /*
- * Empty.
- */
-}
-
-static int
-copytobuf(struct hostent *he, struct hostent *hptr, char *buf, int buflen) {
- char *cp;
- char **ptr;
- int i, n;
- int nptr, len;
-
- /*
- * Find out the amount of space required to store the answer.
- */
- nptr = 2; /* NULL ptrs */
- len = (char *)LWRES_ALIGN(buf) - buf;
- for (i = 0; he->h_addr_list[i]; i++, nptr++) {
- len += he->h_length;
- }
- for (i = 0; he->h_aliases[i]; i++, nptr++) {
- len += strlen(he->h_aliases[i]) + 1;
- }
- len += strlen(he->h_name) + 1;
- len += nptr * sizeof(char*);
-
- if (len > buflen) {
- return (-1);
- }
-
- /*
- * Copy address size and type.
- */
- hptr->h_addrtype = he->h_addrtype;
- n = hptr->h_length = he->h_length;
-
- ptr = (char **)LWRES_ALIGN(buf);
- cp = (char *)LWRES_ALIGN(buf) + nptr * sizeof(char *);
-
- /*
- * Copy address list.
- */
- hptr->h_addr_list = ptr;
- for (i = 0; he->h_addr_list[i]; i++, ptr++) {
- memcpy(cp, he->h_addr_list[i], n);
- hptr->h_addr_list[i] = cp;
- cp += n;
- }
- hptr->h_addr_list[i] = NULL;
- ptr++;
-
- /*
- * Copy official name.
- */
- n = strlen(he->h_name) + 1;
- strcpy(cp, he->h_name);
- hptr->h_name = cp;
- cp += n;
-
- /*
- * Copy aliases.
- */
- hptr->h_aliases = ptr;
- for (i = 0; he->h_aliases[i]; i++) {
- n = strlen(he->h_aliases[i]) + 1;
- strcpy(cp, he->h_aliases[i]);
- hptr->h_aliases[i] = cp;
- cp += n;
- }
- hptr->h_aliases[i] = NULL;
-
- return (0);
-}
diff --git a/lib/liblwres/getipnode.c b/lib/liblwres/getipnode.c
deleted file mode 100644
index 94882cbe4..000000000
--- a/lib/liblwres/getipnode.c
+++ /dev/null
@@ -1,839 +0,0 @@
-/*
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getipnode.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/netdb.h> /* XXX #include <netdb.h> */
-
-#include "assert_p.h"
-
-#ifndef INADDRSZ
-#define INADDRSZ 4
-#endif
-#ifndef IN6ADDRSZ
-#define IN6ADDRSZ 16
-#endif
-
-#ifdef LWRES_PLATFORM_NEEDIN6ADDRANY
-LIBLWRES_EXTERNAL_DATA const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
-#endif
-
-#ifndef IN6_IS_ADDR_V4COMPAT
-static const unsigned char in6addr_compat[12] = {
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-#define IN6_IS_ADDR_V4COMPAT(x) (!memcmp((x)->s6_addr, in6addr_compat, 12) && \
- ((x)->s6_addr[12] != 0 || \
- (x)->s6_addr[13] != 0 || \
- (x)->s6_addr[14] != 0 || \
- ((x)->s6_addr[15] != 0 && \
- (x)->s6_addr[15] != 1)))
-#endif
-#ifndef IN6_IS_ADDR_V4MAPPED
-#define IN6_IS_ADDR_V4MAPPED(x) (!memcmp((x)->s6_addr, in6addr_mapped, 12))
-#endif
-
-static const unsigned char in6addr_mapped[12] = {
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff
-};
-
-/***
- *** Forward declarations.
- ***/
-
-static int
-scan_interfaces(int *, int *);
-
-static struct hostent *
-copyandmerge(struct hostent *, struct hostent *, int, int *);
-
-static struct hostent *
-hostfromaddr(lwres_gnbaresponse_t *addr, int af, const void *src);
-
-static struct hostent *
-hostfromname(lwres_gabnresponse_t *name, int af);
-
-/***
- *** Public functions.
- ***/
-
-/*
- * AI_V4MAPPED + AF_INET6
- * If no IPv6 address then a query for IPv4 and map returned values.
- *
- * AI_ALL + AI_V4MAPPED + AF_INET6
- * Return IPv6 and IPv4 mapped.
- *
- * AI_ADDRCONFIG
- * Only return IPv6 / IPv4 address if there is an interface of that
- * type active.
- */
-
-struct hostent *
-lwres_getipnodebyname(const char *name, int af, int flags, int *error_num) {
- int have_v4 = 1, have_v6 = 1;
- struct in_addr in4;
- struct in6_addr in6;
- struct hostent he, *he1 = NULL, *he2 = NULL, *he3 = NULL;
- int v4 = 0, v6 = 0;
- int tmp_err;
- lwres_context_t *lwrctx = NULL;
- lwres_gabnresponse_t *by = NULL;
- int n;
-
- /*
- * If we care about active interfaces then check.
- */
- if ((flags & AI_ADDRCONFIG) != 0)
- if (scan_interfaces(&have_v4, &have_v6) == -1) {
- *error_num = NO_RECOVERY;
- return (NULL);
- }
-
- /* Check for literal address. */
- if ((v4 = lwres_net_pton(AF_INET, name, &in4)) != 1)
- v6 = lwres_net_pton(AF_INET6, name, &in6);
-
- /*
- * Impossible combination?
- */
- if ((af == AF_INET6 && (flags & AI_V4MAPPED) == 0 && v4 == 1) ||
- (af == AF_INET && v6 == 1) ||
- (have_v4 == 0 && v4 == 1) ||
- (have_v6 == 0 && v6 == 1) ||
- (have_v4 == 0 && af == AF_INET) ||
- (have_v6 == 0 && af == AF_INET6 &&
- (((flags & AI_V4MAPPED) != 0 && have_v4) ||
- (flags & AI_V4MAPPED) == 0))) {
- *error_num = HOST_NOT_FOUND;
- return (NULL);
- }
-
- /*
- * Literal address?
- */
- if (v4 == 1 || v6 == 1) {
- char *addr_list[2];
- char *aliases[1];
- union {
- const char *const_name;
- char *deconst_name;
- } u;
-
- u.const_name = name;
- he.h_name = u.deconst_name;
- he.h_addr_list = addr_list;
- he.h_addr_list[0] = (v4 == 1) ? (char *)&in4 : (char *)&in6;
- he.h_addr_list[1] = NULL;
- he.h_aliases = aliases;
- he.h_aliases[0] = NULL;
- he.h_length = (v4 == 1) ? INADDRSZ : IN6ADDRSZ;
- he.h_addrtype = (v4 == 1) ? AF_INET : AF_INET6;
- return (copyandmerge(&he, NULL, af, error_num));
- }
-
- n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
- if (n != 0) {
- *error_num = NO_RECOVERY;
- goto cleanup;
- }
- (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
- tmp_err = NO_RECOVERY;
- if (have_v6 && af == AF_INET6) {
-
- n = lwres_getaddrsbyname(lwrctx, name, LWRES_ADDRTYPE_V6, &by);
- if (n == 0) {
- he1 = hostfromname(by, AF_INET6);
- lwres_gabnresponse_free(lwrctx, &by);
- if (he1 == NULL) {
- *error_num = NO_RECOVERY;
- goto cleanup;
- }
- } else {
- tmp_err = HOST_NOT_FOUND;
- }
- }
-
- if (have_v4 &&
- ((af == AF_INET) ||
- (af == AF_INET6 && (flags & AI_V4MAPPED) != 0 &&
- (he1 == NULL || (flags & AI_ALL) != 0)))) {
- n = lwres_getaddrsbyname(lwrctx, name, LWRES_ADDRTYPE_V4, &by);
- if (n == 0) {
- he2 = hostfromname(by, AF_INET);
- lwres_gabnresponse_free(lwrctx, &by);
- if (he2 == NULL) {
- *error_num = NO_RECOVERY;
- goto cleanup;
- }
- } else if (he1 == NULL) {
- if (n == LWRES_R_NOTFOUND)
- *error_num = HOST_NOT_FOUND;
- else
- *error_num = NO_RECOVERY;
- goto cleanup;
- }
- } else
- *error_num = tmp_err;
-
- he3 = copyandmerge(he1, he2, af, error_num);
-
- cleanup:
- if (he1 != NULL)
- lwres_freehostent(he1);
- if (he2 != NULL)
- lwres_freehostent(he2);
- if (lwrctx != NULL) {
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- }
- return (he3);
-}
-
-struct hostent *
-lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num) {
- struct hostent *he1, *he2;
- lwres_context_t *lwrctx = NULL;
- lwres_gnbaresponse_t *by = NULL;
- lwres_result_t n;
- union {
- const void *konst;
- struct in6_addr *in6;
- } u;
-
- /*
- * Sanity checks.
- */
- if (src == NULL) {
- *error_num = NO_RECOVERY;
- return (NULL);
- }
-
- switch (af) {
- case AF_INET:
- if (len != INADDRSZ) {
- *error_num = NO_RECOVERY;
- return (NULL);
- }
- break;
- case AF_INET6:
- if (len != IN6ADDRSZ) {
- *error_num = NO_RECOVERY;
- return (NULL);
- }
- break;
- default:
- *error_num = NO_RECOVERY;
- return (NULL);
- }
-
- /*
- * The de-"const"-ing game is done because at least one
- * vendor's system (RedHat 6.0) defines the IN6_IS_ADDR_*
- * macros in such a way that they discard the const with
- * internal casting, and gcc ends up complaining. Rather
- * than replacing their own (possibly optimized) definitions
- * with our own, cleanly discarding the const is the easiest
- * thing to do.
- */
- u.konst = src;
-
- /*
- * Look up IPv4 and IPv4 mapped/compatible addresses.
- */
- if ((af == AF_INET6 && IN6_IS_ADDR_V4COMPAT(u.in6)) ||
- (af == AF_INET6 && IN6_IS_ADDR_V4MAPPED(u.in6)) ||
- (af == AF_INET)) {
- const unsigned char *cp = src;
-
- if (af == AF_INET6)
- cp += 12;
- n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
- if (n == LWRES_R_SUCCESS)
- (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
- if (n == LWRES_R_SUCCESS)
- n = lwres_getnamebyaddr(lwrctx, LWRES_ADDRTYPE_V4,
- INADDRSZ, cp, &by);
- if (n != LWRES_R_SUCCESS) {
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- if (n == LWRES_R_NOTFOUND)
- *error_num = HOST_NOT_FOUND;
- else
- *error_num = NO_RECOVERY;
- return (NULL);
- }
- he1 = hostfromaddr(by, AF_INET, cp);
- lwres_gnbaresponse_free(lwrctx, &by);
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- if (af != AF_INET6)
- return (he1);
-
- /*
- * Convert from AF_INET to AF_INET6.
- */
- he2 = copyandmerge(he1, NULL, af, error_num);
- lwres_freehostent(he1);
- if (he2 == NULL)
- return (NULL);
- /*
- * Restore original address.
- */
- memcpy(he2->h_addr, src, len);
- return (he2);
- }
-
- /*
- * Lookup IPv6 address.
- */
- if (memcmp(src, &in6addr_any, IN6ADDRSZ) == 0) {
- *error_num = HOST_NOT_FOUND;
- return (NULL);
- }
-
- n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
- if (n == LWRES_R_SUCCESS)
- (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
- if (n == LWRES_R_SUCCESS)
- n = lwres_getnamebyaddr(lwrctx, LWRES_ADDRTYPE_V6, IN6ADDRSZ,
- src, &by);
- if (n != 0) {
- *error_num = HOST_NOT_FOUND;
- return (NULL);
- }
- he1 = hostfromaddr(by, AF_INET6, src);
- lwres_gnbaresponse_free(lwrctx, &by);
- if (he1 == NULL)
- *error_num = NO_RECOVERY;
- lwres_context_destroy(&lwrctx);
- return (he1);
-}
-
-void
-lwres_freehostent(struct hostent *he) {
- char **cpp;
- int names = 1;
- int addresses = 1;
-
- free(he->h_name);
-
- cpp = he->h_addr_list;
- while (*cpp != NULL) {
- free(*cpp);
- *cpp = NULL;
- cpp++;
- addresses++;
- }
-
- cpp = he->h_aliases;
- while (*cpp != NULL) {
- free(*cpp);
- cpp++;
- names++;
- }
-
- free(he->h_aliases);
- free(he->h_addr_list);
- free(he);
-}
-
-/*
- * Private
- */
-
-/*
- * Scan the interface table and set have_v4 and have_v6 depending
- * upon whether there are IPv4 and IPv6 interface addresses.
- *
- * Returns:
- * 0 on success
- * -1 on failure.
- */
-
-static int
-scan_interfaces(int *have_v4, int *have_v6) {
-#if 1
- *have_v4 = *have_v6 = 1;
- return (0);
-#else
- struct ifconf ifc;
- struct ifreq ifreq;
- struct in_addr in4;
- struct in6_addr in6;
- char *buf = NULL, *cp, *cplim;
- static int bufsiz = 4095;
- int s, cpsize, n;
-
- /*
- * Set to zero. Used as loop terminators below.
- */
- *have_v4 = *have_v6 = 0;
-
- /*
- * Get interface list from system.
- */
- if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
- goto err_ret;
-
- /*
- * Grow buffer until large enough to contain all interface
- * descriptions.
- */
- for (;;) {
- buf = malloc(bufsiz);
- if (buf == NULL)
- goto err_ret;
- ifc.ifc_len = bufsiz;
- ifc.ifc_buf = buf;
-#ifdef IRIX_EMUL_IOCTL_SIOCGIFCONF
- /*
- * This is a fix for IRIX OS in which the call to ioctl with
- * the flag SIOCGIFCONF may not return an entry for all the
- * interfaces like most flavors of Unix.
- */
- if (emul_ioctl(&ifc) >= 0)
- break;
-#else
- if ((n = ioctl(s, SIOCGIFCONF, (char *)&ifc)) != -1) {
- /*
- * Some OS's just return what will fit rather
- * than set EINVAL if the buffer is too small
- * to fit all the interfaces in. If
- * ifc.ifc_len is too near to the end of the
- * buffer we will grow it just in case and
- * retry.
- */
- if (ifc.ifc_len + 2 * sizeof(ifreq) < bufsiz)
- break;
- }
-#endif
- if ((n == -1) && errno != EINVAL)
- goto err_ret;
-
- if (bufsiz > 1000000)
- goto err_ret;
-
- free(buf);
- bufsiz += 4096;
- }
-
- /*
- * Parse system's interface list.
- */
- cplim = buf + ifc.ifc_len; /* skip over if's with big ifr_addr's */
- for (cp = buf;
- (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
- cp += cpsize) {
- memcpy(&ifreq, cp, sizeof ifreq);
-#ifdef LWRES_PLATFORM_HAVESALEN
-#ifdef FIX_ZERO_SA_LEN
- if (ifreq.ifr_addr.sa_len == 0)
- ifreq.ifr_addr.sa_len = IN6ADDRSZ;
-#endif
-#ifdef HAVE_MINIMUM_IFREQ
- cpsize = sizeof ifreq;
- if (ifreq.ifr_addr.sa_len > sizeof (struct sockaddr))
- cpsize += (int)ifreq.ifr_addr.sa_len -
- (int)(sizeof(struct sockaddr));
-#else
- cpsize = sizeof ifreq.ifr_name + ifreq.ifr_addr.sa_len;
-#endif /* HAVE_MINIMUM_IFREQ */
-#elif defined SIOCGIFCONF_ADDR
- cpsize = sizeof ifreq;
-#else
- cpsize = sizeof ifreq.ifr_name;
- /* XXX maybe this should be a hard error? */
- if (ioctl(s, SIOCGIFADDR, (char *)&ifreq) < 0)
- continue;
-#endif /* LWRES_PLATFORM_HAVESALEN */
- switch (ifreq.ifr_addr.sa_family) {
- case AF_INET:
- if (*have_v4 == 0) {
- memcpy(&in4,
- &((struct sockaddr_in *)
- &ifreq.ifr_addr)->sin_addr,
- sizeof(in4));
- if (in4.s_addr == INADDR_ANY)
- break;
- n = ioctl(s, SIOCGIFFLAGS, (char *)&ifreq);
- if (n < 0)
- break;
- if ((ifreq.ifr_flags & IFF_UP) == 0)
- break;
- *have_v4 = 1;
- }
- break;
- case AF_INET6:
- if (*have_v6 == 0) {
- memcpy(&in6,
- &((struct sockaddr_in6 *)
- &ifreq.ifr_addr)->sin6_addr,
- sizeof(in6));
- if (memcmp(&in6, &in6addr_any,
- sizeof(in6)) == 0)
- break;
- n = ioctl(s, SIOCGIFFLAGS, (char *)&ifreq);
- if (n < 0)
- break;
- if ((ifreq.ifr_flags & IFF_UP) == 0)
- break;
- *have_v6 = 1;
- }
- break;
- }
- }
- if (buf != NULL)
- free(buf);
- close(s);
- return (0);
- err_ret:
- if (buf != NULL)
- free(buf);
- if (s != -1)
- close(s);
- return (-1);
-#endif
-}
-
-static struct hostent *
-copyandmerge(struct hostent *he1, struct hostent *he2, int af, int *error_num)
-{
- struct hostent *he = NULL;
- int addresses = 1; /* NULL terminator */
- int names = 1; /* NULL terminator */
- int len = 0;
- char **cpp, **npp;
-
- /*
- * Work out array sizes.
- */
- if (he1 != NULL) {
- cpp = he1->h_addr_list;
- while (*cpp != NULL) {
- addresses++;
- cpp++;
- }
- cpp = he1->h_aliases;
- while (*cpp != NULL) {
- names++;
- cpp++;
- }
- }
-
- if (he2 != NULL) {
- cpp = he2->h_addr_list;
- while (*cpp != NULL) {
- addresses++;
- cpp++;
- }
- if (he1 == NULL) {
- cpp = he2->h_aliases;
- while (*cpp != NULL) {
- names++;
- cpp++;
- }
- }
- }
-
- if (addresses == 1) {
- *error_num = NO_ADDRESS;
- return (NULL);
- }
-
- he = malloc(sizeof *he);
- if (he == NULL)
- goto no_recovery;
-
- he->h_addr_list = malloc(sizeof(char *) * (addresses));
- if (he->h_addr_list == NULL)
- goto cleanup0;
- memset(he->h_addr_list, 0, sizeof(char *) * (addresses));
-
- /*
- * Copy addresses.
- */
- npp = he->h_addr_list;
- if (he1 != NULL) {
- cpp = he1->h_addr_list;
- while (*cpp != NULL) {
- *npp = malloc((af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
- if (*npp == NULL)
- goto cleanup1;
- /*
- * Convert to mapped if required.
- */
- if (af == AF_INET6 && he1->h_addrtype == AF_INET) {
- memcpy(*npp, in6addr_mapped,
- sizeof in6addr_mapped);
- memcpy(*npp + sizeof in6addr_mapped, *cpp,
- INADDRSZ);
- } else {
- memcpy(*npp, *cpp,
- (af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
- }
- cpp++;
- npp++;
- }
- }
-
- if (he2 != NULL) {
- cpp = he2->h_addr_list;
- while (*cpp != NULL) {
- *npp = malloc((af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
- if (*npp == NULL)
- goto cleanup1;
- /*
- * Convert to mapped if required.
- */
- if (af == AF_INET6 && he2->h_addrtype == AF_INET) {
- memcpy(*npp, in6addr_mapped,
- sizeof in6addr_mapped);
- memcpy(*npp + sizeof in6addr_mapped, *cpp,
- INADDRSZ);
- } else {
- memcpy(*npp, *cpp,
- (af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
- }
- cpp++;
- npp++;
- }
- }
-
- he->h_aliases = malloc(sizeof(char *) * (names));
- if (he->h_aliases == NULL)
- goto cleanup1;
- memset(he->h_aliases, 0, sizeof(char *) * (names));
-
- /*
- * Copy aliases.
- */
- npp = he->h_aliases;
- cpp = (he1 != NULL) ? he1->h_aliases : he2->h_aliases;
- while (*cpp != NULL) {
- len = strlen (*cpp) + 1;
- *npp = malloc(len);
- if (*npp == NULL)
- goto cleanup2;
- strcpy(*npp, *cpp);
- npp++;
- cpp++;
- }
-
- /*
- * Copy hostname.
- */
- he->h_name = malloc(strlen((he1 != NULL) ?
- he1->h_name : he2->h_name) + 1);
- if (he->h_name == NULL)
- goto cleanup2;
- strcpy(he->h_name, (he1 != NULL) ? he1->h_name : he2->h_name);
-
- /*
- * Set address type and length.
- */
- he->h_addrtype = af;
- he->h_length = (af == AF_INET) ? INADDRSZ : IN6ADDRSZ;
- return (he);
-
- cleanup2:
- cpp = he->h_aliases;
- while (*cpp != NULL) {
- free(*cpp);
- cpp++;
- }
- free(he->h_aliases);
-
- cleanup1:
- cpp = he->h_addr_list;
- while (*cpp != NULL) {
- free(*cpp);
- *cpp = NULL;
- cpp++;
- }
- free(he->h_addr_list);
-
- cleanup0:
- free(he);
-
- no_recovery:
- *error_num = NO_RECOVERY;
- return (NULL);
-}
-
-static struct hostent *
-hostfromaddr(lwres_gnbaresponse_t *addr, int af, const void *src) {
- struct hostent *he;
- int i;
-
- he = malloc(sizeof *he);
- if (he == NULL)
- goto cleanup;
- memset(he, 0, sizeof(*he));
-
- /*
- * Set family and length.
- */
- he->h_addrtype = af;
- switch (af) {
- case AF_INET:
- he->h_length = INADDRSZ;
- break;
- case AF_INET6:
- he->h_length = IN6ADDRSZ;
- break;
- default:
- INSIST(0);
- }
-
- /*
- * Copy name.
- */
- he->h_name = strdup(addr->realname);
- if (he->h_name == NULL)
- goto cleanup;
-
- /*
- * Copy aliases.
- */
- he->h_aliases = malloc(sizeof(char *) * (addr->naliases + 1));
- if (he->h_aliases == NULL)
- goto cleanup;
- for (i = 0 ; i < addr->naliases; i++) {
- he->h_aliases[i] = strdup(addr->aliases[i]);
- if (he->h_aliases[i] == NULL)
- goto cleanup;
- }
- he->h_aliases[i] = NULL;
-
- /*
- * Copy address.
- */
- he->h_addr_list = malloc(sizeof(char *) * 2);
- if (he->h_addr_list == NULL)
- goto cleanup;
- he->h_addr_list[0] = malloc(he->h_length);
- if (he->h_addr_list[0] == NULL)
- goto cleanup;
- memcpy(he->h_addr_list[0], src, he->h_length);
- he->h_addr_list[1] = NULL;
- return (he);
-
- cleanup:
- if (he != NULL && he->h_addr_list != NULL) {
- for (i = 0; he->h_addr_list[i] != NULL; i++)
- free(he->h_addr_list[i]);
- free(he->h_addr_list);
- }
- if (he != NULL && he->h_aliases != NULL) {
- for (i = 0; he->h_aliases[i] != NULL; i++)
- free(he->h_aliases[i]);
- free(he->h_aliases);
- }
- if (he != NULL && he->h_name != NULL)
- free(he->h_name);
- if (he != NULL)
- free(he);
- return (NULL);
-}
-
-static struct hostent *
-hostfromname(lwres_gabnresponse_t *name, int af) {
- struct hostent *he;
- int i;
- lwres_addr_t *addr;
-
- he = malloc(sizeof *he);
- if (he == NULL)
- goto cleanup;
- memset(he, 0, sizeof(*he));
-
- /*
- * Set family and length.
- */
- he->h_addrtype = af;
- switch (af) {
- case AF_INET:
- he->h_length = INADDRSZ;
- break;
- case AF_INET6:
- he->h_length = IN6ADDRSZ;
- break;
- default:
- INSIST(0);
- }
-
- /*
- * Copy name.
- */
- he->h_name = strdup(name->realname);
- if (he->h_name == NULL)
- goto cleanup;
-
- /*
- * Copy aliases.
- */
- he->h_aliases = malloc(sizeof(char *) * (name->naliases + 1));
- for (i = 0 ; i < name->naliases; i++) {
- he->h_aliases[i] = strdup(name->aliases[i]);
- if (he->h_aliases[i] == NULL)
- goto cleanup;
- }
- he->h_aliases[i] = NULL;
-
- /*
- * Copy addresses.
- */
- he->h_addr_list = malloc(sizeof(char *) * (name->naddrs + 1));
- addr = LWRES_LIST_HEAD(name->addrs);
- i = 0;
- while (addr != NULL) {
- he->h_addr_list[i] = malloc(he->h_length);
- if (he->h_addr_list[i] == NULL)
- goto cleanup;
- memcpy(he->h_addr_list[i], addr->address, he->h_length);
- addr = LWRES_LIST_NEXT(addr, link);
- i++;
- }
- he->h_addr_list[i] = NULL;
- return (he);
-
- cleanup:
- if (he != NULL && he->h_addr_list != NULL) {
- for (i = 0; he->h_addr_list[i] != NULL; i++)
- free(he->h_addr_list[i]);
- free(he->h_addr_list);
- }
- if (he != NULL && he->h_aliases != NULL) {
- for (i = 0; he->h_aliases[i] != NULL; i++)
- free(he->h_aliases[i]);
- free(he->h_aliases);
- }
- if (he != NULL && he->h_name != NULL)
- free(he->h_name);
- if (he != NULL)
- free(he);
- return (NULL);
-}
diff --git a/lib/liblwres/getnameinfo.c b/lib/liblwres/getnameinfo.c
deleted file mode 100644
index 36eea3180..000000000
--- a/lib/liblwres/getnameinfo.c
+++ /dev/null
@@ -1,289 +0,0 @@
-/*
- * Portions Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getnameinfo.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by WIDE Project and
- * its contributors.
- * 4. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * XXX
- * Issues to be discussed:
- * - Return values. There seems to be no standard for return value (RFC2553)
- * but INRIA implementation returns EAI_xxx defined for getaddrinfo().
- */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <string.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/netdb.h>
-
-#include "assert_p.h"
-
-#define SUCCESS 0
-
-static struct afd {
- int a_af;
- size_t a_addrlen;
- size_t a_socklen;
-} afdl [] = {
- /*
- * First entry is linked last...
- */
- { AF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in) },
- { AF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6) },
- {0, 0, 0},
-};
-
-#define ENI_NOSERVNAME 1
-#define ENI_NOHOSTNAME 2
-#define ENI_MEMORY 3
-#define ENI_SYSTEM 4
-#define ENI_FAMILY 5
-#define ENI_SALEN 6
-#define ENI_NOSOCKET 7
-
-/*
- * The test against 0 is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define ERR(code) \
- do { result = (code); \
- if (result != 0) goto cleanup; \
- } while (0)
-
-int
-lwres_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
- size_t hostlen, char *serv, size_t servlen, int flags)
-{
- struct afd *afd;
- struct servent *sp;
- unsigned short port;
-#ifdef LWRES_PLATFORM_HAVESALEN
- size_t len;
-#endif
- int family, i;
- const void *addr;
- char *p;
-#if 0
- unsigned long v4a;
- unsigned char pfx;
-#endif
- char numserv[sizeof("65000")];
- char numaddr[sizeof("abcd:abcd:abcd:abcd:abcd:abcd:255.255.255.255")
- + 1 + sizeof("4294967295")];
- const char *proto;
- lwres_uint32_t lwf = 0;
- lwres_context_t *lwrctx = NULL;
- lwres_gnbaresponse_t *by = NULL;
- int result = SUCCESS;
- int n;
-
- if (sa == NULL)
- ERR(ENI_NOSOCKET);
-
-#ifdef LWRES_PLATFORM_HAVESALEN
- len = sa->sa_len;
- if (len != salen)
- ERR(ENI_SALEN);
-#endif
-
- family = sa->sa_family;
- for (i = 0; afdl[i].a_af; i++)
- if (afdl[i].a_af == family) {
- afd = &afdl[i];
- goto found;
- }
- ERR(ENI_FAMILY);
-
- found:
- if (salen != afd->a_socklen)
- ERR(ENI_SALEN);
-
- switch (family) {
- case AF_INET:
- port = ((const struct sockaddr_in *)sa)->sin_port;
- addr = &((const struct sockaddr_in *)sa)->sin_addr.s_addr;
- break;
-
- case AF_INET6:
- port = ((const struct sockaddr_in6 *)sa)->sin6_port;
- addr = ((const struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
- break;
-
- default:
- port = 0;
- addr = NULL;
- INSIST(0);
- }
- proto = (flags & NI_DGRAM) ? "udp" : "tcp";
-
- if (serv == NULL || servlen == 0) {
- /*
- * Caller does not want service.
- */
- } else if ((flags & NI_NUMERICSERV) != 0 ||
- (sp = getservbyport(port, proto)) == NULL) {
- sprintf(numserv, "%d", ntohs(port));
- if ((strlen(numserv) + 1) > servlen)
- ERR(ENI_MEMORY);
- strcpy(serv, numserv);
- } else {
- if ((strlen(sp->s_name) + 1) > servlen)
- ERR(ENI_MEMORY);
- strcpy(serv, sp->s_name);
- }
-
-#if 0
- switch (sa->sa_family) {
- case AF_INET:
- v4a = ((struct sockaddr_in *)sa)->sin_addr.s_addr;
- if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a))
- flags |= NI_NUMERICHOST;
- v4a >>= IN_CLASSA_NSHIFT;
- if (v4a == 0 || v4a == IN_LOOPBACKNET)
- flags |= NI_NUMERICHOST;
- break;
-
- case AF_INET6:
- pfx = ((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[0];
- if (pfx == 0 || pfx == 0xfe || pfx == 0xff)
- flags |= NI_NUMERICHOST;
- break;
- }
-#endif
-
- if (host == NULL || hostlen == 0) {
- /*
- * What should we do?
- */
- } else if (flags & NI_NUMERICHOST) {
- if (lwres_net_ntop(afd->a_af, addr, numaddr, sizeof(numaddr))
- == NULL)
- ERR(ENI_SYSTEM);
-#if defined(LWRES_HAVE_SIN6_SCOPE_ID)
- if (afd->a_af == AF_INET6 &&
- ((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
- char *p = numaddr + strlen(numaddr);
- const char *stringscope = NULL;
-#if 0
- if ((flags & NI_NUMERICSCOPE) == 0) {
- /*
- * Vendors may want to add support for
- * non-numeric scope identifier.
- */
- stringscope = foo;
- }
-#endif
- if (stringscope == NULL) {
- snprintf(p, sizeof(numaddr) - (p - numaddr),
- "%%%u",
- ((const struct sockaddr_in6 *)sa)->sin6_scope_id);
- } else {
- snprintf(p, sizeof(numaddr) - (p - numaddr),
- "%%%s", stringscope);
- }
- }
-#endif
- if (strlen(numaddr) + 1 > hostlen)
- ERR(ENI_MEMORY);
- strcpy(host, numaddr);
- } else {
- switch (family) {
- case AF_INET:
- lwf = LWRES_ADDRTYPE_V4;
- break;
- case AF_INET6:
- lwf = LWRES_ADDRTYPE_V6;
- break;
- default:
- INSIST(0);
- }
-
- n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
- if (n == 0)
- (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
-
- if (n == 0)
- n = lwres_getnamebyaddr(lwrctx, lwf,
- (lwres_uint16_t)afd->a_addrlen,
- addr, &by);
- if (n == 0) {
- if (flags & NI_NOFQDN) {
- p = strchr(by->realname, '.');
- if (p)
- *p = '\0';
- }
- if ((strlen(by->realname) + 1) > hostlen)
- ERR(ENI_MEMORY);
- strcpy(host, by->realname);
- } else {
- if (flags & NI_NAMEREQD)
- ERR(ENI_NOHOSTNAME);
- if (lwres_net_ntop(afd->a_af, addr, numaddr,
- sizeof(numaddr))
- == NULL)
- ERR(ENI_NOHOSTNAME);
- if ((strlen(numaddr) + 1) > hostlen)
- ERR(ENI_MEMORY);
- strcpy(host, numaddr);
- }
- }
- result = SUCCESS;
- cleanup:
- if (by != NULL)
- lwres_gnbaresponse_free(lwrctx, &by);
- if (lwrctx != NULL) {
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- }
- return (result);
-}
diff --git a/lib/liblwres/getrrset.c b/lib/liblwres/getrrset.c
deleted file mode 100644
index cf8359268..000000000
--- a/lib/liblwres/getrrset.c
+++ /dev/null
@@ -1,211 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getrrset.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <config.h>
-
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/netdb.h> /* XXX #include <netdb.h> */
-
-#include "assert_p.h"
-
-unsigned int
-lwresult_to_result(lwres_result_t lwresult) {
- switch (lwresult) {
- case LWRES_R_SUCCESS: return (ERRSET_SUCCESS);
- case LWRES_R_NOMEMORY: return (ERRSET_NOMEMORY);
- case LWRES_R_NOTFOUND: return (ERRSET_NONAME);
- case LWRES_R_TYPENOTFOUND: return (ERRSET_NODATA);
- case LWRES_R_RETRY: return (ERRSET_RETRY);
- default: return (ERRSET_FAIL);
- }
-}
-
-/*
- * malloc / calloc functions that guarantee to only
- * return NULL if there is an error, like they used
- * to before the ANSI C committee broke them.
- */
-
-static void *
-sane_malloc(size_t size) {
- if (size == 0)
- size = 1;
- return (malloc(size));
-}
-
-static void *
-sane_calloc(size_t number, size_t size) {
- size_t len = number * size;
- void *mem = sane_malloc(len);
- if (mem != NULL)
- memset(mem, 0, len);
- return (mem);
-}
-
-int
-lwres_getrrsetbyname(const char *hostname, unsigned int rdclass,
- unsigned int rdtype, unsigned int flags,
- struct rrsetinfo **res)
-{
- lwres_context_t *lwrctx = NULL;
- lwres_result_t lwresult;
- lwres_grbnresponse_t *response = NULL;
- struct rrsetinfo *rrset = NULL;
- unsigned int i;
- unsigned int lwflags;
- unsigned int result;
-
- if (rdclass > 0xffff || rdtype > 0xffff) {
- result = ERRSET_INVAL;
- goto fail;
- }
-
- /*
- * Don't allow queries of class or type ANY
- */
- if (rdclass == 0xff || rdtype == 0xff) {
- result = ERRSET_INVAL;
- goto fail;
- }
-
- lwresult = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
- if (lwresult != LWRES_R_SUCCESS) {
- result = lwresult_to_result(lwresult);
- goto fail;
- }
- (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
-
- /*
- * If any input flags were defined, lwflags would be set here
- * based on them
- */
- UNUSED(flags);
- lwflags = 0;
-
- lwresult = lwres_getrdatabyname(lwrctx, hostname,
- (lwres_uint16_t)rdclass,
- (lwres_uint16_t)rdtype,
- lwflags, &response);
- if (lwresult != LWRES_R_SUCCESS) {
- result = lwresult_to_result(lwresult);
- goto fail;
- }
-
- rrset = sane_malloc(sizeof(struct rrsetinfo));
- if (rrset == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- rrset->rri_name = NULL;
- rrset->rri_rdclass = response->rdclass;
- rrset->rri_rdtype = response->rdtype;
- rrset->rri_ttl = response->ttl;
- rrset->rri_flags = 0;
- rrset->rri_nrdatas = 0;
- rrset->rri_rdatas = NULL;
- rrset->rri_nsigs = 0;
- rrset->rri_sigs = NULL;
-
- rrset->rri_name = sane_malloc(response->realnamelen + 1);
- if (rrset->rri_name == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- strncpy(rrset->rri_name, response->realname, response->realnamelen);
- rrset->rri_name[response->realnamelen] = 0;
-
- if ((response->flags & LWRDATA_VALIDATED) != 0)
- rrset->rri_flags |= RRSET_VALIDATED;
-
- rrset->rri_nrdatas = response->nrdatas;
- rrset->rri_rdatas = sane_calloc(rrset->rri_nrdatas,
- sizeof(struct rdatainfo));
- if (rrset->rri_rdatas == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- for (i = 0; i < rrset->rri_nrdatas; i++) {
- rrset->rri_rdatas[i].rdi_length = response->rdatalen[i];
- rrset->rri_rdatas[i].rdi_data =
- sane_malloc(rrset->rri_rdatas[i].rdi_length);
- if (rrset->rri_rdatas[i].rdi_data == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- memcpy(rrset->rri_rdatas[i].rdi_data, response->rdatas[i],
- rrset->rri_rdatas[i].rdi_length);
- }
- rrset->rri_nsigs = response->nsigs;
- rrset->rri_sigs = sane_calloc(rrset->rri_nsigs,
- sizeof(struct rdatainfo));
- if (rrset->rri_sigs == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- for (i = 0; i < rrset->rri_nsigs; i++) {
- rrset->rri_sigs[i].rdi_length = response->siglen[i];
- rrset->rri_sigs[i].rdi_data =
- sane_malloc(rrset->rri_sigs[i].rdi_length);
- if (rrset->rri_sigs[i].rdi_data == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- memcpy(rrset->rri_sigs[i].rdi_data, response->sigs[i],
- rrset->rri_sigs[i].rdi_length);
- }
-
- lwres_grbnresponse_free(lwrctx, &response);
- lwres_context_destroy(&lwrctx);
- *res = rrset;
- return (ERRSET_SUCCESS);
- fail:
- if (rrset != NULL)
- lwres_freerrset(rrset);
- if (response != NULL)
- lwres_grbnresponse_free(lwrctx, &response);
- if (lwrctx != NULL)
- lwres_context_destroy(&lwrctx);
- return (result);
-
-}
-
-void
-lwres_freerrset(struct rrsetinfo *rrset) {
- unsigned int i;
- for (i = 0; i < rrset->rri_nrdatas; i++) {
- if (rrset->rri_rdatas[i].rdi_data == NULL)
- break;
- free(rrset->rri_rdatas[i].rdi_data);
- }
- free(rrset->rri_rdatas);
- for (i = 0; i < rrset->rri_nsigs; i++) {
- if (rrset->rri_sigs[i].rdi_data == NULL)
- break;
- free(rrset->rri_sigs[i].rdi_data);
- }
- free(rrset->rri_sigs);
- free(rrset->rri_name);
- free(rrset);
-}
-
diff --git a/lib/liblwres/getrrset2.c b/lib/liblwres/getrrset2.c
deleted file mode 100644
index 031021e06..000000000
--- a/lib/liblwres/getrrset2.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getrrset2.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <config.h>
-
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/netdb.h> /* XXX #include <netdb.h> */
-
-#include <lwres/async.h>
-
-#include "assert_p.h"
-
-int
-lwres_getrrsetbyname_async(const char *hostname, unsigned int rdclass,
- unsigned int rdtype, unsigned int flags,
- struct rrsetinfo **res)
-{
- int ret, ret2;
- lwres_context_t *ctx = NULL;
- struct lwres_async_state las;
- struct lwres_async_state *plas;
- struct timeval timeout;
- fd_set readfds;
- int sock;
-
- ret = lwres_async_init(&ctx);
- if(ret != ERRSET_SUCCESS) {
- return(ret);
- }
-
- ret = lwres_getrrsetbyname_init(hostname, rdclass,
- rdtype, flags,
- ctx, &las);
-
- if(ret != ERRSET_SUCCESS) {
- return ret;
- }
-
- again:
-
- lwres_getrrsetbyname_xmit(ctx, &las);
- timeout.tv_sec = lwres_async_timeout(ctx);
- sock = lwres_async_fd(ctx);
-
- FD_ZERO(&readfds);
- FD_SET(sock, &readfds);
- ret2 = select(sock + 1, &readfds, NULL, NULL, &timeout);
-
- /*
- * What happened with select?
- */
- if (ret2 < 0) {
- ret = LWRES_R_IOERROR;
- goto out3;
- }
- if (ret2 == 0) {
- ret = LWRES_R_TIMEOUT;
- goto out3;
- }
-
- ret = lwres_getrrsetbyname_read(&plas, ctx, res);
- if(ret == LWRES_R_RETRY) {
- /* XXX retransmit */
- goto again;
- }
-
- out3:
- /* clean stuff up */
-
- out:
- if (ctx != NULL)
- lwres_context_destroy(&ctx);
-
- return ret;
-}
-
diff --git a/lib/liblwres/herror.c b/lib/liblwres/herror.c
deleted file mode 100644
index 7a8bcb2bd..000000000
--- a/lib/liblwres/herror.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Portions Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (c) 1987, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)herror.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] =
- "$Id: herror.c,v 1.1 2004/03/15 20:35:25 as Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <stdio.h>
-
-#include <lwres/netdb.h>
-#include <lwres/platform.h>
-
-LIBLWRES_EXTERNAL_DATA int lwres_h_errno;
-
-/*
- * these have never been declared in any header file so make them static
- */
-
-static const char *h_errlist[] = {
- "Resolver Error 0 (no error)",
- "Unknown host", /* 1 HOST_NOT_FOUND */
- "Host name lookup failure", /* 2 TRY_AGAIN */
- "Unknown server error", /* 3 NO_RECOVERY */
- "No address associated with name", /* 4 NO_ADDRESS */
-};
-
-static int h_nerr = { sizeof h_errlist / sizeof h_errlist[0] };
-
-
-/*
- * herror --
- * print the error indicated by the h_errno value.
- */
-void
-lwres_herror(const char *s) {
- fprintf(stderr, "%s: %s\n", s, lwres_hstrerror(lwres_h_errno));
-}
-
-/*
- * hstrerror --
- * return the string associated with a given "host" errno value.
- */
-const char *
-lwres_hstrerror(int err) {
- if (err < 0)
- return ("Resolver internal error");
- else if (err < h_nerr)
- return (h_errlist[err]);
- return ("Unknown resolver error");
-}
diff --git a/lib/liblwres/include/lwres/async.h b/lib/liblwres/include/lwres/async.h
deleted file mode 100644
index 6715afaed..000000000
--- a/lib/liblwres/include/lwres/async.h
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2003 Michael Richardson
- * Contributed by Michael Richardson <mcr@freeswan.org> while working
- * on the Linux FreeS/WAN project in 2003.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: async.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_ASYNC_H
-#define LWRES_ASYNC_H 1
-
-#include <lwres/lwres.h>
-
-/*
- * support for asynchronous requests to lwres port
- */
-struct lwres_async_state {
- struct lwres_async_state *next;
-
- lwres_buffer_t b_in, b_out;
- lwres_uint32_t serial;
- int opcode;
-
- int (*callback)(void *uctx, struct rrsetinfo *res);
- void *uctx;
-};
-
-
-
-/*
- * The calls for asynchronous requests.
- */
-
-int lwres_async_init(lwres_context_t **pctx);
-
-int lwres_getrrsetbyname_init(const char *hostname, unsigned int rdclass,
- unsigned int rdtype, unsigned int flags,
- lwres_context_t *ctx,
- struct lwres_async_state *las);
-
-int lwres_getrrsetbyname_xmit(lwres_context_t *ctx,
- struct lwres_async_state *las);
-
-unsigned long lwres_async_timeout(lwres_context_t *ctx);
-
-int lwres_async_fd(lwres_context_t *ctx);
-
-int lwres_getrrsetbyname_read(struct lwres_async_state **plas,
- lwres_context_t *ctx,
- struct rrsetinfo **res);
-
-int lwres_getrrsetbyname_async(const char *hostname, unsigned int rdclass,
- unsigned int rdtype, unsigned int flags,
- struct rrsetinfo **res);
-
-#endif /* LWRES_ASYNC_H */
-
-
-
-
-
-
-
-
-
diff --git a/lib/liblwres/include/lwres/context.h b/lib/liblwres/include/lwres/context.h
deleted file mode 100644
index 55ca3c7fb..000000000
--- a/lib/liblwres/include/lwres/context.h
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: context.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_CONTEXT_H
-#define LWRES_CONTEXT_H 1
-
-#include <stddef.h>
-
-#include <lwres/lang.h>
-#include <lwres/int.h>
-#include <lwres/result.h>
-
-/*
- * Used to set various options such as timeout, authentication, etc
- */
-typedef struct lwres_context lwres_context_t;
-
-LWRES_LANG_BEGINDECLS
-
-typedef void *(*lwres_malloc_t)(void *arg, size_t length);
-typedef void (*lwres_free_t)(void *arg, void *mem, size_t length);
-
-/*
- * XXXMLG
- *
- * Make the server reload /etc/resolv.conf periodically.
- *
- * Make the server do sortlist/searchlist.
- *
- * Client side can disable the search/sortlist processing.
- *
- * Use an array of addresses/masks and searchlist for client-side, and
- * if added to the client disable the processing on the server.
- *
- * Share /etc/resolv.conf data between contexts.
- */
-
-/*
- * _SERVERMODE
- * Don't allocate and connect a socket to the server, since the
- * caller _is_ a server.
- */
-#define LWRES_CONTEXT_SERVERMODE 0x00000001U
-
-lwres_result_t
-lwres_context_create(lwres_context_t **contextp, void *arg,
- lwres_malloc_t malloc_function,
- lwres_free_t free_function,
- unsigned int flags);
-/*
- * Allocate a lwres context. This is used in all lwres calls.
- *
- * Memory management can be replaced here by passing in two functions.
- * If one is non-NULL, they must both be non-NULL. "arg" is passed to
- * these functions.
- *
- * Contexts are not thread safe. Document at the top of the file.
- * XXXMLG
- *
- * If they are NULL, the standard malloc() and free() will be used.
- *
- * Requires:
- *
- * contextp != NULL && contextp == NULL.
- *
- * Returns:
- *
- * Returns 0 on success, non-zero on failure.
- */
-
-void
-lwres_context_destroy(lwres_context_t **contextp);
-/*
- * Frees all memory associated with a lwres context.
- *
- * Requires:
- *
- * contextp != NULL && contextp == NULL.
- */
-
-lwres_uint32_t
-lwres_context_nextserial(lwres_context_t *ctx);
-/*
- * XXXMLG Document
- */
-
-void
-lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial);
-
-void
-lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len);
-
-void *
-lwres_context_allocmem(lwres_context_t *ctx, size_t len);
-
-int
-lwres_context_getsocket(lwres_context_t *ctx);
-
-lwres_result_t
-lwres_context_send(lwres_context_t *ctx,
- void *sendbase, int sendlen);
-
-lwres_result_t
-lwres_context_recv(lwres_context_t *ctx,
- void *recvbase, int recvlen,
- int *recvd_len);
-
-lwres_result_t
-lwres_context_sendrecv(lwres_context_t *ctx,
- void *sendbase, int sendlen,
- void *recvbase, int recvlen,
- int *recvd_len);
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_CONTEXT_H */
-
diff --git a/lib/liblwres/include/lwres/int.h b/lib/liblwres/include/lwres/int.h
deleted file mode 100644
index 470372e77..000000000
--- a/lib/liblwres/include/lwres/int.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: int.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_INT_H
-#define LWRES_INT_H 1
-
-typedef char lwres_int8_t;
-typedef unsigned char lwres_uint8_t;
-typedef short lwres_int16_t;
-typedef unsigned short lwres_uint16_t;
-typedef int lwres_int32_t;
-typedef unsigned int lwres_uint32_t;
-typedef long long lwres_int64_t;
-typedef unsigned long long lwres_uint64_t;
-
-#endif /* LWRES_INT_H */
diff --git a/lib/liblwres/include/lwres/ipv6.h b/lib/liblwres/include/lwres/ipv6.h
deleted file mode 100644
index ee7bc0743..000000000
--- a/lib/liblwres/include/lwres/ipv6.h
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ipv6.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_IPV6_H
-#define LWRES_IPV6_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * IPv6 definitions for systems which do not support IPv6.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <lwres/int.h>
-#include <lwres/platform.h>
-
-/***
- *** Types.
- ***/
-
-struct in6_addr {
- union {
- lwres_uint8_t _S6_u8[16];
- lwres_uint16_t _S6_u16[8];
- lwres_uint32_t _S6_u32[4];
- } _S6_un;
-};
-#define s6_addr _S6_un._S6_u8
-#define s6_addr8 _S6_un._S6_u8
-#define s6_addr16 _S6_un._S6_u16
-#define s6_addr32 _S6_un._S6_u32
-
-#define IN6ADDR_ANY_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
-#define IN6ADDR_LOOPBACK_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
-
-LIBLWRES_EXTERNAL_DATA extern const struct in6_addr in6addr_any;
-LIBLWRES_EXTERNAL_DATA extern const struct in6_addr in6addr_loopback;
-
-struct sockaddr_in6 {
-#ifdef LWRES_PLATFORM_HAVESALEN
- lwres_uint8_t sin6_len;
- lwres_uint8_t sin6_family;
-#else
- lwres_uint16_t sin6_family;
-#endif
- lwres_uint16_t sin6_port;
- lwres_uint32_t sin6_flowinfo;
- struct in6_addr sin6_addr;
- lwres_uint32_t sin6_scope_id;
-};
-
-#ifdef LWRES_PLATFORM_HAVESALEN
-#define SIN6_LEN 1
-#endif
-
-struct in6_pktinfo {
- struct in6_addr ipi6_addr; /* src/dst IPv6 address */
- unsigned int ipi6_ifindex; /* send/recv interface index */
-};
-
-/*
- * Unspecified
- */
-#define IN6_IS_ADDR_UNSPECIFIED(a) \
- (((a)->s6_addr32[0] == 0) && \
- ((a)->s6_addr32[1] == 0) && \
- ((a)->s6_addr32[2] == 0) && \
- ((a)->s6_addr32[3] == 0))
-
-/*
- * Loopback
- */
-#define IN6_IS_ADDR_LOOPBACK(a) \
- (((a)->s6_addr32[0] == 0) && \
- ((a)->s6_addr32[1] == 0) && \
- ((a)->s6_addr32[2] == 0) && \
- ((a)->s6_addr32[3] == htonl(1)))
-
-/*
- * IPv4 compatible
- */
-#define IN6_IS_ADDR_V4COMPAT(a) \
- (((a)->s6_addr32[0] == 0) && \
- ((a)->s6_addr32[1] == 0) && \
- ((a)->s6_addr32[2] == 0) && \
- ((a)->s6_addr32[3] != 0) && \
- ((a)->s6_addr32[3] != htonl(1)))
-
-/*
- * Mapped
- */
-#define IN6_IS_ADDR_V4MAPPED(a) \
- (((a)->s6_addr32[0] == 0) && \
- ((a)->s6_addr32[1] == 0) && \
- ((a)->s6_addr32[2] == htonl(0x0000ffff)))
-
-#endif /* LWRES_IPV6_H */
diff --git a/lib/liblwres/include/lwres/lang.h b/lib/liblwres/include/lwres/lang.h
deleted file mode 100644
index 1de35fd91..000000000
--- a/lib/liblwres/include/lwres/lang.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lang.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_LANG_H
-#define LWRES_LANG_H 1
-
-#ifdef __cplusplus
-#define LWRES_LANG_BEGINDECLS extern "C" {
-#define LWRES_LANG_ENDDECLS }
-#else
-#define LWRES_LANG_BEGINDECLS
-#define LWRES_LANG_ENDDECLS
-#endif
-
-#endif /* LWRES_LANG_H */
diff --git a/lib/liblwres/include/lwres/list.h b/lib/liblwres/include/lwres/list.h
deleted file mode 100644
index e90a1b55a..000000000
--- a/lib/liblwres/include/lwres/list.h
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * Copyright (C) 1997-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: list.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_LIST_H
-#define LWRES_LIST_H 1
-
-#define LWRES_LIST(type) struct { type *head, *tail; }
-#define LWRES_LIST_INIT(list) \
- do { (list).head = NULL; (list).tail = NULL; } while (0)
-
-#define LWRES_LINK(type) struct { type *prev, *next; }
-#define LWRES_LINK_INIT(elt, link) \
- do { \
- (elt)->link.prev = (void *)(-1); \
- (elt)->link.next = (void *)(-1); \
- } while (0)
-#define LWRES_LINK_LINKED(elt, link) \
- ((void *)((elt)->link.prev) != (void *)(-1))
-
-#define LWRES_LIST_HEAD(list) ((list).head)
-#define LWRES_LIST_TAIL(list) ((list).tail)
-#define LWRES_LIST_EMPTY(list) LWRES_TF((list).head == NULL)
-
-#define LWRES_LIST_PREPEND(list, elt, link) \
- do { \
- if ((list).head != NULL) \
- (list).head->link.prev = (elt); \
- else \
- (list).tail = (elt); \
- (elt)->link.prev = NULL; \
- (elt)->link.next = (list).head; \
- (list).head = (elt); \
- } while (0)
-
-#define LWRES_LIST_APPEND(list, elt, link) \
- do { \
- if ((list).tail != NULL) \
- (list).tail->link.next = (elt); \
- else \
- (list).head = (elt); \
- (elt)->link.prev = (list).tail; \
- (elt)->link.next = NULL; \
- (list).tail = (elt); \
- } while (0)
-
-#define LWRES_LIST_UNLINK(list, elt, link) \
- do { \
- if ((elt)->link.next != NULL) \
- (elt)->link.next->link.prev = (elt)->link.prev; \
- else \
- (list).tail = (elt)->link.prev; \
- if ((elt)->link.prev != NULL) \
- (elt)->link.prev->link.next = (elt)->link.next; \
- else \
- (list).head = (elt)->link.next; \
- (elt)->link.prev = (void *)(-1); \
- (elt)->link.next = (void *)(-1); \
- } while (0)
-
-#define LWRES_LIST_PREV(elt, link) ((elt)->link.prev)
-#define LWRES_LIST_NEXT(elt, link) ((elt)->link.next)
-
-#define LWRES_LIST_INSERTBEFORE(list, before, elt, link) \
- do { \
- if ((before)->link.prev == NULL) \
- LWRES_LIST_PREPEND(list, elt, link); \
- else { \
- (elt)->link.prev = (before)->link.prev; \
- (before)->link.prev = (elt); \
- (elt)->link.prev->link.next = (elt); \
- (elt)->link.next = (before); \
- } \
- } while (0)
-
-#define LWRES_LIST_INSERTAFTER(list, after, elt, link) \
- do { \
- if ((after)->link.next == NULL) \
- LWRES_LIST_APPEND(list, elt, link); \
- else { \
- (elt)->link.next = (after)->link.next; \
- (after)->link.next = (elt); \
- (elt)->link.next->link.prev = (elt); \
- (elt)->link.prev = (after); \
- } \
- } while (0)
-
-#define LWRES_LIST_APPENDLIST(list1, list2, link) \
- do { \
- if (LWRES_LIST_EMPTY(list1)) \
- (list1) = (list2); \
- else if (!LWRES_LIST_EMPTY(list2)) { \
- (list1).tail->link.next = (list2).head; \
- (list2).head->link.prev = (list1).tail; \
- (list1).tail = (list2).tail; \
- } \
- (list2).head = NULL; \
- (list2).tail = NULL; \
- } while (0)
-
-#define LWRES_LIST_ENQUEUE(list, elt, link) LWRES_LIST_APPEND(list, elt, link)
-#define LWRES_LIST_DEQUEUE(list, elt, link) LWRES_LIST_UNLINK(list, elt, link)
-
-#endif /* LWRES_LIST_H */
diff --git a/lib/liblwres/include/lwres/lwbuffer.h b/lib/liblwres/include/lwres/lwbuffer.h
deleted file mode 100644
index 7486e8bc3..000000000
--- a/lib/liblwres/include/lwres/lwbuffer.h
+++ /dev/null
@@ -1,402 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwbuffer.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_LWBUFFER_H
-#define LWRES_LWBUFFER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Buffers
- *
- * A buffer is a region of memory, together with a set of related subregions.
- * Buffers are used for parsing and I/O operations.
- *
- * The 'used region' and the 'available' region are disjoint, and their
- * union is the buffer's region. The used region extends from the beginning
- * of the buffer region to the last used byte. The available region
- * extends from one byte greater than the last used byte to the end of the
- * buffer's region. The size of the used region can be changed using various
- * buffer commands. Initially, the used region is empty.
- *
- * The used region is further subdivided into two disjoint regions: the
- * 'consumed region' and the 'remaining region'. The union of these two
- * regions is the used region. The consumed region extends from the beginning
- * of the used region to the byte before the 'current' offset (if any). The
- * 'remaining' region the current pointer to the end of the used
- * region. The size of the consumed region can be changed using various
- * buffer commands. Initially, the consumed region is empty.
- *
- * The 'active region' is an (optional) subregion of the remaining region.
- * It extends from the current offset to an offset in the remaining region
- * that is selected with lwres_buffer_setactive(). Initially, the active
- * region is empty. If the current offset advances beyond the chosen offset,
- * the active region will also be empty.
- *
- * /----- used region -----\/-- available --\
- * +----------------------------------------+
- * | consumed | remaining | |
- * +----------------------------------------+
- * a b c d e
- *
- * a == base of buffer.
- * b == current pointer. Can be anywhere between a and d.
- * c == active pointer. Meaningful between b and d.
- * d == used pointer.
- * e == length of buffer.
- *
- * a-e == entire (length) of buffer.
- * a-d == used region.
- * a-b == consumed region.
- * b-d == remaining region.
- * b-c == optional active region.
- *
- * The following invariants are maintained by all routines:
- *
- * length > 0
- *
- * base is a valid pointer to length bytes of memory
- *
- * 0 <= used <= length
- *
- * 0 <= current <= used
- *
- * 0 <= active <= used
- * (although active < current implies empty active region)
- *
- * MP:
- * Buffers have no synchronization. Clients must ensure exclusive
- * access.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * Memory: 1 pointer + 6 unsigned integers per buffer.
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <lwres/lang.h>
-#include <lwres/int.h>
-
-LWRES_LANG_BEGINDECLS
-
-/***
- *** Magic numbers
- ***/
-#define LWRES_BUFFER_MAGIC 0x4275663fU /* Buf?. */
-
-#define LWRES_BUFFER_VALID(b) ((b) != NULL && \
- (b)->magic == LWRES_BUFFER_MAGIC)
-
-/*
- * The following macros MUST be used only on valid buffers. It is the
- * caller's responsibility to ensure this by using the LWRES_BUFFER_VALID
- * check above, or by calling another lwres_buffer_*() function (rather than
- * another macro.)
- */
-
-/*
- * Get the length of the used region of buffer "b"
- */
-#define LWRES_BUFFER_USEDCOUNT(b) ((b)->used)
-
-/*
- * Get the length of the available region of buffer "b"
- */
-#define LWRES_BUFFER_AVAILABLECOUNT(b) ((b)->length - (b)->used)
-
-#define LWRES_BUFFER_REMAINING(b) ((b)->used - (b)->current)
-
-/*
- * Note that the buffer structure is public. This is principally so buffer
- * operations can be implemented using macros. Applications are strongly
- * discouraged from directly manipulating the structure.
- */
-
-typedef struct lwres_buffer lwres_buffer_t;
-struct lwres_buffer {
- unsigned int magic;
- unsigned char *base;
- /* The following integers are byte offsets from 'base'. */
- unsigned int length;
- unsigned int used;
- unsigned int current;
- unsigned int active;
-};
-
-/***
- *** Functions
- ***/
-
-void
-lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length);
-/*
- * Make 'b' refer to the 'length'-byte region starting at base.
- *
- * Requires:
- *
- * 'length' > 0
- *
- * 'base' is a pointer to a sequence of 'length' bytes.
- *
- */
-
-void
-lwres_buffer_invalidate(lwres_buffer_t *b);
-/*
- * Make 'b' an invalid buffer.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * Ensures:
- * If assertion checking is enabled, future attempts to use 'b' without
- * calling lwres_buffer_init() on it will cause an assertion failure.
- */
-
-void
-lwres_buffer_add(lwres_buffer_t *b, unsigned int n);
-/*
- * Increase the 'used' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * used + n <= length
- *
- */
-
-void
-lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n);
-/*
- * Decrease the 'used' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * used >= n
- *
- */
-
-void
-lwres_buffer_clear(lwres_buffer_t *b);
-/*
- * Make the used region empty.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * Ensures:
- *
- * used = 0
- *
- */
-
-void
-lwres_buffer_first(lwres_buffer_t *b);
-/*
- * Make the consumed region empty.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * Ensures:
- *
- * current == 0
- *
- */
-
-void
-lwres_buffer_forward(lwres_buffer_t *b, unsigned int n);
-/*
- * Increase the 'consumed' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * current + n <= used
- *
- */
-
-void
-lwres_buffer_back(lwres_buffer_t *b, unsigned int n);
-/*
- * Decrease the 'consumed' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * n <= current
- *
- */
-
-lwres_uint8_t
-lwres_buffer_getuint8(lwres_buffer_t *b);
-/*
- * Read an unsigned 8-bit integer from 'b' and return it.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * The length of the available region of 'b' is at least 1.
- *
- * Ensures:
- *
- * The current pointer in 'b' is advanced by 1.
- *
- * Returns:
- *
- * A 8-bit unsigned integer.
- */
-
-void
-lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val);
-/*
- * Store an unsigned 8-bit integer from 'val' into 'b'.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * The length of the unused region of 'b' is at least 1.
- *
- * Ensures:
- * The used pointer in 'b' is advanced by 1.
- */
-
-lwres_uint16_t
-lwres_buffer_getuint16(lwres_buffer_t *b);
-/*
- * Read an unsigned 16-bit integer in network byte order from 'b', convert
- * it to host byte order, and return it.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * The length of the available region of 'b' is at least 2.
- *
- * Ensures:
- *
- * The current pointer in 'b' is advanced by 2.
- *
- * Returns:
- *
- * A 16-bit unsigned integer.
- */
-
-void
-lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val);
-/*
- * Store an unsigned 16-bit integer in host byte order from 'val'
- * into 'b' in network byte order.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * The length of the unused region of 'b' is at least 2.
- *
- * Ensures:
- * The used pointer in 'b' is advanced by 2.
- */
-
-lwres_uint32_t
-lwres_buffer_getuint32(lwres_buffer_t *b);
-/*
- * Read an unsigned 32-bit integer in network byte order from 'b', convert
- * it to host byte order, and return it.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * The length of the available region of 'b' is at least 2.
- *
- * Ensures:
- *
- * The current pointer in 'b' is advanced by 2.
- *
- * Returns:
- *
- * A 32-bit unsigned integer.
- */
-
-void
-lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val);
-/*
- * Store an unsigned 32-bit integer in host byte order from 'val'
- * into 'b' in network byte order.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * The length of the unused region of 'b' is at least 4.
- *
- * Ensures:
- * The used pointer in 'b' is advanced by 4.
- */
-
-void
-lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base,
- unsigned int length);
-/*
- * Copy 'length' bytes of memory at 'base' into 'b'.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * 'base' points to 'length' bytes of valid memory.
- *
- */
-
-void
-lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base,
- unsigned int length);
-/*
- * Copy 'length' bytes of memory from 'b' into 'base'.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * 'base' points to at least 'length' bytes of valid memory.
- *
- * 'b' have at least 'length' bytes remaining.
- */
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_LWBUFFER_H */
diff --git a/lib/liblwres/include/lwres/lwpacket.h b/lib/liblwres/include/lwres/lwpacket.h
deleted file mode 100644
index a0d216e57..000000000
--- a/lib/liblwres/include/lwres/lwpacket.h
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwpacket.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_LWPACKET_H
-#define LWRES_LWPACKET_H 1
-
-#include <lwres/lang.h>
-#include <lwres/lwbuffer.h>
-#include <lwres/result.h>
-
-typedef struct lwres_lwpacket lwres_lwpacket_t;
-
-struct lwres_lwpacket {
- lwres_uint32_t length;
- lwres_uint16_t version;
- lwres_uint16_t pktflags;
- lwres_uint32_t serial;
- lwres_uint32_t opcode;
- lwres_uint32_t result;
- lwres_uint32_t recvlength;
- lwres_uint16_t authtype;
- lwres_uint16_t authlength;
-};
-
-#define LWRES_LWPACKET_LENGTH (4 * 5 + 2 * 4)
-
-#define LWRES_LWPACKETFLAG_RESPONSE 0x0001U /* if set, pkt is a response */
-
-
-#define LWRES_LWPACKETVERSION_0 0
-
-/*
- * "length" is the overall packet length, including the entire packet header.
- *
- * "version" specifies the header format. Currently, there is only one
- * format, LWRES_LWPACKETVERSION_0.
- *
- * "flags" specifies library-defined flags for this packet. None of these
- * are definable by the caller, but library-defined values can be set by
- * the caller. For example, one bit in this field indicates if the packet
- * is a request or a response.
- *
- * "serial" is set by the requestor and is returned in all replies. If two
- * packets from the same source have the same serial number and are from
- * the same source, they are assumed to be duplicates and the latter ones
- * may be dropped. (The library does not do this by default on replies, but
- * does so on requests.)
- *
- * "opcode" is application defined. Opcodes between 0x04000000 and 0xffffffff
- * are application defined. Opcodes between 0x00000000 and 0x03ffffff are
- * reserved for library use.
- *
- * "result" is application defined, and valid only on replies.
- * Results between 0x04000000 and 0xffffffff are application defined.
- * Results between 0x00000000 and 0x03ffffff are reserved for library use.
- * (This is the same reserved range defined in <isc/resultclass.h>, so it
- * would be trivial to map ISC_R_* result codes into packet result codes
- * when appropriate.)
- *
- * "recvlength" is set to the maximum buffer size that the receiver can
- * handle on requests, and the size of the buffer needed to satisfy a request
- * when the buffer is too large for replies.
- *
- * "authtype" is the packet level auth type used.
- * Authtypes between 0x1000 and 0xffff are application defined. Authtypes
- * between 0x0000 and 0x0fff are reserved for library use. This is currently
- * unused and MUST be set to zero.
- *
- * "authlen" is the length of the authentication data. See the specific
- * authtypes for more information on what is contained in this field. This
- * is currently unused, and MUST be set to zero.
- *
- * The remainder of the packet consists of two regions, one described by
- * "authlen" and one of "length - authlen - sizeof(lwres_lwpacket_t)".
- *
- * That is:
- *
- * pkt header
- * authlen bytes of auth information
- * data bytes
- */
-
-/*
- * Currently defined opcodes:
- *
- * NOOP. Success is always returned, with the packet contents echoed.
- *
- * GETADDRSBYNAME. Return all known addresses for a given name.
- * This may return NIS or /etc/hosts info as well as DNS
- * information. Flags will be provided to indicate ip4/ip6
- * addresses are desired.
- *
- * GETNAMEBYADDR. Return the hostname for the given address. Once
- * again, it will return data from multiple sources.
- */
-
-LWRES_LANG_BEGINDECLS
-
-/* XXXMLG document */
-lwres_result_t
-lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
-
-lwres_result_t
-lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_LWPACKET_H */
diff --git a/lib/liblwres/include/lwres/lwres.h b/lib/liblwres/include/lwres/lwres.h
deleted file mode 100644
index e819c8b68..000000000
--- a/lib/liblwres/include/lwres/lwres.h
+++ /dev/null
@@ -1,584 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_LWRES_H
-#define LWRES_LWRES_H 1
-
-#include <stdio.h>
-
-#include <lwres/context.h>
-#include <lwres/lang.h>
-#include <lwres/list.h>
-#include <lwres/lwpacket.h>
-
-/*
- * Design notes:
- *
- * Each opcode has two structures and three functions which operate on each
- * structure. For example, using the "no operation/ping" opcode as an
- * example:
- *
- * lwres_nooprequest_t:
- *
- * lwres_nooprequest_render() takes a lwres_nooprequest_t and
- * and renders it into wire format, storing the allocated
- * buffer information in a passed-in buffer. When this buffer
- * is no longer needed, it must be freed by
- * lwres_context_freemem(). All other memory used by the
- * caller must be freed manually, including the
- * lwres_nooprequest_t passed in.
- *
- * lwres_nooprequest_parse() takes a wire format message and
- * breaks it out into a lwres_nooprequest_t. The structure
- * must be freed via lwres_nooprequest_free() when it is no longer
- * needed.
- *
- * lwres_nooprequest_free() releases into the lwres_context_t
- * any space allocated during parsing.
- *
- * lwres_noopresponse_t:
- *
- * The functions used are similar to the three used for
- * requests, just with different names.
- *
- * Typically, the client will use request_render, response_parse, and
- * response_free, while the daemon will use request_parse, response_render,
- * and request_free.
- *
- * The basic flow of a typical client is:
- *
- * fill in a request_t, and call the render function.
- *
- * Transmit the buffer returned to the daemon.
- *
- * Wait for a response.
- *
- * When a response is received, parse it into a response_t.
- *
- * free the request buffer using lwres_context_freemem().
- *
- * free the response structure and its associated buffer using
- * response_free().
- */
-
-#define LWRES_UDP_PORT 921
-#define LWRES_RECVLENGTH 16384
-#define LWRES_ADDR_MAXLEN 16 /* changing this breaks ABI */
-#define LWRES_RESOLV_CONF "/etc/resolv.conf"
-
-/*
- * Flags.
- *
- * These flags are only relevant to rrset queries.
- *
- * TRUSTNOTREQUIRED: DNSSEC is not required (input)
- * SECUREDATA: The data was crypto-verified with DNSSEC (output)
- *
- */
-#define LWRES_FLAG_TRUSTNOTREQUIRED 0x00000001U
-#define LWRES_FLAG_SECUREDATA 0x00000002U
-
-/*
- * no-op
- */
-#define LWRES_OPCODE_NOOP 0x00000000U
-
-typedef struct {
- /* public */
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_nooprequest_t;
-
-typedef struct {
- /* public */
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_noopresponse_t;
-
-/*
- * get addresses by name
- */
-#define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U
-
-typedef struct lwres_addr lwres_addr_t;
-typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-
-struct lwres_addr {
- lwres_uint32_t family;
- lwres_uint16_t length;
- unsigned char address[LWRES_ADDR_MAXLEN];
- LWRES_LINK(lwres_addr_t) link;
-};
-
-typedef struct {
- /* public */
- lwres_uint32_t flags;
- lwres_uint32_t addrtypes;
- lwres_uint16_t namelen;
- char *name;
-} lwres_gabnrequest_t;
-
-typedef struct {
- /* public */
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- lwres_addrlist_t addrs;
- /* if base != NULL, it will be freed when this structure is freed. */
- void *base;
- size_t baselen;
-} lwres_gabnresponse_t;
-
-/*
- * get name by address
- */
-#define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U
-typedef struct {
- /* public */
- lwres_uint32_t flags;
- lwres_addr_t addr;
-} lwres_gnbarequest_t;
-
-typedef struct {
- /* public */
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- /* if base != NULL, it will be freed when this structure is freed. */
- void *base;
- size_t baselen;
-} lwres_gnbaresponse_t;
-
-/*
- * get rdata by name
- */
-#define LWRES_OPCODE_GETRDATABYNAME 0x00010003U
-
-typedef struct {
- /* public */
- lwres_uint32_t flags;
- lwres_uint16_t rdclass;
- lwres_uint16_t rdtype;
- lwres_uint16_t namelen;
- char *name;
-} lwres_grbnrequest_t;
-
-typedef struct {
- /* public */
- lwres_uint32_t flags;
- lwres_uint16_t rdclass;
- lwres_uint16_t rdtype;
- lwres_uint32_t ttl;
- lwres_uint16_t nrdatas;
- lwres_uint16_t nsigs;
- char *realname;
- lwres_uint16_t realnamelen;
- unsigned char **rdatas;
- lwres_uint16_t *rdatalen;
- unsigned char **sigs;
- lwres_uint16_t *siglen;
- /* if base != NULL, it will be freed when this structure is freed. */
- void *base;
- size_t baselen;
-} lwres_grbnresponse_t;
-
-#define LWRDATA_VALIDATED 0x00000001
-
-/*
- * resolv.conf data
- */
-
-#define LWRES_CONFMAXNAMESERVERS 3 /* max 3 "nameserver" entries */
-#define LWRES_CONFMAXLWSERVERS 1 /* max 1 "lwserver" entry */
-#define LWRES_CONFMAXSEARCH 8 /* max 8 domains in "search" entry */
-#define LWRES_CONFMAXLINELEN 256 /* max size of a line */
-#define LWRES_CONFMAXSORTLIST 10
-typedef struct {
- lwres_context_t *lwctx;
- lwres_addr_t nameservers[LWRES_CONFMAXNAMESERVERS];
- lwres_uint8_t nsnext; /* index for next free slot */
-
- lwres_addr_t lwservers[LWRES_CONFMAXLWSERVERS];
- lwres_uint8_t lwnext; /* index for next free slot */
-
- char *domainname;
-
- char *search[LWRES_CONFMAXSEARCH];
- lwres_uint8_t searchnxt; /* index for next free slot */
-
- struct {
- lwres_addr_t addr;
- /* mask has a non-zero 'family' and 'length' if set */
- lwres_addr_t mask;
- } sortlist[LWRES_CONFMAXSORTLIST];
- lwres_uint8_t sortlistnxt;
-
- lwres_uint8_t resdebug; /* non-zero if 'options debug' set */
- lwres_uint8_t ndots; /* set to n in 'options ndots:n' */
- lwres_uint8_t no_tld_query; /* non-zero if 'options no_tld_query' */
-} lwres_conf_t;
-
-#define LWRES_ADDRTYPE_V4 0x00000001U /* ipv4 */
-#define LWRES_ADDRTYPE_V6 0x00000002U /* ipv6 */
-
-#define LWRES_MAX_ALIASES 16 /* max # of aliases */
-#define LWRES_MAX_ADDRS 64 /* max # of addrs */
-
-LWRES_LANG_BEGINDECLS
-
-/*
- * This is in host byte order.
- */
-extern lwres_uint16_t lwres_udp_port;
-
-extern const char *lwres_resolv_conf;
-
-lwres_result_t
-lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp);
-
-lwres_result_t
-lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt,
- lwres_gabnresponse_t **structp);
-
-void
-lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp);
-/*
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- * *structp == NULL.
- *
- * All memory allocated by this structure will be returned to the
- * system via the context's free function.
- */
-
-void
-lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp);
-/*
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- * *structp == NULL.
- *
- * All memory allocated by this structure will be returned to the
- * system via the context's free function.
- */
-
-
-lwres_result_t
-lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp);
-
-lwres_result_t
-lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt,
- lwres_gnbaresponse_t **structp);
-
-void
-lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp);
-/*
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- * *structp == NULL.
- *
- * All memory allocated by this structure will be returned to the
- * system via the context's free function.
- */
-
-void
-lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp);
-/*
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- * *structp == NULL.
- *
- * All memory allocated by this structure will be returned to the
- * system via the context's free function.
- */
-
-lwres_result_t
-lwres_grbnrequest_render(lwres_context_t *ctx, lwres_grbnrequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_grbnresponse_render(lwres_context_t *ctx, lwres_grbnresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_grbnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_grbnrequest_t **structp);
-
-lwres_result_t
-lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt,
- lwres_grbnresponse_t **structp);
-
-void
-lwres_grbnrequest_free(lwres_context_t *ctx, lwres_grbnrequest_t **structp);
-/*
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- * *structp == NULL.
- *
- * All memory allocated by this structure will be returned to the
- * system via the context's free function.
- */
-
-void
-lwres_grbnresponse_free(lwres_context_t *ctx, lwres_grbnresponse_t **structp);
-/*
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- * *structp == NULL.
- *
- * All memory allocated by this structure will be returned to the
- * system via the context's free function.
- */
-
-lwres_result_t
-lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-/*
- * Allocate space and render into wire format a noop request packet.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * b != NULL, and points to a lwres_buffer_t. The contents of the
- * buffer structure will be initialized to contain the wire-format
- * noop request packet.
- *
- * Caller needs to fill in parts of "pkt" before calling:
- * serial, maxrecv, result.
- *
- * Returns:
- *
- * Returns 0 on success, non-zero on failure.
- *
- * On successful return, *b will contain data about the wire-format
- * packet. It can be transmitted in any way, including lwres_sendblock().
- */
-
-lwres_result_t
-lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp);
-/*
- * Parse a noop request. Note that to get here, the lwpacket must have
- * already been parsed and removed by the caller, otherwise it would be
- * pretty hard for it to know this is the right function to call.
- *
- * The function verifies bits of the header, but does not modify it.
- */
-
-lwres_result_t
-lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt,
- lwres_noopresponse_t **structp);
-
-void
-lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp);
-
-void
-lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp);
-
-/*
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- * *structp == NULL.
- *
- * All memory allocated by this structure will be returned to the
- * system via the context's free function.
- */
-
-lwres_result_t
-lwres_conf_parse(lwres_context_t *ctx, const char *filename);
-/*
- * parses a resolv.conf-format file and stores the results in the structure
- * pointed to by *ctx.
- *
- * Requires:
- * ctx != NULL
- * filename != NULL && strlen(filename) > 0
- *
- * Returns:
- * LWRES_R_SUCCESS on a successful parse.
- * Anything else on error, although the structure may be partially filled
- * in.
- */
-
-lwres_result_t
-lwres_conf_print(lwres_context_t *ctx, FILE *fp);
-/*
- * Prints a resolv.conf-format of confdata output to fp.
- *
- * Requires:
- * ctx != NULL
- */
-
-void
-lwres_conf_init(lwres_context_t *ctx);
-/*
- * sets all internal fields to a default state. Used to initialize a new
- * lwres_conf_t structure (not reset a used on).
- *
- * Requires:
- * ctx != NULL
- */
-
-void
-lwres_conf_clear(lwres_context_t *ctx);
-/*
- * frees all internally allocated memory in confdata. Uses the memory
- * routines supplied by ctx.
- *
- * Requires:
- * ctx != NULL
- */
-
-lwres_conf_t *
-lwres_conf_get(lwres_context_t *ctx);
-/*
- * returns a pointer to the current config structure.
- * Be extremely cautions in modifying the contents of this structure; it
- * needs an API to return the various bits of data, walk lists, etc.
- *
- * Requires:
- * ctx != NULL
- */
-
-/*
- * Helper functions
- */
-
-lwres_result_t
-lwres_data_parse(lwres_buffer_t *b, unsigned char **p, lwres_uint16_t *len);
-
-lwres_result_t
-lwres_string_parse(lwres_buffer_t *b, char **c, lwres_uint16_t *len);
-
-lwres_result_t
-lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr);
-
-lwres_result_t
-lwres_getaddrsbyname(lwres_context_t *ctx, const char *name,
- lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp);
-
-lwres_result_t
-lwres_getnamebyaddr(lwres_context_t *ctx, lwres_uint32_t addrtype,
- lwres_uint16_t addrlen, const unsigned char *addr,
- lwres_gnbaresponse_t **structp);
-
-lwres_result_t
-lwres_getrdatabyname(lwres_context_t *ctx, const char *name,
- lwres_uint16_t rdclass, lwres_uint16_t rdtype,
- lwres_uint32_t flags, lwres_grbnresponse_t **structp);
-
-lwres_result_t
-lwres_getaddrsbyname_setup(lwres_context_t *ctx, const char *name,
- lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp);
-
-
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_LWRES_H */
diff --git a/lib/liblwres/include/lwres/netdb.h b/lib/liblwres/include/lwres/netdb.h
deleted file mode 100644
index 2391d31fb..000000000
--- a/lib/liblwres/include/lwres/netdb.h
+++ /dev/null
@@ -1,522 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: netdb.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_NETDB_H
-#define LWRES_NETDB_H 1
-
-#include <stddef.h> /* Required on FreeBSD (and others?) for size_t. */
-#include <netdb.h> /* Contractual provision. */
-
-#include <lwres/lang.h>
-
-/*
- * Define if <netdb.h> does not declare struct addrinfo.
- */
-#undef ISC_LWRES_NEEDADDRINFO
-
-#ifdef ISC_LWRES_NEEDADDRINFO
-struct addrinfo {
- int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
- int ai_family; /* PF_xxx */
- int ai_socktype; /* SOCK_xxx */
- int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
- size_t ai_addrlen; /* Length of ai_addr */
- char *ai_canonname; /* Canonical name for hostname */
- struct sockaddr *ai_addr; /* Binary address */
- struct addrinfo *ai_next; /* Next structure in linked list */
-};
-#endif
-
-/*
- * Undefine all #defines we are interested in as <netdb.h> may or may not have
- * defined them.
- */
-
-/*
- * Error return codes from gethostbyname() and gethostbyaddr()
- * (left in extern int h_errno).
- */
-
-#undef NETDB_INTERNAL
-#undef NETDB_SUCCESS
-#undef HOST_NOT_FOUND
-#undef TRY_AGAIN
-#undef NO_RECOVERY
-#undef NO_DATA
-#undef NO_ADDRESS
-
-#define NETDB_INTERNAL -1 /* see errno */
-#define NETDB_SUCCESS 0 /* no problem */
-#define HOST_NOT_FOUND 1 /* Authoritative Answer Host not found */
-#define TRY_AGAIN 2 /* Non-Authoritive Host not found, or SERVERFAIL */
-#define NO_RECOVERY 3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
-#define NO_DATA 4 /* Valid name, no data record of requested type */
-#define NO_ADDRESS NO_DATA /* no address, look for MX record */
-
-/*
- * Error return codes from getaddrinfo()
- */
-
-#undef EAI_ADDRFAMILY
-#undef EAI_AGAIN
-#undef EAI_BADFLAGS
-#undef EAI_FAIL
-#undef EAI_FAMILY
-#undef EAI_MEMORY
-#undef EAI_NODATA
-#undef EAI_NONAME
-#undef EAI_SERVICE
-#undef EAI_SOCKTYPE
-#undef EAI_SYSTEM
-#undef EAI_BADHINTS
-#undef EAI_PROTOCOL
-#undef EAI_MAX
-
-#define EAI_ADDRFAMILY 1 /* address family for hostname not supported */
-#define EAI_AGAIN 2 /* temporary failure in name resolution */
-#define EAI_BADFLAGS 3 /* invalid value for ai_flags */
-#define EAI_FAIL 4 /* non-recoverable failure in name resolution */
-#define EAI_FAMILY 5 /* ai_family not supported */
-#define EAI_MEMORY 6 /* memory allocation failure */
-#define EAI_NODATA 7 /* no address associated with hostname */
-#define EAI_NONAME 8 /* hostname nor servname provided, or not known */
-#define EAI_SERVICE 9 /* servname not supported for ai_socktype */
-#define EAI_SOCKTYPE 10 /* ai_socktype not supported */
-#define EAI_SYSTEM 11 /* system error returned in errno */
-#define EAI_BADHINTS 12
-#define EAI_PROTOCOL 13
-#define EAI_MAX 14
-
-/*
- * Flag values for getaddrinfo()
- */
-#undef AI_PASSIVE
-#undef AI_CANONNAME
-#undef AI_NUMERICHOST
-
-#define AI_PASSIVE 0x00000001
-#define AI_CANONNAME 0x00000002
-#define AI_NUMERICHOST 0x00000004
-
-/*
- * Flag values for getipnodebyname()
- */
-#undef AI_V4MAPPED
-#undef AI_ALL
-#undef AI_ADDRCONFIG
-#undef AI_DEFAULT
-
-#define AI_V4MAPPED 0x00000008
-#define AI_ALL 0x00000010
-#define AI_ADDRCONFIG 0x00000020
-#define AI_DEFAULT (AI_V4MAPPED|AI_ADDRCONFIG)
-
-/*
- * Constants for lwres_getnameinfo()
- */
-#undef NI_MAXHOST
-#undef NI_MAXSERV
-
-#define NI_MAXHOST 1025
-#define NI_MAXSERV 32
-
-/*
- * Flag values for lwres_getnameinfo()
- */
-#undef NI_NOFQDN
-#undef NI_NUMERICHOST
-#undef NI_NAMEREQD
-#undef NI_NUMERICSERV
-#undef NI_DGRAM
-#undef NI_NUMERICSCOPE
-
-#define NI_NOFQDN 0x00000001
-#define NI_NUMERICHOST 0x00000002
-#define NI_NAMEREQD 0x00000004
-#define NI_NUMERICSERV 0x00000008
-#define NI_DGRAM 0x00000010
-#define NI_NUMERICSCOPE 0x00000020 /*2553bis-00*/
-
-/*
- * Define if <netdb.h> does not declare struct rrsetinfo.
- */
-#define ISC_LWRES_NEEDRRSETINFO 1
-
-#ifdef ISC_LWRES_NEEDRRSETINFO
-/*
- * Structures for getrrsetbyname()
- */
-struct rdatainfo {
- unsigned int rdi_length;
- unsigned char *rdi_data;
-};
-
-struct rrsetinfo {
- unsigned int rri_flags;
- int rri_rdclass;
- int rri_rdtype;
- unsigned int rri_ttl;
- unsigned int rri_nrdatas;
- unsigned int rri_nsigs;
- char *rri_name;
- struct rdatainfo *rri_rdatas;
- struct rdatainfo *rri_sigs;
-};
-
-/*
- * Flags for getrrsetbyname()
- */
-#define RRSET_VALIDATED 0x00000001
- /* Set was dnssec validated */
-
-/*
- * Return codes for getrrsetbyname()
- */
-#define ERRSET_SUCCESS 0
-#define ERRSET_NOMEMORY 1
-#define ERRSET_FAIL 2
-#define ERRSET_INVAL 3
-#define ERRSET_NONAME 4
-#define ERRSET_NODATA 5
-#define ERRSET_RETRY 6
-#endif
-
-/*
- * Define to map into lwres_ namespace.
- */
-
-#define LWRES_NAMESPACE
-
-#ifdef LWRES_NAMESPACE
-
-/*
- * Use our versions not the ones from the C library.
- */
-
-#ifdef getnameinfo
-#undef getnameinfo
-#endif
-#define getnameinfo lwres_getnameinfo
-
-#ifdef getaddrinfo
-#undef getaddrinfo
-#endif
-#define getaddrinfo lwres_getaddrinfo
-
-#ifdef freeaddrinfo
-#undef freeaddrinfo
-#endif
-#define freeaddrinfo lwres_freeaddrinfo
-
-#ifdef gai_strerror
-#undef gai_strerror
-#endif
-#define gai_strerror lwres_gai_strerror
-
-#ifdef herror
-#undef herror
-#endif
-#define herror lwres_herror
-
-#ifdef hstrerror
-#undef hstrerror
-#endif
-#define hstrerror lwres_hstrerror
-
-#ifdef getipnodebyname
-#undef getipnodebyname
-#endif
-#define getipnodebyname lwres_getipnodebyname
-
-#ifdef getipnodebyaddr
-#undef getipnodebyaddr
-#endif
-#define getipnodebyaddr lwres_getipnodebyaddr
-
-#ifdef freehostent
-#undef freehostent
-#endif
-#define freehostent lwres_freehostent
-
-#ifdef gethostbyname
-#undef gethostbyname
-#endif
-#define gethostbyname lwres_gethostbyname
-
-#ifdef gethostbyname2
-#undef gethostbyname2
-#endif
-#define gethostbyname2 lwres_gethostbyname2
-
-#ifdef gethostbyaddr
-#undef gethostbyaddr
-#endif
-#define gethostbyaddr lwres_gethostbyaddr
-
-#ifdef gethostent
-#undef gethostent
-#endif
-#define gethostent lwres_gethostent
-
-#ifdef sethostent
-#undef sethostent
-#endif
-#define sethostent lwres_sethostent
-
-#ifdef endhostent
-#undef endhostent
-#endif
-#define endhostent lwres_endhostent
-
-/* #define sethostfile lwres_sethostfile */
-
-#ifdef gethostbyname_r
-#undef gethostbyname_r
-#endif
-#define gethostbyname_r lwres_gethostbyname_r
-
-#ifdef gethostbyaddr_r
-#undef gethostbyaddr_r
-#endif
-#define gethostbyaddr_r lwres_gethostbyaddr_r
-
-#ifdef gethostent_r
-#undef gethostent_r
-#endif
-#define gethostent_r lwres_gethostent_r
-
-#ifdef sethostent_r
-#undef sethostent_r
-#endif
-#define sethostent_r lwres_sethostent_r
-
-#ifdef endhostent_r
-#undef endhostent_r
-#endif
-#define endhostent_r lwres_endhostent_r
-
-#ifdef getrrsetbyname
-#undef getrrsetbyname
-#endif
-#define getrrsetbyname lwres_getrrsetbyname
-
-#ifdef freerrset
-#undef freerrset
-#endif
-#define freerrset lwres_freerrset
-
-#ifdef notyet
-#define getservbyname lwres_getservbyname
-#define getservbyport lwres_getservbyport
-#define getservent lwres_getservent
-#define setservent lwres_setservent
-#define endservent lwres_endservent
-
-#define getservbyname_r lwres_getservbyname_r
-#define getservbyport_r lwres_getservbyport_r
-#define getservent_r lwres_getservent_r
-#define setservent_r lwres_setservent_r
-#define endservent_r lwres_endservent_r
-
-#define getprotobyname lwres_getprotobyname
-#define getprotobynumber lwres_getprotobynumber
-#define getprotoent lwres_getprotoent
-#define setprotoent lwres_setprotoent
-#define endprotoent lwres_endprotoent
-
-#define getprotobyname_r lwres_getprotobyname_r
-#define getprotobynumber_r lwres_getprotobynumber_r
-#define getprotoent_r lwres_getprotoent_r
-#define setprotoent_r lwres_setprotoent_r
-#define endprotoent_r lwres_endprotoent_r
-
-#ifdef getnetbyname
-#undef getnetbyname
-#endif
-#define getnetbyname lwres_getnetbyname
-
-#ifdef getnetbyaddr
-#undef getnetbyaddr
-#endif
-#define getnetbyaddr lwres_getnetbyaddr
-
-#ifdef getnetent
-#undef getnetent
-#endif
-#define getnetent lwres_getnetent
-
-#ifdef setnetent
-#undef setnetent
-#endif
-#define setnetent lwres_setnetent
-
-#ifdef endnetent
-#undef endnetent
-#endif
-#define endnetent lwres_endnetent
-
-
-#ifdef getnetbyname_r
-#undef getnetbyname_r
-#endif
-#define getnetbyname_r lwres_getnetbyname_r
-
-#ifdef getnetbyaddr_r
-#undef getnetbyaddr_r
-#endif
-#define getnetbyaddr_r lwres_getnetbyaddr_r
-
-#ifdef getnetent_r
-#undef getnetent_r
-#endif
-#define getnetent_r lwres_getnetent_r
-
-#ifdef setnetent_r
-#undef setnetent_r
-#endif
-#define setnetent_r lwres_setnetent_r
-
-#ifdef endnetent_r
-#undef endnetent_r
-#endif
-#define endnetent_r lwres_endnetent_r
-#endif /* notyet */
-
-#ifdef h_errno
-#undef h_errno
-#endif
-#define h_errno lwres_h_errno
-
-#endif /* LWRES_NAMESPACE */
-
-LWRES_LANG_BEGINDECLS
-
-extern int lwres_h_errno;
-
-int lwres_getaddrinfo(const char *, const char *,
- const struct addrinfo *, struct addrinfo **);
-int lwres_getnameinfo(const struct sockaddr *, size_t, char *,
- size_t, char *, size_t, int);
-void lwres_freeaddrinfo(struct addrinfo *);
-char *lwres_gai_strerror(int);
-
-struct hostent *lwres_gethostbyaddr(const char *, int, int);
-struct hostent *lwres_gethostbyname(const char *);
-struct hostent *lwres_gethostbyname2(const char *, int);
-struct hostent *lwres_gethostent(void);
-struct hostent *lwres_getipnodebyname(const char *, int, int, int *);
-struct hostent *lwres_getipnodebyaddr(const void *, size_t, int, int *);
-void lwres_endhostent(void);
-void lwres_sethostent(int);
-/* void lwres_sethostfile(const char *); */
-void lwres_freehostent(struct hostent *);
-
-int lwres_getrrsetbyname(const char *, unsigned int, unsigned int,
- unsigned int, struct rrsetinfo **);
-int lwres_getrrsetbyname_all(const char *, unsigned int,
- unsigned int,
- unsigned int, struct rrsetinfo **);
-void lwres_freerrset(struct rrsetinfo *);
-
-#ifdef notyet
-struct netent *lwres_getnetbyaddr(unsigned long, int);
-struct netent *lwres_getnetbyname(const char *);
-struct netent *lwres_getnetent(void);
-void lwres_endnetent(void);
-void lwres_setnetent(int);
-
-struct protoent *lwres_getprotobyname(const char *);
-struct protoent *lwres_getprotobynumber(int);
-struct protoent *lwres_getprotoent(void);
-void lwres_endprotoent(void);
-void lwres_setprotoent(int);
-
-struct servent *lwres_getservbyname(const char *, const char *);
-struct servent *lwres_getservbyport(int, const char *);
-struct servent *lwres_getservent(void);
-void lwres_endservent(void);
-void lwres_setservent(int);
-#endif /* notyet */
-
-void lwres_herror(const char *);
-const char *lwres_hstrerror(int);
-
-
-struct hostent *lwres_gethostbyaddr_r(const char *, int, int, struct hostent *,
- char *, int, int *);
-struct hostent *lwres_gethostbyname_r(const char *, struct hostent *,
- char *, int, int *);
-struct hostent *lwres_gethostent_r(struct hostent *, char *, int, int *);
-void lwres_sethostent_r(int);
-void lwres_endhostent_r(void);
-
-#ifdef notyet
-struct netent *lwres_getnetbyname_r(const char *, struct netent *,
- char *, int);
-struct netent *lwres_getnetbyaddr_r(long, int, struct netent *,
- char *, int);
-struct netent *lwres_getnetent_r(struct netent *, char *, int);
-void lwres_setnetent_r(int);
-void lwres_endnetent_r(void);
-
-struct protoent *lwres_getprotobyname_r(const char *,
- struct protoent *, char *, int);
-struct protoent *lwres_getprotobynumber_r(int,
- struct protoent *, char *, int);
-struct protoent *lwres_getprotoent_r(struct protoent *, char *, int);
-void lwres_setprotoent_r(int);
-void lwres_endprotoent_r(void);
-
-struct servent *lwres_getservbyname_r(const char *name, const char *,
- struct servent *, char *, int);
-struct servent *lwres_getservbyport_r(int port, const char *,
- struct servent *, char *, int);
-struct servent *lwres_getservent_r(struct servent *, char *, int);
-void lwres_setservent_r(int);
-void lwres_endservent_r(void);
-#endif /* notyet */
-
-LWRES_LANG_ENDDECLS
-
-#ifdef notyet
-/* This is nec'y to make this include file properly replace the sun version. */
-#ifdef sun
-#ifdef __GNU_LIBRARY__
-#include <rpc/netdb.h> /* Required. */
-#else /* !__GNU_LIBRARY__ */
-struct rpcent {
- char *r_name; /* name of server for this rpc program */
- char **r_aliases; /* alias list */
- int r_number; /* rpc program number */
-};
-struct rpcent *lwres_getrpcbyname();
-struct rpcent *lwres_getrpcbynumber(),
-struct rpcent *lwres_getrpcent();
-#endif /* __GNU_LIBRARY__ */
-#endif /* sun */
-#endif /* notyet */
-
-/*
- * Tell Emacs to use C mode on this file.
- * Local variables:
- * mode: c
- * End:
- */
-
-#endif /* LWRES_NETDB_H */
diff --git a/lib/liblwres/include/lwres/netdb.h.in b/lib/liblwres/include/lwres/netdb.h.in
deleted file mode 100644
index 75446e8f8..000000000
--- a/lib/liblwres/include/lwres/netdb.h.in
+++ /dev/null
@@ -1,518 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: netdb.h.in,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_NETDB_H
-#define LWRES_NETDB_H 1
-
-#include <stddef.h> /* Required on FreeBSD (and others?) for size_t. */
-#include <netdb.h> /* Contractual provision. */
-
-#include <lwres/lang.h>
-
-/*
- * Define if <netdb.h> does not declare struct addrinfo.
- */
-@ISC_LWRES_NEEDADDRINFO@
-
-#ifdef ISC_LWRES_NEEDADDRINFO
-struct addrinfo {
- int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
- int ai_family; /* PF_xxx */
- int ai_socktype; /* SOCK_xxx */
- int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
- size_t ai_addrlen; /* Length of ai_addr */
- char *ai_canonname; /* Canonical name for hostname */
- struct sockaddr *ai_addr; /* Binary address */
- struct addrinfo *ai_next; /* Next structure in linked list */
-};
-#endif
-
-/*
- * Undefine all #defines we are interested in as <netdb.h> may or may not have
- * defined them.
- */
-
-/*
- * Error return codes from gethostbyname() and gethostbyaddr()
- * (left in extern int h_errno).
- */
-
-#undef NETDB_INTERNAL
-#undef NETDB_SUCCESS
-#undef HOST_NOT_FOUND
-#undef TRY_AGAIN
-#undef NO_RECOVERY
-#undef NO_DATA
-#undef NO_ADDRESS
-
-#define NETDB_INTERNAL -1 /* see errno */
-#define NETDB_SUCCESS 0 /* no problem */
-#define HOST_NOT_FOUND 1 /* Authoritative Answer Host not found */
-#define TRY_AGAIN 2 /* Non-Authoritive Host not found, or SERVERFAIL */
-#define NO_RECOVERY 3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
-#define NO_DATA 4 /* Valid name, no data record of requested type */
-#define NO_ADDRESS NO_DATA /* no address, look for MX record */
-
-/*
- * Error return codes from getaddrinfo()
- */
-
-#undef EAI_ADDRFAMILY
-#undef EAI_AGAIN
-#undef EAI_BADFLAGS
-#undef EAI_FAIL
-#undef EAI_FAMILY
-#undef EAI_MEMORY
-#undef EAI_NODATA
-#undef EAI_NONAME
-#undef EAI_SERVICE
-#undef EAI_SOCKTYPE
-#undef EAI_SYSTEM
-#undef EAI_BADHINTS
-#undef EAI_PROTOCOL
-#undef EAI_MAX
-
-#define EAI_ADDRFAMILY 1 /* address family for hostname not supported */
-#define EAI_AGAIN 2 /* temporary failure in name resolution */
-#define EAI_BADFLAGS 3 /* invalid value for ai_flags */
-#define EAI_FAIL 4 /* non-recoverable failure in name resolution */
-#define EAI_FAMILY 5 /* ai_family not supported */
-#define EAI_MEMORY 6 /* memory allocation failure */
-#define EAI_NODATA 7 /* no address associated with hostname */
-#define EAI_NONAME 8 /* hostname nor servname provided, or not known */
-#define EAI_SERVICE 9 /* servname not supported for ai_socktype */
-#define EAI_SOCKTYPE 10 /* ai_socktype not supported */
-#define EAI_SYSTEM 11 /* system error returned in errno */
-#define EAI_BADHINTS 12
-#define EAI_PROTOCOL 13
-#define EAI_MAX 14
-
-/*
- * Flag values for getaddrinfo()
- */
-#undef AI_PASSIVE
-#undef AI_CANONNAME
-#undef AI_NUMERICHOST
-
-#define AI_PASSIVE 0x00000001
-#define AI_CANONNAME 0x00000002
-#define AI_NUMERICHOST 0x00000004
-
-/*
- * Flag values for getipnodebyname()
- */
-#undef AI_V4MAPPED
-#undef AI_ALL
-#undef AI_ADDRCONFIG
-#undef AI_DEFAULT
-
-#define AI_V4MAPPED 0x00000008
-#define AI_ALL 0x00000010
-#define AI_ADDRCONFIG 0x00000020
-#define AI_DEFAULT (AI_V4MAPPED|AI_ADDRCONFIG)
-
-/*
- * Constants for lwres_getnameinfo()
- */
-#undef NI_MAXHOST
-#undef NI_MAXSERV
-
-#define NI_MAXHOST 1025
-#define NI_MAXSERV 32
-
-/*
- * Flag values for lwres_getnameinfo()
- */
-#undef NI_NOFQDN
-#undef NI_NUMERICHOST
-#undef NI_NAMEREQD
-#undef NI_NUMERICSERV
-#undef NI_DGRAM
-#undef NI_NUMERICSCOPE
-
-#define NI_NOFQDN 0x00000001
-#define NI_NUMERICHOST 0x00000002
-#define NI_NAMEREQD 0x00000004
-#define NI_NUMERICSERV 0x00000008
-#define NI_DGRAM 0x00000010
-#define NI_NUMERICSCOPE 0x00000020 /*2553bis-00*/
-
-/*
- * Define if <netdb.h> does not declare struct rrsetinfo.
- */
-@ISC_LWRES_NEEDRRSETINFO@
-
-#ifdef ISC_LWRES_NEEDRRSETINFO
-/*
- * Structures for getrrsetbyname()
- */
-struct rdatainfo {
- unsigned int rdi_length;
- unsigned char *rdi_data;
-};
-
-struct rrsetinfo {
- unsigned int rri_flags;
- int rri_rdclass;
- int rri_rdtype;
- unsigned int rri_ttl;
- unsigned int rri_nrdatas;
- unsigned int rri_nsigs;
- char *rri_name;
- struct rdatainfo *rri_rdatas;
- struct rdatainfo *rri_sigs;
-};
-
-/*
- * Flags for getrrsetbyname()
- */
-#define RRSET_VALIDATED 0x00000001
- /* Set was dnssec validated */
-
-/*
- * Return codes for getrrsetbyname()
- */
-#define ERRSET_SUCCESS 0
-#define ERRSET_NOMEMORY 1
-#define ERRSET_FAIL 2
-#define ERRSET_INVAL 3
-#define ERRSET_NONAME 4
-#define ERRSET_NODATA 5
-#endif
-
-/*
- * Define to map into lwres_ namespace.
- */
-
-#define LWRES_NAMESPACE
-
-#ifdef LWRES_NAMESPACE
-
-/*
- * Use our versions not the ones from the C library.
- */
-
-#ifdef getnameinfo
-#undef getnameinfo
-#endif
-#define getnameinfo lwres_getnameinfo
-
-#ifdef getaddrinfo
-#undef getaddrinfo
-#endif
-#define getaddrinfo lwres_getaddrinfo
-
-#ifdef freeaddrinfo
-#undef freeaddrinfo
-#endif
-#define freeaddrinfo lwres_freeaddrinfo
-
-#ifdef gai_strerror
-#undef gai_strerror
-#endif
-#define gai_strerror lwres_gai_strerror
-
-#ifdef herror
-#undef herror
-#endif
-#define herror lwres_herror
-
-#ifdef hstrerror
-#undef hstrerror
-#endif
-#define hstrerror lwres_hstrerror
-
-#ifdef getipnodebyname
-#undef getipnodebyname
-#endif
-#define getipnodebyname lwres_getipnodebyname
-
-#ifdef getipnodebyaddr
-#undef getipnodebyaddr
-#endif
-#define getipnodebyaddr lwres_getipnodebyaddr
-
-#ifdef freehostent
-#undef freehostent
-#endif
-#define freehostent lwres_freehostent
-
-#ifdef gethostbyname
-#undef gethostbyname
-#endif
-#define gethostbyname lwres_gethostbyname
-
-#ifdef gethostbyname2
-#undef gethostbyname2
-#endif
-#define gethostbyname2 lwres_gethostbyname2
-
-#ifdef gethostbyaddr
-#undef gethostbyaddr
-#endif
-#define gethostbyaddr lwres_gethostbyaddr
-
-#ifdef gethostent
-#undef gethostent
-#endif
-#define gethostent lwres_gethostent
-
-#ifdef sethostent
-#undef sethostent
-#endif
-#define sethostent lwres_sethostent
-
-#ifdef endhostent
-#undef endhostent
-#endif
-#define endhostent lwres_endhostent
-
-/* #define sethostfile lwres_sethostfile */
-
-#ifdef gethostbyname_r
-#undef gethostbyname_r
-#endif
-#define gethostbyname_r lwres_gethostbyname_r
-
-#ifdef gethostbyaddr_r
-#undef gethostbyaddr_r
-#endif
-#define gethostbyaddr_r lwres_gethostbyaddr_r
-
-#ifdef gethostent_r
-#undef gethostent_r
-#endif
-#define gethostent_r lwres_gethostent_r
-
-#ifdef sethostent_r
-#undef sethostent_r
-#endif
-#define sethostent_r lwres_sethostent_r
-
-#ifdef endhostent_r
-#undef endhostent_r
-#endif
-#define endhostent_r lwres_endhostent_r
-
-#ifdef getrrsetbyname
-#undef getrrsetbyname
-#endif
-#define getrrsetbyname lwres_getrrsetbyname
-
-#ifdef freerrset
-#undef freerrset
-#endif
-#define freerrset lwres_freerrset
-
-#ifdef notyet
-#define getservbyname lwres_getservbyname
-#define getservbyport lwres_getservbyport
-#define getservent lwres_getservent
-#define setservent lwres_setservent
-#define endservent lwres_endservent
-
-#define getservbyname_r lwres_getservbyname_r
-#define getservbyport_r lwres_getservbyport_r
-#define getservent_r lwres_getservent_r
-#define setservent_r lwres_setservent_r
-#define endservent_r lwres_endservent_r
-
-#define getprotobyname lwres_getprotobyname
-#define getprotobynumber lwres_getprotobynumber
-#define getprotoent lwres_getprotoent
-#define setprotoent lwres_setprotoent
-#define endprotoent lwres_endprotoent
-
-#define getprotobyname_r lwres_getprotobyname_r
-#define getprotobynumber_r lwres_getprotobynumber_r
-#define getprotoent_r lwres_getprotoent_r
-#define setprotoent_r lwres_setprotoent_r
-#define endprotoent_r lwres_endprotoent_r
-
-#ifdef getnetbyname
-#undef getnetbyname
-#endif
-#define getnetbyname lwres_getnetbyname
-
-#ifdef getnetbyaddr
-#undef getnetbyaddr
-#endif
-#define getnetbyaddr lwres_getnetbyaddr
-
-#ifdef getnetent
-#undef getnetent
-#endif
-#define getnetent lwres_getnetent
-
-#ifdef setnetent
-#undef setnetent
-#endif
-#define setnetent lwres_setnetent
-
-#ifdef endnetent
-#undef endnetent
-#endif
-#define endnetent lwres_endnetent
-
-
-#ifdef getnetbyname_r
-#undef getnetbyname_r
-#endif
-#define getnetbyname_r lwres_getnetbyname_r
-
-#ifdef getnetbyaddr_r
-#undef getnetbyaddr_r
-#endif
-#define getnetbyaddr_r lwres_getnetbyaddr_r
-
-#ifdef getnetent_r
-#undef getnetent_r
-#endif
-#define getnetent_r lwres_getnetent_r
-
-#ifdef setnetent_r
-#undef setnetent_r
-#endif
-#define setnetent_r lwres_setnetent_r
-
-#ifdef endnetent_r
-#undef endnetent_r
-#endif
-#define endnetent_r lwres_endnetent_r
-#endif /* notyet */
-
-#ifdef h_errno
-#undef h_errno
-#endif
-#define h_errno lwres_h_errno
-
-#endif /* LWRES_NAMESPACE */
-
-LWRES_LANG_BEGINDECLS
-
-extern int lwres_h_errno;
-
-int lwres_getaddrinfo(const char *, const char *,
- const struct addrinfo *, struct addrinfo **);
-int lwres_getnameinfo(const struct sockaddr *, size_t, char *,
- size_t, char *, size_t, int);
-void lwres_freeaddrinfo(struct addrinfo *);
-char *lwres_gai_strerror(int);
-
-struct hostent *lwres_gethostbyaddr(const char *, int, int);
-struct hostent *lwres_gethostbyname(const char *);
-struct hostent *lwres_gethostbyname2(const char *, int);
-struct hostent *lwres_gethostent(void);
-struct hostent *lwres_getipnodebyname(const char *, int, int, int *);
-struct hostent *lwres_getipnodebyaddr(const void *, size_t, int, int *);
-void lwres_endhostent(void);
-void lwres_sethostent(int);
-/* void lwres_sethostfile(const char *); */
-void lwres_freehostent(struct hostent *);
-
-int lwres_getrrsetbyname(const char *, unsigned int, unsigned int,
- unsigned int, struct rrsetinfo **);
-void lwres_freerrset(struct rrsetinfo *);
-
-#ifdef notyet
-struct netent *lwres_getnetbyaddr(unsigned long, int);
-struct netent *lwres_getnetbyname(const char *);
-struct netent *lwres_getnetent(void);
-void lwres_endnetent(void);
-void lwres_setnetent(int);
-
-struct protoent *lwres_getprotobyname(const char *);
-struct protoent *lwres_getprotobynumber(int);
-struct protoent *lwres_getprotoent(void);
-void lwres_endprotoent(void);
-void lwres_setprotoent(int);
-
-struct servent *lwres_getservbyname(const char *, const char *);
-struct servent *lwres_getservbyport(int, const char *);
-struct servent *lwres_getservent(void);
-void lwres_endservent(void);
-void lwres_setservent(int);
-#endif /* notyet */
-
-void lwres_herror(const char *);
-const char *lwres_hstrerror(int);
-
-
-struct hostent *lwres_gethostbyaddr_r(const char *, int, int, struct hostent *,
- char *, int, int *);
-struct hostent *lwres_gethostbyname_r(const char *, struct hostent *,
- char *, int, int *);
-struct hostent *lwres_gethostent_r(struct hostent *, char *, int, int *);
-void lwres_sethostent_r(int);
-void lwres_endhostent_r(void);
-
-#ifdef notyet
-struct netent *lwres_getnetbyname_r(const char *, struct netent *,
- char *, int);
-struct netent *lwres_getnetbyaddr_r(long, int, struct netent *,
- char *, int);
-struct netent *lwres_getnetent_r(struct netent *, char *, int);
-void lwres_setnetent_r(int);
-void lwres_endnetent_r(void);
-
-struct protoent *lwres_getprotobyname_r(const char *,
- struct protoent *, char *, int);
-struct protoent *lwres_getprotobynumber_r(int,
- struct protoent *, char *, int);
-struct protoent *lwres_getprotoent_r(struct protoent *, char *, int);
-void lwres_setprotoent_r(int);
-void lwres_endprotoent_r(void);
-
-struct servent *lwres_getservbyname_r(const char *name, const char *,
- struct servent *, char *, int);
-struct servent *lwres_getservbyport_r(int port, const char *,
- struct servent *, char *, int);
-struct servent *lwres_getservent_r(struct servent *, char *, int);
-void lwres_setservent_r(int);
-void lwres_endservent_r(void);
-#endif /* notyet */
-
-LWRES_LANG_ENDDECLS
-
-#ifdef notyet
-/* This is nec'y to make this include file properly replace the sun version. */
-#ifdef sun
-#ifdef __GNU_LIBRARY__
-#include <rpc/netdb.h> /* Required. */
-#else /* !__GNU_LIBRARY__ */
-struct rpcent {
- char *r_name; /* name of server for this rpc program */
- char **r_aliases; /* alias list */
- int r_number; /* rpc program number */
-};
-struct rpcent *lwres_getrpcbyname();
-struct rpcent *lwres_getrpcbynumber(),
-struct rpcent *lwres_getrpcent();
-#endif /* __GNU_LIBRARY__ */
-#endif /* sun */
-#endif /* notyet */
-
-/*
- * Tell Emacs to use C mode on this file.
- * Local variables:
- * mode: c
- * End:
- */
-
-#endif /* LWRES_NETDB_H */
diff --git a/lib/liblwres/include/lwres/platform.h b/lib/liblwres/include/lwres/platform.h
deleted file mode 100644
index af4c615d9..000000000
--- a/lib/liblwres/include/lwres/platform.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: platform.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_PLATFORM_H
-#define LWRES_PLATFORM_H 1
-
-/*****
- ***** Platform-dependent defines.
- *****/
-
-/***
- *** Network.
- ***/
-
-/*
- * Define if this system needs the <netinet/in6.h> header file for IPv6.
- */
-#undef LWRES_PLATFORM_NEEDNETINETIN6H
-
-/*
- * Define if this system needs the <netinet6/in6.h> header file for IPv6.
- */
-#undef LWRES_PLATFORM_NEEDNETINET6IN6H
-
-/*
- * If sockaddrs on this system have an sa_len field, LWRES_PLATFORM_HAVESALEN
- * will be defined.
- */
-#undef LWRES_PLATFORM_HAVESALEN
-
-/*
- * If this system has the IPv6 structure definitions, LWRES_PLATFORM_HAVEIPV6
- * will be defined.
- */
-#define LWRES_PLATFORM_HAVEIPV6 1
-
-/*
- * If this system is missing in6addr_any, LWRES_PLATFORM_NEEDIN6ADDRANY will
- * be defined.
- */
-#undef LWRES_PLATFORM_NEEDIN6ADDRANY
-
-/*
- * If this system is missing in6addr_loopback,
- * LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK will be defined.
- */
-#undef LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK
-
-/*
- * If this system has in_addr6, rather than in6_addr,
- * LWRES_PLATFORM_HAVEINADDR6 will be defined.
- */
-#undef LWRES_PLATFORM_HAVEINADDR6
-
-/*
- * Defined if unistd.h does not cause fd_set to be delared.
- */
-#define LWRES_PLATFORM_NEEDSYSSELECTH 1
-
-/*
- * Used to control how extern data is linked; needed for Win32 platforms.
- */
-#undef LWRES_PLATFORM_USEDECLSPEC
-
-#ifndef LWRES_PLATFORM_USEDECLSPEC
-#define LIBLWRES_EXTERNAL_DATA
-#else
-#ifdef LIBLWRES_EXPORTS
-#define LIBLWRES_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBLWRES_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#endif
-
-#endif /* LWRES_PLATFORM_H */
diff --git a/lib/liblwres/include/lwres/platform.h.in b/lib/liblwres/include/lwres/platform.h.in
deleted file mode 100644
index c679d8fae..000000000
--- a/lib/liblwres/include/lwres/platform.h.in
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: platform.h.in,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_PLATFORM_H
-#define LWRES_PLATFORM_H 1
-
-/*****
- ***** Platform-dependent defines.
- *****/
-
-/***
- *** Network.
- ***/
-
-/*
- * Define if this system needs the <netinet/in6.h> header file for IPv6.
- */
-@LWRES_PLATFORM_NEEDNETINETIN6H@
-
-/*
- * Define if this system needs the <netinet6/in6.h> header file for IPv6.
- */
-@LWRES_PLATFORM_NEEDNETINET6IN6H@
-
-/*
- * If sockaddrs on this system have an sa_len field, LWRES_PLATFORM_HAVESALEN
- * will be defined.
- */
-@LWRES_PLATFORM_HAVESALEN@
-
-/*
- * If this system has the IPv6 structure definitions, LWRES_PLATFORM_HAVEIPV6
- * will be defined.
- */
-@LWRES_PLATFORM_HAVEIPV6@
-
-/*
- * If this system is missing in6addr_any, LWRES_PLATFORM_NEEDIN6ADDRANY will
- * be defined.
- */
-@LWRES_PLATFORM_NEEDIN6ADDRANY@
-
-/*
- * If this system is missing in6addr_loopback,
- * LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK will be defined.
- */
-@LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK@
-
-/*
- * If this system has in_addr6, rather than in6_addr,
- * LWRES_PLATFORM_HAVEINADDR6 will be defined.
- */
-@LWRES_PLATFORM_HAVEINADDR6@
-
-/*
- * Defined if unistd.h does not cause fd_set to be delared.
- */
-@LWRES_PLATFORM_NEEDSYSSELECTH@
-
-/*
- * Used to control how extern data is linked; needed for Win32 platforms.
- */
-@LWRES_PLATFORM_USEDECLSPEC@
-
-#ifndef LWRES_PLATFORM_USEDECLSPEC
-#define LIBLWRES_EXTERNAL_DATA
-#else
-#ifdef LIBLWRES_EXPORTS
-#define LIBLWRES_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBLWRES_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#endif
-
-#endif /* LWRES_PLATFORM_H */
diff --git a/lib/liblwres/include/lwres/result.h b/lib/liblwres/include/lwres/result.h
deleted file mode 100644
index 42e1bccea..000000000
--- a/lib/liblwres/include/lwres/result.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: result.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_RESULT_H
-#define LWRES_RESULT_H 1
-
-typedef unsigned int lwres_result_t;
-
-#define LWRES_R_SUCCESS 0
-#define LWRES_R_NOMEMORY 1
-#define LWRES_R_TIMEOUT 2
-#define LWRES_R_NOTFOUND 3
-#define LWRES_R_UNEXPECTEDEND 4 /* unexpected end of input */
-#define LWRES_R_FAILURE 5 /* generic failure */
-#define LWRES_R_IOERROR 6
-#define LWRES_R_NOTIMPLEMENTED 7
-#define LWRES_R_UNEXPECTED 8
-#define LWRES_R_TRAILINGDATA 9
-#define LWRES_R_INCOMPLETE 10
-#define LWRES_R_RETRY 11
-#define LWRES_R_TYPENOTFOUND 12
-#define LWRES_R_TOOLARGE 13
-
-#endif /* LWRES_RESULT_H */
diff --git a/lib/liblwres/lwbuffer.c b/lib/liblwres/lwbuffer.c
deleted file mode 100644
index 465ad2569..000000000
--- a/lib/liblwres/lwbuffer.c
+++ /dev/null
@@ -1,287 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwbuffer.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-
-#include "assert_p.h"
-
-void
-lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length)
-{
- /*
- * Make 'b' refer to the 'length'-byte region starting at base.
- */
-
- REQUIRE(b != NULL);
-
- b->magic = LWRES_BUFFER_MAGIC;
- b->base = base;
- b->length = length;
- b->used = 0;
- b->current = 0;
- b->active = 0;
-}
-
-void
-lwres_buffer_invalidate(lwres_buffer_t *b)
-{
- /*
- * Make 'b' an invalid buffer.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
-
- b->magic = 0;
- b->base = NULL;
- b->length = 0;
- b->used = 0;
- b->current = 0;
- b->active = 0;
-}
-
-void
-lwres_buffer_add(lwres_buffer_t *b, unsigned int n)
-{
- /*
- * Increase the 'used' region of 'b' by 'n' bytes.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used + n <= b->length);
-
- b->used += n;
-}
-
-void
-lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n)
-{
- /*
- * Decrease the 'used' region of 'b' by 'n' bytes.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used >= n);
-
- b->used -= n;
- if (b->current > b->used)
- b->current = b->used;
- if (b->active > b->used)
- b->active = b->used;
-}
-
-void
-lwres_buffer_clear(lwres_buffer_t *b)
-{
- /*
- * Make the used region empty.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
-
- b->used = 0;
- b->current = 0;
- b->active = 0;
-}
-
-void
-lwres_buffer_first(lwres_buffer_t *b)
-{
- /*
- * Make the consumed region empty.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
-
- b->current = 0;
-}
-
-void
-lwres_buffer_forward(lwres_buffer_t *b, unsigned int n)
-{
- /*
- * Increase the 'consumed' region of 'b' by 'n' bytes.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->current + n <= b->used);
-
- b->current += n;
-}
-
-void
-lwres_buffer_back(lwres_buffer_t *b, unsigned int n)
-{
- /*
- * Decrease the 'consumed' region of 'b' by 'n' bytes.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(n <= b->current);
-
- b->current -= n;
-}
-
-lwres_uint8_t
-lwres_buffer_getuint8(lwres_buffer_t *b)
-{
- unsigned char *cp;
- lwres_uint8_t result;
-
- /*
- * Read an unsigned 8-bit integer from 'b' and return it.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used - b->current >= 1);
-
- cp = b->base;
- cp += b->current;
- b->current += 1;
- result = ((unsigned int)(cp[0]));
-
- return (result);
-}
-
-void
-lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val)
-{
- unsigned char *cp;
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used + 1 <= b->length);
-
- cp = b->base;
- cp += b->used;
- b->used += 1;
- cp[0] = (val & 0x00ff);
-}
-
-lwres_uint16_t
-lwres_buffer_getuint16(lwres_buffer_t *b)
-{
- unsigned char *cp;
- lwres_uint16_t result;
-
- /*
- * Read an unsigned 16-bit integer in network byte order from 'b',
- * convert it to host byte order, and return it.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used - b->current >= 2);
-
- cp = b->base;
- cp += b->current;
- b->current += 2;
- result = ((unsigned int)(cp[0])) << 8;
- result |= ((unsigned int)(cp[1]));
-
- return (result);
-}
-
-void
-lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val)
-{
- unsigned char *cp;
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used + 2 <= b->length);
-
- cp = b->base;
- cp += b->used;
- b->used += 2;
- cp[0] = (val & 0xff00) >> 8;
- cp[1] = (val & 0x00ff);
-}
-
-lwres_uint32_t
-lwres_buffer_getuint32(lwres_buffer_t *b)
-{
- unsigned char *cp;
- lwres_uint32_t result;
-
- /*
- * Read an unsigned 32-bit integer in network byte order from 'b',
- * convert it to host byte order, and return it.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used - b->current >= 4);
-
- cp = b->base;
- cp += b->current;
- b->current += 4;
- result = ((unsigned int)(cp[0])) << 24;
- result |= ((unsigned int)(cp[1])) << 16;
- result |= ((unsigned int)(cp[2])) << 8;
- result |= ((unsigned int)(cp[3]));
-
- return (result);
-}
-
-void
-lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val)
-{
- unsigned char *cp;
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used + 4 <= b->length);
-
- cp = b->base;
- cp += b->used;
- b->used += 4;
- cp[0] = (unsigned char)((val & 0xff000000) >> 24);
- cp[1] = (unsigned char)((val & 0x00ff0000) >> 16);
- cp[2] = (unsigned char)((val & 0x0000ff00) >> 8);
- cp[3] = (unsigned char)(val & 0x000000ff);
-}
-
-void
-lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base,
- unsigned int length)
-{
- unsigned char *cp;
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used + length <= b->length);
-
- cp = (unsigned char *)b->base + b->used;
- memcpy(cp, base, length);
- b->used += length;
-}
-
-void
-lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base,
- unsigned int length)
-{
- unsigned char *cp;
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used - b->current >= length);
-
- cp = b->base;
- cp += b->current;
- b->current += length;
-
- memcpy(base, cp, length);
-}
diff --git a/lib/liblwres/lwconfig.c b/lib/liblwres/lwconfig.c
deleted file mode 100644
index f1c19b697..000000000
--- a/lib/liblwres/lwconfig.c
+++ /dev/null
@@ -1,703 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwconfig.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-/***
- *** Module for parsing resolv.conf files.
- ***
- *** entry points are:
- *** lwres_conf_init(lwres_context_t *ctx)
- *** intializes data structure for subsequent config parsing.
- ***
- *** lwres_conf_parse(lwres_context_t *ctx, const char *filename)
- *** parses a file and fills in the data structure.
- ***
- *** lwres_conf_print(lwres_context_t *ctx, FILE *fp)
- *** prints the config data structure to the FILE.
- ***
- *** lwres_conf_clear(lwres_context_t *ctx)
- *** frees up all the internal memory used by the config data
- *** structure, returning it to the lwres_context_t.
- ***
- ***/
-
-#include <config.h>
-
-#include <assert.h>
-#include <ctype.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/result.h>
-
-#include "assert_p.h"
-#include "context_p.h"
-
-
-#if ! defined(NS_INADDRSZ)
-#define NS_INADDRSZ 4
-#endif
-
-#if ! defined(NS_IN6ADDRSZ)
-#define NS_IN6ADDRSZ 16
-#endif
-
-static lwres_result_t
-lwres_conf_parsenameserver(lwres_context_t *ctx, FILE *fp);
-
-static lwres_result_t
-lwres_conf_parselwserver(lwres_context_t *ctx, FILE *fp);
-
-static lwres_result_t
-lwres_conf_parsedomain(lwres_context_t *ctx, FILE *fp);
-
-static lwres_result_t
-lwres_conf_parsesearch(lwres_context_t *ctx, FILE *fp);
-
-static lwres_result_t
-lwres_conf_parsesortlist(lwres_context_t *ctx, FILE *fp);
-
-static lwres_result_t
-lwres_conf_parseoption(lwres_context_t *ctx, FILE *fp);
-
-static void
-lwres_resetaddr(lwres_addr_t *addr);
-
-static lwres_result_t
-lwres_create_addr(const char *buff, lwres_addr_t *addr, int convert_zero);
-
-static int lwresaddr2af(int lwresaddrtype);
-
-
-static int
-lwresaddr2af(int lwresaddrtype)
-{
- int af = 0;
-
- switch (lwresaddrtype) {
- case LWRES_ADDRTYPE_V4:
- af = AF_INET;
- break;
-
- case LWRES_ADDRTYPE_V6:
- af = AF_INET6;
- break;
- }
-
- return (af);
-}
-
-
-/*
- * Eat characters from FP until EOL or EOF. Returns EOF or '\n'
- */
-static int
-eatline(FILE *fp) {
- int ch;
-
- ch = fgetc(fp);
- while (ch != '\n' && ch != EOF)
- ch = fgetc(fp);
-
- return (ch);
-}
-
-
-/*
- * Eats white space up to next newline or non-whitespace character (of
- * EOF). Returns the last character read. Comments are considered white
- * space.
- */
-static int
-eatwhite(FILE *fp) {
- int ch;
-
- ch = fgetc(fp);
- while (ch != '\n' && ch != EOF && isspace((unsigned char)ch))
- ch = fgetc(fp);
-
- if (ch == ';' || ch == '#')
- ch = eatline(fp);
-
- return (ch);
-}
-
-
-/*
- * Skip over any leading whitespace and then read in the next sequence of
- * non-whitespace characters. In this context newline is not considered
- * whitespace. Returns EOF on end-of-file, or the character
- * that caused the reading to stop.
- */
-static int
-getword(FILE *fp, char *buffer, size_t size) {
- int ch;
- char *p = buffer;
-
- REQUIRE(buffer != NULL);
- REQUIRE(size > 0);
-
- *p = '\0';
-
- ch = eatwhite(fp);
-
- if (ch == EOF)
- return (EOF);
-
- do {
- *p = '\0';
-
- if (ch == EOF || isspace((unsigned char)ch))
- break;
- else if ((size_t) (p - buffer) == size - 1)
- return (EOF); /* Not enough space. */
-
- *p++ = (char)ch;
- ch = fgetc(fp);
- } while (1);
-
- return (ch);
-}
-
-static void
-lwres_resetaddr(lwres_addr_t *addr) {
- REQUIRE(addr != NULL);
-
- memset(addr->address, 0, LWRES_ADDR_MAXLEN);
- addr->family = 0;
- addr->length = 0;
-}
-
-static char *
-lwres_strdup(lwres_context_t *ctx, const char *str) {
- char *p;
-
- REQUIRE(str != NULL);
- REQUIRE(strlen(str) > 0);
-
- p = CTXMALLOC(strlen(str) + 1);
- if (p != NULL)
- strcpy(p, str);
-
- return (p);
-}
-
-void
-lwres_conf_init(lwres_context_t *ctx) {
- int i;
- lwres_conf_t *confdata;
-
- REQUIRE(ctx != NULL);
- confdata = &ctx->confdata;
-
- confdata->nsnext = 0;
- confdata->lwnext = 0;
- confdata->domainname = NULL;
- confdata->searchnxt = 0;
- confdata->sortlistnxt = 0;
- confdata->resdebug = 0;
- confdata->ndots = 1;
- confdata->no_tld_query = 0;
-
- for (i = 0 ; i < LWRES_CONFMAXNAMESERVERS ; i++)
- lwres_resetaddr(&confdata->nameservers[i]);
-
- for (i = 0 ; i < LWRES_CONFMAXSEARCH ; i++)
- confdata->search[i] = NULL;
-
- for (i = 0 ; i < LWRES_CONFMAXSORTLIST ; i++) {
- lwres_resetaddr(&confdata->sortlist[i].addr);
- lwres_resetaddr(&confdata->sortlist[i].mask);
- }
-}
-
-void
-lwres_conf_clear(lwres_context_t *ctx) {
- int i;
- lwres_conf_t *confdata;
-
- REQUIRE(ctx != NULL);
- confdata = &ctx->confdata;
-
- for (i = 0 ; i < confdata->nsnext ; i++)
- lwres_resetaddr(&confdata->nameservers[i]);
-
- if (confdata->domainname != NULL) {
- CTXFREE(confdata->domainname,
- strlen(confdata->domainname) + 1);
- confdata->domainname = NULL;
- }
-
- for (i = 0 ; i < confdata->searchnxt ; i++) {
- if (confdata->search[i] != NULL) {
- CTXFREE(confdata->search[i],
- strlen(confdata->search[i]) + 1);
- confdata->search[i] = NULL;
- }
- }
-
- for (i = 0 ; i < LWRES_CONFMAXSORTLIST ; i++) {
- lwres_resetaddr(&confdata->sortlist[i].addr);
- lwres_resetaddr(&confdata->sortlist[i].mask);
- }
-
- confdata->nsnext = 0;
- confdata->lwnext = 0;
- confdata->domainname = NULL;
- confdata->searchnxt = 0;
- confdata->sortlistnxt = 0;
- confdata->resdebug = 0;
- confdata->ndots = 1;
- confdata->no_tld_query = 0;
-}
-
-static lwres_result_t
-lwres_conf_parsenameserver(lwres_context_t *ctx, FILE *fp) {
- char word[LWRES_CONFMAXLINELEN];
- int res;
- lwres_conf_t *confdata;
-
- confdata = &ctx->confdata;
-
- if (confdata->nsnext == LWRES_CONFMAXNAMESERVERS)
- return (LWRES_R_SUCCESS);
-
- res = getword(fp, word, sizeof(word));
- if (strlen(word) == 0)
- return (LWRES_R_FAILURE); /* Nothing on line. */
- else if (res == ' ' || res == '\t')
- res = eatwhite(fp);
-
- if (res != EOF && res != '\n')
- return (LWRES_R_FAILURE); /* Extra junk on line. */
-
- res = lwres_create_addr(word,
- &confdata->nameservers[confdata->nsnext++], 1);
- if (res != LWRES_R_SUCCESS)
- return (res);
-
- return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parselwserver(lwres_context_t *ctx, FILE *fp) {
- char word[LWRES_CONFMAXLINELEN];
- int res;
- lwres_conf_t *confdata;
-
- confdata = &ctx->confdata;
-
- if (confdata->lwnext == LWRES_CONFMAXLWSERVERS)
- return (LWRES_R_SUCCESS);
-
- res = getword(fp, word, sizeof(word));
- if (strlen(word) == 0)
- return (LWRES_R_FAILURE); /* Nothing on line. */
- else if (res == ' ' || res == '\t')
- res = eatwhite(fp);
-
- if (res != EOF && res != '\n')
- return (LWRES_R_FAILURE); /* Extra junk on line. */
-
- res = lwres_create_addr(word,
- &confdata->lwservers[confdata->lwnext++], 1);
- if (res != LWRES_R_SUCCESS)
- return (res);
-
- return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parsedomain(lwres_context_t *ctx, FILE *fp) {
- char word[LWRES_CONFMAXLINELEN];
- int res, i;
- lwres_conf_t *confdata;
-
- confdata = &ctx->confdata;
-
- res = getword(fp, word, sizeof(word));
- if (strlen(word) == 0)
- return (LWRES_R_FAILURE); /* Nothing else on line. */
- else if (res == ' ' || res == '\t')
- res = eatwhite(fp);
-
- if (res != EOF && res != '\n')
- return (LWRES_R_FAILURE); /* Extra junk on line. */
-
- if (confdata->domainname != NULL)
- CTXFREE(confdata->domainname,
- strlen(confdata->domainname) + 1); /* */
-
- /*
- * Search and domain are mutually exclusive.
- */
- for (i = 0 ; i < LWRES_CONFMAXSEARCH ; i++) {
- if (confdata->search[i] != NULL) {
- CTXFREE(confdata->search[i],
- strlen(confdata->search[i])+1);
- confdata->search[i] = NULL;
- }
- }
- confdata->searchnxt = 0;
-
- confdata->domainname = lwres_strdup(ctx, word);
-
- if (confdata->domainname == NULL)
- return (LWRES_R_FAILURE);
-
- return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parsesearch(lwres_context_t *ctx, FILE *fp) {
- int idx, delim;
- char word[LWRES_CONFMAXLINELEN];
- lwres_conf_t *confdata;
-
- confdata = &ctx->confdata;
-
- if (confdata->domainname != NULL) {
- /*
- * Search and domain are mutually exclusive.
- */
- CTXFREE(confdata->domainname,
- strlen(confdata->domainname) + 1);
- confdata->domainname = NULL;
- }
-
- /*
- * Remove any previous search definitions.
- */
- for (idx = 0 ; idx < LWRES_CONFMAXSEARCH ; idx++) {
- if (confdata->search[idx] != NULL) {
- CTXFREE(confdata->search[idx],
- strlen(confdata->search[idx])+1);
- confdata->search[idx] = NULL;
- }
- }
- confdata->searchnxt = 0;
-
- delim = getword(fp, word, sizeof(word));
- if (strlen(word) == 0)
- return (LWRES_R_FAILURE); /* Nothing else on line. */
-
- idx = 0;
- while (strlen(word) > 0) {
- if (confdata->searchnxt == LWRES_CONFMAXSEARCH)
- goto ignore; /* Too many domains. */
-
- confdata->search[idx] = lwres_strdup(ctx, word);
- if (confdata->search[idx] == NULL)
- return (LWRES_R_FAILURE);
- idx++;
- confdata->searchnxt++;
-
- ignore:
- if (delim == EOF || delim == '\n')
- break;
- else
- delim = getword(fp, word, sizeof(word));
- }
-
- return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_create_addr(const char *buffer, lwres_addr_t *addr, int convert_zero) {
- struct in_addr v4;
- struct in6_addr v6;
-
- if (lwres_net_aton(buffer, &v4) == 1) {
- if (convert_zero) {
- unsigned char zeroaddress[] = {0, 0, 0, 0};
- unsigned char loopaddress[] = {127, 0, 0, 1};
- if (memcmp(&v4, zeroaddress, 4) == 0)
- memcpy(&v4, loopaddress, 4);
- }
- addr->family = LWRES_ADDRTYPE_V4;
- addr->length = NS_INADDRSZ;
- memcpy((void *)addr->address, &v4, NS_INADDRSZ);
-
- } else if (lwres_net_pton(AF_INET6, buffer, &v6) == 1) {
- addr->family = LWRES_ADDRTYPE_V6;
- addr->length = NS_IN6ADDRSZ;
- memcpy((void *)addr->address, &v6, NS_IN6ADDRSZ);
- } else {
- return (LWRES_R_FAILURE); /* Unrecognised format. */
- }
-
- return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parsesortlist(lwres_context_t *ctx, FILE *fp) {
- int delim, res, idx;
- char word[LWRES_CONFMAXLINELEN];
- char *p;
- lwres_conf_t *confdata;
-
- confdata = &ctx->confdata;
-
- delim = getword(fp, word, sizeof(word));
- if (strlen(word) == 0)
- return (LWRES_R_FAILURE); /* Empty line after keyword. */
-
- while (strlen(word) > 0) {
- if (confdata->sortlistnxt == LWRES_CONFMAXSORTLIST)
- return (LWRES_R_FAILURE); /* Too many values. */
-
- p = strchr(word, '/');
- if (p != NULL)
- *p++ = '\0';
-
- idx = confdata->sortlistnxt;
- res = lwres_create_addr(word, &confdata->sortlist[idx].addr, 1);
- if (res != LWRES_R_SUCCESS)
- return (res);
-
- if (p != NULL) {
- res = lwres_create_addr(p,
- &confdata->sortlist[idx].mask,
- 0);
- if (res != LWRES_R_SUCCESS)
- return (res);
- } else {
- /*
- * Make up a mask.
- */
- confdata->sortlist[idx].mask =
- confdata->sortlist[idx].addr;
-
- memset(&confdata->sortlist[idx].mask.address, 0xff,
- confdata->sortlist[idx].addr.length);
- }
-
- confdata->sortlistnxt++;
-
- if (delim == EOF || delim == '\n')
- break;
- else
- delim = getword(fp, word, sizeof(word));
- }
-
- return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parseoption(lwres_context_t *ctx, FILE *fp) {
- int delim;
- long ndots;
- char *p;
- char word[LWRES_CONFMAXLINELEN];
- lwres_conf_t *confdata;
-
- REQUIRE(ctx != NULL);
- confdata = &ctx->confdata;
-
- delim = getword(fp, word, sizeof(word));
- if (strlen(word) == 0)
- return (LWRES_R_FAILURE); /* Empty line after keyword. */
-
- while (strlen(word) > 0) {
- if (strcmp("debug", word) == 0) {
- confdata->resdebug = 1;
- } else if (strcmp("no_tld_query", word) == 0) {
- confdata->no_tld_query = 1;
- } else if (strncmp("ndots:", word, 6) == 0) {
- ndots = strtol(word + 6, &p, 10);
- if (*p != '\0') /* Bad string. */
- return (LWRES_R_FAILURE);
- if (ndots < 0 || ndots > 0xff) /* Out of range. */
- return (LWRES_R_FAILURE);
- confdata->ndots = (lwres_uint8_t)ndots;
- }
-
- if (delim == EOF || delim == '\n')
- break;
- else
- delim = getword(fp, word, sizeof(word));
- }
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_conf_parse(lwres_context_t *ctx, const char *filename) {
- FILE *fp = NULL;
- char word[256];
- lwres_result_t rval, ret;
- lwres_conf_t *confdata;
- int stopchar;
-
- REQUIRE(ctx != NULL);
- confdata = &ctx->confdata;
-
- REQUIRE(filename != NULL);
- REQUIRE(strlen(filename) > 0);
- REQUIRE(confdata != NULL);
-
- errno = 0;
- if ((fp = fopen(filename, "r")) == NULL)
- return (LWRES_R_FAILURE);
-
- ret = LWRES_R_SUCCESS;
- do {
- stopchar = getword(fp, word, sizeof(word));
- if (stopchar == EOF) {
- rval = LWRES_R_SUCCESS;
- break;
- }
-
- if (strlen(word) == 0)
- rval = LWRES_R_SUCCESS;
- else if (strcmp(word, "nameserver") == 0)
- rval = lwres_conf_parsenameserver(ctx, fp);
- else if (strcmp(word, "lwserver") == 0)
- rval = lwres_conf_parselwserver(ctx, fp);
- else if (strcmp(word, "domain") == 0)
- rval = lwres_conf_parsedomain(ctx, fp);
- else if (strcmp(word, "search") == 0)
- rval = lwres_conf_parsesearch(ctx, fp);
- else if (strcmp(word, "sortlist") == 0)
- rval = lwres_conf_parsesortlist(ctx, fp);
- else if (strcmp(word, "option") == 0)
- rval = lwres_conf_parseoption(ctx, fp);
- else {
- /* unrecognised word. Ignore entire line */
- rval = LWRES_R_SUCCESS;
- stopchar = eatline(fp);
- if (stopchar == EOF) {
- break;
- }
- }
- if (ret == LWRES_R_SUCCESS && rval != LWRES_R_SUCCESS)
- ret = rval;
- } while (1);
-
- fclose(fp);
-
- return (ret);
-}
-
-lwres_result_t
-lwres_conf_print(lwres_context_t *ctx, FILE *fp) {
- int i;
- int af;
- char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"];
- const char *p;
- lwres_conf_t *confdata;
- lwres_addr_t tmpaddr;
-
- REQUIRE(ctx != NULL);
- confdata = &ctx->confdata;
-
- REQUIRE(confdata->nsnext <= LWRES_CONFMAXNAMESERVERS);
-
- for (i = 0 ; i < confdata->nsnext ; i++) {
- af = lwresaddr2af(confdata->nameservers[i].family);
-
- p = lwres_net_ntop(af, confdata->nameservers[i].address,
- tmp, sizeof(tmp));
- if (p != tmp)
- return (LWRES_R_FAILURE);
-
- fprintf(fp, "nameserver %s\n", tmp);
- }
-
- for (i = 0 ; i < confdata->lwnext ; i++) {
- af = lwresaddr2af(confdata->lwservers[i].family);
-
- p = lwres_net_ntop(af, confdata->lwservers[i].address,
- tmp, sizeof(tmp));
- if (p != tmp)
- return (LWRES_R_FAILURE);
-
- fprintf(fp, "lwserver %s\n", tmp);
- }
-
- if (confdata->domainname != NULL) {
- fprintf(fp, "domain %s\n", confdata->domainname);
- } else if (confdata->searchnxt > 0) {
- REQUIRE(confdata->searchnxt <= LWRES_CONFMAXSEARCH);
-
- fprintf(fp, "search");
- for (i = 0 ; i < confdata->searchnxt ; i++)
- fprintf(fp, " %s", confdata->search[i]);
- fputc('\n', fp);
- }
-
- REQUIRE(confdata->sortlistnxt <= LWRES_CONFMAXSORTLIST);
-
- if (confdata->sortlistnxt > 0) {
- fputs("sortlist", fp);
- for (i = 0 ; i < confdata->sortlistnxt ; i++) {
- af = lwresaddr2af(confdata->sortlist[i].addr.family);
-
- p = lwres_net_ntop(af,
- confdata->sortlist[i].addr.address,
- tmp, sizeof(tmp));
- if (p != tmp)
- return (LWRES_R_FAILURE);
-
- fprintf(fp, " %s", tmp);
-
- tmpaddr = confdata->sortlist[i].mask;
- memset(&tmpaddr.address, 0xff, tmpaddr.length);
-
- if (memcmp(&tmpaddr.address,
- confdata->sortlist[i].mask.address,
- confdata->sortlist[i].mask.length) != 0) {
- af = lwresaddr2af(
- confdata->sortlist[i].mask.family);
- p = lwres_net_ntop
- (af,
- confdata->sortlist[i].mask.address,
- tmp, sizeof(tmp));
- if (p != tmp)
- return (LWRES_R_FAILURE);
-
- fprintf(fp, "/%s", tmp);
- }
- }
- fputc('\n', fp);
- }
-
- if (confdata->resdebug)
- fprintf(fp, "options debug\n");
-
- if (confdata->ndots > 0)
- fprintf(fp, "options ndots:%d\n", confdata->ndots);
-
- if (confdata->no_tld_query)
- fprintf(fp, "options no_tld_query\n");
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_conf_t *
-lwres_conf_get(lwres_context_t *ctx) {
- REQUIRE(ctx != NULL);
-
- return (&ctx->confdata);
-}
diff --git a/lib/liblwres/lwinetaton.c b/lib/liblwres/lwinetaton.c
deleted file mode 100644
index 42a2cfa69..000000000
--- a/lib/liblwres/lwinetaton.c
+++ /dev/null
@@ -1,203 +0,0 @@
-/*
- * Portions Copyright (C) 1996-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (c) 1983, 1990, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: lwinetaton.c,v 1.1 2004/03/15 20:35:25 as Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <ctype.h>
-
-#include <stddef.h>
-
-#include <lwres/int.h>
-#include <lwres/net.h>
-
-#include "assert_p.h"
-
-/*
- * Check whether "cp" is a valid ascii representation
- * of an Internet address and convert to a binary address.
- * Returns 1 if the address is valid, 0 if not.
- * This replaces inet_addr, the return value from which
- * cannot distinguish between failure and a local broadcast address.
- */
-int
-lwres_net_aton(const char *cp, struct in_addr *addr) {
- unsigned long val;
- int base, n;
- unsigned char c;
- lwres_uint8_t parts[4];
- lwres_uint8_t *pp = parts;
- int digit;
-
- REQUIRE(cp != NULL);
-
- c = *cp;
- for (;;) {
- /*
- * Collect number up to ``.''.
- * Values are specified as for C:
- * 0x=hex, 0=octal, isdigit=decimal.
- */
- if (!isdigit(c & 0xff))
- return (0);
- val = 0;
- base = 10;
- digit = 0;
- if (c == '0') {
- c = *++cp;
- if (c == 'x' || c == 'X') {
- base = 16;
- c = *++cp;
- } else {
- base = 8;
- digit = 1;
- }
- }
- for (;;) {
- /*
- * isascii() is valid for all integer values, and
- * when it is true, c is known to be in scope
- * for isdigit(). No cast necessary. Similar
- * comment applies for later ctype uses.
- */
- if (isascii(c) && isdigit(c)) {
- if (base == 8 && (c == '8' || c == '9'))
- return (0);
- val = (val * base) + (c - '0');
- c = *++cp;
- digit = 1;
- } else if (base == 16 && isascii(c) && isxdigit(c)) {
- val = (val << 4) |
- (c + 10 - (islower(c) ? 'a' : 'A'));
- c = *++cp;
- digit = 1;
- } else
- break;
- }
- if (c == '.') {
- /*
- * Internet format:
- * a.b.c.d
- * a.b.c (with c treated as 16 bits)
- * a.b (with b treated as 24 bits)
- */
- if (pp >= parts + 3 || val > 0xff)
- return (0);
- *pp++ = (lwres_uint8_t)val;
- c = *++cp;
- } else
- break;
- }
- /*
- * Check for trailing characters.
- */
- if (c != '\0' && (!isascii(c) || !isspace(c)))
- return (0);
- /*
- * Did we get a valid digit?
- */
- if (!digit)
- return (0);
- /*
- * Concoct the address according to
- * the number of parts specified.
- */
- n = pp - parts + 1;
- switch (n) {
- case 1: /* a -- 32 bits */
- break;
-
- case 2: /* a.b -- 8.24 bits */
- if (val > 0xffffff)
- return (0);
- val |= parts[0] << 24;
- break;
-
- case 3: /* a.b.c -- 8.8.16 bits */
- if (val > 0xffff)
- return (0);
- val |= (parts[0] << 24) | (parts[1] << 16);
- break;
-
- case 4: /* a.b.c.d -- 8.8.8.8 bits */
- if (val > 0xff)
- return (0);
- val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
- break;
- }
- if (addr != NULL)
- addr->s_addr = htonl(val);
-
- return (1);
-}
diff --git a/lib/liblwres/lwinetntop.c b/lib/liblwres/lwinetntop.c
deleted file mode 100644
index dfc55a97c..000000000
--- a/lib/liblwres/lwinetntop.c
+++ /dev/null
@@ -1,191 +0,0 @@
-/*
- * Copyright (C) 1996-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] =
- "$Id: lwinetntop.c,v 1.1 2004/03/15 20:35:25 as Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <lwres/net.h>
-
-#define NS_INT16SZ 2
-#define NS_IN6ADDRSZ 16
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static const char *inet_ntop4(const unsigned char *src, char *dst,
- size_t size);
-
-#ifdef AF_INET6
-static const char *inet_ntop6(const unsigned char *src, char *dst,
- size_t size);
-#endif
-
-/* char *
- * lwres_net_ntop(af, src, dst, size)
- * convert a network format address to presentation format.
- * return:
- * pointer to presentation format address (`dst'), or NULL (see errno).
- * author:
- * Paul Vixie, 1996.
- */
-const char *
-lwres_net_ntop(int af, const void *src, char *dst, size_t size) {
- switch (af) {
- case AF_INET:
- return (inet_ntop4(src, dst, size));
-#ifdef AF_INET6
- case AF_INET6:
- return (inet_ntop6(src, dst, size));
-#endif
- default:
- errno = EAFNOSUPPORT;
- return (NULL);
- }
- /* NOTREACHED */
-}
-
-/* const char *
- * inet_ntop4(src, dst, size)
- * format an IPv4 address
- * return:
- * `dst' (as a const)
- * notes:
- * (1) uses no statics
- * (2) takes a unsigned char* not an in_addr as input
- * author:
- * Paul Vixie, 1996.
- */
-static const char *
-inet_ntop4(const unsigned char *src, char *dst, size_t size) {
- static const char fmt[] = "%u.%u.%u.%u";
- char tmp[sizeof "255.255.255.255"];
-
- if ((size_t)sprintf(tmp, fmt, src[0], src[1], src[2], src[3]) >= size)
- {
- errno = ENOSPC;
- return (NULL);
- }
- strcpy(dst, tmp);
-
- return (dst);
-}
-
-/* const char *
- * inet_ntop6(src, dst, size)
- * convert IPv6 binary address into presentation (printable) format
- * author:
- * Paul Vixie, 1996.
- */
-#ifdef AF_INET6
-static const char *
-inet_ntop6(const unsigned char *src, char *dst, size_t size) {
- /*
- * Note that int32_t and int16_t need only be "at least" large enough
- * to contain a value of the specified size. On some systems, like
- * Crays, there is no such thing as an integer variable with 16 bits.
- * Keep this in mind if you think this function should have been coded
- * to use pointer overlays. All the world's not a VAX.
- */
- char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"], *tp;
- struct { int base, len; } best, cur;
- unsigned int words[NS_IN6ADDRSZ / NS_INT16SZ];
- int i;
-
- /*
- * Preprocess:
- * Copy the input (bytewise) array into a wordwise array.
- * Find the longest run of 0x00's in src[] for :: shorthanding.
- */
- memset(words, '\0', sizeof words);
- for (i = 0; i < NS_IN6ADDRSZ; i++)
- words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
- best.base = -1;
- cur.base = -1;
- for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
- if (words[i] == 0) {
- if (cur.base == -1)
- cur.base = i, cur.len = 1;
- else
- cur.len++;
- } else {
- if (cur.base != -1) {
- if (best.base == -1 || cur.len > best.len)
- best = cur;
- cur.base = -1;
- }
- }
- }
- if (cur.base != -1) {
- if (best.base == -1 || cur.len > best.len)
- best = cur;
- }
- if (best.base != -1 && best.len < 2)
- best.base = -1;
-
- /*
- * Format the result.
- */
- tp = tmp;
- for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
- /* Are we inside the best run of 0x00's? */
- if (best.base != -1 && i >= best.base &&
- i < (best.base + best.len)) {
- if (i == best.base)
- *tp++ = ':';
- continue;
- }
- /* Are we following an initial run of 0x00s or any real hex? */
- if (i != 0)
- *tp++ = ':';
- /* Is this address an encapsulated IPv4? */
- if (i == 6 && best.base == 0 &&
- (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) {
- if (!inet_ntop4(src+12, tp,
- sizeof tmp - (tp - tmp)))
- return (NULL);
- tp += strlen(tp);
- break;
- }
- tp += sprintf(tp, "%x", words[i]);
- }
- /* Was it a trailing run of 0x00's? */
- if (best.base != -1 && (best.base + best.len) ==
- (NS_IN6ADDRSZ / NS_INT16SZ))
- *tp++ = ':';
- *tp++ = '\0';
-
- /*
- * Check for overflow, copy, and we're done.
- */
- if ((size_t)(tp - tmp) > size) {
- errno = ENOSPC;
- return (NULL);
- }
- strcpy(dst, tmp);
- return (dst);
-}
-#endif /* AF_INET6 */
diff --git a/lib/liblwres/lwinetpton.c b/lib/liblwres/lwinetpton.c
deleted file mode 100644
index 792a74775..000000000
--- a/lib/liblwres/lwinetpton.c
+++ /dev/null
@@ -1,206 +0,0 @@
-/*
- * Copyright (C) 1996-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$Id: lwinetpton.c,v 1.1 2004/03/15 20:35:25 as Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <errno.h>
-#include <string.h>
-
-#include <lwres/net.h>
-
-#define NS_INT16SZ 2
-#define NS_INADDRSZ 4
-#define NS_IN6ADDRSZ 16
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static int inet_pton4(const char *src, unsigned char *dst);
-static int inet_pton6(const char *src, unsigned char *dst);
-
-/* int
- * lwres_net_pton(af, src, dst)
- * convert from presentation format (which usually means ASCII printable)
- * to network format (which is usually some kind of binary format).
- * return:
- * 1 if the address was valid for the specified address family
- * 0 if the address wasn't valid (`dst' is untouched in this case)
- * -1 if some other error occurred (`dst' is untouched in this case, too)
- * author:
- * Paul Vixie, 1996.
- */
-int
-lwres_net_pton(int af, const char *src, void *dst) {
- switch (af) {
- case AF_INET:
- return (inet_pton4(src, dst));
- case AF_INET6:
- return (inet_pton6(src, dst));
- default:
- errno = EAFNOSUPPORT;
- return (-1);
- }
- /* NOTREACHED */
-}
-
-/* int
- * inet_pton4(src, dst)
- * like inet_aton() but without all the hexadecimal and shorthand.
- * return:
- * 1 if `src' is a valid dotted quad, else 0.
- * notice:
- * does not touch `dst' unless it's returning 1.
- * author:
- * Paul Vixie, 1996.
- */
-static int
-inet_pton4(const char *src, unsigned char *dst) {
- static const char digits[] = "0123456789";
- int saw_digit, octets, ch;
- unsigned char tmp[NS_INADDRSZ], *tp;
-
- saw_digit = 0;
- octets = 0;
- *(tp = tmp) = 0;
- while ((ch = *src++) != '\0') {
- const char *pch;
-
- if ((pch = strchr(digits, ch)) != NULL) {
- unsigned int new = *tp * 10 + (pch - digits);
-
- if (new > 255)
- return (0);
- *tp = new;
- if (! saw_digit) {
- if (++octets > 4)
- return (0);
- saw_digit = 1;
- }
- } else if (ch == '.' && saw_digit) {
- if (octets == 4)
- return (0);
- *++tp = 0;
- saw_digit = 0;
- } else
- return (0);
- }
- if (octets < 4)
- return (0);
- memcpy(dst, tmp, NS_INADDRSZ);
- return (1);
-}
-
-/* int
- * inet_pton6(src, dst)
- * convert presentation level address to network order binary form.
- * return:
- * 1 if `src' is a valid [RFC1884 2.2] address, else 0.
- * notice:
- * (1) does not touch `dst' unless it's returning 1.
- * (2) :: in a full address is silently ignored.
- * credit:
- * inspired by Mark Andrews.
- * author:
- * Paul Vixie, 1996.
- */
-static int
-inet_pton6(const char *src, unsigned char *dst) {
- static const char xdigits_l[] = "0123456789abcdef",
- xdigits_u[] = "0123456789ABCDEF";
- unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
- const char *xdigits, *curtok;
- int ch, saw_xdigit;
- unsigned int val;
-
- memset((tp = tmp), '\0', NS_IN6ADDRSZ);
- endp = tp + NS_IN6ADDRSZ;
- colonp = NULL;
- /* Leading :: requires some special handling. */
- if (*src == ':')
- if (*++src != ':')
- return (0);
- curtok = src;
- saw_xdigit = 0;
- val = 0;
- while ((ch = *src++) != '\0') {
- const char *pch;
-
- if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
- pch = strchr((xdigits = xdigits_u), ch);
- if (pch != NULL) {
- val <<= 4;
- val |= (pch - xdigits);
- if (val > 0xffff)
- return (0);
- saw_xdigit = 1;
- continue;
- }
- if (ch == ':') {
- curtok = src;
- if (!saw_xdigit) {
- if (colonp)
- return (0);
- colonp = tp;
- continue;
- }
- if (tp + NS_INT16SZ > endp)
- return (0);
- *tp++ = (unsigned char) (val >> 8) & 0xff;
- *tp++ = (unsigned char) val & 0xff;
- saw_xdigit = 0;
- val = 0;
- continue;
- }
- if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
- inet_pton4(curtok, tp) > 0) {
- tp += NS_INADDRSZ;
- saw_xdigit = 0;
- break; /* '\0' was seen by inet_pton4(). */
- }
- return (0);
- }
- if (saw_xdigit) {
- if (tp + NS_INT16SZ > endp)
- return (0);
- *tp++ = (unsigned char) (val >> 8) & 0xff;
- *tp++ = (unsigned char) val & 0xff;
- }
- if (colonp != NULL) {
- /*
- * Since some memmove()'s erroneously fail to handle
- * overlapping regions, we'll do the shift by hand.
- */
- const int n = tp - colonp;
- int i;
-
- for (i = 1; i <= n; i++) {
- endp[- i] = colonp[n - i];
- colonp[n - i] = 0;
- }
- tp = endp;
- }
- if (tp != endp)
- return (0);
- memcpy(dst, tmp, NS_IN6ADDRSZ);
- return (1);
-}
diff --git a/lib/liblwres/lwpacket.c b/lib/liblwres/lwpacket.c
deleted file mode 100644
index 7bcdbbd4a..000000000
--- a/lib/liblwres/lwpacket.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwpacket.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/result.h>
-
-#include "assert_p.h"
-
-#define LWPACKET_LENGTH \
- (sizeof(lwres_uint16_t) * 4 + sizeof(lwres_uint32_t) * 5)
-
-lwres_result_t
-lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt) {
- REQUIRE(b != NULL);
- REQUIRE(pkt != NULL);
-
- if (!SPACE_OK(b, LWPACKET_LENGTH))
- return (LWRES_R_UNEXPECTEDEND);
-
- lwres_buffer_putuint32(b, pkt->length);
- lwres_buffer_putuint16(b, pkt->version);
- lwres_buffer_putuint16(b, pkt->pktflags);
- lwres_buffer_putuint32(b, pkt->serial);
- lwres_buffer_putuint32(b, pkt->opcode);
- lwres_buffer_putuint32(b, pkt->result);
- lwres_buffer_putuint32(b, pkt->recvlength);
- lwres_buffer_putuint16(b, pkt->authtype);
- lwres_buffer_putuint16(b, pkt->authlength);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt) {
- lwres_uint32_t space;
-
- REQUIRE(b != NULL);
- REQUIRE(pkt != NULL);
-
- space = LWRES_BUFFER_REMAINING(b);
- if (space < LWPACKET_LENGTH)
- return (LWRES_R_UNEXPECTEDEND);
-
- pkt->length = lwres_buffer_getuint32(b);
- /*
- * XXXBEW/MLG Checking that the buffer is long enough probably
- * shouldn't be done here, since this function is supposed to just
- * parse the header.
- */
- if (pkt->length > space)
- return (LWRES_R_UNEXPECTEDEND);
- pkt->version = lwres_buffer_getuint16(b);
- pkt->pktflags = lwres_buffer_getuint16(b);
- pkt->serial = lwres_buffer_getuint32(b);
- pkt->opcode = lwres_buffer_getuint32(b);
- pkt->result = lwres_buffer_getuint32(b);
- pkt->recvlength = lwres_buffer_getuint32(b);
- pkt->authtype = lwres_buffer_getuint16(b);
- pkt->authlength = lwres_buffer_getuint16(b);
-
- return (LWRES_R_SUCCESS);
-}
diff --git a/lib/liblwres/lwres_gabn.c b/lib/liblwres/lwres_gabn.c
deleted file mode 100644
index 5e809ba8e..000000000
--- a/lib/liblwres/lwres_gabn.c
+++ /dev/null
@@ -1,415 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres_gabn.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "context_p.h"
-#include "assert_p.h"
-
-lwres_result_t
-lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
- lwres_uint16_t datalen;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(req->name != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- datalen = strlen(req->name);
-
- payload_length = 4 + 4 + 2 + req->namelen + 1;
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
-
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_GETADDRSBYNAME;
- pkt->result = 0;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- INSIST(SPACE_OK(b, payload_length));
-
- /*
- * Flags.
- */
- lwres_buffer_putuint32(b, req->flags);
-
- /*
- * Address types we'll accept.
- */
- lwres_buffer_putuint32(b, req->addrtypes);
-
- /*
- * Put the length and the data. We know this will fit because we
- * just checked for it.
- */
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, (unsigned char *)req->name, datalen);
- lwres_buffer_putuint8(b, 0); /* trailing NUL */
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
- lwres_uint16_t datalen;
- lwres_addr_t *addr;
- int x;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- /* naliases, naddrs */
- payload_length = 4 + 2 + 2;
- /* real name encoding */
- payload_length += 2 + req->realnamelen + 1;
- /* each alias */
- for (x = 0 ; x < req->naliases ; x++)
- payload_length += 2 + req->aliaslen[x] + 1;
- /* each address */
- x = 0;
- addr = LWRES_LIST_HEAD(req->addrs);
- while (addr != NULL) {
- payload_length += 4 + 2;
- payload_length += addr->length;
- addr = LWRES_LIST_NEXT(addr, link);
- x++;
- }
- INSIST(x == req->naddrs);
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_GETADDRSBYNAME;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- /*
- * Check space needed here.
- */
- INSIST(SPACE_OK(b, payload_length));
-
- /* Flags. */
- lwres_buffer_putuint32(b, req->flags);
-
- /* encode naliases and naddrs */
- lwres_buffer_putuint16(b, req->naliases);
- lwres_buffer_putuint16(b, req->naddrs);
-
- /* encode the real name */
- datalen = req->realnamelen;
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
- lwres_buffer_putuint8(b, 0);
-
- /* encode the aliases */
- for (x = 0 ; x < req->naliases ; x++) {
- datalen = req->aliaslen[x];
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, (unsigned char *)req->aliases[x],
- datalen);
- lwres_buffer_putuint8(b, 0);
- }
-
- /* encode the addresses */
- addr = LWRES_LIST_HEAD(req->addrs);
- while (addr != NULL) {
- lwres_buffer_putuint32(b, addr->family);
- lwres_buffer_putuint16(b, addr->length);
- lwres_buffer_putmem(b, addr->address, addr->length);
- addr = LWRES_LIST_NEXT(addr, link);
- }
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
- INSIST(LWRES_BUFFER_USEDCOUNT(b) == pkt->length);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp)
-{
- int ret;
- char *name;
- lwres_gabnrequest_t *gabn;
- lwres_uint32_t addrtypes;
- lwres_uint32_t flags;
- lwres_uint16_t namelen;
-
- REQUIRE(ctx != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
- return (LWRES_R_FAILURE);
-
- if (!SPACE_REMAINING(b, 4 + 4))
- return (LWRES_R_UNEXPECTEDEND);
-
- flags = lwres_buffer_getuint32(b);
- addrtypes = lwres_buffer_getuint32(b);
-
- /*
- * Pull off the name itself
- */
- ret = lwres_string_parse(b, &name, &namelen);
- if (ret != LWRES_R_SUCCESS)
- return (ret);
-
- if (LWRES_BUFFER_REMAINING(b) != 0)
- return (LWRES_R_TRAILINGDATA);
-
- gabn = CTXMALLOC(sizeof(lwres_gabnrequest_t));
- if (gabn == NULL)
- return (LWRES_R_NOMEMORY);
-
- gabn->flags = flags;
- gabn->addrtypes = addrtypes;
- gabn->name = name;
- gabn->namelen = namelen;
-
- *structp = gabn;
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_gabnresponse_t **structp)
-{
- lwres_result_t ret;
- unsigned int x;
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- lwres_gabnresponse_t *gabn;
- lwres_addrlist_t addrlist;
- lwres_addr_t *addr;
-
- REQUIRE(ctx != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- gabn = NULL;
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
- return (LWRES_R_FAILURE);
-
- /*
- * Pull off the name itself
- */
- if (!SPACE_REMAINING(b, 4 + 2 + 2))
- return (LWRES_R_UNEXPECTEDEND);
- flags = lwres_buffer_getuint32(b);
- naliases = lwres_buffer_getuint16(b);
- naddrs = lwres_buffer_getuint16(b);
-
- gabn = CTXMALLOC(sizeof(lwres_gabnresponse_t));
- if (gabn == NULL)
- return (LWRES_R_NOMEMORY);
- gabn->aliases = NULL;
- gabn->aliaslen = NULL;
- LWRES_LIST_INIT(gabn->addrs);
- gabn->base = NULL;
-
- gabn->flags = flags;
- gabn->naliases = naliases;
- gabn->naddrs = naddrs;
-
- LWRES_LIST_INIT(addrlist);
-
- if (naliases > 0) {
- gabn->aliases = CTXMALLOC(sizeof(char *) * naliases);
- if (gabn->aliases == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
-
- gabn->aliaslen = CTXMALLOC(sizeof(lwres_uint16_t) * naliases);
- if (gabn->aliaslen == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
- }
-
- for (x = 0 ; x < naddrs ; x++) {
- addr = CTXMALLOC(sizeof(lwres_addr_t));
- if (addr == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
- LWRES_LINK_INIT(addr, link);
- LWRES_LIST_APPEND(addrlist, addr, link);
- }
-
- /*
- * Now, pull off the real name.
- */
- ret = lwres_string_parse(b, &gabn->realname, &gabn->realnamelen);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- /*
- * Parse off the aliases.
- */
- for (x = 0 ; x < gabn->naliases ; x++) {
- ret = lwres_string_parse(b, &gabn->aliases[x],
- &gabn->aliaslen[x]);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- }
-
- /*
- * Pull off the addresses. We already strung the linked list
- * up above.
- */
- addr = LWRES_LIST_HEAD(addrlist);
- for (x = 0 ; x < gabn->naddrs ; x++) {
- INSIST(addr != NULL);
- ret = lwres_addr_parse(b, addr);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- addr = LWRES_LIST_NEXT(addr, link);
- }
-
- if (LWRES_BUFFER_REMAINING(b) != 0) {
- ret = LWRES_R_TRAILINGDATA;
- goto out;
- }
-
- gabn->addrs = addrlist;
-
- *structp = gabn;
- return (LWRES_R_SUCCESS);
-
- out:
- if (gabn != NULL) {
- if (gabn->aliases != NULL)
- CTXFREE(gabn->aliases, sizeof(char *) * naliases);
- if (gabn->aliaslen != NULL)
- CTXFREE(gabn->aliaslen,
- sizeof(lwres_uint16_t) * naliases);
- addr = LWRES_LIST_HEAD(addrlist);
- while (addr != NULL) {
- LWRES_LIST_UNLINK(addrlist, addr, link);
- CTXFREE(addr, sizeof(lwres_addr_t));
- addr = LWRES_LIST_HEAD(addrlist);
- }
- CTXFREE(gabn, sizeof(lwres_gabnresponse_t));
- }
-
- return (ret);
-}
-
-void
-lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp)
-{
- lwres_gabnrequest_t *gabn;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- gabn = *structp;
- *structp = NULL;
-
- CTXFREE(gabn, sizeof(lwres_gabnrequest_t));
-}
-
-void
-lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp)
-{
- lwres_gabnresponse_t *gabn;
- lwres_addr_t *addr;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- gabn = *structp;
- *structp = NULL;
-
- if (gabn->naliases > 0) {
- CTXFREE(gabn->aliases, sizeof(char *) * gabn->naliases);
- CTXFREE(gabn->aliaslen,
- sizeof(lwres_uint16_t) * gabn->naliases);
- }
- addr = LWRES_LIST_HEAD(gabn->addrs);
- while (addr != NULL) {
- LWRES_LIST_UNLINK(gabn->addrs, addr, link);
- CTXFREE(addr, sizeof(lwres_addr_t));
- addr = LWRES_LIST_HEAD(gabn->addrs);
- }
- if (gabn->base != NULL)
- CTXFREE(gabn->base, gabn->baselen);
- CTXFREE(gabn, sizeof(lwres_gabnresponse_t));
-}
diff --git a/lib/liblwres/lwres_gnba.c b/lib/liblwres/lwres_gnba.c
deleted file mode 100644
index 293eb05ac..000000000
--- a/lib/liblwres/lwres_gnba.c
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres_gnba.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "context_p.h"
-#include "assert_p.h"
-
-lwres_result_t
-lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(req->addr.family != 0);
- REQUIRE(req->addr.length != 0);
- REQUIRE(req->addr.address != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- payload_length = 4 + 4 + 2 + + req->addr.length;
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_GETNAMEBYADDR;
- pkt->result = 0;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- INSIST(SPACE_OK(b, payload_length));
-
- /*
- * Put the length and the data. We know this will fit because we
- * just checked for it.
- */
- lwres_buffer_putuint32(b, req->flags);
- lwres_buffer_putuint32(b, req->addr.family);
- lwres_buffer_putuint16(b, req->addr.length);
- lwres_buffer_putmem(b, (unsigned char *)req->addr.address,
- req->addr.length);
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
- lwres_uint16_t datalen;
- int x;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- /*
- * Calculate packet size.
- */
- payload_length = 4; /* flags */
- payload_length += 2; /* naliases */
- payload_length += 2 + req->realnamelen + 1; /* real name encoding */
- for (x = 0 ; x < req->naliases ; x++) /* each alias */
- payload_length += 2 + req->aliaslen[x] + 1;
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_GETNAMEBYADDR;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- INSIST(SPACE_OK(b, payload_length));
- lwres_buffer_putuint32(b, req->flags);
-
- /* encode naliases */
- lwres_buffer_putuint16(b, req->naliases);
-
- /* encode the real name */
- datalen = req->realnamelen;
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
- lwres_buffer_putuint8(b, 0);
-
- /* encode the aliases */
- for (x = 0 ; x < req->naliases ; x++) {
- datalen = req->aliaslen[x];
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, (unsigned char *)req->aliases[x],
- datalen);
- lwres_buffer_putuint8(b, 0);
- }
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp)
-{
- int ret;
- lwres_gnbarequest_t *gnba;
-
- REQUIRE(ctx != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
- return (LWRES_R_FAILURE);
-
- gnba = CTXMALLOC(sizeof(lwres_gnbarequest_t));
- if (gnba == NULL)
- return (LWRES_R_NOMEMORY);
-
- if (!SPACE_REMAINING(b, 4))
- return (LWRES_R_UNEXPECTEDEND);
-
- gnba->flags = lwres_buffer_getuint32(b);
-
- ret = lwres_addr_parse(b, &gnba->addr);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- if (LWRES_BUFFER_REMAINING(b) != 0) {
- ret = LWRES_R_TRAILINGDATA;
- goto out;
- }
-
- *structp = gnba;
- return (LWRES_R_SUCCESS);
-
- out:
- if (gnba != NULL)
- lwres_gnbarequest_free(ctx, &gnba);
-
- return (ret);
-}
-
-lwres_result_t
-lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_gnbaresponse_t **structp)
-{
- int ret;
- unsigned int x;
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_gnbaresponse_t *gnba;
-
- REQUIRE(ctx != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- gnba = NULL;
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
- return (LWRES_R_FAILURE);
-
- /*
- * Pull off flags & naliases
- */
- if (!SPACE_REMAINING(b, 4 + 2))
- return (LWRES_R_UNEXPECTEDEND);
- flags = lwres_buffer_getuint32(b);
- naliases = lwres_buffer_getuint16(b);
-
- gnba = CTXMALLOC(sizeof(lwres_gnbaresponse_t));
- if (gnba == NULL)
- return (LWRES_R_NOMEMORY);
- gnba->base = NULL;
- gnba->aliases = NULL;
- gnba->aliaslen = NULL;
-
- gnba->flags = flags;
- gnba->naliases = naliases;
-
- if (naliases > 0) {
- gnba->aliases = CTXMALLOC(sizeof(char *) * naliases);
- if (gnba->aliases == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
-
- gnba->aliaslen = CTXMALLOC(sizeof(lwres_uint16_t) * naliases);
- if (gnba->aliaslen == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
- }
-
- /*
- * Now, pull off the real name.
- */
- ret = lwres_string_parse(b, &gnba->realname, &gnba->realnamelen);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- /*
- * Parse off the aliases.
- */
- for (x = 0 ; x < gnba->naliases ; x++) {
- ret = lwres_string_parse(b, &gnba->aliases[x],
- &gnba->aliaslen[x]);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- }
-
- if (LWRES_BUFFER_REMAINING(b) != 0) {
- ret = LWRES_R_TRAILINGDATA;
- goto out;
- }
-
- *structp = gnba;
- return (LWRES_R_SUCCESS);
-
- out:
- if (gnba != NULL) {
- if (gnba->aliases != NULL)
- CTXFREE(gnba->aliases, sizeof(char *) * naliases);
- if (gnba->aliaslen != NULL)
- CTXFREE(gnba->aliaslen,
- sizeof(lwres_uint16_t) * naliases);
- CTXFREE(gnba, sizeof(lwres_gnbaresponse_t));
- }
-
- return (ret);
-}
-
-void
-lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp)
-{
- lwres_gnbarequest_t *gnba;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- gnba = *structp;
- *structp = NULL;
-
- CTXFREE(gnba, sizeof(lwres_gnbarequest_t));
-}
-
-void
-lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp)
-{
- lwres_gnbaresponse_t *gnba;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- gnba = *structp;
- *structp = NULL;
-
- if (gnba->naliases > 0) {
- CTXFREE(gnba->aliases, sizeof(char *) * gnba->naliases);
- CTXFREE(gnba->aliaslen,
- sizeof(lwres_uint16_t) * gnba->naliases);
- }
- if (gnba->base != NULL)
- CTXFREE(gnba->base, gnba->baselen);
- CTXFREE(gnba, sizeof(lwres_gnbaresponse_t));
-}
diff --git a/lib/liblwres/lwres_grbn.c b/lib/liblwres/lwres_grbn.c
deleted file mode 100644
index fd8de50a2..000000000
--- a/lib/liblwres/lwres_grbn.c
+++ /dev/null
@@ -1,416 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres_grbn.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "context_p.h"
-#include "assert_p.h"
-
-lwres_result_t
-lwres_grbnrequest_render(lwres_context_t *ctx, lwres_grbnrequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
- lwres_uint16_t datalen;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(req->name != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- datalen = strlen(req->name);
-
- payload_length = 4 + 2 + 2 + 2 + req->namelen + 1;
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
-
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_GETRDATABYNAME;
- pkt->result = 0;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- INSIST(SPACE_OK(b, payload_length));
-
- /*
- * Flags.
- */
- lwres_buffer_putuint32(b, req->flags);
-
- /*
- * Class.
- */
- lwres_buffer_putuint16(b, req->rdclass);
-
- /*
- * Type.
- */
- lwres_buffer_putuint16(b, req->rdtype);
-
- /*
- * Put the length and the data. We know this will fit because we
- * just checked for it.
- */
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, (unsigned char *)req->name, datalen);
- lwres_buffer_putuint8(b, 0); /* trailing NUL */
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_grbnresponse_render(lwres_context_t *ctx, lwres_grbnresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
- lwres_uint16_t datalen;
- int x;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- /* flags, class, type, ttl, nrdatas, nsigs */
- payload_length = 4 + 2 + 2 + 4 + 2 + 2;
- /* real name encoding */
- payload_length += 2 + req->realnamelen + 1;
- /* each rr */
- for (x = 0 ; x < req->nrdatas ; x++)
- payload_length += 2 + req->rdatalen[x];
- for (x = 0 ; x < req->nsigs ; x++)
- payload_length += 2 + req->siglen[x];
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_GETRDATABYNAME;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- /*
- * Check space needed here.
- */
- INSIST(SPACE_OK(b, payload_length));
-
- /* Flags. */
- lwres_buffer_putuint32(b, req->flags);
-
- /* encode class, type, ttl, and nrdatas */
- lwres_buffer_putuint16(b, req->rdclass);
- lwres_buffer_putuint16(b, req->rdtype);
- lwres_buffer_putuint32(b, req->ttl);
- lwres_buffer_putuint16(b, req->nrdatas);
- lwres_buffer_putuint16(b, req->nsigs);
-
- /* encode the real name */
- datalen = req->realnamelen;
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
- lwres_buffer_putuint8(b, 0);
-
- /* encode the rdatas */
- for (x = 0 ; x < req->nrdatas ; x++) {
- datalen = req->rdatalen[x];
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, req->rdatas[x], datalen);
- }
-
- /* encode the signatures */
- for (x = 0 ; x < req->nsigs ; x++) {
- datalen = req->siglen[x];
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, req->sigs[x], datalen);
- }
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
- INSIST(LWRES_BUFFER_USEDCOUNT(b) == pkt->length);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_grbnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_grbnrequest_t **structp)
-{
- int ret;
- char *name;
- lwres_grbnrequest_t *grbn;
- lwres_uint32_t flags;
- lwres_uint16_t rdclass, rdtype;
- lwres_uint16_t namelen;
-
- REQUIRE(ctx != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
- return (LWRES_R_FAILURE);
-
- if (!SPACE_REMAINING(b, 4 + 2 + 2))
- return (LWRES_R_UNEXPECTEDEND);
-
- /*
- * Pull off the flags, class, and type.
- */
- flags = lwres_buffer_getuint32(b);
- rdclass = lwres_buffer_getuint16(b);
- rdtype = lwres_buffer_getuint16(b);
-
- /*
- * Pull off the name itself
- */
- ret = lwres_string_parse(b, &name, &namelen);
- if (ret != LWRES_R_SUCCESS)
- return (ret);
-
- if (LWRES_BUFFER_REMAINING(b) != 0)
- return (LWRES_R_TRAILINGDATA);
-
- grbn = CTXMALLOC(sizeof(lwres_grbnrequest_t));
- if (grbn == NULL)
- return (LWRES_R_NOMEMORY);
-
- grbn->flags = flags;
- grbn->rdclass = rdclass;
- grbn->rdtype = rdtype;
- grbn->name = name;
- grbn->namelen = namelen;
-
- *structp = grbn;
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_grbnresponse_t **structp)
-{
- lwres_result_t ret;
- unsigned int x;
- lwres_uint32_t flags;
- lwres_uint16_t rdclass, rdtype;
- lwres_uint32_t ttl;
- lwres_uint16_t nrdatas, nsigs;
- lwres_grbnresponse_t *grbn;
-
- REQUIRE(ctx != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- grbn = NULL;
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
- return (LWRES_R_FAILURE);
-
- /*
- * Pull off the flags, class, type, ttl, nrdatas, and nsigs
- */
- if (!SPACE_REMAINING(b, 4 + 2 + 2 + 4 + 2 + 2))
- return (LWRES_R_UNEXPECTEDEND);
- flags = lwres_buffer_getuint32(b);
- rdclass = lwres_buffer_getuint16(b);
- rdtype = lwres_buffer_getuint16(b);
- ttl = lwres_buffer_getuint32(b);
- nrdatas = lwres_buffer_getuint16(b);
- nsigs = lwres_buffer_getuint16(b);
-
- /*
- * Pull off the name itself
- */
-
- grbn = CTXMALLOC(sizeof(lwres_grbnresponse_t));
- if (grbn == NULL)
- return (LWRES_R_NOMEMORY);
- grbn->rdatas = NULL;
- grbn->rdatalen = NULL;
- grbn->sigs = NULL;
- grbn->siglen = NULL;
- grbn->base = NULL;
-
- grbn->flags = flags;
- grbn->rdclass = rdclass;
- grbn->rdtype = rdtype;
- grbn->ttl = ttl;
- grbn->nrdatas = nrdatas;
- grbn->nsigs = nsigs;
-
- if (nrdatas > 0) {
- grbn->rdatas = CTXMALLOC(sizeof(char *) * nrdatas);
- if (grbn->rdatas == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
-
- grbn->rdatalen = CTXMALLOC(sizeof(lwres_uint16_t) * nrdatas);
- if (grbn->rdatalen == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
- }
-
- if (nsigs > 0) {
- grbn->sigs = CTXMALLOC(sizeof(char *) * nsigs);
- if (grbn->sigs == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
-
- grbn->siglen = CTXMALLOC(sizeof(lwres_uint16_t) * nsigs);
- if (grbn->siglen == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
- }
-
- /*
- * Now, pull off the real name.
- */
- ret = lwres_string_parse(b, &grbn->realname, &grbn->realnamelen);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- /*
- * Parse off the rdatas.
- */
- for (x = 0 ; x < grbn->nrdatas ; x++) {
- ret = lwres_data_parse(b, &grbn->rdatas[x],
- &grbn->rdatalen[x]);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- }
-
- /*
- * Parse off the signatures.
- */
- for (x = 0 ; x < grbn->nsigs ; x++) {
- ret = lwres_data_parse(b, &grbn->sigs[x], &grbn->siglen[x]);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- }
-
- if (LWRES_BUFFER_REMAINING(b) != 0) {
- ret = LWRES_R_TRAILINGDATA;
- goto out;
- }
-
- *structp = grbn;
- return (LWRES_R_SUCCESS);
-
- out:
- if (grbn != NULL) {
- if (grbn->rdatas != NULL)
- CTXFREE(grbn->rdatas, sizeof(char *) * nrdatas);
- if (grbn->rdatalen != NULL)
- CTXFREE(grbn->rdatalen,
- sizeof(lwres_uint16_t) * nrdatas);
- if (grbn->sigs != NULL)
- CTXFREE(grbn->sigs, sizeof(char *) * nsigs);
- if (grbn->siglen != NULL)
- CTXFREE(grbn->siglen, sizeof(lwres_uint16_t) * nsigs);
- CTXFREE(grbn, sizeof(lwres_grbnresponse_t));
- }
-
- return (ret);
-}
-
-void
-lwres_grbnrequest_free(lwres_context_t *ctx, lwres_grbnrequest_t **structp)
-{
- lwres_grbnrequest_t *grbn;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- grbn = *structp;
- *structp = NULL;
-
- CTXFREE(grbn, sizeof(lwres_grbnrequest_t));
-}
-
-void
-lwres_grbnresponse_free(lwres_context_t *ctx, lwres_grbnresponse_t **structp)
-{
- lwres_grbnresponse_t *grbn;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- grbn = *structp;
- *structp = NULL;
-
- if (grbn->nrdatas > 0) {
- CTXFREE(grbn->rdatas, sizeof(char *) * grbn->nrdatas);
- CTXFREE(grbn->rdatalen,
- sizeof(lwres_uint16_t) * grbn->nrdatas);
- }
- if (grbn->nsigs > 0) {
- CTXFREE(grbn->sigs, sizeof(char *) * grbn->nsigs);
- CTXFREE(grbn->siglen, sizeof(lwres_uint16_t) * grbn->nsigs);
- }
- if (grbn->base != NULL)
- CTXFREE(grbn->base, grbn->baselen);
- CTXFREE(grbn, sizeof(lwres_grbnresponse_t));
-}
diff --git a/lib/liblwres/lwres_noop.c b/lib/liblwres/lwres_noop.c
deleted file mode 100644
index a75fba351..000000000
--- a/lib/liblwres/lwres_noop.c
+++ /dev/null
@@ -1,255 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres_noop.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "context_p.h"
-#include "assert_p.h"
-
-lwres_result_t
-lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- payload_length = sizeof(lwres_uint16_t) + req->datalength;
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_NOOP;
- pkt->result = 0;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- INSIST(SPACE_OK(b, payload_length));
-
- /*
- * Put the length and the data. We know this will fit because we
- * just checked for it.
- */
- lwres_buffer_putuint16(b, req->datalength);
- lwres_buffer_putmem(b, req->data, req->datalength);
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- payload_length = sizeof(lwres_uint16_t) + req->datalength;
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_NOOP;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- INSIST(SPACE_OK(b, payload_length));
-
- /*
- * Put the length and the data. We know this will fit because we
- * just checked for it.
- */
- lwres_buffer_putuint16(b, req->datalength);
- lwres_buffer_putmem(b, req->data, req->datalength);
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp)
-{
- int ret;
- lwres_nooprequest_t *req;
-
- REQUIRE(ctx != NULL);
- REQUIRE(b != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
- return (LWRES_R_FAILURE);
-
- req = CTXMALLOC(sizeof(lwres_nooprequest_t));
- if (req == NULL)
- return (LWRES_R_NOMEMORY);
-
- if (!SPACE_REMAINING(b, sizeof(lwres_uint16_t))) {
- ret = LWRES_R_UNEXPECTEDEND;
- goto out;
- }
- req->datalength = lwres_buffer_getuint16(b);
-
- if (!SPACE_REMAINING(b, req->datalength)) {
- ret = LWRES_R_UNEXPECTEDEND;
- goto out;
- }
- req->data = b->base + b->current;
- lwres_buffer_forward(b, req->datalength);
-
- if (LWRES_BUFFER_REMAINING(b) != 0) {
- ret = LWRES_R_TRAILINGDATA;
- goto out;
- }
-
- /* success! */
- *structp = req;
- return (LWRES_R_SUCCESS);
-
- /* Error return */
- out:
- CTXFREE(req, sizeof(lwres_nooprequest_t));
- return (ret);
-}
-
-lwres_result_t
-lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_noopresponse_t **structp)
-{
- int ret;
- lwres_noopresponse_t *req;
-
- REQUIRE(ctx != NULL);
- REQUIRE(b != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
- return (LWRES_R_FAILURE);
-
- req = CTXMALLOC(sizeof(lwres_noopresponse_t));
- if (req == NULL)
- return (LWRES_R_NOMEMORY);
-
- if (!SPACE_REMAINING(b, sizeof(lwres_uint16_t))) {
- ret = LWRES_R_UNEXPECTEDEND;
- goto out;
- }
- req->datalength = lwres_buffer_getuint16(b);
-
- if (!SPACE_REMAINING(b, req->datalength)) {
- ret = LWRES_R_UNEXPECTEDEND;
- goto out;
- }
- req->data = b->base + b->current;
-
- lwres_buffer_forward(b, req->datalength);
- if (LWRES_BUFFER_REMAINING(b) != 0) {
- ret = LWRES_R_TRAILINGDATA;
- goto out;
- }
-
- /* success! */
- *structp = req;
- return (LWRES_R_SUCCESS);
-
- /* Error return */
- out:
- CTXFREE(req, sizeof(lwres_noopresponse_t));
- return (ret);
-}
-
-void
-lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp)
-{
- lwres_noopresponse_t *noop;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- noop = *structp;
- *structp = NULL;
-
- CTXFREE(noop, sizeof(lwres_noopresponse_t));
-}
-
-void
-lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp)
-{
- lwres_nooprequest_t *noop;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- noop = *structp;
- *structp = NULL;
-
- CTXFREE(noop, sizeof(lwres_nooprequest_t));
-}
diff --git a/lib/liblwres/lwresutil.c b/lib/liblwres/lwresutil.c
deleted file mode 100644
index 60f330e76..000000000
--- a/lib/liblwres/lwresutil.c
+++ /dev/null
@@ -1,491 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwresutil.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "assert_p.h"
-#include "context_p.h"
-
-/*
- * Requires:
- *
- * The "current" pointer in "b" points to encoded raw data.
- *
- * Ensures:
- *
- * The address of the first byte of the data is returned via "p",
- * and the length is returned via "len". If NULL, they are not
- * set.
- *
- * On return, the current pointer of "b" will point to the character
- * following the data length and the data.
- *
- */
-lwres_result_t
-lwres_data_parse(lwres_buffer_t *b, unsigned char **p, lwres_uint16_t *len)
-{
- lwres_uint16_t datalen;
- unsigned char *data;
-
- REQUIRE(b != NULL);
-
- /*
- * Pull off the length (2 bytes)
- */
- if (!SPACE_REMAINING(b, 2))
- return (LWRES_R_UNEXPECTEDEND);
- datalen = lwres_buffer_getuint16(b);
-
- /*
- * Set the pointer to this string to the right place, then
- * advance the buffer pointer.
- */
- if (!SPACE_REMAINING(b, datalen))
- return (LWRES_R_UNEXPECTEDEND);
- data = b->base + b->current;
- lwres_buffer_forward(b, datalen);
-
- if (len != NULL)
- *len = datalen;
- if (p != NULL)
- *p = data;
-
- return (LWRES_R_SUCCESS);
-}
-
-/*
- * Requires:
- *
- * The "current" pointer in "b" point to an encoded string.
- *
- * Ensures:
- *
- * The address of the first byte of the string is returned via "c",
- * and the length is returned via "len". If NULL, they are not
- * set.
- *
- * On return, the current pointer of "b" will point to the character
- * following the string length, the string, and the trailing NULL.
- *
- */
-lwres_result_t
-lwres_string_parse(lwres_buffer_t *b, char **c, lwres_uint16_t *len)
-{
- lwres_uint16_t datalen;
- char *string;
-
- REQUIRE(b != NULL);
-
- /*
- * Pull off the length (2 bytes)
- */
- if (!SPACE_REMAINING(b, 2))
- return (LWRES_R_UNEXPECTEDEND);
- datalen = lwres_buffer_getuint16(b);
-
- /*
- * Set the pointer to this string to the right place, then
- * advance the buffer pointer.
- */
- if (!SPACE_REMAINING(b, datalen))
- return (LWRES_R_UNEXPECTEDEND);
- string = (char *)b->base + b->current;
- lwres_buffer_forward(b, datalen);
-
- /*
- * Skip the "must be zero" byte.
- */
- if (!SPACE_REMAINING(b, 1))
- return (LWRES_R_UNEXPECTEDEND);
- if (0 != lwres_buffer_getuint8(b))
- return (LWRES_R_FAILURE);
-
- if (len != NULL)
- *len = datalen;
- if (c != NULL)
- *c = string;
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr)
-{
- REQUIRE(addr != NULL);
-
- if (!SPACE_REMAINING(b, 6))
- return (LWRES_R_UNEXPECTEDEND);
-
- addr->family = lwres_buffer_getuint32(b);
- addr->length = lwres_buffer_getuint16(b);
-
- if (!SPACE_REMAINING(b, addr->length))
- return (LWRES_R_UNEXPECTEDEND);
- if (addr->length > LWRES_ADDR_MAXLEN)
- return (LWRES_R_FAILURE);
-
- lwres_buffer_getmem(b, addr->address, addr->length);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_getaddrsbyname(lwres_context_t *ctx, const char *name,
- lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp)
-{
- lwres_gabnrequest_t request;
- lwres_gabnresponse_t *response;
- int ret;
- int recvlen;
- lwres_buffer_t b_in, b_out;
- lwres_lwpacket_t pkt;
- lwres_uint32_t serial;
- char *buffer;
- char target_name[1024];
- unsigned int target_length;
-
- REQUIRE(ctx != NULL);
- REQUIRE(name != NULL);
- REQUIRE(addrtypes != 0);
- REQUIRE(structp != NULL && *structp == NULL);
-
- b_in.base = NULL;
- b_out.base = NULL;
- response = NULL;
- buffer = NULL;
- serial = lwres_context_nextserial(ctx);
-
- buffer = CTXMALLOC(LWRES_RECVLENGTH);
- if (buffer == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
-
- target_length = strlen(name);
- if (target_length >= sizeof(target_name))
- return (LWRES_R_FAILURE);
- strcpy(target_name, name); /* strcpy is safe */
-
- /*
- * Set up our request and render it to a buffer.
- */
- request.flags = 0;
- request.addrtypes = addrtypes;
- request.name = target_name;
- request.namelen = target_length;
- pkt.pktflags = 0;
- pkt.serial = serial;
- pkt.result = 0;
- pkt.recvlength = LWRES_RECVLENGTH;
-
- again:
- ret = lwres_gabnrequest_render(ctx, &request, &pkt, &b_out);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
- LWRES_RECVLENGTH, &recvlen);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- lwres_buffer_init(&b_in, buffer, recvlen);
- b_in.used = recvlen;
-
- /*
- * Parse the packet header.
- */
- ret = lwres_lwpacket_parseheader(&b_in, &pkt);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- /*
- * Sanity check.
- */
- if (pkt.serial != serial)
- goto again;
- if (pkt.opcode != LWRES_OPCODE_GETADDRSBYNAME)
- goto again;
-
- /*
- * Free what we've transmitted
- */
- CTXFREE(b_out.base, b_out.length);
- b_out.base = NULL;
- b_out.length = 0;
-
- if (pkt.result != LWRES_R_SUCCESS) {
- ret = pkt.result;
- goto out;
- }
-
- /*
- * Parse the response.
- */
- ret = lwres_gabnresponse_parse(ctx, &b_in, &pkt, &response);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- response->base = buffer;
- response->baselen = LWRES_RECVLENGTH;
- buffer = NULL; /* don't free this below */
-
- *structp = response;
- return (LWRES_R_SUCCESS);
-
- out:
- if (b_out.base != NULL)
- CTXFREE(b_out.base, b_out.length);
- if (buffer != NULL)
- CTXFREE(buffer, LWRES_RECVLENGTH);
- if (response != NULL)
- lwres_gabnresponse_free(ctx, &response);
-
- return (ret);
-}
-
-
-lwres_result_t
-lwres_getnamebyaddr(lwres_context_t *ctx, lwres_uint32_t addrtype,
- lwres_uint16_t addrlen, const unsigned char *addr,
- lwres_gnbaresponse_t **structp)
-{
- lwres_gnbarequest_t request;
- lwres_gnbaresponse_t *response;
- int ret;
- int recvlen;
- lwres_buffer_t b_in, b_out;
- lwres_lwpacket_t pkt;
- lwres_uint32_t serial;
- char *buffer;
-
- REQUIRE(ctx != NULL);
- REQUIRE(addrtype != 0);
- REQUIRE(addrlen != 0);
- REQUIRE(addr != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- b_in.base = NULL;
- b_out.base = NULL;
- response = NULL;
- buffer = NULL;
- serial = lwres_context_nextserial(ctx);
-
- buffer = CTXMALLOC(LWRES_RECVLENGTH);
- if (buffer == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
-
- /*
- * Set up our request and render it to a buffer.
- */
- request.flags = 0;
- request.addr.family = addrtype;
- request.addr.length = addrlen;
- memcpy(request.addr.address, addr, addrlen);
- pkt.pktflags = 0;
- pkt.serial = serial;
- pkt.result = 0;
- pkt.recvlength = LWRES_RECVLENGTH;
-
- again:
- ret = lwres_gnbarequest_render(ctx, &request, &pkt, &b_out);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
- LWRES_RECVLENGTH, &recvlen);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- lwres_buffer_init(&b_in, buffer, recvlen);
- b_in.used = recvlen;
-
- /*
- * Parse the packet header.
- */
- ret = lwres_lwpacket_parseheader(&b_in, &pkt);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- /*
- * Sanity check.
- */
- if (pkt.serial != serial)
- goto again;
- if (pkt.opcode != LWRES_OPCODE_GETNAMEBYADDR)
- goto again;
-
- /*
- * Free what we've transmitted
- */
- CTXFREE(b_out.base, b_out.length);
- b_out.base = NULL;
- b_out.length = 0;
-
- if (pkt.result != LWRES_R_SUCCESS) {
- ret = pkt.result;
- goto out;
- }
-
- /*
- * Parse the response.
- */
- ret = lwres_gnbaresponse_parse(ctx, &b_in, &pkt, &response);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- response->base = buffer;
- response->baselen = LWRES_RECVLENGTH;
- buffer = NULL; /* don't free this below */
-
- *structp = response;
- return (LWRES_R_SUCCESS);
-
- out:
- if (b_out.base != NULL)
- CTXFREE(b_out.base, b_out.length);
- if (buffer != NULL)
- CTXFREE(buffer, LWRES_RECVLENGTH);
- if (response != NULL)
- lwres_gnbaresponse_free(ctx, &response);
-
- return (ret);
-}
-
-lwres_result_t
-lwres_getrdatabyname(lwres_context_t *ctx, const char *name,
- lwres_uint16_t rdclass, lwres_uint16_t rdtype,
- lwres_uint32_t flags, lwres_grbnresponse_t **structp)
-{
- int ret;
- int recvlen;
- lwres_buffer_t b_in, b_out;
- lwres_lwpacket_t pkt;
- lwres_uint32_t serial;
- char *buffer;
- lwres_grbnrequest_t request;
- lwres_grbnresponse_t *response;
- char target_name[1024];
- unsigned int target_length;
-
- REQUIRE(ctx != NULL);
- REQUIRE(name != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- b_in.base = NULL;
- b_out.base = NULL;
- response = NULL;
- buffer = NULL;
- serial = lwres_context_nextserial(ctx);
-
- buffer = CTXMALLOC(LWRES_RECVLENGTH);
- if (buffer == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
-
- target_length = strlen(name);
- if (target_length >= sizeof(target_name))
- return (LWRES_R_FAILURE);
- strcpy(target_name, name); /* strcpy is safe */
-
- /*
- * Set up our request and render it to a buffer.
- */
- request.rdclass = rdclass;
- request.rdtype = rdtype;
- request.flags = flags;
- request.name = target_name;
- request.namelen = target_length;
- pkt.pktflags = 0;
- pkt.serial = serial;
- pkt.result = 0;
- pkt.recvlength = LWRES_RECVLENGTH;
-
- again:
- ret = lwres_grbnrequest_render(ctx, &request, &pkt, &b_out);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
- LWRES_RECVLENGTH, &recvlen);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- lwres_buffer_init(&b_in, buffer, recvlen);
- b_in.used = recvlen;
-
- /*
- * Parse the packet header.
- */
- ret = lwres_lwpacket_parseheader(&b_in, &pkt);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- /*
- * Sanity check.
- */
- if (pkt.serial != serial)
- goto again;
- if (pkt.opcode != LWRES_OPCODE_GETRDATABYNAME)
- goto again;
-
- /*
- * Free what we've transmitted
- */
- CTXFREE(b_out.base, b_out.length);
- b_out.base = NULL;
- b_out.length = 0;
-
- if (pkt.result != LWRES_R_SUCCESS) {
- ret = pkt.result;
- goto out;
- }
-
- /*
- * Parse the response.
- */
- ret = lwres_grbnresponse_parse(ctx, &b_in, &pkt, &response);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- response->base = buffer;
- response->baselen = LWRES_RECVLENGTH;
- buffer = NULL; /* don't free this below */
-
- *structp = response;
- return (LWRES_R_SUCCESS);
-
- out:
- if (b_out.base != NULL)
- CTXFREE(b_out.base, b_out.length);
- if (buffer != NULL)
- CTXFREE(buffer, LWRES_RECVLENGTH);
- if (response != NULL)
- lwres_grbnresponse_free(ctx, &response);
-
- return (ret);
-}
diff --git a/lib/liblwres/man/Makefile.in b/lib/liblwres/man/Makefile.in
deleted file mode 100644
index d06f370ad..000000000
--- a/lib/liblwres/man/Makefile.in
+++ /dev/null
@@ -1,232 +0,0 @@
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.1 2004/03/15 20:35:25 as Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_RULES@
-
-# Alphabetically
-#MANPAGES = lwres.3 lwres_addr_parse.3 lwres_buffer.3 \
-# lwres_buffer_add.3 lwres_buffer_back.3 lwres_buffer_clear.3 \
-# lwres_buffer_first.3 lwres_buffer_forward.3 \
-# lwres_buffer_getmem.3 lwres_buffer_getuint16.3 \
-# lwres_buffer_getuint32.3 lwres_buffer_getuint8.3 \
-# lwres_buffer_init.3 lwres_buffer_invalidate.3 \
-# lwres_buffer_putmem.3 lwres_buffer_putuint16.3 \
-# lwres_buffer_putuint32.3 lwres_buffer_putuint8.3 \
-# lwres_buffer_subtract.3 lwres_conf_clear.3 \
-# lwres_conf_get.3 lwres_conf_init.3 \
-# lwres_conf_parse.3 lwres_conf_print.3 \
-# lwres_config.3 lwres_context.3 \
-# lwres_context_allocmem.3 lwres_context_create.3 \
-# lwres_context_destroy.3 lwres_context_freemem.3 \
-# lwres_context_initserial.3 lwres_context_nextserial.3 \
-# lwres_context_sendrecv.3 lwres_endhostent.3 \
-# lwres_endhostent_r.3 lwres_freeaddrinfo.3 \
-# lwres_freehostent.3 lwres_gabn.3 \
-# lwres_gabnrequest_free.3 lwres_gabnrequest_parse.3 \
-# lwres_gabnrequest_render.3 lwres_gabnresponse_free.3 \
-# lwres_gabnresponse_parse.3 lwres_gabnresponse_render.3 \
-# lwres_gai_strerror.3 lwres_getaddrinfo.3 \
-# lwres_getaddrsbyname.3 lwres_gethostbyaddr.3 \
-# lwres_gethostbyaddr_r.3 lwres_gethostbyname.3 \
-# lwres_gethostbyname2.3 lwres_gethostbyname_r.3 \
-# lwres_gethostent.3 lwres_gethostent_r.3 \
-# lwres_getipnode.3 lwres_getipnodebyaddr.3 \
-# lwres_getipnodebyname.3 lwres_getnamebyaddr.3 \
-# lwres_getnameinfo.3 lwres_getrrsetbyname.3 \
-# lwres_gnba.3 lwres_gnbarequest_free.3 \
-# lwres_gnbarequest_parse.3 lwres_gnbarequest_render.3 \
-# lwres_gnbaresponse_free.3 lwres_gnbaresponse_parse.3 \
-# lwres_gnbaresponse_render.3 lwres_herror.3 \
-# lwres_hstrerror.3 lwres_inetntop.3 \
-# lwres_lwpacket_parseheader.3 lwres_lwpacket_renderheader.3 \
-# lwres_net_ntop.3 lwres_noop.3 \
-# lwres_nooprequest_free.3 lwres_nooprequest_parse.3 \
-# lwres_nooprequest_render.3 lwres_noopresponse_free.3 \
-# lwres_noopresponse_parse.3 lwres_noopresponse_render.3 \
-# lwres_packet.3 lwres_resutil.3 \
-# lwres_sethostent.3 lwres_sethostent_r.3 \
-# lwres_string_parse.3
-
-
-MANPAGES = lwres.3 lwres_buffer.3 lwres_config.3 lwres_context.3 \
- lwres_gabn.3 lwres_gai_strerror.3 lwres_getaddrinfo.3 \
- lwres_gethostent.3 lwres_getipnode.3 lwres_getnameinfo.3 \
- lwres_getrrsetbyname.3 lwres_gnba.3 lwres_hstrerror.3 lwres_inetntop.3 \
- lwres_noop.3 lwres_packet.3 lwres_resutil.3
-
-HTMLPAGES = lwres.html lwres_buffer.html lwres_config.html lwres_context.html \
- lwres_gabn.html lwres_gai_strerror.html lwres_getaddrinfo.html \
- lwres_gethostent.html lwres_getipnode.html lwres_getnameinfo.html \
- lwres_getrrsetbyname.html lwres_gnba.html lwres_hstrerror.html lwres_inetntop.html \
- lwres_noop.html lwres_packet.html lwres_resutil.html
-
-MANOBJS = ${MANPAGES} ${HTMLPAGES}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
- rm -f ${MANOBJS}
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man3
-
-man3 = ${DESTDIR}${mandir}/man3
-
-install:: installdirs
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man3; done
- rm -f ${man3}/lwres_addr_parse.3
- @LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_addr_parse.3
- rm -f ${man3}/lwres_buffer_add.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_add.3
- rm -f ${man3}/lwres_buffer_back.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_back.3
- rm -f ${man3}/lwres_buffer_clear.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_clear.3
- rm -f ${man3}/lwres_buffer_first.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_first.3
- rm -f ${man3}/lwres_buffer_forward.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_forward.3
- rm -f ${man3}/lwres_buffer_getmem.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getmem.3
- rm -f ${man3}/lwres_buffer_getuint16.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint16.3
- rm -f ${man3}/lwres_buffer_getuint32.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint32.3
- rm -f ${man3}/lwres_buffer_getuint8.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint8.3
- rm -f ${man3}/lwres_buffer_init.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_init.3
- rm -f ${man3}/lwres_buffer_invalidate.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_invalidate.3
- rm -f ${man3}/lwres_buffer_putmem.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putmem.3
- rm -f ${man3}/lwres_buffer_putuint16.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint16.3
- rm -f ${man3}/lwres_buffer_putuint32.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint32.3
- rm -f ${man3}/lwres_buffer_putuint8.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint8.3
- rm -f ${man3}/lwres_buffer_subtract.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_subtract.3
- rm -f ${man3}/lwres_conf_clear.3
- @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_clear.3
- rm -f ${man3}/lwres_conf_get.3
- @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_get.3
- rm -f ${man3}/lwres_conf_init.3
- @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_init.3
- rm -f ${man3}/lwres_conf_parse.3
- @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_parse.3
- rm -f ${man3}/lwres_conf_print.3
- @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_print.3
- rm -f ${man3}/lwres_context_allocmem.3
- @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_allocmem.3
- rm -f ${man3}/lwres_context_create.3
- @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_create.3
- rm -f ${man3}/lwres_context_destroy.3
- @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_destroy.3
- rm -f ${man3}/lwres_context_freemem.3
- @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_freemem.3
- rm -f ${man3}/lwres_context_initserial.3
- @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_initserial.3
- rm -f ${man3}/lwres_context_nextserial.3
- @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_nextserial.3
- rm -f ${man3}/lwres_context_sendrecv.3
- @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_sendrecv.3
- rm -f ${man3}/lwres_endhostent.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_endhostent.3
- rm -f ${man3}/lwres_endhostent_r.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_endhostent_r.3
- rm -f ${man3}/lwres_freeaddrinfo.3
- @LN@ ${man3}/lwres_getaddrinfo.3 ${man3}/lwres_freeaddrinfo.3
- rm -f ${man3}/lwres_freehostent.3
- @LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_freehostent.3
- rm -f ${man3}/lwres_gabnrequest_free.3
- @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_free.3
- rm -f ${man3}/lwres_gabnrequest_parse.3
- @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_parse.3
- rm -f ${man3}/lwres_gabnrequest_render.3
- @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_render.3
- rm -f ${man3}/lwres_gabnresponse_free.3
- @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_free.3
- rm -f ${man3}/lwres_gabnresponse_parse.3
- @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_parse.3
- rm -f ${man3}/lwres_gabnresponse_render.3
- @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_render.3
- rm -f ${man3}/lwres_getaddrsbyname.3
- @LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_getaddrsbyname.3
- rm -f ${man3}/lwres_gethostbyaddr.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyaddr.3
- rm -f ${man3}/lwres_gethostbyaddr_r.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyaddr_r.3
- rm -f ${man3}/lwres_gethostbyname.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname.3
- rm -f ${man3}/lwres_gethostbyname2.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname2.3
- rm -f ${man3}/lwres_gethostbyname_r.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname_r.3
- rm -f ${man3}/lwres_gethostent_r.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostent_r.3
- rm -f ${man3}/lwres_getipnodebyaddr.3
- @LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_getipnodebyaddr.3
- rm -f ${man3}/lwres_getipnodebyname.3
- @LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_getipnodebyname.3
- rm -f ${man3}/lwres_getnamebyaddr.3
- @LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_getnamebyaddr.3
- rm -f ${man3}/lwres_gnbarequest_free.3
- @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_free.3
- rm -f ${man3}/lwres_gnbarequest_parse.3
- @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_parse.3
- rm -f ${man3}/lwres_gnbarequest_render.3
- @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_render.3
- rm -f ${man3}/lwres_gnbaresponse_free.3
- @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_free.3
- rm -f ${man3}/lwres_gnbaresponse_parse.3
- @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_parse.3
- rm -f ${man3}/lwres_gnbaresponse_render.3
- @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_render.3
- rm -f ${man3}/lwres_herror.3
- @LN@ ${man3}/lwres_hstrerror.3 ${man3}/lwres_herror.3
- rm -f ${man3}/lwres_lwpacket_parseheader.3
- @LN@ ${man3}/lwres_packet.3 ${man3}/lwres_lwpacket_parseheader.3
- rm -f ${man3}/lwres_lwpacket_renderheader.3
- @LN@ ${man3}/lwres_packet.3 ${man3}/lwres_lwpacket_renderheader.3
- rm -f ${man3}/lwres_net_ntop.3
- @LN@ ${man3}/lwres_inetntop.3 ${man3}/lwres_net_ntop.3
- rm -f ${man3}/lwres_nooprequest_free.3
- @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_free.3
- rm -f ${man3}/lwres_nooprequest_parse.3
- @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_parse.3
- rm -f ${man3}/lwres_nooprequest_render.3
- @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_render.3
- rm -f ${man3}/lwres_noopresponse_free.3
- @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_free.3
- rm -f ${man3}/lwres_noopresponse_parse.3
- @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_parse.3
- rm -f ${man3}/lwres_noopresponse_render.3
- @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_render.3
- rm -f ${man3}/lwres_sethostent.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_sethostent.3
- rm -f ${man3}/lwres_sethostent_r.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_sethostent_r.3
- rm -f ${man3}/lwres_string_parse.3
- @LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_string_parse.3
diff --git a/lib/liblwres/man/lwres.3 b/lib/liblwres/man/lwres.3
deleted file mode 100644
index f2393912d..000000000
--- a/lib/liblwres/man/lwres.3
+++ /dev/null
@@ -1,158 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres \- introduction to the lightweight resolver library
-.SH SYNOPSIS
-\fB#include <lwres/lwres.h>\fR
-.SH "DESCRIPTION"
-.PP
-The BIND 9 lightweight resolver library is a simple, name service
-independent stub resolver library. It provides hostname-to-address
-and address-to-hostname lookup services to applications by
-transmitting lookup requests to a resolver daemon
-\fBlwresd\fR
-running on the local host. The resover daemon performs the
-lookup using the DNS or possibly other name service protocols,
-and returns the results to the application through the library.
-The library and resolver daemon communicate using a simple
-UDP-based protocol.
-.SH "OVERVIEW"
-.PP
-The lwresd library implements multiple name service APIs.
-The standard
-\fBgethostbyname()\fR,
-\fBgethostbyaddr()\fR,
-\fBgethostbyname_r()\fR,
-\fBgethostbyaddr_r()\fR,
-\fBgetaddrinfo()\fR,
-\fBgetipnodebyname()\fR,
-and
-\fBgetipnodebyaddr()\fR
-functions are all supported. To allow the lwres library to coexist
-with system libraries that define functions of the same name,
-the library defines these functions with names prefixed by
-lwres_.
-To define the standard names, applications must include the
-header file
-\fI<lwres/netdb.h>\fR
-which contains macro definitions mapping the standard function names
-into
-lwres_
-prefixed ones. Operating system vendors who integrate the lwres
-library into their base distributions should rename the functions
-in the library proper so that the renaming macros are not needed.
-.PP
-The library also provides a native API consisting of the functions
-\fBlwres_getaddrsbyname()\fR
-and
-\fBlwres_getnamebyaddr()\fR.
-These may be called by applications that require more detailed
-control over the lookup process than the standard functions
-provide.
-.PP
-In addition to these name service independent address lookup
-functions, the library implements a new, experimental API
-for looking up arbitrary DNS resource records, using the
-\fBlwres_getaddrsbyname()\fR
-function.
-.PP
-Finally, there is a low-level API for converting lookup
-requests and responses to and from raw lwres protocol packets.
-This API can be used by clients requiring nonblocking operation,
-and is also used when implementing the server side of the lwres
-protocol, for example in the
-\fBlwresd\fR
-resolver daemon. The use of this low-level API in clients
-and servers is outlined in the following sections.
-.SH "CLIENT-SIDE LOW-LEVEL API CALL FLOW"
-.PP
-When a client program wishes to make an lwres request using the
-native low-level API, it typically performs the following
-sequence of actions.
-.PP
-(1) Allocate or use an existing \fBlwres_packet_t\fR,
-called pkt below.
-.PP
-(2) Set \fBpkt.recvlength\fR to the maximum length we will accept.
-This is done so the receiver of our packets knows how large our receive
-buffer is. The "default" is a constant in
-\fIlwres.h\fR: LWRES_RECVLENGTH = 4096.
-.PP
-(3) Set \fBpkt.serial\fR
-to a unique serial number. This value is echoed
-back to the application by the remote server.
-.PP
-(4) Set \fBpkt.pktflags\fR. Usually this is set to 0.
-.PP
-(5) Set \fBpkt.result\fR to 0.
-.PP
-(6) Call \fBlwres_*request_render()\fR,
-or marshall in the data using the primitives
-such as \fBlwres_packet_render()\fR
-and storing the packet data.
-.PP
-(7) Transmit the resulting buffer.
-.PP
-(8) Call \fBlwres_*response_parse()\fR
-to parse any packets received.
-.PP
-(9) Verify that the opcode and serial match a request, and process the
-packet specific information contained in the body.
-.SH "SERVER-SIDE LOW-LEVEL API CALL FLOW"
-.PP
-When implementing the server side of the lightweight resolver
-protocol using the lwres library, a sequence of actions like the
-following is typically involved in processing each request packet.
-.PP
-Note that the same \fBlwres_packet_t\fR is used
-in both the \fB_parse()\fR and \fB_render()\fR calls,
-with only a few modifications made
-to the packet header's contents between uses. This method is recommended
-as it keeps the serial, opcode, and other fields correct.
-.PP
-(1) When a packet is received, call \fBlwres_*request_parse()\fR to
-unmarshall it. This returns a \fBlwres_packet_t\fR (also called pkt, below)
-as well as a data specific type, such as \fBlwres_gabnrequest_t\fR.
-.PP
-(2) Process the request in the data specific type.
-.PP
-(3) Set the \fBpkt.result\fR,
-\fBpkt.recvlength\fR as above. All other fields can
-be left untouched since they were filled in by the \fB*_parse()\fR call
-above. If using \fBlwres_*response_render()\fR,
-\fBpkt.pktflags\fR will be set up
-properly. Otherwise, the LWRES_LWPACKETFLAG_RESPONSE bit should be
-set.
-.PP
-(4) Call the data specific rendering function, such as
-\fBlwres_gabnresponse_render()\fR.
-.PP
-(5) Send the resulting packet to the client.
-.PP
-.SH "SEE ALSO"
-.PP
-\fBlwres_gethostent\fR(3),
-\fBlwres_getipnode\fR(3),
-\fBlwres_getnameinfo\fR(3),
-\fBlwres_noop\fR(3),
-\fBlwres_gabn\fR(3),
-\fBlwres_gnba\fR(3),
-\fBlwres_context\fR(3),
-\fBlwres_config\fR(3),
-\fBresolver\fR(5),
-\fBlwresd\fR(8).
diff --git a/lib/liblwres/man/lwres.docbook b/lib/liblwres/man/lwres.docbook
deleted file mode 100644
index 15378e908..000000000
--- a/lib/liblwres/man/lwres.docbook
+++ /dev/null
@@ -1,244 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-<refentryinfo>
-
-<date>Jun 30, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-<refnamediv>
-<refname>lwres</refname>
-<refpurpose>introduction to the lightweight resolver library</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-The BIND 9 lightweight resolver library is a simple, name service
-independent stub resolver library. It provides hostname-to-address
-and address-to-hostname lookup services to applications by
-transmitting lookup requests to a resolver daemon
-<command>lwresd</command>
-running on the local host. The resover daemon performs the
-lookup using the DNS or possibly other name service protocols,
-and returns the results to the application through the library.
-The library and resolver daemon communicate using a simple
-UDP-based protocol.
-</para>
-</refsect1>
-
-<refsect1>
-<title>OVERVIEW</title>
-<para>
-The lwresd library implements multiple name service APIs.
-The standard
-<function>gethostbyname()</function>,
-<function>gethostbyaddr()</function>,
-<function>gethostbyname_r()</function>,
-<function>gethostbyaddr_r()</function>,
-<function>getaddrinfo()</function>,
-<function>getipnodebyname()</function>,
-and
-<function>getipnodebyaddr()</function>
-functions are all supported. To allow the lwres library to coexist
-with system libraries that define functions of the same name,
-the library defines these functions with names prefixed by
-<literal>lwres_</literal>.
-To define the standard names, applications must include the
-header file
-<filename>&lt;lwres/netdb.h&gt;</filename>
-which contains macro definitions mapping the standard function names
-into
-<literal>lwres_</literal>
-prefixed ones. Operating system vendors who integrate the lwres
-library into their base distributions should rename the functions
-in the library proper so that the renaming macros are not needed.
-</para>
-<para>
-The library also provides a native API consisting of the functions
-<function>lwres_getaddrsbyname()</function>
-and
-<function>lwres_getnamebyaddr()</function>.
-These may be called by applications that require more detailed
-control over the lookup process than the standard functions
-provide.
-</para>
-<para>
-In addition to these name service independent address lookup
-functions, the library implements a new, experimental API
-for looking up arbitrary DNS resource records, using the
-<function>lwres_getaddrsbyname()</function>
-function.
-</para>
-<para>
-Finally, there is a low-level API for converting lookup
-requests and responses to and from raw lwres protocol packets.
-This API can be used by clients requiring nonblocking operation,
-and is also used when implementing the server side of the lwres
-protocol, for example in the
-<command>lwresd</command>
-resolver daemon. The use of this low-level API in clients
-and servers is outlined in the following sections.
-</para>
-</refsect1>
-<refsect1>
-<title>CLIENT-SIDE LOW-LEVEL API CALL FLOW</title>
-<para>
-When a client program wishes to make an lwres request using the
-native low-level API, it typically performs the following
-sequence of actions.
-</para>
-<para>
-(1) Allocate or use an existing <type>lwres_packet_t</type>,
-called <varname>pkt</varname> below.
-</para>
-<para>
-(2) Set <structfield>pkt.recvlength</structfield> to the maximum length we will accept.
-This is done so the receiver of our packets knows how large our receive
-buffer is. The "default" is a constant in
-<filename>lwres.h</filename>: <constant>LWRES_RECVLENGTH = 4096</constant>.
-</para>
-<para>
-(3) Set <structfield>pkt.serial</structfield>
-to a unique serial number. This value is echoed
-back to the application by the remote server.
-</para>
-<para>
-(4) Set <structfield>pkt.pktflags</structfield>. Usually this is set to 0.
-</para>
-<para>
-(5) Set <structfield>pkt.result</structfield> to 0.
-</para>
-<para>
-(6) Call <function>lwres_*request_render()</function>,
-or marshall in the data using the primitives
-such as <function>lwres_packet_render()</function>
-and storing the packet data.
-</para>
-<para>
-(7) Transmit the resulting buffer.
-</para>
-<para>
-(8) Call <function>lwres_*response_parse()</function>
-to parse any packets received.
-</para>
-<para>
-(9) Verify that the opcode and serial match a request, and process the
-packet specific information contained in the body.
-</para>
-</refsect1>
-<refsect1>
-<title>SERVER-SIDE LOW-LEVEL API CALL FLOW</title>
-<para>
-When implementing the server side of the lightweight resolver
-protocol using the lwres library, a sequence of actions like the
-following is typically involved in processing each request packet.
-</para>
-<para>
-Note that the same <type>lwres_packet_t</type> is used
-in both the <function>_parse()</function> and <function>_render()</function> calls,
-with only a few modifications made
-to the packet header's contents between uses. This method is recommended
-as it keeps the serial, opcode, and other fields correct.
-</para>
-<para>
-(1) When a packet is received, call <function>lwres_*request_parse()</function> to
-unmarshall it. This returns a <type>lwres_packet_t</type> (also called <varname>pkt</varname>, below)
-as well as a data specific type, such as <type>lwres_gabnrequest_t</type>.
-</para>
-<para>
-(2) Process the request in the data specific type.
-</para>
-<para>
-(3) Set the <structfield>pkt.result</structfield>,
-<structfield>pkt.recvlength</structfield> as above. All other fields can
-be left untouched since they were filled in by the <function>*_parse()</function> call
-above. If using <function>lwres_*response_render()</function>,
-<structfield>pkt.pktflags</structfield> will be set up
-properly. Otherwise, the <constant>LWRES_LWPACKETFLAG_RESPONSE</constant> bit should be
-set.
-</para>
-<para>
-(4) Call the data specific rendering function, such as
-<function>lwres_gabnresponse_render()</function>.
-</para>
-<para>
-(5) Send the resulting packet to the client.
-</para>
-<para>
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getipnode</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_noop</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_gnba</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_context</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_config</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwresd</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-
-</para>
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres.html b/lib/liblwres/man/lwres.html
deleted file mode 100644
index 7b9f88dcb..000000000
--- a/lib/liblwres/man/lwres.html
+++ /dev/null
@@ -1,444 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres&nbsp;--&nbsp;introduction to the lightweight resolver library</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN11"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN12"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/lwres.h&gt;</PRE
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN14"
-></A
-><H2
->DESCRIPTION</H2
-><P
->The BIND 9 lightweight resolver library is a simple, name service
-independent stub resolver library. It provides hostname-to-address
-and address-to-hostname lookup services to applications by
-transmitting lookup requests to a resolver daemon
-<B
-CLASS="COMMAND"
->lwresd</B
->
-running on the local host. The resover daemon performs the
-lookup using the DNS or possibly other name service protocols,
-and returns the results to the application through the library.
-The library and resolver daemon communicate using a simple
-UDP-based protocol.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN18"
-></A
-><H2
->OVERVIEW</H2
-><P
->The lwresd library implements multiple name service APIs.
-The standard
-<TT
-CLASS="FUNCTION"
->gethostbyname()</TT
->,
-<TT
-CLASS="FUNCTION"
->gethostbyaddr()</TT
->,
-<TT
-CLASS="FUNCTION"
->gethostbyname_r()</TT
->,
-<TT
-CLASS="FUNCTION"
->gethostbyaddr_r()</TT
->,
-<TT
-CLASS="FUNCTION"
->getaddrinfo()</TT
->,
-<TT
-CLASS="FUNCTION"
->getipnodebyname()</TT
->,
-and
-<TT
-CLASS="FUNCTION"
->getipnodebyaddr()</TT
->
-functions are all supported. To allow the lwres library to coexist
-with system libraries that define functions of the same name,
-the library defines these functions with names prefixed by
-<TT
-CLASS="LITERAL"
->lwres_</TT
->.
-To define the standard names, applications must include the
-header file
-<TT
-CLASS="FILENAME"
->&lt;lwres/netdb.h&gt;</TT
->
-which contains macro definitions mapping the standard function names
-into
-<TT
-CLASS="LITERAL"
->lwres_</TT
->
-prefixed ones. Operating system vendors who integrate the lwres
-library into their base distributions should rename the functions
-in the library proper so that the renaming macros are not needed.</P
-><P
->The library also provides a native API consisting of the functions
-<TT
-CLASS="FUNCTION"
->lwres_getaddrsbyname()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_getnamebyaddr()</TT
->.
-These may be called by applications that require more detailed
-control over the lookup process than the standard functions
-provide.</P
-><P
->In addition to these name service independent address lookup
-functions, the library implements a new, experimental API
-for looking up arbitrary DNS resource records, using the
-<TT
-CLASS="FUNCTION"
->lwres_getaddrsbyname()</TT
->
-function.</P
-><P
->Finally, there is a low-level API for converting lookup
-requests and responses to and from raw lwres protocol packets.
-This API can be used by clients requiring nonblocking operation,
-and is also used when implementing the server side of the lwres
-protocol, for example in the
-<B
-CLASS="COMMAND"
->lwresd</B
->
-resolver daemon. The use of this low-level API in clients
-and servers is outlined in the following sections.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN38"
-></A
-><H2
->CLIENT-SIDE LOW-LEVEL API CALL FLOW</H2
-><P
->When a client program wishes to make an lwres request using the
-native low-level API, it typically performs the following
-sequence of actions.</P
-><P
->(1) Allocate or use an existing <SPAN
-CLASS="TYPE"
->lwres_packet_t</SPAN
->,
-called <TT
-CLASS="VARNAME"
->pkt</TT
-> below.</P
-><P
->(2) Set <TT
-CLASS="STRUCTFIELD"
-><I
->pkt.recvlength</I
-></TT
-> to the maximum length we will accept.
-This is done so the receiver of our packets knows how large our receive
-buffer is. The "default" is a constant in
-<TT
-CLASS="FILENAME"
->lwres.h</TT
->: <TT
-CLASS="CONSTANT"
->LWRES_RECVLENGTH = 4096</TT
->.</P
-><P
->(3) Set <TT
-CLASS="STRUCTFIELD"
-><I
->pkt.serial</I
-></TT
->
-to a unique serial number. This value is echoed
-back to the application by the remote server.</P
-><P
->(4) Set <TT
-CLASS="STRUCTFIELD"
-><I
->pkt.pktflags</I
-></TT
->. Usually this is set to 0.</P
-><P
->(5) Set <TT
-CLASS="STRUCTFIELD"
-><I
->pkt.result</I
-></TT
-> to 0.</P
-><P
->(6) Call <TT
-CLASS="FUNCTION"
->lwres_*request_render()</TT
->,
-or marshall in the data using the primitives
-such as <TT
-CLASS="FUNCTION"
->lwres_packet_render()</TT
->
-and storing the packet data.</P
-><P
->(7) Transmit the resulting buffer.</P
-><P
->(8) Call <TT
-CLASS="FUNCTION"
->lwres_*response_parse()</TT
->
-to parse any packets received.</P
-><P
->(9) Verify that the opcode and serial match a request, and process the
-packet specific information contained in the body.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN61"
-></A
-><H2
->SERVER-SIDE LOW-LEVEL API CALL FLOW</H2
-><P
->When implementing the server side of the lightweight resolver
-protocol using the lwres library, a sequence of actions like the
-following is typically involved in processing each request packet.</P
-><P
->Note that the same <SPAN
-CLASS="TYPE"
->lwres_packet_t</SPAN
-> is used
-in both the <TT
-CLASS="FUNCTION"
->_parse()</TT
-> and <TT
-CLASS="FUNCTION"
->_render()</TT
-> calls,
-with only a few modifications made
-to the packet header's contents between uses. This method is recommended
-as it keeps the serial, opcode, and other fields correct.</P
-><P
->(1) When a packet is received, call <TT
-CLASS="FUNCTION"
->lwres_*request_parse()</TT
-> to
-unmarshall it. This returns a <SPAN
-CLASS="TYPE"
->lwres_packet_t</SPAN
-> (also called <TT
-CLASS="VARNAME"
->pkt</TT
->, below)
-as well as a data specific type, such as <SPAN
-CLASS="TYPE"
->lwres_gabnrequest_t</SPAN
->.</P
-><P
->(2) Process the request in the data specific type.</P
-><P
->(3) Set the <TT
-CLASS="STRUCTFIELD"
-><I
->pkt.result</I
-></TT
->,
-<TT
-CLASS="STRUCTFIELD"
-><I
->pkt.recvlength</I
-></TT
-> as above. All other fields can
-be left untouched since they were filled in by the <TT
-CLASS="FUNCTION"
->*_parse()</TT
-> call
-above. If using <TT
-CLASS="FUNCTION"
->lwres_*response_render()</TT
->,
-<TT
-CLASS="STRUCTFIELD"
-><I
->pkt.pktflags</I
-></TT
-> will be set up
-properly. Otherwise, the <TT
-CLASS="CONSTANT"
->LWRES_LWPACKETFLAG_RESPONSE</TT
-> bit should be
-set.</P
-><P
->(4) Call the data specific rendering function, such as
-<TT
-CLASS="FUNCTION"
->lwres_gabnresponse_render()</TT
->.</P
-><P
->(5) Send the resulting packet to the client.</P
-><P
-></P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN85"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_gethostent</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_getipnode</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_getnameinfo</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_noop</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_gabn</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_gnba</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_context</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_config</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->resolver</SPAN
->(5)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwresd</SPAN
->(8)</SPAN
->.&#13;</P
-></DIV
-></BODY
-></HTML
->
\ No newline at end of file
diff --git a/lib/liblwres/man/lwres_buffer.3 b/lib/liblwres/man/lwres_buffer.3
deleted file mode 100644
index 8077fc2ef..000000000
--- a/lib/liblwres/man/lwres_buffer.3
+++ /dev/null
@@ -1,277 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_BUFFER" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem \- lightweight resolver buffer management
-.SH SYNOPSIS
-\fB#include <lwres/lwbuffer.h>
-.sp
-.na
-void
-lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length);
-.ad
-.sp
-.na
-void
-lwres_buffer_invalidate(lwres_buffer_t *b);
-.ad
-.sp
-.na
-void
-lwres_buffer_add(lwres_buffer_t *b, unsigned int n);
-.ad
-.sp
-.na
-void
-lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n);
-.ad
-.sp
-.na
-void
-lwres_buffer_clear(lwres_buffer_t *b);
-.ad
-.sp
-.na
-void
-lwres_buffer_first(lwres_buffer_t *b);
-.ad
-.sp
-.na
-void
-lwres_buffer_forward(lwres_buffer_t *b, unsigned int n);
-.ad
-.sp
-.na
-void
-lwres_buffer_back(lwres_buffer_t *b, unsigned int n);
-.ad
-.sp
-.na
-lwres_uint8_t
-lwres_buffer_getuint8(lwres_buffer_t *b);
-.ad
-.sp
-.na
-void
-lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val);
-.ad
-.sp
-.na
-lwres_uint16_t
-lwres_buffer_getuint16(lwres_buffer_t *b);
-.ad
-.sp
-.na
-void
-lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val);
-.ad
-.sp
-.na
-lwres_uint32_t
-lwres_buffer_getuint32(lwres_buffer_t *b);
-.ad
-.sp
-.na
-void
-lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val);
-.ad
-.sp
-.na
-void
-lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base, unsigned int length);
-.ad
-.sp
-.na
-void
-lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base, unsigned int length);
-.ad
-\fR.SH "DESCRIPTION"
-.PP
-These functions provide bounds checked access to a region of memory
-where data is being read or written.
-They are based on, and similar to, the
-isc_buffer_
-functions in the ISC library.
-.PP
-A buffer is a region of memory, together with a set of related
-subregions.
-The \fBused region\fR and the
-\fBavailable\fR region are disjoint, and
-their union is the buffer's region.
-The used region extends from the beginning of the buffer region to the
-last used byte.
-The available region extends from one byte greater than the last used
-byte to the end of the buffer's region.
-The size of the used region can be changed using various
-buffer commands.
-Initially, the used region is empty.
-.PP
-The used region is further subdivided into two disjoint regions: the
-\fBconsumed region\fR and the \fBremaining region\fR.
-The union of these two regions is the used region.
-The consumed region extends from the beginning of the used region to
-the byte before the \fBcurrent\fR offset (if any).
-The \fBremaining\fR region the current pointer to the end of the used
-region.
-The size of the consumed region can be changed using various
-buffer commands.
-Initially, the consumed region is empty.
-.PP
-The \fBactive region\fR is an (optional) subregion of the remaining
-region.
-It extends from the current offset to an offset in the
-remaining region.
-Initially, the active region is empty.
-If the current offset advances beyond the chosen offset,
-the active region will also be empty.
-.PP
-.sp
-.nf
-
- /------------entire length---------------\\\\
- /----- used region -----\\\\/-- available --\\\\
- +----------------------------------------+
- | consumed | remaining | |
- +----------------------------------------+
- a b c d e
-
- a == base of buffer.
- b == current pointer. Can be anywhere between a and d.
- c == active pointer. Meaningful between b and d.
- d == used pointer.
- e == length of buffer.
-
- a-e == entire length of buffer.
- a-d == used region.
- a-b == consumed region.
- b-d == remaining region.
- b-c == optional active region.
-.sp
-.fi
-.PP
-\fBlwres_buffer_init()\fR
-initializes the
-\fBlwres_buffer_t\fR
-\fI*b\fR
-and assocates it with the memory region of size
-\fIlength\fR
-bytes starting at location
-\fIbase.\fR
-.PP
-\fBlwres_buffer_invalidate()\fR
-marks the buffer
-\fI*b\fR
-as invalid. Invalidating a buffer after use is not required,
-but makes it possible to catch its possible accidental use.
-.PP
-The functions
-\fBlwres_buffer_add()\fR
-and
-\fBlwres_buffer_subtract()\fR
-respectively increase and decrease the used space in
-buffer
-\fI*b\fR
-by
-\fIn\fR
-bytes.
-\fBlwres_buffer_add()\fR
-checks for buffer overflow and
-\fBlwres_buffer_subtract()\fR
-checks for underflow.
-These functions do not allocate or deallocate memory.
-They just change the value of
-\fBused\fR.
-.PP
-A buffer is re-initialised by
-\fBlwres_buffer_clear()\fR.
-The function sets
-\fBused\fR ,
-\fBcurrent\fR
-and
-\fBactive\fR
-to zero.
-.PP
-\fBlwres_buffer_first\fR
-makes the consumed region of buffer
-\fI*p\fR
-empty by setting
-\fBcurrent\fR
-to zero (the start of the buffer).
-.PP
-\fBlwres_buffer_forward()\fR
-increases the consumed region of buffer
-\fI*b\fR
-by
-\fIn\fR
-bytes, checking for overflow.
-Similarly,
-\fBlwres_buffer_back()\fR
-decreases buffer
-\fIb\fR's
-consumed region by
-\fIn\fR
-bytes and checks for underflow.
-.PP
-\fBlwres_buffer_getuint8()\fR
-reads an unsigned 8-bit integer from
-\fI*b\fR
-and returns it.
-\fBlwres_buffer_putuint8()\fR
-writes the unsigned 8-bit integer
-\fIval\fR
-to buffer
-\fI*b\fR.
-.PP
-\fBlwres_buffer_getuint16()\fR
-and
-\fBlwres_buffer_getuint32()\fR
-are identical to
-\fBlwres_buffer_putuint8()\fR
-except that they respectively read an unsigned 16-bit or 32-bit integer
-in network byte order from
-\fIb\fR.
-Similarly,
-\fBlwres_buffer_putuint16()\fR
-and
-\fBlwres_buffer_putuint32()\fR
-writes the unsigned 16-bit or 32-bit integer
-\fIval\fR
-to buffer
-\fIb\fR,
-in network byte order.
-.PP
-Arbitrary amounts of data are read or written from a lightweight
-resolver buffer with
-\fBlwres_buffer_getmem()\fR
-and
-\fBlwres_buffer_putmem()\fR
-respectively.
-\fBlwres_buffer_putmem()\fR
-copies
-\fIlength\fR
-bytes of memory at
-\fIbase\fR
-to
-\fIb\fR.
-Conversely,
-\fBlwres_buffer_getmem()\fR
-copies
-\fIlength\fR
-bytes of memory from
-\fIb\fR
-to
-\fIbase\fR.
diff --git a/lib/liblwres/man/lwres_buffer.docbook b/lib/liblwres/man/lwres_buffer.docbook
deleted file mode 100644
index 8f9d55889..000000000
--- a/lib/liblwres/man/lwres_buffer.docbook
+++ /dev/null
@@ -1,378 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_buffer.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_buffer</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
-<refnamediv>
-<refname>lwres_buffer_init</refname>
-<refname>lwres_buffer_invalidate</refname>
-<refname>lwres_buffer_add</refname>
-<refname>lwres_buffer_subtract</refname>
-<refname>lwres_buffer_clear</refname>
-<refname>lwres_buffer_first</refname>
-<refname>lwres_buffer_forward</refname>
-<refname>lwres_buffer_back</refname>
-<refname>lwres_buffer_getuint8</refname>
-<refname>lwres_buffer_putuint8</refname>
-<refname>lwres_buffer_getuint16</refname>
-<refname>lwres_buffer_putuint16</refname>
-<refname>lwres_buffer_getuint32</refname>
-<refname>lwres_buffer_putuint32</refname>
-<refname>lwres_buffer_putmem</refname>
-<refname>lwres_buffer_getmem</refname>
-<refpurpose>lightweight resolver buffer management</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-
-<funcsynopsis>
-<funcsynopsisinfo>
-#include &lt;lwres/lwbuffer.h&gt;
-</funcsynopsisinfo>
-
-<funcprototype>
-
-<funcdef>
-void
-<function>lwres_buffer_init</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>void *base</paramdef>
-<paramdef>unsigned int length</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_invalidate</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_add</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned int n</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_subtract</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned int n</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_clear</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_first</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_forward</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned int n</paramdef>
-</funcprototype>
-<funcprototype>
-
-<funcdef>
-void
-<function>lwres_buffer_back</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned int n</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-lwres_uint8_t
-<function>lwres_buffer_getuint8</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_putuint8</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_uint8_t val</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-lwres_uint16_t
-<function>lwres_buffer_getuint16</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_putuint16</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_uint16_t val</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-lwres_uint32_t
-<function>lwres_buffer_getuint32</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_putuint32</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_uint32_t val</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_putmem</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>const unsigned char *base</paramdef>
-<paramdef>unsigned int length</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_getmem</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned char *base</paramdef>
-<paramdef>unsigned int length</paramdef>
-</funcprototype>
-
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-
-<title>DESCRIPTION</title>
-<para>
-These functions provide bounds checked access to a region of memory
-where data is being read or written.
-They are based on, and similar to, the
-<literal>isc_buffer_</literal>
-functions in the ISC library.
-</para>
-<para>
-A buffer is a region of memory, together with a set of related
-subregions.
-The <emphasis>used region</emphasis> and the
-<emphasis>available</emphasis> region are disjoint, and
-their union is the buffer's region.
-The used region extends from the beginning of the buffer region to the
-last used byte.
-The available region extends from one byte greater than the last used
-byte to the end of the buffer's region.
-The size of the used region can be changed using various
-buffer commands.
-Initially, the used region is empty.
-</para>
-<para>
-The used region is further subdivided into two disjoint regions: the
-<emphasis>consumed region</emphasis> and the <emphasis>remaining region</emphasis>.
-The union of these two regions is the used region.
-The consumed region extends from the beginning of the used region to
-the byte before the <emphasis>current</emphasis> offset (if any).
-The <emphasis>remaining</emphasis> region the current pointer to the end of the used
-region.
-The size of the consumed region can be changed using various
-buffer commands.
-Initially, the consumed region is empty.
-</para>
-<para>
-The <emphasis>active region</emphasis> is an (optional) subregion of the remaining
-region.
-It extends from the current offset to an offset in the
-remaining region.
-Initially, the active region is empty.
-If the current offset advances beyond the chosen offset,
-the active region will also be empty.
-</para>
-<para>
-<programlisting>
-
- /------------entire length---------------\\
- /----- used region -----\\/-- available --\\
- +----------------------------------------+
- | consumed | remaining | |
- +----------------------------------------+
- a b c d e
-
- a == base of buffer.
- b == current pointer. Can be anywhere between a and d.
- c == active pointer. Meaningful between b and d.
- d == used pointer.
- e == length of buffer.
-
- a-e == entire length of buffer.
- a-d == used region.
- a-b == consumed region.
- b-d == remaining region.
- b-c == optional active region.
-</programlisting>
-</para>
-<para>
-<function>lwres_buffer_init()</function>
-initializes the
-<type>lwres_buffer_t</type>
-<parameter>*b</parameter>
-and assocates it with the memory region of size
-<parameter>length</parameter>
-bytes starting at location
-<parameter>base.</parameter>
-</para>
-<para>
-<function>lwres_buffer_invalidate()</function>
-marks the buffer
-<parameter>*b</parameter>
-as invalid. Invalidating a buffer after use is not required,
-but makes it possible to catch its possible accidental use.
-</para>
-<para>
-The functions
-<function>lwres_buffer_add()</function>
-and
-<function>lwres_buffer_subtract()</function>
-respectively increase and decrease the used space in
-buffer
-<parameter>*b</parameter>
-by
-<parameter>n</parameter>
-bytes.
-<function>lwres_buffer_add()</function>
-checks for buffer overflow and
-<function>lwres_buffer_subtract()</function>
-checks for underflow.
-These functions do not allocate or deallocate memory.
-They just change the value of
-<structfield>used</structfield>.
-</para>
-<para>
-A buffer is re-initialised by
-<function>lwres_buffer_clear()</function>.
-The function sets
-<structfield>used</structfield> ,
-<structfield>current</structfield>
-and
-<structfield>active</structfield>
-to zero.
-</para>
-<para>
-<function>lwres_buffer_first</function>
-makes the consumed region of buffer
-<parameter>*p</parameter>
-empty by setting
-<structfield>current</structfield>
-to zero (the start of the buffer).
-</para>
-<para>
-<function>lwres_buffer_forward()</function>
-increases the consumed region of buffer
-<parameter>*b</parameter>
-by
-<parameter>n</parameter>
-bytes, checking for overflow.
-Similarly,
-<function>lwres_buffer_back()</function>
-decreases buffer
-<parameter>b</parameter>'s
-consumed region by
-<parameter>n</parameter>
-bytes and checks for underflow.
-</para>
-<para>
-<function>lwres_buffer_getuint8()</function>
-reads an unsigned 8-bit integer from
-<parameter>*b</parameter>
-and returns it.
-<function>lwres_buffer_putuint8()</function>
-writes the unsigned 8-bit integer
-<parameter>val</parameter>
-to buffer
-<parameter>*b</parameter>.
-</para>
-<para>
-<function>lwres_buffer_getuint16()</function>
-and
-<function>lwres_buffer_getuint32()</function>
-are identical to
-<function>lwres_buffer_putuint8()</function>
-except that they respectively read an unsigned 16-bit or 32-bit integer
-in network byte order from
-<parameter>b</parameter>.
-Similarly,
-<function>lwres_buffer_putuint16()</function>
-and
-<function>lwres_buffer_putuint32()</function>
-writes the unsigned 16-bit or 32-bit integer
-<parameter>val</parameter>
-to buffer
-<parameter>b</parameter>,
-in network byte order.
-</para>
-<para>
-Arbitrary amounts of data are read or written from a lightweight
-resolver buffer with
-<function>lwres_buffer_getmem()</function>
-and
-<function>lwres_buffer_putmem()</function>
-respectively.
-<function>lwres_buffer_putmem()</function>
-copies
-<parameter>length</parameter>
-bytes of memory at
-<parameter>base</parameter>
-to
-<parameter>b</parameter>.
-Conversely,
-<function>lwres_buffer_getmem()</function>
-copies
-<parameter>length</parameter>
-bytes of memory from
-<parameter>b</parameter>
-to
-<parameter>base</parameter>.
-</para>
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_buffer.html b/lib/liblwres/man/lwres_buffer.html
deleted file mode 100644
index ae2ffd50c..000000000
--- a/lib/liblwres/man/lwres_buffer.html
+++ /dev/null
@@ -1,608 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_buffer</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_buffer</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem&nbsp;--&nbsp;lightweight resolver buffer management</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN26"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN27"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/lwbuffer.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_buffer_init</CODE
->(lwres_buffer_t *b, void *base, unsigned int length);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_buffer_invalidate</CODE
->(lwres_buffer_t *b);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_buffer_add</CODE
->(lwres_buffer_t *b, unsigned int n);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_buffer_subtract</CODE
->(lwres_buffer_t *b, unsigned int n);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_buffer_clear</CODE
->(lwres_buffer_t *b);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_buffer_first</CODE
->(lwres_buffer_t *b);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_buffer_forward</CODE
->(lwres_buffer_t *b, unsigned int n);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_buffer_back</CODE
->(lwres_buffer_t *b, unsigned int n);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_uint8_t
-lwres_buffer_getuint8</CODE
->(lwres_buffer_t *b);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_buffer_putuint8</CODE
->(lwres_buffer_t *b, lwres_uint8_t val);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_uint16_t
-lwres_buffer_getuint16</CODE
->(lwres_buffer_t *b);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_buffer_putuint16</CODE
->(lwres_buffer_t *b, lwres_uint16_t val);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_uint32_t
-lwres_buffer_getuint32</CODE
->(lwres_buffer_t *b);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_buffer_putuint32</CODE
->(lwres_buffer_t *b, lwres_uint32_t val);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_buffer_putmem</CODE
->(lwres_buffer_t *b, const unsigned char *base, unsigned int length);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_buffer_getmem</CODE
->(lwres_buffer_t *b, unsigned char *base, unsigned int length);</CODE
-></P
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN106"
-></A
-><H2
->DESCRIPTION</H2
-><P
->These functions provide bounds checked access to a region of memory
-where data is being read or written.
-They are based on, and similar to, the
-<TT
-CLASS="LITERAL"
->isc_buffer_</TT
->
-functions in the ISC library.</P
-><P
->A buffer is a region of memory, together with a set of related
-subregions.
-The <I
-CLASS="EMPHASIS"
->used region</I
-> and the
-<I
-CLASS="EMPHASIS"
->available</I
-> region are disjoint, and
-their union is the buffer's region.
-The used region extends from the beginning of the buffer region to the
-last used byte.
-The available region extends from one byte greater than the last used
-byte to the end of the buffer's region.
-The size of the used region can be changed using various
-buffer commands.
-Initially, the used region is empty.</P
-><P
->The used region is further subdivided into two disjoint regions: the
-<I
-CLASS="EMPHASIS"
->consumed region</I
-> and the <I
-CLASS="EMPHASIS"
->remaining region</I
->.
-The union of these two regions is the used region.
-The consumed region extends from the beginning of the used region to
-the byte before the <I
-CLASS="EMPHASIS"
->current</I
-> offset (if any).
-The <I
-CLASS="EMPHASIS"
->remaining</I
-> region the current pointer to the end of the used
-region.
-The size of the consumed region can be changed using various
-buffer commands.
-Initially, the consumed region is empty.</P
-><P
->The <I
-CLASS="EMPHASIS"
->active region</I
-> is an (optional) subregion of the remaining
-region.
-It extends from the current offset to an offset in the
-remaining region.
-Initially, the active region is empty.
-If the current offset advances beyond the chosen offset,
-the active region will also be empty.</P
-><P
-><PRE
-CLASS="PROGRAMLISTING"
->
- /------------entire length---------------\\
- /----- used region -----\\/-- available --\\
- +----------------------------------------+
- | consumed | remaining | |
- +----------------------------------------+
- a b c d e
-
- a == base of buffer.
- b == current pointer. Can be anywhere between a and d.
- c == active pointer. Meaningful between b and d.
- d == used pointer.
- e == length of buffer.
-
- a-e == entire length of buffer.
- a-d == used region.
- a-b == consumed region.
- b-d == remaining region.
- b-c == optional active region.</PRE
-></P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_buffer_init()</TT
->
-initializes the
-<SPAN
-CLASS="TYPE"
->lwres_buffer_t</SPAN
->
-<TT
-CLASS="PARAMETER"
-><I
->*b</I
-></TT
->
-and assocates it with the memory region of size
-<TT
-CLASS="PARAMETER"
-><I
->length</I
-></TT
->
-bytes starting at location
-<TT
-CLASS="PARAMETER"
-><I
->base.</I
-></TT
-></P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_buffer_invalidate()</TT
->
-marks the buffer
-<TT
-CLASS="PARAMETER"
-><I
->*b</I
-></TT
->
-as invalid. Invalidating a buffer after use is not required,
-but makes it possible to catch its possible accidental use.</P
-><P
->The functions
-<TT
-CLASS="FUNCTION"
->lwres_buffer_add()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_buffer_subtract()</TT
->
-respectively increase and decrease the used space in
-buffer
-<TT
-CLASS="PARAMETER"
-><I
->*b</I
-></TT
->
-by
-<TT
-CLASS="PARAMETER"
-><I
->n</I
-></TT
->
-bytes.
-<TT
-CLASS="FUNCTION"
->lwres_buffer_add()</TT
->
-checks for buffer overflow and
-<TT
-CLASS="FUNCTION"
->lwres_buffer_subtract()</TT
->
-checks for underflow.
-These functions do not allocate or deallocate memory.
-They just change the value of
-<TT
-CLASS="STRUCTFIELD"
-><I
->used</I
-></TT
->.</P
-><P
->A buffer is re-initialised by
-<TT
-CLASS="FUNCTION"
->lwres_buffer_clear()</TT
->.
-The function sets
-<TT
-CLASS="STRUCTFIELD"
-><I
->used</I
-></TT
-> ,
-<TT
-CLASS="STRUCTFIELD"
-><I
->current</I
-></TT
->
-and
-<TT
-CLASS="STRUCTFIELD"
-><I
->active</I
-></TT
->
-to zero.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_buffer_first</TT
->
-makes the consumed region of buffer
-<TT
-CLASS="PARAMETER"
-><I
->*p</I
-></TT
->
-empty by setting
-<TT
-CLASS="STRUCTFIELD"
-><I
->current</I
-></TT
->
-to zero (the start of the buffer).</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_buffer_forward()</TT
->
-increases the consumed region of buffer
-<TT
-CLASS="PARAMETER"
-><I
->*b</I
-></TT
->
-by
-<TT
-CLASS="PARAMETER"
-><I
->n</I
-></TT
->
-bytes, checking for overflow.
-Similarly,
-<TT
-CLASS="FUNCTION"
->lwres_buffer_back()</TT
->
-decreases buffer
-<TT
-CLASS="PARAMETER"
-><I
->b</I
-></TT
->'s
-consumed region by
-<TT
-CLASS="PARAMETER"
-><I
->n</I
-></TT
->
-bytes and checks for underflow.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_buffer_getuint8()</TT
->
-reads an unsigned 8-bit integer from
-<TT
-CLASS="PARAMETER"
-><I
->*b</I
-></TT
->
-and returns it.
-<TT
-CLASS="FUNCTION"
->lwres_buffer_putuint8()</TT
->
-writes the unsigned 8-bit integer
-<TT
-CLASS="PARAMETER"
-><I
->val</I
-></TT
->
-to buffer
-<TT
-CLASS="PARAMETER"
-><I
->*b</I
-></TT
->.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_buffer_getuint16()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_buffer_getuint32()</TT
->
-are identical to
-<TT
-CLASS="FUNCTION"
->lwres_buffer_putuint8()</TT
->
-except that they respectively read an unsigned 16-bit or 32-bit integer
-in network byte order from
-<TT
-CLASS="PARAMETER"
-><I
->b</I
-></TT
->.
-Similarly,
-<TT
-CLASS="FUNCTION"
->lwres_buffer_putuint16()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_buffer_putuint32()</TT
->
-writes the unsigned 16-bit or 32-bit integer
-<TT
-CLASS="PARAMETER"
-><I
->val</I
-></TT
->
-to buffer
-<TT
-CLASS="PARAMETER"
-><I
->b</I
-></TT
->,
-in network byte order.</P
-><P
->Arbitrary amounts of data are read or written from a lightweight
-resolver buffer with
-<TT
-CLASS="FUNCTION"
->lwres_buffer_getmem()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_buffer_putmem()</TT
->
-respectively.
-<TT
-CLASS="FUNCTION"
->lwres_buffer_putmem()</TT
->
-copies
-<TT
-CLASS="PARAMETER"
-><I
->length</I
-></TT
->
-bytes of memory at
-<TT
-CLASS="PARAMETER"
-><I
->base</I
-></TT
->
-to
-<TT
-CLASS="PARAMETER"
-><I
->b</I
-></TT
->.
-Conversely,
-<TT
-CLASS="FUNCTION"
->lwres_buffer_getmem()</TT
->
-copies
-<TT
-CLASS="PARAMETER"
-><I
->length</I
-></TT
->
-bytes of memory from
-<TT
-CLASS="PARAMETER"
-><I
->b</I
-></TT
->
-to
-<TT
-CLASS="PARAMETER"
-><I
->base</I
-></TT
->.</P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_config.3 b/lib/liblwres/man/lwres_config.3
deleted file mode 100644
index 9a93cc0e7..000000000
--- a/lib/liblwres/man/lwres_config.3
+++ /dev/null
@@ -1,105 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_CONFIG" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get \- lightweight resolver configuration
-.SH SYNOPSIS
-\fB#include <lwres/lwres.h>
-.sp
-.na
-void
-lwres_conf_init(lwres_context_t *ctx);
-.ad
-.sp
-.na
-void
-lwres_conf_clear(lwres_context_t *ctx);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_conf_parse(lwres_context_t *ctx, const char *filename);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_conf_print(lwres_context_t *ctx, FILE *fp);
-.ad
-.sp
-.na
-lwres_conf_t *
-lwres_conf_get(lwres_context_t *ctx);
-.ad
-\fR.SH "DESCRIPTION"
-.PP
-\fBlwres_conf_init()\fR
-creates an empty
-\fBlwres_conf_t\fR
-structure for lightweight resolver context
-\fIctx\fR.
-.PP
-\fBlwres_conf_clear()\fR
-frees up all the internal memory used by
-that
-\fBlwres_conf_t\fR
-structure in resolver context
-\fIctx\fR.
-.PP
-\fBlwres_conf_parse()\fR
-opens the file
-\fIfilename\fR
-and parses it to initialise the resolver context
-\fIctx\fR's
-\fBlwres_conf_t\fR
-structure.
-.PP
-\fBlwres_conf_print()\fR
-prints the
-\fBlwres_conf_t\fR
-structure for resolver context
-\fIctx\fR
-to the
-\fBFILE\fR
-\fIfp\fR.
-.SH "RETURN VALUES"
-.PP
-\fBlwres_conf_parse()\fR
-returns
-LWRES_R_SUCCESS
-if it successfully read and parsed
-\fIfilename\fR.
-It returns
-LWRES_R_FAILURE
-if
-\fIfilename\fR
-could not be opened or contained incorrect
-resolver statements.
-.PP
-\fBlwres_conf_print()\fR
-returns
-LWRES_R_SUCCESS
-unless an error occurred when converting the network addresses to a
-numeric host address string.
-If this happens, the function returns
-LWRES_R_FAILURE.
-.SH "SEE ALSO"
-.PP
-\fBstdio\fR(3),
-\fBresolver\fR(5).
-.SH "FILES"
-.PP
-\fI/etc/resolv.conf\fR
diff --git a/lib/liblwres/man/lwres_config.docbook b/lib/liblwres/man/lwres_config.docbook
deleted file mode 100644
index 03ec6c211..000000000
--- a/lib/liblwres/man/lwres_config.docbook
+++ /dev/null
@@ -1,159 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_config.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-<refentryinfo>
-
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_config</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
-<refnamediv>
-<refname>lwres_conf_init</refname>
-<refname>lwres_conf_clear</refname>
-<refname>lwres_conf_parse</refname>
-<refname>lwres_conf_print</refname>
-<refname>lwres_conf_get</refname>
-<refpurpose>lightweight resolver configuration</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_conf_init</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_conf_clear</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_conf_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>const char *filename</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_conf_print</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>FILE *fp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_conf_t *
-<function>lwres_conf_get</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_conf_init()</function>
-creates an empty
-<type>lwres_conf_t</type>
-structure for lightweight resolver context
-<parameter>ctx</parameter>.
-</para>
-<para>
-<function>lwres_conf_clear()</function>
-frees up all the internal memory used by
-that
-<type>lwres_conf_t</type>
-structure in resolver context
-<parameter>ctx</parameter>.
-</para>
-<para>
-<function>lwres_conf_parse()</function>
-opens the file
-<parameter>filename</parameter>
-and parses it to initialise the resolver context
-<parameter>ctx</parameter>'s
-<type>lwres_conf_t</type>
-structure.
-</para>
-<para>
-<function>lwres_conf_print()</function>
-prints the
-<type>lwres_conf_t</type>
-structure for resolver context
-<parameter>ctx</parameter>
-to the
-<type>FILE</type>
-<parameter>fp</parameter>.
-</para>
-</refsect1>
-<refsect1>
-
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_conf_parse()</function>
-returns
-<errorcode>LWRES_R_SUCCESS</errorcode>
-if it successfully read and parsed
-<parameter>filename</parameter>.
-It returns
-<errorcode>LWRES_R_FAILURE</errorcode>
-if
-<parameter>filename</parameter>
-could not be opened or contained incorrect
-resolver statements.
-</para>
-<para>
-<function>lwres_conf_print()</function>
-returns
-<errorcode>LWRES_R_SUCCESS</errorcode>
-unless an error occurred when converting the network addresses to a
-numeric host address string.
-If this happens, the function returns
-<errorcode>LWRES_R_FAILURE</errorcode>.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>stdio</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
-</citerefentry>.
-</refsect1>
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/resolv.conf</filename>
-</para>
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_config.html b/lib/liblwres/man/lwres_config.html
deleted file mode 100644
index 67fbcdd88..000000000
--- a/lib/liblwres/man/lwres_config.html
+++ /dev/null
@@ -1,295 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_config</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_config</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get&nbsp;--&nbsp;lightweight resolver configuration</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN15"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN16"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/lwres.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_conf_init</CODE
->(lwres_context_t *ctx);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_conf_clear</CODE
->(lwres_context_t *ctx);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_conf_parse</CODE
->(lwres_context_t *ctx, const char *filename);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_conf_print</CODE
->(lwres_context_t *ctx, FILE *fp);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_conf_t *
-lwres_conf_get</CODE
->(lwres_context_t *ctx);</CODE
-></P
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN40"
-></A
-><H2
->DESCRIPTION</H2
-><P
-><TT
-CLASS="FUNCTION"
->lwres_conf_init()</TT
->
-creates an empty
-<SPAN
-CLASS="TYPE"
->lwres_conf_t</SPAN
->
-structure for lightweight resolver context
-<TT
-CLASS="PARAMETER"
-><I
->ctx</I
-></TT
->.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_conf_clear()</TT
->
-frees up all the internal memory used by
-that
-<SPAN
-CLASS="TYPE"
->lwres_conf_t</SPAN
->
-structure in resolver context
-<TT
-CLASS="PARAMETER"
-><I
->ctx</I
-></TT
->.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_conf_parse()</TT
->
-opens the file
-<TT
-CLASS="PARAMETER"
-><I
->filename</I
-></TT
->
-and parses it to initialise the resolver context
-<TT
-CLASS="PARAMETER"
-><I
->ctx</I
-></TT
->'s
-<SPAN
-CLASS="TYPE"
->lwres_conf_t</SPAN
->
-structure.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_conf_print()</TT
->
-prints the
-<SPAN
-CLASS="TYPE"
->lwres_conf_t</SPAN
->
-structure for resolver context
-<TT
-CLASS="PARAMETER"
-><I
->ctx</I
-></TT
->
-to the
-<SPAN
-CLASS="TYPE"
->FILE</SPAN
->
-<TT
-CLASS="PARAMETER"
-><I
->fp</I
-></TT
->.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN61"
-></A
-><H2
->RETURN VALUES</H2
-><P
-><TT
-CLASS="FUNCTION"
->lwres_conf_parse()</TT
->
-returns
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_SUCCESS</SPAN
->
-if it successfully read and parsed
-<TT
-CLASS="PARAMETER"
-><I
->filename</I
-></TT
->.
-It returns
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_FAILURE</SPAN
->
-if
-<TT
-CLASS="PARAMETER"
-><I
->filename</I
-></TT
->
-could not be opened or contained incorrect
-resolver statements.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_conf_print()</TT
->
-returns
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_SUCCESS</SPAN
->
-unless an error occurred when converting the network addresses to a
-numeric host address string.
-If this happens, the function returns
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_FAILURE</SPAN
->.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN73"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->stdio</SPAN
->(3)</SPAN
->,
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->resolver</SPAN
->(5)</SPAN
->.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN82"
-></A
-><H2
->FILES</H2
-><P
-><TT
-CLASS="FILENAME"
->/etc/resolv.conf</TT
-></P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_context.3 b/lib/liblwres/man/lwres_context.3
deleted file mode 100644
index d55c14fef..000000000
--- a/lib/liblwres/man/lwres_context.3
+++ /dev/null
@@ -1,194 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_CONTEXT" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv \- lightweight resolver context management
-.SH SYNOPSIS
-\fB#include <lwres/lwres.h>
-.sp
-.na
-lwres_result_t
-lwres_context_create(lwres_context_t **contextp, void *arg, lwres_malloc_t malloc_function, lwres_free_t free_function);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_context_destroy(lwres_context_t **contextp);
-.ad
-.sp
-.na
-void
-lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial);
-.ad
-.sp
-.na
-lwres_uint32_t
-lwres_context_nextserial(lwres_context_t *ctx);
-.ad
-.sp
-.na
-void
-lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len);
-.ad
-.sp
-.na
-void
-lwres_context_allocmem(lwres_context_t *ctx, size_t len);
-.ad
-.sp
-.na
-void *
-lwres_context_sendrecv(lwres_context_t *ctx, void *sendbase, int sendlen, void *recvbase, int recvlen, int *recvd_len);
-.ad
-\fR.SH "DESCRIPTION"
-.PP
-\fBlwres_context_create()\fR
-creates a
-\fBlwres_context_t\fR
-structure for use in lightweight resolver operations.
-It holds a socket and other data needed for communicating
-with a resolver daemon.
-The new
-\fBlwres_context_t\fR
-is returned throught
-\fIcontextp\fR,
-a pointer to a
-\fBlwres_context_t\fR
-pointer. This
-\fBlwres_context_t\fR
-pointer must initially be NULL, and is modified
-to point to the newly created
-\fBlwres_context_t\fR.
-.PP
-When the lightweight resolver needs to perform dynamic memory
-allocation, it will call
-\fImalloc_function\fR
-to allocate memory and
-\fIfree_function\fR
-to free it. If
-\fImalloc_function\fR
-and
-\fIfree_function\fR
-are NULL, memory is allocated using
-\&.Xr malloc 3
-and
-\fBfree\fR(3).
-It is not permitted to have a NULL
-\fImalloc_function\fR
-and a non-NULL
-\fIfree_function\fR
-or vice versa.
-\fIarg\fR
-is passed as the first parameter to the memory
-allocation functions.
-If
-\fImalloc_function\fR
-and
-\fIfree_function\fR
-are NULL,
-\fIarg\fR
-is unused and should be passed as NULL.
-.PP
-Once memory for the structure has been allocated,
-it is initialized using
-\fBlwres_conf_init\fR(3)
-and returned via
-\fI*contextp\fR.
-.PP
-\fBlwres_context_destroy()\fR
-destroys a
-\fBlwres_context_t\fR,
-closing its socket.
-\fIcontextp\fR
-is a pointer to a pointer to the context that is to be destroyed.
-The pointer will be set to NULL when the context has been destroyed.
-.PP
-The context holds a serial number that is used to identify resolver
-request packets and associate responses with the corresponding requests.
-This serial number is controlled using
-\fBlwres_context_initserial()\fR
-and
-\fBlwres_context_nextserial()\fR.
-\fBlwres_context_initserial()\fR
-sets the serial number for context
-\fI*ctx\fR
-to
-\fIserial\fR.
-\fBlwres_context_nextserial()\fR
-increments the serial number and returns the previous value.
-.PP
-Memory for a lightweight resolver context is allocated and freed using
-\fBlwres_context_allocmem()\fR
-and
-\fBlwres_context_freemem()\fR.
-These use whatever allocations were defined when the context was
-created with
-\fBlwres_context_create()\fR.
-\fBlwres_context_allocmem()\fR
-allocates
-\fIlen\fR
-bytes of memory and if successful returns a pointer to the allocated
-storage.
-\fBlwres_context_freemem()\fR
-frees
-\fIlen\fR
-bytes of space starting at location
-\fImem\fR.
-.PP
-\fBlwres_context_sendrecv()\fR
-performs I/O for the context
-\fIctx\fR.
-Data are read and written from the context's socket.
-It writes data from
-\fIsendbase\fR
-\(em typically a lightweight resolver query packet \(em
-and waits for a reply which is copied to the receive buffer at
-\fIrecvbase\fR.
-The number of bytes that were written to this receive buffer is
-returned in
-\fI*recvd_len\fR.
-.SH "RETURN VALUES"
-.PP
-\fBlwres_context_create()\fR
-returns
-LWRES_R_NOMEMORY
-if memory for the
-\fBstruct lwres_context\fR
-could not be allocated,
-LWRES_R_SUCCESS
-otherwise.
-.PP
-Successful calls to the memory allocator
-\fBlwres_context_allocmem()\fR
-return a pointer to the start of the allocated space.
-It returns NULL if memory could not be allocated.
-.PP
-LWRES_R_SUCCESS
-is returned when
-\fBlwres_context_sendrecv()\fR
-completes successfully.
-LWRES_R_IOERROR
-is returned if an I/O error occurs and
-LWRES_R_TIMEOUT
-is returned if
-\fBlwres_context_sendrecv()\fR
-times out waiting for a response.
-.SH "SEE ALSO"
-.PP
-\fBlwres_conf_init\fR(3),
-\fBmalloc\fR(3),
-\fBfree\fR(3).
diff --git a/lib/liblwres/man/lwres_context.docbook b/lib/liblwres/man/lwres_context.docbook
deleted file mode 100644
index 9cdfa7525..000000000
--- a/lib/liblwres/man/lwres_context.docbook
+++ /dev/null
@@ -1,283 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_context.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-<refentryinfo>
-
-
-<date>Jun 30, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres_context</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-<refnamediv>
-<refname>lwres_context_create</refname>
-<refname>lwres_context_destroy</refname>
-<refname>lwres_context_nextserial</refname>
-<refname>lwres_context_initserial</refname>
-<refname>lwres_context_freemem</refname>
-<refname>lwres_context_allocmem</refname>
-<refname>lwres_context_sendrecv</refname>
-<refpurpose>lightweight resolver context management</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_context_create</function></funcdef>
-<paramdef>lwres_context_t **contextp</paramdef>
-<paramdef>void *arg</paramdef>
-<paramdef>lwres_malloc_t malloc_function</paramdef>
-<paramdef>lwres_free_t free_function</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_context_destroy</function></funcdef>
-<paramdef>lwres_context_t **contextp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_context_initserial</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_uint32_t serial</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_uint32_t
-<function>lwres_context_nextserial</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_context_freemem</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>void *mem</paramdef>
-<paramdef>size_t len</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_context_allocmem</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>size_t len</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void *
-<function>lwres_context_sendrecv</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>void *sendbase</paramdef>
-<paramdef>int sendlen</paramdef>
-<paramdef>void *recvbase</paramdef>
-<paramdef>int recvlen</paramdef>
-<paramdef>int *recvd_len</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_context_create()</function>
-creates a
-<type>lwres_context_t</type>
-structure for use in lightweight resolver operations.
-It holds a socket and other data needed for communicating
-with a resolver daemon.
-The new
-<type>lwres_context_t</type>
-is returned throught
-<parameter>contextp</parameter>,
-
-a pointer to a
-<type>lwres_context_t</type>
-pointer. This
-<type>lwres_context_t</type>
-pointer must initially be NULL, and is modified
-to point to the newly created
-<type>lwres_context_t</type>.
-
-</para>
-<para>
-When the lightweight resolver needs to perform dynamic memory
-allocation, it will call
-<parameter>malloc_function</parameter>
-to allocate memory and
-<parameter>free_function</parameter>
-
-to free it. If
-<parameter>malloc_function</parameter>
-and
-<parameter>free_function</parameter>
-
-are NULL, memory is allocated using
-.Xr malloc 3
-and
-<citerefentry>
-<refentrytitle>free</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-
-It is not permitted to have a NULL
-<parameter>malloc_function</parameter>
-and a non-NULL
-<parameter>free_function</parameter>
-or vice versa.
-<parameter>arg</parameter>
-is passed as the first parameter to the memory
-allocation functions.
-If
-<parameter>malloc_function</parameter>
-and
-<parameter>free_function</parameter>
-are NULL,
-<parameter>arg</parameter>
-
-is unused and should be passed as NULL.
-</para>
-<para>
-Once memory for the structure has been allocated,
-it is initialized using
-<citerefentry>
-<refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>
-
-and returned via
-<parameter>*contextp</parameter>.
-
-</para>
-<para>
-<function>lwres_context_destroy()</function>
-destroys a
-<type>lwres_context_t</type>,
-
-closing its socket.
-<parameter>contextp</parameter>
-is a pointer to a pointer to the context that is to be destroyed.
-The pointer will be set to NULL when the context has been destroyed.
-</para>
-<para>
-The context holds a serial number that is used to identify resolver
-request packets and associate responses with the corresponding requests.
-This serial number is controlled using
-<function>lwres_context_initserial()</function>
-and
-<function>lwres_context_nextserial()</function>.
-<function>lwres_context_initserial()</function>
-sets the serial number for context
-<parameter>*ctx</parameter>
-to
-<parameter>serial</parameter>.
-
-<function>lwres_context_nextserial()</function>
-increments the serial number and returns the previous value.
-</para>
-<para>
-Memory for a lightweight resolver context is allocated and freed using
-<function>lwres_context_allocmem()</function>
-and
-<function>lwres_context_freemem()</function>.
-These use whatever allocations were defined when the context was
-created with
-<function>lwres_context_create()</function>.
-<function>lwres_context_allocmem()</function>
-allocates
-<parameter>len</parameter>
-bytes of memory and if successful returns a pointer to the allocated
-storage.
-<function>lwres_context_freemem()</function>
-frees
-<parameter>len</parameter>
-bytes of space starting at location
-<parameter>mem</parameter>.
-
-</para>
-<para>
-<function>lwres_context_sendrecv()</function>
-performs I/O for the context
-<parameter>ctx</parameter>.
-
-Data are read and written from the context's socket.
-It writes data from
-<parameter>sendbase</parameter>
-&mdash; typically a lightweight resolver query packet &mdash;
-and waits for a reply which is copied to the receive buffer at
-<parameter>recvbase</parameter>.
-
-The number of bytes that were written to this receive buffer is
-returned in
-<parameter>*recvd_len</parameter>.
-
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_context_create()</function>
-returns
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-if memory for the
-<type>struct lwres_context</type>
-could not be allocated,
-<errorcode>LWRES_R_SUCCESS</errorcode>
-otherwise.
-</para>
-<para>
-Successful calls to the memory allocator
-<function>lwres_context_allocmem()</function>
-return a pointer to the start of the allocated space.
-It returns NULL if memory could not be allocated.
-</para>
-<para>
-<errorcode>LWRES_R_SUCCESS</errorcode>
-is returned when
-<function>lwres_context_sendrecv()</function>
-completes successfully.
-<errorcode>LWRES_R_IOERROR</errorcode>
-is returned if an I/O error occurs and
-<errorcode>LWRES_R_TIMEOUT</errorcode>
-is returned if
-<function>lwres_context_sendrecv()</function>
-times out waiting for a response.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>malloc</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>free</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_context.html b/lib/liblwres/man/lwres_context.html
deleted file mode 100644
index 377125c43..000000000
--- a/lib/liblwres/man/lwres_context.html
+++ /dev/null
@@ -1,519 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_context</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_context</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv&nbsp;--&nbsp;lightweight resolver context management</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN17"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN18"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/lwres.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_context_create</CODE
->(lwres_context_t **contextp, void *arg, lwres_malloc_t malloc_function, lwres_free_t free_function);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_context_destroy</CODE
->(lwres_context_t **contextp);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_context_initserial</CODE
->(lwres_context_t *ctx, lwres_uint32_t serial);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_uint32_t
-lwres_context_nextserial</CODE
->(lwres_context_t *ctx);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_context_freemem</CODE
->(lwres_context_t *ctx, void *mem, size_t len);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_context_allocmem</CODE
->(lwres_context_t *ctx, size_t len);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void *
-lwres_context_sendrecv</CODE
->(lwres_context_t *ctx, void *sendbase, int sendlen, void *recvbase, int recvlen, int *recvd_len);</CODE
-></P
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN60"
-></A
-><H2
->DESCRIPTION</H2
-><P
-><TT
-CLASS="FUNCTION"
->lwres_context_create()</TT
->
-creates a
-<SPAN
-CLASS="TYPE"
->lwres_context_t</SPAN
->
-structure for use in lightweight resolver operations.
-It holds a socket and other data needed for communicating
-with a resolver daemon.
-The new
-<SPAN
-CLASS="TYPE"
->lwres_context_t</SPAN
->
-is returned throught
-<TT
-CLASS="PARAMETER"
-><I
->contextp</I
-></TT
->,
-
-a pointer to a
-<SPAN
-CLASS="TYPE"
->lwres_context_t</SPAN
->
-pointer. This
-<SPAN
-CLASS="TYPE"
->lwres_context_t</SPAN
->
-pointer must initially be NULL, and is modified
-to point to the newly created
-<SPAN
-CLASS="TYPE"
->lwres_context_t</SPAN
->.&#13;</P
-><P
->When the lightweight resolver needs to perform dynamic memory
-allocation, it will call
-<TT
-CLASS="PARAMETER"
-><I
->malloc_function</I
-></TT
->
-to allocate memory and
-<TT
-CLASS="PARAMETER"
-><I
->free_function</I
-></TT
->
-
-to free it. If
-<TT
-CLASS="PARAMETER"
-><I
->malloc_function</I
-></TT
->
-and
-<TT
-CLASS="PARAMETER"
-><I
->free_function</I
-></TT
->
-
-are NULL, memory is allocated using
-.Xr malloc 3
-and
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->free</SPAN
->(3)</SPAN
->.
-
-It is not permitted to have a NULL
-<TT
-CLASS="PARAMETER"
-><I
->malloc_function</I
-></TT
->
-and a non-NULL
-<TT
-CLASS="PARAMETER"
-><I
->free_function</I
-></TT
->
-or vice versa.
-<TT
-CLASS="PARAMETER"
-><I
->arg</I
-></TT
->
-is passed as the first parameter to the memory
-allocation functions.
-If
-<TT
-CLASS="PARAMETER"
-><I
->malloc_function</I
-></TT
->
-and
-<TT
-CLASS="PARAMETER"
-><I
->free_function</I
-></TT
->
-are NULL,
-<TT
-CLASS="PARAMETER"
-><I
->arg</I
-></TT
->
-
-is unused and should be passed as NULL.</P
-><P
->Once memory for the structure has been allocated,
-it is initialized using
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_conf_init</SPAN
->(3)</SPAN
->
-
-and returned via
-<TT
-CLASS="PARAMETER"
-><I
->*contextp</I
-></TT
->.&#13;</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_context_destroy()</TT
->
-destroys a
-<SPAN
-CLASS="TYPE"
->lwres_context_t</SPAN
->,
-
-closing its socket.
-<TT
-CLASS="PARAMETER"
-><I
->contextp</I
-></TT
->
-is a pointer to a pointer to the context that is to be destroyed.
-The pointer will be set to NULL when the context has been destroyed.</P
-><P
->The context holds a serial number that is used to identify resolver
-request packets and associate responses with the corresponding requests.
-This serial number is controlled using
-<TT
-CLASS="FUNCTION"
->lwres_context_initserial()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_context_nextserial()</TT
->.
-<TT
-CLASS="FUNCTION"
->lwres_context_initserial()</TT
->
-sets the serial number for context
-<TT
-CLASS="PARAMETER"
-><I
->*ctx</I
-></TT
->
-to
-<TT
-CLASS="PARAMETER"
-><I
->serial</I
-></TT
->.
-
-<TT
-CLASS="FUNCTION"
->lwres_context_nextserial()</TT
->
-increments the serial number and returns the previous value.</P
-><P
->Memory for a lightweight resolver context is allocated and freed using
-<TT
-CLASS="FUNCTION"
->lwres_context_allocmem()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_context_freemem()</TT
->.
-These use whatever allocations were defined when the context was
-created with
-<TT
-CLASS="FUNCTION"
->lwres_context_create()</TT
->.
-<TT
-CLASS="FUNCTION"
->lwres_context_allocmem()</TT
->
-allocates
-<TT
-CLASS="PARAMETER"
-><I
->len</I
-></TT
->
-bytes of memory and if successful returns a pointer to the allocated
-storage.
-<TT
-CLASS="FUNCTION"
->lwres_context_freemem()</TT
->
-frees
-<TT
-CLASS="PARAMETER"
-><I
->len</I
-></TT
->
-bytes of space starting at location
-<TT
-CLASS="PARAMETER"
-><I
->mem</I
-></TT
->.&#13;</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_context_sendrecv()</TT
->
-performs I/O for the context
-<TT
-CLASS="PARAMETER"
-><I
->ctx</I
-></TT
->.
-
-Data are read and written from the context's socket.
-It writes data from
-<TT
-CLASS="PARAMETER"
-><I
->sendbase</I
-></TT
->
-&mdash; typically a lightweight resolver query packet &mdash;
-and waits for a reply which is copied to the receive buffer at
-<TT
-CLASS="PARAMETER"
-><I
->recvbase</I
-></TT
->.
-
-The number of bytes that were written to this receive buffer is
-returned in
-<TT
-CLASS="PARAMETER"
-><I
->*recvd_len</I
-></TT
->.&#13;</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN115"
-></A
-><H2
->RETURN VALUES</H2
-><P
-><TT
-CLASS="FUNCTION"
->lwres_context_create()</TT
->
-returns
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_NOMEMORY</SPAN
->
-if memory for the
-<SPAN
-CLASS="TYPE"
->struct lwres_context</SPAN
->
-could not be allocated,
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_SUCCESS</SPAN
->
-otherwise.</P
-><P
->Successful calls to the memory allocator
-<TT
-CLASS="FUNCTION"
->lwres_context_allocmem()</TT
->
-return a pointer to the start of the allocated space.
-It returns NULL if memory could not be allocated.</P
-><P
-><SPAN
-CLASS="ERRORCODE"
->LWRES_R_SUCCESS</SPAN
->
-is returned when
-<TT
-CLASS="FUNCTION"
->lwres_context_sendrecv()</TT
->
-completes successfully.
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_IOERROR</SPAN
->
-is returned if an I/O error occurs and
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_TIMEOUT</SPAN
->
-is returned if
-<TT
-CLASS="FUNCTION"
->lwres_context_sendrecv()</TT
->
-times out waiting for a response.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN130"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_conf_init</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->malloc</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->free</SPAN
->(3)</SPAN
->.</P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_gabn.3 b/lib/liblwres/man/lwres_gabn.3
deleted file mode 100644
index 79a22c14f..000000000
--- a/lib/liblwres/man/lwres_gabn.3
+++ /dev/null
@@ -1,193 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_GABN" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free \- lightweight resolver getaddrbyname message handling
-.SH SYNOPSIS
-\fB#include <lwres/lwres.h>
-.sp
-.na
-lwres_result_t
-lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gabnresponse_t **structp);
-.ad
-.sp
-.na
-void
-lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp);
-.ad
-.sp
-.na
-void
-lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp);
-.ad
-\fR.SH "DESCRIPTION"
-.PP
-These are low-level routines for creating and parsing
-lightweight resolver name-to-address lookup request and
-response messages.
-.PP
-There are four main functions for the getaddrbyname opcode.
-One render function converts a getaddrbyname request structure \(em
-\fBlwres_gabnrequest_t\fR \(em
-to the lighweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a getaddrbyname request structure.
-Another render function converts the getaddrbyname response structure \(em
-\fBlwres_gabnresponse_t\fR \(em
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a getaddrbyname response structure.
-.PP
-These structures are defined in
-\fI<lwres/lwres.h>\fR.
-They are shown below.
-.sp
-.nf
-#define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U
-
-typedef struct lwres_addr lwres_addr_t;
-typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint32_t addrtypes;
- lwres_uint16_t namelen;
- char *name;
-} lwres_gabnrequest_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- lwres_addrlist_t addrs;
- void *base;
- size_t baselen;
-} lwres_gabnresponse_t;
-.sp
-.fi
-.PP
-\fBlwres_gabnrequest_render()\fR
-uses resolver context
-\fIctx\fR
-to convert getaddrbyname request structure
-\fIreq\fR
-to canonical format.
-The packet header structure
-\fIpkt\fR
-is initialised and transferred to
-buffer
-\fIb\fR.
-The contents of
-\fI*req\fR
-are then appended to the buffer in canonical format.
-\fBlwres_gabnresponse_render()\fR
-performs the same task, except it converts a getaddrbyname response structure
-\fBlwres_gabnresponse_t\fR
-to the lightweight resolver's canonical format.
-.PP
-\fBlwres_gabnrequest_parse()\fR
-uses context
-\fIctx\fR
-to convert the contents of packet
-\fIpkt\fR
-to a
-\fBlwres_gabnrequest_t\fR
-structure.
-Buffer
-\fIb\fR
-provides space to be used for storing this structure.
-When the function succeeds, the resulting
-\fBlwres_gabnrequest_t\fR
-is made available through
-\fI*structp\fR.
-\fBlwres_gabnresponse_parse()\fR
-offers the same semantics as
-\fBlwres_gabnrequest_parse()\fR
-except it yields a
-\fBlwres_gabnresponse_t\fR
-structure.
-.PP
-\fBlwres_gabnresponse_free()\fR
-and
-\fBlwres_gabnrequest_free()\fR
-release the memory in resolver context
-\fIctx\fR
-that was allocated to the
-\fBlwres_gabnresponse_t\fR
-or
-\fBlwres_gabnrequest_t\fR
-structures referenced via
-\fIstructp\fR.
-Any memory associated with ancillary buffers and strings for those
-structures is also discarded.
-.SH "RETURN VALUES"
-.PP
-The getaddrbyname opcode functions
-\fBlwres_gabnrequest_render()\fR,
-\fBlwres_gabnresponse_render()\fR
-\fBlwres_gabnrequest_parse()\fR
-and
-\fBlwres_gabnresponse_parse()\fR
-all return
-LWRES_R_SUCCESS
-on success.
-They return
-LWRES_R_NOMEMORY
-if memory allocation fails.
-LWRES_R_UNEXPECTEDEND
-is returned if the available space in the buffer
-\fIb\fR
-is too small to accommodate the packet header or the
-\fBlwres_gabnrequest_t\fR
-and
-\fBlwres_gabnresponse_t\fR
-structures.
-\fBlwres_gabnrequest_parse()\fR
-and
-\fBlwres_gabnresponse_parse()\fR
-will return
-LWRES_R_UNEXPECTEDEND
-if the buffer is not empty after decoding the received packet.
-These functions will return
-LWRES_R_FAILURE
-if
-\fBpktflags\fR
-in the packet header structure
-\fBlwres_lwpacket_t\fR
-indicate that the packet is not a response to an earlier query.
-.SH "SEE ALSO"
-.PP
-\fBlwres_packet\fR(3)
diff --git a/lib/liblwres/man/lwres_gabn.docbook b/lib/liblwres/man/lwres_gabn.docbook
deleted file mode 100644
index 91f549564..000000000
--- a/lib/liblwres/man/lwres_gabn.docbook
+++ /dev/null
@@ -1,255 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_gabn.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-<refentryinfo>
-
-
-<date>Jun 30, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres_gabn</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-<refnamediv>
-<refname>lwres_gabnrequest_render</refname>
-<refname>lwres_gabnresponse_render</refname>
-<refname>lwres_gabnrequest_parse</refname>
-<refname>lwres_gabnresponse_parse</refname>
-<refname>lwres_gabnresponse_free</refname>
-<refname>lwres_gabnrequest_free</refname>
-<refpurpose>lightweight resolver getaddrbyname message handling</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gabnrequest_render</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gabnrequest_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gabnresponse_render</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gabnresponse_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gabnrequest_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_gabnrequest_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gabnresponse_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_gabnresponse_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_gabnresponse_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gabnresponse_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_gabnrequest_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gabnrequest_t **structp</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These are low-level routines for creating and parsing
-lightweight resolver name-to-address lookup request and
-response messages.
-</para><para>
-There are four main functions for the getaddrbyname opcode.
-One render function converts a getaddrbyname request structure &mdash;
-<type>lwres_gabnrequest_t</type> &mdash;
-to the lighweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a getaddrbyname request structure.
-Another render function converts the getaddrbyname response structure &mdash;
-<type>lwres_gabnresponse_t</type> &mdash;
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a getaddrbyname response structure.
-</para>
-<para>
-These structures are defined in
-<filename>&lt;lwres/lwres.h&gt;</filename>.
-They are shown below.
-<programlisting>
-#define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U
-
-typedef struct lwres_addr lwres_addr_t;
-typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint32_t addrtypes;
- lwres_uint16_t namelen;
- char *name;
-} lwres_gabnrequest_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- lwres_addrlist_t addrs;
- void *base;
- size_t baselen;
-} lwres_gabnresponse_t;
-</programlisting>
-</para>
-<para>
-<function>lwres_gabnrequest_render()</function>
-uses resolver context
-<parameter>ctx</parameter>
-to convert getaddrbyname request structure
-<parameter>req</parameter>
-to canonical format.
-The packet header structure
-<parameter>pkt</parameter>
-is initialised and transferred to
-buffer
-<parameter>b</parameter>.
-
-The contents of
-<parameter>*req</parameter>
-are then appended to the buffer in canonical format.
-<function>lwres_gabnresponse_render()</function>
-performs the same task, except it converts a getaddrbyname response structure
-<type>lwres_gabnresponse_t</type>
-to the lightweight resolver's canonical format.
-</para>
-<para>
-<function>lwres_gabnrequest_parse()</function>
-uses context
-<parameter>ctx</parameter>
-to convert the contents of packet
-<parameter>pkt</parameter>
-to a
-<type>lwres_gabnrequest_t</type>
-structure.
-Buffer
-<parameter>b</parameter>
-provides space to be used for storing this structure.
-When the function succeeds, the resulting
-<type>lwres_gabnrequest_t</type>
-is made available through
-<parameter>*structp</parameter>.
-
-<function>lwres_gabnresponse_parse()</function>
-offers the same semantics as
-<function>lwres_gabnrequest_parse()</function>
-except it yields a
-<type>lwres_gabnresponse_t</type>
-structure.
-</para>
-<para>
-<function>lwres_gabnresponse_free()</function>
-and
-<function>lwres_gabnrequest_free()</function>
-release the memory in resolver context
-<parameter>ctx</parameter>
-that was allocated to the
-<type>lwres_gabnresponse_t</type>
-or
-<type>lwres_gabnrequest_t</type>
-structures referenced via
-<parameter>structp</parameter>.
-
-Any memory associated with ancillary buffers and strings for those
-structures is also discarded.
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The getaddrbyname opcode functions
-<function>lwres_gabnrequest_render()</function>,
-<function>lwres_gabnresponse_render()</function>
-<function>lwres_gabnrequest_parse()</function>
-and
-<function>lwres_gabnresponse_parse()</function>
-all return
-<errorcode>LWRES_R_SUCCESS</errorcode>
-on success.
-They return
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-if memory allocation fails.
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-is returned if the available space in the buffer
-<parameter>b</parameter>
-is too small to accommodate the packet header or the
-<type>lwres_gabnrequest_t</type>
-and
-<type>lwres_gabnresponse_t</type>
-structures.
-<function>lwres_gabnrequest_parse()</function>
-and
-<function>lwres_gabnresponse_parse()</function>
-will return
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<errorcode>LWRES_R_FAILURE</errorcode>
-if
-<structfield>pktflags</structfield>
-in the packet header structure
-<type>lwres_lwpacket_t</type>
-indicate that the packet is not a response to an earlier query.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_packet</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-</para>
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_gabn.html b/lib/liblwres/man/lwres_gabn.html
deleted file mode 100644
index 5611cac6c..000000000
--- a/lib/liblwres/man/lwres_gabn.html
+++ /dev/null
@@ -1,442 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_gabn</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_gabn</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free&nbsp;--&nbsp;lightweight resolver getaddrbyname message handling</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN16"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN17"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/lwres.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_gabnrequest_render</CODE
->(lwres_context_t *ctx, lwres_gabnrequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_gabnresponse_render</CODE
->(lwres_context_t *ctx, lwres_gabnresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_gabnrequest_parse</CODE
->(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_gabnresponse_parse</CODE
->(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gabnresponse_t **structp);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_gabnresponse_free</CODE
->(lwres_context_t *ctx, lwres_gabnresponse_t **structp);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_gabnrequest_free</CODE
->(lwres_context_t *ctx, lwres_gabnrequest_t **structp);</CODE
-></P
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN57"
-></A
-><H2
->DESCRIPTION</H2
-><P
->These are low-level routines for creating and parsing
-lightweight resolver name-to-address lookup request and
-response messages.</P
-><P
->There are four main functions for the getaddrbyname opcode.
-One render function converts a getaddrbyname request structure &mdash;
-<SPAN
-CLASS="TYPE"
->lwres_gabnrequest_t</SPAN
-> &mdash;
-to the lighweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a getaddrbyname request structure.
-Another render function converts the getaddrbyname response structure &mdash;
-<SPAN
-CLASS="TYPE"
->lwres_gabnresponse_t</SPAN
-> &mdash;
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a getaddrbyname response structure.</P
-><P
->These structures are defined in
-<TT
-CLASS="FILENAME"
->&lt;lwres/lwres.h&gt;</TT
->.
-They are shown below.
-<PRE
-CLASS="PROGRAMLISTING"
->#define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U
-
-typedef struct lwres_addr lwres_addr_t;
-typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint32_t addrtypes;
- lwres_uint16_t namelen;
- char *name;
-} lwres_gabnrequest_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- lwres_addrlist_t addrs;
- void *base;
- size_t baselen;
-} lwres_gabnresponse_t;</PRE
-></P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_gabnrequest_render()</TT
->
-uses resolver context
-<TT
-CLASS="PARAMETER"
-><I
->ctx</I
-></TT
->
-to convert getaddrbyname request structure
-<TT
-CLASS="PARAMETER"
-><I
->req</I
-></TT
->
-to canonical format.
-The packet header structure
-<TT
-CLASS="PARAMETER"
-><I
->pkt</I
-></TT
->
-is initialised and transferred to
-buffer
-<TT
-CLASS="PARAMETER"
-><I
->b</I
-></TT
->.
-
-The contents of
-<TT
-CLASS="PARAMETER"
-><I
->*req</I
-></TT
->
-are then appended to the buffer in canonical format.
-<TT
-CLASS="FUNCTION"
->lwres_gabnresponse_render()</TT
->
-performs the same task, except it converts a getaddrbyname response structure
-<SPAN
-CLASS="TYPE"
->lwres_gabnresponse_t</SPAN
->
-to the lightweight resolver's canonical format.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_gabnrequest_parse()</TT
->
-uses context
-<TT
-CLASS="PARAMETER"
-><I
->ctx</I
-></TT
->
-to convert the contents of packet
-<TT
-CLASS="PARAMETER"
-><I
->pkt</I
-></TT
->
-to a
-<SPAN
-CLASS="TYPE"
->lwres_gabnrequest_t</SPAN
->
-structure.
-Buffer
-<TT
-CLASS="PARAMETER"
-><I
->b</I
-></TT
->
-provides space to be used for storing this structure.
-When the function succeeds, the resulting
-<SPAN
-CLASS="TYPE"
->lwres_gabnrequest_t</SPAN
->
-is made available through
-<TT
-CLASS="PARAMETER"
-><I
->*structp</I
-></TT
->.
-
-<TT
-CLASS="FUNCTION"
->lwres_gabnresponse_parse()</TT
->
-offers the same semantics as
-<TT
-CLASS="FUNCTION"
->lwres_gabnrequest_parse()</TT
->
-except it yields a
-<SPAN
-CLASS="TYPE"
->lwres_gabnresponse_t</SPAN
->
-structure.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_gabnresponse_free()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_gabnrequest_free()</TT
->
-release the memory in resolver context
-<TT
-CLASS="PARAMETER"
-><I
->ctx</I
-></TT
->
-that was allocated to the
-<SPAN
-CLASS="TYPE"
->lwres_gabnresponse_t</SPAN
->
-or
-<SPAN
-CLASS="TYPE"
->lwres_gabnrequest_t</SPAN
->
-structures referenced via
-<TT
-CLASS="PARAMETER"
-><I
->structp</I
-></TT
->.
-
-Any memory associated with ancillary buffers and strings for those
-structures is also discarded.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN93"
-></A
-><H2
->RETURN VALUES</H2
-><P
->The getaddrbyname opcode functions
-<TT
-CLASS="FUNCTION"
->lwres_gabnrequest_render()</TT
->,
-<TT
-CLASS="FUNCTION"
->lwres_gabnresponse_render()</TT
->
-<TT
-CLASS="FUNCTION"
->lwres_gabnrequest_parse()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_gabnresponse_parse()</TT
->
-all return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_SUCCESS</SPAN
->
-on success.
-They return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_NOMEMORY</SPAN
->
-if memory allocation fails.
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_UNEXPECTEDEND</SPAN
->
-is returned if the available space in the buffer
-<TT
-CLASS="PARAMETER"
-><I
->b</I
-></TT
->
-is too small to accommodate the packet header or the
-<SPAN
-CLASS="TYPE"
->lwres_gabnrequest_t</SPAN
->
-and
-<SPAN
-CLASS="TYPE"
->lwres_gabnresponse_t</SPAN
->
-structures.
-<TT
-CLASS="FUNCTION"
->lwres_gabnrequest_parse()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_gabnresponse_parse()</TT
->
-will return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_UNEXPECTEDEND</SPAN
->
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_FAILURE</SPAN
->
-if
-<TT
-CLASS="STRUCTFIELD"
-><I
->pktflags</I
-></TT
->
-in the packet header structure
-<SPAN
-CLASS="TYPE"
->lwres_lwpacket_t</SPAN
->
-indicate that the packet is not a response to an earlier query.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN112"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_packet</SPAN
->(3)</SPAN
-></P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_gai_strerror.3 b/lib/liblwres/man/lwres_gai_strerror.3
deleted file mode 100644
index a8287e924..000000000
--- a/lib/liblwres/man/lwres_gai_strerror.3
+++ /dev/null
@@ -1,86 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_GAI_STRERROR" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-gai_strerror \- print suitable error string
-.SH SYNOPSIS
-\fB#include <lwres/netdb.h>
-.sp
-.na
-char *
-gai_strerror(int ecode);
-.ad
-\fR.SH "DESCRIPTION"
-.PP
-\fBlwres_gai_strerror()\fR
-returns an error message corresponding to an error code returned by
-\fBgetaddrinfo()\fR.
-The following error codes and their meaning are defined in
-\fIinclude/lwres/netdb.h\fR.
-.TP
-\fBEAI_ADDRFAMILY\fR
-address family for hostname not supported
-.TP
-\fBEAI_AGAIN\fR
-temporary failure in name resolution
-.TP
-\fBEAI_BADFLAGS\fR
-invalid value for
-ai_flags
-.TP
-\fBEAI_FAIL\fR
-non-recoverable failure in name resolution
-.TP
-\fBEAI_FAMILY\fR
-ai_family not supported
-.TP
-\fBEAI_MEMORY\fR
-memory allocation failure
-.TP
-\fBEAI_NODATA\fR
-no address associated with hostname
-.TP
-\fBEAI_NONAME\fR
-hostname or servname not provided, or not known
-.TP
-\fBEAI_SERVICE\fR
-servname not supported for ai_socktype
-.TP
-\fBEAI_SOCKTYPE\fR
-ai_socktype not supported
-.TP
-\fBEAI_SYSTEM\fR
-system error returned in errno
-.PP
-The message \fBinvalid error code\fR is returned if
-\fIecode\fR
-is out of range.
-.PP
-ai_flags,
-ai_family
-and
-ai_socktype
-are elements of the
-\fBstruct addrinfo\fR
-used by
-\fBlwres_getaddrinfo()\fR.
-.SH "SEE ALSO"
-.PP
-\fBstrerror\fR(3),
-\fBlwres_getaddrinfo\fR(3),
-\fBgetaddrinfo\fR(3),
-\fBRFC2133\fR.
diff --git a/lib/liblwres/man/lwres_gai_strerror.docbook b/lib/liblwres/man/lwres_gai_strerror.docbook
deleted file mode 100644
index 6ffe8fc47..000000000
--- a/lib/liblwres/man/lwres_gai_strerror.docbook
+++ /dev/null
@@ -1,161 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_gai_strerror.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-<refentryinfo>
-
-
-<date>Jun 30, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres_gai_strerror</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-<refnamediv>
-<refname>gai_strerror</refname>
-<refpurpose>print suitable error string</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-char *
-<function>gai_strerror</function></funcdef>
-<paramdef>int ecode</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_gai_strerror()</function>
-returns an error message corresponding to an error code returned by
-<function>getaddrinfo()</function>.
-The following error codes and their meaning are defined in
-<filename>include/lwres/netdb.h</filename>.
-<variablelist>
-<varlistentry><term><errorcode>EAI_ADDRFAMILY</errorcode></term>
-<listitem>
-<para>
-address family for hostname not supported
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_AGAIN</errorcode></term>
-<listitem>
-<para>
-temporary failure in name resolution
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_BADFLAGS</errorcode></term>
-<listitem>
-<para>
-invalid value for
-<constant>ai_flags</constant>
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_FAIL</errorcode></term>
-<listitem>
-<para>
-non-recoverable failure in name resolution
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_FAMILY</errorcode></term>
-<listitem>
-<para>
-<constant>ai_family</constant> not supported
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_MEMORY</errorcode></term>
-<listitem>
-<para>
-memory allocation failure
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_NODATA</errorcode></term>
-<listitem>
-<para>
-no address associated with hostname
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_NONAME</errorcode></term>
-<listitem>
-<para>
-hostname or servname not provided, or not known
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_SERVICE</errorcode></term>
-<listitem>
-<para>
-servname not supported for <constant>ai_socktype</constant>
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_SOCKTYPE</errorcode></term>
-<listitem>
-<para>
-<constant>ai_socktype</constant> not supported
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_SYSTEM</errorcode></term>
-<listitem>
-<para>
-system error returned in errno
-</para>
-</listitem></varlistentry>
-</variablelist>
-The message <errorname>invalid error code</errorname> is returned if
-<parameter>ecode</parameter>
-is out of range.
-</para>
-<para>
-<constant>ai_flags</constant>,
-<constant>ai_family</constant>
-and
-<constant>ai_socktype</constant>
-are elements of the
-<type>struct addrinfo</type>
-used by
-<function>lwres_getaddrinfo()</function>.
-</para>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>strerror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>RFC2133</refentrytitle>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_gai_strerror.html b/lib/liblwres/man/lwres_gai_strerror.html
deleted file mode 100644
index 7f245ba4e..000000000
--- a/lib/liblwres/man/lwres_gai_strerror.html
+++ /dev/null
@@ -1,294 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_gai_strerror</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_gai_strerror</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->gai_strerror&nbsp;--&nbsp;print suitable error string</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN11"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN12"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/netdb.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->char *
-gai_strerror</CODE
->(int ecode);</CODE
-></P
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN18"
-></A
-><H2
->DESCRIPTION</H2
-><P
-><TT
-CLASS="FUNCTION"
->lwres_gai_strerror()</TT
->
-returns an error message corresponding to an error code returned by
-<TT
-CLASS="FUNCTION"
->getaddrinfo()</TT
->.
-The following error codes and their meaning are defined in
-<TT
-CLASS="FILENAME"
->include/lwres/netdb.h</TT
->.
-<P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><SPAN
-CLASS="ERRORCODE"
->EAI_ADDRFAMILY</SPAN
-></DT
-><DD
-><P
->address family for hostname not supported</P
-></DD
-><DT
-><SPAN
-CLASS="ERRORCODE"
->EAI_AGAIN</SPAN
-></DT
-><DD
-><P
->temporary failure in name resolution</P
-></DD
-><DT
-><SPAN
-CLASS="ERRORCODE"
->EAI_BADFLAGS</SPAN
-></DT
-><DD
-><P
->invalid value for
-<TT
-CLASS="CONSTANT"
->ai_flags</TT
-></P
-></DD
-><DT
-><SPAN
-CLASS="ERRORCODE"
->EAI_FAIL</SPAN
-></DT
-><DD
-><P
->non-recoverable failure in name resolution</P
-></DD
-><DT
-><SPAN
-CLASS="ERRORCODE"
->EAI_FAMILY</SPAN
-></DT
-><DD
-><P
-><TT
-CLASS="CONSTANT"
->ai_family</TT
-> not supported</P
-></DD
-><DT
-><SPAN
-CLASS="ERRORCODE"
->EAI_MEMORY</SPAN
-></DT
-><DD
-><P
->memory allocation failure</P
-></DD
-><DT
-><SPAN
-CLASS="ERRORCODE"
->EAI_NODATA</SPAN
-></DT
-><DD
-><P
->no address associated with hostname</P
-></DD
-><DT
-><SPAN
-CLASS="ERRORCODE"
->EAI_NONAME</SPAN
-></DT
-><DD
-><P
->hostname or servname not provided, or not known</P
-></DD
-><DT
-><SPAN
-CLASS="ERRORCODE"
->EAI_SERVICE</SPAN
-></DT
-><DD
-><P
->servname not supported for <TT
-CLASS="CONSTANT"
->ai_socktype</TT
-></P
-></DD
-><DT
-><SPAN
-CLASS="ERRORCODE"
->EAI_SOCKTYPE</SPAN
-></DT
-><DD
-><P
-><TT
-CLASS="CONSTANT"
->ai_socktype</TT
-> not supported</P
-></DD
-><DT
-><SPAN
-CLASS="ERRORCODE"
->EAI_SYSTEM</SPAN
-></DT
-><DD
-><P
->system error returned in errno</P
-></DD
-></DL
-></DIV
->
-The message <SPAN
-CLASS="ERRORNAME"
->invalid error code</SPAN
-> is returned if
-<TT
-CLASS="PARAMETER"
-><I
->ecode</I
-></TT
->
-is out of range.</P
-><P
-><TT
-CLASS="CONSTANT"
->ai_flags</TT
->,
-<TT
-CLASS="CONSTANT"
->ai_family</TT
->
-and
-<TT
-CLASS="CONSTANT"
->ai_socktype</TT
->
-are elements of the
-<SPAN
-CLASS="TYPE"
->struct addrinfo</SPAN
->
-used by
-<TT
-CLASS="FUNCTION"
->lwres_getaddrinfo()</TT
->.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN92"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->strerror</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_getaddrinfo</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->getaddrinfo</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->RFC2133</SPAN
-></SPAN
->.</P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_getaddrinfo.3 b/lib/liblwres/man/lwres_getaddrinfo.3
deleted file mode 100644
index b7ea46128..000000000
--- a/lib/liblwres/man/lwres_getaddrinfo.3
+++ /dev/null
@@ -1,247 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_GETADDRINFO" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres_getaddrinfo, lwres_freeaddrinfo \- socket address structure to host and service name
-.SH SYNOPSIS
-\fB#include <lwres/netdb.h>
-.sp
-.na
-int
-lwres_getaddrinfo(const char *hostname, const char *servname, const struct addrinfo *hints, struct addrinfo **res);
-.ad
-.sp
-.na
-void
-lwres_freeaddrinfo(struct addrinfo *ai);
-.ad
-\fR.PP
-If the operating system does not provide a
-\fBstruct addrinfo\fR,
-the following structure is used:
-.sp
-.nf
-struct addrinfo {
- int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
- int ai_family; /* PF_xxx */
- int ai_socktype; /* SOCK_xxx */
- int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
- size_t ai_addrlen; /* length of ai_addr */
- char *ai_canonname; /* canonical name for hostname */
- struct sockaddr *ai_addr; /* binary address */
- struct addrinfo *ai_next; /* next structure in linked list */
-};
-.sp
-.fi
-.SH "DESCRIPTION"
-.PP
-\fBlwres_getaddrinfo()\fR
-is used to get a list of IP addresses and port numbers for host
-\fIhostname\fR
-and service
-\fIservname\fR.
-The function is the lightweight resolver's implementation of
-\fBgetaddrinfo()\fR
-as defined in RFC2133.
-\fIhostname\fR
-and
-\fIservname\fR
-are pointers to null-terminated
-strings or
-\fBNULL\fR.
-\fIhostname\fR
-is either a host name or a numeric host address string: a dotted decimal
-IPv4 address or an IPv6 address.
-\fIservname\fR
-is either a decimal port number or a service name as listed in
-\fI/etc/services\fR.
-.PP
-\fIhints\fR
-is an optional pointer to a
-\fBstruct addrinfo\fR.
-This structure can be used to provide hints concerning the type of socket
-that the caller supports or wishes to use.
-The caller can supply the following structure elements in
-\fI*hints\fR:
-.TP
-\fBai_family\fR
-The protocol family that should be used.
-When
-ai_family
-is set to
-\fBPF_UNSPEC\fR,
-it means the caller will accept any protocol family supported by the
-operating system.
-.TP
-\fBai_socktype\fR
-denotes the type of socket \(em
-\fBSOCK_STREAM\fR,
-\fBSOCK_DGRAM\fR
-or
-\fBSOCK_RAW\fR
-\(em that is wanted.
-When
-ai_socktype
-is zero the caller will accept any socket type.
-.TP
-\fBai_protocol\fR
-indicates which transport protocol is wanted: IPPROTO_UDP or
-IPPROTO_TCP.
-If
-ai_protocol
-is zero the caller will accept any protocol.
-.TP
-\fBai_flags\fR
-Flag bits.
-If the
-\fBAI_CANONNAME\fR
-bit is set, a successful call to
-\fBlwres_getaddrinfo()\fR
-will return a a null-terminated string containing the canonical name
-of the specified hostname in
-ai_canonname
-of the first
-\fBaddrinfo\fR
-structure returned.
-Setting the
-\fBAI_PASSIVE\fR
-bit indicates that the returned socket address structure is intended
-for used in a call to
-\fBbind\fR(2).
-In this case, if the hostname argument is a
-\fBNULL\fR
-pointer, then the IP address portion of the socket
-address structure will be set to
-\fBINADDR_ANY\fR
-for an IPv4 address or
-\fBIN6ADDR_ANY_INIT\fR
-for an IPv6 address.
-
-When
-ai_flags
-does not set the
-\fBAI_PASSIVE\fR
-bit, the returned socket address structure will be ready
-for use in a call to
-\fBconnect\fR(2)
-for a connection-oriented protocol or
-\fBconnect\fR(2),
-\fBsendto\fR(2),
-or
-\fBsendmsg\fR(2)
-if a connectionless protocol was chosen.
-The IP address portion of the socket address structure will be
-set to the loopback address if
-\fIhostname\fR
-is a
-\fBNULL\fR
-pointer and
-\fBAI_PASSIVE\fR
-is not set in
-ai_flags.
-
-If
-ai_flags
-is set to
-\fBAI_NUMERICHOST\fR
-it indicates that
-\fIhostname\fR
-should be treated as a numeric string defining an IPv4 or IPv6 address
-and no name resolution should be attempted.
-.PP
-All other elements of the \fBstruct addrinfo\fR passed
-via \fIhints\fR must be zero.
-.PP
-A \fIhints\fR of \fBNULL\fR is treated as if
-the caller provided a \fBstruct addrinfo\fR initialized to zero
-with ai_familyset to
-PF_UNSPEC.
-.PP
-After a successful call to
-\fBlwres_getaddrinfo()\fR,
-\fI*res\fR
-is a pointer to a linked list of one or more
-\fBaddrinfo\fR
-structures.
-Each
-\fBstruct addrinfo\fR
-in this list cn be processed by following
-the
-ai_next
-pointer, until a
-\fBNULL\fR
-pointer is encountered.
-The three members
-ai_family,
-ai_socktype,
-and
-ai_protocol
-in each
-returned
-\fBaddrinfo\fR
-structure contain the corresponding arguments for a call to
-\fBsocket\fR(2).
-For each
-\fBaddrinfo\fR
-structure in the list, the
-ai_addr
-member points to a filled-in socket address structure of length
-ai_addrlen.
-.PP
-All of the information returned by
-\fBlwres_getaddrinfo()\fR
-is dynamically allocated: the addrinfo structures, and the socket
-address structures and canonical host name strings pointed to by the
-addrinfostructures.
-Memory allocated for the dynamically allocated structures created by
-a successful call to
-\fBlwres_getaddrinfo()\fR
-is released by
-\fBlwres_freeaddrinfo()\fR.
-\fIai\fR
-is a pointer to a
-\fBstruct addrinfo\fR
-created by a call to
-\fBlwres_getaddrinfo()\fR.
-.SH "RETURN VALUES"
-.PP
-\fBlwres_getaddrinfo()\fR
-returns zero on success or one of the error codes listed in
-\fBgai_strerror\fR(3)
-if an error occurs.
-If both
-\fIhostname\fR
-and
-\fIservname\fR
-are
-\fBNULL\fR
-\fBlwres_getaddrinfo()\fR
-returns
-EAI_NONAME.
-.SH "SEE ALSO"
-.PP
-\fBlwres\fR(3),
-\fBlwres_getaddrinfo\fR(3),
-\fBlwres_freeaddrinfo\fR(3),
-\fBlwres_gai_strerror\fR(3),
-\fBRFC2133\fR,
-\fBgetservbyname\fR(3),
-\fBbind\fR(2),
-\fBconnect\fR(2),
-\fBsendto\fR(2),
-\fBsendmsg\fR(2),
-\fBsocket\fR(2).
diff --git a/lib/liblwres/man/lwres_getaddrinfo.docbook b/lib/liblwres/man/lwres_getaddrinfo.docbook
deleted file mode 100644
index f89107304..000000000
--- a/lib/liblwres/man/lwres_getaddrinfo.docbook
+++ /dev/null
@@ -1,372 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_getaddrinfo.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_getaddrinfo</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
-<refnamediv>
-<refname>lwres_getaddrinfo</refname>
-<refname>lwres_freeaddrinfo</refname>
-<refpurpose>socket address structure to host and service name</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-int
-<function>lwres_getaddrinfo</function></funcdef>
-<paramdef>const char *hostname</paramdef>
-<paramdef>const char *servname</paramdef>
-<paramdef>const struct addrinfo *hints</paramdef>
-<paramdef>struct addrinfo **res</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_freeaddrinfo</function></funcdef>
-<paramdef>struct addrinfo *ai</paramdef>
-</funcprototype>
-</funcsynopsis>
-
-<para>
-If the operating system does not provide a
-<type>struct addrinfo</type>,
-the following structure is used:
-
-<programlisting>
-struct addrinfo {
- int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
- int ai_family; /* PF_xxx */
- int ai_socktype; /* SOCK_xxx */
- int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
- size_t ai_addrlen; /* length of ai_addr */
- char *ai_canonname; /* canonical name for hostname */
- struct sockaddr *ai_addr; /* binary address */
- struct addrinfo *ai_next; /* next structure in linked list */
-};
-</programlisting>
-</para>
-
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_getaddrinfo()</function>
-is used to get a list of IP addresses and port numbers for host
-<parameter>hostname</parameter>
-and service
-<parameter>servname</parameter>.
-
-The function is the lightweight resolver's implementation of
-<function>getaddrinfo()</function>
-as defined in RFC2133.
-<parameter>hostname</parameter>
-and
-<parameter>servname</parameter>
-are pointers to null-terminated
-strings or
-<type>NULL</type>.
-
-<parameter>hostname</parameter>
-is either a host name or a numeric host address string: a dotted decimal
-IPv4 address or an IPv6 address.
-<parameter>servname</parameter>
-is either a decimal port number or a service name as listed in
-<filename>/etc/services</filename>.
-</para>
-
-<para>
-<parameter>hints</parameter>
-is an optional pointer to a
-<type>struct addrinfo</type>.
-This structure can be used to provide hints concerning the type of socket
-that the caller supports or wishes to use.
-The caller can supply the following structure elements in
-<parameter>*hints</parameter>:
-
-<variablelist>
-<varlistentry><term><constant>ai_family</constant></term>
-<listitem>
-<para>The protocol family that should be used.
-When
-<constant>ai_family</constant>
-is set to
-<type>PF_UNSPEC</type>,
-it means the caller will accept any protocol family supported by the
-operating system.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>ai_socktype</constant></term>
-<listitem>
-<para>
-denotes the type of socket &mdash;
-<type>SOCK_STREAM</type>,
-<type>SOCK_DGRAM</type>
-or
-<type>SOCK_RAW</type>
-&mdash; that is wanted.
-When
-<constant>ai_socktype</constant>
-is zero the caller will accept any socket type.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry><term><constant>ai_protocol</constant></term>
-<listitem>
-<para>
-indicates which transport protocol is wanted: IPPROTO_UDP or
-IPPROTO_TCP.
-If
-<constant>ai_protocol</constant>
-is zero the caller will accept any protocol.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry><term><constant>ai_flags</constant></term>
-<listitem>
-<para>
-Flag bits.
-If the
-<type>AI_CANONNAME</type>
-bit is set, a successful call to
-<function>lwres_getaddrinfo()</function>
-will return a a null-terminated string containing the canonical name
-of the specified hostname in
-<constant>ai_canonname</constant>
-of the first
-<type>addrinfo</type>
-structure returned.
-Setting the
-<type>AI_PASSIVE</type>
-bit indicates that the returned socket address structure is intended
-for used in a call to
-<citerefentry>
-<refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>.
-
-In this case, if the hostname argument is a
-<type>NULL</type>
-pointer, then the IP address portion of the socket
-address structure will be set to
-<type>INADDR_ANY</type>
-for an IPv4 address or
-<type>IN6ADDR_ANY_INIT</type>
-for an IPv6 address.
-</para>
-<para>
-When
-<constant>ai_flags</constant>
-does not set the
-<type>AI_PASSIVE</type>
-bit, the returned socket address structure will be ready
-for use in a call to
-<citerefentry>
-<refentrytitle>connect</refentrytitle><manvolnum>2
-</manvolnum>
-</citerefentry>
-for a connection-oriented protocol or
-<citerefentry>
-<refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>sendto</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-or
-<citerefentry>
-<refentrytitle>sendmsg</refentrytitle><manvolnum>2
-</manvolnum>
-</citerefentry>
-if a connectionless protocol was chosen.
-The IP address portion of the socket address structure will be
-set to the loopback address if
-<parameter>hostname</parameter>
-is a
-<type>NULL</type>
-pointer and
-<type>AI_PASSIVE</type>
-is not set in
-<constant>ai_flags</constant>.
-</para>
-<para>
-If
-<constant>ai_flags</constant>
-is set to
-<type>AI_NUMERICHOST</type>
-it indicates that
-<parameter>hostname</parameter>
-should be treated as a numeric string defining an IPv4 or IPv6 address
-and no name resolution should be attempted.
-</para>
-</listitem>
-</varlistentry>
-</variablelist>
-</para>
-
-<para>
-All other elements of the <type>struct addrinfo</type> passed
-via <parameter>hints</parameter> must be zero.
-</para>
-
-<para>
-A <parameter>hints</parameter> of <type>NULL</type> is treated as if
-the caller provided a <type>struct addrinfo</type> initialized to zero
-with <constant>ai_family</constant>set to
-<constant>PF_UNSPEC</constant>.
-</para>
-
-<para>
-After a successful call to
-<function>lwres_getaddrinfo()</function>,
-<parameter>*res</parameter>
-is a pointer to a linked list of one or more
-<type>addrinfo</type>
-structures.
-Each
-<type>struct addrinfo</type>
-in this list cn be processed by following
-the
-<constant>ai_next</constant>
-pointer, until a
-<type>NULL</type>
-pointer is encountered.
-The three members
-<constant>ai_family</constant>,
-<constant>ai_socktype</constant>,
-and
-<constant>ai_protocol</constant>
-in each
-returned
-<type>addrinfo</type>
-structure contain the corresponding arguments for a call to
-<citerefentry>
-<refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>.
-For each
-<type>addrinfo</type>
-structure in the list, the
-<constant>ai_addr</constant>
-member points to a filled-in socket address structure of length
-<constant>ai_addrlen</constant>.
-</para>
-
-<para>
-All of the information returned by
-<function>lwres_getaddrinfo()</function>
-is dynamically allocated: the addrinfo structures, and the socket
-address structures and canonical host name strings pointed to by the
-<constant>addrinfo</constant>structures.
-Memory allocated for the dynamically allocated structures created by
-a successful call to
-<function>lwres_getaddrinfo()</function>
-is released by
-<function>lwres_freeaddrinfo()</function>.
-<parameter>ai</parameter>
-is a pointer to a
-<type>struct addrinfo</type>
-created by a call to
-<function>lwres_getaddrinfo()</function>.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_getaddrinfo()</function>
-returns zero on success or one of the error codes listed in
-<citerefentry>
-<refentrytitle>gai_strerror</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-if an error occurs.
-If both
-<parameter>hostname</parameter>
-and
-<parameter>servname</parameter>
-are
-<type>NULL</type>
-<function>lwres_getaddrinfo()</function>
-returns
-<errorcode>EAI_NONAME</errorcode>.
-
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_freeaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_gai_strerror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>RFC2133</refentrytitle>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>getservbyname</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>sendto</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>sendmsg</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>.
-</para>
-
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_getaddrinfo.html b/lib/liblwres/man/lwres_getaddrinfo.html
deleted file mode 100644
index d04ecc1a2..000000000
--- a/lib/liblwres/man/lwres_getaddrinfo.html
+++ /dev/null
@@ -1,722 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_getaddrinfo</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_getaddrinfo</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_getaddrinfo, lwres_freeaddrinfo&nbsp;--&nbsp;socket address structure to host and service name</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN12"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN13"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/netdb.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->int
-lwres_getaddrinfo</CODE
->(const char *hostname, const char *servname, const struct addrinfo *hints, struct addrinfo **res);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_freeaddrinfo</CODE
->(struct addrinfo *ai);</CODE
-></P
-><P
-></P
-></DIV
-><P
->If the operating system does not provide a
-<SPAN
-CLASS="TYPE"
->struct addrinfo</SPAN
->,
-the following structure is used:
-
-<PRE
-CLASS="PROGRAMLISTING"
->struct addrinfo {
- int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
- int ai_family; /* PF_xxx */
- int ai_socktype; /* SOCK_xxx */
- int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
- size_t ai_addrlen; /* length of ai_addr */
- char *ai_canonname; /* canonical name for hostname */
- struct sockaddr *ai_addr; /* binary address */
- struct addrinfo *ai_next; /* next structure in linked list */
-};</PRE
-></P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN29"
-></A
-><H2
->DESCRIPTION</H2
-><P
-><TT
-CLASS="FUNCTION"
->lwres_getaddrinfo()</TT
->
-is used to get a list of IP addresses and port numbers for host
-<TT
-CLASS="PARAMETER"
-><I
->hostname</I
-></TT
->
-and service
-<TT
-CLASS="PARAMETER"
-><I
->servname</I
-></TT
->.
-
-The function is the lightweight resolver's implementation of
-<TT
-CLASS="FUNCTION"
->getaddrinfo()</TT
->
-as defined in RFC2133.
-<TT
-CLASS="PARAMETER"
-><I
->hostname</I
-></TT
->
-and
-<TT
-CLASS="PARAMETER"
-><I
->servname</I
-></TT
->
-are pointers to null-terminated
-strings or
-<SPAN
-CLASS="TYPE"
->NULL</SPAN
->.
-
-<TT
-CLASS="PARAMETER"
-><I
->hostname</I
-></TT
->
-is either a host name or a numeric host address string: a dotted decimal
-IPv4 address or an IPv6 address.
-<TT
-CLASS="PARAMETER"
-><I
->servname</I
-></TT
->
-is either a decimal port number or a service name as listed in
-<TT
-CLASS="FILENAME"
->/etc/services</TT
->.</P
-><P
-><TT
-CLASS="PARAMETER"
-><I
->hints</I
-></TT
->
-is an optional pointer to a
-<SPAN
-CLASS="TYPE"
->struct addrinfo</SPAN
->.
-This structure can be used to provide hints concerning the type of socket
-that the caller supports or wishes to use.
-The caller can supply the following structure elements in
-<TT
-CLASS="PARAMETER"
-><I
->*hints</I
-></TT
->:
-
-<P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="CONSTANT"
->ai_family</TT
-></DT
-><DD
-><P
->The protocol family that should be used.
-When
-<TT
-CLASS="CONSTANT"
->ai_family</TT
->
-is set to
-<SPAN
-CLASS="TYPE"
->PF_UNSPEC</SPAN
->,
-it means the caller will accept any protocol family supported by the
-operating system.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->ai_socktype</TT
-></DT
-><DD
-><P
->denotes the type of socket &mdash;
-<SPAN
-CLASS="TYPE"
->SOCK_STREAM</SPAN
->,
-<SPAN
-CLASS="TYPE"
->SOCK_DGRAM</SPAN
->
-or
-<SPAN
-CLASS="TYPE"
->SOCK_RAW</SPAN
->
-&mdash; that is wanted.
-When
-<TT
-CLASS="CONSTANT"
->ai_socktype</TT
->
-is zero the caller will accept any socket type.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->ai_protocol</TT
-></DT
-><DD
-><P
->indicates which transport protocol is wanted: IPPROTO_UDP or
-IPPROTO_TCP.
-If
-<TT
-CLASS="CONSTANT"
->ai_protocol</TT
->
-is zero the caller will accept any protocol.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->ai_flags</TT
-></DT
-><DD
-><P
->Flag bits.
-If the
-<SPAN
-CLASS="TYPE"
->AI_CANONNAME</SPAN
->
-bit is set, a successful call to
-<TT
-CLASS="FUNCTION"
->lwres_getaddrinfo()</TT
->
-will return a a null-terminated string containing the canonical name
-of the specified hostname in
-<TT
-CLASS="CONSTANT"
->ai_canonname</TT
->
-of the first
-<SPAN
-CLASS="TYPE"
->addrinfo</SPAN
->
-structure returned.
-Setting the
-<SPAN
-CLASS="TYPE"
->AI_PASSIVE</SPAN
->
-bit indicates that the returned socket address structure is intended
-for used in a call to
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->bind</SPAN
->(2)</SPAN
->.
-
-In this case, if the hostname argument is a
-<SPAN
-CLASS="TYPE"
->NULL</SPAN
->
-pointer, then the IP address portion of the socket
-address structure will be set to
-<SPAN
-CLASS="TYPE"
->INADDR_ANY</SPAN
->
-for an IPv4 address or
-<SPAN
-CLASS="TYPE"
->IN6ADDR_ANY_INIT</SPAN
->
-for an IPv6 address.</P
-><P
->When
-<TT
-CLASS="CONSTANT"
->ai_flags</TT
->
-does not set the
-<SPAN
-CLASS="TYPE"
->AI_PASSIVE</SPAN
->
-bit, the returned socket address structure will be ready
-for use in a call to
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->connect</SPAN
->(2)</SPAN
->
-for a connection-oriented protocol or
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->connect</SPAN
->(2)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->sendto</SPAN
->(2)</SPAN
->,
-
-or
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->sendmsg</SPAN
->(2)</SPAN
->
-if a connectionless protocol was chosen.
-The IP address portion of the socket address structure will be
-set to the loopback address if
-<TT
-CLASS="PARAMETER"
-><I
->hostname</I
-></TT
->
-is a
-<SPAN
-CLASS="TYPE"
->NULL</SPAN
->
-pointer and
-<SPAN
-CLASS="TYPE"
->AI_PASSIVE</SPAN
->
-is not set in
-<TT
-CLASS="CONSTANT"
->ai_flags</TT
->.</P
-><P
->If
-<TT
-CLASS="CONSTANT"
->ai_flags</TT
->
-is set to
-<SPAN
-CLASS="TYPE"
->AI_NUMERICHOST</SPAN
->
-it indicates that
-<TT
-CLASS="PARAMETER"
-><I
->hostname</I
-></TT
->
-should be treated as a numeric string defining an IPv4 or IPv6 address
-and no name resolution should be attempted.</P
-></DD
-></DL
-></DIV
-></P
-><P
->All other elements of the <SPAN
-CLASS="TYPE"
->struct addrinfo</SPAN
-> passed
-via <TT
-CLASS="PARAMETER"
-><I
->hints</I
-></TT
-> must be zero.</P
-><P
->A <TT
-CLASS="PARAMETER"
-><I
->hints</I
-></TT
-> of <SPAN
-CLASS="TYPE"
->NULL</SPAN
-> is treated as if
-the caller provided a <SPAN
-CLASS="TYPE"
->struct addrinfo</SPAN
-> initialized to zero
-with <TT
-CLASS="CONSTANT"
->ai_family</TT
->set to
-<TT
-CLASS="CONSTANT"
->PF_UNSPEC</TT
->.</P
-><P
->After a successful call to
-<TT
-CLASS="FUNCTION"
->lwres_getaddrinfo()</TT
->,
-<TT
-CLASS="PARAMETER"
-><I
->*res</I
-></TT
->
-is a pointer to a linked list of one or more
-<SPAN
-CLASS="TYPE"
->addrinfo</SPAN
->
-structures.
-Each
-<SPAN
-CLASS="TYPE"
->struct addrinfo</SPAN
->
-in this list cn be processed by following
-the
-<TT
-CLASS="CONSTANT"
->ai_next</TT
->
-pointer, until a
-<SPAN
-CLASS="TYPE"
->NULL</SPAN
->
-pointer is encountered.
-The three members
-<TT
-CLASS="CONSTANT"
->ai_family</TT
->,
-<TT
-CLASS="CONSTANT"
->ai_socktype</TT
->,
-and
-<TT
-CLASS="CONSTANT"
->ai_protocol</TT
->
-in each
-returned
-<SPAN
-CLASS="TYPE"
->addrinfo</SPAN
->
-structure contain the corresponding arguments for a call to
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->socket</SPAN
->(2)</SPAN
->.
-For each
-<SPAN
-CLASS="TYPE"
->addrinfo</SPAN
->
-structure in the list, the
-<TT
-CLASS="CONSTANT"
->ai_addr</TT
->
-member points to a filled-in socket address structure of length
-<TT
-CLASS="CONSTANT"
->ai_addrlen</TT
->.</P
-><P
->All of the information returned by
-<TT
-CLASS="FUNCTION"
->lwres_getaddrinfo()</TT
->
-is dynamically allocated: the addrinfo structures, and the socket
-address structures and canonical host name strings pointed to by the
-<TT
-CLASS="CONSTANT"
->addrinfo</TT
->structures.
-Memory allocated for the dynamically allocated structures created by
-a successful call to
-<TT
-CLASS="FUNCTION"
->lwres_getaddrinfo()</TT
->
-is released by
-<TT
-CLASS="FUNCTION"
->lwres_freeaddrinfo()</TT
->.
-<TT
-CLASS="PARAMETER"
-><I
->ai</I
-></TT
->
-is a pointer to a
-<SPAN
-CLASS="TYPE"
->struct addrinfo</SPAN
->
-created by a call to
-<TT
-CLASS="FUNCTION"
->lwres_getaddrinfo()</TT
->.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN142"
-></A
-><H2
->RETURN VALUES</H2
-><P
-><TT
-CLASS="FUNCTION"
->lwres_getaddrinfo()</TT
->
-returns zero on success or one of the error codes listed in
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->gai_strerror</SPAN
->(3)</SPAN
->
-if an error occurs.
-If both
-<TT
-CLASS="PARAMETER"
-><I
->hostname</I
-></TT
->
-and
-<TT
-CLASS="PARAMETER"
-><I
->servname</I
-></TT
->
-are
-<SPAN
-CLASS="TYPE"
->NULL</SPAN
->
-<TT
-CLASS="FUNCTION"
->lwres_getaddrinfo()</TT
->
-returns
-<SPAN
-CLASS="ERRORCODE"
->EAI_NONAME</SPAN
->.&#13;</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN154"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_getaddrinfo</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_freeaddrinfo</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_gai_strerror</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->RFC2133</SPAN
-></SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->getservbyname</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->bind</SPAN
->(2)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->connect</SPAN
->(2)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->sendto</SPAN
->(2)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->sendmsg</SPAN
->(2)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->socket</SPAN
->(2)</SPAN
->.</P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_gethostent.3 b/lib/liblwres/man/lwres_gethostent.3
deleted file mode 100644
index 44811ef4d..000000000
--- a/lib/liblwres/man/lwres_gethostent.3
+++ /dev/null
@@ -1,270 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_GETHOSTENT" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r \- lightweight resolver get network host entry
-.SH SYNOPSIS
-\fB#include <lwres/netdb.h>
-.sp
-.na
-struct hostent *
-lwres_gethostbyname(const char *name);
-.ad
-.sp
-.na
-struct hostent *
-lwres_gethostbyname2(const char *name, int af);
-.ad
-.sp
-.na
-struct hostent *
-lwres_gethostbyaddr(const char *addr, int len, int type);
-.ad
-.sp
-.na
-struct hostent *
-lwres_gethostent(void);
-.ad
-.sp
-.na
-void
-lwres_sethostent(int stayopen);
-.ad
-.sp
-.na
-void
-lwres_endhostent(void);
-.ad
-.sp
-.na
-struct hostent *
-lwres_gethostbyname_r(const char *name, struct hostent *resbuf, char *buf, int buflen, int *error);
-.ad
-.sp
-.na
-struct hostent *
-lwres_gethostbyaddr_r(const char *addr, int len, int type, struct hostent *resbuf, char *buf, int buflen, int *error);
-.ad
-.sp
-.na
-struct hostent *
-lwres_gethostent_r(struct hostent *resbuf, char *buf, int buflen, int *error);
-.ad
-.sp
-.na
-void
-lwres_sethostent_r(int stayopen);
-.ad
-.sp
-.na
-void
-lwres_endhostent_r(void);
-.ad
-\fR.SH "DESCRIPTION"
-.PP
-These functions provide hostname-to-address and
-address-to-hostname lookups by means of the lightweight resolver.
-They are similar to the standard
-\fBgethostent\fR(3)
-functions provided by most operating systems.
-They use a
-\fBstruct hostent\fR
-which is usually defined in
-\fI<namedb.h>\fR.
-.sp
-.nf
-struct hostent {
- char *h_name; /* official name of host */
- char **h_aliases; /* alias list */
- int h_addrtype; /* host address type */
- int h_length; /* length of address */
- char **h_addr_list; /* list of addresses from name server */
-};
-#define h_addr h_addr_list[0] /* address, for backward compatibility */
-.sp
-.fi
-.PP
-The members of this structure are:
-.TP
-\fBh_name\fR
-The official (canonical) name of the host.
-.TP
-\fBh_aliases\fR
-A NULL-terminated array of alternate names (nicknames) for the host.
-.TP
-\fBh_addrtype\fR
-The type of address being returned \(em
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR.
-.TP
-\fBh_length\fR
-The length of the address in bytes.
-.TP
-\fBh_addr_list\fR
-A \fBNULL\fR
-terminated array of network addresses for the host.
-Host addresses are returned in network byte order.
-.PP
-For backward compatibility with very old software,
-h_addr
-is the first address in
-h_addr_list.
-.PP
-\fBlwres_gethostent()\fR,
-\fBlwres_sethostent()\fR,
-\fBlwres_endhostent()\fR,
-\fBlwres_gethostent_r()\fR,
-\fBlwres_sethostent_r()\fR
-and
-\fBlwres_endhostent_r()\fR
-provide iteration over the known host entries on systems that
-provide such functionality through facilities like
-\fI/etc/hosts\fR
-or NIS. The lightweight resolver does not currently implement
-these functions; it only provides them as stub functions that always
-return failure.
-.PP
-\fBlwres_gethostbyname()\fR and
-\fBlwres_gethostbyname2()\fR look up the hostname
-\fIname\fR.
-\fBlwres_gethostbyname()\fR always looks for an IPv4
-address while \fBlwres_gethostbyname2()\fR looks for an
-address of protocol family \fIaf\fR: either
-\fBPF_INET\fR or \fBPF_INET6\fR \(em IPv4 or IPV6
-addresses respectively. Successful calls of the functions return a
-\fBstruct hostent\fRfor the name that was looked up.
-\fBNULL\fR is returned if the lookups by
-\fBlwres_gethostbyname()\fR or
-\fBlwres_gethostbyname2()\fR fail.
-.PP
-Reverse lookups of addresses are performed by
-\fBlwres_gethostbyaddr()\fR.
-\fIaddr\fR is an address of length
-\fIlen\fR bytes and protocol family
-\fItype\fR \(em \fBPF_INET\fR or
-\fBPF_INET6\fR.
-\fBlwres_gethostbyname_r()\fR is a thread-safe function
-for forward lookups. If an error occurs, an error code is returned in
-\fI*error\fR.
-\fIresbuf\fR is a pointer to a \fBstruct
-hostent\fR which is initialised by a successful call to
-\fBlwres_gethostbyname_r()\fR .
-\fIbuf\fR is a buffer of length
-\fIlen\fR bytes which is used to store the
-h_name, h_aliases, and
-h_addr_list elements of the \fBstruct
-hostent\fR returned in \fIresbuf\fR.
-Successful calls to \fBlwres_gethostbyname_r()\fR
-return \fIresbuf\fR,
-which is a pointer to the \fBstruct hostent\fR it created.
-.PP
-\fBlwres_gethostbyaddr_r()\fR is a thread-safe function
-that performs a reverse lookup of address \fIaddr\fR
-which is \fIlen\fR bytes long and is of protocol
-family \fItype\fR \(em \fBPF_INET\fR or
-\fBPF_INET6\fR. If an error occurs, the error code is returned
-in \fI*error\fR. The other function parameters are
-identical to those in \fBlwres_gethostbyname_r()\fR.
-\fIresbuf\fR is a pointer to a \fBstruct
-hostent\fR which is initialised by a successful call to
-\fBlwres_gethostbyaddr_r()\fR.
-\fIbuf\fR is a buffer of length
-\fIlen\fR bytes which is used to store the
-h_name, h_aliases, and
-h_addr_list elements of the \fBstruct
-hostent\fR returned in \fIresbuf\fR. Successful
-calls to \fBlwres_gethostbyaddr_r()\fR return
-\fIresbuf\fR, which is a pointer to the
-\fBstruct hostent()\fR it created.
-.SH "RETURN VALUES"
-.PP
-The functions
-\fBlwres_gethostbyname()\fR,
-\fBlwres_gethostbyname2()\fR,
-\fBlwres_gethostbyaddr()\fR,
-and
-\fBlwres_gethostent()\fR
-return NULL to indicate an error. In this case the global variable
-\fBlwres_h_errno\fR
-will contain one of the following error codes defined in
-\fI<lwres/netdb.h>\fR:
-.TP
-\fBHOST_NOT_FOUND\fR
-The host or address was not found.
-.TP
-\fBTRY_AGAIN\fR
-A recoverable error occurred, e.g., a timeout.
-Retrying the lookup may succeed.
-.TP
-\fBNO_RECOVERY\fR
-A non-recoverable error occurred.
-.TP
-\fBNO_DATA\fR
-The name exists, but has no address information
-associated with it (or vice versa in the case
-of a reverse lookup). The code NO_ADDRESS
-is accepted as a synonym for NO_DATA for backwards
-compatibility.
-.PP
-\fBlwres_hstrerror\fR(3)
-translates these error codes to suitable error messages.
-.PP
-\fBlwres_gethostent()\fR
-and
-\fBlwres_gethostent_r()\fR
-always return
-\fBNULL\fR.
-.PP
-Successful calls to \fBlwres_gethostbyname_r()\fR and
-\fBlwres_gethostbyaddr_r()\fR return
-\fIresbuf\fR, a pointer to the \fBstruct
-hostent\fR that was initialised by these functions. They return
-\fBNULL\fR if the lookups fail or if \fIbuf\fR
-was too small to hold the list of addresses and names referenced by
-the h_name, h_aliases, and
-h_addr_list elements of the \fBstruct
-hostent\fR. If \fIbuf\fR was too small, both
-\fBlwres_gethostbyname_r()\fR and
-\fBlwres_gethostbyaddr_r()\fR set the global variable
-\fBerrno\fR to ERANGE.
-.SH "SEE ALSO"
-.PP
-\fBgethostent\fR(3),
-\fBlwres_getipnode\fR(3),
-\fBlwres_hstrerror\fR(3)
-.SH "BUGS"
-.PP
-\fBlwres_gethostbyname()\fR,
-\fBlwres_gethostbyname2()\fR,
-\fBlwres_gethostbyaddr()\fR
-and
-\fBlwres_endhostent()\fR
-are not thread safe; they return pointers to static data and
-provide error codes through a global variable.
-Thread-safe versions for name and address lookup are provided by
-\fBlwres_gethostbyname_r()\fR,
-and
-\fBlwres_gethostbyaddr_r()\fR
-respectively.
-.PP
-The resolver daemon does not currently support any non-DNS
-name services such as
-\fI/etc/hosts\fR
-or
-\fBNIS\fR,
-consequently the above functions don't, either.
diff --git a/lib/liblwres/man/lwres_gethostent.docbook b/lib/liblwres/man/lwres_gethostent.docbook
deleted file mode 100644
index 22717821c..000000000
--- a/lib/liblwres/man/lwres_gethostent.docbook
+++ /dev/null
@@ -1,407 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_gethostent.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_gethostent</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
-<refnamediv>
-<refname>lwres_gethostbyname</refname>
-<refname>lwres_gethostbyname2</refname>
-<refname>lwres_gethostbyaddr</refname>
-<refname>lwres_gethostent</refname>
-<refname>lwres_sethostent</refname>
-<refname>lwres_endhostent</refname>
-<refname>lwres_gethostbyname_r</refname>
-<refname>lwres_gethostbyaddr_r</refname>
-<refname>lwres_gethostent_r</refname>
-<refname>lwres_sethostent_r</refname>
-<refname>lwres_endhostent_r</refname>
-<refpurpose>lightweight resolver get network host entry</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_gethostbyname</function></funcdef>
-<paramdef>const char *name</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_gethostbyname2</function></funcdef>
-<paramdef>const char *name</paramdef>
-<paramdef>int af</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_gethostbyaddr</function></funcdef>
-<paramdef>const char *addr</paramdef>
-<paramdef>int len</paramdef>
-<paramdef>int type</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_gethostent</function></funcdef>
-<paramdef>void</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_sethostent</function></funcdef>
-<paramdef>int stayopen</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_endhostent</function></funcdef>
-<paramdef>void</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_gethostbyname_r</function></funcdef>
-<paramdef>const char *name</paramdef>
-<paramdef>struct hostent *resbuf</paramdef>
-<paramdef>char *buf</paramdef>
-<paramdef>int buflen</paramdef>
-<paramdef>int *error</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_gethostbyaddr_r</function></funcdef>
-<paramdef>const char *addr</paramdef>
-<paramdef>int len</paramdef>
-<paramdef>int type</paramdef>
-<paramdef>struct hostent *resbuf</paramdef>
-<paramdef>char *buf</paramdef>
-<paramdef>int buflen</paramdef>
-<paramdef>int *error</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_gethostent_r</function></funcdef>
-<paramdef>struct hostent *resbuf</paramdef>
-<paramdef>char *buf</paramdef>
-<paramdef>int buflen</paramdef>
-<paramdef>int *error</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_sethostent_r</function></funcdef>
-<paramdef>int stayopen</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_endhostent_r</function></funcdef>
-<paramdef>void</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These functions provide hostname-to-address and
-address-to-hostname lookups by means of the lightweight resolver.
-They are similar to the standard
-<citerefentry>
-<refentrytitle>gethostent</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-functions provided by most operating systems.
-They use a
-<type>struct hostent</type>
-which is usually defined in
-<filename>&lt;namedb.h&gt;</filename>.
-
-<programlisting>
-struct hostent {
- char *h_name; /* official name of host */
- char **h_aliases; /* alias list */
- int h_addrtype; /* host address type */
- int h_length; /* length of address */
- char **h_addr_list; /* list of addresses from name server */
-};
-#define h_addr h_addr_list[0] /* address, for backward compatibility */
-</programlisting>
-</para>
-<para>
-The members of this structure are:
-<variablelist>
-<varlistentry><term><constant>h_name</constant></term>
-<listitem>
-<para>
-The official (canonical) name of the host.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_aliases</constant></term>
-<listitem>
-<para>
-A NULL-terminated array of alternate names (nicknames) for the host.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_addrtype</constant></term>
-<listitem>
-<para>
-The type of address being returned &mdash;
-<type>PF_INET</type>
-or
-<type>PF_INET6</type>.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_length</constant></term>
-<listitem>
-<para>
-The length of the address in bytes.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_addr_list</constant></term>
-<listitem>
-<para>
-A <type>NULL</type>
-terminated array of network addresses for the host.
-Host addresses are returned in network byte order.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-For backward compatibility with very old software,
-<constant>h_addr</constant>
-is the first address in
-<constant>h_addr_list.</constant>
-</para>
-<para>
-<function>lwres_gethostent()</function>,
-<function>lwres_sethostent()</function>,
-<function>lwres_endhostent()</function>,
-<function>lwres_gethostent_r()</function>,
-<function>lwres_sethostent_r()</function>
-and
-<function>lwres_endhostent_r()</function>
-provide iteration over the known host entries on systems that
-provide such functionality through facilities like
-<filename>/etc/hosts</filename>
-or NIS. The lightweight resolver does not currently implement
-these functions; it only provides them as stub functions that always
-return failure.
-</para>
-
-<para>
-<function>lwres_gethostbyname()</function> and
-<function>lwres_gethostbyname2()</function> look up the hostname
-<parameter>name</parameter>.
-<function>lwres_gethostbyname()</function> always looks for an IPv4
-address while <function>lwres_gethostbyname2()</function> looks for an
-address of protocol family <parameter>af</parameter>: either
-<type>PF_INET</type> or <type>PF_INET6</type> &mdash; IPv4 or IPV6
-addresses respectively. Successful calls of the functions return a
-<type>struct hostent</type>for the name that was looked up.
-<type>NULL</type> is returned if the lookups by
-<function>lwres_gethostbyname()</function> or
-<function>lwres_gethostbyname2()</function> fail.
-</para>
-
-<para>
-Reverse lookups of addresses are performed by
-<function>lwres_gethostbyaddr()</function>.
-<parameter>addr</parameter> is an address of length
-<parameter>len</parameter> bytes and protocol family
-<parameter>type</parameter> &mdash; <type>PF_INET</type> or
-<type>PF_INET6</type>.
-<function>lwres_gethostbyname_r()</function> is a thread-safe function
-for forward lookups. If an error occurs, an error code is returned in
-<parameter>*error</parameter>.
-<parameter>resbuf</parameter> is a pointer to a <type>struct
-hostent</type> which is initialised by a successful call to
-<function>lwres_gethostbyname_r()</function> .
-<parameter>buf</parameter> is a buffer of length
-<parameter>len</parameter> bytes which is used to store the
-<constant>h_name</constant>, <constant>h_aliases</constant>, and
-<constant>h_addr_list</constant> elements of the <type>struct
-hostent</type> returned in <parameter>resbuf</parameter>.
-Successful calls to <function>lwres_gethostbyname_r()</function>
-return <parameter>resbuf</parameter>,
-which is a pointer to the <type>struct hostent</type> it created.
-</para>
-
-<para>
-<function>lwres_gethostbyaddr_r()</function> is a thread-safe function
-that performs a reverse lookup of address <parameter>addr</parameter>
-which is <parameter>len</parameter> bytes long and is of protocol
-family <parameter>type</parameter> &mdash; <type>PF_INET</type> or
-<type>PF_INET6</type>. If an error occurs, the error code is returned
-in <parameter>*error</parameter>. The other function parameters are
-identical to those in <function>lwres_gethostbyname_r()</function>.
-<parameter>resbuf</parameter> is a pointer to a <type>struct
-hostent</type> which is initialised by a successful call to
-<function>lwres_gethostbyaddr_r()</function>.
-<parameter>buf</parameter> is a buffer of length
-<parameter>len</parameter> bytes which is used to store the
-<constant>h_name</constant>, <constant>h_aliases</constant>, and
-<constant>h_addr_list</constant> elements of the <type>struct
-hostent</type> returned in <parameter>resbuf</parameter>. Successful
-calls to <function>lwres_gethostbyaddr_r()</function> return
-<parameter>resbuf</parameter>, which is a pointer to the
-<function>struct hostent()</function> it created.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The functions
-<function>lwres_gethostbyname()</function>,
-<function>lwres_gethostbyname2()</function>,
-<function>lwres_gethostbyaddr()</function>,
-and
-<function>lwres_gethostent()</function>
-return NULL to indicate an error. In this case the global variable
-<type>lwres_h_errno</type>
-will contain one of the following error codes defined in
-<filename>&lt;lwres/netdb.h&gt;</filename>:
-
-<variablelist>
-<varlistentry><term><constant>HOST_NOT_FOUND</constant></term>
-<listitem>
-<para>
-The host or address was not found.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>TRY_AGAIN</constant></term>
-<listitem>
-<para>
-A recoverable error occurred, e.g., a timeout.
-Retrying the lookup may succeed.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>NO_RECOVERY</constant></term>
-<listitem>
-<para>
-A non-recoverable error occurred.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>NO_DATA</constant></term>
-<listitem>
-<para>
-The name exists, but has no address information
-associated with it (or vice versa in the case
-of a reverse lookup). The code NO_ADDRESS
-is accepted as a synonym for NO_DATA for backwards
-compatibility.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
-
-<para>
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-translates these error codes to suitable error messages.
-</para>
-
-<para>
-<function>lwres_gethostent()</function>
-and
-<function>lwres_gethostent_r()</function>
-always return
-<type>NULL</type>.
-</para>
-
-<para>
-Successful calls to <function>lwres_gethostbyname_r()</function> and
-<function>lwres_gethostbyaddr_r()</function> return
-<parameter>resbuf</parameter>, a pointer to the <type>struct
-hostent</type> that was initialised by these functions. They return
-<type>NULL</type> if the lookups fail or if <parameter>buf</parameter>
-was too small to hold the list of addresses and names referenced by
-the <constant>h_name</constant>, <constant>h_aliases</constant>, and
-<constant>h_addr_list</constant> elements of the <type>struct
-hostent</type>. If <parameter>buf</parameter> was too small, both
-<function>lwres_gethostbyname_r()</function> and
-<function>lwres_gethostbyaddr_r()</function> set the global variable
-<type>errno</type> to <errorcode>ERANGE</errorcode>.
-</para>
-
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>gethostent</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getipnode</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-</para>
-</refsect1>
-
-<refsect1>
-<title>BUGS</title>
-<para>
-<function>lwres_gethostbyname()</function>,
-<function>lwres_gethostbyname2()</function>,
-<function>lwres_gethostbyaddr()</function>
-and
-<function>lwres_endhostent()</function>
-are not thread safe; they return pointers to static data and
-provide error codes through a global variable.
-Thread-safe versions for name and address lookup are provided by
-<function>lwres_gethostbyname_r()</function>,
-and
-<function>lwres_gethostbyaddr_r()</function>
-respectively.
-</para>
-<para>
-The resolver daemon does not currently support any non-DNS
-name services such as
-<filename>/etc/hosts</filename>
-or
-<type>NIS</type>,
-consequently the above functions don't, either.
-</para>
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_gethostent.html b/lib/liblwres/man/lwres_gethostent.html
deleted file mode 100644
index 28671b86b..000000000
--- a/lib/liblwres/man/lwres_gethostent.html
+++ /dev/null
@@ -1,827 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_gethostent</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_gethostent</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r&nbsp;--&nbsp;lightweight resolver get network host entry</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN21"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN22"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/netdb.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->struct hostent *
-lwres_gethostbyname</CODE
->(const char *name);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->struct hostent *
-lwres_gethostbyname2</CODE
->(const char *name, int af);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->struct hostent *
-lwres_gethostbyaddr</CODE
->(const char *addr, int len, int type);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->struct hostent *
-lwres_gethostent</CODE
->(void);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_sethostent</CODE
->(int stayopen);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_endhostent</CODE
->(void);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->struct hostent *
-lwres_gethostbyname_r</CODE
->(const char *name, struct hostent *resbuf, char *buf, int buflen, int *error);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->struct hostent *
-lwres_gethostbyaddr_r</CODE
->(const char *addr, int len, int type, struct hostent *resbuf, char *buf, int buflen, int *error);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->struct hostent *
-lwres_gethostent_r</CODE
->(struct hostent *resbuf, char *buf, int buflen, int *error);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_sethostent_r</CODE
->(int stayopen);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_endhostent_r</CODE
->(void);</CODE
-></P
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN84"
-></A
-><H2
->DESCRIPTION</H2
-><P
->These functions provide hostname-to-address and
-address-to-hostname lookups by means of the lightweight resolver.
-They are similar to the standard
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->gethostent</SPAN
->(3)</SPAN
->
-functions provided by most operating systems.
-They use a
-<SPAN
-CLASS="TYPE"
->struct hostent</SPAN
->
-which is usually defined in
-<TT
-CLASS="FILENAME"
->&lt;namedb.h&gt;</TT
->.
-
-<PRE
-CLASS="PROGRAMLISTING"
->struct hostent {
- char *h_name; /* official name of host */
- char **h_aliases; /* alias list */
- int h_addrtype; /* host address type */
- int h_length; /* length of address */
- char **h_addr_list; /* list of addresses from name server */
-};
-#define h_addr h_addr_list[0] /* address, for backward compatibility */</PRE
-></P
-><P
->The members of this structure are:
-<P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="CONSTANT"
->h_name</TT
-></DT
-><DD
-><P
->The official (canonical) name of the host.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->h_aliases</TT
-></DT
-><DD
-><P
->A NULL-terminated array of alternate names (nicknames) for the host.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->h_addrtype</TT
-></DT
-><DD
-><P
->The type of address being returned &mdash;
-<SPAN
-CLASS="TYPE"
->PF_INET</SPAN
->
-or
-<SPAN
-CLASS="TYPE"
->PF_INET6</SPAN
->.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->h_length</TT
-></DT
-><DD
-><P
->The length of the address in bytes.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->h_addr_list</TT
-></DT
-><DD
-><P
->A <SPAN
-CLASS="TYPE"
->NULL</SPAN
->
-terminated array of network addresses for the host.
-Host addresses are returned in network byte order.</P
-></DD
-></DL
-></DIV
-></P
-><P
->For backward compatibility with very old software,
-<TT
-CLASS="CONSTANT"
->h_addr</TT
->
-is the first address in
-<TT
-CLASS="CONSTANT"
->h_addr_list.</TT
-></P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_gethostent()</TT
->,
-<TT
-CLASS="FUNCTION"
->lwres_sethostent()</TT
->,
-<TT
-CLASS="FUNCTION"
->lwres_endhostent()</TT
->,
-<TT
-CLASS="FUNCTION"
->lwres_gethostent_r()</TT
->,
-<TT
-CLASS="FUNCTION"
->lwres_sethostent_r()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_endhostent_r()</TT
->
-provide iteration over the known host entries on systems that
-provide such functionality through facilities like
-<TT
-CLASS="FILENAME"
->/etc/hosts</TT
->
-or NIS. The lightweight resolver does not currently implement
-these functions; it only provides them as stub functions that always
-return failure.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_gethostbyname()</TT
-> and
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyname2()</TT
-> look up the hostname
-<TT
-CLASS="PARAMETER"
-><I
->name</I
-></TT
->.
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyname()</TT
-> always looks for an IPv4
-address while <TT
-CLASS="FUNCTION"
->lwres_gethostbyname2()</TT
-> looks for an
-address of protocol family <TT
-CLASS="PARAMETER"
-><I
->af</I
-></TT
->: either
-<SPAN
-CLASS="TYPE"
->PF_INET</SPAN
-> or <SPAN
-CLASS="TYPE"
->PF_INET6</SPAN
-> &mdash; IPv4 or IPV6
-addresses respectively. Successful calls of the functions return a
-<SPAN
-CLASS="TYPE"
->struct hostent</SPAN
->for the name that was looked up.
-<SPAN
-CLASS="TYPE"
->NULL</SPAN
-> is returned if the lookups by
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyname()</TT
-> or
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyname2()</TT
-> fail.</P
-><P
->Reverse lookups of addresses are performed by
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyaddr()</TT
->.
-<TT
-CLASS="PARAMETER"
-><I
->addr</I
-></TT
-> is an address of length
-<TT
-CLASS="PARAMETER"
-><I
->len</I
-></TT
-> bytes and protocol family
-<TT
-CLASS="PARAMETER"
-><I
->type</I
-></TT
-> &mdash; <SPAN
-CLASS="TYPE"
->PF_INET</SPAN
-> or
-<SPAN
-CLASS="TYPE"
->PF_INET6</SPAN
->.
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyname_r()</TT
-> is a thread-safe function
-for forward lookups. If an error occurs, an error code is returned in
-<TT
-CLASS="PARAMETER"
-><I
->*error</I
-></TT
->.
-<TT
-CLASS="PARAMETER"
-><I
->resbuf</I
-></TT
-> is a pointer to a <SPAN
-CLASS="TYPE"
->struct
-hostent</SPAN
-> which is initialised by a successful call to
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyname_r()</TT
-> .
-<TT
-CLASS="PARAMETER"
-><I
->buf</I
-></TT
-> is a buffer of length
-<TT
-CLASS="PARAMETER"
-><I
->len</I
-></TT
-> bytes which is used to store the
-<TT
-CLASS="CONSTANT"
->h_name</TT
->, <TT
-CLASS="CONSTANT"
->h_aliases</TT
->, and
-<TT
-CLASS="CONSTANT"
->h_addr_list</TT
-> elements of the <SPAN
-CLASS="TYPE"
->struct
-hostent</SPAN
-> returned in <TT
-CLASS="PARAMETER"
-><I
->resbuf</I
-></TT
->.
-Successful calls to <TT
-CLASS="FUNCTION"
->lwres_gethostbyname_r()</TT
->
-return <TT
-CLASS="PARAMETER"
-><I
->resbuf</I
-></TT
->,
-which is a pointer to the <SPAN
-CLASS="TYPE"
->struct hostent</SPAN
-> it created.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_gethostbyaddr_r()</TT
-> is a thread-safe function
-that performs a reverse lookup of address <TT
-CLASS="PARAMETER"
-><I
->addr</I
-></TT
->
-which is <TT
-CLASS="PARAMETER"
-><I
->len</I
-></TT
-> bytes long and is of protocol
-family <TT
-CLASS="PARAMETER"
-><I
->type</I
-></TT
-> &mdash; <SPAN
-CLASS="TYPE"
->PF_INET</SPAN
-> or
-<SPAN
-CLASS="TYPE"
->PF_INET6</SPAN
->. If an error occurs, the error code is returned
-in <TT
-CLASS="PARAMETER"
-><I
->*error</I
-></TT
->. The other function parameters are
-identical to those in <TT
-CLASS="FUNCTION"
->lwres_gethostbyname_r()</TT
->.
-<TT
-CLASS="PARAMETER"
-><I
->resbuf</I
-></TT
-> is a pointer to a <SPAN
-CLASS="TYPE"
->struct
-hostent</SPAN
-> which is initialised by a successful call to
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyaddr_r()</TT
->.
-<TT
-CLASS="PARAMETER"
-><I
->buf</I
-></TT
-> is a buffer of length
-<TT
-CLASS="PARAMETER"
-><I
->len</I
-></TT
-> bytes which is used to store the
-<TT
-CLASS="CONSTANT"
->h_name</TT
->, <TT
-CLASS="CONSTANT"
->h_aliases</TT
->, and
-<TT
-CLASS="CONSTANT"
->h_addr_list</TT
-> elements of the <SPAN
-CLASS="TYPE"
->struct
-hostent</SPAN
-> returned in <TT
-CLASS="PARAMETER"
-><I
->resbuf</I
-></TT
->. Successful
-calls to <TT
-CLASS="FUNCTION"
->lwres_gethostbyaddr_r()</TT
-> return
-<TT
-CLASS="PARAMETER"
-><I
->resbuf</I
-></TT
->, which is a pointer to the
-<TT
-CLASS="FUNCTION"
->struct hostent()</TT
-> it created.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN191"
-></A
-><H2
->RETURN VALUES</H2
-><P
->The functions
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyname()</TT
->,
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyname2()</TT
->,
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyaddr()</TT
->,
-and
-<TT
-CLASS="FUNCTION"
->lwres_gethostent()</TT
->
-return NULL to indicate an error. In this case the global variable
-<SPAN
-CLASS="TYPE"
->lwres_h_errno</SPAN
->
-will contain one of the following error codes defined in
-<TT
-CLASS="FILENAME"
->&lt;lwres/netdb.h&gt;</TT
->:
-
-<P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="CONSTANT"
->HOST_NOT_FOUND</TT
-></DT
-><DD
-><P
->The host or address was not found.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->TRY_AGAIN</TT
-></DT
-><DD
-><P
->A recoverable error occurred, e.g., a timeout.
-Retrying the lookup may succeed.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->NO_RECOVERY</TT
-></DT
-><DD
-><P
->A non-recoverable error occurred.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->NO_DATA</TT
-></DT
-><DD
-><P
->The name exists, but has no address information
-associated with it (or vice versa in the case
-of a reverse lookup). The code NO_ADDRESS
-is accepted as a synonym for NO_DATA for backwards
-compatibility.</P
-></DD
-></DL
-></DIV
-></P
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_hstrerror</SPAN
->(3)</SPAN
->
-translates these error codes to suitable error messages.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_gethostent()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_gethostent_r()</TT
->
-always return
-<SPAN
-CLASS="TYPE"
->NULL</SPAN
->.</P
-><P
->Successful calls to <TT
-CLASS="FUNCTION"
->lwres_gethostbyname_r()</TT
-> and
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyaddr_r()</TT
-> return
-<TT
-CLASS="PARAMETER"
-><I
->resbuf</I
-></TT
->, a pointer to the <SPAN
-CLASS="TYPE"
->struct
-hostent</SPAN
-> that was initialised by these functions. They return
-<SPAN
-CLASS="TYPE"
->NULL</SPAN
-> if the lookups fail or if <TT
-CLASS="PARAMETER"
-><I
->buf</I
-></TT
->
-was too small to hold the list of addresses and names referenced by
-the <TT
-CLASS="CONSTANT"
->h_name</TT
->, <TT
-CLASS="CONSTANT"
->h_aliases</TT
->, and
-<TT
-CLASS="CONSTANT"
->h_addr_list</TT
-> elements of the <SPAN
-CLASS="TYPE"
->struct
-hostent</SPAN
->. If <TT
-CLASS="PARAMETER"
-><I
->buf</I
-></TT
-> was too small, both
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyname_r()</TT
-> and
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyaddr_r()</TT
-> set the global variable
-<SPAN
-CLASS="TYPE"
->errno</SPAN
-> to <SPAN
-CLASS="ERRORCODE"
->ERANGE</SPAN
->.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN245"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->gethostent</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_getipnode</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_hstrerror</SPAN
->(3)</SPAN
-></P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN257"
-></A
-><H2
->BUGS</H2
-><P
-><TT
-CLASS="FUNCTION"
->lwres_gethostbyname()</TT
->,
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyname2()</TT
->,
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyaddr()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_endhostent()</TT
->
-are not thread safe; they return pointers to static data and
-provide error codes through a global variable.
-Thread-safe versions for name and address lookup are provided by
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyname_r()</TT
->,
-and
-<TT
-CLASS="FUNCTION"
->lwres_gethostbyaddr_r()</TT
->
-respectively.</P
-><P
->The resolver daemon does not currently support any non-DNS
-name services such as
-<TT
-CLASS="FILENAME"
->/etc/hosts</TT
->
-or
-<SPAN
-CLASS="TYPE"
->NIS</SPAN
->,
-consequently the above functions don't, either.</P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_getipnode.3 b/lib/liblwres/man/lwres_getipnode.3
deleted file mode 100644
index 39dfc984a..000000000
--- a/lib/liblwres/man/lwres_getipnode.3
+++ /dev/null
@@ -1,187 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_GETIPNODE" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent \- lightweight resolver nodename / address translation API
-.SH SYNOPSIS
-\fB#include <lwres/netdb.h>
-.sp
-.na
-struct hostent *
-lwres_getipnodebyname(const char *name, int af, int flags, int *error_num);
-.ad
-.sp
-.na
-struct hostent *
-lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num);
-.ad
-.sp
-.na
-void
-lwres_freehostent(struct hostent *he);
-.ad
-\fR.SH "DESCRIPTION"
-.PP
-These functions perform thread safe, protocol independent
-nodename-to-address and address-to-nodename
-translation as defined in RFC2553.
-.PP
-They use a
-\fBstruct hostent\fR
-which is defined in
-\fInamedb.h\fR:
-.sp
-.nf
-struct hostent {
- char *h_name; /* official name of host */
- char **h_aliases; /* alias list */
- int h_addrtype; /* host address type */
- int h_length; /* length of address */
- char **h_addr_list; /* list of addresses from name server */
-};
-#define h_addr h_addr_list[0] /* address, for backward compatibility */
-.sp
-.fi
-.PP
-The members of this structure are:
-.TP
-\fBh_name\fR
-The official (canonical) name of the host.
-.TP
-\fBh_aliases\fR
-A NULL-terminated array of alternate names (nicknames) for the host.
-.TP
-\fBh_addrtype\fR
-The type of address being returned - usually
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR.
-.TP
-\fBh_length\fR
-The length of the address in bytes.
-.TP
-\fBh_addr_list\fR
-A
-\fBNULL\fR
-terminated array of network addresses for the host.
-Host addresses are returned in network byte order.
-.PP
-\fBlwres_getipnodebyname()\fR
-looks up addresses of protocol family
-\fIaf\fR
-for the hostname
-\fIname\fR.
-The
-\fIflags\fR
-parameter contains ORed flag bits to
-specify the types of addresses that are searched
-for, and the types of addresses that are returned.
-The flag bits are:
-.TP
-\fBAI_V4MAPPED\fR
-This is used with an
-\fIaf\fR
-of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped
-IPv6 addresses.
-.TP
-\fBAI_ALL\fR
-This is used with an
-\fIaf\fR
-of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned.
-If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped
-IPv6 addresses.
-.TP
-\fBAI_ADDRCONFIG\fR
-Only return an IPv6 or IPv4 address if here is an active network
-interface of that type. This is not currently implemented
-in the BIND 9 lightweight resolver, and the flag is ignored.
-.TP
-\fBAI_DEFAULT\fR
-This default sets the
-AI_V4MAPPED
-and
-AI_ADDRCONFIG
-flag bits.
-.PP
-\fBlwres_getipnodebyaddr()\fR
-performs a reverse lookup
-of address
-\fIsrc\fR
-which is
-\fIlen\fR
-bytes long.
-\fIaf\fR
-denotes the protocol family, typically
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR.
-.PP
-\fBlwres_freehostent()\fR
-releases all the memory associated with
-the
-\fBstruct hostent\fR
-pointer
-\fIhe\fR.
-Any memory allocated for the
-h_name,
-h_addr_list
-and
-h_aliases
-is freed, as is the memory for the
-\fBhostent\fR
-structure itself.
-.SH "RETURN VALUES"
-.PP
-If an error occurs,
-\fBlwres_getipnodebyname()\fR
-and
-\fBlwres_getipnodebyaddr()\fR
-set
-\fI*error_num\fR
-to an approriate error code and the function returns a
-\fBNULL\fR
-pointer.
-The error codes and their meanings are defined in
-\fI<lwres/netdb.h>\fR:
-.TP
-\fBHOST_NOT_FOUND\fR
-No such host is known.
-.TP
-\fBNO_ADDRESS\fR
-The server recognised the request and the name but no address is
-available. Another type of request to the name server for the
-domain might return an answer.
-.TP
-\fBTRY_AGAIN\fR
-A temporary and possibly transient error occurred, such as a
-failure of a server to respond. The request may succeed if
-retried.
-.TP
-\fBNO_RECOVERY\fR
-An unexpected failure occurred, and retrying the request
-is pointless.
-.PP
-\fBlwres_hstrerror\fR(3)
-translates these error codes to suitable error messages.
-.SH "SEE ALSO"
-.PP
-\fBRFC2553\fR,
-\fBlwres\fR(3),
-\fBlwres_gethostent\fR(3),
-\fBlwres_getaddrinfo\fR(3),
-\fBlwres_getnameinfo\fR(3),
-\fBlwres_hstrerror\fR(3).
diff --git a/lib/liblwres/man/lwres_getipnode.docbook b/lib/liblwres/man/lwres_getipnode.docbook
deleted file mode 100644
index 3d4fa7f15..000000000
--- a/lib/liblwres/man/lwres_getipnode.docbook
+++ /dev/null
@@ -1,307 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_getipnode.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_getipnode</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
-<refnamediv>
-<refname>lwres_getipnodebyname</refname>
-<refname>lwres_getipnodebyaddr</refname>
-<refname>lwres_freehostent</refname>
-<refpurpose>lightweight resolver nodename / address translation API</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_getipnodebyname</function></funcdef>
-<paramdef>const char *name</paramdef>
-<paramdef>int af</paramdef>
-<paramdef>int flags</paramdef>
-<paramdef>int *error_num</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_getipnodebyaddr</function></funcdef>
-<paramdef>const void *src</paramdef>
-<paramdef>size_t len</paramdef>
-<paramdef>int af</paramdef>
-<paramdef>int *error_num</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_freehostent</function></funcdef>
-<paramdef>struct hostent *he</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-
-<para>
-These functions perform thread safe, protocol independent
-nodename-to-address and address-to-nodename
-translation as defined in RFC2553.
-</para>
-
-<para>
-They use a
-<type>struct hostent</type>
-which is defined in
-<filename>namedb.h</filename>:
-<programlisting>
-struct hostent {
- char *h_name; /* official name of host */
- char **h_aliases; /* alias list */
- int h_addrtype; /* host address type */
- int h_length; /* length of address */
- char **h_addr_list; /* list of addresses from name server */
-};
-#define h_addr h_addr_list[0] /* address, for backward compatibility */
-</programlisting>
-</para>
-
-<para>
-The members of this structure are:
-<variablelist>
-<varlistentry><term><constant>h_name</constant></term>
-<listitem>
-<para>
-The official (canonical) name of the host.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_aliases</constant></term>
-<listitem>
-<para>
-A NULL-terminated array of alternate names (nicknames) for the host.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_addrtype</constant></term>
-<listitem>
-<para>
-The type of address being returned - usually
-<type>PF_INET</type>
-or
-<type>PF_INET6</type>.
-
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_length</constant></term>
-<listitem>
-<para>
-The length of the address in bytes.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_addr_list</constant></term>
-<listitem>
-<para>
-A
-<type>NULL</type>
-terminated array of network addresses for the host.
-Host addresses are returned in network byte order.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-<function>lwres_getipnodebyname()</function>
-looks up addresses of protocol family
-<parameter>af</parameter>
-
-for the hostname
-<parameter>name</parameter>.
-
-The
-<parameter>flags</parameter>
-parameter contains ORed flag bits to
-specify the types of addresses that are searched
-for, and the types of addresses that are returned.
-The flag bits are:
-<variablelist>
-<varlistentry><term><constant>AI_V4MAPPED</constant></term>
-<listitem>
-<para>
-This is used with an
-<parameter>af</parameter>
-of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped
-IPv6 addresses.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>AI_ALL</constant></term>
-<listitem>
-<para>
-This is used with an
-<parameter>af</parameter>
-of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned.
-If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped
-IPv6 addresses.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>AI_ADDRCONFIG</constant></term>
-<listitem>
-<para>
-Only return an IPv6 or IPv4 address if here is an active network
-interface of that type. This is not currently implemented
-in the BIND 9 lightweight resolver, and the flag is ignored.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>AI_DEFAULT</constant></term>
-<listitem>
-<para>
-This default sets the
-<constant>AI_V4MAPPED</constant>
-and
-<constant>AI_ADDRCONFIG</constant>
-flag bits.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-<function>lwres_getipnodebyaddr()</function>
-performs a reverse lookup
-of address
-<parameter>src</parameter>
-which is
-<parameter>len</parameter>
-bytes long.
-<parameter>af</parameter>
-denotes the protocol family, typically
-<type>PF_INET</type>
-or
-<type>PF_INET6</type>.
-
-</para>
-<para>
-<function>lwres_freehostent()</function>
-releases all the memory associated with
-the
-<type>struct hostent</type>
-pointer
-<parameter>he</parameter>.
-
-Any memory allocated for the
-<constant>h_name</constant>,
-
-<constant>h_addr_list</constant>
-and
-<constant>h_aliases</constant>
-is freed, as is the memory for the
-<type>hostent</type>
-structure itself.
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-If an error occurs,
-<function>lwres_getipnodebyname()</function>
-and
-<function>lwres_getipnodebyaddr()</function>
-set
-<parameter>*error_num</parameter>
-to an approriate error code and the function returns a
-<type>NULL</type>
-pointer.
-The error codes and their meanings are defined in
-<filename>&lt;lwres/netdb.h&gt;</filename>:
-<variablelist>
-<varlistentry><term><constant>HOST_NOT_FOUND</constant></term>
-<listitem>
-<para>
-No such host is known.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>NO_ADDRESS</constant></term>
-<listitem>
-<para>
-The server recognised the request and the name but no address is
-available. Another type of request to the name server for the
-domain might return an answer.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>TRY_AGAIN</constant></term>
-<listitem>
-<para>
-A temporary and possibly transient error occurred, such as a
-failure of a server to respond. The request may succeed if
-retried.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>NO_RECOVERY</constant></term>
-<listitem>
-<para>
-An unexpected failure occurred, and retrying the request
-is pointless.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-translates these error codes to suitable error messages.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>RFC2553</refentrytitle>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_getipnode.html b/lib/liblwres/man/lwres_getipnode.html
deleted file mode 100644
index d0a71e69d..000000000
--- a/lib/liblwres/man/lwres_getipnode.html
+++ /dev/null
@@ -1,529 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_getipnode</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_getipnode</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent&nbsp;--&nbsp;lightweight resolver nodename / address translation API</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN13"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN14"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/netdb.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->struct hostent *
-lwres_getipnodebyname</CODE
->(const char *name, int af, int flags, int *error_num);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->struct hostent *
-lwres_getipnodebyaddr</CODE
->(const void *src, size_t len, int af, int *error_num);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_freehostent</CODE
->(struct hostent *he);</CODE
-></P
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN34"
-></A
-><H2
->DESCRIPTION</H2
-><P
->These functions perform thread safe, protocol independent
-nodename-to-address and address-to-nodename
-translation as defined in RFC2553.</P
-><P
->They use a
-<SPAN
-CLASS="TYPE"
->struct hostent</SPAN
->
-which is defined in
-<TT
-CLASS="FILENAME"
->namedb.h</TT
->:
-<PRE
-CLASS="PROGRAMLISTING"
->struct hostent {
- char *h_name; /* official name of host */
- char **h_aliases; /* alias list */
- int h_addrtype; /* host address type */
- int h_length; /* length of address */
- char **h_addr_list; /* list of addresses from name server */
-};
-#define h_addr h_addr_list[0] /* address, for backward compatibility */</PRE
-></P
-><P
->The members of this structure are:
-<P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="CONSTANT"
->h_name</TT
-></DT
-><DD
-><P
->The official (canonical) name of the host.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->h_aliases</TT
-></DT
-><DD
-><P
->A NULL-terminated array of alternate names (nicknames) for the host.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->h_addrtype</TT
-></DT
-><DD
-><P
->The type of address being returned - usually
-<SPAN
-CLASS="TYPE"
->PF_INET</SPAN
->
-or
-<SPAN
-CLASS="TYPE"
->PF_INET6</SPAN
->.&#13;</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->h_length</TT
-></DT
-><DD
-><P
->The length of the address in bytes.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->h_addr_list</TT
-></DT
-><DD
-><P
->A
-<SPAN
-CLASS="TYPE"
->NULL</SPAN
->
-terminated array of network addresses for the host.
-Host addresses are returned in network byte order.</P
-></DD
-></DL
-></DIV
-></P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_getipnodebyname()</TT
->
-looks up addresses of protocol family
-<TT
-CLASS="PARAMETER"
-><I
->af</I
-></TT
->
-
-for the hostname
-<TT
-CLASS="PARAMETER"
-><I
->name</I
-></TT
->.
-
-The
-<TT
-CLASS="PARAMETER"
-><I
->flags</I
-></TT
->
-parameter contains ORed flag bits to
-specify the types of addresses that are searched
-for, and the types of addresses that are returned.
-The flag bits are:
-<P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="CONSTANT"
->AI_V4MAPPED</TT
-></DT
-><DD
-><P
->This is used with an
-<TT
-CLASS="PARAMETER"
-><I
->af</I
-></TT
->
-of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped
-IPv6 addresses.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->AI_ALL</TT
-></DT
-><DD
-><P
->This is used with an
-<TT
-CLASS="PARAMETER"
-><I
->af</I
-></TT
->
-of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned.
-If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped
-IPv6 addresses.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->AI_ADDRCONFIG</TT
-></DT
-><DD
-><P
->Only return an IPv6 or IPv4 address if here is an active network
-interface of that type. This is not currently implemented
-in the BIND 9 lightweight resolver, and the flag is ignored.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->AI_DEFAULT</TT
-></DT
-><DD
-><P
->This default sets the
-<TT
-CLASS="CONSTANT"
->AI_V4MAPPED</TT
->
-and
-<TT
-CLASS="CONSTANT"
->AI_ADDRCONFIG</TT
->
-flag bits.</P
-></DD
-></DL
-></DIV
-></P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_getipnodebyaddr()</TT
->
-performs a reverse lookup
-of address
-<TT
-CLASS="PARAMETER"
-><I
->src</I
-></TT
->
-which is
-<TT
-CLASS="PARAMETER"
-><I
->len</I
-></TT
->
-bytes long.
-<TT
-CLASS="PARAMETER"
-><I
->af</I
-></TT
->
-denotes the protocol family, typically
-<SPAN
-CLASS="TYPE"
->PF_INET</SPAN
->
-or
-<SPAN
-CLASS="TYPE"
->PF_INET6</SPAN
->.&#13;</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_freehostent()</TT
->
-releases all the memory associated with
-the
-<SPAN
-CLASS="TYPE"
->struct hostent</SPAN
->
-pointer
-<TT
-CLASS="PARAMETER"
-><I
->he</I
-></TT
->.
-
-Any memory allocated for the
-<TT
-CLASS="CONSTANT"
->h_name</TT
->,
-
-<TT
-CLASS="CONSTANT"
->h_addr_list</TT
->
-and
-<TT
-CLASS="CONSTANT"
->h_aliases</TT
->
-is freed, as is the memory for the
-<SPAN
-CLASS="TYPE"
->hostent</SPAN
->
-structure itself.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN116"
-></A
-><H2
->RETURN VALUES</H2
-><P
->If an error occurs,
-<TT
-CLASS="FUNCTION"
->lwres_getipnodebyname()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_getipnodebyaddr()</TT
->
-set
-<TT
-CLASS="PARAMETER"
-><I
->*error_num</I
-></TT
->
-to an approriate error code and the function returns a
-<SPAN
-CLASS="TYPE"
->NULL</SPAN
->
-pointer.
-The error codes and their meanings are defined in
-<TT
-CLASS="FILENAME"
->&lt;lwres/netdb.h&gt;</TT
->:
-<P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="CONSTANT"
->HOST_NOT_FOUND</TT
-></DT
-><DD
-><P
->No such host is known.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->NO_ADDRESS</TT
-></DT
-><DD
-><P
->The server recognised the request and the name but no address is
-available. Another type of request to the name server for the
-domain might return an answer.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->TRY_AGAIN</TT
-></DT
-><DD
-><P
->A temporary and possibly transient error occurred, such as a
-failure of a server to respond. The request may succeed if
-retried.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->NO_RECOVERY</TT
-></DT
-><DD
-><P
->An unexpected failure occurred, and retrying the request
-is pointless.</P
-></DD
-></DL
-></DIV
-></P
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_hstrerror</SPAN
->(3)</SPAN
->
-translates these error codes to suitable error messages.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN149"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->RFC2553</SPAN
-></SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_gethostent</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_getaddrinfo</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_getnameinfo</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_hstrerror</SPAN
->(3)</SPAN
->.</P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_getnameinfo.3 b/lib/liblwres/man/lwres_getnameinfo.3
deleted file mode 100644
index 61f3ba426..000000000
--- a/lib/liblwres/man/lwres_getnameinfo.3
+++ /dev/null
@@ -1,84 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_GETNAMEINFO" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres_getnameinfo \- lightweight resolver socket address structure to hostname and service name
-.SH SYNOPSIS
-\fB#include <lwres/netdb.h>
-.sp
-.na
-int
-lwres_getnameinfo(const struct sockaddr *sa, size_t salen, char *host, size_t hostlen, char *serv, size_t servlen, int flags);
-.ad
-\fR.SH "DESCRIPTION"
-.PP
-This function is equivalent to the \fBgetnameinfo\fR(3) function defined in RFC2133.
-\fBlwres_getnameinfo()\fR returns the hostname for the
-\fBstruct sockaddr\fR \fIsa\fR which is
-\fIsalen\fR bytes long. The hostname is of length
-\fIhostlen\fR and is returned via
-\fI*host.\fR The maximum length of the hostname is
-1025 bytes: NI_MAXHOST.
-.PP
-The name of the service associated with the port number in
-\fIsa\fR is returned in \fI*serv.\fR
-It is \fIservlen\fR bytes long. The maximum length
-of the service name is NI_MAXSERV - 32 bytes.
-.PP
-The \fIflags\fR argument sets the following
-bits:
-.TP
-\fBNI_NOFQDN\fR
-A fully qualified domain name is not required for local hosts.
-The local part of the fully qualified domain name is returned instead.
-.TP
-\fBNI_NUMERICHOST\fR
-Return the address in numeric form, as if calling inet_ntop(),
-instead of a host name.
-.TP
-\fBNI_NAMEREQD\fR
-A name is required. If the hostname cannot be found in the DNS and
-this flag is set, a non-zero error code is returned.
-If the hostname is not found and the flag is not set, the
-address is returned in numeric form.
-.TP
-\fBNI_NUMERICSERV\fR
-The service name is returned as a digit string representing the port number.
-.TP
-\fBNI_DGRAM\fR
-Specifies that the service being looked up is a datagram
-service, and causes getservbyport() to be called with a second
-argument of "udp" instead of its default of "tcp". This is required
-for the few ports (512-514) that have different services for UDP and
-TCP.
-.SH "RETURN VALUES"
-.PP
-\fBlwres_getnameinfo()\fR
-returns 0 on success or a non-zero error code if an error occurs.
-.SH "SEE ALSO"
-.PP
-\fBRFC2133\fR,
-\fBgetservbyport\fR(3),
-\fBlwres\fR(3),
-\fBlwres_getnameinfo\fR(3),
-\fBlwres_getnamebyaddr\fR(3).
-\fBlwres_net_ntop\fR(3).
-.SH "BUGS"
-.PP
-RFC2133 fails to define what the nonzero return values of
-\fBgetnameinfo\fR(3)
-are.
diff --git a/lib/liblwres/man/lwres_getnameinfo.docbook b/lib/liblwres/man/lwres_getnameinfo.docbook
deleted file mode 100644
index 56bcd8b9f..000000000
--- a/lib/liblwres/man/lwres_getnameinfo.docbook
+++ /dev/null
@@ -1,154 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_getnameinfo.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_getnameinfo</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
-<refnamediv>
-<refname>lwres_getnameinfo</refname>
-<refpurpose>lightweight resolver socket address structure to hostname and service name</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-int
-<function>lwres_getnameinfo</function></funcdef>
-<paramdef>const struct sockaddr *sa</paramdef>
-<paramdef>size_t salen</paramdef>
-<paramdef>char *host</paramdef>
-<paramdef>size_t hostlen</paramdef>
-<paramdef>char *serv</paramdef>
-<paramdef>size_t servlen</paramdef>
-<paramdef>int flags</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-
-<para> This function is equivalent to the <citerefentry>
-<refentrytitle>getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry> function defined in RFC2133.
-<function>lwres_getnameinfo()</function> returns the hostname for the
-<type>struct sockaddr</type> <parameter>sa</parameter> which is
-<parameter>salen</parameter> bytes long. The hostname is of length
-<parameter>hostlen</parameter> and is returned via
-<parameter>*host.</parameter> The maximum length of the hostname is
-1025 bytes: <constant>NI_MAXHOST</constant>.</para>
-
-<para> The name of the service associated with the port number in
-<parameter>sa</parameter> is returned in <parameter>*serv.</parameter>
-It is <parameter>servlen</parameter> bytes long. The maximum length
-of the service name is <constant>NI_MAXSERV</constant> - 32 bytes.
-</para>
-
-<para> The <parameter>flags</parameter> argument sets the following
-bits:
-<variablelist>
-<varlistentry><term><constant>NI_NOFQDN</constant></term>
-<listitem>
-<para>
-A fully qualified domain name is not required for local hosts.
-The local part of the fully qualified domain name is returned instead.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>NI_NUMERICHOST</constant></term>
-<listitem>
-<para>
-Return the address in numeric form, as if calling inet_ntop(),
-instead of a host name.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>NI_NAMEREQD</constant></term>
-<listitem>
-<para>
-A name is required. If the hostname cannot be found in the DNS and
-this flag is set, a non-zero error code is returned.
-If the hostname is not found and the flag is not set, the
-address is returned in numeric form.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>NI_NUMERICSERV</constant></term>
-<listitem>
-<para>
-The service name is returned as a digit string representing the port number.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>NI_DGRAM</constant></term>
-<listitem>
-<para>
-Specifies that the service being looked up is a datagram
-service, and causes getservbyport() to be called with a second
-argument of "udp" instead of its default of "tcp". This is required
-for the few ports (512-514) that have different services for UDP and
-TCP.
-</para></listitem></varlistentry>
-</variablelist>
-</para>
-</refsect1>
-
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_getnameinfo()</function>
-returns 0 on success or a non-zero error code if an error occurs.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>RFC2133</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>getservbyport</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>lwres_getnamebyaddr</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-<citerefentry>
-<refentrytitle>lwres_net_ntop</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</refsect1>
-<refsect1>
-<title>BUGS</title>
-<para>
-RFC2133 fails to define what the nonzero return values of
-<citerefentry>
-<refentrytitle>getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>
-are.
-</para>
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_getnameinfo.html b/lib/liblwres/man/lwres_getnameinfo.html
deleted file mode 100644
index b98a92848..000000000
--- a/lib/liblwres/man/lwres_getnameinfo.html
+++ /dev/null
@@ -1,303 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_getnameinfo</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_getnameinfo</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_getnameinfo&nbsp;--&nbsp;lightweight resolver socket address structure to hostname and service name</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN11"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN12"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/netdb.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->int
-lwres_getnameinfo</CODE
->(const struct sockaddr *sa, size_t salen, char *host, size_t hostlen, char *serv, size_t servlen, int flags);</CODE
-></P
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN24"
-></A
-><H2
->DESCRIPTION</H2
-><P
-> This function is equivalent to the <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->getnameinfo</SPAN
->(3)</SPAN
-> function defined in RFC2133.
-<TT
-CLASS="FUNCTION"
->lwres_getnameinfo()</TT
-> returns the hostname for the
-<SPAN
-CLASS="TYPE"
->struct sockaddr</SPAN
-> <TT
-CLASS="PARAMETER"
-><I
->sa</I
-></TT
-> which is
-<TT
-CLASS="PARAMETER"
-><I
->salen</I
-></TT
-> bytes long. The hostname is of length
-<TT
-CLASS="PARAMETER"
-><I
->hostlen</I
-></TT
-> and is returned via
-<TT
-CLASS="PARAMETER"
-><I
->*host.</I
-></TT
-> The maximum length of the hostname is
-1025 bytes: <TT
-CLASS="CONSTANT"
->NI_MAXHOST</TT
->.</P
-><P
-> The name of the service associated with the port number in
-<TT
-CLASS="PARAMETER"
-><I
->sa</I
-></TT
-> is returned in <TT
-CLASS="PARAMETER"
-><I
->*serv.</I
-></TT
->
-It is <TT
-CLASS="PARAMETER"
-><I
->servlen</I
-></TT
-> bytes long. The maximum length
-of the service name is <TT
-CLASS="CONSTANT"
->NI_MAXSERV</TT
-> - 32 bytes.</P
-><P
-> The <TT
-CLASS="PARAMETER"
-><I
->flags</I
-></TT
-> argument sets the following
-bits:
-<P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="CONSTANT"
->NI_NOFQDN</TT
-></DT
-><DD
-><P
->A fully qualified domain name is not required for local hosts.
-The local part of the fully qualified domain name is returned instead.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->NI_NUMERICHOST</TT
-></DT
-><DD
-><P
->Return the address in numeric form, as if calling inet_ntop(),
-instead of a host name.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->NI_NAMEREQD</TT
-></DT
-><DD
-><P
->A name is required. If the hostname cannot be found in the DNS and
-this flag is set, a non-zero error code is returned.
-If the hostname is not found and the flag is not set, the
-address is returned in numeric form.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->NI_NUMERICSERV</TT
-></DT
-><DD
-><P
->The service name is returned as a digit string representing the port number.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->NI_DGRAM</TT
-></DT
-><DD
-><P
->Specifies that the service being looked up is a datagram
-service, and causes getservbyport() to be called with a second
-argument of "udp" instead of its default of "tcp". This is required
-for the few ports (512-514) that have different services for UDP and
-TCP.</P
-></DD
-></DL
-></DIV
-></P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN70"
-></A
-><H2
->RETURN VALUES</H2
-><P
-><TT
-CLASS="FUNCTION"
->lwres_getnameinfo()</TT
->
-returns 0 on success or a non-zero error code if an error occurs.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN74"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->RFC2133</SPAN
-></SPAN
->,
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->getservbyport</SPAN
->(3)</SPAN
->,
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres</SPAN
->(3)</SPAN
->,
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_getnameinfo</SPAN
->(3)</SPAN
->,
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_getnamebyaddr</SPAN
->(3)</SPAN
->.
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_net_ntop</SPAN
->(3)</SPAN
->.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN94"
-></A
-><H2
->BUGS</H2
-><P
->RFC2133 fails to define what the nonzero return values of
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->getnameinfo</SPAN
->(3)</SPAN
->
-are.</P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_getrrsetbyname.3 b/lib/liblwres/man/lwres_getrrsetbyname.3
deleted file mode 100644
index 301630e23..000000000
--- a/lib/liblwres/man/lwres_getrrsetbyname.3
+++ /dev/null
@@ -1,142 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_GETRRSETBYNAME" "3" "Oct 18, 2000" "BIND9" ""
-.SH NAME
-lwres_getrrsetbyname, lwres_freerrset \- retrieve DNS records
-.SH SYNOPSIS
-\fB#include <lwres/netdb.h>
-.sp
-.na
-int
-lwres_getrrsetbyname(const char *hostname, unsigned int rdclass, unsigned int rdtype, unsigned int flags, struct rrsetinfo **res);
-.ad
-.sp
-.na
-void
-lwres_freerrset(struct rrsetinfo *rrset);
-.ad
-\fR.PP
-The following structures are used:
-.sp
-.nf
-struct rdatainfo {
- unsigned int rdi_length; /* length of data */
- unsigned char *rdi_data; /* record data */
-};
-
-struct rrsetinfo {
- unsigned int rri_flags; /* RRSET_VALIDATED... */
- unsigned int rri_rdclass; /* class number */
- unsigned int rri_rdtype; /* RR type number */
- unsigned int rri_ttl; /* time to live */
- unsigned int rri_nrdatas; /* size of rdatas array */
- unsigned int rri_nsigs; /* size of sigs array */
- char *rri_name; /* canonical name */
- struct rdatainfo *rri_rdatas; /* individual records */
- struct rdatainfo *rri_sigs; /* individual signatures */
-};
-.sp
-.fi
-.SH "DESCRIPTION"
-.PP
-\fBlwres_getrrsetbyname()\fR
-gets a set of resource records associated with a
-\fIhostname\fR,
-\fIclass\fR,
-and
-\fItype\fR.
-\fIhostname\fR
-is
-a pointer a to null-terminated string. The
-\fIflags\fR
-field is currently unused and must be zero.
-.PP
-After a successful call to
-\fBlwres_getrrsetbyname()\fR,
-\fI*res\fR
-is a pointer to an
-\fBrrsetinfo\fR
-structure, containing a list of one or more
-\fBrdatainfo\fR
-structures containing resource records and potentially another list of
-\fBrdatainfo\fR
-structures containing SIG resource records
-associated with those records.
-The members
-rri_rdclass
-and
-rri_rdtype
-are copied from the parameters.
-rri_ttl
-and
-rri_name
-are properties of the obtained rrset.
-The resource records contained in
-rri_rdatas
-and
-rri_sigs
-are in uncompressed DNS wire format.
-Properties of the rdataset are represented in the
-rri_flags
-bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC
-validated and the signatures verified.
-.PP
-All of the information returned by
-\fBlwres_getrrsetbyname()\fR
-is dynamically allocated: the
-rrsetinfo
-and
-rdatainfo
-structures,
-and the canonical host name strings pointed to by the
-rrsetinfostructure.
-Memory allocated for the dynamically allocated structures created by
-a successful call to
-\fBlwres_getrrsetbyname()\fR
-is released by
-\fBlwres_freerrset()\fR.
-\fIrrset\fR
-is a pointer to a
-\fBstruct rrset\fR
-created by a call to
-\fBlwres_getrrsetbyname()\fR.
-.PP
-.SH "RETURN VALUES"
-.PP
-\fBlwres_getrrsetbyname()\fR
-returns zero on success, and one of the following error
-codes if an error occurred:
-.TP
-\fBERRSET_NONAME\fR
-the name does not exist
-.TP
-\fBERRSET_NODATA\fR
-the name exists, but does not have data of the desired type
-.TP
-\fBERRSET_NOMEMORY\fR
-memory could not be allocated
-.TP
-\fBERRSET_INVAL\fR
-a parameter is invalid
-.TP
-\fBERRSET_FAIL\fR
-other failure
-.TP
-\fB\fR
-.SH "SEE ALSO"
-.PP
-\fBlwres\fR(3).
diff --git a/lib/liblwres/man/lwres_getrrsetbyname.docbook b/lib/liblwres/man/lwres_getrrsetbyname.docbook
deleted file mode 100644
index 9151c9c57..000000000
--- a/lib/liblwres/man/lwres_getrrsetbyname.docbook
+++ /dev/null
@@ -1,208 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_getrrsetbyname.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-<refentryinfo>
-
-
-<date>Oct 18, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres_getrrsetbyname</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-<refnamediv>
-<refname>lwres_getrrsetbyname</refname>
-<refname>lwres_freerrset</refname>
-<refpurpose>retrieve DNS records</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-int
-<function>lwres_getrrsetbyname</function></funcdef>
-<paramdef>const char *hostname</paramdef>
-<paramdef>unsigned int rdclass</paramdef>
-<paramdef>unsigned int rdtype</paramdef>
-<paramdef>unsigned int flags</paramdef>
-<paramdef>struct rrsetinfo **res</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_freerrset</function></funcdef>
-<paramdef>struct rrsetinfo *rrset</paramdef>
-</funcprototype>
-</funcsynopsis>
-
-<para>
-The following structures are used:
-<programlisting>
-struct rdatainfo {
- unsigned int rdi_length; /* length of data */
- unsigned char *rdi_data; /* record data */
-};
-
-struct rrsetinfo {
- unsigned int rri_flags; /* RRSET_VALIDATED... */
- unsigned int rri_rdclass; /* class number */
- unsigned int rri_rdtype; /* RR type number */
- unsigned int rri_ttl; /* time to live */
- unsigned int rri_nrdatas; /* size of rdatas array */
- unsigned int rri_nsigs; /* size of sigs array */
- char *rri_name; /* canonical name */
- struct rdatainfo *rri_rdatas; /* individual records */
- struct rdatainfo *rri_sigs; /* individual signatures */
-};
-</programlisting>
-</para>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_getrrsetbyname()</function>
-gets a set of resource records associated with a
-<parameter>hostname</parameter>,
-
-<parameter>class</parameter>,
-
-and
-<parameter>type</parameter>.
-
-<parameter>hostname</parameter>
-is
-a pointer a to null-terminated string. The
-<parameter>flags</parameter>
-field is currently unused and must be zero.
-</para>
-<para>
-After a successful call to
-<function>lwres_getrrsetbyname()</function>,
-
-<parameter>*res</parameter>
-is a pointer to an
-<type>rrsetinfo</type>
-structure, containing a list of one or more
-<type>rdatainfo</type>
-structures containing resource records and potentially another list of
-<type>rdatainfo</type>
-structures containing SIG resource records
-associated with those records.
-The members
-<constant>rri_rdclass</constant>
-and
-<constant>rri_rdtype</constant>
-are copied from the parameters.
-<constant>rri_ttl</constant>
-and
-<constant>rri_name</constant>
-are properties of the obtained rrset.
-The resource records contained in
-<constant>rri_rdatas</constant>
-and
-<constant>rri_sigs</constant>
-are in uncompressed DNS wire format.
-Properties of the rdataset are represented in the
-<constant>rri_flags</constant>
-bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC
-validated and the signatures verified.
-</para>
-<para>
-All of the information returned by
-<function>lwres_getrrsetbyname()</function>
-is dynamically allocated: the
-<constant>rrsetinfo</constant>
-and
-<constant>rdatainfo</constant>
-structures,
-and the canonical host name strings pointed to by the
-<constant>rrsetinfo</constant>structure.
-
-Memory allocated for the dynamically allocated structures created by
-a successful call to
-<function>lwres_getrrsetbyname()</function>
-is released by
-<function>lwres_freerrset()</function>.
-
-<parameter>rrset</parameter>
-is a pointer to a
-<type>struct rrset</type>
-created by a call to
-<function>lwres_getrrsetbyname()</function>.
-
-</para>
-<para>
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_getrrsetbyname()</function>
-returns zero on success, and one of the following error
-codes if an error occurred:
-<variablelist>
-
-<varlistentry><term><constant>ERRSET_NONAME</constant></term>
-<listitem><para>
-the name does not exist
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ERRSET_NODATA</constant></term>
-<listitem><para>
-the name exists, but does not have data of the desired type
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ERRSET_NOMEMORY</constant></term>
-<listitem><para>
-memory could not be allocated
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ERRSET_INVAL</constant></term>
-<listitem><para>
-a parameter is invalid
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ERRSET_FAIL</constant></term>
-<listitem><para>
-other failure
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant></constant></term>
-<listitem><para>
-</para></listitem></varlistentry>
-
-</variablelist>
-
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_getrrsetbyname.html b/lib/liblwres/man/lwres_getrrsetbyname.html
deleted file mode 100644
index 3e5ab615c..000000000
--- a/lib/liblwres/man/lwres_getrrsetbyname.html
+++ /dev/null
@@ -1,371 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_getrrsetbyname</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_getrrsetbyname</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_getrrsetbyname, lwres_freerrset&nbsp;--&nbsp;retrieve DNS records</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN12"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN13"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/netdb.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->int
-lwres_getrrsetbyname</CODE
->(const char *hostname, unsigned int rdclass, unsigned int rdtype, unsigned int flags, struct rrsetinfo **res);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_freerrset</CODE
->(struct rrsetinfo *rrset);</CODE
-></P
-><P
-></P
-></DIV
-><P
->The following structures are used:
-<PRE
-CLASS="PROGRAMLISTING"
->struct rdatainfo {
- unsigned int rdi_length; /* length of data */
- unsigned char *rdi_data; /* record data */
-};
-
-struct rrsetinfo {
- unsigned int rri_flags; /* RRSET_VALIDATED... */
- unsigned int rri_rdclass; /* class number */
- unsigned int rri_rdtype; /* RR type number */
- unsigned int rri_ttl; /* time to live */
- unsigned int rri_nrdatas; /* size of rdatas array */
- unsigned int rri_nsigs; /* size of sigs array */
- char *rri_name; /* canonical name */
- struct rdatainfo *rri_rdatas; /* individual records */
- struct rdatainfo *rri_sigs; /* individual signatures */
-};</PRE
-></P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN29"
-></A
-><H2
->DESCRIPTION</H2
-><P
-><TT
-CLASS="FUNCTION"
->lwres_getrrsetbyname()</TT
->
-gets a set of resource records associated with a
-<TT
-CLASS="PARAMETER"
-><I
->hostname</I
-></TT
->,
-
-<TT
-CLASS="PARAMETER"
-><I
->class</I
-></TT
->,
-
-and
-<TT
-CLASS="PARAMETER"
-><I
->type</I
-></TT
->.
-
-<TT
-CLASS="PARAMETER"
-><I
->hostname</I
-></TT
->
-is
-a pointer a to null-terminated string. The
-<TT
-CLASS="PARAMETER"
-><I
->flags</I
-></TT
->
-field is currently unused and must be zero.</P
-><P
->After a successful call to
-<TT
-CLASS="FUNCTION"
->lwres_getrrsetbyname()</TT
->,
-
-<TT
-CLASS="PARAMETER"
-><I
->*res</I
-></TT
->
-is a pointer to an
-<SPAN
-CLASS="TYPE"
->rrsetinfo</SPAN
->
-structure, containing a list of one or more
-<SPAN
-CLASS="TYPE"
->rdatainfo</SPAN
->
-structures containing resource records and potentially another list of
-<SPAN
-CLASS="TYPE"
->rdatainfo</SPAN
->
-structures containing SIG resource records
-associated with those records.
-The members
-<TT
-CLASS="CONSTANT"
->rri_rdclass</TT
->
-and
-<TT
-CLASS="CONSTANT"
->rri_rdtype</TT
->
-are copied from the parameters.
-<TT
-CLASS="CONSTANT"
->rri_ttl</TT
->
-and
-<TT
-CLASS="CONSTANT"
->rri_name</TT
->
-are properties of the obtained rrset.
-The resource records contained in
-<TT
-CLASS="CONSTANT"
->rri_rdatas</TT
->
-and
-<TT
-CLASS="CONSTANT"
->rri_sigs</TT
->
-are in uncompressed DNS wire format.
-Properties of the rdataset are represented in the
-<TT
-CLASS="CONSTANT"
->rri_flags</TT
->
-bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC
-validated and the signatures verified. </P
-><P
->All of the information returned by
-<TT
-CLASS="FUNCTION"
->lwres_getrrsetbyname()</TT
->
-is dynamically allocated: the
-<TT
-CLASS="CONSTANT"
->rrsetinfo</TT
->
-and
-<TT
-CLASS="CONSTANT"
->rdatainfo</TT
->
-structures,
-and the canonical host name strings pointed to by the
-<TT
-CLASS="CONSTANT"
->rrsetinfo</TT
->structure.
-
-Memory allocated for the dynamically allocated structures created by
-a successful call to
-<TT
-CLASS="FUNCTION"
->lwres_getrrsetbyname()</TT
->
-is released by
-<TT
-CLASS="FUNCTION"
->lwres_freerrset()</TT
->.
-
-<TT
-CLASS="PARAMETER"
-><I
->rrset</I
-></TT
->
-is a pointer to a
-<SPAN
-CLASS="TYPE"
->struct rrset</SPAN
->
-created by a call to
-<TT
-CLASS="FUNCTION"
->lwres_getrrsetbyname()</TT
->.&#13;</P
-><P
-></P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN62"
-></A
-><H2
->RETURN VALUES</H2
-><P
-><TT
-CLASS="FUNCTION"
->lwres_getrrsetbyname()</TT
->
-returns zero on success, and one of the following error
-codes if an error occurred:
-<P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="CONSTANT"
->ERRSET_NONAME</TT
-></DT
-><DD
-><P
->the name does not exist</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->ERRSET_NODATA</TT
-></DT
-><DD
-><P
->the name exists, but does not have data of the desired type</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->ERRSET_NOMEMORY</TT
-></DT
-><DD
-><P
->memory could not be allocated</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->ERRSET_INVAL</TT
-></DT
-><DD
-><P
->a parameter is invalid</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->ERRSET_FAIL</TT
-></DT
-><DD
-><P
->other failure</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
-></TT
-></DT
-><DD
-><P
-></P
-></DD
-></DL
-></DIV
->&#13;</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN97"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres</SPAN
->(3)</SPAN
->.</P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_gnba.3 b/lib/liblwres/man/lwres_gnba.3
deleted file mode 100644
index 515224f77..000000000
--- a/lib/liblwres/man/lwres_gnba.3
+++ /dev/null
@@ -1,186 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_GNBA" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free \- lightweight resolver getnamebyaddress message handling
-.SH SYNOPSIS
-\fB#include <lwres/lwres.h>
-.sp
-.na
-lwres_result_t
-lwres_gnbarequest_render(lwres_context_t *\fIctx\fB, lwres_gnbarequest_t *\fIreq\fB, lwres_lwpacket_t *\fIpkt\fB, lwres_buffer_t *\fIb\fB);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gnbaresponse_t **structp);
-.ad
-.sp
-.na
-void
-lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp);
-.ad
-.sp
-.na
-void
-lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp);
-.ad
-\fR.SH "DESCRIPTION"
-.PP
-These are low-level routines for creating and parsing
-lightweight resolver address-to-name lookup request and
-response messages.
-.PP
-There are four main functions for the getnamebyaddr opcode.
-One render function converts a getnamebyaddr request structure \(em
-\fBlwres_gnbarequest_t\fR \(em
-to the lightweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a getnamebyaddr request structure.
-Another render function converts the getnamebyaddr response structure \(em
-\fBlwres_gnbaresponse_t\fR
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a getnamebyaddr response structure.
-.PP
-These structures are defined in
-\fIlwres/lwres.h\fR.
-They are shown below.
-.sp
-.nf
-#define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_addr_t addr;
-} lwres_gnbarequest_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- void *base;
- size_t baselen;
-} lwres_gnbaresponse_t;
-.sp
-.fi
-.PP
-\fBlwres_gnbarequest_render()\fR
-uses resolver context
-ctx
-to convert getnamebyaddr request structure
-req
-to canonical format.
-The packet header structure
-pkt
-is initialised and transferred to
-buffer
-b.
-The contents of
-*req
-are then appended to the buffer in canonical format.
-\fBlwres_gnbaresponse_render()\fR
-performs the same task, except it converts a getnamebyaddr response structure
-\fBlwres_gnbaresponse_t\fR
-to the lightweight resolver's canonical format.
-.PP
-\fBlwres_gnbarequest_parse()\fR
-uses context
-ctx
-to convert the contents of packet
-pkt
-to a
-\fBlwres_gnbarequest_t\fR
-structure.
-Buffer
-b
-provides space to be used for storing this structure.
-When the function succeeds, the resulting
-\fBlwres_gnbarequest_t\fR
-is made available through
-*structp.
-\fBlwres_gnbaresponse_parse()\fR
-offers the same semantics as
-\fBlwres_gnbarequest_parse()\fR
-except it yields a
-\fBlwres_gnbaresponse_t\fR
-structure.
-.PP
-\fBlwres_gnbaresponse_free()\fR
-and
-\fBlwres_gnbarequest_free()\fR
-release the memory in resolver context
-ctx
-that was allocated to the
-\fBlwres_gnbaresponse_t\fR
-or
-\fBlwres_gnbarequest_t\fR
-structures referenced via
-structp.
-Any memory associated with ancillary buffers and strings for those
-structures is also discarded.
-.SH "RETURN VALUES"
-.PP
-The getnamebyaddr opcode functions
-\fBlwres_gnbarequest_render()\fR,
-\fBlwres_gnbaresponse_render()\fR
-\fBlwres_gnbarequest_parse()\fR
-and
-\fBlwres_gnbaresponse_parse()\fR
-all return
-LWRES_R_SUCCESS
-on success.
-They return
-LWRES_R_NOMEMORY
-if memory allocation fails.
-LWRES_R_UNEXPECTEDEND
-is returned if the available space in the buffer
-b
-is too small to accommodate the packet header or the
-\fBlwres_gnbarequest_t\fR
-and
-\fBlwres_gnbaresponse_t\fR
-structures.
-\fBlwres_gnbarequest_parse()\fR
-and
-\fBlwres_gnbaresponse_parse()\fR
-will return
-LWRES_R_UNEXPECTEDEND
-if the buffer is not empty after decoding the received packet.
-These functions will return
-LWRES_R_FAILURE
-if
-\fBpktflags\fR
-in the packet header structure
-\fBlwres_lwpacket_t\fR
-indicate that the packet is not a response to an earlier query.
-.SH "SEE ALSO"
-.PP
-\fBlwres_packet\fR(3).
diff --git a/lib/liblwres/man/lwres_gnba.docbook b/lib/liblwres/man/lwres_gnba.docbook
deleted file mode 100644
index 525452085..000000000
--- a/lib/liblwres/man/lwres_gnba.docbook
+++ /dev/null
@@ -1,259 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_gnba.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_gnba</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
-<refnamediv>
-<refname>lwres_gnbarequest_render</refname>
-<refname>lwres_gnbaresponse_render</refname>
-<refname>lwres_gnbarequest_parse</refname>
-<refname>lwres_gnbaresponse_parse</refname>
-<refname>lwres_gnbaresponse_free</refname>
-<refname>lwres_gnbarequest_free</refname>
-<refpurpose>lightweight resolver getnamebyaddress message handling</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-
-<funcsynopsis>
-<funcsynopsisinfo>
-#include &lt;lwres/lwres.h&gt;
-</funcsynopsisinfo>
-
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gnbarequest_render</function>
-</funcdef>
-<paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-<paramdef>lwres_gnbarequest_t *<parameter>req</parameter></paramdef>
-<paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-<paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gnbaresponse_render</function>
-</funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gnbaresponse_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gnbarequest_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_gnbarequest_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gnbaresponse_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_gnbaresponse_t **structp</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_gnbaresponse_free</function>
-</funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gnbaresponse_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_gnbarequest_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gnbarequest_t **structp</paramdef>
-</funcprototype>
-</funcsynopsis>
-
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These are low-level routines for creating and parsing
-lightweight resolver address-to-name lookup request and
-response messages.
-</para>
-<para>
-There are four main functions for the getnamebyaddr opcode.
-One render function converts a getnamebyaddr request structure &mdash;
-<type>lwres_gnbarequest_t</type> &mdash;
-to the lightweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a getnamebyaddr request structure.
-Another render function converts the getnamebyaddr response structure &mdash;
-<type>lwres_gnbaresponse_t</type>
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a getnamebyaddr response structure.
-</para>
-<para>
-These structures are defined in
-<filename>lwres/lwres.h</filename>.
-They are shown below.
-<programlisting>
-#define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_addr_t addr;
-} lwres_gnbarequest_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- void *base;
- size_t baselen;
-} lwres_gnbaresponse_t;
-</programlisting>
-</para>
-<para>
-<function>lwres_gnbarequest_render()</function>
-uses resolver context
-<varname>ctx</varname>
-to convert getnamebyaddr request structure
-<varname>req</varname>
-to canonical format.
-The packet header structure
-<varname>pkt</varname>
-is initialised and transferred to
-buffer
-<varname>b</varname>.
-The contents of
-<varname>*req</varname>
-are then appended to the buffer in canonical format.
-<function>lwres_gnbaresponse_render()</function>
-performs the same task, except it converts a getnamebyaddr response structure
-<type>lwres_gnbaresponse_t</type>
-to the lightweight resolver's canonical format.
-</para>
-<para>
-<function>lwres_gnbarequest_parse()</function>
-uses context
-<varname>ctx</varname>
-to convert the contents of packet
-<varname>pkt</varname>
-to a
-<type>lwres_gnbarequest_t</type>
-structure.
-Buffer
-<varname>b</varname>
-provides space to be used for storing this structure.
-When the function succeeds, the resulting
-<type>lwres_gnbarequest_t</type>
-is made available through
-<varname>*structp</varname>.
-<function>lwres_gnbaresponse_parse()</function>
-offers the same semantics as
-<function>lwres_gnbarequest_parse()</function>
-except it yields a
-<type>lwres_gnbaresponse_t</type>
-structure.
-</para>
-<para>
-<function>lwres_gnbaresponse_free()</function>
-and
-<function>lwres_gnbarequest_free()</function>
-release the memory in resolver context
-<varname>ctx</varname>
-that was allocated to the
-<type>lwres_gnbaresponse_t</type>
-or
-<type>lwres_gnbarequest_t</type>
-structures referenced via
-<varname>structp</varname>.
-Any memory associated with ancillary buffers and strings for those
-structures is also discarded.
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The getnamebyaddr opcode functions
-<function>lwres_gnbarequest_render()</function>,
-<function>lwres_gnbaresponse_render()</function>
-<function>lwres_gnbarequest_parse()</function>
-and
-<function>lwres_gnbaresponse_parse()</function>
-all return
-<errorcode>LWRES_R_SUCCESS</errorcode>
-on success.
-They return
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-if memory allocation fails.
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-is returned if the available space in the buffer
-<varname>b</varname>
-is too small to accommodate the packet header or the
-<type>lwres_gnbarequest_t</type>
-and
-<type>lwres_gnbaresponse_t</type>
-structures.
-<function>lwres_gnbarequest_parse()</function>
-and
-<function>lwres_gnbaresponse_parse()</function>
-will return
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<errorcode>LWRES_R_FAILURE</errorcode>
-if
-<structfield>pktflags</structfield>
-in the packet header structure
-<type>lwres_lwpacket_t</type>
-indicate that the packet is not a response to an earlier query.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_packet</refentrytitle>
-<manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_gnba.html b/lib/liblwres/man/lwres_gnba.html
deleted file mode 100644
index 98cc04dd6..000000000
--- a/lib/liblwres/man/lwres_gnba.html
+++ /dev/null
@@ -1,408 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_gnba</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_gnba</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free&nbsp;--&nbsp;lightweight resolver getnamebyaddress message handling</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN16"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN17"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/lwres.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_gnbarequest_render</CODE
->(lwres_context_t *ctx, lwres_gnbarequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_gnbaresponse_render</CODE
->(lwres_context_t *ctx, lwres_gnbaresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_gnbarequest_parse</CODE
->(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_gnbaresponse_parse</CODE
->(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gnbaresponse_t **structp);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_gnbaresponse_free</CODE
->(lwres_context_t *ctx, lwres_gnbaresponse_t **structp);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_gnbarequest_free</CODE
->(lwres_context_t *ctx, lwres_gnbarequest_t **structp);</CODE
-></P
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN61"
-></A
-><H2
->DESCRIPTION</H2
-><P
->These are low-level routines for creating and parsing
-lightweight resolver address-to-name lookup request and
-response messages.</P
-><P
->There are four main functions for the getnamebyaddr opcode.
-One render function converts a getnamebyaddr request structure &mdash;
-<SPAN
-CLASS="TYPE"
->lwres_gnbarequest_t</SPAN
-> &mdash;
-to the lightweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a getnamebyaddr request structure.
-Another render function converts the getnamebyaddr response structure &mdash;
-<SPAN
-CLASS="TYPE"
->lwres_gnbaresponse_t</SPAN
->
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a getnamebyaddr response structure.</P
-><P
->These structures are defined in
-<TT
-CLASS="FILENAME"
->lwres/lwres.h</TT
->.
-They are shown below.
-<PRE
-CLASS="PROGRAMLISTING"
->#define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_addr_t addr;
-} lwres_gnbarequest_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- void *base;
- size_t baselen;
-} lwres_gnbaresponse_t;</PRE
-></P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_gnbarequest_render()</TT
->
-uses resolver context
-<TT
-CLASS="VARNAME"
->ctx</TT
->
-to convert getnamebyaddr request structure
-<TT
-CLASS="VARNAME"
->req</TT
->
-to canonical format.
-The packet header structure
-<TT
-CLASS="VARNAME"
->pkt</TT
->
-is initialised and transferred to
-buffer
-<TT
-CLASS="VARNAME"
->b</TT
->.
-The contents of
-<TT
-CLASS="VARNAME"
->*req</TT
->
-are then appended to the buffer in canonical format.
-<TT
-CLASS="FUNCTION"
->lwres_gnbaresponse_render()</TT
->
-performs the same task, except it converts a getnamebyaddr response structure
-<SPAN
-CLASS="TYPE"
->lwres_gnbaresponse_t</SPAN
->
-to the lightweight resolver's canonical format.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_gnbarequest_parse()</TT
->
-uses context
-<TT
-CLASS="VARNAME"
->ctx</TT
->
-to convert the contents of packet
-<TT
-CLASS="VARNAME"
->pkt</TT
->
-to a
-<SPAN
-CLASS="TYPE"
->lwres_gnbarequest_t</SPAN
->
-structure.
-Buffer
-<TT
-CLASS="VARNAME"
->b</TT
->
-provides space to be used for storing this structure.
-When the function succeeds, the resulting
-<SPAN
-CLASS="TYPE"
->lwres_gnbarequest_t</SPAN
->
-is made available through
-<TT
-CLASS="VARNAME"
->*structp</TT
->.
-<TT
-CLASS="FUNCTION"
->lwres_gnbaresponse_parse()</TT
->
-offers the same semantics as
-<TT
-CLASS="FUNCTION"
->lwres_gnbarequest_parse()</TT
->
-except it yields a
-<SPAN
-CLASS="TYPE"
->lwres_gnbaresponse_t</SPAN
->
-structure.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_gnbaresponse_free()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_gnbarequest_free()</TT
->
-release the memory in resolver context
-<TT
-CLASS="VARNAME"
->ctx</TT
->
-that was allocated to the
-<SPAN
-CLASS="TYPE"
->lwres_gnbaresponse_t</SPAN
->
-or
-<SPAN
-CLASS="TYPE"
->lwres_gnbarequest_t</SPAN
->
-structures referenced via
-<TT
-CLASS="VARNAME"
->structp</TT
->.
-Any memory associated with ancillary buffers and strings for those
-structures is also discarded.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN97"
-></A
-><H2
->RETURN VALUES</H2
-><P
->The getnamebyaddr opcode functions
-<TT
-CLASS="FUNCTION"
->lwres_gnbarequest_render()</TT
->,
-<TT
-CLASS="FUNCTION"
->lwres_gnbaresponse_render()</TT
->
-<TT
-CLASS="FUNCTION"
->lwres_gnbarequest_parse()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_gnbaresponse_parse()</TT
->
-all return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_SUCCESS</SPAN
->
-on success.
-They return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_NOMEMORY</SPAN
->
-if memory allocation fails.
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_UNEXPECTEDEND</SPAN
->
-is returned if the available space in the buffer
-<TT
-CLASS="VARNAME"
->b</TT
->
-is too small to accommodate the packet header or the
-<SPAN
-CLASS="TYPE"
->lwres_gnbarequest_t</SPAN
->
-and
-<SPAN
-CLASS="TYPE"
->lwres_gnbaresponse_t</SPAN
->
-structures.
-<TT
-CLASS="FUNCTION"
->lwres_gnbarequest_parse()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_gnbaresponse_parse()</TT
->
-will return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_UNEXPECTEDEND</SPAN
->
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_FAILURE</SPAN
->
-if
-<TT
-CLASS="STRUCTFIELD"
-><I
->pktflags</I
-></TT
->
-in the packet header structure
-<SPAN
-CLASS="TYPE"
->lwres_lwpacket_t</SPAN
->
-indicate that the packet is not a response to an earlier query.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN116"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_packet</SPAN
->(3)</SPAN
->.</P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_hstrerror.3 b/lib/liblwres/man/lwres_hstrerror.3
deleted file mode 100644
index dd7fa9c4c..000000000
--- a/lib/liblwres/man/lwres_hstrerror.3
+++ /dev/null
@@ -1,67 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_HSTRERROR" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres_herror, lwres_hstrerror \- lightweight resolver error message generation
-.SH SYNOPSIS
-\fB#include <lwres/netdb.h>
-.sp
-.na
-void
-lwres_herror(const char *s);
-.ad
-.sp
-.na
-const char *
-lwres_hstrerror(int err);
-.ad
-\fR.SH "DESCRIPTION"
-.PP
-\fBlwres_herror()\fR prints the string
-\fIs\fR on \fBstderr\fR followed by the string
-generated by \fBlwres_hstrerror()\fR for the error code
-stored in the global variable lwres_h_errno.
-.PP
-\fBlwres_hstrerror()\fR returns an appropriate string
-for the error code gievn by \fIerr\fR. The values of
-the error codes and messages are as follows:
-.TP
-\fBNETDB_SUCCESS\fR
-\fBResolver Error 0 (no error)\fR
-.TP
-\fBHOST_NOT_FOUND\fR
-\fBUnknown host\fR
-.TP
-\fBTRY_AGAIN\fR
-\fBHost name lookup failure\fR
-.TP
-\fBNO_RECOVERY\fR
-\fBUnknown server error\fR
-.TP
-\fBNO_DATA\fR
-\fBNo address associated with name\fR
-.SH "RETURN VALUES"
-.PP
-The string \fBUnknown resolver error\fR is returned by
-\fBlwres_hstrerror()\fR
-when the value of
-lwres_h_errno
-is not a valid error code.
-.SH "SEE ALSO"
-.PP
-\fBherror\fR(3),
-\fBlwres_hstrerror\fR(3).
diff --git a/lib/liblwres/man/lwres_hstrerror.docbook b/lib/liblwres/man/lwres_hstrerror.docbook
deleted file mode 100644
index 2f4c06a11..000000000
--- a/lib/liblwres/man/lwres_hstrerror.docbook
+++ /dev/null
@@ -1,124 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_hstrerror.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_hstrerror</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
-<refnamediv>
-<refname>lwres_herror</refname>
-<refname>lwres_hstrerror</refname>
-<refpurpose>lightweight resolver error message generation</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_herror</function></funcdef>
-<paramdef>const char *s</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-const char *
-<function>lwres_hstrerror</function></funcdef>
-<paramdef>int err</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-
-<para>
-<function>lwres_herror()</function> prints the string
-<parameter>s</parameter> on <type>stderr</type> followed by the string
-generated by <function>lwres_hstrerror()</function> for the error code
-stored in the global variable <constant>lwres_h_errno</constant>.
-</para>
-
-<para>
-<function>lwres_hstrerror()</function> returns an appropriate string
-for the error code gievn by <parameter>err</parameter>. The values of
-the error codes and messages are as follows:
-
-<variablelist>
-<varlistentry><term><errorcode>NETDB_SUCCESS</errorcode></term>
-<listitem>
-<para>
-<errorname>Resolver Error 0 (no error)</errorname>
-</para></listitem></varlistentry>
-<varlistentry><term><errorcode>HOST_NOT_FOUND</errorcode></term>
-<listitem>
-<para>
-<errorname>Unknown host</errorname>
-</para></listitem></varlistentry>
-<varlistentry><term><errorcode>TRY_AGAIN</errorcode></term>
-<listitem>
-<para>
-<errorname>Host name lookup failure</errorname>
-</para></listitem></varlistentry>
-<varlistentry><term><errorcode>NO_RECOVERY</errorcode></term>
-<listitem>
-<para>
-<errorname>Unknown server error</errorname>
-</para></listitem></varlistentry>
-<varlistentry><term><errorcode>NO_DATA</errorcode></term>
-<listitem>
-<para>
-<errorname>No address associated with name</errorname>
-</para></listitem></varlistentry>
-</variablelist>
-</para>
-</refsect1>
-
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The string <errorname>Unknown resolver error</errorname> is returned by
-<function>lwres_hstrerror()</function>
-when the value of
-<constant>lwres_h_errno</constant>
-is not a valid error code.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>herror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_hstrerror.html b/lib/liblwres/man/lwres_hstrerror.html
deleted file mode 100644
index 128b7e4f8..000000000
--- a/lib/liblwres/man/lwres_hstrerror.html
+++ /dev/null
@@ -1,242 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_hstrerror</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_hstrerror</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_herror, lwres_hstrerror&nbsp;--&nbsp;lightweight resolver error message generation</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN12"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN13"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/netdb.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_herror</CODE
->(const char *s);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->const char *
-lwres_hstrerror</CODE
->(int err);</CODE
-></P
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN23"
-></A
-><H2
->DESCRIPTION</H2
-><P
-><TT
-CLASS="FUNCTION"
->lwres_herror()</TT
-> prints the string
-<TT
-CLASS="PARAMETER"
-><I
->s</I
-></TT
-> on <SPAN
-CLASS="TYPE"
->stderr</SPAN
-> followed by the string
-generated by <TT
-CLASS="FUNCTION"
->lwres_hstrerror()</TT
-> for the error code
-stored in the global variable <TT
-CLASS="CONSTANT"
->lwres_h_errno</TT
->.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_hstrerror()</TT
-> returns an appropriate string
-for the error code gievn by <TT
-CLASS="PARAMETER"
-><I
->err</I
-></TT
->. The values of
-the error codes and messages are as follows:
-
-<P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><SPAN
-CLASS="ERRORCODE"
->NETDB_SUCCESS</SPAN
-></DT
-><DD
-><P
-><SPAN
-CLASS="ERRORNAME"
->Resolver Error 0 (no error)</SPAN
-></P
-></DD
-><DT
-><SPAN
-CLASS="ERRORCODE"
->HOST_NOT_FOUND</SPAN
-></DT
-><DD
-><P
-><SPAN
-CLASS="ERRORNAME"
->Unknown host</SPAN
-></P
-></DD
-><DT
-><SPAN
-CLASS="ERRORCODE"
->TRY_AGAIN</SPAN
-></DT
-><DD
-><P
-><SPAN
-CLASS="ERRORNAME"
->Host name lookup failure</SPAN
-></P
-></DD
-><DT
-><SPAN
-CLASS="ERRORCODE"
->NO_RECOVERY</SPAN
-></DT
-><DD
-><P
-><SPAN
-CLASS="ERRORNAME"
->Unknown server error</SPAN
-></P
-></DD
-><DT
-><SPAN
-CLASS="ERRORCODE"
->NO_DATA</SPAN
-></DT
-><DD
-><P
-><SPAN
-CLASS="ERRORNAME"
->No address associated with name</SPAN
-></P
-></DD
-></DL
-></DIV
-></P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN65"
-></A
-><H2
->RETURN VALUES</H2
-><P
->The string <SPAN
-CLASS="ERRORNAME"
->Unknown resolver error</SPAN
-> is returned by
-<TT
-CLASS="FUNCTION"
->lwres_hstrerror()</TT
->
-when the value of
-<TT
-CLASS="CONSTANT"
->lwres_h_errno</TT
->
-is not a valid error code.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN71"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->herror</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_hstrerror</SPAN
->(3)</SPAN
->.</P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_inetntop.3 b/lib/liblwres/man/lwres_inetntop.3
deleted file mode 100644
index 983a33d85..000000000
--- a/lib/liblwres/man/lwres_inetntop.3
+++ /dev/null
@@ -1,52 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_INETNTOP" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres_net_ntop \- lightweight resolver IP address presentation
-.SH SYNOPSIS
-\fB#include <lwres/net.h>
-.sp
-.na
-const char *
-lwres_net_ntop(int af, const void *src, char *dst, size_t size);
-.ad
-\fR.SH "DESCRIPTION"
-.PP
-\fBlwres_net_ntop()\fR converts an IP address of
-protocol family \fIaf\fR \(em IPv4 or IPv6 \(em
-at location \fIsrc\fR from network format to its
-conventional representation as a string. For IPv4 addresses, that
-string would be a dotted-decimal. An IPv6 address would be
-represented in colon notation as described in RFC1884.
-.PP
-The generated string is copied to \fIdst\fR provided
-\fIsize\fR indicates it is long enough to store the
-ASCII representation of the address.
-.SH "RETURN VALUES"
-.PP
-If successful, the function returns \fIdst\fR:
-a pointer to a string containing the presentation format of the
-address. \fBlwres_net_ntop()\fR returns
-\fBNULL\fR and sets the global variable
-errno to EAFNOSUPPORT if
-the protocol family given in \fIaf\fR is not
-supported.
-.SH "SEE ALSO"
-.PP
-\fBRFC1884\fR,
-\fBinet_ntop\fR(3),
-\fBerrno\fR(3).
diff --git a/lib/liblwres/man/lwres_inetntop.docbook b/lib/liblwres/man/lwres_inetntop.docbook
deleted file mode 100644
index 8daa36351..000000000
--- a/lib/liblwres/man/lwres_inetntop.docbook
+++ /dev/null
@@ -1,99 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_inetntop.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_inetntop</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
-<refnamediv>
-<refname>lwres_net_ntop</refname>
-<refpurpose>lightweight resolver IP address presentation</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/net.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-const char *
-<function>lwres_net_ntop</function></funcdef>
-<paramdef>int af</paramdef>
-<paramdef>const void *src</paramdef>
-<paramdef>char *dst</paramdef>
-<paramdef>size_t size</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-
-<para>
-<function>lwres_net_ntop()</function> converts an IP address of
-protocol family <parameter>af</parameter> &mdash; IPv4 or IPv6 &mdash;
-at location <parameter>src</parameter> from network format to its
-conventional representation as a string. For IPv4 addresses, that
-string would be a dotted-decimal. An IPv6 address would be
-represented in colon notation as described in RFC1884.
-</para>
-
-<para>
-The generated string is copied to <parameter>dst</parameter> provided
-<parameter>size</parameter> indicates it is long enough to store the
-ASCII representation of the address.
-</para>
-
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-
-<para>
-If successful, the function returns <parameter>dst</parameter>:
-a pointer to a string containing the presentation format of the
-address. <function>lwres_net_ntop()</function> returns
-<type>NULL</type> and sets the global variable
-<constant>errno</constant> to <errorcode>EAFNOSUPPORT</errorcode> if
-the protocol family given in <parameter>af</parameter> is not
-supported.
-</para>
-
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>RFC1884</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>inet_ntop</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>errno</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_inetntop.html b/lib/liblwres/man/lwres_inetntop.html
deleted file mode 100644
index 09d4fea34..000000000
--- a/lib/liblwres/man/lwres_inetntop.html
+++ /dev/null
@@ -1,186 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_inetntop</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_inetntop</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_net_ntop&nbsp;--&nbsp;lightweight resolver IP address presentation</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN11"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN12"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/net.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->const char *
-lwres_net_ntop</CODE
->(int af, const void *src, char *dst, size_t size);</CODE
-></P
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN21"
-></A
-><H2
->DESCRIPTION</H2
-><P
-><TT
-CLASS="FUNCTION"
->lwres_net_ntop()</TT
-> converts an IP address of
-protocol family <TT
-CLASS="PARAMETER"
-><I
->af</I
-></TT
-> &mdash; IPv4 or IPv6 &mdash;
-at location <TT
-CLASS="PARAMETER"
-><I
->src</I
-></TT
-> from network format to its
-conventional representation as a string. For IPv4 addresses, that
-string would be a dotted-decimal. An IPv6 address would be
-represented in colon notation as described in RFC1884.</P
-><P
->The generated string is copied to <TT
-CLASS="PARAMETER"
-><I
->dst</I
-></TT
-> provided
-<TT
-CLASS="PARAMETER"
-><I
->size</I
-></TT
-> indicates it is long enough to store the
-ASCII representation of the address.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN30"
-></A
-><H2
->RETURN VALUES</H2
-><P
->If successful, the function returns <TT
-CLASS="PARAMETER"
-><I
->dst</I
-></TT
->:
-a pointer to a string containing the presentation format of the
-address. <TT
-CLASS="FUNCTION"
->lwres_net_ntop()</TT
-> returns
-<SPAN
-CLASS="TYPE"
->NULL</SPAN
-> and sets the global variable
-<TT
-CLASS="CONSTANT"
->errno</TT
-> to <SPAN
-CLASS="ERRORCODE"
->EAFNOSUPPORT</SPAN
-> if
-the protocol family given in <TT
-CLASS="PARAMETER"
-><I
->af</I
-></TT
-> is not
-supported.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN39"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->RFC1884</SPAN
-></SPAN
->,
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->inet_ntop</SPAN
->(3)</SPAN
->,
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->errno</SPAN
->(3)</SPAN
->.</P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_noop.3 b/lib/liblwres/man/lwres_noop.3
deleted file mode 100644
index 50d127029..000000000
--- a/lib/liblwres/man/lwres_noop.3
+++ /dev/null
@@ -1,160 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_NOOP" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free \- lightweight resolver no-op message handling
-.SH SYNOPSIS
-\fB#include <lwres/lwres.h>
-.sp
-.na
-lwres_result_t
-lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_noopresponse_t **structp);
-.ad
-.sp
-.na
-void
-lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp);
-.ad
-.sp
-.na
-void
-lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp);
-.ad
-\fR.SH "DESCRIPTION"
-.PP
-These are low-level routines for creating and parsing
-lightweight resolver no-op request and response messages.
-.PP
-The no-op message is analogous to a \fBping\fR packet:
-a packet is sent to the resolver daemon and is simply echoed back.
-The opcode is intended to allow a client to determine if the server is
-operational or not.
-.PP
-There are four main functions for the no-op opcode.
-One render function converts a no-op request structure \(em
-\fBlwres_nooprequest_t\fR \(em
-to the lighweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a no-op request structure.
-Another render function converts the no-op response structure \(em
-\fBlwres_noopresponse_t\fR
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a no-op response structure.
-.PP
-These structures are defined in
-\fIlwres/lwres.h\fR.
-They are shown below.
-.sp
-.nf
-#define LWRES_OPCODE_NOOP 0x00000000U
-
-typedef struct {
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_nooprequest_t;
-
-typedef struct {
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_noopresponse_t;
-.sp
-.fi
-Although the structures have different types, they are identical.
-This is because the no-op opcode simply echos whatever data was sent:
-the response is therefore identical to the request.
-.PP
-\fBlwres_nooprequest_render()\fR uses resolver
-context \fIctx\fR to convert no-op request structure
-\fIreq\fR to canonical format. The packet header
-structure \fIpkt\fR is initialised and transferred to
-buffer \fIb\fR. The contents of
-\fI*req\fR are then appended to the buffer in
-canonical format. \fBlwres_noopresponse_render()\fR
-performs the same task, except it converts a no-op response structure
-\fBlwres_noopresponse_t\fR to the lightweight resolver's
-canonical format.
-.PP
-\fBlwres_nooprequest_parse()\fR uses context
-\fIctx\fR to convert the contents of packet
-\fIpkt\fR to a \fBlwres_nooprequest_t\fR
-structure. Buffer \fIb\fR provides space to be used
-for storing this structure. When the function succeeds, the resulting
-\fBlwres_nooprequest_t\fR is made available through
-\fI*structp\fR.
-\fBlwres_noopresponse_parse()\fR offers the same
-semantics as \fBlwres_nooprequest_parse()\fR except it
-yields a \fBlwres_noopresponse_t\fR structure.
-.PP
-\fBlwres_noopresponse_free()\fR and
-\fBlwres_nooprequest_free()\fR release the memory in
-resolver context \fIctx\fR that was allocated to the
-\fBlwres_noopresponse_t\fR or \fBlwres_nooprequest_t\fR
-structures referenced via \fIstructp\fR.
-.SH "RETURN VALUES"
-.PP
-The no-op opcode functions
-\fBlwres_nooprequest_render()\fR,
-\fBlwres_noopresponse_render()\fR
-\fBlwres_nooprequest_parse()\fR
-and
-\fBlwres_noopresponse_parse()\fR
-all return
-LWRES_R_SUCCESS
-on success.
-They return
-LWRES_R_NOMEMORY
-if memory allocation fails.
-LWRES_R_UNEXPECTEDEND
-is returned if the available space in the buffer
-\fIb\fR
-is too small to accommodate the packet header or the
-\fBlwres_nooprequest_t\fR
-and
-\fBlwres_noopresponse_t\fR
-structures.
-\fBlwres_nooprequest_parse()\fR
-and
-\fBlwres_noopresponse_parse()\fR
-will return
-LWRES_R_UNEXPECTEDEND
-if the buffer is not empty after decoding the received packet.
-These functions will return
-LWRES_R_FAILURE
-if
-pktflags
-in the packet header structure
-\fBlwres_lwpacket_t\fR
-indicate that the packet is not a response to an earlier query.
-.SH "SEE ALSO"
-.PP
-\fBlwres_packet\fR(3)
diff --git a/lib/liblwres/man/lwres_noop.docbook b/lib/liblwres/man/lwres_noop.docbook
deleted file mode 100644
index 18762e515..000000000
--- a/lib/liblwres/man/lwres_noop.docbook
+++ /dev/null
@@ -1,229 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_noop.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_noop</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
-<refnamediv>
-<refname>lwres_nooprequest_render</refname>
-<refname>lwres_noopresponse_render</refname>
-<refname>lwres_nooprequest_parse</refname>
-<refname>lwres_noopresponse_parse</refname>
-<refname>lwres_noopresponse_free</refname>
-<refname>lwres_nooprequest_free</refname>
-<refpurpose>lightweight resolver no-op message handling</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>
-#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_nooprequest_render</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_nooprequest_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_noopresponse_render</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_noopresponse_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_nooprequest_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_nooprequest_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_noopresponse_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_noopresponse_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_noopresponse_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_noopresponse_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_nooprequest_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_nooprequest_t **structp</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These are low-level routines for creating and parsing
-lightweight resolver no-op request and response messages.
-</para>
-<para>
-The no-op message is analogous to a <command>ping</command> packet:
-a packet is sent to the resolver daemon and is simply echoed back.
-The opcode is intended to allow a client to determine if the server is
-operational or not.
-</para>
-<para>
-There are four main functions for the no-op opcode.
-One render function converts a no-op request structure &mdash;
-<type>lwres_nooprequest_t</type> &mdash;
-to the lighweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a no-op request structure.
-Another render function converts the no-op response structure &mdash;
-<type>lwres_noopresponse_t</type>
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a no-op response structure.
-</para>
-<para>
-These structures are defined in
-<filename>lwres/lwres.h</filename>.
-
-They are shown below.
-<programlisting>
-#define LWRES_OPCODE_NOOP 0x00000000U
-
-typedef struct {
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_nooprequest_t;
-
-typedef struct {
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_noopresponse_t;
-</programlisting>
-Although the structures have different types, they are identical.
-This is because the no-op opcode simply echos whatever data was sent:
-the response is therefore identical to the request.
-</para>
-
-<para>
-<function>lwres_nooprequest_render()</function> uses resolver
-context <parameter>ctx</parameter> to convert no-op request structure
-<parameter>req</parameter> to canonical format. The packet header
-structure <parameter>pkt</parameter> is initialised and transferred to
-buffer <parameter>b</parameter>. The contents of
-<parameter>*req</parameter> are then appended to the buffer in
-canonical format. <function>lwres_noopresponse_render()</function>
-performs the same task, except it converts a no-op response structure
-<type>lwres_noopresponse_t</type> to the lightweight resolver's
-canonical format.
-</para>
-
-<para>
-<function>lwres_nooprequest_parse()</function> uses context
-<parameter>ctx</parameter> to convert the contents of packet
-<parameter>pkt</parameter> to a <type>lwres_nooprequest_t</type>
-structure. Buffer <parameter>b</parameter> provides space to be used
-for storing this structure. When the function succeeds, the resulting
-<type>lwres_nooprequest_t</type> is made available through
-<parameter>*structp</parameter>.
-<function>lwres_noopresponse_parse()</function> offers the same
-semantics as <function>lwres_nooprequest_parse()</function> except it
-yields a <type>lwres_noopresponse_t</type> structure.
-</para>
-
-<para>
-<function>lwres_noopresponse_free()</function> and
-<function>lwres_nooprequest_free()</function> release the memory in
-resolver context <parameter>ctx</parameter> that was allocated to the
-<type>lwres_noopresponse_t</type> or <type>lwres_nooprequest_t</type>
-structures referenced via <parameter>structp</parameter>.
-</para>
-
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The no-op opcode functions
-<function>lwres_nooprequest_render()</function>,
-
-<function>lwres_noopresponse_render()</function>
-<function>lwres_nooprequest_parse()</function>
-and
-<function>lwres_noopresponse_parse()</function>
-all return
-<errorcode>LWRES_R_SUCCESS</errorcode>
-on success.
-They return
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-if memory allocation fails.
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-is returned if the available space in the buffer
-<parameter>b</parameter>
-is too small to accommodate the packet header or the
-<type>lwres_nooprequest_t</type>
-and
-<type>lwres_noopresponse_t</type>
-structures.
-<function>lwres_nooprequest_parse()</function>
-and
-<function>lwres_noopresponse_parse()</function>
-will return
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<errorcode>LWRES_R_FAILURE</errorcode>
-if
-<constant>pktflags</constant>
-in the packet header structure
-<type>lwres_lwpacket_t</type>
-indicate that the packet is not a response to an earlier query.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_packet</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-</para>
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_noop.html b/lib/liblwres/man/lwres_noop.html
deleted file mode 100644
index fdb5da103..000000000
--- a/lib/liblwres/man/lwres_noop.html
+++ /dev/null
@@ -1,409 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_noop</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_noop</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free&nbsp;--&nbsp;lightweight resolver no-op message handling</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN16"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN17"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/lwres.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_nooprequest_render</CODE
->(lwres_context_t *ctx, lwres_nooprequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_noopresponse_render</CODE
->(lwres_context_t *ctx, lwres_noopresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_nooprequest_parse</CODE
->(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_noopresponse_parse</CODE
->(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_noopresponse_t **structp);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_noopresponse_free</CODE
->(lwres_context_t *ctx, lwres_noopresponse_t **structp);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->void
-lwres_nooprequest_free</CODE
->(lwres_context_t *ctx, lwres_nooprequest_t **structp);</CODE
-></P
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN57"
-></A
-><H2
->DESCRIPTION</H2
-><P
->These are low-level routines for creating and parsing
-lightweight resolver no-op request and response messages.</P
-><P
->The no-op message is analogous to a <B
-CLASS="COMMAND"
->ping</B
-> packet:
-a packet is sent to the resolver daemon and is simply echoed back.
-The opcode is intended to allow a client to determine if the server is
-operational or not.</P
-><P
->There are four main functions for the no-op opcode.
-One render function converts a no-op request structure &mdash;
-<SPAN
-CLASS="TYPE"
->lwres_nooprequest_t</SPAN
-> &mdash;
-to the lighweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a no-op request structure.
-Another render function converts the no-op response structure &mdash;
-<SPAN
-CLASS="TYPE"
->lwres_noopresponse_t</SPAN
->
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a no-op response structure.</P
-><P
->These structures are defined in
-<TT
-CLASS="FILENAME"
->lwres/lwres.h</TT
->.
-
-They are shown below.
-<PRE
-CLASS="PROGRAMLISTING"
->#define LWRES_OPCODE_NOOP 0x00000000U
-
-typedef struct {
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_nooprequest_t;
-
-typedef struct {
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_noopresponse_t;</PRE
->
-Although the structures have different types, they are identical.
-This is because the no-op opcode simply echos whatever data was sent:
-the response is therefore identical to the request.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_nooprequest_render()</TT
-> uses resolver
-context <TT
-CLASS="PARAMETER"
-><I
->ctx</I
-></TT
-> to convert no-op request structure
-<TT
-CLASS="PARAMETER"
-><I
->req</I
-></TT
-> to canonical format. The packet header
-structure <TT
-CLASS="PARAMETER"
-><I
->pkt</I
-></TT
-> is initialised and transferred to
-buffer <TT
-CLASS="PARAMETER"
-><I
->b</I
-></TT
->. The contents of
-<TT
-CLASS="PARAMETER"
-><I
->*req</I
-></TT
-> are then appended to the buffer in
-canonical format. <TT
-CLASS="FUNCTION"
->lwres_noopresponse_render()</TT
->
-performs the same task, except it converts a no-op response structure
-<SPAN
-CLASS="TYPE"
->lwres_noopresponse_t</SPAN
-> to the lightweight resolver's
-canonical format.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_nooprequest_parse()</TT
-> uses context
-<TT
-CLASS="PARAMETER"
-><I
->ctx</I
-></TT
-> to convert the contents of packet
-<TT
-CLASS="PARAMETER"
-><I
->pkt</I
-></TT
-> to a <SPAN
-CLASS="TYPE"
->lwres_nooprequest_t</SPAN
->
-structure. Buffer <TT
-CLASS="PARAMETER"
-><I
->b</I
-></TT
-> provides space to be used
-for storing this structure. When the function succeeds, the resulting
-<SPAN
-CLASS="TYPE"
->lwres_nooprequest_t</SPAN
-> is made available through
-<TT
-CLASS="PARAMETER"
-><I
->*structp</I
-></TT
->.
-<TT
-CLASS="FUNCTION"
->lwres_noopresponse_parse()</TT
-> offers the same
-semantics as <TT
-CLASS="FUNCTION"
->lwres_nooprequest_parse()</TT
-> except it
-yields a <SPAN
-CLASS="TYPE"
->lwres_noopresponse_t</SPAN
-> structure.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_noopresponse_free()</TT
-> and
-<TT
-CLASS="FUNCTION"
->lwres_nooprequest_free()</TT
-> release the memory in
-resolver context <TT
-CLASS="PARAMETER"
-><I
->ctx</I
-></TT
-> that was allocated to the
-<SPAN
-CLASS="TYPE"
->lwres_noopresponse_t</SPAN
-> or <SPAN
-CLASS="TYPE"
->lwres_nooprequest_t</SPAN
->
-structures referenced via <TT
-CLASS="PARAMETER"
-><I
->structp</I
-></TT
->.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN95"
-></A
-><H2
->RETURN VALUES</H2
-><P
->The no-op opcode functions
-<TT
-CLASS="FUNCTION"
->lwres_nooprequest_render()</TT
->,
-
-<TT
-CLASS="FUNCTION"
->lwres_noopresponse_render()</TT
->
-<TT
-CLASS="FUNCTION"
->lwres_nooprequest_parse()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_noopresponse_parse()</TT
->
-all return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_SUCCESS</SPAN
->
-on success.
-They return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_NOMEMORY</SPAN
->
-if memory allocation fails.
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_UNEXPECTEDEND</SPAN
->
-is returned if the available space in the buffer
-<TT
-CLASS="PARAMETER"
-><I
->b</I
-></TT
->
-is too small to accommodate the packet header or the
-<SPAN
-CLASS="TYPE"
->lwres_nooprequest_t</SPAN
->
-and
-<SPAN
-CLASS="TYPE"
->lwres_noopresponse_t</SPAN
->
-structures.
-<TT
-CLASS="FUNCTION"
->lwres_nooprequest_parse()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_noopresponse_parse()</TT
->
-will return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_UNEXPECTEDEND</SPAN
->
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_FAILURE</SPAN
->
-if
-<TT
-CLASS="CONSTANT"
->pktflags</TT
->
-in the packet header structure
-<SPAN
-CLASS="TYPE"
->lwres_lwpacket_t</SPAN
->
-indicate that the packet is not a response to an earlier query.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN114"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_packet</SPAN
->(3)</SPAN
-></P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_packet.3 b/lib/liblwres/man/lwres_packet.3
deleted file mode 100644
index d7fb6f077..000000000
--- a/lib/liblwres/man/lwres_packet.3
+++ /dev/null
@@ -1,149 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_PACKET" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres_lwpacket_renderheader, lwres_lwpacket_parseheader \- lightweight resolver packet handling functions
-.SH SYNOPSIS
-\fB#include <lwres/lwpacket.h>
-.sp
-.na
-lwres_result_t
-lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
-.ad
-\fR.SH "DESCRIPTION"
-.PP
-These functions rely on a
-\fBstruct lwres_lwpacket\fR
-which is defined in
-\fIlwres/lwpacket.h\fR.
-.sp
-.nf
-typedef struct lwres_lwpacket lwres_lwpacket_t;
-
-struct lwres_lwpacket {
- lwres_uint32_t length;
- lwres_uint16_t version;
- lwres_uint16_t pktflags;
- lwres_uint32_t serial;
- lwres_uint32_t opcode;
- lwres_uint32_t result;
- lwres_uint32_t recvlength;
- lwres_uint16_t authtype;
- lwres_uint16_t authlength;
-};
-.sp
-.fi
-.PP
-The elements of this structure are:
-.TP
-\fBlength\fR
-the overall packet length, including the entire packet header.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-.TP
-\fBversion\fR
-the header format. There is currently only one format,
-\fBLWRES_LWPACKETVERSION_0\fR.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-.TP
-\fBpktflags\fR
-library-defined flags for this packet: for instance whether the packet
-is a request or a reply. Flag values can be set, but not defined by
-the caller.
-This field is filled in by the application wit the exception of the
-LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the
-lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
-\fBserial\fR
-is set by the requestor and is returned in all replies. If two or more
-packets from the same source have the same serial number and are from
-the same source, they are assumed to be duplicates and the latter ones
-may be dropped.
-This field must be set by the application.
-.TP
-\fBopcode\fR
-indicates the operation.
-Opcodes between 0x00000000 and 0x03ffffff are
-reserved for use by the lightweight resolver library. Opcodes between
-0x04000000 and 0xffffffff are application defined.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-.TP
-\fBresult\fR
-is only valid for replies.
-Results between 0x04000000 and 0xffffffff are application defined.
-Results between 0x00000000 and 0x03ffffff are reserved for library use.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-.TP
-\fBrecvlength\fR
-is the maximum buffer size that the receiver can handle on requests
-and the size of the buffer needed to satisfy a request when the buffer
-is too large for replies.
-This field is supplied by the application.
-.TP
-\fBauthtype\fR
-defines the packet level authentication that is used.
-Authorisation types between 0x1000 and 0xffff are application defined
-and types between 0x0000 and 0x0fff are reserved for library use.
-Currently these are not used and must be zero.
-.TP
-\fBauthlen\fR
-gives the length of the authentication data.
-Since packet authentication is currently not used, this must be zero.
-.PP
-The following opcodes are currently defined:
-.TP
-\fBNOOP\fR
-Success is always returned and the packet contents are echoed.
-The lwres_noop_*() functions should be used for this type.
-.TP
-\fBGETADDRSBYNAME\fR
-returns all known addresses for a given name.
-The lwres_gabn_*() functions should be used for this type.
-.TP
-\fBGETNAMEBYADDR\fR
-return the hostname for the given address.
-The lwres_gnba_*() functions should be used for this type.
-.PP
-\fBlwres_lwpacket_renderheader()\fR transfers the
-contents of lightweight resolver packet structure
-\fBlwres_lwpacket_t\fR \fI*pkt\fR in network
-byte order to the lightweight resolver buffer,
-\fI*b\fR.
-.PP
-\fBlwres_lwpacket_parseheader()\fR performs the
-converse operation. It transfers data in network byte order from
-buffer \fI*b\fR to resolver packet
-\fI*pkt\fR. The contents of the buffer
-\fIb\fR should correspond to a
-\fBlwres_lwpacket_t\fR.
-.SH "RETURN VALUES"
-.PP
-Successful calls to
-\fBlwres_lwpacket_renderheader()\fR and
-\fBlwres_lwpacket_parseheader()\fR return
-LWRES_R_SUCCESS. If there is insufficient
-space to copy data between the buffer \fI*b\fR and
-lightweight resolver packet \fI*pkt\fR both functions
-return LWRES_R_UNEXPECTEDEND.
diff --git a/lib/liblwres/man/lwres_packet.docbook b/lib/liblwres/man/lwres_packet.docbook
deleted file mode 100644
index 7b9ed38b3..000000000
--- a/lib/liblwres/man/lwres_packet.docbook
+++ /dev/null
@@ -1,218 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_packet.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_packet</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
-<refnamediv>
-<refname>lwres_lwpacket_renderheader</refname>
-<refname>lwres_lwpacket_parseheader</refname>
-<refpurpose>lightweight resolver packet handling functions</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwpacket.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_lwpacket_renderheader</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_lwpacket_parseheader</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These functions rely on a
-<type>struct lwres_lwpacket</type>
-which is defined in
-<filename>lwres/lwpacket.h</filename>.
-
-<programlisting>
-typedef struct lwres_lwpacket lwres_lwpacket_t;
-
-struct lwres_lwpacket {
- lwres_uint32_t length;
- lwres_uint16_t version;
- lwres_uint16_t pktflags;
- lwres_uint32_t serial;
- lwres_uint32_t opcode;
- lwres_uint32_t result;
- lwres_uint32_t recvlength;
- lwres_uint16_t authtype;
- lwres_uint16_t authlength;
-};
-</programlisting>
-</para>
-
-<para>
-The elements of this structure are:
-<variablelist>
-<varlistentry><term><constant>length</constant></term>
-<listitem>
-<para>
-the overall packet length, including the entire packet header.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>version</constant></term>
-<listitem>
-<para>
-the header format. There is currently only one format,
-<type>LWRES_LWPACKETVERSION_0</type>.
-
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>pktflags</constant></term>
-<listitem>
-<para>
-library-defined flags for this packet: for instance whether the packet
-is a request or a reply. Flag values can be set, but not defined by
-the caller.
-This field is filled in by the application wit the exception of the
-LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the
-lwres_gabn_*() and lwres_gnba_*() calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>serial</constant></term>
-<listitem>
-<para>
-is set by the requestor and is returned in all replies. If two or more
-packets from the same source have the same serial number and are from
-the same source, they are assumed to be duplicates and the latter ones
-may be dropped.
-This field must be set by the application.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>opcode</constant></term>
-<listitem>
-<para>
-indicates the operation.
-Opcodes between 0x00000000 and 0x03ffffff are
-reserved for use by the lightweight resolver library. Opcodes between
-0x04000000 and 0xffffffff are application defined.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>result</constant></term>
-<listitem>
-<para>
-is only valid for replies.
-Results between 0x04000000 and 0xffffffff are application defined.
-Results between 0x00000000 and 0x03ffffff are reserved for library use.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>recvlength</constant></term>
-<listitem>
-<para>
-is the maximum buffer size that the receiver can handle on requests
-and the size of the buffer needed to satisfy a request when the buffer
-is too large for replies.
-This field is supplied by the application.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>authtype</constant></term>
-<listitem>
-<para>
-defines the packet level authentication that is used.
-Authorisation types between 0x1000 and 0xffff are application defined
-and types between 0x0000 and 0x0fff are reserved for library use.
-Currently these are not used and must be zero.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>authlen</constant></term>
-<listitem>
-<para>
-gives the length of the authentication data.
-Since packet authentication is currently not used, this must be zero.
-</para></listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-The following opcodes are currently defined:
-<variablelist>
-<varlistentry><term><constant>NOOP</constant></term>
-<listitem>
-<para>
-Success is always returned and the packet contents are echoed.
-The lwres_noop_*() functions should be used for this type.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>GETADDRSBYNAME</constant></term>
-<listitem>
-<para>
-returns all known addresses for a given name.
-The lwres_gabn_*() functions should be used for this type.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>GETNAMEBYADDR</constant></term>
-<listitem>
-<para>
-return the hostname for the given address.
-The lwres_gnba_*() functions should be used for this type.
-</para></listitem></varlistentry>
-</variablelist>
-</para>
-
-<para>
-<function>lwres_lwpacket_renderheader()</function> transfers the
-contents of lightweight resolver packet structure
-<type>lwres_lwpacket_t</type> <parameter>*pkt</parameter> in network
-byte order to the lightweight resolver buffer,
-<parameter>*b</parameter>.
-</para>
-
-<para>
-<function>lwres_lwpacket_parseheader()</function> performs the
-converse operation. It transfers data in network byte order from
-buffer <parameter>*b</parameter> to resolver packet
-<parameter>*pkt</parameter>. The contents of the buffer
-<parameter>b</parameter> should correspond to a
-<type>lwres_lwpacket_t</type>.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>RETURN VALUES</title>
-<para> Successful calls to
-<function>lwres_lwpacket_renderheader()</function> and
-<function>lwres_lwpacket_parseheader()</function> return
-<errorcode>LWRES_R_SUCCESS</errorcode>. If there is insufficient
-space to copy data between the buffer <parameter>*b</parameter> and
-lightweight resolver packet <parameter>*pkt</parameter> both functions
-return <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>.
-</para>
-
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_packet.html b/lib/liblwres/man/lwres_packet.html
deleted file mode 100644
index 5c5828f49..000000000
--- a/lib/liblwres/man/lwres_packet.html
+++ /dev/null
@@ -1,373 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_packet</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_packet</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_lwpacket_renderheader, lwres_lwpacket_parseheader&nbsp;--&nbsp;lightweight resolver packet handling functions</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN12"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN13"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/lwpacket.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_lwpacket_renderheader</CODE
->(lwres_buffer_t *b, lwres_lwpacket_t *pkt);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_lwpacket_parseheader</CODE
->(lwres_buffer_t *b, lwres_lwpacket_t *pkt);</CODE
-></P
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN25"
-></A
-><H2
->DESCRIPTION</H2
-><P
->These functions rely on a
-<SPAN
-CLASS="TYPE"
->struct lwres_lwpacket</SPAN
->
-which is defined in
-<TT
-CLASS="FILENAME"
->lwres/lwpacket.h</TT
->.
-
-<PRE
-CLASS="PROGRAMLISTING"
->typedef struct lwres_lwpacket lwres_lwpacket_t;
-
-struct lwres_lwpacket {
- lwres_uint32_t length;
- lwres_uint16_t version;
- lwres_uint16_t pktflags;
- lwres_uint32_t serial;
- lwres_uint32_t opcode;
- lwres_uint32_t result;
- lwres_uint32_t recvlength;
- lwres_uint16_t authtype;
- lwres_uint16_t authlength;
-};</PRE
-></P
-><P
->The elements of this structure are:
-<P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="CONSTANT"
->length</TT
-></DT
-><DD
-><P
->the overall packet length, including the entire packet header.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->version</TT
-></DT
-><DD
-><P
->the header format. There is currently only one format,
-<SPAN
-CLASS="TYPE"
->LWRES_LWPACKETVERSION_0</SPAN
->.
-
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->pktflags</TT
-></DT
-><DD
-><P
->library-defined flags for this packet: for instance whether the packet
-is a request or a reply. Flag values can be set, but not defined by
-the caller.
-This field is filled in by the application wit the exception of the
-LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the
-lwres_gabn_*() and lwres_gnba_*() calls.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->serial</TT
-></DT
-><DD
-><P
->is set by the requestor and is returned in all replies. If two or more
-packets from the same source have the same serial number and are from
-the same source, they are assumed to be duplicates and the latter ones
-may be dropped.
-This field must be set by the application.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->opcode</TT
-></DT
-><DD
-><P
->indicates the operation.
-Opcodes between 0x00000000 and 0x03ffffff are
-reserved for use by the lightweight resolver library. Opcodes between
-0x04000000 and 0xffffffff are application defined.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->result</TT
-></DT
-><DD
-><P
->is only valid for replies.
-Results between 0x04000000 and 0xffffffff are application defined.
-Results between 0x00000000 and 0x03ffffff are reserved for library use.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->recvlength</TT
-></DT
-><DD
-><P
->is the maximum buffer size that the receiver can handle on requests
-and the size of the buffer needed to satisfy a request when the buffer
-is too large for replies.
-This field is supplied by the application.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->authtype</TT
-></DT
-><DD
-><P
->defines the packet level authentication that is used.
-Authorisation types between 0x1000 and 0xffff are application defined
-and types between 0x0000 and 0x0fff are reserved for library use.
-Currently these are not used and must be zero.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->authlen</TT
-></DT
-><DD
-><P
->gives the length of the authentication data.
-Since packet authentication is currently not used, this must be zero.</P
-></DD
-></DL
-></DIV
-></P
-><P
->The following opcodes are currently defined:
-<P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
-><TT
-CLASS="CONSTANT"
->NOOP</TT
-></DT
-><DD
-><P
->Success is always returned and the packet contents are echoed.
-The lwres_noop_*() functions should be used for this type.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->GETADDRSBYNAME</TT
-></DT
-><DD
-><P
->returns all known addresses for a given name.
-The lwres_gabn_*() functions should be used for this type.</P
-></DD
-><DT
-><TT
-CLASS="CONSTANT"
->GETNAMEBYADDR</TT
-></DT
-><DD
-><P
->return the hostname for the given address.
-The lwres_gnba_*() functions should be used for this type.</P
-></DD
-></DL
-></DIV
-></P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_lwpacket_renderheader()</TT
-> transfers the
-contents of lightweight resolver packet structure
-<SPAN
-CLASS="TYPE"
->lwres_lwpacket_t</SPAN
-> <TT
-CLASS="PARAMETER"
-><I
->*pkt</I
-></TT
-> in network
-byte order to the lightweight resolver buffer,
-<TT
-CLASS="PARAMETER"
-><I
->*b</I
-></TT
->.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_lwpacket_parseheader()</TT
-> performs the
-converse operation. It transfers data in network byte order from
-buffer <TT
-CLASS="PARAMETER"
-><I
->*b</I
-></TT
-> to resolver packet
-<TT
-CLASS="PARAMETER"
-><I
->*pkt</I
-></TT
->. The contents of the buffer
-<TT
-CLASS="PARAMETER"
-><I
->b</I
-></TT
-> should correspond to a
-<SPAN
-CLASS="TYPE"
->lwres_lwpacket_t</SPAN
->.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN107"
-></A
-><H2
->RETURN VALUES</H2
-><P
-> Successful calls to
-<TT
-CLASS="FUNCTION"
->lwres_lwpacket_renderheader()</TT
-> and
-<TT
-CLASS="FUNCTION"
->lwres_lwpacket_parseheader()</TT
-> return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_SUCCESS</SPAN
->. If there is insufficient
-space to copy data between the buffer <TT
-CLASS="PARAMETER"
-><I
->*b</I
-></TT
-> and
-lightweight resolver packet <TT
-CLASS="PARAMETER"
-><I
->*pkt</I
-></TT
-> both functions
-return <SPAN
-CLASS="ERRORCODE"
->LWRES_R_UNEXPECTEDEND</SPAN
->.</P
-></DIV
-></BODY
-></HTML
-> \ No newline at end of file
diff --git a/lib/liblwres/man/lwres_resutil.3 b/lib/liblwres/man/lwres_resutil.3
deleted file mode 100644
index 6db4825b0..000000000
--- a/lib/liblwres/man/lwres_resutil.3
+++ /dev/null
@@ -1,151 +0,0 @@
-.\"
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
-.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
-.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
-.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
-.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
-.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.TH "LWRES_RESUTIL" "3" "Jun 30, 2000" "BIND9" ""
-.SH NAME
-lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr \- lightweight resolver utility functions
-.SH SYNOPSIS
-\fB#include <lwres/lwres.h>
-.sp
-.na
-lwres_result_t
-lwres_string_parse(lwres_buffer_t *b, char **c, lwres_uint16_t *len);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_getaddrsbyname(lwres_context_t *ctx, const char *name, lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp);
-.ad
-.sp
-.na
-lwres_result_t
-lwres_getnamebyaddr(lwres_context_t *ctx, lwres_uint32_t addrtype, lwres_uint16_t addrlen, const unsigned char *addr, lwres_gnbaresponse_t **structp);
-.ad
-\fR.SH "DESCRIPTION"
-.PP
-\fBlwres_string_parse()\fR retrieves a DNS-encoded
-string starting the current pointer of lightweight resolver buffer
-\fIb\fR: i.e. b->current.
-When the function returns, the address of the first byte of the
-encoded string is returned via \fI*c\fR and the
-length of that string is given by \fI*len\fR. The
-buffer's current pointer is advanced to point at the character
-following the string length, the encoded string, and the trailing
-\fBNULL\fR character.
-.PP
-\fBlwres_addr_parse()\fR extracts an address from the
-buffer \fIb\fR. The buffer's current pointer
-b->current is presumed to point at an encoded
-address: the address preceded by a 32-bit protocol family identifier
-and a 16-bit length field. The encoded address is copied to
-addr->address and
-addr->length indicates the size in bytes of
-the address that was copied. b->current is
-advanced to point at the next byte of available data in the buffer
-following the encoded address.
-.PP
-\fBlwres_getaddrsbyname()\fR
-and
-\fBlwres_getnamebyaddr()\fR
-use the
-\fBlwres_gnbaresponse_t\fR
-structure defined below:
-.sp
-.nf
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- lwres_addrlist_t addrs;
- void *base;
- size_t baselen;
-} lwres_gabnresponse_t;
-.sp
-.fi
-The contents of this structure are not manipulated directly but
-they are controlled through the
-\fBlwres_gabn\fR(3)
-functions.
-.PP
-The lightweight resolver uses
-\fBlwres_getaddrsbyname()\fR to perform foward lookups.
-Hostname \fIname\fR is looked up using the resolver
-context \fIctx\fR for memory allocation.
-\fIaddrtypes\fR is a bitmask indicating which type of
-addresses are to be looked up. Current values for this bitmask are
-\fBLWRES_ADDRTYPE_V4\fR for IPv4 addresses and
-\fBLWRES_ADDRTYPE_V6\fR for IPv6 addresses. Results of the
-lookup are returned in \fI*structp\fR.
-.PP
-\fBlwres_getnamebyaddr()\fR performs reverse lookups.
-Resolver context \fIctx\fR is used for memory
-allocation. The address type is indicated by
-\fIaddrtype\fR: \fBLWRES_ADDRTYPE_V4\fR or
-\fBLWRES_ADDRTYPE_V6\fR. The address to be looked up is given
-by \fIaddr\fR and its length is
-\fIaddrlen\fR bytes. The result of the function call
-is made available through \fI*structp\fR.
-.SH "RETURN VALUES"
-.PP
-Successful calls to
-\fBlwres_string_parse()\fR
-and
-\fBlwres_addr_parse()\fR
-return
-LWRES_R_SUCCESS.
-Both functions return
-LWRES_R_FAILURE
-if the buffer is corrupt or
-LWRES_R_UNEXPECTEDEND
-if the buffer has less space than expected for the components of the
-encoded string or address.
-.PP
-\fBlwres_getaddrsbyname()\fR
-returns
-LWRES_R_SUCCESS
-on success and it returns
-LWRES_R_NOTFOUND
-if the hostname
-\fIname\fR
-could not be found.
-.PP
-LWRES_R_SUCCESS
-is returned by a successful call to
-\fBlwres_getnamebyaddr()\fR.
-.PP
-Both
-\fBlwres_getaddrsbyname()\fR
-and
-\fBlwres_getnamebyaddr()\fR
-return
-LWRES_R_NOMEMORY
-when memory allocation requests fail and
-LWRES_R_UNEXPECTEDEND
-if the buffers used for sending queries and receiving replies are too
-small.
-.SH "SEE ALSO"
-.PP
-\fBlwres_buffer\fR(3),
-\fBlwres_gabn\fR(3).
diff --git a/lib/liblwres/man/lwres_resutil.docbook b/lib/liblwres/man/lwres_resutil.docbook
deleted file mode 100644
index 72d6dc614..000000000
--- a/lib/liblwres/man/lwres_resutil.docbook
+++ /dev/null
@@ -1,221 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_resutil.docbook,v 1.1 2004/03/15 20:35:25 as Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
- <refentrytitle>lwres_resutil</refentrytitle>
- <manvolnum>3</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
-<refnamediv>
-<refname>lwres_string_parse</refname>
-<refname>lwres_addr_parse</refname>
-<refname>lwres_getaddrsbyname</refname>
-<refname>lwres_getnamebyaddr</refname>
-<refpurpose>lightweight resolver utility functions</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_string_parse</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>char **c</paramdef>
-<paramdef>lwres_uint16_t *len</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_addr_parse</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_addr_t *addr</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_getaddrsbyname</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>const char *name</paramdef>
-<paramdef>lwres_uint32_t addrtypes</paramdef>
-<paramdef>lwres_gabnresponse_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_getnamebyaddr</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_uint32_t addrtype</paramdef>
-<paramdef>lwres_uint16_t addrlen</paramdef>
-<paramdef>const unsigned char *addr</paramdef>
-<paramdef>lwres_gnbaresponse_t **structp</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-
-<para>
-<function>lwres_string_parse()</function> retrieves a DNS-encoded
-string starting the current pointer of lightweight resolver buffer
-<parameter>b</parameter>: i.e. <constant>b-&gt;current</constant>.
-When the function returns, the address of the first byte of the
-encoded string is returned via <parameter>*c</parameter> and the
-length of that string is given by <parameter>*len</parameter>. The
-buffer's current pointer is advanced to point at the character
-following the string length, the encoded string, and the trailing
-<type>NULL</type> character.
-</para>
-
-<para>
-<function>lwres_addr_parse()</function> extracts an address from the
-buffer <parameter>b</parameter>. The buffer's current pointer
-<constant>b-&gt;current</constant> is presumed to point at an encoded
-address: the address preceded by a 32-bit protocol family identifier
-and a 16-bit length field. The encoded address is copied to
-<constant>addr-&gt;address</constant> and
-<constant>addr-&gt;length</constant> indicates the size in bytes of
-the address that was copied. <constant>b-&gt;current</constant> is
-advanced to point at the next byte of available data in the buffer
-following the encoded address.
-</para>
-
-<para>
-<function>lwres_getaddrsbyname()</function>
-and
-<function>lwres_getnamebyaddr()</function>
-use the
-<type>lwres_gnbaresponse_t</type>
-structure defined below:
-<programlisting>
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- lwres_addrlist_t addrs;
- void *base;
- size_t baselen;
-} lwres_gabnresponse_t;
-</programlisting>
-The contents of this structure are not manipulated directly but
-they are controlled through the
-<citerefentry>
-<refentrytitle>lwres_gabn</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-functions.
-</para>
-
-<para>
-The lightweight resolver uses
-<function>lwres_getaddrsbyname()</function> to perform foward lookups.
-Hostname <parameter>name</parameter> is looked up using the resolver
-context <parameter>ctx</parameter> for memory allocation.
-<parameter>addrtypes</parameter> is a bitmask indicating which type of
-addresses are to be looked up. Current values for this bitmask are
-<type>LWRES_ADDRTYPE_V4</type> for IPv4 addresses and
-<type>LWRES_ADDRTYPE_V6</type> for IPv6 addresses. Results of the
-lookup are returned in <parameter>*structp</parameter>.
-</para>
-
-<para>
-<function>lwres_getnamebyaddr()</function> performs reverse lookups.
-Resolver context <parameter>ctx</parameter> is used for memory
-allocation. The address type is indicated by
-<parameter>addrtype</parameter>: <type>LWRES_ADDRTYPE_V4</type> or
-<type>LWRES_ADDRTYPE_V6</type>. The address to be looked up is given
-by <parameter>addr</parameter> and its length is
-<parameter>addrlen</parameter> bytes. The result of the function call
-is made available through <parameter>*structp</parameter>.
-</para>
-</refsect1>
-
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-Successful calls to
-<function>lwres_string_parse()</function>
-and
-<function>lwres_addr_parse()</function>
-return
-<errorcode>LWRES_R_SUCCESS.</errorcode>
-Both functions return
-<errorcode>LWRES_R_FAILURE</errorcode>
-if the buffer is corrupt or
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffer has less space than expected for the components of the
-encoded string or address.
-</para>
-<para>
-<function>lwres_getaddrsbyname()</function>
-returns
-<errorcode>LWRES_R_SUCCESS</errorcode>
-on success and it returns
-<errorcode>LWRES_R_NOTFOUND</errorcode>
-if the hostname
-<parameter>name</parameter>
-could not be found.
-</para>
-<para>
-<errorcode>LWRES_R_SUCCESS</errorcode>
-is returned by a successful call to
-<function>lwres_getnamebyaddr()</function>.
-</para>
-
-<para>
-Both
-<function>lwres_getaddrsbyname()</function>
-and
-<function>lwres_getnamebyaddr()</function>
-return
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-when memory allocation requests fail and
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffers used for sending queries and receiving replies are too
-small.
-</para>
-
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_buffer</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-
-</refsect1>
-</refentry>
diff --git a/lib/liblwres/man/lwres_resutil.html b/lib/liblwres/man/lwres_resutil.html
deleted file mode 100644
index ae3a2f646..000000000
--- a/lib/liblwres/man/lwres_resutil.html
+++ /dev/null
@@ -1,412 +0,0 @@
-<!--
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--->
-<HTML
-><HEAD
-><TITLE
->lwres_resutil</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.61
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
->lwres_resutil</A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN8"
-></A
-><H2
->Name</H2
->lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr&nbsp;--&nbsp;lightweight resolver utility functions</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN14"
-></A
-><H2
->Synopsis</H2
-><DIV
-CLASS="FUNCSYNOPSIS"
-><A
-NAME="AEN15"
-></A
-><P
-></P
-><PRE
-CLASS="FUNCSYNOPSISINFO"
->#include &lt;lwres/lwres.h&gt;</PRE
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_string_parse</CODE
->(lwres_buffer_t *b, char **c, lwres_uint16_t *len);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_addr_parse</CODE
->(lwres_buffer_t *b, lwres_addr_t *addr);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_getaddrsbyname</CODE
->(lwres_context_t *ctx, const char *name, lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp);</CODE
-></P
-><P
-><CODE
-><CODE
-CLASS="FUNCDEF"
->lwres_result_t
-lwres_getnamebyaddr</CODE
->(lwres_context_t *ctx, lwres_uint32_t addrtype, lwres_uint16_t addrlen, const unsigned char *addr, lwres_gnbaresponse_t **structp);</CODE
-></P
-><P
-></P
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN43"
-></A
-><H2
->DESCRIPTION</H2
-><P
-><TT
-CLASS="FUNCTION"
->lwres_string_parse()</TT
-> retrieves a DNS-encoded
-string starting the current pointer of lightweight resolver buffer
-<TT
-CLASS="PARAMETER"
-><I
->b</I
-></TT
->: i.e. <TT
-CLASS="CONSTANT"
->b-&gt;current</TT
->.
-When the function returns, the address of the first byte of the
-encoded string is returned via <TT
-CLASS="PARAMETER"
-><I
->*c</I
-></TT
-> and the
-length of that string is given by <TT
-CLASS="PARAMETER"
-><I
->*len</I
-></TT
->. The
-buffer's current pointer is advanced to point at the character
-following the string length, the encoded string, and the trailing
-<SPAN
-CLASS="TYPE"
->NULL</SPAN
-> character.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_addr_parse()</TT
-> extracts an address from the
-buffer <TT
-CLASS="PARAMETER"
-><I
->b</I
-></TT
->. The buffer's current pointer
-<TT
-CLASS="CONSTANT"
->b-&gt;current</TT
-> is presumed to point at an encoded
-address: the address preceded by a 32-bit protocol family identifier
-and a 16-bit length field. The encoded address is copied to
-<TT
-CLASS="CONSTANT"
->addr-&gt;address</TT
-> and
-<TT
-CLASS="CONSTANT"
->addr-&gt;length</TT
-> indicates the size in bytes of
-the address that was copied. <TT
-CLASS="CONSTANT"
->b-&gt;current</TT
-> is
-advanced to point at the next byte of available data in the buffer
-following the encoded address.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_getaddrsbyname()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_getnamebyaddr()</TT
->
-use the
-<SPAN
-CLASS="TYPE"
->lwres_gnbaresponse_t</SPAN
->
-structure defined below:
-<PRE
-CLASS="PROGRAMLISTING"
->typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- lwres_addrlist_t addrs;
- void *base;
- size_t baselen;
-} lwres_gabnresponse_t;</PRE
->
-The contents of this structure are not manipulated directly but
-they are controlled through the
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_gabn</SPAN
->(3)</SPAN
->
-functions.</P
-><P
->The lightweight resolver uses
-<TT
-CLASS="FUNCTION"
->lwres_getaddrsbyname()</TT
-> to perform foward lookups.
-Hostname <TT
-CLASS="PARAMETER"
-><I
->name</I
-></TT
-> is looked up using the resolver
-context <TT
-CLASS="PARAMETER"
-><I
->ctx</I
-></TT
-> for memory allocation.
-<TT
-CLASS="PARAMETER"
-><I
->addrtypes</I
-></TT
-> is a bitmask indicating which type of
-addresses are to be looked up. Current values for this bitmask are
-<SPAN
-CLASS="TYPE"
->LWRES_ADDRTYPE_V4</SPAN
-> for IPv4 addresses and
-<SPAN
-CLASS="TYPE"
->LWRES_ADDRTYPE_V6</SPAN
-> for IPv6 addresses. Results of the
-lookup are returned in <TT
-CLASS="PARAMETER"
-><I
->*structp</I
-></TT
->.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_getnamebyaddr()</TT
-> performs reverse lookups.
-Resolver context <TT
-CLASS="PARAMETER"
-><I
->ctx</I
-></TT
-> is used for memory
-allocation. The address type is indicated by
-<TT
-CLASS="PARAMETER"
-><I
->addrtype</I
-></TT
->: <SPAN
-CLASS="TYPE"
->LWRES_ADDRTYPE_V4</SPAN
-> or
-<SPAN
-CLASS="TYPE"
->LWRES_ADDRTYPE_V6</SPAN
->. The address to be looked up is given
-by <TT
-CLASS="PARAMETER"
-><I
->addr</I
-></TT
-> and its length is
-<TT
-CLASS="PARAMETER"
-><I
->addrlen</I
-></TT
-> bytes. The result of the function call
-is made available through <TT
-CLASS="PARAMETER"
-><I
->*structp</I
-></TT
->.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN84"
-></A
-><H2
->RETURN VALUES</H2
-><P
->Successful calls to
-<TT
-CLASS="FUNCTION"
->lwres_string_parse()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_addr_parse()</TT
->
-return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_SUCCESS.</SPAN
->
-Both functions return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_FAILURE</SPAN
->
-if the buffer is corrupt or
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_UNEXPECTEDEND</SPAN
->
-if the buffer has less space than expected for the components of the
-encoded string or address.</P
-><P
-><TT
-CLASS="FUNCTION"
->lwres_getaddrsbyname()</TT
->
-returns
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_SUCCESS</SPAN
->
-on success and it returns
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_NOTFOUND</SPAN
->
-if the hostname
-<TT
-CLASS="PARAMETER"
-><I
->name</I
-></TT
->
-could not be found.</P
-><P
-><SPAN
-CLASS="ERRORCODE"
->LWRES_R_SUCCESS</SPAN
->
-is returned by a successful call to
-<TT
-CLASS="FUNCTION"
->lwres_getnamebyaddr()</TT
->.</P
-><P
->Both
-<TT
-CLASS="FUNCTION"
->lwres_getaddrsbyname()</TT
->
-and
-<TT
-CLASS="FUNCTION"
->lwres_getnamebyaddr()</TT
->
-return
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_NOMEMORY</SPAN
->
-when memory allocation requests fail and
-<SPAN
-CLASS="ERRORCODE"
->LWRES_R_UNEXPECTEDEND</SPAN
->
-if the buffers used for sending queries and receiving replies are too
-small.</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN105"
-></A
-><H2
->SEE ALSO</H2
-><P
-><SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_buffer</SPAN
->(3)</SPAN
->,
-
-<SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->lwres_gabn</SPAN
->(3)</SPAN
->.</P
-></DIV
-></BODY
-></HTML
->
\ No newline at end of file
diff --git a/lib/liblwres/unix/include/lwres/net.h b/lib/liblwres/unix/include/lwres/net.h
deleted file mode 100644
index cb17700cd..000000000
--- a/lib/liblwres/unix/include/lwres/net.h
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: net.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef LWRES_NET_H
-#define LWRES_NET_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Basic Networking Types
- *
- * This module is responsible for defining the following basic networking
- * types:
- *
- * struct in_addr
- * struct in6_addr
- * struct sockaddr
- * struct sockaddr_in
- * struct sockaddr_in6
- *
- * It ensures that the AF_ and PF_ macros are defined.
- *
- * It declares ntoh[sl]() and hton[sl]().
- *
- * It declares lwres_net_aton(), lwres_net_ntop(), and lwres_net_pton().
- *
- * It ensures that INADDR_LOOPBACK, INADDR_ANY and IN6ADDR_ANY_INIT
- * are defined.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <lwres/platform.h> /* Required for LWRES_PLATFORM_*. */
-
-#include <sys/types.h>
-#include <sys/socket.h> /* Contractual promise. */
-#include <sys/time.h>
-#include <sys/un.h>
-
-#include <netinet/in.h> /* Contractual promise. */
-#include <arpa/inet.h> /* Contractual promise. */
-#ifdef LWRES_PLATFORM_NEEDNETINETIN6H
-#include <netinet/in6.h> /* Required on UnixWare. */
-#endif
-#ifdef LWRES_PLATFORM_NEEDNETINET6IN6H
-#include <netinet6/in6.h> /* Required on BSD/OS for in6_pktinfo. */
-#endif
-
-#include <lwres/lang.h>
-
-#ifndef LWRES_PLATFORM_HAVEIPV6
-#include <lwres/ipv6.h> /* Contractual promise. */
-#endif
-
-#ifdef LWRES_PLATFORM_HAVEINADDR6
-#define in6_addr in_addr6 /* Required for pre RFC2133 implementations. */
-#endif
-
-/*
- * Required for some pre RFC2133 implementations.
- * IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT were added in
- * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.
- * If 's6_addr' is defined then assume that there is a union and three
- * levels otherwise assume two levels required.
- */
-#ifndef IN6ADDR_ANY_INIT
-#ifdef s6_addr
-#define IN6ADDR_ANY_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }
-#else
-#define IN6ADDR_ANY_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } }
-#endif
-#endif
-
-#ifndef IN6ADDR_LOOPBACK_INIT
-#ifdef s6_addr
-#define IN6ADDR_LOOPBACK_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } } }
-#else
-#define IN6ADDR_LOOPBACK_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } }
-#endif
-#endif
-
-#ifndef AF_INET6
-#define AF_INET6 99
-#endif
-
-#ifndef PF_INET6
-#define PF_INET6 AF_INET6
-#endif
-
-#ifndef INADDR_LOOPBACK
-#define INADDR_LOOPBACK 0x7f000001UL
-#endif
-
-LWRES_LANG_BEGINDECLS
-
-const char *
-lwres_net_ntop(int af, const void *src, char *dst, size_t size);
-
-int
-lwres_net_pton(int af, const char *src, void *dst);
-
-int
-lwres_net_aton(const char *cp, struct in_addr *addr);
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_NET_H */
diff --git a/lib/liblwres/version.c b/lib/liblwres/version.c
deleted file mode 100644
index ce0380d23..000000000
--- a/lib/liblwres/version.c
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.c,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-char lwres_version[] = VERSION;
-
-unsigned int lwres_libinterface = LIBINTERFACE;
-unsigned int lwres_librevision = LIBREVISION;
-unsigned int lwres_libage = LIBAGE;
diff --git a/linux/Documentation/Configure.help.fs2_0.patch b/linux/Documentation/Configure.help.fs2_0.patch
deleted file mode 100644
index 370b8944e..000000000
--- a/linux/Documentation/Configure.help.fs2_0.patch
+++ /dev/null
@@ -1,65 +0,0 @@
---- linux/Documentation/Configure.help.orig Tue Jan 9 16:29:20 2001
-+++ linux/Documentation/Configure.help Fri Aug 9 14:47:14 2002
-@@ -4979,2 +4979,62 @@
-
-+IP Security Protocol (IPSEC) (EXPERIMENTAL)
-+CONFIG_IPSEC
-+ This unit is experimental code.
-+ Pick 'y' for static linking, 'm' for module support or 'n' for none.
-+ This option adds support for network layer packet encryption and/or
-+ authentication with participating hosts. The standards start with:
-+ RFCs 2411, 2407 and 2401. Others are mentioned where they refer to
-+ specific features below. There are more pending which can be
-+ found at: ftp://ftp.ietf.org/internet-drafts/draft-ietf-ipsec-*.
-+ A description of each document can also be found at:
-+ http://ietf.org/ids.by.wg/ipsec.html.
-+ Their charter can be found at:
-+ http://www.ietf.org/html.charters/ipsec-charter.html
-+ Snapshots and releases of the current work can be found at:
-+ http://www.freeswan.org/
-+
-+IPSEC: IP-in-IP encapsulation
-+CONFIG_IPSEC_IPIP
-+ This option provides support for tunnel mode IPSEC. It is recommended
-+ to enable this.
-+
-+IPSEC: Authentication Header
-+CONFIG_IPSEC_AH
-+ This option provides support for the IPSEC Authentication Header
-+ (IP protocol 51) which provides packet layer sender and content
-+ authentication. It is recommended to enable this. RFC2402
-+
-+HMAC-MD5 algorithm
-+CONFIG_IPSEC_AUTH_HMAC_MD5
-+ Provides support for authentication using the HMAC MD5
-+ algorithm with 96 bits of hash used as the authenticator. RFC2403
-+
-+HMAC-SHA1 algorithm
-+CONFIG_IPSEC_AUTH_HMAC_SHA1
-+ Provides support for Authentication Header using the HMAC SHA1
-+ algorithm with 96 bits of hash used as the authenticator. RFC2404
-+
-+IPSEC: Encapsulating Security Payload
-+CONFIG_IPSEC_ESP
-+ This option provides support for the IPSEC Encapsulation Security
-+ Payload (IP protocol 50) which provides packet layer content
-+ hiding. It is recommended to enable this. RFC2406
-+
-+3DES algorithm
-+CONFIG_IPSEC_ENC_3DES
-+ Provides support for Encapsulation Security Payload protocol, using
-+ the triple DES encryption algorithm. RFC2451
-+
-+IPSEC Debugging Option
-+CONFIG_IPSEC_DEBUG
-+ Enables IPSEC kernel debugging. It is further controlled by the
-+ user space utility 'klipsdebug'.
-+
-+IPSEC Regression Testing option
-+CONFIG_IPSEC_REGRESS
-+ Enables IPSEC regression testing. Creates a number of switches in
-+ /proc/sys/net/ipsec which cause various failure modes in KLIPS.
-+ For more details see FreeSWAN source under
-+ testing/doc/regression_options.txt.
-+
- # need an empty line after last entry, for sed script in Configure.
diff --git a/linux/Documentation/Configure.help.fs2_2.patch b/linux/Documentation/Configure.help.fs2_2.patch
deleted file mode 100644
index 52a133410..000000000
--- a/linux/Documentation/Configure.help.fs2_2.patch
+++ /dev/null
@@ -1,70 +0,0 @@
---- /a3/kernel_sources/linux-2.2.20/Documentation/Configure.help Fri Nov 2 11:39:05 2001
-+++ linux2.2/Documentation/Configure.help Mon Jul 29 15:42:26 2002
-@@ -15237,5 +15237,66 @@
-
--#
-+
-+IP Security Protocol (IPSEC) (EXPERIMENTAL)
-+CONFIG_IPSEC
-+ This unit is experimental code.
-+ Pick 'y' for static linking, 'm' for module support or 'n' for none.
-+ This option adds support for network layer packet encryption and/or
-+ authentication with participating hosts. The standards start with:
-+ RFCs 2411, 2407 and 2401. Others are mentioned where they refer to
-+ specific features below. There are more pending which can be found
-+ at: ftp://ftp.ietf.org/internet-drafts/draft-ietf-ipsec-*.
-+ A description of each document can also be found at:
-+ http://ietf.org/ids.by.wg/ipsec.html.
-+ Their charter can be found at:
-+ http://www.ietf.org/html.charters/ipsec-charter.html
-+ Snapshots and releases of the current work can be found at:
-+ http://www.freeswan.org/
-+
-+IPSEC: IP-in-IP encapsulation
-+CONFIG_IPSEC_IPIP
-+ This option provides support for tunnel mode IPSEC. It is recommended
-+ to enable this.
-+
-+IPSEC: Authentication Header
-+CONFIG_IPSEC_AH
-+ This option provides support for the IPSEC Authentication Header
-+ (IP protocol 51) which provides packet layer sender and content
-+ authentication. It is recommended to enable this. RFC2402
-+
-+HMAC-MD5 algorithm
-+CONFIG_IPSEC_AUTH_HMAC_MD5
-+ Provides support for authentication using the HMAC MD5
-+ algorithm with 96 bits of hash used as the authenticator. RFC2403
-+
-+HMAC-SHA1 algorithm
-+CONFIG_IPSEC_AUTH_HMAC_SHA1
-+ Provides support for Authentication Header using the HMAC SHA1
-+ algorithm with 96 bits of hash used as the authenticator. RFC2404
-+
-+IPSEC: Encapsulating Security Payload
-+CONFIG_IPSEC_ESP
-+ This option provides support for the IPSEC Encapsulation Security
-+ Payload (IP protocol 50) which provides packet layer content
-+ hiding. It is recommended to enable this. RFC2406
-+
-+3DES algorithm
-+CONFIG_IPSEC_ENC_3DES
-+ Provides support for Encapsulation Security Payload protocol, using
-+ the triple DES encryption algorithm. RFC2451
-+
-+IPSEC Debugging Option
-+CONFIG_IPSEC_DEBUG
-+ Enables IPSEC kernel debugging. It is further controlled by the
-+ user space utility 'klipsdebug'.
-+
-+IPSEC Regression Testing option
-+CONFIG_IPSEC_REGRESS
-+ Enables IPSEC regression testing. Creates a number of switches in
-+ /proc/sys/net/ipsec which cause various failure modes in KLIPS.
-+ For more details see FreeSWAN source under
-+ testing/doc/regression_options.txt.
-+
-+#
- # A couple of things I keep forgetting:
- # capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet,
- # Intel, IRQ, Linux, MSDOS, NetWare, NetWinder, NFS,
diff --git a/linux/Documentation/Configure.help.fs2_4.patch b/linux/Documentation/Configure.help.fs2_4.patch
deleted file mode 100644
index 863d69c35..000000000
--- a/linux/Documentation/Configure.help.fs2_4.patch
+++ /dev/null
@@ -1,69 +0,0 @@
---- linux/Documentation/Configure.help.orig Fri Dec 21 12:41:53 2001
-+++ linux/Documentation/Configure.help Mon Jul 29 16:35:32 2002
-@@ -24237,5 +24237,65 @@
-
--#
-+IP Security Protocol (IPSEC) (EXPERIMENTAL)
-+CONFIG_IPSEC
-+ This unit is experimental code.
-+ Pick 'y' for static linking, 'm' for module support or 'n' for none.
-+ This option adds support for network layer packet encryption and/or
-+ authentication with participating hosts. The standards start with:
-+ RFCs 2411, 2407 and 2401. Others are mentioned where they refer to
-+ specific features below. There are more pending which can be found
-+ at: ftp://ftp.ietf.org/internet-drafts/draft-ietf-ipsec-*.
-+ A description of each document can also be found at:
-+ http://ietf.org/ids.by.wg/ipsec.html.
-+ Their charter can be found at:
-+ http://www.ietf.org/html.charters/ipsec-charter.html
-+ Snapshots and releases of the current work can be found at:
-+ http://www.freeswan.org/
-+
-+IPSEC: IP-in-IP encapsulation
-+CONFIG_IPSEC_IPIP
-+ This option provides support for tunnel mode IPSEC. It is recommended
-+ to enable this.
-+
-+IPSEC: Authentication Header
-+CONFIG_IPSEC_AH
-+ This option provides support for the IPSEC Authentication Header
-+ (IP protocol 51) which provides packet layer sender and content
-+ authentication. It is recommended to enable this. RFC2402
-+
-+HMAC-MD5 algorithm
-+CONFIG_IPSEC_AUTH_HMAC_MD5
-+ Provides support for authentication using the HMAC MD5
-+ algorithm with 96 bits of hash used as the authenticator. RFC2403
-+
-+HMAC-SHA1 algorithm
-+CONFIG_IPSEC_AUTH_HMAC_SHA1
-+ Provides support for Authentication Header using the HMAC SHA1
-+ algorithm with 96 bits of hash used as the authenticator. RFC2404
-+
-+IPSEC: Encapsulating Security Payload
-+CONFIG_IPSEC_ESP
-+ This option provides support for the IPSEC Encapsulation Security
-+ Payload (IP protocol 50) which provides packet layer content
-+ hiding. It is recommended to enable this. RFC2406
-+
-+3DES algorithm
-+CONFIG_IPSEC_ENC_3DES
-+ Provides support for Encapsulation Security Payload protocol, using
-+ the triple DES encryption algorithm. RFC2451
-+
-+IPSEC Debugging Option
-+CONFIG_IPSEC_DEBUG
-+ Enables IPSEC kernel debugging. It is further controlled by the
-+ user space utility 'klipsdebug'.
-+
-+IPSEC Regression Testing option
-+CONFIG_IPSEC_REGRESS
-+ Enables IPSEC regression testing. Creates a number of switches in
-+ /proc/sys/net/ipsec which cause various failure modes in KLIPS.
-+ For more details see FreeSWAN source under
-+ testing/doc/regression_options.txt.
-+
-+#
- # A couple of things I keep forgetting:
- # capitalize: AppleTalk, Ethernet, DOS, DMA, FAT, FTP, Internet,
- # Intel, IRQ, ISDN, Linux, MSDOS, NetWare, NetWinder,
diff --git a/linux/Makefile b/linux/Makefile
deleted file mode 100644
index b5715105f..000000000
--- a/linux/Makefile
+++ /dev/null
@@ -1,32 +0,0 @@
-# FreeS/WAN subdir makefile
-# Copyright (C) 1998-2001 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:25 as Exp $
-
-FREESWANSRCDIR=..
-#SUBDIRS=net/ipsec
-
-include $(FREESWANSRCDIR)/Makefile.inc
-
-def:
- @echo "Please read doc/intro.html or INSTALL before running make"
- @false
-
-cleanall distclean mostlyclean realclean install programs checkprograms check clean spotless modules install_file_list:
- @true
-
-# @for d in $(SUBDIRS); \
-# do \
-# (cd $$d && $(MAKE) TOPDIR=${KERNELSRC} FREESWANSRCDIR=$(FREESWANSRCDIR)/.. $@ ) || exit 1 ; \
-# done
-
diff --git a/linux/README.freeswan b/linux/README.freeswan
deleted file mode 100644
index 7d868e4cb..000000000
--- a/linux/README.freeswan
+++ /dev/null
@@ -1,177 +0,0 @@
-*
-* RCSID $Id: README.freeswan,v 1.1 2004/03/15 20:35:25 as Exp $
-*
-
- ****************************************
- * IPSEC for Linux, Release 2.xx series *
- ****************************************
-
-
-
-1. Files
-
-The contents of linux/net/ipsec/ (see below) join the linux kernel source tree.
-as provided for higher up.
-
-The programs/ directory contains the user-level utilities which you need
-to run IPSEC. See the top-level top/INSTALL to compile and install them.
-
-The test/ directory contains test scripts.
-
-The doc/ directory contains -- what else -- documentation.
-
-1.1. Kernel files
-
-The following are found in net/ipsec/:
-
-Makefile The Makefile
-Config.in The configuration script for make menuconfig
-defconfig Configuration defaults for first time.
-
-radij.c General-purpose radix-tree operations
-
-ipcomp.c IPCOMP interface code.
-
-pfkey_v2.c PF_KEYv2 socket interface code.
-pfkey_v2_parser.c PF_KEYv2 message parsing and processing code.
-
-ipsec_init.c Initialization code, /proc interface.
-ipsec_radij.c Interface with the radix tree code.
-ipsec_netlink.c Interface with the netlink code.
-ipsec_xform.c Routines and structures common to transforms.
-ipsec_tunnel.c The outgoing packet processing code.
-ipsec_rcv.c The incoming packet processing code.
-ipsec_md5c.c Somewhat modified RSADSI MD5 C code.
-ipsec_sha1.c Somewhat modified Steve Reid SHA-1 C code.
-
-sysctl_net_ipsec.c /proc/sys/net/ipsec/* variable definitions.
-
-version.c symbolic link to project version.
-
-radij.h Headers for radij.c
-
-ipcomp.h Headers used by IPCOMP code.
-
-ipsec_radij.h Interface with the radix tree code.
-ipsec_netlink.h Headers used by the netlink interface.
-ipsec_encap.h Headers defining encapsulation structures.
-ipsec_xform.h Transform headers.
-ipsec_tunnel.h Headers used by tunneling code.
-ipsec_ipe4.h Headers for the IP-in-IP code.
-ipsec_ah.h Headers common to AH transforms.
-ipsec_md5h.h RSADSI MD5 headers.
-ipsec_sha1.h SHA-1 headers.
-ipsec_esp.h Headers common to ESP transfroms.
-ipsec_rcv.h Headers for incoming packet processing code.
-
-1.2. User-level files.
-
-The following are found in utils/:
-
-eroute.c Create an "extended route" source code
-spi.c Set up Security Associations source code
-spigrp.c Link SPIs together source code.
-tncfg.c Configure the tunneling features of the virtual interface
- source code
-klipsdebug.c Set/reset klips debugging features source code.
-version.c symbolic link to project version.
-
-eroute.8 Create an "extended route" manual page
-spi.8 Set up Security Associations manual page
-spigrp.8 Link SPIs together manual page
-tncfg.8 Configure the tunneling features of the virtual interface
- manual page
-klipsdebug.8 Set/reset klips debugging features manual page
-
-eroute.5 /proc/net/ipsec_eroute format manual page
-spi.5 /proc/net/ipsec_spi format manual page
-spigrp.5 /proc/net/ipsec_spigrp format manual page
-tncfg.5 /proc/net/ipsec_tncfg format manual page
-klipsdebug.5 /proc/net/ipsec_klipsdebug format manual page
-version.5 /proc/net/ipsec_version format manual page
-pf_key.5 /proc/net/pf_key format manual page
-
-Makefile Utilities makefile.
-
-*.8 Manpages for the respective utils.
-
-
-1.3. Test files
-
-The test scripts are locate in testing/ and and documentation is found
-at doc/src/umltesting.html. Automated testing via "make check" is available
-provided that the User-Mode-Linux patches are available.
-
-*
-* $Log: README.freeswan,v $
-* Revision 1.1 2004/03/15 20:35:25 as
-* added files from freeswan-2.04-x509-1.5.3
-*
-* Revision 1.11 2002/07/28 23:00:14 mcr
-* removed docs on "test" directory.
-* some slight "updates"
-*
-* Revision 1.10 2002/05/06 21:34:19 mcr
-* Moved from linux/README,v
-*
-* Revision 1.9 2002/04/24 07:36:35 mcr
-* Moved from ./klips/README,v
-*
-* Revision 1.8 2000/11/06 05:42:58 rgb
-* Updated file list (had not been done in 2 years?).
-*
-* Revision 1.7 2000/08/21 17:30:09 rgb
-* Remove any references to src/.
-*
-* Revision 1.6 1999/04/06 04:54:22 rgb
-* Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
-* patch shell fixes.
-*
-* Revision 1.5 1998/11/25 04:54:34 rgb
-* Updated files section to include newer transforms and other files.
-*
-* Revision 1.4 1998/05/01 03:47:17 rgb
-* Minor cleanup of utils filenames overlooked in major overhaul.
-*
-* Revision 1.3 1998/05/01 03:40:31 rgb
-* Major overhaul.
-* Removed install/initialise section with pointers to top-level INSTALL.txt.
-* Updated filelists and providing descriptions of all files.
-* Removed usage example and moved it to doc/*_setup.txt.
-*
-* Revision 1.2 1998/04/09 03:01:13 henry
-* INSTALL.txt moves up, loses its installation instructions, and turns
-* into the klips README.
-*
-* Revision 1.1.1.1 1998/04/08 05:35:13 henry
-* RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
-*
-*
-* Revision 0.7 rgb
-* Cleaned up several transmission bugs.
-*
-* Revision 0.6 1997/09? ak
-* Hooked in esp des-md5-96.
-* Added copyrights.
-*
-* Revision 0.5 1997/06/03 04:28:46 ji
-* Added transport mode.
-* Added esp 3des-md5-96.
-*
-* Revision 0.4 1997/01/14 21:35:31 ji
-* Added new transforms.
-* Cleaned up the user-level programs.
-*
-* Revision 0.3 1996/11/20 11:59:33 ji
-* *** empty log message ***
-*
-*
-* New in this release (0.3; works with the 2.0.24 kernel)
-*
-* > Cleaned up a fair amount of crud.
-* > Fixed truncated names of /proc/net entries.
-* > Made RCS versioning visible to the external release.
-* > Rationalized debugging facilities.
-* > Rationalized untar directory structure.
-* > Fixed non-incrementing IV in DES-CBC
-* > Cleaned up this file a bit and provided additional examples
diff --git a/linux/crypto/ciphers/des/COPYRIGHT b/linux/crypto/ciphers/des/COPYRIGHT
deleted file mode 100644
index 5469e1e46..000000000
--- a/linux/crypto/ciphers/des/COPYRIGHT
+++ /dev/null
@@ -1,50 +0,0 @@
-Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
-All rights reserved.
-
-This package is an DES implementation written by Eric Young (eay@cryptsoft.com).
-The implementation was written so as to conform with MIT's libdes.
-
-This library is free for commercial and non-commercial use as long as
-the following conditions are aheared to. The following conditions
-apply to all code found in this distribution.
-
-Copyright remains Eric Young's, and as such any Copyright notices in
-the code are not to be removed.
-If this package is used in a product, Eric Young should be given attribution
-as the author of that the SSL library. This can be in the form of a textual
-message at program startup or in documentation (online or textual) provided
-with the package.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-3. All advertising materials mentioning features or use of this software
- must display the following acknowledgement:
- This product includes software developed by Eric Young (eay@cryptsoft.com)
-
-THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-The license and distribution terms for any publically available version or
-derivative of this code cannot be changed. i.e. this code cannot simply be
-copied and put under another distrubution license
-[including the GNU Public License.]
-
-The reason behind this being stated in this direct manner is past
-experience in code simply being copied and the attribution removed
-from it and then being distributed as part of other packages. This
-implementation was a non-trivial and unpaid effort.
diff --git a/linux/crypto/ciphers/des/INSTALL b/linux/crypto/ciphers/des/INSTALL
deleted file mode 100644
index 32457d775..000000000
--- a/linux/crypto/ciphers/des/INSTALL
+++ /dev/null
@@ -1,69 +0,0 @@
-Check the CC and CFLAGS lines in the makefile
-
-If your C library does not support the times(3) function, change the
-#define TIMES to
-#undef TIMES in speed.c
-If it does, check the HZ value for the times(3) function.
-If your system does not define CLK_TCK it will be assumed to
-be 100.0.
-
-If possible use gcc v 2.7.?
-Turn on the maximum optimising (normally '-O3 -fomit-frame-pointer' for gcc)
-In recent times, some system compilers give better performace.
-
-type 'make'
-
-run './destest' to check things are ok.
-run './rpw' to check the tty code for reading passwords works.
-run './speed' to see how fast those optimisations make the library run :-)
-run './des_opts' to determin the best compile time options.
-
-The output from des_opts should be put in the makefile options and des_enc.c
-should be rebuilt. For 64 bit computers, do not use the DES_PTR option.
-For the DEC Alpha, edit des.h and change DES_LONG to 'unsigned int'
-and then you can use the 'DES_PTR' option.
-
-The file options.txt has the options listed for best speed on quite a
-few systems. Look and the options (UNROLL, PTR, RISC2 etc) and then
-turn on the relevent option in the Makefile
-
-There are some special Makefile targets that make life easier.
-make cc - standard cc build
-make gcc - standard gcc build
-make x86-elf - x86 assembler (elf), linux-elf.
-make x86-out - x86 assembler (a.out), FreeBSD
-make x86-solaris- x86 assembler
-make x86-bsdi - x86 assembler (a.out with primative assembler).
-
-If at all possible use the assembler (for Windows NT/95, use
-asm/win32.obj to link with). The x86 assembler is very very fast.
-
-A make install will by default install
-libdes.a in /usr/local/lib/libdes.a
-des in /usr/local/bin/des
-des_crypt.man in /usr/local/man/man3/des_crypt.3
-des.man in /usr/local/man/man1/des.1
-des.h in /usr/include/des.h
-
-des(1) should be compatible with sunOS's but I have been unable to
-test it.
-
-These routines should compile on MSDOS, most 32bit and 64bit version
-of Unix (BSD and SYSV) and VMS, without modification.
-The only problems should be #include files that are in the wrong places.
-
-These routines can be compiled under MSDOS.
-I have successfully encrypted files using des(1) under MSDOS and then
-decrypted the files on a SparcStation.
-I have been able to compile and test the routines with
-Microsoft C v 5.1 and Turbo C v 2.0.
-The code in this library is in no way optimised for the 16bit
-operation of MSDOS.
-
-When building for glibc, ignore all of the above and just unpack into
-glibc-1.??/des and then gmake as per normal.
-
-As a final note on performace. Certain CPUs like sparcs and Alpha often give
-a %10 speed difference depending on the link order. It is rather anoying
-when one program reports 'x' DES encrypts a second and another reports
-'x*0.9' the speed.
diff --git a/linux/crypto/ciphers/des/Makefile.objs b/linux/crypto/ciphers/des/Makefile.objs
deleted file mode 100644
index 4cef95963..000000000
--- a/linux/crypto/ciphers/des/Makefile.objs
+++ /dev/null
@@ -1,20 +0,0 @@
-obj-$(CONFIG_IPSEC_ENC_3DES) += cbc_enc.o
-#obj-$(CONFIG_IPSEC_ENC_3DES) += des_opts.o
-obj-$(CONFIG_IPSEC_ENC_3DES) += ecb_enc.o
-#obj-$(CONFIG_IPSEC_ENC_3DES) += fcrypt.o
-obj-$(CONFIG_IPSEC_ENC_3DES) += set_key.o
-
-ifeq ($(strip ${SUBARCH}),)
-SUBARCH:=${ARCH}
-endif
-
-ifeq (${SUBARCH},i386)
-obj-$(CONFIG_IPSEC_ENC_3DES) += dx86unix.o
-else
-obj-$(CONFIG_IPSEC_ENC_3DES) += des_enc.o
-endif
-
-
-
-
-
diff --git a/linux/crypto/ciphers/des/README b/linux/crypto/ciphers/des/README
deleted file mode 100644
index 621a5ab46..000000000
--- a/linux/crypto/ciphers/des/README
+++ /dev/null
@@ -1,54 +0,0 @@
-
- libdes, Version 4.01 10-Jan-97
-
- Copyright (c) 1997, Eric Young
- All rights reserved.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms specified in COPYRIGHT.
-
---
-The primary ftp site for this library is
-ftp://ftp.psy.uq.oz.au/pub/Crypto/DES/libdes-x.xx.tar.gz
-libdes is now also shipped with SSLeay. Primary ftp site of
-ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/SSLeay-x.x.x.tar.gz
-
-The best way to build this library is to build it as part of SSLeay.
-
-This kit builds a DES encryption library and a DES encryption program.
-It supports ecb, cbc, ofb, cfb, triple ecb, triple cbc, triple ofb,
-triple cfb, desx, and MIT's pcbc encryption modes and also has a fast
-implementation of crypt(3).
-It contains support routines to read keys from a terminal,
-generate a random key, generate a key from an arbitrary length string,
-read/write encrypted data from/to a file descriptor.
-
-The implementation was written so as to conform with the manual entry
-for the des_crypt(3) library routines from MIT's project Athena.
-
-destest should be run after compilation to test the des routines.
-rpw should be run after compilation to test the read password routines.
-The des program is a replacement for the sun des command. I believe it
-conforms to the sun version.
-
-The Imakefile is setup for use in the kerberos distribution.
-
-These routines are best compiled with gcc or any other good
-optimising compiler.
-Just turn you optimiser up to the highest settings and run destest
-after the build to make sure everything works.
-
-I believe these routines are close to the fastest and most portable DES
-routines that use small lookup tables (4.5k) that are publicly available.
-The fcrypt routine is faster than ufc's fcrypt (when compiling with
-gcc2 -O2) on the sparc 2 (1410 vs 1270) but is not so good on other machines
-(on a sun3/260 168 vs 336). It is a function of CPU on chip cache size.
-[ 10-Jan-97 and a function of an incorrect speed testing program in
- ufc which gave much better test figures that reality ].
-
-It is worth noting that on sparc and Alpha CPUs, performance of the DES
-library can vary by upto %10 due to the positioning of files after application
-linkage.
-
-Eric Young (eay@cryptsoft.com)
-
diff --git a/linux/crypto/ciphers/des/README.freeswan b/linux/crypto/ciphers/des/README.freeswan
deleted file mode 100644
index 40874d5f8..000000000
--- a/linux/crypto/ciphers/des/README.freeswan
+++ /dev/null
@@ -1,33 +0,0 @@
-The only changes the FreeS/WAN project has made to libdes-lite 4.04b are:
-
-We #ifdef-ed the declaration of DES_LONG in des.h, so it's more efficient
-on the Alpha, instead of just noting the issue in a comment.
-
-We #ifdef-ed out the des_options() function in ecb_enc.c, because we don't
-use it, and its call to sprintf() can cause subtle difficulties when KLIPS
-is built as a module (depending on details of Linux configuration options).
-
-We changed some instances of CC=$(CC) in the Makefile to CC='$(CC)' to make
-it cope better with Linux kernel Makefile stupidities, and took out an
-explicit CC=gcc (unwise on systems with strange compilers).
-
-We deleted some references to <stdio.h> and <stdlib.h>, and a declaration
-of one function found only in the full libdes (not in libdes-lite), to
-avoid dragging in bits of stdio/stdlib unnecessarily. (Our thanks to Hans
-Schultz for spotting this and pointing out the fixes.)
-
-We deleted a couple of .obj files in the asm subdirectory, which appear to
-have been included in the original library by accident.
-
-We have added an include of our Makefile.inc file, to permit overriding
-things like choice of compiler (although the libdes Makefile would
-probably need some work to make this effective).
-
-
-
-Note that Eric Young is no longer at the email address listed in these
-files, and is (alas) no longer working on free crypto software.
-
-
-
-This file is RCSID $Id: README.freeswan,v 1.1 2004/03/15 20:35:25 as Exp $
diff --git a/linux/crypto/ciphers/des/VERSION b/linux/crypto/ciphers/des/VERSION
deleted file mode 100644
index 345035195..000000000
--- a/linux/crypto/ciphers/des/VERSION
+++ /dev/null
@@ -1,406 +0,0 @@
-Version 4.04
- Fixed a few tests in destest. Also added x86 assember for
- des_ncbc_encrypt() which is the standard cbc mode function.
- This makes a very very large performace difference.
- Ariel Glenn ariel@columbia.edu reports that the terminal
- 'turn echo off' can return (errno == EINVAL) under solaris
- when redirection is used. So I now catch that as well as ENOTTY.
-
-
-Version 4.03
- Left a static out of enc_write.c, which caused to buffer to be
- continiously malloc()ed. Does anyone use these functions? I keep
- on feeling like removing them since I only had these in there
- for a version of kerberised login. Anyway, this was pointed out
- by Theo de Raadt <deraadt@cvs.openbsd.org>
- The 'n' bit ofb code was wrong, it was not shifting the shift
- register. It worked correctly for n == 64. Thanks to
- Gigi Ankeny <Gigi.Ankeny@Eng.Sun.COM> for pointing this one out.
-
-Version 4.02
- I was doing 'if (memcmp(weak_keys[i],key,sizeof(key)) == 0)'
- when checking for weak keys which is wrong :-(, pointed out by
- Markus F.X.J. Oberhumer <markus.oberhumer@jk.uni-linz.ac.at>.
-
-Version 4.01
- Even faster inner loop in the DES assembler for x86 and a modification
- for IP/FP which is faster on x86. Both of these changes are
- from Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>. His
- changes make the assembler run %40 faster on a pentium. This is just
- a case of getting the instruction sequence 'just right'.
- All credit to 'Svend' :-)
- Quite a few special x86 'make' targets.
- A libdes-l (lite) distribution.
-
-Version 4.00
- After a bit of a pause, I'll up the major version number since this
- is mostly a performace release. I've added x86 assembler and
- added more options for performance. A %28 speedup for gcc
- on a pentium and the assembler is a %50 speedup.
- MIPS CPU's, sparc and Alpha are the main CPU's with speedups.
- Run des_opts to work out which options should be used.
- DES_RISC1/DES_RISC2 use alternative inner loops which use
- more registers but should give speedups on any CPU that does
- dual issue (pentium). DES_UNROLL unrolls the inner loop,
- which costs in code size.
-
-Version 3.26
- I've finally removed one of the shifts in D_ENCRYPT. This
- meant I've changed the des_SPtrans table (spr.h), the set_key()
- function and some things in des_enc.c. This has definitly
- made things faster :-). I've known about this one for some
- time but I've been too lazy to follow it up :-).
- Noticed that in the D_ENCRYPT() macro, we can just do L^=(..)^(..)^..
- instead of L^=((..)|(..)|(..).. This should save a register at
- least.
- Assember for x86. The file to replace is des_enc.c, which is replaced
- by one of the assembler files found in asm. Look at des/asm/readme
- for more info.
-
- /* Modification to fcrypt so it can be compiled to support
- HPUX 10.x's long password format, define -DLONGCRYPT to use this.
- Thanks to Jens Kupferschmidt <bt1cu@hpboot.rz.uni-leipzig.de>. */
-
- SIGWINCH case put in des_read_passwd() so the function does not
- 'exit' if this function is recieved.
-
-Version 3.25 17/07/96
- Modified read_pwd.c so that stdin can be read if not a tty.
- Thanks to Jeff Barber <jeffb@issl.atl.hp.com> for the patches.
- des_init_random_number_generator() shortened due to VMS linker
- limits.
- Added RSA's DESX cbc mode. It is a form of cbc encryption, with 2
- 8 byte quantites xored before and after encryption.
- des_xcbc_encryption() - the name is funny to preserve the des_
- prefix on all functions.
-
-Version 3.24 20/04/96
- The DES_PTR macro option checked and used by SSLeay configuration
-
-Version 3.23 11/04/96
- Added DES_LONG. If defined to 'unsigned int' on the DEC Alpha,
- it gives a %20 speedup :-)
- Fixed the problem with des.pl under perl5. The patches were
- sent by Ed Kubaitis (ejk@uiuc.edu).
- if fcrypt.c, changed values to handle illegal salt values the way
- normal crypt() implementations do. Some programs apparently use
- them :-(. The patch was sent by Bjorn Gronvall <bg@sics.se>
-
-Version 3.22 29/11/95
- Bug in des(1), an error with the uuencoding stuff when the
- 'data' is small, thanks to Geoff Keating <keagchon@mehta.anu.edu.au>
- for the patch.
-
-Version 3.21 22/11/95
- After some emailing back and forth with
- Colin Plumb <colin@nyx10.cs.du.edu>, I've tweaked a few things
- and in a future version I will probably put in some of the
- optimisation he suggested for use with the DES_USE_PTR option.
- Extra routines from Mark Murray <mark@grondar.za> for use in
- freeBSD. They mostly involve random number generation for use
- with kerberos. They involve evil machine specific system calls
- etc so I would normally suggest pushing this stuff into the
- application and/or using RAND_seed()/RAND_bytes() if you are
- using this DES library as part of SSLeay.
- Redone the read_pw() function so that it is cleaner and
- supports termios, thanks to Sameer Parekh <sameer@c2.org>
- for the initial patches for this.
- Renamed 3ecb_encrypt() to ecb3_encrypt(). This has been
- done just to make things more consistent.
- I have also now added triple DES versions of cfb and ofb.
-
-Version 3.20
- Damn, Damn, Damn, as pointed out by Mike_Spreitzer.PARC@xerox.com,
- my des_random_seed() function was only copying 4 bytes of the
- passed seed into the init structure. It is now fixed to copy 8.
- My own suggestion is to used something like MD5 :-)
-
-Version 3.19
- While looking at my code one day, I though, why do I keep on
- calling des_encrypt(in,out,ks,enc) when every function that
- calls it has in and out the same. So I dropped the 'out'
- parameter, people should not be using this function.
-
-Version 3.18 30/08/95
- Fixed a few bit with the distribution and the filenames.
- 3.17 had been munged via a move to DOS and back again.
- NO CODE CHANGES
-
-Version 3.17 14/07/95
- Fixed ede3 cbc which I had broken in 3.16. I have also
- removed some unneeded variables in 7-8 of the routines.
-
-Version 3.16 26/06/95
- Added des_encrypt2() which does not use IP/FP, used by triple
- des routines. Tweaked things a bit elsewhere. %13 speedup on
- sparc and %6 on a R4400 for ede3 cbc mode.
-
-Version 3.15 06/06/95
- Added des_ncbc_encrypt(), it is des_cbc mode except that it is
- 'normal' and copies the new iv value back over the top of the
- passed parameter.
- CHANGED des_ede3_cbc_encrypt() so that it too now overwrites
- the iv. THIS WILL BREAK EXISTING CODE, but since this function
- only new, I feel I can change it, not so with des_cbc_encrypt :-(.
- I need to update the documentation.
-
-Version 3.14 31/05/95
- New release upon the world, as part of my SSL implementation.
- New copyright and usage stuff. Basically free for all to use
- as long as you say it came from me :-)
-
-Version 3.13 31/05/95
- A fix in speed.c, if HZ is not defined, I set it to 100.0
- which is reasonable for most unixes except SunOS 4.x.
- I now have a #ifdef sun but timing for SunOS 4.x looked very
- good :-(. At my last job where I used SunOS 4.x, it was
- defined to be 60.0 (look at the old INSTALL documentation), at
- the last release had it changed to 100.0 since I now work with
- Solaris2 and SVR4 boxes.
- Thanks to Rory Chisholm <rchishol@math.ethz.ch> for pointing this
- one out.
-
-Version 3.12 08/05/95
- As pointed out by The Crypt Keeper <tck@bend.UCSD.EDU>,
- my D_ENCRYPT macro in crypt() had an un-necessary variable.
- It has been removed.
-
-Version 3.11 03/05/95
- Added des_ede3_cbc_encrypt() which is cbc mode des with 3 keys
- and one iv. It is a standard and I needed it for my SSL code.
- It makes more sense to use this for triple DES than
- 3cbc_encrypt(). I have also added (or should I say tested :-)
- cfb64_encrypt() which is cfb64 but it will encrypt a partial
- number of bytes - 3 bytes in 3 bytes out. Again this is for
- my SSL library, as a form of encryption to use with SSL
- telnet.
-
-Version 3.10 22/03/95
- Fixed a bug in 3cbc_encrypt() :-(. When making repeated calls
- to cbc3_encrypt, the 2 iv values that were being returned to
- be used in the next call were reversed :-(.
- Many thanks to Bill Wade <wade@Stoner.COM> for pointing out
- this error.
-
-Version 3.09 01/02/95
- Fixed des_random_key to far more random, it was rather feeble
- with regards to picking the initial seed. The problem was
- pointed out by Olaf Kirch <okir@monad.swb.de>.
-
-Version 3.08 14/12/94
- Added Makefile.PL so libdes can be built into perl5.
- Changed des_locl.h so RAND is always defined.
-
-Version 3.07 05/12/94
- Added GNUmake and stuff so the library can be build with
- glibc.
-
-Version 3.06 30/08/94
- Added rpc_enc.c which contains _des_crypt. This is for use in
- secure_rpc v 4.0
- Finally fixed the cfb_enc problems.
- Fixed a few parameter parsing bugs in des (-3 and -b), thanks
- to Rob McMillan <R.McMillan@its.gu.edu.au>
-
-Version 3.05 21/04/94
- for unsigned long l; gcc does not produce ((l>>34) == 0)
- This causes bugs in cfb_enc.
- Thanks to Hadmut Danisch <danisch@ira.uka.de>
-
-Version 3.04 20/04/94
- Added a version number to des.c and libdes.a
-
-Version 3.03 12/01/94
- Fixed a bug in non zero iv in 3cbc_enc.
-
-Version 3.02 29/10/93
- I now work in a place where there are 6+ architectures and 14+
- OS versions :-).
- Fixed TERMIO definition so the most sys V boxes will work :-)
-
-Release upon comp.sources.misc
-Version 3.01 08/10/93
- Added des_3cbc_encrypt()
-
-Version 3.00 07/10/93
- Fixed up documentation.
- quad_cksum definitely compatible with MIT's now.
-
-Version 2.30 24/08/93
- Triple DES now defaults to triple cbc but can do triple ecb
- with the -b flag.
- Fixed some MSDOS uuen/uudecoding problems, thanks to
- Added prototypes.
-
-Version 2.22 29/06/93
- Fixed a bug in des_is_weak_key() which stopped it working :-(
- thanks to engineering@MorningStar.Com.
-
-Version 2.21 03/06/93
- des(1) with no arguments gives quite a bit of help.
- Added -c (generate ckecksum) flag to des(1).
- Added -3 (triple DES) flag to des(1).
- Added cfb and ofb routines to the library.
-
-Version 2.20 11/03/93
- Added -u (uuencode) flag to des(1).
- I have been playing with byte order in quad_cksum to make it
- compatible with MIT's version. All I can say is avid this
- function if possible since MIT's output is endian dependent.
-
-Version 2.12 14/10/92
- Added MSDOS specific macro in ecb_encrypt which gives a %70
- speed up when the code is compiled with turbo C.
-
-Version 2.11 12/10/92
- Speedup in set_key (recoding of PC-1)
- I now do it in 47 simple operations, down from 60.
- Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)
- for motivating me to look for a faster system :-)
- The speedup is probably less that 1% but it is still 13
- instructions less :-).
-
-Version 2.10 06/10/92
- The code now works on the 64bit ETA10 and CRAY without modifications or
- #defines. I believe the code should work on any machine that
- defines long, int or short to be 8 bytes long.
- Thanks to Shabbir J. Safdar (shabby@mentor.cc.purdue.edu)
- for helping me fix the code to run on 64bit machines (he had
- access to an ETA10).
- Thanks also to John Fletcher <john_fletcher@lccmail.ocf.llnl.gov>
- for testing the routines on a CRAY.
- read_password.c has been renamed to read_passwd.c
- string_to_key.c has been renamed to string2key.c
-
-Version 2.00 14/09/92
- Made mods so that the library should work on 64bit CPU's.
- Removed all my uchar and ulong defs. To many different
- versions of unix define them in their header files in too many
- different combinations :-)
- IRIX - Sillicon Graphics mods (mostly in read_password.c).
- Thanks to Andrew Daviel (advax@erich.triumf.ca)
-
-Version 1.99 26/08/92
- Fixed a bug or 2 in enc_read.c
- Fixed a bug in enc_write.c
- Fixed a pseudo bug in fcrypt.c (very obscure).
-
-Version 1.98 31/07/92
- Support for the ETA10. This is a strange machine that defines
- longs and ints as 8 bytes and shorts as 4 bytes.
- Since I do evil things with long * that assume that they are 4
- bytes. Look in the Makefile for the option to compile for
- this machine. quad_cksum appears to have problems but I
- will don't have the time to fix it right now, and this is not
- a function that uses DES and so will not effect the main uses
- of the library.
-
-Version 1.97 20/05/92 eay
- Fixed the Imakefile and made some changes to des.h to fix some
- problems when building this package with Kerberos v 4.
-
-Version 1.96 18/05/92 eay
- Fixed a small bug in string_to_key() where problems could
- occur if des_check_key was set to true and the string
- generated a weak key.
-
-Patch2 posted to comp.sources.misc
-Version 1.95 13/05/92 eay
- Added an alternative version of the D_ENCRYPT macro in
- ecb_encrypt and fcrypt. Depending on the compiler, one version or the
- other will be faster. This was inspired by
- Dana How <how@isl.stanford.edu>, and her pointers about doing the
- *(ulong *)((uchar *)ptr+(value&0xfc))
- vs
- ptr[value&0x3f]
- to stop the C compiler doing a <<2 to convert the long array index.
-
-Version 1.94 05/05/92 eay
- Fixed an incompatibility between my string_to_key and the MIT
- version. When the key is longer than 8 chars, I was wrapping
- with a different method. To use the old version, define
- OLD_STR_TO_KEY in the makefile. Thanks to
- viktor@newsu.shearson.com (Viktor Dukhovni).
-
-Version 1.93 28/04/92 eay
- Fixed the VMS mods so that echo is now turned off in
- read_password. Thanks again to brennan@coco.cchs.su.oz.AU.
- MSDOS support added. The routines can be compiled with
- Turbo C (v2.0) and MSC (v5.1). Make sure MSDOS is defined.
-
-Patch1 posted to comp.sources.misc
-Version 1.92 13/04/92 eay
- Changed D_ENCRYPT so that the rotation of R occurs outside of
- the loop. This required rotating all the longs in sp.h (now
- called spr.h). Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
- speed.c has been changed so it will work without SIGALRM. If
- times(3) is not present it will try to use ftime() instead.
-
-Version 1.91 08/04/92 eay
- Added -E/-D options to des(1) so it can use string_to_key.
- Added SVR4 mods suggested by witr@rwwa.COM
- Added VMS mods suggested by brennan@coco.cchs.su.oz.AU. If
- anyone knows how to turn of tty echo in VMS please tell me or
- implement it yourself :-).
- Changed FILE *IN/*OUT to *DES_IN/*DES_OUT since it appears VMS
- does not like IN/OUT being used.
-
-Libdes posted to comp.sources.misc
-Version 1.9 24/03/92 eay
- Now contains a fast small crypt replacement.
- Added des(1) command.
- Added des_rw_mode so people can use cbc encryption with
- enc_read and enc_write.
-
-Version 1.8 15/10/91 eay
- Bug in cbc_cksum.
- Many thanks to Keith Reynolds (keithr@sco.COM) for pointing this
- one out.
-
-Version 1.7 24/09/91 eay
- Fixed set_key :-)
- set_key is 4 times faster and takes less space.
- There are a few minor changes that could be made.
-
-Version 1.6 19/09/1991 eay
- Finally go IP and FP finished.
- Now I need to fix set_key.
- This version is quite a bit faster that 1.51
-
-Version 1.52 15/06/1991 eay
- 20% speedup in ecb_encrypt by changing the E bit selection
- to use 2 32bit words. This also required modification of the
- sp table. There is still a way to speedup the IP and IP-1
- (hints from outer@sq.com) still working on this one :-(.
-
-Version 1.51 07/06/1991 eay
- Faster des_encrypt by loop unrolling
- Fixed bug in quad_cksum.c (thanks to hughes@logos.ucs.indiana.edu)
-
-Version 1.50 28/05/1991 eay
- Optimised the code a bit more for the sparc. I have improved the
- speed of the inner des_encrypt by speeding up the initial and
- final permutations.
-
-Version 1.40 23/10/1990 eay
- Fixed des_random_key, it did not produce a random key :-(
-
-Version 1.30 2/10/1990 eay
- Have made des_quad_cksum the same as MIT's, the full package
- should be compatible with MIT's
- Have tested on a DECstation 3100
- Still need to fix des_set_key (make it faster).
- Does des_cbc_encrypts at 70.5k/sec on a 3100.
-
-Version 1.20 18/09/1990 eay
- Fixed byte order dependencies.
- Fixed (I hope) all the word alignment problems.
- Speedup in des_ecb_encrypt.
-
-Version 1.10 11/09/1990 eay
- Added des_enc_read and des_enc_write.
- Still need to fix des_quad_cksum.
- Still need to document des_enc_read and des_enc_write.
-
-Version 1.00 27/08/1990 eay
-
diff --git a/linux/crypto/ciphers/des/asm/crypt586.pl b/linux/crypto/ciphers/des/asm/crypt586.pl
deleted file mode 100644
index 297e38dec..000000000
--- a/linux/crypto/ciphers/des/asm/crypt586.pl
+++ /dev/null
@@ -1,204 +0,0 @@
-#!/usr/bin/perl
-#
-# The inner loop instruction sequence and the IP/FP modifications are from
-# Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>
-# I've added the stuff needed for crypt() but I've not worried about making
-# things perfect.
-#
-
-push(@INC,"perlasm","../../perlasm");
-require "x86asm.pl";
-
-&asm_init($ARGV[0],"crypt586.pl");
-
-$L="edi";
-$R="esi";
-
-&external_label("des_SPtrans");
-&fcrypt_body("fcrypt_body");
-&asm_finish();
-
-sub fcrypt_body
- {
- local($name,$do_ip)=@_;
-
- &function_begin($name,"EXTRN _des_SPtrans:DWORD");
-
- &comment("");
- &comment("Load the 2 words");
- $ks="ebp";
-
- &xor( $L, $L);
- &xor( $R, $R);
- &mov($ks,&wparam(1));
-
- &push(25); # add a variable
-
- &set_label("start");
- for ($i=0; $i<16; $i+=2)
- {
- &comment("");
- &comment("Round $i");
- &D_ENCRYPT($i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
-
- &comment("");
- &comment("Round ".sprintf("%d",$i+1));
- &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
- }
- &mov("ebx", &swtmp(0));
- &mov("eax", $L);
- &dec("ebx");
- &mov($L, $R);
- &mov($R, "eax");
- &mov(&swtmp(0), "ebx");
- &jnz(&label("start"));
-
- &comment("");
- &comment("FP");
- &mov("edx",&wparam(0));
-
- &FP_new($R,$L,"eax",3);
- &mov(&DWP(0,"edx","",0),"eax");
- &mov(&DWP(4,"edx","",0),$L);
-
- &pop("ecx"); # remove variable
-
- &function_end($name);
- }
-
-sub D_ENCRYPT
- {
- local($r,$L,$R,$S,$ks,$desSP,$u,$tmp1,$tmp2,$t)=@_;
-
- &mov( $u, &wparam(2)); # 2
- &mov( $t, $R);
- &shr( $t, 16); # 1
- &mov( $tmp2, &wparam(3)); # 2
- &xor( $t, $R); # 1
-
- &and( $u, $t); # 2
- &and( $t, $tmp2); # 2
-
- &mov( $tmp1, $u);
- &shl( $tmp1, 16); # 1
- &mov( $tmp2, $t);
- &shl( $tmp2, 16); # 1
- &xor( $u, $tmp1); # 2
- &xor( $t, $tmp2); # 2
- &mov( $tmp1, &DWP(&n2a($S*4),$ks,"",0)); # 2
- &xor( $u, $tmp1);
- &mov( $tmp2, &DWP(&n2a(($S+1)*4),$ks,"",0)); # 2
- &xor( $u, $R);
- &xor( $t, $R);
- &xor( $t, $tmp2);
-
- &and( $u, "0xfcfcfcfc" ); # 2
- &xor( $tmp1, $tmp1); # 1
- &and( $t, "0xcfcfcfcf" ); # 2
- &xor( $tmp2, $tmp2);
- &movb( &LB($tmp1), &LB($u) );
- &movb( &LB($tmp2), &HB($u) );
- &rotr( $t, 4 );
- &mov( $ks, &DWP(" $desSP",$tmp1,"",0));
- &movb( &LB($tmp1), &LB($t) );
- &xor( $L, $ks);
- &mov( $ks, &DWP("0x200+$desSP",$tmp2,"",0));
- &xor( $L, $ks);
- &movb( &LB($tmp2), &HB($t) );
- &shr( $u, 16);
- &mov( $ks, &DWP("0x100+$desSP",$tmp1,"",0));
- &xor( $L, $ks);
- &movb( &LB($tmp1), &HB($u) );
- &shr( $t, 16);
- &mov( $ks, &DWP("0x300+$desSP",$tmp2,"",0));
- &xor( $L, $ks);
- &mov( $ks, &wparam(1));
- &movb( &LB($tmp2), &HB($t) );
- &and( $u, "0xff" );
- &and( $t, "0xff" );
- &mov( $tmp1, &DWP("0x600+$desSP",$tmp1,"",0));
- &xor( $L, $tmp1);
- &mov( $tmp1, &DWP("0x700+$desSP",$tmp2,"",0));
- &xor( $L, $tmp1);
- &mov( $tmp1, &DWP("0x400+$desSP",$u,"",0));
- &xor( $L, $tmp1);
- &mov( $tmp1, &DWP("0x500+$desSP",$t,"",0));
- &xor( $L, $tmp1);
- }
-
-sub n2a
- {
- sprintf("%d",$_[0]);
- }
-
-# now has a side affect of rotating $a by $shift
-sub R_PERM_OP
- {
- local($a,$b,$tt,$shift,$mask,$last)=@_;
-
- &rotl( $a, $shift ) if ($shift != 0);
- &mov( $tt, $a );
- &xor( $a, $b );
- &and( $a, $mask );
- if ($notlast eq $b)
- {
- &xor( $b, $a );
- &xor( $tt, $a );
- }
- else
- {
- &xor( $tt, $a );
- &xor( $b, $a );
- }
- &comment("");
- }
-
-sub IP_new
- {
- local($l,$r,$tt,$lr)=@_;
-
- &R_PERM_OP($l,$r,$tt, 4,"0xf0f0f0f0",$l);
- &R_PERM_OP($r,$tt,$l,20,"0xfff0000f",$l);
- &R_PERM_OP($l,$tt,$r,14,"0x33333333",$r);
- &R_PERM_OP($tt,$r,$l,22,"0x03fc03fc",$r);
- &R_PERM_OP($l,$r,$tt, 9,"0xaaaaaaaa",$r);
-
- if ($lr != 3)
- {
- if (($lr-3) < 0)
- { &rotr($tt, 3-$lr); }
- else { &rotl($tt, $lr-3); }
- }
- if ($lr != 2)
- {
- if (($lr-2) < 0)
- { &rotr($r, 2-$lr); }
- else { &rotl($r, $lr-2); }
- }
- }
-
-sub FP_new
- {
- local($l,$r,$tt,$lr)=@_;
-
- if ($lr != 2)
- {
- if (($lr-2) < 0)
- { &rotl($r, 2-$lr); }
- else { &rotr($r, $lr-2); }
- }
- if ($lr != 3)
- {
- if (($lr-3) < 0)
- { &rotl($l, 3-$lr); }
- else { &rotr($l, $lr-3); }
- }
-
- &R_PERM_OP($l,$r,$tt, 0,"0xaaaaaaaa",$r);
- &R_PERM_OP($tt,$r,$l,23,"0x03fc03fc",$r);
- &R_PERM_OP($l,$r,$tt,10,"0x33333333",$l);
- &R_PERM_OP($r,$tt,$l,18,"0xfff0000f",$l);
- &R_PERM_OP($l,$tt,$r,12,"0xf0f0f0f0",$r);
- &rotr($tt , 4);
- }
-
diff --git a/linux/crypto/ciphers/des/asm/des-586.pl b/linux/crypto/ciphers/des/asm/des-586.pl
deleted file mode 100644
index 7f2e09fa7..000000000
--- a/linux/crypto/ciphers/des/asm/des-586.pl
+++ /dev/null
@@ -1,251 +0,0 @@
-#!/usr/bin/perl
-#
-# The inner loop instruction sequence and the IP/FP modifications are from
-# Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>
-#
-
-push(@INC,"perlasm","../../perlasm");
-require "x86asm.pl";
-require "cbc.pl";
-require "desboth.pl";
-
-# base code is in microsft
-# op dest, source
-# format.
-#
-
-&asm_init($ARGV[0],"des-586.pl");
-
-$L="edi";
-$R="esi";
-
-&external_label("des_SPtrans");
-&des_encrypt("des_encrypt",1);
-&des_encrypt("des_encrypt2",0);
-&des_encrypt3("des_encrypt3",1);
-&des_encrypt3("des_decrypt3",0);
-&cbc("des_ncbc_encrypt","des_encrypt","des_encrypt",0,4,5,3,5,-1);
-&cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",0,6,7,3,4,5);
-
-&asm_finish();
-
-sub des_encrypt
- {
- local($name,$do_ip)=@_;
-
- &function_begin_B($name,"EXTRN _des_SPtrans:DWORD");
-
- &push("esi");
- &push("edi");
-
- &comment("");
- &comment("Load the 2 words");
- $ks="ebp";
-
- if ($do_ip)
- {
- &mov($R,&wparam(0));
- &xor( "ecx", "ecx" );
-
- &push("ebx");
- &push("ebp");
-
- &mov("eax",&DWP(0,$R,"",0));
- &mov("ebx",&wparam(2)); # get encrypt flag
- &mov($L,&DWP(4,$R,"",0));
- &comment("");
- &comment("IP");
- &IP_new("eax",$L,$R,3);
- }
- else
- {
- &mov("eax",&wparam(0));
- &xor( "ecx", "ecx" );
-
- &push("ebx");
- &push("ebp");
-
- &mov($R,&DWP(0,"eax","",0));
- &mov("ebx",&wparam(2)); # get encrypt flag
- &rotl($R,3);
- &mov($L,&DWP(4,"eax","",0));
- &rotl($L,3);
- }
-
- &mov( $ks, &wparam(1) );
- &cmp("ebx","0");
- &je(&label("start_decrypt"));
-
- for ($i=0; $i<16; $i+=2)
- {
- &comment("");
- &comment("Round $i");
- &D_ENCRYPT($i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
-
- &comment("");
- &comment("Round ".sprintf("%d",$i+1));
- &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
- }
- &jmp(&label("end"));
-
- &set_label("start_decrypt");
-
- for ($i=15; $i>0; $i-=2)
- {
- &comment("");
- &comment("Round $i");
- &D_ENCRYPT(15-$i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
- &comment("");
- &comment("Round ".sprintf("%d",$i-1));
- &D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
- }
-
- &set_label("end");
-
- if ($do_ip)
- {
- &comment("");
- &comment("FP");
- &mov("edx",&wparam(0));
- &FP_new($L,$R,"eax",3);
-
- &mov(&DWP(0,"edx","",0),"eax");
- &mov(&DWP(4,"edx","",0),$R);
- }
- else
- {
- &comment("");
- &comment("Fixup");
- &rotr($L,3); # r
- &mov("eax",&wparam(0));
- &rotr($R,3); # l
- &mov(&DWP(0,"eax","",0),$L);
- &mov(&DWP(4,"eax","",0),$R);
- }
-
- &pop("ebp");
- &pop("ebx");
- &pop("edi");
- &pop("esi");
- &ret();
-
- &function_end_B($name);
- }
-
-sub D_ENCRYPT
- {
- local($r,$L,$R,$S,$ks,$desSP,$u,$tmp1,$tmp2,$t)=@_;
-
- &mov( $u, &DWP(&n2a($S*4),$ks,"",0));
- &xor( $tmp1, $tmp1);
- &mov( $t, &DWP(&n2a(($S+1)*4),$ks,"",0));
- &xor( $u, $R);
- &xor( $t, $R);
- &and( $u, "0xfcfcfcfc" );
- &and( $t, "0xcfcfcfcf" );
- &movb( &LB($tmp1), &LB($u) );
- &movb( &LB($tmp2), &HB($u) );
- &rotr( $t, 4 );
- &mov( $ks, &DWP(" $desSP",$tmp1,"",0));
- &movb( &LB($tmp1), &LB($t) );
- &xor( $L, $ks);
- &mov( $ks, &DWP("0x200+$desSP",$tmp2,"",0));
- &xor( $L, $ks); ######
- &movb( &LB($tmp2), &HB($t) );
- &shr( $u, 16);
- &mov( $ks, &DWP("0x100+$desSP",$tmp1,"",0));
- &xor( $L, $ks); ######
- &movb( &LB($tmp1), &HB($u) );
- &shr( $t, 16);
- &mov( $ks, &DWP("0x300+$desSP",$tmp2,"",0));
- &xor( $L, $ks);
- &mov( $ks, &wparam(1) );
- &movb( &LB($tmp2), &HB($t) );
- &and( $u, "0xff" );
- &and( $t, "0xff" );
- &mov( $tmp1, &DWP("0x600+$desSP",$tmp1,"",0));
- &xor( $L, $tmp1);
- &mov( $tmp1, &DWP("0x700+$desSP",$tmp2,"",0));
- &xor( $L, $tmp1);
- &mov( $tmp1, &DWP("0x400+$desSP",$u,"",0));
- &xor( $L, $tmp1);
- &mov( $tmp1, &DWP("0x500+$desSP",$t,"",0));
- &xor( $L, $tmp1);
- }
-
-sub n2a
- {
- sprintf("%d",$_[0]);
- }
-
-# now has a side affect of rotating $a by $shift
-sub R_PERM_OP
- {
- local($a,$b,$tt,$shift,$mask,$last)=@_;
-
- &rotl( $a, $shift ) if ($shift != 0);
- &mov( $tt, $a );
- &xor( $a, $b );
- &and( $a, $mask );
- if (!$last eq $b)
- {
- &xor( $b, $a );
- &xor( $tt, $a );
- }
- else
- {
- &xor( $tt, $a );
- &xor( $b, $a );
- }
- &comment("");
- }
-
-sub IP_new
- {
- local($l,$r,$tt,$lr)=@_;
-
- &R_PERM_OP($l,$r,$tt, 4,"0xf0f0f0f0",$l);
- &R_PERM_OP($r,$tt,$l,20,"0xfff0000f",$l);
- &R_PERM_OP($l,$tt,$r,14,"0x33333333",$r);
- &R_PERM_OP($tt,$r,$l,22,"0x03fc03fc",$r);
- &R_PERM_OP($l,$r,$tt, 9,"0xaaaaaaaa",$r);
-
- if ($lr != 3)
- {
- if (($lr-3) < 0)
- { &rotr($tt, 3-$lr); }
- else { &rotl($tt, $lr-3); }
- }
- if ($lr != 2)
- {
- if (($lr-2) < 0)
- { &rotr($r, 2-$lr); }
- else { &rotl($r, $lr-2); }
- }
- }
-
-sub FP_new
- {
- local($l,$r,$tt,$lr)=@_;
-
- if ($lr != 2)
- {
- if (($lr-2) < 0)
- { &rotl($r, 2-$lr); }
- else { &rotr($r, $lr-2); }
- }
- if ($lr != 3)
- {
- if (($lr-3) < 0)
- { &rotl($l, 3-$lr); }
- else { &rotr($l, $lr-3); }
- }
-
- &R_PERM_OP($l,$r,$tt, 0,"0xaaaaaaaa",$r);
- &R_PERM_OP($tt,$r,$l,23,"0x03fc03fc",$r);
- &R_PERM_OP($l,$r,$tt,10,"0x33333333",$l);
- &R_PERM_OP($r,$tt,$l,18,"0xfff0000f",$l);
- &R_PERM_OP($l,$tt,$r,12,"0xf0f0f0f0",$r);
- &rotr($tt , 4);
- }
-
diff --git a/linux/crypto/ciphers/des/asm/des686.pl b/linux/crypto/ciphers/des/asm/des686.pl
deleted file mode 100644
index cf1a82fb5..000000000
--- a/linux/crypto/ciphers/des/asm/des686.pl
+++ /dev/null
@@ -1,230 +0,0 @@
-#!/usr/bin/perl
-
-$prog="des686.pl";
-
-# base code is in microsft
-# op dest, source
-# format.
-#
-
-# WILL NOT WORK ANYMORE WITH desboth.pl
-require "desboth.pl";
-
-if ( ($ARGV[0] eq "elf"))
- { require "x86unix.pl"; }
-elsif ( ($ARGV[0] eq "a.out"))
- { $aout=1; require "x86unix.pl"; }
-elsif ( ($ARGV[0] eq "sol"))
- { $sol=1; require "x86unix.pl"; }
-elsif ( ($ARGV[0] eq "cpp"))
- { $cpp=1; require "x86unix.pl"; }
-elsif ( ($ARGV[0] eq "win32"))
- { require "x86ms.pl"; }
-else
- {
- print STDERR <<"EOF";
-Pick one target type from
- elf - linux, FreeBSD etc
- a.out - old linux
- sol - x86 solaris
- cpp - format so x86unix.cpp can be used
- win32 - Windows 95/Windows NT
-EOF
- exit(1);
- }
-
-&comment("Don't even think of reading this code");
-&comment("It was automatically generated by $prog");
-&comment("Which is a perl program used to generate the x86 assember for");
-&comment("any of elf, a.out, Win32, or Solaris");
-&comment("It can be found in SSLeay 0.6.5+ or in libdes 3.26+");
-&comment("eric <eay\@cryptsoft.com>");
-&comment("");
-
-&file("dx86xxxx");
-
-$L="edi";
-$R="esi";
-
-&des_encrypt("des_encrypt",1);
-&des_encrypt("des_encrypt2",0);
-
-&des_encrypt3("des_encrypt3",1);
-&des_encrypt3("des_decrypt3",0);
-
-&file_end();
-
-sub des_encrypt
- {
- local($name,$do_ip)=@_;
-
- &function_begin($name,"EXTRN _des_SPtrans:DWORD");
-
- &comment("");
- &comment("Load the 2 words");
- &mov("eax",&wparam(0));
- &mov($L,&DWP(0,"eax","",0));
- &mov($R,&DWP(4,"eax","",0));
-
- $ksp=&wparam(1);
-
- if ($do_ip)
- {
- &comment("");
- &comment("IP");
- &IP_new($L,$R,"eax");
- }
-
- &comment("");
- &comment("fixup rotate");
- &rotl($R,3);
- &rotl($L,3);
- &exch($L,$R);
-
- &comment("");
- &comment("load counter, key_schedule and enc flag");
- &mov("eax",&wparam(2)); # get encrypt flag
- &mov("ebp",&wparam(1)); # get ks
- &cmp("eax","0");
- &je(&label("start_decrypt"));
-
- # encrypting part
-
- for ($i=0; $i<16; $i+=2)
- {
- &comment("");
- &comment("Round $i");
- &D_ENCRYPT($L,$R,$i*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
-
- &comment("");
- &comment("Round ".sprintf("%d",$i+1));
- &D_ENCRYPT($R,$L,($i+1)*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
- }
- &jmp(&label("end"));
-
- &set_label("start_decrypt");
-
- for ($i=15; $i>0; $i-=2)
- {
- &comment("");
- &comment("Round $i");
- &D_ENCRYPT($L,$R,$i*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
- &comment("");
- &comment("Round ".sprintf("%d",$i-1));
- &D_ENCRYPT($R,$L,($i-1)*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
- }
-
- &set_label("end");
-
- &comment("");
- &comment("Fixup");
- &rotr($L,3); # r
- &rotr($R,3); # l
-
- if ($do_ip)
- {
- &comment("");
- &comment("FP");
- &FP_new($R,$L,"eax");
- }
-
- &mov("eax",&wparam(0));
- &mov(&DWP(0,"eax","",0),$L);
- &mov(&DWP(4,"eax","",0),$R);
-
- &function_end($name);
- }
-
-
-# The logic is to load R into 2 registers and operate on both at the same time.
-# We also load the 2 R's into 2 more registers so we can do the 'move word down a byte'
-# while also masking the other copy and doing a lookup. We then also accumulate the
-# L value in 2 registers then combine them at the end.
-sub D_ENCRYPT
- {
- local($L,$R,$S,$ks,$desSP,$u,$t,$tmp1,$tmp2,$tmp3)=@_;
-
- &mov( $u, &DWP(&n2a($S*4),$ks,"",0));
- &mov( $t, &DWP(&n2a(($S+1)*4),$ks,"",0));
- &xor( $u, $R );
- &xor( $t, $R );
- &rotr( $t, 4 );
-
- # the numbers at the end of the line are origional instruction order
- &mov( $tmp2, $u ); # 1 2
- &mov( $tmp1, $t ); # 1 1
- &and( $tmp2, "0xfc" ); # 1 4
- &and( $tmp1, "0xfc" ); # 1 3
- &shr( $t, 8 ); # 1 5
- &xor( $L, &DWP("0x100+$desSP",$tmp1,"",0)); # 1 7
- &shr( $u, 8 ); # 1 6
- &mov( $tmp1, &DWP(" $desSP",$tmp2,"",0)); # 1 8
-
- &mov( $tmp2, $u ); # 2 2
- &xor( $L, $tmp1 ); # 1 9
- &and( $tmp2, "0xfc" ); # 2 4
- &mov( $tmp1, $t ); # 2 1
- &and( $tmp1, "0xfc" ); # 2 3
- &shr( $t, 8 ); # 2 5
- &xor( $L, &DWP("0x300+$desSP",$tmp1,"",0)); # 2 7
- &shr( $u, 8 ); # 2 6
- &mov( $tmp1, &DWP("0x200+$desSP",$tmp2,"",0)); # 2 8
- &mov( $tmp2, $u ); # 3 2
-
- &xor( $L, $tmp1 ); # 2 9
- &and( $tmp2, "0xfc" ); # 3 4
-
- &mov( $tmp1, $t ); # 3 1
- &shr( $u, 8 ); # 3 6
- &and( $tmp1, "0xfc" ); # 3 3
- &shr( $t, 8 ); # 3 5
- &xor( $L, &DWP("0x500+$desSP",$tmp1,"",0)); # 3 7
- &mov( $tmp1, &DWP("0x400+$desSP",$tmp2,"",0)); # 3 8
-
- &and( $t, "0xfc" ); # 4 1
- &xor( $L, $tmp1 ); # 3 9
-
- &and( $u, "0xfc" ); # 4 2
- &xor( $L, &DWP("0x700+$desSP",$t,"",0)); # 4 3
- &xor( $L, &DWP("0x600+$desSP",$u,"",0)); # 4 4
- }
-
-sub PERM_OP
- {
- local($a,$b,$tt,$shift,$mask)=@_;
-
- &mov( $tt, $a );
- &shr( $tt, $shift );
- &xor( $tt, $b );
- &and( $tt, $mask );
- &xor( $b, $tt );
- &shl( $tt, $shift );
- &xor( $a, $tt );
- }
-
-sub IP_new
- {
- local($l,$r,$tt)=@_;
-
- &PERM_OP($r,$l,$tt, 4,"0x0f0f0f0f");
- &PERM_OP($l,$r,$tt,16,"0x0000ffff");
- &PERM_OP($r,$l,$tt, 2,"0x33333333");
- &PERM_OP($l,$r,$tt, 8,"0x00ff00ff");
- &PERM_OP($r,$l,$tt, 1,"0x55555555");
- }
-
-sub FP_new
- {
- local($l,$r,$tt)=@_;
-
- &PERM_OP($l,$r,$tt, 1,"0x55555555");
- &PERM_OP($r,$l,$tt, 8,"0x00ff00ff");
- &PERM_OP($l,$r,$tt, 2,"0x33333333");
- &PERM_OP($r,$l,$tt,16,"0x0000ffff");
- &PERM_OP($l,$r,$tt, 4,"0x0f0f0f0f");
- }
-
-sub n2a
- {
- sprintf("%d",$_[0]);
- }
diff --git a/linux/crypto/ciphers/des/asm/desboth.pl b/linux/crypto/ciphers/des/asm/desboth.pl
deleted file mode 100644
index 8f939953a..000000000
--- a/linux/crypto/ciphers/des/asm/desboth.pl
+++ /dev/null
@@ -1,79 +0,0 @@
-#!/usr/bin/perl
-
-$L="edi";
-$R="esi";
-
-sub des_encrypt3
- {
- local($name,$enc)=@_;
-
- &function_begin_B($name,"");
- &push("ebx");
- &mov("ebx",&wparam(0));
-
- &push("ebp");
- &push("esi");
-
- &push("edi");
-
- &comment("");
- &comment("Load the data words");
- &mov($L,&DWP(0,"ebx","",0));
- &mov($R,&DWP(4,"ebx","",0));
- &stack_push(3);
-
- &comment("");
- &comment("IP");
- &IP_new($L,$R,"edx",0);
-
- # put them back
-
- if ($enc)
- {
- &mov(&DWP(4,"ebx","",0),$R);
- &mov("eax",&wparam(1));
- &mov(&DWP(0,"ebx","",0),"edx");
- &mov("edi",&wparam(2));
- &mov("esi",&wparam(3));
- }
- else
- {
- &mov(&DWP(4,"ebx","",0),$R);
- &mov("esi",&wparam(1));
- &mov(&DWP(0,"ebx","",0),"edx");
- &mov("edi",&wparam(2));
- &mov("eax",&wparam(3));
- }
- &mov(&swtmp(2), (($enc)?"1":"0"));
- &mov(&swtmp(1), "eax");
- &mov(&swtmp(0), "ebx");
- &call("des_encrypt2");
- &mov(&swtmp(2), (($enc)?"0":"1"));
- &mov(&swtmp(1), "edi");
- &mov(&swtmp(0), "ebx");
- &call("des_encrypt2");
- &mov(&swtmp(2), (($enc)?"1":"0"));
- &mov(&swtmp(1), "esi");
- &mov(&swtmp(0), "ebx");
- &call("des_encrypt2");
-
- &stack_pop(3);
- &mov($L,&DWP(0,"ebx","",0));
- &mov($R,&DWP(4,"ebx","",0));
-
- &comment("");
- &comment("FP");
- &FP_new($L,$R,"eax",0);
-
- &mov(&DWP(0,"ebx","",0),"eax");
- &mov(&DWP(4,"ebx","",0),$R);
-
- &pop("edi");
- &pop("esi");
- &pop("ebp");
- &pop("ebx");
- &ret();
- &function_end_B($name);
- }
-
-
diff --git a/linux/crypto/ciphers/des/asm/perlasm/cbc.pl b/linux/crypto/ciphers/des/asm/perlasm/cbc.pl
deleted file mode 100644
index 278930579..000000000
--- a/linux/crypto/ciphers/des/asm/perlasm/cbc.pl
+++ /dev/null
@@ -1,342 +0,0 @@
-#!/usr/bin/perl
-
-# void des_ncbc_encrypt(input, output, length, schedule, ivec, enc)
-# des_cblock (*input);
-# des_cblock (*output);
-# long length;
-# des_key_schedule schedule;
-# des_cblock (*ivec);
-# int enc;
-#
-# calls
-# des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
-#
-
-#&cbc("des_ncbc_encrypt","des_encrypt",0);
-#&cbc("BF_cbc_encrypt","BF_encrypt","BF_encrypt",
-# 1,4,5,3,5,-1);
-#&cbc("des_ncbc_encrypt","des_encrypt","des_encrypt",
-# 0,4,5,3,5,-1);
-#&cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",
-# 0,6,7,3,4,5);
-#
-# When doing a cipher that needs bigendian order,
-# for encrypt, the iv is kept in bigendian form,
-# while for decrypt, it is kept in little endian.
-sub cbc
- {
- local($name,$enc_func,$dec_func,$swap,$iv_off,$enc_off,$p1,$p2,$p3)=@_;
- # name is the function name
- # enc_func and dec_func and the functions to call for encrypt/decrypt
- # swap is true if byte order needs to be reversed
- # iv_off is parameter number for the iv
- # enc_off is parameter number for the encrypt/decrypt flag
- # p1,p2,p3 are the offsets for parameters to be passed to the
- # underlying calls.
-
- &function_begin_B($name,"");
- &comment("");
-
- $in="esi";
- $out="edi";
- $count="ebp";
-
- &push("ebp");
- &push("ebx");
- &push("esi");
- &push("edi");
-
- $data_off=4;
- $data_off+=4 if ($p1 > 0);
- $data_off+=4 if ($p2 > 0);
- $data_off+=4 if ($p3 > 0);
-
- &mov($count, &wparam(2)); # length
-
- &comment("getting iv ptr from parameter $iv_off");
- &mov("ebx", &wparam($iv_off)); # Get iv ptr
-
- &mov($in, &DWP(0,"ebx","",0));# iv[0]
- &mov($out, &DWP(4,"ebx","",0));# iv[1]
-
- &push($out);
- &push($in);
- &push($out); # used in decrypt for iv[1]
- &push($in); # used in decrypt for iv[0]
-
- &mov("ebx", "esp"); # This is the address of tin[2]
-
- &mov($in, &wparam(0)); # in
- &mov($out, &wparam(1)); # out
-
- # We have loaded them all, how lets push things
- &comment("getting encrypt flag from parameter $enc_off");
- &mov("ecx", &wparam($enc_off)); # Get enc flag
- if ($p3 > 0)
- {
- &comment("get and push parameter $p3");
- if ($enc_off != $p3)
- { &mov("eax", &wparam($p3)); &push("eax"); }
- else { &push("ecx"); }
- }
- if ($p2 > 0)
- {
- &comment("get and push parameter $p2");
- if ($enc_off != $p2)
- { &mov("eax", &wparam($p2)); &push("eax"); }
- else { &push("ecx"); }
- }
- if ($p1 > 0)
- {
- &comment("get and push parameter $p1");
- if ($enc_off != $p1)
- { &mov("eax", &wparam($p1)); &push("eax"); }
- else { &push("ecx"); }
- }
- &push("ebx"); # push data/iv
-
- &cmp("ecx",0);
- &jz(&label("decrypt"));
-
- &and($count,0xfffffff8);
- &mov("eax", &DWP($data_off,"esp","",0)); # load iv[0]
- &mov("ebx", &DWP($data_off+4,"esp","",0)); # load iv[1]
-
- &jz(&label("encrypt_finish"));
-
- #############################################################
-
- &set_label("encrypt_loop");
- # encrypt start
- # "eax" and "ebx" hold iv (or the last cipher text)
-
- &mov("ecx", &DWP(0,$in,"",0)); # load first 4 bytes
- &mov("edx", &DWP(4,$in,"",0)); # second 4 bytes
-
- &xor("eax", "ecx");
- &xor("ebx", "edx");
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
- &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
-
- &call($enc_func);
-
- &mov("eax", &DWP($data_off,"esp","",0));
- &mov("ebx", &DWP($data_off+4,"esp","",0));
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov(&DWP(0,$out,"",0),"eax");
- &mov(&DWP(4,$out,"",0),"ebx");
-
- # eax and ebx are the next iv.
-
- &add($in, 8);
- &add($out, 8);
-
- &sub($count, 8);
- &jnz(&label("encrypt_loop"));
-
-###################################################################3
- &set_label("encrypt_finish");
- &mov($count, &wparam(2)); # length
- &and($count, 7);
- &jz(&label("finish"));
- &xor("ecx","ecx");
- &xor("edx","edx");
- &mov($count,&DWP(&label("cbc_enc_jmp_table"),"",$count,4));
- &jmp_ptr($count);
-
-&set_label("ej7");
- &xor("edx", "edx") if $ppro; # ppro friendly
- &movb(&HB("edx"), &BP(6,$in,"",0));
- &shl("edx",8);
-&set_label("ej6");
- &movb(&HB("edx"), &BP(5,$in,"",0));
-&set_label("ej5");
- &movb(&LB("edx"), &BP(4,$in,"",0));
-&set_label("ej4");
- &mov("ecx", &DWP(0,$in,"",0));
- &jmp(&label("ejend"));
-&set_label("ej3");
- &movb(&HB("ecx"), &BP(2,$in,"",0));
- &xor("ecx", "ecx") if $ppro; # ppro friendly
- &shl("ecx",8);
-&set_label("ej2");
- &movb(&HB("ecx"), &BP(1,$in,"",0));
-&set_label("ej1");
- &movb(&LB("ecx"), &BP(0,$in,"",0));
-&set_label("ejend");
-
- &xor("eax", "ecx");
- &xor("ebx", "edx");
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
- &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
-
- &call($enc_func);
-
- &mov("eax", &DWP($data_off,"esp","",0));
- &mov("ebx", &DWP($data_off+4,"esp","",0));
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov(&DWP(0,$out,"",0),"eax");
- &mov(&DWP(4,$out,"",0),"ebx");
-
- &jmp(&label("finish"));
-
- #############################################################
- #############################################################
- &set_label("decrypt",1);
- # decrypt start
- &and($count,0xfffffff8);
- # The next 2 instructions are only for if the jz is taken
- &mov("eax", &DWP($data_off+8,"esp","",0)); # get iv[0]
- &mov("ebx", &DWP($data_off+12,"esp","",0)); # get iv[1]
- &jz(&label("decrypt_finish"));
-
- &set_label("decrypt_loop");
- &mov("eax", &DWP(0,$in,"",0)); # load first 4 bytes
- &mov("ebx", &DWP(4,$in,"",0)); # second 4 bytes
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov(&DWP($data_off,"esp","",0), "eax"); # put back
- &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
-
- &call($dec_func);
-
- &mov("eax", &DWP($data_off,"esp","",0)); # get return
- &mov("ebx", &DWP($data_off+4,"esp","",0)); #
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov("ecx", &DWP($data_off+8,"esp","",0)); # get iv[0]
- &mov("edx", &DWP($data_off+12,"esp","",0)); # get iv[1]
-
- &xor("ecx", "eax");
- &xor("edx", "ebx");
-
- &mov("eax", &DWP(0,$in,"",0)); # get old cipher text,
- &mov("ebx", &DWP(4,$in,"",0)); # next iv actually
-
- &mov(&DWP(0,$out,"",0),"ecx");
- &mov(&DWP(4,$out,"",0),"edx");
-
- &mov(&DWP($data_off+8,"esp","",0), "eax"); # save iv
- &mov(&DWP($data_off+12,"esp","",0), "ebx"); #
-
- &add($in, 8);
- &add($out, 8);
-
- &sub($count, 8);
- &jnz(&label("decrypt_loop"));
-############################ ENDIT #######################3
- &set_label("decrypt_finish");
- &mov($count, &wparam(2)); # length
- &and($count, 7);
- &jz(&label("finish"));
-
- &mov("eax", &DWP(0,$in,"",0)); # load first 4 bytes
- &mov("ebx", &DWP(4,$in,"",0)); # second 4 bytes
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov(&DWP($data_off,"esp","",0), "eax"); # put back
- &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
-
- &call($dec_func);
-
- &mov("eax", &DWP($data_off,"esp","",0)); # get return
- &mov("ebx", &DWP($data_off+4,"esp","",0)); #
-
- &bswap("eax") if $swap;
- &bswap("ebx") if $swap;
-
- &mov("ecx", &DWP($data_off+8,"esp","",0)); # get iv[0]
- &mov("edx", &DWP($data_off+12,"esp","",0)); # get iv[1]
-
- &xor("ecx", "eax");
- &xor("edx", "ebx");
-
- # this is for when we exit
- &mov("eax", &DWP(0,$in,"",0)); # get old cipher text,
- &mov("ebx", &DWP(4,$in,"",0)); # next iv actually
-
-&set_label("dj7");
- &rotr("edx", 16);
- &movb(&BP(6,$out,"",0), &LB("edx"));
- &shr("edx",16);
-&set_label("dj6");
- &movb(&BP(5,$out,"",0), &HB("edx"));
-&set_label("dj5");
- &movb(&BP(4,$out,"",0), &LB("edx"));
-&set_label("dj4");
- &mov(&DWP(0,$out,"",0), "ecx");
- &jmp(&label("djend"));
-&set_label("dj3");
- &rotr("ecx", 16);
- &movb(&BP(2,$out,"",0), &LB("ecx"));
- &shl("ecx",16);
-&set_label("dj2");
- &movb(&BP(1,$in,"",0), &HB("ecx"));
-&set_label("dj1");
- &movb(&BP(0,$in,"",0), &LB("ecx"));
-&set_label("djend");
-
- # final iv is still in eax:ebx
- &jmp(&label("finish"));
-
-
-############################ FINISH #######################3
- &set_label("finish",1);
- &mov("ecx", &wparam($iv_off)); # Get iv ptr
-
- #################################################
- $total=16+4;
- $total+=4 if ($p1 > 0);
- $total+=4 if ($p2 > 0);
- $total+=4 if ($p3 > 0);
- &add("esp",$total);
-
- &mov(&DWP(0,"ecx","",0), "eax"); # save iv
- &mov(&DWP(4,"ecx","",0), "ebx"); # save iv
-
- &function_end_A($name);
-
- &set_label("cbc_enc_jmp_table",1);
- &data_word("0");
- &data_word(&label("ej1"));
- &data_word(&label("ej2"));
- &data_word(&label("ej3"));
- &data_word(&label("ej4"));
- &data_word(&label("ej5"));
- &data_word(&label("ej6"));
- &data_word(&label("ej7"));
- &set_label("cbc_dec_jmp_table",1);
- &data_word("0");
- &data_word(&label("dj1"));
- &data_word(&label("dj2"));
- &data_word(&label("dj3"));
- &data_word(&label("dj4"));
- &data_word(&label("dj5"));
- &data_word(&label("dj6"));
- &data_word(&label("dj7"));
-
- &function_end_B($name);
-
- }
-
-1;
diff --git a/linux/crypto/ciphers/des/asm/perlasm/readme b/linux/crypto/ciphers/des/asm/perlasm/readme
deleted file mode 100644
index f02bbee75..000000000
--- a/linux/crypto/ciphers/des/asm/perlasm/readme
+++ /dev/null
@@ -1,124 +0,0 @@
-The perl scripts in this directory are my 'hack' to generate
-multiple different assembler formats via the one origional script.
-
-The way to use this library is to start with adding the path to this directory
-and then include it.
-
-push(@INC,"perlasm","../../perlasm");
-require "x86asm.pl";
-
-The first thing we do is setup the file and type of assember
-
-&asm_init($ARGV[0],$0);
-
-The first argument is the 'type'. Currently
-'cpp', 'sol', 'a.out', 'elf' or 'win32'.
-Argument 2 is the file name.
-
-The reciprocal function is
-&asm_finish() which should be called at the end.
-
-There are 2 main 'packages'. x86ms.pl, which is the microsoft assembler,
-and x86unix.pl which is the unix (gas) version.
-
-Functions of interest are:
-&external_label("des_SPtrans"); declare and external variable
-&LB(reg); Low byte for a register
-&HB(reg); High byte for a register
-&BP(off,base,index,scale) Byte pointer addressing
-&DWP(off,base,index,scale) Word pointer addressing
-&stack_push(num) Basically a 'sub esp, num*4' with extra
-&stack_pop(num) inverse of stack_push
-&function_begin(name,extra) Start a function with pushing of
- edi, esi, ebx and ebp. extra is extra win32
- external info that may be required.
-&function_begin_B(name,extra) Same as norma function_begin but no pushing.
-&function_end(name) Call at end of function.
-&function_end_A(name) Standard pop and ret, for use inside functions
-&function_end_B(name) Call at end but with poping or 'ret'.
-&swtmp(num) Address on stack temp word.
-&wparam(num) Parameter number num, that was push
- in C convention. This all works over pushes
- and pops.
-&comment("hello there") Put in a comment.
-&label("loop") Refer to a label, normally a jmp target.
-&set_label("loop") Set a label at this point.
-&data_word(word) Put in a word of data.
-
-So how does this all hold together? Given
-
-int calc(int len, int *data)
- {
- int i,j=0;
-
- for (i=0; i<len; i++)
- {
- j+=other(data[i]);
- }
- }
-
-So a very simple version of this function could be coded as
-
- push(@INC,"perlasm","../../perlasm");
- require "x86asm.pl";
-
- &asm_init($ARGV[0],"cacl.pl");
-
- &external_label("other");
-
- $tmp1= "eax";
- $j= "edi";
- $data= "esi";
- $i= "ebp";
-
- &comment("a simple function");
- &function_begin("calc");
- &mov( $data, &wparam(1)); # data
- &xor( $j, $j);
- &xor( $i, $i);
-
- &set_label("loop");
- &cmp( $i, &wparam(0));
- &jge( &label("end"));
-
- &mov( $tmp1, &DWP(0,$data,$i,4));
- &push( $tmp1);
- &call( "other");
- &add( $j, "eax");
- &pop( $tmp1);
- &inc( $i);
- &jmp( &label("loop"));
-
- &set_label("end");
- &mov( "eax", $j);
-
- &function_end("calc");
-
- &asm_finish();
-
-The above example is very very unoptimised but gives an idea of how
-things work.
-
-There is also a cbc mode function generator in cbc.pl
-
-&cbc( $name,
- $encrypt_function_name,
- $decrypt_function_name,
- $true_if_byte_swap_needed,
- $parameter_number_for_iv,
- $parameter_number_for_encrypt_flag,
- $first_parameter_to_pass,
- $second_parameter_to_pass,
- $third_parameter_to_pass);
-
-So for example, given
-void BF_encrypt(BF_LONG *data,BF_KEY *key);
-void BF_decrypt(BF_LONG *data,BF_KEY *key);
-void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
- BF_KEY *ks, unsigned char *iv, int enc);
-
-&cbc("BF_cbc_encrypt","BF_encrypt","BF_encrypt",1,4,5,3,-1,-1);
-
-&cbc("des_ncbc_encrypt","des_encrypt","des_encrypt",0,4,5,3,5,-1);
-&cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",0,6,7,3,4,5);
-
diff --git a/linux/crypto/ciphers/des/asm/perlasm/x86asm.pl b/linux/crypto/ciphers/des/asm/perlasm/x86asm.pl
deleted file mode 100644
index 164a942c5..000000000
--- a/linux/crypto/ciphers/des/asm/perlasm/x86asm.pl
+++ /dev/null
@@ -1,111 +0,0 @@
-#!/usr/bin/perl
-
-# require 'x86asm.pl';
-# &asm_init("cpp","des-586.pl");
-# XXX
-# XXX
-# main'asm_finish
-
-sub main'asm_finish
- {
- &file_end();
- &asm_finish_cpp() if $cpp;
- print &asm_get_output();
- }
-
-sub main'asm_init
- {
- ($type,$fn)=@_;
- $filename=$fn;
-
- $cpp=$sol=$aout=$win32=0;
- if ( ($type eq "elf"))
- { require "x86unix.pl"; }
- elsif ( ($type eq "a.out"))
- { $aout=1; require "x86unix.pl"; }
- elsif ( ($type eq "sol"))
- { $sol=1; require "x86unix.pl"; }
- elsif ( ($type eq "cpp"))
- { $cpp=1; require "x86unix.pl"; }
- elsif ( ($type eq "win32"))
- { $win32=1; require "x86ms.pl"; }
- else
- {
- print STDERR <<"EOF";
-Pick one target type from
- elf - linux, FreeBSD etc
- a.out - old linux
- sol - x86 solaris
- cpp - format so x86unix.cpp can be used
- win32 - Windows 95/Windows NT
-EOF
- exit(1);
- }
-
- &asm_init_output();
-
-&comment("Don't even think of reading this code");
-&comment("It was automatically generated by $filename");
-&comment("Which is a perl program used to generate the x86 assember for");
-&comment("any of elf, a.out, BSDI,Win32, or Solaris");
-&comment("eric <eay\@cryptsoft.com>");
-&comment("");
-
- $filename =~ s/\.pl$//;
- &file($filename);
- }
-
-sub asm_finish_cpp
- {
- return unless $cpp;
-
- local($tmp,$i);
- foreach $i (&get_labels())
- {
- $tmp.="#define $i _$i\n";
- }
- print <<"EOF";
-/* Run the C pre-processor over this file with one of the following defined
- * ELF - elf object files,
- * OUT - a.out object files,
- * BSDI - BSDI style a.out object files
- * SOL - Solaris style elf
- */
-
-#define TYPE(a,b) .type a,b
-#define SIZE(a,b) .size a,b
-
-#if defined(OUT) || defined(BSDI)
-$tmp
-#endif
-
-#ifdef OUT
-#define OK 1
-#define ALIGN 4
-#endif
-
-#ifdef BSDI
-#define OK 1
-#define ALIGN 4
-#undef SIZE
-#undef TYPE
-#endif
-
-#if defined(ELF) || defined(SOL)
-#define OK 1
-#define ALIGN 16
-#endif
-
-#ifndef OK
-You need to define one of
-ELF - elf systems - linux-elf, NetBSD and DG-UX
-OUT - a.out systems - linux-a.out and FreeBSD
-SOL - solaris systems, which are elf with strange comment lines
-BSDI - a.out with a very primative version of as.
-#endif
-
-/* Let the Assembler begin :-) */
-EOF
- }
-
-1;
diff --git a/linux/crypto/ciphers/des/asm/perlasm/x86ms.pl b/linux/crypto/ciphers/des/asm/perlasm/x86ms.pl
deleted file mode 100644
index 0681ea18c..000000000
--- a/linux/crypto/ciphers/des/asm/perlasm/x86ms.pl
+++ /dev/null
@@ -1,345 +0,0 @@
-#!/usr/bin/perl
-
-package x86ms;
-
-$label="L000";
-
-%lb=( 'eax', 'al',
- 'ebx', 'bl',
- 'ecx', 'cl',
- 'edx', 'dl',
- 'ax', 'al',
- 'bx', 'bl',
- 'cx', 'cl',
- 'dx', 'dl',
- );
-
-%hb=( 'eax', 'ah',
- 'ebx', 'bh',
- 'ecx', 'ch',
- 'edx', 'dh',
- 'ax', 'ah',
- 'bx', 'bh',
- 'cx', 'ch',
- 'dx', 'dh',
- );
-
-sub main'asm_init_output { @out=(); }
-sub main'asm_get_output { return(@out); }
-sub main'get_labels { return(@labels); }
-sub main'external_label { push(@labels,@_); }
-
-sub main'LB
- {
- (defined($lb{$_[0]})) || die "$_[0] does not have a 'low byte'\n";
- return($lb{$_[0]});
- }
-
-sub main'HB
- {
- (defined($hb{$_[0]})) || die "$_[0] does not have a 'high byte'\n";
- return($hb{$_[0]});
- }
-
-sub main'BP
- {
- &get_mem("BYTE",@_);
- }
-
-sub main'DWP
- {
- &get_mem("DWORD",@_);
- }
-
-sub main'stack_push
- {
- local($num)=@_;
- $stack+=$num*4;
- &main'sub("esp",$num*4);
- }
-
-sub main'stack_pop
- {
- local($num)=@_;
- $stack-=$num*4;
- &main'add("esp",$num*4);
- }
-
-sub get_mem
- {
- local($size,$addr,$reg1,$reg2,$idx)=@_;
- local($t,$post);
- local($ret)="$size PTR ";
-
- $addr =~ s/^\s+//;
- if ($addr =~ /^(.+)\+(.+)$/)
- {
- $reg2=&conv($1);
- $addr="_$2";
- }
- elsif ($addr =~ /^[_a-zA-Z]/)
- {
- $addr="_$addr";
- }
-
- $reg1="$regs{$reg1}" if defined($regs{$reg1});
- $reg2="$regs{$reg2}" if defined($regs{$reg2});
- if (($addr ne "") && ($addr ne 0))
- {
- if ($addr !~ /^-/)
- { $ret.=$addr; }
- else { $post=$addr; }
- }
- if ($reg2 ne "")
- {
- $t="";
- $t="*$idx" if ($idx != 0);
- $reg1="+".$reg1 if ("$reg1$post" ne "");
- $ret.="[$reg2$t$reg1$post]";
- }
- else
- {
- $ret.="[$reg1$post]"
- }
- return($ret);
- }
-
-sub main'mov { &out2("mov",@_); }
-sub main'movb { &out2("mov",@_); }
-sub main'and { &out2("and",@_); }
-sub main'or { &out2("or",@_); }
-sub main'shl { &out2("shl",@_); }
-sub main'shr { &out2("shr",@_); }
-sub main'xor { &out2("xor",@_); }
-sub main'xorb { &out2("xor",@_); }
-sub main'add { &out2("add",@_); }
-sub main'adc { &out2("adc",@_); }
-sub main'sub { &out2("sub",@_); }
-sub main'rotl { &out2("rol",@_); }
-sub main'rotr { &out2("ror",@_); }
-sub main'exch { &out2("xchg",@_); }
-sub main'cmp { &out2("cmp",@_); }
-sub main'lea { &out2("lea",@_); }
-sub main'mul { &out1("mul",@_); }
-sub main'div { &out1("div",@_); }
-sub main'dec { &out1("dec",@_); }
-sub main'inc { &out1("inc",@_); }
-sub main'jmp { &out1("jmp",@_); }
-sub main'jmp_ptr { &out1p("jmp",@_); }
-sub main'je { &out1("je",@_); }
-sub main'jle { &out1("jle",@_); }
-sub main'jz { &out1("jz",@_); }
-sub main'jge { &out1("jge",@_); }
-sub main'jl { &out1("jl",@_); }
-sub main'jb { &out1("jb",@_); }
-sub main'jnz { &out1("jnz",@_); }
-sub main'jne { &out1("jne",@_); }
-sub main'push { &out1("push",@_); $stack+=4; }
-sub main'pop { &out1("pop",@_); $stack-=4; }
-sub main'bswap { &out1("bswap",@_); &using486(); }
-sub main'not { &out1("not",@_); }
-sub main'call { &out1("call",'_'.$_[0]); }
-sub main'ret { &out0("ret"); }
-sub main'nop { &out0("nop"); }
-
-sub out2
- {
- local($name,$p1,$p2)=@_;
- local($l,$t);
-
- push(@out,"\t$name\t");
- $t=&conv($p1).",";
- $l=length($t);
- push(@out,$t);
- $l=4-($l+9)/8;
- push(@out,"\t" x $l);
- push(@out,&conv($p2));
- push(@out,"\n");
- }
-
-sub out0
- {
- local($name)=@_;
-
- push(@out,"\t$name\n");
- }
-
-sub out1
- {
- local($name,$p1)=@_;
- local($l,$t);
-
- push(@out,"\t$name\t".&conv($p1)."\n");
- }
-
-sub conv
- {
- local($p)=@_;
-
- $p =~ s/0x([0-9A-Fa-f]+)/0$1h/;
- return $p;
- }
-
-sub using486
- {
- return if $using486;
- $using486++;
- grep(s/\.386/\.486/,@out);
- }
-
-sub main'file
- {
- local($file)=@_;
-
- local($tmp)=<<"EOF";
- TITLE $file.asm
- .386
-.model FLAT
-EOF
- push(@out,$tmp);
- }
-
-sub main'function_begin
- {
- local($func,$extra)=@_;
-
- push(@labels,$func);
-
- local($tmp)=<<"EOF";
-_TEXT SEGMENT
-PUBLIC _$func
-$extra
-_$func PROC NEAR
- push ebp
- push ebx
- push esi
- push edi
-EOF
- push(@out,$tmp);
- $stack=20;
- }
-
-sub main'function_begin_B
- {
- local($func,$extra)=@_;
-
- local($tmp)=<<"EOF";
-_TEXT SEGMENT
-PUBLIC _$func
-$extra
-_$func PROC NEAR
-EOF
- push(@out,$tmp);
- $stack=4;
- }
-
-sub main'function_end
- {
- local($func)=@_;
-
- local($tmp)=<<"EOF";
- pop edi
- pop esi
- pop ebx
- pop ebp
- ret
-_$func ENDP
-_TEXT ENDS
-EOF
- push(@out,$tmp);
- $stack=0;
- %label=();
- }
-
-sub main'function_end_B
- {
- local($func)=@_;
-
- local($tmp)=<<"EOF";
-_$func ENDP
-_TEXT ENDS
-EOF
- push(@out,$tmp);
- $stack=0;
- %label=();
- }
-
-sub main'function_end_A
- {
- local($func)=@_;
-
- local($tmp)=<<"EOF";
- pop edi
- pop esi
- pop ebx
- pop ebp
- ret
-EOF
- push(@out,$tmp);
- }
-
-sub main'file_end
- {
- push(@out,"END\n");
- }
-
-sub main'wparam
- {
- local($num)=@_;
-
- return(&main'DWP($stack+$num*4,"esp","",0));
- }
-
-sub main'swtmp
- {
- return(&main'DWP($_[0]*4,"esp","",0));
- }
-
-# Should use swtmp, which is above esp. Linix can trash the stack above esp
-#sub main'wtmp
-# {
-# local($num)=@_;
-#
-# return(&main'DWP(-(($num+1)*4),"esp","",0));
-# }
-
-sub main'comment
- {
- foreach (@_)
- {
- push(@out,"\t; $_\n");
- }
- }
-
-sub main'label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}="\$${label}${_[0]}";
- $label++;
- }
- return($label{$_[0]});
- }
-
-sub main'set_label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}="${label}${_[0]}";
- $label++;
- }
- push(@out,"$label{$_[0]}:\n");
- }
-
-sub main'data_word
- {
- push(@out,"\tDD\t$_[0]\n");
- }
-
-sub out1p
- {
- local($name,$p1)=@_;
- local($l,$t);
-
- push(@out,"\t$name\t ".&conv($p1)."\n");
- }
diff --git a/linux/crypto/ciphers/des/asm/perlasm/x86unix.pl b/linux/crypto/ciphers/des/asm/perlasm/x86unix.pl
deleted file mode 100644
index 1d661221c..000000000
--- a/linux/crypto/ciphers/des/asm/perlasm/x86unix.pl
+++ /dev/null
@@ -1,403 +0,0 @@
-#!/usr/bin/perl
-
-package x86unix;
-
-$label="L000";
-
-$align=($main'aout)?"4":"16";
-$under=($main'aout)?"_":"";
-$com_start=($main'sol)?"/":"#";
-
-sub main'asm_init_output { @out=(); }
-sub main'asm_get_output { return(@out); }
-sub main'get_labels { return(@labels); }
-sub main'external_label { push(@labels,@_); }
-
-if ($main'cpp)
- {
- $align="ALIGN";
- $under="";
- $com_start='/*';
- $com_end='*/';
- }
-
-%lb=( 'eax', '%al',
- 'ebx', '%bl',
- 'ecx', '%cl',
- 'edx', '%dl',
- 'ax', '%al',
- 'bx', '%bl',
- 'cx', '%cl',
- 'dx', '%dl',
- );
-
-%hb=( 'eax', '%ah',
- 'ebx', '%bh',
- 'ecx', '%ch',
- 'edx', '%dh',
- 'ax', '%ah',
- 'bx', '%bh',
- 'cx', '%ch',
- 'dx', '%dh',
- );
-
-%regs=( 'eax', '%eax',
- 'ebx', '%ebx',
- 'ecx', '%ecx',
- 'edx', '%edx',
- 'esi', '%esi',
- 'edi', '%edi',
- 'ebp', '%ebp',
- 'esp', '%esp',
- );
-
-%reg_val=(
- 'eax', 0x00,
- 'ebx', 0x03,
- 'ecx', 0x01,
- 'edx', 0x02,
- 'esi', 0x06,
- 'edi', 0x07,
- 'ebp', 0x05,
- 'esp', 0x04,
- );
-
-sub main'LB
- {
- (defined($lb{$_[0]})) || die "$_[0] does not have a 'low byte'\n";
- return($lb{$_[0]});
- }
-
-sub main'HB
- {
- (defined($hb{$_[0]})) || die "$_[0] does not have a 'high byte'\n";
- return($hb{$_[0]});
- }
-
-sub main'DWP
- {
- local($addr,$reg1,$reg2,$idx)=@_;
-
- $ret="";
- $addr =~ s/(^|[+ \t])([A-Za-z_]+)($|[+ \t])/$1$under$2$3/;
- $reg1="$regs{$reg1}" if defined($regs{$reg1});
- $reg2="$regs{$reg2}" if defined($regs{$reg2});
- $ret.=$addr if ($addr ne "") && ($addr ne 0);
- if ($reg2 ne "")
- { $ret.="($reg1,$reg2,$idx)"; }
- else
- { $ret.="($reg1)" }
- return($ret);
- }
-
-sub main'BP
- {
- return(&main'DWP(@_));
- }
-
-#sub main'BP
-# {
-# local($addr,$reg1,$reg2,$idx)=@_;
-#
-# $ret="";
-#
-# $addr =~ s/(^|[+ \t])([A-Za-z_]+)($|[+ \t])/$1$under$2$3/;
-# $reg1="$regs{$reg1}" if defined($regs{$reg1});
-# $reg2="$regs{$reg2}" if defined($regs{$reg2});
-# $ret.=$addr if ($addr ne "") && ($addr ne 0);
-# if ($reg2 ne "")
-# { $ret.="($reg1,$reg2,$idx)"; }
-# else
-# { $ret.="($reg1)" }
-# return($ret);
-# }
-
-sub main'mov { &out2("movl",@_); }
-sub main'movb { &out2("movb",@_); }
-sub main'and { &out2("andl",@_); }
-sub main'or { &out2("orl",@_); }
-sub main'shl { &out2("sall",@_); }
-sub main'shr { &out2("shrl",@_); }
-sub main'xor { &out2("xorl",@_); }
-sub main'xorb { &out2("xorb",@_); }
-sub main'add { &out2("addl",@_); }
-sub main'adc { &out2("adcl",@_); }
-sub main'sub { &out2("subl",@_); }
-sub main'rotl { &out2("roll",@_); }
-sub main'rotr { &out2("rorl",@_); }
-sub main'exch { &out2("xchg",@_); }
-sub main'cmp { &out2("cmpl",@_); }
-sub main'lea { &out2("leal",@_); }
-sub main'mul { &out1("mull",@_); }
-sub main'div { &out1("divl",@_); }
-sub main'jmp { &out1("jmp",@_); }
-sub main'jmp_ptr { &out1p("jmp",@_); }
-sub main'je { &out1("je",@_); }
-sub main'jle { &out1("jle",@_); }
-sub main'jne { &out1("jne",@_); }
-sub main'jnz { &out1("jnz",@_); }
-sub main'jz { &out1("jz",@_); }
-sub main'jge { &out1("jge",@_); }
-sub main'jl { &out1("jl",@_); }
-sub main'jb { &out1("jb",@_); }
-sub main'dec { &out1("decl",@_); }
-sub main'inc { &out1("incl",@_); }
-sub main'push { &out1("pushl",@_); $stack+=4; }
-sub main'pop { &out1("popl",@_); $stack-=4; }
-sub main'bswap { &out1("bswapl",@_); }
-sub main'not { &out1("notl",@_); }
-sub main'call { &out1("call",$under.$_[0]); }
-sub main'ret { &out0("ret"); }
-sub main'nop { &out0("nop"); }
-
-sub out2
- {
- local($name,$p1,$p2)=@_;
- local($l,$ll,$t);
- local(%special)=( "roll",0xD1C0,"rorl",0xD1C8,
- "rcll",0xD1D0,"rcrl",0xD1D8,
- "shll",0xD1E0,"shrl",0xD1E8,
- "sarl",0xD1F8);
-
- if ((defined($special{$name})) && defined($regs{$p1}) && ($p2 == 1))
- {
- $op=$special{$name}|$reg_val{$p1};
- $tmp1=sprintf ".byte %d\n",($op>>8)&0xff;
- $tmp2=sprintf ".byte %d\t",$op &0xff;
- push(@out,$tmp1);
- push(@out,$tmp2);
-
- $p2=&conv($p2);
- $p1=&conv($p1);
- &main'comment("$name $p2 $p1");
- return;
- }
-
- push(@out,"\t$name\t");
- $t=&conv($p2).",";
- $l=length($t);
- push(@out,$t);
- $ll=4-($l+9)/8;
- $tmp1=sprintf "\t" x $ll;
- push(@out,$tmp1);
- push(@out,&conv($p1)."\n");
- }
-
-sub out1
- {
- local($name,$p1)=@_;
- local($l,$t);
-
- push(@out,"\t$name\t".&conv($p1)."\n");
- }
-
-sub out1p
- {
- local($name,$p1)=@_;
- local($l,$t);
-
- push(@out,"\t$name\t*".&conv($p1)."\n");
- }
-
-sub out0
- {
- push(@out,"\t$_[0]\n");
- }
-
-sub conv
- {
- local($p)=@_;
-
-# $p =~ s/0x([0-9A-Fa-f]+)/0$1h/;
-
- $p=$regs{$p} if (defined($regs{$p}));
-
- $p =~ s/^(-{0,1}[0-9A-Fa-f]+)$/\$$1/;
- $p =~ s/^(0x[0-9A-Fa-f]+)$/\$$1/;
- return $p;
- }
-
-sub main'file
- {
- local($file)=@_;
-
- local($tmp)=<<"EOF";
- .file "$file.s"
- .version "01.01"
-gcc2_compiled.:
-EOF
- push(@out,$tmp);
- }
-
-sub main'function_begin
- {
- local($func)=@_;
-
- $func=$under.$func;
-
- local($tmp)=<<"EOF";
-.text
- .align $align
-.globl $func
-EOF
- push(@out,$tmp);
- if ($main'cpp)
- { $tmp=push(@out,"\tTYPE($func,\@function)\n"); }
- else { $tmp=push(@out,"\t.type\t$func,\@function\n"); }
- push(@out,"$func:\n");
- $tmp=<<"EOF";
- pushl %ebp
- pushl %ebx
- pushl %esi
- pushl %edi
-
-EOF
- push(@out,$tmp);
- $stack=20;
- }
-
-sub main'function_begin_B
- {
- local($func,$extra)=@_;
-
- $func=$under.$func;
-
- local($tmp)=<<"EOF";
-.text
- .align $align
-.globl $func
-EOF
- push(@out,$tmp);
- if ($main'cpp)
- { push(@out,"\tTYPE($func,\@function)\n"); }
- else { push(@out,"\t.type $func,\@function\n"); }
- push(@out,"$func:\n");
- $stack=4;
- }
-
-sub main'function_end
- {
- local($func)=@_;
-
- $func=$under.$func;
-
- local($tmp)=<<"EOF";
- popl %edi
- popl %esi
- popl %ebx
- popl %ebp
- ret
-.${func}_end:
-EOF
- push(@out,$tmp);
- if ($main'cpp)
- { push(@out,"\tSIZE($func,.${func}_end-$func)\n"); }
- else { push(@out,"\t.size\t$func,.${func}_end-$func\n"); }
- push(@out,".ident \"$func\"\n");
- $stack=0;
- %label=();
- }
-
-sub main'function_end_A
- {
- local($func)=@_;
-
- local($tmp)=<<"EOF";
- popl %edi
- popl %esi
- popl %ebx
- popl %ebp
- ret
-EOF
- push(@out,$tmp);
- }
-
-sub main'function_end_B
- {
- local($func)=@_;
-
- $func=$under.$func;
-
- push(@out,".${func}_end:\n");
- if ($main'cpp)
- { push(@out,"\tSIZE($func,.${func}_end-$func)\n"); }
- else { push(@out,"\t.size\t$func,.${func}_end-$func\n"); }
- push(@out,".ident \"desasm.pl\"\n");
- $stack=0;
- %label=();
- }
-
-sub main'wparam
- {
- local($num)=@_;
-
- return(&main'DWP($stack+$num*4,"esp","",0));
- }
-
-sub main'stack_push
- {
- local($num)=@_;
- $stack+=$num*4;
- &main'sub("esp",$num*4);
- }
-
-sub main'stack_pop
- {
- local($num)=@_;
- $stack-=$num*4;
- &main'add("esp",$num*4);
- }
-
-sub main'swtmp
- {
- return(&main'DWP($_[0]*4,"esp","",0));
- }
-
-# Should use swtmp, which is above esp. Linix can trash the stack above esp
-#sub main'wtmp
-# {
-# local($num)=@_;
-#
-# return(&main'DWP(-($num+1)*4,"esp","",0));
-# }
-
-sub main'comment
- {
- foreach (@_)
- {
- if (/^\s*$/)
- { push(@out,"\n"); }
- else
- { push(@out,"\t$com_start $_ $com_end\n"); }
- }
- }
-
-sub main'label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}=".${label}${_[0]}";
- $label++;
- }
- return($label{$_[0]});
- }
-
-sub main'set_label
- {
- if (!defined($label{$_[0]}))
- {
- $label{$_[0]}=".${label}${_[0]}";
- $label++;
- }
- push(@out,".align $align\n") if ($_[1] != 0);
- push(@out,"$label{$_[0]}:\n");
- }
-
-sub main'file_end
- {
- }
-
-sub main'data_word
- {
- push(@out,"\t.long $_[0]\n");
- }
diff --git a/linux/crypto/ciphers/des/asm/readme b/linux/crypto/ciphers/des/asm/readme
deleted file mode 100644
index f8529d930..000000000
--- a/linux/crypto/ciphers/des/asm/readme
+++ /dev/null
@@ -1,131 +0,0 @@
-First up, let me say I don't like writing in assembler. It is not portable,
-dependant on the particular CPU architecture release and is generally a pig
-to debug and get right. Having said that, the x86 architecture is probably
-the most important for speed due to number of boxes and since
-it appears to be the worst architecture to to get
-good C compilers for. So due to this, I have lowered myself to do
-assembler for the inner DES routines in libdes :-).
-
-The file to implement in assembler is des_enc.c. Replace the following
-4 functions
-des_encrypt(DES_LONG data[2],des_key_schedule ks, int encrypt);
-des_encrypt2(DES_LONG data[2],des_key_schedule ks, int encrypt);
-des_encrypt3(DES_LONG data[2],des_key_schedule ks1,ks2,ks3);
-des_decrypt3(DES_LONG data[2],des_key_schedule ks1,ks2,ks3);
-
-They encrypt/decrypt the 64 bits held in 'data' using
-the 'ks' key schedules. The only difference between the 4 functions is that
-des_encrypt2() does not perform IP() or FP() on the data (this is an
-optimization for when doing triple DES and des_encrypt3() and des_decrypt3()
-perform triple des. The triple DES routines are in here because it does
-make a big difference to have them located near the des_encrypt2 function
-at link time..
-
-Now as we all know, there are lots of different operating systems running on
-x86 boxes, and unfortunately they normally try to make sure their assembler
-formating is not the same as the other peoples.
-The 4 main formats I know of are
-Microsoft Windows 95/Windows NT
-Elf Includes Linux and FreeBSD(?).
-a.out The older Linux.
-Solaris Same as Elf but different comments :-(.
-
-Now I was not overly keen to write 4 different copies of the same code,
-so I wrote a few perl routines to output the correct assembler, given
-a target assembler type. This code is ugly and is just a hack.
-The libraries are x86unix.pl and x86ms.pl.
-des586.pl, des686.pl and des-som[23].pl are the programs to actually
-generate the assembler.
-
-So to generate elf assembler
-perl des-som3.pl elf >dx86-elf.s
-For Windows 95/NT
-perl des-som2.pl win32 >win32.asm
-
-[ update 4 Jan 1996 ]
-I have added another way to do things.
-perl des-som3.pl cpp >dx86-cpp.s
-generates a file that will be included by dx86unix.cpp when it is compiled.
-To build for elf, a.out, solaris, bsdi etc,
-cc -E -DELF asm/dx86unix.cpp | as -o asm/dx86-elf.o
-cc -E -DSOL asm/dx86unix.cpp | as -o asm/dx86-sol.o
-cc -E -DOUT asm/dx86unix.cpp | as -o asm/dx86-out.o
-cc -E -DBSDI asm/dx86unix.cpp | as -o asm/dx86bsdi.o
-This was done to cut down the number of files in the distribution.
-
-Now the ugly part. I acquired my copy of Intels
-"Optimization's For Intel's 32-Bit Processors" and found a few interesting
-things. First, the aim of the exersize is to 'extract' one byte at a time
-from a word and do an array lookup. This involves getting the byte from
-the 4 locations in the word and moving it to a new word and doing the lookup.
-The most obvious way to do this is
-xor eax, eax # clear word
-movb al, cl # get low byte
-xor edi DWORD PTR 0x100+des_SP[eax] # xor in word
-movb al, ch # get next byte
-xor edi DWORD PTR 0x300+des_SP[eax] # xor in word
-shr ecx 16
-which seems ok. For the pentium, this system appears to be the best.
-One has to do instruction interleaving to keep both functional units
-operating, but it is basically very efficient.
-
-Now the crunch. When a full register is used after a partial write, eg.
-mov al, cl
-xor edi, DWORD PTR 0x100+des_SP[eax]
-386 - 1 cycle stall
-486 - 1 cycle stall
-586 - 0 cycle stall
-686 - at least 7 cycle stall (page 22 of the above mentioned document).
-
-So the technique that produces the best results on a pentium, according to
-the documentation, will produce hideous results on a pentium pro.
-
-To get around this, des686.pl will generate code that is not as fast on
-a pentium, should be very good on a pentium pro.
-mov eax, ecx # copy word
-shr ecx, 8 # line up next byte
-and eax, 0fch # mask byte
-xor edi DWORD PTR 0x100+des_SP[eax] # xor in array lookup
-mov eax, ecx # get word
-shr ecx 8 # line up next byte
-and eax, 0fch # mask byte
-xor edi DWORD PTR 0x300+des_SP[eax] # xor in array lookup
-
-Due to the execution units in the pentium, this actually works quite well.
-For a pentium pro it should be very good. This is the type of output
-Visual C++ generates.
-
-There is a third option. instead of using
-mov al, ch
-which is bad on the pentium pro, one may be able to use
-movzx eax, ch
-which may not incur the partial write penalty. On the pentium,
-this instruction takes 4 cycles so is not worth using but on the
-pentium pro it appears it may be worth while. I need access to one to
-experiment :-).
-
-eric (20 Oct 1996)
-
-22 Nov 1996 - I have asked people to run the 2 different version on pentium
-pros and it appears that the intel documentation is wrong. The
-mov al,bh is still faster on a pentium pro, so just use the des586.pl
-install des686.pl
-
-3 Dec 1996 - I added des_encrypt3/des_decrypt3 because I have moved these
-functions into des_enc.c because it does make a massive performance
-difference on some boxes to have the functions code located close to
-the des_encrypt2() function.
-
-9 Jan 1997 - des-som2.pl is now the correct perl script to use for
-pentiums. It contains an inner loop from
-Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk> which does raw ecb DES calls at
-273,000 per second. He had a previous version at 250,000 and the best
-I was able to get was 203,000. The content has not changed, this is all
-due to instruction sequencing (and actual instructions choice) which is able
-to keep both functional units of the pentium going.
-We may have lost the ugly register usage restrictions when x86 went 32 bit
-but for the pentium it has been replaced by evil instruction ordering tricks.
-
-13 Jan 1997 - des-som3.pl, more optimizations from Svend Olaf.
-raw DES at 281,000 per second on a pentium 100.
-
diff --git a/linux/crypto/ciphers/des/des.doc b/linux/crypto/ciphers/des/des.doc
deleted file mode 100644
index 1e3015812..000000000
--- a/linux/crypto/ciphers/des/des.doc
+++ /dev/null
@@ -1,505 +0,0 @@
-The DES library.
-
-Please note that this library was originally written to operate with
-eBones, a version of Kerberos that had had encryption removed when it left
-the USA and then put back in. As such there are some routines that I will
-advise not using but they are still in the library for historical reasons.
-For all calls that have an 'input' and 'output' variables, they can be the
-same.
-
-This library requires the inclusion of 'des.h'.
-
-All of the encryption functions take what is called a des_key_schedule as an
-argument. A des_key_schedule is an expanded form of the des key.
-A des_key is 8 bytes of odd parity, the type used to hold the key is a
-des_cblock. A des_cblock is an array of 8 bytes, often in this library
-description I will refer to input bytes when the function specifies
-des_cblock's as input or output, this just means that the variable should
-be a multiple of 8 bytes.
-
-The define DES_ENCRYPT is passed to specify encryption, DES_DECRYPT to
-specify decryption. The functions and global variable are as follows:
-
-int des_check_key;
- DES keys are supposed to be odd parity. If this variable is set to
- a non-zero value, des_set_key() will check that the key has odd
- parity and is not one of the known weak DES keys. By default this
- variable is turned off;
-
-void des_set_odd_parity(
-des_cblock *key );
- This function takes a DES key (8 bytes) and sets the parity to odd.
-
-int des_is_weak_key(
-des_cblock *key );
- This function returns a non-zero value if the DES key passed is a
- weak, DES key. If it is a weak key, don't use it, try a different
- one. If you are using 'random' keys, the chances of hitting a weak
- key are 1/2^52 so it is probably not worth checking for them.
-
-int des_set_key(
-des_cblock *key,
-des_key_schedule schedule);
- Des_set_key converts an 8 byte DES key into a des_key_schedule.
- A des_key_schedule is an expanded form of the key which is used to
- perform actual encryption. It can be regenerated from the DES key
- so it only needs to be kept when encryption or decryption is about
- to occur. Don't save or pass around des_key_schedule's since they
- are CPU architecture dependent, DES keys are not. If des_check_key
- is non zero, zero is returned if the key has the wrong parity or
- the key is a weak key, else 1 is returned.
-
-int des_key_sched(
-des_cblock *key,
-des_key_schedule schedule);
- An alternative name for des_set_key().
-
-int des_rw_mode; /* defaults to DES_PCBC_MODE */
- This flag holds either DES_CBC_MODE or DES_PCBC_MODE (default).
- This specifies the function to use in the enc_read() and enc_write()
- functions.
-
-void des_encrypt(
-unsigned long *data,
-des_key_schedule ks,
-int enc);
- This is the DES encryption function that gets called by just about
- every other DES routine in the library. You should not use this
- function except to implement 'modes' of DES. I say this because the
- functions that call this routine do the conversion from 'char *' to
- long, and this needs to be done to make sure 'non-aligned' memory
- access do not occur. The characters are loaded 'little endian',
- have a look at my source code for more details on how I use this
- function.
- Data is a pointer to 2 unsigned long's and ks is the
- des_key_schedule to use. enc, is non zero specifies encryption,
- zero if decryption.
-
-void des_encrypt2(
-unsigned long *data,
-des_key_schedule ks,
-int enc);
- This functions is the same as des_encrypt() except that the DES
- initial permutation (IP) and final permutation (FP) have been left
- out. As for des_encrypt(), you should not use this function.
- It is used by the routines in my library that implement triple DES.
- IP() des_encrypt2() des_encrypt2() des_encrypt2() FP() is the same
- as des_encrypt() des_encrypt() des_encrypt() except faster :-).
-
-void des_ecb_encrypt(
-des_cblock *input,
-des_cblock *output,
-des_key_schedule ks,
-int enc);
- This is the basic Electronic Code Book form of DES, the most basic
- form. Input is encrypted into output using the key represented by
- ks. If enc is non zero (DES_ENCRYPT), encryption occurs, otherwise
- decryption occurs. Input is 8 bytes long and output is 8 bytes.
- (the des_cblock structure is 8 chars).
-
-void des_ecb3_encrypt(
-des_cblock *input,
-des_cblock *output,
-des_key_schedule ks1,
-des_key_schedule ks2,
-des_key_schedule ks3,
-int enc);
- This is the 3 key EDE mode of ECB DES. What this means is that
- the 8 bytes of input is encrypted with ks1, decrypted with ks2 and
- then encrypted again with ks3, before being put into output;
- C=E(ks3,D(ks2,E(ks1,M))). There is a macro, des_ecb2_encrypt()
- that only takes 2 des_key_schedules that implements,
- C=E(ks1,D(ks2,E(ks1,M))) in that the final encrypt is done with ks1.
-
-void des_cbc_encrypt(
-des_cblock *input,
-des_cblock *output,
-long length,
-des_key_schedule ks,
-des_cblock *ivec,
-int enc);
- This routine implements DES in Cipher Block Chaining mode.
- Input, which should be a multiple of 8 bytes is encrypted
- (or decrypted) to output which will also be a multiple of 8 bytes.
- The number of bytes is in length (and from what I've said above,
- should be a multiple of 8). If length is not a multiple of 8, I'm
- not being held responsible :-). ivec is the initialisation vector.
- This function does not modify this variable. To correctly implement
- cbc mode, you need to do one of 2 things; copy the last 8 bytes of
- cipher text for use as the next ivec in your application,
- or use des_ncbc_encrypt().
- Only this routine has this problem with updating the ivec, all
- other routines that are implementing cbc mode update ivec.
-
-void des_ncbc_encrypt(
-des_cblock *input,
-des_cblock *output,
-long length,
-des_key_schedule sk,
-des_cblock *ivec,
-int enc);
- For historical reasons, des_cbc_encrypt() did not update the
- ivec with the value requires so that subsequent calls to
- des_cbc_encrypt() would 'chain'. This was needed so that the same
- 'length' values would not need to be used when decrypting.
- des_ncbc_encrypt() does the right thing. It is the same as
- des_cbc_encrypt accept that ivec is updates with the correct value
- to pass in subsequent calls to des_ncbc_encrypt(). I advise using
- des_ncbc_encrypt() instead of des_cbc_encrypt();
-
-void des_xcbc_encrypt(
-des_cblock *input,
-des_cblock *output,
-long length,
-des_key_schedule sk,
-des_cblock *ivec,
-des_cblock *inw,
-des_cblock *outw,
-int enc);
- This is RSA's DESX mode of DES. It uses inw and outw to
- 'whiten' the encryption. inw and outw are secret (unlike the iv)
- and are as such, part of the key. So the key is sort of 24 bytes.
- This is much better than cbc des.
-
-void des_3cbc_encrypt(
-des_cblock *input,
-des_cblock *output,
-long length,
-des_key_schedule sk1,
-des_key_schedule sk2,
-des_cblock *ivec1,
-des_cblock *ivec2,
-int enc);
- This function is flawed, do not use it. I have left it in the
- library because it is used in my des(1) program and will function
- correctly when used by des(1). If I removed the function, people
- could end up unable to decrypt files.
- This routine implements outer triple cbc encryption using 2 ks and
- 2 ivec's. Use des_ede2_cbc_encrypt() instead.
-
-void des_ede3_cbc_encrypt(
-des_cblock *input,
-des_cblock *output,
-long length,
-des_key_schedule ks1,
-des_key_schedule ks2,
-des_key_schedule ks3,
-des_cblock *ivec,
-int enc);
- This function implements inner triple CBC DES encryption with 3
- keys. What this means is that each 'DES' operation
- inside the cbc mode is really an C=E(ks3,D(ks2,E(ks1,M))).
- Again, this is cbc mode so an ivec is requires.
- This mode is used by SSL.
- There is also a des_ede2_cbc_encrypt() that only uses 2
- des_key_schedule's, the first being reused for the final
- encryption. C=E(ks1,D(ks2,E(ks1,M))). This form of triple DES
- is used by the RSAref library.
-
-void des_pcbc_encrypt(
-des_cblock *input,
-des_cblock *output,
-long length,
-des_key_schedule ks,
-des_cblock *ivec,
-int enc);
- This is Propagating Cipher Block Chaining mode of DES. It is used
- by Kerberos v4. It's parameters are the same as des_ncbc_encrypt().
-
-void des_cfb_encrypt(
-unsigned char *in,
-unsigned char *out,
-int numbits,
-long length,
-des_key_schedule ks,
-des_cblock *ivec,
-int enc);
- Cipher Feedback Back mode of DES. This implementation 'feeds back'
- in numbit blocks. The input (and output) is in multiples of numbits
- bits. numbits should to be a multiple of 8 bits. Length is the
- number of bytes input. If numbits is not a multiple of 8 bits,
- the extra bits in the bytes will be considered padding. So if
- numbits is 12, for each 2 input bytes, the 4 high bits of the
- second byte will be ignored. So to encode 72 bits when using
- a numbits of 12 take 12 bytes. To encode 72 bits when using
- numbits of 9 will take 16 bytes. To encode 80 bits when using
- numbits of 16 will take 10 bytes. etc, etc. This padding will
- apply to both input and output.
-
-
-void des_cfb64_encrypt(
-unsigned char *in,
-unsigned char *out,
-long length,
-des_key_schedule ks,
-des_cblock *ivec,
-int *num,
-int enc);
- This is one of the more useful functions in this DES library, it
- implements CFB mode of DES with 64bit feedback. Why is this
- useful you ask? Because this routine will allow you to encrypt an
- arbitrary number of bytes, no 8 byte padding. Each call to this
- routine will encrypt the input bytes to output and then update ivec
- and num. num contains 'how far' we are though ivec. If this does
- not make much sense, read more about cfb mode of DES :-).
-
-void des_ede3_cfb64_encrypt(
-unsigned char *in,
-unsigned char *out,
-long length,
-des_key_schedule ks1,
-des_key_schedule ks2,
-des_key_schedule ks3,
-des_cblock *ivec,
-int *num,
-int enc);
- Same as des_cfb64_encrypt() accept that the DES operation is
- triple DES. As usual, there is a macro for
- des_ede2_cfb64_encrypt() which reuses ks1.
-
-void des_ofb_encrypt(
-unsigned char *in,
-unsigned char *out,
-int numbits,
-long length,
-des_key_schedule ks,
-des_cblock *ivec);
- This is a implementation of Output Feed Back mode of DES. It is
- the same as des_cfb_encrypt() in that numbits is the size of the
- units dealt with during input and output (in bits).
-
-void des_ofb64_encrypt(
-unsigned char *in,
-unsigned char *out,
-long length,
-des_key_schedule ks,
-des_cblock *ivec,
-int *num);
- The same as des_cfb64_encrypt() except that it is Output Feed Back
- mode.
-
-void des_ede3_ofb64_encrypt(
-unsigned char *in,
-unsigned char *out,
-long length,
-des_key_schedule ks1,
-des_key_schedule ks2,
-des_key_schedule ks3,
-des_cblock *ivec,
-int *num);
- Same as des_ofb64_encrypt() accept that the DES operation is
- triple DES. As usual, there is a macro for
- des_ede2_ofb64_encrypt() which reuses ks1.
-
-int des_read_pw_string(
-char *buf,
-int length,
-char *prompt,
-int verify);
- This routine is used to get a password from the terminal with echo
- turned off. Buf is where the string will end up and length is the
- size of buf. Prompt is a string presented to the 'user' and if
- verify is set, the key is asked for twice and unless the 2 copies
- match, an error is returned. A return code of -1 indicates a
- system error, 1 failure due to use interaction, and 0 is success.
-
-unsigned long des_cbc_cksum(
-des_cblock *input,
-des_cblock *output,
-long length,
-des_key_schedule ks,
-des_cblock *ivec);
- This function produces an 8 byte checksum from input that it puts in
- output and returns the last 4 bytes as a long. The checksum is
- generated via cbc mode of DES in which only the last 8 byes are
- kept. I would recommend not using this function but instead using
- the EVP_Digest routines, or at least using MD5 or SHA. This
- function is used by Kerberos v4 so that is why it stays in the
- library.
-
-char *des_fcrypt(
-const char *buf,
-const char *salt
-char *ret);
- This is my fast version of the unix crypt(3) function. This version
- takes only a small amount of space relative to other fast
- crypt() implementations. This is different to the normal crypt
- in that the third parameter is the buffer that the return value
- is written into. It needs to be at least 14 bytes long. This
- function is thread safe, unlike the normal crypt.
-
-char *crypt(
-const char *buf,
-const char *salt);
- This function calls des_fcrypt() with a static array passed as the
- third parameter. This emulates the normal non-thread safe semantics
- of crypt(3).
-
-void des_string_to_key(
-char *str,
-des_cblock *key);
- This function takes str and converts it into a DES key. I would
- recommend using MD5 instead and use the first 8 bytes of output.
- When I wrote the first version of these routines back in 1990, MD5
- did not exist but I feel these routines are still sound. This
- routines is compatible with the one in MIT's libdes.
-
-void des_string_to_2keys(
-char *str,
-des_cblock *key1,
-des_cblock *key2);
- This function takes str and converts it into 2 DES keys.
- I would recommend using MD5 and using the 16 bytes as the 2 keys.
- I have nothing against these 2 'string_to_key' routines, it's just
- that if you say that your encryption key is generated by using the
- 16 bytes of an MD5 hash, every-one knows how you generated your
- keys.
-
-int des_read_password(
-des_cblock *key,
-char *prompt,
-int verify);
- This routine combines des_read_pw_string() with des_string_to_key().
-
-int des_read_2passwords(
-des_cblock *key1,
-des_cblock *key2,
-char *prompt,
-int verify);
- This routine combines des_read_pw_string() with des_string_to_2key().
-
-void des_random_seed(
-des_cblock key);
- This routine sets a starting point for des_random_key().
-
-void des_random_key(
-des_cblock ret);
- This function return a random key. Make sure to 'seed' the random
- number generator (with des_random_seed()) before using this function.
- I personally now use a MD5 based random number system.
-
-int des_enc_read(
-int fd,
-char *buf,
-int len,
-des_key_schedule ks,
-des_cblock *iv);
- This function will write to a file descriptor the encrypted data
- from buf. This data will be preceded by a 4 byte 'byte count' and
- will be padded out to 8 bytes. The encryption is either CBC of
- PCBC depending on the value of des_rw_mode. If it is DES_PCBC_MODE,
- pcbc is used, if DES_CBC_MODE, cbc is used. The default is to use
- DES_PCBC_MODE.
-
-int des_enc_write(
-int fd,
-char *buf,
-int len,
-des_key_schedule ks,
-des_cblock *iv);
- This routines read stuff written by des_enc_read() and decrypts it.
- I have used these routines quite a lot but I don't believe they are
- suitable for non-blocking io. If you are after a full
- authentication/encryption over networks, have a look at SSL instead.
-
-unsigned long des_quad_cksum(
-des_cblock *input,
-des_cblock *output,
-long length,
-int out_count,
-des_cblock *seed);
- This is a function from Kerberos v4 that is not anything to do with
- DES but was needed. It is a cksum that is quicker to generate than
- des_cbc_cksum(); I personally would use MD5 routines now.
-=====
-Modes of DES
-Quite a bit of the following information has been taken from
- AS 2805.5.2
- Australian Standard
- Electronic funds transfer - Requirements for interfaces,
- Part 5.2: Modes of operation for an n-bit block cipher algorithm
- Appendix A
-
-There are several different modes in which DES can be used, they are
-as follows.
-
-Electronic Codebook Mode (ECB) (des_ecb_encrypt())
-- 64 bits are enciphered at a time.
-- The order of the blocks can be rearranged without detection.
-- The same plaintext block always produces the same ciphertext block
- (for the same key) making it vulnerable to a 'dictionary attack'.
-- An error will only affect one ciphertext block.
-
-Cipher Block Chaining Mode (CBC) (des_cbc_encrypt())
-- a multiple of 64 bits are enciphered at a time.
-- The CBC mode produces the same ciphertext whenever the same
- plaintext is encrypted using the same key and starting variable.
-- The chaining operation makes the ciphertext blocks dependent on the
- current and all preceding plaintext blocks and therefore blocks can not
- be rearranged.
-- The use of different starting variables prevents the same plaintext
- enciphering to the same ciphertext.
-- An error will affect the current and the following ciphertext blocks.
-
-Cipher Feedback Mode (CFB) (des_cfb_encrypt())
-- a number of bits (j) <= 64 are enciphered at a time.
-- The CFB mode produces the same ciphertext whenever the same
- plaintext is encrypted using the same key and starting variable.
-- The chaining operation makes the ciphertext variables dependent on the
- current and all preceding variables and therefore j-bit variables are
- chained together and can not be rearranged.
-- The use of different starting variables prevents the same plaintext
- enciphering to the same ciphertext.
-- The strength of the CFB mode depends on the size of k (maximal if
- j == k). In my implementation this is always the case.
-- Selection of a small value for j will require more cycles through
- the encipherment algorithm per unit of plaintext and thus cause
- greater processing overheads.
-- Only multiples of j bits can be enciphered.
-- An error will affect the current and the following ciphertext variables.
-
-Output Feedback Mode (OFB) (des_ofb_encrypt())
-- a number of bits (j) <= 64 are enciphered at a time.
-- The OFB mode produces the same ciphertext whenever the same
- plaintext enciphered using the same key and starting variable. More
- over, in the OFB mode the same key stream is produced when the same
- key and start variable are used. Consequently, for security reasons
- a specific start variable should be used only once for a given key.
-- The absence of chaining makes the OFB more vulnerable to specific attacks.
-- The use of different start variables values prevents the same
- plaintext enciphering to the same ciphertext, by producing different
- key streams.
-- Selection of a small value for j will require more cycles through
- the encipherment algorithm per unit of plaintext and thus cause
- greater processing overheads.
-- Only multiples of j bits can be enciphered.
-- OFB mode of operation does not extend ciphertext errors in the
- resultant plaintext output. Every bit error in the ciphertext causes
- only one bit to be in error in the deciphered plaintext.
-- OFB mode is not self-synchronising. If the two operation of
- encipherment and decipherment get out of synchronism, the system needs
- to be re-initialised.
-- Each re-initialisation should use a value of the start variable
- different from the start variable values used before with the same
- key. The reason for this is that an identical bit stream would be
- produced each time from the same parameters. This would be
- susceptible to a ' known plaintext' attack.
-
-Triple ECB Mode (des_ecb3_encrypt())
-- Encrypt with key1, decrypt with key2 and encrypt with key3 again.
-- As for ECB encryption but increases the key length to 168 bits.
- There are theoretic attacks that can be used that make the effective
- key length 112 bits, but this attack also requires 2^56 blocks of
- memory, not very likely, even for the NSA.
-- If both keys are the same it is equivalent to encrypting once with
- just one key.
-- If the first and last key are the same, the key length is 112 bits.
- There are attacks that could reduce the key space to 55 bit's but it
- requires 2^56 blocks of memory.
-- If all 3 keys are the same, this is effectively the same as normal
- ecb mode.
-
-Triple CBC Mode (des_ede3_cbc_encrypt())
-- Encrypt with key1, decrypt with key2 and then encrypt with key3.
-- As for CBC encryption but increases the key length to 168 bits with
- the same restrictions as for triple ecb mode.
diff --git a/linux/crypto/ciphers/des/des_crypt.man b/linux/crypto/ciphers/des/des_crypt.man
deleted file mode 100644
index 0ecc41687..000000000
--- a/linux/crypto/ciphers/des/des_crypt.man
+++ /dev/null
@@ -1,508 +0,0 @@
-.TH DES_CRYPT 3
-.SH NAME
-des_read_password, des_read_2password,
-des_string_to_key, des_string_to_2key, des_read_pw_string,
-des_random_key, des_set_key,
-des_key_sched, des_ecb_encrypt, des_ecb3_encrypt, des_cbc_encrypt,
-des_3cbc_encrypt,
-des_pcbc_encrypt, des_cfb_encrypt, des_ofb_encrypt,
-des_cbc_cksum, des_quad_cksum,
-des_enc_read, des_enc_write, des_set_odd_parity,
-des_is_weak_key, crypt \- (non USA) DES encryption
-.SH SYNOPSIS
-.nf
-.nj
-.ft B
-#include <des.h>
-.PP
-.B int des_read_password(key,prompt,verify)
-des_cblock *key;
-char *prompt;
-int verify;
-.PP
-.B int des_read_2password(key1,key2,prompt,verify)
-des_cblock *key1,*key2;
-char *prompt;
-int verify;
-.PP
-.B int des_string_to_key(str,key)
-char *str;
-des_cblock *key;
-.PP
-.B int des_string_to_2keys(str,key1,key2)
-char *str;
-des_cblock *key1,*key2;
-.PP
-.B int des_read_pw_string(buf,length,prompt,verify)
-char *buf;
-int length;
-char *prompt;
-int verify;
-.PP
-.B int des_random_key(key)
-des_cblock *key;
-.PP
-.B int des_set_key(key,schedule)
-des_cblock *key;
-des_key_schedule schedule;
-.PP
-.B int des_key_sched(key,schedule)
-des_cblock *key;
-des_key_schedule schedule;
-.PP
-.B int des_ecb_encrypt(input,output,schedule,encrypt)
-des_cblock *input;
-des_cblock *output;
-des_key_schedule schedule;
-int encrypt;
-.PP
-.B int des_ecb3_encrypt(input,output,ks1,ks2,encrypt)
-des_cblock *input;
-des_cblock *output;
-des_key_schedule ks1,ks2;
-int encrypt;
-.PP
-.B int des_cbc_encrypt(input,output,length,schedule,ivec,encrypt)
-des_cblock *input;
-des_cblock *output;
-long length;
-des_key_schedule schedule;
-des_cblock *ivec;
-int encrypt;
-.PP
-.B int des_3cbc_encrypt(input,output,length,sk1,sk2,ivec1,ivec2,encrypt)
-des_cblock *input;
-des_cblock *output;
-long length;
-des_key_schedule sk1;
-des_key_schedule sk2;
-des_cblock *ivec1;
-des_cblock *ivec2;
-int encrypt;
-.PP
-.B int des_pcbc_encrypt(input,output,length,schedule,ivec,encrypt)
-des_cblock *input;
-des_cblock *output;
-long length;
-des_key_schedule schedule;
-des_cblock *ivec;
-int encrypt;
-.PP
-.B int des_cfb_encrypt(input,output,numbits,length,schedule,ivec,encrypt)
-unsigned char *input;
-unsigned char *output;
-int numbits;
-long length;
-des_key_schedule schedule;
-des_cblock *ivec;
-int encrypt;
-.PP
-.B int des_ofb_encrypt(input,output,numbits,length,schedule,ivec)
-unsigned char *input,*output;
-int numbits;
-long length;
-des_key_schedule schedule;
-des_cblock *ivec;
-.PP
-.B unsigned long des_cbc_cksum(input,output,length,schedule,ivec)
-des_cblock *input;
-des_cblock *output;
-long length;
-des_key_schedule schedule;
-des_cblock *ivec;
-.PP
-.B unsigned long des_quad_cksum(input,output,length,out_count,seed)
-des_cblock *input;
-des_cblock *output;
-long length;
-int out_count;
-des_cblock *seed;
-.PP
-.B int des_check_key;
-.PP
-.B int des_enc_read(fd,buf,len,sched,iv)
-int fd;
-char *buf;
-int len;
-des_key_schedule sched;
-des_cblock *iv;
-.PP
-.B int des_enc_write(fd,buf,len,sched,iv)
-int fd;
-char *buf;
-int len;
-des_key_schedule sched;
-des_cblock *iv;
-.PP
-.B extern int des_rw_mode;
-.PP
-.B void des_set_odd_parity(key)
-des_cblock *key;
-.PP
-.B int des_is_weak_key(key)
-des_cblock *key;
-.PP
-.B char *crypt(passwd,salt)
-char *passwd;
-char *salt;
-.PP
-.fi
-.SH DESCRIPTION
-This library contains a fast implementation of the DES encryption
-algorithm.
-.PP
-There are two phases to the use of DES encryption.
-The first is the generation of a
-.I des_key_schedule
-from a key,
-the second is the actual encryption.
-A des key is of type
-.I des_cblock.
-This type is made from 8 characters with odd parity.
-The least significant bit in the character is the parity bit.
-The key schedule is an expanded form of the key; it is used to speed the
-encryption process.
-.PP
-.I des_read_password
-writes the string specified by prompt to the standard output,
-turns off echo and reads an input string from standard input
-until terminated with a newline.
-If verify is non-zero, it prompts and reads the input again and verifies
-that both entered passwords are the same.
-The entered string is converted into a des key by using the
-.I des_string_to_key
-routine.
-The new key is placed in the
-.I des_cblock
-that was passed (by reference) to the routine.
-If there were no errors,
-.I des_read_password
-returns 0,
--1 is returned if there was a terminal error and 1 is returned for
-any other error.
-.PP
-.I des_read_2password
-operates in the same way as
-.I des_read_password
-except that it generates 2 keys by using the
-.I des_string_to_2key
-function.
-.PP
-.I des_read_pw_string
-is called by
-.I des_read_password
-to read and verify a string from a terminal device.
-The string is returned in
-.I buf.
-The size of
-.I buf
-is passed to the routine via the
-.I length
-parameter.
-.PP
-.I des_string_to_key
-converts a string into a valid des key.
-.PP
-.I des_string_to_2key
-converts a string into 2 valid des keys.
-This routine is best suited for used to generate keys for use with
-.I des_ecb3_encrypt.
-.PP
-.I des_random_key
-returns a random key that is made of a combination of process id,
-time and an increasing counter.
-.PP
-Before a des key can be used it is converted into a
-.I des_key_schedule
-via the
-.I des_set_key
-routine.
-If the
-.I des_check_key
-flag is non-zero,
-.I des_set_key
-will check that the key passed is of odd parity and is not a week or
-semi-weak key.
-If the parity is wrong,
-then -1 is returned.
-If the key is a weak key,
-then -2 is returned.
-If an error is returned,
-the key schedule is not generated.
-.PP
-.I des_key_sched
-is another name for the
-.I des_set_key
-function.
-.PP
-The following routines mostly operate on an input and output stream of
-.I des_cblock's.
-.PP
-.I des_ecb_encrypt
-is the basic DES encryption routine that encrypts or decrypts a single 8-byte
-.I des_cblock
-in
-.I electronic code book
-mode.
-It always transforms the input data, pointed to by
-.I input,
-into the output data,
-pointed to by the
-.I output
-argument.
-If the
-.I encrypt
-argument is non-zero (DES_ENCRYPT),
-the
-.I input
-(cleartext) is encrypted in to the
-.I output
-(ciphertext) using the key_schedule specified by the
-.I schedule
-argument,
-previously set via
-.I des_set_key.
-If
-.I encrypt
-is zero (DES_DECRYPT),
-the
-.I input
-(now ciphertext)
-is decrypted into the
-.I output
-(now cleartext).
-Input and output may overlap.
-No meaningful value is returned.
-.PP
-.I des_ecb3_encrypt
-encrypts/decrypts the
-.I input
-block by using triple ecb DES encryption.
-This involves encrypting the input with
-.I ks1,
-decryption with the key schedule
-.I ks2,
-and then encryption with the first again.
-This routine greatly reduces the chances of brute force breaking of
-DES and has the advantage of if
-.I ks1
-and
-.I ks2
-are the same, it is equivalent to just encryption using ecb mode and
-.I ks1
-as the key.
-.PP
-.I des_cbc_encrypt
-encrypts/decrypts using the
-.I cipher-block-chaining
-mode of DES.
-If the
-.I encrypt
-argument is non-zero,
-the routine cipher-block-chain encrypts the cleartext data pointed to by the
-.I input
-argument into the ciphertext pointed to by the
-.I output
-argument,
-using the key schedule provided by the
-.I schedule
-argument,
-and initialisation vector provided by the
-.I ivec
-argument.
-If the
-.I length
-argument is not an integral multiple of eight bytes,
-the last block is copied to a temporary area and zero filled.
-The output is always
-an integral multiple of eight bytes.
-To make multiple cbc encrypt calls on a large amount of data appear to
-be one
-.I des_cbc_encrypt
-call, the
-.I ivec
-of subsequent calls should be the last 8 bytes of the output.
-.PP
-.I des_3cbc_encrypt
-encrypts/decrypts the
-.I input
-block by using triple cbc DES encryption.
-This involves encrypting the input with key schedule
-.I ks1,
-decryption with the key schedule
-.I ks2,
-and then encryption with the first again.
-2 initialisation vectors are required,
-.I ivec1
-and
-.I ivec2.
-Unlike
-.I des_cbc_encrypt,
-these initialisation vectors are modified by the subroutine.
-This routine greatly reduces the chances of brute force breaking of
-DES and has the advantage of if
-.I ks1
-and
-.I ks2
-are the same, it is equivalent to just encryption using cbc mode and
-.I ks1
-as the key.
-.PP
-.I des_pcbc_encrypt
-encrypt/decrypts using a modified block chaining mode.
-It provides better error propagation characteristics than cbc
-encryption.
-.PP
-.I des_cfb_encrypt
-encrypt/decrypts using cipher feedback mode. This method takes an
-array of characters as input and outputs and array of characters. It
-does not require any padding to 8 character groups. Note: the ivec
-variable is changed and the new changed value needs to be passed to
-the next call to this function. Since this function runs a complete
-DES ecb encryption per numbits, this function is only suggested for
-use when sending small numbers of characters.
-.PP
-.I des_ofb_encrypt
-encrypt using output feedback mode. This method takes an
-array of characters as input and outputs and array of characters. It
-does not require any padding to 8 character groups. Note: the ivec
-variable is changed and the new changed value needs to be passed to
-the next call to this function. Since this function runs a complete
-DES ecb encryption per numbits, this function is only suggested for
-use when sending small numbers of characters.
-.PP
-.I des_cbc_cksum
-produces an 8 byte checksum based on the input stream (via cbc encryption).
-The last 4 bytes of the checksum is returned and the complete 8 bytes is
-placed in
-.I output.
-.PP
-.I des_quad_cksum
-returns a 4 byte checksum from the input bytes.
-The algorithm can be iterated over the input,
-depending on
-.I out_count,
-1, 2, 3 or 4 times.
-If
-.I output
-is non-NULL,
-the 8 bytes generated by each pass are written into
-.I output.
-.PP
-.I des_enc_write
-is used to write
-.I len
-bytes
-to file descriptor
-.I fd
-from buffer
-.I buf.
-The data is encrypted via
-.I pcbc_encrypt
-(default) using
-.I sched
-for the key and
-.I iv
-as a starting vector.
-The actual data send down
-.I fd
-consists of 4 bytes (in network byte order) containing the length of the
-following encrypted data. The encrypted data then follows, padded with random
-data out to a multiple of 8 bytes.
-.PP
-.I des_enc_read
-is used to read
-.I len
-bytes
-from file descriptor
-.I fd
-into buffer
-.I buf.
-The data being read from
-.I fd
-is assumed to have come from
-.I des_enc_write
-and is decrypted using
-.I sched
-for the key schedule and
-.I iv
-for the initial vector.
-The
-.I des_enc_read/des_enc_write
-pair can be used to read/write to files, pipes and sockets.
-I have used them in implementing a version of rlogin in which all
-data is encrypted.
-.PP
-.I des_rw_mode
-is used to specify the encryption mode to use with
-.I des_enc_read
-and
-.I des_end_write.
-If set to
-.I DES_PCBC_MODE
-(the default), des_pcbc_encrypt is used.
-If set to
-.I DES_CBC_MODE
-des_cbc_encrypt is used.
-These two routines and the variable are not part of the normal MIT library.
-.PP
-.I des_set_odd_parity
-sets the parity of the passed
-.I key
-to odd. This routine is not part of the standard MIT library.
-.PP
-.I des_is_weak_key
-returns 1 is the passed key is a weak key (pick again :-),
-0 if it is ok.
-This routine is not part of the standard MIT library.
-.PP
-.I crypt
-is a replacement for the normal system crypt.
-It is much faster than the system crypt.
-.PP
-.SH FILES
-/usr/include/des.h
-.br
-/usr/lib/libdes.a
-.PP
-The encryption routines have been tested on 16bit, 32bit and 64bit
-machines of various endian and even works under VMS.
-.PP
-.SH BUGS
-.PP
-If you think this manual is sparse,
-read the des_crypt(3) manual from the MIT kerberos (or bones outside
-of the USA) distribution.
-.PP
-.I des_cfb_encrypt
-and
-.I des_ofb_encrypt
-operates on input of 8 bits. What this means is that if you set
-numbits to 12, and length to 2, the first 12 bits will come from the 1st
-input byte and the low half of the second input byte. The second 12
-bits will have the low 8 bits taken from the 3rd input byte and the
-top 4 bits taken from the 4th input byte. The same holds for output.
-This function has been implemented this way because most people will
-be using a multiple of 8 and because once you get into pulling bytes input
-bytes apart things get ugly!
-.PP
-.I des_read_pw_string
-is the most machine/OS dependent function and normally generates the
-most problems when porting this code.
-.PP
-.I des_string_to_key
-is probably different from the MIT version since there are lots
-of fun ways to implement one-way encryption of a text string.
-.PP
-The routines are optimised for 32 bit machines and so are not efficient
-on IBM PCs.
-.PP
-NOTE: extensive work has been done on this library since this document
-was origionally written. Please try to read des.doc from the libdes
-distribution since it is far more upto date and documents more of the
-functions. Libdes is now also being shipped as part of SSLeay, a
-general cryptographic library that amonst other things implements
-netscapes SSL protocoll. The most recent version can be found in
-SSLeay distributions.
-.SH AUTHOR
-Eric Young (eay@cryptsoft.com)
diff --git a/linux/crypto/ciphers/des/dx86unix.S b/linux/crypto/ciphers/des/dx86unix.S
deleted file mode 100644
index 31dc0d0e1..000000000
--- a/linux/crypto/ciphers/des/dx86unix.S
+++ /dev/null
@@ -1,3160 +0,0 @@
-/*
- * This file was originally generated by Michael Richardson <mcr@freeswan.org>
- * via the perl scripts found in the ASM subdir. It remains copyright of
- * Eric Young, see the file COPYRIGHT.
- *
- * This was last done on October 9, 2002.
- *
- * While this file does not need to go through cpp, we pass it through
- * CPP by naming it dx86unix.S instead of dx86unix.s because there is
- * a bug in Rules.make for .s builds - specifically it references EXTRA_CFLAGS
- * which may contain stuff that AS doesn't understand instead of
- * referencing EXTRA_AFLAGS.
- */
-
- .file "dx86unix.S"
- .version "01.01"
-.text
- .align 16
-.globl des_encrypt
- .type des_encrypt , @function
-des_encrypt:
- pushl %esi
- pushl %edi
-
-
- movl 12(%esp), %esi
- xorl %ecx, %ecx
- pushl %ebx
- pushl %ebp
- movl (%esi), %eax
- movl 28(%esp), %ebx
- movl 4(%esi), %edi
-
-
- roll $4, %eax
- movl %eax, %esi
- xorl %edi, %eax
- andl $0xf0f0f0f0, %eax
- xorl %eax, %esi
- xorl %eax, %edi
-
- roll $20, %edi
- movl %edi, %eax
- xorl %esi, %edi
- andl $0xfff0000f, %edi
- xorl %edi, %eax
- xorl %edi, %esi
-
- roll $14, %eax
- movl %eax, %edi
- xorl %esi, %eax
- andl $0x33333333, %eax
- xorl %eax, %edi
- xorl %eax, %esi
-
- roll $22, %esi
- movl %esi, %eax
- xorl %edi, %esi
- andl $0x03fc03fc, %esi
- xorl %esi, %eax
- xorl %esi, %edi
-
- roll $9, %eax
- movl %eax, %esi
- xorl %edi, %eax
- andl $0xaaaaaaaa, %eax
- xorl %eax, %esi
- xorl %eax, %edi
-
-.byte 209
-.byte 199
- movl 24(%esp), %ebp
- cmpl $0, %ebx
- je .L000start_decrypt
-
-
- movl (%ebp), %eax
- xorl %ebx, %ebx
- movl 4(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 8(%ebp), %eax
- xorl %ebx, %ebx
- movl 12(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 16(%ebp), %eax
- xorl %ebx, %ebx
- movl 20(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 24(%ebp), %eax
- xorl %ebx, %ebx
- movl 28(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 32(%ebp), %eax
- xorl %ebx, %ebx
- movl 36(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 40(%ebp), %eax
- xorl %ebx, %ebx
- movl 44(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 48(%ebp), %eax
- xorl %ebx, %ebx
- movl 52(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 56(%ebp), %eax
- xorl %ebx, %ebx
- movl 60(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 64(%ebp), %eax
- xorl %ebx, %ebx
- movl 68(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 72(%ebp), %eax
- xorl %ebx, %ebx
- movl 76(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 80(%ebp), %eax
- xorl %ebx, %ebx
- movl 84(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 88(%ebp), %eax
- xorl %ebx, %ebx
- movl 92(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 96(%ebp), %eax
- xorl %ebx, %ebx
- movl 100(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 104(%ebp), %eax
- xorl %ebx, %ebx
- movl 108(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 112(%ebp), %eax
- xorl %ebx, %ebx
- movl 116(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 120(%ebp), %eax
- xorl %ebx, %ebx
- movl 124(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
- jmp .L001end
-.L000start_decrypt:
-
-
- movl 120(%ebp), %eax
- xorl %ebx, %ebx
- movl 124(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 112(%ebp), %eax
- xorl %ebx, %ebx
- movl 116(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 104(%ebp), %eax
- xorl %ebx, %ebx
- movl 108(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 96(%ebp), %eax
- xorl %ebx, %ebx
- movl 100(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 88(%ebp), %eax
- xorl %ebx, %ebx
- movl 92(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 80(%ebp), %eax
- xorl %ebx, %ebx
- movl 84(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 72(%ebp), %eax
- xorl %ebx, %ebx
- movl 76(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 64(%ebp), %eax
- xorl %ebx, %ebx
- movl 68(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 56(%ebp), %eax
- xorl %ebx, %ebx
- movl 60(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 48(%ebp), %eax
- xorl %ebx, %ebx
- movl 52(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 40(%ebp), %eax
- xorl %ebx, %ebx
- movl 44(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 32(%ebp), %eax
- xorl %ebx, %ebx
- movl 36(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 24(%ebp), %eax
- xorl %ebx, %ebx
- movl 28(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 16(%ebp), %eax
- xorl %ebx, %ebx
- movl 20(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 8(%ebp), %eax
- xorl %ebx, %ebx
- movl 12(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl (%ebp), %eax
- xorl %ebx, %ebx
- movl 4(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-.L001end:
-
-
- movl 20(%esp), %edx
-.byte 209
-.byte 206
- movl %edi, %eax
- xorl %esi, %edi
- andl $0xaaaaaaaa, %edi
- xorl %edi, %eax
- xorl %edi, %esi
-
- roll $23, %eax
- movl %eax, %edi
- xorl %esi, %eax
- andl $0x03fc03fc, %eax
- xorl %eax, %edi
- xorl %eax, %esi
-
- roll $10, %edi
- movl %edi, %eax
- xorl %esi, %edi
- andl $0x33333333, %edi
- xorl %edi, %eax
- xorl %edi, %esi
-
- roll $18, %esi
- movl %esi, %edi
- xorl %eax, %esi
- andl $0xfff0000f, %esi
- xorl %esi, %edi
- xorl %esi, %eax
-
- roll $12, %edi
- movl %edi, %esi
- xorl %eax, %edi
- andl $0xf0f0f0f0, %edi
- xorl %edi, %esi
- xorl %edi, %eax
-
- rorl $4, %eax
- movl %eax, (%edx)
- movl %esi, 4(%edx)
- popl %ebp
- popl %ebx
- popl %edi
- popl %esi
- ret
-.des_encrypt_end:
- .size des_encrypt , .des_encrypt_end-des_encrypt
-.ident "desasm.pl"
-.text
- .align 16
-.globl des_encrypt2
- .type des_encrypt2 , @function
-des_encrypt2:
- pushl %esi
- pushl %edi
-
-
- movl 12(%esp), %eax
- xorl %ecx, %ecx
- pushl %ebx
- pushl %ebp
- movl (%eax), %esi
- movl 28(%esp), %ebx
- roll $3, %esi
- movl 4(%eax), %edi
- roll $3, %edi
- movl 24(%esp), %ebp
- cmpl $0, %ebx
- je .L002start_decrypt
-
-
- movl (%ebp), %eax
- xorl %ebx, %ebx
- movl 4(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 8(%ebp), %eax
- xorl %ebx, %ebx
- movl 12(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 16(%ebp), %eax
- xorl %ebx, %ebx
- movl 20(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 24(%ebp), %eax
- xorl %ebx, %ebx
- movl 28(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 32(%ebp), %eax
- xorl %ebx, %ebx
- movl 36(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 40(%ebp), %eax
- xorl %ebx, %ebx
- movl 44(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 48(%ebp), %eax
- xorl %ebx, %ebx
- movl 52(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 56(%ebp), %eax
- xorl %ebx, %ebx
- movl 60(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 64(%ebp), %eax
- xorl %ebx, %ebx
- movl 68(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 72(%ebp), %eax
- xorl %ebx, %ebx
- movl 76(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 80(%ebp), %eax
- xorl %ebx, %ebx
- movl 84(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 88(%ebp), %eax
- xorl %ebx, %ebx
- movl 92(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 96(%ebp), %eax
- xorl %ebx, %ebx
- movl 100(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 104(%ebp), %eax
- xorl %ebx, %ebx
- movl 108(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 112(%ebp), %eax
- xorl %ebx, %ebx
- movl 116(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 120(%ebp), %eax
- xorl %ebx, %ebx
- movl 124(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
- jmp .L003end
-.L002start_decrypt:
-
-
- movl 120(%ebp), %eax
- xorl %ebx, %ebx
- movl 124(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 112(%ebp), %eax
- xorl %ebx, %ebx
- movl 116(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 104(%ebp), %eax
- xorl %ebx, %ebx
- movl 108(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 96(%ebp), %eax
- xorl %ebx, %ebx
- movl 100(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 88(%ebp), %eax
- xorl %ebx, %ebx
- movl 92(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 80(%ebp), %eax
- xorl %ebx, %ebx
- movl 84(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 72(%ebp), %eax
- xorl %ebx, %ebx
- movl 76(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 64(%ebp), %eax
- xorl %ebx, %ebx
- movl 68(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 56(%ebp), %eax
- xorl %ebx, %ebx
- movl 60(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 48(%ebp), %eax
- xorl %ebx, %ebx
- movl 52(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 40(%ebp), %eax
- xorl %ebx, %ebx
- movl 44(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 32(%ebp), %eax
- xorl %ebx, %ebx
- movl 36(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 24(%ebp), %eax
- xorl %ebx, %ebx
- movl 28(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl 16(%ebp), %eax
- xorl %ebx, %ebx
- movl 20(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-
-
- movl 8(%ebp), %eax
- xorl %ebx, %ebx
- movl 12(%ebp), %edx
- xorl %esi, %eax
- xorl %esi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %edi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %edi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %edi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %edi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %edi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %edi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %edi
-
-
- movl (%ebp), %eax
- xorl %ebx, %ebx
- movl 4(%ebp), %edx
- xorl %edi, %eax
- xorl %edi, %edx
- andl $0xfcfcfcfc, %eax
- andl $0xcfcfcfcf, %edx
- movb %al, %bl
- movb %ah, %cl
- rorl $4, %edx
- movl des_SPtrans(%ebx),%ebp
- movb %dl, %bl
- xorl %ebp, %esi
- movl 0x200+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movb %dh, %cl
- shrl $16, %eax
- movl 0x100+des_SPtrans(%ebx),%ebp
- xorl %ebp, %esi
- movb %ah, %bl
- shrl $16, %edx
- movl 0x300+des_SPtrans(%ecx),%ebp
- xorl %ebp, %esi
- movl 24(%esp), %ebp
- movb %dh, %cl
- andl $0xff, %eax
- andl $0xff, %edx
- movl 0x600+des_SPtrans(%ebx),%ebx
- xorl %ebx, %esi
- movl 0x700+des_SPtrans(%ecx),%ebx
- xorl %ebx, %esi
- movl 0x400+des_SPtrans(%eax),%ebx
- xorl %ebx, %esi
- movl 0x500+des_SPtrans(%edx),%ebx
- xorl %ebx, %esi
-.L003end:
-
-
- rorl $3, %edi
- movl 20(%esp), %eax
- rorl $3, %esi
- movl %edi, (%eax)
- movl %esi, 4(%eax)
- popl %ebp
- popl %ebx
- popl %edi
- popl %esi
- ret
-.des_encrypt2_end:
- .size des_encrypt2 , .des_encrypt2_end-des_encrypt2
-.ident "desasm.pl"
-.text
- .align 16
-.globl des_encrypt3
- .type des_encrypt3 , @function
-des_encrypt3:
- pushl %ebx
- movl 8(%esp), %ebx
- pushl %ebp
- pushl %esi
- pushl %edi
-
-
- movl (%ebx), %edi
- movl 4(%ebx), %esi
- subl $12, %esp
-
-
- roll $4, %edi
- movl %edi, %edx
- xorl %esi, %edi
- andl $0xf0f0f0f0, %edi
- xorl %edi, %edx
- xorl %edi, %esi
-
- roll $20, %esi
- movl %esi, %edi
- xorl %edx, %esi
- andl $0xfff0000f, %esi
- xorl %esi, %edi
- xorl %esi, %edx
-
- roll $14, %edi
- movl %edi, %esi
- xorl %edx, %edi
- andl $0x33333333, %edi
- xorl %edi, %esi
- xorl %edi, %edx
-
- roll $22, %edx
- movl %edx, %edi
- xorl %esi, %edx
- andl $0x03fc03fc, %edx
- xorl %edx, %edi
- xorl %edx, %esi
-
- roll $9, %edi
- movl %edi, %edx
- xorl %esi, %edi
- andl $0xaaaaaaaa, %edi
- xorl %edi, %edx
- xorl %edi, %esi
-
- rorl $3, %edx
- rorl $2, %esi
- movl %esi, 4(%ebx)
- movl 36(%esp), %eax
- movl %edx, (%ebx)
- movl 40(%esp), %edi
- movl 44(%esp), %esi
- movl $1, 8(%esp)
- movl %eax, 4(%esp)
- movl %ebx, (%esp)
- call des_encrypt2
- movl $0, 8(%esp)
- movl %edi, 4(%esp)
- movl %ebx, (%esp)
- call des_encrypt2
- movl $1, 8(%esp)
- movl %esi, 4(%esp)
- movl %ebx, (%esp)
- call des_encrypt2
- addl $12, %esp
- movl (%ebx), %edi
- movl 4(%ebx), %esi
-
-
- roll $2, %esi
- roll $3, %edi
- movl %edi, %eax
- xorl %esi, %edi
- andl $0xaaaaaaaa, %edi
- xorl %edi, %eax
- xorl %edi, %esi
-
- roll $23, %eax
- movl %eax, %edi
- xorl %esi, %eax
- andl $0x03fc03fc, %eax
- xorl %eax, %edi
- xorl %eax, %esi
-
- roll $10, %edi
- movl %edi, %eax
- xorl %esi, %edi
- andl $0x33333333, %edi
- xorl %edi, %eax
- xorl %edi, %esi
-
- roll $18, %esi
- movl %esi, %edi
- xorl %eax, %esi
- andl $0xfff0000f, %esi
- xorl %esi, %edi
- xorl %esi, %eax
-
- roll $12, %edi
- movl %edi, %esi
- xorl %eax, %edi
- andl $0xf0f0f0f0, %edi
- xorl %edi, %esi
- xorl %edi, %eax
-
- rorl $4, %eax
- movl %eax, (%ebx)
- movl %esi, 4(%ebx)
- popl %edi
- popl %esi
- popl %ebp
- popl %ebx
- ret
-.des_encrypt3_end:
- .size des_encrypt3 , .des_encrypt3_end-des_encrypt3
-.ident "desasm.pl"
-.text
- .align 16
-.globl des_decrypt3
- .type des_decrypt3 , @function
-des_decrypt3:
- pushl %ebx
- movl 8(%esp), %ebx
- pushl %ebp
- pushl %esi
- pushl %edi
-
-
- movl (%ebx), %edi
- movl 4(%ebx), %esi
- subl $12, %esp
-
-
- roll $4, %edi
- movl %edi, %edx
- xorl %esi, %edi
- andl $0xf0f0f0f0, %edi
- xorl %edi, %edx
- xorl %edi, %esi
-
- roll $20, %esi
- movl %esi, %edi
- xorl %edx, %esi
- andl $0xfff0000f, %esi
- xorl %esi, %edi
- xorl %esi, %edx
-
- roll $14, %edi
- movl %edi, %esi
- xorl %edx, %edi
- andl $0x33333333, %edi
- xorl %edi, %esi
- xorl %edi, %edx
-
- roll $22, %edx
- movl %edx, %edi
- xorl %esi, %edx
- andl $0x03fc03fc, %edx
- xorl %edx, %edi
- xorl %edx, %esi
-
- roll $9, %edi
- movl %edi, %edx
- xorl %esi, %edi
- andl $0xaaaaaaaa, %edi
- xorl %edi, %edx
- xorl %edi, %esi
-
- rorl $3, %edx
- rorl $2, %esi
- movl %esi, 4(%ebx)
- movl 36(%esp), %esi
- movl %edx, (%ebx)
- movl 40(%esp), %edi
- movl 44(%esp), %eax
- movl $0, 8(%esp)
- movl %eax, 4(%esp)
- movl %ebx, (%esp)
- call des_encrypt2
- movl $1, 8(%esp)
- movl %edi, 4(%esp)
- movl %ebx, (%esp)
- call des_encrypt2
- movl $0, 8(%esp)
- movl %esi, 4(%esp)
- movl %ebx, (%esp)
- call des_encrypt2
- addl $12, %esp
- movl (%ebx), %edi
- movl 4(%ebx), %esi
-
-
- roll $2, %esi
- roll $3, %edi
- movl %edi, %eax
- xorl %esi, %edi
- andl $0xaaaaaaaa, %edi
- xorl %edi, %eax
- xorl %edi, %esi
-
- roll $23, %eax
- movl %eax, %edi
- xorl %esi, %eax
- andl $0x03fc03fc, %eax
- xorl %eax, %edi
- xorl %eax, %esi
-
- roll $10, %edi
- movl %edi, %eax
- xorl %esi, %edi
- andl $0x33333333, %edi
- xorl %edi, %eax
- xorl %edi, %esi
-
- roll $18, %esi
- movl %esi, %edi
- xorl %eax, %esi
- andl $0xfff0000f, %esi
- xorl %esi, %edi
- xorl %esi, %eax
-
- roll $12, %edi
- movl %edi, %esi
- xorl %eax, %edi
- andl $0xf0f0f0f0, %edi
- xorl %edi, %esi
- xorl %edi, %eax
-
- rorl $4, %eax
- movl %eax, (%ebx)
- movl %esi, 4(%ebx)
- popl %edi
- popl %esi
- popl %ebp
- popl %ebx
- ret
-.des_decrypt3_end:
- .size des_decrypt3 , .des_decrypt3_end-des_decrypt3
-.ident "desasm.pl"
-.text
- .align 16
-.globl des_ncbc_encrypt
- .type des_ncbc_encrypt , @function
-des_ncbc_encrypt:
-
- pushl %ebp
- pushl %ebx
- pushl %esi
- pushl %edi
- movl 28(%esp), %ebp
-
- movl 36(%esp), %ebx
- movl (%ebx), %esi
- movl 4(%ebx), %edi
- pushl %edi
- pushl %esi
- pushl %edi
- pushl %esi
- movl %esp, %ebx
- movl 36(%esp), %esi
- movl 40(%esp), %edi
-
- movl 56(%esp), %ecx
-
- pushl %ecx
-
- movl 52(%esp), %eax
- pushl %eax
- pushl %ebx
- cmpl $0, %ecx
- jz .L004decrypt
- andl $4294967288, %ebp
- movl 12(%esp), %eax
- movl 16(%esp), %ebx
- jz .L005encrypt_finish
-.L006encrypt_loop:
- movl (%esi), %ecx
- movl 4(%esi), %edx
- xorl %ecx, %eax
- xorl %edx, %ebx
- movl %eax, 12(%esp)
- movl %ebx, 16(%esp)
- call des_encrypt
- movl 12(%esp), %eax
- movl 16(%esp), %ebx
- movl %eax, (%edi)
- movl %ebx, 4(%edi)
- addl $8, %esi
- addl $8, %edi
- subl $8, %ebp
- jnz .L006encrypt_loop
-.L005encrypt_finish:
- movl 56(%esp), %ebp
- andl $7, %ebp
- jz .L007finish
- xorl %ecx, %ecx
- xorl %edx, %edx
- movl .L008cbc_enc_jmp_table(,%ebp,4),%ebp
- jmp *%ebp
-.L009ej7:
- movb 6(%esi), %dh
- sall $8, %edx
-.L010ej6:
- movb 5(%esi), %dh
-.L011ej5:
- movb 4(%esi), %dl
-.L012ej4:
- movl (%esi), %ecx
- jmp .L013ejend
-.L014ej3:
- movb 2(%esi), %ch
- sall $8, %ecx
-.L015ej2:
- movb 1(%esi), %ch
-.L016ej1:
- movb (%esi), %cl
-.L013ejend:
- xorl %ecx, %eax
- xorl %edx, %ebx
- movl %eax, 12(%esp)
- movl %ebx, 16(%esp)
- call des_encrypt
- movl 12(%esp), %eax
- movl 16(%esp), %ebx
- movl %eax, (%edi)
- movl %ebx, 4(%edi)
- jmp .L007finish
-.align 16
-.L004decrypt:
- andl $4294967288, %ebp
- movl 20(%esp), %eax
- movl 24(%esp), %ebx
- jz .L017decrypt_finish
-.L018decrypt_loop:
- movl (%esi), %eax
- movl 4(%esi), %ebx
- movl %eax, 12(%esp)
- movl %ebx, 16(%esp)
- call des_encrypt
- movl 12(%esp), %eax
- movl 16(%esp), %ebx
- movl 20(%esp), %ecx
- movl 24(%esp), %edx
- xorl %eax, %ecx
- xorl %ebx, %edx
- movl (%esi), %eax
- movl 4(%esi), %ebx
- movl %ecx, (%edi)
- movl %edx, 4(%edi)
- movl %eax, 20(%esp)
- movl %ebx, 24(%esp)
- addl $8, %esi
- addl $8, %edi
- subl $8, %ebp
- jnz .L018decrypt_loop
-.L017decrypt_finish:
- movl 56(%esp), %ebp
- andl $7, %ebp
- jz .L007finish
- movl (%esi), %eax
- movl 4(%esi), %ebx
- movl %eax, 12(%esp)
- movl %ebx, 16(%esp)
- call des_encrypt
- movl 12(%esp), %eax
- movl 16(%esp), %ebx
- movl 20(%esp), %ecx
- movl 24(%esp), %edx
- xorl %eax, %ecx
- xorl %ebx, %edx
- movl (%esi), %eax
- movl 4(%esi), %ebx
-.L019dj7:
- rorl $16, %edx
- movb %dl, 6(%edi)
- shrl $16, %edx
-.L020dj6:
- movb %dh, 5(%edi)
-.L021dj5:
- movb %dl, 4(%edi)
-.L022dj4:
- movl %ecx, (%edi)
- jmp .L023djend
-.L024dj3:
- rorl $16, %ecx
- movb %cl, 2(%edi)
- sall $16, %ecx
-.L025dj2:
- movb %ch, 1(%esi)
-.L026dj1:
- movb %cl, (%esi)
-.L023djend:
- jmp .L007finish
-.align 16
-.L007finish:
- movl 64(%esp), %ecx
- addl $28, %esp
- movl %eax, (%ecx)
- movl %ebx, 4(%ecx)
- popl %edi
- popl %esi
- popl %ebx
- popl %ebp
- ret
-.align 16
-.L008cbc_enc_jmp_table:
- .long 0
- .long .L016ej1
- .long .L015ej2
- .long .L014ej3
- .long .L012ej4
- .long .L011ej5
- .long .L010ej6
- .long .L009ej7
-.align 16
-.L027cbc_dec_jmp_table:
- .long 0
- .long .L026dj1
- .long .L025dj2
- .long .L024dj3
- .long .L022dj4
- .long .L021dj5
- .long .L020dj6
- .long .L019dj7
-.des_ncbc_encrypt_end:
- .size des_ncbc_encrypt , .des_ncbc_encrypt_end-des_ncbc_encrypt
-.ident "desasm.pl"
-.text
- .align 16
-.globl des_ede3_cbc_encrypt
- .type des_ede3_cbc_encrypt , @function
-des_ede3_cbc_encrypt:
-
- pushl %ebp
- pushl %ebx
- pushl %esi
- pushl %edi
- movl 28(%esp), %ebp
-
- movl 44(%esp), %ebx
- movl (%ebx), %esi
- movl 4(%ebx), %edi
- pushl %edi
- pushl %esi
- pushl %edi
- pushl %esi
- movl %esp, %ebx
- movl 36(%esp), %esi
- movl 40(%esp), %edi
-
- movl 64(%esp), %ecx
-
- movl 56(%esp), %eax
- pushl %eax
-
- movl 56(%esp), %eax
- pushl %eax
-
- movl 56(%esp), %eax
- pushl %eax
- pushl %ebx
- cmpl $0, %ecx
- jz .L028decrypt
- andl $4294967288, %ebp
- movl 16(%esp), %eax
- movl 20(%esp), %ebx
- jz .L029encrypt_finish
-.L030encrypt_loop:
- movl (%esi), %ecx
- movl 4(%esi), %edx
- xorl %ecx, %eax
- xorl %edx, %ebx
- movl %eax, 16(%esp)
- movl %ebx, 20(%esp)
- call des_encrypt3
- movl 16(%esp), %eax
- movl 20(%esp), %ebx
- movl %eax, (%edi)
- movl %ebx, 4(%edi)
- addl $8, %esi
- addl $8, %edi
- subl $8, %ebp
- jnz .L030encrypt_loop
-.L029encrypt_finish:
- movl 60(%esp), %ebp
- andl $7, %ebp
- jz .L031finish
- xorl %ecx, %ecx
- xorl %edx, %edx
- movl .L032cbc_enc_jmp_table(,%ebp,4),%ebp
- jmp *%ebp
-.L033ej7:
- movb 6(%esi), %dh
- sall $8, %edx
-.L034ej6:
- movb 5(%esi), %dh
-.L035ej5:
- movb 4(%esi), %dl
-.L036ej4:
- movl (%esi), %ecx
- jmp .L037ejend
-.L038ej3:
- movb 2(%esi), %ch
- sall $8, %ecx
-.L039ej2:
- movb 1(%esi), %ch
-.L040ej1:
- movb (%esi), %cl
-.L037ejend:
- xorl %ecx, %eax
- xorl %edx, %ebx
- movl %eax, 16(%esp)
- movl %ebx, 20(%esp)
- call des_encrypt3
- movl 16(%esp), %eax
- movl 20(%esp), %ebx
- movl %eax, (%edi)
- movl %ebx, 4(%edi)
- jmp .L031finish
-.align 16
-.L028decrypt:
- andl $4294967288, %ebp
- movl 24(%esp), %eax
- movl 28(%esp), %ebx
- jz .L041decrypt_finish
-.L042decrypt_loop:
- movl (%esi), %eax
- movl 4(%esi), %ebx
- movl %eax, 16(%esp)
- movl %ebx, 20(%esp)
- call des_decrypt3
- movl 16(%esp), %eax
- movl 20(%esp), %ebx
- movl 24(%esp), %ecx
- movl 28(%esp), %edx
- xorl %eax, %ecx
- xorl %ebx, %edx
- movl (%esi), %eax
- movl 4(%esi), %ebx
- movl %ecx, (%edi)
- movl %edx, 4(%edi)
- movl %eax, 24(%esp)
- movl %ebx, 28(%esp)
- addl $8, %esi
- addl $8, %edi
- subl $8, %ebp
- jnz .L042decrypt_loop
-.L041decrypt_finish:
- movl 60(%esp), %ebp
- andl $7, %ebp
- jz .L031finish
- movl (%esi), %eax
- movl 4(%esi), %ebx
- movl %eax, 16(%esp)
- movl %ebx, 20(%esp)
- call des_decrypt3
- movl 16(%esp), %eax
- movl 20(%esp), %ebx
- movl 24(%esp), %ecx
- movl 28(%esp), %edx
- xorl %eax, %ecx
- xorl %ebx, %edx
- movl (%esi), %eax
- movl 4(%esi), %ebx
-.L043dj7:
- rorl $16, %edx
- movb %dl, 6(%edi)
- shrl $16, %edx
-.L044dj6:
- movb %dh, 5(%edi)
-.L045dj5:
- movb %dl, 4(%edi)
-.L046dj4:
- movl %ecx, (%edi)
- jmp .L047djend
-.L048dj3:
- rorl $16, %ecx
- movb %cl, 2(%edi)
- sall $16, %ecx
-.L049dj2:
- movb %ch, 1(%esi)
-.L050dj1:
- movb %cl, (%esi)
-.L047djend:
- jmp .L031finish
-.align 16
-.L031finish:
- movl 76(%esp), %ecx
- addl $32, %esp
- movl %eax, (%ecx)
- movl %ebx, 4(%ecx)
- popl %edi
- popl %esi
- popl %ebx
- popl %ebp
- ret
-.align 16
-.L032cbc_enc_jmp_table:
- .long 0
- .long .L040ej1
- .long .L039ej2
- .long .L038ej3
- .long .L036ej4
- .long .L035ej5
- .long .L034ej6
- .long .L033ej7
-.align 16
-.L051cbc_dec_jmp_table:
- .long 0
- .long .L050dj1
- .long .L049dj2
- .long .L048dj3
- .long .L046dj4
- .long .L045dj5
- .long .L044dj6
- .long .L043dj7
-.des_ede3_cbc_encrypt_end:
- .size des_ede3_cbc_encrypt , .des_ede3_cbc_encrypt_end-des_ede3_cbc_encrypt
-.ident "desasm.pl"
diff --git a/linux/crypto/ciphers/des/options.txt b/linux/crypto/ciphers/des/options.txt
deleted file mode 100644
index 6e2b50f76..000000000
--- a/linux/crypto/ciphers/des/options.txt
+++ /dev/null
@@ -1,39 +0,0 @@
-Note that the UNROLL option makes the 'inner' des loop unroll all 16 rounds
-instead of the default 4.
-RISC1 and RISC2 are 2 alternatives for the inner loop and
-PTR means to use pointers arithmatic instead of arrays.
-
-FreeBSD - Pentium Pro 200mhz - gcc 2.7.2.2 - assembler 577,000 4620k/s
-IRIX 6.2 - R10000 195mhz - cc (-O3 -n32) - UNROLL RISC2 PTR 496,000 3968k/s
-solaris 2.5.1 usparc 167mhz?? - SC4.0 - UNROLL RISC1 PTR [1] 459,400 3672k/s
-FreeBSD - Pentium Pro 200mhz - gcc 2.7.2.2 - UNROLL RISC1 433,000 3468k/s
-solaris 2.5.1 usparc 167mhz?? - gcc 2.7.2 - UNROLL 380,000 3041k/s
-linux - pentium 100mhz - gcc 2.7.0 - assembler 281,000 2250k/s
-NT 4.0 - pentium 100mhz - VC 4.2 - assembler 281,000 2250k/s
-AIX 4.1? - PPC604 100mhz - cc - UNROLL 275,000 2200k/s
-IRIX 5.3 - R4400 200mhz - gcc 2.6.3 - UNROLL RISC2 PTR 235,300 1882k/s
-IRIX 5.3 - R4400 200mhz - cc - UNROLL RISC2 PTR 233,700 1869k/s
-NT 4.0 - pentium 100mhz - VC 4.2 - UNROLL RISC1 PTR 191,000 1528k/s
-DEC Alpha 165mhz?? - cc - RISC2 PTR [2] 181,000 1448k/s
-linux - pentium 100mhz - gcc 2.7.0 - UNROLL RISC1 PTR 158,500 1268k/s
-HPUX 10 - 9000/887 - cc - UNROLL [3] 148,000 1190k/s
-solaris 2.5.1 - sparc 10 50mhz - gcc 2.7.2 - UNROLL 123,600 989k/s
-IRIX 5.3 - R4000 100mhz - cc - UNROLL RISC2 PTR 101,000 808k/s
-DGUX - 88100 50mhz(?) - gcc 2.6.3 - UNROLL 81,000 648k/s
-solaris 2.4 486 50mhz - gcc 2.6.3 - assembler 65,000 522k/s
-HPUX 10 - 9000/887 - k&r cc (default compiler) - UNROLL PTR 76,000 608k/s
-solaris 2.4 486 50mhz - gcc 2.6.3 - UNROLL RISC2 43,500 344k/s
-AIX - old slow one :-) - cc - 39,000 312k/s
-
-Notes.
-[1] For the ultra sparc, SunC 4.0
- cc -xtarget=ultra -xarch=v8plus -Xa -xO5, running 'des_opts'
- gives a speed of 344,000 des/s while 'speed' gives 459,000 des/s.
- I'll record the higher since it is coming from the library but it
- is all rather weird.
-[2] Similar to the ultra sparc ([1]), 181,000 for 'des_opts' vs 175,000.
-[3] I was unable to get access to this machine when it was not heavily loaded.
- As such, my timing program was never able to get more that %30 of the CPU.
- This would cause the program to give much lower speed numbers because
- it would be 'fighting' to stay in the cache with the other CPU burning
- processes.
diff --git a/linux/include/mast.h b/linux/include/mast.h
deleted file mode 100644
index 626559b59..000000000
--- a/linux/include/mast.h
+++ /dev/null
@@ -1,33 +0,0 @@
-struct mast_callbacks {
- int (*packet_encap)(struct device *mast, void *context,
- struct sk_buff *skb, int flowref);
- int (*link_inquire)(struct device *mast, void *context);
-};
-
-
-struct device *mast_init (int family,
- struct mast_callbacks *callbacks,
- unsigned int flags,
- unsigned int desired_unit,
- unsigned int max_flowref,
- void *context);
-
-int mast_destroy(struct device *mast);
-
-int mast_recv(struct device *mast, struct sk_buff *skb, int flowref);
-
-/* free this skb as being useless, increment failure count. */
-int mast_toast(struct device *mast, struct sk_buff *skb, int flowref);
-
-int mast_linkstat (struct device *mast, int flowref,
- int status);
-
-int mast_setreference (struct device *mast,
- int defaultSA);
-
-int mast_setneighbor (struct device *mast,
- struct sockaddr *source,
- struct sockaddr *destination,
- int flowref);
-
-
diff --git a/linux/include/zlib/zlib.h b/linux/include/zlib/zlib.h
deleted file mode 100644
index 744e3822c..000000000
--- a/linux/include/zlib/zlib.h
+++ /dev/null
@@ -1,893 +0,0 @@
-/* zlib.h -- interface of the 'zlib' general purpose compression library
- version 1.1.4, March 11th, 2002
-
- Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler
-
- This software is provided 'as-is', without any express or implied
- warranty. In no event will the authors be held liable for any damages
- arising from the use of this software.
-
- Permission is granted to anyone to use this software for any purpose,
- including commercial applications, and to alter it and redistribute it
- freely, subject to the following restrictions:
-
- 1. The origin of this software must not be misrepresented; you must not
- claim that you wrote the original software. If you use this software
- in a product, an acknowledgment in the product documentation would be
- appreciated but is not required.
- 2. Altered source versions must be plainly marked as such, and must not be
- misrepresented as being the original software.
- 3. This notice may not be removed or altered from any source distribution.
-
- Jean-loup Gailly Mark Adler
- jloup@gzip.org madler@alumni.caltech.edu
-
-
- The data format used by the zlib library is described by RFCs (Request for
- Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt
- (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format).
-*/
-
-#ifndef _ZLIB_H
-#define _ZLIB_H
-
-#include "zconf.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#define ZLIB_VERSION "1.1.4"
-
-/*
- The 'zlib' compression library provides in-memory compression and
- decompression functions, including integrity checks of the uncompressed
- data. This version of the library supports only one compression method
- (deflation) but other algorithms will be added later and will have the same
- stream interface.
-
- Compression can be done in a single step if the buffers are large
- enough (for example if an input file is mmap'ed), or can be done by
- repeated calls of the compression function. In the latter case, the
- application must provide more input and/or consume the output
- (providing more output space) before each call.
-
- The library also supports reading and writing files in gzip (.gz) format
- with an interface similar to that of stdio.
-
- The library does not install any signal handler. The decoder checks
- the consistency of the compressed data, so the library should never
- crash even in case of corrupted input.
-*/
-
-typedef voidpf (*alloc_func) OF((voidpf opaque, uInt items, uInt size));
-typedef void (*free_func) OF((voidpf opaque, voidpf address));
-
-struct internal_state;
-
-typedef struct z_stream_s {
- Bytef *next_in; /* next input byte */
- uInt avail_in; /* number of bytes available at next_in */
- uLong total_in; /* total nb of input bytes read so far */
-
- Bytef *next_out; /* next output byte should be put there */
- uInt avail_out; /* remaining free space at next_out */
- uLong total_out; /* total nb of bytes output so far */
-
- const char *msg; /* last error message, NULL if no error */
- struct internal_state FAR *state; /* not visible by applications */
-
- alloc_func zalloc; /* used to allocate the internal state */
- free_func zfree; /* used to free the internal state */
- voidpf opaque; /* private data object passed to zalloc and zfree */
-
- int data_type; /* best guess about the data type: ascii or binary */
- uLong adler; /* adler32 value of the uncompressed data */
- uLong reserved; /* reserved for future use */
-} z_stream;
-
-typedef z_stream FAR *z_streamp;
-
-/*
- The application must update next_in and avail_in when avail_in has
- dropped to zero. It must update next_out and avail_out when avail_out
- has dropped to zero. The application must initialize zalloc, zfree and
- opaque before calling the init function. All other fields are set by the
- compression library and must not be updated by the application.
-
- The opaque value provided by the application will be passed as the first
- parameter for calls of zalloc and zfree. This can be useful for custom
- memory management. The compression library attaches no meaning to the
- opaque value.
-
- zalloc must return Z_NULL if there is not enough memory for the object.
- If zlib is used in a multi-threaded application, zalloc and zfree must be
- thread safe.
-
- On 16-bit systems, the functions zalloc and zfree must be able to allocate
- exactly 65536 bytes, but will not be required to allocate more than this
- if the symbol MAXSEG_64K is defined (see zconf.h). WARNING: On MSDOS,
- pointers returned by zalloc for objects of exactly 65536 bytes *must*
- have their offset normalized to zero. The default allocation function
- provided by this library ensures this (see zutil.c). To reduce memory
- requirements and avoid any allocation of 64K objects, at the expense of
- compression ratio, compile the library with -DMAX_WBITS=14 (see zconf.h).
-
- The fields total_in and total_out can be used for statistics or
- progress reports. After compression, total_in holds the total size of
- the uncompressed data and may be saved for use in the decompressor
- (particularly if the decompressor wants to decompress everything in
- a single step).
-*/
-
- /* constants */
-
-#define Z_NO_FLUSH 0
-#define Z_PARTIAL_FLUSH 1 /* will be removed, use Z_SYNC_FLUSH instead */
-#define Z_SYNC_FLUSH 2
-#define Z_FULL_FLUSH 3
-#define Z_FINISH 4
-/* Allowed flush values; see deflate() below for details */
-
-#define Z_OK 0
-#define Z_STREAM_END 1
-#define Z_NEED_DICT 2
-#define Z_ERRNO (-1)
-#define Z_STREAM_ERROR (-2)
-#define Z_DATA_ERROR (-3)
-#define Z_MEM_ERROR (-4)
-#define Z_BUF_ERROR (-5)
-#define Z_VERSION_ERROR (-6)
-/* Return codes for the compression/decompression functions. Negative
- * values are errors, positive values are used for special but normal events.
- */
-
-#define Z_NO_COMPRESSION 0
-#define Z_BEST_SPEED 1
-#define Z_BEST_COMPRESSION 9
-#define Z_DEFAULT_COMPRESSION (-1)
-/* compression levels */
-
-#define Z_FILTERED 1
-#define Z_HUFFMAN_ONLY 2
-#define Z_DEFAULT_STRATEGY 0
-/* compression strategy; see deflateInit2() below for details */
-
-#define Z_BINARY 0
-#define Z_ASCII 1
-#define Z_UNKNOWN 2
-/* Possible values of the data_type field */
-
-#define Z_DEFLATED 8
-/* The deflate compression method (the only one supported in this version) */
-
-#define Z_NULL 0 /* for initializing zalloc, zfree, opaque */
-
-#define zlib_version zlibVersion()
-/* for compatibility with versions < 1.0.2 */
-
- /* basic functions */
-
-ZEXTERN const char * ZEXPORT zlibVersion OF((void));
-/* The application can compare zlibVersion and ZLIB_VERSION for consistency.
- If the first character differs, the library code actually used is
- not compatible with the zlib.h header file used by the application.
- This check is automatically made by deflateInit and inflateInit.
- */
-
-/*
-ZEXTERN int ZEXPORT deflateInit OF((z_streamp strm, int level));
-
- Initializes the internal stream state for compression. The fields
- zalloc, zfree and opaque must be initialized before by the caller.
- If zalloc and zfree are set to Z_NULL, deflateInit updates them to
- use default allocation functions.
-
- The compression level must be Z_DEFAULT_COMPRESSION, or between 0 and 9:
- 1 gives best speed, 9 gives best compression, 0 gives no compression at
- all (the input data is simply copied a block at a time).
- Z_DEFAULT_COMPRESSION requests a default compromise between speed and
- compression (currently equivalent to level 6).
-
- deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not
- enough memory, Z_STREAM_ERROR if level is not a valid compression level,
- Z_VERSION_ERROR if the zlib library version (zlib_version) is incompatible
- with the version assumed by the caller (ZLIB_VERSION).
- msg is set to null if there is no error message. deflateInit does not
- perform any compression: this will be done by deflate().
-*/
-
-
-ZEXTERN int ZEXPORT deflate OF((z_streamp strm, int flush));
-/*
- deflate compresses as much data as possible, and stops when the input
- buffer becomes empty or the output buffer becomes full. It may introduce some
- output latency (reading input without producing any output) except when
- forced to flush.
-
- The detailed semantics are as follows. deflate performs one or both of the
- following actions:
-
- - Compress more input starting at next_in and update next_in and avail_in
- accordingly. If not all input can be processed (because there is not
- enough room in the output buffer), next_in and avail_in are updated and
- processing will resume at this point for the next call of deflate().
-
- - Provide more output starting at next_out and update next_out and avail_out
- accordingly. This action is forced if the parameter flush is non zero.
- Forcing flush frequently degrades the compression ratio, so this parameter
- should be set only when necessary (in interactive applications).
- Some output may be provided even if flush is not set.
-
- Before the call of deflate(), the application should ensure that at least
- one of the actions is possible, by providing more input and/or consuming
- more output, and updating avail_in or avail_out accordingly; avail_out
- should never be zero before the call. The application can consume the
- compressed output when it wants, for example when the output buffer is full
- (avail_out == 0), or after each call of deflate(). If deflate returns Z_OK
- and with zero avail_out, it must be called again after making room in the
- output buffer because there might be more output pending.
-
- If the parameter flush is set to Z_SYNC_FLUSH, all pending output is
- flushed to the output buffer and the output is aligned on a byte boundary, so
- that the decompressor can get all input data available so far. (In particular
- avail_in is zero after the call if enough output space has been provided
- before the call.) Flushing may degrade compression for some compression
- algorithms and so it should be used only when necessary.
-
- If flush is set to Z_FULL_FLUSH, all output is flushed as with
- Z_SYNC_FLUSH, and the compression state is reset so that decompression can
- restart from this point if previous compressed data has been damaged or if
- random access is desired. Using Z_FULL_FLUSH too often can seriously degrade
- the compression.
-
- If deflate returns with avail_out == 0, this function must be called again
- with the same value of the flush parameter and more output space (updated
- avail_out), until the flush is complete (deflate returns with non-zero
- avail_out).
-
- If the parameter flush is set to Z_FINISH, pending input is processed,
- pending output is flushed and deflate returns with Z_STREAM_END if there
- was enough output space; if deflate returns with Z_OK, this function must be
- called again with Z_FINISH and more output space (updated avail_out) but no
- more input data, until it returns with Z_STREAM_END or an error. After
- deflate has returned Z_STREAM_END, the only possible operations on the
- stream are deflateReset or deflateEnd.
-
- Z_FINISH can be used immediately after deflateInit if all the compression
- is to be done in a single step. In this case, avail_out must be at least
- 0.1% larger than avail_in plus 12 bytes. If deflate does not return
- Z_STREAM_END, then it must be called again as described above.
-
- deflate() sets strm->adler to the adler32 checksum of all input read
- so far (that is, total_in bytes).
-
- deflate() may update data_type if it can make a good guess about
- the input data type (Z_ASCII or Z_BINARY). In doubt, the data is considered
- binary. This field is only for information purposes and does not affect
- the compression algorithm in any manner.
-
- deflate() returns Z_OK if some progress has been made (more input
- processed or more output produced), Z_STREAM_END if all input has been
- consumed and all output has been produced (only when flush is set to
- Z_FINISH), Z_STREAM_ERROR if the stream state was inconsistent (for example
- if next_in or next_out was NULL), Z_BUF_ERROR if no progress is possible
- (for example avail_in or avail_out was zero).
-*/
-
-
-ZEXTERN int ZEXPORT deflateEnd OF((z_streamp strm));
-/*
- All dynamically allocated data structures for this stream are freed.
- This function discards any unprocessed input and does not flush any
- pending output.
-
- deflateEnd returns Z_OK if success, Z_STREAM_ERROR if the
- stream state was inconsistent, Z_DATA_ERROR if the stream was freed
- prematurely (some input or output was discarded). In the error case,
- msg may be set but then points to a static string (which must not be
- deallocated).
-*/
-
-
-/*
-ZEXTERN int ZEXPORT inflateInit OF((z_streamp strm));
-
- Initializes the internal stream state for decompression. The fields
- next_in, avail_in, zalloc, zfree and opaque must be initialized before by
- the caller. If next_in is not Z_NULL and avail_in is large enough (the exact
- value depends on the compression method), inflateInit determines the
- compression method from the zlib header and allocates all data structures
- accordingly; otherwise the allocation will be deferred to the first call of
- inflate. If zalloc and zfree are set to Z_NULL, inflateInit updates them to
- use default allocation functions.
-
- inflateInit returns Z_OK if success, Z_MEM_ERROR if there was not enough
- memory, Z_VERSION_ERROR if the zlib library version is incompatible with the
- version assumed by the caller. msg is set to null if there is no error
- message. inflateInit does not perform any decompression apart from reading
- the zlib header if present: this will be done by inflate(). (So next_in and
- avail_in may be modified, but next_out and avail_out are unchanged.)
-*/
-
-
-ZEXTERN int ZEXPORT inflate OF((z_streamp strm, int flush));
-/*
- inflate decompresses as much data as possible, and stops when the input
- buffer becomes empty or the output buffer becomes full. It may some
- introduce some output latency (reading input without producing any output)
- except when forced to flush.
-
- The detailed semantics are as follows. inflate performs one or both of the
- following actions:
-
- - Decompress more input starting at next_in and update next_in and avail_in
- accordingly. If not all input can be processed (because there is not
- enough room in the output buffer), next_in is updated and processing
- will resume at this point for the next call of inflate().
-
- - Provide more output starting at next_out and update next_out and avail_out
- accordingly. inflate() provides as much output as possible, until there
- is no more input data or no more space in the output buffer (see below
- about the flush parameter).
-
- Before the call of inflate(), the application should ensure that at least
- one of the actions is possible, by providing more input and/or consuming
- more output, and updating the next_* and avail_* values accordingly.
- The application can consume the uncompressed output when it wants, for
- example when the output buffer is full (avail_out == 0), or after each
- call of inflate(). If inflate returns Z_OK and with zero avail_out, it
- must be called again after making room in the output buffer because there
- might be more output pending.
-
- If the parameter flush is set to Z_SYNC_FLUSH, inflate flushes as much
- output as possible to the output buffer. The flushing behavior of inflate is
- not specified for values of the flush parameter other than Z_SYNC_FLUSH
- and Z_FINISH, but the current implementation actually flushes as much output
- as possible anyway.
-
- inflate() should normally be called until it returns Z_STREAM_END or an
- error. However if all decompression is to be performed in a single step
- (a single call of inflate), the parameter flush should be set to
- Z_FINISH. In this case all pending input is processed and all pending
- output is flushed; avail_out must be large enough to hold all the
- uncompressed data. (The size of the uncompressed data may have been saved
- by the compressor for this purpose.) The next operation on this stream must
- be inflateEnd to deallocate the decompression state. The use of Z_FINISH
- is never required, but can be used to inform inflate that a faster routine
- may be used for the single inflate() call.
-
- If a preset dictionary is needed at this point (see inflateSetDictionary
- below), inflate sets strm-adler to the adler32 checksum of the
- dictionary chosen by the compressor and returns Z_NEED_DICT; otherwise
- it sets strm->adler to the adler32 checksum of all output produced
- so far (that is, total_out bytes) and returns Z_OK, Z_STREAM_END or
- an error code as described below. At the end of the stream, inflate()
- checks that its computed adler32 checksum is equal to that saved by the
- compressor and returns Z_STREAM_END only if the checksum is correct.
-
- inflate() returns Z_OK if some progress has been made (more input processed
- or more output produced), Z_STREAM_END if the end of the compressed data has
- been reached and all uncompressed output has been produced, Z_NEED_DICT if a
- preset dictionary is needed at this point, Z_DATA_ERROR if the input data was
- corrupted (input stream not conforming to the zlib format or incorrect
- adler32 checksum), Z_STREAM_ERROR if the stream structure was inconsistent
- (for example if next_in or next_out was NULL), Z_MEM_ERROR if there was not
- enough memory, Z_BUF_ERROR if no progress is possible or if there was not
- enough room in the output buffer when Z_FINISH is used. In the Z_DATA_ERROR
- case, the application may then call inflateSync to look for a good
- compression block.
-*/
-
-
-ZEXTERN int ZEXPORT inflateEnd OF((z_streamp strm));
-/*
- All dynamically allocated data structures for this stream are freed.
- This function discards any unprocessed input and does not flush any
- pending output.
-
- inflateEnd returns Z_OK if success, Z_STREAM_ERROR if the stream state
- was inconsistent. In the error case, msg may be set but then points to a
- static string (which must not be deallocated).
-*/
-
- /* Advanced functions */
-
-/*
- The following functions are needed only in some special applications.
-*/
-
-/*
-ZEXTERN int ZEXPORT deflateInit2 OF((z_streamp strm,
- int level,
- int method,
- int windowBits,
- int memLevel,
- int strategy));
-
- This is another version of deflateInit with more compression options. The
- fields next_in, zalloc, zfree and opaque must be initialized before by
- the caller.
-
- The method parameter is the compression method. It must be Z_DEFLATED in
- this version of the library.
-
- The windowBits parameter is the base two logarithm of the window size
- (the size of the history buffer). It should be in the range 8..15 for this
- version of the library. Larger values of this parameter result in better
- compression at the expense of memory usage. The default value is 15 if
- deflateInit is used instead.
-
- The memLevel parameter specifies how much memory should be allocated
- for the internal compression state. memLevel=1 uses minimum memory but
- is slow and reduces compression ratio; memLevel=9 uses maximum memory
- for optimal speed. The default value is 8. See zconf.h for total memory
- usage as a function of windowBits and memLevel.
-
- The strategy parameter is used to tune the compression algorithm. Use the
- value Z_DEFAULT_STRATEGY for normal data, Z_FILTERED for data produced by a
- filter (or predictor), or Z_HUFFMAN_ONLY to force Huffman encoding only (no
- string match). Filtered data consists mostly of small values with a
- somewhat random distribution. In this case, the compression algorithm is
- tuned to compress them better. The effect of Z_FILTERED is to force more
- Huffman coding and less string matching; it is somewhat intermediate
- between Z_DEFAULT and Z_HUFFMAN_ONLY. The strategy parameter only affects
- the compression ratio but not the correctness of the compressed output even
- if it is not set appropriately.
-
- deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
- memory, Z_STREAM_ERROR if a parameter is invalid (such as an invalid
- method). msg is set to null if there is no error message. deflateInit2 does
- not perform any compression: this will be done by deflate().
-*/
-
-ZEXTERN int ZEXPORT deflateSetDictionary OF((z_streamp strm,
- const Bytef *dictionary,
- uInt dictLength));
-/*
- Initializes the compression dictionary from the given byte sequence
- without producing any compressed output. This function must be called
- immediately after deflateInit, deflateInit2 or deflateReset, before any
- call of deflate. The compressor and decompressor must use exactly the same
- dictionary (see inflateSetDictionary).
-
- The dictionary should consist of strings (byte sequences) that are likely
- to be encountered later in the data to be compressed, with the most commonly
- used strings preferably put towards the end of the dictionary. Using a
- dictionary is most useful when the data to be compressed is short and can be
- predicted with good accuracy; the data can then be compressed better than
- with the default empty dictionary.
-
- Depending on the size of the compression data structures selected by
- deflateInit or deflateInit2, a part of the dictionary may in effect be
- discarded, for example if the dictionary is larger than the window size in
- deflate or deflate2. Thus the strings most likely to be useful should be
- put at the end of the dictionary, not at the front.
-
- Upon return of this function, strm->adler is set to the Adler32 value
- of the dictionary; the decompressor may later use this value to determine
- which dictionary has been used by the compressor. (The Adler32 value
- applies to the whole dictionary even if only a subset of the dictionary is
- actually used by the compressor.)
-
- deflateSetDictionary returns Z_OK if success, or Z_STREAM_ERROR if a
- parameter is invalid (such as NULL dictionary) or the stream state is
- inconsistent (for example if deflate has already been called for this stream
- or if the compression method is bsort). deflateSetDictionary does not
- perform any compression: this will be done by deflate().
-*/
-
-ZEXTERN int ZEXPORT deflateCopy OF((z_streamp dest,
- z_streamp source));
-/*
- Sets the destination stream as a complete copy of the source stream.
-
- This function can be useful when several compression strategies will be
- tried, for example when there are several ways of pre-processing the input
- data with a filter. The streams that will be discarded should then be freed
- by calling deflateEnd. Note that deflateCopy duplicates the internal
- compression state which can be quite large, so this strategy is slow and
- can consume lots of memory.
-
- deflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not
- enough memory, Z_STREAM_ERROR if the source stream state was inconsistent
- (such as zalloc being NULL). msg is left unchanged in both source and
- destination.
-*/
-
-ZEXTERN int ZEXPORT deflateReset OF((z_streamp strm));
-/*
- This function is equivalent to deflateEnd followed by deflateInit,
- but does not free and reallocate all the internal compression state.
- The stream will keep the same compression level and any other attributes
- that may have been set by deflateInit2.
-
- deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
- stream state was inconsistent (such as zalloc or state being NULL).
-*/
-
-ZEXTERN int ZEXPORT deflateParams OF((z_streamp strm,
- int level,
- int strategy));
-/*
- Dynamically update the compression level and compression strategy. The
- interpretation of level and strategy is as in deflateInit2. This can be
- used to switch between compression and straight copy of the input data, or
- to switch to a different kind of input data requiring a different
- strategy. If the compression level is changed, the input available so far
- is compressed with the old level (and may be flushed); the new level will
- take effect only at the next call of deflate().
-
- Before the call of deflateParams, the stream state must be set as for
- a call of deflate(), since the currently available input may have to
- be compressed and flushed. In particular, strm->avail_out must be non-zero.
-
- deflateParams returns Z_OK if success, Z_STREAM_ERROR if the source
- stream state was inconsistent or if a parameter was invalid, Z_BUF_ERROR
- if strm->avail_out was zero.
-*/
-
-/*
-ZEXTERN int ZEXPORT inflateInit2 OF((z_streamp strm,
- int windowBits));
-
- This is another version of inflateInit with an extra parameter. The
- fields next_in, avail_in, zalloc, zfree and opaque must be initialized
- before by the caller.
-
- The windowBits parameter is the base two logarithm of the maximum window
- size (the size of the history buffer). It should be in the range 8..15 for
- this version of the library. The default value is 15 if inflateInit is used
- instead. If a compressed stream with a larger window size is given as
- input, inflate() will return with the error code Z_DATA_ERROR instead of
- trying to allocate a larger window.
-
- inflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
- memory, Z_STREAM_ERROR if a parameter is invalid (such as a negative
- memLevel). msg is set to null if there is no error message. inflateInit2
- does not perform any decompression apart from reading the zlib header if
- present: this will be done by inflate(). (So next_in and avail_in may be
- modified, but next_out and avail_out are unchanged.)
-*/
-
-ZEXTERN int ZEXPORT inflateSetDictionary OF((z_streamp strm,
- const Bytef *dictionary,
- uInt dictLength));
-/*
- Initializes the decompression dictionary from the given uncompressed byte
- sequence. This function must be called immediately after a call of inflate
- if this call returned Z_NEED_DICT. The dictionary chosen by the compressor
- can be determined from the Adler32 value returned by this call of
- inflate. The compressor and decompressor must use exactly the same
- dictionary (see deflateSetDictionary).
-
- inflateSetDictionary returns Z_OK if success, Z_STREAM_ERROR if a
- parameter is invalid (such as NULL dictionary) or the stream state is
- inconsistent, Z_DATA_ERROR if the given dictionary doesn't match the
- expected one (incorrect Adler32 value). inflateSetDictionary does not
- perform any decompression: this will be done by subsequent calls of
- inflate().
-*/
-
-ZEXTERN int ZEXPORT inflateSync OF((z_streamp strm));
-/*
- Skips invalid compressed data until a full flush point (see above the
- description of deflate with Z_FULL_FLUSH) can be found, or until all
- available input is skipped. No output is provided.
-
- inflateSync returns Z_OK if a full flush point has been found, Z_BUF_ERROR
- if no more input was provided, Z_DATA_ERROR if no flush point has been found,
- or Z_STREAM_ERROR if the stream structure was inconsistent. In the success
- case, the application may save the current current value of total_in which
- indicates where valid compressed data was found. In the error case, the
- application may repeatedly call inflateSync, providing more input each time,
- until success or end of the input data.
-*/
-
-ZEXTERN int ZEXPORT inflateReset OF((z_streamp strm));
-/*
- This function is equivalent to inflateEnd followed by inflateInit,
- but does not free and reallocate all the internal decompression state.
- The stream will keep attributes that may have been set by inflateInit2.
-
- inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source
- stream state was inconsistent (such as zalloc or state being NULL).
-*/
-
-
- /* utility functions */
-
-/*
- The following utility functions are implemented on top of the
- basic stream-oriented functions. To simplify the interface, some
- default options are assumed (compression level and memory usage,
- standard memory allocation functions). The source code of these
- utility functions can easily be modified if you need special options.
-*/
-
-ZEXTERN int ZEXPORT compress OF((Bytef *dest, uLongf *destLen,
- const Bytef *source, uLong sourceLen));
-/*
- Compresses the source buffer into the destination buffer. sourceLen is
- the byte length of the source buffer. Upon entry, destLen is the total
- size of the destination buffer, which must be at least 0.1% larger than
- sourceLen plus 12 bytes. Upon exit, destLen is the actual size of the
- compressed buffer.
- This function can be used to compress a whole file at once if the
- input file is mmap'ed.
- compress returns Z_OK if success, Z_MEM_ERROR if there was not
- enough memory, Z_BUF_ERROR if there was not enough room in the output
- buffer.
-*/
-
-ZEXTERN int ZEXPORT compress2 OF((Bytef *dest, uLongf *destLen,
- const Bytef *source, uLong sourceLen,
- int level));
-/*
- Compresses the source buffer into the destination buffer. The level
- parameter has the same meaning as in deflateInit. sourceLen is the byte
- length of the source buffer. Upon entry, destLen is the total size of the
- destination buffer, which must be at least 0.1% larger than sourceLen plus
- 12 bytes. Upon exit, destLen is the actual size of the compressed buffer.
-
- compress2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
- memory, Z_BUF_ERROR if there was not enough room in the output buffer,
- Z_STREAM_ERROR if the level parameter is invalid.
-*/
-
-ZEXTERN int ZEXPORT uncompress OF((Bytef *dest, uLongf *destLen,
- const Bytef *source, uLong sourceLen));
-/*
- Decompresses the source buffer into the destination buffer. sourceLen is
- the byte length of the source buffer. Upon entry, destLen is the total
- size of the destination buffer, which must be large enough to hold the
- entire uncompressed data. (The size of the uncompressed data must have
- been saved previously by the compressor and transmitted to the decompressor
- by some mechanism outside the scope of this compression library.)
- Upon exit, destLen is the actual size of the compressed buffer.
- This function can be used to decompress a whole file at once if the
- input file is mmap'ed.
-
- uncompress returns Z_OK if success, Z_MEM_ERROR if there was not
- enough memory, Z_BUF_ERROR if there was not enough room in the output
- buffer, or Z_DATA_ERROR if the input data was corrupted.
-*/
-
-
-typedef voidp gzFile;
-
-ZEXTERN gzFile ZEXPORT gzopen OF((const char *path, const char *mode));
-/*
- Opens a gzip (.gz) file for reading or writing. The mode parameter
- is as in fopen ("rb" or "wb") but can also include a compression level
- ("wb9") or a strategy: 'f' for filtered data as in "wb6f", 'h' for
- Huffman only compression as in "wb1h". (See the description
- of deflateInit2 for more information about the strategy parameter.)
-
- gzopen can be used to read a file which is not in gzip format; in this
- case gzread will directly read from the file without decompression.
-
- gzopen returns NULL if the file could not be opened or if there was
- insufficient memory to allocate the (de)compression state; errno
- can be checked to distinguish the two cases (if errno is zero, the
- zlib error is Z_MEM_ERROR). */
-
-ZEXTERN gzFile ZEXPORT gzdopen OF((int fd, const char *mode));
-/*
- gzdopen() associates a gzFile with the file descriptor fd. File
- descriptors are obtained from calls like open, dup, creat, pipe or
- fileno (in the file has been previously opened with fopen).
- The mode parameter is as in gzopen.
- The next call of gzclose on the returned gzFile will also close the
- file descriptor fd, just like fclose(fdopen(fd), mode) closes the file
- descriptor fd. If you want to keep fd open, use gzdopen(dup(fd), mode).
- gzdopen returns NULL if there was insufficient memory to allocate
- the (de)compression state.
-*/
-
-ZEXTERN int ZEXPORT gzsetparams OF((gzFile file, int level, int strategy));
-/*
- Dynamically update the compression level or strategy. See the description
- of deflateInit2 for the meaning of these parameters.
- gzsetparams returns Z_OK if success, or Z_STREAM_ERROR if the file was not
- opened for writing.
-*/
-
-ZEXTERN int ZEXPORT gzread OF((gzFile file, voidp buf, unsigned len));
-/*
- Reads the given number of uncompressed bytes from the compressed file.
- If the input file was not in gzip format, gzread copies the given number
- of bytes into the buffer.
- gzread returns the number of uncompressed bytes actually read (0 for
- end of file, -1 for error). */
-
-ZEXTERN int ZEXPORT gzwrite OF((gzFile file,
- const voidp buf, unsigned len));
-/*
- Writes the given number of uncompressed bytes into the compressed file.
- gzwrite returns the number of uncompressed bytes actually written
- (0 in case of error).
-*/
-
-ZEXTERN int ZEXPORTVA gzprintf OF((gzFile file, const char *format, ...));
-/*
- Converts, formats, and writes the args to the compressed file under
- control of the format string, as in fprintf. gzprintf returns the number of
- uncompressed bytes actually written (0 in case of error).
-*/
-
-ZEXTERN int ZEXPORT gzputs OF((gzFile file, const char *s));
-/*
- Writes the given null-terminated string to the compressed file, excluding
- the terminating null character.
- gzputs returns the number of characters written, or -1 in case of error.
-*/
-
-ZEXTERN char * ZEXPORT gzgets OF((gzFile file, char *buf, int len));
-/*
- Reads bytes from the compressed file until len-1 characters are read, or
- a newline character is read and transferred to buf, or an end-of-file
- condition is encountered. The string is then terminated with a null
- character.
- gzgets returns buf, or Z_NULL in case of error.
-*/
-
-ZEXTERN int ZEXPORT gzputc OF((gzFile file, int c));
-/*
- Writes c, converted to an unsigned char, into the compressed file.
- gzputc returns the value that was written, or -1 in case of error.
-*/
-
-ZEXTERN int ZEXPORT gzgetc OF((gzFile file));
-/*
- Reads one byte from the compressed file. gzgetc returns this byte
- or -1 in case of end of file or error.
-*/
-
-ZEXTERN int ZEXPORT gzflush OF((gzFile file, int flush));
-/*
- Flushes all pending output into the compressed file. The parameter
- flush is as in the deflate() function. The return value is the zlib
- error number (see function gzerror below). gzflush returns Z_OK if
- the flush parameter is Z_FINISH and all output could be flushed.
- gzflush should be called only when strictly necessary because it can
- degrade compression.
-*/
-
-ZEXTERN z_off_t ZEXPORT gzseek OF((gzFile file,
- z_off_t offset, int whence));
-/*
- Sets the starting position for the next gzread or gzwrite on the
- given compressed file. The offset represents a number of bytes in the
- uncompressed data stream. The whence parameter is defined as in lseek(2);
- the value SEEK_END is not supported.
- If the file is opened for reading, this function is emulated but can be
- extremely slow. If the file is opened for writing, only forward seeks are
- supported; gzseek then compresses a sequence of zeroes up to the new
- starting position.
-
- gzseek returns the resulting offset location as measured in bytes from
- the beginning of the uncompressed stream, or -1 in case of error, in
- particular if the file is opened for writing and the new starting position
- would be before the current position.
-*/
-
-ZEXTERN int ZEXPORT gzrewind OF((gzFile file));
-/*
- Rewinds the given file. This function is supported only for reading.
-
- gzrewind(file) is equivalent to (int)gzseek(file, 0L, SEEK_SET)
-*/
-
-ZEXTERN z_off_t ZEXPORT gztell OF((gzFile file));
-/*
- Returns the starting position for the next gzread or gzwrite on the
- given compressed file. This position represents a number of bytes in the
- uncompressed data stream.
-
- gztell(file) is equivalent to gzseek(file, 0L, SEEK_CUR)
-*/
-
-ZEXTERN int ZEXPORT gzeof OF((gzFile file));
-/*
- Returns 1 when EOF has previously been detected reading the given
- input stream, otherwise zero.
-*/
-
-ZEXTERN int ZEXPORT gzclose OF((gzFile file));
-/*
- Flushes all pending output if necessary, closes the compressed file
- and deallocates all the (de)compression state. The return value is the zlib
- error number (see function gzerror below).
-*/
-
-ZEXTERN const char * ZEXPORT gzerror OF((gzFile file, int *errnum));
-/*
- Returns the error message for the last error which occurred on the
- given compressed file. errnum is set to zlib error number. If an
- error occurred in the file system and not in the compression library,
- errnum is set to Z_ERRNO and the application may consult errno
- to get the exact error code.
-*/
-
- /* checksum functions */
-
-/*
- These functions are not related to compression but are exported
- anyway because they might be useful in applications using the
- compression library.
-*/
-
-ZEXTERN uLong ZEXPORT adler32 OF((uLong adler, const Bytef *buf, uInt len));
-
-/*
- Update a running Adler-32 checksum with the bytes buf[0..len-1] and
- return the updated checksum. If buf is NULL, this function returns
- the required initial value for the checksum.
- An Adler-32 checksum is almost as reliable as a CRC32 but can be computed
- much faster. Usage example:
-
- uLong adler = adler32(0L, Z_NULL, 0);
-
- while (read_buffer(buffer, length) != EOF) {
- adler = adler32(adler, buffer, length);
- }
- if (adler != original_adler) error();
-*/
-
-ZEXTERN uLong ZEXPORT crc32 OF((uLong crc, const Bytef *buf, uInt len));
-/*
- Update a running crc with the bytes buf[0..len-1] and return the updated
- crc. If buf is NULL, this function returns the required initial value
- for the crc. Pre- and post-conditioning (one's complement) is performed
- within this function so it shouldn't be done by the application.
- Usage example:
-
- uLong crc = crc32(0L, Z_NULL, 0);
-
- while (read_buffer(buffer, length) != EOF) {
- crc = crc32(crc, buffer, length);
- }
- if (crc != original_crc) error();
-*/
-
-
- /* various hacks, don't look :) */
-
-/* deflateInit and inflateInit are macros to allow checking the zlib version
- * and the compiler's view of z_stream:
- */
-ZEXTERN int ZEXPORT deflateInit_ OF((z_streamp strm, int level,
- const char *version, int stream_size));
-ZEXTERN int ZEXPORT inflateInit_ OF((z_streamp strm,
- const char *version, int stream_size));
-ZEXTERN int ZEXPORT deflateInit2_ OF((z_streamp strm, int level, int method,
- int windowBits, int memLevel,
- int strategy, const char *version,
- int stream_size));
-ZEXTERN int ZEXPORT inflateInit2_ OF((z_streamp strm, int windowBits,
- const char *version, int stream_size));
-#define deflateInit(strm, level) \
- deflateInit_((strm), (level), ZLIB_VERSION, sizeof(z_stream))
-#define inflateInit(strm) \
- inflateInit_((strm), ZLIB_VERSION, sizeof(z_stream))
-#define deflateInit2(strm, level, method, windowBits, memLevel, strategy) \
- deflateInit2_((strm),(level),(method),(windowBits),(memLevel),\
- (strategy), ZLIB_VERSION, sizeof(z_stream))
-#define inflateInit2(strm, windowBits) \
- inflateInit2_((strm), (windowBits), ZLIB_VERSION, sizeof(z_stream))
-
-
-#if !defined(_Z_UTIL_H) && !defined(NO_DUMMY_DECL)
- struct internal_state {int dummy;}; /* hack for buggy compilers */
-#endif
-
-ZEXTERN const char * ZEXPORT zError OF((int err));
-ZEXTERN int ZEXPORT inflateSyncPoint OF((z_streamp z));
-ZEXTERN const uLongf * ZEXPORT get_crc_table OF((void));
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _ZLIB_H */
diff --git a/linux/include/zlib/zutil.h b/linux/include/zlib/zutil.h
deleted file mode 100644
index 6214815c6..000000000
--- a/linux/include/zlib/zutil.h
+++ /dev/null
@@ -1,225 +0,0 @@
-/* zutil.h -- internal interface and configuration of the compression library
- * Copyright (C) 1995-2002 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* WARNING: this file should *not* be used by applications. It is
- part of the implementation of the compression library and is
- subject to change. Applications should only use zlib.h.
- */
-
-/* @(#) $Id: zutil.h,v 1.1 2004/03/15 20:35:25 as Exp $ */
-
-#ifndef _Z_UTIL_H
-#define _Z_UTIL_H
-
-#include "zlib.h"
-
-#include <linux/string.h>
-#define HAVE_MEMCPY
-
-#if 0 // #ifdef STDC
-# include <stddef.h>
-# include <string.h>
-# include <stdlib.h>
-#endif
-#ifndef __KERNEL__
-#ifdef NO_ERRNO_H
- extern int errno;
-#else
-# include <errno.h>
-#endif
-#endif
-
-#ifndef local
-# define local static
-#endif
-/* compile with -Dlocal if your debugger can't find static symbols */
-
-typedef unsigned char uch;
-typedef uch FAR uchf;
-typedef unsigned short ush;
-typedef ush FAR ushf;
-typedef unsigned long ulg;
-
-extern const char *z_errmsg[10]; /* indexed by 2-zlib_error */
-/* (size given to avoid silly warnings with Visual C++) */
-
-#define ERR_MSG(err) z_errmsg[Z_NEED_DICT-(err)]
-
-#define ERR_RETURN(strm,err) \
- return (strm->msg = ERR_MSG(err), (err))
-/* To be used only when the state is known to be valid */
-
- /* common constants */
-
-#ifndef DEF_WBITS
-# define DEF_WBITS MAX_WBITS
-#endif
-/* default windowBits for decompression. MAX_WBITS is for compression only */
-
-#if MAX_MEM_LEVEL >= 8
-# define DEF_MEM_LEVEL 8
-#else
-# define DEF_MEM_LEVEL MAX_MEM_LEVEL
-#endif
-/* default memLevel */
-
-#define STORED_BLOCK 0
-#define STATIC_TREES 1
-#define DYN_TREES 2
-/* The three kinds of block type */
-
-#define MIN_MATCH 3
-#define MAX_MATCH 258
-/* The minimum and maximum match lengths */
-
-#define PRESET_DICT 0x20 /* preset dictionary flag in zlib header */
-
- /* target dependencies */
-
-#ifdef MSDOS
-# define OS_CODE 0x00
-# if defined(__TURBOC__) || defined(__BORLANDC__)
-# if(__STDC__ == 1) && (defined(__LARGE__) || defined(__COMPACT__))
- /* Allow compilation with ANSI keywords only enabled */
- void _Cdecl farfree( void *block );
- void *_Cdecl farmalloc( unsigned long nbytes );
-# else
-# include <alloc.h>
-# endif
-# else /* MSC or DJGPP */
-# include <malloc.h>
-# endif
-#endif
-
-#ifdef OS2
-# define OS_CODE 0x06
-#endif
-
-#ifdef WIN32 /* Window 95 & Windows NT */
-# define OS_CODE 0x0b
-#endif
-
-#if defined(VAXC) || defined(VMS)
-# define OS_CODE 0x02
-# define F_OPEN(name, mode) \
- fopen((name), (mode), "mbc=60", "ctx=stm", "rfm=fix", "mrs=512")
-#endif
-
-#ifdef AMIGA
-# define OS_CODE 0x01
-#endif
-
-#if defined(ATARI) || defined(atarist)
-# define OS_CODE 0x05
-#endif
-
-#if defined(MACOS) || defined(TARGET_OS_MAC)
-# define OS_CODE 0x07
-# if defined(__MWERKS__) && __dest_os != __be_os && __dest_os != __win32_os
-# include <unix.h> /* for fdopen */
-# else
-# ifndef fdopen
-# define fdopen(fd,mode) NULL /* No fdopen() */
-# endif
-# endif
-#endif
-
-#ifdef __50SERIES /* Prime/PRIMOS */
-# define OS_CODE 0x0F
-#endif
-
-#ifdef TOPS20
-# define OS_CODE 0x0a
-#endif
-
-#if defined(_BEOS_) || defined(RISCOS)
-# define fdopen(fd,mode) NULL /* No fdopen() */
-#endif
-
-#if (defined(_MSC_VER) && (_MSC_VER > 600))
-# define fdopen(fd,type) _fdopen(fd,type)
-#endif
-
-
- /* Common defaults */
-
-#ifndef OS_CODE
-# define OS_CODE 0x03 /* assume Unix */
-#endif
-
-#ifndef F_OPEN
-# define F_OPEN(name, mode) fopen((name), (mode))
-#endif
-
- /* functions */
-
-#ifdef HAVE_STRERROR
- extern char *strerror OF((int));
-# define zstrerror(errnum) strerror(errnum)
-#else
-# define zstrerror(errnum) ""
-#endif
-
-#if defined(pyr)
-# define NO_MEMCPY
-#endif
-#if defined(SMALL_MEDIUM) && !defined(_MSC_VER) && !defined(__SC__)
- /* Use our own functions for small and medium model with MSC <= 5.0.
- * You may have to use the same strategy for Borland C (untested).
- * The __SC__ check is for Symantec.
- */
-# define NO_MEMCPY
-#endif
-#if defined(STDC) && !defined(HAVE_MEMCPY) && !defined(NO_MEMCPY)
-# define HAVE_MEMCPY
-#endif
-#ifdef HAVE_MEMCPY
-# ifdef SMALL_MEDIUM /* MSDOS small or medium model */
-# define zmemcpy _fmemcpy
-# define zmemcmp _fmemcmp
-# define zmemzero(dest, len) _fmemset(dest, 0, len)
-# else
-# define zmemcpy memcpy
-# define zmemcmp memcmp
-# define zmemzero(dest, len) memset(dest, 0, len)
-# endif
-#else
- extern void zmemcpy OF((Bytef* dest, const Bytef* source, uInt len));
- extern int zmemcmp OF((const Bytef* s1, const Bytef* s2, uInt len));
- extern void zmemzero OF((Bytef* dest, uInt len));
-#endif
-
-/* Diagnostic functions */
-#ifdef DEBUG
-# include <stdio.h>
- extern int z_verbose;
- extern void z_error OF((char *m));
-# define Assert(cond,msg) {if(!(cond)) z_error(msg);}
-# define Trace(x) {if (z_verbose>=0) fprintf x ;}
-# define Tracev(x) {if (z_verbose>0) fprintf x ;}
-# define Tracevv(x) {if (z_verbose>1) fprintf x ;}
-# define Tracec(c,x) {if (z_verbose>0 && (c)) fprintf x ;}
-# define Tracecv(c,x) {if (z_verbose>1 && (c)) fprintf x ;}
-#else
-# define Assert(cond,msg)
-# define Trace(x)
-# define Tracev(x)
-# define Tracevv(x)
-# define Tracec(c,x)
-# define Tracecv(c,x)
-#endif
-
-
-typedef uLong (ZEXPORT *check_func) OF((uLong check, const Bytef *buf,
- uInt len));
-voidpf zcalloc OF((voidpf opaque, unsigned items, unsigned size));
-void zcfree OF((voidpf opaque, voidpf ptr));
-
-#define ZALLOC(strm, items, size) \
- (*((strm)->zalloc))((strm)->opaque, (items), (size))
-#define ZFREE(strm, addr) (*((strm)->zfree))((strm)->opaque, (voidpf)(addr))
-#define TRY_FREE(s, p) {if (p) ZFREE(s, p);}
-
-#endif /* _Z_UTIL_H */
diff --git a/linux/lib/libfreeswan/Makefile.objs b/linux/lib/libfreeswan/Makefile.objs
deleted file mode 100644
index 41a89dba9..000000000
--- a/linux/lib/libfreeswan/Makefile.objs
+++ /dev/null
@@ -1,18 +0,0 @@
-obj-y += ultoa.o
-obj-y += addrtoa.o
-obj-y += subnettoa.o
-obj-y += subnetof.o
-obj-y += goodmask.o
-obj-y += datatot.o
-obj-y += rangetoa.o
-obj-y += satoa.o
-obj-y += prng.o
-obj-y += pfkey_v2_parse.o
-obj-y += pfkey_v2_build.o
-obj-y += pfkey_v2_debug.o
-obj-y += pfkey_v2_ext_bits.o
-obj-y += version.o
-
-
-version.c: ${LIBFREESWANDIR}/version.in.c ${FREESWANSRCDIR}/Makefile.ver
- sed '/"/s/xxx/$(IPSECVERSION)/' ${LIBFREESWANDIR}/version.in.c >$@
diff --git a/linux/lib/zlib/Makefile b/linux/lib/zlib/Makefile
deleted file mode 100644
index 36cbea81f..000000000
--- a/linux/lib/zlib/Makefile
+++ /dev/null
@@ -1,121 +0,0 @@
-# (kernel) Makefile for IPCOMP zlib deflate code
-# Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs.
-# Copyright (C) 2000 Svenning Soerensen
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:26 as Exp $
-#
-
-
-
-include ../Makefile.inc
-
-
-
-ifndef TOPDIR
-TOPDIR := /usr/src/linux
-endif
-
-
-L_TARGET := zlib.a
-
-obj-y :=
-
-include Makefile.objs
-
-EXTRA_CFLAGS += $(KLIPSCOMPILE)
-
-EXTRA_CFLAGS += -Wall
-#EXTRA_CFLAGS += -Wconversion
-#EXTRA_CFLAGS += -Wmissing-prototypes
-EXTRA_CFLAGS += -Wpointer-arith
-#EXTRA_CFLAGS += -Wcast-qual
-#EXTRA_CFLAGS += -Wmissing-declarations
-EXTRA_CFLAGS += -Wstrict-prototypes
-#EXTRA_CFLAGS += -pedantic
-#EXTRA_CFLAGS += -W
-#EXTRA_CFLAGS += -Wwrite-strings
-EXTRA_CFLAGS += -Wbad-function-cast
-EXTRA_CFLAGS += -DIPCOMP_PREFIX
-
-.S.o:
- $(CC) -D__ASSEMBLY__ -DNO_UNDERLINE -traditional -c $< -o $*.o
-
-asm-obj-$(CONFIG_M586) += match586.o
-asm-obj-$(CONFIG_M586TSC) += match586.o
-asm-obj-$(CONFIG_M586MMX) += match586.o
-asm-obj-$(CONFIG_M686) += match686.o
-asm-obj-$(CONFIG_MPENTIUMIII) += match686.o
-asm-obj-$(CONFIG_MPENTIUM4) += match686.o
-asm-obj-$(CONFIG_MK6) += match586.o
-asm-obj-$(CONFIG_MK7) += match686.o
-asm-obj-$(CONFIG_MCRUSOE) += match586.o
-asm-obj-$(CONFIG_MWINCHIPC6) += match586.o
-asm-obj-$(CONFIG_MWINCHIP2) += match686.o
-asm-obj-$(CONFIG_MWINCHIP3D) += match686.o
-
-obj-y += $(asm-obj-y)
-ifneq ($(strip $(asm-obj-y)),)
- EXTRA_CFLAGS += -DASMV
-endif
-
-active-objs := $(sort $(obj-y) $(obj-m))
-L_OBJS := $(obj-y)
-M_OBJS := $(obj-m)
-MIX_OBJS := $(filter $(export-objs), $(active-objs))
-
-include $(TOPDIR)/Rules.make
-
-$(obj-y) : $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h
-
-
-clean:
- -rm -f *.o *.a
-
-checkprograms:
-programs: $(L_TARGET)
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:26 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.9 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-# Revision 1.8 2002/04/24 07:36:44 mcr
-# Moved from ./zlib/Makefile,v
-#
-# Revision 1.7 2002/03/27 23:34:35 mcr
-# added programs: target
-#
-# Revision 1.6 2001/12/05 20:19:08 henry
-# use new compile-control variable
-#
-# Revision 1.5 2001/11/27 16:38:08 mcr
-# added new "checkprograms" target to deal with programs that
-# are required for "make check", but that may not be ready to
-# build for every user due to external dependancies.
-#
-# Revision 1.4 2001/10/24 14:46:24 henry
-# Makefile.inc
-#
-# Revision 1.3 2001/04/21 23:05:24 rgb
-# Update asm directives for 2.4 style makefiles.
-#
-# Revision 1.2 2001/01/29 22:22:00 rgb
-# Convert to 2.4 new style with back compat.
-#
-# Revision 1.1.1.1 2000/09/29 18:51:33 rgb
-# zlib_beginnings
-#
-#
diff --git a/linux/lib/zlib/Makefile.objs b/linux/lib/zlib/Makefile.objs
deleted file mode 100644
index 94ed12fc9..000000000
--- a/linux/lib/zlib/Makefile.objs
+++ /dev/null
@@ -1,27 +0,0 @@
-obj-$(CONFIG_IPSEC_IPCOMP) += adler32.o
-obj-$(CONFIG_IPSEC_IPCOMP) += deflate.o
-obj-$(CONFIG_IPSEC_IPCOMP) += infblock.o
-obj-$(CONFIG_IPSEC_IPCOMP) += infcodes.o
-obj-$(CONFIG_IPSEC_IPCOMP) += inffast.o
-obj-$(CONFIG_IPSEC_IPCOMP) += inflate.o
-obj-$(CONFIG_IPSEC_IPCOMP) += inftrees.o
-obj-$(CONFIG_IPSEC_IPCOMP) += infutil.o
-obj-$(CONFIG_IPSEC_IPCOMP) += trees.o
-obj-$(CONFIG_IPSEC_IPCOMP) += zutil.o
-
-asm-obj-$(CONFIG_M586) += ${LIBZLIBSRCDIR}/match586.o
-asm-obj-$(CONFIG_M586TSC) += ${LIBZLIBSRCDIR}/match586.o
-asm-obj-$(CONFIG_M586MMX) += ${LIBZLIBSRCDIR}/match586.o
-asm-obj-$(CONFIG_M686) += ${LIBZLIBSRCDIR}/match686.o
-asm-obj-$(CONFIG_MPENTIUMIII) += ${LIBZLIBSRCDIR}/match686.o
-asm-obj-$(CONFIG_MPENTIUM4) += ${LIBZLIBSRCDIR}/match686.o
-asm-obj-$(CONFIG_MK6) += ${LIBZLIBSRCDIR}/match586.o
-asm-obj-$(CONFIG_MK7) += ${LIBZLIBSRCDIR}/match686.o
-asm-obj-$(CONFIG_MCRUSOE) += ${LIBZLIBSRCDIR}/match586.o
-asm-obj-$(CONFIG_MWINCHIPC6) += ${LIBZLIBSRCDIR}/match586.o
-asm-obj-$(CONFIG_MWINCHIP2) += ${LIBZLIBSRCDIR}/match686.o
-asm-obj-$(CONFIG_MWINCHIP3D) += ${LIBZLIBSRCDIR}/match686.o
-
-EXTRA_CFLAGS += -DIPCOMP_PREFIX
-
-
diff --git a/linux/lib/zlib/README b/linux/lib/zlib/README
deleted file mode 100644
index 29d67146a..000000000
--- a/linux/lib/zlib/README
+++ /dev/null
@@ -1,147 +0,0 @@
-zlib 1.1.4 is a general purpose data compression library. All the code
-is thread safe. The data format used by the zlib library
-is described by RFCs (Request for Comments) 1950 to 1952 in the files
-http://www.ietf.org/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate
-format) and rfc1952.txt (gzip format). These documents are also available in
-other formats from ftp://ftp.uu.net/graphics/png/documents/zlib/zdoc-index.html
-
-All functions of the compression library are documented in the file zlib.h
-(volunteer to write man pages welcome, contact jloup@gzip.org). A usage
-example of the library is given in the file example.c which also tests that
-the library is working correctly. Another example is given in the file
-minigzip.c. The compression library itself is composed of all source files
-except example.c and minigzip.c.
-
-To compile all files and run the test program, follow the instructions
-given at the top of Makefile. In short "make test; make install"
-should work for most machines. For Unix: "./configure; make test; make install"
-For MSDOS, use one of the special makefiles such as Makefile.msc.
-For VMS, use Make_vms.com or descrip.mms.
-
-Questions about zlib should be sent to <zlib@gzip.org>, or to
-Gilles Vollant <info@winimage.com> for the Windows DLL version.
-The zlib home page is http://www.zlib.org or http://www.gzip.org/zlib/
-Before reporting a problem, please check this site to verify that
-you have the latest version of zlib; otherwise get the latest version and
-check whether the problem still exists or not.
-
-PLEASE read the zlib FAQ http://www.gzip.org/zlib/zlib_faq.html
-before asking for help.
-
-Mark Nelson <markn@ieee.org> wrote an article about zlib for the Jan. 1997
-issue of Dr. Dobb's Journal; a copy of the article is available in
-http://dogma.net/markn/articles/zlibtool/zlibtool.htm
-
-The changes made in version 1.1.4 are documented in the file ChangeLog.
-The only changes made since 1.1.3 are bug corrections:
-
-- ZFREE was repeated on same allocation on some error conditions.
- This creates a security problem described in
- http://www.zlib.org/advisory-2002-03-11.txt
-- Returned incorrect error (Z_MEM_ERROR) on some invalid data
-- Avoid accesses before window for invalid distances with inflate window
- less than 32K.
-- force windowBits > 8 to avoid a bug in the encoder for a window size
- of 256 bytes. (A complete fix will be available in 1.1.5).
-
-The beta version 1.1.5beta includes many more changes. A new official
-version 1.1.5 will be released as soon as extensive testing has been
-completed on it.
-
-
-Unsupported third party contributions are provided in directory "contrib".
-
-A Java implementation of zlib is available in the Java Development Kit
-http://www.javasoft.com/products/JDK/1.1/docs/api/Package-java.util.zip.html
-See the zlib home page http://www.zlib.org for details.
-
-A Perl interface to zlib written by Paul Marquess <pmarquess@bfsec.bt.co.uk>
-is in the CPAN (Comprehensive Perl Archive Network) sites
-http://www.cpan.org/modules/by-module/Compress/
-
-A Python interface to zlib written by A.M. Kuchling <amk@magnet.com>
-is available in Python 1.5 and later versions, see
-http://www.python.org/doc/lib/module-zlib.html
-
-A zlib binding for TCL written by Andreas Kupries <a.kupries@westend.com>
-is availlable at http://www.westend.com/~kupries/doc/trf/man/man.html
-
-An experimental package to read and write files in .zip format,
-written on top of zlib by Gilles Vollant <info@winimage.com>, is
-available at http://www.winimage.com/zLibDll/unzip.html
-and also in the contrib/minizip directory of zlib.
-
-
-Notes for some targets:
-
-- To build a Windows DLL version, include in a DLL project zlib.def, zlib.rc
- and all .c files except example.c and minigzip.c; compile with -DZLIB_DLL
- The zlib DLL support was initially done by Alessandro Iacopetti and is
- now maintained by Gilles Vollant <info@winimage.com>. Check the zlib DLL
- home page at http://www.winimage.com/zLibDll
-
- From Visual Basic, you can call the DLL functions which do not take
- a structure as argument: compress, uncompress and all gz* functions.
- See contrib/visual-basic.txt for more information, or get
- http://www.tcfb.com/dowseware/cmp-z-it.zip
-
-- For 64-bit Irix, deflate.c must be compiled without any optimization.
- With -O, one libpng test fails. The test works in 32 bit mode (with
- the -n32 compiler flag). The compiler bug has been reported to SGI.
-
-- zlib doesn't work with gcc 2.6.3 on a DEC 3000/300LX under OSF/1 2.1
- it works when compiled with cc.
-
-- on Digital Unix 4.0D (formely OSF/1) on AlphaServer, the cc option -std1
- is necessary to get gzprintf working correctly. This is done by configure.
-
-- zlib doesn't work on HP-UX 9.05 with some versions of /bin/cc. It works
- with other compilers. Use "make test" to check your compiler.
-
-- gzdopen is not supported on RISCOS, BEOS and by some Mac compilers.
-
-- For Turbo C the small model is supported only with reduced performance to
- avoid any far allocation; it was tested with -DMAX_WBITS=11 -DMAX_MEM_LEVEL=3
-
-- For PalmOs, see http://www.cs.uit.no/~perm/PASTA/pilot/software.html
- Per Harald Myrvang <perm@stud.cs.uit.no>
-
-
-Acknowledgments:
-
- The deflate format used by zlib was defined by Phil Katz. The deflate
- and zlib specifications were written by L. Peter Deutsch. Thanks to all the
- people who reported problems and suggested various improvements in zlib;
- they are too numerous to cite here.
-
-Copyright notice:
-
- (C) 1995-2002 Jean-loup Gailly and Mark Adler
-
- This software is provided 'as-is', without any express or implied
- warranty. In no event will the authors be held liable for any damages
- arising from the use of this software.
-
- Permission is granted to anyone to use this software for any purpose,
- including commercial applications, and to alter it and redistribute it
- freely, subject to the following restrictions:
-
- 1. The origin of this software must not be misrepresented; you must not
- claim that you wrote the original software. If you use this software
- in a product, an acknowledgment in the product documentation would be
- appreciated but is not required.
- 2. Altered source versions must be plainly marked as such, and must not be
- misrepresented as being the original software.
- 3. This notice may not be removed or altered from any source distribution.
-
- Jean-loup Gailly Mark Adler
- jloup@gzip.org madler@alumni.caltech.edu
-
-If you use the zlib library in a product, we would appreciate *not*
-receiving lengthy legal documents to sign. The sources are provided
-for free but without warranty of any kind. The library has been
-entirely written by Jean-loup Gailly and Mark Adler; it does not
-include third-party code.
-
-If you redistribute modified sources, we would appreciate that you include
-in the file ChangeLog history information documenting your changes.
diff --git a/linux/lib/zlib/README.freeswan b/linux/lib/zlib/README.freeswan
deleted file mode 100644
index f34b5cfff..000000000
--- a/linux/lib/zlib/README.freeswan
+++ /dev/null
@@ -1,13 +0,0 @@
-The only changes made to these files for use in FreeS/WAN are:
-
- - In zconf.h, macros are defined to prefix global symbols with "ipcomp_"
- (or "_ipcomp"), when compiled with -DIPCOMP_PREFIX.
- - The copyright strings are defined local (static)
-
- The above changes are made to avoid name collisions with ppp_deflate
- and ext2compr.
-
- - Files not needed for FreeS/WAN have been removed
-
- See the "README" file for information about where to obtain the complete
- zlib package.
diff --git a/linux/lib/zlib/adler32.c b/linux/lib/zlib/adler32.c
deleted file mode 100644
index a383ec643..000000000
--- a/linux/lib/zlib/adler32.c
+++ /dev/null
@@ -1,49 +0,0 @@
-/* adler32.c -- compute the Adler-32 checksum of a data stream
- * Copyright (C) 1995-2002 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* @(#) $Id: adler32.c,v 1.1 2004/03/15 20:35:26 as Exp $ */
-
-#include <zlib/zlib.h>
-#include "zconf.h"
-
-#define BASE 65521L /* largest prime smaller than 65536 */
-#define NMAX 5552
-/* NMAX is the largest n such that 255n(n+1)/2 + (n+1)(BASE-1) <= 2^32-1 */
-
-#define DO1(buf,i) {s1 += buf[i]; s2 += s1;}
-#define DO2(buf,i) DO1(buf,i); DO1(buf,i+1);
-#define DO4(buf,i) DO2(buf,i); DO2(buf,i+2);
-#define DO8(buf,i) DO4(buf,i); DO4(buf,i+4);
-#define DO16(buf) DO8(buf,0); DO8(buf,8);
-
-/* ========================================================================= */
-uLong ZEXPORT adler32(adler, buf, len)
- uLong adler;
- const Bytef *buf;
- uInt len;
-{
- unsigned long s1 = adler & 0xffff;
- unsigned long s2 = (adler >> 16) & 0xffff;
- int k;
-
- if (buf == Z_NULL) return 1L;
-
- while (len > 0) {
- k = len < NMAX ? len : NMAX;
- len -= k;
- while (k >= 16) {
- DO16(buf);
- buf += 16;
- k -= 16;
- }
- if (k != 0) do {
- s1 += *buf++;
- s2 += s1;
- } while (--k);
- s1 %= BASE;
- s2 %= BASE;
- }
- return (s2 << 16) | s1;
-}
diff --git a/linux/lib/zlib/deflate.c b/linux/lib/zlib/deflate.c
deleted file mode 100644
index 7eb133a1a..000000000
--- a/linux/lib/zlib/deflate.c
+++ /dev/null
@@ -1,1351 +0,0 @@
-/* deflate.c -- compress data using the deflation algorithm
- * Copyright (C) 1995-2002 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/*
- * ALGORITHM
- *
- * The "deflation" process depends on being able to identify portions
- * of the input text which are identical to earlier input (within a
- * sliding window trailing behind the input currently being processed).
- *
- * The most straightforward technique turns out to be the fastest for
- * most input files: try all possible matches and select the longest.
- * The key feature of this algorithm is that insertions into the string
- * dictionary are very simple and thus fast, and deletions are avoided
- * completely. Insertions are performed at each input character, whereas
- * string matches are performed only when the previous match ends. So it
- * is preferable to spend more time in matches to allow very fast string
- * insertions and avoid deletions. The matching algorithm for small
- * strings is inspired from that of Rabin & Karp. A brute force approach
- * is used to find longer strings when a small match has been found.
- * A similar algorithm is used in comic (by Jan-Mark Wams) and freeze
- * (by Leonid Broukhis).
- * A previous version of this file used a more sophisticated algorithm
- * (by Fiala and Greene) which is guaranteed to run in linear amortized
- * time, but has a larger average cost, uses more memory and is patented.
- * However the F&G algorithm may be faster for some highly redundant
- * files if the parameter max_chain_length (described below) is too large.
- *
- * ACKNOWLEDGEMENTS
- *
- * The idea of lazy evaluation of matches is due to Jan-Mark Wams, and
- * I found it in 'freeze' written by Leonid Broukhis.
- * Thanks to many people for bug reports and testing.
- *
- * REFERENCES
- *
- * Deutsch, L.P.,"DEFLATE Compressed Data Format Specification".
- * Available in ftp://ds.internic.net/rfc/rfc1951.txt
- *
- * A description of the Rabin and Karp algorithm is given in the book
- * "Algorithms" by R. Sedgewick, Addison-Wesley, p252.
- *
- * Fiala,E.R., and Greene,D.H.
- * Data Compression with Finite Windows, Comm.ACM, 32,4 (1989) 490-595
- *
- */
-
-/* @(#) $Id: deflate.c,v 1.1 2004/03/15 20:35:26 as Exp $ */
-
-#include "deflate.h"
-
-local const char deflate_copyright[] =
- " deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly ";
-/*
- If you use the zlib library in a product, an acknowledgment is welcome
- in the documentation of your product. If for some reason you cannot
- include such an acknowledgment, I would appreciate that you keep this
- copyright string in the executable of your product.
- */
-
-/* ===========================================================================
- * Function prototypes.
- */
-typedef enum {
- need_more, /* block not completed, need more input or more output */
- block_done, /* block flush performed */
- finish_started, /* finish started, need only more output at next deflate */
- finish_done /* finish done, accept no more input or output */
-} block_state;
-
-typedef block_state (*compress_func) OF((deflate_state *s, int flush));
-/* Compression function. Returns the block state after the call. */
-
-local void fill_window OF((deflate_state *s));
-local block_state deflate_stored OF((deflate_state *s, int flush));
-local block_state deflate_fast OF((deflate_state *s, int flush));
-local block_state deflate_slow OF((deflate_state *s, int flush));
-local void lm_init OF((deflate_state *s));
-local void putShortMSB OF((deflate_state *s, uInt b));
-local void flush_pending OF((z_streamp strm));
-local int read_buf OF((z_streamp strm, Bytef *buf, unsigned size));
-#ifdef ASMV
- void match_init OF((void)); /* asm code initialization */
- uInt longest_match OF((deflate_state *s, IPos cur_match));
-#else
-local uInt longest_match OF((deflate_state *s, IPos cur_match));
-#endif
-
-#ifdef DEBUG
-local void check_match OF((deflate_state *s, IPos start, IPos match,
- int length));
-#endif
-
-/* ===========================================================================
- * Local data
- */
-
-#define NIL 0
-/* Tail of hash chains */
-
-#ifndef TOO_FAR
-# define TOO_FAR 4096
-#endif
-/* Matches of length 3 are discarded if their distance exceeds TOO_FAR */
-
-#define MIN_LOOKAHEAD (MAX_MATCH+MIN_MATCH+1)
-/* Minimum amount of lookahead, except at the end of the input file.
- * See deflate.c for comments about the MIN_MATCH+1.
- */
-
-/* Values for max_lazy_match, good_match and max_chain_length, depending on
- * the desired pack level (0..9). The values given below have been tuned to
- * exclude worst case performance for pathological files. Better values may be
- * found for specific files.
- */
-typedef struct config_s {
- ush good_length; /* reduce lazy search above this match length */
- ush max_lazy; /* do not perform lazy search above this match length */
- ush nice_length; /* quit search above this match length */
- ush max_chain;
- compress_func func;
-} config;
-
-local const config configuration_table[10] = {
-/* good lazy nice chain */
-/* 0 */ {0, 0, 0, 0, deflate_stored}, /* store only */
-/* 1 */ {4, 4, 8, 4, deflate_fast}, /* maximum speed, no lazy matches */
-/* 2 */ {4, 5, 16, 8, deflate_fast},
-/* 3 */ {4, 6, 32, 32, deflate_fast},
-
-/* 4 */ {4, 4, 16, 16, deflate_slow}, /* lazy matches */
-/* 5 */ {8, 16, 32, 32, deflate_slow},
-/* 6 */ {8, 16, 128, 128, deflate_slow},
-/* 7 */ {8, 32, 128, 256, deflate_slow},
-/* 8 */ {32, 128, 258, 1024, deflate_slow},
-/* 9 */ {32, 258, 258, 4096, deflate_slow}}; /* maximum compression */
-
-/* Note: the deflate() code requires max_lazy >= MIN_MATCH and max_chain >= 4
- * For deflate_fast() (levels <= 3) good is ignored and lazy has a different
- * meaning.
- */
-
-#define EQUAL 0
-/* result of memcmp for equal strings */
-
-struct static_tree_desc_s {int dummy;}; /* for buggy compilers */
-
-/* ===========================================================================
- * Update a hash value with the given input byte
- * IN assertion: all calls to to UPDATE_HASH are made with consecutive
- * input characters, so that a running hash key can be computed from the
- * previous key instead of complete recalculation each time.
- */
-#define UPDATE_HASH(s,h,c) (h = (((h)<<s->hash_shift) ^ (c)) & s->hash_mask)
-
-
-/* ===========================================================================
- * Insert string str in the dictionary and set match_head to the previous head
- * of the hash chain (the most recent string with same hash key). Return
- * the previous length of the hash chain.
- * If this file is compiled with -DFASTEST, the compression level is forced
- * to 1, and no hash chains are maintained.
- * IN assertion: all calls to to INSERT_STRING are made with consecutive
- * input characters and the first MIN_MATCH bytes of str are valid
- * (except for the last MIN_MATCH-1 bytes of the input file).
- */
-#ifdef FASTEST
-#define INSERT_STRING(s, str, match_head) \
- (UPDATE_HASH(s, s->ins_h, s->window[(str) + (MIN_MATCH-1)]), \
- match_head = s->head[s->ins_h], \
- s->head[s->ins_h] = (Pos)(str))
-#else
-#define INSERT_STRING(s, str, match_head) \
- (UPDATE_HASH(s, s->ins_h, s->window[(str) + (MIN_MATCH-1)]), \
- s->prev[(str) & s->w_mask] = match_head = s->head[s->ins_h], \
- s->head[s->ins_h] = (Pos)(str))
-#endif
-
-/* ===========================================================================
- * Initialize the hash table (avoiding 64K overflow for 16 bit systems).
- * prev[] will be initialized on the fly.
- */
-#define CLEAR_HASH(s) \
- s->head[s->hash_size-1] = NIL; \
- zmemzero((Bytef *)s->head, (unsigned)(s->hash_size-1)*sizeof(*s->head));
-
-/* ========================================================================= */
-int ZEXPORT deflateInit_(strm, level, version, stream_size)
- z_streamp strm;
- int level;
- const char *version;
- int stream_size;
-{
- return deflateInit2_(strm, level, Z_DEFLATED, MAX_WBITS, DEF_MEM_LEVEL,
- Z_DEFAULT_STRATEGY, version, stream_size);
- /* To do: ignore strm->next_in if we use it as window */
-}
-
-/* ========================================================================= */
-int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
- version, stream_size)
- z_streamp strm;
- int level;
- int method;
- int windowBits;
- int memLevel;
- int strategy;
- const char *version;
- int stream_size;
-{
- deflate_state *s;
- int noheader = 0;
- static const char* my_version = ZLIB_VERSION;
-
- ushf *overlay;
- /* We overlay pending_buf and d_buf+l_buf. This works since the average
- * output size for (length,distance) codes is <= 24 bits.
- */
-
- if (version == Z_NULL || version[0] != my_version[0] ||
- stream_size != sizeof(z_stream)) {
- return Z_VERSION_ERROR;
- }
- if (strm == Z_NULL) return Z_STREAM_ERROR;
-
- strm->msg = Z_NULL;
- if (strm->zalloc == Z_NULL) {
- return Z_STREAM_ERROR;
-/* strm->zalloc = zcalloc;
- strm->opaque = (voidpf)0;*/
- }
- if (strm->zfree == Z_NULL) return Z_STREAM_ERROR; /* strm->zfree = zcfree; */
-
- if (level == Z_DEFAULT_COMPRESSION) level = 6;
-#ifdef FASTEST
- level = 1;
-#endif
-
- if (windowBits < 0) { /* undocumented feature: suppress zlib header */
- noheader = 1;
- windowBits = -windowBits;
- }
- if (memLevel < 1 || memLevel > MAX_MEM_LEVEL || method != Z_DEFLATED ||
- windowBits < 9 || windowBits > 15 || level < 0 || level > 9 ||
- strategy < 0 || strategy > Z_HUFFMAN_ONLY) {
- return Z_STREAM_ERROR;
- }
- s = (deflate_state *) ZALLOC(strm, 1, sizeof(deflate_state));
- if (s == Z_NULL) return Z_MEM_ERROR;
- strm->state = (struct internal_state FAR *)s;
- s->strm = strm;
-
- s->noheader = noheader;
- s->w_bits = windowBits;
- s->w_size = 1 << s->w_bits;
- s->w_mask = s->w_size - 1;
-
- s->hash_bits = memLevel + 7;
- s->hash_size = 1 << s->hash_bits;
- s->hash_mask = s->hash_size - 1;
- s->hash_shift = ((s->hash_bits+MIN_MATCH-1)/MIN_MATCH);
-
- s->window = (Bytef *) ZALLOC(strm, s->w_size, 2*sizeof(Byte));
- s->prev = (Posf *) ZALLOC(strm, s->w_size, sizeof(Pos));
- s->head = (Posf *) ZALLOC(strm, s->hash_size, sizeof(Pos));
-
- s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
-
- overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
- s->pending_buf = (uchf *) overlay;
- s->pending_buf_size = (ulg)s->lit_bufsize * (sizeof(ush)+2L);
-
- if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL ||
- s->pending_buf == Z_NULL) {
- strm->msg = ERR_MSG(Z_MEM_ERROR);
- deflateEnd (strm);
- return Z_MEM_ERROR;
- }
- s->d_buf = overlay + s->lit_bufsize/sizeof(ush);
- s->l_buf = s->pending_buf + (1+sizeof(ush))*s->lit_bufsize;
-
- s->level = level;
- s->strategy = strategy;
- s->method = (Byte)method;
-
- return deflateReset(strm);
-}
-
-/* ========================================================================= */
-int ZEXPORT deflateSetDictionary (strm, dictionary, dictLength)
- z_streamp strm;
- const Bytef *dictionary;
- uInt dictLength;
-{
- deflate_state *s;
- uInt length = dictLength;
- uInt n;
- IPos hash_head = 0;
-
- if (strm == Z_NULL || strm->state == Z_NULL || dictionary == Z_NULL ||
- strm->state->status != INIT_STATE) return Z_STREAM_ERROR;
-
- s = strm->state;
- strm->adler = adler32(strm->adler, dictionary, dictLength);
-
- if (length < MIN_MATCH) return Z_OK;
- if (length > MAX_DIST(s)) {
- length = MAX_DIST(s);
-#ifndef USE_DICT_HEAD
- dictionary += dictLength - length; /* use the tail of the dictionary */
-#endif
- }
- zmemcpy(s->window, dictionary, length);
- s->strstart = length;
- s->block_start = (long)length;
-
- /* Insert all strings in the hash table (except for the last two bytes).
- * s->lookahead stays null, so s->ins_h will be recomputed at the next
- * call of fill_window.
- */
- s->ins_h = s->window[0];
- UPDATE_HASH(s, s->ins_h, s->window[1]);
- for (n = 0; n <= length - MIN_MATCH; n++) {
- INSERT_STRING(s, n, hash_head);
- }
- if (hash_head) hash_head = 0; /* to make compiler happy */
- return Z_OK;
-}
-
-/* ========================================================================= */
-int ZEXPORT deflateReset (strm)
- z_streamp strm;
-{
- deflate_state *s;
-
- if (strm == Z_NULL || strm->state == Z_NULL ||
- strm->zalloc == Z_NULL || strm->zfree == Z_NULL) return Z_STREAM_ERROR;
-
- strm->total_in = strm->total_out = 0;
- strm->msg = Z_NULL; /* use zfree if we ever allocate msg dynamically */
- strm->data_type = Z_UNKNOWN;
-
- s = (deflate_state *)strm->state;
- s->pending = 0;
- s->pending_out = s->pending_buf;
-
- if (s->noheader < 0) {
- s->noheader = 0; /* was set to -1 by deflate(..., Z_FINISH); */
- }
- s->status = s->noheader ? BUSY_STATE : INIT_STATE;
- strm->adler = 1;
- s->last_flush = Z_NO_FLUSH;
-
- _tr_init(s);
- lm_init(s);
-
- return Z_OK;
-}
-
-/* ========================================================================= */
-int ZEXPORT deflateParams(strm, level, strategy)
- z_streamp strm;
- int level;
- int strategy;
-{
- deflate_state *s;
- compress_func func;
- int err = Z_OK;
-
- if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
- s = strm->state;
-
- if (level == Z_DEFAULT_COMPRESSION) {
- level = 6;
- }
- if (level < 0 || level > 9 || strategy < 0 || strategy > Z_HUFFMAN_ONLY) {
- return Z_STREAM_ERROR;
- }
- func = configuration_table[s->level].func;
-
- if (func != configuration_table[level].func && strm->total_in != 0) {
- /* Flush the last buffer: */
- err = deflate(strm, Z_PARTIAL_FLUSH);
- }
- if (s->level != level) {
- s->level = level;
- s->max_lazy_match = configuration_table[level].max_lazy;
- s->good_match = configuration_table[level].good_length;
- s->nice_match = configuration_table[level].nice_length;
- s->max_chain_length = configuration_table[level].max_chain;
- }
- s->strategy = strategy;
- return err;
-}
-
-/* =========================================================================
- * Put a short in the pending buffer. The 16-bit value is put in MSB order.
- * IN assertion: the stream state is correct and there is enough room in
- * pending_buf.
- */
-local void putShortMSB (s, b)
- deflate_state *s;
- uInt b;
-{
- put_byte(s, (Byte)(b >> 8));
- put_byte(s, (Byte)(b & 0xff));
-}
-
-/* =========================================================================
- * Flush as much pending output as possible. All deflate() output goes
- * through this function so some applications may wish to modify it
- * to avoid allocating a large strm->next_out buffer and copying into it.
- * (See also read_buf()).
- */
-local void flush_pending(strm)
- z_streamp strm;
-{
- unsigned len = strm->state->pending;
-
- if (len > strm->avail_out) len = strm->avail_out;
- if (len == 0) return;
-
- zmemcpy(strm->next_out, strm->state->pending_out, len);
- strm->next_out += len;
- strm->state->pending_out += len;
- strm->total_out += len;
- strm->avail_out -= len;
- strm->state->pending -= len;
- if (strm->state->pending == 0) {
- strm->state->pending_out = strm->state->pending_buf;
- }
-}
-
-/* ========================================================================= */
-int ZEXPORT deflate (strm, flush)
- z_streamp strm;
- int flush;
-{
- int old_flush; /* value of flush param for previous deflate call */
- deflate_state *s;
-
- if (strm == Z_NULL || strm->state == Z_NULL ||
- flush > Z_FINISH || flush < 0) {
- return Z_STREAM_ERROR;
- }
- s = strm->state;
-
- if (strm->next_out == Z_NULL ||
- (strm->next_in == Z_NULL && strm->avail_in != 0) ||
- (s->status == FINISH_STATE && flush != Z_FINISH)) {
- ERR_RETURN(strm, Z_STREAM_ERROR);
- }
- if (strm->avail_out == 0) ERR_RETURN(strm, Z_BUF_ERROR);
-
- s->strm = strm; /* just in case */
- old_flush = s->last_flush;
- s->last_flush = flush;
-
- /* Write the zlib header */
- if (s->status == INIT_STATE) {
-
- uInt header = (Z_DEFLATED + ((s->w_bits-8)<<4)) << 8;
- uInt level_flags = (s->level-1) >> 1;
-
- if (level_flags > 3) level_flags = 3;
- header |= (level_flags << 6);
- if (s->strstart != 0) header |= PRESET_DICT;
- header += 31 - (header % 31);
-
- s->status = BUSY_STATE;
- putShortMSB(s, header);
-
- /* Save the adler32 of the preset dictionary: */
- if (s->strstart != 0) {
- putShortMSB(s, (uInt)(strm->adler >> 16));
- putShortMSB(s, (uInt)(strm->adler & 0xffff));
- }
- strm->adler = 1L;
- }
-
- /* Flush as much pending output as possible */
- if (s->pending != 0) {
- flush_pending(strm);
- if (strm->avail_out == 0) {
- /* Since avail_out is 0, deflate will be called again with
- * more output space, but possibly with both pending and
- * avail_in equal to zero. There won't be anything to do,
- * but this is not an error situation so make sure we
- * return OK instead of BUF_ERROR at next call of deflate:
- */
- s->last_flush = -1;
- return Z_OK;
- }
-
- /* Make sure there is something to do and avoid duplicate consecutive
- * flushes. For repeated and useless calls with Z_FINISH, we keep
- * returning Z_STREAM_END instead of Z_BUFF_ERROR.
- */
- } else if (strm->avail_in == 0 && flush <= old_flush &&
- flush != Z_FINISH) {
- ERR_RETURN(strm, Z_BUF_ERROR);
- }
-
- /* User must not provide more input after the first FINISH: */
- if (s->status == FINISH_STATE && strm->avail_in != 0) {
- ERR_RETURN(strm, Z_BUF_ERROR);
- }
-
- /* Start a new block or continue the current one.
- */
- if (strm->avail_in != 0 || s->lookahead != 0 ||
- (flush != Z_NO_FLUSH && s->status != FINISH_STATE)) {
- block_state bstate;
-
- bstate = (*(configuration_table[s->level].func))(s, flush);
-
- if (bstate == finish_started || bstate == finish_done) {
- s->status = FINISH_STATE;
- }
- if (bstate == need_more || bstate == finish_started) {
- if (strm->avail_out == 0) {
- s->last_flush = -1; /* avoid BUF_ERROR next call, see above */
- }
- return Z_OK;
- /* If flush != Z_NO_FLUSH && avail_out == 0, the next call
- * of deflate should use the same flush parameter to make sure
- * that the flush is complete. So we don't have to output an
- * empty block here, this will be done at next call. This also
- * ensures that for a very small output buffer, we emit at most
- * one empty block.
- */
- }
- if (bstate == block_done) {
- if (flush == Z_PARTIAL_FLUSH) {
- _tr_align(s);
- } else { /* FULL_FLUSH or SYNC_FLUSH */
- _tr_stored_block(s, (char*)0, 0L, 0);
- /* For a full flush, this empty block will be recognized
- * as a special marker by inflate_sync().
- */
- if (flush == Z_FULL_FLUSH) {
- CLEAR_HASH(s); /* forget history */
- }
- }
- flush_pending(strm);
- if (strm->avail_out == 0) {
- s->last_flush = -1; /* avoid BUF_ERROR at next call, see above */
- return Z_OK;
- }
- }
- }
- Assert(strm->avail_out > 0, "bug2");
-
- if (flush != Z_FINISH) return Z_OK;
- if (s->noheader) return Z_STREAM_END;
-
- /* Write the zlib trailer (adler32) */
- putShortMSB(s, (uInt)(strm->adler >> 16));
- putShortMSB(s, (uInt)(strm->adler & 0xffff));
- flush_pending(strm);
- /* If avail_out is zero, the application will call deflate again
- * to flush the rest.
- */
- s->noheader = -1; /* write the trailer only once! */
- return s->pending != 0 ? Z_OK : Z_STREAM_END;
-}
-
-/* ========================================================================= */
-int ZEXPORT deflateEnd (strm)
- z_streamp strm;
-{
- int status;
-
- if (strm == Z_NULL || strm->state == Z_NULL) return Z_STREAM_ERROR;
-
- status = strm->state->status;
- if (status != INIT_STATE && status != BUSY_STATE &&
- status != FINISH_STATE) {
- return Z_STREAM_ERROR;
- }
-
- /* Deallocate in reverse order of allocations: */
- TRY_FREE(strm, strm->state->pending_buf);
- TRY_FREE(strm, strm->state->head);
- TRY_FREE(strm, strm->state->prev);
- TRY_FREE(strm, strm->state->window);
-
- ZFREE(strm, strm->state);
- strm->state = Z_NULL;
-
- return status == BUSY_STATE ? Z_DATA_ERROR : Z_OK;
-}
-
-/* =========================================================================
- * Copy the source state to the destination state.
- * To simplify the source, this is not supported for 16-bit MSDOS (which
- * doesn't have enough memory anyway to duplicate compression states).
- */
-int ZEXPORT deflateCopy (dest, source)
- z_streamp dest;
- z_streamp source;
-{
-#ifdef MAXSEG_64K
- return Z_STREAM_ERROR;
-#else
- deflate_state *ds;
- deflate_state *ss;
- ushf *overlay;
-
-
- if (source == Z_NULL || dest == Z_NULL || source->state == Z_NULL) {
- return Z_STREAM_ERROR;
- }
-
- ss = source->state;
-
- *dest = *source;
-
- ds = (deflate_state *) ZALLOC(dest, 1, sizeof(deflate_state));
- if (ds == Z_NULL) return Z_MEM_ERROR;
- dest->state = (struct internal_state FAR *) ds;
- *ds = *ss;
- ds->strm = dest;
-
- ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte));
- ds->prev = (Posf *) ZALLOC(dest, ds->w_size, sizeof(Pos));
- ds->head = (Posf *) ZALLOC(dest, ds->hash_size, sizeof(Pos));
- overlay = (ushf *) ZALLOC(dest, ds->lit_bufsize, sizeof(ush)+2);
- ds->pending_buf = (uchf *) overlay;
-
- if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL ||
- ds->pending_buf == Z_NULL) {
- deflateEnd (dest);
- return Z_MEM_ERROR;
- }
- /* following zmemcpy do not work for 16-bit MSDOS */
- zmemcpy(ds->window, ss->window, ds->w_size * 2 * sizeof(Byte));
- zmemcpy(ds->prev, ss->prev, ds->w_size * sizeof(Pos));
- zmemcpy(ds->head, ss->head, ds->hash_size * sizeof(Pos));
- zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size);
-
- ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf);
- ds->d_buf = overlay + ds->lit_bufsize/sizeof(ush);
- ds->l_buf = ds->pending_buf + (1+sizeof(ush))*ds->lit_bufsize;
-
- ds->l_desc.dyn_tree = ds->dyn_ltree;
- ds->d_desc.dyn_tree = ds->dyn_dtree;
- ds->bl_desc.dyn_tree = ds->bl_tree;
-
- return Z_OK;
-#endif
-}
-
-/* ===========================================================================
- * Read a new buffer from the current input stream, update the adler32
- * and total number of bytes read. All deflate() input goes through
- * this function so some applications may wish to modify it to avoid
- * allocating a large strm->next_in buffer and copying from it.
- * (See also flush_pending()).
- */
-local int read_buf(strm, buf, size)
- z_streamp strm;
- Bytef *buf;
- unsigned size;
-{
- unsigned len = strm->avail_in;
-
- if (len > size) len = size;
- if (len == 0) return 0;
-
- strm->avail_in -= len;
-
- if (!strm->state->noheader) {
- strm->adler = adler32(strm->adler, strm->next_in, len);
- }
- zmemcpy(buf, strm->next_in, len);
- strm->next_in += len;
- strm->total_in += len;
-
- return (int)len;
-}
-
-/* ===========================================================================
- * Initialize the "longest match" routines for a new zlib stream
- */
-local void lm_init (s)
- deflate_state *s;
-{
- s->window_size = (ulg)2L*s->w_size;
-
- CLEAR_HASH(s);
-
- /* Set the default configuration parameters:
- */
- s->max_lazy_match = configuration_table[s->level].max_lazy;
- s->good_match = configuration_table[s->level].good_length;
- s->nice_match = configuration_table[s->level].nice_length;
- s->max_chain_length = configuration_table[s->level].max_chain;
-
- s->strstart = 0;
- s->block_start = 0L;
- s->lookahead = 0;
- s->match_length = s->prev_length = MIN_MATCH-1;
- s->match_available = 0;
- s->ins_h = 0;
-#ifdef ASMV
- match_init(); /* initialize the asm code */
-#endif
-}
-
-/* ===========================================================================
- * Set match_start to the longest match starting at the given string and
- * return its length. Matches shorter or equal to prev_length are discarded,
- * in which case the result is equal to prev_length and match_start is
- * garbage.
- * IN assertions: cur_match is the head of the hash chain for the current
- * string (strstart) and its distance is <= MAX_DIST, and prev_length >= 1
- * OUT assertion: the match length is not greater than s->lookahead.
- */
-#ifndef ASMV
-/* For 80x86 and 680x0, an optimized version will be provided in match.asm or
- * match.S. The code will be functionally equivalent.
- */
-#ifndef FASTEST
-local uInt longest_match(s, cur_match)
- deflate_state *s;
- IPos cur_match; /* current match */
-{
- unsigned chain_length = s->max_chain_length;/* max hash chain length */
- register Bytef *scan = s->window + s->strstart; /* current string */
- register Bytef *match; /* matched string */
- register int len; /* length of current match */
- int best_len = s->prev_length; /* best match length so far */
- int nice_match = s->nice_match; /* stop if match long enough */
- IPos limit = s->strstart > (IPos)MAX_DIST(s) ?
- s->strstart - (IPos)MAX_DIST(s) : NIL;
- /* Stop when cur_match becomes <= limit. To simplify the code,
- * we prevent matches with the string of window index 0.
- */
- Posf *prev = s->prev;
- uInt wmask = s->w_mask;
-
-#ifdef UNALIGNED_OK
- /* Compare two bytes at a time. Note: this is not always beneficial.
- * Try with and without -DUNALIGNED_OK to check.
- */
- register Bytef *strend = s->window + s->strstart + MAX_MATCH - 1;
- register ush scan_start = *(ushf*)scan;
- register ush scan_end = *(ushf*)(scan+best_len-1);
-#else
- register Bytef *strend = s->window + s->strstart + MAX_MATCH;
- register Byte scan_end1 = scan[best_len-1];
- register Byte scan_end = scan[best_len];
-#endif
-
- /* The code is optimized for HASH_BITS >= 8 and MAX_MATCH-2 multiple of 16.
- * It is easy to get rid of this optimization if necessary.
- */
- Assert(s->hash_bits >= 8 && MAX_MATCH == 258, "Code too clever");
-
- /* Do not waste too much time if we already have a good match: */
- if (s->prev_length >= s->good_match) {
- chain_length >>= 2;
- }
- /* Do not look for matches beyond the end of the input. This is necessary
- * to make deflate deterministic.
- */
- if ((uInt)nice_match > s->lookahead) nice_match = s->lookahead;
-
- Assert((ulg)s->strstart <= s->window_size-MIN_LOOKAHEAD, "need lookahead");
-
- do {
- Assert(cur_match < s->strstart, "no future");
- match = s->window + cur_match;
-
- /* Skip to next match if the match length cannot increase
- * or if the match length is less than 2:
- */
-#if (defined(UNALIGNED_OK) && MAX_MATCH == 258)
- /* This code assumes sizeof(unsigned short) == 2. Do not use
- * UNALIGNED_OK if your compiler uses a different size.
- */
- if (*(ushf*)(match+best_len-1) != scan_end ||
- *(ushf*)match != scan_start) continue;
-
- /* It is not necessary to compare scan[2] and match[2] since they are
- * always equal when the other bytes match, given that the hash keys
- * are equal and that HASH_BITS >= 8. Compare 2 bytes at a time at
- * strstart+3, +5, ... up to strstart+257. We check for insufficient
- * lookahead only every 4th comparison; the 128th check will be made
- * at strstart+257. If MAX_MATCH-2 is not a multiple of 8, it is
- * necessary to put more guard bytes at the end of the window, or
- * to check more often for insufficient lookahead.
- */
- Assert(scan[2] == match[2], "scan[2]?");
- scan++, match++;
- do {
- } while (*(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
- *(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
- *(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
- *(ushf*)(scan+=2) == *(ushf*)(match+=2) &&
- scan < strend);
- /* The funny "do {}" generates better code on most compilers */
-
- /* Here, scan <= window+strstart+257 */
- Assert(scan <= s->window+(unsigned)(s->window_size-1), "wild scan");
- if (*scan == *match) scan++;
-
- len = (MAX_MATCH - 1) - (int)(strend-scan);
- scan = strend - (MAX_MATCH-1);
-
-#else /* UNALIGNED_OK */
-
- if (match[best_len] != scan_end ||
- match[best_len-1] != scan_end1 ||
- *match != *scan ||
- *++match != scan[1]) continue;
-
- /* The check at best_len-1 can be removed because it will be made
- * again later. (This heuristic is not always a win.)
- * It is not necessary to compare scan[2] and match[2] since they
- * are always equal when the other bytes match, given that
- * the hash keys are equal and that HASH_BITS >= 8.
- */
- scan += 2, match++;
- Assert(*scan == *match, "match[2]?");
-
- /* We check for insufficient lookahead only every 8th comparison;
- * the 256th check will be made at strstart+258.
- */
- do {
- } while (*++scan == *++match && *++scan == *++match &&
- *++scan == *++match && *++scan == *++match &&
- *++scan == *++match && *++scan == *++match &&
- *++scan == *++match && *++scan == *++match &&
- scan < strend);
-
- Assert(scan <= s->window+(unsigned)(s->window_size-1), "wild scan");
-
- len = MAX_MATCH - (int)(strend - scan);
- scan = strend - MAX_MATCH;
-
-#endif /* UNALIGNED_OK */
-
- if (len > best_len) {
- s->match_start = cur_match;
- best_len = len;
- if (len >= nice_match) break;
-#ifdef UNALIGNED_OK
- scan_end = *(ushf*)(scan+best_len-1);
-#else
- scan_end1 = scan[best_len-1];
- scan_end = scan[best_len];
-#endif
- }
- } while ((cur_match = prev[cur_match & wmask]) > limit
- && --chain_length != 0);
-
- if ((uInt)best_len <= s->lookahead) return (uInt)best_len;
- return s->lookahead;
-}
-
-#else /* FASTEST */
-/* ---------------------------------------------------------------------------
- * Optimized version for level == 1 only
- */
-local uInt longest_match(s, cur_match)
- deflate_state *s;
- IPos cur_match; /* current match */
-{
- register Bytef *scan = s->window + s->strstart; /* current string */
- register Bytef *match; /* matched string */
- register int len; /* length of current match */
- register Bytef *strend = s->window + s->strstart + MAX_MATCH;
-
- /* The code is optimized for HASH_BITS >= 8 and MAX_MATCH-2 multiple of 16.
- * It is easy to get rid of this optimization if necessary.
- */
- Assert(s->hash_bits >= 8 && MAX_MATCH == 258, "Code too clever");
-
- Assert((ulg)s->strstart <= s->window_size-MIN_LOOKAHEAD, "need lookahead");
-
- Assert(cur_match < s->strstart, "no future");
-
- match = s->window + cur_match;
-
- /* Return failure if the match length is less than 2:
- */
- if (match[0] != scan[0] || match[1] != scan[1]) return MIN_MATCH-1;
-
- /* The check at best_len-1 can be removed because it will be made
- * again later. (This heuristic is not always a win.)
- * It is not necessary to compare scan[2] and match[2] since they
- * are always equal when the other bytes match, given that
- * the hash keys are equal and that HASH_BITS >= 8.
- */
- scan += 2, match += 2;
- Assert(*scan == *match, "match[2]?");
-
- /* We check for insufficient lookahead only every 8th comparison;
- * the 256th check will be made at strstart+258.
- */
- do {
- } while (*++scan == *++match && *++scan == *++match &&
- *++scan == *++match && *++scan == *++match &&
- *++scan == *++match && *++scan == *++match &&
- *++scan == *++match && *++scan == *++match &&
- scan < strend);
-
- Assert(scan <= s->window+(unsigned)(s->window_size-1), "wild scan");
-
- len = MAX_MATCH - (int)(strend - scan);
-
- if (len < MIN_MATCH) return MIN_MATCH - 1;
-
- s->match_start = cur_match;
- return len <= s->lookahead ? len : s->lookahead;
-}
-#endif /* FASTEST */
-#endif /* ASMV */
-
-#ifdef DEBUG
-/* ===========================================================================
- * Check that the match at match_start is indeed a match.
- */
-local void check_match(s, start, match, length)
- deflate_state *s;
- IPos start, match;
- int length;
-{
- /* check that the match is indeed a match */
- if (zmemcmp(s->window + match,
- s->window + start, length) != EQUAL) {
- fprintf(stderr, " start %u, match %u, length %d\n",
- start, match, length);
- do {
- fprintf(stderr, "%c%c", s->window[match++], s->window[start++]);
- } while (--length != 0);
- z_error("invalid match");
- }
- if (z_verbose > 1) {
- fprintf(stderr,"\\[%d,%d]", start-match, length);
- do { putc(s->window[start++], stderr); } while (--length != 0);
- }
-}
-#else
-# define check_match(s, start, match, length)
-#endif
-
-/* ===========================================================================
- * Fill the window when the lookahead becomes insufficient.
- * Updates strstart and lookahead.
- *
- * IN assertion: lookahead < MIN_LOOKAHEAD
- * OUT assertions: strstart <= window_size-MIN_LOOKAHEAD
- * At least one byte has been read, or avail_in == 0; reads are
- * performed for at least two bytes (required for the zip translate_eol
- * option -- not supported here).
- */
-local void fill_window(s)
- deflate_state *s;
-{
- register unsigned n, m;
- register Posf *p;
- unsigned more; /* Amount of free space at the end of the window. */
- uInt wsize = s->w_size;
-
- do {
- more = (unsigned)(s->window_size -(ulg)s->lookahead -(ulg)s->strstart);
-
- /* Deal with !@#$% 64K limit: */
- if (more == 0 && s->strstart == 0 && s->lookahead == 0) {
- more = wsize;
-
- } else if (more == (unsigned)(-1)) {
- /* Very unlikely, but possible on 16 bit machine if strstart == 0
- * and lookahead == 1 (input done one byte at time)
- */
- more--;
-
- /* If the window is almost full and there is insufficient lookahead,
- * move the upper half to the lower one to make room in the upper half.
- */
- } else if (s->strstart >= wsize+MAX_DIST(s)) {
-
- zmemcpy(s->window, s->window+wsize, (unsigned)wsize);
- s->match_start -= wsize;
- s->strstart -= wsize; /* we now have strstart >= MAX_DIST */
- s->block_start -= (long) wsize;
-
- /* Slide the hash table (could be avoided with 32 bit values
- at the expense of memory usage). We slide even when level == 0
- to keep the hash table consistent if we switch back to level > 0
- later. (Using level 0 permanently is not an optimal usage of
- zlib, so we don't care about this pathological case.)
- */
- n = s->hash_size;
- p = &s->head[n];
- do {
- m = *--p;
- *p = (Pos)(m >= wsize ? m-wsize : NIL);
- } while (--n);
-
- n = wsize;
-#ifndef FASTEST
- p = &s->prev[n];
- do {
- m = *--p;
- *p = (Pos)(m >= wsize ? m-wsize : NIL);
- /* If n is not on any hash chain, prev[n] is garbage but
- * its value will never be used.
- */
- } while (--n);
-#endif
- more += wsize;
- }
- if (s->strm->avail_in == 0) return;
-
- /* If there was no sliding:
- * strstart <= WSIZE+MAX_DIST-1 && lookahead <= MIN_LOOKAHEAD - 1 &&
- * more == window_size - lookahead - strstart
- * => more >= window_size - (MIN_LOOKAHEAD-1 + WSIZE + MAX_DIST-1)
- * => more >= window_size - 2*WSIZE + 2
- * In the BIG_MEM or MMAP case (not yet supported),
- * window_size == input_size + MIN_LOOKAHEAD &&
- * strstart + s->lookahead <= input_size => more >= MIN_LOOKAHEAD.
- * Otherwise, window_size == 2*WSIZE so more >= 2.
- * If there was sliding, more >= WSIZE. So in all cases, more >= 2.
- */
- Assert(more >= 2, "more < 2");
-
- n = read_buf(s->strm, s->window + s->strstart + s->lookahead, more);
- s->lookahead += n;
-
- /* Initialize the hash value now that we have some input: */
- if (s->lookahead >= MIN_MATCH) {
- s->ins_h = s->window[s->strstart];
- UPDATE_HASH(s, s->ins_h, s->window[s->strstart+1]);
-#if MIN_MATCH != 3
- Call UPDATE_HASH() MIN_MATCH-3 more times
-#endif
- }
- /* If the whole input has less than MIN_MATCH bytes, ins_h is garbage,
- * but this is not important since only literal bytes will be emitted.
- */
-
- } while (s->lookahead < MIN_LOOKAHEAD && s->strm->avail_in != 0);
-}
-
-/* ===========================================================================
- * Flush the current block, with given end-of-file flag.
- * IN assertion: strstart is set to the end of the current match.
- */
-#define FLUSH_BLOCK_ONLY(s, eof) { \
- _tr_flush_block(s, (s->block_start >= 0L ? \
- (charf *)&s->window[(unsigned)s->block_start] : \
- (charf *)Z_NULL), \
- (ulg)((long)s->strstart - s->block_start), \
- (eof)); \
- s->block_start = s->strstart; \
- flush_pending(s->strm); \
- Tracev((stderr,"[FLUSH]")); \
-}
-
-/* Same but force premature exit if necessary. */
-#define FLUSH_BLOCK(s, eof) { \
- FLUSH_BLOCK_ONLY(s, eof); \
- if (s->strm->avail_out == 0) return (eof) ? finish_started : need_more; \
-}
-
-/* ===========================================================================
- * Copy without compression as much as possible from the input stream, return
- * the current block state.
- * This function does not insert new strings in the dictionary since
- * uncompressible data is probably not useful. This function is used
- * only for the level=0 compression option.
- * NOTE: this function should be optimized to avoid extra copying from
- * window to pending_buf.
- */
-local block_state deflate_stored(s, flush)
- deflate_state *s;
- int flush;
-{
- /* Stored blocks are limited to 0xffff bytes, pending_buf is limited
- * to pending_buf_size, and each stored block has a 5 byte header:
- */
- ulg max_block_size = 0xffff;
- ulg max_start;
-
- if (max_block_size > s->pending_buf_size - 5) {
- max_block_size = s->pending_buf_size - 5;
- }
-
- /* Copy as much as possible from input to output: */
- for (;;) {
- /* Fill the window as much as possible: */
- if (s->lookahead <= 1) {
-
- Assert(s->strstart < s->w_size+MAX_DIST(s) ||
- s->block_start >= (long)s->w_size, "slide too late");
-
- fill_window(s);
- if (s->lookahead == 0 && flush == Z_NO_FLUSH) return need_more;
-
- if (s->lookahead == 0) break; /* flush the current block */
- }
- Assert(s->block_start >= 0L, "block gone");
-
- s->strstart += s->lookahead;
- s->lookahead = 0;
-
- /* Emit a stored block if pending_buf will be full: */
- max_start = s->block_start + max_block_size;
- if (s->strstart == 0 || (ulg)s->strstart >= max_start) {
- /* strstart == 0 is possible when wraparound on 16-bit machine */
- s->lookahead = (uInt)(s->strstart - max_start);
- s->strstart = (uInt)max_start;
- FLUSH_BLOCK(s, 0);
- }
- /* Flush if we may have to slide, otherwise block_start may become
- * negative and the data will be gone:
- */
- if (s->strstart - (uInt)s->block_start >= MAX_DIST(s)) {
- FLUSH_BLOCK(s, 0);
- }
- }
- FLUSH_BLOCK(s, flush == Z_FINISH);
- return flush == Z_FINISH ? finish_done : block_done;
-}
-
-/* ===========================================================================
- * Compress as much as possible from the input stream, return the current
- * block state.
- * This function does not perform lazy evaluation of matches and inserts
- * new strings in the dictionary only for unmatched strings or for short
- * matches. It is used only for the fast compression options.
- */
-local block_state deflate_fast(s, flush)
- deflate_state *s;
- int flush;
-{
- IPos hash_head = NIL; /* head of the hash chain */
- int bflush; /* set if current block must be flushed */
-
- for (;;) {
- /* Make sure that we always have enough lookahead, except
- * at the end of the input file. We need MAX_MATCH bytes
- * for the next match, plus MIN_MATCH bytes to insert the
- * string following the next match.
- */
- if (s->lookahead < MIN_LOOKAHEAD) {
- fill_window(s);
- if (s->lookahead < MIN_LOOKAHEAD && flush == Z_NO_FLUSH) {
- return need_more;
- }
- if (s->lookahead == 0) break; /* flush the current block */
- }
-
- /* Insert the string window[strstart .. strstart+2] in the
- * dictionary, and set hash_head to the head of the hash chain:
- */
- if (s->lookahead >= MIN_MATCH) {
- INSERT_STRING(s, s->strstart, hash_head);
- }
-
- /* Find the longest match, discarding those <= prev_length.
- * At this point we have always match_length < MIN_MATCH
- */
- if (hash_head != NIL && s->strstart - hash_head <= MAX_DIST(s)) {
- /* To simplify the code, we prevent matches with the string
- * of window index 0 (in particular we have to avoid a match
- * of the string with itself at the start of the input file).
- */
- if (s->strategy != Z_HUFFMAN_ONLY) {
- s->match_length = longest_match (s, hash_head);
- }
- /* longest_match() sets match_start */
- }
- if (s->match_length >= MIN_MATCH) {
- check_match(s, s->strstart, s->match_start, s->match_length);
-
- _tr_tally_dist(s, s->strstart - s->match_start,
- s->match_length - MIN_MATCH, bflush);
-
- s->lookahead -= s->match_length;
-
- /* Insert new strings in the hash table only if the match length
- * is not too large. This saves time but degrades compression.
- */
-#ifndef FASTEST
- if (s->match_length <= s->max_insert_length &&
- s->lookahead >= MIN_MATCH) {
- s->match_length--; /* string at strstart already in hash table */
- do {
- s->strstart++;
- INSERT_STRING(s, s->strstart, hash_head);
- /* strstart never exceeds WSIZE-MAX_MATCH, so there are
- * always MIN_MATCH bytes ahead.
- */
- } while (--s->match_length != 0);
- s->strstart++;
- } else
-#endif
- {
- s->strstart += s->match_length;
- s->match_length = 0;
- s->ins_h = s->window[s->strstart];
- UPDATE_HASH(s, s->ins_h, s->window[s->strstart+1]);
-#if MIN_MATCH != 3
- Call UPDATE_HASH() MIN_MATCH-3 more times
-#endif
- /* If lookahead < MIN_MATCH, ins_h is garbage, but it does not
- * matter since it will be recomputed at next deflate call.
- */
- }
- } else {
- /* No match, output a literal byte */
- Tracevv((stderr,"%c", s->window[s->strstart]));
- _tr_tally_lit (s, s->window[s->strstart], bflush);
- s->lookahead--;
- s->strstart++;
- }
- if (bflush) FLUSH_BLOCK(s, 0);
- }
- FLUSH_BLOCK(s, flush == Z_FINISH);
- return flush == Z_FINISH ? finish_done : block_done;
-}
-
-/* ===========================================================================
- * Same as above, but achieves better compression. We use a lazy
- * evaluation for matches: a match is finally adopted only if there is
- * no better match at the next window position.
- */
-local block_state deflate_slow(s, flush)
- deflate_state *s;
- int flush;
-{
- IPos hash_head = NIL; /* head of hash chain */
- int bflush; /* set if current block must be flushed */
-
- /* Process the input block. */
- for (;;) {
- /* Make sure that we always have enough lookahead, except
- * at the end of the input file. We need MAX_MATCH bytes
- * for the next match, plus MIN_MATCH bytes to insert the
- * string following the next match.
- */
- if (s->lookahead < MIN_LOOKAHEAD) {
- fill_window(s);
- if (s->lookahead < MIN_LOOKAHEAD && flush == Z_NO_FLUSH) {
- return need_more;
- }
- if (s->lookahead == 0) break; /* flush the current block */
- }
-
- /* Insert the string window[strstart .. strstart+2] in the
- * dictionary, and set hash_head to the head of the hash chain:
- */
- if (s->lookahead >= MIN_MATCH) {
- INSERT_STRING(s, s->strstart, hash_head);
- }
-
- /* Find the longest match, discarding those <= prev_length.
- */
- s->prev_length = s->match_length, s->prev_match = s->match_start;
- s->match_length = MIN_MATCH-1;
-
- if (hash_head != NIL && s->prev_length < s->max_lazy_match &&
- s->strstart - hash_head <= MAX_DIST(s)) {
- /* To simplify the code, we prevent matches with the string
- * of window index 0 (in particular we have to avoid a match
- * of the string with itself at the start of the input file).
- */
- if (s->strategy != Z_HUFFMAN_ONLY) {
- s->match_length = longest_match (s, hash_head);
- }
- /* longest_match() sets match_start */
-
- if (s->match_length <= 5 && (s->strategy == Z_FILTERED ||
- (s->match_length == MIN_MATCH &&
- s->strstart - s->match_start > TOO_FAR))) {
-
- /* If prev_match is also MIN_MATCH, match_start is garbage
- * but we will ignore the current match anyway.
- */
- s->match_length = MIN_MATCH-1;
- }
- }
- /* If there was a match at the previous step and the current
- * match is not better, output the previous match:
- */
- if (s->prev_length >= MIN_MATCH && s->match_length <= s->prev_length) {
- uInt max_insert = s->strstart + s->lookahead - MIN_MATCH;
- /* Do not insert strings in hash table beyond this. */
-
- check_match(s, s->strstart-1, s->prev_match, s->prev_length);
-
- _tr_tally_dist(s, s->strstart -1 - s->prev_match,
- s->prev_length - MIN_MATCH, bflush);
-
- /* Insert in hash table all strings up to the end of the match.
- * strstart-1 and strstart are already inserted. If there is not
- * enough lookahead, the last two strings are not inserted in
- * the hash table.
- */
- s->lookahead -= s->prev_length-1;
- s->prev_length -= 2;
- do {
- if (++s->strstart <= max_insert) {
- INSERT_STRING(s, s->strstart, hash_head);
- }
- } while (--s->prev_length != 0);
- s->match_available = 0;
- s->match_length = MIN_MATCH-1;
- s->strstart++;
-
- if (bflush) FLUSH_BLOCK(s, 0);
-
- } else if (s->match_available) {
- /* If there was no match at the previous position, output a
- * single literal. If there was a match but the current match
- * is longer, truncate the previous match to a single literal.
- */
- Tracevv((stderr,"%c", s->window[s->strstart-1]));
- _tr_tally_lit(s, s->window[s->strstart-1], bflush);
- if (bflush) {
- FLUSH_BLOCK_ONLY(s, 0);
- }
- s->strstart++;
- s->lookahead--;
- if (s->strm->avail_out == 0) return need_more;
- } else {
- /* There is no previous match to compare with, wait for
- * the next step to decide.
- */
- s->match_available = 1;
- s->strstart++;
- s->lookahead--;
- }
- }
- Assert (flush != Z_NO_FLUSH, "no flush?");
- if (s->match_available) {
- Tracevv((stderr,"%c", s->window[s->strstart-1]));
- _tr_tally_lit(s, s->window[s->strstart-1], bflush);
- s->match_available = 0;
- }
- FLUSH_BLOCK(s, flush == Z_FINISH);
- return flush == Z_FINISH ? finish_done : block_done;
-}
diff --git a/linux/lib/zlib/deflate.h b/linux/lib/zlib/deflate.h
deleted file mode 100644
index 2e39b413b..000000000
--- a/linux/lib/zlib/deflate.h
+++ /dev/null
@@ -1,318 +0,0 @@
-/* deflate.h -- internal compression state
- * Copyright (C) 1995-2002 Jean-loup Gailly
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* WARNING: this file should *not* be used by applications. It is
- part of the implementation of the compression library and is
- subject to change. Applications should only use zlib.h.
- */
-
-/* @(#) $Id: deflate.h,v 1.1 2004/03/15 20:35:26 as Exp $ */
-
-#ifndef _DEFLATE_H
-#define _DEFLATE_H
-
-#include "zlib/zutil.h"
-
-/* ===========================================================================
- * Internal compression state.
- */
-
-#define LENGTH_CODES 29
-/* number of length codes, not counting the special END_BLOCK code */
-
-#define LITERALS 256
-/* number of literal bytes 0..255 */
-
-#define L_CODES (LITERALS+1+LENGTH_CODES)
-/* number of Literal or Length codes, including the END_BLOCK code */
-
-#define D_CODES 30
-/* number of distance codes */
-
-#define BL_CODES 19
-/* number of codes used to transfer the bit lengths */
-
-#define HEAP_SIZE (2*L_CODES+1)
-/* maximum heap size */
-
-#define MAX_BITS 15
-/* All codes must not exceed MAX_BITS bits */
-
-#define INIT_STATE 42
-#define BUSY_STATE 113
-#define FINISH_STATE 666
-/* Stream status */
-
-
-/* Data structure describing a single value and its code string. */
-typedef struct ct_data_s {
- union {
- ush freq; /* frequency count */
- ush code; /* bit string */
- } fc;
- union {
- ush dad; /* father node in Huffman tree */
- ush len; /* length of bit string */
- } dl;
-} FAR ct_data;
-
-#define Freq fc.freq
-#define Code fc.code
-#define Dad dl.dad
-#define Len dl.len
-
-typedef struct static_tree_desc_s static_tree_desc;
-
-typedef struct tree_desc_s {
- ct_data *dyn_tree; /* the dynamic tree */
- int max_code; /* largest code with non zero frequency */
- static_tree_desc *stat_desc; /* the corresponding static tree */
-} FAR tree_desc;
-
-typedef ush Pos;
-typedef Pos FAR Posf;
-typedef unsigned IPos;
-
-/* A Pos is an index in the character window. We use short instead of int to
- * save space in the various tables. IPos is used only for parameter passing.
- */
-
-typedef struct internal_state {
- z_streamp strm; /* pointer back to this zlib stream */
- int status; /* as the name implies */
- Bytef *pending_buf; /* output still pending */
- ulg pending_buf_size; /* size of pending_buf */
- Bytef *pending_out; /* next pending byte to output to the stream */
- int pending; /* nb of bytes in the pending buffer */
- int noheader; /* suppress zlib header and adler32 */
- Byte data_type; /* UNKNOWN, BINARY or ASCII */
- Byte method; /* STORED (for zip only) or DEFLATED */
- int last_flush; /* value of flush param for previous deflate call */
-
- /* used by deflate.c: */
-
- uInt w_size; /* LZ77 window size (32K by default) */
- uInt w_bits; /* log2(w_size) (8..16) */
- uInt w_mask; /* w_size - 1 */
-
- Bytef *window;
- /* Sliding window. Input bytes are read into the second half of the window,
- * and move to the first half later to keep a dictionary of at least wSize
- * bytes. With this organization, matches are limited to a distance of
- * wSize-MAX_MATCH bytes, but this ensures that IO is always
- * performed with a length multiple of the block size. Also, it limits
- * the window size to 64K, which is quite useful on MSDOS.
- * To do: use the user input buffer as sliding window.
- */
-
- ulg window_size;
- /* Actual size of window: 2*wSize, except when the user input buffer
- * is directly used as sliding window.
- */
-
- Posf *prev;
- /* Link to older string with same hash index. To limit the size of this
- * array to 64K, this link is maintained only for the last 32K strings.
- * An index in this array is thus a window index modulo 32K.
- */
-
- Posf *head; /* Heads of the hash chains or NIL. */
-
- uInt ins_h; /* hash index of string to be inserted */
- uInt hash_size; /* number of elements in hash table */
- uInt hash_bits; /* log2(hash_size) */
- uInt hash_mask; /* hash_size-1 */
-
- uInt hash_shift;
- /* Number of bits by which ins_h must be shifted at each input
- * step. It must be such that after MIN_MATCH steps, the oldest
- * byte no longer takes part in the hash key, that is:
- * hash_shift * MIN_MATCH >= hash_bits
- */
-
- long block_start;
- /* Window position at the beginning of the current output block. Gets
- * negative when the window is moved backwards.
- */
-
- uInt match_length; /* length of best match */
- IPos prev_match; /* previous match */
- int match_available; /* set if previous match exists */
- uInt strstart; /* start of string to insert */
- uInt match_start; /* start of matching string */
- uInt lookahead; /* number of valid bytes ahead in window */
-
- uInt prev_length;
- /* Length of the best match at previous step. Matches not greater than this
- * are discarded. This is used in the lazy match evaluation.
- */
-
- uInt max_chain_length;
- /* To speed up deflation, hash chains are never searched beyond this
- * length. A higher limit improves compression ratio but degrades the
- * speed.
- */
-
- uInt max_lazy_match;
- /* Attempt to find a better match only when the current match is strictly
- * smaller than this value. This mechanism is used only for compression
- * levels >= 4.
- */
-# define max_insert_length max_lazy_match
- /* Insert new strings in the hash table only if the match length is not
- * greater than this length. This saves time but degrades compression.
- * max_insert_length is used only for compression levels <= 3.
- */
-
- int level; /* compression level (1..9) */
- int strategy; /* favor or force Huffman coding*/
-
- uInt good_match;
- /* Use a faster search when the previous match is longer than this */
-
- int nice_match; /* Stop searching when current match exceeds this */
-
- /* used by trees.c: */
- /* Didn't use ct_data typedef below to supress compiler warning */
- struct ct_data_s dyn_ltree[HEAP_SIZE]; /* literal and length tree */
- struct ct_data_s dyn_dtree[2*D_CODES+1]; /* distance tree */
- struct ct_data_s bl_tree[2*BL_CODES+1]; /* Huffman tree for bit lengths */
-
- struct tree_desc_s l_desc; /* desc. for literal tree */
- struct tree_desc_s d_desc; /* desc. for distance tree */
- struct tree_desc_s bl_desc; /* desc. for bit length tree */
-
- ush bl_count[MAX_BITS+1];
- /* number of codes at each bit length for an optimal tree */
-
- int heap[2*L_CODES+1]; /* heap used to build the Huffman trees */
- int heap_len; /* number of elements in the heap */
- int heap_max; /* element of largest frequency */
- /* The sons of heap[n] are heap[2*n] and heap[2*n+1]. heap[0] is not used.
- * The same heap array is used to build all trees.
- */
-
- uch depth[2*L_CODES+1];
- /* Depth of each subtree used as tie breaker for trees of equal frequency
- */
-
- uchf *l_buf; /* buffer for literals or lengths */
-
- uInt lit_bufsize;
- /* Size of match buffer for literals/lengths. There are 4 reasons for
- * limiting lit_bufsize to 64K:
- * - frequencies can be kept in 16 bit counters
- * - if compression is not successful for the first block, all input
- * data is still in the window so we can still emit a stored block even
- * when input comes from standard input. (This can also be done for
- * all blocks if lit_bufsize is not greater than 32K.)
- * - if compression is not successful for a file smaller than 64K, we can
- * even emit a stored file instead of a stored block (saving 5 bytes).
- * This is applicable only for zip (not gzip or zlib).
- * - creating new Huffman trees less frequently may not provide fast
- * adaptation to changes in the input data statistics. (Take for
- * example a binary file with poorly compressible code followed by
- * a highly compressible string table.) Smaller buffer sizes give
- * fast adaptation but have of course the overhead of transmitting
- * trees more frequently.
- * - I can't count above 4
- */
-
- uInt last_lit; /* running index in l_buf */
-
- ushf *d_buf;
- /* Buffer for distances. To simplify the code, d_buf and l_buf have
- * the same number of elements. To use different lengths, an extra flag
- * array would be necessary.
- */
-
- ulg opt_len; /* bit length of current block with optimal trees */
- ulg static_len; /* bit length of current block with static trees */
- uInt matches; /* number of string matches in current block */
- int last_eob_len; /* bit length of EOB code for last block */
-
-#ifdef DEBUG
- ulg compressed_len; /* total bit length of compressed file mod 2^32 */
- ulg bits_sent; /* bit length of compressed data sent mod 2^32 */
-#endif
-
- ush bi_buf;
- /* Output buffer. bits are inserted starting at the bottom (least
- * significant bits).
- */
- int bi_valid;
- /* Number of valid bits in bi_buf. All bits above the last valid bit
- * are always zero.
- */
-
-} FAR deflate_state;
-
-/* Output a byte on the stream.
- * IN assertion: there is enough room in pending_buf.
- */
-#define put_byte(s, c) {s->pending_buf[s->pending++] = (c);}
-
-
-#define MIN_LOOKAHEAD (MAX_MATCH+MIN_MATCH+1)
-/* Minimum amount of lookahead, except at the end of the input file.
- * See deflate.c for comments about the MIN_MATCH+1.
- */
-
-#define MAX_DIST(s) ((s)->w_size-MIN_LOOKAHEAD)
-/* In order to simplify the code, particularly on 16 bit machines, match
- * distances are limited to MAX_DIST instead of WSIZE.
- */
-
- /* in trees.c */
-void _tr_init OF((deflate_state *s));
-int _tr_tally OF((deflate_state *s, unsigned dist, unsigned lc));
-void _tr_flush_block OF((deflate_state *s, charf *buf, ulg stored_len,
- int eof));
-void _tr_align OF((deflate_state *s));
-void _tr_stored_block OF((deflate_state *s, charf *buf, ulg stored_len,
- int eof));
-
-#define d_code(dist) \
- ((dist) < 256 ? _dist_code[dist] : _dist_code[256+((dist)>>7)])
-/* Mapping from a distance to a distance code. dist is the distance - 1 and
- * must not have side effects. _dist_code[256] and _dist_code[257] are never
- * used.
- */
-
-#ifndef DEBUG
-/* Inline versions of _tr_tally for speed: */
-
-#if defined(GEN_TREES_H) || !defined(STDC)
- extern uch _length_code[];
- extern uch _dist_code[];
-#else
- extern const uch _length_code[];
- extern const uch _dist_code[];
-#endif
-
-# define _tr_tally_lit(s, c, flush) \
- { uch cc = (c); \
- s->d_buf[s->last_lit] = 0; \
- s->l_buf[s->last_lit++] = cc; \
- s->dyn_ltree[cc].Freq++; \
- flush = (s->last_lit == s->lit_bufsize-1); \
- }
-# define _tr_tally_dist(s, distance, length, flush) \
- { uch len = (length); \
- ush dist = (distance); \
- s->d_buf[s->last_lit] = dist; \
- s->l_buf[s->last_lit++] = len; \
- dist--; \
- s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \
- s->dyn_dtree[d_code(dist)].Freq++; \
- flush = (s->last_lit == s->lit_bufsize-1); \
- }
-#else
-# define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
-# define _tr_tally_dist(s, distance, length, flush) \
- flush = _tr_tally(s, distance, length)
-#endif
-
-#endif /* _DEFLATE_H */
diff --git a/linux/lib/zlib/infblock.c b/linux/lib/zlib/infblock.c
deleted file mode 100644
index c316ce0c9..000000000
--- a/linux/lib/zlib/infblock.c
+++ /dev/null
@@ -1,403 +0,0 @@
-/* infblock.c -- interpret and process block types to last block
- * Copyright (C) 1995-2002 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-#include <zlib/zutil.h>
-#include "infblock.h"
-#include "inftrees.h"
-#include "infcodes.h"
-#include "infutil.h"
-
-struct inflate_codes_state {int dummy;}; /* for buggy compilers */
-
-/* simplify the use of the inflate_huft type with some defines */
-#define exop word.what.Exop
-#define bits word.what.Bits
-
-/* Table for deflate from PKZIP's appnote.txt. */
-local const uInt border[] = { /* Order of the bit length code lengths */
- 16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};
-
-/*
- Notes beyond the 1.93a appnote.txt:
-
- 1. Distance pointers never point before the beginning of the output
- stream.
- 2. Distance pointers can point back across blocks, up to 32k away.
- 3. There is an implied maximum of 7 bits for the bit length table and
- 15 bits for the actual data.
- 4. If only one code exists, then it is encoded using one bit. (Zero
- would be more efficient, but perhaps a little confusing.) If two
- codes exist, they are coded using one bit each (0 and 1).
- 5. There is no way of sending zero distance codes--a dummy must be
- sent if there are none. (History: a pre 2.0 version of PKZIP would
- store blocks with no distance codes, but this was discovered to be
- too harsh a criterion.) Valid only for 1.93a. 2.04c does allow
- zero distance codes, which is sent as one code of zero bits in
- length.
- 6. There are up to 286 literal/length codes. Code 256 represents the
- end-of-block. Note however that the static length tree defines
- 288 codes just to fill out the Huffman codes. Codes 286 and 287
- cannot be used though, since there is no length base or extra bits
- defined for them. Similarily, there are up to 30 distance codes.
- However, static trees define 32 codes (all 5 bits) to fill out the
- Huffman codes, but the last two had better not show up in the data.
- 7. Unzip can check dynamic Huffman blocks for complete code sets.
- The exception is that a single code would not be complete (see #4).
- 8. The five bits following the block type is really the number of
- literal codes sent minus 257.
- 9. Length codes 8,16,16 are interpreted as 13 length codes of 8 bits
- (1+6+6). Therefore, to output three times the length, you output
- three codes (1+1+1), whereas to output four times the same length,
- you only need two codes (1+3). Hmm.
- 10. In the tree reconstruction algorithm, Code = Code + Increment
- only if BitLength(i) is not zero. (Pretty obvious.)
- 11. Correction: 4 Bits: # of Bit Length codes - 4 (4 - 19)
- 12. Note: length code 284 can represent 227-258, but length code 285
- really is 258. The last length deserves its own, short code
- since it gets used a lot in very redundant files. The length
- 258 is special since 258 - 3 (the min match length) is 255.
- 13. The literal/length and distance code bit lengths are read as a
- single stream of lengths. It is possible (and advantageous) for
- a repeat code (16, 17, or 18) to go across the boundary between
- the two sets of lengths.
- */
-
-
-void inflate_blocks_reset(s, z, c)
-inflate_blocks_statef *s;
-z_streamp z;
-uLongf *c;
-{
- if (c != Z_NULL)
- *c = s->check;
- if (s->mode == BTREE || s->mode == DTREE)
- ZFREE(z, s->sub.trees.blens);
- if (s->mode == CODES)
- inflate_codes_free(s->sub.decode.codes, z);
- s->mode = TYPE;
- s->bitk = 0;
- s->bitb = 0;
- s->read = s->write = s->window;
- if (s->checkfn != Z_NULL)
- z->adler = s->check = (*s->checkfn)(0L, (const Bytef *)Z_NULL, 0);
- Tracev((stderr, "inflate: blocks reset\n"));
-}
-
-
-inflate_blocks_statef *inflate_blocks_new(z, c, w)
-z_streamp z;
-check_func c;
-uInt w;
-{
- inflate_blocks_statef *s;
-
- if ((s = (inflate_blocks_statef *)ZALLOC
- (z,1,sizeof(struct inflate_blocks_state))) == Z_NULL)
- return s;
- if ((s->hufts =
- (inflate_huft *)ZALLOC(z, sizeof(inflate_huft), MANY)) == Z_NULL)
- {
- ZFREE(z, s);
- return Z_NULL;
- }
- if ((s->window = (Bytef *)ZALLOC(z, 1, w)) == Z_NULL)
- {
- ZFREE(z, s->hufts);
- ZFREE(z, s);
- return Z_NULL;
- }
- s->end = s->window + w;
- s->checkfn = c;
- s->mode = TYPE;
- Tracev((stderr, "inflate: blocks allocated\n"));
- inflate_blocks_reset(s, z, Z_NULL);
- return s;
-}
-
-
-int inflate_blocks(s, z, r)
-inflate_blocks_statef *s;
-z_streamp z;
-int r;
-{
- uInt t; /* temporary storage */
- uLong b; /* bit buffer */
- uInt k; /* bits in bit buffer */
- Bytef *p; /* input data pointer */
- uInt n; /* bytes available there */
- Bytef *q; /* output window write pointer */
- uInt m; /* bytes to end of window or read pointer */
-
- /* copy input/output information to locals (UPDATE macro restores) */
- LOAD
-
- /* process input based on current state */
- while (1) switch (s->mode)
- {
- case TYPE:
- NEEDBITS(3)
- t = (uInt)b & 7;
- s->last = t & 1;
- switch (t >> 1)
- {
- case 0: /* stored */
- Tracev((stderr, "inflate: stored block%s\n",
- s->last ? " (last)" : ""));
- DUMPBITS(3)
- t = k & 7; /* go to byte boundary */
- DUMPBITS(t)
- s->mode = LENS; /* get length of stored block */
- break;
- case 1: /* fixed */
- Tracev((stderr, "inflate: fixed codes block%s\n",
- s->last ? " (last)" : ""));
- {
- uInt bl, bd;
- inflate_huft *tl, *td;
-
- inflate_trees_fixed(&bl, &bd, &tl, &td, z);
- s->sub.decode.codes = inflate_codes_new(bl, bd, tl, td, z);
- if (s->sub.decode.codes == Z_NULL)
- {
- r = Z_MEM_ERROR;
- LEAVE
- }
- }
- DUMPBITS(3)
- s->mode = CODES;
- break;
- case 2: /* dynamic */
- Tracev((stderr, "inflate: dynamic codes block%s\n",
- s->last ? " (last)" : ""));
- DUMPBITS(3)
- s->mode = TABLE;
- break;
- case 3: /* illegal */
- DUMPBITS(3)
- s->mode = BAD;
- z->msg = (char*)"invalid block type";
- r = Z_DATA_ERROR;
- LEAVE
- }
- break;
- case LENS:
- NEEDBITS(32)
- if ((((~b) >> 16) & 0xffff) != (b & 0xffff))
- {
- s->mode = BAD;
- z->msg = (char*)"invalid stored block lengths";
- r = Z_DATA_ERROR;
- LEAVE
- }
- s->sub.left = (uInt)b & 0xffff;
- b = k = 0; /* dump bits */
- Tracev((stderr, "inflate: stored length %u\n", s->sub.left));
- s->mode = s->sub.left ? STORED : (s->last ? DRY : TYPE);
- break;
- case STORED:
- if (n == 0)
- LEAVE
- NEEDOUT
- t = s->sub.left;
- if (t > n) t = n;
- if (t > m) t = m;
- zmemcpy(q, p, t);
- p += t; n -= t;
- q += t; m -= t;
- if ((s->sub.left -= t) != 0)
- break;
- Tracev((stderr, "inflate: stored end, %lu total out\n",
- z->total_out + (q >= s->read ? q - s->read :
- (s->end - s->read) + (q - s->window))));
- s->mode = s->last ? DRY : TYPE;
- break;
- case TABLE:
- NEEDBITS(14)
- s->sub.trees.table = t = (uInt)b & 0x3fff;
-#ifndef PKZIP_BUG_WORKAROUND
- if ((t & 0x1f) > 29 || ((t >> 5) & 0x1f) > 29)
- {
- s->mode = BAD;
- z->msg = (char*)"too many length or distance symbols";
- r = Z_DATA_ERROR;
- LEAVE
- }
-#endif
- t = 258 + (t & 0x1f) + ((t >> 5) & 0x1f);
- if ((s->sub.trees.blens = (uIntf*)ZALLOC(z, t, sizeof(uInt))) == Z_NULL)
- {
- r = Z_MEM_ERROR;
- LEAVE
- }
- DUMPBITS(14)
- s->sub.trees.index = 0;
- Tracev((stderr, "inflate: table sizes ok\n"));
- s->mode = BTREE;
- case BTREE:
- while (s->sub.trees.index < 4 + (s->sub.trees.table >> 10))
- {
- NEEDBITS(3)
- s->sub.trees.blens[border[s->sub.trees.index++]] = (uInt)b & 7;
- DUMPBITS(3)
- }
- while (s->sub.trees.index < 19)
- s->sub.trees.blens[border[s->sub.trees.index++]] = 0;
- s->sub.trees.bb = 7;
- t = inflate_trees_bits(s->sub.trees.blens, &s->sub.trees.bb,
- &s->sub.trees.tb, s->hufts, z);
- if (t != Z_OK)
- {
- r = t;
- if (r == Z_DATA_ERROR)
- {
- ZFREE(z, s->sub.trees.blens);
- s->mode = BAD;
- }
- LEAVE
- }
- s->sub.trees.index = 0;
- Tracev((stderr, "inflate: bits tree ok\n"));
- s->mode = DTREE;
- case DTREE:
- while (t = s->sub.trees.table,
- s->sub.trees.index < 258 + (t & 0x1f) + ((t >> 5) & 0x1f))
- {
- inflate_huft *h;
- uInt i, j, c;
-
- t = s->sub.trees.bb;
- NEEDBITS(t)
- h = s->sub.trees.tb + ((uInt)b & inflate_mask[t]);
- t = h->bits;
- c = h->base;
- if (c < 16)
- {
- DUMPBITS(t)
- s->sub.trees.blens[s->sub.trees.index++] = c;
- }
- else /* c == 16..18 */
- {
- i = c == 18 ? 7 : c - 14;
- j = c == 18 ? 11 : 3;
- NEEDBITS(t + i)
- DUMPBITS(t)
- j += (uInt)b & inflate_mask[i];
- DUMPBITS(i)
- i = s->sub.trees.index;
- t = s->sub.trees.table;
- if (i + j > 258 + (t & 0x1f) + ((t >> 5) & 0x1f) ||
- (c == 16 && i < 1))
- {
- ZFREE(z, s->sub.trees.blens);
- s->mode = BAD;
- z->msg = (char*)"invalid bit length repeat";
- r = Z_DATA_ERROR;
- LEAVE
- }
- c = c == 16 ? s->sub.trees.blens[i - 1] : 0;
- do {
- s->sub.trees.blens[i++] = c;
- } while (--j);
- s->sub.trees.index = i;
- }
- }
- s->sub.trees.tb = Z_NULL;
- {
- uInt bl, bd;
- inflate_huft *tl, *td;
- inflate_codes_statef *c;
-
- bl = 9; /* must be <= 9 for lookahead assumptions */
- bd = 6; /* must be <= 9 for lookahead assumptions */
- t = s->sub.trees.table;
- t = inflate_trees_dynamic(257 + (t & 0x1f), 1 + ((t >> 5) & 0x1f),
- s->sub.trees.blens, &bl, &bd, &tl, &td,
- s->hufts, z);
- if (t != Z_OK)
- {
- if (t == (uInt)Z_DATA_ERROR)
- {
- ZFREE(z, s->sub.trees.blens);
- s->mode = BAD;
- }
- r = t;
- LEAVE
- }
- Tracev((stderr, "inflate: trees ok\n"));
- if ((c = inflate_codes_new(bl, bd, tl, td, z)) == Z_NULL)
- {
- r = Z_MEM_ERROR;
- LEAVE
- }
- s->sub.decode.codes = c;
- }
- ZFREE(z, s->sub.trees.blens);
- s->mode = CODES;
- case CODES:
- UPDATE
- if ((r = inflate_codes(s, z, r)) != Z_STREAM_END)
- return inflate_flush(s, z, r);
- r = Z_OK;
- inflate_codes_free(s->sub.decode.codes, z);
- LOAD
- Tracev((stderr, "inflate: codes end, %lu total out\n",
- z->total_out + (q >= s->read ? q - s->read :
- (s->end - s->read) + (q - s->window))));
- if (!s->last)
- {
- s->mode = TYPE;
- break;
- }
- s->mode = DRY;
- case DRY:
- FLUSH
- if (s->read != s->write)
- LEAVE
- s->mode = DONE;
- case DONE:
- r = Z_STREAM_END;
- LEAVE
- case BAD:
- r = Z_DATA_ERROR;
- LEAVE
- default:
- r = Z_STREAM_ERROR;
- LEAVE
- }
-}
-
-
-int inflate_blocks_free(s, z)
-inflate_blocks_statef *s;
-z_streamp z;
-{
- inflate_blocks_reset(s, z, Z_NULL);
- ZFREE(z, s->window);
- ZFREE(z, s->hufts);
- ZFREE(z, s);
- Tracev((stderr, "inflate: blocks freed\n"));
- return Z_OK;
-}
-
-
-void inflate_set_dictionary(s, d, n)
-inflate_blocks_statef *s;
-const Bytef *d;
-uInt n;
-{
- zmemcpy(s->window, d, n);
- s->read = s->write = s->window + n;
-}
-
-
-/* Returns true if inflate is currently at the end of a block generated
- * by Z_SYNC_FLUSH or Z_FULL_FLUSH.
- * IN assertion: s != Z_NULL
- */
-int inflate_blocks_sync_point(s)
-inflate_blocks_statef *s;
-{
- return s->mode == LENS;
-}
diff --git a/linux/lib/zlib/infblock.h b/linux/lib/zlib/infblock.h
deleted file mode 100644
index 173b2267a..000000000
--- a/linux/lib/zlib/infblock.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/* infblock.h -- header to use infblock.c
- * Copyright (C) 1995-2002 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* WARNING: this file should *not* be used by applications. It is
- part of the implementation of the compression library and is
- subject to change. Applications should only use zlib.h.
- */
-
-struct inflate_blocks_state;
-typedef struct inflate_blocks_state FAR inflate_blocks_statef;
-
-extern inflate_blocks_statef * inflate_blocks_new OF((
- z_streamp z,
- check_func c, /* check function */
- uInt w)); /* window size */
-
-extern int inflate_blocks OF((
- inflate_blocks_statef *,
- z_streamp ,
- int)); /* initial return code */
-
-extern void inflate_blocks_reset OF((
- inflate_blocks_statef *,
- z_streamp ,
- uLongf *)); /* check value on output */
-
-extern int inflate_blocks_free OF((
- inflate_blocks_statef *,
- z_streamp));
-
-extern void inflate_set_dictionary OF((
- inflate_blocks_statef *s,
- const Bytef *d, /* dictionary */
- uInt n)); /* dictionary length */
-
-extern int inflate_blocks_sync_point OF((
- inflate_blocks_statef *s));
diff --git a/linux/lib/zlib/infcodes.c b/linux/lib/zlib/infcodes.c
deleted file mode 100644
index f56eae4d7..000000000
--- a/linux/lib/zlib/infcodes.c
+++ /dev/null
@@ -1,251 +0,0 @@
-/* infcodes.c -- process literals and length/distance pairs
- * Copyright (C) 1995-2002 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-#include <zlib/zutil.h>
-#include "inftrees.h"
-#include "infblock.h"
-#include "infcodes.h"
-#include "infutil.h"
-#include "inffast.h"
-
-/* simplify the use of the inflate_huft type with some defines */
-#define exop word.what.Exop
-#define bits word.what.Bits
-
-typedef enum { /* waiting for "i:"=input, "o:"=output, "x:"=nothing */
- START, /* x: set up for LEN */
- LEN, /* i: get length/literal/eob next */
- LENEXT, /* i: getting length extra (have base) */
- DIST, /* i: get distance next */
- DISTEXT, /* i: getting distance extra */
- COPY, /* o: copying bytes in window, waiting for space */
- LIT, /* o: got literal, waiting for output space */
- WASH, /* o: got eob, possibly still output waiting */
- END, /* x: got eob and all data flushed */
- BADCODE} /* x: got error */
-inflate_codes_mode;
-
-/* inflate codes private state */
-struct inflate_codes_state {
-
- /* mode */
- inflate_codes_mode mode; /* current inflate_codes mode */
-
- /* mode dependent information */
- uInt len;
- union {
- struct {
- inflate_huft *tree; /* pointer into tree */
- uInt need; /* bits needed */
- } code; /* if LEN or DIST, where in tree */
- uInt lit; /* if LIT, literal */
- struct {
- uInt get; /* bits to get for extra */
- uInt dist; /* distance back to copy from */
- } copy; /* if EXT or COPY, where and how much */
- } sub; /* submode */
-
- /* mode independent information */
- Byte lbits; /* ltree bits decoded per branch */
- Byte dbits; /* dtree bits decoder per branch */
- inflate_huft *ltree; /* literal/length/eob tree */
- inflate_huft *dtree; /* distance tree */
-
-};
-
-
-inflate_codes_statef *inflate_codes_new(bl, bd, tl, td, z)
-uInt bl, bd;
-inflate_huft *tl;
-inflate_huft *td; /* need separate declaration for Borland C++ */
-z_streamp z;
-{
- inflate_codes_statef *c;
-
- if ((c = (inflate_codes_statef *)
- ZALLOC(z,1,sizeof(struct inflate_codes_state))) != Z_NULL)
- {
- c->mode = START;
- c->lbits = (Byte)bl;
- c->dbits = (Byte)bd;
- c->ltree = tl;
- c->dtree = td;
- Tracev((stderr, "inflate: codes new\n"));
- }
- return c;
-}
-
-
-int inflate_codes(s, z, r)
-inflate_blocks_statef *s;
-z_streamp z;
-int r;
-{
- uInt j; /* temporary storage */
- inflate_huft *t; /* temporary pointer */
- uInt e; /* extra bits or operation */
- uLong b; /* bit buffer */
- uInt k; /* bits in bit buffer */
- Bytef *p; /* input data pointer */
- uInt n; /* bytes available there */
- Bytef *q; /* output window write pointer */
- uInt m; /* bytes to end of window or read pointer */
- Bytef *f; /* pointer to copy strings from */
- inflate_codes_statef *c = s->sub.decode.codes; /* codes state */
-
- /* copy input/output information to locals (UPDATE macro restores) */
- LOAD
-
- /* process input and output based on current state */
- while (1) switch (c->mode)
- { /* waiting for "i:"=input, "o:"=output, "x:"=nothing */
- case START: /* x: set up for LEN */
-#ifndef SLOW
- if (m >= 258 && n >= 10)
- {
- UPDATE
- r = inflate_fast(c->lbits, c->dbits, c->ltree, c->dtree, s, z);
- LOAD
- if (r != Z_OK)
- {
- c->mode = r == Z_STREAM_END ? WASH : BADCODE;
- break;
- }
- }
-#endif /* !SLOW */
- c->sub.code.need = c->lbits;
- c->sub.code.tree = c->ltree;
- c->mode = LEN;
- case LEN: /* i: get length/literal/eob next */
- j = c->sub.code.need;
- NEEDBITS(j)
- t = c->sub.code.tree + ((uInt)b & inflate_mask[j]);
- DUMPBITS(t->bits)
- e = (uInt)(t->exop);
- if (e == 0) /* literal */
- {
- c->sub.lit = t->base;
- Tracevv((stderr, t->base >= 0x20 && t->base < 0x7f ?
- "inflate: literal '%c'\n" :
- "inflate: literal 0x%02x\n", t->base));
- c->mode = LIT;
- break;
- }
- if (e & 16) /* length */
- {
- c->sub.copy.get = e & 15;
- c->len = t->base;
- c->mode = LENEXT;
- break;
- }
- if ((e & 64) == 0) /* next table */
- {
- c->sub.code.need = e;
- c->sub.code.tree = t + t->base;
- break;
- }
- if (e & 32) /* end of block */
- {
- Tracevv((stderr, "inflate: end of block\n"));
- c->mode = WASH;
- break;
- }
- c->mode = BADCODE; /* invalid code */
- z->msg = (char*)"invalid literal/length code";
- r = Z_DATA_ERROR;
- LEAVE
- case LENEXT: /* i: getting length extra (have base) */
- j = c->sub.copy.get;
- NEEDBITS(j)
- c->len += (uInt)b & inflate_mask[j];
- DUMPBITS(j)
- c->sub.code.need = c->dbits;
- c->sub.code.tree = c->dtree;
- Tracevv((stderr, "inflate: length %u\n", c->len));
- c->mode = DIST;
- case DIST: /* i: get distance next */
- j = c->sub.code.need;
- NEEDBITS(j)
- t = c->sub.code.tree + ((uInt)b & inflate_mask[j]);
- DUMPBITS(t->bits)
- e = (uInt)(t->exop);
- if (e & 16) /* distance */
- {
- c->sub.copy.get = e & 15;
- c->sub.copy.dist = t->base;
- c->mode = DISTEXT;
- break;
- }
- if ((e & 64) == 0) /* next table */
- {
- c->sub.code.need = e;
- c->sub.code.tree = t + t->base;
- break;
- }
- c->mode = BADCODE; /* invalid code */
- z->msg = (char*)"invalid distance code";
- r = Z_DATA_ERROR;
- LEAVE
- case DISTEXT: /* i: getting distance extra */
- j = c->sub.copy.get;
- NEEDBITS(j)
- c->sub.copy.dist += (uInt)b & inflate_mask[j];
- DUMPBITS(j)
- Tracevv((stderr, "inflate: distance %u\n", c->sub.copy.dist));
- c->mode = COPY;
- case COPY: /* o: copying bytes in window, waiting for space */
- f = q - c->sub.copy.dist;
- while (f < s->window) /* modulo window size-"while" instead */
- f += s->end - s->window; /* of "if" handles invalid distances */
- while (c->len)
- {
- NEEDOUT
- OUTBYTE(*f++)
- if (f == s->end)
- f = s->window;
- c->len--;
- }
- c->mode = START;
- break;
- case LIT: /* o: got literal, waiting for output space */
- NEEDOUT
- OUTBYTE(c->sub.lit)
- c->mode = START;
- break;
- case WASH: /* o: got eob, possibly more output */
- if (k > 7) /* return unused byte, if any */
- {
- Assert(k < 16, "inflate_codes grabbed too many bytes")
- k -= 8;
- n++;
- p--; /* can always return one */
- }
- FLUSH
- if (s->read != s->write)
- LEAVE
- c->mode = END;
- case END:
- r = Z_STREAM_END;
- LEAVE
- case BADCODE: /* x: got error */
- r = Z_DATA_ERROR;
- LEAVE
- default:
- r = Z_STREAM_ERROR;
- LEAVE
- }
-#ifdef NEED_DUMMY_RETURN
- return Z_STREAM_ERROR; /* Some dumb compilers complain without this */
-#endif
-}
-
-
-void inflate_codes_free(c, z)
-inflate_codes_statef *c;
-z_streamp z;
-{
- ZFREE(z, c);
- Tracev((stderr, "inflate: codes free\n"));
-}
diff --git a/linux/lib/zlib/infcodes.h b/linux/lib/zlib/infcodes.h
deleted file mode 100644
index 27e4a40db..000000000
--- a/linux/lib/zlib/infcodes.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/* infcodes.h -- header to use infcodes.c
- * Copyright (C) 1995-2002 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* WARNING: this file should *not* be used by applications. It is
- part of the implementation of the compression library and is
- subject to change. Applications should only use zlib.h.
- */
-
-#ifndef _INFCODES_H
-#define _INFCODES_H
-
-struct inflate_codes_state;
-typedef struct inflate_codes_state FAR inflate_codes_statef;
-
-extern inflate_codes_statef *inflate_codes_new OF((
- uInt, uInt,
- inflate_huft *, inflate_huft *,
- z_streamp ));
-
-extern int inflate_codes OF((
- inflate_blocks_statef *,
- z_streamp ,
- int));
-
-extern void inflate_codes_free OF((
- inflate_codes_statef *,
- z_streamp ));
-
-#endif /* _INFCODES_H */
diff --git a/linux/lib/zlib/inffast.c b/linux/lib/zlib/inffast.c
deleted file mode 100644
index 2a363c5ae..000000000
--- a/linux/lib/zlib/inffast.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/* inffast.c -- process literals and length/distance pairs fast
- * Copyright (C) 1995-2002 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-#include <zlib/zutil.h>
-#include "inftrees.h"
-#include "infblock.h"
-#include "infcodes.h"
-#include "infutil.h"
-#include "inffast.h"
-
-struct inflate_codes_state {int dummy;}; /* for buggy compilers */
-
-/* simplify the use of the inflate_huft type with some defines */
-#define exop word.what.Exop
-#define bits word.what.Bits
-
-/* macros for bit input with no checking and for returning unused bytes */
-#define GRABBITS(j) {while(k<(j)){b|=((uLong)NEXTBYTE)<<k;k+=8;}}
-#define UNGRAB {c=z->avail_in-n;c=(k>>3)<c?k>>3:c;n+=c;p-=c;k-=c<<3;}
-
-/* Called with number of bytes left to write in window at least 258
- (the maximum string length) and number of input bytes available
- at least ten. The ten bytes are six bytes for the longest length/
- distance pair plus four bytes for overloading the bit buffer. */
-
-int inflate_fast(bl, bd, tl, td, s, z)
-uInt bl, bd;
-inflate_huft *tl;
-inflate_huft *td; /* need separate declaration for Borland C++ */
-inflate_blocks_statef *s;
-z_streamp z;
-{
- inflate_huft *t; /* temporary pointer */
- uInt e; /* extra bits or operation */
- uLong b; /* bit buffer */
- uInt k; /* bits in bit buffer */
- Bytef *p; /* input data pointer */
- uInt n; /* bytes available there */
- Bytef *q; /* output window write pointer */
- uInt m; /* bytes to end of window or read pointer */
- uInt ml; /* mask for literal/length tree */
- uInt md; /* mask for distance tree */
- uInt c; /* bytes to copy */
- uInt d; /* distance back to copy from */
- Bytef *r; /* copy source pointer */
-
- /* load input, output, bit values */
- LOAD
-
- /* initialize masks */
- ml = inflate_mask[bl];
- md = inflate_mask[bd];
-
- /* do until not enough input or output space for fast loop */
- do { /* assume called with m >= 258 && n >= 10 */
- /* get literal/length code */
- GRABBITS(20) /* max bits for literal/length code */
- if ((e = (t = tl + ((uInt)b & ml))->exop) == 0)
- {
- DUMPBITS(t->bits)
- Tracevv((stderr, t->base >= 0x20 && t->base < 0x7f ?
- "inflate: * literal '%c'\n" :
- "inflate: * literal 0x%02x\n", t->base));
- *q++ = (Byte)t->base;
- m--;
- continue;
- }
- do {
- DUMPBITS(t->bits)
- if (e & 16)
- {
- /* get extra bits for length */
- e &= 15;
- c = t->base + ((uInt)b & inflate_mask[e]);
- DUMPBITS(e)
- Tracevv((stderr, "inflate: * length %u\n", c));
-
- /* decode distance base of block to copy */
- GRABBITS(15); /* max bits for distance code */
- e = (t = td + ((uInt)b & md))->exop;
- do {
- DUMPBITS(t->bits)
- if (e & 16)
- {
- /* get extra bits to add to distance base */
- e &= 15;
- GRABBITS(e) /* get extra bits (up to 13) */
- d = t->base + ((uInt)b & inflate_mask[e]);
- DUMPBITS(e)
- Tracevv((stderr, "inflate: * distance %u\n", d));
-
- /* do the copy */
- m -= c;
- r = q - d;
- if (r < s->window) /* wrap if needed */
- {
- do {
- r += s->end - s->window; /* force pointer in window */
- } while (r < s->window); /* covers invalid distances */
- e = s->end - r;
- if (c > e)
- {
- c -= e; /* wrapped copy */
- do {
- *q++ = *r++;
- } while (--e);
- r = s->window;
- do {
- *q++ = *r++;
- } while (--c);
- }
- else /* normal copy */
- {
- *q++ = *r++; c--;
- *q++ = *r++; c--;
- do {
- *q++ = *r++;
- } while (--c);
- }
- }
- else /* normal copy */
- {
- *q++ = *r++; c--;
- *q++ = *r++; c--;
- do {
- *q++ = *r++;
- } while (--c);
- }
- break;
- }
- else if ((e & 64) == 0)
- {
- t += t->base;
- e = (t += ((uInt)b & inflate_mask[e]))->exop;
- }
- else
- {
- z->msg = (char*)"invalid distance code";
- UNGRAB
- UPDATE
- return Z_DATA_ERROR;
- }
- } while (1);
- break;
- }
- if ((e & 64) == 0)
- {
- t += t->base;
- if ((e = (t += ((uInt)b & inflate_mask[e]))->exop) == 0)
- {
- DUMPBITS(t->bits)
- Tracevv((stderr, t->base >= 0x20 && t->base < 0x7f ?
- "inflate: * literal '%c'\n" :
- "inflate: * literal 0x%02x\n", t->base));
- *q++ = (Byte)t->base;
- m--;
- break;
- }
- }
- else if (e & 32)
- {
- Tracevv((stderr, "inflate: * end of block\n"));
- UNGRAB
- UPDATE
- return Z_STREAM_END;
- }
- else
- {
- z->msg = (char*)"invalid literal/length code";
- UNGRAB
- UPDATE
- return Z_DATA_ERROR;
- }
- } while (1);
- } while (m >= 258 && n >= 10);
-
- /* not enough input or output--restore pointers and return */
- UNGRAB
- UPDATE
- return Z_OK;
-}
diff --git a/linux/lib/zlib/inffast.h b/linux/lib/zlib/inffast.h
deleted file mode 100644
index 652a0e849..000000000
--- a/linux/lib/zlib/inffast.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/* inffast.h -- header to use inffast.c
- * Copyright (C) 1995-2002 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* WARNING: this file should *not* be used by applications. It is
- part of the implementation of the compression library and is
- subject to change. Applications should only use zlib.h.
- */
-
-#ifndef _INFFAST_H
-#define _INFFAST_H
-
-extern int inflate_fast OF((
- uInt,
- uInt,
- inflate_huft *,
- inflate_huft *,
- inflate_blocks_statef *,
- z_streamp ));
-
-#endif /* _INFFAST_H */
diff --git a/linux/lib/zlib/inffixed.h b/linux/lib/zlib/inffixed.h
deleted file mode 100644
index 77f7e7631..000000000
--- a/linux/lib/zlib/inffixed.h
+++ /dev/null
@@ -1,151 +0,0 @@
-/* inffixed.h -- table for decoding fixed codes
- * Generated automatically by the maketree.c program
- */
-
-/* WARNING: this file should *not* be used by applications. It is
- part of the implementation of the compression library and is
- subject to change. Applications should only use zlib.h.
- */
-
-local uInt fixed_bl = 9;
-local uInt fixed_bd = 5;
-local inflate_huft fixed_tl[] = {
- {{{96,7}},256}, {{{0,8}},80}, {{{0,8}},16}, {{{84,8}},115},
- {{{82,7}},31}, {{{0,8}},112}, {{{0,8}},48}, {{{0,9}},192},
- {{{80,7}},10}, {{{0,8}},96}, {{{0,8}},32}, {{{0,9}},160},
- {{{0,8}},0}, {{{0,8}},128}, {{{0,8}},64}, {{{0,9}},224},
- {{{80,7}},6}, {{{0,8}},88}, {{{0,8}},24}, {{{0,9}},144},
- {{{83,7}},59}, {{{0,8}},120}, {{{0,8}},56}, {{{0,9}},208},
- {{{81,7}},17}, {{{0,8}},104}, {{{0,8}},40}, {{{0,9}},176},
- {{{0,8}},8}, {{{0,8}},136}, {{{0,8}},72}, {{{0,9}},240},
- {{{80,7}},4}, {{{0,8}},84}, {{{0,8}},20}, {{{85,8}},227},
- {{{83,7}},43}, {{{0,8}},116}, {{{0,8}},52}, {{{0,9}},200},
- {{{81,7}},13}, {{{0,8}},100}, {{{0,8}},36}, {{{0,9}},168},
- {{{0,8}},4}, {{{0,8}},132}, {{{0,8}},68}, {{{0,9}},232},
- {{{80,7}},8}, {{{0,8}},92}, {{{0,8}},28}, {{{0,9}},152},
- {{{84,7}},83}, {{{0,8}},124}, {{{0,8}},60}, {{{0,9}},216},
- {{{82,7}},23}, {{{0,8}},108}, {{{0,8}},44}, {{{0,9}},184},
- {{{0,8}},12}, {{{0,8}},140}, {{{0,8}},76}, {{{0,9}},248},
- {{{80,7}},3}, {{{0,8}},82}, {{{0,8}},18}, {{{85,8}},163},
- {{{83,7}},35}, {{{0,8}},114}, {{{0,8}},50}, {{{0,9}},196},
- {{{81,7}},11}, {{{0,8}},98}, {{{0,8}},34}, {{{0,9}},164},
- {{{0,8}},2}, {{{0,8}},130}, {{{0,8}},66}, {{{0,9}},228},
- {{{80,7}},7}, {{{0,8}},90}, {{{0,8}},26}, {{{0,9}},148},
- {{{84,7}},67}, {{{0,8}},122}, {{{0,8}},58}, {{{0,9}},212},
- {{{82,7}},19}, {{{0,8}},106}, {{{0,8}},42}, {{{0,9}},180},
- {{{0,8}},10}, {{{0,8}},138}, {{{0,8}},74}, {{{0,9}},244},
- {{{80,7}},5}, {{{0,8}},86}, {{{0,8}},22}, {{{192,8}},0},
- {{{83,7}},51}, {{{0,8}},118}, {{{0,8}},54}, {{{0,9}},204},
- {{{81,7}},15}, {{{0,8}},102}, {{{0,8}},38}, {{{0,9}},172},
- {{{0,8}},6}, {{{0,8}},134}, {{{0,8}},70}, {{{0,9}},236},
- {{{80,7}},9}, {{{0,8}},94}, {{{0,8}},30}, {{{0,9}},156},
- {{{84,7}},99}, {{{0,8}},126}, {{{0,8}},62}, {{{0,9}},220},
- {{{82,7}},27}, {{{0,8}},110}, {{{0,8}},46}, {{{0,9}},188},
- {{{0,8}},14}, {{{0,8}},142}, {{{0,8}},78}, {{{0,9}},252},
- {{{96,7}},256}, {{{0,8}},81}, {{{0,8}},17}, {{{85,8}},131},
- {{{82,7}},31}, {{{0,8}},113}, {{{0,8}},49}, {{{0,9}},194},
- {{{80,7}},10}, {{{0,8}},97}, {{{0,8}},33}, {{{0,9}},162},
- {{{0,8}},1}, {{{0,8}},129}, {{{0,8}},65}, {{{0,9}},226},
- {{{80,7}},6}, {{{0,8}},89}, {{{0,8}},25}, {{{0,9}},146},
- {{{83,7}},59}, {{{0,8}},121}, {{{0,8}},57}, {{{0,9}},210},
- {{{81,7}},17}, {{{0,8}},105}, {{{0,8}},41}, {{{0,9}},178},
- {{{0,8}},9}, {{{0,8}},137}, {{{0,8}},73}, {{{0,9}},242},
- {{{80,7}},4}, {{{0,8}},85}, {{{0,8}},21}, {{{80,8}},258},
- {{{83,7}},43}, {{{0,8}},117}, {{{0,8}},53}, {{{0,9}},202},
- {{{81,7}},13}, {{{0,8}},101}, {{{0,8}},37}, {{{0,9}},170},
- {{{0,8}},5}, {{{0,8}},133}, {{{0,8}},69}, {{{0,9}},234},
- {{{80,7}},8}, {{{0,8}},93}, {{{0,8}},29}, {{{0,9}},154},
- {{{84,7}},83}, {{{0,8}},125}, {{{0,8}},61}, {{{0,9}},218},
- {{{82,7}},23}, {{{0,8}},109}, {{{0,8}},45}, {{{0,9}},186},
- {{{0,8}},13}, {{{0,8}},141}, {{{0,8}},77}, {{{0,9}},250},
- {{{80,7}},3}, {{{0,8}},83}, {{{0,8}},19}, {{{85,8}},195},
- {{{83,7}},35}, {{{0,8}},115}, {{{0,8}},51}, {{{0,9}},198},
- {{{81,7}},11}, {{{0,8}},99}, {{{0,8}},35}, {{{0,9}},166},
- {{{0,8}},3}, {{{0,8}},131}, {{{0,8}},67}, {{{0,9}},230},
- {{{80,7}},7}, {{{0,8}},91}, {{{0,8}},27}, {{{0,9}},150},
- {{{84,7}},67}, {{{0,8}},123}, {{{0,8}},59}, {{{0,9}},214},
- {{{82,7}},19}, {{{0,8}},107}, {{{0,8}},43}, {{{0,9}},182},
- {{{0,8}},11}, {{{0,8}},139}, {{{0,8}},75}, {{{0,9}},246},
- {{{80,7}},5}, {{{0,8}},87}, {{{0,8}},23}, {{{192,8}},0},
- {{{83,7}},51}, {{{0,8}},119}, {{{0,8}},55}, {{{0,9}},206},
- {{{81,7}},15}, {{{0,8}},103}, {{{0,8}},39}, {{{0,9}},174},
- {{{0,8}},7}, {{{0,8}},135}, {{{0,8}},71}, {{{0,9}},238},
- {{{80,7}},9}, {{{0,8}},95}, {{{0,8}},31}, {{{0,9}},158},
- {{{84,7}},99}, {{{0,8}},127}, {{{0,8}},63}, {{{0,9}},222},
- {{{82,7}},27}, {{{0,8}},111}, {{{0,8}},47}, {{{0,9}},190},
- {{{0,8}},15}, {{{0,8}},143}, {{{0,8}},79}, {{{0,9}},254},
- {{{96,7}},256}, {{{0,8}},80}, {{{0,8}},16}, {{{84,8}},115},
- {{{82,7}},31}, {{{0,8}},112}, {{{0,8}},48}, {{{0,9}},193},
- {{{80,7}},10}, {{{0,8}},96}, {{{0,8}},32}, {{{0,9}},161},
- {{{0,8}},0}, {{{0,8}},128}, {{{0,8}},64}, {{{0,9}},225},
- {{{80,7}},6}, {{{0,8}},88}, {{{0,8}},24}, {{{0,9}},145},
- {{{83,7}},59}, {{{0,8}},120}, {{{0,8}},56}, {{{0,9}},209},
- {{{81,7}},17}, {{{0,8}},104}, {{{0,8}},40}, {{{0,9}},177},
- {{{0,8}},8}, {{{0,8}},136}, {{{0,8}},72}, {{{0,9}},241},
- {{{80,7}},4}, {{{0,8}},84}, {{{0,8}},20}, {{{85,8}},227},
- {{{83,7}},43}, {{{0,8}},116}, {{{0,8}},52}, {{{0,9}},201},
- {{{81,7}},13}, {{{0,8}},100}, {{{0,8}},36}, {{{0,9}},169},
- {{{0,8}},4}, {{{0,8}},132}, {{{0,8}},68}, {{{0,9}},233},
- {{{80,7}},8}, {{{0,8}},92}, {{{0,8}},28}, {{{0,9}},153},
- {{{84,7}},83}, {{{0,8}},124}, {{{0,8}},60}, {{{0,9}},217},
- {{{82,7}},23}, {{{0,8}},108}, {{{0,8}},44}, {{{0,9}},185},
- {{{0,8}},12}, {{{0,8}},140}, {{{0,8}},76}, {{{0,9}},249},
- {{{80,7}},3}, {{{0,8}},82}, {{{0,8}},18}, {{{85,8}},163},
- {{{83,7}},35}, {{{0,8}},114}, {{{0,8}},50}, {{{0,9}},197},
- {{{81,7}},11}, {{{0,8}},98}, {{{0,8}},34}, {{{0,9}},165},
- {{{0,8}},2}, {{{0,8}},130}, {{{0,8}},66}, {{{0,9}},229},
- {{{80,7}},7}, {{{0,8}},90}, {{{0,8}},26}, {{{0,9}},149},
- {{{84,7}},67}, {{{0,8}},122}, {{{0,8}},58}, {{{0,9}},213},
- {{{82,7}},19}, {{{0,8}},106}, {{{0,8}},42}, {{{0,9}},181},
- {{{0,8}},10}, {{{0,8}},138}, {{{0,8}},74}, {{{0,9}},245},
- {{{80,7}},5}, {{{0,8}},86}, {{{0,8}},22}, {{{192,8}},0},
- {{{83,7}},51}, {{{0,8}},118}, {{{0,8}},54}, {{{0,9}},205},
- {{{81,7}},15}, {{{0,8}},102}, {{{0,8}},38}, {{{0,9}},173},
- {{{0,8}},6}, {{{0,8}},134}, {{{0,8}},70}, {{{0,9}},237},
- {{{80,7}},9}, {{{0,8}},94}, {{{0,8}},30}, {{{0,9}},157},
- {{{84,7}},99}, {{{0,8}},126}, {{{0,8}},62}, {{{0,9}},221},
- {{{82,7}},27}, {{{0,8}},110}, {{{0,8}},46}, {{{0,9}},189},
- {{{0,8}},14}, {{{0,8}},142}, {{{0,8}},78}, {{{0,9}},253},
- {{{96,7}},256}, {{{0,8}},81}, {{{0,8}},17}, {{{85,8}},131},
- {{{82,7}},31}, {{{0,8}},113}, {{{0,8}},49}, {{{0,9}},195},
- {{{80,7}},10}, {{{0,8}},97}, {{{0,8}},33}, {{{0,9}},163},
- {{{0,8}},1}, {{{0,8}},129}, {{{0,8}},65}, {{{0,9}},227},
- {{{80,7}},6}, {{{0,8}},89}, {{{0,8}},25}, {{{0,9}},147},
- {{{83,7}},59}, {{{0,8}},121}, {{{0,8}},57}, {{{0,9}},211},
- {{{81,7}},17}, {{{0,8}},105}, {{{0,8}},41}, {{{0,9}},179},
- {{{0,8}},9}, {{{0,8}},137}, {{{0,8}},73}, {{{0,9}},243},
- {{{80,7}},4}, {{{0,8}},85}, {{{0,8}},21}, {{{80,8}},258},
- {{{83,7}},43}, {{{0,8}},117}, {{{0,8}},53}, {{{0,9}},203},
- {{{81,7}},13}, {{{0,8}},101}, {{{0,8}},37}, {{{0,9}},171},
- {{{0,8}},5}, {{{0,8}},133}, {{{0,8}},69}, {{{0,9}},235},
- {{{80,7}},8}, {{{0,8}},93}, {{{0,8}},29}, {{{0,9}},155},
- {{{84,7}},83}, {{{0,8}},125}, {{{0,8}},61}, {{{0,9}},219},
- {{{82,7}},23}, {{{0,8}},109}, {{{0,8}},45}, {{{0,9}},187},
- {{{0,8}},13}, {{{0,8}},141}, {{{0,8}},77}, {{{0,9}},251},
- {{{80,7}},3}, {{{0,8}},83}, {{{0,8}},19}, {{{85,8}},195},
- {{{83,7}},35}, {{{0,8}},115}, {{{0,8}},51}, {{{0,9}},199},
- {{{81,7}},11}, {{{0,8}},99}, {{{0,8}},35}, {{{0,9}},167},
- {{{0,8}},3}, {{{0,8}},131}, {{{0,8}},67}, {{{0,9}},231},
- {{{80,7}},7}, {{{0,8}},91}, {{{0,8}},27}, {{{0,9}},151},
- {{{84,7}},67}, {{{0,8}},123}, {{{0,8}},59}, {{{0,9}},215},
- {{{82,7}},19}, {{{0,8}},107}, {{{0,8}},43}, {{{0,9}},183},
- {{{0,8}},11}, {{{0,8}},139}, {{{0,8}},75}, {{{0,9}},247},
- {{{80,7}},5}, {{{0,8}},87}, {{{0,8}},23}, {{{192,8}},0},
- {{{83,7}},51}, {{{0,8}},119}, {{{0,8}},55}, {{{0,9}},207},
- {{{81,7}},15}, {{{0,8}},103}, {{{0,8}},39}, {{{0,9}},175},
- {{{0,8}},7}, {{{0,8}},135}, {{{0,8}},71}, {{{0,9}},239},
- {{{80,7}},9}, {{{0,8}},95}, {{{0,8}},31}, {{{0,9}},159},
- {{{84,7}},99}, {{{0,8}},127}, {{{0,8}},63}, {{{0,9}},223},
- {{{82,7}},27}, {{{0,8}},111}, {{{0,8}},47}, {{{0,9}},191},
- {{{0,8}},15}, {{{0,8}},143}, {{{0,8}},79}, {{{0,9}},255}
- };
-local inflate_huft fixed_td[] = {
- {{{80,5}},1}, {{{87,5}},257}, {{{83,5}},17}, {{{91,5}},4097},
- {{{81,5}},5}, {{{89,5}},1025}, {{{85,5}},65}, {{{93,5}},16385},
- {{{80,5}},3}, {{{88,5}},513}, {{{84,5}},33}, {{{92,5}},8193},
- {{{82,5}},9}, {{{90,5}},2049}, {{{86,5}},129}, {{{192,5}},24577},
- {{{80,5}},2}, {{{87,5}},385}, {{{83,5}},25}, {{{91,5}},6145},
- {{{81,5}},7}, {{{89,5}},1537}, {{{85,5}},97}, {{{93,5}},24577},
- {{{80,5}},4}, {{{88,5}},769}, {{{84,5}},49}, {{{92,5}},12289},
- {{{82,5}},13}, {{{90,5}},3073}, {{{86,5}},193}, {{{192,5}},24577}
- };
diff --git a/linux/lib/zlib/inflate.c b/linux/lib/zlib/inflate.c
deleted file mode 100644
index 3266babb4..000000000
--- a/linux/lib/zlib/inflate.c
+++ /dev/null
@@ -1,368 +0,0 @@
-/* inflate.c -- zlib interface to inflate modules
- * Copyright (C) 1995-2002 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-#include <zlib/zutil.h>
-#include "infblock.h"
-
-struct inflate_blocks_state {int dummy;}; /* for buggy compilers */
-
-typedef enum {
- METHOD, /* waiting for method byte */
- FLAG, /* waiting for flag byte */
- DICT4, /* four dictionary check bytes to go */
- DICT3, /* three dictionary check bytes to go */
- DICT2, /* two dictionary check bytes to go */
- DICT1, /* one dictionary check byte to go */
- DICT0, /* waiting for inflateSetDictionary */
- BLOCKS, /* decompressing blocks */
- CHECK4, /* four check bytes to go */
- CHECK3, /* three check bytes to go */
- CHECK2, /* two check bytes to go */
- CHECK1, /* one check byte to go */
- DONE, /* finished check, done */
- BAD} /* got an error--stay here */
-inflate_mode;
-
-/* inflate private state */
-struct internal_state {
-
- /* mode */
- inflate_mode mode; /* current inflate mode */
-
- /* mode dependent information */
- union {
- uInt method; /* if FLAGS, method byte */
- struct {
- uLong was; /* computed check value */
- uLong need; /* stream check value */
- } check; /* if CHECK, check values to compare */
- uInt marker; /* if BAD, inflateSync's marker bytes count */
- } sub; /* submode */
-
- /* mode independent information */
- int nowrap; /* flag for no wrapper */
- uInt wbits; /* log2(window size) (8..15, defaults to 15) */
- inflate_blocks_statef
- *blocks; /* current inflate_blocks state */
-
-};
-
-
-int ZEXPORT inflateReset(z)
-z_streamp z;
-{
- if (z == Z_NULL || z->state == Z_NULL)
- return Z_STREAM_ERROR;
- z->total_in = z->total_out = 0;
- z->msg = Z_NULL;
- z->state->mode = z->state->nowrap ? BLOCKS : METHOD;
- inflate_blocks_reset(z->state->blocks, z, Z_NULL);
- Tracev((stderr, "inflate: reset\n"));
- return Z_OK;
-}
-
-
-int ZEXPORT inflateEnd(z)
-z_streamp z;
-{
- if (z == Z_NULL || z->state == Z_NULL || z->zfree == Z_NULL)
- return Z_STREAM_ERROR;
- if (z->state->blocks != Z_NULL)
- inflate_blocks_free(z->state->blocks, z);
- ZFREE(z, z->state);
- z->state = Z_NULL;
- Tracev((stderr, "inflate: end\n"));
- return Z_OK;
-}
-
-
-int ZEXPORT inflateInit2_(z, w, version, stream_size)
-z_streamp z;
-int w;
-const char *version;
-int stream_size;
-{
- if (version == Z_NULL || version[0] != ZLIB_VERSION[0] ||
- stream_size != sizeof(z_stream))
- return Z_VERSION_ERROR;
-
- /* initialize state */
- if (z == Z_NULL)
- return Z_STREAM_ERROR;
- z->msg = Z_NULL;
- if (z->zalloc == Z_NULL)
- {
- return Z_STREAM_ERROR;
-/* z->zalloc = zcalloc;
- z->opaque = (voidpf)0;
-*/
- }
- if (z->zfree == Z_NULL) return Z_STREAM_ERROR; /* z->zfree = zcfree; */
- if ((z->state = (struct internal_state FAR *)
- ZALLOC(z,1,sizeof(struct internal_state))) == Z_NULL)
- return Z_MEM_ERROR;
- z->state->blocks = Z_NULL;
-
- /* handle undocumented nowrap option (no zlib header or check) */
- z->state->nowrap = 0;
- if (w < 0)
- {
- w = - w;
- z->state->nowrap = 1;
- }
-
- /* set window size */
- if (w < 8 || w > 15)
- {
- inflateEnd(z);
- return Z_STREAM_ERROR;
- }
- z->state->wbits = (uInt)w;
-
- /* create inflate_blocks state */
- if ((z->state->blocks =
- inflate_blocks_new(z, z->state->nowrap ? Z_NULL : adler32, (uInt)1 << w))
- == Z_NULL)
- {
- inflateEnd(z);
- return Z_MEM_ERROR;
- }
- Tracev((stderr, "inflate: allocated\n"));
-
- /* reset state */
- inflateReset(z);
- return Z_OK;
-}
-
-
-int ZEXPORT inflateInit_(z, version, stream_size)
-z_streamp z;
-const char *version;
-int stream_size;
-{
- return inflateInit2_(z, DEF_WBITS, version, stream_size);
-}
-
-
-#define NEEDBYTE {if(z->avail_in==0)return r;r=f;}
-#define NEXTBYTE (z->avail_in--,z->total_in++,*z->next_in++)
-
-int ZEXPORT inflate(z, f)
-z_streamp z;
-int f;
-{
- int r;
- uInt b;
-
- if (z == Z_NULL || z->state == Z_NULL || z->next_in == Z_NULL)
- return Z_STREAM_ERROR;
- f = f == Z_FINISH ? Z_BUF_ERROR : Z_OK;
- r = Z_BUF_ERROR;
- while (1) switch (z->state->mode)
- {
- case METHOD:
- NEEDBYTE
- if (((z->state->sub.method = NEXTBYTE) & 0xf) != Z_DEFLATED)
- {
- z->state->mode = BAD;
- z->msg = (char*)"unknown compression method";
- z->state->sub.marker = 5; /* can't try inflateSync */
- break;
- }
- if ((z->state->sub.method >> 4) + 8 > z->state->wbits)
- {
- z->state->mode = BAD;
- z->msg = (char*)"invalid window size";
- z->state->sub.marker = 5; /* can't try inflateSync */
- break;
- }
- z->state->mode = FLAG;
- case FLAG:
- NEEDBYTE
- b = NEXTBYTE;
- if (((z->state->sub.method << 8) + b) % 31)
- {
- z->state->mode = BAD;
- z->msg = (char*)"incorrect header check";
- z->state->sub.marker = 5; /* can't try inflateSync */
- break;
- }
- Tracev((stderr, "inflate: zlib header ok\n"));
- if (!(b & PRESET_DICT))
- {
- z->state->mode = BLOCKS;
- break;
- }
- z->state->mode = DICT4;
- case DICT4:
- NEEDBYTE
- z->state->sub.check.need = (uLong)NEXTBYTE << 24;
- z->state->mode = DICT3;
- case DICT3:
- NEEDBYTE
- z->state->sub.check.need += (uLong)NEXTBYTE << 16;
- z->state->mode = DICT2;
- case DICT2:
- NEEDBYTE
- z->state->sub.check.need += (uLong)NEXTBYTE << 8;
- z->state->mode = DICT1;
- case DICT1:
- NEEDBYTE
- z->state->sub.check.need += (uLong)NEXTBYTE;
- z->adler = z->state->sub.check.need;
- z->state->mode = DICT0;
- return Z_NEED_DICT;
- case DICT0:
- z->state->mode = BAD;
- z->msg = (char*)"need dictionary";
- z->state->sub.marker = 0; /* can try inflateSync */
- return Z_STREAM_ERROR;
- case BLOCKS:
- r = inflate_blocks(z->state->blocks, z, r);
- if (r == Z_DATA_ERROR)
- {
- z->state->mode = BAD;
- z->state->sub.marker = 0; /* can try inflateSync */
- break;
- }
- if (r == Z_OK)
- r = f;
- if (r != Z_STREAM_END)
- return r;
- r = f;
- inflate_blocks_reset(z->state->blocks, z, &z->state->sub.check.was);
- if (z->state->nowrap)
- {
- z->state->mode = DONE;
- break;
- }
- z->state->mode = CHECK4;
- case CHECK4:
- NEEDBYTE
- z->state->sub.check.need = (uLong)NEXTBYTE << 24;
- z->state->mode = CHECK3;
- case CHECK3:
- NEEDBYTE
- z->state->sub.check.need += (uLong)NEXTBYTE << 16;
- z->state->mode = CHECK2;
- case CHECK2:
- NEEDBYTE
- z->state->sub.check.need += (uLong)NEXTBYTE << 8;
- z->state->mode = CHECK1;
- case CHECK1:
- NEEDBYTE
- z->state->sub.check.need += (uLong)NEXTBYTE;
-
- if (z->state->sub.check.was != z->state->sub.check.need)
- {
- z->state->mode = BAD;
- z->msg = (char*)"incorrect data check";
- z->state->sub.marker = 5; /* can't try inflateSync */
- break;
- }
- Tracev((stderr, "inflate: zlib check ok\n"));
- z->state->mode = DONE;
- case DONE:
- return Z_STREAM_END;
- case BAD:
- return Z_DATA_ERROR;
- default:
- return Z_STREAM_ERROR;
- }
-#ifdef NEED_DUMMY_RETURN
- return Z_STREAM_ERROR; /* Some dumb compilers complain without this */
-#endif
-}
-
-
-int ZEXPORT inflateSetDictionary(z, dictionary, dictLength)
-z_streamp z;
-const Bytef *dictionary;
-uInt dictLength;
-{
- uInt length = dictLength;
-
- if (z == Z_NULL || z->state == Z_NULL || z->state->mode != DICT0)
- return Z_STREAM_ERROR;
-
- if (adler32(1L, dictionary, dictLength) != z->adler) return Z_DATA_ERROR;
- z->adler = 1L;
-
- if (length >= ((uInt)1<<z->state->wbits))
- {
- length = (1<<z->state->wbits)-1;
- dictionary += dictLength - length;
- }
- inflate_set_dictionary(z->state->blocks, dictionary, length);
- z->state->mode = BLOCKS;
- return Z_OK;
-}
-
-
-int ZEXPORT inflateSync(z)
-z_streamp z;
-{
- uInt n; /* number of bytes to look at */
- Bytef *p; /* pointer to bytes */
- uInt m; /* number of marker bytes found in a row */
- uLong r, w; /* temporaries to save total_in and total_out */
-
- /* set up */
- if (z == Z_NULL || z->state == Z_NULL)
- return Z_STREAM_ERROR;
- if (z->state->mode != BAD)
- {
- z->state->mode = BAD;
- z->state->sub.marker = 0;
- }
- if ((n = z->avail_in) == 0)
- return Z_BUF_ERROR;
- p = z->next_in;
- m = z->state->sub.marker;
-
- /* search */
- while (n && m < 4)
- {
- static const Byte mark[4] = {0, 0, 0xff, 0xff};
- if (*p == mark[m])
- m++;
- else if (*p)
- m = 0;
- else
- m = 4 - m;
- p++, n--;
- }
-
- /* restore */
- z->total_in += p - z->next_in;
- z->next_in = p;
- z->avail_in = n;
- z->state->sub.marker = m;
-
- /* return no joy or set up to restart on a new block */
- if (m != 4)
- return Z_DATA_ERROR;
- r = z->total_in; w = z->total_out;
- inflateReset(z);
- z->total_in = r; z->total_out = w;
- z->state->mode = BLOCKS;
- return Z_OK;
-}
-
-
-/* Returns true if inflate is currently at the end of a block generated
- * by Z_SYNC_FLUSH or Z_FULL_FLUSH. This function is used by one PPP
- * implementation to provide an additional safety check. PPP uses Z_SYNC_FLUSH
- * but removes the length bytes of the resulting empty stored block. When
- * decompressing, PPP checks that at the end of input packet, inflate is
- * waiting for these length bytes.
- */
-int ZEXPORT inflateSyncPoint(z)
-z_streamp z;
-{
- if (z == Z_NULL || z->state == Z_NULL || z->state->blocks == Z_NULL)
- return Z_STREAM_ERROR;
- return inflate_blocks_sync_point(z->state->blocks);
-}
diff --git a/linux/lib/zlib/inftrees.c b/linux/lib/zlib/inftrees.c
deleted file mode 100644
index 59ffb020c..000000000
--- a/linux/lib/zlib/inftrees.c
+++ /dev/null
@@ -1,454 +0,0 @@
-/* inftrees.c -- generate Huffman trees for efficient decoding
- * Copyright (C) 1995-2002 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-#include <zlib/zutil.h>
-#include "inftrees.h"
-
-#if !defined(BUILDFIXED) && !defined(STDC)
-# define BUILDFIXED /* non ANSI compilers may not accept inffixed.h */
-#endif
-
-local const char inflate_copyright[] =
- " inflate 1.1.4 Copyright 1995-2002 Mark Adler ";
-/*
- If you use the zlib library in a product, an acknowledgment is welcome
- in the documentation of your product. If for some reason you cannot
- include such an acknowledgment, I would appreciate that you keep this
- copyright string in the executable of your product.
- */
-struct internal_state {int dummy;}; /* for buggy compilers */
-
-/* simplify the use of the inflate_huft type with some defines */
-#define exop word.what.Exop
-#define bits word.what.Bits
-
-
-local int huft_build OF((
- uIntf *, /* code lengths in bits */
- uInt, /* number of codes */
- uInt, /* number of "simple" codes */
- const uIntf *, /* list of base values for non-simple codes */
- const uIntf *, /* list of extra bits for non-simple codes */
- inflate_huft * FAR*,/* result: starting table */
- uIntf *, /* maximum lookup bits (returns actual) */
- inflate_huft *, /* space for trees */
- uInt *, /* hufts used in space */
- uIntf * )); /* space for values */
-
-/* Tables for deflate from PKZIP's appnote.txt. */
-local const uInt cplens[31] = { /* Copy lengths for literal codes 257..285 */
- 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
- 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0};
- /* see note #13 above about 258 */
-local const uInt cplext[31] = { /* Extra bits for literal codes 257..285 */
- 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2,
- 3, 3, 3, 3, 4, 4, 4, 4, 5, 5, 5, 5, 0, 112, 112}; /* 112==invalid */
-local const uInt cpdist[30] = { /* Copy offsets for distance codes 0..29 */
- 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,
- 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,
- 8193, 12289, 16385, 24577};
-local const uInt cpdext[30] = { /* Extra bits for distance codes */
- 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 6,
- 7, 7, 8, 8, 9, 9, 10, 10, 11, 11,
- 12, 12, 13, 13};
-
-/*
- Huffman code decoding is performed using a multi-level table lookup.
- The fastest way to decode is to simply build a lookup table whose
- size is determined by the longest code. However, the time it takes
- to build this table can also be a factor if the data being decoded
- is not very long. The most common codes are necessarily the
- shortest codes, so those codes dominate the decoding time, and hence
- the speed. The idea is you can have a shorter table that decodes the
- shorter, more probable codes, and then point to subsidiary tables for
- the longer codes. The time it costs to decode the longer codes is
- then traded against the time it takes to make longer tables.
-
- This results of this trade are in the variables lbits and dbits
- below. lbits is the number of bits the first level table for literal/
- length codes can decode in one step, and dbits is the same thing for
- the distance codes. Subsequent tables are also less than or equal to
- those sizes. These values may be adjusted either when all of the
- codes are shorter than that, in which case the longest code length in
- bits is used, or when the shortest code is *longer* than the requested
- table size, in which case the length of the shortest code in bits is
- used.
-
- There are two different values for the two tables, since they code a
- different number of possibilities each. The literal/length table
- codes 286 possible values, or in a flat code, a little over eight
- bits. The distance table codes 30 possible values, or a little less
- than five bits, flat. The optimum values for speed end up being
- about one bit more than those, so lbits is 8+1 and dbits is 5+1.
- The optimum values may differ though from machine to machine, and
- possibly even between compilers. Your mileage may vary.
- */
-
-
-/* If BMAX needs to be larger than 16, then h and x[] should be uLong. */
-#define BMAX 15 /* maximum bit length of any code */
-
-local int huft_build(b, n, s, d, e, t, m, hp, hn, v)
-uIntf *b; /* code lengths in bits (all assumed <= BMAX) */
-uInt n; /* number of codes (assumed <= 288) */
-uInt s; /* number of simple-valued codes (0..s-1) */
-const uIntf *d; /* list of base values for non-simple codes */
-const uIntf *e; /* list of extra bits for non-simple codes */
-inflate_huft * FAR *t; /* result: starting table */
-uIntf *m; /* maximum lookup bits, returns actual */
-inflate_huft *hp; /* space for trees */
-uInt *hn; /* hufts used in space */
-uIntf *v; /* working area: values in order of bit length */
-/* Given a list of code lengths and a maximum table size, make a set of
- tables to decode that set of codes. Return Z_OK on success, Z_BUF_ERROR
- if the given code set is incomplete (the tables are still built in this
- case), or Z_DATA_ERROR if the input is invalid. */
-{
-
- uInt a; /* counter for codes of length k */
- uInt c[BMAX+1]; /* bit length count table */
- uInt f; /* i repeats in table every f entries */
- int g; /* maximum code length */
- int h; /* table level */
- register uInt i; /* counter, current code */
- register uInt j; /* counter */
- register int k; /* number of bits in current code */
- int l; /* bits per table (returned in m) */
- uInt mask; /* (1 << w) - 1, to avoid cc -O bug on HP */
- register uIntf *p; /* pointer into c[], b[], or v[] */
- inflate_huft *q; /* points to current table */
- struct inflate_huft_s r; /* table entry for structure assignment */
- inflate_huft *u[BMAX]; /* table stack */
- register int w; /* bits before this table == (l * h) */
- uInt x[BMAX+1]; /* bit offsets, then code stack */
- uIntf *xp; /* pointer into x */
- int y; /* number of dummy codes added */
- uInt z; /* number of entries in current table */
-
-
- /* Generate counts for each bit length */
- p = c;
-#define C0 *p++ = 0;
-#define C2 C0 C0 C0 C0
-#define C4 C2 C2 C2 C2
- C4 /* clear c[]--assume BMAX+1 is 16 */
- p = b; i = n;
- do {
- c[*p++]++; /* assume all entries <= BMAX */
- } while (--i);
- if (c[0] == n) /* null input--all zero length codes */
- {
- *t = (inflate_huft *)Z_NULL;
- *m = 0;
- return Z_OK;
- }
-
-
- /* Find minimum and maximum length, bound *m by those */
- l = *m;
- for (j = 1; j <= BMAX; j++)
- if (c[j])
- break;
- k = j; /* minimum code length */
- if ((uInt)l < j)
- l = j;
- for (i = BMAX; i; i--)
- if (c[i])
- break;
- g = i; /* maximum code length */
- if ((uInt)l > i)
- l = i;
- *m = l;
-
-
- /* Adjust last length count to fill out codes, if needed */
- for (y = 1 << j; j < i; j++, y <<= 1)
- if ((y -= c[j]) < 0)
- return Z_DATA_ERROR;
- if ((y -= c[i]) < 0)
- return Z_DATA_ERROR;
- c[i] += y;
-
-
- /* Generate starting offsets into the value table for each length */
- x[1] = j = 0;
- p = c + 1; xp = x + 2;
- while (--i) { /* note that i == g from above */
- *xp++ = (j += *p++);
- }
-
-
- /* Make a table of values in order of bit lengths */
- p = b; i = 0;
- do {
- if ((j = *p++) != 0)
- v[x[j]++] = i;
- } while (++i < n);
- n = x[g]; /* set n to length of v */
-
-
- /* Generate the Huffman codes and for each, make the table entries */
- x[0] = i = 0; /* first Huffman code is zero */
- p = v; /* grab values in bit order */
- h = -1; /* no tables yet--level -1 */
- w = -l; /* bits decoded == (l * h) */
- u[0] = (inflate_huft *)Z_NULL; /* just to keep compilers happy */
- q = (inflate_huft *)Z_NULL; /* ditto */
- z = 0; /* ditto */
-
- /* go through the bit lengths (k already is bits in shortest code) */
- for (; k <= g; k++)
- {
- a = c[k];
- while (a--)
- {
- /* here i is the Huffman code of length k bits for value *p */
- /* make tables up to required level */
- while (k > w + l)
- {
- h++;
- w += l; /* previous table always l bits */
-
- /* compute minimum size table less than or equal to l bits */
- z = g - w;
- z = z > (uInt)l ? l : z; /* table size upper limit */
- if ((f = 1 << (j = k - w)) > a + 1) /* try a k-w bit table */
- { /* too few codes for k-w bit table */
- f -= a + 1; /* deduct codes from patterns left */
- xp = c + k;
- if (j < z)
- while (++j < z) /* try smaller tables up to z bits */
- {
- if ((f <<= 1) <= *++xp)
- break; /* enough codes to use up j bits */
- f -= *xp; /* else deduct codes from patterns */
- }
- }
- z = 1 << j; /* table entries for j-bit table */
-
- /* allocate new table */
- if (*hn + z > MANY) /* (note: doesn't matter for fixed) */
- return Z_DATA_ERROR; /* overflow of MANY */
- u[h] = q = hp + *hn;
- *hn += z;
-
- /* connect to last table, if there is one */
- if (h)
- {
- x[h] = i; /* save pattern for backing up */
- r.bits = (Byte)l; /* bits to dump before this table */
- r.exop = (Byte)j; /* bits in this table */
- j = i >> (w - l);
- r.base = (uInt)(q - u[h-1] - j); /* offset to this table */
- u[h-1][j] = r; /* connect to last table */
- }
- else
- *t = q; /* first table is returned result */
- }
-
- /* set up table entry in r */
- r.bits = (Byte)(k - w);
- if (p >= v + n)
- r.exop = 128 + 64; /* out of values--invalid code */
- else if (*p < s)
- {
- r.exop = (Byte)(*p < 256 ? 0 : 32 + 64); /* 256 is end-of-block */
- r.base = *p++; /* simple code is just the value */
- }
- else
- {
- r.exop = (Byte)(e[*p - s] + 16 + 64);/* non-simple--look up in lists */
- r.base = d[*p++ - s];
- }
-
- /* fill code-like entries with r */
- f = 1 << (k - w);
- for (j = i >> w; j < z; j += f)
- q[j] = r;
-
- /* backwards increment the k-bit code i */
- for (j = 1 << (k - 1); i & j; j >>= 1)
- i ^= j;
- i ^= j;
-
- /* backup over finished tables */
- mask = (1 << w) - 1; /* needed on HP, cc -O bug */
- while ((i & mask) != x[h])
- {
- h--; /* don't need to update q */
- w -= l;
- mask = (1 << w) - 1;
- }
- }
- }
-
-
- /* Return Z_BUF_ERROR if we were given an incomplete table */
- return y != 0 && g != 1 ? Z_BUF_ERROR : Z_OK;
-}
-
-
-int inflate_trees_bits(c, bb, tb, hp, z)
-uIntf *c; /* 19 code lengths */
-uIntf *bb; /* bits tree desired/actual depth */
-inflate_huft * FAR *tb; /* bits tree result */
-inflate_huft *hp; /* space for trees */
-z_streamp z; /* for messages */
-{
- int r;
- uInt hn = 0; /* hufts used in space */
- uIntf *v; /* work area for huft_build */
-
- if ((v = (uIntf*)ZALLOC(z, 19, sizeof(uInt))) == Z_NULL)
- return Z_MEM_ERROR;
- r = huft_build(c, 19, 19, (uIntf*)Z_NULL, (uIntf*)Z_NULL,
- tb, bb, hp, &hn, v);
- if (r == Z_DATA_ERROR)
- z->msg = (char*)"oversubscribed dynamic bit lengths tree";
- else if (r == Z_BUF_ERROR || *bb == 0)
- {
- z->msg = (char*)"incomplete dynamic bit lengths tree";
- r = Z_DATA_ERROR;
- }
- ZFREE(z, v);
- return r;
-}
-
-
-int inflate_trees_dynamic(nl, nd, c, bl, bd, tl, td, hp, z)
-uInt nl; /* number of literal/length codes */
-uInt nd; /* number of distance codes */
-uIntf *c; /* that many (total) code lengths */
-uIntf *bl; /* literal desired/actual bit depth */
-uIntf *bd; /* distance desired/actual bit depth */
-inflate_huft * FAR *tl; /* literal/length tree result */
-inflate_huft * FAR *td; /* distance tree result */
-inflate_huft *hp; /* space for trees */
-z_streamp z; /* for messages */
-{
- int r;
- uInt hn = 0; /* hufts used in space */
- uIntf *v; /* work area for huft_build */
-
- /* allocate work area */
- if ((v = (uIntf*)ZALLOC(z, 288, sizeof(uInt))) == Z_NULL)
- return Z_MEM_ERROR;
-
- /* build literal/length tree */
- r = huft_build(c, nl, 257, cplens, cplext, tl, bl, hp, &hn, v);
- if (r != Z_OK || *bl == 0)
- {
- if (r == Z_DATA_ERROR)
- z->msg = (char*)"oversubscribed literal/length tree";
- else if (r != Z_MEM_ERROR)
- {
- z->msg = (char*)"incomplete literal/length tree";
- r = Z_DATA_ERROR;
- }
- ZFREE(z, v);
- return r;
- }
-
- /* build distance tree */
- r = huft_build(c + nl, nd, 0, cpdist, cpdext, td, bd, hp, &hn, v);
- if (r != Z_OK || (*bd == 0 && nl > 257))
- {
- if (r == Z_DATA_ERROR)
- z->msg = (char*)"oversubscribed distance tree";
- else if (r == Z_BUF_ERROR) {
-#ifdef PKZIP_BUG_WORKAROUND
- r = Z_OK;
- }
-#else
- z->msg = (char*)"incomplete distance tree";
- r = Z_DATA_ERROR;
- }
- else if (r != Z_MEM_ERROR)
- {
- z->msg = (char*)"empty distance tree with lengths";
- r = Z_DATA_ERROR;
- }
- ZFREE(z, v);
- return r;
-#endif
- }
-
- /* done */
- ZFREE(z, v);
- return Z_OK;
-}
-
-
-/* build fixed tables only once--keep them here */
-#ifdef BUILDFIXED
-local int fixed_built = 0;
-#define FIXEDH 544 /* number of hufts used by fixed tables */
-local inflate_huft fixed_mem[FIXEDH];
-local uInt fixed_bl;
-local uInt fixed_bd;
-local inflate_huft *fixed_tl;
-local inflate_huft *fixed_td;
-#else
-#include "inffixed.h"
-#endif
-
-
-int inflate_trees_fixed(bl, bd, tl, td, z)
-uIntf *bl; /* literal desired/actual bit depth */
-uIntf *bd; /* distance desired/actual bit depth */
-inflate_huft * FAR *tl; /* literal/length tree result */
-inflate_huft * FAR *td; /* distance tree result */
-z_streamp z; /* for memory allocation */
-{
-#ifdef BUILDFIXED
- /* build fixed tables if not already */
- if (!fixed_built)
- {
- int k; /* temporary variable */
- uInt f = 0; /* number of hufts used in fixed_mem */
- uIntf *c; /* length list for huft_build */
- uIntf *v; /* work area for huft_build */
-
- /* allocate memory */
- if ((c = (uIntf*)ZALLOC(z, 288, sizeof(uInt))) == Z_NULL)
- return Z_MEM_ERROR;
- if ((v = (uIntf*)ZALLOC(z, 288, sizeof(uInt))) == Z_NULL)
- {
- ZFREE(z, c);
- return Z_MEM_ERROR;
- }
-
- /* literal table */
- for (k = 0; k < 144; k++)
- c[k] = 8;
- for (; k < 256; k++)
- c[k] = 9;
- for (; k < 280; k++)
- c[k] = 7;
- for (; k < 288; k++)
- c[k] = 8;
- fixed_bl = 9;
- huft_build(c, 288, 257, cplens, cplext, &fixed_tl, &fixed_bl,
- fixed_mem, &f, v);
-
- /* distance table */
- for (k = 0; k < 30; k++)
- c[k] = 5;
- fixed_bd = 5;
- huft_build(c, 30, 0, cpdist, cpdext, &fixed_td, &fixed_bd,
- fixed_mem, &f, v);
-
- /* done */
- ZFREE(z, v);
- ZFREE(z, c);
- fixed_built = 1;
- }
-#endif
- *bl = fixed_bl;
- *bd = fixed_bd;
- *tl = fixed_tl;
- *td = fixed_td;
- return Z_OK;
-}
diff --git a/linux/lib/zlib/inftrees.h b/linux/lib/zlib/inftrees.h
deleted file mode 100644
index ef15b1b82..000000000
--- a/linux/lib/zlib/inftrees.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/* inftrees.h -- header to use inftrees.c
- * Copyright (C) 1995-2002 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* WARNING: this file should *not* be used by applications. It is
- part of the implementation of the compression library and is
- subject to change. Applications should only use zlib.h.
- */
-
-/* Huffman code lookup table entry--this entry is four bytes for machines
- that have 16-bit pointers (e.g. PC's in the small or medium model). */
-
-#ifndef _INFTREES_H
-#define _INFTREES_H
-
-typedef struct inflate_huft_s FAR inflate_huft;
-
-struct inflate_huft_s {
- union {
- struct {
- Byte Exop; /* number of extra bits or operation */
- Byte Bits; /* number of bits in this code or subcode */
- } what;
- uInt pad; /* pad structure to a power of 2 (4 bytes for */
- } word; /* 16-bit, 8 bytes for 32-bit int's) */
- uInt base; /* literal, length base, distance base,
- or table offset */
-};
-
-/* Maximum size of dynamic tree. The maximum found in a long but non-
- exhaustive search was 1004 huft structures (850 for length/literals
- and 154 for distances, the latter actually the result of an
- exhaustive search). The actual maximum is not known, but the
- value below is more than safe. */
-#define MANY 1440
-
-extern int inflate_trees_bits OF((
- uIntf *, /* 19 code lengths */
- uIntf *, /* bits tree desired/actual depth */
- inflate_huft * FAR *, /* bits tree result */
- inflate_huft *, /* space for trees */
- z_streamp)); /* for messages */
-
-extern int inflate_trees_dynamic OF((
- uInt, /* number of literal/length codes */
- uInt, /* number of distance codes */
- uIntf *, /* that many (total) code lengths */
- uIntf *, /* literal desired/actual bit depth */
- uIntf *, /* distance desired/actual bit depth */
- inflate_huft * FAR *, /* literal/length tree result */
- inflate_huft * FAR *, /* distance tree result */
- inflate_huft *, /* space for trees */
- z_streamp)); /* for messages */
-
-extern int inflate_trees_fixed OF((
- uIntf *, /* literal desired/actual bit depth */
- uIntf *, /* distance desired/actual bit depth */
- inflate_huft * FAR *, /* literal/length tree result */
- inflate_huft * FAR *, /* distance tree result */
- z_streamp)); /* for memory allocation */
-
-#endif /* _INFTREES_H */
diff --git a/linux/lib/zlib/infutil.c b/linux/lib/zlib/infutil.c
deleted file mode 100644
index b50358ffa..000000000
--- a/linux/lib/zlib/infutil.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/* inflate_util.c -- data and routines common to blocks and codes
- * Copyright (C) 1995-2002 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-#include <zlib/zutil.h>
-#include "infblock.h"
-#include "inftrees.h"
-#include "infcodes.h"
-#include "infutil.h"
-
-struct inflate_codes_state {int dummy;}; /* for buggy compilers */
-
-/* And'ing with mask[n] masks the lower n bits */
-uInt inflate_mask[17] = {
- 0x0000,
- 0x0001, 0x0003, 0x0007, 0x000f, 0x001f, 0x003f, 0x007f, 0x00ff,
- 0x01ff, 0x03ff, 0x07ff, 0x0fff, 0x1fff, 0x3fff, 0x7fff, 0xffff
-};
-
-
-/* copy as much as possible from the sliding window to the output area */
-int inflate_flush(s, z, r)
-inflate_blocks_statef *s;
-z_streamp z;
-int r;
-{
- uInt n;
- Bytef *p;
- Bytef *q;
-
- /* local copies of source and destination pointers */
- p = z->next_out;
- q = s->read;
-
- /* compute number of bytes to copy as far as end of window */
- n = (uInt)((q <= s->write ? s->write : s->end) - q);
- if (n > z->avail_out) n = z->avail_out;
- if (n && r == Z_BUF_ERROR) r = Z_OK;
-
- /* update counters */
- z->avail_out -= n;
- z->total_out += n;
-
- /* update check information */
- if (s->checkfn != Z_NULL)
- z->adler = s->check = (*s->checkfn)(s->check, q, n);
-
- /* copy as far as end of window */
- zmemcpy(p, q, n);
- p += n;
- q += n;
-
- /* see if more to copy at beginning of window */
- if (q == s->end)
- {
- /* wrap pointers */
- q = s->window;
- if (s->write == s->end)
- s->write = s->window;
-
- /* compute bytes to copy */
- n = (uInt)(s->write - q);
- if (n > z->avail_out) n = z->avail_out;
- if (n && r == Z_BUF_ERROR) r = Z_OK;
-
- /* update counters */
- z->avail_out -= n;
- z->total_out += n;
-
- /* update check information */
- if (s->checkfn != Z_NULL)
- z->adler = s->check = (*s->checkfn)(s->check, q, n);
-
- /* copy */
- zmemcpy(p, q, n);
- p += n;
- q += n;
- }
-
- /* update pointers */
- z->next_out = p;
- s->read = q;
-
- /* done */
- return r;
-}
diff --git a/linux/lib/zlib/infutil.h b/linux/lib/zlib/infutil.h
deleted file mode 100644
index 959e12e8c..000000000
--- a/linux/lib/zlib/infutil.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/* infutil.h -- types and macros common to blocks and codes
- * Copyright (C) 1995-2002 Mark Adler
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* WARNING: this file should *not* be used by applications. It is
- part of the implementation of the compression library and is
- subject to change. Applications should only use zlib.h.
- */
-
-#ifndef _INFUTIL_H
-#define _INFUTIL_H
-
-typedef enum {
- TYPE, /* get type bits (3, including end bit) */
- LENS, /* get lengths for stored */
- STORED, /* processing stored block */
- TABLE, /* get table lengths */
- BTREE, /* get bit lengths tree for a dynamic block */
- DTREE, /* get length, distance trees for a dynamic block */
- CODES, /* processing fixed or dynamic block */
- DRY, /* output remaining window bytes */
- DONE, /* finished last block, done */
- BAD} /* got a data error--stuck here */
-inflate_block_mode;
-
-/* inflate blocks semi-private state */
-struct inflate_blocks_state {
-
- /* mode */
- inflate_block_mode mode; /* current inflate_block mode */
-
- /* mode dependent information */
- union {
- uInt left; /* if STORED, bytes left to copy */
- struct {
- uInt table; /* table lengths (14 bits) */
- uInt index; /* index into blens (or border) */
- uIntf *blens; /* bit lengths of codes */
- uInt bb; /* bit length tree depth */
- inflate_huft *tb; /* bit length decoding tree */
- } trees; /* if DTREE, decoding info for trees */
- struct {
- inflate_codes_statef
- *codes;
- } decode; /* if CODES, current state */
- } sub; /* submode */
- uInt last; /* true if this block is the last block */
-
- /* mode independent information */
- uInt bitk; /* bits in bit buffer */
- uLong bitb; /* bit buffer */
- inflate_huft *hufts; /* single malloc for tree space */
- Bytef *window; /* sliding window */
- Bytef *end; /* one byte after sliding window */
- Bytef *read; /* window read pointer */
- Bytef *write; /* window write pointer */
- check_func checkfn; /* check function */
- uLong check; /* check on output */
-
-};
-
-
-/* defines for inflate input/output */
-/* update pointers and return */
-#define UPDBITS {s->bitb=b;s->bitk=k;}
-#define UPDIN {z->avail_in=n;z->total_in+=p-z->next_in;z->next_in=p;}
-#define UPDOUT {s->write=q;}
-#define UPDATE {UPDBITS UPDIN UPDOUT}
-#define LEAVE {UPDATE return inflate_flush(s,z,r);}
-/* get bytes and bits */
-#define LOADIN {p=z->next_in;n=z->avail_in;b=s->bitb;k=s->bitk;}
-#define NEEDBYTE {if(n)r=Z_OK;else LEAVE}
-#define NEXTBYTE (n--,*p++)
-#define NEEDBITS(j) {while(k<(j)){NEEDBYTE;b|=((uLong)NEXTBYTE)<<k;k+=8;}}
-#define DUMPBITS(j) {b>>=(j);k-=(j);}
-/* output bytes */
-#define WAVAIL (uInt)(q<s->read?s->read-q-1:s->end-q)
-#define LOADOUT {q=s->write;m=(uInt)WAVAIL;}
-#define WRAP {if(q==s->end&&s->read!=s->window){q=s->window;m=(uInt)WAVAIL;}}
-#define FLUSH {UPDOUT r=inflate_flush(s,z,r); LOADOUT}
-#define NEEDOUT {if(m==0){WRAP if(m==0){FLUSH WRAP if(m==0) LEAVE}}r=Z_OK;}
-#define OUTBYTE(a) {*q++=(Byte)(a);m--;}
-/* load local pointers */
-#define LOAD {LOADIN LOADOUT}
-
-/* masks for lower bits (size given to avoid silly warnings with Visual C++) */
-extern uInt inflate_mask[17];
-
-/* copy as much as possible from the sliding window to the output area */
-extern int inflate_flush OF((
- inflate_blocks_statef *,
- z_streamp ,
- int));
-
-struct internal_state {int dummy;}; /* for buggy compilers */
-
-#endif /* _INFUTIL_H */
diff --git a/linux/lib/zlib/match586.S b/linux/lib/zlib/match586.S
deleted file mode 100644
index 9ca33b03a..000000000
--- a/linux/lib/zlib/match586.S
+++ /dev/null
@@ -1,357 +0,0 @@
-/* match.s -- Pentium-optimized version of longest_match()
- * Written for zlib 1.1.2
- * Copyright (C) 1998 Brian Raiter <breadbox@muppetlabs.com>
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License.
- */
-
-#ifndef NO_UNDERLINE
-#define match_init _ipcomp_match_init
-#define longest_match _ipcomp_longest_match
-#else
-#define match_init ipcomp_match_init
-#define longest_match ipcomp_longest_match
-#endif
-
-#define MAX_MATCH (258)
-#define MIN_MATCH (3)
-#define MIN_LOOKAHEAD (MAX_MATCH + MIN_MATCH + 1)
-#define MAX_MATCH_8 ((MAX_MATCH + 7) & ~7)
-
-/* stack frame offsets */
-
-#define wmask 0 /* local copy of s->wmask */
-#define window 4 /* local copy of s->window */
-#define windowbestlen 8 /* s->window + bestlen */
-#define chainlenscanend 12 /* high word: current chain len */
- /* low word: last bytes sought */
-#define scanstart 16 /* first two bytes of string */
-#define scanalign 20 /* dword-misalignment of string */
-#define nicematch 24 /* a good enough match size */
-#define bestlen 28 /* size of best match so far */
-#define scan 32 /* ptr to string wanting match */
-
-#define LocalVarsSize (36)
-/* saved ebx 36 */
-/* saved edi 40 */
-/* saved esi 44 */
-/* saved ebp 48 */
-/* return address 52 */
-#define deflatestate 56 /* the function arguments */
-#define curmatch 60
-
-/* Offsets for fields in the deflate_state structure. These numbers
- * are calculated from the definition of deflate_state, with the
- * assumption that the compiler will dword-align the fields. (Thus,
- * changing the definition of deflate_state could easily cause this
- * program to crash horribly, without so much as a warning at
- * compile time. Sigh.)
- */
-#define dsWSize 36
-#define dsWMask 44
-#define dsWindow 48
-#define dsPrev 56
-#define dsMatchLen 88
-#define dsPrevMatch 92
-#define dsStrStart 100
-#define dsMatchStart 104
-#define dsLookahead 108
-#define dsPrevLen 112
-#define dsMaxChainLen 116
-#define dsGoodMatch 132
-#define dsNiceMatch 136
-
-
-.file "match.S"
-
-.globl match_init, longest_match
-
-.text
-
-/* uInt longest_match(deflate_state *deflatestate, IPos curmatch) */
-
-longest_match:
-
-/* Save registers that the compiler may be using, and adjust %esp to */
-/* make room for our stack frame. */
-
- pushl %ebp
- pushl %edi
- pushl %esi
- pushl %ebx
- subl $LocalVarsSize, %esp
-
-/* Retrieve the function arguments. %ecx will hold cur_match */
-/* throughout the entire function. %edx will hold the pointer to the */
-/* deflate_state structure during the function's setup (before */
-/* entering the main loop). */
-
- movl deflatestate(%esp), %edx
- movl curmatch(%esp), %ecx
-
-/* if ((uInt)nice_match > s->lookahead) nice_match = s->lookahead; */
-
- movl dsNiceMatch(%edx), %eax
- movl dsLookahead(%edx), %ebx
- cmpl %eax, %ebx
- jl LookaheadLess
- movl %eax, %ebx
-LookaheadLess: movl %ebx, nicematch(%esp)
-
-/* register Bytef *scan = s->window + s->strstart; */
-
- movl dsWindow(%edx), %esi
- movl %esi, window(%esp)
- movl dsStrStart(%edx), %ebp
- lea (%esi,%ebp), %edi
- movl %edi, scan(%esp)
-
-/* Determine how many bytes the scan ptr is off from being */
-/* dword-aligned. */
-
- movl %edi, %eax
- negl %eax
- andl $3, %eax
- movl %eax, scanalign(%esp)
-
-/* IPos limit = s->strstart > (IPos)MAX_DIST(s) ? */
-/* s->strstart - (IPos)MAX_DIST(s) : NIL; */
-
- movl dsWSize(%edx), %eax
- subl $MIN_LOOKAHEAD, %eax
- subl %eax, %ebp
- jg LimitPositive
- xorl %ebp, %ebp
-LimitPositive:
-
-/* unsigned chain_length = s->max_chain_length; */
-/* if (s->prev_length >= s->good_match) { */
-/* chain_length >>= 2; */
-/* } */
-
- movl dsPrevLen(%edx), %eax
- movl dsGoodMatch(%edx), %ebx
- cmpl %ebx, %eax
- movl dsMaxChainLen(%edx), %ebx
- jl LastMatchGood
- shrl $2, %ebx
-LastMatchGood:
-
-/* chainlen is decremented once beforehand so that the function can */
-/* use the sign flag instead of the zero flag for the exit test. */
-/* It is then shifted into the high word, to make room for the scanend */
-/* scanend value, which it will always accompany. */
-
- decl %ebx
- shll $16, %ebx
-
-/* int best_len = s->prev_length; */
-
- movl dsPrevLen(%edx), %eax
- movl %eax, bestlen(%esp)
-
-/* Store the sum of s->window + best_len in %esi locally, and in %esi. */
-
- addl %eax, %esi
- movl %esi, windowbestlen(%esp)
-
-/* register ush scan_start = *(ushf*)scan; */
-/* register ush scan_end = *(ushf*)(scan+best_len-1); */
-
- movw (%edi), %bx
- movw %bx, scanstart(%esp)
- movw -1(%edi,%eax), %bx
- movl %ebx, chainlenscanend(%esp)
-
-/* Posf *prev = s->prev; */
-/* uInt wmask = s->w_mask; */
-
- movl dsPrev(%edx), %edi
- movl dsWMask(%edx), %edx
- mov %edx, wmask(%esp)
-
-/* Jump into the main loop. */
-
- jmp LoopEntry
-
-.balign 16
-
-/* do {
- * match = s->window + cur_match;
- * if (*(ushf*)(match+best_len-1) != scan_end ||
- * *(ushf*)match != scan_start) continue;
- * [...]
- * } while ((cur_match = prev[cur_match & wmask]) > limit
- * && --chain_length != 0);
- *
- * Here is the inner loop of the function. The function will spend the
- * majority of its time in this loop, and majority of that time will
- * be spent in the first ten instructions.
- *
- * Within this loop:
- * %ebx = chainlenscanend - i.e., ((chainlen << 16) | scanend)
- * %ecx = curmatch
- * %edx = curmatch & wmask
- * %esi = windowbestlen - i.e., (window + bestlen)
- * %edi = prev
- * %ebp = limit
- *
- * Two optimization notes on the choice of instructions:
- *
- * The first instruction uses a 16-bit address, which costs an extra,
- * unpairable cycle. This is cheaper than doing a 32-bit access and
- * zeroing the high word, due to the 3-cycle misalignment penalty which
- * would occur half the time. This also turns out to be cheaper than
- * doing two separate 8-bit accesses, as the memory is so rarely in the
- * L1 cache.
- *
- * The window buffer, however, apparently spends a lot of time in the
- * cache, and so it is faster to retrieve the word at the end of the
- * match string with two 8-bit loads. The instructions that test the
- * word at the beginning of the match string, however, are executed
- * much less frequently, and there it was cheaper to use 16-bit
- * instructions, which avoided the necessity of saving off and
- * subsequently reloading one of the other registers.
- */
-LookupLoop:
- /* 1 U & V */
- movw (%edi,%edx,2), %cx /* 2 U pipe */
- movl wmask(%esp), %edx /* 2 V pipe */
- cmpl %ebp, %ecx /* 3 U pipe */
- jbe LeaveNow /* 3 V pipe */
- subl $0x00010000, %ebx /* 4 U pipe */
- js LeaveNow /* 4 V pipe */
-LoopEntry: movb -1(%esi,%ecx), %al /* 5 U pipe */
- andl %ecx, %edx /* 5 V pipe */
- cmpb %bl, %al /* 6 U pipe */
- jnz LookupLoop /* 6 V pipe */
- movb (%esi,%ecx), %ah
- cmpb %bh, %ah
- jnz LookupLoop
- movl window(%esp), %eax
- movw (%eax,%ecx), %ax
- cmpw scanstart(%esp), %ax
- jnz LookupLoop
-
-/* Store the current value of chainlen. */
-
- movl %ebx, chainlenscanend(%esp)
-
-/* Point %edi to the string under scrutiny, and %esi to the string we */
-/* are hoping to match it up with. In actuality, %esi and %edi are */
-/* both pointed (MAX_MATCH_8 - scanalign) bytes ahead, and %edx is */
-/* initialized to -(MAX_MATCH_8 - scanalign). */
-
- movl window(%esp), %esi
- movl scan(%esp), %edi
- addl %ecx, %esi
- movl scanalign(%esp), %eax
- movl $(-MAX_MATCH_8), %edx
- lea MAX_MATCH_8(%edi,%eax), %edi
- lea MAX_MATCH_8(%esi,%eax), %esi
-
-/* Test the strings for equality, 8 bytes at a time. At the end,
- * adjust %edx so that it is offset to the exact byte that mismatched.
- *
- * We already know at this point that the first three bytes of the
- * strings match each other, and they can be safely passed over before
- * starting the compare loop. So what this code does is skip over 0-3
- * bytes, as much as necessary in order to dword-align the %edi
- * pointer. (%esi will still be misaligned three times out of four.)
- *
- * It should be confessed that this loop usually does not represent
- * much of the total running time. Replacing it with a more
- * straightforward "rep cmpsb" would not drastically degrade
- * performance.
- */
-LoopCmps:
- movl (%esi,%edx), %eax
- movl (%edi,%edx), %ebx
- xorl %ebx, %eax
- jnz LeaveLoopCmps
- movl 4(%esi,%edx), %eax
- movl 4(%edi,%edx), %ebx
- xorl %ebx, %eax
- jnz LeaveLoopCmps4
- addl $8, %edx
- jnz LoopCmps
- jmp LenMaximum
-LeaveLoopCmps4: addl $4, %edx
-LeaveLoopCmps: testl $0x0000FFFF, %eax
- jnz LenLower
- addl $2, %edx
- shrl $16, %eax
-LenLower: subb $1, %al
- adcl $0, %edx
-
-/* Calculate the length of the match. If it is longer than MAX_MATCH, */
-/* then automatically accept it as the best possible match and leave. */
-
- lea (%edi,%edx), %eax
- movl scan(%esp), %edi
- subl %edi, %eax
- cmpl $MAX_MATCH, %eax
- jge LenMaximum
-
-/* If the length of the match is not longer than the best match we */
-/* have so far, then forget it and return to the lookup loop. */
-
- movl deflatestate(%esp), %edx
- movl bestlen(%esp), %ebx
- cmpl %ebx, %eax
- jg LongerMatch
- movl chainlenscanend(%esp), %ebx
- movl windowbestlen(%esp), %esi
- movl dsPrev(%edx), %edi
- movl wmask(%esp), %edx
- andl %ecx, %edx
- jmp LookupLoop
-
-/* s->match_start = cur_match; */
-/* best_len = len; */
-/* if (len >= nice_match) break; */
-/* scan_end = *(ushf*)(scan+best_len-1); */
-
-LongerMatch: movl nicematch(%esp), %ebx
- movl %eax, bestlen(%esp)
- movl %ecx, dsMatchStart(%edx)
- cmpl %ebx, %eax
- jge LeaveNow
- movl window(%esp), %esi
- addl %eax, %esi
- movl %esi, windowbestlen(%esp)
- movl chainlenscanend(%esp), %ebx
- movw -1(%edi,%eax), %bx
- movl dsPrev(%edx), %edi
- movl %ebx, chainlenscanend(%esp)
- movl wmask(%esp), %edx
- andl %ecx, %edx
- jmp LookupLoop
-
-/* Accept the current string, with the maximum possible length. */
-
-LenMaximum: movl deflatestate(%esp), %edx
- movl $MAX_MATCH, bestlen(%esp)
- movl %ecx, dsMatchStart(%edx)
-
-/* if ((uInt)best_len <= s->lookahead) return (uInt)best_len; */
-/* return s->lookahead; */
-
-LeaveNow:
- movl deflatestate(%esp), %edx
- movl bestlen(%esp), %ebx
- movl dsLookahead(%edx), %eax
- cmpl %eax, %ebx
- jg LookaheadRet
- movl %ebx, %eax
-LookaheadRet:
-
-/* Restore the stack and return from whence we came. */
-
- addl $LocalVarsSize, %esp
- popl %ebx
- popl %esi
- popl %edi
- popl %ebp
-match_init: ret
diff --git a/linux/lib/zlib/match686.S b/linux/lib/zlib/match686.S
deleted file mode 100644
index 63fce28d4..000000000
--- a/linux/lib/zlib/match686.S
+++ /dev/null
@@ -1,330 +0,0 @@
-/* match.s -- Pentium-Pro-optimized version of longest_match()
- * Written for zlib 1.1.2
- * Copyright (C) 1998 Brian Raiter <breadbox@muppetlabs.com>
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License.
- */
-
-#ifndef NO_UNDERLINE
-#define match_init _ipcomp_match_init
-#define longest_match _ipcomp_longest_match
-#else
-#define match_init ipcomp_match_init
-#define longest_match ipcomp_longest_match
-#endif
-
-#define MAX_MATCH (258)
-#define MIN_MATCH (3)
-#define MIN_LOOKAHEAD (MAX_MATCH + MIN_MATCH + 1)
-#define MAX_MATCH_8 ((MAX_MATCH + 7) & ~7)
-
-/* stack frame offsets */
-
-#define chainlenwmask 0 /* high word: current chain len */
- /* low word: s->wmask */
-#define window 4 /* local copy of s->window */
-#define windowbestlen 8 /* s->window + bestlen */
-#define scanstart 16 /* first two bytes of string */
-#define scanend 12 /* last two bytes of string */
-#define scanalign 20 /* dword-misalignment of string */
-#define nicematch 24 /* a good enough match size */
-#define bestlen 28 /* size of best match so far */
-#define scan 32 /* ptr to string wanting match */
-
-#define LocalVarsSize (36)
-/* saved ebx 36 */
-/* saved edi 40 */
-/* saved esi 44 */
-/* saved ebp 48 */
-/* return address 52 */
-#define deflatestate 56 /* the function arguments */
-#define curmatch 60
-
-/* Offsets for fields in the deflate_state structure. These numbers
- * are calculated from the definition of deflate_state, with the
- * assumption that the compiler will dword-align the fields. (Thus,
- * changing the definition of deflate_state could easily cause this
- * program to crash horribly, without so much as a warning at
- * compile time. Sigh.)
- */
-#define dsWSize 36
-#define dsWMask 44
-#define dsWindow 48
-#define dsPrev 56
-#define dsMatchLen 88
-#define dsPrevMatch 92
-#define dsStrStart 100
-#define dsMatchStart 104
-#define dsLookahead 108
-#define dsPrevLen 112
-#define dsMaxChainLen 116
-#define dsGoodMatch 132
-#define dsNiceMatch 136
-
-
-.file "match.S"
-
-.globl match_init, longest_match
-
-.text
-
-/* uInt longest_match(deflate_state *deflatestate, IPos curmatch) */
-
-longest_match:
-
-/* Save registers that the compiler may be using, and adjust %esp to */
-/* make room for our stack frame. */
-
- pushl %ebp
- pushl %edi
- pushl %esi
- pushl %ebx
- subl $LocalVarsSize, %esp
-
-/* Retrieve the function arguments. %ecx will hold cur_match */
-/* throughout the entire function. %edx will hold the pointer to the */
-/* deflate_state structure during the function's setup (before */
-/* entering the main loop). */
-
- movl deflatestate(%esp), %edx
- movl curmatch(%esp), %ecx
-
-/* uInt wmask = s->w_mask; */
-/* unsigned chain_length = s->max_chain_length; */
-/* if (s->prev_length >= s->good_match) { */
-/* chain_length >>= 2; */
-/* } */
-
- movl dsPrevLen(%edx), %eax
- movl dsGoodMatch(%edx), %ebx
- cmpl %ebx, %eax
- movl dsWMask(%edx), %eax
- movl dsMaxChainLen(%edx), %ebx
- jl LastMatchGood
- shrl $2, %ebx
-LastMatchGood:
-
-/* chainlen is decremented once beforehand so that the function can */
-/* use the sign flag instead of the zero flag for the exit test. */
-/* It is then shifted into the high word, to make room for the wmask */
-/* value, which it will always accompany. */
-
- decl %ebx
- shll $16, %ebx
- orl %eax, %ebx
- movl %ebx, chainlenwmask(%esp)
-
-/* if ((uInt)nice_match > s->lookahead) nice_match = s->lookahead; */
-
- movl dsNiceMatch(%edx), %eax
- movl dsLookahead(%edx), %ebx
- cmpl %eax, %ebx
- jl LookaheadLess
- movl %eax, %ebx
-LookaheadLess: movl %ebx, nicematch(%esp)
-
-/* register Bytef *scan = s->window + s->strstart; */
-
- movl dsWindow(%edx), %esi
- movl %esi, window(%esp)
- movl dsStrStart(%edx), %ebp
- lea (%esi,%ebp), %edi
- movl %edi, scan(%esp)
-
-/* Determine how many bytes the scan ptr is off from being */
-/* dword-aligned. */
-
- movl %edi, %eax
- negl %eax
- andl $3, %eax
- movl %eax, scanalign(%esp)
-
-/* IPos limit = s->strstart > (IPos)MAX_DIST(s) ? */
-/* s->strstart - (IPos)MAX_DIST(s) : NIL; */
-
- movl dsWSize(%edx), %eax
- subl $MIN_LOOKAHEAD, %eax
- subl %eax, %ebp
- jg LimitPositive
- xorl %ebp, %ebp
-LimitPositive:
-
-/* int best_len = s->prev_length; */
-
- movl dsPrevLen(%edx), %eax
- movl %eax, bestlen(%esp)
-
-/* Store the sum of s->window + best_len in %esi locally, and in %esi. */
-
- addl %eax, %esi
- movl %esi, windowbestlen(%esp)
-
-/* register ush scan_start = *(ushf*)scan; */
-/* register ush scan_end = *(ushf*)(scan+best_len-1); */
-/* Posf *prev = s->prev; */
-
- movzwl (%edi), %ebx
- movl %ebx, scanstart(%esp)
- movzwl -1(%edi,%eax), %ebx
- movl %ebx, scanend(%esp)
- movl dsPrev(%edx), %edi
-
-/* Jump into the main loop. */
-
- movl chainlenwmask(%esp), %edx
- jmp LoopEntry
-
-.balign 16
-
-/* do {
- * match = s->window + cur_match;
- * if (*(ushf*)(match+best_len-1) != scan_end ||
- * *(ushf*)match != scan_start) continue;
- * [...]
- * } while ((cur_match = prev[cur_match & wmask]) > limit
- * && --chain_length != 0);
- *
- * Here is the inner loop of the function. The function will spend the
- * majority of its time in this loop, and majority of that time will
- * be spent in the first ten instructions.
- *
- * Within this loop:
- * %ebx = scanend
- * %ecx = curmatch
- * %edx = chainlenwmask - i.e., ((chainlen << 16) | wmask)
- * %esi = windowbestlen - i.e., (window + bestlen)
- * %edi = prev
- * %ebp = limit
- */
-LookupLoop:
- andl %edx, %ecx
- movzwl (%edi,%ecx,2), %ecx
- cmpl %ebp, %ecx
- jbe LeaveNow
- subl $0x00010000, %edx
- js LeaveNow
-LoopEntry: movzwl -1(%esi,%ecx), %eax
- cmpl %ebx, %eax
- jnz LookupLoop
- movl window(%esp), %eax
- movzwl (%eax,%ecx), %eax
- cmpl scanstart(%esp), %eax
- jnz LookupLoop
-
-/* Store the current value of chainlen. */
-
- movl %edx, chainlenwmask(%esp)
-
-/* Point %edi to the string under scrutiny, and %esi to the string we */
-/* are hoping to match it up with. In actuality, %esi and %edi are */
-/* both pointed (MAX_MATCH_8 - scanalign) bytes ahead, and %edx is */
-/* initialized to -(MAX_MATCH_8 - scanalign). */
-
- movl window(%esp), %esi
- movl scan(%esp), %edi
- addl %ecx, %esi
- movl scanalign(%esp), %eax
- movl $(-MAX_MATCH_8), %edx
- lea MAX_MATCH_8(%edi,%eax), %edi
- lea MAX_MATCH_8(%esi,%eax), %esi
-
-/* Test the strings for equality, 8 bytes at a time. At the end,
- * adjust %edx so that it is offset to the exact byte that mismatched.
- *
- * We already know at this point that the first three bytes of the
- * strings match each other, and they can be safely passed over before
- * starting the compare loop. So what this code does is skip over 0-3
- * bytes, as much as necessary in order to dword-align the %edi
- * pointer. (%esi will still be misaligned three times out of four.)
- *
- * It should be confessed that this loop usually does not represent
- * much of the total running time. Replacing it with a more
- * straightforward "rep cmpsb" would not drastically degrade
- * performance.
- */
-LoopCmps:
- movl (%esi,%edx), %eax
- xorl (%edi,%edx), %eax
- jnz LeaveLoopCmps
- movl 4(%esi,%edx), %eax
- xorl 4(%edi,%edx), %eax
- jnz LeaveLoopCmps4
- addl $8, %edx
- jnz LoopCmps
- jmp LenMaximum
-LeaveLoopCmps4: addl $4, %edx
-LeaveLoopCmps: testl $0x0000FFFF, %eax
- jnz LenLower
- addl $2, %edx
- shrl $16, %eax
-LenLower: subb $1, %al
- adcl $0, %edx
-
-/* Calculate the length of the match. If it is longer than MAX_MATCH, */
-/* then automatically accept it as the best possible match and leave. */
-
- lea (%edi,%edx), %eax
- movl scan(%esp), %edi
- subl %edi, %eax
- cmpl $MAX_MATCH, %eax
- jge LenMaximum
-
-/* If the length of the match is not longer than the best match we */
-/* have so far, then forget it and return to the lookup loop. */
-
- movl deflatestate(%esp), %edx
- movl bestlen(%esp), %ebx
- cmpl %ebx, %eax
- jg LongerMatch
- movl windowbestlen(%esp), %esi
- movl dsPrev(%edx), %edi
- movl scanend(%esp), %ebx
- movl chainlenwmask(%esp), %edx
- jmp LookupLoop
-
-/* s->match_start = cur_match; */
-/* best_len = len; */
-/* if (len >= nice_match) break; */
-/* scan_end = *(ushf*)(scan+best_len-1); */
-
-LongerMatch: movl nicematch(%esp), %ebx
- movl %eax, bestlen(%esp)
- movl %ecx, dsMatchStart(%edx)
- cmpl %ebx, %eax
- jge LeaveNow
- movl window(%esp), %esi
- addl %eax, %esi
- movl %esi, windowbestlen(%esp)
- movzwl -1(%edi,%eax), %ebx
- movl dsPrev(%edx), %edi
- movl %ebx, scanend(%esp)
- movl chainlenwmask(%esp), %edx
- jmp LookupLoop
-
-/* Accept the current string, with the maximum possible length. */
-
-LenMaximum: movl deflatestate(%esp), %edx
- movl $MAX_MATCH, bestlen(%esp)
- movl %ecx, dsMatchStart(%edx)
-
-/* if ((uInt)best_len <= s->lookahead) return (uInt)best_len; */
-/* return s->lookahead; */
-
-LeaveNow:
- movl deflatestate(%esp), %edx
- movl bestlen(%esp), %ebx
- movl dsLookahead(%edx), %eax
- cmpl %eax, %ebx
- jg LookaheadRet
- movl %ebx, %eax
-LookaheadRet:
-
-/* Restore the stack and return from whence we came. */
-
- addl $LocalVarsSize, %esp
- popl %ebx
- popl %esi
- popl %edi
- popl %ebp
-match_init: ret
diff --git a/linux/lib/zlib/trees.c b/linux/lib/zlib/trees.c
deleted file mode 100644
index b268ea305..000000000
--- a/linux/lib/zlib/trees.c
+++ /dev/null
@@ -1,1214 +0,0 @@
-/* trees.c -- output deflated data using Huffman coding
- * Copyright (C) 1995-2002 Jean-loup Gailly
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/*
- * ALGORITHM
- *
- * The "deflation" process uses several Huffman trees. The more
- * common source values are represented by shorter bit sequences.
- *
- * Each code tree is stored in a compressed form which is itself
- * a Huffman encoding of the lengths of all the code strings (in
- * ascending order by source values). The actual code strings are
- * reconstructed from the lengths in the inflate process, as described
- * in the deflate specification.
- *
- * REFERENCES
- *
- * Deutsch, L.P.,"'Deflate' Compressed Data Format Specification".
- * Available in ftp.uu.net:/pub/archiving/zip/doc/deflate-1.1.doc
- *
- * Storer, James A.
- * Data Compression: Methods and Theory, pp. 49-50.
- * Computer Science Press, 1988. ISBN 0-7167-8156-5.
- *
- * Sedgewick, R.
- * Algorithms, p290.
- * Addison-Wesley, 1983. ISBN 0-201-06672-6.
- */
-
-/* @(#) $Id: trees.c,v 1.1 2004/03/15 20:35:26 as Exp $ */
-
-/* #define GEN_TREES_H */
-
-#include "deflate.h"
-
-#ifdef DEBUG
-# include <ctype.h>
-#endif
-
-/* ===========================================================================
- * Constants
- */
-
-#define MAX_BL_BITS 7
-/* Bit length codes must not exceed MAX_BL_BITS bits */
-
-#define END_BLOCK 256
-/* end of block literal code */
-
-#define REP_3_6 16
-/* repeat previous bit length 3-6 times (2 bits of repeat count) */
-
-#define REPZ_3_10 17
-/* repeat a zero length 3-10 times (3 bits of repeat count) */
-
-#define REPZ_11_138 18
-/* repeat a zero length 11-138 times (7 bits of repeat count) */
-
-local const int extra_lbits[LENGTH_CODES] /* extra bits for each length code */
- = {0,0,0,0,0,0,0,0,1,1,1,1,2,2,2,2,3,3,3,3,4,4,4,4,5,5,5,5,0};
-
-local const int extra_dbits[D_CODES] /* extra bits for each distance code */
- = {0,0,0,0,1,1,2,2,3,3,4,4,5,5,6,6,7,7,8,8,9,9,10,10,11,11,12,12,13,13};
-
-local const int extra_blbits[BL_CODES]/* extra bits for each bit length code */
- = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,3,7};
-
-local const uch bl_order[BL_CODES]
- = {16,17,18,0,8,7,9,6,10,5,11,4,12,3,13,2,14,1,15};
-/* The lengths of the bit length codes are sent in order of decreasing
- * probability, to avoid transmitting the lengths for unused bit length codes.
- */
-
-#define Buf_size (8 * 2*sizeof(char))
-/* Number of bits used within bi_buf. (bi_buf might be implemented on
- * more than 16 bits on some systems.)
- */
-
-/* ===========================================================================
- * Local data. These are initialized only once.
- */
-
-#define DIST_CODE_LEN 512 /* see definition of array dist_code below */
-
-#if defined(GEN_TREES_H) || !defined(STDC)
-/* non ANSI compilers may not accept trees.h */
-
-local ct_data static_ltree[L_CODES+2];
-/* The static literal tree. Since the bit lengths are imposed, there is no
- * need for the L_CODES extra codes used during heap construction. However
- * The codes 286 and 287 are needed to build a canonical tree (see _tr_init
- * below).
- */
-
-local ct_data static_dtree[D_CODES];
-/* The static distance tree. (Actually a trivial tree since all codes use
- * 5 bits.)
- */
-
-uch _dist_code[DIST_CODE_LEN];
-/* Distance codes. The first 256 values correspond to the distances
- * 3 .. 258, the last 256 values correspond to the top 8 bits of
- * the 15 bit distances.
- */
-
-uch _length_code[MAX_MATCH-MIN_MATCH+1];
-/* length code for each normalized match length (0 == MIN_MATCH) */
-
-local int base_length[LENGTH_CODES];
-/* First normalized length for each code (0 = MIN_MATCH) */
-
-local int base_dist[D_CODES];
-/* First normalized distance for each code (0 = distance of 1) */
-
-#else
-# include "trees.h"
-#endif /* GEN_TREES_H */
-
-struct static_tree_desc_s {
- const ct_data *static_tree; /* static tree or NULL */
- const intf *extra_bits; /* extra bits for each code or NULL */
- int extra_base; /* base index for extra_bits */
- int elems; /* max number of elements in the tree */
- int max_length; /* max bit length for the codes */
-};
-
-local static_tree_desc static_l_desc =
-{static_ltree, extra_lbits, LITERALS+1, L_CODES, MAX_BITS};
-
-local static_tree_desc static_d_desc =
-{static_dtree, extra_dbits, 0, D_CODES, MAX_BITS};
-
-local static_tree_desc static_bl_desc =
-{(const ct_data *)0, extra_blbits, 0, BL_CODES, MAX_BL_BITS};
-
-/* ===========================================================================
- * Local (static) routines in this file.
- */
-
-local void tr_static_init OF((void));
-local void init_block OF((deflate_state *s));
-local void pqdownheap OF((deflate_state *s, ct_data *tree, int k));
-local void gen_bitlen OF((deflate_state *s, tree_desc *desc));
-local void gen_codes OF((ct_data *tree, int max_code, ushf *bl_count));
-local void build_tree OF((deflate_state *s, tree_desc *desc));
-local void scan_tree OF((deflate_state *s, ct_data *tree, int max_code));
-local void send_tree OF((deflate_state *s, ct_data *tree, int max_code));
-local int build_bl_tree OF((deflate_state *s));
-local void send_all_trees OF((deflate_state *s, int lcodes, int dcodes,
- int blcodes));
-local void compress_block OF((deflate_state *s, const ct_data *ltree,
- const ct_data *dtree));
-local void set_data_type OF((deflate_state *s));
-local unsigned bi_reverse OF((unsigned value, int length));
-local void bi_windup OF((deflate_state *s));
-local void bi_flush OF((deflate_state *s));
-local void copy_block OF((deflate_state *s, charf *buf, unsigned len,
- int header));
-
-#ifdef GEN_TREES_H
-local void gen_trees_header OF((void));
-#endif
-
-#ifndef DEBUG
-# define send_code(s, c, tree) send_bits(s, tree[c].Code, tree[c].Len)
- /* Send a code of the given tree. c and tree must not have side effects */
-
-#else /* DEBUG */
-# define send_code(s, c, tree) \
- { if (z_verbose>2) fprintf(stderr,"\ncd %3d ",(c)); \
- send_bits(s, tree[c].Code, tree[c].Len); }
-#endif
-
-/* ===========================================================================
- * Output a short LSB first on the stream.
- * IN assertion: there is enough room in pendingBuf.
- */
-#define put_short(s, w) { \
- put_byte(s, (uch)((w) & 0xff)); \
- put_byte(s, (uch)((ush)(w) >> 8)); \
-}
-
-/* ===========================================================================
- * Send a value on a given number of bits.
- * IN assertion: length <= 16 and value fits in length bits.
- */
-#ifdef DEBUG
-local void send_bits OF((deflate_state *s, int value, int length));
-
-local void send_bits(s, value, length)
- deflate_state *s;
- int value; /* value to send */
- int length; /* number of bits */
-{
- Tracevv((stderr," l %2d v %4x ", length, value));
- Assert(length > 0 && length <= 15, "invalid length");
- s->bits_sent += (ulg)length;
-
- /* If not enough room in bi_buf, use (valid) bits from bi_buf and
- * (16 - bi_valid) bits from value, leaving (width - (16-bi_valid))
- * unused bits in value.
- */
- if (s->bi_valid > (int)Buf_size - length) {
- s->bi_buf |= (value << s->bi_valid);
- put_short(s, s->bi_buf);
- s->bi_buf = (ush)value >> (Buf_size - s->bi_valid);
- s->bi_valid += length - Buf_size;
- } else {
- s->bi_buf |= value << s->bi_valid;
- s->bi_valid += length;
- }
-}
-#else /* !DEBUG */
-
-#define send_bits(s, value, length) \
-{ int len = length;\
- if (s->bi_valid > (int)Buf_size - len) {\
- int val = value;\
- s->bi_buf |= (val << s->bi_valid);\
- put_short(s, s->bi_buf);\
- s->bi_buf = (ush)val >> (Buf_size - s->bi_valid);\
- s->bi_valid += len - Buf_size;\
- } else {\
- s->bi_buf |= (value) << s->bi_valid;\
- s->bi_valid += len;\
- }\
-}
-#endif /* DEBUG */
-
-
-#define MAX(a,b) (a >= b ? a : b)
-/* the arguments must not have side effects */
-
-/* ===========================================================================
- * Initialize the various 'constant' tables.
- */
-local void tr_static_init()
-{
-#if defined(GEN_TREES_H) || !defined(STDC)
- static int static_init_done = 0;
- int n; /* iterates over tree elements */
- int bits; /* bit counter */
- int length; /* length value */
- int code; /* code value */
- int dist; /* distance index */
- ush bl_count[MAX_BITS+1];
- /* number of codes at each bit length for an optimal tree */
-
- if (static_init_done) return;
-
- /* For some embedded targets, global variables are not initialized: */
- static_l_desc.static_tree = static_ltree;
- static_l_desc.extra_bits = extra_lbits;
- static_d_desc.static_tree = static_dtree;
- static_d_desc.extra_bits = extra_dbits;
- static_bl_desc.extra_bits = extra_blbits;
-
- /* Initialize the mapping length (0..255) -> length code (0..28) */
- length = 0;
- for (code = 0; code < LENGTH_CODES-1; code++) {
- base_length[code] = length;
- for (n = 0; n < (1<<extra_lbits[code]); n++) {
- _length_code[length++] = (uch)code;
- }
- }
- Assert (length == 256, "tr_static_init: length != 256");
- /* Note that the length 255 (match length 258) can be represented
- * in two different ways: code 284 + 5 bits or code 285, so we
- * overwrite length_code[255] to use the best encoding:
- */
- _length_code[length-1] = (uch)code;
-
- /* Initialize the mapping dist (0..32K) -> dist code (0..29) */
- dist = 0;
- for (code = 0 ; code < 16; code++) {
- base_dist[code] = dist;
- for (n = 0; n < (1<<extra_dbits[code]); n++) {
- _dist_code[dist++] = (uch)code;
- }
- }
- Assert (dist == 256, "tr_static_init: dist != 256");
- dist >>= 7; /* from now on, all distances are divided by 128 */
- for ( ; code < D_CODES; code++) {
- base_dist[code] = dist << 7;
- for (n = 0; n < (1<<(extra_dbits[code]-7)); n++) {
- _dist_code[256 + dist++] = (uch)code;
- }
- }
- Assert (dist == 256, "tr_static_init: 256+dist != 512");
-
- /* Construct the codes of the static literal tree */
- for (bits = 0; bits <= MAX_BITS; bits++) bl_count[bits] = 0;
- n = 0;
- while (n <= 143) static_ltree[n++].Len = 8, bl_count[8]++;
- while (n <= 255) static_ltree[n++].Len = 9, bl_count[9]++;
- while (n <= 279) static_ltree[n++].Len = 7, bl_count[7]++;
- while (n <= 287) static_ltree[n++].Len = 8, bl_count[8]++;
- /* Codes 286 and 287 do not exist, but we must include them in the
- * tree construction to get a canonical Huffman tree (longest code
- * all ones)
- */
- gen_codes((ct_data *)static_ltree, L_CODES+1, bl_count);
-
- /* The static distance tree is trivial: */
- for (n = 0; n < D_CODES; n++) {
- static_dtree[n].Len = 5;
- static_dtree[n].Code = bi_reverse((unsigned)n, 5);
- }
- static_init_done = 1;
-
-# ifdef GEN_TREES_H
- gen_trees_header();
-# endif
-#endif /* defined(GEN_TREES_H) || !defined(STDC) */
-}
-
-/* ===========================================================================
- * Genererate the file trees.h describing the static trees.
- */
-#ifdef GEN_TREES_H
-# ifndef DEBUG
-# include <stdio.h>
-# endif
-
-# define SEPARATOR(i, last, width) \
- ((i) == (last)? "\n};\n\n" : \
- ((i) % (width) == (width)-1 ? ",\n" : ", "))
-
-void gen_trees_header()
-{
- FILE *header = fopen("trees.h", "w");
- int i;
-
- Assert (header != NULL, "Can't open trees.h");
- fprintf(header,
- "/* header created automatically with -DGEN_TREES_H */\n\n");
-
- fprintf(header, "local const ct_data static_ltree[L_CODES+2] = {\n");
- for (i = 0; i < L_CODES+2; i++) {
- fprintf(header, "{{%3u},{%3u}}%s", static_ltree[i].Code,
- static_ltree[i].Len, SEPARATOR(i, L_CODES+1, 5));
- }
-
- fprintf(header, "local const ct_data static_dtree[D_CODES] = {\n");
- for (i = 0; i < D_CODES; i++) {
- fprintf(header, "{{%2u},{%2u}}%s", static_dtree[i].Code,
- static_dtree[i].Len, SEPARATOR(i, D_CODES-1, 5));
- }
-
- fprintf(header, "const uch _dist_code[DIST_CODE_LEN] = {\n");
- for (i = 0; i < DIST_CODE_LEN; i++) {
- fprintf(header, "%2u%s", _dist_code[i],
- SEPARATOR(i, DIST_CODE_LEN-1, 20));
- }
-
- fprintf(header, "const uch _length_code[MAX_MATCH-MIN_MATCH+1]= {\n");
- for (i = 0; i < MAX_MATCH-MIN_MATCH+1; i++) {
- fprintf(header, "%2u%s", _length_code[i],
- SEPARATOR(i, MAX_MATCH-MIN_MATCH, 20));
- }
-
- fprintf(header, "local const int base_length[LENGTH_CODES] = {\n");
- for (i = 0; i < LENGTH_CODES; i++) {
- fprintf(header, "%1u%s", base_length[i],
- SEPARATOR(i, LENGTH_CODES-1, 20));
- }
-
- fprintf(header, "local const int base_dist[D_CODES] = {\n");
- for (i = 0; i < D_CODES; i++) {
- fprintf(header, "%5u%s", base_dist[i],
- SEPARATOR(i, D_CODES-1, 10));
- }
-
- fclose(header);
-}
-#endif /* GEN_TREES_H */
-
-/* ===========================================================================
- * Initialize the tree data structures for a new zlib stream.
- */
-void _tr_init(s)
- deflate_state *s;
-{
- tr_static_init();
-
- s->l_desc.dyn_tree = s->dyn_ltree;
- s->l_desc.stat_desc = &static_l_desc;
-
- s->d_desc.dyn_tree = s->dyn_dtree;
- s->d_desc.stat_desc = &static_d_desc;
-
- s->bl_desc.dyn_tree = s->bl_tree;
- s->bl_desc.stat_desc = &static_bl_desc;
-
- s->bi_buf = 0;
- s->bi_valid = 0;
- s->last_eob_len = 8; /* enough lookahead for inflate */
-#ifdef DEBUG
- s->compressed_len = 0L;
- s->bits_sent = 0L;
-#endif
-
- /* Initialize the first block of the first file: */
- init_block(s);
-}
-
-/* ===========================================================================
- * Initialize a new block.
- */
-local void init_block(s)
- deflate_state *s;
-{
- int n; /* iterates over tree elements */
-
- /* Initialize the trees. */
- for (n = 0; n < L_CODES; n++) s->dyn_ltree[n].Freq = 0;
- for (n = 0; n < D_CODES; n++) s->dyn_dtree[n].Freq = 0;
- for (n = 0; n < BL_CODES; n++) s->bl_tree[n].Freq = 0;
-
- s->dyn_ltree[END_BLOCK].Freq = 1;
- s->opt_len = s->static_len = 0L;
- s->last_lit = s->matches = 0;
-}
-
-#define SMALLEST 1
-/* Index within the heap array of least frequent node in the Huffman tree */
-
-
-/* ===========================================================================
- * Remove the smallest element from the heap and recreate the heap with
- * one less element. Updates heap and heap_len.
- */
-#define pqremove(s, tree, top) \
-{\
- top = s->heap[SMALLEST]; \
- s->heap[SMALLEST] = s->heap[s->heap_len--]; \
- pqdownheap(s, tree, SMALLEST); \
-}
-
-/* ===========================================================================
- * Compares to subtrees, using the tree depth as tie breaker when
- * the subtrees have equal frequency. This minimizes the worst case length.
- */
-#define smaller(tree, n, m, depth) \
- (tree[n].Freq < tree[m].Freq || \
- (tree[n].Freq == tree[m].Freq && depth[n] <= depth[m]))
-
-/* ===========================================================================
- * Restore the heap property by moving down the tree starting at node k,
- * exchanging a node with the smallest of its two sons if necessary, stopping
- * when the heap property is re-established (each father smaller than its
- * two sons).
- */
-local void pqdownheap(s, tree, k)
- deflate_state *s;
- ct_data *tree; /* the tree to restore */
- int k; /* node to move down */
-{
- int v = s->heap[k];
- int j = k << 1; /* left son of k */
- while (j <= s->heap_len) {
- /* Set j to the smallest of the two sons: */
- if (j < s->heap_len &&
- smaller(tree, s->heap[j+1], s->heap[j], s->depth)) {
- j++;
- }
- /* Exit if v is smaller than both sons */
- if (smaller(tree, v, s->heap[j], s->depth)) break;
-
- /* Exchange v with the smallest son */
- s->heap[k] = s->heap[j]; k = j;
-
- /* And continue down the tree, setting j to the left son of k */
- j <<= 1;
- }
- s->heap[k] = v;
-}
-
-/* ===========================================================================
- * Compute the optimal bit lengths for a tree and update the total bit length
- * for the current block.
- * IN assertion: the fields freq and dad are set, heap[heap_max] and
- * above are the tree nodes sorted by increasing frequency.
- * OUT assertions: the field len is set to the optimal bit length, the
- * array bl_count contains the frequencies for each bit length.
- * The length opt_len is updated; static_len is also updated if stree is
- * not null.
- */
-local void gen_bitlen(s, desc)
- deflate_state *s;
- tree_desc *desc; /* the tree descriptor */
-{
- ct_data *tree = desc->dyn_tree;
- int max_code = desc->max_code;
- const ct_data *stree = desc->stat_desc->static_tree;
- const intf *extra = desc->stat_desc->extra_bits;
- int base = desc->stat_desc->extra_base;
- int max_length = desc->stat_desc->max_length;
- int h; /* heap index */
- int n, m; /* iterate over the tree elements */
- int bits; /* bit length */
- int xbits; /* extra bits */
- ush f; /* frequency */
- int overflow = 0; /* number of elements with bit length too large */
-
- for (bits = 0; bits <= MAX_BITS; bits++) s->bl_count[bits] = 0;
-
- /* In a first pass, compute the optimal bit lengths (which may
- * overflow in the case of the bit length tree).
- */
- tree[s->heap[s->heap_max]].Len = 0; /* root of the heap */
-
- for (h = s->heap_max+1; h < HEAP_SIZE; h++) {
- n = s->heap[h];
- bits = tree[tree[n].Dad].Len + 1;
- if (bits > max_length) bits = max_length, overflow++;
- tree[n].Len = (ush)bits;
- /* We overwrite tree[n].Dad which is no longer needed */
-
- if (n > max_code) continue; /* not a leaf node */
-
- s->bl_count[bits]++;
- xbits = 0;
- if (n >= base) xbits = extra[n-base];
- f = tree[n].Freq;
- s->opt_len += (ulg)f * (bits + xbits);
- if (stree) s->static_len += (ulg)f * (stree[n].Len + xbits);
- }
- if (overflow == 0) return;
-
- Trace((stderr,"\nbit length overflow\n"));
- /* This happens for example on obj2 and pic of the Calgary corpus */
-
- /* Find the first bit length which could increase: */
- do {
- bits = max_length-1;
- while (s->bl_count[bits] == 0) bits--;
- s->bl_count[bits]--; /* move one leaf down the tree */
- s->bl_count[bits+1] += 2; /* move one overflow item as its brother */
- s->bl_count[max_length]--;
- /* The brother of the overflow item also moves one step up,
- * but this does not affect bl_count[max_length]
- */
- overflow -= 2;
- } while (overflow > 0);
-
- /* Now recompute all bit lengths, scanning in increasing frequency.
- * h is still equal to HEAP_SIZE. (It is simpler to reconstruct all
- * lengths instead of fixing only the wrong ones. This idea is taken
- * from 'ar' written by Haruhiko Okumura.)
- */
- for (bits = max_length; bits != 0; bits--) {
- n = s->bl_count[bits];
- while (n != 0) {
- m = s->heap[--h];
- if (m > max_code) continue;
- if (tree[m].Len != (unsigned) bits) {
- Trace((stderr,"code %d bits %d->%d\n", m, tree[m].Len, bits));
- s->opt_len += ((long)bits - (long)tree[m].Len)
- *(long)tree[m].Freq;
- tree[m].Len = (ush)bits;
- }
- n--;
- }
- }
-}
-
-/* ===========================================================================
- * Generate the codes for a given tree and bit counts (which need not be
- * optimal).
- * IN assertion: the array bl_count contains the bit length statistics for
- * the given tree and the field len is set for all tree elements.
- * OUT assertion: the field code is set for all tree elements of non
- * zero code length.
- */
-local void gen_codes (tree, max_code, bl_count)
- ct_data *tree; /* the tree to decorate */
- int max_code; /* largest code with non zero frequency */
- ushf *bl_count; /* number of codes at each bit length */
-{
- ush next_code[MAX_BITS+1]; /* next code value for each bit length */
- ush code = 0; /* running code value */
- int bits; /* bit index */
- int n; /* code index */
-
- /* The distribution counts are first used to generate the code values
- * without bit reversal.
- */
- for (bits = 1; bits <= MAX_BITS; bits++) {
- next_code[bits] = code = (code + bl_count[bits-1]) << 1;
- }
- /* Check that the bit counts in bl_count are consistent. The last code
- * must be all ones.
- */
- Assert (code + bl_count[MAX_BITS]-1 == (1<<MAX_BITS)-1,
- "inconsistent bit counts");
- Tracev((stderr,"\ngen_codes: max_code %d ", max_code));
-
- for (n = 0; n <= max_code; n++) {
- int len = tree[n].Len;
- if (len == 0) continue;
- /* Now reverse the bits */
- tree[n].Code = bi_reverse(next_code[len]++, len);
-
- Tracecv(tree != static_ltree, (stderr,"\nn %3d %c l %2d c %4x (%x) ",
- n, (isgraph(n) ? n : ' '), len, tree[n].Code, next_code[len]-1));
- }
-}
-
-/* ===========================================================================
- * Construct one Huffman tree and assigns the code bit strings and lengths.
- * Update the total bit length for the current block.
- * IN assertion: the field freq is set for all tree elements.
- * OUT assertions: the fields len and code are set to the optimal bit length
- * and corresponding code. The length opt_len is updated; static_len is
- * also updated if stree is not null. The field max_code is set.
- */
-local void build_tree(s, desc)
- deflate_state *s;
- tree_desc *desc; /* the tree descriptor */
-{
- ct_data *tree = desc->dyn_tree;
- const ct_data *stree = desc->stat_desc->static_tree;
- int elems = desc->stat_desc->elems;
- int n, m; /* iterate over heap elements */
- int max_code = -1; /* largest code with non zero frequency */
- int node; /* new node being created */
-
- /* Construct the initial heap, with least frequent element in
- * heap[SMALLEST]. The sons of heap[n] are heap[2*n] and heap[2*n+1].
- * heap[0] is not used.
- */
- s->heap_len = 0, s->heap_max = HEAP_SIZE;
-
- for (n = 0; n < elems; n++) {
- if (tree[n].Freq != 0) {
- s->heap[++(s->heap_len)] = max_code = n;
- s->depth[n] = 0;
- } else {
- tree[n].Len = 0;
- }
- }
-
- /* The pkzip format requires that at least one distance code exists,
- * and that at least one bit should be sent even if there is only one
- * possible code. So to avoid special checks later on we force at least
- * two codes of non zero frequency.
- */
- while (s->heap_len < 2) {
- node = s->heap[++(s->heap_len)] = (max_code < 2 ? ++max_code : 0);
- tree[node].Freq = 1;
- s->depth[node] = 0;
- s->opt_len--; if (stree) s->static_len -= stree[node].Len;
- /* node is 0 or 1 so it does not have extra bits */
- }
- desc->max_code = max_code;
-
- /* The elements heap[heap_len/2+1 .. heap_len] are leaves of the tree,
- * establish sub-heaps of increasing lengths:
- */
- for (n = s->heap_len/2; n >= 1; n--) pqdownheap(s, tree, n);
-
- /* Construct the Huffman tree by repeatedly combining the least two
- * frequent nodes.
- */
- node = elems; /* next internal node of the tree */
- do {
- pqremove(s, tree, n); /* n = node of least frequency */
- m = s->heap[SMALLEST]; /* m = node of next least frequency */
-
- s->heap[--(s->heap_max)] = n; /* keep the nodes sorted by frequency */
- s->heap[--(s->heap_max)] = m;
-
- /* Create a new node father of n and m */
- tree[node].Freq = tree[n].Freq + tree[m].Freq;
- s->depth[node] = (uch) (MAX(s->depth[n], s->depth[m]) + 1);
- tree[n].Dad = tree[m].Dad = (ush)node;
-#ifdef DUMP_BL_TREE
- if (tree == s->bl_tree) {
- fprintf(stderr,"\nnode %d(%d), sons %d(%d) %d(%d)",
- node, tree[node].Freq, n, tree[n].Freq, m, tree[m].Freq);
- }
-#endif
- /* and insert the new node in the heap */
- s->heap[SMALLEST] = node++;
- pqdownheap(s, tree, SMALLEST);
-
- } while (s->heap_len >= 2);
-
- s->heap[--(s->heap_max)] = s->heap[SMALLEST];
-
- /* At this point, the fields freq and dad are set. We can now
- * generate the bit lengths.
- */
- gen_bitlen(s, (tree_desc *)desc);
-
- /* The field len is now set, we can generate the bit codes */
- gen_codes ((ct_data *)tree, max_code, s->bl_count);
-}
-
-/* ===========================================================================
- * Scan a literal or distance tree to determine the frequencies of the codes
- * in the bit length tree.
- */
-local void scan_tree (s, tree, max_code)
- deflate_state *s;
- ct_data *tree; /* the tree to be scanned */
- int max_code; /* and its largest code of non zero frequency */
-{
- int n; /* iterates over all tree elements */
- int prevlen = -1; /* last emitted length */
- int curlen; /* length of current code */
- int nextlen = tree[0].Len; /* length of next code */
- int count = 0; /* repeat count of the current code */
- int max_count = 7; /* max repeat count */
- int min_count = 4; /* min repeat count */
-
- if (nextlen == 0) max_count = 138, min_count = 3;
- tree[max_code+1].Len = (ush)0xffff; /* guard */
-
- for (n = 0; n <= max_code; n++) {
- curlen = nextlen; nextlen = tree[n+1].Len;
- if (++count < max_count && curlen == nextlen) {
- continue;
- } else if (count < min_count) {
- s->bl_tree[curlen].Freq += count;
- } else if (curlen != 0) {
- if (curlen != prevlen) s->bl_tree[curlen].Freq++;
- s->bl_tree[REP_3_6].Freq++;
- } else if (count <= 10) {
- s->bl_tree[REPZ_3_10].Freq++;
- } else {
- s->bl_tree[REPZ_11_138].Freq++;
- }
- count = 0; prevlen = curlen;
- if (nextlen == 0) {
- max_count = 138, min_count = 3;
- } else if (curlen == nextlen) {
- max_count = 6, min_count = 3;
- } else {
- max_count = 7, min_count = 4;
- }
- }
-}
-
-/* ===========================================================================
- * Send a literal or distance tree in compressed form, using the codes in
- * bl_tree.
- */
-local void send_tree (s, tree, max_code)
- deflate_state *s;
- ct_data *tree; /* the tree to be scanned */
- int max_code; /* and its largest code of non zero frequency */
-{
- int n; /* iterates over all tree elements */
- int prevlen = -1; /* last emitted length */
- int curlen; /* length of current code */
- int nextlen = tree[0].Len; /* length of next code */
- int count = 0; /* repeat count of the current code */
- int max_count = 7; /* max repeat count */
- int min_count = 4; /* min repeat count */
-
- /* tree[max_code+1].Len = -1; */ /* guard already set */
- if (nextlen == 0) max_count = 138, min_count = 3;
-
- for (n = 0; n <= max_code; n++) {
- curlen = nextlen; nextlen = tree[n+1].Len;
- if (++count < max_count && curlen == nextlen) {
- continue;
- } else if (count < min_count) {
- do { send_code(s, curlen, s->bl_tree); } while (--count != 0);
-
- } else if (curlen != 0) {
- if (curlen != prevlen) {
- send_code(s, curlen, s->bl_tree); count--;
- }
- Assert(count >= 3 && count <= 6, " 3_6?");
- send_code(s, REP_3_6, s->bl_tree); send_bits(s, count-3, 2);
-
- } else if (count <= 10) {
- send_code(s, REPZ_3_10, s->bl_tree); send_bits(s, count-3, 3);
-
- } else {
- send_code(s, REPZ_11_138, s->bl_tree); send_bits(s, count-11, 7);
- }
- count = 0; prevlen = curlen;
- if (nextlen == 0) {
- max_count = 138, min_count = 3;
- } else if (curlen == nextlen) {
- max_count = 6, min_count = 3;
- } else {
- max_count = 7, min_count = 4;
- }
- }
-}
-
-/* ===========================================================================
- * Construct the Huffman tree for the bit lengths and return the index in
- * bl_order of the last bit length code to send.
- */
-local int build_bl_tree(s)
- deflate_state *s;
-{
- int max_blindex; /* index of last bit length code of non zero freq */
-
- /* Determine the bit length frequencies for literal and distance trees */
- scan_tree(s, (ct_data *)s->dyn_ltree, s->l_desc.max_code);
- scan_tree(s, (ct_data *)s->dyn_dtree, s->d_desc.max_code);
-
- /* Build the bit length tree: */
- build_tree(s, (tree_desc *)(&(s->bl_desc)));
- /* opt_len now includes the length of the tree representations, except
- * the lengths of the bit lengths codes and the 5+5+4 bits for the counts.
- */
-
- /* Determine the number of bit length codes to send. The pkzip format
- * requires that at least 4 bit length codes be sent. (appnote.txt says
- * 3 but the actual value used is 4.)
- */
- for (max_blindex = BL_CODES-1; max_blindex >= 3; max_blindex--) {
- if (s->bl_tree[bl_order[max_blindex]].Len != 0) break;
- }
- /* Update opt_len to include the bit length tree and counts */
- s->opt_len += 3*(max_blindex+1) + 5+5+4;
- Tracev((stderr, "\ndyn trees: dyn %ld, stat %ld",
- s->opt_len, s->static_len));
-
- return max_blindex;
-}
-
-/* ===========================================================================
- * Send the header for a block using dynamic Huffman trees: the counts, the
- * lengths of the bit length codes, the literal tree and the distance tree.
- * IN assertion: lcodes >= 257, dcodes >= 1, blcodes >= 4.
- */
-local void send_all_trees(s, lcodes, dcodes, blcodes)
- deflate_state *s;
- int lcodes, dcodes, blcodes; /* number of codes for each tree */
-{
- int rank; /* index in bl_order */
-
- Assert (lcodes >= 257 && dcodes >= 1 && blcodes >= 4, "not enough codes");
- Assert (lcodes <= L_CODES && dcodes <= D_CODES && blcodes <= BL_CODES,
- "too many codes");
- Tracev((stderr, "\nbl counts: "));
- send_bits(s, lcodes-257, 5); /* not +255 as stated in appnote.txt */
- send_bits(s, dcodes-1, 5);
- send_bits(s, blcodes-4, 4); /* not -3 as stated in appnote.txt */
- for (rank = 0; rank < blcodes; rank++) {
- Tracev((stderr, "\nbl code %2d ", bl_order[rank]));
- send_bits(s, s->bl_tree[bl_order[rank]].Len, 3);
- }
- Tracev((stderr, "\nbl tree: sent %ld", s->bits_sent));
-
- send_tree(s, (ct_data *)s->dyn_ltree, lcodes-1); /* literal tree */
- Tracev((stderr, "\nlit tree: sent %ld", s->bits_sent));
-
- send_tree(s, (ct_data *)s->dyn_dtree, dcodes-1); /* distance tree */
- Tracev((stderr, "\ndist tree: sent %ld", s->bits_sent));
-}
-
-/* ===========================================================================
- * Send a stored block
- */
-void _tr_stored_block(s, buf, stored_len, eof)
- deflate_state *s;
- charf *buf; /* input block */
- ulg stored_len; /* length of input block */
- int eof; /* true if this is the last block for a file */
-{
- send_bits(s, (STORED_BLOCK<<1)+eof, 3); /* send block type */
-#ifdef DEBUG
- s->compressed_len = (s->compressed_len + 3 + 7) & (ulg)~7L;
- s->compressed_len += (stored_len + 4) << 3;
-#endif
- copy_block(s, buf, (unsigned)stored_len, 1); /* with header */
-}
-
-/* ===========================================================================
- * Send one empty static block to give enough lookahead for inflate.
- * This takes 10 bits, of which 7 may remain in the bit buffer.
- * The current inflate code requires 9 bits of lookahead. If the
- * last two codes for the previous block (real code plus EOB) were coded
- * on 5 bits or less, inflate may have only 5+3 bits of lookahead to decode
- * the last real code. In this case we send two empty static blocks instead
- * of one. (There are no problems if the previous block is stored or fixed.)
- * To simplify the code, we assume the worst case of last real code encoded
- * on one bit only.
- */
-void _tr_align(s)
- deflate_state *s;
-{
- send_bits(s, STATIC_TREES<<1, 3);
- send_code(s, END_BLOCK, static_ltree);
-#ifdef DEBUG
- s->compressed_len += 10L; /* 3 for block type, 7 for EOB */
-#endif
- bi_flush(s);
- /* Of the 10 bits for the empty block, we have already sent
- * (10 - bi_valid) bits. The lookahead for the last real code (before
- * the EOB of the previous block) was thus at least one plus the length
- * of the EOB plus what we have just sent of the empty static block.
- */
- if (1 + s->last_eob_len + 10 - s->bi_valid < 9) {
- send_bits(s, STATIC_TREES<<1, 3);
- send_code(s, END_BLOCK, static_ltree);
-#ifdef DEBUG
- s->compressed_len += 10L;
-#endif
- bi_flush(s);
- }
- s->last_eob_len = 7;
-}
-
-/* ===========================================================================
- * Determine the best encoding for the current block: dynamic trees, static
- * trees or store, and output the encoded block to the zip file.
- */
-void _tr_flush_block(s, buf, stored_len, eof)
- deflate_state *s;
- charf *buf; /* input block, or NULL if too old */
- ulg stored_len; /* length of input block */
- int eof; /* true if this is the last block for a file */
-{
- ulg opt_lenb, static_lenb; /* opt_len and static_len in bytes */
- int max_blindex = 0; /* index of last bit length code of non zero freq */
-
- /* Build the Huffman trees unless a stored block is forced */
- if (s->level > 0) {
-
- /* Check if the file is ascii or binary */
- if (s->data_type == Z_UNKNOWN) set_data_type(s);
-
- /* Construct the literal and distance trees */
- build_tree(s, (tree_desc *)(&(s->l_desc)));
- Tracev((stderr, "\nlit data: dyn %ld, stat %ld", s->opt_len,
- s->static_len));
-
- build_tree(s, (tree_desc *)(&(s->d_desc)));
- Tracev((stderr, "\ndist data: dyn %ld, stat %ld", s->opt_len,
- s->static_len));
- /* At this point, opt_len and static_len are the total bit lengths of
- * the compressed block data, excluding the tree representations.
- */
-
- /* Build the bit length tree for the above two trees, and get the index
- * in bl_order of the last bit length code to send.
- */
- max_blindex = build_bl_tree(s);
-
- /* Determine the best encoding. Compute first the block length in bytes*/
- opt_lenb = (s->opt_len+3+7)>>3;
- static_lenb = (s->static_len+3+7)>>3;
-
- Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ",
- opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len,
- s->last_lit));
-
- if (static_lenb <= opt_lenb) opt_lenb = static_lenb;
-
- } else {
- Assert(buf != (char*)0, "lost buf");
- opt_lenb = static_lenb = stored_len + 5; /* force a stored block */
- }
-
-#ifdef FORCE_STORED
- if (buf != (char*)0) { /* force stored block */
-#else
- if (stored_len+4 <= opt_lenb && buf != (char*)0) {
- /* 4: two words for the lengths */
-#endif
- /* The test buf != NULL is only necessary if LIT_BUFSIZE > WSIZE.
- * Otherwise we can't have processed more than WSIZE input bytes since
- * the last block flush, because compression would have been
- * successful. If LIT_BUFSIZE <= WSIZE, it is never too late to
- * transform a block into a stored block.
- */
- _tr_stored_block(s, buf, stored_len, eof);
-
-#ifdef FORCE_STATIC
- } else if (static_lenb >= 0) { /* force static trees */
-#else
- } else if (static_lenb == opt_lenb) {
-#endif
- send_bits(s, (STATIC_TREES<<1)+eof, 3);
- compress_block(s, static_ltree, static_dtree);
-#ifdef DEBUG
- s->compressed_len += 3 + s->static_len;
-#endif
- } else {
- send_bits(s, (DYN_TREES<<1)+eof, 3);
- send_all_trees(s, s->l_desc.max_code+1, s->d_desc.max_code+1,
- max_blindex+1);
- compress_block(s, s->dyn_ltree, s->dyn_dtree);
-#ifdef DEBUG
- s->compressed_len += 3 + s->opt_len;
-#endif
- }
- Assert (s->compressed_len == s->bits_sent, "bad compressed size");
- /* The above check is made mod 2^32, for files larger than 512 MB
- * and uLong implemented on 32 bits.
- */
- init_block(s);
-
- if (eof) {
- bi_windup(s);
-#ifdef DEBUG
- s->compressed_len += 7; /* align on byte boundary */
-#endif
- }
- Tracev((stderr,"\ncomprlen %lu(%lu) ", s->compressed_len>>3,
- s->compressed_len-7*eof));
-}
-
-/* ===========================================================================
- * Save the match info and tally the frequency counts. Return true if
- * the current block must be flushed.
- */
-int _tr_tally (s, dist, lc)
- deflate_state *s;
- unsigned dist; /* distance of matched string */
- unsigned lc; /* match length-MIN_MATCH or unmatched char (if dist==0) */
-{
- s->d_buf[s->last_lit] = (ush)dist;
- s->l_buf[s->last_lit++] = (uch)lc;
- if (dist == 0) {
- /* lc is the unmatched char */
- s->dyn_ltree[lc].Freq++;
- } else {
- s->matches++;
- /* Here, lc is the match length - MIN_MATCH */
- dist--; /* dist = match distance - 1 */
- Assert((ush)dist < (ush)MAX_DIST(s) &&
- (ush)lc <= (ush)(MAX_MATCH-MIN_MATCH) &&
- (ush)d_code(dist) < (ush)D_CODES, "_tr_tally: bad match");
-
- s->dyn_ltree[_length_code[lc]+LITERALS+1].Freq++;
- s->dyn_dtree[d_code(dist)].Freq++;
- }
-
-#ifdef TRUNCATE_BLOCK
- /* Try to guess if it is profitable to stop the current block here */
- if ((s->last_lit & 0x1fff) == 0 && s->level > 2) {
- /* Compute an upper bound for the compressed length */
- ulg out_length = (ulg)s->last_lit*8L;
- ulg in_length = (ulg)((long)s->strstart - s->block_start);
- int dcode;
- for (dcode = 0; dcode < D_CODES; dcode++) {
- out_length += (ulg)s->dyn_dtree[dcode].Freq *
- (5L+extra_dbits[dcode]);
- }
- out_length >>= 3;
- Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ",
- s->last_lit, in_length, out_length,
- 100L - out_length*100L/in_length));
- if (s->matches < s->last_lit/2 && out_length < in_length/2) return 1;
- }
-#endif
- return (s->last_lit == s->lit_bufsize-1);
- /* We avoid equality with lit_bufsize because of wraparound at 64K
- * on 16 bit machines and because stored blocks are restricted to
- * 64K-1 bytes.
- */
-}
-
-/* ===========================================================================
- * Send the block data compressed using the given Huffman trees
- */
-local void compress_block(s, ltree, dtree)
- deflate_state *s;
- const ct_data *ltree; /* literal tree */
- const ct_data *dtree; /* distance tree */
-{
- unsigned dist; /* distance of matched string */
- int lc; /* match length or unmatched char (if dist == 0) */
- unsigned lx = 0; /* running index in l_buf */
- unsigned code; /* the code to send */
- int extra; /* number of extra bits to send */
-
- if (s->last_lit != 0) do {
- dist = s->d_buf[lx];
- lc = s->l_buf[lx++];
- if (dist == 0) {
- send_code(s, lc, ltree); /* send a literal byte */
- Tracecv(isgraph(lc), (stderr," '%c' ", lc));
- } else {
- /* Here, lc is the match length - MIN_MATCH */
- code = _length_code[lc];
- send_code(s, code+LITERALS+1, ltree); /* send the length code */
- extra = extra_lbits[code];
- if (extra != 0) {
- lc -= base_length[code];
- send_bits(s, lc, extra); /* send the extra length bits */
- }
- dist--; /* dist is now the match distance - 1 */
- code = d_code(dist);
- Assert (code < D_CODES, "bad d_code");
-
- send_code(s, code, dtree); /* send the distance code */
- extra = extra_dbits[code];
- if (extra != 0) {
- dist -= base_dist[code];
- send_bits(s, dist, extra); /* send the extra distance bits */
- }
- } /* literal or match pair ? */
-
- /* Check that the overlay between pending_buf and d_buf+l_buf is ok: */
- Assert(s->pending < s->lit_bufsize + 2*lx, "pendingBuf overflow");
-
- } while (lx < s->last_lit);
-
- send_code(s, END_BLOCK, ltree);
- s->last_eob_len = ltree[END_BLOCK].Len;
-}
-
-/* ===========================================================================
- * Set the data type to ASCII or BINARY, using a crude approximation:
- * binary if more than 20% of the bytes are <= 6 or >= 128, ascii otherwise.
- * IN assertion: the fields freq of dyn_ltree are set and the total of all
- * frequencies does not exceed 64K (to fit in an int on 16 bit machines).
- */
-local void set_data_type(s)
- deflate_state *s;
-{
- int n = 0;
- unsigned ascii_freq = 0;
- unsigned bin_freq = 0;
- while (n < 7) bin_freq += s->dyn_ltree[n++].Freq;
- while (n < 128) ascii_freq += s->dyn_ltree[n++].Freq;
- while (n < LITERALS) bin_freq += s->dyn_ltree[n++].Freq;
- s->data_type = (Byte)(bin_freq > (ascii_freq >> 2) ? Z_BINARY : Z_ASCII);
-}
-
-/* ===========================================================================
- * Reverse the first len bits of a code, using straightforward code (a faster
- * method would use a table)
- * IN assertion: 1 <= len <= 15
- */
-local unsigned bi_reverse(code, len)
- unsigned code; /* the value to invert */
- int len; /* its bit length */
-{
- register unsigned res = 0;
- do {
- res |= code & 1;
- code >>= 1, res <<= 1;
- } while (--len > 0);
- return res >> 1;
-}
-
-/* ===========================================================================
- * Flush the bit buffer, keeping at most 7 bits in it.
- */
-local void bi_flush(s)
- deflate_state *s;
-{
- if (s->bi_valid == 16) {
- put_short(s, s->bi_buf);
- s->bi_buf = 0;
- s->bi_valid = 0;
- } else if (s->bi_valid >= 8) {
- put_byte(s, (Byte)s->bi_buf);
- s->bi_buf >>= 8;
- s->bi_valid -= 8;
- }
-}
-
-/* ===========================================================================
- * Flush the bit buffer and align the output on a byte boundary
- */
-local void bi_windup(s)
- deflate_state *s;
-{
- if (s->bi_valid > 8) {
- put_short(s, s->bi_buf);
- } else if (s->bi_valid > 0) {
- put_byte(s, (Byte)s->bi_buf);
- }
- s->bi_buf = 0;
- s->bi_valid = 0;
-#ifdef DEBUG
- s->bits_sent = (s->bits_sent+7) & ~7;
-#endif
-}
-
-/* ===========================================================================
- * Copy a stored block, storing first the length and its
- * one's complement if requested.
- */
-local void copy_block(s, buf, len, header)
- deflate_state *s;
- charf *buf; /* the input data */
- unsigned len; /* its length */
- int header; /* true if block header must be written */
-{
- bi_windup(s); /* align on byte boundary */
- s->last_eob_len = 8; /* enough lookahead for inflate */
-
- if (header) {
- put_short(s, (ush)len);
- put_short(s, (ush)~len);
-#ifdef DEBUG
- s->bits_sent += 2*16;
-#endif
- }
-#ifdef DEBUG
- s->bits_sent += (ulg)len<<3;
-#endif
- while (len--) {
- put_byte(s, *buf++);
- }
-}
diff --git a/linux/lib/zlib/trees.h b/linux/lib/zlib/trees.h
deleted file mode 100644
index 72facf900..000000000
--- a/linux/lib/zlib/trees.h
+++ /dev/null
@@ -1,128 +0,0 @@
-/* header created automatically with -DGEN_TREES_H */
-
-local const ct_data static_ltree[L_CODES+2] = {
-{{ 12},{ 8}}, {{140},{ 8}}, {{ 76},{ 8}}, {{204},{ 8}}, {{ 44},{ 8}},
-{{172},{ 8}}, {{108},{ 8}}, {{236},{ 8}}, {{ 28},{ 8}}, {{156},{ 8}},
-{{ 92},{ 8}}, {{220},{ 8}}, {{ 60},{ 8}}, {{188},{ 8}}, {{124},{ 8}},
-{{252},{ 8}}, {{ 2},{ 8}}, {{130},{ 8}}, {{ 66},{ 8}}, {{194},{ 8}},
-{{ 34},{ 8}}, {{162},{ 8}}, {{ 98},{ 8}}, {{226},{ 8}}, {{ 18},{ 8}},
-{{146},{ 8}}, {{ 82},{ 8}}, {{210},{ 8}}, {{ 50},{ 8}}, {{178},{ 8}},
-{{114},{ 8}}, {{242},{ 8}}, {{ 10},{ 8}}, {{138},{ 8}}, {{ 74},{ 8}},
-{{202},{ 8}}, {{ 42},{ 8}}, {{170},{ 8}}, {{106},{ 8}}, {{234},{ 8}},
-{{ 26},{ 8}}, {{154},{ 8}}, {{ 90},{ 8}}, {{218},{ 8}}, {{ 58},{ 8}},
-{{186},{ 8}}, {{122},{ 8}}, {{250},{ 8}}, {{ 6},{ 8}}, {{134},{ 8}},
-{{ 70},{ 8}}, {{198},{ 8}}, {{ 38},{ 8}}, {{166},{ 8}}, {{102},{ 8}},
-{{230},{ 8}}, {{ 22},{ 8}}, {{150},{ 8}}, {{ 86},{ 8}}, {{214},{ 8}},
-{{ 54},{ 8}}, {{182},{ 8}}, {{118},{ 8}}, {{246},{ 8}}, {{ 14},{ 8}},
-{{142},{ 8}}, {{ 78},{ 8}}, {{206},{ 8}}, {{ 46},{ 8}}, {{174},{ 8}},
-{{110},{ 8}}, {{238},{ 8}}, {{ 30},{ 8}}, {{158},{ 8}}, {{ 94},{ 8}},
-{{222},{ 8}}, {{ 62},{ 8}}, {{190},{ 8}}, {{126},{ 8}}, {{254},{ 8}},
-{{ 1},{ 8}}, {{129},{ 8}}, {{ 65},{ 8}}, {{193},{ 8}}, {{ 33},{ 8}},
-{{161},{ 8}}, {{ 97},{ 8}}, {{225},{ 8}}, {{ 17},{ 8}}, {{145},{ 8}},
-{{ 81},{ 8}}, {{209},{ 8}}, {{ 49},{ 8}}, {{177},{ 8}}, {{113},{ 8}},
-{{241},{ 8}}, {{ 9},{ 8}}, {{137},{ 8}}, {{ 73},{ 8}}, {{201},{ 8}},
-{{ 41},{ 8}}, {{169},{ 8}}, {{105},{ 8}}, {{233},{ 8}}, {{ 25},{ 8}},
-{{153},{ 8}}, {{ 89},{ 8}}, {{217},{ 8}}, {{ 57},{ 8}}, {{185},{ 8}},
-{{121},{ 8}}, {{249},{ 8}}, {{ 5},{ 8}}, {{133},{ 8}}, {{ 69},{ 8}},
-{{197},{ 8}}, {{ 37},{ 8}}, {{165},{ 8}}, {{101},{ 8}}, {{229},{ 8}},
-{{ 21},{ 8}}, {{149},{ 8}}, {{ 85},{ 8}}, {{213},{ 8}}, {{ 53},{ 8}},
-{{181},{ 8}}, {{117},{ 8}}, {{245},{ 8}}, {{ 13},{ 8}}, {{141},{ 8}},
-{{ 77},{ 8}}, {{205},{ 8}}, {{ 45},{ 8}}, {{173},{ 8}}, {{109},{ 8}},
-{{237},{ 8}}, {{ 29},{ 8}}, {{157},{ 8}}, {{ 93},{ 8}}, {{221},{ 8}},
-{{ 61},{ 8}}, {{189},{ 8}}, {{125},{ 8}}, {{253},{ 8}}, {{ 19},{ 9}},
-{{275},{ 9}}, {{147},{ 9}}, {{403},{ 9}}, {{ 83},{ 9}}, {{339},{ 9}},
-{{211},{ 9}}, {{467},{ 9}}, {{ 51},{ 9}}, {{307},{ 9}}, {{179},{ 9}},
-{{435},{ 9}}, {{115},{ 9}}, {{371},{ 9}}, {{243},{ 9}}, {{499},{ 9}},
-{{ 11},{ 9}}, {{267},{ 9}}, {{139},{ 9}}, {{395},{ 9}}, {{ 75},{ 9}},
-{{331},{ 9}}, {{203},{ 9}}, {{459},{ 9}}, {{ 43},{ 9}}, {{299},{ 9}},
-{{171},{ 9}}, {{427},{ 9}}, {{107},{ 9}}, {{363},{ 9}}, {{235},{ 9}},
-{{491},{ 9}}, {{ 27},{ 9}}, {{283},{ 9}}, {{155},{ 9}}, {{411},{ 9}},
-{{ 91},{ 9}}, {{347},{ 9}}, {{219},{ 9}}, {{475},{ 9}}, {{ 59},{ 9}},
-{{315},{ 9}}, {{187},{ 9}}, {{443},{ 9}}, {{123},{ 9}}, {{379},{ 9}},
-{{251},{ 9}}, {{507},{ 9}}, {{ 7},{ 9}}, {{263},{ 9}}, {{135},{ 9}},
-{{391},{ 9}}, {{ 71},{ 9}}, {{327},{ 9}}, {{199},{ 9}}, {{455},{ 9}},
-{{ 39},{ 9}}, {{295},{ 9}}, {{167},{ 9}}, {{423},{ 9}}, {{103},{ 9}},
-{{359},{ 9}}, {{231},{ 9}}, {{487},{ 9}}, {{ 23},{ 9}}, {{279},{ 9}},
-{{151},{ 9}}, {{407},{ 9}}, {{ 87},{ 9}}, {{343},{ 9}}, {{215},{ 9}},
-{{471},{ 9}}, {{ 55},{ 9}}, {{311},{ 9}}, {{183},{ 9}}, {{439},{ 9}},
-{{119},{ 9}}, {{375},{ 9}}, {{247},{ 9}}, {{503},{ 9}}, {{ 15},{ 9}},
-{{271},{ 9}}, {{143},{ 9}}, {{399},{ 9}}, {{ 79},{ 9}}, {{335},{ 9}},
-{{207},{ 9}}, {{463},{ 9}}, {{ 47},{ 9}}, {{303},{ 9}}, {{175},{ 9}},
-{{431},{ 9}}, {{111},{ 9}}, {{367},{ 9}}, {{239},{ 9}}, {{495},{ 9}},
-{{ 31},{ 9}}, {{287},{ 9}}, {{159},{ 9}}, {{415},{ 9}}, {{ 95},{ 9}},
-{{351},{ 9}}, {{223},{ 9}}, {{479},{ 9}}, {{ 63},{ 9}}, {{319},{ 9}},
-{{191},{ 9}}, {{447},{ 9}}, {{127},{ 9}}, {{383},{ 9}}, {{255},{ 9}},
-{{511},{ 9}}, {{ 0},{ 7}}, {{ 64},{ 7}}, {{ 32},{ 7}}, {{ 96},{ 7}},
-{{ 16},{ 7}}, {{ 80},{ 7}}, {{ 48},{ 7}}, {{112},{ 7}}, {{ 8},{ 7}},
-{{ 72},{ 7}}, {{ 40},{ 7}}, {{104},{ 7}}, {{ 24},{ 7}}, {{ 88},{ 7}},
-{{ 56},{ 7}}, {{120},{ 7}}, {{ 4},{ 7}}, {{ 68},{ 7}}, {{ 36},{ 7}},
-{{100},{ 7}}, {{ 20},{ 7}}, {{ 84},{ 7}}, {{ 52},{ 7}}, {{116},{ 7}},
-{{ 3},{ 8}}, {{131},{ 8}}, {{ 67},{ 8}}, {{195},{ 8}}, {{ 35},{ 8}},
-{{163},{ 8}}, {{ 99},{ 8}}, {{227},{ 8}}
-};
-
-local const ct_data static_dtree[D_CODES] = {
-{{ 0},{ 5}}, {{16},{ 5}}, {{ 8},{ 5}}, {{24},{ 5}}, {{ 4},{ 5}},
-{{20},{ 5}}, {{12},{ 5}}, {{28},{ 5}}, {{ 2},{ 5}}, {{18},{ 5}},
-{{10},{ 5}}, {{26},{ 5}}, {{ 6},{ 5}}, {{22},{ 5}}, {{14},{ 5}},
-{{30},{ 5}}, {{ 1},{ 5}}, {{17},{ 5}}, {{ 9},{ 5}}, {{25},{ 5}},
-{{ 5},{ 5}}, {{21},{ 5}}, {{13},{ 5}}, {{29},{ 5}}, {{ 3},{ 5}},
-{{19},{ 5}}, {{11},{ 5}}, {{27},{ 5}}, {{ 7},{ 5}}, {{23},{ 5}}
-};
-
-const uch _dist_code[DIST_CODE_LEN] = {
- 0, 1, 2, 3, 4, 4, 5, 5, 6, 6, 6, 6, 7, 7, 7, 7, 8, 8, 8, 8,
- 8, 8, 8, 8, 9, 9, 9, 9, 9, 9, 9, 9, 10, 10, 10, 10, 10, 10, 10, 10,
-10, 10, 10, 10, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11,
-11, 11, 11, 11, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12,
-12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 13, 13, 13, 13,
-13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13,
-13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,
-14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,
-14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,
-14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15,
-15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
-15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,
-15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 0, 0, 16, 17,
-18, 18, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 22, 22, 22, 22, 22, 22, 22, 22,
-23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,
-24, 24, 24, 24, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25,
-26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
-26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27,
-27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27,
-27, 27, 27, 27, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,
-28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,
-28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,
-28, 28, 28, 28, 28, 28, 28, 28, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,
-29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,
-29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,
-29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29
-};
-
-const uch _length_code[MAX_MATCH-MIN_MATCH+1]= {
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 12, 12,
-13, 13, 13, 13, 14, 14, 14, 14, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16,
-17, 17, 17, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 18, 18, 18, 19, 19, 19, 19,
-19, 19, 19, 19, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20,
-21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 22, 22, 22, 22,
-22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 23, 23, 23, 23, 23, 23, 23, 23,
-23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,
-24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,
-25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25,
-25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 26, 26, 26, 26, 26, 26, 26, 26,
-26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
-26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27,
-27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 28
-};
-
-local const int base_length[LENGTH_CODES] = {
-0, 1, 2, 3, 4, 5, 6, 7, 8, 10, 12, 14, 16, 20, 24, 28, 32, 40, 48, 56,
-64, 80, 96, 112, 128, 160, 192, 224, 0
-};
-
-local const int base_dist[D_CODES] = {
- 0, 1, 2, 3, 4, 6, 8, 12, 16, 24,
- 32, 48, 64, 96, 128, 192, 256, 384, 512, 768,
- 1024, 1536, 2048, 3072, 4096, 6144, 8192, 12288, 16384, 24576
-};
-
diff --git a/linux/lib/zlib/zconf.h b/linux/lib/zlib/zconf.h
deleted file mode 100644
index bf52dced5..000000000
--- a/linux/lib/zlib/zconf.h
+++ /dev/null
@@ -1,309 +0,0 @@
-/* zconf.h -- configuration of the zlib compression library
- * Copyright (C) 1995-2002 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* @(#) $Id: zconf.h,v 1.1 2004/03/15 20:35:26 as Exp $ */
-
-#ifndef _ZCONF_H
-#define _ZCONF_H
-
-/*
- * If you *really* need a unique prefix for all types and library functions,
- * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it.
- */
-#ifdef IPCOMP_PREFIX
-# define deflateInit_ ipcomp_deflateInit_
-# define deflate ipcomp_deflate
-# define deflateEnd ipcomp_deflateEnd
-# define inflateInit_ ipcomp_inflateInit_
-# define inflate ipcomp_inflate
-# define inflateEnd ipcomp_inflateEnd
-# define deflateInit2_ ipcomp_deflateInit2_
-# define deflateSetDictionary ipcomp_deflateSetDictionary
-# define deflateCopy ipcomp_deflateCopy
-# define deflateReset ipcomp_deflateReset
-# define deflateParams ipcomp_deflateParams
-# define inflateInit2_ ipcomp_inflateInit2_
-# define inflateSetDictionary ipcomp_inflateSetDictionary
-# define inflateSync ipcomp_inflateSync
-# define inflateSyncPoint ipcomp_inflateSyncPoint
-# define inflateReset ipcomp_inflateReset
-# define compress ipcomp_compress
-# define compress2 ipcomp_compress2
-# define uncompress ipcomp_uncompress
-# define adler32 ipcomp_adler32
-# define crc32 ipcomp_crc32
-# define get_crc_table ipcomp_get_crc_table
-/* SSS: these also need to be prefixed to avoid clash with ppp_deflate and ext2compression */
-# define inflate_blocks ipcomp_deflate_blocks
-# define inflate_blocks_free ipcomp_deflate_blocks_free
-# define inflate_blocks_new ipcomp_inflate_blocks_new
-# define inflate_blocks_reset ipcomp_inflate_blocks_reset
-# define inflate_blocks_sync_point ipcomp_inflate_blocks_sync_point
-# define inflate_set_dictionary ipcomp_inflate_set_dictionary
-# define inflate_codes ipcomp_inflate_codes
-# define inflate_codes_free ipcomp_inflate_codes_free
-# define inflate_codes_new ipcomp_inflate_codes_new
-# define inflate_fast ipcomp_inflate_fast
-# define inflate_trees_bits ipcomp_inflate_trees_bits
-# define inflate_trees_dynamic ipcomp_inflate_trees_dynamic
-# define inflate_trees_fixed ipcomp_inflate_trees_fixed
-# define inflate_flush ipcomp_inflate_flush
-# define inflate_mask ipcomp_inflate_mask
-# define _dist_code _ipcomp_dist_code
-# define _length_code _ipcomp_length_code
-# define _tr_align _ipcomp_tr_align
-# define _tr_flush_block _ipcomp_tr_flush_block
-# define _tr_init _ipcomp_tr_init
-# define _tr_stored_block _ipcomp_tr_stored_block
-# define _tr_tally _ipcomp_tr_tally
-# define zError ipcomp_zError
-# define z_errmsg ipcomp_z_errmsg
-# define zlibVersion ipcomp_zlibVersion
-# define match_init ipcomp_match_init
-# define longest_match ipcomp_longest_match
-#endif
-
-#ifdef Z_PREFIX
-# define Byte z_Byte
-# define uInt z_uInt
-# define uLong z_uLong
-# define Bytef z_Bytef
-# define charf z_charf
-# define intf z_intf
-# define uIntf z_uIntf
-# define uLongf z_uLongf
-# define voidpf z_voidpf
-# define voidp z_voidp
-#endif
-
-#if (defined(_WIN32) || defined(__WIN32__)) && !defined(WIN32)
-# define WIN32
-#endif
-#if defined(__GNUC__) || defined(WIN32) || defined(__386__) || defined(i386)
-# ifndef __32BIT__
-# define __32BIT__
-# endif
-#endif
-#if defined(__MSDOS__) && !defined(MSDOS)
-# define MSDOS
-#endif
-
-/*
- * Compile with -DMAXSEG_64K if the alloc function cannot allocate more
- * than 64k bytes at a time (needed on systems with 16-bit int).
- */
-#if defined(MSDOS) && !defined(__32BIT__)
-# define MAXSEG_64K
-#endif
-#ifdef MSDOS
-# define UNALIGNED_OK
-#endif
-
-#if (defined(MSDOS) || defined(_WINDOWS) || defined(WIN32)) && !defined(STDC)
-# define STDC
-#endif
-#if defined(__STDC__) || defined(__cplusplus) || defined(__OS2__)
-# ifndef STDC
-# define STDC
-# endif
-#endif
-
-#ifndef STDC
-# ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */
-# define const
-# endif
-#endif
-
-/* Some Mac compilers merge all .h files incorrectly: */
-#if defined(__MWERKS__) || defined(applec) ||defined(THINK_C) ||defined(__SC__)
-# define NO_DUMMY_DECL
-#endif
-
-/* Old Borland C incorrectly complains about missing returns: */
-#if defined(__BORLANDC__) && (__BORLANDC__ < 0x500)
-# define NEED_DUMMY_RETURN
-#endif
-
-
-/* Maximum value for memLevel in deflateInit2 */
-#ifndef MAX_MEM_LEVEL
-# ifdef MAXSEG_64K
-# define MAX_MEM_LEVEL 8
-# else
-# define MAX_MEM_LEVEL 9
-# endif
-#endif
-
-/* Maximum value for windowBits in deflateInit2 and inflateInit2.
- * WARNING: reducing MAX_WBITS makes minigzip unable to extract .gz files
- * created by gzip. (Files created by minigzip can still be extracted by
- * gzip.)
- */
-#ifndef MAX_WBITS
-# define MAX_WBITS 15 /* 32K LZ77 window */
-#endif
-
-/* The memory requirements for deflate are (in bytes):
- (1 << (windowBits+2)) + (1 << (memLevel+9))
- that is: 128K for windowBits=15 + 128K for memLevel = 8 (default values)
- plus a few kilobytes for small objects. For example, if you want to reduce
- the default memory requirements from 256K to 128K, compile with
- make CFLAGS="-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7"
- Of course this will generally degrade compression (there's no free lunch).
-
- The memory requirements for inflate are (in bytes) 1 << windowBits
- that is, 32K for windowBits=15 (default value) plus a few kilobytes
- for small objects.
-*/
-
- /* Type declarations */
-
-#ifndef OF /* function prototypes */
-# ifdef STDC
-# define OF(args) args
-# else
-# define OF(args) ()
-# endif
-#endif
-
-/* The following definitions for FAR are needed only for MSDOS mixed
- * model programming (small or medium model with some far allocations).
- * This was tested only with MSC; for other MSDOS compilers you may have
- * to define NO_MEMCPY in zutil.h. If you don't need the mixed model,
- * just define FAR to be empty.
- */
-#if (defined(M_I86SM) || defined(M_I86MM)) && !defined(__32BIT__)
- /* MSC small or medium model */
-# define SMALL_MEDIUM
-# ifdef _MSC_VER
-# define FAR _far
-# else
-# define FAR far
-# endif
-#endif
-#if defined(__BORLANDC__) && (defined(__SMALL__) || defined(__MEDIUM__))
-# ifndef __32BIT__
-# define SMALL_MEDIUM
-# define FAR _far
-# endif
-#endif
-
-/* Compile with -DZLIB_DLL for Windows DLL support */
-#if defined(ZLIB_DLL)
-# if defined(_WINDOWS) || defined(WINDOWS)
-# ifdef FAR
-# undef FAR
-# endif
-# include <windows.h>
-# define ZEXPORT WINAPI
-# ifdef WIN32
-# define ZEXPORTVA WINAPIV
-# else
-# define ZEXPORTVA FAR _cdecl _export
-# endif
-# endif
-# if defined (__BORLANDC__)
-# if (__BORLANDC__ >= 0x0500) && defined (WIN32)
-# include <windows.h>
-# define ZEXPORT __declspec(dllexport) WINAPI
-# define ZEXPORTRVA __declspec(dllexport) WINAPIV
-# else
-# if defined (_Windows) && defined (__DLL__)
-# define ZEXPORT _export
-# define ZEXPORTVA _export
-# endif
-# endif
-# endif
-#endif
-
-#if defined (__BEOS__)
-# if defined (ZLIB_DLL)
-# define ZEXTERN extern __declspec(dllexport)
-# else
-# define ZEXTERN extern __declspec(dllimport)
-# endif
-#endif
-
-#ifndef ZEXPORT
-# define ZEXPORT
-#endif
-#ifndef ZEXPORTVA
-# define ZEXPORTVA
-#endif
-#ifndef ZEXTERN
-# define ZEXTERN extern
-#endif
-
-#ifndef FAR
-# define FAR
-#endif
-
-#if !defined(MACOS) && !defined(TARGET_OS_MAC)
-typedef unsigned char Byte; /* 8 bits */
-#endif
-typedef unsigned int uInt; /* 16 bits or more */
-typedef unsigned long uLong; /* 32 bits or more */
-
-#ifdef SMALL_MEDIUM
- /* Borland C/C++ and some old MSC versions ignore FAR inside typedef */
-# define Bytef Byte FAR
-#else
- typedef Byte FAR Bytef;
-#endif
-typedef char FAR charf;
-typedef int FAR intf;
-typedef uInt FAR uIntf;
-typedef uLong FAR uLongf;
-
-#ifdef STDC
- typedef void FAR *voidpf;
- typedef void *voidp;
-#else
- typedef Byte FAR *voidpf;
- typedef Byte *voidp;
-#endif
-
-#ifdef HAVE_UNISTD_H
-# include <sys/types.h> /* for off_t */
-# include <unistd.h> /* for SEEK_* and off_t */
-# define z_off_t off_t
-#endif
-#ifndef SEEK_SET
-# define SEEK_SET 0 /* Seek from beginning of file. */
-# define SEEK_CUR 1 /* Seek from current position. */
-# define SEEK_END 2 /* Set file pointer to EOF plus "offset" */
-#endif
-#ifndef z_off_t
-# define z_off_t long
-#endif
-
-/* MVS linker does not support external names larger than 8 bytes */
-#if defined(__MVS__)
-# pragma map(deflateInit_,"DEIN")
-# pragma map(deflateInit2_,"DEIN2")
-# pragma map(deflateEnd,"DEEND")
-# pragma map(inflateInit_,"ININ")
-# pragma map(inflateInit2_,"ININ2")
-# pragma map(inflateEnd,"INEND")
-# pragma map(inflateSync,"INSY")
-# pragma map(inflateSetDictionary,"INSEDI")
-# pragma map(inflate_blocks,"INBL")
-# pragma map(inflate_blocks_new,"INBLNE")
-# pragma map(inflate_blocks_free,"INBLFR")
-# pragma map(inflate_blocks_reset,"INBLRE")
-# pragma map(inflate_codes_free,"INCOFR")
-# pragma map(inflate_codes,"INCO")
-# pragma map(inflate_fast,"INFA")
-# pragma map(inflate_flush,"INFLU")
-# pragma map(inflate_mask,"INMA")
-# pragma map(inflate_set_dictionary,"INSEDI2")
-# pragma map(ipcomp_inflate_copyright,"INCOPY")
-# pragma map(inflate_trees_bits,"INTRBI")
-# pragma map(inflate_trees_dynamic,"INTRDY")
-# pragma map(inflate_trees_fixed,"INTRFI")
-# pragma map(inflate_trees_free,"INTRFR")
-#endif
-
-#endif /* _ZCONF_H */
diff --git a/linux/lib/zlib/zutil.c b/linux/lib/zlib/zutil.c
deleted file mode 100644
index 81d602d82..000000000
--- a/linux/lib/zlib/zutil.c
+++ /dev/null
@@ -1,227 +0,0 @@
-/* zutil.c -- target dependent utility functions for the compression library
- * Copyright (C) 1995-2002 Jean-loup Gailly.
- * For conditions of distribution and use, see copyright notice in zlib.h
- */
-
-/* @(#) $Id: zutil.c,v 1.1 2004/03/15 20:35:26 as Exp $ */
-
-#include <zlib/zutil.h>
-
-#define MY_ZCALLOC
-
-struct internal_state {int dummy;}; /* for buggy compilers */
-
-#ifndef STDC
-extern void exit OF((int));
-#endif
-
-const char *z_errmsg[10] = {
-"need dictionary", /* Z_NEED_DICT 2 */
-"stream end", /* Z_STREAM_END 1 */
-"", /* Z_OK 0 */
-"file error", /* Z_ERRNO (-1) */
-"stream error", /* Z_STREAM_ERROR (-2) */
-"data error", /* Z_DATA_ERROR (-3) */
-"insufficient memory", /* Z_MEM_ERROR (-4) */
-"buffer error", /* Z_BUF_ERROR (-5) */
-"incompatible version",/* Z_VERSION_ERROR (-6) */
-""};
-
-
-const char * ZEXPORT zlibVersion()
-{
- return ZLIB_VERSION;
-}
-
-#ifdef DEBUG
-
-# ifndef verbose
-# define verbose 0
-# endif
-int z_verbose = verbose;
-
-void z_error (m)
- char *m;
-{
- fprintf(stderr, "%s\n", m);
- exit(1);
-}
-#endif
-
-/* exported to allow conversion of error code to string for compress() and
- * uncompress()
- */
-const char * ZEXPORT zError(err)
- int err;
-{
- return ERR_MSG(err);
-}
-
-
-#ifndef HAVE_MEMCPY
-
-void zmemcpy(dest, source, len)
- Bytef* dest;
- const Bytef* source;
- uInt len;
-{
- if (len == 0) return;
- do {
- *dest++ = *source++; /* ??? to be unrolled */
- } while (--len != 0);
-}
-
-int zmemcmp(s1, s2, len)
- const Bytef* s1;
- const Bytef* s2;
- uInt len;
-{
- uInt j;
-
- for (j = 0; j < len; j++) {
- if (s1[j] != s2[j]) return 2*(s1[j] > s2[j])-1;
- }
- return 0;
-}
-
-void zmemzero(dest, len)
- Bytef* dest;
- uInt len;
-{
- if (len == 0) return;
- do {
- *dest++ = 0; /* ??? to be unrolled */
- } while (--len != 0);
-}
-#endif
-
-#ifdef __TURBOC__
-#if (defined( __BORLANDC__) || !defined(SMALL_MEDIUM)) && !defined(__32BIT__)
-/* Small and medium model in Turbo C are for now limited to near allocation
- * with reduced MAX_WBITS and MAX_MEM_LEVEL
- */
-# define MY_ZCALLOC
-
-/* Turbo C malloc() does not allow dynamic allocation of 64K bytes
- * and farmalloc(64K) returns a pointer with an offset of 8, so we
- * must fix the pointer. Warning: the pointer must be put back to its
- * original form in order to free it, use zcfree().
- */
-
-#define MAX_PTR 10
-/* 10*64K = 640K */
-
-local int next_ptr = 0;
-
-typedef struct ptr_table_s {
- voidpf org_ptr;
- voidpf new_ptr;
-} ptr_table;
-
-local ptr_table table[MAX_PTR];
-/* This table is used to remember the original form of pointers
- * to large buffers (64K). Such pointers are normalized with a zero offset.
- * Since MSDOS is not a preemptive multitasking OS, this table is not
- * protected from concurrent access. This hack doesn't work anyway on
- * a protected system like OS/2. Use Microsoft C instead.
- */
-
-voidpf zcalloc (voidpf opaque, unsigned items, unsigned size)
-{
- voidpf buf = opaque; /* just to make some compilers happy */
- ulg bsize = (ulg)items*size;
-
- /* If we allocate less than 65520 bytes, we assume that farmalloc
- * will return a usable pointer which doesn't have to be normalized.
- */
- if (bsize < 65520L) {
- buf = farmalloc(bsize);
- if (*(ush*)&buf != 0) return buf;
- } else {
- buf = farmalloc(bsize + 16L);
- }
- if (buf == NULL || next_ptr >= MAX_PTR) return NULL;
- table[next_ptr].org_ptr = buf;
-
- /* Normalize the pointer to seg:0 */
- *((ush*)&buf+1) += ((ush)((uch*)buf-0) + 15) >> 4;
- *(ush*)&buf = 0;
- table[next_ptr++].new_ptr = buf;
- return buf;
-}
-
-void zcfree (voidpf opaque, voidpf ptr)
-{
- int n;
- if (*(ush*)&ptr != 0) { /* object < 64K */
- farfree(ptr);
- return;
- }
- /* Find the original pointer */
- for (n = 0; n < next_ptr; n++) {
- if (ptr != table[n].new_ptr) continue;
-
- farfree(table[n].org_ptr);
- while (++n < next_ptr) {
- table[n-1] = table[n];
- }
- next_ptr--;
- return;
- }
- ptr = opaque; /* just to make some compilers happy */
- Assert(0, "zcfree: ptr not found");
-}
-#endif
-#endif /* __TURBOC__ */
-
-
-#if defined(M_I86) && !defined(__32BIT__)
-/* Microsoft C in 16-bit mode */
-
-# define MY_ZCALLOC
-
-#if (!defined(_MSC_VER) || (_MSC_VER <= 600))
-# define _halloc halloc
-# define _hfree hfree
-#endif
-
-voidpf zcalloc (voidpf opaque, unsigned items, unsigned size)
-{
- if (opaque) opaque = 0; /* to make compiler happy */
- return _halloc((long)items, size);
-}
-
-void zcfree (voidpf opaque, voidpf ptr)
-{
- if (opaque) opaque = 0; /* to make compiler happy */
- _hfree(ptr);
-}
-
-#endif /* MSC */
-
-
-#ifndef MY_ZCALLOC /* Any system without a special alloc function */
-
-#ifndef STDC
-extern voidp calloc OF((uInt items, uInt size));
-extern void free OF((voidpf ptr));
-#endif
-
-voidpf zcalloc (opaque, items, size)
- voidpf opaque;
- unsigned items;
- unsigned size;
-{
- if (opaque) items += size - size; /* make compiler happy */
- return (voidpf)calloc(items, size);
-}
-
-void zcfree (opaque, ptr)
- voidpf opaque;
- voidpf ptr;
-{
- free(ptr);
- if (opaque) return; /* make compiler happy */
-}
-
-#endif /* MY_ZCALLOC */
diff --git a/linux/net/Config.in.fs2_0.patch b/linux/net/Config.in.fs2_0.patch
deleted file mode 100644
index 6ff7cf06c..000000000
--- a/linux/net/Config.in.fs2_0.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-RCSID $Id: Config.in.fs2_0.patch,v 1.2 2004/03/30 14:15:03 as Exp $
---- linux/net/Config.in.preipsec Mon Jul 13 16:47:40 1998
-+++ linux/net/Config.in Thu Sep 16 11:26:31 1999
-@@ -24,4 +24,8 @@
- if [ "$CONFIG_NETLINK" = "y" ]; then
- bool 'Routing messages' CONFIG_RTNETLINK
- fi
-+tristate 'IP Security Protocol (strongSwan IPsec)' CONFIG_IPSEC
-+if [ "$CONFIG_IPSEC" != "n" ]; then
-+ source net/ipsec/Config.in
-+fi
- endmenu
diff --git a/linux/net/Config.in.fs2_2.patch b/linux/net/Config.in.fs2_2.patch
deleted file mode 100644
index 5d7c6de53..000000000
--- a/linux/net/Config.in.fs2_2.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-RCSID $Id: Config.in.fs2_2.patch,v 1.2 2004/03/30 14:15:03 as Exp $
---- linux/net/Config.in.preipsec Thu Feb 25 13:46:47 1999
-+++ linux/net/Config.in Sat Aug 28 02:24:59 1999
-@@ -63,4 +63,8 @@
- endmenu
- fi
- fi
-+tristate 'IP Security Protocol (strongSwan IPsec)' CONFIG_IPSEC
-+if [ "$CONFIG_IPSEC" != "n" ]; then
-+ source net/ipsec/Config.in
-+fi
- endmenu
diff --git a/linux/net/Config.in.fs2_4.patch b/linux/net/Config.in.fs2_4.patch
deleted file mode 100644
index 82ec14188..000000000
--- a/linux/net/Config.in.fs2_4.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- linux/net/Config.in.orig Fri Feb 9 14:34:13 2001
-+++ linux/net/Config.in Thu Feb 22 19:40:08 2001
-@@ -88,4 +88,10 @@
- #bool 'Network code profiler' CONFIG_NET_PROFILE
- endmenu
-
-+tristate 'IP Security Protocol (strongSwan IPsec)' CONFIG_IPSEC
-+define_tristate CONFIG_IPSEC m
-+if [ "$CONFIG_IPSEC" != "n" ]; then
-+ source net/ipsec/Config.in
-+fi
-+
- endmenu
diff --git a/linux/net/Makefile.fs2_0.patch b/linux/net/Makefile.fs2_0.patch
deleted file mode 100644
index 7909f1e6d..000000000
--- a/linux/net/Makefile.fs2_0.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-RCSID $Id: Makefile.fs2_0.patch,v 1.1 2004/03/15 20:35:26 as Exp $
---- linux/net/Makefile.preipsec Mon Jul 13 16:47:40 1998
-+++ linux/net/Makefile Thu Sep 16 11:26:31 1999
-@@ -64,6 +64,16 @@
- endif
- endif
-
-+ifeq ($(CONFIG_IPSEC),y)
-+ALL_SUB_DIRS += ipsec
-+SUB_DIRS += ipsec
-+else
-+ ifeq ($(CONFIG_IPSEC),m)
-+ ALL_SUB_DIRS += ipsec
-+ MOD_SUB_DIRS += ipsec
-+ endif
-+endif
-+
- L_TARGET := network.a
- L_OBJS := socket.o protocols.o sysctl_net.o $(join $(SUB_DIRS),$(SUB_DIRS:%=/%.o))
- ifeq ($(CONFIG_NET),y)
diff --git a/linux/net/Makefile.fs2_2.patch b/linux/net/Makefile.fs2_2.patch
deleted file mode 100644
index 70e400de9..000000000
--- a/linux/net/Makefile.fs2_2.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-RCSID $Id: Makefile.fs2_2.patch,v 1.1 2004/03/15 20:35:26 as Exp $
---- linux/net/Makefile.preipsec Tue Jun 20 17:32:27 2000
-+++ linux/net/Makefile Fri Jun 30 14:44:38 2000
-@@ -195,6 +195,16 @@
- endif
- endif
-
-+ifeq ($(CONFIG_IPSEC),y)
-+ALL_SUB_DIRS += ipsec
-+SUB_DIRS += ipsec
-+else
-+ ifeq ($(CONFIG_IPSEC),m)
-+ ALL_SUB_DIRS += ipsec
-+ MOD_SUB_DIRS += ipsec
-+ endif
-+endif
-+
- # We must attach netsyms.o to socket.o, as otherwise there is nothing
- # to pull the object file from the archive.
-
diff --git a/linux/net/Makefile.fs2_4.ipsec_alg.patch b/linux/net/Makefile.fs2_4.ipsec_alg.patch
deleted file mode 100644
index 9aec86493..000000000
--- a/linux/net/Makefile.fs2_4.ipsec_alg.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- linux/net/Makefile.dist Mon Dec 17 12:18:26 2001
-+++ linux/net/Makefile Tue Jan 22 11:10:24 2002
-@@ -8,6 +8,7 @@
- O_TARGET := network.o
-
- mod-subdirs := ipv4/netfilter ipv6/netfilter ipx irda bluetooth atm netlink sched
-+mod-subdirs += ipsec
- export-objs := netsyms.o
-
- subdir-y := core ethernet
diff --git a/linux/net/Makefile.fs2_4.patch b/linux/net/Makefile.fs2_4.patch
deleted file mode 100644
index 0d2c82a59..000000000
--- a/linux/net/Makefile.fs2_4.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-RCSID $Id: Makefile.fs2_4.patch,v 1.1 2004/03/15 20:35:26 as Exp $
---- linux/net/Makefile.preipsec Mon Jun 11 22:15:27 2001
-+++ linux/net/Makefile Tue Nov 6 21:07:43 2001
-@@ -17,6 +17,7 @@
- subdir-$(CONFIG_NET) += 802 sched
- subdir-$(CONFIG_INET) += ipv4
- subdir-$(CONFIG_NETFILTER) += ipv4/netfilter
-+subdir-$(CONFIG_IPSEC) += ipsec
- subdir-$(CONFIG_UNIX) += unix
- subdir-$(CONFIG_IPV6) += ipv6
-
diff --git a/linux/net/include.net.sock.h.fs2_2.patch b/linux/net/include.net.sock.h.fs2_2.patch
deleted file mode 100644
index 9759dbb7a..000000000
--- a/linux/net/include.net.sock.h.fs2_2.patch
+++ /dev/null
@@ -1,25 +0,0 @@
---- ./include/net/sock.h Fri Nov 2 17:39:16 2001
-+++ ./include/net/sock.h Mon Jun 10 19:44:55 2002
-@@ -201,6 +201,12 @@
- __u32 end_seq;
- };
-
-+#if 1
-+struct udp_opt {
-+ __u32 esp_in_udp;
-+};
-+#endif
-+
- struct tcp_opt {
- int tcp_header_len; /* Bytes of tcp header to send */
-
-@@ -443,6 +449,9 @@
- #if defined(CONFIG_SPX) || defined (CONFIG_SPX_MODULE)
- struct spx_opt af_spx;
- #endif /* CONFIG_SPX */
-+#if 1
-+ struct udp_opt af_udp;
-+#endif
-
- } tp_pinfo;
-
diff --git a/linux/net/include.net.sock.h.fs2_4.patch b/linux/net/include.net.sock.h.fs2_4.patch
deleted file mode 100644
index 9466cf686..000000000
--- a/linux/net/include.net.sock.h.fs2_4.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- ./include/net/sock.h 2002/02/06 15:25:10 1.1
-+++ ./include/net/sock.h 2002/05/22 12:14:56
-@@ -488,7 +488,13 @@
- } bictcp;
- };
-
--
-+#if 1
-+#define UDP_OPT_IN_SOCK 1
-+struct udp_opt {
-+ __u32 esp_in_udp;
-+};
-+#endif
-+
- /*
- * This structure really needs to be cleaned up.
- * Most of it is for TCP, and not used by any of
-@@ -655,6 +661,9 @@
- #if defined(CONFIG_SPX) || defined (CONFIG_SPX_MODULE)
- struct spx_opt af_spx;
- #endif /* CONFIG_SPX */
-+#if 1
-+ struct udp_opt af_udp;
-+#endif
-
- } tp_pinfo;
-
diff --git a/linux/net/ipsec/.cvsignore b/linux/net/ipsec/.cvsignore
deleted file mode 100644
index 63cb2042f..000000000
--- a/linux/net/ipsec/.cvsignore
+++ /dev/null
@@ -1,47 +0,0 @@
-.addrtoa.o.flags
-.adler32.o.flags
-.cbc_enc.o.flags
-.datatot.o.flags
-.deflate.o.flags
-.des_enc.o.flags
-.ecb_enc.o.flags
-.goodmask.o.flags
-.infblock.o.flags
-.infcodes.o.flags
-.inffast.o.flags
-.inflate.o.flags
-.inftrees.o.flags
-.infutil.o.flags
-.ipcomp.o.flags
-.ipsec.o.flags
-.ipsec_init.o.flags
-.ipsec_life.o.flags
-.ipsec_md5c.o.flags
-.ipsec_proc.o.flags
-.ipsec_radij.o.flags
-.ipsec_rcv.o.flags
-.ipsec_sa.o.flags
-.ipsec_sha1.o.flags
-.ipsec_tunnel.o.flags
-.pfkey_v2.o.flags
-.pfkey_v2_build.o.flags
-.pfkey_v2_debug.o.flags
-.pfkey_v2_ext_bits.o.flags
-.pfkey_v2_ext_process.o.flags
-.pfkey_v2_parse.o.flags
-.pfkey_v2_parser.o.flags
-.prng.o.flags
-.radij.o.flags
-.rangetoa.o.flags
-.satoa.o.flags
-.set_key.o.flags
-.subnetof.o.flags
-.subnettoa.o.flags
-.sysctl_net_ipsec.o.flags
-.trees.o.flags
-.ultoa.o.flags
-.version.o.flags
-.zutil.o.flags
-version.c
-.*.o.flags
-*.o
diff --git a/linux/net/ipsec/Config.in b/linux/net/ipsec/Config.in
deleted file mode 100644
index 379738a69..000000000
--- a/linux/net/ipsec/Config.in
+++ /dev/null
@@ -1,41 +0,0 @@
-#
-# IPSEC configuration
-# Copyright (C) 1998, 1999, 2000,2001 Richard Guy Briggs.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Config.in,v 1.3 2004/03/30 21:11:11 as Exp $
-
-comment 'IPsec options (strongSwan)'
-
-bool ' IPSEC: IP-in-IP encapsulation (tunnel mode)' CONFIG_IPSEC_IPIP
-
-bool ' IPSEC: Authentication Header' CONFIG_IPSEC_AH
-if [ "$CONFIG_IPSEC_AH" = "y" -o "$CONFIG_IPSEC_ESP" = "y" ]; then
- bool ' HMAC-MD5 authentication algorithm' CONFIG_IPSEC_AUTH_HMAC_MD5
- bool ' HMAC-SHA1 authentication algorithm' CONFIG_IPSEC_AUTH_HMAC_SHA1
-fi
-
-bool ' IPSEC: Encapsulating Security Payload' CONFIG_IPSEC_ESP
-if [ "$CONFIG_IPSEC_ESP" = "y" ]; then
- bool ' 3DES encryption algorithm' CONFIG_IPSEC_ENC_3DES
-fi
-
-bool ' IPSEC Modular Extensions' CONFIG_IPSEC_ALG
-if [ "$CONFIG_IPSEC_ALG" != "n" ]; then
- source net/ipsec/alg/Config.in
-fi
-
-bool ' IPSEC: IP Compression' CONFIG_IPSEC_IPCOMP
-
-bool ' IPSEC Debugging Option' CONFIG_IPSEC_DEBUG
-
-bool ' IPSEC NAT-Traversal' CONFIG_IPSEC_NAT_TRAVERSAL
diff --git a/linux/net/ipsec/Makefile b/linux/net/ipsec/Makefile
deleted file mode 100644
index 6d834a067..000000000
--- a/linux/net/ipsec/Makefile
+++ /dev/null
@@ -1,529 +0,0 @@
-# Makefile for KLIPS kernel code as a module
-# Copyright (C) 1998, 1999, 2000,2001 Richard Guy Briggs.
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.2 2004/03/22 21:53:19 as Exp $
-#
-# Note! Dependencies are done automagically by 'make dep', which also
-# removes any old dependencies. DON'T put your own dependencies here
-# unless it's something special (ie not a .c file).
-#
-
-ifeq ($(strip $(KLIPSMODULE)),)
-FREESWANSRCDIR=.
-else
-FREESWANSRCDIR=../../..
-endif
--include ${FREESWANSRCDIR}/Makefile.ver
-
-ifeq ($(strip $(KLIPS_TOP)),)
-KLIPS_TOP=../..
-endif
-
-ifneq ($(strip $(KLIPSMODULE)),)
-
-ifndef TOPDIR
-TOPDIR:=/usr/src/linux
-endif
-export TOPDIR
-
-endif
-
-#
-# This magic from User-Mode-Linux list. It gets list of -I options, as
-# UML needs some extra, that varry by revision.
-#
-KERNEL_CFLAGS= $(shell $(MAKE) -C $(TOPDIR) --no-print-directory -s -f Makefile ARCH=$(ARCH) MAKEFLAGS= script SCRIPT='@echo $$(CFLAGS)' )
-
-MODULE_CFLAGS= $(shell $(MAKE) -C $(TOPDIR) --no-print-directory -s -f Makefile ARCH=$(ARCH) MAKEFLAGS= script SCRIPT='@echo $$(MODFLAGS)' )
-
-subdir- :=
-subdir-n :=
-subdir-y :=
-subdir-m :=
-
-
-MOD_DESTDIR:=net/ipsec
-
-export TOPDIR
-
-all: ipsec.o
-
-foo:
- echo KERNEL: ${KERNEL_CFLAGS}
- echo MODULE: ${MODULE_CFLAGS}
-
-ipsec.o: foo
-
-O_TARGET := ipsec.o
-obj-y := ipsec_init.o ipsec_sa.o ipsec_radij.o radij.o
-obj-y += ipsec_life.o ipsec_proc.o
-obj-y += ipsec_tunnel.o ipsec_xmit.o ipsec_rcv.o
-obj-y += sysctl_net_ipsec.o
-obj-y += pfkey_v2.o pfkey_v2_parser.o pfkey_v2_ext_process.o
-#obj-y += version.o
-
-LIBDESDIR=${KLIPS_TOP}/crypto/ciphers/des
-VPATH+= ${LIBDESDIR}
-
-include ${LIBDESDIR}/Makefile.objs
-
-LIBFREESWANDIR=${KLIPS_TOP}/lib/libfreeswan
-VPATH+=${LIBFREESWANDIR}
-
-include ${LIBFREESWANDIR}/Makefile.objs
-
-# IPcomp stuff
-obj-$(CONFIG_IPSEC_IPCOMP) += ipcomp.o
-
-LIBZLIBSRCDIR=${KLIPS_TOP}/lib/zlib
-VPATH+=${LIBZLIBSRCDIR}
-
-# LIBCRYPTO Will be overriden eg. when doing "make module"
-# from freeswan-2 src root
-# Default value assumes already symlinked libcrypto under $TOPDIR/lib
-LIBCRYPTO=$(TOPDIR)/lib/libcrypto
-VPATH+=${LIBCRYPTO}
-
-alg/static_init_mod.o: dummy
- $(MAKE) -C alg CC='$(CC)' TOPDIR='$(TOPDIR)' \
- 'EXTRA_CFLAGS=$(EXTRA_CFLAGS)' \
- static_init_mod.o
-
-
-alg_modules: dummy
- $(MAKE) $(MODULE_FLAGS) -C alg CC='$(CC)' TOPDIR='$(TOPDIR)' \
- 'LIBCRYPTO=$(LIBCRYPTO)' \
- 'EXTRA_CFLAGS=$(EXTRA_CFLAGS)' \
- modules
-
-# CFLAGS='$(CFLAGS)' \
-# MODULE_CFLAGS='$(MODULE_CFLAGS)' KERNEL_CFLAGS='$(KERNEL_CFLAGS)' \
-#
-include ${LIBZLIBSRCDIR}/Makefile.objs
-
-export-objs := radij.o
-
-# New handling of KERNEL_CFLAGS and MODULE_CFLAGS introduced in 2.0
-# tosses export-objs logic :(
-CFLAGS_ipsec_alg.o += -DEXPORT_SYMTAB
-obj-$(CONFIG_IPSEC_ALG) +=ipsec_alg.o alg/static_init_mod.o
-export-objs += ipsec_alg.o
-subdir-m += alg
-
-EXTRA_CFLAGS += $(ALGO_FLAGS)
-
-
-# include file with .h-style macros that would otherwise be created by
-# config. Must occur before other includes.
-ifneq ($(strip $(MODULE_DEF_INCLUDE)),)
-EXTRA_CFLAGS += -include ${MODULE_DEF_INCLUDE}
-endif
-
-# 'override CFLAGS' should really be 'EXTRA_CFLAGS'
-#EXTRA_CFLAGS += -nostdinc
-EXTRA_CFLAGS += -I${KLIPS_TOP}/include
-
-EXTRA_CFLAGS += -I${TOPDIR}/include
-EXTRA_CFLAGS += -I${LIBZLIBSRCDIR}
-
-ifeq ($(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION),2.4.2-2)
-EXTRA_CFLAGS += -DREDHAT_BOGOSITY
-endif
-
-ifeq ($(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION),2.4.3-12)
-EXTRA_CFLAGS += -DREDHAT_BOGOSITY
-endif
-
-
-#ifeq ($(CONFIG_IPSEC_DEBUG),y)
-#EXTRA_CFLAGS += -g
-#endif
-
-#ifeq ($(CONFIG_IPSEC_ALG), y)
-EXTRA_CFLAGS += -DCONFIG_IPSEC_ALG
-#endif
-# MOST of these flags are in KERNEL_CFLAGS already!
-
-EXTRA_CFLAGS += $(KLIPSCOMPILE)
-EXTRA_CFLAGS += -Wall
-#EXTRA_CFLAGS += -Werror
-#EXTRA_CFLAGS += -Wconversion
-#EXTRA_CFLAGS += -Wmissing-prototypes
-# cannot use both -Wpointer-arith and -Werror with CONFIG_HIGHMEM
-# include/linux/highmem.h has an inline function definition that uses void* arithmentic.
-ifeq ($(CONFIG_NOHIGHMEM),y)
-EXTRA_CFLAGS += -Wpointer-arith
-endif
-#EXTRA_CFLAGS += -Wcast-qual
-#EXTRA_CFLAGS += -Wmissing-declarations
-#EXTRA_CFLAGS += -Wstrict-prototypes
-#EXTRA_CFLAGS += -pedantic
-#EXTRA_CFLAGS += -O3
-#EXTRA_CFLAGS += -W
-#EXTRA_CFLAGS += -Wwrite-strings
-#EXTRA_CFLAGS += -Wbad-function-cast
-
-ifneq ($(strip $(KLIPSMODULE)),)
-# for when we aren't building in the kernel tree
-EXTRA_CFLAGS += -DARCH=${ARCH}
-EXTRA_CFLAGS += -DMODVERSIONS
-EXTRA_CFLAGS += -include ${TOPDIR}/include/linux/modversions.h
-EXTRA_CFLAGS += ${MODULE_CFLAGS}
-endif
-
-EXTRA_CFLAGS += ${KERNEL_CFLAGS}
-
-
-# GCC 3.2 (and we presume any other 3.x) wants -falign-functions
-# in place of the traditional -malign-functions. Getting this
-# wrong leads to a warning, which is fatal due to our use of -Werror.
-ifeq ($(patsubst 3.%,3,$(shell $(CC) -dumpversion)),3)
-override CFLAGS:=$(subst -malign-functions=,-falign-functions=,$(CFLAGS))
-endif
-
-
-obj-$(CONFIG_IPSEC_AUTH_HMAC_MD5) += ipsec_md5c.o
-obj-$(CONFIG_IPSEC_AUTH_HMAC_SHA1) += ipsec_sha1.o
-
-###
-### Pre Rules.make
-###
-# undo O_TARGET, obj-y if no static
-ifneq ($(CONFIG_IPSEC),y)
-O_TARGET :=
-ipsec_obj-y := $(obj-y)
-obj-y :=
-subdir-y :=
-endif
-
-# Define obj-m if modular ipsec
-ifeq ($(CONFIG_IPSEC),m)
-obj-m += ipsec.o
-endif
-
-
-# These rules translate from new to old makefile rules
-# Translate to Rules.make lists.
-multi-used := $(filter $(list-multi), $(obj-y) $(obj-m))
-multi-objs := $(foreach m, $(multi-used), $($(basename $(m))-objs))
-active-objs := $(sort $(multi-objs) $(obj-y) $(obj-m))
-O_OBJS := $(obj-y)
-M_OBJS := $(obj-m)
-MIX_OBJS := $(filter $(export-objs), $(active-objs))
-OX_OBJS := $(export-objs)
-SUB_DIRS := $(subdir-y)
-ALL_SUB_DIRS := $(subdir-y) $(subdir-m)
-MOD_SUB_DIRS := $(subdir-m)
-
-# dunno why, but some 2.2 setups may need explicit -DEXPORT_SYMTAB
-# uncomment next line if ipsec_alg.c compilation fails with
-# "parse error before `EXPORT_SYMTAB_not_defined'" --Juanjo
-# CFLAGS_ipsec_alg.o += -DEXPORT_SYMTAB
-#
-
-include $(TOPDIR)/Rules.make
-
-###
-### Post Rules.make
-###
-# for modular ipsec, no O_TARGET defined => define ipsec.o creation rules
-ifeq ($(CONFIG_IPSEC),m)
-ipsec.o : $(ipsec_obj-y)
- rm -f $@
- $(LD) $(LD_EXTRAFLAGS) -r $(ipsec_obj-y) -o $@
-endif
-
-$(ipsec_obj-y) $(obj-y) $(obj-m): $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h
-
-#$(obj-y) $(obj-m): $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h
-
-USE_STANDARD_AS_RULE=true
-
-clean:
- $(MAKE) -C alg clean
- -rm -f *.o
- -rm -f .*.o.flags
- -rm version.c
-
-tags TAGS: *.c *.h libfreeswan/*.c libfreeswan/*.h
- etags *.c ../../include/*.h ../../include/freeswan/*.h
- ctags *.c ../../include/*.h ../../include/freeswan/*.h
-
-tar:
- tar -cvf /dev/f1 .
-
-#
-# $Log: Makefile,v $
-# Revision 1.2 2004/03/22 21:53:19 as
-# merged alg-0.8.1 branch with HEAD
-#
-# Revision 1.1.4.1 2004/03/16 09:48:19 as
-# alg-0.8.1rc12 patch merged
-#
-# Revision 1.1 2004/03/15 20:35:26 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.61 2003/06/22 21:07:46 mcr
-# adjusted TAGS target in makefile to be useful in 2.00 source layout.
-#
-# Revision 1.60 2003/05/03 23:45:23 mcr
-# rm .o.flags and generated version.c file.
-#
-# Revision 1.59 2003/02/12 19:32:47 rgb
-# Added ipsec_xmit to the list of object files.
-#
-# Revision 1.58 2003/01/03 00:36:44 rgb
-#
-# Added emacs compile-command.
-#
-# Revision 1.57 2002/11/08 23:49:53 mcr
-# use KERNEL_CFLAGS and MODULE_CFLAGS to get proper list
-# of include directories.
-# This also eliminates some of the guesswork in the kernel
-# configuration file.
-#
-# Revision 1.56 2002/11/08 23:23:18 mcr
-# attempt to guess kernel compilation flags (i.e. list of -I)
-# by using some magic targets in the kernel makefile.
-#
-# Revision 1.55 2002/11/08 10:13:33 mcr
-# added additional include directories for module builds for 2.4.19.
-#
-# Revision 1.54 2002/10/20 06:10:30 build
-# CONFIG_NOHIGHMEM for -Wpointer-arith RPM building issues.
-#
-# Revision 1.53 2002/10/17 16:32:01 mcr
-# enable standard AS rules.
-#
-# Revision 1.52 2002/10/06 06:13:44 sam
-# Altering order of includes, so that architecture-specific header files,
-# used for building RPM modules specifically, are processed first.
-#
-# Revision 1.51 2002/10/05 15:06:38 dhr
-#
-# - To allow for gcc3.2 (used in Red Hat Linux 8.0): adjust CFLAGS (set
-# by kernel machinery) to use -falign-functions= in place of
-# -malign-functions=. Eliminates a warning (fatal with -Werror).
-#
-# - When CONFIG_HIGHMEM is on, -Wpointer-arith will warn about
-# include/linux/highmem.h. Since this is fatal with -Werror, we
-# suppress -Wpointer-arith if CONFIG_HIGHMEM is set.
-#
-# Revision 1.50 2002/09/16 21:19:45 mcr
-# enable -Werror for production - this helps a lot (found a bug in ipsec_rcv.c)
-#
-# Revision 1.49 2002/07/29 05:12:39 mcr
-# get rid of some extraneous stuff, now handled by a prefix
-# Makefile when building as a module.
-#
-# Revision 1.48 2002/07/28 23:13:49 mcr
-# set KLIPS_TOP and use it instead of ../..
-# if KLIPSMODULE, then include a bunch of stuff defined in Makefile.inc
-# that gets us the "typical" configuration that we want.
-#
-# Revision 1.47 2002/06/02 21:51:41 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.46 2002/05/14 02:35:51 rgb
-# Added file pfkey_v2_ext_process.c.
-#
-# Revision 1.45 2002/05/13 17:21:40 mcr
-# mkdep dies when given a -I to a directory that does not exist.
-# arch/${ARCH}/include is for UM arch only, so include it for that
-# ARCH only.
-#
-# Revision 1.44 2002/04/24 20:38:12 mcr
-# moved more stuff behind $KLIPSMODULE=y to get static linking to work.
-#
-# Revision 1.43 2002/04/24 09:16:18 mcr
-# include local Makefile.ver as well as FS_rootdir version.
-#
-# Revision 1.42 2002/04/24 08:50:08 mcr
-# critical patch is to set TOPDIR with :=.
-#
-# Revision 1.40 2002/04/24 00:41:07 mcr
-# Moved from ./klips/net/ipsec/Makefile,v
-#
-# Revision 1.39 2002/01/17 04:39:40 rgb
-# Take compile options from top level Makefile.inc
-#
-# Revision 1.38 2001/11/27 05:28:07 rgb
-# Shut off -Werror until we figure out a graceful way of quieting down the
-# pfkey_ops defined but not used complaint in the case of SMP in
-# pfkey_v2.c.
-#
-# Revision 1.37 2001/11/27 05:10:15 rgb
-# Added -Ilibdes and removed lib/des* symlinks.
-#
-# Revision 1.36 2001/11/26 09:23:47 rgb
-# Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
-#
-# Revision 1.35.2.1 2001/09/25 02:17:50 mcr
-# added ipsec_sa, ipsec_life, ipsec_proc.
-# added -Werror to compile flags (see fix for zlib/zutil.h)
-#
-# Revision 1.3 2001/09/21 04:41:26 mcr
-# actually, ipsec_proc.c and ipsec_life.c were never actually compiled.
-#
-# Revision 1.2 2001/09/21 04:11:33 mcr
-# first compilable version.
-#
-# Revision 1.1.1.2 2001/09/17 01:17:52 mcr
-# snapshot 2001-09-16
-#
-# Revision 1.35 2001/09/07 22:09:12 rgb
-# Quiet down compilation.
-#
-# Revision 1.34 2001/08/11 17:10:23 henry
-# update bogosity stuff to cover RH7.1 update
-#
-# Revision 1.33 2001/06/14 19:35:07 rgb
-# Update copyright date.
-#
-# Revision 1.32 2001/06/13 21:00:50 rgb
-# Added a kludge to get around RedHat kernel version bogosity...
-#
-# Revision 1.31 2001/01/29 22:19:06 rgb
-# Convert to 2.4 new style with back compat.
-#
-# Revision 1.30 2000/09/29 19:51:57 rgb
-# Moved klips/net/ipsec/ipcomp_* to zlib/* (Svenning).
-#
-# Revision 1.29 2000/09/15 11:37:01 rgb
-# Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
-# IPCOMP zlib deflate code.
-#
-# Revision 1.28 2000/09/15 04:55:25 rgb
-# Clean up pfkey object inclusion into the default object.
-#
-# Revision 1.27 2000/09/12 03:20:47 rgb
-# Cleared out now unused pfkeyv2 switch.
-# Enabled sysctl.
-#
-# Revision 1.26 2000/09/08 19:12:55 rgb
-# Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
-#
-# Revision 1.25 2000/06/16 03:09:16 rgb
-# Shut up cast lost warning due to changes in 2.4.0-test1.
-#
-# Revision 1.24 2000/03/16 06:40:48 rgb
-# Hardcode PF_KEYv2 support.
-#
-# Revision 1.23 2000/02/14 21:10:38 rgb
-# Added gcc debug flag when KLIPS_DEBUG is swtiched on.
-#
-# Revision 1.22 2000/01/21 09:44:29 rgb
-# Added compiler switches to be a lot more fussy.
-#
-# Revision 1.21 1999/11/25 23:35:20 rgb
-# Removed quotes to fix Alpha compile issues.
-#
-# Revision 1.20 1999/11/17 15:49:34 rgb
-# Changed all occurrences of ../../../lib in pathnames to libfreeswan,
-# which refers to the /usr/src/linux/net/ipsec/lib directory setup by the
-# klink target in the top-level Makefile; and libdeslite.o to
-# libdes/libdes.a.
-# Added SUB_DIRS := lib definition for the kernel libraries.
-#
-# Revision 1.19 1999/04/27 19:06:47 rgb
-# dd libs and dependancies to tags generation.
-#
-# Revision 1.18 1999/04/16 16:28:12 rgb
-# Minor bugfix to avoid including DES if only AH is used.
-#
-# Revision 1.17 1999/04/15 15:37:23 rgb
-# Forward check changes from POST1_00 branch.
-#
-# Revision 1.14.2.1 1999/03/30 17:29:17 rgb
-# Add support for pfkey.
-#
-# Revision 1.16 1999/04/11 00:28:56 henry
-# GPL boilerplate
-#
-# Revision 1.15 1999/04/06 04:54:25 rgb
-# Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
-# patch shell fixes.
-#
-# Revision 1.14 1999/02/18 16:50:45 henry
-# update for new DES library
-#
-# Revision 1.13 1999/02/12 21:11:45 rgb
-# Prepare for newer LIBDES (patch from P.Onion).
-#
-# Revision 1.12 1999/01/26 02:05:08 rgb
-# Remove references to INET_GET_PROTOCOL.
-# Removed CONFIG_IPSEC_ALGO_SWITCH macro.
-# Change from transform switch to algorithm switch.
-#
-# Revision 1.11 1999/01/22 06:16:09 rgb
-# Added algorithm switch code config option.
-#
-# Revision 1.10 1998/11/08 05:31:21 henry
-# be a little fussier
-#
-# Revision 1.9 1998/11/08 05:29:41 henry
-# revisions for new libdes handling
-#
-# Revision 1.8 1998/08/12 00:05:48 rgb
-# Added new xforms to Makefile (moved des-cbc to des-old).
-#
-# Revision 1.7 1998/07/27 21:48:47 rgb
-# Add libkernel.
-#
-# Revision 1.6 1998/07/14 15:50:47 rgb
-# Add dependancies on linux config files.
-#
-# Revision 1.5 1998/07/09 17:44:06 rgb
-# Added 'clean' and 'tags' targets.
-# Added TOPDIR macro.
-# Change module back from symbol exporting to not.
-#
-# Revision 1.3 1998/06/25 19:25:04 rgb
-# Rearrange to support static linking and objects with exported symbol
-# tables.
-#
-# Revision 1.1 1998/06/18 21:27:42 henry
-# move sources from klips/src to klips/net/ipsec, to keep stupid
-# kernel-build scripts happier in the presence of symlinks
-#
-# Revision 1.3 1998/04/15 23:18:43 rgb
-# Unfixed the ../../libdes fix to avoid messing up Henry's script.
-#
-# Revision 1.2 1998/04/14 17:50:47 rgb
-# Fixed to find the new location of libdes.
-#
-# Revision 1.1 1998/04/09 03:05:22 henry
-# sources moved up from linux/net/ipsec
-# modifications to centralize libdes code
-#
-# Revision 1.1.1.1 1998/04/08 05:35:02 henry
-# RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
-#
-# Revision 0.5 1997/06/03 04:24:48 ji
-# Added ESP-3DES-MD5-96
-#
-# Revision 0.4 1997/01/15 01:32:59 ji
-# Added new transforms.
-#
-# Revision 0.3 1996/11/20 14:22:53 ji
-# *** empty log message ***
-#
-#
-# Local Variables:
-# compile-command: "(cd ../../.. && source umlsetup.sh && make -C ${POOLSPACE} module/ipsec.o)"
-# End Variables:
-#
-
diff --git a/linux/net/ipsec/Makefile.algtest b/linux/net/ipsec/Makefile.algtest
deleted file mode 100644
index e68b4ac77..000000000
--- a/linux/net/ipsec/Makefile.algtest
+++ /dev/null
@@ -1,125 +0,0 @@
-IPSECVERSION=2.03
-# vim:aw:ai
-#
-# null-patch, non-root GNUmakefile addon for freeswan modules compilation
-#
-# It will not "affect" normal KLIPS building because this GNUmakefile
-# it's not copied to /usr/src/linux
-#
-# Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
-# $Id: Makefile.algtest,v 1.2 2004/03/22 21:53:19 as Exp $
-#
-# 1) Copy me to linux/net/ipsec
-# 2)
-# cd klibs/net/ipsec
-# make prep TOPDIR=/path/to/usr/src/linux \
-# [CONFIG=/path/to/.config | CONFIG=/dev/null]
-# 3)
-# make all TOPDIR=.... CONFIG=....
-#CONFIG_IPSEC_ENC_3DES=y
-#CONFIG_IPSEC_AUTH_HMAC_MD5=y
-#CONFIG_IPSEC_AUTH_HMAC_SHA1=y
-CONFIG_IPSEC_ALG_AES=m
-
-ifndef TOPDIR
-$(error You _must_ pass TOPDIR= and optionally CONFIG=)
-endif
-CONFIG=$(TOPDIR)/.config
-include $(CONFIG)
-
-ifdef CONFIG_USERMODE
- ARCH=um
-endif
-CONFIG_IPSEC=m
-CONFIG_IPSEC_MODULE=y
-CONFIG_IPSEC_IPIP=y
-CONFIG_IPSEC_AH=y
-CONFIG_IPSEC_ESP=y
-CONFIG_IPSEC_ALG=y
-CONFIG_IPSEC_IPCOMP=y
-
-CONFIG_M586 :=$(shell uname -m | sed -n "s/i586/y/p" )
-CONFIG_M686 :=$(shell uname -m | sed -n "s/i686/y/p" )
-export CONFIG_M586 CONFIG_M686
-cflags-arch-$(CONFIG_M586) += -march=i586
-cflags-arch-$(CONFIG_M586_TSC) += -march=i586
-cflags-arch-$(CONFIG_M686) += -march=i686
-cflags-arch-$(CONFIG_MPENTIUMIII) += -march=i686
-cflags-arch-$(CONFIG_MK7) += -march=i686 -malign-functions=4
-CFLAGS_ARCH := $(cflags-arch-y)
-
-ifndef $(CONFIG_SHELL)
-CONFIG_SHELL=/bin/bash
-endif
-export CONFIG_SHELL TOPDIR
-
-ifdef CONFIG_SMP
-EXTRA_CFLAGS += -D__SMP__
-EXTRA_AFLAGS += -D__SMP__
-endif
-
-CFLAGS_IPSEC:=\
- -DMODVERSIONS \
- -DCONFIG_IPSEC_MODULE=1\
- -DCONFIG_IPSEC_IPIP=1\
- -DCONFIG_IPSEC_AH=1\
- -DCONFIG_IPSEC_ESP=1\
- -DCONFIG_IPSEC_IPCOMP=1\
- -DCONFIG_IPSEC_DEBUG=1 \
- -DCONFIG_IPSEC_ALG=1 \
-
-# -DCONFIG_IPSEC_DEBUG=1 \
-#
-cflags-ipsec-$(CONFIG_IPSEC_ENC_3DES) += -DCONFIG_IPSEC_ENC_3DES=1
-cflags-ipsec-$(CONFIG_IPSEC_ALG_AES) += -DCONFIG_IPSEC_ALG_AES=1
-cflags-ipsec-$(CONFIG_IPSEC_AUTH_HMAC_MD5)+= -DCONFIG_IPSEC_AUTH_HMAC_MD5=1
-cflags-ipsec-$(CONFIG_IPSEC_AUTH_HMAC_SHA1)+= -DCONFIG_IPSEC_AUTH_HMAC_SHA1=1
-CFLAGS_IPSEC+=$(cflags-ipsec-y)
-export CONFIG_IPSEC
-export CONFIG_IPSEC_MODULE
-
-
-# last bits over CFLAGS ...
-CFLAGS+=$(KINCLUDE) $(CFLAGS_IPSEC) $(CFLAGS_ARCH) $(CFLAGS_KERNEL)
-EXTRA_CFLAGS:=-I$(LOCALKLIPS) -I$(IPSEC_ROOT)/lib
-# libdes options: OPTS1
-OPTS1:=$(CFLAGS) $(EXTRA_CFLAGS)
-export OPTS1 CFLAGS
-
-#include Makefile
-KERNEL_CFLAGS= $(shell $(MAKE) -C $(TOPDIR) --no-print-directory -s -f Makefile ARCH=$(ARCH) MAKEFLAGS= script SCRIPT='@echo $$(CFLAGS)' )
-
-MODULE_CFLAGS= $(shell $(MAKE) -C $(TOPDIR) --no-print-directory -s -f Makefile ARCH=$(ARCH) MAKEFLAGS= script SCRIPT='@echo $$(MODFLAGS)' )
-
-
-ALGO_FLAGS=$(CFLAGS_IPSEC)
-export ALGO_FLAGS
-all: modules alg_modules
-modules:
- $(MAKE) -C $(TOPDIR) SUBDIRS=$(PWD) modules
-
-ifdef CONFIG_USERMODE
-local_modversions_h:
- > local_modversions.h
-else
-local_modversions_h:
- (echo "#ifndef _LINUX_MODVERSIONS_H";\
- echo "#define _LINUX_MODVERSIONS_H"; \
- echo "#include <linux/modsetver.h>"; \
- cd $(TOPDIR)/include/linux/modules; \
- perl -ne 'print "#define __ver_$$1\t$$2$$3\n#define $$1\t_set_ver($$1)\n" if (/ (.*)_R(smp)?([a-z0-9]{8})\W/);' /proc/ksyms ;\
- echo "#endif"; \
- ) > local_modversions.h
-endif
-un_local_modversions_h:
- @rm -f local_modversions.h
-
-all_alg_modules:
- (cd alg && \
- $(MAKE) CC='$(CC)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' \
- LIBCRYPTO=$(LOCALKLIPS)/../../../lib/libcrypto \
- all_alg_modules;)
-
-.PHONY: local_modversions_h
-
-
diff --git a/linux/net/ipsec/alg/Config.alg_aes.in b/linux/net/ipsec/alg/Config.alg_aes.in
deleted file mode 100644
index 4a2f81a0b..000000000
--- a/linux/net/ipsec/alg/Config.alg_aes.in
+++ /dev/null
@@ -1,3 +0,0 @@
-if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
- tristate ' AES encryption algorithm' CONFIG_IPSEC_ALG_AES
-fi
diff --git a/linux/net/ipsec/alg/Config.alg_blowfish.in b/linux/net/ipsec/alg/Config.alg_blowfish.in
deleted file mode 100644
index a4e5709b0..000000000
--- a/linux/net/ipsec/alg/Config.alg_blowfish.in
+++ /dev/null
@@ -1,3 +0,0 @@
-if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
- tristate ' BLOWFISH encryption algorithm' CONFIG_IPSEC_ALG_BLOWFISH
-fi
diff --git a/linux/net/ipsec/alg/Config.alg_cryptoapi.in b/linux/net/ipsec/alg/Config.alg_cryptoapi.in
deleted file mode 100644
index c2c66eed8..000000000
--- a/linux/net/ipsec/alg/Config.alg_cryptoapi.in
+++ /dev/null
@@ -1,3 +0,0 @@
-if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
- dep_tristate ' CRYPTOAPI ciphers support (needs cryptoapi patch)' CONFIG_IPSEC_ALG_CRYPTOAPI $CONFIG_CRYPTO
-fi
diff --git a/linux/net/ipsec/alg/Config.alg_serpent.in b/linux/net/ipsec/alg/Config.alg_serpent.in
deleted file mode 100644
index fb1a88460..000000000
--- a/linux/net/ipsec/alg/Config.alg_serpent.in
+++ /dev/null
@@ -1,3 +0,0 @@
-if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
- tristate ' SERPENT encryption algorithm' CONFIG_IPSEC_ALG_SERPENT
-fi
diff --git a/linux/net/ipsec/alg/Config.alg_sha2.in b/linux/net/ipsec/alg/Config.alg_sha2.in
deleted file mode 100644
index 2d26c814b..000000000
--- a/linux/net/ipsec/alg/Config.alg_sha2.in
+++ /dev/null
@@ -1,3 +0,0 @@
-if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
- tristate ' HMAC_SHA2 auth algorithm' CONFIG_IPSEC_ALG_SHA2
-fi
diff --git a/linux/net/ipsec/alg/Config.alg_twofish.in b/linux/net/ipsec/alg/Config.alg_twofish.in
deleted file mode 100644
index 13655649d..000000000
--- a/linux/net/ipsec/alg/Config.alg_twofish.in
+++ /dev/null
@@ -1,3 +0,0 @@
-if [ "$CONFIG_IPSEC_ALG" = "y" ]; then
- tristate ' TWOFISH encryption algorithm' CONFIG_IPSEC_ALG_TWOFISH
-fi
diff --git a/linux/net/ipsec/alg/Config.in b/linux/net/ipsec/alg/Config.in
deleted file mode 100644
index be5990e3a..000000000
--- a/linux/net/ipsec/alg/Config.in
+++ /dev/null
@@ -1,7 +0,0 @@
-#Placeholder
-source net/ipsec/alg/Config.alg_aes.in
-source net/ipsec/alg/Config.alg_blowfish.in
-source net/ipsec/alg/Config.alg_twofish.in
-source net/ipsec/alg/Config.alg_serpent.in
-source net/ipsec/alg/Config.alg_cryptoapi.in
-source net/ipsec/alg/Config.alg_sha2.in
diff --git a/linux/net/ipsec/alg/Makefile b/linux/net/ipsec/alg/Makefile
deleted file mode 100644
index 2249668f5..000000000
--- a/linux/net/ipsec/alg/Makefile
+++ /dev/null
@@ -1,112 +0,0 @@
-# $Id: Makefile,v 1.2 2004/03/22 21:53:19 as Exp $
-ifeq ($(strip $(KLIPSMODULE)),)
-FREESWANSRCDIR=.
-else
-FREESWANSRCDIR=../../../..
-endif
-ifeq ($(strip $(KLIPS_TOP)),)
-KLIPS_TOP=../../..
-override EXTRA_CFLAGS += -I$(KLIPS_TOP)/include
-endif
-
-ifeq ($(CONFIG_IPSEC_DEBUG),y)
-override EXTRA_CFLAGS += -g
-endif
-
-# LIBCRYPTO normally comes as an argument from "parent" Makefile
-# (this applies both to FS' "make module" and eg. Linux' "make modules"
-# But make dep doest follow same evaluations, so we need this default:
-LIBCRYPTO=$(TOPDIR)/lib/libcrypto
-
-override EXTRA_CFLAGS += -I$(LIBCRYPTO)/include
-override EXTRA_CFLAGS += -Wall -Wpointer-arith -Wstrict-prototypes
-
-MOD_LIST_NAME := NET_MISC_MODULES
-
-#O_TARGET := static_init.o
-
-subdir- :=
-subdir-n :=
-subdir-y :=
-subdir-m :=
-
-obj-y := static_init.o
-
-ARCH_ASM-y :=
-ARCH_ASM-$(CONFIG_M586) := i586
-ARCH_ASM-$(CONFIG_M586TSC) := i586
-ARCH_ASM-$(CONFIG_M586MMX) := i586
-ARCH_ASM-$(CONFIG_MK6) := i586
-ARCH_ASM-$(CONFIG_M686) := i686
-ARCH_ASM-$(CONFIG_MPENTIUMIII) := i686
-ARCH_ASM-$(CONFIG_MPENTIUM4) := i686
-ARCH_ASM-$(CONFIG_MK7) := i686
-ARCH_ASM-$(CONFIG_MCRUSOE) := i586
-ARCH_ASM-$(CONFIG_MWINCHIPC6) := i586
-ARCH_ASM-$(CONFIG_MWINCHIP2) := i586
-ARCH_ASM-$(CONFIG_MWINCHIP3D) := i586
-ARCH_ASM-$(CONFIG_USERMODE) := i586
-
-ARCH_ASM :=$(ARCH_ASM-y)
-ifdef NO_ASM
-ARCH_ASM :=
-endif
-
-# The algorithm makefiles may put dependences, short-circuit them
-null:
-
-makefiles=$(filter-out %.preipsec, $(wildcard Makefile.alg_*))
-ifneq ($(makefiles),)
-#include Makefile.alg_aes
-#include Makefile.alg_aes-opt
-include $(makefiles)
-endif
-
-# These rules translate from new to old makefile rules
-# Translate to Rules.make lists.
-multi-used := $(filter $(list-multi), $(obj-y) $(obj-m))
-multi-objs := $(foreach m, $(multi-used), $($(basename $(m))-objs))
-active-objs := $(sort $(multi-objs) $(obj-y) $(obj-m))
-O_OBJS := $(obj-y)
-M_OBJS := $(obj-m)
-MIX_OBJS := $(filter $(export-objs), $(active-objs))
-#OX_OBJS := $(export-objs)
-SUB_DIRS := $(subdir-y)
-ALL_SUB_DIRS := $(subdir-y) $(subdir-m)
-MOD_SUB_DIRS := $(subdir-m)
-
-
-static_init_mod.o: $(obj-y)
- rm -f $@
- $(LD) $(LD_EXTRAFLAGS) $(obj-y) -r -o $@
-
-perlasm: $(LIBCRYPTO)/perlasm
- ln -sf $? $@
-
-$(obj-y) $(obj-m): $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h $(KLIPS_TOP)/include/freeswan/ipsec_alg.h
-$(alg_obj-y) $(alg_obj-m): perlasm $(TOPDIR)/include/linux/config.h $(TOPDIR)/include/linux/autoconf.h $(KLIPS_TOP)/include/freeswan/ipsec_alg.h
-
-
-all_alg_modules: perlasm $(ALG_MODULES)
- @echo "ALG_MODULES=$(ALG_MODULES)"
-
-
-#
-# Construct alg. init. function: call ipsec_ALGO_init() for every static algo
-# Needed when there are static algos (with static or modular ipsec.o)
-#
-static_init.c: $(TOPDIR)/include/linux/autoconf.h Makefile $(makefiles) scripts/mk-static_init.c.sh
- @echo "Re-creating $@"
- $(SHELL) scripts/mk-static_init.c.sh $(static_init-func-y) > $@
-
-clean:
- @for i in $(ALG_SUBDIRS);do test -d $$i && make -C $$i clean;done;exit 0
- @find . -type l -exec rm -f {} \;
- -rm -f perlasm
- -rm -rf $(ALG_SUBDIRS)
- -rm -f *.o .*.o.flags static_init.c
-
-ifdef TOPDIR
-include $(TOPDIR)/Rules.make
-endif
-
diff --git a/linux/net/ipsec/alg/Makefile.alg_aes b/linux/net/ipsec/alg/Makefile.alg_aes
deleted file mode 100644
index 75284c47a..000000000
--- a/linux/net/ipsec/alg/Makefile.alg_aes
+++ /dev/null
@@ -1,23 +0,0 @@
-MOD_AES := ipsec_aes.o
-
-ALG_MODULES += $(MOD_AES)
-ALG_SUBDIRS += libaes
-
-obj-$(CONFIG_IPSEC_ALG_AES) += $(MOD_AES)
-static_init-func-$(CONFIG_IPSEC_ALG_AES)+= ipsec_aes_init
-alg_obj-$(CONFIG_IPSEC_ALG_AES) += ipsec_alg_aes.o
-
-AES_OBJS := ipsec_alg_aes.o libaes/libaes.a
-
-$(MOD_AES): libaes $(AES_OBJS)
- $(LD) $(EXTRA_LDFLAGS) -r $(AES_OBJS) -o $@
-
-libaes: $(LIBCRYPTO)/libaes
- test -d $@ || mkdir $@ ;exit 0
- test -d $@/asm || mkdir $@/asm;exit 0
- cd $@ && ln -sf $?/Makefile $?/*.[chS] .
- cd $@/asm && ln -sf $?/asm/*.S .
-
-libaes/libaes.a: libaes
- ( cd libaes && \
- $(MAKE) CC='$(CC)' 'ARCH_ASM=$(ARCH_ASM)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' libaes.a ;)
diff --git a/linux/net/ipsec/alg/Makefile.alg_blowfish b/linux/net/ipsec/alg/Makefile.alg_blowfish
deleted file mode 100644
index 9413a9f1c..000000000
--- a/linux/net/ipsec/alg/Makefile.alg_blowfish
+++ /dev/null
@@ -1,23 +0,0 @@
-MOD_BLOWFISH := ipsec_blowfish.o
-
-ALG_MODULES += $(MOD_BLOWFISH)
-ALG_SUBDIRS += libblowfish
-
-obj-$(CONFIG_IPSEC_ALG_BLOWFISH) += $(MOD_BLOWFISH)
-static_init-func-$(CONFIG_IPSEC_ALG_BLOWFISH)+= ipsec_blowfish_init
-alg_obj-$(CONFIG_IPSEC_ALG_BLOWFISH) += ipsec_alg_blowfish.o
-
-BLOWFISH_OBJS:= ipsec_alg_blowfish.o libblowfish/libblowfish.a
-
-$(MOD_BLOWFISH): libblowfish $(BLOWFISH_OBJS)
- $(LD) -r $(BLOWFISH_OBJS) -o $@
-
-libblowfish : $(LIBCRYPTO)/libblowfish
- test -d $@ || mkdir $@ ;exit 0
- test -d $@/asm || mkdir $@/asm;exit 0
- cd $@ && ln -sf $?/Makefile $?/*.[chS] .
- cd $@/asm && ln -sf $?/asm/*.pl .
-
-libblowfish/libblowfish.a:
- ( cd libblowfish && \
- $(MAKE) CC='$(CC)' 'ARCH_ASM=$(ARCH_ASM)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' EXTRA_CFLAGS='$(EXTRA_CFLAGS)' libblowfish.a ;)
diff --git a/linux/net/ipsec/alg/Makefile.alg_cryptoapi b/linux/net/ipsec/alg/Makefile.alg_cryptoapi
deleted file mode 100644
index 77ee6481f..000000000
--- a/linux/net/ipsec/alg/Makefile.alg_cryptoapi
+++ /dev/null
@@ -1,14 +0,0 @@
-MOD_CRYPTOAPI := ipsec_cryptoapi.o
-
-ifneq ($(wildcard $(TOPDIR)/include/linux/crypto.h),)
-ALG_MODULES += $(MOD_CRYPTOAPI)
-obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += $(MOD_CRYPTOAPI)
-static_init-func-$(CONFIG_IPSEC_ALG_CRYPTOAPI)+= ipsec_cryptoapi_init
-alg_obj-$(CONFIG_IPSEC_ALG_CRYPTOAPI) += ipsec_alg_cryptoapi.o
-else
-$(warning "Linux CryptoAPI (2.4.22+ or 2.6.x) not found, not building ipsec_cryptoapi.o")
-endif
-
-CRYPTOAPI_OBJS := ipsec_alg_cryptoapi.o
-$(MOD_CRYPTOAPI): $(CRYPTOAPI_OBJS)
- $(LD) -r $(CRYPTOAPI_OBJS) -o $@
diff --git a/linux/net/ipsec/alg/Makefile.alg_serpent b/linux/net/ipsec/alg/Makefile.alg_serpent
deleted file mode 100644
index 1a2383a6a..000000000
--- a/linux/net/ipsec/alg/Makefile.alg_serpent
+++ /dev/null
@@ -1,21 +0,0 @@
-MOD_SERPENT := ipsec_serpent.o
-
-ALG_MODULES += $(MOD_SERPENT)
-ALG_SUBDIRS += libserpent
-
-obj-$(CONFIG_IPSEC_ALG_SERPENT) += $(MOD_SERPENT)
-static_init-func-$(CONFIG_IPSEC_ALG_SERPENT)+= ipsec_serpent_init
-alg_obj-$(CONFIG_IPSEC_ALG_SERPENT) += ipsec_alg_serpent.o
-
-SERPENT_OBJS=ipsec_alg_serpent.o libserpent/libserpent.a
-$(MOD_SERPENT) : libserpent $(SERPENT_OBJS)
- $(LD) -r $(SERPENT_OBJS) -o $@
-
-libserpent : $(LIBCRYPTO)/libserpent
- test -d $@ || mkdir $@ ;exit 0
- test -d $@/asm || mkdir $@/asm;exit 0
- cd $@ && ln -sf $?/Makefile $?/*.[chS] .
-
-libserpent/libserpent.a:
- ( cd libserpent && \
- $(MAKE) CC='$(CC)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' EXTRA_CFLAGS='$(EXTRA_CFLAGS)' libserpent.a ;)
diff --git a/linux/net/ipsec/alg/Makefile.alg_sha2 b/linux/net/ipsec/alg/Makefile.alg_sha2
deleted file mode 100644
index 956a0f1a3..000000000
--- a/linux/net/ipsec/alg/Makefile.alg_sha2
+++ /dev/null
@@ -1,22 +0,0 @@
-MOD_SHA2 := ipsec_sha2.o
-
-ALG_MODULES += $(MOD_SHA2)
-ALG_SUBDIRS += libsha2
-
-obj-$(CONFIG_IPSEC_ALG_SHA2) += $(MOD_SHA2)
-static_init-func-$(CONFIG_IPSEC_ALG_SHA2)+= ipsec_sha2_init
-alg_obj-$(CONFIG_IPSEC_ALG_SHA2) += ipsec_alg_sha2.o
-
-SHA2_OBJS := ipsec_alg_sha2.o libsha2/libsha2.a
-
-$(MOD_SHA2): libsha2 $(SHA2_OBJS)
- $(LD) $(EXTRA_LDFLAGS) -r $(SHA2_OBJS) -o $@
-
-libsha2 : $(LIBCRYPTO)/libsha2
- test -d $@ || mkdir $@ ;exit 0
- test -d $@/asm || mkdir $@/asm;exit 0
- cd $@ && ln -sf $?/Makefile $?/*.[chS] .
-
-libsha2/libsha2.a:
- ( cd libsha2 && \
- $(MAKE) CC='$(CC)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' EXTRA_CFLAGS='$(EXTRA_CFLAGS)' libsha2.a ;)
diff --git a/linux/net/ipsec/alg/Makefile.alg_twofish b/linux/net/ipsec/alg/Makefile.alg_twofish
deleted file mode 100644
index 559285ddd..000000000
--- a/linux/net/ipsec/alg/Makefile.alg_twofish
+++ /dev/null
@@ -1,21 +0,0 @@
-MOD_TWOFISH := ipsec_twofish.o
-
-ALG_MODULES += $(MOD_TWOFISH)
-ALG_SUBDIRS += libtwofish
-
-obj-$(CONFIG_IPSEC_ALG_TWOFISH) += $(MOD_TWOFISH)
-static_init-func-$(CONFIG_IPSEC_ALG_TWOFISH)+= ipsec_twofish_init
-alg_obj-$(CONFIG_IPSEC_ALG_TWOFISH) += ipsec_alg_twofish.o
-
-TWOFISH_OBJS := ipsec_alg_twofish.o libtwofish/libtwofish.a
-$(MOD_TWOFISH): libtwofish $(TWOFISH_OBJS)
- $(LD) -r $(TWOFISH_OBJS) -o $@
-
-libtwofish : $(LIBCRYPTO)/libtwofish
- test -d $@ || mkdir $@ ;exit 0
- test -d $@/asm || mkdir $@/asm;exit 0
- cd $@ && ln -sf $?/Makefile $?/*.[chS] .
-
-libtwofish/libtwofish.a:
- ( cd libtwofish && \
- $(MAKE) CC='$(CC)' CFLAGS='$(CFLAGS) $(EXTRA_CFLAGS)' EXTRA_CFLAGS='$(EXTRA_CFLAGS)' libtwofish.a ;)
diff --git a/linux/net/ipsec/alg/ipsec_alg_aes.c b/linux/net/ipsec/alg/ipsec_alg_aes.c
deleted file mode 100644
index c6b390281..000000000
--- a/linux/net/ipsec/alg/ipsec_alg_aes.c
+++ /dev/null
@@ -1,253 +0,0 @@
-/*
- * ipsec_alg AES cipher stubs
- *
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * $Id: ipsec_alg_aes.c,v 1.2 2004/03/22 21:53:19 as Exp $
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * Fixes by:
- * PK: Pawel Krawczyk <kravietz@aba.krakow.pl>
- * Fixes list:
- * PK: make XCBC comply with latest draft (keylength)
- *
- */
-#include <linux/config.h>
-#include <linux/version.h>
-
-/*
- * special case: ipsec core modular with this static algo inside:
- * must avoid MODULE magic for this file
- */
-#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_AES
-#undef MODULE
-#endif
-
-#include <linux/module.h>
-#include <linux/init.h>
-
-#include <linux/kernel.h> /* printk() */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/string.h>
-
-/* Check if __exit is defined, if not null it */
-#ifndef __exit
-#define __exit
-#endif
-
-/* Low freeswan header coupling */
-#include "freeswan/ipsec_alg.h"
-#include "libaes/aes_cbc.h"
-
-#define CONFIG_IPSEC_ALG_AES_MAC 1
-
-#define AES_CONTEXT_T aes_context
-MODULE_AUTHOR("JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>");
-static int debug=0;
-MODULE_PARM(debug, "i");
-static int test=0;
-MODULE_PARM(test, "i");
-static int excl=0;
-MODULE_PARM(excl, "i");
-static int keyminbits=0;
-MODULE_PARM(keyminbits, "i");
-static int keymaxbits=0;
-MODULE_PARM(keymaxbits, "i");
-
-#if CONFIG_IPSEC_ALG_AES_MAC
-#include "libaes/aes_xcbc_mac.h"
-
-/*
- * Not IANA number yet (draft-ietf-ipsec-ciph-aes-xcbc-mac-00.txt).
- * We use 9 for non-modular algorithm and none for modular, thus
- * forcing user to specify one on module load. -kravietz
- */
-#ifdef MODULE
-static int auth_id=0;
-#else
-static int auth_id=9;
-#endif
-MODULE_PARM(auth_id, "i");
-#endif
-
-#define ESP_AES 12 /* truely _constant_ :) */
-
-/* 128, 192 or 256 */
-#define ESP_AES_KEY_SZ_MIN 16 /* 128 bit secret key */
-#define ESP_AES_KEY_SZ_MAX 32 /* 256 bit secret key */
-#define ESP_AES_CBC_BLK_LEN 16 /* AES-CBC block size */
-
-/* Values according to draft-ietf-ipsec-ciph-aes-xcbc-mac-02.txt
- * -kravietz
- */
-#define ESP_AES_MAC_KEY_SZ 16 /* 128 bit MAC key */
-#define ESP_AES_MAC_BLK_LEN 16 /* 128 bit block */
-
-static int _aes_set_key(struct ipsec_alg_enc *alg, __u8 * key_e, const __u8 * key, size_t keysize) {
- int ret;
- AES_CONTEXT_T *ctx=(AES_CONTEXT_T*)key_e;
- ret=AES_set_key(ctx, key, keysize)!=0? 0: -EINVAL;
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug:_aes_set_key:"
- "ret=%d key_e=%p key=%p keysize=%d\n",
- ret, key_e, key, keysize);
- return ret;
-}
-static int _aes_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) {
- AES_CONTEXT_T *ctx=(AES_CONTEXT_T*)key_e;
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug:_aes_cbc_encrypt:"
- "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n",
- key_e, in, ilen, iv, encrypt);
- return AES_cbc_encrypt(ctx, in, in, ilen, iv, encrypt);
-}
-#if CONFIG_IPSEC_ALG_AES_MAC
-static int _aes_mac_set_key(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * key, int keylen) {
- aes_context_mac *ctxm=(aes_context_mac *)key_a;
- return AES_xcbc_mac_set_key(ctxm, key, keylen)? 0 : -EINVAL;
-}
-static int _aes_mac_hash(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * dat, int len, __u8 * hash, int hashlen) {
- int ret;
- char hash_buf[16];
- aes_context_mac *ctxm=(aes_context_mac *)key_a;
- ret=AES_xcbc_mac_hash(ctxm, dat, len, hash_buf);
- memcpy(hash, hash_buf, hashlen);
- return ret;
-}
-static struct ipsec_alg_auth ipsec_alg_AES_MAC = {
- ixt_version: IPSEC_ALG_VERSION,
- ixt_module: THIS_MODULE,
- ixt_refcnt: ATOMIC_INIT(0),
- ixt_alg_type: IPSEC_ALG_TYPE_AUTH,
- ixt_alg_id: 0,
- ixt_name: "aes_mac",
- ixt_blocksize: ESP_AES_MAC_BLK_LEN,
- ixt_keyminbits: ESP_AES_MAC_KEY_SZ*8,
- ixt_keymaxbits: ESP_AES_MAC_KEY_SZ*8,
- ixt_a_keylen: ESP_AES_MAC_KEY_SZ,
- ixt_a_ctx_size: sizeof(aes_context_mac),
- ixt_a_hmac_set_key: _aes_mac_set_key,
- ixt_a_hmac_hash:_aes_mac_hash,
-};
-#endif /* CONFIG_IPSEC_ALG_AES_MAC */
-static struct ipsec_alg_enc ipsec_alg_AES = {
- ixt_version: IPSEC_ALG_VERSION,
- ixt_module: THIS_MODULE,
- ixt_refcnt: ATOMIC_INIT(0),
- ixt_alg_type: IPSEC_ALG_TYPE_ENCRYPT,
- ixt_alg_id: ESP_AES,
- ixt_name: "aes",
- ixt_blocksize: ESP_AES_CBC_BLK_LEN,
- ixt_keyminbits: ESP_AES_KEY_SZ_MIN*8,
- ixt_keymaxbits: ESP_AES_KEY_SZ_MAX*8,
- ixt_e_keylen: ESP_AES_KEY_SZ_MAX,
- ixt_e_ctx_size: sizeof(AES_CONTEXT_T),
- ixt_e_set_key: _aes_set_key,
- ixt_e_cbc_encrypt:_aes_cbc_encrypt,
-};
-
-IPSEC_ALG_MODULE_INIT( ipsec_aes_init )
-{
- int ret, test_ret;
- if (keyminbits)
- ipsec_alg_AES.ixt_keyminbits=keyminbits;
- if (keymaxbits) {
- ipsec_alg_AES.ixt_keymaxbits=keymaxbits;
- if (keymaxbits*8>ipsec_alg_AES.ixt_keymaxbits)
- ipsec_alg_AES.ixt_e_keylen=keymaxbits*8;
- }
- if (excl) ipsec_alg_AES.ixt_state |= IPSEC_ALG_ST_EXCL;
- ret=register_ipsec_alg_enc(&ipsec_alg_AES);
- printk("ipsec_aes_init(alg_type=%d alg_id=%d name=%s): ret=%d\n",
- ipsec_alg_AES.ixt_alg_type,
- ipsec_alg_AES.ixt_alg_id,
- ipsec_alg_AES.ixt_name,
- ret);
- if (ret==0 && test) {
- test_ret=ipsec_alg_test(
- ipsec_alg_AES.ixt_alg_type,
- ipsec_alg_AES.ixt_alg_id,
- test);
- printk("ipsec_aes_init(alg_type=%d alg_id=%d): test_ret=%d\n",
- ipsec_alg_AES.ixt_alg_type,
- ipsec_alg_AES.ixt_alg_id,
- test_ret);
- }
-#if CONFIG_IPSEC_ALG_AES_MAC
- if (auth_id!=0){
- int ret;
- ipsec_alg_AES_MAC.ixt_alg_id=auth_id;
- ret=register_ipsec_alg_auth(&ipsec_alg_AES_MAC);
- printk("ipsec_aes_init(alg_type=%d alg_id=%d name=%s): ret=%d\n",
- ipsec_alg_AES_MAC.ixt_alg_type,
- ipsec_alg_AES_MAC.ixt_alg_id,
- ipsec_alg_AES_MAC.ixt_name,
- ret);
- if (ret==0 && test) {
- test_ret=ipsec_alg_test(
- ipsec_alg_AES_MAC.ixt_alg_type,
- ipsec_alg_AES_MAC.ixt_alg_id,
- test);
- printk("ipsec_aes_init(alg_type=%d alg_id=%d): test_ret=%d\n",
- ipsec_alg_AES_MAC.ixt_alg_type,
- ipsec_alg_AES_MAC.ixt_alg_id,
- test_ret);
- }
- } else {
- printk(KERN_DEBUG "klips_debug: experimental ipsec_alg_AES_MAC not registered [Ok] (auth_id=%d)\n", auth_id);
- }
-#endif /* CONFIG_IPSEC_ALG_AES_MAC */
- return ret;
-}
-IPSEC_ALG_MODULE_EXIT( ipsec_aes_fini )
-{
-#if CONFIG_IPSEC_ALG_AES_MAC
- if (auth_id) unregister_ipsec_alg_auth(&ipsec_alg_AES_MAC);
-#endif /* CONFIG_IPSEC_ALG_AES_MAC */
- unregister_ipsec_alg_enc(&ipsec_alg_AES);
- return;
-}
-#ifdef MODULE_LICENSE
-MODULE_LICENSE("GPL");
-#endif
-
-#if 0+NOT_YET
-#ifndef MODULE
-/*
- * This is intended for static module setups, currently
- * doesn't work for modular ipsec.o with static algos inside
- */
-static int setup_keybits(const char *str)
-{
- unsigned aux;
- char *end;
-
- aux = simple_strtoul(str,&end,0);
- if (aux != 128 && aux != 192 && aux != 256)
- return 0;
- keyminbits = aux;
-
- if (*end == 0 || *end != ',')
- return 1;
- str=end+1;
- aux = simple_strtoul(str, NULL, 0);
- if (aux != 128 && aux != 192 && aux != 256)
- return 0;
- if (aux >= keyminbits)
- keymaxbits = aux;
- return 1;
-}
-__setup("ipsec_aes_keybits=", setup_keybits);
-#endif
-#endif
-EXPORT_NO_SYMBOLS;
diff --git a/linux/net/ipsec/alg/ipsec_alg_blowfish.c b/linux/net/ipsec/alg/ipsec_alg_blowfish.c
deleted file mode 100644
index 6adc22b22..000000000
--- a/linux/net/ipsec/alg/ipsec_alg_blowfish.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/* ipsec_alg BLOWFISH cipher stubs
- *
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCS ID $Id: ipsec_alg_blowfish.c,v 1.3 2004/09/17 18:57:30 as Exp $
- */
-
-#include <linux/config.h>
-#include <linux/version.h>
-
-/*
- * special case: ipsec core modular with this static algo inside:
- * must avoid MODULE magic for this file
- */
-#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_BLOWFISH
-#undef MODULE
-#endif
-
-#include <linux/module.h>
-#include <linux/init.h>
-
-#include <linux/kernel.h> /* printk() */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/string.h>
-
-/* Check if __exit is defined, if not null it */
-#ifndef __exit
-#define __exit
-#endif
-
-/* Low freeswan header coupling */
-#include "freeswan/ipsec_alg.h"
-#include "libblowfish/blowfish.h"
-#define blowfish_context BF_KEY
-
-#define ESP_BLOWFISH 7 /* truly _constant_ :) */
-
-#define ESP_BLOWFISH_KEY_SZ_MIN 16 /* 128 bit secret key min */
-#define ESP_BLOWFISH_KEY_SZ 16 /* 128 bit secret key */
-#define ESP_BLOWFISH_KEY_SZ_MAX 56 /* 448 bit secret key max */
-#define ESP_BLOWFISH_CBC_BLK_LEN 8 /* block size */
-
-MODULE_AUTHOR("JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>");
-static int debug=0;
-MODULE_PARM(debug, "i");
-static int test=0;
-MODULE_PARM(test, "i");
-static int excl=0;
-MODULE_PARM(excl, "i");
-static int keyminbits=0;
-MODULE_PARM(keyminbits, "i");
-static int keymaxbits=0;
-MODULE_PARM(keymaxbits, "i");
-
-static int _blowfish_set_key(struct ipsec_alg_enc *alg, __u8 * key_e, const __u8 * key, size_t keysize) {
- blowfish_context *ctx=(blowfish_context*)key_e;
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug:_blowfish_set_key:"
- "key_e=%p key=%p keysize=%d\n",
- key_e, key, keysize);
- BF_set_key(ctx, keysize, (unsigned char *)key);
- return 0;
-}
-static int _blowfish_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 *iv, int encrypt) {
- /* blowfish toasts passed IV */
- __u8 iv_buf[ESP_BLOWFISH_CBC_BLK_LEN];
- blowfish_context *ctx=(blowfish_context*)key_e;
- *((__u32*)&(iv_buf)) = ((__u32*)(iv))[0];
- *((__u32*)&(iv_buf)+1) = ((__u32*)(iv))[1];
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug:_blowfish_cbc_encrypt:"
- "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n",
- key_e, in, ilen, iv_buf, encrypt);
- BF_cbc_encrypt(in, in, ilen, ctx, iv_buf, encrypt);
- return ilen;
-}
-static struct ipsec_alg_enc ipsec_alg_BLOWFISH = {
- ixt_version: IPSEC_ALG_VERSION,
- ixt_module: THIS_MODULE,
- ixt_refcnt: ATOMIC_INIT(0),
- ixt_alg_type: IPSEC_ALG_TYPE_ENCRYPT,
- ixt_alg_id: ESP_BLOWFISH,
- ixt_name: "blowfish",
- ixt_blocksize: ESP_BLOWFISH_CBC_BLK_LEN,
- ixt_keyminbits: ESP_BLOWFISH_KEY_SZ_MIN*8,
- ixt_keymaxbits: ESP_BLOWFISH_KEY_SZ_MAX*8,
- ixt_e_keylen: ESP_BLOWFISH_KEY_SZ,
- ixt_e_ctx_size: sizeof(blowfish_context),
- ixt_e_set_key: _blowfish_set_key,
- ixt_e_cbc_encrypt:_blowfish_cbc_encrypt,
-};
-
-IPSEC_ALG_MODULE_INIT(ipsec_blowfish_init)
-{
- int ret, test_ret;
- if (keyminbits)
- ipsec_alg_BLOWFISH.ixt_keyminbits=keyminbits;
- if (keymaxbits) {
- ipsec_alg_BLOWFISH.ixt_keymaxbits=keymaxbits;
- if (keymaxbits*8>ipsec_alg_BLOWFISH.ixt_keymaxbits)
- ipsec_alg_BLOWFISH.ixt_e_keylen=keymaxbits*8;
- }
- if (excl) ipsec_alg_BLOWFISH.ixt_state |= IPSEC_ALG_ST_EXCL;
- ret=register_ipsec_alg_enc(&ipsec_alg_BLOWFISH);
- printk("ipsec_blowfish_init(alg_type=%d alg_id=%d name=%s): ret=%d\n",
- ipsec_alg_BLOWFISH.ixt_alg_type,
- ipsec_alg_BLOWFISH.ixt_alg_id,
- ipsec_alg_BLOWFISH.ixt_name,
- ret);
- if (ret==0 && test) {
- test_ret=ipsec_alg_test(
- ipsec_alg_BLOWFISH.ixt_alg_type,
- ipsec_alg_BLOWFISH.ixt_alg_id,
- test);
- printk("ipsec_blowfish_init(alg_type=%d alg_id=%d): test_ret=%d\n",
- ipsec_alg_BLOWFISH.ixt_alg_type,
- ipsec_alg_BLOWFISH.ixt_alg_id,
- test_ret);
- }
- return ret;
-}
-IPSEC_ALG_MODULE_EXIT(ipsec_blowfish_fini)
-{
- unregister_ipsec_alg_enc(&ipsec_alg_BLOWFISH);
- return;
-}
-#ifdef MODULE_LICENSE
-MODULE_LICENSE("GPL");
-#endif
-
-EXPORT_NO_SYMBOLS;
diff --git a/linux/net/ipsec/alg/ipsec_alg_cryptoapi.c b/linux/net/ipsec/alg/ipsec_alg_cryptoapi.c
deleted file mode 100644
index fc68094c2..000000000
--- a/linux/net/ipsec/alg/ipsec_alg_cryptoapi.c
+++ /dev/null
@@ -1,421 +0,0 @@
-/*
- * ipsec_alg to linux cryptoapi GLUE
- *
- * Authors: CODE.ar TEAM
- * Harpo MAxx <harpo@linuxmendoza.org.ar>
- * JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- * Luciano Ruete <docemeses@softhome.net>
- *
- * $Id: ipsec_alg_cryptoapi.c,v 1.3 2004/09/17 18:57:30 as Exp $
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * Example usage:
- * modinfo -p ipsec_cryptoapi (quite useful info, including supported algos)
- * modprobe ipsec_cryptoapi
- * modprobe ipsec_cryptoapi test=1
- * modprobe ipsec_cryptoapi excl=1 (exclusive cipher/algo)
- * modprobe ipsec_cryptoapi noauto=1 aes=1 twofish=1 (only these ciphers)
- * modprobe ipsec_cryptoapi aes=128,128 (force these keylens)
- * modprobe ipsec_cryptoapi des_ede3=0 (everything but 3DES)
- */
-#include <linux/config.h>
-#include <linux/version.h>
-
-/*
- * special case: ipsec core modular with this static algo inside:
- * must avoid MODULE magic for this file
- */
-#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_CRYPTOAPI
-#undef MODULE
-#endif
-
-#include <linux/module.h>
-#include <linux/init.h>
-
-#include <linux/kernel.h> /* printk() */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/string.h>
-
-/* Check if __exit is defined, if not null it */
-#ifndef __exit
-#define __exit
-#endif
-
-/* warn the innocent */
-#if !defined (CONFIG_CRYPTO) && !defined (CONFIG_CRYPTO_MODULE)
-#warning "No linux CryptoAPI found, install 2.4.22+ or 2.6.x"
-#define NO_CRYPTOAPI_SUPPORT
-#endif
-/* Low freeswan header coupling */
-#include "freeswan/ipsec_alg.h"
-
-#include <linux/crypto.h>
-#ifdef CRYPTO_API_VERSION_CODE
-#warning "Old CryptoAPI is not supported. Only linux-2.4.22+ or linux-2.6.x are supported"
-#define NO_CRYPTOAPI_SUPPORT
-#endif
-
-#ifdef NO_CRYPTOAPI_SUPPORT
-#warning "Building an unusable module :P"
-/* Catch old CryptoAPI by not allowing module to load */
-IPSEC_ALG_MODULE_INIT( ipsec_cryptoapi_init )
-{
- printk(KERN_WARNING "ipsec_cryptoapi.o was not built on stock Linux CryptoAPI (2.4.22+ or 2.6.x), not loading.\n");
- return -EINVAL;
-}
-#else
-#include <asm/scatterlist.h>
-#include <asm/pgtable.h>
-#include <linux/mm.h>
-
-#define CIPHERNAME_AES "aes"
-#define CIPHERNAME_3DES "des3_ede"
-#define CIPHERNAME_BLOWFISH "blowfish"
-#define CIPHERNAME_CAST "cast5"
-#define CIPHERNAME_SERPENT "serpent"
-#define CIPHERNAME_TWOFISH "twofish"
-
-#define ESP_3DES 3
-#define ESP_AES 12
-#define ESP_BLOWFISH 7 /* truly _constant_ :) */
-#define ESP_CAST 6 /* quite constant :) */
-#define ESP_SERPENT 252 /* from ipsec drafts */
-#define ESP_TWOFISH 253 /* from ipsec drafts */
-
-#define AH_MD5 2
-#define AH_SHA 3
-#define DIGESTNAME_MD5 "md5"
-#define DIGESTNAME_SHA1 "sha1"
-
-MODULE_AUTHOR("Juanjo Ciarlante, Harpo MAxx, Luciano Ruete");
-static int debug=0;
-MODULE_PARM(debug, "i");
-static int test=0;
-MODULE_PARM(test, "i");
-static int excl=0;
-MODULE_PARM(excl, "i");
-
-static int noauto = 0;
-MODULE_PARM(noauto,"i");
-MODULE_PARM_DESC(noauto, "Dont try all known algos, just setup enabled ones");
-
-static int des_ede3[] = {-1, -1};
-static int aes[] = {-1, -1};
-static int blowfish[] = {-1, -1};
-static int cast[] = {-1, -1};
-static int serpent[] = {-1, -1};
-static int twofish[] = {-1, -1};
-
-MODULE_PARM(des_ede3,"1-2i");
-MODULE_PARM(aes,"1-2i");
-MODULE_PARM(blowfish,"1-2i");
-MODULE_PARM(cast,"1-2i");
-MODULE_PARM(serpent,"1-2i");
-MODULE_PARM(twofish,"1-2i");
-MODULE_PARM_DESC(des_ede3, "0: disable | 1: force_enable | min,max: dontuse");
-MODULE_PARM_DESC(aes, "0: disable | 1: force_enable | min,max: keybitlens");
-MODULE_PARM_DESC(blowfish, "0: disable | 1: force_enable | min,max: keybitlens");
-MODULE_PARM_DESC(cast, "0: disable | 1: force_enable | min,max: keybitlens");
-MODULE_PARM_DESC(serpent, "0: disable | 1: force_enable | min,max: keybitlens");
-MODULE_PARM_DESC(twofish, "0: disable | 1: force_enable | min,max: keybitlens");
-
-struct ipsec_alg_capi_cipher {
- const char *ciphername; /* cryptoapi's ciphername */
- unsigned blocksize;
- unsigned short minbits;
- unsigned short maxbits;
- int *parm; /* lkm param for this cipher */
- struct ipsec_alg_enc alg; /* note it's not a pointer */
-};
-static struct ipsec_alg_capi_cipher alg_capi_carray[] = {
- { CIPHERNAME_AES , 16, 128, 256, aes , { ixt_alg_id: ESP_AES, }},
- { CIPHERNAME_TWOFISH , 16, 128, 256, twofish, { ixt_alg_id: ESP_TWOFISH, }},
- { CIPHERNAME_SERPENT , 16, 128, 256, serpent, { ixt_alg_id: ESP_SERPENT, }},
- { CIPHERNAME_CAST , 8, 128, 128, cast , { ixt_alg_id: ESP_CAST, }},
- { CIPHERNAME_BLOWFISH , 8, 128, 448, blowfish,{ ixt_alg_id: ESP_BLOWFISH, }},
- { CIPHERNAME_3DES , 8, 192, 192, des_ede3,{ ixt_alg_id: ESP_3DES, }},
- { NULL, 0, 0, 0, NULL, {} }
-};
-#ifdef NOT_YET
-struct ipsec_alg_capi_digest {
- const char *digestname; /* cryptoapi's digestname */
- struct digest_implementation *di;
- struct ipsec_alg_auth alg; /* note it's not a pointer */
-};
-static struct ipsec_alg_capi_cipher alg_capi_darray[] = {
- { DIGESTNAME_MD5, NULL, { ixt_alg_id: AH_MD5, }},
- { DIGESTNAME_SHA1, NULL, { ixt_alg_id: AH_SHA, }},
- { NULL, NULL, {} }
-};
-#endif
-/*
- * "generic" linux cryptoapi setup_cipher() function
- */
-int setup_cipher(const char *ciphername)
-{
- return crypto_alg_available(ciphername, 0);
-}
-
-/*
- * setups ipsec_alg_capi_cipher "hyper" struct components, calling
- * register_ipsec_alg for cointaned ipsec_alg object
- */
-static void _capi_destroy_key (struct ipsec_alg_enc *alg, __u8 *key_e);
-static __u8 * _capi_new_key (struct ipsec_alg_enc *alg, const __u8 *key, size_t keylen);
-static int _capi_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt);
-
-static int
-setup_ipsec_alg_capi_cipher(struct ipsec_alg_capi_cipher *cptr)
-{
- int ret;
- cptr->alg.ixt_version = IPSEC_ALG_VERSION;
- cptr->alg.ixt_module = THIS_MODULE;
- atomic_set (& cptr->alg.ixt_refcnt, 0);
- strncpy (cptr->alg.ixt_name , cptr->ciphername, sizeof (cptr->alg.ixt_name));
-
- cptr->alg.ixt_blocksize=cptr->blocksize;
- cptr->alg.ixt_keyminbits=cptr->minbits;
- cptr->alg.ixt_keymaxbits=cptr->maxbits;
- cptr->alg.ixt_state = 0;
- if (excl) cptr->alg.ixt_state |= IPSEC_ALG_ST_EXCL;
- cptr->alg.ixt_e_keylen=cptr->alg.ixt_keymaxbits/8;
- cptr->alg.ixt_e_ctx_size = 0;
- cptr->alg.ixt_alg_type = IPSEC_ALG_TYPE_ENCRYPT;
- cptr->alg.ixt_e_new_key = _capi_new_key;
- cptr->alg.ixt_e_destroy_key = _capi_destroy_key;
- cptr->alg.ixt_e_cbc_encrypt = _capi_cbc_encrypt;
- cptr->alg.ixt_data = cptr;
-
- ret=register_ipsec_alg_enc(&cptr->alg);
- printk("setup_ipsec_alg_capi_cipher(): "
- "alg_type=%d alg_id=%d name=%s "
- "keyminbits=%d keymaxbits=%d, ret=%d\n",
- cptr->alg.ixt_alg_type,
- cptr->alg.ixt_alg_id,
- cptr->alg.ixt_name,
- cptr->alg.ixt_keyminbits,
- cptr->alg.ixt_keymaxbits,
- ret);
- return ret;
-}
-/*
- * called in ipsec_sa_wipe() time, will destroy key contexts
- * and do 1 unbind()
- */
-static void
-_capi_destroy_key (struct ipsec_alg_enc *alg, __u8 *key_e)
-{
- struct crypto_tfm *tfm=(struct crypto_tfm*)key_e;
-
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug: _capi_destroy_key:"
- "name=%s key_e=%p \n",
- alg->ixt_name, key_e);
- if (!key_e) {
- printk(KERN_ERR "klips_debug: _capi_destroy_key:"
- "name=%s NULL key_e!\n",
- alg->ixt_name);
- return;
- }
- crypto_free_tfm(tfm);
-}
-
-/*
- * create new key context, need alg->ixt_data to know which
- * (of many) cipher inside this module is the target
- */
-static __u8 *
-_capi_new_key (struct ipsec_alg_enc *alg, const __u8 *key, size_t keylen)
-{
- struct ipsec_alg_capi_cipher *cptr;
- struct crypto_tfm *tfm=NULL;
-
- cptr = alg->ixt_data;
- if (!cptr) {
- printk(KERN_ERR "_capi_new_key(): "
- "NULL ixt_data (?!) for \"%s\" algo\n"
- , alg->ixt_name);
- goto err;
- }
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug:_capi_new_key:"
- "name=%s cptr=%p key=%p keysize=%d\n",
- alg->ixt_name, cptr, key, keylen);
-
- /*
- * alloc tfm
- */
- tfm = crypto_alloc_tfm(cptr->ciphername, CRYPTO_TFM_MODE_CBC);
- if (!tfm) {
- printk(KERN_ERR "_capi_new_key(): "
- "NULL tfm for \"%s\" cryptoapi (\"%s\") algo\n"
- , alg->ixt_name, cptr->ciphername);
- goto err;
- }
- if (crypto_cipher_setkey(tfm, key, keylen) < 0) {
- printk(KERN_ERR "_capi_new_key(): "
- "failed new_key() for \"%s\" cryptoapi algo (keylen=%d)\n"
- , alg->ixt_name, keylen);
- crypto_free_tfm(tfm);
- tfm=NULL;
- }
-err:
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug:_capi_new_key:"
- "name=%s key=%p keylen=%d tfm=%p\n",
- alg->ixt_name, key, keylen, tfm);
- return (__u8 *) tfm;
-}
-/*
- * core encryption function: will use cx->ci to call actual cipher's
- * cbc function
- */
-static int
-_capi_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) {
- int error =0;
- struct crypto_tfm *tfm=(struct crypto_tfm *)key_e;
- struct scatterlist sg = {
- .page = virt_to_page(in),
- .offset = (unsigned long)(in) % PAGE_SIZE,
- .length=ilen,
- };
- if (debug > 1)
- printk(KERN_DEBUG "klips_debug:_capi_cbc_encrypt:"
- "key_e=%p "
- "in=%p out=%p ilen=%d iv=%p encrypt=%d\n"
- , key_e
- , in, in, ilen, iv, encrypt);
- crypto_cipher_set_iv(tfm, iv, crypto_tfm_alg_ivsize(tfm));
- if (encrypt)
- error = crypto_cipher_encrypt (tfm, &sg, &sg, ilen);
- else
- error = crypto_cipher_decrypt (tfm, &sg, &sg, ilen);
- if (debug > 1)
- printk(KERN_DEBUG "klips_debug:_capi_cbc_encrypt:"
- "error=%d\n"
- , error);
- return (error<0)? error : ilen;
-}
-/*
- * main initialization loop: for each cipher in list, do
- * 1) setup cryptoapi cipher else continue
- * 2) register ipsec_alg object
- */
-static int
-setup_cipher_list (struct ipsec_alg_capi_cipher* clist)
-{
- struct ipsec_alg_capi_cipher *cptr;
- /* foreach cipher in list ... */
- for (cptr=clist;cptr->ciphername;cptr++) {
- /*
- * see if cipher has been disabled (0) or
- * if noauto set and not enabled (1)
- */
- if (cptr->parm[0] == 0 || (noauto && cptr->parm[0] < 0)) {
- if (debug>0)
- printk(KERN_INFO "setup_cipher_list(): "
- "ciphername=%s skipped at user request: "
- "noauto=%d parm[0]=%d parm[1]=%d\n"
- , cptr->ciphername
- , noauto
- , cptr->parm[0]
- , cptr->parm[1]);
- continue;
- }
- /*
- * use a local ci to avoid touching cptr->ci,
- * if register ipsec_alg success then bind cipher
- */
- if( setup_cipher(cptr->ciphername) ) {
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug:"
- "setup_cipher_list():"
- "ciphername=%s found\n"
- , cptr->ciphername);
- if (setup_ipsec_alg_capi_cipher(cptr) == 0) {
-
-
- } else {
- printk(KERN_ERR "klips_debug:"
- "setup_cipher_list():"
- "ciphername=%s failed ipsec_alg_register\n"
- , cptr->ciphername);
- }
- } else {
- if (debug>0)
- printk(KERN_INFO "setup_cipher_list(): lookup for ciphername=%s: not found \n",
- cptr->ciphername);
- }
- }
- return 0;
-}
-/*
- * deregister ipsec_alg objects and unbind ciphers
- */
-static int
-unsetup_cipher_list (struct ipsec_alg_capi_cipher* clist)
-{
- struct ipsec_alg_capi_cipher *cptr;
- /* foreach cipher in list ... */
- for (cptr=clist;cptr->ciphername;cptr++) {
- if (cptr->alg.ixt_state & IPSEC_ALG_ST_REGISTERED) {
- unregister_ipsec_alg_enc(&cptr->alg);
- }
- }
- return 0;
-}
-/*
- * test loop for registered algos
- */
-static int
-test_cipher_list (struct ipsec_alg_capi_cipher* clist)
-{
- int test_ret;
- struct ipsec_alg_capi_cipher *cptr;
- /* foreach cipher in list ... */
- for (cptr=clist;cptr->ciphername;cptr++) {
- if (cptr->alg.ixt_state & IPSEC_ALG_ST_REGISTERED) {
- test_ret=ipsec_alg_test(
- cptr->alg.ixt_alg_type,
- cptr->alg.ixt_alg_id,
- test);
- printk("test_cipher_list(alg_type=%d alg_id=%d): test_ret=%d\n",
- cptr->alg.ixt_alg_type,
- cptr->alg.ixt_alg_id,
- test_ret);
- }
- }
- return 0;
-}
-
-IPSEC_ALG_MODULE_INIT( ipsec_cryptoapi_init )
-{
- int ret, test_ret;
- if ((ret=setup_cipher_list(alg_capi_carray)) < 0)
- return -EPROTONOSUPPORT;
- if (ret==0 && test) {
- test_ret=test_cipher_list(alg_capi_carray);
- }
- return ret;
-}
-IPSEC_ALG_MODULE_EXIT( ipsec_cryptoapi_fini )
-{
- unsetup_cipher_list(alg_capi_carray);
- return;
-}
-#ifdef MODULE_LICENSE
-MODULE_LICENSE("GPL");
-#endif
-
-EXPORT_NO_SYMBOLS;
-#endif /* NO_CRYPTOAPI_SUPPORT */
diff --git a/linux/net/ipsec/alg/ipsec_alg_serpent.c b/linux/net/ipsec/alg/ipsec_alg_serpent.c
deleted file mode 100644
index 1f26b0b01..000000000
--- a/linux/net/ipsec/alg/ipsec_alg_serpent.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * ipsec_alg SERPENT cipher stubs
- *
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * $Id: ipsec_alg_serpent.c,v 1.2 2004/03/22 21:53:19 as Exp $
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- */
-#include <linux/config.h>
-#include <linux/version.h>
-
-/*
- * special case: ipsec core modular with this static algo inside:
- * must avoid MODULE magic for this file
- */
-#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_SERPENT
-#undef MODULE
-#endif
-
-#include <linux/module.h>
-#include <linux/init.h>
-
-#include <linux/kernel.h> /* printk() */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/string.h>
-
-/* Check if __exit is defined, if not null it */
-#ifndef __exit
-#define __exit
-#endif
-
-/* Low freeswan header coupling */
-#include "freeswan/ipsec_alg.h"
-#include "libserpent/serpent.h"
-#include "libserpent/serpent_cbc.h"
-
-#define ESP_SERPENT 252 /* from ipsec drafts */
-
-/* 128, 192 or 256 */
-#define ESP_SERPENT_KEY_SZ_MIN 16 /* 128 bit secret key */
-#define ESP_SERPENT_KEY_SZ_MAX 32 /* 256 bit secret key */
-#define ESP_SERPENT_CBC_BLK_LEN 16 /* SERPENT-CBC block size */
-
-MODULE_AUTHOR("JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>");
-static int debug=0;
-MODULE_PARM(debug, "i");
-static int test=0;
-MODULE_PARM(test, "i");
-static int excl=0;
-MODULE_PARM(excl, "i");
-static int keyminbits=0;
-MODULE_PARM(keyminbits, "i");
-static int keymaxbits=0;
-MODULE_PARM(keymaxbits, "i");
-
-static int _serpent_set_key(struct ipsec_alg_enc *alg, __u8 * key_e, const __u8 * key, size_t keysize) {
- serpent_context *ctx=(serpent_context *)key_e;
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug:_serpent_set_key:"
- "key_e=%p key=%p keysize=%d\n",
- key_e, key, keysize);
- serpent_set_key(ctx, key, keysize);
- return 0;
-}
-static int _serpent_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) {
- serpent_context *ctx=(serpent_context *)key_e;
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug:_serpent_cbc_encrypt:"
- "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n",
- key_e, in, ilen, iv, encrypt);
- serpent_cbc_encrypt(ctx, in, in, ilen, iv, encrypt);
- return ilen;
-}
-static struct ipsec_alg_enc ipsec_alg_SERPENT = {
- ixt_version: IPSEC_ALG_VERSION,
- ixt_module: THIS_MODULE,
- ixt_refcnt: ATOMIC_INIT(0),
- ixt_alg_type: IPSEC_ALG_TYPE_ENCRYPT,
- ixt_alg_id: ESP_SERPENT,
- ixt_name: "serpent",
- ixt_blocksize: ESP_SERPENT_CBC_BLK_LEN,
- ixt_keyminbits: ESP_SERPENT_KEY_SZ_MIN * 8,
- ixt_keymaxbits: ESP_SERPENT_KEY_SZ_MAX * 8,
- ixt_e_keylen: ESP_SERPENT_KEY_SZ_MAX,
- ixt_e_ctx_size: sizeof(serpent_context),
- ixt_e_set_key: _serpent_set_key,
- ixt_e_cbc_encrypt:_serpent_cbc_encrypt,
-};
-
-IPSEC_ALG_MODULE_INIT(ipsec_serpent_init)
-{
- int ret, test_ret;
- if (keyminbits)
- ipsec_alg_SERPENT.ixt_keyminbits=keyminbits;
- if (keymaxbits) {
- ipsec_alg_SERPENT.ixt_keymaxbits=keymaxbits;
- if (keymaxbits*8>ipsec_alg_SERPENT.ixt_keymaxbits)
- ipsec_alg_SERPENT.ixt_e_keylen=keymaxbits*8;
- }
- if (excl) ipsec_alg_SERPENT.ixt_state |= IPSEC_ALG_ST_EXCL;
- ret=register_ipsec_alg_enc(&ipsec_alg_SERPENT);
- printk("ipsec_serpent_init(alg_type=%d alg_id=%d name=%s): ret=%d\n",
- ipsec_alg_SERPENT.ixt_alg_type,
- ipsec_alg_SERPENT.ixt_alg_id,
- ipsec_alg_SERPENT.ixt_name,
- ret);
- if (ret==0 && test) {
- test_ret=ipsec_alg_test(
- ipsec_alg_SERPENT.ixt_alg_type,
- ipsec_alg_SERPENT.ixt_alg_id,
- test);
- printk("ipsec_serpent_init(alg_type=%d alg_id=%d): test_ret=%d\n",
- ipsec_alg_SERPENT.ixt_alg_type,
- ipsec_alg_SERPENT.ixt_alg_id,
- test_ret);
- }
- return ret;
-}
-IPSEC_ALG_MODULE_EXIT(ipsec_serpent_fini)
-{
- unregister_ipsec_alg_enc(&ipsec_alg_SERPENT);
- return;
-}
-#ifdef MODULE_LICENSE
-MODULE_LICENSE("GPL");
-#endif
-
-EXPORT_NO_SYMBOLS;
diff --git a/linux/net/ipsec/alg/ipsec_alg_sha2.c b/linux/net/ipsec/alg/ipsec_alg_sha2.c
deleted file mode 100644
index 548585c16..000000000
--- a/linux/net/ipsec/alg/ipsec_alg_sha2.c
+++ /dev/null
@@ -1,185 +0,0 @@
-/*
- * ipsec_alg SHA2 hash stubs
- *
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * $Id: ipsec_alg_sha2.c,v 1.2 2004/03/22 21:53:19 as Exp $
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- */
-#include <linux/config.h>
-#include <linux/version.h>
-
-/*
- * special case: ipsec core modular with this static algo inside:
- * must avoid MODULE magic for this file
- */
-#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_SHA2
-#undef MODULE
-#endif
-
-#include <linux/module.h>
-#include <linux/init.h>
-
-#include <linux/kernel.h> /* printk() */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/string.h>
-
-/* Check if __exit is defined, if not null it */
-#ifndef __exit
-#define __exit
-#endif
-
-/* Low freeswan header coupling */
-#include "freeswan/ipsec_alg.h"
-#include "libsha2/sha2.h"
-#include "libsha2/hmac_sha2.h"
-
-MODULE_AUTHOR("JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>");
-static int debug=0;
-MODULE_PARM(debug, "i");
-static int test=0;
-MODULE_PARM(test, "i");
-static int excl=0;
-MODULE_PARM(excl, "i");
-
-/* almost constants ...: draft-ietf-ipsec-ciph-aes-cbc-03.txt */
-#define AH_SHA2_256 5
-#define AH_SHA2_384 6
-#define AH_SHA2_512 7
-
-static int _sha256_hmac_set_key(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * key, int keylen) {
- sha256_hmac_context *hctx=(sha256_hmac_context*)(key_a);
- sha256_hmac_set_key(hctx, key, keylen);
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug: _sha256_hmac_set_key(): "
- "key_a=%p key=%p keysize=%d\n",
- key_a, key, keylen);
- return 0;
-}
-static int _sha256_hmac_hash(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * dat, int len, __u8 * hash, int hashlen) {
- sha256_hmac_context *hctx=(sha256_hmac_context*)(key_a);
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug: _sha256_hmac_hash(): "
- "key_a=%p dat=%p len=%d hash=%p hashlen=%d\n",
- key_a, dat, len, hash, hashlen);
- sha256_hmac_hash(hctx, dat, len, hash, hashlen);
- return 0;
-}
-static int _sha512_hmac_set_key(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * key, int keylen) {
- sha512_hmac_context *hctx=(sha512_hmac_context*)(key_a);
- sha512_hmac_set_key(hctx, key, keylen);
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug: _sha512_hmac_set_key(): "
- "key_a=%p key=%p keysize=%d\n",
- key_a, key, keylen);
- return 0;
-}
-static int _sha512_hmac_hash(struct ipsec_alg_auth *alg, __u8 * key_a, const __u8 * dat, int len, __u8 * hash, int hashlen) {
- sha512_hmac_context *hctx=(sha512_hmac_context*)(key_a);
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug: _sha512_hmac_hash(): "
- "key_a=%p dat=%p len=%d hash=%p hashlen=%d\n",
- key_a, dat, len, hash, hashlen);
- sha512_hmac_hash(hctx, dat, len, hash, hashlen);
- return 0;
-}
-static struct ipsec_alg_auth ipsec_alg_SHA2_256 = {
- ixt_version: IPSEC_ALG_VERSION,
- ixt_module: THIS_MODULE,
- ixt_refcnt: ATOMIC_INIT(0),
- ixt_alg_type: IPSEC_ALG_TYPE_AUTH,
- ixt_alg_id: AH_SHA2_256,
- ixt_name: "sha2_256",
- ixt_blocksize: SHA256_BLOCKSIZE,
- ixt_keyminbits: 256,
- ixt_keymaxbits: 256,
- ixt_a_keylen: 256/8,
- ixt_a_ctx_size: sizeof(sha256_hmac_context),
- ixt_a_hmac_set_key: _sha256_hmac_set_key,
- ixt_a_hmac_hash: _sha256_hmac_hash,
-};
-static struct ipsec_alg_auth ipsec_alg_SHA2_512 = {
- ixt_version: IPSEC_ALG_VERSION,
- ixt_module: THIS_MODULE,
- ixt_refcnt: ATOMIC_INIT(0),
- ixt_alg_type: IPSEC_ALG_TYPE_AUTH,
- ixt_alg_id: AH_SHA2_512,
- ixt_name: "sha2_512",
- ixt_blocksize: SHA512_BLOCKSIZE,
- ixt_keyminbits: 512,
- ixt_keymaxbits: 512,
- ixt_a_keylen: 512/8,
- ixt_a_ctx_size: sizeof(sha512_hmac_context),
- ixt_a_hmac_set_key: _sha512_hmac_set_key,
- ixt_a_hmac_hash: _sha512_hmac_hash,
-};
-
-IPSEC_ALG_MODULE_INIT( ipsec_sha2_init )
-{
- int ret, test_ret;
- if (excl) ipsec_alg_SHA2_256.ixt_state |= IPSEC_ALG_ST_EXCL;
- ret=register_ipsec_alg_auth(&ipsec_alg_SHA2_256);
- printk("ipsec_sha2_init(alg_type=%d alg_id=%d name=%s): ret=%d\n",
- ipsec_alg_SHA2_256.ixt_alg_type,
- ipsec_alg_SHA2_256.ixt_alg_id,
- ipsec_alg_SHA2_256.ixt_name,
- ret);
- if (ret != 0)
- goto out;
- if (ret==0 && test) {
- test_ret=ipsec_alg_test(
- ipsec_alg_SHA2_256.ixt_alg_type,
- ipsec_alg_SHA2_256.ixt_alg_id,
- test);
- printk("ipsec_sha2_init(alg_type=%d alg_id=%d): test_ret=%d\n",
- ipsec_alg_SHA2_256.ixt_alg_type,
- ipsec_alg_SHA2_256.ixt_alg_id,
- test_ret);
- }
- if (excl) ipsec_alg_SHA2_512.ixt_state |= IPSEC_ALG_ST_EXCL;
- ret=register_ipsec_alg_auth(&ipsec_alg_SHA2_512);
- printk("ipsec_sha2_init(alg_type=%d alg_id=%d name=%s): ret=%d\n",
- ipsec_alg_SHA2_512.ixt_alg_type,
- ipsec_alg_SHA2_512.ixt_alg_id,
- ipsec_alg_SHA2_512.ixt_name,
- ret);
- if (ret != 0)
- goto out_256;
- if (ret==0 && test) {
- test_ret=ipsec_alg_test(
- ipsec_alg_SHA2_512.ixt_alg_type,
- ipsec_alg_SHA2_512.ixt_alg_id,
- test);
- printk("ipsec_sha2_init(alg_type=%d alg_id=%d): test_ret=%d\n",
- ipsec_alg_SHA2_512.ixt_alg_type,
- ipsec_alg_SHA2_512.ixt_alg_id,
- test_ret);
- }
- goto out;
-out_256:
- unregister_ipsec_alg_auth(&ipsec_alg_SHA2_256);
-out:
- return ret;
-}
-IPSEC_ALG_MODULE_EXIT( ipsec_sha2_fini )
-{
- unregister_ipsec_alg_auth(&ipsec_alg_SHA2_512);
- unregister_ipsec_alg_auth(&ipsec_alg_SHA2_256);
- return;
-}
-#ifdef MODULE_LICENSE
-MODULE_LICENSE("GPL");
-#endif
-
-EXPORT_NO_SYMBOLS;
diff --git a/linux/net/ipsec/alg/ipsec_alg_twofish.c b/linux/net/ipsec/alg/ipsec_alg_twofish.c
deleted file mode 100644
index dfeba1f1b..000000000
--- a/linux/net/ipsec/alg/ipsec_alg_twofish.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * ipsec_alg TWOFISH cipher stubs
- *
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * $Id: ipsec_alg_twofish.c,v 1.2 2004/03/22 21:53:19 as Exp $
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- */
-#include <linux/config.h>
-#include <linux/version.h>
-
-/*
- * special case: ipsec core modular with this static algo inside:
- * must avoid MODULE magic for this file
- */
-#if CONFIG_IPSEC_MODULE && CONFIG_IPSEC_ALG_TWOFISH
-#undef MODULE
-#endif
-
-#include <linux/module.h>
-#include <linux/init.h>
-
-#include <linux/kernel.h> /* printk() */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/string.h>
-
-/* Check if __exit is defined, if not null it */
-#ifndef __exit
-#define __exit
-#endif
-
-/* Low freeswan header coupling */
-#include "freeswan/ipsec_alg.h"
-#include "libtwofish/twofish.h"
-#include "libtwofish/twofish_cbc.h"
-
-#define ESP_TWOFISH 253 /* from ipsec drafts */
-
-/* 128, 192 or 256 */
-#define ESP_TWOFISH_KEY_SZ_MIN 16 /* 128 bit secret key */
-#define ESP_TWOFISH_KEY_SZ_MAX 32 /* 256 bit secret key */
-#define ESP_TWOFISH_CBC_BLK_LEN 16 /* TWOFISH-CBC block size */
-
-MODULE_AUTHOR("JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>");
-static int debug=0;
-MODULE_PARM(debug, "i");
-static int test=0;
-MODULE_PARM(test, "i");
-static int excl=0;
-MODULE_PARM(excl, "i");
-static int keyminbits=0;
-MODULE_PARM(keyminbits, "i");
-static int keymaxbits=0;
-MODULE_PARM(keymaxbits, "i");
-
-static int _twofish_set_key(struct ipsec_alg_enc *alg, __u8 * key_e, const __u8 * key, size_t keysize) {
- twofish_context *ctx=(twofish_context *)key_e;
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug:_twofish_set_key:"
- "key_e=%p key=%p keysize=%d\n",
- key_e, key, keysize);
- twofish_set_key(ctx, key, keysize);
- return 0;
-}
-static int _twofish_cbc_encrypt(struct ipsec_alg_enc *alg, __u8 * key_e, __u8 * in, int ilen, const __u8 * iv, int encrypt) {
- twofish_context *ctx=(twofish_context *)key_e;
- if (debug > 0)
- printk(KERN_DEBUG "klips_debug:_twofish_cbc_encrypt:"
- "key_e=%p in=%p ilen=%d iv=%p encrypt=%d\n",
- key_e, in, ilen, iv, encrypt);
- twofish_cbc_encrypt(ctx, in, in, ilen, iv, encrypt);
- return ilen;
-}
-static struct ipsec_alg_enc ipsec_alg_TWOFISH = {
- ixt_version: IPSEC_ALG_VERSION,
- ixt_module: THIS_MODULE,
- ixt_refcnt: ATOMIC_INIT(0),
- ixt_alg_type: IPSEC_ALG_TYPE_ENCRYPT,
- ixt_alg_id: ESP_TWOFISH,
- ixt_name: "twofish",
- ixt_blocksize: ESP_TWOFISH_CBC_BLK_LEN,
- ixt_keyminbits: ESP_TWOFISH_KEY_SZ_MIN * 8,
- ixt_keymaxbits: ESP_TWOFISH_KEY_SZ_MAX * 8,
- ixt_e_keylen: ESP_TWOFISH_KEY_SZ_MAX,
- ixt_e_ctx_size: sizeof(twofish_context),
- ixt_e_set_key: _twofish_set_key,
- ixt_e_cbc_encrypt:_twofish_cbc_encrypt,
-};
-
-IPSEC_ALG_MODULE_INIT( ipsec_twofish_init )
-{
- int ret, test_ret;
- if (keyminbits)
- ipsec_alg_TWOFISH.ixt_keyminbits=keyminbits;
- if (keymaxbits) {
- ipsec_alg_TWOFISH.ixt_keymaxbits=keymaxbits;
- if (keymaxbits*8>ipsec_alg_TWOFISH.ixt_keymaxbits)
- ipsec_alg_TWOFISH.ixt_e_keylen=keymaxbits*8;
- }
- if (excl) ipsec_alg_TWOFISH.ixt_state |= IPSEC_ALG_ST_EXCL;
- ret=register_ipsec_alg_enc(&ipsec_alg_TWOFISH);
- printk("ipsec_twofish_init(alg_type=%d alg_id=%d name=%s): ret=%d\n",
- ipsec_alg_TWOFISH.ixt_alg_type,
- ipsec_alg_TWOFISH.ixt_alg_id,
- ipsec_alg_TWOFISH.ixt_name, ret);
- if (ret==0 && test) {
- test_ret=ipsec_alg_test(
- ipsec_alg_TWOFISH.ixt_alg_type,
- ipsec_alg_TWOFISH.ixt_alg_id,
- test);
- printk("ipsec_twofish_init(alg_type=%d alg_id=%d): test_ret=%d\n",
- ipsec_alg_TWOFISH.ixt_alg_type,
- ipsec_alg_TWOFISH.ixt_alg_id,
- ret);
- }
- return ret;
-}
-IPSEC_ALG_MODULE_EXIT( ipsec_twofish_fini )
-{
- unregister_ipsec_alg_enc(&ipsec_alg_TWOFISH);
- return;
-}
-#ifdef MODULE_LICENSE
-MODULE_LICENSE("GPL");
-
-EXPORT_NO_SYMBOLS;
-#endif
diff --git a/linux/net/ipsec/alg/scripts/mk-static_init.c.sh b/linux/net/ipsec/alg/scripts/mk-static_init.c.sh
deleted file mode 100644
index 8a17c670e..000000000
--- a/linux/net/ipsec/alg/scripts/mk-static_init.c.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-cat << EOF
-#include <linux/kernel.h>
-#include <linux/list.h>
-#include "freeswan/ipsec_alg.h"
-$(for i in $*; do
- test -z "$i" && continue
- echo "extern int $i(void);"
-done)
-void ipsec_alg_static_init(void){
- int __attribute__ ((unused)) err=0;
-$(for i in $*; do
- test -z "$i" && continue
- echo " if ((err=$i()) < 0)"
- echo " printk(KERN_WARNING \"$i() returned %d\", err);"
-done)
-}
-EOF
diff --git a/linux/net/ipsec/defconfig b/linux/net/ipsec/defconfig
deleted file mode 100644
index 84be04318..000000000
--- a/linux/net/ipsec/defconfig
+++ /dev/null
@@ -1,140 +0,0 @@
-
-#
-# RCSID $Id: defconfig,v 1.2 2004/03/22 21:53:19 as Exp $
-#
-
-#
-# FreeS/WAN IPSec implementation, KLIPS kernel config defaults
-#
-
-#
-# First, lets override stuff already set or not in the kernel config.
-#
-# We can't even think about leaving this off...
-CONFIG_INET=y
-
-#
-# This must be on for subnet protection.
-CONFIG_IP_FORWARD=y
-
-# Shut off IPSEC masquerading if it has been enabled, since it will
-# break the compile. IPPROTO_ESP and IPPROTO_AH were included in
-# net/ipv4/ip_masq.c when they should have gone into include/linux/in.h.
-CONFIG_IP_MASQUERADE_IPSEC=n
-
-#
-# Next, lets set the recommended FreeS/WAN configuration.
-#
-
-# To config as static (preferred), 'y'. To config as module, 'm'.
-CONFIG_IPSEC=y
-
-# To do tunnel mode IPSec, this must be enabled.
-CONFIG_IPSEC_IPIP=y
-
-# To enable authentication, say 'y'. (Highly recommended)
-CONFIG_IPSEC_AH=y
-
-# Authentication algorithm(s):
-CONFIG_IPSEC_AUTH_HMAC_MD5=y
-CONFIG_IPSEC_AUTH_HMAC_SHA1=y
-
-# To enable encryption, say 'y'. (Highly recommended)
-CONFIG_IPSEC_ESP=y
-
-# Encryption algorithm(s):
-CONFIG_IPSEC_ENC_3DES=y
-
-# modular algo extensions (and new ALGOs)
-CONFIG_IPSEC_ALG=y
-CONFIG_IPSEC_ALG_3DES=m
-CONFIG_IPSEC_ALG_AES=m
-CONFIG_IPSEC_ALG_TWOFISH=m
-CONFIG_IPSEC_ALG_BLOWFISH=m
-CONFIG_IPSEC_ALG_SERPENT=m
-CONFIG_IPSEC_ALG_MD5=m
-CONFIG_IPSEC_ALG_SHA1=m
-CONFIG_IPSEC_ALG_SHA2=m
-#CONFIG_IPSEC_ALG_CAST=n
-#CONFIG_IPSEC_ALG_NULL=n
-
-# Use CryptoAPI for ALG?
-CONFIG_IPSEC_ALG_CRYPTOAPI=m
-
-
-# IP Compression: new, probably still has minor bugs.
-CONFIG_IPSEC_IPCOMP=y
-
-# To enable userspace-switchable KLIPS debugging, say 'y'.
-CONFIG_IPSEC_DEBUG=y
-
-# NAT Traversal
-CONFIG_IPSEC_NAT_TRAVERSAL=y
-
-#
-#
-# $Log: defconfig,v $
-# Revision 1.2 2004/03/22 21:53:19 as
-# merged alg-0.8.1 branch with HEAD
-#
-# Revision 1.1.2.1.2.1 2004/03/16 09:48:19 as
-# alg-0.8.1rc12 patch merged
-#
-# Revision 1.1.2.1 2004/03/15 22:30:06 as
-# nat-0.6c patch merged
-#
-# Revision 1.1 2004/03/15 20:35:26 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.22 2003/02/24 19:37:27 mcr
-# changed default compilation mode to static.
-#
-# Revision 1.21 2002/04/24 07:36:27 mcr
-# Moved from ./klips/net/ipsec/defconfig,v
-#
-# Revision 1.20 2002/04/02 04:07:40 mcr
-# default build is now 'm'odule for KLIPS
-#
-# Revision 1.19 2002/03/08 18:57:17 rgb
-# Added a blank line at the beginning of the file to make it easier for
-# other projects to patch ./arch/i386/defconfig, for example
-# LIDS+grSecurity requested by Jason Pattie.
-#
-# Revision 1.18 2000/11/30 17:26:56 rgb
-# Cleaned out unused options and enabled ipcomp by default.
-#
-# Revision 1.17 2000/09/15 11:37:01 rgb
-# Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
-# IPCOMP zlib deflate code.
-#
-# Revision 1.16 2000/09/08 19:12:55 rgb
-# Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
-#
-# Revision 1.15 2000/05/24 19:37:13 rgb
-# *** empty log message ***
-#
-# Revision 1.14 2000/05/11 21:14:57 henry
-# just commenting the FOOBAR=y lines out is not enough
-#
-# Revision 1.13 2000/05/10 20:17:58 rgb
-# Comment out netlink defaults, which are no longer needed.
-#
-# Revision 1.12 2000/05/10 19:13:38 rgb
-# Added configure option to shut off no eroute passthrough.
-#
-# Revision 1.11 2000/03/16 07:09:46 rgb
-# Hardcode PF_KEYv2 support.
-# Disable IPSEC_ICMP by default.
-# Remove DES config option from defaults file.
-#
-# Revision 1.10 2000/01/11 03:09:42 rgb
-# Added a default of 'y' to PF_KEYv2 keying I/F.
-#
-# Revision 1.9 1999/05/08 21:23:12 rgb
-# Added support for 2.2.x kernels.
-#
-# Revision 1.8 1999/04/06 04:54:25 rgb
-# Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
-# patch shell fixes.
-#
-#
diff --git a/linux/net/ipsec/ipcomp.c b/linux/net/ipsec/ipcomp.c
deleted file mode 100644
index ff12f2cdd..000000000
--- a/linux/net/ipsec/ipcomp.c
+++ /dev/null
@@ -1,725 +0,0 @@
-/*
- * IPCOMP zlib interface code.
- * Copyright (C) 2000 Svenning Soerensen <svenning@post5.tele.dk>
- * Copyright (C) 2000, 2001 Richard Guy Briggs <rgb@conscoop.ottawa.on.ca>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-char ipcomp_c_version[] = "RCSID $Id: ipcomp.c,v 1.2 2004/06/13 19:57:49 as Exp $";
-
-/* SSS */
-
-#include <linux/config.h>
-#include <linux/version.h>
-
-#define __NO_VERSION__
-#include <linux/module.h>
-#include <linux/kernel.h> /* printk() */
-
-#include "freeswan/ipsec_param.h"
-
-#ifdef MALLOC_SLAB
-# include <linux/slab.h> /* kmalloc() */
-#else /* MALLOC_SLAB */
-# include <linux/malloc.h> /* kmalloc() */
-#endif /* MALLOC_SLAB */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h>
-#include <linux/netdevice.h>
-#include <linux/ip.h>
-#include <linux/skbuff.h>
-
-#include <linux/netdevice.h> /* struct device, and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/ip.h> /* struct iphdr */
-#include <linux/skbuff.h>
-
-#include <freeswan.h>
-
-#ifdef NET_21
-# include <net/dst.h>
-# include <asm/uaccess.h>
-# include <linux/in6.h>
-# define proto_priv cb
-#endif /* NET21 */
-#include <asm/checksum.h>
-#include <net/ip.h>
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_sa.h"
-
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_tunnel.h"
-#include "freeswan/ipsec_rcv.h" /* sysctl_ipsec_inbound_policy_check */
-#include "freeswan/ipcomp.h"
-#include "zlib/zlib.h"
-#include "zlib/zutil.h"
-
-#include <pfkeyv2.h> /* SADB_X_CALG_DEFLATE */
-
-#ifdef CONFIG_IPSEC_DEBUG
-int sysctl_ipsec_debug_ipcomp = 0;
-#endif /* CONFIG_IPSEC_DEBUG */
-
-static
-struct sk_buff *skb_copy_ipcomp(struct sk_buff *skb, int data_growth, int gfp_mask);
-
-static
-voidpf my_zcalloc(voidpf opaque, uInt items, uInt size)
-{
- return (voidpf) kmalloc(items*size, GFP_ATOMIC);
-}
-
-static
-void my_zfree(voidpf opaque, voidpf address)
-{
- kfree(address);
-}
-
-struct sk_buff *skb_compress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags)
-{
- struct iphdr *iph;
- unsigned int iphlen, pyldsz, cpyldsz;
- unsigned char *buffer;
- z_stream zs;
- int zresult;
-
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_compress: .\n");
-
- if(skb == NULL) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_compress: "
- "passed in NULL skb, returning ERROR.\n");
- if(flags != NULL) {
- *flags |= IPCOMP_PARMERROR;
- }
- return skb;
- }
-
- if(ips == NULL) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_compress: "
- "passed in NULL ipsec_sa needed for cpi, returning ERROR.\n");
- if(flags) {
- *flags |= IPCOMP_PARMERROR;
- }
- return skb;
- }
-
- if (flags == NULL) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_compress: "
- "passed in NULL flags, returning ERROR.\n");
- ipsec_kfree_skb(skb);
- return NULL;
- }
-
-#ifdef NET_21
- iph = skb->nh.iph;
-#else /* NET_21 */
- iph = skb->ip_hdr;
-#endif /* NET_21 */
-
- switch (iph->protocol) {
- case IPPROTO_COMP:
- case IPPROTO_AH:
- case IPPROTO_ESP:
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_compress: "
- "skipping compression of packet with ip protocol %d.\n",
- iph->protocol);
- *flags |= IPCOMP_UNCOMPRESSABLE;
- return skb;
- }
-
- /* Don't compress packets already fragmented */
- if (iph->frag_off & __constant_htons(IP_MF | IP_OFFSET)) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_compress: "
- "skipping compression of fragmented packet.\n");
- *flags |= IPCOMP_UNCOMPRESSABLE;
- return skb;
- }
-
- iphlen = iph->ihl << 2;
- pyldsz = ntohs(iph->tot_len) - iphlen;
-
- /* Don't compress less than 90 bytes (rfc 2394) */
- if (pyldsz < 90) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_compress: "
- "skipping compression of tiny packet, len=%d.\n",
- pyldsz);
- *flags |= IPCOMP_UNCOMPRESSABLE;
- return skb;
- }
-
- /* Adaptive decision */
- if (ips->ips_comp_adapt_skip) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_compress: "
- "skipping compression: ips_comp_adapt_skip=%d.\n",
- ips->ips_comp_adapt_skip);
- ips->ips_comp_adapt_skip--;
- *flags |= IPCOMP_UNCOMPRESSABLE;
- return skb;
- }
-
- zs.zalloc = my_zcalloc;
- zs.zfree = my_zfree;
- zs.opaque = 0;
-
- /* We want to use deflateInit2 because we don't want the adler
- header. */
- zresult = deflateInit2(&zs, Z_DEFAULT_COMPRESSION, Z_DEFLATED, -11,
- DEF_MEM_LEVEL, Z_DEFAULT_STRATEGY);
- if (zresult != Z_OK) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_error:skb_compress: "
- "deflateInit2() returned error %d (%s), "
- "skipping compression.\n",
- zresult,
- zs.msg ? zs.msg : zError(zresult));
- *flags |= IPCOMP_COMPRESSIONERROR;
- return skb;
- }
-
-
- /* Max output size. Result should be max this size.
- * Implementation specific tweak:
- * If it's not at least 32 bytes and 6.25% smaller than
- * the original packet, it's probably not worth wasting
- * the receiver's CPU cycles decompressing it.
- * Your mileage may vary.
- */
- cpyldsz = pyldsz - sizeof(struct ipcomphdr) - (pyldsz <= 512 ? 32 : pyldsz >> 4);
-
- buffer = kmalloc(cpyldsz, GFP_ATOMIC);
- if (!buffer) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_error:skb_compress: "
- "unable to kmalloc(%d, GFP_ATOMIC), "
- "skipping compression.\n",
- cpyldsz);
- *flags |= IPCOMP_COMPRESSIONERROR;
- deflateEnd(&zs);
- return skb;
- }
-
-#ifdef CONFIG_IPSEC_DEBUG
- if(sysctl_ipsec_debug_ipcomp && sysctl_ipsec_debug_verbose) {
- __u8 *c;
- int i;
-
- c = (__u8*)iph + iphlen;
- for(i = 0; i < pyldsz; i++, c++) {
- if(!(i % 16)) {
- printk(KERN_INFO "skb_compress: before:");
- }
- printk("%02x ", *c);
- if(!((i + 1) % 16)) {
- printk("\n");
- }
- }
- if(i % 16) {
- printk("\n");
- }
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-
- zs.next_in = (char *) iph + iphlen; /* start of payload */
- zs.avail_in = pyldsz;
- zs.next_out = buffer; /* start of compressed payload */
- zs.avail_out = cpyldsz;
-
- /* Finish compression in one step */
- zresult = deflate(&zs, Z_FINISH);
-
- /* Free all dynamically allocated buffers */
- deflateEnd(&zs);
- if (zresult != Z_STREAM_END) {
- *flags |= IPCOMP_UNCOMPRESSABLE;
- kfree(buffer);
-
- /* Adjust adaptive counters */
- if (++(ips->ips_comp_adapt_tries) == IPCOMP_ADAPT_INITIAL_TRIES) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_compress: "
- "first %d packets didn't compress, "
- "skipping next %d\n",
- IPCOMP_ADAPT_INITIAL_TRIES,
- IPCOMP_ADAPT_INITIAL_SKIP);
- ips->ips_comp_adapt_skip = IPCOMP_ADAPT_INITIAL_SKIP;
- }
- else if (ips->ips_comp_adapt_tries == IPCOMP_ADAPT_INITIAL_TRIES + IPCOMP_ADAPT_SUBSEQ_TRIES) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_compress: "
- "next %d packets didn't compress, "
- "skipping next %d\n",
- IPCOMP_ADAPT_SUBSEQ_TRIES,
- IPCOMP_ADAPT_SUBSEQ_SKIP);
- ips->ips_comp_adapt_skip = IPCOMP_ADAPT_SUBSEQ_SKIP;
- ips->ips_comp_adapt_tries = IPCOMP_ADAPT_INITIAL_TRIES;
- }
-
- return skb;
- }
-
- /* resulting compressed size */
- cpyldsz -= zs.avail_out;
-
- /* Insert IPCOMP header */
- ((struct ipcomphdr*) ((char*) iph + iphlen))->ipcomp_nh = iph->protocol;
- ((struct ipcomphdr*) ((char*) iph + iphlen))->ipcomp_flags = 0;
- /* use the bottom 16 bits of the spi for the cpi. The top 16 bits are
- for internal reference only. */
- ((struct ipcomphdr*) (((char*)iph) + iphlen))->ipcomp_cpi = htons((__u16)(ntohl(ips->ips_said.spi) & 0x0000ffff));
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_compress: "
- "spi=%08x, spi&0xffff=%04x, cpi=%04x, payload size: raw=%d, comp=%d.\n",
- ntohl(ips->ips_said.spi),
- ntohl(ips->ips_said.spi) & 0x0000ffff,
- ntohs(((struct ipcomphdr*)(((char*)iph)+iphlen))->ipcomp_cpi),
- pyldsz,
- cpyldsz);
-
- /* Update IP header */
- iph->protocol = IPPROTO_COMP;
- iph->tot_len = htons(iphlen + sizeof(struct ipcomphdr) + cpyldsz);
-#if 1 /* XXX checksum is done by ipsec_tunnel ? */
- iph->check = 0;
- iph->check = ip_fast_csum((char *) iph, iph->ihl);
-#endif
-
- /* Copy compressed payload */
- memcpy((char *) iph + iphlen + sizeof(struct ipcomphdr),
- buffer,
- cpyldsz);
- kfree(buffer);
-
- /* Update skb length/tail by "unputting" the shrinkage */
- skb_put(skb,
- cpyldsz + sizeof(struct ipcomphdr) - pyldsz);
-
-#ifdef CONFIG_IPSEC_DEBUG
- if(sysctl_ipsec_debug_ipcomp && sysctl_ipsec_debug_verbose) {
- __u8 *c;
- int i;
-
- c = (__u8*)iph + iphlen + sizeof(struct ipcomphdr);
- for(i = 0; i < cpyldsz; i++, c++) {
- if(!(i % 16)) {
- printk(KERN_INFO "skb_compress: result:");
- }
- printk("%02x ", *c);
- if(!((i + 1) % 16)) {
- printk("\n");
- }
- }
- if(i % 16) {
- printk("\n");
- }
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-
- ips->ips_comp_adapt_skip = 0;
- ips->ips_comp_adapt_tries = 0;
-
- return skb;
-}
-
-struct sk_buff *skb_decompress(struct sk_buff *skb, struct ipsec_sa *ips, unsigned int *flags)
-{
- struct sk_buff *nskb = NULL;
-
- /* original ip header */
- struct iphdr *oiph, *iph;
- unsigned int iphlen, pyldsz, cpyldsz;
- z_stream zs;
- int zresult;
-
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_decompress: .\n");
-
- if(!skb) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_error:skb_decompress: "
- "passed in NULL skb, returning ERROR.\n");
- if (flags) *flags |= IPCOMP_PARMERROR;
- return skb;
- }
-
- if(!ips && sysctl_ipsec_inbound_policy_check) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_error:skb_decompress: "
- "passed in NULL ipsec_sa needed for comp alg, returning ERROR.\n");
- if (flags) *flags |= IPCOMP_PARMERROR;
- return skb;
- }
-
- if (!flags) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_error:skb_decompress: "
- "passed in NULL flags, returning ERROR.\n");
- ipsec_kfree_skb(skb);
- return NULL;
- }
-
-#ifdef NET_21
- oiph = skb->nh.iph;
-#else /* NET_21 */
- oiph = skb->ip_hdr;
-#endif /* NET_21 */
-
- iphlen = oiph->ihl << 2;
-
- if (oiph->protocol != IPPROTO_COMP) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_error:skb_decompress: "
- "called with non-IPCOMP packet (protocol=%d),"
- "skipping decompression.\n",
- oiph->protocol);
- *flags |= IPCOMP_PARMERROR;
- return skb;
- }
-
- if ( (((struct ipcomphdr*)((char*) oiph + iphlen))->ipcomp_flags != 0)
- || ((((struct ipcomphdr*) ((char*) oiph + iphlen))->ipcomp_cpi
- != htons(SADB_X_CALG_DEFLATE))
- && sysctl_ipsec_inbound_policy_check
- && (!ips || (ips && (ips->ips_encalg != SADB_X_CALG_DEFLATE)))) ) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_error:skb_decompress: "
- "called with incompatible IPCOMP packet (flags=%d, "
- "cpi=%d), ips-compalg=%d, skipping decompression.\n",
- ntohs(((struct ipcomphdr*) ((char*) oiph + iphlen))->ipcomp_flags),
- ntohs(((struct ipcomphdr*) ((char*) oiph + iphlen))->ipcomp_cpi),
- ips ? ips->ips_encalg : 0);
- *flags |= IPCOMP_PARMERROR;
-
- return skb;
- }
-
- if (ntohs(oiph->frag_off) & ~0x4000) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_error:skb_decompress: "
- "called with fragmented IPCOMP packet, "
- "skipping decompression.\n");
- *flags |= IPCOMP_PARMERROR;
- return skb;
- }
-
- /* original compressed payload size */
- cpyldsz = ntohs(oiph->tot_len) - iphlen - sizeof(struct ipcomphdr);
-
- zs.zalloc = my_zcalloc;
- zs.zfree = my_zfree;
- zs.opaque = 0;
-
- zs.next_in = (char *) oiph + iphlen + sizeof(struct ipcomphdr);
- zs.avail_in = cpyldsz;
-
- /* Maybe we should be a bit conservative about memory
- requirements and use inflateInit2 */
- /* Beware, that this might make us unable to decompress packets
- from other implementations - HINT: check PGPnet source code */
- /* We want to use inflateInit2 because we don't want the adler
- header. */
- zresult = inflateInit2(&zs, -15);
- if (zresult != Z_OK) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_error:skb_decompress: "
- "inflateInit2() returned error %d (%s), "
- "skipping decompression.\n",
- zresult,
- zs.msg ? zs.msg : zError(zresult));
- *flags |= IPCOMP_DECOMPRESSIONERROR;
-
- return skb;
- }
-
- /* We have no way of knowing the exact length of the resulting
- decompressed output before we have actually done the decompression.
- For now, we guess that the packet will not be bigger than the
- attached ipsec device's mtu or 16260, whichever is biggest.
- This may be wrong, since the sender's mtu may be bigger yet.
- XXX This must be dealt with later XXX
- */
-
- /* max payload size */
- pyldsz = skb->dev ? (skb->dev->mtu < 16260 ? 16260 : skb->dev->mtu)
- : (65520 - iphlen);
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_decompress: "
- "max payload size: %d\n", pyldsz);
-
- while (pyldsz > (cpyldsz + sizeof(struct ipcomphdr)) &&
- (nskb = skb_copy_ipcomp(skb,
- pyldsz - cpyldsz - sizeof(struct ipcomphdr),
- GFP_ATOMIC)) == NULL) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_error:skb_decompress: "
- "unable to skb_copy_ipcomp(skb, %d, GFP_ATOMIC), "
- "trying with less payload size.\n",
- (int)(pyldsz - cpyldsz - sizeof(struct ipcomphdr)));
- pyldsz >>=1;
- }
-
- if (!nskb) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_error:skb_decompress: "
- "unable to allocate memory, dropping packet.\n");
- *flags |= IPCOMP_DECOMPRESSIONERROR;
- inflateEnd(&zs);
-
- return skb;
- }
-
-#ifdef CONFIG_IPSEC_DEBUG
- if(sysctl_ipsec_debug_ipcomp && sysctl_ipsec_debug_verbose) {
- __u8 *c;
- int i;
-
- c = (__u8*)oiph + iphlen + sizeof(struct ipcomphdr);
- for(i = 0; i < cpyldsz; i++, c++) {
- if(!(i % 16)) {
- printk(KERN_INFO "skb_decompress: before:");
- }
- printk("%02x ", *c);
- if(!((i + 1) % 16)) {
- printk("\n");
- }
- }
- if(i % 16) {
- printk("\n");
- }
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-
-#ifdef NET_21
- iph = nskb->nh.iph;
-#else /* NET_21 */
- iph = nskb->ip_hdr;
-#endif /* NET_21 */
- zs.next_out = (char *)iph + iphlen;
- zs.avail_out = pyldsz;
-
- zresult = inflate(&zs, Z_SYNC_FLUSH);
-
- /* work around a bug in zlib, which sometimes wants to taste an extra
- * byte when being used in the (undocumented) raw deflate mode.
- */
- if (zresult == Z_OK && !zs.avail_in && zs.avail_out) {
- __u8 zerostuff = 0;
-
- zs.next_in = &zerostuff;
- zs.avail_in = 1;
- zresult = inflate(&zs, Z_FINISH);
- }
-
- inflateEnd(&zs);
- if (zresult != Z_STREAM_END) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_error:skb_decompress: "
- "inflate() returned error %d (%s), "
- "skipping decompression.\n",
- zresult,
- zs.msg ? zs.msg : zError(zresult));
- *flags |= IPCOMP_DECOMPRESSIONERROR;
- ipsec_kfree_skb(nskb);
-
- return skb;
- }
-
- /* Update IP header */
- /* resulting decompressed size */
- pyldsz -= zs.avail_out;
- iph->tot_len = htons(iphlen + pyldsz);
- iph->protocol = ((struct ipcomphdr*) ((char*) oiph + iphlen))->ipcomp_nh;
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_decompress: "
- "spi=%08x, spi&0xffff=%04x, cpi=%04x, payload size: comp=%d, raw=%d, nh=%d.\n",
- ips ? ntohl(ips->ips_said.spi) : 0,
- ips ? ntohl(ips->ips_said.spi) & 0x0000ffff : 0,
- ntohs(((struct ipcomphdr*)(((char*)oiph)+iphlen))->ipcomp_cpi),
- cpyldsz,
- pyldsz,
- iph->protocol);
-
-#if 1 /* XXX checksum is done by ipsec_rcv ? */
- iph->check = 0;
- iph->check = ip_fast_csum((char*) iph, iph->ihl);
-#endif
-
- /* Update skb length/tail by "unputting" the unused data area */
- skb_put(nskb, -zs.avail_out);
-
- ipsec_kfree_skb(skb);
-
- if (iph->protocol == IPPROTO_COMP)
- {
-#ifdef CONFIG_IPSEC_DEBUG
- if(sysctl_ipsec_debug_ipcomp)
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_decompress: "
- "Eh? inner packet is also compressed, dropping.\n");
-#endif /* CONFIG_IPSEC_DEBUG */
-
- ipsec_kfree_skb(nskb);
- return NULL;
- }
-
-#ifdef CONFIG_IPSEC_DEBUG
- if(sysctl_ipsec_debug_ipcomp && sysctl_ipsec_debug_verbose) {
- __u8 *c;
- int i;
-
- c = (__u8*)iph + iphlen;
- for(i = 0; i < pyldsz; i++, c++) {
- if(!(i % 16)) {
- printk(KERN_INFO "skb_decompress: result:");
- }
- printk("%02x ", *c);
- if(!((i + 1) % 16)) {
- printk("\n");
- }
- }
- if(i % 16) {
- printk("\n");
- }
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-
- return nskb;
-}
-
-
-/* this is derived from skb_copy() in linux 2.2.14 */
-/* May be incompatible with other kernel versions!! */
-static
-struct sk_buff *skb_copy_ipcomp(struct sk_buff *skb, int data_growth, int gfp_mask)
-{
- struct sk_buff *n;
- struct iphdr *iph;
- unsigned long offset;
- unsigned int iphlen;
-
- if(!skb) {
- KLIPS_PRINT(sysctl_ipsec_debug_ipcomp,
- "klips_debug:skb_copy_ipcomp: "
- "passed in NULL skb, returning NULL.\n");
- return NULL;
- }
-
- /*
- * Allocate the copy buffer
- */
-
-#ifdef NET_21
- iph = skb->nh.iph;
-#else /* NET_21 */
- iph = skb->ip_hdr;
-#endif /* NET_21 */
- if (!iph) return NULL;
- iphlen = iph->ihl << 2;
-
- n=alloc_skb(skb->end - skb->head + data_growth, gfp_mask);
- if(n==NULL)
- return NULL;
-
- /*
- * Shift between the two data areas in bytes
- */
-
- offset=n->head-skb->head;
-
- /* Set the data pointer */
- skb_reserve(n,skb->data-skb->head);
- /* Set the tail pointer and length */
- skb_put(n,skb->len+data_growth);
- /* Copy the bytes up to and including the ip header */
- memcpy(n->head,
- skb->head,
- ((char *)iph - (char *)skb->head) + iphlen);
- n->list=NULL;
- n->next=NULL;
- n->prev=NULL;
- n->sk=NULL;
- n->dev=skb->dev;
- if (skb->h.raw)
- n->h.raw=skb->h.raw+offset;
- else
- n->h.raw=NULL;
- n->protocol=skb->protocol;
-#ifdef NET_21
- n->csum = 0;
- n->priority=skb->priority;
- n->dst=dst_clone(skb->dst);
- n->nh.raw=skb->nh.raw+offset;
-#ifndef NETDEV_23
- n->is_clone=0;
-#endif /* NETDEV_23 */
- atomic_set(&n->users, 1);
- n->destructor = NULL;
- n->security=skb->security;
- memcpy(n->cb, skb->cb, sizeof(skb->cb));
-#ifdef CONFIG_IP_FIREWALL
- n->fwmark = skb->fwmark;
-#endif
-#else /* NET_21 */
- n->link3=NULL;
- n->when=skb->when;
- n->ip_hdr=(struct iphdr *)(((char *)skb->ip_hdr)+offset);
- n->saddr=skb->saddr;
- n->daddr=skb->daddr;
- n->raddr=skb->raddr;
- n->seq=skb->seq;
- n->end_seq=skb->end_seq;
- n->ack_seq=skb->ack_seq;
- n->acked=skb->acked;
- n->free=1;
- n->arp=skb->arp;
- n->tries=0;
- n->lock=0;
- n->users=0;
- memcpy(n->proto_priv, skb->proto_priv, sizeof(skb->proto_priv));
-#endif /* NET_21 */
- if (skb->mac.raw)
- n->mac.raw=skb->mac.raw+offset;
- else
- n->mac.raw=NULL;
-#ifndef NETDEV_23
- n->used=skb->used;
-#endif /* !NETDEV_23 */
- n->pkt_type=skb->pkt_type;
-#ifndef NETDEV_23
- n->pkt_bridged=skb->pkt_bridged;
-#endif /* NETDEV_23 */
- n->ip_summed=0;
- n->stamp=skb->stamp;
-#ifndef NETDEV_23 /* this seems to have been removed in 2.4 */
-#if defined(CONFIG_SHAPER) || defined(CONFIG_SHAPER_MODULE)
- n->shapelatency=skb->shapelatency; /* Latency on frame */
- n->shapeclock=skb->shapeclock; /* Time it should go out */
- n->shapelen=skb->shapelen; /* Frame length in clocks */
- n->shapestamp=skb->shapestamp; /* Stamp for shaper */
- n->shapepend=skb->shapepend; /* Pending */
-#endif /* defined(CONFIG_SHAPER) || defined(CONFIG_SHAPER_MODULE) */
-#endif /* NETDEV_23 */
-#ifdef CONFIG_HIPPI
- n->private.ifield=skb->private.ifield;
-#endif /* CONFIG_HIPPI */
-
- return n;
-}
diff --git a/linux/net/ipsec/ipsec_alg.c b/linux/net/ipsec/ipsec_alg.c
deleted file mode 100644
index c402b7e5b..000000000
--- a/linux/net/ipsec/ipsec_alg.c
+++ /dev/null
@@ -1,927 +0,0 @@
-/*
- * Modular extensions service and registration functions
- *
- * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
- *
- * Version: 0.8.1
- *
- * $Id: ipsec_alg.c,v 1.4 2004/06/13 19:57:49 as Exp $
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- */
-#ifdef CONFIG_IPSEC_ALG
-#define __NO_VERSION__
-#include <linux/module.h>
-#include <linux/kernel.h> /* printk() */
-
-#include <linux/netdevice.h> /* struct device, and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/ip.h> /* struct iphdr */
-#include <linux/skbuff.h>
-#include <linux/socket.h>
-#include <linux/in.h>
-#include <linux/types.h>
-#include <linux/string.h> /* memcmp() */
-#include <linux/random.h> /* get_random_bytes() */
-#include <linux/errno.h> /* error codes */
-#ifdef SPINLOCK
-# ifdef SPINLOCK_23
-# include <linux/spinlock.h> /* *lock* */
-# else /* SPINLOCK_23 */
-# include <asm/spinlock.h> /* *lock* */
-# endif /* SPINLOCK_23 */
-#endif /* SPINLOCK */
-#ifdef NET_21
-# include <asm/uaccess.h>
-# include <linux/in6.h>
-# define proto_priv cb
-#endif /* NET21 */
-#include "freeswan/ipsec_param.h"
-#include <freeswan.h>
-#include "freeswan/ipsec_sa.h"
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_radij.h"
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_tunnel.h"
-#include "freeswan/ipsec_rcv.h"
-#if defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH)
-# include "freeswan/ipsec_ah.h"
-#endif /* defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH) */
-#ifdef CONFIG_IPSEC_ESP
-# include "freeswan/ipsec_esp.h"
-#endif /* !CONFIG_IPSEC_ESP */
-#ifdef CONFIG_IPSEC_IPCOMP
-# include "freeswan/ipcomp.h"
-#endif /* CONFIG_IPSEC_COMP */
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "freeswan/ipsec_alg.h"
-
-#ifndef CONFIG_IPSEC_ALG
-#error This file _MUST_ be compiled with CONFIG_IPSEC_ALG enabled !
-#endif
-#if SADB_EALG_MAX < 255
-#warning Compiling with limited ESP support ( SADB_EALG_MAX < 256 )
-#endif
-
-static rwlock_t ipsec_alg_lock = RW_LOCK_UNLOCKED;
-#define IPSEC_ALG_HASHSZ 16 /* must be power of 2, even 2^0=1 */
-static struct list_head ipsec_alg_hash_table[IPSEC_ALG_HASHSZ];
-
-/* Old gcc's will fail here */
-#define barf_out(fmt, args...) do { printk(KERN_ERR "%s: (%s) " fmt, __FUNCTION__, ixt->ixt_name , ## args)\
- ; goto out; } while(0)
-
-/*
- * Must be already protected by lock
- */
-static void __ipsec_alg_usage_inc(struct ipsec_alg *ixt) {
- if (ixt->ixt_module)
- __MOD_INC_USE_COUNT(ixt->ixt_module);
- atomic_inc(&ixt->ixt_refcnt);
-}
-static void __ipsec_alg_usage_dec(struct ipsec_alg *ixt) {
- atomic_dec(&ixt->ixt_refcnt);
- if (ixt->ixt_module)
- __MOD_DEC_USE_COUNT(ixt->ixt_module);
-}
-/*
- * simple hash function, optimized for 0-hash (1 list) special
- * case
- */
-#if IPSEC_ALG_HASHSZ > 1
-static inline unsigned ipsec_alg_hashfn(int alg_type, int alg_id) {
- return ((alg_type^alg_id)&(IPSEC_ALG_HASHSZ-1));
-}
-#else
-#define ipsec_alg_hashfn(x,y) (0)
-#endif
-
-/*****************************************************************
- *
- * INTERNAL table handling: insert, delete, find
- *
- *****************************************************************/
-
-/*
- * hash table initialization, called from ipsec_alg_init()
- */
-static void ipsec_alg_hash_init(void) {
- struct list_head *head = ipsec_alg_hash_table;
- int i = IPSEC_ALG_HASHSZ;
- do {
- INIT_LIST_HEAD(head);
- head++;
- i--;
- } while (i);
-}
-/*
- * hash list lookup by {alg_type, alg_id} and table head,
- * must be already protected by lock
- */
-static struct ipsec_alg *__ipsec_alg_find(unsigned alg_type, unsigned alg_id, struct list_head * head) {
- struct list_head *p;
- struct ipsec_alg *ixt=NULL;
- for (p=head->next; p!=head; p=p->next) {
- ixt = list_entry(p, struct ipsec_alg, ixt_list);
- if (ixt->ixt_alg_type == alg_type && ixt->ixt_alg_id==alg_id) {
- goto out;
- }
- }
- ixt=NULL;
-out:
- return ixt;
-}
-/*
- * inserts (in front) a new entry in hash table,
- * called from ipsec_alg_register() when new algorithm is registered.
- */
-static int ipsec_alg_insert(struct ipsec_alg *ixt) {
- int ret=-EINVAL;
- unsigned hashval=ipsec_alg_hashfn(ixt->ixt_alg_type, ixt->ixt_alg_id);
- struct list_head *head= ipsec_alg_hash_table + hashval;
- struct ipsec_alg *ixt_cur;
- /* new element must be virgin ... */
- if (ixt->ixt_list.next != &ixt->ixt_list ||
- ixt->ixt_list.prev != &ixt->ixt_list) {
- printk(KERN_ERR "ipsec_alg_insert: ixt object \"%s\" "
- "list head not initialized\n",
- ixt->ixt_name);
- return ret;
- }
- write_lock_bh(&ipsec_alg_lock);
- ixt_cur = __ipsec_alg_find(ixt->ixt_alg_type, ixt->ixt_alg_id, head);
- /* if previous (current) ipsec_alg found check excl flag of _anyone_ */
- if (ixt_cur && ((ixt->ixt_state|ixt_cur->ixt_state) & IPSEC_ALG_ST_EXCL))
- barf_out("ipsec_alg for alg_type=%d, alg_id=%d already exist. "
- "Not loaded (ret=%d).\n",
- ixt->ixt_alg_type,
- ixt->ixt_alg_id, ret=-EEXIST);
- list_add(&ixt->ixt_list, head);
- ixt->ixt_state |= IPSEC_ALG_ST_REGISTERED;
- ret=0;
-out:
- write_unlock_bh(&ipsec_alg_lock);
- return ret;
-}
-/*
- * deletes an existing entry in hash table,
- * called from ipsec_alg_unregister() when algorithm is unregistered.
- */
-static int ipsec_alg_delete(struct ipsec_alg *ixt) {
- write_lock_bh(&ipsec_alg_lock);
- list_del(&ixt->ixt_list);
- write_unlock_bh(&ipsec_alg_lock);
- return 0;
-}
-/*
- * here @user context (read-only when @kernel bh context)
- * -> no bh disabling
- *
- * called from ipsec_sa_init() -> ipsec_alg_sa_init()
- */
-static struct ipsec_alg *ipsec_alg_get(int alg_type, int alg_id) {
- unsigned hashval=ipsec_alg_hashfn(alg_type, alg_id);
- struct list_head *head= ipsec_alg_hash_table + hashval;
- struct ipsec_alg *ixt;
- read_lock(&ipsec_alg_lock);
- ixt=__ipsec_alg_find(alg_type, alg_id, head);
- if (ixt) __ipsec_alg_usage_inc(ixt);
- read_unlock(&ipsec_alg_lock);
- return ixt;
-}
-
-static void ipsec_alg_put(struct ipsec_alg *ixt) {
- __ipsec_alg_usage_dec((struct ipsec_alg *)ixt);
-}
-
-/*****************************************************************
- *
- * INTERFACE for ENC services: key creation, encrypt function
- *
- *****************************************************************/
-
-/*
- * main encrypt service entry point
- * called from ipsec_rcv() with encrypt=IPSEC_ALG_DECRYPT and
- * ipsec_tunnel_start_xmit with encrypt=IPSEC_ALG_ENCRYPT
- */
-int ipsec_alg_esp_encrypt(struct ipsec_sa *sa_p, __u8 * idat, int ilen, const __u8 * iv, int encrypt) {
- int ret;
- struct ipsec_alg_enc *ixt_e=sa_p->ips_alg_enc;
- KLIPS_PRINT(debug_rcv||debug_tunnel,
- "klips_debug:ipsec_alg_esp_encrypt: "
- "entering with encalg=%d, ixt_e=%p\n",
- sa_p->ips_encalg, ixt_e);
- if (!ixt_e) {
- KLIPS_PRINT(debug_rcv||debug_tunnel,
- "klips_debug:ipsec_alg_esp_encrypt: "
- "NULL ipsec_alg_enc object\n");
- return -1;
- }
- KLIPS_PRINT(debug_rcv||debug_tunnel,
- "klips_debug:ipsec_alg_esp_encrypt: "
- "calling cbc_encrypt encalg=%d "
- "ips_key_e=%p idat=%p ilen=%d iv=%p, encrypt=%d\n",
- sa_p->ips_encalg,
- sa_p->ips_key_e, idat, ilen, iv, encrypt);
- ret=ixt_e->ixt_e_cbc_encrypt(ixt_e, sa_p->ips_key_e, idat, ilen, iv, encrypt);
- KLIPS_PRINT(debug_rcv||debug_tunnel,
- "klips_debug:ipsec_alg_esp_encrypt: "
- "returned ret=%d\n",
- ret);
- return ret;
-}
-/*
- * encryption key context creation function
- * called from pfkey_v2_parser.c:pfkey_ips_init()
- */
-int ipsec_alg_enc_key_create(struct ipsec_sa *sa_p) {
- int ret=-EINVAL;
- int keyminbits, keymaxbits;
- caddr_t ekp;
- struct ipsec_alg_enc *ixt_e=sa_p->ips_alg_enc;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:ipsec_alg_enc_key_create: "
- "entering with encalg=%d ixt_e=%p\n",
- sa_p->ips_encalg, ixt_e);
- if (!ixt_e) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:ipsec_alg_enc_key_create: "
- "NULL ipsec_alg_enc object\n");
- return -EPROTO;
- }
-
- /*
- * grRRR... DES 7bits jurassic stuff ... f*ckk --jjo
- */
- switch(ixt_e->ixt_alg_id) {
- case ESP_3DES:
- keyminbits=keymaxbits=192;break;
- case ESP_DES:
- keyminbits=keymaxbits=64;break;
- default:
- keyminbits=ixt_e->ixt_keyminbits;
- keymaxbits=ixt_e->ixt_keymaxbits;
- }
- if(sa_p->ips_key_bits_e<keyminbits ||
- sa_p->ips_key_bits_e>keymaxbits) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:ipsec_alg_enc_key_create: "
- "incorrect encryption key size for id=%d: %d bits -- "
- "must be between %d,%d bits\n" /*octets (bytes)\n"*/,
- ixt_e->ixt_alg_id,
- sa_p->ips_key_bits_e, keyminbits, keymaxbits);
- ret=-EINVAL;
- goto ixt_out;
- }
- /* save encryption key pointer */
- ekp = sa_p->ips_key_e;
-
-
- if (ixt_e->ixt_e_new_key) {
- sa_p->ips_key_e = ixt_e->ixt_e_new_key(ixt_e,
- ekp, sa_p->ips_key_bits_e/8);
- ret = (sa_p->ips_key_e)? 0 : -EINVAL;
- } else {
- if((sa_p->ips_key_e = (caddr_t)
- kmalloc((sa_p->ips_key_e_size = ixt_e->ixt_e_ctx_size),
- GFP_ATOMIC)) == NULL) {
- ret=-ENOMEM;
- goto ixt_out;
- }
- /* zero-out key_e */
- memset(sa_p->ips_key_e, 0, sa_p->ips_key_e_size);
-
- /* I cast here to allow more decoupling in alg module */
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:ipsec_alg_enc_key_create: about to call:"
- "set_key(key_e=%p, ekp=%p, key_size=%d)\n",
- (caddr_t)sa_p->ips_key_e, ekp, sa_p->ips_key_bits_e/8);
- ret = ixt_e->ixt_e_set_key(ixt_e, (caddr_t)sa_p->ips_key_e, ekp, sa_p->ips_key_bits_e/8);
- }
- /* paranoid */
- memset(ekp, 0, sa_p->ips_key_bits_e/8);
- kfree(ekp);
-ixt_out:
- return ret;
-}
-
-/***************************************************************
- *
- * INTERFACE for AUTH services: key creation, hash functions
- *
- ***************************************************************/
-
-/*
- * auth key context creation function
- * called from pfkey_v2_parser.c:pfkey_ips_init()
- */
-int ipsec_alg_auth_key_create(struct ipsec_sa *sa_p) {
- int ret=-EINVAL;
- struct ipsec_alg_auth *ixt_a=sa_p->ips_alg_auth;
- int keyminbits, keymaxbits;
- unsigned char *akp;
- unsigned int aks;
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:ipsec_alg_auth_key_create: "
- "entering with authalg=%d ixt_a=%p\n",
- sa_p->ips_authalg, ixt_a);
- if (!ixt_a) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:ipsec_alg_auth_key_create: "
- "NULL ipsec_alg_auth object\n");
- return -EPROTO;
- }
- keyminbits=ixt_a->ixt_keyminbits;
- keymaxbits=ixt_a->ixt_keymaxbits;
- if(sa_p->ips_key_bits_a<keyminbits || sa_p->ips_key_bits_a>keymaxbits) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:ipsec_alg_auth_key_create: incorrect auth"
- "key size: %d bits -- must be between %d,%d bits\n"/*octets (bytes)\n"*/,
- sa_p->ips_key_bits_a, keyminbits, keymaxbits);
- ret=-EINVAL;
- goto ixt_out;
- }
- /* save auth key pointer */
- sa_p->ips_auth_bits = ixt_a->ixt_a_keylen * 8; /* XXX XXX */
- akp = sa_p->ips_key_a;
- aks = sa_p->ips_key_a_size;
-
- /* will hold: 2 ctx and a blocksize buffer: kb */
- sa_p->ips_key_a_size = ixt_a->ixt_a_ctx_size;
- if((sa_p->ips_key_a =
- (caddr_t) kmalloc(sa_p->ips_key_a_size, GFP_ATOMIC)) == NULL) {
- ret=-ENOMEM;
- goto ixt_out;
- }
- ixt_a->ixt_a_hmac_set_key(ixt_a, sa_p->ips_key_a, akp, sa_p->ips_key_bits_a/8); /* XXX XXX */
- ret=0;
- memset(akp, 0, aks);
- kfree(akp);
-
-ixt_out:
- return ret;
-}
-int ipsec_alg_sa_esp_hash(const struct ipsec_sa *sa_p, const __u8 *espp, int len, __u8 *hash, int hashlen) {
- struct ipsec_alg_auth *ixt_a=sa_p->ips_alg_auth;
- if (!ixt_a) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:ipsec_sa_esp_hash: "
- "NULL ipsec_alg_auth object\n");
- return -EPROTO;
- }
- KLIPS_PRINT(debug_tunnel|debug_rcv,
- "klips_debug:ipsec_sa_esp_hash: "
- "hashing %p (%d bytes) to %p (%d bytes)\n",
- espp, len,
- hash, hashlen);
- ixt_a->ixt_a_hmac_hash(ixt_a,
- sa_p->ips_key_a,
- espp, len,
- hash, hashlen);
- return 0;
-}
-
-/***************************************************************
- *
- * INTERFACE for module loading,testing, and unloading
- *
- ***************************************************************/
-
-/* validation for registering (enc) module */
-static int check_enc(struct ipsec_alg_enc *ixt) {
- int ret=-EINVAL;
- if (ixt->ixt_alg_id==0 || ixt->ixt_alg_id > SADB_EALG_MAX)
- barf_out("invalid alg_id=%d >= %d\n", ixt->ixt_alg_id, SADB_EALG_MAX);
- if (ixt->ixt_blocksize==0) /* || ixt->ixt_blocksize%2) need for ESP_NULL */
- barf_out(KERN_ERR "invalid blocksize=%d\n", ixt->ixt_blocksize);
- if (ixt->ixt_keyminbits==0 && ixt->ixt_keymaxbits==0 && ixt->ixt_e_keylen==0)
- goto zero_key_ok;
- if (ixt->ixt_keyminbits==0)
- barf_out(KERN_ERR "invalid keyminbits=%d\n", ixt->ixt_keyminbits);
- if (ixt->ixt_keymaxbits==0)
- barf_out(KERN_ERR "invalid keymaxbits=%d\n", ixt->ixt_keymaxbits);
- if (ixt->ixt_e_keylen==0)
- barf_out(KERN_ERR "invalid keysize=%d\n", ixt->ixt_e_keylen);
-zero_key_ok:
- if (ixt->ixt_e_ctx_size==0 && ixt->ixt_e_new_key == NULL)
- barf_out(KERN_ERR "invalid key_e_size=%d and ixt_e_new_key=NULL\n", ixt->ixt_e_ctx_size);
- if (ixt->ixt_e_cbc_encrypt==NULL)
- barf_out(KERN_ERR "e_cbc_encrypt() must be not NULL\n");
- ret=0;
-out:
- return ret;
-}
-
-/* validation for registering (auth) module */
-static int check_auth(struct ipsec_alg_auth *ixt) {
- int ret=-EINVAL;
- if (ixt->ixt_alg_id==0 || ixt->ixt_alg_id > SADB_AALG_MAX)
- barf_out("invalid alg_id=%d > %d (SADB_AALG_MAX)\n", ixt->ixt_alg_id, SADB_AALG_MAX);
- if (ixt->ixt_blocksize==0 || ixt->ixt_blocksize%2)
- barf_out(KERN_ERR "invalid blocksize=%d\n", ixt->ixt_blocksize);
- if (ixt->ixt_blocksize>AH_BLKLEN_MAX)
- barf_out(KERN_ERR "sorry blocksize=%d > %d. "
- "Please increase AH_BLKLEN_MAX and recompile\n",
- ixt->ixt_blocksize,
- AH_BLKLEN_MAX);
- if (ixt->ixt_keyminbits==0 && ixt->ixt_keymaxbits==0 && ixt->ixt_a_keylen==0)
- goto zero_key_ok;
- if (ixt->ixt_keyminbits==0)
- barf_out(KERN_ERR "invalid keyminbits=%d\n", ixt->ixt_keyminbits);
- if (ixt->ixt_keymaxbits==0)
- barf_out(KERN_ERR "invalid keymaxbits=%d\n", ixt->ixt_keymaxbits);
- if (ixt->ixt_keymaxbits!=ixt->ixt_keyminbits)
- barf_out(KERN_ERR "keymaxbits must equal keyminbits (not sure).\n");
- if (ixt->ixt_a_keylen==0)
- barf_out(KERN_ERR "invalid keysize=%d\n", ixt->ixt_a_keylen);
-zero_key_ok:
- if (ixt->ixt_a_ctx_size==0)
- barf_out(KERN_ERR "invalid a_ctx_size=%d\n", ixt->ixt_a_ctx_size);
- if (ixt->ixt_a_hmac_set_key==NULL)
- barf_out(KERN_ERR "a_hmac_set_key() must be not NULL\n");
- if (ixt->ixt_a_hmac_hash==NULL)
- barf_out(KERN_ERR "a_hmac_hash() must be not NULL\n");
- ret=0;
-out:
- return ret;
-}
-
-/*
- * Generic (enc, auth) registration entry point
- */
-int register_ipsec_alg(struct ipsec_alg *ixt) {
- int ret=-EINVAL;
- /* Validation */
- if (ixt==NULL)
- barf_out("NULL ipsec_alg object passed\n");
- if ((ixt->ixt_version&0xffffff00) != (IPSEC_ALG_VERSION&0xffffff00))
- barf_out("incorrect version: %d.%d.%d-%d, "
- "must be %d.%d.%d[-%d]\n",
- IPSEC_ALG_VERSION_QUAD(ixt->ixt_version),
- IPSEC_ALG_VERSION_QUAD(IPSEC_ALG_VERSION));
- switch(ixt->ixt_alg_type) {
- case IPSEC_ALG_TYPE_AUTH:
- if ((ret=check_auth((struct ipsec_alg_auth *)ixt)<0))
- goto out;
- break;
- case IPSEC_ALG_TYPE_ENCRYPT:
- if ((ret=check_enc((struct ipsec_alg_enc *)ixt)<0))
- goto out;
- /*
- * Adapted two lines below:
- * ivlen == 0 is possible (NULL enc has blocksize==1)
- *
- * fixed NULL support by David De Reu <DeReu@tComLabs.com>
- */
- if (ixt->ixt_ivlen == 0 && ixt->ixt_blocksize > 1)
- ixt->ixt_ivlen = ixt->ixt_blocksize*8;
- break;
- default:
- barf_out("alg_type=%d not supported\n", ixt->ixt_alg_type);
- }
- INIT_LIST_HEAD(&ixt->ixt_list);
- ret = ipsec_alg_insert(ixt);
- if (ret<0)
- barf_out(KERN_WARNING "ipsec_alg for alg_id=%d failed."
- "Not loaded (ret=%d).\n",
- ixt->ixt_alg_id, ret);
-
- ret = pfkey_list_insert_supported((struct supported *)&ixt->ixt_support, &(pfkey_supported_list[SADB_SATYPE_ESP]));
- if (ret==0) {
- ixt->ixt_state |= IPSEC_ALG_ST_SUPP;
- /* send register event to userspace */
- pfkey_register_reply(SADB_SATYPE_ESP, NULL);
- } else
- printk(KERN_ERR "pfkey_list_insert_supported returned %d. "
- "Loading anyway.\n", ret);
- ret=0;
-out:
- return ret;
-}
-
-/*
- * unregister ipsec_alg object from own tables, if
- * success => calls pfkey_list_remove_supported()
- */
-int unregister_ipsec_alg(struct ipsec_alg *ixt) {
- int ret= -EINVAL;
- switch(ixt->ixt_alg_type) {
- case IPSEC_ALG_TYPE_AUTH:
- case IPSEC_ALG_TYPE_ENCRYPT:
- break;
- default:
- /* this is not a typo :) */
- barf_out("frog found in list (\"%s\"): ixt_p=NULL\n",
- ixt->ixt_name);
- }
-
- ret=ipsec_alg_delete(ixt);
- if (ixt->ixt_state&IPSEC_ALG_ST_SUPP) {
- ixt->ixt_state &= ~IPSEC_ALG_ST_SUPP;
- pfkey_list_remove_supported((struct supported *)&ixt->ixt_support, &(pfkey_supported_list[SADB_SATYPE_ESP]));
- /* send register event to userspace */
- pfkey_register_reply(SADB_SATYPE_ESP, NULL);
- }
-
-out:
- return ret;
-}
-/*
- * Must be called from user context
- * used at module load type for testing algo implementation
- */
-static int ipsec_alg_test_encrypt(int enc_alg, int test) {
- int ret;
- caddr_t buf = NULL;
- int iv_size, keysize, key_e_size;
- struct ipsec_alg_enc *ixt_e;
- void *tmp_key_e = NULL;
- #define BUFSZ 1024
- #define MARGIN 0
- #define test_enc (buf+MARGIN)
- #define test_dec (test_enc+BUFSZ+MARGIN)
- #define test_tmp (test_dec+BUFSZ+MARGIN)
- #define test_key_e (test_tmp+BUFSZ+MARGIN)
- #define test_iv (test_key_e+key_e_size+MARGIN)
- #define test_key (test_iv+iv_size+MARGIN)
- #define test_size (BUFSZ*3+key_e_size+iv_size+keysize+MARGIN*7)
- ixt_e=(struct ipsec_alg_enc *)ipsec_alg_get(IPSEC_ALG_TYPE_ENCRYPT, enc_alg);
- if (ixt_e==NULL) {
- KLIPS_PRINT(1,
- "klips_debug: ipsec_alg_test_encrypt: "
- "encalg=%d object not found\n",
- enc_alg);
- ret=-EINVAL;
- goto out;
- }
- iv_size=ixt_e->ixt_ivlen / 8;
- key_e_size=ixt_e->ixt_e_ctx_size;
- keysize=ixt_e->ixt_e_keylen;
- KLIPS_PRINT(1,
- "klips_debug: ipsec_alg_test_encrypt: "
- "enc_alg=%d blocksize=%d key_e_size=%d keysize=%d\n",
- enc_alg, iv_size, key_e_size, keysize);
- if ((buf=kmalloc (test_size, GFP_KERNEL)) == NULL) {
- ret= -ENOMEM;
- goto out;
- }
- get_random_bytes(test_key, keysize);
- get_random_bytes(test_iv, iv_size);
- if (ixt_e->ixt_e_new_key) {
- tmp_key_e = ixt_e->ixt_e_new_key(ixt_e, test_key, keysize);
- ret = tmp_key_e ? 0 : -EINVAL;
- } else {
- tmp_key_e = test_key_e;
- ret = ixt_e->ixt_e_set_key(ixt_e, test_key_e, test_key, keysize);
- }
- if (ret < 0)
- goto out;
- get_random_bytes(test_enc, BUFSZ);
- memcpy(test_tmp, test_enc, BUFSZ);
- ret=ixt_e->ixt_e_cbc_encrypt(ixt_e, tmp_key_e, test_enc, BUFSZ, test_iv, 1);
- printk(KERN_INFO
- "klips_info: ipsec_alg_test_encrypt: "
- "cbc_encrypt=1 ret=%d\n",
- ret);
- ret=memcmp(test_enc, test_tmp, BUFSZ);
- printk(KERN_INFO
- "klips_info: ipsec_alg_test_encrypt: "
- "memcmp(enc, tmp) ret=%d: %s\n", ret,
- ret!=0? "OK. (encr->DIFFers)" : "FAIL! (encr->SAME)" );
- memcpy(test_dec, test_enc, BUFSZ);
- ret=ixt_e->ixt_e_cbc_encrypt(ixt_e, tmp_key_e, test_dec, BUFSZ, test_iv, 0);
- printk(KERN_INFO
- "klips_info: ipsec_alg_test_encrypt: "
- "cbc_encrypt=0 ret=%d\n", ret);
- ret=memcmp(test_dec, test_tmp, BUFSZ);
- printk(KERN_INFO
- "klips_info: ipsec_alg_test_encrypt: "
- "memcmp(dec,tmp) ret=%d: %s\n", ret,
- ret==0? "OK. (encr->decr->SAME)" : "FAIL! (encr->decr->DIFFers)" );
- {
- /* Shamelessly taken from drivers/md sources O:) */
- unsigned long now;
- int i, count, max=0;
- int encrypt, speed;
- for (encrypt=0; encrypt <2;encrypt ++) {
- for (i = 0; i < 5; i++) {
- now = jiffies;
- count = 0;
- while (jiffies == now) {
- mb();
- ixt_e->ixt_e_cbc_encrypt(ixt_e,
- tmp_key_e, test_tmp,
- BUFSZ, test_iv, encrypt);
- mb();
- count++;
- mb();
- }
- if (count > max)
- max = count;
- }
- speed = max * (HZ * BUFSZ / 1024);
- printk(KERN_INFO
- "klips_info: ipsec_alg_test_encrypt: "
- "%s %s speed=%d KB/s\n",
- ixt_e->ixt_name,
- encrypt? "encrypt": "decrypt", speed);
- }
- }
-out:
- if (tmp_key_e && ixt_e->ixt_e_destroy_key) ixt_e->ixt_e_destroy_key(ixt_e, tmp_key_e);
- if (buf) kfree(buf);
- if (ixt_e) ipsec_alg_put((struct ipsec_alg *)ixt_e);
- return ret;
- #undef test_enc
- #undef test_dec
- #undef test_tmp
- #undef test_key_e
- #undef test_iv
- #undef test_key
- #undef test_size
-}
-/*
- * Must be called from user context
- * used at module load type for testing algo implementation
- */
-static int ipsec_alg_test_auth(int auth_alg, int test) {
- int ret;
- caddr_t buf = NULL;
- int blocksize, keysize, key_a_size;
- struct ipsec_alg_auth *ixt_a;
- #define BUFSZ 1024
- #define MARGIN 0
- #define test_auth (buf+MARGIN)
- #define test_key_a (test_auth+BUFSZ+MARGIN)
- #define test_key (test_key_a+key_a_size+MARGIN)
- #define test_hash (test_key+keysize+MARGIN)
- #define test_size (BUFSZ+key_a_size+keysize+AHHMAC_HASHLEN+MARGIN*4)
- ixt_a=(struct ipsec_alg_auth *)ipsec_alg_get(IPSEC_ALG_TYPE_AUTH, auth_alg);
- if (ixt_a==NULL) {
- KLIPS_PRINT(1,
- "klips_debug: ipsec_alg_test_auth: "
- "encalg=%d object not found\n",
- auth_alg);
- ret=-EINVAL;
- goto out;
- }
- blocksize=ixt_a->ixt_blocksize;
- key_a_size=ixt_a->ixt_a_ctx_size;
- keysize=ixt_a->ixt_a_keylen;
- KLIPS_PRINT(1,
- "klips_debug: ipsec_alg_test_auth: "
- "auth_alg=%d blocksize=%d key_a_size=%d keysize=%d\n",
- auth_alg, blocksize, key_a_size, keysize);
- if ((buf=kmalloc (test_size, GFP_KERNEL)) == NULL) {
- ret= -ENOMEM;
- goto out;
- }
- get_random_bytes(test_key, keysize);
- ret = ixt_a->ixt_a_hmac_set_key(ixt_a, test_key_a, test_key, keysize);
- if (ret < 0 )
- goto out;
- get_random_bytes(test_auth, BUFSZ);
- ret=ixt_a->ixt_a_hmac_hash(ixt_a, test_key_a, test_auth, BUFSZ, test_hash, AHHMAC_HASHLEN);
- printk(KERN_INFO
- "klips_info: ipsec_alg_test_auth: "
- "ret=%d\n", ret);
- {
- /* Shamelessly taken from drivers/md sources O:) */
- unsigned long now;
- int i, count, max=0;
- int speed;
- for (i = 0; i < 5; i++) {
- now = jiffies;
- count = 0;
- while (jiffies == now) {
- mb();
- ixt_a->ixt_a_hmac_hash(ixt_a, test_key_a, test_auth, BUFSZ, test_hash, AHHMAC_HASHLEN);
- mb();
- count++;
- mb();
- }
- if (count > max)
- max = count;
- }
- speed = max * (HZ * BUFSZ / 1024);
- printk(KERN_INFO
- "klips_info: ipsec_alg_test_auth: "
- "%s hash speed=%d KB/s\n",
- ixt_a->ixt_name,
- speed);
- }
-out:
- if (buf) kfree(buf);
- if (ixt_a) ipsec_alg_put((struct ipsec_alg *)ixt_a);
- return ret;
- #undef test_auth
- #undef test_key_a
- #undef test_key
- #undef test_hash
- #undef test_size
-}
-int ipsec_alg_test(unsigned alg_type, unsigned alg_id, int test) {
- switch(alg_type) {
- case IPSEC_ALG_TYPE_ENCRYPT:
- return ipsec_alg_test_encrypt(alg_id, test);
- break;
- case IPSEC_ALG_TYPE_AUTH:
- return ipsec_alg_test_auth(alg_id, test);
- break;
- }
- printk(KERN_ERR "klips_info: ipsec_alg_test() called incorrectly: "
- "alg_type=%d alg_id=%d\n",
- alg_type, alg_id);
- return -EINVAL;
-}
-int ipsec_alg_init(void) {
- KLIPS_PRINT(1, "klips_info:ipsec_alg_init: "
- "KLIPS alg v=%d.%d.%d-%d (EALG_MAX=%d, AALG_MAX=%d)\n",
- IPSEC_ALG_VERSION_QUAD(IPSEC_ALG_VERSION),
- SADB_EALG_MAX, SADB_AALG_MAX);
- /* Initialize tables */
- write_lock_bh(&ipsec_alg_lock);
- ipsec_alg_hash_init();
- write_unlock_bh(&ipsec_alg_lock);
- /* Initialize static algos */
- KLIPS_PRINT(1, "klips_info:ipsec_alg_init: "
- "calling ipsec_alg_static_init()\n");
- ipsec_alg_static_init();
- return 0;
-}
-
-/**********************************************
- *
- * INTERFACE for ipsec_sa init and wipe
- *
- **********************************************/
-
-/*
- * Called from pluto -> pfkey_v2_parser.c:pfkey_ipsec_sa_init()
- */
-int ipsec_alg_sa_init(struct ipsec_sa *sa_p) {
- struct ipsec_alg_enc *ixt_e;
- struct ipsec_alg_auth *ixt_a;
-
- /* Only ESP for now ... */
- if (sa_p->ips_said.proto != IPPROTO_ESP)
- return -EPROTONOSUPPORT;
- KLIPS_PRINT(debug_pfkey, "klips_debug: ipsec_alg_sa_init() :"
- "entering for encalg=%d, authalg=%d\n",
- sa_p->ips_encalg, sa_p->ips_authalg);
- if ((ixt_e=(struct ipsec_alg_enc *)
- ipsec_alg_get(IPSEC_ALG_TYPE_ENCRYPT, sa_p->ips_encalg))) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug: ipsec_alg_sa_init() :"
- "found ipsec_alg (ixt_e=%p) for encalg=%d\n",
- ixt_e, sa_p->ips_encalg);
- sa_p->ips_alg_enc=ixt_e;
- }
- if ((ixt_a=(struct ipsec_alg_auth *)
- ipsec_alg_get(IPSEC_ALG_TYPE_AUTH, sa_p->ips_authalg))) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug: ipsec_alg_sa_init() :"
- "found ipsec_alg (ixt_a=%p) for auth=%d\n",
- ixt_a, sa_p->ips_authalg);
- sa_p->ips_alg_auth=ixt_a;
- }
- return 0;
-}
-
-/*
- * Called from pluto -> ipsec_sa.c:ipsec_sa_delchain()
- */
-int ipsec_alg_sa_wipe(struct ipsec_sa *sa_p) {
- struct ipsec_alg *ixt;
- if ((ixt=(struct ipsec_alg *)sa_p->ips_alg_enc)) {
- KLIPS_PRINT(debug_pfkey, "klips_debug: ipsec_alg_sa_wipe() :"
- "unlinking for encalg=%d\n",
- ixt->ixt_alg_id);
- ipsec_alg_put(ixt);
- }
- if ((ixt=(struct ipsec_alg *)sa_p->ips_alg_auth)) {
- KLIPS_PRINT(debug_pfkey, "klips_debug: ipsec_alg_sa_wipe() :"
- "unlinking for authalg=%d\n",
- ixt->ixt_alg_id);
- ipsec_alg_put(ixt);
- }
- return 0;
-}
-
-IPSEC_PROCFS_DEBUG_NO_STATIC
-int
-ipsec_xform_get_info(char *buffer,
- char **start,
- off_t offset,
- int length IPSEC_PROC_LAST_ARG)
-{
- int len = 0;
- off_t begin = 0;
- int i;
- struct list_head *head;
- struct ipsec_alg *ixt;
-
- KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
- "klips_debug:ipsec_tncfg_get_info: "
- "buffer=0p%p, *start=0p%p, offset=%d, length=%d\n",
- buffer,
- *start,
- (int)offset,
- length);
-
- for(i = 0, head = ipsec_alg_hash_table; i< IPSEC_ALG_HASHSZ; i++, head++)
- {
- struct list_head *p;
- for (p=head->next; p!=head; p=p->next)
- {
- ixt = list_entry(p, struct ipsec_alg, ixt_list);
- len += ipsec_snprintf(buffer+len, length-len,
- "VERSION=%d TYPE=%d ID=%d NAME=%s REFCNT=%d ",
- ixt->ixt_version, ixt->ixt_alg_type, ixt->ixt_alg_id,
- ixt->ixt_name, ixt->ixt_refcnt);
-
- len += ipsec_snprintf(buffer+len, length-len,
- "STATE=%08x BLOCKSIZE=%d IVLEN=%d KEYMINBITS=%d KEYMAXBITS=%d ",
- ixt->ixt_state, ixt->ixt_blocksize,
- ixt->ixt_ivlen, ixt->ixt_keyminbits, ixt->ixt_keymaxbits);
-
- len += ipsec_snprintf(buffer+len, length-len,
- "IVLEN=%d KEYMINBITS=%d KEYMAXBITS=%d ",
- ixt->ixt_ivlen, ixt->ixt_keyminbits, ixt->ixt_keymaxbits);
-
- switch(ixt->ixt_alg_type)
- {
- case IPSEC_ALG_TYPE_AUTH:
- {
- struct ipsec_alg_auth *auth = (struct ipsec_alg_auth *)ixt;
-
- len += ipsec_snprintf(buffer+len, length-len,
- "KEYLEN=%d CTXSIZE=%d AUTHLEN=%d ",
- auth->ixt_a_keylen, auth->ixt_a_ctx_size,
- auth->ixt_a_authlen);
- break;
- }
- case IPSEC_ALG_TYPE_ENCRYPT:
- {
- struct ipsec_alg_enc *enc = (struct ipsec_alg_enc *)ixt;
- len += ipsec_snprintf(buffer+len, length-len,
- "KEYLEN=%d CTXSIZE=%d ",
- enc->ixt_e_keylen, enc->ixt_e_ctx_size);
-
- break;
- }
- }
-
- len += ipsec_snprintf(buffer+len, length-len, "\n");
- }
- }
-
- *start = buffer + (offset - begin); /* Start of wanted data */
- len -= (offset - begin); /* Start slop */
- if (len > length)
- len = length;
- return len;
-}
-
-/*
- * As the author of this module, I ONLY ALLOW using it from
- * GPL (or same LICENSE TERMS as kernel source) modules.
- *
- * In respect to hardware crypto engines this means:
- * * Closed-source device drivers ARE NOT ALLOWED to use
- * this interface.
- * * Closed-source VHDL/Verilog firmware running on
- * the crypto hardware device IS ALLOWED to use this interface
- * via a GPL (or same LICENSE TERMS as kernel source) device driver.
- * --Juan Jose Ciarlante 20/03/2002 (thanks RGB for the correct wording)
- */
-
-/*
- * These symbols can only be used from GPL modules
- * for now, I'm disabling this because it creates false
- * symbol problems for old modutils.
- */
-
-/* #ifndef EXPORT_SYMBOL_GPL */
-#undef EXPORT_SYMBOL_GPL
-#define EXPORT_SYMBOL_GPL EXPORT_SYMBOL
-/* #endif */
-EXPORT_SYMBOL_GPL(register_ipsec_alg);
-EXPORT_SYMBOL_GPL(unregister_ipsec_alg);
-EXPORT_SYMBOL_GPL(ipsec_alg_test);
-#endif /* CONFIG_IPSEC_ALG */
diff --git a/linux/net/ipsec/ipsec_init.c b/linux/net/ipsec/ipsec_init.c
deleted file mode 100644
index 56512acb6..000000000
--- a/linux/net/ipsec/ipsec_init.c
+++ /dev/null
@@ -1,755 +0,0 @@
-/*
- * @(#) Initialization code.
- * Copyright (C) 1996, 1997 John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001, 2002 Richard Guy Briggs <rgb@freeswan.org>
- * 2001 Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * /proc system code was split out into ipsec_proc.c after rev. 1.70.
- *
- */
-
-char ipsec_init_c_version[] = "RCSID $Id: ipsec_init.c,v 1.3 2004/06/13 19:57:49 as Exp $";
-
-#include <linux/config.h>
-#include <linux/version.h>
-#include <linux/module.h>
-#include <linux/kernel.h> /* printk() */
-
-#include "freeswan/ipsec_param.h"
-
-#ifdef MALLOC_SLAB
-# include <linux/slab.h> /* kmalloc() */
-#else /* MALLOC_SLAB */
-# include <linux/malloc.h> /* kmalloc() */
-#endif /* MALLOC_SLAB */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/interrupt.h> /* mark_bh */
-
-#include <linux/netdevice.h> /* struct device, and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/ip.h> /* struct iphdr */
-#include <linux/in.h> /* struct sockaddr_in */
-#include <linux/skbuff.h>
-#include <linux/random.h> /* get_random_bytes() */
-#include <freeswan.h>
-
-#ifdef SPINLOCK
-# ifdef SPINLOCK_23
-# include <linux/spinlock.h> /* *lock* */
-# else /* 23_SPINLOCK */
-# include <asm/spinlock.h> /* *lock* */
-# endif /* 23_SPINLOCK */
-#endif /* SPINLOCK */
-
-#ifdef NET_21
-# include <asm/uaccess.h>
-# include <linux/in6.h>
-#endif /* NET_21 */
-
-#include <asm/checksum.h>
-#include <net/ip.h>
-
-#ifdef CONFIG_PROC_FS
-# include <linux/proc_fs.h>
-#endif /* CONFIG_PROC_FS */
-
-#ifdef NETLINK_SOCK
-# include <linux/netlink.h>
-#else
-# include <net/netlink.h>
-#endif
-
-#include "freeswan/radij.h"
-
-#include "freeswan/ipsec_life.h"
-#include "freeswan/ipsec_stats.h"
-#include "freeswan/ipsec_sa.h"
-
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_radij.h"
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_tunnel.h"
-
-#include "freeswan/ipsec_rcv.h"
-#include "freeswan/ipsec_ah.h"
-#include "freeswan/ipsec_esp.h"
-
-#ifdef CONFIG_IPSEC_IPCOMP
-# include "freeswan/ipcomp.h"
-#endif /* CONFIG_IPSEC_IPCOMP */
-
-#include "freeswan/ipsec_proto.h"
-#include "freeswan/ipsec_alg.h"
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#if !defined(CONFIG_IPSEC_ESP) && !defined(CONFIG_IPSEC_AH)
-#error "kernel configuration must include ESP or AH"
-#endif
-
-/*
- * seems to be present in 2.4.10 (Linus), but also in some RH and other
- * distro kernels of a lower number.
- */
-#ifdef MODULE_LICENSE
-MODULE_LICENSE("GPL");
-#endif
-
-#ifdef CONFIG_IPSEC_DEBUG
-int debug_eroute = 0;
-int debug_spi = 0;
-int debug_netlink = 0;
-#endif /* CONFIG_IPSEC_DEBUG */
-
-struct prng ipsec_prng;
-
-extern int ipsec_device_event(struct notifier_block *dnot, unsigned long event, void *ptr);
-/*
- * the following structure is required so that we receive
- * event notifications when network devices are enabled and
- * disabled (ifconfig up and down).
- */
-static struct notifier_block ipsec_dev_notifier={
- ipsec_device_event,
- NULL,
- 0
-};
-
-#ifdef CONFIG_SYSCTL
-extern int ipsec_sysctl_register(void);
-extern void ipsec_sysctl_unregister(void);
-#endif
-
-static inline int
-freeswan_inet_add_protocol(struct inet_protocol *prot, unsigned protocol)
-{
-#ifdef NETDEV_25
- return inet_add_protocol(prot, protocol);
-#else
- inet_add_protocol(prot);
- return 0;
-#endif
-}
-
-static inline int
-freeswan_inet_del_protocol(struct inet_protocol *prot, unsigned protocol)
-{
-#ifdef NETDEV_25
- return inet_del_protocol(prot, protocol);
-#else
- inet_del_protocol(prot);
- return 0;
-#endif
-}
-
-/* void */
-int
-ipsec_init(void)
-{
- int error = 0;
- unsigned char seed[256];
-#ifdef CONFIG_IPSEC_ENC_3DES
- extern int des_check_key;
-
- /* turn off checking of keys */
- des_check_key=0;
-#endif /* CONFIG_IPSEC_ENC_3DES */
-
- KLIPS_PRINT(1, "klips_info:ipsec_init: "
- "KLIPS startup, FreeS/WAN IPSec version: %s\n",
- ipsec_version_code());
-
- error |= ipsec_proc_init();
-
-#ifdef SPINLOCK
- ipsec_sadb.sadb_lock = SPIN_LOCK_UNLOCKED;
-#else /* SPINLOCK */
- ipsec_sadb.sadb_lock = 0;
-#endif /* SPINLOCK */
-
-#ifndef SPINLOCK
- tdb_lock.lock = 0;
- eroute_lock.lock = 0;
-#endif /* !SPINLOCK */
-
- error |= ipsec_sadb_init();
- error |= ipsec_radijinit();
-
- error |= pfkey_init();
-
- error |= register_netdevice_notifier(&ipsec_dev_notifier);
-
-#ifdef CONFIG_IPSEC_ESP
- freeswan_inet_add_protocol(&esp_protocol, IPPROTO_ESP);
-#endif /* CONFIG_IPSEC_ESP */
-
-#ifdef CONFIG_IPSEC_AH
- freeswan_inet_add_protocol(&ah_protocol, IPPROTO_AH);
-#endif /* CONFIG_IPSEC_AH */
-
-/* we never actually link IPCOMP to the stack */
-#ifdef IPCOMP_USED_ALONE
-#ifdef CONFIG_IPSEC_IPCOMP
- freeswan_inet_add_protocol(&comp_protocol, IPPROTO_COMP);
-#endif /* CONFIG_IPSEC_IPCOMP */
-#endif
-
- error |= ipsec_tunnel_init_devices();
-
-
-#ifdef CONFIG_SYSCTL
- error |= ipsec_sysctl_register();
-#endif
-
-#ifdef CONFIG_IPSEC_ALG
- ipsec_alg_init();
-#endif
-
- get_random_bytes((void *)seed, sizeof(seed));
- prng_init(&ipsec_prng, seed, sizeof(seed));
-
- return error;
-}
-
-
-/* void */
-int
-ipsec_cleanup(void)
-{
- int error = 0;
-
-#ifdef CONFIG_SYSCTL
- ipsec_sysctl_unregister();
-#endif
- KLIPS_PRINT(debug_netlink, /* debug_tunnel & DB_TN_INIT, */
- "klips_debug:ipsec_cleanup: "
- "calling ipsec_tunnel_cleanup_devices.\n");
- error |= ipsec_tunnel_cleanup_devices();
-
- KLIPS_PRINT(debug_netlink, "called ipsec_tunnel_cleanup_devices");
-
-/* we never actually link IPCOMP to the stack */
-#ifdef IPCOMP_USED_ALONE
-#ifdef CONFIG_IPSEC_IPCOMP
- if (freeswan_inet_del_protocol(&comp_protocol, IPPROTO_COMP) < 0)
- printk(KERN_INFO "klips_debug:ipsec_cleanup: "
- "comp close: can't remove protocol\n");
-#endif /* CONFIG_IPSEC_IPCOMP */
-#endif /* IPCOMP_USED_ALONE */
-
-#ifdef CONFIG_IPSEC_AH
- if (freeswan_inet_del_protocol(&ah_protocol, IPPROTO_AH) < 0)
- printk(KERN_INFO "klips_debug:ipsec_cleanup: "
- "ah close: can't remove protocol\n");
-#endif /* CONFIG_IPSEC_AH */
-
-#ifdef CONFIG_IPSEC_ESP
- if (freeswan_inet_del_protocol(&esp_protocol, IPPROTO_ESP) < 0)
- printk(KERN_INFO "klips_debug:ipsec_cleanup: "
- "esp close: can't remove protocol\n");
-#endif /* CONFIG_IPSEC_ESP */
-
- error |= unregister_netdevice_notifier(&ipsec_dev_notifier);
-
- KLIPS_PRINT(debug_netlink, /* debug_tunnel & DB_TN_INIT, */
- "klips_debug:ipsec_cleanup: "
- "calling ipsec_sadb_cleanup.\n");
- error |= ipsec_sadb_cleanup(0);
- error |= ipsec_sadb_free();
-
- KLIPS_PRINT(debug_netlink, /* debug_tunnel & DB_TN_INIT, */
- "klips_debug:ipsec_cleanup: "
- "calling ipsec_radijcleanup.\n");
- error |= ipsec_radijcleanup();
-
- KLIPS_PRINT(debug_pfkey, /* debug_tunnel & DB_TN_INIT, */
- "klips_debug:ipsec_cleanup: "
- "calling pfkey_cleanup.\n");
- error |= pfkey_cleanup();
-
- ipsec_proc_cleanup();
-
- prng_final(&ipsec_prng);
-
- return error;
-}
-
-#ifdef MODULE
-int
-init_module(void)
-{
- int error = 0;
-
- error |= ipsec_init();
-
- return error;
-}
-
-int
-cleanup_module(void)
-{
- int error = 0;
-
- KLIPS_PRINT(debug_netlink, /* debug_tunnel & DB_TN_INIT, */
- "klips_debug:cleanup_module: "
- "calling ipsec_cleanup.\n");
-
- error |= ipsec_cleanup();
-
- KLIPS_PRINT(1, "klips_info:cleanup_module: "
- "ipsec module unloaded.\n");
-
- return error;
-}
-#endif /* MODULE */
-
-/*
- * $Log: ipsec_init.c,v $
- * Revision 1.3 2004/06/13 19:57:49 as
- * removed inclusion of ipsec_netlink.h
- *
- * Revision 1.2 2004/03/22 21:53:19 as
- * merged alg-0.8.1 branch with HEAD
- *
- * Revision 1.1.4.1 2004/03/16 09:48:19 as
- * alg-0.8.1rc12 patch merged
- *
- * Revision 1.1 2004/03/15 20:35:26 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.89 2003/07/31 22:47:16 mcr
- * preliminary (untested by FS-team) 2.5 patches.
- *
- * Revision 1.88 2003/06/22 20:05:36 mcr
- * clarified why IPCOMP was not being registered, and put a new
- * #ifdef in rather than #if 0.
- *
- * Revision 1.87 2002/09/20 15:40:51 rgb
- * Added a lock to the global ipsec_sadb struct for future use.
- * Split ipsec_sadb_cleanup from new funciton ipsec_sadb_free to avoid problem
- * of freeing newly created structures when clearing the reftable upon startup
- * to start from a known state.
- *
- * Revision 1.86 2002/08/15 18:39:15 rgb
- * Move ipsec_prng outside debug code.
- *
- * Revision 1.85 2002/05/14 02:35:29 rgb
- * Change reference to tdb to ipsa.
- *
- * Revision 1.84 2002/04/24 07:55:32 mcr
- * #include patches and Makefiles for post-reorg compilation.
- *
- * Revision 1.83 2002/04/24 07:36:28 mcr
- * Moved from ./klips/net/ipsec/ipsec_init.c,v
- *
- * Revision 1.82 2002/04/20 00:12:25 rgb
- * Added esp IV CBC attack fix, disabled.
- *
- * Revision 1.81 2002/04/09 16:13:32 mcr
- * switch license to straight GPL.
- *
- * Revision 1.80 2002/03/24 07:34:08 rgb
- * Sanity check for at least one of AH or ESP configured.
- *
- * Revision 1.79 2002/02/05 22:55:15 mcr
- * added MODULE_LICENSE declaration.
- * This macro does not appear in all kernel versions (see comment).
- *
- * Revision 1.78 2002/01/29 17:17:55 mcr
- * moved include of ipsec_param.h to after include of linux/kernel.h
- * otherwise, it seems that some option that is set in ipsec_param.h
- * screws up something subtle in the include path to kernel.h, and
- * it complains on the snprintf() prototype.
- *
- * Revision 1.77 2002/01/29 04:00:51 mcr
- * more excise of kversions.h header.
- *
- * Revision 1.76 2002/01/29 02:13:17 mcr
- * introduction of ipsec_kversion.h means that include of
- * ipsec_param.h must preceed any decisions about what files to
- * include to deal with differences in kernel source.
- *
- * Revision 1.75 2001/11/26 09:23:48 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.74 2001/11/22 05:44:11 henry
- * new version stuff
- *
- * Revision 1.71.2.2 2001/10/22 20:51:00 mcr
- * explicitely set des_check_key.
- *
- * Revision 1.71.2.1 2001/09/25 02:19:39 mcr
- * /proc manipulation code moved to new ipsec_proc.c
- *
- * Revision 1.73 2001/11/06 19:47:17 rgb
- * Changed lifetime_packets to uint32 from uint64.
- *
- * Revision 1.72 2001/10/18 04:45:19 rgb
- * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
- * lib/freeswan.h version macros moved to lib/kversions.h.
- * Other compiler directive cleanups.
- *
- * Revision 1.71 2001/09/20 15:32:45 rgb
- * Minor pfkey lifetime fixes.
- *
- * Revision 1.70 2001/07/06 19:51:21 rgb
- * Added inbound policy checking code for IPIP SAs.
- *
- * Revision 1.69 2001/06/14 19:33:26 rgb
- * Silence startup message for console, but allow it to be logged.
- * Update copyright date.
- *
- * Revision 1.68 2001/05/29 05:14:36 rgb
- * Added PMTU to /proc/net/ipsec_tncfg output. See 'man 5 ipsec_tncfg'.
- *
- * Revision 1.67 2001/05/04 16:34:52 rgb
- * Rremove erroneous checking of return codes for proc_net_* in 2.4.
- *
- * Revision 1.66 2001/05/03 19:40:34 rgb
- * Check error return codes in startup and shutdown.
- *
- * Revision 1.65 2001/02/28 05:03:27 rgb
- * Clean up and rationalise startup messages.
- *
- * Revision 1.64 2001/02/27 22:24:53 rgb
- * Re-formatting debug output (line-splitting, joining, 1arg/line).
- * Check for satoa() return codes.
- *
- * Revision 1.63 2000/11/29 20:14:06 rgb
- * Add src= to the output of /proc/net/ipsec_spi and delete dst from IPIP.
- *
- * Revision 1.62 2000/11/06 04:31:24 rgb
- * Ditched spin_lock_irqsave in favour of spin_lock_bh.
- * Fixed longlong for pre-2.4 kernels (Svenning).
- * Add Svenning's adaptive content compression.
- * Disabled registration of ipcomp handler.
- *
- * Revision 1.61 2000/10/11 13:37:54 rgb
- * #ifdef out debug print that causes proc/net/ipsec_version to oops.
- *
- * Revision 1.60 2000/09/20 03:59:01 rgb
- * Change static info functions to DEBUG_NO_STATIC to reveal function names
- * in oopsen.
- *
- * Revision 1.59 2000/09/16 01:06:26 rgb
- * Added cast of var to silence compiler warning about long fed to int
- * format.
- *
- * Revision 1.58 2000/09/15 11:37:01 rgb
- * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
- * IPCOMP zlib deflate code.
- *
- * Revision 1.57 2000/09/12 03:21:50 rgb
- * Moved radij_c_version printing to ipsec_version_get_info().
- * Reformatted ipsec_version_get_info().
- * Added sysctl_{,un}register() calls.
- *
- * Revision 1.56 2000/09/08 19:16:50 rgb
- * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
- * Removed all references to CONFIG_IPSEC_PFKEYv2.
- *
- * Revision 1.55 2000/08/30 05:19:03 rgb
- * Cleaned up no longer used spi_next, netlink register/unregister, other
- * minor cleanup.
- * Removed cruft replaced by TDB_XFORM_NAME.
- * Removed all the rest of the references to tdb_spi, tdb_proto, tdb_dst.
- * Moved debug version strings to printk when /proc/net/ipsec_version is
- * called.
- *
- * Revision 1.54 2000/08/20 18:31:05 rgb
- * Changed cosmetic alignment in spi_info.
- * Changed addtime and usetime to use actual value which is relative
- * anyways, as intended. (Momchil)
- *
- * Revision 1.53 2000/08/18 17:37:03 rgb
- * Added an (int) cast to shut up the compiler...
- *
- * Revision 1.52 2000/08/01 14:51:50 rgb
- * Removed _all_ remaining traces of DES.
- *
- * Revision 1.51 2000/07/25 20:41:22 rgb
- * Removed duplicate parameter in spi_getinfo.
- *
- * Revision 1.50 2000/07/17 03:21:45 rgb
- * Removed /proc/net/ipsec_spinew.
- *
- * Revision 1.49 2000/06/28 05:46:51 rgb
- * Renamed ivlen to iv_bits for consistency.
- * Changed output of add and use times to be relative to now.
- *
- * Revision 1.48 2000/05/11 18:26:10 rgb
- * Commented out calls to netlink_attach/detach to avoid activating netlink
- * in the kenrel config.
- *
- * Revision 1.47 2000/05/10 22:35:26 rgb
- * Comment out most of the startup version information.
- *
- * Revision 1.46 2000/03/22 16:15:36 rgb
- * Fixed renaming of dev_get (MB).
- *
- * Revision 1.45 2000/03/16 06:40:48 rgb
- * Hardcode PF_KEYv2 support.
- *
- * Revision 1.44 2000/01/22 23:19:20 rgb
- * Simplified code to use existing macro TDB_XFORM_NAME().
- *
- * Revision 1.43 2000/01/21 06:14:04 rgb
- * Print individual stats only if non-zero.
- * Removed 'bits' from each keylength for brevity.
- * Shortened lifetimes legend for brevity.
- * Changed wording from 'last_used' to the clearer 'idle'.
- *
- * Revision 1.42 1999/12/31 14:57:19 rgb
- * MB fix for new dummy-less proc_get_info in 2.3.35.
- *
- * Revision 1.41 1999/11/23 23:04:03 rgb
- * Use provided macro ADDRTOA_BUF instead of hardcoded value.
- * Sort out pfkey and freeswan headers, putting them in a library path.
- *
- * Revision 1.40 1999/11/18 18:47:01 rgb
- * Added dynamic proc registration for 2.3.25+.
- * Changed all device registrations for static linking to
- * dynamic to reduce the number and size of patches.
- * Changed all protocol registrations for static linking to
- * dynamic to reduce the number and size of patches.
- *
- * Revision 1.39 1999/11/18 04:12:07 rgb
- * Replaced all kernel version macros to shorter, readable form.
- * Added Marc Boucher's 2.3.25 proc patches.
- * Converted all PROC_FS entries to dynamic to reduce kernel patching.
- * Added CONFIG_PROC_FS compiler directives in case it is shut off.
- *
- * Revision 1.38 1999/11/17 15:53:38 rgb
- * Changed all occurrences of #include "../../../lib/freeswan.h"
- * to #include <freeswan.h> which works due to -Ilibfreeswan in the
- * klips/net/ipsec/Makefile.
- *
- * Revision 1.37 1999/10/16 04:23:06 rgb
- * Add stats for replaywin_errs, replaywin_max_sequence_difference,
- * authentication errors, encryption size errors, encryption padding
- * errors, and time since last packet.
- *
- * Revision 1.36 1999/10/16 00:30:47 rgb
- * Added SA lifetime counting.
- *
- * Revision 1.35 1999/10/15 22:14:00 rgb
- * Clean out cruft.
- *
- * Revision 1.34 1999/10/03 18:46:28 rgb
- * Spinlock fixes for 2.0.xx and 2.3.xx.
- *
- * Revision 1.33 1999/10/01 17:08:10 rgb
- * Disable spinlock init.
- *
- * Revision 1.32 1999/10/01 16:22:24 rgb
- * Switch from assignment init. to functional init. of spinlocks.
- *
- * Revision 1.31 1999/10/01 15:44:52 rgb
- * Move spinlock header include to 2.1> scope.
- *
- * Revision 1.30 1999/10/01 00:00:16 rgb
- * Added eroute structure locking.
- * Added tdb structure locking.
- * Minor formatting changes.
- * Add call to initialize tdb hash table.
- *
- * Revision 1.29 1999/09/23 20:22:40 rgb
- * Enable, tidy and fix network notifier code.
- *
- * Revision 1.28 1999/09/18 11:39:56 rgb
- * Start to add (disabled) netdevice notifier code.
- *
- * Revision 1.27 1999/08/28 08:24:47 rgb
- * Add compiler directives to compile cleanly without debugging.
- *
- * Revision 1.26 1999/08/06 16:03:22 rgb
- * Correct error messages on failure to unload /proc entries.
- *
- * Revision 1.25 1999/08/03 17:07:25 rgb
- * Report device MTU, not private MTU.
- *
- * Revision 1.24 1999/05/25 22:24:37 rgb
- * /PROC/NET/ipsec* init problem fix.
- *
- * Revision 1.23 1999/05/25 02:16:38 rgb
- * Make modular proc_fs entries dynamic and fix for 2.2.x.
- *
- * Revision 1.22 1999/05/09 03:25:35 rgb
- * Fix bug introduced by 2.2 quick-and-dirty patch.
- *
- * Revision 1.21 1999/05/05 22:02:30 rgb
- * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
- *
- * Revision 1.20 1999/04/29 15:15:50 rgb
- * Fix undetected iv_len reporting bug.
- * Add sanity checking for null pointer to private data space.
- * Add return values to init and cleanup functions.
- *
- * Revision 1.19 1999/04/27 19:24:44 rgb
- * Added /proc/net/ipsec_klipsdebug support for reading the current debug
- * settings.
- * Instrument module load/init/unload.
- *
- * Revision 1.18 1999/04/15 15:37:24 rgb
- * Forward check changes from POST1_00 branch.
- *
- * Revision 1.15.2.3 1999/04/13 20:29:19 rgb
- * /proc/net/ipsec_* cleanup.
- *
- * Revision 1.15.2.2 1999/04/02 04:28:23 rgb
- * /proc/net/ipsec_* formatting enhancements.
- *
- * Revision 1.15.2.1 1999/03/30 17:08:33 rgb
- * Add pfkey initialisation.
- *
- * Revision 1.17 1999/04/11 00:28:57 henry
- * GPL boilerplate
- *
- * Revision 1.16 1999/04/06 04:54:25 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.15 1999/02/24 20:15:07 rgb
- * Update output format.
- *
- * Revision 1.14 1999/02/17 16:49:39 rgb
- * Convert DEBUG_IPSEC to KLIPS_PRINT
- * Ditch NET_IPIP dependancy.
- *
- * Revision 1.13 1999/01/26 02:06:37 rgb
- * Remove ah/esp switching on include files.
- * Removed CONFIG_IPSEC_ALGO_SWITCH macro.
- * Removed dead code.
- * Remove references to INET_GET_PROTOCOL.
- *
- * Revision 1.12 1999/01/22 06:19:18 rgb
- * Cruft clean-out.
- * 64-bit clean-up.
- * Added algorithm switch code.
- *
- * Revision 1.11 1998/12/01 05:54:53 rgb
- * Cleanup and order debug version output.
- *
- * Revision 1.10 1998/11/30 13:22:54 rgb
- * Rationalised all the klips kernel file headers. They are much shorter
- * now and won't conflict under RH5.2.
- *
- * Revision 1.9 1998/11/10 05:35:13 rgb
- * Print direction in/out flag from /proc/net/ipsec_spi.
- *
- * Revision 1.8 1998/10/27 13:48:10 rgb
- * Cleaned up /proc/net/ipsec_* filesystem for easy parsing by scripts.
- * Fixed less(1) truncated output bug.
- * Code clean-up.
- *
- * Revision 1.7 1998/10/22 06:43:16 rgb
- * Convert to use satoa for printk.
- *
- * Revision 1.6 1998/10/19 14:24:35 rgb
- * Added inclusion of freeswan.h.
- *
- * Revision 1.5 1998/10/09 04:43:35 rgb
- * Added 'klips_debug' prefix to all klips printk debug statements.
- *
- * Revision 1.4 1998/07/27 21:50:22 rgb
- * Not necessary to traverse mask tree for /proc/net/ipsec_eroute.
- *
- * Revision 1.3 1998/06/25 19:51:20 rgb
- * Clean up #endif comments.
- * Shift debugging comment control for procfs to debug_tunnel.
- * Make proc_dir_entries visible to rest of kernel for static link.
- * Replace hardwired fileperms with macros.
- * Use macros for procfs inode numbers.
- * Rearrange initialisations between ipsec_init and module_init as appropriate
- * for static loading.
- *
- * Revision 1.2 1998/06/23 02:55:43 rgb
- * Slightly quieted init-time messages.
- * Re-introduced inet_add_protocol after it mysteriously disappeared...
- * Check for and warn of absence of IPIP protocol on install of module.
- * Move tdbcleanup to ipsec_xform.c.
- *
- * Revision 1.10 1998/06/18 21:29:04 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid kernel
- * build scripts happier in presence of symbolic links
- *
- * Revision 1.9 1998/06/14 23:49:40 rgb
- * Clarify version reporting on module loading.
- *
- * Revision 1.8 1998/06/11 05:54:23 rgb
- * Added /proc/net/ipsec_version to report freeswan and transform versions.
- * Added /proc/net/ipsec_spinew to generate new and unique spi's..
- * Fixed /proc/net/ipsec_tncfg bug.
- *
- * Revision 1.7 1998/05/25 20:23:13 rgb
- * proc_register changed to dynamic registration to avoid arbitrary inode
- * numbers.
- *
- * Implement memory recovery from tdb and eroute tables.
- *
- * Revision 1.6 1998/05/21 13:08:58 rgb
- * Rewrote procinfo subroutines to avoid *bad things* when more that 3k of
- * information is available for printout.
- *
- * Revision 1.5 1998/05/18 21:29:48 rgb
- * Cleaned up /proc/net/ipsec_* output, including a title line, algorithm
- * names instead of numbers, standard format for numerical output base,
- * whitespace for legibility, and the names themselves for consistency.
- *
- * Added /proc/net/ipsec_spigrp and /proc/net/ipsec_tncfg.
- *
- * Revision 1.4 1998/04/30 15:42:24 rgb
- * Silencing attach for normal operations with #ifdef IPSEC_DEBUG.
- *
- * Revision 1.3 1998/04/21 21:28:58 rgb
- * Rearrange debug switches to change on the fly debug output from user
- * space. Only kernel changes checked in at this time. radij.c was also
- * changed to temporarily remove buggy debugging code in rj_delete causing
- * an OOPS and hence, netlink device open errors.
- *
- * Revision 1.2 1998/04/12 22:03:22 rgb
- * Updated ESP-3DES-HMAC-MD5-96,
- * ESP-DES-HMAC-MD5-96,
- * AH-HMAC-MD5-96,
- * AH-HMAC-SHA1-96 since Henry started freeswan cvs repository
- * from old standards (RFC182[5-9] to new (as of March 1998) drafts.
- *
- * Fixed eroute references in /proc/net/ipsec*.
- *
- * Started to patch module unloading memory leaks in ipsec_netlink and
- * radij tree unloading.
- *
- * Revision 1.1 1998/04/09 03:06:05 henry
- * sources moved up from linux/net/ipsec
- *
- * Revision 1.1.1.1 1998/04/08 05:35:02 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * No changes.
- *
- * Revision 0.3 1996/11/20 14:39:04 ji
- * Fixed problem with node names of /proc/net entries.
- * Other minor cleanups.
- * Rationalized debugging code.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- * Local variables:
- * c-file-style: "linux"
- * End:
- *
- */
diff --git a/linux/net/ipsec/ipsec_life.c b/linux/net/ipsec/ipsec_life.c
deleted file mode 100644
index 384866c06..000000000
--- a/linux/net/ipsec/ipsec_life.c
+++ /dev/null
@@ -1,210 +0,0 @@
-/*
- * @(#) lifetime structure utilities
- *
- * Copyright (C) 2001 Richard Guy Briggs <rgb@freeswan.org>
- * and Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_life.c,v 1.3 2004/04/28 08:06:22 as Exp $
- *
- */
-
-/*
- * This provides series of utility functions for dealing with lifetime
- * structures.
- *
- * ipsec_check_lifetime - returns -1 hard lifetime exceeded
- * 0 soft lifetime exceeded
- * 1 everything is okay
- * based upon whether or not the count exceeds hard/soft
- *
- */
-
-#define __NO_VERSION__
-#include <linux/module.h>
-#include <linux/config.h> /* for CONFIG_IP_FORWARD */
-#include <linux/version.h>
-#include <linux/kernel.h> /* printk() */
-
-#include "freeswan/ipsec_param.h"
-
-#include <linux/netdevice.h> /* struct device, struct net_device_stats and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/skbuff.h>
-#include <freeswan.h>
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_life.h"
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_eroute.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_radij.h"
-
-#include "freeswan/ipsec_sa.h"
-#include "freeswan/ipsec_tunnel.h"
-#include "freeswan/ipsec_ipe4.h"
-#include "freeswan/ipsec_ah.h"
-#include "freeswan/ipsec_esp.h"
-
-#ifdef CONFIG_IPSEC_IPCOMP
-#include "freeswan/ipcomp.h"
-#endif /* CONFIG_IPSEC_IPCOMP */
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "freeswan/ipsec_proto.h"
-
-
-enum ipsec_life_alive
-ipsec_lifetime_check(struct ipsec_lifetime64 *il64,
- const char *lifename,
- const char *saname,
- enum ipsec_life_type ilt,
- enum ipsec_direction idir,
- struct ipsec_sa *ips)
-{
- __u64 count;
- const char *dir;
-
- if(saname == NULL) {
- saname = "unknown-SA";
- }
-
- if(idir == ipsec_incoming) {
- dir = "incoming";
- } else {
- dir = "outgoing";
- }
-
-
- if(ilt == ipsec_life_timebased) {
- count = jiffies/HZ - il64->ipl_count;
- } else {
- count = il64->ipl_count;
- }
-
- if(il64->ipl_hard &&
- (count > il64->ipl_hard)) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_lifetime_check: "
- "hard %s lifetime of SA:<%s%s%s> %s has been reached, SA expired, "
- "%s packet dropped.\n",
- lifename,
- IPS_XFORM_NAME(ips),
- saname,
- dir);
-
- pfkey_expire(ips, 1);
- return ipsec_life_harddied;
- }
-
- if(il64->ipl_soft &&
- (count > il64->ipl_soft)) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_lifetime_check: "
- "soft %s lifetime of SA:<%s%s%s> %s has been reached, SA expiring, "
- "soft expire message sent up, %s packet still processed.\n",
- lifename,
- IPS_XFORM_NAME(ips),
- saname,
- dir);
-
- if(ips->ips_state != SADB_SASTATE_DYING) {
- pfkey_expire(ips, 0);
- }
- ips->ips_state = SADB_SASTATE_DYING;
-
- return ipsec_life_softdied;
- }
- return ipsec_life_okay;
-}
-
-
-/*
- * This function takes a buffer (with length), a lifetime name and type,
- * and formats a string to represent the current values of the lifetime.
- *
- * It returns the number of bytes that the format took (or would take,
- * if the buffer were large enough: snprintf semantics).
- * This is used in /proc routines and in debug output.
- */
-int
-ipsec_lifetime_format(char *buffer,
- int buflen,
- char *lifename,
- enum ipsec_life_type timebaselife,
- struct ipsec_lifetime64 *lifetime)
-{
- int len = 0;
- __u64 count;
-
- if(timebaselife == ipsec_life_timebased) {
- count = jiffies/HZ - lifetime->ipl_count;
- } else {
- count = lifetime->ipl_count;
- }
-
- if(lifetime->ipl_count > 1 ||
- lifetime->ipl_soft ||
- lifetime->ipl_hard) {
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0))
- len = ipsec_snprintf(buffer, buflen,
- "%s(%Lu,%Lu,%Lu)",
- lifename,
- count,
- lifetime->ipl_soft,
- lifetime->ipl_hard);
-#else /* XXX high 32 bits are not displayed */
- len = ipsec_snprintf(buffer, buflen,
- "%s(%lu,%lu,%lu)",
- lifename,
- (unsigned long)count,
- (unsigned long)lifetime->ipl_soft,
- (unsigned long)lifetime->ipl_hard);
-#endif
- }
-
- return len;
-}
-
-void
-ipsec_lifetime_update_hard(struct ipsec_lifetime64 *lifetime,
- __u64 newvalue)
-{
- if(newvalue &&
- (!lifetime->ipl_hard ||
- (newvalue < lifetime->ipl_hard))) {
- lifetime->ipl_hard = newvalue;
-
- if(!lifetime->ipl_soft &&
- (lifetime->ipl_hard < lifetime->ipl_soft)) {
- lifetime->ipl_soft = lifetime->ipl_hard;
- }
- }
-}
-
-void
-ipsec_lifetime_update_soft(struct ipsec_lifetime64 *lifetime,
- __u64 newvalue)
-{
- if(newvalue &&
- (!lifetime->ipl_soft ||
- (newvalue < lifetime->ipl_soft))) {
- lifetime->ipl_soft = newvalue;
-
- if(lifetime->ipl_hard &&
- (lifetime->ipl_hard < lifetime->ipl_soft)) {
- lifetime->ipl_soft = lifetime->ipl_hard;
- }
- }
-}
diff --git a/linux/net/ipsec/ipsec_mast.c b/linux/net/ipsec/ipsec_mast.c
deleted file mode 100644
index f5216b541..000000000
--- a/linux/net/ipsec/ipsec_mast.c
+++ /dev/null
@@ -1,1064 +0,0 @@
-/*
- * IPSEC MAST code.
- * Copyright (C) 1996, 1997 John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001, 2002 Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-char ipsec_mast_c_version[] = "RCSID $Id: ipsec_mast.c,v 1.2 2004/06/13 19:57:49 as Exp $";
-
-#define __NO_VERSION__
-#include <linux/module.h>
-#include <linux/config.h> /* for CONFIG_IP_FORWARD */
-#include <linux/version.h>
-#include <linux/kernel.h> /* printk() */
-
-#include "freeswan/ipsec_param.h"
-
-#ifdef MALLOC_SLAB
-# include <linux/slab.h> /* kmalloc() */
-#else /* MALLOC_SLAB */
-# include <linux/malloc.h> /* kmalloc() */
-#endif /* MALLOC_SLAB */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/interrupt.h> /* mark_bh */
-
-#include <linux/netdevice.h> /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/ip.h> /* struct iphdr */
-#include <linux/tcp.h> /* struct tcphdr */
-#include <linux/udp.h> /* struct udphdr */
-#include <linux/skbuff.h>
-#include <freeswan.h>
-#include <asm/uaccess.h>
-#include <linux/in6.h>
-#include <net/dst.h>
-#undef dev_kfree_skb
-#define dev_kfree_skb(a,b) kfree_skb(a)
-#define PHYSDEV_TYPE
-#include <asm/checksum.h>
-#include <net/icmp.h> /* icmp_send() */
-#include <net/ip.h>
-#include <linux/netfilter_ipv4.h>
-
-#include <linux/if_arp.h>
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_life.h"
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_eroute.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_radij.h"
-#include "freeswan/ipsec_sa.h"
-#include "freeswan/ipsec_tunnel.h"
-#include "freeswan/ipsec_mast.h"
-#include "freeswan/ipsec_ipe4.h"
-#include "freeswan/ipsec_ah.h"
-#include "freeswan/ipsec_esp.h"
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "freeswan/ipsec_proto.h"
-
-int ipsec_maxdevice_count = -1;
-
-DEBUG_NO_STATIC int
-ipsec_mast_open(struct device *dev)
-{
- struct ipsecpriv *prv = dev->priv;
-
- /*
- * Can't open until attached.
- */
-
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_open: "
- "dev = %s, prv->dev = %s\n",
- dev->name, prv->dev?prv->dev->name:"NONE");
-
- if (prv->dev == NULL)
- return -ENODEV;
-
- MOD_INC_USE_COUNT;
- return 0;
-}
-
-DEBUG_NO_STATIC int
-ipsec_mast_close(struct device *dev)
-{
- MOD_DEC_USE_COUNT;
- return 0;
-}
-
-static inline int ipsec_mast_xmit2(struct sk_buff *skb)
-{
- return ip_send(skb);
-}
-
-enum ipsec_xmit_value
-ipsec_mast_send(struct ipsec_xmit_state*ixs)
-{
- /* new route/dst cache code from James Morris */
- ixs->skb->dev = ixs->physdev;
- /*skb_orphan(ixs->skb);*/
- if((ixs->error = ip_route_output(&ixs->route,
- ixs->skb->nh.iph->daddr,
- ixs->pass ? 0 : ixs->skb->nh.iph->saddr,
- RT_TOS(ixs->skb->nh.iph->tos),
- ixs->physdev->iflink /* rgb: should this be 0? */))) {
- ixs->stats->tx_errors++;
- KLIPS_PRINT(debug_mast & DB_MAST_XMIT,
- "klips_debug:ipsec_xmit_send: "
- "ip_route_output failed with error code %d, rt->u.dst.dev=%s, dropped\n",
- ixs->error,
- ixs->route->u.dst.dev->name);
- return IPSEC_XMIT_ROUTEERR;
- }
- if(ixs->dev == ixs->route->u.dst.dev) {
- ip_rt_put(ixs->route);
- /* This is recursion, drop it. */
- ixs->stats->tx_errors++;
- KLIPS_PRINT(debug_mast & DB_MAST_XMIT,
- "klips_debug:ipsec_xmit_send: "
- "suspect recursion, dev=rt->u.dst.dev=%s, dropped\n",
- ixs->dev->name);
- return IPSEC_XMIT_RECURSDETECT;
- }
- dst_release(ixs->skb->dst);
- ixs->skb->dst = &ixs->route->u.dst;
- ixs->stats->tx_bytes += ixs->skb->len;
- if(ixs->skb->len < ixs->skb->nh.raw - ixs->skb->data) {
- ixs->stats->tx_errors++;
- printk(KERN_WARNING
- "klips_error:ipsec_xmit_send: "
- "tried to __skb_pull nh-data=%ld, %d available. This should never happen, please report.\n",
- (unsigned long)(ixs->skb->nh.raw - ixs->skb->data),
- ixs->skb->len);
- return IPSEC_XMIT_PUSHPULLERR;
- }
- __skb_pull(ixs->skb, ixs->skb->nh.raw - ixs->skb->data);
-#ifdef SKB_RESET_NFCT
- nf_conntrack_put(ixs->skb->nfct);
- ixs->skb->nfct = NULL;
-#ifdef CONFIG_NETFILTER_DEBUG
- ixs->skb->nf_debug = 0;
-#endif /* CONFIG_NETFILTER_DEBUG */
-#endif /* SKB_RESET_NFCT */
- KLIPS_PRINT(debug_mast & DB_MAST_XMIT,
- "klips_debug:ipsec_xmit_send: "
- "...done, calling ip_send() on device:%s\n",
- ixs->skb->dev ? ixs->skb->dev->name : "NULL");
- KLIPS_IP_PRINT(debug_mast & DB_MAST_XMIT, ixs->skb->nh.iph);
- {
- int err;
-
- err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, ixs->skb, NULL, ixs->route->u.dst.dev,
- ipsec_mast_xmit2);
- if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) {
- if(net_ratelimit())
- printk(KERN_ERR
- "klips_error:ipsec_xmit_send: "
- "ip_send() failed, err=%d\n",
- -err);
- ixs->stats->tx_errors++;
- ixs->stats->tx_aborted_errors++;
- ixs->skb = NULL;
- return IPSEC_XMIT_IPSENDFAILURE;
- }
- }
- ixs->stats->tx_packets++;
-
- ixs->skb = NULL;
-
- return IPSEC_XMIT_OK;
-}
-
-void
-ipsec_mast_cleanup(struct ipsec_xmit_state*ixs)
-{
-#if defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE)
- netif_wake_queue(ixs->dev);
-#else /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
- ixs->dev->tbusy = 0;
-#endif /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
- if(ixs->saved_header) {
- kfree(ixs->saved_header);
- }
- if(ixs->skb) {
- dev_kfree_skb(ixs->skb, FREE_WRITE);
- }
- if(ixs->oskb) {
- dev_kfree_skb(ixs->oskb, FREE_WRITE);
- }
- if (ixs->ips.ips_ident_s.data) {
- kfree(ixs->ips.ips_ident_s.data);
- }
- if (ixs->ips.ips_ident_d.data) {
- kfree(ixs->ips.ips_ident_d.data);
- }
-}
-
-#if 0
-/*
- * This function assumes it is being called from dev_queue_xmit()
- * and that skb is filled properly by that function.
- */
-int
-ipsec_mast_start_xmit(struct sk_buff *skb, struct device *dev, IPsecSAref_t SAref)
-{
- struct ipsec_xmit_state ixs_mem;
- struct ipsec_xmit_state *ixs = &ixs_mem;
- enum ipsec_xmit_value stat = IPSEC_XMIT_OK;
-
- /* dev could be a mast device, but should be optional, I think... */
- /* SAref is also optional, but one of the two must be present. */
- /* I wonder if it could accept no device or saref and guess? */
-
-/* ipsec_xmit_sanity_check_dev(ixs); */
-
- ipsec_xmit_sanity_check_skb(ixs);
-
- ipsec_xmit_adjust_hard_header(ixs);
-
- stat = ipsec_xmit_encap_bundle(ixs);
- if(stat != IPSEC_XMIT_OK) {
- /* SA processing failed */
- }
-
- ipsec_xmit_hard_header_restore();
-}
-#endif
-
-DEBUG_NO_STATIC struct net_device_stats *
-ipsec_mast_get_stats(struct device *dev)
-{
- return &(((struct ipsecpriv *)(dev->priv))->mystats);
-}
-
-/*
- * Revectored calls.
- * For each of these calls, a field exists in our private structure.
- */
-
-DEBUG_NO_STATIC int
-ipsec_mast_hard_header(struct sk_buff *skb, struct device *dev,
- unsigned short type, void *daddr, void *saddr, unsigned len)
-{
- struct ipsecpriv *prv = dev->priv;
- struct device *tmp;
- int ret;
- struct net_device_stats *stats; /* This device's statistics */
-
- if(skb == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_hard_header: "
- "no skb...\n");
- return -ENODATA;
- }
-
- if(dev == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_hard_header: "
- "no device...\n");
- return -ENODEV;
- }
-
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_hard_header: "
- "skb->dev=%s dev=%s.\n",
- skb->dev ? skb->dev->name : "NULL",
- dev->name);
-
- if(prv == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_hard_header: "
- "no private space associated with dev=%s\n",
- dev->name ? dev->name : "NULL");
- return -ENODEV;
- }
-
- stats = (struct net_device_stats *) &(prv->mystats);
-
- if(prv->dev == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_hard_header: "
- "no physical device associated with dev=%s\n",
- dev->name ? dev->name : "NULL");
- stats->tx_dropped++;
- return -ENODEV;
- }
-
- /* check if we have to send a IPv6 packet. It might be a Router
- Solicitation, where the building of the packet happens in
- reverse order:
- 1. ll hdr,
- 2. IPv6 hdr,
- 3. ICMPv6 hdr
- -> skb->nh.raw is still uninitialized when this function is
- called!! If this is no IPv6 packet, we can print debugging
- messages, otherwise we skip all debugging messages and just
- build the ll header */
- if(type != ETH_P_IPV6) {
- /* execute this only, if we don't have to build the
- header for a IPv6 packet */
- if(!prv->hard_header) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_hard_header: "
- "physical device has been detached, packet dropped 0p%p->0p%p len=%d type=%d dev=%s->NULL ",
- saddr,
- daddr,
- len,
- type,
- dev->name);
- KLIPS_PRINTMORE(debug_mast & DB_MAST_REVEC,
- "ip=%08x->%08x\n",
- (__u32)ntohl(skb->nh.iph->saddr),
- (__u32)ntohl(skb->nh.iph->daddr) );
- stats->tx_dropped++;
- return -ENODEV;
- }
-
-#define da ((struct device *)(prv->dev))->dev_addr
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_hard_header: "
- "Revectored 0p%p->0p%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
- saddr,
- daddr,
- len,
- type,
- dev->name,
- prv->dev->name,
- da[0], da[1], da[2], da[3], da[4], da[5]);
- KLIPS_PRINTMORE(debug_mast & DB_MAST_REVEC,
- "ip=%08x->%08x\n",
- (__u32)ntohl(skb->nh.iph->saddr),
- (__u32)ntohl(skb->nh.iph->daddr) );
- } else {
- KLIPS_PRINT(debug_mast,
- "klips_debug:ipsec_mast_hard_header: "
- "is IPv6 packet, skip debugging messages, only revector and build linklocal header.\n");
- }
- tmp = skb->dev;
- skb->dev = prv->dev;
- ret = prv->hard_header(skb, prv->dev, type, (void *)daddr, (void *)saddr, len);
- skb->dev = tmp;
- return ret;
-}
-
-DEBUG_NO_STATIC int
-ipsec_mast_rebuild_header(struct sk_buff *skb)
-{
- struct ipsecpriv *prv = skb->dev->priv;
- struct device *tmp;
- int ret;
- struct net_device_stats *stats; /* This device's statistics */
-
- if(skb->dev == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_rebuild_header: "
- "no device...");
- return -ENODEV;
- }
-
- if(prv == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_rebuild_header: "
- "no private space associated with dev=%s",
- skb->dev->name ? skb->dev->name : "NULL");
- return -ENODEV;
- }
-
- stats = (struct net_device_stats *) &(prv->mystats);
-
- if(prv->dev == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_rebuild_header: "
- "no physical device associated with dev=%s",
- skb->dev->name ? skb->dev->name : "NULL");
- stats->tx_dropped++;
- return -ENODEV;
- }
-
- if(!prv->rebuild_header) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_rebuild_header: "
- "physical device has been detached, packet dropped skb->dev=%s->NULL ",
- skb->dev->name);
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "ip=%08x->%08x\n",
- (__u32)ntohl(skb->nh.iph->saddr),
- (__u32)ntohl(skb->nh.iph->daddr) );
- stats->tx_dropped++;
- return -ENODEV;
- }
-
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast: "
- "Revectored rebuild_header dev=%s->%s ",
- skb->dev->name, prv->dev->name);
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "ip=%08x->%08x\n",
- (__u32)ntohl(skb->nh.iph->saddr),
- (__u32)ntohl(skb->nh.iph->daddr) );
- tmp = skb->dev;
- skb->dev = prv->dev;
-
- ret = prv->rebuild_header(skb);
- skb->dev = tmp;
- return ret;
-}
-
-DEBUG_NO_STATIC int
-ipsec_mast_set_mac_address(struct device *dev, void *addr)
-{
- struct ipsecpriv *prv = dev->priv;
-
- struct net_device_stats *stats; /* This device's statistics */
-
- if(dev == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_set_mac_address: "
- "no device...");
- return -ENODEV;
- }
-
- if(prv == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_set_mac_address: "
- "no private space associated with dev=%s",
- dev->name ? dev->name : "NULL");
- return -ENODEV;
- }
-
- stats = (struct net_device_stats *) &(prv->mystats);
-
- if(prv->dev == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_set_mac_address: "
- "no physical device associated with dev=%s",
- dev->name ? dev->name : "NULL");
- stats->tx_dropped++;
- return -ENODEV;
- }
-
- if(!prv->set_mac_address) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_set_mac_address: "
- "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
- dev->name);
- return -ENODEV;
- }
-
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_set_mac_address: "
- "Revectored dev=%s->%s addr=0p%p\n",
- dev->name, prv->dev->name, addr);
- return prv->set_mac_address(prv->dev, addr);
-
-}
-
-DEBUG_NO_STATIC void
-ipsec_mast_cache_update(struct hh_cache *hh, struct device *dev, unsigned char * haddr)
-{
- struct ipsecpriv *prv = dev->priv;
-
- struct net_device_stats *stats; /* This device's statistics */
-
- if(dev == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_cache_update: "
- "no device...");
- return;
- }
-
- if(prv == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_cache_update: "
- "no private space associated with dev=%s",
- dev->name ? dev->name : "NULL");
- return;
- }
-
- stats = (struct net_device_stats *) &(prv->mystats);
-
- if(prv->dev == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_cache_update: "
- "no physical device associated with dev=%s",
- dev->name ? dev->name : "NULL");
- stats->tx_dropped++;
- return;
- }
-
- if(!prv->header_cache_update) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_cache_update: "
- "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
- dev->name);
- return;
- }
-
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast: "
- "Revectored cache_update\n");
- prv->header_cache_update(hh, prv->dev, haddr);
- return;
-}
-
-DEBUG_NO_STATIC int
-ipsec_mast_neigh_setup(struct neighbour *n)
-{
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_neigh_setup:\n");
-
- if (n->nud_state == NUD_NONE) {
- n->ops = &arp_broken_ops;
- n->output = n->ops->output;
- }
- return 0;
-}
-
-DEBUG_NO_STATIC int
-ipsec_mast_neigh_setup_dev(struct device *dev, struct neigh_parms *p)
-{
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_neigh_setup_dev: "
- "setting up %s\n",
- dev ? dev->name : "NULL");
-
- if (p->tbl->family == AF_INET) {
- p->neigh_setup = ipsec_mast_neigh_setup;
- p->ucast_probes = 0;
- p->mcast_probes = 0;
- }
- return 0;
-}
-
-/*
- * We call the attach routine to attach another device.
- */
-
-DEBUG_NO_STATIC int
-ipsec_mast_attach(struct device *dev, struct device *physdev)
-{
- int i;
- struct ipsecpriv *prv = dev->priv;
-
- if(dev == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_attach: "
- "no device...");
- return -ENODEV;
- }
-
- if(prv == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_attach: "
- "no private space associated with dev=%s",
- dev->name ? dev->name : "NULL");
- return -ENODATA;
- }
-
- prv->dev = physdev;
- prv->hard_start_xmit = physdev->hard_start_xmit;
- prv->get_stats = physdev->get_stats;
-
- if (physdev->hard_header) {
- prv->hard_header = physdev->hard_header;
- dev->hard_header = ipsec_mast_hard_header;
- } else
- dev->hard_header = NULL;
-
- if (physdev->rebuild_header) {
- prv->rebuild_header = physdev->rebuild_header;
- dev->rebuild_header = ipsec_mast_rebuild_header;
- } else
- dev->rebuild_header = NULL;
-
- if (physdev->set_mac_address) {
- prv->set_mac_address = physdev->set_mac_address;
- dev->set_mac_address = ipsec_mast_set_mac_address;
- } else
- dev->set_mac_address = NULL;
-
- if (physdev->header_cache_update) {
- prv->header_cache_update = physdev->header_cache_update;
- dev->header_cache_update = ipsec_mast_cache_update;
- } else
- dev->header_cache_update = NULL;
-
- dev->hard_header_len = physdev->hard_header_len;
-
-/* prv->neigh_setup = physdev->neigh_setup; */
- dev->neigh_setup = ipsec_mast_neigh_setup_dev;
- dev->mtu = 16260; /* 0xfff0; */ /* dev->mtu; */
- prv->mtu = physdev->mtu;
-
-#ifdef PHYSDEV_TYPE
- dev->type = physdev->type; /* ARPHRD_MAST; */
-#endif /* PHYSDEV_TYPE */
-
- dev->addr_len = physdev->addr_len;
- for (i=0; i<dev->addr_len; i++) {
- dev->dev_addr[i] = physdev->dev_addr[i];
- }
-#ifdef CONFIG_IPSEC_DEBUG
- if(debug_mast & DB_MAST_INIT) {
- printk(KERN_INFO "klips_debug:ipsec_mast_attach: "
- "physical device %s being attached has HW address: %2x",
- physdev->name, physdev->dev_addr[0]);
- for (i=1; i < physdev->addr_len; i++) {
- printk(":%02x", physdev->dev_addr[i]);
- }
- printk("\n");
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-
- return 0;
-}
-
-/*
- * We call the detach routine to detach the ipsec mast from another device.
- */
-
-DEBUG_NO_STATIC int
-ipsec_mast_detach(struct device *dev)
-{
- int i;
- struct ipsecpriv *prv = dev->priv;
-
- if(dev == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_detach: "
- "no device...");
- return -ENODEV;
- }
-
- if(prv == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_REVEC,
- "klips_debug:ipsec_mast_detach: "
- "no private space associated with dev=%s",
- dev->name ? dev->name : "NULL");
- return -ENODATA;
- }
-
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_detach: "
- "physical device %s being detached from virtual device %s\n",
- prv->dev ? prv->dev->name : "NULL",
- dev->name);
-
- prv->dev = NULL;
- prv->hard_start_xmit = NULL;
- prv->get_stats = NULL;
-
- prv->hard_header = NULL;
-#ifdef DETACH_AND_DOWN
- dev->hard_header = NULL;
-#endif /* DETACH_AND_DOWN */
-
- prv->rebuild_header = NULL;
-#ifdef DETACH_AND_DOWN
- dev->rebuild_header = NULL;
-#endif /* DETACH_AND_DOWN */
-
- prv->set_mac_address = NULL;
-#ifdef DETACH_AND_DOWN
- dev->set_mac_address = NULL;
-#endif /* DETACH_AND_DOWN */
-
- prv->header_cache_update = NULL;
-#ifdef DETACH_AND_DOWN
- dev->header_cache_update = NULL;
-#endif /* DETACH_AND_DOWN */
-
-#ifdef DETACH_AND_DOWN
- dev->neigh_setup = NULL;
-#endif /* DETACH_AND_DOWN */
-
- dev->hard_header_len = 0;
-#ifdef DETACH_AND_DOWN
- dev->mtu = 0;
-#endif /* DETACH_AND_DOWN */
- prv->mtu = 0;
- for (i=0; i<MAX_ADDR_LEN; i++) {
- dev->dev_addr[i] = 0;
- }
- dev->addr_len = 0;
-#ifdef PHYSDEV_TYPE
- dev->type = ARPHRD_VOID; /* ARPHRD_MAST; */
-#endif /* PHYSDEV_TYPE */
-
- return 0;
-}
-
-/*
- * We call the clear routine to detach all ipsec masts from other devices.
- */
-DEBUG_NO_STATIC int
-ipsec_mast_clear(void)
-{
- int i;
- struct device *ipsecdev = NULL, *prvdev;
- struct ipsecpriv *prv;
- char name[9];
- int ret;
-
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_clear: .\n");
-
- for(i = 0; i < IPSEC_NUM_IF; i++) {
- sprintf(name, IPSEC_DEV_FORMAT, i);
- if((ipsecdev = ipsec_dev_get(name)) != NULL) {
- if((prv = (struct ipsecpriv *)(ipsecdev->priv))) {
- prvdev = (struct device *)(prv->dev);
- if(prvdev) {
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_clear: "
- "physical device for device %s is %s\n",
- name, prvdev->name);
- if((ret = ipsec_mast_detach(ipsecdev))) {
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_clear: "
- "error %d detatching device %s from device %s.\n",
- ret, name, prvdev->name);
- return ret;
- }
- }
- }
- }
- }
- return 0;
-}
-
-DEBUG_NO_STATIC int
-ipsec_mast_ioctl(struct device *dev, struct ifreq *ifr, int cmd)
-{
- struct ipsecmastconf *cf = (struct ipsecmastconf *)&ifr->ifr_data;
- struct ipsecpriv *prv = dev->priv;
- struct device *them; /* physical device */
-#ifdef CONFIG_IP_ALIAS
- char *colon;
- char realphysname[IFNAMSIZ];
-#endif /* CONFIG_IP_ALIAS */
-
- if(dev == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_ioctl: "
- "device not supplied.\n");
- return -ENODEV;
- }
-
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_ioctl: "
- "tncfg service call #%d for dev=%s\n",
- cmd,
- dev->name ? dev->name : "NULL");
- switch (cmd) {
- /* attach a virtual ipsec? device to a physical device */
- case IPSEC_SET_DEV:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_ioctl: "
- "calling ipsec_mast_attatch...\n");
-#ifdef CONFIG_IP_ALIAS
- /* If this is an IP alias interface, get its real physical name */
- strncpy(realphysname, cf->cf_name, IFNAMSIZ);
- realphysname[IFNAMSIZ-1] = 0;
- colon = strchr(realphysname, ':');
- if (colon) *colon = 0;
- them = ipsec_dev_get(realphysname);
-#else /* CONFIG_IP_ALIAS */
- them = ipsec_dev_get(cf->cf_name);
-#endif /* CONFIG_IP_ALIAS */
-
- if (them == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_ioctl: "
- "physical device %s requested is null\n",
- cf->cf_name);
- return -ENXIO;
- }
-
-#if 0
- if (them->flags & IFF_UP) {
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_ioctl: "
- "physical device %s requested is not up.\n",
- cf->cf_name);
- return -ENXIO;
- }
-#endif
-
- if (prv && prv->dev) {
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_ioctl: "
- "virtual device is already connected to %s.\n",
- prv->dev->name ? prv->dev->name : "NULL");
- return -EBUSY;
- }
- return ipsec_mast_attach(dev, them);
-
- case IPSEC_DEL_DEV:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_ioctl: "
- "calling ipsec_mast_detatch.\n");
- if (! prv->dev) {
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_ioctl: "
- "physical device not connected.\n");
- return -ENODEV;
- }
- return ipsec_mast_detach(dev);
-
- case IPSEC_CLR_DEV:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_ioctl: "
- "calling ipsec_mast_clear.\n");
- return ipsec_mast_clear();
-
- default:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_ioctl: "
- "unknown command %d.\n",
- cmd);
- return -EOPNOTSUPP;
- }
-}
-
-int
-ipsec_mast_device_event(struct notifier_block *unused, unsigned long event, void *ptr)
-{
- struct device *dev = ptr;
- struct device *ipsec_dev;
- struct ipsecpriv *priv;
- char name[9];
- int i;
-
- if (dev == NULL) {
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_device_event: "
- "dev=NULL for event type %ld.\n",
- event);
- return(NOTIFY_DONE);
- }
-
- /* check for loopback devices */
- if (dev && (dev->flags & IFF_LOOPBACK)) {
- return(NOTIFY_DONE);
- }
-
- switch (event) {
- case NETDEV_DOWN:
- /* look very carefully at the scope of these compiler
- directives before changing anything... -- RGB */
-
- case NETDEV_UNREGISTER:
- switch (event) {
- case NETDEV_DOWN:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_device_event: "
- "NETDEV_DOWN dev=%s flags=%x\n",
- dev->name,
- dev->flags);
- if(strncmp(dev->name, "ipsec", strlen("ipsec")) == 0) {
- printk(KERN_CRIT "IPSEC EVENT: KLIPS device %s shut down.\n",
- dev->name);
- }
- break;
- case NETDEV_UNREGISTER:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_device_event: "
- "NETDEV_UNREGISTER dev=%s flags=%x\n",
- dev->name,
- dev->flags);
- break;
- }
-
- /* find the attached physical device and detach it. */
- for(i = 0; i < IPSEC_NUM_IF; i++) {
- sprintf(name, IPSEC_DEV_FORMAT, i);
- ipsec_dev = ipsec_dev_get(name);
- if(ipsec_dev) {
- priv = (struct ipsecpriv *)(ipsec_dev->priv);
- if(priv) {
- ;
- if(((struct device *)(priv->dev)) == dev) {
- /* dev_close(ipsec_dev); */
- /* return */ ipsec_mast_detach(ipsec_dev);
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_device_event: "
- "device '%s' has been detached.\n",
- ipsec_dev->name);
- break;
- }
- } else {
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_device_event: "
- "device '%s' has no private data space!\n",
- ipsec_dev->name);
- }
- }
- }
- break;
- case NETDEV_UP:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_device_event: "
- "NETDEV_UP dev=%s\n",
- dev->name);
- break;
- case NETDEV_REBOOT:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_device_event: "
- "NETDEV_REBOOT dev=%s\n",
- dev->name);
- break;
- case NETDEV_CHANGE:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_device_event: "
- "NETDEV_CHANGE dev=%s flags=%x\n",
- dev->name,
- dev->flags);
- break;
- case NETDEV_REGISTER:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_device_event: "
- "NETDEV_REGISTER dev=%s\n",
- dev->name);
- break;
- case NETDEV_CHANGEMTU:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_device_event: "
- "NETDEV_CHANGEMTU dev=%s to mtu=%d\n",
- dev->name,
- dev->mtu);
- break;
- case NETDEV_CHANGEADDR:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_device_event: "
- "NETDEV_CHANGEADDR dev=%s\n",
- dev->name);
- break;
- case NETDEV_GOING_DOWN:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_device_event: "
- "NETDEV_GOING_DOWN dev=%s\n",
- dev->name);
- break;
- case NETDEV_CHANGENAME:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_device_event: "
- "NETDEV_CHANGENAME dev=%s\n",
- dev->name);
- break;
- default:
- KLIPS_PRINT(debug_mast & DB_MAST_INIT,
- "klips_debug:ipsec_mast_device_event: "
- "event type %ld unrecognised for dev=%s\n",
- event,
- dev->name);
- break;
- }
- return NOTIFY_DONE;
-}
-
-/*
- * Called when an ipsec mast device is initialized.
- * The ipsec mast device structure is passed to us.
- */
-
-int
-ipsec_mast_init(struct device *dev)
-{
- int i;
-
- KLIPS_PRINT(debug_mast,
- "klips_debug:ipsec_mast_init: "
- "allocating %lu bytes initialising device: %s\n",
- (unsigned long) sizeof(struct ipsecpriv),
- dev->name ? dev->name : "NULL");
-
- /* Add our mast functions to the device */
- dev->open = ipsec_mast_open;
- dev->stop = ipsec_mast_close;
- dev->hard_start_xmit = ipsec_mast_start_xmit;
- dev->get_stats = ipsec_mast_get_stats;
-
- dev->priv = kmalloc(sizeof(struct ipsecpriv), GFP_KERNEL);
- if (dev->priv == NULL)
- return -ENOMEM;
- memset((caddr_t)(dev->priv), 0, sizeof(struct ipsecpriv));
-
- for(i = 0; i < sizeof(zeroes); i++) {
- ((__u8*)(zeroes))[i] = 0;
- }
-
- dev->set_multicast_list = NULL;
- dev->do_ioctl = ipsec_mast_ioctl;
- dev->hard_header = NULL;
- dev->rebuild_header = NULL;
- dev->set_mac_address = NULL;
- dev->header_cache_update= NULL;
- dev->neigh_setup = ipsec_mast_neigh_setup_dev;
- dev->hard_header_len = 0;
- dev->mtu = 0;
- dev->addr_len = 0;
- dev->type = ARPHRD_VOID; /* ARPHRD_MAST; */ /* ARPHRD_ETHER; */
- dev->tx_queue_len = 10; /* Small queue */
- memset((caddr_t)(dev->broadcast),0xFF, ETH_ALEN); /* what if this is not attached to ethernet? */
-
- /* New-style flags. */
- dev->flags = IFF_NOARP /* 0 */ /* Petr Novak */;
- dev_init_buffers(dev);
-
- /* We're done. Have I forgotten anything? */
- return 0;
-}
-
-/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
-/* Module specific interface (but it links with the rest of IPSEC) */
-/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
-
-int
-ipsec_mast_probe(struct device *dev)
-{
- ipsec_mast_init(dev);
- return 0;
-}
-
-int
-ipsec_mast_init_devices(void)
-{
- return 0;
-}
-
-/* void */
-int
-ipsec_mast_cleanup_devices(void)
-{
- int error = 0;
- int i;
- char name[10];
- struct device *dev_mast;
-
- for(i = 0; i < ipsec_mastdevice_count; i++) {
- sprintf(name, MAST_DEV_FORMAT, i);
- if((dev_mast = ipsec_dev_get(name)) == NULL) {
- break;
- }
- unregister_netdev(dev_mast);
- kfree(dev_mast->priv);
- dev_mast->priv=NULL;
- }
- return error;
-}
diff --git a/linux/net/ipsec/ipsec_md5c.c b/linux/net/ipsec/ipsec_md5c.c
deleted file mode 100644
index 41a1551c1..000000000
--- a/linux/net/ipsec/ipsec_md5c.c
+++ /dev/null
@@ -1,448 +0,0 @@
-/*
- * RCSID $Id: ipsec_md5c.c,v 1.1 2004/03/15 20:35:26 as Exp $
- */
-
-/*
- * The rest of the code is derived from MD5C.C by RSADSI. Minor cosmetic
- * changes to accomodate it in the kernel by ji.
- */
-
-#include <asm/byteorder.h>
-#include <linux/string.h>
-
-#include "freeswan/ipsec_md5h.h"
-
-/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm
- */
-
-/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
-rights reserved.
-
-License to copy and use this software is granted provided that it
-is identified as the "RSA Data Security, Inc. MD5 Message-Digest
-Algorithm" in all material mentioning or referencing this software
-or this function.
-
-License is also granted to make and use derivative works provided
-that such works are identified as "derived from the RSA Data
-Security, Inc. MD5 Message-Digest Algorithm" in all material
-mentioning or referencing the derived work.
-
-RSA Data Security, Inc. makes no representations concerning either
-the merchantability of this software or the suitability of this
-software for any particular purpose. It is provided "as is"
-without express or implied warranty of any kind.
-
-These notices must be retained in any copies of any part of this
-documentation and/or software.
- */
-
-/*
- * Additions by JI
- *
- * HAVEMEMCOPY is defined if mem* routines are available
- *
- * HAVEHTON is defined if htons() and htonl() can be used
- * for big/little endian conversions
- *
- */
-
-#define HAVEMEMCOPY
-#ifdef __LITTLE_ENDIAN
-#define LITTLENDIAN
-#endif
-#ifdef __BIG_ENDIAN
-#define BIGENDIAN
-#endif
-
-/* Constants for MD5Transform routine.
- */
-
-#define S11 7
-#define S12 12
-#define S13 17
-#define S14 22
-#define S21 5
-#define S22 9
-#define S23 14
-#define S24 20
-#define S31 4
-#define S32 11
-#define S33 16
-#define S34 23
-#define S41 6
-#define S42 10
-#define S43 15
-#define S44 21
-
-static void MD5Transform PROTO_LIST ((UINT4 [4], unsigned char [64]));
-
-#ifdef LITTLEENDIAN
-#define Encode MD5_memcpy
-#define Decode MD5_memcpy
-#else
-static void Encode PROTO_LIST
- ((unsigned char *, UINT4 *, unsigned int));
-static void Decode PROTO_LIST
- ((UINT4 *, unsigned char *, unsigned int));
-#endif
-
-#ifdef HAVEMEMCOPY
-/* no need to include <memory.h> here; <linux/string.h> defines these */
-#define MD5_memcpy memcpy
-#define MD5_memset memset
-#else
-#ifdef HAVEBCOPY
-#define MD5_memcpy(_a,_b,_c) bcopy((_b),(_a),(_c))
-#define MD5_memset(_a,_b,_c) bzero((_a),(_c))
-#else
-static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int));
-static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int));
-#endif
-#endif
-static unsigned char PADDING[64] = {
- 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-/* F, G, H and I are basic MD5 functions.
- */
-#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
-#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
-#define H(x, y, z) ((x) ^ (y) ^ (z))
-#define I(x, y, z) ((y) ^ ((x) | (~z)))
-
-/* ROTATE_LEFT rotates x left n bits.
- */
-#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
-
-/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
-Rotation is separate from addition to prevent recomputation.
- */
-#define FF(a, b, c, d, x, s, ac) { \
- (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
- }
-#define GG(a, b, c, d, x, s, ac) { \
- (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
- }
-#define HH(a, b, c, d, x, s, ac) { \
- (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
- }
-#define II(a, b, c, d, x, s, ac) { \
- (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
- (a) = ROTATE_LEFT ((a), (s)); \
- (a) += (b); \
- }
-
-/*
- * MD5 initialization. Begins an MD5 operation, writing a new context.
- */
-void MD5Init(void *vcontext)
-{
- MD5_CTX *context = vcontext;
-
- context->count[0] = context->count[1] = 0;
- /* Load magic initialization constants.
-*/
- context->state[0] = 0x67452301;
- context->state[1] = 0xefcdab89;
- context->state[2] = 0x98badcfe;
- context->state[3] = 0x10325476;
-}
-
-/* MD5 block update operation. Continues an MD5 message-digest
- operation, processing another message block, and updating the
- context.
- */
-void MD5Update (vcontext, input, inputLen)
- void *vcontext;
- unsigned char *input; /* input block */
- __u32 inputLen; /* length of input block */
-{
- MD5_CTX *context = vcontext;
- __u32 i;
- unsigned int index, partLen;
-
- /* Compute number of bytes mod 64 */
- index = (unsigned int)((context->count[0] >> 3) & 0x3F);
-
- /* Update number of bits */
- if ((context->count[0] += ((UINT4)inputLen << 3))
- < ((UINT4)inputLen << 3))
- context->count[1]++;
- context->count[1] += ((UINT4)inputLen >> 29);
-
- partLen = 64 - index;
-
- /* Transform as many times as possible.
-*/
- if (inputLen >= partLen) {
- MD5_memcpy
- ((POINTER)&context->buffer[index], (POINTER)input, partLen);
- MD5Transform (context->state, context->buffer);
-
- for (i = partLen; i + 63 < inputLen; i += 64)
- MD5Transform (context->state, &input[i]);
-
- index = 0;
- }
- else
- i = 0;
-
- /* Buffer remaining input */
- MD5_memcpy
- ((POINTER)&context->buffer[index], (POINTER)&input[i],
- inputLen-i);
-}
-
-/* MD5 finalization. Ends an MD5 message-digest operation, writing the
- the message digest and zeroizing the context.
- */
-void MD5Final (digest, vcontext)
-unsigned char digest[16]; /* message digest */
-void *vcontext; /* context */
-{
- MD5_CTX *context = vcontext;
- unsigned char bits[8];
- unsigned int index, padLen;
-
- /* Save number of bits */
- Encode (bits, context->count, 8);
-
- /* Pad out to 56 mod 64.
-*/
- index = (unsigned int)((context->count[0] >> 3) & 0x3f);
- padLen = (index < 56) ? (56 - index) : (120 - index);
- MD5Update (context, PADDING, padLen);
-
- /* Append length (before padding) */
- MD5Update (context, bits, 8);
-
- if (digest != NULL) /* Bill Simpson's padding */
- {
- /* store state in digest */
- Encode (digest, context->state, 16);
-
- /* Zeroize sensitive information.
- */
- MD5_memset ((POINTER)context, 0, sizeof (*context));
- }
-}
-
-/* MD5 basic transformation. Transforms state based on block.
- */
-static void MD5Transform (state, block)
-UINT4 state[4];
-unsigned char block[64];
-{
- UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
-
- Decode (x, block, 64);
-
- /* Round 1 */
- FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
- FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
- FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
- FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
- FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
- FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
- FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
- FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
- FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
- FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
- FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
- FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
- FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
- FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
- FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
- FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
-
- /* Round 2 */
- GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
- GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
- GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
- GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
- GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
- GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */
- GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
- GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
- GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
- GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
- GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
- GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
- GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
- GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
- GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
- GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
-
- /* Round 3 */
- HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
- HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
- HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
- HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
- HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
- HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
- HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
- HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
- HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
- HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
- HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
- HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
- HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
- HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
- HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
- HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
-
- /* Round 4 */
- II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
- II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
- II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
- II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
- II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
- II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
- II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
- II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
- II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
- II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
- II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
- II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
- II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
- II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
- II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
- II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
-
- state[0] += a;
- state[1] += b;
- state[2] += c;
- state[3] += d;
-
- /* Zeroize sensitive information.
-*/
- MD5_memset ((POINTER)x, 0, sizeof (x));
-}
-
-#ifndef LITTLEENDIAN
-
-/* Encodes input (UINT4) into output (unsigned char). Assumes len is
- a multiple of 4.
- */
-static void Encode (output, input, len)
-unsigned char *output;
-UINT4 *input;
-unsigned int len;
-{
- unsigned int i, j;
-
- for (i = 0, j = 0; j < len; i++, j += 4) {
- output[j] = (unsigned char)(input[i] & 0xff);
- output[j+1] = (unsigned char)((input[i] >> 8) & 0xff);
- output[j+2] = (unsigned char)((input[i] >> 16) & 0xff);
- output[j+3] = (unsigned char)((input[i] >> 24) & 0xff);
- }
-}
-
-/* Decodes input (unsigned char) into output (UINT4). Assumes len is
- a multiple of 4.
- */
-static void Decode (output, input, len)
-UINT4 *output;
-unsigned char *input;
-unsigned int len;
-{
- unsigned int i, j;
-
- for (i = 0, j = 0; j < len; i++, j += 4)
- output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) |
- (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24);
-}
-
-#endif
-
-#ifndef HAVEMEMCOPY
-#ifndef HAVEBCOPY
-/* Note: Replace "for loop" with standard memcpy if possible.
- */
-
-static void MD5_memcpy (output, input, len)
-POINTER output;
-POINTER input;
-unsigned int len;
-{
- unsigned int i;
-
- for (i = 0; i < len; i++)
-
- output[i] = input[i];
-}
-
-/* Note: Replace "for loop" with standard memset if possible.
- */
-
-static void MD5_memset (output, value, len)
-POINTER output;
-int value;
-unsigned int len;
-{
- unsigned int i;
-
- for (i = 0; i < len; i++)
- ((char *)output)[i] = (char)value;
-}
-#endif
-#endif
-
-/*
- * $Log: ipsec_md5c.c,v $
- * Revision 1.1 2004/03/15 20:35:26 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.7 2002/09/10 01:45:14 mcr
- * changed type of MD5_CTX and SHA1_CTX to void * so that
- * the function prototypes would match, and could be placed
- * into a pointer to a function.
- *
- * Revision 1.6 2002/04/24 07:55:32 mcr
- * #include patches and Makefiles for post-reorg compilation.
- *
- * Revision 1.5 2002/04/24 07:36:28 mcr
- * Moved from ./klips/net/ipsec/ipsec_md5c.c,v
- *
- * Revision 1.4 1999/12/13 13:59:12 rgb
- * Quick fix to argument size to Update bugs.
- *
- * Revision 1.3 1999/05/21 18:09:28 henry
- * unnecessary <memory.h> include causes trouble in 2.2
- *
- * Revision 1.2 1999/04/06 04:54:26 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.1 1998/06/18 21:27:48 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.2 1998/04/23 20:54:02 rgb
- * Fixed md5 and sha1 include file nesting issues, to be cleaned up when
- * verified.
- *
- * Revision 1.1 1998/04/09 03:06:08 henry
- * sources moved up from linux/net/ipsec
- *
- * Revision 1.1.1.1 1998/04/08 05:35:04 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.3 1996/11/20 14:48:53 ji
- * Release update only.
- *
- * Revision 0.2 1996/11/02 00:18:33 ji
- * First limited release.
- *
- *
- */
diff --git a/linux/net/ipsec/ipsec_proc.c b/linux/net/ipsec/ipsec_proc.c
deleted file mode 100644
index 5d2bba554..000000000
--- a/linux/net/ipsec/ipsec_proc.c
+++ /dev/null
@@ -1,1003 +0,0 @@
-/*
- * @(#) /proc file system interface code.
- *
- * Copyright (C) 1996, 1997 John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs <rgb@freeswan.org>
- * 2001 Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * Split out from ipsec_init.c version 1.70.
- */
-
-char ipsec_proc_c_version[] = "RCSID $Id: ipsec_proc.c,v 1.8 2004/04/28 08:06:22 as Exp $";
-
-#include <linux/config.h>
-#include <linux/version.h>
-#define __NO_VERSION__
-#include <linux/module.h>
-#include <linux/kernel.h> /* printk() */
-
-#include "freeswan/ipsec_param.h"
-
-#ifdef MALLOC_SLAB
-# include <linux/slab.h> /* kmalloc() */
-#else /* MALLOC_SLAB */
-# include <linux/malloc.h> /* kmalloc() */
-#endif /* MALLOC_SLAB */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/interrupt.h> /* mark_bh */
-
-#include <linux/netdevice.h> /* struct device, and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/ip.h> /* struct iphdr */
-#include <linux/in.h> /* struct sockaddr_in */
-#include <linux/skbuff.h>
-#include <freeswan.h>
-#ifdef SPINLOCK
-#ifdef SPINLOCK_23
-#include <linux/spinlock.h> /* *lock* */
-#else /* SPINLOCK_23 */
-#include <asm/spinlock.h> /* *lock* */
-#endif /* SPINLOCK_23 */
-#endif /* SPINLOCK */
-#ifdef NET_21
-#include <asm/uaccess.h>
-#include <linux/in6.h>
-#endif /* NET_21 */
-#include <asm/checksum.h>
-#include <net/ip.h>
-#ifdef CONFIG_PROC_FS
-#include <linux/proc_fs.h>
-#endif /* CONFIG_PROC_FS */
-#ifdef NETLINK_SOCK
-#include <linux/netlink.h>
-#else
-#include <net/netlink.h>
-#endif
-
-#include "freeswan/radij.h"
-
-#include "freeswan/ipsec_life.h"
-#include "freeswan/ipsec_stats.h"
-#include "freeswan/ipsec_sa.h"
-
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_radij.h"
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_tunnel.h"
-#include "freeswan/ipsec_xmit.h"
-
-#include "freeswan/ipsec_rcv.h"
-#include "freeswan/ipsec_ah.h"
-#include "freeswan/ipsec_esp.h"
-
-#ifdef CONFIG_IPSEC_IPCOMP
-#include "freeswan/ipcomp.h"
-#endif /* CONFIG_IPSEC_IPCOMP */
-
-#include "freeswan/ipsec_proto.h"
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#ifdef CONFIG_PROC_FS
-
-#ifdef IPSEC_PROC_SUBDIRS
-static struct proc_dir_entry *proc_net_ipsec_dir = NULL;
-static struct proc_dir_entry *proc_eroute_dir = NULL;
-static struct proc_dir_entry *proc_spi_dir = NULL;
-static struct proc_dir_entry *proc_spigrp_dir = NULL;
-static struct proc_dir_entry *proc_birth_dir = NULL;
-static struct proc_dir_entry *proc_stats_dir = NULL;
-#endif
-
-struct ipsec_birth_reply ipsec_ipv4_birth_packet;
-struct ipsec_birth_reply ipsec_ipv6_birth_packet;
-
-extern int ipsec_xform_get_info(char *buffer, char **start,
- off_t offset, int length IPSEC_PROC_LAST_ARG);
-
-
-/* ipsec_snprintf: like snprintf except
- * - size is signed and a negative value is treated as if it were 0
- * - the returned result is never negative --
- * an error generates a "?" or null output (depending on space).
- * (Our callers are too lazy to check for an error return.)
- *
- * @param buf String buffer
- * @param size Size of the string
- * @param fmt printf string
- * @param ... Variables to be displayed in fmt
- * @return int Return code
- */
-int ipsec_snprintf(char *buf, ssize_t size, const char *fmt, ...)
-{
- va_list args;
- int i;
- size_t possize = size < 0? 0 : size;
- va_start(args, fmt);
- i = vsnprintf(buf,possize,fmt,args);
- va_end(args);
- if (i < 0) {
- /* create empty output in place of error */
- i = 0;
- if (size > 0) {
- *buf = '\0';
- }
- }
- return i;
-}
-
-
-IPSEC_PROCFS_DEBUG_NO_STATIC
-int
-ipsec_eroute_get_info(char *buffer,
- char **start,
- off_t offset,
- int length IPSEC_PROC_LAST_ARG)
-{
- struct wsbuf w = {buffer, length, offset, 0, 0};
-
-#ifdef CONFIG_IPSEC_DEBUG
- if (debug_radij & DB_RJ_DUMPTREES)
- rj_dumptrees(); /* XXXXXXXXX */
-#endif /* CONFIG_IPSEC_DEBUG */
-
- KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
- "klips_debug:ipsec_eroute_get_info: "
- "buffer=0p%p, *start=0p%p, offset=%d, length=%d\n",
- buffer,
- *start,
- (int)offset,
- length);
-
- spin_lock_bh(&eroute_lock);
-
- rj_walktree(rnh, ipsec_rj_walker_procprint, &w);
-/* rj_walktree(mask_rjhead, ipsec_rj_walker_procprint, &w); */
-
- spin_unlock_bh(&eroute_lock);
-
- *start = buffer + (offset - w.begin); /* Start of wanted data */
- return w.len - (offset - w.begin);
-}
-
-IPSEC_PROCFS_DEBUG_NO_STATIC
-int
-ipsec_spi_get_info(char *buffer,
- char **start,
- off_t offset,
- int length IPSEC_PROC_LAST_ARG)
-{
- /* Limit of useful snprintf output */
- const int max_content = length > 0? length-1 : 0;
-
- int len = 0;
- off_t begin = 0;
- int i;
- struct ipsec_sa *sa_p;
- char sa[SATOA_BUF];
- char buf_s[SUBNETTOA_BUF];
- char buf_d[SUBNETTOA_BUF];
- size_t sa_len;
-
- KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
- "klips_debug:ipsec_spi_get_info: "
- "buffer=0p%p, *start=0p%p, offset=%d, length=%d\n",
- buffer,
- *start,
- (int)offset,
- length);
-
- spin_lock_bh(&tdb_lock);
-
-
-
- for (i = 0; i < SADB_HASHMOD; i++) {
- for (sa_p = ipsec_sadb_hash[i];
- sa_p;
- sa_p = sa_p->ips_hnext) {
- atomic_inc(&sa_p->ips_refcount);
- sa_len = satoa(sa_p->ips_said, 0, sa, SATOA_BUF);
- len += ipsec_snprintf(buffer+len, length-len, "%s ",
- sa_len ? sa : " (error)");
-
- len += ipsec_snprintf(buffer+len, length-len, "%s%s%s",
- IPS_XFORM_NAME(sa_p));
-
- len += ipsec_snprintf(buffer+len, length-len, ": dir=%s",
- (sa_p->ips_flags & EMT_INBOUND) ?
- "in " : "out");
-
- if(sa_p->ips_addr_s) {
- addrtoa(((struct sockaddr_in*)(sa_p->ips_addr_s))->sin_addr,
- 0, buf_s, sizeof(buf_s));
- len += ipsec_snprintf(buffer+len, length-len, " src=%s",
- buf_s);
- }
-
- if((sa_p->ips_said.proto == IPPROTO_IPIP)
- && (sa_p->ips_flags & SADB_X_SAFLAGS_INFLOW)) {
- subnettoa(sa_p->ips_flow_s.u.v4.sin_addr,
- sa_p->ips_mask_s.u.v4.sin_addr,
- 0,
- buf_s,
- sizeof(buf_s));
-
- subnettoa(sa_p->ips_flow_d.u.v4.sin_addr,
- sa_p->ips_mask_d.u.v4.sin_addr,
- 0,
- buf_d,
- sizeof(buf_d));
-
- len += ipsec_snprintf(buffer+len, length-len, " policy=%s->%s",
- buf_s, buf_d);
- }
-
- if(sa_p->ips_iv_bits) {
- int j;
- len += ipsec_snprintf(buffer+len, length-len, " iv_bits=%dbits iv=0x",
- sa_p->ips_iv_bits);
-
- for(j = 0; j < sa_p->ips_iv_bits / 8; j++) {
- len += ipsec_snprintf(buffer+len, length-len, "%02x",
- (__u32)((__u8*)(sa_p->ips_iv))[j]);
- }
- }
-
- if(sa_p->ips_encalg || sa_p->ips_authalg) {
- if(sa_p->ips_replaywin) {
- len += ipsec_snprintf(buffer+len, length-len, " ooowin=%d",
- sa_p->ips_replaywin);
- }
- if(sa_p->ips_errs.ips_replaywin_errs) {
- len += ipsec_snprintf(buffer+len, length-len, " ooo_errs=%d",
- sa_p->ips_errs.ips_replaywin_errs);
- }
- if(sa_p->ips_replaywin_lastseq) {
- len += ipsec_snprintf(buffer+len, length-len, " seq=%d",
- sa_p->ips_replaywin_lastseq);
- }
- if(sa_p->ips_replaywin_bitmap) {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0)
- len += ipsec_snprintf(buffer+len, length-len, " bit=0x%Lx",
- sa_p->ips_replaywin_bitmap);
-#else
- len += ipsec_snprintf(buffer+len, length-len, " bit=0x%x%08x",
- (__u32)(sa_p->ips_replaywin_bitmap >> 32),
- (__u32)sa_p->ips_replaywin_bitmap);
-#endif
- }
- if(sa_p->ips_replaywin_maxdiff) {
- len += ipsec_snprintf(buffer+len, length-len, " max_seq_diff=%d",
- sa_p->ips_replaywin_maxdiff);
- }
- }
- if(sa_p->ips_flags & ~EMT_INBOUND) {
- len += ipsec_snprintf(buffer+len, length-len, " flags=0x%x",
- sa_p->ips_flags & ~EMT_INBOUND);
- len += ipsec_snprintf(buffer+len, length-len, "<");
- /* flag printing goes here */
- len += ipsec_snprintf(buffer+len, length-len, ">");
- }
- if(sa_p->ips_auth_bits) {
- len += ipsec_snprintf(buffer+len, length-len, " alen=%d",
- sa_p->ips_auth_bits);
- }
- if(sa_p->ips_key_bits_a) {
- len += ipsec_snprintf(buffer+len, length-len, " aklen=%d",
- sa_p->ips_key_bits_a);
- }
- if(sa_p->ips_errs.ips_auth_errs) {
- len += ipsec_snprintf(buffer+len, length-len, " auth_errs=%d",
- sa_p->ips_errs.ips_auth_errs);
- }
- if(sa_p->ips_key_bits_e) {
- len += ipsec_snprintf(buffer+len, length-len, " eklen=%d",
- sa_p->ips_key_bits_e);
- }
- if(sa_p->ips_errs.ips_encsize_errs) {
- len += ipsec_snprintf(buffer+len, length-len, " encr_size_errs=%d",
- sa_p->ips_errs.ips_encsize_errs);
- }
- if(sa_p->ips_errs.ips_encpad_errs) {
- len += ipsec_snprintf(buffer+len, length-len, " encr_pad_errs=%d",
- sa_p->ips_errs.ips_encpad_errs);
- }
-
- len += ipsec_snprintf(buffer+len, length-len, " life(c,s,h)=");
-
- len += ipsec_lifetime_format(buffer + len,
- length - len,
- "alloc",
- ipsec_life_countbased,
- &sa_p->ips_life.ipl_allocations);
-
- len += ipsec_lifetime_format(buffer + len,
- length - len,
- "bytes",
- ipsec_life_countbased,
- &sa_p->ips_life.ipl_bytes);
-
- len += ipsec_lifetime_format(buffer + len,
- length - len,
- "addtime",
- ipsec_life_timebased,
- &sa_p->ips_life.ipl_addtime);
-
- len += ipsec_lifetime_format(buffer + len,
- length - len,
- "usetime",
- ipsec_life_timebased,
- &sa_p->ips_life.ipl_usetime);
-
- len += ipsec_lifetime_format(buffer + len,
- length - len,
- "packets",
- ipsec_life_countbased,
- &sa_p->ips_life.ipl_packets);
-
- if(sa_p->ips_life.ipl_usetime.ipl_last) { /* XXX-MCR should be last? */
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0)
- len += ipsec_snprintf(buffer+len, length-len, " idle=%Ld",
- jiffies / HZ - sa_p->ips_life.ipl_usetime.ipl_last);
-#else
- len += ipsec_snprintf(buffer+len, length-len, " idle=%lu",
- jiffies / HZ - (unsigned long)sa_p->ips_life.ipl_usetime.ipl_last);
-#endif
- }
-
-#ifdef CONFIG_IPSEC_IPCOMP
- if(sa_p->ips_said.proto == IPPROTO_COMP &&
- (sa_p->ips_comp_ratio_dbytes ||
- sa_p->ips_comp_ratio_cbytes)) {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,3,0)
- len += ipsec_snprintf(buffer+len, length-len, " ratio=%Ld:%Ld",
- sa_p->ips_comp_ratio_dbytes,
- sa_p->ips_comp_ratio_cbytes);
-#else
- len += ipsec_snprintf(buffer+len, length-len, " ratio=%lu:%lu",
- (unsigned long)sa_p->ips_comp_ratio_dbytes,
- (unsigned long)sa_p->ips_comp_ratio_cbytes);
-#endif
- }
-#endif /* CONFIG_IPSEC_IPCOMP */
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- if(sa_p->ips_natt_type != 0) {
- char *natttype_name;
-
- switch(sa_p->ips_natt_type)
- {
- case ESPINUDP_WITH_NON_IKE:
- natttype_name="nonike";
- break;
- case ESPINUDP_WITH_NON_ESP:
- natttype_name="nonesp";
- break;
- default:
- natttype_name="unknown";
- break;
- }
-
- len += ipsec_snprintf(buffer+len, length-len, " natencap=%s",
- natttype_name);
-
- len += ipsec_snprintf(buffer+len, length-len, " natsport=%d",
- sa_p->ips_natt_sport);
-
- len += ipsec_snprintf(buffer+len, length-len, " natdport=%d",
- sa_p->ips_natt_dport);
- }
-#endif /* CONFIG_IPSEC_NAT_TRAVERSAL */
-
- len += ipsec_snprintf(buffer+len, length-len, " refcount=%d",
- atomic_read(&sa_p->ips_refcount));
-
- len += ipsec_snprintf(buffer+len, length-len, " ref=%d",
- sa_p->ips_ref);
-#ifdef CONFIG_IPSEC_DEBUG
- if(debug_xform) {
- len += ipsec_snprintf(buffer+len, length-len, " reftable=%lu refentry=%lu",
- (unsigned long)IPsecSAref2table(sa_p->ips_ref),
- (unsigned long)IPsecSAref2entry(sa_p->ips_ref));
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-
- len += ipsec_snprintf(buffer+len, length-len, "\n");
-
- atomic_dec(&sa_p->ips_refcount);
-
- if (len >= max_content) {
- /* we've done all that can fit -- stop loops */
- len = max_content; /* truncate crap */
- goto done_spi_i;
- } else {
- const off_t pos = begin + len;
-
- if (pos <= offset) {
- /* all is before first interesting character:
- * discard, but note where we are.
- */
- len = 0;
- begin = pos;
- }
- }
- }
- }
-
-done_spi_i:
- spin_unlock_bh(&tdb_lock);
-
- *start = buffer + (offset - begin); /* Start of wanted data */
- return len - (offset - begin);
-}
-
-IPSEC_PROCFS_DEBUG_NO_STATIC
-int
-ipsec_spigrp_get_info(char *buffer,
- char **start,
- off_t offset,
- int length IPSEC_PROC_LAST_ARG)
-{
- /* limit of useful snprintf output */
- const int max_content = length > 0? length-1 : 0;
-
- int len = 0;
- off_t begin = 0;
- int i;
- struct ipsec_sa *sa_p, *sa_p2;
- char sa[SATOA_BUF];
- size_t sa_len;
-
- KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
- "klips_debug:ipsec_spigrp_get_info: "
- "buffer=0p%p, *start=0p%p, offset=%d, length=%d\n",
- buffer,
- *start,
- (int)offset,
- length);
-
- spin_lock_bh(&tdb_lock);
-
- for (i = 0; i < SADB_HASHMOD; i++) {
- for (sa_p = ipsec_sadb_hash[i];
- sa_p != NULL;
- sa_p = sa_p->ips_hnext)
- {
- atomic_inc(&sa_p->ips_refcount);
- if(sa_p->ips_inext == NULL) {
- sa_p2 = sa_p;
- while(sa_p2 != NULL) {
- atomic_inc(&sa_p2->ips_refcount);
- sa_len = satoa(sa_p2->ips_said,
- 0, sa, SATOA_BUF);
-
- len += ipsec_snprintf(buffer+len, length-len, "%s ",
- sa_len ? sa : " (error)");
- atomic_dec(&sa_p2->ips_refcount);
- sa_p2 = sa_p2->ips_onext;
- }
- len += ipsec_snprintf(buffer+len, length-len, "\n");
- }
-
- atomic_dec(&sa_p->ips_refcount);
-
- if (len >= max_content) {
- /* we've done all that can fit -- stop loops */
- len = max_content; /* truncate crap */
- goto done_spigrp_i;
- } else {
- const off_t pos = begin + len;
-
- if (pos <= offset) {
- /* all is before first interesting character:
- * discard, but note where we are.
- */
- len = 0;
- begin = pos;
- }
- }
- }
- }
-
- done_spigrp_i:
- spin_unlock_bh(&tdb_lock);
-
- *start = buffer + (offset - begin); /* Start of wanted data */
- return len - (offset - begin);
-}
-
-IPSEC_PROCFS_DEBUG_NO_STATIC
-int
-ipsec_tncfg_get_info(char *buffer,
- char **start,
- off_t offset,
- int length IPSEC_PROC_LAST_ARG)
-{
- /* limit of useful snprintf output */
- const int max_content = length > 0? length-1 : 0;
-
- int len = 0;
- off_t begin = 0;
- int i;
- char name[9];
- struct device *dev, *privdev;
- struct ipsecpriv *priv;
-
- KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
- "klips_debug:ipsec_tncfg_get_info: "
- "buffer=0p%p, *start=0p%p, offset=%d, length=%d\n",
- buffer,
- *start,
- (int)offset,
- length);
-
- for(i = 0; i < IPSEC_NUM_IF; i++) {
- ipsec_snprintf(name, (ssize_t) sizeof(name), IPSEC_DEV_FORMAT, i);
- dev = __ipsec_dev_get(name);
- if(dev) {
- priv = (struct ipsecpriv *)(dev->priv);
- len += ipsec_snprintf(buffer+len, length-len, "%s",
- dev->name);
- if(priv) {
- privdev = (struct device *)(priv->dev);
- len += ipsec_snprintf(buffer+len, length-len, " -> %s",
- privdev ? privdev->name : "NULL");
- len += ipsec_snprintf(buffer+len, length-len, " mtu=%d(%d) -> %d",
- dev->mtu,
- priv->mtu,
- privdev ? privdev->mtu : 0);
- } else {
- KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
- "klips_debug:ipsec_tncfg_get_info: device '%s' has no private data space!\n",
- dev->name);
- }
- len += ipsec_snprintf(buffer+len, length-len, "\n");
-
- if (len >= max_content) {
- /* we've done all that can fit -- stop loop */
- len = max_content; /* truncate crap */
- break;
- } else {
- const off_t pos = begin + len;
- if (pos <= offset) {
- len = 0;
- begin = pos;
- }
- }
- }
- }
- *start = buffer + (offset - begin); /* Start of wanted data */
- len -= (offset - begin); /* Start slop */
- if (len > length)
- len = length;
- return len;
-}
-
-IPSEC_PROCFS_DEBUG_NO_STATIC
-int
-ipsec_version_get_info(char *buffer,
- char **start,
- off_t offset,
- int length IPSEC_PROC_LAST_ARG)
-{
- int len = 0;
- off_t begin = 0;
-
- KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
- "klips_debug:ipsec_version_get_info: "
- "buffer=0p%p, *start=0p%p, offset=%d, length=%d\n",
- buffer,
- *start,
- (int)offset,
- length);
-
- len += ipsec_snprintf(buffer+len, length-len, "strongSwan version: %s\n",
- ipsec_version_code());
-#if 0
- KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
- "klips_debug:ipsec_version_get_info: "
- "ipsec_init version: %s\n",
- ipsec_init_c_version);
- KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
- "klips_debug:ipsec_version_get_info: "
- "ipsec_tunnel version: %s\n",
- ipsec_tunnel_c_version);
- KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
- "klips_debug:ipsec_version_get_info: "
- "ipsec_netlink version: %s\n",
- ipsec_netlink_c_version);
- KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
- "klips_debug:ipsec_version_get_info: "
- "radij_c_version: %s\n",
- radij_c_version);
-#endif
-
- *start = buffer + (offset - begin); /* Start of wanted data */
- len -= (offset - begin); /* Start slop */
- if (len > length)
- len = length;
- return len;
-}
-
-IPSEC_PROCFS_DEBUG_NO_STATIC
-int
-ipsec_birth_info(char *page,
- char **start,
- off_t offset,
- int count,
- int *eof,
- void *data)
-{
- struct ipsec_birth_reply *ibr = (struct ipsec_birth_reply *)data;
- int len;
-
- if(offset >= ibr->packet_template_len) {
- if(eof) {
- *eof=1;
- }
- return 0;
- }
-
- len = ibr->packet_template_len;
- len -= offset;
- if (len > count)
- len = count;
-
- memcpy(page + offset, ibr->packet_template+offset, len);
-
- return len;
-}
-
-IPSEC_PROCFS_DEBUG_NO_STATIC
-int
-ipsec_birth_set(struct file *file, const char *buffer,
- unsigned long count, void *data)
-{
- struct ipsec_birth_reply *ibr = (struct ipsec_birth_reply *)data;
- int len;
-
- MOD_INC_USE_COUNT;
- if(count > IPSEC_BIRTH_TEMPLATE_MAXLEN) {
- len = IPSEC_BIRTH_TEMPLATE_MAXLEN;
- } else {
- len = count;
- }
-
- if(copy_from_user(ibr->packet_template, buffer, len)) {
- MOD_DEC_USE_COUNT;
- return -EFAULT;
- }
- ibr->packet_template_len = len;
-
- MOD_DEC_USE_COUNT;
-
- return len;
-}
-
-
-#ifdef CONFIG_IPSEC_DEBUG
-IPSEC_PROCFS_DEBUG_NO_STATIC
-int
-ipsec_klipsdebug_get_info(char *buffer,
- char **start,
- off_t offset,
- int length IPSEC_PROC_LAST_ARG)
-{
- int len = 0;
- off_t begin = 0;
-
- KLIPS_PRINT(debug_tunnel & DB_TN_PROCFS,
- "klips_debug:ipsec_klipsdebug_get_info: "
- "buffer=0p%p, *start=0p%p, offset=%d, length=%d\n",
- buffer,
- *start,
- (int)offset,
- length);
-
- len += ipsec_snprintf(buffer+len, length-len, "debug_tunnel=%08x.\n", debug_tunnel);
- len += ipsec_snprintf(buffer+len, length-len, "debug_xform=%08x.\n", debug_xform);
- len += ipsec_snprintf(buffer+len, length-len, "debug_eroute=%08x.\n", debug_eroute);
- len += ipsec_snprintf(buffer+len, length-len, "debug_spi=%08x.\n", debug_spi);
- len += ipsec_snprintf(buffer+len, length-len, "debug_radij=%08x.\n", debug_radij);
- len += ipsec_snprintf(buffer+len, length-len, "debug_esp=%08x.\n", debug_esp);
- len += ipsec_snprintf(buffer+len, length-len, "debug_ah=%08x.\n", debug_ah);
- len += ipsec_snprintf(buffer+len, length-len, "debug_rcv=%08x.\n", debug_rcv);
- len += ipsec_snprintf(buffer+len, length-len, "debug_pfkey=%08x.\n", debug_pfkey);
-
- *start = buffer + (offset - begin); /* Start of wanted data */
- len -= (offset - begin); /* Start slop */
- if (len > length)
- len = length;
- return len;
-}
-#endif /* CONFIG_IPSEC_DEBUG */
-
-IPSEC_PROCFS_DEBUG_NO_STATIC
-int
-ipsec_stats_get_int_info(char *buffer,
- char **start,
- off_t offset,
- int length,
- int *eof,
- void *data)
-{
- /* Limit of useful snprintf output */
- const int max_content = length > 0? length-1 : 0;
-
- int len = 0;
- int *thing;
-
- thing = (int *)data;
-
- len = ipsec_snprintf(buffer+len, length-len, "%08x\n", *thing);
-
- if (len >= max_content)
- len = max_content; /* truncate crap */
-
- *start = buffer + offset; /* Start of wanted data */
- return len > offset? len - offset : 0;
-}
-
-#ifndef PROC_FS_2325
-struct proc_dir_entry ipsec_eroute =
-{
- 0,
- 12, "ipsec_eroute",
- S_IFREG | S_IRUGO, 1, 0, 0, 0,
- &proc_net_inode_operations,
- ipsec_eroute_get_info,
- NULL, NULL, NULL, NULL, NULL
-};
-
-struct proc_dir_entry ipsec_spi =
-{
- 0,
- 9, "ipsec_spi",
- S_IFREG | S_IRUGO, 1, 0, 0, 0,
- &proc_net_inode_operations,
- ipsec_spi_get_info,
- NULL, NULL, NULL, NULL, NULL
-};
-
-struct proc_dir_entry ipsec_spigrp =
-{
- 0,
- 12, "ipsec_spigrp",
- S_IFREG | S_IRUGO, 1, 0, 0, 0,
- &proc_net_inode_operations,
- ipsec_spigrp_get_info,
- NULL, NULL, NULL, NULL, NULL
-};
-
-struct proc_dir_entry ipsec_tncfg =
-{
- 0,
- 11, "ipsec_tncfg",
- S_IFREG | S_IRUGO, 1, 0, 0, 0,
- &proc_net_inode_operations,
- ipsec_tncfg_get_info,
- NULL, NULL, NULL, NULL, NULL
-};
-
-struct proc_dir_entry ipsec_version =
-{
- 0,
- 13, "ipsec_version",
- S_IFREG | S_IRUGO, 1, 0, 0, 0,
- &proc_net_inode_operations,
- ipsec_version_get_info,
- NULL, NULL, NULL, NULL, NULL
-};
-
-#ifdef CONFIG_IPSEC_DEBUG
-struct proc_dir_entry ipsec_klipsdebug =
-{
- 0,
- 16, "ipsec_klipsdebug",
- S_IFREG | S_IRUGO, 1, 0, 0, 0,
- &proc_net_inode_operations,
- ipsec_klipsdebug_get_info,
- NULL, NULL, NULL, NULL, NULL
-};
-#endif /* CONFIG_IPSEC_DEBUG */
-#endif /* !PROC_FS_2325 */
-#endif /* CONFIG_PROC_FS */
-
-#if defined(PROC_FS_2325)
-struct ipsec_proc_list {
- char *name;
- struct proc_dir_entry **parent;
- struct proc_dir_entry **dir;
- read_proc_t *readthing;
- write_proc_t *writething;
- void *data;
-};
-static struct ipsec_proc_list proc_items[]={
-#ifdef CONFIG_IPSEC_DEBUG
- {"klipsdebug", &proc_net_ipsec_dir, NULL, ipsec_klipsdebug_get_info, NULL, NULL},
-#endif
- {"eroute", &proc_net_ipsec_dir, &proc_eroute_dir, NULL, NULL, NULL},
- {"all", &proc_eroute_dir, NULL, ipsec_eroute_get_info, NULL, NULL},
- {"spi", &proc_net_ipsec_dir, &proc_spi_dir, NULL, NULL, NULL},
- {"all", &proc_spi_dir, NULL, ipsec_spi_get_info, NULL, NULL},
- {"spigrp", &proc_net_ipsec_dir, &proc_spigrp_dir, NULL, NULL, NULL},
- {"all", &proc_spigrp_dir, NULL, ipsec_spigrp_get_info, NULL, NULL},
- {"birth", &proc_net_ipsec_dir, &proc_birth_dir, NULL, NULL, NULL},
- {"ipv4", &proc_birth_dir, NULL, ipsec_birth_info, ipsec_birth_set, (void *)&ipsec_ipv4_birth_packet},
- {"ipv6", &proc_birth_dir, NULL, ipsec_birth_info, ipsec_birth_set, (void *)&ipsec_ipv6_birth_packet},
- {"xforms", &proc_net_ipsec_dir, NULL, ipsec_xform_get_info, NULL, NULL},
- {"tncfg", &proc_net_ipsec_dir, NULL, ipsec_tncfg_get_info, NULL, NULL},
- {"stats", &proc_net_ipsec_dir, &proc_stats_dir, NULL, NULL, NULL},
- {"trap_count", &proc_stats_dir, NULL, ipsec_stats_get_int_info, NULL, &ipsec_xmit_trap_count},
- {"trap_sendcount", &proc_stats_dir, NULL, ipsec_stats_get_int_info, NULL, &ipsec_xmit_trap_sendcount},
- {"version", &proc_net_ipsec_dir, NULL, ipsec_version_get_info, NULL, NULL},
- {NULL, NULL, NULL, NULL, NULL, NULL}
-};
-#endif
-
-int
-ipsec_proc_init()
-{
- int error = 0;
-#ifdef IPSEC_PROC_SUBDIRS
- struct proc_dir_entry *item;
-#endif
-
- /*
- * just complain because pluto won't run without /proc!
- */
-#ifndef CONFIG_PROC_FS
-#error You must have PROC_FS built in to use KLIPS
-#endif
-
- /* for 2.0 kernels */
-#if !defined(PROC_FS_2325) && !defined(PROC_FS_21)
- error |= proc_register_dynamic(&proc_net, &ipsec_eroute);
- error |= proc_register_dynamic(&proc_net, &ipsec_spi);
- error |= proc_register_dynamic(&proc_net, &ipsec_spigrp);
- error |= proc_register_dynamic(&proc_net, &ipsec_tncfg);
- error |= proc_register_dynamic(&proc_net, &ipsec_version);
-#ifdef CONFIG_IPSEC_DEBUG
- error |= proc_register_dynamic(&proc_net, &ipsec_klipsdebug);
-#endif /* CONFIG_IPSEC_DEBUG */
-#endif
-
- /* for 2.2 kernels */
-#if !defined(PROC_FS_2325) && defined(PROC_FS_21)
- error |= proc_register(proc_net, &ipsec_eroute);
- error |= proc_register(proc_net, &ipsec_spi);
- error |= proc_register(proc_net, &ipsec_spigrp);
- error |= proc_register(proc_net, &ipsec_tncfg);
- error |= proc_register(proc_net, &ipsec_version);
-#ifdef CONFIG_IPSEC_DEBUG
- error |= proc_register(proc_net, &ipsec_klipsdebug);
-#endif /* CONFIG_IPSEC_DEBUG */
-#endif
-
- /* for 2.4 kernels */
-#if defined(PROC_FS_2325)
- /* create /proc/net/ipsec */
-
- /* zero these out before we initialize /proc/net/ipsec/birth/stuff */
- memset(&ipsec_ipv4_birth_packet, 0, sizeof(struct ipsec_birth_reply));
- memset(&ipsec_ipv6_birth_packet, 0, sizeof(struct ipsec_birth_reply));
-
- proc_net_ipsec_dir = proc_mkdir("ipsec", proc_net);
- if(proc_net_ipsec_dir == NULL) {
- /* no point in continuing */
- return 1;
- }
-
- {
- struct ipsec_proc_list *it;
-
- it=proc_items;
- while(it->name!=NULL) {
- if(it->dir) {
- /* make a dir instead */
- item = proc_mkdir(it->name, *it->parent);
- *it->dir = item;
- } else {
- item = create_proc_entry(it->name, 0400, *it->parent);
- }
- if(item) {
- item->read_proc = it->readthing;
- item->write_proc = it->writething;
- item->data = it->data;
-#ifdef MODULE
- item->owner = THIS_MODULE;
-#endif
- } else {
- error |= 1;
- }
- it++;
- }
- }
-
- /* now create some symlinks to provide compatibility */
- proc_symlink("ipsec_eroute", proc_net, "ipsec/eroute/all");
- proc_symlink("ipsec_spi", proc_net, "ipsec/spi/all");
- proc_symlink("ipsec_spigrp", proc_net, "ipsec/spigrp/all");
- proc_symlink("ipsec_tncfg", proc_net, "ipsec/tncfg");
- proc_symlink("ipsec_version",proc_net, "ipsec/version");
- proc_symlink("ipsec_klipsdebug",proc_net,"ipsec/klipsdebug");
-
-#endif /* !PROC_FS_2325 */
-
- return error;
-}
-
-void
-ipsec_proc_cleanup()
-{
-
- /* for 2.0 and 2.2 kernels */
-#if !defined(PROC_FS_2325)
-
-#ifdef CONFIG_IPSEC_DEBUG
- if (proc_net_unregister(ipsec_klipsdebug.low_ino) != 0)
- printk("klips_debug:ipsec_cleanup: "
- "cannot unregister /proc/net/ipsec_klipsdebug\n");
-#endif /* CONFIG_IPSEC_DEBUG */
-
- if (proc_net_unregister(ipsec_version.low_ino) != 0)
- printk("klips_debug:ipsec_cleanup: "
- "cannot unregister /proc/net/ipsec_version\n");
- if (proc_net_unregister(ipsec_eroute.low_ino) != 0)
- printk("klips_debug:ipsec_cleanup: "
- "cannot unregister /proc/net/ipsec_eroute\n");
- if (proc_net_unregister(ipsec_spi.low_ino) != 0)
- printk("klips_debug:ipsec_cleanup: "
- "cannot unregister /proc/net/ipsec_spi\n");
- if (proc_net_unregister(ipsec_spigrp.low_ino) != 0)
- printk("klips_debug:ipsec_cleanup: "
- "cannot unregister /proc/net/ipsec_spigrp\n");
- if (proc_net_unregister(ipsec_tncfg.low_ino) != 0)
- printk("klips_debug:ipsec_cleanup: "
- "cannot unregister /proc/net/ipsec_tncfg\n");
-#endif
-
- /* for 2.4 kernels */
-#if defined(PROC_FS_2325)
- {
- struct ipsec_proc_list *it;
-
- /* find end of list */
- it=proc_items;
- while(it->name!=NULL) {
- it++;
- }
- it--;
-
- do {
- remove_proc_entry(it->name, *it->parent);
- it--;
- } while(it > proc_items);
- }
-
-
-#ifdef CONFIG_IPSEC_DEBUG
- remove_proc_entry("ipsec_klipsdebug", proc_net);
-#endif /* CONFIG_IPSEC_DEBUG */
- remove_proc_entry("ipsec_eroute", proc_net);
- remove_proc_entry("ipsec_spi", proc_net);
- remove_proc_entry("ipsec_spigrp", proc_net);
- remove_proc_entry("ipsec_tncfg", proc_net);
- remove_proc_entry("ipsec_version", proc_net);
- remove_proc_entry("ipsec", proc_net);
-#endif /* 2.4 kernel */
-}
-
-
diff --git a/linux/net/ipsec/ipsec_radij.c b/linux/net/ipsec/ipsec_radij.c
deleted file mode 100644
index b20eb7a6f..000000000
--- a/linux/net/ipsec/ipsec_radij.c
+++ /dev/null
@@ -1,550 +0,0 @@
-/*
- * Interface between the IPSEC code and the radix (radij) tree code
- * Copyright (C) 1996, 1997 John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_radij.c,v 1.5 2005/04/10 21:38:32 as Exp $
- */
-
-#include <linux/config.h>
-#include <linux/version.h>
-#include <linux/kernel.h> /* printk() */
-
-#include "freeswan/ipsec_param.h"
-
-#ifdef MALLOC_SLAB
-# include <linux/slab.h> /* kmalloc() */
-#else /* MALLOC_SLAB */
-# include <linux/malloc.h> /* kmalloc() */
-#endif /* MALLOC_SLAB */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/interrupt.h> /* mark_bh */
-
-#include <linux/netdevice.h> /* struct device, struct net_device_stats and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/ip.h> /* struct iphdr */
-#include <linux/skbuff.h>
-#include <freeswan.h>
-#ifdef SPINLOCK
-# ifdef SPINLOCK_23
-# include <linux/spinlock.h> /* *lock* */
-# else /* 23_SPINLOCK */
-# include <asm/spinlock.h> /* *lock* */
-# endif /* 23_SPINLOCK */
-#endif /* SPINLOCK */
-#ifdef NET_21
-# include <asm/uaccess.h>
-# include <linux/in6.h>
-#endif
-#include <asm/checksum.h>
-#include <net/ip.h>
-
-#include "freeswan/ipsec_eroute.h"
-#include "freeswan/ipsec_sa.h"
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_radij.h"
-#include "freeswan/ipsec_tunnel.h" /* struct ipsecpriv */
-#include "freeswan/ipsec_xform.h"
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "freeswan/ipsec_proto.h"
-
-#ifdef CONFIG_IPSEC_DEBUG
-int debug_radij = 0;
-#endif /* CONFIG_IPSEC_DEBUG */
-
-struct radij_node_head *rnh = NULL;
-#ifdef SPINLOCK
-spinlock_t eroute_lock = SPIN_LOCK_UNLOCKED;
-#else /* SPINLOCK */
-spinlock_t eroute_lock;
-#endif /* SPINLOCK */
-
-int
-ipsec_radijinit(void)
-{
- maj_keylen = sizeof (struct sockaddr_encap);
-
- rj_init();
-
- if (rj_inithead((void **)&rnh, /*16*/offsetof(struct sockaddr_encap, sen_type) * sizeof(__u8)) == 0) /* 16 is bit offset of sen_type */
- return -1;
- return 0;
-}
-
-int
-ipsec_radijcleanup(void)
-{
- int error;
-
- spin_lock_bh(&eroute_lock);
-
- error = radijcleanup();
-
- spin_unlock_bh(&eroute_lock);
-
- return error;
-}
-
-int
-ipsec_cleareroutes(void)
-{
- int error;
-
- spin_lock_bh(&eroute_lock);
-
- error = radijcleartree();
-
- spin_unlock_bh(&eroute_lock);
-
- return error;
-}
-
-int
-ipsec_breakroute(struct sockaddr_encap *eaddr,
- struct sockaddr_encap *emask,
- struct sk_buff **first,
- struct sk_buff **last)
-{
- struct eroute *ro;
- struct radij_node *rn;
- int error;
-#ifdef CONFIG_IPSEC_DEBUG
-
- if (debug_eroute) {
- char buf1[SUBNETTOA_BUF], buf2[SUBNETTOA_BUF];
-
- subnettoa(eaddr->sen_ip_src, emask->sen_ip_src, 0, buf1, sizeof(buf1));
- subnettoa(eaddr->sen_ip_dst, emask->sen_ip_dst, 0, buf2, sizeof(buf2));
- KLIPS_PRINT(debug_eroute,
- "klips_debug:ipsec_breakroute: "
- "attempting to delete eroute for %s:%d->%s:%d %d\n",
- buf1, ntohs(eaddr->sen_sport),
- buf2, ntohs(eaddr->sen_dport), eaddr->sen_proto);
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-
- spin_lock_bh(&eroute_lock);
-
- if ((error = rj_delete(eaddr, emask, rnh, &rn)) != 0) {
- spin_unlock_bh(&eroute_lock);
- KLIPS_PRINT(debug_eroute,
- "klips_debug:ipsec_breakroute: "
- "node not found, eroute delete failed.\n");
- return error;
- }
-
- spin_unlock_bh(&eroute_lock);
-
- ro = (struct eroute *)rn;
-
- KLIPS_PRINT(debug_eroute,
- "klips_debug:ipsec_breakroute: "
- "deleted eroute=0p%p, ident=0p%p->0p%p, first=0p%p, last=0p%p\n",
- ro,
- ro->er_ident_s.data,
- ro->er_ident_d.data,
- ro->er_first,
- ro->er_last);
-
- if (ro->er_ident_s.data != NULL) {
- kfree(ro->er_ident_s.data);
- }
- if (ro->er_ident_d.data != NULL) {
- kfree(ro->er_ident_d.data);
- }
- if (ro->er_first != NULL) {
-#if 0
- struct net_device_stats *stats = (struct net_device_stats *) &(((struct ipsecpriv *)(ro->er_first->dev->priv))->mystats);
- stats->tx_dropped--;
-#endif
- *first = ro->er_first;
- }
- if (ro->er_last != NULL) {
-#if 0
- struct net_device_stats *stats = (struct net_device_stats *) &(((struct ipsecpriv *)(ro->er_last->dev->priv))->mystats);
- stats->tx_dropped--;
-#endif
- *last = ro->er_last;
- }
-
- if (rn->rj_flags & (RJF_ACTIVE | RJF_ROOT))
- panic ("ipsec_breakroute RMT_DELEROUTE root or active node\n");
- memset((caddr_t)rn, 0, sizeof (struct eroute));
- kfree(rn);
-
- return 0;
-}
-
-int
-ipsec_makeroute(struct sockaddr_encap *eaddr,
- struct sockaddr_encap *emask,
- struct sa_id said,
- uint32_t pid,
- struct sk_buff *skb,
- struct ident *ident_s,
- struct ident *ident_d)
-{
- struct eroute *retrt;
- int error;
- char sa[SATOA_BUF];
- size_t sa_len;
-#ifdef CONFIG_IPSEC_DEBUG
-
- if (debug_eroute) {
- {
- char buf1[SUBNETTOA_BUF], buf2[SUBNETTOA_BUF];
-
- subnettoa(eaddr->sen_ip_src, emask->sen_ip_src, 0, buf1, sizeof(buf1));
- subnettoa(eaddr->sen_ip_dst, emask->sen_ip_dst, 0, buf2, sizeof(buf2));
- sa_len = satoa(said, 0, sa, SATOA_BUF);
- KLIPS_PRINT(debug_eroute,
- "klips_debug:ipsec_makeroute: "
- "attempting to allocate %lu bytes to insert eroute for %s:%d->%s:%d %d, SA: %s, PID:%d, skb=0p%p, ident:%s->%s\n",
- (unsigned long) sizeof(struct eroute),
- buf1, ntohs(eaddr->sen_sport),
- buf2, ntohs(eaddr->sen_dport),
- eaddr->sen_proto,
- sa_len ? sa : " (error)",
- pid,
- skb,
- (ident_s ? (ident_s->data ? ident_s->data : "NULL") : "NULL"),
- (ident_d ? (ident_d->data ? ident_d->data : "NULL") : "NULL"));
- }
- {
- char buf1[sizeof(struct sockaddr_encap)*2 + 1];
- char buf2[sizeof(struct sockaddr_encap)*2 + 1];
- int i;
- unsigned char *b1 = buf1,
- *b2 = buf2,
- *ea = (unsigned char *)eaddr,
- *em = (unsigned char *)emask;
-
- for (i=0; i<sizeof(struct sockaddr_encap); i++) {
- sprintf(b1, "%02x", ea[i]);
- sprintf(b2, "%02x", em[i]);
- b1+=2;
- b2+=2;
- }
- KLIPS_PRINT(debug_eroute, "klips_debug:ipsec_makeroute: %s / %s \n", buf1, buf2);
- }
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-
- retrt = (struct eroute *)kmalloc(sizeof (struct eroute), GFP_ATOMIC);
- if (retrt == NULL) {
- printk("klips_error:ipsec_makeroute: "
- "not able to allocate kernel memory");
- return -ENOMEM;
- }
- memset((caddr_t)retrt, 0, sizeof (struct eroute));
-
- retrt->er_eaddr = *eaddr;
- retrt->er_emask = *emask;
- retrt->er_said = said;
- retrt->er_pid = pid;
- retrt->er_count = 0;
- retrt->er_lasttime = jiffies/HZ;
- {
- struct sockaddr_encap **rkeyp = (struct sockaddr_encap**)&((retrt->er_rjt).rd_nodes->rj_key);
- *rkeyp = &(retrt->er_eaddr);
- }
-
- if (ident_s && ident_s->type != SADB_IDENTTYPE_RESERVED) {
- int data_len = ident_s->len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
-
- retrt->er_ident_s.type = ident_s->type;
- retrt->er_ident_s.id = ident_s->id;
- retrt->er_ident_s.len = ident_s->len;
- if(data_len) {
- KLIPS_PRINT(debug_eroute,
- "klips_debug:ipsec_makeroute: "
- "attempting to allocate %u bytes for ident_s.\n",
- data_len);
- if(!(retrt->er_ident_s.data = kmalloc(data_len, GFP_KERNEL))) {
- kfree(retrt);
- printk("klips_error:ipsec_makeroute: not able to allocate kernel memory (%d)\n", data_len);
- return ENOMEM;
- }
- memcpy(retrt->er_ident_s.data, ident_s->data, data_len);
- } else {
- retrt->er_ident_s.data = NULL;
- }
- }
-
- if (ident_d && ident_d->type != SADB_IDENTTYPE_RESERVED) {
- int data_len = ident_d->len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
-
- retrt->er_ident_d.type = ident_d->type;
- retrt->er_ident_d.id = ident_d->id;
- retrt->er_ident_d.len = ident_d->len;
- if(data_len) {
- KLIPS_PRINT(debug_eroute,
- "klips_debug:ipsec_makeroute: "
- "attempting to allocate %u bytes for ident_d.\n",
- data_len);
- if(!(retrt->er_ident_d.data = kmalloc(data_len, GFP_KERNEL))) {
- if (retrt->er_ident_s.data)
- kfree(retrt->er_ident_s.data);
- kfree(retrt);
- printk("klips_error:ipsec_makeroute: not able to allocate kernel memory (%d)\n", data_len);
- return ENOMEM;
- }
- memcpy(retrt->er_ident_d.data, ident_d->data, data_len);
- } else {
- retrt->er_ident_d.data = NULL;
- }
- }
- retrt->er_first = skb;
- retrt->er_last = NULL;
-
- KLIPS_PRINT(debug_eroute,
- "klips_debug:ipsec_makeroute: "
- "calling rj_addroute now\n");
-
- spin_lock_bh(&eroute_lock);
-
- error = rj_addroute(&(retrt->er_eaddr), &(retrt->er_emask),
- rnh, retrt->er_rjt.rd_nodes);
-
- spin_unlock_bh(&eroute_lock);
-
- if(error) {
- sa_len = satoa(said, 0, sa, SATOA_BUF);
- KLIPS_PRINT(debug_eroute,
- "klips_debug:ipsec_makeroute: "
- "rj_addroute not able to insert eroute for SA:%s (error:%d)\n",
- sa_len ? sa : " (error)", error);
- if (retrt->er_ident_s.data)
- kfree(retrt->er_ident_s.data);
- if (retrt->er_ident_d.data)
- kfree(retrt->er_ident_d.data);
-
- kfree(retrt);
-
- return error;
- }
-
-#ifdef CONFIG_IPSEC_DEBUG
- if (debug_eroute) {
- char buf1[SUBNETTOA_BUF], buf2[SUBNETTOA_BUF];
-/*
- subnettoa(eaddr->sen_ip_src, emask->sen_ip_src, 0, buf1, sizeof(buf1));
- subnettoa(eaddr->sen_ip_dst, emask->sen_ip_dst, 0, buf2, sizeof(buf2));
-*/
- subnettoa(rd_key((&(retrt->er_rjt)))->sen_ip_src, rd_mask((&(retrt->er_rjt)))->sen_ip_src, 0, buf1, sizeof(buf1));
- subnettoa(rd_key((&(retrt->er_rjt)))->sen_ip_dst, rd_mask((&(retrt->er_rjt)))->sen_ip_dst, 0, buf2, sizeof(buf2));
- sa_len = satoa(retrt->er_said, 0, sa, SATOA_BUF);
-
- KLIPS_PRINT(debug_eroute,
- "klips_debug:ipsec_makeroute: "
- "pid=%05d "
- "count=%10d "
- "lasttime=%6d "
- "%-18s -> %-18s => %s\n",
- retrt->er_pid,
- retrt->er_count,
- (int)(jiffies/HZ - retrt->er_lasttime),
- buf1,
- buf2,
- sa_len ? sa : " (error)");
- }
-#endif /* CONFIG_IPSEC_DEBUG */
- KLIPS_PRINT(debug_eroute,
- "klips_debug:ipsec_makeroute: "
- "succeeded.\n");
- return 0;
-}
-
-struct eroute *
-ipsec_findroute(struct sockaddr_encap *eaddr)
-{
- struct radij_node *rn;
-#ifdef CONFIG_IPSEC_DEBUG
- char buf1[ADDRTOA_BUF], buf2[ADDRTOA_BUF];
-
- if (debug_radij & DB_RJ_FINDROUTE) {
- addrtoa(eaddr->sen_ip_src, 0, buf1, sizeof(buf1));
- addrtoa(eaddr->sen_ip_dst, 0, buf2, sizeof(buf2));
- KLIPS_PRINT(debug_eroute,
- "klips_debug:ipsec_findroute: "
- "%s:%d->%s:%d %d\n",
- buf1, ntohs(eaddr->sen_sport),
- buf2, ntohs(eaddr->sen_dport),
- eaddr->sen_proto);
- }
-#endif /* CONFIG_IPSEC_DEBUG */
- rn = rj_match((caddr_t)eaddr, rnh);
- if(rn) {
- KLIPS_PRINT(debug_eroute && sysctl_ipsec_debug_verbose,
- "klips_debug:ipsec_findroute: "
- "found, points to proto=%d, spi=%x, dst=%x.\n",
- ((struct eroute*)rn)->er_said.proto,
- ntohl(((struct eroute*)rn)->er_said.spi),
- ntohl(((struct eroute*)rn)->er_said.dst.s_addr));
- }
- return (struct eroute *)rn;
-}
-
-#ifdef CONFIG_PROC_FS
-/** ipsec_rj_walker_procprint: print one line of eroute table output.
- *
- * Theoretical BUG: if w->length is less than the length
- * of some line we should produce, that line will never
- * be finished. In effect, the "file" will stop part way
- * through that line.
- */
-int
-ipsec_rj_walker_procprint(struct radij_node *rn, void *w0)
-{
- struct eroute *ro = (struct eroute *)rn;
- struct rjtentry *rd = (struct rjtentry *)rn;
- struct wsbuf *w = (struct wsbuf *)w0;
- char buf1[SUBNETTOA_BUF], buf2[SUBNETTOA_BUF];
- char buf3[16];
- char sa[SATOA_BUF];
- size_t sa_len, buf_len;
- struct sockaddr_encap *key, *mask;
-
- KLIPS_PRINT(debug_radij,
- "klips_debug:ipsec_rj_walker_procprint: "
- "rn=0p%p, w0=0p%p\n",
- rn,
- w0);
- if (rn->rj_b >= 0) {
- return 0;
- }
-
- key = rd_key(rd);
- mask = rd_mask(rd);
-
- if (key == NULL || mask == NULL) {
- return 0;
- }
-
- buf_len = subnettoa(key->sen_ip_src, mask->sen_ip_src, 0, buf1, sizeof(buf1));
- if(key->sen_sport != 0) {
- sprintf(buf1+buf_len-1, ":%d", ntohs(key->sen_sport));
- }
-
- buf_len = subnettoa(key->sen_ip_dst, mask->sen_ip_dst, 0, buf2, sizeof(buf2));
- if(key->sen_dport != 0) {
- sprintf(buf2+buf_len-1, ":%d", ntohs(key->sen_dport));
- }
-
- buf3[0]='\0';
- if(key->sen_proto != 0) {
- sprintf(buf3, ":%d", key->sen_proto);
- }
-
- sa_len = satoa(ro->er_said, 0, sa, SATOA_BUF);
-
- w->len += ipsec_snprintf(w->buffer + w->len,
- w->length - w->len,
- "%-10d "
- "%-18s -> %-18s => %s%s\n",
- ro->er_count,
- buf1,
- buf2,
- sa_len ? sa : " (error)",
- buf3);
-
- {
- /* snprintf can only fill the last character with NUL
- * so the maximum useful character is w->length-1.
- * However, if w->length == 0, we cannot go back.
- * (w->length surely cannot be negative.)
- */
- int max_content = w->length > 0? w->length-1 : 0;
-
- if (w->len >= max_content) {
- /* we've done all that can fit -- stop treewalking */
- w->len = max_content; /* truncate crap */
- return -ENOBUFS;
- } else {
- const off_t pos = w->begin + w->len; /* file position of end of what we've generated */
-
- if (pos <= w->offset) {
- /* all is before first interesting character:
- * discard, but note where we are.
- */
- w->len = 0;
- w->begin = pos;
- }
- return 0;
- }
- }
-}
-#endif /* CONFIG_PROC_FS */
-
-int
-ipsec_rj_walker_delete(struct radij_node *rn, void *w0)
-{
- struct eroute *ro;
- struct rjtentry *rd = (struct rjtentry *)rn;
- struct radij_node *rn2;
- int error;
- struct sockaddr_encap *key, *mask;
-
- key = rd_key(rd);
- mask = rd_mask(rd);
-
- if(!key || !mask) {
- return -ENODATA;
- }
-#ifdef CONFIG_IPSEC_DEBUG
- if(debug_radij) {
- char buf1[SUBNETTOA_BUF], buf2[SUBNETTOA_BUF];
-
- subnettoa(key->sen_ip_src, mask->sen_ip_src, 0, buf1, sizeof(buf1));
- subnettoa(key->sen_ip_dst, mask->sen_ip_dst, 0, buf2, sizeof(buf2));
- KLIPS_PRINT(debug_radij,
- "klips_debug:ipsec_rj_walker_delete: "
- "deleting: %s -> %s\n",
- buf1,
- buf2);
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-
- if((error = rj_delete(key, mask, rnh, &rn2))) {
- KLIPS_PRINT(debug_radij,
- "klips_debug:ipsec_rj_walker_delete: "
- "rj_delete failed with error=%d.\n", error);
- return error;
- }
-
- if(rn2 != rn) {
- printk("klips_debug:ipsec_rj_walker_delete: "
- "tried to delete a different node?!? This should never happen!\n");
- }
-
- ro = (struct eroute *)rn;
-
- if (ro->er_ident_s.data)
- kfree(ro->er_ident_s.data);
- if (ro->er_ident_d.data)
- kfree(ro->er_ident_d.data);
-
- memset((caddr_t)rn, 0, sizeof (struct eroute));
- kfree(rn);
-
- return 0;
-}
-
diff --git a/linux/net/ipsec/ipsec_rcv.c b/linux/net/ipsec/ipsec_rcv.c
deleted file mode 100644
index 4df839fe2..000000000
--- a/linux/net/ipsec/ipsec_rcv.c
+++ /dev/null
@@ -1,2204 +0,0 @@
-/*
- * receive code
- * Copyright (C) 1996, 1997 John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-char ipsec_rcv_c_version[] = "RCSID $Id: ipsec_rcv.c,v 1.5 2005/04/10 21:38:32 as Exp $";
-
-#include <linux/config.h>
-#include <linux/version.h>
-
-#define __NO_VERSION__
-#include <linux/module.h>
-#include <linux/kernel.h> /* printk() */
-
-#include "freeswan/ipsec_param.h"
-
-#ifdef MALLOC_SLAB
-# include <linux/slab.h> /* kmalloc() */
-#else /* MALLOC_SLAB */
-# include <linux/malloc.h> /* kmalloc() */
-#endif /* MALLOC_SLAB */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/interrupt.h> /* mark_bh */
-
-#include <linux/netdevice.h> /* struct device, and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/ip.h> /* struct iphdr */
-#include <linux/skbuff.h>
-#include <freeswan.h>
-#ifdef SPINLOCK
-# ifdef SPINLOCK_23
-# include <linux/spinlock.h> /* *lock* */
-# else /* SPINLOCK_23 */
-# include <asm/spinlock.h> /* *lock* */
-# endif /* SPINLOCK_23 */
-#endif /* SPINLOCK */
-#ifdef NET_21
-# include <asm/uaccess.h>
-# include <linux/in6.h>
-# define proto_priv cb
-#endif /* NET21 */
-#include <asm/checksum.h>
-#include <net/ip.h>
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_sa.h"
-
-#include "freeswan/ipsec_radij.h"
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_tunnel.h"
-#include "freeswan/ipsec_rcv.h"
-
-#if defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH)
-#include "freeswan/ipsec_ah.h"
-#endif /* defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH) */
-
-#ifdef CONFIG_IPSEC_ESP
-#include "freeswan/ipsec_esp.h"
-#endif /* !CONFIG_IPSEC_ESP */
-
-#ifdef CONFIG_IPSEC_IPCOMP
-#include "freeswan/ipcomp.h"
-#endif /* CONFIG_IPSEC_COMP */
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "freeswan/ipsec_proto.h"
-#include "freeswan/ipsec_alg.h"
-
-#ifdef CONFIG_IPSEC_DEBUG
-int debug_ah = 0;
-int debug_esp = 0;
-int debug_rcv = 0;
-#endif /* CONFIG_IPSEC_DEBUG */
-
-int sysctl_ipsec_inbound_policy_check = 1;
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-#include <linux/udp.h>
-#endif
-
-#ifdef CONFIG_IPSEC_DEBUG
-static void
-rcv_dmp(char *s, caddr_t bb, int len)
-{
- int i;
- unsigned char *b = bb;
-
- if (debug_rcv && sysctl_ipsec_debug_verbose) {
- printk(KERN_INFO "klips_debug:ipsec_tunnel_:dmp: "
- "at %s, len=%d:",
- s,
- len);
- for (i=0; i < len; i++) {
- if(!(i%16)){
- printk("\nklips_debug: ");
- }
- printk(" %02x", *b++);
- }
- printk("\n");
- }
-}
-#else /* CONFIG_IPSEC_DEBUG */
-#define rcv_dmp(_x, _y, _z)
-#endif /* CONFIG_IPSEC_DEBUG */
-
-
-#if defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH)
-__u32 zeroes[AH_AMAX];
-#endif /* defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH) */
-
-/*
- * Check-replay-window routine, adapted from the original
- * by J. Hughes, from draft-ietf-ipsec-esp-des-md5-03.txt
- *
- * This is a routine that implements a 64 packet window. This is intend-
- * ed on being an implementation sample.
- */
-
-DEBUG_NO_STATIC int
-ipsec_checkreplaywindow(struct ipsec_sa*ipsp, __u32 seq)
-{
- __u32 diff;
-
- if (ipsp->ips_replaywin == 0) /* replay shut off */
- return 1;
- if (seq == 0)
- return 0; /* first == 0 or wrapped */
-
- /* new larger sequence number */
- if (seq > ipsp->ips_replaywin_lastseq) {
- return 1; /* larger is good */
- }
- diff = ipsp->ips_replaywin_lastseq - seq;
-
- /* too old or wrapped */ /* if wrapped, kill off SA? */
- if (diff >= ipsp->ips_replaywin) {
- return 0;
- }
- /* this packet already seen */
- if (ipsp->ips_replaywin_bitmap & (1 << diff))
- return 0;
- return 1; /* out of order but good */
-}
-
-DEBUG_NO_STATIC int
-ipsec_updatereplaywindow(struct ipsec_sa*ipsp, __u32 seq)
-{
- __u32 diff;
-
- if (ipsp->ips_replaywin == 0) /* replay shut off */
- return 1;
- if (seq == 0)
- return 0; /* first == 0 or wrapped */
-
- /* new larger sequence number */
- if (seq > ipsp->ips_replaywin_lastseq) {
- diff = seq - ipsp->ips_replaywin_lastseq;
-
- /* In win, set bit for this pkt */
- if (diff < ipsp->ips_replaywin)
- ipsp->ips_replaywin_bitmap =
- (ipsp->ips_replaywin_bitmap << diff) | 1;
- else
- /* This packet has way larger seq num */
- ipsp->ips_replaywin_bitmap = 1;
-
- if(seq - ipsp->ips_replaywin_lastseq - 1 > ipsp->ips_replaywin_maxdiff) {
- ipsp->ips_replaywin_maxdiff = seq - ipsp->ips_replaywin_lastseq - 1;
- }
- ipsp->ips_replaywin_lastseq = seq;
- return 1; /* larger is good */
- }
- diff = ipsp->ips_replaywin_lastseq - seq;
-
- /* too old or wrapped */ /* if wrapped, kill off SA? */
- if (diff >= ipsp->ips_replaywin) {
-/*
- if(seq < 0.25*max && ipsp->ips_replaywin_lastseq > 0.75*max) {
- ipsec_sa_delchain(ipsp);
- }
-*/
- return 0;
- }
- /* this packet already seen */
- if (ipsp->ips_replaywin_bitmap & (1 << diff))
- return 0;
- ipsp->ips_replaywin_bitmap |= (1 << diff); /* mark as seen */
- return 1; /* out of order but good */
-}
-
-#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
-struct auth_alg ipsec_rcv_md5[]={
- {MD5Init, MD5Update, MD5Final, AHMD596_ALEN}
-};
-
-#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
-
-#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
-struct auth_alg ipsec_rcv_sha1[]={
- {SHA1Init, SHA1Update, SHA1Final, AHSHA196_ALEN}
-};
-#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
-
-enum ipsec_rcv_value {
- IPSEC_RCV_LASTPROTO=1,
- IPSEC_RCV_OK=0,
- IPSEC_RCV_BADPROTO=-1,
- IPSEC_RCV_BADLEN=-2,
- IPSEC_RCV_ESP_BADALG=-3,
- IPSEC_RCV_3DES_BADBLOCKING=-4,
- IPSEC_RCV_ESP_DECAPFAIL=-5,
- IPSEC_RCV_DECAPFAIL=-6,
- IPSEC_RCV_SAIDNOTFOUND=-7,
- IPSEC_RCV_IPCOMPALONE=-8,
- IPSEC_RCV_IPCOMPFAILED=-10,
- IPSEC_RCV_SAIDNOTLIVE=-11,
- IPSEC_RCV_FAILEDINBOUND=-12,
- IPSEC_RCV_LIFETIMEFAILED=-13,
- IPSEC_RCV_BADAUTH=-14,
- IPSEC_RCV_REPLAYFAILED=-15,
- IPSEC_RCV_AUTHFAILED=-16,
- IPSEC_RCV_REPLAYROLLED=-17,
- IPSEC_RCV_BAD_DECRYPT=-18
-};
-
-struct ipsec_rcv_state {
- struct sk_buff *skb;
- struct net_device_stats *stats;
- struct iphdr *ipp;
- struct ipsec_sa *ipsp;
- int len;
- int ilen;
- int authlen;
- int hard_header_len;
- int iphlen;
- struct auth_alg *authfuncs;
- struct sa_id said;
- char sa[SATOA_BUF];
- size_t sa_len;
- __u8 next_header;
- __u8 hash[AH_AMAX];
- char ipsaddr_txt[ADDRTOA_BUF];
- char ipdaddr_txt[ADDRTOA_BUF];
- __u8 *octx;
- __u8 *ictx;
- int ictx_len;
- int octx_len;
- union {
- struct {
- struct esphdr *espp;
- } espstuff;
- struct {
- struct ahhdr *ahp;
- } ahstuff;
- struct {
- struct ipcomphdr *compp;
- } ipcompstuff;
- } protostuff;
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- __u16 natt_len;
- __u16 natt_sport;
- __u16 natt_dport;
- __u8 natt_type;
-#endif
-};
-
-struct xform_functions {
- enum ipsec_rcv_value (*checks)(struct ipsec_rcv_state *irs,
- struct sk_buff *skb);
- enum ipsec_rcv_value (*decrypt)(struct ipsec_rcv_state *irs);
-
- enum ipsec_rcv_value (*setup_auth)(struct ipsec_rcv_state *irs,
- struct sk_buff *skb,
- __u32 *replay,
- unsigned char **authenticator);
- enum ipsec_rcv_value (*calc_auth)(struct ipsec_rcv_state *irs,
- struct sk_buff *skb);
-};
-
-#ifdef CONFIG_IPSEC_ESP
-enum ipsec_rcv_value
-ipsec_rcv_esp_checks(struct ipsec_rcv_state *irs,
- struct sk_buff *skb)
-{
- __u8 proto;
- int len; /* packet length */
-
- len = skb->len;
- proto = irs->ipp->protocol;
-
- /* XXX this will need to be 8 for IPv6 */
- if ((proto == IPPROTO_ESP) && ((len - irs->iphlen) % 4)) {
- printk("klips_error:ipsec_rcv: "
- "got packet with content length = %d from %s -- should be on 4 octet boundary, packet dropped\n",
- len - irs->iphlen,
- irs->ipsaddr_txt);
- if(irs->stats) {
- irs->stats->rx_errors++;
- }
- return IPSEC_RCV_BADLEN;
- }
-
- if(skb->len < (irs->hard_header_len + sizeof(struct iphdr) + sizeof(struct esphdr))) {
- KLIPS_PRINT(debug_rcv & DB_RX_INAU,
- "klips_debug:ipsec_rcv: "
- "runt esp packet of skb->len=%d received from %s, dropped.\n",
- skb->len,
- irs->ipsaddr_txt);
- if(irs->stats) {
- irs->stats->rx_errors++;
- }
- return IPSEC_RCV_BADLEN;
- }
-
- irs->protostuff.espstuff.espp = (struct esphdr *)(skb->data + irs->iphlen);
- irs->said.spi = irs->protostuff.espstuff.espp->esp_spi;
-
- return IPSEC_RCV_OK;
-}
-
-enum ipsec_rcv_value
-ipsec_rcv_esp_decrypt_setup(struct ipsec_rcv_state *irs,
- struct sk_buff *skb,
- __u32 *replay,
- unsigned char **authenticator)
-{
- struct esphdr *espp = irs->protostuff.espstuff.espp;
-
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "packet from %s received with seq=%d (iv)=0x%08x%08x iplen=%d esplen=%d sa=%s\n",
- irs->ipsaddr_txt,
- (__u32)ntohl(espp->esp_rpl),
- (__u32)ntohl(*((__u32 *)(espp->esp_iv) )),
- (__u32)ntohl(*((__u32 *)(espp->esp_iv) + 1)),
- irs->len,
- irs->ilen,
- irs->sa_len ? irs->sa : " (error)");
-
- *replay = ntohl(espp->esp_rpl);
- *authenticator = &(skb->data[irs->len - irs->authlen]);
-
- return IPSEC_RCV_OK;
-}
-
-enum ipsec_rcv_value
-ipsec_rcv_esp_authcalc(struct ipsec_rcv_state *irs,
- struct sk_buff *skb)
-{
- struct auth_alg *aa;
- struct esphdr *espp = irs->protostuff.espstuff.espp;
- union {
- MD5_CTX md5;
- SHA1_CTX sha1;
- } tctx;
-
-#ifdef CONFIG_IPSEC_ALG
- if (irs->ipsp->ips_alg_auth) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "ipsec_alg hashing proto=%d... ",
- irs->said.proto);
- if(irs->said.proto == IPPROTO_ESP) {
- ipsec_alg_sa_esp_hash(irs->ipsp,
- (caddr_t)espp, irs->ilen,
- irs->hash, AHHMAC_HASHLEN);
- return IPSEC_RCV_OK;
- }
- return IPSEC_RCV_BADPROTO;
- }
-#endif
- aa = irs->authfuncs;
-
- /* copy the initialized keying material */
- memcpy(&tctx, irs->ictx, irs->ictx_len);
-
- (*aa->update)((void *)&tctx, (caddr_t)espp, irs->ilen);
-
- (*aa->final)(irs->hash, (void *)&tctx);
-
- memcpy(&tctx, irs->octx, irs->octx_len);
-
- (*aa->update)((void *)&tctx, irs->hash, aa->hashlen);
- (*aa->final)(irs->hash, (void *)&tctx);
-
- return IPSEC_RCV_OK;
-}
-
-
-enum ipsec_rcv_value
-ipsec_rcv_esp_decrypt(struct ipsec_rcv_state *irs)
-{
- struct ipsec_sa *ipsp = irs->ipsp;
- struct esphdr *espp = irs->protostuff.espstuff.espp;
- int esphlen = 0;
- __u8 *idat; /* pointer to content to be decrypted/authenticated */
-#ifdef CONFIG_IPSEC_ENC_3DES
- __u32 iv[2];
-#endif /* !CONFIG_IPSEC_ENC_3DES */
- int pad = 0, padlen;
- int badpad = 0;
- int i;
- struct sk_buff *skb;
-#ifdef CONFIG_IPSEC_ALG
- struct ipsec_alg_enc *ixt_e=NULL;
-#endif /* CONFIG_IPSEC_ALG */
-
- skb=irs->skb;
-
- idat = skb->data + irs->iphlen;
-
-#ifdef CONFIG_IPSEC_ALG
- if ((ixt_e=ipsp->ips_alg_enc)) {
- esphlen = ESP_HEADER_LEN + ixt_e->ixt_ivlen/8;
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "encalg=%d esphlen=%d\n",
- ipsp->ips_encalg, esphlen);
- } else
-#endif /* CONFIG_IPSEC_ALG */
- switch(ipsp->ips_encalg) {
-#ifdef CONFIG_IPSEC_ENC_3DES
- case ESP_3DES:
- iv[0] = *((__u32 *)(espp->esp_iv) );
- iv[1] = *((__u32 *)(espp->esp_iv) + 1);
- esphlen = sizeof(struct esphdr);
- break;
-#endif /* !CONFIG_IPSEC_ENC_3DES */
- default:
- ipsp->ips_errs.ips_alg_errs += 1;
- if(irs->stats) {
- irs->stats->rx_errors++;
- }
- return IPSEC_RCV_ESP_BADALG;
- }
-
- idat += esphlen;
- irs->ilen -= esphlen;
-
-#ifdef CONFIG_IPSEC_ALG
- if (ixt_e)
- {
- if (ipsec_alg_esp_encrypt(ipsp,
- idat, irs->ilen, espp->esp_iv,
- IPSEC_ALG_DECRYPT) <= 0)
- {
- printk("klips_error:ipsec_rcv: "
- "got packet with esplen = %d "
- "from %s -- should be on "
- "ENC(%d) octet boundary, "
- "packet dropped\n",
- irs->ilen,
- irs->ipsaddr_txt,
- ipsp->ips_encalg);
- if(irs->stats) {
- irs->stats->rx_errors++;
- }
- return IPSEC_RCV_BAD_DECRYPT;
- }
- } else
-#endif /* CONFIG_IPSEC_ALG */
- switch(ipsp->ips_encalg) {
-#ifdef CONFIG_IPSEC_ENC_3DES
- case ESP_3DES:
- if ((irs->ilen) % 8) {
- ipsp->ips_errs.ips_encsize_errs += 1;
- printk("klips_error:ipsec_rcv: "
- "got packet with esplen = %d from %s -- should be on 8 octet boundary, packet dropped\n",
- irs->ilen,
- irs->ipsaddr_txt);
- if(irs->stats) {
- irs->stats->rx_errors++;
- }
- return IPSEC_RCV_3DES_BADBLOCKING;
- }
- des_ede3_cbc_encrypt((des_cblock *)idat,
- (des_cblock *)idat,
- irs->ilen,
- ((struct des_eks *)(ipsp->ips_key_e))[0].ks,
- ((struct des_eks *)(ipsp->ips_key_e))[1].ks,
- ((struct des_eks *)(ipsp->ips_key_e))[2].ks,
- (des_cblock *)iv, 0);
- break;
-#endif /* !CONFIG_IPSEC_ENC_3DES */
- }
-
- rcv_dmp("postdecrypt", skb->data, skb->len);
-
- irs->next_header = idat[irs->ilen - 1];
- padlen = idat[irs->ilen - 2];
- pad = padlen + 2 + irs->authlen;
-
- KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
- "klips_debug:ipsec_rcv: "
- "padlen=%d, contents: 0x<offset>: 0x<value> 0x<value> ...\n",
- padlen);
-
- for (i = 1; i <= padlen; i++) {
- if((i % 16) == 1) {
- KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
- "klips_debug: %02x:",
- i - 1);
- }
- KLIPS_PRINTMORE(debug_rcv & DB_RX_IPAD,
- " %02x",
- idat[irs->ilen - 2 - padlen + i - 1]);
- if(i != idat[irs->ilen - 2 - padlen + i - 1]) {
- badpad = 1;
- }
- if((i % 16) == 0) {
- KLIPS_PRINTMORE(debug_rcv & DB_RX_IPAD,
- "\n");
- }
- }
- if((i % 16) != 1) {
- KLIPS_PRINTMORE(debug_rcv & DB_RX_IPAD,
- "\n");
- }
- if(badpad) {
- KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
- "klips_debug:ipsec_rcv: "
- "warning, decrypted packet from %s has bad padding\n",
- irs->ipsaddr_txt);
- KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
- "klips_debug:ipsec_rcv: "
- "...may be bad decryption -- not dropped\n");
- ipsp->ips_errs.ips_encpad_errs += 1;
- }
-
- KLIPS_PRINT(debug_rcv & DB_RX_IPAD,
- "klips_debug:ipsec_rcv: "
- "packet decrypted from %s: next_header = %d, padding = %d\n",
- irs->ipsaddr_txt,
- irs->next_header,
- pad - 2 - irs->authlen);
-
- irs->ipp->tot_len = htons(ntohs(irs->ipp->tot_len) - (esphlen + pad));
-
- /*
- * move the IP header forward by the size of the ESP header, which
- * will remove the the ESP header from the packet.
- */
- memmove((void *)(skb->data + esphlen),
- (void *)(skb->data), irs->iphlen);
-
- rcv_dmp("esp postmove", skb->data, skb->len);
-
- /* skb_pull below, will move up by esphlen */
-
- /* XXX not clear how this can happen, as the message indicates */
- if(skb->len < esphlen) {
- printk(KERN_WARNING
- "klips_error:ipsec_rcv: "
- "tried to skb_pull esphlen=%d, %d available. This should never happen, please report.\n",
- esphlen, (int)(skb->len));
- return IPSEC_RCV_ESP_DECAPFAIL;
- }
- skb_pull(skb, esphlen);
-
- irs->ipp = (struct iphdr *)skb->data;
-
- rcv_dmp("esp postpull", skb->data, skb->len);
-
- /* now, trip off the padding from the end */
- KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
- "klips_debug:ipsec_rcv: "
- "trimming to %d.\n",
- irs->len - esphlen - pad);
- if(pad + esphlen <= irs->len) {
- skb_trim(skb, irs->len - esphlen - pad);
- } else {
- KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
- "klips_debug:ipsec_rcv: "
- "bogus packet, size is zero or negative, dropping.\n");
- return IPSEC_RCV_DECAPFAIL;
- }
-
- return IPSEC_RCV_OK;
-}
-
-
-struct xform_functions esp_rcv_funcs[]={
- { checks: ipsec_rcv_esp_checks,
- setup_auth: ipsec_rcv_esp_decrypt_setup,
- calc_auth: ipsec_rcv_esp_authcalc,
- decrypt: ipsec_rcv_esp_decrypt,
- },
-};
-#endif /* !CONFIG_IPSEC_ESP */
-
-#ifdef CONFIG_IPSEC_AH
-enum ipsec_rcv_value
-ipsec_rcv_ah_checks(struct ipsec_rcv_state *irs,
- struct sk_buff *skb)
-{
- int ahminlen;
-
- ahminlen = irs->hard_header_len + sizeof(struct iphdr);
-
- /* take care not to deref this pointer until we check the minlen though */
- irs->protostuff.ahstuff.ahp = (struct ahhdr *) (skb->data + irs->iphlen);
-
- if((skb->len < ahminlen+sizeof(struct ahhdr)) ||
- (skb->len < ahminlen+(irs->protostuff.ahstuff.ahp->ah_hl << 2))) {
- KLIPS_PRINT(debug_rcv & DB_RX_INAU,
- "klips_debug:ipsec_rcv: "
- "runt ah packet of skb->len=%d received from %s, dropped.\n",
- skb->len,
- irs->ipsaddr_txt);
- if(irs->stats) {
- irs->stats->rx_errors++;
- }
- return IPSEC_RCV_BADLEN;
- }
-
- irs->said.spi = irs->protostuff.ahstuff.ahp->ah_spi;
-
- /* XXX we only support the one 12-byte authenticator for now */
- if(irs->protostuff.ahstuff.ahp->ah_hl != ((AHHMAC_HASHLEN+AHHMAC_RPLLEN) >> 2)) {
- KLIPS_PRINT(debug_rcv & DB_RX_INAU,
- "klips_debug:ipsec_rcv: "
- "bad authenticator length %ld, expected %lu from %s.\n",
- (long)(irs->protostuff.ahstuff.ahp->ah_hl << 2),
- (unsigned long) sizeof(struct ahhdr),
- irs->ipsaddr_txt);
- if(irs->stats) {
- irs->stats->rx_errors++;
- }
- return IPSEC_RCV_BADLEN;
- }
-
- return IPSEC_RCV_OK;
-}
-
-
-enum ipsec_rcv_value
-ipsec_rcv_ah_setup_auth(struct ipsec_rcv_state *irs,
- struct sk_buff *skb,
- __u32 *replay,
- unsigned char **authenticator)
-{
- struct ahhdr *ahp = irs->protostuff.ahstuff.ahp;
-
- *replay = ntohl(ahp->ah_rpl);
- *authenticator = ahp->ah_data;
-
- return IPSEC_RCV_OK;
-}
-
-enum ipsec_rcv_value
-ipsec_rcv_ah_authcalc(struct ipsec_rcv_state *irs,
- struct sk_buff *skb)
-{
- struct auth_alg *aa;
- struct ahhdr *ahp = irs->protostuff.ahstuff.ahp;
- union {
- MD5_CTX md5;
- SHA1_CTX sha1;
- } tctx;
- struct iphdr ipo;
- int ahhlen;
-
- aa = irs->authfuncs;
-
- /* copy the initialized keying material */
- memcpy(&tctx, irs->ictx, irs->ictx_len);
-
- ipo = *irs->ipp;
- ipo.tos = 0; /* mutable RFC 2402 3.3.3.1.1.1 */
- ipo.frag_off = 0;
- ipo.ttl = 0;
- ipo.check = 0;
-
-
- /* do the sanitized header */
- (*aa->update)((void*)&tctx, (caddr_t)&ipo, sizeof(struct iphdr));
-
- /* XXX we didn't do the options here! */
-
- /* now do the AH header itself */
- ahhlen = AH_BASIC_LEN + (ahp->ah_hl << 2);
- (*aa->update)((void*)&tctx, (caddr_t)ahp, ahhlen - AHHMAC_HASHLEN);
-
- /* now, do some zeroes */
- (*aa->update)((void*)&tctx, (caddr_t)zeroes, AHHMAC_HASHLEN);
-
- /* finally, do the packet contents themselves */
- (*aa->update)((void*)&tctx,
- (caddr_t)skb->data + irs->iphlen + ahhlen,
- skb->len - irs->iphlen - ahhlen);
-
- (*aa->final)(irs->hash, (void *)&tctx);
-
- memcpy(&tctx, irs->octx, irs->octx_len);
-
- (*aa->update)((void *)&tctx, irs->hash, aa->hashlen);
- (*aa->final)(irs->hash, (void *)&tctx);
-
- return IPSEC_RCV_OK;
-}
-
-enum ipsec_rcv_value
-ipsec_rcv_ah_decap(struct ipsec_rcv_state *irs)
-{
- struct ahhdr *ahp = irs->protostuff.ahstuff.ahp;
- struct sk_buff *skb;
- int ahhlen;
-
- skb=irs->skb;
-
- ahhlen = AH_BASIC_LEN + (ahp->ah_hl << 2);
-
- irs->ipp->tot_len = htons(ntohs(irs->ipp->tot_len) - ahhlen);
- irs->next_header = ahp->ah_nh;
-
- /*
- * move the IP header forward by the size of the AH header, which
- * will remove the the AH header from the packet.
- */
- memmove((void *)(skb->data + ahhlen),
- (void *)(skb->data), irs->iphlen);
-
- rcv_dmp("ah postmove", skb->data, skb->len);
-
- /* skb_pull below, will move up by ahhlen */
-
- /* XXX not clear how this can happen, as the message indicates */
- if(skb->len < ahhlen) {
- printk(KERN_WARNING
- "klips_error:ipsec_rcv: "
- "tried to skb_pull ahhlen=%d, %d available. This should never happen, please report.\n",
- ahhlen,
- (int)(skb->len));
- return IPSEC_RCV_DECAPFAIL;
- }
- skb_pull(skb, ahhlen);
-
- irs->ipp = (struct iphdr *)skb->data;
-
- rcv_dmp("ah postpull", skb->data, skb->len);
-
- return IPSEC_RCV_OK;
-}
-
-
-struct xform_functions ah_rcv_funcs[]={
- { checks: ipsec_rcv_ah_checks,
- setup_auth: ipsec_rcv_ah_setup_auth,
- calc_auth: ipsec_rcv_ah_authcalc,
- decrypt: ipsec_rcv_ah_decap,
- },
-};
-
-#endif /* CONFIG_IPSEC_AH */
-
-#ifdef CONFIG_IPSEC_IPCOMP
-enum ipsec_rcv_value
-ipsec_rcv_ipcomp_checks(struct ipsec_rcv_state *irs,
- struct sk_buff *skb)
-{
- int ipcompminlen;
-
- ipcompminlen = irs->hard_header_len + sizeof(struct iphdr);
-
- if(skb->len < (ipcompminlen + sizeof(struct ipcomphdr))) {
- KLIPS_PRINT(debug_rcv & DB_RX_INAU,
- "klips_debug:ipsec_rcv: "
- "runt comp packet of skb->len=%d received from %s, dropped.\n",
- skb->len,
- irs->ipsaddr_txt);
- if(irs->stats) {
- irs->stats->rx_errors++;
- }
- return IPSEC_RCV_BADLEN;
- }
-
- irs->protostuff.ipcompstuff.compp = (struct ipcomphdr *)(skb->data + irs->iphlen);
- irs->said.spi = htonl((__u32)ntohs(irs->protostuff.ipcompstuff.compp->ipcomp_cpi));
- return IPSEC_RCV_OK;
-}
-
-enum ipsec_rcv_value
-ipsec_rcv_ipcomp_decomp(struct ipsec_rcv_state *irs)
-{
- unsigned int flags = 0;
- struct ipsec_sa *ipsp = irs->ipsp;
- struct sk_buff *skb;
-
- skb=irs->skb;
-
- rcv_dmp("ipcomp", skb->data, skb->len);
-
- if(ipsp == NULL) {
- return IPSEC_RCV_SAIDNOTFOUND;
- }
-
-#if 0
- /* we want to check that this wasn't the first SA on the list, because
- * we don't support bare IPCOMP, for unexplained reasons. MCR
- */
- if (ipsp->ips_onext != NULL) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "Incoming packet with outer IPCOMP header SA:%s: not yet supported by KLIPS, dropped\n",
- irs->sa_len ? irs->sa : " (error)");
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
-
- return IPSEC_RCV_IPCOMPALONE;
- }
-#endif
-
- if(sysctl_ipsec_inbound_policy_check &&
- ((((ntohl(ipsp->ips_said.spi) & 0x0000ffff) != ntohl(irs->said.spi)) &&
- (ipsp->ips_encalg != ntohl(irs->said.spi)) /* this is a workaround for peer non-compliance with rfc2393 */
- ))) {
- char sa2[SATOA_BUF];
- size_t sa_len2 = 0;
-
- sa_len2 = satoa(ipsp->ips_said, 0, sa2, SATOA_BUF);
-
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "Incoming packet with SA(IPCA):%s does not match policy SA(IPCA):%s cpi=%04x cpi->spi=%08x spi=%08x, spi->cpi=%04x for SA grouping, dropped.\n",
- irs->sa_len ? irs->sa : " (error)",
- ipsp != NULL ? (sa_len2 ? sa2 : " (error)") : "NULL",
- ntohs(irs->protostuff.ipcompstuff.compp->ipcomp_cpi),
- (__u32)ntohl(irs->said.spi),
- ipsp != NULL ? (__u32)ntohl((ipsp->ips_said.spi)) : 0,
- ipsp != NULL ? (__u16)(ntohl(ipsp->ips_said.spi) & 0x0000ffff) : 0);
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- return IPSEC_RCV_SAIDNOTFOUND;
- }
-
- ipsp->ips_comp_ratio_cbytes += ntohs(irs->ipp->tot_len);
- irs->next_header = irs->protostuff.ipcompstuff.compp->ipcomp_nh;
-
- skb = skb_decompress(skb, ipsp, &flags);
- if (!skb || flags) {
- spin_unlock(&tdb_lock);
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "skb_decompress() returned error flags=%x, dropped.\n",
- flags);
- if (irs->stats) {
- if (flags)
- irs->stats->rx_errors++;
- else
- irs->stats->rx_dropped++;
- }
- return IPSEC_RCV_IPCOMPFAILED;
- }
-
- /* make sure we update the pointer */
- irs->skb = skb;
-
-#ifdef NET_21
- irs->ipp = skb->nh.iph;
-#else /* NET_21 */
- irs->ipp = skb->ip_hdr;
-#endif /* NET_21 */
-
- ipsp->ips_comp_ratio_dbytes += ntohs(irs->ipp->tot_len);
-
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "packet decompressed SA(IPCA):%s cpi->spi=%08x spi=%08x, spi->cpi=%04x, nh=%d.\n",
- irs->sa_len ? irs->sa : " (error)",
- (__u32)ntohl(irs->said.spi),
- ipsp != NULL ? (__u32)ntohl((ipsp->ips_said.spi)) : 0,
- ipsp != NULL ? (__u16)(ntohl(ipsp->ips_said.spi) & 0x0000ffff) : 0,
- irs->next_header);
- KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, irs->ipp);
-
- return IPSEC_RCV_OK;
-}
-
-
-struct xform_functions ipcomp_rcv_funcs[]={
- {checks: ipsec_rcv_ipcomp_checks,
- decrypt: ipsec_rcv_ipcomp_decomp,
- },
-};
-
-#endif /* CONFIG_IPSEC_IPCOMP */
-
-enum ipsec_rcv_value
-ipsec_rcv_decap_once(struct ipsec_rcv_state *irs)
-{
- int iphlen;
- unsigned char *dat;
- __u8 proto;
- struct in_addr ipsaddr;
- struct in_addr ipdaddr;
- int replay = 0; /* replay value in AH or ESP packet */
- struct ipsec_sa* ipsnext = NULL; /* next SA towards inside of packet */
- struct xform_functions *proto_funcs;
- struct ipsec_sa *newipsp;
- struct iphdr *ipp;
- struct sk_buff *skb;
-#ifdef CONFIG_IPSEC_ALG
- struct ipsec_alg_auth *ixt_a=NULL;
-#endif /* CONFIG_IPSEC_ALG */
-
- skb = irs->skb;
- irs->len = skb->len;
- dat = skb->data;
- ipp = irs->ipp;
- proto = ipp->protocol;
- ipsaddr.s_addr = ipp->saddr;
- addrtoa(ipsaddr, 0, irs->ipsaddr_txt, sizeof(irs->ipsaddr_txt));
- ipdaddr.s_addr = ipp->daddr;
- addrtoa(ipdaddr, 0, irs->ipdaddr_txt, sizeof(irs->ipdaddr_txt));
-
- iphlen = ipp->ihl << 2;
- irs->iphlen=iphlen;
- ipp->check = 0; /* we know the sum is good */
-
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv_decap_once: "
- "decap (%d) from %s -> %s\n",
- proto, irs->ipsaddr_txt, irs->ipdaddr_txt);
-
- switch(proto) {
-#ifdef CONFIG_IPSEC_ESP
- case IPPROTO_ESP:
- proto_funcs = esp_rcv_funcs;
- break;
-#endif /* !CONFIG_IPSEC_ESP */
-
-#ifdef CONFIG_IPSEC_AH
- case IPPROTO_AH:
- proto_funcs = ah_rcv_funcs;
- break;
-#endif /* !CONFIG_IPSEC_AH */
-
-#ifdef CONFIG_IPSEC_IPCOMP
- case IPPROTO_COMP:
- proto_funcs = ipcomp_rcv_funcs;
- break;
-#endif /* !CONFIG_IPSEC_IPCOMP */
- default:
- if(irs->stats) {
- irs->stats->rx_errors++;
- }
- return IPSEC_RCV_BADPROTO;
- }
-
- /*
- * Find tunnel control block and (indirectly) call the
- * appropriate tranform routine. The resulting sk_buf
- * is a valid IP packet ready to go through input processing.
- */
-
- irs->said.dst.s_addr = ipp->daddr;
-
- if(proto_funcs->checks) {
- enum ipsec_rcv_value retval = (*proto_funcs->checks)(irs, skb);
-
- if(retval < 0) {
- return retval;
- }
- }
-
- irs->said.proto = proto;
- irs->sa_len = satoa(irs->said, 0, irs->sa, SATOA_BUF);
- if(irs->sa_len == 0) {
- strcpy(irs->sa, "(error)");
- }
-
- newipsp = ipsec_sa_getbyid(&irs->said);
- if (newipsp == NULL) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "no ipsec_sa for SA:%s: incoming packet with no SA dropped\n",
- irs->sa_len ? irs->sa : " (error)");
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- return IPSEC_RCV_SAIDNOTFOUND;
- }
-
- /* MCR - XXX this is bizarre. ipsec_sa_getbyid returned it, having incremented the refcount,
- * why in the world would we decrement it here?
-
- ipsec_sa_put(irs->ipsp);*/ /* incomplete */
-
- /* If it is in larval state, drop the packet, we cannot process yet. */
- if(newipsp->ips_state == SADB_SASTATE_LARVAL) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "ipsec_sa in larval state, cannot be used yet, dropping packet.\n");
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- ipsec_sa_put(newipsp);
- return IPSEC_RCV_SAIDNOTLIVE;
- }
-
- if(newipsp->ips_state == SADB_SASTATE_DEAD) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "ipsec_sa in dead state, cannot be used any more, dropping packet.\n");
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- ipsec_sa_put(newipsp);
- return IPSEC_RCV_SAIDNOTLIVE;
- }
-
- if(sysctl_ipsec_inbound_policy_check) {
- if(irs->ipp->saddr != ((struct sockaddr_in*)(newipsp->ips_addr_s))->sin_addr.s_addr) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "SA:%s, src=%s of pkt does not agree with expected SA source address policy.\n",
- irs->sa_len ? irs->sa : " (error)",
- irs->ipsaddr_txt);
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- ipsec_sa_put(newipsp);
- return IPSEC_RCV_FAILEDINBOUND;
- }
-
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "SA:%s, src=%s of pkt agrees with expected SA source address policy.\n",
- irs->sa_len ? irs->sa : " (error)",
- irs->ipsaddr_txt);
-
- /*
- * at this point, we have looked up a new SA, and we want to make sure that if this
- * isn't the first SA in the list, that the previous SA actually points at this one.
- */
- if(irs->ipsp) {
- if(irs->ipsp->ips_inext != newipsp) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "unexpected SA:%s: does not agree with ips->inext policy, dropped\n",
- irs->sa_len ? irs->sa : " (error)");
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- ipsec_sa_put(newipsp);
- return IPSEC_RCV_FAILEDINBOUND;
- }
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "SA:%s grouping from previous SA is OK.\n",
- irs->sa_len ? irs->sa : " (error)");
- } else {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "SA:%s First SA in group.\n",
- irs->sa_len ? irs->sa : " (error)");
- }
-
- /*
- * previously, at this point, we checked if the back pointer from the new SA that
- * we just found matched the back pointer. But, we won't do this check anymore,
- * because we want to be able to nest SAs
- */
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "natt_type=%u tdbp->ips_natt_type=%u : %s\n",
- irs->natt_type, newipsp->ips_natt_type,
- (irs->natt_type==newipsp->ips_natt_type)?"ok":"bad");
- if (irs->natt_type != newipsp->ips_natt_type) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "SA:%s does not agree with expected NAT-T policy.\n",
- irs->sa_len ? irs->sa : " (error)");
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- ipsec_sa_put(newipsp);
- return IPSEC_RCV_FAILEDINBOUND;
- }
-#endif
- }
-
- /* okay, SA checks out, so free any previous SA, and record a new one */
-
- if(irs->ipsp) {
- ipsec_sa_put(irs->ipsp);
- }
- irs->ipsp=newipsp;
-
- /* note that the outer code will free the irs->ipsp if there is an error */
-
-
- /* now check the lifetimes */
- if(ipsec_lifetime_check(&irs->ipsp->ips_life.ipl_bytes, "bytes", irs->sa,
- ipsec_life_countbased, ipsec_incoming, irs->ipsp) == ipsec_life_harddied ||
- ipsec_lifetime_check(&irs->ipsp->ips_life.ipl_addtime, "addtime",irs->sa,
- ipsec_life_timebased, ipsec_incoming, irs->ipsp) == ipsec_life_harddied ||
- ipsec_lifetime_check(&irs->ipsp->ips_life.ipl_addtime, "usetime",irs->sa,
- ipsec_life_timebased, ipsec_incoming, irs->ipsp) == ipsec_life_harddied ||
- ipsec_lifetime_check(&irs->ipsp->ips_life.ipl_packets, "packets",irs->sa,
- ipsec_life_countbased, ipsec_incoming, irs->ipsp) == ipsec_life_harddied) {
- ipsec_sa_delchain(irs->ipsp);
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
-
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv_decap_once: "
- "decap (%d) failed lifetime check\n",
- proto);
-
- return IPSEC_RCV_LIFETIMEFAILED;
- }
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- if ((irs->natt_type) &&
- ( (irs->ipp->saddr != (((struct sockaddr_in*)(newipsp->ips_addr_s))->sin_addr.s_addr)) ||
- (irs->natt_sport != newipsp->ips_natt_sport)
- )) {
- struct sockaddr sipaddr;
- /** Advertise NAT-T addr change to pluto **/
- sipaddr.sa_family = AF_INET;
- ((struct sockaddr_in*)&sipaddr)->sin_addr.s_addr = irs->ipp->saddr;
- ((struct sockaddr_in*)&sipaddr)->sin_port = htons(irs->natt_sport);
- pfkey_nat_t_new_mapping(newipsp, &sipaddr, irs->natt_sport);
- /**
- * Then allow or block packet depending on
- * sysctl_ipsec_inbound_policy_check.
- *
- * In all cases, pluto will update SA if new mapping is
- * accepted.
- */
- if (sysctl_ipsec_inbound_policy_check) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "SA:%s, src=%s:%u of pkt does not agree with expected "
- "SA source address policy (pluto has been informed).\n",
- irs->sa_len ? irs->sa : " (error)",
- irs->ipsaddr_txt, irs->natt_sport);
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- ipsec_sa_put(newipsp);
- return IPSEC_RCV_FAILEDINBOUND;
- }
- }
-#endif
-
- irs->authfuncs=NULL;
- /* authenticate, if required */
-#ifdef CONFIG_IPSEC_ALG
- if ((ixt_a=irs->ipsp->ips_alg_auth)) {
- irs->authlen = AHHMAC_HASHLEN;
- irs->authfuncs = NULL;
- irs->ictx = NULL;
- irs->octx = NULL;
- irs->ictx_len = 0;
- irs->octx_len = 0;
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "authalg=%d authlen=%d\n",
- irs->ipsp->ips_authalg,
- irs->authlen);
- } else
-#endif /* CONFIG_IPSEC_ALG */
- switch(irs->ipsp->ips_authalg) {
-#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
- case AH_MD5:
- irs->authlen = AHHMAC_HASHLEN;
- irs->authfuncs = ipsec_rcv_md5;
- irs->ictx = (void *)&((struct md5_ctx*)(irs->ipsp->ips_key_a))->ictx;
- irs->octx = (void *)&((struct md5_ctx*)(irs->ipsp->ips_key_a))->octx;
- irs->ictx_len = sizeof(((struct md5_ctx*)(irs->ipsp->ips_key_a))->ictx);
- irs->octx_len = sizeof(((struct md5_ctx*)(irs->ipsp->ips_key_a))->octx);
- break;
-#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
-#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
- case AH_SHA:
- irs->authlen = AHHMAC_HASHLEN;
- irs->authfuncs = ipsec_rcv_sha1;
- irs->ictx = (void *)&((struct sha1_ctx*)(irs->ipsp->ips_key_a))->ictx;
- irs->octx = (void *)&((struct sha1_ctx*)(irs->ipsp->ips_key_a))->octx;
- irs->ictx_len = sizeof(((struct sha1_ctx*)(irs->ipsp->ips_key_a))->ictx);
- irs->octx_len = sizeof(((struct sha1_ctx*)(irs->ipsp->ips_key_a))->octx);
- break;
-#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
- case AH_NONE:
- irs->authlen = 0;
- irs->authfuncs = NULL;
- irs->ictx = NULL;
- irs->octx = NULL;
- irs->ictx_len = 0;
- irs->octx_len = 0;
-
- break;
- default:
- irs->ipsp->ips_errs.ips_alg_errs += 1;
- if(irs->stats) {
- irs->stats->rx_errors++;
- }
- return IPSEC_RCV_BADAUTH;
- }
-
- irs->ilen = irs->len - iphlen - irs->authlen;
- if(irs->ilen <= 0) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "runt %s packet with no data, dropping.\n",
- (proto == IPPROTO_ESP ? "esp" : "ah"));
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- return IPSEC_RCV_BADLEN;
- }
-
-#ifdef CONFIG_IPSEC_ALG
- if(irs->authfuncs || ixt_a) {
-#else
- if(irs->authfuncs) {
-#endif
- unsigned char *authenticator = NULL;
-
- if(proto_funcs->setup_auth) {
- enum ipsec_rcv_value retval
- = (*proto_funcs->setup_auth)(irs, skb,
- &replay,
- &authenticator);
- if(retval < 0) {
- return retval;
- }
- }
-
- if(!authenticator) {
- irs->ipsp->ips_errs.ips_auth_errs += 1;
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- return IPSEC_RCV_BADAUTH;
- }
-
- if(!ipsec_checkreplaywindow(irs->ipsp, replay)) {
- irs->ipsp->ips_errs.ips_replaywin_errs += 1;
- KLIPS_PRINT(debug_rcv & DB_RX_REPLAY,
- "klips_debug:ipsec_rcv: "
- "duplicate frame from %s, packet dropped\n",
- irs->ipsaddr_txt);
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- return IPSEC_RCV_REPLAYFAILED;
- }
-
- /*
- * verify authenticator
- */
-
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "encalg = %d, authalg = %d.\n",
- irs->ipsp->ips_encalg,
- irs->ipsp->ips_authalg);
-
- /* calculate authenticator */
- if(proto_funcs->calc_auth == NULL) {
- return IPSEC_RCV_BADAUTH;
- }
- (*proto_funcs->calc_auth)(irs, skb);
-
- if (memcmp(irs->hash, authenticator, irs->authlen)) {
- irs->ipsp->ips_errs.ips_auth_errs += 1;
- KLIPS_PRINT(debug_rcv & DB_RX_INAU,
- "klips_debug:ipsec_rcv: "
- "auth failed on incoming packet from %s: hash=%08x%08x%08x auth=%08x%08x%08x, dropped\n",
- irs->ipsaddr_txt,
- ntohl(*(__u32*)&irs->hash[0]),
- ntohl(*(__u32*)&irs->hash[4]),
- ntohl(*(__u32*)&irs->hash[8]),
- ntohl(*(__u32*)authenticator),
- ntohl(*((__u32*)authenticator + 1)),
- ntohl(*((__u32*)authenticator + 2)));
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- return IPSEC_RCV_AUTHFAILED;
- } else {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "authentication successful.\n");
- }
-
- /* Crypto hygiene: clear memory used to calculate autheticator.
- * The length varies with the algorithm.
- */
- memset(irs->hash, 0, irs->authlen);
-
- /* If the sequence number == 0, expire SA, it had rolled */
- if(irs->ipsp->ips_replaywin && !replay /* !irs->ipsp->ips_replaywin_lastseq */) {
- ipsec_sa_delchain(irs->ipsp);
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "replay window counter rolled, expiring SA.\n");
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- return IPSEC_RCV_REPLAYROLLED;
- }
-
- /* now update the replay counter */
- if (!ipsec_updatereplaywindow(irs->ipsp, replay)) {
- irs->ipsp->ips_errs.ips_replaywin_errs += 1;
- KLIPS_PRINT(debug_rcv & DB_RX_REPLAY,
- "klips_debug:ipsec_rcv: "
- "duplicate frame from %s, packet dropped\n",
- irs->ipsaddr_txt);
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- return IPSEC_RCV_REPLAYROLLED;
- }
- }
-
- if(proto_funcs->decrypt) {
- enum ipsec_rcv_value retval =
- (*proto_funcs->decrypt)(irs);
-
- if(retval != IPSEC_RCV_OK) {
- return retval;
- }
- }
-
- /*
- * Adjust pointers
- */
- skb = irs->skb;
- irs->len = skb->len;
- dat = skb->data;
-
-#ifdef NET_21
-/* skb->h.ipiph=(struct iphdr *)skb->data; */
- skb->nh.raw = skb->data;
- skb->h.raw = skb->nh.raw + (skb->nh.iph->ihl << 2);
-
- memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
-#else /* NET_21 */
- skb->h.iph=(struct iphdr *)skb->data;
- skb->ip_hdr=(struct iphdr *)skb->data;
- memset(skb->proto_priv, 0, sizeof(struct options));
-#endif /* NET_21 */
-
- ipp = (struct iphdr *)dat;
- ipsaddr.s_addr = ipp->saddr;
- addrtoa(ipsaddr, 0, irs->ipsaddr_txt, sizeof(irs->ipsaddr_txt));
- ipdaddr.s_addr = ipp->daddr;
- addrtoa(ipdaddr, 0, irs->ipdaddr_txt, sizeof(irs->ipdaddr_txt));
- /*
- * Discard the original ESP/AH header
- */
- ipp->protocol = irs->next_header;
-
- ipp->check = 0; /* NOTE: this will be included in checksum */
- ipp->check = ip_fast_csum((unsigned char *)dat, iphlen >> 2);
-
- KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
- "klips_debug:ipsec_rcv: "
- "after <%s%s%s>, SA:%s:\n",
- IPS_XFORM_NAME(irs->ipsp),
- irs->sa_len ? irs->sa : " (error)");
- KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
-
- skb->protocol = htons(ETH_P_IP);
- skb->ip_summed = 0;
-
- ipsnext = irs->ipsp->ips_inext;
- if(sysctl_ipsec_inbound_policy_check) {
- if(ipsnext) {
- if(
- ipp->protocol != IPPROTO_AH
- && ipp->protocol != IPPROTO_ESP
-#ifdef CONFIG_IPSEC_IPCOMP
- && ipp->protocol != IPPROTO_COMP
- && (ipsnext->ips_said.proto != IPPROTO_COMP
- || ipsnext->ips_inext)
-#endif /* CONFIG_IPSEC_IPCOMP */
- && ipp->protocol != IPPROTO_IPIP
- ) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "packet with incomplete policy dropped, last successful SA:%s.\n",
- irs->sa_len ? irs->sa : " (error)");
- if(irs->stats) {
- irs->stats->rx_dropped++;
- }
- return IPSEC_RCV_FAILEDINBOUND;
- }
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "SA:%s, Another IPSEC header to process.\n",
- irs->sa_len ? irs->sa : " (error)");
- } else {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "No ips_inext from this SA:%s.\n",
- irs->sa_len ? irs->sa : " (error)");
- }
- }
-
-#ifdef CONFIG_IPSEC_IPCOMP
- /* update ipcomp ratio counters, even if no ipcomp packet is present */
- if (ipsnext
- && ipsnext->ips_said.proto == IPPROTO_COMP
- && ipp->protocol != IPPROTO_COMP) {
- ipsnext->ips_comp_ratio_cbytes += ntohs(ipp->tot_len);
- ipsnext->ips_comp_ratio_dbytes += ntohs(ipp->tot_len);
- }
-#endif /* CONFIG_IPSEC_IPCOMP */
-
- irs->ipsp->ips_life.ipl_bytes.ipl_count += irs->len;
- irs->ipsp->ips_life.ipl_bytes.ipl_last = irs->len;
-
- if(!irs->ipsp->ips_life.ipl_usetime.ipl_count) {
- irs->ipsp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
- }
- irs->ipsp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
- irs->ipsp->ips_life.ipl_packets.ipl_count += 1;
-
-#ifdef CONFIG_NETFILTER
- if(proto == IPPROTO_ESP || proto == IPPROTO_AH) {
- skb->nfmark = (skb->nfmark & (~(IPsecSAref2NFmark(IPSEC_SA_REF_MASK))))
- | IPsecSAref2NFmark(IPsecSA2SAref(irs->ipsp));
- KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
- "klips_debug:ipsec_rcv: "
- "%s SA sets skb->nfmark=0x%x.\n",
- proto == IPPROTO_ESP ? "ESP" : "AH",
- (unsigned)skb->nfmark);
- }
-#endif /* CONFIG_NETFILTER */
-
- return IPSEC_RCV_OK;
-}
-
-
-int
-#ifdef PROTO_HANDLER_SINGLE_PARM
-ipsec_rcv(struct sk_buff *skb)
-#else /* PROTO_HANDLER_SINGLE_PARM */
-#ifdef NET_21
-ipsec_rcv(struct sk_buff *skb, unsigned short xlen)
-#else /* NET_21 */
-ipsec_rcv(struct sk_buff *skb, struct device *dev, struct options *opt,
- __u32 daddr_unused, unsigned short xlen, __u32 saddr,
- int redo, struct inet_protocol *protocol)
-#endif /* NET_21 */
-#endif /* PROTO_HANDLER_SINGLE_PARM */
-{
-#ifdef NET_21
-#ifdef CONFIG_IPSEC_DEBUG
- struct device *dev = skb->dev;
-#endif /* CONFIG_IPSEC_DEBUG */
-#endif /* NET_21 */
- unsigned char protoc;
- struct iphdr *ipp;
-#if defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH)
-#endif /* defined(CONFIG_IPSEC_ESP) || defined(CONFIG_IPSEC_AH) */
-
- struct ipsec_sa *ipsp = NULL;
- struct net_device_stats *stats = NULL; /* This device's statistics */
- struct device *ipsecdev = NULL, *prvdev;
- struct ipsecpriv *prv;
- char name[9];
- int i;
- struct in_addr ipsaddr;
- struct in_addr ipdaddr;
-
- struct ipsec_sa* ipsnext = NULL; /* next SA towards inside of packet */
- struct ipsec_rcv_state irs;
-
- /* Don't unlink in the middle of a turnaround */
- MOD_INC_USE_COUNT;
-
- memset(&irs, 0, sizeof(struct ipsec_rcv_state));
-
- if (skb == NULL) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "NULL skb passed in.\n");
- goto rcvleave;
- }
-
- if (skb->data == NULL) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "NULL skb->data passed in, packet is bogus, dropping.\n");
- goto rcvleave;
- }
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- if (skb->sk && skb->nh.iph && skb->nh.iph->protocol==IPPROTO_UDP) {
- /**
- * Packet comes from udp_queue_rcv_skb so it is already defrag,
- * checksum verified, ... (ie safe to use)
- *
- * If the packet is not for us, return -1 and udp_queue_rcv_skb
- * will continue to handle it (do not kfree skb !!).
- */
- struct udp_opt *tp = &(skb->sk->tp_pinfo.af_udp);
- struct iphdr *ip = (struct iphdr *)skb->nh.iph;
- struct udphdr *udp = (struct udphdr *)((__u32 *)ip+ip->ihl);
- __u8 *udpdata = (__u8 *)udp + sizeof(struct udphdr);
- __u32 *udpdata32 = (__u32 *)udpdata;
-
- irs.natt_sport = ntohs(udp->source);
- irs.natt_dport = ntohs(udp->dest);
-
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "suspected ESPinUDP packet (NAT-Traversal) [%d].\n",
- tp->esp_in_udp);
- KLIPS_IP_PRINT(debug_rcv, ip);
-
- if (udpdata < skb->tail) {
- unsigned int len = skb->tail - udpdata;
- if ((len==1) && (udpdata[0]==0xff)) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- /* not IPv6 compliant message */
- "NAT-keepalive from %d.%d.%d.%d.\n", NIPQUAD(ip->saddr));
- goto rcvleave;
- }
- else if ( (tp->esp_in_udp == ESPINUDP_WITH_NON_IKE) &&
- (len > (2*sizeof(__u32) + sizeof(struct esphdr))) &&
- (udpdata32[0]==0) && (udpdata32[1]==0) ) {
- /* ESP Packet with Non-IKE header */
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "ESPinUDP pkt with Non-IKE - spi=0x%x\n",
- udpdata32[2]);
- irs.natt_type = ESPINUDP_WITH_NON_IKE;
- irs.natt_len = sizeof(struct udphdr)+(2*sizeof(__u32));
- }
- else if ( (tp->esp_in_udp == ESPINUDP_WITH_NON_ESP) &&
- (len > sizeof(struct esphdr)) &&
- (udpdata32[0]!=0) ) {
- /* ESP Packet without Non-ESP header */
- irs.natt_type = ESPINUDP_WITH_NON_ESP;
- irs.natt_len = sizeof(struct udphdr);
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "ESPinUDP pkt without Non-ESP - spi=0x%x\n",
- udpdata32[0]);
- }
- else {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "IKE packet - not handled here\n");
- MOD_DEC_USE_COUNT;
- return -1;
- }
- }
- else {
- MOD_DEC_USE_COUNT;
- return -1;
- }
- }
-#endif
-
-#ifdef IPH_is_SKB_PULLED
- /* In Linux 2.4.4, the IP header has been skb_pull()ed before the
- packet is passed to us. So we'll skb_push() to get back to it. */
- if (skb->data == skb->h.raw) {
- skb_push(skb, skb->h.raw - skb->nh.raw);
- }
-#endif /* IPH_is_SKB_PULLED */
-
- /* dev->hard_header_len is unreliable and should not be used */
- irs.hard_header_len = skb->mac.raw ? (skb->data - skb->mac.raw) : 0;
- if((irs.hard_header_len < 0) || (irs.hard_header_len > skb_headroom(skb)))
- irs.hard_header_len = 0;
-
-#ifdef NET_21
- /* if skb was cloned (most likely due to a packet sniffer such as
- tcpdump being momentarily attached to the interface), make
- a copy of our own to modify */
- if(skb_cloned(skb)) {
- /* include any mac header while copying.. */
- if(skb_headroom(skb) < irs.hard_header_len) {
- printk(KERN_WARNING "klips_error:ipsec_rcv: "
- "tried to skb_push hhlen=%d, %d available. This should never happen, please report.\n",
- irs.hard_header_len,
- skb_headroom(skb));
- goto rcvleave;
- }
- skb_push(skb, irs.hard_header_len);
- if
-#ifdef SKB_COW_NEW
- (skb_cow(skb, skb_headroom(skb)) != 0)
-#else /* SKB_COW_NEW */
- ((skb = skb_cow(skb, skb_headroom(skb))) == NULL)
-#endif /* SKB_COW_NEW */
- {
- goto rcvleave;
- }
- if(skb->len < irs.hard_header_len) {
- printk(KERN_WARNING "klips_error:ipsec_rcv: "
- "tried to skb_pull hhlen=%d, %d available. This should never happen, please report.\n",
- irs.hard_header_len,
- skb->len);
- goto rcvleave;
- }
- skb_pull(skb, irs.hard_header_len);
- }
-
-#endif /* NET_21 */
-
-#if IP_FRAGMENT_LINEARIZE
- /* In Linux 2.4.4, we may have to reassemble fragments. They are
- not assembled automatically to save TCP from having to copy
- twice.
- */
- if (skb_is_nonlinear(skb)) {
- if (skb_linearize(skb, GFP_ATOMIC) != 0) {
- goto rcvleave;
- }
- }
-#endif /* IP_FRAGMENT_LINEARIZE */
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- if (irs.natt_len) {
- /**
- * Now, we are sure packet is ESPinUDP. Remove natt_len bytes from
- * packet and modify protocol to ESP.
- */
- if (((unsigned char *)skb->data > (unsigned char *)skb->nh.iph) &&
- ((unsigned char *)skb->nh.iph > (unsigned char *)skb->head)) {
- unsigned int _len = (unsigned char *)skb->data -
- (unsigned char *)skb->nh.iph;
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: adjusting skb: skb_push(%u)\n",
- _len);
- skb_push(skb, _len);
- }
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "removing %d bytes from ESPinUDP packet\n", irs.natt_len);
- ipp = (struct iphdr *)skb->data;
- irs.iphlen = ipp->ihl << 2;
- ipp->tot_len = htons(ntohs(ipp->tot_len) - irs.natt_len);
- if (skb->len < irs.iphlen + irs.natt_len) {
- printk(KERN_WARNING
- "klips_error:ipsec_rcv: "
- "ESPinUDP packet is too small (%d < %d+%d). "
- "This should never happen, please report.\n",
- (int)(skb->len), irs.iphlen, irs.natt_len);
- goto rcvleave;
- }
- memmove(skb->data + irs.natt_len, skb->data, irs.iphlen);
- skb_pull(skb, irs.natt_len);
-
- /* update nh.iph */
- ipp = skb->nh.iph = (struct iphdr *)skb->data;
-
- /* modify protocol */
- ipp->protocol = IPPROTO_ESP;
-
- skb->sk = NULL;
-
- KLIPS_IP_PRINT(debug_rcv, skb->nh.iph);
- }
-#endif
-
- ipp = skb->nh.iph;
- ipsaddr.s_addr = ipp->saddr;
- addrtoa(ipsaddr, 0, irs.ipsaddr_txt, sizeof(irs.ipsaddr_txt));
- ipdaddr.s_addr = ipp->daddr;
- addrtoa(ipdaddr, 0, irs.ipdaddr_txt, sizeof(irs.ipdaddr_txt));
- irs.iphlen = ipp->ihl << 2;
-
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "<<< Info -- ");
- KLIPS_PRINTMORE(debug_rcv && skb->dev, "skb->dev=%s ",
- skb->dev->name ? skb->dev->name : "NULL");
- KLIPS_PRINTMORE(debug_rcv && dev, "dev=%s ",
- dev->name ? dev->name : "NULL");
- KLIPS_PRINTMORE(debug_rcv, "\n");
-
- KLIPS_PRINT(debug_rcv && !(skb->dev && dev && (skb->dev == dev)),
- "klips_debug:ipsec_rcv: "
- "Informational -- **if this happens, find out why** skb->dev:%s is not equal to dev:%s\n",
- skb->dev ? (skb->dev->name ? skb->dev->name : "NULL") : "NULL",
- dev ? (dev->name ? dev->name : "NULL") : "NULL");
-
- protoc = ipp->protocol;
-#ifndef NET_21
- if((!protocol) || (protocol->protocol != protoc)) {
- KLIPS_PRINT(debug_rcv & DB_RX_IPSA,
- "klips_debug:ipsec_rcv: "
- "protocol arg is NULL or unequal to the packet contents, this is odd, using value in packet.\n");
- }
-#endif /* !NET_21 */
-
- if( (protoc != IPPROTO_AH) &&
-#ifdef CONFIG_IPSEC_IPCOMP_disabled_until_we_register_IPCOMP_HANDLER
- (protoc != IPPROTO_COMP) &&
-#endif /* CONFIG_IPSEC_IPCOMP */
- (protoc != IPPROTO_ESP) ) {
- KLIPS_PRINT(debug_rcv & DB_RX_IPSA,
- "klips_debug:ipsec_rcv: Why the hell is someone "
- "passing me a non-ipsec protocol = %d packet? -- dropped.\n",
- protoc);
- goto rcvleave;
- }
-
- if(skb->dev) {
- for(i = 0; i < IPSEC_NUM_IF; i++) {
- sprintf(name, IPSEC_DEV_FORMAT, i);
- if(!strcmp(name, skb->dev->name)) {
- prv = (struct ipsecpriv *)(skb->dev->priv);
- if(prv) {
- stats = (struct net_device_stats *) &(prv->mystats);
- }
- ipsecdev = skb->dev;
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "Info -- pkt already proc'ed a group of ipsec headers, processing next group of ipsec headers.\n");
- break;
- }
- if((ipsecdev = __ipsec_dev_get(name)) == NULL) {
- KLIPS_PRINT(debug_rcv,
- "klips_error:ipsec_rcv: "
- "device %s does not exist\n",
- name);
- }
- prv = ipsecdev ? (struct ipsecpriv *)(ipsecdev->priv) : NULL;
- prvdev = prv ? (struct device *)(prv->dev) : NULL;
-
-#if 0
- KLIPS_PRINT(debug_rcv && prvdev,
- "klips_debug:ipsec_rcv: "
- "physical device for device %s is %s\n",
- name,
- prvdev->name);
-#endif
- if(prvdev && skb->dev &&
- !strcmp(prvdev->name, skb->dev->name)) {
- stats = prv ? ((struct net_device_stats *) &(prv->mystats)) : NULL;
- skb->dev = ipsecdev;
- KLIPS_PRINT(debug_rcv && prvdev,
- "klips_debug:ipsec_rcv: "
- "assigning packet ownership to virtual device %s from physical device %s.\n",
- name, prvdev->name);
- if(stats) {
- stats->rx_packets++;
- }
- break;
- }
- }
- } else {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "device supplied with skb is NULL\n");
- }
-
- if(stats == NULL) {
- KLIPS_PRINT((debug_rcv),
- "klips_error:ipsec_rcv: "
- "packet received from physical I/F (%s) not connected to ipsec I/F. Cannot record stats. May not have SA for decoding. Is IPSEC traffic expected on this I/F? Check routing.\n",
- skb->dev ? (skb->dev->name ? skb->dev->name : "NULL") : "NULL");
- }
-
- KLIPS_IP_PRINT(debug_rcv, ipp);
-
- /* begin decapsulating loop here */
-
- /*
- The spinlock is to prevent any other process from
- accessing or deleting the ipsec_sa hash table or any of the
- ipsec_sa s while we are using and updating them.
-
- This is not optimal, but was relatively straightforward
- at the time. A better way to do it has been planned for
- more than a year, to lock the hash table and put reference
- counts on each ipsec_sa instead. This is not likely to happen
- in KLIPS1 unless a volunteer contributes it, but will be
- designed into KLIPS2.
- */
- spin_lock(&tdb_lock);
-
- /* set up for decap loop */
- irs.stats= stats;
- irs.ipp = ipp;
- irs.ipsp = NULL;
- irs.ilen = 0;
- irs.authlen=0;
- irs.authfuncs=NULL;
- irs.skb = skb;
-
- do {
- int decap_stat;
-
- decap_stat = ipsec_rcv_decap_once(&irs);
-
- if(decap_stat != IPSEC_RCV_OK) {
- spin_unlock(&tdb_lock);
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: decap_once failed: %d\n",
- decap_stat);
-
- goto rcvleave;
- }
- /* end decapsulation loop here */
- } while( (irs.ipp->protocol == IPPROTO_ESP )
- || (irs.ipp->protocol == IPPROTO_AH )
-#ifdef CONFIG_IPSEC_IPCOMP
- || (irs.ipp->protocol == IPPROTO_COMP)
-#endif /* CONFIG_IPSEC_IPCOMP */
- );
-
- /* set up for decap loop */
- ipp =irs.ipp;
- ipsp =irs.ipsp;
- ipsnext = ipsp->ips_inext;
- skb = irs.skb;
-
- /* if there is an IPCOMP, but we don't have an IPPROTO_COMP,
- * then we can just skip it
- */
-#ifdef CONFIG_IPSEC_IPCOMP
- if(ipsnext && ipsnext->ips_said.proto == IPPROTO_COMP) {
- ipsp = ipsnext;
- ipsnext = ipsp->ips_inext;
- }
-#endif /* CONFIG_IPSEC_IPCOMP */
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- if ((irs.natt_type) && (ipp->protocol != IPPROTO_IPIP)) {
- /**
- * NAT-Traversal and Transport Mode:
- * we need to correct TCP/UDP checksum
- *
- * If we've got NAT-OA, we can fix checksum without recalculation.
- */
- __u32 natt_oa = ipsp->ips_natt_oa ?
- ((struct sockaddr_in*)(ipsp->ips_natt_oa))->sin_addr.s_addr : 0;
- __u16 pkt_len = skb->tail - (unsigned char *)ipp;
- __u16 data_len = pkt_len - (ipp->ihl << 2);
-
- switch (ipp->protocol) {
- case IPPROTO_TCP:
- if (data_len >= sizeof(struct tcphdr)) {
- struct tcphdr *tcp = (struct tcphdr *)((__u32 *)ipp+ipp->ihl);
- if (natt_oa) {
- __u32 buff[2] = { ~natt_oa, ipp->saddr };
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "NAT-T & TRANSPORT: "
- "fix TCP checksum using NAT-OA\n");
- tcp->check = csum_fold(
- csum_partial((unsigned char *)buff, sizeof(buff),
- tcp->check^0xffff));
- }
- else {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "NAT-T & TRANSPORT: recalc TCP checksum\n");
- if (pkt_len > (ntohs(ipp->tot_len)))
- data_len -= (pkt_len - ntohs(ipp->tot_len));
- tcp->check = 0;
- tcp->check = csum_tcpudp_magic(ipp->saddr, ipp->daddr,
- data_len, IPPROTO_TCP,
- csum_partial((unsigned char *)tcp, data_len, 0));
- }
- }
- else {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "NAT-T & TRANSPORT: can't fix TCP checksum\n");
- }
- break;
- case IPPROTO_UDP:
- if (data_len >= sizeof(struct udphdr)) {
- struct udphdr *udp = (struct udphdr *)((__u32 *)ipp+ipp->ihl);
- if (udp->check == 0) {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "NAT-T & TRANSPORT: UDP checksum already 0\n");
- }
- else if (natt_oa) {
- __u32 buff[2] = { ~natt_oa, ipp->saddr };
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "NAT-T & TRANSPORT: "
- "fix UDP checksum using NAT-OA\n");
- udp->check = csum_fold(
- csum_partial((unsigned char *)buff, sizeof(buff),
- udp->check^0xffff));
- }
- else {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "NAT-T & TRANSPORT: zero UDP checksum\n");
- udp->check = 0;
- }
- }
- else {
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "NAT-T & TRANSPORT: can't fix UDP checksum\n");
- }
- break;
- default:
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "NAT-T & TRANSPORT: non TCP/UDP packet -- do nothing\n");
- break;
- }
- }
-#endif
-
- /*
- * XXX this needs to be locked from when it was first looked
- * up in the decapsulation loop. Perhaps it is better to put
- * the IPIP decap inside the loop.
- */
- if(ipsnext) {
- ipsp = ipsnext;
- irs.sa_len = satoa(irs.said, 0, irs.sa, SATOA_BUF);
- if(ipp->protocol != IPPROTO_IPIP) {
- spin_unlock(&tdb_lock);
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "SA:%s, Hey! How did this get through? Dropped.\n",
- irs.sa_len ? irs.sa : " (error)");
- if(stats) {
- stats->rx_dropped++;
- }
- goto rcvleave;
- }
- if(sysctl_ipsec_inbound_policy_check) {
- if((ipsnext = ipsp->ips_inext)) {
- char sa2[SATOA_BUF];
- size_t sa_len2;
- sa_len2 = satoa(ipsnext->ips_said, 0, sa2, SATOA_BUF);
- spin_unlock(&tdb_lock);
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "unexpected SA:%s after IPIP SA:%s\n",
- sa_len2 ? sa2 : " (error)",
- irs.sa_len ? irs.sa : " (error)");
- if(stats) {
- stats->rx_dropped++;
- }
- goto rcvleave;
- }
- if(ipp->saddr != ((struct sockaddr_in*)(ipsp->ips_addr_s))->sin_addr.s_addr) {
- spin_unlock(&tdb_lock);
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "SA:%s, src=%s of pkt does not agree with expected SA source address policy.\n",
- irs.sa_len ? irs.sa : " (error)",
- irs.ipsaddr_txt);
- if(stats) {
- stats->rx_dropped++;
- }
- goto rcvleave;
- }
- }
-
- /*
- * XXX this needs to be locked from when it was first looked
- * up in the decapsulation loop. Perhaps it is better to put
- * the IPIP decap inside the loop.
- */
- ipsp->ips_life.ipl_bytes.ipl_count += skb->len;
- ipsp->ips_life.ipl_bytes.ipl_last = skb->len;
-
- if(!ipsp->ips_life.ipl_usetime.ipl_count) {
- ipsp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
- }
- ipsp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
- ipsp->ips_life.ipl_packets.ipl_count += 1;
-
- if(skb->len < irs.iphlen) {
- spin_unlock(&tdb_lock);
- printk(KERN_WARNING "klips_debug:ipsec_rcv: "
- "tried to skb_pull iphlen=%d, %d available. This should never happen, please report.\n",
- irs.iphlen,
- (int)(skb->len));
-
- goto rcvleave;
- }
- skb_pull(skb, irs.iphlen);
-
-#ifdef NET_21
- skb->nh.raw = skb->data;
- ipp = (struct iphdr *)skb->nh.raw;
- skb->h.raw = skb->nh.raw + (skb->nh.iph->ihl << 2);
-
- memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
-#else /* NET_21 */
- ipp = skb->ip_hdr = skb->h.iph = (struct iphdr *)skb->data;
-
- memset(skb->proto_priv, 0, sizeof(struct options));
-#endif /* NET_21 */
- ipsaddr.s_addr = ipp->saddr;
- addrtoa(ipsaddr, 0, irs.ipsaddr_txt, sizeof(irs.ipsaddr_txt));
- ipdaddr.s_addr = ipp->daddr;
- addrtoa(ipdaddr, 0, irs.ipdaddr_txt, sizeof(irs.ipdaddr_txt));
-
- skb->protocol = htons(ETH_P_IP);
- skb->ip_summed = 0;
- KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
- "klips_debug:ipsec_rcv: "
- "IPIP tunnel stripped.\n");
- KLIPS_IP_PRINT(debug_rcv & DB_RX_PKTRX, ipp);
-
- if(sysctl_ipsec_inbound_policy_check
- /*
- Note: "xor" (^) logically replaces "not equal"
- (!=) and "bitwise or" (|) logically replaces
- "boolean or" (||). This is done to speed up
- execution by doing only bitwise operations and
- no branch operations
- */
- && (((ipp->saddr & ipsp->ips_mask_s.u.v4.sin_addr.s_addr)
- ^ ipsp->ips_flow_s.u.v4.sin_addr.s_addr)
- | ((ipp->daddr & ipsp->ips_mask_d.u.v4.sin_addr.s_addr)
- ^ ipsp->ips_flow_d.u.v4.sin_addr.s_addr)) )
- {
- char sflow_txt[SUBNETTOA_BUF], dflow_txt[SUBNETTOA_BUF];
-
- subnettoa(ipsp->ips_flow_s.u.v4.sin_addr,
- ipsp->ips_mask_s.u.v4.sin_addr,
- 0, sflow_txt, sizeof(sflow_txt));
- subnettoa(ipsp->ips_flow_d.u.v4.sin_addr,
- ipsp->ips_mask_d.u.v4.sin_addr,
- 0, dflow_txt, sizeof(dflow_txt));
- spin_unlock(&tdb_lock);
- KLIPS_PRINT(debug_rcv,
- "klips_debug:ipsec_rcv: "
- "SA:%s, inner tunnel policy [%s -> %s] does not agree with pkt contents [%s -> %s].\n",
- irs.sa_len ? irs.sa : " (error)",
- sflow_txt,
- dflow_txt,
- irs.ipsaddr_txt,
- irs.ipdaddr_txt);
- if(stats) {
- stats->rx_dropped++;
- }
- goto rcvleave;
- }
-#ifdef CONFIG_NETFILTER
- skb->nfmark = (skb->nfmark & (~(IPsecSAref2NFmark(IPSEC_SA_REF_TABLE_MASK))))
- | IPsecSAref2NFmark(IPsecSA2SAref(ipsp));
- KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
- "klips_debug:ipsec_rcv: "
- "IPIP SA sets skb->nfmark=0x%x.\n",
- (unsigned)skb->nfmark);
-#endif /* CONFIG_NETFILTER */
- }
-
- spin_unlock(&tdb_lock);
-
-#ifdef NET_21
- if(stats) {
- stats->rx_bytes += skb->len;
- }
- if(skb->dst) {
- dst_release(skb->dst);
- skb->dst = NULL;
- }
- skb->pkt_type = PACKET_HOST;
- if(irs.hard_header_len &&
- (skb->mac.raw != (skb->data - irs.hard_header_len)) &&
- (irs.hard_header_len <= skb_headroom(skb))) {
- /* copy back original MAC header */
- memmove(skb->data - irs.hard_header_len, skb->mac.raw, irs.hard_header_len);
- skb->mac.raw = skb->data - irs.hard_header_len;
- }
-#endif /* NET_21 */
-
-#ifdef CONFIG_IPSEC_IPCOMP
- if(ipp->protocol == IPPROTO_COMP) {
- unsigned int flags = 0;
-
- if(sysctl_ipsec_inbound_policy_check) {
- KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
- "klips_debug:ipsec_rcv: "
- "inbound policy checking enabled, IPCOMP follows IPIP, dropped.\n");
- if (stats) {
- stats->rx_errors++;
- }
- goto rcvleave;
- }
- /*
- XXX need a ipsec_sa for updating ratio counters but it is not
- following policy anyways so it is not a priority
- */
- skb = skb_decompress(skb, NULL, &flags);
- if (!skb || flags) {
- KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
- "klips_debug:ipsec_rcv: "
- "skb_decompress() returned error flags: %d, dropped.\n",
- flags);
- if (stats) {
- stats->rx_errors++;
- }
- goto rcvleave;
- }
- }
-#endif /* CONFIG_IPSEC_IPCOMP */
-
-#ifdef SKB_RESET_NFCT
- nf_conntrack_put(skb->nfct);
- skb->nfct = NULL;
-#ifdef CONFIG_NETFILTER_DEBUG
- skb->nf_debug = 0;
-#endif /* CONFIG_NETFILTER_DEBUG */
-#endif /* SKB_RESET_NFCT */
- KLIPS_PRINT(debug_rcv & DB_RX_PKTRX,
- "klips_debug:ipsec_rcv: "
- "netif_rx() called.\n");
- netif_rx(skb);
-
- MOD_DEC_USE_COUNT;
- return(0);
-
- rcvleave:
- if(skb) {
- ipsec_kfree_skb(skb);
- }
-
- MOD_DEC_USE_COUNT;
- return(0);
-}
-
-struct inet_protocol ah_protocol =
-{
- ipsec_rcv, /* AH handler */
- NULL, /* TUNNEL error control */
-#ifdef NETDEV_25
- 1, /* no policy */
-#else
- 0, /* next */
- IPPROTO_AH, /* protocol ID */
- 0, /* copy */
- NULL, /* data */
- "AH" /* name */
-#endif
-};
-
-struct inet_protocol esp_protocol =
-{
- ipsec_rcv, /* ESP handler */
- NULL, /* TUNNEL error control */
-#ifdef NETDEV_25
- 1, /* no policy */
-#else
- 0, /* next */
- IPPROTO_ESP, /* protocol ID */
- 0, /* copy */
- NULL, /* data */
- "ESP" /* name */
-#endif
-};
-
-#if 0
-/* We probably don't want to install a pure IPCOMP protocol handler, but
- only want to handle IPCOMP if it is encapsulated inside an ESP payload
- (which is already handled) */
-#ifdef CONFIG_IPSEC_IPCOMP
-struct inet_protocol comp_protocol =
-{
- ipsec_rcv, /* COMP handler */
- NULL, /* COMP error control */
-#ifdef NETDEV_25
- 1, /* no policy */
-#else
- 0, /* next */
- IPPROTO_COMP, /* protocol ID */
- 0, /* copy */
- NULL, /* data */
- "COMP" /* name */
-#endif
-};
-#endif /* CONFIG_IPSEC_IPCOMP */
-#endif
diff --git a/linux/net/ipsec/ipsec_sa.c b/linux/net/ipsec/ipsec_sa.c
deleted file mode 100644
index 4f73b92f2..000000000
--- a/linux/net/ipsec/ipsec_sa.c
+++ /dev/null
@@ -1,1031 +0,0 @@
-/*
- * Common routines for IPsec SA maintenance routines.
- *
- * Copyright (C) 1996, 1997 John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001, 2002 Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_sa.c,v 1.3 2004/06/13 19:57:50 as Exp $
- *
- * This is the file formerly known as "ipsec_xform.h"
- *
- */
-
-#include <linux/config.h>
-#include <linux/version.h>
-#include <linux/kernel.h> /* printk() */
-
-#include "freeswan/ipsec_param.h"
-
-#ifdef MALLOC_SLAB
-# include <linux/slab.h> /* kmalloc() */
-#else /* MALLOC_SLAB */
-# include <linux/malloc.h> /* kmalloc() */
-#endif /* MALLOC_SLAB */
-#include <linux/vmalloc.h> /* vmalloc() */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/interrupt.h> /* mark_bh */
-
-#include <linux/netdevice.h> /* struct device, and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/ip.h> /* struct iphdr */
-#include <linux/skbuff.h>
-#include <freeswan.h>
-#ifdef SPINLOCK
-#ifdef SPINLOCK_23
-#include <linux/spinlock.h> /* *lock* */
-#else /* SPINLOCK_23 */
-#include <asm/spinlock.h> /* *lock* */
-#endif /* SPINLOCK_23 */
-#endif /* SPINLOCK */
-#ifdef NET_21
-#include <asm/uaccess.h>
-#include <linux/in6.h>
-#endif
-#include <asm/checksum.h>
-#include <net/ip.h>
-
-#include "freeswan/radij.h"
-
-#include "freeswan/ipsec_stats.h"
-#include "freeswan/ipsec_life.h"
-#include "freeswan/ipsec_sa.h"
-#include "freeswan/ipsec_xform.h"
-
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_radij.h"
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_ipe4.h"
-#include "freeswan/ipsec_ah.h"
-#include "freeswan/ipsec_esp.h"
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "freeswan/ipsec_proto.h"
-#include "freeswan/ipsec_alg.h"
-
-
-#ifdef CONFIG_IPSEC_DEBUG
-int debug_xform = 0;
-#endif /* CONFIG_IPSEC_DEBUG */
-
-#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
-
-struct ipsec_sa *ipsec_sadb_hash[SADB_HASHMOD];
-#ifdef SPINLOCK
-spinlock_t tdb_lock = SPIN_LOCK_UNLOCKED;
-#else /* SPINLOCK */
-spinlock_t tdb_lock;
-#endif /* SPINLOCK */
-
-struct ipsec_sadb ipsec_sadb;
-
-#if IPSEC_SA_REF_CODE
-
-/* the sub table must be narrower (or equal) in bits than the variable type
- in the main table to count the number of unused entries in it. */
-typedef struct {
- int testSizeOf_refSubTable :
- ((sizeof(IPsecRefTableUnusedCount) * 8) < IPSEC_SA_REF_SUBTABLE_IDX_WIDTH ? -1 : 1);
-} dummy;
-
-
-/* The field where the saref will be hosted in the skb must be wide enough to
- accomodate the information it needs to store. */
-typedef struct {
- int testSizeOf_refField :
- (IPSEC_SA_REF_HOST_FIELD_WIDTH < IPSEC_SA_REF_TABLE_IDX_WIDTH ? -1 : 1 );
-} dummy2;
-
-
-void
-ipsec_SAtest(void)
-{
- IPsecSAref_t SAref = 258;
- struct ipsec_sa ips;
- ips.ips_ref = 772;
-
- printk("klips_debug:ipsec_SAtest: "
- "IPSEC_SA_REF_SUBTABLE_IDX_WIDTH=%u\n"
- "IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES=%u\n"
- "IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES=%u\n"
- "IPSEC_SA_REF_HOST_FIELD_WIDTH=%lu\n"
- "IPSEC_SA_REF_TABLE_MASK=%x\n"
- "IPSEC_SA_REF_ENTRY_MASK=%x\n"
- "IPsecSAref2table(%d)=%u\n"
- "IPsecSAref2entry(%d)=%u\n"
- "IPsecSAref2NFmark(%d)=%u\n"
- "IPsecSAref2SA(%d)=%p\n"
- "IPsecSA2SAref(%p)=%d\n"
- ,
- IPSEC_SA_REF_SUBTABLE_IDX_WIDTH,
- IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES,
- IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES,
- (unsigned long) IPSEC_SA_REF_HOST_FIELD_WIDTH,
- IPSEC_SA_REF_TABLE_MASK,
- IPSEC_SA_REF_ENTRY_MASK,
- SAref, IPsecSAref2table(SAref),
- SAref, IPsecSAref2entry(SAref),
- SAref, IPsecSAref2NFmark(SAref),
- SAref, IPsecSAref2SA(SAref),
- (&ips), IPsecSA2SAref((&ips))
- );
- return;
-}
-
-int
-ipsec_SAref_recycle(void)
-{
- int table;
- int entry;
- int error = 0;
-
- ipsec_sadb.refFreeListHead = -1;
- ipsec_sadb.refFreeListTail = -1;
-
- if(ipsec_sadb.refFreeListCont == IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES * IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_SAref_recycle: "
- "end of table reached, continuing at start..\n");
- ipsec_sadb.refFreeListCont = 0;
- }
-
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_SAref_recycle: "
- "recycling, continuing from SAref=%d (0p%p), table=%d, entry=%d.\n",
- ipsec_sadb.refFreeListCont,
- (ipsec_sadb.refTable[IPsecSAref2table(ipsec_sadb.refFreeListCont)] != NULL) ? IPsecSAref2SA(ipsec_sadb.refFreeListCont) : NULL,
- IPsecSAref2table(ipsec_sadb.refFreeListCont),
- IPsecSAref2entry(ipsec_sadb.refFreeListCont));
-
- for(table = IPsecSAref2table(ipsec_sadb.refFreeListCont);
- table < IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES;
- table++) {
- if(ipsec_sadb.refTable[table] == NULL) {
- error = ipsec_SArefSubTable_alloc(table);
- if(error) {
- return error;
- }
- }
- for(entry = IPsecSAref2entry(ipsec_sadb.refFreeListCont);
- entry < IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES;
- entry++) {
- if(ipsec_sadb.refTable[table]->entry[entry] == NULL) {
- ipsec_sadb.refFreeList[++ipsec_sadb.refFreeListTail] = IPsecSArefBuild(table, entry);
- if(ipsec_sadb.refFreeListTail == (IPSEC_SA_REF_FREELIST_NUM_ENTRIES - 1)) {
- ipsec_sadb.refFreeListHead = 0;
- ipsec_sadb.refFreeListCont = ipsec_sadb.refFreeList[ipsec_sadb.refFreeListTail] + 1;
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_SAref_recycle: "
- "SArefFreeList refilled.\n");
- return 0;
- }
- }
- }
- }
-
- if(ipsec_sadb.refFreeListTail == -1) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_SAref_recycle: "
- "out of room in the SArefTable.\n");
-
- return(-ENOSPC);
- }
-
- ipsec_sadb.refFreeListHead = 0;
- ipsec_sadb.refFreeListCont = ipsec_sadb.refFreeList[ipsec_sadb.refFreeListTail] + 1;
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_SAref_recycle: "
- "SArefFreeList partly refilled to %d of %d.\n",
- ipsec_sadb.refFreeListTail,
- IPSEC_SA_REF_FREELIST_NUM_ENTRIES);
- return 0;
-}
-
-int
-ipsec_SArefSubTable_alloc(unsigned table)
-{
- unsigned entry;
- struct IPsecSArefSubTable* SArefsub;
-
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_SArefSubTable_alloc: "
- "allocating %lu bytes for table %u of %u.\n",
- (unsigned long) (IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES * sizeof(struct ipsec_sa *)),
- table,
- IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES);
-
- /* allocate another sub-table */
- SArefsub = vmalloc(IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES * sizeof(struct ipsec_sa *));
- if(SArefsub == NULL) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_SArefSubTable_alloc: "
- "error allocating memory for table %u of %u!\n",
- table,
- IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES);
- return -ENOMEM;
- }
-
- /* add this sub-table to the main table */
- ipsec_sadb.refTable[table] = SArefsub;
-
- /* initialise each element to NULL */
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_SArefSubTable_alloc: "
- "initialising %u elements (2 ^ %u) of table %u.\n",
- IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES,
- IPSEC_SA_REF_SUBTABLE_IDX_WIDTH,
- table);
- for(entry = 0; entry < IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES; entry++) {
- SArefsub->entry[entry] = NULL;
- }
-
- return 0;
-}
-#endif /* IPSEC_SA_REF_CODE */
-
-int
-ipsec_saref_freelist_init(void)
-{
- int i;
-
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_saref_freelist_init: "
- "initialising %u elements of FreeList.\n",
- IPSEC_SA_REF_FREELIST_NUM_ENTRIES);
-
- for(i = 0; i < IPSEC_SA_REF_FREELIST_NUM_ENTRIES; i++) {
- ipsec_sadb.refFreeList[i] = IPSEC_SAREF_NULL;
- }
- ipsec_sadb.refFreeListHead = -1;
- ipsec_sadb.refFreeListCont = 0;
- ipsec_sadb.refFreeListTail = -1;
-
- return 0;
-}
-
-int
-ipsec_sadb_init(void)
-{
- int error = 0;
- unsigned i;
-
- for(i = 0; i < SADB_HASHMOD; i++) {
- ipsec_sadb_hash[i] = NULL;
- }
- /* parts above are for the old style SADB hash table */
-
-
-#if IPSEC_SA_REF_CODE
- /* initialise SA reference table */
-
- /* initialise the main table */
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sadb_init: "
- "initialising main table of size %u (2 ^ %u).\n",
- IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES,
- IPSEC_SA_REF_MAINTABLE_IDX_WIDTH);
- {
- unsigned table;
- for(table = 0; table < IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES; table++) {
- ipsec_sadb.refTable[table] = NULL;
- }
- }
-
- /* allocate the first sub-table */
- error = ipsec_SArefSubTable_alloc(0);
- if(error) {
- return error;
- }
-
- error = ipsec_saref_freelist_init();
-#endif /* IPSEC_SA_REF_CODE */
- return error;
-}
-
-#if IPSEC_SA_REF_CODE
-IPsecSAref_t
-ipsec_SAref_alloc(int*error) /* pass in error var by pointer */
-{
- IPsecSAref_t SAref;
-
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_SAref_alloc: "
- "SAref requested... head=%d, cont=%d, tail=%d, listsize=%d.\n",
- ipsec_sadb.refFreeListHead,
- ipsec_sadb.refFreeListCont,
- ipsec_sadb.refFreeListTail,
- IPSEC_SA_REF_FREELIST_NUM_ENTRIES);
-
- if(ipsec_sadb.refFreeListHead == -1) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_SAref_alloc: "
- "FreeList empty, recycling...\n");
- *error = ipsec_SAref_recycle();
- if(*error) {
- return IPSEC_SAREF_NULL;
- }
- }
-
- SAref = ipsec_sadb.refFreeList[ipsec_sadb.refFreeListHead];
- if(SAref == IPSEC_SAREF_NULL) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_SAref_alloc: "
- "unexpected error, refFreeListHead = %d points to invalid entry.\n",
- ipsec_sadb.refFreeListHead);
- *error = -ESPIPE;
- return IPSEC_SAREF_NULL;
- }
-
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_SAref_alloc: "
- "allocating SAref=%d, table=%u, entry=%u of %u.\n",
- SAref,
- IPsecSAref2table(SAref),
- IPsecSAref2entry(SAref),
- IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES * IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES);
-
- ipsec_sadb.refFreeList[ipsec_sadb.refFreeListHead] = IPSEC_SAREF_NULL;
- ipsec_sadb.refFreeListHead++;
- if(ipsec_sadb.refFreeListHead > ipsec_sadb.refFreeListTail) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_SAref_alloc: "
- "last FreeList entry allocated, resetting list head to empty.\n");
- ipsec_sadb.refFreeListHead = -1;
- }
-
- return SAref;
-}
-#endif /* IPSEC_SA_REF_CODE */
-
-int
-ipsec_sa_print(struct ipsec_sa *ips)
-{
- char sa[SATOA_BUF];
- size_t sa_len;
-
- printk(KERN_INFO "klips_debug: SA:");
- if(ips == NULL) {
- printk("NULL\n");
- return -ENOENT;
- }
- printk(" ref=%d", ips->ips_ref);
- printk(" refcount=%d", atomic_read(&ips->ips_refcount));
- if(ips->ips_hnext != NULL) {
- printk(" hnext=0p%p", ips->ips_hnext);
- }
- if(ips->ips_inext != NULL) {
- printk(" inext=0p%p", ips->ips_inext);
- }
- if(ips->ips_onext != NULL) {
- printk(" onext=0p%p", ips->ips_onext);
- }
- sa_len = satoa(ips->ips_said, 0, sa, SATOA_BUF);
- printk(" said=%s", sa_len ? sa : " (error)");
- if(ips->ips_seq) {
- printk(" seq=%u", ips->ips_seq);
- }
- if(ips->ips_pid) {
- printk(" pid=%u", ips->ips_pid);
- }
- if(ips->ips_authalg) {
- printk(" authalg=%u", ips->ips_authalg);
- }
- if(ips->ips_encalg) {
- printk(" encalg=%u", ips->ips_encalg);
- }
- printk(" XFORM=%s%s%s", IPS_XFORM_NAME(ips));
- if(ips->ips_replaywin) {
- printk(" ooowin=%u", ips->ips_replaywin);
- }
- if(ips->ips_flags) {
- printk(" flags=%u", ips->ips_flags);
- }
- if(ips->ips_addr_s) {
- char buf[SUBNETTOA_BUF];
- addrtoa(((struct sockaddr_in*)(ips->ips_addr_s))->sin_addr,
- 0, buf, sizeof(buf));
- printk(" src=%s", buf);
- }
- if(ips->ips_addr_d) {
- char buf[SUBNETTOA_BUF];
- addrtoa(((struct sockaddr_in*)(ips->ips_addr_s))->sin_addr,
- 0, buf, sizeof(buf));
- printk(" dst=%s", buf);
- }
- if(ips->ips_addr_p) {
- char buf[SUBNETTOA_BUF];
- addrtoa(((struct sockaddr_in*)(ips->ips_addr_p))->sin_addr,
- 0, buf, sizeof(buf));
- printk(" proxy=%s", buf);
- }
- if(ips->ips_key_bits_a) {
- printk(" key_bits_a=%u", ips->ips_key_bits_a);
- }
- if(ips->ips_key_bits_e) {
- printk(" key_bits_e=%u", ips->ips_key_bits_e);
- }
-
- printk("\n");
- return 0;
-}
-
-struct ipsec_sa*
-ipsec_sa_alloc(int*error) /* pass in error var by pointer */
-{
- struct ipsec_sa* ips;
-
- if((ips = kmalloc(sizeof(*ips), GFP_ATOMIC) ) == NULL) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_alloc: "
- "memory allocation error\n");
- *error = -ENOMEM;
- return NULL;
- }
- memset((caddr_t)ips, 0, sizeof(*ips));
-#if IPSEC_SA_REF_CODE
- ips->ips_ref = ipsec_SAref_alloc(error); /* pass in error return by pointer */
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_alloc: "
- "allocated %lu bytes for ipsec_sa struct=0p%p ref=%d.\n",
- (unsigned long) sizeof(*ips),
- ips,
- ips->ips_ref);
- if(ips->ips_ref == IPSEC_SAREF_NULL) {
- kfree(ips);
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_alloc: "
- "SAref allocation error\n");
- return NULL;
- }
-
- atomic_inc(&ips->ips_refcount);
- IPsecSAref2SA(ips->ips_ref) = ips;
-#endif /* IPSEC_SA_REF_CODE */
-
- *error = 0;
- return(ips);
-}
-
-int
-ipsec_sa_free(struct ipsec_sa* ips)
-{
- return ipsec_sa_wipe(ips);
-}
-
-struct ipsec_sa *
-ipsec_sa_getbyid(struct sa_id *said)
-{
- int hashval;
- struct ipsec_sa *ips;
- char sa[SATOA_BUF];
- size_t sa_len;
-
- if(said == NULL) {
- KLIPS_PRINT(debug_xform,
- "klips_error:ipsec_sa_getbyid: "
- "null pointer passed in!\n");
- return NULL;
- }
-
- sa_len = satoa(*said, 0, sa, SATOA_BUF);
-
- hashval = (said->spi+said->dst.s_addr+said->proto) % SADB_HASHMOD;
-
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_getbyid: "
- "linked entry in ipsec_sa table for hash=%d of SA:%s requested.\n",
- hashval,
- sa_len ? sa : " (error)");
-
- if((ips = ipsec_sadb_hash[hashval]) == NULL) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_getbyid: "
- "no entries in ipsec_sa table for hash=%d of SA:%s.\n",
- hashval,
- sa_len ? sa : " (error)");
- return NULL;
- }
-
- for (; ips; ips = ips->ips_hnext) {
- if ((ips->ips_said.spi == said->spi) &&
- (ips->ips_said.dst.s_addr == said->dst.s_addr) &&
- (ips->ips_said.proto == said->proto)) {
- atomic_inc(&ips->ips_refcount);
- return ips;
- }
- }
-
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_getbyid: "
- "no entry in linked list for hash=%d of SA:%s.\n",
- hashval,
- sa_len ? sa : " (error)");
- return NULL;
-}
-
-int
-ipsec_sa_put(struct ipsec_sa *ips)
-{
- char sa[SATOA_BUF];
- size_t sa_len;
-
- if(ips == NULL) {
- KLIPS_PRINT(debug_xform,
- "klips_error:ipsec_sa_put: "
- "null pointer passed in!\n");
- return -1;
- }
-
- sa_len = satoa(ips->ips_said, 0, sa, SATOA_BUF);
-
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_put: "
- "ipsec_sa SA:%s, ref:%d reference count decremented.\n",
- sa_len ? sa : " (error)",
- ips->ips_ref);
-
- atomic_dec(&ips->ips_refcount);
-
- return 0;
-}
-
-/*
- The ipsec_sa table better *NOT* be locked before it is handed in, or SMP locks will happen
-*/
-int
-ipsec_sa_add(struct ipsec_sa *ips)
-{
- int error = 0;
- unsigned int hashval;
-
- if(ips == NULL) {
- KLIPS_PRINT(debug_xform,
- "klips_error:ipsec_sa_add: "
- "null pointer passed in!\n");
- return -ENODATA;
- }
- hashval = ((ips->ips_said.spi + ips->ips_said.dst.s_addr + ips->ips_said.proto) % SADB_HASHMOD);
-
- atomic_inc(&ips->ips_refcount);
- spin_lock_bh(&tdb_lock);
-
- ips->ips_hnext = ipsec_sadb_hash[hashval];
- ipsec_sadb_hash[hashval] = ips;
-
- spin_unlock_bh(&tdb_lock);
-
- return error;
-}
-
-/*
- The ipsec_sa table better be locked before it is handed in, or races might happen
-*/
-int
-ipsec_sa_del(struct ipsec_sa *ips)
-{
- unsigned int hashval;
- struct ipsec_sa *ipstp;
- char sa[SATOA_BUF];
- size_t sa_len;
-
- if(ips == NULL) {
- KLIPS_PRINT(debug_xform,
- "klips_error:ipsec_sa_del: "
- "null pointer passed in!\n");
- return -ENODATA;
- }
-
- sa_len = satoa(ips->ips_said, 0, sa, SATOA_BUF);
- if(ips->ips_inext || ips->ips_onext) {
- KLIPS_PRINT(debug_xform,
- "klips_error:ipsec_sa_del: "
- "SA:%s still linked!\n",
- sa_len ? sa : " (error)");
- return -EMLINK;
- }
-
- hashval = ((ips->ips_said.spi + ips->ips_said.dst.s_addr + ips->ips_said.proto) % SADB_HASHMOD);
-
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_del: "
- "deleting SA:%s, hashval=%d.\n",
- sa_len ? sa : " (error)",
- hashval);
- if(ipsec_sadb_hash[hashval] == NULL) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_del: "
- "no entries in ipsec_sa table for hash=%d of SA:%s.\n",
- hashval,
- sa_len ? sa : " (error)");
- return -ENOENT;
- }
-
- if (ips == ipsec_sadb_hash[hashval]) {
- ipsec_sadb_hash[hashval] = ipsec_sadb_hash[hashval]->ips_hnext;
- ips->ips_hnext = NULL;
- atomic_dec(&ips->ips_refcount);
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_del: "
- "successfully deleted first ipsec_sa in chain.\n");
- return 0;
- } else {
- for (ipstp = ipsec_sadb_hash[hashval];
- ipstp;
- ipstp = ipstp->ips_hnext) {
- if (ipstp->ips_hnext == ips) {
- ipstp->ips_hnext = ips->ips_hnext;
- ips->ips_hnext = NULL;
- atomic_dec(&ips->ips_refcount);
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_del: "
- "successfully deleted link in ipsec_sa chain.\n");
- return 0;
- }
- }
- }
-
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_del: "
- "no entries in linked list for hash=%d of SA:%s.\n",
- hashval,
- sa_len ? sa : " (error)");
- return -ENOENT;
-}
-
-/*
- The ipsec_sa table better be locked before it is handed in, or races
- might happen
-*/
-int
-ipsec_sa_delchain(struct ipsec_sa *ips)
-{
- struct ipsec_sa *ipsdel;
- int error = 0;
- char sa[SATOA_BUF];
- size_t sa_len;
-
- if(ips == NULL) {
- KLIPS_PRINT(debug_xform,
- "klips_error:ipsec_sa_delchain: "
- "null pointer passed in!\n");
- return -ENODATA;
- }
-
- sa_len = satoa(ips->ips_said, 0, sa, SATOA_BUF);
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_delchain: "
- "passed SA:%s\n",
- sa_len ? sa : " (error)");
- while(ips->ips_onext != NULL) {
- ips = ips->ips_onext;
- }
-
- while(ips) {
- /* XXX send a pfkey message up to advise of deleted ipsec_sa */
- sa_len = satoa(ips->ips_said, 0, sa, SATOA_BUF);
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_delchain: "
- "unlinking and delting SA:%s",
- sa_len ? sa : " (error)");
- ipsdel = ips;
- ips = ips->ips_inext;
- if(ips != NULL) {
- sa_len = satoa(ips->ips_said, 0, sa, SATOA_BUF);
- KLIPS_PRINT(debug_xform,
- ", inext=%s",
- sa_len ? sa : " (error)");
- atomic_dec(&ipsdel->ips_refcount);
- ipsdel->ips_inext = NULL;
- atomic_dec(&ips->ips_refcount);
- ips->ips_onext = NULL;
- }
- KLIPS_PRINT(debug_xform,
- ".\n");
- if((error = ipsec_sa_del(ipsdel))) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_delchain: "
- "ipsec_sa_del returned error %d.\n", -error);
- return error;
- }
- if((error = ipsec_sa_wipe(ipsdel))) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_delchain: "
- "ipsec_sa_wipe returned error %d.\n", -error);
- return error;
- }
- }
- return error;
-}
-
-int
-ipsec_sadb_cleanup(__u8 proto)
-{
- unsigned i;
- int error = 0;
- struct ipsec_sa *ips, **ipsprev, *ipsdel;
- char sa[SATOA_BUF];
- size_t sa_len;
-
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sadb_cleanup: "
- "cleaning up proto=%d.\n",
- proto);
-
- spin_lock_bh(&tdb_lock);
-
- for (i = 0; i < SADB_HASHMOD; i++) {
- ipsprev = &(ipsec_sadb_hash[i]);
- ips = ipsec_sadb_hash[i];
- if(ips != NULL) {
- atomic_inc(&ips->ips_refcount);
- }
- for(; ips != NULL;) {
- sa_len = satoa(ips->ips_said, 0, sa, SATOA_BUF);
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sadb_cleanup: "
- "checking SA:%s, hash=%d, ref=%d",
- sa_len ? sa : " (error)",
- i,
- ips->ips_ref);
- ipsdel = ips;
- ips = ipsdel->ips_hnext;
- if(ips != NULL) {
- atomic_inc(&ips->ips_refcount);
- sa_len = satoa(ips->ips_said, 0, sa, SATOA_BUF);
- KLIPS_PRINT(debug_xform,
- ", hnext=%s",
- sa_len ? sa : " (error)");
- }
- if(*ipsprev != NULL) {
- sa_len = satoa((*ipsprev)->ips_said, 0, sa, SATOA_BUF);
- KLIPS_PRINT(debug_xform,
- ", *ipsprev=%s",
- sa_len ? sa : " (error)");
- if((*ipsprev)->ips_hnext) {
- sa_len = satoa((*ipsprev)->ips_hnext->ips_said, 0, sa, SATOA_BUF);
- KLIPS_PRINT(debug_xform,
- ", *ipsprev->ips_hnext=%s",
- sa_len ? sa : " (error)");
- }
- }
- KLIPS_PRINT(debug_xform,
- ".\n");
- if(proto == 0 || (proto == ipsdel->ips_said.proto)) {
- sa_len = satoa(ipsdel->ips_said, 0, sa, SATOA_BUF);
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sadb_cleanup: "
- "deleting SA chain:%s.\n",
- sa_len ? sa : " (error)");
- if((error = ipsec_sa_delchain(ipsdel))) {
- SENDERR(-error);
- }
- ipsprev = &(ipsec_sadb_hash[i]);
- ips = ipsec_sadb_hash[i];
-
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sadb_cleanup: "
- "deleted SA chain:%s",
- sa_len ? sa : " (error)");
- if(ips != NULL) {
- sa_len = satoa(ips->ips_said, 0, sa, SATOA_BUF);
- KLIPS_PRINT(debug_xform,
- ", ipsec_sadb_hash[%d]=%s",
- i,
- sa_len ? sa : " (error)");
- }
- if(*ipsprev != NULL) {
- sa_len = satoa((*ipsprev)->ips_said, 0, sa, SATOA_BUF);
- KLIPS_PRINT(debug_xform,
- ", *ipsprev=%s",
- sa_len ? sa : " (error)");
- if((*ipsprev)->ips_hnext != NULL) {
- sa_len = satoa((*ipsprev)->ips_hnext->ips_said, 0, sa, SATOA_BUF);
- KLIPS_PRINT(debug_xform,
- ", *ipsprev->ips_hnext=%s",
- sa_len ? sa : " (error)");
- }
- }
- KLIPS_PRINT(debug_xform,
- ".\n");
- } else {
- ipsprev = &ipsdel;
- }
- if(ipsdel != NULL) {
- ipsec_sa_put(ipsdel);
- }
- }
- }
- errlab:
-
- spin_unlock_bh(&tdb_lock);
-
-
-#if IPSEC_SA_REF_CODE
- /* clean up SA reference table */
-
- /* go through the ref table and clean out all the SAs */
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sadb_cleanup: "
- "removing SAref entries and tables.");
- {
- unsigned table, entry;
- for(table = 0; table < IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES; table++) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sadb_cleanup: "
- "cleaning SAref table=%u.\n",
- table);
- if(ipsec_sadb.refTable[table] == NULL) {
- printk("\n");
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sadb_cleanup: "
- "cleaned %u used refTables.\n",
- table);
- break;
- }
- for(entry = 0; entry < IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES; entry++) {
- if(ipsec_sadb.refTable[table]->entry[entry] != NULL) {
- ipsec_sa_delchain(ipsec_sadb.refTable[table]->entry[entry]);
- ipsec_sadb.refTable[table]->entry[entry] = NULL;
- }
- }
- }
- }
-#endif /* IPSEC_SA_REF_CODE */
-
- return(error);
-}
-
-int
-ipsec_sadb_free(void)
-{
- int error = 0;
-
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sadb_free: "
- "freeing SArefTable memory.\n");
-
- /* clean up SA reference table */
-
- /* go through the ref table and clean out all the SAs if any are
- left and free table memory */
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sadb_free: "
- "removing SAref entries and tables.\n");
- {
- unsigned table, entry;
- for(table = 0; table < IPSEC_SA_REF_MAINTABLE_NUM_ENTRIES; table++) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sadb_free: "
- "removing SAref table=%u.\n",
- table);
- if(ipsec_sadb.refTable[table] == NULL) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sadb_free: "
- "removed %u used refTables.\n",
- table);
- break;
- }
- for(entry = 0; entry < IPSEC_SA_REF_SUBTABLE_NUM_ENTRIES; entry++) {
- if(ipsec_sadb.refTable[table]->entry[entry] != NULL) {
- ipsec_sa_delchain(ipsec_sadb.refTable[table]->entry[entry]);
- ipsec_sadb.refTable[table]->entry[entry] = NULL;
- }
- }
- vfree(ipsec_sadb.refTable[table]);
- ipsec_sadb.refTable[table] = NULL;
- }
- }
-
- return(error);
-}
-
-int
-ipsec_sa_wipe(struct ipsec_sa *ips)
-{
- if(ips == NULL) {
- return -ENODATA;
- }
-
- /* if(atomic_dec_and_test(ips)) {
- }; */
-
-#if IPSEC_SA_REF_CODE
- /* remove me from the SArefTable */
- {
- char sa[SATOA_BUF];
- size_t sa_len;
- sa_len = satoa(ips->ips_said, 0, sa, SATOA_BUF);
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_wipe: "
- "removing SA=%s(0p%p), SAref=%d, table=%d(0p%p), entry=%d from the refTable.\n",
- sa_len ? sa : " (error)",
- ips,
- ips->ips_ref,
- IPsecSAref2table(IPsecSA2SAref(ips)),
- ipsec_sadb.refTable[IPsecSAref2table(IPsecSA2SAref(ips))],
- IPsecSAref2entry(IPsecSA2SAref(ips)));
- }
- if(ips->ips_ref == IPSEC_SAREF_NULL) {
- KLIPS_PRINT(debug_xform,
- "klips_debug:ipsec_sa_wipe: "
- "why does this SA not have a valid SAref?.\n");
- }
- ipsec_sadb.refTable[IPsecSAref2table(IPsecSA2SAref(ips))]->entry[IPsecSAref2entry(IPsecSA2SAref(ips))] = NULL;
- ips->ips_ref = IPSEC_SAREF_NULL;
- ipsec_sa_put(ips);
-#endif /* IPSEC_SA_REF_CODE */
-
- /* paranoid clean up */
- if(ips->ips_addr_s != NULL) {
- memset((caddr_t)(ips->ips_addr_s), 0, ips->ips_addr_s_size);
- kfree(ips->ips_addr_s);
- }
- ips->ips_addr_s = NULL;
-
- if(ips->ips_addr_d != NULL) {
- memset((caddr_t)(ips->ips_addr_d), 0, ips->ips_addr_d_size);
- kfree(ips->ips_addr_d);
- }
- ips->ips_addr_d = NULL;
-
- if(ips->ips_addr_p != NULL) {
- memset((caddr_t)(ips->ips_addr_p), 0, ips->ips_addr_p_size);
- kfree(ips->ips_addr_p);
- }
- ips->ips_addr_p = NULL;
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- if(ips->ips_natt_oa) {
- memset((caddr_t)(ips->ips_natt_oa), 0, ips->ips_natt_oa_size);
- kfree(ips->ips_natt_oa);
- }
- ips->ips_natt_oa = NULL;
-#endif
-
- if(ips->ips_key_a != NULL) {
- memset((caddr_t)(ips->ips_key_a), 0, ips->ips_key_a_size);
- kfree(ips->ips_key_a);
- }
- ips->ips_key_a = NULL;
-
- if(ips->ips_key_e != NULL) {
-#ifdef CONFIG_IPSEC_ALG
- if (ips->ips_alg_enc&&ips->ips_alg_enc->ixt_e_destroy_key) {
- ips->ips_alg_enc->ixt_e_destroy_key(ips->ips_alg_enc,
- ips->ips_key_e);
- } else {
-#endif /* CONFIG_IPSEC_ALG */
- memset((caddr_t)(ips->ips_key_e), 0, ips->ips_key_e_size);
- kfree(ips->ips_key_e);
-#ifdef CONFIG_IPSEC_ALG
- }
-#endif /* CONFIG_IPSEC_ALG */
- }
- ips->ips_key_e = NULL;
-
- if(ips->ips_iv != NULL) {
- memset((caddr_t)(ips->ips_iv), 0, ips->ips_iv_size);
- kfree(ips->ips_iv);
- }
- ips->ips_iv = NULL;
-
- if(ips->ips_ident_s.data != NULL) {
- memset((caddr_t)(ips->ips_ident_s.data),
- 0,
- ips->ips_ident_s.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident));
- kfree(ips->ips_ident_s.data);
- }
- ips->ips_ident_s.data = NULL;
-
- if(ips->ips_ident_d.data != NULL) {
- memset((caddr_t)(ips->ips_ident_d.data),
- 0,
- ips->ips_ident_d.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident));
- kfree(ips->ips_ident_d.data);
- }
- ips->ips_ident_d.data = NULL;
-
-#ifdef CONFIG_IPSEC_ALG
- if (ips->ips_alg_enc||ips->ips_alg_auth) {
- ipsec_alg_sa_wipe(ips);
- }
-#endif /* CONFIG_IPSEC_ALG */
-
- memset((caddr_t)ips, 0, sizeof(*ips));
- kfree(ips);
- ips = NULL;
-
- return 0;
-}
diff --git a/linux/net/ipsec/ipsec_sha1.c b/linux/net/ipsec/ipsec_sha1.c
deleted file mode 100644
index 389a55b06..000000000
--- a/linux/net/ipsec/ipsec_sha1.c
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * RCSID $Id: ipsec_sha1.c,v 1.1 2004/03/15 20:35:26 as Exp $
- */
-
-/*
- * The rest of the code is derived from sha1.c by Steve Reid, which is
- * public domain.
- * Minor cosmetic changes to accomodate it in the Linux kernel by ji.
- */
-
-#include <asm/byteorder.h>
-#include <linux/string.h>
-
-#include "freeswan/ipsec_sha1.h"
-
-#if defined(rol)
-#undef rol
-#endif
-
-#define SHA1HANDSOFF
-
-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
-
-/* blk0() and blk() perform the initial expand. */
-/* I got the idea of expanding during the round function from SSLeay */
-#ifdef __LITTLE_ENDIAN
-#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
- |(rol(block->l[i],8)&0x00FF00FF))
-#else
-#define blk0(i) block->l[i]
-#endif
-#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
- ^block->l[(i+2)&15]^block->l[i&15],1))
-
-/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
-#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
-#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
-#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
-#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
-#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
-
-
-/* Hash a single 512-bit block. This is the core of the algorithm. */
-
-void SHA1Transform(__u32 state[5], __u8 buffer[64])
-{
-__u32 a, b, c, d, e;
-typedef union {
- unsigned char c[64];
- __u32 l[16];
-} CHAR64LONG16;
-CHAR64LONG16* block;
-#ifdef SHA1HANDSOFF
-static unsigned char workspace[64];
- block = (CHAR64LONG16*)workspace;
- memcpy(block, buffer, 64);
-#else
- block = (CHAR64LONG16*)buffer;
-#endif
- /* Copy context->state[] to working vars */
- a = state[0];
- b = state[1];
- c = state[2];
- d = state[3];
- e = state[4];
- /* 4 rounds of 20 operations each. Loop unrolled. */
- R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
- R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
- R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
- R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
- R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
- R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
- R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
- R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
- R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
- R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
- R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
- R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
- R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
- R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
- R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
- R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
- R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
- R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
- R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
- R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
- /* Add the working vars back into context.state[] */
- state[0] += a;
- state[1] += b;
- state[2] += c;
- state[3] += d;
- state[4] += e;
- /* Wipe variables */
- a = b = c = d = e = 0;
-}
-
-
-/* SHA1Init - Initialize new context */
-
-void SHA1Init(void *vcontext)
-{
- SHA1_CTX* context = vcontext;
-
- /* SHA1 initialization constants */
- context->state[0] = 0x67452301;
- context->state[1] = 0xEFCDAB89;
- context->state[2] = 0x98BADCFE;
- context->state[3] = 0x10325476;
- context->state[4] = 0xC3D2E1F0;
- context->count[0] = context->count[1] = 0;
-}
-
-
-/* Run your data through this. */
-
-void SHA1Update(void *vcontext, unsigned char* data, __u32 len)
-{
- SHA1_CTX* context = vcontext;
- __u32 i, j;
-
- j = context->count[0];
- if ((context->count[0] += len << 3) < j)
- context->count[1]++;
- context->count[1] += (len>>29);
- j = (j >> 3) & 63;
- if ((j + len) > 63) {
- memcpy(&context->buffer[j], data, (i = 64-j));
- SHA1Transform(context->state, context->buffer);
- for ( ; i + 63 < len; i += 64) {
- SHA1Transform(context->state, &data[i]);
- }
- j = 0;
- }
- else i = 0;
- memcpy(&context->buffer[j], &data[i], len - i);
-}
-
-
-/* Add padding and return the message digest. */
-
-void SHA1Final(unsigned char digest[20], void *vcontext)
-{
- __u32 i, j;
- unsigned char finalcount[8];
- SHA1_CTX* context = vcontext;
-
- for (i = 0; i < 8; i++) {
- finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
- >> ((3-(i & 3)) * 8) ) & 255); /* Endian independent */
- }
- SHA1Update(context, (unsigned char *)"\200", 1);
- while ((context->count[0] & 504) != 448) {
- SHA1Update(context, (unsigned char *)"\0", 1);
- }
- SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */
- for (i = 0; i < 20; i++) {
- digest[i] = (unsigned char)
- ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
- }
- /* Wipe variables */
- i = j = 0;
- memset(context->buffer, 0, 64);
- memset(context->state, 0, 20);
- memset(context->count, 0, 8);
- memset(&finalcount, 0, 8);
-#ifdef SHA1HANDSOFF /* make SHA1Transform overwrite its own static vars */
- SHA1Transform(context->state, context->buffer);
-#endif
-}
-
-
-/*
- * $Log: ipsec_sha1.c,v $
- * Revision 1.1 2004/03/15 20:35:26 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.8 2002/09/10 01:45:14 mcr
- * changed type of MD5_CTX and SHA1_CTX to void * so that
- * the function prototypes would match, and could be placed
- * into a pointer to a function.
- *
- * Revision 1.7 2002/04/24 07:55:32 mcr
- * #include patches and Makefiles for post-reorg compilation.
- *
- * Revision 1.6 2002/04/24 07:36:30 mcr
- * Moved from ./klips/net/ipsec/ipsec_sha1.c,v
- *
- * Revision 1.5 1999/12/13 13:59:13 rgb
- * Quick fix to argument size to Update bugs.
- *
- * Revision 1.4 1999/04/11 00:29:00 henry
- * GPL boilerplate
- *
- * Revision 1.3 1999/04/06 04:54:27 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.2 1999/01/22 06:55:50 rgb
- * 64-bit clean-up.
- *
- * Revision 1.1 1998/06/18 21:27:50 henry
- * move sources from klips/src to klips/net/ipsec, to keep stupid
- * kernel-build scripts happier in the presence of symlinks
- *
- * Revision 1.2 1998/04/23 20:54:04 rgb
- * Fixed md5 and sha1 include file nesting issues, to be cleaned up when
- * verified.
- *
- * Revision 1.1 1998/04/09 03:06:11 henry
- * sources moved up from linux/net/ipsec
- *
- * Revision 1.1.1.1 1998/04/08 05:35:05 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.4 1997/01/15 01:28:15 ji
- * New transform
- *
- *
- */
diff --git a/linux/net/ipsec/ipsec_tunnel.c b/linux/net/ipsec/ipsec_tunnel.c
deleted file mode 100644
index de86843bb..000000000
--- a/linux/net/ipsec/ipsec_tunnel.c
+++ /dev/null
@@ -1,1671 +0,0 @@
-/*
- * IPSEC Tunneling code. Heavily based on drivers/net/new_tunnel.c
- * Copyright (C) 1996, 1997 John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003 Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-char ipsec_tunnel_c_version[] = "RCSID $Id: ipsec_tunnel.c,v 1.4 2005/06/16 21:21:02 as Exp $";
-
-#define __NO_VERSION__
-#include <linux/module.h>
-#include <linux/config.h> /* for CONFIG_IP_FORWARD */
-#include <linux/version.h>
-#include <linux/kernel.h> /* printk() */
-
-#include "freeswan/ipsec_param.h"
-
-#ifdef MALLOC_SLAB
-# include <linux/slab.h> /* kmalloc() */
-#else /* MALLOC_SLAB */
-# include <linux/malloc.h> /* kmalloc() */
-#endif /* MALLOC_SLAB */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/interrupt.h> /* mark_bh */
-
-#include <linux/netdevice.h> /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/ip.h> /* struct iphdr */
-#include <linux/tcp.h> /* struct tcphdr */
-#include <linux/udp.h> /* struct udphdr */
-#include <linux/skbuff.h>
-#include <freeswan.h>
-#ifdef NET_21
-# include <asm/uaccess.h>
-# include <linux/in6.h>
-# define ip_chk_addr inet_addr_type
-# define IS_MYADDR RTN_LOCAL
-# include <net/dst.h>
-# undef dev_kfree_skb
-# define dev_kfree_skb(a,b) kfree_skb(a)
-# define PHYSDEV_TYPE
-#endif /* NET_21 */
-#include <asm/checksum.h>
-#include <net/icmp.h> /* icmp_send() */
-#include <net/ip.h>
-#ifdef NETDEV_23
-# include <linux/netfilter_ipv4.h>
-#endif /* NETDEV_23 */
-
-#include <linux/if_arp.h>
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_life.h"
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_eroute.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_radij.h"
-#include "freeswan/ipsec_sa.h"
-#include "freeswan/ipsec_tunnel.h"
-#include "freeswan/ipsec_xmit.h"
-#include "freeswan/ipsec_ipe4.h"
-#include "freeswan/ipsec_ah.h"
-#include "freeswan/ipsec_esp.h"
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "freeswan/ipsec_proto.h"
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-#include <linux/udp.h>
-#endif
-
-static __u32 zeroes[64];
-
-#ifdef CONFIG_IPSEC_DEBUG
-int debug_tunnel = 0;
-#endif /* CONFIG_IPSEC_DEBUG */
-
-DEBUG_NO_STATIC int
-ipsec_tunnel_open(struct device *dev)
-{
- struct ipsecpriv *prv = dev->priv;
-
- /*
- * Can't open until attached.
- */
-
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_open: "
- "dev = %s, prv->dev = %s\n",
- dev->name, prv->dev?prv->dev->name:"NONE");
-
- if (prv->dev == NULL)
- return -ENODEV;
-
- MOD_INC_USE_COUNT;
- return 0;
-}
-
-DEBUG_NO_STATIC int
-ipsec_tunnel_close(struct device *dev)
-{
- MOD_DEC_USE_COUNT;
- return 0;
-}
-
-#ifdef NETDEV_23
-static inline int ipsec_tunnel_xmit2(struct sk_buff *skb)
-{
-#ifdef NETDEV_25 /* 2.6 kernels */
- return dst_output(skb);
-#else
- return ip_send(skb);
-#endif
-}
-#endif /* NETDEV_23 */
-
-enum ipsec_xmit_value
-ipsec_tunnel_strip_hard_header(struct ipsec_xmit_state *ixs)
-{
- /* ixs->physdev->hard_header_len is unreliable and should not be used */
- ixs->hard_header_len = (unsigned char *)(ixs->iph) - ixs->skb->data;
-
- if(ixs->hard_header_len < 0) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_error:ipsec_xmit_strip_hard_header: "
- "Negative hard_header_len (%d)?!\n", ixs->hard_header_len);
- ixs->stats->tx_dropped++;
- return IPSEC_XMIT_BADHHLEN;
- }
-
- /* while ixs->physdev->hard_header_len is unreliable and
- * should not be trusted, it accurate and required for ATM, GRE and
- * some other interfaces to work. Thanks to Willy Tarreau
- * <willy@w.ods.org>.
- */
- if(ixs->hard_header_len == 0) { /* no hard header present */
- ixs->hard_header_stripped = 1;
- ixs->hard_header_len = ixs->physdev->hard_header_len;
- }
-
-#ifdef CONFIG_IPSEC_DEBUG
- if (debug_tunnel & DB_TN_XMIT) {
- int i;
- char c;
-
- printk(KERN_INFO "klips_debug:ipsec_xmit_strip_hard_header: "
- ">>> skb->len=%ld hard_header_len:%d",
- (unsigned long int)ixs->skb->len, ixs->hard_header_len);
- c = ' ';
- for (i=0; i < ixs->hard_header_len; i++) {
- printk("%c%02x", c, ixs->skb->data[i]);
- c = ':';
- }
- printk(" \n");
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-
- KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->iph);
-
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_strip_hard_header: "
- "Original head,tailroom: %d,%d\n",
- skb_headroom(ixs->skb), skb_tailroom(ixs->skb));
-
- return IPSEC_XMIT_OK;
-}
-
-enum ipsec_xmit_value
-ipsec_tunnel_SAlookup(struct ipsec_xmit_state *ixs)
-{
- /*
- * First things first -- look us up in the erouting tables.
- */
- ixs->matcher.sen_len = sizeof (struct sockaddr_encap);
- ixs->matcher.sen_family = AF_ENCAP;
- ixs->matcher.sen_type = SENT_IP4;
- ixs->matcher.sen_ip_src.s_addr = ixs->iph->saddr;
- ixs->matcher.sen_ip_dst.s_addr = ixs->iph->daddr;
- ixs->matcher.sen_proto = ixs->iph->protocol;
- ipsec_extract_ports(ixs->iph, &ixs->matcher);
-
- /*
- * The spinlock is to prevent any other process from accessing or deleting
- * the eroute while we are using and updating it.
- */
- spin_lock(&eroute_lock);
-
- ixs->eroute = ipsec_findroute(&ixs->matcher);
-
- if(ixs->iph->protocol == IPPROTO_UDP) {
- if(ixs->skb->sk) {
- ixs->sport=ntohs(ixs->skb->sk->sport);
- ixs->dport=ntohs(ixs->skb->sk->dport);
- } else if((ntohs(ixs->iph->frag_off) & IP_OFFSET) == 0 &&
- ((ixs->skb->len - ixs->hard_header_len) >=
- ((ixs->iph->ihl << 2) + sizeof(struct udphdr)))) {
- ixs->sport=ntohs(((struct udphdr*)((caddr_t)ixs->iph+(ixs->iph->ihl<<2)))->source);
- ixs->dport=ntohs(((struct udphdr*)((caddr_t)ixs->iph + (ixs->iph->ihl<<2)))->dest);
- } else {
- ixs->sport=0; ixs->dport=0;
- }
- }
-
- /* default to a %drop eroute */
- ixs->outgoing_said.proto = IPPROTO_INT;
- ixs->outgoing_said.spi = htonl(SPI_DROP);
- ixs->outgoing_said.dst.s_addr = INADDR_ANY;
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_SAlookup: "
- "checking for local udp/500 IKE packet "
- "saddr=%x, er=0p%p, daddr=%x, er_dst=%x, proto=%d sport=%d dport=%d\n",
- ntohl((unsigned int)ixs->iph->saddr),
- ixs->eroute,
- ntohl((unsigned int)ixs->iph->daddr),
- ixs->eroute ? ntohl((unsigned int)ixs->eroute->er_said.dst.s_addr) : 0,
- ixs->iph->protocol,
- ixs->sport,
- ixs->dport);
-
- /*
- * Quick cheat for now...are we udp/500 or udp/4500? If so, let it through
- * without interference since it is most likely an IKE packet.
- */
-
- if (ip_chk_addr((unsigned long)ixs->iph->saddr) == IS_MYADDR
- && (!ixs->eroute
- || ixs->iph->daddr == ixs->eroute->er_said.dst.s_addr
- || INADDR_ANY == ixs->eroute->er_said.dst.s_addr)
- && ((ixs->sport == 500) || (ixs->sport == 4500))) {
- /* Whatever the eroute, this is an IKE message
- * from us (i.e. not being forwarded).
- * Furthermore, if there is a tunnel eroute,
- * the destination is the peer for this eroute.
- * So %pass the packet: modify the default %drop.
- */
- ixs->outgoing_said.spi = htonl(SPI_PASS);
- if(!(ixs->skb->sk) && ((ntohs(ixs->iph->frag_off) & IP_MF) != 0)) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_SAlookup: "
- "local UDP/500 (probably IKE) passthrough: base fragment, rest of fragments will probably get filtered.\n");
- }
- } else if (ixs->eroute) {
- ixs->eroute->er_count++;
- ixs->eroute->er_lasttime = jiffies/HZ;
- if(ixs->eroute->er_said.proto==IPPROTO_INT
- && ixs->eroute->er_said.spi==htonl(SPI_HOLD)) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_SAlookup: "
- "shunt SA of HOLD: skb stored in HOLD.\n");
- if(ixs->eroute->er_last != NULL) {
- kfree_skb(ixs->eroute->er_last);
- }
- ixs->eroute->er_last = ixs->skb;
- ixs->skb = NULL;
- ixs->stats->tx_dropped++;
- spin_unlock(&eroute_lock);
- return IPSEC_XMIT_STOLEN;
- }
- ixs->outgoing_said = ixs->eroute->er_said;
- ixs->eroute_pid = ixs->eroute->er_pid;
- /* Copy of the ident for the TRAP/TRAPSUBNET eroutes */
- if(ixs->outgoing_said.proto==IPPROTO_INT
- && (ixs->outgoing_said.spi==htonl(SPI_TRAP)
- || (ixs->outgoing_said.spi==htonl(SPI_TRAPSUBNET)))) {
- int len;
-
- ixs->ips.ips_ident_s.type = ixs->eroute->er_ident_s.type;
- ixs->ips.ips_ident_s.id = ixs->eroute->er_ident_s.id;
- ixs->ips.ips_ident_s.len = ixs->eroute->er_ident_s.len;
- if (ixs->ips.ips_ident_s.len) {
- len = ixs->ips.ips_ident_s.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_SAlookup: "
- "allocating %d bytes for ident_s shunt SA of HOLD: skb stored in HOLD.\n",
- len);
- if ((ixs->ips.ips_ident_s.data = kmalloc(len, GFP_ATOMIC)) == NULL) {
- printk(KERN_WARNING "klips_debug:ipsec_xmit_SAlookup: "
- "Failed, tried to allocate %d bytes for source ident.\n",
- len);
- ixs->stats->tx_dropped++;
- spin_unlock(&eroute_lock);
- return IPSEC_XMIT_ERRMEMALLOC;
- }
- memcpy(ixs->ips.ips_ident_s.data, ixs->eroute->er_ident_s.data, len);
- }
- ixs->ips.ips_ident_d.type = ixs->eroute->er_ident_d.type;
- ixs->ips.ips_ident_d.id = ixs->eroute->er_ident_d.id;
- ixs->ips.ips_ident_d.len = ixs->eroute->er_ident_d.len;
- if (ixs->ips.ips_ident_d.len) {
- len = ixs->ips.ips_ident_d.len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_SAlookup: "
- "allocating %d bytes for ident_d shunt SA of HOLD: skb stored in HOLD.\n",
- len);
- if ((ixs->ips.ips_ident_d.data = kmalloc(len, GFP_ATOMIC)) == NULL) {
- printk(KERN_WARNING "klips_debug:ipsec_xmit_SAlookup: "
- "Failed, tried to allocate %d bytes for dest ident.\n",
- len);
- ixs->stats->tx_dropped++;
- spin_unlock(&eroute_lock);
- return IPSEC_XMIT_ERRMEMALLOC;
- }
- memcpy(ixs->ips.ips_ident_d.data, ixs->eroute->er_ident_d.data, len);
- }
- }
- }
-
- spin_unlock(&eroute_lock);
- return IPSEC_XMIT_OK;
-}
-
-enum ipsec_xmit_value
-ipsec_tunnel_restore_hard_header(struct ipsec_xmit_state*ixs)
-{
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_restore_hard_header: "
- "After recursive xforms -- head,tailroom: %d,%d\n",
- skb_headroom(ixs->skb),
- skb_tailroom(ixs->skb));
-
- if(ixs->saved_header) {
- if(skb_headroom(ixs->skb) < ixs->hard_header_len) {
- printk(KERN_WARNING
- "klips_error:ipsec_xmit_restore_hard_header: "
- "tried to skb_push hhlen=%d, %d available. This should never happen, please report.\n",
- ixs->hard_header_len,
- skb_headroom(ixs->skb));
- ixs->stats->tx_errors++;
- return IPSEC_XMIT_PUSHPULLERR;
-
- }
- skb_push(ixs->skb, ixs->hard_header_len);
- {
- int i;
- for (i = 0; i < ixs->hard_header_len; i++) {
- ixs->skb->data[i] = ixs->saved_header[i];
- }
- }
- }
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- if (ixs->natt_type && ixs->natt_head) {
- struct iphdr *ipp = ixs->skb->nh.iph;
- struct udphdr *udp;
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "encapsulating packet into UDP (NAT-Traversal) (%d %d)\n",
- ixs->natt_type, ixs->natt_head);
- ixs->iphlen = ipp->ihl << 2;
- ipp->tot_len =
- htons(ntohs(ipp->tot_len) + ixs->natt_head);
- if(skb_tailroom(ixs->skb) < ixs->natt_head) {
- printk(KERN_WARNING "klips_error:ipsec_tunnel_start_xmit: "
- "tried to skb_put %d, %d available. "
- "This should never happen, please report.\n",
- ixs->natt_head,
- skb_tailroom(ixs->skb));
- ixs->stats->tx_errors++;
- return IPSEC_XMIT_ESPUDP;
- }
- skb_put(ixs->skb, ixs->natt_head);
- udp = (struct udphdr *)((char *)ipp + ixs->iphlen);
- /* move ESP hdr after UDP hdr */
- memmove((void *)((char *)udp + ixs->natt_head),
- (void *)(udp),
- ntohs(ipp->tot_len) - ixs->iphlen - ixs->natt_head);
- /* clear UDP & Non-IKE Markers (if any) */
- memset(udp, 0, ixs->natt_head);
- /* fill UDP with usefull informations ;-) */
- udp->source = htons(ixs->natt_sport);
- udp->dest = htons(ixs->natt_dport);
- udp->len = htons(ntohs(ipp->tot_len) - ixs->iphlen);
- /* set protocol */
- ipp->protocol = IPPROTO_UDP;
- /* fix IP checksum */
- ipp->check = 0;
- ipp->check = ip_fast_csum((unsigned char *)ipp, ipp->ihl);
- }
-#endif
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_restore_hard_header: "
- "With hard_header, final head,tailroom: %d,%d\n",
- skb_headroom(ixs->skb),
- skb_tailroom(ixs->skb));
-
- return IPSEC_XMIT_OK;
-}
-
-enum ipsec_xmit_value
-ipsec_tunnel_send(struct ipsec_xmit_state*ixs)
-{
-#ifdef NETDEV_25
- struct flowi fl;
-#endif
-
-#ifdef NET_21 /* 2.2 and 2.4 kernels */
- /* new route/dst cache code from James Morris */
- ixs->skb->dev = ixs->physdev;
-#ifdef NETDEV_25
- fl.oif = ixs->physdev->iflink;
- fl.nl_u.ip4_u.daddr = ixs->skb->nh.iph->daddr;
- fl.nl_u.ip4_u.saddr = ixs->pass ? 0 : ixs->skb->nh.iph->saddr;
- fl.nl_u.ip4_u.tos = RT_TOS(ixs->skb->nh.iph->tos);
- fl.proto = ixs->skb->nh.iph->protocol;
- if ((ixs->error = ip_route_output_key(&ixs->route, &fl))) {
-#else
- /*skb_orphan(ixs->skb);*/
- if((ixs->error = ip_route_output(&ixs->route,
- ixs->skb->nh.iph->daddr,
- ixs->pass ? 0 : ixs->skb->nh.iph->saddr,
- RT_TOS(ixs->skb->nh.iph->tos),
- /* mcr->rgb: should this be 0 instead? */
- ixs->physdev->iflink))) {
-#endif
- ixs->stats->tx_errors++;
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_send: "
- "ip_route_output failed with error code %d, rt->u.dst.dev=%s, dropped\n",
- ixs->error,
- ixs->route->u.dst.dev->name);
- return IPSEC_XMIT_ROUTEERR;
- }
- if(ixs->dev == ixs->route->u.dst.dev) {
- ip_rt_put(ixs->route);
- /* This is recursion, drop it. */
- ixs->stats->tx_errors++;
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_send: "
- "suspect recursion, dev=rt->u.dst.dev=%s, dropped\n",
- ixs->dev->name);
- return IPSEC_XMIT_RECURSDETECT;
- }
- dst_release(ixs->skb->dst);
- ixs->skb->dst = &ixs->route->u.dst;
- ixs->stats->tx_bytes += ixs->skb->len;
- if(ixs->skb->len < ixs->skb->nh.raw - ixs->skb->data) {
- ixs->stats->tx_errors++;
- printk(KERN_WARNING
- "klips_error:ipsec_xmit_send: "
- "tried to __skb_pull nh-data=%ld, %d available. This should never happen, please report.\n",
- (unsigned long)(ixs->skb->nh.raw - ixs->skb->data),
- ixs->skb->len);
- return IPSEC_XMIT_PUSHPULLERR;
- }
- __skb_pull(ixs->skb, ixs->skb->nh.raw - ixs->skb->data);
-#ifdef SKB_RESET_NFCT
- if(!ixs->pass) {
- nf_conntrack_put(ixs->skb->nfct);
- ixs->skb->nfct = NULL;
- }
-#ifdef CONFIG_NETFILTER_DEBUG
- ixs->skb->nf_debug = 0;
-#endif /* CONFIG_NETFILTER_DEBUG */
-#endif /* SKB_RESET_NFCT */
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_send: "
- "...done, calling ip_send() on device:%s\n",
- ixs->skb->dev ? ixs->skb->dev->name : "NULL");
- KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->skb->nh.iph);
-#ifdef NETDEV_23 /* 2.4 kernels */
- {
- int err;
-
- err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, ixs->skb, NULL, ixs->route->u.dst.dev,
- ipsec_tunnel_xmit2);
- if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) {
- if(net_ratelimit())
- printk(KERN_ERR
- "klips_error:ipsec_xmit_send: "
- "ip_send() failed, err=%d\n",
- -err);
- ixs->stats->tx_errors++;
- ixs->stats->tx_aborted_errors++;
- ixs->skb = NULL;
- return IPSEC_XMIT_IPSENDFAILURE;
- }
- }
-#else /* NETDEV_23 */ /* 2.2 kernels */
- ip_send(ixs->skb);
-#endif /* NETDEV_23 */
-#else /* NET_21 */ /* 2.0 kernels */
- ixs->skb->arp = 1;
- /* ISDN/ASYNC PPP from Matjaz Godec. */
- /* skb->protocol = htons(ETH_P_IP); */
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_send: "
- "...done, calling dev_queue_xmit() or ip_fragment().\n");
- IP_SEND(ixs->skb, ixs->physdev);
-#endif /* NET_21 */
- ixs->stats->tx_packets++;
-
- ixs->skb = NULL;
-
- return IPSEC_XMIT_OK;
-}
-
-void
-ipsec_tunnel_cleanup(struct ipsec_xmit_state*ixs)
-{
-#if defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE)
- netif_wake_queue(ixs->dev);
-#else /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
- ixs->dev->tbusy = 0;
-#endif /* defined(HAS_NETIF_QUEUE) || defined (HAVE_NETIF_QUEUE) */
- if(ixs->saved_header) {
- kfree(ixs->saved_header);
- }
- if(ixs->skb) {
- dev_kfree_skb(ixs->skb, FREE_WRITE);
- }
- if(ixs->oskb) {
- dev_kfree_skb(ixs->oskb, FREE_WRITE);
- }
- if (ixs->ips.ips_ident_s.data) {
- kfree(ixs->ips.ips_ident_s.data);
- }
- if (ixs->ips.ips_ident_d.data) {
- kfree(ixs->ips.ips_ident_d.data);
- }
-}
-
-/*
- * This function assumes it is being called from dev_queue_xmit()
- * and that skb is filled properly by that function.
- */
-int
-ipsec_tunnel_start_xmit(struct sk_buff *skb, struct device *dev)
-{
- struct ipsec_xmit_state ixs_mem;
- struct ipsec_xmit_state *ixs = &ixs_mem;
- enum ipsec_xmit_value stat;
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- ixs->natt_type = 0, ixs->natt_head = 0;
- ixs->natt_sport = 0, ixs->natt_dport = 0;
-#endif
-
- memset((caddr_t)ixs, 0, sizeof(*ixs));
- ixs->oskb = NULL;
- ixs->saved_header = NULL; /* saved copy of the hard header */
- ixs->route = NULL;
- memset((caddr_t)&(ixs->ips), 0, sizeof(ixs->ips));
- ixs->dev = dev;
- ixs->skb = skb;
-
- stat = ipsec_xmit_sanity_check_dev(ixs);
- if(stat != IPSEC_XMIT_OK) {
- goto cleanup;
- }
-
- stat = ipsec_xmit_sanity_check_skb(ixs);
- if(stat != IPSEC_XMIT_OK) {
- goto cleanup;
- }
-
- stat = ipsec_tunnel_strip_hard_header(ixs);
- if(stat != IPSEC_XMIT_OK) {
- goto cleanup;
- }
-
- stat = ipsec_tunnel_SAlookup(ixs);
- if(stat != IPSEC_XMIT_OK) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_tunnel_start_xmit: SAlookup failed: %d\n",
- stat);
- goto cleanup;
- }
-
- ixs->innersrc = ixs->iph->saddr;
- /* start encapsulation loop here XXX */
- do {
- stat = ipsec_xmit_encap_bundle(ixs);
- if(stat != IPSEC_XMIT_OK) {
- if(stat == IPSEC_XMIT_PASS) {
- goto bypass;
- }
-
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_tunnel_start_xmit: encap_bundle failed: %d\n",
- stat);
- goto cleanup;
- }
-
- ixs->matcher.sen_ip_src.s_addr = ixs->iph->saddr;
- ixs->matcher.sen_ip_dst.s_addr = ixs->iph->daddr;
- ixs->matcher.sen_proto = ixs->iph->protocol;
- ipsec_extract_ports(ixs->iph, &ixs->matcher);
-
- spin_lock(&eroute_lock);
- ixs->eroute = ipsec_findroute(&ixs->matcher);
- if(ixs->eroute) {
- ixs->outgoing_said = ixs->eroute->er_said;
- ixs->eroute_pid = ixs->eroute->er_pid;
- ixs->eroute->er_count++;
- ixs->eroute->er_lasttime = jiffies/HZ;
- }
- spin_unlock(&eroute_lock);
-
- KLIPS_PRINT((debug_tunnel & DB_TN_XMIT) &&
- /* ((ixs->orgdst != ixs->newdst) || (ixs->orgsrc != ixs->newsrc)) */
- (ixs->orgedst != ixs->outgoing_said.dst.s_addr) &&
- ixs->outgoing_said.dst.s_addr &&
- ixs->eroute,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "We are recursing here.\n");
-
- } while(/*((ixs->orgdst != ixs->newdst) || (ixs->orgsrc != ixs->newsrc))*/
- (ixs->orgedst != ixs->outgoing_said.dst.s_addr) &&
- ixs->outgoing_said.dst.s_addr &&
- ixs->eroute);
-
- stat = ipsec_tunnel_restore_hard_header(ixs);
- if(stat != IPSEC_XMIT_OK) {
- goto cleanup;
- }
-
- bypass:
- stat = ipsec_tunnel_send(ixs);
-
- cleanup:
- ipsec_tunnel_cleanup(ixs);
-
- return 0;
-}
-
-DEBUG_NO_STATIC struct net_device_stats *
-ipsec_tunnel_get_stats(struct device *dev)
-{
- return &(((struct ipsecpriv *)(dev->priv))->mystats);
-}
-
-/*
- * Revectored calls.
- * For each of these calls, a field exists in our private structure.
- */
-
-DEBUG_NO_STATIC int
-ipsec_tunnel_hard_header(struct sk_buff *skb, struct device *dev,
- unsigned short type, void *daddr, void *saddr, unsigned len)
-{
- struct ipsecpriv *prv = dev->priv;
- struct device *tmp;
- int ret;
- struct net_device_stats *stats; /* This device's statistics */
-
- if(skb == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_hard_header: "
- "no skb...\n");
- return -ENODATA;
- }
-
- if(dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_hard_header: "
- "no device...\n");
- return -ENODEV;
- }
-
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_hard_header: "
- "skb->dev=%s dev=%s.\n",
- skb->dev ? skb->dev->name : "NULL",
- dev->name);
-
- if(prv == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_hard_header: "
- "no private space associated with dev=%s\n",
- dev->name ? dev->name : "NULL");
- return -ENODEV;
- }
-
- stats = (struct net_device_stats *) &(prv->mystats);
-
- if(prv->dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_hard_header: "
- "no physical device associated with dev=%s\n",
- dev->name ? dev->name : "NULL");
- stats->tx_dropped++;
- return -ENODEV;
- }
-
- /* check if we have to send a IPv6 packet. It might be a Router
- Solicitation, where the building of the packet happens in
- reverse order:
- 1. ll hdr,
- 2. IPv6 hdr,
- 3. ICMPv6 hdr
- -> skb->nh.raw is still uninitialized when this function is
- called!! If this is no IPv6 packet, we can print debugging
- messages, otherwise we skip all debugging messages and just
- build the ll header */
- if(type != ETH_P_IPV6) {
- /* execute this only, if we don't have to build the
- header for a IPv6 packet */
- if(!prv->hard_header) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_hard_header: "
- "physical device has been detached, packet dropped 0p%p->0p%p len=%d type=%d dev=%s->NULL ",
- saddr,
- daddr,
- len,
- type,
- dev->name);
-#ifdef NET_21
- KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
- "ip=%08x->%08x\n",
- (__u32)ntohl(skb->nh.iph->saddr),
- (__u32)ntohl(skb->nh.iph->daddr) );
-#else /* NET_21 */
- KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
- "ip=%08x->%08x\n",
- (__u32)ntohl(skb->ip_hdr->saddr),
- (__u32)ntohl(skb->ip_hdr->daddr) );
-#endif /* NET_21 */
- stats->tx_dropped++;
- return -ENODEV;
- }
-
-#define da ((struct device *)(prv->dev))->dev_addr
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_hard_header: "
- "Revectored 0p%p->0p%p len=%d type=%d dev=%s->%s dev_addr=%02x:%02x:%02x:%02x:%02x:%02x ",
- saddr,
- daddr,
- len,
- type,
- dev->name,
- prv->dev->name,
- da[0], da[1], da[2], da[3], da[4], da[5]);
-#ifdef NET_21
- KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
- "ip=%08x->%08x\n",
- (__u32)ntohl(skb->nh.iph->saddr),
- (__u32)ntohl(skb->nh.iph->daddr) );
-#else /* NET_21 */
- KLIPS_PRINTMORE(debug_tunnel & DB_TN_REVEC,
- "ip=%08x->%08x\n",
- (__u32)ntohl(skb->ip_hdr->saddr),
- (__u32)ntohl(skb->ip_hdr->daddr) );
-#endif /* NET_21 */
- } else {
- KLIPS_PRINT(debug_tunnel,
- "klips_debug:ipsec_tunnel_hard_header: "
- "is IPv6 packet, skip debugging messages, only revector and build linklocal header.\n");
- }
- tmp = skb->dev;
- skb->dev = prv->dev;
- ret = prv->hard_header(skb, prv->dev, type, (void *)daddr, (void *)saddr, len);
- skb->dev = tmp;
- return ret;
-}
-
-DEBUG_NO_STATIC int
-#ifdef NET_21
-ipsec_tunnel_rebuild_header(struct sk_buff *skb)
-#else /* NET_21 */
-ipsec_tunnel_rebuild_header(void *buff, struct device *dev,
- unsigned long raddr, struct sk_buff *skb)
-#endif /* NET_21 */
-{
- struct ipsecpriv *prv = skb->dev->priv;
- struct device *tmp;
- int ret;
- struct net_device_stats *stats; /* This device's statistics */
-
- if(skb->dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_rebuild_header: "
- "no device...");
- return -ENODEV;
- }
-
- if(prv == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_rebuild_header: "
- "no private space associated with dev=%s",
- skb->dev->name ? skb->dev->name : "NULL");
- return -ENODEV;
- }
-
- stats = (struct net_device_stats *) &(prv->mystats);
-
- if(prv->dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_rebuild_header: "
- "no physical device associated with dev=%s",
- skb->dev->name ? skb->dev->name : "NULL");
- stats->tx_dropped++;
- return -ENODEV;
- }
-
- if(!prv->rebuild_header) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_rebuild_header: "
- "physical device has been detached, packet dropped skb->dev=%s->NULL ",
- skb->dev->name);
-#ifdef NET_21
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "ip=%08x->%08x\n",
- (__u32)ntohl(skb->nh.iph->saddr),
- (__u32)ntohl(skb->nh.iph->daddr) );
-#else /* NET_21 */
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "ip=%08x->%08x\n",
- (__u32)ntohl(skb->ip_hdr->saddr),
- (__u32)ntohl(skb->ip_hdr->daddr) );
-#endif /* NET_21 */
- stats->tx_dropped++;
- return -ENODEV;
- }
-
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel: "
- "Revectored rebuild_header dev=%s->%s ",
- skb->dev->name, prv->dev->name);
-#ifdef NET_21
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "ip=%08x->%08x\n",
- (__u32)ntohl(skb->nh.iph->saddr),
- (__u32)ntohl(skb->nh.iph->daddr) );
-#else /* NET_21 */
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "ip=%08x->%08x\n",
- (__u32)ntohl(skb->ip_hdr->saddr),
- (__u32)ntohl(skb->ip_hdr->daddr) );
-#endif /* NET_21 */
- tmp = skb->dev;
- skb->dev = prv->dev;
-
-#ifdef NET_21
- ret = prv->rebuild_header(skb);
-#else /* NET_21 */
- ret = prv->rebuild_header(buff, prv->dev, raddr, skb);
-#endif /* NET_21 */
- skb->dev = tmp;
- return ret;
-}
-
-DEBUG_NO_STATIC int
-ipsec_tunnel_set_mac_address(struct device *dev, void *addr)
-{
- struct ipsecpriv *prv = dev->priv;
-
- struct net_device_stats *stats; /* This device's statistics */
-
- if(dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_set_mac_address: "
- "no device...");
- return -ENODEV;
- }
-
- if(prv == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_set_mac_address: "
- "no private space associated with dev=%s",
- dev->name ? dev->name : "NULL");
- return -ENODEV;
- }
-
- stats = (struct net_device_stats *) &(prv->mystats);
-
- if(prv->dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_set_mac_address: "
- "no physical device associated with dev=%s",
- dev->name ? dev->name : "NULL");
- stats->tx_dropped++;
- return -ENODEV;
- }
-
- if(!prv->set_mac_address) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_set_mac_address: "
- "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
- dev->name);
- return -ENODEV;
- }
-
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_set_mac_address: "
- "Revectored dev=%s->%s addr=0p%p\n",
- dev->name, prv->dev->name, addr);
- return prv->set_mac_address(prv->dev, addr);
-
-}
-
-#ifndef NET_21
-DEBUG_NO_STATIC void
-ipsec_tunnel_cache_bind(struct hh_cache **hhp, struct device *dev,
- unsigned short htype, __u32 daddr)
-{
- struct ipsecpriv *prv = dev->priv;
-
- struct net_device_stats *stats; /* This device's statistics */
-
- if(dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_cache_bind: "
- "no device...");
- return;
- }
-
- if(prv == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_cache_bind: "
- "no private space associated with dev=%s",
- dev->name ? dev->name : "NULL");
- return;
- }
-
- stats = (struct net_device_stats *) &(prv->mystats);
-
- if(prv->dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_cache_bind: "
- "no physical device associated with dev=%s",
- dev->name ? dev->name : "NULL");
- stats->tx_dropped++;
- return;
- }
-
- if(!prv->header_cache_bind) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_cache_bind: "
- "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
- dev->name);
- stats->tx_dropped++;
- return;
- }
-
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_cache_bind: "
- "Revectored \n");
- prv->header_cache_bind(hhp, prv->dev, htype, daddr);
- return;
-}
-#endif /* !NET_21 */
-
-
-DEBUG_NO_STATIC void
-ipsec_tunnel_cache_update(struct hh_cache *hh, struct device *dev, unsigned char * haddr)
-{
- struct ipsecpriv *prv = dev->priv;
-
- struct net_device_stats *stats; /* This device's statistics */
-
- if(dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_cache_update: "
- "no device...");
- return;
- }
-
- if(prv == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_cache_update: "
- "no private space associated with dev=%s",
- dev->name ? dev->name : "NULL");
- return;
- }
-
- stats = (struct net_device_stats *) &(prv->mystats);
-
- if(prv->dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_cache_update: "
- "no physical device associated with dev=%s",
- dev->name ? dev->name : "NULL");
- stats->tx_dropped++;
- return;
- }
-
- if(!prv->header_cache_update) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_cache_update: "
- "physical device has been detached, cannot set - skb->dev=%s->NULL\n",
- dev->name);
- return;
- }
-
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel: "
- "Revectored cache_update\n");
- prv->header_cache_update(hh, prv->dev, haddr);
- return;
-}
-
-#ifdef NET_21
-DEBUG_NO_STATIC int
-ipsec_tunnel_neigh_setup(struct neighbour *n)
-{
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_neigh_setup:\n");
-
- if (n->nud_state == NUD_NONE) {
- n->ops = &arp_broken_ops;
- n->output = n->ops->output;
- }
- return 0;
-}
-
-DEBUG_NO_STATIC int
-ipsec_tunnel_neigh_setup_dev(struct device *dev, struct neigh_parms *p)
-{
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_neigh_setup_dev: "
- "setting up %s\n",
- dev ? dev->name : "NULL");
-
- if (p->tbl->family == AF_INET) {
- p->neigh_setup = ipsec_tunnel_neigh_setup;
- p->ucast_probes = 0;
- p->mcast_probes = 0;
- }
- return 0;
-}
-#endif /* NET_21 */
-
-/*
- * We call the attach routine to attach another device.
- */
-
-DEBUG_NO_STATIC int
-ipsec_tunnel_attach(struct device *dev, struct device *physdev)
-{
- int i;
- struct ipsecpriv *prv = dev->priv;
-
- if(dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_attach: "
- "no device...");
- return -ENODEV;
- }
-
- if(prv == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_attach: "
- "no private space associated with dev=%s",
- dev->name ? dev->name : "NULL");
- return -ENODATA;
- }
-
- prv->dev = physdev;
- prv->hard_start_xmit = physdev->hard_start_xmit;
- prv->get_stats = physdev->get_stats;
-
- if (physdev->hard_header) {
- prv->hard_header = physdev->hard_header;
- dev->hard_header = ipsec_tunnel_hard_header;
- } else
- dev->hard_header = NULL;
-
- if (physdev->rebuild_header) {
- prv->rebuild_header = physdev->rebuild_header;
- dev->rebuild_header = ipsec_tunnel_rebuild_header;
- } else
- dev->rebuild_header = NULL;
-
- if (physdev->set_mac_address) {
- prv->set_mac_address = physdev->set_mac_address;
- dev->set_mac_address = ipsec_tunnel_set_mac_address;
- } else
- dev->set_mac_address = NULL;
-
-#ifndef NET_21
- if (physdev->header_cache_bind) {
- prv->header_cache_bind = physdev->header_cache_bind;
- dev->header_cache_bind = ipsec_tunnel_cache_bind;
- } else
- dev->header_cache_bind = NULL;
-#endif /* !NET_21 */
-
- if (physdev->header_cache_update) {
- prv->header_cache_update = physdev->header_cache_update;
- dev->header_cache_update = ipsec_tunnel_cache_update;
- } else
- dev->header_cache_update = NULL;
-
- dev->hard_header_len = physdev->hard_header_len;
-
-#ifdef NET_21
-/* prv->neigh_setup = physdev->neigh_setup; */
- dev->neigh_setup = ipsec_tunnel_neigh_setup_dev;
-#endif /* NET_21 */
- dev->mtu = 16260; /* 0xfff0; */ /* dev->mtu; */
- prv->mtu = physdev->mtu;
-
-#ifdef PHYSDEV_TYPE
- dev->type = physdev->type; /* ARPHRD_TUNNEL; */
-#endif /* PHYSDEV_TYPE */
-
- dev->addr_len = physdev->addr_len;
- for (i=0; i<dev->addr_len; i++) {
- dev->dev_addr[i] = physdev->dev_addr[i];
- }
-#ifdef CONFIG_IPSEC_DEBUG
- if(debug_tunnel & DB_TN_INIT) {
- printk(KERN_INFO "klips_debug:ipsec_tunnel_attach: "
- "physical device %s being attached has HW address: %2x",
- physdev->name, physdev->dev_addr[0]);
- for (i=1; i < physdev->addr_len; i++) {
- printk(":%02x", physdev->dev_addr[i]);
- }
- printk("\n");
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-
- return 0;
-}
-
-/*
- * We call the detach routine to detach the ipsec tunnel from another device.
- */
-
-DEBUG_NO_STATIC int
-ipsec_tunnel_detach(struct device *dev)
-{
- int i;
- struct ipsecpriv *prv = dev->priv;
-
- if(dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_detach: "
- "no device...");
- return -ENODEV;
- }
-
- if(prv == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_REVEC,
- "klips_debug:ipsec_tunnel_detach: "
- "no private space associated with dev=%s",
- dev->name ? dev->name : "NULL");
- return -ENODATA;
- }
-
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_detach: "
- "physical device %s being detached from virtual device %s\n",
- prv->dev ? prv->dev->name : "NULL",
- dev->name);
-
- ipsec_dev_put(prv->dev);
- prv->dev = NULL;
- prv->hard_start_xmit = NULL;
- prv->get_stats = NULL;
-
- prv->hard_header = NULL;
-#ifdef DETACH_AND_DOWN
- dev->hard_header = NULL;
-#endif /* DETACH_AND_DOWN */
-
- prv->rebuild_header = NULL;
-#ifdef DETACH_AND_DOWN
- dev->rebuild_header = NULL;
-#endif /* DETACH_AND_DOWN */
-
- prv->set_mac_address = NULL;
-#ifdef DETACH_AND_DOWN
- dev->set_mac_address = NULL;
-#endif /* DETACH_AND_DOWN */
-
-#ifndef NET_21
- prv->header_cache_bind = NULL;
-#ifdef DETACH_AND_DOWN
- dev->header_cache_bind = NULL;
-#endif /* DETACH_AND_DOWN */
-#endif /* !NET_21 */
-
- prv->header_cache_update = NULL;
-#ifdef DETACH_AND_DOWN
- dev->header_cache_update = NULL;
-#endif /* DETACH_AND_DOWN */
-
-#ifdef NET_21
-/* prv->neigh_setup = NULL; */
-#ifdef DETACH_AND_DOWN
- dev->neigh_setup = NULL;
-#endif /* DETACH_AND_DOWN */
-#endif /* NET_21 */
- dev->hard_header_len = 0;
-#ifdef DETACH_AND_DOWN
- dev->mtu = 0;
-#endif /* DETACH_AND_DOWN */
- prv->mtu = 0;
- for (i=0; i<MAX_ADDR_LEN; i++) {
- dev->dev_addr[i] = 0;
- }
- dev->addr_len = 0;
-#ifdef PHYSDEV_TYPE
- dev->type = ARPHRD_VOID; /* ARPHRD_TUNNEL; */
-#endif /* PHYSDEV_TYPE */
-
- return 0;
-}
-
-/*
- * We call the clear routine to detach all ipsec tunnels from other devices.
- */
-DEBUG_NO_STATIC int
-ipsec_tunnel_clear(void)
-{
- int i;
- struct device *ipsecdev = NULL, *prvdev;
- struct ipsecpriv *prv;
- char name[9];
- int ret;
-
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_clear: .\n");
-
- for(i = 0; i < IPSEC_NUM_IF; i++) {
- ipsecdev = ipsecdevices[i];
- if(ipsecdev != NULL) {
- if((prv = (struct ipsecpriv *)(ipsecdev->priv))) {
- prvdev = (struct device *)(prv->dev);
- if(prvdev) {
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_clear: "
- "physical device for device %s is %s\n",
- name, prvdev->name);
- if((ret = ipsec_tunnel_detach(ipsecdev))) {
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_clear: "
- "error %d detatching device %s from device %s.\n",
- ret, name, prvdev->name);
- return ret;
- }
- }
- }
- }
- }
- return 0;
-}
-
-DEBUG_NO_STATIC int
-ipsec_tunnel_ioctl(struct device *dev, struct ifreq *ifr, int cmd)
-{
- struct ipsectunnelconf *cf = (struct ipsectunnelconf *)&ifr->ifr_data;
- struct ipsecpriv *prv = dev->priv;
- struct device *them; /* physical device */
-#ifdef CONFIG_IP_ALIAS
- char *colon;
- char realphysname[IFNAMSIZ];
-#endif /* CONFIG_IP_ALIAS */
-
- if(dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_ioctl: "
- "device not supplied.\n");
- return -ENODEV;
- }
-
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_ioctl: "
- "tncfg service call #%d for dev=%s\n",
- cmd,
- dev->name ? dev->name : "NULL");
- switch (cmd) {
- /* attach a virtual ipsec? device to a physical device */
- case IPSEC_SET_DEV:
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_ioctl: "
- "calling ipsec_tunnel_attatch...\n");
-#ifdef CONFIG_IP_ALIAS
- /* If this is an IP alias interface, get its real physical name */
- strncpy(realphysname, cf->cf_name, IFNAMSIZ);
- realphysname[IFNAMSIZ-1] = 0;
- colon = strchr(realphysname, ':');
- if (colon) *colon = 0;
- them = ipsec_dev_get(realphysname);
-#else /* CONFIG_IP_ALIAS */
- them = ipsec_dev_get(cf->cf_name);
-#endif /* CONFIG_IP_ALIAS */
-
- if (them == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_ioctl: "
- "physical device %s requested is null\n",
- cf->cf_name);
- return -ENXIO;
- }
-
-#if 0
- if (them->flags & IFF_UP) {
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_ioctl: "
- "physical device %s requested is not up.\n",
- cf->cf_name);
- ipsec_dev_put(them);
- return -ENXIO;
- }
-#endif
-
- if (prv && prv->dev) {
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_ioctl: "
- "virtual device is already connected to %s.\n",
- prv->dev->name ? prv->dev->name : "NULL");
- ipsec_dev_put(them);
- return -EBUSY;
- }
- return ipsec_tunnel_attach(dev, them);
-
- case IPSEC_DEL_DEV:
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_ioctl: "
- "calling ipsec_tunnel_detatch.\n");
- if (! prv->dev) {
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_ioctl: "
- "physical device not connected.\n");
- return -ENODEV;
- }
- return ipsec_tunnel_detach(dev);
-
- case IPSEC_CLR_DEV:
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_ioctl: "
- "calling ipsec_tunnel_clear.\n");
- return ipsec_tunnel_clear();
-
- default:
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_ioctl: "
- "unknown command %d.\n",
- cmd);
- return -EOPNOTSUPP;
- }
-}
-
-int
-ipsec_device_event(struct notifier_block *unused, unsigned long event, void *ptr)
-{
- struct device *dev = ptr;
- struct device *ipsec_dev;
- struct ipsecpriv *priv;
- int i;
-
- if (dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_device_event: "
- "dev=NULL for event type %ld.\n",
- event);
- return(NOTIFY_DONE);
- }
-
- /* check for loopback devices */
- if (dev && (dev->flags & IFF_LOOPBACK)) {
- return(NOTIFY_DONE);
- }
-
- switch (event) {
- case NETDEV_DOWN:
- /* look very carefully at the scope of these compiler
- directives before changing anything... -- RGB */
-#ifdef NET_21
- case NETDEV_UNREGISTER:
- switch (event) {
- case NETDEV_DOWN:
-#endif /* NET_21 */
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_device_event: "
- "NETDEV_DOWN dev=%s flags=%x\n",
- dev->name,
- dev->flags);
- if(strncmp(dev->name, "ipsec", strlen("ipsec")) == 0) {
- printk(KERN_CRIT "IPSEC EVENT: KLIPS device %s shut down.\n",
- dev->name);
- }
-#ifdef NET_21
- break;
- case NETDEV_UNREGISTER:
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_device_event: "
- "NETDEV_UNREGISTER dev=%s flags=%x\n",
- dev->name,
- dev->flags);
- break;
- }
-#endif /* NET_21 */
-
- /* find the attached physical device and detach it. */
- for(i = 0; i < IPSEC_NUM_IF; i++) {
- ipsec_dev = ipsecdevices[i];
-
- if(ipsec_dev) {
- priv = (struct ipsecpriv *)(ipsec_dev->priv);
- if(priv) {
- ;
- if(((struct device *)(priv->dev)) == dev) {
- /* dev_close(ipsec_dev); */
- /* return */ ipsec_tunnel_detach(ipsec_dev);
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_device_event: "
- "device '%s' has been detached.\n",
- ipsec_dev->name);
- break;
- }
- } else {
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_device_event: "
- "device '%s' has no private data space!\n",
- ipsec_dev->name);
- }
- }
- }
- break;
- case NETDEV_UP:
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_device_event: "
- "NETDEV_UP dev=%s\n",
- dev->name);
- break;
-#ifdef NET_21
- case NETDEV_REBOOT:
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_device_event: "
- "NETDEV_REBOOT dev=%s\n",
- dev->name);
- break;
- case NETDEV_CHANGE:
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_device_event: "
- "NETDEV_CHANGE dev=%s flags=%x\n",
- dev->name,
- dev->flags);
- break;
- case NETDEV_REGISTER:
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_device_event: "
- "NETDEV_REGISTER dev=%s\n",
- dev->name);
- break;
- case NETDEV_CHANGEMTU:
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_device_event: "
- "NETDEV_CHANGEMTU dev=%s to mtu=%d\n",
- dev->name,
- dev->mtu);
- break;
- case NETDEV_CHANGEADDR:
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_device_event: "
- "NETDEV_CHANGEADDR dev=%s\n",
- dev->name);
- break;
- case NETDEV_GOING_DOWN:
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_device_event: "
- "NETDEV_GOING_DOWN dev=%s\n",
- dev->name);
- break;
- case NETDEV_CHANGENAME:
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_device_event: "
- "NETDEV_CHANGENAME dev=%s\n",
- dev->name);
- break;
-#endif /* NET_21 */
- default:
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_device_event: "
- "event type %ld unrecognised for dev=%s\n",
- event,
- dev->name);
- break;
- }
- return NOTIFY_DONE;
-}
-
-/*
- * Called when an ipsec tunnel device is initialized.
- * The ipsec tunnel device structure is passed to us.
- */
-
-int
-ipsec_tunnel_init(struct device *dev)
-{
- int i;
-
- KLIPS_PRINT(debug_tunnel,
- "klips_debug:ipsec_tunnel_init: "
- "allocating %lu bytes initialising device: %s\n",
- (unsigned long) sizeof(struct ipsecpriv),
- dev->name ? dev->name : "NULL");
-
- /* Add our tunnel functions to the device */
- dev->open = ipsec_tunnel_open;
- dev->stop = ipsec_tunnel_close;
- dev->hard_start_xmit = ipsec_tunnel_start_xmit;
- dev->get_stats = ipsec_tunnel_get_stats;
-
- dev->priv = kmalloc(sizeof(struct ipsecpriv), GFP_KERNEL);
- if (dev->priv == NULL)
- return -ENOMEM;
- memset((caddr_t)(dev->priv), 0, sizeof(struct ipsecpriv));
-
- for(i = 0; i < sizeof(zeroes); i++) {
- ((__u8*)(zeroes))[i] = 0;
- }
-
-#ifndef NET_21
- /* Initialize the tunnel device structure */
- for (i = 0; i < DEV_NUMBUFFS; i++)
- skb_queue_head_init(&dev->buffs[i]);
-#endif /* !NET_21 */
-
- dev->set_multicast_list = NULL;
- dev->do_ioctl = ipsec_tunnel_ioctl;
- dev->hard_header = NULL;
- dev->rebuild_header = NULL;
- dev->set_mac_address = NULL;
-#ifndef NET_21
- dev->header_cache_bind = NULL;
-#endif /* !NET_21 */
- dev->header_cache_update= NULL;
-
-#ifdef NET_21
-/* prv->neigh_setup = NULL; */
- dev->neigh_setup = ipsec_tunnel_neigh_setup_dev;
-#endif /* NET_21 */
- dev->hard_header_len = 0;
- dev->mtu = 0;
- dev->addr_len = 0;
- dev->type = ARPHRD_VOID; /* ARPHRD_TUNNEL; */ /* ARPHRD_ETHER; */
- dev->tx_queue_len = 10; /* Small queue */
- memset((caddr_t)(dev->broadcast),0xFF, ETH_ALEN); /* what if this is not attached to ethernet? */
-
- /* New-style flags. */
- dev->flags = IFF_NOARP /* 0 */ /* Petr Novak */;
-#ifdef NET_21
- dev_init_buffers(dev);
-#else /* NET_21 */
- dev->family = AF_INET;
- dev->pa_addr = 0;
- dev->pa_brdaddr = 0;
- dev->pa_mask = 0;
- dev->pa_alen = 4;
-#endif /* NET_21 */
-
- /* We're done. Have I forgotten anything? */
- return 0;
-}
-
-/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
-/* Module specific interface (but it links with the rest of IPSEC) */
-/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
-
-int
-ipsec_tunnel_probe(struct device *dev)
-{
- ipsec_tunnel_init(dev);
- return 0;
-}
-
-struct device *ipsecdevices[IPSEC_NUM_IF];
-
-int
-ipsec_tunnel_init_devices(void)
-{
- int i;
- char name[IFNAMSIZ];
- struct device *dev_ipsec;
-
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_init_devices: "
- "creating and registering IPSEC_NUM_IF=%u devices, allocating %lu per device, IFNAMSIZ=%u.\n",
- IPSEC_NUM_IF,
- (unsigned long) (sizeof(struct device) + IFNAMSIZ),
- IFNAMSIZ);
-
- for(i = 0; i < IPSEC_NUM_IF; i++) {
- sprintf(name, IPSEC_DEV_FORMAT, i);
- dev_ipsec = (struct device*)kmalloc(sizeof(struct device), GFP_KERNEL);
- if (dev_ipsec == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_init_devices: "
- "failed to allocate memory for device %s, quitting device init.\n",
- name);
- return -ENOMEM;
- }
- memset((caddr_t)dev_ipsec, 0, sizeof(struct device));
-#ifdef NETDEV_23
- strncpy(dev_ipsec->name, name, sizeof(dev_ipsec->name));
-#else /* NETDEV_23 */
- dev_ipsec->name = (char*)kmalloc(IFNAMSIZ, GFP_KERNEL);
- if (dev_ipsec->name == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_init_devices: "
- "failed to allocate memory for device %s name, quitting device init.\n",
- name);
- return -ENOMEM;
- }
- memset((caddr_t)dev_ipsec->name, 0, IFNAMSIZ);
- strncpy(dev_ipsec->name, name, IFNAMSIZ);
-#endif /* NETDEV_23 */
- dev_ipsec->next = NULL;
- dev_ipsec->init = &ipsec_tunnel_probe;
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_init_devices: "
- "registering device %s\n",
- dev_ipsec->name);
-
- /* reference and hold the device reference */
- dev_hold(dev_ipsec);
- ipsecdevices[i]=dev_ipsec;
-
- if (register_netdev(dev_ipsec) != 0) {
- KLIPS_PRINT(1 || debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_init_devices: "
- "registering device %s failed, quitting device init.\n",
- dev_ipsec->name);
- return -EIO;
- } else {
- KLIPS_PRINT(debug_tunnel & DB_TN_INIT,
- "klips_debug:ipsec_tunnel_init_devices: "
- "registering device %s succeeded, continuing...\n",
- dev_ipsec->name);
- }
- }
- return 0;
-}
-
-/* void */
-int
-ipsec_tunnel_cleanup_devices(void)
-{
- int error = 0;
- int i;
- char name[32];
- struct device *dev_ipsec;
-
- for(i = 0; i < IPSEC_NUM_IF; i++) {
- dev_ipsec = ipsecdevices[i];
- if(dev_ipsec == NULL) {
- continue;
- }
-
- /* release reference */
- ipsecdevices[i]=NULL;
- ipsec_dev_put(dev_ipsec);
-
- KLIPS_PRINT(debug_tunnel, "Unregistering %s (refcnt=%d)\n",
- name,
- atomic_read(&dev_ipsec->refcnt));
- unregister_netdev(dev_ipsec);
- KLIPS_PRINT(debug_tunnel, "Unregisted %s\n", name);
-#ifndef NETDEV_23
- kfree(dev_ipsec->name);
- dev_ipsec->name=NULL;
-#endif /* !NETDEV_23 */
- kfree(dev_ipsec->priv);
- dev_ipsec->priv=NULL;
- }
- return error;
-}
diff --git a/linux/net/ipsec/ipsec_xform.c b/linux/net/ipsec/ipsec_xform.c
deleted file mode 100644
index 677f83aaf..000000000
--- a/linux/net/ipsec/ipsec_xform.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Common routines for IPSEC transformations.
- * Copyright (C) 1996, 1997 John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ipsec_xform.c,v 1.2 2004/06/13 19:57:50 as Exp $
- */
-
-#include <linux/config.h>
-#include <linux/version.h>
-#include <linux/kernel.h> /* printk() */
-
-#include "freeswan/ipsec_param.h"
-
-#ifdef MALLOC_SLAB
-# include <linux/slab.h> /* kmalloc() */
-#else /* MALLOC_SLAB */
-# include <linux/malloc.h> /* kmalloc() */
-#endif /* MALLOC_SLAB */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/interrupt.h> /* mark_bh */
-
-#include <linux/netdevice.h> /* struct device, and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/ip.h> /* struct iphdr */
-#include <linux/skbuff.h>
-#include <linux/random.h> /* get_random_bytes() */
-#include <freeswan.h>
-#ifdef SPINLOCK
-# ifdef SPINLOCK_23
-# include <linux/spinlock.h> /* *lock* */
-# else /* SPINLOCK_23 */
-# include <asm/spinlock.h> /* *lock* */
-# endif /* SPINLOCK_23 */
-#endif /* SPINLOCK */
-#ifdef NET_21
-# include <asm/uaccess.h>
-# include <linux/in6.h>
-#endif
-#include <asm/checksum.h>
-#include <net/ip.h>
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_radij.h"
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_ipe4.h"
-#include "freeswan/ipsec_ah.h"
-#include "freeswan/ipsec_esp.h"
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#ifdef CONFIG_IPSEC_DEBUG
-int debug_xform = 0;
-#endif /* CONFIG_IPSEC_DEBUG */
-
-#ifdef SPINLOCK
-spinlock_t tdb_lock = SPIN_LOCK_UNLOCKED;
-#else /* SPINLOCK */
-spinlock_t tdb_lock;
-#endif /* SPINLOCK */
diff --git a/linux/net/ipsec/ipsec_xmit.c b/linux/net/ipsec/ipsec_xmit.c
deleted file mode 100644
index bb390bcf9..000000000
--- a/linux/net/ipsec/ipsec_xmit.c
+++ /dev/null
@@ -1,1782 +0,0 @@
-/*
- * IPSEC Transmit code.
- * Copyright (C) 1996, 1997 John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003 Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-char ipsec_xmit_c_version[] = "RCSID $Id: ipsec_xmit.c,v 1.3 2004/06/13 19:37:23 as Exp $";
-
-#define __NO_VERSION__
-#include <linux/module.h>
-#include <linux/config.h> /* for CONFIG_IP_FORWARD */
-#include <linux/version.h>
-#include <linux/kernel.h> /* printk() */
-
-#include "freeswan/ipsec_param.h"
-
-#ifdef MALLOC_SLAB
-# include <linux/slab.h> /* kmalloc() */
-#else /* MALLOC_SLAB */
-# include <linux/malloc.h> /* kmalloc() */
-#endif /* MALLOC_SLAB */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/interrupt.h> /* mark_bh */
-
-#include <linux/netdevice.h> /* struct device, struct net_device_stats, dev_queue_xmit() and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/ip.h> /* struct iphdr */
-#include <linux/tcp.h> /* struct tcphdr */
-#include <linux/udp.h> /* struct udphdr */
-#include <linux/skbuff.h>
-#include <freeswan.h>
-#ifdef NET_21
-# define MSS_HACK_ /* experimental */
-# include <asm/uaccess.h>
-# include <linux/in6.h>
-# include <net/dst.h>
-# define proto_priv cb
-#endif /* NET_21 */
-#include <asm/checksum.h>
-#include <net/icmp.h> /* icmp_send() */
-#include <net/ip.h>
-#ifdef NETDEV_23
-# include <linux/netfilter_ipv4.h>
-#endif /* NETDEV_23 */
-
-#include <linux/if_arp.h>
-#ifdef MSS_HACK
-# include <net/tcp.h> /* TCP options */
-#endif /* MSS_HACK */
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_life.h"
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_eroute.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_radij.h"
-#include "freeswan/ipsec_xmit.h"
-#include "freeswan/ipsec_sa.h"
-#include "freeswan/ipsec_tunnel.h"
-#include "freeswan/ipsec_ipe4.h"
-#include "freeswan/ipsec_ah.h"
-#include "freeswan/ipsec_esp.h"
-
-#ifdef CONFIG_IPSEC_IPCOMP
-#include "freeswan/ipcomp.h"
-#endif /* CONFIG_IPSEC_IPCOMP */
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "freeswan/ipsec_proto.h"
-#include "freeswan/ipsec_alg.h"
-
-
-/*
- * Stupid kernel API differences in APIs. Not only do some
- * kernels not have ip_select_ident, but some have differing APIs,
- * and SuSE has one with one parameter, but no way of checking to
- * see what is really what.
- */
-
-#ifdef SUSE_LINUX_2_4_19_IS_STUPID
-#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph)
-#else
-
-/* simplest case, nothing */
-#if !defined(IP_SELECT_IDENT)
-#define KLIPS_IP_SELECT_IDENT(iph, skb) do { iph->id = htons(ip_id_count++); } while(0)
-#endif
-
-/* kernels > 2.3.37-ish */
-#if defined(IP_SELECT_IDENT) && !defined(IP_SELECT_IDENT_NEW)
-#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst)
-#endif
-
-/* kernels > 2.4.2 */
-#if defined(IP_SELECT_IDENT) && defined(IP_SELECT_IDENT_NEW)
-#define KLIPS_IP_SELECT_IDENT(iph, skb) ip_select_ident(iph, skb->dst, NULL)
-#endif
-
-#endif /* SUSE_LINUX_2_4_19_IS_STUPID */
-
-
-static __u32 zeroes[64];
-
-#ifdef CONFIG_IPSEC_DEBUG
-int sysctl_ipsec_debug_verbose = 0;
-#endif /* CONFIG_IPSEC_DEBUG */
-
-int ipsec_xmit_trap_count = 0;
-int ipsec_xmit_trap_sendcount = 0;
-
-int sysctl_ipsec_icmp = 0;
-int sysctl_ipsec_tos = 0;
-
-/*
- * If the IP packet (iph) is a carrying TCP/UDP, then set the encaps
- * source and destination ports to those from the TCP/UDP header.
- */
-void ipsec_extract_ports(struct iphdr * iph, struct sockaddr_encap * er)
-{
- struct udphdr *udp;
-
- switch (iph->protocol) {
- case IPPROTO_UDP:
- case IPPROTO_TCP:
- /*
- * The ports are at the same offsets in a TCP and UDP
- * header so hack it ...
- */
- udp = (struct udphdr*)(((char*)iph)+(iph->ihl<<2));
- er->sen_sport = udp->source;
- er->sen_dport = udp->dest;
- break;
- default:
- er->sen_sport = 0;
- er->sen_dport = 0;
- break;
- }
-}
-
-/*
- * A TRAP eroute is installed and we want to replace it with a HOLD
- * eroute.
- */
-static int create_hold_eroute(struct sk_buff * skb, struct iphdr * iph,
- uint32_t eroute_pid)
-{
- struct eroute hold_eroute;
- struct sa_id hold_said;
- struct sk_buff *first, *last;
- int error;
-
- first = last = NULL;
- memset((caddr_t)&hold_eroute, 0, sizeof(hold_eroute));
- memset((caddr_t)&hold_said, 0, sizeof(hold_said));
-
- hold_said.proto = IPPROTO_INT;
- hold_said.spi = htonl(SPI_HOLD);
- hold_said.dst.s_addr = INADDR_ANY;
-
- hold_eroute.er_eaddr.sen_len = sizeof(struct sockaddr_encap);
- hold_eroute.er_emask.sen_len = sizeof(struct sockaddr_encap);
- hold_eroute.er_eaddr.sen_family = AF_ENCAP;
- hold_eroute.er_emask.sen_family = AF_ENCAP;
- hold_eroute.er_eaddr.sen_type = SENT_IP4;
- hold_eroute.er_emask.sen_type = 255;
-
- hold_eroute.er_eaddr.sen_ip_src.s_addr = iph->saddr;
- hold_eroute.er_eaddr.sen_ip_dst.s_addr = iph->daddr;
- hold_eroute.er_emask.sen_ip_src.s_addr = INADDR_BROADCAST;
- hold_eroute.er_emask.sen_ip_dst.s_addr = INADDR_BROADCAST;
- hold_eroute.er_emask.sen_sport = ~0;
- hold_eroute.er_emask.sen_dport = ~0;
- hold_eroute.er_pid = eroute_pid;
- hold_eroute.er_count = 0;
- hold_eroute.er_lasttime = jiffies/HZ;
-
- hold_eroute.er_eaddr.sen_proto = iph->protocol;
- ipsec_extract_ports(iph, &hold_eroute.er_eaddr);
-
-#ifdef CONFIG_IPSEC_DEBUG
- if (debug_pfkey) {
- char buf1[64], buf2[64];
- subnettoa(hold_eroute.er_eaddr.sen_ip_src,
- hold_eroute.er_emask.sen_ip_src, 0, buf1, sizeof(buf1));
- subnettoa(hold_eroute.er_eaddr.sen_ip_dst,
- hold_eroute.er_emask.sen_ip_dst, 0, buf2, sizeof(buf2));
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "calling breakeroute and makeroute for %s:%d->%s:%d %d HOLD eroute.\n",
- buf1, ntohs(hold_eroute.er_eaddr.sen_sport),
- buf2, ntohs(hold_eroute.er_eaddr.sen_dport),
- hold_eroute.er_eaddr.sen_proto);
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-
- if (ipsec_breakroute(&(hold_eroute.er_eaddr), &(hold_eroute.er_emask),
- &first, &last)) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "HOLD breakeroute found nothing.\n");
- } else {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "HOLD breakroute deleted %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u %u\n",
- NIPQUAD(hold_eroute.er_eaddr.sen_ip_src),
- ntohs(hold_eroute.er_eaddr.sen_sport),
- NIPQUAD(hold_eroute.er_eaddr.sen_ip_dst),
- ntohs(hold_eroute.er_eaddr.sen_dport),
- hold_eroute.er_eaddr.sen_proto);
- }
- if (first != NULL)
- kfree_skb(first);
- if (last != NULL)
- kfree_skb(last);
-
- error = ipsec_makeroute(&(hold_eroute.er_eaddr),
- &(hold_eroute.er_emask),
- hold_said, eroute_pid, skb, NULL, NULL);
- if (error) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "HOLD makeroute returned %d, failed.\n", error);
- } else {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "HOLD makeroute call successful.\n");
- }
- return (error == 0);
-}
-
-#ifdef CONFIG_IPSEC_DEBUG_
-DEBUG_NO_STATIC void
-dmp(char *s, caddr_t bb, int len)
-{
- int i;
- unsigned char *b = bb;
-
- if (debug_tunnel) {
- printk(KERN_INFO "klips_debug:ipsec_tunnel_:dmp: "
- "at %s, len=%d:",
- s,
- len);
- for (i=0; i < len; i++) {
- if(!(i%16)){
- printk("\nklips_debug: ");
- }
- printk(" %02x", *b++);
- }
- printk("\n");
- }
-}
-#else /* CONFIG_IPSEC_DEBUG */
-#define dmp(_x, _y, _z)
-#endif /* CONFIG_IPSEC_DEBUG */
-
-#ifndef SKB_COPY_EXPAND
-/*
- * This is mostly skbuff.c:skb_copy().
- */
-struct sk_buff *
-skb_copy_expand(struct sk_buff *skb, int headroom, int tailroom, int priority)
-{
- struct sk_buff *n;
- unsigned long offset;
-
- /*
- * Do sanity checking
- */
- if((headroom < 0) || (tailroom < 0) || ((headroom+tailroom) < 0)) {
- printk(KERN_WARNING
- "klips_error:skb_copy_expand: "
- "Illegal negative head,tailroom %d,%d\n",
- headroom,
- tailroom);
- return NULL;
- }
- /*
- * Allocate the copy buffer
- */
-
-#ifndef NET_21
- IS_SKB(skb);
-#endif /* !NET_21 */
-
-
- n=alloc_skb(skb->end - skb->head + headroom + tailroom, priority);
-
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:skb_copy_expand: "
- "allocating %d bytes, head=0p%p data=0p%p tail=0p%p end=0p%p end-head=%d tail-data=%d\n",
- skb->end - skb->head + headroom + tailroom,
- skb->head,
- skb->data,
- skb->tail,
- skb->end,
- skb->end - skb->head,
- skb->tail - skb->data);
-
- if(n==NULL)
- return NULL;
-
- /*
- * Shift between the two data areas in bytes
- */
-
- /* Set the data pointer */
- skb_reserve(n,skb->data-skb->head+headroom);
- /* Set the tail pointer and length */
- if(skb_tailroom(n) < skb->len) {
- printk(KERN_WARNING "klips_error:skb_copy_expand: "
- "tried to skb_put %ld, %d available. This should never happen, please report.\n",
- (unsigned long int)skb->len,
- skb_tailroom(n));
- ipsec_kfree_skb(n);
- return NULL;
- }
- skb_put(n,skb->len);
-
- offset=n->head + headroom - skb->head;
-
- /* Copy the bytes */
- memcpy(n->head + headroom, skb->head,skb->end-skb->head);
-#ifdef NET_21
- n->csum=skb->csum;
- n->priority=skb->priority;
- n->dst=dst_clone(skb->dst);
- if(skb->nh.raw)
- n->nh.raw=skb->nh.raw+offset;
-#ifndef NETDEV_23
- n->is_clone=0;
-#endif /* NETDEV_23 */
- atomic_set(&n->users, 1);
- n->destructor = NULL;
- n->security=skb->security;
-#else /* NET_21 */
- n->link3=NULL;
- n->when=skb->when;
- if(skb->ip_hdr)
- n->ip_hdr=(struct iphdr *)(((char *)skb->ip_hdr)+offset);
- n->saddr=skb->saddr;
- n->daddr=skb->daddr;
- n->raddr=skb->raddr;
- n->seq=skb->seq;
- n->end_seq=skb->end_seq;
- n->ack_seq=skb->ack_seq;
- n->acked=skb->acked;
- n->free=1;
- n->arp=skb->arp;
- n->tries=0;
- n->lock=0;
- n->users=0;
-#endif /* NET_21 */
- n->protocol=skb->protocol;
- n->list=NULL;
- n->sk=NULL;
- n->dev=skb->dev;
- if(skb->h.raw)
- n->h.raw=skb->h.raw+offset;
- if(skb->mac.raw)
- n->mac.raw=skb->mac.raw+offset;
- memcpy(n->proto_priv, skb->proto_priv, sizeof(skb->proto_priv));
-#ifndef NETDEV_23
- n->used=skb->used;
-#endif /* !NETDEV_23 */
- n->pkt_type=skb->pkt_type;
- n->stamp=skb->stamp;
-
-#ifndef NET_21
- IS_SKB(n);
-#endif /* !NET_21 */
- return n;
-}
-#endif /* !SKB_COPY_EXPAND */
-
-#ifdef CONFIG_IPSEC_DEBUG
-void
-ipsec_print_ip(struct iphdr *ip)
-{
- char buf[ADDRTOA_BUF];
-
- printk(KERN_INFO "klips_debug: IP:");
- printk(" ihl:%d", ip->ihl << 2);
- printk(" ver:%d", ip->version);
- printk(" tos:%d", ip->tos);
- printk(" tlen:%d", ntohs(ip->tot_len));
- printk(" id:%d", ntohs(ip->id));
- printk(" %s%s%sfrag_off:%d",
- ip->frag_off & __constant_htons(IP_CE) ? "CE " : "",
- ip->frag_off & __constant_htons(IP_DF) ? "DF " : "",
- ip->frag_off & __constant_htons(IP_MF) ? "MF " : "",
- (ntohs(ip->frag_off) & IP_OFFSET) << 3);
- printk(" ttl:%d", ip->ttl);
- printk(" proto:%d", ip->protocol);
- if(ip->protocol == IPPROTO_UDP)
- printk(" (UDP)");
- if(ip->protocol == IPPROTO_TCP)
- printk(" (TCP)");
- if(ip->protocol == IPPROTO_ICMP)
- printk(" (ICMP)");
- printk(" chk:%d", ntohs(ip->check));
- addrtoa(*((struct in_addr*)(&ip->saddr)), 0, buf, sizeof(buf));
- printk(" saddr:%s", buf);
- if(ip->protocol == IPPROTO_UDP)
- printk(":%d",
- ntohs(((struct udphdr*)((caddr_t)ip + (ip->ihl << 2)))->source));
- if(ip->protocol == IPPROTO_TCP)
- printk(":%d",
- ntohs(((struct tcphdr*)((caddr_t)ip + (ip->ihl << 2)))->source));
- addrtoa(*((struct in_addr*)(&ip->daddr)), 0, buf, sizeof(buf));
- printk(" daddr:%s", buf);
- if(ip->protocol == IPPROTO_UDP)
- printk(":%d",
- ntohs(((struct udphdr*)((caddr_t)ip + (ip->ihl << 2)))->dest));
- if(ip->protocol == IPPROTO_TCP)
- printk(":%d",
- ntohs(((struct tcphdr*)((caddr_t)ip + (ip->ihl << 2)))->dest));
- if(ip->protocol == IPPROTO_ICMP)
- printk(" type:code=%d:%d",
- ((struct icmphdr*)((caddr_t)ip + (ip->ihl << 2)))->type,
- ((struct icmphdr*)((caddr_t)ip + (ip->ihl << 2)))->code);
- printk("\n");
-
- if(sysctl_ipsec_debug_verbose) {
- __u8 *c;
- int i;
-
- c = ((__u8*)ip) + ip->ihl*4;
- for(i = 0; i < ntohs(ip->tot_len) - ip->ihl*4; i++ /*, c++*/) {
- if(!(i % 16)) {
- printk(KERN_INFO
- "klips_debug: @%03x:",
- i);
- }
- printk(" %02x", /***/c[i]);
- if(!((i + 1) % 16)) {
- printk("\n");
- }
- }
- if(i % 16) {
- printk("\n");
- }
- }
-}
-#endif /* CONFIG_IPSEC_DEBUG */
-
-#ifdef MSS_HACK
-/*
- * Issues:
- * 1) Fragments arriving in the tunnel should probably be rejected.
- * 2) How does this affect syncookies, mss_cache, dst cache ?
- * 3) Path MTU discovery handling needs to be reviewed. For example,
- * if we receive an ICMP 'packet too big' message from an intermediate
- * router specifying it's next hop MTU, our stack may process this and
- * adjust the MSS without taking our AH/ESP overheads into account.
- */
-
-
-/*
- * Recaclulate checksum using differences between changed datum,
- * borrowed from netfilter.
- */
-DEBUG_NO_STATIC u_int16_t
-ipsec_fast_csum(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
-{
- u_int32_t diffs[] = { oldvalinv, newval };
- return csum_fold(csum_partial((char *)diffs, sizeof(diffs),
- oldcheck^0xFFFF));
-}
-
-/*
- * Determine effective MSS.
- *
- * Note that we assume that there is always an MSS option for our own
- * SYN segments, which is mentioned in tcp_syn_build_options(), kernel 2.2.x.
- * This could change, and we should probably parse TCP options instead.
- *
- */
-DEBUG_NO_STATIC u_int8_t
-ipsec_adjust_mss(struct sk_buff *skb, struct tcphdr *tcph, u_int16_t mtu)
-{
- u_int16_t oldmss, newmss;
- u_int32_t *mssp;
- struct sock *sk = skb->sk;
-
- newmss = tcp_sync_mss(sk, mtu);
- printk(KERN_INFO "klips: setting mss to %u\n", newmss);
- mssp = (u_int32_t *)tcph + sizeof(struct tcphdr) / sizeof(u_int32_t);
- oldmss = ntohl(*mssp) & 0x0000FFFF;
- *mssp = htonl((TCPOPT_MSS << 24) | (TCPOLEN_MSS << 16) | newmss);
- tcph->check = ipsec_fast_csum(htons(~oldmss),
- htons(newmss), tcph->check);
- return 1;
-}
-#endif /* MSS_HACK */
-
-/*
- * Sanity checks
- */
-enum ipsec_xmit_value
-ipsec_xmit_sanity_check_dev(struct ipsec_xmit_state *ixs)
-{
-
- if (ixs->dev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_error:ipsec_xmit_sanity_check_dev: "
- "No device associated with skb!\n" );
- return IPSEC_XMIT_NODEV;
- }
-
- ixs->prv = ixs->dev->priv;
- if (ixs->prv == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_error:ipsec_xmit_sanity_check_dev: "
- "Device has no private structure!\n" );
- return IPSEC_XMIT_NOPRIVDEV;
- }
-
- ixs->physdev = ixs->prv->dev;
- if (ixs->physdev == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_error:ipsec_xmit_sanity_check_dev: "
- "Device is not attached to physical device!\n" );
- return IPSEC_XMIT_NOPHYSDEV;
- }
-
- ixs->physmtu = ixs->physdev->mtu;
-
- ixs->stats = (struct net_device_stats *) &(ixs->prv->mystats);
-
- return IPSEC_XMIT_OK;
-}
-
-enum ipsec_xmit_value
-ipsec_xmit_sanity_check_skb(struct ipsec_xmit_state *ixs)
-{
- /*
- * Return if there is nothing to do. (Does this ever happen?) XXX
- */
- if (ixs->skb == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_error:ipsec_xmit_sanity_check_skb: "
- "Nothing to do!\n" );
- return IPSEC_XMIT_NOSKB;
- }
-#ifdef NET_21
- /* if skb was cloned (most likely due to a packet sniffer such as
- tcpdump being momentarily attached to the interface), make
- a copy of our own to modify */
- if(skb_cloned(ixs->skb)) {
- if
-#ifdef SKB_COW_NEW
- (skb_cow(ixs->skb, skb_headroom(ixs->skb)) != 0)
-#else /* SKB_COW_NEW */
- ((ixs->skb = skb_cow(ixs->skb, skb_headroom(ixs->skb))) == NULL)
-#endif /* SKB_COW_NEW */
- {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_error:ipsec_xmit_sanity_check_skb: "
- "skb_cow failed to allocate buffer, dropping.\n" );
- ixs->stats->tx_dropped++;
- return IPSEC_XMIT_ERRSKBALLOC;
- }
- }
-#endif /* NET_21 */
-
-#ifdef NET_21
- ixs->iph = ixs->skb->nh.iph;
-#else /* NET_21 */
- ixs->iph = ixs->skb->ip_hdr;
-#endif /* NET_21 */
-
- /* sanity check for IP version as we can't handle IPv6 right now */
- if (ixs->iph->version != 4) {
- KLIPS_PRINT(debug_tunnel,
- "klips_debug:ipsec_xmit_sanity_check_skb: "
- "found IP Version %d but cannot process other IP versions than v4.\n",
- ixs->iph->version); /* XXX */
- ixs->stats->tx_dropped++;
- return IPSEC_XMIT_NOIPV6;
- }
-
-#if IPSEC_DISALLOW_IPOPTIONS
- if ((ixs->iph->ihl << 2) != sizeof (struct iphdr)) {
- KLIPS_PRINT(debug_tunnel,
- "klips_debug:ipsec_xmit_sanity_check_skb: "
- "cannot process IP header options yet. May be mal-formed packet.\n"); /* XXX */
- ixs->stats->tx_dropped++;
- return IPSEC_XMIT_NOIPOPTIONS;
- }
-#endif /* IPSEC_DISALLOW_IPOPTIONS */
-
-#ifndef NET_21
- if (ixs->iph->ttl <= 0) {
- /* Tell the sender its packet died... */
- ICMP_SEND(ixs->skb, ICMP_TIME_EXCEEDED, ICMP_EXC_TTL, 0, ixs->physdev);
-
- KLIPS_PRINT(debug_tunnel, "klips_debug:ipsec_xmit_sanity_check_skb: "
- "TTL=0, too many hops!\n");
- ixs->stats->tx_dropped++;
- return IPSEC_XMIT_TTLEXPIRED;
- }
-#endif /* !NET_21 */
-
- return IPSEC_XMIT_OK;
-}
-
-enum ipsec_xmit_value
-ipsec_xmit_encap_once(struct ipsec_xmit_state *ixs)
-{
-#ifdef CONFIG_IPSEC_ESP
- struct esphdr *espp;
-#ifdef CONFIG_IPSEC_ENC_3DES
- __u32 iv[ESP_IV_MAXSZ_INT];
-#endif /* !CONFIG_IPSEC_ENC_3DES */
- unsigned char *idat, *pad;
- int authlen = 0, padlen = 0, i;
-#endif /* !CONFIG_IPSEC_ESP */
-#ifdef CONFIG_IPSEC_AH
- struct iphdr ipo;
- struct ahhdr *ahp;
-#endif /* CONFIG_IPSEC_AH */
-#if defined(CONFIG_IPSEC_AUTH_HMAC_MD5) || defined(CONFIG_IPSEC_AUTH_HMAC_SHA1)
- union {
-#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
- MD5_CTX md5;
-#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
-#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
- SHA1_CTX sha1;
-#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
- } tctx;
- __u8 hash[AH_AMAX];
-#endif /* defined(CONFIG_IPSEC_AUTH_HMAC_MD5) || defined(CONFIG_IPSEC_AUTH_HMAC_SHA1) */
- int headroom = 0, tailroom = 0, ilen = 0, len = 0;
- unsigned char *dat;
- int blocksize = 8; /* XXX: should be inside ixs --jjo */
-#ifdef CONFIG_IPSEC_ALG
- struct ipsec_alg_enc *ixt_e = NULL;
- struct ipsec_alg_auth *ixt_a = NULL;
-#endif /* CONFIG_IPSEC_ALG */
-
- ixs->iphlen = ixs->iph->ihl << 2;
- ixs->pyldsz = ntohs(ixs->iph->tot_len) - ixs->iphlen;
- ixs->sa_len = satoa(ixs->ipsp->ips_said, 0, ixs->sa_txt, SATOA_BUF);
- KLIPS_PRINT(debug_tunnel & DB_TN_OXFS,
- "klips_debug:ipsec_xmit_encap_once: "
- "calling output for <%s%s%s>, SA:%s\n",
- IPS_XFORM_NAME(ixs->ipsp),
- ixs->sa_len ? ixs->sa_txt : " (error)");
-
- switch(ixs->ipsp->ips_said.proto) {
-#ifdef CONFIG_IPSEC_AH
- case IPPROTO_AH:
- headroom += sizeof(struct ahhdr);
- break;
-#endif /* CONFIG_IPSEC_AH */
-#ifdef CONFIG_IPSEC_ESP
- case IPPROTO_ESP:
-#ifdef CONFIG_IPSEC_ALG
- if ((ixt_e=ixs->ipsp->ips_alg_enc)) {
- blocksize = ixt_e->ixt_blocksize;
- headroom += ESP_HEADER_LEN + ixt_e->ixt_ivlen/8;
- } else
-#endif /* CONFIG_IPSEC_ALG */
- switch(ixs->ipsp->ips_encalg) {
-#ifdef CONFIG_IPSEC_ENC_3DES
- case ESP_3DES:
- headroom += sizeof(struct esphdr);
- break;
-#endif /* CONFIG_IPSEC_ENC_3DES */
- default:
- ixs->stats->tx_errors++;
- return IPSEC_XMIT_ESP_BADALG;
- }
-#ifdef CONFIG_IPSEC_ALG
- if ((ixt_a=ixs->ipsp->ips_alg_auth)) {
- tailroom += AHHMAC_HASHLEN;
- } else
-#endif /* CONFIG_IPSEC_ALG */
- switch(ixs->ipsp->ips_authalg) {
-#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
- case AH_MD5:
- authlen = AHHMAC_HASHLEN;
- break;
-#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
-#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
- case AH_SHA:
- authlen = AHHMAC_HASHLEN;
- break;
-#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
- case AH_NONE:
- break;
- default:
- ixs->stats->tx_errors++;
- return IPSEC_XMIT_ESP_BADALG;
- }
-#ifdef CONFIG_IPSEC_ALG
- tailroom += blocksize != 1 ?
- ((blocksize - ((ixs->pyldsz + 2) % blocksize)) % blocksize) + 2 :
- ((4 - ((ixs->pyldsz + 2) % 4)) % 4) + 2;
-#else
- tailroom += ((8 - ((ixs->pyldsz + 2 * sizeof(unsigned char)) % 8)) % 8) + 2;
-#endif /* CONFIG_IPSEC_ALG */
- tailroom += authlen;
- break;
-#endif /* !CONFIG_IPSEC_ESP */
-#ifdef CONFIG_IPSEC_IPIP
- case IPPROTO_IPIP:
- headroom += sizeof(struct iphdr);
- ixs->iphlen = sizeof(struct iphdr);
- break;
-#endif /* !CONFIG_IPSEC_IPIP */
-#ifdef CONFIG_IPSEC_IPCOMP
- case IPPROTO_COMP:
- break;
-#endif /* CONFIG_IPSEC_IPCOMP */
- default:
- ixs->stats->tx_errors++;
- return IPSEC_XMIT_BADPROTO;
- }
-
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_encap_once: "
- "pushing %d bytes, putting %d, proto %d.\n",
- headroom, tailroom, ixs->ipsp->ips_said.proto);
- if(skb_headroom(ixs->skb) < headroom) {
- printk(KERN_WARNING
- "klips_error:ipsec_xmit_encap_once: "
- "tried to skb_push headroom=%d, %d available. This should never happen, please report.\n",
- headroom, skb_headroom(ixs->skb));
- ixs->stats->tx_errors++;
- return IPSEC_XMIT_ESP_PUSHPULLERR;
- }
- dat = skb_push(ixs->skb, headroom);
- ilen = ixs->skb->len - tailroom;
- if(skb_tailroom(ixs->skb) < tailroom) {
- printk(KERN_WARNING
- "klips_error:ipsec_xmit_encap_once: "
- "tried to skb_put %d, %d available. This should never happen, please report.\n",
- tailroom, skb_tailroom(ixs->skb));
- ixs->stats->tx_errors++;
- return IPSEC_XMIT_ESP_PUSHPULLERR;
- }
- skb_put(ixs->skb, tailroom);
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_encap_once: "
- "head,tailroom: %d,%d before xform.\n",
- skb_headroom(ixs->skb), skb_tailroom(ixs->skb));
- len = ixs->skb->len;
- if(len > 0xfff0) {
- printk(KERN_WARNING "klips_error:ipsec_xmit_encap_once: "
- "tot_len (%d) > 65520. This should never happen, please report.\n",
- len);
- ixs->stats->tx_errors++;
- return IPSEC_XMIT_BADLEN;
- }
- memmove((void *)dat, (void *)(dat + headroom), ixs->iphlen);
- ixs->iph = (struct iphdr *)dat;
- ixs->iph->tot_len = htons(ixs->skb->len);
-
- switch(ixs->ipsp->ips_said.proto) {
-#ifdef CONFIG_IPSEC_ESP
- case IPPROTO_ESP:
- espp = (struct esphdr *)(dat + ixs->iphlen);
- espp->esp_spi = ixs->ipsp->ips_said.spi;
- espp->esp_rpl = htonl(++(ixs->ipsp->ips_replaywin_lastseq));
-
-#ifdef CONFIG_IPSEC_ALG
- if (!ixt_e)
-#endif /* CONFIG_IPSEC_ALG */
- switch(ixs->ipsp->ips_encalg) {
-#if defined(CONFIG_IPSEC_ENC_3DES)
-#ifdef CONFIG_IPSEC_ENC_3DES
- case ESP_3DES:
-#endif /* CONFIG_IPSEC_ENC_3DES */
- iv[0] = *((__u32*)&(espp->esp_iv) ) =
- ((__u32*)(ixs->ipsp->ips_iv))[0];
- iv[1] = *((__u32*)&(espp->esp_iv) + 1) =
- ((__u32*)(ixs->ipsp->ips_iv))[1];
- break;
-#endif /* defined(CONFIG_IPSEC_ENC_3DES) */
- default:
- ixs->stats->tx_errors++;
- return IPSEC_XMIT_ESP_BADALG;
- }
-
- idat = dat + ixs->iphlen + headroom;
- ilen = len - (ixs->iphlen + headroom + authlen);
-
- /* Self-describing padding */
- pad = &dat[len - tailroom];
- padlen = tailroom - 2 - authlen;
- for (i = 0; i < padlen; i++) {
- pad[i] = i + 1;
- }
- dat[len - authlen - 2] = padlen;
-
- dat[len - authlen - 1] = ixs->iph->protocol;
- ixs->iph->protocol = IPPROTO_ESP;
-
-#ifdef CONFIG_IPSEC_ALG
- /* Do all operations here:
- * copy IV->ESP, encrypt, update ips IV
- */
- if (ixt_e) {
- int ret;
- memcpy(espp->esp_iv,
- ixs->ipsp->ips_iv,
- ixt_e->ixt_ivlen/8);
- ret=ipsec_alg_esp_encrypt(ixs->ipsp,
- idat, ilen, espp->esp_iv,
- IPSEC_ALG_ENCRYPT);
- memcpy(ixs->ipsp->ips_iv,
- idat + ilen - ixt_e->ixt_ivlen/8,
- ixt_e->ixt_ivlen/8);
- } else
-#endif /* CONFIG_IPSEC_ALG */
- switch(ixs->ipsp->ips_encalg) {
-#ifdef CONFIG_IPSEC_ENC_3DES
- case ESP_3DES:
- des_ede3_cbc_encrypt((des_cblock *)idat,
- (des_cblock *)idat,
- ilen,
- ((struct des_eks *)(ixs->ipsp->ips_key_e))[0].ks,
- ((struct des_eks *)(ixs->ipsp->ips_key_e))[1].ks,
- ((struct des_eks *)(ixs->ipsp->ips_key_e))[2].ks,
- (des_cblock *)iv, 1);
- break;
-#endif /* CONFIG_IPSEC_ENC_3DES */
- default:
- ixs->stats->tx_errors++;
- return IPSEC_XMIT_ESP_BADALG;
- }
-
-#ifdef CONFIG_IPSEC_ALG
- if (!ixt_e)
-#endif /* CONFIG_IPSEC_ALG */
- switch(ixs->ipsp->ips_encalg) {
-#if defined(CONFIG_IPSEC_ENC_3DES)
-#ifdef CONFIG_IPSEC_ENC_3DES
- case ESP_3DES:
-#endif /* CONFIG_IPSEC_ENC_3DES */
- /* XXX update IV with the last 8 octets of the encryption */
-#if KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK
- ((__u32*)(ixs->ipsp->ips_iv))[0] =
- ((__u32 *)(idat))[(ilen >> 2) - 2];
- ((__u32*)(ixs->ipsp->ips_iv))[1] =
- ((__u32 *)(idat))[(ilen >> 2) - 1];
-#else /* KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK */
- prng_bytes(&ipsec_prng, (char *)ixs->ipsp->ips_iv, EMT_ESPDES_IV_SZ);
-#endif /* KLIPS_IMPAIRMENT_ESPIV_CBC_ATTACK */
- break;
-#endif /* defined(CONFIG_IPSEC_ENC_3DES) */
- default:
- ixs->stats->tx_errors++;
- return IPSEC_XMIT_ESP_BADALG;
- }
-
-#ifdef CONFIG_IPSEC_ALG
- if (ixt_a) {
- ipsec_alg_sa_esp_hash(ixs->ipsp,
- (caddr_t)espp, len - ixs->iphlen - authlen,
- &(dat[len - authlen]), authlen);
-
- } else
-#endif /* CONFIG_IPSEC_ALG */
- switch(ixs->ipsp->ips_authalg) {
-#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
- case AH_MD5:
- dmp("espp", (char*)espp, len - ixs->iphlen - authlen);
- tctx.md5 = ((struct md5_ctx*)(ixs->ipsp->ips_key_a))->ictx;
- dmp("ictx", (char*)&tctx.md5, sizeof(tctx.md5));
- MD5Update(&tctx.md5, (caddr_t)espp, len - ixs->iphlen - authlen);
- dmp("ictx+dat", (char*)&tctx.md5, sizeof(tctx.md5));
- MD5Final(hash, &tctx.md5);
- dmp("ictx hash", (char*)&hash, sizeof(hash));
- tctx.md5 = ((struct md5_ctx*)(ixs->ipsp->ips_key_a))->octx;
- dmp("octx", (char*)&tctx.md5, sizeof(tctx.md5));
- MD5Update(&tctx.md5, hash, AHMD596_ALEN);
- dmp("octx+hash", (char*)&tctx.md5, sizeof(tctx.md5));
- MD5Final(hash, &tctx.md5);
- dmp("octx hash", (char*)&hash, sizeof(hash));
- memcpy(&(dat[len - authlen]), hash, authlen);
-
- /* paranoid */
- memset((caddr_t)&tctx.md5, 0, sizeof(tctx.md5));
- memset((caddr_t)hash, 0, sizeof(*hash));
- break;
-#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
-#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
- case AH_SHA:
- tctx.sha1 = ((struct sha1_ctx*)(ixs->ipsp->ips_key_a))->ictx;
- SHA1Update(&tctx.sha1, (caddr_t)espp, len - ixs->iphlen - authlen);
- SHA1Final(hash, &tctx.sha1);
- tctx.sha1 = ((struct sha1_ctx*)(ixs->ipsp->ips_key_a))->octx;
- SHA1Update(&tctx.sha1, hash, AHSHA196_ALEN);
- SHA1Final(hash, &tctx.sha1);
- memcpy(&(dat[len - authlen]), hash, authlen);
-
- /* paranoid */
- memset((caddr_t)&tctx.sha1, 0, sizeof(tctx.sha1));
- memset((caddr_t)hash, 0, sizeof(*hash));
- break;
-#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
- case AH_NONE:
- break;
- default:
- ixs->stats->tx_errors++;
- return IPSEC_XMIT_AH_BADALG;
- }
-#ifdef NET_21
- ixs->skb->h.raw = (unsigned char*)espp;
-#endif /* NET_21 */
- break;
-#endif /* !CONFIG_IPSEC_ESP */
-#ifdef CONFIG_IPSEC_AH
- case IPPROTO_AH:
- ahp = (struct ahhdr *)(dat + ixs->iphlen);
- ahp->ah_spi = ixs->ipsp->ips_said.spi;
- ahp->ah_rpl = htonl(++(ixs->ipsp->ips_replaywin_lastseq));
- ahp->ah_rv = 0;
- ahp->ah_nh = ixs->iph->protocol;
- ahp->ah_hl = (headroom >> 2) - sizeof(__u64)/sizeof(__u32);
- ixs->iph->protocol = IPPROTO_AH;
- dmp("ahp", (char*)ahp, sizeof(*ahp));
-
- ipo = *ixs->iph;
- ipo.tos = 0;
- ipo.frag_off = 0;
- ipo.ttl = 0;
- ipo.check = 0;
- dmp("ipo", (char*)&ipo, sizeof(ipo));
-
- switch(ixs->ipsp->ips_authalg) {
-#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
- case AH_MD5:
- tctx.md5 = ((struct md5_ctx*)(ixs->ipsp->ips_key_a))->ictx;
- dmp("ictx", (char*)&tctx.md5, sizeof(tctx.md5));
- MD5Update(&tctx.md5, (unsigned char *)&ipo, sizeof (struct iphdr));
- dmp("ictx+ipo", (char*)&tctx.md5, sizeof(tctx.md5));
- MD5Update(&tctx.md5, (unsigned char *)ahp, headroom - sizeof(ahp->ah_data));
- dmp("ictx+ahp", (char*)&tctx.md5, sizeof(tctx.md5));
- MD5Update(&tctx.md5, (unsigned char *)zeroes, AHHMAC_HASHLEN);
- dmp("ictx+zeroes", (char*)&tctx.md5, sizeof(tctx.md5));
- MD5Update(&tctx.md5, dat + ixs->iphlen + headroom, len - ixs->iphlen - headroom);
- dmp("ictx+dat", (char*)&tctx.md5, sizeof(tctx.md5));
- MD5Final(hash, &tctx.md5);
- dmp("ictx hash", (char*)&hash, sizeof(hash));
- tctx.md5 = ((struct md5_ctx*)(ixs->ipsp->ips_key_a))->octx;
- dmp("octx", (char*)&tctx.md5, sizeof(tctx.md5));
- MD5Update(&tctx.md5, hash, AHMD596_ALEN);
- dmp("octx+hash", (char*)&tctx.md5, sizeof(tctx.md5));
- MD5Final(hash, &tctx.md5);
- dmp("octx hash", (char*)&hash, sizeof(hash));
-
- memcpy(ahp->ah_data, hash, AHHMAC_HASHLEN);
-
- /* paranoid */
- memset((caddr_t)&tctx.md5, 0, sizeof(tctx.md5));
- memset((caddr_t)hash, 0, sizeof(*hash));
- break;
-#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
-#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
- case AH_SHA:
- tctx.sha1 = ((struct sha1_ctx*)(ixs->ipsp->ips_key_a))->ictx;
- SHA1Update(&tctx.sha1, (unsigned char *)&ipo, sizeof (struct iphdr));
- SHA1Update(&tctx.sha1, (unsigned char *)ahp, headroom - sizeof(ahp->ah_data));
- SHA1Update(&tctx.sha1, (unsigned char *)zeroes, AHHMAC_HASHLEN);
- SHA1Update(&tctx.sha1, dat + ixs->iphlen + headroom, len - ixs->iphlen - headroom);
- SHA1Final(hash, &tctx.sha1);
- tctx.sha1 = ((struct sha1_ctx*)(ixs->ipsp->ips_key_a))->octx;
- SHA1Update(&tctx.sha1, hash, AHSHA196_ALEN);
- SHA1Final(hash, &tctx.sha1);
-
- memcpy(ahp->ah_data, hash, AHHMAC_HASHLEN);
-
- /* paranoid */
- memset((caddr_t)&tctx.sha1, 0, sizeof(tctx.sha1));
- memset((caddr_t)hash, 0, sizeof(*hash));
- break;
-#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
- default:
- ixs->stats->tx_errors++;
- return IPSEC_XMIT_AH_BADALG;
- }
-#ifdef NET_21
- ixs->skb->h.raw = (unsigned char*)ahp;
-#endif /* NET_21 */
- break;
-#endif /* CONFIG_IPSEC_AH */
-#ifdef CONFIG_IPSEC_IPIP
- case IPPROTO_IPIP:
- ixs->iph->version = 4;
- switch(sysctl_ipsec_tos) {
- case 0:
-#ifdef NET_21
- ixs->iph->tos = ixs->skb->nh.iph->tos;
-#else /* NET_21 */
- ixs->iph->tos = ixs->skb->ip_hdr->tos;
-#endif /* NET_21 */
- break;
- case 1:
- ixs->iph->tos = 0;
- break;
- default:
- break;
- }
-#ifdef NET_21
-#ifdef NETDEV_23
- ixs->iph->ttl = sysctl_ip_default_ttl;
-#else /* NETDEV_23 */
- ixs->iph->ttl = ip_statistics.IpDefaultTTL;
-#endif /* NETDEV_23 */
-#else /* NET_21 */
- ixs->iph->ttl = 64; /* ip_statistics.IpDefaultTTL; */
-#endif /* NET_21 */
- ixs->iph->frag_off = 0;
- ixs->iph->saddr = ((struct sockaddr_in*)(ixs->ipsp->ips_addr_s))->sin_addr.s_addr;
- ixs->iph->daddr = ((struct sockaddr_in*)(ixs->ipsp->ips_addr_d))->sin_addr.s_addr;
- ixs->iph->protocol = IPPROTO_IPIP;
- ixs->iph->ihl = sizeof(struct iphdr) >> 2;
-
- KLIPS_IP_SELECT_IDENT(ixs->iph, ixs->skb);
-
- ixs->newdst = (__u32)ixs->iph->daddr;
- ixs->newsrc = (__u32)ixs->iph->saddr;
-
-#ifdef NET_21
- ixs->skb->h.ipiph = ixs->skb->nh.iph;
-#endif /* NET_21 */
- break;
-#endif /* !CONFIG_IPSEC_IPIP */
-#ifdef CONFIG_IPSEC_IPCOMP
- case IPPROTO_COMP:
- {
- unsigned int flags = 0;
-#ifdef CONFIG_IPSEC_DEBUG
- unsigned int old_tot_len = ntohs(ixs->iph->tot_len);
-#endif /* CONFIG_IPSEC_DEBUG */
- ixs->ipsp->ips_comp_ratio_dbytes += ntohs(ixs->iph->tot_len);
-
- ixs->skb = skb_compress(ixs->skb, ixs->ipsp, &flags);
-
-#ifdef NET_21
- ixs->iph = ixs->skb->nh.iph;
-#else /* NET_21 */
- ixs->iph = ixs->skb->ip_hdr;
-#endif /* NET_21 */
-
- ixs->ipsp->ips_comp_ratio_cbytes += ntohs(ixs->iph->tot_len);
-
-#ifdef CONFIG_IPSEC_DEBUG
- if (debug_tunnel & DB_TN_CROUT)
- {
- if (old_tot_len > ntohs(ixs->iph->tot_len))
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_encap_once: "
- "packet shrunk from %d to %d bytes after compression, cpi=%04x (should be from spi=%08x, spi&0xffff=%04x.\n",
- old_tot_len, ntohs(ixs->iph->tot_len),
- ntohs(((struct ipcomphdr*)(((char*)ixs->iph) + ((ixs->iph->ihl) << 2)))->ipcomp_cpi),
- ntohl(ixs->ipsp->ips_said.spi),
- (__u16)(ntohl(ixs->ipsp->ips_said.spi) & 0x0000ffff));
- else
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_encap_once: "
- "packet did not compress (flags = %d).\n",
- flags);
- }
-#endif /* CONFIG_IPSEC_DEBUG */
- }
- break;
-#endif /* CONFIG_IPSEC_IPCOMP */
- default:
- ixs->stats->tx_errors++;
- return IPSEC_XMIT_BADPROTO;
- }
-
-#ifdef NET_21
- ixs->skb->nh.raw = ixs->skb->data;
-#else /* NET_21 */
- ixs->skb->ip_hdr = ixs->skb->h.iph = (struct iphdr *) ixs->skb->data;
-#endif /* NET_21 */
- ixs->iph->check = 0;
- ixs->iph->check = ip_fast_csum((unsigned char *)ixs->iph, ixs->iph->ihl);
-
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_encap_once: "
- "after <%s%s%s>, SA:%s:\n",
- IPS_XFORM_NAME(ixs->ipsp),
- ixs->sa_len ? ixs->sa_txt : " (error)");
- KLIPS_IP_PRINT(debug_tunnel & DB_TN_XMIT, ixs->iph);
-
- ixs->ipsp->ips_life.ipl_bytes.ipl_count += len;
- ixs->ipsp->ips_life.ipl_bytes.ipl_last = len;
-
- if(!ixs->ipsp->ips_life.ipl_usetime.ipl_count) {
- ixs->ipsp->ips_life.ipl_usetime.ipl_count = jiffies / HZ;
- }
- ixs->ipsp->ips_life.ipl_usetime.ipl_last = jiffies / HZ;
- ixs->ipsp->ips_life.ipl_packets.ipl_count++;
-
- ixs->ipsp = ixs->ipsp->ips_onext;
-
- return IPSEC_XMIT_OK;
-}
-
-enum ipsec_xmit_value
-ipsec_xmit_encap_bundle(struct ipsec_xmit_state *ixs)
-{
-#ifdef CONFIG_IPSEC_ALG
- struct ipsec_alg_enc *ixt_e = NULL;
- struct ipsec_alg_auth *ixt_a = NULL;
- int blocksize = 8;
-#endif /* CONFIG_IPSEC_ALG */
- enum ipsec_xmit_value bundle_stat = IPSEC_XMIT_OK;
-
- ixs->newdst = ixs->orgdst = ixs->iph->daddr;
- ixs->newsrc = ixs->orgsrc = ixs->iph->saddr;
- ixs->orgedst = ixs->outgoing_said.dst.s_addr;
- ixs->iphlen = ixs->iph->ihl << 2;
- ixs->pyldsz = ntohs(ixs->iph->tot_len) - ixs->iphlen;
- ixs->max_headroom = ixs->max_tailroom = 0;
-
- if (ixs->outgoing_said.proto == IPPROTO_INT) {
- switch (ntohl(ixs->outgoing_said.spi)) {
- case SPI_DROP:
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "shunt SA of DROP or no eroute: dropping.\n");
- ixs->stats->tx_dropped++;
- break;
-
- case SPI_REJECT:
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "shunt SA of REJECT: notifying and dropping.\n");
- ICMP_SEND(ixs->skb,
- ICMP_DEST_UNREACH,
- ICMP_PKT_FILTERED,
- 0,
- ixs->physdev);
- ixs->stats->tx_dropped++;
- break;
-
- case SPI_PASS:
-#ifdef NET_21
- ixs->pass = 1;
-#endif /* NET_21 */
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "PASS: calling dev_queue_xmit\n");
- return IPSEC_XMIT_PASS;
- goto cleanup;
-
-#if 1 /* now moved up to finderoute so we don't need to lock it longer */
- case SPI_HOLD:
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "shunt SA of HOLD: this does not make sense here, dropping.\n");
- ixs->stats->tx_dropped++;
- break;
-#endif
- case SPI_TRAP:
- case SPI_TRAPSUBNET:
- {
- struct sockaddr_in src, dst;
-#ifdef CONFIG_IPSEC_DEBUG
- char bufsrc[ADDRTOA_BUF], bufdst[ADDRTOA_BUF];
-#endif /* CONFIG_IPSEC_DEBUG */
-
- /* Signal all listening KMds with a PF_KEY ACQUIRE */
- ixs->ips.ips_said.proto = ixs->iph->protocol;
- src.sin_family = AF_INET;
- dst.sin_family = AF_INET;
- src.sin_addr.s_addr = ixs->iph->saddr;
- dst.sin_addr.s_addr = ixs->iph->daddr;
- src.sin_port =
- (ixs->iph->protocol == IPPROTO_UDP
- ? ((struct udphdr*) (((caddr_t)ixs->iph) + (ixs->iph->ihl << 2)))->source
- : (ixs->iph->protocol == IPPROTO_TCP
- ? ((struct tcphdr*)((caddr_t)ixs->iph + (ixs->iph->ihl << 2)))->source
- : 0));
- dst.sin_port =
- (ixs->iph->protocol == IPPROTO_UDP
- ? ((struct udphdr*) (((caddr_t)ixs->iph) + (ixs->iph->ihl << 2)))->dest
- : (ixs->iph->protocol == IPPROTO_TCP
- ? ((struct tcphdr*)((caddr_t)ixs->iph + (ixs->iph->ihl << 2)))->dest
- : 0));
- {
- int i;
- for(i = 0;
- i < sizeof(struct sockaddr_in)
- - offsetof(struct sockaddr_in, sin_zero);
- i++) {
- src.sin_zero[i] = 0;
- dst.sin_zero[i] = 0;
- }
- }
-
- ixs->ips.ips_addr_s = (struct sockaddr*)(&src);
- ixs->ips.ips_addr_d = (struct sockaddr*)(&dst);
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "SADB_ACQUIRE sent with src=%s:%d, dst=%s:%d, proto=%d.\n",
- addrtoa(((struct sockaddr_in*)(ixs->ips.ips_addr_s))->sin_addr, 0, bufsrc, sizeof(bufsrc)) <= ADDRTOA_BUF ? bufsrc : "BAD_ADDR",
- ntohs(((struct sockaddr_in*)(ixs->ips.ips_addr_s))->sin_port),
- addrtoa(((struct sockaddr_in*)(ixs->ips.ips_addr_d))->sin_addr, 0, bufdst, sizeof(bufdst)) <= ADDRTOA_BUF ? bufdst : "BAD_ADDR",
- ntohs(((struct sockaddr_in*)(ixs->ips.ips_addr_d))->sin_port),
- ixs->ips.ips_said.proto);
-
- /* increment count of total traps needed */
- ipsec_xmit_trap_count++;
-
- if (pfkey_acquire(&ixs->ips) == 0) {
-
- /* note that we succeeded */
- ipsec_xmit_trap_sendcount++;
-
- if (ixs->outgoing_said.spi==htonl(SPI_TRAPSUBNET)) {
- /*
- * The spinlock is to prevent any other
- * process from accessing or deleting
- * the eroute while we are using and
- * updating it.
- */
- spin_lock(&eroute_lock);
- ixs->eroute = ipsec_findroute(&ixs->matcher);
- if(ixs->eroute) {
- ixs->eroute->er_said.spi = htonl(SPI_HOLD);
- ixs->eroute->er_first = ixs->skb;
- ixs->skb = NULL;
- }
- spin_unlock(&eroute_lock);
- } else if (create_hold_eroute(ixs->skb, ixs->iph, ixs->eroute_pid)) {
- ixs->skb = NULL;
- }
- }
- ixs->stats->tx_dropped++;
- }
- default:
- /* XXX what do we do with an unknown shunt spi? */
- break;
- } /* switch (ntohl(ixs->outgoing_said.spi)) */
- return IPSEC_XMIT_STOLEN;
- } /* if (ixs->outgoing_said.proto == IPPROTO_INT) */
-
- /*
- The spinlock is to prevent any other process from
- accessing or deleting the ipsec_sa hash table or any of the
- ipsec_sa s while we are using and updating them.
-
- This is not optimal, but was relatively straightforward
- at the time. A better way to do it has been planned for
- more than a year, to lock the hash table and put reference
- counts on each ipsec_sa instead. This is not likely to happen
- in KLIPS1 unless a volunteer contributes it, but will be
- designed into KLIPS2.
- */
- spin_lock(&tdb_lock);
-
- ixs->ipsp = ipsec_sa_getbyid(&ixs->outgoing_said);
- ixs->sa_len = satoa(ixs->outgoing_said, 0, ixs->sa_txt, SATOA_BUF);
-
- if (ixs->ipsp == NULL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "no ipsec_sa for SA%s: outgoing packet with no SA, dropped.\n",
- ixs->sa_len ? ixs->sa_txt : " (error)");
- ixs->stats->tx_dropped++;
- bundle_stat = IPSEC_XMIT_SAIDNOTFOUND;
- goto cleanup;
- }
-
- ipsec_sa_put(ixs->ipsp); /* incomplete */
-
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "found ipsec_sa -- SA:<%s%s%s> %s\n",
- IPS_XFORM_NAME(ixs->ipsp),
- ixs->sa_len ? ixs->sa_txt : " (error)");
-
- /*
- * How much headroom do we need to be able to apply
- * all the grouped transforms?
- */
- ixs->ipsq = ixs->ipsp; /* save the head of the ipsec_sa chain */
- while (ixs->ipsp) {
- ixs->sa_len = satoa(ixs->ipsp->ips_said, 0, ixs->sa_txt, SATOA_BUF);
- if(ixs->sa_len == 0) {
- strcpy(ixs->sa_txt, "(error)");
- }
-
- /* If it is in larval state, drop the packet, we cannot process yet. */
- if(ixs->ipsp->ips_state == SADB_SASTATE_LARVAL) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "ipsec_sa in larval state for SA:<%s%s%s> %s, cannot be used yet, dropping packet.\n",
- IPS_XFORM_NAME(ixs->ipsp),
- ixs->sa_len ? ixs->sa_txt : " (error)");
- ixs->stats->tx_errors++;
- bundle_stat = IPSEC_XMIT_SAIDNOTLIVE;
- goto cleanup;
- }
-
- if(ixs->ipsp->ips_state == SADB_SASTATE_DEAD) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "ipsec_sa in dead state for SA:<%s%s%s> %s, can no longer be used, dropping packet.\n",
- IPS_XFORM_NAME(ixs->ipsp),
- ixs->sa_len ? ixs->sa_txt : " (error)");
- ixs->stats->tx_errors++;
- bundle_stat = IPSEC_XMIT_SAIDNOTLIVE;
- goto cleanup;
- }
-
- /* If the replay window counter == -1, expire SA, it will roll */
- if(ixs->ipsp->ips_replaywin && ixs->ipsp->ips_replaywin_lastseq == -1) {
- pfkey_expire(ixs->ipsp, 1);
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "replay window counter rolled for SA:<%s%s%s> %s, packet dropped, expiring SA.\n",
- IPS_XFORM_NAME(ixs->ipsp),
- ixs->sa_len ? ixs->sa_txt : " (error)");
- ipsec_sa_delchain(ixs->ipsp);
- ixs->stats->tx_errors++;
- bundle_stat = IPSEC_XMIT_REPLAYROLLED;
- goto cleanup;
- }
-
- /*
- * if this is the first time we are using this SA, mark start time,
- * and offset hard/soft counters by "now" for later checking.
- */
-#if 0
- if(ixs->ipsp->ips_life.ipl_usetime.count == 0) {
- ixs->ipsp->ips_life.ipl_usetime.count = jiffies;
- ixs->ipsp->ips_life.ipl_usetime.hard += jiffies;
- ixs->ipsp->ips_life.ipl_usetime.soft += jiffies;
- }
-#endif
-
-
- if(ipsec_lifetime_check(&ixs->ipsp->ips_life.ipl_bytes, "bytes", ixs->sa_txt,
- ipsec_life_countbased, ipsec_outgoing, ixs->ipsp) == ipsec_life_harddied ||
- ipsec_lifetime_check(&ixs->ipsp->ips_life.ipl_addtime, "addtime",ixs->sa_txt,
- ipsec_life_timebased, ipsec_outgoing, ixs->ipsp) == ipsec_life_harddied ||
- ipsec_lifetime_check(&ixs->ipsp->ips_life.ipl_usetime, "usetime",ixs->sa_txt,
- ipsec_life_timebased, ipsec_outgoing, ixs->ipsp) == ipsec_life_harddied ||
- ipsec_lifetime_check(&ixs->ipsp->ips_life.ipl_packets, "packets",ixs->sa_txt,
- ipsec_life_countbased, ipsec_outgoing, ixs->ipsp) == ipsec_life_harddied) {
-
- ipsec_sa_delchain(ixs->ipsp);
- ixs->stats->tx_errors++;
- bundle_stat = IPSEC_XMIT_LIFETIMEFAILED;
- goto cleanup;
- }
-
-
- ixs->headroom = ixs->tailroom = 0;
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "calling room for <%s%s%s>, SA:%s\n",
- IPS_XFORM_NAME(ixs->ipsp),
- ixs->sa_len ? ixs->sa_txt : " (error)");
- switch(ixs->ipsp->ips_said.proto) {
-#ifdef CONFIG_IPSEC_AH
- case IPPROTO_AH:
- ixs->headroom += sizeof(struct ahhdr);
- break;
-#endif /* CONFIG_IPSEC_AH */
-#ifdef CONFIG_IPSEC_ESP
- case IPPROTO_ESP:
-#ifdef CONFIG_IPSEC_ALG
- if ((ixt_e=ixs->ipsp->ips_alg_enc)) {
- blocksize = ixt_e->ixt_blocksize;
- ixs->headroom += ESP_HEADER_LEN + ixt_e->ixt_ivlen/8;
- } else
-#endif /* CONFIG_IPSEC_ALG */
- switch(ixs->ipsp->ips_encalg) {
-#ifdef CONFIG_IPSEC_ENC_3DES
- case ESP_3DES:
- ixs->headroom += sizeof(struct esphdr);
- break;
-#endif /* CONFIG_IPSEC_ENC_3DES */
- default:
- ixs->stats->tx_errors++;
- bundle_stat = IPSEC_XMIT_ESP_BADALG;
- goto cleanup;
- }
-#ifdef CONFIG_IPSEC_ALG
- if ((ixt_a=ixs->ipsp->ips_alg_auth)) {
- ixs->tailroom += AHHMAC_HASHLEN;
- } else
-#endif /* CONFIG_IPSEC_ALG */
- switch(ixs->ipsp->ips_authalg) {
-#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
- case AH_MD5:
- ixs->tailroom += AHHMAC_HASHLEN;
- break;
-#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
-#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
- case AH_SHA:
- ixs->tailroom += AHHMAC_HASHLEN;
- break;
-#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
- case AH_NONE:
- break;
- default:
- ixs->stats->tx_errors++;
- bundle_stat = IPSEC_XMIT_AH_BADALG;
- goto cleanup;
- }
-#ifdef CONFIG_IPSEC_ALG
- ixs->tailroom += blocksize != 1 ?
- ((blocksize - ((ixs->pyldsz + 2) % blocksize)) % blocksize) + 2 :
- ((4 - ((ixs->pyldsz + 2) % 4)) % 4) + 2;
-#else
- ixs->tailroom += ((8 - ((ixs->pyldsz + 2 * sizeof(unsigned char)) % 8)) % 8) + 2;
-#endif /* CONFIG_IPSEC_ALG */
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- if ((ixs->ipsp->ips_natt_type) && (!ixs->natt_type)) {
- ixs->natt_type = ixs->ipsp->ips_natt_type;
- ixs->natt_sport = ixs->ipsp->ips_natt_sport;
- ixs->natt_dport = ixs->ipsp->ips_natt_dport;
- switch (ixs->natt_type) {
- case ESPINUDP_WITH_NON_IKE:
- ixs->natt_head = sizeof(struct udphdr)+(2*sizeof(__u32));
- break;
- case ESPINUDP_WITH_NON_ESP:
- ixs->natt_head = sizeof(struct udphdr);
- break;
- default:
- ixs->natt_head = 0;
- break;
- }
- ixs->tailroom += ixs->natt_head;
- }
-#endif
- break;
-#endif /* !CONFIG_IPSEC_ESP */
-#ifdef CONFIG_IPSEC_IPIP
- case IPPROTO_IPIP:
- ixs->headroom += sizeof(struct iphdr);
- break;
-#endif /* !CONFIG_IPSEC_IPIP */
- case IPPROTO_COMP:
-#ifdef CONFIG_IPSEC_IPCOMP
- /*
- We can't predict how much the packet will
- shrink without doing the actual compression.
- We could do it here, if we were the first
- encapsulation in the chain. That might save
- us a skb_copy_expand, since we might fit
- into the existing skb then. However, this
- would be a bit unclean (and this hack has
- bit us once), so we better not do it. After
- all, the skb_copy_expand is cheap in
- comparison to the actual compression.
- At least we know the packet will not grow.
- */
- break;
-#endif /* CONFIG_IPSEC_IPCOMP */
- default:
- ixs->stats->tx_errors++;
- bundle_stat = IPSEC_XMIT_BADPROTO;
- goto cleanup;
- }
- ixs->ipsp = ixs->ipsp->ips_onext;
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "Required head,tailroom: %d,%d\n",
- ixs->headroom, ixs->tailroom);
- ixs->max_headroom += ixs->headroom;
- ixs->max_tailroom += ixs->tailroom;
- ixs->pyldsz += (ixs->headroom + ixs->tailroom);
- }
- ixs->ipsp = ixs->ipsq; /* restore the head of the ipsec_sa chain */
-
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "existing head,tailroom: %d,%d before applying xforms with head,tailroom: %d,%d .\n",
- skb_headroom(ixs->skb), skb_tailroom(ixs->skb),
- ixs->max_headroom, ixs->max_tailroom);
-
- ixs->tot_headroom += ixs->max_headroom;
- ixs->tot_tailroom += ixs->max_tailroom;
-
- ixs->mtudiff = ixs->prv->mtu + ixs->tot_headroom + ixs->tot_tailroom - ixs->physmtu;
-
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "mtu:%d physmtu:%d tothr:%d tottr:%d mtudiff:%d ippkttotlen:%d\n",
- ixs->prv->mtu, ixs->physmtu,
- ixs->tot_headroom, ixs->tot_tailroom, ixs->mtudiff, ntohs(ixs->iph->tot_len));
- if(ixs->mtudiff > 0) {
- int newmtu = ixs->physmtu - (ixs->tot_headroom + ((ixs->tot_tailroom + 2) & ~7) + 5);
-
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_info:ipsec_xmit_encap_bundle: "
- "dev %s mtu of %d decreased by %d to %d\n",
- ixs->dev->name,
- ixs->prv->mtu,
- ixs->prv->mtu - newmtu,
- newmtu);
- ixs->prv->mtu = newmtu;
-#ifdef NET_21
-#if 0
- ixs->skb->dst->pmtu = ixs->prv->mtu; /* RGB */
-#endif /* 0 */
-#else /* NET_21 */
-#if 0
- ixs->dev->mtu = ixs->prv->mtu; /* RGB */
-#endif /* 0 */
-#endif /* NET_21 */
- }
-
- /*
- If the sender is doing PMTU discovery, and the
- packet doesn't fit within ixs->prv->mtu, notify him
- (unless it was an ICMP packet, or it was not the
- zero-offset packet) and send it anyways.
-
- Note: buggy firewall configuration may prevent the
- ICMP packet from getting back.
- */
- if(sysctl_ipsec_icmp
- && ixs->prv->mtu < ntohs(ixs->iph->tot_len)
- && (ixs->iph->frag_off & __constant_htons(IP_DF)) ) {
- int notify = ixs->iph->protocol != IPPROTO_ICMP
- && (ixs->iph->frag_off & __constant_htons(IP_OFFSET)) == 0;
-
-#ifdef IPSEC_obey_DF
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "fragmentation needed and DF set; %sdropping packet\n",
- notify ? "sending ICMP and " : "");
- if (notify)
- ICMP_SEND(ixs->skb,
- ICMP_DEST_UNREACH,
- ICMP_FRAG_NEEDED,
- ixs->prv->mtu,
- ixs->physdev);
- ixs->stats->tx_errors++;
- bundle_stat = IPSEC_XMIT_CANNOTFRAG;
- goto cleanup;
-#else /* IPSEC_obey_DF */
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "fragmentation needed and DF set; %spassing packet\n",
- notify ? "sending ICMP and " : "");
- if (notify)
- ICMP_SEND(ixs->skb,
- ICMP_DEST_UNREACH,
- ICMP_FRAG_NEEDED,
- ixs->prv->mtu,
- ixs->physdev);
-#endif /* IPSEC_obey_DF */
- }
-
-#ifdef MSS_HACK
- /*
- * If this is a transport mode TCP packet with
- * SYN set, determine an effective MSS based on
- * AH/ESP overheads determined above.
- */
- if (ixs->iph->protocol == IPPROTO_TCP
- && ixs->outgoing_said.proto != IPPROTO_IPIP) {
- struct tcphdr *tcph = ixs->skb->h.th;
- if (tcph->syn && !tcph->ack) {
- if(!ipsec_adjust_mss(ixs->skb, tcph, ixs->prv->mtu)) {
- printk(KERN_WARNING
- "klips_warning:ipsec_xmit_encap_bundle: "
- "ipsec_adjust_mss() failed\n");
- ixs->stats->tx_errors++;
- bundle_stat = IPSEC_XMIT_MSSERR;
- goto cleanup;
- }
- }
- }
-#endif /* MSS_HACK */
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- if ((ixs->natt_type) && (ixs->outgoing_said.proto != IPPROTO_IPIP)) {
- /**
- * NAT-Traversal and Transport Mode:
- * we need to correct TCP/UDP checksum
- *
- * If we've got NAT-OA, we can fix checksum without recalculation.
- * If we don't we can zero udp checksum.
- */
- __u32 natt_oa = ixs->ipsp->ips_natt_oa ?
- ((struct sockaddr_in*)(ixs->ipsp->ips_natt_oa))->sin_addr.s_addr : 0;
- __u16 pkt_len = ixs->skb->tail - (unsigned char *)ixs->iph;
- __u16 data_len = pkt_len - (ixs->iph->ihl << 2);
- switch (ixs->iph->protocol) {
- case IPPROTO_TCP:
- if (data_len >= sizeof(struct tcphdr)) {
- struct tcphdr *tcp = (struct tcphdr *)((__u32 *)ixs->iph+ixs->iph->ihl);
- if (natt_oa) {
- __u32 buff[2] = { ~ixs->iph->daddr, natt_oa };
- KLIPS_PRINT(debug_tunnel,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "NAT-T & TRANSPORT: "
- "fix TCP checksum using NAT-OA\n");
- tcp->check = csum_fold(
- csum_partial((unsigned char *)buff, sizeof(buff),
- tcp->check^0xffff));
- }
- else {
- KLIPS_PRINT(debug_tunnel,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "NAT-T & TRANSPORT: do not recalc TCP checksum\n");
- }
- }
- else {
- KLIPS_PRINT(debug_tunnel,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "NAT-T & TRANSPORT: can't fix TCP checksum\n");
- }
- break;
- case IPPROTO_UDP:
- if (data_len >= sizeof(struct udphdr)) {
- struct udphdr *udp = (struct udphdr *)((__u32 *)ixs->iph+ixs->iph->ihl);
- if (udp->check == 0) {
- KLIPS_PRINT(debug_tunnel,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "NAT-T & TRANSPORT: UDP checksum already 0\n");
- }
- else if (natt_oa) {
- __u32 buff[2] = { ~ixs->iph->daddr, natt_oa };
- KLIPS_PRINT(debug_tunnel,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "NAT-T & TRANSPORT: "
- "fix UDP checksum using NAT-OA\n");
- udp->check = csum_fold(
- csum_partial((unsigned char *)buff, sizeof(buff),
- udp->check^0xffff));
- }
- else {
- KLIPS_PRINT(debug_tunnel,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "NAT-T & TRANSPORT: zero UDP checksum\n");
- udp->check = 0;
- }
- }
- else {
- KLIPS_PRINT(debug_tunnel,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "NAT-T & TRANSPORT: can't fix UDP checksum\n");
- }
- break;
- default:
- KLIPS_PRINT(debug_tunnel,
- "klips_debug:ipsec_tunnel_start_xmit: "
- "NAT-T & TRANSPORT: non TCP/UDP packet -- do nothing\n");
- break;
- }
- }
-#endif /* CONFIG_IPSEC_NAT_TRAVERSAL */
-
- if(!ixs->hard_header_stripped) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "allocating %d bytes for hardheader.\n",
- ixs->hard_header_len);
- if((ixs->saved_header = kmalloc(ixs->hard_header_len, GFP_ATOMIC)) == NULL) {
- printk(KERN_WARNING "klips_debug:ipsec_xmit_encap_bundle: "
- "Failed, tried to allocate %d bytes for temp hard_header.\n",
- ixs->hard_header_len);
- ixs->stats->tx_errors++;
- bundle_stat = IPSEC_XMIT_ERRMEMALLOC;
- goto cleanup;
- }
- {
- int i;
- for (i = 0; i < ixs->hard_header_len; i++) {
- ixs->saved_header[i] = ixs->skb->data[i];
- }
- }
- if(ixs->skb->len < ixs->hard_header_len) {
- printk(KERN_WARNING "klips_error:ipsec_xmit_encap_bundle: "
- "tried to skb_pull hhlen=%d, %d available. This should never happen, please report.\n",
- ixs->hard_header_len, (int)(ixs->skb->len));
- ixs->stats->tx_errors++;
- bundle_stat = IPSEC_XMIT_ESP_PUSHPULLERR;
- goto cleanup;
- }
- skb_pull(ixs->skb, ixs->hard_header_len);
- ixs->hard_header_stripped = 1;
-
-/* ixs->iph = (struct iphdr *) (ixs->skb->data); */
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "head,tailroom: %d,%d after hard_header stripped.\n",
- skb_headroom(ixs->skb), skb_tailroom(ixs->skb));
- KLIPS_IP_PRINT(debug_tunnel & DB_TN_CROUT, ixs->iph);
- } else {
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "hard header already stripped.\n");
- }
-
- ixs->ll_headroom = (ixs->hard_header_len + 15) & ~15;
-
- if ((skb_headroom(ixs->skb) >= ixs->max_headroom + 2 * ixs->ll_headroom) &&
- (skb_tailroom(ixs->skb) >= ixs->max_tailroom)
-#ifndef NET_21
- && ixs->skb->free
-#endif /* !NET_21 */
- ) {
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "data fits in existing skb\n");
- } else {
- struct sk_buff* tskb;
-
- if(!ixs->oskb) {
- ixs->oskb = ixs->skb;
- }
-
- tskb = skb_copy_expand(ixs->skb,
- /* The need for 2 * link layer length here remains unexplained...RGB */
- ixs->max_headroom + 2 * ixs->ll_headroom,
- ixs->max_tailroom,
- GFP_ATOMIC);
-#ifdef NET_21
- if(tskb && ixs->skb->sk) {
- skb_set_owner_w(tskb, ixs->skb->sk);
- }
-#endif /* NET_21 */
- if(ixs->skb != ixs->oskb) {
- ipsec_kfree_skb(ixs->skb);
- }
- ixs->skb = tskb;
- if (!ixs->skb) {
- printk(KERN_WARNING
- "klips_debug:ipsec_xmit_encap_bundle: "
- "Failed, tried to allocate %d head and %d tailroom\n",
- ixs->max_headroom, ixs->max_tailroom);
- ixs->stats->tx_errors++;
- bundle_stat = IPSEC_XMIT_ERRSKBALLOC;
- goto cleanup;
- }
- KLIPS_PRINT(debug_tunnel & DB_TN_CROUT,
- "klips_debug:ipsec_xmit_encap_bundle: "
- "head,tailroom: %d,%d after allocation\n",
- skb_headroom(ixs->skb), skb_tailroom(ixs->skb));
- }
-
- /*
- * Apply grouped transforms to packet
- */
- while (ixs->ipsp) {
- enum ipsec_xmit_value encap_stat = IPSEC_XMIT_OK;
-
- encap_stat = ipsec_xmit_encap_once(ixs);
- if(encap_stat != IPSEC_XMIT_OK) {
- KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
- "klips_debug:ipsec_xmit_encap_bundle: encap_once failed: %d\n",
- encap_stat);
-
- bundle_stat = IPSEC_XMIT_ENCAPFAIL;
- goto cleanup;
- }
- }
- /* end encapsulation loop here XXX */
- cleanup:
- spin_unlock(&tdb_lock);
- return bundle_stat;
-}
diff --git a/linux/net/ipsec/pfkey_v2.c b/linux/net/ipsec/pfkey_v2.c
deleted file mode 100644
index a78aaf26e..000000000
--- a/linux/net/ipsec/pfkey_v2.c
+++ /dev/null
@@ -1,2125 +0,0 @@
-/*
- * @(#) RFC2367 PF_KEYv2 Key management API domain socket I/F
- * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: pfkey_v2.c,v 1.4 2004/09/29 22:27:41 as Exp $
- */
-
-/*
- * Template from /usr/src/linux-2.0.36/net/unix/af_unix.c.
- * Hints from /usr/src/linux-2.0.36/net/ipv4/udp.c.
- */
-
-#define __NO_VERSION__
-#include <linux/module.h>
-#include <linux/version.h>
-#include <linux/config.h>
-#include <linux/kernel.h>
-
-#include "freeswan/ipsec_param.h"
-
-#include <linux/major.h>
-#include <linux/signal.h>
-#include <linux/sched.h>
-#include <linux/errno.h>
-#include <linux/string.h>
-#include <linux/stat.h>
-#include <linux/socket.h>
-#include <linux/un.h>
-#include <linux/fcntl.h>
-#include <linux/termios.h>
-#include <linux/socket.h>
-#include <linux/sockios.h>
-#include <linux/net.h> /* struct socket */
-#include <linux/in.h>
-#include <linux/fs.h>
-#ifdef MALLOC_SLAB
-# include <linux/slab.h> /* kmalloc() */
-#else /* MALLOC_SLAB */
-# include <linux/malloc.h> /* kmalloc() */
-#endif /* MALLOC_SLAB */
-#include <asm/segment.h>
-#include <linux/skbuff.h>
-#include <linux/netdevice.h>
-#include <net/sock.h> /* struct sock */
-/* #include <net/tcp.h> */
-#include <net/af_unix.h>
-#ifdef CONFIG_PROC_FS
-# include <linux/proc_fs.h>
-#endif /* CONFIG_PROC_FS */
-
-#include <linux/types.h>
-
-#include <freeswan.h>
-#ifdef NET_21
-# include <asm/uaccess.h>
-# include <linux/in6.h>
-#endif /* NET_21 */
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_sa.h"
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "freeswan/ipsec_proto.h"
-
-#ifdef CONFIG_IPSEC_DEBUG
-int debug_pfkey = 0;
-extern int sysctl_ipsec_debug_verbose;
-#endif /* CONFIG_IPSEC_DEBUG */
-
-#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
-
-#ifndef SOCKOPS_WRAPPED
-#define SOCKOPS_WRAPPED(name) name
-#endif /* SOCKOPS_WRAPPED */
-
-extern struct proto_ops pfkey_ops;
-struct sock *pfkey_sock_list = NULL;
-struct supported_list *pfkey_supported_list[SADB_SATYPE_MAX+1];
-
-struct socket_list *pfkey_open_sockets = NULL;
-struct socket_list *pfkey_registered_sockets[SADB_SATYPE_MAX+1];
-
-int pfkey_msg_interp(struct sock *, struct sadb_msg *, struct sadb_msg **);
-
-int
-pfkey_list_remove_socket(struct socket *socketp, struct socket_list **sockets)
-{
- struct socket_list *socket_listp,*prev;
-
- if(!socketp) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_remove_socket: "
- "NULL socketp handed in, failed.\n");
- return -EINVAL;
- }
-
- if(!sockets) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_remove_socket: "
- "NULL sockets list handed in, failed.\n");
- return -EINVAL;
- }
-
- socket_listp = *sockets;
- prev = NULL;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_remove_socket: "
- "removing sock=0p%p\n",
- socketp);
-
- while(socket_listp != NULL) {
- if(socket_listp->socketp == socketp) {
- if(prev != NULL) {
- prev->next = socket_listp->next;
- } else {
- *sockets = socket_listp->next;
- }
-
- kfree((void*)socket_listp);
-
- break;
- }
- prev = socket_listp;
- socket_listp = socket_listp->next;
- }
-
- return 0;
-}
-
-int
-pfkey_list_insert_socket(struct socket *socketp, struct socket_list **sockets)
-{
- struct socket_list *socket_listp;
-
- if(!socketp) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_insert_socket: "
- "NULL socketp handed in, failed.\n");
- return -EINVAL;
- }
-
- if(!sockets) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_insert_socket: "
- "NULL sockets list handed in, failed.\n");
- return -EINVAL;
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_insert_socket: "
- "allocating %lu bytes for socketp=0p%p\n",
- (unsigned long) sizeof(struct socket_list),
- socketp);
-
- if((socket_listp = (struct socket_list *)kmalloc(sizeof(struct socket_list), GFP_KERNEL)) == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_insert_socket: "
- "memory allocation error.\n");
- return -ENOMEM;
- }
-
- socket_listp->socketp = socketp;
- socket_listp->next = *sockets;
- *sockets = socket_listp;
-
- return 0;
-}
-
-int
-pfkey_list_remove_supported(struct supported *supported, struct supported_list **supported_list)
-{
- struct supported_list *supported_listp = *supported_list, *prev = NULL;
-
- if(!supported) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_remove_supported: "
- "NULL supported handed in, failed.\n");
- return -EINVAL;
- }
-
- if(!supported_list) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_remove_supported: "
- "NULL supported_list handed in, failed.\n");
- return -EINVAL;
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_remove_supported: "
- "removing supported=0p%p\n",
- supported);
-
- while(supported_listp != NULL) {
- if(supported_listp->supportedp == supported) {
- if(prev != NULL) {
- prev->next = supported_listp->next;
- } else {
- *supported_list = supported_listp->next;
- }
-
- kfree((void*)supported_listp);
-
- break;
- }
- prev = supported_listp;
- supported_listp = supported_listp->next;
- }
-
- return 0;
-}
-
-int
-pfkey_list_insert_supported(struct supported *supported, struct supported_list **supported_list)
-{
- struct supported_list *supported_listp;
-
- if(!supported) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_insert_supported: "
- "NULL supported handed in, failed.\n");
- return -EINVAL;
- }
-
- if(!supported_list) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_insert_supported: "
- "NULL supported_list handed in, failed.\n");
- return -EINVAL;
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_insert_supported: "
- "allocating %lu bytes for incoming, supported=0p%p, supported_list=0p%p\n",
- (unsigned long) sizeof(struct supported_list),
- supported,
- supported_list);
-
- supported_listp = (struct supported_list *)kmalloc(sizeof(struct supported_list), GFP_KERNEL);
- if(supported_listp == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_insert_supported: "
- "memory allocation error.\n");
- return -ENOMEM;
- }
-
- supported_listp->supportedp = supported;
- supported_listp->next = *supported_list;
- *supported_list = supported_listp;
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_list_insert_supported: "
- "outgoing, supported=0p%p, supported_list=0p%p\n",
- supported,
- supported_list);
-
- return 0;
-}
-
-#ifndef NET_21
-DEBUG_NO_STATIC void
-pfkey_state_change(struct sock *sk)
-{
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_state_change: .\n");
- if(!sk->dead) {
- wake_up_interruptible(sk->sleep);
- }
-}
-#endif /* !NET_21 */
-
-#ifndef NET_21
-DEBUG_NO_STATIC void
-pfkey_data_ready(struct sock *sk, int len)
-{
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_data_ready: "
- "sk=0p%p len=%d\n",
- sk,
- len);
- if(!sk->dead) {
- wake_up_interruptible(sk->sleep);
- sock_wake_async(sk->socket, 1);
- }
-}
-
-DEBUG_NO_STATIC void
-pfkey_write_space(struct sock *sk)
-{
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_write_space: .\n");
- if(!sk->dead) {
- wake_up_interruptible(sk->sleep);
- sock_wake_async(sk->socket, 2);
- }
-}
-#endif /* !NET_21 */
-
-DEBUG_NO_STATIC void
-pfkey_insert_socket(struct sock *sk)
-{
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_insert_socket: "
- "sk=0p%p\n",
- sk);
- cli();
- sk->next=pfkey_sock_list;
- pfkey_sock_list=sk;
- sti();
-}
-
-DEBUG_NO_STATIC void
-pfkey_remove_socket(struct sock *sk)
-{
- struct sock **s;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_remove_socket: .\n");
- cli();
- s=&pfkey_sock_list;
-
- while(*s!=NULL) {
- if(*s==sk) {
- *s=sk->next;
- sk->next=NULL;
- sti();
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_remove_socket: "
- "succeeded.\n");
- return;
- }
- s=&((*s)->next);
- }
- sti();
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_remove_socket: "
- "not found.\n");
- return;
-}
-
-DEBUG_NO_STATIC void
-pfkey_destroy_socket(struct sock *sk)
-{
- struct sk_buff *skb;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_destroy_socket: .\n");
- pfkey_remove_socket(sk);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_destroy_socket: "
- "pfkey_remove_socket called.\n");
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_destroy_socket: "
- "sk(0p%p)->(&0p%p)receive_queue.{next=0p%p,prev=0p%p}.\n",
- sk,
- &(sk->receive_queue),
- sk->receive_queue.next,
- sk->receive_queue.prev);
- while(sk && ((skb=skb_dequeue(&(sk->receive_queue)))!=NULL)) {
-#ifdef NET_21
-#ifdef CONFIG_IPSEC_DEBUG
- if(debug_pfkey && sysctl_ipsec_debug_verbose) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_destroy_socket: "
- "skb=0p%p dequeued.\n", skb);
- printk(KERN_INFO "klips_debug:pfkey_destroy_socket: "
- "pfkey_skb contents:");
- printk(" next:0p%p", skb->next);
- printk(" prev:0p%p", skb->prev);
- printk(" list:0p%p", skb->list);
- printk(" sk:0p%p", skb->sk);
- printk(" stamp:%ld.%ld", skb->stamp.tv_sec, skb->stamp.tv_usec);
- printk(" dev:0p%p", skb->dev);
- if(skb->dev) {
- if(skb->dev->name) {
- printk(" dev->name:%s", skb->dev->name);
- } else {
- printk(" dev->name:NULL?");
- }
- } else {
- printk(" dev:NULL");
- }
- printk(" h:0p%p", skb->h.raw);
- printk(" nh:0p%p", skb->nh.raw);
- printk(" mac:0p%p", skb->mac.raw);
- printk(" dst:0p%p", skb->dst);
- if(sysctl_ipsec_debug_verbose) {
- int i;
-
- printk(" cb");
- for(i=0; i<48; i++) {
- printk(":%2x", skb->cb[i]);
- }
- }
- printk(" len:%d", skb->len);
- printk(" csum:%d", skb->csum);
-#ifndef NETDEV_23
- printk(" used:%d", skb->used);
- printk(" is_clone:%d", skb->is_clone);
-#endif /* NETDEV_23 */
- printk(" cloned:%d", skb->cloned);
- printk(" pkt_type:%d", skb->pkt_type);
- printk(" ip_summed:%d", skb->ip_summed);
- printk(" priority:%d", skb->priority);
- printk(" protocol:%d", skb->protocol);
- printk(" security:%d", skb->security);
- printk(" truesize:%d", skb->truesize);
- printk(" head:0p%p", skb->head);
- printk(" data:0p%p", skb->data);
- printk(" tail:0p%p", skb->tail);
- printk(" end:0p%p", skb->end);
- if(sysctl_ipsec_debug_verbose) {
- unsigned char* i;
- printk(" data");
- for(i = skb->head; i < skb->end; i++) {
- printk(":%2x", (unsigned char)(*(i)));
- }
- }
- printk(" destructor:0p%p", skb->destructor);
- printk("\n");
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-#endif /* NET_21 */
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_destroy_socket: "
- "skb=0p%p freed.\n",
- skb);
- ipsec_kfree_skb(skb);
- }
-
- sk->dead = 1;
- sk_free(sk);
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_destroy_socket: destroyed.\n");
-}
-
-int
-pfkey_upmsg(struct socket *sock, struct sadb_msg *pfkey_msg)
-{
- int error = 0;
- struct sk_buff * skb = NULL;
- struct sock *sk;
-
- if(sock == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_upmsg: "
- "NULL socket passed in.\n");
- return -EINVAL;
- }
-
- if(pfkey_msg == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_upmsg: "
- "NULL pfkey_msg passed in.\n");
- return -EINVAL;
- }
-
-#ifdef NET_21
- sk = sock->sk;
-#else /* NET_21 */
- sk = sock->data;
-#endif /* NET_21 */
-
- if(sk == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_upmsg: "
- "NULL sock passed in.\n");
- return -EINVAL;
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_upmsg: "
- "allocating %d bytes...\n",
- (int)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN));
- if(!(skb = alloc_skb(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN, GFP_ATOMIC) )) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_upmsg: "
- "no buffers left to send up a message.\n");
- return -ENOBUFS;
- }
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_upmsg: "
- "...allocated at 0p%p.\n",
- skb);
-
- skb->dev = NULL;
-
- if(skb_tailroom(skb) < pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN) {
- printk(KERN_WARNING "klips_error:pfkey_upmsg: "
- "tried to skb_put %ld, %d available. This should never happen, please report.\n",
- (unsigned long int)pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN,
- skb_tailroom(skb));
- ipsec_kfree_skb(skb);
- return -ENOBUFS;
- }
- skb->h.raw = skb_put(skb, pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
- memcpy(skb->h.raw, pfkey_msg, pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
-
-#ifndef NET_21
- skb->free = 1;
-#endif /* !NET_21 */
-
- if((error = sock_queue_rcv_skb(sk, skb)) < 0) {
- skb->sk=NULL;
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_upmsg: "
- "error=%d calling sock_queue_rcv_skb with skb=0p%p.\n",
- error,
- skb);
- ipsec_kfree_skb(skb);
- return error;
- }
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_create(struct socket *sock, int protocol)
-{
- struct sock *sk;
-
- if(sock == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_create: "
- "socket NULL.\n");
- return -EINVAL;
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_create: "
- "sock=0p%p type:%d state:%d flags:%ld protocol:%d\n",
- sock,
- sock->type,
- (unsigned int)(sock->state),
- sock->flags, protocol);
-
- if(sock->type != SOCK_RAW) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_create: "
- "only SOCK_RAW supported.\n");
- return -ESOCKTNOSUPPORT;
- }
-
- if(protocol != PF_KEY_V2) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_create: "
- "protocol not PF_KEY_V2.\n");
- return -EPROTONOSUPPORT;
- }
-
- if((current->uid != 0)) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_create: "
- "must be root to open pfkey sockets.\n");
- return -EACCES;
- }
-
-#ifdef NET_21
- sock->state = SS_UNCONNECTED;
-#endif /* NET_21 */
- MOD_INC_USE_COUNT;
-#ifdef NET_21
- if((sk=(struct sock *)sk_alloc(PF_KEY, GFP_KERNEL, 1)) == NULL)
-#else /* NET_21 */
- if((sk=(struct sock *)sk_alloc(GFP_KERNEL)) == NULL)
-#endif /* NET_21 */
- {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_create: "
- "Out of memory trying to allocate.\n");
- MOD_DEC_USE_COUNT;
- return -ENOMEM;
- }
-
-#ifndef NET_21
- memset(sk, 0, sizeof(*sk));
-#endif /* !NET_21 */
-
-#ifdef NET_21
- sock_init_data(sock, sk);
-
- sk->destruct = NULL;
- sk->reuse = 1;
- sock->ops = &pfkey_ops;
-
- sk->zapped=0;
- sk->family = PF_KEY;
-/* sk->num = protocol; */
- sk->protocol = protocol;
- key_pid(sk) = current->pid;
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_create: "
- "sock->fasync_list=0p%p sk->sleep=0p%p.\n",
- sock->fasync_list,
- sk->sleep);
-#else /* NET_21 */
- sk->type=sock->type;
- init_timer(&sk->timer);
- skb_queue_head_init(&sk->write_queue);
- skb_queue_head_init(&sk->receive_queue);
- skb_queue_head_init(&sk->back_log);
- sk->rcvbuf=SK_RMEM_MAX;
- sk->sndbuf=SK_WMEM_MAX;
- sk->allocation=GFP_KERNEL;
- sk->state=TCP_CLOSE;
- sk->priority=SOPRI_NORMAL;
- sk->state_change=pfkey_state_change;
- sk->data_ready=pfkey_data_ready;
- sk->write_space=pfkey_write_space;
- sk->error_report=pfkey_state_change;
- sk->mtu=4096;
- sk->socket=sock;
- sock->data=(void *)sk;
- sk->sleep=sock->wait;
-#endif /* NET_21 */
-
- pfkey_insert_socket(sk);
- pfkey_list_insert_socket(sock, &pfkey_open_sockets);
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_create: "
- "Socket sock=0p%p sk=0p%p initialised.\n", sock, sk);
- return 0;
-}
-
-#ifndef NET_21
-DEBUG_NO_STATIC int
-pfkey_dup(struct socket *newsock, struct socket *oldsock)
-{
- struct sock *sk;
-
- if(newsock==NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_dup: "
- "No new socket attached.\n");
- return -EINVAL;
- }
-
- if(oldsock==NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_dup: "
- "No old socket attached.\n");
- return -EINVAL;
- }
-
-#ifdef NET_21
- sk=oldsock->sk;
-#else /* NET_21 */
- sk=oldsock->data;
-#endif /* NET_21 */
-
- /* May not have data attached */
- if(sk==NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_dup: "
- "No sock attached to old socket.\n");
- return -EINVAL;
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_dup: .\n");
-
- return pfkey_create(newsock, sk->protocol);
-}
-#endif /* !NET_21 */
-
-DEBUG_NO_STATIC int
-#ifdef NETDEV_23
-pfkey_release(struct socket *sock)
-#else /* NETDEV_23 */
-pfkey_release(struct socket *sock, struct socket *peersock)
-#endif /* NETDEV_23 */
-{
- struct sock *sk;
- int i;
-
- if(sock==NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_release: "
- "No socket attached.\n");
- return 0; /* -EINVAL; */
- }
-
-#ifdef NET_21
- sk=sock->sk;
-#else /* NET_21 */
- sk=sock->data;
-#endif /* NET_21 */
-
- /* May not have data attached */
- if(sk==NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_release: "
- "No sk attached to sock=0p%p.\n", sock);
- return 0; /* -EINVAL; */
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_release: "
- "sock=0p%p sk=0p%p\n", sock, sk);
-
-#ifdef NET_21
- if(!sk->dead)
-#endif /* NET_21 */
- if(sk->state_change) {
- sk->state_change(sk);
- }
-
-#ifdef NET_21
- sock->sk = NULL;
-#else /* NET_21 */
- sock->data = NULL;
-#endif /* NET_21 */
-
- /* Try to flush out this socket. Throw out buffers at least */
- pfkey_destroy_socket(sk);
- pfkey_list_remove_socket(sock, &pfkey_open_sockets);
- for(i = SADB_SATYPE_UNSPEC; i <= SADB_SATYPE_MAX; i++) {
- pfkey_list_remove_socket(sock, &(pfkey_registered_sockets[i]));
- }
-
- MOD_DEC_USE_COUNT;
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_release: "
- "succeeded.\n");
-
- return 0;
-}
-
-#ifndef NET_21
-DEBUG_NO_STATIC int
-pfkey_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
-{
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_bind: "
- "operation not supported.\n");
- return -EINVAL;
-}
-
-DEBUG_NO_STATIC int
-pfkey_connect(struct socket *sock, struct sockaddr *uaddr, int addr_len, int flags)
-{
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_connect: "
- "operation not supported.\n");
- return -EINVAL;
-}
-
-DEBUG_NO_STATIC int
-pfkey_socketpair(struct socket *a, struct socket *b)
-{
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_socketpair: "
- "operation not supported.\n");
- return -EINVAL;
-}
-
-DEBUG_NO_STATIC int
-pfkey_accept(struct socket *sock, struct socket *newsock, int flags)
-{
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_aaccept: "
- "operation not supported.\n");
- return -EINVAL;
-}
-
-DEBUG_NO_STATIC int
-pfkey_getname(struct socket *sock, struct sockaddr *uaddr, int *uaddr_len,
- int peer)
-{
- struct sockaddr *ska = (struct sockaddr*)uaddr;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_getname: .\n");
- ska->sa_family = PF_KEY;
- *uaddr_len = sizeof(*ska);
- return 0;
-}
-
-DEBUG_NO_STATIC int
-pfkey_select(struct socket *sock, int sel_type, select_table *wait)
-{
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_select: "
- ".sock=0p%p sk=0p%p sel_type=%d\n",
- sock,
- sock->data,
- sel_type);
- if(sock == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_select: "
- "Null socket passed in.\n");
- return -EINVAL;
- }
- return datagram_select(sock->data, sel_type, wait);
-}
-
-DEBUG_NO_STATIC int
-pfkey_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
-{
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ioctl: "
- "not supported.\n");
- return -EINVAL;
-}
-
-DEBUG_NO_STATIC int
-pfkey_listen(struct socket *sock, int backlog)
-{
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_listen: "
- "not supported.\n");
- return -EINVAL;
-}
-#endif /* !NET_21 */
-
-DEBUG_NO_STATIC int
-pfkey_shutdown(struct socket *sock, int mode)
-{
- struct sock *sk;
-
- if(sock == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_shutdown: "
- "NULL socket passed in.\n");
- return -EINVAL;
- }
-
-#ifdef NET_21
- sk=sock->sk;
-#else /* NET_21 */
- sk=sock->data;
-#endif /* NET_21 */
-
- if(sk == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_shutdown: "
- "No sock attached to socket.\n");
- return -EINVAL;
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_shutdown: "
- "mode=%x.\n", mode);
- mode++;
-
- if(mode&SEND_SHUTDOWN) {
- sk->shutdown|=SEND_SHUTDOWN;
- sk->state_change(sk);
- }
-
- if(mode&RCV_SHUTDOWN) {
- sk->shutdown|=RCV_SHUTDOWN;
- sk->state_change(sk);
- }
- return 0;
-}
-
-#ifndef NET_21
-DEBUG_NO_STATIC int
-pfkey_setsockopt(struct socket *sock, int level, int optname, char *optval, int optlen)
-{
-#ifndef NET_21
- struct sock *sk;
-
- if(sock == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_setsockopt: "
- "Null socket passed in.\n");
- return -EINVAL;
- }
-
- sk=sock->data;
-
- if(sk == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_setsockopt: "
- "Null sock passed in.\n");
- return -EINVAL;
- }
-#endif /* !NET_21 */
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_setsockopt: .\n");
- if(level!=SOL_SOCKET) {
- return -EOPNOTSUPP;
- }
-#ifdef NET_21
- return sock_setsockopt(sock, level, optname, optval, optlen);
-#else /* NET_21 */
- return sock_setsockopt(sk, level, optname, optval, optlen);
-#endif /* NET_21 */
-}
-
-DEBUG_NO_STATIC int
-pfkey_getsockopt(struct socket *sock, int level, int optname, char *optval, int *optlen)
-{
-#ifndef NET_21
- struct sock *sk;
-
- if(sock == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_setsockopt: "
- "Null socket passed in.\n");
- return -EINVAL;
- }
-
- sk=sock->data;
-
- if(sk == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_setsockopt: "
- "Null sock passed in.\n");
- return -EINVAL;
- }
-#endif /* !NET_21 */
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_getsockopt: .\n");
- if(level!=SOL_SOCKET) {
- return -EOPNOTSUPP;
- }
-#ifdef NET_21
- return sock_getsockopt(sock, level, optname, optval, optlen);
-#else /* NET_21 */
- return sock_getsockopt(sk, level, optname, optval, optlen);
-#endif /* NET_21 */
-}
-
-DEBUG_NO_STATIC int
-pfkey_fcntl(struct socket *sock, unsigned int cmd, unsigned long arg)
-{
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_fcntl: "
- "not supported.\n");
- return -EINVAL;
-}
-#endif /* !NET_21 */
-
-/*
- * Send PF_KEY data down.
- */
-
-DEBUG_NO_STATIC int
-#ifdef NET_21
-pfkey_sendmsg(struct socket *sock, struct msghdr *msg, int len, struct scm_cookie *scm)
-#else /* NET_21 */
-pfkey_sendmsg(struct socket *sock, struct msghdr *msg, int len, int nonblock, int flags)
-#endif /* NET_21 */
-{
- struct sock *sk;
- int error = 0;
- struct sadb_msg *pfkey_msg = NULL, *pfkey_reply = NULL;
-
- if(sock == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "Null socket passed in.\n");
- SENDERR(EINVAL);
- }
-
-#ifdef NET_21
- sk = sock->sk;
-#else /* NET_21 */
- sk = sock->data;
-#endif /* NET_21 */
-
- if(sk == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "Null sock passed in.\n");
- SENDERR(EINVAL);
- }
-
- if(msg == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "Null msghdr passed in.\n");
- SENDERR(EINVAL);
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: .\n");
- if(sk->err) {
- error = sock_error(sk);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "sk->err is non-zero, returns %d.\n",
- error);
- SENDERR(-error);
- }
-
- if((current->uid != 0)) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "must be root to send messages to pfkey sockets.\n");
- SENDERR(EACCES);
- }
-
-#ifdef NET_21
- if(msg->msg_control)
-#else /* NET_21 */
- if(flags || msg->msg_control)
-#endif /* NET_21 */
- {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "can't set flags or set msg_control.\n");
- SENDERR(EINVAL);
- }
-
- if(sk->shutdown & SEND_SHUTDOWN) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "shutdown.\n");
- send_sig(SIGPIPE, current, 0);
- SENDERR(EPIPE);
- }
-
- if(len < sizeof(struct sadb_msg)) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "bogus msg len of %d, too small.\n", len);
- SENDERR(EMSGSIZE);
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "allocating %d bytes for downward message.\n",
- len);
- if((pfkey_msg = (struct sadb_msg*)kmalloc(len, GFP_KERNEL)) == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "memory allocation error.\n");
- SENDERR(ENOBUFS);
- }
-
- memcpy_fromiovec((void *)pfkey_msg, msg->msg_iov, len);
-
- if(pfkey_msg->sadb_msg_version != PF_KEY_V2) {
- KLIPS_PRINT(1 || debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "not PF_KEY_V2 msg, found %d, should be %d.\n",
- pfkey_msg->sadb_msg_version,
- PF_KEY_V2);
- kfree((void*)pfkey_msg);
- return -EINVAL;
- }
-
- if(len != pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "bogus msg len of %d, not %d byte aligned.\n",
- len, (int)IPSEC_PFKEYv2_ALIGN);
- SENDERR(EMSGSIZE);
- }
-
-#if 0
- /* This check is questionable, since a downward message could be
- the result of an ACQUIRE either from kernel (PID==0) or
- userspace (some other PID). */
- /* check PID */
- if(pfkey_msg->sadb_msg_pid != current->pid) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "pid (%d) does not equal sending process pid (%d).\n",
- pfkey_msg->sadb_msg_pid, current->pid);
- SENDERR(EINVAL);
- }
-#endif
-
- if(pfkey_msg->sadb_msg_reserved) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "reserved field must be zero, set to %d.\n",
- pfkey_msg->sadb_msg_reserved);
- SENDERR(EINVAL);
- }
-
- if((pfkey_msg->sadb_msg_type > SADB_MAX) || (!pfkey_msg->sadb_msg_type)){
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "msg type too large or small:%d.\n",
- pfkey_msg->sadb_msg_type);
- SENDERR(EINVAL);
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "msg sent for parsing.\n");
-
- if((error = pfkey_msg_interp(sk, pfkey_msg, &pfkey_reply))) {
- struct socket_list *pfkey_socketsp;
-
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_sendmsg: "
- "pfkey_msg_parse returns %d.\n",
- error);
-
- if((pfkey_reply = (struct sadb_msg*)kmalloc(sizeof(struct sadb_msg), GFP_KERNEL)) == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "memory allocation error.\n");
- SENDERR(ENOBUFS);
- }
- memcpy((void*)pfkey_reply, (void*)pfkey_msg, sizeof(struct sadb_msg));
- pfkey_reply->sadb_msg_errno = -error;
- pfkey_reply->sadb_msg_len = sizeof(struct sadb_msg) / IPSEC_PFKEYv2_ALIGN;
-
- for(pfkey_socketsp = pfkey_open_sockets;
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- int error_upmsg = 0;
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_sendmsg: "
- "sending up error=%d message=0p%p to socket=0p%p.\n",
- error,
- pfkey_reply,
- pfkey_socketsp->socketp);
- if((error_upmsg = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_sendmsg: "
- "sending up error message to socket=0p%p failed with error=%d.\n",
- pfkey_socketsp->socketp,
- error_upmsg);
- /* pfkey_msg_free(&pfkey_reply); */
- /* SENDERR(-error); */
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_sendmsg: "
- "sending up error message to socket=0p%p succeeded.\n",
- pfkey_socketsp->socketp);
- }
-
- pfkey_msg_free(&pfkey_reply);
-
- SENDERR(-error);
- }
-
- errlab:
- if (pfkey_msg) {
- kfree((void*)pfkey_msg);
- }
-
- if(error) {
- return error;
- } else {
- return len;
- }
-}
-
-/*
- * Receive PF_KEY data up.
- */
-
-DEBUG_NO_STATIC int
-#ifdef NET_21
-pfkey_recvmsg(struct socket *sock, struct msghdr *msg, int size, int flags, struct scm_cookie *scm)
-#else /* NET_21 */
-pfkey_recvmsg(struct socket *sock, struct msghdr *msg, int size, int noblock, int flags, int *addr_len)
-#endif /* NET_21 */
-{
- struct sock *sk;
-#ifdef NET_21
- int noblock = flags & MSG_DONTWAIT;
-#endif /* NET_21 */
- struct sk_buff *skb;
- int error;
-
- if(sock == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_recvmsg: "
- "Null socket passed in.\n");
- return -EINVAL;
- }
-
-#ifdef NET_21
- sk = sock->sk;
-#else /* NET_21 */
- sk = sock->data;
-#endif /* NET_21 */
-
- if(sk == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_recvmsg: "
- "Null sock passed in for sock=0p%p.\n", sock);
- return -EINVAL;
- }
-
- if(msg == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_recvmsg: "
- "Null msghdr passed in for sock=0p%p, sk=0p%p.\n",
- sock, sk);
- return -EINVAL;
- }
-
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_recvmsg: sock=0p%p sk=0p%p msg=0p%p size=%d.\n",
- sock, sk, msg, size);
- if(flags & ~MSG_PEEK) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "flags (%d) other than MSG_PEEK not supported.\n",
- flags);
- return -EOPNOTSUPP;
- }
-
-#ifdef NET_21
- msg->msg_namelen = 0; /* sizeof(*ska); */
-#else /* NET_21 */
- if(addr_len) {
- *addr_len = 0; /* sizeof(*ska); */
- }
-#endif /* NET_21 */
-
- if(sk->err) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sendmsg: "
- "sk->err=%d.\n", sk->err);
- return sock_error(sk);
- }
-
- if((skb = skb_recv_datagram(sk, flags, noblock, &error) ) == NULL) {
- return error;
- }
-
- if(size > skb->len) {
- size = skb->len;
- }
-#ifdef NET_21
- else if(size <skb->len) {
- msg->msg_flags |= MSG_TRUNC;
- }
-#endif /* NET_21 */
-
- skb_copy_datagram_iovec(skb, 0, msg->msg_iov, size);
- sk->stamp=skb->stamp;
-
- skb_free_datagram(sk, skb);
- return size;
-}
-
-#ifdef NET_21
-struct net_proto_family pfkey_family_ops = {
- PF_KEY,
- pfkey_create
-};
-
-struct proto_ops SOCKOPS_WRAPPED(pfkey_ops) = {
-#ifdef NETDEV_23
- family: PF_KEY,
- release: pfkey_release,
- bind: sock_no_bind,
- connect: sock_no_connect,
- socketpair: sock_no_socketpair,
- accept: sock_no_accept,
- getname: sock_no_getname,
- poll: datagram_poll,
- ioctl: sock_no_ioctl,
- listen: sock_no_listen,
- shutdown: pfkey_shutdown,
- setsockopt: sock_no_setsockopt,
- getsockopt: sock_no_getsockopt,
- sendmsg: pfkey_sendmsg,
- recvmsg: pfkey_recvmsg,
- mmap: sock_no_mmap,
-#else /* NETDEV_23 */
- PF_KEY,
- sock_no_dup,
- pfkey_release,
- sock_no_bind,
- sock_no_connect,
- sock_no_socketpair,
- sock_no_accept,
- sock_no_getname,
- datagram_poll,
- sock_no_ioctl,
- sock_no_listen,
- pfkey_shutdown,
- sock_no_setsockopt,
- sock_no_getsockopt,
- sock_no_fcntl,
- pfkey_sendmsg,
- pfkey_recvmsg
-#endif /* NETDEV_23 */
-};
-
-#ifdef NETDEV_23
-#include <linux/smp_lock.h>
-SOCKOPS_WRAP(pfkey, PF_KEY);
-#endif /* NETDEV_23 */
-
-#else /* NET_21 */
-struct proto_ops pfkey_proto_ops = {
- PF_KEY,
- pfkey_create,
- pfkey_dup,
- pfkey_release,
- pfkey_bind,
- pfkey_connect,
- pfkey_socketpair,
- pfkey_accept,
- pfkey_getname,
- pfkey_select,
- pfkey_ioctl,
- pfkey_listen,
- pfkey_shutdown,
- pfkey_setsockopt,
- pfkey_getsockopt,
- pfkey_fcntl,
- pfkey_sendmsg,
- pfkey_recvmsg
-};
-#endif /* NET_21 */
-
-#ifdef CONFIG_PROC_FS
-#ifndef PROC_FS_2325
-DEBUG_NO_STATIC
-#endif /* PROC_FS_2325 */
-int
-pfkey_get_info(char *buffer, char **start, off_t offset, int length
-#ifndef PROC_NO_DUMMY
-, int dummy
-#endif /* !PROC_NO_DUMMY */
-)
-{
- const int max_content = length > 0? length-1 : 0;
-
- off_t begin=0;
- int len=0;
- struct sock *sk=pfkey_sock_list;
-
-#ifdef CONFIG_IPSEC_DEBUG
- if(!sysctl_ipsec_debug_verbose) {
-#endif /* CONFIG_IPSEC_DEBUG */
- len+= snprintf(buffer,length,
- " sock pid socket next prev e n p sndbf Flags Type St\n");
-#ifdef CONFIG_IPSEC_DEBUG
- } else {
- len+= snprintf(buffer,length,
- " sock pid d sleep socket next prev e r z n p sndbf stamp Flags Type St\n");
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-
- while(sk!=NULL) {
-#ifdef CONFIG_IPSEC_DEBUG
- if(!sysctl_ipsec_debug_verbose) {
-#endif /* CONFIG_IPSEC_DEBUG */
- len += ipsec_snprintf(buffer+len, length-len,
- "%8p %5d %8p %8p %8p %d %d %d %5d %08lX %8X %2X\n",
- sk,
- key_pid(sk),
- sk->socket,
- sk->next,
- sk->prev,
- sk->err,
- sk->num,
- sk->protocol,
- sk->sndbuf,
- sk->socket->flags,
- sk->socket->type,
- sk->socket->state);
-#ifdef CONFIG_IPSEC_DEBUG
- } else {
- len += ipsec_snprintf(buffer+len, length-len,
- "%8p %5d %d %8p %8p %8p %8p %d %d %d %d %d %5d %d.%06d %08lX %8X %2X\n",
- sk,
- key_pid(sk),
- sk->dead,
- sk->sleep,
- sk->socket,
- sk->next,
- sk->prev,
- sk->err,
- sk->reuse,
- sk->zapped,
- sk->num,
- sk->protocol,
- sk->sndbuf,
- (unsigned int)sk->stamp.tv_sec,
- (unsigned int)sk->stamp.tv_usec,
- sk->socket->flags,
- sk->socket->type,
- sk->socket->state);
- }
-#endif /* CONFIG_IPSEC_DEBUG */
-
- if (len >= max_content) {
- /* we've done all that can fit -- stop loop */
- len = max_content; /* truncate crap */
- break;
- } else {
- const off_t pos = begin + len; /* file position of end of what we've generated */
-
- if (pos <= offset) {
- /* all is before first interesting character:
- * discard, but note where we are.
- */
- len = 0;
- begin = pos;
- }
- }
- sk=sk->next;
- }
-
- *start = buffer + (offset - begin); /* Start of wanted data */
- return len - (offset - begin);
-}
-
-#ifndef PROC_FS_2325
-DEBUG_NO_STATIC
-#endif /* PROC_FS_2325 */
-int
-pfkey_supported_get_info(char *buffer, char **start, off_t offset, int length
-#ifndef PROC_NO_DUMMY
-, int dummy
-#endif /* !PROC_NO_DUMMY */
-)
-{
- const int max_content = length > 0? length-1 : 0;
-
- off_t begin=0;
- int len=0;
- int satype;
- struct supported_list *pfkey_supported_p;
-
- len += ipsec_snprintf(buffer, length,
- "satype exttype alg_id ivlen minbits maxbits\n");
-
- for(satype = SADB_SATYPE_UNSPEC; satype <= SADB_SATYPE_MAX; satype++) {
- pfkey_supported_p = pfkey_supported_list[satype];
- while(pfkey_supported_p) {
- len += ipsec_snprintf(buffer+len, length-len,
- " %2d %2d %2d %3d %3d %3d\n",
- satype,
- pfkey_supported_p->supportedp->supported_alg_exttype,
- pfkey_supported_p->supportedp->supported_alg_id,
- pfkey_supported_p->supportedp->supported_alg_ivlen,
- pfkey_supported_p->supportedp->supported_alg_minbits,
- pfkey_supported_p->supportedp->supported_alg_maxbits);
-
- if (len >= max_content) {
- /* we've done all that can fit -- stop loop */
- len = max_content; /* truncate crap */
- break;
- } else {
- const off_t pos = begin + len; /* file position of end of what we've generated */
-
- if (pos <= offset) {
- /* all is before first interesting character:
- * discard, but note where we are.
- */
- len = 0;
- begin = pos;
- }
- }
-
- pfkey_supported_p = pfkey_supported_p->next;
- }
- }
-
- *start = buffer + (offset - begin); /* Start of wanted data */
- return len - (offset - begin);
-}
-
-#ifndef PROC_FS_2325
-DEBUG_NO_STATIC
-#endif /* PROC_FS_2325 */
-int
-pfkey_registered_get_info(char *buffer, char **start, off_t offset, int length
-#ifndef PROC_NO_DUMMY
-, int dummy
-#endif /* !PROC_NO_DUMMY */
-)
-{
- const int max_content = length > 0? length-1 : 0;
-
- off_t begin=0;
- int len=0;
- int satype;
- struct socket_list *pfkey_sockets;
-
- len += ipsec_snprintf(buffer, length,
- "satype socket pid sk\n");
-
- for(satype = SADB_SATYPE_UNSPEC; satype <= SADB_SATYPE_MAX; satype++) {
- pfkey_sockets = pfkey_registered_sockets[satype];
- while(pfkey_sockets) {
-#ifdef NET_21
- len += ipsec_snprintf(buffer+len, length-len,
- " %2d %8p %5d %8p\n",
- satype,
- pfkey_sockets->socketp,
- key_pid(pfkey_sockets->socketp->sk),
- pfkey_sockets->socketp->sk);
-#else /* NET_21 */
- len += ipsec_snprintf(buffer+len, length-len,
- " %2d %8p N/A %8p\n",
- satype,
- pfkey_sockets->socketp,
-#if 0
- key_pid((pfkey_sockets->socketp)->data),
-#endif
- (pfkey_sockets->socketp)->data);
-#endif /* NET_21 */
-
- if (len >= max_content) {
- /* we've done all that can fit -- stop loop (could stop two) */
- len = max_content; /* truncate crap */
- break;
- } else {
- const off_t pos = begin + len; /* file position of end of what we've generated */
-
- if (pos <= offset) {
- /* all is before first interesting character:
- * discard, but note where we are.
- */
- len = 0;
- begin = pos;
- }
- }
-
- pfkey_sockets = pfkey_sockets->next;
- }
- }
-
- *start = buffer + (offset - begin); /* Start of wanted data */
- return len - (offset - begin);
-}
-
-#ifndef PROC_FS_2325
-struct proc_dir_entry proc_net_pfkey =
-{
- 0,
- 6, "pf_key",
- S_IFREG | S_IRUGO, 1, 0, 0,
- 0, &proc_net_inode_operations,
- pfkey_get_info
-};
-struct proc_dir_entry proc_net_pfkey_supported =
-{
- 0,
- 16, "pf_key_supported",
- S_IFREG | S_IRUGO, 1, 0, 0,
- 0, &proc_net_inode_operations,
- pfkey_supported_get_info
-};
-struct proc_dir_entry proc_net_pfkey_registered =
-{
- 0,
- 17, "pf_key_registered",
- S_IFREG | S_IRUGO, 1, 0, 0,
- 0, &proc_net_inode_operations,
- pfkey_registered_get_info
-};
-#endif /* !PROC_FS_2325 */
-#endif /* CONFIG_PROC_FS */
-
-DEBUG_NO_STATIC int
-supported_add_all(int satype, struct supported supported[], int size)
-{
- int i;
- int error = 0;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:init_pfkey: "
- "sizeof(supported_init_<satype=%d>)[%d]/sizeof(struct supported)[%d]=%d.\n",
- satype,
- size,
- (int)sizeof(struct supported),
- (int)(size/sizeof(struct supported)));
-
- for(i = 0; i < size / sizeof(struct supported); i++) {
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:init_pfkey: "
- "i=%d inserting satype=%d exttype=%d id=%d ivlen=%d minbits=%d maxbits=%d.\n",
- i,
- satype,
- supported[i].supported_alg_exttype,
- supported[i].supported_alg_id,
- supported[i].supported_alg_ivlen,
- supported[i].supported_alg_minbits,
- supported[i].supported_alg_maxbits);
-
- error |= pfkey_list_insert_supported(&(supported[i]),
- &(pfkey_supported_list[satype]));
- }
- return error;
-}
-
-DEBUG_NO_STATIC int
-supported_remove_all(int satype)
-{
- int error = 0;
- struct supported*supportedp;
-
- while(pfkey_supported_list[satype]) {
- supportedp = pfkey_supported_list[satype]->supportedp;
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:init_pfkey: "
- "removing satype=%d exttype=%d id=%d ivlen=%d minbits=%d maxbits=%d.\n",
- satype,
- supportedp->supported_alg_exttype,
- supportedp->supported_alg_id,
- supportedp->supported_alg_ivlen,
- supportedp->supported_alg_minbits,
- supportedp->supported_alg_maxbits);
-
- error |= pfkey_list_remove_supported(supportedp,
- &(pfkey_supported_list[satype]));
- }
- return error;
-}
-
-int
-pfkey_init(void)
-{
- int error = 0;
- int i;
-
- static struct supported supported_init_ah[] = {
-#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
- {SADB_EXT_SUPPORTED_AUTH, SADB_AALG_MD5_HMAC, 0, 128, 128},
-#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
-#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
- {SADB_EXT_SUPPORTED_AUTH, SADB_AALG_SHA1_HMAC, 0, 160, 160}
-#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
- };
- static struct supported supported_init_esp[] = {
-#ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
- {SADB_EXT_SUPPORTED_AUTH, SADB_AALG_MD5_HMAC, 0, 128, 128},
-#endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
-#ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
- {SADB_EXT_SUPPORTED_AUTH, SADB_AALG_SHA1_HMAC, 0, 160, 160},
-#endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
-#ifdef CONFIG_IPSEC_ENC_3DES
- {SADB_EXT_SUPPORTED_ENCRYPT, SADB_EALG_3DES_CBC, 64, 168, 168},
-#endif /* CONFIG_IPSEC_ENC_3DES */
- };
- static struct supported supported_init_ipip[] = {
- {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv4_in_IPv4, 0, 32, 32}
-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
- , {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv6_in_IPv4, 0, 128, 32}
- , {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv4_in_IPv6, 0, 32, 128}
- , {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_TALG_IPv6_in_IPv6, 0, 128, 128}
-#endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
- };
-#ifdef CONFIG_IPSEC_IPCOMP
- static struct supported supported_init_ipcomp[] = {
- {SADB_EXT_SUPPORTED_ENCRYPT, SADB_X_CALG_DEFLATE, 0, 1, 1}
- };
-#endif /* CONFIG_IPSEC_IPCOMP */
-
-#if 0
- printk(KERN_INFO
- "klips_info:pfkey_init: "
- "FreeS/WAN: initialising PF_KEYv2 domain sockets.\n");
-#endif
-
- for(i = SADB_SATYPE_UNSPEC; i <= SADB_SATYPE_MAX; i++) {
- pfkey_registered_sockets[i] = NULL;
- pfkey_supported_list[i] = NULL;
- }
-
- error |= supported_add_all(SADB_SATYPE_AH, supported_init_ah, sizeof(supported_init_ah));
- error |= supported_add_all(SADB_SATYPE_ESP, supported_init_esp, sizeof(supported_init_esp));
-#ifdef CONFIG_IPSEC_IPCOMP
- error |= supported_add_all(SADB_X_SATYPE_COMP, supported_init_ipcomp, sizeof(supported_init_ipcomp));
-#endif /* CONFIG_IPSEC_IPCOMP */
- error |= supported_add_all(SADB_X_SATYPE_IPIP, supported_init_ipip, sizeof(supported_init_ipip));
-
-#ifdef NET_21
- error |= sock_register(&pfkey_family_ops);
-#else /* NET_21 */
- error |= sock_register(pfkey_proto_ops.family, &pfkey_proto_ops);
-#endif /* NET_21 */
-
-#ifdef CONFIG_PROC_FS
-# ifndef PROC_FS_2325
-# ifdef PROC_FS_21
- error |= proc_register(proc_net, &proc_net_pfkey);
- error |= proc_register(proc_net, &proc_net_pfkey_supported);
- error |= proc_register(proc_net, &proc_net_pfkey_registered);
-# else /* PROC_FS_21 */
- error |= proc_register_dynamic(&proc_net, &proc_net_pfkey);
- error |= proc_register_dynamic(&proc_net, &proc_net_pfkey_supported);
- error |= proc_register_dynamic(&proc_net, &proc_net_pfkey_registered);
-# endif /* PROC_FS_21 */
-# else /* !PROC_FS_2325 */
- proc_net_create ("pf_key", 0, pfkey_get_info);
- proc_net_create ("pf_key_supported", 0, pfkey_supported_get_info);
- proc_net_create ("pf_key_registered", 0, pfkey_registered_get_info);
-# endif /* !PROC_FS_2325 */
-#endif /* CONFIG_PROC_FS */
-
- return error;
-}
-
-int
-pfkey_cleanup(void)
-{
- int error = 0;
-
- printk(KERN_INFO "klips_info:pfkey_cleanup: "
- "shutting down PF_KEY domain sockets.\n");
-#ifdef NET_21
- error |= sock_unregister(PF_KEY);
-#else /* NET_21 */
- error |= sock_unregister(pfkey_proto_ops.family);
-#endif /* NET_21 */
-
- error |= supported_remove_all(SADB_SATYPE_AH);
- error |= supported_remove_all(SADB_SATYPE_ESP);
-#ifdef CONFIG_IPSEC_IPCOMP
- error |= supported_remove_all(SADB_X_SATYPE_COMP);
-#endif /* CONFIG_IPSEC_IPCOMP */
- error |= supported_remove_all(SADB_X_SATYPE_IPIP);
-
-#ifdef CONFIG_PROC_FS
-# ifndef PROC_FS_2325
- if (proc_net_unregister(proc_net_pfkey.low_ino) != 0)
- printk("klips_debug:pfkey_cleanup: "
- "cannot unregister /proc/net/pf_key\n");
- if (proc_net_unregister(proc_net_pfkey_supported.low_ino) != 0)
- printk("klips_debug:pfkey_cleanup: "
- "cannot unregister /proc/net/pf_key_supported\n");
- if (proc_net_unregister(proc_net_pfkey_registered.low_ino) != 0)
- printk("klips_debug:pfkey_cleanup: "
- "cannot unregister /proc/net/pf_key_registered\n");
-# else /* !PROC_FS_2325 */
- proc_net_remove ("pf_key");
- proc_net_remove ("pf_key_supported");
- proc_net_remove ("pf_key_registered");
-# endif /* !PROC_FS_2325 */
-#endif /* CONFIG_PROC_FS */
-
- /* other module unloading cleanup happens here */
- return error;
-}
-
-#ifdef MODULE
-#if 0
-int
-init_module(void)
-{
- pfkey_init();
- return 0;
-}
-
-void
-cleanup_module(void)
-{
- pfkey_cleanup();
-}
-#endif /* 0 */
-#else /* MODULE */
-void
-pfkey_proto_init(struct net_proto *pro)
-{
- pfkey_init();
-}
-#endif /* MODULE */
-
-/*
- * $Log: pfkey_v2.c,v $
- * Revision 1.4 2004/09/29 22:27:41 as
- * changed SADB identifiers
- *
- * Revision 1.3 2004/04/28 08:06:22 as
- * added dhr's freeswan-2.06 changes
- *
- * Revision 1.2 2004/03/22 21:53:19 as
- * merged alg-0.8.1 branch with HEAD
- *
- * Revision 1.1.4.1 2004/03/16 09:48:20 as
- * alg-0.8.1rc12 patch merged
- *
- * Revision 1.1 2004/03/15 20:35:26 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.78 2003/04/03 17:38:09 rgb
- * Centralised ipsec_kfree_skb and ipsec_dev_{get,put}.
- *
- * Revision 1.77 2002/10/17 16:49:36 mcr
- * sock->ops should reference the unwrapped options so that
- * we get hacked in locking on SMP systems.
- *
- * Revision 1.76 2002/10/12 23:11:53 dhr
- *
- * [KenB + DHR] more 64-bit cleanup
- *
- * Revision 1.75 2002/09/20 05:01:57 rgb
- * Added memory allocation debugging.
- *
- * Revision 1.74 2002/09/19 02:42:50 mcr
- * do not define the pfkey_ops function for now.
- *
- * Revision 1.73 2002/09/17 17:29:23 mcr
- * #if 0 out some dead code - pfkey_ops is never used as written.
- *
- * Revision 1.72 2002/07/24 18:44:54 rgb
- * Type fiddling to tame ia64 compiler.
- *
- * Revision 1.71 2002/05/23 07:14:11 rgb
- * Cleaned up %p variants to 0p%p for test suite cleanup.
- *
- * Revision 1.70 2002/04/24 07:55:32 mcr
- * #include patches and Makefiles for post-reorg compilation.
- *
- * Revision 1.69 2002/04/24 07:36:33 mcr
- * Moved from ./klips/net/ipsec/pfkey_v2.c,v
- *
- * Revision 1.68 2002/03/08 01:15:17 mcr
- * put some internal structure only debug messages behind
- * && sysctl_ipsec_debug_verbose.
- *
- * Revision 1.67 2002/01/29 17:17:57 mcr
- * moved include of ipsec_param.h to after include of linux/kernel.h
- * otherwise, it seems that some option that is set in ipsec_param.h
- * screws up something subtle in the include path to kernel.h, and
- * it complains on the snprintf() prototype.
- *
- * Revision 1.66 2002/01/29 04:00:54 mcr
- * more excise of kversions.h header.
- *
- * Revision 1.65 2002/01/29 02:13:18 mcr
- * introduction of ipsec_kversion.h means that include of
- * ipsec_param.h must preceed any decisions about what files to
- * include to deal with differences in kernel source.
- *
- * Revision 1.64 2001/11/26 09:23:51 rgb
- * Merge MCR's ipsec_sa, eroute, proc and struct lifetime changes.
- *
- * Revision 1.61.2.1 2001/09/25 02:28:44 mcr
- * cleaned up includes.
- *
- * Revision 1.63 2001/11/12 19:38:00 rgb
- * Continue trying other sockets even if one fails and return only original
- * error.
- *
- * Revision 1.62 2001/10/18 04:45:22 rgb
- * 2.4.9 kernel deprecates linux/malloc.h in favour of linux/slab.h,
- * lib/freeswan.h version macros moved to lib/kversions.h.
- * Other compiler directive cleanups.
- *
- * Revision 1.61 2001/09/20 15:32:59 rgb
- * Min/max cleanup.
- *
- * Revision 1.60 2001/06/14 19:35:12 rgb
- * Update copyright date.
- *
- * Revision 1.59 2001/06/13 15:35:48 rgb
- * Fixed #endif comments.
- *
- * Revision 1.58 2001/05/04 16:37:24 rgb
- * Remove erroneous checking of return codes for proc_net_* in 2.4.
- *
- * Revision 1.57 2001/05/03 19:43:36 rgb
- * Initialise error return variable.
- * Check error return codes in startup and shutdown.
- * Standardise on SENDERR() macro.
- *
- * Revision 1.56 2001/04/21 23:05:07 rgb
- * Define out skb->used for 2.4 kernels.
- *
- * Revision 1.55 2001/02/28 05:03:28 rgb
- * Clean up and rationalise startup messages.
- *
- * Revision 1.54 2001/02/27 22:24:55 rgb
- * Re-formatting debug output (line-splitting, joining, 1arg/line).
- * Check for satoa() return codes.
- *
- * Revision 1.53 2001/02/27 06:48:18 rgb
- * Fixed pfkey socket unregister log message to reflect type and function.
- *
- * Revision 1.52 2001/02/26 22:34:38 rgb
- * Fix error return code that was getting overwritten by the error return
- * code of an upmsg.
- *
- * Revision 1.51 2001/01/30 23:42:47 rgb
- * Allow pfkey msgs from pid other than user context required for ACQUIRE
- * and subsequent ADD or UDATE.
- *
- * Revision 1.50 2001/01/23 20:22:59 rgb
- * 2.4 fix to remove removed is_clone member.
- *
- * Revision 1.49 2000/11/06 04:33:47 rgb
- * Changed non-exported functions to DEBUG_NO_STATIC.
- *
- * Revision 1.48 2000/09/29 19:47:41 rgb
- * Update copyright.
- *
- * Revision 1.47 2000/09/22 04:23:04 rgb
- * Added more debugging to pfkey_upmsg() call from pfkey_sendmsg() error.
- *
- * Revision 1.46 2000/09/21 04:20:44 rgb
- * Fixed array size off-by-one error. (Thanks Svenning!)
- *
- * Revision 1.45 2000/09/20 04:01:26 rgb
- * Changed static functions to DEBUG_NO_STATIC for revealing function names
- * in oopsen.
- *
- * Revision 1.44 2000/09/19 00:33:17 rgb
- * 2.0 fixes.
- *
- * Revision 1.43 2000/09/16 01:28:13 rgb
- * Fixed use of 0 in p format warning.
- *
- * Revision 1.42 2000/09/16 01:09:41 rgb
- * Fixed debug format warning for pointers that was expecting ints.
- *
- * Revision 1.41 2000/09/13 15:54:00 rgb
- * Rewrote pfkey_get_info(), added pfkey_{supported,registered}_get_info().
- * Moved supported algos add and remove to functions.
- *
- * Revision 1.40 2000/09/12 18:49:28 rgb
- * Added IPIP tunnel and IPCOMP register support.
- *
- * Revision 1.39 2000/09/12 03:23:49 rgb
- * Converted #if0 debugs to sysctl.
- * Removed debug_pfkey initialisations that prevented no_debug loading or
- * linking.
- *
- * Revision 1.38 2000/09/09 06:38:02 rgb
- * Return positive errno in pfkey_reply error message.
- *
- * Revision 1.37 2000/09/08 19:19:09 rgb
- * Change references from DEBUG_IPSEC to CONFIG_IPSEC_DEBUG.
- * Clean-up of long-unused crud...
- * Create pfkey error message on on failure.
- * Give pfkey_list_{insert,remove}_{socket,supported}() some error
- * checking.
- *
- * Revision 1.36 2000/09/01 18:49:38 rgb
- * Reap experimental NET_21_ bits.
- * Turned registered sockets list into an array of one list per satype.
- * Remove references to deprecated sklist_{insert,remove}_socket.
- * Removed leaking socket debugging code.
- * Removed duplicate pfkey_insert_socket in pfkey_create.
- * Removed all references to pfkey msg->msg_name, since it is not used for
- * pfkey.
- * Added a supported algorithms array lists, one per satype and registered
- * existing algorithms.
- * Fixed pfkey_list_{insert,remove}_{socket,support}() to allow change to
- * list.
- * Only send pfkey_expire() messages to sockets registered for that satype.
- *
- * Revision 1.35 2000/08/24 17:03:00 rgb
- * Corrected message size error return code for PF_KEYv2.
- * Removed downward error prohibition.
- *
- * Revision 1.34 2000/08/21 16:32:26 rgb
- * Re-formatted for cosmetic consistency and readability.
- *
- * Revision 1.33 2000/08/20 21:38:24 rgb
- * Added a pfkey_reply parameter to pfkey_msg_interp(). (Momchil)
- * Extended the upward message initiation of pfkey_sendmsg(). (Momchil)
- *
- * Revision 1.32 2000/07/28 14:58:31 rgb
- * Changed kfree_s to kfree, eliminating extra arg to fix 2.4.0-test5.
- *
- * Revision 1.31 2000/05/16 03:04:00 rgb
- * Updates for 2.3.99pre8 from MB.
- *
- * Revision 1.30 2000/05/10 19:22:21 rgb
- * Use sklist private functions for 2.3.xx compatibility.
- *
- * Revision 1.29 2000/03/22 16:17:03 rgb
- * Fixed SOCKOPS_WRAPPED macro for SMP (MB).
- *
- * Revision 1.28 2000/02/21 19:30:45 rgb
- * Removed references to pkt_bridged for 2.3.47 compatibility.
- *
- * Revision 1.27 2000/02/14 21:07:00 rgb
- * Fixed /proc/net/pf-key legend spacing.
- *
- * Revision 1.26 2000/01/22 03:46:59 rgb
- * Fixed pfkey error return mechanism so that we are able to free the
- * local copy of the pfkey_msg, plugging a memory leak and silencing
- * the bad object free complaints.
- *
- * Revision 1.25 2000/01/21 06:19:44 rgb
- * Moved pfkey_list_remove_socket() calls to before MOD_USE_DEC_COUNT.
- * Added debugging to pfkey_upmsg.
- *
- * Revision 1.24 2000/01/10 16:38:23 rgb
- * MB fixups for 2.3.x.
- *
- * Revision 1.23 1999/12/09 23:22:16 rgb
- * Added more instrumentation for debugging 2.0 socket
- * selection/reading.
- * Removed erroneous 2.0 wait==NULL check bug in select.
- *
- * Revision 1.22 1999/12/08 20:32:16 rgb
- * Tidied up 2.0.xx support, after major pfkey work, eliminating
- * msg->msg_name twiddling in the process, since it is not defined
- * for PF_KEYv2.
- *
- * Revision 1.21 1999/12/01 22:17:19 rgb
- * Set skb->dev to zero on new skb in case it is a reused skb.
- * Added check for skb_put overflow and freeing to avoid upmsg on error.
- * Added check for wrong pfkey version and freeing to avoid upmsg on
- * error.
- * Shut off content dumping in pfkey_destroy.
- * Added debugging message for size of buffer allocated for upmsg.
- *
- * Revision 1.20 1999/11/27 12:11:00 rgb
- * Minor clean-up, enabling quiet operation of pfkey if desired.
- *
- * Revision 1.19 1999/11/25 19:04:21 rgb
- * Update proc_fs code for pfkey to use dynamic registration.
- *
- * Revision 1.18 1999/11/25 09:07:17 rgb
- * Implemented SENDERR macro for propagating error codes.
- * Fixed error return code bug.
- *
- * Revision 1.17 1999/11/23 23:07:20 rgb
- * Change name of pfkey_msg_parser to pfkey_msg_interp since it no longer
- * parses. (PJO)
- * Sort out pfkey and freeswan headers, putting them in a library path.
- *
- * Revision 1.16 1999/11/20 22:00:22 rgb
- * Moved socketlist type declarations and prototypes for shared use.
- * Renamed reformatted and generically extended for use by other socket
- * lists pfkey_{del,add}_open_socket to pfkey_list_{remove,insert}_socket.
- *
- * Revision 1.15 1999/11/18 04:15:09 rgb
- * Make pfkey_data_ready temporarily available for 2.2.x testing.
- * Clean up pfkey_destroy_socket() debugging statements.
- * Add Peter Onion's code to send messages up to all listening sockets.
- * Changed all occurrences of #include "../../../lib/freeswan.h"
- * to #include <freeswan.h> which works due to -Ilibfreeswan in the
- * klips/net/ipsec/Makefile.
- * Replaced all kernel version macros to shorter, readable form.
- * Added CONFIG_PROC_FS compiler directives in case it is shut off.
- *
- * Revision 1.14 1999/11/17 16:01:00 rgb
- * Make pfkey_data_ready temporarily available for 2.2.x testing.
- * Clean up pfkey_destroy_socket() debugging statements.
- * Add Peter Onion's code to send messages up to all listening sockets.
- * Changed #include "../../../lib/freeswan.h" to #include <freeswan.h>
- * which works due to -Ilibfreeswan in the klips/net/ipsec/Makefile.
- *
- * Revision 1.13 1999/10/27 19:59:51 rgb
- * Removed af_unix comments that are no longer relevant.
- * Added debug prink statements.
- * Added to the /proc output in pfkey_get_info.
- * Made most functions non-static to enable oops tracing.
- * Re-enable skb dequeueing and freeing.
- * Fix skb_alloc() and skb_put() size bug in pfkey_upmsg().
- *
- * Revision 1.12 1999/10/26 17:05:42 rgb
- * Complete re-ordering based on proto_ops structure order.
- * Separated out proto_ops structures for 2.0.x and 2.2.x for clarity.
- * Simplification to use built-in socket ops where possible for 2.2.x.
- * Add shorter macros for compiler directives to visually clean-up.
- * Add lots of sk skb dequeueing debugging statements.
- * Added to the /proc output in pfkey_get_info.
- *
- * Revision 1.11 1999/09/30 02:55:10 rgb
- * Bogus skb detection.
- * Fix incorrect /proc/net/ipsec-eroute printk message.
- *
- * Revision 1.10 1999/09/21 15:22:13 rgb
- * Temporary fix while I figure out the right way to destroy sockets.
- *
- * Revision 1.9 1999/07/08 19:19:44 rgb
- * Fix pointer format warning.
- * Fix missing member error under 2.0.xx kernels.
- *
- * Revision 1.8 1999/06/13 07:24:04 rgb
- * Add more debugging.
- *
- * Revision 1.7 1999/06/10 05:24:17 rgb
- * Clarified compiler directives.
- * Renamed variables to reduce confusion.
- * Used sklist_*_socket() kernel functions to simplify 2.2.x socket support.
- * Added lots of sanity checking.
- *
- * Revision 1.6 1999/06/03 18:59:50 rgb
- * More updates to 2.2.x socket support. Almost works, oops at end of call.
- *
- * Revision 1.5 1999/05/25 22:44:05 rgb
- * Start fixing 2.2 sockets.
- *
- * Revision 1.4 1999/04/29 15:21:34 rgb
- * Move log to the end of the file.
- * Eliminate min/max redefinition in #include <net/tcp.h>.
- * Correct path for pfkey #includes
- * Standardise an error return method.
- * Add debugging instrumentation.
- * Move message type checking to pfkey_msg_parse().
- * Add check for errno incorrectly set.
- * Add check for valid PID.
- * Add check for reserved illegally set.
- * Add check for message out of bounds.
- *
- * Revision 1.3 1999/04/15 17:58:07 rgb
- * Add RCSID labels.
- *
- * Revision 1.2 1999/04/15 15:37:26 rgb
- * Forward check changes from POST1_00 branch.
- *
- * Revision 1.1.2.2 1999/04/13 20:37:12 rgb
- * Header Title correction.
- *
- * Revision 1.1.2.1 1999/03/26 20:58:55 rgb
- * Add pfkeyv2 support to KLIPS.
- *
- *
- * RFC 2367
- * PF_KEY_v2 Key Management API
- */
diff --git a/linux/net/ipsec/pfkey_v2_ext_process.c b/linux/net/ipsec/pfkey_v2_ext_process.c
deleted file mode 100644
index 9269bd59e..000000000
--- a/linux/net/ipsec/pfkey_v2_ext_process.c
+++ /dev/null
@@ -1,851 +0,0 @@
-/*
- * @(#) RFC2367 PF_KEYv2 Key management API message parser
- * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs <rgb@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: pfkey_v2_ext_process.c,v 1.3 2004/06/13 19:57:50 as Exp $
- */
-
-/*
- * Template from klips/net/ipsec/ipsec/ipsec_netlink.c.
- */
-
-char pfkey_v2_ext_process_c_version[] = "$Id: pfkey_v2_ext_process.c,v 1.3 2004/06/13 19:57:50 as Exp $";
-
-#include <linux/config.h>
-#include <linux/version.h>
-#include <linux/kernel.h> /* printk() */
-
-#include "freeswan/ipsec_param.h"
-
-#ifdef MALLOC_SLAB
-# include <linux/slab.h> /* kmalloc() */
-#else /* MALLOC_SLAB */
-# include <linux/malloc.h> /* kmalloc() */
-#endif /* MALLOC_SLAB */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/interrupt.h> /* mark_bh */
-
-#include <linux/netdevice.h> /* struct device, and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/ip.h> /* struct iphdr */
-#include <linux/skbuff.h>
-
-#include <freeswan.h>
-
-#include <crypto/des.h>
-
-#ifdef SPINLOCK
-# ifdef SPINLOCK_23
-# include <linux/spinlock.h> /* *lock* */
-# else /* SPINLOCK_23 */
-# include <asm/spinlock.h> /* *lock* */
-# endif /* SPINLOCK_23 */
-#endif /* SPINLOCK */
-#ifdef NET_21
-# include <asm/uaccess.h>
-# include <linux/in6.h>
-# define ip_chk_addr inet_addr_type
-# define IS_MYADDR RTN_LOCAL
-#endif
-#include <asm/checksum.h>
-#include <net/ip.h>
-#ifdef NETLINK_SOCK
-# include <linux/netlink.h>
-#else
-# include <net/netlink.h>
-#endif
-
-#include <linux/random.h> /* get_random_bytes() */
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_sa.h"
-
-#include "freeswan/ipsec_radij.h"
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_ah.h"
-#include "freeswan/ipsec_esp.h"
-#include "freeswan/ipsec_tunnel.h"
-#include "freeswan/ipsec_rcv.h"
-#include "freeswan/ipcomp.h"
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "freeswan/ipsec_proto.h"
-#include "freeswan/ipsec_alg.h"
-
-#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
-
-int
-pfkey_sa_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
-{
- struct sadb_sa *pfkey_sa = (struct sadb_sa *)pfkey_ext;
- int error = 0;
- struct ipsec_sa* ipsp;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sa_process: .\n");
-
- if(!extr || !extr->ips) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sa_process: "
- "extr or extr->ips is NULL, fatal\n");
- SENDERR(EINVAL);
- }
-
- switch(pfkey_ext->sadb_ext_type) {
- case SADB_EXT_SA:
- ipsp = extr->ips;
- break;
- case SADB_X_EXT_SA2:
- if(extr->ips2 == NULL) {
- extr->ips2 = ipsec_sa_alloc(&error); /* pass error var by pointer */
- }
- if(extr->ips2 == NULL) {
- SENDERR(-error);
- }
- ipsp = extr->ips2;
- break;
- default:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sa_process: "
- "invalid exttype=%d.\n",
- pfkey_ext->sadb_ext_type);
- SENDERR(EINVAL);
- }
-
- ipsp->ips_said.spi = pfkey_sa->sadb_sa_spi;
- ipsp->ips_replaywin = pfkey_sa->sadb_sa_replay;
- ipsp->ips_state = pfkey_sa->sadb_sa_state;
- ipsp->ips_flags = pfkey_sa->sadb_sa_flags;
- ipsp->ips_replaywin_lastseq = ipsp->ips_replaywin_bitmap = 0;
- ipsp->ips_ref_rel = pfkey_sa->sadb_x_sa_ref;
-
- switch(ipsp->ips_said.proto) {
- case IPPROTO_AH:
- ipsp->ips_authalg = pfkey_sa->sadb_sa_auth;
- ipsp->ips_encalg = SADB_EALG_NONE;
- break;
- case IPPROTO_ESP:
- ipsp->ips_authalg = pfkey_sa->sadb_sa_auth;
- ipsp->ips_encalg = pfkey_sa->sadb_sa_encrypt;
-#ifdef CONFIG_IPSEC_ALG
- ipsec_alg_sa_init(ipsp);
-#endif /* CONFIG_IPSEC_ALG */
- break;
- case IPPROTO_IPIP:
- ipsp->ips_authalg = AH_NONE;
- ipsp->ips_encalg = ESP_NONE;
- break;
-#ifdef CONFIG_IPSEC_IPCOMP
- case IPPROTO_COMP:
- ipsp->ips_authalg = AH_NONE;
- ipsp->ips_encalg = pfkey_sa->sadb_sa_encrypt;
- break;
-#endif /* CONFIG_IPSEC_IPCOMP */
- case IPPROTO_INT:
- ipsp->ips_authalg = AH_NONE;
- ipsp->ips_encalg = ESP_NONE;
- break;
- case 0:
- break;
- default:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sa_process: "
- "unknown proto=%d.\n",
- ipsp->ips_said.proto);
- SENDERR(EINVAL);
- }
-
-errlab:
- return error;
-}
-
-int
-pfkey_lifetime_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- struct sadb_lifetime *pfkey_lifetime = (struct sadb_lifetime *)pfkey_ext;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_lifetime_process: .\n");
-
- if(!extr || !extr->ips) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_lifetime_process: "
- "extr or extr->ips is NULL, fatal\n");
- SENDERR(EINVAL);
- }
-
- switch(pfkey_lifetime->sadb_lifetime_exttype) {
- case SADB_EXT_LIFETIME_CURRENT:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_lifetime_process: "
- "lifetime_current not supported yet.\n");
- SENDERR(EINVAL);
- break;
- case SADB_EXT_LIFETIME_HARD:
- ipsec_lifetime_update_hard(&extr->ips->ips_life.ipl_allocations,
- pfkey_lifetime->sadb_lifetime_allocations);
-
- ipsec_lifetime_update_hard(&extr->ips->ips_life.ipl_bytes,
- pfkey_lifetime->sadb_lifetime_bytes);
-
- ipsec_lifetime_update_hard(&extr->ips->ips_life.ipl_addtime,
- pfkey_lifetime->sadb_lifetime_addtime);
-
- ipsec_lifetime_update_hard(&extr->ips->ips_life.ipl_usetime,
- pfkey_lifetime->sadb_lifetime_usetime);
-
- break;
-
- case SADB_EXT_LIFETIME_SOFT:
- ipsec_lifetime_update_soft(&extr->ips->ips_life.ipl_allocations,
- pfkey_lifetime->sadb_lifetime_allocations);
-
- ipsec_lifetime_update_soft(&extr->ips->ips_life.ipl_bytes,
- pfkey_lifetime->sadb_lifetime_bytes);
-
- ipsec_lifetime_update_soft(&extr->ips->ips_life.ipl_addtime,
- pfkey_lifetime->sadb_lifetime_addtime);
-
- ipsec_lifetime_update_soft(&extr->ips->ips_life.ipl_usetime,
- pfkey_lifetime->sadb_lifetime_usetime);
-
- break;
- default:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_lifetime_process: "
- "invalid exttype=%d.\n",
- pfkey_ext->sadb_ext_type);
- SENDERR(EINVAL);
- }
-
-errlab:
- return error;
-}
-
-int
-pfkey_address_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- int saddr_len = 0;
- char ipaddr_txt[ADDRTOA_BUF];
- unsigned char **sap;
- unsigned short * portp = 0;
- struct sadb_address *pfkey_address = (struct sadb_address *)pfkey_ext;
- struct sockaddr* s = (struct sockaddr*)((char*)pfkey_address + sizeof(*pfkey_address));
- struct ipsec_sa* ipsp;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process:\n");
-
- if(!extr || !extr->ips) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "extr or extr->ips is NULL, fatal\n");
- SENDERR(EINVAL);
- }
-
- switch(s->sa_family) {
- case AF_INET:
- saddr_len = sizeof(struct sockaddr_in);
- addrtoa(((struct sockaddr_in*)s)->sin_addr, 0, ipaddr_txt, sizeof(ipaddr_txt));
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "found address family=%d, AF_INET, %s.\n",
- s->sa_family,
- ipaddr_txt);
- break;
-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
- case AF_INET6:
- saddr_len = sizeof(struct sockaddr_in6);
- break;
-#endif /* defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
- default:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "s->sa_family=%d not supported.\n",
- s->sa_family);
- SENDERR(EPFNOSUPPORT);
- }
-
- switch(pfkey_address->sadb_address_exttype) {
- case SADB_EXT_ADDRESS_SRC:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "found src address.\n");
- sap = (unsigned char **)&(extr->ips->ips_addr_s);
- extr->ips->ips_addr_s_size = saddr_len;
- break;
- case SADB_EXT_ADDRESS_DST:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "found dst address.\n");
- sap = (unsigned char **)&(extr->ips->ips_addr_d);
- extr->ips->ips_addr_d_size = saddr_len;
- break;
- case SADB_EXT_ADDRESS_PROXY:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "found proxy address.\n");
- sap = (unsigned char **)&(extr->ips->ips_addr_p);
- extr->ips->ips_addr_p_size = saddr_len;
- break;
- case SADB_X_EXT_ADDRESS_DST2:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "found 2nd dst address.\n");
- if(extr->ips2 == NULL) {
- extr->ips2 = ipsec_sa_alloc(&error); /* pass error var by pointer */
- }
- if(extr->ips2 == NULL) {
- SENDERR(-error);
- }
- sap = (unsigned char **)&(extr->ips2->ips_addr_d);
- extr->ips2->ips_addr_d_size = saddr_len;
- break;
- case SADB_X_EXT_ADDRESS_SRC_FLOW:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "found src flow address.\n");
- if(pfkey_alloc_eroute(&(extr->eroute)) == ENOMEM) {
- SENDERR(ENOMEM);
- }
- sap = (unsigned char **)&(extr->eroute->er_eaddr.sen_ip_src);
- portp = &(extr->eroute->er_eaddr.sen_sport);
- break;
- case SADB_X_EXT_ADDRESS_DST_FLOW:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "found dst flow address.\n");
- if(pfkey_alloc_eroute(&(extr->eroute)) == ENOMEM) {
- SENDERR(ENOMEM);
- }
- sap = (unsigned char **)&(extr->eroute->er_eaddr.sen_ip_dst);
- portp = &(extr->eroute->er_eaddr.sen_dport);
- break;
- case SADB_X_EXT_ADDRESS_SRC_MASK:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "found src mask address.\n");
- if(pfkey_alloc_eroute(&(extr->eroute)) == ENOMEM) {
- SENDERR(ENOMEM);
- }
- sap = (unsigned char **)&(extr->eroute->er_emask.sen_ip_src);
- portp = &(extr->eroute->er_emask.sen_sport);
- break;
- case SADB_X_EXT_ADDRESS_DST_MASK:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "found dst mask address.\n");
- if(pfkey_alloc_eroute(&(extr->eroute)) == ENOMEM) {
- SENDERR(ENOMEM);
- }
- sap = (unsigned char **)&(extr->eroute->er_emask.sen_ip_dst);
- portp = &(extr->eroute->er_emask.sen_dport);
- break;
-#ifdef NAT_TRAVERSAL
- case SADB_X_EXT_NAT_T_OA:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "found NAT-OA address.\n");
- sap = (unsigned char **)&(extr->ips->ips_natt_oa);
- extr->ips->ips_natt_oa_size = saddr_len;
- break;
-#endif
- default:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "unrecognised ext_type=%d.\n",
- pfkey_address->sadb_address_exttype);
- SENDERR(EINVAL);
- }
-
- switch(pfkey_address->sadb_address_exttype) {
- case SADB_EXT_ADDRESS_SRC:
- case SADB_EXT_ADDRESS_DST:
- case SADB_EXT_ADDRESS_PROXY:
- case SADB_X_EXT_ADDRESS_DST2:
-#ifdef NAT_TRAVERSAL
- case SADB_X_EXT_NAT_T_OA:
-#endif
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "allocating %d bytes for saddr.\n",
- saddr_len);
- if(!(*sap = kmalloc(saddr_len, GFP_KERNEL))) {
- SENDERR(ENOMEM);
- }
- memcpy(*sap, s, saddr_len);
- break;
- default:
- if(s->sa_family != AF_INET) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "s->sa_family=%d not supported.\n",
- s->sa_family);
- SENDERR(EPFNOSUPPORT);
- }
- (unsigned long)(*sap) = ((struct sockaddr_in*)s)->sin_addr.s_addr;
- if (portp != 0)
- *portp = ((struct sockaddr_in*)s)->sin_port;
-#ifdef CONFIG_IPSEC_DEBUG
- if(extr->eroute) {
- char buf1[64], buf2[64];
- if (debug_pfkey) {
- subnettoa(extr->eroute->er_eaddr.sen_ip_src,
- extr->eroute->er_emask.sen_ip_src, 0, buf1, sizeof(buf1));
- subnettoa(extr->eroute->er_eaddr.sen_ip_dst,
- extr->eroute->er_emask.sen_ip_dst, 0, buf2, sizeof(buf2));
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_parse: "
- "extr->eroute set to %s:%d->%s:%d\n",
- buf1,
- ntohs(extr->eroute->er_eaddr.sen_sport),
- buf2,
- ntohs(extr->eroute->er_eaddr.sen_dport));
- }
- }
-#endif /* CONFIG_IPSEC_DEBUG */
- }
-
- ipsp = extr->ips;
- switch(pfkey_address->sadb_address_exttype) {
- case SADB_X_EXT_ADDRESS_DST2:
- ipsp = extr->ips2;
- case SADB_EXT_ADDRESS_DST:
- if(s->sa_family == AF_INET) {
- ipsp->ips_said.dst.s_addr = ((struct sockaddr_in*)(ipsp->ips_addr_d))->sin_addr.s_addr;
- addrtoa(((struct sockaddr_in*)(ipsp->ips_addr_d))->sin_addr,
- 0,
- ipaddr_txt,
- sizeof(ipaddr_txt));
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "ips_said.dst set to %s.\n",
- ipaddr_txt);
- } else {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: "
- "uh, ips_said.dst doesn't do address family=%d yet, said will be invalid.\n",
- s->sa_family);
- }
- default:
- break;
- }
-
- /* XXX check if port!=0 */
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_address_process: successful.\n");
- errlab:
- return error;
-}
-
-int
-pfkey_key_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- struct sadb_key *pfkey_key = (struct sadb_key *)pfkey_ext;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_key_process: .\n");
-
- if(!extr || !extr->ips) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_key_process: "
- "extr or extr->ips is NULL, fatal\n");
- SENDERR(EINVAL);
- }
-
- switch(pfkey_key->sadb_key_exttype) {
- case SADB_EXT_KEY_AUTH:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_key_process: "
- "allocating %d bytes for authkey.\n",
- DIVUP(pfkey_key->sadb_key_bits, 8));
- if(!(extr->ips->ips_key_a = kmalloc(DIVUP(pfkey_key->sadb_key_bits, 8), GFP_KERNEL))) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_key_process: "
- "memory allocation error.\n");
- SENDERR(ENOMEM);
- }
- extr->ips->ips_key_bits_a = pfkey_key->sadb_key_bits;
- extr->ips->ips_key_a_size = DIVUP(pfkey_key->sadb_key_bits, 8);
- memcpy(extr->ips->ips_key_a,
- (char*)pfkey_key + sizeof(struct sadb_key),
- extr->ips->ips_key_a_size);
- break;
- case SADB_EXT_KEY_ENCRYPT: /* Key(s) */
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_key_process: "
- "allocating %d bytes for enckey.\n",
- DIVUP(pfkey_key->sadb_key_bits, 8));
- if(!(extr->ips->ips_key_e = kmalloc(DIVUP(pfkey_key->sadb_key_bits, 8), GFP_KERNEL))) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_key_process: "
- "memory allocation error.\n");
- SENDERR(ENOMEM);
- }
- extr->ips->ips_key_bits_e = pfkey_key->sadb_key_bits;
- extr->ips->ips_key_e_size = DIVUP(pfkey_key->sadb_key_bits, 8);
- memcpy(extr->ips->ips_key_e,
- (char*)pfkey_key + sizeof(struct sadb_key),
- extr->ips->ips_key_e_size);
- break;
- default:
- SENDERR(EINVAL);
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_key_process: "
- "success.\n");
-errlab:
- return error;
-}
-
-int
-pfkey_ident_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- struct sadb_ident *pfkey_ident = (struct sadb_ident *)pfkey_ext;
- int data_len;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ident_process: .\n");
-
- if(!extr || !extr->ips) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ident_process: "
- "extr or extr->ips is NULL, fatal\n");
- SENDERR(EINVAL);
- }
-
- switch(pfkey_ident->sadb_ident_exttype) {
- case SADB_EXT_IDENTITY_SRC:
- data_len = pfkey_ident->sadb_ident_len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
-
- extr->ips->ips_ident_s.type = pfkey_ident->sadb_ident_type;
- extr->ips->ips_ident_s.id = pfkey_ident->sadb_ident_id;
- extr->ips->ips_ident_s.len = pfkey_ident->sadb_ident_len;
- if(data_len) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ident_process: "
- "allocating %d bytes for ident_s.\n",
- data_len);
- if(!(extr->ips->ips_ident_s.data
- = kmalloc(data_len, GFP_KERNEL))) {
- SENDERR(ENOMEM);
- }
- memcpy(extr->ips->ips_ident_s.data,
- (char*)pfkey_ident + sizeof(struct sadb_ident),
- data_len);
- } else {
- extr->ips->ips_ident_s.data = NULL;
- }
- break;
- case SADB_EXT_IDENTITY_DST: /* Identity(ies) */
- data_len = pfkey_ident->sadb_ident_len * IPSEC_PFKEYv2_ALIGN - sizeof(struct sadb_ident);
-
- extr->ips->ips_ident_d.type = pfkey_ident->sadb_ident_type;
- extr->ips->ips_ident_d.id = pfkey_ident->sadb_ident_id;
- extr->ips->ips_ident_d.len = pfkey_ident->sadb_ident_len;
- if(data_len) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ident_process: "
- "allocating %d bytes for ident_d.\n",
- data_len);
- if(!(extr->ips->ips_ident_d.data
- = kmalloc(data_len, GFP_KERNEL))) {
- SENDERR(ENOMEM);
- }
- memcpy(extr->ips->ips_ident_d.data,
- (char*)pfkey_ident + sizeof(struct sadb_ident),
- data_len);
- } else {
- extr->ips->ips_ident_d.data = NULL;
- }
- break;
- default:
- SENDERR(EINVAL);
- }
-errlab:
- return error;
-}
-
-int
-pfkey_sens_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
-{
- int error = 0;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_sens_process: "
- "Sorry, I can't process exttype=%d yet.\n",
- pfkey_ext->sadb_ext_type);
- SENDERR(EINVAL); /* don't process these yet */
- errlab:
- return error;
-}
-
-int
-pfkey_prop_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
-{
- int error = 0;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_prop_process: "
- "Sorry, I can't process exttype=%d yet.\n",
- pfkey_ext->sadb_ext_type);
- SENDERR(EINVAL); /* don't process these yet */
-
- errlab:
- return error;
-}
-
-int
-pfkey_supported_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
-{
- int error = 0;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_supported_process: "
- "Sorry, I can't process exttype=%d yet.\n",
- pfkey_ext->sadb_ext_type);
- SENDERR(EINVAL); /* don't process these yet */
-
-errlab:
- return error;
-}
-
-int
-pfkey_spirange_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
-{
- int error = 0;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_spirange_process: .\n");
-/* errlab: */
- return error;
-}
-
-int
-pfkey_x_kmprivate_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
-{
- int error = 0;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_kmprivate_process: "
- "Sorry, I can't process exttype=%d yet.\n",
- pfkey_ext->sadb_ext_type);
- SENDERR(EINVAL); /* don't process these yet */
-
-errlab:
- return error;
-}
-
-int
-pfkey_x_satype_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- struct sadb_x_satype *pfkey_x_satype = (struct sadb_x_satype *)pfkey_ext;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_satype_process: .\n");
-
- if(!extr || !extr->ips) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_satype_process: "
- "extr or extr->ips is NULL, fatal\n");
- SENDERR(EINVAL);
- }
-
- if(extr->ips2 == NULL) {
- extr->ips2 = ipsec_sa_alloc(&error); /* pass error var by pointer */
- }
- if(extr->ips2 == NULL) {
- SENDERR(-error);
- }
- if(!(extr->ips2->ips_said.proto = satype2proto(pfkey_x_satype->sadb_x_satype_satype))) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_satype_process: "
- "proto lookup from satype=%d failed.\n",
- pfkey_x_satype->sadb_x_satype_satype);
- SENDERR(EINVAL);
- }
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_satype_process: "
- "protocol==%d decoded from satype==%d(%s).\n",
- extr->ips2->ips_said.proto,
- pfkey_x_satype->sadb_x_satype_satype,
- satype2name(pfkey_x_satype->sadb_x_satype_satype));
-
-errlab:
- return error;
-}
-
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-int
-pfkey_x_nat_t_type_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- struct sadb_x_nat_t_type *pfkey_x_nat_t_type = (struct sadb_x_nat_t_type *)pfkey_ext;
-
- if(!pfkey_x_nat_t_type) {
- printk("klips_debug:pfkey_x_nat_t_type_process: "
- "null pointer passed in\n");
- SENDERR(EINVAL);
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_nat_t_type_process: %d.\n",
- pfkey_x_nat_t_type->sadb_x_nat_t_type_type);
-
- if(!extr || !extr->ips) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_nat_t_type_process: "
- "extr or extr->ips is NULL, fatal\n");
- SENDERR(EINVAL);
- }
-
- switch(pfkey_x_nat_t_type->sadb_x_nat_t_type_type) {
- case ESPINUDP_WITH_NON_IKE: /* with Non-IKE */
- case ESPINUDP_WITH_NON_ESP: /* with Non-ESP */
- extr->ips->ips_natt_type = pfkey_x_nat_t_type->sadb_x_nat_t_type_type;
- break;
- default:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_nat_t_type_process: "
- "unknown type %d.\n",
- pfkey_x_nat_t_type->sadb_x_nat_t_type_type);
- SENDERR(EINVAL);
- break;
- }
-
-errlab:
- return error;
-}
-
-int
-pfkey_x_nat_t_port_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- struct sadb_x_nat_t_port *pfkey_x_nat_t_port = (struct sadb_x_nat_t_port *)pfkey_ext;
-
- if(!pfkey_x_nat_t_port) {
- printk("klips_debug:pfkey_x_nat_t_port_process: "
- "null pointer passed in\n");
- SENDERR(EINVAL);
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_nat_t_port_process: %d/%d.\n",
- pfkey_x_nat_t_port->sadb_x_nat_t_port_exttype,
- pfkey_x_nat_t_port->sadb_x_nat_t_port_port);
-
- if(!extr || !extr->ips) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_nat_t_type_process: "
- "extr or extr->ips is NULL, fatal\n");
- SENDERR(EINVAL);
- }
-
- switch(pfkey_x_nat_t_port->sadb_x_nat_t_port_exttype) {
- case SADB_X_EXT_NAT_T_SPORT:
- extr->ips->ips_natt_sport = pfkey_x_nat_t_port->sadb_x_nat_t_port_port;
- break;
- case SADB_X_EXT_NAT_T_DPORT:
- extr->ips->ips_natt_dport = pfkey_x_nat_t_port->sadb_x_nat_t_port_port;
- break;
- default:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_nat_t_port_process: "
- "unknown exttype %d.\n",
- pfkey_x_nat_t_port->sadb_x_nat_t_port_exttype);
- SENDERR(EINVAL);
- break;
- }
-
-errlab:
- return error;
-}
-#endif
-
-int
-pfkey_x_debug_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- struct sadb_x_debug *pfkey_x_debug = (struct sadb_x_debug *)pfkey_ext;
-
- if(!pfkey_x_debug) {
- printk("klips_debug:pfkey_x_debug_process: "
- "null pointer passed in\n");
- SENDERR(EINVAL);
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_debug_process: .\n");
-
-#ifdef CONFIG_IPSEC_DEBUG
- if(pfkey_x_debug->sadb_x_debug_netlink >>
- (sizeof(pfkey_x_debug->sadb_x_debug_netlink) * 8 - 1)) {
- pfkey_x_debug->sadb_x_debug_netlink &=
- ~(1 << (sizeof(pfkey_x_debug->sadb_x_debug_netlink) * 8 -1));
- debug_tunnel |= pfkey_x_debug->sadb_x_debug_tunnel;
- debug_netlink |= pfkey_x_debug->sadb_x_debug_netlink;
- debug_xform |= pfkey_x_debug->sadb_x_debug_xform;
- debug_eroute |= pfkey_x_debug->sadb_x_debug_eroute;
- debug_spi |= pfkey_x_debug->sadb_x_debug_spi;
- debug_radij |= pfkey_x_debug->sadb_x_debug_radij;
- debug_esp |= pfkey_x_debug->sadb_x_debug_esp;
- debug_ah |= pfkey_x_debug->sadb_x_debug_ah;
- debug_rcv |= pfkey_x_debug->sadb_x_debug_rcv;
- debug_pfkey |= pfkey_x_debug->sadb_x_debug_pfkey;
-#ifdef CONFIG_IPSEC_IPCOMP
- sysctl_ipsec_debug_ipcomp |= pfkey_x_debug->sadb_x_debug_ipcomp;
-#endif /* CONFIG_IPSEC_IPCOMP */
- sysctl_ipsec_debug_verbose |= pfkey_x_debug->sadb_x_debug_verbose;
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_debug_process: "
- "set\n");
- } else {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_debug_process: "
- "unset\n");
- debug_tunnel &= pfkey_x_debug->sadb_x_debug_tunnel;
- debug_netlink &= pfkey_x_debug->sadb_x_debug_netlink;
- debug_xform &= pfkey_x_debug->sadb_x_debug_xform;
- debug_eroute &= pfkey_x_debug->sadb_x_debug_eroute;
- debug_spi &= pfkey_x_debug->sadb_x_debug_spi;
- debug_radij &= pfkey_x_debug->sadb_x_debug_radij;
- debug_esp &= pfkey_x_debug->sadb_x_debug_esp;
- debug_ah &= pfkey_x_debug->sadb_x_debug_ah;
- debug_rcv &= pfkey_x_debug->sadb_x_debug_rcv;
- debug_pfkey &= pfkey_x_debug->sadb_x_debug_pfkey;
-#ifdef CONFIG_IPSEC_IPCOMP
- sysctl_ipsec_debug_ipcomp &= pfkey_x_debug->sadb_x_debug_ipcomp;
-#endif /* CONFIG_IPSEC_IPCOMP */
- sysctl_ipsec_debug_verbose &= pfkey_x_debug->sadb_x_debug_verbose;
- }
-#else /* CONFIG_IPSEC_DEBUG */
- printk("klips_debug:pfkey_x_debug_process: "
- "debugging not enabled\n");
- SENDERR(EINVAL);
-#endif /* CONFIG_IPSEC_DEBUG */
-
-errlab:
- return error;
-}
diff --git a/linux/net/ipsec/pfkey_v2_parser.c b/linux/net/ipsec/pfkey_v2_parser.c
deleted file mode 100644
index d170ddea5..000000000
--- a/linux/net/ipsec/pfkey_v2_parser.c
+++ /dev/null
@@ -1,3420 +0,0 @@
-/*
- * @(#) RFC2367 PF_KEYv2 Key management API message parser
- * Copyright (C) 1999, 2000, 2001 Richard Guy Briggs <rgb@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: pfkey_v2_parser.c,v 1.4 2004/09/29 22:27:41 as Exp $
- */
-
-/*
- * Template from klips/net/ipsec/ipsec/ipsec_netlink.c.
- */
-
-char pfkey_v2_parser_c_version[] = "$Id: pfkey_v2_parser.c,v 1.4 2004/09/29 22:27:41 as Exp $";
-
-#include <linux/config.h>
-#include <linux/version.h>
-#include <linux/kernel.h> /* printk() */
-
-#include "freeswan/ipsec_param.h"
-
-#ifdef MALLOC_SLAB
-# include <linux/slab.h> /* kmalloc() */
-#else /* MALLOC_SLAB */
-# include <linux/malloc.h> /* kmalloc() */
-#endif /* MALLOC_SLAB */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/interrupt.h> /* mark_bh */
-
-#include <linux/netdevice.h> /* struct device, and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/ip.h> /* struct iphdr */
-#include <linux/skbuff.h>
-
-#include <freeswan.h>
-
-#include <crypto/des.h>
-
-#ifdef SPINLOCK
-# ifdef SPINLOCK_23
-# include <linux/spinlock.h> /* *lock* */
-# else /* SPINLOCK_23 */
-# include <asm/spinlock.h> /* *lock* */
-# endif /* SPINLOCK_23 */
-#endif /* SPINLOCK */
-#ifdef NET_21
-# include <asm/uaccess.h>
-# include <linux/in6.h>
-# define ip_chk_addr inet_addr_type
-# define IS_MYADDR RTN_LOCAL
-#endif
-#include <asm/checksum.h>
-#include <net/ip.h>
-#ifdef NETLINK_SOCK
-# include <linux/netlink.h>
-#else
-# include <net/netlink.h>
-#endif
-
-#include <linux/random.h> /* get_random_bytes() */
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_sa.h"
-
-#include "freeswan/ipsec_radij.h"
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_ah.h"
-#include "freeswan/ipsec_esp.h"
-#include "freeswan/ipsec_tunnel.h"
-#include "freeswan/ipsec_rcv.h"
-#include "freeswan/ipcomp.h"
-
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "freeswan/ipsec_proto.h"
-#include "freeswan/ipsec_alg.h"
-
-
-#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
-
-struct sklist_t {
- struct socket *sk;
- struct sklist_t* next;
-} pfkey_sklist_head, *pfkey_sklist, *pfkey_sklist_prev;
-
-__u32 pfkey_msg_seq = 0;
-
-int
-pfkey_alloc_eroute(struct eroute** eroute)
-{
- int error = 0;
- if(*eroute) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_alloc_eroute: "
- "eroute struct already allocated\n");
- SENDERR(EEXIST);
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_alloc_eroute: "
- "allocating %lu bytes for an eroute.\n",
- (unsigned long) sizeof(**eroute));
- if((*eroute = kmalloc(sizeof(**eroute), GFP_ATOMIC) ) == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_alloc_eroute: "
- "memory allocation error\n");
- SENDERR(ENOMEM);
- }
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_alloc_eroute: "
- "allocated eroute struct=0p%p.\n", eroute);
- memset((caddr_t)*eroute, 0, sizeof(**eroute));
- (*eroute)->er_eaddr.sen_len =
- (*eroute)->er_emask.sen_len = sizeof(struct sockaddr_encap);
- (*eroute)->er_eaddr.sen_family =
- (*eroute)->er_emask.sen_family = AF_ENCAP;
- (*eroute)->er_eaddr.sen_type = SENT_IP4;
- (*eroute)->er_emask.sen_type = 255;
- (*eroute)->er_pid = 0;
- (*eroute)->er_count = 0;
- (*eroute)->er_lasttime = jiffies/HZ;
-
- errlab:
- return(error);
-}
-
-DEBUG_NO_STATIC int
-pfkey_x_protocol_process(struct sadb_ext *pfkey_ext,
- struct pfkey_extracted_data *extr)
-{
- int error = 0;
- struct sadb_protocol * p = (struct sadb_protocol *)pfkey_ext;
-
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_protocol_process: %p\n", extr);
-
- if (extr == 0) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_protocol_process:"
- "extr is NULL, fatal\n");
- SENDERR(EINVAL);
- }
- if (extr->eroute == 0) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_protocol_process:"
- "extr->eroute is NULL, fatal\n");
- SENDERR(EINVAL);
- }
- extr->eroute->er_eaddr.sen_proto = p->sadb_protocol_proto;
- extr->eroute->er_emask.sen_proto = p->sadb_protocol_proto ? ~0:0;
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_protocol_process: protocol = %d.\n",
- p->sadb_protocol_proto);
- errlab:
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_ipsec_sa_init(struct ipsec_sa *ipsp, struct sadb_ext **extensions)
-{
- int error = 0;
- char sa[SATOA_BUF];
- size_t sa_len;
- char ipaddr_txt[ADDRTOA_BUF];
- char ipaddr2_txt[ADDRTOA_BUF];
-#if defined (CONFIG_IPSEC_AUTH_HMAC_MD5) || defined (CONFIG_IPSEC_AUTH_HMAC_SHA1)
- int i;
- unsigned char kb[AHMD596_BLKLEN];
-#endif
-#ifdef CONFIG_IPSEC_ALG
- struct ipsec_alg_enc *ixt_e = NULL;
- struct ipsec_alg_auth *ixt_a = NULL;
-#endif /* CONFIG_IPSEC_ALG */
-
- if(ipsp == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ipsec_sa_init: "
- "ipsp is NULL, fatal\n");
- SENDERR(EINVAL);
- }
-
- sa_len = satoa(ipsp->ips_said, 0, sa, SATOA_BUF);
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ipsec_sa_init: "
- "(pfkey defined) called for SA:%s\n",
- sa_len ? sa : " (error)");
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ipsec_sa_init: "
- "calling init routine of %s%s%s\n",
- IPS_XFORM_NAME(ipsp));
-
- switch(ipsp->ips_said.proto) {
-
-#ifdef CONFIG_IPSEC_IPIP
- case IPPROTO_IPIP: {
- addrtoa(((struct sockaddr_in*)(ipsp->ips_addr_s))->sin_addr,
- 0,
- ipaddr_txt, sizeof(ipaddr_txt));
- addrtoa(((struct sockaddr_in*)(ipsp->ips_addr_d))->sin_addr,
- 0,
- ipaddr2_txt, sizeof(ipaddr_txt));
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ipsec_sa_init: "
- "(pfkey defined) IPIP ipsec_sa set for %s->%s.\n",
- ipaddr_txt,
- ipaddr2_txt);
- }
- break;
-#endif /* !CONFIG_IPSEC_IPIP */
-#ifdef CONFIG_IPSEC_AH
- case IPPROTO_AH:
- switch(ipsp->ips_authalg) {
-# ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
- case AH_MD5: {
- unsigned char *akp;
- unsigned int aks;
- MD5_CTX *ictx;
- MD5_CTX *octx;
-
- if(ipsp->ips_key_bits_a != (AHMD596_KLEN * 8)) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ipsec_sa_init: "
- "incorrect key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
- ipsp->ips_key_bits_a, AHMD596_KLEN * 8);
- SENDERR(EINVAL);
- }
-
-# if KLIPS_DIVULGE_HMAC_KEY
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "hmac md5-96 key is 0x%08x %08x %08x %08x\n",
- ntohl(*(((__u32 *)ipsp->ips_key_a)+0)),
- ntohl(*(((__u32 *)ipsp->ips_key_a)+1)),
- ntohl(*(((__u32 *)ipsp->ips_key_a)+2)),
- ntohl(*(((__u32 *)ipsp->ips_key_a)+3)));
-# endif /* KLIPS_DIVULGE_HMAC_KEY */
-
- ipsp->ips_auth_bits = AHMD596_ALEN * 8;
-
- /* save the pointer to the key material */
- akp = ipsp->ips_key_a;
- aks = ipsp->ips_key_a_size;
-
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "allocating %lu bytes for md5_ctx.\n",
- (unsigned long) sizeof(struct md5_ctx));
- if((ipsp->ips_key_a = (caddr_t)
- kmalloc(sizeof(struct md5_ctx), GFP_ATOMIC)) == NULL) {
- ipsp->ips_key_a = akp;
- SENDERR(ENOMEM);
- }
- ipsp->ips_key_a_size = sizeof(struct md5_ctx);
-
- for (i = 0; i < DIVUP(ipsp->ips_key_bits_a, 8); i++) {
- kb[i] = akp[i] ^ HMAC_IPAD;
- }
- for (; i < AHMD596_BLKLEN; i++) {
- kb[i] = HMAC_IPAD;
- }
-
- ictx = &(((struct md5_ctx*)(ipsp->ips_key_a))->ictx);
- MD5Init(ictx);
- MD5Update(ictx, kb, AHMD596_BLKLEN);
-
- for (i = 0; i < AHMD596_BLKLEN; i++) {
- kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);
- }
-
- octx = &(((struct md5_ctx*)(ipsp->ips_key_a))->octx);
- MD5Init(octx);
- MD5Update(octx, kb, AHMD596_BLKLEN);
-
-# if KLIPS_DIVULGE_HMAC_KEY
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "MD5 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
- ((__u32*)ictx)[0],
- ((__u32*)ictx)[1],
- ((__u32*)ictx)[2],
- ((__u32*)ictx)[3],
- ((__u32*)octx)[0],
- ((__u32*)octx)[1],
- ((__u32*)octx)[2],
- ((__u32*)octx)[3] );
-# endif /* KLIPS_DIVULGE_HMAC_KEY */
-
- /* zero key buffer -- paranoid */
- memset(akp, 0, aks);
- kfree(akp);
- }
- break;
-# endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
-# ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
- case AH_SHA: {
- unsigned char *akp;
- unsigned int aks;
- SHA1_CTX *ictx;
- SHA1_CTX *octx;
-
- if(ipsp->ips_key_bits_a != (AHSHA196_KLEN * 8)) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ipsec_sa_init: "
- "incorrect key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
- ipsp->ips_key_bits_a, AHSHA196_KLEN * 8);
- SENDERR(EINVAL);
- }
-
-# if KLIPS_DIVULGE_HMAC_KEY
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "hmac sha1-96 key is 0x%08x %08x %08x %08x\n",
- ntohl(*(((__u32 *)ipsp->ips_key_a)+0)),
- ntohl(*(((__u32 *)ipsp->ips_key_a)+1)),
- ntohl(*(((__u32 *)ipsp->ips_key_a)+2)),
- ntohl(*(((__u32 *)ipsp->ips_key_a)+3)));
-# endif /* KLIPS_DIVULGE_HMAC_KEY */
-
- ipsp->ips_auth_bits = AHSHA196_ALEN * 8;
-
- /* save the pointer to the key material */
- akp = ipsp->ips_key_a;
- aks = ipsp->ips_key_a_size;
-
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "allocating %lu bytes for sha1_ctx.\n",
- (unsigned long) sizeof(struct sha1_ctx));
- if((ipsp->ips_key_a = (caddr_t)
- kmalloc(sizeof(struct sha1_ctx), GFP_ATOMIC)) == NULL) {
- ipsp->ips_key_a = akp;
- SENDERR(ENOMEM);
- }
- ipsp->ips_key_a_size = sizeof(struct sha1_ctx);
-
- for (i = 0; i < DIVUP(ipsp->ips_key_bits_a, 8); i++) {
- kb[i] = akp[i] ^ HMAC_IPAD;
- }
- for (; i < AHMD596_BLKLEN; i++) {
- kb[i] = HMAC_IPAD;
- }
-
- ictx = &(((struct sha1_ctx*)(ipsp->ips_key_a))->ictx);
- SHA1Init(ictx);
- SHA1Update(ictx, kb, AHSHA196_BLKLEN);
-
- for (i = 0; i < AHSHA196_BLKLEN; i++) {
- kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);
- }
-
- octx = &(((struct sha1_ctx*)(ipsp->ips_key_a))->octx);
- SHA1Init(octx);
- SHA1Update(octx, kb, AHSHA196_BLKLEN);
-
-# if KLIPS_DIVULGE_HMAC_KEY
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "SHA1 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
- ((__u32*)ictx)[0],
- ((__u32*)ictx)[1],
- ((__u32*)ictx)[2],
- ((__u32*)ictx)[3],
- ((__u32*)octx)[0],
- ((__u32*)octx)[1],
- ((__u32*)octx)[2],
- ((__u32*)octx)[3] );
-# endif /* KLIPS_DIVULGE_HMAC_KEY */
- /* zero key buffer -- paranoid */
- memset(akp, 0, aks);
- kfree(akp);
- }
- break;
-# endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
- default:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ipsec_sa_init: "
- "authalg=%d support not available in the kernel",
- ipsp->ips_authalg);
- SENDERR(EINVAL);
- }
- break;
-#endif /* CONFIG_IPSEC_AH */
-#ifdef CONFIG_IPSEC_ESP
- case IPPROTO_ESP: {
-#if defined (CONFIG_IPSEC_AUTH_HMAC_MD5) || defined (CONFIG_IPSEC_AUTH_HMAC_SHA1)
- unsigned char *akp;
- unsigned int aks;
-#endif
-#if defined (CONFIG_IPSEC_ENC_3DES)
- unsigned char *ekp;
- unsigned int eks;
-#endif
-
- ipsp->ips_iv_size = 0;
-#ifdef CONFIG_IPSEC_ALG
- if ((ixt_e=ipsp->ips_alg_enc)) {
- ipsp->ips_iv_size = ixt_e->ixt_ivlen/8;
- } else
-#endif /* CONFIG_IPSEC_ALG */
- switch(ipsp->ips_encalg) {
-# ifdef CONFIG_IPSEC_ENC_3DES
- case ESP_3DES:
-# endif /* CONFIG_IPSEC_ENC_3DES */
-# if defined(CONFIG_IPSEC_ENC_3DES)
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "allocating %u bytes for iv.\n",
- EMT_ESPDES_IV_SZ);
- if((ipsp->ips_iv = (caddr_t)
- kmalloc((ipsp->ips_iv_size = EMT_ESPDES_IV_SZ), GFP_ATOMIC)) == NULL) {
- SENDERR(ENOMEM);
- }
- prng_bytes(&ipsec_prng, (char *)ipsp->ips_iv, EMT_ESPDES_IV_SZ);
- ipsp->ips_iv_bits = ipsp->ips_iv_size * 8;
- ipsp->ips_iv_size = EMT_ESPDES_IV_SZ;
- break;
-# endif /* defined(CONFIG_IPSEC_ENC_3DES) */
- case ESP_NONE:
- break;
- default:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ipsec_sa_init: "
- "encalg=%d support not available in the kernel",
- ipsp->ips_encalg);
- SENDERR(EINVAL);
- }
-
- /* Create IV */
- if (ipsp->ips_iv_size) {
- if((ipsp->ips_iv = (caddr_t)
- kmalloc(ipsp->ips_iv_size, GFP_ATOMIC)) == NULL) {
- SENDERR(ENOMEM);
- }
- prng_bytes(&ipsec_prng, (char *)ipsp->ips_iv, ipsp->ips_iv_size);
- ipsp->ips_iv_bits = ipsp->ips_iv_size * 8;
- }
-
-#ifdef CONFIG_IPSEC_ALG
- if (ixt_e) {
- if ((error=ipsec_alg_enc_key_create(ipsp)) < 0)
- SENDERR(-error);
- } else
-#endif /* CONFIG_IPSEC_ALG */
- switch(ipsp->ips_encalg) {
-# ifdef CONFIG_IPSEC_ENC_3DES
- case ESP_3DES:
- if(ipsp->ips_key_bits_e != (EMT_ESP3DES_KEY_SZ * 8)) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ipsec_sa_init: "
- "incorrect encryption key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
- ipsp->ips_key_bits_e, EMT_ESP3DES_KEY_SZ * 8);
- SENDERR(EINVAL);
- }
-
- /* save encryption key pointer */
- ekp = ipsp->ips_key_e;
- eks = ipsp->ips_key_e_size;
-
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "allocating %lu bytes for 3des.\n",
- (unsigned long) (3 * sizeof(struct des_eks)));
- if((ipsp->ips_key_e = (caddr_t)
- kmalloc(3 * sizeof(struct des_eks), GFP_ATOMIC)) == NULL) {
- ipsp->ips_key_e = ekp;
- SENDERR(ENOMEM);
- }
- ipsp->ips_key_e_size = 3 * sizeof(struct des_eks);
-
- for(i = 0; i < 3; i++) {
-#if KLIPS_DIVULGE_CYPHER_KEY
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "3des key %d/3 is 0x%08x%08x\n",
- i + 1,
- ntohl(*((__u32 *)ekp + i * 2)),
- ntohl(*((__u32 *)ekp + i * 2 + 1)));
-# endif
-#if KLIPS_FIXES_DES_PARITY
- /* force parity */
- des_set_odd_parity((des_cblock *)(ekp + EMT_ESPDES_KEY_SZ * i));
-#endif
- error = des_set_key((des_cblock *)(ekp + EMT_ESPDES_KEY_SZ * i),
- ((struct des_eks *)(ipsp->ips_key_e))[i].ks);
- if (error == -1)
- printk("klips_debug:pfkey_ipsec_sa_init: "
- "parity error in des key %d/3\n",
- i + 1);
- else if (error == -2)
- printk("klips_debug:pfkey_ipsec_sa_init: "
- "illegal weak des key %d/3\n", i + 1);
- if (error) {
- memset(ekp, 0, eks);
- kfree(ekp);
- SENDERR(EINVAL);
- }
- }
-
- /* paranoid */
- memset(ekp, 0, eks);
- kfree(ekp);
- break;
-# endif /* CONFIG_IPSEC_ENC_3DES */
- case ESP_NONE:
- break;
- default:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ipsec_sa_init: "
- "encalg=%d support not available in the kernel",
- ipsp->ips_encalg);
- SENDERR(EINVAL);
- }
-
-#ifdef CONFIG_IPSEC_ALG
- if ((ixt_a=ipsp->ips_alg_auth)) {
- if ((error=ipsec_alg_auth_key_create(ipsp)) < 0)
- SENDERR(-error);
- } else
-#endif /* CONFIG_IPSEC_ALG */
-
- switch(ipsp->ips_authalg) {
-# ifdef CONFIG_IPSEC_AUTH_HMAC_MD5
- case AH_MD5: {
- MD5_CTX *ictx;
- MD5_CTX *octx;
-
- if(ipsp->ips_key_bits_a != (AHMD596_KLEN * 8)) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ipsec_sa_init: "
- "incorrect authorisation key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
- ipsp->ips_key_bits_a,
- AHMD596_KLEN * 8);
- SENDERR(EINVAL);
- }
-
-# if KLIPS_DIVULGE_HMAC_KEY
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "hmac md5-96 key is 0x%08x %08x %08x %08x\n",
- ntohl(*(((__u32 *)(ipsp->ips_key_a))+0)),
- ntohl(*(((__u32 *)(ipsp->ips_key_a))+1)),
- ntohl(*(((__u32 *)(ipsp->ips_key_a))+2)),
- ntohl(*(((__u32 *)(ipsp->ips_key_a))+3)));
-# endif /* KLIPS_DIVULGE_HMAC_KEY */
- ipsp->ips_auth_bits = AHMD596_ALEN * 8;
-
- /* save the pointer to the key material */
- akp = ipsp->ips_key_a;
- aks = ipsp->ips_key_a_size;
-
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "allocating %lu bytes for md5_ctx.\n",
- (unsigned long) sizeof(struct md5_ctx));
- if((ipsp->ips_key_a = (caddr_t)
- kmalloc(sizeof(struct md5_ctx), GFP_ATOMIC)) == NULL) {
- ipsp->ips_key_a = akp;
- SENDERR(ENOMEM);
- }
- ipsp->ips_key_a_size = sizeof(struct md5_ctx);
-
- for (i = 0; i < DIVUP(ipsp->ips_key_bits_a, 8); i++) {
- kb[i] = akp[i] ^ HMAC_IPAD;
- }
- for (; i < AHMD596_BLKLEN; i++) {
- kb[i] = HMAC_IPAD;
- }
-
- ictx = &(((struct md5_ctx*)(ipsp->ips_key_a))->ictx);
- MD5Init(ictx);
- MD5Update(ictx, kb, AHMD596_BLKLEN);
-
- for (i = 0; i < AHMD596_BLKLEN; i++) {
- kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);
- }
-
- octx = &(((struct md5_ctx*)(ipsp->ips_key_a))->octx);
- MD5Init(octx);
- MD5Update(octx, kb, AHMD596_BLKLEN);
-
-# if KLIPS_DIVULGE_HMAC_KEY
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "MD5 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
- ((__u32*)ictx)[0],
- ((__u32*)ictx)[1],
- ((__u32*)ictx)[2],
- ((__u32*)ictx)[3],
- ((__u32*)octx)[0],
- ((__u32*)octx)[1],
- ((__u32*)octx)[2],
- ((__u32*)octx)[3] );
-# endif /* KLIPS_DIVULGE_HMAC_KEY */
- /* paranoid */
- memset(akp, 0, aks);
- kfree(akp);
- break;
- }
-# endif /* CONFIG_IPSEC_AUTH_HMAC_MD5 */
-# ifdef CONFIG_IPSEC_AUTH_HMAC_SHA1
- case AH_SHA: {
- SHA1_CTX *ictx;
- SHA1_CTX *octx;
-
- if(ipsp->ips_key_bits_a != (AHSHA196_KLEN * 8)) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ipsec_sa_init: "
- "incorrect authorisation key size: %d bits -- must be %d bits\n"/*octets (bytes)\n"*/,
- ipsp->ips_key_bits_a,
- AHSHA196_KLEN * 8);
- SENDERR(EINVAL);
- }
-
-# if KLIPS_DIVULGE_HMAC_KEY
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "hmac sha1-96 key is 0x%08x %08x %08x %08x\n",
- ntohl(*(((__u32 *)ipsp->ips_key_a)+0)),
- ntohl(*(((__u32 *)ipsp->ips_key_a)+1)),
- ntohl(*(((__u32 *)ipsp->ips_key_a)+2)),
- ntohl(*(((__u32 *)ipsp->ips_key_a)+3)));
-# endif /* KLIPS_DIVULGE_HMAC_KEY */
- ipsp->ips_auth_bits = AHSHA196_ALEN * 8;
-
- /* save the pointer to the key material */
- akp = ipsp->ips_key_a;
- aks = ipsp->ips_key_a_size;
-
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "allocating %lu bytes for sha1_ctx.\n",
- (unsigned long) sizeof(struct sha1_ctx));
- if((ipsp->ips_key_a = (caddr_t)
- kmalloc(sizeof(struct sha1_ctx), GFP_ATOMIC)) == NULL) {
- ipsp->ips_key_a = akp;
- SENDERR(ENOMEM);
- }
- ipsp->ips_key_a_size = sizeof(struct sha1_ctx);
-
- for (i = 0; i < DIVUP(ipsp->ips_key_bits_a, 8); i++) {
- kb[i] = akp[i] ^ HMAC_IPAD;
- }
- for (; i < AHMD596_BLKLEN; i++) {
- kb[i] = HMAC_IPAD;
- }
-
- ictx = &(((struct sha1_ctx*)(ipsp->ips_key_a))->ictx);
- SHA1Init(ictx);
- SHA1Update(ictx, kb, AHSHA196_BLKLEN);
-
- for (i = 0; i < AHSHA196_BLKLEN; i++) {
- kb[i] ^= (HMAC_IPAD ^ HMAC_OPAD);
- }
-
- octx = &((struct sha1_ctx*)(ipsp->ips_key_a))->octx;
- SHA1Init(octx);
- SHA1Update(octx, kb, AHSHA196_BLKLEN);
-
-# if KLIPS_DIVULGE_HMAC_KEY
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_ipsec_sa_init: "
- "SHA1 ictx=0x%08x %08x %08x %08x octx=0x%08x %08x %08x %08x\n",
- ((__u32*)ictx)[0],
- ((__u32*)ictx)[1],
- ((__u32*)ictx)[2],
- ((__u32*)ictx)[3],
- ((__u32*)octx)[0],
- ((__u32*)octx)[1],
- ((__u32*)octx)[2],
- ((__u32*)octx)[3] );
-# endif /* KLIPS_DIVULGE_HMAC_KEY */
- memset(akp, 0, aks);
- kfree(akp);
- break;
- }
-# endif /* CONFIG_IPSEC_AUTH_HMAC_SHA1 */
- case AH_NONE:
- break;
- default:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ipsec_sa_init: "
- "authalg=%d support not available in the kernel.\n",
- ipsp->ips_authalg);
- SENDERR(EINVAL);
- }
- }
- break;
-#endif /* !CONFIG_IPSEC_ESP */
-#ifdef CONFIG_IPSEC_IPCOMP
- case IPPROTO_COMP:
- ipsp->ips_comp_adapt_tries = 0;
- ipsp->ips_comp_adapt_skip = 0;
- ipsp->ips_comp_ratio_cbytes = 0;
- ipsp->ips_comp_ratio_dbytes = 0;
- break;
-#endif /* CONFIG_IPSEC_IPCOMP */
- default:
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_ipsec_sa_init: "
- "proto=%d unknown.\n",
- ipsp->ips_said.proto);
- SENDERR(EINVAL);
- }
-
- errlab:
- return(error);
-}
-
-
-int
-pfkey_safe_build(int error, struct sadb_ext *extensions[SADB_MAX+1])
-{
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_safe_build: "
- "error=%d\n",
- error);
- if (!error) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_safe_build:"
- "success.\n");
- return 1;
- } else {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_safe_build:"
- "caught error %d\n",
- error);
- pfkey_extensions_free(extensions);
- return 0;
- }
-}
-
-
-DEBUG_NO_STATIC int
-pfkey_getspi_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- ipsec_spi_t minspi = htonl(256), maxspi = htonl(-1L);
- int found_avail = 0;
- struct ipsec_sa *ipsq;
- char sa[SATOA_BUF];
- size_t sa_len;
- struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
- struct sadb_msg *pfkey_reply = NULL;
- struct socket_list *pfkey_socketsp;
- uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_getspi_parse: .\n");
-
- pfkey_extensions_init(extensions_reply);
-
- if(extr == NULL || extr->ips == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_getspi_parse: "
- "error, extr or extr->ipsec_sa pointer NULL\n");
- SENDERR(EINVAL);
- }
-
- if(extensions[SADB_EXT_SPIRANGE]) {
- minspi = ((struct sadb_spirange *)extensions[SADB_EXT_SPIRANGE])->sadb_spirange_min;
- maxspi = ((struct sadb_spirange *)extensions[SADB_EXT_SPIRANGE])->sadb_spirange_max;
- }
-
- if(maxspi == minspi) {
- extr->ips->ips_said.spi = maxspi;
- ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
- if(ipsq != NULL) {
- sa_len = satoa(extr->ips->ips_said, 0, sa, SATOA_BUF);
- ipsec_sa_put(ipsq);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_getspi_parse: "
- "EMT_GETSPI found an old ipsec_sa for SA: %s, delete it first.\n",
- sa_len ? sa : " (error)");
- SENDERR(EEXIST);
- } else {
- found_avail = 1;
- }
- } else {
- int i = 0;
- __u32 rand_val;
- __u32 spi_diff;
- while( ( i < (spi_diff = (ntohl(maxspi) - ntohl(minspi)))) && !found_avail ) {
- prng_bytes(&ipsec_prng, (char *) &(rand_val),
- ( (spi_diff < (2^8)) ? 1 :
- ( (spi_diff < (2^16)) ? 2 :
- ( (spi_diff < (2^24)) ? 3 :
- 4 ) ) ) );
- extr->ips->ips_said.spi = htonl(ntohl(minspi) +
- (rand_val %
- (spi_diff + 1)));
- i++;
- ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
- if(ipsq == NULL) {
- found_avail = 1;
- } else {
- ipsec_sa_put(ipsq);
- }
- }
- }
-
- sa_len = satoa(extr->ips->ips_said, 0, sa, SATOA_BUF);
-
- if (!found_avail) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_getspi_parse: "
- "found an old ipsec_sa for SA: %s, delete it first.\n",
- sa_len ? sa : " (error)");
- SENDERR(EEXIST);
- }
-
- if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.s_addr) == IS_MYADDR) {
- extr->ips->ips_flags |= EMT_INBOUND;
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_getspi_parse: "
- "existing ipsec_sa not found (this is good) for SA: %s, %s-bound, allocating.\n",
- sa_len ? sa : " (error)",
- extr->ips->ips_flags & EMT_INBOUND ? "in" : "out");
-
- /* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/
- extr->ips->ips_rcvif = NULL;
- extr->ips->ips_life.ipl_addtime.ipl_count = jiffies/HZ;
-
- extr->ips->ips_state = SADB_SASTATE_LARVAL;
-
- if(!extr->ips->ips_life.ipl_allocations.ipl_count) {
- extr->ips->ips_life.ipl_allocations.ipl_count += 1;
- }
-
- if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
- SADB_GETSPI,
- satype,
- 0,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
- SADB_EXT_SA,
- extr->ips->ips_said.spi,
- 0,
- SADB_SASTATE_LARVAL,
- 0,
- 0,
- 0,
- extr->ips->ips_ref),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
- SADB_EXT_ADDRESS_SRC,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips->ips_addr_s),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
- SADB_EXT_ADDRESS_DST,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips->ips_addr_d),
- extensions_reply) )) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
- "failed to build the getspi reply message extensions\n");
- goto errlab;
- }
-
- if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
- "failed to build the getspi reply message\n");
- SENDERR(-error);
- }
- for(pfkey_socketsp = pfkey_open_sockets;
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
- "sending up getspi reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp,
- error);
- SENDERR(-error);
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
- "sending up getspi reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp);
- }
-
- if((error = ipsec_sa_add(extr->ips))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_getspi_parse: "
- "failed to add the larval SA=%s with error=%d.\n",
- sa_len ? sa : " (error)",
- error);
- SENDERR(-error);
- }
- extr->ips = NULL;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_getspi_parse: "
- "successful for SA: %s\n",
- sa_len ? sa : " (error)");
-
- errlab:
- if (pfkey_reply) {
- pfkey_msg_free(&pfkey_reply);
- }
- pfkey_extensions_free(extensions_reply);
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_update_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- struct ipsec_sa* ipsq;
- char sa[SATOA_BUF];
- size_t sa_len;
- struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
- struct sadb_msg *pfkey_reply = NULL;
- struct socket_list *pfkey_socketsp;
- uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- struct ipsec_sa *nat_t_ips_saved = NULL;
-#endif
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_update_parse: .\n");
-
- pfkey_extensions_init(extensions_reply);
-
- if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != SADB_SASTATE_MATURE) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_update_parse: "
- "error, sa_state=%d must be MATURE=%d\n",
- ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state,
- SADB_SASTATE_MATURE);
- SENDERR(EINVAL);
- }
-
- if(extr == NULL || extr->ips == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_update_parse: "
- "error, extr or extr->ips pointer NULL\n");
- SENDERR(EINVAL);
- }
-
- sa_len = satoa(extr->ips->ips_said, 0, sa, SATOA_BUF);
-
- spin_lock_bh(&tdb_lock);
-
- ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
- if (ipsq == NULL) {
- spin_unlock_bh(&tdb_lock);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_update_parse: "
- "reserved ipsec_sa for SA: %s not found. Call SADB_GETSPI first or call SADB_ADD instead.\n",
- sa_len ? sa : " (error)");
- SENDERR(ENOENT);
- }
-
- if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.s_addr) == IS_MYADDR) {
- extr->ips->ips_flags |= EMT_INBOUND;
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_update_parse: "
- "existing ipsec_sa found (this is good) for SA: %s, %s-bound, updating.\n",
- sa_len ? sa : " (error)",
- extr->ips->ips_flags & EMT_INBOUND ? "in" : "out");
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- if (extr->ips->ips_natt_sport || extr->ips->ips_natt_dport) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_update_parse: only updating NAT-T ports "
- "(%u:%u -> %u:%u)\n",
- ipsq->ips_natt_sport, ipsq->ips_natt_dport,
- extr->ips->ips_natt_sport, extr->ips->ips_natt_dport);
-
- if (extr->ips->ips_natt_sport) {
- ipsq->ips_natt_sport = extr->ips->ips_natt_sport;
- if (ipsq->ips_addr_s->sa_family == AF_INET) {
- ((struct sockaddr_in *)(ipsq->ips_addr_s))->sin_port = htons(extr->ips->ips_natt_sport);
- }
- }
-
- if (extr->ips->ips_natt_dport) {
- ipsq->ips_natt_dport = extr->ips->ips_natt_dport;
- if (ipsq->ips_addr_d->sa_family == AF_INET) {
- ((struct sockaddr_in *)(ipsq->ips_addr_d))->sin_port = htons(extr->ips->ips_natt_dport);
- }
- }
-
- nat_t_ips_saved = extr->ips;
- extr->ips = ipsq;
- }
- else {
-#endif
-
- /* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/
- extr->ips->ips_rcvif = NULL;
- if ((error = pfkey_ipsec_sa_init(extr->ips, extensions))) {
- ipsec_sa_put(ipsq);
- spin_unlock_bh(&tdb_lock);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_update_parse: "
- "not successful for SA: %s, deleting.\n",
- sa_len ? sa : " (error)");
- SENDERR(-error);
- }
-
- extr->ips->ips_life.ipl_addtime.ipl_count = ipsq->ips_life.ipl_addtime.ipl_count;
- ipsec_sa_put(ipsq);
- if((error = ipsec_sa_delchain(ipsq))) {
- spin_unlock_bh(&tdb_lock);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_update_parse: "
- "error=%d, trouble deleting intermediate ipsec_sa for SA=%s.\n",
- error,
- sa_len ? sa : " (error)");
- SENDERR(-error);
- }
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- }
-#endif
-
- spin_unlock_bh(&tdb_lock);
-
- if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
- SADB_UPDATE,
- satype,
- 0,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
- SADB_EXT_SA,
- extr->ips->ips_said.spi,
- extr->ips->ips_replaywin,
- extr->ips->ips_state,
- extr->ips->ips_authalg,
- extr->ips->ips_encalg,
- extr->ips->ips_flags,
- extr->ips->ips_ref),
- extensions_reply)
- /* The 3 lifetime extentions should only be sent if non-zero. */
- && (extensions[SADB_EXT_LIFETIME_HARD]
- ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_HARD],
- SADB_EXT_LIFETIME_HARD,
- extr->ips->ips_life.ipl_allocations.ipl_hard,
- extr->ips->ips_life.ipl_bytes.ipl_hard,
- extr->ips->ips_life.ipl_addtime.ipl_hard,
- extr->ips->ips_life.ipl_usetime.ipl_hard,
- extr->ips->ips_life.ipl_packets.ipl_hard),
- extensions_reply) : 1)
- && (extensions[SADB_EXT_LIFETIME_SOFT]
- ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_SOFT],
- SADB_EXT_LIFETIME_SOFT,
- extr->ips->ips_life.ipl_allocations.ipl_count,
- extr->ips->ips_life.ipl_bytes.ipl_count,
- extr->ips->ips_life.ipl_addtime.ipl_count,
- extr->ips->ips_life.ipl_usetime.ipl_count,
- extr->ips->ips_life.ipl_packets.ipl_count),
- extensions_reply) : 1)
- && (extr->ips->ips_life.ipl_allocations.ipl_count
- || extr->ips->ips_life.ipl_bytes.ipl_count
- || extr->ips->ips_life.ipl_addtime.ipl_count
- || extr->ips->ips_life.ipl_usetime.ipl_count
- || extr->ips->ips_life.ipl_packets.ipl_count
-
- ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_CURRENT],
- SADB_EXT_LIFETIME_CURRENT,
- extr->ips->ips_life.ipl_allocations.ipl_count,
- extr->ips->ips_life.ipl_bytes.ipl_count,
- extr->ips->ips_life.ipl_addtime.ipl_count,
- extr->ips->ips_life.ipl_usetime.ipl_count,
- extr->ips->ips_life.ipl_packets.ipl_count),
- extensions_reply) : 1)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
- SADB_EXT_ADDRESS_SRC,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips->ips_addr_s),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
- SADB_EXT_ADDRESS_DST,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips->ips_addr_d),
- extensions_reply)
- && (extr->ips->ips_ident_s.data
- ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_SRC],
- SADB_EXT_IDENTITY_SRC,
- extr->ips->ips_ident_s.type,
- extr->ips->ips_ident_s.id,
- extr->ips->ips_ident_s.len,
- extr->ips->ips_ident_s.data),
- extensions_reply) : 1)
- && (extr->ips->ips_ident_d.data
- ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_DST],
- SADB_EXT_IDENTITY_DST,
- extr->ips->ips_ident_d.type,
- extr->ips->ips_ident_d.id,
- extr->ips->ips_ident_d.len,
- extr->ips->ips_ident_d.data),
- extensions_reply) : 1)
-#if 0
- /* FIXME: This won't work yet because I have not finished
- it. */
- && (extr->ips->ips_sens_
- ? pfkey_safe_build(error = pfkey_sens_build(&extensions_reply[SADB_EXT_SENSITIVITY],
- extr->ips->ips_sens_dpd,
- extr->ips->ips_sens_sens_level,
- extr->ips->ips_sens_sens_len,
- extr->ips->ips_sens_sens_bitmap,
- extr->ips->ips_sens_integ_level,
- extr->ips->ips_sens_integ_len,
- extr->ips->ips_sens_integ_bitmap),
- extensions_reply) : 1)
-#endif
- )) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
- "failed to build the update reply message extensions\n");
- SENDERR(-error);
- }
-
- if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
- "failed to build the update reply message\n");
- SENDERR(-error);
- }
- for(pfkey_socketsp = pfkey_open_sockets;
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
- "sending up update reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp,
- error);
- SENDERR(-error);
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
- "sending up update reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp);
- }
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- if (nat_t_ips_saved) {
- /**
- * As we _really_ update existing SA, we keep tdbq and need to delete
- * parsed ips (nat_t_ips_saved, was extr->ips).
- *
- * goto errlab with extr->ips = nat_t_ips_saved will free it.
- */
-
- extr->ips = nat_t_ips_saved;
-
- error = 0;
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_update_parse (NAT-T ports): "
- "successful for SA: %s\n",
- sa_len ? sa : " (error)");
-
- goto errlab;
- }
-#endif
-
- if((error = ipsec_sa_add(extr->ips))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_update_parse: "
- "failed to update the mature SA=%s with error=%d.\n",
- sa_len ? sa : " (error)",
- error);
- SENDERR(-error);
- }
- extr->ips = NULL;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_update_parse: "
- "successful for SA: %s\n",
- sa_len ? sa : " (error)");
-
- errlab:
- if (pfkey_reply) {
- pfkey_msg_free(&pfkey_reply);
- }
- pfkey_extensions_free(extensions_reply);
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_add_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- struct ipsec_sa* ipsq;
- char sa[SATOA_BUF];
- size_t sa_len;
- struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
- struct sadb_msg *pfkey_reply = NULL;
- struct socket_list *pfkey_socketsp;
- uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_add_parse: .\n");
-
- pfkey_extensions_init(extensions_reply);
-
- if(((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state != SADB_SASTATE_MATURE) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_add_parse: "
- "error, sa_state=%d must be MATURE=%d\n",
- ((struct sadb_sa*)extensions[SADB_EXT_SA])->sadb_sa_state,
- SADB_SASTATE_MATURE);
- SENDERR(EINVAL);
- }
-
- if(!extr || !extr->ips) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_add_parse: "
- "extr or extr->ips pointer NULL\n");
- SENDERR(EINVAL);
- }
-
- sa_len = satoa(extr->ips->ips_said, 0, sa, SATOA_BUF);
-
- ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
- if(ipsq != NULL) {
- ipsec_sa_put(ipsq);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_add_parse: "
- "found an old ipsec_sa for SA%s, delete it first.\n",
- sa_len ? sa : " (error)");
- SENDERR(EEXIST);
- }
-
- if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.s_addr) == IS_MYADDR) {
- extr->ips->ips_flags |= EMT_INBOUND;
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_add_parse: "
- "existing ipsec_sa not found (this is good) for SA%s, %s-bound, allocating.\n",
- sa_len ? sa : " (error)",
- extr->ips->ips_flags & EMT_INBOUND ? "in" : "out");
-
- /* XXX extr->ips->ips_rcvif = &(enc_softc[em->em_if].enc_if);*/
- extr->ips->ips_rcvif = NULL;
-
- if ((error = pfkey_ipsec_sa_init(extr->ips, extensions))) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_add_parse: "
- "not successful for SA: %s, deleting.\n",
- sa_len ? sa : " (error)");
- SENDERR(-error);
- }
-
- extr->ips->ips_life.ipl_addtime.ipl_count = jiffies / HZ;
- if(!extr->ips->ips_life.ipl_allocations.ipl_count) {
- extr->ips->ips_life.ipl_allocations.ipl_count += 1;
- }
-
- if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
- SADB_ADD,
- satype,
- 0,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
- SADB_EXT_SA,
- extr->ips->ips_said.spi,
- extr->ips->ips_replaywin,
- extr->ips->ips_state,
- extr->ips->ips_authalg,
- extr->ips->ips_encalg,
- extr->ips->ips_flags,
- extr->ips->ips_ref),
- extensions_reply)
- /* The 3 lifetime extentions should only be sent if non-zero. */
- && (extensions[SADB_EXT_LIFETIME_HARD]
- ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_HARD],
- SADB_EXT_LIFETIME_HARD,
- extr->ips->ips_life.ipl_allocations.ipl_hard,
- extr->ips->ips_life.ipl_bytes.ipl_hard,
- extr->ips->ips_life.ipl_addtime.ipl_hard,
- extr->ips->ips_life.ipl_usetime.ipl_hard,
- extr->ips->ips_life.ipl_packets.ipl_hard),
- extensions_reply) : 1)
- && (extensions[SADB_EXT_LIFETIME_SOFT]
- ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_SOFT],
- SADB_EXT_LIFETIME_SOFT,
- extr->ips->ips_life.ipl_allocations.ipl_soft,
- extr->ips->ips_life.ipl_bytes.ipl_soft,
- extr->ips->ips_life.ipl_addtime.ipl_soft,
- extr->ips->ips_life.ipl_usetime.ipl_soft,
- extr->ips->ips_life.ipl_packets.ipl_soft),
- extensions_reply) : 1)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
- SADB_EXT_ADDRESS_SRC,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips->ips_addr_s),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
- SADB_EXT_ADDRESS_DST,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips->ips_addr_d),
- extensions_reply)
- && (extr->ips->ips_ident_s.data
- ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_SRC],
- SADB_EXT_IDENTITY_SRC,
- extr->ips->ips_ident_s.type,
- extr->ips->ips_ident_s.id,
- extr->ips->ips_ident_s.len,
- extr->ips->ips_ident_s.data),
- extensions_reply) : 1)
- && (extr->ips->ips_ident_d.data
- ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_DST],
- SADB_EXT_IDENTITY_DST,
- extr->ips->ips_ident_d.type,
- extr->ips->ips_ident_d.id,
- extr->ips->ips_ident_d.len,
- extr->ips->ips_ident_d.data),
- extensions_reply) : 1)
-#if 0
- /* FIXME: This won't work yet because I have not finished
- it. */
- && (extr->ips->ips_sens_
- ? pfkey_safe_build(error = pfkey_sens_build(&extensions_reply[SADB_EXT_SENSITIVITY],
- extr->ips->ips_sens_dpd,
- extr->ips->ips_sens_sens_level,
- extr->ips->ips_sens_sens_len,
- extr->ips->ips_sens_sens_bitmap,
- extr->ips->ips_sens_integ_level,
- extr->ips->ips_sens_integ_len,
- extr->ips->ips_sens_integ_bitmap),
- extensions_reply) : 1)
-#endif
- )) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
- "failed to build the add reply message extensions\n");
- SENDERR(-error);
- }
-
- if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
- "failed to build the add reply message\n");
- SENDERR(-error);
- }
- for(pfkey_socketsp = pfkey_open_sockets;
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
- "sending up add reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp,
- error);
- SENDERR(-error);
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
- "sending up add reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp);
- }
-
- if((error = ipsec_sa_add(extr->ips))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_add_parse: "
- "failed to add the mature SA=%s with error=%d.\n",
- sa_len ? sa : " (error)",
- error);
- SENDERR(-error);
- }
- extr->ips = NULL;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_add_parse: "
- "successful for SA: %s\n",
- sa_len ? sa : " (error)");
-
- errlab:
- if (pfkey_reply) {
- pfkey_msg_free(&pfkey_reply);
- }
- pfkey_extensions_free(extensions_reply);
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_delete_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- struct ipsec_sa *ipsp;
- char sa[SATOA_BUF];
- size_t sa_len;
- int error = 0;
- struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
- struct sadb_msg *pfkey_reply = NULL;
- struct socket_list *pfkey_socketsp;
- uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_delete_parse: .\n");
-
- pfkey_extensions_init(extensions_reply);
-
- if(!extr || !extr->ips) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_delete_parse: "
- "extr or extr->ips pointer NULL, fatal\n");
- SENDERR(EINVAL);
- }
-
- sa_len = satoa(extr->ips->ips_said, 0, sa, SATOA_BUF);
-
- spin_lock_bh(&tdb_lock);
-
- ipsp = ipsec_sa_getbyid(&(extr->ips->ips_said));
- if (ipsp == NULL) {
- spin_unlock_bh(&tdb_lock);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_delete_parse: "
- "ipsec_sa not found for SA:%s, could not delete.\n",
- sa_len ? sa : " (error)");
- SENDERR(ESRCH);
- }
-
- ipsec_sa_put(ipsp);
- if((error = ipsec_sa_delchain(ipsp))) {
- spin_unlock_bh(&tdb_lock);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_delete_parse: "
- "error=%d returned trying to delete ipsec_sa for SA:%s.\n",
- error,
- sa_len ? sa : " (error)");
- SENDERR(-error);
- }
- spin_unlock_bh(&tdb_lock);
-
- if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
- SADB_DELETE,
- satype,
- 0,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
- SADB_EXT_SA,
- extr->ips->ips_said.spi,
- 0,
- 0,
- 0,
- 0,
- 0,
- extr->ips->ips_ref),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
- SADB_EXT_ADDRESS_SRC,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips->ips_addr_s),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
- SADB_EXT_ADDRESS_DST,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips->ips_addr_d),
- extensions_reply)
- )) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
- "failed to build the delete reply message extensions\n");
- SENDERR(-error);
- }
-
- if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
- "failed to build the delete reply message\n");
- SENDERR(-error);
- }
- for(pfkey_socketsp = pfkey_open_sockets;
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
- "sending up delete reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp,
- error);
- SENDERR(-error);
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_delete_parse: "
- "sending up delete reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp);
- }
-
- errlab:
- if (pfkey_reply) {
- pfkey_msg_free(&pfkey_reply);
- }
- pfkey_extensions_free(extensions_reply);
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_get_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- struct ipsec_sa *ipsp;
- char sa[SATOA_BUF];
- size_t sa_len;
- struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
- struct sadb_msg *pfkey_reply = NULL;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_get_parse: .\n");
-
- pfkey_extensions_init(extensions_reply);
-
- if(!extr || !extr->ips) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_get_parse: "
- "extr or extr->ips pointer NULL, fatal\n");
- SENDERR(EINVAL);
- }
-
- sa_len = satoa(extr->ips->ips_said, 0, sa, SATOA_BUF);
-
- spin_lock_bh(&tdb_lock);
-
- ipsp = ipsec_sa_getbyid(&(extr->ips->ips_said));
- if (ipsp == NULL) {
- spin_unlock_bh(&tdb_lock);
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
- "ipsec_sa not found for SA=%s, could not get.\n",
- sa_len ? sa : " (error)");
- SENDERR(ESRCH);
- }
-
- if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
- SADB_GET,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype,
- 0,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
- SADB_EXT_SA,
- extr->ips->ips_said.spi,
- extr->ips->ips_replaywin,
- extr->ips->ips_state,
- extr->ips->ips_authalg,
- extr->ips->ips_encalg,
- extr->ips->ips_flags,
- extr->ips->ips_ref),
- extensions_reply)
- /* The 3 lifetime extentions should only be sent if non-zero. */
- && (ipsp->ips_life.ipl_allocations.ipl_count
- || ipsp->ips_life.ipl_bytes.ipl_count
- || ipsp->ips_life.ipl_addtime.ipl_count
- || ipsp->ips_life.ipl_usetime.ipl_count
- || ipsp->ips_life.ipl_packets.ipl_count
- ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_CURRENT],
- SADB_EXT_LIFETIME_CURRENT,
- ipsp->ips_life.ipl_allocations.ipl_count,
- ipsp->ips_life.ipl_bytes.ipl_count,
- ipsp->ips_life.ipl_addtime.ipl_count,
- ipsp->ips_life.ipl_usetime.ipl_count,
- ipsp->ips_life.ipl_packets.ipl_count),
- extensions_reply) : 1)
- && (ipsp->ips_life.ipl_allocations.ipl_hard
- || ipsp->ips_life.ipl_bytes.ipl_hard
- || ipsp->ips_life.ipl_addtime.ipl_hard
- || ipsp->ips_life.ipl_usetime.ipl_hard
- || ipsp->ips_life.ipl_packets.ipl_hard
- ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_HARD],
- SADB_EXT_LIFETIME_HARD,
- ipsp->ips_life.ipl_allocations.ipl_hard,
- ipsp->ips_life.ipl_bytes.ipl_hard,
- ipsp->ips_life.ipl_addtime.ipl_hard,
- ipsp->ips_life.ipl_usetime.ipl_hard,
- ipsp->ips_life.ipl_packets.ipl_hard),
- extensions_reply) : 1)
- && (ipsp->ips_life.ipl_allocations.ipl_soft
- || ipsp->ips_life.ipl_bytes.ipl_soft
- || ipsp->ips_life.ipl_addtime.ipl_soft
- || ipsp->ips_life.ipl_usetime.ipl_soft
- || ipsp->ips_life.ipl_packets.ipl_soft
- ? pfkey_safe_build(error = pfkey_lifetime_build(&extensions_reply[SADB_EXT_LIFETIME_SOFT],
- SADB_EXT_LIFETIME_SOFT,
- ipsp->ips_life.ipl_allocations.ipl_soft,
- ipsp->ips_life.ipl_bytes.ipl_soft,
- ipsp->ips_life.ipl_addtime.ipl_soft,
- ipsp->ips_life.ipl_usetime.ipl_soft,
- ipsp->ips_life.ipl_packets.ipl_soft),
- extensions_reply) : 1)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
- SADB_EXT_ADDRESS_SRC,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips->ips_addr_s),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
- SADB_EXT_ADDRESS_DST,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips->ips_addr_d),
- extensions_reply)
- && (extr->ips->ips_addr_p
- ? pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_PROXY],
- SADB_EXT_ADDRESS_PROXY,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips->ips_addr_p),
- extensions_reply) : 1)
-#if 0
- /* FIXME: This won't work yet because the keys are not
- stored directly in the ipsec_sa. They are stored as
- contexts. */
- && (extr->ips->ips_key_a_size
- ? pfkey_safe_build(error = pfkey_key_build(&extensions_reply[SADB_EXT_KEY_AUTH],
- SADB_EXT_KEY_AUTH,
- extr->ips->ips_key_a_size * 8,
- extr->ips->ips_key_a),
- extensions_reply) : 1)
- /* FIXME: This won't work yet because the keys are not
- stored directly in the ipsec_sa. They are stored as
- key schedules. */
- && (extr->ips->ips_key_e_size
- ? pfkey_safe_build(error = pfkey_key_build(&extensions_reply[SADB_EXT_KEY_ENCRYPT],
- SADB_EXT_KEY_ENCRYPT,
- extr->ips->ips_key_e_size * 8,
- extr->ips->ips_key_e),
- extensions_reply) : 1)
-#endif
- && (extr->ips->ips_ident_s.data
- ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_SRC],
- SADB_EXT_IDENTITY_SRC,
- extr->ips->ips_ident_s.type,
- extr->ips->ips_ident_s.id,
- extr->ips->ips_ident_s.len,
- extr->ips->ips_ident_s.data),
- extensions_reply) : 1)
- && (extr->ips->ips_ident_d.data
- ? pfkey_safe_build(error = pfkey_ident_build(&extensions_reply[SADB_EXT_IDENTITY_DST],
- SADB_EXT_IDENTITY_DST,
- extr->ips->ips_ident_d.type,
- extr->ips->ips_ident_d.id,
- extr->ips->ips_ident_d.len,
- extr->ips->ips_ident_d.data),
- extensions_reply) : 1)
-#if 0
- /* FIXME: This won't work yet because I have not finished
- it. */
- && (extr->ips->ips_sens_
- ? pfkey_safe_build(error = pfkey_sens_build(&extensions_reply[SADB_EXT_SENSITIVITY],
- extr->ips->ips_sens_dpd,
- extr->ips->ips_sens_sens_level,
- extr->ips->ips_sens_sens_len,
- extr->ips->ips_sens_sens_bitmap,
- extr->ips->ips_sens_integ_level,
- extr->ips->ips_sens_integ_len,
- extr->ips->ips_sens_integ_bitmap),
- extensions_reply) : 1)
-#endif
- )) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
- "failed to build the get reply message extensions\n");
- ipsec_sa_put(ipsp);
- spin_unlock_bh(&tdb_lock);
- SENDERR(-error);
- }
-
- ipsec_sa_put(ipsp);
- spin_unlock_bh(&tdb_lock);
-
- if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
- "failed to build the get reply message\n");
- SENDERR(-error);
- }
-
- if((error = pfkey_upmsg(sk->socket, pfkey_reply))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
- "failed to send the get reply message\n");
- SENDERR(-error);
- }
-
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
- "succeeded in sending get reply message.\n");
-
- errlab:
- if (pfkey_reply) {
- pfkey_msg_free(&pfkey_reply);
- }
- pfkey_extensions_free(extensions_reply);
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_acquire_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- struct socket_list *pfkey_socketsp;
- uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_acquire_parse: .\n");
-
- /* XXX I don't know if we want an upper bound, since userspace may
- want to register itself for an satype > SADB_SATYPE_MAX. */
- if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_acquire_parse: "
- "SATYPE=%d invalid.\n",
- satype);
- SENDERR(EINVAL);
- }
-
- if(!(pfkey_registered_sockets[satype])) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire_parse: "
- "no sockets registered for SAtype=%d(%s).\n",
- satype,
- satype2name(satype));
- SENDERR(EPROTONOSUPPORT);
- }
-
- for(pfkey_socketsp = pfkey_registered_sockets[satype];
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- if((error = pfkey_upmsg(pfkey_socketsp->socketp,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire_parse: "
- "sending up acquire reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp,
- error);
- SENDERR(-error);
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire_parse: "
- "sending up acquire reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp);
- }
-
- errlab:
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_register_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_register_parse: .\n");
-
- /* XXX I don't know if we want an upper bound, since userspace may
- want to register itself for an satype > SADB_SATYPE_MAX. */
- if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_register_parse: "
- "SATYPE=%d invalid.\n",
- satype);
- SENDERR(EINVAL);
- }
-
- if(!pfkey_list_insert_socket(sk->socket,
- &(pfkey_registered_sockets[satype]))) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_register_parse: "
- "SATYPE=%02d(%s) successfully registered by KMd (pid=%d).\n",
- satype,
- satype2name(satype),
- key_pid(sk));
- };
-
- /* send up register msg with supported SATYPE algos */
-
- error=pfkey_register_reply(satype, (struct sadb_msg*)extensions[SADB_EXT_RESERVED]);
- errlab:
- return error;
-}
-int
-pfkey_register_reply(int satype, struct sadb_msg *sadb_msg)
-{
- struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
- struct sadb_msg *pfkey_reply = NULL;
- struct socket_list *pfkey_socketsp;
- struct supported_list *pfkey_supported_listp;
- unsigned int alg_num_a = 0, alg_num_e = 0;
- struct sadb_alg *alg_a = NULL, *alg_e = NULL, *alg_ap = NULL, *alg_ep = NULL;
- int error = 0;
-
- pfkey_extensions_init(extensions_reply);
-
- if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
- "SAtype=%d unspecified or unknown.\n",
- satype);
- SENDERR(EINVAL);
- }
- if(!(pfkey_registered_sockets[satype])) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
- "no sockets registered for SAtype=%d(%s).\n",
- satype,
- satype2name(satype));
- SENDERR(EPROTONOSUPPORT);
- }
- /* send up register msg with supported SATYPE algos */
- pfkey_supported_listp = pfkey_supported_list[satype];
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_register_reply: "
- "pfkey_supported_list[%d]=0p%p\n",
- satype,
- pfkey_supported_list[satype]);
- while(pfkey_supported_listp) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_register_reply: "
- "checking supported=0p%p\n",
- pfkey_supported_listp);
- if(pfkey_supported_listp->supportedp->supported_alg_exttype == SADB_EXT_SUPPORTED_AUTH) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_register_reply: "
- "adding auth alg.\n");
- alg_num_a++;
- }
- if(pfkey_supported_listp->supportedp->supported_alg_exttype == SADB_EXT_SUPPORTED_ENCRYPT) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_register_reply: "
- "adding encrypt alg.\n");
- alg_num_e++;
- }
- pfkey_supported_listp = pfkey_supported_listp->next;
- }
-
- if(alg_num_a) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_register_reply: "
- "allocating %lu bytes for auth algs.\n",
- (unsigned long) (alg_num_a * sizeof(struct sadb_alg)));
- if((alg_a = kmalloc(alg_num_a * sizeof(struct sadb_alg), GFP_ATOMIC) ) == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_register_reply: "
- "auth alg memory allocation error\n");
- SENDERR(ENOMEM);
- }
- alg_ap = alg_a;
- }
-
- if(alg_num_e) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_register_reply: "
- "allocating %lu bytes for enc algs.\n",
- (unsigned long) (alg_num_e * sizeof(struct sadb_alg)));
- if((alg_e = kmalloc(alg_num_e * sizeof(struct sadb_alg), GFP_ATOMIC) ) == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_register_reply: "
- "enc alg memory allocation error\n");
- SENDERR(ENOMEM);
- }
- alg_ep = alg_e;
- }
-
- pfkey_supported_listp = pfkey_supported_list[satype];
- while(pfkey_supported_listp) {
- if(alg_num_a) {
- if(pfkey_supported_listp->supportedp->supported_alg_exttype == SADB_EXT_SUPPORTED_AUTH) {
- alg_ap->sadb_alg_id = pfkey_supported_listp->supportedp->supported_alg_id;
- alg_ap->sadb_alg_ivlen = pfkey_supported_listp->supportedp->supported_alg_ivlen;
- alg_ap->sadb_alg_minbits = pfkey_supported_listp->supportedp->supported_alg_minbits;
- alg_ap->sadb_alg_maxbits = pfkey_supported_listp->supportedp->supported_alg_maxbits;
- alg_ap->sadb_alg_reserved = 0;
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_register_reply: "
- "adding auth=0p%p\n",
- alg_ap);
- alg_ap++;
- }
- }
- if(alg_num_e) {
- if(pfkey_supported_listp->supportedp->supported_alg_exttype == SADB_EXT_SUPPORTED_ENCRYPT) {
- alg_ep->sadb_alg_id = pfkey_supported_listp->supportedp->supported_alg_id;
- alg_ep->sadb_alg_ivlen = pfkey_supported_listp->supportedp->supported_alg_ivlen;
- alg_ep->sadb_alg_minbits = pfkey_supported_listp->supportedp->supported_alg_minbits;
- alg_ep->sadb_alg_maxbits = pfkey_supported_listp->supportedp->supported_alg_maxbits;
- alg_ep->sadb_alg_reserved = 0;
- KLIPS_PRINT(debug_pfkey && sysctl_ipsec_debug_verbose,
- "klips_debug:pfkey_register_reply: "
- "adding encrypt=0p%p\n",
- alg_ep);
- alg_ep++;
- }
- }
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_register_reply: "
- "found satype=%d(%s) exttype=%d id=%d ivlen=%d minbits=%d maxbits=%d.\n",
- satype,
- satype2name(satype),
- pfkey_supported_listp->supportedp->supported_alg_exttype,
- pfkey_supported_listp->supportedp->supported_alg_id,
- pfkey_supported_listp->supportedp->supported_alg_ivlen,
- pfkey_supported_listp->supportedp->supported_alg_minbits,
- pfkey_supported_listp->supportedp->supported_alg_maxbits);
- pfkey_supported_listp = pfkey_supported_listp->next;
- }
- if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
- SADB_REGISTER,
- satype,
- 0,
- sadb_msg? sadb_msg->sadb_msg_seq : ++pfkey_msg_seq,
- sadb_msg? sadb_msg->sadb_msg_pid: current->pid),
- extensions_reply) &&
- (alg_num_a ? pfkey_safe_build(error = pfkey_supported_build(&extensions_reply[SADB_EXT_SUPPORTED_AUTH],
- SADB_EXT_SUPPORTED_AUTH,
- alg_num_a,
- alg_a),
- extensions_reply) : 1) &&
- (alg_num_e ? pfkey_safe_build(error = pfkey_supported_build(&extensions_reply[SADB_EXT_SUPPORTED_ENCRYPT],
- SADB_EXT_SUPPORTED_ENCRYPT,
- alg_num_e,
- alg_e),
- extensions_reply) : 1))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
- "failed to build the register message extensions_reply\n");
- SENDERR(-error);
- }
-
- if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
- "failed to build the register message\n");
- SENDERR(-error);
- }
- /* this should go to all registered sockets for that satype only */
- for(pfkey_socketsp = pfkey_registered_sockets[satype];
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
- "sending up acquire message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp,
- error);
- SENDERR(-error);
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_register_reply: "
- "sending up register message for satype=%d(%s) to socket=0p%p succeeded.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp);
- }
-
- errlab:
- if(alg_a) {
- kfree(alg_a);
- }
- if(alg_e) {
- kfree(alg_e);
- }
- if (pfkey_reply) {
- pfkey_msg_free(&pfkey_reply);
- }
- pfkey_extensions_free(extensions_reply);
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_expire_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- struct socket_list *pfkey_socketsp;
-#ifdef CONFIG_IPSEC_DEBUG
- uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
-#endif /* CONFIG_IPSEC_DEBUG */
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_expire_parse: .\n");
-
- if(pfkey_open_sockets) {
- for(pfkey_socketsp = pfkey_open_sockets;
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- if((error = pfkey_upmsg(pfkey_socketsp->socketp,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire_parse: "
- "sending up expire reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp,
- error);
- SENDERR(-error);
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire_parse: "
- "sending up expire reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp);
- }
- }
-
- errlab:
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_flush_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- int error = 0;
- struct socket_list *pfkey_socketsp;
- uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
- uint8_t proto = 0;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_flush_parse: "
- "flushing type %d SAs\n",
- satype);
-
- if(satype && !(proto = satype2proto(satype))) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_flush_parse: "
- "satype %d lookup failed.\n",
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype);
- SENDERR(EINVAL);
- }
-
- if ((error = ipsec_sadb_cleanup(proto))) {
- SENDERR(-error);
- }
-
- if(pfkey_open_sockets) {
- for(pfkey_socketsp = pfkey_open_sockets;
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- if((error = pfkey_upmsg(pfkey_socketsp->socketp,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_flush_parse: "
- "sending up flush reply message for satype=%d(%s) (proto=%d) to socket=0p%p failed with error=%d.\n",
- satype,
- satype2name(satype),
- proto,
- pfkey_socketsp->socketp,
- error);
- SENDERR(-error);
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_flush_parse: "
- "sending up flush reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp);
- }
- }
-
- errlab:
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_dump_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- int error = 0;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_dump_parse: .\n");
-
- SENDERR(ENOSYS);
- errlab:
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_x_promisc_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- int error = 0;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_promisc_parse: .\n");
-
- SENDERR(ENOSYS);
- errlab:
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_x_pchange_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- int error = 0;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_pchange_parse: .\n");
-
- SENDERR(ENOSYS);
- errlab:
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_x_grpsa_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- struct ipsec_sa *ips1p, *ips2p, *ipsp;
- struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
- struct sadb_msg *pfkey_reply = NULL;
- struct socket_list *pfkey_socketsp;
- uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
- char sa1[SATOA_BUF], sa2[SATOA_BUF];
- size_t sa_len1, sa_len2 = 0;
- int error = 0;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_grpsa_parse: .\n");
-
- pfkey_extensions_init(extensions_reply);
-
- if(extr == NULL || extr->ips == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_grpsa_parse: "
- "extr or extr->ips is NULL, fatal.\n");
- SENDERR(EINVAL);
- }
-
- sa_len1 = satoa(extr->ips->ips_said, 0, sa1, SATOA_BUF);
- if(extr->ips2 != NULL) {
- sa_len2 = satoa(extr->ips2->ips_said, 0, sa2, SATOA_BUF);
- }
-
- spin_lock_bh(&tdb_lock);
-
- ips1p = ipsec_sa_getbyid(&(extr->ips->ips_said));
- if(ips1p == NULL) {
- spin_unlock_bh(&tdb_lock);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_grpsa_parse: "
- "reserved ipsec_sa for SA1: %s not found. Call SADB_ADD/UPDATE first.\n",
- sa_len1 ? sa1 : " (error)");
- SENDERR(ENOENT);
- }
- if(extr->ips2) { /* GRPSA */
- ips2p = ipsec_sa_getbyid(&(extr->ips2->ips_said));
- if(ips2p == NULL) {
- ipsec_sa_put(ips1p);
- spin_unlock_bh(&tdb_lock);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_grpsa_parse: "
- "reserved ipsec_sa for SA2: %s not found. Call SADB_ADD/UPDATE first.\n",
- sa_len2 ? sa2 : " (error)");
- SENDERR(ENOENT);
- }
-
- /* Is either one already linked? */
- if(ips1p->ips_onext) {
- ipsec_sa_put(ips1p);
- ipsec_sa_put(ips2p);
- spin_unlock_bh(&tdb_lock);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_grpsa_parse: "
- "ipsec_sa for SA: %s is already linked.\n",
- sa_len1 ? sa1 : " (error)");
- SENDERR(EEXIST);
- }
- if(ips2p->ips_inext) {
- ipsec_sa_put(ips1p);
- ipsec_sa_put(ips2p);
- spin_unlock_bh(&tdb_lock);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_grpsa_parse: "
- "ipsec_sa for SA: %s is already linked.\n",
- sa_len2 ? sa2 : " (error)");
- SENDERR(EEXIST);
- }
-
- /* Is extr->ips already linked to extr->ips2? */
- ipsp = ips2p;
- while(ipsp) {
- if(ipsp == ips1p) {
- ipsec_sa_put(ips1p);
- ipsec_sa_put(ips2p);
- spin_unlock_bh(&tdb_lock);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_grpsa_parse: "
- "ipsec_sa for SA: %s is already linked to %s.\n",
- sa_len1 ? sa1 : " (error)",
- sa_len2 ? sa2 : " (error)");
- SENDERR(EEXIST);
- }
- ipsp = ipsp->ips_onext;
- }
-
- /* link 'em */
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_grpsa_parse: "
- "linking ipsec_sa SA: %s with %s.\n",
- sa_len1 ? sa1 : " (error)",
- sa_len2 ? sa2 : " (error)");
- ips1p->ips_onext = ips2p;
- ips2p->ips_inext = ips1p;
- } else { /* UNGRPSA */
- ipsec_sa_put(ips1p);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_grpsa_parse: "
- "unlinking ipsec_sa SA: %s.\n",
- sa_len1 ? sa1 : " (error)");
- while(ips1p->ips_onext) {
- ips1p = ips1p->ips_onext;
- }
- while(ips1p->ips_inext) {
- ipsp = ips1p;
- ips1p = ips1p->ips_inext;
- ipsec_sa_put(ips1p);
- ipsp->ips_inext = NULL;
- ipsec_sa_put(ipsp);
- ips1p->ips_onext = NULL;
- }
- }
-
- spin_unlock_bh(&tdb_lock);
-
- if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
- SADB_X_GRPSA,
- satype,
- 0,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
- SADB_EXT_SA,
- extr->ips->ips_said.spi,
- extr->ips->ips_replaywin,
- extr->ips->ips_state,
- extr->ips->ips_authalg,
- extr->ips->ips_encalg,
- extr->ips->ips_flags,
- extr->ips->ips_ref),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
- SADB_EXT_ADDRESS_DST,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips->ips_addr_d),
- extensions_reply)
- && (extr->ips2
- ? (pfkey_safe_build(error = pfkey_x_satype_build(&extensions_reply[SADB_X_EXT_SATYPE2],
- ((struct sadb_x_satype*)extensions[SADB_X_EXT_SATYPE2])->sadb_x_satype_satype
- /* proto2satype(extr->ips2->ips_said.proto) */),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_X_EXT_SA2],
- SADB_X_EXT_SA2,
- extr->ips2->ips_said.spi,
- extr->ips2->ips_replaywin,
- extr->ips2->ips_state,
- extr->ips2->ips_authalg,
- extr->ips2->ips_encalg,
- extr->ips2->ips_flags,
- extr->ips2->ips_ref),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST2],
- SADB_X_EXT_ADDRESS_DST2,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips2->ips_addr_d),
- extensions_reply) ) : 1 )
- )) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
- "failed to build the x_grpsa reply message extensions\n");
- SENDERR(-error);
- }
-
- if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
- "failed to build the x_grpsa reply message\n");
- SENDERR(-error);
- }
-
- for(pfkey_socketsp = pfkey_open_sockets;
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
- "sending up x_grpsa reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp,
- error);
- SENDERR(-error);
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
- "sending up x_grpsa reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp);
- }
-
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_grpsa_parse: "
- "succeeded in sending x_grpsa reply message.\n");
-
- errlab:
- if (pfkey_reply) {
- pfkey_msg_free(&pfkey_reply);
- }
- pfkey_extensions_free(extensions_reply);
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_x_addflow_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- int error = 0;
-#ifdef CONFIG_IPSEC_DEBUG
- char buf1[64], buf2[64];
-#endif /* CONFIG_IPSEC_DEBUG */
- struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
- struct sadb_msg *pfkey_reply = NULL;
- struct socket_list *pfkey_socketsp;
- uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
- ip_address srcflow, dstflow, srcmask, dstmask;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_addflow_parse: .\n");
-
- pfkey_extensions_init(extensions_reply);
-
- memset((caddr_t)&srcflow, 0, sizeof(srcflow));
- memset((caddr_t)&dstflow, 0, sizeof(dstflow));
- memset((caddr_t)&srcmask, 0, sizeof(srcmask));
- memset((caddr_t)&dstmask, 0, sizeof(dstmask));
-
- if(!extr || !(extr->ips) || !(extr->eroute)) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_addflow_parse: "
- "missing extr, ipsec_sa or eroute data.\n");
- SENDERR(EINVAL);
- }
-
- srcflow.u.v4.sin_family = AF_INET;
- dstflow.u.v4.sin_family = AF_INET;
- srcmask.u.v4.sin_family = AF_INET;
- dstmask.u.v4.sin_family = AF_INET;
- srcflow.u.v4.sin_addr = extr->eroute->er_eaddr.sen_ip_src;
- dstflow.u.v4.sin_addr = extr->eroute->er_eaddr.sen_ip_dst;
- srcmask.u.v4.sin_addr = extr->eroute->er_emask.sen_ip_src;
- dstmask.u.v4.sin_addr = extr->eroute->er_emask.sen_ip_dst;
-
-#ifdef CONFIG_IPSEC_DEBUG
- if (debug_pfkey) {
- subnettoa(extr->eroute->er_eaddr.sen_ip_src,
- extr->eroute->er_emask.sen_ip_src, 0, buf1, sizeof(buf1));
- subnettoa(extr->eroute->er_eaddr.sen_ip_dst,
- extr->eroute->er_emask.sen_ip_dst, 0, buf2, sizeof(buf2));
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_addflow_parse: "
- "calling breakeroute and/or makeroute for %s->%s\n",
- buf1, buf2);
- }
-#endif /* CONFIG_IPSEC_DEBUG */
- if(extr->ips->ips_flags & SADB_X_SAFLAGS_INFLOW) {
-/* if(ip_chk_addr((unsigned long)extr->ips->ips_said.dst.s_addr) == IS_MYADDR) */
- struct ipsec_sa *ipsp, *ipsq;
- char sa[SATOA_BUF];
- size_t sa_len;
-
- ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said));
- if(ipsq == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_addflow_parse: "
- "ipsec_sa not found, cannot set incoming policy.\n");
- SENDERR(ENOENT);
- }
-
- ipsp = ipsq;
- while(ipsp && ipsp->ips_said.proto != IPPROTO_IPIP) {
- ipsp = ipsp->ips_inext;
- }
-
- if(ipsp == NULL) {
- ipsec_sa_put(ipsq);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_addflow_parse: "
- "SA chain does not have an IPIP SA, cannot set incoming policy.\n");
- SENDERR(ENOENT);
- }
-
- sa_len = satoa(extr->ips->ips_said, 0, sa, SATOA_BUF);
-
- ipsp->ips_flags |= SADB_X_SAFLAGS_INFLOW;
- ipsp->ips_flow_s = srcflow;
- ipsp->ips_flow_d = dstflow;
- ipsp->ips_mask_s = srcmask;
- ipsp->ips_mask_d = dstmask;
-
- ipsec_sa_put(ipsq);
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_addflow_parse: "
- "inbound eroute, setting incoming policy information in IPIP ipsec_sa for SA: %s.\n",
- sa_len ? sa : " (error)");
- } else {
- struct sk_buff *first = NULL, *last = NULL;
-
- if(extr->ips->ips_flags & SADB_X_SAFLAGS_REPLACEFLOW) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_addflow_parse: "
- "REPLACEFLOW flag set, calling breakeroute.\n");
- if ((error = ipsec_breakroute(&(extr->eroute->er_eaddr),
- &(extr->eroute->er_emask),
- &first, &last))) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_addflow_parse: "
- "breakeroute returned %d. first=0p%p, last=0p%p\n",
- error,
- first,
- last);
- if(first != NULL) {
- ipsec_kfree_skb(first);
- }
- if(last != NULL) {
- ipsec_kfree_skb(last);
- }
- SENDERR(-error);
- }
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_addflow_parse: "
- "calling makeroute.\n");
-
- if ((error = ipsec_makeroute(&(extr->eroute->er_eaddr),
- &(extr->eroute->er_emask),
- extr->ips->ips_said,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid,
- NULL,
- &(extr->ips->ips_ident_s),
- &(extr->ips->ips_ident_d)))) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_addflow_parse: "
- "makeroute returned %d.\n", error);
- SENDERR(-error);
- }
- if(first != NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_addflow_parse: "
- "first=0p%p HOLD packet re-injected.\n",
- first);
- DEV_QUEUE_XMIT(first, first->dev, SOPRI_NORMAL);
- }
- if(last != NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_addflow_parse: "
- "last=0p%p HOLD packet re-injected.\n",
- last);
- DEV_QUEUE_XMIT(last, last->dev, SOPRI_NORMAL);
- }
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_addflow_parse: "
- "makeroute call successful.\n");
-
- if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
- SADB_X_ADDFLOW,
- satype,
- 0,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
- SADB_EXT_SA,
- extr->ips->ips_said.spi,
- extr->ips->ips_replaywin,
- extr->ips->ips_state,
- extr->ips->ips_authalg,
- extr->ips->ips_encalg,
- extr->ips->ips_flags,
- extr->ips->ips_ref),
- extensions_reply)
- && (extensions[SADB_EXT_ADDRESS_SRC]
- ? pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_SRC],
- SADB_EXT_ADDRESS_SRC,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips->ips_addr_s),
- extensions_reply) : 1)
- && (extensions[SADB_EXT_ADDRESS_DST]
- ? pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_EXT_ADDRESS_DST],
- SADB_EXT_ADDRESS_DST,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- extr->ips->ips_addr_d),
- extensions_reply) : 1)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_FLOW],
- SADB_X_EXT_ADDRESS_SRC_FLOW,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- (struct sockaddr*)&srcflow),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_FLOW],
- SADB_X_EXT_ADDRESS_DST_FLOW,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- (struct sockaddr*)&dstflow),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_MASK],
- SADB_X_EXT_ADDRESS_SRC_MASK,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- (struct sockaddr*)&srcmask),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_MASK],
- SADB_X_EXT_ADDRESS_DST_MASK,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- (struct sockaddr*)&dstmask),
- extensions_reply)
- )) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
- "failed to build the x_addflow reply message extensions\n");
- SENDERR(-error);
- }
-
- if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
- "failed to build the x_addflow reply message\n");
- SENDERR(-error);
- }
-
- for(pfkey_socketsp = pfkey_open_sockets;
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
- "sending up x_addflow reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp,
- error);
- SENDERR(-error);
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_addflow_parse: "
- "sending up x_addflow reply message for satype=%d(%s) (proto=%d) to socket=0p%p succeeded.\n",
- satype,
- satype2name(satype),
- extr->ips->ips_said.proto,
- pfkey_socketsp->socketp);
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_addflow_parse: "
- "extr->ips cleaned up and freed.\n");
-
- errlab:
- if (pfkey_reply) {
- pfkey_msg_free(&pfkey_reply);
- }
- pfkey_extensions_free(extensions_reply);
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_x_delflow_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- int error = 0;
-#ifdef CONFIG_IPSEC_DEBUG
- char buf1[64], buf2[64];
-#endif /* CONFIG_IPSEC_DEBUG */
- struct sadb_ext *extensions_reply[SADB_EXT_MAX+1];
- struct sadb_msg *pfkey_reply = NULL;
- struct socket_list *pfkey_socketsp;
- uint8_t satype = ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_satype;
- ip_address srcflow, dstflow, srcmask, dstmask;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_delflow_parse: .\n");
-
- pfkey_extensions_init(extensions_reply);
-
- memset((caddr_t)&srcflow, 0, sizeof(srcflow));
- memset((caddr_t)&dstflow, 0, sizeof(dstflow));
- memset((caddr_t)&srcmask, 0, sizeof(srcmask));
- memset((caddr_t)&dstmask, 0, sizeof(dstmask));
-
- if(!extr || !(extr->ips)) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_delflow_parse: "
- "extr, or extr->ips is NULL, fatal\n");
- SENDERR(EINVAL);
- }
-
- if(extr->ips->ips_flags & SADB_X_SAFLAGS_CLEARFLOW) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_delflow_parse: "
- "CLEARFLOW flag set, calling cleareroutes.\n");
- if ((error = ipsec_cleareroutes()))
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_delflow_parse: "
- "cleareroutes returned %d.\n", error);
- SENDERR(-error);
- } else {
- struct sk_buff *first = NULL, *last = NULL;
-
- if(!(extr->eroute)) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_delflow_parse: "
- "extr->eroute is NULL, fatal.\n");
- SENDERR(EINVAL);
- }
-
- srcflow.u.v4.sin_family = AF_INET;
- dstflow.u.v4.sin_family = AF_INET;
- srcmask.u.v4.sin_family = AF_INET;
- dstmask.u.v4.sin_family = AF_INET;
- srcflow.u.v4.sin_addr = extr->eroute->er_eaddr.sen_ip_src;
- dstflow.u.v4.sin_addr = extr->eroute->er_eaddr.sen_ip_dst;
- srcmask.u.v4.sin_addr = extr->eroute->er_emask.sen_ip_src;
- dstmask.u.v4.sin_addr = extr->eroute->er_emask.sen_ip_dst;
-
-#ifdef CONFIG_IPSEC_DEBUG
- if (debug_pfkey) {
- subnettoa(extr->eroute->er_eaddr.sen_ip_src,
- extr->eroute->er_emask.sen_ip_src, 0, buf1, sizeof(buf1));
- subnettoa(extr->eroute->er_eaddr.sen_ip_dst,
- extr->eroute->er_emask.sen_ip_dst, 0, buf2, sizeof(buf2));
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_delflow_parse: "
- "calling breakeroute for %s->%s\n",
- buf1, buf2);
- }
-#endif /* CONFIG_IPSEC_DEBUG */
- error = ipsec_breakroute(&(extr->eroute->er_eaddr),
- &(extr->eroute->er_emask),
- &first, &last);
- if(error) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_delflow_parse: "
- "breakeroute returned %d. first=0p%p, last=0p%p\n",
- error,
- first,
- last);
- }
- if(first != NULL) {
- ipsec_kfree_skb(first);
- }
- if(last != NULL) {
- ipsec_kfree_skb(last);
- }
- if(error) {
- SENDERR(-error);
- }
- }
-
- if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
- SADB_X_DELFLOW,
- satype,
- 0,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_seq,
- ((struct sadb_msg*)extensions[SADB_EXT_RESERVED])->sadb_msg_pid),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions_reply[SADB_EXT_SA],
- SADB_EXT_SA,
- extr->ips->ips_said.spi,
- extr->ips->ips_replaywin,
- extr->ips->ips_state,
- extr->ips->ips_authalg,
- extr->ips->ips_encalg,
- extr->ips->ips_flags,
- extr->ips->ips_ref),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_FLOW],
- SADB_X_EXT_ADDRESS_SRC_FLOW,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- (struct sockaddr*)&srcflow),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_FLOW],
- SADB_X_EXT_ADDRESS_DST_FLOW,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- (struct sockaddr*)&dstflow),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_SRC_MASK],
- SADB_X_EXT_ADDRESS_SRC_MASK,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- (struct sockaddr*)&srcmask),
- extensions_reply)
- && pfkey_safe_build(error = pfkey_address_build(&extensions_reply[SADB_X_EXT_ADDRESS_DST_MASK],
- SADB_X_EXT_ADDRESS_DST_MASK,
- 0, /*extr->ips->ips_said.proto,*/
- 0,
- (struct sockaddr*)&dstmask),
- extensions_reply)
- )) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
- "failed to build the x_delflow reply message extensions\n");
- SENDERR(-error);
- }
-
- if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
- "failed to build the x_delflow reply message\n");
- SENDERR(-error);
- }
-
- for(pfkey_socketsp = pfkey_open_sockets;
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_reply))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
- "sending up x_delflow reply message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp,
- error);
- SENDERR(-error);
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_x_delflow_parse: "
- "sending up x_delflow reply message for satype=%d(%s) to socket=0p%p succeeded.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp);
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_delflow_parse: "
- "extr->ips cleaned up and freed.\n");
-
- errlab:
- if (pfkey_reply) {
- pfkey_msg_free(&pfkey_reply);
- }
- pfkey_extensions_free(extensions_reply);
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_x_msg_debug_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- int error = 0;
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_x_msg_debug_parse: .\n");
-
-/* errlab:*/
- return error;
-}
-
-/* pfkey_expire expects the ipsec_sa table to be locked before being called. */
-int
-pfkey_expire(struct ipsec_sa *ipsp, int hard)
-{
- struct sadb_ext *extensions[SADB_EXT_MAX+1];
- struct sadb_msg *pfkey_msg = NULL;
- struct socket_list *pfkey_socketsp;
- int error = 0;
- uint8_t satype;
-
- pfkey_extensions_init(extensions);
-
- if(!(satype = proto2satype(ipsp->ips_said.proto))) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_expire: "
- "satype lookup for protocol %d lookup failed.\n",
- ipsp->ips_said.proto);
- SENDERR(EINVAL);
- }
-
- if(!pfkey_open_sockets) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
- "no sockets listening.\n");
- SENDERR(EPROTONOSUPPORT);
- }
-
- if (!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions[0],
- SADB_EXPIRE,
- satype,
- 0,
- ++pfkey_msg_seq,
- 0),
- extensions)
- && pfkey_safe_build(error = pfkey_sa_ref_build(&extensions[SADB_EXT_SA],
- SADB_EXT_SA,
- ipsp->ips_said.spi,
- ipsp->ips_replaywin,
- ipsp->ips_state,
- ipsp->ips_authalg,
- ipsp->ips_encalg,
- ipsp->ips_flags,
- ipsp->ips_ref),
- extensions)
- && pfkey_safe_build(error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_CURRENT],
- SADB_EXT_LIFETIME_CURRENT,
- ipsp->ips_life.ipl_allocations.ipl_count,
- ipsp->ips_life.ipl_bytes.ipl_count,
- ipsp->ips_life.ipl_addtime.ipl_count,
- ipsp->ips_life.ipl_usetime.ipl_count,
- ipsp->ips_life.ipl_packets.ipl_count),
- extensions)
- && (hard ?
- pfkey_safe_build(error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_HARD],
- SADB_EXT_LIFETIME_HARD,
- ipsp->ips_life.ipl_allocations.ipl_hard,
- ipsp->ips_life.ipl_bytes.ipl_hard,
- ipsp->ips_life.ipl_addtime.ipl_hard,
- ipsp->ips_life.ipl_usetime.ipl_hard,
- ipsp->ips_life.ipl_packets.ipl_hard),
- extensions)
- : pfkey_safe_build(error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_SOFT],
- SADB_EXT_LIFETIME_SOFT,
- ipsp->ips_life.ipl_allocations.ipl_soft,
- ipsp->ips_life.ipl_bytes.ipl_soft,
- ipsp->ips_life.ipl_addtime.ipl_soft,
- ipsp->ips_life.ipl_usetime.ipl_soft,
- ipsp->ips_life.ipl_packets.ipl_soft),
- extensions))
- && pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
- SADB_EXT_ADDRESS_SRC,
- 0, /* ipsp->ips_said.proto, */
- 0,
- ipsp->ips_addr_s),
- extensions)
- && pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
- SADB_EXT_ADDRESS_DST,
- 0, /* ipsp->ips_said.proto, */
- 0,
- ipsp->ips_addr_d),
- extensions))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
- "failed to build the expire message extensions\n");
- spin_unlock(&tdb_lock);
- goto errlab;
- }
-
- if ((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_OUT))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
- "failed to build the expire message\n");
- SENDERR(-error);
- }
-
- for(pfkey_socketsp = pfkey_open_sockets;
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_msg))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
- "sending up expire message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp,
- error);
- SENDERR(-error);
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
- "sending up expire message for satype=%d(%s) (proto=%d) to socket=0p%p succeeded.\n",
- satype,
- satype2name(satype),
- ipsp->ips_said.proto,
- pfkey_socketsp->socketp);
- }
-
- errlab:
- if (pfkey_msg) {
- pfkey_msg_free(&pfkey_msg);
- }
- pfkey_extensions_free(extensions);
- return error;
-}
-
-int
-pfkey_acquire(struct ipsec_sa *ipsp)
-{
- struct sadb_ext *extensions[SADB_EXT_MAX+1];
- struct sadb_msg *pfkey_msg = NULL;
- struct socket_list *pfkey_socketsp;
- int error = 0;
- struct sadb_comb comb[] = {
- /* auth; encrypt; flags; */
- /* auth_minbits; auth_maxbits; encrypt_minbits; encrypt_maxbits; */
- /* reserved; soft_allocations; hard_allocations; soft_bytes; hard_bytes; */
- /* soft_addtime; hard_addtime; soft_usetime; hard_usetime; */
- /* soft_packets; hard_packets; */
- { SADB_AALG_MD5_HMAC, SADB_EALG_3DES_CBC, SADB_SAFLAGS_PFS,
- 128, 128, 168, 168,
- 0, 0, 0, 0, 0,
- 57600, 86400, 57600, 86400,
- 0, 0 },
- { SADB_AALG_SHA1_HMAC, SADB_EALG_3DES_CBC, SADB_SAFLAGS_PFS,
- 160, 160, 168, 168,
- 0, 0, 0, 0, 0,
- 57600, 86400, 57600, 86400,
- 0, 0 }
- };
-
- /* XXX This should not be hard-coded. It should be taken from the spdb */
- uint8_t satype = SADB_SATYPE_ESP;
-
- pfkey_extensions_init(extensions);
-
- if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire: "
- "SAtype=%d unspecified or unknown.\n",
- satype);
- SENDERR(EINVAL);
- }
-
- if(!(pfkey_registered_sockets[satype])) {
- KLIPS_PRINT(1|debug_pfkey, "klips_debug:pfkey_acquire: "
- "no sockets registered for SAtype=%d(%s).\n",
- satype,
- satype2name(satype));
- SENDERR(EPROTONOSUPPORT);
- }
-
- if (!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions[0],
- SADB_ACQUIRE,
- satype,
- 0,
- ++pfkey_msg_seq,
- 0),
- extensions)
- && pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
- SADB_EXT_ADDRESS_SRC,
- ipsp->ips_said.proto,
- 0,
- ipsp->ips_addr_s),
- extensions)
- && pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
- SADB_EXT_ADDRESS_DST,
- ipsp->ips_said.proto,
- 0,
- ipsp->ips_addr_d),
- extensions)
-#if 0
- && (ipsp->ips_addr_p
- ? pfkey_safe_build(error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_PROXY],
- SADB_EXT_ADDRESS_PROXY,
- ipsp->ips_said.proto,
- 0,
- ipsp->ips_addr_p),
- extensions) : 1)
-#endif
- && (ipsp->ips_ident_s.type != SADB_IDENTTYPE_RESERVED
- ? pfkey_safe_build(error = pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_SRC],
- SADB_EXT_IDENTITY_SRC,
- ipsp->ips_ident_s.type,
- ipsp->ips_ident_s.id,
- ipsp->ips_ident_s.len,
- ipsp->ips_ident_s.data),
- extensions) : 1)
-
- && (ipsp->ips_ident_d.type != SADB_IDENTTYPE_RESERVED
- ? pfkey_safe_build(error = pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_DST],
- SADB_EXT_IDENTITY_DST,
- ipsp->ips_ident_d.type,
- ipsp->ips_ident_d.id,
- ipsp->ips_ident_d.len,
- ipsp->ips_ident_d.data),
- extensions) : 1)
-#if 0
- /* FIXME: This won't work yet because I have not finished
- it. */
- && (ipsp->ips_sens_
- ? pfkey_safe_build(error = pfkey_sens_build(&extensions[SADB_EXT_SENSITIVITY],
- ipsp->ips_sens_dpd,
- ipsp->ips_sens_sens_level,
- ipsp->ips_sens_sens_len,
- ipsp->ips_sens_sens_bitmap,
- ipsp->ips_sens_integ_level,
- ipsp->ips_sens_integ_len,
- ipsp->ips_sens_integ_bitmap),
- extensions) : 1)
-#endif
- && pfkey_safe_build(error = pfkey_prop_build(&extensions[SADB_EXT_PROPOSAL],
- 64, /* replay */
- sizeof(comb)/sizeof(struct sadb_comb),
- &(comb[0])),
- extensions)
- )) {
- KLIPS_PRINT(1|debug_pfkey, "klips_debug:pfkey_acquire: "
- "failed to build the acquire message extensions\n");
- SENDERR(-error);
- }
-
- if ((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_OUT))) {
- KLIPS_PRINT(1|debug_pfkey, "klips_debug:pfkey_acquire: "
- "failed to build the acquire message\n");
- SENDERR(-error);
- }
-
-#if KLIPS_PFKEY_ACQUIRE_LOSSAGE > 0
- if(sysctl_ipsec_regress_pfkey_lossage) {
- return(0);
- }
-#endif
-
- /* this should go to all registered sockets for that satype only */
- for(pfkey_socketsp = pfkey_registered_sockets[satype];
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_msg))) {
- KLIPS_PRINT(1|debug_pfkey, "klips_debug:pfkey_acquire: "
- "sending up acquire message for satype=%d(%s) to socket=0p%p failed with error=%d.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp,
- error);
- SENDERR(-error);
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_acquire: "
- "sending up acquire message for satype=%d(%s) to socket=0p%p succeeded.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp);
- }
-
- errlab:
- if (pfkey_msg) {
- pfkey_msg_free(&pfkey_msg);
- }
- pfkey_extensions_free(extensions);
- return error;
-}
-
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-int
-pfkey_nat_t_new_mapping(struct ipsec_sa *ipsp, struct sockaddr *ipaddr,
- __u16 sport)
-{
- struct sadb_ext *extensions[SADB_EXT_MAX+1];
- struct sadb_msg *pfkey_msg = NULL;
- struct socket_list *pfkey_socketsp;
- int error = 0;
- uint8_t satype = (ipsp->ips_said.proto==IPPROTO_ESP) ? SADB_SATYPE_ESP : 0;
-
- /* Construct SADB_X_NAT_T_NEW_MAPPING message */
-
- pfkey_extensions_init(extensions);
-
- if((satype == 0) || (satype > SADB_SATYPE_MAX)) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
- "SAtype=%d unspecified or unknown.\n",
- satype);
- SENDERR(EINVAL);
- }
-
- if(!(pfkey_registered_sockets[satype])) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
- "no sockets registered for SAtype=%d(%s).\n",
- satype,
- satype2name(satype));
- SENDERR(EPROTONOSUPPORT);
- }
-
- if (!(pfkey_safe_build
- (error = pfkey_msg_hdr_build(&extensions[0], SADB_X_NAT_T_NEW_MAPPING,
- satype, 0, ++pfkey_msg_seq, 0), extensions)
- /* SA */
- && pfkey_safe_build
- (error = pfkey_sa_build(&extensions[SADB_EXT_SA],
- SADB_EXT_SA, ipsp->ips_said.spi, 0, 0, 0, 0, 0), extensions)
- /* ADDRESS_SRC = old addr */
- && pfkey_safe_build
- (error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
- SADB_EXT_ADDRESS_SRC, ipsp->ips_said.proto, 0, ipsp->ips_addr_s),
- extensions)
- /* NAT_T_SPORT = old port */
- && pfkey_safe_build
- (error = pfkey_x_nat_t_port_build(&extensions[SADB_X_EXT_NAT_T_SPORT],
- SADB_X_EXT_NAT_T_SPORT, ipsp->ips_natt_sport), extensions)
- /* ADDRESS_DST = new addr */
- && pfkey_safe_build
- (error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
- SADB_EXT_ADDRESS_DST, ipsp->ips_said.proto, 0, ipaddr), extensions)
- /* NAT_T_DPORT = new port */
- && pfkey_safe_build
- (error = pfkey_x_nat_t_port_build(&extensions[SADB_X_EXT_NAT_T_DPORT],
- SADB_X_EXT_NAT_T_DPORT, sport), extensions)
- )) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
- "failed to build the nat_t_new_mapping message extensions\n");
- SENDERR(-error);
- }
-
- if ((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_OUT))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
- "failed to build the nat_t_new_mapping message\n");
- SENDERR(-error);
- }
-
- /* this should go to all registered sockets for that satype only */
- for(pfkey_socketsp = pfkey_registered_sockets[satype];
- pfkey_socketsp;
- pfkey_socketsp = pfkey_socketsp->next) {
- if((error = pfkey_upmsg(pfkey_socketsp->socketp, pfkey_msg))) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
- "sending up nat_t_new_mapping message for satype=%d(%s) to socket=%p failed with error=%d.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp,
- error);
- SENDERR(-error);
- }
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_nat_t_new_mapping: "
- "sending up nat_t_new_mapping message for satype=%d(%s) to socket=%p succeeded.\n",
- satype,
- satype2name(satype),
- pfkey_socketsp->socketp);
- }
-
- errlab:
- if (pfkey_msg) {
- pfkey_msg_free(&pfkey_msg);
- }
- pfkey_extensions_free(extensions);
- return error;
-}
-
-DEBUG_NO_STATIC int
-pfkey_x_nat_t_new_mapping_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extracted_data* extr)
-{
- /* SADB_X_NAT_T_NEW_MAPPING not used in kernel */
- return -EINVAL;
-}
-#endif
-
-DEBUG_NO_STATIC int (*ext_processors[SADB_EXT_MAX+1])(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr) =
-{
- NULL, /* pfkey_msg_process, */
- pfkey_sa_process,
- pfkey_lifetime_process,
- pfkey_lifetime_process,
- pfkey_lifetime_process,
- pfkey_address_process,
- pfkey_address_process,
- pfkey_address_process,
- pfkey_key_process,
- pfkey_key_process,
- pfkey_ident_process,
- pfkey_ident_process,
- pfkey_sens_process,
- pfkey_prop_process,
- pfkey_supported_process,
- pfkey_supported_process,
- pfkey_spirange_process,
- pfkey_x_kmprivate_process,
- pfkey_x_satype_process,
- pfkey_sa_process,
- pfkey_address_process,
- pfkey_address_process,
- pfkey_address_process,
- pfkey_address_process,
- pfkey_address_process,
- pfkey_x_debug_process,
- pfkey_x_protocol_process
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- ,
- pfkey_x_nat_t_type_process,
- pfkey_x_nat_t_port_process,
- pfkey_x_nat_t_port_process,
- pfkey_address_process
-#endif
-};
-
-
-DEBUG_NO_STATIC int (*msg_parsers[SADB_MAX +1])(struct sock *sk, struct sadb_ext *extensions[], struct pfkey_extracted_data* extr)
- =
-{
- NULL, /* RESERVED */
- pfkey_getspi_parse,
- pfkey_update_parse,
- pfkey_add_parse,
- pfkey_delete_parse,
- pfkey_get_parse,
- pfkey_acquire_parse,
- pfkey_register_parse,
- pfkey_expire_parse,
- pfkey_flush_parse,
- pfkey_dump_parse,
- pfkey_x_promisc_parse,
- pfkey_x_pchange_parse,
- pfkey_x_grpsa_parse,
- pfkey_x_addflow_parse,
- pfkey_x_delflow_parse,
- pfkey_x_msg_debug_parse
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
- , pfkey_x_nat_t_new_mapping_parse
-#endif
-};
-
-int
-pfkey_build_reply(struct sadb_msg *pfkey_msg, struct pfkey_extracted_data *extr,
- struct sadb_msg **pfkey_reply)
-{
- struct sadb_ext *extensions[SADB_EXT_MAX+1];
- int error = 0;
- int msg_type = pfkey_msg->sadb_msg_type;
- int seq = pfkey_msg->sadb_msg_seq;
-
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: "
- "building reply with type: %d\n",
- msg_type);
- pfkey_extensions_init(extensions);
- if (!extr || !extr->ips) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: "
- "bad ipsec_sa passed\n");
- return EINVAL;
- }
- error = pfkey_safe_build(pfkey_msg_hdr_build(&extensions[0],
- msg_type,
- proto2satype(extr->ips->ips_said.proto),
- 0,
- seq,
- pfkey_msg->sadb_msg_pid),
- extensions) &&
- (!(extensions_bitmaps[EXT_BITS_OUT][EXT_BITS_REQ][msg_type] &
- 1 << SADB_EXT_SA)
- || pfkey_safe_build(pfkey_sa_ref_build(&extensions[SADB_EXT_SA],
- SADB_EXT_SA,
- extr->ips->ips_said.spi,
- extr->ips->ips_replaywin,
- extr->ips->ips_state,
- extr->ips->ips_authalg,
- extr->ips->ips_encalg,
- extr->ips->ips_flags,
- extr->ips->ips_ref),
- extensions)) &&
- (!(extensions_bitmaps[EXT_BITS_OUT][EXT_BITS_REQ][msg_type] &
- 1 << SADB_EXT_LIFETIME_CURRENT)
- || pfkey_safe_build(pfkey_lifetime_build(&extensions
- [SADB_EXT_LIFETIME_CURRENT],
- SADB_EXT_LIFETIME_CURRENT,
- extr->ips->ips_life.ipl_allocations.ipl_count,
- extr->ips->ips_life.ipl_bytes.ipl_count,
- extr->ips->ips_life.ipl_addtime.ipl_count,
- extr->ips->ips_life.ipl_usetime.ipl_count,
- extr->ips->ips_life.ipl_packets.ipl_count),
- extensions)) &&
- (!(extensions_bitmaps[EXT_BITS_OUT][EXT_BITS_REQ][msg_type] &
- 1 << SADB_EXT_ADDRESS_SRC)
- || pfkey_safe_build(pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
- SADB_EXT_ADDRESS_SRC,
- extr->ips->ips_said.proto,
- 0,
- extr->ips->ips_addr_s),
- extensions)) &&
- (!(extensions_bitmaps[EXT_BITS_OUT][EXT_BITS_REQ][msg_type] &
- 1 << SADB_EXT_ADDRESS_DST)
- || pfkey_safe_build(pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
- SADB_EXT_ADDRESS_DST,
- extr->ips->ips_said.proto,
- 0,
- extr->ips->ips_addr_d),
- extensions));
-
- if (error == 0) {
- KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_build_reply: "
- "building extensions failed\n");
- return EINVAL;
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_build_reply: "
- "built extensions, proceed to build the message\n");
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_build_reply: "
- "extensions[1]=0p%p\n",
- extensions[1]);
- error = pfkey_msg_build(pfkey_reply, extensions, EXT_BITS_OUT);
- pfkey_extensions_free(extensions);
-
- return error;
-}
-
-int
-pfkey_msg_interp(struct sock *sk, struct sadb_msg *pfkey_msg,
- struct sadb_msg **pfkey_reply)
-{
- int error = 0;
- int i;
- struct sadb_ext *extensions[SADB_EXT_MAX+1];
- struct pfkey_extracted_data extr = {NULL, NULL, NULL};
-
- pfkey_extensions_init(extensions);
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_msg_interp: "
- "parsing message ver=%d, type=%d, errno=%d, satype=%d(%s), len=%d, res=%d, seq=%d, pid=%d.\n",
- pfkey_msg->sadb_msg_version,
- pfkey_msg->sadb_msg_type,
- pfkey_msg->sadb_msg_errno,
- pfkey_msg->sadb_msg_satype,
- satype2name(pfkey_msg->sadb_msg_satype),
- pfkey_msg->sadb_msg_len,
- pfkey_msg->sadb_msg_reserved,
- pfkey_msg->sadb_msg_seq,
- pfkey_msg->sadb_msg_pid);
-
- extr.ips = ipsec_sa_alloc(&error); /* pass in error var by pointer */
- if(extr.ips == NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_msg_interp: "
- "memory allocation error.\n");
- SENDERR(-error);
- }
-
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_msg_interp: "
- "allocated extr->ips=0p%p.\n",
- extr.ips);
-
- if(pfkey_msg->sadb_msg_satype > SADB_SATYPE_MAX) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_msg_interp: "
- "satype %d > max %d\n",
- pfkey_msg->sadb_msg_satype,
- SADB_SATYPE_MAX);
- SENDERR(EINVAL);
- }
-
- switch(pfkey_msg->sadb_msg_type) {
- case SADB_GETSPI:
- case SADB_UPDATE:
- case SADB_ADD:
- case SADB_DELETE:
- case SADB_X_GRPSA:
- case SADB_X_ADDFLOW:
- if(!(extr.ips->ips_said.proto = satype2proto(pfkey_msg->sadb_msg_satype))) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_msg_interp: "
- "satype %d lookup failed.\n",
- pfkey_msg->sadb_msg_satype);
- SENDERR(EINVAL);
- } else {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_msg_interp: "
- "satype %d lookups to proto=%d.\n",
- pfkey_msg->sadb_msg_satype,
- extr.ips->ips_said.proto);
- }
- break;
- default:
- break;
- }
-
- /* The NULL below causes the default extension parsers to be used */
- /* Parse the extensions */
- if((error = pfkey_msg_parse(pfkey_msg, NULL, extensions, EXT_BITS_IN)))
- {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_msg_interp: "
- "message parsing failed with error %d.\n",
- error);
- SENDERR(-error);
- }
-
- /* Process the extensions */
- for(i=1; i <= SADB_EXT_MAX;i++) {
- if(extensions[i] != NULL) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_msg_interp: "
- "processing ext %d 0p%p with processor 0p%p.\n",
- i, extensions[i], ext_processors[i]);
- if((error = ext_processors[i](extensions[i], &extr))) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_msg_interp: "
- "extension processing for type %d failed with error %d.\n",
- i,
- error);
- SENDERR(-error);
- }
-
- }
-
- }
-
- /* Parse the message types */
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_msg_interp: "
- "parsing message type %d(%s) with msg_parser 0p%p.\n",
- pfkey_msg->sadb_msg_type,
- pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type),
- msg_parsers[pfkey_msg->sadb_msg_type]);
- if((error = msg_parsers[pfkey_msg->sadb_msg_type](sk, extensions, &extr))) {
- KLIPS_PRINT(debug_pfkey,
- "klips_debug:pfkey_msg_interp: "
- "message parsing failed with error %d.\n",
- error);
- SENDERR(-error);
- }
-
-#if 0
- error = pfkey_build_reply(pfkey_msg, &extr, pfkey_reply);
- if (error) {
- *pfkey_reply = NULL;
- }
-#endif
- errlab:
- if(extr.ips != NULL) {
- ipsec_sa_wipe(extr.ips);
- }
- if(extr.ips2 != NULL) {
- ipsec_sa_wipe(extr.ips2);
- }
- if (extr.eroute != NULL) {
- kfree(extr.eroute);
- }
- return(error);
-}
-
diff --git a/linux/net/ipsec/radij.c b/linux/net/ipsec/radij.c
deleted file mode 100644
index 7dbec8d37..000000000
--- a/linux/net/ipsec/radij.c
+++ /dev/null
@@ -1,992 +0,0 @@
-char radij_c_version[] = "RCSID $Id: radij.c,v 1.2 2004/06/13 19:57:50 as Exp $";
-
-/*
- * This file is defived from ${SRC}/sys/net/radix.c of BSD 4.4lite
- *
- * Variable and procedure names have been modified so that they don't
- * conflict with the original BSD code, as a small number of modifications
- * have been introduced and we may want to reuse this code in BSD.
- *
- * The `j' in `radij' is pronounced as a voiceless guttural (like a Greek
- * chi or a German ch sound (as `doch', not as in `milch'), or even a
- * spanish j as in Juan. It is not as far back in the throat like
- * the corresponding Hebrew sound, nor is it a soft breath like the English h.
- * It has nothing to do with the Dutch ij sound.
- *
- * Here is the appropriate copyright notice:
- */
-
-/*
- * Copyright (c) 1988, 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)radix.c 8.2 (Berkeley) 1/4/94
- */
-
-/*
- * Routines to build and maintain radix trees for routing lookups.
- */
-
-#include <linux/config.h>
-#include <linux/version.h>
-#include <linux/kernel.h> /* printk() */
-
-#include "freeswan/ipsec_param.h"
-
-#ifdef MALLOC_SLAB
-# include <linux/slab.h> /* kmalloc() */
-#else /* MALLOC_SLAB */
-# include <linux/malloc.h> /* kmalloc() */
-#endif /* MALLOC_SLAB */
-#include <linux/errno.h> /* error codes */
-#include <linux/types.h> /* size_t */
-#include <linux/interrupt.h> /* mark_bh */
-
-#include <linux/netdevice.h> /* struct device, and other headers */
-#include <linux/etherdevice.h> /* eth_type_trans */
-#include <linux/ip.h> /* struct iphdr */
-#include <linux/skbuff.h>
-#ifdef NET_21
-# include <asm/uaccess.h>
-# include <linux/in6.h>
-#endif /* NET_21 */
-#include <asm/checksum.h>
-#include <net/ip.h>
-
-#include <freeswan.h>
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_radij.h"
-
-int maj_keylen;
-struct radij_mask *rj_mkfreelist;
-struct radij_node_head *mask_rjhead;
-static int gotOddMasks;
-static char *maskedKey;
-static char *rj_zeroes, *rj_ones;
-
-#define rj_masktop (mask_rjhead->rnh_treetop)
-#ifdef Bcmp
-# undef Bcmp
-#endif /* Bcmp */
-#define Bcmp(a, b, l) (l == 0 ? 0 : memcmp((caddr_t)(b), (caddr_t)(a), (size_t)l))
-/*
- * The data structure for the keys is a radix tree with one way
- * branching removed. The index rj_b at an internal node n represents a bit
- * position to be tested. The tree is arranged so that all descendants
- * of a node n have keys whose bits all agree up to position rj_b - 1.
- * (We say the index of n is rj_b.)
- *
- * There is at least one descendant which has a one bit at position rj_b,
- * and at least one with a zero there.
- *
- * A route is determined by a pair of key and mask. We require that the
- * bit-wise logical and of the key and mask to be the key.
- * We define the index of a route to associated with the mask to be
- * the first bit number in the mask where 0 occurs (with bit number 0
- * representing the highest order bit).
- *
- * We say a mask is normal if every bit is 0, past the index of the mask.
- * If a node n has a descendant (k, m) with index(m) == index(n) == rj_b,
- * and m is a normal mask, then the route applies to every descendant of n.
- * If the index(m) < rj_b, this implies the trailing last few bits of k
- * before bit b are all 0, (and hence consequently true of every descendant
- * of n), so the route applies to all descendants of the node as well.
- *
- * The present version of the code makes no use of normal routes,
- * but similar logic shows that a non-normal mask m such that
- * index(m) <= index(n) could potentially apply to many children of n.
- * Thus, for each non-host route, we attach its mask to a list at an internal
- * node as high in the tree as we can go.
- */
-
-struct radij_node *
-rj_search(v_arg, head)
- void *v_arg;
- struct radij_node *head;
-{
- register struct radij_node *x;
- register caddr_t v;
-
- for (x = head, v = v_arg; x->rj_b >= 0;) {
- if (x->rj_bmask & v[x->rj_off])
- x = x->rj_r;
- else
- x = x->rj_l;
- }
- return (x);
-};
-
-struct radij_node *
-rj_search_m(v_arg, head, m_arg)
- struct radij_node *head;
- void *v_arg, *m_arg;
-{
- register struct radij_node *x;
- register caddr_t v = v_arg, m = m_arg;
-
- for (x = head; x->rj_b >= 0;) {
- if ((x->rj_bmask & m[x->rj_off]) &&
- (x->rj_bmask & v[x->rj_off]))
- x = x->rj_r;
- else
- x = x->rj_l;
- }
- return x;
-};
-
-int
-rj_refines(m_arg, n_arg)
- void *m_arg, *n_arg;
-{
- register caddr_t m = m_arg, n = n_arg;
- register caddr_t lim, lim2 = lim = n + *(u_char *)n;
- int longer = (*(u_char *)n++) - (int)(*(u_char *)m++);
- int masks_are_equal = 1;
-
- if (longer > 0)
- lim -= longer;
- while (n < lim) {
- if (*n & ~(*m))
- return 0;
- if (*n++ != *m++)
- masks_are_equal = 0;
-
- }
- while (n < lim2)
- if (*n++)
- return 0;
- if (masks_are_equal && (longer < 0))
- for (lim2 = m - longer; m < lim2; )
- if (*m++)
- return 1;
- return (!masks_are_equal);
-}
-
-
-struct radij_node *
-rj_match(v_arg, head)
- void *v_arg;
- struct radij_node_head *head;
-{
- caddr_t v = v_arg;
- register struct radij_node *t = head->rnh_treetop, *x;
- register caddr_t cp = v, cp2, cp3;
- caddr_t cplim, mstart;
- struct radij_node *saved_t, *top = t;
- int off = t->rj_off, vlen = *(u_char *)cp, matched_off;
-
- /*
- * Open code rj_search(v, top) to avoid overhead of extra
- * subroutine call.
- */
- for (; t->rj_b >= 0; ) {
- if (t->rj_bmask & cp[t->rj_off])
- t = t->rj_r;
- else
- t = t->rj_l;
- }
- /*
- * See if we match exactly as a host destination
- */
- KLIPS_PRINT(debug_radij,
- "klips_debug:rj_match: "
- "* See if we match exactly as a host destination\n");
-
- cp += off; cp2 = t->rj_key + off; cplim = v + vlen;
- for (; cp < cplim; cp++, cp2++)
- if (*cp != *cp2)
- goto on1;
- /*
- * This extra grot is in case we are explicitly asked
- * to look up the default. Ugh!
- */
- if ((t->rj_flags & RJF_ROOT) && t->rj_dupedkey)
- t = t->rj_dupedkey;
- return t;
-on1:
- matched_off = cp - v;
- saved_t = t;
- KLIPS_PRINT(debug_radij,
- "klips_debug:rj_match: "
- "** try to match a leaf, t=0p%p\n", t);
- do {
- if (t->rj_mask) {
- /*
- * Even if we don't match exactly as a hosts;
- * we may match if the leaf we wound up at is
- * a route to a net.
- */
- cp3 = matched_off + t->rj_mask;
- cp2 = matched_off + t->rj_key;
- for (; cp < cplim; cp++)
- if ((*cp2++ ^ *cp) & *cp3++)
- break;
- if (cp == cplim)
- return t;
- cp = matched_off + v;
- }
- } while ((t = t->rj_dupedkey));
- t = saved_t;
- /* start searching up the tree */
- KLIPS_PRINT(debug_radij,
- "klips_debug:rj_match: "
- "*** start searching up the tree, t=0p%p\n",
- t);
- do {
- register struct radij_mask *m;
-
- t = t->rj_p;
- KLIPS_PRINT(debug_radij,
- "klips_debug:rj_match: "
- "**** t=0p%p\n",
- t);
- if ((m = t->rj_mklist)) {
- /*
- * After doing measurements here, it may
- * turn out to be faster to open code
- * rj_search_m here instead of always
- * copying and masking.
- */
- /* off = min(t->rj_off, matched_off); */
- off = t->rj_off;
- if (matched_off < off)
- off = matched_off;
- mstart = maskedKey + off;
- do {
- cp2 = mstart;
- cp3 = m->rm_mask + off;
- KLIPS_PRINT(debug_radij,
- "klips_debug:rj_match: "
- "***** cp2=0p%p cp3=0p%p\n",
- cp2, cp3);
- for (cp = v + off; cp < cplim;)
- *cp2++ = *cp++ & *cp3++;
- x = rj_search(maskedKey, t);
- while (x && x->rj_mask != m->rm_mask)
- x = x->rj_dupedkey;
- if (x &&
- (Bcmp(mstart, x->rj_key + off,
- vlen - off) == 0))
- return x;
- } while ((m = m->rm_mklist));
- }
- } while (t != top);
- KLIPS_PRINT(debug_radij,
- "klips_debug:rj_match: "
- "***** not found.\n");
- return 0;
-};
-
-#ifdef RJ_DEBUG
-int rj_nodenum;
-struct radij_node *rj_clist;
-int rj_saveinfo;
-DEBUG_NO_STATIC void traverse(struct radij_node *);
-#ifdef RJ_DEBUG2
-int rj_debug = 1;
-#else
-int rj_debug = 0;
-#endif /* RJ_DEBUG2 */
-#endif /* RJ_DEBUG */
-
-struct radij_node *
-rj_newpair(v, b, nodes)
- void *v;
- int b;
- struct radij_node nodes[2];
-{
- register struct radij_node *tt = nodes, *t = tt + 1;
- t->rj_b = b; t->rj_bmask = 0x80 >> (b & 7);
- t->rj_l = tt; t->rj_off = b >> 3;
- tt->rj_b = -1; tt->rj_key = (caddr_t)v; tt->rj_p = t;
- tt->rj_flags = t->rj_flags = RJF_ACTIVE;
-#ifdef RJ_DEBUG
- tt->rj_info = rj_nodenum++; t->rj_info = rj_nodenum++;
- tt->rj_twin = t; tt->rj_ybro = rj_clist; rj_clist = tt;
-#endif /* RJ_DEBUG */
- return t;
-}
-
-struct radij_node *
-rj_insert(v_arg, head, dupentry, nodes)
- void *v_arg;
- struct radij_node_head *head;
- int *dupentry;
- struct radij_node nodes[2];
-{
- caddr_t v = v_arg;
- struct radij_node *top = head->rnh_treetop;
- int head_off = top->rj_off, vlen = (int)*((u_char *)v);
- register struct radij_node *t = rj_search(v_arg, top);
- register caddr_t cp = v + head_off;
- register int b;
- struct radij_node *tt;
- /*
- *find first bit at which v and t->rj_key differ
- */
- {
- register caddr_t cp2 = t->rj_key + head_off;
- register int cmp_res;
- caddr_t cplim = v + vlen;
-
- while (cp < cplim)
- if (*cp2++ != *cp++)
- goto on1;
- *dupentry = 1;
- return t;
-on1:
- *dupentry = 0;
- cmp_res = (cp[-1] ^ cp2[-1]) & 0xff;
- for (b = (cp - v) << 3; cmp_res; b--)
- cmp_res >>= 1;
- }
- {
- register struct radij_node *p, *x = top;
- cp = v;
- do {
- p = x;
- if (cp[x->rj_off] & x->rj_bmask)
- x = x->rj_r;
- else x = x->rj_l;
- } while (b > (unsigned) x->rj_b); /* x->rj_b < b && x->rj_b >= 0 */
-#ifdef RJ_DEBUG
- if (rj_debug)
- printk("klips_debug:rj_insert: Going In:\n"), traverse(p);
-#endif /* RJ_DEBUG */
- t = rj_newpair(v_arg, b, nodes); tt = t->rj_l;
- if ((cp[p->rj_off] & p->rj_bmask) == 0)
- p->rj_l = t;
- else
- p->rj_r = t;
- x->rj_p = t; t->rj_p = p; /* frees x, p as temp vars below */
- if ((cp[t->rj_off] & t->rj_bmask) == 0) {
- t->rj_r = x;
- } else {
- t->rj_r = tt; t->rj_l = x;
- }
-#ifdef RJ_DEBUG
- if (rj_debug)
- printk("klips_debug:rj_insert: Coming out:\n"), traverse(p);
-#endif /* RJ_DEBUG */
- }
- return (tt);
-}
-
-struct radij_node *
-rj_addmask(n_arg, search, skip)
- int search, skip;
- void *n_arg;
-{
- caddr_t netmask = (caddr_t)n_arg;
- register struct radij_node *x;
- register caddr_t cp, cplim;
- register int b, mlen, j;
- int maskduplicated;
-
- mlen = *(u_char *)netmask;
- if (search) {
- x = rj_search(netmask, rj_masktop);
- mlen = *(u_char *)netmask;
- if (Bcmp(netmask, x->rj_key, mlen) == 0)
- return (x);
- }
- R_Malloc(x, struct radij_node *, maj_keylen + 2 * sizeof (*x));
- if (x == 0)
- return (0);
- Bzero(x, maj_keylen + 2 * sizeof (*x));
- cp = (caddr_t)(x + 2);
- Bcopy(netmask, cp, mlen);
- netmask = cp;
- x = rj_insert(netmask, mask_rjhead, &maskduplicated, x);
- /*
- * Calculate index of mask.
- */
- cplim = netmask + mlen;
- for (cp = netmask + skip; cp < cplim; cp++)
- if (*(u_char *)cp != 0xff)
- break;
- b = (cp - netmask) << 3;
- if (cp != cplim) {
- if (*cp != 0) {
- gotOddMasks = 1;
- for (j = 0x80; j; b++, j >>= 1)
- if ((j & *cp) == 0)
- break;
- }
- }
- x->rj_b = -1 - b;
- return (x);
-}
-
-#if 0
-struct radij_node *
-#endif
-int
-rj_addroute(v_arg, n_arg, head, treenodes)
- void *v_arg, *n_arg;
- struct radij_node_head *head;
- struct radij_node treenodes[2];
-{
- caddr_t v = (caddr_t)v_arg, netmask = (caddr_t)n_arg;
- register struct radij_node *t, *x=NULL, *tt;
- struct radij_node *saved_tt, *top = head->rnh_treetop;
- short b = 0, b_leaf;
- int mlen, keyduplicated;
- caddr_t cplim;
- struct radij_mask *m, **mp;
-
- /*
- * In dealing with non-contiguous masks, there may be
- * many different routes which have the same mask.
- * We will find it useful to have a unique pointer to
- * the mask to speed avoiding duplicate references at
- * nodes and possibly save time in calculating indices.
- */
- if (netmask) {
- x = rj_search(netmask, rj_masktop);
- mlen = *(u_char *)netmask;
- if (Bcmp(netmask, x->rj_key, mlen) != 0) {
- x = rj_addmask(netmask, 0, top->rj_off);
- if (x == 0)
- return -ENOMEM; /* (0) rgb */
- }
- netmask = x->rj_key;
- b = -1 - x->rj_b;
- }
- /*
- * Deal with duplicated keys: attach node to previous instance
- */
- saved_tt = tt = rj_insert(v, head, &keyduplicated, treenodes);
- if (keyduplicated) {
- do {
- if (tt->rj_mask == netmask)
- return -EEXIST; /* -ENXIO; (0) rgb */
- t = tt;
- if (netmask == 0 ||
- (tt->rj_mask && rj_refines(netmask, tt->rj_mask)))
- break;
- } while ((tt = tt->rj_dupedkey));
- /*
- * If the mask is not duplicated, we wouldn't
- * find it among possible duplicate key entries
- * anyway, so the above test doesn't hurt.
- *
- * We sort the masks for a duplicated key the same way as
- * in a masklist -- most specific to least specific.
- * This may require the unfortunate nuisance of relocating
- * the head of the list.
- */
- if (tt && t == saved_tt) {
- struct radij_node *xx = x;
- /* link in at head of list */
- (tt = treenodes)->rj_dupedkey = t;
- tt->rj_flags = t->rj_flags;
- tt->rj_p = x = t->rj_p;
- if (x->rj_l == t) x->rj_l = tt; else x->rj_r = tt;
- saved_tt = tt; x = xx;
- } else {
- (tt = treenodes)->rj_dupedkey = t->rj_dupedkey;
- t->rj_dupedkey = tt;
- }
-#ifdef RJ_DEBUG
- t=tt+1; tt->rj_info = rj_nodenum++; t->rj_info = rj_nodenum++;
- tt->rj_twin = t; tt->rj_ybro = rj_clist; rj_clist = tt;
-#endif /* RJ_DEBUG */
- t = saved_tt;
- tt->rj_key = (caddr_t) v;
- tt->rj_b = -1;
- tt->rj_flags = t->rj_flags & ~RJF_ROOT;
- }
- /*
- * Put mask in tree.
- */
- if (netmask) {
- tt->rj_mask = netmask;
- tt->rj_b = x->rj_b;
- }
- t = saved_tt->rj_p;
- b_leaf = -1 - t->rj_b;
- if (t->rj_r == saved_tt) x = t->rj_l; else x = t->rj_r;
- /* Promote general routes from below */
- if (x->rj_b < 0) {
- if (x->rj_mask && (x->rj_b >= b_leaf) && x->rj_mklist == 0) {
- MKGet(m);
- if (m) {
- Bzero(m, sizeof *m);
- m->rm_b = x->rj_b;
- m->rm_mask = x->rj_mask;
- x->rj_mklist = t->rj_mklist = m;
- }
- }
- } else if (x->rj_mklist) {
- /*
- * Skip over masks whose index is > that of new node
- */
- for (mp = &x->rj_mklist; (m = *mp); mp = &m->rm_mklist)
- if (m->rm_b >= b_leaf)
- break;
- t->rj_mklist = m; *mp = 0;
- }
- /* Add new route to highest possible ancestor's list */
- if ((netmask == 0) || (b > t->rj_b ))
- return 0; /* tt rgb */ /* can't lift at all */
- b_leaf = tt->rj_b;
- do {
- x = t;
- t = t->rj_p;
- } while (b <= t->rj_b && x != top);
- /*
- * Search through routes associated with node to
- * insert new route according to index.
- * For nodes of equal index, place more specific
- * masks first.
- */
- cplim = netmask + mlen;
- for (mp = &x->rj_mklist; (m = *mp); mp = &m->rm_mklist) {
- if (m->rm_b < b_leaf)
- continue;
- if (m->rm_b > b_leaf)
- break;
- if (m->rm_mask == netmask) {
- m->rm_refs++;
- tt->rj_mklist = m;
- return 0; /* tt rgb */
- }
- if (rj_refines(netmask, m->rm_mask))
- break;
- }
- MKGet(m);
- if (m == 0) {
- printk("klips_debug:rj_addroute: "
- "Mask for route not entered\n");
- return 0; /* (tt) rgb */
- }
- Bzero(m, sizeof *m);
- m->rm_b = b_leaf;
- m->rm_mask = netmask;
- m->rm_mklist = *mp;
- *mp = m;
- tt->rj_mklist = m;
- return 0; /* tt rgb */
-}
-
-int
-rj_delete(v_arg, netmask_arg, head, node)
- void *v_arg, *netmask_arg;
- struct radij_node_head *head;
- struct radij_node **node;
-{
- register struct radij_node *t, *p, *x, *tt;
- struct radij_mask *m, *saved_m, **mp;
- struct radij_node *dupedkey, *saved_tt, *top;
- caddr_t v, netmask;
- int b, head_off, vlen;
-
- v = v_arg;
- netmask = netmask_arg;
- x = head->rnh_treetop;
- tt = rj_search(v, x);
- head_off = x->rj_off;
- vlen = *(u_char *)v;
- saved_tt = tt;
- top = x;
- if (tt == 0 ||
- Bcmp(v + head_off, tt->rj_key + head_off, vlen - head_off))
- return -EFAULT; /* (0) rgb */
- /*
- * Delete our route from mask lists.
- */
- if ((dupedkey = tt->rj_dupedkey)) {
- if (netmask)
- netmask = rj_search(netmask, rj_masktop)->rj_key;
- while (tt->rj_mask != netmask)
- if ((tt = tt->rj_dupedkey) == 0)
- return -ENOENT; /* -ENXIO; (0) rgb */
- }
- if (tt->rj_mask == 0 || (saved_m = m = tt->rj_mklist) == 0)
- goto on1;
- if (m->rm_mask != tt->rj_mask) {
- printk("klips_debug:rj_delete: "
- "inconsistent annotation\n");
- goto on1;
- }
- if (--m->rm_refs >= 0)
- goto on1;
- b = -1 - tt->rj_b;
- t = saved_tt->rj_p;
- if (b > t->rj_b)
- goto on1; /* Wasn't lifted at all */
- do {
- x = t;
- t = t->rj_p;
- } while (b <= t->rj_b && x != top);
- for (mp = &x->rj_mklist; (m = *mp); mp = &m->rm_mklist)
- if (m == saved_m) {
- *mp = m->rm_mklist;
- MKFree(m);
- break;
- }
- if (m == 0)
- printk("klips_debug:rj_delete: "
- "couldn't find our annotation\n");
-on1:
- /*
- * Eliminate us from tree
- */
- if (tt->rj_flags & RJF_ROOT)
- return -EFAULT; /* (0) rgb */
-#ifdef RJ_DEBUG
- /* Get us out of the creation list */
- for (t = rj_clist; t && t->rj_ybro != tt; t = t->rj_ybro) {}
- if (t) t->rj_ybro = tt->rj_ybro;
-#endif /* RJ_DEBUG */
- t = tt->rj_p;
- if (dupedkey) {
- if (tt == saved_tt) {
- x = dupedkey; x->rj_p = t;
- if (t->rj_l == tt) t->rj_l = x; else t->rj_r = x;
- } else {
- for (x = p = saved_tt; p && p->rj_dupedkey != tt;)
- p = p->rj_dupedkey;
- if (p) p->rj_dupedkey = tt->rj_dupedkey;
- else printk("klips_debug:rj_delete: "
- "couldn't find us\n");
- }
- t = tt + 1;
- if (t->rj_flags & RJF_ACTIVE) {
-#ifndef RJ_DEBUG
- *++x = *t; p = t->rj_p;
-#else
- b = t->rj_info; *++x = *t; t->rj_info = b; p = t->rj_p;
-#endif /* RJ_DEBUG */
- if (p->rj_l == t) p->rj_l = x; else p->rj_r = x;
- x->rj_l->rj_p = x; x->rj_r->rj_p = x;
- }
- goto out;
- }
- if (t->rj_l == tt) x = t->rj_r; else x = t->rj_l;
- p = t->rj_p;
- if (p->rj_r == t) p->rj_r = x; else p->rj_l = x;
- x->rj_p = p;
- /*
- * Demote routes attached to us.
- */
- if (t->rj_mklist) {
- if (x->rj_b >= 0) {
- for (mp = &x->rj_mklist; (m = *mp);)
- mp = &m->rm_mklist;
- *mp = t->rj_mklist;
- } else {
- for (m = t->rj_mklist; m;) {
- struct radij_mask *mm = m->rm_mklist;
- if (m == x->rj_mklist && (--(m->rm_refs) < 0)) {
- x->rj_mklist = 0;
- MKFree(m);
- } else
- printk("klips_debug:rj_delete: "
- "Orphaned Mask 0p%p at 0p%p\n", m, x);
- m = mm;
- }
- }
- }
- /*
- * We may be holding an active internal node in the tree.
- */
- x = tt + 1;
- if (t != x) {
-#ifndef RJ_DEBUG
- *t = *x;
-#else
- b = t->rj_info; *t = *x; t->rj_info = b;
-#endif /* RJ_DEBUG */
- t->rj_l->rj_p = t; t->rj_r->rj_p = t;
- p = x->rj_p;
- if (p->rj_l == x) p->rj_l = t; else p->rj_r = t;
- }
-out:
- tt->rj_flags &= ~RJF_ACTIVE;
- tt[1].rj_flags &= ~RJF_ACTIVE;
- *node = tt;
- return 0; /* (tt) rgb */
-}
-
-int
-rj_walktree(h, f, w)
- struct radij_node_head *h;
- register int (*f)(struct radij_node *,void *);
- void *w;
-{
- int error;
- struct radij_node *base, *next;
- register struct radij_node *rn;
-
- if(!h || !f /* || !w */) {
- return -ENODATA;
- }
-
- rn = h->rnh_treetop;
- /*
- * This gets complicated because we may delete the node
- * while applying the function f to it, so we need to calculate
- * the successor node in advance.
- */
- /* First time through node, go left */
- while (rn->rj_b >= 0)
- rn = rn->rj_l;
- for (;;) {
-#ifdef CONFIG_IPSEC_DEBUG
- if(debug_radij) {
- printk("klips_debug:rj_walktree: "
- "for: rn=0p%p rj_b=%d rj_flags=%x",
- rn,
- rn->rj_b,
- rn->rj_flags);
- rn->rj_b >= 0 ?
- printk(" node off=%x\n",
- rn->rj_off) :
- printk(" leaf key = %08x->%08x\n",
- (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_src.s_addr),
- (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_dst.s_addr))
- ;
- }
-#endif /* CONFIG_IPSEC_DEBUG */
- base = rn;
- /* If at right child go back up, otherwise, go right */
- while (rn->rj_p->rj_r == rn && (rn->rj_flags & RJF_ROOT) == 0)
- rn = rn->rj_p;
- /* Find the next *leaf* since next node might vanish, too */
- for (rn = rn->rj_p->rj_r; rn->rj_b >= 0;)
- rn = rn->rj_l;
- next = rn;
-#ifdef CONFIG_IPSEC_DEBUG
- if(debug_radij) {
- printk("klips_debug:rj_walktree: "
- "processing leaves, rn=0p%p rj_b=%d rj_flags=%x",
- rn,
- rn->rj_b,
- rn->rj_flags);
- rn->rj_b >= 0 ?
- printk(" node off=%x\n",
- rn->rj_off) :
- printk(" leaf key = %08x->%08x\n",
- (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_src.s_addr),
- (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_dst.s_addr))
- ;
- }
-#endif /* CONFIG_IPSEC_DEBUG */
- /* Process leaves */
- while ((rn = base)) {
- base = rn->rj_dupedkey;
-#ifdef CONFIG_IPSEC_DEBUG
- if(debug_radij) {
- printk("klips_debug:rj_walktree: "
- "while: base=0p%p rn=0p%p rj_b=%d rj_flags=%x",
- base,
- rn,
- rn->rj_b,
- rn->rj_flags);
- rn->rj_b >= 0 ?
- printk(" node off=%x\n",
- rn->rj_off) :
- printk(" leaf key = %08x->%08x\n",
- (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_src.s_addr),
- (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_dst.s_addr))
- ;
- }
-#endif /* CONFIG_IPSEC_DEBUG */
- if (!(rn->rj_flags & RJF_ROOT) && (error = (*f)(rn, w)))
- return (-error);
- }
- rn = next;
- if (rn->rj_flags & RJF_ROOT)
- return (0);
- }
- /* NOTREACHED */
-}
-
-int
-rj_inithead(head, off)
- void **head;
- int off;
-{
- register struct radij_node_head *rnh;
- register struct radij_node *t, *tt, *ttt;
- if (*head)
- return (1);
- R_Malloc(rnh, struct radij_node_head *, sizeof (*rnh));
- if (rnh == NULL)
- return (0);
- Bzero(rnh, sizeof (*rnh));
- *head = rnh;
- t = rj_newpair(rj_zeroes, off, rnh->rnh_nodes);
- ttt = rnh->rnh_nodes + 2;
- t->rj_r = ttt;
- t->rj_p = t;
- tt = t->rj_l;
- tt->rj_flags = t->rj_flags = RJF_ROOT | RJF_ACTIVE;
- tt->rj_b = -1 - off;
- *ttt = *tt;
- ttt->rj_key = rj_ones;
- rnh->rnh_addaddr = rj_addroute;
- rnh->rnh_deladdr = rj_delete;
- rnh->rnh_matchaddr = rj_match;
- rnh->rnh_walktree = rj_walktree;
- rnh->rnh_treetop = t;
- return (1);
-}
-
-void
-rj_init()
-{
- char *cp, *cplim;
-
- if (maj_keylen == 0) {
- printk("klips_debug:rj_init: "
- "radij functions require maj_keylen be set\n");
- return;
- }
- R_Malloc(rj_zeroes, char *, 3 * maj_keylen);
- if (rj_zeroes == NULL)
- panic("rj_init");
- Bzero(rj_zeroes, 3 * maj_keylen);
- rj_ones = cp = rj_zeroes + maj_keylen;
- maskedKey = cplim = rj_ones + maj_keylen;
- while (cp < cplim)
- *cp++ = -1;
- if (rj_inithead((void **)&mask_rjhead, 0) == 0)
- panic("rj_init 2");
-}
-
-void
-rj_preorder(struct radij_node *rn, int l)
-{
- int i;
-
- if (rn == NULL){
- printk("klips_debug:rj_preorder: "
- "NULL pointer\n");
- return;
- }
-
- if (rn->rj_b >= 0){
- rj_preorder(rn->rj_l, l+1);
- rj_preorder(rn->rj_r, l+1);
- printk("klips_debug:");
- for (i=0; i<l; i++)
- printk("*");
- printk(" off = %d\n",
- rn->rj_off);
- } else {
- printk("klips_debug:");
- for (i=0; i<l; i++)
- printk("@");
- printk(" flags = %x",
- (u_int)rn->rj_flags);
- if (rn->rj_flags & RJF_ACTIVE) {
- printk(" @key=0p%p",
- rn->rj_key);
- printk(" key = %08x->%08x",
- (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_src.s_addr),
- (u_int)ntohl(((struct sockaddr_encap *)rn->rj_key)->sen_ip_dst.s_addr));
- printk(" @mask=0p%p",
- rn->rj_mask);
- if (rn->rj_mask)
- printk(" mask = %08x->%08x",
- (u_int)ntohl(((struct sockaddr_encap *)rn->rj_mask)->sen_ip_src.s_addr),
- (u_int)ntohl(((struct sockaddr_encap *)rn->rj_mask)->sen_ip_dst.s_addr));
- if (rn->rj_dupedkey)
- printk(" dupedkey = 0p%p",
- rn->rj_dupedkey);
- }
- printk("\n");
- }
-}
-
-#ifdef RJ_DEBUG
-DEBUG_NO_STATIC void traverse(struct radij_node *p)
-{
- rj_preorder(p, 0);
-}
-#endif /* RJ_DEBUG */
-
-void
-rj_dumptrees(void)
-{
- rj_preorder(rnh->rnh_treetop, 0);
-}
-
-void
-rj_free_mkfreelist(void)
-{
- struct radij_mask *mknp, *mknp2;
-
- mknp = rj_mkfreelist;
- while(mknp)
- {
- mknp2 = mknp;
- mknp = mknp->rm_mklist;
- kfree(mknp2);
- }
-}
-
-int
-radijcleartree(void)
-{
- return rj_walktree(rnh, ipsec_rj_walker_delete, NULL);
-}
-
-int
-radijcleanup(void)
-{
- int error = 0;
-
- error = radijcleartree();
-
- rj_free_mkfreelist();
-
-/* rj_walktree(mask_rjhead, ipsec_rj_walker_delete, NULL); */
- if(mask_rjhead) {
- kfree(mask_rjhead);
- }
-
- if(rj_zeroes) {
- kfree(rj_zeroes);
- }
-
- if(rnh) {
- kfree(rnh);
- }
-
- return error;
-}
-
diff --git a/linux/net/ipsec/sysctl_net_ipsec.c b/linux/net/ipsec/sysctl_net_ipsec.c
deleted file mode 100644
index b494329f6..000000000
--- a/linux/net/ipsec/sysctl_net_ipsec.c
+++ /dev/null
@@ -1,196 +0,0 @@
-/*
- * sysctl interface to net IPSEC subsystem.
- * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: sysctl_net_ipsec.c,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-
-/* -*- linux-c -*-
- *
- * Initiated April 3, 1998, Richard Guy Briggs <rgb@conscoop.ottawa.on.ca>
- */
-
-#include <linux/mm.h>
-#include <linux/sysctl.h>
-
-#include "freeswan/ipsec_param.h"
-
-#ifdef CONFIG_SYSCTL
-
-#define NET_IPSEC 2112 /* Random number */
-#ifdef CONFIG_IPSEC_DEBUG
-extern int debug_ah;
-extern int debug_esp;
-extern int debug_tunnel;
-extern int debug_eroute;
-extern int debug_spi;
-extern int debug_radij;
-extern int debug_netlink;
-extern int debug_xform;
-extern int debug_rcv;
-extern int debug_pfkey;
-extern int sysctl_ipsec_debug_verbose;
-#ifdef CONFIG_IPSEC_IPCOMP
-extern int sysctl_ipsec_debug_ipcomp;
-#endif /* CONFIG_IPSEC_IPCOMP */
-#endif /* CONFIG_IPSEC_DEBUG */
-
-extern int sysctl_ipsec_icmp;
-extern int sysctl_ipsec_inbound_policy_check;
-extern int sysctl_ipsec_tos;
-int sysctl_ipsec_regress_pfkey_lossage;
-
-enum {
-#ifdef CONFIG_IPSEC_DEBUG
- NET_IPSEC_DEBUG_AH=1,
- NET_IPSEC_DEBUG_ESP=2,
- NET_IPSEC_DEBUG_TUNNEL=3,
- NET_IPSEC_DEBUG_EROUTE=4,
- NET_IPSEC_DEBUG_SPI=5,
- NET_IPSEC_DEBUG_RADIJ=6,
- NET_IPSEC_DEBUG_NETLINK=7,
- NET_IPSEC_DEBUG_XFORM=8,
- NET_IPSEC_DEBUG_RCV=9,
- NET_IPSEC_DEBUG_PFKEY=10,
- NET_IPSEC_DEBUG_VERBOSE=11,
- NET_IPSEC_DEBUG_IPCOMP=12,
-#endif /* CONFIG_IPSEC_DEBUG */
- NET_IPSEC_ICMP=13,
- NET_IPSEC_INBOUND_POLICY_CHECK=14,
- NET_IPSEC_TOS=15,
- NET_IPSEC_REGRESS_PFKEY_LOSSAGE=16,
-};
-
-static ctl_table ipsec_table[] = {
-#ifdef CONFIG_IPSEC_DEBUG
- { NET_IPSEC_DEBUG_AH, "debug_ah", &debug_ah,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_ESP, "debug_esp", &debug_esp,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_TUNNEL, "debug_tunnel", &debug_tunnel,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_EROUTE, "debug_eroute", &debug_eroute,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_SPI, "debug_spi", &debug_spi,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_RADIJ, "debug_radij", &debug_radij,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_NETLINK, "debug_netlink", &debug_netlink,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_XFORM, "debug_xform", &debug_xform,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_RCV, "debug_rcv", &debug_rcv,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_PFKEY, "debug_pfkey", &debug_pfkey,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_DEBUG_VERBOSE, "debug_verbose",&sysctl_ipsec_debug_verbose,
- sizeof(int), 0644, NULL, &proc_dointvec},
-#ifdef CONFIG_IPSEC_IPCOMP
- { NET_IPSEC_DEBUG_IPCOMP, "debug_ipcomp", &sysctl_ipsec_debug_ipcomp,
- sizeof(int), 0644, NULL, &proc_dointvec},
-#endif /* CONFIG_IPSEC_IPCOMP */
-
-#ifdef CONFIG_IPSEC_REGRESS
- { NET_IPSEC_REGRESS_PFKEY_LOSSAGE, "pfkey_lossage",
- &sysctl_ipsec_regress_pfkey_lossage,
- sizeof(int), 0644, NULL, &proc_dointvec},
-#endif /* CONFIG_IPSEC_REGRESS */
-
-#endif /* CONFIG_IPSEC_DEBUG */
- { NET_IPSEC_ICMP, "icmp", &sysctl_ipsec_icmp,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_INBOUND_POLICY_CHECK, "inbound_policy_check", &sysctl_ipsec_inbound_policy_check,
- sizeof(int), 0644, NULL, &proc_dointvec},
- { NET_IPSEC_TOS, "tos", &sysctl_ipsec_tos,
- sizeof(int), 0644, NULL, &proc_dointvec},
- {0}
-};
-
-static ctl_table ipsec_net_table[] = {
- { NET_IPSEC, "ipsec", NULL, 0, 0555, ipsec_table },
- { 0 }
-};
-
-static ctl_table ipsec_root_table[] = {
- { CTL_NET, "net", NULL, 0, 0555, ipsec_net_table },
- { 0 }
-};
-
-static struct ctl_table_header *ipsec_table_header;
-
-int ipsec_sysctl_register(void)
-{
- ipsec_table_header = register_sysctl_table(ipsec_root_table, 0);
- if (!ipsec_table_header) {
- return -ENOMEM;
- }
- return 0;
-}
-
-void ipsec_sysctl_unregister(void)
-{
- unregister_sysctl_table(ipsec_table_header);
-}
-
-#endif /* CONFIG_SYSCTL */
-
-/*
- * $Log: sysctl_net_ipsec.c,v $
- * Revision 1.1 2004/03/15 20:35:27 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.15 2002/04/24 07:55:32 mcr
- * #include patches and Makefiles for post-reorg compilation.
- *
- * Revision 1.14 2002/04/24 07:36:35 mcr
- * Moved from ./klips/net/ipsec/sysctl_net_ipsec.c,v
- *
- * Revision 1.13 2002/01/12 02:58:32 mcr
- * first regression test causes acquire messages to be lost
- * 100% of the time. This is to help testing of pluto.
- *
- * Revision 1.12 2001/06/14 19:35:13 rgb
- * Update copyright date.
- *
- * Revision 1.11 2001/02/26 19:58:13 rgb
- * Drop sysctl_ipsec_{no_eroute_pass,opportunistic}, replaced by magic SAs.
- *
- * Revision 1.10 2000/09/16 01:50:15 rgb
- * Protect sysctl_ipsec_debug_ipcomp with compiler defines too so that the
- * linker won't blame rj_delete() for missing symbols. ;-> Damn statics...
- *
- * Revision 1.9 2000/09/15 23:17:51 rgb
- * Moved stuff around to compile with debug off.
- *
- * Revision 1.8 2000/09/15 11:37:02 rgb
- * Merge in heavily modified Svenning Soerensen's <svenning@post5.tele.dk>
- * IPCOMP zlib deflate code.
- *
- * Revision 1.7 2000/09/15 07:37:15 rgb
- * Munged silly log comment that was causing a warning.
- *
- * Revision 1.6 2000/09/15 04:58:23 rgb
- * Added tos runtime switch.
- * Removed 'sysctl_ipsec_' prefix from /proc/sys/net/ipsec/ filenames.
- *
- * Revision 1.5 2000/09/12 03:25:28 rgb
- * Filled in and implemented sysctl.
- *
- * Revision 1.4 1999/04/11 00:29:03 henry
- * GPL boilerplate
- *
- * Revision 1.3 1999/04/06 04:54:29 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- */
diff --git a/linux/net/ipsec/tagsfile.mak b/linux/net/ipsec/tagsfile.mak
deleted file mode 100644
index b2a5126a2..000000000
--- a/linux/net/ipsec/tagsfile.mak
+++ /dev/null
@@ -1,6 +0,0 @@
-TAGS:
- etags *.c ../../include/*.h ../../include/freeswan/*.h
- ctags *.c ../../include/*.h ../../include/freeswan/*.h
-
-
-
diff --git a/linux/net/ipv4/af_inet.c.fs2_0.patch b/linux/net/ipv4/af_inet.c.fs2_0.patch
deleted file mode 100644
index bc8a5083c..000000000
--- a/linux/net/ipv4/af_inet.c.fs2_0.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-RCSID $Id: af_inet.c.fs2_0.patch,v 1.1 2004/03/15 20:35:27 as Exp $
---- ./net/ipv4/af_inet.c.preipsec Wed Jun 3 18:17:50 1998
-+++ ./net/ipv4/af_inet.c Fri Sep 17 10:14:12 1999
-@@ -1146,6 +1146,17 @@
- ip_alias_init();
- #endif
-
-+#if defined(CONFIG_IPSEC)
-+ {
-+ extern /* void */ int ipsec_init(void);
-+ /*
-+ * Initialise AF_INET ESP and AH protocol support including
-+ * e-routing and SA tables
-+ */
-+ ipsec_init();
-+ }
-+#endif /* CONFIG_IPSEC */
-+
- #ifdef CONFIG_INET_RARP
- rarp_ioctl_hook = rarp_ioctl;
- #endif
diff --git a/linux/net/ipv4/af_inet.c.fs2_2.patch b/linux/net/ipv4/af_inet.c.fs2_2.patch
deleted file mode 100644
index 00c85baf3..000000000
--- a/linux/net/ipv4/af_inet.c.fs2_2.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-RCSID $Id: af_inet.c.fs2_2.patch,v 1.1 2004/03/15 20:35:27 as Exp $
---- ./net/ipv4/af_inet.c.preipsec Mon Aug 9 15:05:13 1999
-+++ ./net/ipv4/af_inet.c Fri Sep 17 10:13:07 1999
-@@ -1140,6 +1140,17 @@
- ip_mr_init();
- #endif
-
-+#if defined(CONFIG_IPSEC)
-+ {
-+ extern /* void */ int ipsec_init(void);
-+ /*
-+ * Initialise AF_INET ESP and AH protocol support including
-+ * e-routing and SA tables
-+ */
-+ ipsec_init();
-+ }
-+#endif /* CONFIG_IPSEC */
-+
- #ifdef CONFIG_INET_RARP
- rarp_ioctl_hook = rarp_ioctl;
- #endif
diff --git a/linux/net/ipv4/af_inet.c.fs2_4.patch b/linux/net/ipv4/af_inet.c.fs2_4.patch
deleted file mode 100644
index 70290e3c8..000000000
--- a/linux/net/ipv4/af_inet.c.fs2_4.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-RCSID $Id: af_inet.c.fs2_4.patch,v 1.1 2004/03/15 20:35:27 as Exp $
---- ./net/ipv4/af_inet.c.preipsec Wed Apr 26 15:13:17 2000
-+++ ./net/ipv4/af_inet.c Fri Jun 30 15:01:27 2000
-@@ -1019,6 +1019,17 @@
- ip_mr_init();
- #endif
-
-+#if defined(CONFIG_IPSEC)
-+ {
-+ extern /* void */ int ipsec_init(void);
-+ /*
-+ * Initialise AF_INET ESP and AH protocol support including
-+ * e-routing and SA tables
-+ */
-+ ipsec_init();
-+ }
-+#endif /* CONFIG_IPSEC */
-+
- /*
- * Create all the /proc entries.
- */
diff --git a/linux/net/ipv4/udp.c.fs2_2.patch b/linux/net/ipv4/udp.c.fs2_2.patch
deleted file mode 100644
index 767ddaa23..000000000
--- a/linux/net/ipv4/udp.c.fs2_2.patch
+++ /dev/null
@@ -1,108 +0,0 @@
---- ./net/ipv4/udp.c Sun Mar 25 18:37:41 2001
-+++ ./net/ipv4/udp.c Mon Jun 10 19:53:18 2002
-@@ -965,6 +965,9 @@
-
- static int udp_queue_rcv_skb(struct sock * sk, struct sk_buff *skb)
- {
-+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-+ struct udp_opt *tp = &(sk->tp_pinfo.af_udp);
-+#endif
- /*
- * Charge it to the socket, dropping if the queue is full.
- */
-@@ -982,6 +985,38 @@
- }
- #endif
-
-+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-+ if (tp->esp_in_udp) {
-+ /*
-+ * Set skb->sk and xmit packet to ipsec_rcv.
-+ *
-+ * If ret != 0, ipsec_rcv refused the packet (not ESPinUDP),
-+ * restore skb->sk and fall back to sock_queue_rcv_skb
-+ */
-+ struct inet_protocol *esp = NULL;
-+
-+#ifdef CONFIG_IPSEC_MODULE
-+ for (esp = (struct inet_protocol *)inet_protos[IPPROTO_ESP & (MAX_INET_PROTOS - 1)];
-+ (esp) && (esp->protocol != IPPROTO_ESP);
-+ esp = esp->next);
-+#else
-+ extern struct inet_protocol esp_protocol;
-+ esp = &esp_protocol;
-+#endif
-+
-+ if (esp && esp->handler) {
-+ struct sock *sav_sk = skb->sk;
-+ skb->sk = sk;
-+ if (esp->handler(skb, 0) == 0) {
-+ skb->sk = sav_sk;
-+ /* not sure we might count ESPinUDP as UDP... */
-+ udp_statistics.UdpInDatagrams++;
-+ return 0;
-+ }
-+ skb->sk = sav_sk;
-+ }
-+ }
-+#endif
- if (sock_queue_rcv_skb(sk,skb)<0) {
- udp_statistics.UdpInErrors++;
- ip_statistics.IpInDiscards++;
-@@ -1165,6 +1200,44 @@
- return(0);
- }
-
-+#if 1
-+static int udp_setsockopt(struct sock *sk, int level, int optname,
-+ char *optval, int optlen)
-+{
-+ struct udp_opt *tp = &(sk->tp_pinfo.af_udp);
-+ int val;
-+ int err = 0;
-+
-+ if (level != SOL_UDP)
-+ return ip_setsockopt(sk, level, optname, optval, optlen);
-+
-+ if(optlen<sizeof(int))
-+ return -EINVAL;
-+
-+ if (get_user(val, (int *)optval))
-+ return -EFAULT;
-+
-+ lock_sock(sk);
-+
-+ switch(optname) {
-+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-+#ifndef UDP_ESPINUDP
-+#define UDP_ESPINUDP 100
-+#endif
-+ case UDP_ESPINUDP:
-+ tp->esp_in_udp = val;
-+ break;
-+#endif
-+ default:
-+ err = -ENOPROTOOPT;
-+ break;
-+ }
-+
-+ release_sock(sk);
-+ return err;
-+}
-+#endif
-+
- struct proto udp_prot = {
- (struct sock *)&udp_prot, /* sklist_next */
- (struct sock *)&udp_prot, /* sklist_prev */
-@@ -1179,7 +1252,11 @@
- NULL, /* init */
- NULL, /* destroy */
- NULL, /* shutdown */
-+#if 1
-+ udp_setsockopt, /* setsockopt */
-+#else
- ip_setsockopt, /* setsockopt */
-+#endif
- ip_getsockopt, /* getsockopt */
- udp_sendmsg, /* sendmsg */
- udp_recvmsg, /* recvmsg */
diff --git a/linux/net/ipv4/udp.c.fs2_4.patch b/linux/net/ipv4/udp.c.fs2_4.patch
deleted file mode 100644
index 87b208bac..000000000
--- a/linux/net/ipv4/udp.c.fs2_4.patch
+++ /dev/null
@@ -1,107 +0,0 @@
---- ./net/ipv4/udp.c 2002/02/26 14:54:22 1.2
-+++ ./net/ipv4/udp.c 2002/05/22 12:14:58
-@@ -777,6 +777,9 @@
-
- static int udp_queue_rcv_skb(struct sock * sk, struct sk_buff *skb)
- {
-+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-+ struct udp_opt *tp = &(sk->tp_pinfo.af_udp);
-+#endif
- /*
- * Charge it to the socket, dropping if the queue is full.
- */
-@@ -794,6 +797,38 @@
- }
- #endif
-
-+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-+ if (tp->esp_in_udp) {
-+ /*
-+ * Set skb->sk and xmit packet to ipsec_rcv.
-+ *
-+ * If ret != 0, ipsec_rcv refused the packet (not ESPinUDP),
-+ * restore skb->sk and fall back to sock_queue_rcv_skb
-+ */
-+ struct inet_protocol *esp = NULL;
-+
-+#ifdef CONFIG_IPSEC_MODULE
-+ for (esp = (struct inet_protocol *)inet_protos[IPPROTO_ESP & (MAX_INET_PROTOS - 1)];
-+ (esp) && (esp->protocol != IPPROTO_ESP);
-+ esp = esp->next);
-+#else
-+ extern struct inet_protocol esp_protocol;
-+ esp = &esp_protocol;
-+#endif
-+
-+ if (esp && esp->handler) {
-+ struct sock *sav_sk = skb->sk;
-+ skb->sk = sk;
-+ if (esp->handler(skb) == 0) {
-+ skb->sk = sav_sk;
-+ /* not sure we might count ESPinUDP as UDP... */
-+ UDP_INC_STATS_BH(UdpInDatagrams);
-+ return 0;
-+ }
-+ skb->sk = sav_sk;
-+ }
-+ }
-+#endif
- if (sock_queue_rcv_skb(sk,skb)<0) {
- UDP_INC_STATS_BH(UdpInErrors);
- IP_INC_STATS_BH(IpInDiscards);
-@@ -1010,13 +1045,55 @@
- return len;
- }
-
-+#if 1
-+static int udp_setsockopt(struct sock *sk, int level, int optname,
-+ char *optval, int optlen)
-+{
-+ struct udp_opt *tp = &(sk->tp_pinfo.af_udp);
-+ int val;
-+ int err = 0;
-+
-+ if (level != SOL_UDP)
-+ return ip_setsockopt(sk, level, optname, optval, optlen);
-+
-+ if(optlen<sizeof(int))
-+ return -EINVAL;
-+
-+ if (get_user(val, (int *)optval))
-+ return -EFAULT;
-+
-+ lock_sock(sk);
-+
-+ switch(optname) {
-+#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
-+#ifndef UDP_ESPINUDP
-+#define UDP_ESPINUDP 100
-+#endif
-+ case UDP_ESPINUDP:
-+ tp->esp_in_udp = val;
-+ break;
-+#endif
-+ default:
-+ err = -ENOPROTOOPT;
-+ break;
-+ }
-+
-+ release_sock(sk);
-+ return err;
-+}
-+#endif
-+
- struct proto udp_prot = {
- name: "UDP",
- close: udp_close,
- connect: udp_connect,
- disconnect: udp_disconnect,
- ioctl: udp_ioctl,
-+#if 1
-+ setsockopt: udp_setsockopt,
-+#else
- setsockopt: ip_setsockopt,
-+#endif
- getsockopt: ip_getsockopt,
- sendmsg: udp_sendmsg,
- recvmsg: udp_recvmsg,
diff --git a/ltmain.sh b/ltmain.sh
new file mode 100644
index 000000000..8f7a6ac10
--- /dev/null
+++ b/ltmain.sh
@@ -0,0 +1,6971 @@
+# ltmain.sh - Provide generalized library-building support services.
+# NOTE: Changing this file will not affect anything until you rerun configure.
+#
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005
+# Free Software Foundation, Inc.
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+basename="s,^.*/,,g"
+
+# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
+# is ksh but when the shell is invoked as "sh" and the current value of
+# the _XPG environment variable is not equal to 1 (one), the special
+# positional parameter $0, within a function call, is the name of the
+# function.
+progpath="$0"
+
+# define SED for historic ltconfig's generated by Libtool 1.3
+test -z "$SED" && SED=sed
+
+# The name of this program:
+progname=`echo "$progpath" | $SED $basename`
+modename="$progname"
+
+# Global variables:
+EXIT_SUCCESS=0
+EXIT_FAILURE=1
+
+PROGRAM=ltmain.sh
+PACKAGE=libtool
+VERSION=1.5.22
+TIMESTAMP=" (1.1220.2.365 2005/12/18 22:14:06)"
+
+# See if we are running on zsh, and set the options which allow our
+# commands through without removal of \ escapes.
+if test -n "${ZSH_VERSION+set}" ; then
+ setopt NO_GLOB_SUBST
+fi
+# Same for EGREP, and just to be sure, do LTCC as well
+if test "X$EGREP" = X ; then
+ EGREP=egrep
+fi
+if test "X$LTCC" = X ; then
+ LTCC=${CC-gcc}
+fi
+
+# Check that we have a working $echo.
+if test "X$1" = X--no-reexec; then
+ # Discard the --no-reexec flag, and continue.
+ shift
+elif test "X$1" = X--fallback-echo; then
+ # Avoid inline document here, it may be left over
+ :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
+ # Yippee, $echo works!
+ :
+else
+ # Restart under the correct shell, and then maybe $echo will work.
+ exec $SHELL "$progpath" --no-reexec ${1+"$@"}
+fi
+
+if test "X$1" = X--fallback-echo; then
+ # used as fallback echo
+ shift
+ cat <<EOF
+$*
+EOF
+ exit $EXIT_SUCCESS
+fi
+
+default_mode=
+help="Try \`$progname --help' for more information."
+magic="%%%MAGIC variable%%%"
+mkdir="mkdir"
+mv="mv -f"
+rm="rm -f"
+
+# Sed substitution that helps us do robust quoting. It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed="${SED}"' -e 1s/^X//'
+sed_quote_subst='s/\([\\`\\"$\\\\]\)/\\\1/g'
+# test EBCDIC or ASCII
+case `echo X|tr X '\101'` in
+ A) # ASCII based system
+ # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr
+ SP2NL='tr \040 \012'
+ NL2SP='tr \015\012 \040\040'
+ ;;
+ *) # EBCDIC based system
+ SP2NL='tr \100 \n'
+ NL2SP='tr \r\n \100\100'
+ ;;
+esac
+
+# NLS nuisances.
+# Only set LANG and LC_ALL to C if already set.
+# These must not be set unconditionally because not all systems understand
+# e.g. LANG=C (notably SCO).
+# We save the old values to restore during execute mode.
+if test "${LC_ALL+set}" = set; then
+ save_LC_ALL="$LC_ALL"; LC_ALL=C; export LC_ALL
+fi
+if test "${LANG+set}" = set; then
+ save_LANG="$LANG"; LANG=C; export LANG
+fi
+
+# Make sure IFS has a sensible default
+lt_nl='
+'
+IFS=" $lt_nl"
+
+if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
+ $echo "$modename: not configured to build any kind of library" 1>&2
+ $echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2
+ exit $EXIT_FAILURE
+fi
+
+# Global variables.
+mode=$default_mode
+nonopt=
+prev=
+prevopt=
+run=
+show="$echo"
+show_help=
+execute_dlfiles=
+duplicate_deps=no
+preserve_args=
+lo2o="s/\\.lo\$/.${objext}/"
+o2lo="s/\\.${objext}\$/.lo/"
+
+if test -z "$max_cmd_len"; then
+ i=0
+ testring="ABCD"
+ new_result=
+
+ # If test is not a shell built-in, we'll probably end up computing a
+ # maximum length that is only half of the actual maximum length, but
+ # we can't tell.
+ while (test "X"`$SHELL $0 --fallback-echo "X$testring" 2>/dev/null` \
+ = "XX$testring") >/dev/null 2>&1 &&
+ new_result=`expr "X$testring" : ".*" 2>&1` &&
+ max_cmd_len="$new_result" &&
+ test "$i" != 17 # 1/2 MB should be enough
+ do
+ i=`expr $i + 1`
+ testring="$testring$testring"
+ done
+ testring=
+ # Add a significant safety factor because C++ compilers can tack on massive
+ # amounts of additional arguments before passing them to the linker.
+ # It appears as though 1/2 is a usable value.
+ max_cmd_len=`expr $max_cmd_len \/ 2`
+fi
+
+#####################################
+# Shell function definitions:
+# This seems to be the best place for them
+
+# func_mktempdir [string]
+# Make a temporary directory that won't clash with other running
+# libtool processes, and avoids race conditions if possible. If
+# given, STRING is the basename for that directory.
+func_mktempdir ()
+{
+ my_template="${TMPDIR-/tmp}/${1-$progname}"
+
+ if test "$run" = ":"; then
+ # Return a directory name, but don't create it in dry-run mode
+ my_tmpdir="${my_template}-$$"
+ else
+
+ # If mktemp works, use that first and foremost
+ my_tmpdir=`mktemp -d "${my_template}-XXXXXXXX" 2>/dev/null`
+
+ if test ! -d "$my_tmpdir"; then
+ # Failing that, at least try and use $RANDOM to avoid a race
+ my_tmpdir="${my_template}-${RANDOM-0}$$"
+
+ save_mktempdir_umask=`umask`
+ umask 0077
+ $mkdir "$my_tmpdir"
+ umask $save_mktempdir_umask
+ fi
+
+ # If we're not in dry-run mode, bomb out on failure
+ test -d "$my_tmpdir" || {
+ $echo "cannot create temporary directory \`$my_tmpdir'" 1>&2
+ exit $EXIT_FAILURE
+ }
+ fi
+
+ $echo "X$my_tmpdir" | $Xsed
+}
+
+
+# func_win32_libid arg
+# return the library type of file 'arg'
+#
+# Need a lot of goo to handle *both* DLLs and import libs
+# Has to be a shell function in order to 'eat' the argument
+# that is supplied when $file_magic_command is called.
+func_win32_libid ()
+{
+ win32_libid_type="unknown"
+ win32_fileres=`file -L $1 2>/dev/null`
+ case $win32_fileres in
+ *ar\ archive\ import\ library*) # definitely import
+ win32_libid_type="x86 archive import"
+ ;;
+ *ar\ archive*) # could be an import, or static
+ if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | \
+ $EGREP -e 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
+ win32_nmres=`eval $NM -f posix -A $1 | \
+ $SED -n -e '1,100{/ I /{s,.*,import,;p;q;};}'`
+ case $win32_nmres in
+ import*) win32_libid_type="x86 archive import";;
+ *) win32_libid_type="x86 archive static";;
+ esac
+ fi
+ ;;
+ *DLL*)
+ win32_libid_type="x86 DLL"
+ ;;
+ *executable*) # but shell scripts are "executable" too...
+ case $win32_fileres in
+ *MS\ Windows\ PE\ Intel*)
+ win32_libid_type="x86 DLL"
+ ;;
+ esac
+ ;;
+ esac
+ $echo $win32_libid_type
+}
+
+
+# func_infer_tag arg
+# Infer tagged configuration to use if any are available and
+# if one wasn't chosen via the "--tag" command line option.
+# Only attempt this if the compiler in the base compile
+# command doesn't match the default compiler.
+# arg is usually of the form 'gcc ...'
+func_infer_tag ()
+{
+ if test -n "$available_tags" && test -z "$tagname"; then
+ CC_quoted=
+ for arg in $CC; do
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ CC_quoted="$CC_quoted $arg"
+ done
+ case $@ in
+ # Blanks in the command may have been stripped by the calling shell,
+ # but not from the CC environment variable when configure was run.
+ " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*) ;;
+ # Blanks at the start of $base_compile will cause this to fail
+ # if we don't check for them as well.
+ *)
+ for z in $available_tags; do
+ if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then
+ # Evaluate the configuration.
+ eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`"
+ CC_quoted=
+ for arg in $CC; do
+ # Double-quote args containing other shell metacharacters.
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ CC_quoted="$CC_quoted $arg"
+ done
+ # user sometimes does CC=<HOST>-gcc so we need to match that to 'gcc'
+ trimedcc=`echo ${CC} | $SED -e "s/${host}-//g"`
+ # and sometimes libtool has CC=<HOST>-gcc but user does CC=gcc
+ extendcc=${host}-${CC}
+ # and sometimes libtool has CC=<OLDHOST>-gcc but user has CC=<NEWHOST>-gcc
+ # (Gentoo-specific hack because we always export $CHOST)
+ mungedcc=${CHOST-${host}}-${trimedcc}
+ case "$@ " in
+ "cc "* | " cc "* | "${host}-cc "* | " ${host}-cc "*|\
+ "gcc "* | " gcc "* | "${host}-gcc "* | " ${host}-gcc "*)
+ tagname=CC
+ break ;;
+ "$trimedcc "* | " $trimedcc "* | "`$echo $trimedcc` "* | " `$echo $trimedcc` "*|\
+ "$extendcc "* | " $extendcc "* | "`$echo $extendcc` "* | " `$echo $extendcc` "*|\
+ "$mungedcc "* | " $mungedcc "* | "`$echo $mungedcc` "* | " `$echo $mungedcc` "*|\
+ " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*)
+ # The compiler in the base compile command matches
+ # the one in the tagged configuration.
+ # Assume this is the tagged configuration we want.
+ tagname=$z
+ break
+ ;;
+ esac
+ fi
+ done
+ # If $tagname still isn't set, then no tagged configuration
+ # was found and let the user know that the "--tag" command
+ # line option must be used.
+ if test -z "$tagname"; then
+ $echo "$modename: unable to infer tagged configuration"
+ $echo "$modename: specify a tag with \`--tag'" 1>&2
+ exit $EXIT_FAILURE
+# else
+# $echo "$modename: using $tagname tagged configuration"
+ fi
+ ;;
+ esac
+ fi
+}
+
+
+# func_extract_an_archive dir oldlib
+func_extract_an_archive ()
+{
+ f_ex_an_ar_dir="$1"; shift
+ f_ex_an_ar_oldlib="$1"
+
+ $show "(cd $f_ex_an_ar_dir && $AR x $f_ex_an_ar_oldlib)"
+ $run eval "(cd \$f_ex_an_ar_dir && $AR x \$f_ex_an_ar_oldlib)" || exit $?
+ if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then
+ :
+ else
+ $echo "$modename: ERROR: object name conflicts: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib" 1>&2
+ exit $EXIT_FAILURE
+ fi
+}
+
+# func_extract_archives gentop oldlib ...
+func_extract_archives ()
+{
+ my_gentop="$1"; shift
+ my_oldlibs=${1+"$@"}
+ my_oldobjs=""
+ my_xlib=""
+ my_xabs=""
+ my_xdir=""
+ my_status=""
+
+ $show "${rm}r $my_gentop"
+ $run ${rm}r "$my_gentop"
+ $show "$mkdir $my_gentop"
+ $run $mkdir "$my_gentop"
+ my_status=$?
+ if test "$my_status" -ne 0 && test ! -d "$my_gentop"; then
+ exit $my_status
+ fi
+
+ for my_xlib in $my_oldlibs; do
+ # Extract the objects.
+ case $my_xlib in
+ [\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;;
+ *) my_xabs=`pwd`"/$my_xlib" ;;
+ esac
+ my_xlib=`$echo "X$my_xlib" | $Xsed -e 's%^.*/%%'`
+ my_xdir="$my_gentop/$my_xlib"
+
+ $show "${rm}r $my_xdir"
+ $run ${rm}r "$my_xdir"
+ $show "$mkdir $my_xdir"
+ $run $mkdir "$my_xdir"
+ exit_status=$?
+ if test "$exit_status" -ne 0 && test ! -d "$my_xdir"; then
+ exit $exit_status
+ fi
+ case $host in
+ *-darwin*)
+ $show "Extracting $my_xabs"
+ # Do not bother doing anything if just a dry run
+ if test -z "$run"; then
+ darwin_orig_dir=`pwd`
+ cd $my_xdir || exit $?
+ darwin_archive=$my_xabs
+ darwin_curdir=`pwd`
+ darwin_base_archive=`$echo "X$darwin_archive" | $Xsed -e 's%^.*/%%'`
+ darwin_arches=`lipo -info "$darwin_archive" 2>/dev/null | $EGREP Architectures 2>/dev/null`
+ if test -n "$darwin_arches"; then
+ darwin_arches=`echo "$darwin_arches" | $SED -e 's/.*are://'`
+ darwin_arch=
+ $show "$darwin_base_archive has multiple architectures $darwin_arches"
+ for darwin_arch in $darwin_arches ; do
+ mkdir -p "unfat-$$/${darwin_base_archive}-${darwin_arch}"
+ lipo -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}"
+ cd "unfat-$$/${darwin_base_archive}-${darwin_arch}"
+ func_extract_an_archive "`pwd`" "${darwin_base_archive}"
+ cd "$darwin_curdir"
+ $rm "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}"
+ done # $darwin_arches
+ ## Okay now we have a bunch of thin objects, gotta fatten them up :)
+ darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print| xargs basename | sort -u | $NL2SP`
+ darwin_file=
+ darwin_files=
+ for darwin_file in $darwin_filelist; do
+ darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
+ lipo -create -output "$darwin_file" $darwin_files
+ done # $darwin_filelist
+ ${rm}r unfat-$$
+ cd "$darwin_orig_dir"
+ else
+ cd "$darwin_orig_dir"
+ func_extract_an_archive "$my_xdir" "$my_xabs"
+ fi # $darwin_arches
+ fi # $run
+ ;;
+ *)
+ func_extract_an_archive "$my_xdir" "$my_xabs"
+ ;;
+ esac
+ my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
+ done
+ func_extract_archives_result="$my_oldobjs"
+}
+# End of Shell function definitions
+#####################################
+
+# Darwin sucks
+eval std_shrext=\"$shrext_cmds\"
+
+disable_libs=no
+
+# Parse our command line options once, thoroughly.
+while test "$#" -gt 0
+do
+ arg="$1"
+ shift
+
+ case $arg in
+ -*=*) optarg=`$echo "X$arg" | $Xsed -e 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ # If the previous option needs an argument, assign it.
+ if test -n "$prev"; then
+ case $prev in
+ execute_dlfiles)
+ execute_dlfiles="$execute_dlfiles $arg"
+ ;;
+ tag)
+ tagname="$arg"
+ preserve_args="${preserve_args}=$arg"
+
+ # Check whether tagname contains only valid characters
+ case $tagname in
+ *[!-_A-Za-z0-9,/]*)
+ $echo "$progname: invalid tag name: $tagname" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ esac
+
+ case $tagname in
+ CC)
+ # Don't test for the "default" C tag, as we know, it's there, but
+ # not specially marked.
+ ;;
+ *)
+ if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$progpath" > /dev/null; then
+ taglist="$taglist $tagname"
+ # Evaluate the configuration.
+ eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^# ### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $progpath`"
+ else
+ $echo "$progname: ignoring unknown tag $tagname" 1>&2
+ fi
+ ;;
+ esac
+ ;;
+ *)
+ eval "$prev=\$arg"
+ ;;
+ esac
+
+ prev=
+ prevopt=
+ continue
+ fi
+
+ # Have we seen a non-optional argument yet?
+ case $arg in
+ --help)
+ show_help=yes
+ ;;
+
+ --version)
+ $echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP"
+ $echo
+ $echo "Copyright (C) 2005 Free Software Foundation, Inc."
+ $echo "This is free software; see the source for copying conditions. There is NO"
+ $echo "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+ exit $?
+ ;;
+
+ --config)
+ ${SED} -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $progpath
+ # Now print the configurations for the tags.
+ for tagname in $taglist; do
+ ${SED} -n -e "/^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$/,/^# ### END LIBTOOL TAG CONFIG: $tagname$/p" < "$progpath"
+ done
+ exit $?
+ ;;
+
+ --debug)
+ $echo "$progname: enabling shell trace mode"
+ set -x
+ preserve_args="$preserve_args $arg"
+ ;;
+
+ --dry-run | -n)
+ run=:
+ ;;
+
+ --features)
+ $echo "host: $host"
+ if test "$build_libtool_libs" = yes; then
+ $echo "enable shared libraries"
+ else
+ $echo "disable shared libraries"
+ fi
+ if test "$build_old_libs" = yes; then
+ $echo "enable static libraries"
+ else
+ $echo "disable static libraries"
+ fi
+ exit $?
+ ;;
+
+ --finish) mode="finish" ;;
+
+ --mode) prevopt="--mode" prev=mode ;;
+ --mode=*) mode="$optarg" ;;
+
+ --preserve-dup-deps) duplicate_deps="yes" ;;
+
+ --quiet | --silent)
+ show=:
+ preserve_args="$preserve_args $arg"
+ ;;
+
+ --tag)
+ prevopt="--tag"
+ prev=tag
+ preserve_args="$preserve_args --tag"
+ ;;
+ --tag=*)
+ set tag "$optarg" ${1+"$@"}
+ shift
+ prev=tag
+ preserve_args="$preserve_args --tag"
+ ;;
+
+ -dlopen)
+ prevopt="-dlopen"
+ prev=execute_dlfiles
+ ;;
+
+ -*)
+ $echo "$modename: unrecognized option \`$arg'" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+
+ *)
+ nonopt="$arg"
+ break
+ ;;
+ esac
+done
+
+if test -n "$prevopt"; then
+ $echo "$modename: option \`$prevopt' requires an argument" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+fi
+
+case $disable_libs in
+no)
+ ;;
+shared)
+ build_libtool_libs=no
+ build_old_libs=yes
+ ;;
+static)
+ build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac`
+ ;;
+esac
+
+# If this variable is set in any of the actions, the command in it
+# will be execed at the end. This prevents here-documents from being
+# left over by shells.
+exec_cmd=
+
+if test -z "$show_help"; then
+
+ # Infer the operation mode.
+ if test -z "$mode"; then
+ $echo "*** Warning: inferring the mode of operation is deprecated." 1>&2
+ $echo "*** Future versions of Libtool will require --mode=MODE be specified." 1>&2
+ case $nonopt in
+ *cc | cc* | *++ | gcc* | *-gcc* | g++* | xlc*)
+ mode=link
+ for arg
+ do
+ case $arg in
+ -c)
+ mode=compile
+ break
+ ;;
+ esac
+ done
+ ;;
+ *db | *dbx | *strace | *truss)
+ mode=execute
+ ;;
+ *install*|cp|mv)
+ mode=install
+ ;;
+ *rm)
+ mode=uninstall
+ ;;
+ *)
+ # If we have no mode, but dlfiles were specified, then do execute mode.
+ test -n "$execute_dlfiles" && mode=execute
+
+ # Just use the default operation mode.
+ if test -z "$mode"; then
+ if test -n "$nonopt"; then
+ $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2
+ else
+ $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2
+ fi
+ fi
+ ;;
+ esac
+ fi
+
+ # Only execute mode is allowed to have -dlopen flags.
+ if test -n "$execute_dlfiles" && test "$mode" != execute; then
+ $echo "$modename: unrecognized option \`-dlopen'" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ # Change the help message to a mode-specific one.
+ generic_help="$help"
+ help="Try \`$modename --help --mode=$mode' for more information."
+
+ # These modes are in order of execution frequency so that they run quickly.
+ case $mode in
+ # libtool compile mode
+ compile)
+ modename="$modename: compile"
+ # Get the compilation command and the source file.
+ base_compile=
+ srcfile="$nonopt" # always keep a non-empty value in "srcfile"
+ suppress_opt=yes
+ suppress_output=
+ arg_mode=normal
+ libobj=
+ later=
+
+ for arg
+ do
+ case $arg_mode in
+ arg )
+ # do not "continue". Instead, add this to base_compile
+ lastarg="$arg"
+ arg_mode=normal
+ ;;
+
+ target )
+ libobj="$arg"
+ arg_mode=normal
+ continue
+ ;;
+
+ normal )
+ # Accept any command-line options.
+ case $arg in
+ -o)
+ if test -n "$libobj" ; then
+ $echo "$modename: you cannot specify \`-o' more than once" 1>&2
+ exit $EXIT_FAILURE
+ fi
+ arg_mode=target
+ continue
+ ;;
+
+ -static | -prefer-pic | -prefer-non-pic)
+ later="$later $arg"
+ continue
+ ;;
+
+ -no-suppress)
+ suppress_opt=no
+ continue
+ ;;
+
+ -Xcompiler)
+ arg_mode=arg # the next one goes into the "base_compile" arg list
+ continue # The current "srcfile" will either be retained or
+ ;; # replaced later. I would guess that would be a bug.
+
+ -Wc,*)
+ args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"`
+ lastarg=
+ save_ifs="$IFS"; IFS=','
+ for arg in $args; do
+ IFS="$save_ifs"
+
+ # Double-quote args containing other shell metacharacters.
+ # Many Bourne shells cannot handle close brackets correctly
+ # in scan sets, so we specify it separately.
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ lastarg="$lastarg $arg"
+ done
+ IFS="$save_ifs"
+ lastarg=`$echo "X$lastarg" | $Xsed -e "s/^ //"`
+
+ # Add the arguments to base_compile.
+ base_compile="$base_compile $lastarg"
+ continue
+ ;;
+
+ * )
+ # Accept the current argument as the source file.
+ # The previous "srcfile" becomes the current argument.
+ #
+ lastarg="$srcfile"
+ srcfile="$arg"
+ ;;
+ esac # case $arg
+ ;;
+ esac # case $arg_mode
+
+ # Aesthetically quote the previous argument.
+ lastarg=`$echo "X$lastarg" | $Xsed -e "$sed_quote_subst"`
+
+ case $lastarg in
+ # Double-quote args containing other shell metacharacters.
+ # Many Bourne shells cannot handle close brackets correctly
+ # in scan sets, and some SunOS ksh mistreat backslash-escaping
+ # in scan sets (worked around with variable expansion),
+ # and furthermore cannot handle '|' '&' '(' ')' in scan sets
+ # at all, so we specify them separately.
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ lastarg="\"$lastarg\""
+ ;;
+ esac
+
+ base_compile="$base_compile $lastarg"
+ done # for arg
+
+ case $arg_mode in
+ arg)
+ $echo "$modename: you must specify an argument for -Xcompile"
+ exit $EXIT_FAILURE
+ ;;
+ target)
+ $echo "$modename: you must specify a target with \`-o'" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ *)
+ # Get the name of the library object.
+ [ -z "$libobj" ] && libobj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%'`
+ ;;
+ esac
+
+ # Recognize several different file suffixes.
+ # If the user specifies -o file.o, it is replaced with file.lo
+ xform='[cCFSifmso]'
+ case $libobj in
+ *.ada) xform=ada ;;
+ *.adb) xform=adb ;;
+ *.ads) xform=ads ;;
+ *.asm) xform=asm ;;
+ *.c++) xform=c++ ;;
+ *.cc) xform=cc ;;
+ *.ii) xform=ii ;;
+ *.class) xform=class ;;
+ *.cpp) xform=cpp ;;
+ *.cxx) xform=cxx ;;
+ *.f90) xform=f90 ;;
+ *.for) xform=for ;;
+ *.java) xform=java ;;
+ esac
+
+ libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"`
+
+ case $libobj in
+ *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;;
+ *)
+ $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ esac
+
+ func_infer_tag $base_compile
+
+ for arg in $later; do
+ case $arg in
+ -static)
+ build_old_libs=yes
+ continue
+ ;;
+
+ -prefer-pic)
+ pic_mode=yes
+ continue
+ ;;
+
+ -prefer-non-pic)
+ pic_mode=no
+ continue
+ ;;
+ esac
+ done
+
+ qlibobj=`$echo "X$libobj" | $Xsed -e "$sed_quote_subst"`
+ case $qlibobj in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ qlibobj="\"$qlibobj\"" ;;
+ esac
+ test "X$libobj" != "X$qlibobj" \
+ && $echo "X$libobj" | grep '[]~#^*{};<>?"'"'"' &()|`$[]' \
+ && $echo "$modename: libobj name \`$libobj' may not contain shell special characters."
+ objname=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
+ xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$xdir" = "X$obj"; then
+ xdir=
+ else
+ xdir=$xdir/
+ fi
+ lobj=${xdir}$objdir/$objname
+
+ if test -z "$base_compile"; then
+ $echo "$modename: you must specify a compilation command" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ # Delete any leftover library objects.
+ if test "$build_old_libs" = yes; then
+ removelist="$obj $lobj $libobj ${libobj}T"
+ else
+ removelist="$lobj $libobj ${libobj}T"
+ fi
+
+ $run $rm $removelist
+ trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15
+
+ # On Cygwin there's no "real" PIC flag so we must build both object types
+ case $host_os in
+ cygwin* | mingw* | pw32* | os2*)
+ pic_mode=default
+ ;;
+ esac
+ if test "$pic_mode" = no && test "$deplibs_check_method" != pass_all; then
+ # non-PIC code in shared libraries is not supported
+ pic_mode=default
+ fi
+
+ # Calculate the filename of the output object if compiler does
+ # not support -o with -c
+ if test "$compiler_c_o" = no; then
+ output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext}
+ lockfile="$output_obj.lock"
+ removelist="$removelist $output_obj $lockfile"
+ trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15
+ else
+ output_obj=
+ need_locks=no
+ lockfile=
+ fi
+
+ # Lock this critical section if it is needed
+ # We use this script file to make the link, it avoids creating a new file
+ if test "$need_locks" = yes; then
+ until $run ln "$srcfile" "$lockfile" 2>/dev/null; do
+ $show "Waiting for $lockfile to be removed"
+ sleep 2
+ done
+ elif test "$need_locks" = warn; then
+ if test -f "$lockfile"; then
+ $echo "\
+*** ERROR, $lockfile exists and contains:
+`cat $lockfile 2>/dev/null`
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together. If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+ $run $rm $removelist
+ exit $EXIT_FAILURE
+ fi
+ $echo "$srcfile" > "$lockfile"
+ fi
+
+ if test -n "$fix_srcfile_path"; then
+ eval srcfile=\"$fix_srcfile_path\"
+ fi
+ qsrcfile=`$echo "X$srcfile" | $Xsed -e "$sed_quote_subst"`
+ case $qsrcfile in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ qsrcfile="\"$qsrcfile\"" ;;
+ esac
+
+ $run $rm "$libobj" "${libobj}T"
+
+ # Create a libtool object file (analogous to a ".la" file),
+ # but don't create it if we're doing a dry run.
+ test -z "$run" && cat > ${libobj}T <<EOF
+# $libobj - a libtool object file
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
+
+# Name of the PIC object.
+EOF
+
+ # Only build a PIC object if we are building libtool libraries.
+ if test "$build_libtool_libs" = yes; then
+ # Without this assignment, base_compile gets emptied.
+ fbsd_hideous_sh_bug=$base_compile
+
+ if test "$pic_mode" != no; then
+ command="$base_compile $qsrcfile $pic_flag"
+ else
+ # Don't build PIC code
+ command="$base_compile $qsrcfile"
+ fi
+
+ if test ! -d "${xdir}$objdir"; then
+ $show "$mkdir ${xdir}$objdir"
+ $run $mkdir ${xdir}$objdir
+ exit_status=$?
+ if test "$exit_status" -ne 0 && test ! -d "${xdir}$objdir"; then
+ exit $exit_status
+ fi
+ fi
+
+ if test -z "$output_obj"; then
+ # Place PIC objects in $objdir
+ command="$command -o $lobj"
+ fi
+
+ $run $rm "$lobj" "$output_obj"
+
+ $show "$command"
+ if $run eval "$command"; then :
+ else
+ test -n "$output_obj" && $run $rm $removelist
+ exit $EXIT_FAILURE
+ fi
+
+ if test "$need_locks" = warn &&
+ test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
+ $echo "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together. If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+ $run $rm $removelist
+ exit $EXIT_FAILURE
+ fi
+
+ # Just move the object if needed, then go on to compile the next one
+ if test -n "$output_obj" && test "X$output_obj" != "X$lobj"; then
+ $show "$mv $output_obj $lobj"
+ if $run $mv $output_obj $lobj; then :
+ else
+ error=$?
+ $run $rm $removelist
+ exit $error
+ fi
+ fi
+
+ # Append the name of the PIC object to the libtool object file.
+ test -z "$run" && cat >> ${libobj}T <<EOF
+pic_object='$objdir/$objname'
+
+EOF
+
+ # Allow error messages only from the first compilation.
+ if test "$suppress_opt" = yes; then
+ suppress_output=' >/dev/null 2>&1'
+ fi
+ else
+ # No PIC object so indicate it doesn't exist in the libtool
+ # object file.
+ test -z "$run" && cat >> ${libobj}T <<EOF
+pic_object=none
+
+EOF
+ fi
+
+ # Only build a position-dependent object if we build old libraries.
+ if test "$build_old_libs" = yes; then
+ if test "$pic_mode" != yes; then
+ # Don't build PIC code
+ command="$base_compile $qsrcfile"
+ else
+ command="$base_compile $qsrcfile $pic_flag"
+ fi
+ if test "$compiler_c_o" = yes; then
+ command="$command -o $obj"
+ fi
+
+ # Suppress compiler output if we already did a PIC compilation.
+ command="$command$suppress_output"
+ $run $rm "$obj" "$output_obj"
+ $show "$command"
+ if $run eval "$command"; then :
+ else
+ $run $rm $removelist
+ exit $EXIT_FAILURE
+ fi
+
+ if test "$need_locks" = warn &&
+ test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
+ $echo "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together. If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+ $run $rm $removelist
+ exit $EXIT_FAILURE
+ fi
+
+ # Just move the object if needed
+ if test -n "$output_obj" && test "X$output_obj" != "X$obj"; then
+ $show "$mv $output_obj $obj"
+ if $run $mv $output_obj $obj; then :
+ else
+ error=$?
+ $run $rm $removelist
+ exit $error
+ fi
+ fi
+
+ # Append the name of the non-PIC object the libtool object file.
+ # Only append if the libtool object file exists.
+ test -z "$run" && cat >> ${libobj}T <<EOF
+# Name of the non-PIC object.
+non_pic_object='$objname'
+
+EOF
+ else
+ # Append the name of the non-PIC object the libtool object file.
+ # Only append if the libtool object file exists.
+ test -z "$run" && cat >> ${libobj}T <<EOF
+# Name of the non-PIC object.
+non_pic_object=none
+
+EOF
+ fi
+
+ $run $mv "${libobj}T" "${libobj}"
+
+ # Unlock the critical section if it was locked
+ if test "$need_locks" != no; then
+ $run $rm "$lockfile"
+ fi
+
+ exit $EXIT_SUCCESS
+ ;;
+
+ # libtool link mode
+ link | relink)
+ modename="$modename: link"
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+ # It is impossible to link a dll without this setting, and
+ # we shouldn't force the makefile maintainer to figure out
+ # which system we are compiling for in order to pass an extra
+ # flag for every libtool invocation.
+ # allow_undefined=no
+
+ # FIXME: Unfortunately, there are problems with the above when trying
+ # to make a dll which has undefined symbols, in which case not
+ # even a static library is built. For now, we need to specify
+ # -no-undefined on the libtool link line when we can be certain
+ # that all symbols are satisfied, otherwise we get a static library.
+ allow_undefined=yes
+ ;;
+ *)
+ allow_undefined=yes
+ ;;
+ esac
+ libtool_args="$nonopt"
+ base_compile="$nonopt $@"
+ compile_command="$nonopt"
+ finalize_command="$nonopt"
+
+ compile_rpath=
+ finalize_rpath=
+ compile_shlibpath=
+ finalize_shlibpath=
+ convenience=
+ old_convenience=
+ deplibs=
+ old_deplibs=
+ compiler_flags=
+ linker_flags=
+ dllsearchpath=
+ lib_search_path=`pwd`
+ inst_prefix_dir=
+
+ avoid_version=no
+ dlfiles=
+ dlprefiles=
+ dlself=no
+ export_dynamic=no
+ export_symbols=
+ export_symbols_regex=
+ generated=
+ libobjs=
+ ltlibs=
+ module=no
+ no_install=no
+ objs=
+ non_pic_objects=
+ notinst_path= # paths that contain not-installed libtool libraries
+ precious_files_regex=
+ prefer_static_libs=no
+ preload=no
+ prev=
+ prevarg=
+ release=
+ rpath=
+ xrpath=
+ perm_rpath=
+ temp_rpath=
+ thread_safe=no
+ vinfo=
+ vinfo_number=no
+
+ func_infer_tag $base_compile
+
+ # We need to know -static, to get the right output filenames.
+ for arg
+ do
+ case $arg in
+ -all-static | -static)
+ if test "X$arg" = "X-all-static"; then
+ if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
+ $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2
+ fi
+ if test -n "$link_static_flag"; then
+ dlopen_self=$dlopen_self_static
+ fi
+ prefer_static_libs=yes
+ else
+ if test -z "$pic_flag" && test -n "$link_static_flag"; then
+ dlopen_self=$dlopen_self_static
+ fi
+ prefer_static_libs=built
+ fi
+ build_libtool_libs=no
+ build_old_libs=yes
+ break
+ ;;
+ esac
+ done
+
+ # See if our shared archives depend on static archives.
+ test -n "$old_archive_from_new_cmds" && build_old_libs=yes
+
+ # Go through the arguments, transforming them on the way.
+ while test "$#" -gt 0; do
+ arg="$1"
+ shift
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ qarg=\"`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`\" ### testsuite: skip nested quoting test
+ ;;
+ *) qarg=$arg ;;
+ esac
+ libtool_args="$libtool_args $qarg"
+
+ # If the previous option needs an argument, assign it.
+ if test -n "$prev"; then
+ case $prev in
+ output)
+ compile_command="$compile_command @OUTPUT@"
+ finalize_command="$finalize_command @OUTPUT@"
+ ;;
+ esac
+
+ case $prev in
+ dlfiles|dlprefiles)
+ if test "$preload" = no; then
+ # Add the symbol object into the linking commands.
+ compile_command="$compile_command @SYMFILE@"
+ finalize_command="$finalize_command @SYMFILE@"
+ preload=yes
+ fi
+ case $arg in
+ *.la | *.lo) ;; # We handle these cases below.
+ force)
+ if test "$dlself" = no; then
+ dlself=needless
+ export_dynamic=yes
+ fi
+ prev=
+ continue
+ ;;
+ self)
+ if test "$prev" = dlprefiles; then
+ dlself=yes
+ elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then
+ dlself=yes
+ else
+ dlself=needless
+ export_dynamic=yes
+ fi
+ prev=
+ continue
+ ;;
+ *)
+ if test "$prev" = dlfiles; then
+ dlfiles="$dlfiles $arg"
+ else
+ dlprefiles="$dlprefiles $arg"
+ fi
+ prev=
+ continue
+ ;;
+ esac
+ ;;
+ expsyms)
+ export_symbols="$arg"
+ if test ! -f "$arg"; then
+ $echo "$modename: symbol file \`$arg' does not exist"
+ exit $EXIT_FAILURE
+ fi
+ prev=
+ continue
+ ;;
+ expsyms_regex)
+ export_symbols_regex="$arg"
+ prev=
+ continue
+ ;;
+ inst_prefix)
+ inst_prefix_dir="$arg"
+ prev=
+ continue
+ ;;
+ precious_regex)
+ precious_files_regex="$arg"
+ prev=
+ continue
+ ;;
+ release)
+ release="-$arg"
+ prev=
+ continue
+ ;;
+ objectlist)
+ if test -f "$arg"; then
+ save_arg=$arg
+ moreargs=
+ for fil in `cat $save_arg`
+ do
+# moreargs="$moreargs $fil"
+ arg=$fil
+ # A libtool-controlled object.
+
+ # Check to see that this really is a libtool object.
+ if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ pic_object=
+ non_pic_object=
+
+ # Read the .lo file
+ # If there is no directory component, then add one.
+ case $arg in
+ */* | *\\*) . $arg ;;
+ *) . ./$arg ;;
+ esac
+
+ if test -z "$pic_object" || \
+ test -z "$non_pic_object" ||
+ test "$pic_object" = none && \
+ test "$non_pic_object" = none; then
+ $echo "$modename: cannot find name of object for \`$arg'" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ # Extract subdirectory from the argument.
+ xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$xdir" = "X$arg"; then
+ xdir=
+ else
+ xdir="$xdir/"
+ fi
+
+ if test "$pic_object" != none; then
+ # Prepend the subdirectory the object is found in.
+ pic_object="$xdir$pic_object"
+
+ if test "$prev" = dlfiles; then
+ if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
+ dlfiles="$dlfiles $pic_object"
+ prev=
+ continue
+ else
+ # If libtool objects are unsupported, then we need to preload.
+ prev=dlprefiles
+ fi
+ fi
+
+ # CHECK ME: I think I busted this. -Ossama
+ if test "$prev" = dlprefiles; then
+ # Preload the old-style object.
+ dlprefiles="$dlprefiles $pic_object"
+ prev=
+ fi
+
+ # A PIC object.
+ libobjs="$libobjs $pic_object"
+ arg="$pic_object"
+ fi
+
+ # Non-PIC object.
+ if test "$non_pic_object" != none; then
+ # Prepend the subdirectory the object is found in.
+ non_pic_object="$xdir$non_pic_object"
+
+ # A standard non-PIC object
+ non_pic_objects="$non_pic_objects $non_pic_object"
+ if test -z "$pic_object" || test "$pic_object" = none ; then
+ arg="$non_pic_object"
+ fi
+ else
+ # If the PIC object exists, use it instead.
+ # $xdir was prepended to $pic_object above.
+ non_pic_object="$pic_object"
+ non_pic_objects="$non_pic_objects $non_pic_object"
+ fi
+ else
+ # Only an error if not doing a dry-run.
+ if test -z "$run"; then
+ $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
+ exit $EXIT_FAILURE
+ else
+ # Dry-run case.
+
+ # Extract subdirectory from the argument.
+ xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$xdir" = "X$arg"; then
+ xdir=
+ else
+ xdir="$xdir/"
+ fi
+
+ pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"`
+ non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"`
+ libobjs="$libobjs $pic_object"
+ non_pic_objects="$non_pic_objects $non_pic_object"
+ fi
+ fi
+ done
+ else
+ $echo "$modename: link input file \`$save_arg' does not exist"
+ exit $EXIT_FAILURE
+ fi
+ arg=$save_arg
+ prev=
+ continue
+ ;;
+ rpath | xrpath)
+ # We need an absolute path.
+ case $arg in
+ [\\/]* | [A-Za-z]:[\\/]*) ;;
+ *)
+ $echo "$modename: only absolute run-paths are allowed" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ esac
+ if test "$prev" = rpath; then
+ case "$rpath " in
+ *" $arg "*) ;;
+ *) rpath="$rpath $arg" ;;
+ esac
+ else
+ case "$xrpath " in
+ *" $arg "*) ;;
+ *) xrpath="$xrpath $arg" ;;
+ esac
+ fi
+ prev=
+ continue
+ ;;
+ xcompiler)
+ compiler_flags="$compiler_flags $qarg"
+ prev=
+ compile_command="$compile_command $qarg"
+ finalize_command="$finalize_command $qarg"
+ continue
+ ;;
+ xlinker)
+ linker_flags="$linker_flags $qarg"
+ compiler_flags="$compiler_flags $wl$qarg"
+ prev=
+ compile_command="$compile_command $wl$qarg"
+ finalize_command="$finalize_command $wl$qarg"
+ continue
+ ;;
+ xcclinker)
+ linker_flags="$linker_flags $qarg"
+ compiler_flags="$compiler_flags $qarg"
+ prev=
+ compile_command="$compile_command $qarg"
+ finalize_command="$finalize_command $qarg"
+ continue
+ ;;
+ shrext)
+ shrext_cmds="$arg"
+ prev=
+ continue
+ ;;
+ darwin_framework|darwin_framework_skip)
+ test "$prev" = "darwin_framework" && compiler_flags="$compiler_flags $arg"
+ compile_command="$compile_command $arg"
+ finalize_command="$finalize_command $arg"
+ prev=
+ continue
+ ;;
+ *)
+ eval "$prev=\"\$arg\""
+ prev=
+ continue
+ ;;
+ esac
+ fi # test -n "$prev"
+
+ prevarg="$arg"
+
+ case $arg in
+ -all-static)
+ if test -n "$link_static_flag"; then
+ compile_command="$compile_command $link_static_flag"
+ finalize_command="$finalize_command $link_static_flag"
+ fi
+ continue
+ ;;
+
+ -allow-undefined)
+ # FIXME: remove this flag sometime in the future.
+ $echo "$modename: \`-allow-undefined' is deprecated because it is the default" 1>&2
+ continue
+ ;;
+
+ -avoid-version)
+ avoid_version=yes
+ continue
+ ;;
+
+ -dlopen)
+ prev=dlfiles
+ continue
+ ;;
+
+ -dlpreopen)
+ prev=dlprefiles
+ continue
+ ;;
+
+ -export-dynamic)
+ export_dynamic=yes
+ continue
+ ;;
+
+ -export-symbols | -export-symbols-regex)
+ if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+ $echo "$modename: more than one -exported-symbols argument is not allowed"
+ exit $EXIT_FAILURE
+ fi
+ if test "X$arg" = "X-export-symbols"; then
+ prev=expsyms
+ else
+ prev=expsyms_regex
+ fi
+ continue
+ ;;
+
+ -framework|-arch|-isysroot)
+ case " $CC " in
+ *" ${arg} ${1} "* | *" ${arg} ${1} "*)
+ prev=darwin_framework_skip ;;
+ *) compiler_flags="$compiler_flags $arg"
+ prev=darwin_framework ;;
+ esac
+ compile_command="$compile_command $arg"
+ finalize_command="$finalize_command $arg"
+ continue
+ ;;
+
+ -inst-prefix-dir)
+ prev=inst_prefix
+ continue
+ ;;
+
+ # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:*
+ # so, if we see these flags be careful not to treat them like -L
+ -L[A-Z][A-Z]*:*)
+ case $with_gcc/$host in
+ no/*-*-irix* | /*-*-irix*)
+ compile_command="$compile_command $arg"
+ finalize_command="$finalize_command $arg"
+ ;;
+ esac
+ continue
+ ;;
+
+ -L*)
+ dir=`$echo "X$arg" | $Xsed -e 's/^-L//'`
+ # We need an absolute path.
+ case $dir in
+ [\\/]* | [A-Za-z]:[\\/]*) ;;
+ *)
+ absdir=`cd "$dir" && pwd`
+ if test -z "$absdir"; then
+ $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
+ absdir="$dir"
+ notinst_path="$notinst_path $dir"
+ fi
+ dir="$absdir"
+ ;;
+ esac
+ case "$deplibs " in
+ *" -L$dir "*) ;;
+ *)
+ deplibs="$deplibs -L$dir"
+ lib_search_path="$lib_search_path $dir"
+ ;;
+ esac
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+ testbindir=`$echo "X$dir" | $Xsed -e 's*/lib$*/bin*'`
+ case :$dllsearchpath: in
+ *":$dir:"*) ;;
+ *) dllsearchpath="$dllsearchpath:$dir";;
+ esac
+ case :$dllsearchpath: in
+ *":$testbindir:"*) ;;
+ *) dllsearchpath="$dllsearchpath:$testbindir";;
+ esac
+ ;;
+ esac
+ continue
+ ;;
+
+ -l*)
+ if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos*)
+ # These systems don't actually have a C or math library (as such)
+ continue
+ ;;
+ *-*-os2*)
+ # These systems don't actually have a C library (as such)
+ test "X$arg" = "X-lc" && continue
+ ;;
+ *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
+ # Do not include libc due to us having libc/libc_r.
+ test "X$arg" = "X-lc" && continue
+ ;;
+ *-*-rhapsody* | *-*-darwin1.[012])
+ # Rhapsody C and math libraries are in the System framework
+ deplibs="$deplibs -framework System"
+ continue
+ ;;
+ *-*-sco3.2v5* | *-*-sco5v6*)
+ # Causes problems with __ctype
+ test "X$arg" = "X-lc" && continue
+ ;;
+ *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
+ # Compiler inserts libc in the correct place for threads to work
+ test "X$arg" = "X-lc" && continue
+ ;;
+ esac
+ elif test "X$arg" = "X-lc_r"; then
+ case $host in
+ *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
+ # Do not include libc_r directly, use -pthread flag.
+ continue
+ ;;
+ esac
+ fi
+ deplibs="$deplibs $arg"
+ continue
+ ;;
+
+ # Tru64 UNIX uses -model [arg] to determine the layout of C++
+ # classes, name mangling, and exception handling.
+ -model)
+ compile_command="$compile_command $arg"
+ compiler_flags="$compiler_flags $arg"
+ finalize_command="$finalize_command $arg"
+ prev=xcompiler
+ continue
+ ;;
+
+ -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe)
+ compiler_flags="$compiler_flags $arg"
+ compile_command="$compile_command $arg"
+ finalize_command="$finalize_command $arg"
+ continue
+ ;;
+
+ -module)
+ module=yes
+ continue
+ ;;
+
+ # -64, -mips[0-9] enable 64-bit mode on the SGI compiler
+ # -r[0-9][0-9]* specifies the processor on the SGI compiler
+ # -xarch=*, -xtarget=* enable 64-bit mode on the Sun compiler
+ # +DA*, +DD* enable 64-bit mode on the HP compiler
+ # -q* pass through compiler args for the IBM compiler
+ # -m* pass through architecture-specific compiler args for GCC
+ # -m*, -t[45]*, -txscale* pass through architecture-specific
+ # compiler args for GCC
+ # -pg pass through profiling flag for GCC
+ # @file GCC response files
+ -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*|-pg| \
+ -t[45]*|-txscale*|@*)
+
+ # Unknown arguments in both finalize_command and compile_command need
+ # to be aesthetically quoted because they are evaled later.
+ arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ compile_command="$compile_command $arg"
+ finalize_command="$finalize_command $arg"
+ compiler_flags="$compiler_flags $arg"
+ continue
+ ;;
+
+ -shrext)
+ prev=shrext
+ continue
+ ;;
+
+ -no-fast-install)
+ fast_install=no
+ continue
+ ;;
+
+ -no-install)
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+ # The PATH hackery in wrapper scripts is required on Windows
+ # in order for the loader to find any dlls it needs.
+ $echo "$modename: warning: \`-no-install' is ignored for $host" 1>&2
+ $echo "$modename: warning: assuming \`-no-fast-install' instead" 1>&2
+ fast_install=no
+ ;;
+ *) no_install=yes ;;
+ esac
+ continue
+ ;;
+
+ -no-undefined)
+ allow_undefined=no
+ continue
+ ;;
+
+ -objectlist)
+ prev=objectlist
+ continue
+ ;;
+
+ -o) prev=output ;;
+
+ -precious-files-regex)
+ prev=precious_regex
+ continue
+ ;;
+
+ -release)
+ prev=release
+ continue
+ ;;
+
+ -rpath)
+ prev=rpath
+ continue
+ ;;
+
+ -R)
+ prev=xrpath
+ continue
+ ;;
+
+ -R*)
+ dir=`$echo "X$arg" | $Xsed -e 's/^-R//'`
+ # We need an absolute path.
+ case $dir in
+ [\\/]* | [A-Za-z]:[\\/]*) ;;
+ *)
+ $echo "$modename: only absolute run-paths are allowed" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ esac
+ case "$xrpath " in
+ *" $dir "*) ;;
+ *) xrpath="$xrpath $dir" ;;
+ esac
+ continue
+ ;;
+
+ -static)
+ # The effects of -static are defined in a previous loop.
+ # We used to do the same as -all-static on platforms that
+ # didn't have a PIC flag, but the assumption that the effects
+ # would be equivalent was wrong. It would break on at least
+ # Digital Unix and AIX.
+ continue
+ ;;
+
+ -thread-safe)
+ thread_safe=yes
+ continue
+ ;;
+
+ -version-info)
+ prev=vinfo
+ continue
+ ;;
+ -version-number)
+ prev=vinfo
+ vinfo_number=yes
+ continue
+ ;;
+
+ -Wc,*)
+ args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wc,//'`
+ arg=
+ save_ifs="$IFS"; IFS=','
+ for flag in $args; do
+ IFS="$save_ifs"
+ case $flag in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ flag="\"$flag\""
+ ;;
+ esac
+ arg="$arg $wl$flag"
+ compiler_flags="$compiler_flags $flag"
+ done
+ IFS="$save_ifs"
+ arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
+ ;;
+
+ -Wl,*)
+ args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wl,//'`
+ arg=
+ save_ifs="$IFS"; IFS=','
+ for flag in $args; do
+ IFS="$save_ifs"
+ case $flag in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ flag="\"$flag\""
+ ;;
+ esac
+ arg="$arg $wl$flag"
+ compiler_flags="$compiler_flags $wl$flag"
+ linker_flags="$linker_flags $flag"
+ done
+ IFS="$save_ifs"
+ arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
+ ;;
+
+ -Xcompiler)
+ prev=xcompiler
+ continue
+ ;;
+
+ -Xlinker)
+ prev=xlinker
+ continue
+ ;;
+
+ -XCClinker)
+ prev=xcclinker
+ continue
+ ;;
+
+ # Some other compiler flag.
+ -* | +*)
+ # Unknown arguments in both finalize_command and compile_command need
+ # to be aesthetically quoted because they are evaled later.
+ arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ ;;
+
+ *.$objext)
+ # A standard object.
+ objs="$objs $arg"
+ ;;
+
+ *.lo)
+ # A libtool-controlled object.
+
+ # Check to see that this really is a libtool object.
+ if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ pic_object=
+ non_pic_object=
+
+ # Read the .lo file
+ # If there is no directory component, then add one.
+ case $arg in
+ */* | *\\*) . $arg ;;
+ *) . ./$arg ;;
+ esac
+
+ if test -z "$pic_object" || \
+ test -z "$non_pic_object" ||
+ test "$pic_object" = none && \
+ test "$non_pic_object" = none; then
+ $echo "$modename: cannot find name of object for \`$arg'" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ # Extract subdirectory from the argument.
+ xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$xdir" = "X$arg"; then
+ xdir=
+ else
+ xdir="$xdir/"
+ fi
+
+ if test "$pic_object" != none; then
+ # Prepend the subdirectory the object is found in.
+ pic_object="$xdir$pic_object"
+
+ if test "$prev" = dlfiles; then
+ if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
+ dlfiles="$dlfiles $pic_object"
+ prev=
+ continue
+ else
+ # If libtool objects are unsupported, then we need to preload.
+ prev=dlprefiles
+ fi
+ fi
+
+ # CHECK ME: I think I busted this. -Ossama
+ if test "$prev" = dlprefiles; then
+ # Preload the old-style object.
+ dlprefiles="$dlprefiles $pic_object"
+ prev=
+ fi
+
+ # A PIC object.
+ libobjs="$libobjs $pic_object"
+ arg="$pic_object"
+ fi
+
+ # Non-PIC object.
+ if test "$non_pic_object" != none; then
+ # Prepend the subdirectory the object is found in.
+ non_pic_object="$xdir$non_pic_object"
+
+ # A standard non-PIC object
+ non_pic_objects="$non_pic_objects $non_pic_object"
+ if test -z "$pic_object" || test "$pic_object" = none ; then
+ arg="$non_pic_object"
+ fi
+ else
+ # If the PIC object exists, use it instead.
+ # $xdir was prepended to $pic_object above.
+ non_pic_object="$pic_object"
+ non_pic_objects="$non_pic_objects $non_pic_object"
+ fi
+ else
+ # Only an error if not doing a dry-run.
+ if test -z "$run"; then
+ $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
+ exit $EXIT_FAILURE
+ else
+ # Dry-run case.
+
+ # Extract subdirectory from the argument.
+ xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$xdir" = "X$arg"; then
+ xdir=
+ else
+ xdir="$xdir/"
+ fi
+
+ pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"`
+ non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"`
+ libobjs="$libobjs $pic_object"
+ non_pic_objects="$non_pic_objects $non_pic_object"
+ fi
+ fi
+ ;;
+
+ *.$libext)
+ # An archive.
+ deplibs="$deplibs $arg"
+ old_deplibs="$old_deplibs $arg"
+ continue
+ ;;
+
+ *.la)
+ # A libtool-controlled library.
+
+ if test "$prev" = dlfiles; then
+ # This library was specified with -dlopen.
+ dlfiles="$dlfiles $arg"
+ prev=
+ elif test "$prev" = dlprefiles; then
+ # The library was specified with -dlpreopen.
+ dlprefiles="$dlprefiles $arg"
+ prev=
+ else
+ deplibs="$deplibs $arg"
+ fi
+ continue
+ ;;
+
+ # Some other compiler argument.
+ *)
+ # Unknown arguments in both finalize_command and compile_command need
+ # to be aesthetically quoted because they are evaled later.
+ arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ ;;
+ esac # arg
+
+ # Now actually substitute the argument into the commands.
+ if test -n "$arg"; then
+ compile_command="$compile_command $arg"
+ finalize_command="$finalize_command $arg"
+ fi
+ done # argument parsing loop
+
+ if test -n "$prev"; then
+ $echo "$modename: the \`$prevarg' option requires an argument" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
+ eval arg=\"$export_dynamic_flag_spec\"
+ compile_command="$compile_command $arg"
+ finalize_command="$finalize_command $arg"
+ fi
+
+ oldlibs=
+ # calculate the name of the file, without its directory
+ outputname=`$echo "X$output" | $Xsed -e 's%^.*/%%'`
+ libobjs_save="$libobjs"
+
+ if test -n "$shlibpath_var"; then
+ # get the directories listed in $shlibpath_var
+ eval shlib_search_path=\`\$echo \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\`
+ else
+ shlib_search_path=
+ fi
+ eval sys_lib_search_path=\"$sys_lib_search_path_spec\"
+ eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\"
+
+ output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$output_objdir" = "X$output"; then
+ output_objdir="$objdir"
+ else
+ output_objdir="$output_objdir/$objdir"
+ fi
+ # Create the object directory.
+ if test ! -d "$output_objdir"; then
+ $show "$mkdir $output_objdir"
+ $run $mkdir $output_objdir
+ exit_status=$?
+ if test "$exit_status" -ne 0 && test ! -d "$output_objdir"; then
+ exit $exit_status
+ fi
+ fi
+
+ # Determine the type of output
+ case $output in
+ "")
+ $echo "$modename: you must specify an output file" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ *.$libext) linkmode=oldlib ;;
+ *.lo | *.$objext) linkmode=obj ;;
+ *.la) linkmode=lib ;;
+ *) linkmode=prog ;; # Anything else should be a program.
+ esac
+
+ case $host in
+ *cygwin* | *mingw* | *pw32*)
+ # don't eliminate duplications in $postdeps and $predeps
+ duplicate_compiler_generated_deps=yes
+ ;;
+ *)
+ duplicate_compiler_generated_deps=$duplicate_deps
+ ;;
+ esac
+ specialdeplibs=
+
+ libs=
+ # Find all interdependent deplibs by searching for libraries
+ # that are linked more than once (e.g. -la -lb -la)
+ for deplib in $deplibs; do
+ if test "X$duplicate_deps" = "Xyes" ; then
+ case "$libs " in
+ *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ esac
+ fi
+ libs="$libs $deplib"
+ done
+
+ if test "$linkmode" = lib; then
+ libs="$predeps $libs $compiler_lib_search_path $postdeps"
+
+ # Compute libraries that are listed more than once in $predeps
+ # $postdeps and mark them as special (i.e., whose duplicates are
+ # not to be eliminated).
+ pre_post_deps=
+ if test "X$duplicate_compiler_generated_deps" = "Xyes" ; then
+ for pre_post_dep in $predeps $postdeps; do
+ case "$pre_post_deps " in
+ *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;;
+ esac
+ pre_post_deps="$pre_post_deps $pre_post_dep"
+ done
+ fi
+ pre_post_deps=
+ fi
+
+ deplibs=
+ newdependency_libs=
+ newlib_search_path=
+ need_relink=no # whether we're linking any uninstalled libtool libraries
+ notinst_deplibs= # not-installed libtool libraries
+ case $linkmode in
+ lib)
+ passes="conv link"
+ for file in $dlfiles $dlprefiles; do
+ case $file in
+ *.la) ;;
+ *)
+ $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ esac
+ done
+ ;;
+ prog)
+ compile_deplibs=
+ finalize_deplibs=
+ alldeplibs=no
+ newdlfiles=
+ newdlprefiles=
+ passes="conv scan dlopen dlpreopen link"
+ ;;
+ *) passes="conv"
+ ;;
+ esac
+ for pass in $passes; do
+ if test "$linkmode,$pass" = "lib,link" ||
+ test "$linkmode,$pass" = "prog,scan"; then
+ libs="$deplibs"
+ deplibs=
+ fi
+ if test "$linkmode" = prog; then
+ case $pass in
+ dlopen) libs="$dlfiles" ;;
+ dlpreopen) libs="$dlprefiles" ;;
+ link) libs="$deplibs %DEPLIBS% $dependency_libs" ;;
+ esac
+ fi
+ if test "$pass" = dlopen; then
+ # Collect dlpreopened libraries
+ save_deplibs="$deplibs"
+ deplibs=
+ fi
+ for deplib in $libs; do
+ lib=
+ found=no
+ case $deplib in
+ -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe)
+ if test "$linkmode,$pass" = "prog,link"; then
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ else
+ compiler_flags="$compiler_flags $deplib"
+ fi
+ continue
+ ;;
+ -l*)
+ if test "$linkmode" != lib && test "$linkmode" != prog; then
+ $echo "$modename: warning: \`-l' is ignored for archives/objects" 1>&2
+ continue
+ fi
+ name=`$echo "X$deplib" | $Xsed -e 's/^-l//'`
+ for searchdir in $newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path; do
+ for search_ext in .la $std_shrext .so .a; do
+ # Search the libtool library
+ lib="$searchdir/lib${name}${search_ext}"
+ if test -f "$lib"; then
+ if test "$search_ext" = ".la"; then
+ found=yes
+ else
+ found=no
+ fi
+ break 2
+ fi
+ done
+ done
+ if test "$found" != yes; then
+ # deplib doesn't seem to be a libtool library
+ if test "$linkmode,$pass" = "prog,link"; then
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ else
+ deplibs="$deplib $deplibs"
+ test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
+ fi
+ continue
+ else # deplib is a libtool library
+ # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib,
+ # We need to do some special things here, and not later.
+ if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+ case " $predeps $postdeps " in
+ *" $deplib "*)
+ if (${SED} -e '2q' $lib |
+ grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ library_names=
+ old_library=
+ case $lib in
+ */* | *\\*) . $lib ;;
+ *) . ./$lib ;;
+ esac
+ for l in $old_library $library_names; do
+ ll="$l"
+ done
+ if test "X$ll" = "X$old_library" ; then # only static version available
+ found=no
+ ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$ladir" = "X$lib" && ladir="."
+ lib=$ladir/$old_library
+ if test "$linkmode,$pass" = "prog,link"; then
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ else
+ deplibs="$deplib $deplibs"
+ test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
+ fi
+ continue
+ fi
+ fi
+ ;;
+ *) ;;
+ esac
+ fi
+ fi
+ ;; # -l
+ -L*)
+ case $linkmode in
+ lib)
+ deplibs="$deplib $deplibs"
+ test "$pass" = conv && continue
+ newdependency_libs="$deplib $newdependency_libs"
+ newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
+ ;;
+ prog)
+ if test "$pass" = conv; then
+ deplibs="$deplib $deplibs"
+ continue
+ fi
+ if test "$pass" = scan; then
+ deplibs="$deplib $deplibs"
+ else
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ fi
+ newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
+ ;;
+ *)
+ $echo "$modename: warning: \`-L' is ignored for archives/objects" 1>&2
+ ;;
+ esac # linkmode
+ continue
+ ;; # -L
+ -R*)
+ if test "$pass" = link; then
+ dir=`$echo "X$deplib" | $Xsed -e 's/^-R//'`
+ # Make sure the xrpath contains only unique directories.
+ case "$xrpath " in
+ *" $dir "*) ;;
+ *) xrpath="$xrpath $dir" ;;
+ esac
+ fi
+ deplibs="$deplib $deplibs"
+ continue
+ ;;
+ *.la) lib="$deplib" ;;
+ *.$libext)
+ if test "$pass" = conv; then
+ deplibs="$deplib $deplibs"
+ continue
+ fi
+ case $linkmode in
+ lib)
+ valid_a_lib=no
+ case $deplibs_check_method in
+ match_pattern*)
+ set dummy $deplibs_check_method
+ match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+ if eval $echo \"$deplib\" 2>/dev/null \
+ | $SED 10q \
+ | $EGREP "$match_pattern_regex" > /dev/null; then
+ valid_a_lib=yes
+ fi
+ ;;
+ pass_all)
+ valid_a_lib=yes
+ ;;
+ esac
+ if test "$valid_a_lib" != yes; then
+ $echo
+ $echo "*** Warning: Trying to link with static lib archive $deplib."
+ $echo "*** I have the capability to make that library automatically link in when"
+ $echo "*** you link to this library. But I can only do this if you have a"
+ $echo "*** shared version of the library, which you do not appear to have"
+ $echo "*** because the file extensions .$libext of this argument makes me believe"
+ $echo "*** that it is just a static archive that I should not used here."
+ else
+ $echo
+ $echo "*** Warning: Linking the shared library $output against the"
+ $echo "*** static library $deplib is not portable!"
+ deplibs="$deplib $deplibs"
+ fi
+ continue
+ ;;
+ prog)
+ if test "$pass" != link; then
+ deplibs="$deplib $deplibs"
+ else
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ fi
+ continue
+ ;;
+ esac # linkmode
+ ;; # *.$libext
+ *.lo | *.$objext)
+ if test "$pass" = conv; then
+ deplibs="$deplib $deplibs"
+ elif test "$linkmode" = prog; then
+ if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+ # If there is no dlopen support or we're linking statically,
+ # we need to preload.
+ newdlprefiles="$newdlprefiles $deplib"
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ else
+ newdlfiles="$newdlfiles $deplib"
+ fi
+ fi
+ continue
+ ;;
+ %DEPLIBS%)
+ alldeplibs=yes
+ continue
+ ;;
+ esac # case $deplib
+ if test "$found" = yes || test -f "$lib"; then :
+ else
+ $echo "$modename: cannot find the library \`$lib' or unhandled argument \`$deplib'" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ # Check to see that this really is a libtool archive.
+ if (${SED} -e '2q' $lib | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+ else
+ $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$ladir" = "X$lib" && ladir="."
+
+ dlname=
+ dlopen=
+ dlpreopen=
+ libdir=
+ library_names=
+ old_library=
+ # If the library was installed with an old release of libtool,
+ # it will not redefine variables installed, or shouldnotlink
+ installed=yes
+ shouldnotlink=no
+ avoidtemprpath=
+
+
+ # Read the .la file
+ case $lib in
+ */* | *\\*) . $lib ;;
+ *) . ./$lib ;;
+ esac
+
+ if test "$linkmode,$pass" = "lib,link" ||
+ test "$linkmode,$pass" = "prog,scan" ||
+ { test "$linkmode" != prog && test "$linkmode" != lib; }; then
+ test -n "$dlopen" && dlfiles="$dlfiles $dlopen"
+ test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen"
+ fi
+
+ if test "$pass" = conv; then
+ # Only check for convenience libraries
+ deplibs="$lib $deplibs"
+ if test -z "$libdir"; then
+ if test -z "$old_library"; then
+ $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
+ exit $EXIT_FAILURE
+ fi
+ # It is a libtool convenience library, so add in its objects.
+ convenience="$convenience $ladir/$objdir/$old_library"
+ old_convenience="$old_convenience $ladir/$objdir/$old_library"
+ tmp_libs=
+ for deplib in $dependency_libs; do
+ deplibs="$deplib $deplibs"
+ if test "X$duplicate_deps" = "Xyes" ; then
+ case "$tmp_libs " in
+ *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ esac
+ fi
+ tmp_libs="$tmp_libs $deplib"
+ done
+ elif test "$linkmode" != prog && test "$linkmode" != lib; then
+ $echo "$modename: \`$lib' is not a convenience library" 1>&2
+ exit $EXIT_FAILURE
+ fi
+ continue
+ fi # $pass = conv
+
+
+ # Get the name of the library we link against.
+ linklib=
+ for l in $old_library $library_names; do
+ linklib="$l"
+ done
+ if test -z "$linklib"; then
+ $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ # This library was specified with -dlopen.
+ if test "$pass" = dlopen; then
+ if test -z "$libdir"; then
+ $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2
+ exit $EXIT_FAILURE
+ fi
+ if test -z "$dlname" ||
+ test "$dlopen_support" != yes ||
+ test "$build_libtool_libs" = no; then
+ # If there is no dlname, no dlopen support or we're linking
+ # statically, we need to preload. We also need to preload any
+ # dependent libraries so libltdl's deplib preloader doesn't
+ # bomb out in the load deplibs phase.
+ dlprefiles="$dlprefiles $lib $dependency_libs"
+ else
+ newdlfiles="$newdlfiles $lib"
+ fi
+ continue
+ fi # $pass = dlopen
+
+ # We need an absolute path.
+ case $ladir in
+ [\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;;
+ *)
+ abs_ladir=`cd "$ladir" && pwd`
+ if test -z "$abs_ladir"; then
+ $echo "$modename: warning: cannot determine absolute directory name of \`$ladir'" 1>&2
+ $echo "$modename: passing it literally to the linker, although it might fail" 1>&2
+ abs_ladir="$ladir"
+ fi
+ ;;
+ esac
+ laname=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+
+ # Find the relevant object directory and library name.
+ if test "X$installed" = Xyes; then
+ if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+ $echo "$modename: warning: library \`$lib' was moved." 1>&2
+ dir="$ladir"
+ absdir="$abs_ladir"
+ libdir="$abs_ladir"
+ else
+ dir="$libdir"
+ absdir="$libdir"
+ fi
+ test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes
+ else
+ if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+ dir="$ladir"
+ absdir="$abs_ladir"
+ # Remove this search path later
+ notinst_path="$notinst_path $abs_ladir"
+ else
+ dir="$ladir/$objdir"
+ absdir="$abs_ladir/$objdir"
+ # Remove this search path later
+ notinst_path="$notinst_path $abs_ladir"
+ fi
+ fi # $installed = yes
+ name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+
+ # This library was specified with -dlpreopen.
+ if test "$pass" = dlpreopen; then
+ if test -z "$libdir"; then
+ $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2
+ exit $EXIT_FAILURE
+ fi
+ # Prefer using a static library (so that no silly _DYNAMIC symbols
+ # are required to link).
+ if test -n "$old_library"; then
+ newdlprefiles="$newdlprefiles $dir/$old_library"
+ # Otherwise, use the dlname, so that lt_dlopen finds it.
+ elif test -n "$dlname"; then
+ newdlprefiles="$newdlprefiles $dir/$dlname"
+ else
+ newdlprefiles="$newdlprefiles $dir/$linklib"
+ fi
+ fi # $pass = dlpreopen
+
+ if test -z "$libdir"; then
+ # Link the convenience library
+ if test "$linkmode" = lib; then
+ deplibs="$dir/$old_library $deplibs"
+ elif test "$linkmode,$pass" = "prog,link"; then
+ compile_deplibs="$dir/$old_library $compile_deplibs"
+ finalize_deplibs="$dir/$old_library $finalize_deplibs"
+ else
+ deplibs="$lib $deplibs" # used for prog,scan pass
+ fi
+ continue
+ fi
+
+
+ if test "$linkmode" = prog && test "$pass" != link; then
+ newlib_search_path="$newlib_search_path $ladir"
+ deplibs="$lib $deplibs"
+
+ linkalldeplibs=no
+ if test "$link_all_deplibs" != no || test -z "$library_names" ||
+ test "$build_libtool_libs" = no; then
+ linkalldeplibs=yes
+ fi
+
+ tmp_libs=
+ for deplib in $dependency_libs; do
+ case $deplib in
+ -L*) newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`;; ### testsuite: skip nested quoting test
+ esac
+ # Need to link against all dependency_libs?
+ if test "$linkalldeplibs" = yes; then
+ deplibs="$deplib $deplibs"
+ else
+ # Need to hardcode shared library paths
+ # or/and link against static libraries
+ newdependency_libs="$deplib $newdependency_libs"
+ fi
+ if test "X$duplicate_deps" = "Xyes" ; then
+ case "$tmp_libs " in
+ *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ esac
+ fi
+ tmp_libs="$tmp_libs $deplib"
+ done # for deplib
+ continue
+ fi # $linkmode = prog...
+
+ if test "$linkmode,$pass" = "prog,link"; then
+ if test -n "$library_names" &&
+ { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
+ # We need to hardcode the library path
+ if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then
+ # Make sure the rpath contains only unique directories.
+ case "$temp_rpath " in
+ *" $dir "*) ;;
+ *" $absdir "*) ;;
+ *) temp_rpath="$temp_rpath $absdir" ;;
+ esac
+ fi
+
+ # Hardcode the library path.
+ # Skip directories that are in the system default run-time
+ # search path.
+ case " $sys_lib_dlsearch_path " in
+ *" $absdir "*) ;;
+ *)
+ case "$compile_rpath " in
+ *" $absdir "*) ;;
+ *) compile_rpath="$compile_rpath $absdir"
+ esac
+ ;;
+ esac
+ case " $sys_lib_dlsearch_path " in
+ *" $libdir "*) ;;
+ *)
+ case "$finalize_rpath " in
+ *" $libdir "*) ;;
+ *) finalize_rpath="$finalize_rpath $libdir"
+ esac
+ ;;
+ esac
+ fi # $linkmode,$pass = prog,link...
+
+ if test "$alldeplibs" = yes &&
+ { test "$deplibs_check_method" = pass_all ||
+ { test "$build_libtool_libs" = yes &&
+ test -n "$library_names"; }; }; then
+ # We only need to search for static libraries
+ continue
+ fi
+ fi
+
+ link_static=no # Whether the deplib will be linked statically
+ use_static_libs=$prefer_static_libs
+ if test "$use_static_libs" = built && test "$installed" = yes ; then
+ use_static_libs=no
+ fi
+ if test -n "$library_names" &&
+ { test "$use_static_libs" = no || test -z "$old_library"; }; then
+ if test "$installed" = no; then
+ notinst_deplibs="$notinst_deplibs $lib"
+ need_relink=yes
+ fi
+ # This is a shared library
+
+ # Warn about portability, can't link against -module's on
+ # some systems (darwin)
+ if test "$shouldnotlink" = yes && test "$pass" = link ; then
+ $echo
+ if test "$linkmode" = prog; then
+ $echo "*** Warning: Linking the executable $output against the loadable module"
+ else
+ $echo "*** Warning: Linking the shared library $output against the loadable module"
+ fi
+ $echo "*** $linklib is not portable!"
+ fi
+ if test "$linkmode" = lib &&
+ test "$hardcode_into_libs" = yes; then
+ # Hardcode the library path.
+ # Skip directories that are in the system default run-time
+ # search path.
+ case " $sys_lib_dlsearch_path " in
+ *" $absdir "*) ;;
+ *)
+ case "$compile_rpath " in
+ *" $absdir "*) ;;
+ *) compile_rpath="$compile_rpath $absdir"
+ esac
+ ;;
+ esac
+ case " $sys_lib_dlsearch_path " in
+ *" $libdir "*) ;;
+ *)
+ case "$finalize_rpath " in
+ *" $libdir "*) ;;
+ *) finalize_rpath="$finalize_rpath $libdir"
+ esac
+ ;;
+ esac
+ fi
+
+ if test -n "$old_archive_from_expsyms_cmds"; then
+ # figure out the soname
+ set dummy $library_names
+ realname="$2"
+ shift; shift
+ libname=`eval \\$echo \"$libname_spec\"`
+ # use dlname if we got it. it's perfectly good, no?
+ if test -n "$dlname"; then
+ soname="$dlname"
+ elif test -n "$soname_spec"; then
+ # bleh windows
+ case $host in
+ *cygwin* | mingw*)
+ major=`expr $current - $age`
+ versuffix="-$major"
+ ;;
+ esac
+ eval soname=\"$soname_spec\"
+ else
+ soname="$realname"
+ fi
+
+ # Make a new name for the extract_expsyms_cmds to use
+ soroot="$soname"
+ soname=`$echo $soroot | ${SED} -e 's/^.*\///'`
+ newlib="libimp-`$echo $soname | ${SED} 's/^lib//;s/\.dll$//'`.a"
+
+ # If the library has no export list, then create one now
+ if test -f "$output_objdir/$soname-def"; then :
+ else
+ $show "extracting exported symbol list from \`$soname'"
+ save_ifs="$IFS"; IFS='~'
+ cmds=$extract_expsyms_cmds
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ fi
+
+ # Create $newlib
+ if test -f "$output_objdir/$newlib"; then :; else
+ $show "generating import library for \`$soname'"
+ save_ifs="$IFS"; IFS='~'
+ cmds=$old_archive_from_expsyms_cmds
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ fi
+ # make sure the library variables are pointing to the new library
+ dir=$output_objdir
+ linklib=$newlib
+ fi # test -n "$old_archive_from_expsyms_cmds"
+
+ if test "$linkmode" = prog || test "$mode" != relink; then
+ add_shlibpath=
+ add_dir=
+ add=
+ lib_linked=yes
+ case $hardcode_action in
+ immediate | unsupported)
+ if test "$hardcode_direct" = no; then
+ add="$dir/$linklib"
+ case $host in
+ *-*-sco3.2v5.0.[024]*) add_dir="-L$dir" ;;
+ *-*-sysv4*uw2*) add_dir="-L$dir" ;;
+ *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \
+ *-*-unixware7*) add_dir="-L$dir" ;;
+ *-*-darwin* )
+ # if the lib is a module then we can not link against
+ # it, someone is ignoring the new warnings I added
+ if /usr/bin/file -L $add 2> /dev/null |
+ $EGREP ": [^:]* bundle" >/dev/null ; then
+ $echo "** Warning, lib $linklib is a module, not a shared library"
+ if test -z "$old_library" ; then
+ $echo
+ $echo "** And there doesn't seem to be a static archive available"
+ $echo "** The link will probably fail, sorry"
+ else
+ add="$dir/$old_library"
+ fi
+ fi
+ esac
+ elif test "$hardcode_minus_L" = no; then
+ case $host in
+ *-*-sunos*) add_shlibpath="$dir" ;;
+ esac
+ add_dir="-L$dir"
+ add="-l$name"
+ elif test "$hardcode_shlibpath_var" = no; then
+ add_shlibpath="$dir"
+ add="-l$name"
+ else
+ lib_linked=no
+ fi
+ ;;
+ relink)
+ if test "$hardcode_direct" = yes; then
+ add="$dir/$linklib"
+ elif test "$hardcode_minus_L" = yes; then
+ add_dir="-L$dir"
+ # Try looking first in the location we're being installed to.
+ if test -n "$inst_prefix_dir"; then
+ case $libdir in
+ [\\/]*)
+ add_dir="$add_dir -L$inst_prefix_dir$libdir"
+ ;;
+ esac
+ fi
+ add="-l$name"
+ elif test "$hardcode_shlibpath_var" = yes; then
+ add_shlibpath="$dir"
+ add="-l$name"
+ else
+ lib_linked=no
+ fi
+ ;;
+ *) lib_linked=no ;;
+ esac
+
+ if test "$lib_linked" != yes; then
+ $echo "$modename: configuration error: unsupported hardcode properties"
+ exit $EXIT_FAILURE
+ fi
+
+ if test -n "$add_shlibpath"; then
+ case :$compile_shlibpath: in
+ *":$add_shlibpath:"*) ;;
+ *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;;
+ esac
+ fi
+ if test "$linkmode" = prog; then
+ test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs"
+ test -n "$add" && compile_deplibs="$add $compile_deplibs"
+ else
+ test -n "$add_dir" && deplibs="$add_dir $deplibs"
+ test -n "$add" && deplibs="$add $deplibs"
+ if test "$hardcode_direct" != yes && \
+ test "$hardcode_minus_L" != yes && \
+ test "$hardcode_shlibpath_var" = yes; then
+ case :$finalize_shlibpath: in
+ *":$libdir:"*) ;;
+ *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+ esac
+ fi
+ fi
+ fi
+
+ if test "$linkmode" = prog || test "$mode" = relink; then
+ add_shlibpath=
+ add_dir=
+ add=
+ # Finalize command for both is simple: just hardcode it.
+ if test "$hardcode_direct" = yes; then
+ add="$libdir/$linklib"
+ elif test "$hardcode_minus_L" = yes; then
+ add_dir="-L$libdir"
+ add="-l$name"
+ elif test "$hardcode_shlibpath_var" = yes; then
+ case :$finalize_shlibpath: in
+ *":$libdir:"*) ;;
+ *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+ esac
+ add="-l$name"
+ elif test "$hardcode_automatic" = yes; then
+ if test -n "$inst_prefix_dir" &&
+ test -f "$inst_prefix_dir$libdir/$linklib" ; then
+ add="$inst_prefix_dir$libdir/$linklib"
+ else
+ add="$libdir/$linklib"
+ fi
+ else
+ # We cannot seem to hardcode it, guess we'll fake it.
+ add_dir="-L$libdir"
+ # Try looking first in the location we're being installed to.
+ if test -n "$inst_prefix_dir"; then
+ case $libdir in
+ [\\/]*)
+ add_dir="$add_dir -L$inst_prefix_dir$libdir"
+ ;;
+ esac
+ fi
+ add="-l$name"
+ fi
+
+ if test "$linkmode" = prog; then
+ test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs"
+ test -n "$add" && finalize_deplibs="$add $finalize_deplibs"
+ else
+ test -n "$add_dir" && deplibs="$add_dir $deplibs"
+ test -n "$add" && deplibs="$add $deplibs"
+ fi
+ fi
+ elif test "$linkmode" = prog; then
+ # Here we assume that one of hardcode_direct or hardcode_minus_L
+ # is not unsupported. This is valid on all known static and
+ # shared platforms.
+ if test "$hardcode_direct" != unsupported; then
+ test -n "$old_library" && linklib="$old_library"
+ compile_deplibs="$dir/$linklib $compile_deplibs"
+ finalize_deplibs="$dir/$linklib $finalize_deplibs"
+ else
+ compile_deplibs="-l$name -L$dir $compile_deplibs"
+ finalize_deplibs="-l$name -L$dir $finalize_deplibs"
+ fi
+ elif test "$build_libtool_libs" = yes; then
+ # Not a shared library
+ if test "$deplibs_check_method" != pass_all; then
+ # We're trying link a shared library against a static one
+ # but the system doesn't support it.
+
+ # Just print a warning and add the library to dependency_libs so
+ # that the program can be linked against the static library.
+ $echo
+ $echo "*** Warning: This system can not link to static lib archive $lib."
+ $echo "*** I have the capability to make that library automatically link in when"
+ $echo "*** you link to this library. But I can only do this if you have a"
+ $echo "*** shared version of the library, which you do not appear to have."
+ if test "$module" = yes; then
+ $echo "*** But as you try to build a module library, libtool will still create "
+ $echo "*** a static module, that should work as long as the dlopening application"
+ $echo "*** is linked with the -dlopen flag to resolve symbols at runtime."
+ if test -z "$global_symbol_pipe"; then
+ $echo
+ $echo "*** However, this would only work if libtool was able to extract symbol"
+ $echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+ $echo "*** not find such a program. So, this module is probably useless."
+ $echo "*** \`nm' from GNU binutils and a full rebuild may help."
+ fi
+ if test "$build_old_libs" = no; then
+ build_libtool_libs=module
+ build_old_libs=yes
+ else
+ build_libtool_libs=no
+ fi
+ fi
+ else
+ deplibs="$dir/$old_library $deplibs"
+ link_static=yes
+ fi
+ fi # link shared/static library?
+
+ if test "$linkmode" = lib; then
+ if test -n "$dependency_libs" &&
+ { test "$hardcode_into_libs" != yes ||
+ test "$build_old_libs" = yes ||
+ test "$link_static" = yes; }; then
+ # Extract -R from dependency_libs
+ temp_deplibs=
+ for libdir in $dependency_libs; do
+ case $libdir in
+ -R*) temp_xrpath=`$echo "X$libdir" | $Xsed -e 's/^-R//'`
+ case " $xrpath " in
+ *" $temp_xrpath "*) ;;
+ *) xrpath="$xrpath $temp_xrpath";;
+ esac;;
+ *) temp_deplibs="$temp_deplibs $libdir";;
+ esac
+ done
+ dependency_libs="$temp_deplibs"
+ fi
+
+ newlib_search_path="$newlib_search_path $absdir"
+ # Link against this library
+ test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
+ # ... and its dependency_libs
+ tmp_libs=
+ for deplib in $dependency_libs; do
+ newdependency_libs="$deplib $newdependency_libs"
+ if test "X$duplicate_deps" = "Xyes" ; then
+ case "$tmp_libs " in
+ *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ esac
+ fi
+ tmp_libs="$tmp_libs $deplib"
+ done
+
+ if test "$link_all_deplibs" != no; then
+ # Add the search paths of all dependency libraries
+ for deplib in $dependency_libs; do
+ case $deplib in
+ -L*) path="$deplib" ;;
+ *.la)
+ dir=`$echo "X$deplib" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$dir" = "X$deplib" && dir="."
+ # We need an absolute path.
+ case $dir in
+ [\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
+ *)
+ absdir=`cd "$dir" && pwd`
+ if test -z "$absdir"; then
+ $echo "$modename: warning: cannot determine absolute directory name of \`$dir'" 1>&2
+ absdir="$dir"
+ fi
+ ;;
+ esac
+ if grep "^installed=no" $deplib > /dev/null; then
+ path="$absdir/$objdir"
+ else
+ eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+ if test -z "$libdir"; then
+ $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
+ exit $EXIT_FAILURE
+ fi
+ if test "$absdir" != "$libdir"; then
+ $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2
+ fi
+ path="$absdir"
+ fi
+ depdepl=
+ case $host in
+ *-*-darwin*)
+ # we do not want to link against static libs,
+ # but need to link against shared
+ eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib`
+ if test -n "$deplibrary_names" ; then
+ for tmp in $deplibrary_names ; do
+ depdepl=$tmp
+ done
+ if test -f "$path/$depdepl" ; then
+ depdepl="$path/$depdepl"
+ fi
+ # do not add paths which are already there
+ case " $newlib_search_path " in
+ *" $path "*) ;;
+ *) newlib_search_path="$newlib_search_path $path";;
+ esac
+ fi
+ path=""
+ ;;
+ *)
+ path="-L$path"
+ ;;
+ esac
+ ;;
+ -l*)
+ case $host in
+ *-*-darwin*)
+ # Again, we only want to link against shared libraries
+ eval tmp_libs=`$echo "X$deplib" | $Xsed -e "s,^\-l,,"`
+ for tmp in $newlib_search_path ; do
+ if test -f "$tmp/lib$tmp_libs.dylib" ; then
+ eval depdepl="$tmp/lib$tmp_libs.dylib"
+ break
+ fi
+ done
+ path=""
+ ;;
+ *) continue ;;
+ esac
+ ;;
+ *) continue ;;
+ esac
+ case " $deplibs " in
+ *" $path "*) ;;
+ *) deplibs="$path $deplibs" ;;
+ esac
+ case " $deplibs " in
+ *" $depdepl "*) ;;
+ *) deplibs="$depdepl $deplibs" ;;
+ esac
+ done
+ fi # link_all_deplibs != no
+ fi # linkmode = lib
+ done # for deplib in $libs
+ dependency_libs="$newdependency_libs"
+ if test "$pass" = dlpreopen; then
+ # Link the dlpreopened libraries before other libraries
+ for deplib in $save_deplibs; do
+ deplibs="$deplib $deplibs"
+ done
+ fi
+ if test "$pass" != dlopen; then
+ if test "$pass" != conv; then
+ # Make sure lib_search_path contains only unique directories.
+ lib_search_path=
+ for dir in $newlib_search_path; do
+ case "$lib_search_path " in
+ *" $dir "*) ;;
+ *) lib_search_path="$lib_search_path $dir" ;;
+ esac
+ done
+ newlib_search_path=
+ fi
+
+ if test "$linkmode,$pass" != "prog,link"; then
+ vars="deplibs"
+ else
+ vars="compile_deplibs finalize_deplibs"
+ fi
+ for var in $vars dependency_libs; do
+ # Add libraries to $var in reverse order
+ eval tmp_libs=\"\$$var\"
+ new_libs=
+ for deplib in $tmp_libs; do
+ # FIXME: Pedantically, this is the right thing to do, so
+ # that some nasty dependency loop isn't accidentally
+ # broken:
+ #new_libs="$deplib $new_libs"
+ # Pragmatically, this seems to cause very few problems in
+ # practice:
+ case $deplib in
+ -L*) new_libs="$deplib $new_libs" ;;
+ -R*) ;;
+ *)
+ # And here is the reason: when a library appears more
+ # than once as an explicit dependence of a library, or
+ # is implicitly linked in more than once by the
+ # compiler, it is considered special, and multiple
+ # occurrences thereof are not removed. Compare this
+ # with having the same library being listed as a
+ # dependency of multiple other libraries: in this case,
+ # we know (pedantically, we assume) the library does not
+ # need to be listed more than once, so we keep only the
+ # last copy. This is not always right, but it is rare
+ # enough that we require users that really mean to play
+ # such unportable linking tricks to link the library
+ # using -Wl,-lname, so that libtool does not consider it
+ # for duplicate removal.
+ case " $specialdeplibs " in
+ *" $deplib "*) new_libs="$deplib $new_libs" ;;
+ *)
+ case " $new_libs " in
+ *" $deplib "*) ;;
+ *) new_libs="$deplib $new_libs" ;;
+ esac
+ ;;
+ esac
+ ;;
+ esac
+ done
+ tmp_libs=
+ for deplib in $new_libs; do
+ case $deplib in
+ -L*)
+ case " $tmp_libs " in
+ *" $deplib "*) ;;
+ *) tmp_libs="$tmp_libs $deplib" ;;
+ esac
+ ;;
+ *) tmp_libs="$tmp_libs $deplib" ;;
+ esac
+ done
+ eval $var=\"$tmp_libs\"
+ done # for var
+ fi
+ # Last step: remove runtime libs from dependency_libs
+ # (they stay in deplibs)
+ tmp_libs=
+ for i in $dependency_libs ; do
+ case " $predeps $postdeps $compiler_lib_search_path " in
+ *" $i "*)
+ i=""
+ ;;
+ esac
+ if test -n "$i" ; then
+ tmp_libs="$tmp_libs $i"
+ fi
+ done
+ dependency_libs=$tmp_libs
+ done # for pass
+ if test "$linkmode" = prog; then
+ dlfiles="$newdlfiles"
+ dlprefiles="$newdlprefiles"
+ fi
+
+ case $linkmode in
+ oldlib)
+ if test -n "$deplibs"; then
+ $echo "$modename: warning: \`-l' and \`-L' are ignored for archives" 1>&2
+ fi
+
+ if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+ $echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$rpath"; then
+ $echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$xrpath"; then
+ $echo "$modename: warning: \`-R' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$vinfo"; then
+ $echo "$modename: warning: \`-version-info/-version-number' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$release"; then
+ $echo "$modename: warning: \`-release' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+ $echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2
+ fi
+
+ # Now set the variables for building old libraries.
+ build_libtool_libs=no
+ oldlibs="$output"
+ objs="$objs$old_deplibs"
+ ;;
+
+ lib)
+ # Make sure we only generate libraries of the form `libNAME.la'.
+ case $outputname in
+ lib*)
+ name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+ eval shared_ext=\"$shrext_cmds\"
+ eval libname=\"$libname_spec\"
+ ;;
+ *)
+ if test "$module" = no; then
+ $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+ if test "$need_lib_prefix" != no; then
+ # Add the "lib" prefix for modules if required
+ name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
+ eval shared_ext=\"$shrext_cmds\"
+ eval libname=\"$libname_spec\"
+ else
+ libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
+ fi
+ ;;
+ esac
+
+ if test -n "$objs"; then
+ if test "$deplibs_check_method" != pass_all; then
+ $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1
+ exit $EXIT_FAILURE
+ else
+ $echo
+ $echo "*** Warning: Linking the shared library $output against the non-libtool"
+ $echo "*** objects $objs is not portable!"
+ libobjs="$libobjs $objs"
+ fi
+ fi
+
+ if test "$dlself" != no; then
+ $echo "$modename: warning: \`-dlopen self' is ignored for libtool libraries" 1>&2
+ fi
+
+ set dummy $rpath
+ if test "$#" -gt 2; then
+ $echo "$modename: warning: ignoring multiple \`-rpath's for a libtool library" 1>&2
+ fi
+ install_libdir="$2"
+
+ oldlibs=
+ if test -z "$rpath"; then
+ if test "$build_libtool_libs" = yes; then
+ # Building a libtool convenience library.
+ # Some compilers have problems with a `.al' extension so
+ # convenience libraries should have the same extension an
+ # archive normally would.
+ oldlibs="$output_objdir/$libname.$libext $oldlibs"
+ build_libtool_libs=convenience
+ build_old_libs=yes
+ fi
+
+ if test -n "$vinfo"; then
+ $echo "$modename: warning: \`-version-info/-version-number' is ignored for convenience libraries" 1>&2
+ fi
+
+ if test -n "$release"; then
+ $echo "$modename: warning: \`-release' is ignored for convenience libraries" 1>&2
+ fi
+ else
+
+ # Parse the version information argument.
+ save_ifs="$IFS"; IFS=':'
+ set dummy $vinfo 0 0 0
+ IFS="$save_ifs"
+
+ if test -n "$8"; then
+ $echo "$modename: too many parameters to \`-version-info'" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ # convert absolute version numbers to libtool ages
+ # this retains compatibility with .la files and attempts
+ # to make the code below a bit more comprehensible
+
+ case $vinfo_number in
+ yes)
+ number_major="$2"
+ number_minor="$3"
+ number_revision="$4"
+ #
+ # There are really only two kinds -- those that
+ # use the current revision as the major version
+ # and those that subtract age and use age as
+ # a minor version. But, then there is irix
+ # which has an extra 1 added just for fun
+ #
+ case $version_type in
+ darwin|linux|osf|windows)
+ current=`expr $number_major + $number_minor`
+ age="$number_minor"
+ revision="$number_revision"
+ ;;
+ freebsd-aout|freebsd-elf|sunos)
+ current="$number_major"
+ revision="$number_minor"
+ age="0"
+ ;;
+ irix|nonstopux)
+ current=`expr $number_major + $number_minor - 1`
+ age="$number_minor"
+ revision="$number_minor"
+ ;;
+ esac
+ ;;
+ no)
+ current="$2"
+ revision="$3"
+ age="$4"
+ ;;
+ esac
+
+ # Check that each of the things are valid numbers.
+ case $current in
+ 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
+ *)
+ $echo "$modename: CURRENT \`$current' must be a nonnegative integer" 1>&2
+ $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ esac
+
+ case $revision in
+ 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
+ *)
+ $echo "$modename: REVISION \`$revision' must be a nonnegative integer" 1>&2
+ $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ esac
+
+ case $age in
+ 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
+ *)
+ $echo "$modename: AGE \`$age' must be a nonnegative integer" 1>&2
+ $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ esac
+
+ if test "$age" -gt "$current"; then
+ $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2
+ $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ # Calculate the version variables.
+ major=
+ versuffix=
+ verstring=
+ case $version_type in
+ none) ;;
+
+ darwin)
+ # Like Linux, but with the current version available in
+ # verstring for coding it into the library header
+ major=.`expr $current - $age`
+ versuffix="$major.$age.$revision"
+ # Darwin ld doesn't like 0 for these options...
+ minor_current=`expr $current + 1`
+ verstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision"
+ ;;
+
+ freebsd-aout)
+ major=".$current"
+ versuffix=".$current.$revision";
+ ;;
+
+ freebsd-elf)
+ major=".$current"
+ versuffix=".$current";
+ ;;
+
+ irix | nonstopux)
+ major=`expr $current - $age + 1`
+
+ case $version_type in
+ nonstopux) verstring_prefix=nonstopux ;;
+ *) verstring_prefix=sgi ;;
+ esac
+ verstring="$verstring_prefix$major.$revision"
+
+ # Add in all the interfaces that we are compatible with.
+ loop=$revision
+ while test "$loop" -ne 0; do
+ iface=`expr $revision - $loop`
+ loop=`expr $loop - 1`
+ verstring="$verstring_prefix$major.$iface:$verstring"
+ done
+
+ # Before this point, $major must not contain `.'.
+ major=.$major
+ versuffix="$major.$revision"
+ ;;
+
+ linux)
+ major=.`expr $current - $age`
+ versuffix="$major.$age.$revision"
+ ;;
+
+ osf)
+ major=.`expr $current - $age`
+ versuffix=".$current.$age.$revision"
+ verstring="$current.$age.$revision"
+
+ # Add in all the interfaces that we are compatible with.
+ loop=$age
+ while test "$loop" -ne 0; do
+ iface=`expr $current - $loop`
+ loop=`expr $loop - 1`
+ verstring="$verstring:${iface}.0"
+ done
+
+ # Make executables depend on our current version.
+ verstring="$verstring:${current}.0"
+ ;;
+
+ sunos)
+ major=".$current"
+ versuffix=".$current.$revision"
+ ;;
+
+ windows)
+ # Use '-' rather than '.', since we only want one
+ # extension on DOS 8.3 filesystems.
+ major=`expr $current - $age`
+ versuffix="-$major"
+ ;;
+
+ *)
+ $echo "$modename: unknown library version type \`$version_type'" 1>&2
+ $echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ esac
+
+ # Clear the version info if we defaulted, and they specified a release.
+ if test -z "$vinfo" && test -n "$release"; then
+ major=
+ case $version_type in
+ darwin)
+ # we can't check for "0.0" in archive_cmds due to quoting
+ # problems, so we reset it completely
+ verstring=
+ ;;
+ *)
+ verstring="0.0"
+ ;;
+ esac
+ if test "$need_version" = no; then
+ versuffix=
+ else
+ versuffix=".0.0"
+ fi
+ fi
+
+ # Remove version info from name if versioning should be avoided
+ if test "$avoid_version" = yes && test "$need_version" = no; then
+ major=
+ versuffix=
+ verstring=""
+ fi
+
+ # Check to see if the archive will have undefined symbols.
+ if test "$allow_undefined" = yes; then
+ if test "$allow_undefined_flag" = unsupported; then
+ $echo "$modename: warning: undefined symbols not allowed in $host shared libraries" 1>&2
+ build_libtool_libs=no
+ build_old_libs=yes
+ fi
+ else
+ # Don't allow undefined symbols.
+ allow_undefined_flag="$no_undefined_flag"
+ fi
+ fi
+
+ if test "$mode" != relink; then
+ # Remove our outputs, but don't remove object files since they
+ # may have been created when compiling PIC objects.
+ removelist=
+ tempremovelist=`$echo "$output_objdir/*"`
+ for p in $tempremovelist; do
+ case $p in
+ *.$objext)
+ ;;
+ $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*)
+ if test "X$precious_files_regex" != "X"; then
+ if echo $p | $EGREP -e "$precious_files_regex" >/dev/null 2>&1
+ then
+ continue
+ fi
+ fi
+ removelist="$removelist $p"
+ ;;
+ *) ;;
+ esac
+ done
+ if test -n "$removelist"; then
+ $show "${rm}r $removelist"
+ $run ${rm}r $removelist
+ fi
+ fi
+
+ # Now set the variables for building old libraries.
+ if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
+ oldlibs="$oldlibs $output_objdir/$libname.$libext"
+
+ # Transform .lo files to .o files.
+ oldobjs="$objs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP`
+ fi
+
+ # Eliminate all temporary directories.
+ for path in $notinst_path; do
+ lib_search_path=`$echo "$lib_search_path " | ${SED} -e "s% $path % %g"`
+ deplibs=`$echo "$deplibs " | ${SED} -e "s% -L$path % %g"`
+ dependency_libs=`$echo "$dependency_libs " | ${SED} -e "s% -L$path % %g"`
+ done
+
+ if test -n "$xrpath"; then
+ # If the user specified any rpath flags, then add them.
+ temp_xrpath=
+ for libdir in $xrpath; do
+ temp_xrpath="$temp_xrpath -R$libdir"
+ case "$finalize_rpath " in
+ *" $libdir "*) ;;
+ *) finalize_rpath="$finalize_rpath $libdir" ;;
+ esac
+ done
+ if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then
+ dependency_libs="$temp_xrpath $dependency_libs"
+ fi
+ fi
+
+ # Make sure dlfiles contains only unique files that won't be dlpreopened
+ old_dlfiles="$dlfiles"
+ dlfiles=
+ for lib in $old_dlfiles; do
+ case " $dlprefiles $dlfiles " in
+ *" $lib "*) ;;
+ *) dlfiles="$dlfiles $lib" ;;
+ esac
+ done
+
+ # Make sure dlprefiles contains only unique files
+ old_dlprefiles="$dlprefiles"
+ dlprefiles=
+ for lib in $old_dlprefiles; do
+ case "$dlprefiles " in
+ *" $lib "*) ;;
+ *) dlprefiles="$dlprefiles $lib" ;;
+ esac
+ done
+
+ if test "$build_libtool_libs" = yes; then
+ if test -n "$rpath"; then
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos*)
+ # these systems don't actually have a c library (as such)!
+ ;;
+ *-*-rhapsody* | *-*-darwin1.[012])
+ # Rhapsody C library is in the System framework
+ deplibs="$deplibs -framework System"
+ ;;
+ *-*-netbsd*)
+ # Don't link with libc until the a.out ld.so is fixed.
+ ;;
+ *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
+ # Do not include libc due to us having libc/libc_r.
+ ;;
+ *-*-sco3.2v5* | *-*-sco5v6*)
+ # Causes problems with __ctype
+ ;;
+ *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
+ # Compiler inserts libc in the correct place for threads to work
+ ;;
+ *)
+ # Add libc to deplibs on all other systems if necessary.
+ if test "$build_libtool_need_lc" = "yes"; then
+ deplibs="$deplibs -lc"
+ fi
+ ;;
+ esac
+ fi
+
+ # Transform deplibs into only deplibs that can be linked in shared.
+ name_save=$name
+ libname_save=$libname
+ release_save=$release
+ versuffix_save=$versuffix
+ major_save=$major
+ # I'm not sure if I'm treating the release correctly. I think
+ # release should show up in the -l (ie -lgmp5) so we don't want to
+ # add it in twice. Is that correct?
+ release=""
+ versuffix=""
+ major=""
+ newdeplibs=
+ droppeddeps=no
+ case $deplibs_check_method in
+ pass_all)
+ # Don't check for shared/static. Everything works.
+ # This might be a little naive. We might want to check
+ # whether the library exists or not. But this is on
+ # osf3 & osf4 and I'm not really sure... Just
+ # implementing what was already the behavior.
+ newdeplibs=$deplibs
+ ;;
+ test_compile)
+ # This code stresses the "libraries are programs" paradigm to its
+ # limits. Maybe even breaks it. We compile a program, linking it
+ # against the deplibs as a proxy for the library. Then we can check
+ # whether they linked in statically or dynamically with ldd.
+ $rm conftest.c
+ cat > conftest.c <<EOF
+ int main() { return 0; }
+EOF
+ $rm conftest
+ $LTCC $LTCFLAGS -o conftest conftest.c $deplibs
+ if test "$?" -eq 0 ; then
+ ldd_output=`ldd conftest`
+ for i in $deplibs; do
+ name=`expr $i : '-l\(.*\)'`
+ # If $name is empty we are operating on a -L argument.
+ if test "$name" != "" && test "$name" -ne "0"; then
+ if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+ case " $predeps $postdeps " in
+ *" $i "*)
+ newdeplibs="$newdeplibs $i"
+ i=""
+ ;;
+ esac
+ fi
+ if test -n "$i" ; then
+ libname=`eval \\$echo \"$libname_spec\"`
+ deplib_matches=`eval \\$echo \"$library_names_spec\"`
+ set dummy $deplib_matches
+ deplib_match=$2
+ if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+ newdeplibs="$newdeplibs $i"
+ else
+ droppeddeps=yes
+ $echo
+ $echo "*** Warning: dynamic linker does not accept needed library $i."
+ $echo "*** I have the capability to make that library automatically link in when"
+ $echo "*** you link to this library. But I can only do this if you have a"
+ $echo "*** shared version of the library, which I believe you do not have"
+ $echo "*** because a test_compile did reveal that the linker did not use it for"
+ $echo "*** its dynamic dependency list that programs get resolved with at runtime."
+ fi
+ fi
+ else
+ newdeplibs="$newdeplibs $i"
+ fi
+ done
+ else
+ # Error occurred in the first compile. Let's try to salvage
+ # the situation: Compile a separate program for each library.
+ for i in $deplibs; do
+ name=`expr $i : '-l\(.*\)'`
+ # If $name is empty we are operating on a -L argument.
+ if test "$name" != "" && test "$name" != "0"; then
+ $rm conftest
+ $LTCC $LTCFLAGS -o conftest conftest.c $i
+ # Did it work?
+ if test "$?" -eq 0 ; then
+ ldd_output=`ldd conftest`
+ if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+ case " $predeps $postdeps " in
+ *" $i "*)
+ newdeplibs="$newdeplibs $i"
+ i=""
+ ;;
+ esac
+ fi
+ if test -n "$i" ; then
+ libname=`eval \\$echo \"$libname_spec\"`
+ deplib_matches=`eval \\$echo \"$library_names_spec\"`
+ set dummy $deplib_matches
+ deplib_match=$2
+ if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+ newdeplibs="$newdeplibs $i"
+ else
+ droppeddeps=yes
+ $echo
+ $echo "*** Warning: dynamic linker does not accept needed library $i."
+ $echo "*** I have the capability to make that library automatically link in when"
+ $echo "*** you link to this library. But I can only do this if you have a"
+ $echo "*** shared version of the library, which you do not appear to have"
+ $echo "*** because a test_compile did reveal that the linker did not use this one"
+ $echo "*** as a dynamic dependency that programs can get resolved with at runtime."
+ fi
+ fi
+ else
+ droppeddeps=yes
+ $echo
+ $echo "*** Warning! Library $i is needed by this library but I was not able to"
+ $echo "*** make it link in! You will probably need to install it or some"
+ $echo "*** library that it depends on before this library will be fully"
+ $echo "*** functional. Installing it before continuing would be even better."
+ fi
+ else
+ newdeplibs="$newdeplibs $i"
+ fi
+ done
+ fi
+ ;;
+ file_magic*)
+ set dummy $deplibs_check_method
+ file_magic_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+ for a_deplib in $deplibs; do
+ name=`expr $a_deplib : '-l\(.*\)'`
+ # If $name is empty we are operating on a -L argument.
+ if test "$name" != "" && test "$name" != "0"; then
+ if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+ case " $predeps $postdeps " in
+ *" $a_deplib "*)
+ newdeplibs="$newdeplibs $a_deplib"
+ a_deplib=""
+ ;;
+ esac
+ fi
+ if test -n "$a_deplib" ; then
+ libname=`eval \\$echo \"$libname_spec\"`
+ for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+ potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+ for potent_lib in $potential_libs; do
+ # Follow soft links.
+ if ls -lLd "$potent_lib" 2>/dev/null \
+ | grep " -> " >/dev/null; then
+ continue
+ fi
+ # The statement above tries to avoid entering an
+ # endless loop below, in case of cyclic links.
+ # We might still enter an endless loop, since a link
+ # loop can be closed while we follow links,
+ # but so what?
+ potlib="$potent_lib"
+ while test -h "$potlib" 2>/dev/null; do
+ potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'`
+ case $potliblink in
+ [\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
+ *) potlib=`$echo "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
+ esac
+ done
+ # It is ok to link against an archive when
+ # building a shared library.
+ if $AR -t $potlib > /dev/null 2>&1; then
+ newdeplibs="$newdeplibs $a_deplib"
+ a_deplib=""
+ break 2
+ fi
+ if eval $file_magic_cmd \"\$potlib\" 2>/dev/null \
+ | ${SED} 10q \
+ | $EGREP "$file_magic_regex" > /dev/null; then
+ newdeplibs="$newdeplibs $a_deplib"
+ a_deplib=""
+ break 2
+ fi
+ done
+ done
+ fi
+ if test -n "$a_deplib" ; then
+ droppeddeps=yes
+ $echo
+ $echo "*** Warning: linker path does not have real file for library $a_deplib."
+ $echo "*** I have the capability to make that library automatically link in when"
+ $echo "*** you link to this library. But I can only do this if you have a"
+ $echo "*** shared version of the library, which you do not appear to have"
+ $echo "*** because I did check the linker path looking for a file starting"
+ if test -z "$potlib" ; then
+ $echo "*** with $libname but no candidates were found. (...for file magic test)"
+ else
+ $echo "*** with $libname and none of the candidates passed a file format test"
+ $echo "*** using a file magic. Last file checked: $potlib"
+ fi
+ fi
+ else
+ # Add a -L argument.
+ newdeplibs="$newdeplibs $a_deplib"
+ fi
+ done # Gone through all deplibs.
+ ;;
+ match_pattern*)
+ set dummy $deplibs_check_method
+ match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+ for a_deplib in $deplibs; do
+ name=`expr $a_deplib : '-l\(.*\)'`
+ # If $name is empty we are operating on a -L argument.
+ if test -n "$name" && test "$name" != "0"; then
+ if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+ case " $predeps $postdeps " in
+ *" $a_deplib "*)
+ newdeplibs="$newdeplibs $a_deplib"
+ a_deplib=""
+ ;;
+ esac
+ fi
+ if test -n "$a_deplib" ; then
+ libname=`eval \\$echo \"$libname_spec\"`
+ for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+ potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+ for potent_lib in $potential_libs; do
+ potlib="$potent_lib" # see symlink-check above in file_magic test
+ if eval $echo \"$potent_lib\" 2>/dev/null \
+ | ${SED} 10q \
+ | $EGREP "$match_pattern_regex" > /dev/null; then
+ newdeplibs="$newdeplibs $a_deplib"
+ a_deplib=""
+ break 2
+ fi
+ done
+ done
+ fi
+ if test -n "$a_deplib" ; then
+ droppeddeps=yes
+ $echo
+ $echo "*** Warning: linker path does not have real file for library $a_deplib."
+ $echo "*** I have the capability to make that library automatically link in when"
+ $echo "*** you link to this library. But I can only do this if you have a"
+ $echo "*** shared version of the library, which you do not appear to have"
+ $echo "*** because I did check the linker path looking for a file starting"
+ if test -z "$potlib" ; then
+ $echo "*** with $libname but no candidates were found. (...for regex pattern test)"
+ else
+ $echo "*** with $libname and none of the candidates passed a file format test"
+ $echo "*** using a regex pattern. Last file checked: $potlib"
+ fi
+ fi
+ else
+ # Add a -L argument.
+ newdeplibs="$newdeplibs $a_deplib"
+ fi
+ done # Gone through all deplibs.
+ ;;
+ none | unknown | *)
+ newdeplibs=""
+ tmp_deplibs=`$echo "X $deplibs" | $Xsed -e 's/ -lc$//' \
+ -e 's/ -[LR][^ ]*//g'`
+ if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+ for i in $predeps $postdeps ; do
+ # can't use Xsed below, because $i might contain '/'
+ tmp_deplibs=`$echo "X $tmp_deplibs" | ${SED} -e "1s,^X,," -e "s,$i,,"`
+ done
+ fi
+ if $echo "X $tmp_deplibs" | $Xsed -e 's/[ ]//g' \
+ | grep . >/dev/null; then
+ $echo
+ if test "X$deplibs_check_method" = "Xnone"; then
+ $echo "*** Warning: inter-library dependencies are not supported in this platform."
+ else
+ $echo "*** Warning: inter-library dependencies are not known to be supported."
+ fi
+ $echo "*** All declared inter-library dependencies are being dropped."
+ droppeddeps=yes
+ fi
+ ;;
+ esac
+ versuffix=$versuffix_save
+ major=$major_save
+ release=$release_save
+ libname=$libname_save
+ name=$name_save
+
+ case $host in
+ *-*-rhapsody* | *-*-darwin1.[012])
+ # On Rhapsody replace the C library is the System framework
+ newdeplibs=`$echo "X $newdeplibs" | $Xsed -e 's/ -lc / -framework System /'`
+ ;;
+ esac
+
+ if test "$droppeddeps" = yes; then
+ if test "$module" = yes; then
+ $echo
+ $echo "*** Warning: libtool could not satisfy all declared inter-library"
+ $echo "*** dependencies of module $libname. Therefore, libtool will create"
+ $echo "*** a static module, that should work as long as the dlopening"
+ $echo "*** application is linked with the -dlopen flag."
+ if test -z "$global_symbol_pipe"; then
+ $echo
+ $echo "*** However, this would only work if libtool was able to extract symbol"
+ $echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+ $echo "*** not find such a program. So, this module is probably useless."
+ $echo "*** \`nm' from GNU binutils and a full rebuild may help."
+ fi
+ if test "$build_old_libs" = no; then
+ oldlibs="$output_objdir/$libname.$libext"
+ build_libtool_libs=module
+ build_old_libs=yes
+ else
+ build_libtool_libs=no
+ fi
+ else
+ $echo "*** The inter-library dependencies that have been dropped here will be"
+ $echo "*** automatically added whenever a program is linked with this library"
+ $echo "*** or is declared to -dlopen it."
+
+ if test "$allow_undefined" = no; then
+ $echo
+ $echo "*** Since this library must not contain undefined symbols,"
+ $echo "*** because either the platform does not support them or"
+ $echo "*** it was explicitly requested with -no-undefined,"
+ $echo "*** libtool will only create a static version of it."
+ if test "$build_old_libs" = no; then
+ oldlibs="$output_objdir/$libname.$libext"
+ build_libtool_libs=module
+ build_old_libs=yes
+ else
+ build_libtool_libs=no
+ fi
+ fi
+ fi
+ fi
+ # Done checking deplibs!
+ deplibs=$newdeplibs
+ fi
+
+
+ # move library search paths that coincide with paths to not yet
+ # installed libraries to the beginning of the library search list
+ new_libs=
+ for path in $notinst_path; do
+ case " $new_libs " in
+ *" -L$path/$objdir "*) ;;
+ *)
+ case " $deplibs " in
+ *" -L$path/$objdir "*)
+ new_libs="$new_libs -L$path/$objdir" ;;
+ esac
+ ;;
+ esac
+ done
+ for deplib in $deplibs; do
+ case $deplib in
+ -L*)
+ case " $new_libs " in
+ *" $deplib "*) ;;
+ *) new_libs="$new_libs $deplib" ;;
+ esac
+ ;;
+ *) new_libs="$new_libs $deplib" ;;
+ esac
+ done
+ deplibs="$new_libs"
+
+
+ # All the library-specific variables (install_libdir is set above).
+ library_names=
+ old_library=
+ dlname=
+
+ # Test again, we may have decided not to build it any more
+ if test "$build_libtool_libs" = yes; then
+ if test "$hardcode_into_libs" = yes; then
+ # Hardcode the library paths
+ hardcode_libdirs=
+ dep_rpath=
+ rpath="$finalize_rpath"
+ test "$mode" != relink && rpath="$compile_rpath$rpath"
+ for libdir in $rpath; do
+ if test -n "$hardcode_libdir_flag_spec"; then
+ if test -n "$hardcode_libdir_separator"; then
+ if test -z "$hardcode_libdirs"; then
+ hardcode_libdirs="$libdir"
+ else
+ # Just accumulate the unique libdirs.
+ case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+ *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+ ;;
+ *)
+ hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+ ;;
+ esac
+ fi
+ else
+ eval flag=\"$hardcode_libdir_flag_spec\"
+ dep_rpath="$dep_rpath $flag"
+ fi
+ elif test -n "$runpath_var"; then
+ case "$perm_rpath " in
+ *" $libdir "*) ;;
+ *) perm_rpath="$perm_rpath $libdir" ;;
+ esac
+ fi
+ done
+ # Substitute the hardcoded libdirs into the rpath.
+ if test -n "$hardcode_libdir_separator" &&
+ test -n "$hardcode_libdirs"; then
+ libdir="$hardcode_libdirs"
+ if test -n "$hardcode_libdir_flag_spec_ld"; then
+ eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\"
+ else
+ eval dep_rpath=\"$hardcode_libdir_flag_spec\"
+ fi
+ fi
+ if test -n "$runpath_var" && test -n "$perm_rpath"; then
+ # We should set the runpath_var.
+ rpath=
+ for dir in $perm_rpath; do
+ rpath="$rpath$dir:"
+ done
+ eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
+ fi
+ test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs"
+ fi
+
+ shlibpath="$finalize_shlibpath"
+ test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
+ if test -n "$shlibpath"; then
+ eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
+ fi
+
+ # Get the real and link names of the library.
+ eval shared_ext=\"$shrext_cmds\"
+ eval library_names=\"$library_names_spec\"
+ set dummy $library_names
+ realname="$2"
+ shift; shift
+
+ if test -n "$soname_spec"; then
+ eval soname=\"$soname_spec\"
+ else
+ soname="$realname"
+ fi
+ if test -z "$dlname"; then
+ dlname=$soname
+ fi
+
+ lib="$output_objdir/$realname"
+ linknames=
+ for link
+ do
+ linknames="$linknames $link"
+ done
+
+ # Use standard objects if they are pic
+ test -z "$pic_flag" && libobjs=`$echo "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+
+ # Prepare the list of exported symbols
+ if test -z "$export_symbols"; then
+ if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then
+ $show "generating symbol list for \`$libname.la'"
+ export_symbols="$output_objdir/$libname.exp"
+ $run $rm $export_symbols
+ cmds=$export_symbols_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ if len=`expr "X$cmd" : ".*"` &&
+ test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ skipped_export=false
+ else
+ # The command line is too long to execute in one step.
+ $show "using reloadable object file for export list..."
+ skipped_export=:
+ # Break out early, otherwise skipped_export may be
+ # set to false by a later but shorter cmd.
+ break
+ fi
+ done
+ IFS="$save_ifs"
+ if test -n "$export_symbols_regex"; then
+ $show "$EGREP -e \"$export_symbols_regex\" \"$export_symbols\" > \"${export_symbols}T\""
+ $run eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
+ $show "$mv \"${export_symbols}T\" \"$export_symbols\""
+ $run eval '$mv "${export_symbols}T" "$export_symbols"'
+ fi
+ fi
+ fi
+
+ if test -n "$export_symbols" && test -n "$include_expsyms"; then
+ $run eval '$echo "X$include_expsyms" | $SP2NL >> "$export_symbols"'
+ fi
+
+ tmp_deplibs=
+ for test_deplib in $deplibs; do
+ case " $convenience " in
+ *" $test_deplib "*) ;;
+ *)
+ tmp_deplibs="$tmp_deplibs $test_deplib"
+ ;;
+ esac
+ done
+ deplibs="$tmp_deplibs"
+
+ if test -n "$convenience"; then
+ if test -n "$whole_archive_flag_spec"; then
+ save_libobjs=$libobjs
+ eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+ else
+ gentop="$output_objdir/${outputname}x"
+ generated="$generated $gentop"
+
+ func_extract_archives $gentop $convenience
+ libobjs="$libobjs $func_extract_archives_result"
+ fi
+ fi
+
+ if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
+ eval flag=\"$thread_safe_flag_spec\"
+ linker_flags="$linker_flags $flag"
+ fi
+
+ # Make a backup of the uninstalled library when relinking
+ if test "$mode" = relink; then
+ $run eval '(cd $output_objdir && $rm ${realname}U && $mv $realname ${realname}U)' || exit $?
+ fi
+
+ # Do each of the archive commands.
+ if test "$module" = yes && test -n "$module_cmds" ; then
+ if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
+ eval test_cmds=\"$module_expsym_cmds\"
+ cmds=$module_expsym_cmds
+ else
+ eval test_cmds=\"$module_cmds\"
+ cmds=$module_cmds
+ fi
+ else
+ if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
+ eval test_cmds=\"$archive_expsym_cmds\"
+ cmds=$archive_expsym_cmds
+ else
+ eval test_cmds=\"$archive_cmds\"
+ cmds=$archive_cmds
+ fi
+ fi
+
+ if test "X$skipped_export" != "X:" &&
+ len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
+ test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+ :
+ else
+ # The command line is too long to link in one step, link piecewise.
+ $echo "creating reloadable object files..."
+
+ # Save the value of $output and $libobjs because we want to
+ # use them later. If we have whole_archive_flag_spec, we
+ # want to use save_libobjs as it was before
+ # whole_archive_flag_spec was expanded, because we can't
+ # assume the linker understands whole_archive_flag_spec.
+ # This may have to be revisited, in case too many
+ # convenience libraries get linked in and end up exceeding
+ # the spec.
+ if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then
+ save_libobjs=$libobjs
+ fi
+ save_output=$output
+ output_la=`$echo "X$output" | $Xsed -e "$basename"`
+
+ # Clear the reloadable object creation command queue and
+ # initialize k to one.
+ test_cmds=
+ concat_cmds=
+ objlist=
+ delfiles=
+ last_robj=
+ k=1
+ output=$output_objdir/$output_la-${k}.$objext
+ # Loop over the list of objects to be linked.
+ for obj in $save_libobjs
+ do
+ eval test_cmds=\"$reload_cmds $objlist $last_robj\"
+ if test "X$objlist" = X ||
+ { len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
+ test "$len" -le "$max_cmd_len"; }; then
+ objlist="$objlist $obj"
+ else
+ # The command $test_cmds is almost too long, add a
+ # command to the queue.
+ if test "$k" -eq 1 ; then
+ # The first file doesn't have a previous command to add.
+ eval concat_cmds=\"$reload_cmds $objlist $last_robj\"
+ else
+ # All subsequent reloadable object files will link in
+ # the last one created.
+ eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj\"
+ fi
+ last_robj=$output_objdir/$output_la-${k}.$objext
+ k=`expr $k + 1`
+ output=$output_objdir/$output_la-${k}.$objext
+ objlist=$obj
+ len=1
+ fi
+ done
+ # Handle the remaining objects by creating one last
+ # reloadable object file. All subsequent reloadable object
+ # files will link in the last one created.
+ test -z "$concat_cmds" || concat_cmds=$concat_cmds~
+ eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\"
+
+ if ${skipped_export-false}; then
+ $show "generating symbol list for \`$libname.la'"
+ export_symbols="$output_objdir/$libname.exp"
+ $run $rm $export_symbols
+ libobjs=$output
+ # Append the command to create the export file.
+ eval concat_cmds=\"\$concat_cmds~$export_symbols_cmds\"
+ fi
+
+ # Set up a command to remove the reloadable object files
+ # after they are used.
+ i=0
+ while test "$i" -lt "$k"
+ do
+ i=`expr $i + 1`
+ delfiles="$delfiles $output_objdir/$output_la-${i}.$objext"
+ done
+
+ $echo "creating a temporary reloadable object file: $output"
+
+ # Loop through the commands generated above and execute them.
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $concat_cmds; do
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+
+ libobjs=$output
+ # Restore the value of output.
+ output=$save_output
+
+ if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then
+ eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+ fi
+ # Expand the library linking commands again to reset the
+ # value of $libobjs for piecewise linking.
+
+ # Do each of the archive commands.
+ if test "$module" = yes && test -n "$module_cmds" ; then
+ if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
+ cmds=$module_expsym_cmds
+ else
+ cmds=$module_cmds
+ fi
+ else
+ if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
+ cmds=$archive_expsym_cmds
+ else
+ cmds=$archive_cmds
+ fi
+ fi
+
+ # Append the command to remove the reloadable object files
+ # to the just-reset $cmds.
+ eval cmds=\"\$cmds~\$rm $delfiles\"
+ fi
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || {
+ lt_exit=$?
+
+ # Restore the uninstalled library and exit
+ if test "$mode" = relink; then
+ $run eval '(cd $output_objdir && $rm ${realname}T && $mv ${realname}U $realname)'
+ fi
+
+ exit $lt_exit
+ }
+ done
+ IFS="$save_ifs"
+
+ # Restore the uninstalled library and exit
+ if test "$mode" = relink; then
+ $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $?
+
+ if test -n "$convenience"; then
+ if test -z "$whole_archive_flag_spec"; then
+ $show "${rm}r $gentop"
+ $run ${rm}r "$gentop"
+ fi
+ fi
+
+ exit $EXIT_SUCCESS
+ fi
+
+ # Create links to the real library.
+ for linkname in $linknames; do
+ if test "$realname" != "$linkname"; then
+ $show "(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)"
+ $run eval '(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)' || exit $?
+ fi
+ done
+
+ # If -module or -export-dynamic was specified, set the dlname.
+ if test "$module" = yes || test "$export_dynamic" = yes; then
+ # On all known operating systems, these are identical.
+ dlname="$soname"
+ fi
+ fi
+ ;;
+
+ obj)
+ if test -n "$deplibs"; then
+ $echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2
+ fi
+
+ if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+ $echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2
+ fi
+
+ if test -n "$rpath"; then
+ $echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2
+ fi
+
+ if test -n "$xrpath"; then
+ $echo "$modename: warning: \`-R' is ignored for objects" 1>&2
+ fi
+
+ if test -n "$vinfo"; then
+ $echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2
+ fi
+
+ if test -n "$release"; then
+ $echo "$modename: warning: \`-release' is ignored for objects" 1>&2
+ fi
+
+ case $output in
+ *.lo)
+ if test -n "$objs$old_deplibs"; then
+ $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2
+ exit $EXIT_FAILURE
+ fi
+ libobj="$output"
+ obj=`$echo "X$output" | $Xsed -e "$lo2o"`
+ ;;
+ *)
+ libobj=
+ obj="$output"
+ ;;
+ esac
+
+ # Delete the old objects.
+ $run $rm $obj $libobj
+
+ # Objects from convenience libraries. This assumes
+ # single-version convenience libraries. Whenever we create
+ # different ones for PIC/non-PIC, this we'll have to duplicate
+ # the extraction.
+ reload_conv_objs=
+ gentop=
+ # reload_cmds runs $LD directly, so let us get rid of
+ # -Wl from whole_archive_flag_spec
+ wl=
+
+ if test -n "$convenience"; then
+ if test -n "$whole_archive_flag_spec"; then
+ eval reload_conv_objs=\"\$reload_objs $whole_archive_flag_spec\"
+ else
+ gentop="$output_objdir/${obj}x"
+ generated="$generated $gentop"
+
+ func_extract_archives $gentop $convenience
+ reload_conv_objs="$reload_objs $func_extract_archives_result"
+ fi
+ fi
+
+ # Create the old-style object.
+ reload_objs="$objs$old_deplibs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
+
+ output="$obj"
+ cmds=$reload_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+
+ # Exit if we aren't doing a library object file.
+ if test -z "$libobj"; then
+ if test -n "$gentop"; then
+ $show "${rm}r $gentop"
+ $run ${rm}r $gentop
+ fi
+
+ exit $EXIT_SUCCESS
+ fi
+
+ if test "$build_libtool_libs" != yes; then
+ if test -n "$gentop"; then
+ $show "${rm}r $gentop"
+ $run ${rm}r $gentop
+ fi
+
+ # Create an invalid libtool object if no PIC, so that we don't
+ # accidentally link it into a program.
+ # $show "echo timestamp > $libobj"
+ # $run eval "echo timestamp > $libobj" || exit $?
+ exit $EXIT_SUCCESS
+ fi
+
+ if test -n "$pic_flag" || test "$pic_mode" != default; then
+ # Only do commands if we really have different PIC objects.
+ reload_objs="$libobjs $reload_conv_objs"
+ output="$libobj"
+ cmds=$reload_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ fi
+
+ if test -n "$gentop"; then
+ $show "${rm}r $gentop"
+ $run ${rm}r $gentop
+ fi
+
+ exit $EXIT_SUCCESS
+ ;;
+
+ prog)
+ case $host in
+ *cygwin*) output=`$echo $output | ${SED} -e 's,.exe$,,;s,$,.exe,'` ;;
+ esac
+ if test -n "$vinfo"; then
+ $echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2
+ fi
+
+ if test -n "$release"; then
+ $echo "$modename: warning: \`-release' is ignored for programs" 1>&2
+ fi
+
+ if test "$preload" = yes; then
+ if test "$dlopen_support" = unknown && test "$dlopen_self" = unknown &&
+ test "$dlopen_self_static" = unknown; then
+ $echo "$modename: warning: \`AC_LIBTOOL_DLOPEN' not used. Assuming no dlopen support."
+ fi
+ fi
+
+ case $host in
+ *-*-rhapsody* | *-*-darwin1.[012])
+ # On Rhapsody replace the C library is the System framework
+ compile_deplibs=`$echo "X $compile_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
+ finalize_deplibs=`$echo "X $finalize_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
+ ;;
+ esac
+
+ case $host in
+ *darwin*)
+ # Don't allow lazy linking, it breaks C++ global constructors
+ if test "$tagname" = CXX ; then
+ compile_command="$compile_command ${wl}-bind_at_load"
+ finalize_command="$finalize_command ${wl}-bind_at_load"
+ fi
+ ;;
+ esac
+
+
+ # move library search paths that coincide with paths to not yet
+ # installed libraries to the beginning of the library search list
+ new_libs=
+ for path in $notinst_path; do
+ case " $new_libs " in
+ *" -L$path/$objdir "*) ;;
+ *)
+ case " $compile_deplibs " in
+ *" -L$path/$objdir "*)
+ new_libs="$new_libs -L$path/$objdir" ;;
+ esac
+ ;;
+ esac
+ done
+ for deplib in $compile_deplibs; do
+ case $deplib in
+ -L*)
+ case " $new_libs " in
+ *" $deplib "*) ;;
+ *) new_libs="$new_libs $deplib" ;;
+ esac
+ ;;
+ *) new_libs="$new_libs $deplib" ;;
+ esac
+ done
+ compile_deplibs="$new_libs"
+
+
+ compile_command="$compile_command $compile_deplibs"
+ finalize_command="$finalize_command $finalize_deplibs"
+
+ if test -n "$rpath$xrpath"; then
+ # If the user specified any rpath flags, then add them.
+ for libdir in $rpath $xrpath; do
+ # This is the magic to use -rpath.
+ case "$finalize_rpath " in
+ *" $libdir "*) ;;
+ *) finalize_rpath="$finalize_rpath $libdir" ;;
+ esac
+ done
+ fi
+
+ # Now hardcode the library paths
+ rpath=
+ hardcode_libdirs=
+ for libdir in $compile_rpath $finalize_rpath; do
+ if test -n "$hardcode_libdir_flag_spec"; then
+ if test -n "$hardcode_libdir_separator"; then
+ if test -z "$hardcode_libdirs"; then
+ hardcode_libdirs="$libdir"
+ else
+ # Just accumulate the unique libdirs.
+ case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+ *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+ ;;
+ *)
+ hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+ ;;
+ esac
+ fi
+ else
+ eval flag=\"$hardcode_libdir_flag_spec\"
+ rpath="$rpath $flag"
+ fi
+ elif test -n "$runpath_var"; then
+ case "$perm_rpath " in
+ *" $libdir "*) ;;
+ *) perm_rpath="$perm_rpath $libdir" ;;
+ esac
+ fi
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+ testbindir=`$echo "X$libdir" | $Xsed -e 's*/lib$*/bin*'`
+ case :$dllsearchpath: in
+ *":$libdir:"*) ;;
+ *) dllsearchpath="$dllsearchpath:$libdir";;
+ esac
+ case :$dllsearchpath: in
+ *":$testbindir:"*) ;;
+ *) dllsearchpath="$dllsearchpath:$testbindir";;
+ esac
+ ;;
+ esac
+ done
+ # Substitute the hardcoded libdirs into the rpath.
+ if test -n "$hardcode_libdir_separator" &&
+ test -n "$hardcode_libdirs"; then
+ libdir="$hardcode_libdirs"
+ eval rpath=\" $hardcode_libdir_flag_spec\"
+ fi
+ compile_rpath="$rpath"
+
+ rpath=
+ hardcode_libdirs=
+ for libdir in $finalize_rpath; do
+ if test -n "$hardcode_libdir_flag_spec"; then
+ if test -n "$hardcode_libdir_separator"; then
+ if test -z "$hardcode_libdirs"; then
+ hardcode_libdirs="$libdir"
+ else
+ # Just accumulate the unique libdirs.
+ case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+ *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+ ;;
+ *)
+ hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+ ;;
+ esac
+ fi
+ else
+ eval flag=\"$hardcode_libdir_flag_spec\"
+ rpath="$rpath $flag"
+ fi
+ elif test -n "$runpath_var"; then
+ case "$finalize_perm_rpath " in
+ *" $libdir "*) ;;
+ *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;;
+ esac
+ fi
+ done
+ # Substitute the hardcoded libdirs into the rpath.
+ if test -n "$hardcode_libdir_separator" &&
+ test -n "$hardcode_libdirs"; then
+ libdir="$hardcode_libdirs"
+ eval rpath=\" $hardcode_libdir_flag_spec\"
+ fi
+ finalize_rpath="$rpath"
+
+ if test -n "$libobjs" && test "$build_old_libs" = yes; then
+ # Transform all the library objects into standard objects.
+ compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+ finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+ fi
+
+ dlsyms=
+ if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+ if test -n "$NM" && test -n "$global_symbol_pipe"; then
+ dlsyms="${outputname}S.c"
+ else
+ $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2
+ fi
+ fi
+
+ if test -n "$dlsyms"; then
+ case $dlsyms in
+ "") ;;
+ *.c)
+ # Discover the nlist of each of the dlfiles.
+ nlist="$output_objdir/${outputname}.nm"
+
+ $show "$rm $nlist ${nlist}S ${nlist}T"
+ $run $rm "$nlist" "${nlist}S" "${nlist}T"
+
+ # Parse the name list into a source file.
+ $show "creating $output_objdir/$dlsyms"
+
+ test -z "$run" && $echo > "$output_objdir/$dlsyms" "\
+/* $dlsyms - symbol resolution table for \`$outputname' dlsym emulation. */
+/* Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP */
+
+#ifdef __cplusplus
+extern \"C\" {
+#endif
+
+/* Prevent the only kind of declaration conflicts we can make. */
+#define lt_preloaded_symbols some_other_symbol
+
+/* External symbol declarations for the compiler. */\
+"
+
+ if test "$dlself" = yes; then
+ $show "generating symbol list for \`$output'"
+
+ test -z "$run" && $echo ': @PROGRAM@ ' > "$nlist"
+
+ # Add our own program objects to the symbol list.
+ progfiles=`$echo "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+ for arg in $progfiles; do
+ $show "extracting global C symbols from \`$arg'"
+ $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
+ done
+
+ if test -n "$exclude_expsyms"; then
+ $run eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T'
+ $run eval '$mv "$nlist"T "$nlist"'
+ fi
+
+ if test -n "$export_symbols_regex"; then
+ $run eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T'
+ $run eval '$mv "$nlist"T "$nlist"'
+ fi
+
+ # Prepare the list of exported symbols
+ if test -z "$export_symbols"; then
+ export_symbols="$output_objdir/$outputname.exp"
+ $run $rm $export_symbols
+ $run eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
+ case $host in
+ *cygwin* | *mingw* )
+ $run eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
+ $run eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"'
+ ;;
+ esac
+ else
+ $run eval "${SED} -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"'
+ $run eval 'grep -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T'
+ $run eval 'mv "$nlist"T "$nlist"'
+ case $host in
+ *cygwin* | *mingw* )
+ $run eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
+ $run eval 'cat "$nlist" >> "$output_objdir/$outputname.def"'
+ ;;
+ esac
+ fi
+ fi
+
+ for arg in $dlprefiles; do
+ $show "extracting global C symbols from \`$arg'"
+ name=`$echo "$arg" | ${SED} -e 's%^.*/%%'`
+ $run eval '$echo ": $name " >> "$nlist"'
+ $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
+ done
+
+ if test -z "$run"; then
+ # Make sure we have at least an empty file.
+ test -f "$nlist" || : > "$nlist"
+
+ if test -n "$exclude_expsyms"; then
+ $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T
+ $mv "$nlist"T "$nlist"
+ fi
+
+ # Try sorting and uniquifying the output.
+ if grep -v "^: " < "$nlist" |
+ if sort -k 3 </dev/null >/dev/null 2>&1; then
+ sort -k 3
+ else
+ sort +2
+ fi |
+ uniq > "$nlist"S; then
+ :
+ else
+ grep -v "^: " < "$nlist" > "$nlist"S
+ fi
+
+ if test -f "$nlist"S; then
+ eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$dlsyms"'
+ else
+ $echo '/* NONE */' >> "$output_objdir/$dlsyms"
+ fi
+
+ $echo >> "$output_objdir/$dlsyms" "\
+
+#undef lt_preloaded_symbols
+
+#if defined (__STDC__) && __STDC__
+# define lt_ptr void *
+#else
+# define lt_ptr char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+"
+
+ case $host in
+ *cygwin* | *mingw* )
+ $echo >> "$output_objdir/$dlsyms" "\
+/* DATA imports from DLLs on WIN32 can't be const, because
+ runtime relocations are performed -- see ld's documentation
+ on pseudo-relocs */
+struct {
+"
+ ;;
+ * )
+ $echo >> "$output_objdir/$dlsyms" "\
+const struct {
+"
+ ;;
+ esac
+
+
+ $echo >> "$output_objdir/$dlsyms" "\
+ const char *name;
+ lt_ptr address;
+}
+lt_preloaded_symbols[] =
+{\
+"
+
+ eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$dlsyms"
+
+ $echo >> "$output_objdir/$dlsyms" "\
+ {0, (lt_ptr) 0}
+};
+
+/* This works around a problem in FreeBSD linker */
+#ifdef FREEBSD_WORKAROUND
+static const void *lt_preloaded_setup() {
+ return lt_preloaded_symbols;
+}
+#endif
+
+#ifdef __cplusplus
+}
+#endif\
+"
+ fi
+
+ pic_flag_for_symtable=
+ case $host in
+ # compiling the symbol table file with pic_flag works around
+ # a FreeBSD bug that causes programs to crash when -lm is
+ # linked before any other PIC object. But we must not use
+ # pic_flag when linking with -static. The problem exists in
+ # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
+ *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
+ case "$compile_command " in
+ *" -static "*) ;;
+ *) pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND";;
+ esac;;
+ *-*-hpux*)
+ case "$compile_command " in
+ *" -static "*) ;;
+ *) pic_flag_for_symtable=" $pic_flag";;
+ esac
+ esac
+
+ # Now compile the dynamic symbol file.
+ $show "(cd $output_objdir && $LTCC $LTCFLAGS -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")"
+ $run eval '(cd $output_objdir && $LTCC $LTCFLAGS -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $?
+
+ # Clean up the generated files.
+ $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T"
+ $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T"
+
+ # Transform the symbol file into the correct name.
+ case $host in
+ *cygwin* | *mingw* )
+ if test -f "$output_objdir/${outputname}.def" ; then
+ compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%"`
+ finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%"`
+ else
+ compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+ finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+ fi
+ ;;
+ * )
+ compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+ finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+ ;;
+ esac
+ ;;
+ *)
+ $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ esac
+ else
+ # We keep going just in case the user didn't refer to
+ # lt_preloaded_symbols. The linker will fail if global_symbol_pipe
+ # really was required.
+
+ # Nullify the symbol file.
+ compile_command=`$echo "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
+ finalize_command=`$echo "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
+ fi
+
+ if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
+ # Replace the output file specification.
+ compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+ link_command="$compile_command$compile_rpath"
+
+ # We have no uninstalled library dependencies, so finalize right now.
+ $show "$link_command"
+ $run eval "$link_command"
+ exit_status=$?
+
+ # Delete the generated files.
+ if test -n "$dlsyms"; then
+ $show "$rm $output_objdir/${outputname}S.${objext}"
+ $run $rm "$output_objdir/${outputname}S.${objext}"
+ fi
+
+ exit $exit_status
+ fi
+
+ if test -n "$shlibpath_var"; then
+ # We should set the shlibpath_var
+ rpath=
+ for dir in $temp_rpath; do
+ case $dir in
+ [\\/]* | [A-Za-z]:[\\/]*)
+ # Absolute path.
+ rpath="$rpath$dir:"
+ ;;
+ *)
+ # Relative path: add a thisdir entry.
+ rpath="$rpath\$thisdir/$dir:"
+ ;;
+ esac
+ done
+ temp_rpath="$rpath"
+ fi
+
+ if test -n "$compile_shlibpath$finalize_shlibpath"; then
+ compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command"
+ fi
+ if test -n "$finalize_shlibpath"; then
+ finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
+ fi
+
+ compile_var=
+ finalize_var=
+ if test -n "$runpath_var"; then
+ if test -n "$perm_rpath"; then
+ # We should set the runpath_var.
+ rpath=
+ for dir in $perm_rpath; do
+ rpath="$rpath$dir:"
+ done
+ compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
+ fi
+ if test -n "$finalize_perm_rpath"; then
+ # We should set the runpath_var.
+ rpath=
+ for dir in $finalize_perm_rpath; do
+ rpath="$rpath$dir:"
+ done
+ finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
+ fi
+ fi
+
+ if test "$no_install" = yes; then
+ # We don't need to create a wrapper script.
+ link_command="$compile_var$compile_command$compile_rpath"
+ # Replace the output file specification.
+ link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+ # Delete the old output file.
+ $run $rm $output
+ # Link the executable and exit
+ $show "$link_command"
+ $run eval "$link_command" || exit $?
+ exit $EXIT_SUCCESS
+ fi
+
+ if test "$hardcode_action" = relink; then
+ # Fast installation is not supported
+ link_command="$compile_var$compile_command$compile_rpath"
+ relink_command="$finalize_var$finalize_command$finalize_rpath"
+
+ $echo "$modename: warning: this platform does not like uninstalled shared libraries" 1>&2
+ $echo "$modename: \`$output' will be relinked during installation" 1>&2
+ else
+ if test "$fast_install" != no; then
+ link_command="$finalize_var$compile_command$finalize_rpath"
+ if test "$fast_install" = yes; then
+ relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'`
+ else
+ # fast_install is set to needless
+ relink_command=
+ fi
+ else
+ link_command="$compile_var$compile_command$compile_rpath"
+ relink_command="$finalize_var$finalize_command$finalize_rpath"
+ fi
+ fi
+
+ # Replace the output file specification.
+ link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
+
+ # Delete the old output files.
+ $run $rm $output $output_objdir/$outputname $output_objdir/lt-$outputname
+
+ $show "$link_command"
+ $run eval "$link_command" || exit $?
+
+ # Now create the wrapper script.
+ $show "creating $output"
+
+ # Quote the relink command for shipping.
+ if test -n "$relink_command"; then
+ # Preserve any variables that may affect compiler behavior
+ for var in $variables_saved_for_relink; do
+ if eval test -z \"\${$var+set}\"; then
+ relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
+ elif eval var_value=\$$var; test -z "$var_value"; then
+ relink_command="$var=; export $var; $relink_command"
+ else
+ var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
+ relink_command="$var=\"$var_value\"; export $var; $relink_command"
+ fi
+ done
+ relink_command="(cd `pwd`; $relink_command)"
+ relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+ fi
+
+ # Quote $echo for shipping.
+ if test "X$echo" = "X$SHELL $progpath --fallback-echo"; then
+ case $progpath in
+ [\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $progpath --fallback-echo";;
+ *) qecho="$SHELL `pwd`/$progpath --fallback-echo";;
+ esac
+ qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"`
+ else
+ qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"`
+ fi
+
+ # Only actually do things if our run command is non-null.
+ if test -z "$run"; then
+ # win32 will think the script is a binary if it has
+ # a .exe suffix, so we strip it off here.
+ case $output in
+ *.exe) output=`$echo $output|${SED} 's,.exe$,,'` ;;
+ esac
+ # test for cygwin because mv fails w/o .exe extensions
+ case $host in
+ *cygwin*)
+ exeext=.exe
+ outputname=`$echo $outputname|${SED} 's,.exe$,,'` ;;
+ *) exeext= ;;
+ esac
+ case $host in
+ *cygwin* | *mingw* )
+ output_name=`basename $output`
+ output_path=`dirname $output`
+ cwrappersource="$output_path/$objdir/lt-$output_name.c"
+ cwrapper="$output_path/$output_name.exe"
+ $rm $cwrappersource $cwrapper
+ trap "$rm $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15
+
+ cat > $cwrappersource <<EOF
+
+/* $cwrappersource - temporary wrapper executable for $objdir/$outputname
+ Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+
+ The $output program cannot be directly executed until all the libtool
+ libraries that it depends on are installed.
+
+ This wrapper executable should never be moved out of the build directory.
+ If it is, it will not operate correctly.
+
+ Currently, it simply execs the wrapper *script* "/bin/sh $output",
+ but could eventually absorb all of the scripts functionality and
+ exec $objdir/$outputname directly.
+*/
+EOF
+ cat >> $cwrappersource<<"EOF"
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <malloc.h>
+#include <stdarg.h>
+#include <assert.h>
+#include <string.h>
+#include <ctype.h>
+#include <sys/stat.h>
+
+#if defined(PATH_MAX)
+# define LT_PATHMAX PATH_MAX
+#elif defined(MAXPATHLEN)
+# define LT_PATHMAX MAXPATHLEN
+#else
+# define LT_PATHMAX 1024
+#endif
+
+#ifndef DIR_SEPARATOR
+# define DIR_SEPARATOR '/'
+# define PATH_SEPARATOR ':'
+#endif
+
+#if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \
+ defined (__OS2__)
+# define HAVE_DOS_BASED_FILE_SYSTEM
+# ifndef DIR_SEPARATOR_2
+# define DIR_SEPARATOR_2 '\\'
+# endif
+# ifndef PATH_SEPARATOR_2
+# define PATH_SEPARATOR_2 ';'
+# endif
+#endif
+
+#ifndef DIR_SEPARATOR_2
+# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR)
+#else /* DIR_SEPARATOR_2 */
+# define IS_DIR_SEPARATOR(ch) \
+ (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2))
+#endif /* DIR_SEPARATOR_2 */
+
+#ifndef PATH_SEPARATOR_2
+# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR)
+#else /* PATH_SEPARATOR_2 */
+# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2)
+#endif /* PATH_SEPARATOR_2 */
+
+#define XMALLOC(type, num) ((type *) xmalloc ((num) * sizeof(type)))
+#define XFREE(stale) do { \
+ if (stale) { free ((void *) stale); stale = 0; } \
+} while (0)
+
+/* -DDEBUG is fairly common in CFLAGS. */
+#undef DEBUG
+#if defined DEBUGWRAPPER
+# define DEBUG(format, ...) fprintf(stderr, format, __VA_ARGS__)
+#else
+# define DEBUG(format, ...)
+#endif
+
+const char *program_name = NULL;
+
+void * xmalloc (size_t num);
+char * xstrdup (const char *string);
+const char * base_name (const char *name);
+char * find_executable(const char *wrapper);
+int check_executable(const char *path);
+char * strendzap(char *str, const char *pat);
+void lt_fatal (const char *message, ...);
+
+int
+main (int argc, char *argv[])
+{
+ char **newargz;
+ int i;
+
+ program_name = (char *) xstrdup (base_name (argv[0]));
+ DEBUG("(main) argv[0] : %s\n",argv[0]);
+ DEBUG("(main) program_name : %s\n",program_name);
+ newargz = XMALLOC(char *, argc+2);
+EOF
+
+ cat >> $cwrappersource <<EOF
+ newargz[0] = (char *) xstrdup("$SHELL");
+EOF
+
+ cat >> $cwrappersource <<"EOF"
+ newargz[1] = find_executable(argv[0]);
+ if (newargz[1] == NULL)
+ lt_fatal("Couldn't find %s", argv[0]);
+ DEBUG("(main) found exe at : %s\n",newargz[1]);
+ /* we know the script has the same name, without the .exe */
+ /* so make sure newargz[1] doesn't end in .exe */
+ strendzap(newargz[1],".exe");
+ for (i = 1; i < argc; i++)
+ newargz[i+1] = xstrdup(argv[i]);
+ newargz[argc+1] = NULL;
+
+ for (i=0; i<argc+1; i++)
+ {
+ DEBUG("(main) newargz[%d] : %s\n",i,newargz[i]);
+ ;
+ }
+
+EOF
+
+ case $host_os in
+ mingw*)
+ cat >> $cwrappersource <<EOF
+ execv("$SHELL",(char const **)newargz);
+EOF
+ ;;
+ *)
+ cat >> $cwrappersource <<EOF
+ execv("$SHELL",newargz);
+EOF
+ ;;
+ esac
+
+ cat >> $cwrappersource <<"EOF"
+ return 127;
+}
+
+void *
+xmalloc (size_t num)
+{
+ void * p = (void *) malloc (num);
+ if (!p)
+ lt_fatal ("Memory exhausted");
+
+ return p;
+}
+
+char *
+xstrdup (const char *string)
+{
+ return string ? strcpy ((char *) xmalloc (strlen (string) + 1), string) : NULL
+;
+}
+
+const char *
+base_name (const char *name)
+{
+ const char *base;
+
+#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+ /* Skip over the disk name in MSDOS pathnames. */
+ if (isalpha ((unsigned char)name[0]) && name[1] == ':')
+ name += 2;
+#endif
+
+ for (base = name; *name; name++)
+ if (IS_DIR_SEPARATOR (*name))
+ base = name + 1;
+ return base;
+}
+
+int
+check_executable(const char * path)
+{
+ struct stat st;
+
+ DEBUG("(check_executable) : %s\n", path ? (*path ? path : "EMPTY!") : "NULL!");
+ if ((!path) || (!*path))
+ return 0;
+
+ if ((stat (path, &st) >= 0) &&
+ (
+ /* MinGW & native WIN32 do not support S_IXOTH or S_IXGRP */
+#if defined (S_IXOTH)
+ ((st.st_mode & S_IXOTH) == S_IXOTH) ||
+#endif
+#if defined (S_IXGRP)
+ ((st.st_mode & S_IXGRP) == S_IXGRP) ||
+#endif
+ ((st.st_mode & S_IXUSR) == S_IXUSR))
+ )
+ return 1;
+ else
+ return 0;
+}
+
+/* Searches for the full path of the wrapper. Returns
+ newly allocated full path name if found, NULL otherwise */
+char *
+find_executable (const char* wrapper)
+{
+ int has_slash = 0;
+ const char* p;
+ const char* p_next;
+ /* static buffer for getcwd */
+ char tmp[LT_PATHMAX + 1];
+ int tmp_len;
+ char* concat_name;
+
+ DEBUG("(find_executable) : %s\n", wrapper ? (*wrapper ? wrapper : "EMPTY!") : "NULL!");
+
+ if ((wrapper == NULL) || (*wrapper == '\0'))
+ return NULL;
+
+ /* Absolute path? */
+#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+ if (isalpha ((unsigned char)wrapper[0]) && wrapper[1] == ':')
+ {
+ concat_name = xstrdup (wrapper);
+ if (check_executable(concat_name))
+ return concat_name;
+ XFREE(concat_name);
+ }
+ else
+ {
+#endif
+ if (IS_DIR_SEPARATOR (wrapper[0]))
+ {
+ concat_name = xstrdup (wrapper);
+ if (check_executable(concat_name))
+ return concat_name;
+ XFREE(concat_name);
+ }
+#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+ }
+#endif
+
+ for (p = wrapper; *p; p++)
+ if (*p == '/')
+ {
+ has_slash = 1;
+ break;
+ }
+ if (!has_slash)
+ {
+ /* no slashes; search PATH */
+ const char* path = getenv ("PATH");
+ if (path != NULL)
+ {
+ for (p = path; *p; p = p_next)
+ {
+ const char* q;
+ size_t p_len;
+ for (q = p; *q; q++)
+ if (IS_PATH_SEPARATOR(*q))
+ break;
+ p_len = q - p;
+ p_next = (*q == '\0' ? q : q + 1);
+ if (p_len == 0)
+ {
+ /* empty path: current directory */
+ if (getcwd (tmp, LT_PATHMAX) == NULL)
+ lt_fatal ("getcwd failed");
+ tmp_len = strlen(tmp);
+ concat_name = XMALLOC(char, tmp_len + 1 + strlen(wrapper) + 1);
+ memcpy (concat_name, tmp, tmp_len);
+ concat_name[tmp_len] = '/';
+ strcpy (concat_name + tmp_len + 1, wrapper);
+ }
+ else
+ {
+ concat_name = XMALLOC(char, p_len + 1 + strlen(wrapper) + 1);
+ memcpy (concat_name, p, p_len);
+ concat_name[p_len] = '/';
+ strcpy (concat_name + p_len + 1, wrapper);
+ }
+ if (check_executable(concat_name))
+ return concat_name;
+ XFREE(concat_name);
+ }
+ }
+ /* not found in PATH; assume curdir */
+ }
+ /* Relative path | not found in path: prepend cwd */
+ if (getcwd (tmp, LT_PATHMAX) == NULL)
+ lt_fatal ("getcwd failed");
+ tmp_len = strlen(tmp);
+ concat_name = XMALLOC(char, tmp_len + 1 + strlen(wrapper) + 1);
+ memcpy (concat_name, tmp, tmp_len);
+ concat_name[tmp_len] = '/';
+ strcpy (concat_name + tmp_len + 1, wrapper);
+
+ if (check_executable(concat_name))
+ return concat_name;
+ XFREE(concat_name);
+ return NULL;
+}
+
+char *
+strendzap(char *str, const char *pat)
+{
+ size_t len, patlen;
+
+ assert(str != NULL);
+ assert(pat != NULL);
+
+ len = strlen(str);
+ patlen = strlen(pat);
+
+ if (patlen <= len)
+ {
+ str += len - patlen;
+ if (strcmp(str, pat) == 0)
+ *str = '\0';
+ }
+ return str;
+}
+
+static void
+lt_error_core (int exit_status, const char * mode,
+ const char * message, va_list ap)
+{
+ fprintf (stderr, "%s: %s: ", program_name, mode);
+ vfprintf (stderr, message, ap);
+ fprintf (stderr, ".\n");
+
+ if (exit_status >= 0)
+ exit (exit_status);
+}
+
+void
+lt_fatal (const char *message, ...)
+{
+ va_list ap;
+ va_start (ap, message);
+ lt_error_core (EXIT_FAILURE, "FATAL", message, ap);
+ va_end (ap);
+}
+EOF
+ # we should really use a build-platform specific compiler
+ # here, but OTOH, the wrappers (shell script and this C one)
+ # are only useful if you want to execute the "real" binary.
+ # Since the "real" binary is built for $host, then this
+ # wrapper might as well be built for $host, too.
+ $run $LTCC $LTCFLAGS -s -o $cwrapper $cwrappersource
+ ;;
+ esac
+ $rm $output
+ trap "$rm $output; exit $EXIT_FAILURE" 1 2 15
+
+ $echo > $output "\
+#! $SHELL
+
+# $output - temporary wrapper script for $objdir/$outputname
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# The $output program cannot be directly executed until all the libtool
+# libraries that it depends on are installed.
+#
+# This wrapper script should never be moved out of the build directory.
+# If it is, it will not operate correctly.
+
+# Sed substitution that helps us do robust quoting. It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='${SED} -e 1s/^X//'
+sed_quote_subst='$sed_quote_subst'
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+relink_command=\"$relink_command\"
+
+# This environment variable determines our operation mode.
+if test \"\$libtool_install_magic\" = \"$magic\"; then
+ # install mode needs the following variable:
+ notinst_deplibs='$notinst_deplibs'
+else
+ # When we are sourced in execute mode, \$file and \$echo are already set.
+ if test \"\$libtool_execute_magic\" != \"$magic\"; then
+ echo=\"$qecho\"
+ file=\"\$0\"
+ # Make sure echo works.
+ if test \"X\$1\" = X--no-reexec; then
+ # Discard the --no-reexec flag, and continue.
+ shift
+ elif test \"X\`(\$echo '\t') 2>/dev/null\`\" = 'X\t'; then
+ # Yippee, \$echo works!
+ :
+ else
+ # Restart under the correct shell, and then maybe \$echo will work.
+ exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"}
+ fi
+ fi\
+"
+ $echo >> $output "\
+
+ # Find the directory that this script lives in.
+ thisdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
+ test \"x\$thisdir\" = \"x\$file\" && thisdir=.
+
+ # Follow symbolic links until we get to the real thisdir.
+ file=\`ls -ld \"\$file\" | ${SED} -n 's/.*-> //p'\`
+ while test -n \"\$file\"; do
+ destdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\`
+
+ # If there was a directory component, then change thisdir.
+ if test \"x\$destdir\" != \"x\$file\"; then
+ case \"\$destdir\" in
+ [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;;
+ *) thisdir=\"\$thisdir/\$destdir\" ;;
+ esac
+ fi
+
+ file=\`\$echo \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
+ file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\`
+ done
+
+ # Try to get the absolute directory name.
+ absdir=\`cd \"\$thisdir\" && pwd\`
+ test -n \"\$absdir\" && thisdir=\"\$absdir\"
+"
+
+ if test "$fast_install" = yes; then
+ $echo >> $output "\
+ program=lt-'$outputname'$exeext
+ progdir=\"\$thisdir/$objdir\"
+
+ if test ! -f \"\$progdir/\$program\" || \\
+ { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\
+ test \"X\$file\" != \"X\$progdir/\$program\"; }; then
+
+ file=\"\$\$-\$program\"
+
+ if test ! -d \"\$progdir\"; then
+ $mkdir \"\$progdir\"
+ else
+ $rm \"\$progdir/\$file\"
+ fi"
+
+ $echo >> $output "\
+
+ # relink executable if necessary
+ if test -n \"\$relink_command\"; then
+ if relink_command_output=\`eval \$relink_command 2>&1\`; then :
+ else
+ $echo \"\$relink_command_output\" >&2
+ $rm \"\$progdir/\$file\"
+ exit $EXIT_FAILURE
+ fi
+ fi
+
+ $mv \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null ||
+ { $rm \"\$progdir/\$program\";
+ $mv \"\$progdir/\$file\" \"\$progdir/\$program\"; }
+ $rm \"\$progdir/\$file\"
+ fi"
+ else
+ $echo >> $output "\
+ program='$outputname'
+ progdir=\"\$thisdir/$objdir\"
+"
+ fi
+
+ $echo >> $output "\
+
+ if test -f \"\$progdir/\$program\"; then"
+
+ # Export our shlibpath_var if we have one.
+ if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
+ $echo >> $output "\
+ # Add our own library path to $shlibpath_var
+ $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
+
+ # Some systems cannot cope with colon-terminated $shlibpath_var
+ # The second colon is a workaround for a bug in BeOS R4 sed
+ $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\`
+
+ export $shlibpath_var
+"
+ fi
+
+ # fixup the dll searchpath if we need to.
+ if test -n "$dllsearchpath"; then
+ $echo >> $output "\
+ # Add the dll search path components to the executable PATH
+ PATH=$dllsearchpath:\$PATH
+"
+ fi
+
+ $echo >> $output "\
+ if test \"\$libtool_execute_magic\" != \"$magic\"; then
+ # Run the actual program with our arguments.
+
+ # Make sure env LD_LIBRARY_PATH does not mess us up
+ if test -n \"\${LD_LIBRARY_PATH+set}\"; then
+ export LD_LIBRARY_PATH=\$progdir:\$LD_LIBRARY_PATH
+ fi
+"
+ case $host in
+ # Backslashes separate directories on plain windows
+ *-*-mingw | *-*-os2*)
+ $echo >> $output "\
+ exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
+"
+ ;;
+
+ *)
+ $echo >> $output "\
+ exec \"\$progdir/\$program\" \${1+\"\$@\"}
+"
+ ;;
+ esac
+ $echo >> $output "\
+ \$echo \"\$0: cannot exec \$program \${1+\"\$@\"}\"
+ exit $EXIT_FAILURE
+ fi
+ else
+ # The program doesn't exist.
+ \$echo \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2
+ \$echo \"This script is just a wrapper for \$program.\" 1>&2
+ $echo \"See the $PACKAGE documentation for more information.\" 1>&2
+ exit $EXIT_FAILURE
+ fi
+fi\
+"
+ chmod +x $output
+ fi
+ exit $EXIT_SUCCESS
+ ;;
+ esac
+
+ # See if we need to build an old-fashioned archive.
+ for oldlib in $oldlibs; do
+
+ if test "$build_libtool_libs" = convenience; then
+ oldobjs="$libobjs_save"
+ addlibs="$convenience"
+ build_libtool_libs=no
+ else
+ if test "$build_libtool_libs" = module; then
+ oldobjs="$libobjs_save"
+ build_libtool_libs=no
+ else
+ oldobjs="$old_deplibs $non_pic_objects"
+ fi
+ addlibs="$old_convenience"
+ fi
+
+ if test -n "$addlibs"; then
+ gentop="$output_objdir/${outputname}x"
+ generated="$generated $gentop"
+
+ func_extract_archives $gentop $addlibs
+ oldobjs="$oldobjs $func_extract_archives_result"
+ fi
+
+ # Do each command in the archive commands.
+ if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
+ cmds=$old_archive_from_new_cmds
+ else
+ # POSIX demands no paths to be encoded in archives. We have
+ # to avoid creating archives with duplicate basenames if we
+ # might have to extract them afterwards, e.g., when creating a
+ # static archive out of a convenience library, or when linking
+ # the entirety of a libtool archive into another (currently
+ # not supported by libtool).
+ if (for obj in $oldobjs
+ do
+ $echo "X$obj" | $Xsed -e 's%^.*/%%'
+ done | sort | sort -uc >/dev/null 2>&1); then
+ :
+ else
+ $echo "copying selected object files to avoid basename conflicts..."
+
+ if test -z "$gentop"; then
+ gentop="$output_objdir/${outputname}x"
+ generated="$generated $gentop"
+
+ $show "${rm}r $gentop"
+ $run ${rm}r "$gentop"
+ $show "$mkdir $gentop"
+ $run $mkdir "$gentop"
+ exit_status=$?
+ if test "$exit_status" -ne 0 && test ! -d "$gentop"; then
+ exit $exit_status
+ fi
+ fi
+
+ save_oldobjs=$oldobjs
+ oldobjs=
+ counter=1
+ for obj in $save_oldobjs
+ do
+ objbase=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
+ case " $oldobjs " in
+ " ") oldobjs=$obj ;;
+ *[\ /]"$objbase "*)
+ while :; do
+ # Make sure we don't pick an alternate name that also
+ # overlaps.
+ newobj=lt$counter-$objbase
+ counter=`expr $counter + 1`
+ case " $oldobjs " in
+ *[\ /]"$newobj "*) ;;
+ *) if test ! -f "$gentop/$newobj"; then break; fi ;;
+ esac
+ done
+ $show "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj"
+ $run ln "$obj" "$gentop/$newobj" ||
+ $run cp "$obj" "$gentop/$newobj"
+ oldobjs="$oldobjs $gentop/$newobj"
+ ;;
+ *) oldobjs="$oldobjs $obj" ;;
+ esac
+ done
+ fi
+
+ eval cmds=\"$old_archive_cmds\"
+
+ if len=`expr "X$cmds" : ".*"` &&
+ test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+ cmds=$old_archive_cmds
+ else
+ # the command line is too long to link in one step, link in parts
+ $echo "using piecewise archive linking..."
+ save_RANLIB=$RANLIB
+ RANLIB=:
+ objlist=
+ concat_cmds=
+ save_oldobjs=$oldobjs
+
+ # Is there a better way of finding the last object in the list?
+ for obj in $save_oldobjs
+ do
+ last_oldobj=$obj
+ done
+ for obj in $save_oldobjs
+ do
+ oldobjs="$objlist $obj"
+ objlist="$objlist $obj"
+ eval test_cmds=\"$old_archive_cmds\"
+ if len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
+ test "$len" -le "$max_cmd_len"; then
+ :
+ else
+ # the above command should be used before it gets too long
+ oldobjs=$objlist
+ if test "$obj" = "$last_oldobj" ; then
+ RANLIB=$save_RANLIB
+ fi
+ test -z "$concat_cmds" || concat_cmds=$concat_cmds~
+ eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\"
+ objlist=
+ fi
+ done
+ RANLIB=$save_RANLIB
+ oldobjs=$objlist
+ if test "X$oldobjs" = "X" ; then
+ eval cmds=\"\$concat_cmds\"
+ else
+ eval cmds=\"\$concat_cmds~\$old_archive_cmds\"
+ fi
+ fi
+ fi
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ eval cmd=\"$cmd\"
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ done
+
+ if test -n "$generated"; then
+ $show "${rm}r$generated"
+ $run ${rm}r$generated
+ fi
+
+ # Now create the libtool archive.
+ case $output in
+ *.la)
+ old_library=
+ test "$build_old_libs" = yes && old_library="$libname.$libext"
+ $show "creating $output"
+
+ # Preserve any variables that may affect compiler behavior
+ for var in $variables_saved_for_relink; do
+ if eval test -z \"\${$var+set}\"; then
+ relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
+ elif eval var_value=\$$var; test -z "$var_value"; then
+ relink_command="$var=; export $var; $relink_command"
+ else
+ var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
+ relink_command="$var=\"$var_value\"; export $var; $relink_command"
+ fi
+ done
+ # Quote the link command for shipping.
+ relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
+ relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+ if test "$hardcode_automatic" = yes ; then
+ relink_command=
+ fi
+
+
+ # Only create the output if not a dry run.
+ if test -z "$run"; then
+ for installed in no yes; do
+ if test "$installed" = yes; then
+ if test -z "$install_libdir"; then
+ break
+ fi
+ output="$output_objdir/$outputname"i
+ # Replace all uninstalled libtool libraries with the installed ones
+ newdependency_libs=
+ for deplib in $dependency_libs; do
+ case $deplib in
+ *.la)
+ name=`$echo "X$deplib" | $Xsed -e 's%^.*/%%'`
+ eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+ if test -z "$libdir"; then
+ $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
+ exit $EXIT_FAILURE
+ fi
+ if test "X$EGREP" = X ; then
+ EGREP=egrep
+ fi
+ # We do not want portage's install root ($D) present. Check only for
+ # this if the .la is being installed.
+ if test "$installed" = yes && test "$D"; then
+ eval mynewdependency_lib=`echo "$libdir/$name" |sed -e "s:$D:/:g" -e 's:/\+:/:g'`
+ else
+ mynewdependency_lib="$libdir/$name"
+ fi
+ # Do not add duplicates
+ if test "$mynewdependency_lib"; then
+ my_little_ninja_foo_1=`echo $newdependency_libs |$EGREP -e "$mynewdependency_lib"`
+ if test -z "$my_little_ninja_foo_1"; then
+ newdependency_libs="$newdependency_libs $mynewdependency_lib"
+ fi
+ fi
+ ;;
+ *)
+ if test "$installed" = yes; then
+ # Rather use S=WORKDIR if our version of portage supports it.
+ # This is because some ebuild (gcc) do not use $S as buildroot.
+ if test "$PWORKDIR"; then
+ S="$PWORKDIR"
+ fi
+ # We do not want portage's build root ($S) present.
+ my_little_ninja_foo_2=`echo $deplib |$EGREP -e "$S"`
+ # We do not want portage's install root ($D) present.
+ my_little_ninja_foo_3=`echo $deplib |$EGREP -e "$D"`
+ if test -n "$my_little_ninja_foo_2" && test "$S"; then
+ mynewdependency_lib=""
+ elif test -n "$my_little_ninja_foo_3" && test "$D"; then
+ eval mynewdependency_lib=`echo "$deplib" |sed -e "s:$D:/:g" -e 's:/\+:/:g'`
+ else
+ mynewdependency_lib="$deplib"
+ fi
+ else
+ mynewdependency_lib="$deplib"
+ fi
+ # Do not add duplicates
+ if test "$mynewdependency_lib"; then
+ my_little_ninja_foo_4=`echo $newdependency_libs |$EGREP -e "$mynewdependency_lib"`
+ if test -z "$my_little_ninja_foo_4"; then
+ newdependency_libs="$newdependency_libs $mynewdependency_lib"
+ fi
+ fi
+ ;;
+ esac
+ done
+ dependency_libs="$newdependency_libs"
+ newdlfiles=
+ for lib in $dlfiles; do
+ name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+ eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+ if test -z "$libdir"; then
+ $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+ exit $EXIT_FAILURE
+ fi
+ newdlfiles="$newdlfiles $libdir/$name"
+ done
+ dlfiles="$newdlfiles"
+ newdlprefiles=
+ for lib in $dlprefiles; do
+ name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+ eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+ if test -z "$libdir"; then
+ $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+ exit $EXIT_FAILURE
+ fi
+ newdlprefiles="$newdlprefiles $libdir/$name"
+ done
+ dlprefiles="$newdlprefiles"
+ else
+ newdlfiles=
+ for lib in $dlfiles; do
+ case $lib in
+ [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
+ *) abs=`pwd`"/$lib" ;;
+ esac
+ newdlfiles="$newdlfiles $abs"
+ done
+ dlfiles="$newdlfiles"
+ newdlprefiles=
+ for lib in $dlprefiles; do
+ case $lib in
+ [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
+ *) abs=`pwd`"/$lib" ;;
+ esac
+ newdlprefiles="$newdlprefiles $abs"
+ done
+ dlprefiles="$newdlprefiles"
+ fi
+ $rm $output
+ # place dlname in correct position for cygwin
+ tdlname=$dlname
+ case $host,$output,$installed,$module,$dlname in
+ *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;;
+ esac
+ # Do not add duplicates
+ if test "$installed" = yes && test "$D"; then
+ install_libdir=`echo "$install_libdir" |sed -e "s:$D:/:g" -e 's:/\+:/:g'`
+ fi
+ $echo > $output "\
+# $outputname - a libtool library file
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
+
+# The name that we can dlopen(3).
+dlname='$tdlname'
+
+# Names of this library.
+library_names='$library_names'
+
+# The name of the static archive.
+old_library='$old_library'
+
+# Libraries that this one depends upon.
+dependency_libs='$dependency_libs'
+
+# Version information for $libname.
+current=$current
+age=$age
+revision=$revision
+
+# Is this an already installed library?
+installed=$installed
+
+# Should we warn about portability when linking against -modules?
+shouldnotlink=$module
+
+# Files to dlopen/dlpreopen
+dlopen='$dlfiles'
+dlpreopen='$dlprefiles'
+
+# Directory that this library needs to be installed in:
+libdir='$install_libdir'"
+ if test "$installed" = no && test "$need_relink" = yes; then
+ $echo >> $output "\
+relink_command=\"$relink_command\""
+ fi
+ done
+ fi
+
+ # Do a symbolic link so that the libtool archive can be found in
+ # LD_LIBRARY_PATH before the program is installed.
+ $show "(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)"
+ $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $?
+ ;;
+ esac
+ exit $EXIT_SUCCESS
+ ;;
+
+ # libtool install mode
+ install)
+ modename="$modename: install"
+
+ # There may be an optional sh(1) argument at the beginning of
+ # install_prog (especially on Windows NT).
+ if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
+ # Allow the use of GNU shtool's install command.
+ $echo "X$nonopt" | grep shtool > /dev/null; then
+ # Aesthetically quote it.
+ arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ install_prog="$arg "
+ arg="$1"
+ shift
+ else
+ install_prog=
+ arg=$nonopt
+ fi
+
+ # The real first argument should be the name of the installation program.
+ # Aesthetically quote it.
+ arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ install_prog="$install_prog$arg"
+
+ # We need to accept at least all the BSD install flags.
+ dest=
+ files=
+ opts=
+ prev=
+ install_type=
+ isdir=no
+ stripme=
+ for arg
+ do
+ if test -n "$dest"; then
+ files="$files $dest"
+ dest=$arg
+ continue
+ fi
+
+ case $arg in
+ -d) isdir=yes ;;
+ -f)
+ case " $install_prog " in
+ *[\\\ /]cp\ *) ;;
+ *) prev=$arg ;;
+ esac
+ ;;
+ -g | -m | -o) prev=$arg ;;
+ -s)
+ stripme=" -s"
+ continue
+ ;;
+ -*)
+ ;;
+ *)
+ # If the previous option needed an argument, then skip it.
+ if test -n "$prev"; then
+ prev=
+ else
+ dest=$arg
+ continue
+ fi
+ ;;
+ esac
+
+ # Aesthetically quote the argument.
+ arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ install_prog="$install_prog $arg"
+ done
+
+ if test -z "$install_prog"; then
+ $echo "$modename: you must specify an install program" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ if test -n "$prev"; then
+ $echo "$modename: the \`$prev' option requires an argument" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ if test -z "$files"; then
+ if test -z "$dest"; then
+ $echo "$modename: no file or destination specified" 1>&2
+ else
+ $echo "$modename: you must specify a destination" 1>&2
+ fi
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ # Strip any trailing slash from the destination.
+ dest=`$echo "X$dest" | $Xsed -e 's%/$%%'`
+
+ # Check to see that the destination is a directory.
+ test -d "$dest" && isdir=yes
+ if test "$isdir" = yes; then
+ destdir="$dest"
+ destname=
+ else
+ destdir=`$echo "X$dest" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$destdir" = "X$dest" && destdir=.
+ destname=`$echo "X$dest" | $Xsed -e 's%^.*/%%'`
+
+ # Not a directory, so check to see that there is only one file specified.
+ set dummy $files
+ if test "$#" -gt 2; then
+ $echo "$modename: \`$dest' is not a directory" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+ fi
+ case $destdir in
+ [\\/]* | [A-Za-z]:[\\/]*) ;;
+ *)
+ for file in $files; do
+ case $file in
+ *.lo) ;;
+ *)
+ $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ esac
+ done
+ ;;
+ esac
+
+ # This variable tells wrapper scripts just to set variables rather
+ # than running their programs.
+ libtool_install_magic="$magic"
+
+ staticlibs=
+ future_libdirs=
+ current_libdirs=
+ for file in $files; do
+
+ # Do each installation.
+ case $file in
+ *.$libext)
+ # Do the static libraries later.
+ staticlibs="$staticlibs $file"
+ ;;
+
+ *.la)
+ # Check to see that this really is a libtool archive.
+ if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+ else
+ $echo "$modename: \`$file' is not a valid libtool archive" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ library_names=
+ old_library=
+ relink_command=
+ # If there is no directory component, then add one.
+ case $file in
+ */* | *\\*) . $file ;;
+ *) . ./$file ;;
+ esac
+
+ # Add the libdir to current_libdirs if it is the destination.
+ if test "X$destdir" = "X$libdir"; then
+ case "$current_libdirs " in
+ *" $libdir "*) ;;
+ *) current_libdirs="$current_libdirs $libdir" ;;
+ esac
+ else
+ # Note the libdir as a future libdir.
+ case "$future_libdirs " in
+ *" $libdir "*) ;;
+ *) future_libdirs="$future_libdirs $libdir" ;;
+ esac
+ fi
+
+ dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/
+ test "X$dir" = "X$file/" && dir=
+ dir="$dir$objdir"
+
+ if test -n "$relink_command"; then
+ # Determine the prefix the user has applied to our future dir.
+ inst_prefix_dir=`$echo "$destdir" | $SED "s%$libdir\$%%"`
+
+ # Don't allow the user to place us outside of our expected
+ # location b/c this prevents finding dependent libraries that
+ # are installed to the same prefix.
+ # At present, this check doesn't affect windows .dll's that
+ # are installed into $libdir/../bin (currently, that works fine)
+ # but it's something to keep an eye on.
+ if test "$inst_prefix_dir" = "$destdir"; then
+ $echo "$modename: error: cannot install \`$file' to a directory not ending in $libdir" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ if test -n "$inst_prefix_dir"; then
+ # Stick the inst_prefix_dir data into the link command.
+ relink_command=`$echo "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"`
+ else
+ relink_command=`$echo "$relink_command" | $SED "s%@inst_prefix_dir@%%"`
+ fi
+
+ $echo "$modename: warning: relinking \`$file'" 1>&2
+ $show "$relink_command"
+ if $run eval "$relink_command"; then :
+ else
+ $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+ exit $EXIT_FAILURE
+ fi
+ fi
+
+ # See the names of the shared library.
+ set dummy $library_names
+ if test -n "$2"; then
+ realname="$2"
+ shift
+ shift
+
+ srcname="$realname"
+ test -n "$relink_command" && srcname="$realname"T
+
+ # Install the shared library and build the symlinks.
+ $show "$install_prog $dir/$srcname $destdir/$realname"
+ $run eval "$install_prog $dir/$srcname $destdir/$realname" || exit $?
+ if test -n "$stripme" && test -n "$striplib"; then
+ $show "$striplib $destdir/$realname"
+ $run eval "$striplib $destdir/$realname" || exit $?
+ fi
+
+ if test "$#" -gt 0; then
+ # Delete the old symlinks, and create new ones.
+ # Try `ln -sf' first, because the `ln' binary might depend on
+ # the symlink we replace! Solaris /bin/ln does not understand -f,
+ # so we also need to try rm && ln -s.
+ for linkname
+ do
+ if test "$linkname" != "$realname"; then
+ $show "(cd $destdir && { $LN_S -f $realname $linkname || { $rm $linkname && $LN_S $realname $linkname; }; })"
+ $run eval "(cd $destdir && { $LN_S -f $realname $linkname || { $rm $linkname && $LN_S $realname $linkname; }; })"
+ fi
+ done
+ fi
+
+ # Do each command in the postinstall commands.
+ lib="$destdir/$realname"
+ cmds=$postinstall_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || {
+ lt_exit=$?
+
+ # Restore the uninstalled library and exit
+ if test "$mode" = relink; then
+ $run eval '(cd $output_objdir && $rm ${realname}T && $mv ${realname}U $realname)'
+ fi
+
+ exit $lt_exit
+ }
+ done
+ IFS="$save_ifs"
+ fi
+
+ # Install the pseudo-library for information purposes.
+ name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+ instname="$dir/$name"i
+ $show "$install_prog $instname $destdir/$name"
+ $run eval "$install_prog $instname $destdir/$name" || exit $?
+
+ # Maybe install the static library, too.
+ test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
+ ;;
+
+ *.lo)
+ # Install (i.e. copy) a libtool object.
+
+ # Figure out destination file name, if it wasn't already specified.
+ if test -n "$destname"; then
+ destfile="$destdir/$destname"
+ else
+ destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+ destfile="$destdir/$destfile"
+ fi
+
+ # Deduce the name of the destination old-style object file.
+ case $destfile in
+ *.lo)
+ staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"`
+ ;;
+ *.$objext)
+ staticdest="$destfile"
+ destfile=
+ ;;
+ *)
+ $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ esac
+
+ # Install the libtool object if requested.
+ if test -n "$destfile"; then
+ $show "$install_prog $file $destfile"
+ $run eval "$install_prog $file $destfile" || exit $?
+ fi
+
+ # Install the old object if enabled.
+ if test "$build_old_libs" = yes; then
+ # Deduce the name of the old-style object file.
+ staticobj=`$echo "X$file" | $Xsed -e "$lo2o"`
+
+ $show "$install_prog $staticobj $staticdest"
+ $run eval "$install_prog \$staticobj \$staticdest" || exit $?
+ fi
+ exit $EXIT_SUCCESS
+ ;;
+
+ *)
+ # Figure out destination file name, if it wasn't already specified.
+ if test -n "$destname"; then
+ destfile="$destdir/$destname"
+ else
+ destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+ destfile="$destdir/$destfile"
+ fi
+
+ # If the file is missing, and there is a .exe on the end, strip it
+ # because it is most likely a libtool script we actually want to
+ # install
+ stripped_ext=""
+ case $file in
+ *.exe)
+ if test ! -f "$file"; then
+ file=`$echo $file|${SED} 's,.exe$,,'`
+ stripped_ext=".exe"
+ fi
+ ;;
+ esac
+
+ # Do a test to see if this is really a libtool program.
+ case $host in
+ *cygwin*|*mingw*)
+ wrapper=`$echo $file | ${SED} -e 's,.exe$,,'`
+ ;;
+ *)
+ wrapper=$file
+ ;;
+ esac
+ if (${SED} -e '4q' $wrapper | grep "^# Generated by .*$PACKAGE")>/dev/null 2>&1; then
+ notinst_deplibs=
+ relink_command=
+
+ # Note that it is not necessary on cygwin/mingw to append a dot to
+ # foo even if both foo and FILE.exe exist: automatic-append-.exe
+ # behavior happens only for exec(3), not for open(2)! Also, sourcing
+ # `FILE.' does not work on cygwin managed mounts.
+ #
+ # If there is no directory component, then add one.
+ case $wrapper in
+ */* | *\\*) . ${wrapper} ;;
+ *) . ./${wrapper} ;;
+ esac
+
+ # Check the variables that should have been set.
+ if test -z "$notinst_deplibs"; then
+ $echo "$modename: invalid libtool wrapper script \`$wrapper'" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ finalize=yes
+ for lib in $notinst_deplibs; do
+ # Check to see that each library is installed.
+ libdir=
+ if test -f "$lib"; then
+ # If there is no directory component, then add one.
+ case $lib in
+ */* | *\\*) . $lib ;;
+ *) . ./$lib ;;
+ esac
+ fi
+ libfile="$libdir/"`$echo "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test
+ if test -n "$libdir" && test ! -f "$libfile"; then
+ $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2
+ finalize=no
+ fi
+ done
+
+ relink_command=
+ # Note that it is not necessary on cygwin/mingw to append a dot to
+ # foo even if both foo and FILE.exe exist: automatic-append-.exe
+ # behavior happens only for exec(3), not for open(2)! Also, sourcing
+ # `FILE.' does not work on cygwin managed mounts.
+ #
+ # If there is no directory component, then add one.
+ case $wrapper in
+ */* | *\\*) . ${wrapper} ;;
+ *) . ./${wrapper} ;;
+ esac
+
+ outputname=
+ if test "$fast_install" = no && test -n "$relink_command"; then
+ if test "$finalize" = yes && test -z "$run"; then
+ tmpdir=`func_mktempdir`
+ file=`$echo "X$file$stripped_ext" | $Xsed -e 's%^.*/%%'`
+ outputname="$tmpdir/$file"
+ # Replace the output file specification.
+ relink_command=`$echo "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'`
+
+ $show "$relink_command"
+ if $run eval "$relink_command"; then :
+ else
+ $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+ ${rm}r "$tmpdir"
+ continue
+ fi
+ file="$outputname"
+ else
+ $echo "$modename: warning: cannot relink \`$file'" 1>&2
+ fi
+ else
+ # Install the binary that we compiled earlier.
+ file=`$echo "X$file$stripped_ext" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
+ fi
+ fi
+
+ # remove .exe since cygwin /usr/bin/install will append another
+ # one anyway
+ case $install_prog,$host in
+ */usr/bin/install*,*cygwin*)
+ case $file:$destfile in
+ *.exe:*.exe)
+ # this is ok
+ ;;
+ *.exe:*)
+ destfile=$destfile.exe
+ ;;
+ *:*.exe)
+ destfile=`$echo $destfile | ${SED} -e 's,.exe$,,'`
+ ;;
+ esac
+ ;;
+ esac
+ $show "$install_prog$stripme $file $destfile"
+ $run eval "$install_prog\$stripme \$file \$destfile" || exit $?
+ test -n "$outputname" && ${rm}r "$tmpdir"
+ ;;
+ esac
+ done
+
+ for file in $staticlibs; do
+ name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+
+ # Set up the ranlib parameters.
+ oldlib="$destdir/$name"
+
+ $show "$install_prog $file $oldlib"
+ $run eval "$install_prog \$file \$oldlib" || exit $?
+
+ if test -n "$stripme" && test -n "$old_striplib"; then
+ $show "$old_striplib $oldlib"
+ $run eval "$old_striplib $oldlib" || exit $?
+ fi
+
+ # Do each command in the postinstall commands.
+ cmds=$old_postinstall_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ done
+
+ if test -n "$future_libdirs"; then
+ $echo "$modename: warning: remember to run \`$progname --finish$future_libdirs'" 1>&2
+ fi
+
+ if test -n "$current_libdirs"; then
+ # Maybe just do a dry run.
+ test -n "$run" && current_libdirs=" -n$current_libdirs"
+ exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs'
+ else
+ exit $EXIT_SUCCESS
+ fi
+ ;;
+
+ # libtool finish mode
+ finish)
+ modename="$modename: finish"
+ libdirs="$nonopt"
+ admincmds=
+
+ if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
+ for dir
+ do
+ libdirs="$libdirs $dir"
+ done
+
+ for libdir in $libdirs; do
+ if test -n "$finish_cmds"; then
+ # Do each command in the finish commands.
+ cmds=$finish_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || admincmds="$admincmds
+ $cmd"
+ done
+ IFS="$save_ifs"
+ fi
+ if test -n "$finish_eval"; then
+ # Do the single finish_eval.
+ eval cmds=\"$finish_eval\"
+ $run eval "$cmds" || admincmds="$admincmds
+ $cmds"
+ fi
+ done
+ fi
+
+ # Exit here if they wanted silent mode.
+ test "$show" = : && exit $EXIT_SUCCESS
+
+ $echo "X----------------------------------------------------------------------" | $Xsed
+ $echo "Libraries have been installed in:"
+ for libdir in $libdirs; do
+ $echo " $libdir"
+ done
+ $echo
+ $echo "If you ever happen to want to link against installed libraries"
+ $echo "in a given directory, LIBDIR, you must either use libtool, and"
+ $echo "specify the full pathname of the library, or use the \`-LLIBDIR'"
+ $echo "flag during linking and do at least one of the following:"
+ if test -n "$shlibpath_var"; then
+ $echo " - add LIBDIR to the \`$shlibpath_var' environment variable"
+ $echo " during execution"
+ fi
+ if test -n "$runpath_var"; then
+ $echo " - add LIBDIR to the \`$runpath_var' environment variable"
+ $echo " during linking"
+ fi
+ if test -n "$hardcode_libdir_flag_spec"; then
+ libdir=LIBDIR
+ eval flag=\"$hardcode_libdir_flag_spec\"
+
+ $echo " - use the \`$flag' linker flag"
+ fi
+ if test -n "$admincmds"; then
+ $echo " - have your system administrator run these commands:$admincmds"
+ fi
+ if test -f /etc/ld.so.conf; then
+ $echo " - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
+ fi
+ $echo
+ $echo "See any operating system documentation about shared libraries for"
+ $echo "more information, such as the ld(1) and ld.so(8) manual pages."
+ $echo "X----------------------------------------------------------------------" | $Xsed
+ exit $EXIT_SUCCESS
+ ;;
+
+ # libtool execute mode
+ execute)
+ modename="$modename: execute"
+
+ # The first argument is the command name.
+ cmd="$nonopt"
+ if test -z "$cmd"; then
+ $echo "$modename: you must specify a COMMAND" 1>&2
+ $echo "$help"
+ exit $EXIT_FAILURE
+ fi
+
+ # Handle -dlopen flags immediately.
+ for file in $execute_dlfiles; do
+ if test ! -f "$file"; then
+ $echo "$modename: \`$file' is not a file" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ dir=
+ case $file in
+ *.la)
+ # Check to see that this really is a libtool archive.
+ if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+ else
+ $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ # Read the libtool library.
+ dlname=
+ library_names=
+
+ # If there is no directory component, then add one.
+ case $file in
+ */* | *\\*) . $file ;;
+ *) . ./$file ;;
+ esac
+
+ # Skip this library if it cannot be dlopened.
+ if test -z "$dlname"; then
+ # Warn if it was a shared library.
+ test -n "$library_names" && $echo "$modename: warning: \`$file' was not linked with \`-export-dynamic'"
+ continue
+ fi
+
+ dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$dir" = "X$file" && dir=.
+
+ if test -f "$dir/$objdir/$dlname"; then
+ dir="$dir/$objdir"
+ else
+ $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
+ exit $EXIT_FAILURE
+ fi
+ ;;
+
+ *.lo)
+ # Just add the directory containing the .lo file.
+ dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$dir" = "X$file" && dir=.
+ ;;
+
+ *)
+ $echo "$modename: warning \`-dlopen' is ignored for non-libtool libraries and objects" 1>&2
+ continue
+ ;;
+ esac
+
+ # Get the absolute pathname.
+ absdir=`cd "$dir" && pwd`
+ test -n "$absdir" && dir="$absdir"
+
+ # Now add the directory to shlibpath_var.
+ if eval "test -z \"\$$shlibpath_var\""; then
+ eval "$shlibpath_var=\"\$dir\""
+ else
+ eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\""
+ fi
+ done
+
+ # This variable tells wrapper scripts just to set shlibpath_var
+ # rather than running their programs.
+ libtool_execute_magic="$magic"
+
+ # Check if any of the arguments is a wrapper script.
+ args=
+ for file
+ do
+ case $file in
+ -*) ;;
+ *)
+ # Do a test to see if this is really a libtool program.
+ if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ # If there is no directory component, then add one.
+ case $file in
+ */* | *\\*) . $file ;;
+ *) . ./$file ;;
+ esac
+
+ # Transform arg to wrapped name.
+ file="$progdir/$program"
+ fi
+ ;;
+ esac
+ # Quote arguments (to preserve shell metacharacters).
+ file=`$echo "X$file" | $Xsed -e "$sed_quote_subst"`
+ args="$args \"$file\""
+ done
+
+ if test -z "$run"; then
+ if test -n "$shlibpath_var"; then
+ # Export the shlibpath_var.
+ eval "export $shlibpath_var"
+ fi
+
+ # Restore saved environment variables
+ if test "${save_LC_ALL+set}" = set; then
+ LC_ALL="$save_LC_ALL"; export LC_ALL
+ fi
+ if test "${save_LANG+set}" = set; then
+ LANG="$save_LANG"; export LANG
+ fi
+
+ # Now prepare to actually exec the command.
+ exec_cmd="\$cmd$args"
+ else
+ # Display what would be done.
+ if test -n "$shlibpath_var"; then
+ eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\""
+ $echo "export $shlibpath_var"
+ fi
+ $echo "$cmd$args"
+ exit $EXIT_SUCCESS
+ fi
+ ;;
+
+ # libtool clean and uninstall mode
+ clean | uninstall)
+ modename="$modename: $mode"
+ rm="$nonopt"
+ files=
+ rmforce=
+ exit_status=0
+
+ # This variable tells wrapper scripts just to set variables rather
+ # than running their programs.
+ libtool_install_magic="$magic"
+
+ for arg
+ do
+ case $arg in
+ -f) rm="$rm $arg"; rmforce=yes ;;
+ -*) rm="$rm $arg" ;;
+ *) files="$files $arg" ;;
+ esac
+ done
+
+ if test -z "$rm"; then
+ $echo "$modename: you must specify an RM program" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ rmdirs=
+
+ origobjdir="$objdir"
+ for file in $files; do
+ dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$dir" = "X$file"; then
+ dir=.
+ objdir="$origobjdir"
+ else
+ objdir="$dir/$origobjdir"
+ fi
+ name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+ test "$mode" = uninstall && objdir="$dir"
+
+ # Remember objdir for removal later, being careful to avoid duplicates
+ if test "$mode" = clean; then
+ case " $rmdirs " in
+ *" $objdir "*) ;;
+ *) rmdirs="$rmdirs $objdir" ;;
+ esac
+ fi
+
+ # Don't error if the file doesn't exist and rm -f was used.
+ if (test -L "$file") >/dev/null 2>&1 \
+ || (test -h "$file") >/dev/null 2>&1 \
+ || test -f "$file"; then
+ :
+ elif test -d "$file"; then
+ exit_status=1
+ continue
+ elif test "$rmforce" = yes; then
+ continue
+ fi
+
+ rmfiles="$file"
+
+ case $name in
+ *.la)
+ # Possibly a libtool archive, so verify it.
+ if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ . $dir/$name
+
+ # Delete the libtool libraries and symlinks.
+ for n in $library_names; do
+ rmfiles="$rmfiles $objdir/$n"
+ done
+ test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library"
+
+ case "$mode" in
+ clean)
+ case " $library_names " in
+ # " " in the beginning catches empty $dlname
+ *" $dlname "*) ;;
+ *) rmfiles="$rmfiles $objdir/$dlname" ;;
+ esac
+ test -n "$libdir" && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
+ ;;
+ uninstall)
+ if test -n "$library_names"; then
+ # Do each command in the postuninstall commands.
+ cmds=$postuninstall_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd"
+ if test "$?" -ne 0 && test "$rmforce" != yes; then
+ exit_status=1
+ fi
+ done
+ IFS="$save_ifs"
+ fi
+
+ if test -n "$old_library"; then
+ # Do each command in the old_postuninstall commands.
+ cmds=$old_postuninstall_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd"
+ if test "$?" -ne 0 && test "$rmforce" != yes; then
+ exit_status=1
+ fi
+ done
+ IFS="$save_ifs"
+ fi
+ # FIXME: should reinstall the best remaining shared library.
+ ;;
+ esac
+ fi
+ ;;
+
+ *.lo)
+ # Possibly a libtool object, so verify it.
+ if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+
+ # Read the .lo file
+ . $dir/$name
+
+ # Add PIC object to the list of files to remove.
+ if test -n "$pic_object" \
+ && test "$pic_object" != none; then
+ rmfiles="$rmfiles $dir/$pic_object"
+ fi
+
+ # Add non-PIC object to the list of files to remove.
+ if test -n "$non_pic_object" \
+ && test "$non_pic_object" != none; then
+ rmfiles="$rmfiles $dir/$non_pic_object"
+ fi
+ fi
+ ;;
+
+ *)
+ if test "$mode" = clean ; then
+ noexename=$name
+ case $file in
+ *.exe)
+ file=`$echo $file|${SED} 's,.exe$,,'`
+ noexename=`$echo $name|${SED} 's,.exe$,,'`
+ # $file with .exe has already been added to rmfiles,
+ # add $file without .exe
+ rmfiles="$rmfiles $file"
+ ;;
+ esac
+ # Do a test to see if this is a libtool program.
+ if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ relink_command=
+ . $dir/$noexename
+
+ # note $name still contains .exe if it was in $file originally
+ # as does the version of $file that was added into $rmfiles
+ rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}"
+ if test "$fast_install" = yes && test -n "$relink_command"; then
+ rmfiles="$rmfiles $objdir/lt-$name"
+ fi
+ if test "X$noexename" != "X$name" ; then
+ rmfiles="$rmfiles $objdir/lt-${noexename}.c"
+ fi
+ fi
+ fi
+ ;;
+ esac
+ $show "$rm $rmfiles"
+ $run $rm $rmfiles || exit_status=1
+ done
+ objdir="$origobjdir"
+
+ # Try to remove the ${objdir}s in the directories where we deleted files
+ for dir in $rmdirs; do
+ if test -d "$dir"; then
+ $show "rmdir $dir"
+ $run rmdir $dir >/dev/null 2>&1
+ fi
+ done
+
+ exit $exit_status
+ ;;
+
+ "")
+ $echo "$modename: you must specify a MODE" 1>&2
+ $echo "$generic_help" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+ esac
+
+ if test -z "$exec_cmd"; then
+ $echo "$modename: invalid operation mode \`$mode'" 1>&2
+ $echo "$generic_help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+fi # test -z "$show_help"
+
+if test -n "$exec_cmd"; then
+ eval exec $exec_cmd
+ exit $EXIT_FAILURE
+fi
+
+# We need to display help for each of the modes.
+case $mode in
+"") $echo \
+"Usage: $modename [OPTION]... [MODE-ARG]...
+
+Provide generalized library-building support services.
+
+ --config show all configuration variables
+ --debug enable verbose shell tracing
+-n, --dry-run display commands without modifying any files
+ --features display basic configuration information and exit
+ --finish same as \`--mode=finish'
+ --help display this help message and exit
+ --mode=MODE use operation mode MODE [default=inferred from MODE-ARGS]
+ --quiet same as \`--silent'
+ --silent don't print informational messages
+ --tag=TAG use configuration variables from tag TAG
+ --version print version information
+
+MODE must be one of the following:
+
+ clean remove files from the build directory
+ compile compile a source file into a libtool object
+ execute automatically set library path, then run a program
+ finish complete the installation of libtool libraries
+ install install libraries or executables
+ link create a library or an executable
+ uninstall remove libraries from an installed directory
+
+MODE-ARGS vary depending on the MODE. Try \`$modename --help --mode=MODE' for
+a more detailed description of MODE.
+
+Report bugs to <bug-libtool@gnu.org>."
+ exit $EXIT_SUCCESS
+ ;;
+
+clean)
+ $echo \
+"Usage: $modename [OPTION]... --mode=clean RM [RM-OPTION]... FILE...
+
+Remove files from the build directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
+
+If FILE is a libtool library, object or program, all the files associated
+with it are deleted. Otherwise, only FILE itself is deleted using RM."
+ ;;
+
+compile)
+ $echo \
+"Usage: $modename [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE
+
+Compile a source file into a libtool library object.
+
+This mode accepts the following additional options:
+
+ -o OUTPUT-FILE set the output file name to OUTPUT-FILE
+ -prefer-pic try to building PIC objects only
+ -prefer-non-pic try to building non-PIC objects only
+ -static always build a \`.o' file suitable for static linking
+
+COMPILE-COMMAND is a command to be used in creating a \`standard' object file
+from the given SOURCEFILE.
+
+The output file name is determined by removing the directory component from
+SOURCEFILE, then substituting the C source code suffix \`.c' with the
+library object suffix, \`.lo'."
+ ;;
+
+execute)
+ $echo \
+"Usage: $modename [OPTION]... --mode=execute COMMAND [ARGS]...
+
+Automatically set library path, then run a program.
+
+This mode accepts the following additional options:
+
+ -dlopen FILE add the directory containing FILE to the library path
+
+This mode sets the library path environment variable according to \`-dlopen'
+flags.
+
+If any of the ARGS are libtool executable wrappers, then they are translated
+into their corresponding uninstalled binary, and any of their required library
+directories are added to the library path.
+
+Then, COMMAND is executed, with ARGS as arguments."
+ ;;
+
+finish)
+ $echo \
+"Usage: $modename [OPTION]... --mode=finish [LIBDIR]...
+
+Complete the installation of libtool libraries.
+
+Each LIBDIR is a directory that contains libtool libraries.
+
+The commands that this mode executes may require superuser privileges. Use
+the \`--dry-run' option if you just want to see what would be executed."
+ ;;
+
+install)
+ $echo \
+"Usage: $modename [OPTION]... --mode=install INSTALL-COMMAND...
+
+Install executables or libraries.
+
+INSTALL-COMMAND is the installation command. The first component should be
+either the \`install' or \`cp' program.
+
+The rest of the components are interpreted as arguments to that command (only
+BSD-compatible install options are recognized)."
+ ;;
+
+link)
+ $echo \
+"Usage: $modename [OPTION]... --mode=link LINK-COMMAND...
+
+Link object files or libraries together to form another library, or to
+create an executable program.
+
+LINK-COMMAND is a command using the C compiler that you would use to create
+a program from several object files.
+
+The following components of LINK-COMMAND are treated specially:
+
+ -all-static do not do any dynamic linking at all
+ -avoid-version do not add a version suffix if possible
+ -dlopen FILE \`-dlpreopen' FILE if it cannot be dlopened at runtime
+ -dlpreopen FILE link in FILE and add its symbols to lt_preloaded_symbols
+ -export-dynamic allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
+ -export-symbols SYMFILE
+ try to export only the symbols listed in SYMFILE
+ -export-symbols-regex REGEX
+ try to export only the symbols matching REGEX
+ -LLIBDIR search LIBDIR for required installed libraries
+ -lNAME OUTPUT-FILE requires the installed library libNAME
+ -module build a library that can dlopened
+ -no-fast-install disable the fast-install mode
+ -no-install link a not-installable executable
+ -no-undefined declare that a library does not refer to external symbols
+ -o OUTPUT-FILE create OUTPUT-FILE from the specified objects
+ -objectlist FILE Use a list of object files found in FILE to specify objects
+ -precious-files-regex REGEX
+ don't remove output files matching REGEX
+ -release RELEASE specify package release information
+ -rpath LIBDIR the created library will eventually be installed in LIBDIR
+ -R[ ]LIBDIR add LIBDIR to the runtime path of programs and libraries
+ -static do not do any dynamic linking of libtool libraries
+ -version-info CURRENT[:REVISION[:AGE]]
+ specify library version info [each variable defaults to 0]
+
+All other options (arguments beginning with \`-') are ignored.
+
+Every other argument is treated as a filename. Files ending in \`.la' are
+treated as uninstalled libtool libraries, other files are standard or library
+object files.
+
+If the OUTPUT-FILE ends in \`.la', then a libtool library is created,
+only library objects (\`.lo' files) may be specified, and \`-rpath' is
+required, except when creating a convenience library.
+
+If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created
+using \`ar' and \`ranlib', or on Windows using \`lib'.
+
+If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file
+is created, otherwise an executable program is created."
+ ;;
+
+uninstall)
+ $echo \
+"Usage: $modename [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE...
+
+Remove libraries from an installation directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
+
+If FILE is a libtool library, all the files associated with it are deleted.
+Otherwise, only FILE itself is deleted using RM."
+ ;;
+
+*)
+ $echo "$modename: invalid operation mode \`$mode'" 1>&2
+ $echo "$help" 1>&2
+ exit $EXIT_FAILURE
+ ;;
+esac
+
+$echo
+$echo "Try \`$modename --help' for more information about other modes."
+
+exit $?
+
+# The TAGs below are defined such that we never get into a situation
+# in which we disable both kinds of libraries. Given conflicting
+# choices, we go for a static library, that is the most portable,
+# since we can't tell whether shared libraries were disabled because
+# the user asked for that or because the platform doesn't support
+# them. This is particularly important on AIX, because we don't
+# support having both static and shared libraries enabled at the same
+# time on that platform, so we default to a shared-only configuration.
+# If a disable-shared tag is given, we'll fallback to a static-only
+# configuration. But we'll never go from static-only to shared-only.
+
+# ### BEGIN LIBTOOL TAG CONFIG: disable-shared
+disable_libs=shared
+# ### END LIBTOOL TAG CONFIG: disable-shared
+
+# ### BEGIN LIBTOOL TAG CONFIG: disable-static
+disable_libs=static
+# ### END LIBTOOL TAG CONFIG: disable-static
+
+# Local Variables:
+# mode:shell-script
+# sh-indentation:2
+# End:
diff --git a/missing b/missing
new file mode 100755
index 000000000..894e786e1
--- /dev/null
+++ b/missing
@@ -0,0 +1,360 @@
+#! /bin/sh
+# Common stub for a few missing GNU programs while installing.
+
+scriptversion=2005-06-08.21
+
+# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005
+# Free Software Foundation, Inc.
+# Originally by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+if test $# -eq 0; then
+ echo 1>&2 "Try \`$0 --help' for more information"
+ exit 1
+fi
+
+run=:
+
+# In the cases where this matters, `missing' is being run in the
+# srcdir already.
+if test -f configure.ac; then
+ configure_ac=configure.ac
+else
+ configure_ac=configure.in
+fi
+
+msg="missing on your system"
+
+case "$1" in
+--run)
+ # Try to run requested program, and just exit if it succeeds.
+ run=
+ shift
+ "$@" && exit 0
+ # Exit code 63 means version mismatch. This often happens
+ # when the user try to use an ancient version of a tool on
+ # a file that requires a minimum version. In this case we
+ # we should proceed has if the program had been absent, or
+ # if --run hadn't been passed.
+ if test $? = 63; then
+ run=:
+ msg="probably too old"
+ fi
+ ;;
+
+ -h|--h|--he|--hel|--help)
+ echo "\
+$0 [OPTION]... PROGRAM [ARGUMENT]...
+
+Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
+error status if there is no known handling for PROGRAM.
+
+Options:
+ -h, --help display this help and exit
+ -v, --version output version information and exit
+ --run try to run the given command, and emulate it if it fails
+
+Supported PROGRAM values:
+ aclocal touch file \`aclocal.m4'
+ autoconf touch file \`configure'
+ autoheader touch file \`config.h.in'
+ automake touch all \`Makefile.in' files
+ bison create \`y.tab.[ch]', if possible, from existing .[ch]
+ flex create \`lex.yy.c', if possible, from existing .c
+ help2man touch the output file
+ lex create \`lex.yy.c', if possible, from existing .c
+ makeinfo touch the output file
+ tar try tar, gnutar, gtar, then tar without non-portable flags
+ yacc create \`y.tab.[ch]', if possible, from existing .[ch]
+
+Send bug reports to <bug-automake@gnu.org>."
+ exit $?
+ ;;
+
+ -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
+ echo "missing $scriptversion (GNU Automake)"
+ exit $?
+ ;;
+
+ -*)
+ echo 1>&2 "$0: Unknown \`$1' option"
+ echo 1>&2 "Try \`$0 --help' for more information"
+ exit 1
+ ;;
+
+esac
+
+# Now exit if we have it, but it failed. Also exit now if we
+# don't have it and --version was passed (most likely to detect
+# the program).
+case "$1" in
+ lex|yacc)
+ # Not GNU programs, they don't have --version.
+ ;;
+
+ tar)
+ if test -n "$run"; then
+ echo 1>&2 "ERROR: \`tar' requires --run"
+ exit 1
+ elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
+ exit 1
+ fi
+ ;;
+
+ *)
+ if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
+ # We have it, but it failed.
+ exit 1
+ elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
+ # Could not run --version or --help. This is probably someone
+ # running `$TOOL --version' or `$TOOL --help' to check whether
+ # $TOOL exists and not knowing $TOOL uses missing.
+ exit 1
+ fi
+ ;;
+esac
+
+# If it does not exist, or fails to run (possibly an outdated version),
+# try to emulate it.
+case "$1" in
+ aclocal*)
+ echo 1>&2 "\
+WARNING: \`$1' is $msg. You should only need it if
+ you modified \`acinclude.m4' or \`${configure_ac}'. You might want
+ to install the \`Automake' and \`Perl' packages. Grab them from
+ any GNU archive site."
+ touch aclocal.m4
+ ;;
+
+ autoconf)
+ echo 1>&2 "\
+WARNING: \`$1' is $msg. You should only need it if
+ you modified \`${configure_ac}'. You might want to install the
+ \`Autoconf' and \`GNU m4' packages. Grab them from any GNU
+ archive site."
+ touch configure
+ ;;
+
+ autoheader)
+ echo 1>&2 "\
+WARNING: \`$1' is $msg. You should only need it if
+ you modified \`acconfig.h' or \`${configure_ac}'. You might want
+ to install the \`Autoconf' and \`GNU m4' packages. Grab them
+ from any GNU archive site."
+ files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}`
+ test -z "$files" && files="config.h"
+ touch_files=
+ for f in $files; do
+ case "$f" in
+ *:*) touch_files="$touch_files "`echo "$f" |
+ sed -e 's/^[^:]*://' -e 's/:.*//'`;;
+ *) touch_files="$touch_files $f.in";;
+ esac
+ done
+ touch $touch_files
+ ;;
+
+ automake*)
+ echo 1>&2 "\
+WARNING: \`$1' is $msg. You should only need it if
+ you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
+ You might want to install the \`Automake' and \`Perl' packages.
+ Grab them from any GNU archive site."
+ find . -type f -name Makefile.am -print |
+ sed 's/\.am$/.in/' |
+ while read f; do touch "$f"; done
+ ;;
+
+ autom4te)
+ echo 1>&2 "\
+WARNING: \`$1' is needed, but is $msg.
+ You might have modified some files without having the
+ proper tools for further handling them.
+ You can get \`$1' as part of \`Autoconf' from any GNU
+ archive site."
+
+ file=`echo "$*" | sed -n 's/.*--output[ =]*\([^ ]*\).*/\1/p'`
+ test -z "$file" && file=`echo "$*" | sed -n 's/.*-o[ ]*\([^ ]*\).*/\1/p'`
+ if test -f "$file"; then
+ touch $file
+ else
+ test -z "$file" || exec >$file
+ echo "#! /bin/sh"
+ echo "# Created by GNU Automake missing as a replacement of"
+ echo "# $ $@"
+ echo "exit 0"
+ chmod +x $file
+ exit 1
+ fi
+ ;;
+
+ bison|yacc)
+ echo 1>&2 "\
+WARNING: \`$1' $msg. You should only need it if
+ you modified a \`.y' file. You may need the \`Bison' package
+ in order for those modifications to take effect. You can get
+ \`Bison' from any GNU archive site."
+ rm -f y.tab.c y.tab.h
+ if [ $# -ne 1 ]; then
+ eval LASTARG="\${$#}"
+ case "$LASTARG" in
+ *.y)
+ SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
+ if [ -f "$SRCFILE" ]; then
+ cp "$SRCFILE" y.tab.c
+ fi
+ SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
+ if [ -f "$SRCFILE" ]; then
+ cp "$SRCFILE" y.tab.h
+ fi
+ ;;
+ esac
+ fi
+ if [ ! -f y.tab.h ]; then
+ echo >y.tab.h
+ fi
+ if [ ! -f y.tab.c ]; then
+ echo 'main() { return 0; }' >y.tab.c
+ fi
+ ;;
+
+ lex|flex)
+ echo 1>&2 "\
+WARNING: \`$1' is $msg. You should only need it if
+ you modified a \`.l' file. You may need the \`Flex' package
+ in order for those modifications to take effect. You can get
+ \`Flex' from any GNU archive site."
+ rm -f lex.yy.c
+ if [ $# -ne 1 ]; then
+ eval LASTARG="\${$#}"
+ case "$LASTARG" in
+ *.l)
+ SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
+ if [ -f "$SRCFILE" ]; then
+ cp "$SRCFILE" lex.yy.c
+ fi
+ ;;
+ esac
+ fi
+ if [ ! -f lex.yy.c ]; then
+ echo 'main() { return 0; }' >lex.yy.c
+ fi
+ ;;
+
+ help2man)
+ echo 1>&2 "\
+WARNING: \`$1' is $msg. You should only need it if
+ you modified a dependency of a manual page. You may need the
+ \`Help2man' package in order for those modifications to take
+ effect. You can get \`Help2man' from any GNU archive site."
+
+ file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
+ if test -z "$file"; then
+ file=`echo "$*" | sed -n 's/.*--output=\([^ ]*\).*/\1/p'`
+ fi
+ if [ -f "$file" ]; then
+ touch $file
+ else
+ test -z "$file" || exec >$file
+ echo ".ab help2man is required to generate this page"
+ exit 1
+ fi
+ ;;
+
+ makeinfo)
+ echo 1>&2 "\
+WARNING: \`$1' is $msg. You should only need it if
+ you modified a \`.texi' or \`.texinfo' file, or any other file
+ indirectly affecting the aspect of the manual. The spurious
+ call might also be the consequence of using a buggy \`make' (AIX,
+ DU, IRIX). You might want to install the \`Texinfo' package or
+ the \`GNU make' package. Grab either from any GNU archive site."
+ # The file to touch is that specified with -o ...
+ file=`echo "$*" | sed -n 's/.*-o \([^ ]*\).*/\1/p'`
+ if test -z "$file"; then
+ # ... or it is the one specified with @setfilename ...
+ infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
+ file=`sed -n '/^@setfilename/ { s/.* \([^ ]*\) *$/\1/; p; q; }' $infile`
+ # ... or it is derived from the source name (dir/f.texi becomes f.info)
+ test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info
+ fi
+ # If the file does not exist, the user really needs makeinfo;
+ # let's fail without touching anything.
+ test -f $file || exit 1
+ touch $file
+ ;;
+
+ tar)
+ shift
+
+ # We have already tried tar in the generic part.
+ # Look for gnutar/gtar before invocation to avoid ugly error
+ # messages.
+ if (gnutar --version > /dev/null 2>&1); then
+ gnutar "$@" && exit 0
+ fi
+ if (gtar --version > /dev/null 2>&1); then
+ gtar "$@" && exit 0
+ fi
+ firstarg="$1"
+ if shift; then
+ case "$firstarg" in
+ *o*)
+ firstarg=`echo "$firstarg" | sed s/o//`
+ tar "$firstarg" "$@" && exit 0
+ ;;
+ esac
+ case "$firstarg" in
+ *h*)
+ firstarg=`echo "$firstarg" | sed s/h//`
+ tar "$firstarg" "$@" && exit 0
+ ;;
+ esac
+ fi
+
+ echo 1>&2 "\
+WARNING: I can't seem to be able to run \`tar' with the given arguments.
+ You may want to install GNU tar or Free paxutils, or check the
+ command line arguments."
+ exit 1
+ ;;
+
+ *)
+ echo 1>&2 "\
+WARNING: \`$1' is needed, and is $msg.
+ You might have modified some files without having the
+ proper tools for further handling them. Check the \`README' file,
+ it often tells you about the needed prerequisites for installing
+ this package. You may also peek at any GNU archive site, in case
+ some other package would contain this missing \`$1' program."
+ exit 1
+ ;;
+esac
+
+exit 0
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-end: "$"
+# End:
diff --git a/packaging/ipkg/conffiles b/packaging/ipkg/conffiles
deleted file mode 100644
index ff0851c29..000000000
--- a/packaging/ipkg/conffiles
+++ /dev/null
@@ -1 +0,0 @@
-/etc/ipsec.conf
diff --git a/packaging/ipkg/control-freeswan-module.dist b/packaging/ipkg/control-freeswan-module.dist
deleted file mode 100644
index aec4091f1..000000000
--- a/packaging/ipkg/control-freeswan-module.dist
+++ /dev/null
@@ -1,8 +0,0 @@
-Package: freeswan-module
-Priority: optional
-Section: Communications
-Version: VERSION
-Architecture: ARCH
-Maintainer: FreeS/WAN <users@lists.freeswan.org>
-Depends: freeswan
-Description: FreeS/WAN ipsec.o binary module
diff --git a/packaging/ipkg/control-freeswan.dist b/packaging/ipkg/control-freeswan.dist
deleted file mode 100644
index 376647e6f..000000000
--- a/packaging/ipkg/control-freeswan.dist
+++ /dev/null
@@ -1,8 +0,0 @@
-Package: freeswan
-Priority: optional
-Section: Communications
-Version: VERSION
-Architecture: ARCH
-Maintainer: FreeS/WAN <users@lists.freeswan.org>
-Depends: gawk libgmp
-Description: FreeS/WAN daemons and userland tools
diff --git a/packaging/ipkg/debian-binary b/packaging/ipkg/debian-binary
deleted file mode 100644
index cd5ac039d..000000000
--- a/packaging/ipkg/debian-binary
+++ /dev/null
@@ -1 +0,0 @@
-2.0
diff --git a/packaging/ipkg/generate-ipkg b/packaging/ipkg/generate-ipkg
deleted file mode 100755
index 5a288f34e..000000000
--- a/packaging/ipkg/generate-ipkg
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/bin/sh
-
-# This script expects the following variables to be in the environment:
-# DESTDIR
-# FREESWANSRCDIR
-# ARCH
-# IPSECVERSION
-
-#set -e
-
-cd $DESTDIR
-rm -f *.tar.gz
-
-mkdir -p $FREESWANSRCDIR/packaging/ipkg/ipkg
-cp $FREESWANSRCDIR/packaging/ipkg/debian-binary .
-cp $FREESWANSRCDIR/packaging/ipkg/conffiles .
-
-cat $FREESWANSRCDIR/packaging/ipkg/control-freeswan.dist | sed s/VERSION/$IPSECVERSION/ |sed s/ARCH/$ARCH/ > $FREESWANSRCDIR/packaging/ipkg/control-freeswan
-
-cp $FREESWANSRCDIR/packaging/ipkg/control-freeswan control
-
-tar -czf ./control.tar.gz ./conffiles ./control --owner=root --group=root
-
-tar -czf ./data.tar.gz ./* --owner=root --group=root --exclude=control.tar.gz --exclude=conffiles --exclude=control --exclude=debian-binary
-
-tar -czf $FREESWANSRCDIR/packaging/ipkg/ipkg/freeswan-utils-$IPSECVERSION.arm.ipk ./debian-binary ./control.tar.gz ./data.tar.gz --owner=root --group=root
-mkdir -p $FREESWANSRCDIR/packaging/ipkg/kernel-module
-cd $FREESWANSRCDIR/packaging/ipkg/kernel-module
-
-rm -f *.tar.gz
-cp $FREESWANSRCDIR/packaging/ipkg/debian-binary .
-
-cat $FREESWANSRCDIR/packaging/ipkg/control-freeswan-module.dist | sed s/VERSION/$IPSECVERSION/ |sed s/ARCH/$ARCH/ > $FREESWANSRCDIR/packaging/ipkg/control-freeswan-module
-
-cp $FREESWANSRCDIR/packaging/ipkg/control-freeswan-module control
-
-tar czf ./control.tar.gz ./control --owner=root --group=root
-
-tar czf ./data.tar.gz * --owner=root --group=root --exclude=control.tar.gz --exclude=control --exclude=debian-binary
-
-tar czf $FREESWANSRCDIR/packaging/ipkg/ipkg/freeswan-module-$IPSECVERSION.arm.ipk ./debian-binary ./control.tar.gz ./data.tar.gz --owner=root --group=root
-rm -rf $FREESWANSRCDIR/packaging/ipkg/ipkg/binaries/*
-rm -rf $FREESWANSRCDIR/packaging/ipkg/ipkg/kernel-module/*
diff --git a/packaging/linus/config-all.h b/packaging/linus/config-all.h
deleted file mode 100644
index b34203372..000000000
--- a/packaging/linus/config-all.h
+++ /dev/null
@@ -1,62 +0,0 @@
-#ifndef _CONFIG_ALL_H_
-/*
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This kernel module is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This kernel module is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- * License for more details.
- *
- * RCSID $Id: config-all.h,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-#define _CONFIG_ALL_H_ /* seen it, no need to see it again */
-
-#define CONFIG_IPSEC 1
-
-#ifndef CONFIG_IPSEC_AH
-#define CONFIG_IPSEC_AH 1
-#endif
-
-#ifndef CONFIG_IPSEC_DEBUG
-#define CONFIG_IPSEC_DEBUG 1
-#endif
-
-#ifndef CONFIG_IPSEC_ESP
-#define CONFIG_IPSEC_ESP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPCOMP
-#define CONFIG_IPSEC_IPCOMP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPIP
-#define CONFIG_IPSEC_IPIP 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_MD5
-#define CONFIG_IPSEC_AUTH_HMAC_MD5 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_SHA1
-#define CONFIG_IPSEC_AUTH_HMAC_SHA1 1
-#endif
-
-#ifndef CONFIG_IPSEC_DYNDEV
-#define CONFIG_IPSEC_DYNDEV 1
-#endif
-
-#ifndef CONFIG_IPSEC_ENC_3DES
-#define CONFIG_IPSEC_ENC_3DES 1
-#endif
-
-#ifndef CONFIG_IPSEC_REGRESS
-#define CONFIG_IPSEC_REGRESS 0
-#endif
-
-
-#endif /* _CONFIG_ALL_H */
diff --git a/packaging/makefiles/module.make b/packaging/makefiles/module.make
deleted file mode 100644
index af6047362..000000000
--- a/packaging/makefiles/module.make
+++ /dev/null
@@ -1,5 +0,0 @@
-include ${FREESWANSRCDIR}/Makefile.inc
-
-KLIPS_TOP=${FREESWANSRCDIR}/linux
-VPATH+=${KLIPSSRC}
-include ${KLIPSSRC}/Makefile
diff --git a/packaging/redhat/.cvsignore b/packaging/redhat/.cvsignore
deleted file mode 100644
index 630b0ff36..000000000
--- a/packaging/redhat/.cvsignore
+++ /dev/null
@@ -1,12 +0,0 @@
-BUILD.athlon
-BUILD.athlon-smp
-BUILD.i386
-BUILD.i386-smp
-BUILD.i586
-BUILD.i586-smp
-BUILD.i586-up
-BUILD.i686
-BUILD.i686-smp
-rpms
-rpm.spec
-tmp.rpmbuild
diff --git a/packaging/redhat/Makefile b/packaging/redhat/Makefile
deleted file mode 100644
index 45f775734..000000000
--- a/packaging/redhat/Makefile
+++ /dev/null
@@ -1,100 +0,0 @@
-# FreeS/WAN RedHat RPM makefile
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=$(shell cd ../.. && pwd)
-include ${FREESWANSRCDIR}/Makefile.inc
-include ${FREESWANSRCDIR}/Makefile.ver
-
-
-# temporary directory to be used when building RPMs, and where to put the
-# resulting RPM tree
-RPMKERNDIR := $(shell echo `pwd`/tmp.rpmkernel)
-RPMTMPDIR=$(shell echo `pwd`/tmp.rpmbuild)
-RPMDEST := $(shell echo `pwd`/rpms)
-
-# definitions from main Makefile that may be relevant
-
-KERNELKLIPS=$(KERNELSRC)/net/ipsec
-KERNELCRYPTODES=$(KERNELSRC)/crypto/ciphers/des
-KERNELLIBFREESWAN=$(KERNELSRC)/lib/libfreeswan
-KERNELLIBZLIB=$(KERNELSRC)/lib/zlib
-KERNELINCLUDE=$(KERNELSRC)/include
-
-MAKEUTILS=${FREESWANSRCDIR}/packaging/utils
-ERRCHECK=${MAKEUTILS}/errcheck
-KVUTIL=${MAKEUTILS}/kernelversion
-KVSHORTUTIL=${MAKEUTILS}/kernelversion-short
-
-
-clean:
- rm -rf $(shell echo `pwd`/BUILD.*)
- rm -rf ${RPMTMPDIR}
- rm -rf ${RPMDEST}
- rm -f $(shell echo `pwd`/rpm.spec)
-
-rpm: rpm_userland rpm_modules rpm.spec final_rpm
-
-# RPM-build userland install in temporary directory
-rpm_userland: clean
- mkdir -p $(RPMTMPDIR)
- (cd ${FREESWANSRCDIR} && $(MAKE) programs install DESTDIR=$(RPMTMPDIR) && cd `pwd`)
- for extras in README CHANGES ; do \
- cp -f $(FREESWANSRCDIR)/$$extras $(RPMTMPDIR)$(FINALEXAMPLECONFDIR)/ ; \
- done
-
-rpm_modules:
- @if [ ! -d ${RH_KERNELSRC}/configs ]; then echo "Please fix RH_KERNELSRC in Makefile.inc (${RH_KERNELSRC})"; exit 1; fi
- @KV=`${KVUTIL} $(RH_KERNELSRC)/Makefile | sed -e 's/custom//'` ; \
- MD=${RPMTMPDIR}/lib/modules/$$KV/kernel/net/ipsec; mkdir -p $$MD; \
- echo Installing into $$MD for $$KV; \
- rm -rf BUILD.*; \
- cat kernel-list.txt | while read kerneltype arch subarch; \
- do \
- mkdir -p BUILD.$$kerneltype; \
- if [ -z "$$subarch" ]; then subarch=$$arch; fi; \
- BUILDDIR=`pwd`/BUILD.$$kerneltype; \
- HERE=`pwd` ;\
- echo Building $$KV-$$kerneltype in $$BUILDDIR; \
- ${MAKE} -C ${FREESWANSRCDIR} MODBUILDDIR=$$BUILDDIR KERNELSRC=${RH_KERNELSRC} ARCH=$$arch SUBARCH=$$subarch MODULE_DEF_INCLUDE=$$HERE/config-$$kerneltype.h module;\
- cp $$BUILDDIR/ipsec.o $$MD/ipsec.o-$$kerneltype; \
- goo="`nm -ao $$BUILDDIR/ipsec.o | ${FREESWANSRCDIR}/programs/calcgoo/calcgoo`"; \
- (cd $$MD && ln -f ipsec.o-$$kerneltype $$goo); \
- done
-
-# build spec file for building RPMs
-rpm.spec: rpm.in $(RH_KERNELSRC)/Makefile
- KVORIG=`${KVUTIL} $(RH_KERNELSRC)/Makefile | sed -e 's/custom//'` ; \
- KV=`echo $$KVORIG | sed -e 's/-/_/g' ` ; \
- IPSECVERSIONFIXED=`echo ${IPSECVERSION} | sed -e 's/-/_/g'`; \
- echo KVORIG: $$KVORIG KV: $$KV IV: $$IPSECVERSIONFIXED; \
- sed -e "/@KERNELVERSION@/s;;$$KV;" \
- -e "/@KERNELVERSIONORIG@/s;;$$KVORIG;" \
- -e "/@IPSECVERSION@/s;;$$IPSECVERSIONFIXED;" \
- -e '/@PUBDIR@/s;;$(PUBDIR);' \
- -e '/@FINALBINDIR@/s;;$(FINALBINDIR);' \
- -e '/@FINALLIBDIR@/s;;$(FINALLIBDIR);' \
- -e '/@FINALCONFDDIR@/s;;$(FINALCONFDDIR);' \
- -e '/@FINALCONFDIR@/s;;$(FINALCONFDIR);' \
- -e '/@FINALEXAMPLECONFDIR@/s;;$(FINALEXAMPLECONFDIR);' \
- -e '/@MANTREE@/s;;$(MANTREE);' rpm.in > rpm.spec
-
-# build RPMs
-final_rpm: rpm.spec
- mkdir -p $(RPMDEST)
- cd $(RPMDEST) ; mkdir -p SRPMS BUILD RPMS SPECS SOURCES
- cd $(RPMDEST)/RPMS ; mkdir -p $(ARCH) noarch
- $(RPMBUILD) -bb --define "buildroot $(RPMTMPDIR)" \
- --define "_topdir $(RPMDEST)" rpm.spec
- # that has, incidentally, gotten rid of $(RPMTMPDIR)
diff --git a/packaging/redhat/config-athlon-smp.h b/packaging/redhat/config-athlon-smp.h
deleted file mode 100644
index 2aa764477..000000000
--- a/packaging/redhat/config-athlon-smp.h
+++ /dev/null
@@ -1,79 +0,0 @@
-#ifndef _CONFIG_RH_I586_H_
-/*
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This kernel module is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This kernel module is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- * License for more details.
- *
- * RCSID $Id: config-athlon-smp.h,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-#define _CONFIG_RH_ATHLON_SMP_H_ /* seen it, no need to see it again */
-
-#define CONFIG_IPSEC 1
-
-#ifndef CONFIG_IPSEC_AH
-#define CONFIG_IPSEC_AH 1
-#endif
-
-#ifndef CONFIG_IPSEC_DEBUG
-#define CONFIG_IPSEC_DEBUG 1
-#endif
-
-#ifndef CONFIG_IPSEC_ESP
-#define CONFIG_IPSEC_ESP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPCOMP
-#define CONFIG_IPSEC_IPCOMP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPIP
-#define CONFIG_IPSEC_IPIP 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_MD5
-#define CONFIG_IPSEC_AUTH_HMAC_MD5 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_SHA1
-#define CONFIG_IPSEC_AUTH_HMAC_SHA1 1
-#endif
-
-#ifndef CONFIG_IPSEC_DYNDEV
-#define CONFIG_IPSEC_DYNDEV 1
-#endif
-
-#ifndef CONFIG_IPSEC_ENC_3DES
-#define CONFIG_IPSEC_ENC_3DES 1
-#endif
-
-#ifndef CONFIG_IPSEC_REGRESS
-#define CONFIG_IPSEC_REGRESS 0
-#endif
-
-/* keep rhconfig.h from doing anything */
-#define __rh_config_h__
-
-/* pick which arch we are supposed to be */
-#define __module__smp
-#undef __module__up
-#define __module__athlon
-#define __module__athlon_smp
-
-#if defined(__module__smp) || defined(__module__BOOTsmp) || defined(__module__enterprise) || defined(__module__bigmem)
-#define _ver_str(x) smp_ ## x
-#else
-#define _ver_str(x) x
-#endif
-
-#define RED_HAT_LINUX_KERNEL 1
-
-#endif /* _CONFIG_RH_ATHLON_SMP_H_ */
-
diff --git a/packaging/redhat/config-athlon.h b/packaging/redhat/config-athlon.h
deleted file mode 100644
index f9d51fc01..000000000
--- a/packaging/redhat/config-athlon.h
+++ /dev/null
@@ -1,79 +0,0 @@
-#ifndef _CONFIG_RH_I586_H_
-/*
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This kernel module is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This kernel module is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- * License for more details.
- *
- * RCSID $Id: config-athlon.h,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-#define _CONFIG_RH_ATHLON_H_ /* seen it, no need to see it again */
-
-#define CONFIG_IPSEC 1
-
-#ifndef CONFIG_IPSEC_AH
-#define CONFIG_IPSEC_AH 1
-#endif
-
-#ifndef CONFIG_IPSEC_DEBUG
-#define CONFIG_IPSEC_DEBUG 1
-#endif
-
-#ifndef CONFIG_IPSEC_ESP
-#define CONFIG_IPSEC_ESP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPCOMP
-#define CONFIG_IPSEC_IPCOMP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPIP
-#define CONFIG_IPSEC_IPIP 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_MD5
-#define CONFIG_IPSEC_AUTH_HMAC_MD5 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_SHA1
-#define CONFIG_IPSEC_AUTH_HMAC_SHA1 1
-#endif
-
-#ifndef CONFIG_IPSEC_DYNDEV
-#define CONFIG_IPSEC_DYNDEV 1
-#endif
-
-#ifndef CONFIG_IPSEC_ENC_3DES
-#define CONFIG_IPSEC_ENC_3DES 1
-#endif
-
-#ifndef CONFIG_IPSEC_REGRESS
-#define CONFIG_IPSEC_REGRESS 0
-#endif
-
-/* keep rhconfig.h from doing anything */
-#define __rh_config_h__
-
-/* pick which arch we are supposed to be */
-#undef __module__smp
-#define __module__up
-#define __module__athlon
-#define __module__athlon_up
-
-#if defined(__module__smp) || defined(__module__BOOTsmp) || defined(__module__enterprise) || defined(__module__bigmem)
-#define _ver_str(x) smp_ ## x
-#else
-#define _ver_str(x) x
-#endif
-
-#define RED_HAT_LINUX_KERNEL 1
-
-#endif /* _CONFIG_RH_ATHLON_H_ */
-
diff --git a/packaging/redhat/config-i386-smp.h b/packaging/redhat/config-i386-smp.h
deleted file mode 100644
index 2971ef9e0..000000000
--- a/packaging/redhat/config-i386-smp.h
+++ /dev/null
@@ -1,79 +0,0 @@
-#ifndef _CONFIG_RH_I586_H_
-/*
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This kernel module is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This kernel module is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- * License for more details.
- *
- * RCSID $Id: config-i386-smp.h,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-#define _CONFIG_RH_I386_SMP_H_ /* seen it, no need to see it again */
-
-#define CONFIG_IPSEC 1
-
-#ifndef CONFIG_IPSEC_AH
-#define CONFIG_IPSEC_AH 1
-#endif
-
-#ifndef CONFIG_IPSEC_DEBUG
-#define CONFIG_IPSEC_DEBUG 1
-#endif
-
-#ifndef CONFIG_IPSEC_ESP
-#define CONFIG_IPSEC_ESP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPCOMP
-#define CONFIG_IPSEC_IPCOMP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPIP
-#define CONFIG_IPSEC_IPIP 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_MD5
-#define CONFIG_IPSEC_AUTH_HMAC_MD5 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_SHA1
-#define CONFIG_IPSEC_AUTH_HMAC_SHA1 1
-#endif
-
-#ifndef CONFIG_IPSEC_DYNDEV
-#define CONFIG_IPSEC_DYNDEV 1
-#endif
-
-#ifndef CONFIG_IPSEC_ENC_3DES
-#define CONFIG_IPSEC_ENC_3DES 1
-#endif
-
-#ifndef CONFIG_IPSEC_REGRESS
-#define CONFIG_IPSEC_REGRESS 0
-#endif
-
-/* keep rhconfig.h from doing anything */
-#define __rh_config_h__
-
-/* pick which arch we are supposed to be */
-#undef __module__up
-#define __module__smp
-#define __module__i386
-#define __module__i386_smp
-
-#if defined(__module__smp) || defined(__module__BOOTsmp) || defined(__module__enterprise) || defined(__module__bigmem)
-#define _ver_str(x) smp_ ## x
-#else
-#define _ver_str(x) x
-#endif
-
-#define RED_HAT_LINUX_KERNEL 1
-
-#endif /* _CONFIG_RH_I386_SMP_H_ */
-
diff --git a/packaging/redhat/config-i386.h b/packaging/redhat/config-i386.h
deleted file mode 100644
index dd6cde171..000000000
--- a/packaging/redhat/config-i386.h
+++ /dev/null
@@ -1,79 +0,0 @@
-#ifndef _CONFIG_RH_I586_H_
-/*
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This kernel module is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This kernel module is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- * License for more details.
- *
- * RCSID $Id: config-i386.h,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-#define _CONFIG_RH_I386_H_ /* seen it, no need to see it again */
-
-#define CONFIG_IPSEC 1
-
-#ifndef CONFIG_IPSEC_AH
-#define CONFIG_IPSEC_AH 1
-#endif
-
-#ifndef CONFIG_IPSEC_DEBUG
-#define CONFIG_IPSEC_DEBUG 1
-#endif
-
-#ifndef CONFIG_IPSEC_ESP
-#define CONFIG_IPSEC_ESP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPCOMP
-#define CONFIG_IPSEC_IPCOMP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPIP
-#define CONFIG_IPSEC_IPIP 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_MD5
-#define CONFIG_IPSEC_AUTH_HMAC_MD5 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_SHA1
-#define CONFIG_IPSEC_AUTH_HMAC_SHA1 1
-#endif
-
-#ifndef CONFIG_IPSEC_DYNDEV
-#define CONFIG_IPSEC_DYNDEV 1
-#endif
-
-#ifndef CONFIG_IPSEC_ENC_3DES
-#define CONFIG_IPSEC_ENC_3DES 1
-#endif
-
-#ifndef CONFIG_IPSEC_REGRESS
-#define CONFIG_IPSEC_REGRESS 0
-#endif
-
-/* keep rhconfig.h from doing anything */
-#define __rh_config_h__
-
-/* pick which arch we are supposed to be */
-#undef __module__smp
-#define __module__up
-#define __module__i386
-#define __module__i386_up
-
-#if defined(__module__smp) || defined(__module__BOOTsmp) || defined(__module__enterprise) || defined(__module__bigmem)
-#define _ver_str(x) smp_ ## x
-#else
-#define _ver_str(x) x
-#endif
-
-#define RED_HAT_LINUX_KERNEL 1
-
-#endif /* _CONFIG_RH_I386_H_ */
-
diff --git a/packaging/redhat/config-i586-smp.h b/packaging/redhat/config-i586-smp.h
deleted file mode 100644
index c56c55219..000000000
--- a/packaging/redhat/config-i586-smp.h
+++ /dev/null
@@ -1,79 +0,0 @@
-#ifndef _CONFIG_RH_I586_H_
-/*
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This kernel module is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This kernel module is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- * License for more details.
- *
- * RCSID $Id: config-i586-smp.h,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-#define _CONFIG_RH_I586_SMP_H_ /* seen it, no need to see it again */
-
-#define CONFIG_IPSEC 1
-
-#ifndef CONFIG_IPSEC_AH
-#define CONFIG_IPSEC_AH 1
-#endif
-
-#ifndef CONFIG_IPSEC_DEBUG
-#define CONFIG_IPSEC_DEBUG 1
-#endif
-
-#ifndef CONFIG_IPSEC_ESP
-#define CONFIG_IPSEC_ESP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPCOMP
-#define CONFIG_IPSEC_IPCOMP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPIP
-#define CONFIG_IPSEC_IPIP 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_MD5
-#define CONFIG_IPSEC_AUTH_HMAC_MD5 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_SHA1
-#define CONFIG_IPSEC_AUTH_HMAC_SHA1 1
-#endif
-
-#ifndef CONFIG_IPSEC_DYNDEV
-#define CONFIG_IPSEC_DYNDEV 1
-#endif
-
-#ifndef CONFIG_IPSEC_ENC_3DES
-#define CONFIG_IPSEC_ENC_3DES 1
-#endif
-
-#ifndef CONFIG_IPSEC_REGRESS
-#define CONFIG_IPSEC_REGRESS 0
-#endif
-
-/* keep rhconfig.h from doing anything */
-#define __rh_config_h__
-
-/* pick which arch we are supposed to be */
-#undef __module__up
-#define __module__smp
-#define __module__i586
-#define __module__i586_smp
-
-#if defined(__module__smp) || defined(__module__BOOTsmp) || defined(__module__enterprise) || defined(__module__bigmem)
-#define _ver_str(x) smp_ ## x
-#else
-#define _ver_str(x) x
-#endif
-
-#define RED_HAT_LINUX_KERNEL 1
-
-#endif /* _CONFIG_RH_I586_H_ */
-
diff --git a/packaging/redhat/config-i586-up.h b/packaging/redhat/config-i586-up.h
deleted file mode 100644
index 54b64caf3..000000000
--- a/packaging/redhat/config-i586-up.h
+++ /dev/null
@@ -1,79 +0,0 @@
-#ifndef _CONFIG_RH_I586_H_
-/*
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This kernel module is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This kernel module is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- * License for more details.
- *
- * RCSID $Id: config-i586-up.h,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-#define _CONFIG_RH_I586_H_ /* seen it, no need to see it again */
-
-#define CONFIG_IPSEC 1
-
-#ifndef CONFIG_IPSEC_AH
-#define CONFIG_IPSEC_AH 1
-#endif
-
-#ifndef CONFIG_IPSEC_DEBUG
-#define CONFIG_IPSEC_DEBUG 1
-#endif
-
-#ifndef CONFIG_IPSEC_ESP
-#define CONFIG_IPSEC_ESP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPCOMP
-#define CONFIG_IPSEC_IPCOMP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPIP
-#define CONFIG_IPSEC_IPIP 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_MD5
-#define CONFIG_IPSEC_AUTH_HMAC_MD5 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_SHA1
-#define CONFIG_IPSEC_AUTH_HMAC_SHA1 1
-#endif
-
-#ifndef CONFIG_IPSEC_DYNDEV
-#define CONFIG_IPSEC_DYNDEV 1
-#endif
-
-#ifndef CONFIG_IPSEC_ENC_3DES
-#define CONFIG_IPSEC_ENC_3DES 1
-#endif
-
-#ifndef CONFIG_IPSEC_REGRESS
-#define CONFIG_IPSEC_REGRESS 0
-#endif
-
-/* keep rhconfig.h from doing anything */
-#define __rh_config_h__
-
-/* pick which arch we are supposed to be */
-#undef __module__smp
-#define __module__up
-#define __module__i586
-#define __module__i586_up
-
-#if defined(__module__smp) || defined(__module__BOOTsmp) || defined(__module__enterprise) || defined(__module__bigmem)
-#define _ver_str(x) smp_ ## x
-#else
-#define _ver_str(x) x
-#endif
-
-#define RED_HAT_LINUX_KERNEL 1
-
-#endif /* _CONFIG_RH_I586_H_ */
-
diff --git a/packaging/redhat/config-i586.h b/packaging/redhat/config-i586.h
deleted file mode 100644
index 6877c9f92..000000000
--- a/packaging/redhat/config-i586.h
+++ /dev/null
@@ -1,79 +0,0 @@
-#ifndef _CONFIG_RH_I586_H_
-/*
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This kernel module is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This kernel module is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- * License for more details.
- *
- * RCSID $Id: config-i586.h,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-#define _CONFIG_RH_I586_H_ /* seen it, no need to see it again */
-
-#define CONFIG_IPSEC 1
-
-#ifndef CONFIG_IPSEC_AH
-#define CONFIG_IPSEC_AH 1
-#endif
-
-#ifndef CONFIG_IPSEC_DEBUG
-#define CONFIG_IPSEC_DEBUG 1
-#endif
-
-#ifndef CONFIG_IPSEC_ESP
-#define CONFIG_IPSEC_ESP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPCOMP
-#define CONFIG_IPSEC_IPCOMP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPIP
-#define CONFIG_IPSEC_IPIP 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_MD5
-#define CONFIG_IPSEC_AUTH_HMAC_MD5 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_SHA1
-#define CONFIG_IPSEC_AUTH_HMAC_SHA1 1
-#endif
-
-#ifndef CONFIG_IPSEC_DYNDEV
-#define CONFIG_IPSEC_DYNDEV 1
-#endif
-
-#ifndef CONFIG_IPSEC_ENC_3DES
-#define CONFIG_IPSEC_ENC_3DES 1
-#endif
-
-#ifndef CONFIG_IPSEC_REGRESS
-#define CONFIG_IPSEC_REGRESS 0
-#endif
-
-/* keep rhconfig.h from doing anything */
-#define __rh_config_h__
-
-/* pick which arch we are supposed to be */
-#undef __module__smp
-#define __module__up
-#define __module__i586
-#define __module__i586_up
-
-#if defined(__module__smp) || defined(__module__BOOTsmp) || defined(__module__enterprise) || defined(__module__bigmem)
-#define _ver_str(x) smp_ ## x
-#else
-#define _ver_str(x) x
-#endif
-
-#define RED_HAT_LINUX_KERNEL 1
-
-#endif /* _CONFIG_RH_I586_H_ */
-
diff --git a/packaging/redhat/config-i686-bigmem.h b/packaging/redhat/config-i686-bigmem.h
deleted file mode 100644
index 4d870cbaf..000000000
--- a/packaging/redhat/config-i686-bigmem.h
+++ /dev/null
@@ -1,78 +0,0 @@
-#ifndef _CONFIG_RH_I586_H_
-/*
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This kernel module is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This kernel module is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- * License for more details.
- *
- * RCSID $Id: config-i686-bigmem.h,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-#define _CONFIG_RH_I686_BIGMEM_H_ /* seen it, no need to see it again */
-
-#define CONFIG_IPSEC 1
-
-#ifndef CONFIG_IPSEC_AH
-#define CONFIG_IPSEC_AH 1
-#endif
-
-#ifndef CONFIG_IPSEC_DEBUG
-#define CONFIG_IPSEC_DEBUG 1
-#endif
-
-#ifndef CONFIG_IPSEC_ESP
-#define CONFIG_IPSEC_ESP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPCOMP
-#define CONFIG_IPSEC_IPCOMP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPIP
-#define CONFIG_IPSEC_IPIP 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_MD5
-#define CONFIG_IPSEC_AUTH_HMAC_MD5 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_SHA1
-#define CONFIG_IPSEC_AUTH_HMAC_SHA1 1
-#endif
-
-#ifndef CONFIG_IPSEC_DYNDEV
-#define CONFIG_IPSEC_DYNDEV 1
-#endif
-
-#ifndef CONFIG_IPSEC_ENC_3DES
-#define CONFIG_IPSEC_ENC_3DES 1
-#endif
-
-#ifndef CONFIG_IPSEC_REGRESS
-#define CONFIG_IPSEC_REGRESS 0
-#endif
-
-/* keep rhconfig.h from doing anything */
-#define __rh_config_h__
-
-/* pick which arch we are supposed to be */
-#undef __module__up
-#define __module__bigmem
-#define __module__i686_bigmem
-
-#if defined(__module__smp) || defined(__module__BOOTsmp) || defined(__module__enterprise) || defined(__module__bigmem)
-#define _ver_str(x) smp_ ## x
-#else
-#define _ver_str(x) x
-#endif
-
-#define RED_HAT_LINUX_KERNEL 1
-
-#endif /* _CONFIG_RH_I686_BIGMEM_H_ */
-
diff --git a/packaging/redhat/config-i686-smp.h b/packaging/redhat/config-i686-smp.h
deleted file mode 100644
index 9abd7a7d1..000000000
--- a/packaging/redhat/config-i686-smp.h
+++ /dev/null
@@ -1,79 +0,0 @@
-#ifndef _CONFIG_RH_I586_H_
-/*
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This kernel module is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This kernel module is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- * License for more details.
- *
- * RCSID $Id: config-i686-smp.h,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-#define _CONFIG_RH_I686_SMP_H_ /* seen it, no need to see it again */
-
-#define CONFIG_IPSEC 1
-
-#ifndef CONFIG_IPSEC_AH
-#define CONFIG_IPSEC_AH 1
-#endif
-
-#ifndef CONFIG_IPSEC_DEBUG
-#define CONFIG_IPSEC_DEBUG 1
-#endif
-
-#ifndef CONFIG_IPSEC_ESP
-#define CONFIG_IPSEC_ESP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPCOMP
-#define CONFIG_IPSEC_IPCOMP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPIP
-#define CONFIG_IPSEC_IPIP 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_MD5
-#define CONFIG_IPSEC_AUTH_HMAC_MD5 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_SHA1
-#define CONFIG_IPSEC_AUTH_HMAC_SHA1 1
-#endif
-
-#ifndef CONFIG_IPSEC_DYNDEV
-#define CONFIG_IPSEC_DYNDEV 1
-#endif
-
-#ifndef CONFIG_IPSEC_ENC_3DES
-#define CONFIG_IPSEC_ENC_3DES 1
-#endif
-
-#ifndef CONFIG_IPSEC_REGRESS
-#define CONFIG_IPSEC_REGRESS 0
-#endif
-
-/* keep rhconfig.h from doing anything */
-#define __rh_config_h__
-
-/* pick which arch we are supposed to be */
-#undef __module__up
-#define __module__smp
-#define __module__i686
-#define __module__i686_smp
-
-#if defined(__module__smp) || defined(__module__BOOTsmp) || defined(__module__enterprise) || defined(__module__bigmem)
-#define _ver_str(x) smp_ ## x
-#else
-#define _ver_str(x) x
-#endif
-
-#define RED_HAT_LINUX_KERNEL 1
-
-#endif /* _CONFIG_RH_I686_SMP_H_ */
-
diff --git a/packaging/redhat/config-i686.h b/packaging/redhat/config-i686.h
deleted file mode 100644
index 4e4d7b292..000000000
--- a/packaging/redhat/config-i686.h
+++ /dev/null
@@ -1,79 +0,0 @@
-#ifndef _CONFIG_RH_I586_H_
-/*
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This kernel module is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
- *
- * This kernel module is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
- * License for more details.
- *
- * RCSID $Id: config-i686.h,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-#define _CONFIG_RH_I686_H_ /* seen it, no need to see it again */
-
-#define CONFIG_IPSEC 1
-
-#ifndef CONFIG_IPSEC_AH
-#define CONFIG_IPSEC_AH 1
-#endif
-
-#ifndef CONFIG_IPSEC_DEBUG
-#define CONFIG_IPSEC_DEBUG 1
-#endif
-
-#ifndef CONFIG_IPSEC_ESP
-#define CONFIG_IPSEC_ESP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPCOMP
-#define CONFIG_IPSEC_IPCOMP 1
-#endif
-
-#ifndef CONFIG_IPSEC_IPIP
-#define CONFIG_IPSEC_IPIP 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_MD5
-#define CONFIG_IPSEC_AUTH_HMAC_MD5 1
-#endif
-
-#ifndef CONFIG_IPSEC_AUTH_HMAC_SHA1
-#define CONFIG_IPSEC_AUTH_HMAC_SHA1 1
-#endif
-
-#ifndef CONFIG_IPSEC_DYNDEV
-#define CONFIG_IPSEC_DYNDEV 1
-#endif
-
-#ifndef CONFIG_IPSEC_ENC_3DES
-#define CONFIG_IPSEC_ENC_3DES 1
-#endif
-
-#ifndef CONFIG_IPSEC_REGRESS
-#define CONFIG_IPSEC_REGRESS 0
-#endif
-
-/* keep rhconfig.h from doing anything */
-#define __rh_config_h__
-
-/* pick which arch we are supposed to be */
-#undef __module__smp
-#define __module__up
-#define __module__i686
-#define __module__i686_up
-
-#if defined(__module__smp) || defined(__module__BOOTsmp) || defined(__module__enterprise) || defined(__module__bigmem)
-#define _ver_str(x) smp_ ## x
-#else
-#define _ver_str(x) x
-#endif
-
-#define RED_HAT_LINUX_KERNEL 1
-
-#endif /* _CONFIG_RH_I686_H_ */
-
diff --git a/packaging/redhat/freeswan.spec b/packaging/redhat/freeswan.spec
deleted file mode 100644
index 83b59fc8c..000000000
--- a/packaging/redhat/freeswan.spec
+++ /dev/null
@@ -1,176 +0,0 @@
-Summary: FreeS/WAN IPSEC implementation
-Name: freeswan
-Version: 2.04
-%define defkv %(rpm -q --qf='%{Version}-%{Release}\\n' kernel-source|tail -1)
-# The default kernel version to build for is the latest of
-# the installed kernel-source RPMs.
-# This can be overridden by "--define 'kversion x.x.x-y.y.y'"
-%{!?kversion: %{expand: %%define kversion %defkv}}
-%define krelver %(echo %{kversion} | tr -s '-' '_')
-# FreeS/WAN -pre/-rc nomenclature has to co-exist with hyphen paranoia
-%define srcpkgver %(echo %{version} | tr -s '_' '-')
-%define our_release 1fs
-%define debug_package %{nil}
-Release: %{our_release}
-License: GPL
-Url: http://www.freeswan.org/
-Source: freeswan-%{srcpkgver}.tar.gz
-Group: System Environment/Daemons
-BuildRoot: /var/tmp/%{name}-%{PACKAGE_VERSION}-root
-%define __spec_install_post /usr/lib/rpm/brp-compress || :
-BuildRequires: kernel-source = %{kversion}
-
-%package userland
-Summary: FreeS/WAN IPSEC usermod tools
-Group: System Environment/Daemons
-Provides: ipsec-userland
-Obsoletes: freeswan
-Requires: ipsec-kernel
-Release: %{our_release}
-
-%package doc
-Summary: FreeS/WAN IPSEC full documentation
-Group: System Environment/Daemons
-Release: %{our_release}
-
-%package module
-Summary: FreeS/Wan kernel module
-Group: System Environment/Kernel
-Release: %{krelver}_%{our_release}
-Provides: ipsec-kernel
-Requires: kernel = %{kversion}
-# do not make the dependancy circular for now.
-#Requires: ipsec-userland
-
-%description userland
-FreeS/WAN is a free implementation of IPSEC & IKE for Linux. IPSEC is
-the Internet Protocol Security and uses strong cryptography to provide
-both authentication and encryption services. These services allow you
-to build secure tunnels through untrusted networks. Everything passing
-through the untrusted net is encrypted by the ipsec gateway machine and
-decrypted by the gateway at the other end of the tunnel. The resulting
-tunnel is a virtual private network or VPN.
-
-This package contains the daemons and userland tools for setting up
-FreeS/WAN on a freeswan enabled kernel.
-
-%description module
-This package contains only the ipsec module for the RedHat series of kernels.
-
-%description doc
-This package contains extensive documentation of the FreeeS/WAN IPSEC
-system.
-
-%description
-A dummy package that installs userland and kernel pieces.
-
-%prep
-%setup -q -n freeswan-%{srcpkgver}
-
-%build
-%{__make} \
- USERCOMPILE="-g %{optflags}" \
- INC_USRLOCAL=%{_prefix} \
- MANTREE=%{_mandir} \
- INC_RCDEFAULT=%{_initrddir} \
- programs
-FS=$(pwd)
-mkdir -p BUILD.%{_target_cpu}
-mkdir -p BUILD.%{_target_cpu}-smp
-
-cd packaging/redhat
-for smp in -smp ""
-do
-%{__make} -C $FS MODBUILDDIR=$FS/BUILD.%{_target_cpu}$smp \
- FREESWANSRCDIR=$FS \
- KERNELSRC=/usr/src/linux-%{kversion} \
- ARCH=%{_arch} \
- SUBARCH=%{_arch} \
- MODULE_DEF_INCLUDE=$FS/packaging/redhat/config-%{_target_cpu}$smp.h \
- module
-done
-
-%install
-%{__make} \
- DESTDIR=%{buildroot} \
- INC_USRLOCAL=%{_prefix} \
- MANTREE=%{buildroot}%{_mandir} \
- INC_RCDEFAULT=%{_initrddir} \
- install
-install -d -m700 %{buildroot}%{_localstatedir}/run/pluto
-install -d %{buildroot}%{_sbindir}
-
-mkdir -p %{buildroot}/lib/modules/%{kversion}/kernel/net/ipsec
-cp BUILD.%{_target_cpu}/ipsec.o \
- %{buildroot}/lib/modules/%{kversion}/kernel/net/ipsec
-
-mkdir -p %{buildroot}/lib/modules/%{kversion}smp/kernel/net/ipsec
-cp BUILD.%{_target_cpu}-smp/ipsec.o \
- %{buildroot}/lib/modules/%{kversion}smp/kernel/net/ipsec
-
-%clean
-rm -rf ${RPM_BUILD_ROOT}
-
-%files doc
-%defattr(-,root,root)
-%doc doc
-%doc %{_defaultdocdir}/freeswan/ipsec.conf-sample
-
-%files userland
-%defattr(-,root,root)
-%doc BUGS CHANGES COPYING
-%doc CREDITS INSTALL README
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.conf
-%attr(0700,root,root) %dir %{_sysconfdir}/ipsec.d
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipsec.d/policies/*
-%config(noreplace) %{_initrddir}/ipsec
-%{_libdir}/ipsec
-%{_sbindir}/ipsec
-%{_libexecdir}/ipsec
-%doc %{_mandir}/*/*
-%{_localstatedir}/run/pluto
-
-%files module
-%defattr (-,root,root)
-/lib/modules/%{kversion}/kernel/net/ipsec
-/lib/modules/%{kversion}smp/kernel/net/ipsec
-
-%pre userland
-%preun userland
-if [ $1 = 0 ]; then
- /sbin/service ipsec stop || :
- /sbin/chkconfig --del ipsec
-fi
-
-%postun userland
-if [ $1 -ge 1 ] ; then
- /sbin/service ipsec stop 2>&1 > /dev/null && /sbin/service ipsec start 2>&1 > /dev/null || :
-fi
-
-%postun module
-%post module
-
-%post userland
-chkconfig --add ipsec
-
-%changelog
-* Fri Aug 22 2003 Sam Sgro <sam@freeswan.org>
-- Juggling release/source package names to allow for
- -pre/-rc releases to build.
-
-* Thu Aug 14 2003 Sam Sgro <sam@freeswan.org>
-- Reverting back to pre-x.509 version, cosmetic changes.
-
-* Tue May 20 2003 Charlie Brady <charlieb@e-smith.com> 2.0.0-x509_1.3.2_2es
-- Add "Obsoletes: freeswan" to userland RPM.
-
-* Fri May 16 2003 Charlie Brady <charlieb@e-smith.com> 2.0.0-x509_1.3.2_1es
-- Add version 1.3.2 of the x509 patch.
-- Add missing /usr/libexec/ipsec dir and files.
-- Minor tidy up of spec file.
-
-* Thu May 15 2003 Charlie Brady <charlieb@e-smith.com> 2.0.0-1es
-- Based on work by Paul Lahaie of Steamballoon, Michael
- Richardson of freeS/WAN team and Tuomo Soini <tis@foobar.fi>.
-- Build freeswan RPMs from a single source RPM, for RedHat, but
- should work on any RPM based system.
diff --git a/packaging/redhat/kernel-list.txt b/packaging/redhat/kernel-list.txt
deleted file mode 100644
index e24d827e1..000000000
--- a/packaging/redhat/kernel-list.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-athlon-smp i386 i386
-athlon i386 i386
-i386-smp i386 i386
-i386 i386 i386
-i586-smp i386 i386
-i586 i386 i386
-i686-smp i386 i386
-i686-bigmem i386 i386
-i686 i386 i386
diff --git a/packaging/redhat/rpm.in b/packaging/redhat/rpm.in
deleted file mode 100644
index 4ede8ebc5..000000000
--- a/packaging/redhat/rpm.in
+++ /dev/null
@@ -1,149 +0,0 @@
-# fairly minimal RPM spec file, does only packaging
-# Based on work by Paul Lahaie of Steamballoon.
-# This file is touched up by sed (in the Makefile) before it is actually used.
-Summary: Kernel with FreeS/WAN
-Name: freeswan
-Version: @IPSECVERSION@_@KERNELVERSION@
-Release: 0
-Copyright: GPL
-Source: freeswan-%{version}.tar.gz
-Group: System Environment/Daemons
-BuildRoot: /var/tmp/%{name}-%{PACKAGE_VERSION}-root
-%define __spec_install_post /usr/lib/rpm/brp-compress || :
-%define KernelVer @KERNELVERSIONORIG@
-Requires: ipsec-userland ipsec-kernel
-
-%package userland
-Summary: Kernel with FreeS/WAN
-Group: System Environment/Daemons
-Provides: ipsec-userland
-Requires: ipsec-kernel
-
-%package module
-Summary: FreeS/Wan kernel module
-Group: System Environment/Kernel
-Provides: ipsec-kernel
-# do not make the dependancy circular for now.
-#Requires: ipsec-userland
-
-%description userland
-This package contains the daemons and userland tools for setting up
-FreeS/WAN on a freeswan enabled kernel.
-
-%description module
-This package contains only the ipsec module for the RedHat series of kernels.
-
-%description
-A dummy package that installs userland and kernel pieces.
-
-%prep
-
-%build
-
-%install
-
-%clean
-rm -rf ${RPM_BUILD_ROOT}
-
-%files userland
-%defattr(-,root,root)
-@PUBDIR@/ipsec
-@FINALBINDIR@/*
-@FINALLIBDIR@/*
-/etc/rc.d/init.d/ipsec
-
-%attr(0644,root,root) %config @FINALCONFDIR@/ipsec.conf
-%attr(0644,root,root) %config @FINALCONFDDIR@/policies/clear
-%attr(0644,root,root) %config @FINALCONFDDIR@/policies/private
-%attr(0644,root,root) %config @FINALCONFDDIR@/policies/block
-%attr(0644,root,root) %config @FINALCONFDDIR@/policies/private-or-clear
-%attr(0644,root,root) %config @FINALCONFDDIR@/policies/clear-or-private
-
-%doc @MANTREE@/man3/*
-%doc @MANTREE@/man5/*
-%doc @MANTREE@/man8/*
-%doc @FINALEXAMPLECONFDIR@/*
-
-%files module
-%defattr (-,root,root)
-/lib/modules/%{KernelVer}/kernel/net/ipsec
-
-%pre userland
-if [ -f /etc/ipsec.conf ]
-then
- cp -f --backup=t /etc/ipsec.conf /etc/ipsec.conf.prerpm > /dev/null 2> /dev/null
-fi
-
-%preun userland
-sh /etc/rc.d/init.d/ipsec stop || exit 0
-
-%postun module
-# This is a kludge to handle the fact that ipsec.o is not deleted
-# on plain jane RPM uninstall.
-for i in /lib/modules/*@KERNELVERSIONORIG@*
- do
- mv -f --backup=t "$i"/kernel/net/ipsec/ipsec.o "$i"/kernel/net/ipsec/ipsec.o.rpmbak > /dev/null 2> /dev/null
- done || exit 0
-
-%post module
-# Same RPM uninstall kludge.
-for i in /lib/modules/*@KERNELVERSIONORIG@*
- do
- mv -f --backup=t "$i"/kernel/net/ipsec/ipsec.o "$i"/kernel/net/ipsec/ipsec.o.rpmbak > /dev/null 2> /dev/null
- done
-echo "do not forget to install the userland utilities"
-exit 0
-
-%post userland
-chkconfig --add ipsec
-echo "invoke \"service ipsec start\" or reboot to begin"
-
-%changelog
-#
-# $Log: rpm.in,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.6 2003/01/30 23:31:34 sam
-#
-# dhr contributed changes. still may need modification, but I'm committing
-# before I leave.
-#
-# Revision 1.5 2003/01/14 22:03:44 sam
-# include policy files in RPM.
-#
-# Revision 1.4 2003/01/04 07:38:11 build
-# *** empty log message ***
-#
-# Revision 1.3 2002/12/12 05:45:41 sam
-# new template file from 1.99 pulled up in part
-#
-# Revision 1.2.2.1 2002/12/07 23:47:22 sam
-# merging in a few 1.99 rpm.in changes.
-#
-# Revision 1.2 2002/10/30 06:54:15 sam
-# Updates to take into account lib vs libexec - so we don't miss files.
-#
-# Revision 1.1 2002/10/06 08:35:54 sam
-# RPM template
-#
-# Revision 1.9 2002/06/16 21:53:49 mcr
-# added missing clauses to userland section.
-#
-# Revision 1.8 2002/06/16 20:18:41 mcr
-# 2.00 series RPM will have a "freeswan-userland" rather than
-# a "freeswan-X" RPM. Among other things, it makes regexp easier
-# to locate the different pieces.
-#
-# Revision 1.7 2002/06/11 23:10:53 mcr
-# added dependancies from userland->kernel.
-# cross-dependancies considered but cause too much user pain.
-#
-# Revision 1.6 2002/06/09 15:46:41 mcr
-# move installed modules for make rpm to kernel versioned directory.
-#
-# Revision 1.5 2002/04/11 02:50:30 mcr
-# added %post to make ipsec start, and %post to shut it down.
-# added %changelog as well.
-#
-#
diff --git a/packaging/utils/backup b/packaging/utils/backup
deleted file mode 100755
index 0c860c280..000000000
--- a/packaging/utils/backup
+++ /dev/null
@@ -1,80 +0,0 @@
-#! /bin/sh
-# make backup of FreeSwan repository
-# -l local build only, do not transmit
-
-#scphost=freeswan@xs1.xs4all.nl
-scphost=henry@adams.freeswan.org
-scpdir=backup
-pfile=~freeswan/etc/relpass
-ppfile=~freeswan/etc/bpp
-
-PATH=/bin:/usr/bin
-export PATH
-umask 077
-
-tmpdir=~freeswan/tmp
-tarname=freeswan.tar
-
-. ~freeswan/setup
-
-cd $tmpdir
-rm -f $tarname $tarname.gz
-touch $tarname
-
-cd ~freeswan
-tar -cf $tmpdir/$tarname `ls -a |
- egrep -v '^(\.|\.\.|archive|\.nobak|\.ssh|\.ssh2|tmp)$'`
-
-cd $tmpdir
-gzip -9 $tarname
-ls -l $tarname.gz
-
-if test " $1" = " -l"
-then
- exit 0
-fi
-
-echo updating >notice
-
-date
-expect -nN -c "
- set scphost $scphost
- set scpdir $scpdir
- set pfile $pfile
- set ppfile $ppfile
- set tarname $tarname
- "'
- # canned procedure for scp copying
- proc scp {from to} {
- global p scphost scpdir
- spawn scp2 -p -q $from $scphost:$scpdir/$to
- set timeout -1
- expect {
- "word:" {
- set fname $pfile
- # fall out
- }
- {":} {
- set fname $ppfile
- # fall out
- }
- eof {
- puts "eofed!"
- return
- }}
- sleep 3
- set f [open $fname r]
- set p [read $f]
- close $f
- send "$p\r"
- expect "\n"
- expect eof
- wait
- }
-
- scp notice $tarname.gz
- scp $tarname.gz $tarname.gz
- # done'
-date
-
-rm -f $tarname.gz
diff --git a/packaging/utils/branch b/packaging/utils/branch
deleted file mode 100755
index 2c13d4b6a..000000000
--- a/packaging/utils/branch
+++ /dev/null
@@ -1,70 +0,0 @@
-#! /bin/sh
-# branch release
-
-PATH=/bin:/usr/bin ; export PATH
-umask 022
-
-. $HOME/freeswan-regress-env.sh
-
-case "$1" in
-*.*) ;;
-*) echo "Usage: $0 release [file...]" >&2 ; exit 2 ;;
-esac
-
-rel="$1"
-shift
-tr="`echo $rel | tr '.' '_'`"
-pre=PRE$tr
-base=BASE$pre
-
-echo "generating key for branch"
-SNAPPGP=$SNAPSHOTSIGDIR/$base
-# Note: PGPPATH is limited to 50 characters.
-PGPPATH=$SNAPPGP export PGPPATH
-mkdir -p $PGPPATH
-touch $PGPPATH/pgpdoc1.txt
-touch $PGPPATH/pgpdoc2.txt
-
-if [ ! -f $PGPPATH/secring.pgp ]
-then
- echo "Please set userid to '<build+snap$tr@freeswan.org>'$PGPPATH"
- pgp -kg
-
- echo -n "Please insert release key floppy for signature"
- read ans
- mount /mnt/build
- PGPPATH=/mnt/build/freeswan export PGPPATH
-
- echo "Now signing key - please answer yes."
- pgp $SNAPPGP/pubring.pgp
-
- echo Please put key in $SNAPPGP/signedkey.asc
- pgp -kxa build+snap$tr@freeswan.org
-
- umount /mnt/build
-
-fi
-
-if [ ! -f snapshotsigs.pgp ]
-then
- PGPPATH=$SNAPPGP export PGPPATH
- echo "Now importing key"
- pgp $SNAPPGP/signedkey.asc
-
- cp $SNAPPGP/signedkey.asc snapshotsigs.pgp
- cvs add snapshotsigs.pgp
- cvs commit -m"Signing key for $rel" snapshotsigs.pgp
-fi
-
-echo -n "PGP finished, now budding, press enter"
-read ans
-
-echo "budding..."
-rm -f Makefile.ver
-cvs tag $opt -c $base $*
-echo
-echo "branching..."
-cvs tag $opt -b -r $base $pre $*
-
-
-
diff --git a/packaging/utils/canrel b/packaging/utils/canrel
deleted file mode 100755
index 567ce96a8..000000000
--- a/packaging/utils/canrel
+++ /dev/null
@@ -1,55 +0,0 @@
-#! /bin/sh
-# canrel [-F] release
-# -F means override previous run
-# current versions in the repository are used
-# must be run in a release-branch CVS working directory with current top/*
-
-PATH=/bin:/usr/bin ; export PATH
-umask 022
-
-. ~build/freeswan-regress-env.sh
-
-opt=
-case "$1" in
--F) opt=-F ; shift ;;
-esac
-
-case "$#:$1" in
-1:*.*) ;;
-*) echo "Usage: $0 release" >&2 ; exit 2 ;;
-esac
-
-rel="$1"
-pretag="PRE`echo $rel | tr '.' '_'`"
-rtag="R`echo $rel | tr '.' '_'`"
-
-sed '1s/xxx/'"$rel"'/' README >README.$$
-if cmp -s README README.$$
-then
- : already current, for some reason
- rm -f README.$$
-else
- mv README.$$ README
- cvs -Q commit -m "update for release $rel" README
-fi
-sed '/=.*/s//='"$rel"'/' Makefile.ver >mversion.$$
-if cmp -s Makefile.ver mversion.$$
-then
- : already current, for some reason
- rm -f mversion.$$
-else
- mv mversion.$$ Makefile.ver
- cvs -Q commit -m "update for release $rel" Makefile.ver
-fi
-sed '1s/xxx/'"$rel"'/' CHANGES >CHANGES.$$
-if cmp -s CHANGES CHANGES.$$
-then
- : already current, for some reason
- rm -f CHANGES.$$
-else
- mv CHANGES.$$ CHANGES
- cvs -Q commit -m "update for release $rel" CHANGES
-fi
-cd ..
-
-cvs rtag $opt -r $pretag $rtag all
diff --git a/packaging/utils/disttools.pl b/packaging/utils/disttools.pl
deleted file mode 100644
index 4ea8db61d..000000000
--- a/packaging/utils/disttools.pl
+++ /dev/null
@@ -1,357 +0,0 @@
-#!/usr/bin/perl
-
-#
-# $Id: disttools.pl,v 1.1 2004/03/15 20:35:27 as Exp $
-#
-# $Log: disttools.pl,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.13 2003/06/17 22:30:06 build
-# adjusted userid to pick
-# use key that is offline.
-#
-# Revision 1.12 2002/09/30 16:02:17 mcr
-# added handling for date stamp.
-#
-# Revision 1.11 2002/08/30 01:30:25 mcr
-# changed code to write maintain local copy of FTP site,
-# and rsync things up when needed.
-#
-# Revision 1.10 2002/07/29 05:13:33 mcr
-# append .gz to patch files before they are signed.
-#
-# Revision 1.9 2002/07/29 04:02:21 mcr
-# removed errant ) from tar copy line.
-#
-# Revision 1.8 2002/07/29 03:57:59 mcr
-# produce kernel patches as part of the snapshots, candidates
-# and releases.
-#
-# Revision 1.7 2002/06/07 18:23:49 mcr
-# adjusted sendfiles to use tar to copy rather than scp.
-# mkcand now prints usage if you don't give it enough arguments.
-# It also now updates the "CANDIDATE" symlink.
-# mksnap properly quotes the wildcards in the -name for find.
-#
-# Revision 1.6 2002/06/03 03:10:58 mcr
-# "upload" now takes argument to indicate name to
-# install/upload for the symlink.
-#
-# Revision 1.5 2002/06/03 02:19:40 mcr
-# fixed bug in datelettername() - y/sed was not applied to $let,
-# but to $_.
-#
-# Revision 1.4 2002/06/03 02:14:16 mcr
-# die statements are now numbered for easier backtracking.
-# candidate checks are now done if $candidate arg=1: edit README
-# and CHANGES file for mkcand.
-#
-# Revision 1.3 2002/05/30 23:24:22 mcr
-# working "mksnap" and disttools.pl.
-#
-# Revision 1.2 2002/05/30 22:20:56 mcr
-# initial debugging done.
-#
-# Revision 1.1 2002/05/30 21:24:00 mcr
-# perl-ified mksnap.
-#
-#
-
-@supportedkernels=("2.0", "2.2", "2.4");
-
-sub nicesystem {
- if($debug) {
- print STDERR "System: ",join(' ',@_)."\n";
- }
- system(@_);
- if($? == 0) {
- return 1;
- } else {
- return 0;
- }
-}
-
-sub kpatchname {
- local($pkgname, $ver)=@_;
- local($name);
-
- $name = $pkgname.".k".$ver.".patch";
- return $name;
-}
-
-
-sub datelettername {
- @MoY = ('jan','feb','mar','apr','may','jun',
- 'jul','aug','sep','oct','nov','dec');
-
- $letters="abcdefghjklmnpqrstuvwxyz";
-
- ($sec, $min, $hour, $mday, $mon, $year) = gmtime(time);
-
- $let=substr($letters, $hour-1, 1);
- if($min >= 30) {
- $let =~ y/a-z/A-Z/;
- }
-
- if($year < 1900) {
- $year += 1900;
- }
-
- $ver=sprintf("%04d%s%02d%s", $year, $MoY[$mon], $mday, $let);
- $ver;
-}
-
-sub snapname {
- local($prefix)=@_;
- $snapname=$prefix.&datelettername;
- $snapname;
-}
-
-sub suckvars {
- $envvar=$ENV{'HOME'}."/freeswan-regress-env.sh";
-
- if(-f $envvar) {
-
- open(SHVARS, $envvar) || die "001: Can not open $envvar: $!\n";
- while(<SHVARS>) {
- chop;
- next if (/^\#/);
-
- if(/(\S+)\=(\S+)/) {
- $var=$1;
- $value=$2;
-
- $ENV{$var}=$value;
- }
- }
- close(SHVARS);
- }
-}
-
-sub defvar {
- local($var,$value)=@_;
-
- if(!defined($ENV{$var})) {
- $ENV{$var}=$value;
- }
-}
-
-sub defvars {
- &defvar('BTMP', '/btmp');
- if($ENV{'DEBUGFREESWANDIST'}) {
- $debug=$ENV{'DEBUGFREESWANDIST'};
- }
-}
-
-sub setuppgp {
- local($lastrel)=@_;
-
- $lastrel =~ y/\./\_/;
-
- $ENV{'PGPPATH'}=$ENV{'SNAPSHOTSIGDIR'}."/BASEPRE$lastrel";
- $ENV{'PGPNAME'}="build+snap".$lastrel."\@freeswan.org";
-}
-
-sub dopgpsig {
- local($pkgname)=@_;
-
- local($tarfile);
- $tarfile=$pkgname.".tar";
-
- $userid=$ENV{'PGPNAME'};
- &nicesystem("pgp -sba $tarfile.gz -u $userid -o $tarfile.gz.sig") || die "002: PGP failed: $?\n";
- &nicesystem("chmod a+r $tarfile.gz.sig");
-
- foreach $ver (@supportedkernels) {
- $file=&kpatchname($pkgname,$ver).".gz";
- &nicesystem("pgp -sba $file -u $userid -o $file.sig") || die "002: PGP failed: $?\n";
- &nicesystem("chmod a+r $file.sig");
- }
-}
-
-
-# this function now does two things:
-# 1) makes the tar file of old
-# 2) makes the kernel patch file of new.
-#
-
-sub makedisttarfile {
- local($tmpdir, $pkgname, $vername, $dirname, $date, $relopt, $candidate)=@_;
- local($file);
-
- &nicesystem("mkdir -p $tmpdir") || die "003: Can not mkdir $tmpdir\n";
- chdir($tmpdir) || die "004: makedisttarfile: Can not chdir to $tmpdir\n";
-
- # nuke anything that was there before
- &nicesystem("rm -rf $dirname");
-
- if(defined($date) && $date ne '') {
- $minusD="-D \"${date}\"";
- }
-
- print "cvs -Q export $minusD ${relopt} -d ${dirname} freeswan\n";
-
- &nicesystem("cvs -Q export $minusD ${relopt} -d ${dirname} freeswan") || die "005: CVS failed!\n";
-
- chdir($dirname) || die "006: Can not chdir to $dirname\n";
-
- open(VERSIONFILE, ">Makefile.ver") || die "007: failed to open Makefile.ver\n";
- print VERSIONFILE "IPSECVERSION=".$vername."\n";
- close(VERSIONFILE);
-
- if($candidate) {
- open(README, "README") || die "008: Can not edit README: $!\n";
- $nreadme="README.$$";
- open(NREADME, ">$nreadme") || die "009: Can not write README: $!\n";
- $lines=1;
- while(<README>) {
- if($lines == 1) {
- s/xxx/$vername/;
- }
-# if(/^---$/) {
-# print STDERR "README not ready, run prepcand first\n";
-# die;
-# }
- $lines++;
- print NREADME;
- }
- close(NREADME);
- close(README);
- unlink("README") || die "010: Can not remove README: $!\n";
- rename("$nreadme", "README") || die "011: Can not rename $nreadme to README: $!\n";
-
- # now edit CHANGES file
- open(CHANGES, "CHANGES") || die "012: Can not edit README: $!\n";
- $nchanges="CHANGES.$$";
- open(NCHANGES,">$nchanges") || die "013: Can not write README: $!\n";
- $lines=1;
- while(<CHANGES>) {
- if($lines == 1) {
- if(/since last release/) {
- die "CHANGES not ready, run prepcand first";
- }
- s/xxx/$vername/;
- }
- $lines++;
- print NCHANGES;
- }
- close(NCHANGES);
- close(CHANGES);
- unlink("CHANGES") || die "014: Can not remove CHANGES: $!\n";
- rename("$nchanges", "CHANGES") || die "015: Can not rename $nreadme to README: $!\n";
- }
-
- &nicesystem("make -f dtrmakefile -s snapready") || die "016: failed to make snapshot ready for distribution: $?\n";
-
- chdir("..") || die "017: failed to go to parent dir: $!\n";
-
- unlink("$pkgname.tar");
- unlink("$pkgname.tar.gz");
- unlink("$pkgname.tar.gz.md5");
-
- &nicesystem("tar -cf $pkgname.tar $dirname") || die "018: Failed to tar file: $?\n";
-
- # make the kernelpatch for each of 2.0, 2.2, and 2.4.
- foreach $ver (@supportedkernels) {
- $file=&kpatchname($pkgname,$ver);
- &nicesystem("make -C $dirname kernelpatch$ver >$file");
- &nicesystem("gzip -9 $file");
- }
-
- &nicesystem("rm -rf $dirname") || warn "failed to cleanup $dirname\n";
-
- &nicesystem("gzip -9 $pkgname.tar") || die "019: gzip died: $?\n";
-
- &nicesystem("ls -l $pkgname.tar.gz");
-
- &nicesystem("md5sum $pkgname.tar.gz >$pkgname.tar.gz.md5");
- &nicesystem("chmod a+r $pkgname.tar.gz");
-}
-
-sub sendfiles {
- local(@thefiles)=@_;
-
- local($file, $localroot);
-
-if($ENV{'DEV_DIR'}) { $localroot=$ENV{'DEV_DIR'}; } else { $localroot=$ENV{'LOCAL_ARCHIVE'}; }
-
- foreach $file (@thefiles) {
- $dir=$file;
- if(!($dir =~ s,(.*)/([^/]*),\1,)) {
- $dir=".";
- } else {
- $file=$2;
- }
-
- &nicesystem("tar -C $dir -c -f - $file | tar -C ${localroot} -x -f -");
- }
-}
-
-
-sub remotecmd {
- local($cmd)=@_;
-
- $distuser=$ENV{'DISTUSER'};
- $disthost=$ENV{'DISTHOST'};
- $distdir =$ENV{'DISTDIR'};
- $ssh =$ENV{'ssh'};
-
- &nicesystem("$ssh -l $distuser $disthost '$cmd'");
-}
-
-
-sub upload {
- local($pkgname, $symlinkname)=@_;
-
- local($localroot);
-
-if($ENV{'DEV_DIR'}) { $localroot=$ENV{'DEV_DIR'}; } else { $localroot=$ENV{'LOCAL_ARCHIVE'}; }
-
- &sendfiles("$pkgname.tar.gz",
- "$pkgname.tar.gz.sig",
- "$pkgname.tar.gz.md5");
-
- foreach $ver (@supportedkernels) {
- $file=&kpatchname($pkgname,$ver).".gz";
- &sendfiles($file, "$file.sig");
- }
-
- if(defined($symlinkname)) {
- &sendfiles($symlinkname.".tar.gz.md5");
- &nicesystem("cd $localroot && ln -f -s $pkgname.tar.gz $symlinkname.tar.gz && ln -f -s $pkgname.tar.gz.sig $symlinkname.tar.gz.sig");
-
- foreach $ver (@supportedkernels) {
- $file=&kpatchname($pkgname,$ver);
- $newname=&kpatchname($symlinkname,$ver);
- &nicesystem("cd $localroot && ln -f -s $file.gz $newname.gz && ln -f -s $file.gz.sig $newname.gz.sig");
- }
-
- }
-}
-
-sub upsync {
-
- local($localroot, $distuser, $disthost, $distdir, $spoolhost, $spooluser);
- local($masterhost, $masteruser, $masterdir);
-
- $localroot=$ENV{'LOCAL_ARCHIVE'};
- $distuser=$ENV{'DISTUSER'};
- $disthost=$ENV{'DISTHOST'};
- $distdir =$ENV{'DISTDIR'};
- $ssh =$ENV{'ssh'};
- $masterhost = $ENV{'MASTERHOST'};
- $masteruser = $ENV{'MASTERUSER'};
- $masterdir = $ENV{'MASTERDIR'};
-
- # sync stuff to distribution site.
- &nicesystem("rsync -e $ssh -r --delete -a -v -c $localroot/ $masteruser\@$masterhost:$masterdir/");
-
- # sync stuff to xs4all site.
- &nicesystem(print "rsync -e $ssh -r --delete -a -v -c $localroot/ $distuser\@$disthost:$distdir/");
- &nicesystem("rsync -e $ssh -r --delete -a -v -c $localroot/ $distuser\@$disthost:$distdir/");
-
-}
-
-1;
-
diff --git a/packaging/utils/errcheck b/packaging/utils/errcheck
deleted file mode 100755
index 1a1ab5037..000000000
--- a/packaging/utils/errcheck
+++ /dev/null
@@ -1,40 +0,0 @@
-#! /bin/sh
-# internal utility for testing kernel make output for errors
-# Copyright (C) 1998, 1999 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: errcheck,v 1.1 2004/03/15 20:35:27 as Exp $
-
-# the errors.[och] stuff is for math emulation
-# the HiSax nonsense is due to a Red Hat 5.2 botch
-# RH7.2 "make dep" builds stuff in drivers/macintosh (!!) using <asm/init.h>
-# Red Hat's 2.2.19 whines about function read_rx_long_length_errors in e100.c
-# 2.4.18: 53c700.h:40:2: #error "Config.in must define either CONFIG_53C700_IO_MAPPED or CONFIG_53C700_MEM_MAPPED to use this scsi core."
-oops="`sed -e 's/-Werror/-Weror/g' \
- -e '/errors*\.[och]/s/errors*\./eror./g' \
- -e '/scsi_error/s//scsi_eror/' \
- -e '/KBUILD_BASENAME=errors/s/errors/eror/g' \
- -e '/#error .HiSax: No cards configured/s/error/eror/' \
- -e '/#error .<asm.init.h> should never be used/s/error/eror/' \
- -e '/53c700.h:[0-9:]* #error "Config.in must define either CONFIG_53C700_IO_MAPPED or CONFIG_53C700_MEM_MAPPED to use this scsi core."/s/error/eror/' \
- -e '/^e100.c: In function/s/length_errors/length_erors/' $* |
- egrep -i 'error|\*\*\*' | egrep -v ': warning:'`"
-if test " $oops" != " "
-then
- echo
- echo "***ERRORS DETECTED in $* (examine file for details):"
- echo "$oops"
- echo
- exit 1
-else
- exit 0
-fi
diff --git a/packaging/utils/kernel.patch.gen.sh b/packaging/utils/kernel.patch.gen.sh
deleted file mode 100644
index 0bc726dd1..000000000
--- a/packaging/utils/kernel.patch.gen.sh
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/bash
-#
-# RCSID $Id: kernel.patch.gen.sh,v 1.1 2004/03/15 20:35:27 as Exp $
-
-patchdir=`pwd`
-kernelsrc=/usr/src/linux
-[ "$1~" = "~" ] || kernelsrc=$1
-cd $kernelsrc
-# clean out destination file for all patch
-#echo "">$patchdir/all
-
-# find files to patch and loop
-for i in `find . -name '*.preipsec'`
-do
-
-# strip off '.preipsec' suffix
-j=${i%.preipsec}
-
-# strip off './' prefix
-k=${j#\.\/}
-
-# single unified diff
-#diff -u $i $j >>$patchdir/all
-
-# convert '/' in filename to '.' to avoid subdirectories
-sed -e 's/\//\./g' << EOI > /tmp/t
-$k
-EOI
-l=`cat /tmp/t`
-rm -f /tmp/t
-
-# *with* path from source root
-#echo do diff -u $i $j '>' $patchdir/$l
-echo found $i
-echo "RCSID \$Id: kernel.patch.gen.sh,v 1.1 2004/03/15 20:35:27 as Exp $" >$patchdir/$l
-diff -u $i $j >>$patchdir/$l
-
-done
-
-#
-# $Log: kernel.patch.gen.sh,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.6 2002/04/25 17:04:16 mcr
-# resurrected kernel.patch.gen.sh
-#
-# Revision 1.4 1999/04/06 04:54:30 rgb
-# Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
-# patch shell fixes.
-#
-#
diff --git a/packaging/utils/kerneldiff b/packaging/utils/kerneldiff
deleted file mode 100755
index 5cd4f73e2..000000000
--- a/packaging/utils/kerneldiff
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/sh
-
-# wander through a FreeSWAN linux directory, comparing each file to
-# a corresponding file in the argument $KERNELSRC directory, creating
-# a diff that can be used to update the FreeSWAN source tree.
-#
-# This script is useful if you have used "make kernelpatch" to patch
-# a kernel, and then had to edit the source code in the kernel tree.
-#
-# $Id: kerneldiff,v 1.1 2004/03/15 20:35:27 as Exp $
-#
-
-KERNELSRC=$1
-shift
-
-(cd linux && find . -type f -print) | grep -v CVS | egrep -v './Makefile' | while read file
-do
- base=`basename $file`
- case $base in
- .cvsignore) ;;
- .*.o.flags) ;;
- *.o) ;;
- *~) ;;
- *.$patchname.patch) ;;
- *.patch) ;;
- *.orig) ;;
- *.rej) ;;
- version.c);;
- *) diff -u linux/$file $KERNELSRC/$file ;;
- esac
-done
-
-exit 0
-
-
diff --git a/packaging/utils/kernelpatch b/packaging/utils/kernelpatch
deleted file mode 100755
index d2b8e86f1..000000000
--- a/packaging/utils/kernelpatch
+++ /dev/null
@@ -1,55 +0,0 @@
-#!/bin/sh
-
-# wander through a FreeSWAN linux directory, creating a patch file (to stdout)
-# that will apply the code to a kernel source directory.
-#
-# $Id: kernelpatch,v 1.1 2004/03/15 20:35:27 as Exp $
-#
-
-KERN=$1
-shift
-
-case $KERN in
- 2.0) patchname=fs2_0;;
- 2.2) patchname=fs2_2;;
- 2.4) patchname=fs2_4;;
- 2.5) patchname=fs2_5;;
- *) echo "Invalid kernel patch target: $KERN"; exit 1;;
-esac
-
-# make sure that sort gets the right locale.
-LANG=C export LANG
-LC_ALL=C export LC_ALL
-
-
-find linux -type f -print | grep -v CVS | egrep -v 'linux/Makefile' | sort | while read file
-do
- base=`basename $file`
- case $base in
- TAGS) ;;
- tags) ;;
- .cvsignore) ;;
- .*.o.flags) ;;
- .\#*);;
- *.o) ;;
- *~) ;;
- tagsfile.mak) ;;
- *.$patchname.patch) cat $file;;
- *.patch) ;;
- *) diff -u /dev/null $file;;
- esac
-done
-
-#
-# finally, we have to produce a diff for linux/net/linux/Makefile.ver,
-# a file which is generated at runtime, so there is nothing in CVS.
-#
-echo '--- /dev/null Fri May 10 13:59:54 2002'
-echo '+++ linux/net/ipsec/Makefile.ver Sun Jul 28 22:10:40 2002'
-echo '@@ -0,0 +1 @@'
-echo -n '+'
-grep IPSECVERSION Makefile.ver
-
-exit 0
-
-
diff --git a/packaging/utils/kernelversion b/packaging/utils/kernelversion
deleted file mode 100755
index a021398af..000000000
--- a/packaging/utils/kernelversion
+++ /dev/null
@@ -1,10 +0,0 @@
-#! /bin/sh
-# determine kernel version code, mostly for use in RPM building
-
-awk 'BEGIN { FS = " *= *" }
- NF != 2 { next }
- $1 == "VERSION" { maj = $2 }
- $1 == "PATCHLEVEL" { mid = $2 }
- $1 == "SUBLEVEL" { min = $2 }
- $1 == "EXTRAVERSION" { ext = $2 }
- END { print maj "." mid "." min ext }' $*
diff --git a/packaging/utils/kernelversion-short b/packaging/utils/kernelversion-short
deleted file mode 100755
index 677f7b4da..000000000
--- a/packaging/utils/kernelversion-short
+++ /dev/null
@@ -1,8 +0,0 @@
-#! /bin/sh
-# determine kernel version code, mostly for use in RPM building
-
-awk 'BEGIN { FS = " *= *" }
- NF != 2 { next }
- $1 == "VERSION" { maj = $2 }
- $1 == "PATCHLEVEL" { mid = $2 }
- END { print maj "." mid }' $*
diff --git a/packaging/utils/manlink b/packaging/utils/manlink
deleted file mode 100755
index 84e6031b2..000000000
--- a/packaging/utils/manlink
+++ /dev/null
@@ -1,74 +0,0 @@
-#! /bin/sh
-#
-# $Id: manlink,v 1.1 2004/03/15 20:35:27 as Exp $
-#
-# make list of alternate names for manpages
-
-PATH=/bin:/usr/bin ; export PATH
-usage="$0 manpage ..."
-
-for m
-do
- bm=`basename $m`
- if test ! -f $m
- then
- echo "$0: cannot find \`$m'" >&2
- exit 1
- fi
- suf=$(expr $bm : '.*\([.][^.][^.]*\)$')
-
- # a .\"+ line rules
- them=$(awk '/^\.\\"\+[ ]/ { for (i = 2; i <= NF; i++) print $i }' $m)
-
- # otherwise, try to intuit the list of names from the NAME section
- if test " $them" = " "
- then
- them=$( awk '/^\.SH[ \t]+NAME/,/^\.SH[ \t]+[^N]/' $m |
- egrep -v '^\.' | tr ' ,' ' ' |
- sed -n '/ *\\*- *.*/s///p' | tr -s ' ' '\012' |
- egrep -v '^ipsec$' )
- fi
-
- # do it
- for f in $them
- do
- case $f in
- ipsec*) ff="$f" ;; # ipsec.8, ipsec.conf.5, etc.
- *) ff="ipsec_$f" ;;
- esac
- case $ff in
- *.[1-8]) ;;
- *) ff="$ff$suf" ;;
- esac
- #echo "Q: $bm FF: $ff" >&2
- if [ " $ff" != " $bm" ] && [ " $ff" != " ipsec_$bm" ]
- then
- echo $bm $ff
- fi
- done
-done
-
-#
-# $Log: manlink,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.8 2002/09/17 20:17:16 sam
-#
-# The "make doc" fix broke "make install" silently; some man page symlinks
-# were being linked incorrectly. This resulted in files which passed the make
-# install test but linked to nothing.
-#
-# Revision 1.7 2002/08/07 06:23:35 sam
-#
-# freeswan/packaging/utils/manlink
-#
-# Revision 1.6 2002/05/06 21:20:24 mcr
-# manlink -n idea is a fail. It depended upon being able to
-# read the man page at the installed location, which isn't going
-# to work consistently. manlink now just generates a list of links
-# that should be made, leaving the Makefile script to decide what
-# to do with them. Further, it now processes the files found in the
-# repository, rather than the ones installed.
-#
-#
diff --git a/packaging/utils/maysnap b/packaging/utils/maysnap
deleted file mode 100755
index 9685c1d20..000000000
--- a/packaging/utils/maysnap
+++ /dev/null
@@ -1,41 +0,0 @@
-#! /bin/sh
-# consider making snapshot of FreeSwan code
-
-who=mcr
-USER=build export USER
-
-. ~build/freeswan-regress-env.sh
-
-umask 022
-
-cd ~build/WANTSNAP
-
-if test ! -f dosnap
-then
- exit 0
-fi
-
-set -x
-
-if test -f doingsnap
-then
- echo "snapshot already in progress" | mail -s "snapshot averted" $who
- exit 0
-fi
-
-echo $$ >doingsnap
-sort -u dosnap >/tmp/snap$$
-echo === >>/tmp/snap$$
-if ~build/bin/mksnap -S >>/tmp/snap$$ 2>&1
-then
- #if ~build/bin/mksnap -r 1.97 -p pre1.98 >>/tmp/snap$$ 2>&1
- #then
- rm -f dosnap
- #fi
-fi
-
-mail -s "snapshot report $reqd" $who </tmp/snap$$
-rm -f /tmp/snap$$ doingsnap
-
-find /btmp/build/snapshots -type f -ctime +5 -print | xargs -r rm
-
diff --git a/packaging/utils/maytest b/packaging/utils/maytest
deleted file mode 100755
index 6bc08da11..000000000
--- a/packaging/utils/maytest
+++ /dev/null
@@ -1,42 +0,0 @@
-#! /bin/sh
-# consider making snapshot of FreeSwan code
-
-who=mcr
-USER=build export USER
-
-. ~build/freeswan-regress-env.sh
-
-umask 022
-
-cd ~build/WANTSNAP
-
-if test ! -f dotest
-then
- exit 0
-fi
-
-if test -f doingtest
-then
- exit 0
-fi
-
-trap "rm -f ~build/WANTSNAP/doingtest ~build/WANTSNAP/dotest; exit 0" 0 1 2 15
-
-set -x
-
-echo $$ >doingtest
-sort -u doingtest >/tmp/nightly$$
-echo === >>/tmp/test$$
-if ~build/bin/nightly.sh >>/tmp/snap$$ 2>&1
-then
- rm -f doingtest
- rm -f dotest
-fi
-
-mail -s "nightly test report $reqd" $who </tmp/nightly$$
-rm -f /tmp/nightly$$ dotest
-
-# kill any wayward linux processes
-killuml linux
-
-
diff --git a/packaging/utils/mkcand b/packaging/utils/mkcand
deleted file mode 100755
index 91e69f62b..000000000
--- a/packaging/utils/mkcand
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/usr/bin/perl
-# mkcand m.nn
-# package candidate, leaving it in tmp directory
-
-require($ENV{'HOME'}."/bin/disttools.pl");
-
-&defvars;
-&suckvars;
-
-umask(022);
-
-$localdir=$ENV{'HOME'}."/archive";
-$ENV{'DEV_DIR'}=$localdir."/development";
-$tmpdir=$ENV{'BTMP'}."/".$ENV{'USER'}."/snapshots";
-
-$transmit=1;
-$snapprefix="";
-$tarinfix="";
-$date="now";
-$lastrel=$ENV{'LASTREL'};
-
-sub usage {
- print STDERR "mkcand:\n";
- print STDERR "\t-l do not transmit\n";
- print STDERR "\t-p name set candidate name\n";
- print STDERR "\t-r rel set release branch\n";
-}
-
-while(@ARGV) {
- $_=shift;
-
- if(/^-l/) {
- $transmit=0;
-
- } elsif(/^-S/) {
- $symlink=1;
-
- } elsif(/^-p/) {
- $rel=shift;
- $snapprefix="pre$rel-";
-
- } elsif(/^-r/) {
- $arg=shift;
- ($lastrel=$arg) =~ y/\./\_/;
- $relopt="-r PRE${lastrel}"
-
-# } elsif(/^-d/) {
-# $arg=shift;
-# $transmit=0;
-# $date=$arg;
-
- } else {
- &usage;
- exit;
- }
-}
-
-
-
-if(!defined($relopt) ||
- !defined($rel)) {
- &usage;
- exit;
-}
-
-if($rel < 2.00) {
- undef(@supportedkernels);
-}
-
-
-$candname=&snapname($snapprefix);
-$dirname="freeswan-cand".$candname;
-# $pkgname="candidate-".$candname;
-$pkgname=$dirname;
-$tarname=$pkgname.".tar";
-$vername="cand-".$candname;
-
-&nicesystem("mkdir -p $tmpdir");
-print "BUILDING candidate $candname in $dirname\n";
-if($transmit) {
- print "WILL TRANSMIT TO $ENV{'DISTHOST'}\n"
-} else {
- print "WILL NOT TRANSMIT\n";
-}
-
-&setuppgp($lastrel);
-
-&makedisttarfile($tmpdir, $pkgname, $vername, $dirname, $date, $relopt, 1);
-
-unlink("CANDIDATE.tar.gz");
-&nicesystem("ln $tarname.gz CANDIDATE.tar.gz") || die "failed to symlink to CANDIDATE.tar.gz: $?\n";
-&nicesystem("md5sum CANDIDATE.tar.gz >CANDIDATE.tar.gz.md5") || die "failed to md5sum of CANDIDATE.tar.gz: $?\n";
-
-&dopgpsig($pkgname);
-
-&nicesystem("pgp -kxa $ENV{'PGPNAME'} $pkgname.tar.gz.pgpkey && chmod +r $pkgname.tar.gz.pgpkey.asc");
-
-if($transmit) {
- system("date");
-
- local($snapprefix);
-
- &upload($pkgname);
-
- if($symlink) {
- &sendfiles("CANDIDATE.tar.gz.md5");
-
- &remotecmd("cd ".$ENV{'DISTDIR'}." && ln -f -s $pkgname.tar.gz CANDIDATE.tar.gz && ln -f -s $tarname.gz.sig CANDIDATE.tar.gz.sig");
-
- foreach $ver (@supportedkernels) {
- &remotecmd("cd ".$ENV{'DISTDIR'}." && ln -f -s $pkgname$ver.patch.gz CAND.KERN$ver.gz && ln -f -s $tarname.gz.sig CAND.KERN$ver.gz.sig");
- }
- }
-
- print "Cleaning up old candidates\n";
-
- local($file, $localroot);
-
- $localroot=$ENV{'DEV_DIR'};
- &nicesystem("cd $localroot && find . -mtime +3 | grep 'freeswan-cand$snapprefix' | xargs rm");
-
- &upsync;
-
- system("date");
-}
-
diff --git a/packaging/utils/mkrel b/packaging/utils/mkrel
deleted file mode 100755
index 3182d9d06..000000000
--- a/packaging/utils/mkrel
+++ /dev/null
@@ -1,95 +0,0 @@
-#!/usr/bin/perl
-# mkcand m.nn
-# package candidate, leaving it in tmp directory
-
-require($ENV{'HOME'}."/bin/disttools.pl");
-
-&defvars;
-&suckvars;
-
-umask(022);
-
-$localdir=$ENV{'HOME'}."/archive";
-
-$tmpdir=$ENV{'BTMP'}."/".$ENV{'USER'}."/snapshots";
-
-$transmit=1;
-$snapprefix="";
-$tarinfix="";
-$date="";
-$lastrel=$ENV{'LASTREL'};
-
-sub usage {
- print STDERR "mkrel:\n";
- print STDERR "\t-l do not transmit\n";
- print STDERR "\t-p name set release name\n";
- print STDERR "\t-r rel set release branch\n";
-}
-
-while(@ARGV) {
- $_=shift;
-
- if(/^-l/) {
- $transmit=0;
-
- } elsif(/^-S/) {
- $symlink=1;
-
- } elsif(/^-p/) {
- $rel=shift;
- $snapprefix="pre$rel-";
-
- } elsif(/^-r/) {
- $arg=shift;
- ($lastrel=$arg) =~ y/\./\_/;
- $relopt="-r PRE${lastrel}"
-
- } else {
- &usage;
- exit;
- }
-}
-
-if(!defined($relopt) ||
- !defined($rel)) {
- &usage;
- exit;
-}
-
-$dirname="freeswan-".$rel;
-$pkgname="freeswan-".$rel;
-$tarname=$pkgname.".tar";
-$vername=$rel;
-
-&nicesystem("mkdir -p $tmpdir");
-print "BUILDING release $rel in $dirname\n";
-if($transmit) {
- print "WILL TRANSMIT TO $ENV{'DISTHOST'}\n"
-} else {
- print "WILL NOT TRANSMIT\n";
-}
-
-$ENV{'PGPPATH'}="/mnt/build/freeswan";
-$ENV{'PGPNAME'}="build\@freeswan.org";
-
-&makedisttarfile($tmpdir, $pkgname, $vername, $dirname, $date, $relopt, 1);
-
-print "Please insert release key floppy for signature";
-$ans=<STDIN>;
-system("mount /mnt/build");
-&dopgpsig($pkgname);
-system("umount /mnt/build");
-
-if($transmit) {
- print "Now transmitting to XS4all\n";
- print "Starting on: ";
- system("date");
-
- &upload($pkgname);
-
- &upsync;
-
- print "Finished on: ";
- system("date");
-}
-
diff --git a/packaging/utils/mksnap b/packaging/utils/mksnap
deleted file mode 100755
index 4f336fc7a..000000000
--- a/packaging/utils/mksnap
+++ /dev/null
@@ -1,114 +0,0 @@
-#!/usr/bin/perl
-# make snapshot of FreeSwan code
-# -l local build only, do not transmit
-# -p nn pre-nn version (where nn is a release like 1.00)
-# -d ddd build as of date ddd (implies -l)
-
-require($ENV{'HOME'}."/bin/disttools.pl");
-
-&defvars;
-&suckvars;
-
-umask(022);
-
-$localdir=$ENV{'HOME'}."/archive";
-$ENV{'DEV_DIR'}=$localdir."/development";
-
-if(!defined($ENV{'USER'})) {
- $ENV{'USER'}="build";
-}
-
-$tmpdir=$ENV{'BTMP'}."/".$ENV{'USER'}."/snapshots";
-
-$transmit=1;
-$symlink=0;
-$snapprefix="";
-$tarinfix="";
-$relopt="";
-$date="now";
-$lastrel=$ENV{'LASTREL'};
-$lastrel =~ y/\./\_/;
-
-while(@ARGV) {
- $_=shift;
-
- if(/^-l/) {
- $transmit=0;
-
- } elsif(/^-D/) {
- $debug++;
-
- } elsif(/^-S/) {
- $symlink=1;
-
- } elsif(/^-p/) {
- $arg=shift;
- $snapprefix="$arg-";
-
- } elsif(/^-r/) {
- $arg=shift;
- ($lastrel=$arg) =~ y/\./\_/;
- $relopt="-r PRE${lastrel}"
-
-# } elsif(/^-d/) {
-# $arg=shift;
-# $transmit=0;
-# $date=$arg;
-
- } else {
- print STDERR "mksnap:\n";
- print STDERR "\t-l do not transmit\n";
- print STDERR "\t-p stuff set snapshot prefix\n";
- print STDERR "\t-r rel set release branch\n";
- print STDERR "\t-d date set snapshot date\n";
- exit;
- }
-}
-
-$snapname=&snapname($snapprefix);
-
-#if($date ne "now") {
-# $snapname="`echo $date | tr -d ' :'`" ;;
-#}
-
-$dirname="freeswan-snap".$snapname;
-$pkgname="snapshot-".$snapname;
-$tarname=$pkgname.".tar";
-
-&nicesystem("mkdir -p $tmpdir");
-print "BUILDING snapshot $dirname\n";
-if($transmit) {
- print "WILL TRANSMIT TO $ENV{'DISTHOST'}\n"
-} else {
- print "WILL NOT TRANSMIT\n";
-}
-
-&setuppgp($lastrel);
-
-&makedisttarfile($tmpdir, $pkgname, "$lastrel_$snapname", $dirname, $date, $relopt, 0);
-
-unlink("snapshot.tar.gz");
-&nicesystem("ln -s $tarname.gz snapshot.tar.gz") || die "failed to symlink to snapshot.tar.gz: $?\n";
-&nicesystem("md5sum snapshot.tar.gz >snapshot.tar.gz.md5") || die "failed to md5sum of snapshot.tar.gz: $?\n";
-
-&dopgpsig($pkgname);
-
-if($transmit) {
- system("date");
-
- &upload($pkgname, "snapshot");
-
- print "Cleaning up old snapshots\n";
-
- local($file, $localroot);
-
- $localroot=$ENV{'DEV_DIR'};
-
- &nicesystem("cd $localroot && find . -name \"snapshot-*\" -print | grep -v $pkgname | xargs -r rm --");
-
- &upsync;
-
- system("date");
-}
-
-
diff --git a/packaging/utils/mvcand b/packaging/utils/mvcand
deleted file mode 100755
index 6e29bc490..000000000
--- a/packaging/utils/mvcand
+++ /dev/null
@@ -1,62 +0,0 @@
-#! /bin/sh
-# mvcand
-# move packaged candidate to distribution site (password supplied manually)
-
-PATH=/bin:/usr/bin
-export PATH
-umask 022
-
-. $HOME/freeswan-regress-env.sh
-
-localplace=~build/archive
-site=freeswan@xs4.xs4all.nl
-place=FTP
-linkname=CANDIDATE.tar
-ssh=/usr/bin/ssh
-scp=/usr/bin/scp
-
-localonly=
-remove=yes
-for dummy
-do
- case "$1" in
- -l) localonly=yes ;;
- -k) remove= ;;
- --) shift ; break ;;
- -*) echo "$0: unknown option \'$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-case "$#" in
-0) ;;
-*) echo "Usage: $0" >&2 ; exit ;;
-esac
-
-cd ~build/tmp
-tarname=`ls | sed -n '/^freeswan-.*\.gz$/s/\.gz$//p' | tail -1`
-echo "moving $tarname.gz"
-
-(
- cd $localplace
- rm -f freeswan-cand* $linkname.*
- ln -s $tarname.gz $linkname.gz
-)
-cp -p $tarname.gz $tarname.gz.md5 $tarname.gz.sig CANDIDATE.tar.gz.md5 $localplace
-
-if test "$localonly"
-then
- exit 0 # leaving the original around
-fi
-
-$ssh $site "cd $place ; rm -f freeswan-cand* $linkname.* ;
- ln -s $tarname.gz $linkname.gz ;
- ln -s $tarname.gz.sig $linkname.gz.sig"
-
-$scp -p $tarname.gz.md5 $tarname.gz.sig $tarname.gz CANDIDATE.tar.gz.md5 $site:$place
-
-if test "$remove"
-then
- rm -f $tarname.*
-fi
diff --git a/packaging/utils/mvrel b/packaging/utils/mvrel
deleted file mode 100755
index 66b1180a8..000000000
--- a/packaging/utils/mvrel
+++ /dev/null
@@ -1,65 +0,0 @@
-#! /bin/sh
-# mvrel major minor
-# move packaged release to distribution site (password supplied manually)
-
-PATH=/bin:/usr/bin
-export PATH
-umask 022
-
-. $HOME/freeswan-regress-env.sh
-
-localplace=~build/archive
-site=freeswan@xs4.xs4all.nl
-place=FTP
-linkname=LATEST.tar
-ssh=/usr/bin/ssh
-scp=/usr/bin/scp
-
-localonly=
-remove=yes
-for dummy
-do
- case "$1" in
- -l) localonly=yes ;;
- -c) site=adams.freeswan.org ; place=/home/team ; scp=scp2 ; ssh=ssh2 ;;
- -k) remove= ;;
- --) shift ; break ;;
- -*) echo "$0: unknown option \'$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-case "$#:$1" in
-1:*.*) ;;
-*) echo "Usage: $0 [-l] [-c] release" >&2 ; exit ;;
-esac
-
-tarname=freeswan-$1.tar
-
-cd ~build/tmp
-if test ! -r $tarname.gz
-then
- echo "$0: no $tarname.gz!" >&2
- exit 1
-fi
-
-rm -f $localplace/$tarname.*
-cp -p $tarname.gz $tarname.gz.sig $localplace
-
-if test "$localonly"
-then
- exit 0 # leaving the original around
-fi
-
-$ssh $site "cd $place ; rm -f $tarname.gz.sig $tarname.gz LATEST.* ;
- rm -f CANDIDATE.* freeswan-cand* ;
- mv freeswan-[0-9]* old ;
- ln -s $tarname.gz LATEST.tar.gz ;
- ln -s $tarname.gz.sig LATEST.tar.gz.sig"
-$scp -p $tarname.gz.sig $tarname.gz $site:$place
-
-if test "$remove"
-then
- rm -f $tarname.*
-fi
diff --git a/packaging/utils/patcher b/packaging/utils/patcher
deleted file mode 100755
index ba31bdd26..000000000
--- a/packaging/utils/patcher
+++ /dev/null
@@ -1,188 +0,0 @@
-#! /bin/sh
-# smart patch applier
-# Copyright (C) 1999, 2001 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# patcher [-v] [-c] targetdir target [ key patchfile ] ...
-# In targetdir, patch target from patchfile unless it already contains
-# key and it appears to have been patched with the same patch. (If the
-# patch has changed, undo the old one and then put the new one in.) Save
-# original as target.preipsec, and patched copy as target.wipsec, with
-# patch md5sum stored as target.ipsecmd5. If the patch doesn't work,
-# put the original back and save the patch attempt as target.mangled.
-# If there are no key+patchfile pairs, undo any old patch and leave it
-# at that.
-# -v means verbose
-# -c means do "patching" by appending rather than by using patch(1)
-#
-# RCSID $Id: patcher,v 1.1 2004/03/15 20:35:27 as Exp $
-
-PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
-export PATH
-umask 022
-
-verbose=
-modifier=patch
-for dummy
-do
- case "$1" in
- -v) verbose=yes ;;
- -c) modifier=cat ;;
- --) shift ; break ;;
- -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-if test $# -lt 2
-then
- echo "Usage: $0 [-v] [-c] targetdir target [ key patchfile ] ..." >&2
- exit 2
-fi
-
-need() {
- if test ! -f $1
- then
- echo "$0: cannot find file \`$1'" >&2
- exit 1
- fi
-}
-
-note() {
- if test "$verbose"
- then
- echo "* $1"
- fi
-}
-
-dir="$1"
-target="$2"
-shift ; shift
-it=$dir/$target
-need $it
-
-
-
-patches=
-if test ! -s $it.ipsecmd5
-then
- # no records of patching...
- while test $# -ge 2
- do
- key="$1"
- patchfile="$2"
- shift ; shift
- need $patchfile
-
- if egrep -q "$key" $it
- then
- # patched but no record of how
- note "$it no longer needs patch $patchfile"
- else
- patches="$patches $patchfile"
- fi
- done
-elif test ! -f $it.preipsec -o ! -f $it.wipsec
-then
- echo "$0: $it.preipsec or .wipsec is missing!" >&2
- exit 1
-else
- # determine whether patches have changed
- tmp=/tmp/patcher.$$
- >$tmp
- while test $# -ge 2
- do
- key="$1"
- patchfile="$2"
- shift ; shift
- need $patchfile
- md5sum $patchfile | awk '{print $1}' >>$tmp
-
- if egrep -q "$key" $it.preipsec
- then
- note "$it no longer needs patch $patchfile"
- else
- patches="$patches $patchfile"
- fi
- done
- if cmp -s $tmp $it.ipsecmd5
- then
- note "$it already fully patched"
- rm -f $tmp
- exit 0
- fi
- rm -f $tmp
-
- # must undo old patch(es)
- note "$it old patches must be undone, undoing them..."
- if ! cmp -s $it $it.wipsec
- then
- note "$it has changed, cannot undo old patches!"
- echo "$0: cannot unpatch $it, it has changed since patching" >&2
- exit 1
- fi
- rm $it
- mv $it.preipsec $it
- rm $it.wipsec $it.ipsecmd5
-fi
-
-# if no necessary patches, we're done
-if test " $patches" = " "
-then
- note "$it no longer needs patching"
- exit 0
-fi
-
-# try to figure out patch options
-if test " $modifier" = " patch"
-then
- if patch --help >/dev/null 2>/dev/null
- then
- # looks like a modern version
- popts='-p1 -b'
- else
- # looks like an old one
- popts='-p1'
- fi
-fi
-
-# do it
->$it.ipsecmd5
-for patchfile in $patches
-do
- note "applying $patchfile to $it..."
-
- # make local copy - this defeats hard and soft links
- mv $it $it.preipsec || exit 0
- rm -f $it
- cp -p $it.preipsec $it
-
- case "$modifier" in
- patch) ( cd $dir ; patch $popts ) <$patchfile ;;
- cat) cat $patchfile >>$it ;;
- esac
- status=$?
- if test $status -ne 0
- then
- note "$it patch failed, restoring original"
- echo "$0: patch on $it failed!" >&2
- echo "$0: restoring original $it," >&2
- echo "$0: leaving patch attempt in $it.mangled" >&2
- mv $it $it.mangled
- mv $it.preipsec $it
- rm -f $it.ipsecmd5
- exit 1
- fi
- rm -f $it.orig # some patch versions leave debris
- md5sum $patchfile | awk '{print $1}' >>$it.ipsecmd5
-done
-cp -p $it $it.wipsec
diff --git a/packaging/utils/prepcand b/packaging/utils/prepcand
deleted file mode 100755
index 31c382501..000000000
--- a/packaging/utils/prepcand
+++ /dev/null
@@ -1,33 +0,0 @@
-#! /bin/sh
-# prepcand m.nn
-# prepare candidate for building, must be done in top working dir
-
-PATH=/bin:/usr/bin
-export PATH
-umask 022
-
-case "$#:$1" in
-1:*.*) ;;
-*) echo "Usage: $0 release" >&2 ; exit ;;
-esac
-
-rel="$1"
-tag="PRE`echo $rel | tr '.' '_'`"
-
-# update from snapshot form to candidate/release form, if necessary
-if egrep -q -e '^---$' README
-then
- sed '1,/^---$/d' README | sed '1s/This is release xxx of Linux FreeS\/WAN/This is release '$rel' of Linux FreeS\/WAN/' > README.$$
- mv README.$$ README
- cvs -Q commit -m "update for candidates of release $rel" README
-fi
-
-if sed -n 1p CHANGES | egrep -q 'since last release'
-then
- sed '1s/since last release/in '$rel'/' CHANGES >CHANGES.$$
- mv CHANGES.$$ CHANGES
- cvs -Q commit -m "update for candidates of release $rel" CHANGES
-fi
-
-echo "IPSECVERSION=$rel" >Makefile.ver
-cvs -Q commit -m "update for candidate of release $rel" Makefile
diff --git a/packaging/utils/recan b/packaging/utils/recan
deleted file mode 100755
index eaaf9436a..000000000
--- a/packaging/utils/recan
+++ /dev/null
@@ -1,17 +0,0 @@
-#! /bin/sh
-# recan release
-# run in a working directory to recan contents of same where necessary
-
-PATH=/bin:/usr/bin ; export PATH
-umask 022
-
-. ~freeswan/setup
-
-case $# in
-0) echo "Usage: $0 release [file] ..." >&2 ; exit 2 ;;
-esac
-
-tag="R`echo $1 | tr '.' '_'`"
-shift
-
-cvs tag -F -D now $tag $*
diff --git a/packaging/utils/setup b/packaging/utils/setup
deleted file mode 100755
index 5d250bb37..000000000
--- a/packaging/utils/setup
+++ /dev/null
@@ -1,9 +0,0 @@
-# shell file setting up environment for freeswan CVS access
-# This is here, rather than in .profiles, because Henry has local access
-# and doesn't want to duplicate this stuff.
-
-PATH=$PATH:/sandel/bin export PATH
-CVSROOT=/freeswan/MASTER
-CVSUMASK=002
-
-export CVSROOT CVSUMASK
diff --git a/packaging/utils/sshenv b/packaging/utils/sshenv
deleted file mode 100755
index 8075b9d09..000000000
--- a/packaging/utils/sshenv
+++ /dev/null
@@ -1,4 +0,0 @@
-# ssh environment file for freeswan CVS access
-# user .ssh directories have links to this, so this info is in one place
-CVSROOT=/home/freeswan/cvs
-CVSUMASK=002
diff --git a/packaging/utils/tattle b/packaging/utils/tattle
deleted file mode 100755
index 37d015b0f..000000000
--- a/packaging/utils/tattle
+++ /dev/null
@@ -1,33 +0,0 @@
-#! /bin/sh
-# tattle [-f] subject address ...
-# report a freeswan CVS change made by someone other than "owner" of files
-
-PATH=/bin:/usr/bin ; export PATH
-
-noself=yes # don't mail to person making change
-case "$1" in
--f) noself= ; shift ;;
-esac
-
-msg="freeswan commit: $1"
-shift
-
-them=
-if test "$noself"
-then
- iam="`id -un`"
- for who
- do
- if test " $who" != " $iam"
- then
- them="$them $who"
- fi
- done
-else
- them="$*"
-fi
-
-if test " $them" != " "
-then
- mail -s "$msg" $them
-fi
diff --git a/packaging/utils/wantsnap b/packaging/utils/wantsnap
deleted file mode 100755
index 74b4287da..000000000
--- a/packaging/utils/wantsnap
+++ /dev/null
@@ -1,3 +0,0 @@
-#! /bin/sh
-umask 002
-id -un >>~build/WANTSNAP/dosnap
diff --git a/packaging/utils/wanttest b/packaging/utils/wanttest
deleted file mode 100755
index 9cbdde8d0..000000000
--- a/packaging/utils/wanttest
+++ /dev/null
@@ -1,10 +0,0 @@
-#! /bin/sh
-
-if [ -f ~build/WANTSNAP/doingtest ]
-then
- echo Test already in progress.
- exit 1
-fi
-
-umask 002
-id -un >>~build/WANTSNAP/dotest
diff --git a/programs/Makefile b/programs/Makefile
deleted file mode 100644
index dbc03f416..000000000
--- a/programs/Makefile
+++ /dev/null
@@ -1,46 +0,0 @@
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 1998, 1999 Henry Spencer.
-# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.9 2006/08/28 11:12:36 as Exp $
-
-FREESWANSRCDIR=..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-SUBDIRS=spi eroute spigrp tncfg klipsdebug pf_key proc pluto
-SUBDIRS+=_confread _copyright _include _keycensor _plutoload _plutorun
-SUBDIRS+=_realsetup _secretcensor _startklips _updown _updown_espmark
-SUBDIRS+=auto barf ipsec look manual ranbits secrets starter
-SUBDIRS+=rsasigkey send-pr setup showdefaults showhostkey calcgoo mailkey
-SUBDIRS+=ikeping examples openac scepclient
-
-ifeq ($(USE_LWRES),true)
-SUBDIRS+=lwdnsq
-endif
-
-ifeq ($(USE_IPSECPOLICY),true)
-SUBDIRS+=showpolicy
-endif
-
-def:
- @echo "Please read doc/intro.html or INSTALL before running make"
- @false
-
-# programs
-
-cleanall distclean mostlyclean realclean install programs checkprograms check clean spotless install_file_list:
- @for d in $(SUBDIRS) ; \
- do \
- (cd $$d && $(MAKE) FREESWANSRCDIR=$(FREESWANSRCDIR)/.. $@ ) || exit 1;\
- done;
-
diff --git a/programs/Makefile.program b/programs/Makefile.program
deleted file mode 100644
index 14d2d8269..000000000
--- a/programs/Makefile.program
+++ /dev/null
@@ -1,154 +0,0 @@
-
-include ${FREESWANSRCDIR}/Makefile.ver
-
-CFLAGS+=$(USERCOMPILE) -I${KLIPSINC}
-
-CFLAGS+= -Wall
-#CFLAGS+= -Wconversion
-#CFLAGS+= -Wmissing-prototypes
-CFLAGS+= -Wpointer-arith
-CFLAGS+= -Wcast-qual
-#CFLAGS+= -Wmissing-declarations
-CFLAGS+= -Wstrict-prototypes
-#CFLAGS+= -pedantic
-#CFLAGS+= -W
-#CFLAGS+= -Wwrite-strings
-CFLAGS+= -Wbad-function-cast
-
-# die if there are any warnings
-ifndef WERROR
-WERROR:= -Werror
-endif
-
-#CFLAGS+= ${WERROR}
-
-ifeq ($(USE_NAT_TRAVERSAL),true)
- CFLAGS+= -DNAT_TRAVERSAL
-endif
-
-ifneq ($(LD_LIBRARY_PATH),)
-LDFLAGS=-L$(LD_LIBRARY_PATH)
-endif
-
-MANDIR8=$(MANTREE)/man8
-MANDIR5=$(MANTREE)/man5
-
-ifndef PROGRAMDIR
-PROGRAMDIR=${LIBEXECDIR}
-endif
-
-ifndef MANPROGPREFIX
-MANPROGPREFIX=ipsec_
-endif
-
-ifndef CONFDSUBDIR
-CONFDSUBDIR=.
-endif
-
-all: $(PROGRAM)
-
-programs: all
-
-ifneq ($(PROGRAM),check)
-check: $(PROGRAM)
-endif
-
-
-ifneq ($(NOINSTALL),true)
-
-install:: $(PROGRAM) $(CONFFILES) $(EXTRA8MAN) $(EXTRA5MAN) $(EXTRA5PROC) $(LIBFILES) $(CONFDFILES)
- @mkdir -p $(PROGRAMDIR) $(MANDIR8) $(MANDIR5) $(LIBDIR) $(CONFDIR) $(CONFDDIR) $(CONFDDIR)/$(CONFDSUBDIR) $(EXAMPLECONFDIR)
- @if [ -n "$(PROGRAM)" ]; then $(INSTALL) $(INSTBINFLAGS) $(PROGRAM) $(PROGRAMDIR); fi
- @$(foreach f, $(addsuffix .8, $(PROGRAM)), \
- $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR8)/$(MANPROGPREFIX)$f || exit 1; \
- )
- @$(foreach f, $(EXTRA8MAN), \
- $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR8)/ipsec_$f || exit 1; \
- )
- @$(foreach f, $(EXTRA5MAN), \
- $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR5)/$f || exit 1 ;\
- )
- @$(foreach f, $(EXTRA5PROC), \
- $(INSTALL) $(INSTMANFLAGS) $f $(MANDIR5)/ipsec_$f || exit 1 ;\
- )
- @$(foreach f, $(LIBFILES), \
- $(INSTALL) $(INSTCONFFLAGS) $f $(LIBDIR)/$f || exit 1 ;\
- )
- @$(foreach f, $(CONFFILES), \
- if [ ! -f $(CONFDIR)/$f ]; then $(INSTALL) $(INSTCONFFLAGS) $f $(CONFDIR)/$f || exit 1; fi;\
- $(INSTALL) $(INSTCONFFLAGS) $f $(EXAMPLECONFDIR)/$f-sample || exit 1; \
- )
- @$(foreach f, $(CONFDFILES), \
- if [ ! -f $(CONFDDIR)/$(CONFDSUBDIR)/$f ]; then $(INSTALL) $(INSTCONFFLAGS) $f $(CONFDDIR)/$(CONFDSUBDIR)/$f || exit 1; fi;\
- )
-
-install_file_list::
- @if [ -n "$(PROGRAM)" ]; then echo $(PROGRAMDIR)/$(PROGRAM); fi
- @$(foreach f, $(addsuffix .8, $(PROGRAM)), \
- echo $(MANDIR8)/${MANPROGPREFIX}$f; \
- )
- @$(foreach f, $(EXTRA8MAN), \
- echo $(MANDIR8)/ipsec_$f; \
- )
- @$(foreach f, $(EXTRA5MAN), \
- echo $(MANDIR5)/$f;\
- )
- @$(foreach f, $(EXTRA5PROC), \
- echo $(MANDIR5)/ipsec_$f; \
- )
- @$(foreach f, $(LIBFILES), \
- echo $(LIBDIR)/$f;\
- )
- @$(foreach f, $(CONFFILES), \
- echo $(CONFDIR)/$f;\
- echo $(EXAMPLECONFDIR)/$f-sample;\
- )
- @$(foreach f, $(CONFDFILES), \
- echo $(CONFDDIR)/${CONFDSUBDIR}/$f;\
- )
-
-endif
-
-# cancel the rule that compiles directly
-%: %.c
-
-%: %.o $(OBJS)
- $(CC) $(CFLAGS) -o $@ $@.o ${OBJS} $(LDFLAGS) $(LIBS)
-
-%: %.in ${FREESWANSRCDIR}/Makefile.inc ${FREESWANSRCDIR}/Makefile.ver
- cat $< | sed -e "s/xxx/$(IPSECVERSION)/" \
- -e "s:@IPSEC_DIR@:$(FINALBINDIR):" \
- -e "s:@IPSEC_EXECDIR@:$(FINALLIBEXECDIR):" \
- -e "s:@IPSEC_SBINDIR@:$(FINALSBINDIR):" \
- -e "s:@IPSEC_LIBDIR@:$(FINALLIBDIR):" \
- -e "s:@FINALCONFDIR@:$(FINALCONFDIR):" \
- -e "s:@EXAMPLECONFDIR@:$(EXAMPLECONFDIR):" \
- -e "s:@FINALDOCDIR@:$(FINALDOCDIR):" \
- -e "s:@FINALEXAMPLECONFDIR@:$(FINALEXAMPLECONFDIR):" \
- -e "s:@MODULE_GOO_LIST@:$(MODULE_GOO_LIST):" \
- -e "s:@IPSEC_CONFS@:$(FINALCONFDIR):" \
- -e "s:@IPSEC_CONFDDIR@:$(FINALCONFDDIR):" \
- -e "s:@USE_IPROUTE2@:$(USE_IPROUTE2):" \
- -e "s:@IPSEC_FIREWALLTYPE@:$(IPSEC_FIREWALLTYPE):" \
- | cat >$@
- if [ -x $< ]; then chmod +x $@; fi
- if [ "${PROGRAM}.in" = $< ]; then chmod +x $@; fi
-
-cleanall: clean
-
-distclean: clean
-
-mostlyclean: clean
-
-realclean: clean
-
-clean::
-ifneq ($(strip $(PROGRAM)),)
- @if [ -r $(PROGRAM).in ]; then rm -f $(PROGRAM); fi
- @if [ -r $(PROGRAM).c ]; then rm -f $(PROGRAM); fi
- @if [ -n "$(OBJS)" ]; then rm -f $(PROGRAM); fi
-endif
- @rm -f *.o
-
-checkprograms:
-
diff --git a/programs/_confread/.cvsignore b/programs/_confread/.cvsignore
deleted file mode 100644
index 405492384..000000000
--- a/programs/_confread/.cvsignore
+++ /dev/null
@@ -1,7 +0,0 @@
-_confread
-ipsec.conf
-block
-clear
-private
-clear-or-private
-private-or-clear
diff --git a/programs/_confread/Makefile b/programs/_confread/Makefile
deleted file mode 100644
index 1bdc9a3f0..000000000
--- a/programs/_confread/Makefile
+++ /dev/null
@@ -1,27 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.2 2004/03/31 19:23:00 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_confread
-PROGRAMDIR=${LIBDIR}
-EXTRA5MAN=ipsec.conf.5
-CONFFILES=ipsec.conf
-
-CONFDSUBDIR=policies
-CONFDFILES=clear clear-or-private private-or-clear private block
-
-include ../Makefile.program
diff --git a/programs/_confread/README.conf.V2 b/programs/_confread/README.conf.V2
deleted file mode 100644
index 244e245c5..000000000
--- a/programs/_confread/README.conf.V2
+++ /dev/null
@@ -1,103 +0,0 @@
-Subject: [Design] changes to ipsec.conf
-# RCSID $Id: README.conf.V2,v 1.1 2004/03/15 20:35:27 as Exp $
-
-We are changing ipsec.conf for the 2.0 series of FreeS/WAN.
-
-OE is enabled by default. This is accomplished by automatically
-defining a conn "OEself" UNLESS the sysadmin defines one with the same
-name:
-
-conn OEself
- # authby=rsasig # default
- left=%defaultroute
- leftrsasigkey=%dnsondemand # default
- right=%opportunistic
- rightrsasigkey=%dnsondemand # default
- keyingtries=3
- ikelifetime=1h
- keylife=1h # default
- rekey=no
- # disablearrivalcheck=no # default
- auto=route
-
-This will only work if %defaultroute works.
-The leftid will be the resulting IP address (won't work if
-you haven't filled in the reverse DNS entry).
-Unlike other conns, nothing in this implicit conn is changed by conn %default.
-
-We'd like a better name. A conn name starting with % cannot be
-defined by the sysadmin, so that is out. Names that haven't grabbed
-us: OEhost, OElocalhost, OEthishost, OEforself, OE4self.
-
-There is no requirement to have /etc/ipsec.conf. If you do, the first
-significant line (non-blank, non-comment) must be (not indented):
-version 2.0
-This signifies that the file was intended for FreeS/WAN version 2.0.
-
-
-The following table shows most changes. "-" means that the option
-doesn't exist. "Recent Boilerplate" shows the effect of the "conn
-%default" in the automatically installed /etc/ipsec.conf (not
-installed if you already had one).
-
-Option Old Default Recent Boilerplate New Default
-====== =========== ================== ===========
-
-config setup:
-interfaces "" %defaultroute %defaultroute
-plutoload "" %search - [same as %search]
-plutostart "" %search - [same as %search]
-uniqueids no yes yes
-rp_filter - - 0
-plutowait yes yes no
-dump no no - [use dumpdir]
-plutobackgroundload ignored ignored -
-no_eroute_pass no no - [use packetdefault]
-
-conn %default:
-keyingtries 3 0 %forever [0 means this]
-disablearrivalcheck yes no no
-authby secret rsasig rsasig
-leftrsasigkey "" %dnsondemand %dnsondemand
-rightrsasigkey "" %dnsondemand %dnsondemand
-lifetime ==keylife ==keylife - [use keylife]
-rekeystart ==rekeymargin ==rekeymargin - [use rekeymargin]
-rekeytries ==keyingtries ==keyingtries - [use keyingtries]
-
-====== =========== ================== ===========
-Option Old Default Recent Boilerplate New Default
-
-
-The auto= mechanism has been extended to support manual conns. If you
-specify auto=manual in a conn, an "ipsec manual" will be performed on
-it at startup (ipsec setup start).
-
-
-There is a new config setup option "rp_filter". It controls
- /proc/sys/net/ipv4/conf/PHYS/rp_filter
-for each PHYSical IP interface used by FreeS/WAN. Settings are:
- %unchanged do not touch (but warn if wrong)
- 0 set to 0; default; means: no filtering
- 1 set to 1; means: loose filter
- 2 set to 1; means: strict filter
-0 is often necessary for FreeS/WAN to function. Some folks
-want other settings. Shutting down FreeS/WAN does not restore
-the original value.
-
-Currently ikelife defaults to 1 hour and keylife defaults to 8 hours.
-There have been some rumblings that these are the wrong defaults, but
-it isn't clear what would be best. Perhaps both should be closer.
-Any thoughts of what these should be? Any Road Warrior or OE conn
-should probably have carefully thought-out values explicitly
-specified. The settings don't matter much for VPN connections.
-
-keyingtries=%forever is the new improved notation for keyingtries=0.
-Eventually the 0 notation will be eliminated.
-
-Some options can now be set to %none to signify no setting. Otherwise
-there would be no way for the user to override a default setting:
- leftrsasigkey, rightrsasigkey [added in 1.98]
- interfaces
-
-Hugh Redelmeier
-hugh@mimosa.com voice: +1 416 482-8253
diff --git a/programs/_confread/_confread.8 b/programs/_confread/_confread.8
deleted file mode 100644
index 20d92a002..000000000
--- a/programs/_confread/_confread.8
+++ /dev/null
@@ -1,28 +0,0 @@
-.TH _CONFREAD 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _confread.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _confread \- internal routing to parse config file
-.SH DESCRIPTION
-.I _confread
-is an internal script used for parsing /etc/ipsec.conf into a canonical format.
-.SH "SEE ALSO"
-ipsec(8), ipsec_conf(8)
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
-by Michael Richardson. Program written by Henry Spencer.
-.\"
-.\" $Log: _confread.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.3 2002/09/16 01:28:43 dhr
-.\"
-.\" typo
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\"
-.\"
diff --git a/programs/_confread/_confread.in b/programs/_confread/_confread.in
deleted file mode 100755
index 4561af9fe..000000000
--- a/programs/_confread/_confread.in
+++ /dev/null
@@ -1,520 +0,0 @@
-#!/bin/sh
-# configuration-file reader utility
-# Copyright (C) 1999-2002 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _confread.in,v 1.15 2006/04/20 04:42:12 as Exp $
-#
-# Extract configuration info from /etc/ipsec.conf, repackage as assignments
-# to shell variables or tab-delimited fields. Success or failure is reported
-# inline, as extra data, due to the vagaries of shell backquote handling.
-# In the absence of --varprefix, output is tab-separated fields, like:
-# = sectionname
-# : parameter value
-# ! status (empty for success, else complaint)
-# In the presence of (say) "--varprefix IPSEC", output is like:
-# IPSEC_confreadsection="sectionname"
-# IPSECparameter="value"
-# IPSEC_confreadstatus="status" (same empty/complaint convention)
-#
-# The "--search parametername" option inverts the search: instead of
-# yielding the parameters of the specified name(s), it yields the names
-# of sections with parameter <parametername> having (one of) the
-# specified value(s). In this case, --varprefix output is a list of
-# names in the <prefix>_confreadnames variable. Search values with
-# white space in them are currently not handled properly.
-#
-# Typical usage:
-# eval `ipsec _confread --varprefix IPSEC --type config setup`
-# if test " $IPSEC_confreadstatus" != " "
-# then
-# echo "$0: $IPSEC_confreadstatus -- aborting" 2>&1
-# exit 1
-# fi
-
-# absent default config file treated as empty
-config=${IPSEC_CONFS-@FINALCONFDIR@}/ipsec.conf
-if test ! -f "$config" ; then config=/dev/null ; fi
-
-include=yes
-type=conn
-fieldfmt=yes
-prefix=
-search=
-export=0
-version=
-optional=0
-me="ipsec _confread"
-
-for dummy
-do
- case "$1" in
- --config) config="$2" ; shift ;;
- --noinclude) include= ;;
- --type) type="$2" ; shift ;;
- --varprefix) fieldfmt=
- prefix="$2"
- shift ;;
- --export) export=1 ;;
- --search) search="$2" ; shift ;;
- --version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
- --optional) optional=1 ;;
- --) shift ; break ;;
- -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-if test "$include"
-then
- ipsec _include --inband $config
-else
- cat $config
-fi |
-awk 'BEGIN {
- type = "'"$type"'"
- names = "'"$*"'"
- prefix = "'"$prefix"'"
- export = "'"$export"'"
- optional = 0 + '"$optional"'
- myid = "'"$IPSECmyid"'"
- search = "'"$search"'"
- searching = 0
- if (search != "") {
- searching = 1
- searchpat = search "[ \t]*=[ \t]*"
- }
- fieldfmt = 0
- if ("'"$fieldfmt"'" == "yes")
- fieldfmt = 1
- including = 0
- if ("'"$include"'" == "yes")
- including = 1
- filename = "'"$config"'"
- lineno = 0
- originalfilename = filename
- if (fieldfmt)
- bq = eq = "\""
- else
- bq = eq = "\\\""
- failed = 0
- insection = 0
- wrongtype = 0
- indefault = 0
- outputting = 0
- sawnondefault = 0
- OFS = "\t"
- o_status = "!"
- o_parm = ":"
- o_section = "="
- o_names = "%"
- o_end = "."
- n = split(names, na, " ")
- if (n == 0)
- fail("no section names supplied")
- for (i = 1; i <= n; i++) {
- if (na[i] in wanted)
- fail("section " bq na[i] eq " requested more than once")
- wanted[na[i]] = 1
- pending[na[i]] = 1
- if (!searching && na[i] !~ /^[a-zA-Z][a-zA-Z0-9._-]*$/)
- fail("invalid section name " bq na[i] eq)
- }
-
- good = "also alsoflip type auto authby _plutodevel"
- left = " left leftsubnet leftnexthop leftfirewall lefthostaccess leftupdown"
- akey = " keyexchange auth pfs keylife rekey rekeymargin rekeyfuzz"
- akey = akey " dpdaction dpddelay dpdtimeout"
- akey = akey " pfsgroup compress"
- akey = akey " keyingtries ikelifetime disablearrivalcheck failureshunt ike"
- mkey = " spibase spi esp espenckey espauthkey espreplay_window"
- left = left " leftespenckey leftespauthkey leftahkey"
- left = left " leftespspi leftahspi leftid leftrsasigkey leftrsasigkey2"
- left = left " leftsendcert leftcert leftca leftsubnetwithin leftprotoport"
- left = left " leftgroups leftsourceip"
- mkey = mkey " ah ahkey ahreplay_window"
- right = left
- gsub(/left/, "right", right)
- n = split(good left right akey mkey, g)
- for (i = 1; i <= n; i++)
- goodnames["conn:" g[i]] = 1
-
- good = "also interfaces forwardcontrol myid"
- good = good " syslog klipsdebug plutodebug plutoopts plutostderrlog"
- good = good " plutorestartoncrash"
- good = good " dumpdir manualstart pluto"
- good = good " plutowait prepluto postpluto"
- good = good " fragicmp hidetos rp_filter uniqueids"
- good = good " overridemtu pkcs11module pkcs11keepstate pkcs11proxy"
- good = good " nocrsend strictcrlpolicy crlcheckinterval cachecrls"
- good = good " nat_traversal keep_alive force_keepalive"
- good = good " disable_port_floating virtual_private"
-
- n = split(good, g)
- for (i = 1; i <= n; i++)
- goodnames["config:" g[i]] = 1
-
- good = "auto cacert ldaphost ldapbase crluri crluri2 ocspuri"
- good = good " strictcrlpolicy"
-
- n = split(good, g)
- for (i = 1; i <= n; i++)
- goodnames["ca:" g[i]] = 1
-
- goodtypes["conn"] = 1
- goodtypes["config"] = 1
- goodtypes["ca"] = 1
-
- badchars = ""
- for (i = 1; i < 32; i++)
- badchars = badchars sprintf("%c", i)
- for (i = 127; i < 128+32; i++)
- badchars = badchars sprintf("%c", i)
- badchar = "[" badchars "]"
-
- # if searching, seen is set of sectionnames which match
- # if not searching, seen is set of parameter names found
- seen[""] = ""
- defaults[""] = ""
- usesdefault[""] = ""
- orientation = 1
-}
-
-
-
-function output(code, v1, v2) {
- if (code == o_parm) {
- if (v2 == "") # suppress empty parameters
- return
- if (privatename(v1)) # and private ones
- return
- if (v2 ~ badchar)
- fail("parameter value " bq v2 eq " contains unprintable character")
- }
-
- if (fieldfmt) {
- print code, v1, v2
- return
- }
-
- if (code == o_status) {
- v2 = v1
- v1 = "_confreadstatus"
- } else if (code == o_section) {
- v2 = v1
- v1 = "_confreadsection"
- } else if (code == o_names) {
- v2 = v1
- v1 = "_confreadnames"
- } else if (code != o_parm)
- return # currently no variable version of o_end
-
- print prefix v1 "=\"" v2 "\""
- if (export)
- print "export " prefix v1
-}
-function searchfound(sectionname, n, i, reflist) {
- # a hit in x is a hit in everybody who refers to x too
- n = split(refsto[sectionname], reflist, ";")
- for (i = 1; i <= n; i++)
- if (reflist[i] in seen)
- fail("duplicated parameter " bq search eq)
- else
- seen[reflist[i]] = 1
- seen[sectionname] = 1
-}
-function fail(msg) {
- output(o_status, ("(" filename ", line " lineno ") " msg))
- failed = 1
- while ((getline junk) > 0)
- continue
- exit
-}
-function badname(n) {
- if ((type ":" n) in goodnames)
- return 0
- if (privatename(n))
- return 0
- return 1
-}
-function privatename(n) {
- if (n ~ /^[xX][-_]/)
- return 1
- return 0
-}
-function orient(n) {
- if (orientation == -1) {
- if (n ~ /left/)
- gsub(/left/, "right", n)
- else if (n ~ /right/)
- gsub(/right/, "left", n)
- }
- return n
-}
-# in searching, referencing is transitive: xyz->from->to
-function chainref(from, to, i, reflist, listnum) {
- if (from in refsto) {
- listnum = split(refsto[from], reflist, ";")
- for (i = 1; i <= listnum; i++)
- chainref(reflist[i], to)
- }
- if (to in refsto)
- refsto[to] = refsto[to] ";" from
- else
- refsto[to] = from
-}
-
-# start of rules
-
-{
- lineno++
- # lineno is now the number of this line
-
- # we must remember indentation because comment stripping loses it
- exdented = $0 !~ /^[ \t]/
- sub(/^[ \t]+/, "") # get rid of leading white space
- sub(/[ \t]+$/, "") # get rid of trailing white space
-}
-including && $0 ~ /^#[<>:]/ {
- # _include control line
- if ($1 ~ /^#[<>]$/) {
- filename = $2
- lineno = $3 - 1
- } else if ($0 ~ /^#:/) {
- msg = substr($0, 3)
- gsub(/"/, "\\\"", msg)
- fail(msg)
- }
- next
-}
-exdented {
- # any non-leading-white-space line is a section end
- ### but not the end of relevant stuff, might be also= sections later
- ###if (insection && !indefault && !searching && outputting)
- ### output(o_end)
- insection = 0
- wrongtype = 0
- indefault = 0
- outputting = 0
-}
-/[ \t]#/ {
- # strip trailing comments including the leading whitespace
- # tricky because we must respect quotes
- q = 0
- for (i = 1; i <= NF; i++) {
- if ($i ~ /^#/ && q % 2 == 0) {
- NF = i - 1;
- break
- }
- # using $i in gsub loses whitespace?!?
- junk = $i
- q += gsub(/"/, "&", junk)
- }
-}
-$0 == "" || $0 ~ /^#/ {
- # empty lines and comments are ignored
- next
-}
-exdented && NF != 2 {
- # bad section header
- fail("section header " bq $0 eq " has wrong number of fields (" NF ")")
-}
-exdented && $1 == "version" {
- version = $2 + 0
- if (version < 2.0 || 2.0 < version)
- fail("we only support version 2.0 ipsec.conf files, not " bq version eq)
- next
-}
-version == "" {
- fail("we only support version 2 ipsec.conf files")
-}
-exdented && !($1 in goodtypes) {
- # unknown section type
- fail("section type " bq $1 eq " not recognized")
-}
-exdented && $1 != type {
- # section header, but not of the type we want
- insection = 1
- wrongtype = 1
- next
-}
-extented {
- # type fits
- wrongtype = 0
-}
-exdented && $1 == "config" && $2 != "setup" {
- fail("unknown config section " bq $2 eq)
-}
-exdented && $2 != "%default" {
- # non-default section header of our type
- sawnondefault = 1
-}
-exdented && searching && $2 != "%default" {
- # section header, during search
- insection = 1
- sectionname = $2
- usesdefault[sectionname] = 1 # tentatively
- next
-}
-exdented && !searching && $2 in wanted {
- # one of our wanted section headers
- if (!($2 in pending))
- fail("duplicate " type " section " bq $2 eq)
- delete pending[$2]
- tag = bq type " " $2 eq
- outputting = 1
- insection = 1
- orientation = wanted[$2]
- output(o_section, $2)
- next
-}
-exdented && $2 == "%default" {
- # relevant default section header
- if (sawnondefault)
- fail(bq $1 " %default" eq " sections must precede non-default ones")
- tag = bq type " " $2 eq
- indefault = 1
- next
-}
-exdented {
- # section header, but not one we want
- insection = 1
- next
-}
-!insection && !indefault {
- # starts with white space but not in a section... oops
- fail("parameter is not within a section")
-}
-!wrongtype && searching && $0 ~ searchpat {
- # search found the right parameter name
- match($0, searchpat)
- rest = substr($0, RLENGTH+1)
- if (rest ~ /^".*"$/)
- rest = substr(rest, 2, length(rest)-2)
- if (!indefault) {
- if (!usesdefault[sectionname])
- fail("duplicated parameter " bq search eq)
- usesdefault[sectionname] = 0
- } else if (search in defaults)
- fail("duplicated parameter " bq search eq)
- if (rest in wanted) { # a hit
- if (indefault)
- defaults[search] = rest
- else
- searchfound(sectionname)
- } else {
- # rather a kludge, but must check this somewhere
- if (search == "auto" && rest !~ /^(add|route|start|ignore|manual)$/)
- fail("illegal auto value " bq rest eq)
- }
- next
-}
-!searching && !outputting && !indefault {
- # uninteresting line
- next
-}
-$0 ~ /"/ && $0 !~ /^[^=]+=[ \t]*"[^"]*"$/ {
- if (!searching)
- fail("mismatched quotes in parameter value")
- else
- gsub(/"/, "", $0)
-}
-$0 !~ /^[a-zA-Z_][a-zA-Z0-9_-]*[ \t]*=/ {
- if (searching)
- next # just ignore it
- fail("syntax error or illegal parameter name")
-}
-{
- sub(/[ \t]*=[ \t]*/, "=") # get rid of white space around =
-}
-$0 ~ /^(also|alsoflip)=/ {
- v = orientation
- if ($0 ~ /^alsoflip/)
- v = -v;
- if (indefault)
- fail("%default section may not contain " bq "also" eq " or " bq "alsoflip" eq " parameter")
- sub(/^(also|alsoflip)=/, "")
- if ($0 !~ /^[a-zA-Z][a-zA-Z0-9._-]*$/)
- fail("invalid section name " bq $0 eq)
- if (!searching) {
- if ($0 in wanted)
- fail("section " bq $0 eq " requested more than once")
- wanted[$0] = v
- pending[$0] = 1
- } else
- chainref(sectionname, $0)
- next
-}
-!outputting && !indefault {
- # uninteresting line even for a search
- next
-}
-{
- equal = match($0, /[=]/)
- name = substr($0, 1, equal-1)
- if (badname(name))
- fail("unknown parameter name " bq name eq)
- value = substr($0, equal+1)
- if (value ~ /^"/)
- value = substr(value, 2, length(value)-2)
- else if (value ~ /[ \t]/)
- fail("white space within non-quoted parameter " bq name eq)
-}
-indefault {
- if (name in defaults)
- fail("duplicated default parameter " bq name eq)
- defaults[name] = value
- next
-}
-{
- name = orient(name)
- if (name in seen)
- fail("duplicated parameter " bq name eq)
- seen[name] = 1
- output(o_parm, name, value)
-}
-END {
- if (failed)
- exit 1
-
- filename = originalfilename
- unseen = ""
- for (i in pending)
- unseen = unseen " " i
- if (!optional && !searching && unseen != "")
- fail("did not find " type " section(s) " bq substr(unseen, 2) eq)
- if (!searching) {
- for (name in defaults)
- if (!(name in seen))
- output(o_parm, name, defaults[name])
- } else {
- if (defaults[search] in wanted)
- for (name in usesdefault)
- if (usesdefault[name])
- seen[name] = 1
- delete seen[""]
- if (fieldfmt)
- for (name in seen)
- output(o_section, name)
- else {
- outlist = ""
- for (name in seen)
- if (outlist == "")
- outlist = name
- else
- outlist = outlist " " name
- output(o_names, outlist)
- }
- }
- output(o_status, "")
-}'
diff --git a/programs/_confread/block.in b/programs/_confread/block.in
deleted file mode 100644
index e3a4b2dd5..000000000
--- a/programs/_confread/block.in
+++ /dev/null
@@ -1,8 +0,0 @@
-# This file defines the set of CIDRs (network/mask-length) to which
-# communication should never be allowed.
-#
-# See @FINALDOCDIR@/policygroups.html for details.
-#
-# $Id: block.in,v 1.1 2004/03/15 20:35:27 as Exp $
-#
-
diff --git a/programs/_confread/clear-or-private.in b/programs/_confread/clear-or-private.in
deleted file mode 100644
index 800093d94..000000000
--- a/programs/_confread/clear-or-private.in
+++ /dev/null
@@ -1,8 +0,0 @@
-# This file defines the set of CIDRs (network/mask-length) to which
-# we will communicate in the clear, or, if the other side initiates IPSEC,
-# using encryption. This behaviour is also called "Opportunistic Responder".
-#
-# See @FINALDOCDIR@/policygroups.html for details.
-#
-# $Id: clear-or-private.in,v 1.1 2004/03/15 20:35:27 as Exp $
-#
diff --git a/programs/_confread/clear.in b/programs/_confread/clear.in
deleted file mode 100644
index 46e63388e..000000000
--- a/programs/_confread/clear.in
+++ /dev/null
@@ -1,7 +0,0 @@
-# This file defines the set of CIDRs (network/mask-length) to which
-# communication should always be in the clear.
-#
-# See @FINALDOCDIR@/policygroups.html for details.
-#
-# $Id: clear.in,v 1.1 2004/03/15 20:35:27 as Exp $
-#
diff --git a/programs/_confread/private-or-clear.in b/programs/_confread/private-or-clear.in
deleted file mode 100644
index c66b1d29f..000000000
--- a/programs/_confread/private-or-clear.in
+++ /dev/null
@@ -1,14 +0,0 @@
-# This file defines the set of CIDRs (network/mask-length) to which
-# communication should be private, if possible, but in the clear otherwise.
-#
-# If the target has a TXT (later IPSECKEY) record that specifies
-# authentication material, we will require private (i.e. encrypted)
-# communications. If no such record is found, communications will be
-# in the clear.
-#
-# See @FINALDOCDIR@/policygroups.html for details.
-#
-# $Id: private-or-clear.in,v 1.1 2004/03/15 20:35:27 as Exp $
-#
-
-0.0.0.0/0
diff --git a/programs/_confread/private.in b/programs/_confread/private.in
deleted file mode 100644
index 9d4bd6c67..000000000
--- a/programs/_confread/private.in
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file defines the set of CIDRs (network/mask-length) to which
-# communication should always be private (i.e. encrypted).
-# See @FINALDOCDIR@/policygroups.html for details.
-#
-# $Id: private.in,v 1.1 2004/03/15 20:35:27 as Exp $
-#
diff --git a/programs/_confread/randomize b/programs/_confread/randomize
deleted file mode 100755
index 26d80a8f3..000000000
--- a/programs/_confread/randomize
+++ /dev/null
@@ -1,28 +0,0 @@
-#! /bin/sh
-# internal utility for putting random keys into sample configuration file
-# Copyright (C) 1998, 1999 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: randomize,v 1.1 2004/03/15 20:35:27 as Exp $
-
-awk '/`[0-9]+`/ {
- match($0, /`[0-9]+`/)
- n = substr($0, RSTART+1, RLENGTH-2)
- cmd = "./ranbits --quick " n
- cmd | getline key
- cmd | getline eof
- close(cmd)
- sub(/`[0-9]+`/, key, $0)
- print
- next
-}
-{ print }' $*
diff --git a/programs/_copyright/.cvsignore b/programs/_copyright/.cvsignore
deleted file mode 100644
index 23ebcb381..000000000
--- a/programs/_copyright/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-_copyright
diff --git a/programs/_copyright/Makefile b/programs/_copyright/Makefile
deleted file mode 100644
index 52c594b68..000000000
--- a/programs/_copyright/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_copyright
-PROGRAMDIR=${LIBDIR}
-LIBS=${FREESWANLIB}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:07 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/_include/.cvsignore b/programs/_include/.cvsignore
deleted file mode 100644
index ab6204115..000000000
--- a/programs/_include/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-_include
diff --git a/programs/_include/Makefile b/programs/_include/Makefile
deleted file mode 100644
index 6b5f11682..000000000
--- a/programs/_include/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_include
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:11 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/_include/_include.8 b/programs/_include/_include.8
deleted file mode 100644
index 56ffa0723..000000000
--- a/programs/_include/_include.8
+++ /dev/null
@@ -1,35 +0,0 @@
-.TH _INCLUDE 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _include.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _include \- internal script to process config files
-.SH DESCRIPTION
-.I _include
-is used by
-.I _confread
-to process
-.B include
-directives in /etc/ipsec.conf.
-.SH "SEE ALSO"
-ipsec(8), ipsec__confread(8)
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
-by Michael Richardson. Program written by Henry Spencer.
-.\"
-.\" $Log: _include.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\" Revision 1.1 2002/04/26 01:21:43 mcr
-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" MCR has decided that it is not okay for each program subdir to have
-.\" some subset (determined with -f) of possible files.
-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
diff --git a/programs/_include/_include.in b/programs/_include/_include.in
deleted file mode 100755
index 10a8a49e4..000000000
--- a/programs/_include/_include.in
+++ /dev/null
@@ -1,102 +0,0 @@
-#! /bin/sh
-# implements nested file inclusion for control files, including wildcarding
-# Copyright (C) 1998, 1999 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _include.in,v 1.2 2004/03/15 21:03:06 as Exp $
-#
-# Output includes marker lines for file changes:
-# "#< filename lineno" signals entry into that file
-# "#> filename lineno" signals return to that file
-# The lineno is the line number of the *next* line.
-#
-# Errors are reported with a "#:message" line rather than on stderr.
-#
-# Lines which look like marker and report lines are never passed through.
-
-IPSEC_NAME="strongSwan"
-
-usage="Usage: $0 file ..."
-me="ipsec _include"
-
-for dummy
-do
- case "$1" in
- --inband) ;; # back compatibility
- --help) echo "$usage" ; exit 0 ;;
- --version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
- --) shift ; break ;;
- -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-case $# in
-0) echo "$usage" >&2 ; exit 2 ;;
-esac
-
-for f
-do
- if test ! -r "$f"
- then
- if test ! "$f" = "/etc/ipsec.conf"
- then
- echo "#:cannot open configuration file \'$f\'"
- if test "$f" = "/etc/ipsec.secrets"
- then
- echo "#:Your secrets file will be created when you start $IPSEC_NAME for the first time."
- fi
- exit 1
- else
- exit 1
- fi
- fi
-done
-
-awk 'BEGIN {
- wasfile = ""
-}
-FNR == 1 {
- print ""
- print "#<", FILENAME, 1
- lineno = 0
- wasfile = FILENAME
-}
-{
- lineno++
- # lineno is now the number of this line
-}
-/^#[<>:]/ {
- next
-}
-/^include[ \t]+/ {
- orig = $0
- sub(/[ \t]+#.*$/, "")
- if (NF != 2) {
- msg = "(" FILENAME ", line " lineno ")"
- msg = msg " include syntax error in \"" orig "\""
- print "#:" msg
- exit 1
- }
- newfile = $2
- if (newfile !~ /^\// && FILENAME ~ /\//) {
- prefix = FILENAME
- sub("[^/]+$", "", prefix)
- newfile = prefix newfile
- }
- system("ipsec _include " newfile)
- print ""
- print "#>", FILENAME, lineno + 1
- next
-}
-{ print }' $*
diff --git a/programs/_keycensor/.cvsignore b/programs/_keycensor/.cvsignore
deleted file mode 100644
index 97d0bb2bf..000000000
--- a/programs/_keycensor/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-_keycensor
diff --git a/programs/_keycensor/Makefile b/programs/_keycensor/Makefile
deleted file mode 100644
index bc495328f..000000000
--- a/programs/_keycensor/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_keycensor
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:15 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/_keycensor/_keycensor.8 b/programs/_keycensor/_keycensor.8
deleted file mode 100644
index 89a97a9f9..000000000
--- a/programs/_keycensor/_keycensor.8
+++ /dev/null
@@ -1,33 +0,0 @@
-.TH _KEYCENSOR 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _keycensor.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _keycensor \- internal routine to remove sensitive information
-.SH DESCRIPTION
-.I _keycensor
-is used by
-.B ipsec barf
-to process the /etc/ipsec.secrets file, removing private key info.
-.SH "SEE ALSO"
-ipsec(8), ipsec_barf(8)
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
-by Michael Richardson. Original program by Henry Spencer.
-.\"
-.\" $Log: _keycensor.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\" Revision 1.1 2002/04/26 01:21:43 mcr
-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" MCR has decided that it is not okay for each program subdir to have
-.\" some subset (determined with -f) of possible files.
-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
diff --git a/programs/_keycensor/_keycensor.in b/programs/_keycensor/_keycensor.in
deleted file mode 100755
index 7d6f257e5..000000000
--- a/programs/_keycensor/_keycensor.in
+++ /dev/null
@@ -1,52 +0,0 @@
-#! /bin/sh
-# implements key censoring for barf
-# Copyright (C) 1999, 2002 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _keycensor.in,v 1.1 2004/03/15 20:35:27 as Exp $
-
-usage="Usage: $0 [file ...]"
-me="ipsec _keycensor"
-
-for dummy
-do
- case "$1" in
- --help) echo "$usage" ; exit 0 ;;
- --version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
- --) shift ; break ;;
- -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-awk ' /(sig|enc|auth)key[ \t]*=[ \t]*[^%]/ {
- i = match($0, /key[ \t]*=[ \t]*/)
- i += RLENGTH
- cold = substr($0, 1, i-1)
- hot = substr($0, i)
- sub(/[ \t]+(#.*)?$/, "", hot)
- q = "'"'"'" # single quote
- if (hot ~ q)
- cooled = "[cannot be condensed]"
- else if (hot ~ /^0s/)
- cooled = "[keyid " substr(hot, 3, 9) "]"
- else {
- run = "echo " q hot q " | md5sum"
- run | getline
- close(run)
- cooled = "[sums to " substr($1, 1, 4) "...]"
- }
- print cold cooled
- next
- }
- { print }' $*
diff --git a/programs/_plutoload/.cvsignore b/programs/_plutoload/.cvsignore
deleted file mode 100644
index cbcf7e699..000000000
--- a/programs/_plutoload/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-_plutoload
diff --git a/programs/_plutoload/Makefile b/programs/_plutoload/Makefile
deleted file mode 100644
index af9ffee18..000000000
--- a/programs/_plutoload/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_plutoload
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:19 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/_plutoload/_plutoload.8 b/programs/_plutoload/_plutoload.8
deleted file mode 100644
index ba421b6c3..000000000
--- a/programs/_plutoload/_plutoload.8
+++ /dev/null
@@ -1,33 +0,0 @@
-.TH _PLUTOLOAD 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _plutoload.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _plutoload \- internal script to start pluto
-.SH DESCRIPTION
-.I _plutoload
-is called by
-.B _plutorun
-to actually start the pluto executable.
-.SH "SEE ALSO"
-ipsec(8), ipsec_setup(8), ipsec__realsetup(8), ipsec__plutorun(8)
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
-by Michael Richardson. Original program by Henry Spencer.
-.\"
-.\" $Log: _plutoload.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\" Revision 1.1 2002/04/26 01:21:43 mcr
-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" MCR has decided that it is not okay for each program subdir to have
-.\" some subset (determined with -f) of possible files.
-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
diff --git a/programs/_plutoload/_plutoload.in b/programs/_plutoload/_plutoload.in
deleted file mode 100755
index 73841197d..000000000
--- a/programs/_plutoload/_plutoload.in
+++ /dev/null
@@ -1,164 +0,0 @@
-#!/bin/sh
-# Pluto database-loading script
-# Copyright (C) 1998, 1999, 2001 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _plutoload.in,v 1.2 2004/03/31 16:15:10 as Exp $
-#
-# exit status is 13 for protocol violation, that of Pluto otherwise
-
-me='ipsec _plutoload' # for messages
-
-for dummy
-do
- case "$1" in
- --load) plutoload="$2" ; shift ;;
- --start) plutostart="$2" ; shift ;;
- --wait) plutowait="$2" ; shift ;;
- --post) postpluto="$2" ; shift ;;
- --) shift ; break ;;
- -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-# load ca information
-eval `ipsec _confread --varprefix PLUTO --type ca --search auto add start`
-if test " $PLUTO_confreadstatus" != " "
-then
- echo "auto=add/start search: $PLUTO_confreadstatus"
- echo "unable to determine what ca information to add -- adding none"
- caload=
-else
- caload="$PLUTO_confreadnames"
-fi
-
-# searches, if needed
-# the way the searches were done ensures plutoload >= plutoroute >= plutostart
-
-# search for things to "ipsec auto --add": auto in "add" "route" "start"
-eval `ipsec _confread --varprefix PLUTO --search auto add route start`
-if test " $PLUTO_confreadstatus" != " "
-then
- echo "auto=add/route/start search: $PLUTO_confreadstatus"
- echo "unable to determine what conns to add -- adding none"
- plutoload=
-else
- plutoload="$PLUTO_confreadnames"
-fi
-
-# search for things to "ipsec auto --route": auto in "route" "start"
-eval `ipsec _confread --varprefix PLUTO --search auto route start`
-if test " $PLUTO_confreadstatus" != " "
-then
- echo "auto=route/start search: $PLUTO_confreadstatus"
- echo "unable to determine what conns to route -- routing none"
- plutoroute=
-else
- plutoroute="$PLUTO_confreadnames"
-fi
-
-# search for things to "ipsec auto --up": auto in "start"
-eval `ipsec _confread --varprefix PLUTO --search auto start`
-if test " $PLUTO_confreadstatus" != " "
-then
- echo "auto=start search: $PLUTO_confreadstatus"
- echo "unable to determine what conns to start -- starting none"
- plutostart=
-else
- plutostart="$PLUTO_confreadnames"
-fi
-
-# await Pluto's readiness (not likely to be an issue, but...)
-eofed=y
-while read saying
-do
- case "$saying" in
- 'Pluto initialized') eofed= ; break ;; # NOTE BREAK OUT
- *) echo "pluto unexpectedly said \`$saying'" ;;
- esac
-done
-if test "$eofed"
-then
- echo "pluto died unexpectedly!?!"
- exit 13
-fi
-
-# ca database load
-for tu in $caload
-do
- ipsec auto --type ca --add $tu ||
- echo "...could not add ca \"$tu\""
-done
-
-# conn database load
-for tu in $plutoload
-do
- ipsec auto --add $tu ||
- echo "...could not add conn \"$tu\""
-done
-
-# enable listening
-ipsec auto --ready
-
-# execute any post-startup cleanup
-if test " $postpluto" != " "
-then
- $postpluto
- st=$?
- if test " $st" -ne 0
- then
- echo "...postpluto command exited with status $st"
- fi
-fi
-
-# quickly establish routing
-for tu in $plutoroute
-do
- ipsec auto --route $tu ||
- echo "...could not route conn \"$tu\""
-done
-
-# tunnel initiation, which may take a while
-async=
-if test " $plutowait" = " no"
-then
- async="--asynchronous"
-fi
-for tu in $plutostart
-do
- ipsec auto --up $async $tu ||
- echo "...could not start conn \"$tu\""
-done
-
-# report any further utterances, and watch for exit status
-eofed=y
-while read saying
-do
- case "$saying" in
- exit) eofed= ; break ;; # NOTE BREAK OUT
- *) echo "pluto unexpectedly says \`$saying'" ;;
- esac
-done
-if test "$eofed"
-then
- echo "pluto died without exit status!?!"
- exit 13
-fi
-if read status
-then
- exit $status
-else
- echo "pluto yielded no exit status!?!"
- exit 13
-fi
diff --git a/programs/_plutorun/.cvsignore b/programs/_plutorun/.cvsignore
deleted file mode 100644
index 13e0ae1a1..000000000
--- a/programs/_plutorun/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-_plutorun
diff --git a/programs/_plutorun/Makefile b/programs/_plutorun/Makefile
deleted file mode 100644
index b0928797c..000000000
--- a/programs/_plutorun/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_plutorun
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:26 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/_plutorun/_plutorun.8 b/programs/_plutorun/_plutorun.8
deleted file mode 100644
index 9de6927dc..000000000
--- a/programs/_plutorun/_plutorun.8
+++ /dev/null
@@ -1,37 +0,0 @@
-.TH _PLUTORUN 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _plutorun.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _plutorun \- internal script to start pluto
-.SH DESCRIPTION
-.I _plutorun
-is called by
-.B _realsetup
-to configure and bring up
-.B ipsec_pluto(8).
-It calls
-.B _plutoload
-to invoke pluto, and watches to makes sure that pluto is restarted if it fails.
-.SH "SEE ALSO"
-ipsec(8), ipsec_setup(8), ipsec__realsetup(8), ipsec__plutoload(8), ipsec_pluto(8).
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
-by Michael Richardson. Original program written by Henry Spencer.
-.\"
-.\" $Log: _plutorun.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\" Revision 1.1 2002/04/26 01:21:43 mcr
-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" MCR has decided that it is not okay for each program subdir to have
-.\" some subset (determined with -f) of possible files.
-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
diff --git a/programs/_plutorun/_plutorun.in b/programs/_plutorun/_plutorun.in
deleted file mode 100755
index b02afeefb..000000000
--- a/programs/_plutorun/_plutorun.in
+++ /dev/null
@@ -1,281 +0,0 @@
-#!/bin/sh
-# Pluto control daemon
-# Copyright (C) 1998, 1999, 2001 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _plutorun.in,v 1.9 2005/10/16 13:28:15 as Exp $
-
-me='ipsec _plutorun' # for messages
-
-info=/var/run/ipsec.info
-
-popts=
-stderrlog=
-plutorestartoncrash=true
-
-wherelog=daemon.error
-pidfile=/var/run/pluto.pid
-verb="Starting"
-for dummy
-do
- case "$1" in
- --re) verb="Restarting" ;;
- --plutorestartoncrash) plutorestartoncrash="$2"; shift ;;
- --debug) plutodebug="$2" ; shift ;;
- --uniqueids) uniqueids="$2" ; shift ;;
- --nat_traversal) nat_traversal="$2" ; shift ;;
- --keep_alive) keep_alive="$2" ; shift ;;
- --force_keepalive) force_keepalive="$2" ; shift ;;
- --disable_port_floating) disable_port_floating="$2" ; shift ;;
- --virtual_private) virtual_private="$2" ; shift ;;
- --nocrsend) nocrsend="$2" ; shift ;;
- --strictcrlpolicy) strictcrlpolicy="$2" ; shift ;;
- --crlcheckinterval) crlcheckinterval="$2"; shift ;;
- --cachecrls) cachecrls="$2" ; shift ;;
- --pkcs11module) pkcs11module="$2"; shift ;;
- --pkcs11keepstate) pkcs11keepstate="$2"; shift ;;
- --pkcs11proxy) pkcs11proxy="$2"; shift ;;
- --dump) dumpdir="$2" ; shift ;;
- --opts) popts="$2" ; shift ;;
- --stderrlog) stderrlog="$2" ; shift ;;
- --wait) plutowait="$2" ; shift ;;
- --pre) prepluto="$2" ; shift ;;
- --post) postpluto="$2" ; shift ;;
- --log) wherelog="$2" ; shift ;;
- --pid) pidfile="$2" ; shift ;;
- --) shift ; break ;;
- -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-# initially we are in the foreground, with parent looking after logging
-
-# precautions
-if test -f $pidfile
-then
- echo "pluto appears to be running already (\`$pidfile' exists), will not start another"
- exit 1
-fi
-if test ! -e /dev/urandom
-then
- echo "cannot start Pluto, system lacks \`/dev/urandom'!?!"
- exit 1
-fi
-
-# sort out options
-for d in $plutodebug
-do
- popts="$popts --debug-$d"
-done
-case "$uniqueids" in
-yes) popts="$popts --uniqueids" ;;
-no|'') ;;
-*) echo "unknown uniqueids value (not yes/no) \`$IPSECuniqueids'" ;;
-esac
-case "$nocrsend" in
-yes) popts="$popts --nocrsend" ;;
-no|'') ;;
-*) echo "unknown nocrsend value (not yes/no) \`$IPSECnocrsend'" ;;
-esac
-case "$strictcrlpolicy" in
-yes) popts="$popts --strictcrlpolicy" ;;
-no|'') ;;
-*) echo "unknown strictcrlpolicy value (not yes/no) \`$IPSECstrictcrlpolicy'" ;;
-esac
-case "$cachecrls" in
-yes) popts="$popts --cachecrls" ;;
-no|'') ;;
-*) echo "unknown cachecrls value (not yes/no) \`$IPSECcachecrls'" ;;
-esac
-case "$nat_traversal" in
-yes) popts="$popts --nat_traversal" ;;
-no|'') ;;
-*) echo "unknown nat_traversal value (not yes/no) \`$IPSECnat_traversal'" ;;
-esac
-[ -n "$keep_alive" ] && popts="$popts --keep_alive $keep_alive"
-case "$force_keepalive" in
-yes) popts="$popts --force_keepalive" ;;
-no|'') ;;
-*) echo "unknown force_keepalive value (not yes/no) \`$IPSECforce_keepalive'" ;;
-esac
-case "$disable_port_floating" in
-yes) popts="$popts --disable_port_floating" ;;
-no|'') ;;
-*) echo "unknown disable_port_floating (not yes/no) \`$disable_port_floating'" ;;
-esac
-case "$pkcs11keepstate" in
-yes) popts="$popts --pkcs11keepstate" ;;
-no|'') ;;
-*) echo "unknown pkcs11keepstate value (not yes/no) \`$IPSECpkcs11keepstate'" ;;
-esac
-case "$pkcs11proxy" in
-yes) popts="$popts --pkcs11proxy" ;;
-no|'') ;;
-*) echo "unknown pkcs11proxy value (not yes/no) \`$IPSECpkcs11proxy'" ;;
-esac
-
-[ -n "$virtual_private" ] && popts="$popts --virtual_private $virtual_private"
-
-# add crl check interval
-if test ${crlcheckinterval:-0} -gt 0
-then
- popts="$popts --crlcheckinterval $crlcheckinterval"
-fi
-
-if test -n "$pkcs11module"
-then
- popts="$popts --pkcs11module $pkcs11module"
-fi
-
-if test -n "$stderrlog"
-then
- popts="$popts --stderrlog 2>>$stderrlog"
-
- if test -f $stderrlog
- then
- if test ! -w $stderrlog
- then
- echo Cannot write to \"$stderrlog\".
- exit 1
- fi
- else
- if test ! -w "`dirname $stderrlog`"
- then
- echo Cannot write to directory to create \"$stderrlog\".
- exit 1
- fi
- fi
-
- echo "Plutorun started on "`date` >$stderrlog
-fi
-
-# set up dump directory
-if test " $dumpdir" = " "
-then
- ulimit -c 0 # preclude core dumps
-elif test ! -d "$dumpdir"
-then
- echo "dumpdir \`$dumpdir' does not exist, ignored"
- ulimit -c 0 # preclude core dumps
-elif cd $dumpdir # put them where desired
-then
- ulimit -c unlimited # permit them
-else
- echo "cannot cd to dumpdir \`$dumpdir', ignored"
- ulimit -c 0 # preclude them
-fi
-
-# execute any preliminaries
-if test " $prepluto" != " "
-then
- $prepluto
- st=$?
- if test " $st" -ne 0
- then
- echo "...prepluto command exited with status $st"
- fi
-fi
-
-IPSEC_SECRETS=${IPSEC_CONFS}/ipsec.secrets
-if test ! -f "${IPSEC_SECRETS}"
-then
- ( logger -p authpriv.info -t ipsec__plutorun No file ${IPSEC_SECRETS}, generating key.
- ipsec scepclient --out pkcs1 --out cert-self --quiet
- echo -e "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n" > ${IPSEC_SECRETS}
- chmod 600 ${IPSEC_SECRETS}
- echo ": RSA myKey.der" >> ${IPSEC_SECRETS}
-
- # tell pluto to go re-read the file
- ipsec auto --rereadsecrets
- ) &
-fi
-
-#
-# make sure that the isakmp port is open!
-#
-if test -f /etc/sysconfig/ipchains
-then
- if egrep -q 500:500 /etc/sysconfig/ipchains
- then
- :
- else
- ipchains -I input 1 -p udp -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 500:500 -j ACCEPT
- # if it redhat, then save the rules again.
- if [ -f /etc/redhat-release ]
- then
- sh /etc/rc.d/init.d/ipchains save
- fi
- fi
-fi
-
-# spin off into the background, with our own logging
-echo "$verb Pluto subsystem..." | logger -p authpriv.error -t ipsec__plutorun
-execdir=${IPSEC_EXECDIR-@IPSEC_EXECDIR@}
-libdir=${IPSEC_LIBDIR-@IPSEC_LIBDIR@}
-until (
- if test -s $info
- then
- . $info
- export defaultroutephys defaultroutevirt defaultrouteaddr defaultroutenexthop
- fi
- # eval allows $popts to contain redirection and other magic
- eval $execdir/pluto --nofork --secretsfile "$IPSEC_SECRETS" --policygroupsdir "${IPSEC_CONFS}/ipsec.d/policies" $popts
- status=$?
- echo "exit"
- echo $status
- ) | $libdir/_plutoload --wait "$plutowait" --post "$postpluto"
-do
- status=$?
- case "$status" in
- 13) echo "internal failure in pluto scripts, impossible to carry on"
- exit 1
- ;;
- 10) echo "pluto apparently already running (?!?), giving up"
- exit 1
- ;;
- 137) echo "pluto killed by SIGKILL, terminating without restart or unlock"
- exit 0
- ;;
- 143) echo "pluto killed by SIGTERM, terminating without restart"
- # pluto now does its own unlock for this
- exit 0
- ;;
- *) st=$status
- if $plutorestartoncrash
- then
- :
- else
- exit 0
- fi
-
- if test $st -gt 128
- then
- st="$st (signal `expr $st - 128`)"
- fi
- echo "!pluto failure!: exited with error status $st"
- echo "restarting IPsec after pause..."
- (
- sleep 10
- ipsec setup _autorestart
- ) </dev/null >/dev/null 2>&1 &
- exit 1
- ###sleep 10
- ###rm -rf $pidfile
- #### and go around the loop again
- ;;
- esac
-done </dev/null 2>&1 |
- logger -s -p $wherelog -t ipsec__plutorun >/dev/null 2>/dev/null &
-
-exit 0
diff --git a/programs/_realsetup/.cvsignore b/programs/_realsetup/.cvsignore
deleted file mode 100644
index 54941b8a3..000000000
--- a/programs/_realsetup/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-_realsetup
diff --git a/programs/_realsetup/Makefile b/programs/_realsetup/Makefile
deleted file mode 100644
index c339007e0..000000000
--- a/programs/_realsetup/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_realsetup
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:34 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/_realsetup/_realsetup.8 b/programs/_realsetup/_realsetup.8
deleted file mode 100644
index 51b647115..000000000
--- a/programs/_realsetup/_realsetup.8
+++ /dev/null
@@ -1,36 +0,0 @@
-.TH _REALSETUP 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _realsetup.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _realsetup \- internal routine to start FreeS/WAN.
-.SH DESCRIPTION
-.I _realsetup
-is called by the system init scripts to start the FreeS/WAN
-system. It starts
-.B KLIPS
-(the kernel component) and
-.B pluto
-(the userspace keying component).
-.SH "SEE ALSO"
-ipsec(8), ipsec__klipsstart(8), ipsec__plutorun(8).
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
-by Michael Richardson. Original program by Henry Spencer.
-.\"
-.\" $Log: _realsetup.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\" Revision 1.1 2002/04/26 01:21:43 mcr
-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" MCR has decided that it is not okay for each program subdir to have
-.\" some subset (determined with -f) of possible files.
-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
diff --git a/programs/_realsetup/_realsetup.in b/programs/_realsetup/_realsetup.in
deleted file mode 100755
index 91b6e98d3..000000000
--- a/programs/_realsetup/_realsetup.in
+++ /dev/null
@@ -1,456 +0,0 @@
-#!/bin/sh
-# IPsec startup and shutdown command
-# Copyright (C) 1998, 1999, 2001 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _realsetup.in,v 1.10 2005/09/25 21:30:52 as Exp $
-
-IPSEC_NAME=strongSwan
-
-me='ipsec setup' # for messages
-
-# Misc. paths (some of this should perhaps be overrideable from ipsec.conf).
-plutopid=/var/run/pluto.pid
-subsyslock=/var/lock/subsys/ipsec
-lock=/var/run/ipsec_setup.pid
-info=/var/run/ipsec.info
-sysflags=/proc/sys/net/ipsec
-modules=/proc/modules
-ipforward=/proc/sys/net/ipv4/ip_forward
-ipsecversion=/proc/net/ipsec_version
-kamepfkey=/proc/net/pfkey
-
-# make sure output of (e.g.) ifconfig is in English
-unset LANG LANGUAGE LC_ALL LC_MESSAGES
-
-# check we were called properly
-if test " $IPSEC_confreadsection" != " setup"
-then
- echo "$me: $0 must be called by ipsec_setup" >&2
- exit 1
-fi
-# defaults for "config setup" items
-
-IPSECinterfaces=${IPSECinterfaces:-%defaultroute}
- if test " $IPSECinterfaces" = " %none" ; then IPSECinterfaces= ; fi
-# IPSECforwardcontrol "no"
-# IPSECsyslog "daemon.error"
-# IPSECklipsdebug "none"
-# IPSECplutodebug "none"
-# IPSECdumpdir "" (no dump)
-# IPSECmanualstart ""
-# IPSECpluto "yes"
-IPSECplutowait=${IPSECplutowait:-no}
-# IPSECprepluto ""
-# IPSECpostpluto ""
-# IPSECfragicmp "yes"
-# IPSEChidetos "yes"
-IPSECrp_filter=${IPSECrp_filter:-0}
-IPSECuniqueids=${IPSECuniqueids:-yes}
-IPSECcrlcheckinterval=${IPSECcrlcheckinterval:-0}
-# IPSECpkcs11module ""
-# IPSECoverridemtu ""
-
-# Shall we trace?
-execute="true"
-display="false"
-for i in $IPSEC_setupflags
-do
- case "$i" in
- "--showonly") execute="false" ; display=true ;;
- "--show") display=true ;;
- esac
-done
-
-if $display
-then
- echo " " PATH="$PATH"
-fi
-
-perform() {
- if $display
- then
- echo " " "$*"
- fi
-
- if $execute
- then
- eval "$*"
- fi
-}
-
-# function to set up manually-keyed connections
-manualconns() {
- if test " $IPSECmanualstart" != " "
- then
- for tu in $IPSECmanualstart
- do
- perform ipsec manual --up $tu
- done
- fi
-
- # search for things to "ipsec manual --up": auto == "manual"
- eval `ipsec _confread --varprefix MANUALSTART --search auto manual`
- if test " $MANUALSTART_confreadstatus" != " "
- then
- echo "auto=manual search: $MANUALSTART_confreadstatus"
- echo "unable to determine what conns to manual --up; none done"
- elif test " $MANUALSTART_confreadnames" != " "
- then
- for tu in $MANUALSTART_confreadnames
- do
- perform ipsec manual --up $tu
- done
- fi
-}
-
-# for no-stdout logging:
-LOGONLY="logger -p $IPSECsyslog -t ipsec_setup"
-
-# What an ugly string.
-# Must be a string, not a function, because it is nested
-# within another sequence (for plutorun).
-# Luckily there are NO substitutions in it.
-KILLKLIPS='ifl=` ifconfig | sed -n -e "/^ipsec/s/ .*//p" ` ;
- test "X$ifl" != "X" &&
- for i in $ifl ;
- do
- ifconfig $i down ;
- ipsec tncfg --detach --virtual $i ;
- done ;
- test -r /proc/net/ipsec_klipsdebug && ipsec klipsdebug --none ;
- ipsec eroute --clear ;
- ipsec spi --clear ;
- for alg in aes serpent twofish blowfish sha2 ;
- do
- lsmod 2>&1 | grep "^ipsec_$alg" > /dev/null && rmmod ipsec_$alg ;
- done ;
- lsmod 2>&1 | grep "^ipsec" > /dev/null && rmmod ipsec'
-
-if test -f $kamepfkey
-then
- KILLKLIPS='
- if ip xfrm state > /dev/null 2>&1 ;
- then
- ip xfrm state flush ;
- ip xfrm policy flush ;
- elif type setkey > /dev/null 2>&1 ;
- then
- setkey -F ;
- setkey -FP ;
- fi'
-fi
-
-
-
-# do it
-case "$1" in
- start|--start|_autostart)
- # First, does it seem to be going already?
- perform test ! -f $lock "||" "{" \
- echo "\"$IPSEC_NAME IPsec apparently already running, start aborted\"" ";" \
- exit 1 ";" \
- "}"
-
- # announcement
- # (Warning, changes to this log message may affect barf.)
- version="`ipsec --version | awk 'NR == 1 { print $(3) }' | sed -e 's/^U\(.*\)\/K(.*/\1/'`"
- case "$1" in
- start|--start) perform echo "\"Starting $IPSEC_NAME IPsec $version...\"" ;;
- _autostart) perform echo "\"Restarting $IPSEC_NAME IPsec $version...\"" ;;
- esac
-
- # preliminaries
- perform rm -f $lock
-
- for f in /dev/random /dev/urandom
- do
- perform test -r $f "||" "{" \
- echo "\"...unable to start $IPSEC_NAME IPsec, no $f!\"" ";" \
- exit 1 ";" \
- "}"
- done
-
- # the meaning of $$ at a different runtime is questionable!
- perform echo '$$' ">" $lock
- perform test -s $lock "||" "{" \
- echo "\"...unable to create $lock, aborting start!\"" ";" \
- rm -f $lock ";" \
- exit 1 ";" \
- "}"
-
- perform ">" $info
-
- # here we go
- perform ipsec _startklips \
- --info $info \
- --debug "\"$IPSECklipsdebug\"" \
- --omtu "\"$IPSECoverridemtu\"" \
- --fragicmp "\"$IPSECfragicmp\"" \
- --hidetos "\"$IPSEChidetos\"" \
- --rpfilter "\"$IPSECrp_filter\"" \
- --log "\"$IPSECsyslog\"" \
- $IPSECinterfaces "||" \
- "{" rm -f $lock ";" exit 1 ";" "}"
-
- perform test -f $ipsecversion "||" \
- test -f $kamepfkey "||" "{" \
- echo "\"OOPS, should have aborted! Broken shell!\"" ";" \
- exit 1 ";" \
- "}"
-
- # misc pre-Pluto setup
-
- perform test -d `dirname $subsyslock` "&&" touch $subsyslock
-
- if test " $IPSECforwardcontrol" = " yes"
- then
- perform grep '"^0"' $ipforward ">" /dev/null "&&" "{" \
- echo "\"enabling IP forwarding:\"" "|" $LOGONLY ";" \
- echo "\"ipforwardingwas=$fw\"" ">>" $info ";" \
- echo 1 ">" $ipforward ";" \
- "}"
- fi
- manualconns
-
- plutorestartoncrash=""
- case "$IPSECplutorestartoncrash" in
- true|[yY]|yes|restart) plutorestartoncrash="--plutorestartoncrash true";;
- false|[nN]|no|die) plutorestartoncrash="--plutorestartoncrash false" ;;
- esac
-
- # Pluto
- case "$1" in
- start|--start) re= ;;
- _autostart) re=--re ;;
- esac
- if test " $IPSECpluto" != " no"
- then
- perform ipsec _plutorun $re \
- --debug "\"$IPSECplutodebug\"" \
- --uniqueids "\"$IPSECuniqueids\"" \
- --nocrsend "\"$IPSECnocrsend\"" \
- --strictcrlpolicy "\"$IPSECstrictcrlpolicy\"" \
- --cachecrls "\"$IPSECcachecrls\"" \
- --nat_traversal "\"$IPSECnat_traversal\"" \
- --keep_alive "\"$IPSECkeep_alive\"" \
- --force_keepalive "\"$IPSECforce_keepalive\"" \
- --disable_port_floating "\"$IPSECdisable_port_floating\"" \
- --virtual_private "\"$IPSECvirtual_private\"" \
- --crlcheckinterval "\"$IPSECcrlcheckinterval\"" \
- --pkcs11module "\"$IPSECpkcs11module\"" \
- --pkcs11keepstate "\"$IPSECpkcs11keepstate\"" \
- --pkcs11proxy "\"$IPSECpkcs11proxy\"" \
- --dump "\"$IPSECdumpdir\"" \
- --opts "\"$IPSECplutoopts\"" \
- --stderrlog "\"$IPSECplutostderrlog\"" \
- --wait "\"$IPSECplutowait\"" \
- --pre "\"$IPSECprepluto\"" \
- --post "\"$IPSECpostpluto\"" \
- --log "\"$IPSECsyslog\"" $plutorestartoncrash \
- --pid "\"$plutopid\"" "||" "{" \
- $KILLKLIPS ";" \
- rm -f $lock ";" \
- exit 1 ";" \
- "}"
- fi
-
- # done!
- perform echo "\"...$IPSEC_NAME IPsec started\"" "|" $LOGONLY
- ;;
-
- stop|--stop|_autostop) # _autostop is same as stop
- # Shut things down.
- perform echo "\"Stopping $IPSEC_NAME IPsec...\""
- perform \
- if test -r $lock ";" \
- then \
- status=0 ";" \
- . $info ";" \
- else \
- echo "\"stop ordered, but IPsec does not appear to be running!\"" ";" \
- echo "\"doing cleanup anyway...\"" ";" \
- status=1 ";" \
- fi
- if test " $IPSECforwardcontrol" = " yes"
- then
- perform test "\"X\$ipforwardingwas\"" = "\"X0\"" "&&" "{" \
- echo "\"disabling IP forwarding:\"" "|" $LOGONLY ";" \
- echo 0 ">" $ipforward ";" \
- "}"
- fi
-
- perform test -f $plutopid "&&" "{" \
- if ps -p '`' cat $plutopid '`' ">" /dev/null ";" \
- then \
- ipsec whack --shutdown "|" grep -v "^002" ";" \
- sleep 1 ";" \
- if test -s $plutopid ";" \
- then \
- echo "\"Attempt to shut Pluto down failed! Trying kill:\"" ";" \
- kill '`' cat $plutopid '`' ";" \
- sleep 5 ";" \
- fi ";" \
- else \
- echo "\"Removing orphaned $plutopid:\"" ";" \
- fi ";" \
- rm -f $plutopid ";" \
- "}"
-
- perform $KILLKLIPS
-
- perform test -d `dirname $subsyslock` "&&" rm -f $subsyslock
-
- perform rm -f $info $lock
- perform echo "...$IPSEC_NAME IPsec stopped" "|" $LOGONLY
- perform exit \$status
- ;;
-
- status|--status)
- if test " $IPSEC_setupflags" != " "
- then
- echo "$me $1 does not support $IPSEC_setupflags"
- exit 1
- fi
-
- if test -f $info
- then
- hasinfo=yes
- fi
-
- if test -f $lock
- then
- haslock=yes
- fi
-
- if test -f $subsyslock
- then
- hassublock=yes
- fi
-
- if test -s $plutopid
- then
- if ps -p `cat $plutopid` >/dev/null
- then
- plutokind=normal
- elif ps -C pluto >/dev/null
- then
- plutokind=illicit
- fi
- elif ps -C pluto >/dev/null
- then
- plutokind=orphaned
- else
- plutokind=no
- fi
-
- if test -r /proc/net/ipsec_eroute
- then
- if test " `wc -l </proc/net/ipsec_eroute`" -gt 0
- then
- eroutes=yes
- fi
- fi
-
- if test -r $ipsecversion
- then
- klips=yes
- elif test -r $modules
- then
- klips=maybe
- else
- klips=none
- fi
-
- if test "$haslock"
- then
- echo "IPsec running"
- # might not be a subsystem lock dir, ignore that issue
- if test "$plutokind" = "normal" -a "$klips" = "yes" -a "$hasinfo"
- then
- echo "pluto pid `cat $plutopid`"
- exit 0
- fi
- echo "but..."
- if test "$plutokind" != "normal"
- then
- echo "$plutokind Pluto running!"
- fi
- if test ! "$hasinfo"
- then
- echo "$info file missing!"
- fi
- case $klips in
- maybe) echo "KLIPS module is not loaded!" ;;
- none) echo "no KLIPS in kernel!" ;;
- esac
- if test "$eroutes"
- then
- echo "some eroutes exist"
- fi
- exit 1
- else
- echo "IPsec stopped"
- if test ! "$hassublock" -a ! "$hasinfo" -a "$plutokind" = "no" \
- -a ! "$eroutes"
- then
- exit 0
- fi
- echo "but..."
- if test "$hassublock"
- then
- echo "has subsystem lock ($subsyslock)!"
- fi
- if test "$hasinfo"
- then
- echo "has $info file!"
- fi
- if test "$plutokind" != "normal"
- then
- echo "$plutokind Pluto is running!"
- fi
- if test "$eroutes"
- then
- echo "some eroutes exist!"
- fi
- exit 1
- fi
- ;;
-
- --version)
- if test " $IPSEC_setupflags" != " "
- then
- echo "$me $1 does not support $IPSEC_setupflags"
- exit 1
- fi
-
- echo "$me $IPSEC_VERSION"
- exit 0
- ;;
-
- --help)
- if test " $IPSEC_setupflags" != " "
- then
- echo "$me $1 does not support $IPSEC_setupflags"
- exit 1
- fi
-
- echo "Usage: $me {--start|--stop|--restart|--status}"
- exit 0
- ;;
-
- *)
- echo "Usage: $me {--start|--stop|--restart|--status}" >&2
- exit 2
-esac
-
-exit 0
diff --git a/programs/_secretcensor/.cvsignore b/programs/_secretcensor/.cvsignore
deleted file mode 100644
index 202d856fe..000000000
--- a/programs/_secretcensor/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-_secretcensor
diff --git a/programs/_secretcensor/Makefile b/programs/_secretcensor/Makefile
deleted file mode 100644
index 3df15286e..000000000
--- a/programs/_secretcensor/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_secretcensor
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:38 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/_secretcensor/_secretcensor.8 b/programs/_secretcensor/_secretcensor.8
deleted file mode 100644
index d502bbd37..000000000
--- a/programs/_secretcensor/_secretcensor.8
+++ /dev/null
@@ -1,34 +0,0 @@
-.TH _SECRETCENSOR 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _secretcensor.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _secretcensor \- internal routing to sanitize files
-.SH DESCRIPTION
-.I _secretcensor
-is called by
-.B ipsec barf
-to process the /etc/ipsec.secrets file to remove the private key components
-from the file prior to revealing the contents.
-.SH "SEE ALSO"
-ipsec(8), ipsec_barf(8).
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
-by Michael Richardson. Original program by Henry Spencer.
-.\"
-.\" $Log: _secretcensor.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\" Revision 1.1 2002/04/26 01:21:43 mcr
-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" MCR has decided that it is not okay for each program subdir to have
-.\" some subset (determined with -f) of possible files.
-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
diff --git a/programs/_secretcensor/_secretcensor.in b/programs/_secretcensor/_secretcensor.in
deleted file mode 100755
index 150c13cbc..000000000
--- a/programs/_secretcensor/_secretcensor.in
+++ /dev/null
@@ -1,75 +0,0 @@
-#! /bin/sh
-# implements secret censoring for barf
-# Copyright (C) 1999 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _secretcensor.in,v 1.1 2004/03/15 20:35:27 as Exp $
-
-usage="Usage: $0 [file ...]"
-me="ipsec _secretcensor"
-
-for dummy
-do
- case "$1" in
- --help) echo "$usage" ; exit 0 ;;
- --version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
- --) shift ; break ;;
- -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-awk ' function cool(hot, q, cooled, run) {
- # warning: may destroy input line!
- q = "'"'"'" # single quote
- if (hot ~ q)
- return "[cannot be summed]"
- if (hot ~ /^0s/)
- return "[keyid " substr(hot, 3, 9) "]"
- run = "echo " q hot q " | md5sum"
- run | getline
- close(run)
- return "[sums to " substr($1, 1, 4) "...]"
- }
- /"/ {
- i = match($0, /"[^"]+"/)
- cold1 = substr($0, 1, i)
- cold2 = substr($0, i+RLENGTH-1)
- hot = substr($0, i+1, RLENGTH-2)
- print cold1 cool(hot) cold2
- next
- }
- /#pubkey=/ {
- i = match($0, /^.*#pubkey=/)
- i += RLENGTH-1
- cold = substr($0, 1, i)
- hot = substr($0, i+1)
- print cold cool(hot)
- next
- }
- /#IN KEY / {
- i = match($0, /^.*[ \t][^ \t]/)
- i += RLENGTH-2
- cold = substr($0, 1, i)
- hot = substr($0, i+1)
- print cold cool("0s" hot)
- next
- }
- /^[ \t]+(Modulus|P[a-z]+Exponent|Prime[12]|Exponent[12]|Coefficient):/ {
- i = match($0, /^[^:]*:[ \t]*/)
- i += RLENGTH-1
- cold = substr($0, 1, i)
- print cold "[...]"
- next
- }
- { print }' $*
diff --git a/programs/_startklips/.cvsignore b/programs/_startklips/.cvsignore
deleted file mode 100644
index a206fe65f..000000000
--- a/programs/_startklips/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-_startklips
diff --git a/programs/_startklips/Makefile b/programs/_startklips/Makefile
deleted file mode 100644
index 9df701b0e..000000000
--- a/programs/_startklips/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_startklips
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/08/02 16:01:42 mcr
-# moved user visible programs to $PREFIX/libexec, while moving
-# private files to $PREFIX/lib.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/_startklips/_startklips.8 b/programs/_startklips/_startklips.8
deleted file mode 100644
index 066699085..000000000
--- a/programs/_startklips/_startklips.8
+++ /dev/null
@@ -1,33 +0,0 @@
-.TH _STARTKLIPS 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: _startklips.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec _startklips \- internal script to bring up kernel components
-.SH DESCRIPTION
-.I _startklips
-brings up the FreeS/WAN kernel component. This involves loading any
-required modules, attaching and configuring the ipsecX pseudo-devices and
-attaching the pseudo-devices to the physical devices.
-.SH "SEE ALSO"
-ipsec(8), ipsec_tncfg(8).
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
-by Michael Richardson. Original program by Henry Spencer.
-.\"
-.\" $Log: _startklips.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\" Revision 1.1 2002/04/26 01:21:43 mcr
-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" MCR has decided that it is not okay for each program subdir to have
-.\" some subset (determined with -f) of possible files.
-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
diff --git a/programs/_startklips/_startklips.in b/programs/_startklips/_startklips.in
deleted file mode 100755
index 7f85a94de..000000000
--- a/programs/_startklips/_startklips.in
+++ /dev/null
@@ -1,367 +0,0 @@
-#!/bin/sh
-# KLIPS startup script
-# Copyright (C) 1998, 1999, 2001, 2002 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: _startklips.in,v 1.6 2005/05/06 22:11:33 as Exp $
-
-me='ipsec _startklips' # for messages
-
-# KLIPS-related paths
-sysflags=/proc/sys/net/ipsec
-modules=/proc/modules
-# full rp_filter path is $rpfilter1/interface/$rpfilter2
-rpfilter1=/proc/sys/net/ipv4/conf
-rpfilter2=rp_filter
-# %unchanged or setting (0, 1, or 2)
-rpfiltercontrol=0
-ipsecversion=/proc/net/ipsec_version
-moduleplace=/lib/modules/`uname -r`/kernel/net/ipsec
-bareversion=`uname -r | sed -e 's/^\(2\.[0-9]\.[1-9][0-9]*-[1-9][0-9]*\(\.[0-9][0-9]*\)*\(\.x\)*\).*$/\1/'`
-moduleinstplace=/lib/modules/$bareversion/kernel/net/ipsec
-modulename=ipsec.o
-klips=true
-netkey=/proc/net/pfkey
-
-info=/dev/null
-log=daemon.error
-for dummy
-do
- case "$1" in
- --log) log="$2" ; shift ;;
- --info) info="$2" ; shift ;;
- --debug) debug="$2" ; shift ;;
- --omtu) omtu="$2" ; shift ;;
- --fragicmp) fragicmp="$2" ; shift ;;
- --hidetos) hidetos="$2" ; shift ;;
- --rpfilter) rpfiltercontrol="$2" ; shift ;;
- --) shift ; break ;;
- -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-
-
-# some shell functions, to clarify the actual code
-
-# set up a system flag based on a variable
-# sysflag value shortname default flagname
-sysflag() {
- case "$1" in
- '') v="$3" ;;
- *) v="$1" ;;
- esac
- if test ! -f $sysflags/$4
- then
- if test " $v" != " $3"
- then
- echo "cannot do $2=$v, $sysflags/$4 does not exist"
- exit 1
- else
- return # can't set, but it's the default anyway
- fi
- fi
- case "$v" in
- yes|no) ;;
- *) echo "unknown (not yes/no) $2 value \`$1'"
- exit 1
- ;;
- esac
- case "$v" in
- yes) echo 1 >$sysflags/$4 ;;
- no) echo 0 >$sysflags/$4 ;;
- esac
-}
-
-# set up a Klips interface
-klipsinterface() {
- # pull apart the interface spec
- virt=`expr $1 : '\([^=]*\)=.*'`
- phys=`expr $1 : '[^=]*=\(.*\)'`
- case "$virt" in
- ipsec[0-9]) ;;
- *) echo "invalid interface \`$virt' in \`$1'" ; exit 1 ;;
- esac
-
- # figure out ifconfig for interface
- addr=
- eval `ifconfig $phys |
- awk '$1 == "inet" && $2 ~ /^addr:/ && $NF ~ /^Mask:/ {
- gsub(/:/, " ", $0)
- print "addr=" $3
- other = $5
- if ($4 == "Bcast")
- print "type=broadcast"
- else if ($4 == "P-t-P")
- print "type=pointopoint"
- else if (NF == 5) {
- print "type="
- other = ""
- } else
- print "type=unknown"
- print "otheraddr=" other
- print "mask=" $NF
- }'`
- if test " $addr" = " "
- then
- echo "unable to determine address of \`$phys'"
- exit 1
- fi
- if test " $type" = " unknown"
- then
- echo "\`$phys' is of an unknown type"
- exit 1
- fi
- if test " $omtu" != " "
- then
- mtu="mtu $omtu"
- else
- mtu=
- fi
- echo "KLIPS $virt on $phys $addr/$mask $type $otheraddr $mtu" | logonly
-
- if $klips
- then
- # attach the interface and bring it up
- ipsec tncfg --attach --virtual $virt --physical $phys
- ifconfig $virt inet $addr $type $otheraddr netmask $mask $mtu
- fi
-
- # if %defaultroute, note the facts
- if test " $2" != " "
- then
- (
- echo "defaultroutephys=$phys"
- echo "defaultroutevirt=$virt"
- echo "defaultrouteaddr=$addr"
- if test " $2" != " 0.0.0.0"
- then
- echo "defaultroutenexthop=$2"
- fi
- ) >>$info
- else
- echo '#dr: no default route' >>$info
- fi
-
- # check for rp_filter trouble
- checkif $phys # thought to be a problem only on phys
-}
-
-# check an interface for problems
-checkif() {
- $klips || return 0
- rpf=$rpfilter1/$1/$rpfilter2
- if test -f $rpf
- then
- r="`cat $rpf`"
- if test " $r" != " 0"
- then
- case "$r-$rpfiltercontrol" in
- 0-%unchanged|0-0|1-1|2-2)
- # happy state
- ;;
- *-%unchanged)
- echo "WARNING: $1 has route filtering turned on; KLIPS may not work ($rpf is $r)"
- ;;
- [012]-[012])
- echo "WARNING: changing route filtering on $1 (changing $rpf from $r to $rpfiltercontrol)"
- echo "$rpfiltercontrol" >$rpf
- ;;
- [012]-*)
- echo "ERROR: unknown rpfilter setting: $rpfiltercontrol"
- ;;
- *)
- echo "ERROR: unknown $rpf value $r"
- ;;
- esac
- fi
- fi
-}
-
-# interfaces=%defaultroute: put ipsec0 on top of default route's interface
-defaultinterface() {
- phys=`netstat -nr |
- awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF }'`
- if test " $phys" = " "
- then
- echo "no default route, %defaultroute cannot cope!!!"
- exit 1
- fi
- if test `echo " $phys" | wc -l` -gt 1
- then
- echo "multiple default routes, %defaultroute cannot cope!!!"
- exit 1
- fi
- next=`netstat -nr |
- awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2 }'`
- klipsinterface "ipsec0=$phys" $next
-}
-
-# log only to syslog, not to stdout/stderr
-logonly() {
- logger -p $log -t ipsec_setup
-}
-
-# sort out which module is appropriate, changing it if necessary
-setmodule() {
- wantgoo="`ipsec calcgoo /proc/ksyms`"
- module=$moduleplace/$modulename
- if test -f $module
- then
- goo="`nm -ao $module | ipsec calcgoo`"
- if test " $wantgoo" = " $goo"
- then
- return # looks right
- fi
- fi
- if test -f $moduleinstplace/$wantgoo
- then
- echo "insmod failed, but found matching template module $wantgoo."
- echo "Copying $moduleinstplace/$wantgoo to $module."
- rm -f $module
- mkdir -p $moduleplace
- cp -p $moduleinstplace/$wantgoo $module
- # "depmod -a" gets done by caller
- fi
-}
-
-
-
-# main line
-
-# load module if possible
-if test ! -f $ipsecversion && test ! -f $netkey
-then
- # statically compiled KLIPS not found; try to load the module
- insmod ipsec
-fi
-
-if test ! -f $ipsecversion && test ! -f $netkey
-then
- modprobe -v af_key
-fi
-
-if test -f $netkey
-then
- klips=false
- if test -f $modules
- then
- modprobe -qv ah4
- modprobe -qv esp4
- modprobe -qv ipcomp
- modprobe -qv xfrm4_tunnel
- modprobe -qv xfrm_user
- fi
-fi
-
-if test ! -f $ipsecversion && $klips
-then
- if test -r $modules # kernel does have modules
- then
- setmodule
- unset MODPATH MODULECONF # no user overrides!
- depmod -a >/dev/null 2>&1
- modprobe -v ipsec
- fi
- if test ! -f $ipsecversion
- then
- echo "kernel appears to lack KLIPS"
- exit 1
- fi
-fi
-
-# load all compiled algo modules
-if $klips
-then
- for alg in aes serpent twofish blowfish sha2
- do
- if test -f $moduleinstplace/alg/ipsec_$alg.o
- then
- modprobe ipsec_$alg
- fi
- done
-fi
-
-# figure out debugging flags
-case "$debug" in
-'') debug=none ;;
-esac
-if test -r /proc/net/ipsec_klipsdebug
-then
- echo "KLIPS debug \`$debug'" | logonly
- case "$debug" in
- none) ipsec klipsdebug --none ;;
- all) ipsec klipsdebug --all ;;
- *) ipsec klipsdebug --none
- for d in $debug
- do
- ipsec klipsdebug --set $d
- done
- ;;
- esac
-elif $klips
-then
- if test " $debug" != " none"
- then
- echo "klipsdebug=\`$debug' ignored, KLIPS lacks debug facilities"
- fi
-fi
-
-# figure out misc. kernel config
-if test -d $sysflags
-then
- sysflag "$fragicmp" "fragicmp" yes icmp
- echo 1 >$sysflags/inbound_policy_check # no debate
- sysflag no "no_eroute_pass" no no_eroute_pass # obsolete parm
- sysflag no "opportunistic" no opportunistic # obsolete parm
- sysflag "$hidetos" "hidetos" yes tos
-elif $klips
-then
- echo "WARNING: cannot adjust KLIPS flags, no $sysflags directory!"
- # carry on
-fi
-
-if $klips; then
- # clear tables out in case dregs have been left over
- ipsec eroute --clear
- ipsec spi --clear
-elif test $netkey
-then
- if ip xfrm state > /dev/null 2>&1
- then
- ip xfrm state flush
- ip xfrm policy flush
- elif type setkey > /dev/null 2>&1
- then
- setkey -F
- setkey -FP
- else
- echo "WARNING: cannot flush state/policy database -- \`$1'" |
- logger -s -p $log -t ipsec_setup
- fi
-fi
-
-# figure out interfaces
-for i
-do
- case "$i" in
- ipsec*=?*) klipsinterface "$i" ;;
- %defaultroute) defaultinterface ;;
- *) echo "interface \`$i' not understood"
- exit 1
- ;;
- esac
-done
-
-exit 0
diff --git a/programs/_updown/.cvsignore b/programs/_updown/.cvsignore
deleted file mode 100644
index 81e2e4f86..000000000
--- a/programs/_updown/.cvsignore
+++ /dev/null
@@ -1,2 +0,0 @@
-_updown
-_updown.in
diff --git a/programs/_updown/Makefile b/programs/_updown/Makefile
deleted file mode 100644
index e0aaab488..000000000
--- a/programs/_updown/Makefile
+++ /dev/null
@@ -1,22 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.3 2006/04/17 06:48:49 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_updown
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
diff --git a/programs/_updown_espmark/Makefile b/programs/_updown_espmark/Makefile
deleted file mode 100644
index bd9cd38cb..000000000
--- a/programs/_updown_espmark/Makefile
+++ /dev/null
@@ -1,22 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2005/04/07 21:34:19 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=_updown_espmark
-PROGRAMDIR=${LIBDIR}
-
-include ../Makefile.program
diff --git a/programs/auto/.cvsignore b/programs/auto/.cvsignore
deleted file mode 100644
index 865faf10c..000000000
--- a/programs/auto/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-auto
diff --git a/programs/auto/Makefile b/programs/auto/Makefile
deleted file mode 100644
index 035dbf708..000000000
--- a/programs/auto/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.2 2006/02/10 11:28:38 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=auto
-
-include ../Makefile.program
diff --git a/programs/auto/auto.8 b/programs/auto/auto.8
deleted file mode 100644
index 21b5fd11b..000000000
--- a/programs/auto/auto.8
+++ /dev/null
@@ -1,481 +0,0 @@
-.TH IPSEC_AUTO 8 "17 December 2004"
-.\" RCSID $Id: auto.8,v 1.6 2004/12/17 22:34:38 as Exp $
-.SH NAME
-ipsec auto \- control automatically-keyed IPsec connections
-.SH SYNOPSIS
-.B ipsec
-.B auto
-[
-.B \-\-show
-] [
-.B \-\-showonly
-] [
-.B \-\-asynchronous
-]
-.br
-\ \ \ [
-.B \-\-config
-configfile
-] [
-.B \-\-verbose
-] [
-.B \-\-type conn
-]
-.br
-\ \ \ operation
-connection
-.sp
-.B ipsec
-.B auto
-[
-.B \-\-show
-] [
-.B \-\-showonly
-]
-.br
-\ \ \ [
-.B \-\-config
-configfile
-] [
-.B \-\-verbose
-]
-.B \-\-type ca
-.br
-\ \ \ operation
-ca
-.sp
-.B ipsec
-.B auto
-[
-.B \-\-show
-] [
-.B \-\-showonly
-] operation
-.SH DESCRIPTION
-.I Auto
-manipulates automatically-keyed strongSwan IPsec connections,
-setting them up and shutting them down
-based on the information in the IPsec configuration file.
-In the normal usage,
-.I connection
-is the name of a connection specification in the configuration file;
-.I ca
-is the name of a Certification Authority (CA) specification in the configuration file;
-.I operation
-is
-.BR \-\-add ,
-.BR \-\-delete ,
-.BR \-\-replace ,
-.BR \-\-up ,
-.BR \-\-down ,
-.BR \-\-route ,
-or
-.BR \-\-unroute .
-The
-.BR \-\-status
-and
-.BR \-\-statusall
-.I operations
-may take a
-.I connection
-name.
-The
-.BR \-\-ready ,
-.BR \-\-rereadsecrets ,
-.BR \-\-rereadgroups ,
-.BR \-\-rereadcacerts ,
-.BR \-\-rereadaacerts ,
-.BR \-\-rereadocspcerts ,
-.BR \-\-rereadacerts ,
-.BR \-\-rereadcrls ,
-.BR \-\-rereadall ,
-.BR \-\-listalgs ,
-.BR \-\-listpubkeys ,
-.BR \-\-listcerts ,
-.BR \-\-listcacerts ,
-.BR \-\-listaacerts ,
-.BR \-\-listocspcerts ,
-.BR \-\-listacerts ,
-.BR \-\-listgroups ,
-.BR \-\-listcainfos ,
-.BR \-\-listcrls ,
-.BR \-\-listocsp ,
-.BR \-\-listcards ,
-.BR \-\-listall ,
-and
-.BR \-\-purgeocsp
-.I operations
-do not take a connection name.
-.I Auto
-generates suitable
-commands and feeds them to a shell for execution.
-.PP
-The
-.B \-\-add
-operation adds a connection or ca specification to the internal database
-within
-.IR pluto ;
-it will fail if
-.I pluto
-already has a specification by that name.
-The
-.B \-\-delete
-operation deletes a connection or ca specification from
-.IR pluto 's
-internal database (also tearing down any connections based on it);
-it will fail if the specification does not exist.
-The
-.B \-\-replace
-operation is equivalent to
-.B \-\-delete
-(if there is already a specification by the given name)
-followed by
-.BR \-\-add ,
-and is a convenience for updating
-.IR pluto 's
-internal specification to match an external one.
-(Note that a
-.B \-\-rereadsecrets
-may also be needed.)
-The
-.B \-\-rereadgroups
-operation causes any changes to the policy group files to take effect
-(this is currently a synonym for
-.BR \-\-ready ,
-but that may change).
-None of the other operations alters the internal database.
-.PP
-The
-.B \-\-up
-operation asks
-.I pluto
-to establish a connection based on an entry in its internal database.
-The
-.B \-\-down
-operation tells
-.I pluto
-to tear down such a connection.
-.PP
-Normally,
-.I pluto
-establishes a route to the destination specified for a connection as
-part of the
-.B \-\-up
-operation.
-However, the route and only the route can be established with the
-.B \-\-route
-operation.
-Until and unless an actual connection is established,
-this discards any packets sent there,
-which may be preferable to having them sent elsewhere based on a more
-general route (e.g., a default route).
-.PP
-Normally,
-.IR pluto 's
-route to a destination remains in place when a
-.B \-\-down
-operation is used to take the connection down
-(or if connection setup, or later automatic rekeying, fails).
-This permits establishing a new connection (perhaps using a
-different specification; the route is altered as necessary)
-without having a ``window'' in which packets might go elsewhere
-based on a more general route.
-Such a route can be removed using the
-.B \-\-unroute
-operation
-(and is implicitly removed by
-.BR \-\-delete ).
-.PP
-The
-.B \-\-ready
-operation tells
-.I pluto
-to listen for connection-setup requests from other hosts.
-Doing an
-.B \-\-up
-operation before doing
-.B \-\-ready
-on both ends is futile and will not work,
-although this is now automated as part of IPsec startup and
-should not normally be an issue.
-.PP
-The
-.B \-\-status
-operation asks
-.I pluto
-for current connection status either for all connections
-(no connection argument) or a for specified
-.I connection
-name. For more detailed information use
-.B \-\-statusall
-\. The output format is ad-hoc and likely to change.
-.PP
-The
-.B \-\-rereadsecrets
-operation tells
-.I pluto
-to re-read the
-.I /etc/ipsec.secrets
-secret-keys file,
-which it normally reads only at startup time.
-(This is currently a synonym for
-.BR \-\-ready ,
-but that may change.)
-.PP
-The
-.B \-\-rereadcacerts
-operation reads all certificate files contained in the
-.IR /etc/ipsec.d/cacerts
-directory and adds them to
-.IR pluto 's
-list of Certification Authority (CA) certificates.
-.PP
-The
-.B \-\-rereadaacerts
-operation reads all certificate files contained in the
-.IR /etc/ipsec.d/aacerts
-directory and adds them to
-.IR pluto 's
-list of Authorization Authority (AA) certificates.
-.PP
-The
-.B \-\-rereadocspcerts
-operation reads all certificate files contained in the
-.IR /etc/ipsec.d/ocspcerts
-directory and adds them to
-.IR pluto 's
-list of OCSP signer certificates.
-.PP
-The
-.B \-\-rereadacerts
-operation reads all certificate files contained in the
-.IR /etc/ipsec.d/acerts
-directory and adds them to
-.IR pluto 's
-list of attribute certificates.
-.PP
-The
-.B \-\-rereadcrls
-operation reads all certificate revocation list (CRL) files
-contained in the
-.IR /etc/ipsec.d/crls
-directory and adds them to
-.IR pluto 's
-list of CRLs.
-.PP
-The
-.B \-\-rereadall
-operation is equivalent to the execution of
-.BR \-\-rereadsecrets ,
-.BR \-\-rereadcacerts ,
-.BR \-\-rereadaacerts ,
-.BR \-\-rereadocspcerts ,
-.BR \-\-rereadacerts ,
-and
-.BR \-\-rereadcrls .
-.PP
-The
-.B \-\-listalgs
-operation lists all registed IKE encryption and hash algorithms,
-that are available to
-.IR pluto ,
-as well as the Diffie-Hellman (DH) groups.
-.PP
-The
-.B \-\-listpubkeys
-operation lists all RSA public keys either received from peers
-via the IKE protocol embedded in authenticated certificate payloads
-or loaded locally using the
-.BR rightcert \ /
-.BR leftcert
-or
-.BR rightrsasigkey \ /
-.BR leftrsasigkey
-parameters in
-.IR ipsec.conf (5).
-.PP
-The
-.B \-\-listcerts
-operation lists all X.509 and OpenPGP certificates loaded locally using the
-.BR rightcert
-and
-.BR leftcert
-parameters in
-.IR ipsec.conf (5).
-.PP
-The
-.B \-\-listcacerts
-operation lists all X.509 CA certificates either loaded locally from the
-.IR /etc/ipsec.d/cacerts
-directory or received in PKCS#7-wrapped certificate payloads via
-the IKE protocol.
-.PP
-The
-.B \-\-listaacerts
-operation lists all X.509 AA certificates loaded locally from the
-.IR /etc/ipsec.d/aacerts
-directory.
-.PP
-The
-.B \-\-listocspcerts
-operation lists all OCSP signer certificates either loaded locally from the
-.IR /etc/ipsec.d/ocspcerts
-directory or received via the Online Certificate Status Protocol
-from an OCSP server.
-.PP
-The
-.B \-\-listacerts
-operation lists all X.509 attribute certificates loaded locally from the
-.IR /etc/ipsec.d/acerts
-directory.
-.PP
-The
-.B \-\-listgropus
-operation lists all groups that are either used in connection definitions in
-.IR ipsec.conf (5)
-or are embedded in loaded X.509 attributes certificates.
-.PP
-The
-.B \-\-listcainfos
-operation lists the certification authority information specified in the ca
-sections of
-.IR ipsec.conf (5).
-.PP
-The
-.B \-\-listcrls
-operation lists all Certificate Revocation Lists (CRLs) either loaded
-locally from the
-.IR /etc/ipsec.d/crls
-directory or fetched dynamically from an HTTP or LDAP server.
-.PP
-The
-.B \-\-listocsp
-operation lists the certicates status information fetched from
-OCSP servers.
-.PP
-The
-.B \-\-purgeocsp
-operation deletes any cached certificate status information and pending
-OCSP fetch requests.
-.PP
-The
-.B \-\-listcards
-operation lists information about attached smartcards or crypto tokens.
-.PP
-The
-.B \-\-listall
-operation is equivalent to the execution of
-.BR \-\-listalgs ,
-.BR \-\-listpubkeys ,
-.BR \-\-listcerts ,
-.BR \-\-listcacerts ,
-.BR \-\-listaacerts ,
-.BR \-\-listocspcerts ,
-.BR \-\-listacerts ,
-.BR \-\-listgroups ,
-.BR \-\-listcainfos ,
-.BR \-\-listcrls ,
-.BR \-\-listocsp ,
-and
-.BR \-\-listcards .
-.PP
-The
-.B \-\-show
-option turns on the
-.B \-x
-option of the shell used to execute the commands,
-so each command is shown as it is executed.
-.PP
-The
-.B \-\-showonly
-option causes
-.I auto
-to show the commands it would run, on standard output,
-and not run them.
-.PP
-The
-.B \-\-asynchronous
-option, applicable only to the
-.B up
-operation,
-tells
-.I pluto
-to attempt to establish the connection,
-but does not delay to report results.
-This is especially useful to start multiple connections in parallel
-when network links are slow.
-.PP
-The
-.B \-\-verbose
-option instructs
-.I auto
-to pass through all output from
-.IR ipsec_whack (8),
-including log output that is normally filtered out as uninteresting.
-.PP
-The
-.B \-\-config
-option specifies a non-standard location for the IPsec
-configuration file (default
-.IR /etc/ipsec.conf ).
-.PP
-See
-.IR ipsec.conf (5)
-for details of the configuration file.
-Apart from the basic parameters which specify the endpoints and routing
-of a connection (\fBleft\fR
-and
-.BR right ,
-plus possibly
-.BR leftsubnet ,
-.BR leftnexthop ,
-.BR leftfirewall ,
-their
-.B right
-equivalents,
-and perhaps
-.BR type ),
-an
-.I auto
-connection almost certainly needs a
-.B keyingtries
-parameter (since the
-.B keyingtries
-default is poorly chosen).
-.SH FILES
-.ta \w'/var/run/ipsec.info'u+4n
-/etc/ipsec.conf default IPSEC configuration file
-.br
-/var/run/ipsec.info \fB%defaultroute\fR information
-.SH SEE ALSO
-ipsec.conf(5), ipsec(8), ipsec_pluto(8), ipsec_whack(8), ipsec_manual(8)
-.SH HISTORY
-Written for the FreeS/WAN project
-<http://www.freeswan.org>
-by Henry Spencer.
-Extended for the strongSwan project
-<http://www.strongswan.org>
-by Andreas Steffen.
-.SH BUGS
-Although an
-.B \-\-up
-operation does connection setup on both ends,
-.B \-\-down
-tears only one end of the connection down
-(although the orphaned end will eventually time out).
-.PP
-There is no support for
-.B passthrough
-connections.
-.PP
-A connection description which uses
-.B %defaultroute
-for one of its
-.B nexthop
-parameters but not the other may be falsely
-rejected as erroneous in some circumstances.
-.PP
-The exit status of
-.B \-\-showonly
-does not always reflect errors discovered during processing of the request.
-(This is fine for human inspection, but not so good for use in scripts.)
diff --git a/programs/auto/auto.in b/programs/auto/auto.in
deleted file mode 100755
index 05568f9b5..000000000
--- a/programs/auto/auto.in
+++ /dev/null
@@ -1,660 +0,0 @@
-#! /bin/sh
-# user interface to automatic keying and Pluto in general
-# Copyright (C) 1998, 1999, 2000 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: auto.in,v 1.17 2006/04/20 04:42:12 as Exp $
-
-me='ipsec auto'
-usage="Usage:
- $me [--showonly] [--asynchronous] --up connectionname
- $me [--showonly] [-- type conn|ca] --{add|delete|replace|down} name
- $me [--showonly] --{route|unroute} connectionname
- $me [--showonly] --ready
- $me [--showonly] --{status|statusall} [connectionname]
- $me [--showonly] --{rereadsecrets|rereadgroups}
- $me [--showonly] --{rereadcacerts|rereadaacerts|rereadocspcerts}
- $me [--showonly] --{rereadacerts|rereadcrls|rereadall}
- $me [--showonly] [--utc] --{listalgs|listpubkeys|listcerts}
- $me [--showonly] [--utc] --{listcacerts|listaacerts|listocspcerts}
- $me [--showonly] [--utc] --{listacerts|listgroups|listcainfos}
- $me [--showonly] [--utc] --{listcrls|listocsp|listcards|listall}
- $me [--showonly] --purgeocsp
-
- other options: [--config ipsecconfigfile] [--verbose] [--show]"
-
-showonly=
-config=
-info=/var/run/ipsec.info
-shopts=
-noinclude=
-async=
-logfilter='$1 != "002"'
-op=
-argc=
-utc=
-type="conn"
-name="--name"
-
-for dummy
-do
- case "$1" in
- --help) echo "$usage" ; exit 0 ;;
- --version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
- --show) shopts=-x ;;
- --showonly) showonly=yes ;;
- --utc) utc="$1" ;;
- --config) config="--config $2" ; shift ;;
- --noinclude) noinclude=--noinclude ;;
- --asynchronous) async="--asynchronous" ;;
- --verbose) logfilter='1' ;;
- --type) type="$2" ; shift ;;
- --up|--down|--add|--delete|--replace|--route|--unroute)
- if test " $op" != " "
- then
- echo "$usage" >&2
- exit 2
- fi
- op="$1"
- argc=1
- if test "$type" = "ca"
- then
- name="--caname"
- case "$op" in
- --add|--delete|--replace) ;;
- --*) echo "$op option not supported for --type ca";
- exit 3 ;;
- esac
- fi
- ;;
- --status|--statusall)
- if test " $op" != " "
- then
- echo "$usage" >&2
- exit 2
- fi
- op="$1"
- argc=1
- if test $# -eq 1
- then
- argc=0; name=
- fi
- ;;
- --ready|--rereadsecrets|--rereadgroups|\
- --rereadcacerts|--rereadaacerts|--rereadocspcerts|\
- --rereadacerts|--rereadcrls|--rereadall|\
- --listalgs|--listpubkeys|--listcerts|\
- --listcacerts|--listaacerts|--listocspcerts|\
- --listacerts|--listgroups|--listcainfos|\
- --listcrls|--listocsp|--listcards|--listall|\
- --purgeocsp)
- if test " $op" != " "
- then
- echo "$usage" >&2
- exit 2
- fi
- op="$1"
- argc=0
- ;;
- --) shift ; break ;;
- -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-names=
-case "$op" in
---*) if test " $argc" -ne $#
- then
- echo "$usage" >&2
- exit 2
- fi
- names="$*"
- ;;
-*) echo "$usage" >&2 ; exit 2 ;;
-esac
-
-
-runit() {
- if test "$showonly"
- then
- cat
- else
- (
- echo '('
- cat
- echo ')'
- echo 'echo = $?'
- ) | sh $shopts |
- awk "/^= / { exit \$2 } $logfilter { print }"
- fi
-}
-
-case "$op" in
---ready) echo "ipsec whack --listen" | runit ; exit ;;
---rereadsecrets) echo "ipsec whack --rereadsecrets" | runit ; exit ;;
---rereadgroups) echo "ipsec whack --listen" | runit ; exit ;;
---rereadcacerts) echo "ipsec whack --rereadcacerts" | runit ; exit ;;
---rereadaacerts) echo "ipsec whack --rereadaacerts" | runit ; exit ;;
---rereadocspcerts) echo "ipsec whack --rereadocspcerts" | runit ; exit ;;
---rereadacerts) echo "ipsec whack --rereadacerts" | runit ; exit ;;
---rereadcrls) echo "ipsec whack --rereadcrls" | runit ; exit ;;
---rereadall) echo "ipsec whack --rereadall" | runit ; exit ;;
---listalgs) echo "ipsec whack --listalgs" | runit ; exit ;;
---listpubkeys) echo "ipsec whack $utc --listpubkeys" | runit ; exit ;;
---listcerts) echo "ipsec whack $utc --listcerts" | runit ; exit ;;
---listcacerts) echo "ipsec whack $utc --listcacerts" | runit ; exit ;;
---listaacerts) echo "ipsec whack $utc --listaacerts" | runit ; exit ;;
---listocspcerts) echo "ipsec whack $utc --listocspcerts" | runit ; exit ;;
---listacerts) echo "ipsec whack $utc --listacerts" | runit ; exit ;;
---listgroups) echo "ipsec whack $utc --listgroups" | runit ; exit ;;
---listcainfos) echo "ipsec whack $utc --listcainfos" | runit ; exit ;;
---listcrls) echo "ipsec whack $utc --listcrls" | runit ; exit ;;
---listocsp) echo "ipsec whack $utc --listocsp" | runit ; exit ;;
---listcards) echo "ipsec whack $utc --listcards" | runit ; exit ;;
---listall) echo "ipsec whack $utc --listall" | runit ; exit ;;
---purgeocsp) echo "ipsec whack $utc --purgeocsp" | runit ; exit ;;
---up) echo "ipsec whack $async --name $names --initiate" | runit ; exit ;;
---down) echo "ipsec whack --name $names --terminate" | runit ; exit ;;
---delete) echo "ipsec whack $name $names --delete" | runit ; exit ;;
---route) echo "ipsec whack --name $names --route" | runit ; exit ;;
---unroute) echo "ipsec whack --name $names --unroute" | runit ; exit ;;
---status) echo "ipsec whack $name $names --status" | runit ; exit ;;
---statusall) echo "ipsec whack $name $names --statusall" | runit ; exit ;;
-esac
-
-if test -s $info
-then
- . $info
-fi
-
-ipsec _confread $config $noinclude --type $type $names |
-awk -v section="$type" ' BEGIN {
- FS = "\t"
- op = "'"$op"'"
- err = "cat >&2"
- draddr = "'"$defaultrouteaddr"'"
- drnexthop = "'"$defaultroutenexthop"'"
- failed = 0
- s[""] = ""
- init()
- print "PATH=\"'"$PATH"'\""
- print "export PATH"
- flip["left"] = "right"
- flip["right"] = "left"
- }
- function init(n) {
- for (n in s)
- delete s[n]
- name = ""
- seensome = 0
- }
- $1 == ":" {
- s[$2] = $3
- seensome = 1
- next
- }
- $1 == "!" {
- if ($2 != "")
- fail($2)
- next
- }
- $1 == "=" {
- if (name == "")
- name = $2
- next
- }
- $1 == "." {
- if (section == "ca")
- output_ca()
- else
- output()
- init()
- next
- }
- {
- fail("internal error, unknown type code " v($1))
- }
- function fail(m) {
- print "ipsec_auto: fatal error in " v(name) ": " m |err
- failed = 1
- exit
- }
- function yesno(k) {
- if ((k in s) && s[k] != "yes" && s[k] != "no")
- fail("parameter " v(k) " must be \"yes\" or \"no\"")
- }
- function setdefault(k, val) {
- if (!(k in s))
- s[k] = val
- }
- function was(new, old) {
- if (!(new in s) && (old in s))
- s[new] = s[old]
- }
- function need(k) {
- if (!(k in s))
- fail("connection has no " v(k) " parameter specified")
- if (s[k] == "")
- fail("parameter " v(k) " value must be non-empty")
- }
- function integer(k) {
- if (!(k in s))
- return
- if (s[k] !~ /^[0-9]+$/)
- fail("parameter " v(k) " value must be integer")
- }
- function duration(k, n, t) {
- if (!(k in s))
- return
- t = s[k]
- n = substr(t, 1, length(t)-1)
- if (t ~ /^[0-9]+$/)
- s[k] = t
- else if (t ~ /^[0-9]+s$/)
- s[k] = n
- else if (t ~ /^[0-9]+(\.[0-9]+)?m$/)
- s[k] = int(n*60)
- else if (t ~ /^[0-9]+(\.[0-9]+)?h$/)
- s[k] = int(n*3600)
- else if (t ~ /^[0-9]+(\.[0-9]+)?d$/)
- s[k] = int(n*3600*24)
- else
- fail("parameter " v(k) " not valid time, must be nnn[smhd]")
- }
- function nexthopset(dir, val, k) {
- k = dir "nexthop"
- if (k in s)
- fail("non-default value of " k " is being overridden")
- if (val != "")
- s[k] = val
- else if (k in s)
- delete s[k]
- }
- function id(dir, k) {
- k = dir "id"
- if (!(k in s))
- k = dir
- return s[k]
- }
- function whackkey(dir, which, flag, rk, n) {
- if (id(dir) == "%opportunistic")
- return
- rk = s[dir which]
- if (rk == "%dnsondemand")
- {
- kod="--dnskeyondemand"
- return
- }
- if (rk == "" || rk == "%none" || rk == "%cert" || rk == "0x00")
- return
- n = "\"\\\"" name "\\\" " dir which"\""
- if (rk == "%dns" || rk == "%dnsonload")
- {
- if (id(flip[dir]) == "%opportunistic" || s[flip[dir]] == "%any")
- return
- print "ipsec whack --label", n, flag,
- "--keyid", q(id(dir)), "\\"
- }
- else
- {
- print "ipsec whack --label", n, flag,
- "--keyid", q(id(dir)),
- "--pubkeyrsa", q(rk), "\\"
- }
- print "\t|| exit $?"
- }
- function q(str) { # quoting for shell
- return "\"" str "\""
- }
- function qs(k) { # utility abbreviation for q(s[k])
- return q(s[k])
- }
- function v(str) { # quoting for human viewing
- return "\"" str "\""
- }
- function output() {
- if (!seensome)
- fail("internal error, output called inappropriately")
-
- setdefault("type", "tunnel")
- type_flags = ""
- t = s["type"]
- if (t == "tunnel") {
- # do NOT default subnets to side/32, despite what
- # the docs say...
- type_flags = "--tunnel"
- } else if (t == "transport") {
- if ("leftsubnet" in s)
- fail("type=transport incompatible with leftsubnet")
- if ("rightsubnet" in s)
- fail("type=transport incompatible with rightsubnet")
- type_flags = ""
- } else if (t == "passthrough") {
- type_flags = "--pass"
- } else if (t == "drop") {
- type_flags = "--drop"
- } else if (t == "reject") {
- type_flags = "--reject"
- } else
- fail("unknown type " v(t))
-
- setdefault("failureshunt", "none")
- t = s["failureshunt"]
- if (t == "passthrough")
- type_flags = type_flags " --failpass";
- else if (t == "drop")
- type_flags = type_flags " --faildrop";
- else if (t == "reject")
- type_flags = type_flags " --failreject";
- else if (t != "none")
- fail("unknown failureshunt value " v(t))
-
- need("left")
- need("right")
- if (s["left"] == "%defaultroute") {
- if (s["right"] == "%defaultroute")
- fail("left and right cannot both be %defaultroute")
- if (draddr == "")
- fail("%defaultroute requested but not known")
- s["left"] = draddr
- nexthopset("left", drnexthop)
- } else if (s["right"] == "%defaultroute") {
- if (draddr == "")
- fail("%defaultroute requested but not known")
- s["right"] = draddr
- nexthopset("right", drnexthop)
- }
-
- setdefault("keyexchange", "ike")
- if (s["keyexchange"] != "ike")
- fail("only know how to do keyexchange=ike")
- setdefault("auth", "esp")
- if (("auth" in s) && s["auth"] != "esp" && s["auth"] != "ah")
- fail("only know how to do auth=esp or auth=ah")
- yesno("pfs")
-
- setdefault("pfs", "yes")
- duration("dpddelay")
- duration("dpdtimeout")
- if ("dpdaction" in s)
- {
- setdefault("dpddelay",30)
- setdefault("dpdtimeout",120)
- }
- yesno("compress")
- setdefault("compress", "no")
- setdefault("keylife", "1h")
- duration("keylife")
- yesno("rekey")
- setdefault("rekey", "yes")
- setdefault("rekeymargin", "9m")
- duration("rekeymargin")
- setdefault("keyingtries", "%forever")
- if (s["keyingtries"] == "%forever")
- s["keyingtries"] = 0
- integer("keyingtries")
- if ("rekeyfuzz" in s) {
- if (s["rekeyfuzz"] !~ /%$/)
- fail("rekeyfuzz must be nnn%")
- r = s["rekeyfuzz"]
- s["rekeyfuzz"] = substr(r, 1, length(r)-1)
- integer("rekeyfuzz")
- }
- duration("ikelifetime")
- setdefault("disablearrivalcheck", "no")
-
- setdefault("leftsendcert", "always")
- setdefault("rightsendcert", "always")
-
- setdefault("leftnexthop", "%direct")
- setdefault("rightnexthop", "%direct")
- if (s["leftnexthop"] == s["left"])
- fail("left and leftnexthop must not be the same")
- if (s["rightnexthop"] == s["right"])
- fail("right and rightnexthop must not be the same")
- if (s["leftnexthop"] == "%defaultroute") {
- if (drnexthop == "")
- fail("%defaultroute requested but not known")
- s["leftnexthop"] = drnexthop
- }
- if (s["rightnexthop"] == "%defaultroute") {
- if (drnexthop == "")
- fail("%defaultroute requested but not known")
- s["rightnexthop"] = drnexthop
- }
-
- if ("leftfirewall" in s && "leftupdown" in s)
- fail("cannot have both leftfirewall and leftupdown")
- if ("rightfirewall" in s && "rightupdown" in s)
- fail("cannot have both rightfirewall and rightupdown")
- setdefault("leftupdown", "ipsec _updown")
- setdefault("rightupdown", "ipsec _updown")
- setdefault("lefthostaccess", "no")
- setdefault("righthostaccess", "no")
- yesno("lefthostaccess")
- yesno("righthostaccess")
- lha = ""
- if (s["lefthostaccess"] == "yes")
- lha = "--hostaccess"
- rha = ""
- if (s["righthostaccess"] == "yes")
- rha = "--hostaccess"
- setdefault("leftfirewall", "no")
- setdefault("rightfirewall", "no")
- yesno("leftfirewall")
- yesno("rightfirewall")
- if (s["leftfirewall"] == "yes")
- s["leftupdown"] = s["leftupdown"] " iptables"
- if (s["rightfirewall"] == "yes")
- s["rightupdown"] = s["rightupdown"] " iptables"
-
- setdefault("authby", "rsasig")
- t = s["authby"]
- if (t == "rsasig" || t == "secret|rsasig" || t == "rsasig|secret") {
- authtype = "--rsasig"
- type_flags = "--encrypt " type_flags
- if (!("leftcert" in s)) {
- setdefault("leftrsasigkey", "%cert")
- if (id("left") == "%any" &&
- !(s["leftrsasigkey"] == "%cert" ||
- s["leftrsasigkey"] == "0x00") )
- fail("ID " v(id("left")) " cannot have RSA key")
- }
- if (!("rightcert" in s)) {
- setdefault("rightrsasigkey", "%cert")
- if (id("right") == "%any" &&
- !(s["rightrsasigkey"] == "%cert" ||
- s["rightrsasigkey"] == "0x00") )
- fail("ID " v(id("right")) " cannot have RSA key")
- }
- if (t != "rsasig")
- authtype = authtype " --psk"
- } else if (t == "secret") {
- authtype = "--psk"
- type_flags = "--encrypt " type_flags
- } else if (t == "never") {
- authtype = ""
- } else {
- fail("unknown authby value " v(t))
- }
-
- settings = type_flags
- setdefault("ike", "3des-sha,3des-md5")
- if (s["ike"] != "")
- settings = settings " --ike " qs("ike")
- setdefault("esp", "3des")
- if (s["esp"] != "")
- settings = settings " --esp " qs("esp")
- if (s["auth"] == "ah")
- settings = settings " --authenticate"
- if (s["pfs"] == "yes") {
- settings = settings " --pfs"
- if (s["pfsgroup"] != "")
- settings = settings " --pfsgroup " qs("pfsgroup")
- }
-
- if (s["dpdaction"])
- settings = settings " --dpdaction " qs("dpdaction")
- if (s["dpddelay"])
- settings = settings " --dpddelay " qs("dpddelay")
- if (s["dpdtimeout"])
- settings = settings " --dpdtimeout " qs("dpdtimeout")
-
- if (s["compress"] == "yes")
- settings = settings " --compress"
- if (op == "--replace")
- settings = settings " --delete"
- if ("ikelifetime" in s)
- settings = settings " --ikelifetime " qs("ikelifetime")
- if (s["disablearrivalcheck"] == "yes")
- settings = settings " --disablearrivalcheck"
- settings = settings " " authtype
-
- lc = ""
- rc = ""
- if ("leftsubnet" in s)
- lc = "--client " qs("leftsubnet")
- if ("rightsubnet" in s)
- rc = "--client " qs("rightsubnet")
- if ("leftsubnetwithin" in s)
- lc = lc " --clientwithin " qs("leftsubnetwithin")
- if ("rightsubnetwithin" in s)
- rc = rc " --clientwithin " qs("rightsubnetwithin")
- lp = ""
- rp = ""
- if ("leftprotoport" in s)
- lp = "--clientprotoport " qs("leftprotoport")
- if ("rightprotoport" in s)
- rp = "--clientprotoport " qs("rightprotoport")
- lud = "--updown " qs("leftupdown")
- rud = "--updown " qs("rightupdown")
-
- lid = ""
- if ("leftid" in s)
- lid = "--id " qs("leftid")
- rid = ""
- if ("rightid" in s)
- rid = "--id " qs("rightid")
- lsip = ""
- if ("leftsourceip" in s)
- lsip = "--srcip " qs("leftsourceip")
- rsip = ""
- if ("rightsourceip" in s)
- rsip = "--srcip " qs("rightsourceip")
- lscert = ""
- if ("leftsendcert" in s)
- lscert = "--sendcert " qs("leftsendcert")
- rscert = ""
- if ("rightsendcert" in s)
- rscert = "--sendcert " qs("rightsendcert")
- lcert = ""
- if ("leftcert" in s)
- lcert = "--cert " qs("leftcert")
- rcert = ""
- if ("rightcert" in s)
- rcert = "--cert " qs("rightcert")
- lca = ""
- if ("leftca" in s)
- lca = "--ca " qs("leftca")
- rca = ""
- if ("rightca" in s)
- rca = "--ca " qs("rightca")
- lgr = ""
- if ("leftgroups" in s)
- lgr = "--groups " qs("leftgroups")
- rgr = ""
- if ("rightgroups" in s)
- rgr = "--groups " qs("rightgroups")
- fuzz = ""
- if ("rekeyfuzz" in s)
- fuzz = "--rekeyfuzz " qs("rekeyfuzz")
- rk = ""
- if (s["rekey"] == "no")
- rk = "--dontrekey"
- pd = ""
- if ("_plutodevel" in s)
- pd = "--plutodevel " s["_plutodevel"] # not qs()
-
- lkod = ""
- rkod = ""
- if (authtype != "--psk") {
- kod = ""
- whackkey("left", "rsasigkey", "")
- whackkey("left", "rsasigkey2", "--addkey")
- lkod = kod
- kod = ""
- whackkey("right", "rsasigkey", "")
- whackkey("right", "rsasigkey2", "--addkey")
- rkod = kod
- }
- print "ipsec whack --name", name, settings, "\\"
- print "\t--host", qs("left"), lc, lp, "--nexthop",
- qs("leftnexthop"), lud, lha, lid, lkod, lscert, lcert, lca, lsip, lgr, "\\"
- print "\t--to", "--host", qs("right"), rc, rp, "--nexthop",
- qs("rightnexthop"), rud, rha, rid, rkod, rscert, rcert, rca, rsip, rgr, "\\"
- print "\t--ipseclifetime", qs("keylife"),
- "--rekeymargin", qs("rekeymargin"), "\\"
- print "\t--keyingtries", qs("keyingtries"), fuzz, rk, pd, "\\"
- print "\t|| exit $?"
- }
- function output_ca() {
- if (!seensome)
- fail("internal error, output called inappropriately")
- settings = ""
- if (op == "--replace")
- settings = "--delete"
- cacert = ""
- if ("cacert" in s)
- cacert = "--cacert " qs("cacert")
- ldaphost = ""
- if ("ldaphost" in s)
- ldaphost = "--ldaphost " qs("ldaphost")
- ldapbase = ""
- if ("ldapbase" in s)
- ldapbase = "--ldapbase " qs("ldapbase")
- crluri = ""
- if ("crluri" in s)
- crluri = "--crluri " qs("crluri")
- crluri2 = ""
- if ("crluri2" in s)
- crluri2 = "--crluri2 " qs("crluri2")
- ocspuri = ""
- if ("ocspuri" in s)
- ocspuri = "--ocspuri " qs("ocspuri")
- yesno("strictcrlpolicy")
- setdefault("strictcrlpolicy", "no")
- if (s["strictcrlpolicy"] == "yes")
- settings = settings " --strictcrlpolicy"
- yesno("cachecrls")
- setdefault("cachecrls", "no")
- if (s["cachecrls"] == "yes")
- settings = settings " --cachecrls"
-
- print "ipsec whack --caname", name, settings, cacert, ldaphost, ldapbase,
- crluri, crluri2, ocspuri, "\\"
- print "\t|| exit $?"
- }
- END {
- if (failed) {
- print "# fatal error discovered, force failure using \"false\" command"
- print "false"
- exit 1 # just on general principles
- }
- if (seensome) {
- if (section == "ca")
- output_ca()
- else
- output()
- }
- }' | runit
diff --git a/programs/barf/.cvsignore b/programs/barf/.cvsignore
deleted file mode 100644
index bca77a6ee..000000000
--- a/programs/barf/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-barf
diff --git a/programs/barf/Makefile b/programs/barf/Makefile
deleted file mode 100644
index 6a20d4ee2..000000000
--- a/programs/barf/Makefile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=barf
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/barf/barf.8 b/programs/barf/barf.8
deleted file mode 100644
index e692a4e5f..000000000
--- a/programs/barf/barf.8
+++ /dev/null
@@ -1,84 +0,0 @@
-.TH IPSEC_BARF 8 "17 March 2002"
-.\" RCSID $Id: barf.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.SH NAME
-ipsec barf \- spew out collected IPsec debugging information
-.SH SYNOPSIS
-.B ipsec
-.B barf
-[
-.B \-\-short
-]
-.sp
-.SH DESCRIPTION
-.I Barf
-outputs (on standard output) a collection of debugging information
-(contents of files, selections from logs, etc.)
-related to the IPsec encryption/authentication system.
-It is primarily a convenience for remote debugging,
-a single command which packages up (and labels) all information
-that might be relevant to diagnosing a problem in IPsec.
-.PP
-.PP
-The
-.B \-\-short
-option limits the length of
-the log portion of
-.IR barf 's
-output, which can otherwise be extremely voluminous
-if debug logging is turned on.
-.PP
-.I Barf
-censors its output,
-replacing keys
-and secrets with brief checksums to avoid revealing sensitive information.
-.PP
-Beware that the output of both commands is aimed at humans,
-not programs,
-and the output format is subject to change without warning.
-.PP
-.I Barf
-has to figure out which files in
-.I /var/log
-contain the IPsec log messages.
-It looks for KLIPS and general log messages first in
-.IR messages
-and
-.IR syslog ,
-and for Pluto messages first in
-.IR secure ,
-.IR auth.log ,
-and
-.IR debug .
-In both cases,
-if it does not find what it is looking for in one of those ``likely'' places,
-it will resort to a brute-force search of most (non-compressed) files in
-.IR /var/log .
-.SH FILES
-.nf
-/proc/net/*
-/var/log/*
-/etc/ipsec.conf
-/etc/ipsec.secrets
-.fi
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org>
-by Henry Spencer.
-.SH BUGS
-.I Barf
-uses heuristics to try to pick relevant material out of the logs,
-and relevant messages
-which are not labelled with any of the tags that
-.I barf
-looks for will be lost.
-We think we've eliminated the last such case, but one never knows...
-.PP
-Finding
-.I updown
-scripts (so they can be included in output) is, in general, difficult.
-.I Barf
-uses a very simple heuristic that is easily fooled.
-.PP
-The brute-force search for the right log files can get expensive on
-systems with a lot of clutter in
-.IR /var/log .
diff --git a/programs/barf/barf.in b/programs/barf/barf.in
deleted file mode 100755
index 99cc3546c..000000000
--- a/programs/barf/barf.in
+++ /dev/null
@@ -1,296 +0,0 @@
-#! /bin/sh
-# dump assorted information of use in debugging
-# Copyright (C) 1998, 1999 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: barf.in,v 1.4 2004/09/23 21:08:23 as Exp $
-
-IPSEC_NAME="strongSwan"
-
-KERNSRC=${KERNSRC-/usr/src/linux}
-LOGS=${LOGS-/var/log}
-CONFS=${IPSEC_CONFS-/etc}
-CONFDDIR=${IPSEC_CONFDDIR-/etc/ipsec.d}
-me="ipsec barf"
-
-# kludge to produce no barf output mentioning policygroups if none are present.
-# This will not catch ".file" policygroups.
-PREPOLICIES=${CONFDDIR}/policies
-if [ `ls $PREPOLICIES 2> /dev/null | wc -l` -ne 0 ]
-then
- POLICIES=$PREPOLICIES
-fi
-
-# message patterns that start relevant parts of logs
-fstart="Starting $IPSEC_NAME"
-pstart='Starting Pluto subsystem'
-
-case "$1" in
---help) echo "Usage: ipsec barf" ; exit 0 ;;
---version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
-esac
-
-# make sure output is in English
-unset LANG LANGUAGE LC_ALL LC_MESSAGES
-
-# log-location guesser, results in $findlog_file and $findlog_startline
-# Fine point: startline is the *last* line containing "string", or
-# failing that, the *first* line containing "fallbackstring".
-findlog() { # findlog string fallbackstring possiblefile ...
- s="$1"
- shift
- t="$1"
- shift
- # try the suggested files first
- for f in $*
- do
- if test -r $LOGS/$f -a -f $LOGS/$f && egrep -q "$s" $LOGS/$f
- then
- # aha, this one has it
- findlog_file=$LOGS/$f
- findlog_startline=`egrep -n "$s" $LOGS/$f |
- sed -n '$s/:.*//p'`
- return 0
- fi
- done
- for f in $*
- do
- if test -r $LOGS/$f -a -f $LOGS/$f && egrep -q "$t" $LOGS/$f
- then
- # aha, this one has it
- findlog_file=$LOGS/$f
- findlog_startline=`egrep -n "$t" $LOGS/$f |
- sed -n '1s/:.*//p'`
- return 0
- fi
- done
- # nope, resort to a search, newest first, of uncompressed logs
- for f in `ls -t $LOGS | egrep -v '^mail' | egrep -v '\.(gz|Z)$'`
- do
- if test -r $LOGS/$f -a ! -d $LOGS/$f && egrep -q "$s" $LOGS/$f
- then
- # found it
- findlog_file=$LOGS/$f
- findlog_startline=`egrep -n "$s" $LOGS/$f |
- sed -n '$s/:.*//p'`
- return 0
- fi
- done
- for f in `ls -t $LOGS | egrep -v '^mail' | egrep -v '\.(gz|Z)$'`
- do
- if test -r $LOGS/$f -a -f $LOGS/$f && egrep -q "$t" $LOGS/$f
- then
- # found it
- findlog_file=$LOGS/$f
- findlog_startline=`egrep -n "$t" $LOGS/$f |
- sed -n '1s/:.*//p'`
- return 0
- fi
- done
-# echo "$0: unable to find $LOGS/$1 or local equivalent" >&2
- findlog_file=/dev/null
- findlog_startline=1 # arbitrary
-}
-
-# try to guess where logs are
-findlog "$fstart" "klips" messages syslog
-if test " $findlog_file" = " /dev/null"
-then
-echo "Unable to find KLIPS messages, typically found in /var/log/messages or equivalent. You may need to run $IPSEC_NAME for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration."
-fi
-klog=$findlog_file
-kline=$findlog_startline
-
-findlog "$pstart" "Pluto" secure auth.log debug
-if test " $findlog_file" = " /dev/null"
-then
-echo "Unable to find Pluto messages, typically found in /var/log/secure or equivalent. You may need to run $IPSEC_NAME for the first time; alternatively, your log files have been emptied (ie, logwatch) or we do not understand your logging configuration."
-fi
-plog=$findlog_file
-pline=$findlog_startline
-
-# /lib/modules examiner
-modulegoo() {
- set +x
- for d in `ls /lib/modules`
- do
- if test -d /lib/modules/$d
- then
- f=/lib/modules/$d/$1
- if test -f $f
- then
- nm -g $f | egrep "$2"
- else
- echo
- fi | sed "s;^;$d: ;"
- fi
- done
- set -x
-}
-
-# advanced shell deviousness to get dividers into output
-_________________________() {
- $2 # something to do nothing and not echo anything
-}
-
-exec 2>&1 # stderr on stdout, so errors go into main output
-
-hostname ; date
-set -x
-_________________________ version
-ipsec --version
-_________________________ proc/version
-cat /proc/version
-_________________________ proc/net/ipsec_eroute
-sort -sg +3 /proc/net/ipsec_eroute || cat /proc/net/ipsec_eroute
-_________________________ netstat-rn
-netstat -nr
-_________________________ proc/net/ipsec_spi
-cat /proc/net/ipsec_spi
-_________________________ proc/net/ipsec_spigrp
-cat /proc/net/ipsec_spigrp
-_________________________ proc/net/ipsec_tncfg
-cat /proc/net/ipsec_tncfg
-_________________________ proc/net/pf_key
-cat /proc/net/pf_key
-_________________________ proc/net/pf_key-star
-( cd /proc/net && egrep '^' pf_key_* )
-_________________________ proc/sys/net/ipsec-star
-( cd /proc/sys/net/ipsec && egrep '^' * )
-_________________________ ipsec/statusall
-ipsec auto --statusall
-_________________________ ifconfig-a
-ifconfig -a
-_________________________ mii-tool
-if [ -x /sbin/mii-tool ]
-then
- /sbin/mii-tool -v
-elif [ -x /usr/sbin/mii-tool ]
-then
- /usr/sbin/mii-tool -v
-else
- mii-tool -v
-fi
-_________________________ ipsec/directory
-ipsec --directory
-_________________________ hostname/fqdn
-hostname --fqdn
-_________________________ hostname/ipaddress
-hostname --ip-address
-_________________________ uptime
-uptime
-_________________________ ps
-# -i ppid picks up the header
-ps alxwf | egrep -i 'ppid|pluto|ipsec|klips'
-_________________________ ipsec/showdefaults
-ipsec showdefaults
-_________________________ ipsec/conf
-ipsec _include $CONFS/ipsec.conf | ipsec _keycensor
-_________________________ ipsec/secrets
-ipsec _include $CONFS/ipsec.secrets | ipsec _secretcensor
-_________________________ ipsec/listall
-ipsec auto --listall
-if [ $POLICIES ]
-then
- for policy in $POLICIES/*; do base=`basename $policy`;
- _________________________ ipsec/policies/$base
- cat $policy
- done
-fi
-_________________________ ipsec/ls-libdir
-ls -l ${IPSEC_LIBDIR-/usr/local/lib/ipsec}
-_________________________ ipsec/ls-execdir
-ls -l ${IPSEC_EXECDIR-/usr/local/libexec/ipsec}
-_________________________ ipsec/updowns
-for f in `ls ${IPSEC_EXECDIR-/usr/local/libexec/ipsec} | egrep updown`
-do
- cat ${IPSEC_EXECDIR-/usr/local/libexec/ipsec}/$f
-done
-_________________________ proc/net/dev
-cat /proc/net/dev
-_________________________ proc/net/route
-cat /proc/net/route
-_________________________ proc/sys/net/ipv4/ip_forward
-cat /proc/sys/net/ipv4/ip_forward
-_________________________ proc/sys/net/ipv4/conf/star-rp_filter
-( cd /proc/sys/net/ipv4/conf && egrep '^' */rp_filter )
-_________________________ uname-a
-uname -a
-_________________________ redhat-release
-if test -r /etc/redhat-release
-then
- cat /etc/redhat-release
-fi
-_________________________ proc/net/ipsec_version
-cat /proc/net/ipsec_version
-_________________________ iptables/list
-iptables -L -v -n
-_________________________ ipchains/list
-ipchains -L -v -n
-_________________________ ipfwadm/forward
-ipfwadm -F -l -n -e
-_________________________ ipfwadm/input
-ipfwadm -I -l -n -e
-_________________________ ipfwadm/output
-ipfwadm -O -l -n -e
-_________________________ iptables/nat
-iptables -t nat -L -v -n
-_________________________ ipchains/masq
-ipchains -M -L -v -n
-_________________________ ipfwadm/masq
-ipfwadm -M -l -n -e
-_________________________ iptables/mangle
-iptables -t mangle -L -v -n
-_________________________ proc/modules
-cat /proc/modules
-_________________________ proc/meminfo
-cat /proc/meminfo
-_________________________ dev/ipsec-ls
-ls -l /dev/ipsec*
-_________________________ proc/net/ipsec-ls
-ls -l /proc/net/ipsec_*
-_________________________ usr/src/linux/.config
-if test -f $KERNSRC/.config
-then
- egrep 'IP|NETLINK' $KERNSRC/.config
-fi
-_________________________ etc/syslog.conf
-cat /etc/syslog.conf
-_________________________ etc/resolv.conf
-cat /etc/resolv.conf
-_________________________ lib/modules-ls
-ls -ltr /lib/modules
-_________________________ proc/ksyms-netif_rx
-egrep netif_rx /proc/ksyms
-_________________________ lib/modules-netif_rx
-modulegoo kernel/net/ipv4/ipip.o netif_rx
-_________________________ kern.debug
-if test -f $LOGS/kern.debug
-then
- tail -100 $LOGS/kern.debug
-fi
-_________________________ klog
-sed -n $kline,'$'p $klog |
- egrep -i 'ipsec|klips|pluto' |
- case "$1" in
- --short) tail -500 ;;
- *) cat ;;
- esac
-_________________________ plog
-sed -n $pline,'$'p $plog |
- egrep -i 'pluto' |
- case "$1" in
- --short) tail -500 ;;
- *) cat ;;
- esac
-_________________________ date
-date
diff --git a/programs/calcgoo/.cvsignore b/programs/calcgoo/.cvsignore
deleted file mode 100644
index b4aa748b7..000000000
--- a/programs/calcgoo/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-calcgoo
diff --git a/programs/calcgoo/Makefile b/programs/calcgoo/Makefile
deleted file mode 100644
index 8e3cae9ea..000000000
--- a/programs/calcgoo/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=calcgoo
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.1 2002/06/10 04:27:25 mcr
-# calcgoo program processes kernel symbol list and generates a
-# composite value by xor'ing the programmed symbol.
-#
-# Revision 1.1 2002/06/10 00:19:44 mcr
-# rename "ipsec check" to "ipsec verify"
-#
-# Revision 1.1 2002/06/08 17:01:25 mcr
-# added new program "ipsec check" to do rudamentary testing
-# on a newly installed system to see if it is OE ready.
-#
-#
-#
-
diff --git a/programs/calcgoo/calcgoo.8 b/programs/calcgoo/calcgoo.8
deleted file mode 100644
index ceb576e41..000000000
--- a/programs/calcgoo/calcgoo.8
+++ /dev/null
@@ -1,31 +0,0 @@
-.TH IPSEC_CALCGOO 8 "8 June 2002"
-.\" RCSID $Id: calcgoo.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.SH NAME
-ipsec calcgoo \- calculate hex value for matching modules and kernels
-.SH SYNOPSIS
-.B ipsec
-.B calcgoo
-.SH DESCRIPTION
-.I calcgoo
-accepts the output of
-.B nm -ao
-or
-.B /proc/ksyms
-and extracts a release dependant list of symbols from it. The symbols
-are processed to extract the values assigned during the MODVERSIONS
-process. This process makes sure that Linux modules are only loaded
-on matching kernels.
-.P
-This routine is used to find an appropriate module to match the currently
-running kernel by _startklips.
-.SH FILES
-.nf
-/proc/ksyms
-.fi
-.SH "SEE ALSO"
-ipsec__startklips(8), genksyms(8)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org>
-by Michael Richardson.
-.SH BUGS
diff --git a/programs/calcgoo/calcgoo.in b/programs/calcgoo/calcgoo.in
deleted file mode 100644
index 0d383d173..000000000
--- a/programs/calcgoo/calcgoo.in
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/bin/perl
-
-$MODULE_GOO_LIST="@MODULE_GOO_LIST@";
-
-@goo = split(/\s+/,$MODULE_GOO_LIST);
-
-$sep="(";
-$goore=" ";
-
-#print "GOO: ",join('|',@goo),"\n";
-
-foreach $sym (@goo) {
- $goore=${goore}.${sep}.${sym};
- $sep="|";
-}
-$goore=${goore}.")_R(smp_){0,1}([0-9A-F]{8})";
-
-#print "GOORE: $goore\n";
-
-while(<>) {
- chomp;
- if(/$goore/io) {
- $sym=$1;
- $goosym=$3;
- $bingoo=hex($goosym);
- if($2 eq "smp_") {
- $bingoo++;
- }
- #print STDERR "Processing $goosym (from $_)\n";
- $bingoo{$sym}=$bingoo;
- }
-}
-$wholegoo=0;
-foreach $sym (keys %bingoo) {
- $wholegoo=$wholegoo ^ $bingoo{$sym};
-}
-print sprintf("%08x", $wholegoo)."\n";
-
-# Local variables::
-# mode: perl
-# End variables::
-
-
diff --git a/programs/eroute/.cvsignore b/programs/eroute/.cvsignore
deleted file mode 100644
index 133c4b456..000000000
--- a/programs/eroute/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-eroute
diff --git a/programs/eroute/Makefile b/programs/eroute/Makefile
deleted file mode 100644
index 6d8f68033..000000000
--- a/programs/eroute/Makefile
+++ /dev/null
@@ -1,52 +0,0 @@
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 1998, 1999 Henry Spencer.
-# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM:=eroute
-EXTRA5PROC=eroute.5
-
-LIBS:=${FREESWANLIB}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.4 2002/06/03 20:25:31 mcr
-# man page for files actually existant in /proc/net changed back to
-# ipsec_foo via new EXTRA5PROC process.
-#
-# Revision 1.3 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.2 2002/04/26 01:21:26 mcr
-# while tracking down a missing (not installed) /etc/ipsec.conf,
-# MCR has decided that it is not okay for each program subdir to have
-# some subset (determined with -f) of possible files.
-# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-# Optional PROGRAM.5 files have been added to the makefiles.
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
diff --git a/programs/eroute/eroute.5 b/programs/eroute/eroute.5
deleted file mode 100644
index 52b3f4d25..000000000
--- a/programs/eroute/eroute.5
+++ /dev/null
@@ -1,272 +0,0 @@
-.TH IPSEC_EROUTE 5 "20 Sep 2001"
-.\"
-.\" RCSID $Id: eroute.5,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec_eroute \- list of existing eroutes
-.SH SYNOPSIS
-.B ipsec
-.B eroute
-.PP
-.B cat
-.B /proc/net/ipsec_eroute
-.SH DESCRIPTION
-.I /proc/net/ipsec_eroute
-lists the IPSEC extended routing tables,
-which control what (if any) processing is applied
-to non-encrypted packets arriving for IPSEC processing and forwarding.
-At this point it is a read-only file.
-.PP
-A table entry consists of:
-.IP + 3
-packet count,
-.IP +
-source address with mask and source port (0 if all ports or not applicable)
-.IP +
-a '->' separator for visual and automated parsing between src and dst
-.IP +
-destination address with mask and destination port (0 if all ports or
-not applicable)
-.IP +
-a '=>' separator for visual and automated parsing between selection
-criteria and SAID to use
-.IP +
-SAID (Security Association IDentifier), comprised of:
-.IP + 6
-protocol
-(\fIproto\fR),
-.IP +
-address family
-(\fIaf\fR),
-where '.' stands for IPv4 and ':' for IPv6
-.IP +
-Security Parameters Index
-(\fISPI\fR),
-.IP +
-effective destination
-(\fIedst\fR),
-where the packet should be forwarded after processing
-(normally the other security gateway)
-together indicate which Security Association should be used to process
-the packet,
-.IP + 3
-a ':' separating the SAID from the transport protocol (0 if all protocols)
-.IP +
-source identity text string with no whitespace, in parens,
-.IP +
-destination identity text string with no whitespace, in parens
-.PP
-Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
-protocol is one of "ah", "esp", "comp" or "tun"
-and
-SPIs are prefixed hexadecimal numbers where the prefix '.' is for IPv4 and the prefix ':' is for IPv6
-.
-.PP
-SAIDs are written as "protoafSPI@edst". There are also 5
-"magic" SAIDs which have special meaning:
-.IP + 3
-.B %drop
-means that matches are to be dropped
-.IP +
-.B %reject
-means that matches are to be dropped and an ICMP returned, if
-possible to inform
-.IP +
-.B %trap
-means that matches are to trigger an ACQUIRE message to the Key
-Management daemon(s) and a hold eroute will be put in place to
-prevent subsequent packets also triggering ACQUIRE messages.
-.IP +
-.B %hold
-means that matches are to stored until the eroute is replaced or
-until that eroute gets reaped
-.IP +
-.B %pass
-means that matches are to allowed to pass without IPSEC processing
-.br
-.ne 5
-.SH EXAMPLES
-.LP
-.B "1867 172.31.252.0/24:0 -> 0.0.0.0/0:0 => tun0x130@192.168.43.1:0 "
-.br
-.B " () ()"
-.LP
-means that 1,867 packets have been sent to an
-.BR eroute
-that has been set up to protect traffic between the subnet
-.BR 172.31.252.0
-with a subnet mask of
-.BR 24
-bits and the default address/mask represented by an address of
-.BR 0.0.0.0
-with a subnet mask of
-.BR 0
-bits using the local machine as a security gateway on this end of the
-tunnel and the machine
-.BR 192.168.43.1
-on the other end of the tunnel with a Security Association IDentifier of
-.BR tun0x130@192.168.43.1
-which means that it is a tunnel mode connection (4, IPPROTO_IPIP) with a
-Security Parameters Index of
-.BR 130
-in hexadecimal with no identies defined for either end.
-.LP
-.B "746 192.168.2.110/32:0 -> 192.168.2.120/32:25 => esp0x130@192.168.2.120:6 "
-.br
-.B " () ()"
-.LP
-means that 746 packets have been sent to an
-.BR eroute
-that has been set up to protect traffic sent from any port on the host
-.BR 192.168.2.110
-to the SMTP (TCP, port 25) port on the host
-.BR 192.168.2.120
-with a Security Association IDentifier of
-.BR tun0x130@192.168.2.120
-which means that it is a transport mode connection with a
-Security Parameters Index of
-.BR 130
-in hexadecimal with no identies defined for either end.
-.LP
-.B 125 3049:1::/64 -> 0:0/0 => tun:130@3058:4::5 () ()
-.LP
-means that 125 packets have been sent to an
-.BR eroute
-that has been set up to protect traffic between the subnet
-.BR 3049:1::
-with a subnet mask of
-.BR 64
-bits and the default address/mask represented by an address of
-.BR 0:0
-with a subnet mask of
-.BR 0
-bits using the local machine as a security gateway on this end of the
-tunnel and the machine
-.BR 3058:4::5
-on the other end of the tunnel with a Security Association IDentifier of
-.BR tun:130@3058:4::5
-which means that it is a tunnel mode connection with a
-Security Parameters Index of
-.BR 130
-in hexadecimal with no identies defined for either end.
-.LP
-.B 42 192.168.6.0/24:0 -> 192.168.7.0/24:0 => %passthrough
-.LP
-means that 42 packets have been sent to an
-.BR eroute
-that has been set up to pass the traffic from the subnet
-.BR 192.168.6.0
-with a subnet mask of
-.BR 24
-bits and to subnet
-.BR 192.168.7.0
-with a subnet mask of
-.BR 24
-bits without any IPSEC processing with no identies defined for either end.
-.LP
-.B 2112 192.168.8.55/32:0 -> 192.168.9.47/24:0 => %hold (east) ()
-.LP
-means that 2112 packets have been sent to an
-.BR eroute
-that has been set up to hold the traffic from the host
-.BR 192.168.8.55
-and to host
-.BR 192.168.9.47
-until a key exchange from a Key Management daemon
-succeeds and puts in an SA or fails and puts in a pass
-or drop eroute depending on the default configuration with the local client
-defined as "east" and no identy defined for the remote end.
-.LP
-.B "2001 192.168.2.110/32:0 -> 192.168.2.120/32:0 => "
-.br
-.B " esp0xe6de@192.168.2.120:0 () ()"
-.LP
-means that 2001 packets have been sent to an
-.BR eroute
-that has been set up to protect traffic between the host
-.BR 192.168.2.110
-and the host
-.BR 192.168.2.120
-using
-.BR 192.168.2.110
-as a security gateway on this end of the
-connection and the machine
-.BR 192.168.2.120
-on the other end of the connection with a Security Association IDentifier of
-.BR esp0xe6de@192.168.2.120
-which means that it is a transport mode connection with a Security
-Parameters Index of
-.BR e6de
-in hexadecimal using Encapsuation Security Payload protocol (50,
-IPPROTO_ESP) with no identies defined for either end.
-.LP
-.B "1984 3049:1::110/128 -> 3049:1::120/128 => "
-.br
-.B " ah:f5ed@3049:1::120 () ()"
-.LP
-means that 1984 packets have been sent to an
-.BR eroute
-that has been set up to authenticate traffic between the host
-.BR 3049:1::110
-and the host
-.BR 3049:1::120
-using
-.BR 3049:1::110
-as a security gateway on this end of the
-connection and the machine
-.BR 3049:1::120
-on the other end of the connection with a Security Association IDentifier of
-.BR ah:f5ed@3049:1::120
-which means that it is a transport mode connection with a Security
-Parameters Index of
-.BR f5ed
-in hexadecimal using Authentication Header protocol (51,
-IPPROTO_AH) with no identies defined for either end.
-.SH FILES
-/proc/net/ipsec_eroute, /usr/local/bin/ipsec
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_spi(5),
-ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_eroute(8), ipsec_version(5),
-ipsec_pf_key(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Richard Guy Briggs.
-.\"
-.\" $Log: eroute.5,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.9 2002/04/24 07:35:38 mcr
-.\" Moved from ./klips/utils/eroute.5,v
-.\"
-.\" Revision 1.8 2001/09/20 15:33:13 rgb
-.\" PF_KEYv2 ident extension output documentation.
-.\"
-.\" Revision 1.7 2001/05/29 05:15:31 rgb
-.\" Added packet count field at beginning of line.
-.\"
-.\" Revision 1.6 2001/02/26 19:58:32 rgb
-.\" Put SAID elements in order they appear in SAID.
-.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part
-.\" of the new SPD and to support opportunistic.
-.\"
-.\" Revision 1.5 2000/09/17 18:56:48 rgb
-.\" Added IPCOMP support.
-.\"
-.\" Revision 1.4 2000/09/13 15:54:31 rgb
-.\" Added Gerhard's ipv6 updates.
-.\"
-.\" Revision 1.3 2000/06/30 18:21:55 rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.2 2000/06/28 12:44:11 henry
-.\" format touchup
-.\"
-.\" Revision 1.1 2000/06/28 05:43:00 rgb
-.\" Added manpages for all 5 klips utils.
-.\"
-.\"
-.\"
diff --git a/programs/eroute/eroute.8 b/programs/eroute/eroute.8
deleted file mode 100644
index d9449632b..000000000
--- a/programs/eroute/eroute.8
+++ /dev/null
@@ -1,354 +0,0 @@
-.TH IPSEC_EROUTE 8 "21 Jun 2000"
-.\"
-.\" RCSID $Id: eroute.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.\"
-.SH NAME
-ipsec eroute \- manipulate IPSEC extended routing tables
-.SH SYNOPSIS
-.B ipsec
-.B eroute
-.PP
-.B ipsec
-.B eroute
-.B \-\-add
-.B \-\-eraf (inet | inet6)
-.B \-\-src
-src/srcmaskbits|srcmask
-.B \-\-dst
-dst/dstmaskbits|dstmask
-[
-.B \-\-transport\-proto
-transport-protocol
-]
-[
-.B \-\-src\-port
-source-port
-]
-[
-.B \-\-dst\-port
-dest-port
-]
-<SAID>
-.PP
-.B ipsec
-.B eroute
-.B \-\-replace
-.B \-\-eraf (inet | inet6)
-.B \-\-src
-src/srcmaskbits|srcmask
-.B \-\-dst
-dst/dstmaskbits|dstmask
-[
-.B \-\-transport\-proto
-transport-protocol
-]
-[
-.B \-\-src\-port
-source-port
-]
-[
-.B \-\-dst\-port
-dest-port
-]
-<SAID>
-.PP
-.B ipsec
-.B eroute
-.B \-\-del
-.B \-\-eraf (inet | inet6)
-.B \-\-src
-src/srcmaskbits|srcmask
-.B \-\-dst
-dst/dstmaskbits|dstmask
-[
-.B \-\-transport\-proto
-transport-protocol
-]
-[
-.B \-\-src\-port
-source-port
-]
-[
-.B \-\-dst\-port
-dest-port
-]
-.PP
-.B ipsec
-.B eroute
-.B \-\-clear
-.PP
-.B ipsec
-.B eroute
-.B \-\-help
-.PP
-.B ipsec
-.B eroute
-.B \-\-version
-.PP
-Where <SAID> is
-.B \-\-af
-(inet | inet6)
-.B \-\-edst
-edst
-.B \-\-spi
-spi
-.B \-\-proto
-proto
-OR
-.B \-\-said
-said
-OR
-.B \-\-said
-.B (%passthrough | %passthrough4 | %passthrough6 | %drop | %reject | %trap | %hold | %pass )
-.SH DESCRIPTION
-.I Eroute
-manages the IPSEC extended routing tables,
-which control what (if any) processing is applied
-to non-encrypted packets arriving for IPSEC processing and forwarding.
-The form with no additional arguments lists the contents of
-/proc/net/ipsec_eroute.
-The
-.B \-\-add
-form adds a table entry, the
-.B \-\-replace
-form replaces a table entry, while the
-.B \-\-del
-form deletes one. The
-.B \-\-clear
-form deletes the entire table.
-.PP
-A table entry consists of:
-.IP + 3
-source and destination addresses,
-with masks, source and destination ports and protocol
-for selection of packets. The source and destination ports are only
-legal if the transport protocol is
-.BR TCP
-or
-.BR UDP.
-A port can be specified as either decimal, hexadecimal (leading 0x),
-octal (leading 0) or a name listed in the first column of /etc/services.
-A transport protocol can be specified as either decimal, hexadecimal
-(leading 0x), octal (leading 0) or a name listed in the first column
-of /etc/protocols. If a transport protocol or port is not specified
-then it defaults to 0 which means all protocols or all ports
-respectively.
-.IP +
-Security Association IDentifier, comprised of:
-.IP + 6
-protocol
-(\fIproto\fR), indicating (together with the
-effective destination and the security parameters index)
-which Security Association should be used to process the packet
-.IP +
-address family
-(\fIaf\fR),
-.IP +
-Security Parameters Index
-(\fIspi\fR), indicating (together with the
-effective destination and protocol)
-which Security Association should be used to process the packet
-(must be larger than or equal to 0x100)
-.IP +
-effective destination
-(\fIedst\fR),
-where the packet should be forwarded after processing
-(normally the other security gateway)
-.IP + 3
-OR
-.IP + 6
-SAID
-(\fIsaid\fR), indicating
-which Security Association should be used to process the packet
-.PP
-Addresses are written as IPv4 dotted quads or IPv6 coloned hex,
-protocol is one of "ah", "esp", "comp" or "tun" and SPIs are
-prefixed hexadecimal numbers where '.' represents IPv4 and ':'
-stands for IPv6.
-.PP
-SAIDs are written as "protoafSPI@address". There are also 5
-"magic" SAIDs which have special meaning:
-.IP + 3
-.B %drop
-means that matches are to be dropped
-.IP +
-.B %reject
-means that matches are to be dropped and an ICMP returned, if
-possible to inform
-.IP +
-.B %trap
-means that matches are to trigger an ACQUIRE message to the Key
-Management daemon(s) and a hold eroute will be put in place to
-prevent subsequent packets also triggering ACQUIRE messages.
-.IP +
-.B %hold
-means that matches are to stored until the eroute is replaced or
-until that eroute gets reaped
-.IP +
-.B %pass
-means that matches are to allowed to pass without IPSEC processing
-.PP
-The format of /proc/net/ipsec_eroute is listed in ipsec_eroute(5).
-.br
-.ne 5
-.SH EXAMPLES
-.LP
-.B "ipsec eroute \-\-add \-\-eraf inet \-\-src 192.168.0.1/32 \e"
-.br
-.B " \-\-dst 192.168.2.0/24 \-\-af inet \-\-edst 192.168.0.2 \e"
-.br
-.B " \-\-spi 0x135 \-\-proto tun"
-.LP
-sets up an
-.BR eroute
-on a Security Gateway to protect traffic between the host
-.BR 192.168.0.1
-and the subnet
-.BR 192.168.2.0
-with
-.BR 24
-bits of subnet mask via Security Gateway
-.BR 192.168.0.2
-using the Security Association with address
-.BR 192.168.0.2 ,
-Security Parameters Index
-.BR 0x135
-and protocol
-.BR tun
-(50, IPPROTO_ESP).
-.LP
-.B "ipsec eroute \-\-add \-\-eraf inet6 \-\-src 3049:1::1/128 \e"
-.br
-.B " \-\-dst 3049:2::/64 \-\-af inet6 \-\-edst 3049:1::2 \e"
-.br
-.B " \-\-spi 0x145 \-\-proto tun"
-.LP
-sets up an
-.BR eroute
-on a Security Gateway to protect traffic between the host
-.BR 3049:1::1
-and the subnet
-.BR 3049:2::
-with
-.BR 64
-bits of subnet mask via Security Gateway
-.BR 3049:1::2
-using the Security Association with address
-.BR 3049:1::2 ,
-Security Parameters Index
-.BR 0x145
-and protocol
-.BR tun
-(50, IPPROTO_ESP).
-.LP
-.B "ipsec eroute \-\-replace \-\-eraf inet \-\-src company.com/24 \e"
-.br
-.B " \-\-dst ftp.ngo.org/32 \-\-said tun.135@gw.ngo.org"
-.LP
-replaces an
-.BR eroute
-on a Security Gateway to protect traffic between the subnet
-.BR company.com
-with
-.BR 24
-bits of subnet mask and the host
-.BR ftp.ngo.org
-via Security Gateway
-.BR gw.ngo.org
-using the Security Association with Security Association ID
-.BR tun0x135@gw.ngo.org
-.LP
-.B "ipsec eroute \-\-del \-\-eraf inet \-\-src company.com/24 \e"
-.br
-.B " \-\-dst www.ietf.org/32 \-\-said %passthrough4"
-.LP
-deletes an
-.BR eroute
-on a Security Gateway that allowed traffic between the subnet
-.BR company.com
-with
-.BR 24
-bits of subnet mask and the host
-.BR www.ietf.org
-to pass in the clear, unprocessed.
-.LP
-.B "ipsec eroute \-\-add \-\-eraf inet \-\-src company.com/24 \e"
-.br
-.B " \-\-dst mail.ngo.org/32 \-\-transport-proto 6 \e"
-.br
-.B " \-\-dst\-port 110 \-\-said tun.135@mail.ngo.org"
-.LP
-sets up an
-.BR eroute
-on on a Security Gateway to protect only TCP traffic on port 110
-(pop3) between the subnet
-.BR company.com
-with
-.BR 24
-bits of subnet mask and the host
-.BR ftp.ngo.org
-via Security Gateway
-.BR mail.ngo.org
-using the Security Association with Security Association ID
-.BR tun0x135@mail.ngo.org.
-Note that any other traffic bound for
-.BR mail.ngo.org
-that is routed via the ipsec device will be dropped. If you wish to
-allow other traffic to pass through then you must add a %pass rule.
-For example the following rule when combined with the above will
-ensure that POP3 messages read from
-.BR mail.ngo.org
-will be encrypted but all other traffic to/from
-.BR mail.ngo.org
-will be in clear text.
-.LP
-.B "ipsec eroute \-\-add \-\-eraf inet \-\-src company.com/24 \e"
-.br
-.B " \-\-dst mail.ngo.org/32 \-\-said %pass"
-.br
-.LP
-.SH FILES
-/proc/net/ipsec_eroute, /usr/local/bin/ipsec
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_spi(8),
-ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_eroute(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Richard Guy Briggs.
-.\"
-.\" $Log: eroute.8,v $
-.\" Revision 1.1 2004/03/15 20:35:27 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.25 2002/04/24 07:35:38 mcr
-.\" Moved from ./klips/utils/eroute.8,v
-.\"
-.\" Revision 1.24 2001/02/26 19:58:49 rgb
-.\" Added a comment on the restriction of spi > 0x100.
-.\" Implement magic SAs %drop, %reject, %trap, %hold, %pass as part
-.\" of the new SPD and to support opportunistic.
-.\"
-.\" Revision 1.23 2000/09/17 18:56:48 rgb
-.\" Added IPCOMP support.
-.\"
-.\" Revision 1.22 2000/09/13 15:54:31 rgb
-.\" Added Gerhard's ipv6 updates.
-.\"
-.\" Revision 1.21 2000/06/30 18:21:55 rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.20 2000/06/21 16:54:57 rgb
-.\" Added 'no additional args' text for listing contents of
-.\" /proc/net/ipsec_* files.
-.\"
-.\" Revision 1.19 1999/07/19 18:47:24 henry
-.\" fix slightly-misformed comments
-.\"
-.\" Revision 1.18 1999/04/06 04:54:37 rgb
-.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
-.\" patch shell fixes.
-.\"
-.\"
diff --git a/programs/eroute/eroute.c b/programs/eroute/eroute.c
deleted file mode 100644
index d1b2bff0a..000000000
--- a/programs/eroute/eroute.c
+++ /dev/null
@@ -1,1044 +0,0 @@
-/*
- * manipulate eroutes
- * Copyright (C) 1996 John Ioannidis.
- * Copyright (C) 1997, 1998, 1999, 2000, 2001 Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-char eroute_c_version[] = "RCSID $Id: eroute.c,v 1.3 2005/02/24 20:03:46 as Exp $";
-
-
-#include <sys/types.h>
-#include <linux/types.h> /* new */
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h> /* system(), strtoul() */
-
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <netdb.h>
-
-
-#include <unistd.h>
-#include <freeswan.h>
-#if 0
-#include <linux/autoconf.h> /* CONFIG_IPSEC_PFKEYv2 */
-#endif
-/* permanently turn it on since netlink support has been disabled */
-
-#include <signal.h>
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-
-#include <stdio.h>
-#include <getopt.h>
-
-char *program_name;
-char me[] = "ipsec eroute";
-extern char *optarg;
-extern int optind, opterr, optopt;
-char *eroute_af_opt, *said_af_opt, *edst_opt, *spi_opt, *proto_opt, *said_opt, *dst_opt, *src_opt;
-char *transport_proto_opt, *src_port_opt, *dst_port_opt;
-int action_type = 0;
-
-int pfkey_sock;
-fd_set pfkey_socks;
-uint32_t pfkey_seq = 0;
-
-#define EMT_IFADDR 1 /* set enc if addr */
-#define EMT_SETSPI 2 /* Set SPI properties */
-#define EMT_DELSPI 3 /* Delete an SPI */
-#define EMT_GRPSPIS 4 /* Group SPIs (output order) */
-#define EMT_SETEROUTE 5 /* set an extended route */
-#define EMT_DELEROUTE 6 /* del an extended route */
-#define EMT_TESTROUTE 7 /* try to find route, print to console */
-#define EMT_SETDEBUG 8 /* set debug level if active */
-#define EMT_UNGRPSPIS 9 /* UnGroup SPIs (output order) */
-#define EMT_CLREROUTE 10 /* clear the extended route table */
-#define EMT_CLRSPIS 11 /* clear the spi table */
-#define EMT_REPLACEROUTE 12 /* set an extended route */
-#define EMT_GETDEBUG 13 /* get debug level if active */
-#define EMT_INEROUTE 14 /* set incoming policy for IPIP on a chain */
-
-static void
-add_port(int af, ip_address * addr, short port)
-{
- switch (af)
- {
- case AF_INET:
- addr->u.v4.sin_port = port;
- break;
- case AF_INET6:
- addr->u.v6.sin6_port = port;
- break;
- }
-}
-
-static void
-usage(char* arg)
-{
- fprintf(stdout, "usage: %s --{add,addin,replace} --eraf <inet | inet6> --src <src>/<srcmaskbits>|<srcmask> --dst <dst>/<dstmaskbits>|<dstmask> [ --transport-proto <protocol> ] [ --src-port <source-port> ] [ --dst-port <dest-port> ] <SA>\n", arg);
- fprintf(stdout, " where <SA> is '--af <inet | inet6> --edst <edst> --spi <spi> --proto <proto>'\n");
- fprintf(stdout, " OR '--said <said>'\n");
- fprintf(stdout, " OR '--said <%%passthrough | %%passthrough4 | %%passthrough6 | %%drop | %%reject | %%trap | %%hold | %%pass>'.\n");
- fprintf(stdout, " %s --del --eraf <inet | inet6>--src <src>/<srcmaskbits>|<srcmask> --dst <dst>/<dstmaskbits>|<dstmask> [ --transport-proto <protocol> ] [ --src-port <source-port> ] [ --dst-port <dest-port> ]\n", arg);
- fprintf(stdout, " %s --clear\n", arg);
- fprintf(stdout, " %s --help\n", arg);
- fprintf(stdout, " %s --version\n", arg);
- fprintf(stdout, " %s\n", arg);
- fprintf(stdout, " [ --debug ] is optional to any %s command.\n", arg);
- fprintf(stdout, " [ --label <label> ] is optional to any %s command.\n", arg);
- exit(1);
-}
-
-static struct option const longopts[] =
-{
- {"dst", 1, 0, 'D'},
- {"src", 1, 0, 'S'},
- {"eraf", 1, 0, 'f'},
- {"add", 0, 0, 'a'},
- {"addin", 0, 0, 'A'},
- {"replace", 0, 0, 'r'},
- {"clear", 0, 0, 'c'},
- {"del", 0, 0, 'd'},
- {"af", 1, 0, 'i'},
- {"edst", 1, 0, 'e'},
- {"proto", 1, 0, 'p'},
- {"transport-proto", 1, 0, 'P'},
- {"src-port", 1, 0, 'Q'},
- {"dst-port", 1, 0, 'R'},
- {"help", 0, 0, 'h'},
- {"spi", 1, 0, 's'},
- {"said", 1, 0, 'I'},
- {"version", 0, 0, 'v'},
- {"label", 1, 0, 'l'},
- {"optionsfrom", 1, 0, '+'},
- {"debug", 0, 0, 'g'},
- {0, 0, 0, 0}
-};
-
-int
-main(int argc, char **argv)
-{
- /* int fd; */
- char *endptr;
- /* int ret; */
- int c, previous = -1;
- const char* error_s;
- int debug = 0;
-
- int error = 0;
-
- char ipaddr_txt[ADDRTOT_BUF];
- struct sadb_ext *extensions[SADB_EXT_MAX + 1];
- struct sadb_msg *pfkey_msg;
- ip_address pfkey_address_s_ska;
- /*struct sockaddr_in pfkey_address_d_ska;*/
- ip_address pfkey_address_sflow_ska;
- ip_address pfkey_address_dflow_ska;
- ip_address pfkey_address_smask_ska;
- ip_address pfkey_address_dmask_ska;
-
- int transport_proto = 0;
- int src_port = 0;
- int dst_port = 0;
- ip_said said;
- ip_subnet s_subnet, d_subnet;
- int eroute_af = 0;
- int said_af = 0;
-
- int argcount = argc;
-
- const char permitted_options[] =
- "%s: Only one of '--add', '--addin', '--replace', '--clear', or '--del' options permitted.\n";
-
- program_name = argv[0];
- eroute_af_opt = said_af_opt = edst_opt = spi_opt = proto_opt = said_opt = dst_opt = src_opt = NULL;
-
- while((c = getopt_long(argc, argv, ""/*"acdD:e:i:hprs:S:f:vl:+:g"*/, longopts, 0)) != EOF)
- {
- switch(c)
- {
- case 'g':
- debug = 1;
- pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX;
- argcount--;
- break;
- case 'a':
- if (action_type)
- {
- fprintf(stderr, permitted_options, program_name);
- exit(1);
- }
- action_type = EMT_SETEROUTE;
- break;
- case 'A':
- if (action_type)
- {
- fprintf(stderr, permitted_options, program_name);
- exit(1);
- }
- action_type = EMT_INEROUTE;
- break;
- case 'r':
- if (action_type)
- {
- fprintf(stderr, permitted_options, program_name);
- exit(1);
- }
- action_type = EMT_REPLACEROUTE;
- break;
- case 'c':
- if (action_type)
- {
- fprintf(stderr, permitted_options, program_name);
- exit(1);
- }
- action_type = EMT_CLREROUTE;
- break;
- case 'd':
- if (action_type)
- {
- fprintf(stderr, permitted_options, program_name);
- exit(1);
- }
- action_type = EMT_DELEROUTE;
- break;
- case 'e':
- if (said_opt)
- {
- fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined in SA:%s\n"
- , program_name, optarg, said_opt);
- exit (1);
- }
- if (edst_opt)
- {
- fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined as:%s\n"
- , program_name, optarg, edst_opt);
- exit (1);
- }
- error_s = ttoaddr(optarg, 0, said_af, &said.dst);
- if (error_s != NULL)
- {
- fprintf(stderr, "%s: Error, %s converting --edst argument:%s\n"
- , program_name, error_s, optarg);
- exit (1);
- }
- edst_opt = optarg;
- break;
- case 'h':
- case '?':
- usage(program_name);
- exit(1);
- case 's':
- if (said_opt)
- {
- fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined in SA:%s\n"
- , program_name, optarg, said_opt);
- exit (1);
- }
- if (spi_opt)
- {
- fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined as:%s\n"
- , program_name, optarg, spi_opt);
- exit (1);
- }
- said.spi = htonl(strtoul(optarg, &endptr, 0));
- if (!(endptr == optarg + strlen(optarg)))
- {
- fprintf(stderr, "%s: Invalid character in SPI parameter: %s\n"
- , program_name, optarg);
- exit (1);
- }
- if (ntohl(said.spi) < 0x100)
- {
- fprintf(stderr, "%s: Illegal reserved spi: %s => 0x%x Must be larger than 0x100.\n"
- , program_name, optarg, ntohl(said.spi));
- exit(1);
- }
- spi_opt = optarg;
- break;
- case 'p':
- if (said_opt)
- {
- fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined in SA:%s\n"
- , program_name, optarg, said_opt);
- exit (1);
- }
- if (proto_opt)
- {
- fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined as:%s\n"
- , program_name, optarg, proto_opt);
- exit (1);
- }
-#if 0
- if (said.proto)
- {
- fprintf(stderr, "%s: Warning, PROTO parameter redefined:%s\n"
- , program_name, optarg);
- exit (1);
- }
-#endif
- if (!strcmp(optarg, "ah"))
- said.proto = SA_AH;
- if (!strcmp(optarg, "esp"))
- said.proto = SA_ESP;
- if (!strcmp(optarg, "tun"))
- said.proto = SA_IPIP;
- if (!strcmp(optarg, "comp"))
- said.proto = SA_COMP;
- if (said.proto == 0)
- {
- fprintf(stderr, "%s: Invalid PROTO parameter: %s\n"
- , program_name, optarg);
- exit (1);
- }
- proto_opt = optarg;
- break;
- case 'I':
- if (said_opt)
- {
- fprintf(stderr, "%s: Error, SAID parameter redefined:%s, already defined in SA:%s\n"
- , program_name, optarg, said_opt);
- exit (1);
- }
- if (proto_opt)
- {
- fprintf(stderr, "%s: Error, PROTO parameter redefined in SA:%s, already defined as:%s\n"
- , program_name, optarg, proto_opt);
- exit (1);
- }
- if (edst_opt)
- {
- fprintf(stderr, "%s: Error, EDST parameter redefined in SA:%s, already defined as:%s\n"
- , program_name, optarg, edst_opt);
- exit (1);
- }
- if (spi_opt)
- {
- fprintf(stderr, "%s: Error, SPI parameter redefined in SA:%s, already defined as:%s\n"
- , program_name, optarg, spi_opt);
- exit (1);
- }
- if (said_af_opt)
- {
- fprintf(stderr, "%s: Error, address family parameter redefined in SA:%s, already defined as:%s\n"
- , program_name, optarg, said_af_opt);
- exit (1);
- }
- error_s = ttosa(optarg, 0, &said);
- if (error_s != NULL)
- {
- fprintf(stderr, "%s: Error, %s converting --sa argument:%s\n"
- , program_name, error_s, optarg);
- exit (1);
- }
- else if (ntohl(said.spi) < 0x100)
- {
- fprintf(stderr, "%s: Illegal reserved spi: %s => 0x%x Must be larger than or equal to 0x100.\n"
- , program_name, optarg, said.spi);
- exit(1);
- }
- said_af = addrtypeof(&said.dst);
- said_opt = optarg;
- break;
- case 'v':
- fprintf(stdout, "%s %s\n", me, ipsec_version_code());
- fprintf(stdout, "See `ipsec --copyright' for copyright information.\n");
- exit(1);
- case 'D':
- if (dst_opt)
- {
- fprintf(stderr, "%s: Error, --dst parameter redefined:%s, already defined as:%s\n"
- , program_name, optarg, dst_opt);
- exit (1);
- }
- error_s = ttosubnet(optarg, 0, eroute_af, &d_subnet);
- if (error_s != NULL)
- {
- fprintf(stderr, "%s: Error, %s converting --dst argument: %s\n"
- , program_name, error_s, optarg);
- exit (1);
- }
- dst_opt = optarg;
- break;
- case 'S':
- if (src_opt)
- {
- fprintf(stderr, "%s: Error, --src parameter redefined:%s, already defined as:%s\n"
- , program_name, optarg, src_opt);
- exit (1);
- }
- error_s = ttosubnet(optarg, 0, eroute_af, &s_subnet);
- if (error_s != NULL)
- {
- fprintf(stderr, "%s: Error, %s converting --src argument: %s\n"
- , program_name, error_s, optarg);
- exit (1);
- }
- src_opt = optarg;
- break;
- case 'P':
- if (transport_proto_opt)
- {
- fprintf(stderr, "%s: Error, --transport-proto parameter redefined:%s, already defined as:%s\n"
- , program_name, optarg, transport_proto_opt);
- exit(1);
- }
- transport_proto_opt = optarg;
- break;
- case 'Q':
- if (src_port_opt)
- {
- fprintf(stderr, "%s: Error, --src-port parameter redefined:%s, already defined as:%s\n"
- , program_name, optarg, src_port_opt);
- exit(1);
- }
- src_port_opt = optarg;
- break;
- case 'R':
- if (dst_port_opt)
- {
- fprintf(stderr, "%s: Error, --dst-port parameter redefined:%s, already defined as:%s\n"
- , program_name, optarg, dst_port_opt);
- exit(1);
- }
- dst_port_opt = optarg;
- break;
- case 'l':
- program_name = malloc(strlen(argv[0])
- + 10 /* update this when changing the sprintf() */
- + strlen(optarg));
- sprintf(program_name, "%s --label %s", argv[0], optarg);
- argcount -= 2;
- break;
- case 'i': /* specifies the address family of the SAID, stored in said_af */
- if (said_af_opt)
- {
- fprintf(stderr, "%s: Error, address family of SAID redefined:%s, already defined as:%s\n"
- , program_name, optarg, said_af_opt);
- exit (1);
- }
- if (!strcmp(optarg, "inet"))
- said_af = AF_INET;
- if (!strcmp(optarg, "inet6"))
- said_af = AF_INET6;
- if (said_af == 0)
- {
- fprintf(stderr, "%s: Invalid address family parameter for SAID: %s\n"
- , program_name, optarg);
- exit (1);
- }
- said_af_opt = optarg;
- break;
- case 'f': /* specifies the address family of the eroute, stored in eroute_af */
- if (eroute_af_opt)
- {
- fprintf(stderr, "%s: Error, address family of eroute redefined:%s, already defined as:%s\n"
- , program_name, optarg, eroute_af_opt);
- exit (1);
- }
- if (!strcmp(optarg, "inet"))
- eroute_af = AF_INET;
- if (!strcmp(optarg, "inet6"))
- eroute_af = AF_INET6;
- if (eroute_af == 0)
- {
- fprintf(stderr, "%s: Invalid address family parameter for eroute: %s\n"
- , program_name, optarg);
- exit (1);
- }
- eroute_af_opt = optarg;
- break;
- case '+': /* optionsfrom */
- optionsfrom(optarg, &argc, &argv, optind, stderr);
- /* no return on error */
- break;
- default:
- break;
- }
- previous = c;
- }
-
- if (debug)
- {
- fprintf(stdout, "%s: DEBUG: argc=%d\n", program_name, argc);
- }
-
- if (argcount == 1)
- {
- system("cat /proc/net/ipsec_eroute");
- exit(0);
- }
-
- /* Sanity checks */
-
- if (debug)
- {
- fprintf(stdout, "%s: DEBUG: action_type=%d\n", program_name, action_type);
- }
-
- if (transport_proto_opt != 0)
- {
- struct protoent * proto = getprotobyname(transport_proto_opt);
-
- if (proto != 0)
- {
- transport_proto = proto->p_proto;
- }
- else
- {
- transport_proto = strtoul(transport_proto_opt, &endptr, 0);
-
- if ((*endptr != '\0')
- || (transport_proto == 0 && endptr == transport_proto_opt))
- {
- fprintf(stderr, "%s: Invalid character in --transport-proto parameter: %s\n"
- , program_name, transport_proto_opt);
- exit (1);
- }
- if (transport_proto > 255)
- {
- fprintf(stderr, "%s: --transport-proto parameter: %s must be in the range 0 to 255 inclusive\n"
- , program_name, transport_proto_opt);
- exit (1);
- }
- }
- }
-
- if (src_port_opt != 0 || dst_port_opt != 0)
- {
- switch (transport_proto)
- {
- case IPPROTO_UDP:
- case IPPROTO_TCP:
- break;
- default:
- fprintf(stderr, "%s: --transport-proto with either UDP or TCP must be specified if --src-port or --dst-port is used\n"
- , program_name);
- exit(1);
- }
- }
-
- if (src_port_opt)
- {
- struct servent * ent = getservbyname(src_port_opt, 0);
-
- if (ent != 0)
- {
- src_port = ent->s_port;
- }
- else
- {
- src_port = strtoul(src_port_opt, &endptr, 0);
-
- if ((*endptr != '\0')
- || (src_port == 0 && endptr == src_port_opt))
- {
- fprintf(stderr, "%s: Invalid character in --src-port parameter: %s\n"
- , program_name, src_port_opt);
- exit (1);
- }
- if (src_port > 65535)
- {
- fprintf(stderr, "%s: --src-port parameter: %s must be in the range 0 to 65535 inclusive\n"
- , program_name, src_port_opt);
- }
- src_port = htons(src_port);
- }
- }
-
- if (dst_port_opt)
- {
- struct servent * ent = getservbyname(dst_port_opt, 0);
-
- if (ent != 0)
- {
- dst_port = ent->s_port;
- }
- else
- {
- dst_port = strtoul(dst_port_opt, &endptr, 0);
-
- if ((*endptr != '\0')
- || (dst_port == 0 && endptr == dst_port_opt))
- {
- fprintf(stderr, "%s: Invalid character in --dst-port parameter: %s\n"
- , program_name, dst_port_opt);
- exit (1);
- }
- if (dst_port > 65535)
- {
- fprintf(stderr, "%s: --dst-port parameter: %s must be in the range 0 to 65535 inclusive\n"
- , program_name, dst_port_opt);
- }
- dst_port = htons(dst_port);
- }
- }
-
- switch(action_type)
- {
- case EMT_SETEROUTE:
- case EMT_REPLACEROUTE:
- case EMT_INEROUTE:
- if (!(said_af_opt && edst_opt && spi_opt && proto_opt) && !(said_opt))
- {
- fprintf(stderr, "%s: add and addin options must have SA specified.\n"
- , program_name);
- exit(1);
- }
- case EMT_DELEROUTE:
- if (!src_opt)
- {
- fprintf(stderr, "%s: Error -- %s option '--src' is required.\n"
- , program_name, (action_type == EMT_SETEROUTE) ? "add" : "del");
- exit(1);
- }
- if (!dst_opt)
- {
- fprintf(stderr, "%s: Error -- %s option '--dst' is required.\n"
- , program_name, (action_type == EMT_SETEROUTE) ? "add" : "del");
- exit(1);
- }
- case EMT_CLREROUTE:
- break;
- default:
- fprintf(stderr, "%s: exactly one of '--add', '--addin', '--replace', '--del' or '--clear' options must be specified.\n"
- "Try %s --help' for usage information.\n"
- , program_name, program_name);
- exit(1);
- }
-
- if ((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0)
- {
- fprintf(stderr, "%s: Trouble opening PF_KEY family socket with error: "
- , program_name);
- switch(errno)
- {
- case ENOENT:
- fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
- break;
- case EACCES:
- fprintf(stderr, "access denied. ");
- if (getuid() == 0)
- {
- fprintf(stderr, "Check permissions. Should be 600.\n");
- }
- else
- {
- fprintf(stderr, "You must be root to open this file.\n");
- }
- break;
- case EUNATCH:
- fprintf(stderr, "KLIPS not loaded.\n");
- break;
- case ENODEV:
- fprintf(stderr, "KLIPS not loaded or enabled.\n");
- break;
- case EBUSY:
- fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. "
- "Please report as much detail as possible to development team.\n");
- break;
- case EINVAL:
- fprintf(stderr, "Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n");
- break;
- case ENOBUFS:
- case ENOMEM:
- case ENFILE:
- fprintf(stderr, "No kernel memory to allocate socket.\n");
- break;
- case EMFILE:
- fprintf(stderr, "Process file table overflow.\n");
- break;
- case ESOCKTNOSUPPORT:
- fprintf(stderr, "Socket type not supported.\n");
- break;
- case EPROTONOSUPPORT:
- fprintf(stderr, "Protocol version not supported.\n");
- break;
- case EAFNOSUPPORT:
- fprintf(stderr, "KLIPS not loaded or enabled.\n");
- break;
- default:
- fprintf(stderr, "Unknown file open error %d. Please report as much detail as possible to development team.\n"
- , errno);
- }
- exit(1);
- }
-
- if (debug)
- {
- fprintf(stdout, "%s: DEBUG: PFKEYv2 socket successfully openned=%d.\n"
- , program_name, pfkey_sock);
- }
-
- /* Build an SADB_X_ADDFLOW or SADB_X_DELFLOW message to send down. */
- /* It needs <base, SA, address(SD), flow(SD), mask(SD)> minimum. */
- pfkey_extensions_init(extensions);
-
- error = pfkey_msg_hdr_build(&extensions[0]
- , (action_type == EMT_SETEROUTE || action_type == EMT_REPLACEROUTE
- || action_type == EMT_INEROUTE)? SADB_X_ADDFLOW : SADB_X_DELFLOW
- , proto2satype(said.proto)
- , 0
- , ++pfkey_seq
- , getpid()
- );
-
- if (error)
- {
- fprintf(stderr, "%s: Trouble building message header, error=%d.\n"
- , program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
-
- if (debug)
- {
- fprintf(stdout, "%s: DEBUG: pfkey_msg_hdr_build successfull.\n"
- , program_name);
- }
-
- switch (action_type)
- {
- case EMT_SETEROUTE:
- case EMT_REPLACEROUTE:
- case EMT_INEROUTE:
- case EMT_CLREROUTE:
- error = pfkey_sa_build(&extensions[SADB_EXT_SA]
- , SADB_EXT_SA
- , said.spi /* in network order */
- , 0
- , 0
- , 0
- , 0
- , (action_type == EMT_CLREROUTE) ? SADB_X_SAFLAGS_CLEARFLOW : 0
- );
-
- if (error)
- {
- fprintf(stderr, "%s: Trouble building sa extension, error=%d.\n"
- , program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if (debug)
- {
- fprintf(stdout, "%s: DEBUG: pfkey_sa_build successful.\n"
- , program_name);
- }
- default:
- break;
- }
-
- switch (action_type)
- {
- case EMT_SETEROUTE:
- case EMT_REPLACEROUTE:
- case EMT_INEROUTE:
- anyaddr(said_af, &pfkey_address_s_ska);
- error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC]
- , SADB_EXT_ADDRESS_SRC
- , 0
- , 0
- , sockaddrof(&pfkey_address_s_ska)
- );
- if (error)
- {
- addrtot(&pfkey_address_s_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stderr, "%s: Trouble building address_s extension (%s), error=%d.\n"
- , program_name, ipaddr_txt, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if (debug)
- {
- fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for src.\n"
- , program_name);
- }
-
- error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST]
- , SADB_EXT_ADDRESS_DST
- , 0
- , 0
- , sockaddrof(&said.dst)
- );
-
- if (error)
- {
- addrtot(&said.dst, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stderr, "%s: Trouble building address_d extension (%s), error=%d.\n"
- , program_name, ipaddr_txt, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if (debug)
- {
- fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for dst.\n"
- , program_name);
- }
- default:
- break;
- }
-
- switch (action_type)
- {
- case EMT_SETEROUTE:
- case EMT_REPLACEROUTE:
- case EMT_INEROUTE:
- case EMT_DELEROUTE:
- networkof(&s_subnet, &pfkey_address_sflow_ska); /* src flow */
- add_port(eroute_af, &pfkey_address_sflow_ska, src_port);
-
- error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_SRC_FLOW]
- , SADB_X_EXT_ADDRESS_SRC_FLOW
- , 0
- , 0
- , sockaddrof(&pfkey_address_sflow_ska)
- );
-
- if (error)
- {
- addrtot(&pfkey_address_sflow_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stderr, "%s: Trouble building address_sflow extension (%s), error=%d.\n",
- program_name, ipaddr_txt, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if (debug)
- {
- fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for src flow.\n"
- , program_name);
- }
-
- networkof(&d_subnet, &pfkey_address_dflow_ska); /* dst flow */
- add_port(eroute_af, &pfkey_address_dflow_ska, dst_port);
-
- error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_DST_FLOW]
- , SADB_X_EXT_ADDRESS_DST_FLOW
- , 0
- , 0
- , sockaddrof(&pfkey_address_dflow_ska)
- );
-
- if (error)
- {
- addrtot(&pfkey_address_dflow_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stderr, "%s: Trouble building address_dflow extension (%s), error=%d.\n"
- , program_name, ipaddr_txt, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if (debug)
- {
- fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for dst flow.\n"
- , program_name);
- }
-
- maskof(&s_subnet, &pfkey_address_smask_ska); /* src mask */
- add_port(eroute_af, &pfkey_address_smask_ska, src_port ? ~0:0);
-
- error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_SRC_MASK]
- , SADB_X_EXT_ADDRESS_SRC_MASK
- , 0
- , 0
- , sockaddrof(&pfkey_address_smask_ska)
- );
-
- if (error)
- {
- addrtot(&pfkey_address_smask_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stderr, "%s: Trouble building address_smask extension (%s), error=%d.\n"
- , program_name, ipaddr_txt, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if (debug)
- {
- fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for src mask.\n"
- , program_name);
- }
-
- maskof(&d_subnet, &pfkey_address_dmask_ska); /* dst mask */
- add_port(eroute_af, &pfkey_address_dmask_ska, dst_port ? ~0:0);
-
- error = pfkey_address_build(&extensions[SADB_X_EXT_ADDRESS_DST_MASK]
- , SADB_X_EXT_ADDRESS_DST_MASK
- , 0
- , 0
- , sockaddrof(&pfkey_address_dmask_ska)
- );
-
- if (error)
- {
- addrtot(&pfkey_address_dmask_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stderr, "%s: Trouble building address_dmask extension (%s), error=%d.\n"
- , program_name, ipaddr_txt, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if (debug)
- {
- fprintf(stdout, "%s: DEBUG: pfkey_address_build successful for dst mask.\n"
- , program_name);
- }
- }
-
- if (transport_proto != 0)
- {
- error = pfkey_x_protocol_build(&extensions[SADB_X_EXT_PROTOCOL]
- , transport_proto);
-
- if (error)
- {
- fprintf(stderr, "%s: Trouble building transport protocol extension, error=%d.\n"
- , program_name, error);
- exit(1);
- }
- }
-
- error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN);
-
- if (error)
- {
- fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n"
- , program_name, error);
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- exit(1);
- }
- if (debug)
- {
- fprintf(stdout, "%s: DEBUG: pfkey_msg_build successful.\n"
- , program_name);
- }
-
- error = write(pfkey_sock
- , pfkey_msg
- , pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN
- )
- != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
-
- if (error)
- {
- fprintf(stderr, "%s: pfkey write failed, returning %d with errno=%d.\n"
- , program_name, error, errno);
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
-
- switch (errno)
- {
- case EINVAL:
- fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
- break;
- case ENXIO:
- if (action_type == EMT_SETEROUTE || action_type == EMT_REPLACEROUTE)
- {
- fprintf(stderr, "Invalid mask.\n");
- break;
- }
- if (action_type == EMT_DELEROUTE)
- {
- fprintf(stderr, "Mask not found.\n");
- break;
- }
- case EFAULT:
- if (action_type == EMT_SETEROUTE || action_type == EMT_REPLACEROUTE)
- {
- fprintf(stderr, "Invalid address.\n");
- break;
- }
- if (action_type == EMT_DELEROUTE)
- {
- fprintf(stderr, "Address not found.\n");
- break;
- }
- case EACCES:
- fprintf(stderr, "access denied. ");
- if (getuid() == 0)
- {
- fprintf(stderr, "Check permissions. Should be 600.\n");
- }
- else
- {
- fprintf(stderr, "You must be root to open this file.\n");
- }
- break;
- case EUNATCH:
- fprintf(stderr, "KLIPS not loaded.\n");
- break;
- case EBUSY:
- fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. "
- "Please report as much detail as possible to development team.\n");
- break;
- case ENODEV:
- fprintf(stderr, "KLIPS not loaded or enabled.\n");
- fprintf(stderr, "No device?!?\n");
- break;
- case ENOBUFS:
- fprintf(stderr, "No kernel memory to allocate SA.\n");
- break;
- case ESOCKTNOSUPPORT:
- fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
- break;
- case EEXIST:
- fprintf(stderr, "eroute already in use. Delete old one first.\n");
- break;
- case ENOENT:
- if (action_type == EMT_INEROUTE)
- {
- fprintf(stderr, "non-existant IPIP SA.\n");
- break;
- }
- fprintf(stderr, "eroute doesn't exist. Can't delete.\n");
- break;
- case ENOSPC:
- fprintf(stderr, "no room in kernel SAref table. Cannot process request.\n");
- break;
- case ESPIPE:
- fprintf(stderr, "kernel SAref table internal error. Cannot process request.\n");
- break;
- default:
- fprintf(stderr, "Unknown socket write error %d. Please report as much detail as possible to development team.\n"
- , errno);
- }
-/* fprintf(stderr, "%s: socket write returned errno %d\n",
- program_name, errno);*/
- exit(1);
- }
- if (debug)
- {
- fprintf(stdout, "%s: DEBUG: pfkey write successful.\n"
- , program_name);
- }
-
- if (pfkey_msg)
- {
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- }
-
- (void) close(pfkey_sock); /* close the socket */
-
- if (debug)
- {
- fprintf(stdout, "%s: DEBUG: write ok\n", program_name);
- }
-
- exit(0);
-}
diff --git a/programs/examples/Makefile b/programs/examples/Makefile
deleted file mode 100644
index 114008a73..000000000
--- a/programs/examples/Makefile
+++ /dev/null
@@ -1,22 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/08/28 11:25:09 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-CONFDSUBDIR=examples
-CONFDFILES=oe.conf
-
-include ../Makefile.program
diff --git a/programs/examples/oe.conf.in b/programs/examples/oe.conf.in
deleted file mode 100644
index 4eff4d0dd..000000000
--- a/programs/examples/oe.conf.in
+++ /dev/null
@@ -1,68 +0,0 @@
-# defines default policy groups for Opportunistic Encryption (OE)
-#
-# RCSID $Id: oe.conf.in,v 1.1 2004/08/28 11:25:09 as Exp $
-
-conn packetdefault
- type=tunnel
- leftsubnet=0.0.0.0/0
- right=%opportunistic
- failureshunt=passthrough
- keyingtries=3
- ikelifetime=1h
- keylife=1h
- rekey=no
- also=oe_defaults
- auto=route
-
-conn clear
- type=passthrough
- authby=never
- right=%group
- also=oe_defaults
- auto=route
-
-conn clear-or-private
- type=passthrough
- right=%opportunisticgroup
- failureshunt=passthrough
- keyingtries=3
- ikelifetime=1h
- keylife=1h
- rekey=no
- also=oe_defaults
- auto=route
-
-conn private-or-clear
- type=tunnel
- right=%opportunisticgroup
- failureshunt=passthrough
- keyingtries=3
- ikelifetime=1h
- keylife=1h
- rekey=no
- also=oe_defaults
- auto=route
-
-conn private
- type=tunnel
- right=%opportunisticgroup
- failureshunt=drop
- keyingtries=3
- ikelifetime=1h
- keylife=1h
- rekey=no
- also=oe_defaults
- auto=route
-
-conn block
- type=reject
- authby=never
- right=%group
- also=oe_defaults
- auto=route
-
-conn oe_defaults
- left=%defaultroute
- leftid=%myid
- leftrsasigkey=%dnsondemand
- rightrsasigkey=%dnsondemand
diff --git a/programs/ikeping/.cvsignore b/programs/ikeping/.cvsignore
deleted file mode 100644
index 755295a5f..000000000
--- a/programs/ikeping/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-ikeping
diff --git a/programs/ikeping/Makefile b/programs/ikeping/Makefile
deleted file mode 100644
index 6c7b31d59..000000000
--- a/programs/ikeping/Makefile
+++ /dev/null
@@ -1,57 +0,0 @@
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 1998, 1999 Henry Spencer.
-# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:27 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=ikeping
-LIBS=${FREESWANLIB}
-
-ifeq ($(USE_IKEPING),false)
-NOINSTALL=true
-install:
- # do nothing
-
-install_file_list:
- # do nothing
-
-endif
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:27 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.4 2003/06/29 21:34:49 mcr
-# added "NOINSTALL" to omit install: target from common
-# Makefile so that it can be overridden
-#
-# Revision 1.3 2003/06/25 03:57:45 mcr
-# build, but do not install "ikeping" even when we do not
-# want it as part of the system.
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
diff --git a/programs/ikeping/ikeping.8 b/programs/ikeping/ikeping.8
deleted file mode 100644
index a9b80b46d..000000000
--- a/programs/ikeping/ikeping.8
+++ /dev/null
@@ -1,71 +0,0 @@
-.TH IPSEC_IKEPING 8 "23 Feb 2002"
-.\" RCSID $Id: ikeping.8,v 1.1 2004/03/15 20:35:27 as Exp $
-.SH NAME
-ipsec ikeping \- send/receive ISAKMP/IKE echo requests/replies
-.SH SYNOPSIS
-.B ipsec
-.B ikeping
-[
-.B \-\-listen
-] [
-.B \-\-verbose
-] [
-.B \-\-wait
-time ] [
-.B \-\-exchangenum
-num ] [
-.B \-\-ikeport
-localport ] [
-.B \-\-ikeaddress
-address ] [
-.B \-\-inet
-] [
-.B \-\-inet6
-] destaddr[/dstport] ...
-.SH DESCRIPTION
-.I Ikeping
-sends and receives ISAKMP/IKE echo request and echo reply packets. These
-packets are intended for diagnostics purposes, in a manner similar to
-.IR ping (8)
-does for ICMP echo request/reply packets.
-.PP
-At the time of this writing, the ISAKMP echo request/reply exchange is still
-an internet-draft, and is therefore completely non-standard.
-.PP
-.I Ikeping
-will bind to the local address given by
-.B \-\-ikeaddress
-and the port number given by
-.B \-\-ikeport
-defaulting to the wildcard address and the ISAKMP port 500. An ISAKMP
-exchange of type 244 (a private use number) is sent to each of the
-address/ports listed on the command line. The exchange number may be
-overridden by the
-.B \-\-exchangenum
-option.
-.PP
-.I Ikeping
-then listens for replies, printing them as they are received. Replies
-are of exchange type 245 or the specified exchange number plus 1.
-.I Ikeping
-will keep listening until it either receives as many echo responses as it sent,
-or until the timeout period (10 seconds) has been reached. Receipt of a
-packet will reset the timer. The
-.B \-\-wait
-option can be used to specify a different timeout period.
-.PP
-If the
-.B \-\-listen
-option is given, then
-.I ikeping
-will not send any packets. Instead, it will listen for them and reply to
-each request received.
-.SH FILES
-no external files
-.SH SEE ALSO
-ping(8), ipsec_pluto(8)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org>
-by Michael Richardson.
-.SH BUGS
diff --git a/programs/ikeping/ikeping.c b/programs/ikeping/ikeping.c
deleted file mode 100644
index 7efb26ad7..000000000
--- a/programs/ikeping/ikeping.c
+++ /dev/null
@@ -1,483 +0,0 @@
-/* send out an IKE "ping" packet.
- * Copyright (C) 2002 Michael Richardson
- * Copyright (C) 2002 D. Hugh Redelmeier.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ikeping.c,v 1.1 2004/03/15 20:35:27 as Exp $
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <string.h>
-#include <ctype.h>
-#include <unistd.h>
-#include <errno.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <getopt.h>
-#include <assert.h>
-#include <poll.h>
-
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/packet.h"
-
-#ifndef ISAKMP_XCHG_ECHOREQUEST
-#define ISAKMP_XCHG_ECHOREQUEST 30 /* Echo Request */
-#define ISAKMP_XCHG_ECHOREPLY 31 /* Echo Reply */
-#endif
-
-#ifndef ISAKMP_XCGH_ECHOREQUEST_PRIV
-#define ISAKMP_XCHG_ECHOREQUEST_PRIV 244 /* Private Echo Request */
-#define ISAKMP_XCHG_ECHOREPLY_PRIV 245 /* Private Echo Reply */
-#endif
-
-
-/* what exchange number to use for outgoing requests */
-static int exchange_number;
-
-static void
-help(void)
-{
- fprintf(stderr,
- "Usage:\n\n"
- "ikeping"
- " [--listen] causes IKEping to open a socket and reply to requests.\n"
- " [--verbose] causes IKEping to hexdump all packets sent/received.\n"
- " [--ikeport <port-number>] port to listen on/send from\n"
- " [--ikeaddress <address>] address to listen on/send from\n"
- " [--inet] just send/listen on IPv4 socket\n"
- " [--inet6] just send/listen on IPv6 socket\n"
- " [--version] just dump version number and exit\n"
- " [--exchangenum num] use num instead of 244 for the exchange type.\n"
- " [--wait seconds] time to wait for replies, defaults to 10 seconds.\n"
- " host/port ...\n\n"
- "FreeS/WAN %s\n",
- ipsec_version_code());
-}
-
-static void
-hton_ping(struct isakmp_hdr *ih)
-{
- u_int32_t *ihp;
-
- ihp=(u_int32_t *)ih;
-
- /* put it in network byte order. */
- /* cookies are byte viewed anyway */
- ihp[4]=htonl(ihp[4]);
- ih->isa_msgid = htonl(ih->isa_msgid);
- ih->isa_length = htonl(ih->isa_length);
-}
-
-static void
-ntoh_ping(struct isakmp_hdr *ih)
-{
- u_int32_t *ihp;
-
- ihp=(u_int32_t *)ih;
-
- /* put it in network byte order. */
- /* cookies are byte viewed anyway */
- ihp[4]=ntohl(ihp[4]);
- ih->isa_msgid = ntohl(ih->isa_msgid);
- ih->isa_length = ntohl(ih->isa_length);
-}
-
-
-/*
- * send an IKE ping
- *
- */
-static void
-send_ping(int afamily,
- int s,
- ip_address *raddr,
- int rport)
-{
- struct isakmp_hdr ih;
- int i, raddrlen;
-
- raddrlen=0;
-
- for(i=0; i<COOKIE_SIZE; i++) {
- ih.isa_icookie[i]=rand()&0xff;
- }
-
- for(i=0; i<COOKIE_SIZE; i++) {
- ih.isa_rcookie[i]=rand()&0xff;
- }
-
- ih.isa_np = NOTHING_WRONG;
- ih.isa_version = (1 << ISA_MAJ_SHIFT) | 0;
- ih.isa_xchg = (exchange_number ?
- exchange_number : ISAKMP_XCHG_ECHOREQUEST_PRIV);
- ih.isa_flags =0;
- ih.isa_msgid =rand();
- ih.isa_length=0;
-
- switch(afamily) {
- case AF_INET:
- raddr->u.v4.sin_port = htons(rport);
- raddrlen=sizeof(raddr->u.v4);
- break;
-
- case AF_INET6:
- raddr->u.v6.sin6_port = htons(rport);
- raddrlen=sizeof(raddr->u.v6);
- break;
- }
-
- hton_ping(&ih);
-
- if(sendto(s, &ih, sizeof(ih), 0, (struct sockaddr *)raddr, raddrlen) < 0) {
- perror("sendto");
- exit(5);
- }
-}
-
-/*
- * send an IKE ping
- *
- */
-static void
-reply_packet(int afamily,
- int s,
- ip_address *dst_addr,
- int dst_len,
- struct isakmp_hdr *op)
-{
- int i, tmp;
-
- tmp=afamily; /* shut up compiler */
-
- for(i=0; i<COOKIE_SIZE; i++) {
- tmp=op->isa_icookie[i];
- op->isa_icookie[i]=op->isa_rcookie[i];
- op->isa_rcookie[i]=tmp;
- }
-
- op->isa_np = NOTHING_WRONG;
- op->isa_version = (1 << ISA_MAJ_SHIFT) | 0;
- op->isa_xchg = ISAKMP_XCHG_ECHOREPLY;
- op->isa_flags =0;
- op->isa_msgid =rand();
- op->isa_length=0;
-
- hton_ping(op);
-
- if(sendto(s, op, sizeof(*op), 0, (struct sockaddr *)dst_addr, dst_len) < 0) {
- perror("sendto");
- exit(5);
- }
-}
-
-/*
- * receive and decode packet.
- *
- */
-static void
-receive_ping(int afamily, int s, int reply)
-{
- ip_address sender;
- struct isakmp_hdr ih;
- char buf[64];
- int n, rport, sendlen;
- const char *xchg_name;
- int xchg;
-
- rport = 500;
- xchg = 0;
- sendlen=sizeof(sender);
- n = recvfrom(s, &ih, sizeof(ih), 0, (struct sockaddr *)&sender, &sendlen);
-
- addrtot(&sender, 0, buf, sizeof(buf));
- switch(afamily) {
- case AF_INET:
- rport = sender.u.v4.sin_port;
- break;
-
- case AF_INET6:
- rport = sender.u.v6.sin6_port;
- break;
- }
-
- if((unsigned int)n < sizeof(ih)) {
- fprintf(stderr, "read short packet (%d) from %s/%d\n",
- n, buf, rport);
- return;
- }
-
- /* translate from network byte order */
- ntoh_ping(&ih);
-
-
- if(ih.isa_xchg == ISAKMP_XCHG_ECHOREQUEST ||
- ih.isa_xchg == ISAKMP_XCHG_ECHOREQUEST_PRIV ||
- (exchange_number!=0 && ih.isa_xchg == exchange_number)) {
- xchg_name="echo-request";
- xchg=ISAKMP_XCHG_ECHOREQUEST;
- } else if(ih.isa_xchg == ISAKMP_XCHG_ECHOREPLY ||
- ih.isa_xchg == ISAKMP_XCHG_ECHOREPLY_PRIV ||
- (exchange_number!=0 && ih.isa_xchg == exchange_number+1)) {
- xchg_name="echo-reply";
- } else {
- xchg_name="";
- }
-
- printf("received %d(%s) packet from %s/%d of len: %d\n",
- ih.isa_xchg, xchg_name, buf, ntohs(rport), n);
- printf("\trcookie=%08x_%08x icookie=%08x_%08x msgid=%08x\n",
- *(u_int32_t *)(ih.isa_icookie),
- *(u_int32_t *)(ih.isa_icookie+4),
- *(u_int32_t *)(ih.isa_rcookie),
- *(u_int32_t *)(ih.isa_rcookie+4),
- ih.isa_msgid);
- printf("\tnp=%03d version=%d.%d xchg=%s(%d)\n",
- ih.isa_np,
- ih.isa_version >> ISA_MAJ_SHIFT,
- ih.isa_version & ISA_MIN_MASK,
- xchg_name,
- ih.isa_xchg);
-
- if(reply && xchg==ISAKMP_XCHG_ECHOREQUEST) {
- reply_packet(afamily, s, &sender, sendlen, &ih);
- }
-}
-
-static const struct option long_opts[] = {
- /* name, has_arg, flag, val */
- { "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, 'V' },
- { "verbose", no_argument, NULL, 'v' },
- { "listen", no_argument, NULL, 's' },
- { "ikeport", required_argument, NULL, 'p' },
- { "ikeaddress", required_argument, NULL, 'b' },
- { "inet", no_argument, NULL, '4' },
- { "inet6", no_argument, NULL, '6' },
- { "exchangenum", required_argument, NULL, 'n' },
- { "wait", required_argument, NULL, 'w' },
- { 0,0,0,0 }
-};
-
-int
-main(int argc, char **argv)
-{
- char *foo;
- const char *errstr;
- int s;
- int listen_only;
- int lport,dport;
- int afamily;
- int pfamily;
- int c;
- int numSenders, numReceived, noDNS;
- int waitTime;
- int verbose, timedOut;
- ip_address laddr, raddr;
-
- afamily=AF_INET;
- pfamily=PF_INET;
- lport=500;
- dport=500;
- waitTime=10;
- verbose=0;
- listen_only=0;
- noDNS=0;
- bzero(&laddr, sizeof(laddr));
-
- while((c = getopt_long(argc, argv, "hVnvsp:b:46E:w:", long_opts, 0))!=EOF) {
- switch (c) {
- case 'h': /* --help */
- help();
- return 0; /* GNU coding standards say to stop here */
-
- case 'V': /* --version */
- fprintf(stderr, "FreeS/WAN %s\n", ipsec_version_code());
- return 0; /* GNU coding standards say to stop here */
-
- case 'v': /* --label <string> */
- verbose++;
- continue;
-
- case 'n':
- noDNS=1;
- break;
-
- case 'E':
- exchange_number=strtol(optarg, &foo, 0);
- if(optarg==foo || exchange_number < 1 || exchange_number>255) {
- fprintf(stderr, "Invalid exchange number '%s' (should be 1<=x<255)\n",
- optarg);
- exit(1);
- }
- continue;
-
-
- case 's':
- listen_only++;
- continue;
-
- case 'p':
- lport=strtol(optarg, &foo, 0);
- if(optarg==foo || lport <0 || lport>65535) {
- fprintf(stderr, "Invalid port number '%s' (should be 0<=x<65536)\n",
- optarg);
- exit(1);
- }
- continue;
-
- case 'w':
- waitTime=strtol(optarg, &foo, 0);
- if(optarg==foo || waitTime < 0) {
- fprintf(stderr, "Invalid waittime number '%s' (should be 0<=x)\n",
- optarg);
- exit(1);
- }
- continue;
-
- case 'b':
- errstr = ttoaddr(optarg, strlen(optarg), afamily, &laddr);
- if(errstr!=NULL) {
- fprintf(stderr, "Invalid local address '%s': %s\n",
- optarg, errstr);
- exit(1);
- }
- continue;
-
- case '4':
- afamily=AF_INET;
- pfamily=PF_INET;
- continue;
-
- case '6':
- afamily=AF_INET6;
- pfamily=PF_INET6;
- continue;
-
- default:
- assert(FALSE); /* unknown return value */
- }
- }
-
- s=socket(pfamily, SOCK_DGRAM, IPPROTO_UDP);
- if(s < 0) {
- perror("socket");
- exit(3);
- }
-
- switch(afamily) {
- case AF_INET:
- laddr.u.v4.sin_port = htons(lport);
- if(bind(s, (struct sockaddr *)&laddr.u.v4, sizeof(laddr.u.v4)) < 0) {
- perror("v4 bind");
- exit(5);
- }
- break;
-
- case AF_INET6:
- laddr.u.v6.sin6_port = htons(lport);
- if(bind(s, (struct sockaddr *)&laddr.u.v6, sizeof(laddr.u.v6)) < 0) {
- perror("v6 bind");
- exit(5);
- }
- break;
- }
-
- numSenders = 0;
-
- if(!listen_only) {
- while(optind < argc) {
- char *port;
- char *host;
- char namebuf[128];
-
- host = argv[optind];
-
- port = strchr(host, '/');
- dport=500;
- if(port) {
- *port='\0';
- port++;
- dport= strtol(port, &foo, 0);
- if(port==foo || dport < 0 || dport > 65535) {
- fprintf(stderr, "Invalid port number '%s' "
- "(should be 0<=x<65536)\n",
- port);
- exit(1);
- }
- }
-
- errstr = ttoaddr(host, strlen(host),
- afamily, &raddr);
- if(errstr!=NULL) {
- fprintf(stderr, "Invalid remote address '%s': %s\n",
- host, errstr);
- exit(1);
- }
-
- addrtot(&raddr, 0, namebuf, sizeof(namebuf));
-
- printf("Sending packet to %s/%d\n", namebuf, dport);
-
- send_ping(afamily, s, &raddr, dport);
- numSenders++;
- optind++;
- }
- }
-
- timedOut = 0;
- numReceived=0;
-
- /* really should catch ^C and print stats on exit */
- while(numSenders > 0 || listen_only) {
- struct pollfd ready;
- int n;
-
- ready.fd = s;
- ready.events = POLLIN;
-
- n = poll(&ready, 1, waitTime);
- if(n < 0) {
- perror("poll");
- exit(1);
- }
-
- if(n == 0 && !listen_only) {
- break;
- }
-
- if(n == 1) {
- numReceived++;
- receive_ping(afamily, s, listen_only);
- }
- }
-
- if(numReceived > 0) {
- printf("%d packets sent, %d packets received. %d packet loss\n",
- numSenders, numReceived, numSenders*100/numReceived);
- }
- exit(0);
-}
-
-/*
- * Local variables:
- * c-file-style: "linux"
- * c-basic-offset: 4
- * End:
- *
- */
diff --git a/programs/ipsec/.cvsignore b/programs/ipsec/.cvsignore
deleted file mode 100644
index 70025a7f8..000000000
--- a/programs/ipsec/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-ipsec
diff --git a/programs/ipsec/Makefile b/programs/ipsec/Makefile
deleted file mode 100644
index fdff3728a..000000000
--- a/programs/ipsec/Makefile
+++ /dev/null
@@ -1,28 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.2 2006/02/10 11:27:31 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=ipsec
-PROGRAMDIR=${SBINDIR}
-MANPROGPREFIX:=./
-LIBFILES:=$(wildcard distro.txt)
-
-include ../Makefile.program
-
-install:: ipsec
- @$(INSTALL) $(INSTBINFLAGS) ipsec $(RCDIR)/ipsec
-
diff --git a/programs/ipsec/distro.txt b/programs/ipsec/distro.txt
deleted file mode 100644
index 80f4192a4..000000000
--- a/programs/ipsec/distro.txt
+++ /dev/null
@@ -1 +0,0 @@
-distributed by Andreas Steffen <andreas.steffen@strongswan.org>
diff --git a/programs/klipsdebug/.cvsignore b/programs/klipsdebug/.cvsignore
deleted file mode 100644
index 03c1d474c..000000000
--- a/programs/klipsdebug/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-klipsdebug
diff --git a/programs/klipsdebug/Makefile b/programs/klipsdebug/Makefile
deleted file mode 100644
index 6c98e7592..000000000
--- a/programs/klipsdebug/Makefile
+++ /dev/null
@@ -1,80 +0,0 @@
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 1998, 1999 Henry Spencer.
-# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:28 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM:=klipsdebug
-EXTRA5PROC=${PROGRAM}.5
-
-LIBS:=${FREESWANLIB}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:28 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.4 2002/06/03 20:25:31 mcr
-# man page for files actually existant in /proc/net changed back to
-# ipsec_foo via new EXTRA5PROC process.
-#
-# Revision 1.3 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.2 2002/04/26 01:21:26 mcr
-# while tracking down a missing (not installed) /etc/ipsec.conf,
-# MCR has decided that it is not okay for each program subdir to have
-# some subset (determined with -f) of possible files.
-# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-# Optional PROGRAM.5 files have been added to the makefiles.
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:28 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.4 2002/06/03 20:25:31 mcr
-# man page for files actually existant in /proc/net changed back to
-# ipsec_foo via new EXTRA5PROC process.
-#
-# Revision 1.3 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.2 2002/04/26 01:21:26 mcr
-# while tracking down a missing (not installed) /etc/ipsec.conf,
-# MCR has decided that it is not okay for each program subdir to have
-# some subset (determined with -f) of possible files.
-# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-# Optional PROGRAM.5 files have been added to the makefiles.
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
diff --git a/programs/klipsdebug/klipsdebug.5 b/programs/klipsdebug/klipsdebug.5
deleted file mode 100644
index 8e5f985f0..000000000
--- a/programs/klipsdebug/klipsdebug.5
+++ /dev/null
@@ -1,138 +0,0 @@
-.TH IPSEC_KLIPSDEBUG 5 "26 Jun 2000"
-.\"
-.\" RCSID $Id: klipsdebug.5,v 1.1 2004/03/15 20:35:28 as Exp $
-.\"
-.SH NAME
-ipsec_klipsdebug \- list KLIPS (kernel IPSEC support) debug features and level
-.SH SYNOPSIS
-.B ipsec
-.B klipsdebug
-.PP
-.B cat
-.B /proc/net/ipsec_klipsdebug
-.SH DESCRIPTION
-.I /proc/net/ipsec_klipsdebug
-lists flags that control various parts of the debugging output of Klips
-(the kernel portion of FreeS/WAN IPSEC).
-At this point it is a read-only file.
-.PP
-A table entry consists of:
-.IP + 3
-a KLIPS debug variable
-.IP +
-a '=' separator for visual and automated parsing between the variable
-name and its current value
-.IP +
-hexadecimal bitmap of variable's flags.
-.PP
-The variable names roughly describe the scope of the debugging variable.
-Currently, no flags are documented or individually accessible yet except
-tunnel-xmit.
-.ne 5
-.PP
-The variable names are:
-.TP 8
-.B tunnel
-tunnelling code
-.TP
-.B netlink
-userspace communication code (obsolete)
-.TP
-.B xform
-transform selection and manipulation code
-.TP
-.B eroute
-eroute table manipulation code
-.TP
-.B spi
-SA table manipulation code
-.TP
-.B radij
-radij tree manipulation code
-.TP
-.B esp
-encryptions transforms code
-.TP
-.B ah
-authentication transforms code
-.TP
-.B rcv
-receive code
-.TP
-.B ipcomp
-ip compression transforms code
-.TP
-.B verbose
-give even more information, beware this will probably trample the 4k kernel printk buffer giving inaccurate output
-.PP
-All KLIPS debug output appears as
-.B kernel.info
-messages to
-.IR syslogd (8).
-Most systems are set up
-to log these messages to
-.IR /var/log/messages .
-.PP
-.SH EXAMPLES
-.LP
-.B debug_tunnel=00000010.
-.br
-.B debug_netlink=00000000.
-.br
-.B debug_xform=00000000.
-.br
-.B debug_eroute=00000000.
-.br
-.B debug_spi=00000000.
-.br
-.B debug_radij=00000000.
-.br
-.B debug_esp=00000000.
-.br
-.B debug_ah=00000000.
-.br
-.B debug_rcv=00000000.
-.br
-.B debug_pfkey=ffffffff.
-.LP
-means that one
-.B tunnel
-flag has been set (tunnel-xmit),
-full
-.B pfkey
-sockets debugging has been set and everything else is not set.
-.LP
-.SH FILES
-/proc/net/ipsec_klipsdebug, /usr/local/bin/ipsec
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8),
-ipsec_spi(8), ipsec_spigrp(8), ipsec_klipsdebug(5), ipsec_version(5),
-ipsec_pf_key(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Richard Guy Briggs.
-.\"
-.\" $Log: klipsdebug.5,v $
-.\" Revision 1.1 2004/03/15 20:35:28 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.5 2002/04/24 07:35:38 mcr
-.\" Moved from ./klips/utils/klipsdebug.5,v
-.\"
-.\" Revision 1.4 2000/10/10 20:10:19 rgb
-.\" Added support for debug_ipcomp and debug_verbose to klipsdebug.
-.\"
-.\" Revision 1.3 2000/06/30 18:21:55 rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.2 2000/06/28 12:44:12 henry
-.\" format touchup
-.\"
-.\" Revision 1.1 2000/06/28 05:43:00 rgb
-.\" Added manpages for all 5 klips utils.
-.\"
-.\"
-.\"
diff --git a/programs/klipsdebug/klipsdebug.8 b/programs/klipsdebug/klipsdebug.8
deleted file mode 100644
index 60d018eec..000000000
--- a/programs/klipsdebug/klipsdebug.8
+++ /dev/null
@@ -1,164 +0,0 @@
-.TH IPSEC_KLIPSDEBUG 8 "21 Jun 2000"
-.\"
-.\" RCSID $Id: klipsdebug.8,v 1.1 2004/03/15 20:35:28 as Exp $
-.\"
-.SH NAME
-ipsec klipsdebug \- set KLIPS (kernel IPSEC support) debug features and level
-.SH SYNOPSIS
-.B ipsec
-.B klipsdebug
-.PP
-.B ipsec
-.B klipsdebug
-.B \-\-set
-flagname
-.PP
-.B ipsec
-.B klipsdebug
-.B \-\-clear
-flagname
-.PP
-.B ipsec
-.B klipsdebug
-.B \-\-all
-.PP
-.B ipsec
-.B klipsdebug
-.B \-\-none
-.PP
-.B ipsec
-.B klipsdebug
-.B \-\-help
-.PP
-.B ipsec
-.B klipsdebug
-.B \-\-version
-.SH DESCRIPTION
-.I Klipsdebug
-sets and clears flags that control
-various parts of the debugging output of Klips
-(the kernel portion of FreeS/WAN IPSEC).
-The form with no additional arguments lists the present contents of
-/proc/net/ipsec_klipsdebug.
-The
-.B \-\-set
-form turns the specified flag on,
-while the
-.B \-\-clear
-form turns the specified flag off.
-The
-.B \-\-all
-form
-turns all flags on except verbose, while the
-.B \-\-none
-form turns all flags off.
-.PP
-The current flag names are:
-.TP 8
-.B tunnel
-tunnelling code
-.TP
-.B tunnel-xmit
-tunnelling transmit only code
-.TP
-.B pfkey
-userspace communication code
-.TP
-.B xform
-transform selection and manipulation code
-.TP
-.B eroute
-eroute table manipulation code
-.TP
-.B spi
-SA table manipulation code
-.TP
-.B radij
-radij tree manipulation code
-.TP
-.B esp
-encryptions transforms code
-.TP
-.B ah
-authentication transforms code
-.B rcv
-receive code
-.TP
-.B ipcomp
-ip compression transforms code
-.TP
-.B verbose
-give even more information, BEWARE:
-a)this will print authentication and encryption keys in the logs
-b)this will probably trample the 4k kernel printk buffer giving inaccurate output
-.PP
-All Klips debug output appears as
-.B kernel.info
-messages to
-.IR syslogd (8).
-Most systems are set up
-to log these messages to
-.IR /var/log/messages .
-Beware that
-.B klipsdebug
-.B \-\-all
-produces a lot of output and the log file will grow quickly.
-.PP
-The file format for /proc/net/ipsec_klipsdebug is discussed in
-ipsec_klipsdebug(5).
-.SH EXAMPLES
-.TP
-.B klipsdebug \-\-all
-turns on all KLIPS debugging except verbose.
-.TP
-.B klipsdebug \-\-clear tunnel
-turns off only the
-.B tunnel
-debugging messages.
-.LP
-.SH FILES
-/proc/net/ipsec_klipsdebug, /usr/local/bin/ipsec
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8),
-ipsec_spi(8), ipsec_spigrp(8), ipsec_klipsdebug(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Richard Guy Briggs.
-.SH BUGS
-It really ought to be possible to set or unset selective combinations
-of flags.
-.\"
-.\" $Log: klipsdebug.8,v $
-.\" Revision 1.1 2004/03/15 20:35:28 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.18 2002/04/24 07:35:39 mcr
-.\" Moved from ./klips/utils/klipsdebug.8,v
-.\"
-.\" Revision 1.17 2000/10/10 20:10:19 rgb
-.\" Added support for debug_ipcomp and debug_verbose to klipsdebug.
-.\"
-.\" Revision 1.16 2000/08/18 17:33:11 rgb
-.\" Updated obsolete netlink reference and added pfkey and tunnel-xmit.
-.\"
-.\" Revision 1.15 2000/06/30 18:21:55 rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.14 2000/06/28 05:53:09 rgb
-.\" Mention that netlink is obsolete.
-.\"
-.\" Revision 1.13 2000/06/21 16:54:58 rgb
-.\" Added 'no additional args' text for listing contents of
-.\" /proc/net/ipsec_* files.
-.\"
-.\" Revision 1.12 1999/07/19 18:47:24 henry
-.\" fix slightly-misformed comments
-.\"
-.\" Revision 1.11 1999/04/06 04:54:37 rgb
-.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
-.\" patch shell fixes.
-.\"
-.\"
diff --git a/programs/klipsdebug/klipsdebug.c b/programs/klipsdebug/klipsdebug.c
deleted file mode 100644
index c205038a1..000000000
--- a/programs/klipsdebug/klipsdebug.c
+++ /dev/null
@@ -1,436 +0,0 @@
-/*
- * control KLIPS debugging options
- * Copyright (C) 1996 John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs <rgb@freeswan.org>
- * 2001 Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-char klipsdebug_c_version[] = "RCSID $Id: klipsdebug.c,v 1.2 2004/06/07 15:16:34 as Exp $";
-
-
-#include <sys/types.h>
-#include <linux/types.h> /* new */
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h> /* system(), strtoul() */
-#include <sys/stat.h> /* open() */
-#include <fcntl.h> /* open() */
-
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-
-
-#include <unistd.h>
-#include <freeswan.h>
-#if 0
-#include <linux/autoconf.h> /* CONFIG_IPSEC_PFKEYv2 */
-#endif
-
-/* permanently turn it on since netlink support has been disabled */
-#include <signal.h>
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-#ifndef CONFIG_IPSEC_DEBUG
-#define CONFIG_IPSEC_DEBUG
-#endif /* CONFIG_IPSEC_DEBUG */
-#include "freeswan/ipsec_tunnel.h"
-
-#include <stdio.h>
-#include <getopt.h>
-
-__u32 bigbuf[1024];
-char *program_name;
-
-int pfkey_sock;
-fd_set pfkey_socks;
-uint32_t pfkey_seq = 0;
-
-char copyright[] =
-"Copyright (C) 1999 Henry Spencer, Richard Guy Briggs, D. Hugh Redelmeier,\n\
- Sandy Harris, Angelos D. Keromytis, John Ioannidis.\n\
-\n\
- This program is free software; you can redistribute it and/or modify it\n\
- under the terms of the GNU General Public License as published by the\n\
- Free Software Foundation; either version 2 of the License, or (at your\n\
- option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.\n\
-\n\
- This program is distributed in the hope that it will be useful, but\n\
- WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY\n\
- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License\n\
- (file COPYING in the distribution) for more details.\n";
-
-static void
-usage(char * arg)
-{
- fprintf(stdout, "usage: %s {--set|--clear} {tunnel|tunnel-xmit|netlink|xform|eroute|spi|radij|esp|ah|rcv|pfkey|ipcomp|verbose}\n", arg);
- fprintf(stdout, " %s {--all|--none}\n", arg);
- fprintf(stdout, " %s --help\n", arg);
- fprintf(stdout, " %s --version\n", arg);
- fprintf(stdout, " %s\n", arg);
- fprintf(stdout, " [ --debug ] is optional to any %s command\n", arg);
- fprintf(stdout, " [ --label <label> ] is optional to any %s command.\n", arg);
- exit(1);
-}
-
-static struct option const longopts[] =
-{
- {"set", 1, 0, 's'},
- {"clear", 1, 0, 'c'},
- {"all", 0, 0, 'a'},
- {"none", 0, 0, 'n'},
- {"help", 0, 0, 'h'},
- {"version", 0, 0, 'v'},
- {"label", 1, 0, 'l'},
- {"optionsfrom", 1, 0, '+'},
- {"debug", 0, 0, 'd'},
- {0, 0, 0, 0}
-};
-
-int
-main(int argc, char **argv)
-{
-/* int fd; */
- unsigned char action = 0;
- int c, previous = -1;
-
- int debug = 0;
- int error = 0;
- int argcount = argc;
- int em_db_tn, em_db_nl, em_db_xf, em_db_er, em_db_sp;
- int em_db_rj, em_db_es, em_db_ah, em_db_rx, em_db_ky;
- int em_db_gz, em_db_vb;
-
- struct sadb_ext *extensions[SADB_EXT_MAX + 1];
- struct sadb_msg *pfkey_msg;
-
- em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=0;
- em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=0;
- em_db_gz=em_db_vb=0;
-
-
- program_name = argv[0];
-
- while((c = getopt_long(argc, argv, ""/*"s:c:anhvl:+:d"*/, longopts, 0)) != EOF) {
- switch(c) {
- case 'd':
- debug = 1;
- pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX;
- argcount--;
- break;
- case 's':
- if(action) {
- fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n",
- program_name);
- exit(1);
- }
- action = 's';
- em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=0;
- em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=0;
- em_db_gz=em_db_vb=0;
- if(strcmp(optarg, "tunnel") == 0) {
- em_db_tn = -1L;
- } else if(strcmp(optarg, "tunnel-xmit") == 0) {
- em_db_tn = DB_TN_XMIT;
- } else if(strcmp(optarg, "netlink") == 0) {
- em_db_nl = -1L;
- } else if(strcmp(optarg, "xform") == 0) {
- em_db_xf = -1L;
- } else if(strcmp(optarg, "eroute") == 0) {
- em_db_er = -1L;
- } else if(strcmp(optarg, "spi") == 0) {
- em_db_sp = -1L;
- } else if(strcmp(optarg, "radij") == 0) {
- em_db_rj = -1L;
- } else if(strcmp(optarg, "esp") == 0) {
- em_db_es = -1L;
- } else if(strcmp(optarg, "ah") == 0) {
- em_db_ah = -1L;
- } else if(strcmp(optarg, "rcv") == 0) {
- em_db_rx = -1L;
- } else if(strcmp(optarg, "pfkey") == 0) {
- em_db_ky = -1L;
- } else if(strcmp(optarg, "comp") == 0) {
- em_db_gz = -1L;
- } else if(strcmp(optarg, "verbose") == 0) {
- em_db_vb = -1L;
- } else {
- usage(program_name);
- }
- em_db_nl |= 1 << (sizeof(em_db_nl) * 8 -1);
- break;
- case 'c':
- if(action) {
- fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n",
- program_name);
- exit(1);
- }
- em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=-1;
- em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=-1;
- em_db_gz=em_db_vb=-1;
-
- action = 'c';
- if(strcmp(optarg, "tunnel") == 0) {
- em_db_tn = 0;
- } else if(strcmp(optarg, "tunnel-xmit") == 0) {
- em_db_tn = ~DB_TN_XMIT;
- } else if(strcmp(optarg, "netlink") == 0) {
- em_db_nl = 0;
- } else if(strcmp(optarg, "xform") == 0) {
- em_db_xf = 0;
- } else if(strcmp(optarg, "eroute") == 0) {
- em_db_er = 0;
- } else if(strcmp(optarg, "spi") == 0) {
- em_db_sp = 0;
- } else if(strcmp(optarg, "radij") == 0) {
- em_db_rj = 0;
- } else if(strcmp(optarg, "esp") == 0) {
- em_db_es = 0;
- } else if(strcmp(optarg, "ah") == 0) {
- em_db_ah = 0;
- } else if(strcmp(optarg, "rcv") == 0) {
- em_db_rx = 0;
- } else if(strcmp(optarg, "pfkey") == 0) {
- em_db_ky = 0;
- } else if(strcmp(optarg, "comp") == 0) {
- em_db_gz = 0;
- } else if(strcmp(optarg, "verbose") == 0) {
- em_db_vb = 0;
- } else {
- usage(program_name);
- }
- em_db_nl &= ~(1 << (sizeof(em_db_nl) * 8 -1));
- break;
- case 'a':
- if(action) {
- fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n",
- program_name);
- exit(1);
- }
- action = 'a';
- em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=-1;
- em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=-1;
- em_db_gz=-1;
- em_db_vb= 0;
- break;
- case 'n':
- if(action) {
- fprintf(stderr, "%s: Only one of '--set', '--clear', '--all' or '--none' options permitted.\n",
- program_name);
- exit(1);
- }
- action = 'n';
- em_db_tn=em_db_nl=em_db_xf=em_db_er=em_db_sp=0;
- em_db_rj=em_db_es=em_db_ah=em_db_rx=em_db_ky=0;
- em_db_gz=em_db_vb=0;
- break;
- case 'h':
- case '?':
- usage(program_name);
- exit(1);
- case 'v':
- fprintf(stdout, "klipsdebug (Linux FreeS/WAN %s) %s\n",
- ipsec_version_code(), klipsdebug_c_version);
- fputs(copyright, stdout);
- exit(0);
- case 'l':
- program_name = malloc(strlen(argv[0])
- + 10 /* update this when changing the sprintf() */
- + strlen(optarg));
- sprintf(program_name, "%s --label %s",
- argv[0],
- optarg);
- argcount -= 2;
- break;
- case '+': /* optionsfrom */
- optionsfrom(optarg, &argc, &argv, optind, stderr);
- /* no return on error */
- break;
- default:
- break;
- }
- previous = c;
- }
-
- if(argcount == 1) {
- system("cat /proc/net/ipsec_klipsdebug");
- exit(0);
- }
-
- if(!action) {
- usage(program_name);
- }
-
- if((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) {
- fprintf(stderr, "%s: Trouble opening PF_KEY family socket with error: ",
- program_name);
- switch(errno) {
- case ENOENT:
- fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
- break;
- case EACCES:
- fprintf(stderr, "access denied. ");
- if(getuid() == 0) {
- fprintf(stderr, "Check permissions. Should be 600.\n");
- } else {
- fprintf(stderr, "You must be root to open this file.\n");
- }
- break;
- case EUNATCH:
- fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
- break;
- case ENODEV:
- fprintf(stderr, "KLIPS not loaded or enabled.\n");
- break;
- case EBUSY:
- fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
- break;
- case EINVAL:
- fprintf(stderr, "Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n");
- break;
- case ENOBUFS:
- fprintf(stderr, "No kernel memory to allocate SA.\n");
- break;
- case ESOCKTNOSUPPORT:
- fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
- break;
- case EEXIST:
- fprintf(stderr, "SA already in use. Delete old one first.\n");
- break;
- case ENXIO:
- fprintf(stderr, "SA does not exist. Cannot delete.\n");
- break;
- case EAFNOSUPPORT:
- fprintf(stderr, "KLIPS not loaded or enabled.\n");
- break;
- default:
- fprintf(stderr, "Unknown file open error %d. Please report as much detail as possible to development team.\n", errno);
- }
- exit(1);
- }
-
- pfkey_extensions_init(extensions);
-
- if((error = pfkey_msg_hdr_build(&extensions[0],
- SADB_X_DEBUG,
- 0,
- 0,
- ++pfkey_seq,
- getpid()))) {
- fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
-
- if((error = pfkey_x_debug_build(&extensions[SADB_X_EXT_DEBUG],
- em_db_tn,
- em_db_nl,
- em_db_xf,
- em_db_er,
- em_db_sp,
- em_db_rj,
- em_db_es,
- em_db_ah,
- em_db_rx,
- em_db_ky,
- em_db_gz,
- em_db_vb))) {
- fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
-
- if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) {
- fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- exit(1);
- }
-
- if((error = write(pfkey_sock,
- pfkey_msg,
- pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) !=
- (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) {
- fprintf(stderr,
- "%s: pfkey write failed, tried to write %u octets, returning %d with errno=%d.\n",
- program_name,
- (unsigned)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN),
- error,
- errno);
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- switch(errno) {
- case EACCES:
- fprintf(stderr, "access denied. ");
- if(getuid() == 0) {
- fprintf(stderr, "Check permissions. Should be 600.\n");
- } else {
- fprintf(stderr, "You must be root to open this file.\n");
- }
- break;
- case EUNATCH:
- fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
- break;
- case EBUSY:
- fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
- break;
- case EINVAL:
- fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
- break;
- case ENODEV:
- fprintf(stderr, "KLIPS not loaded or enabled.\n");
- fprintf(stderr, "No device?!?\n");
- break;
- case ENOBUFS:
- fprintf(stderr, "No kernel memory to allocate SA.\n");
- break;
- case ESOCKTNOSUPPORT:
- fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
- break;
- case EEXIST:
- fprintf(stderr, "SA already in use. Delete old one first.\n");
- break;
- case ENOENT:
- fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
- break;
- case ENXIO:
- fprintf(stderr, "SA does not exist. Cannot delete.\n");
- break;
- case ENOSPC:
- fprintf(stderr, "no room in kernel SAref table. Cannot process request.\n");
- break;
- case ESPIPE:
- fprintf(stderr, "kernel SAref table internal error. Cannot process request.\n");
- break;
- default:
- fprintf(stderr, "Unknown socket write error %d. Please report as much detail as possible to development team.\n", errno);
- }
- exit(1);
- }
-
- if(pfkey_msg) {
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- }
-
- (void) close(pfkey_sock); /* close the socket */
- exit(0);
-}
diff --git a/programs/look/.cvsignore b/programs/look/.cvsignore
deleted file mode 100644
index 6f094f8d7..000000000
--- a/programs/look/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-look
diff --git a/programs/look/Makefile b/programs/look/Makefile
deleted file mode 100644
index e66ca60c1..000000000
--- a/programs/look/Makefile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:28 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=look
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:28 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/look/look.8 b/programs/look/look.8
deleted file mode 100644
index fc2d53eca..000000000
--- a/programs/look/look.8
+++ /dev/null
@@ -1,45 +0,0 @@
-.TH look 8 "25 Apr 2002"
-.\"
-.\" RCSID $Id: look.8,v 1.1 2004/03/15 20:35:28 as Exp $
-.\"
-.SH NAME
-ipsec look \- get a quick summary of FreeS/WAN status
-.SH SYNOPSIS
-.I look
-is used to get a quick overview of what the status of FreeSWAN is.
-It is equivalent to:
-\ \ \ ipsec eroute
-
-\ \ \ ipsec spigrp
-
-\ \ \ ipsec tncfg
-
-\ \ \ ipsec spi
-
-\ \ \ netstat -rn
-
-.LP
-However a bit of processing is done to combine the outputs.
-.SH "SEE ALSO"
-ipsec(8), ipsec_tncfg(8), ipsec_spi(8), ipsec_spigrp(8), ipsec_eroute(5),
-netstat(8).
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
-by Michael Richardson. Original program written by Henry Spencer.
-.\"
-.\" $Log: look.8,v $
-.\" Revision 1.1 2004/03/15 20:35:28 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.2 2002/04/29 22:39:31 mcr
-.\" added basic man page for all internal commands.
-.\"
-.\" Revision 1.1 2002/04/26 01:21:43 mcr
-.\" while tracking down a missing (not installed) /etc/ipsec.conf,
-.\" MCR has decided that it is not okay for each program subdir to have
-.\" some subset (determined with -f) of possible files.
-.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-.\" Optional PROGRAM.5 files have been added to the makefiles.
-.\"
-.\"
-.\"
diff --git a/programs/look/look.in b/programs/look/look.in
deleted file mode 100755
index a5331c03b..000000000
--- a/programs/look/look.in
+++ /dev/null
@@ -1,87 +0,0 @@
-#! /bin/sh
-# quick look at current connections and related information
-# Copyright (C) 1998, 1999 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: look.in,v 1.1 2004/03/15 20:35:28 as Exp $
-
-info=/var/run/ipsec.info
-me="ipsec look"
-
-case "$1" in
---help) echo "Usage: ipsec look" ; exit 0 ;;
---version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
-esac
-
-# clear out variables that have strange effects on sort etc.
-unset LANG LANGUAGE LC_ALL LC_MESSAGES
-
-# Pick up IPsec configuration etc.
-eval `ipsec _confread --varprefix IPSEC --optional --type config setup`
-if test " $IPSEC_confreadstatus" != " "
-then
- echo "$IPSEC_confreadstatus -- aborting" |
- logger -s -p daemon.error -t ipsec_look
- exit 1
-fi
-if test -s $info
-then
- . $info
-fi
-
-# label it just to be sure
-echo "`hostname` `date`"
-
-# combine spigrp and eroute
-cat /proc/net/ipsec_spigrp /proc/net/ipsec_eroute |
- awk '
- function pad(subnet) {
- sub("/", ".", subnet)
- split(subnet, d, ".")
- return sprintf("%03s%03s%03s%03s%03s", d[1], d[2],
- d[3], d[4], d[5])
- }
- $2 == "->" {
- printf "%s:%-18s -> %-18s => %s\n",
- (pad($1) pad($3)),
- $1, $3, (($5 in tun) ? tun[$5] : $5)
- next
- }
- $3 == "->" {
- printf "%s:%-18s -> %-18s => %s (%s)\n",
- (pad($2) pad($4)),
- $2, $4, (($6 in tun) ? tun[$6] : $6), $1
- next
- }
- { tun[$1] = $0 }
- ' | sort | sed 's/^[^:]*://'
-
-# tncfg (mostly as a divider line)
-egrep -v 'NULL[ \t]+mtu=0\(0\)[ \t]+->[ \t]+0' /proc/net/ipsec_tncfg |
- paste -d % | sed 's/%/ /g' | sed 's/ -> /->/g'
-
-# SAs
-sort /proc/net/ipsec_spi
-
-# relevant routing information, including header line (which is good
-# enough as a separator, no need for another bar)
-pat="^Dest"
-if test " $defaultroutephys" != " "
-then
- pat="$pat|$defaultroutephys\$|$defaultroutevirt\$"
-else
- for i in `echo "$IPSECinterfaces" | tr '=' ' '`
- do
- pat="$pat|$i\$"
- done
-fi
-netstat -nr | egrep "$pat" | sed '/^Dest/s/^/ /' | sort | sed '/^ Dest/s/ //'
diff --git a/programs/lwdnsq/.cvsignore b/programs/lwdnsq/.cvsignore
deleted file mode 100644
index b1ff942bf..000000000
--- a/programs/lwdnsq/.cvsignore
+++ /dev/null
@@ -1,4 +0,0 @@
-dnskey
-dnskey.cat8
-lwdnsq
-lwdnsq.xml
diff --git a/programs/lwdnsq/CONTRACT.txt b/programs/lwdnsq/CONTRACT.txt
deleted file mode 100644
index 77335e8cf..000000000
--- a/programs/lwdnsq/CONTRACT.txt
+++ /dev/null
@@ -1,106 +0,0 @@
-The only delays are after START, and after CNAME.
-
-add the time to each line.
-
-put DNSSEC status on each line.
-
-The format of the replies is:
-
- <ID> <TIME> <TTL> <TYPE> <TYPE-SPECIFIC> \n
- ^- whitespace.
-
-ID is a unique number that identifies the transaction. It is determined
-by the caller. lwdnsq treats this ID as a string, and does nothing
-with it other than repeat it on each line.
-There is no predetermined bound on the length, but the total line
-length of input to lwdnsq must not exceed LWDNSQ_CMDBUF_LEN (1024).
-LWDNSQ_CMDBUF_LEN is defined in <freeswan.h>
-
-The output of lwdnsq is currently limited to LWDNSQ_RESULT_LEN_MAX (4096) byte
-lines. LWDNSQ_RESULT_LEN_MAX is defined in <freeswan.h>
-
-Time is a decimal encoded integer, currently 32-bit time (time_t) since Unix
-epoch. On systems with a 64-bit time_t, it would be 64-bit in range.
-
-The TTL field gives the number of seconds that the result is valid for.
-(starting at the time given). If there is no useful TTL value for the
-record, it will be either "0".
-
-Type is a case-insensitive, one of:
-structure
- START (optional comments) acknowledges start of transaction
- DONE (optional comments) signals the end of data for a transaction
-
-errors
- RETRY same as for FATAL, but this implies that the data
- was not found, but could be found later.
-
- FATAL Following this, is text detailing the fault,
- in a human readable form.
- "FATAL" results likely mean that the lwdnsq should
- be restarted.
-
- WARNING Log this result, but do not cancel transaction.
-
- Errors are still followed by "DONE".
-
-
-
-data answers
- DNSSEC followed by "OKAY" or "not present"
- NAME followed by canonical name for requested RR,
- i.e. the result of any CNAMEs/DNAMEs that were chased
- by the recursive resolving server.
- CNAME followed by the name which has been followed.
- CNAMEFROM the thing that was mapped
- TXT followed by RR-specific Presentation Format
- SIG "
- A "
- AAAA "
- PTR "
- KEY "
- AD-TXT followed by RR-specific Presentation Format - DNSSEC
- TXT followed by RR-specific Presentation Format - DNSSEC
- AD-KEY followed by RR-specific Presentation Format - DNSSEC
- KEY followed by RR-specific Presentation Format - DNSSEC
-
-If there is no data of the type requested, even after lwdnsq
-has attempted to follow CNAMEs, then there will be no resource
-records returned. This is the formal indication of the lack of
-the records, however, in addition, an error will be returned, of the type:
- RETRY the record "foobar" does not have a RR resource record.
-
-The -ldns library from bind9 will deal with the presentation format,
-producing a structure breakout from it. The functions are:
-
-dns_rdata_fromtext(3)
- Presentation Format -> Wire Format
-dns_rdata_tostruct(3)
- Wire Format -> C-structure
-
-dns_rdata_totext(3)
- Wire Format -> Presentation Format
-
-(Above from .../src/bind-9.3.0s20020722/lib/dns/include/dns/rdata.h)
-
-The lwdnsq program uses dns_rdata_totext(3) to format the resource record
-(received from lwres in wire format) into its presentation format.
-
-The documentation is in the bind-9.3 source tree, in the header files.
-(They are likely all installed into the include directories).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/programs/lwdnsq/Makefile b/programs/lwdnsq/Makefile
deleted file mode 100644
index 2fca5e249..000000000
--- a/programs/lwdnsq/Makefile
+++ /dev/null
@@ -1,96 +0,0 @@
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 1998, 1999 Henry Spencer.
-# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:28 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM:=lwdnsq
-
-OBJS:=cmds.o lookup.o
-
-LWRESINCL=${LWRESDIR}/include
-
-LIBS:=${FREESWANLIB} ${LWRESLIB} ${BIND9STATICLIBDIR}/libdns.a ${BIND9STATICLIBDIR}/libisc.a
-CFLAGS+=-I${LWRESINCL}
-#USERCOMPILE=-g
-
-
-include ../Makefile.program
-
-lwdnsq.8: lwdnsq.xml
- xmlto man lwdnsq.xml
-
-lwdnsq.xml: lwdnsq.xml.in
-
-TAGS:
- etags *.[ch] ../../lib/liblwres/*.[ch] ../../lib/liblwres/include/lwres/*.h
-
-# manually maintained dependancies
-lwdnsq.o: lwdnsq.c lwdnsq.h
-cmds.o: cmds.c lwdnsq.h
-lookup.o: lookup.c lwdnsq.h
-
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:28 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.9 2003/09/03 01:13:24 mcr
-# first attempt at async capable lwdnsq.
-#
-# Revision 1.8 2003/02/27 09:29:02 mcr
-# moved targets to after include file so that XML-conversion
-# does not occur by default.
-#
-# Revision 1.7 2003/02/01 01:36:53 mcr
-# updates to lwdnsq man page to reflect CONTRACT
-#
-# Revision 1.6 2003/01/14 03:01:14 dhr
-#
-# improve diagnostics; tidy
-#
-# Revision 1.5 2003/01/10 23:20:40 dhr
-#
-# remove reference to /sandel
-#
-# Revision 1.4 2002/12/19 05:45:47 mcr
-# use BIND9STATICLIBDIR to find -lisc/-ldns.
-#
-# Revision 1.3 2002/12/12 06:03:41 mcr
-# added --regress option to force times to be regular
-#
-# Revision 1.2 2002/12/04 03:21:06 mcr
-# DNS zone files (with signed versions) for DNSSEC enabled testing root.
-#
-# Revision 1.1 2002/10/30 02:25:31 mcr
-# renamed version of files from dnskey/
-#
-# Revision 1.4 2002/10/18 04:08:02 mcr
-# added -ldns and -lisc to libraries, but it isn't clear
-# where we will find these only-slightly standard libraries yet.
-#
-# Revision 1.3 2002/10/09 20:13:10 mcr
-# get appropriate LWRES include directory.
-#
-# Revision 1.2 2002/09/30 18:55:54 mcr
-# skeleton for dnskey helper program.
-#
-# Revision 1.1 2002/09/30 16:50:23 mcr
-# documentation for "dnskey" helper
-#
-#
-#
diff --git a/programs/lwdnsq/cmds.c b/programs/lwdnsq/cmds.c
deleted file mode 100644
index 1b15202ff..000000000
--- a/programs/lwdnsq/cmds.c
+++ /dev/null
@@ -1,351 +0,0 @@
-/*
- * DNS KEY lookup helper - command implementation
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <freeswan.h>
-
-#include <errno.h>
-#include <arpa/nameser.h>
-#include <lwres/netdb.h>
-#include <time.h>
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/types.h>
-#include <isc/result.h>
-#include <isc/mem.h>
-#include <isc/buffer.h>
-#include <isc/region.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-#include <lwres/netdb.h>
-#include <lwres/async.h>
-
-
-#include "lwdnsq.h"
-
-static void cmd_not_implemented(dnskey_glob *gs, const char *what)
-{
- fprintf(gs->cmdproto_out, "0 FATAL unimplemented command \"%s\"\n", what);
-}
-
-void output_transaction_line(dnskey_glob *gs,
- char *id,
- int ttl,
- char *cmd,
- char *data)
-{
- time_t t;
-
- t=time(NULL);
-
- /* regularlize time for regression testing */
- if(gs->regress) {
- t=3145915;
- }
-
- if(data) {
- fprintf(gs->cmdproto_out,
- "%s %ld %d %s %s\n",
- id, t, ttl, cmd, data);
- } else {
- fprintf(gs->cmdproto_out,
- "%s %ld %d %s\n",
- id, t, ttl, cmd);
- }
-
-}
-
-void output_transaction_line_limited(dnskey_glob *gs,
- char *id,
- int ttl,
- char *cmd,
- int max,
- char *data)
-{
- time_t t;
-
- t=time(NULL);
-
- /* regularlize time for regression testing */
- if(gs->regress) {
- t=3145915;
- }
-
- fprintf(gs->cmdproto_out,
- "%s %ld %d %s %.*s\n",
- id, t, ttl, cmd, max, data);
-}
-
-
-#if 0
-again:
-
- lwres_getrrsetbyname_xmit(ctx, &las);
- timeout.tv_sec = lwres_async_timeout(ctx);
- sock = lwres_async_fd(ctx);
-
- FD_ZERO(&readfds);
- FD_SET(sock, &readfds);
- ret2 = select(sock + 1, &readfds, NULL, NULL, &timeout);
-
- /*
- * What happened with select?
- */
- if (ret2 < 0) {
- success = LWRES_R_IOERROR;
- goto out3;
- }
- if (ret2 == 0) {
- success = LWRES_R_TIMEOUT;
- goto out3;
- }
-
- out:
- if (ctx != NULL)
- lwres_context_destroy(&ctx);
-
- out2:
-
-#endif
-
-
-void lookup_key(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- char *id;
- char *fqdn;
- char simplebuf[80];
-
- /* process arguments */
- /* KEY 31459 east.uml.freeswan.org */
- if(argc!=3) {
- snprintf(simplebuf, sizeof(simplebuf), "wrong number of arguments %d", argc);
- output_transaction_line(gs, "0", 0, "FATAL", simplebuf);
- return;
- }
-
- id=argv[1];
- fqdn=argv[2];
-
- lookup_thing(gs, dns_rdatatype_key, "KEY", id, fqdn);
-}
-
-void lookup_key4(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- cmd_not_implemented(gs, "key4");
-}
-
-void lookup_key6(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- cmd_not_implemented(gs, "key6");
-}
-
-
-void lookup_txt(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- char *id;
- char *fqdn;
- char simplebuf[80];
-
- /* process arguments */
- /* KEY 31459 east.uml.freeswan.org */
- if(argc != 3) {
- snprintf(simplebuf, sizeof(simplebuf), "wrong number of arguments to TXT: %d", argc);
- output_transaction_line(gs, "0", 0, "FATAL", simplebuf);
- return;
- }
-
- id=argv[1];
- fqdn=argv[2];
-
- lookup_thing(gs, dns_rdatatype_txt, "TXT", id, fqdn);
-}
-
-void lookup_txt4(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- char *id;
- char *ipv4;
- struct in_addr in4;
- char simplebuf[80];
-
- /* process arguments */
- /* KEY 31459 east.uml.freeswan.org */
- if(argc != 3) {
- snprintf(simplebuf, sizeof(simplebuf), "wrong number of arguments to TXT: %d", argc);
- output_transaction_line(gs, "0", 0, "FATAL", simplebuf);
- return;
- }
-
- id=argv[1];
- ipv4=argv[2];
-
- if(inet_pton(AF_INET, ipv4, &in4) <= 0) {
- snprintf(simplebuf, sizeof(simplebuf), "invalid IPv4 address: %s", ipv4);
- output_transaction_line(gs, "0", 0, "FATAL", simplebuf);
- return;
- }
-
- snprintf(simplebuf, 80, "%d.%d.%d.%d.in-addr.arpa",
- in4.s_addr & 0xff,
- (in4.s_addr & 0xff00) >> 8,
- (in4.s_addr & 0xff0000) >> 16,
- (in4.s_addr & 0xff000000) >> 24);
-
- lookup_thing(gs, dns_rdatatype_txt, "TXT4", id, simplebuf);
-}
-
-void lookup_txt6(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- cmd_not_implemented(gs, "txt6");
-}
-
-void lookup_ipseckey(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- cmd_not_implemented(gs, "ipseckey");
-}
-
-void lookup_ipseckey4(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- cmd_not_implemented(gs, "ipseckey4");
-}
-
-void lookup_ipseckey6(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- cmd_not_implemented(gs, "ipseckey6");
-}
-
-void lookup_oe4(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- cmd_not_implemented(gs, "oe4");
-}
-
-void lookup_oe6(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- cmd_not_implemented(gs, "oe6");
-}
-
-void lookup_a(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- cmd_not_implemented(gs, "a");
-}
-
-void lookup_aaaa(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- cmd_not_implemented(gs, "aaaa");
-}
-
-
-
-
-
-
-/*
- * $Log: cmds.c,v $
- * Revision 1.1 2004/03/15 20:35:28 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.11 2003/09/03 01:13:24 mcr
- * first attempt at async capable lwdnsq.
- *
- * Revision 1.10 2003/05/22 16:33:51 mcr
- * added trailing . to CNAME return and cleaned up "CNAMEFROM" output.
- *
- * Revision 1.9 2003/05/14 15:47:39 mcr
- * processing of IP address into pieces was not done with
- * the right order of operations.
- *
- * Revision 1.8 2003/02/27 09:27:17 mcr
- * adjusted lwdnsq so that it adheres to contract - TXT records
- * are returned in a single piece. Requires custom decoding.
- * implemented "txt4" lookup type.
- *
- * Revision 1.7 2003/01/14 07:53:29 dhr
- *
- * - attempt to diagnose lack of lwdnsq
- * - increase too-small buffer size
- *
- * Revision 1.6 2003/01/14 03:01:14 dhr
- *
- * improve diagnostics; tidy
- *
- * Revision 1.5 2002/12/12 06:03:41 mcr
- * added --regress option to force times to be regular
- *
- * Revision 1.4 2002/11/25 18:37:28 mcr
- * added AD- marking of each record that was DNSSEC verified.
- *
- * Revision 1.3 2002/11/16 02:53:53 mcr
- * lwdnsq - with new contract added.
- *
- * Revision 1.2 2002/11/12 04:33:44 mcr
- * print DNSSEC status as we process CNAMEs.
- *
- * Revision 1.1 2002/10/30 02:25:31 mcr
- * renamed version of files from dnskey/
- *
- * Revision 1.4 2002/10/18 23:11:02 mcr
- * if we get ENOENT, then see if we can get a CNAME. If so, then
- * follow it.
- * Be careful when following them to avoid recursion.
- *
- * Revision 1.3 2002/10/18 04:08:47 mcr
- * use -ldns routines to decode lwres results and format them nicely.
- *
- * Revision 1.2 2002/10/09 20:13:34 mcr
- * first set of real code - lookup KEY records in forward.
- *
- * Revision 1.1 2002/09/30 18:55:54 mcr
- * skeleton for dnskey helper program.
- *
- * Revision 1.1 2002/09/30 16:50:23 mcr
- * documentation for "dnskey" helper
- *
- * Local variables:
- * c-file-style: "linux"
- * c-basic-offset: 2
- * End:
- *
- */
diff --git a/programs/lwdnsq/lookup.c b/programs/lwdnsq/lookup.c
deleted file mode 100644
index 700c4adbe..000000000
--- a/programs/lwdnsq/lookup.c
+++ /dev/null
@@ -1,632 +0,0 @@
-/*
- * DNS KEY lookup helper
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-char lookup_c_version[] = "@(#) RCSID $Id: lookup.c,v 1.1 2004/03/15 20:35:28 as Exp $";
-
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <freeswan.h>
-
-#include <errno.h>
-#include <getopt.h>
-#include <setjmp.h>
-#include <ctype.h>
-#include <signal.h>
-
-#include <isc/mem.h>
-#include <isc/buffer.h>
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-#include <dns/name.h>
-#include <lwres/netdb.h>
-#include <lwres/async.h>
-#include "lwdnsq.h"
-
-static int lwresd_has_spoken = 0;
-
-char *xstrdup(const char *s)
-{
- char *n;
-
- n = strdup(s);
- if(n == NULL) {
- abort();
- }
- return n;
-}
-
-void free_dl(dnskey_glob *gs, dnskey_lookup *dl)
-{
- dnskey_lookup **walk;
-
- walk = &gs->dns_outstanding;
- while(*walk!=NULL && *walk != dl)
- {
- walk = &((*walk)->next);
- }
- if(*walk != NULL)
- {
- /* if we exit with it non-null, then we
- * found a matching location, remove
- * it.
- */
- *walk = dl->next;
- dl->next = NULL;
- }
- gs->dns_inflight--;
-
- if(dl->tracking_id) {
- free(dl->tracking_id);
- dl->tracking_id = NULL;
- }
- if(dl->wantedtype_name) {
- free(dl->wantedtype_name);
- dl->wantedtype_name = NULL;
- }
- if(dl->fqdn) {
- free(dl->fqdn);
- dl->fqdn = NULL;
- }
-#if 0
- if(dl->last_cname_used) {
- dns_name_free(&dl->last_cname, gs->iscmem);
- }
-#endif
-
- free(dl);
-}
-
-void lookup_thing(dnskey_glob *gs,
- dns_rdatatype_t wantedtype,
- char *wantedtype_name,
- char *id,
- char *fqdn)
-{
- isc_mem_t *iscmem;
- isc_buffer_t *iscbuf;
- int success;
- dnskey_lookup *dl;
-
- iscmem=NULL;
- iscbuf=NULL;
- dl = malloc(sizeof(*dl));
- memset(dl, 0, sizeof(*dl));
-
- dl->tracking_id = strdup(id);
- dl->step = dkl_start;
-
- output_transaction_line(gs, id, 0, "START", NULL);
-
- success = lwres_getrrsetbyname_init(fqdn, dns_rdataclass_in,
- wantedtype, 0 /*flags*/,
- gs->lwctx, &dl->las);
-
- if(success != ERRSET_SUCCESS) {
- /* screwed: */
- output_transaction_line(gs, id, 0, "FATAL", "isc buffer error");
- return;
- }
-
- lwres_getrrsetbyname_xmit(gs->lwctx, &dl->las);
-
- dl->step = dkl_first;
- dl->wantedtype = wantedtype;
- dl->wantedtype_name = xstrdup(wantedtype_name);
- dl->fqdn = xstrdup(fqdn);
- dl->tracking_id = xstrdup(id);
-
- /* link it in */
- dl->next = gs->dns_outstanding;
- gs->dns_outstanding = dl;
-
- gs->dns_inflight++;
-
- return;
-}
-
-
-int setup_follow_possible_cname(dnskey_glob *gs,
- dnskey_lookup *dl)
-{
- int ret;
-
- dl->cname_count++;
-
- /*
- * If we are on an odd cycle (starting with 1),
- * then convert to dns_name_t so that we can compare later.
- *
- * This detects loops in the CNAME processing, while still
- * allowing an arbitrary number of CNAMEs to be followed.
- */
- if(dl->cname_count & 1)
- {
- isc_buffer_t fqdn_src;
- isc_buffer_t *fqdn_dst;
-
- if(dl->cname_count == 1)
- {
- memset(&dl->last_cname, 0, sizeof(dl->last_cname));
- dns_name_init(&dl->last_cname, NULL);
- }
- else
- {
- dns_name_reset(&dl->last_cname);
- }
-
- fqdn_dst=NULL;
-
- isc_buffer_init(&fqdn_src, dl->fqdn, strlen(dl->fqdn));
- isc_buffer_add(&fqdn_src, strlen(dl->fqdn));
-
- isc_buffer_allocate(gs->iscmem, &fqdn_dst, strlen(dl->fqdn)+1);
-
-#if 0
- if(dl->last_cname_used) {
- dns_name_free(&dl->last_cname, gs->iscmem);
- }
-#endif
- dl->last_cname_used = 1;
- if(dns_name_fromtext(&dl->last_cname,
- &fqdn_src,
- NULL,
- 1,
- fqdn_dst) != ISC_R_SUCCESS) {
- return 0;
- }
-
- /* something else here ? */
- }
-
- ret = lwres_getrrsetbyname_init(dl->fqdn, dns_rdataclass_in,
- dns_rdatatype_cname, 0 /*flags*/,
- gs->lwctx,
- &dl->las);
-
- if(ret != ERRSET_SUCCESS) {
- return 0;
- }
-
- lwres_getrrsetbyname_xmit(gs->lwctx, &dl->las);
-
- return 1;
-}
-
-
-/*
- * we asked for, and got a CNAME of some kind.
- */
-void process_step_cname(dnskey_glob *gs,
- dnskey_lookup *dl,
- struct rrsetinfo *ans,
- int success)
-{
- struct rdatainfo *ri;
- isc_region_t region;
- dns_rdata_t rd;
- dns_rdata_cname_t cn;
- char simplebuf[80];
- isc_buffer_t *cname_text;
- char cname_buf[DNS_NAME_MAXTEXT];
- /* char cname_buf2[DNS_NAME_MAXTEXT]; */
-
- switch(success) {
- case ERRSET_NONAME:
- case ERRSET_NODATA:
- /* no, no CNAME found, thing isn't there */
- snprintf(simplebuf, sizeof(simplebuf),
- "RR of type %s for %s was not found (tried CNAMEs)",
- dl->wantedtype_name,
- dl->fqdn);
- output_transaction_line(gs, dl->tracking_id, 0, "RETRY",
- simplebuf);
- dl->step = dkl_done;
- return;
-
- case 0:
- /* aha! found a CNAME */
- break;
-
- default:
- fatal:
- /* some other error */
- snprintf(simplebuf, sizeof(simplebuf), "err=%d", success);
- output_transaction_line(gs, dl->tracking_id, 0, "FATAL", simplebuf);
- dl->step = dkl_done;
- return;
- }
-
- /*
- * now process out the CNAMEs, and look them up, one by one...
- * there should be only one... We just use the first one that works.
- */
-
- if(ans->rri_flags & RRSET_VALIDATED) {
- output_transaction_line(gs, dl->tracking_id, 0, "DNSSEC", "OKAY");
- } else {
- output_transaction_line(gs, dl->tracking_id, 0, "DNSSEC", "not present");
- }
-
- if(ans->rri_nrdatas != 1) {
- /* we got a number of CNAMEs different from 1! */
- success=0;
- snprintf(simplebuf, sizeof(simplebuf), "illegal number of CNAMES: %d", ans->rri_nrdatas);
- output_transaction_line(gs, dl->tracking_id, 0, "FATAL", simplebuf);
- dl->step = dkl_done;
- return;
- }
-
- /* process first CNAME record */
- ri= &ans->rri_rdatas[0];
-
- memset(&region, 0, sizeof(region));
- memset(&rd, 0, sizeof(rd));
-
- region.base = ri->rdi_data;
- region.length = ri->rdi_length;
-
- dns_rdata_fromregion(&rd, dns_rdataclass_in,
- dns_rdatatype_cname, &region);
-
- /* we set mctx to NULL, which means that the tenure for
- * the stuff pointed to by cn will persist only as long
- * as rd persists.
- */
- if(dns_rdata_tostruct(&rd, &cn, NULL) != ISC_R_SUCCESS) {
- /* failed, try next return error */
- success=0;
- goto fatal;
- }
-
- cname_text=NULL;
- if(isc_buffer_allocate(gs->iscmem, &cname_text, DNS_NAME_MAXTEXT)) {
- success=0;
- goto fatal;
- }
-
- if(dns_name_totext(&cn.cname, ISC_TRUE, cname_text) !=
- ISC_R_SUCCESS) {
- success=0;
- goto fatal;
- }
-
- cname_buf[0]='\0';
- strncat(cname_buf,
- isc_buffer_base(cname_text),
- isc_buffer_usedlength(cname_text));
-
- /* free up buffer */
- isc_buffer_free(&cname_text);
-
- {
- /* add a trailing . */
- char *end;
- end = &cname_buf[strlen(cname_buf)];
- if(*end != '.') {
- strncat(cname_buf, ".", sizeof(cname_buf));
- }
- }
-
- /* format out a text version */
- output_transaction_line(gs, dl->tracking_id, 0, "CNAME", cname_buf);
- output_transaction_line(gs, dl->tracking_id, 0, "CNAMEFROM", dl->fqdn);
-
- /* check for loops in the CNAMEs! */
- if(dns_name_equal(&dl->last_cname, &cn.cname) == ISC_TRUE) {
- /* damn, we found a loop! */
- dl->step = dkl_done;
- return;
- }
-
- /* send new request. */
- /* okay, so look this new thing up */
- success = lwres_getrrsetbyname_init(cname_buf, dns_rdataclass_in,
- dl->wantedtype, 0 /*flags*/,
- gs->lwctx, &dl->las);
-
- if(success != ERRSET_SUCCESS) {
- return;
- }
-
- lwres_getrrsetbyname_xmit(gs->lwctx, &dl->las);
-
- dl->step = dkl_second;
-}
-
-void process_step_first(dnskey_glob *gs,
- dnskey_lookup *dl,
- struct rrsetinfo *ans,
- int success,
- int attempt) /* attempt = 0 first time, 1 after cname */
-{
- char simplebuf[132], typebuf[16];
- char txtbuf[1024];
- int i;
-
- switch(success) {
- case ERRSET_NODATA:
- if(attempt == 0) {
- lwresd_has_spoken = 1;
- setup_follow_possible_cname(gs, dl);
- dl->step = dkl_cname;
- return;
- }
- /* FALLTHROUGH */
- case ERRSET_NONAME:
- lwresd_has_spoken = 1;
- snprintf(simplebuf, sizeof(simplebuf),
- "RR of type %s for %s was not found",
- dl->wantedtype_name,
- dl->fqdn);
- output_transaction_line(gs, dl->tracking_id, 0, "RETRY",
- simplebuf);
- dl->step = dkl_done;
- goto done;
-
- case ERRSET_NOMEMORY:
- snprintf(simplebuf, sizeof(simplebuf),
- "ran out of memory while looking up RR of type %s for %s",
- dl->wantedtype_name, dl->fqdn);
- output_transaction_line(gs, dl->tracking_id, 0, "FATAL", simplebuf);
- dl->step = dkl_done;
- goto done;
-
- case ERRSET_FAIL:
- snprintf(simplebuf, sizeof(simplebuf),
- "unspecified failure while looking up RR of type %s for %s%s",
- dl->wantedtype_name, dl->fqdn,
- lwresd_has_spoken ? "" : " (is lwresd running?)");
- output_transaction_line(gs, dl->tracking_id, 0, "FATAL", simplebuf);
- dl->step = dkl_done;
- goto done;
-
- case ERRSET_INVAL:
- snprintf(simplebuf, sizeof(simplebuf),
- "invalid input while looking up RR of type %s for %s",
- dl->wantedtype_name, dl->fqdn);
- output_transaction_line(gs, dl->tracking_id, 0, "RETRY", simplebuf);
- dl->step = dkl_done;
- goto done;
-
- default:
- snprintf(simplebuf, sizeof(simplebuf), " unknown error %d", success);
- output_transaction_line(gs, dl->tracking_id, 0, "RETRY", simplebuf);
- dl->step = dkl_done;
- done:
- return;
-
- case 0:
- /* everything okay */
- lwresd_has_spoken = 1;
- dl->step = dkl_done;
- break;
- }
-
- /* output the rest of the data */
-
- if(ans->rri_flags & RRSET_VALIDATED) {
- output_transaction_line(gs, dl->tracking_id, 0, "DNSSEC", "OKAY");
- snprintf(typebuf, sizeof(typebuf), "AD-%s", dl->wantedtype_name);
- if(dl->wantedtype_name) free(dl->wantedtype_name);
- dl->wantedtype_name=xstrdup(typebuf);
- } else {
- output_transaction_line(gs, dl->tracking_id, 0, "DNSSEC", "not present");
- }
-
- output_transaction_line(gs, dl->tracking_id, 0, "NAME", ans->rri_name);
-
- for(i=0; i<ans->rri_nrdatas; i++) {
- struct rdatainfo *ri = &ans->rri_rdatas[i];
- isc_region_t region;
- dns_rdata_t rd;
-
- isc_buffer_clear(gs->iscbuf);
- memset(&region, 0, sizeof(region));
- memset(&rd, 0, sizeof(rd));
-
- region.base = ri->rdi_data;
- region.length = ri->rdi_length;
-
- if(dl->wantedtype == dns_rdatatype_txt) {
- /* special treatment for TXT records */
- unsigned int len, rdatalen, totlen;
- unsigned char *txtp, *rdata;
-
- txtp = txtbuf;
- totlen = 0;
- rdatalen = ri->rdi_length;
- rdata = ri->rdi_data;
-
- while(rdatalen > 0) {
- len= (unsigned)rdata[0];
- memcpy(txtp, rdata+1, len);
- totlen += len;
- txtp += len;
- rdata += len+1;
- rdatalen -= len+1;
- }
- *txtp = '\0';
-
- output_transaction_line_limited(gs, dl->tracking_id, 0,
- dl->wantedtype_name,
- totlen, txtbuf);
-
- } else {
- dns_rdata_fromregion(&rd, dns_rdataclass_in,
- dl->wantedtype, &region);
-
- if(dns_rdata_totext(&rd, NULL, gs->iscbuf) != ISC_R_SUCCESS) {
-
- }
-
- output_transaction_line_limited(gs, dl->tracking_id, 0,
- dl->wantedtype_name,
- (int)isc_buffer_usedlength(gs->iscbuf),
- (char *)isc_buffer_base(gs->iscbuf));
- }
- }
-
- for(i=0; i<ans->rri_nsigs; i++) {
- struct rdatainfo *ri = &ans->rri_sigs[i];
- isc_region_t region;
- dns_rdata_t rd;
-
- isc_buffer_clear(gs->iscbuf);
- memset(&region, 0, sizeof(region));
- memset(&rd, 0, sizeof(rd));
-
- region.base = ri->rdi_data;
- region.length = ri->rdi_length;
-
- dns_rdata_fromregion(&rd, dns_rdataclass_in,
- dns_rdatatype_sig, &region);
- if(dns_rdata_totext(&rd, NULL, gs->iscbuf) != ISC_R_SUCCESS) {
- output_transaction_line(gs, dl->tracking_id, 0, "FATAL", "isc totext error");
- return;
- }
-
- output_transaction_line_limited(gs, dl->tracking_id, 0, "SIG",
- (int)isc_buffer_usedlength(gs->iscbuf),
- (char *)isc_buffer_base(gs->iscbuf));
- }
-}
-
-
-
-void lookup_step(dnskey_glob *gs,
- dnskey_lookup *dl,
- struct rrsetinfo *ans,
- int success)
-{
- /* char simplebuf[80]; */
- int nextstate;
-
- nextstate = dkl_done;
-
- if(dl == NULL)
- {
- return;
- }
-
- switch(dl->step)
- {
- case dkl_start:
- /* first request done, why are still in this state? */
- break;
-
- case dkl_first:
- /* okay, got the reply from the first step! */
- process_step_first(gs, dl, ans, success, 0);
- nextstate = dl->step;
- break;
-
- case dkl_cname:
- /*
- * we asked for a cname, and we have some result to deal
- * with here.
- */
- process_step_cname(gs, dl, ans, success);
- nextstate = dl->step;
- break;
-
- case dkl_second:
- /*
- * we had asked for something, for a cname, and we followed
- * it, and we'll see what we got back.
- */
- process_step_first(gs, dl, ans, success, 1);
- nextstate = dl->step;
- break;
-
- case dkl_done:
- /* this should not happen, really, just book keeping, so,
- * just free up the structure, and return.
- */
- nextstate = dl->step;
- return;
- }
-
-
- /* we have been through, made a state transition, if we are
- * done, then do that.
- */
- if(nextstate == dkl_done)
- {
- output_transaction_line(gs, dl->tracking_id, 0, "DONE", NULL);
- free_dl(gs, dl);
- dl=NULL;
- }
- return;
-}
-
-void process_dns_reply(dnskey_glob *gs)
-{
- dnskey_lookup *dl;
- struct lwres_async_state *plas;
- struct rrsetinfo *res;
- int success;
-
- plas = NULL;
-
- success = lwres_getrrsetbyname_read(&plas, gs->lwctx, &res);
-
- /* cast answer back to dnskey_lookup structure */
- dl = (dnskey_lookup *)plas;
-
- if(success == LWRES_R_RETRY) {
- /* XXX we got something from some other weird place!
- * transmit again, in the hope of getting the right answer
- */
- dl->retry_count--;
- if(dl->retry_count > 0) {
- lwres_getrrsetbyname_xmit(gs->lwctx, plas);
- } else {
- output_transaction_line(gs, dl->tracking_id, 0, "FATAL", "too many retries");
- free_dl(gs, dl);
- }
- return;
- }
-
- /* perform next step for this one */
- lookup_step(gs, dl, res, success);
-}
-
-/*
- * $Log: lookup.c,v $
- * Revision 1.1 2004/03/15 20:35:28 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.3 2003/09/18 02:17:39 mcr
- * if we have tried a CNAME lookup, then take a NODATA
- * reply as a no-name.
- *
- * Revision 1.2 2003/09/10 17:55:14 mcr
- * the CNAME message had the s removed, which changes test
- * results gratuitously.
- *
- * Revision 1.1 2003/09/03 01:13:24 mcr
- * first attempt at async capable lwdnsq.
- *
- *
- * Local variables:
- * c-file-style: "linux"
- * c-basic-offset: 2
- * End:
- *
- */
diff --git a/programs/lwdnsq/lwdnsq.8 b/programs/lwdnsq/lwdnsq.8
deleted file mode 100644
index bb07985f2..000000000
--- a/programs/lwdnsq/lwdnsq.8
+++ /dev/null
@@ -1,250 +0,0 @@
-.\"Generated by db2man.xsl. Don't modify this, modify the source.
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "IPSEC LWDNSQ" 8 "" "" ""
-.SH NAME
-lwdnsq \- lookup items in DNS to help pluto (and others)
-.SH "SYNOPSIS"
-
-.nf
-\fBipsec lwdnsq\fR lwdnsq\fR [\fB\-\-prompt\fR] [\fB\-\-serial\fR]
-.fi
-
-.nf
-\fBipsec lwdnsq\fR lwdnsq\fR [\fB\-\-help\fR]
-.fi
-
-.SH "DESCRIPTION"
-
-.PP
-The \fBipsec lwdnsq\fR is a helper program that does DNS lookups for other programs. It implements an asynchronous interface on stdin/stdout, with an ASCII driven command language.
-
-.PP
-If stdin is a tty or if the \fB\-\-prompt\fR option is given, then it issues a prompt to the user. Otherwise, it is silent, except for results.
-
-.PP
-The program will accept multiple queries concurrently, with each result being marked with the ID provided on the output. The IDs are strings.
-
-.PP
-If the \fB\-\-serial\fR option is given, then the program will not attempt to execute concurrent queries, but will serialize all input and output.
-
-.SH "QUERY LANGUAGE"
-
-.PP
-There are eleven command that the program understands. This is to lookup different types of records in both the forward and reverse maps. Every query includes a queryid, which is returned in the output, on every single line to identify the transaction.
-
-.SS "KEY queryid FQDN"
-
-.PP
-This request looks up the KEY resource record for the given \fBFQDN.\fR.
-
-.SS "KEY4 queryid A.B.C.D"
-
-.PP
-This request looks up the KEY resource record found in the reverse map for the IP version 4 address \fBA.B.C.D\fR, i.e. it looks up D.C.B.A.in\-addr.arpa.
-
-.SS "KEY6 queryid A:B::C:D"
-
-.PP
-This request looks up the KEY resource record found in the reverse map for the IPv6 address \fBA:B::C:D\fR, i.e. it looks the 32\-nibble long entry in ip6.arpa (and ip6.int).
-
-.SS "TXT4 queryid A.B.C.D"
-
-.PP
-This request looks up the TXT resource record found in the reverse map for the IP version 4 address \fBA.B.C.D\fR, i.e. it looks up D.C.B.A.in\-addr.arpa.
-
-.SS "TXT6 queryid A:B::C:D"
-
-.PP
-This request looks up the TXT resource record found in the reverse map for the IPv6 address \fBA:B::C:D\fR, i.e. it looks the 32\-nibble long entry in ip6.arpa (and ip6.int).
-
-.SS "KEY queryid FQDN"
-
-.PP
-This request looks up the IPSECKEY resource record for the given \fBFQDN.\fR. See note about IPSECKEY processing, below.
-
-.SS "IPSECKEY4 queryid A.B.C.D"
-
-.PP
-This request looks up the IPSECKEY resource record found in the reverse map for the IP version 4 address \fBA.B.C.D\fR, i.e. it looks up D.C.B.A.in\-addr.arpa. See special note about IPSECKEY processing, below.
-
-.SS "IPSECKEY6 queryid A:B::C:D"
-
-.PP
-This request looks up the IPSECKEY resource record found in the reverse map for the IPv6 address \fBA:B::C:D\fR, i.e. it looks the 32\-nibble long entry in ip6.arpa (and ip6.int). See special note about IPSECKEY processing, below.
-
-.SS "OE4 queryid A.B.C.D"
-
-.PP
-This request looks an appropriate record for Opportunistic Encryption for the given IP address. This attempts to look for the delegation record. This may be one of IPSECKEY, KEY, or TXT record. Unless configured otherwise, (see OE4 Directives, below), then a query type of ANY will be used to retrieve all relevant records, and all will be returned.
-
-.SS "OE6 queryid A:B::C:D"
-
-.PP
-This request looks an appropriate record for Opportunistic Encryption for the given IPv6 address. This attempts to look for the delegation record. This may be one of IPSECKEY, KEY, or TXT record. Unless configured otherwise, (see OE Directives, below), then a query type of ALL will be used to retrieve all relevant records, and all will be returned. i.e. it looks the 32\-nibble long entry in ip6.arpa (and ip6.int).
-
-.SS "A queryid FQDN"
-
-.PP
-This request looks up the A (IPv4) resource record for the given \fBFQDN.\fR.
-
-.SS "AAAA queryid FQDN"
-
-.PP
-This request looks up the AAAA (IPv6) resource record for the given \fBFQDN.\fR.
-
-.SH "REPLIES TO QUERIES"
-
-.PP
-All replies from the queries are in the following format:
-
-.nf
-
-<ID> <TIME> <TTL> <TYPE> <TYPE\-SPECIFIC> \\n
-
-.fi
-
-
-.TP
-\fIID\fR
-this is the \fBqueryid\fR value that was provided in the query. It is repeated on every line to permit the replies to be properly associated with the query. When the response is not ascribable to particular query (such as for a mis\-formed query), then the query ID "0" will be used.
-
-.TP
-\fITIME\fR
-this is the current time in seconds since epoch.
-
-.TP
-\fITTL\fR
-for answers which have a time to live, this is the current value. The answer is valid for this number of seconds. If there is no useful value here, then the number 0 is used.
-
-.TP
-\fITYPE\fR
-This is the type of the record that is being returned. The types are described in the next section. The TYPE specific data that follows is specific to the type.
-
-
-.PP
-The replies are limited to 4096 bytes, a value defined as \fBLWDNSQ_RESULT_LEN_MAX\fR. This is defined in \fIfreeswan.h\fR.
-
-.PP
-All of the replies which include resource records use the standard presentation format (with no line feeds or carriage returns) in their answer.
-
-.SS "START"
-
-.PP
-This reply indicates that a query has been received and has been started. It serves as an anchor point for timing, as well as an acknowledgement.
-
-.SS "DONE"
-
-.PP
-This reply indicates that a query is entirely over, and no further information from this query will be sent.
-
-.SS "RETRY"
-
-.PP
-This reply indicates that a query is entirely over, but that no data was found. The records may exist, but appropriate servers could not be reached.
-
-.SS "FATAL"
-
-.PP
-This reply indicates that a query is entirely over, and that no data of the type requested could be found. There were no timeouts, and all servers were available and confirmed non\-existances. There may be NXT records returned prior to this.
-
-.SS "CNAME"
-
-.PP
-This is an interim reply, and indicates that a CNAME was found (and followed) while performing the query. The value of the CNAME is present in the type specific section.
-
-.SS "CNAMEFROM"
-
-.PP
-This is an interim reply, and indicates that a CNAME was found. The original name that was queries for was not the canonical name, and this reply indicates the name that was actually followed.
-
-.SS "NAME"
-
-.PP
-This is an interim reply. The original name that was queries for was not the canonical name. This reply indicates the canonical name.
-
-.SS "DNSSEC"
-
-.PP
-This is an interim reply. It is followed either by "OKAY" or "not present. It indicates if DNSSEC was available on the reply.
-
-.SS "TXT and AD-TXT"
-
-.PP
-This is an interim reply. If there are TXT resource records in the reply, then each one is presented using this type. If preceeded by AD\-, then this record was signed with DNSSEC.
-
-.SS "A and AD-A"
-
-.PP
-This is an interim reply. If there are A resource records in the reply, then each one is presented using this type. If preceeded by AD\-, then this record was signed with DNSSEC.
-
-.SS "AAAA and AD-AAAA"
-
-.PP
-This is an interim reply. If there are AAAA resource records in the reply, then each one is presented using this type. If preceeded by AD\-, then this record was signed with DNSSEC.
-
-.SS "PTR and AD-PTR"
-
-.PP
-This is an interim reply. If there are PTR resource records in the reply, then each one is presented using this type. If preceeded by AD\-, then this record was signed with DNSSEC.
-
-.SS "KEY and AD-KEY"
-
-.PP
-This is an interim reply. If there are KEY resource records in the reply, then each one is presented using this type. If preceeded by AD\-, then this record was signed with DNSSEC.
-
-.SS "IPSECKEY and AD-IPSECKEY"
-
-.PP
-This is an interim reply. If there are IPSEC resource records in the reply, then each one is presented using this type. If preceeded by AD\-, then this record was signed with DNSSEC.
-
-.SH "SPECIAL IPSECKEY PROCESSING"
-
-.PP
-At the time of this writing, the IPSECKEY resource record is not entirely specified. In particular no resource record number has been assigned. This program assumes that it is resource record number 45. If the file /etc/ipsec.d/lwdnsq.conf exists, and contains a line like
-
-.nf
-
-ipseckey_rr=\fBnumber\fR
-
-.fi
- then this number will be used instead. The file is read only once at startup.
-
-.SH "OE DIRECTIVES"
-
-.PP
-If the file /etc/ipsec.d/lwdnsq.conf exists, and contains a line like
-
-.nf
-
-queryany=false
-
-.fi
- then instead of doing an ALL query when looking for OE delegation records, lwdnsq will do a series of queries. It will first look for IPSECKEY, and then TXT record. If it finds neither, it will then look for KEY records of all kinds, although they do not contain delegation information.
-
-.SH "SPECIAL IPSECKEY PROCESSING"
-
-.nf
-
-/etc/ipsec.d/lwdnsq.conf
-
-.fi
-
-.SH AUTHOR
-Michael Richardson <mcr@sandelman.ottawa.on.ca>.
diff --git a/programs/lwdnsq/lwdnsq.c b/programs/lwdnsq/lwdnsq.c
deleted file mode 100644
index 2684a7d45..000000000
--- a/programs/lwdnsq/lwdnsq.c
+++ /dev/null
@@ -1,506 +0,0 @@
-/*
- * DNS KEY lookup helper
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-char tncfg_c_version[] = "RCSID $Id: lwdnsq.c,v 1.1 2004/03/15 20:35:28 as Exp $";
-
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <freeswan.h>
-
-#include <errno.h>
-#include <getopt.h>
-#include <setjmp.h>
-#include <ctype.h>
-#include <signal.h>
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/types.h>
-#include <isc/result.h>
-#include <isc/mem.h>
-#include <isc/buffer.h>
-#include <isc/region.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-#include <lwres/netdb.h>
-#include <lwres/async.h>
-
-#include "lwdnsq.h"
-
-static void
-usage(char *name)
-{
- fprintf(stdout,"%s --attach --virtual <virtual-device> --physical <physical-device>\n",
- name);
- exit(1);
-}
-
-static struct option const longopts[] =
-{
- {"prompt", 0, 0, 'i'},
- {"serial", 0, 0, 's'},
- {"debug", 0, 0, 'g'},
- {"regress",0, 0, 'X'},
- {"ignoreeof",0, 0, 'Z'},
- {0, 0, 0, 0}
-};
-
-/* globals */
-jmp_buf getMeOut;
-
-void sig_handler(int sig)
-{
- fprintf(stderr, "Caught signal %d, cleaning up and exiting\n", sig);
- longjmp(getMeOut, 1);
-}
-
-void cmdprompt(dnskey_glob *gs)
-{
- if(gs->prompt) {
- printf("lwdnsq> ");
- }
- fflush(gs->cmdproto_out);
-}
-
-void quitprog(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- gs->done=1;
-}
-
-void setdebug(dnskey_glob *gs,
- int argc,
- char **argv)
-{
- if(argc > 1) {
- gs->debug=strtoul(argv[1],NULL,0);
- }
- printf("0 DEBUG is %d\n",gs->debug);
-}
-
-
-int cmdparse(dnskey_glob *gs,
- char *cmdline)
-{
- char *argv[256];
- int argc;
- char *arg;
- static const struct cmd_entry {
- const char *cmdname;
- void (*cmdfunc)(dnskey_glob *, int, char **);
- } cmds[]={
- {"key", lookup_key},
- {"key4", lookup_key4},
- {"key6", lookup_key6},
- {"txt", lookup_txt},
- {"txt4", lookup_txt4},
- {"txt6", lookup_txt6},
- {"ipseckey", lookup_ipseckey},
- {"ipseckey4", lookup_ipseckey4},
- {"ipseckey6", lookup_ipseckey6},
- {"oe4", lookup_oe4},
- {"oe6", lookup_oe6},
- {"vpn4", lookup_key4},
- {"vpn6", lookup_key6},
- {"quit", quitprog},
- {"a", lookup_a},
- {"aaaa", lookup_aaaa},
- {"debug", setdebug},
- {NULL, NULL}};
- const struct cmd_entry *ce = cmds;
-
- argc=0;
-
- /* skip initial spaces */
- while(cmdline && isspace(*cmdline)) {
- cmdline++;
- }
-
- while(cmdline && *cmdline!='\0' &&
- (arg=strsep(&cmdline, " \t\n"))!=NULL) {
- if (argc < sizeof(argv)/sizeof(*argv - 1)) {
- /* ignore arguments that would overflow.
- * XXX should generate a diagnostic.
- */
- argv[argc++]=arg;
- }
- while(cmdline && isspace(*cmdline)) {
- cmdline++;
- }
- }
- argv[argc]=NULL;
-
- if(argc==0 || argv[0][0]=='\0') {
- /* ignore empty line */
- } else if(strcasecmp("help", argv[0]) == 0) {
- fprintf(gs->cmdproto_out, "0 HELP\n");
- for (; ce->cmdname != NULL; ce++)
- fprintf(gs->cmdproto_out, "0 HELP %s\n", ce->cmdname);
- } else {
- for (;; ce++) {
- if (ce->cmdname == NULL) {
- fprintf(gs->cmdproto_out, "0 FATAL unknown command \"%s\"\n", argv[0]);
- break;
- }
- if(strcasecmp(ce->cmdname, argv[0])==0) {
- (*ce->cmdfunc)(gs, argc, argv);
- break;
- }
- }
- }
-
- if (!gs->done)
- cmdprompt(gs);
- return 0;
-}
-
-int cmdread(dnskey_glob *gs,
- char *buf,
- int len)
-{
- unsigned char *nl;
- int cmdlen;
-
- cmdlen=0;
-
- /*
- * have to handle partial reads and multiple commands
- * per read, since this may in fact be a file or a pipe.
- */
- if((gs->cmdloc + len + 1) > sizeof(gs->cmdbuf)) {
- fprintf(stderr, "command '%.*s...' is too long, discarding!\n",
- 40, buf);
- fflush(stdout);
-
- gs->cmdloc=0;
- return 0;
- }
- memcpy(gs->cmdbuf+gs->cmdloc, buf, len);
- gs->cmdloc+=len;
- gs->cmdbuf[gs->cmdloc]='\0';
-
- while((nl = strchr(gs->cmdbuf, '\n')) != NULL) {
- /* found a newline, so turn it into a \0, and process the
- * command, and then we will pull the rest of the buffer
- * up.
- */
- *nl='\0';
- cmdlen= nl - gs->cmdbuf +1;
-
- cmdparse(gs, gs->cmdbuf);
-
- gs->cmdloc -= cmdlen;
- memmove(gs->cmdbuf, gs->cmdbuf+cmdlen, gs->cmdloc);
- }
- return 1;
-}
-
-int
-main(int argc, char *argv[])
-{
- char *program_name;
- dnskey_glob gs;
- int c;
- static int ignoreeof=0; /* static to avoid longjmp clobber */
- int ineof;
-
- memset(&gs, 0, sizeof(dnskey_glob));
-
-#if 0
- printf("PID: %d\n", getpid());
- sleep(60);
-#endif
-
- program_name = argv[0];
- gs.concurrent = 1;
-
- if(lwres_async_init(&gs.lwctx) != ERRSET_SUCCESS) {
- fprintf(stderr, "Can not initialize async context\n");
- exit(3);
- }
-
- if(isc_mem_create(0,0,&gs.iscmem) != ISC_R_SUCCESS) {
- fprintf(stderr, "Can not initialize isc memory allocator\n");
- exit(4);
- }
-
- if(isc_buffer_allocate(gs.iscmem, &gs.iscbuf, LWDNSQ_RESULT_LEN_MAX)) {
- fprintf(stderr, "Can not allocate a result buffer\n");
- exit(5);
- }
-
- while((c = getopt_long_only(argc, argv, "dgsiXZ", longopts, 0)) != EOF) {
- switch(c) {
- case 'd':
- gs.debug+=2;
- break;
-
- case 'g':
- gs.debug++;
- break;
- case 's':
- gs.concurrent=0;
- break;
- case 'i':
- gs.prompt=1;
- break;
- case 'X':
- gs.regress++;
- break;
-
- case 'Z':
- ignoreeof=1;
- break;
-
- default:
- usage(program_name);
- break;
- }
- }
-
- if(gs.debug && ignoreeof) {
- fprintf(stderr, "Ignoring end of file\n");
- }
-
- if(isatty(0)) {
- gs.prompt=1;
- }
-
- /* do various bits of setup */
- if(setjmp(getMeOut)!=0) {
- signal(SIGINT, SIG_DFL);
- signal(SIGPIPE, SIG_IGN);
-
- /* cleanup_crap(); */
-
- exit(1);
- }
-
- if(signal(SIGINT, sig_handler) < 0)
- perror("Setting handler for SIGINT");
-
- if(signal(SIGPIPE, sig_handler) < 0)
- perror("Setting handler for SIGINT");
-
- cmdprompt(&gs);
-
- ineof = 0;
- gs.done = 0;
- gs.cmdproto_out = stdout;
- gs.l_fds[0].events = POLLIN|POLLHUP;
- gs.l_fds[0].fd=0;
-
- gs.l_fds[1].events = POLLIN|POLLHUP|POLLERR;
- gs.l_fds[1].fd = lwres_async_fd(gs.lwctx);
-
- gs.l_nfds= 2;
-
- while(!gs.done)
- {
- int timeout;
- char buf[128];
- int n;
- int rlen;
-
- timeout=-1;
-
- gs.l_fds[0].revents = 0;
-
- gs.l_fds[1].events = POLLIN|POLLHUP|POLLERR;
- gs.l_fds[1].revents = 0;
- gs.l_fds[1].fd = lwres_async_fd(gs.lwctx);
-
- if(gs.debug > 1) {
- fprintf(stderr, "=== invoking poll(,%d,) with %s\n",
- gs.l_nfds,
- timeout>0 ? "waittime" : "no wait");
- for(n = 0; n < gs.l_nfds; n++) {
- fprintf(stderr, "=== waiting on fd#%d\n",
- gs.l_fds[n].fd);
- }
- fprintf(stderr, "=== inflight: %d\n", gs.dns_inflight);
- }
-
- n = poll(gs.l_fds, gs.l_nfds, timeout);
-
- if(n == 0) {
- /* timeout! */
- }
-
- if(n < 0) {
- perror("poll");
- }
-
- if(gs.debug > 1) {
- fprintf(stderr, "=== poll returned with %d\n", n);
- }
-
- while(n>0) {
- if((gs.l_fds[0].revents & POLLERR) == POLLERR ||
- (gs.l_fds[1].revents & POLLERR) == POLLERR)
- {
- break;
- }
-
- /* see if there are DNS events coming back */
- if((gs.l_fds[1].revents & POLLIN) == POLLIN) {
- if(gs.debug > 1) {
- fprintf(stderr,
- "=== new responses from lwdnsd\n");
- }
-
- process_dns_reply(&gs);
- fflush(stdout);
- n--;
- }
-
- if(!ignoreeof &&
- (gs.l_fds[0].revents & POLLHUP) == POLLHUP)
- {
- break;
- }
-
- if((gs.l_fds[0].revents & POLLIN) == POLLIN) {
-
- rlen=read(0, buf, sizeof(buf));
-
- if(gs.debug > 1) {
- if(rlen > 0) {
- buf[rlen]='\0';
- }
- fprintf(stderr,
- "=== new commands on fd 0: %d: %s\n",
- rlen, buf);
- }
-
- if(rlen > 0) {
- cmdread(&gs, buf, rlen);
- } else if(rlen == 0) {
- ineof = 1;
- if(!ignoreeof) {
- /* EOF, die */
- gs.done=1;
- }
- }
- n--;
- }
-
- }
-
- if((gs.l_fds[0].revents & POLLHUP) == POLLHUP)
- {
- ineof = 1;
- if(!ignoreeof)
- {
- gs.done=1;
- }
- }
-
- if(ignoreeof) {
- /* if we have exhausted the input,
- * and there are none in flight,
- * then exit, finally.
- */
- if(ineof) {
- if(gs.dns_inflight == 0) {
- gs.done=1;
- }
- }
- }
-
- if(gs.debug) {
- fprintf(stderr, "=== ineof: %d inflight: %d\n",
- ineof, gs.dns_inflight);
- }
-
- }
-
- signal(SIGINT, SIG_DFL);
- signal(SIGPIPE, SIG_IGN);
-
- exit(0);
-}
-
-/*
- * $Log: lwdnsq.c,v $
- * Revision 1.1 2004/03/15 20:35:28 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.12 2003/09/16 05:01:14 mcr
- * prefix all debugging with === so that it can be easily removed.
- *
- * Revision 1.11 2003/09/10 04:43:52 mcr
- * final fixes to lwdnsq to exit only when all requests are done,
- * and we have been told to wait, *OR* if there is an EOF in stdin.
- *
- * Revision 1.10 2003/09/03 01:13:24 mcr
- * first attempt at async capable lwdnsq.
- *
- * Revision 1.9 2003/04/02 07:37:57 dhr
- *
- * lwdnsq: fix non-deterministic bug in handling batched input
- *
- * Revision 1.8 2003/02/08 04:03:06 mcr
- * renamed --single to --serial.
- *
- * Revision 1.7 2003/01/14 03:01:14 dhr
- *
- * improve diagnostics; tidy
- *
- * Revision 1.6 2002/12/19 07:29:47 dhr
- *
- * - avoid (improbable) buffer overflow
- * - suppress prompt after "quit" command
- * - add space to prompt to match aesthetics and man page
- * - elminate a magic number
- *
- * Revision 1.5 2002/12/19 07:08:42 dhr
- *
- * continue renaming dnskey => lwdnsq
- *
- * Revision 1.4 2002/12/12 06:03:41 mcr
- * added --regress option to force times to be regular
- *
- * Revision 1.3 2002/11/25 18:37:48 mcr
- * make sure that we exit cleanly upon EOF.
- *
- * Revision 1.2 2002/11/16 02:53:53 mcr
- * lwdnsq - with new contract added.
- *
- * Revision 1.1 2002/10/30 02:25:31 mcr
- * renamed version of files from dnskey/
- *
- * Revision 1.3 2002/10/09 20:14:16 mcr
- * make sure to flush stdout at the right time - do it regardless
- * of whether or not we are printing prompts.
- *
- * Revision 1.2 2002/09/30 18:55:54 mcr
- * skeleton for dnskey helper program.
- *
- * Revision 1.1 2002/09/30 16:50:23 mcr
- * documentation for "dnskey" helper
- *
- * Local variables:
- * c-file-style: "linux"
- * c-basic-offset: 2
- * End:
- *
- */
diff --git a/programs/lwdnsq/lwdnsq.h b/programs/lwdnsq/lwdnsq.h
deleted file mode 100644
index 109b39507..000000000
--- a/programs/lwdnsq/lwdnsq.h
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * DNS KEY lookup global definitions
- * Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef POLLIN
-#include <poll.h>
-#endif
-
-#include "freeswan.h"
-
-/*
- * a base-64 encoded 2192 bit key takes:
- * 2192/8 * 4/3 = 365 bytes.
- *
- * a base-64 encoded 16384 bit key takes:
- * 16384/8*4/3 = 2730 bytes.
- *
- * so, we pick 4096 bytes as the maximum.
- *
- * Note that TXT records may have an introducer (X-IPsec) and an ID which
- * is either an IP address or @FQDN that preceeds the base64 encoded key.
- *
- */
-
-enum dkl_state {
- dkl_start, /* no work yet none - initial state */
- dkl_first, /* sent first DNS request. */
- dkl_cname, /* sent request for CNAME record */
- dkl_second, /* sent request for thing CNAME pointed to */
- dkl_done /* done */
-};
-
-typedef struct dnskey_lookup dnskey_lookup;
-
-struct dnskey_lookup {
- struct lwres_async_state las;
- dnskey_lookup *next;
- char *tracking_id;
- enum dkl_state step;
- /* lwres_context_t *ctx; */
- char *wantedtype_name;
- dns_rdatatype_t wantedtype;
- char *fqdn;
- int cname_count;
- int last_cname_used;
- dns_name_t last_cname;
- int retry_count;
-};
-
-typedef struct dnskey_glob {
- int debug;
- int prompt;
- int concurrent;
- int done;
- int regress; /* if 1, then we are doing regression testing */
- struct pollfd l_fds[5]; /* array of input sources */
- int l_nfds; /* number of relevant entries */
- int cmdloc;
- unsigned char cmdbuf[LWDNSQ_CMDBUF_LEN];
- FILE *cmdproto_out;
- dnskey_lookup *dns_outstanding;
- int dns_inflight;
- lwres_context_t *lwctx;
- isc_mem_t *iscmem;
- isc_buffer_t *iscbuf;
-} dnskey_glob;
-
-/* in cmds.c */
-extern void lookup_key(dnskey_glob *gs,int, char **);
-extern void lookup_key4(dnskey_glob *gs,int, char **);
-extern void lookup_key6(dnskey_glob *gs,int, char **);
-extern void lookup_txt(dnskey_glob *gs,int, char **);
-extern void lookup_txt4(dnskey_glob *gs,int, char **);
-extern void lookup_txt6(dnskey_glob *gs,int, char **);
-extern void lookup_ipseckey(dnskey_glob *gs,int, char **);
-extern void lookup_ipseckey4(dnskey_glob *gs,int, char **);
-extern void lookup_ipseckey6(dnskey_glob *gs,int, char **);
-extern void lookup_oe4(dnskey_glob *gs,int, char **);
-extern void lookup_oe6(dnskey_glob *gs,int, char **);
-extern void lookup_a(dnskey_glob *gs,int, char **);
-extern void lookup_aaaa(dnskey_glob *gs,int, char **);
-extern void output_transaction_line(dnskey_glob *gs,
- char *id,
- int ttl,
- char *cmd,
- char *data);
-extern void output_transaction_line_limited(dnskey_glob *gs,
- char *id,
- int ttl,
- char *cmd,
- int max,
- char *data);
-
-
-/* lookup code */
-extern void process_dns_reply(dnskey_glob *gs);
-extern void lookup_thing(dnskey_glob *gs,
- dns_rdatatype_t wantedtype,
- char *wantedtype_name,
- char *id,
- char *fqdn);
-
-/*
- *
- * Local variables:
- * c-file-style: "linux"
- * c-basic-offset: 2
- * End:
- *
- */
diff --git a/programs/lwdnsq/lwdnsq.xml.in b/programs/lwdnsq/lwdnsq.xml.in
deleted file mode 100644
index 4c4039120..000000000
--- a/programs/lwdnsq/lwdnsq.xml.in
+++ /dev/null
@@ -1,446 +0,0 @@
-<?xml version='1.0'?> <!-- -*- docbook -*- -->
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
-<article>
- <articleinfo>
- <title>lwdnsq</title>
-
- <author>
- <firstname>Michael</firstname>
- <surname>Richardson</surname>
- <affiliation>
- <address><email>mcr@sandelman.ottawa.on.ca</email></address>
- </affiliation>
- </author>
-
- <copyright>
- <year>2003</year>
- <holder>Michael Richardson</holder>
- </copyright>
- </articleinfo>
-
- <section>
- <title>Reference</title>
-
-<refentry id="ipsec_lwdnsq">
-
-<refmeta>
-<refentrytitle>ipsec lwdnsq</refentrytitle>
-<manvolnum>8</manvolnum>
-</refmeta>
-
-<refnamediv>
-<refname>lwdnsq</refname>
-<refpurpose>lookup items in DNS to help pluto (and others)</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-
-<cmdsynopsis>
- <command>ipsec lwdnsq</command>
- <arg choice="opt"><option>--prompt</option></arg>
- <arg choice="opt"><option>--serial</option></arg>
-</cmdsynopsis>
-
-<cmdsynopsis>
- <command>ipsec lwdnsq</command>
- <arg choice="opt"><option>--help</option></arg>
-</cmdsynopsis>
-
-</refsynopsisdiv>
-
-<refsect1><title>Description</title>
-<para>
-The
-<command>ipsec lwdnsq</command>
-is a helper program that does DNS lookups for other programs. It implements
-an asynchronous interface on stdin/stdout, with an ASCII driven command
-language.
-</para>
-
-<para>
-If stdin is a tty or if the
-<option>--prompt</option>
-option is given, then it issues a prompt to the user. Otherwise, it is
-silent, except for results.
-</para>
-
-<para>
-The program will accept multiple queries concurrently, with each result
-being marked with the ID provided on the output. The IDs are strings.
-</para>
-
-<para>
-If the
-<option>--serial</option>
-option is given, then the program will not attempt to execute concurrent
-queries, but will serialize all input and output.
-</para>
-
-</refsect1>
-
-<refsect1><title>QUERY LANGUAGE</title>
-
-<para>
-There are eleven command that the program understands. This is to lookup
-different types of records in both the forward and reverse maps. Every query
-includes a queryid, which is returned in the output, on every single line to
-identify the transaction.
-</para>
-
-<refsect2><title>KEY <option>queryid</option> <option>FQDN</option></title>
-<para>
-This request looks up the KEY resource record for the given <option>FQDN.</option>.
-</para>
-</refsect2>
-
-<refsect2>
-<title>KEY4 <option>queryid</option> <option>A.B.C.D</option></title>
-<para>
-This request looks up the KEY resource record found in the reverse map for
-the IP version 4 address <option>A.B.C.D</option>, i.e. it looks
-up D.C.B.A.in-addr.arpa.
-</para>
-</refsect2>
-
-<refsect2>
-<title>KEY6 <option>queryid</option> <option>A:B::C:D</option></title>
-<para>
-This request looks up the KEY resource record found in the reverse map
-for the IPv6 address <option>A:B::C:D</option>, i.e.
-it looks the 32-nibble long entry in ip6.arpa (and ip6.int).
-</para>
-</refsect2>
-
-<refsect2>
-<title>TXT4 <option>queryid</option> <option>A.B.C.D</option></title>
-<para>
-This request looks up the TXT resource record found in the reverse map for
-the IP version 4 address <option>A.B.C.D</option>, i.e. it looks
-up D.C.B.A.in-addr.arpa.
-</para>
-</refsect2>
-
-<refsect2>
-<title>TXT6 <option>queryid</option> <option>A:B::C:D</option></title>
-<para>
-This request looks up the TXT resource record found in the reverse map
-for the IPv6 address <option>A:B::C:D</option>, i.e.
-it looks the 32-nibble long entry in ip6.arpa (and ip6.int).
-</para>
-</refsect2>
-
-<refsect2>
-<title>KEY <option>queryid</option> <option>FQDN</option></title>
-<para>
-This request looks up the IPSECKEY resource record for the given
-<option>FQDN.</option>. See note about IPSECKEY processing, below.
-</para>
-</refsect2>
-
-<refsect2>
-<title>IPSECKEY4 <option>queryid</option> <option>A.B.C.D</option></title>
-<para>
-This request looks up the IPSECKEY resource record found in the reverse map for
-the IP version 4 address <option>A.B.C.D</option>, i.e. it looks
-up D.C.B.A.in-addr.arpa. See special note about IPSECKEY processing, below.
-</para>
-</refsect2>
-
-<refsect2>
-<title>IPSECKEY6 <option>queryid</option> <option>A:B::C:D</option></title>
-<para>
-This request looks up the IPSECKEY resource record found in the reverse map
-for the IPv6 address <option>A:B::C:D</option>, i.e.
-it looks the 32-nibble long entry in ip6.arpa (and ip6.int). See
-special note about IPSECKEY processing, below.
-</para>
-</refsect2>
-
-<refsect2>
-<title>OE4 <option>queryid</option> <option>A.B.C.D</option></title>
-<para>
-This request looks an appropriate record for Opportunistic
-Encryption for the given IP address. This attempts to look for the
-delegation record. This may be one of IPSECKEY, KEY, or TXT
-record. Unless configured otherwise, (see OE4 Directives, below), then
-a query type of ANY will be used to retrieve all relevant records, and
-all will be returned.
-</para>
-</refsect2>
-
-<refsect2>
-<title>OE6 <option>queryid</option> <option>A:B::C:D</option></title>
-<para>
-This request looks an appropriate record for Opportunistic
-Encryption for the given IPv6 address. This attempts to look for the
-delegation record. This may be one of IPSECKEY, KEY, or TXT
-record. Unless configured otherwise, (see OE Directives, below), then
-a query type of ALL will be used to retrieve all relevant records, and
-all will be returned.
-i.e. it looks the 32-nibble long entry in ip6.arpa (and ip6.int).
-</para>
-</refsect2>
-
-<refsect2>
-<title>A <option>queryid</option> <option>FQDN</option></title>
-<para>
-This request looks up the A (IPv4) resource record for the given
-<option>FQDN.</option>.
-</para>
-</refsect2>
-
-<refsect2>
-<title>AAAA <option>queryid</option> <option>FQDN</option></title>
-<para>
-This request looks up the AAAA (IPv6) resource record for the given
-<option>FQDN.</option>.
-</para>
-</refsect2>
-
-</refsect1>
-
-<refsect1><title>Replies to queries</title>
-
-<para>
-All replies from the queries are in the following format:
-<programlisting>
-&lt;ID&gt; &lt;TIME&gt; &lt;TTL&gt; &lt;TYPE&gt; &lt;TYPE-SPECIFIC&gt; \n
-</programlisting>
-
-<variablelist>
-
-<varlistentry><term><parameter>ID</parameter></term>
-<listitem>
-<para>
-this is the <option>queryid</option> value that was provided in
-the query. It is repeated on every line to permit the replies to be
-properly associated with the query. When the response is not ascribable to
-particular query (such as for a mis-formed query), then the query ID "0" will
-be used.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term><parameter>TIME</parameter></term>
-<listitem>
-<para>
-this is the current time in seconds since epoch.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term><parameter>TTL</parameter></term>
-<listitem>
-<para>
-for answers which have a time to live, this is the current value. The
-answer is valid for this number of seconds. If there is no useful
-value here, then the number 0 is used.
-</para>
-</listitem>
-</varlistentry>
-
-
-<varlistentry><term><parameter>TYPE</parameter></term>
-<listitem>
-<para>
-This is the type of the record that is being returned. The types are
-described in the next section. The TYPE specific data that follows is
-specific to the type.
-</para>
-</listitem>
-</varlistentry>
-</variablelist>
-
-</para>
-
-<para>
-The replies are limited to 4096 bytes, a value defined as
-<constant>LWDNSQ_RESULT_LEN_MAX</constant>. This is defined in
-<filename>freeswan.h</filename>.
-</para>
-
-<para>All of the replies which include resource records use the
-standard presentation format (with no line feeds or carriage returns)
-in their answer.</para>
-
-<refsect2>
-<title>START</title>
-<para>
-This reply indicates that a query has been received and has been
-started. It serves as an anchor point for timing, as well as an acknowledgement.
-</para>
-</refsect2>
-
-<refsect2>
-<title>DONE</title>
-<para>
-This reply indicates that a query is entirely over, and no further
-information from this query will be sent.
-</para>
-</refsect2>
-
-<refsect2>
-<title>RETRY</title>
-<para>
-This reply indicates that a query is entirely over, but that no
-data was found. The records may exist, but appropriate servers could
-not be reached.
-</para>
-</refsect2>
-
-<refsect2>
-<title>FATAL</title>
-<para>
-This reply indicates that a query is entirely over, and that no
-data of the type requested could be found. There were no timeouts, and
-all servers were available and confirmed non-existances. There may be
-NXT records returned prior to this.
-</para>
-</refsect2>
-
-<refsect2>
-<title>CNAME</title>
-<para>
-This is an interim reply, and indicates that a CNAME was found (and
-followed) while performing the query. The value of the CNAME is
-present in the type specific section.
-</para>
-</refsect2>
-
-<refsect2>
-<title>CNAMEFROM</title>
-<para>
-This is an interim reply, and indicates that a CNAME was found. The
-original name that was queries for was not the canonical name, and
-this reply indicates the name that was actually followed.
-</para>
-</refsect2>
-
-<refsect2>
-<title>NAME</title>
-<para>
-This is an interim reply. The original name that was queries for was
-not the canonical name. This reply indicates the canonical name.
-</para>
-</refsect2>
-
-<refsect2>
-<title>DNSSEC</title>
-<para>
-This is an interim reply. It is followed either by "OKAY" or "not
-present.
-It indicates if DNSSEC was available on the reply.
-</para>
-</refsect2>
-
-<refsect2>
-<title>TXT and AD-TXT</title>
-<para>
-This is an interim reply. If there are TXT resource records in the
-reply, then each one is presented using this type. If preceeded by
-AD-, then this record was signed with DNSSEC.
-</para>
-</refsect2>
-
-<refsect2>
-<title>A and AD-A</title>
-<para>
-This is an interim reply. If there are A resource records in the
-reply, then each one is presented using this type. If preceeded by
-AD-, then this record was signed with DNSSEC.
-</para>
-</refsect2>
-
-<refsect2>
-<title>AAAA and AD-AAAA</title>
-<para>
-This is an interim reply. If there are AAAA resource records in the
-reply, then each one is presented using this type. If preceeded by
-AD-, then this record was signed with DNSSEC.
-</para>
-</refsect2>
-
-<refsect2>
-<title>PTR and AD-PTR</title>
-<para>
-This is an interim reply. If there are PTR resource records in the
-reply, then each one is presented using this type. If preceeded by
-AD-, then this record was signed with DNSSEC.
-</para>
-</refsect2>
-
-<refsect2>
-<title>KEY and AD-KEY</title>
-<para>
-This is an interim reply. If there are KEY resource records in the
-reply, then each one is presented using this type. If preceeded by
-AD-, then this record was signed with DNSSEC.
-</para>
-</refsect2>
-
-
-<refsect2>
-<title>IPSECKEY and AD-IPSECKEY</title>
-<para>
-This is an interim reply. If there are IPSEC resource records in the
-reply, then each one is presented using this type. If preceeded by
-AD-, then this record was signed with DNSSEC.
-</para>
-</refsect2>
-
-
-</refsect1>
-
-<refsect1><title>Special IPSECKEY processing</title>
-
-<para>
-At the time of this writing, the IPSECKEY resource record is not
-entirely specified. In particular no resource record number has been
-assigned. This program assumes that it is resource record number
-45. If the file
-@IPSEC_CONFDDIR@/lwdnsq.conf
-exists, and contains a line like
-<programlisting>
-ipseckey_rr=<option>number</option>
-</programlisting>
-then this number will be used instead. The file is read only once at
-startup.
-</para>
-</refsect1>
-
-<refsect1><title>OE Directives</title>
-
-<para>
-If the file
-@IPSEC_CONFDDIR@/lwdnsq.conf
-exists, and contains a line like
-<programlisting>
-queryany=false
-</programlisting>
-then instead of doing an ALL query when looking for OE delegation
-records, lwdnsq will do a series of queries. It will first look for
-IPSECKEY, and then TXT record. If it finds neither, it will then look
-for KEY records of all kinds, although they do not contain delegation
-information.
-</para>
-</refsect1>
-
-<refsect1><title>Special IPSECKEY processing</title>
-
-<programlisting>
-/etc/ipsec.d/lwdnsq.conf
-</programlisting>
-
-</refsect1>
-
-</refentry>
-</section>
-</article>
-
-
-
-
-
-
diff --git a/programs/lwdnsq/states.fig b/programs/lwdnsq/states.fig
deleted file mode 100644
index 6a28249ee..000000000
--- a/programs/lwdnsq/states.fig
+++ /dev/null
@@ -1,66 +0,0 @@
-#FIG 3.2
-Landscape
-Center
-Metric
-A4
-100.00
-Single
--2
-1200 2
-6 1305 1530 3330 2205
-2 4 0 1 0 7 50 0 -1 0.000 0 0 7 0 0 5
- 3330 2205 3330 1530 1305 1530 1305 2205 3330 2205
-4 1 0 50 0 0 20 0.0000 4 255 1575 2385 1935 initial request\001
--6
-6 1350 5850 3375 6525
-2 4 0 1 0 7 50 0 -1 0.000 0 0 7 0 0 5
- 3375 6525 3375 5850 1350 5850 1350 6525 3375 6525
-4 1 0 50 0 0 20 0.0000 4 135 825 2430 6255 success\001
--6
-6 4275 2700 6525 3375
-2 4 0 1 0 7 50 0 -1 0.000 0 0 7 0 0 5
- 6525 3375 6525 2700 4275 2700 4275 3375 6525 3375
-4 1 0 50 0 0 20 0.0000 4 195 2115 5400 3150 ASK for CNAME\001
--6
-6 225 3825 2250 4500
-2 4 0 1 0 7 50 0 -1 0.000 0 0 7 0 0 5
- 2250 4500 2250 3825 225 3825 225 4500 2250 4500
-4 1 0 50 0 0 20 0.0000 4 195 750 1305 4230 failure\001
--6
-6 5625 4545 7875 5220
-2 4 0 1 0 7 50 0 -1 0.000 0 0 7 0 0 5
- 7875 5220 7875 4545 5625 4545 5625 5220 7875 5220
-4 1 0 50 0 0 20 0.0000 4 255 1740 6750 4995 ASK for target\001
--6
-2 1 0 1 0 7 50 0 -1 0.000 0 0 -1 1 0 2
- 2 0 1.00 60.00 120.00
- 3330 1935 4275 2745
-2 1 0 1 0 7 50 0 -1 0.000 0 0 -1 1 0 2
- 2 0 1.00 60.00 120.00
- 2250 2205 1305 3825
-2 1 0 1 0 7 50 0 -1 0.000 0 0 -1 1 0 2
- 2 0 1.00 60.00 120.00
- 4275 3330 2250 4050
-2 1 0 1 0 7 50 0 -1 0.000 0 0 -1 1 0 2
- 2 0 1.00 60.00 120.00
- 2880 2250 2880 5850
-2 1 0 1 0 7 50 0 -1 0.000 0 0 -1 1 0 2
- 2 0 1.00 60.00 120.00
- 5895 5220 3375 6120
-2 1 0 1 0 7 50 0 -1 0.000 0 0 -1 1 0 2
- 2 0 1.00 60.00 120.00
- 5625 4950 2250 4275
-2 1 0 1 0 7 50 0 -1 0.000 0 0 -1 1 0 2
- 2 0 1.00 60.00 120.00
- 6030 3375 6570 4545
-2 1 0 1 0 7 50 0 -1 0.000 0 0 -1 1 0 2
- 2 0 1.00 60.00 120.00
- 7695 4545 6525 3150
-4 0 0 50 0 0 14 0.0000 4 195 1830 3825 2295 ERRSET_NODATA\001
-4 2 0 50 0 0 14 0.0000 4 195 1875 1575 3150 ERRSET_NONAME\001
-4 0 0 50 0 0 14 0.0000 4 150 300 2970 5175 OK\001
-4 0 0 50 0 0 14 0.0000 4 150 300 4500 5895 OK\001
-4 0 0 50 0 0 14 0.0000 4 195 1875 3420 3825 ERRSET_NONAME\001
-4 0 0 50 0 0 14 0.0000 4 195 1875 3420 4500 ERRSET_NONAME\001
-4 0 0 50 0 0 14 0.0000 4 150 300 6390 3960 OK\001
-4 0 0 50 0 0 14 0.0000 4 195 1830 7110 3825 ERRSET_NODATA\001
diff --git a/programs/lwdnsq/states.png b/programs/lwdnsq/states.png
deleted file mode 100644
index ceb5b3c45..000000000
--- a/programs/lwdnsq/states.png
+++ /dev/null
Binary files differ
diff --git a/programs/mailkey/.cvsignore b/programs/mailkey/.cvsignore
deleted file mode 100644
index 5af485234..000000000
--- a/programs/mailkey/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-mailkey
diff --git a/programs/mailkey/Makefile b/programs/mailkey/Makefile
deleted file mode 100644
index 4b0385823..000000000
--- a/programs/mailkey/Makefile
+++ /dev/null
@@ -1,41 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:28 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=mailkey
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:28 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.1 2003/02/22 03:26:55 sam
-# remaining pieces of mailkey
-#
-# Revision 1.2 2002/06/02 21:51:41 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/mailkey/mailkey.8 b/programs/mailkey/mailkey.8
deleted file mode 100644
index be6b4ff93..000000000
--- a/programs/mailkey/mailkey.8
+++ /dev/null
@@ -1,47 +0,0 @@
-.TH IPSEC_MAILKEY 8 "21 Feb 2002"
-.\" RCSID $Id: mailkey.8,v 1.1 2004/03/15 20:35:28 as Exp $
-.SH NAME
-ipsec mailkey \- mail DNS records for Opportunistic Encryption
-.SH SYNOPSIS
-.B ipsec
-.B mailkey
-\-\-me
-my@address.tld
-[
-.B \-\-reverse
-1.2.3.4
-] [
-.B \-\-forward
-hostname.domain.tld
-]
-.SH DESCRIPTION
-.I mailkey
-is a meta-program. It generates a script which will attempt to mail the TXT
-records required to enable Opportunistic Encryption (OE).
-.PP
-An e-mail address for the domain's DNS administrator is derived from SOA records.
-The mail body and destination address are freely editable in the script.
-.PP
-If no administrator can be located, the output file will not be executable.
-.PP
-.TP
-\fB\-\-me\fP\ \fImy@address.tld\fP
-set the Reply-To: address of the mail to be sent.
-.TP
-\fB\-\-forward\fP\ \fIhostname.domain.tld\fP
-the domain name to be used for initator-only OE.
-.TP
-\fB\-\-reverse\fP\ \fI1.2.3.4\fP
-the IP address to be used for full Opportunistic Encryption.
-.PP
-Only one of --forward or --reverse may be specified.
-.SH FILES
-.nf
-/etc/ipsec.secrets
-.fi
-.SH SEE ALSO
-ipsec_showhostkey(8), host(8)
-.SH HISTORY
-Written for the Linux FreeS/WAN project <http://www.freeswan.org> by Sam Sgro.
-.SH BUGS
-May produce indeterminate results when processing non-routable IPs.
diff --git a/programs/mailkey/mailkey.in b/programs/mailkey/mailkey.in
deleted file mode 100755
index fecdcf62c..000000000
--- a/programs/mailkey/mailkey.in
+++ /dev/null
@@ -1,241 +0,0 @@
-#! /bin/sh
-# mail OE DNS RR info to relevent administrator
-#
-# Copyright (C) 2003 Sam Sgro <sam@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: mailkey.in,v 1.1 2004/03/15 20:35:28 as Exp $
-
-me="ipsec mailkey"
-
-PATH=/sbin:/usr/bin:/usr/local/sbin:@IPSEC_SBINDIR@:$PATH export PATH
-
-reverse=0
-forward=0
-mymail=""
-usage="Usage:
- $me --me my@address.tld --forward hostname.domain.tld
- $me --me my@address.tld --reverse 1.2.3.4"
-
-for dummy
-do
- case "$1" in
- --help) echo "$usage" ; exit 0 ;;
- --forward) forward=1 ; reverse=0 ; hostname="$2" ; shift ;;
- --reverse) reverse=1 ; forward=0 ; reverseip="$2" ; shift ;;
- --me) mymail="$2" ; shift ;;
- --) shift ; break ;;
- -*) echo "$0: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-# only do one of iOE || (pOE/rOE/fOE/insert acronym here) at a time
-# but you have to choose one. Plus, if ya ain't specified your mail address...
-if [ "$forward" -eq "$reverse" ] || [ ! "$mymail" ]
-then
-{
-echo "$usage"; exit 0;
-}
-fi
-
-# Test to see if there is a key to process in the first place.
-test1st=`ipsec showhostkey --txt 1.2.3.4 2>&1`
-test2nd=`echo $test1st | grep TXT`
-if [ ! "$test2nd" ]
-then
-{
-echo "Our attempt to retrieve your RSA key using 'ipsec showhostkey' failed
-with the following error:
-
-"$test1st"
-
-Common concerns: This account must be able to read /etc/ipsec.secrets.
-If you haven't generated your key yet, please run 'ipsec newhostkey'."
-exit 0
-}
-fi
-
-
-# This is where we will save the script.
-save_mail_file=~/"OE_mail_""$reverseip$hostname"
-
-# RSA/SOA processing functions.
-# takes two arguments - the IP address/hostname to be used, and an attempt to guess the
-# beginning of the DNS record for the administrator
-txtprocess(){
-ipsec showhostkey --txt $1 | sed "s/^.* IN TXT/$2. IN TXT/" | grep TXT
-}
-
-# Find the hostmaster part of the SOA.
-# This only works with the "net" portion of in-addr.arpa. commands - 20.168.192.in-addr.arpa. -
-# or the domain portion of FQDNs. The data is prepped using host_data in the individual sections
-# for $forward and $reverse.
-# Note: I've experienced it returning SOAs for non-routeable IP addresses! This needs to be
-# addressed.
-hostprocess(){
-host -t soa $1 | grep SOA | while read a b c d e
-do
-echo $d | sed -e "s/\(^[a-zA-Z0-9-]*\)\.\([a-zA-Z0-9-\.]*\).$/\1@\2/"
-done
-}
-
-# generate the pieces that go into the template, which are dependent on the type of OE.
-if [ "$reverse" -eq 1 ]; then
-{
-# convert the reverse ip to something appropriate for a DNS record.
-arpaip=`echo $reverseip | sed -e "s/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)/\4.\3.\2.\1.in-addr.arpa/"`
-# prepare data for hostprocess()
-host_data=`echo $arpaip | sed -e "s/^[0-9]*\.\(.*\)/\1/"`
-
-firstsub=" I'm contacting you in your role as the administrator of the domain
-\"$arpaip\" as listed in its SOA record.
-
- My network security software, which employs IPSec, requires the
-below keying information to be published as a RR in the DNS domain
-which you are responsible for.
-
-"
-
-txt=`txtprocess $reverseip $arpaip`
-secondsub=" To this end, I need you to publish the following TXT record:
-
---DNS_RESOURCE_RECORDS--
-
-"$txt"
-
---DNS_RESOURCE_RECORDS--"
-
-thirdsub="to enable full Opportunistic Encryption using the IP address:
-
-"$reverseip
-
-fourthsub="and TXT records are"
-
-proposed_email=`hostprocess $host_data`
-}
-elif [ "$forward" -eq 1 ]; then
-{
-# prepare data for hostprocess()
-# leave only the domain name
-domain_data=`echo $hostname | sed -e "s/.*\.\([a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$\)/\1/"`
-# leave only the host name
-host_data=`echo $hostname | sed -e "s/\(.*\)\.[a-zA-Z0-9-]*\.[a-zA-Z0-9-]*$/\1/"`
-
-firstsub=" I'm contacting you in your role as the administrator of the domain
-\"$hostname\" as listed in its SOA record.
-
- My network security software, which employs IPSec, requires the
-below keying information to be published as a RR in the DNS domain
-which you are responsible for.
-
-"
-
-txt=`txtprocess @$hostname $host_data`
-secondsub=" To this end, please publish the following TXT record for the hostname
-$hostname:
-
-
---DNS_RESOURCE_RECORDS--
-
-$txt
-
---DNS_RESOURCE_RECORDS--"
-thirdsub="to allow me to use the hostname:
-
-"$hostname"
-
-for initiator-only Opportunistic Encryption."
-fourthsub="record is"
-
-proposed_email=`hostprocess $domain_data`
-}
-fi
-
-# Create the template used for the body of the e-mail.
-
-mailbody=$firstsub$secondsub"
-
-
- Please be careful to preserve the spaces and/or quotation marks as written.
-These are important for the RSA key to survive DNS processing.
-
- Thanks for your help in securing the 'net!
-
- $mymail
- (Generated by '$me' for $mymail)
-
-
-
-Opportunistic Encryption (OE) is the result of ongoing effort by the FreeS/WAN
-project (www.freeswan.org). It allows for the creation of dynamic IPSec
-connections between hosts without pre-arrangement, authenticated via RSA keys
-stored in DNS records.
-
-Technical information on OE can be found in this RFC draft:
-
-http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/draft-richardson-ipsec-opportunistic.txt
-
-If you have any questions about these TXT records, or about OE in general,
-please direct them to the FreeS/WAN support lists:
-
-users@lists.freeswan.org
-"
-
-# If we managed to find a hostmaster, make the appropriate modifications to the mail's body and
-# our instructions to the user.
-if [ "$proposed_email" ]; then
-{
-
-# This is now converting the mail test into an executable script.
-# Most users will have reached this stage; they can edit the contact_email
-# if they know better than us.
-# -s - Subject line. By extending it, we can "hack" the mail program to
-# include a customized Reply-To header.
-
-mailbody="#!/bin/sh
-#
-# Edit this variable to send this message to an alternate destination
-contact_email=$proposed_email
-
-mail \$contact_email -s 'DNS records for Opportunistic Encryption ($hostname$reverseip)
-Reply-To: $mymail' <<EOF
-
-"$mailbody"
-
-EOF
-"
-
-screenoutput="Executable mail file saved to: "$save_mail_file
-}
-else
-{
-# Slightly different instructions if we have nothing to tell the user.
-
-screenoutput="$me: error: Unable to locate SOA record for this domain. Not generating executable file.
-Sample mail file saved to: "$save_mail_file
-}
-fi
-
-# Create the output that has been prepared.
-echo "$mailbody" > $save_mail_file
-
-# Only make it executable if we've guessed a destination e-mail address.
-if [ "$proposed_email" ]; then
-{
-chmod u+x $save_mail_file
-}
-fi
-
-# Tell the user what'sgoing on.
-echo "$screenoutput"
diff --git a/programs/manual/.cvsignore b/programs/manual/.cvsignore
deleted file mode 100644
index 2905494b6..000000000
--- a/programs/manual/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-manual
diff --git a/programs/manual/Makefile b/programs/manual/Makefile
deleted file mode 100644
index 68cfb9110..000000000
--- a/programs/manual/Makefile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:28 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=manual
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:28 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.2 2002/06/02 21:51:41 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/manual/manual.8 b/programs/manual/manual.8
deleted file mode 100644
index a439544da..000000000
--- a/programs/manual/manual.8
+++ /dev/null
@@ -1,267 +0,0 @@
-.TH IPSEC_MANUAL 8 "17 July 2001"
-.\" RCSID $Id: manual.8,v 1.1 2004/03/15 20:35:28 as Exp $
-.SH NAME
-ipsec manual \- take manually-keyed IPsec connections up and down
-.SH SYNOPSIS
-.B ipsec
-.B manual
-[
-.B \-\-show
-] [
-.B \-\-showonly
-] [
-.B \-\-other
-]
-.br
-\ \ \ [
-.B \-\-iam
-.RB address "@" interface
-] [
-.B \-\-config
-configfile
-]
-.br
-\ \ \ operation connection
-.sp 0.5
-.B ipsec
-.B manual
-[
-.I options
-]
-.B \-\-union
-operation part ...
-.SH DESCRIPTION
-.I Manual
-manipulates manually-keyed FreeS/WAN IPsec connections,
-setting them up and shutting them down,
-based on the information in the IPsec configuration file.
-In the normal usage,
-.I connection
-is the name of a connection specification in the configuration file;
-.I operation
-is
-.BR \-\-up ,
-.BR \-\-down ,
-.BR \-\-route ,
-or
-.BR \-\-unroute .
-.I Manual
-generates setup (\c
-.BR \-\-route
-or
-.BR \-\-up )
-or
-teardown (\c
-.BR \-\-down
-or
-.BR \-\-unroute )
-commands for the connection and feeds them to a shell for execution.
-.PP
-The
-.B \-\-up
-operation brings the specified connection up, including establishing a
-suitable route for it if necessary.
-.PP
-The
-.B \-\-route
-operation just establishes the route for a connection.
-Unless and until an
-.B \-\-up
-operation is done, packets routed by that route will simply be discarded.
-.PP
-The
-.B \-\-down
-operation tears the specified connection down,
-.I except
-that it leaves the route in place.
-Unless and until an
-.B \-\-unroute
-operation is done, packets routed by that route will simply be discarded.
-This permits establishing another connection to the same destination
-without any ``window'' in which packets can pass without encryption.
-.PP
-The
-.B \-\-unroute
-operation (and only the
-.B \-\-unroute
-operation) deletes any route established for a connection.
-.PP
-In the
-.B \-\-union
-usage, each
-.I part
-is the name of a partial connection specification in the configuration file,
-and the union of all the partial specifications is the
-connection specification used.
-The effect is as if the contents of the partial specifications were
-concatenated together;
-restrictions on duplicate parameters, etc., do apply to the result.
-(The same effect can now be had, more gracefully, using the
-.B also
-parameter in connection descriptions;
-see
-.IR ipsec.conf (5)
-for details.)
-.PP
-The
-.B \-\-show
-option turns on the
-.B \-x
-option of the shell used to execute the commands,
-so each command is shown as it is executed.
-.PP
-The
-.B \-\-showonly
-option causes
-.I manual
-to show the commands it would run, on standard output,
-and not run them.
-.PP
-The
-.B \-\-other
-option causes
-.I manual
-to pretend it is the other end of the connection.
-This is probably not useful except in combination with
-.BR \-\-showonly .
-.PP
-The
-.B \-\-iam
-option causes
-.I manual
-to believe it is running on the host with the specified IP
-.IR address ,
-and that it should use the specified
-.I interface
-(normally it determines all this automatically,
-based on what IPsec interfaces are up and how they are configured).
-.PP
-The
-.B \-\-config
-option specifies a non-standard location for the FreeS/WAN IPsec
-configuration file (default
-.IR /etc/ipsec.conf ).
-.PP
-See
-.IR ipsec.conf (5)
-for details of the configuration file.
-Apart from the basic parameters which specify the endpoints and routing
-of a connection (\fBleft\fR
-and
-.BR right ,
-plus possibly
-.BR leftsubnet ,
-.BR leftnexthop ,
-.BR leftfirewall ,
-their
-.B right
-equivalents,
-and perhaps
-.BR type ),
-a non-\fBpassthrough\fR
-.I manual
-connection needs an
-.B spi
-or
-.B spibase
-parameter and some parameters specifying encryption, authentication, or
-both, most simply
-.BR esp ,
-.BR espenckey ,
-and
-.BR espauthkey .
-Moderately-secure keys can be obtained from
-.IR ipsec_ranbits (8).
-For production use of manually-keyed connections,
-it is strongly recommended that the keys be kept in a separate file
-(with permissions
-.BR rw\-\-\-\-\-\-\- )
-using the
-.B include
-and
-.B also
-facilities of the configuration file (see
-.IR ipsec.conf (5)).
-.PP
-If an
-.B spi
-parameter is given,
-.I manual
-uses that value as the SPI number for all the SAs
-(which are in separate number spaces anyway).
-If an
-.B spibase
-parameter is given instead,
-.I manual
-assigns SPI values by altering the bottom digit
-of that value;
-SAs going from left to right get even digits starting at 0,
-SAs going from right to left get odd digits starting at 1.
-Either way, it is suggested that manually-keyed connections use
-three-digit SPIs with the first digit non-zero,
-i.e. in the range
-.B 0x100
-through
-.BR 0xfff ;
-FreeS/WAN reserves those for manual keying and will not
-attempt to use them for automatic keying (unless requested to,
-presumably by a non-FreeS/WAN other end).
-.SH FILES
-.ta \w'/var/run/ipsec.nexthop'u+4n
-/etc/ipsec.conf default IPsec configuration file
-.br
-/var/run/ipsec.info \fB%defaultroute\fR information
-.SH SEE ALSO
-ipsec(8), ipsec.conf(5), ipsec_spi(8), ipsec_eroute(8), ipsec_spigrp(8),
-route(8)
-.SH HISTORY
-Written for the FreeS/WAN project
-<http://www.freeswan.org/>
-by Henry Spencer.
-.SH BUGS
-It's not nearly as generous about the syntax of subnets,
-addresses, etc. as the usual FreeS/WAN user interfaces.
-Four-component dotted-decimal must be used for all addresses.
-It
-.I is
-smart enough to translate bit-count netmasks to dotted-decimal form.
-.PP
-If the connection specification for a connection is changed between an
-.B \-\-up
-and the ensuing
-.BR \-\-down ,
-chaos may ensue.
-.PP
-The
-.B \-\-up
-operation is not smart enough to notice whether the connection is already up.
-.PP
-.I Manual
-is not smart enough to reject insecure combinations of algorithms,
-e.g. encryption with no authentication at all.
-.PP
-Any non-IPsec route to the other end which is replaced by the
-.B \-\-up
-or
-.B \-\-route
-operation will not be re-established by
-.BR \-\-unroute .
-Whether this is a feature or a bug depends on your viewpoint.
-.PP
-The optional parameters which
-override the automatic
-.BR spibase -based
-SPI assignment are a messy area of the code and bugs are likely.
-.PP
-``Road warrior'' handling,
-and other special forms of setup which
-require negotiation between the two security gateways,
-inherently cannot be done with
-.IR manual .
-.PP
-.I Manual
-generally lags behind
-.I auto
-in support of various features,
-even when implementation \fIwould\fR be possible.
-For example, currently it does not do IPComp content compression.
diff --git a/programs/manual/manual.in b/programs/manual/manual.in
deleted file mode 100755
index bda4bafa0..000000000
--- a/programs/manual/manual.in
+++ /dev/null
@@ -1,637 +0,0 @@
-#! /bin/sh
-# user interface to manual keying
-# Copyright (C) 1998, 1999 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: manual.in,v 1.1 2004/03/15 20:35:28 as Exp $
-
-me='ipsec manual'
-usage="Usage:
- $me [--showonly] --{up|down|route|unroute} name
- $me [--showonly] --{up|down|route|unroute} --union partname ...
-
- other options: [--config ipsecconfigfile] [--other] [--show]
- [--iam ipaddress@interface]"
-
-# make sure outputs of (e.g.) ifconfig are in English
-unset LANG LANGUAGE LC_ALL LC_MESSAGES
-
-showonly=
-config=
-info=/var/run/ipsec.info
-shopts=
-other=0
-union=0
-noinclude=
-interfs=
-op=
-
-for dummy
-do
- case "$1" in
- --help) echo "$usage" ; exit 0 ;;
- --version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
- --show) shopts=-x ;;
- --showonly) showonly=yes ;;
- --other) other=1 ;;
- --union) union=1 ;;
- --config) config="--config $2" ; shift ;;
- --noinclude) noinclude=--noinclude ;;
- --iam) interfs="$2" ; shift ;;
- --up|--down|--route|--unroute)
- if test " $op" != " "
- then
- echo "$usage" >&2
- exit 2
- fi
- op="$1"
- ;;
- --) shift ; break ;;
- -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-
-case "$op$#:$union" in
-[01]:*) echo "$usage" >&2 ; exit 2 ;;
-2:0) echo "$me: warning: obsolete command syntax used" >&2
- op="--$2"
- names="$1"
- ;;
-[0-9]*:1) ;;
---*) if test $# -eq 0
- then
- echo "$usage" >&2
- exit 2
- fi
- names="$*"
- ;;
-*) echo "$usage" >&2 ; exit 2 ;;
-esac
-if test " $op" = " "
-then
- # --union obsolete-syntax case, op is last argument
- echo "$me: warning: obsolete command syntax used" >&2
- names=
- prev=
- for arg
- do
- names="$names $prev"
- prev="$arg"
- done
- op="--$prev"
-fi
-case "$op" in
---up|--down|--route|--unroute) ;;
-*) echo "$usage" >&2 ; exit 2 ;;
-esac
-
-case "$interfs" in
-'') interfs="`ifconfig |
- awk ' /^ipsec/ { interf = $1 ; next }
- /^[^ \t]/ { interf = "" ; next }
- /^[ \t]*inet addr/ {
- sub(/:/, " ", $0)
- if (interf != "")
- print $3 "@" interf
- }' | tr '\n' ' '`"
- ;;
-esac
-
-if test -s $info
-then
- . $info
-fi
-
-ipsec _confread $config $noinclude $names |
-awk ' BEGIN {
- FS = "\t"
- myname = "'"$me"'"
- err = "cat >&2"
- op = "'"$op"'"
- other = '"$other"'
- names = "'"$names"'"
- interfs = "'"$interfs"'"
- ni = split(interfs, terfs, " ")
- if (ni == 0)
- fail("no IPsec-enabled interfaces found")
- for (i = 1; i <= ni; i++) {
- nc = split(terfs[i], cpts, "@")
- if (nc != 2)
- fail("internal error on " terfs[i])
- interface[cpts[1]] = cpts[2]
- }
- draddr = "'"$defaultrouteaddr"'"
- drnexthop = "'"$defaultroutenexthop"'"
- s[""] = ""
- nlspi = 0
- nrspi = 0
- failed = 0
- maskbits[0] = "0.0.0.0"
- maskbits[1] = "128.0.0.0"
- maskbits[2] = "192.0.0.0"
- maskbits[3] = "224.0.0.0"
- maskbits[4] = "240.0.0.0"
- maskbits[5] = "248.0.0.0"
- maskbits[6] = "252.0.0.0"
- maskbits[7] = "254.0.0.0"
- maskbits[8] = "255.0.0.0"
- maskbits[9] = "255.128.0.0"
- maskbits[10] = "255.192.0.0"
- maskbits[11] = "255.224.0.0"
- maskbits[12] = "255.240.0.0"
- maskbits[13] = "255.248.0.0"
- maskbits[14] = "255.252.0.0"
- maskbits[15] = "255.254.0.0"
- maskbits[16] = "255.255.0.0"
- maskbits[17] = "255.255.128.0"
- maskbits[18] = "255.255.192.0"
- maskbits[19] = "255.255.224.0"
- maskbits[20] = "255.255.240.0"
- maskbits[21] = "255.255.248.0"
- maskbits[22] = "255.255.252.0"
- maskbits[23] = "255.255.254.0"
- maskbits[24] = "255.255.255.0"
- maskbits[25] = "255.255.255.128"
- maskbits[26] = "255.255.255.192"
- maskbits[27] = "255.255.255.224"
- maskbits[28] = "255.255.255.240"
- maskbits[29] = "255.255.255.248"
- maskbits[30] = "255.255.255.252"
- maskbits[31] = "255.255.255.254"
- maskbits[32] = "255.255.255.255"
- }
- $1 == "=" {
- next
- }
- $1 == "!" {
- if ($2 != "")
- fail($2)
- next
- }
- $1 != ":" {
- fail("internal error, unknown type code \"" $1 "\"")
- }
- { s[$2] = $3 }
- function q(s) {
- return "\"" s "\""
- }
- function fail(m) {
- print myname ": fatal error in " q(names) ": " m |err
- failed = 1
- exit
- }
- function swap(k, t, l, r) {
- l = "left" k
- r = "right" k
- if ((l in s) && (r in s)) {
- t = s[l]
- s[l] = s[r]
- s[r] = t
- } else if (l in s) { # but not r
- s[r] = s[l]
- delete s[l]
- } else if (r in s) { # but not l
- s[l] = s[r]
- delete s[r]
- }
- }
- function yesno(k) {
- if ((k in s) && s[k] != "yes" && s[k] != "no")
- fail("parameter \"" k "\" must be \"yes\" or \"no\"")
- }
- function default(k, v) {
- if (!(k in s))
- s[k] = v
- }
- function need(k) {
- if (!(k in s))
- fail("connection has no \"" k "\" parameter specified")
- if (s[k] == "")
- fail("parameter \"" k "\" value must be non-empty")
- }
- function integer(k) {
- if (!(k in s))
- return
- if (s[k] !~ /^[0-9]+$/)
- fail("parameter \"" k "\" value must be integer")
- }
- function nexthopset(dir, val, k) {
- k = dir "nexthop"
- if (k in s)
- fail("non-default value of " k " is being overridden")
- if (val != "")
- s[k] = val
- else if (k in s)
- delete s[k]
- }
- function leftward( t) {
- nlspi++
- if ("spi" in s)
- return s["spi"]
- t = spibase spil
- spil += 2
- return t
- }
- function rightward( t) {
- nrspi++
- if ("spi" in s)
- return s["spi"]
- t = spibase spir
- spir += 2
- return t
- }
- function netfix(dir, n, t) {
- n = s[dir "subnet"]
- if (n == "%default")
- n = "0.0.0.0/0"
- if (n !~ /\//)
- fail(dir "subnet=" n " has no mask specified")
- t = split(n, netfixarray, "/")
- if (t != 2)
- fail("bad syntax in " dir "subnet=" n)
- s[dir "net"] = netfixarray[1]
- s[dir "mask"] = mask(netfixarray[2])
- }
- function mask(m) {
- if (m ~ /\./)
- return m
- if (!(m in maskbits))
- fail("unknown mask syntax \"" m "\"")
- return maskbits[m]
- }
- function bidir(name, l, r) {
- l = "left" name
- r = "right" name
- if (!(l in s) && (name in s))
- s[l] = s[name]
- if (!(r in s) && (name in s))
- s[r] = s[name]
- if ((l in s) != (r in s))
- fail("must give both or neither \"" l "\" and \"" \
- r "\"")
- }
- function espspi(src, dest, spi, dir) {
- if (!("esp" in s))
- return
- dir = (dest == me) ? "left" : "right"
- print "ipsec spi --label", q(names), "--af inet",
- "--said", ("esp" spi "@" dest), "\\"
- print "\t--esp", s["esp"], "--src", src, "\\"
- if ((dir "espauthkey") in s)
- print "\t--authkey", s[dir "espauthkey"], "\\"
- if ("espreplay_window" in s)
- print "\t--replay_window", s["espreplay_window"], "\\"
- if ((dir "espenckey") in s)
- print "\t--enckey", s[dir "espenckey"], "&&"
- else
- print "\t&&"
- }
- function ahspi(src, dest, spi, dir) {
- if (!("ah" in s))
- return
- dir = (dest == me) ? "left" : "right"
- if (!((dir "ahkey") in s))
- fail("AH specified but no ahkey= given")
- print "ipsec spi --label", q(names), "--af inet",
- "--said", ("ah" spi "@" dest), "\\"
- print "\t--ah", s["ah"], "--src", src, "\\"
- if ("ahreplay_window" in s)
- print "\t--replay_window", s["ahreplay_window"], "\\"
- print "\t--authkey", s[dir "ahkey"], "&&"
- }
- # issue a suitable invocation of updown command
- function updown(verb, suffix, cmd) {
- if ("leftupdown" in s) {
- cmd = s["leftupdown"]
- if (s["leftfirewall"] == "yes")
- fail("cannot specify both updown and firewall")
- } else {
- cmd = "ipsec _updown"
- if (s["leftfirewall"] == "yes")
- cmd = cmd " ipfwadm"
- }
- print "PLUTO_VERB=" verb verbsuf " " cmd " " suffix
- }
- END {
- #########
- if (failed)
- exit 1
- default("type", "tunnel")
- type = s["type"]
- shunt = 0
- if (type == "transport") {
- if ("leftsubnet" in s)
- fail("type=transport incompatible with leftsubnet")
- if ("rightsubnet" in s)
- fail("type=transport incompatible with rightsubnet")
- } else if (type == "passthrough") {
- shunt = 1;
- p = "%pass"
- } else if (type == "drop" || type == "reject") {
- shunt = 1;
- p = "%" type
- } else if (type != "tunnel")
- fail("only know how to do types tunnel/transport/passthrough")
- if (shunt) {
- if (("ah" in s) || ("esp" in s))
- fail(type " connection may not specify AH or ESP")
- } else {
- if (!("ah" in s) && !("esp" in s))
- fail("neither AH nor ESP specified for connection")
- }
-
- need("left")
- need("right")
- if (s["left"] == "%defaultroute") {
- if (s["right"] == "%defaultroute")
- fail("left and right cannot both be %defaultroute")
- if (draddr == "")
- fail("%defaultroute requested but not known")
- s["left"] = draddr
- nexthopset("left", drnexthop)
- } else if (s["right"] == "%defaultroute") {
- if (draddr == "")
- fail("%defaultroute requested but not known")
- s["right"] = draddr
- nexthopset("right", drnexthop)
- }
-
- leftsub = ("leftsubnet" in s) ? 1 : 0
- default("leftsubnet", s["left"] "/32")
- rightsub = ("rightsubnet" in s) ? 1 : 0
- default("rightsubnet", s["right"] "/32")
- default("leftfirewall", "no")
- default("rightfirewall", "no")
- yesno("leftfirewall")
- yesno("rightfirewall")
- integer("espreplay_window")
- if (("espreplay_window" in s) && s["espreplay_window"] == 0)
- delete s["espreplay_window"]
- integer("ahreplay_window")
- if (("ahreplay_window" in s) && s["ahreplay_window"] == 0)
- delete s["ahreplay_window"]
- netfix("left")
- netfix("right")
-
- default("leftnexthop", s["right"])
- default("rightnexthop", s["left"])
- if (s["leftnexthop"] == s["left"])
- fail("left and leftnexthop must not be the same")
- if (s["rightnexthop"] == s["right"])
- fail("right and rightnexthop must not be the same")
-
- bidir("espenckey")
- bidir("espauthkey")
- bidir("ahkey")
- if ("spi" in s && "spibase" in s)
- fail("cannot specify both spi and spibase")
- if (!shunt) {
- if ("spibase" in s) {
- b = s["spibase"]
- if (b !~ /^0x[0-9a-fA-F]+0$/)
- fail("bad syntax in spibase -- must be 0x...0")
- spibase = substr(b, 1, length(b)-1)
- } else {
- need("spi")
- if (s["spi"] !~ /^0x[0-9a-fA-F]+$/)
- fail("bad syntax in spi -- must be 0x...")
- }
- }
- spir = 0
- spil = 1
-
- # who am I?
- me = ""
- for (addr in interface) {
- if (addr == s["left"] || addr == s["right"]) {
- if (me != "")
- fail("ambiguous: could be on \"" iface \
- "\" or \"" interface[addr] "\"")
- me = addr
- iface = interface[addr]
- }
- }
- if (me == "")
- fail("cannot find interface for " s["left"] " or " s["right"])
- if (other) {
- if (s["left"] == me)
- me = s["right"]
- else if (s["right"] == me)
- me = s["left"]
- }
- havesubnet = leftsubnet
- if (s["right"] == me) {
- swap("") # swaps "left" and "right"
- swap("subnet")
- swap("nexthop")
- swap("net")
- swap("mask")
- swap("firewall")
- swap("espspi")
- swap("ahspi")
- swap("espenckey")
- swap("espauthkey")
- swap("ahkey")
- swap("updown")
- t = spil
- spil = spir
- spir = t
- havesubnet = rightsubnet
- }
- him = s["right"]
-
- if (s["leftnexthop"] == "%defaultroute") {
- if (drnexthop == "")
- fail("%defaultroute requested but not known")
- s["leftnexthop"] = drnexthop
- }
-
- tspi = rightward()
- if (type == "tunnel") {
- espi = rightward()
- intspi = leftward()
- } else
- espi = tspi
- if (s["rightespspi"] != "")
- espi = s["rightespspi"]
- respi = leftward()
- if (s["leftespspi"] != "")
- respi = s["leftespspi"]
- if ("ah" in s) {
- if ("esp" in s) {
- aspi = rightward()
- raspi = leftward()
- } else {
- aspi = espi
- raspi = respi
- }
- if (s["rightahspi"] != "")
- aspi = s["rightahspi"]
- if (s["leftahspi"] != "")
- raspi = s["leftahspi"]
- }
- routeid = "-net " s["rightnet"] " netmask " s["rightmask"]
- if (s["rightmask"] == "255.255.255.255")
- routeid = "-host " s["rightnet"]
-
- print "PATH=\"'"$PATH"'\""
- print "export PATH"
- print "PLUTO_VERSION=1.1"
- verbsuf = (havesubnet) ? "-client" : "-host"
- print "PLUTO_CONNECTION=" q(names)
- print "PLUTO_NEXT_HOP=" s["leftnexthop"]
- print "PLUTO_INTERFACE=" iface
- print "PLUTO_ME=" me
- print "PLUTO_MY_CLIENT=" s["leftsubnet"]
- print "PLUTO_MY_CLIENT_NET=" s["leftnet"]
- print "PLUTO_MY_CLIENT_MASK=" s["leftmask"]
- print "PLUTO_PEER=" him
- print "PLUTO_PEER_CLIENT=" s["rightsubnet"]
- print "PLUTO_PEER_CLIENT_NET=" s["rightnet"]
- print "PLUTO_PEER_CLIENT_MASK=" s["rightmask"]
- print "export PLUTO_VERSION PLUTO_CONNECTION PLUTO_NEXT_HOP"
- print "export PLUTO_INTERFACE PLUTO_ME PLUTO_MY_CLIENT"
- print "export PLUTO_MY_CLIENT_NET PLUTO_MY_CLIENT_MASK PLUTO_PEER"
- print "export PLUTO_PEER_CLIENT PLUTO_PEER_CLIENT_NET"
- print "export PLUTO_PEER_CLIENT_MASK"
-
- if (op == "--up") {
- print "{"
- # first, the outbound SAs
- if (type == "tunnel") {
- print "ipsec spi --label", q(names), "--af inet",
- "--said", ("tun" tspi "@" him), "\\"
- print "\t--ip4", "--src", me, "--dst", him, "&&"
- }
- espspi(me, him, espi)
- ahspi(me, him, aspi)
- if (nrspi > 1) {
- # group them
- printf "ipsec spigrp --label %s --said ", q(names)
- if (type == "tunnel")
- printf "tun%s@%s ", tspi, him
- if (("esp" in s))
- printf "esp%s@%s ", espi, him
- if ("ah" in s)
- printf "ah%s@%s ", aspi, him
- printf " &&\n"
- }
- # inbound SAs
- if (type == "tunnel") {
- print "ipsec spi --label", q(names), "--af inet",
- "--said", ("tun" intspi "@" me), "\\"
- print "\t--ip4", "--src", him, "--dst", me, "&&"
- }
- espspi(him, me, respi)
- ahspi(him, me, raspi)
- if (nlspi > 1) {
- # group them
- printf "ipsec spigrp --label %s --said ", q(names)
- if (type == "tunnel")
- printf "tun%s@%s ", intspi, me
- if (("esp" in s))
- printf "esp%s@%s ", respi, me
- if ("ah" in s)
- printf "ah%s@%s ", raspi, me
- printf " &&\n"
- }
- # with the SAs in place, eroute to them
- print "ipsec eroute --label", q(names),
- "--eraf inet --replace", "\\"
- if (!shunt) {
- if (type == "tunnel")
- p = "tun"
- else if (("esp" in s))
- p = "esp"
- else
- p = "ah"
- p = p tspi "@" him
- }
- print "\t--src", s["leftsubnet"], "--dst", s["rightsubnet"],
- "--said", p, "&&"
- # with the eroute in place, NOW we can route to it
- #print "{ route del", routeid, "2>/dev/null ; true ; } &&"
- updown("prepare", "&&")
- #print "route add", routeid, "dev", iface, "gw",
- # s["leftnexthop"], "&&"
- updown("route", "&&")
- # and with all processing in place, we can penetrate firewall
- #if (s["leftfirewall"] == "yes") {
- # print "ipfwadm -F -i accept -b -S", s["leftsubnet"],
- # "-D", s["rightsubnet"], "&&"
- #}
- updown("up", "&&")
- print "true"
- print "} || {"
- } else if (op == "--route") {
- #print "{ route del", routeid, "2>/dev/null ; true ; } &&"
- updown("prepare", "&&")
- #print "route add", routeid, "dev", iface, "gw",
- # s["leftnexthop"]
- updown("route")
- exit 0
- } else if (op == "--unroute") {
- #print "route del", routeid, "dev", iface, "gw",
- # s["leftnexthop"]
- updown("unroute")
- exit 0
- } else # down
- print "{"
-
- # now do "down", unconditionally, since the desired output for "up"
- # is { up && up && up && true } || { down ; down ; down }
- # tear things down in fairly strict reverse order
- #if (s["leftfirewall"] == "yes")
- # print "ipfwadm -F -d accept -b -S", s["leftsubnet"],
- # "-D", s["rightsubnet"]
- updown("down")
- #print "route del", routeid, "dev", iface, "gw", s["leftnexthop"]
- print "# do not delete route"
- print "ipsec eroute --label", q(names), "--eraf inet --del", "\\"
- print "\t--src", s["leftsubnet"], "--dst", s["rightsubnet"]
- #if ("ah" in s) {
- # print "ipsec spi --label", q(names), "--af inet", "--del",
- # "--said", ("ah" raspi "@" me)
- #}
- #if ("esp" in s) {
- # print "ipsec spi --label", q(names), "--af inet", "--del",
- # "--said", ("esp" respi "@" me)
- #}
- if (!shunt) {
- if (type == "tunnel")
- p = "tun"
- else if (("esp" in s))
- p = "esp"
- else
- p = "ah"
- print "ipsec spi --label", q(names), "--af inet", "--del",
- "--said", (p tspi "@" him),
- " # outbound"
- print "ipsec spi --label", q(names), "--af inet", "--del",
- "--said", (p intspi "@" me),
- " # inbound"
- }
-
- if (op == "--up")
- print "} 2>/dev/null"
- else
- print "}"
- #########
- }' |
-if test $showonly
-then
- cat
-else
- sh $shopts
-fi
diff --git a/programs/openac/Makefile b/programs/openac/Makefile
deleted file mode 100644
index 98051f7bc..000000000
--- a/programs/openac/Makefile
+++ /dev/null
@@ -1,162 +0,0 @@
-# Makefile for the openac attribute certificate generation tool
-# Copyright (C) 2004 Andreas Steffen
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.17 2007/02/21 14:19:45 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-CONFDIR=$(DESTDIR)/etc/openac
-PLUTODIR=../pluto
-
-PROGRAM=openac
-EXTRA8PROC=${PROGRAM}.8
-
-# where to find sha2.h
-LIBCRYPTO=$(FREESWANSRCDIR)/lib/libcrypto
-LIBSHA2=$(LIBCRYPTO)/libsha2
-CFLAGS+= -I$(LIBCRYPTO)
-
-LIBS=${FREESWANLIB} $(LIBDESLITE) -lgmp
-CFLAGS+= -DDEBUG -DNO_PLUTO
-
-# This compile option activates the leak detective
-ifeq ($(USE_LEAK_DETECTIVE),true)
- CFLAGS+= -DLEAK_DETECTIVE
-endif
-
-X509_OBJS= ac.o asn1.o ca.o certs.o constants.o crl.o defs.o mp_defs.o fetch.o \
- id.o keys.o lex.o md2.o md5.o ocsp.o oid.o pem.o pgp.o pkcs1.o \
- rnd.o sha1.o sha2.o smartcard.o x509.o
-
-OBJS= build.o loglite.o ${X509_OBJS}
-
-include ../Makefile.program
-
-build.o : build.c build.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-loglite.o : loglite.c $(PLUTODIR)/log.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-# X.509 library
-
-ac.o : $(PLUTODIR)/ac.c $(PLUTODIR)/ac.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-asn1.o : $(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-certs.o : $(PLUTODIR)/certs.c $(PLUTODIR)/certs.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-constants.o : $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-crl.o : $(PLUTODIR)/crl.c $(PLUTODIR)/crl.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-mp_defs.o : $(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-fetch.o : $(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-id.o : $(PLUTODIR)/id.c $(PLUTODIR)/id.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-keys.o : $(PLUTODIR)/keys.c $(PLUTODIR)/keys.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-md2.o : $(PLUTODIR)/md2.c $(PLUTODIR)/md2.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-md5.o : $(PLUTODIR)/md5.c $(PLUTODIR)/md5.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-oid.o : $(PLUTODIR)/oid.c $(PLUTODIR)/oid.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-rnd.o : $(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-sha1.o : $(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-sha2.o : $(LIBSHA2)/sha2.c $(LIBSHA2)/sha2.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-smartcard.o : $(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-x509.o : $(PLUTODIR)/x509.c $(PLUTODIR)/x509.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-# Stolen from pluto/Makefile
-
-gatherdeps:
- @ls | grep '\.c$$' | sed -e 's/\(.*\)\.c$$/\1.o: \1.c/'
- @echo
- @ls | grep '\.c$$' | xargs grep '^#[ ]*include[ ]*"' | \
- sed -e 's/\.c:#[ ]*include[ ]*"/.o: /' -e 's/".*//'
-
-# Dependencies generated by "make gatherdeps":
-
-build.o: build.c
-loglite.o: loglite.c
-openac.o: openac.c
-
-build.o: ../pluto/constants.h
-build.o: ../pluto/defs.h
-build.o: ../pluto/oid.h
-build.o: ../pluto/asn1.h
-build.o: ../pluto/x509.h
-build.o: ../pluto/log.h
-build.o: build.h
-loglite.o: ../pluto/constants.h
-loglite.o: ../pluto/defs.h
-loglite.o: ../pluto/log.h
-loglite.o: ../pluto/whack.h
-openac.o: ../pluto/constants.h
-openac.o: ../pluto/defs.h
-openac.o: ../pluto/mp_defs.h
-openac.o: ../pluto/log.h
-openac.o: ../pluto/asn1.h
-openac.o: ../pluto/certs.h
-openac.o: ../pluto/x509.h
-openac.o: ../pluto/crl.h
-openac.o: ../pluto/keys.h
-openac.o: ../pluto/ac.h
-openac.o: build.h
diff --git a/programs/pf_key/.cvsignore b/programs/pf_key/.cvsignore
deleted file mode 100644
index 323068235..000000000
--- a/programs/pf_key/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-pf_key
diff --git a/programs/pf_key/Makefile b/programs/pf_key/Makefile
deleted file mode 100644
index 6af45c8d1..000000000
--- a/programs/pf_key/Makefile
+++ /dev/null
@@ -1,49 +0,0 @@
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 1998, 1999 Henry Spencer.
-# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:28 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM:=pf_key
-EXTRA5MAN=${PROGRAM}.5
-
-LIBS:=${FREESWANLIB}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:28 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.3 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.2 2002/04/26 01:21:26 mcr
-# while tracking down a missing (not installed) /etc/ipsec.conf,
-# MCR has decided that it is not okay for each program subdir to have
-# some subset (determined with -f) of possible files.
-# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-# Optional PROGRAM.5 files have been added to the makefiles.
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/pf_key/pf_key.5 b/programs/pf_key/pf_key.5
deleted file mode 100644
index f5eab9a96..000000000
--- a/programs/pf_key/pf_key.5
+++ /dev/null
@@ -1,122 +0,0 @@
-.TH IPSEC_PF_KEY 5 "29 Jun 2000"
-.\"
-.\" RCSID $Id: pf_key.5,v 1.1 2004/03/15 20:35:28 as Exp $
-.\"
-.SH NAME
-ipsec_pf_key \- lists PF_KEY sockets registered with KLIPS
-.SH SYNOPSIS
-.B cat
-.B /proc/net/pf_key
-.SH DESCRIPTION
-.I /proc/net/pf_key
-is a read-only file which lists the presently open PF_KEY sockets on the
-local system and their parameters.
-.PP
-Each line lists one PF_KEY socket.
-A table entry consists of:
-.IP + 3
-sock pointer (sock)
-.IP +
-PID of the socket owner (pid)
-.IP +
-flag to indicate if the socket is dead (d)
-.IP +
-socket wait queue (sleep)
-.IP +
-socket pointer (socket)
-.IP +
-next socket in chain (next)
-.IP +
-previous socket in chain (prev)
-.IP +
-last socket error (e)
-.IP +
-pointer to destruct routine (destruct)
-.IP +
-is this a reused socket (r)
-.IP +
-has this socket been zapped (z)
-.IP +
-socket family to which this socket belongs (fa)
-.IP +
-local port number (n)
-.IP +
-protocol version number (p)
-.IP +
-Receive queue bytes committed (r)
-.IP +
-Transmit queue bytes committed (w)
-.IP +
-option memory allocations (o)
-.IP +
-size of send buffer in bytes (sndbf)
-.IP +
-timestamp in seconds (stamp)
-.IP +
-socket flags (Flags)
-.IP +
-socket type (Type)
-.IP +
-connection state (St)
-.BR
-.SH EXAMPLES
-.TP
-.\".B "sock pid d sleep socket next prev e destruct r z fa n p r w o sndbf stamp Flags Type St"
-.TP
-.B c3b8c140 3553 0 c0599818 c05997fc 0 0 0 0 1 0 15 0 2 0 0 0 65535 0.103232 00000000 00000003 01
-.LP
-shows that there is one pf_key socket set up that starts at
-.BR c3b8c140 ,
-whose owning process has PID
-.BR 3553 ,
-the socket is not dead, its wait queue is at
-.BR c0599818 ,
-whose owning socket is at
-.BR c05997fc ,
-with no other sockets in the chain, no errors, no destructor, it is a
-reused socket which has not been zapped, from protocol family
-.BR 15
-(PF_KEY), local port number
-.BR 0 ,
-protocol socket version
-.BR 2 ,
-no memory allocated to transmit, receive or option queues, a send buffer
-of almost
-.BR 64kB ,
-a timestamp of
-.BR 0.103232 ,
-no flags set, type
-.BR 3 ,
-in state
-.BR 1 .
-.SH "FILES"
-/proc/net/pf_key
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_eroute(5), ipsec_spi(5),
-ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_tncfg(8), ipsec_version(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Richard Guy Briggs.
-.\"
-.\" $Log: pf_key.5,v $
-.\" Revision 1.1 2004/03/15 20:35:28 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.4 2002/04/24 07:35:39 mcr
-.\" Moved from ./klips/utils/pf_key.5,v
-.\"
-.\" Revision 1.3 2001/01/23 23:51:49 rgb
-.\" Fix outdated references to /proc/net/ipsec_pf_key.
-.\"
-.\" Revision 1.2 2000/06/30 18:21:55 rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.1 2000/06/30 06:19:27 rgb
-.\" manpages for the last two /proc/net/ipsec* files that don't have a
-.\" corresponding utility.
-.\"
-.\"
-.\"
diff --git a/programs/pf_key/pf_key.8 b/programs/pf_key/pf_key.8
deleted file mode 100644
index dd42bf541..000000000
--- a/programs/pf_key/pf_key.8
+++ /dev/null
@@ -1,73 +0,0 @@
-.TH IPSEC_PF_KEY 8 "17 Oct 2001"
-.\"
-.\" RCSID $Id: pf_key.8,v 1.2 2005/07/07 19:07:43 as Exp $
-.\"
-.SH NAME
-pf_key \- shows pfkey messages emitted by the kernel
-.SH SYNOPSIS
-.B pf_key
-.B \-\-ah
-.B \-\-esp
-.B \-\-ipip
-.B \-\-ipcomp
-.B \-\-daemon
-.I file
-.BR hmac-md5-96 | hmac-sha1-96
-.SH DESCRIPTION
-.B pf_key
-is a program to open a PF_KEY socket and print all messages that are received
-from it. With no options, it will register itself to receive key requests for
-AH, ESP, IPIP and IPCOMP security associations. If given more specific
-options, then it will listen only to those protocols which are listed.
-.PP
-If the messages are recognized, the messages will be decoded.
-.PP
-If the option
-.B \-\-daemon
-is provided, then after doing the registrations, the program will fork
-into the background. The provided file will be opened and the process ID of
-the background process will be written to it. This option is present to
-present race conditions in regression testing.
-.SH EXAMPLES
-.TP
-.\".B "pfkey v.2 msg. type 3 seq=20 len=2 errno=22 satype=3"
-.SH "FILES"
-/proc/net/pf_key
-.SH "SEE ALSO"
-pf_key(5), ipsec(8), ipsec_manual(8), ipsec_eroute(5), ipsec_spi(5),
-ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_tncfg(8), ipsec_version(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Michael Richardson <mcr@freeswan.org>
-.\"
-.\" $Log: pf_key.8,v $
-.\" Revision 1.2 2005/07/07 19:07:43 as
-.\" fixed man page type
-.\"
-.\" Revision 1.1 2004/03/15 20:35:28 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.4 2002/07/16 02:53:42 mcr
-.\" added --daemon <pidfile> to "ipsec pf_key" command.
-.\" this is used in *-trap-* tests to avoid race conditions between
-.\" registration of PF_KEY listeners and arrival of first test packet.
-.\"
-.\" Revision 1.3 2002/04/24 07:35:39 mcr
-.\" Moved from ./klips/utils/pf_key.8,v
-.\"
-.\" Revision 1.2 2001/11/23 07:23:14 mcr
-.\" pulled up klips2 Makefile and pf_key code.
-.\"
-.\" Revision 1.1.2.1 2001/10/23 18:49:12 mcr
-.\" renamed man page to section 8.
-.\" added --ah, --esp, --ipcomp and --ipip to control which
-.\" protocols are printed.
-.\" incomplete messages which include at least an sadb header are printed.
-.\"
-.\" Revision 1.1.2.1 2001/10/17 23:25:37 mcr
-.\" added "pk_key" program to dump raw kernel pf messages.
-.\" (program is still skeletal)
-.\"
-.\"
-.\"
diff --git a/programs/pf_key/pf_key.c b/programs/pf_key/pf_key.c
deleted file mode 100644
index af7365d65..000000000
--- a/programs/pf_key/pf_key.c
+++ /dev/null
@@ -1,353 +0,0 @@
-/*
- * @(#) pfkey socket manipulator/observer
- *
- * Copyright (C) 2001 Richard Guy Briggs <rgb@freeswan.org>
- * and Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: pf_key.c,v 1.2 2004/04/20 21:23:25 as Exp $
- *
- */
-
-/*
- * This program opens a pfkey socket and prints all messages that it sees.
- *
- * This can be used to diagnose problems.
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <getopt.h>
-#include <errno.h>
-#include <setjmp.h>
-#include <signal.h>
-
-#include <sys/socket.h>
-
-#include <sys/types.h>
-#include <stdint.h>
-#include <freeswan.h>
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-char *progname;
-uint32_t pfkey_seq = 0;
-int pfkey_sock;
-
-static void
-Usage(char *progname)
-{
- fprintf(stderr, "%s: Usage: %s [--help]\n"
- "\tby default listens for AH, ESP, IPIP and IPCOMP\n"
- "\t--daemon <file> fork before printing, stuffing the PID in the file\n"
- "\t--ah listen for AH messages\n"
- "\t--esp listen for ESP messages\n"
- "\t--ipip listen for IPIP messages\n"
- "\t--ipcomp listen for IPCOMP messages\n",
- progname, progname);
- exit(1);
-}
-
-void
-pfkey_register(uint8_t satype) {
- /* for registering SA types that can be negotiated */
- int error = 0;
- struct sadb_ext *extensions[SADB_EXT_MAX + 1];
- struct sadb_msg *pfkey_msg;
-
- pfkey_extensions_init(extensions);
- if((error = pfkey_msg_hdr_build(&extensions[0],
- SADB_REGISTER,
- satype,
- 0,
- ++pfkey_seq,
- getpid()))) {
- fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
- progname, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) {
- fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
- progname, error);
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- exit(1);
- }
- if(write(pfkey_sock, pfkey_msg,
- pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN) !=
- (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) {
- /* cleanup code here */
- fprintf(stderr, "%s: Trouble writing to channel PF_KEY.\n", progname);
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- exit(1);
- }
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
-}
-
-int dienow;
-
-void controlC(int foo)
-{
- fflush(stdout);
- printf("%s: Exiting on signal 15\n", progname);
- fflush(stderr);
- exit(0);
-}
-
-int
-main(int argc, char *argv[])
-{
- int opt;
- ssize_t readlen;
- unsigned char pfkey_buf[256];
- struct sadb_msg *msg;
- int fork_after_register;
- char *pidfilename;
-
- static int ah_register;
- static int esp_register;
- static int ipip_register;
- static int ipcomp_register;
-
- static struct option long_options[] =
- {
- {"help", no_argument, 0, 'h'},
- {"daemon", required_argument, 0, 'f'},
- {"ah", no_argument, &ah_register, 1},
- {"esp", no_argument, &esp_register, 1},
- {"ipip", no_argument, &ipip_register, 1},
- {"ipcomp", no_argument, &ipcomp_register, 1},
- };
-
- ah_register = 0;
- esp_register = 0;
- ipip_register = 0;
- ipcomp_register=0;
- dienow = 0;
- fork_after_register=0;
- pidfilename=NULL;
-
- progname = argv[0];
- if(strrchr(progname, '/')) {
- progname=strrchr(progname, '/')+1;
- }
-
- while((opt = getopt_long(argc, argv, "hf:",
- long_options, NULL)) != EOF) {
- switch(opt) {
- case 'f':
- pidfilename=optarg;
- fork_after_register=1;
- break;
- case 'h':
- Usage(progname);
- break;
- case '0':
- /* it was a long option with a flag */
- break;
- }
- }
-
- if((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) {
- fprintf(stderr, "%s: failed to open PF_KEY family socket: %s\n",
- progname, strerror(errno));
- exit(1);
- }
-
- if(ah_register == 0 &&
- esp_register== 0 &&
- ipip_register==0 &&
- ipcomp_register==0) {
- ah_register=1;
- esp_register=1;
- ipip_register=1;
- ipcomp_register=1;
- }
-
- if(ah_register) {
- pfkey_register(SADB_SATYPE_AH);
- }
- if(esp_register) {
- pfkey_register(SADB_SATYPE_ESP);
- }
- if(ipip_register) {
- pfkey_register(SADB_X_SATYPE_IPIP);
- }
- if(ipcomp_register) {
- pfkey_register(SADB_X_SATYPE_COMP);
- }
-
- if(fork_after_register) {
- /*
- * to aid in regression testing, we offer to register
- * everything first, and then we fork. As part of this
- * we write the PID of the new process to a file
- * provided.
- */
- int pid;
- FILE *pidfile;
-
- fflush(stdout);
- fflush(stderr);
-
- pid=fork();
- if(pid!=0) {
- /* in parent! */
- exit(0);
- }
-
- if((pidfile=fopen(pidfilename, "w"))==NULL) {
- perror(pidfilename);
- } else {
- fprintf(pidfile, "%d", getpid());
- fclose(pidfile);
- }
- }
-
- signal(SIGINT, controlC);
- signal(SIGTERM, controlC);
-
- while((readlen = read(pfkey_sock, pfkey_buf, sizeof(pfkey_buf))) > 0) {
- struct sadb_ext *extensions[SADB_EXT_MAX + 1];
- msg = (struct sadb_msg *)pfkey_buf;
-
- /* first, see if we got enough for an sadb_msg */
- if((size_t)readlen < sizeof(struct sadb_msg)) {
- printf("%s: runt packet of size: %d (<%lu)\n",
- progname, (int)readlen, (unsigned long)sizeof(struct sadb_msg));
- continue;
- }
-
- /* okay, we got enough for a message, print it out */
- printf("\npfkey v%d msg. type=%d(%s) seq=%d len=%d pid=%d errno=%d satype=%d(%s)\n",
- msg->sadb_msg_version,
- msg->sadb_msg_type,
- pfkey_v2_sadb_type_string(msg->sadb_msg_type),
- msg->sadb_msg_seq,
- msg->sadb_msg_len,
- msg->sadb_msg_pid,
- msg->sadb_msg_errno,
- msg->sadb_msg_satype,
- satype2name(msg->sadb_msg_satype));
-
- if((size_t)readlen != msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)
- {
- printf("%s: packet size read from socket=%d doesn't equal sadb_msg_len %d * %u; message not decoded\n",
- progname,
- (int)readlen,
- msg->sadb_msg_len,
- (int) IPSEC_PFKEYv2_ALIGN);
- continue;
- }
-
- pfkey_lib_debug = PF_KEY_DEBUG_PARSE_STRUCT;
- if (pfkey_msg_parse(msg, NULL, extensions, EXT_BITS_OUT)) {
- printf("%s: unparseable PF_KEY message.\n",
- progname);
- } else {
- printf("%s: parseable PF_KEY message.\n",
- progname);
- }
- }
- printf("%s: exited normally\n", progname);
- exit(0);
-}
-
-/*
- * $Log: pf_key.c,v $
- * Revision 1.2 2004/04/20 21:23:25 as
- * int cast fix for 64 bit platforms
- *
- * Revision 1.1 2004/03/15 20:35:28 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.15 2003/09/10 00:01:30 mcr
- * fixes for gcc 3.3 from Matthias Bethke <Matthias.Bethke@gmx.net>
- *
- * Revision 1.14 2002/10/09 03:12:05 dhr
- *
- * [kenb+dhr] 64-bit fixes
- *
- * Revision 1.13 2002/09/20 05:02:15 rgb
- * Cleaned up pfkey_lib_debug usage.
- *
- * Revision 1.12 2002/09/13 23:02:23 rgb
- * Type fiddling to tame ia64 compiler.
- * Added text labels to elucidate numeric values presented.
- *
- * Revision 1.11 2002/08/26 03:05:25 mcr
- * duh, pf_key much catch SIGTERM as well as SIGINT...
- *
- * Revision 1.10 2002/08/13 19:01:27 mcr
- * patches from kenb to permit compilation of FreeSWAN on ia64.
- * des library patched to use proper DES_LONG type for ia64.
- *
- * Revision 1.9 2002/07/16 02:53:42 mcr
- * added --daemon <pidfile> to "ipsec pf_key" command.
- * this is used in *-trap-* tests to avoid race conditions between
- * registration of PF_KEY listeners and arrival of first test packet.
- *
- * Revision 1.8 2002/06/17 04:32:55 mcr
- * exit nicely from pf_key when SIGINT (^C) is sent.
- * This is needed so that the stdout will flush properly.
- *
- * Revision 1.7 2002/04/24 07:55:32 mcr
- * #include patches and Makefiles for post-reorg compilation.
- *
- * Revision 1.6 2002/04/24 07:35:39 mcr
- * Moved from ./klips/utils/pf_key.c,v
- *
- * Revision 1.5 2002/03/08 21:44:04 rgb
- * Update for all GNU-compliant --version strings.
- *
- * Revision 1.4 2001/11/27 05:19:06 mcr
- * added extra newline between packets.
- * set pfkey_lib_debug to enum rather than just to "1".
- *
- * Revision 1.3 2001/11/27 03:35:29 rgb
- * Added stdlib *again*.
- *
- * Revision 1.2 2001/11/23 07:23:14 mcr
- * pulled up klips2 Makefile and pf_key code.
- *
- * Revision 1.1.2.5 2001/10/23 18:49:12 mcr
- * renamed man page to section 8.
- * added --ah, --esp, --ipcomp and --ipip to control which
- * protocols are printed.
- * incomplete messages which include at least an sadb header are printed.
- *
- * Revision 1.1.2.4 2001/10/22 21:50:51 rgb
- * Added pfkey register for AH, ESP, IPIP and COMP.
- *
- * Revision 1.1.2.3 2001/10/21 21:51:06 rgb
- * Bug fixes to get working.
- *
- * Revision 1.1.2.2 2001/10/20 22:45:31 rgb
- * Added check for exact length and a call to message parser to get some
- * idea of the contents of each extension.
- *
- * Revision 1.1.2.1 2001/10/17 23:25:37 mcr
- * added "pk_key" program to dump raw kernel pf messages.
- * (program is still skeletal)
- *
- *
- * Local variables:
- * c-file-style: "linux"
- * End:
- *
- */
diff --git a/programs/pluto/.cvsignore b/programs/pluto/.cvsignore
deleted file mode 100644
index fb96dae41..000000000
--- a/programs/pluto/.cvsignore
+++ /dev/null
@@ -1,3 +0,0 @@
-_pluto_adns
-pluto
-whack
diff --git a/programs/pluto/Makefile b/programs/pluto/Makefile
deleted file mode 100644
index d466d0209..000000000
--- a/programs/pluto/Makefile
+++ /dev/null
@@ -1,1090 +0,0 @@
-# Pluto Makefile
-# Copyright (C) 1997 Angelos D. Keromytis.
-# Copyright (C) 1998-2001 D. Hugh Redelmeier
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.49 2007/01/29 08:27:19 as Exp $
-
-# relative path to top directory of FreeS/WAN source
-# Note: referenced in ${FREESWANSRCDIR}/Makefile.inc
-FREESWANSRCDIR=../..
-
-include ${FREESWANSRCDIR}/Makefile.inc
-
-FMANDIR=$(MANTREE)/man5
-PMANDIR=$(MANTREE)/man8
-
-# -O on Linux makes gcc coredump when compiling sha1.c
-# -Wundef is nice but RHL5.2 compiler doesn't support it
-CFLAGS = -g -Wall -W -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast \
- -Wcast-qual -Wmissing-declarations -Wwrite-strings \
- -Wstrict-prototypes # -Wundef
-
-# where to find klips headers and FreeS/WAN headers
-HDRDIRS = -I$(KLIPSINC) -I${FREESWANSRCDIR}/programs/pluto/linux26
-
-# where to find sha2.h
-LIBCRYPTO=$(FREESWANSRCDIR)/lib/libcrypto
-HDRDIRS += -I$(LIBCRYPTO)
-
-# On non-LINUX systems, these one of these may be needed (see endian.h)
-# BYTE_ORDER = -DBIG_ENDIAN=4321 -DLITTLE_ENDIAN=1234 -DBYTE_ORDER=BIG_ENDIAN
-# BYTE_ORDER = -DBIG_ENDIAN=4321 -DLITTLE_ENDIAN=1234 -DBYTE_ORDER=LITTLE_ENDIAN
-
-# -DKLIPS enables interface to Kernel LINUX IPsec code
-# -DDEBUG enables debugging code, allowing for debugging output
-# (note that output must also be selected at runtime, so it is
-# reasonable to always define this)
-# -DVENDORID enables Pluto to send out a VendorID payload.
-# this can be used by remote nodes to work around faults (bugs),
-# but is most useful to humans who are debugging things.
-# -DGCC_LINT uses gcc-specific declarations to improve compile-time
-# diagnostics.
-# -DLEAK_DETECTIVE enables crude code to find memory allocation leaks.
-# -DOLD_RESOLVER. At some point, the resolver interface changed.
-# This macro enables Pluto support for the old interface.
-# It is automatically defined, based on the value of the <resolver.h>
-# macro __RES. We don't know the correct threshold, so you may
-# find that you must manually define this. If so, please inform
-# us so that we can refine the threshold.
-# -DLIBCURL includes libcurl functions for the support of http-based protocols.
-# -DLDAP_VER includes openldap functions for the support of ldap-based queries.
-# LDAPv2 and LDAPv3 are supported.
-# -DTHREADS enables an asynchronous thread managing CRL fetching.
-# This option is activated either by -DLIBCURL or -DLDAP_VER.
-# -DSMARTCARD enables PKCS11-based smartcard support
-# -DPKCS11_DEFAULT_LIB defines a default PKCS11 library module which will be
-# loaded during runtime and is overridden by the pkcs11module parameter in
-# ipsec.conf. This option is activated by -DSMARTCARD.
-# -DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
-# allows IPsec transport mode in NAT-ed environments. Because of the
-# inherent security risks of such scenarios this options is deactivated
-# by default.
-
-# The following are best left undefined -- each can be overridden at runtime
-# if need be.
-# -DPORT=n sets the default UDP port for IKE messages (otherwise 500)
-# -DSHARED_SECRETS_FILE=string overrides /etc/ipsec.secrets as the
-# default name of the file containing secrets used to authenticate other
-# IKE daemons. In the Makefile, two levels of quoting are needed:
-# -DSHARED_SECRETS_FILE='"/etc/ipsec.secrets"'
-# -DDEFAULT_CTLBASE=string overrides /var/run/pluto as default directory
-# and basename for pluto's lockfile (.pid) and control socket (.ctl).
-# Double quoting may be needed.
-
-ifeq ($(USE_LWRES),true)
- LWRESDEF=-DUSE_LWRES
- USE_ADNS=false
- BINNAMEADNSIFNEEDE=
-else
- USE_ADNS=true
- BINNAMEADNSIFNEEDED=$(BINNAMEADNS)
-endif
-
-ifeq ($(USE_KEYRR),true)
- KEYRR_DEFINES=-DUSE_KEYRR
-endif
-
-ifeq ($(USE_KERNEL26),true)
- KERNEL26_DEFS=-DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES
- KERNEL26_SRCS=kernel_netlink.c kernel_netlink.h
- KERNEL26_OBJS=kernel_netlink.o
-endif
-
-ifeq ($(USE_NAT_TRAVERSAL),true)
- NAT_DEFS=-DNAT_TRAVERSAL -DVIRTUAL_IP
-endif
-
-ifeq ($(USE_NAT_TRAVERSAL_TRANSPORT_MODE),true)
- NAT_DEFS+=-DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
-endif
-
-DEFINES = $(EXTRA_DEFINES) \
- $(IPSECPOLICY_DEFINES) \
- $(KEYRR_DEFINES) \
- $(BYTE_ORDER) \
- $(LWRESDEF) \
- $(KERNEL26_DEFS) \
- -DPLUTO \
- -DKLIPS \
- -DDEBUG \
- -DGCC_LINT \
- $(NAT_DEFS)
-
-# libefence is a free memory allocation debugger
-# Solaris 2 needs -lsocket -lnsl
-LIBSPLUTO = $(OBJSGCRYPT) $(LIBDESLITE) $(FREESWANLIB) $(IPSECPOLICY_LIBS)
-LIBSPLUTO+= -lgmp -ldl -lresolv # -lefence
-
-
-ifeq ($(USE_VENDORID),true)
- DEFINES+= -DVENDORID
-endif
-
-ifeq ($(USE_CISCO_QUIRKS),true)
- DEFINES+= -DCISCO_QUIRKS
-endif
-
-# This compile option activates dynamic URL fetching using libcurl
-ifeq ($(USE_LIBCURL),true)
- DEFINES+= -DLIBCURL
- LIBSPLUTO+= -lcurl
- THREADS=1 # Asynchronous cURL queries require threads
-endif
-
-# This compile option activates dynamic LDAP CRL fetching
-ifeq ($(USE_LDAP),true)
- DEFINES+= -DLDAP_VER=$(LDAP_VERSION)
- LIBSPLUTO+= -lldap -llber
- THREADS=1 # Asynchronous LDAP queries require threads
-endif
-
-# This compile option activates the use of threads
-ifdef THREADS
- DEFINES+= -DTHREADS
- LIBSPLUTO+= -lpthread
-endif
-
-# This compile option activates smartcard support
-ifeq ($(USE_SMARTCARD),true)
- DEFINES+= -DSMARTCARD
- ifdef PKCS11_DEFAULT_LIB
- DEFINES+= -DPKCS11_DEFAULT_LIB=$(PKCS11_DEFAULT_LIB)
- endif
-endif
-
-# This compile option activates the leak detective
-ifeq ($(USE_LEAK_DETECTIVE),true)
- DEFINES+= -DLEAK_DETECTIVE
-endif
-
-CPPFLAGS = $(HDRDIRS) $(DEFINES) \
- -DSHARED_SECRETS_FILE=\"${FINALCONFDIR}/ipsec.secrets\" \
- -DPOLICYGROUPSDIR=\"${FINALCONFDDIR}/policies\" \
- -DPERPEERLOGDIR=\"${FINALLOGDIR}/pluto/peer\"
-
-ALLFLAGS = $(CPPFLAGS) $(CFLAGS) $(USERCOMPILE)
-
-ifneq ($(LD_LIBRARY_PATH),)
- LDFLAGS=-L$(LD_LIBRARY_PATH)
-endif
-
-LIBSADNS = $(FREESWANLIB)
-LIBSADNS += -lresolv # -lefence
-
-# Solaris needs -lsocket -lnsl
-LIBSWHACK = ${FREESWANLIB}
-
-BINNAMEPLUTO = pluto
-BINNAMEWHACK = whack
-BINNAMEADNS = _pluto_adns
-
-RM = /bin/rm
-RMFLAGS = -f
-
-.SUFFIXES:
-.SUFFIXES: .c .o
-
-# files for a (source) distribution
-
-DISTMISC = CHANGES PLUTO-CONVENTIONS TODO ipsec.secrets Makefile routing.txt \
- pluto.8 ipsec.secrets.5 .cvsignore
-
-DISTGCRYPT = \
- gcryptfix.c gcryptfix.h \
- dsa.c dsa.h \
- elgamal.c elgamal.h \
- primegen.c \
- smallprime.c
-
-DISTSRC = \
- ac.c ac.h \
- asn1.c asn1.h \
- ca.c ca.h \
- certs.c certs.h \
- connections.c connections.h \
- crl.c crl.h \
- foodgroups.c foodgroups.h \
- constants.c constants.h \
- cookie.c cookie.h \
- crypto.h crypto.c \
- defs.h defs.c \
- mp_defs.h mp_defs.c \
- demux.c demux.h \
- dnskey.c dnskey.h \
- fetch.c fetch.h \
- id.c id.h \
- ipsec_doi.c ipsec_doi.h \
- kernel.c kernel.h \
- kernel_netlink.c kernel_netlink.h \
- kernel_pfkey.c kernel_pfkey.h \
- kernel_noklips.c kernel_noklips.h \
- kernel_alg.c kernel_alg.h \
- ike_alg.c ike_alg.h \
- alg_info.c alg_info.h \
- rcv_whack.c rcv_whack.h \
- $(IPSECPOLICY_FILES) \
- log.c log.h \
- plutomain.c \
- md2.c md2.h \
- md5.c md5.h \
- modecfg.c modecfg.h \
- ocsp.c ocsp.h \
- oid.txt oid.pl oid.c oid.h \
- packet.c packet.h \
- pem.c pem.h \
- pgp.c pgp.h \
- pkcs1.c pkcs1.h \
- pkcs7.c pkcs7.h \
- lex.c lex.h \
- keys.c keys.h \
- rnd.c rnd.h \
- server.c server.h \
- sha1.c sha1.h \
- smartcard.c smartcard.h \
- spdb.c spdb.h \
- state.c state.h \
- timer.c timer.h \
- xauth.c xauth.h \
- x509.c x509.h \
- $(DISTGCRYPT) \
- vendor.c nat_traversal.c virtual.c \
- adns.c adns.h \
- whack.c whack.h
-
-DIST = $(DISTMISC) $(DISTSRC)
-
-
-# start of support for DSS/DSA. Not currently used.
-# OBJSGCRYPT = gcryptfix.o dsa.o elgamal.o primegen.o smallprime.o
-OBJSGCRYPT =
-
-OBJSPLUTO = asn1.o connections.o constants.o cookie.o crypto.o defs.o fetch.o foodgroups.o \
- log.o state.o plutomain.o server.o timer.o oid.o pem.o pgp.o pkcs1.o pkcs7.o x509.o \
- ca.o certs.o id.o ipsec_doi.o kernel.o $(KERNEL26_OBJS) kernel_pfkey.o mp_defs.o \
- kernel_noklips.o rcv_whack.o ${IPSECPOLICY_OBJS} demux.o packet.o lex.o keys.o \
- dnskey.o smartcard.o ac.o rnd.o spdb.o sha1.o md5.o md2.o modecfg.o ocsp.o crl.o \
- vendor.o nat_traversal.o virtual.o xauth.o
-
-OBJSADNS = adns.o
-
-OBJSWHACK = whack.o
-
-all: $(BINNAMEPLUTO) $(BINNAMEADNSIFNEEDED) $(BINNAMEWHACK)
-programs: $(BINNAMEPLUTO) $(BINNAMEADNSIFNEEDED) $(BINNAMEWHACK)
-
-oid.c: oid.txt oid.pl
- perl oid.pl
-
-oid.h: oid.txt oid.pl
- perl oid.pl
-
-install: all
- mkdir -p ${LIBEXECDIR} ${LIBDIR}
- mkdir -p -m 755 $(CONFDIR)/ipsec.d
- mkdir -p -m 755 $(CONFDIR)/ipsec.d/cacerts
- mkdir -p -m 755 $(CONFDIR)/ipsec.d/ocspcerts
- mkdir -p -m 755 $(CONFDIR)/ipsec.d/certs
- mkdir -p -m 755 $(CONFDIR)/ipsec.d/acerts
- mkdir -p -m 755 $(CONFDIR)/ipsec.d/aacerts
- mkdir -p -m 755 $(CONFDIR)/ipsec.d/crls
- mkdir -p -m 755 $(CONFDIR)/ipsec.d/reqs
- mkdir -p -m 700 $(CONFDIR)/ipsec.d/private
- $(INSTALL) $(INSTBINFLAGS) $(BINNAMEPLUTO) $(BINNAMEWHACK) $(LIBEXECDIR)
- if $(USE_ADNS) ; then $(INSTALL) $(INSTBINFLAGS) $(BINNAMEADNS) $(LIBDIR) ; fi
- $(INSTALL) $(INSTMANFLAGS) pluto.8 $(PMANDIR)/ipsec_pluto.8
- sh ${FREESWANSRCDIR}/packaging/utils/manlink pluto.8 | \
- while read from to ; \
- do \
- ln -s -f ipsec_$$from $(PMANDIR)/$$to; \
- done
- $(INSTALL) $(INSTMANFLAGS) ipsec.secrets.5 $(FMANDIR)
- sh ${FREESWANSRCDIR}/packaging/utils/manlink ipsec.secrets.5 | \
- while read from to ; \
- do \
- ln -s -f $$from $(FMANDIR)/$$to; \
- done
-
-install_file_list:
- @echo $(LIBEXECDIR)/$(BINNAMEPLUTO)
- @if $(USE_ADNS) ; then echo $(LIBDIR)/$(BINNAMEADNS) ; fi
- @echo $(LIBEXECDIR)/$(BINNAMEWHACK)
- @echo $(PMANDIR)/ipsec_pluto.8
- @sh ${FREESWANSRCDIR}/packaging/utils/manlink pluto.8 | \
- while read from to; \
- do\
- echo $(PMANDIR)/$$to; \
- done
- @echo $(FMANDIR)/ipsec.secrets.5
- @sh ${FREESWANSRCDIR}/packaging/utils/manlink ipsec.secrets.5 | \
- while read from to; \
- do \
- echo $(FMANDIR)/$$to; \
- done
-
-alg_info_test: alg_info_test.o alg_info.o kernel_alg.o ike_alg.o constants.o defs.o log.o db_ops.o crypto.o $(LIBDESLITE) $(FREESWANLIB)
- $(CC) -o $@ $^ $(LIBSPLUTO)
-
-# alg/libalg.o contains an already resolved object built with
-# additional crypto algos inside.
-OBJSPLUTO:= kernel_alg.o ike_alg.o alg_info.o db_ops.o $(OBJSPLUTO) alg/libalg.o
-# if new alg source is created in alg directory,
-# trigger libalg.o rebuild
-alg/libalg.o: alg alg/Config.ike_alg
- make -C alg libalg.o
- touch alg/libalg.o
-
-# helper for creating alg/Make.common
-showdefs:
- @echo DEFINES=$(DEFINES)
- @echo CFLAGS=$(CFLAGS)
- @echo CPPFLAGS=$(CPPFLAGS)
- @echo COPTS=$(COPTS)
-
-$(BINNAMEPLUTO): $(OBJSPLUTO) $(ALG_LIBS)
- $(CC) -o $(BINNAMEPLUTO) $(LDFLAGS) $(OBJSPLUTO) $(LIBSPLUTO)
-
-$(BINNAMEADNS): $(OBJSADNS)
- $(CC) -o $(BINNAMEADNS) $(OBJSADNS) $(LIBSADNS)
-
-$(BINNAMEWHACK): $(OBJSWHACK)
- $(CC) -o $(BINNAMEWHACK) $(OBJSWHACK) $(LIBSWHACK)
-
-distlist:
- @echo $(DIST)
-
-# Exuberant Ctags doesn't work if LC_ALL is set to something other than C
-
-CTAGSFLAGS = -N --format=1 # fishy options required for Exuberant Ctags
-
-tags: $(DISTSRC)
- LC_ALL=C ctags $(CTAGSFLAGS) $(DISTSRC) $(LIBFREESWANDIR)/*.[ch]
-
-TAGS: $(DISTSRC)
- LC_ALL=C etags $(ETAGSFLAGS) $(DISTSRC) $(LIBFREESWANDIR)/*.[ch]
-
-cleanall: clean
-
-distclean: clean
-
-mostlyclean: clean
-
-realclean: clean
-
-clean:
- $(RM) $(RMFLAGS) *.core core *~ a.out ktrace.out \
- $(OBJSPLUTO) $(BINNAMEPLUTO) \
- $(OBJSWHACK) $(BINNAMEWHACK) \
- $(OBJSADNS) $(BINNAMEADNS)
- make -C alg clean
-
-check:
- echo no checks in lib right now.
-
-checkprograms:
-
-.c.o:
- $(CC) $(COPTS) $(ALLFLAGS) -c $<
-
-# Gather dependencies caused by explicit #includes within .c files
-#
-# Each .c is assumed to compile into a .o with the corresponding name.
-# Only dependencies on based on "" includes are considered, not <>.
-# Dependencies caused by includes within headers are not noticed.
-# Unlike dependencies generated by the compiler, these include dependencies
-# suppressed by conditional compilation (good, we think).
-# This code can be tricked by embeding #include in comments or
-# vice-versa, but we're among friends.
-
-gatherdeps:
- @ls $(DISTSRC) | grep '\.c' | sed -e 's/\(.*\)\.c$$/\1.o: \1.c/'
- @echo
- @ls $(DISTSRC) | grep '\.c' | xargs grep '^#[ ]*include[ ]*"' | \
- sed -e 's/\.c:#[ ]*include[ ]*"/.o: /' -e 's/".*//'
-
-# Dependencies generated by "make gatherdeps":
-
-ac.o: ac.c
-adns.o: adns.c
-alg_info.o: alg_info.c
-asn1.o: asn1.c
-ca.o: ca.c
-certs.o: certs.c
-connections.o: connections.c
-constants.o: constants.c
-cookie.o: cookie.c
-crl.o: crl.c
-crypto.o: crypto.c
-defs.o: defs.c
-demux.o: demux.c
-dnskey.o: dnskey.c
-dsa.o: dsa.c
-elgamal.o: elgamal.c
-fetch.o: fetch.c
-foodgroups.o: foodgroups.c
-gcryptfix.o: gcryptfix.c
-id.o: id.c
-ike_alg.o: ike_alg.c
-ipsec_doi.o: ipsec_doi.c
-kernel.o: kernel.c
-kernel_alg.o: kernel_alg.c
-kernel_netlink.o: kernel_netlink.c
-kernel_noklips.o: kernel_noklips.c
-kernel_pfkey.o: kernel_pfkey.c
-keys.o: keys.c
-lex.o: lex.c
-log.o: log.c
-md2.o: md2.c
-md5.o: md5.c
-modecfg.o: modecfg.c
-mp_defs.o: mp_defs.c
-nat_traversal.o: nat_traversal.c
-ocsp.o: ocsp.c
-oid.o: oid.c
-packet.o: packet.c
-pem.o: pem.c
-pgp.o: pgp.c
-pkcs1.o: pkcs1.c
-pkcs7.o: pkcs7.c
-plutomain.o: plutomain.c
-primegen.o: primegen.c
-rcv_whack.o: rcv_whack.c
-rnd.o: rnd.c
-server.o: server.c
-sha1.o: sha1.c
-smallprime.o: smallprime.c
-smartcard.o: smartcard.c
-spdb.o: spdb.c
-state.o: state.c
-timer.o: timer.c
-vendor.o: vendor.c
-virtual.o: virtual.c
-whack.o: whack.c
-x509.o: x509.c
-xauth.o: xauth.c
-
-ac.o: constants.h
-ac.o: defs.h
-ac.o: asn1.h
-ac.o: oid.h
-ac.o: ac.h
-ac.o: x509.h
-ac.o: crl.h
-ac.o: ca.h
-ac.o: certs.h
-ac.o: log.h
-ac.o: whack.h
-ac.o: fetch.h
-adns.o: constants.h
-adns.o: adns.h
-alg_info.o: alg_info.h
-alg_info.o: constants.h
-alg_info.o: defs.h
-alg_info.o: log.h
-alg_info.o: whack.h
-alg_info.o: sha1.h
-alg_info.o: md5.h
-alg_info.o: crypto.h
-alg_info.o: kernel_alg.h
-alg_info.o: ike_alg.h
-asn1.o: constants.h
-asn1.o: defs.h
-asn1.o: mp_defs.h
-asn1.o: asn1.h
-asn1.o: oid.h
-asn1.o: log.h
-ca.o: constants.h
-ca.o: defs.h
-ca.o: log.h
-ca.o: x509.h
-ca.o: ca.h
-ca.o: certs.h
-ca.o: whack.h
-ca.o: fetch.h
-certs.o: constants.h
-certs.o: defs.h
-certs.o: log.h
-certs.o: asn1.h
-certs.o: id.h
-certs.o: x509.h
-certs.o: pgp.h
-certs.o: pem.h
-certs.o: certs.h
-certs.o: pkcs1.h
-connections.o: kameipsec.h
-connections.o: constants.h
-connections.o: defs.h
-connections.o: id.h
-connections.o: x509.h
-connections.o: ca.h
-connections.o: crl.h
-connections.o: pgp.h
-connections.o: certs.h
-connections.o: ac.h
-connections.o: smartcard.h
-connections.o: fetch.h
-connections.o: connections.h
-connections.o: foodgroups.h
-connections.o: demux.h
-connections.o: state.h
-connections.o: timer.h
-connections.o: ipsec_doi.h
-connections.o: server.h
-connections.o: kernel.h
-connections.o: log.h
-connections.o: keys.h
-connections.o: adns.h
-connections.o: dnskey.h
-connections.o: whack.h
-connections.o: alg_info.h
-connections.o: ike_alg.h
-connections.o: kernel_alg.h
-connections.o: nat_traversal.h
-connections.o: virtual.h
-constants.o: constants.h
-constants.o: defs.h
-constants.o: log.h
-constants.o: packet.h
-cookie.o: constants.h
-cookie.o: defs.h
-cookie.o: sha1.h
-cookie.o: rnd.h
-cookie.o: cookie.h
-crl.o: constants.h
-crl.o: defs.h
-crl.o: log.h
-crl.o: asn1.h
-crl.o: oid.h
-crl.o: x509.h
-crl.o: crl.h
-crl.o: ca.h
-crl.o: certs.h
-crl.o: keys.h
-crl.o: whack.h
-crl.o: fetch.h
-crl.o: sha1.h
-crypto.o: constants.h
-crypto.o: defs.h
-crypto.o: state.h
-crypto.o: log.h
-crypto.o: md5.h
-crypto.o: sha1.h
-crypto.o: crypto.h
-crypto.o: alg_info.h
-crypto.o: ike_alg.h
-defs.o: constants.h
-defs.o: defs.h
-defs.o: log.h
-defs.o: whack.h
-demux.o: constants.h
-demux.o: defs.h
-demux.o: cookie.h
-demux.o: connections.h
-demux.o: state.h
-demux.o: packet.h
-demux.o: md5.h
-demux.o: sha1.h
-demux.o: crypto.h
-demux.o: ike_alg.h
-demux.o: log.h
-demux.o: demux.h
-demux.o: ipsec_doi.h
-demux.o: timer.h
-demux.o: whack.h
-demux.o: server.h
-demux.o: nat_traversal.h
-demux.o: vendor.h
-demux.o: modecfg.h
-dnskey.o: constants.h
-dnskey.o: adns.h
-dnskey.o: defs.h
-dnskey.o: log.h
-dnskey.o: id.h
-dnskey.o: connections.h
-dnskey.o: keys.h
-dnskey.o: dnskey.h
-dnskey.o: packet.h
-dnskey.o: timer.h
-dsa.o: constants.h
-dsa.o: defs.h
-dsa.o: log.h
-dsa.o: rnd.h
-dsa.o: gcryptfix.h
-dsa.o: dsa.h
-elgamal.o: constants.h
-elgamal.o: defs.h
-elgamal.o: log.h
-elgamal.o: rnd.h
-elgamal.o: gcryptfix.h
-elgamal.o: elgamal.h
-fetch.o: constants.h
-fetch.o: defs.h
-fetch.o: log.h
-fetch.o: id.h
-fetch.o: asn1.h
-fetch.o: pem.h
-fetch.o: x509.h
-fetch.o: ca.h
-fetch.o: whack.h
-fetch.o: ocsp.h
-fetch.o: crl.h
-fetch.o: fetch.h
-foodgroups.o: constants.h
-foodgroups.o: defs.h
-foodgroups.o: connections.h
-foodgroups.o: foodgroups.h
-foodgroups.o: kernel.h
-foodgroups.o: lex.h
-foodgroups.o: log.h
-foodgroups.o: whack.h
-gcryptfix.o: constants.h
-gcryptfix.o: defs.h
-gcryptfix.o: log.h
-gcryptfix.o: rnd.h
-gcryptfix.o: gcryptfix.h
-id.o: constants.h
-id.o: defs.h
-id.o: id.h
-id.o: log.h
-id.o: connections.h
-id.o: packet.h
-id.o: whack.h
-ike_alg.o: constants.h
-ike_alg.o: defs.h
-ike_alg.o: sha1.h
-ike_alg.o: md5.h
-ike_alg.o: crypto.h
-ike_alg.o: state.h
-ike_alg.o: packet.h
-ike_alg.o: log.h
-ike_alg.o: whack.h
-ike_alg.o: spdb.h
-ike_alg.o: alg_info.h
-ike_alg.o: ike_alg.h
-ike_alg.o: db_ops.h
-ike_alg.o: connections.h
-ike_alg.o: kernel.h
-ipsec_doi.o: constants.h
-ipsec_doi.o: defs.h
-ipsec_doi.o: mp_defs.h
-ipsec_doi.o: state.h
-ipsec_doi.o: id.h
-ipsec_doi.o: x509.h
-ipsec_doi.o: crl.h
-ipsec_doi.o: ca.h
-ipsec_doi.o: certs.h
-ipsec_doi.o: smartcard.h
-ipsec_doi.o: connections.h
-ipsec_doi.o: keys.h
-ipsec_doi.o: packet.h
-ipsec_doi.o: demux.h
-ipsec_doi.o: adns.h
-ipsec_doi.o: dnskey.h
-ipsec_doi.o: kernel.h
-ipsec_doi.o: log.h
-ipsec_doi.o: cookie.h
-ipsec_doi.o: server.h
-ipsec_doi.o: spdb.h
-ipsec_doi.o: timer.h
-ipsec_doi.o: rnd.h
-ipsec_doi.o: ipsec_doi.h
-ipsec_doi.o: whack.h
-ipsec_doi.o: fetch.h
-ipsec_doi.o: pkcs7.h
-ipsec_doi.o: asn1.h
-ipsec_doi.o: sha1.h
-ipsec_doi.o: md5.h
-ipsec_doi.o: crypto.h
-ipsec_doi.o: vendor.h
-ipsec_doi.o: alg_info.h
-ipsec_doi.o: ike_alg.h
-ipsec_doi.o: kernel_alg.h
-ipsec_doi.o: nat_traversal.h
-ipsec_doi.o: virtual.h
-kernel.o: kameipsec.h
-kernel.o: constants.h
-kernel.o: defs.h
-kernel.o: rnd.h
-kernel.o: id.h
-kernel.o: connections.h
-kernel.o: state.h
-kernel.o: timer.h
-kernel.o: kernel.h
-kernel.o: kernel_netlink.h
-kernel.o: kernel_pfkey.h
-kernel.o: kernel_noklips.h
-kernel.o: log.h
-kernel.o: ca.h
-kernel.o: server.h
-kernel.o: whack.h
-kernel.o: keys.h
-kernel.o: packet.h
-kernel.o: nat_traversal.h
-kernel.o: alg_info.h
-kernel.o: kernel_alg.h
-kernel_alg.o: constants.h
-kernel_alg.o: defs.h
-kernel_alg.o: connections.h
-kernel_alg.o: state.h
-kernel_alg.o: packet.h
-kernel_alg.o: spdb.h
-kernel_alg.o: kernel.h
-kernel_alg.o: kernel_alg.h
-kernel_alg.o: alg_info.h
-kernel_alg.o: log.h
-kernel_alg.o: whack.h
-kernel_alg.o: db_ops.h
-kernel_netlink.o: kameipsec.h
-kernel_netlink.o: linux26/rtnetlink.h
-kernel_netlink.o: linux26/xfrm.h
-kernel_netlink.o: constants.h
-kernel_netlink.o: defs.h
-kernel_netlink.o: kernel.h
-kernel_netlink.o: kernel_netlink.h
-kernel_netlink.o: kernel_pfkey.h
-kernel_netlink.o: log.h
-kernel_netlink.o: whack.h
-kernel_netlink.o: kernel_alg.h
-kernel_noklips.o: constants.h
-kernel_noklips.o: defs.h
-kernel_noklips.o: kernel.h
-kernel_noklips.o: kernel_noklips.h
-kernel_noklips.o: log.h
-kernel_noklips.o: whack.h
-kernel_pfkey.o: constants.h
-kernel_pfkey.o: defs.h
-kernel_pfkey.o: kernel.h
-kernel_pfkey.o: kernel_pfkey.h
-kernel_pfkey.o: log.h
-kernel_pfkey.o: whack.h
-kernel_pfkey.o: demux.h
-kernel_pfkey.o: nat_traversal.h
-kernel_pfkey.o: alg_info.h
-kernel_pfkey.o: kernel_alg.h
-keys.o: constants.h
-keys.o: defs.h
-keys.o: mp_defs.h
-keys.o: id.h
-keys.o: x509.h
-keys.o: pgp.h
-keys.o: certs.h
-keys.o: smartcard.h
-keys.o: connections.h
-keys.o: state.h
-keys.o: lex.h
-keys.o: keys.h
-keys.o: adns.h
-keys.o: dnskey.h
-keys.o: log.h
-keys.o: whack.h
-keys.o: timer.h
-keys.o: fetch.h
-keys.o: xauth.h
-lex.o: constants.h
-lex.o: defs.h
-lex.o: log.h
-lex.o: whack.h
-lex.o: lex.h
-log.o: constants.h
-log.o: defs.h
-log.o: log.h
-log.o: server.h
-log.o: state.h
-log.o: connections.h
-log.o: kernel.h
-log.o: whack.h
-log.o: timer.h
-md2.o: md2.h
-md5.o: md5.h
-modecfg.o: constants.h
-modecfg.o: defs.h
-modecfg.o: state.h
-modecfg.o: demux.h
-modecfg.o: timer.h
-modecfg.o: ipsec_doi.h
-modecfg.o: log.h
-modecfg.o: md5.h
-modecfg.o: sha1.h
-modecfg.o: crypto.h
-modecfg.o: modecfg.h
-modecfg.o: whack.h
-modecfg.o: xauth.h
-mp_defs.o: constants.h
-mp_defs.o: defs.h
-mp_defs.o: mp_defs.h
-mp_defs.o: log.h
-nat_traversal.o: constants.h
-nat_traversal.o: defs.h
-nat_traversal.o: log.h
-nat_traversal.o: server.h
-nat_traversal.o: state.h
-nat_traversal.o: connections.h
-nat_traversal.o: packet.h
-nat_traversal.o: demux.h
-nat_traversal.o: kernel.h
-nat_traversal.o: whack.h
-nat_traversal.o: timer.h
-nat_traversal.o: cookie.h
-nat_traversal.o: sha1.h
-nat_traversal.o: md5.h
-nat_traversal.o: crypto.h
-nat_traversal.o: vendor.h
-nat_traversal.o: ike_alg.h
-nat_traversal.o: nat_traversal.h
-ocsp.o: constants.h
-ocsp.o: defs.h
-ocsp.o: log.h
-ocsp.o: x509.h
-ocsp.o: crl.h
-ocsp.o: ca.h
-ocsp.o: rnd.h
-ocsp.o: asn1.h
-ocsp.o: certs.h
-ocsp.o: smartcard.h
-ocsp.o: oid.h
-ocsp.o: whack.h
-ocsp.o: pkcs1.h
-ocsp.o: keys.h
-ocsp.o: fetch.h
-ocsp.o: ocsp.h
-oid.o: oid.h
-packet.o: constants.h
-packet.o: defs.h
-packet.o: log.h
-packet.o: packet.h
-packet.o: whack.h
-pem.o: constants.h
-pem.o: defs.h
-pem.o: log.h
-pem.o: md5.h
-pem.o: whack.h
-pem.o: pem.h
-pgp.o: constants.h
-pgp.o: defs.h
-pgp.o: mp_defs.h
-pgp.o: log.h
-pgp.o: id.h
-pgp.o: pgp.h
-pgp.o: certs.h
-pgp.o: md5.h
-pgp.o: whack.h
-pgp.o: pkcs1.h
-pgp.o: keys.h
-pkcs1.o: constants.h
-pkcs1.o: defs.h
-pkcs1.o: mp_defs.h
-pkcs1.o: asn1.h
-pkcs1.o: oid.h
-pkcs1.o: log.h
-pkcs1.o: pkcs1.h
-pkcs1.o: md2.h
-pkcs1.o: md5.h
-pkcs1.o: sha1.h
-pkcs1.o: rnd.h
-pkcs7.o: constants.h
-pkcs7.o: defs.h
-pkcs7.o: asn1.h
-pkcs7.o: oid.h
-pkcs7.o: log.h
-pkcs7.o: x509.h
-pkcs7.o: certs.h
-pkcs7.o: pkcs7.h
-pkcs7.o: rnd.h
-plutomain.o: constants.h
-plutomain.o: defs.h
-plutomain.o: id.h
-plutomain.o: ca.h
-plutomain.o: certs.h
-plutomain.o: ac.h
-plutomain.o: connections.h
-plutomain.o: foodgroups.h
-plutomain.o: packet.h
-plutomain.o: demux.h
-plutomain.o: server.h
-plutomain.o: kernel.h
-plutomain.o: log.h
-plutomain.o: keys.h
-plutomain.o: adns.h
-plutomain.o: dnskey.h
-plutomain.o: rnd.h
-plutomain.o: state.h
-plutomain.o: ipsec_doi.h
-plutomain.o: ocsp.h
-plutomain.o: crl.h
-plutomain.o: fetch.h
-plutomain.o: xauth.h
-plutomain.o: sha1.h
-plutomain.o: md5.h
-plutomain.o: crypto.h
-plutomain.o: virtual.h
-plutomain.o: nat_traversal.h
-primegen.o: constants.h
-primegen.o: defs.h
-primegen.o: log.h
-primegen.o: rnd.h
-primegen.o: gcryptfix.h
-rcv_whack.o: constants.h
-rcv_whack.o: defs.h
-rcv_whack.o: id.h
-rcv_whack.o: ca.h
-rcv_whack.o: certs.h
-rcv_whack.o: ac.h
-rcv_whack.o: smartcard.h
-rcv_whack.o: connections.h
-rcv_whack.o: foodgroups.h
-rcv_whack.o: whack.h
-rcv_whack.o: packet.h
-rcv_whack.o: demux.h
-rcv_whack.o: state.h
-rcv_whack.o: ipsec_doi.h
-rcv_whack.o: kernel.h
-rcv_whack.o: rcv_whack.h
-rcv_whack.o: log.h
-rcv_whack.o: keys.h
-rcv_whack.o: adns.h
-rcv_whack.o: dnskey.h
-rcv_whack.o: server.h
-rcv_whack.o: fetch.h
-rcv_whack.o: ocsp.h
-rcv_whack.o: crl.h
-rcv_whack.o: kernel_alg.h
-rcv_whack.o: ike_alg.h
-rnd.o: sha1.h
-rnd.o: constants.h
-rnd.o: defs.h
-rnd.o: rnd.h
-rnd.o: log.h
-rnd.o: timer.h
-server.o: constants.h
-server.o: defs.h
-server.o: state.h
-server.o: connections.h
-server.o: kernel.h
-server.o: log.h
-server.o: server.h
-server.o: timer.h
-server.o: packet.h
-server.o: demux.h
-server.o: rcv_whack.h
-server.o: keys.h
-server.o: adns.h
-server.o: dnskey.h
-server.o: whack.h
-server.o: kameipsec.h
-server.o: nat_traversal.h
-sha1.o: sha1.h
-smallprime.o: constants.h
-smallprime.o: defs.h
-smallprime.o: gcryptfix.h
-smartcard.o: constants.h
-smartcard.o: rsaref/unix.h
-smartcard.o: rsaref/pkcs11.h
-smartcard.o: defs.h
-smartcard.o: mp_defs.h
-smartcard.o: log.h
-smartcard.o: x509.h
-smartcard.o: ca.h
-smartcard.o: certs.h
-smartcard.o: keys.h
-smartcard.o: smartcard.h
-smartcard.o: whack.h
-smartcard.o: fetch.h
-spdb.o: constants.h
-spdb.o: defs.h
-spdb.o: id.h
-spdb.o: connections.h
-spdb.o: state.h
-spdb.o: packet.h
-spdb.o: keys.h
-spdb.o: kernel.h
-spdb.o: log.h
-spdb.o: spdb.h
-spdb.o: whack.h
-spdb.o: sha1.h
-spdb.o: md5.h
-spdb.o: crypto.h
-spdb.o: alg_info.h
-spdb.o: kernel_alg.h
-spdb.o: ike_alg.h
-spdb.o: db_ops.h
-spdb.o: nat_traversal.h
-state.o: constants.h
-state.o: defs.h
-state.o: connections.h
-state.o: state.h
-state.o: kernel.h
-state.o: log.h
-state.o: packet.h
-state.o: keys.h
-state.o: rnd.h
-state.o: timer.h
-state.o: whack.h
-state.o: demux.h
-state.o: ipsec_doi.h
-state.o: sha1.h
-state.o: md5.h
-state.o: crypto.h
-timer.o: constants.h
-timer.o: defs.h
-timer.o: connections.h
-timer.o: state.h
-timer.o: demux.h
-timer.o: ipsec_doi.h
-timer.o: kernel.h
-timer.o: server.h
-timer.o: log.h
-timer.o: rnd.h
-timer.o: timer.h
-timer.o: whack.h
-timer.o: nat_traversal.h
-vendor.o: constants.h
-vendor.o: defs.h
-vendor.o: log.h
-vendor.o: md5.h
-vendor.o: connections.h
-vendor.o: packet.h
-vendor.o: demux.h
-vendor.o: whack.h
-vendor.o: vendor.h
-vendor.o: kernel.h
-vendor.o: nat_traversal.h
-virtual.o: constants.h
-virtual.o: defs.h
-virtual.o: log.h
-virtual.o: connections.h
-virtual.o: whack.h
-virtual.o: virtual.h
-whack.o: constants.h
-whack.o: defs.h
-whack.o: whack.h
-x509.o: constants.h
-x509.o: defs.h
-x509.o: mp_defs.h
-x509.o: log.h
-x509.o: id.h
-x509.o: asn1.h
-x509.o: oid.h
-x509.o: pkcs1.h
-x509.o: x509.h
-x509.o: crl.h
-x509.o: ca.h
-x509.o: certs.h
-x509.o: keys.h
-x509.o: whack.h
-x509.o: fetch.h
-x509.o: ocsp.h
-x509.o: sha1.h
-xauth.o: constants.h
-xauth.o: defs.h
-xauth.o: xauth.h
-xauth.o: keys.h
-xauth.o: log.h
diff --git a/programs/pluto/PLUTO-CONVENTIONS b/programs/pluto/PLUTO-CONVENTIONS
deleted file mode 100644
index 5288dd2bb..000000000
--- a/programs/pluto/PLUTO-CONVENTIONS
+++ /dev/null
@@ -1,127 +0,0 @@
-Notes on Pluto Conventions
-==========================
-
-RCSID $Id: PLUTO-CONVENTIONS,v 1.1 2004/03/15 20:35:28 as Exp $
-
-Pluto has its own stylistic conventions. They are fairly easily
-inferred by reading the code.
-
-- sample formatting:
-
-void
-fun(char *s)
-{
- if (s == NULL)
- {
- return "";
- }
- else
- {
- switch (*s)
- {
- default:
- s++;
- /* fall through */
- case '\0':
- return s;
- }
- }
-}
-
-- a function definition has its function identifier at the margin
-
-- indentation is in steps of 4 columns (tabstops are every 8 columns)
-
-- try to keep lines shorter than 80 columns
-
-- space should be canonical:
- + no line should have trailing whitespace
- + leading whitespace should use tabs where possible
- + indentation should be precise
- + there should be no empty lines at the end of a file.
-
-- braces go on their own line, indented the same as the start of what they are part of
-
-- switch labels are indented the same as the enclosing braces
-
-- if a case falls through, say so explicitly
-
-- spaces follow control flow reserved words (but not function names)
-
-- the operand of return need not be parenthesized
-
-- be careful with types. For example, use size_t and ssize_t.
- Use const wherever possible.
-
-- we pretend that C has a strong boolean type.
- We actually define bool with constants TRUE and FALSE.
- Other types cannot be used as the complete expression in a test.
- Hence:
- if (s == NULL)
- One exception: lset_t values can be treated as booleans
- (technically they are, in the original sense of the word)
-
-
-- memsetting a pointer to binary zero is not guaranteed to make it NULL
-
-- side-effects of expressions are to be avoided.
- BAD: if (i++ == 9)
- OK: i++;
-
-- variables are to have as small a scope as is possible.
- Move definitions into inner blocks whenever possible.
- Often initializing definitions become possible and are clearer.
-
-- within a block that has declarations, separate the declarations from
- the other statements with a blank line.
-
-- "magic numbers" are suspect. Most integers in code stand for something.
- They should be given a name, and that name used consistently.
-
-- don't use malloc/free -- use the wrappers (see defs.h)
-
-- it is good to put comments on #else and #endif to show what
- they match with. I use ! to indicate the sense of the test:
- #ifdef CRUD
- #else /* !CRUD */
- #endif /* !CRUD */
-
- #ifndef CRUD
- #else /* CRUD */
- #endif /* CRUD */
-
-- all functions and variables that are exported from a .c file should
- be declared in that file's header file. Because the .c includes the
- header, the declaration and the definition will be checked by the
- compiler. There is almost no excuse for the "extern" keyword
- in a .c file.
-
-- when lines are too long and expressions are to be broken, try to
- break just before a binary operator. The outermost binary operator
- is preferred. This is perhaps the most unconventional convention.
- It allows the structure of code to be evident from a scan of the
- left margin. Example:
- if (next_step == vos_his_client
- && sameaddr(&c->spd.that.host_addr, &his_client))
- next_step = vos_done;
- and
- p = oppo_instantiate(p, &c->spd.that.host_addr, &c->spd.that.id
- , NULL, &our_client, &his_client);
- Note the different indentation of the continuations. The continuation
- of a control flow statement is not indented but other continuations are.
-
-- Never put two statements on one line.
- REALLY BAD: if (cat);
- Exception: some macro definitions.
-
-- C preprocessor macros are implemented by a kind of textual substitution.
- Be sure to put parentheses around references to macro arguments and
- around the whole macro body. If the body is meant to be a statement,
- put braces around it instead.
-
- #define RETURN_STF_FAILURE(f) \
- { int r = (f); if (r != NOTHING_WRONG) return STF_FAIL + r; }
-
-- adding #include statements adds dependencies. The Makefile should be
- changed to reflect them. Target "makedepend" will try to list dependencies
- in a way suitable for pasting into Makefile
diff --git a/programs/pluto/alg/Config.ike_alg b/programs/pluto/alg/Config.ike_alg
deleted file mode 100644
index 0fcda4cad..000000000
--- a/programs/pluto/alg/Config.ike_alg
+++ /dev/null
@@ -1,9 +0,0 @@
-##
-## IKE algorithms config. for static linking into pluto
-## By now 3DES,MD5 and SHA1 are already present in pluto.
-##
-CONFIG_IKE_ALG_AES=y
-CONFIG_IKE_ALG_BLOWFISH=y
-CONFIG_IKE_ALG_SERPENT=y
-CONFIG_IKE_ALG_TWOFISH=y
-CONFIG_IKE_ALG_SHA2=y
diff --git a/programs/pluto/alg/Makefile b/programs/pluto/alg/Makefile
deleted file mode 100644
index 9732cc80e..000000000
--- a/programs/pluto/alg/Makefile
+++ /dev/null
@@ -1,93 +0,0 @@
-# pluto/alg Makefile
-# Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# $Id: Makefile,v 1.3 2004/06/23 04:45:20 as Exp $
-
-Make.common: ../Makefile
- make -s -C .. showdefs > $@
-
--include Make.common
-include Config.ike_alg
-
-LIBCRYPTO:=../../../lib/libcrypto
-ALLFLAGS=$(CPPFLAGS) $(CFLAGS) -I .. -I- -I ../../../linux/include -I $(LIBCRYPTO)
-LIBALG := libalg.o
-
-all : $(LIBALG)
-
-include $(wildcard Makefile.ike_alg_*)
-#include $(wildcard Makefile.ike_alg_[ab]*)
-
-ALG_DIRS:=$(ALG_DIRS-y)
-ALG_LIBS:=$(ALG_LIBS-y)
-ALG_SRCS:=$(ALG_SRCS-y)
-ALG_OBJS:=$(ALG_OBJS-y)
-$(LIBALG): ike_alginit.o $(ALG_OBJS) $(ALG_LIBS)
- $(LD) -r -o $@ $^
-
-# Search for IKE_ALG_INIT_NAME: in ike_alg_*.c to
-# build ike_alginit.c:ike_alginit()
-
-ike_alginit.c: $(ALG_SRCS) Makefile Config.ike_alg
- @awk ' \
- BEGIN { print "extern int ike_alg_init(void); \
- int ike_alg_init(void) {" } \
- /IKE_ALG_INIT_NAME:/ \
- { print "{ extern int " $$2" (void); " $$2 "();}" } \
- END { print "return 0;}" } \
- ' $(ALG_SRCS) /dev/null > $@
-
-clean :
- @for i in $(ALG_DIRS);do make -C $$i clean;done
- rm -f *.[oa] ike_alginit.c Make.common
-
-gatherdeps:
- @ls $(ALG_SRCS) | grep '\.c' | sed -e 's/\(.*\)\.c$$/\1.o: \1.c/'
- @echo
- @ls $(ALG_SRCS) | grep '\.c' | xargs grep '^#[ ]*include[ ]*"' | \
- sed -n -e '/#include.*"lib/d' \
- -e 's/\.c:#[ ]*include[ ]*"/.o: ..\//' -e 's/".*//p'
-
-# Dependencies generated by "make gatherdeps":
-
-ike_alg_aes.o: ike_alg_aes.c
-ike_alg_blowfish.o: ike_alg_blowfish.c
-ike_alg_serpent.o: ike_alg_serpent.c
-ike_alg_sha2.o: ike_alg_sha2.c
-ike_alg_twofish.o: ike_alg_twofish.c
-
-ike_alg_aes.o: ../constants.h
-ike_alg_aes.o: ../defs.h
-ike_alg_aes.o: ../log.h
-ike_alg_aes.o: ../alg_info.h
-ike_alg_aes.o: ../ike_alg.h
-ike_alg_blowfish.o: ../constants.h
-ike_alg_blowfish.o: ../defs.h
-ike_alg_blowfish.o: ../log.h
-ike_alg_blowfish.o: ../alg_info.h
-ike_alg_blowfish.o: ../ike_alg.h
-ike_alg_serpent.o: ../constants.h
-ike_alg_serpent.o: ../defs.h
-ike_alg_serpent.o: ../log.h
-ike_alg_serpent.o: ../alg_info.h
-ike_alg_serpent.o: ../ike_alg.h
-ike_alg_sha2.o: ../constants.h
-ike_alg_sha2.o: ../defs.h
-ike_alg_sha2.o: ../log.h
-ike_alg_sha2.o: ../alg_info.h
-ike_alg_sha2.o: ../ike_alg.h
-ike_alg_twofish.o: ../constants.h
-ike_alg_twofish.o: ../defs.h
-ike_alg_twofish.o: ../log.h
-ike_alg_twofish.o: ../alg_info.h
-ike_alg_twofish.o: ../ike_alg.h
diff --git a/programs/pluto/alg/Makefile.ike_alg_aes b/programs/pluto/alg/Makefile.ike_alg_aes
deleted file mode 100644
index 12009ba5c..000000000
--- a/programs/pluto/alg/Makefile.ike_alg_aes
+++ /dev/null
@@ -1,14 +0,0 @@
-ALG:=aes
-CONFIG_YES:=$(CONFIG_IKE_ALG_AES)
-DIR_AES:=$(LIBCRYPTO)/libaes
-
-ALG_DIRS-$(CONFIG_YES) := $(ALG_DIRS-$(CONFIG_YES)) $(DIR_AES)
-ALG_LIBS-$(CONFIG_YES) := $(ALG_LIBS-$(CONFIG_YES)) $(DIR_AES)/libaes.a
-ALG_SRCS-$(CONFIG_YES) := $(ALG_SRCS-$(CONFIG_YES)) ike_alg_$(ALG).c
-ALG_OBJS-$(CONFIG_YES) := $(ALG_OBJS-$(CONFIG_YES)) ike_alg_$(ALG).o
-
-$(DIR_AES)/libaes.a:
- make -C $(DIR_AES) CFLAGS="$(CFLAGS)" libaes.a
-
-ike_alg_$(ALG).o: ike_alg_$(ALG).c
- $(CC) -I $(LIBCRYPTO) -I$(DIR_AES) $(COPTS) $(ALLFLAGS) -c $<
diff --git a/programs/pluto/alg/Makefile.ike_alg_blowfish b/programs/pluto/alg/Makefile.ike_alg_blowfish
deleted file mode 100644
index c3af6199b..000000000
--- a/programs/pluto/alg/Makefile.ike_alg_blowfish
+++ /dev/null
@@ -1,13 +0,0 @@
-ALG:=blowfish
-CONFIG_YES:=$(CONFIG_IKE_ALG_BLOWFISH)
-DIR_BLOWFISH:=$(LIBCRYPTO)/libblowfish
-ALG_DIRS-$(CONFIG_YES) := $(ALG_DIRS-$(CONFIG_YES)) $(DIR_BLOWFISH)
-ALG_LIBS-$(CONFIG_YES) := $(ALG_LIBS-$(CONFIG_YES)) $(DIR_BLOWFISH)/libblowfish.a
-ALG_SRCS-$(CONFIG_YES) := $(ALG_SRCS-$(CONFIG_YES)) ike_alg_$(ALG).c
-ALG_OBJS-$(CONFIG_YES) := $(ALG_OBJS-$(CONFIG_YES)) ike_alg_$(ALG).o
-
-$(DIR_BLOWFISH)/libblowfish.a:
- make -C $(DIR_BLOWFISH) CFLAGS="$(CFLAGS)" libblowfish.a
-
-ike_alg_$(ALG).o: ike_alg_$(ALG).c
- $(CC) -I $(LIBCRYPTO) -I$(DIR_BLOWFISH) $(COPTS) $(ALLFLAGS) -c $<
diff --git a/programs/pluto/alg/Makefile.ike_alg_serpent b/programs/pluto/alg/Makefile.ike_alg_serpent
deleted file mode 100644
index 3395ac0ea..000000000
--- a/programs/pluto/alg/Makefile.ike_alg_serpent
+++ /dev/null
@@ -1,13 +0,0 @@
-ALG:=serpent
-CONFIG_YES:=$(CONFIG_IKE_ALG_SERPENT)
-DIR_SERPENT:=$(LIBCRYPTO)/libserpent
-ALG_DIRS-$(CONFIG_YES) := $(ALG_DIRS-$(CONFIG_YES)) $(DIR_SERPENT)
-ALG_LIBS-$(CONFIG_YES) := $(ALG_LIBS-$(CONFIG_YES)) $(DIR_SERPENT)/libserpent.a
-ALG_SRCS-$(CONFIG_YES) := $(ALG_SRCS-$(CONFIG_YES)) ike_alg_$(ALG).c
-ALG_OBJS-$(CONFIG_YES) := $(ALG_OBJS-$(CONFIG_YES)) ike_alg_$(ALG).o
-
-$(DIR_SERPENT)/libserpent.a:
- make -C $(DIR_SERPENT) CFLAGS="$(CFLAGS)" libserpent.a
-
-ike_alg_$(ALG).o: ike_alg_$(ALG).c
- $(CC) -I $(LIBCRYPTO) -I$(DIR_SERPENT) $(COPTS) $(ALLFLAGS) -c $<
diff --git a/programs/pluto/alg/Makefile.ike_alg_sha2 b/programs/pluto/alg/Makefile.ike_alg_sha2
deleted file mode 100644
index 67e68a667..000000000
--- a/programs/pluto/alg/Makefile.ike_alg_sha2
+++ /dev/null
@@ -1,13 +0,0 @@
-ALG:=sha2
-CONFIG_YES:=$(CONFIG_IKE_ALG_SHA2)
-DIR_SHA2:=$(LIBCRYPTO)/libsha2
-ALG_DIRS-$(CONFIG_YES) := $(ALG_DIRS-$(CONFIG_YES)) $(DIR_SHA2)
-ALG_LIBS-$(CONFIG_YES) := $(ALG_LIBS-$(CONFIG_YES)) $(DIR_SHA2)/libsha2.a
-ALG_SRCS-$(CONFIG_YES) := $(ALG_SRCS-$(CONFIG_YES)) ike_alg_$(ALG).c
-ALG_OBJS-$(CONFIG_YES) := $(ALG_OBJS-$(CONFIG_YES)) ike_alg_$(ALG).o
-
-$(DIR_SHA2)/libsha2.a:
- make -C $(DIR_SHA2) libsha2.a
-
-ike_alg_$(ALG).o: ike_alg_$(ALG).c
- $(CC) -I $(LIBCRYPTO) -I$(DIR_SHA2) $(COPTS) $(ALLFLAGS) -c $<
diff --git a/programs/pluto/alg/Makefile.ike_alg_twofish b/programs/pluto/alg/Makefile.ike_alg_twofish
deleted file mode 100644
index dcd30dd3e..000000000
--- a/programs/pluto/alg/Makefile.ike_alg_twofish
+++ /dev/null
@@ -1,13 +0,0 @@
-ALG:=twofish
-CONFIG_YES:=$(CONFIG_IKE_ALG_TWOFISH)
-DIR_TWOFISH:=$(LIBCRYPTO)/libtwofish
-ALG_DIRS-$(CONFIG_YES) := $(ALG_DIRS-$(CONFIG_YES)) $(DIR_TWOFISH)
-ALG_LIBS-$(CONFIG_YES) := $(ALG_LIBS-$(CONFIG_YES)) $(DIR_TWOFISH)/libtwofish.a
-ALG_SRCS-$(CONFIG_YES) := $(ALG_SRCS-$(CONFIG_YES)) ike_alg_$(ALG).c
-ALG_OBJS-$(CONFIG_YES) := $(ALG_OBJS-$(CONFIG_YES)) ike_alg_$(ALG).o
-
-$(DIR_TWOFISH)/libtwofish.a:
- make -C $(DIR_TWOFISH) CFLAGS="$(CFLAGS)" libtwofish.a
-
-ike_alg_$(ALG).o: ike_alg_$(ALG).c
- $(CC) -I $(LIBCRYPTO) -I$(DIR_TWOFISH) $(COPTS) $(ALLFLAGS) -c $<
diff --git a/programs/pluto/pluto-style.el b/programs/pluto/pluto-style.el
deleted file mode 100644
index 0de474e44..000000000
--- a/programs/pluto/pluto-style.el
+++ /dev/null
@@ -1,4 +0,0 @@
-(c-add-style "pluto" '("bsd"
- (c-basic-offset . 4)
- (c-offsets-alias . ((substatement-open . 0)))))
-
diff --git a/programs/pluto/routing.txt b/programs/pluto/routing.txt
deleted file mode 100644
index a69b8a542..000000000
--- a/programs/pluto/routing.txt
+++ /dev/null
@@ -1,331 +0,0 @@
-Routing and Erouting in Pluto
-=============================
-
-RCSID $Id: routing.txt,v 1.1 2004/03/15 20:35:29 as Exp $
-
-This is meant as internal documentation for Pluto. As such, it
-presumes some understanding of Pluto's code.
-
-It also describes KLIPS 1 erouting, including details not otherwise
-documented. KLIPS 1 documentation would be better included in KLIPS.
-
-Routing and erouting are complicated enough that the Pluto code needs
-a guide. This document is meant to be that guide.
-
-
-Mechanisms available to Pluto
------------------------------
-
-All outbound packets that are to be processed by KLIPS 1 must be
-routed to an ipsecN network interface. Pluto only uses normal routing
-(as opposed to "Advanced Routing"), so the selection of packets is
-made solely on the basis of the destination address. (Since the
-actual routing commands are in the updown script, they could be
-changed by the administrator, but Pluto needs to understand what is
-going on, and it currently assumes normal routing is used.)
-
-When an outbound packet hits an ipsecN interface, KLIPS figures out
-how to process it by finding an eroute that applies to the source and
-destination addresses. Eroutes are global: they are not specific to a
-particular ipsecN interface (routing needs to get the packets to any
-ipsecN interface; erouting takes it from there, ignoring issues of
-source IP address and nexthop (because nobody knows!)). If multiple
-eroutes apply to the packet, among the ones with the most specific
-source subnet, the one with the most specific destination subset is
-chosen (RGB thinks). If no eroute is discovered, KLIPS acts as if it
-was covered by a DROP eroute (this is the default behaviour; it can be
-changed). At most one eroute can exist for a particular pair of
-client subnets.
-
-There are fundamentally two kinds of eroutes: "shunt" eroutes and ones
-that specify that a packet is to be processed by a group of IPSEC SAs.
-Shunt eroutes specify what is to be done with the packet. Remember
-that these only apply to outbound packets.
-
-- TRAP: notify Pluto of the packet (presumably to attempt to negotiate
- an appropriate group of IPSEC SAs). At the same time, KLIPS
- installs a HOLD shunt (see below) for the specific source and
- destination addresses from the packet and retains the packet
- for later reprocessing (KLIPS does not yet implement retention).
- Beware: if the TRAP's subnets both contained a single IP address
- then installing the HOLD would actually delete the TRAP.
-
-- PASS: let the packet through in the clear
-
-- DROP: discard the packet
-
-- REJECT: discard the packet and notify the sender
-
-- HOLD: (automatically created by KLIPS when a TRAP fires) block
- the packet, but retain it. If there is already a retained
- packet, drop the old one and retain the new. When the HOLD
- shunt is deleted or replaced, the retained packet is reinjected --
- there might now be a tunnel. Note that KLIPS doesn't yet
- implement the retention part, so HOLD is really like a DROP.
-
-One consequence of there being only one eroute for a pair of clients
-is that KLIPS will only use one SA group for output for this pair,
-even though there could be several SA groups that are authorised and
-live. Pluto chooses to make this the youngest such group.
-
-
-
-KLIPS lets through in the clear outbound UDP/500 packets that would
-otherwise be processed if they originate on this host and meet certain
-other conditions. The actual test is
- source == me
- && (no_eroute || dest == eroute.dest || isanyaddr(eroute.dest))
- && port == UDP/500
-The idea is that IKE packets between us and a peer should not be
-sent through an IPSEC tunnel negotiated between us. Furthermore,
-our shunt eroutes should not apply to our IKE packets (shunt eroutes
-will generally have an eroute.dest of 0.0.0.0 or its IPv6 equivalent).
-
-Inbound behaviour is controlled in a quite different way. KLIPS
-processes only those inbound packets of ESP or AH protocol, with a
-destination address for this machine's ipsecN interfaces. The
-processing is as dictated by the SAs involved. Unfortunately, the
-decapsulated packet's source and destination address are not checked
-(part of "inbound policy checking").
-
-To prevent clear packets being accepted, firewall rules must be put in
-place. This has nothing to do with KLIPS, but is nonetheless in
-important part of security. It isn't clear what firewalling makes
-sense when Opportunism is allowed.
-
-
-For routing and firewalling, Pluto invokes the updown script. Pluto
-installs eroutes via extended PF_KEY messages.
-
-
-Current Pluto Behaviour
------------------------
-
-Data Structures:
-
-Routes and most eroutes are associated with connections (struct
-connection, a potential connection description). The enum routing_t
-field "routing" in struct connection records the state of routing and
-erouting for that connection. The values are:
- RT_UNROUTED, /* unrouted */
- RT_UNROUTED_HOLD, /* unrouted, but HOLD shunt installed */
- RT_ROUTED_PROSPECTIVE, /* routed, and TRAP shunt installed */
- RT_ROUTED_HOLD, /* routed, and HOLD shunt installed */
- RT_ROUTED_FAILURE, /* routed, and failure-context shunt installed */
- RT_ROUTED_TUNNEL /* routed, and erouted to an IPSEC SA group */
-Notice that the routing and erouting are not independent: erouting
-(except for HOLD) implies that the connection is routed.
-
-Several struct connections may have the same destination subnet. If
-they agree on what the route should be, they can share it -- any of
-them may have routing >= RT_ROUTED_PROSPECTIVE. If they disagree,
-they cannot simultaneously be routed.
-
-invariant: for all struct connections c, d:
- (c.that.client == d.that.client
- && c.routing >= RT_ROUTED_PROSPECTIVE
- && d.routing >= RT_ROUTED_PROSPECTIVE)
- => c.interface == d.interface && c.this.nexthop == d.this.nexthop
-
-There are two kinds of eroutes: shunt eroutes and ones for an IPSEC SA
-Group. Most eroutes are associated with and are represeented in a
-connection. The exception is that some HOLD and PASS shunts do not
-correspond to connections; those are represented in the bare_shunt
-table.
-
-An eroute for an IPSEC SA Group is associated with the state object
-for that Group. The existence of such an eroute is also represented
-by the "so_serial_t eroute_owner" field in the struct connection. The
-value is the serial number of the state object for the Group. The
-special value SOS_NOBODY means that there is no owner associated with
-this connection for the eroute and hence no normal eroute. At most
-one eroute owner may exist for a particular (source subnet,
-destination subnet) pair. A Pluto-managed eroute cannot be associated
-with an RT_UNROUTED connection.
-
-invariant: for all struct connection c:
- c.routing == RT_EROUTED_TUNNEL || c.eroute_owner == SOS_NOBODY
-
-invariant: for all struct connections c, d:
- c.this.client == d.this.client && c.that.client == d.that.client
- && &c != &d
- => c.routing == RT_UNROUTED || d.routing == RT_UNROUTED
-
-If no normal eroute is set for a particular (source subnet,
-destination subnet) pair for which a connection is routed, then a
-shunt eroute would have been installed. This specifies what should
-happen to packets snared by the route.
-
-When Pluto is notified by KLIPS of a packet that has been TRAPped,
-there is no connection with which to associate the HOLD. It is
-temporarily held in the "bare_shunt table". If Opportunism is
-attempted but DNS doesn't provide Security Gateway information, Pluto
-will replace the HOLD with a PASS shunt. Since this PASS isn't
-associated with a connection, it too will reside in the bare_shunt
-table. If the HOLD can be associated with a connection, it will be
-removed from the bare_shunt table and represented in the connection.
-
-There are two contexts for which shunt eroutes are installed by Pluto
-for a particular connection. The first context is with the prospect
-of dealing with packets before any negotiation has been attempted. I
-call this context "prospective". Currently is a TRAP shunt, used to
-catch packets for initiate opportunistic negotiation. In the future,
-it might also be used to implement preordained PASS, DROP, or REJECT
-rules.
-
-The second context is after a failed negotiation. I call this context
-"failure". At this point a different kind of shunt eroute is
-appropriate. Depending on policy, it could be PASS, DROP, or REJECT,
-but it is unlikely to be TRAP. The shunt eroute should have a
-lifetime (this isn't yet implemented). When the lifetime expires, the
-failure shunt eroute should be replaced by the prospective shunt
-eroute.
-
-The kind and duration of a failure shunt eroute should perhaps depend
-on the nature of the failure, at least as imperfectly detected by
-Pluto. We haven't looked at this. In particular, the mapping from
-observations to robust respose isn't obvious.
-
-The shunt eroute policies should be a function of the potential
-connection. The failure shunt eroute can be specified for a
-particular connection with the flags --pass and --drop in a connection
-definition. There are four combinations, and each has a distinct
-meaning. The failure shunt eroute is incompletely implemented and
-cannot be represented in /etc/ipsec.conf.
-
-There is as yet no control over the prospective shunt eroute: it is
-always TRAP as far as Pluto is concerned. This is probably
-reasonable: any other fate suggests that no negotiation will be done,
-and so a connection definition is inappropriate. These should be
-implemented as manual conns. There remains the issue of whether Pluto
-should be aware of them -- currently it is not.
-
-
-Routines:
-
-[in kernel.c]
-
-bool do_command(struct connection *c, const char *verb)
- Run the updown script to perform such tasks as installing a route
- and adjust the firewall.
-
-bool could_route(struct connection *c)
- Check to see whether we could route and eroute the connection.
- <- shunt_eroute_connection (to check if --route can be performed)
- <- install_inbound_ipsec_sa (to see if it will be possible
- to (later) install route and eroute the corresponding outbound SA)
- <- install_ipsec_sa (to see if the outbound SA can be routed and erouted)
-
-bool trap_connection(struct connection *c)
- Install a TRAP shunt eroute for this connection. This implements
- "whack --route", the way an admin can specify that packets for a
- connection should be caught without first bringing it up.
-
-void unroute_connection(struct connection *c)
- Delete any eroute for a connection and unroute it if route isn't shared.
- <- release_connection
- <- whack_handle (for "whack --unroute)
-
-bool eroute_connection(struct connection *c
-, ipsec_spi_t spi, unsigned int proto, unsigned int satype
-, unsigned int op, const char *opname UNUSED)
- Issue PF_KEY commands to KLIPS to add, replace, or delete an eroute.
- The verb is specified by op and described (for logging) by opname.
- <- assign_hold
- <- sag_eroute
- <- shunt_eroute
-
-bool assign_hold(struct connection *c
-, const ip_address *src, const ip_address *dst)
- Take a HOLD from the bare_shunt table and assign it to a connection.
- If the HOLD is broadened (i.e. the connection's source or destination
- subnets contain more than one IP address), this will involve replacing
- the HOLD with a different one.
-
-bool sag_eroute(struct state *st, unsigned op, const char *opname)
- SA Group eroute manipulation. The SA Group concerned is
- identified with a state object.
- <- route_and_eroute several times
-
-bool shunt_eroute(struct connection *c, unsigned int op, const char *opname)
- shunt eroute manipulation. Shunt eroutes are associated with
- connections.
- <- unroute_connection
- <- route_and_eroute
- <- delete_ipsec_sa
-
-bool route_and_eroute(struct connection *c, struct state *st)
- Install a route and then a prospective shunt eroute or an SA group
- eroute. The code assumes that could_route had previously
- given the go-ahead. Any SA group to be erouted must already
- exist.
- <- shunt_eroute_connection
- <- install_ipsec_sa
-
-void scan_proc_shunts(void)
- Every SHUNT_SCAN_INTERVAL scan /proc/net/ipsec_eroute.
- Delete any PASS eroute in the bare_shunt table that hasn't been used
- within the last SHUNT_PATIENCE seconds.
- For any HOLD for which Pluto hasn't received an ACQUIRE (possibly
- lost due to congestion), act as if an ACQUIRE were received.
-
-[in connection.c]
-
-struct connection *route_owner(struct connection *c, struct connection **erop)
- Find the connection to connection c's peer's client with the
- largest value of .routing. All other things being equal,
- preference is given to c. Return NULL if no connection is routed
- at all. If erop is non-null, sets it to a connection sharing both
- our client subnet and peer's client subnet with the largest value
- of .routing.
- The return value is used to find other connections sharing
- a route. The value of *erop is used to find other connections
- sharing an eroute.
- <- could_route (to find any conflicting routes or eroutes)
- <- unroute_connection (to find out if our route is still in use
- after this connection is finished with it)
- <- install_inbound_ipsec_sa (to find other IPSEC SAs for the
- same peer clients; when we find them WE KILL THEM; a
- kludge to deal with road warriors reconnecting)
- <- route_and_eroute (to find all the connections from which the
- route or eroute is being stolen)
-
-Uses:
-
-- setting up route & shunt eroute to TRAP packets for opportunism
- (whack --route). Perhaps also manually designating DROP, REJECT, or
- PASS for certain packets.
-
- whack_handle() responds to --route; calls route_connection()
-
-
-- removing same (whack --unroute)
-
- whack_handle() responds to --unroute; calls unroute_connection()
-
-- installing route & normal eroute for a newly negotiated group of
- outbound IPSEC SAs
-
- + perhaps an (additional) route is not needed: if the negotiation
- was initiated by a TRAPped outgoing packet, then there must
- already have been a route that got the packet to ipsecN. Mind
- you, it could have been the wrong N!
-
- install_ipsec_sa()
-
-- updating a normal eroute when a new group of IPSEC SAs replaces
- an old one due to rekeying.
-
- install_ipsec_sa()
-
-- replacing an old eroute when a negotiation fails. But this is
- tricky. If this was a rekeying, we should just leave the old
- normal eroute be -- it might still work. Otherwise, this was
- an initial negotiation: we should replace the shunt eroute
- with one appropriate for the failure context.
-
-- when a group of IPSEC SAs dies or is killed, and it had the eroute,
- its normal eroute should be replaced by a shunt eroute. If there
- was an attempt to replace the group, the replacement is in the
- failure context; otherwise the replacement is in the prospective
- context.
diff --git a/programs/proc/Makefile b/programs/proc/Makefile
deleted file mode 100644
index 023356440..000000000
--- a/programs/proc/Makefile
+++ /dev/null
@@ -1,51 +0,0 @@
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 1998, 1999 Henry Spencer.
-# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:30 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-EXTRA5PROC:=version.5 trap_count.5 trap_sendcount.5
-
-LIBS:=${FREESWANLIB}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:30 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.5 2003/06/20 02:56:20 mcr
-# added documentation for /proc/net/ipsec/stats/trap_* and
-# amendments to test cases.
-#
-# Revision 1.4 2002/06/03 20:25:31 mcr
-# man page for files actually existant in /proc/net changed back to
-# ipsec_foo via new EXTRA5PROC process.
-#
-# Revision 1.3 2002/06/02 21:51:41 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.2 2002/05/05 23:09:49 mcr
-# EXTRA35MAN should have the extensions on it.
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
diff --git a/programs/proc/trap_count.5 b/programs/proc/trap_count.5
deleted file mode 100644
index e4cfd5871..000000000
--- a/programs/proc/trap_count.5
+++ /dev/null
@@ -1,35 +0,0 @@
-.TH IPSEC_TRAP_COUNT 5 "19 Jun 2003"
-.\"
-.\" RCSID $Id: trap_count.5,v 1.1 2004/03/15 20:35:30 as Exp $
-.\"
-.SH NAME
-trap_count \- KLIPS statistic on number of ACQUIREs
-.SH SYNOPSIS
-.B cat
-.B /proc/net/ipsec/stats/trap_count
-.SH DESCRIPTION
-.I /proc/net/ipsec/stats/trap_count
-is a read-only file. It contains a hexadecimal number which records the
-number of attempts to send PF_ACQUIRE messages. Only those recorded by
-trap_sendcount were actually successfully passed to userland. Note that the
-userland may still have lost them on its own.
-.LP
-.SH "FILES"
-/proc/net/ipsec/stats/trap_sendcount
-.SH "SEE ALSO"
-ipsec(8), ipsec_pf_key(5), trap_sendcount(5), pluto(8)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Michael C. Richardson <mcr@freeswan.org>
-.\"
-.\" $Log: trap_count.5,v $
-.\" Revision 1.1 2004/03/15 20:35:30 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.1 2003/06/20 02:56:20 mcr
-.\" added documentation for /proc/net/ipsec/stats/trap_* and
-.\" amendments to test cases.
-.\"
-.\"
-.\"
diff --git a/programs/proc/trap_sendcount.5 b/programs/proc/trap_sendcount.5
deleted file mode 100644
index 27090b52b..000000000
--- a/programs/proc/trap_sendcount.5
+++ /dev/null
@@ -1,33 +0,0 @@
-.TH IPSEC_TRAP_SENDCOUNT 5 "19 Jun 2003"
-.\"
-.\" RCSID $Id: trap_sendcount.5,v 1.1 2004/03/15 20:35:30 as Exp $
-.\"
-.SH NAME
-trap_sendcount \- KLIPS statistic on number of successful ACQUIREs
-.SH SYNOPSIS
-.B cat
-.B /proc/net/ipsec/stats/trap_sendcount
-.SH DESCRIPTION
-.I /proc/net/ipsec/stats/trap_sendcount
-is a read-only file. It contains a hexadecimal number which records the
-number of successful PF_ACQUIRE messages that were sent.
-.LP
-.SH "FILES"
-/proc/net/ipsec/stats/trap_sendcount
-.SH "SEE ALSO"
-ipsec(8), ipsec_pf_key(5), trap_count(5), pluto(8)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Michael C. Richardson <mcr@freeswan.org>
-.\"
-.\" $Log: trap_sendcount.5,v $
-.\" Revision 1.1 2004/03/15 20:35:30 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.1 2003/06/20 02:56:20 mcr
-.\" added documentation for /proc/net/ipsec/stats/trap_* and
-.\" amendments to test cases.
-.\"
-.\"
-.\"
diff --git a/programs/proc/version.5 b/programs/proc/version.5
deleted file mode 100644
index c763d6d17..000000000
--- a/programs/proc/version.5
+++ /dev/null
@@ -1,54 +0,0 @@
-.TH IPSEC_VERSION 5 "29 Jun 2000"
-.\"
-.\" RCSID $Id: version.5,v 1.1 2004/03/15 20:35:30 as Exp $
-.\"
-.SH NAME
-ipsec_version \- lists KLIPS version information
-.SH SYNOPSIS
-.B cat
-.B /proc/net/ipsec_version
-.SH DESCRIPTION
-.I /proc/net/ipsec_version
-is a read-only file which lists the currently running KLIPS version
-information.
-.PP
-.SH EXAMPLES
-.TP
-.B FreeS/WAN version: 1.4
-.LP
-shows that the currently loaded
-.B KLIPS
-is from
-.B FreeS/WAN 1.4.
-.LP
-.SH "FILES"
-/proc/net/ipsec_version
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_eroute(5), ipsec_spi(5),
-ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_tncfg(8), ipsec_pf_key(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Richard Guy Briggs.
-.\"
-.\" $Log: version.5,v $
-.\" Revision 1.1 2004/03/15 20:35:30 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.4 2002/04/24 07:35:41 mcr
-.\" Moved from ./klips/utils/version.5,v
-.\"
-.\" Revision 1.3 2000/06/30 18:21:55 rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.2 2000/06/30 06:22:22 rgb
-.\" Fix SYNOPSIS since there is no 'ipsec version' command.
-.\"
-.\" Revision 1.1 2000/06/30 06:19:26 rgb
-.\" manpages for the last two /proc/net/ipsec* files that don't have a
-.\" corresponding utility.
-.\"
-.\"
-.\"
diff --git a/programs/ranbits/.cvsignore b/programs/ranbits/.cvsignore
deleted file mode 100644
index 910103faa..000000000
--- a/programs/ranbits/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-ranbits
diff --git a/programs/ranbits/Makefile b/programs/ranbits/Makefile
deleted file mode 100644
index 558318e8e..000000000
--- a/programs/ranbits/Makefile
+++ /dev/null
@@ -1,39 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:30 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=ranbits
-LIBS=${FREESWANLIB}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:30 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.2 2002/06/02 21:51:41 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/ranbits/ranbits.8 b/programs/ranbits/ranbits.8
deleted file mode 100644
index 5a99a088f..000000000
--- a/programs/ranbits/ranbits.8
+++ /dev/null
@@ -1,77 +0,0 @@
-.TH IPSEC_RANBITS 8 "22 Aug 2000"
-.\" RCSID $Id: ranbits.8,v 1.1 2004/03/15 20:35:30 as Exp $
-.SH NAME
-ipsec ranbits \- generate random bits in ASCII form
-.SH SYNOPSIS
-.B ipsec
-.B ranbits
-[
-.B \-\-quick
-] [
-.B \-\-continuous
-] [
-.B \-\-bytes
-] nbits
-.SH DESCRIPTION
-.I Ranbits
-obtains
-.I nbits
-(rounded up to the nearest byte)
-high-quality random bits from
-.IR random (4),
-and emits them on standard output as an ASCII string.
-The default output format is
-.IR datatot (3)
-.B h
-format:
-lowercase hexadecimal with a
-.B 0x
-prefix and an underscore every 32 bits.
-.PP
-The
-.B \-\-quick
-option produces quick-and-dirty random bits:
-instead of using the high-quality random bits from
-.IR /dev/random ,
-which may take some time to supply the necessary bits if
-.I nbits
-is large,
-.I ranbits
-uses
-.IR /dev/urandom ,
-which yields prompt results but lower-quality randomness.
-.PP
-The
-.B \-\-continuous
-option uses
-.IR datatot (3)
-.B x
-output format, like
-.B h
-but without the underscores.
-.PP
-The
-.B \-\-bytes
-option causes
-.I nbits
-to be interpreted as a byte count rather than a bit count.
-.SH FILES
-/dev/random, /dev/urandom
-.SH SEE ALSO
-ipsec_datatot(3), random(4)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org>
-by Henry Spencer.
-.SH BUGS
-There is an internal limit on
-.IR nbits ,
-currently 20000.
-.PP
-Without
-.BR \-\-quick ,
-.IR ranbits 's
-run time is difficult to predict.
-A request for a large number of bits,
-at a time when the system's entropy pool is low on randomness,
-may take quite a while to satisfy.
diff --git a/programs/ranbits/ranbits.c b/programs/ranbits/ranbits.c
deleted file mode 100644
index 7b9a0f76e..000000000
--- a/programs/ranbits/ranbits.c
+++ /dev/null
@@ -1,146 +0,0 @@
-/*
- * random bit generation for scripts, control files, etc.
- * Copyright (C) 1998, 1999, 2000 Henry Spencer.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: ranbits.c,v 1.1 2004/03/15 20:35:30 as Exp $
- */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <stdio.h>
-#include <limits.h>
-#include <errno.h>
-#include <string.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <getopt.h>
-#include <fcntl.h>
-#include <netinet/in.h>
-#include <freeswan.h>
-
-#ifndef DEVICE
-#define DEVICE "/dev/random"
-#endif
-#ifndef QDEVICE
-#define QDEVICE "/dev/urandom"
-#endif
-#ifndef MAXBITS
-#define MAXBITS 20000
-#endif
-
-char usage[] = "Usage: ranbits [--quick] [--continuous] [--bytes] nbits";
-struct option opts[] = {
- {"quick", 0, NULL, 'q',},
- {"continuous", 0, NULL, 'c',},
- {"bytes", 0, NULL, 'b',},
- {"help", 0, NULL, 'h',},
- {"version", 0, NULL, 'v',},
- {0, 0, NULL, 0,}
-};
-int quick = 0; /* quick and dirty? */
-char format = 'h'; /* datatot() format code */
-int isbytes = 0; /* byte count rather than bits? */
-
-char me[] = "ipsec ranbits"; /* for messages */
-
-char buf[MAXBITS/CHAR_BIT];
-char outbuf[3*sizeof(buf)];
-
-int main(int argc, char *argv[])
-{
- int opt;
- extern int optind;
- int errflg = 0;
- int nbits;
- size_t nbytes;
- char *devname;
- int dev;
- size_t ndone;
- size_t nneeded;
- ssize_t got;
-
- while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF)
- switch (opt) {
- case 'q': /* quick and dirty randomness */
- quick = 1;
- break;
- case 'c': /* continuous hex, no underscores */
- format = 'x';
- break;
- case 'b': /* byte count, not bit count */
- isbytes = 1;
- break;
- case 'h': /* help */
- printf("%s\n", usage);
- exit(0);
- break;
- case 'v': /* version */
- printf("%s %s\n", me, ipsec_version_code());
- exit(0);
- break;
- case '?':
- default:
- errflg = 1;
- break;
- }
- if (errflg || optind != argc-1) {
- fprintf(stderr, "%s\n", usage);
- exit(2);
- }
-
- nbits = atoi(argv[optind]);
- if (isbytes)
- nbits *= CHAR_BIT;
- if (nbits <= 0) {
- fprintf(stderr, "%s: invalid bit count (%d)\n", me, nbits);
- exit(1);
- }
- if (nbits > MAXBITS) {
- fprintf(stderr, "%s: overlarge bit count (max %d)\n", me,
- MAXBITS);
- exit(1);
- }
- nbytes = (size_t)(nbits + CHAR_BIT - 1) / CHAR_BIT;
-
- devname = (quick) ? QDEVICE : DEVICE;
- dev = open(devname, 0);
- if (dev < 0) {
- fprintf(stderr, "%s: could not open %s (%s)\n", me,
- devname, strerror(errno));
- exit(1);
- }
-
- ndone = 0;
- while (ndone < nbytes) {
- got = read(dev, buf + ndone, nbytes - ndone);
- if (got < 0) {
- fprintf(stderr, "%s: read error on %s (%s)\n", me,
- devname, strerror(errno));
- exit(1);
- }
- if (got == 0) {
- fprintf(stderr, "%s: eof on %s!?!\n", me, devname);
- exit(1);
- }
- ndone += got;
- }
-
- nneeded = datatot(buf, nbytes, format, outbuf, sizeof(outbuf));
- if (nneeded > sizeof(outbuf)) {
- fprintf(stderr, "%s: buffer overflow (need %ld bytes)?!?\n",
- me, (long)nneeded);
- exit(1);
- }
- printf("%s\n", outbuf);
- exit(0);
-}
diff --git a/programs/rsasigkey/.cvsignore b/programs/rsasigkey/.cvsignore
deleted file mode 100644
index f9e610b4d..000000000
--- a/programs/rsasigkey/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-rsasigkey
diff --git a/programs/rsasigkey/Makefile b/programs/rsasigkey/Makefile
deleted file mode 100644
index c2b82e5c8..000000000
--- a/programs/rsasigkey/Makefile
+++ /dev/null
@@ -1,39 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:30 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=rsasigkey
-LIBS=${FREESWANLIB} -lgmp
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:30 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.2 2002/06/02 21:51:41 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/rsasigkey/rsasigkey.8 b/programs/rsasigkey/rsasigkey.8
deleted file mode 100644
index c64dd46bd..000000000
--- a/programs/rsasigkey/rsasigkey.8
+++ /dev/null
@@ -1,259 +0,0 @@
-.TH IPSEC_RSASIGKEY 8 "22 July 2001"
-.\" RCSID $Id: rsasigkey.8,v 1.1 2004/03/15 20:35:30 as Exp $
-.SH NAME
-ipsec rsasigkey \- generate RSA signature key
-.SH SYNOPSIS
-.B ipsec
-.B rsasigkey
-[
-.B \-\-verbose
-] [
-.B \-\-random
-filename
-]
-.B \e
-.br
-\ \ \ [
-.B \-\-rounds
-nr
-] [
-.B \-\-hostname
-host ] [
-.B \-\-noopt
-] nbits
-.br
-.B ipsec
-.B rsasigkey
-[
-.B \-\-verbose
-] [
-.B \-\-hostname
-host ]
-.B \e
-.br
-\ \ \
-[
-.B \-\-noopt
-]
-.B \-\-oldkey
-file
-.SH DESCRIPTION
-.I Rsasigkey
-generates an RSA public/private key pair,
-suitable for digital signatures,
-of (exactly)
-.I nbits
-bits (that is, two primes each of exactly
-.IR nbits /2
-bits,
-and related numbers)
-and emits it on standard output as ASCII (mostly hex) data.
-.I nbits
-must be a multiple of 16.
-.PP
-The public exponent is forced to the value
-.BR 3 ,
-which has important speed advantages for signature checking.
-Beware that the resulting keys have known weaknesses as encryption keys
-\fIand should not be used for that purpose\fR.
-.PP
-The
-.B \-\-verbose
-option makes
-.I rsasigkey
-give a running commentary on standard error.
-By default, it works in silence until it is ready to generate output.
-.PP
-The
-.B \-\-random
-option specifies a source for random bits.
-The default is
-.I /dev/random
-(see
-.IR random (4)).
-Normally,
-.I rsasigkey
-reads exactly
-.I nbits
-random bits from the source;
-in extremely-rare circumstances it may need more.
-.PP
-The
-.B \-\-rounds
-option specifies the number of rounds to be done by the
-.I mpz_probab_prime_p
-probabilistic primality checker.
-The default, 30, is fairly rigorous and should not normally
-have to be overridden.
-.PP
-The
-.B \-\-hostname
-option specifies what host name to use in
-the first line of the output (see below);
-the default is what
-.IR gethostname (2)
-returns.
-.PP
-The
-.B \-\-noopt
-option suppresses an optimization of the private key
-(to be precise, setting of the decryption exponent to
-.B lcm(p\-1,q\-1)
-rather than
-.BR (p\-1)*(q\-1) )
-which speeds up operations on it slightly
-but can cause it to flunk a validity check in old RSA implementations
-(notably, obsolete versions of
-.IR ipsec_pluto (8)).
-.PP
-The
-.B \-\-oldkey
-option specifies that rather than generate a new key,
-.I rsasigkey
-should read an old key from the
-.I file
-(the name
-.B \-
-means ``standard input'')
-and use that to generate its output.
-Input lines which do not look like
-.I rsasigkey
-output are silently ignored.
-This permits updating old keys to the current format.
-.PP
-The output format looks like this (with long numbers trimmed down
-for clarity):
-.PP
-.ne 15
-.nf
- # RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
- # for signatures only, UNSAFE FOR ENCRYPTION
- #pubkey=0sAQOF8tZ2NZt...Y1P+buFuFn/
- Modulus: 0xcc2a86fcf440...cf1011abb82d1
- PublicExponent: 0x03
- # everything after this point is secret
- PrivateExponent: 0x881c59fdf8...ab05c8c77d23
- Prime1: 0xf49fd1f779...46504c7bf3
- Prime2: 0xd5a9108453...321d43cb2b
- Exponent1: 0xa31536a4fb...536d98adda7f7
- Exponent2: 0x8e70b5ad8d...9142168d7dcc7
- Coefficient: 0xafb761d001...0c13e98d98
-.fi
-.PP
-The first (comment) line,
-indicating the nature and date of the key,
-and giving a host name,
-is used by
-.IR ipsec_showhostkey (8)
-when generating some forms of key output.
-.PP
-The commented-out
-.B pubkey=
-line contains the public key\(emthe public exponent and the modulus\(emcombined
-in approximately RFC 2537 format
-(the one deviation is that the combined value is given with a
-.B 0s
-prefix, rather than in unadorned base-64),
-suitable for use in the
-.I ipsec.conf
-file.
-.PP
-The
-.BR Modulus ,
-.BR PublicExponent ,
-and
-.B PrivateExponent
-lines give the basic signing and verification data.
-.PP
-The
-.B Prime1
-and
-.B Prime2
-lines give the primes themselves (aka
-.I p
-and
-.IR q ),
-largest first.
-The
-.B Exponent1
-and
-.B Exponent2
-lines give
-the private exponent mod
-.IR p\-1
-and
-.IR q\-1
-respectively.
-The
-.B Coefficient
-line gives the Chinese Remainder Theorem coefficient,
-which is the inverse of
-.IR q ,
-mod
-.IR p .
-These additional numbers (which must all be kept as secret as the
-private exponent) are precomputed aids to rapid signature generation.
-.PP
-No attempt is made to break long lines.
-.PP
-The US patent on the RSA algorithm expired 20 Sept 2000.
-.SH EXAMPLES
-.TP
-.B "ipsec rsasigkey \-\-verbose 2192 >mykey"
-generates a 2192-bit signature key and puts it in the file
-.IR mykey ,
-with running commentary on standard error.
-The file contents can be inserted verbatim into a suitable entry in the
-.I ipsec.secrets
-file (see
-.IR ipsec.secrets (5)),
-and the public key can then be extracted and edited into the
-.I ipsec.conf
-file (see
-.IR ipsec.conf (5)).
-.TP
-.B "ipsec rsasigkey \-\-verbose \-\-oldkey oldie >latest"
-takes the old signature key from file
-.I oldie
-and puts a version in the current format into the file
-.IR latest ,
-with running commentary on standard error.
-.SH FILES
-/dev/random
-.SH SEE ALSO
-random(4), ipsec_showhostkey(8)
-.br
-\fIApplied Cryptography\fR, 2nd. ed., by Bruce Schneier, Wiley 1996.
-.br
-RFCs 2537, 2313.
-.br
-\fIGNU MP, the GNU multiple precision arithmetic library, edition 2.0.2\fR,
-by Torbj Granlund.
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org>
-by Henry Spencer.
-.SH BUGS
-There is an internal limit on
-.IR nbits ,
-currently 20000.
-.PP
-.IR Rsasigkey 's
-run time is difficult to predict,
-since
-.I /dev/random
-output can be arbitrarily delayed if
-the system's entropy pool is low on randomness,
-and the time taken by the search for primes is also somewhat unpredictable.
-A reasonably typical time for a 1024-bit key on a quiet 200MHz Pentium MMX
-with plenty of randomness available is 20 seconds,
-almost all of it in the prime searches.
-Generating a 2192-bit key on the same system usually takes several minutes.
-A 4096-bit key took an hour and a half of CPU time.
-.PP
-The
-.B \-\-oldkey
-option does not check its input format as rigorously as it might.
-Corrupted
-.I rsasigkey
-output may confuse it.
diff --git a/programs/rsasigkey/rsasigkey.c b/programs/rsasigkey/rsasigkey.c
deleted file mode 100644
index b55dbb889..000000000
--- a/programs/rsasigkey/rsasigkey.c
+++ /dev/null
@@ -1,573 +0,0 @@
-/*
- * RSA signature key generation
- * Copyright (C) 1999, 2000, 2001 Henry Spencer.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: rsasigkey.c,v 1.2 2005/08/11 10:35:58 as Exp $
- */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <time.h>
-#include <limits.h>
-#include <errno.h>
-#include <string.h>
-#include <assert.h>
-#include <getopt.h>
-#include <freeswan.h>
-#include "gmp.h"
-
-#ifndef DEVICE
-#define DEVICE "/dev/random"
-#endif
-#ifndef MAXBITS
-#define MAXBITS 20000
-#endif
-
-/* the code in getoldkey() knows about this */
-#define E 3 /* standard public exponent */
-
-char usage[] = "rsasigkey [--verbose] [--random device] nbits";
-char usage2[] = "rsasigkey [--verbose] --oldkey filename";
-struct option opts[] = {
- {"verbose", 0, NULL, 'v',},
- {"random", 1, NULL, 'r',},
- {"rounds", 1, NULL, 'p',},
- {"oldkey", 1, NULL, 'o',},
- {"hostname", 1, NULL, 'H',},
- {"noopt", 0, NULL, 'n',},
- {"help", 0, NULL, 'h',},
- {"version", 0, NULL, 'V',},
- {0, 0, NULL, 0,}
-};
-int verbose = 0; /* narrate the action? */
-char *device = DEVICE; /* where to get randomness */
-int nrounds = 30; /* rounds of prime checking; 25 is good */
-mpz_t prime1; /* old key's prime1 */
-mpz_t prime2; /* old key's prime2 */
-char outputhostname[1024]; /* hostname for output */
-int do_lcm = 1; /* use lcm(p-1, q-1), not (p-1)*(q-1) */
-
-char me[] = "ipsec rsasigkey"; /* for messages */
-
-/* forwards */
-int getoldkey(char *filename);
-void rsasigkey(int nbits, int useoldkey);
-void initprime(mpz_t var, int nbits, int eval);
-void initrandom(mpz_t var, int nbits);
-void getrandom(size_t nbytes, char *buf);
-char *bundle(int e, mpz_t n, size_t *sizep);
-char *conv(char *bits, size_t nbytes, int format);
-char *hexout(mpz_t var);
-void report(char *msg);
-
-/*
- - main - mostly argument parsing
- */
-int main(int argc, char *argv[])
-{
- int opt;
- extern int optind;
- extern char *optarg;
- int errflg = 0;
- int i;
- int nbits;
- char *oldkeyfile = NULL;
-
- while ((opt = getopt_long(argc, argv, "", opts, NULL)) != EOF)
- switch (opt) {
- case 'v': /* verbose description */
- verbose = 1;
- break;
- case 'r': /* nonstandard /dev/random */
- device = optarg;
- break;
- case 'p': /* number of prime-check rounds */
- nrounds = atoi(optarg);
- if (nrounds <= 0) {
- fprintf(stderr, "%s: rounds must be > 0\n", me);
- exit(2);
- }
- break;
- case 'o': /* reformat old key */
- oldkeyfile = optarg;
- break;
- case 'H': /* set hostname for output */
- strcpy(outputhostname, optarg);
- break;
- case 'n': /* don't optimize the private key */
- do_lcm = 0;
- break;
- case 'h': /* help */
- printf("Usage:\t%s\n", usage);
- printf("\tor\n");
- printf("\t%s\n", usage2);
- exit(0);
- break;
- case 'V': /* version */
- printf("%s %s\n", me, ipsec_version_code());
- exit(0);
- break;
- case '?':
- default:
- errflg = 1;
- break;
- }
- if (errflg || optind != ((oldkeyfile != NULL) ? argc : argc-1)) {
- printf("Usage:\t%s\n", usage);
- printf("\tor\n");
- printf("\t%s\n", usage2);
- exit(2);
- }
-
- if (outputhostname[0] == '\0') {
- i = gethostname(outputhostname, sizeof(outputhostname));
- if (i < 0) {
- fprintf(stderr, "%s: gethostname failed (%s)\n",
- me,
- strerror(errno));
- exit(1);
- }
- }
-
- if (oldkeyfile == NULL) {
- assert(argv[optind] != NULL);
- nbits = atoi(argv[optind]);
- } else
- nbits = getoldkey(oldkeyfile);
-
- if (nbits <= 0) {
- fprintf(stderr, "%s: invalid bit count (%d)\n", me, nbits);
- exit(1);
- } else if (nbits > MAXBITS) {
- fprintf(stderr, "%s: overlarge bit count (max %d)\n", me,
- MAXBITS);
- exit(1);
- } else if (nbits % (CHAR_BIT*2) != 0) { /* *2 for nbits/2-bit primes */
- fprintf(stderr, "%s: bit count (%d) not multiple of %d\n", me,
- nbits, (int)CHAR_BIT*2);
- exit(1);
- }
-
- rsasigkey(nbits, (oldkeyfile == NULL) ? 0 : 1);
- exit(0);
-}
-
-/*
- - getoldkey - fetch an old key's primes
- */
-int /* nbits */
-getoldkey(filename)
-char *filename;
-{
- FILE *f;
- char line[MAXBITS/2];
- char *p;
- char *value;
- static char pube[] = "PublicExponent:";
- static char pubevalue[] = "0x03";
- static char pr1[] = "Prime1:";
- static char pr2[] = "Prime2:";
-# define STREQ(a, b) (strcmp(a, b) == 0)
- int sawpube = 0;
- int sawpr1 = 0;
- int sawpr2 = 0;
- int nbits;
-
- nbits = 0;
-
- if (STREQ(filename, "-"))
- f = stdin;
- else
- f = fopen(filename, "r");
- if (f == NULL) {
- fprintf(stderr, "%s: unable to open file `%s' (%s)\n", me,
- filename, strerror(errno));
- exit(1);
- }
- if (verbose)
- fprintf(stderr, "getting old key from %s...\n", filename);
-
- while (fgets(line, sizeof(line), f) != NULL) {
- p = line + strlen(line) - 1;
- if (*p != '\n') {
- fprintf(stderr, "%s: over-long line in file `%s'\n",
- me, filename);
- exit(1);
- }
- *p = '\0';
-
- p = line + strspn(line, " \t"); /* p -> first word */
- value = strpbrk(p, " \t"); /* value -> after it */
- if (value != NULL) {
- *value++ = '\0';
- value += strspn(value, " \t");
- /* value -> second word if any */
- }
-
- if (value == NULL || *value == '\0') {
- /* wrong format */
- } else if (STREQ(p, pube)) {
- sawpube = 1;
- if (!STREQ(value, pubevalue)) {
- fprintf(stderr, "%s: wrong public exponent (`%s') in old key\n",
- me, value);
- exit(1);
- }
- } else if (STREQ(p, pr1)) {
- if (sawpr1) {
- fprintf(stderr, "%s: duplicate `%s' lines in `%s'\n",
- me, pr1, filename);
- exit(1);
- }
- sawpr1 = 1;
- nbits = (strlen(value) - 2) * 4 * 2;
- if (mpz_init_set_str(prime1, value, 0) < 0) {
- fprintf(stderr, "%s: conversion error in reading old prime1\n",
- me);
- exit(1);
- }
- } else if (STREQ(p, pr2)) {
- if (sawpr2) {
- fprintf(stderr, "%s: duplicate `%s' lines in `%s'\n",
- me, pr2, filename);
- exit(1);
- }
- sawpr2 = 1;
- if (mpz_init_set_str(prime2, value, 0) < 0) {
- fprintf(stderr, "%s: conversion error in reading old prime2\n",
- me);
- exit(1);
- }
- }
- }
-
- if (f != stdin)
- fclose(f);
-
- if (!sawpube || !sawpr1 || !sawpr2) {
- fprintf(stderr, "%s: old key missing or incomplete\n", me);
- exit(1);
- }
-
- assert(sawpr1); /* and thus nbits is known */
- return(nbits);
-}
-
-/*
- - rsasigkey - generate an RSA signature key
- * e is fixed at 3, without discussion. That would not be wise if these
- * keys were to be used for encryption, but for signatures there are some
- * real speed advantages.
- */
-void
-rsasigkey(nbits, useoldkey)
-int nbits;
-int useoldkey; /* take primes from old key? */
-{
- mpz_t p;
- mpz_t q;
- mpz_t n;
- mpz_t e;
- mpz_t d;
- mpz_t q1; /* temporary */
- mpz_t m; /* internal modulus, (p-1)*(q-1) */
- mpz_t t; /* temporary */
- mpz_t exp1;
- mpz_t exp2;
- mpz_t coeff;
- char *bundp;
- size_t bs;
- int success;
- time_t now = time((time_t *)NULL);
-
- /* the easy stuff */
- if (useoldkey) {
- mpz_init_set(p, prime1);
- mpz_init_set(q, prime2);
- } else {
- initprime(p, nbits/2, E);
- initprime(q, nbits/2, E);
- }
- mpz_init(t);
- if (mpz_cmp(p, q) < 0) {
- report("swapping primes so p is the larger...");
- mpz_set(t, p);
- mpz_set(p, q);
- mpz_set(q, t);
- }
- report("computing modulus...");
- mpz_init(n);
- mpz_mul(n, p, q); /* n = p*q */
- mpz_init_set_ui(e, E);
-
- /* internal modulus */
- report("computing lcm(p-1, q-1)...");
- mpz_init_set(m, p);
- mpz_sub_ui(m, m, 1);
- mpz_init_set(q1, q);
- mpz_sub_ui(q1, q1, 1);
- mpz_gcd(t, m, q1); /* t = gcd(p-1, q-1) */
- mpz_mul(m, m, q1); /* m = (p-1)*(q-1) */
- if (do_lcm)
- mpz_divexact(m, m, t); /* m = lcm(p-1, q-1) */
- mpz_gcd(t, m, e);
- assert(mpz_cmp_ui(t, 1) == 0); /* m and e relatively prime */
-
- /* decryption key */
- report("computing d...");
- mpz_init(d);
- success = mpz_invert(d, e, m);
- assert(success); /* e has an inverse mod m */
- if (mpz_cmp_ui(d, 0) < 0)
- mpz_add(d, d, m);
- assert(mpz_cmp(d, m) < 0);
-
- /* the speedup hacks */
- report("computing exp1, exp1, coeff...");
- mpz_init(exp1);
- mpz_sub_ui(t, p, 1);
- mpz_mod(exp1, d, t); /* exp1 = d mod p-1 */
- mpz_init(exp2);
- mpz_sub_ui(t, q, 1);
- mpz_mod(exp2, d, t); /* exp2 = d mod q-1 */
- mpz_init(coeff);
- mpz_invert(coeff, q, p); /* coeff = q^-1 mod p */
- if (mpz_cmp_ui(coeff, 0) < 0)
- mpz_add(coeff, coeff, p);
- assert(mpz_cmp(coeff, p) < 0);
-
- /* and the output */
- /* note, getoldkey() knows about some of this */
- report("output...\n"); /* deliberate extra newline */
- printf("\t# RSA %d bits %s %s", nbits, outputhostname, ctime(&now));
- /* ctime provides \n */
- printf("\t# for signatures only, UNSAFE FOR ENCRYPTION\n");
- bundp = bundle(E, n, &bs);
- printf("\t#pubkey=%s\n", conv(bundp, bs, 's')); /* RFC2537ish format */
- printf("\tModulus: %s\n", hexout(n));
- printf("\tPublicExponent: %s\n", hexout(e));
- printf("\t# everything after this point is secret\n");
- printf("\tPrivateExponent: %s\n", hexout(d));
- printf("\tPrime1: %s\n", hexout(p));
- printf("\tPrime2: %s\n", hexout(q));
- printf("\tExponent1: %s\n", hexout(exp1));
- printf("\tExponent2: %s\n", hexout(exp2));
- printf("\tCoefficient: %s\n", hexout(coeff));
-}
-
-/*
- - initprime - initialize an mpz_t to a random prime of specified size
- * Efficiency tweak: we reject candidates that are 1 higher than a multiple
- * of e, since they will make the internal modulus not relatively prime to e.
- */
-void
-initprime(var, nbits, eval)
-mpz_t var;
-int nbits; /* known to be a multiple of CHAR_BIT */
-int eval; /* value of e; 0 means don't bother w. tweak */
-{
- unsigned long tries;
- size_t len;
-# define OKAY(p) (eval == 0 || mpz_fdiv_ui(p, eval) != 1)
-
- initrandom(var, nbits);
- assert(mpz_fdiv_ui(var, 2) == 1); /* odd number */
-
- report("looking for a prime starting there (can take a while)...");
- tries = 1;
- while (!( OKAY(var) && mpz_probab_prime_p(var, nrounds) )) {
- mpz_add_ui(var, var, 2);
- tries++;
- }
-
- len = mpz_sizeinbase(var, 2);
- assert(len == (size_t)nbits || len == (size_t)(nbits+1));
- if (len == (size_t)(nbits+1)) {
- report("carry out occurred (!), retrying...");
- mpz_clear(var);
- initprime(var, nbits, eval);
- return;
- }
- if (verbose)
- fprintf(stderr, "found it after %lu tries.\n", tries);
-}
-
-/*
- - initrandom - initialize an mpz_t to a random number, specified bit count
- * Converting via hex is a bit weird, but it's the best route GMP gives us.
- * Note that highmost and lowmost bits are forced on -- highmost to give a
- * number of exactly the specified length, lowmost so it is an odd number.
- */
-void
-initrandom(var, nbits)
-mpz_t var;
-int nbits; /* known to be a multiple of CHAR_BIT */
-{
- size_t nbytes = (size_t)(nbits / CHAR_BIT);
- static char bitbuf[MAXBITS/CHAR_BIT];
- static char hexbuf[2 + MAXBITS/4 + 1];
- size_t hsize = sizeof(hexbuf);
-
- assert(nbytes <= sizeof(bitbuf));
- getrandom(nbytes, bitbuf);
- bitbuf[0] |= 01 << (CHAR_BIT-1); /* force high bit on */
- bitbuf[nbytes-1] |= 01; /* force low bit on */
- if (datatot(bitbuf, nbytes, 'x', hexbuf, hsize) > hsize) {
- fprintf(stderr, "%s: can't-happen buffer overflow\n", me);
- exit(1);
- }
- if (mpz_init_set_str(var, hexbuf, 0) < 0) {
- fprintf(stderr, "%s: can't-happen hex conversion error\n", me);
- exit(1);
- }
-}
-
-/*
- - getrandom - get some random bytes from /dev/random (or wherever)
- */
-void
-getrandom(nbytes, buf)
-size_t nbytes;
-char *buf; /* known to be big enough */
-{
- size_t ndone;
- int dev;
- size_t got;
-
- dev = open(device, 0);
- if (dev < 0) {
- fprintf(stderr, "%s: could not open %s (%s)\n", me,
- device, strerror(errno));
- exit(1);
- }
-
- ndone = 0;
- if (verbose)
- fprintf(stderr, "getting %d random bytes from %s...\n", (int) nbytes,
- device);
- while (ndone < nbytes) {
- got = read(dev, buf + ndone, nbytes - ndone);
- if (got < 0) {
- fprintf(stderr, "%s: read error on %s (%s)\n", me,
- device, strerror(errno));
- exit(1);
- }
- if (got == 0) {
- fprintf(stderr, "%s: eof on %s!?!\n", me, device);
- exit(1);
- }
- ndone += got;
- }
-
- close(dev);
-}
-
-/*
- - hexout - prepare hex output, guaranteeing even number of digits
- * (The current FreeS/WAN conversion routines want an even digit count,
- * but mpz_get_str doesn't promise one.)
- */
-char * /* pointer to static buffer (ick) */
-hexout(var)
-mpz_t var;
-{
- static char hexbuf[3 + MAXBITS/4 + 1];
- char *hexp;
-
- mpz_get_str(hexbuf+3, 16, var);
- if (strlen(hexbuf+3)%2 == 0) /* even number of hex digits */
- hexp = hexbuf+1;
- else { /* odd, must pad */
- hexp = hexbuf;
- hexp[2] = '0';
- }
- hexp[0] = '0';
- hexp[1] = 'x';
-
- return hexp;
-}
-
-/*
- - bundle - bundle e and n into an RFC2537-format lump
- * Note, calls hexout.
- */
-char * /* pointer to static buffer (ick) */
-bundle(e, n, sizep)
-int e;
-mpz_t n;
-size_t *sizep;
-{
- char *hexp = hexout(n);
- static char bundbuf[2 + MAXBITS/8];
- const char *er;
- size_t size;
-
- assert(e <= 255);
- bundbuf[0] = 1;
- bundbuf[1] = e;
- er = ttodata(hexp, 0, 0, bundbuf+2, sizeof(bundbuf)-2, &size);
- if (er != NULL) {
- fprintf(stderr, "%s: can't-happen bundle convert error `%s'\n",
- me, er);
- exit(1);
- }
- if (size > sizeof(bundbuf)-2) {
- fprintf(stderr, "%s: can't-happen bundle overflow (need %d)\n",
- me, (int) size);
- exit(1);
- }
- if (sizep != NULL)
- *sizep = size + 2;
- return bundbuf;
-}
-
-/*
- - conv - convert bits to output in specified format
- */
-char * /* pointer to static buffer (ick) */
-conv(bits, nbytes, format)
-char *bits;
-size_t nbytes;
-int format; /* datatot() code */
-{
- static char convbuf[MAXBITS/4 + 50]; /* enough for hex */
- size_t n;
-
- n = datatot(bits, nbytes, format, convbuf, sizeof(convbuf));
- if (n == 0) {
- fprintf(stderr, "%s: can't-happen convert error\n", me);
- exit(1);
- }
- if (n > sizeof(convbuf)) {
- fprintf(stderr, "%s: can't-happen convert overflow (need %d)\n",
- me, (int) n);
- exit(1);
- }
- return convbuf;
-}
-
-/*
- - report - report progress, if indicated
- */
-void
-report(msg)
-char *msg;
-{
- if (!verbose)
- return;
- fprintf(stderr, "%s\n", msg);
-}
diff --git a/programs/scepclient/Makefile b/programs/scepclient/Makefile
deleted file mode 100644
index d42320236..000000000
--- a/programs/scepclient/Makefile
+++ /dev/null
@@ -1,192 +0,0 @@
-# Makefile for the scepclient
-# Copyright (C) 2005 Jan Hutter, Martin Willi
-# Hochschule fuer Technik Rapperswil
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PLUTODIR=../pluto
-OPENACDIR=../openac
-
-PROGRAM=scepclient
-EXTRA8PROC=${PROGRAM}.8
-
-# where to find sha2.h
-LIBCRYPTO=$(FREESWANSRCDIR)/lib/libcrypto
-LIBSHA2=$(LIBCRYPTO)/libsha2
-CFLAGS+= -I$(LIBCRYPTO)
-
-LIBS=${FREESWANLIB} $(LIBDESLITE) -lgmp
-CFLAGS+= -DDEBUG -DNO_PLUTO
-
-# This compile option activates the leak detective
-ifeq ($(USE_LEAK_DETECTIVE),true)
- CFLAGS+= -DLEAK_DETECTIVE
-endif
-
-# This compile option activates dynamic URL fetching using libcurl
-ifeq ($(USE_LIBCURL),true)
- CFLAGS+= -DLIBCURL
- LIBS+= -lcurl
-endif
-
-X509_OBJS= asn1.o ca.o certs.o constants.o crl.o defs.o fetch.o id.o keys.o \
- lex.o md2.o md5.o mp_defs.o ocsp.o oid.o pem.o pgp.o pkcs1.o pkcs7.o \
- rnd.o sha1.o sha2.o smartcard.o x509.o
-
-OBJS= rsakey.o pkcs10.o loglite.o scep.o ${X509_OBJS}
-
-include ../Makefile.program
-
-loglite.o : $(OPENACDIR)/loglite.c $(PLUTODIR)/log.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-rsakey.o : rsakey.c rsakey.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-pkcs10.o : pkcs10.c pkcs10.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-scep.o : scep.c scep.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-# X.509 library
-
-asn1.o : $(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-crl.o : $(PLUTODIR)/crl.c $(PLUTODIR)/crl.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-certs.o : $(PLUTODIR)/certs.c $(PLUTODIR)/certs.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-constants.o : $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-fetch.o : $(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-id.o : $(PLUTODIR)/id.c $(PLUTODIR)/id.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-keys.o : $(PLUTODIR)/keys.c $(PLUTODIR)/keys.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-md2.o : $(PLUTODIR)/md2.c $(PLUTODIR)/md2.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-md5.o : $(PLUTODIR)/md5.c $(PLUTODIR)/md5.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-mp_defs.o : $(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-oid.o : $(PLUTODIR)/oid.c $(PLUTODIR)/oid.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-pkcs7.o : $(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-rnd.o : $(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-sha1.o : $(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-sha2.o : $(LIBSHA2)/sha2.c $(LIBSHA2)/sha2.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-smartcard.o : $(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-x509.o : $(PLUTODIR)/x509.c $(PLUTODIR)/x509.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-doxygen :
- doxygen doxyconfig.DoxyFile
-
-# Stolen from pluto/Makefile
-
-gatherdeps:
- @ls | grep '\.c$$' | sed -e 's/\(.*\)\.c$$/\1.o: \1.c/'
- @echo
- @ls | grep '\.c$$' | xargs grep '^#[ ]*include[ ]*"' | \
- sed -e 's/\.c:#[ ]*include[ ]*"/.o: /' -e 's/".*//'
-
-# Dependencies generated by "make gatherdeps":
-
-pkcs10.o: pkcs10.c
-rsakey.o: rsakey.c
-scep.o: scep.c
-scepclient.o: scepclient.c
-
-pkcs10.o: ../pluto/constants.h
-pkcs10.o: ../pluto/defs.h
-pkcs10.o: ../pluto/oid.h
-pkcs10.o: ../pluto/asn1.h
-pkcs10.o: ../pluto/pkcs1.h
-pkcs10.o: ../pluto/log.h
-pkcs10.o: ../pluto/x509.h
-pkcs10.o: pkcs10.h
-rsakey.o: ../pluto/constants.h
-rsakey.o: ../pluto/defs.h
-rsakey.o: ../pluto/mp_defs.h
-rsakey.o: ../pluto/log.h
-rsakey.o: ../pluto/asn1.h
-rsakey.o: ../pluto/pkcs1.h
-rsakey.o: rsakey.h
-scep.o: ../pluto/constants.h
-scep.o: ../pluto/defs.h
-scep.o: ../pluto/rnd.h
-scep.o: ../pluto/oid.h
-scep.o: ../pluto/asn1.h
-scep.o: ../pluto/pkcs1.h
-scep.o: ../pluto/fetch.h
-scep.o: ../pluto/log.h
-scep.o: scep.h
-scepclient.o: ../pluto/constants.h
-scepclient.o: ../pluto/defs.h
-scepclient.o: ../pluto/log.h
-scepclient.o: ../pluto/oid.h
-scepclient.o: ../pluto/asn1.h
-scepclient.o: ../pluto/pkcs1.h
-scepclient.o: ../pluto/pkcs7.h
-scepclient.o: ../pluto/certs.h
-scepclient.o: ../pluto/fetch.h
-scepclient.o: ../pluto/rnd.h
-scepclient.o: rsakey.h
-scepclient.o: pkcs10.h
-scepclient.o: scep.h
diff --git a/programs/secrets/Makefile b/programs/secrets/Makefile
deleted file mode 100644
index a853d22f2..000000000
--- a/programs/secrets/Makefile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:30 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=secrets
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:30 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.2 2002/06/02 22:02:14 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/secrets/secrets.8 b/programs/secrets/secrets.8
deleted file mode 100644
index 2333a0a3e..000000000
--- a/programs/secrets/secrets.8
+++ /dev/null
@@ -1,20 +0,0 @@
-.TH IPSEC_SECRETS 8 "31 Aug 2003"
-.\" RCSID $Id: secrets.8,v 1.1 2004/03/15 20:35:30 as Exp $
-.SH NAME
-ipsec secrets \- prompt for PIN codes and passphrases
-.SH SYNOPSIS
-.B ipsec
-.B secrets
-.SH DESCRIPTION
-.I Secrets
-is an alias for
-.B ipsec auto --rereadsecrets
-and prompts for PIN codes and passphrases protecting private RSA keys.
-.SH SEE ALSO
-ipsec.secrets(5)
-.SH HISTORY
-Written for the FreeS/WAN project
-<http://www.freeswan.org>
-by Andreas Steffen.
-.SH BUGS
-None
diff --git a/programs/secrets/secrets.in b/programs/secrets/secrets.in
deleted file mode 100644
index b7e486098..000000000
--- a/programs/secrets/secrets.in
+++ /dev/null
@@ -1,18 +0,0 @@
-#! /bin/sh
-# program which prompts for PINs and passphrases
-# alias for ipsec auto --rereadsecrets
-# Copyright (C) 2003 Andreas Steffen
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: secrets.in,v 1.1 2004/03/15 20:35:31 as Exp $
-
-ipsec auto --rereadsecrets
diff --git a/programs/send-pr/.cvsignore b/programs/send-pr/.cvsignore
deleted file mode 100644
index 953bfcf5a..000000000
--- a/programs/send-pr/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-send-pr
diff --git a/programs/send-pr/Makefile b/programs/send-pr/Makefile
deleted file mode 100644
index db7d51929..000000000
--- a/programs/send-pr/Makefile
+++ /dev/null
@@ -1,39 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=send-pr
-LIBFILES=ipsec_pr.template
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:31 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.2 2002/06/02 21:51:41 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/send-pr/ipsec_pr.template b/programs/send-pr/ipsec_pr.template
deleted file mode 100644
index 3e809a677..000000000
--- a/programs/send-pr/ipsec_pr.template
+++ /dev/null
@@ -1,54 +0,0 @@
-SEND-PR: -*- send-pr -*-
-SEND-PR: Lines starting with `SEND-PR' will be removed automatically, as
-SEND-PR: will all comments (text enclosed in `<' and `>').
-SEND-PR:
-SEND-PR: Please consult the send-pr man page `send-pr(1)' or the Texinfo
-SEND-PR: manual if you are not sure how to fill out a problem report.
-SEND-PR: Note that the Synopsis field is mandatory. The Subject (for
-SEND-PR: the mail) will be made the same as Synopsis unless explicitly
-SEND-PR: changed.
-SEND-PR:
-SEND-PR: Choose from the following categories:
-SEND-PR:
-SEND-PR: pluto - Problems with IKE daemon
-SEND-PR: klips - Problems with kernel code
-SEND-PR: startup- Problems with start/configuration code
-SEND-PR: doc - Problems with documentation
-SEND-PR: interop- Problems with interoperability
-SEND-PR: source - source code patches/contributions
-SEND-PR: admin - Problems with freeswan.org machines
-SEND-PR:
-To: gnats-bugs@freeswan.org
-Subject:
-From: <FROM>
-Reply-To: <REPLYTO>
-Cc:
-X-send-pr-version: 4.0-alpha
-X-GNATS-Notify:
-
->Submitter-Id: <SUBMITTER>
->Originator: <DEFAULT_ORIGINATOR>
->Organization:
- unknown
->Synopsis: <One-line summary of the PR (one line)>
->Confidential: <[ yes | no ] (one line)>
->Severity: <[ critical | serious | non-critical ] (one line)>
->Priority: <[ high | medium | low ] (one line)>
->Category: <choose from a category listed above (one line)>
->Class: <[ sw-bug | dos | interop | mtu | log | doc-bug | support | change-request | mistaken | duplicate ] (one line)>
->Release: <DEFAULT_VERSION>
->Environment:
- <DEFAULT_ENVIRONMENT>
-
->IPsec-barf-location: <DEFAULT_BARF>
- <some URL with the output of ipsec barf.>
-
->Description:
- <Precise description of the problem (multiple lines)>
->How-To-Repeat:
- <code/input/activities to reproduce the problem (multiple lines)>
->Fix:
- <How to correct or work around the problem, if known (multiple lines)>
-
->IPsec-look:
-
diff --git a/programs/send-pr/send-pr.8 b/programs/send-pr/send-pr.8
deleted file mode 100644
index 73a5bbf3c..000000000
--- a/programs/send-pr/send-pr.8
+++ /dev/null
@@ -1,291 +0,0 @@
-.\" -*- nroff -*-
-.\" ---------------------------------------------------------------------------
-.\" man page for send-pr (by Heinz G. Seidl, hgs@cygnus.com)
-.\" updated Feb 1993 for GNATS 3.00 by Jeffrey Osier, jeffrey@cygnus.com
-.\"
-.\" This file is part of the Problem Report Management System (GNATS)
-.\" Copyright 1992 Cygnus Support
-.\"
-.\" This program is free software; you can redistribute it and/or
-.\" modify it under the terms of the GNU General Public
-.\" License as published by the Free Software Foundation; either
-.\" version 2 of the License, or (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful,
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-.\" General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU Library General Public
-.\" License along with this program; if not, write to the Free
-.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
-.\"
-.\" ---------------------------------------------------------------------------
-.nh
-.TH SEND-PR 8 xVERSIONx "February 1993"
-.SH NAME
-ipsec send-pr \- send problem report (PR) to a central support site
-.SH SYNOPSIS
-.B ipsec send-pr
-[
-.I site
-]
-[
-.B \-f
-.I problem-report
-]
-[
-.B \-t
-.I mail-address
-]
-.br
-.in +0.8i
-[
-.B \-P
-]
-[
-.B \-L
-]
-[
-.B \-s
-.I severity
-]
-[
-.B \-c
-.I address
-]
-.br
-[
-.B \-\-request-id
-]
-[
-.B \-V
-]
-.SH DESCRIPTION
-.B ipsec send-pr
-is a tool used to submit
-.I problem reports
-.\" SITE ADMINISTRATORS - change this if you use a local default
-(PRs) to a central support site. In most cases the correct
-.I site
-will be the default. This argument indicates the support site which
-is responsible for the category of problem involved. Some sites may
-use a local address as a default.
-.I site
-values are defined by using the
-.BR aliases (5).
-.LP
-.B ipsec send-pr
-invokes an editor on a problem report template (after trying to fill
-in some fields with reasonable default values). When you exit the
-editor,
-.B ipsec send-pr
-sends the completed form to the
-.I Problem Report Management System
-(\fBGNATS\fR) at a central support site. At the support site, the PR
-is assigned a unique number and is stored in the \fBGNATS\fR database
-according to its category and submitter-id. \fBGNATS\fR automatically
-replies with an acknowledgement, citing the category and the PR
-number.
-.LP
-To ensure that a PR is handled promptly, it should contain your (unique)
-\fIsubmitter-id\fR and one of the available \fIcategories\fR to identify the
-problem area. (Use
-.B `ipsec send-pr -L'
-to see a list of categories.)
-.LP
-The
-.B ipsec send-pr
-template at your site should already be customized with your
-submitter-id (running `\|\fBinstall-sid\fP \fIsubmitter-id\fP\|' to
-accomplish this is part of the installation procedures for
-.BR ipsec send-pr ).
-If this hasn't been done, see your system administrator for your
-submitter-id, or request one from your support site by invoking
-.B `ipsec send-pr \-\-request\-id'.
-If your site does not distinguish between different user sites, or if
-you are not affiliated with the support site, use
-.B `net'
-for this field.
-.LP
-The more precise your problem description and the more complete your
-information, the faster your support team can solve your problems.
-.SH OPTIONS
-.TP
-.BI \-f " problem-report"
-specify a file (\fIproblem-report\fR) which already contains a
-complete problem report.
-.B ipsec send-pr
-sends the contents of the file without invoking the editor. If
-the value for
-.I problem-report
-is
-.BR `\|\-\|' ,
-then
-.B ipsec send-pr
-reads from standard input.
-.TP
-.BI \-s " severity"
-Give the problem report the severity
-.IR severity .
-.TP
-.BI \-t " mail-address"
-Change mail address at the support site for problem reports. The
-default
-.I mail-address
-is the address used for the default
-.IR site .
-Use the
-.I site
-argument rather than this option in nearly all cases.
-.TP
-.BI \-c " address"
-Put
-.I address
-in the
-.B Cc:
-header of the message.
-.TP
-.B \-P
-print the form specified by the environment variable
-.B PR_FORM
-on standard output. If
-.B PR_FORM
-is not set, print the standard blank PR template. No mail is sent.
-.TP
-.B -L
-print the list of available categories. No mail is sent.
-.TP
-.B \-\-request\-id
-sends mail to the default support site, or
-.I site
-if specified, with a request for your
-.IR submitter-id .
-If you are
-not affiliated with
-.IR site ,
-use a
-.I submitter-id
-of
-.BR net \|'.
-.TP
-.B \-V
-Display the
-.B ipsec send-pr
-version number.
-.LP
-Note: use
-.B ipsec send-pr
-to submit problem reports rather than mailing them directly. Using
-both the template and
-.B ipsec send-pr
-itself will help ensure all necessary information will reach the
-support site.
-.SH ENVIRONMENT
-The environment variable
-.B EDITOR
-specifies the editor to invoke on the template.
-.br
-default:
-.B vi
-.sp
-If the environment variable
-.B PR_FORM
-is set, then its value is used as the file name of the template for
-your problem-report editing session. You can use this to start with a
-partially completed form (for example, a form with the identification
-fields already completed).
-.SH "HOW TO FILL OUT A PROBLEM REPORT"
-Problem reports have to be in a particular form so that a program can
-easily manage them. Please remember the following guidelines:
-.IP \(bu 3m
-describe only
-.B one problem
-with each problem report.
-.IP \(bu 3m
-For follow-up mail, use the same subject line as the one in the automatic
-acknowledgent. It consists of category, PR number and the original synopsis
-line. This allows the support site to relate several mail messages to a
-particular PR and to record them automatically.
-.IP \(bu 3m
-Please try to be as accurate as possible in the subject and/or synopsis line.
-.IP \(bu 3m
-The subject and the synopsis line are not confidential. This is
-because open-bugs lists are compiled from them. Avoid confidential
-information there.
-.LP
-See the GNU
-.B Info
-file
-.B send-pr.info
-or the document \fIReporting Problems With send-pr\fR\ for detailed
-information on reporting problems
-.SH "HOW TO SUBMIT TEST CASES, CODE, ETC."
-Submit small code samples with the PR. Contact the support site for
-instructions on submitting larger test cases and problematic source
-code.
-.SH FILES
-.ta \w'/tmp/pbad$$ 'u
-/tmp/p$$ copy of PR used in editing session
-.br
-/tmp/pf$$ copy of empty PR form, for testing purposes
-.br
-/tmp/pbad$$ file for rejected PRs
-.br
-@IPSEC_DIR@/send-pr.conf script to customize send-pr.
-.SH EMACS USER INTERFACE
-An Emacs user interface for
-.B send-pr
-with completion of field values is part of the
-.B send-pr
-distribution (invoked with
-.BR "M-x send-pr" ).
-See the file
-.B send-pr.info
-or the ASCII file
-.B INSTALL
-in the top level directory of the distribution for configuration and
-installation information. The Emacs LISP template file is
-.B send-pr-el.in
-and is installed as
-.BR send-pr.el .
-.SH INSTALLATION AND CONFIGURATION
-See
-.B send-pr.info
-or
-.B INSTALL
-for installation instructions.
-.SH SEE ALSO
-.I Reporting Problems Using send-pr
-(also installed as the GNU Info file
-.BR send-pr.info ).
-.LP
-.BR gnats (l),
-.BR query-pr (1),
-.BR edit-pr (1),
-.BR gnats (8),
-.BR queue-pr (8),
-.BR at-pr (8),
-.BR mkcat (8),
-.BR mkdist (8).
-.SH AUTHORS
-Jeffrey Osier, Brendan Kehoe, Jason Merrill, Heinz G. Seidl (Cygnus
-Support)
-.SH COPYING
-Copyright (c) 1992, 1993 Free Software Foundation, Inc.
-.PP
-Permission is granted to make and distribute verbatim copies of
-this manual provided the copyright notice and this permission notice
-are preserved on all copies.
-.PP
-Permission is granted to copy and distribute modified versions of this
-manual under the conditions for verbatim copying, provided that the
-entire resulting derived work is distributed under the terms of a
-permission notice identical to this one.
-.PP
-Permission is granted to copy and distribute translations of this
-manual into another language, under the above conditions for modified
-versions, except that this permission notice may be included in
-translations approved by the Free Software Foundation instead of in
-the original English.
-
diff --git a/programs/send-pr/send-pr.in b/programs/send-pr/send-pr.in
deleted file mode 100755
index 6cd202470..000000000
--- a/programs/send-pr/send-pr.in
+++ /dev/null
@@ -1,643 +0,0 @@
-#!/bin/sh
-# Submit a problem report to a GNATS site.
-# Copyright (C) 2001 Milan Zamazal
-# Copyright (C) 1993, 2001 Free Software Foundation, Inc.
-# Contributed by Brendan Kehoe (brendan@cygnus.com), based on a
-# version written by Heinz G. Seidl (hgs@cygnus.com).
-# Further edited by Milan Zamazal (pdm@zamazal.org).
-# mktemp support by Yngve Svendsen (yngve.svendsen@clustra.com).
-#
-# This file is part of GNU GNATS.
-#
-# GNU GNATS is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# GNU GNATS is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with GNU GNATS; see the file COPYING. If not, write to
-# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
-
-#
-# $Id: send-pr.in,v 1.1 2004/03/15 20:35:31 as Exp $
-#
-
-# The version of this send-pr.
-VERSION=4.0-alpha
-
-#SWAN_VERSION=
-
-# The submitter-id for your site.
-SUBMITTER=net
-
-# The place where our usual binaries live.
-BINDIR=@IPSEC_DIR@
-
-# The place where the builtin binaries are located.
-LIBDIR=@IPSEC_LIBDIR@
-LIBEXECDIR=@IPSEC_EXECDIR@
-
-# The default release for this host.
-DEFAULT_RELEASE="gnats-4.0-alpha"
-
-# The default organization.
-DEFAULT_ORGANIZATION="net"
-
-# How to read the passwd database.
-PASSWD="cat /etc/passwd"
-
-# Is the mktemp command available?
-MKTEMP="yes"
-
-ECHON=bsd
-
-# By default send-pr connects directly to the database. However, it
-# can be configured to use an existing template file by setting the
-# TEMPLATE variable below to point to a PR template generated from
-# "send-pr -P".
-TEMPLATE="$LIBDIR/ipsec_pr.template"
-
-# send-pr can use mail to submit PRs, instead of connecting to the
-# database directly. MAILPROG needs to point to a compatible mailer
-# (sendmail will work). If MAILPROG needs to have the address that
-# the mail is being sent to specified on the command line, it should
-# be specified here as well (for example, the command
-# MAILPROG="mail bugs@foo.bar.com"
-# should work). If sendmail is used, this should be set to
-# MAILPROG="/usr/lib/sendmail -oi -t"
-MAILPROG="/usr/sbin/sendmail -oi -t"
-
-# The address that PRs are sent to. Normally this can be left as "bugs";
-# however, if using mail to submit PRs, this should be set to the address
-# where PRs should be sent.
-MAILADDR="freeswan-bugs@freeswan.org"
-
-if [ $ECHON = bsd ] ; then
- ECHON1="echo -n"
- ECHON2=
-elif [ $ECHON = sysv ] ; then
- ECHON1=echo
- ECHON2='\c'
-else
- ECHON1=echo
- ECHON2=
-fi
-
-# Configuration file to be read. It must be a shell script that can redefine
-# the variables above to fit a local configuration.
-CONFIGFILE=@IPSEC_DIR@/send-pr.conf
-
-if [ -r $CONFIGFILE ]; then
- . $CONFIGFILE
-fi
-
-#
-
-if [ -z "$TMPDIR" ]; then
- TMPDIR=/tmp
-else
- if [ "`echo $TMPDIR | grep '/$'`" != "" ]; then
- TMPDIR="`echo $TMPDIR | sed -e 's,/$,,'`"
- fi
-fi
-
-# TEMP: Temporary copy of the PR, to be edited by the user.
-# BAD: The PR will end up here if the user aborts.
-# REF: The 'reference' copy of the PR template, used to verify that the user
-# actually did edit the template.
-# FIXFIL: A sed script used to remove comments from the template before
-# processing.
-if [ $MKTEMP = yes ]; then
- TEMP=`mktemp $TMPDIR/pXXXXXX` || exit 1
- BAD=`mktemp $TMPDIR/pbadXXXXXX` || exit 1
- REF=`mktemp $TMPDIR/pfXXXXXX` || exit 1
- FIXFIL=`mktemp $TMPDIR/fixXXXXXX` || exit 1
-else
- TEMP=$TMPDIR/p$$
- BAD=$TMPDIR/pbad$$
- REF=$TMPDIR/pf$$
- FIXFIL=$TMPDIR/fix$$
- bad_temp=0
- : > $TEMP || bad_temp=1
- : > $BAD || bad_temp=1
- : > $REF || bad_temp=1
- : > $FIXFIL || bad_temp=1
- if [ $bad_temp = 1 ]; then
- rm -f $TEMP $BAD $REF $FIXFIL
- exit 1;
- fi
-fi
-REMOVE_TEMP="rm -f $TEMP $BAD $REF"
-
-# find a user name
-if [ "$LOGNAME" = "" ]; then
- if [ "$USER" != "" ]; then
- LOGNAME="$USER"
- else
- LOGNAME="UNKNOWN"
- fi
-fi
-
-FROM="$LOGNAME"
-REPLYTO="${REPLY_TO:-${REPLYTO:-$LOGNAME}}"
-if [ "x$MAILPROG" != "x" ]
-then
- RESP_ALIAS="`query-pr --adm-field responsible --adm-key $LOGNAME --adm-subfield alias 2>/dev/null`"
-else
- RESP_ALIAS=""
-fi
-
-# Find out the name of the originator of this PR.
-if [ -n "$NAME" ]; then
- DEFAULT_ORIGINATOR="$NAME"
-elif [ -f $HOME/.fullname ]; then
- DEFAULT_ORIGINATOR="`sed -e '1q' $HOME/.fullname`"
-else
- # Must use temp file due to incompatibilities in quoting behavior
- # and to protect shell metacharacters in the expansion of $LOGNAME
- $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > $TEMP
- if [ "x$RESP_ALIAS" != "x" ]
- then
- DEFAULT_ORIGINATOR="$RESP_ALIAS (`cat $TEMP`)"
- else
- DEFAULT_ORIGINATOR="$FROM (`cat $TEMP`)"
- fi
- rm -f $TEMP
-fi
-
-if [ -z "$ORGANIZATION" ]
-then
- ORGANIZATION="$DEFAULT_ORGANIZATION";
-fi
-
-if [ -n "$ORGANIZATION" -a "x$ORGANIZATION" != "xunknown" ]; then
- if [ -f "$ORGANIZATION" ]; then
- ORGANIZATION="`cat $ORGANIZATION`"
- fi
- if [ -n "$ORGANIZATION" ]; then
- ORGANIZATION="$ORGANIZATION"
- elif [ -f $HOME/.organization ]; then
- ORGANIZATION="`cat $HOME/.organization`"
- fi
-fi
-
-if [ "x$ORGANIZATION" = "xunknown" ]; then
- cat <<__EOF__
-It seems that send-pr is not installed with your organization set to a useful
-value. To fix this, you need to edit the configuration file
-$CONFIGFILE
-and fill in the organization with the correct value.
-
-__EOF__
- ORGANIZATION="";
-fi 1>&2
-
-# If they don't have a preferred editor set, then use
-if [ -z "$VISUAL" ]; then
- if [ -z "$EDITOR" ]; then
- EDIT=vi
- else
- EDIT="$EDITOR"
- fi
-else
- EDIT="$VISUAL"
-fi
-
-# Find out some information.
-SYSTEM=`( [ -f /bin/uname ] && /bin/uname -a ) || \
- ( [ -f /usr/bin/uname ] && /usr/bin/uname -a ) || echo "" | sed -e 's,|,\\|,'`
-
-# Our base command name.
-COMMAND=`echo $0 | sed -e 's,.*/,,'`
-USAGE="Usage: $COMMAND [OPTION]...
-
- -b --batch run without printing most messages
- --barf include a full barf inline rather than just look
- -c --cc=LINE put LINE to the CC header
- -d --database=DATABASE submit PR to DATABASE
- -f --file=FILE read the PR template from FILE (\`-' for stdin)
- -p --print just print the template and exit
- --request-id send a request for a user id
- -s --severity=SEVERITY PR severity
-
- -h --help display this help and exit
- -V --version output version information and exit
-"
-REMOVE=
-BATCH=
-CC=
-DEFAULT_SEVERITY=
-BARF=${BARF-false}
-
-if [ "$SYSTEM" != "" ]
-then
- DEFAULT_ENVIRONMENT="System: $SYSTEM"
-fi
-
-if [ "$SWAN_VERSION" != "" ]
-then
- DEFAULT_VERSION="$SWAN_VERSION";
-else
- DEFAULT_VERSION=`ipsec --versioncode`
-fi
-DEFAULT_VERSION=`echo $DEFAULT_VERSION | sed -e 's,\/,\\\/,'`
-
-while [ $# -gt 0 ]; do
- case "$1" in
- -r) ;; # Ignore for backward compat.
- -f | --file) if [ $# -eq 1 ]; then echo "$USAGE"; exit 1; fi
- shift ; IN_FILE="$1"
- if [ "$IN_FILE" != "-" -a ! -r "$IN_FILE" ]; then
- echo "$COMMAND: cannot read $IN_FILE"
- exit 1
- fi
- ;;
- -b | --batch) BATCH=true ;;
- --barf) BARF=true ;;
- -c | --cc) if [ $# -eq 1 ]; then echo "$USAGE"; exit 1; fi
- shift ; CC="$1"
- ;;
- -d | --database) if [ $# -eq 1 ]; then echo "$USAGE"; exit 1; fi
- shift; GNATSDB="$1"; export GNATSDB
- ;;
- -s | --severity) if [ $# -eq 1 ]; then echo "$USAGE"; exit 1; fi
- shift ; DEFAULT_SEVERITY="$1"
- ;;
- -p | -P | --print) PRINT=true ;;
- --request-id) REQUEST_ID=true ;;
- -h | --help) echo "$USAGE"; exit 0 ;;
- -V | --version) echo "$VERSION"; exit 0 ;;
- -*) echo "$USAGE" ; exit 1 ;;
- *) echo "$USAGE" ; exit 1 ;;
- esac
- shift
-done
-
-if [ "x$SUBMITTER" = "x" ]
-then
- SUBMITTER="unknown"
-fi
-
-if [ "x$SUBMITTER" = "xunknown" -a -z "$REQUEST_ID" -a -z "$IN_FILE" ]; then
- cat << '__EOF__'
-It seems that send-pr is not installed with your unique submitter-id.
-You need to run
-
- install-sid YOUR-SID
-
-where YOUR-SID is the identification code you received with `send-pr'.
-`send-pr' will automatically insert this value into the template field
-`>Submitter-Id'. If you've downloaded `send-pr' from the Net, use `net'
-for this value. If you do not know your id, run `send-pr --request-id' to
-get one from your support site.
-__EOF__
- exit 1
-fi
-
-# So the template generation code finds it.
-DEFAULT_SUBMITTERID=${SUBMITTER}
-
-# Catch some signals. ($xs kludge needed by Sun /bin/sh)
-xs=0
-trap 'rm -f $REF $TEMP $FIXFIL; exit $xs' 0
-trap 'echo "$COMMAND: Aborting ..."; rm -f $REF $TEMP $FIXFIL; xs=1; exit' 1 3 13 15
-
-if [ "x$PRINT" = "xtrue" ]; then
- FROM="<FROM>"
- REPLYTO="<REPLYTO>"
- DEFAULT_ORIGINATOR="<DEFAULT_ORIGINATOR>"
- DEFAULT_SUBMITTERID="<SUBMITTER>"
-fi
-
-# If they told us to use a specific file, then do so.
-if [ -n "$IN_FILE" ]; then
- if [ "$IN_FILE" = "-" ]; then
- # The PR is coming from the standard input.
- cat > $TEMP
- else
- # Use the file they named.
- cat $IN_FILE > $TEMP
- fi
-else
- if [ -n "$TEMPLATE" -a -z "$PRINT_INTERN" ]; then
- # If their TEMPLATE points to a bogus entry, then bail.
- if [ ! -f "$TEMPLATE" -o ! -r "$TEMPLATE" -o ! -s "$TEMPLATE" ]; then
- echo "$COMMAND: can't seem to read your template file (\`$TEMPLATE'), ignoring TEMPLATE"
- sleep 1
- PRINT_INTERN=bad_prform
- fi
- fi
-
- if [ -n "$TEMPLATE" -a -z "$PRINT_INTERN" ]; then
- sed "s/<FROM>/$FROM/;s/<REPLYTO>/$REPLYTO/;s/<DEFAULT_ORIGINATOR>/$DEFAULT_ORIGINATOR/;s/<SUBMITTER>/$DEFAULT_SUBMITTERID/;s|<DEFAULT_ENVIRONMENT>|$DEFAULT_ENVIRONMENT|;s/<DEFAULT_BARF>/$DEFAULT_BARF/;s/<DEFAULT_VERSION>/$DEFAULT_VERSION/;" < $TEMPLATE > $TEMP ||
- ( echo "$COMMAND: could not copy $TEMPLATE" ; xs=1; exit )
- else
- # Which genius thought of iterating through this loop twice, when the
- # cp command would suffice?
- for file in $TEMP ; do
- cat > $file << '__EOF__'
-SEND-PR: -*- send-pr -*-
-SEND-PR: Lines starting with `SEND-PR' will be removed automatically, as
-SEND-PR: will all comments (text enclosed in `<' and `>').
-SEND-PR:
-SEND-PR: Please consult the send-pr man page `send-pr(1)' or the Texinfo
-SEND-PR: manual if you are not sure how to fill out a problem report.
-SEND-PR: Note that the Synopsis field is mandatory. The Subject (for
-SEND-PR: the mail) will be made the same as Synopsis unless explicitly
-SEND-PR: changed.
-SEND-PR:
-SEND-PR: Choose from the following categories:
-SEND-PR:
-__EOF__
-
- # Format the categories so they fit onto lines.
- CATEGORIES=`${BINDIR}/query-pr --valid-values Category`;
- l=`echo "$CATEGORIES" | \
- awk 'BEGIN {max = 0; } { if (length($0) > max) { max = length($0); } }
- END {print max + 1;}'`
- c=`expr 61 / $l`
- if [ $c -eq 0 ]; then c=1; fi
- echo "$CATEGORIES" | \
- awk 'BEGIN {printf "SEND-PR: "; i = 0 }
- { printf ("%-'$l'.'$l's", $0);
- if ((++i % '$c') == 0) { printf "\nSEND-PR: " } }
- END { printf "\nSEND-PR:\n"; }' >> $file
-
- cat >> $file << __EOF__
-To: $MAILADDR
-Subject:
-From: $FROM
-Reply-To: $REPLYTO
-Cc: $CC
-X-send-pr-version: $VERSION
-X-GNATS-Notify:
-
-
-__EOF__
-
- #
- # Iterate through the list of input fields. fieldname is the
- # name of the field. fmtname is the formatted name of the field,
- # with >, : and extra spaces to cause the field contents to be
- # aligned.
- #
- ${BINDIR}/query-pr --list-input-fields | awk '{a[NR]=$1""; mnr = NR+1; len = length($1) + 2; if (mlen < len) mlen = len; } END { for (x = 1; x < mnr; x++) { b = ">"a[x]":"; printf ("%s %-"mlen"s&\n", a[x], b); } }' | while read fieldname fmtname
- do
- fmtname="`echo "$fmtname" | sed 's/[&]$//;'`"
- upname="`echo $fieldname | sed 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/;s/-//g;'`"
- # Grab the default value for this field.
- eval 'default_val="$DEFAULT_'${upname}'"'
- # What's stored in the field?
- type=`${BINDIR}/query-pr --field-type $fieldname | sed 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'`
- case $type in
- enum)
- if [ "$default_val" != "" ]
- then
- desc=$default_val;
- else
- if [ "$fieldname" != "Category" ]
- then
- values=`${BINDIR}/query-pr --valid-values $fieldname | tr '\n' ' ' | sed 's/ *$//g;s/ / | /g;s/^/[ /;s/$/ ]/;'`
- valslen=`echo "$values" | wc -c`
- else
- values="choose from a category listed above"
- valslen=1;
- fi
- if [ "$valslen" -gt 160 ]
- then
- desc="<`${BINDIR}/query-pr --field-description $fieldname` (one line)>";
- else
- desc="<${values} (one line)>";
- fi
- dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'`
- echo "/^>${fieldname}:/ s/${dpat}//" >> $FIXFIL
- fi
- echo "${fmtname}${desc}" >> $file
- ;;
- multitext)
- if [ "$default_val" != "" ]
- then
- desc=" $default_val";
- else
- desc=" <`${BINDIR}/query-pr --field-description $fieldname` (multiple lines)>";
- dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'`
- echo "s/^${dpat}//" >> $FIXFIL
- fi
- echo "${fmtname}" >> $file;
- echo "$desc" >> $file;
- ;;
- *)
- if [ "$default_val" != "" ]
- then
- desc="${default_val}"
- else
- desc="<`${BINDIR}/query-pr --field-description $fieldname` (one line)>"
- dpat=`echo "$desc" | tr '\]\[*+^$|\()&/' '............'`
- echo "/^>${fieldname}:/ s/${dpat}//" >> $FIXFIL
- fi
- echo "${fmtname}${desc}" >> $file
- ;;
- esac
- done
- done
- fi
-
- if [ "$PRINT" = true -o "$PRINT_INTERN" = true ]; then
- cat $TEMP
- xs=0; exit
- fi
-
- if $BARF
- then
- ipsec barf >>$TEMP
- else
- ipsec look >>$TEMP
- fi
-
- cp $TEMP $REF
-
- chmod u+w $TEMP
- if [ -z "$REQUEST_ID" ]; then
- eval $EDIT $TEMP
- else
- ed -s $TEMP << '__EOF__'
-/^Subject/s/^Subject:.*/Subject: request for a customer id/
-/^>Category/s/^>Category:.*/>Category: send-pr/
-w
-q
-__EOF__
- fi
-
- if cmp -s $REF $TEMP ; then
- echo "$COMMAND: problem report not filled out, therefore not sent"
- xs=1; exit
- fi
-fi
-
-# TEMP is the PR that we are editing. When we're done, REF will contain
-# the final PR to be sent.
-
-while [ -z "$REQUEST_ID" ]; do
- CNT=0
-
- #
- # Remove comments.
- #
- echo '/^SEND-PR:/d' >> $FIXFIL
- sed -f $FIXFIL $TEMP > $REF
-
- # REF now has the actual PR that we want to send.
-
- #
- # Check that synopsis is not empty.
- #
- if grep "^>Synopsis:[ ]*$" $REF > /dev/null
- then
- echo "$COMMAND: Synopsis must not be empty."
- CNT=`expr $CNT + 1`
- fi
-
- if [ "x$MAILPROG" = "x" ]
- then
- # Since we're not using mail, use pr-edit to check the PR. We can't
- # do much checking otherwise, sorry.
- $LIBEXECDIR/pr-edit --check-initial < $REF || CNT=`expr $CNT + 1`
- fi
-
- [ $CNT -gt 0 -a -z "$BATCH" ] &&
- echo "Errors were found with the problem report."
-
- while true; do
- if [ -z "$BATCH" ]; then
- $ECHON1 "a)bort, e)dit or s)end? $ECHON2"
- read input
- else
- if [ $CNT -eq 0 ]; then
- input=s
- else
- input=a
- fi
- fi
- case "$input" in
- a*)
- if [ -z "$BATCH" ]; then
- echo "$COMMAND: the problem report remains in $BAD and is not sent."
- mv $TEMP $BAD
- else
- echo "$COMMAND: the problem report is not sent."
- fi
- xs=1; exit
- ;;
- e*)
- eval $EDIT $TEMP
- continue 2
- ;;
- s*)
- break 2
- ;;
- esac
- done
-done
-
-#
-# Make sure the mail has got a Subject. If not, use the same as
-# in Synopsis.
-#
-
-if grep '^Subject:[ ]*$' $REF > /dev/null
-then
- SYNOPSIS=`grep '^>Synopsis:' $REF | sed -e 's/^>Synopsis:[ ]*//'`
- ed -s $REF << __EOF__
-/^Subject:/s/:.*\$/: $SYNOPSIS/
-w
-q
-__EOF__
-fi
-
-while :
-do
- if [ "x$MAILPROG" != "x" ]
- then
- # Use mail to send the PR.
- if $MAILPROG < $REF
- then
- echo "$COMMAND: problem report mailed"
- xs=0; exit
- else
- echo "$MAILPROG failed!"
- fi
- else
- if $LIBEXECDIR/pr-edit --submit < $REF; then
- echo "$COMMAND: problem report filed"
- xs=0; exit
- else
- echo "$COMMAND: the problem report is not sent."
- fi
- fi
- while true
- do
- if [ -z "$BATCH" ]; then
- $ECHON1 "a)bort or s)end? (file=$REF) $ECHON2"
- read input
- case "$input" in
- a*)
- break 2 ;;
- s*)
- break ;;
- esac
- else
- break 2;
- fi
- done
-done
-
-if [ -z "$BATCH" ]; then
- echo "$COMMAND: the problem report remains in $BAD and is not sent."
- mv $TEMP $BAD
-else
- echo "$COMMAND: the problem report is not sent, is in $REF."
-fi
-
-xs=1; exit;
-
-#
-# $Log: send-pr.in,v $
-# Revision 1.1 2004/03/15 20:35:31 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.10 2003/07/14 12:26:17 mcr
-# use | as delimitor for $DEFAULT_ENVIRONMENT.
-# switch | to \\| when in $DEFAULT_ENVIRONMENT.
-# this is due to PR#236 where the "uname" output
-# says GNU/Linux, screwing up sed.
-#
-# Revision 1.9 2003/02/03 21:51:06 mcr
-# if MAILPROG fails, then offer to try again.
-#
-# Revision 1.8 2002/12/10 02:28:13 mcr
-# adjusted template to use gnats-bugs@freeswan.org
-# fix sed script to deal with version sanitizer.
-#
-# Revision 1.7 2002/12/10 02:17:34 mcr
-# need to init variables first
-#
-# Revision 1.6 2002/12/10 02:16:23 mcr
-# adjusted send-pr to look at LIBDIR, not LIBEXECDIR
-#
-# Revision 1.5 2002/09/30 16:04:05 mcr
-# fix for sed bug in "send-pr"
-#
-# Revision 1.4 2002/04/24 07:36:10 mcr
-# Moved from ./utils/send-pr.sh,v
-#
-# Revision 1.3 2001/11/27 15:02:55 mcr
-# added rcsids.
-# fixed submission address to be freeswan-bugs@freeswan.org
-# use new ipsec --versioncode to get version info.
-#
-#
diff --git a/programs/setup/.cvsignore b/programs/setup/.cvsignore
deleted file mode 100644
index 146f275e0..000000000
--- a/programs/setup/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-setup
diff --git a/programs/setup/Makefile b/programs/setup/Makefile
deleted file mode 100644
index f12d452b2..000000000
--- a/programs/setup/Makefile
+++ /dev/null
@@ -1,22 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.3 2006/02/10 11:28:15 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=setup
-EXTRA8MAN=setup.8
-
-include ../Makefile.program
diff --git a/programs/setup/setup.8 b/programs/setup/setup.8
deleted file mode 100644
index e2980ee74..000000000
--- a/programs/setup/setup.8
+++ /dev/null
@@ -1,142 +0,0 @@
-.TH IPSEC_SETUP 8 "23 July 2001"
-.\" RCSID $Id: setup.8,v 1.1 2004/03/15 20:35:31 as Exp $
-.SH NAME
-ipsec setup \- control IPsec subsystem
-.SH SYNOPSIS
-.B ipsec
-.B setup
-[
-.B \-\-show
-|
-.B \-\-showonly
-]
-command
-.SH DESCRIPTION
-.I Setup
-controls the FreeS/WAN IPsec subsystem,
-including both the Klips kernel code and the Pluto key-negotiation daemon.
-(It is a synonym for the ``rc'' script for the subsystem;
-the system runs the equivalent of
-.B "ipsec setup start"
-at boot time,
-and
-.B "ipsec setup stop"
-at shutdown time, more or less.)
-.PP
-The action taken depends on the specific
-.IR command ,
-and on the contents of the
-.B config
-.B setup
-section of the
-IPsec configuration file (\c
-.IR /etc/ipsec.conf ,
-see
-.IR ipsec.conf (5)).
-Current
-.IR command s
-are:
-.TP 10
-.B start
-start Klips and Pluto,
-including setting up Klips to do crypto operations on the
-interface(s) specified in the configuration file,
-and (if the configuration file so specifies)
-setting up manually-keyed connections and/or
-asking Pluto to negotiate automatically-keyed connections
-to other security gateways
-.TP
-.B stop
-shut down Klips and Pluto,
-including tearing down all existing crypto connections
-.TP
-.B restart
-equivalent to
-.B stop
-followed by
-.B start
-.TP
-.B status
-report the status of the subsystem;
-normally just reports
-.B "IPsec running"
-and
-.BR "pluto pid \fInnn\fP" ,
-or
-.BR "IPsec stopped" ,
-and exits with status 0,
-but will go into more detail (and exit with status 1)
-if something strange is found.
-(An ``illicit'' Pluto is one that does not match the process ID in
-Pluto's lock file;
-an ``orphaned'' Pluto is one with no lock file.)
-.PP
-The
-.B stop
-operation tries to clean up properly even if assorted accidents
-have occurred,
-e.g. Pluto having died without removing its lock file.
-If
-.B stop
-discovers that the subsystem is (supposedly) not running,
-it will complain,
-but will do its cleanup anyway before exiting with status 1.
-.PP
-Although a number of configuration-file parameters influence
-.IR setup 's
-operations, the key one is the
-.B interfaces
-parameter, which must be right or chaos will ensue.
-.PP
-The
-.B \-\-show
-and
-.B \-\-showonly
-options cause
-.I setup
-to display the shell commands that it would execute.
-.B \-\-showonly
-suppresses their execution.
-Only
-.BR start ,
-.BR stop ,
-and
-.B restart
-commands recognize these flags.
-.SH FILES
-.ta \w'/proc/sys/net/ipv4/ip_forward'u+2n
-/etc/rc.d/init.d/ipsec the script itself
-.br
-/etc/init.d/ipsec alternate location for the script
-.br
-/etc/ipsec.conf IPsec configuration file
-.br
-/proc/sys/net/ipv4/ip_forward forwarding control
-.br
-/var/run/ipsec.info saved information
-.br
-/var/run/pluto.pid Pluto lock file
-.br
-/var/run/ipsec_setup.pid IPsec lock file
-.SH SEE ALSO
-ipsec.conf(5), ipsec(8), ipsec_manual(8), ipsec_auto(8), route(8)
-.SH DIAGNOSTICS
-All output from the commands
-.B start
-and
-.B stop
-goes both to standard
-output and to
-.IR syslogd (8),
-via
-.IR logger (1).
-Selected additional information is logged only to
-.IR syslogd (8).
-.SH HISTORY
-Written for the FreeS/WAN project
-<http://www.freeswan.org>
-by Henry Spencer.
-.SH BUGS
-Old versions of
-.IR logger (1)
-inject spurious extra newlines onto standard output.
diff --git a/programs/setup/setup.in b/programs/setup/setup.in
deleted file mode 100755
index 1e43d0d67..000000000
--- a/programs/setup/setup.in
+++ /dev/null
@@ -1,162 +0,0 @@
-#!/bin/sh
-# IPsec startup and shutdown script
-# Copyright (C) 1998, 1999, 2001 Henry Spencer.
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: setup.in,v 1.1 2004/03/15 20:35:31 as Exp $
-#
-# ipsec init.d script for starting and stopping
-# the IPsec security subsystem (KLIPS and Pluto).
-#
-# This script becomes /etc/rc.d/init.d/ipsec (or possibly /etc/init.d/ipsec)
-# and is also accessible as "ipsec setup" (the preferred route for human
-# invocation).
-#
-# The startup and shutdown times are a difficult compromise (in particular,
-# it is almost impossible to reconcile them with the insanely early/late
-# times of NFS filesystem startup/shutdown). Startup is after startup of
-# syslog and pcmcia support; shutdown is just before shutdown of syslog.
-#
-# chkconfig: 2345 47 68
-# description: IPsec provides encrypted and authenticated communications; \
-# KLIPS is the kernel half of it, Pluto is the user-level management daemon.
-
-me='ipsec setup' # for messages
-
-
-# where the private directory and the config files are
-IPSEC_EXECDIR="${IPSEC_EXECDIR-@IPSEC_EXECDIR@}"
-IPSEC_LIBDIR="${IPSEC_LIBDIR-@IPSEC_LIBDIR@}"
-IPSEC_SBINDIR="${IPSEC_SBINDIR-@IPSEC_SBINDIR@}"
-IPSEC_CONFS="${IPSEC_CONFS-@IPSEC_CONFS@}"
-
-if test " $IPSEC_DIR" = " " # if we were not called by the ipsec command
-then
- # we must establish a suitable PATH ourselves
- PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
- export PATH
-
- IPSEC_DIR="$IPSEC_LIBDIR"
- export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
-fi
-
-# Check that the ipsec command is available.
-found=
-for dir in `echo $PATH | tr ':' ' '`
-do
- if test -f $dir/ipsec -a -x $dir/ipsec
- then
- found=yes
- break # NOTE BREAK OUT
- fi
-done
-if ! test "$found"
-then
- echo "cannot find ipsec command -- \`$1' aborted" |
- logger -s -p daemon.error -t ipsec_setup
- exit 1
-fi
-
-# accept a few flags
-
-export IPSEC_setupflags
-IPSEC_setupflags=""
-
-config=""
-
-for dummy
-do
- case "$1" in
- --showonly|--show) IPSEC_setupflags="$1" ;;
- --config) config="--config $2" ; shift ;;
- *) break ;;
- esac
- shift
-done
-
-
-# Pick up IPsec configuration (until we have done this, successfully, we
-# do not know where errors should go, hence the explicit "daemon.error"s.)
-# Note the "--export", which exports the variables created.
-eval `ipsec _confread $config --optional --varprefix IPSEC --export --type config setup`
-if test " $IPSEC_confreadstatus" != " "
-then
- echo "$IPSEC_confreadstatus -- \`$1' aborted" |
- logger -s -p daemon.error -t ipsec_setup
- exit 1
-fi
-
-IPSEC_confreadsection=${IPSEC_confreadsection:-setup}
-export IPSEC_confreadsection
-
-IPSECsyslog=${IPSECsyslog-daemon.error}
-export IPSECsyslog
-
-# misc setup
-umask 022
-
-
-# do it
-case "$1" in
- start|--start|stop|--stop|_autostop|_autostart)
- if test " `id -u`" != " 0"
- then
- echo "permission denied (must be superuser)" |
- logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
- exit 1
- fi
- tmp=/var/run/ipsec_setup.st
- (
- ipsec _realsetup $1
- echo "$?" >$tmp
- ) 2>&1 | logger -s -p $IPSECsyslog -t ipsec_setup 2>&1
- st=$?
- if test -f $tmp
- then
- st=`cat $tmp`
- rm -f $tmp
- fi
- exit $st
- ;;
-
- restart|--restart|force-reload)
- $0 $IPSEC_setupflags stop
- $0 $IPSEC_setupflags start
- ;;
-
- _autorestart) # for internal use only
- $0 $IPSEC_setupflags _autostop
- $0 $IPSEC_setupflags _autostart
- ;;
-
- status|--status)
- ipsec _realsetup $1
- exit
- ;;
-
- --version)
- echo "$me $IPSEC_VERSION"
- exit 0
- ;;
-
- --help)
- echo "Usage: $me {--start|--stop|--restart|--status}"
- exit 0
- ;;
-
- *)
- echo "Usage: $me {--start|--stop|--restart|--status}" >&2
- exit 2
-esac
-
-exit 0
diff --git a/programs/showdefaults/.cvsignore b/programs/showdefaults/.cvsignore
deleted file mode 100644
index 609b55e81..000000000
--- a/programs/showdefaults/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-showdefaults
diff --git a/programs/showdefaults/Makefile b/programs/showdefaults/Makefile
deleted file mode 100644
index d2c8f9be8..000000000
--- a/programs/showdefaults/Makefile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=showdefaults
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:31 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.2 2002/06/02 21:51:41 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/showdefaults/showdefaults.8 b/programs/showdefaults/showdefaults.8
deleted file mode 100644
index 4a8db9c49..000000000
--- a/programs/showdefaults/showdefaults.8
+++ /dev/null
@@ -1,34 +0,0 @@
-.TH IPSEC_SHOWDEFAULTS 8 "23 Jan 2000"
-.\" RCSID $Id: showdefaults.8,v 1.1 2004/03/15 20:35:31 as Exp $
-.SH NAME
-ipsec showdefaults \- show %defaultroute defaults
-.SH SYNOPSIS
-.B ipsec
-.B showdefaults
-.SH DESCRIPTION
-.I Showdefaults
-outputs (on standard output) a terse description of the defaults
-used by the
-.B %defaultroute
-facilities in
-.IR ipsec_auto (8)
-and
-.IR ipsec_manual (8).
-.PP
-Beware that the exact output format is subject to change.
-.SH DIAGNOSTICS
-Normal exit status is 0.
-If no defaults are available,
-i.e. the
-.B interfaces
-parameter in
-.B "config setup"
-is not
-.BR %defaultroute ,
-produces a message on standard error and exits with status 1.
-.SH FILES
-/var/run/ipsec.info
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org>
-by Henry Spencer.
diff --git a/programs/showdefaults/showdefaults.in b/programs/showdefaults/showdefaults.in
deleted file mode 100755
index 67daf7fd8..000000000
--- a/programs/showdefaults/showdefaults.in
+++ /dev/null
@@ -1,33 +0,0 @@
-#! /bin/sh
-# show defaults for %defaultroute
-# Copyright (C) 2000 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: showdefaults.in,v 1.1 2004/03/15 20:35:31 as Exp $
-
-info=/var/run/ipsec.info
-me="ipsec showdefaults"
-
-case "$1" in
---help) echo "Usage: ipsec showdefaults" ; exit 0 ;;
---version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
-esac
-
-# Pick up the info.
-if test -s $info
-then
- sed -n '/^defaultroute/s/default//p' $info
- sed -n '/^#dr:/s/dr://p' $info
-else
- echo "$me: cannot find defaults file \`$info'" >&2
- exit 1
-fi
diff --git a/programs/showhostkey/.cvsignore b/programs/showhostkey/.cvsignore
deleted file mode 100644
index 8496cd633..000000000
--- a/programs/showhostkey/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-showhostkey
diff --git a/programs/showhostkey/Makefile b/programs/showhostkey/Makefile
deleted file mode 100644
index db819c906..000000000
--- a/programs/showhostkey/Makefile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=showhostkey
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:31 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.2 2002/06/02 21:51:41 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/showhostkey/showhostkey.8 b/programs/showhostkey/showhostkey.8
deleted file mode 100644
index 2c0043fca..000000000
--- a/programs/showhostkey/showhostkey.8
+++ /dev/null
@@ -1,168 +0,0 @@
-.TH IPSEC_SHOWHOSTKEY 8 "5 March 2002"
-.\" RCSID $Id: showhostkey.8,v 1.1 2004/03/15 20:35:31 as Exp $
-.SH NAME
-ipsec showhostkey \- show host's authentication key
-.SH SYNOPSIS
-.B ipsec
-.B showhostkey
-[
-.B \-\-key
-] [
-.B \-\-left
-] [
-.B \-\-right
-] [
-.B \-\-txt
-gateway
-] [
-.B \-\-dhclient
-] [
-.B \-\-file
-secretfile
-] [
-.B \-\-id
-identity
-]
-.SH DESCRIPTION
-.I Showhostkey
-outputs (on standard output) a public key suitable for this host,
-in the format specified,
-using the host key information stored in
-.IR /etc/ipsec.secrets .
-In general only the super-user can run this command,
-since only he can read
-.IR ipsec.secrets .
-.PP
-The
-.B \-\-txt
-option causes the output to be in opportunistic-encryption DNS TXT record
-format,
-with the specified
-.I gateway
-value.
-If information about how the key was generated is available,
-that is provided as a DNS-file comment.
-For example,
-.B "\-\-txt 10.11.12.13"
-might give (with the key data trimmed for clarity):
-.PP
-.nf
- ; RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
- IN TXT "X-IPsec-Server(10)=10.11.12.13 AQOF8tZ2...+buFuFn/"
-.fi
-.PP
-No name is supplied in the TXT record
-because there are too many possibilities,
-depending on how it will be used.
-If the text string is longer than 255 bytes,
-it is split up into multiple strings (matching the restrictions of
-the DNS TXT binary format).
-If any split is needed, the first split will be at the start of the key:
-this increases the chances that later hand editing will work.
-.PP
-The
-.B \-\-left
-and
-.B \-\-right
-options cause the output to be in
-.IR ipsec.conf (5)
-format, as a
-.B leftrsasigkey
-or
-.B rightrsasigkey
-parameter respectively.
-Again, generation information is included if available.
-For example,
-.B \-\-left
-might give (with the key data trimmed down for clarity):
-.PP
-.nf
- # RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
- leftrsasigkey=0sAQOF8tZ2...+buFuFn/
-.fi
-.PP
-The
-.B \-\-dhclient
-option cause the output to be suitable for inclusion in
-.IR dhclient.conf (5)
-as part of configuring WAVEsec.
-See <http://www.wavesec.org>.
-.PP
-If
-.B \-\-key
-is specified,
-the output format is the text form of a DNS KEY record;
-the host name is the one included in the key information
-(or, if that is not available,
-the output of
-.BR "hostname\ \-\-fqdn" ),
-with a
-.B \&.
-appended.
-Again, generation information is included if available.
-For example (with the key data trimmed down for clarity):
-.PP
-.nf
- ; RSA 2048 bits xy.example.com Sat Apr 15 13:53:22 2000
- xy.example.com. IN KEY 0x4200 4 1 AQOF8tZ2...+buFuFn/
-.fi
-.PP
-Normally, the default key for this host
-(the one with no host identities specified for it) is the one extracted.
-The
-.B \-\-id
-option overrides this,
-causing extraction of the key labeled with the specified
-.IR identity ,
-if any.
-The specified
-.I identity
-must
-.I exactly
-match the identity in the file;
-in particular, the comparison is case-sensitive.
-.PP
-The
-.B \-\-file
-option overrides the default for where the key information should be
-found, and takes it from the specified
-.IR secretfile .
-.SH DIAGNOSTICS
-A complaint about ``no pubkey line found'' indicates that the
-host has a key but it was generated with an old version of FreeS/WAN
-and does not contain the information that
-.I showhostkey
-needs.
-.SH FILES
-/etc/ipsec.secrets
-.SH SEE ALSO
-ipsec.secrets(5), ipsec.conf(5), ipsec_rsasigkey(8)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org>
-by Henry Spencer.
-.SH BUGS
-Arguably,
-rather than just reporting the no-IN-KEY-line-found problem,
-.I showhostkey
-should be smart enough to run the existing key through
-.I rsasigkey
-with the
-.B \-\-oldkey
-option, to generate a suitable output line.
-.PP
-The need to specify the gateway address (etc.) for
-.B \-\-txt
-is annoying, but there is no good way to determine it automatically.
-.PP
-There should be a way to specify the priority value for TXT records;
-currently it is hardwired to
-.BR 10 .
-.PP
-The
-.B \-\-id
-option assumes that the
-.I identity
-appears on the same line as the
-.B ":\ RSA\ {"
-that begins the key proper.
diff --git a/programs/showhostkey/showhostkey.in b/programs/showhostkey/showhostkey.in
deleted file mode 100755
index 7194363e8..000000000
--- a/programs/showhostkey/showhostkey.in
+++ /dev/null
@@ -1,180 +0,0 @@
-#! /bin/sh
-# show key for this host, in DNS (or other) format
-# Copyright (C) 2000, 2001 Henry Spencer.
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: showhostkey.in,v 1.1 2004/03/15 20:35:31 as Exp $
-
-me="ipsec showhostkey"
-usage="Usage: $me [--file secrets] [--left] [--right] [--txt gateway] [--id id]
- [--dhclient]"
-
-file=/etc/ipsec.secrets
-fmt=""
-gw=
-id=
-for dummy
-do
- case "$1" in
- --key) fmt="dns" ;;
- --file) file="$2" ; shift ;;
- --left) fmt="left" ;;
- --right) fmt="right" ;;
- --dhclient) fmt="dhclient" ;;
- --txt) fmt="txt" ; gw="$2" ; shift ;;
- --wavesec) fmt="wavesec" ;;
- --id) id="$2" ; shift ;;
- --version) echo "$me $IPSEC_VERSION" ; exit 0 ;;
- --help) echo "$usage" ; exit 0 ;;
- --) shift ; break ;;
- -*) echo "$me: unknown option \`$1'" >&2 ; exit 2 ;;
- *) break ;;
- esac
- shift
-done
-if test " $fmt" = " "
-then
- echo "$me: must specify a format for the result" >&2
- exit 2
-fi
-if test " $fmt" = " txt" -a " $gw" = " "
-then
- echo "$me: --txt gateway value cannot be empty" >&2
- exit 2
-fi
-
-if test ! -f $file
-then
- echo "$me: file \`$file' does not exist" >&2
- exit 1
-elif test ! -r $file
-then
- echo "$me: permission denied (cannot read \`$file')" >&2
- exit 1
-fi
-
-host="`hostname --fqdn`"
-
-awk ' BEGIN {
- inkey = 0
- seenkey = 0
- nfound = 0
- err = "cat >&2"
- me = "'"$me"'"
- host = "'"$host"'"
- file = "'"$file"'"
- fmt = "'"$fmt"'"
- gw = "'"$gw"'"
- id = "'"$id"'"
- comment = ""
- s = "[ \t]+"
- os = "[ \t]*"
- x = "[^ \t]+"
- oc = "(#.*)?"
- suffix = ":" os "[rR][sS][aA]" os "{" os oc "$"
- if (id == "") {
- pat = "^" suffix
- printid = "default"
- } else {
- pat = "^(" x s ")*" id "(" s x ")*" os suffix
- printid = quote(id)
- }
- paydirt = "^[ \t]+#pubkey=0s"
- status = 0
- }
- $0 ~ pat {
- inkey = 1
- seenkey = 1
- }
- /^[ \t]+}$/ {
- inkey = 0
- }
- inkey && $0 ~ /^[ \t]+# RSA [0-9]+ bits/ {
- comment = $0
- if (fmt == "dns" || fmt == "txt" || fmt == "dhclient")
- sub(/^[ \t]+#/, "#", comment)
- host = $5
- }
- inkey && $0 ~ /^[ \t]+#pubkey=0s/ {
-
- }
- inkey && fmt == "dns" && $0 ~ paydirt {
- out = $0
- sub(paydirt, (host ".\tIN\tKEY\t0x4200 4 1 "), out)
- nfound++
- }
- inkey && fmt == "dhclient" && $0 ~ paydirt {
- # NOT YET ADJUSTED TO KEY RR elimination
- boilerplate = "option oe-key code 159 = string;\n" \
- "option oe-gateway code 160 = ip-address;\n" \
- "send oe-key = "
- out = $0
- sub(paydirt, "0x4200 4 1 ", out)
- out = "option oe-key code 159 = string;\n" \
- "option oe-gateway code 160 = ip-address;\n" \
- "send oe-key = " quote(out) ";"
- nfound++
- }
- inkey && fmt == "txt" && $0 ~ paydirt {
- if (gw !~ /^@/ && gw !~ /^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$/ )
- {
- grump("gateway must be @FQDN or IPv4 address, not " quote(gw))
- exit(status)
- }
- out = $0
- gsub(/[ \t]+/, " ", out)
- sub(paydirt, "", out)
- out = " " out
- str = "X-IPsec-Server(10)=" gw
- if (length(str) < 255 && length(str) + length(out) > 255) {
- str = " " quote(str)
- } else {
- out = str out
- str = ""
- }
- while (length(out) > 255) {
- str = str " " quote(substr(out, 1, 255))
- out = substr(out, 256)
- }
- if (length(out) > 0)
- str = str " " quote(out)
- out = "\tIN\tTXT\t" substr(str, 2)
- nfound++
- }
- inkey && (fmt == "left" || fmt == "right") && $0 ~ /^[ \t]+#pubkey=/ {
- out = $0
- sub(/^[ \t]+#pubkey=/, ("\t" fmt "rsasigkey="), out)
- nfound++
- }
- function quote(s) {
- return "\"" s "\""
- }
- function grump(s) {
- print me ": " s |err
- status = 1
- }
- END {
- if (status != 0)
- exit(status)
- if (!seenkey)
- grump("no " printid " key in " quote(file))
- else if (nfound == 0) {
- grump("no pubkey line found -- key information old?")
- } else if (nfound > 1)
- grump("multiple " printid " keys found!?!")
- else {
- if (comment != "")
- print comment
- print out
- }
- exit(status)
- }' $file
diff --git a/programs/showpolicy/.cvsignore b/programs/showpolicy/.cvsignore
deleted file mode 100644
index e4fad4e23..000000000
--- a/programs/showpolicy/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-showpolicy
diff --git a/programs/showpolicy/Makefile b/programs/showpolicy/Makefile
deleted file mode 100644
index b3ea5a0a8..000000000
--- a/programs/showpolicy/Makefile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=showpolicy
-EXTRA5PROC=${PROGRAM}.8
-
-LIBS=${POLICYLIB} ${FREESWANLIB}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:31 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.2 2003/05/14 02:12:27 mcr
-# addition of CGI-focused interface to policy lookup interface
-#
-# Revision 1.1 2003/05/11 00:45:08 mcr
-# program to interogate ipsec policy of stdin.
-# run this from inetd.
-#
-#
diff --git a/programs/showpolicy/showpolicy.8 b/programs/showpolicy/showpolicy.8
deleted file mode 100644
index 4fbc2e40e..000000000
--- a/programs/showpolicy/showpolicy.8
+++ /dev/null
@@ -1,41 +0,0 @@
-.TH IPSEC_SHOWPOLICY 8 "7 May 2003"
-.\"
-.\" RCSID $Id: showpolicy.8,v 1.1 2004/03/15 20:35:31 as Exp $
-.\"
-.SH NAME
-ipsec showpolicy \- dump policy of socket found as stdin
-.SH SYNOPSIS
-.PP
-.B ipsec
-.B showpolicy
-.PP
-.SH DESCRIPTION
-.I showpolicy
-calls the
-.IR ipsec_policy_lookup (3)
-function on the file description which is its stdin.
-.PP
-It then dumps the resulting query in a human readable form.
-.PP
-This is a test program. One might run it from inetd, via:
-.TP
-discard stream tcp nowait nobody /usr/local/libexec/ipsec/showpolicy showpolicy
-.SH FILES
-/var/run/ipsecpolicy.ctl
-.SH "SEE ALSO"
-ipsec(8), ipsec_policy_query(3), ipsec_pluto(8)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Michael Richardson
-.SH BUGS
-.\"
-.\" $Log: showpolicy.8,v $
-.\" Revision 1.1 2004/03/15 20:35:31 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.1 2003/05/11 00:45:08 mcr
-.\" program to interogate ipsec policy of stdin.
-.\" run this from inetd.
-.\"
-.\"
diff --git a/programs/showpolicy/showpolicy.c b/programs/showpolicy/showpolicy.c
deleted file mode 100644
index 114cc3936..000000000
--- a/programs/showpolicy/showpolicy.c
+++ /dev/null
@@ -1,251 +0,0 @@
-/*
- * A program to dump the IPsec status of the socket found on stdin.
- * Run me from inetd, for instance.
- * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-char showpolicy_version[] = "RCSID $Id: showpolicy.c,v 1.1 2004/03/15 20:35:31 as Exp $";
-
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <sys/socket.h>
-#include <getopt.h>
-#include "freeswan.h"
-#include "freeswan/ipsec_policy.h"
-
-char *program_name;
-
-static void
-help(void)
-{
- fprintf(stderr,
- "Usage:\n\n"
- "showpolicy"
- " [--cgi] lookup the particulars from CGI variables.\n"
- " [--socket] lookup the particulars from the socket on stdin.\n"
- " [--textual] dump output in human friendly form\n"
- " [--plaintext X] string to dump if no security\n"
- " [--vpntext X] string to dump if VPN configured tunnel\n"
- " [--privacytext X] string to dump if just plain DNS OE\n"
- " [--dnssectext X] string to dump if just DNSSEC OE\n"
- "\n\n"
- "FreeS/WAN %s\n",
- ipsec_version_code());
-}
-
-static const struct option long_opts[] = {
- /* name, has_arg, flag, val */
- { "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, 'V' },
- { "socket", no_argument, NULL, 'i' },
- { "cgi", no_argument, NULL, 'g' },
- { "textual", no_argument, NULL, 't' },
- { "plaintext", required_argument, NULL, 'c' },
- { "vpntext", required_argument, NULL, 'v' },
- { "privacytext", required_argument, NULL, 'p' },
- { "dnssectext", required_argument, NULL, 's' },
- { 0,0,0,0 }
-};
-
-void dump_policyreply(struct ipsec_policy_cmd_query *q)
-{
- char src[ADDRTOT_BUF], dst[ADDRTOT_BUF];
-
- /* now print it! */
- addrtot(&q->query_local, 0, src, sizeof(src));
- addrtot(&q->query_remote, 0, dst, sizeof(dst));
-
- printf("Results of query on %s -> %s with seq %d\n",
- src, dst, q->head.ipm_msg_seq);
-
- printf("Received reply of %d bytes.\n", q->head.ipm_msg_len);
-
- printf("Strength: %d\n", q->strength);
- printf("Bandwidth: %d\n", q->bandwidth);
- printf("authdetail: %d\n", q->auth_detail);
- printf("esp_detail: %d\n", q->esp_detail);
- printf("comp_detail: %d\n",q->comp_detail);
-
- printf("credentials: %d\n", q->credential_count);
- if(q->credential_count > 0) {
- int c;
-
- for(c=0; c<q->credential_count; c++) {
- switch(q->credentials[c].ii_format) {
- case CERT_DNS_SIGNED_KEY:
- printf("\tDNSSEC identity: %s (SIG %s)\n",
- q->credentials[c].ii_credential.ipsec_dns_signed.fqdn,
- q->credentials[c].ii_credential.ipsec_dns_signed.dns_sig);
- break;
-
- case CERT_RAW_RSA:
- printf("\tlocal identity: %s\n",
- q->credentials[c].ii_credential.ipsec_raw_key.id_name);
-
- case CERT_NONE:
- printf("\tDNS identity: %s\n",
- q->credentials[c].ii_credential.ipsec_dns_signed.fqdn);
- break;
-
- default:
- printf("\tUnknown identity type %d", q->credentials[c].ii_format);
- break;
- }
- }
- }
-}
-
-
-int main(int argc, char *argv[])
-{
- struct ipsec_policy_cmd_query q;
- err_t ret;
- int c;
-
- /* set the defaults */
- char lookup_style = 'i';
- char output_style = 's';
-
- char *plaintext = "clear";
- char *vpntext = "vpn";
- char *privacytext = "private";
- char *dnssectext = "secure";
-
- while((c = getopt_long(argc, argv, "hVighc:v:p:s:", long_opts, 0))!=EOF) {
- switch (c) {
- default:
- case 'h': /* --help */
- help();
- return 0; /* GNU coding standards say to stop here */
-
- case 'V': /* --version */
- fprintf(stderr, "FreeS/WAN %s\n", ipsec_version_code());
- return 0; /* GNU coding standards say to stop here */
-
- case 'i':
- if(isatty(0)) {
- printf("please run this connected to a socket\n");
- exit(1);
- }
-
- lookup_style = 'i';
- break;
-
- case 'g':
- lookup_style = 'g';
- break;
-
- case 't':
- output_style = 't';
- break;
-
- case 'c':
- plaintext = optarg;
- break;
-
- case 'v':
- vpntext = optarg;
- break;
-
- case 'p':
- privacytext = optarg;
- break;
-
- case 's':
- dnssectext = optarg;
- break;
- }
- }
-
- if((ret = ipsec_policy_init()) != NULL) {
- perror(ret);
- exit(2);
- }
-
- switch(lookup_style) {
- case 'i':
- if((ret = ipsec_policy_lookup(0, &q)) != NULL) {
- perror(ret);
- exit(3);
- }
- break;
-
- case 'g':
- if((ret = ipsec_policy_cgilookup(&q)) != NULL) {
- perror(ret);
- exit(3);
- }
- break;
-
- default:
- abort();
- break;
- }
-
-
- if(output_style == 't') {
- dump_policyreply(&q);
- } else {
- /* start by seeing if there was any crypto */
- if(q.strength < IPSEC_PRIVACY_PRIVATE) {
- /* no, so say clear */
- puts(plaintext);
- exit(0);
- }
-
- /* we now it is crypto, but authentic is it? */
- if(q.credential_count == 0) {
- puts(vpntext);
- exit(0);
- }
-
- switch(q.credentials[0].ii_format) {
- case CERT_DNS_SIGNED_KEY:
- puts(dnssectext);
- exit(0);
-
- case CERT_RAW_RSA:
- puts(vpntext);
- exit(0);
-
- default:
- puts(privacytext);
- exit(0);
- }
- }
-
- exit(0);
-}
-
-/*
- * $Log: showpolicy.c,v $
- * Revision 1.1 2004/03/15 20:35:31 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.4 2003/05/14 15:46:44 mcr
- * switch statement was missing break statements and was running on.
- *
- * Revision 1.3 2003/05/14 02:12:27 mcr
- * addition of CGI-focused interface to policy lookup interface
- *
- * Revision 1.2 2003/05/13 03:25:34 mcr
- * print credentials, if any were provided.
- *
- * Revision 1.1 2003/05/11 00:45:08 mcr
- * program to interogate ipsec policy of stdin.
- * run this from inetd.
- *
- *
- *
- */
diff --git a/programs/spi/.cvsignore b/programs/spi/.cvsignore
deleted file mode 100644
index c928c4b77..000000000
--- a/programs/spi/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-spi
diff --git a/programs/spi/Makefile b/programs/spi/Makefile
deleted file mode 100644
index 10a1eaa9c..000000000
--- a/programs/spi/Makefile
+++ /dev/null
@@ -1,69 +0,0 @@
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 1998, 1999 Henry Spencer.
-# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.2 2004/03/22 21:53:21 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=spi
-EXTRA5PROC=${PROGRAM}.5
-
-LIBS=${FREESWANLIB}
-
-OBJS=constants.o alg_info.o kernel_alg.o
-
-include ../Makefile.program
-
-constants.o : ../pluto/constants.c ../pluto/constants.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-alg_info.o : ../pluto/alg_info.c ../pluto/alg_info.h
- $(CC) $(CFLAGS) -DNO_PLUTO -c -o $@ $<
-
-kernel_alg.o : ../pluto/kernel_alg.c ../pluto/kernel_alg.h
- $(CC) $(CFLAGS) -DNO_PLUTO -c -o $@ $<
-
-#
-# $Log: Makefile,v $
-# Revision 1.2 2004/03/22 21:53:21 as
-# merged alg-0.8.1 branch with HEAD
-#
-# Revision 1.1.4.1 2004/03/16 09:48:22 as
-# alg-0.8.1rc12 patch merged
-#
-# Revision 1.1 2004/03/15 20:35:31 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.4 2002/06/03 20:25:31 mcr
-# man page for files actually existant in /proc/net changed back to
-# ipsec_foo via new EXTRA5PROC process.
-#
-# Revision 1.3 2002/06/02 21:51:41 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.2 2002/04/26 01:21:26 mcr
-# while tracking down a missing (not installed) /etc/ipsec.conf,
-# MCR has decided that it is not okay for each program subdir to have
-# some subset (determined with -f) of possible files.
-# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-# Optional PROGRAM.5 files have been added to the makefiles.
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
diff --git a/programs/spi/spi.5 b/programs/spi/spi.5
deleted file mode 100644
index a8faebee4..000000000
--- a/programs/spi/spi.5
+++ /dev/null
@@ -1,213 +0,0 @@
-.TH IPSEC_SPI 5 "26 Jun 2000"
-.\"
-.\" RCSID $Id: spi.5,v 1.1 2004/03/15 20:35:31 as Exp $
-.\"
-.SH NAME
-ipsec_spi \- list IPSEC Security Associations
-.SH SYNOPSIS
-.B ipsec
-.B spi
-.PP
-.B cat
-.B /proc/net/ipsec_spi
-.PP
-.SH DESCRIPTION
-.I /proc/net/ipsec_spi
-is a read-only file that lists the current IPSEC Security Associations.
-A Security Association (SA) is a transform through which packet contents
-are to be processed before being forwarded. A transform can be an
-IPv4-in-IPv4 or IPv6-in-IPv6 encapsulation, an IPSEC Authentication Header (authentication
-with no encryption), or an IPSEC Encapsulation Security Payload
-(encryption, possibly including authentication).
-.PP
-When a packet is passed from a higher networking layer through an IPSEC
-virtual interface, a search in the extended routing table (see
-.IR ipsec_eroute (5))
-yields
-a IP protocol number
-,
-a Security Parameters Index (SPI)
-and
-an effective destination address
-.
-When an IPSEC packet arrives from the network,
-its ostensible destination, an SPI and an IP protocol
-specified by its outermost IPSEC header are used.
-The destination/SPI/protocol combination is used to select a relevant SA.
-(See
-.IR ipsec_spigrp (5)
-for discussion of how multiple transforms are combined.)
-.PP
-An
-.I spi ,
-.I proto,
-.I daddr
-and
-.IR address_family
-arguments specify an SAID.
-.I Proto
-is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol.
-.I Spi
-is a number, preceded by '.' indicating hexadecimal and IPv4 or by ':' indicating hexadecimal and IPv6,
-where each hexadecimal digit represents 4 bits,
-between
-.B 0x100
-and
-.BR 0xffffffff ;
-values from
-.B 0x0
-to
-.B 0xff
-are reserved.
-.I Daddr
-is a dotted-decimal IPv4 destination address or a coloned hex IPv6 destination address.
-.PP
-An
-.I SAID
-combines the three parameters above, such as: "tun.101@1.2.3.4" for IPv4 or "tun:101@3049:1::1" for IPv6
-.PP
-A table entry consists of:
-.IP + 3
-.BR SAID
-.IP +
-<transform name (proto,encalg,authalg)>:
-.IP +
-direction (dir=)
-.IP +
-source address (src=)
-.IP +
-source and destination addresses and masks for inner header policy check
-addresses (policy=), as dotted-quads or coloned hex, separated by '->',
-for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only
-.IP +
-initialisation vector length and value (iv_bits=, iv=) if non-zero
-.IP +
-out-of-order window size, number of out-of-order errors, sequence
-number, recently received packet bitmask, maximum difference between
-sequence numbers (ooowin=, ooo_errs=, seq=, bit=, max_seq_diff=) if SA
-is AH or ESP and if individual items are non-zero
-.IP +
-extra flags (flags=) if any are set
-.IP +
-authenticator length in bits (alen=) if non-zero
-.IP +
-authentication key length in bits (aklen=) if non-zero
-.IP +
-authentication errors (auth_errs=) if non-zero
-.IP +
-encryption key length in bits (eklen=) if non-zero
-.IP +
-encryption size errors (encr_size_errs=) if non-zero
-.IP +
-encryption padding error warnings (encr_pad_errs=) if non-zero
-.IP +
-lifetimes legend, c=Current status, s=Soft limit when exceeded will
-initiate rekeying, h=Hard limit will cause termination of SA (life(c,s,h)=)
-.IP + 6
-number of connections to which the SA is allocated (c), that will cause a
-rekey (s), that will cause an expiry (h) (alloc=), if any value is non-zero
-.IP +
-number of bytes processesd by this SA (c), that will cause a rekey (s), that
-will cause an expiry (h) (bytes=), if any value is non-zero
-.IP +
-time since the SA was added (c), until rekey (s), until expiry (h), in seconds (add=)
-.IP +
-time since the SA was first used (c), until rekey (s), until expiry (h), in seconds (used=),
-if any value is non-zero
-.IP +
-number of packets processesd by this SA (c), that will cause a rekey (s), that
-will cause an expiry (h) (packets=), if any value is non-zero
-.IP + 3
-time since the last packet was processed, in seconds (idle=), if SA has
-been used
-.IP
-average compression ratio (ratio=)
-.SH EXAMPLES
-.B "tun.12a@192.168.43.1 IPIP: dir=out src=192.168.43.2"
-.br
-.B " life(c,s,h)=bytes(14073,0,0)add(269,0,0)"
-.br
-.B " use(149,0,0)packets(14,0,0)"
-.br
-.B " idle=23
-.LP
-is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up between machines
-192.168.43.2 and 192.168.43.1 with an SPI of 12a in hexadecimal that has
-passed about 14 kilobytes of traffic in 14 packets since it was created,
-269 seconds ago, first used 149 seconds ago and has been idle for 23
-seconds.
-.LP
-.B "esp:9a35fc02@3049:1::1 ESP_3DES_HMAC_MD5:"
-.br
-.B " dir=in src=9a35fc02@3049:1::2"
-.br
-.B " ooowin=32 seq=7149 bit=0xffffffff"
-.br
-.B " alen=128 aklen=128 eklen=192"
-.br
-.B " life(c,s,h)=bytes(1222304,0,0)add(4593,0,0)"
-.br
-.B " use(3858,0,0)packets(7149,0,0)"
-.br
-.B " idle=23"
-.LP
-is an inbound Encapsulating Security Payload (protocol 50) SA on machine
-3049:1::1 with an SPI of 9a35fc02 that uses 3DES as the encryption
-cipher, HMAC MD5 as the authentication algorithm, an out-of-order
-window of 32 packets, a present sequence number of 7149, every one of
-the last 32 sequence numbers was received, the authenticator length and
-keys is 128 bits, the encryption key is 192 bits (actually 168 for 3DES
-since 1 of 8 bits is a parity bit), has passed 1.2 Mbytes of data in
-7149 packets, was added 4593 seconds ago, first used
-3858 seconds ago and has been idle for 23 seconds.
-.LP
-.SH FILES
-/proc/net/ipsec_spi, /usr/local/bin/ipsec
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5),
-ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_spi(8), ipsec_version(5),
-ipsec_pf_key(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Richard Guy Briggs.
-.SH BUGS
-The add and use times are awkward, displayed in seconds since machine
-start. It would be better to display them in seconds before now for
-human readability.
-.\"
-.\" $Log: spi.5,v $
-.\" Revision 1.1 2004/03/15 20:35:31 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.9 2002/04/24 07:35:39 mcr
-.\" Moved from ./klips/utils/spi.5,v
-.\"
-.\" Revision 1.8 2001/08/01 23:22:44 rgb
-.\" Fix inconsistancies between manpage and output.
-.\"
-.\" Revision 1.7 2000/11/30 16:47:28 rgb
-.\" Added src= to /proc/net/ipsec_spi manpage.
-.\"
-.\" Revision 1.6 2000/09/17 18:56:48 rgb
-.\" Added IPCOMP support.
-.\"
-.\" Revision 1.5 2000/09/13 15:54:32 rgb
-.\" Added Gerhard's ipv6 updates.
-.\"
-.\" Revision 1.4 2000/07/05 17:24:03 rgb
-.\" Updated for relative, rather than absolute values for addtime and
-.\" usetime.
-.\"
-.\" Revision 1.3 2000/06/30 18:21:55 rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.2 2000/06/28 12:44:12 henry
-.\" format touchup
-.\"
-.\" Revision 1.1 2000/06/28 05:43:00 rgb
-.\" Added manpages for all 5 klips utils.
-.\"
-.\"
diff --git a/programs/spi/spi.8 b/programs/spi/spi.8
deleted file mode 100644
index fe6537c07..000000000
--- a/programs/spi/spi.8
+++ /dev/null
@@ -1,525 +0,0 @@
-.TH IPSEC_SPI 8 "23 Oct 2001"
-.\"
-.\" RCSID $Id: spi.8,v 1.1 2004/03/15 20:35:31 as Exp $
-.\"
-.SH NAME
-ipsec spi \- manage IPSEC Security Associations
-.SH SYNOPSIS
-.br
-Note: In the following,
-.br
-.B <SA>
-means:
-.B \-\-af
-(inet | inet6)
-.B \-\-edst
-daddr
-.B \-\-spi
-spi
-.B \-\-proto
-proto OR
-.B \-\-said
-said,
-.br
-.B <life>
-means:
-.B \-\-life
-(soft | hard)\-(allocations | bytes | addtime | usetime | packets)=value[,...]
-.PP
-.B ipsec
-.B spi
-.PP
-.B ipsec
-.B spi
-.B <SA>
-.B \-\-src
-src
-.B \-\-ah
-.BR hmac-md5-96 | hmac-sha1-96
-[
-.B \-\-replay_window
-replayw ]
-[
-.B <life>
-]
-.B \-\-authkey
-akey
-.PP
-.B ipsec
-.B spi
-.B <SA>
-.B \-\-src
-src
-.B \-\-esp
-.BR 3des
-[
-.B \-\-replay_window
-replayw ]
-[
-.B <life>
-]
-.B \-\-enckey
-ekey
-.PP
-.B ipsec
-.B spi
-.B <SA>
-.B \-\-src
-src
-.B \-\-esp
-.BR 3des-md5-96 | 3des-sha1-96
-[
-.B \-\-replay_window
-replayw ]
-[
-.B <life>
-]
-.B \-\-enckey
-ekey
-.B \-\-authkey
-akey
-.PP
-.B ipsec
-.B spi
-.B <SA>
-.B \-\-src
-src
-.B \-\-comp
-.BR deflate
-.PP
-.B ipsec
-.B spi
-.B <SA>
-.B \-\-ip4
-.B \-\-src
-encap-src
-.B \-\-dst
-encap-dst
-.PP
-.B ipsec
-.B spi
-.B <SA>
-.B \-\-ip6
-.B \-\-src
-encap-src
-.B \-\-dst
-encap-dst
-.PP
-.B ipsec
-.B spi
-.B <SA>
-.B \-\-del
-.PP
-.B ipsec
-.B spi
-.B \-\-help
-.PP
-.B ipsec
-.B spi
-.B \-\-version
-.PP
-.B ipsec
-.B spi
-.B \-\-clear
-.PP
-.SH DESCRIPTION
-.I Spi
-creates and deletes IPSEC Security Associations.
-A Security Association (SA) is a transform through which packet
-contents are to be processed before being forwarded.
-A transform can be an IPv4-in-IPv4 or an IPv6-in-IPv6 encapsulation,
-an IPSEC Authentication Header (authentication with no encryption),
-or an IPSEC Encapsulation Security Payload (encryption, possibly
-including authentication).
-.PP
-When a packet is passed from a higher networking layer
-through an IPSEC virtual interface,
-a search in the extended routing table (see
-.IR ipsec_eroute (8))
-yields an effective destination address, a
-Security Parameters Index (SPI) and a IP protocol number.
-When an IPSEC packet arrives from the network,
-its ostensible destination, an SPI and an IP protocol
-specified by its outermost IPSEC header are used.
-The destination/SPI/protocol combination is used to select a relevant SA.
-(See
-.IR ipsec_spigrp (8)
-for discussion of how multiple transforms are combined.)
-.PP
-The
-.IR af ,
-.IR daddr ,
-.I spi
-and
-.I proto
-arguments specify the SA to be created or deleted.
-.I af
-is the address family (inet for IPv4, inet6 for IPv6).
-.I Daddr
-is a destination address
-in dotted-decimal notation for IPv4
-or in a coloned hex notation for IPv6.
-.I Spi
-is a number, preceded by '0x' for hexadecimal,
-between
-.B 0x100
-and
-.BR 0xffffffff ;
-values from
-.B 0x0
-to
-.B 0xff
-are reserved.
-.I Proto
-is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol.
-The protocol must agree with the algorithm selected.
-.PP
-Alternatively, the
-.I said
-argument can also specify an SA to be created or deleted.
-.I Said
-combines the three parameters above, such as: "tun.101@1.2.3.4" or "tun:101@1:2::3:4",
-where the address family is specified by "." for IPv4 and ":" for IPv6. The address
-family indicators substitute the "0x" for hexadecimal.
-.PP
-The source address,
-.IR src ,
-must also be provided for the inbound policy check to
-function. The source address does not need to be included if inbound
-policy checking has been disabled.
-.PP
-Keys vectors must be entered as hexadecimal or base64 numbers.
-They should be cryptographically strong random numbers.
-.PP
-All hexadecimal numbers are entered as strings of hexadecimal digits
-(0-9 and a-f), without spaces, preceded by '0x', where each hexadecimal
-digit represents 4 bits.
-All base64 numbers are entered as strings of base64 digits
- (0-9, A-Z, a-z, '+' and '/'), without spaces, preceded by '0s',
-where each hexadecimal digit represents 6 bits and '=' is used for padding.
-.PP
-The deletion of an SA which has been grouped will result in the entire chain
-being deleted.
-.PP
-The form with no additional arguments lists the contents of
-/proc/net/ipsec_spi. The format of /proc/net/ipsec_spi is discussed in
-ipsec_spi(5).
-.PP
-The lifetime severity of
-.B soft
-sets a limit when the key management daemons are asked to rekey the SA.
-The lifetime severity of
-.B hard
-sets a limit when the SA must expire.
-The lifetime type
-.B allocations
-tells the system when to expire the SA because it is being shared by too many
-eroutes (not currently used). The lifetime type of
-.B bytes
-tells the system to expire the SA after a certain number of bytes have been
-processed with that SA. The lifetime type of
-.B addtime
-tells the system to expire the SA a certain number of seconds after the SA was
-installed. The lifetime type of
-.B usetime
-tells the system to expire the SA a certain number of seconds after that SA has
-processed its first packet. The lifetime type of
-.B packets
-tells the system to expire the SA after a certain number of packets have been
-processed with that SA.
-.SH OPTIONS
-.TP 10
-.B \-\-af
-specifies the address family (inet for IPv4, inet6 for IPv6)
-.TP
-.B \-\-edst
-specifies the effective destination
-.I daddr
-of the Security Association
-.TP
-.B \-\-spi
-specifies the Security Parameters Index
-.I spi
-of the Security Association
-.TP
-.B \-\-proto
-specifies the IP protocol
-.I proto
-of the Security Association
-.TP
-.B \-\-said
-specifies the Security Association in monolithic format
-.TP
-.B \-\-ah
-add an SA for an IPSEC Authentication Header,
-specified by the following transform identifier
-(\c
-.BR hmac-md5-96
-or
-.BR hmac-sha1-96 )
-(RFC2402, obsoletes RFC1826)
-.TP
-.B hmac-md5-96
-transform following the HMAC and MD5 standards,
-using a 128-bit
-.I key
-to produce a 96-bit authenticator (RFC2403)
-.TP
-.B hmac-sha1-96
-transform following the HMAC and SHA1 standards,
-using a 160-bit
-.I key
-to produce a 96-bit authenticator (RFC2404)
-.TP
-.B \-\-esp
-add an SA for an IPSEC Encapsulation Security Payload,
-specified by the following
-transform identifier (\c
-.BR 3des ,
-or
-.BR 3des-md5-96 )
-(RFC2406, obsoletes RFC1827)
-.TP
-.B 3des
-encryption transform following the Triple-DES standard in
-Cipher-Block-Chaining mode using a 64-bit
-.I iv
-(internally generated) and a 192-bit 3DES
-.I ekey
-(RFC2451)
-.TP
-.B 3des-md5-96
-encryption transform following the Triple-DES standard in
-Cipher-Block-Chaining mode with authentication provided by
-HMAC and MD5
-(96-bit authenticator),
-using a 64-bit
-.IR iv
-(internally generated), a 192-bit 3DES
-.I ekey
-and a 128-bit HMAC-MD5
-.I akey
-(RFC2451, RFC2403)
-.TP
-.B 3des-sha1-96
-encryption transform following the Triple-DES standard in
-Cipher-Block-Chaining mode with authentication provided by
-HMAC and SHA1
-(96-bit authenticator),
-using a 64-bit
-.IR iv
-(internally generated), a 192-bit 3DES
-.I ekey
-and a 160-bit HMAC-SHA1
-.I akey
-(RFC2451, RFC2404)
-.TP
-.BR \-\-replay_window " replayw"
-sets the replay window size; valid values are decimal, 1 to 64
-.TP
-.BR \-\-life " life_param[,life_param]"
-sets the lifetime expiry; the format of
-.B life_param
-consists of a comma-separated list of lifetime specifications without spaces;
-a lifetime specification is comprised of a severity of
-.BR soft " or " hard
-followed by a '-', followed by a lifetime type of
-.BR allocations ", " bytes ", " addtime ", " usetime " or " packets
-followed by an '=' and finally by a value
-.TP
-.B \-\-comp
-add an SA for IPSEC IP Compression,
-specified by the following
-transform identifier (\c
-.BR deflate )
-(RFC2393)
-.TP
-.B deflate
-compression transform following the patent-free Deflate compression algorithm
-(RFC2394)
-.TP
-.B \-\-ip4
-add an SA for an IPv4-in-IPv4
-tunnel from
-.I encap-src
-to
-.I encap-dst
-.TP
-.B \-\-ip6
-add an SA for an IPv6-in-IPv6
-tunnel from
-.I encap-src
-to
-.I encap-dst
-.TP
-.B \-\-src
-specify the source end of an IP-in-IP tunnel from
-.I encap-src
-to
-.I encap-dst
-and also specifies the source address of the Security Association to be
-used in inbound policy checking and must be the same address
-family as
-.I af
-and
-.I edst
-.TP
-.B \-\-dst
-specify the destination end of an IP-in-IP tunnel from
-.I encap-src
-to
-.I encap-dst
-.TP
-.B \-\-del
-delete the specified SA
-.TP
-.BR \-\-clear
-clears the table of
-.BR SA s
-.TP
-.BR \-\-help
-display synopsis
-.TP
-.BR \-\-version
-display version information
-.SH EXAMPLES
-To keep line lengths down and reduce clutter,
-some of the long keys in these examples have been abbreviated
-by replacing part of their text with
-.RI `` ... ''.
-Keys used when the programs are actually run must,
-of course, be the full length required for the particular algorithm.
-.LP
-.B "ipsec spi \-\-af inet \-\-edst gw2 \-\-spi 0x125 \-\-proto esp \e"
-.br
-.B " \-\-src gw1 \e"
-.br
-.B " \-\-esp 3des\-md5\-96 \e"
-.br
-.BI "\ \ \ \-\-enckey\ 0x6630" "..." "97ce\ \e"
-.br
-.BI " \-\-authkey 0x9941" "..." "71df"
-.LP
-sets up an SA from
-.BR gw1
-to
-.BR gw2
-with an SPI of
-.BR 0x125
-and protocol
-.BR ESP
-(50) using
-.BR 3DES
-encryption with integral
-.BR MD5-96
-authentication transform, using an encryption key of
-.BI 0x6630 ... 97ce
-and an authentication key of
-.BI 0x9941 ... 71df
-(see note above about abbreviated keys).
-.LP
-.B "ipsec spi \-\-af inet6 \-\-edst 3049:9::9000:3100 \-\-spi 0x150 \-\-proto ah \e"
-.br
-.B " \-\-src 3049:9::9000:3101 \e"
-.br
-.B " \-\-ah hmac\-md5\-96 \e"
-.br
-.BI "\ \ \ \-\-authkey\ 0x1234" "..." "2eda\ \e"
-.LP
-sets up an SA from
-.BR 3049:9::9000:3101
-to
-.BR 3049:9::9000:3100
-with an SPI of
-.BR 0x150
-and protocol
-.BR AH
-(50) using
-.BR MD5-96
-authentication transform, using an authentication key of
-.BI 0x1234 ... 2eda
-(see note above about abbreviated keys).
-.LP
-.B "ipsec spi \-\-said tun.987@192.168.100.100 \-\-del "
-.LP
-deletes an SA to
-.BR 192.168.100.100
-with an SPI of
-.BR 0x987
-and protocol
-.BR IPv4-in-IPv4
-(4).
-.LP
-.B "ipsec spi \-\-said tun:500@3049:9::1000:1 \-\-del "
-.LP
-deletes an SA to
-.BR 3049:9::1000:1
-with an SPI of
-.BR 0x500
-and protocol
-.BR IPv6-in-IPv6
-(4).
-.LP
-.SH FILES
-/proc/net/ipsec_spi, /usr/local/bin/ipsec
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8),
-ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_spi(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Richard Guy Briggs.
-.SH BUGS
-The syntax is messy and the transform naming needs work.
-.\"
-.\" $Log: spi.8,v $
-.\" Revision 1.1 2004/03/15 20:35:31 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.32 2002/04/24 07:35:40 mcr
-.\" Moved from ./klips/utils/spi.8,v
-.\"
-.\" Revision 1.31 2001/11/06 20:18:47 rgb
-.\" Added lifetime parameters.
-.\"
-.\" Revision 1.30 2001/10/24 03:23:32 rgb
-.\" Added lifetime option and parameters.
-.\"
-.\" Revision 1.29 2001/05/30 08:14:04 rgb
-.\" Removed vestiges of esp-null transforms.
-.\"
-.\" Revision 1.28 2000/11/29 19:15:20 rgb
-.\" Add --src requirement for inbound policy routing.
-.\"
-.\" Revision 1.27 2000/09/17 18:56:48 rgb
-.\" Added IPCOMP support.
-.\"
-.\" Revision 1.26 2000/09/13 15:54:32 rgb
-.\" Added Gerhard's ipv6 updates.
-.\"
-.\" Revision 1.25 2000/09/12 22:36:45 rgb
-.\" Gerhard's IPv6 support.
-.\"
-.\" Revision 1.24 2000/06/30 18:21:55 rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.23 2000/06/21 16:54:57 rgb
-.\" Added 'no additional args' text for listing contents of
-.\" /proc/net/ipsec_* files.
-.\"
-.\" Revision 1.22 1999/08/11 08:35:16 rgb
-.\" Update, deleting references to obsolete and insecure algorithms.
-.\"
-.\" Revision 1.21 1999/07/19 18:53:55 henry
-.\" improve font usage in key abbreviations
-.\"
-.\" Revision 1.20 1999/07/19 18:50:09 henry
-.\" fix slightly-misformed comments
-.\" abbreviate long keys to avoid long-line complaints
-.\"
-.\" Revision 1.19 1999/04/06 04:54:38 rgb
-.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
-.\" patch shell fixes.
-.\"
diff --git a/programs/spi/spi.c b/programs/spi/spi.c
deleted file mode 100644
index 369d556c7..000000000
--- a/programs/spi/spi.c
+++ /dev/null
@@ -1,1689 +0,0 @@
-/*
- * All-in-one program to set Security Association parameters
- * Copyright (C) 1996 John Ioannidis.
- * Copyright (C) 1997, 1998, 1999, 2000, 2001, 2002 Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-char spi_c_version[] = "RCSID $Id: spi.c,v 1.7 2004/10/14 20:03:26 as Exp $";
-
-#include <asm/types.h>
-#include <sys/types.h>
-#include <sys/ioctl.h>
-/* #include <linux/netdevice.h> */
-#include <net/if.h>
-/* #include <linux/types.h> */ /* new */
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <string.h>
-#include <errno.h>
-
-/* #include <sys/socket.h> */
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-/* #include <linux/ip.h> */
-#include <netdb.h>
-
-#include <unistd.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <freeswan.h>
-#if 0
-#include <linux/autoconf.h> /* CONFIG_IPSEC_PFKEYv2 */
-#endif
- #include <signal.h>
- #include <sys/socket.h>
- #include <pfkeyv2.h>
- #include <pfkey.h>
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_ipe4.h"
-#include "freeswan/ipsec_ah.h"
-#include "freeswan/ipsec_esp.h"
-#include "freeswan/ipsec_sa.h" /* IPSEC_SAREF_NULL */
-
-/*
- * Manual conn support for ipsec_alg (modular algos).
- * Rather ugly to include from pluto dir but avoids
- * code duplication.
- */
-#ifndef NO_KERNEL_ALG
-#include "../pluto/alg_info.h"
-#include "../pluto/constants.h"
-struct connection;
-#include "../pluto/kernel_alg.h"
-#endif /* NO_KERNEL_ALG */
-
-char *program_name;
-int debug = 0;
-int saref = 0;
-char *command;
-extern char *optarg;
-extern int optind, opterr, optopt;
-char scratch[2];
-char *iv = NULL, *enckey = NULL, *authkey = NULL;
-size_t ivlen = 0, enckeylen = 0, authkeylen = 0;
-ip_address edst, dst, src;
-int address_family = 0;
-unsigned char proto = 0;
-int alg = 0;
-
-#ifndef NO_KERNEL_ALG
-/*
- * Manual connection support for modular algos (ipsec_alg) --Juanjo.
- */
-#define XF_OTHER_ALG (XF_CLR-1) /* define magic XF_ symbol for alg_info's */
-#include <assert.h>
-const char *alg_string = NULL; /* algorithm string */
-struct alg_info_esp *alg_info = NULL; /* algorithm info got from string */
-struct esp_info *esp_info = NULL; /* esp info from 1st (only) element */
-const char *alg_err; /* auxiliar for parsing errors */
-int proc_read_ok = 0; /* /proc/net/pf_key_support read ok */
-#endif /* NO_KERNEL_ALG */
-
-int replay_window = 0;
-char sa[SATOT_BUF];
-
-extern unsigned int pfkey_lib_debug; /* used by libfreeswan/pfkey_v2_build */
-int pfkey_sock;
-fd_set pfkey_socks;
-uint32_t pfkey_seq = 0;
-enum life_severity {
- life_soft = 0,
- life_hard = 1,
- life_maxsever = 2
-};
-enum life_type {
- life_alloc = 0,
- life_bytes = 1,
- life_addtime = 2,
- life_usetime = 3,
- life_packets = 4,
- life_maxtype = 5
-};
-
-#define streql(_a,_b) (!strcmp((_a),(_b)))
-
-static const char *usage_string = "\
-Usage:\n\
- in the following, <SA> is: --af <inet | inet6> --edst <dstaddr> --spi <spi> --proto <proto>\n\
- OR: --said <proto><.|:><spi>@<dstaddr>\n\
- <life> is: --life <soft|hard>-<allocations|bytes|addtime|usetime|packets>=<value>[,...]\n\
-spi --clear\n\
-spi --help\n\
-spi --version\n\
-spi\n\
-spi --del <SA>\n\
-spi --ip4 <SA> --src <encap-src> --dst <encap-dst>\n\
-spi --ip6 <SA> --src <encap-src> --dst <encap-dst>\n\
-spi --ah <algo> <SA> [<life> ][ --replay_window <replay_window> ] --authkey <key>\n\
- where <algo> is one of: hmac-md5-96 | hmac-sha1-96\n\
-spi --esp <algo> <SA> [<life> ][ --replay_window <replay-window> ] --enckey <ekey> --authkey <akey>\n\
- where <algo> is one of: 3des-md5-96 | 3des-sha1-96\n\
-spi --esp <algo> <SA> [<life> ][ --replay_window <replay-window> ] --enckey <ekey>\n\
- where <algo> is: 3des\n\
-spi --comp <algo> <SA>\n\
- where <algo> is: deflate\n\
-[ --debug ] is optional to any spi command.\n\
-[ --label <label> ] is optional to any spi command.\n\
-[ --listenreply ] is optional, and causes the command to stick\n\
- around and listen to what the PF_KEY socket says.\n\
-";
-
-
-static void
-usage(char *s, FILE *f)
-{
- /* s argument is actually ignored, at present */
- fprintf(f, "%s:%s", s, usage_string);
- exit(-1);
-}
-
-int
-parse_life_options(uint32_t life[life_maxsever][life_maxtype],
- char *life_opt[life_maxsever][life_maxtype],
- char *optarg)
-{
- char *optargp = optarg;
- char *endptr;
-
- do {
- int life_severity, life_type;
- char *optargt = optargp;
-
- if(strncmp(optargp, "soft", sizeof("soft")-1) == 0) {
- life_severity = life_soft;
- optargp += sizeof("soft")-1;
- } else if(strncmp(optargp, "hard", sizeof("hard")-1) == 0) {
- life_severity = life_hard;
- optargp += sizeof("hard")-1;
- } else {
- fprintf(stderr,
- "%s: missing lifetime severity in %s, optargt=0p%p, optargp=0p%p, sizeof(\"soft\")=%d\n",
- program_name,
- optargt,
- optargt,
- optargp,
- (int)sizeof("soft"));
- usage(program_name, stderr);
- return(1);
- }
- if(debug) {
- fprintf(stdout,
- "%s: debug: life_severity=%d, optargt=0p%p=\"%s\", optargp=0p%p=\"%s\", sizeof(\"soft\")=%d\n",
- program_name,
- life_severity,
- optargt,
- optargt,
- optargp,
- optargp,
- (int)sizeof("soft"));
- }
- if(*(optargp++) != '-') {
- fprintf(stderr,
- "%s: expected '-' after severity of lifetime parameter to --life option.\n",
- program_name);
- usage(program_name, stderr);
- return(1);
- }
- if(debug) {
- fprintf(stdout,
- "%s: debug: optargt=0p%p=\"%s\", optargp=0p%p=\"%s\", strlen(optargt)=%d, strlen(optargp)=%d, strncmp(optargp, \"addtime\", sizeof(\"addtime\")-1)=%d\n",
- program_name,
- optargt,
- optargt,
- optargp,
- optargp,
- (int)strlen(optargt),
- (int)strlen(optargp),
- strncmp(optargp, "addtime", sizeof("addtime")-1));
- }
- if(strncmp(optargp, "allocations", sizeof("allocations")-1) == 0) {
- life_type = life_alloc;
- optargp += sizeof("allocations")-1;
- } else if(strncmp(optargp, "bytes", sizeof("bytes")-1) == 0) {
- life_type = life_bytes;
- optargp += sizeof("bytes")-1;
- } else if(strncmp(optargp, "addtime", sizeof("addtime")-1) == 0) {
- life_type = life_addtime;
- optargp += sizeof("addtime")-1;
- } else if(strncmp(optargp, "usetime", sizeof("usetime")-1) == 0) {
- life_type = life_usetime;
- optargp += sizeof("usetime")-1;
- } else if(strncmp(optargp, "packets", sizeof("packets")-1) == 0) {
- life_type = life_packets;
- optargp += sizeof("packets")-1;
- } else {
- fprintf(stderr,
- "%s: missing lifetime type after '-' in %s\n",
- program_name,
- optargt);
- usage(program_name, stderr);
- return(1);
- }
- if(debug) {
- fprintf(stdout,
- "%s: debug: life_type=%d\n",
- program_name,
- life_type);
- }
- if(life_opt[life_severity][life_type] != NULL) {
- fprintf(stderr,
- "%s: Error, lifetime parameter redefined:%s, already defined as:0p%p\n",
- program_name,
- optargt,
- life_opt[life_severity][life_type]);
- return(1);
- }
- if(*(optargp++) != '=') {
- fprintf(stderr,
- "%s: expected '=' after type of lifetime parameter to --life option.\n",
- program_name);
- usage(program_name, stderr);
- return(1);
- }
- if(debug) {
- fprintf(stdout,
- "%s: debug: optargt=0p%p, optargt+strlen(optargt)=0p%p, optargp=0p%p, strlen(optargp)=%d\n",
- program_name,
- optargt,
- optargt+strlen(optargt),
- optargp,
- (int)strlen(optargp));
- }
- if(strlen(optargp) == 0) {
- fprintf(stderr,
- "%s: expected value after '=' in --life option. optargt=0p%p, optargt+strlen(optargt)=0p%p, optargp=0p%p\n",
- program_name,
- optargt,
- optargt+strlen(optargt),
- optargp);
- usage(program_name, stderr);
- return(1);
- }
- life[life_severity][life_type] = strtoul(optargp, &endptr, 0);
-
- if(!((endptr == optargp + strlen(optargp)) || (endptr == optargp + strcspn(optargp, ", ")))) {
- fprintf(stderr,
- "%s: Invalid character='%c' at offset %d in lifetime option parameter: '%s', parameter string is %d characters long, %d valid value characters found.\n",
- program_name,
- *endptr,
- (int)(endptr - optarg),
- optarg,
- (int)strlen(optarg),
- (int)(strcspn(optargp, ", ") - 1));
- return(1);
- }
- life_opt[life_severity][life_type] = optargt;
- if(debug) {
- fprintf(stdout, "%s lifetime %s set to %d.\n",
- program_name, optargt, life[life_severity][life_type]);
- }
- optargp=endptr+1;
- } while(*endptr==',' || isspace(*endptr));
-
- return(0);
-}
-
-int
-pfkey_register(uint8_t satype) {
- /* for registering SA types that can be negotiated */
- int error;
- ssize_t wlen;
- struct sadb_ext *extensions[SADB_EXT_MAX + 1];
- struct sadb_msg *pfkey_msg;
-
- pfkey_extensions_init(extensions);
- error = pfkey_msg_hdr_build(&extensions[0],
- SADB_REGISTER,
- satype,
- 0,
- ++pfkey_seq,
- getpid());
- if(error != 0) {
- fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- return(1);
- }
-
- error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN);
- if(error != 0) {
- fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- return(1);
- }
- wlen = write(pfkey_sock, pfkey_msg,
- pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
- if(wlen != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) {
- /* cleanup code here */
- if(wlen < 0)
- fprintf(stderr, "%s: Trouble writing to channel PF_KEY: %s\n",
- program_name,
- strerror(errno));
- else
- fprintf(stderr, "%s: write to channel PF_KEY truncated.\n",
- program_name);
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- return(1);
- }
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
-
- return(0);
-}
-
-static struct option const longopts[] =
-{
- {"ah", 1, 0, 'H'},
- {"esp", 1, 0, 'P'},
- {"comp", 1, 0, 'Z'},
- {"ip4", 0, 0, '4'},
- {"ip6", 0, 0, '6'},
- {"del", 0, 0, 'd'},
-
- {"authkey", 1, 0, 'A'},
- {"enckey", 1, 0, 'E'},
- {"edst", 1, 0, 'e'},
- {"spi", 1, 0, 's'},
- {"proto", 1, 0, 'p'},
- {"af", 1, 0, 'a'},
- {"replay_window", 1, 0, 'w'},
- {"iv", 1, 0, 'i'},
- {"dst", 1, 0, 'D'},
- {"src", 1, 0, 'S'},
- {"said", 1, 0, 'I'},
-
- {"help", 0, 0, 'h'},
- {"version", 0, 0, 'v'},
- {"clear", 0, 0, 'c'},
- {"label", 1, 0, 'l'},
- {"debug", 0, 0, 'g'},
- {"optionsfrom", 1, 0, '+'},
- {"life", 1, 0, 'f'},
- {"saref", 0, 0, 'r'},
- {"listenreply", 0, 0, 'R'},
- {0, 0, 0, 0}
-};
-
-int
-main(int argc, char *argv[])
-{
- char *endptr;
- __u32 spi = 0;
- int c, previous = -1;
-/* int ret; */
- ip_said said;
- size_t sa_len;
- const char* error_s;
- char ipaddr_txt[ADDRTOT_BUF];
- char ipsaid_txt[SATOT_BUF];
-
- int error = 0;
- ssize_t io_error;
- int argcount = argc;
- pid_t mypid;
- int listenreply = 0;
-
- unsigned char authalg, encryptalg;
- struct sadb_ext *extensions[SADB_EXT_MAX + 1];
- struct sadb_msg *pfkey_msg;
- char *iv_opt, *akey_opt, *ekey_opt, *alg_opt, *edst_opt, *spi_opt, *proto_opt, *af_opt, *said_opt, *dst_opt, *src_opt;
-#if 0
- ip_address pfkey_address_p_ska;
- ip_address pfkey_ident_s_ska;
- ip_address pfkey_ident_d_ska;
-#endif
- uint32_t life[life_maxsever][life_maxtype];
- char *life_opt[life_maxsever][life_maxtype];
-
- program_name = argv[0];
- mypid = getpid();
-
- memset(&said, 0, sizeof(said));
- iv_opt = akey_opt = ekey_opt = alg_opt = edst_opt = spi_opt = proto_opt = af_opt = said_opt = dst_opt = src_opt = NULL;
- {
- int i,j;
- for(i = 0; i < life_maxsever; i++) {
- for(j = 0; j < life_maxtype; j++) {
- life_opt[i][j] = NULL;
- life[i][j] = 0;
- }
- }
- }
-
- while((c = getopt_long(argc, argv, ""/*"H:P:Z:46dcA:E:e:s:a:w:i:D:S:hvgl:+:f:"*/, longopts, 0)) != EOF) {
- switch(c) {
- case 'g':
- debug = 1;
- pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX;
- argcount--;
- break;
-
- case 'R':
- listenreply = 1;
- argcount--;
- break;
-
- case 'r':
- saref = 1;
- argcount--;
- break;
-
- case 'l':
- program_name = malloc(strlen(argv[0])
- + 10 /* update this when changing the sprintf() */
- + strlen(optarg));
- sprintf(program_name, "%s --label %s",
- argv[0],
- optarg);
- argcount -= 2;
- break;
- case 'H':
- if(alg) {
- fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
- program_name);
- exit(1);
- }
- if (!strcmp(optarg, "hmac-md5-96")) {
- alg = XF_AHHMACMD5;
- } else if(!strcmp(optarg, "hmac-sha1-96")) {
- alg = XF_AHHMACSHA1;
- } else {
- fprintf(stderr, "%s: Unknown authentication algorithm '%s' follows '--ah' option.\n",
- program_name, optarg);
- exit(1);
- }
- if(debug) {
- fprintf(stdout, "%s: Algorithm %d selected.\n",
- program_name,
- alg);
- }
- alg_opt = optarg;
- break;
- case 'P':
- if(alg) {
- fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
- program_name);
- exit(1);
- }
- if (!strcmp(optarg, "3des-md5-96")) {
- alg = XF_ESP3DESMD596;
- } else if(!strcmp(optarg, "3des-sha1-96")) {
- alg = XF_ESP3DESSHA196;
- } else if(!strcmp(optarg, "3des")) {
- alg = XF_ESP3DES;
-#ifndef NO_KERNEL_ALG
- } else if((alg_info=alg_info_esp_create_from_str(optarg, &alg_err))) {
- int esp_ealg_id, esp_aalg_id;
- alg = XF_OTHER_ALG;
- if (alg_info->alg_info_cnt>1) {
- fprintf(stderr, "%s: Invalid encryption algorithm '%s' "
- "follows '--esp' option: lead too many(%d) "
- "transforms\n",
- program_name, optarg, alg_info->alg_info_cnt);
- exit(1);
- }
- alg_string=optarg;
- esp_info=&alg_info->esp[0];
- if (debug) {
- fprintf(stdout, "%s: alg_info: cnt=%d ealg[0]=%d aalg[0]=%d\n",
- program_name,
- alg_info->alg_info_cnt,
- esp_info->encryptalg,
- esp_info->authalg);
- }
- esp_ealg_id=esp_info->esp_ealg_id;
- esp_aalg_id=esp_info->esp_aalg_id;
- if (kernel_alg_proc_read()==0) {
- proc_read_ok++;
- if (!kernel_alg_esp_enc_ok(esp_ealg_id, 0, 0))
- {
- fprintf(stderr, "%s: ESP encryptalg=%d (\"%s\") "
- "not present\n",
- program_name,
- esp_ealg_id,
- enum_name(&esp_transformid_names, esp_ealg_id));
- exit(1);
- }
- if (!kernel_alg_esp_auth_ok(esp_aalg_id, 0))
- {
- fprintf(stderr, "%s: ESP authalg=%d (\"%s\")"
- "not present\n",
- program_name,
- esp_aalg_id,
- enum_name(&auth_alg_names, esp_aalg_id));
- exit(1);
- }
- }
-#endif /* NO_KERNEL_ALG */
- } else {
- fprintf(stderr, "%s: Invalid encryption algorithm '%s' follows '--esp' option.\n",
- program_name, optarg);
- exit(1);
- }
- if(debug) {
- fprintf(stdout, "%s: Algorithm %d selected.\n",
- program_name,
- alg);
- }
- alg_opt = optarg;
- break;
- case 'Z':
- if(alg) {
- fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
- program_name);
- exit(1);
- }
- if (!strcmp(optarg, "deflate")) {
- alg = XF_COMPDEFLATE;
- } else {
- fprintf(stderr, "%s: Unknown compression algorithm '%s' follows '--comp' option.\n",
- program_name, optarg);
- exit(1);
- }
- if(debug) {
- fprintf(stdout, "%s: Algorithm %d selected.\n",
- program_name,
- alg);
- }
- alg_opt = optarg;
- break;
- case '4':
- if(alg) {
- fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
- program_name);
- exit(1);
- }
- alg = XF_IP4;
- address_family = AF_INET;
- if(debug) {
- fprintf(stdout, "%s: Algorithm %d selected.\n",
- program_name,
- alg);
- }
- alg_opt = optarg;
- break;
- case '6':
- if(alg) {
- fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
- program_name);
- exit(1);
- }
- alg = XF_IP6;
- address_family = AF_INET6;
- if(debug) {
- fprintf(stdout, "%s: Algorithm %d selected.\n",
- program_name,
- alg);
- }
- alg_opt = optarg;
- break;
- case 'd':
- if(alg) {
- fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
- program_name);
- exit(1);
- }
- alg = XF_DEL;
- if(debug) {
- fprintf(stdout, "%s: Algorithm %d selected.\n",
- program_name,
- alg);
- }
- alg_opt = optarg;
- break;
- case 'c':
- if(alg) {
- fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
- program_name);
- exit(1);
- }
- alg = XF_CLR;
- if(debug) {
- fprintf(stdout, "%s: Algorithm %d selected.\n",
- program_name,
- alg);
- }
- alg_opt = optarg;
- break;
- case 'e':
- if(said_opt) {
- fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined in SA:%s\n",
- program_name, optarg, said_opt);
- exit (1);
- }
- if(edst_opt) {
- fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined as:%s\n",
- program_name, optarg, edst_opt);
- exit (1);
- }
- error_s = ttoaddr(optarg, 0, address_family, &edst);
- if(error_s != NULL) {
- if(error_s) {
- fprintf(stderr, "%s: Error, %s converting --edst argument:%s\n",
- program_name, error_s, optarg);
- exit (1);
- }
- }
- edst_opt = optarg;
- if(debug) {
- addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stdout, "%s: edst=%s.\n",
- program_name,
- ipaddr_txt);
- }
- break;
- case 's':
- if(said_opt) {
- fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined in SA:%s\n",
- program_name, optarg, said_opt);
- exit (1);
- }
- if(spi_opt) {
- fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined as:%s\n",
- program_name, optarg, spi_opt);
- exit (1);
- }
- spi = strtoul(optarg, &endptr, 0);
- if(!(endptr == optarg + strlen(optarg))) {
- fprintf(stderr, "%s: Invalid character in SPI parameter: %s\n",
- program_name, optarg);
- exit (1);
- }
- if(spi < 0x100) {
- fprintf(stderr, "%s: Illegal reserved spi: %s => 0x%x Must be larger than 0x100.\n",
- program_name, optarg, spi);
- exit(1);
- }
- spi_opt = optarg;
- break;
- case 'p':
- if(said_opt) {
- fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined in SA:%s\n",
- program_name, optarg, said_opt);
- exit (1);
- }
- if(proto_opt) {
- fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined as:%s\n",
- program_name, optarg, proto_opt);
- exit (1);
- }
- if(!strcmp(optarg, "ah"))
- proto = SA_AH;
- if(!strcmp(optarg, "esp"))
- proto = SA_ESP;
- if(!strcmp(optarg, "tun"))
- proto = SA_IPIP;
- if(!strcmp(optarg, "comp"))
- proto = SA_COMP;
- if(proto == 0) {
- fprintf(stderr, "%s: Invalid PROTO parameter: %s\n",
- program_name, optarg);
- exit (1);
- }
- proto_opt = optarg;
- break;
- case 'a':
- if(said_opt) {
- fprintf(stderr, "%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined in SA:%s\n",
- program_name, optarg, said_opt);
- exit (1);
- }
- if(af_opt) {
- fprintf(stderr, "%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined as:%s\n",
- program_name, optarg, af_opt);
- exit (1);
- }
- if(strcmp(optarg, "inet") == 0) {
- address_family = AF_INET;
- /* currently we ensure that all addresses belong to the same address family */
- anyaddr(address_family, &dst);
- anyaddr(address_family, &edst);
- anyaddr(address_family, &src);
- }
- if(strcmp(optarg, "inet6") == 0) {
- address_family = AF_INET6;
- /* currently we ensure that all addresses belong to the same address family */
- anyaddr(address_family, &dst);
- anyaddr(address_family, &edst);
- anyaddr(address_family, &src);
- }
- if((strcmp(optarg, "inet") != 0) && (strcmp(optarg, "inet6") != 0)) {
- fprintf(stderr, "%s: Invalid ADDRESS FAMILY parameter: %s.\n",
- program_name, optarg);
- exit (1);
- }
- af_opt = optarg;
- break;
- case 'I':
- if(said_opt) {
- fprintf(stderr, "%s: Error, SAID parameter redefined:%s, already defined in SA:%s\n",
- program_name, optarg, said_opt);
- exit (1);
- }
- if(proto_opt) {
- fprintf(stderr, "%s: Error, PROTO parameter redefined in SA:%s, already defined as:%s\n",
- program_name, optarg, proto_opt);
- exit (1);
- }
- if(edst_opt) {
- fprintf(stderr, "%s: Error, EDST parameter redefined in SA:%s, already defined as:%s\n",
- program_name, optarg, edst_opt);
- exit (1);
- }
- if(spi_opt) {
- fprintf(stderr, "%s: Error, SPI parameter redefined in SA:%s, already defined as:%s\n",
- program_name, optarg, spi_opt);
- exit (1);
- }
- error_s = ttosa(optarg, 0, &said);
- if(error_s != NULL) {
- fprintf(stderr, "%s: Error, %s converting --sa argument:%s\n",
- program_name, error_s, optarg);
- exit (1);
- }
- if(debug) {
- satot(&said, 0, ipsaid_txt, sizeof(ipsaid_txt));
- fprintf(stdout, "%s: said=%s.\n",
- program_name,
- ipsaid_txt);
- }
- /* init the src and dst with the same address family */
- if(address_family == 0) {
- address_family = addrtypeof(&said.dst);
- } else if(address_family != addrtypeof(&said.dst)) {
- fprintf(stderr, "%s: Error, specified address family (%d) is different that of SAID: %s\n",
- program_name, address_family, optarg);
- exit (1);
- }
- anyaddr(address_family, &dst);
- anyaddr(address_family, &edst);
- anyaddr(address_family, &src);
- said_opt = optarg;
- break;
- case 'A':
- if(optarg[0] == '0') {
- switch(optarg[1]) {
- case 't':
- case 'x':
- case 's':
- break;
- default:
- fprintf(stderr, "%s: Authentication key must have a '0x', '0t' or '0s' prefix to select the format: %s\n",
- program_name, optarg);
- exit(1);
- }
- }
- authkeylen = atodata(optarg, 0, NULL, 0);
- if(!authkeylen) {
- fprintf(stderr, "%s: unknown format or syntax error in authentication key: %s\n",
- program_name, optarg);
- exit (1);
- }
- authkey = malloc(authkeylen);
- if(authkey == NULL) {
- fprintf(stderr, "%s: Memory allocation error.\n", program_name);
- exit(1);
- }
- memset(authkey, 0, authkeylen);
- authkeylen = atodata(optarg, 0, authkey, authkeylen);
- akey_opt = optarg;
- break;
- case 'E':
- if(optarg[0] == '0') {
- switch(optarg[1]) {
- case 't':
- case 'x':
- case 's':
- break;
- default:
- fprintf(stderr, "%s: Encryption key must have a '0x', '0t' or '0s' prefix to select the format: %s\n",
- program_name, optarg);
- exit(1);
- }
- }
- enckeylen = atodata(optarg, 0, NULL, 0);
- if(!enckeylen) {
- fprintf(stderr, "%s: unknown format or syntax error in encryption key: %s\n",
- program_name, optarg);
- exit (1);
- }
- enckey = malloc(enckeylen);
- if(enckey == NULL) {
- fprintf(stderr, "%s: Memory allocation error.\n", program_name);
- exit(1);
- }
- memset(enckey, 0, enckeylen);
- enckeylen = atodata(optarg, 0, enckey, enckeylen);
- ekey_opt = optarg;
- break;
- case 'w':
- replay_window = strtoul(optarg, &endptr, 0);
- if(!(endptr == optarg + strlen(optarg))) {
- fprintf(stderr, "%s: Invalid character in replay_window parameter: %s\n",
- program_name, optarg);
- exit (1);
- }
- if((replay_window < 0x1) || (replay_window > 64)) {
- fprintf(stderr, "%s: Failed -- Illegal window size: arg=%s, replay_window=%d, must be 1 <= size <= 64.\n",
- program_name, optarg, replay_window);
- exit(1);
- }
- break;
- case 'i':
- if(optarg[0] == '0') {
- switch(optarg[1]) {
- case 't':
- case 'x':
- case 's':
- break;
- default:
- fprintf(stderr, "%s: IV must have a '0x', '0t' or '0s' prefix to select the format, found '%c'.\n",
- program_name, optarg[1]);
- exit(1);
- }
- }
- ivlen = atodata(optarg, 0, NULL, 0);
- if(!ivlen) {
- fprintf(stderr, "%s: unknown format or syntax error in IV: %s\n",
- program_name, optarg);
- exit (1);
- }
- iv = malloc(ivlen);
- if(iv == NULL) {
- fprintf(stderr, "%s: Memory allocation error.\n", program_name);
- exit(1);
- }
- memset(iv, 0, ivlen);
- ivlen = atodata(optarg, 0, iv, ivlen);
- iv_opt = optarg;
- break;
- case 'D':
- if(dst_opt) {
- fprintf(stderr, "%s: Error, DST parameter redefined:%s, already defined as:%s\n",
- program_name, optarg, dst_opt);
- exit (1);
- }
- error_s = ttoaddr(optarg, 0, address_family, &dst);
- if(error_s != NULL) {
- fprintf(stderr, "%s: Error, %s converting --dst argument:%s\n",
- program_name, error_s, optarg);
- exit (1);
- }
- dst_opt = optarg;
- if(debug) {
- addrtot(&dst, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stdout, "%s: dst=%s.\n",
- program_name,
- ipaddr_txt);
- }
- break;
- case 'S':
- if(src_opt) {
- fprintf(stderr, "%s: Error, SRC parameter redefined:%s, already defined as:%s\n",
- program_name, optarg, src_opt);
- exit (1);
- }
- error_s = ttoaddr(optarg, 0, address_family, &src);
- if(error_s != NULL) {
- fprintf(stderr, "%s: Error, %s converting --src argument:%s\n",
- program_name, error_s, optarg);
- exit (1);
- }
- src_opt = optarg;
- if(debug) {
- addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stdout, "%s: src=%s.\n",
- program_name,
- ipaddr_txt);
- }
- break;
- case 'h':
- usage(program_name, stdout);
- exit(0);
- case '?':
- usage(program_name, stderr);
- exit(1);
- case 'v':
- fprintf(stdout, "%s, %s\n", program_name, spi_c_version);
- exit(1);
- case '+': /* optionsfrom */
- optionsfrom(optarg, &argc, &argv, optind, stderr);
- /* no return on error */
- break;
- case 'f':
- if(parse_life_options(life,
- life_opt,
- optarg) != 0) {
- exit(1);
- };
- break;
- default:
- fprintf(stderr, "%s: unrecognized option '%c', update option processing.\n",
- program_name, c);
- exit(1);
- }
- previous = c;
- }
- if(debug) {
- fprintf(stdout, "%s: All options processed.\n",
- program_name);
- }
-
- if(argcount == 1) {
- system("cat /proc/net/ipsec_spi");
- exit(0);
- }
-
- switch(alg) {
-#ifndef NO_KERNEL_ALG
- case XF_OTHER_ALG:
- /* validate keysizes */
- if (proc_read_ok) {
- const struct sadb_alg *alg_p;
- size_t keylen, minbits, maxbits;
-
- alg_p=kernel_alg_sadb_alg_get(SADB_SATYPE_ESP,SADB_EXT_SUPPORTED_ENCRYPT,
- esp_info->encryptalg);
- assert(alg_p);
- keylen=enckeylen * 8;
-
- if (alg_p->sadb_alg_id==ESP_3DES || alg_p->sadb_alg_id==ESP_DES) {
- maxbits=minbits=alg_p->sadb_alg_minbits * 8 /7;
- } else {
- minbits=alg_p->sadb_alg_minbits;
- maxbits=alg_p->sadb_alg_maxbits;
- }
- /*
- * if explicit keylen told in encrypt algo, eg "aes128"
- * check actual keylen "equality"
- */
- if (esp_info->esp_ealg_keylen &&
- esp_info->esp_ealg_keylen!=keylen) {
- fprintf(stderr, "%s: invalid encryption keylen=%d, "
- "required %d by encrypt algo string=\"%s\"\n",
- program_name,
- (int)keylen,
- (int)esp_info->esp_ealg_keylen,
- alg_string);
- exit(1);
-
- }
- /* thanks DES for this sh*t */
-
- if (minbits > keylen || maxbits < keylen) {
- fprintf(stderr, "%s: invalid encryption keylen=%d, "
- "must be between %d and %d bits\n",
- program_name,
- (int)keylen, (int)minbits, (int)maxbits);
- exit(1);
- }
- alg_p=kernel_alg_sadb_alg_get(SADB_SATYPE_ESP,SADB_EXT_SUPPORTED_AUTH,
- esp_info->authalg);
- assert(alg_p);
- keylen=authkeylen * 8;
- minbits=alg_p->sadb_alg_minbits;
- maxbits=alg_p->sadb_alg_maxbits;
- if (minbits > keylen || maxbits < keylen) {
- fprintf(stderr, "%s: invalid auth keylen=%d, "
- "must be between %d and %d bits\n",
- program_name,
- (int)keylen, (int)minbits, (int)maxbits);
- exit(1);
- }
-
- }
-#endif /* NO_KERNEL_ALG */
- case XF_IP4:
- case XF_IP6:
- case XF_DEL:
- case XF_AHHMACMD5:
- case XF_AHHMACSHA1:
- case XF_ESP3DESMD596:
- case XF_ESP3DESSHA196:
- case XF_ESP3DES:
- case XF_COMPDEFLATE:
- if(!said_opt) {
- if(isanyaddr(&edst)) {
- fprintf(stderr, "%s: SA destination not specified.\n",
- program_name);
- exit(1);
- }
- if(!spi) {
- fprintf(stderr, "%s: SA SPI not specified.\n",
- program_name);
- exit(1);
- }
- if(!proto) {
- fprintf(stderr, "%s: SA PROTO not specified.\n",
- program_name);
- exit(1);
- }
- initsaid(&edst, htonl(spi), proto, &said);
- } else {
- proto = said.proto;
- spi = ntohl(said.spi);
- edst = said.dst;
- }
- if((address_family != 0) && (address_family != addrtypeof(&said.dst))) {
- fprintf(stderr, "%s: Defined address family and address family of SA missmatch.\n",
- program_name);
- exit(1);
- }
- sa_len = satot(&said, 0, sa, sizeof(sa));
-
- if(debug) {
- fprintf(stdout, "%s: SA valid.\n",
- program_name);
- }
- break;
- case XF_CLR:
- break;
- default:
- fprintf(stderr, "%s: No action chosen. See '%s --help' for usage.\n",
- program_name, program_name);
- exit(1);
- }
-
- switch(alg) {
- case XF_CLR:
- case XF_DEL:
- case XF_IP4:
- case XF_IP6:
- case XF_AHHMACMD5:
- case XF_AHHMACSHA1:
- case XF_ESP3DESMD596:
- case XF_ESP3DESSHA196:
- case XF_ESP3DES:
- case XF_COMPDEFLATE:
-#ifndef NO_KERNEL_ALG
- case XF_OTHER_ALG:
-#endif /* NO_KERNEL_ALG */
- break;
- default:
- fprintf(stderr, "%s: No action chosen. See '%s --help' for usage.\n",
- program_name, program_name);
- exit(1);
- }
- if(debug) {
- fprintf(stdout, "%s: Algorithm ok.\n",
- program_name);
- }
-
- if((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) {
- fprintf(stderr, "%s: Trouble opening PF_KEY family socket with error: ",
- program_name);
- switch(errno) {
- case ENOENT:
- fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
- break;
- case EACCES:
- fprintf(stderr, "access denied. ");
- if(getuid() == 0) {
- fprintf(stderr, "Check permissions. Should be 600.\n");
- } else {
- fprintf(stderr, "You must be root to open this file.\n");
- }
- break;
- case EUNATCH:
- fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
- break;
- case ENODEV:
- fprintf(stderr, "KLIPS not loaded or enabled.\n");
- break;
- case EBUSY:
- fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
- break;
- case EINVAL:
- fprintf(stderr, "Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n");
- break;
- case ENOBUFS:
- fprintf(stderr, "No kernel memory to allocate SA.\n");
- break;
- case ESOCKTNOSUPPORT:
- fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
- break;
- case EEXIST:
- fprintf(stderr, "SA already in use. Delete old one first.\n");
- break;
- case ENXIO:
- fprintf(stderr, "SA does not exist. Cannot delete.\n");
- break;
- case EAFNOSUPPORT:
- fprintf(stderr, "KLIPS not loaded or enabled.\n");
- break;
- default:
- fprintf(stderr, "Unknown file open error %d. Please report as much detail as possible to development team.\n", errno);
- }
- exit(1);
- }
-
-#ifdef MANUAL_IS_NOT_ABLE_TO_NEGOTIATE
- /* for registering SA types that can be negotiated */
- if(pfkey_register(SADB_SATYPE_AH) != 0) {
- exit(1);
- }
- if(pfkey_register(SADB_SATYPE_ESP) != 0) {
- exit(1);
- }
- if(pfkey_register(SADB_X_SATYPE_IPIP) != 0) {
- exit(1);
- }
- if(pfkey_register(SADB_X_SATYPE_COMP) != 0) {
- exit(1);
- }
-#endif /* MANUAL_IS_NOT_ABLE_TO_NEGOTIATE */
-
- /* Build an SADB_ADD message to send down. */
- /* It needs <base, SA, address(SD), key(AE)> minimum. */
- /* Lifetime(HS) could be added before addresses. */
- pfkey_extensions_init(extensions);
- if(debug) {
- fprintf(stdout, "%s: extensions=0p%p &extensions=0p%p extensions[0]=0p%p &extensions[0]=0p%p cleared.\n",
- program_name,
- extensions,
- &extensions,
- extensions[0],
- &extensions[0]);
- }
- if((error = pfkey_msg_hdr_build(&extensions[0],
- (alg == XF_DEL ? SADB_DELETE : alg == XF_CLR ? SADB_FLUSH : SADB_ADD),
- proto2satype(proto),
- 0,
- ++pfkey_seq,
- mypid))) {
- fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if(debug) {
- fprintf(stdout, "%s: extensions=0p%p &extensions=0p%p extensions[0]=0p%p &extensions[0]=0p%p set w/msghdr.\n",
- program_name,
- extensions,
- &extensions,
- extensions[0],
- &extensions[0]);
- }
- if(debug) {
- fprintf(stdout, "%s: base message assembled.\n", program_name);
- }
-
- switch(alg) {
- case XF_AHHMACMD5:
- case XF_ESP3DESMD596:
- authalg = SADB_AALG_MD5_HMAC;
- break;
- case XF_AHHMACSHA1:
- case XF_ESP3DESSHA196:
- authalg = SADB_AALG_SHA1_HMAC;
- break;
-#ifndef NO_KERNEL_ALG
- case XF_OTHER_ALG:
- authalg= esp_info->authalg;
- if(debug) {
- fprintf(stdout, "%s: debug: authalg=%d\n",
- program_name, authalg);
- }
- break;
-#endif /* NO_KERNEL_ALG */
- case XF_ESP3DESMD5:
- default:
- authalg = SADB_AALG_NONE;
- }
- switch(alg) {
- case XF_ESP3DES:
- case XF_ESP3DESMD596:
- case XF_ESP3DESSHA196:
- encryptalg = SADB_EALG_3DES_CBC;
- break;
- case XF_COMPDEFLATE:
- encryptalg = SADB_X_CALG_DEFLATE;
- break;
-#ifndef NO_KERNEL_ALG
- case XF_OTHER_ALG:
- encryptalg= esp_info->encryptalg;
- if(debug) {
- fprintf(stdout, "%s: debug: encryptalg=%d\n",
- program_name, encryptalg);
- }
- break;
-#endif /* NO_KERNEL_ALG */
- default:
- encryptalg = SADB_EALG_NONE;
- }
- if(!(alg == XF_CLR /* IE: pfkey_msg->sadb_msg_type == SADB_FLUSH */)) {
- if((error = pfkey_sa_build(&extensions[SADB_EXT_SA],
- SADB_EXT_SA,
- htonl(spi), /* in network order */
- replay_window,
- SADB_SASTATE_MATURE,
- authalg,
- encryptalg,
- 0))) {
- fprintf(stderr, "%s: Trouble building sa extension, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if(debug) {
- fprintf(stdout, "%s: extensions[0]=0p%p previously set with msg_hdr.\n",
- program_name,
- extensions[0]);
- }
- if(debug) {
- fprintf(stdout, "%s: assembled SA extension, pfkey msg authalg=%d encalg=%d.\n",
- program_name,
- authalg,
- encryptalg);
- }
-
- if(debug) {
- int i,j;
- for(i = 0; i < life_maxsever; i++) {
- for(j = 0; j < life_maxtype; j++) {
- fprintf(stdout, "%s: i=%d, j=%d, life_opt[%d][%d]=0p%p, life[%d][%d]=%d\n",
- program_name,
- i, j, i, j, life_opt[i][j], i, j, life[i][j]);
- }
- }
- }
- if(life_opt[life_soft][life_alloc] != NULL ||
- life_opt[life_soft][life_bytes] != NULL ||
- life_opt[life_soft][life_addtime] != NULL ||
- life_opt[life_soft][life_usetime] != NULL ||
- life_opt[life_soft][life_packets] != NULL) {
- if((error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_SOFT],
- SADB_EXT_LIFETIME_SOFT,
- life[life_soft][life_alloc],/*-1,*/ /*allocations*/
- life[life_soft][life_bytes],/*-1,*/ /*bytes*/
- life[life_soft][life_addtime],/*-1,*/ /*addtime*/
- life[life_soft][life_usetime],/*-1,*/ /*usetime*/
- life[life_soft][life_packets]/*-1*/))) { /*packets*/
- fprintf(stderr, "%s: Trouble building lifetime_s extension, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if(debug) {
- fprintf(stdout, "%s: lifetime_s extension assembled.\n",
- program_name);
- }
- }
-
- if(life_opt[life_hard][life_alloc] != NULL ||
- life_opt[life_hard][life_bytes] != NULL ||
- life_opt[life_hard][life_addtime] != NULL ||
- life_opt[life_hard][life_usetime] != NULL ||
- life_opt[life_hard][life_packets] != NULL) {
- if((error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_HARD],
- SADB_EXT_LIFETIME_HARD,
- life[life_hard][life_alloc],/*-1,*/ /*allocations*/
- life[life_hard][life_bytes],/*-1,*/ /*bytes*/
- life[life_hard][life_addtime],/*-1,*/ /*addtime*/
- life[life_hard][life_usetime],/*-1,*/ /*usetime*/
- life[life_hard][life_packets]/*-1*/))) { /*packets*/
- fprintf(stderr, "%s: Trouble building lifetime_h extension, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if(debug) {
- fprintf(stdout, "%s: lifetime_h extension assembled.\n",
- program_name);
- }
- }
-
- if(debug) {
- addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stdout, "%s: assembling address_s extension (%s).\n",
- program_name, ipaddr_txt);
- }
-
- if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
- SADB_EXT_ADDRESS_SRC,
- 0,
- 0,
- sockaddrof(&src)))) {
- addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stderr, "%s: Trouble building address_s extension (%s), error=%d.\n",
- program_name, ipaddr_txt, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if(debug) {
- ip_address temp_addr;
-
- switch(address_family) {
- case AF_INET:
- initaddr((const unsigned char *)&(((struct sockaddr_in*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_SRC])) + 1))->sin_addr),
- sockaddrlenof(&src), address_family, &temp_addr);
- break;
- case AF_INET6:
- initaddr((const unsigned char *)&(((struct sockaddr_in6*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_SRC])) + 1))->sin6_addr),
- sockaddrlenof(&src), address_family, &temp_addr);
- break;
- default:
- fprintf(stdout, "%s: unknown address family (%d).\n",
- program_name, address_family);
- exit(1);
- }
- addrtot(&temp_addr, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stdout, "%s: address_s extension assembled (%s).\n",
- program_name, ipaddr_txt);
- }
-
- if(debug) {
- addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stdout, "%s: assembling address_d extension (%s).\n",
- program_name, ipaddr_txt);
- }
-
- if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
- SADB_EXT_ADDRESS_DST,
- 0,
- 0,
- sockaddrof(&edst)))) {
- addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stderr, "%s: Trouble building address_d extension (%s), error=%d.\n",
- program_name, ipaddr_txt, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if(debug) {
- ip_address temp_addr;
- switch(address_family) {
- case AF_INET:
- initaddr((const unsigned char *)&(((struct sockaddr_in*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_DST])) + 1))->sin_addr),
- 4, address_family, &temp_addr);
- break;
- case AF_INET6:
- initaddr((const unsigned char *)&(((struct sockaddr_in6*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_DST])) + 1))->sin6_addr),
- 16, address_family, &temp_addr);
- break;
- default:
- fprintf(stdout, "%s: unknown address family (%d).\n",
- program_name, address_family);
- exit(1);
- }
- addrtot(&temp_addr, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stdout, "%s: address_d extension assembled (%s).\n",
- program_name, ipaddr_txt);
- }
-
-#if PFKEY_PROXY
- anyaddr(address_family, &pfkey_address_p_ska);
- if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_PROXY],
- SADB_EXT_ADDRESS_PROXY,
- 0,
- 0,
- sockaddrof(&pfkey_address_p_ska)))) {
- fprintf(stderr, "%s: Trouble building address_p extension, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if(debug) {
- fprintf(stdout, "%s: address_p extension assembled.\n", program_name);
- }
-#endif /* PFKEY_PROXY */
-
- switch(alg) {
-#ifndef NO_KERNEL_ALG
- /* Allow no auth ... after all is local root decision 8) */
- case XF_OTHER_ALG:
- if (!authalg)
- break;
-#endif /* NO_KERNEL_ALG */
- case XF_AHHMACMD5:
- case XF_ESP3DESMD596:
- case XF_AHHMACSHA1:
- case XF_ESP3DESSHA196:
- if((error = pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH],
- SADB_EXT_KEY_AUTH,
- authkeylen * 8,
- authkey))) {
- fprintf(stderr, "%s: Trouble building key_a extension, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if(debug) {
- fprintf(stdout, "%s: key_a extension assembled.\n",
- program_name);
- }
- break;
- default:
- break;
- }
-
- switch(alg) {
- case XF_ESP3DES:
- case XF_ESP3DESMD596:
- case XF_ESP3DESSHA196:
-#ifndef NO_KERNEL_ALG
- case XF_OTHER_ALG:
-#endif /* NO_KERNEL_ALG */
- if((error = pfkey_key_build(&extensions[SADB_EXT_KEY_ENCRYPT],
- SADB_EXT_KEY_ENCRYPT,
- enckeylen * 8,
- enckey))) {
- fprintf(stderr, "%s: Trouble building key_e extension, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if(debug) {
- fprintf(stdout, "%s: key_e extension assembled.\n",
- program_name);
- }
- break;
- default:
- break;
- }
-
-#ifdef PFKEY_IDENT /* GG: looks wierd, not touched */
- if((pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_SRC],
- SADB_EXT_IDENTITY_SRC,
- SADB_IDENTTYPE_PREFIX,
- 0,
- strlen(pfkey_ident_s_ska),
- pfkey_ident_s_ska))) {
- fprintf(stderr, "%s: Trouble building ident_s extension, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if(subnettoa(addr, mask, format, pfkey_ident_s_ska,
- sizeof(pfkey_ident_s_ska) ) !=
- sizeof(pfkey_ident_s_ska) ) {
- exit (1);
- }
-
- if((error = pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_DST],
- SADB_EXT_IDENTITY_DST,
- SADB_IDENTTYPE_PREFIX,
- 0,
- strlen(pfkey_ident_d_ska),
- pfkey_ident_d_ska))) {
- fprintf(stderr, "%s: Trouble building ident_d extension, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- if(subnettoa(addr, mask, format, pfkey_ident_d_ska,
- sizeof(pfkey_ident_d_ska) ) !=
- sizeof(pfkey_ident_d_ska) ) {
- exit (1);
- }
-
- if(debug) {
- fprintf(stdout, "%s: ident extensions assembled.\n",
- program_name);
- }
-#endif /* PFKEY_IDENT */
- }
-
- if(debug) {
- fprintf(stdout, "%s: assembling pfkey msg....\n",
- program_name);
- }
- if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) {
- fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- exit(1);
- }
- if(debug) {
- fprintf(stdout, "%s: assembled.\n",
- program_name);
- }
- if(debug) {
- fprintf(stdout, "%s: writing pfkey msg.\n",
- program_name);
- }
- io_error = write(pfkey_sock,
- pfkey_msg,
- pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
- if(io_error < 0) {
- fprintf(stderr, "%s: pfkey write failed (errno=%d): ",
- program_name, errno);
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- switch(errno) {
- case EACCES:
- fprintf(stderr, "access denied. ");
- if(getuid() == 0) {
- fprintf(stderr, "Check permissions. Should be 600.\n");
- } else {
- fprintf(stderr, "You must be root to open this file.\n");
- }
- break;
- case EUNATCH:
- fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
- break;
- case EBUSY:
- fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
- break;
- case EINVAL:
- fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
- break;
- case ENODEV:
- fprintf(stderr, "KLIPS not loaded or enabled.\n");
- fprintf(stderr, "No device?!?\n");
- break;
- case ENOBUFS:
- fprintf(stderr, "No kernel memory to allocate SA.\n");
- break;
- case ESOCKTNOSUPPORT:
- fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
- break;
- case EEXIST:
- fprintf(stderr, "SA already in use. Delete old one first.\n");
- break;
- case ENOENT:
- fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
- break;
- case ENXIO:
- case ESRCH:
- fprintf(stderr, "SA does not exist. Cannot delete.\n");
- break;
- case ENOSPC:
- fprintf(stderr, "no room in kernel SAref table. Cannot process request.\n");
- break;
- case ESPIPE:
- fprintf(stderr, "kernel SAref table internal error. Cannot process request.\n");
- break;
- default:
- fprintf(stderr, "Unknown socket write error %d (%s). Please report as much detail as possible to development team.\n",
- errno, strerror(errno));
- }
- exit(1);
- } else if (io_error != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) {
- fprintf(stderr, "%s: pfkey write truncated to %d bytes\n",
- program_name, (int)io_error);
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- exit(1);
- }
-
- if(debug) {
- fprintf(stdout, "%s: pfkey command written to socket.\n",
- program_name);
- }
-
- if(pfkey_msg) {
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- }
- if(debug) {
- fprintf(stdout, "%s: pfkey message buffer freed.\n",
- program_name);
- }
- if(authkey) {
- memset((caddr_t)authkey, 0, authkeylen);
- free(authkey);
- }
- if(enckey) {
- memset((caddr_t)enckey, 0, enckeylen);
- free(enckey);
- }
- if(iv) {
- memset((caddr_t)iv, 0, ivlen);
- free(iv);
- }
-
- if(listenreply || saref) {
- ssize_t readlen;
- unsigned char pfkey_buf[PFKEYv2_MAX_MSGSIZE];
-
- while((readlen = read(pfkey_sock, pfkey_buf, sizeof(pfkey_buf))) > 0) {
- struct sadb_ext *extensions[SADB_EXT_MAX + 1];
- pfkey_extensions_init(extensions);
- pfkey_msg = (struct sadb_msg *)pfkey_buf;
-
- /* first, see if we got enough for an sadb_msg */
- if((size_t)readlen < sizeof(struct sadb_msg)) {
- if(debug) {
- printf("%s: runt packet of size: %ld (<%lu)\n",
- program_name, (long)readlen, (unsigned long)sizeof(struct sadb_msg));
- }
- continue;
- }
-
- /* okay, we got enough for a message, print it out */
- if(debug) {
- printf("%s: pfkey v%d msg received. type=%d(%s) seq=%d len=%d pid=%d errno=%d satype=%d(%s)\n",
- program_name,
- pfkey_msg->sadb_msg_version,
- pfkey_msg->sadb_msg_type,
- pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type),
- pfkey_msg->sadb_msg_seq,
- pfkey_msg->sadb_msg_len,
- pfkey_msg->sadb_msg_pid,
- pfkey_msg->sadb_msg_errno,
- pfkey_msg->sadb_msg_satype,
- satype2name(pfkey_msg->sadb_msg_satype));
- }
-
- if(readlen != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN))
- {
- if(debug) {
- printf("%s: packet size read from socket=%d doesn't equal sadb_msg_len %u * %u; message not decoded\n",
- program_name,
- (int)readlen,
- (unsigned)pfkey_msg->sadb_msg_len,
- (unsigned)IPSEC_PFKEYv2_ALIGN);
- }
- continue;
- }
-
- if (pfkey_msg_parse(pfkey_msg, NULL, extensions, EXT_BITS_OUT)) {
- if(debug) {
- printf("%s: unparseable PF_KEY message.\n",
- program_name);
- }
- continue;
- } else {
- if(debug) {
- printf("%s: parseable PF_KEY message.\n",
- program_name);
- }
- }
- if((pid_t)pfkey_msg->sadb_msg_pid == mypid) {
- if(saref) {
- printf("%s: saref=%d\n",
- program_name,
- (extensions[SADB_EXT_SA] != NULL)
- ? ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_x_sa_ref
- : IPSEC_SAREF_NULL);
- }
- break;
- }
- }
- }
- (void) close(pfkey_sock); /* close the socket */
- if(debug || listenreply) {
- printf("%s: exited normally\n", program_name);
- }
- exit(0);
-}
diff --git a/programs/spigrp/.cvsignore b/programs/spigrp/.cvsignore
deleted file mode 100644
index 4fee1abcf..000000000
--- a/programs/spigrp/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-spigrp
diff --git a/programs/spigrp/Makefile b/programs/spigrp/Makefile
deleted file mode 100644
index df8899eaf..000000000
--- a/programs/spigrp/Makefile
+++ /dev/null
@@ -1,52 +0,0 @@
-# Makefile for miscelaneous programs
-# Copyright (C) 2002 Michael Richardson <mcr@freeswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=spigrp
-EXTRA5PROC=${PROGRAM}.5
-
-LIBS=${FREESWANLIB}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:31 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.4 2002/06/03 20:25:31 mcr
-# man page for files actually existant in /proc/net changed back to
-# ipsec_foo via new EXTRA5PROC process.
-#
-# Revision 1.3 2002/06/02 21:51:41 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.2 2002/04/26 01:21:26 mcr
-# while tracking down a missing (not installed) /etc/ipsec.conf,
-# MCR has decided that it is not okay for each program subdir to have
-# some subset (determined with -f) of possible files.
-# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-# Optional PROGRAM.5 files have been added to the makefiles.
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
-
diff --git a/programs/spigrp/spigrp.5 b/programs/spigrp/spigrp.5
deleted file mode 100644
index b00d7ae73..000000000
--- a/programs/spigrp/spigrp.5
+++ /dev/null
@@ -1,116 +0,0 @@
-.TH IPSEC_SPIGRP 5 "27 Jun 2000"
-.\"
-.\" RCSID $Id: spigrp.5,v 1.1 2004/03/15 20:35:31 as Exp $
-.\"
-.SH NAME
-ipsec_spigrp \- list IPSEC Security Association groupings
-.SH SYNOPSIS
-.B ipsec
-.B spigrp
-.PP
-.B cat
-.B /proc/net/ipsec_spigrp
-.PP
-.SH DESCRIPTION
-.I /proc/net/ipsec_spigrp
-is a read-only file that lists groups of IPSEC Security Associations
-(SAs).
-.PP
-An entry in the IPSEC extended routing table can only point (via an
-SAID) to one SA. If more than one transform must be applied to a given
-type of packet, this can be accomplished by setting up several SAs with
-the same destination address but potentially different SPIs and
-protocols, and grouping them with
-.IR ipsec_spigrp(8) .
-.PP
-The SA groups are listed, one line per connection/group, as a sequence
-of SAs to be applied (or that should have been applied, in the case of
-an incoming packet) from inside to outside the packet. An SA is
-identified by its SAID, which consists of protocol ("ah", "esp", "comp" or
-"tun"), SPI (with '.' for IPv4 or ':' for IPv6 prefixed hexadecimal number ) and destination address
-(IPv4 dotted quad or IPv6 coloned hex) prefixed by '@', in the format <proto><af><spi>@<dest>.
-.SH EXAMPLES
-.TP
-.B tun.3d0@192.168.2.110
-.B comp.3d0@192.168.2.110
-.B esp.187a101b@192.168.2.110
-.B ah.187a101a@192.168.2.110
-.LP
-is a group of 3 SAs, destined for
-.BR 192.168.2.110
-with an IPv4-in-IPv4 tunnel SA applied first with an SPI of
-.BR 3d0
-in hexadecimal, followed by a Deflate compression header to compress
-the packet with CPI of
-.BR 3d0
-in hexadecimal, followed by an Encapsulating Security Payload header to
-encrypt the packet with SPI
-.BR 187a101b
-in hexadecimal, followed by an Authentication Header to authenticate the
-packet with SPI
-.BR 187a101a
-in hexadecimal, applied from inside to outside the packet. This could
-be an incoming or outgoing group, depending on the address of the local
-machine.
-.LP
-.TP
-.B tun:3d0@3049:1::2
-.B comp:3d0@3049:1::2
-.B esp:187a101b@3049:1::2
-.B ah:187a101a@3049:1::2
-.LP
-is a group of 3 SAs, destined for
-.BR 3049:1::2
-with an IPv6-in-IPv6 tunnel SA applied first with an SPI of
-.BR 3d0
-in hexadecimal, followed by a Deflate compression header to compress
-the packet with CPI of
-.BR 3d0
-in hexadecimal, followed by an Encapsulating Security Payload header to
-encrypt the packet with SPI
-.BR 187a101b
-in hexadecimal, followed by an Authentication Header to authenticate the
-packet with SPI
-.BR 187a101a
-in hexadecimal, applied from inside to outside the packet. This could
-be an incoming or outgoing group, depending on the address of the local
-machine.
-.LP
-.SH FILES
-/proc/net/ipsec_spigrp, /usr/local/bin/ipsec
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5),
-ipsec_spi(5), ipsec_klipsdebug(5), ipsec_spigrp(8), ipsec_version(5),
-ipsec_pf_key(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Richard Guy Briggs.
-.SH BUGS
-:-)
-.\"
-.\" $Log: spigrp.5,v $
-.\" Revision 1.1 2004/03/15 20:35:31 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.6 2002/04/24 07:35:40 mcr
-.\" Moved from ./klips/utils/spigrp.5,v
-.\"
-.\" Revision 1.5 2000/09/17 18:56:48 rgb
-.\" Added IPCOMP support.
-.\"
-.\" Revision 1.4 2000/09/13 15:54:32 rgb
-.\" Added Gerhard's ipv6 updates.
-.\"
-.\" Revision 1.3 2000/06/30 18:21:55 rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.2 2000/06/28 12:44:12 henry
-.\" format touchup
-.\"
-.\" Revision 1.1 2000/06/28 05:43:00 rgb
-.\" Added manpages for all 5 klips utils.
-.\"
-.\"
diff --git a/programs/spigrp/spigrp.8 b/programs/spigrp/spigrp.8
deleted file mode 100644
index 418ed5c3e..000000000
--- a/programs/spigrp/spigrp.8
+++ /dev/null
@@ -1,174 +0,0 @@
-.TH IPSEC_SPIGRP 8 "21 Jun 2000"
-.\"
-.\" RCSID $Id: spigrp.8,v 1.1 2004/03/15 20:35:31 as Exp $
-.\"
-.SH NAME
-ipsec spigrp \- group/ungroup IPSEC Security Associations
-.SH SYNOPSIS
-.B ipsec
-.B spigrp
-.PP
-.B ipsec
-.B spigrp
-[
-.B \-\-label
-label ]
-af1 dst1 spi1 proto1 [ af2 dst2 spi2 proto2 [ af3 dst3 spi3 proto3 [ af4 dst4 spi4 proto4 ] ] ]
-.PP
-.B ipsec
-.B spigrp
-[
-.B \-\-label
-label ]
-.B \-\-said
-SA1 [ SA2 [ SA3 [ SA4 ] ] ]
-.PP
-.B ipsec
-.B spigrp
-.B \-\-help
-.PP
-.B ipsec
-.B spigrp
-.B \-\-version
-.PP
-.SH DESCRIPTION
-.I Spigrp
-groups IPSEC Security Associations (SAs) together or ungroups
-previously grouped SAs.
-An entry in the IPSEC extended
-routing table can only point
-(via a destination address, a Security Parameters Index (SPI) and
-a protocol identifier) to one SA.
-If more than one transform must be applied to a given type of packet,
-this can be accomplished by setting up several SAs
-with the same destination address but potentially different SPIs and protocols,
-and grouping them with
-.IR spigrp .
-.PP
-The SAs to be grouped,
-specified by destination address (DNS name lookup, IPv4 dotted quad or IPv6 coloned hex), SPI
-('0x'-prefixed hexadecimal number) and protocol ("ah", "esp", "comp" or "tun"),
-are listed from the inside transform to the
-outside;
-in other words, the transforms are applied in
-the order of the command line and removed in the reverse
-order.
-The resulting SA group is referred to by its first SA (by
-.IR af1 ,
-.IR dst1 ,
-.IR spi1
-and
-.IR proto1 ).
-.PP
-The \-\-said option indicates that the SA IDs are to be specified as
-one argument each, in the format <proto><af><spi>@<dest>. The SA IDs must
-all be specified as separate parameters without the \-\-said option or
-all as monolithic parameters after the \-\-said option.
-.PP
-The SAs must already exist and must not already
-be part of a group.
-.PP
-If
-.I spigrp
-is invoked with only one SA specification,
-it ungroups the previously-grouped set of SAs containing
-the SA specified.
-.PP
-The \-\-label option identifies all responses from that command
-invocation with a user-supplied label, provided as an argument to the
-label option. This can be helpful for debugging one invocation of the
-command out of a large number.
-.PP
-The command form with no additional arguments lists the contents of
-/proc/net/ipsec_spigrp. The format of /proc/net/ipsec_spigrp is
-discussed in ipsec_spigrp(5).
-.SH EXAMPLES
-.TP
-.B ipsec spigrp inet gw2 0x113 tun inet gw2 0x115 esp inet gw2 0x116 ah
-groups 3 SAs together, all destined for
-.BR gw2 ,
-but with an IPv4-in-IPv4 tunnel SA applied first with SPI
-.BR 0x113 ,
-then an ESP header to encrypt the packet with SPI
-.BR 0x115 ,
-and finally an AH header to authenticate the packet with SPI
-.BR 0x116 .
-.LP
-.TP
-.B ipsec spigrp --said tun.113@gw2 esp.115@gw2 ah.116@gw2
-groups 3 SAs together, all destined for
-.BR gw2 ,
-but with an IPv4-in-IPv4 tunnel SA applied first with SPI
-.BR 0x113 ,
-then an ESP header to encrypt the packet with SPI
-.BR 0x115 ,
-and finally an AH header to authenticate the packet with SPI
-.BR 0x116 .
-.LP
-.TP
-.B ipsec spigrp --said tun:233@3049:1::1 esp:235@3049:1::1 ah:236@3049:1::1
-groups 3 SAs together, all destined for
-.BR 3049:1::1,
-but with an IPv6-in-IPv6 tunnel SA applied first with SPI
-.BR 0x233 ,
-then an ESP header to encrypt the packet with SPI
-.BR 0x235 ,
-and finally an AH header to authenticate the packet with SPI
-.BR 0x236 .
-.LP
-.TP
-.B ipsec spigrp inet6 3049:1::1 0x233 tun inet6 3049:1::1 0x235 esp inet6 3049:1::1 0x236 ah
-groups 3 SAs together, all destined for
-.BR 3049:1::1,
-but with an IPv6-in-IPv6 tunnel SA applied first with SPI
-.BR 0x233 ,
-then an ESP header to encrypt the packet with SPI
-.BR 0x235 ,
-and finally an AH header to authenticate the packet with SPI
-.BR 0x236 .
-.LP
-.SH FILES
-/proc/net/ipsec_spigrp, /usr/local/bin/ipsec
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8),
-ipsec_spi(8), ipsec_klipsdebug(8), ipsec_spigrp(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Richard Guy Briggs.
-.SH BUGS
-Yes, it really is limited to a maximum of four SAs,
-although admittedly it's hard to see why you would need more.
-.\"
-.\" $Log: spigrp.8,v $
-.\" Revision 1.1 2004/03/15 20:35:31 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.20 2002/04/24 07:35:41 mcr
-.\" Moved from ./klips/utils/spigrp.8,v
-.\"
-.\" Revision 1.19 2000/09/17 18:56:48 rgb
-.\" Added IPCOMP support.
-.\"
-.\" Revision 1.18 2000/09/13 15:54:32 rgb
-.\" Added Gerhard's ipv6 updates.
-.\"
-.\" Revision 1.17 2000/06/30 18:21:55 rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.16 2000/06/21 16:54:57 rgb
-.\" Added 'no additional args' text for listing contents of
-.\" /proc/net/ipsec_* files.
-.\"
-.\" Revision 1.15 2000/02/14 21:08:30 rgb
-.\" Added description of --said option.
-.\"
-.\" Revision 1.14 1999/07/19 18:47:25 henry
-.\" fix slightly-misformed comments
-.\"
-.\" Revision 1.13 1999/04/06 04:54:39 rgb
-.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
-.\" patch shell fixes.
-.\"
diff --git a/programs/spigrp/spigrp.c b/programs/spigrp/spigrp.c
deleted file mode 100644
index 4cbac304d..000000000
--- a/programs/spigrp/spigrp.c
+++ /dev/null
@@ -1,491 +0,0 @@
-/*
- * SA grouping
- * Copyright (C) 1996 John Ioannidis.
- * Copyright (C) 1997, 1998, 1999, 2000, 2001 Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-char spigrp_c_version[] = "RCSID $Id: spigrp.c,v 1.2 2004/06/07 15:16:34 as Exp $";
-
-
-#include <sys/types.h>
-#include <linux/types.h> /* new */
-#include <string.h>
-#include <errno.h>
-#include <sys/stat.h> /* open() */
-#include <fcntl.h> /* open() */
-#include <stdlib.h> /* system(), strtoul() */
-
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-/* #include <linux/ip.h> */
-
-#include <unistd.h>
-#include <stdio.h>
-#include <netdb.h>
-#include <freeswan.h>
-#if 0
-#include <linux/autoconf.h> /* CONFIG_IPSEC_PFKEYv2 */
-#endif
-
-#include <signal.h>
-#include <pfkeyv2.h>
-#include <pfkey.h>
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_ah.h"
-
-
-char *program_name;
-
-int pfkey_sock;
-fd_set pfkey_socks;
-uint32_t pfkey_seq = 0;
-
-struct said_af {
- int af;
- ip_said said;
-}; /* to store the given saids and their address families in an array */
- /* XXX: Note that we do *not* check if the address families of all SAID?s are the same.
- * This can make it possible to group SAs for IPv4 addresses with SAs for
- * IPv6 addresses (perhaps some kind of IPv4-over-secIPv6 or vice versa).
- * Do not know, if this is a bug or feature */
-
-static void
-usage(char *s)
-{
- fprintf(stdout, "usage: Note: position of options and arguments is important!\n");
- fprintf(stdout, "usage: %s [ --debug ] [ --label <label> ] af1 dst1 spi1 proto1 [ af2 dst2 spi2 proto2 [ af3 dst3 spi3 proto3 [ af4 dst4 spi4 proto4 ] ] ]\n", s);
- fprintf(stdout, "usage: %s [ --debug ] [ --label <label> ] --said <SA1> [ <SA2> [ <SA3> [ <SA4> ] ] ]\n", s);
- fprintf(stdout, "usage: %s --help\n", s);
- fprintf(stdout, "usage: %s --version\n", s);
- fprintf(stdout, "usage: %s\n", s);
- fprintf(stdout, " [ --debug ] is optional to any %s command.\n", s);
- fprintf(stdout, " [ --label <label> ] is optional to any %s command.\n", s);
-}
-
-
-int
-main(int argc, char **argv)
-{
- int i, nspis;
- char *endptr;
- int said_opt = 0;
-
- const char* error_s = NULL;
- char ipaddr_txt[ADDRTOT_BUF];
- int debug = 0;
- int j;
- struct said_af said_af_array[4];
-
- int error = 0;
-
- struct sadb_ext *extensions[SADB_EXT_MAX + 1];
- struct sadb_msg *pfkey_msg;
-#if 0
- ip_address pfkey_address_s_ska;
-#endif
-
- program_name = argv[0];
- for(i = 0; i < 4; i++) {
- memset(&said_af_array[i], 0, sizeof(struct said_af));
- }
-
- if(argc > 1 && strcmp(argv[1], "--debug") == 0) {
- debug = 1;
- if(debug) {
- fprintf(stdout, "\"--debug\" option requested.\n");
- }
- argv += 1;
- argc -= 1;
- pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX;
- }
-
- if(debug) {
- fprintf(stdout, "argc=%d (%d incl. --debug option).\n",
- argc,
- argc + 1);
- }
-
- if(argc > 1 && strcmp(argv[1], "--label") == 0) {
- if(argc > 2) {
- program_name = malloc(strlen(argv[0])
- + 10 /* update this when changing the sprintf() */
- + strlen(argv[2]));
- sprintf(program_name, "%s --label %s",
- argv[0],
- argv[2]);
- if(debug) {
- fprintf(stdout, "using \"%s\" as a label.\n", program_name);
- }
- argv += 2;
- argc -= 2;
- } else {
- fprintf(stderr, "%s: --label option requires an argument.\n",
- program_name);
- exit(1);
- }
- }
-
- if(debug) {
- fprintf(stdout, "...After check for --label option.\n");
- }
-
- if(argc == 1) {
- system("cat /proc/net/ipsec_spigrp");
- exit(0);
- }
-
- if(debug) {
- fprintf(stdout, "...After check for no option to print /proc/net/ipsec_spigrp.\n");
- }
-
- if(strcmp(argv[1], "--help") == 0) {
- if(debug) {
- fprintf(stdout, "\"--help\" option requested.\n");
- }
- usage(program_name);
- exit(1);
- }
-
- if(debug) {
- fprintf(stdout, "...After check for --help option.\n");
- }
-
- if(strcmp(argv[1], "--version") == 0) {
- if(debug) {
- fprintf(stdout, "\"--version\" option requested.\n");
- }
- fprintf(stderr, "%s, %s\n", program_name, spigrp_c_version);
- exit(1);
- }
-
- if(debug) {
- fprintf(stdout, "...After check for --version option.\n");
- }
-
- if(strcmp(argv[1], "--said") == 0) {
- if(debug) {
- fprintf(stdout, "processing %d args with --said flag.\n", argc);
- }
- said_opt = 1;
- }
-
- if(debug) {
- fprintf(stdout, "...After check for --said option.\n");
- }
-
- if(said_opt) {
- if (argc < 3 /*|| argc > 5*/) {
- fprintf(stderr, "expecting 3 or more args with --said, got %d.\n", argc);
- usage(program_name);
- exit(1);
- }
- nspis = argc - 2;
- } else {
- if ((argc < 5) || (argc > 17) || ((argc % 4) != 1)) {
- fprintf(stderr, "expecting 5 or more args without --said, got %d.\n", argc);
- usage(program_name);
- exit(1);
- }
- nspis = argc / 4;
- }
-
- if(debug) {
- fprintf(stdout, "processing %d nspis.\n", nspis);
- }
-
- for(i = 0; i < nspis; i++) {
- if(debug) {
- fprintf(stdout, "processing spi #%d.\n", i);
- }
-
- if(said_opt) {
- error_s = ttosa((const char *)argv[i+2], 0, (ip_said*)&(said_af_array[i].said));
- if(error_s != NULL) {
- fprintf(stderr, "%s: Error, %s converting --sa argument:%s\n",
- program_name, error_s, argv[i+2]);
- exit (1);
- }
- said_af_array[i].af = addrtypeof(&(said_af_array[i].said.dst));
- if(debug) {
- addrtot(&said_af_array[i].said.dst, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stdout, "said[%d].dst=%s.\n", i, ipaddr_txt);
- }
- } else {
- if(!strcmp(argv[i*4+4], "ah")) {
- said_af_array[i].said.proto = SA_AH;
- }
- if(!strcmp(argv[i*4+4], "esp")) {
- said_af_array[i].said.proto = SA_ESP;
- }
- if(!strcmp(argv[i*4+4], "tun")) {
- said_af_array[i].said.proto = SA_IPIP;
- }
- if(!strcmp(argv[i*4+4], "comp")) {
- said_af_array[i].said.proto = SA_COMP;
- }
- if(said_af_array[i].said.proto == 0) {
- fprintf(stderr, "%s: Badly formed proto: %s\n",
- program_name, argv[i*4+4]);
- exit(1);
- }
- said_af_array[i].said.spi = htonl(strtoul(argv[i*4+3], &endptr, 0));
- if(!(endptr == argv[i*4+3] + strlen(argv[i*4+3]))) {
- fprintf(stderr, "%s: Badly formed spi: %s\n",
- program_name, argv[i*4+3]);
- exit(1);
- }
- if(!strcmp(argv[i*4+1], "inet")) {
- said_af_array[i].af = AF_INET;
- }
- if(!strcmp(argv[i*4+1], "inet6")) {
- said_af_array[i].af = AF_INET6;
- }
- if((said_af_array[i].af != AF_INET) && (said_af_array[i].af != AF_INET6)) {
- fprintf(stderr, "%s: Address family %s not supported\n",
- program_name, argv[i*4+1]);
- exit(1);
- }
- error_s = ttoaddr(argv[i*4+2], 0, said_af_array[i].af, &(said_af_array[i].said.dst));
- if(error_s != NULL) {
- fprintf(stderr, "%s: Error, %s converting %dth address argument:%s\n",
- program_name, error_s, i, argv[i*4+2]);
- exit (1);
- }
- }
- if(debug) {
- fprintf(stdout, "SA %d contains: ", i+1);
- fprintf(stdout, "\n");
- fprintf(stdout, "proto = %d\n", said_af_array[i].said.proto);
- fprintf(stdout, "spi = %08x\n", said_af_array[i].said.spi);
- addrtot(&said_af_array[i].said.dst, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stdout, "edst = %s\n", ipaddr_txt);
- }
- }
-
- if(debug) {
- fprintf(stdout, "Opening pfkey socket.\n");
- }
-
- if((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) {
- fprintf(stderr, "%s: Trouble opening PF_KEY family socket with error: ",
- program_name);
- switch(errno) {
- case ENOENT:
- fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
- break;
- case EACCES:
- fprintf(stderr, "access denied. ");
- if(getuid() == 0) {
- fprintf(stderr, "Check permissions. Should be 600.\n");
- } else {
- fprintf(stderr, "You must be root to open this file.\n");
- }
- break;
- case EUNATCH:
- fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
- break;
- case ENODEV:
- fprintf(stderr, "KLIPS not loaded or enabled.\n");
- break;
- case EBUSY:
- fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
- break;
- case EINVAL:
- fprintf(stderr, "Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n");
- break;
- case ENOBUFS:
- fprintf(stderr, "No kernel memory to allocate SA.\n");
- break;
- case ESOCKTNOSUPPORT:
- fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
- break;
- case EEXIST:
- fprintf(stderr, "SA already in use. Delete old one first.\n");
- break;
- case ENXIO:
- fprintf(stderr, "SA does not exist. Cannot delete.\n");
- break;
- case EAFNOSUPPORT:
- fprintf(stderr, "KLIPS not loaded or enabled.\n");
- break;
- default:
- fprintf(stderr, "Unknown file open error %d. Please report as much detail as possible to development team.\n", errno);
- }
- exit(1);
- }
-
- for(i = 0; i < (((nspis - 1) < 2) ? 1 : (nspis - 1)); i++) {
- if(debug) {
- fprintf(stdout, "processing %dth pfkey message.\n", i);
- }
-
- pfkey_extensions_init(extensions);
- for(j = 0; j < ((nspis == 1) ? 1 : 2); j++) {
- if(debug) {
- fprintf(stdout, "processing %dth said of %dth pfkey message.\n", j, i);
- }
-
- /* Build an SADB_X_GRPSA message to send down. */
- /* It needs <base, SA, SA2, address(D,D2) > minimum. */
- if(!j) {
- if((error = pfkey_msg_hdr_build(&extensions[0],
- SADB_X_GRPSA,
- proto2satype(said_af_array[i].said.proto),
- 0,
- ++pfkey_seq,
- getpid()))) {
- fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- } else {
- if(debug) {
- fprintf(stdout, "setting x_satype proto=%d satype=%d\n",
- said_af_array[i+j].said.proto,
- proto2satype(said_af_array[i+j].said.proto)
- );
- }
-
- if((error = pfkey_x_satype_build(&extensions[SADB_X_EXT_SATYPE2],
- proto2satype(said_af_array[i+j].said.proto)
- ))) {
- fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- }
-
- if((error = pfkey_sa_build(&extensions[!j ? SADB_EXT_SA : SADB_X_EXT_SA2],
- !j ? SADB_EXT_SA : SADB_X_EXT_SA2,
- said_af_array[i+j].said.spi, /* in network order */
- 0,
- 0,
- 0,
- 0,
- 0))) {
- fprintf(stderr, "%s: Trouble building sa extension, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
-
-#if 0
- if(!j) {
- anyaddr(said_af_array[i].af, &pfkey_address_s_ska); /* Is the address family correct ?? */
- if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
- SADB_EXT_ADDRESS_SRC,
- 0,
- 0,
- sockaddrof(&pfkey_address_s_ska)))) {
- addrtot(&pfkey_address_s_ska, 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stderr, "%s: Trouble building address_s extension (%s), error=%d.\n",
- program_name, ipaddr_txt, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
- }
-#endif
- if((error = pfkey_address_build(&extensions[!j ? SADB_EXT_ADDRESS_DST : SADB_X_EXT_ADDRESS_DST2],
- !j ? SADB_EXT_ADDRESS_DST : SADB_X_EXT_ADDRESS_DST2,
- 0,
- 0,
- sockaddrof(&said_af_array[i+j].said.dst)))) {
- addrtot(&said_af_array[i+j].said.dst,
- 0, ipaddr_txt, sizeof(ipaddr_txt));
- fprintf(stderr, "%s: Trouble building address_d extension (%s), error=%d.\n",
- program_name, ipaddr_txt, error);
- pfkey_extensions_free(extensions);
- exit(1);
- }
-
- }
-
- if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) {
- fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
- program_name, error);
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- exit(1);
- }
-
- if((error = write(pfkey_sock,
- pfkey_msg,
- pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) !=
- (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) {
- fprintf(stderr, "%s: pfkey write failed, returning %d with errno=%d.\n",
- program_name, error, errno);
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- switch(errno) {
- case EACCES:
- fprintf(stderr, "access denied. ");
- if(getuid() == 0) {
- fprintf(stderr, "Check permissions. Should be 600.\n");
- } else {
- fprintf(stderr, "You must be root to open this file.\n");
- }
- break;
- case EUNATCH:
- fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
- break;
- case EBUSY:
- fprintf(stderr, "KLIPS is busy. Most likely a serious internal error occured in a previous command. Please report as much detail as possible to development team.\n");
- break;
- case EINVAL:
- fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
- break;
- case ENODEV:
- fprintf(stderr, "KLIPS not loaded or enabled.\n");
- fprintf(stderr, "No device?!?\n");
- break;
- case ENOBUFS:
- fprintf(stderr, "No kernel memory to allocate SA.\n");
- break;
- case ESOCKTNOSUPPORT:
- fprintf(stderr, "Algorithm support not available in the kernel. Please compile in support.\n");
- break;
- case EEXIST:
- fprintf(stderr, "SA already in use. Delete old one first.\n");
- break;
- case ENOENT:
- fprintf(stderr, "device does not exist. See FreeS/WAN installation procedure.\n");
- break;
- case ENXIO:
- fprintf(stderr, "SA does not exist. Cannot delete.\n");
- break;
- case ENOSPC:
- fprintf(stderr, "no room in kernel SAref table. Cannot process request.\n");
- break;
- case ESPIPE:
- fprintf(stderr, "kernel SAref table internal error. Cannot process request.\n");
- break;
- default:
- fprintf(stderr, "Unknown socket write error %d. Please report as much detail as possible to development team.\n", errno);
- }
- exit(1);
- }
- if(pfkey_msg) {
- pfkey_extensions_free(extensions);
- pfkey_msg_free(&pfkey_msg);
- }
- }
-
- (void) close(pfkey_sock); /* close the socket */
- exit(0);
-}
diff --git a/programs/starter/Makefile b/programs/starter/Makefile
deleted file mode 100644
index 60e95d360..000000000
--- a/programs/starter/Makefile
+++ /dev/null
@@ -1,182 +0,0 @@
-# ipsec starter Makefile
-# Copyright (C) 2001 Mathieu Lafon - Arkoon Network Security
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.14 2006/02/17 19:34:02 as Exp $
-
-FREESWANSRCDIR?=$(shell cd ../..; pwd)
-include ${FREESWANSRCDIR}/Makefile.inc
-
-LD=$(CC)
-RM=rm
-LEX=flex
-BISON=bison
-GPERF=gperf
-
-FREESWANDIR=../..
-FREESWANLIB=$(FREESWANDIR)/lib/libfreeswan/libfreeswan.a
-PLUTODIR=../pluto
-OPENACDIR=../openac
-
-DEFINES+= -DVIRTUAL_IP -DDEBUG
-
-# This compile option activates the leak detective
-ifeq ($(USE_LEAK_DETECTIVE),true)
- DEFINES+= -DLEAK_DETECTIVE
-endif
-
-INCLUDES=-I${FREESWANDIR}/linux/include
-CFLAGS=$(DEFINES) $(INCLUDES) -Wall
-CFLAGS+=-DIPSEC_EXECDIR=\"${FINALLIBEXECDIR}\" -DIPSEC_CONFDDIR=\"${FINALCONFDDIR}\"
-CFLAGS+=-DIPSEC_CONFDIR=\"${FINALCONFDIR}\"
-LDFLAGS=
-
-PLUTO_OBJS=defs.o
-
-OBJS=starter.o parser.tab.o lex.yy.o keywords.o args.o invokepluto.o \
- starterwhack.o klips.o netkey.o interfaces.o exec.o cmp.o confread.o \
- loglite.o ${PLUTO_OBJS}
-
-DISTSRC=$(OBJS:.o=.c)
-DISTSRC+=cmp.h confread.h confwrite.h exec.h files.h interfaces.h klips.h netkey.h
-DISTSRC+=parser.h args.h invokepluto.h starterwhack.h keywords.h keywords.txt
-
-LIBS=$(FREESWANLIB)
-
-PROGRAM=starter
-
-include ../Makefile.program
-
-all: starter
-
-starter: $(OBJS) $(FREESWANLIB)
- $(LD) $(LDFLAGS) -o starter $(OBJS) $(LIBS)
-
-lex.yy.c: parser.tab.c parser.l parser.y parser.h
- $(LEX) parser.l
-
-parser.tab.c: parser.l parser.y parser.h
- $(BISON) -v -d parser.y
-
-keywords.c: keywords.txt keywords.h
- $(GPERF) -C -G -t < keywords.txt > keywords.c
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
-loglite.o : $(OPENACDIR)/loglite.c $(PLUTODIR)/log.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-# pluto library
-
-defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
- $(CC) $(CFLAGS) -c -o $@ $<
-
-clean::
- $(RM) -f starter $(OBJS) parser.tab.* lex.yy.*
-
-# Stolen from pluto/Makefile
-
-gatherdeps:
- @ls | grep '\.c$$' | sed -e 's/\(.*\)\.c$$/\1.o: \1.c/'
- @echo
- @ls | grep '\.c$$' | xargs grep '^#[ ]*include[ ]*"' | \
- sed -e 's/\.c:#[ ]*include[ ]*"/.o: /' -e 's/".*//'
-
-# Dependencies generated by "make gatherdeps":
-
-args.o: args.c
-cmp.o: cmp.c
-confread.o: confread.c
-exec.o: exec.c
-interfaces.o: interfaces.c
-invokepluto.o: invokepluto.c
-keywords.o: keywords.c
-klips.o: klips.c
-lex.yy.o: lex.yy.c
-netkey.o: netkey.c
-parser.tab.o: parser.tab.c
-starter.o: starter.c
-starterwhack.o: starterwhack.c
-
-args.o: ../pluto/constants.h
-args.o: ../pluto/defs.h
-args.o: ../pluto/log.h
-args.o: keywords.h
-args.o: parser.h
-args.o: confread.h
-args.o: args.h
-cmp.o: ../pluto/constants.h
-cmp.o: ../pluto/defs.h
-cmp.o: confread.h
-cmp.o: args.h
-cmp.o: interfaces.h
-cmp.o: cmp.h
-confread.o: ../pluto/constants.h
-confread.o: ../pluto/defs.h
-confread.o: ../pluto/log.h
-confread.o: keywords.h
-confread.o: parser.h
-confread.o: confread.h
-confread.o: args.h
-confread.o: interfaces.h
-exec.o: ../pluto/constants.h
-exec.o: ../pluto/defs.h
-exec.o: ../pluto/log.h
-exec.o: exec.h
-interfaces.o: ../pluto/constants.h
-interfaces.o: ../pluto/defs.h
-interfaces.o: ../pluto/log.h
-interfaces.o: interfaces.h
-interfaces.o: exec.h
-interfaces.o: files.h
-invokepluto.o: ../pluto/constants.h
-invokepluto.o: ../pluto/defs.h
-invokepluto.o: ../pluto/log.h
-invokepluto.o: confread.h
-invokepluto.o: invokepluto.h
-invokepluto.o: files.h
-invokepluto.o: starterwhack.h
-keywords.o: keywords.h
-klips.o: ../pluto/constants.h
-klips.o: ../pluto/defs.h
-klips.o: ../pluto/log.h
-klips.o: confread.h
-klips.o: klips.h
-klips.o: files.h
-klips.o: exec.h
-lex.yy.o: parser.tab.h
-netkey.o: ../pluto/constants.h
-netkey.o: ../pluto/defs.h
-netkey.o: ../pluto/log.h
-netkey.o: files.h
-parser.tab.o: ../pluto/constants.h
-parser.tab.o: ../pluto/defs.h
-parser.tab.o: parser.h
-starter.o: ../pluto/constants.h
-starter.o: ../pluto/defs.h
-starter.o: ../pluto/log.h
-starter.o: confread.h
-starter.o: files.h
-starter.o: starterwhack.h
-starter.o: invokepluto.h
-starter.o: klips.h
-starter.o: netkey.h
-starter.o: cmp.h
-starter.o: interfaces.h
-starterwhack.o: ../pluto/constants.h
-starterwhack.o: ../pluto/defs.h
-starterwhack.o: ../pluto/log.h
-starterwhack.o: ../pluto/whack.h
-starterwhack.o: starterwhack.h
-starterwhack.o: confread.h
-starterwhack.o: files.h
diff --git a/programs/starter/confread.c b/programs/starter/confread.c
deleted file mode 100644
index 63010685b..000000000
--- a/programs/starter/confread.c
+++ /dev/null
@@ -1,908 +0,0 @@
-/* strongSwan IPsec config file parser
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: confread.c,v 1.40 2007/01/11 21:27:27 as Exp $
- */
-
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
-
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
-
-#include "keywords.h"
-#include "parser.h"
-#include "confread.h"
-#include "args.h"
-#include "interfaces.h"
-
-/* strings containing a colon are interpreted as an IPv6 address */
-#define ip_version(string) (strchr(string, ':') != NULL)? AF_INET6 : AF_INET;
-
-static const char ike_defaults[] = "3des-sha, 3des-md5";
-static const char esp_defaults[] = "3des-sha1, 3des-md5";
-
-static const char firewall_defaults[] = "ipsec _updown iptables";
-
-static void
-default_values(starter_config_t *cfg)
-{
- if (cfg == NULL)
- return;
-
- memset(cfg, 0, sizeof(struct starter_config));
-
- /* is there enough space for all seen flags? */
- assert(KW_SETUP_LAST - KW_SETUP_FIRST <
- sizeof(cfg->setup.seen) * BITS_PER_BYTE);
- assert(KW_CONN_LAST - KW_CONN_FIRST <
- sizeof(cfg->conn_default.seen) * BITS_PER_BYTE);
- assert(KW_END_LAST - KW_END_FIRST <
- sizeof(cfg->conn_default.right.seen) * BITS_PER_BYTE);
- assert(KW_CA_LAST - KW_CA_FIRST <
- sizeof(cfg->ca_default.seen) * BITS_PER_BYTE);
-
- cfg->setup.seen = LEMPTY;
- cfg->setup.fragicmp = TRUE;
- cfg->setup.hidetos = TRUE;
- cfg->setup.uniqueids = TRUE;
- cfg->setup.interfaces = new_list("%defaultroute");
-
- cfg->conn_default.seen = LEMPTY;
- cfg->conn_default.startup = STARTUP_NO;
- cfg->conn_default.state = STATE_IGNORE;
- cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG
- | POLICY_PFS;
-
- cfg->conn_default.ike = clone_str(ike_defaults, "ike_defaults");
- cfg->conn_default.esp = clone_str(esp_defaults, "esp_defaults");
- cfg->conn_default.sa_ike_life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;
- cfg->conn_default.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT;
- cfg->conn_default.sa_rekey_margin = SA_REPLACEMENT_MARGIN_DEFAULT;
- cfg->conn_default.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT;
- cfg->conn_default.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT;
- cfg->conn_default.addr_family = AF_INET;
- cfg->conn_default.tunnel_addr_family = AF_INET;
-
- cfg->conn_default.left.seen = LEMPTY;
- cfg->conn_default.right.seen = LEMPTY;
-
- anyaddr(AF_INET, &cfg->conn_default.left.addr);
- anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
- anyaddr(AF_INET, &cfg->conn_default.left.srcip);
- anyaddr(AF_INET, &cfg->conn_default.right.addr);
- anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
- anyaddr(AF_INET, &cfg->conn_default.right.srcip);
-
- cfg->ca_default.seen = LEMPTY;
-}
-
-#define KW_POLICY_FLAG(sy, sn, fl) \
- if (streq(kw->value, sy)) { conn->policy |= fl; } \
- else if (streq(kw->value, sn)) { conn->policy &= ~fl; } \
- else { plog("# bad policy value: %s=%s", kw->entry->name, kw->value); cfg->err++; }
-
-static void
-load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
-{
- kw_list_t *kw;
-
- DBG(DBG_CONTROL,
- DBG_log("Loading config setup")
- )
-
- for (kw = cfgp->config_setup; kw; kw = kw->next)
- {
- bool assigned = FALSE;
-
- kw_token_t token = kw->entry->token;
-
- if (token < KW_SETUP_FIRST || token > KW_SETUP_LAST)
- {
- plog("# unsupported keyword '%s' in config setup", kw->entry->name);
- cfg->err++;
- continue;
- }
-
- if (!assign_arg(token, KW_SETUP_FIRST, kw, (char *)cfg, &assigned))
- {
- plog(" bad argument value in config setup");
- cfg->err++;
- continue;
- }
- }
-}
-
-static void
-kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
- , kw_list_t *kw, char *conn_name, starter_config_t *cfg)
-{
- err_t ugh = NULL;
- bool assigned = FALSE;
- int has_port_wildcard; /* set if port is %any */
-
- char *name = kw->entry->name;
- char *value = kw->value;
-
- if (!assign_arg(token, KW_END_FIRST, kw, (char *)end, &assigned))
- goto err;
-
- if (token == KW_SENDCERT)
- {
- if (end->sendcert == CERT_YES_SEND)
- end->sendcert = CERT_ALWAYS_SEND;
- else if (end->sendcert == CERT_NO_SEND)
- end->sendcert = CERT_NEVER_SEND;
- }
-
- if (assigned)
- return;
-
- switch (token)
- {
- case KW_HOST:
- if (streq(value, "%defaultroute"))
- {
- if (cfg->defaultroute.defined)
- {
- end->addr = cfg->defaultroute.addr;
- end->nexthop = cfg->defaultroute.nexthop;
- }
- else
- {
- plog("# default route not known: %s=%s", name, value);
- goto err;
- }
- }
- else if (streq(value, "%any"))
- {
- anyaddr(conn->addr_family, &end->addr);
- }
- else if (streq(value, "%any6"))
- {
- conn->addr_family = AF_INET6;
- anyaddr(conn->addr_family, &end->addr);
- }
- else if (value[0] == '%')
- {
- if (end->iface)
- pfree(end->iface);
- end->iface = clone_str(value+1, "iface");
- if (starter_iface_find(end->iface, conn->addr_family, &end->addr,
- &end->nexthop) == -1)
- {
- conn->state = STATE_INVALID;
- }
- }
- else
- {
- conn->addr_family = ip_version(value);
- ugh = ttoaddr(value, 0, conn->addr_family, &end->addr);
- if (ugh != NULL)
- {
- plog("# bad addr: %s=%s [%s]", name, value, ugh);
- goto err;
- }
- }
- break;
- case KW_NEXTHOP:
- if (streq(value, "%defaultroute"))
- {
- if (cfg->defaultroute.defined)
- end->nexthop = cfg->defaultroute.nexthop;
- else
- {
- plog("# default route not known: %s=%s", name, value);
- goto err;
- }
- }
- else if (streq(value, "%direct"))
- {
- ugh = anyaddr(conn->addr_family, &end->nexthop);
- }
- else
- {
- conn->addr_family = ip_version(value);
- ugh = ttoaddr(value, 0, conn->addr_family, &end->nexthop);
- }
- if (ugh != NULL)
- {
- plog("# bad addr: %s=%s [%s]", name, value, ugh);
- goto err;
- }
- break;
- case KW_SUBNET:
- if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0)
- || (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0))
- {
- end->virt = clone_str(value, "virt");
- }
- else
- {
- end->has_client = TRUE;
- conn->tunnel_addr_family = ip_version(value);
- ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet);
- if (ugh != NULL)
- {
- plog("# bad subnet: %s=%s [%s]", name, value, ugh);
- goto err;
- }
- }
- break;
- case KW_SUBNETWITHIN:
- end->has_client = TRUE;
- end->has_client_wildcard = TRUE;
- conn->tunnel_addr_family = ip_version(value);
- ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet);
- break;
- case KW_PROTOPORT:
- ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &has_port_wildcard);
- end->has_port_wildcard = has_port_wildcard;
- break;
- case KW_SOURCEIP:
- if (end->has_natip)
- {
- plog("# natip and sourceip cannot be defined at the same time");
- goto err;
- }
- if (streq(value, "%modeconfig") || streq(value, "%modecfg"))
- {
- end->modecfg = TRUE;
- }
- else
- {
- conn->tunnel_addr_family = ip_version(value);
- ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
- if (ugh != NULL)
- {
- plog("# bad addr: %s=%s [%s]", name, value, ugh);
- goto err;
- }
- end->has_srcip = TRUE;
- }
- conn->policy |= POLICY_TUNNEL;
- break;
- case KW_NATIP:
- if (end->has_srcip)
- {
- plog("# natip and sourceip cannot be defined at the same time");
- goto err;
- }
- conn->tunnel_addr_family = ip_version(value);
- ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
- if (ugh != NULL)
- {
- plog("# bad addr: %s=%s [%s]", name, value, ugh);
- goto err;
- }
- end->has_natip = TRUE;
- conn->policy |= POLICY_TUNNEL;
- break;
- default:
- break;
- }
- return;
-
-err:
- plog(" bad argument value in conn '%s'", conn_name);
- cfg->err++;
-}
-
-/*
- * handles left|rightfirewall and left|rightupdown parameters
- */
-static void
-handle_firewall( const char *label, starter_end_t *end, starter_config_t *cfg)
-{
- if (end->firewall && (end->seen & LELEM(KW_FIREWALL - KW_END_FIRST)))
- {
- if (end->updown != NULL)
- {
- plog("# cannot have both %sfirewall and %supdown", label, label);
- cfg->err++;
- }
- else
- {
- end->updown = clone_str(firewall_defaults, "firewall_defaults");
- end->firewall = FALSE;
- }
- }
-}
-
-/*
- * parse a conn section
- */
-static void
-load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
-{
- char *conn_name = (conn->name == NULL)? "%default":conn->name;
-
- for ( ; kw; kw = kw->next)
- {
- bool assigned = FALSE;
-
- kw_token_t token = kw->entry->token;
-
- if (token >= KW_LEFT_FIRST && token <= KW_LEFT_LAST)
- {
- kw_end(conn, &conn->left, token - KW_LEFT_FIRST + KW_END_FIRST
- , kw, conn_name, cfg);
- continue;
- }
- else if (token >= KW_RIGHT_FIRST && token <= KW_RIGHT_LAST)
- {
- kw_end(conn, &conn->right, token - KW_RIGHT_FIRST + KW_END_FIRST
- , kw, conn_name, cfg);
- continue;
- }
-
- if (token == KW_AUTO)
- {
- token = KW_CONN_SETUP;
- }
- else if (token == KW_ALSO)
- {
- if (cfg->parse_also)
- {
- also_t *also = alloc_thing(also_t, "also_t");
-
- also->name = clone_str(kw->value, "also");
- also->next = conn->also;
- conn->also = also;
-
- DBG(DBG_CONTROL,
- DBG_log(" also=%s", kw->value)
- )
- }
- continue;
- }
-
- if (token < KW_CONN_FIRST || token > KW_CONN_LAST)
- {
- plog("# unsupported keyword '%s' in conn '%s'"
- , kw->entry->name, conn_name);
- cfg->err++;
- continue;
- }
-
- if (!assign_arg(token, KW_CONN_FIRST, kw, (char *)conn, &assigned))
- {
- plog(" bad argument value in conn '%s'", conn_name);
- cfg->err++;
- continue;
- }
-
- if (assigned)
- continue;
-
- switch (token)
- {
- case KW_TYPE:
- conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK);
- if (streq(kw->value, "tunnel"))
- conn->policy |= POLICY_TUNNEL;
- else if (streq(kw->value, "passthrough") || streq(kw->value, "pass"))
- conn->policy |= POLICY_SHUNT_PASS;
- else if (streq(kw->value, "drop"))
- conn->policy |= POLICY_SHUNT_DROP;
- else if (streq(kw->value, "reject"))
- conn->policy |= POLICY_SHUNT_REJECT;
- else if (strcmp(kw->value, "transport") != 0)
- {
- plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
- cfg->err++;
- }
- break;
- case KW_PFS:
- KW_POLICY_FLAG("yes", "no", POLICY_PFS)
- break;
- case KW_COMPRESS:
- KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS)
- break;
- case KW_AUTH:
- KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE)
- break;
- case KW_AUTHBY:
- conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT);
-
- if (strcmp(kw->value, "never") != 0)
- {
- char *value = kw->value;
- char *second = strchr(kw->value, '|');
-
- if (second != NULL)
- *second = '\0';
-
- /* also handles the cases secret|rsasig and rsasig|secret */
- for (;;)
- {
- if (streq(value, "rsasig"))
- conn->policy |= POLICY_RSASIG | POLICY_ENCRYPT;
- else if (streq(value, "secret") || streq(value, "psk"))
- conn->policy |= POLICY_PSK | POLICY_ENCRYPT;
- else if (streq(value, "xauthrsasig"))
- conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
- else if (streq(value, "xauthpsk"))
- conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT;
- else
- {
- plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
- cfg->err++;
- break;
- }
- if (second == NULL)
- break;
- value = second;
- second = NULL; /* traverse the loop no more than twice */
- }
- }
- break;
- case KW_REKEY:
- KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY)
- break;
- case KW_MODECONFIG:
- KW_POLICY_FLAG("push", "pull", POLICY_MODECFG_PUSH)
- break;
- case KW_XAUTH:
- KW_POLICY_FLAG("server", "client", POLICY_XAUTH_SERVER)
- break;
- default:
- break;
- }
- }
- handle_firewall("left", &conn->left, cfg);
- handle_firewall("right", &conn->right, cfg);
-}
-
-/*
- * initialize a conn object with the default conn
- */
-static void
-conn_default(char *name, starter_conn_t *conn, starter_conn_t *def)
-{
- memcpy(conn, def, sizeof(starter_conn_t));
- conn->name = clone_str(name, "conn name");
-
- clone_args(KW_CONN_FIRST, KW_CONN_LAST
- , (char *)conn, (char *)def);
- clone_args(KW_END_FIRST, KW_END_LAST
- , (char *)&conn->left, (char *)&def->left);
- clone_args(KW_END_FIRST, KW_END_LAST
- , (char *)&conn->right, (char *)&def->right);
-}
-
-/*
- * parse a ca section
- */
-static void
-load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
-{
- char *ca_name = (ca->name == NULL)? "%default":ca->name;
-
- for ( ; kw; kw = kw->next)
- {
- bool assigned = FALSE;
-
- kw_token_t token = kw->entry->token;
-
- if (token == KW_AUTO)
- {
- token = KW_CA_SETUP;
- }
- else if (token == KW_ALSO)
- {
- if (cfg->parse_also)
- {
- also_t *also = alloc_thing(also_t, "also_t");
-
- also->name = clone_str(kw->value, "also");
- also->next = ca->also;
- ca->also = also;
-
- DBG(DBG_CONTROL,
- DBG_log(" also=%s", kw->value)
- )
- }
- continue;
- }
-
- if (token < KW_CA_FIRST || token > KW_CA_LAST)
- {
- plog("# unsupported keyword '%s' in ca '%s'"
- , kw->entry->name, ca_name);
- cfg->err++;
- continue;
- }
-
- if (!assign_arg(token, KW_CA_FIRST, kw, (char *)ca, &assigned))
- {
- plog(" bad argument value in ca '%s'", ca_name);
- cfg->err++;
- }
- }
-
- /* treat 'route' and 'start' as 'add' */
- if (ca->startup != STARTUP_NO)
- ca->startup = STARTUP_ADD;
-}
-
-/*
- * initialize a ca object with the default ca
- */
-static void
-ca_default(char *name, starter_ca_t *ca, starter_ca_t *def)
-{
- memcpy(ca, def, sizeof(starter_ca_t));
- ca->name = clone_str(name, "ca name");
-
- clone_args(KW_CA_FIRST, KW_CA_LAST, (char *)ca, (char *)def);
-}
-
-static kw_list_t*
-find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg);
-
-static void
-load_also_conns(starter_conn_t *conn, also_t *also, starter_config_t *cfg)
-{
- while (also != NULL)
- {
- kw_list_t *kw = find_also_conn(also->name, conn, cfg);
-
- if (kw == NULL)
- {
- plog(" conn '%s' cannot include '%s'", conn->name, also->name);
- }
- else
- {
- DBG(DBG_CONTROL,
- DBG_log("conn '%s' includes '%s'", conn->name, also->name)
- )
- /* only load if no error occurred in the first round */
- if (cfg->err == 0)
- load_conn(conn, kw, cfg);
- }
- also = also->next;
- }
-}
-
-/*
- * find a conn included by also
- */
-static kw_list_t*
-find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg)
-{
- starter_conn_t *c = cfg->conn_first;
-
- while (c != NULL)
- {
- if (streq(name, c->name))
- {
- if (conn->visit == c->visit)
- {
- plog("# detected also loop");
- cfg->err++;
- return NULL;
- }
- c->visit = conn->visit;
- load_also_conns(conn, c->also, cfg);
- return c->kw;
- }
- c = c->next;
- }
-
- plog("# also '%s' not found", name);
- cfg->err++;
- return NULL;
-}
-
-static kw_list_t*
-find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg);
-
-static void
-load_also_cas(starter_ca_t *ca, also_t *also, starter_config_t *cfg)
-{
- while (also != NULL)
- {
- kw_list_t *kw = find_also_ca(also->name, ca, cfg);
-
- if (kw == NULL)
- {
- plog(" ca '%s' cannot include '%s'", ca->name, also->name);
- }
- else
- {
- DBG(DBG_CONTROL,
- DBG_log("ca '%s' includes '%s'", ca->name, also->name)
- )
- /* only load if no error occurred in the first round */
- if (cfg->err == 0)
- load_ca(ca, kw, cfg);
- }
- also = also->next;
- }
-}
-
-/*
- * find a ca included by also
- */
-static kw_list_t*
-find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg)
-{
- starter_ca_t *c = cfg->ca_first;
-
- while (c != NULL)
- {
- if (streq(name, c->name))
- {
- if (ca->visit == c->visit)
- {
- plog("# detected also loop");
- cfg->err++;
- return NULL;
- }
- c->visit = ca->visit;
- load_also_cas(ca, c->also, cfg);
- return c->kw;
- }
- c = c->next;
- }
-
- plog("# also '%s' not found", name);
- cfg->err++;
- return NULL;
-}
-
-
-
-/*
- * load and parse an IPsec configuration file
- */
-starter_config_t *
-confread_load(const char *file)
-{
- starter_config_t *cfg = NULL;
- config_parsed_t *cfgp;
- section_list_t *sconn, *sca;
- starter_conn_t *conn;
- starter_ca_t *ca;
-
- u_int visit = 0;
-
- /* load IPSec configuration file */
- cfgp = parser_load_conf(file);
- if (!cfgp)
- return NULL;
-
- cfg = (starter_config_t *)alloc_thing(starter_config_t, "starter_config_t");
-
- /* set default values */
- default_values(cfg);
-
- /* determine default route */
- get_defaultroute(&cfg->defaultroute);
-
- /* load config setup section */
- load_setup(cfg, cfgp);
-
- /* in the first round parse also statements */
- cfg->parse_also = TRUE;
-
- /* find %default ca section */
- for (sca = cfgp->ca_first; sca; sca = sca->next)
- {
- if (streq(sca->name, "%default"))
- {
- DBG(DBG_CONTROL,
- DBG_log("Loading ca %%default")
- )
- load_ca(&cfg->ca_default, sca->kw, cfg);
- }
- }
-
- /* parameters defined in ca %default sections can be overloads */
- cfg->ca_default.seen = LEMPTY;
-
- /* load other ca sections */
- for (sca = cfgp->ca_first; sca; sca = sca->next)
- {
- /* skip %default ca section */
- if (streq(sca->name, "%default"))
- continue;
-
- DBG(DBG_CONTROL,
- DBG_log("Loading ca '%s'", sca->name)
- )
- ca = (starter_ca_t *)alloc_thing(starter_ca_t, "starter_ca_t");
-
- ca_default(sca->name, ca, &cfg->ca_default);
- ca->kw = sca->kw;
- ca->next = NULL;
-
- if (cfg->ca_last)
- cfg->ca_last->next = ca;
- cfg->ca_last = ca;
- if (!cfg->ca_first)
- cfg->ca_first = ca;
-
- load_ca(ca, ca->kw, cfg);
- }
-
- for (ca = cfg->ca_first; ca; ca = ca->next)
- {
- also_t *also = ca->also;
-
- while (also != NULL)
- {
- kw_list_t *kw = find_also_ca(also->name, cfg->ca_first, cfg);
-
- load_ca(ca, kw, cfg);
- also = also->next;
- }
-
- if (ca->startup != STARTUP_NO)
- ca->state = STATE_TO_ADD;
- }
-
- /* find %default conn sections */
- for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
- {
- if (streq(sconn->name, "%default"))
- {
- DBG(DBG_CONTROL,
- DBG_log("Loading conn %%default")
- )
- load_conn(&cfg->conn_default, sconn->kw, cfg);
- }
- }
-
- /* parameter defined in conn %default sections can be overloaded */
- cfg->conn_default.seen = LEMPTY;
- cfg->conn_default.right.seen = LEMPTY;
- cfg->conn_default.left.seen = LEMPTY;
-
- /* load other conn sections */
- for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
- {
- /* skip %default conn section */
- if (streq(sconn->name, "%default"))
- continue;
-
- DBG(DBG_CONTROL,
- DBG_log("Loading conn '%s'", sconn->name)
- )
- conn = (starter_conn_t *)alloc_thing(starter_conn_t, "starter_conn_t");
-
- conn_default(sconn->name, conn, &cfg->conn_default);
- conn->kw = sconn->kw;
- conn->next = NULL;
-
- if (cfg->conn_last)
- cfg->conn_last->next = conn;
- cfg->conn_last = conn;
- if (!cfg->conn_first)
- cfg->conn_first = conn;
-
- load_conn(conn, conn->kw, cfg);
- }
-
- /* in the second round do not parse also statements */
- cfg->parse_also = FALSE;
-
- for (ca = cfg->ca_first; ca; ca = ca->next)
- {
- ca->visit = ++visit;
- load_also_cas(ca, ca->also, cfg);
-
- if (ca->startup != STARTUP_NO)
- ca->state = STATE_TO_ADD;
- }
-
- for (conn = cfg->conn_first; conn; conn = conn->next)
- {
- conn->visit = ++visit;
- load_also_conns(conn, conn->also, cfg);
-
- if (conn->startup != STARTUP_NO)
- conn->state = STATE_TO_ADD;
- }
-
- parser_free_conf(cfgp);
-
- if (cfg->err)
- {
- plog("### %d parsing error%s ###", cfg->err, (cfg->err > 1)?"s":"");
- confread_free(cfg);
- cfg = NULL;
- }
-
- return cfg;
-}
-
-/*
- * free the memory used by also_t objects
- */
-static void
-free_also(also_t *head)
-{
- while (head != NULL)
- {
- also_t *also = head;
-
- head = also->next;
- pfree(also->name);
- pfree(also);
- }
-}
-
-/*
- * free the memory used by a starter_conn_t object
- */
-static void
-confread_free_conn(starter_conn_t *conn)
-{
- free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left);
- free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->right);
- free_args(KW_CONN_NAME, KW_CONN_LAST, (char *)conn);
- free_also(conn->also);
-}
-
-/*
- * free the memory used by a starter_ca_t object
- */
-static void
-confread_free_ca(starter_ca_t *ca)
-{
- free_args(KW_CA_NAME, KW_CA_LAST, (char *)ca);
- free_also(ca->also);
-}
-
-/*
- * free the memory used by a starter_config_t object
- */
-void
-confread_free(starter_config_t *cfg)
-{
- starter_conn_t *conn = cfg->conn_first;
- starter_ca_t *ca = cfg->ca_first;
-
- free_args(KW_SETUP_FIRST, KW_SETUP_LAST, (char *)cfg);
-
- confread_free_conn(&cfg->conn_default);
-
- while (conn != NULL)
- {
- starter_conn_t *conn_aux = conn;
-
- conn = conn->next;
- confread_free_conn(conn_aux);
- pfree(conn_aux);
- }
-
- confread_free_ca(&cfg->ca_default);
-
- while (ca != NULL)
- {
- starter_ca_t *ca_aux = ca;
-
- ca = ca->next;
- confread_free_ca(ca_aux);
- pfree(ca_aux);
- }
-
- pfree(cfg);
-}
diff --git a/programs/starter/klips.c b/programs/starter/klips.c
deleted file mode 100644
index 5595eb6eb..000000000
--- a/programs/starter/klips.c
+++ /dev/null
@@ -1,134 +0,0 @@
-/* strongSwan KLIPS starter
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * RCSID $Id: klips.c,v 1.8 2006/02/15 18:33:57 as Exp $
- */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
-
-#include "confread.h"
-#include "klips.h"
-#include "files.h"
-#include "exec.h"
-
-static int _klips_module_loaded = 0;
-
-bool
-starter_klips_init(void)
-{
- struct stat stb;
-
- if (stat(PROC_IPSECVERSION, &stb) != 0)
- {
- if (stat(PROC_MODULES, &stb) == 0)
- {
- unsetenv("MODPATH");
- unsetenv("MODULECONF");
- system("depmod -a >/dev/null 2>&1");
- system("modprobe -qv ipsec");
- }
- if (stat(PROC_IPSECVERSION, &stb) == 0)
- {
- _klips_module_loaded = 1;
- }
- else
- {
- DBG(DBG_CONTROL,
- DBG_log("kernel appears to lack KLIPS")
- )
- return FALSE;
- }
- }
-
- /* make sure that all available crypto algorithms are loaded */
- if (stat(PROC_MODULES, &stb) == 0)
- {
- system("modprobe -qv ipsec_aes");
- system("modprobe -qv ipsec_serpent");
- system("modprobe -qv ipsec_twofish");
- system("modprobe -qv ipsec_blowfish");
- system("modprobe -qv ipsec_sha2");
- }
-
- starter_klips_clear();
-
- DBG(DBG_CONTROL,
- DBG_log("Found KLIPS IPsec stack")
- )
- return TRUE;
-}
-
-static void
-_sysflags (char *name, int value)
-{
- int res = starter_exec("echo %d >%s/%s 2>/dev/null"
- , value? 1 : 0, PROC_SYSFLAGS, name);
-
- if (res)
- plog("can't set sysflag %s to %d", name, value? 1 : 0);
-}
-
-void
-starter_klips_set_config(starter_config_t *cfg)
-{
- char **l;
-
- _sysflags("icmp", cfg->setup.fragicmp);
- _sysflags("inbound_policy_check", 1);
- /* _sysflags("no_eroute_pass", 0); */
- /* _sysflags("opportunistic", 0); */
- _sysflags("tos", cfg->setup.hidetos);
-
- starter_exec("%s/klipsdebug --none", IPSEC_EXECDIR);
- for (l = cfg->setup.klipsdebug; l && *l; l++)
- {
- if ((streq(*l, "none")) || (streq(*l, "all")))
- starter_exec("%s/klipsdebug --%s", IPSEC_EXECDIR, *l);
- else
- starter_exec("%s/klipsdebug --set %s", IPSEC_EXECDIR, *l);
- }
-
- starter_exec("%s/eroute --del --eraf inet --src 0/0 --dst 0/0 2>/dev/null"
- , IPSEC_EXECDIR);
- starter_exec("%s/eroute --label packetdefault --replace --eraf inet "
- "--src 0/0 --dst 0/0 --said %%%s", IPSEC_EXECDIR
- , cfg->setup.packetdefault ? cfg->setup.packetdefault : "drop");
-}
-
-void
-starter_klips_clear(void)
-{
- system(IPSEC_EXECDIR"/eroute --clear");
- system(IPSEC_EXECDIR"/spi --clear");
- system(IPSEC_EXECDIR"/klipsdebug --none");
-}
-
-void
-starter_klips_cleanup(void)
-{
- starter_klips_clear();
- if (_klips_module_loaded)
- {
- system("rmmod ipsec");
- _klips_module_loaded = 0;
- }
-}
diff --git a/programs/starter/parser.output b/programs/starter/parser.output
deleted file mode 100644
index ddb01e89a..000000000
--- a/programs/starter/parser.output
+++ /dev/null
@@ -1,351 +0,0 @@
-Grammar
-
- 0 $accept: config_file $end
-
- 1 config_file: config_file section_or_include
- 2 | /* empty */
-
- 3 section_or_include: VERSION STRING EOL
-
- 4 @1: /* empty */
-
- 5 section_or_include: CONFIG SETUP EOL @1 kw_section
-
- 6 @2: /* empty */
-
- 7 section_or_include: CONN STRING EOL @2 kw_section
-
- 8 @3: /* empty */
-
- 9 section_or_include: CA STRING EOL @3 kw_section
-
- 10 @4: /* empty */
-
- 11 section_or_include: INCLUDE STRING @4 EOL
- 12 | EOL
-
- 13 kw_section: FIRST_SPACES statement_kw EOL kw_section
- 14 | /* empty */
-
- 15 statement_kw: STRING EQUAL STRING
- 16 | STRING EQUAL
- 17 | /* empty */
-
-
-Terminals, with rules where they appear
-
-$end (0) 0
-error (256)
-EQUAL (258) 15 16
-FIRST_SPACES (259) 13
-EOL (260) 3 5 7 9 11 12 13
-CONFIG (261) 5
-SETUP (262) 5
-CONN (263) 7
-CA (264) 9
-INCLUDE (265) 11
-VERSION (266) 3
-STRING (267) 3 7 9 11 15 16
-
-
-Nonterminals, with rules where they appear
-
-$accept (13)
- on left: 0
-config_file (14)
- on left: 1 2, on right: 0 1
-section_or_include (15)
- on left: 3 5 7 9 11 12, on right: 1
-@1 (16)
- on left: 4, on right: 5
-@2 (17)
- on left: 6, on right: 7
-@3 (18)
- on left: 8, on right: 9
-@4 (19)
- on left: 10, on right: 11
-kw_section (20)
- on left: 13 14, on right: 5 7 9 13
-statement_kw (21)
- on left: 15 16 17, on right: 13
-
-
-state 0
-
- 0 $accept: . config_file $end
-
- $default reduce using rule 2 (config_file)
-
- config_file go to state 1
-
-
-state 1
-
- 0 $accept: config_file . $end
- 1 config_file: config_file . section_or_include
-
- $end shift, and go to state 2
- EOL shift, and go to state 3
- CONFIG shift, and go to state 4
- CONN shift, and go to state 5
- CA shift, and go to state 6
- INCLUDE shift, and go to state 7
- VERSION shift, and go to state 8
-
- section_or_include go to state 9
-
-
-state 2
-
- 0 $accept: config_file $end .
-
- $default accept
-
-
-state 3
-
- 12 section_or_include: EOL .
-
- $default reduce using rule 12 (section_or_include)
-
-
-state 4
-
- 5 section_or_include: CONFIG . SETUP EOL @1 kw_section
-
- SETUP shift, and go to state 10
-
-
-state 5
-
- 7 section_or_include: CONN . STRING EOL @2 kw_section
-
- STRING shift, and go to state 11
-
-
-state 6
-
- 9 section_or_include: CA . STRING EOL @3 kw_section
-
- STRING shift, and go to state 12
-
-
-state 7
-
- 11 section_or_include: INCLUDE . STRING @4 EOL
-
- STRING shift, and go to state 13
-
-
-state 8
-
- 3 section_or_include: VERSION . STRING EOL
-
- STRING shift, and go to state 14
-
-
-state 9
-
- 1 config_file: config_file section_or_include .
-
- $default reduce using rule 1 (config_file)
-
-
-state 10
-
- 5 section_or_include: CONFIG SETUP . EOL @1 kw_section
-
- EOL shift, and go to state 15
-
-
-state 11
-
- 7 section_or_include: CONN STRING . EOL @2 kw_section
-
- EOL shift, and go to state 16
-
-
-state 12
-
- 9 section_or_include: CA STRING . EOL @3 kw_section
-
- EOL shift, and go to state 17
-
-
-state 13
-
- 11 section_or_include: INCLUDE STRING . @4 EOL
-
- $default reduce using rule 10 (@4)
-
- @4 go to state 18
-
-
-state 14
-
- 3 section_or_include: VERSION STRING . EOL
-
- EOL shift, and go to state 19
-
-
-state 15
-
- 5 section_or_include: CONFIG SETUP EOL . @1 kw_section
-
- $default reduce using rule 4 (@1)
-
- @1 go to state 20
-
-
-state 16
-
- 7 section_or_include: CONN STRING EOL . @2 kw_section
-
- $default reduce using rule 6 (@2)
-
- @2 go to state 21
-
-
-state 17
-
- 9 section_or_include: CA STRING EOL . @3 kw_section
-
- $default reduce using rule 8 (@3)
-
- @3 go to state 22
-
-
-state 18
-
- 11 section_or_include: INCLUDE STRING @4 . EOL
-
- EOL shift, and go to state 23
-
-
-state 19
-
- 3 section_or_include: VERSION STRING EOL .
-
- $default reduce using rule 3 (section_or_include)
-
-
-state 20
-
- 5 section_or_include: CONFIG SETUP EOL @1 . kw_section
-
- FIRST_SPACES shift, and go to state 24
-
- $default reduce using rule 14 (kw_section)
-
- kw_section go to state 25
-
-
-state 21
-
- 7 section_or_include: CONN STRING EOL @2 . kw_section
-
- FIRST_SPACES shift, and go to state 24
-
- $default reduce using rule 14 (kw_section)
-
- kw_section go to state 26
-
-
-state 22
-
- 9 section_or_include: CA STRING EOL @3 . kw_section
-
- FIRST_SPACES shift, and go to state 24
-
- $default reduce using rule 14 (kw_section)
-
- kw_section go to state 27
-
-
-state 23
-
- 11 section_or_include: INCLUDE STRING @4 EOL .
-
- $default reduce using rule 11 (section_or_include)
-
-
-state 24
-
- 13 kw_section: FIRST_SPACES . statement_kw EOL kw_section
-
- STRING shift, and go to state 28
-
- $default reduce using rule 17 (statement_kw)
-
- statement_kw go to state 29
-
-
-state 25
-
- 5 section_or_include: CONFIG SETUP EOL @1 kw_section .
-
- $default reduce using rule 5 (section_or_include)
-
-
-state 26
-
- 7 section_or_include: CONN STRING EOL @2 kw_section .
-
- $default reduce using rule 7 (section_or_include)
-
-
-state 27
-
- 9 section_or_include: CA STRING EOL @3 kw_section .
-
- $default reduce using rule 9 (section_or_include)
-
-
-state 28
-
- 15 statement_kw: STRING . EQUAL STRING
- 16 | STRING . EQUAL
-
- EQUAL shift, and go to state 30
-
-
-state 29
-
- 13 kw_section: FIRST_SPACES statement_kw . EOL kw_section
-
- EOL shift, and go to state 31
-
-
-state 30
-
- 15 statement_kw: STRING EQUAL . STRING
- 16 | STRING EQUAL .
-
- STRING shift, and go to state 32
-
- $default reduce using rule 16 (statement_kw)
-
-
-state 31
-
- 13 kw_section: FIRST_SPACES statement_kw EOL . kw_section
-
- FIRST_SPACES shift, and go to state 24
-
- $default reduce using rule 14 (kw_section)
-
- kw_section go to state 33
-
-
-state 32
-
- 15 statement_kw: STRING EQUAL STRING .
-
- $default reduce using rule 15 (statement_kw)
-
-
-state 33
-
- 13 kw_section: FIRST_SPACES statement_kw EOL kw_section .
-
- $default reduce using rule 13 (kw_section)
diff --git a/programs/starter/starter.8 b/programs/starter/starter.8
deleted file mode 100644
index e69de29bb..000000000
--- a/programs/starter/starter.8
+++ /dev/null
diff --git a/programs/tncfg/.cvsignore b/programs/tncfg/.cvsignore
deleted file mode 100644
index c05ca8d9a..000000000
--- a/programs/tncfg/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-tncfg
diff --git a/programs/tncfg/Makefile b/programs/tncfg/Makefile
deleted file mode 100644
index ded364dbf..000000000
--- a/programs/tncfg/Makefile
+++ /dev/null
@@ -1,52 +0,0 @@
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 1998, 1999 Henry Spencer.
-# Copyright (C) 1999, 2000, 2001 Richard Guy Briggs
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.1 2004/03/15 20:35:31 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM:=tncfg
-EXTRA5PROC=${PROGRAM}.5
-
-LIBS:=${FREESWANLIB}
-
-include ../Makefile.program
-
-#
-# $Log: Makefile,v $
-# Revision 1.1 2004/03/15 20:35:31 as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.4 2002/06/03 20:25:31 mcr
-# man page for files actually existant in /proc/net changed back to
-# ipsec_foo via new EXTRA5PROC process.
-#
-# Revision 1.3 2002/06/02 21:51:41 mcr
-# changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# (note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# kernel sense.)
-#
-# Revision 1.2 2002/04/26 01:21:26 mcr
-# while tracking down a missing (not installed) /etc/ipsec.conf,
-# MCR has decided that it is not okay for each program subdir to have
-# some subset (determined with -f) of possible files.
-# Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-# Optional PROGRAM.5 files have been added to the makefiles.
-#
-# Revision 1.1 2002/04/24 07:55:32 mcr
-# #include patches and Makefiles for post-reorg compilation.
-#
-#
-#
diff --git a/programs/tncfg/tncfg.5 b/programs/tncfg/tncfg.5
deleted file mode 100644
index e4de862c6..000000000
--- a/programs/tncfg/tncfg.5
+++ /dev/null
@@ -1,109 +0,0 @@
-.TH IPSEC_TNCFG 5 "27 Jun 2000"
-.\"
-.\" RCSID $Id: tncfg.5,v 1.1 2004/03/15 20:35:31 as Exp $
-.\"
-.SH NAME
-ipsec_tncfg \- lists IPSEC virtual interfaces attached to real interfaces
-.SH SYNOPSIS
-.B ipsec
-.B tncfg
-.PP
-.B cat
-.B /proc/net/ipsec_tncfg
-.SH DESCRIPTION
-.I /proc/net/ipsec_tncfg
-is a read-only file which lists which IPSEC virtual interfaces are
-attached to which real interfaces, through which packets will be
-forwarded once processed by IPSEC.
-.PP
-Each line lists one ipsec I/F.
-A table entry consists of:
-.IP + 3
-an ipsec virtual I/F name
-.IP +
-a visual and machine parsable separator '->', separating the virtual I/F
-and the physical I/F,
-.IP +
-a physical I/F name, to which the ipsec virtual I/F is attached or NULL
-if it is not attached,
-.IP +
-the keyword
-.BR mtu= ,
-.IP +
-the MTU of the ipsec virtual I/F,
-.IP +
-the automatically adjusted effective MTU for PMTU discovery, in brackets,
-.IP +
-a visual and machine parsable separator '->', separating the virtual I/F
-MTU and the physical I/F MTU,
-.IP +
-the MTU of the attached physical I/F.
-.BR
-.SH EXAMPLES
-.TP
-.B ipsec2 -> eth3 mtu=16260(1443) -> 1500
-.LP
-shows that virtual device
-.B ipsec2
-with an MTU of
-.B 16260
-is connected to physical device
-.B eth3
-with an MTU of
-.B 1500
-and that the effective MTU as a result of PMTU discovery has been
-automatically set to
-.BR 1443.
-.TP
-.B ipsec0 \-> wvlan0 mtu=1400(16260) \-> 1500
-.LP
-shows that virtual device
-.B ipsec0
-with an MTU of
-.B 1400
-is connected to physical device
-.B wvlan0
-with an MTU of
-.B 1500
-and no PMTU packets have gotten far enough to bump down the effective MTU
-from its default of 16260.
-.TP
-.B ipsec3 \-> NULL mtu=0(0) \-> 0
-.LP
-shows that virtual device
-.B ipsec3
-is not connected to any physical device.
-.LP
-.SH "FILES"
-/proc/net/ipsec_tncfg, /usr/local/bin/ipsec
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_eroute(5), ipsec_spi(5),
-ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_tncfg(8), ipsec_version(5),
-ipsec_pf_key(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Richard Guy Briggs.
-.\"
-.\" $Log: tncfg.5,v $
-.\" Revision 1.1 2004/03/15 20:35:31 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.5 2002/04/24 07:35:41 mcr
-.\" Moved from ./klips/utils/tncfg.5,v
-.\"
-.\" Revision 1.4 2001/05/29 05:15:53 rgb
-.\" Added PMTU to output format.
-.\"
-.\" Revision 1.3 2000/06/30 18:21:55 rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.2 2000/06/28 12:44:12 henry
-.\" format touchup
-.\"
-.\" Revision 1.1 2000/06/28 05:43:01 rgb
-.\" Added manpages for all 5 klips utils.
-.\"
-.\"
diff --git a/programs/tncfg/tncfg.8 b/programs/tncfg/tncfg.8
deleted file mode 100644
index f888f2539..000000000
--- a/programs/tncfg/tncfg.8
+++ /dev/null
@@ -1,113 +0,0 @@
-.TH IPSEC_TNCFG 8 "21 Jun 2000"
-.\"
-.\" RCSID $Id: tncfg.8,v 1.1 2004/03/15 20:35:31 as Exp $
-.\"
-.SH NAME
-ipsec tncfg \- associate IPSEC virtual interface with physical interface
-.SH SYNOPSIS
-.B ipsec
-.B tncfg
-.PP
-.B ipsec
-.B tncfg
-.B \-\-attach
-.B \-\-virtual
-virtual
-.B \-\-physical
-physical
-.PP
-.B ipsec
-.B tncfg
-.B \-\-detach
-.B \-\-virtual
-virtual
-.PP
-.B ipsec
-.B tncfg
-.B \-\-clear
-.PP
-.B ipsec
-.B tncfg
-.B \-\-version
-.PP
-.B ipsec
-.B tncfg
-.B \-\-help
-.SH DESCRIPTION
-.I Tncfg
-attaches/detaches IPSEC virtual interfaces to/from
-physical interfaces,
-through which packets will be forwarded once processed by IPSEC.
-.PP
-The form with no additional arguments lists the contents of
-/proc/net/ipsec_tncfg. The format of /proc/net/ipsec_tncfg is discussed
-in ipsec_tncfg(5).
-The
-.B \-\-attach
-form attaches the
-.I virtual
-interface to the
-.I physical
-one.
-The
-.B \-\-detach
-form detaches the
-.I virtual
-interface from whichever physical interface it is attached to.
-The
-.B \-\-clear
-form clears all the
-.I virtual
-interfaces from whichever physical interfaces they were attached to.
-.PP
-Virtual interfaces typically have names like
-.BR ipsec0 ,
-while physical interfaces typically have names like
-.B eth0
-or
-.BR ppp0 .
-.SH EXAMPLES
-.TP
-.B ipsec tncfg \-\-attach \-\-virtual ipsec0 \-\-physical eth0
-attaches the
-.B ipsec0
-virtual device to the
-.B eth0
-physical device.
-.LP
-.SH "FILES"
-/proc/net/ipsec_tncfg, /usr/local/bin/ipsec
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_eroute(8), ipsec_spi(8),
-ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_tncfg(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Richard Guy Briggs.
-.\"
-.\" $Log: tncfg.8,v $
-.\" Revision 1.1 2004/03/15 20:35:31 as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.15 2002/04/24 07:35:41 mcr
-.\" Moved from ./klips/utils/tncfg.8,v
-.\"
-.\" Revision 1.14 2000/09/12 13:09:04 rgb
-.\" Fixed real/physical discrepancy between tncfg.8 and tncfg.c.
-.\"
-.\" Revision 1.13 2000/06/30 18:21:55 rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.12 2000/06/21 16:54:58 rgb
-.\" Added 'no additional args' text for listing contents of
-.\" /proc/net/ipsec_* files.
-.\"
-.\" Revision 1.11 1999/07/19 18:47:25 henry
-.\" fix slightly-misformed comments
-.\"
-.\" Revision 1.10 1999/04/06 04:54:39 rgb
-.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
-.\" patch shell fixes.
-.\"
diff --git a/programs/tncfg/tncfg.c b/programs/tncfg/tncfg.c
deleted file mode 100644
index f6aeae0e2..000000000
--- a/programs/tncfg/tncfg.c
+++ /dev/null
@@ -1,393 +0,0 @@
-/*
- * IPSEC interface configuration
- * Copyright (C) 1996 John Ioannidis.
- * Copyright (C) 1998, 1999, 2000, 2001 Richard Guy Briggs.
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-char tncfg_c_version[] = "RCSID $Id: tncfg.c,v 1.1 2004/03/15 20:35:31 as Exp $";
-
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h> /* system(), strtoul() */
-#include <unistd.h> /* getuid() */
-#include <linux/types.h>
-#include <sys/ioctl.h> /* ioctl() */
-
-#include <freeswan.h>
-#ifdef NET_21 /* from freeswan.h */
-#include <linux/sockios.h>
-#include <sys/socket.h>
-#endif /* NET_21 */ /* from freeswan.h */
-
-#if 0
-#include <linux/if.h>
-#else
-#include <net/if.h>
-#endif
-#include <sys/types.h>
-#include <errno.h>
-#include <getopt.h>
-
-#include "freeswan/ipsec_tunnel.h"
-
-static void
-usage(char *name)
-{
- fprintf(stdout,"%s --attach --virtual <virtual-device> --physical <physical-device>\n",
- name);
- fprintf(stdout,"%s --detach --virtual <virtual-device>\n",
- name);
- fprintf(stdout,"%s --clear\n",
- name);
- fprintf(stdout,"%s --help\n",
- name);
- fprintf(stdout,"%s --version\n",
- name);
- fprintf(stdout,"%s\n",
- name);
- fprintf(stdout, " [ --debug ] is optional to any %s command.\n", name);
- fprintf(stdout, " [ --label <label> ] is optional to any %s command.\n", name);
- exit(1);
-}
-
-static struct option const longopts[] =
-{
- {"virtual", 1, 0, 'V'},
- {"physical", 1, 0, 'P'},
- {"attach", 0, 0, 'a'},
- {"detach", 0, 0, 'd'},
- {"clear", 0, 0, 'c'},
- {"help", 0, 0, 'h'},
- {"version", 0, 0, 'v'},
- {"label", 1, 0, 'l'},
- {"optionsfrom", 1, 0, '+'},
- {"debug", 0, 0, 'g'},
- {0, 0, 0, 0}
-};
-
-int
-main(int argc, char *argv[])
-{
- struct ifreq ifr;
- struct ipsectunnelconf *shc=(struct ipsectunnelconf *)&ifr.ifr_data;
- int s;
- int c, previous = -1;
- char *program_name;
- int debug = 0;
- int argcount = argc;
-
- memset(&ifr, 0, sizeof(ifr));
- program_name = argv[0];
-
- while((c = getopt_long_only(argc, argv, ""/*"adchvV:P:l:+:"*/, longopts, 0)) != EOF) {
- switch(c) {
- case 'g':
- debug = 1;
- argcount--;
- break;
- case 'a':
- if(shc->cf_cmd) {
- fprintf(stderr, "%s: exactly one of '--attach', '--detach' or '--clear' options must be specified.\n", program_name);
- exit(1);
- }
- shc->cf_cmd = IPSEC_SET_DEV;
- break;
- case 'd':
- if(shc->cf_cmd) {
- fprintf(stderr, "%s: exactly one of '--attach', '--detach' or '--clear' options must be specified.\n", program_name);
- exit(1);
- }
- shc->cf_cmd = IPSEC_DEL_DEV;
- break;
- case 'c':
- if(shc->cf_cmd) {
- fprintf(stderr, "%s: exactly one of '--attach', '--detach' or '--clear' options must be specified.\n", program_name);
- exit(1);
- }
- shc->cf_cmd = IPSEC_CLR_DEV;
- break;
- case 'h':
- usage(program_name);
- break;
- case 'v':
- if(optarg) {
- fprintf(stderr, "%s: warning; '-v' and '--version' options don't expect arguments, arg '%s' found, perhaps unintended.\n",
- program_name, optarg);
- }
- fprintf(stdout, "%s, %s\n", program_name, tncfg_c_version);
- exit(1);
- break;
- case 'V':
- strcpy(ifr.ifr_name, optarg);
- break;
- case 'P':
- strcpy(shc->cf_name, optarg);
- break;
- case 'l':
- program_name = malloc(strlen(argv[0])
- + 10 /* update this when changing the sprintf() */
- + strlen(optarg));
- sprintf(program_name, "%s --label %s",
- argv[0],
- optarg);
- argcount -= 2;
- break;
- case '+': /* optionsfrom */
- optionsfrom(optarg, &argc, &argv, optind, stderr);
- /* no return on error */
- break;
- default:
- usage(program_name);
- break;
- }
- previous = c;
- }
-
- if(argcount == 1) {
- system("cat /proc/net/ipsec_tncfg");
- exit(0);
- }
-
- switch(shc->cf_cmd) {
- case IPSEC_SET_DEV:
- if(!shc->cf_name) {
- fprintf(stderr, "%s: physical I/F parameter missing.\n",
- program_name);
- exit(1);
- }
- case IPSEC_DEL_DEV:
- if(!ifr.ifr_name) {
- fprintf(stderr, "%s: virtual I/F parameter missing.\n",
- program_name);
- exit(1);
- }
- break;
- case IPSEC_CLR_DEV:
- strcpy(ifr.ifr_name, "ipsec0");
- break;
- default:
- fprintf(stderr, "%s: exactly one of '--attach', '--detach' or '--clear' options must be specified.\n"
- "Try %s --help' for usage information.\n",
- program_name, program_name);
- exit(1);
- }
-
- s=socket(AF_INET, SOCK_DGRAM,0);
- if(s==-1)
- {
- fprintf(stderr, "%s: Socket creation failed -- ", program_name);
- switch(errno)
- {
- case EACCES:
- if(getuid()==0)
- fprintf(stderr, "Root denied permission!?!\n");
- else
- fprintf(stderr, "Run as root user.\n");
- break;
- case EPROTONOSUPPORT:
- fprintf(stderr, "Internet Protocol not enabled");
- break;
- case EMFILE:
- case ENFILE:
- case ENOBUFS:
- fprintf(stderr, "Insufficient system resources.\n");
- break;
- case ENODEV:
- fprintf(stderr, "No such device. Is the virtual device valid? Is the ipsec module linked into the kernel or loaded as a module?\n");
- break;
- default:
- fprintf(stderr, "Unknown socket error %d.\n", errno);
- }
- exit(1);
- }
- if(ioctl(s, shc->cf_cmd, &ifr)==-1)
- {
- if(shc->cf_cmd == IPSEC_SET_DEV) {
- fprintf(stderr, "%s: Socket ioctl failed on attach -- ", program_name);
- switch(errno)
- {
- case EINVAL:
- fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
- break;
- case ENODEV:
- fprintf(stderr, "No such device. Is the virtual device valid? Is the ipsec module linked into the kernel or loaded as a module?\n");
- break;
- case ENXIO:
- fprintf(stderr, "No such device. Is the physical device valid?\n");
- break;
- case EBUSY:
- fprintf(stderr, "Device busy. Virtual device %s is already attached to a physical device -- Use detach first.\n",
- ifr.ifr_name);
- break;
- default:
- fprintf(stderr, "Unknown socket error %d.\n", errno);
- }
- exit(1);
- }
- if(shc->cf_cmd == IPSEC_DEL_DEV) {
- fprintf(stderr, "%s: Socket ioctl failed on detach -- ", program_name);
- switch(errno)
- {
- case EINVAL:
- fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
- break;
- case ENODEV:
- fprintf(stderr, "No such device. Is the virtual device valid? The ipsec module may not be linked into the kernel or loaded as a module.\n");
- break;
- case ENXIO:
- fprintf(stderr, "Device requested is not linked to any physical device.\n");
- break;
- default:
- fprintf(stderr, "Unknown socket error %d.\n", errno);
- }
- exit(1);
- }
- if(shc->cf_cmd == IPSEC_CLR_DEV) {
- fprintf(stderr, "%s: Socket ioctl failed on clear -- ", program_name);
- switch(errno)
- {
- case EINVAL:
- fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
- break;
- case ENODEV:
- fprintf(stderr, "Failed. Is the ipsec module linked into the kernel or loaded as a module?.\n");
- break;
- default:
- fprintf(stderr, "Unknown socket error %d.\n", errno);
- }
- exit(1);
- }
- }
- exit(0);
-}
-
-/*
- * $Log: tncfg.c,v $
- * Revision 1.1 2004/03/15 20:35:31 as
- * added files from freeswan-2.04-x509-1.5.3
- *
- * Revision 1.30 2002/04/24 07:55:32 mcr
- * #include patches and Makefiles for post-reorg compilation.
- *
- * Revision 1.29 2002/04/24 07:35:41 mcr
- * Moved from ./klips/utils/tncfg.c,v
- *
- * Revision 1.28 2002/03/08 21:44:05 rgb
- * Update for all GNU-compliant --version strings.
- *
- * Revision 1.27 2001/06/14 19:35:15 rgb
- * Update copyright date.
- *
- * Revision 1.26 2001/05/21 02:02:55 rgb
- * Eliminate 1-letter options.
- *
- * Revision 1.25 2001/05/16 05:07:20 rgb
- * Fixed --label option in KLIPS manual utils to add the label to the
- * command name rather than replace it in error text.
- * Fix 'print table' non-option in KLIPS manual utils to deal with --label
- * and --debug options.
- *
- * Revision 1.24 2000/09/12 13:09:05 rgb
- * Fixed real/physical discrepancy between tncfg.8 and tncfg.c.
- *
- * Revision 1.23 2000/08/27 01:48:30 rgb
- * Update copyright.
- *
- * Revision 1.22 2000/07/26 03:41:46 rgb
- * Changed all printf's to fprintf's. Fixed tncfg's usage to stderr.
- *
- * Revision 1.21 2000/06/21 16:51:27 rgb
- * Added no additional argument option to usage text.
- *
- * Revision 1.20 2000/01/21 06:26:31 rgb
- * Added --debug switch to command line.
- *
- * Revision 1.19 1999/12/08 20:32:41 rgb
- * Cleaned out unused cruft.
- * Changed include file, limiting scope, to avoid conflicts in 2.0.xx
- * kernels.
- *
- * Revision 1.18 1999/12/07 18:27:10 rgb
- * Added headers to silence fussy compilers.
- * Converted local functions to static to limit scope.
- *
- * Revision 1.17 1999/11/18 04:09:21 rgb
- * Replaced all kernel version macros to shorter, readable form.
- *
- * Revision 1.16 1999/05/25 01:45:36 rgb
- * Fix version macros for 2.0.x as a module.
- *
- * Revision 1.15 1999/05/05 22:02:34 rgb
- * Add a quick and dirty port to 2.2 kernels by Marc Boucher <marc@mbsi.ca>.
- *
- * Revision 1.14 1999/04/15 15:37:28 rgb
- * Forward check changes from POST1_00 branch.
- *
- * Revision 1.10.6.2 1999/04/13 20:58:10 rgb
- * Add argc==1 --> /proc/net/ipsec_*.
- *
- * Revision 1.10.6.1 1999/03/30 17:01:36 rgb
- * Make main() return type explicit.
- *
- * Revision 1.13 1999/04/11 00:12:09 henry
- * GPL boilerplate
- *
- * Revision 1.12 1999/04/06 04:54:39 rgb
- * Fix/Add RCSID Id: and Log: bits to make PHMDs happy. This includes
- * patch shell fixes.
- *
- * Revision 1.11 1999/03/17 15:40:54 rgb
- * Make explicit main() return type of int.
- *
- * Revision 1.10 1998/11/12 21:08:04 rgb
- * Add --label option to identify caller from scripts.
- *
- * Revision 1.9 1998/10/09 18:47:30 rgb
- * Add 'optionfrom' to get more options from a named file.
- *
- * Revision 1.8 1998/10/09 04:36:55 rgb
- * Changed help output from stderr to stdout.
- * Deleted old commented out cruft.
- *
- * Revision 1.7 1998/08/28 03:15:14 rgb
- * Add some manual long options to the usage text.
- *
- * Revision 1.6 1998/08/05 22:29:00 rgb
- * Change includes to accomodate RH5.x.
- * Force long option names.
- * Add ENXIO error return code to narrow down error reporting.
- *
- * Revision 1.5 1998/07/29 21:45:28 rgb
- * Convert to long option names.
- *
- * Revision 1.4 1998/07/09 18:14:11 rgb
- * Added error checking to IP's and keys.
- * Made most error messages more specific rather than spamming usage text.
- * Added more descriptive kernel error return codes and messages.
- * Converted all spi translations to unsigned.
- * Removed all invocations of perror.
- *
- * Revision 1.3 1998/05/27 18:48:20 rgb
- * Adding --help and --version directives.
- *
- * Revision 1.2 1998/04/23 21:11:39 rgb
- * Fixed 0 argument usage case to prevent sigsegv.
- *
- * Revision 1.1.1.1 1998/04/08 05:35:09 henry
- * RGB's ipsec-0.8pre2.tar.gz ipsec-0.8
- *
- * Revision 0.5 1997/06/03 04:31:55 ji
- * New file.
- *
- */
diff --git a/src/Makefile.am b/src/Makefile.am
new file mode 100644
index 000000000..a3f90f39e
--- /dev/null
+++ b/src/Makefile.am
@@ -0,0 +1 @@
+SUBDIRS = libfreeswan libcrypto libstrongswan pluto whack charon stroke starter openac scepclient ipsec _updown _updown_espmark _copyright
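Review bot: The single `SUBDIRS` line in the new src/Makefile.am is unconditional, so every build compiles and installs both `pluto` and `charon` together with `openac` and `scepclient`, whether or not the deployment uses them. If configure.in does not already provide switches for these (it is not visible in this hunk), the list could be assembled from conditionals so that unused daemons and tools stay off the installed system, for example `if USE_CHARON` / `SUBDIRS += charon` / `endif`, where the conditional name is constructed here for illustration. Automake descends into SUBDIRS in the order written, so a comment such as `# libraries first: SUBDIRS are built in the order listed` above the assignment would protect that ordering from a later edit.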
diff --git a/src/Makefile.in b/src/Makefile.in
new file mode 100644
index 000000000..6fa95d413
--- /dev/null
+++ b/src/Makefile.in
@@ -0,0 +1,497 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+SOURCES =
+DIST_SOURCES =
+RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
+ html-recursive info-recursive install-data-recursive \
+ install-exec-recursive install-info-recursive \
+ install-recursive installcheck-recursive installdirs-recursive \
+ pdf-recursive ps-recursive uninstall-info-recursive \
+ uninstall-recursive
+ETAGS = etags
+CTAGS = ctags
+DIST_SUBDIRS = $(SUBDIRS)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+SUBDIRS = libfreeswan libcrypto libstrongswan pluto whack charon stroke starter openac scepclient ipsec _updown _updown_espmark _copyright
+all: all-recursive
+
+.SUFFIXES:
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run `make' without going through this Makefile.
+# To change the values of `make' variables: instead of editing Makefiles,
+# (1) if the variable is set in `config.status', edit `config.status'
+# (which will cause the Makefiles to be regenerated when you run `make');
+# (2) otherwise, pass the desired values on the `make' command line.
+$(RECURSIVE_TARGETS):
+ @failcom='exit 1'; \
+ for f in x $$MAKEFLAGS; do \
+ case $$f in \
+ *=* | --[!k]*);; \
+ *k*) failcom='fail=yes';; \
+ esac; \
+ done; \
+ dot_seen=no; \
+ target=`echo $@ | sed s/-recursive//`; \
+ list='$(SUBDIRS)'; for subdir in $$list; do \
+ echo "Making $$target in $$subdir"; \
+ if test "$$subdir" = "."; then \
+ dot_seen=yes; \
+ local_target="$$target-am"; \
+ else \
+ local_target="$$target"; \
+ fi; \
+ (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+ || eval $$failcom; \
+ done; \
+ if test "$$dot_seen" = "no"; then \
+ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+ fi; test -z "$$fail"
+
+mostlyclean-recursive clean-recursive distclean-recursive \
+maintainer-clean-recursive:
+ @failcom='exit 1'; \
+ for f in x $$MAKEFLAGS; do \
+ case $$f in \
+ *=* | --[!k]*);; \
+ *k*) failcom='fail=yes';; \
+ esac; \
+ done; \
+ dot_seen=no; \
+ case "$@" in \
+ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+ *) list='$(SUBDIRS)' ;; \
+ esac; \
+ rev=''; for subdir in $$list; do \
+ if test "$$subdir" = "."; then :; else \
+ rev="$$subdir $$rev"; \
+ fi; \
+ done; \
+ rev="$$rev ."; \
+ target=`echo $@ | sed s/-recursive//`; \
+ for subdir in $$rev; do \
+ echo "Making $$target in $$subdir"; \
+ if test "$$subdir" = "."; then \
+ local_target="$$target-am"; \
+ else \
+ local_target="$$target"; \
+ fi; \
+ (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+ || eval $$failcom; \
+ done && test -z "$$fail"
+tags-recursive:
+ list='$(SUBDIRS)'; for subdir in $$list; do \
+ test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \
+ done
+ctags-recursive:
+ list='$(SUBDIRS)'; for subdir in $$list; do \
+ test "$$subdir" = . || (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+ include_option=--etags-include; \
+ empty_fix=.; \
+ else \
+ include_option=--include; \
+ empty_fix=; \
+ fi; \
+ list='$(SUBDIRS)'; for subdir in $$list; do \
+ if test "$$subdir" = .; then :; else \
+ test ! -f $$subdir/TAGS || \
+ tags="$$tags $$include_option=$$here/$$subdir/TAGS"; \
+ fi; \
+ done; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+ list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+ if test "$$subdir" = .; then :; else \
+ test -d "$(distdir)/$$subdir" \
+ || $(mkdir_p) "$(distdir)/$$subdir" \
+ || exit 1; \
+ distdir=`$(am__cd) $(distdir) && pwd`; \
+ top_distdir=`$(am__cd) $(top_distdir) && pwd`; \
+ (cd $$subdir && \
+ $(MAKE) $(AM_MAKEFLAGS) \
+ top_distdir="$$top_distdir" \
+ distdir="$$distdir/$$subdir" \
+ distdir) \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-recursive
+all-am: Makefile
+installdirs: installdirs-recursive
+installdirs-am:
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-recursive
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-recursive
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-recursive
+ -rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-libtool \
+ distclean-tags
+
+dvi: dvi-recursive
+
+dvi-am:
+
+html: html-recursive
+
+info: info-recursive
+
+info-am:
+
+install-data-am:
+
+install-exec-am:
+
+install-info: install-info-recursive
+
+install-man:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-recursive
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-recursive
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-recursive
+
+pdf-am:
+
+ps: ps-recursive
+
+ps-am:
+
+uninstall-am: uninstall-info-am
+
+uninstall-info: uninstall-info-recursive
+
+.PHONY: $(RECURSIVE_TARGETS) CTAGS GTAGS all all-am check check-am \
+ clean clean-generic clean-libtool clean-recursive ctags \
+ ctags-recursive distclean distclean-generic distclean-libtool \
+ distclean-recursive distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-exec install-exec-am install-info \
+ install-info-am install-man install-strip installcheck \
+ installcheck-am installdirs installdirs-am maintainer-clean \
+ maintainer-clean-generic maintainer-clean-recursive \
+ mostlyclean mostlyclean-generic mostlyclean-libtool \
+ mostlyclean-recursive pdf pdf-am ps ps-am tags tags-recursive \
+ uninstall uninstall-am uninstall-info-am
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/_copyright/Makefile.am b/src/_copyright/Makefile.am
new file mode 100644
index 000000000..d8dcfb3f1
--- /dev/null
+++ b/src/_copyright/Makefile.am
@@ -0,0 +1,6 @@
+ipsec_PROGRAMS = _copyright
+_copyright_SOURCES = _copyright.c
+dist_man8_MANS = _copyright.8
+
+INCLUDES = -I$(top_srcdir)/src/libfreeswan
+_copyright_LDADD = $(top_srcdir)/src/libfreeswan/libfreeswan.a
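Review bot: `_copyright_LDADD` on the last line of this hunk locates `libfreeswan.a` under `$(top_srcdir)`, but the archive is presumably a build product of the `libfreeswan` subdirectory rather than a shipped source file. In an out-of-tree (VPATH) build the object tree and the source tree differ, so the link step would either fail or pick up a stale archive left behind in the source directory. Build outputs should be referenced through the build tree: `_copyright_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a`. The `-I$(top_srcdir)/src/libfreeswan` include path is correct as written, since headers are sources. The generated `src/_copyright/Makefile.in` copies the same path into `_copyright_DEPENDENCIES` and will follow once it is regenerated.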
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
new file mode 100644
index 000000000..7e78b9185
--- /dev/null
+++ b/src/_copyright/Makefile.in
@@ -0,0 +1,529 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = _copyright$(EXEEXT)
+subdir = src/_copyright
+DIST_COMMON = $(dist_man8_MANS) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
+ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(ipsec_PROGRAMS)
+am__copyright_OBJECTS = _copyright.$(OBJEXT)
+_copyright_OBJECTS = $(am__copyright_OBJECTS)
+_copyright_DEPENDENCIES = $(top_srcdir)/src/libfreeswan/libfreeswan.a
+DEFAULT_INCLUDES = -I. -I$(srcdir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+SOURCES = $(_copyright_SOURCES)
+DIST_SOURCES = $(_copyright_SOURCES)
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(dist_man8_MANS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+_copyright_SOURCES = _copyright.c
+dist_man8_MANS = _copyright.8
+INCLUDES = -I$(top_srcdir)/src/libfreeswan
+_copyright_LDADD = $(top_srcdir)/src/libfreeswan/libfreeswan.a
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/_copyright/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/_copyright/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ if test -f $$p \
+ || test -f $$p1 \
+ ; then \
+ f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
+ else :; fi; \
+ done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
+ done
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f $$p $$f"; \
+ rm -f $$p $$f ; \
+ done
+_copyright$(EXEEXT): $(_copyright_OBJECTS) $(_copyright_DEPENDENCIES)
+ @rm -f _copyright$(EXEEXT)
+ $(LINK) $(_copyright_LDFLAGS) $(_copyright_OBJECTS) $(_copyright_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/_copyright.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+install-man8: $(man8_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS) $(MANS)
+installdirs:
+ for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-libtool distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-man
+
+install-exec-am:
+
+install-info: install-info-am
+
+install-man: install-man8
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-info-am uninstall-ipsecPROGRAMS uninstall-man
+
+uninstall-man: uninstall-man8
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-ipsecPROGRAMS clean-libtool ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-exec \
+ install-exec-am install-info install-info-am \
+ install-ipsecPROGRAMS install-man install-man8 install-strip \
+ installcheck installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-info-am \
+ uninstall-ipsecPROGRAMS uninstall-man uninstall-man8
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/programs/_copyright/_copyright.8 b/src/_copyright/_copyright.8
index 87e4adc98..87e4adc98 100644
--- a/programs/_copyright/_copyright.8
+++ b/src/_copyright/_copyright.8
diff --git a/programs/_copyright/_copyright.c b/src/_copyright/_copyright.c
index 0fb360f40..0fb360f40 100644
--- a/programs/_copyright/_copyright.c
+++ b/src/_copyright/_copyright.c
diff --git a/src/_updown/Makefile.am b/src/_updown/Makefile.am
new file mode 100644
index 000000000..27a467c4f
--- /dev/null
+++ b/src/_updown/Makefile.am
@@ -0,0 +1,3 @@
+dist_ipsec_SCRIPTS = _updown
+dist_man8_MANS = _updown.8
+
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
new file mode 100644
index 000000000..ccb176fbc
--- /dev/null
+++ b/src/_updown/Makefile.in
@@ -0,0 +1,421 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/_updown
+DIST_COMMON = $(dist_ipsec_SCRIPTS) $(dist_man8_MANS) \
+ $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
+dist_ipsecSCRIPT_INSTALL = $(INSTALL_SCRIPT)
+SCRIPTS = $(dist_ipsec_SCRIPTS)
+SOURCES =
+DIST_SOURCES =
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(dist_man8_MANS)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+dist_ipsec_SCRIPTS = _updown
+dist_man8_MANS = _updown.8
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/_updown/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/_updown/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-dist_ipsecSCRIPTS: $(dist_ipsec_SCRIPTS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)"
+ @list='$(dist_ipsec_SCRIPTS)'; for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ if test -f $$d$$p; then \
+ f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \
+ echo " $(dist_ipsecSCRIPT_INSTALL) '$$d$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(dist_ipsecSCRIPT_INSTALL) "$$d$$p" "$(DESTDIR)$(ipsecdir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-dist_ipsecSCRIPTS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(dist_ipsec_SCRIPTS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \
+ echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
+ done
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+install-man8: $(man8_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(SCRIPTS) $(MANS)
+installdirs:
+ for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+ -rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-libtool
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-dist_ipsecSCRIPTS install-man
+
+install-exec-am:
+
+install-info: install-info-am
+
+install-man: install-man8
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-dist_ipsecSCRIPTS uninstall-info-am \
+ uninstall-man
+
+uninstall-man: uninstall-man8
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+ distclean distclean-generic distclean-libtool distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dist_ipsecSCRIPTS \
+ install-exec install-exec-am install-info install-info-am \
+ install-man install-man8 install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am \
+ uninstall-dist_ipsecSCRIPTS uninstall-info-am uninstall-man \
+ uninstall-man8
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/programs/_updown/_updown.in b/src/_updown/_updown
index 8db74f737..8db74f737 100755
--- a/programs/_updown/_updown.in
+++ b/src/_updown/_updown
diff --git a/programs/_updown/_updown.8 b/src/_updown/_updown.8
index 5107d3694..5107d3694 100644
--- a/programs/_updown/_updown.8
+++ b/src/_updown/_updown.8
diff --git a/src/_updown_espmark/Makefile.am b/src/_updown_espmark/Makefile.am
new file mode 100644
index 000000000..456702690
--- /dev/null
+++ b/src/_updown_espmark/Makefile.am
@@ -0,0 +1,2 @@
+dist_ipsec_SCRIPTS = _updown_espmark
+dist_man8_MANS = _updown_espmark.8
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
new file mode 100644
index 000000000..0286c8f58
--- /dev/null
+++ b/src/_updown_espmark/Makefile.in
@@ -0,0 +1,421 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/_updown_espmark
+DIST_COMMON = $(dist_ipsec_SCRIPTS) $(dist_man8_MANS) \
+ $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
+dist_ipsecSCRIPT_INSTALL = $(INSTALL_SCRIPT)
+SCRIPTS = $(dist_ipsec_SCRIPTS)
+SOURCES =
+DIST_SOURCES =
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(dist_man8_MANS)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+dist_ipsec_SCRIPTS = _updown_espmark
+dist_man8_MANS = _updown_espmark.8
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/_updown_espmark/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/_updown_espmark/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-dist_ipsecSCRIPTS: $(dist_ipsec_SCRIPTS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)"
+ @list='$(dist_ipsec_SCRIPTS)'; for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ if test -f $$d$$p; then \
+ f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \
+ echo " $(dist_ipsecSCRIPT_INSTALL) '$$d$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(dist_ipsecSCRIPT_INSTALL) "$$d$$p" "$(DESTDIR)$(ipsecdir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-dist_ipsecSCRIPTS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(dist_ipsec_SCRIPTS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \
+ echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
+ done
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+install-man8: $(man8_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(SCRIPTS) $(MANS)
+installdirs:
+ for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+ -rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-libtool
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-dist_ipsecSCRIPTS install-man
+
+install-exec-am:
+
+install-info: install-info-am
+
+install-man: install-man8
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-dist_ipsecSCRIPTS uninstall-info-am \
+ uninstall-man
+
+uninstall-man: uninstall-man8
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+ distclean distclean-generic distclean-libtool distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dist_ipsecSCRIPTS \
+ install-exec install-exec-am install-info install-info-am \
+ install-man install-man8 install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am \
+ uninstall-dist_ipsecSCRIPTS uninstall-info-am uninstall-man \
+ uninstall-man8
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/programs/_updown_espmark/_updown_espmark.in b/src/_updown_espmark/_updown_espmark
index 3627d470d..3627d470d 100644
--- a/programs/_updown_espmark/_updown_espmark.in
+++ b/src/_updown_espmark/_updown_espmark
diff --git a/programs/_updown_espmark/_updown_espmark.8 b/src/_updown_espmark/_updown_espmark.8
index 91eaa5cb7..91eaa5cb7 100644
--- a/programs/_updown_espmark/_updown_espmark.8
+++ b/src/_updown_espmark/_updown_espmark.8
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
new file mode 100644
index 000000000..9522b6e6d
--- /dev/null
+++ b/src/charon/Makefile.am
@@ -0,0 +1,87 @@
+# SUBDIRS = . testing
+
+eap_LTLIBRARIES = libeapidentity.la
+
+# always build EAP Identity module
+libeapidentity_la_SOURCES = sa/authenticators/eap/eap_identity.h sa/authenticators/eap/eap_identity.c
+libeapidentity_la_LDFLAGS = -module
+
+# build optional EAP modules
+if BUILD_EAP_SIM
+ eap_LTLIBRARIES += libeapsim.la
+ libeapsim_la_SOURCES = sa/authenticators/eap/eap_sim.h sa/authenticators/eap/eap_sim.c
+ libeapsim_la_LDFLAGS = -module
+endif
+
+ipsec_PROGRAMS = charon
+
+charon_SOURCES = \
+bus/bus.c bus/bus.h \
+bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
+bus/listeners/file_logger.c bus/listeners/file_logger.h \
+config/connections/connection.c config/connections/connection.h \
+config/connections/local_connection_store.c config/connections/local_connection_store.h config/connections/connection_store.h \
+config/policies/policy.c config/policies/policy.h \
+config/policies/local_policy_store.c config/policies/policy_store.h config/policies/local_policy_store.h \
+config/credentials/local_credential_store.c config/credentials/local_credential_store.h \
+config/traffic_selector.c config/traffic_selector.h \
+config/proposal.c config/proposal.h config/configuration.c config/configuration.h \
+sa/authenticators/eap_authenticator.h sa/authenticators/eap_authenticator.c \
+sa/authenticators/eap/eap_method.h sa/authenticators/eap/eap_method.c \
+sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
+sa/ike_sa_id.c sa/ike_sa_id.h sa/tasks/task.c sa/tasks/task.h \
+sa/tasks/ike_init.c sa/tasks/ike_init.h \
+sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
+sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
+sa/tasks/ike_config.c sa/tasks/ike_config.h \
+sa/tasks/ike_cert.c sa/tasks/ike_cert.h \
+sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
+sa/tasks/ike_delete.c sa/tasks/ike_delete.h \
+sa/tasks/ike_dpd.c sa/tasks/ike_dpd.h \
+sa/tasks/child_create.c sa/tasks/child_create.h \
+sa/tasks/child_delete.c sa/tasks/child_delete.h \
+sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
+sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
+sa/authenticators/rsa_authenticator.c sa/authenticators/rsa_authenticator.h \
+sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
+sa/task_manager.c sa/task_manager.h encoding/payloads/encryption_payload.c \
+encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \
+encoding/payloads/configuration_attribute.h encoding/payloads/proposal_substructure.h \
+encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \
+encoding/payloads/configuration_attribute.c encoding/payloads/transform_substructure.c \
+encoding/payloads/encryption_payload.h encoding/payloads/auth_payload.c encoding/payloads/ike_header.c \
+encoding/payloads/transform_substructure.h encoding/payloads/nonce_payload.c encoding/payloads/cert_payload.h \
+encoding/payloads/eap_payload.c encoding/payloads/ike_header.h encoding/payloads/auth_payload.h \
+encoding/payloads/ts_payload.c encoding/payloads/traffic_selector_substructure.h encoding/payloads/nonce_payload.h \
+encoding/payloads/notify_payload.c encoding/payloads/eap_payload.h encoding/payloads/notify_payload.h \
+encoding/payloads/ts_payload.h encoding/payloads/id_payload.c encoding/payloads/ke_payload.c \
+encoding/payloads/unknown_payload.c encoding/payloads/encodings.c encoding/payloads/id_payload.h \
+encoding/payloads/cp_payload.c encoding/payloads/delete_payload.c encoding/payloads/sa_payload.c \
+encoding/payloads/ke_payload.h encoding/payloads/unknown_payload.h encoding/payloads/encodings.h \
+encoding/payloads/certreq_payload.c encoding/payloads/cp_payload.h encoding/payloads/delete_payload.h \
+encoding/payloads/sa_payload.h encoding/payloads/vendor_id_payload.c encoding/payloads/certreq_payload.h \
+encoding/payloads/vendor_id_payload.h encoding/payloads/proposal_substructure.c encoding/payloads/payload.c \
+encoding/parser.h encoding/message.c encoding/generator.c encoding/message.h encoding/generator.h \
+encoding/parser.c daemon.c daemon.h network/packet.c \
+network/socket.c network/packet.h network/socket.h queues/jobs/job.h queues/jobs/job.c \
+queues/jobs/retransmit_job.h queues/jobs/initiate_job.h \
+queues/jobs/process_message_job.h queues/jobs/process_message_job.c \
+queues/jobs/delete_ike_sa_job.c queues/jobs/delete_ike_sa_job.h \
+queues/jobs/retransmit_job.c queues/jobs/initiate_job.c \
+queues/jobs/send_keepalive_job.c queues/jobs/send_keepalive_job.h \
+queues/jobs/rekey_child_sa_job.c queues/jobs/rekey_child_sa_job.h queues/jobs/delete_child_sa_job.c queues/jobs/delete_child_sa_job.h \
+queues/jobs/send_dpd_job.c queues/jobs/send_dpd_job.h queues/jobs/route_job.c queues/jobs/route_job.h \
+queues/jobs/acquire_job.c queues/jobs/acquire_job.h queues/jobs/rekey_ike_sa_job.c queues/jobs/rekey_ike_sa_job.h \
+queues/job_queue.c queues/event_queue.c queues/job_queue.h queues/event_queue.h \
+threads/kernel_interface.c threads/thread_pool.c threads/scheduler.c threads/sender.c \
+threads/sender.h threads/kernel_interface.h threads/scheduler.h threads/receiver.c threads/stroke_interface.c \
+threads/thread_pool.h threads/receiver.h threads/stroke_interface.h
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\"
+charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lgmp -lpthread -lm -ldl
+
+if USE_LIBCURL
+ charon_LDADD += -lcurl
+endif
+
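Review bot: `-rdynamic` on the `AM_CFLAGS` line is a link-time option and the `-D` path defines are preprocessor flags, so both sit in the wrong variable; they take effect only because automake also passes `AM_CFLAGS` on the link line, and they are applied to the `libeapidentity`/`libeapsim` objects as well, where `-rdynamic` has no meaning. I would split the line into `charon_LDFLAGS = -export-dynamic` and `AM_CPPFLAGS = -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\"`, and fold the `INCLUDES` entries into `AM_CPPFLAGS` too. Because the EAP libraries are built with `-module`, `charon` links `-ldl` and `IPSEC_EAPDIR` is compiled in, the daemon presumably loads shared objects from `eapdir` at run time (the loader is not in this hunk), so a comment above `eap_LTLIBRARIES` is warranted, such as `# modules in $(eapdir) are loaded into charon; the directory must be writable by root only`. Adding `-avoid-version` next to `-module` would also keep libtool from installing versioned symlinks for these plugins.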
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
new file mode 100644
index 000000000..0f2979d32
--- /dev/null
+++ b/src/charon/Makefile.in
@@ -0,0 +1,1878 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# SUBDIRS = . testing
+
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+
+# build optional EAP modules
+@BUILD_EAP_SIM_TRUE@am__append_1 = libeapsim.la
+ipsec_PROGRAMS = charon$(EXEEXT)
+@USE_LIBCURL_TRUE@am__append_2 = -lcurl
+subdir = src/charon
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(eapdir)" "$(DESTDIR)$(ipsecdir)"
+eapLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(eap_LTLIBRARIES)
+libeapidentity_la_LIBADD =
+am_libeapidentity_la_OBJECTS = eap_identity.lo
+libeapidentity_la_OBJECTS = $(am_libeapidentity_la_OBJECTS)
+libeapsim_la_LIBADD =
+am__libeapsim_la_SOURCES_DIST = sa/authenticators/eap/eap_sim.h \
+ sa/authenticators/eap/eap_sim.c
+@BUILD_EAP_SIM_TRUE@am_libeapsim_la_OBJECTS = eap_sim.lo
+libeapsim_la_OBJECTS = $(am_libeapsim_la_OBJECTS)
+@BUILD_EAP_SIM_TRUE@am_libeapsim_la_rpath = -rpath $(eapdir)
+ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(ipsec_PROGRAMS)
+am_charon_OBJECTS = bus.$(OBJEXT) sys_logger.$(OBJEXT) \
+ file_logger.$(OBJEXT) connection.$(OBJEXT) \
+ local_connection_store.$(OBJEXT) policy.$(OBJEXT) \
+ local_policy_store.$(OBJEXT) local_credential_store.$(OBJEXT) \
+ traffic_selector.$(OBJEXT) proposal.$(OBJEXT) \
+ configuration.$(OBJEXT) eap_authenticator.$(OBJEXT) \
+ eap_method.$(OBJEXT) child_sa.$(OBJEXT) ike_sa.$(OBJEXT) \
+ ike_sa_manager.$(OBJEXT) ike_sa_id.$(OBJEXT) task.$(OBJEXT) \
+ ike_init.$(OBJEXT) ike_natd.$(OBJEXT) ike_auth.$(OBJEXT) \
+ ike_config.$(OBJEXT) ike_cert.$(OBJEXT) ike_rekey.$(OBJEXT) \
+ ike_delete.$(OBJEXT) ike_dpd.$(OBJEXT) child_create.$(OBJEXT) \
+ child_delete.$(OBJEXT) child_rekey.$(OBJEXT) \
+ authenticator.$(OBJEXT) rsa_authenticator.$(OBJEXT) \
+ psk_authenticator.$(OBJEXT) task_manager.$(OBJEXT) \
+ encryption_payload.$(OBJEXT) cert_payload.$(OBJEXT) \
+ traffic_selector_substructure.$(OBJEXT) \
+ transform_attribute.$(OBJEXT) \
+ configuration_attribute.$(OBJEXT) \
+ transform_substructure.$(OBJEXT) auth_payload.$(OBJEXT) \
+ ike_header.$(OBJEXT) nonce_payload.$(OBJEXT) \
+ eap_payload.$(OBJEXT) ts_payload.$(OBJEXT) \
+ notify_payload.$(OBJEXT) id_payload.$(OBJEXT) \
+ ke_payload.$(OBJEXT) unknown_payload.$(OBJEXT) \
+ encodings.$(OBJEXT) cp_payload.$(OBJEXT) \
+ delete_payload.$(OBJEXT) sa_payload.$(OBJEXT) \
+ certreq_payload.$(OBJEXT) vendor_id_payload.$(OBJEXT) \
+ proposal_substructure.$(OBJEXT) payload.$(OBJEXT) \
+ message.$(OBJEXT) generator.$(OBJEXT) parser.$(OBJEXT) \
+ daemon.$(OBJEXT) packet.$(OBJEXT) socket.$(OBJEXT) \
+ job.$(OBJEXT) process_message_job.$(OBJEXT) \
+ delete_ike_sa_job.$(OBJEXT) retransmit_job.$(OBJEXT) \
+ initiate_job.$(OBJEXT) send_keepalive_job.$(OBJEXT) \
+ rekey_child_sa_job.$(OBJEXT) delete_child_sa_job.$(OBJEXT) \
+ send_dpd_job.$(OBJEXT) route_job.$(OBJEXT) \
+ acquire_job.$(OBJEXT) rekey_ike_sa_job.$(OBJEXT) \
+ job_queue.$(OBJEXT) event_queue.$(OBJEXT) \
+ kernel_interface.$(OBJEXT) thread_pool.$(OBJEXT) \
+ scheduler.$(OBJEXT) sender.$(OBJEXT) receiver.$(OBJEXT) \
+ stroke_interface.$(OBJEXT)
+charon_OBJECTS = $(am_charon_OBJECTS)
+am__DEPENDENCIES_1 =
+charon_DEPENDENCIES = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(srcdir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+SOURCES = $(libeapidentity_la_SOURCES) $(libeapsim_la_SOURCES) \
+ $(charon_SOURCES)
+DIST_SOURCES = $(libeapidentity_la_SOURCES) \
+ $(am__libeapsim_la_SOURCES_DIST) $(charon_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+eap_LTLIBRARIES = libeapidentity.la $(am__append_1)
+
+# always build EAP Identity module
+libeapidentity_la_SOURCES = sa/authenticators/eap/eap_identity.h sa/authenticators/eap/eap_identity.c
+libeapidentity_la_LDFLAGS = -module
+@BUILD_EAP_SIM_TRUE@libeapsim_la_SOURCES = sa/authenticators/eap/eap_sim.h sa/authenticators/eap/eap_sim.c
+@BUILD_EAP_SIM_TRUE@libeapsim_la_LDFLAGS = -module
+charon_SOURCES = \
+bus/bus.c bus/bus.h \
+bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
+bus/listeners/file_logger.c bus/listeners/file_logger.h \
+config/connections/connection.c config/connections/connection.h \
+config/connections/local_connection_store.c config/connections/local_connection_store.h config/connections/connection_store.h \
+config/policies/policy.c config/policies/policy.h \
+config/policies/local_policy_store.c config/policies/policy_store.h config/policies/local_policy_store.h \
+config/credentials/local_credential_store.c config/credentials/local_credential_store.h \
+config/traffic_selector.c config/traffic_selector.h \
+config/proposal.c config/proposal.h config/configuration.c config/configuration.h \
+sa/authenticators/eap_authenticator.h sa/authenticators/eap_authenticator.c \
+sa/authenticators/eap/eap_method.h sa/authenticators/eap/eap_method.c \
+sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
+sa/ike_sa_id.c sa/ike_sa_id.h sa/tasks/task.c sa/tasks/task.h \
+sa/tasks/ike_init.c sa/tasks/ike_init.h \
+sa/tasks/ike_natd.c sa/tasks/ike_natd.h \
+sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
+sa/tasks/ike_config.c sa/tasks/ike_config.h \
+sa/tasks/ike_cert.c sa/tasks/ike_cert.h \
+sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \
+sa/tasks/ike_delete.c sa/tasks/ike_delete.h \
+sa/tasks/ike_dpd.c sa/tasks/ike_dpd.h \
+sa/tasks/child_create.c sa/tasks/child_create.h \
+sa/tasks/child_delete.c sa/tasks/child_delete.h \
+sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
+sa/authenticators/authenticator.c sa/authenticators/authenticator.h \
+sa/authenticators/rsa_authenticator.c sa/authenticators/rsa_authenticator.h \
+sa/authenticators/psk_authenticator.c sa/authenticators/psk_authenticator.h \
+sa/task_manager.c sa/task_manager.h encoding/payloads/encryption_payload.c \
+encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \
+encoding/payloads/configuration_attribute.h encoding/payloads/proposal_substructure.h \
+encoding/payloads/transform_attribute.c encoding/payloads/transform_attribute.h \
+encoding/payloads/configuration_attribute.c encoding/payloads/transform_substructure.c \
+encoding/payloads/encryption_payload.h encoding/payloads/auth_payload.c encoding/payloads/ike_header.c \
+encoding/payloads/transform_substructure.h encoding/payloads/nonce_payload.c encoding/payloads/cert_payload.h \
+encoding/payloads/eap_payload.c encoding/payloads/ike_header.h encoding/payloads/auth_payload.h \
+encoding/payloads/ts_payload.c encoding/payloads/traffic_selector_substructure.h encoding/payloads/nonce_payload.h \
+encoding/payloads/notify_payload.c encoding/payloads/eap_payload.h encoding/payloads/notify_payload.h \
+encoding/payloads/ts_payload.h encoding/payloads/id_payload.c encoding/payloads/ke_payload.c \
+encoding/payloads/unknown_payload.c encoding/payloads/encodings.c encoding/payloads/id_payload.h \
+encoding/payloads/cp_payload.c encoding/payloads/delete_payload.c encoding/payloads/sa_payload.c \
+encoding/payloads/ke_payload.h encoding/payloads/unknown_payload.h encoding/payloads/encodings.h \
+encoding/payloads/certreq_payload.c encoding/payloads/cp_payload.h encoding/payloads/delete_payload.h \
+encoding/payloads/sa_payload.h encoding/payloads/vendor_id_payload.c encoding/payloads/certreq_payload.h \
+encoding/payloads/vendor_id_payload.h encoding/payloads/proposal_substructure.c encoding/payloads/payload.c \
+encoding/parser.h encoding/message.c encoding/generator.c encoding/message.h encoding/generator.h \
+encoding/parser.c daemon.c daemon.h network/packet.c \
+network/socket.c network/packet.h network/socket.h queues/jobs/job.h queues/jobs/job.c \
+queues/jobs/retransmit_job.h queues/jobs/initiate_job.h \
+queues/jobs/process_message_job.h queues/jobs/process_message_job.c \
+queues/jobs/delete_ike_sa_job.c queues/jobs/delete_ike_sa_job.h \
+queues/jobs/retransmit_job.c queues/jobs/initiate_job.c \
+queues/jobs/send_keepalive_job.c queues/jobs/send_keepalive_job.h \
+queues/jobs/rekey_child_sa_job.c queues/jobs/rekey_child_sa_job.h queues/jobs/delete_child_sa_job.c queues/jobs/delete_child_sa_job.h \
+queues/jobs/send_dpd_job.c queues/jobs/send_dpd_job.h queues/jobs/route_job.c queues/jobs/route_job.h \
+queues/jobs/acquire_job.c queues/jobs/acquire_job.h queues/jobs/rekey_ike_sa_job.c queues/jobs/rekey_ike_sa_job.h \
+queues/job_queue.c queues/event_queue.c queues/job_queue.h queues/event_queue.h \
+threads/kernel_interface.c threads/thread_pool.c threads/scheduler.c threads/sender.c \
+threads/sender.h threads/kernel_interface.h threads/scheduler.h threads/receiver.c threads/stroke_interface.c \
+threads/thread_pool.h threads/receiver.h threads/stroke_interface.h
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
+AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\"
+charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ -lgmp -lpthread -lm -ldl $(am__append_2)
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/charon/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-eapLTLIBRARIES: $(eap_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(eapdir)" || $(mkdir_p) "$(DESTDIR)$(eapdir)"
+ @list='$(eap_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) --mode=install $(eapLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(eapdir)/$$f'"; \
+ $(LIBTOOL) --mode=install $(eapLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(eapdir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-eapLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @set -x; list='$(eap_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(eapdir)/$$p'"; \
+ $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(eapdir)/$$p"; \
+ done
+
+clean-eapLTLIBRARIES:
+ -test -z "$(eap_LTLIBRARIES)" || rm -f $(eap_LTLIBRARIES)
+ @list='$(eap_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libeapidentity.la: $(libeapidentity_la_OBJECTS) $(libeapidentity_la_DEPENDENCIES)
+ $(LINK) -rpath $(eapdir) $(libeapidentity_la_LDFLAGS) $(libeapidentity_la_OBJECTS) $(libeapidentity_la_LIBADD) $(LIBS)
+libeapsim.la: $(libeapsim_la_OBJECTS) $(libeapsim_la_DEPENDENCIES)
+ $(LINK) $(am_libeapsim_la_rpath) $(libeapsim_la_LDFLAGS) $(libeapsim_la_OBJECTS) $(libeapsim_la_LIBADD) $(LIBS)
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ if test -f $$p \
+ || test -f $$p1 \
+ ; then \
+ f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
+ else :; fi; \
+ done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
+ done
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f $$p $$f"; \
+ rm -f $$p $$f ; \
+ done
+charon$(EXEEXT): $(charon_OBJECTS) $(charon_DEPENDENCIES)
+ @rm -f charon$(EXEEXT)
+ $(LINK) $(charon_LDFLAGS) $(charon_OBJECTS) $(charon_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acquire_job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bus.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certreq_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_create.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_delete.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_rekey.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_sa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/configuration.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/configuration_attribute.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connection.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cp_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/daemon.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_child_sa_job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_ike_sa_job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_authenticator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_identity.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_method.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/encodings.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/encryption_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/event_queue.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file_logger.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/generator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_auth.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_cert.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_config.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_delete.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_dpd.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_header.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_init.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_natd.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_rekey.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_id.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_manager.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/job_queue.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_interface.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_connection_store.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_credential_store.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/local_policy_store.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/message.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nonce_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/notify_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parser.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/policy.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/process_message_job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal_substructure.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/psk_authenticator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/receiver.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rekey_child_sa_job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rekey_ike_sa_job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/retransmit_job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/route_job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rsa_authenticator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sa_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scheduler.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_dpd_job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/send_keepalive_job.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sender.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_interface.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread_pool.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ts_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unknown_payload.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vendor_id_payload.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+eap_identity.lo: sa/authenticators/eap/eap_identity.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_identity.lo -MD -MP -MF "$(DEPDIR)/eap_identity.Tpo" -c -o eap_identity.lo `test -f 'sa/authenticators/eap/eap_identity.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_identity.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_identity.Tpo" "$(DEPDIR)/eap_identity.Plo"; else rm -f "$(DEPDIR)/eap_identity.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap/eap_identity.c' object='eap_identity.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_identity.lo `test -f 'sa/authenticators/eap/eap_identity.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_identity.c
+
+eap_sim.lo: sa/authenticators/eap/eap_sim.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_sim.lo -MD -MP -MF "$(DEPDIR)/eap_sim.Tpo" -c -o eap_sim.lo `test -f 'sa/authenticators/eap/eap_sim.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_sim.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_sim.Tpo" "$(DEPDIR)/eap_sim.Plo"; else rm -f "$(DEPDIR)/eap_sim.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap/eap_sim.c' object='eap_sim.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_sim.lo `test -f 'sa/authenticators/eap/eap_sim.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_sim.c
+
+bus.o: bus/bus.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bus.o -MD -MP -MF "$(DEPDIR)/bus.Tpo" -c -o bus.o `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/bus.Tpo" "$(DEPDIR)/bus.Po"; else rm -f "$(DEPDIR)/bus.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bus/bus.c' object='bus.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bus.o `test -f 'bus/bus.c' || echo '$(srcdir)/'`bus/bus.c
+
+bus.obj: bus/bus.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bus.obj -MD -MP -MF "$(DEPDIR)/bus.Tpo" -c -o bus.obj `if test -f 'bus/bus.c'; then $(CYGPATH_W) 'bus/bus.c'; else $(CYGPATH_W) '$(srcdir)/bus/bus.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/bus.Tpo" "$(DEPDIR)/bus.Po"; else rm -f "$(DEPDIR)/bus.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bus/bus.c' object='bus.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bus.obj `if test -f 'bus/bus.c'; then $(CYGPATH_W) 'bus/bus.c'; else $(CYGPATH_W) '$(srcdir)/bus/bus.c'; fi`
+
+sys_logger.o: bus/listeners/sys_logger.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.o -MD -MP -MF "$(DEPDIR)/sys_logger.Tpo" -c -o sys_logger.o `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sys_logger.Tpo" "$(DEPDIR)/sys_logger.Po"; else rm -f "$(DEPDIR)/sys_logger.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bus/listeners/sys_logger.c' object='sys_logger.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.o `test -f 'bus/listeners/sys_logger.c' || echo '$(srcdir)/'`bus/listeners/sys_logger.c
+
+sys_logger.obj: bus/listeners/sys_logger.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sys_logger.obj -MD -MP -MF "$(DEPDIR)/sys_logger.Tpo" -c -o sys_logger.obj `if test -f 'bus/listeners/sys_logger.c'; then $(CYGPATH_W) 'bus/listeners/sys_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/sys_logger.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sys_logger.Tpo" "$(DEPDIR)/sys_logger.Po"; else rm -f "$(DEPDIR)/sys_logger.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bus/listeners/sys_logger.c' object='sys_logger.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sys_logger.obj `if test -f 'bus/listeners/sys_logger.c'; then $(CYGPATH_W) 'bus/listeners/sys_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/sys_logger.c'; fi`
+
+file_logger.o: bus/listeners/file_logger.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT file_logger.o -MD -MP -MF "$(DEPDIR)/file_logger.Tpo" -c -o file_logger.o `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/file_logger.Tpo" "$(DEPDIR)/file_logger.Po"; else rm -f "$(DEPDIR)/file_logger.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bus/listeners/file_logger.c' object='file_logger.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o file_logger.o `test -f 'bus/listeners/file_logger.c' || echo '$(srcdir)/'`bus/listeners/file_logger.c
+
+file_logger.obj: bus/listeners/file_logger.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT file_logger.obj -MD -MP -MF "$(DEPDIR)/file_logger.Tpo" -c -o file_logger.obj `if test -f 'bus/listeners/file_logger.c'; then $(CYGPATH_W) 'bus/listeners/file_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/file_logger.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/file_logger.Tpo" "$(DEPDIR)/file_logger.Po"; else rm -f "$(DEPDIR)/file_logger.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='bus/listeners/file_logger.c' object='file_logger.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o file_logger.obj `if test -f 'bus/listeners/file_logger.c'; then $(CYGPATH_W) 'bus/listeners/file_logger.c'; else $(CYGPATH_W) '$(srcdir)/bus/listeners/file_logger.c'; fi`
+
+connection.o: config/connections/connection.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connection.o -MD -MP -MF "$(DEPDIR)/connection.Tpo" -c -o connection.o `test -f 'config/connections/connection.c' || echo '$(srcdir)/'`config/connections/connection.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/connection.Tpo" "$(DEPDIR)/connection.Po"; else rm -f "$(DEPDIR)/connection.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/connections/connection.c' object='connection.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connection.o `test -f 'config/connections/connection.c' || echo '$(srcdir)/'`config/connections/connection.c
+
+connection.obj: config/connections/connection.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT connection.obj -MD -MP -MF "$(DEPDIR)/connection.Tpo" -c -o connection.obj `if test -f 'config/connections/connection.c'; then $(CYGPATH_W) 'config/connections/connection.c'; else $(CYGPATH_W) '$(srcdir)/config/connections/connection.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/connection.Tpo" "$(DEPDIR)/connection.Po"; else rm -f "$(DEPDIR)/connection.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/connections/connection.c' object='connection.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o connection.obj `if test -f 'config/connections/connection.c'; then $(CYGPATH_W) 'config/connections/connection.c'; else $(CYGPATH_W) '$(srcdir)/config/connections/connection.c'; fi`
+
+local_connection_store.o: config/connections/local_connection_store.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_connection_store.o -MD -MP -MF "$(DEPDIR)/local_connection_store.Tpo" -c -o local_connection_store.o `test -f 'config/connections/local_connection_store.c' || echo '$(srcdir)/'`config/connections/local_connection_store.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_connection_store.Tpo" "$(DEPDIR)/local_connection_store.Po"; else rm -f "$(DEPDIR)/local_connection_store.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/connections/local_connection_store.c' object='local_connection_store.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_connection_store.o `test -f 'config/connections/local_connection_store.c' || echo '$(srcdir)/'`config/connections/local_connection_store.c
+
+local_connection_store.obj: config/connections/local_connection_store.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_connection_store.obj -MD -MP -MF "$(DEPDIR)/local_connection_store.Tpo" -c -o local_connection_store.obj `if test -f 'config/connections/local_connection_store.c'; then $(CYGPATH_W) 'config/connections/local_connection_store.c'; else $(CYGPATH_W) '$(srcdir)/config/connections/local_connection_store.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_connection_store.Tpo" "$(DEPDIR)/local_connection_store.Po"; else rm -f "$(DEPDIR)/local_connection_store.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/connections/local_connection_store.c' object='local_connection_store.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_connection_store.obj `if test -f 'config/connections/local_connection_store.c'; then $(CYGPATH_W) 'config/connections/local_connection_store.c'; else $(CYGPATH_W) '$(srcdir)/config/connections/local_connection_store.c'; fi`
+
+policy.o: config/policies/policy.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT policy.o -MD -MP -MF "$(DEPDIR)/policy.Tpo" -c -o policy.o `test -f 'config/policies/policy.c' || echo '$(srcdir)/'`config/policies/policy.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/policy.Tpo" "$(DEPDIR)/policy.Po"; else rm -f "$(DEPDIR)/policy.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/policies/policy.c' object='policy.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o policy.o `test -f 'config/policies/policy.c' || echo '$(srcdir)/'`config/policies/policy.c
+
+policy.obj: config/policies/policy.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT policy.obj -MD -MP -MF "$(DEPDIR)/policy.Tpo" -c -o policy.obj `if test -f 'config/policies/policy.c'; then $(CYGPATH_W) 'config/policies/policy.c'; else $(CYGPATH_W) '$(srcdir)/config/policies/policy.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/policy.Tpo" "$(DEPDIR)/policy.Po"; else rm -f "$(DEPDIR)/policy.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/policies/policy.c' object='policy.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o policy.obj `if test -f 'config/policies/policy.c'; then $(CYGPATH_W) 'config/policies/policy.c'; else $(CYGPATH_W) '$(srcdir)/config/policies/policy.c'; fi`
+
+local_policy_store.o: config/policies/local_policy_store.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_policy_store.o -MD -MP -MF "$(DEPDIR)/local_policy_store.Tpo" -c -o local_policy_store.o `test -f 'config/policies/local_policy_store.c' || echo '$(srcdir)/'`config/policies/local_policy_store.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_policy_store.Tpo" "$(DEPDIR)/local_policy_store.Po"; else rm -f "$(DEPDIR)/local_policy_store.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/policies/local_policy_store.c' object='local_policy_store.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_policy_store.o `test -f 'config/policies/local_policy_store.c' || echo '$(srcdir)/'`config/policies/local_policy_store.c
+
+local_policy_store.obj: config/policies/local_policy_store.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_policy_store.obj -MD -MP -MF "$(DEPDIR)/local_policy_store.Tpo" -c -o local_policy_store.obj `if test -f 'config/policies/local_policy_store.c'; then $(CYGPATH_W) 'config/policies/local_policy_store.c'; else $(CYGPATH_W) '$(srcdir)/config/policies/local_policy_store.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_policy_store.Tpo" "$(DEPDIR)/local_policy_store.Po"; else rm -f "$(DEPDIR)/local_policy_store.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/policies/local_policy_store.c' object='local_policy_store.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_policy_store.obj `if test -f 'config/policies/local_policy_store.c'; then $(CYGPATH_W) 'config/policies/local_policy_store.c'; else $(CYGPATH_W) '$(srcdir)/config/policies/local_policy_store.c'; fi`
+
+local_credential_store.o: config/credentials/local_credential_store.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_credential_store.o -MD -MP -MF "$(DEPDIR)/local_credential_store.Tpo" -c -o local_credential_store.o `test -f 'config/credentials/local_credential_store.c' || echo '$(srcdir)/'`config/credentials/local_credential_store.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_credential_store.Tpo" "$(DEPDIR)/local_credential_store.Po"; else rm -f "$(DEPDIR)/local_credential_store.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/credentials/local_credential_store.c' object='local_credential_store.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_credential_store.o `test -f 'config/credentials/local_credential_store.c' || echo '$(srcdir)/'`config/credentials/local_credential_store.c
+
+local_credential_store.obj: config/credentials/local_credential_store.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT local_credential_store.obj -MD -MP -MF "$(DEPDIR)/local_credential_store.Tpo" -c -o local_credential_store.obj `if test -f 'config/credentials/local_credential_store.c'; then $(CYGPATH_W) 'config/credentials/local_credential_store.c'; else $(CYGPATH_W) '$(srcdir)/config/credentials/local_credential_store.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/local_credential_store.Tpo" "$(DEPDIR)/local_credential_store.Po"; else rm -f "$(DEPDIR)/local_credential_store.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/credentials/local_credential_store.c' object='local_credential_store.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o local_credential_store.obj `if test -f 'config/credentials/local_credential_store.c'; then $(CYGPATH_W) 'config/credentials/local_credential_store.c'; else $(CYGPATH_W) '$(srcdir)/config/credentials/local_credential_store.c'; fi`
+
+traffic_selector.o: config/traffic_selector.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.o -MD -MP -MF "$(DEPDIR)/traffic_selector.Tpo" -c -o traffic_selector.o `test -f 'config/traffic_selector.c' || echo '$(srcdir)/'`config/traffic_selector.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/traffic_selector.Tpo" "$(DEPDIR)/traffic_selector.Po"; else rm -f "$(DEPDIR)/traffic_selector.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/traffic_selector.c' object='traffic_selector.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.o `test -f 'config/traffic_selector.c' || echo '$(srcdir)/'`config/traffic_selector.c
+
+traffic_selector.obj: config/traffic_selector.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.obj -MD -MP -MF "$(DEPDIR)/traffic_selector.Tpo" -c -o traffic_selector.obj `if test -f 'config/traffic_selector.c'; then $(CYGPATH_W) 'config/traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/config/traffic_selector.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/traffic_selector.Tpo" "$(DEPDIR)/traffic_selector.Po"; else rm -f "$(DEPDIR)/traffic_selector.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/traffic_selector.c' object='traffic_selector.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector.obj `if test -f 'config/traffic_selector.c'; then $(CYGPATH_W) 'config/traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/config/traffic_selector.c'; fi`
+
+proposal.o: config/proposal.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal.o -MD -MP -MF "$(DEPDIR)/proposal.Tpo" -c -o proposal.o `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/proposal.Tpo" "$(DEPDIR)/proposal.Po"; else rm -f "$(DEPDIR)/proposal.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/proposal.c' object='proposal.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.o `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c
+
+proposal.obj: config/proposal.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal.obj -MD -MP -MF "$(DEPDIR)/proposal.Tpo" -c -o proposal.obj `if test -f 'config/proposal.c'; then $(CYGPATH_W) 'config/proposal.c'; else $(CYGPATH_W) '$(srcdir)/config/proposal.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/proposal.Tpo" "$(DEPDIR)/proposal.Po"; else rm -f "$(DEPDIR)/proposal.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/proposal.c' object='proposal.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.obj `if test -f 'config/proposal.c'; then $(CYGPATH_W) 'config/proposal.c'; else $(CYGPATH_W) '$(srcdir)/config/proposal.c'; fi`
+
+configuration.o: config/configuration.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration.o -MD -MP -MF "$(DEPDIR)/configuration.Tpo" -c -o configuration.o `test -f 'config/configuration.c' || echo '$(srcdir)/'`config/configuration.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration.Tpo" "$(DEPDIR)/configuration.Po"; else rm -f "$(DEPDIR)/configuration.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/configuration.c' object='configuration.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration.o `test -f 'config/configuration.c' || echo '$(srcdir)/'`config/configuration.c
+
+configuration.obj: config/configuration.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration.obj -MD -MP -MF "$(DEPDIR)/configuration.Tpo" -c -o configuration.obj `if test -f 'config/configuration.c'; then $(CYGPATH_W) 'config/configuration.c'; else $(CYGPATH_W) '$(srcdir)/config/configuration.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration.Tpo" "$(DEPDIR)/configuration.Po"; else rm -f "$(DEPDIR)/configuration.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/configuration.c' object='configuration.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration.obj `if test -f 'config/configuration.c'; then $(CYGPATH_W) 'config/configuration.c'; else $(CYGPATH_W) '$(srcdir)/config/configuration.c'; fi`
+
+eap_authenticator.o: sa/authenticators/eap_authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.o -MD -MP -MF "$(DEPDIR)/eap_authenticator.Tpo" -c -o eap_authenticator.o `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_authenticator.Tpo" "$(DEPDIR)/eap_authenticator.Po"; else rm -f "$(DEPDIR)/eap_authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.o `test -f 'sa/authenticators/eap_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/eap_authenticator.c
+
+eap_authenticator.obj: sa/authenticators/eap_authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_authenticator.obj -MD -MP -MF "$(DEPDIR)/eap_authenticator.Tpo" -c -o eap_authenticator.obj `if test -f 'sa/authenticators/eap_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/eap_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap_authenticator.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_authenticator.Tpo" "$(DEPDIR)/eap_authenticator.Po"; else rm -f "$(DEPDIR)/eap_authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap_authenticator.c' object='eap_authenticator.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_authenticator.obj `if test -f 'sa/authenticators/eap_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/eap_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap_authenticator.c'; fi`
+
+eap_method.o: sa/authenticators/eap/eap_method.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.o -MD -MP -MF "$(DEPDIR)/eap_method.Tpo" -c -o eap_method.o `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_method.Tpo" "$(DEPDIR)/eap_method.Po"; else rm -f "$(DEPDIR)/eap_method.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap/eap_method.c' object='eap_method.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.o `test -f 'sa/authenticators/eap/eap_method.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_method.c
+
+eap_method.obj: sa/authenticators/eap/eap_method.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_method.obj -MD -MP -MF "$(DEPDIR)/eap_method.Tpo" -c -o eap_method.obj `if test -f 'sa/authenticators/eap/eap_method.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_method.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_method.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_method.Tpo" "$(DEPDIR)/eap_method.Po"; else rm -f "$(DEPDIR)/eap_method.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap/eap_method.c' object='eap_method.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_method.obj `if test -f 'sa/authenticators/eap/eap_method.c'; then $(CYGPATH_W) 'sa/authenticators/eap/eap_method.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/eap/eap_method.c'; fi`
+
+child_sa.o: sa/child_sa.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.o -MD -MP -MF "$(DEPDIR)/child_sa.Tpo" -c -o child_sa.o `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_sa.Tpo" "$(DEPDIR)/child_sa.Po"; else rm -f "$(DEPDIR)/child_sa.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/child_sa.c' object='child_sa.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.o `test -f 'sa/child_sa.c' || echo '$(srcdir)/'`sa/child_sa.c
+
+child_sa.obj: sa/child_sa.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_sa.obj -MD -MP -MF "$(DEPDIR)/child_sa.Tpo" -c -o child_sa.obj `if test -f 'sa/child_sa.c'; then $(CYGPATH_W) 'sa/child_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/child_sa.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_sa.Tpo" "$(DEPDIR)/child_sa.Po"; else rm -f "$(DEPDIR)/child_sa.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/child_sa.c' object='child_sa.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_sa.obj `if test -f 'sa/child_sa.c'; then $(CYGPATH_W) 'sa/child_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/child_sa.c'; fi`
+
+ike_sa.o: sa/ike_sa.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.o -MD -MP -MF "$(DEPDIR)/ike_sa.Tpo" -c -o ike_sa.o `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa.Tpo" "$(DEPDIR)/ike_sa.Po"; else rm -f "$(DEPDIR)/ike_sa.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa.c' object='ike_sa.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.o `test -f 'sa/ike_sa.c' || echo '$(srcdir)/'`sa/ike_sa.c
+
+ike_sa.obj: sa/ike_sa.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa.obj -MD -MP -MF "$(DEPDIR)/ike_sa.Tpo" -c -o ike_sa.obj `if test -f 'sa/ike_sa.c'; then $(CYGPATH_W) 'sa/ike_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa.Tpo" "$(DEPDIR)/ike_sa.Po"; else rm -f "$(DEPDIR)/ike_sa.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa.c' object='ike_sa.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa.obj `if test -f 'sa/ike_sa.c'; then $(CYGPATH_W) 'sa/ike_sa.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa.c'; fi`
+
+ike_sa_manager.o: sa/ike_sa_manager.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.o -MD -MP -MF "$(DEPDIR)/ike_sa_manager.Tpo" -c -o ike_sa_manager.o `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_manager.Tpo" "$(DEPDIR)/ike_sa_manager.Po"; else rm -f "$(DEPDIR)/ike_sa_manager.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_manager.c' object='ike_sa_manager.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.o `test -f 'sa/ike_sa_manager.c' || echo '$(srcdir)/'`sa/ike_sa_manager.c
+
+ike_sa_manager.obj: sa/ike_sa_manager.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_manager.obj -MD -MP -MF "$(DEPDIR)/ike_sa_manager.Tpo" -c -o ike_sa_manager.obj `if test -f 'sa/ike_sa_manager.c'; then $(CYGPATH_W) 'sa/ike_sa_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_manager.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_manager.Tpo" "$(DEPDIR)/ike_sa_manager.Po"; else rm -f "$(DEPDIR)/ike_sa_manager.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_manager.c' object='ike_sa_manager.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_manager.obj `if test -f 'sa/ike_sa_manager.c'; then $(CYGPATH_W) 'sa/ike_sa_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_manager.c'; fi`
+
+ike_sa_id.o: sa/ike_sa_id.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.o -MD -MP -MF "$(DEPDIR)/ike_sa_id.Tpo" -c -o ike_sa_id.o `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_id.Tpo" "$(DEPDIR)/ike_sa_id.Po"; else rm -f "$(DEPDIR)/ike_sa_id.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_id.c' object='ike_sa_id.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.o `test -f 'sa/ike_sa_id.c' || echo '$(srcdir)/'`sa/ike_sa_id.c
+
+ike_sa_id.obj: sa/ike_sa_id.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_sa_id.obj -MD -MP -MF "$(DEPDIR)/ike_sa_id.Tpo" -c -o ike_sa_id.obj `if test -f 'sa/ike_sa_id.c'; then $(CYGPATH_W) 'sa/ike_sa_id.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_id.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_sa_id.Tpo" "$(DEPDIR)/ike_sa_id.Po"; else rm -f "$(DEPDIR)/ike_sa_id.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/ike_sa_id.c' object='ike_sa_id.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_sa_id.obj `if test -f 'sa/ike_sa_id.c'; then $(CYGPATH_W) 'sa/ike_sa_id.c'; else $(CYGPATH_W) '$(srcdir)/sa/ike_sa_id.c'; fi`
+
+task.o: sa/tasks/task.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.o -MD -MP -MF "$(DEPDIR)/task.Tpo" -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task.Tpo" "$(DEPDIR)/task.Po"; else rm -f "$(DEPDIR)/task.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/task.c' object='task.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.o `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c
+
+task.obj: sa/tasks/task.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task.obj -MD -MP -MF "$(DEPDIR)/task.Tpo" -c -o task.obj `if test -f 'sa/tasks/task.c'; then $(CYGPATH_W) 'sa/tasks/task.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/task.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task.Tpo" "$(DEPDIR)/task.Po"; else rm -f "$(DEPDIR)/task.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/task.c' object='task.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.obj `if test -f 'sa/tasks/task.c'; then $(CYGPATH_W) 'sa/tasks/task.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/task.c'; fi`
+
+ike_init.o: sa/tasks/ike_init.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.o -MD -MP -MF "$(DEPDIR)/ike_init.Tpo" -c -o ike_init.o `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_init.Tpo" "$(DEPDIR)/ike_init.Po"; else rm -f "$(DEPDIR)/ike_init.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_init.c' object='ike_init.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.o `test -f 'sa/tasks/ike_init.c' || echo '$(srcdir)/'`sa/tasks/ike_init.c
+
+ike_init.obj: sa/tasks/ike_init.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_init.obj -MD -MP -MF "$(DEPDIR)/ike_init.Tpo" -c -o ike_init.obj `if test -f 'sa/tasks/ike_init.c'; then $(CYGPATH_W) 'sa/tasks/ike_init.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_init.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_init.Tpo" "$(DEPDIR)/ike_init.Po"; else rm -f "$(DEPDIR)/ike_init.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_init.c' object='ike_init.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_init.obj `if test -f 'sa/tasks/ike_init.c'; then $(CYGPATH_W) 'sa/tasks/ike_init.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_init.c'; fi`
+
+ike_natd.o: sa/tasks/ike_natd.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.o -MD -MP -MF "$(DEPDIR)/ike_natd.Tpo" -c -o ike_natd.o `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_natd.Tpo" "$(DEPDIR)/ike_natd.Po"; else rm -f "$(DEPDIR)/ike_natd.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_natd.c' object='ike_natd.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.o `test -f 'sa/tasks/ike_natd.c' || echo '$(srcdir)/'`sa/tasks/ike_natd.c
+
+ike_natd.obj: sa/tasks/ike_natd.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_natd.obj -MD -MP -MF "$(DEPDIR)/ike_natd.Tpo" -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_natd.Tpo" "$(DEPDIR)/ike_natd.Po"; else rm -f "$(DEPDIR)/ike_natd.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_natd.c' object='ike_natd.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_natd.obj `if test -f 'sa/tasks/ike_natd.c'; then $(CYGPATH_W) 'sa/tasks/ike_natd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_natd.c'; fi`
+
+ike_auth.o: sa/tasks/ike_auth.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.o -MD -MP -MF "$(DEPDIR)/ike_auth.Tpo" -c -o ike_auth.o `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_auth.Tpo" "$(DEPDIR)/ike_auth.Po"; else rm -f "$(DEPDIR)/ike_auth.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_auth.c' object='ike_auth.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.o `test -f 'sa/tasks/ike_auth.c' || echo '$(srcdir)/'`sa/tasks/ike_auth.c
+
+ike_auth.obj: sa/tasks/ike_auth.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth.obj -MD -MP -MF "$(DEPDIR)/ike_auth.Tpo" -c -o ike_auth.obj `if test -f 'sa/tasks/ike_auth.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_auth.Tpo" "$(DEPDIR)/ike_auth.Po"; else rm -f "$(DEPDIR)/ike_auth.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_auth.c' object='ike_auth.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth.obj `if test -f 'sa/tasks/ike_auth.c'; then $(CYGPATH_W) 'sa/tasks/ike_auth.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_auth.c'; fi`
+
+ike_config.o: sa/tasks/ike_config.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.o -MD -MP -MF "$(DEPDIR)/ike_config.Tpo" -c -o ike_config.o `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_config.Tpo" "$(DEPDIR)/ike_config.Po"; else rm -f "$(DEPDIR)/ike_config.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_config.c' object='ike_config.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.o `test -f 'sa/tasks/ike_config.c' || echo '$(srcdir)/'`sa/tasks/ike_config.c
+
+ike_config.obj: sa/tasks/ike_config.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_config.obj -MD -MP -MF "$(DEPDIR)/ike_config.Tpo" -c -o ike_config.obj `if test -f 'sa/tasks/ike_config.c'; then $(CYGPATH_W) 'sa/tasks/ike_config.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_config.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_config.Tpo" "$(DEPDIR)/ike_config.Po"; else rm -f "$(DEPDIR)/ike_config.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_config.c' object='ike_config.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_config.obj `if test -f 'sa/tasks/ike_config.c'; then $(CYGPATH_W) 'sa/tasks/ike_config.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_config.c'; fi`
+
+ike_cert.o: sa/tasks/ike_cert.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert.o -MD -MP -MF "$(DEPDIR)/ike_cert.Tpo" -c -o ike_cert.o `test -f 'sa/tasks/ike_cert.c' || echo '$(srcdir)/'`sa/tasks/ike_cert.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_cert.Tpo" "$(DEPDIR)/ike_cert.Po"; else rm -f "$(DEPDIR)/ike_cert.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_cert.c' object='ike_cert.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert.o `test -f 'sa/tasks/ike_cert.c' || echo '$(srcdir)/'`sa/tasks/ike_cert.c
+
+ike_cert.obj: sa/tasks/ike_cert.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_cert.obj -MD -MP -MF "$(DEPDIR)/ike_cert.Tpo" -c -o ike_cert.obj `if test -f 'sa/tasks/ike_cert.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_cert.Tpo" "$(DEPDIR)/ike_cert.Po"; else rm -f "$(DEPDIR)/ike_cert.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_cert.c' object='ike_cert.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_cert.obj `if test -f 'sa/tasks/ike_cert.c'; then $(CYGPATH_W) 'sa/tasks/ike_cert.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_cert.c'; fi`
+
+ike_rekey.o: sa/tasks/ike_rekey.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.o -MD -MP -MF "$(DEPDIR)/ike_rekey.Tpo" -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_rekey.Tpo" "$(DEPDIR)/ike_rekey.Po"; else rm -f "$(DEPDIR)/ike_rekey.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_rekey.c' object='ike_rekey.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.o `test -f 'sa/tasks/ike_rekey.c' || echo '$(srcdir)/'`sa/tasks/ike_rekey.c
+
+ike_rekey.obj: sa/tasks/ike_rekey.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_rekey.obj -MD -MP -MF "$(DEPDIR)/ike_rekey.Tpo" -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_rekey.Tpo" "$(DEPDIR)/ike_rekey.Po"; else rm -f "$(DEPDIR)/ike_rekey.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_rekey.c' object='ike_rekey.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_rekey.obj `if test -f 'sa/tasks/ike_rekey.c'; then $(CYGPATH_W) 'sa/tasks/ike_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_rekey.c'; fi`
+
+ike_delete.o: sa/tasks/ike_delete.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.o -MD -MP -MF "$(DEPDIR)/ike_delete.Tpo" -c -o ike_delete.o `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_delete.Tpo" "$(DEPDIR)/ike_delete.Po"; else rm -f "$(DEPDIR)/ike_delete.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_delete.c' object='ike_delete.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.o `test -f 'sa/tasks/ike_delete.c' || echo '$(srcdir)/'`sa/tasks/ike_delete.c
+
+ike_delete.obj: sa/tasks/ike_delete.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_delete.obj -MD -MP -MF "$(DEPDIR)/ike_delete.Tpo" -c -o ike_delete.obj `if test -f 'sa/tasks/ike_delete.c'; then $(CYGPATH_W) 'sa/tasks/ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_delete.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_delete.Tpo" "$(DEPDIR)/ike_delete.Po"; else rm -f "$(DEPDIR)/ike_delete.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_delete.c' object='ike_delete.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_delete.obj `if test -f 'sa/tasks/ike_delete.c'; then $(CYGPATH_W) 'sa/tasks/ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_delete.c'; fi`
+
+ike_dpd.o: sa/tasks/ike_dpd.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.o -MD -MP -MF "$(DEPDIR)/ike_dpd.Tpo" -c -o ike_dpd.o `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_dpd.Tpo" "$(DEPDIR)/ike_dpd.Po"; else rm -f "$(DEPDIR)/ike_dpd.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_dpd.c' object='ike_dpd.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.o `test -f 'sa/tasks/ike_dpd.c' || echo '$(srcdir)/'`sa/tasks/ike_dpd.c
+
+ike_dpd.obj: sa/tasks/ike_dpd.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_dpd.obj -MD -MP -MF "$(DEPDIR)/ike_dpd.Tpo" -c -o ike_dpd.obj `if test -f 'sa/tasks/ike_dpd.c'; then $(CYGPATH_W) 'sa/tasks/ike_dpd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_dpd.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_dpd.Tpo" "$(DEPDIR)/ike_dpd.Po"; else rm -f "$(DEPDIR)/ike_dpd.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/ike_dpd.c' object='ike_dpd.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_dpd.obj `if test -f 'sa/tasks/ike_dpd.c'; then $(CYGPATH_W) 'sa/tasks/ike_dpd.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/ike_dpd.c'; fi`
+
+child_create.o: sa/tasks/child_create.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.o -MD -MP -MF "$(DEPDIR)/child_create.Tpo" -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_create.Tpo" "$(DEPDIR)/child_create.Po"; else rm -f "$(DEPDIR)/child_create.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_create.c' object='child_create.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c
+
+child_create.obj: sa/tasks/child_create.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.obj -MD -MP -MF "$(DEPDIR)/child_create.Tpo" -c -o child_create.obj `if test -f 'sa/tasks/child_create.c'; then $(CYGPATH_W) 'sa/tasks/child_create.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_create.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_create.Tpo" "$(DEPDIR)/child_create.Po"; else rm -f "$(DEPDIR)/child_create.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_create.c' object='child_create.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_create.obj `if test -f 'sa/tasks/child_create.c'; then $(CYGPATH_W) 'sa/tasks/child_create.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_create.c'; fi`
+
+child_delete.o: sa/tasks/child_delete.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.o -MD -MP -MF "$(DEPDIR)/child_delete.Tpo" -c -o child_delete.o `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_delete.Tpo" "$(DEPDIR)/child_delete.Po"; else rm -f "$(DEPDIR)/child_delete.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_delete.c' object='child_delete.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.o `test -f 'sa/tasks/child_delete.c' || echo '$(srcdir)/'`sa/tasks/child_delete.c
+
+child_delete.obj: sa/tasks/child_delete.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_delete.obj -MD -MP -MF "$(DEPDIR)/child_delete.Tpo" -c -o child_delete.obj `if test -f 'sa/tasks/child_delete.c'; then $(CYGPATH_W) 'sa/tasks/child_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_delete.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_delete.Tpo" "$(DEPDIR)/child_delete.Po"; else rm -f "$(DEPDIR)/child_delete.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_delete.c' object='child_delete.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_delete.obj `if test -f 'sa/tasks/child_delete.c'; then $(CYGPATH_W) 'sa/tasks/child_delete.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_delete.c'; fi`
+
+child_rekey.o: sa/tasks/child_rekey.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.o -MD -MP -MF "$(DEPDIR)/child_rekey.Tpo" -c -o child_rekey.o `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_rekey.Tpo" "$(DEPDIR)/child_rekey.Po"; else rm -f "$(DEPDIR)/child_rekey.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_rekey.c' object='child_rekey.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.o `test -f 'sa/tasks/child_rekey.c' || echo '$(srcdir)/'`sa/tasks/child_rekey.c
+
+child_rekey.obj: sa/tasks/child_rekey.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_rekey.obj -MD -MP -MF "$(DEPDIR)/child_rekey.Tpo" -c -o child_rekey.obj `if test -f 'sa/tasks/child_rekey.c'; then $(CYGPATH_W) 'sa/tasks/child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_rekey.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/child_rekey.Tpo" "$(DEPDIR)/child_rekey.Po"; else rm -f "$(DEPDIR)/child_rekey.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/tasks/child_rekey.c' object='child_rekey.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o child_rekey.obj `if test -f 'sa/tasks/child_rekey.c'; then $(CYGPATH_W) 'sa/tasks/child_rekey.c'; else $(CYGPATH_W) '$(srcdir)/sa/tasks/child_rekey.c'; fi`
+
+authenticator.o: sa/authenticators/authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.o -MD -MP -MF "$(DEPDIR)/authenticator.Tpo" -c -o authenticator.o `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/authenticator.Tpo" "$(DEPDIR)/authenticator.Po"; else rm -f "$(DEPDIR)/authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/authenticator.c' object='authenticator.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.o `test -f 'sa/authenticators/authenticator.c' || echo '$(srcdir)/'`sa/authenticators/authenticator.c
+
+authenticator.obj: sa/authenticators/authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT authenticator.obj -MD -MP -MF "$(DEPDIR)/authenticator.Tpo" -c -o authenticator.obj `if test -f 'sa/authenticators/authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/authenticator.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/authenticator.Tpo" "$(DEPDIR)/authenticator.Po"; else rm -f "$(DEPDIR)/authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/authenticator.c' object='authenticator.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o authenticator.obj `if test -f 'sa/authenticators/authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/authenticator.c'; fi`
+
+rsa_authenticator.o: sa/authenticators/rsa_authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_authenticator.o -MD -MP -MF "$(DEPDIR)/rsa_authenticator.Tpo" -c -o rsa_authenticator.o `test -f 'sa/authenticators/rsa_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/rsa_authenticator.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rsa_authenticator.Tpo" "$(DEPDIR)/rsa_authenticator.Po"; else rm -f "$(DEPDIR)/rsa_authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/rsa_authenticator.c' object='rsa_authenticator.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_authenticator.o `test -f 'sa/authenticators/rsa_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/rsa_authenticator.c
+
+rsa_authenticator.obj: sa/authenticators/rsa_authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_authenticator.obj -MD -MP -MF "$(DEPDIR)/rsa_authenticator.Tpo" -c -o rsa_authenticator.obj `if test -f 'sa/authenticators/rsa_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/rsa_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/rsa_authenticator.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rsa_authenticator.Tpo" "$(DEPDIR)/rsa_authenticator.Po"; else rm -f "$(DEPDIR)/rsa_authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/rsa_authenticator.c' object='rsa_authenticator.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_authenticator.obj `if test -f 'sa/authenticators/rsa_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/rsa_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/rsa_authenticator.c'; fi`
+
+psk_authenticator.o: sa/authenticators/psk_authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.o -MD -MP -MF "$(DEPDIR)/psk_authenticator.Tpo" -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/psk_authenticator.Tpo" "$(DEPDIR)/psk_authenticator.Po"; else rm -f "$(DEPDIR)/psk_authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.o `test -f 'sa/authenticators/psk_authenticator.c' || echo '$(srcdir)/'`sa/authenticators/psk_authenticator.c
+
+psk_authenticator.obj: sa/authenticators/psk_authenticator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT psk_authenticator.obj -MD -MP -MF "$(DEPDIR)/psk_authenticator.Tpo" -c -o psk_authenticator.obj `if test -f 'sa/authenticators/psk_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/psk_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/psk_authenticator.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/psk_authenticator.Tpo" "$(DEPDIR)/psk_authenticator.Po"; else rm -f "$(DEPDIR)/psk_authenticator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/psk_authenticator.c' object='psk_authenticator.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o psk_authenticator.obj `if test -f 'sa/authenticators/psk_authenticator.c'; then $(CYGPATH_W) 'sa/authenticators/psk_authenticator.c'; else $(CYGPATH_W) '$(srcdir)/sa/authenticators/psk_authenticator.c'; fi`
+
+task_manager.o: sa/task_manager.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.o -MD -MP -MF "$(DEPDIR)/task_manager.Tpo" -c -o task_manager.o `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task_manager.Tpo" "$(DEPDIR)/task_manager.Po"; else rm -f "$(DEPDIR)/task_manager.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/task_manager.c' object='task_manager.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.o `test -f 'sa/task_manager.c' || echo '$(srcdir)/'`sa/task_manager.c
+
+task_manager.obj: sa/task_manager.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT task_manager.obj -MD -MP -MF "$(DEPDIR)/task_manager.Tpo" -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/task_manager.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/task_manager.Tpo" "$(DEPDIR)/task_manager.Po"; else rm -f "$(DEPDIR)/task_manager.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/task_manager.c' object='task_manager.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task_manager.obj `if test -f 'sa/task_manager.c'; then $(CYGPATH_W) 'sa/task_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/task_manager.c'; fi`
+
+encryption_payload.o: encoding/payloads/encryption_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.o -MD -MP -MF "$(DEPDIR)/encryption_payload.Tpo" -c -o encryption_payload.o `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encryption_payload.Tpo" "$(DEPDIR)/encryption_payload.Po"; else rm -f "$(DEPDIR)/encryption_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encryption_payload.c' object='encryption_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.o `test -f 'encoding/payloads/encryption_payload.c' || echo '$(srcdir)/'`encoding/payloads/encryption_payload.c
+
+encryption_payload.obj: encoding/payloads/encryption_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encryption_payload.obj -MD -MP -MF "$(DEPDIR)/encryption_payload.Tpo" -c -o encryption_payload.obj `if test -f 'encoding/payloads/encryption_payload.c'; then $(CYGPATH_W) 'encoding/payloads/encryption_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encryption_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encryption_payload.Tpo" "$(DEPDIR)/encryption_payload.Po"; else rm -f "$(DEPDIR)/encryption_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encryption_payload.c' object='encryption_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encryption_payload.obj `if test -f 'encoding/payloads/encryption_payload.c'; then $(CYGPATH_W) 'encoding/payloads/encryption_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encryption_payload.c'; fi`
+
+cert_payload.o: encoding/payloads/cert_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.o -MD -MP -MF "$(DEPDIR)/cert_payload.Tpo" -c -o cert_payload.o `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cert_payload.Tpo" "$(DEPDIR)/cert_payload.Po"; else rm -f "$(DEPDIR)/cert_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cert_payload.c' object='cert_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.o `test -f 'encoding/payloads/cert_payload.c' || echo '$(srcdir)/'`encoding/payloads/cert_payload.c
+
+cert_payload.obj: encoding/payloads/cert_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_payload.obj -MD -MP -MF "$(DEPDIR)/cert_payload.Tpo" -c -o cert_payload.obj `if test -f 'encoding/payloads/cert_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cert_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cert_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cert_payload.Tpo" "$(DEPDIR)/cert_payload.Po"; else rm -f "$(DEPDIR)/cert_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cert_payload.c' object='cert_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_payload.obj `if test -f 'encoding/payloads/cert_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cert_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cert_payload.c'; fi`
+
+traffic_selector_substructure.o: encoding/payloads/traffic_selector_substructure.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector_substructure.o -MD -MP -MF "$(DEPDIR)/traffic_selector_substructure.Tpo" -c -o traffic_selector_substructure.o `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/traffic_selector_substructure.Tpo" "$(DEPDIR)/traffic_selector_substructure.Po"; else rm -f "$(DEPDIR)/traffic_selector_substructure.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/traffic_selector_substructure.c' object='traffic_selector_substructure.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector_substructure.o `test -f 'encoding/payloads/traffic_selector_substructure.c' || echo '$(srcdir)/'`encoding/payloads/traffic_selector_substructure.c
+
+traffic_selector_substructure.obj: encoding/payloads/traffic_selector_substructure.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector_substructure.obj -MD -MP -MF "$(DEPDIR)/traffic_selector_substructure.Tpo" -c -o traffic_selector_substructure.obj `if test -f 'encoding/payloads/traffic_selector_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/traffic_selector_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/traffic_selector_substructure.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/traffic_selector_substructure.Tpo" "$(DEPDIR)/traffic_selector_substructure.Po"; else rm -f "$(DEPDIR)/traffic_selector_substructure.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/traffic_selector_substructure.c' object='traffic_selector_substructure.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o traffic_selector_substructure.obj `if test -f 'encoding/payloads/traffic_selector_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/traffic_selector_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/traffic_selector_substructure.c'; fi`
+
+transform_attribute.o: encoding/payloads/transform_attribute.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_attribute.o -MD -MP -MF "$(DEPDIR)/transform_attribute.Tpo" -c -o transform_attribute.o `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/transform_attribute.Tpo" "$(DEPDIR)/transform_attribute.Po"; else rm -f "$(DEPDIR)/transform_attribute.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/transform_attribute.c' object='transform_attribute.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_attribute.o `test -f 'encoding/payloads/transform_attribute.c' || echo '$(srcdir)/'`encoding/payloads/transform_attribute.c
+
+transform_attribute.obj: encoding/payloads/transform_attribute.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_attribute.obj -MD -MP -MF "$(DEPDIR)/transform_attribute.Tpo" -c -o transform_attribute.obj `if test -f 'encoding/payloads/transform_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/transform_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_attribute.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/transform_attribute.Tpo" "$(DEPDIR)/transform_attribute.Po"; else rm -f "$(DEPDIR)/transform_attribute.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/transform_attribute.c' object='transform_attribute.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_attribute.obj `if test -f 'encoding/payloads/transform_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/transform_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_attribute.c'; fi`
+
+configuration_attribute.o: encoding/payloads/configuration_attribute.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.o -MD -MP -MF "$(DEPDIR)/configuration_attribute.Tpo" -c -o configuration_attribute.o `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration_attribute.Tpo" "$(DEPDIR)/configuration_attribute.Po"; else rm -f "$(DEPDIR)/configuration_attribute.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.o `test -f 'encoding/payloads/configuration_attribute.c' || echo '$(srcdir)/'`encoding/payloads/configuration_attribute.c
+
+configuration_attribute.obj: encoding/payloads/configuration_attribute.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT configuration_attribute.obj -MD -MP -MF "$(DEPDIR)/configuration_attribute.Tpo" -c -o configuration_attribute.obj `if test -f 'encoding/payloads/configuration_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/configuration_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/configuration_attribute.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/configuration_attribute.Tpo" "$(DEPDIR)/configuration_attribute.Po"; else rm -f "$(DEPDIR)/configuration_attribute.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/configuration_attribute.c' object='configuration_attribute.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o configuration_attribute.obj `if test -f 'encoding/payloads/configuration_attribute.c'; then $(CYGPATH_W) 'encoding/payloads/configuration_attribute.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/configuration_attribute.c'; fi`
+
+transform_substructure.o: encoding/payloads/transform_substructure.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_substructure.o -MD -MP -MF "$(DEPDIR)/transform_substructure.Tpo" -c -o transform_substructure.o `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/transform_substructure.Tpo" "$(DEPDIR)/transform_substructure.Po"; else rm -f "$(DEPDIR)/transform_substructure.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/transform_substructure.c' object='transform_substructure.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_substructure.o `test -f 'encoding/payloads/transform_substructure.c' || echo '$(srcdir)/'`encoding/payloads/transform_substructure.c
+
+transform_substructure.obj: encoding/payloads/transform_substructure.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT transform_substructure.obj -MD -MP -MF "$(DEPDIR)/transform_substructure.Tpo" -c -o transform_substructure.obj `if test -f 'encoding/payloads/transform_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/transform_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_substructure.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/transform_substructure.Tpo" "$(DEPDIR)/transform_substructure.Po"; else rm -f "$(DEPDIR)/transform_substructure.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/transform_substructure.c' object='transform_substructure.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o transform_substructure.obj `if test -f 'encoding/payloads/transform_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/transform_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/transform_substructure.c'; fi`
+
+auth_payload.o: encoding/payloads/auth_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.o -MD -MP -MF "$(DEPDIR)/auth_payload.Tpo" -c -o auth_payload.o `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/auth_payload.Tpo" "$(DEPDIR)/auth_payload.Po"; else rm -f "$(DEPDIR)/auth_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/auth_payload.c' object='auth_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.o `test -f 'encoding/payloads/auth_payload.c' || echo '$(srcdir)/'`encoding/payloads/auth_payload.c
+
+auth_payload.obj: encoding/payloads/auth_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_payload.obj -MD -MP -MF "$(DEPDIR)/auth_payload.Tpo" -c -o auth_payload.obj `if test -f 'encoding/payloads/auth_payload.c'; then $(CYGPATH_W) 'encoding/payloads/auth_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/auth_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/auth_payload.Tpo" "$(DEPDIR)/auth_payload.Po"; else rm -f "$(DEPDIR)/auth_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/auth_payload.c' object='auth_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_payload.obj `if test -f 'encoding/payloads/auth_payload.c'; then $(CYGPATH_W) 'encoding/payloads/auth_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/auth_payload.c'; fi`
+
+ike_header.o: encoding/payloads/ike_header.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.o -MD -MP -MF "$(DEPDIR)/ike_header.Tpo" -c -o ike_header.o `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_header.Tpo" "$(DEPDIR)/ike_header.Po"; else rm -f "$(DEPDIR)/ike_header.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ike_header.c' object='ike_header.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.o `test -f 'encoding/payloads/ike_header.c' || echo '$(srcdir)/'`encoding/payloads/ike_header.c
+
+ike_header.obj: encoding/payloads/ike_header.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_header.obj -MD -MP -MF "$(DEPDIR)/ike_header.Tpo" -c -o ike_header.obj `if test -f 'encoding/payloads/ike_header.c'; then $(CYGPATH_W) 'encoding/payloads/ike_header.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ike_header.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_header.Tpo" "$(DEPDIR)/ike_header.Po"; else rm -f "$(DEPDIR)/ike_header.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ike_header.c' object='ike_header.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_header.obj `if test -f 'encoding/payloads/ike_header.c'; then $(CYGPATH_W) 'encoding/payloads/ike_header.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ike_header.c'; fi`
+
+nonce_payload.o: encoding/payloads/nonce_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.o -MD -MP -MF "$(DEPDIR)/nonce_payload.Tpo" -c -o nonce_payload.o `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/nonce_payload.Tpo" "$(DEPDIR)/nonce_payload.Po"; else rm -f "$(DEPDIR)/nonce_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/nonce_payload.c' object='nonce_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.o `test -f 'encoding/payloads/nonce_payload.c' || echo '$(srcdir)/'`encoding/payloads/nonce_payload.c
+
+nonce_payload.obj: encoding/payloads/nonce_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT nonce_payload.obj -MD -MP -MF "$(DEPDIR)/nonce_payload.Tpo" -c -o nonce_payload.obj `if test -f 'encoding/payloads/nonce_payload.c'; then $(CYGPATH_W) 'encoding/payloads/nonce_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/nonce_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/nonce_payload.Tpo" "$(DEPDIR)/nonce_payload.Po"; else rm -f "$(DEPDIR)/nonce_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/nonce_payload.c' object='nonce_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o nonce_payload.obj `if test -f 'encoding/payloads/nonce_payload.c'; then $(CYGPATH_W) 'encoding/payloads/nonce_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/nonce_payload.c'; fi`
+
+eap_payload.o: encoding/payloads/eap_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.o -MD -MP -MF "$(DEPDIR)/eap_payload.Tpo" -c -o eap_payload.o `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_payload.Tpo" "$(DEPDIR)/eap_payload.Po"; else rm -f "$(DEPDIR)/eap_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/eap_payload.c' object='eap_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.o `test -f 'encoding/payloads/eap_payload.c' || echo '$(srcdir)/'`encoding/payloads/eap_payload.c
+
+eap_payload.obj: encoding/payloads/eap_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_payload.obj -MD -MP -MF "$(DEPDIR)/eap_payload.Tpo" -c -o eap_payload.obj `if test -f 'encoding/payloads/eap_payload.c'; then $(CYGPATH_W) 'encoding/payloads/eap_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/eap_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/eap_payload.Tpo" "$(DEPDIR)/eap_payload.Po"; else rm -f "$(DEPDIR)/eap_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/eap_payload.c' object='eap_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_payload.obj `if test -f 'encoding/payloads/eap_payload.c'; then $(CYGPATH_W) 'encoding/payloads/eap_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/eap_payload.c'; fi`
+
+ts_payload.o: encoding/payloads/ts_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.o -MD -MP -MF "$(DEPDIR)/ts_payload.Tpo" -c -o ts_payload.o `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ts_payload.Tpo" "$(DEPDIR)/ts_payload.Po"; else rm -f "$(DEPDIR)/ts_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ts_payload.c' object='ts_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.o `test -f 'encoding/payloads/ts_payload.c' || echo '$(srcdir)/'`encoding/payloads/ts_payload.c
+
+ts_payload.obj: encoding/payloads/ts_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ts_payload.obj -MD -MP -MF "$(DEPDIR)/ts_payload.Tpo" -c -o ts_payload.obj `if test -f 'encoding/payloads/ts_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ts_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ts_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ts_payload.Tpo" "$(DEPDIR)/ts_payload.Po"; else rm -f "$(DEPDIR)/ts_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ts_payload.c' object='ts_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ts_payload.obj `if test -f 'encoding/payloads/ts_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ts_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ts_payload.c'; fi`
+
+notify_payload.o: encoding/payloads/notify_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.o -MD -MP -MF "$(DEPDIR)/notify_payload.Tpo" -c -o notify_payload.o `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/notify_payload.Tpo" "$(DEPDIR)/notify_payload.Po"; else rm -f "$(DEPDIR)/notify_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/notify_payload.c' object='notify_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.o `test -f 'encoding/payloads/notify_payload.c' || echo '$(srcdir)/'`encoding/payloads/notify_payload.c
+
+notify_payload.obj: encoding/payloads/notify_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT notify_payload.obj -MD -MP -MF "$(DEPDIR)/notify_payload.Tpo" -c -o notify_payload.obj `if test -f 'encoding/payloads/notify_payload.c'; then $(CYGPATH_W) 'encoding/payloads/notify_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/notify_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/notify_payload.Tpo" "$(DEPDIR)/notify_payload.Po"; else rm -f "$(DEPDIR)/notify_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/notify_payload.c' object='notify_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o notify_payload.obj `if test -f 'encoding/payloads/notify_payload.c'; then $(CYGPATH_W) 'encoding/payloads/notify_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/notify_payload.c'; fi`
+
+id_payload.o: encoding/payloads/id_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.o -MD -MP -MF "$(DEPDIR)/id_payload.Tpo" -c -o id_payload.o `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/id_payload.Tpo" "$(DEPDIR)/id_payload.Po"; else rm -f "$(DEPDIR)/id_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/id_payload.c' object='id_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.o `test -f 'encoding/payloads/id_payload.c' || echo '$(srcdir)/'`encoding/payloads/id_payload.c
+
+id_payload.obj: encoding/payloads/id_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT id_payload.obj -MD -MP -MF "$(DEPDIR)/id_payload.Tpo" -c -o id_payload.obj `if test -f 'encoding/payloads/id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/id_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/id_payload.Tpo" "$(DEPDIR)/id_payload.Po"; else rm -f "$(DEPDIR)/id_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/id_payload.c' object='id_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o id_payload.obj `if test -f 'encoding/payloads/id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/id_payload.c'; fi`
+
+ke_payload.o: encoding/payloads/ke_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.o -MD -MP -MF "$(DEPDIR)/ke_payload.Tpo" -c -o ke_payload.o `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ke_payload.Tpo" "$(DEPDIR)/ke_payload.Po"; else rm -f "$(DEPDIR)/ke_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ke_payload.c' object='ke_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.o `test -f 'encoding/payloads/ke_payload.c' || echo '$(srcdir)/'`encoding/payloads/ke_payload.c
+
+ke_payload.obj: encoding/payloads/ke_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ke_payload.obj -MD -MP -MF "$(DEPDIR)/ke_payload.Tpo" -c -o ke_payload.obj `if test -f 'encoding/payloads/ke_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ke_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ke_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ke_payload.Tpo" "$(DEPDIR)/ke_payload.Po"; else rm -f "$(DEPDIR)/ke_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/ke_payload.c' object='ke_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ke_payload.obj `if test -f 'encoding/payloads/ke_payload.c'; then $(CYGPATH_W) 'encoding/payloads/ke_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/ke_payload.c'; fi`
+
+unknown_payload.o: encoding/payloads/unknown_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.o -MD -MP -MF "$(DEPDIR)/unknown_payload.Tpo" -c -o unknown_payload.o `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/unknown_payload.Tpo" "$(DEPDIR)/unknown_payload.Po"; else rm -f "$(DEPDIR)/unknown_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/unknown_payload.c' object='unknown_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.o `test -f 'encoding/payloads/unknown_payload.c' || echo '$(srcdir)/'`encoding/payloads/unknown_payload.c
+
+unknown_payload.obj: encoding/payloads/unknown_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unknown_payload.obj -MD -MP -MF "$(DEPDIR)/unknown_payload.Tpo" -c -o unknown_payload.obj `if test -f 'encoding/payloads/unknown_payload.c'; then $(CYGPATH_W) 'encoding/payloads/unknown_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/unknown_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/unknown_payload.Tpo" "$(DEPDIR)/unknown_payload.Po"; else rm -f "$(DEPDIR)/unknown_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/unknown_payload.c' object='unknown_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unknown_payload.obj `if test -f 'encoding/payloads/unknown_payload.c'; then $(CYGPATH_W) 'encoding/payloads/unknown_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/unknown_payload.c'; fi`
+
+encodings.o: encoding/payloads/encodings.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.o -MD -MP -MF "$(DEPDIR)/encodings.Tpo" -c -o encodings.o `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encodings.Tpo" "$(DEPDIR)/encodings.Po"; else rm -f "$(DEPDIR)/encodings.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encodings.c' object='encodings.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.o `test -f 'encoding/payloads/encodings.c' || echo '$(srcdir)/'`encoding/payloads/encodings.c
+
+encodings.obj: encoding/payloads/encodings.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT encodings.obj -MD -MP -MF "$(DEPDIR)/encodings.Tpo" -c -o encodings.obj `if test -f 'encoding/payloads/encodings.c'; then $(CYGPATH_W) 'encoding/payloads/encodings.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encodings.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/encodings.Tpo" "$(DEPDIR)/encodings.Po"; else rm -f "$(DEPDIR)/encodings.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/encodings.c' object='encodings.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o encodings.obj `if test -f 'encoding/payloads/encodings.c'; then $(CYGPATH_W) 'encoding/payloads/encodings.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/encodings.c'; fi`
+
+cp_payload.o: encoding/payloads/cp_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.o -MD -MP -MF "$(DEPDIR)/cp_payload.Tpo" -c -o cp_payload.o `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cp_payload.Tpo" "$(DEPDIR)/cp_payload.Po"; else rm -f "$(DEPDIR)/cp_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cp_payload.c' object='cp_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.o `test -f 'encoding/payloads/cp_payload.c' || echo '$(srcdir)/'`encoding/payloads/cp_payload.c
+
+cp_payload.obj: encoding/payloads/cp_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cp_payload.obj -MD -MP -MF "$(DEPDIR)/cp_payload.Tpo" -c -o cp_payload.obj `if test -f 'encoding/payloads/cp_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cp_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cp_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cp_payload.Tpo" "$(DEPDIR)/cp_payload.Po"; else rm -f "$(DEPDIR)/cp_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/cp_payload.c' object='cp_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cp_payload.obj `if test -f 'encoding/payloads/cp_payload.c'; then $(CYGPATH_W) 'encoding/payloads/cp_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/cp_payload.c'; fi`
+
+delete_payload.o: encoding/payloads/delete_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.o -MD -MP -MF "$(DEPDIR)/delete_payload.Tpo" -c -o delete_payload.o `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_payload.Tpo" "$(DEPDIR)/delete_payload.Po"; else rm -f "$(DEPDIR)/delete_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/delete_payload.c' object='delete_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.o `test -f 'encoding/payloads/delete_payload.c' || echo '$(srcdir)/'`encoding/payloads/delete_payload.c
+
+delete_payload.obj: encoding/payloads/delete_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_payload.obj -MD -MP -MF "$(DEPDIR)/delete_payload.Tpo" -c -o delete_payload.obj `if test -f 'encoding/payloads/delete_payload.c'; then $(CYGPATH_W) 'encoding/payloads/delete_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/delete_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_payload.Tpo" "$(DEPDIR)/delete_payload.Po"; else rm -f "$(DEPDIR)/delete_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/delete_payload.c' object='delete_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_payload.obj `if test -f 'encoding/payloads/delete_payload.c'; then $(CYGPATH_W) 'encoding/payloads/delete_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/delete_payload.c'; fi`
+
+sa_payload.o: encoding/payloads/sa_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.o -MD -MP -MF "$(DEPDIR)/sa_payload.Tpo" -c -o sa_payload.o `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sa_payload.Tpo" "$(DEPDIR)/sa_payload.Po"; else rm -f "$(DEPDIR)/sa_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/sa_payload.c' object='sa_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.o `test -f 'encoding/payloads/sa_payload.c' || echo '$(srcdir)/'`encoding/payloads/sa_payload.c
+
+sa_payload.obj: encoding/payloads/sa_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sa_payload.obj -MD -MP -MF "$(DEPDIR)/sa_payload.Tpo" -c -o sa_payload.obj `if test -f 'encoding/payloads/sa_payload.c'; then $(CYGPATH_W) 'encoding/payloads/sa_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/sa_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sa_payload.Tpo" "$(DEPDIR)/sa_payload.Po"; else rm -f "$(DEPDIR)/sa_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/sa_payload.c' object='sa_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sa_payload.obj `if test -f 'encoding/payloads/sa_payload.c'; then $(CYGPATH_W) 'encoding/payloads/sa_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/sa_payload.c'; fi`
+
+certreq_payload.o: encoding/payloads/certreq_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.o -MD -MP -MF "$(DEPDIR)/certreq_payload.Tpo" -c -o certreq_payload.o `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/certreq_payload.Tpo" "$(DEPDIR)/certreq_payload.Po"; else rm -f "$(DEPDIR)/certreq_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/certreq_payload.c' object='certreq_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.o `test -f 'encoding/payloads/certreq_payload.c' || echo '$(srcdir)/'`encoding/payloads/certreq_payload.c
+
+certreq_payload.obj: encoding/payloads/certreq_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certreq_payload.obj -MD -MP -MF "$(DEPDIR)/certreq_payload.Tpo" -c -o certreq_payload.obj `if test -f 'encoding/payloads/certreq_payload.c'; then $(CYGPATH_W) 'encoding/payloads/certreq_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/certreq_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/certreq_payload.Tpo" "$(DEPDIR)/certreq_payload.Po"; else rm -f "$(DEPDIR)/certreq_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/certreq_payload.c' object='certreq_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certreq_payload.obj `if test -f 'encoding/payloads/certreq_payload.c'; then $(CYGPATH_W) 'encoding/payloads/certreq_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/certreq_payload.c'; fi`
+
+vendor_id_payload.o: encoding/payloads/vendor_id_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.o -MD -MP -MF "$(DEPDIR)/vendor_id_payload.Tpo" -c -o vendor_id_payload.o `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/vendor_id_payload.Tpo" "$(DEPDIR)/vendor_id_payload.Po"; else rm -f "$(DEPDIR)/vendor_id_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.o `test -f 'encoding/payloads/vendor_id_payload.c' || echo '$(srcdir)/'`encoding/payloads/vendor_id_payload.c
+
+vendor_id_payload.obj: encoding/payloads/vendor_id_payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT vendor_id_payload.obj -MD -MP -MF "$(DEPDIR)/vendor_id_payload.Tpo" -c -o vendor_id_payload.obj `if test -f 'encoding/payloads/vendor_id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/vendor_id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/vendor_id_payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/vendor_id_payload.Tpo" "$(DEPDIR)/vendor_id_payload.Po"; else rm -f "$(DEPDIR)/vendor_id_payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/vendor_id_payload.c' object='vendor_id_payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o vendor_id_payload.obj `if test -f 'encoding/payloads/vendor_id_payload.c'; then $(CYGPATH_W) 'encoding/payloads/vendor_id_payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/vendor_id_payload.c'; fi`
+
+proposal_substructure.o: encoding/payloads/proposal_substructure.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.o -MD -MP -MF "$(DEPDIR)/proposal_substructure.Tpo" -c -o proposal_substructure.o `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/proposal_substructure.Tpo" "$(DEPDIR)/proposal_substructure.Po"; else rm -f "$(DEPDIR)/proposal_substructure.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.o `test -f 'encoding/payloads/proposal_substructure.c' || echo '$(srcdir)/'`encoding/payloads/proposal_substructure.c
+
+proposal_substructure.obj: encoding/payloads/proposal_substructure.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT proposal_substructure.obj -MD -MP -MF "$(DEPDIR)/proposal_substructure.Tpo" -c -o proposal_substructure.obj `if test -f 'encoding/payloads/proposal_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/proposal_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/proposal_substructure.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/proposal_substructure.Tpo" "$(DEPDIR)/proposal_substructure.Po"; else rm -f "$(DEPDIR)/proposal_substructure.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/proposal_substructure.c' object='proposal_substructure.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal_substructure.obj `if test -f 'encoding/payloads/proposal_substructure.c'; then $(CYGPATH_W) 'encoding/payloads/proposal_substructure.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/proposal_substructure.c'; fi`
+
+payload.o: encoding/payloads/payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.o -MD -MP -MF "$(DEPDIR)/payload.Tpo" -c -o payload.o `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/payload.Tpo" "$(DEPDIR)/payload.Po"; else rm -f "$(DEPDIR)/payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/payload.c' object='payload.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.o `test -f 'encoding/payloads/payload.c' || echo '$(srcdir)/'`encoding/payloads/payload.c
+
+payload.obj: encoding/payloads/payload.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT payload.obj -MD -MP -MF "$(DEPDIR)/payload.Tpo" -c -o payload.obj `if test -f 'encoding/payloads/payload.c'; then $(CYGPATH_W) 'encoding/payloads/payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/payload.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/payload.Tpo" "$(DEPDIR)/payload.Po"; else rm -f "$(DEPDIR)/payload.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/payloads/payload.c' object='payload.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o payload.obj `if test -f 'encoding/payloads/payload.c'; then $(CYGPATH_W) 'encoding/payloads/payload.c'; else $(CYGPATH_W) '$(srcdir)/encoding/payloads/payload.c'; fi`
+
+message.o: encoding/message.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.o -MD -MP -MF "$(DEPDIR)/message.Tpo" -c -o message.o `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/message.Tpo" "$(DEPDIR)/message.Po"; else rm -f "$(DEPDIR)/message.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/message.c' object='message.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.o `test -f 'encoding/message.c' || echo '$(srcdir)/'`encoding/message.c
+
+message.obj: encoding/message.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT message.obj -MD -MP -MF "$(DEPDIR)/message.Tpo" -c -o message.obj `if test -f 'encoding/message.c'; then $(CYGPATH_W) 'encoding/message.c'; else $(CYGPATH_W) '$(srcdir)/encoding/message.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/message.Tpo" "$(DEPDIR)/message.Po"; else rm -f "$(DEPDIR)/message.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/message.c' object='message.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o message.obj `if test -f 'encoding/message.c'; then $(CYGPATH_W) 'encoding/message.c'; else $(CYGPATH_W) '$(srcdir)/encoding/message.c'; fi`
+
+generator.o: encoding/generator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.o -MD -MP -MF "$(DEPDIR)/generator.Tpo" -c -o generator.o `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/generator.Tpo" "$(DEPDIR)/generator.Po"; else rm -f "$(DEPDIR)/generator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/generator.c' object='generator.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.o `test -f 'encoding/generator.c' || echo '$(srcdir)/'`encoding/generator.c
+
+generator.obj: encoding/generator.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT generator.obj -MD -MP -MF "$(DEPDIR)/generator.Tpo" -c -o generator.obj `if test -f 'encoding/generator.c'; then $(CYGPATH_W) 'encoding/generator.c'; else $(CYGPATH_W) '$(srcdir)/encoding/generator.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/generator.Tpo" "$(DEPDIR)/generator.Po"; else rm -f "$(DEPDIR)/generator.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/generator.c' object='generator.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o generator.obj `if test -f 'encoding/generator.c'; then $(CYGPATH_W) 'encoding/generator.c'; else $(CYGPATH_W) '$(srcdir)/encoding/generator.c'; fi`
+
+parser.o: encoding/parser.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.o -MD -MP -MF "$(DEPDIR)/parser.Tpo" -c -o parser.o `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/parser.Tpo" "$(DEPDIR)/parser.Po"; else rm -f "$(DEPDIR)/parser.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/parser.c' object='parser.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.o `test -f 'encoding/parser.c' || echo '$(srcdir)/'`encoding/parser.c
+
+parser.obj: encoding/parser.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT parser.obj -MD -MP -MF "$(DEPDIR)/parser.Tpo" -c -o parser.obj `if test -f 'encoding/parser.c'; then $(CYGPATH_W) 'encoding/parser.c'; else $(CYGPATH_W) '$(srcdir)/encoding/parser.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/parser.Tpo" "$(DEPDIR)/parser.Po"; else rm -f "$(DEPDIR)/parser.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='encoding/parser.c' object='parser.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o parser.obj `if test -f 'encoding/parser.c'; then $(CYGPATH_W) 'encoding/parser.c'; else $(CYGPATH_W) '$(srcdir)/encoding/parser.c'; fi`
+
+packet.o: network/packet.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.o -MD -MP -MF "$(DEPDIR)/packet.Tpo" -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/packet.Tpo" "$(DEPDIR)/packet.Po"; else rm -f "$(DEPDIR)/packet.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/packet.c' object='packet.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.o `test -f 'network/packet.c' || echo '$(srcdir)/'`network/packet.c
+
+packet.obj: network/packet.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT packet.obj -MD -MP -MF "$(DEPDIR)/packet.Tpo" -c -o packet.obj `if test -f 'network/packet.c'; then $(CYGPATH_W) 'network/packet.c'; else $(CYGPATH_W) '$(srcdir)/network/packet.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/packet.Tpo" "$(DEPDIR)/packet.Po"; else rm -f "$(DEPDIR)/packet.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/packet.c' object='packet.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o packet.obj `if test -f 'network/packet.c'; then $(CYGPATH_W) 'network/packet.c'; else $(CYGPATH_W) '$(srcdir)/network/packet.c'; fi`
+
+socket.o: network/socket.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.o -MD -MP -MF "$(DEPDIR)/socket.Tpo" -c -o socket.o `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/socket.Tpo" "$(DEPDIR)/socket.Po"; else rm -f "$(DEPDIR)/socket.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/socket.c' object='socket.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.o `test -f 'network/socket.c' || echo '$(srcdir)/'`network/socket.c
+
+socket.obj: network/socket.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT socket.obj -MD -MP -MF "$(DEPDIR)/socket.Tpo" -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/socket.Tpo" "$(DEPDIR)/socket.Po"; else rm -f "$(DEPDIR)/socket.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='network/socket.c' object='socket.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o socket.obj `if test -f 'network/socket.c'; then $(CYGPATH_W) 'network/socket.c'; else $(CYGPATH_W) '$(srcdir)/network/socket.c'; fi`
+
+job.o: queues/jobs/job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.o -MD -MP -MF "$(DEPDIR)/job.Tpo" -c -o job.o `test -f 'queues/jobs/job.c' || echo '$(srcdir)/'`queues/jobs/job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job.Tpo" "$(DEPDIR)/job.Po"; else rm -f "$(DEPDIR)/job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/job.c' object='job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.o `test -f 'queues/jobs/job.c' || echo '$(srcdir)/'`queues/jobs/job.c
+
+job.obj: queues/jobs/job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job.obj -MD -MP -MF "$(DEPDIR)/job.Tpo" -c -o job.obj `if test -f 'queues/jobs/job.c'; then $(CYGPATH_W) 'queues/jobs/job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job.Tpo" "$(DEPDIR)/job.Po"; else rm -f "$(DEPDIR)/job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/job.c' object='job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job.obj `if test -f 'queues/jobs/job.c'; then $(CYGPATH_W) 'queues/jobs/job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/job.c'; fi`
+
+process_message_job.o: queues/jobs/process_message_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.o -MD -MP -MF "$(DEPDIR)/process_message_job.Tpo" -c -o process_message_job.o `test -f 'queues/jobs/process_message_job.c' || echo '$(srcdir)/'`queues/jobs/process_message_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/process_message_job.Tpo" "$(DEPDIR)/process_message_job.Po"; else rm -f "$(DEPDIR)/process_message_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/process_message_job.c' object='process_message_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.o `test -f 'queues/jobs/process_message_job.c' || echo '$(srcdir)/'`queues/jobs/process_message_job.c
+
+process_message_job.obj: queues/jobs/process_message_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT process_message_job.obj -MD -MP -MF "$(DEPDIR)/process_message_job.Tpo" -c -o process_message_job.obj `if test -f 'queues/jobs/process_message_job.c'; then $(CYGPATH_W) 'queues/jobs/process_message_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/process_message_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/process_message_job.Tpo" "$(DEPDIR)/process_message_job.Po"; else rm -f "$(DEPDIR)/process_message_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/process_message_job.c' object='process_message_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o process_message_job.obj `if test -f 'queues/jobs/process_message_job.c'; then $(CYGPATH_W) 'queues/jobs/process_message_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/process_message_job.c'; fi`
+
+delete_ike_sa_job.o: queues/jobs/delete_ike_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.o -MD -MP -MF "$(DEPDIR)/delete_ike_sa_job.Tpo" -c -o delete_ike_sa_job.o `test -f 'queues/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`queues/jobs/delete_ike_sa_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_ike_sa_job.Tpo" "$(DEPDIR)/delete_ike_sa_job.Po"; else rm -f "$(DEPDIR)/delete_ike_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.o `test -f 'queues/jobs/delete_ike_sa_job.c' || echo '$(srcdir)/'`queues/jobs/delete_ike_sa_job.c
+
+delete_ike_sa_job.obj: queues/jobs/delete_ike_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_ike_sa_job.obj -MD -MP -MF "$(DEPDIR)/delete_ike_sa_job.Tpo" -c -o delete_ike_sa_job.obj `if test -f 'queues/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/delete_ike_sa_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_ike_sa_job.Tpo" "$(DEPDIR)/delete_ike_sa_job.Po"; else rm -f "$(DEPDIR)/delete_ike_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/delete_ike_sa_job.c' object='delete_ike_sa_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_ike_sa_job.obj `if test -f 'queues/jobs/delete_ike_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/delete_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/delete_ike_sa_job.c'; fi`
+
+retransmit_job.o: queues/jobs/retransmit_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.o -MD -MP -MF "$(DEPDIR)/retransmit_job.Tpo" -c -o retransmit_job.o `test -f 'queues/jobs/retransmit_job.c' || echo '$(srcdir)/'`queues/jobs/retransmit_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/retransmit_job.Tpo" "$(DEPDIR)/retransmit_job.Po"; else rm -f "$(DEPDIR)/retransmit_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/retransmit_job.c' object='retransmit_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.o `test -f 'queues/jobs/retransmit_job.c' || echo '$(srcdir)/'`queues/jobs/retransmit_job.c
+
+retransmit_job.obj: queues/jobs/retransmit_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT retransmit_job.obj -MD -MP -MF "$(DEPDIR)/retransmit_job.Tpo" -c -o retransmit_job.obj `if test -f 'queues/jobs/retransmit_job.c'; then $(CYGPATH_W) 'queues/jobs/retransmit_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/retransmit_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/retransmit_job.Tpo" "$(DEPDIR)/retransmit_job.Po"; else rm -f "$(DEPDIR)/retransmit_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/retransmit_job.c' object='retransmit_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o retransmit_job.obj `if test -f 'queues/jobs/retransmit_job.c'; then $(CYGPATH_W) 'queues/jobs/retransmit_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/retransmit_job.c'; fi`
+
+initiate_job.o: queues/jobs/initiate_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_job.o -MD -MP -MF "$(DEPDIR)/initiate_job.Tpo" -c -o initiate_job.o `test -f 'queues/jobs/initiate_job.c' || echo '$(srcdir)/'`queues/jobs/initiate_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/initiate_job.Tpo" "$(DEPDIR)/initiate_job.Po"; else rm -f "$(DEPDIR)/initiate_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/initiate_job.c' object='initiate_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_job.o `test -f 'queues/jobs/initiate_job.c' || echo '$(srcdir)/'`queues/jobs/initiate_job.c
+
+initiate_job.obj: queues/jobs/initiate_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT initiate_job.obj -MD -MP -MF "$(DEPDIR)/initiate_job.Tpo" -c -o initiate_job.obj `if test -f 'queues/jobs/initiate_job.c'; then $(CYGPATH_W) 'queues/jobs/initiate_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/initiate_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/initiate_job.Tpo" "$(DEPDIR)/initiate_job.Po"; else rm -f "$(DEPDIR)/initiate_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/initiate_job.c' object='initiate_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o initiate_job.obj `if test -f 'queues/jobs/initiate_job.c'; then $(CYGPATH_W) 'queues/jobs/initiate_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/initiate_job.c'; fi`
+
+send_keepalive_job.o: queues/jobs/send_keepalive_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.o -MD -MP -MF "$(DEPDIR)/send_keepalive_job.Tpo" -c -o send_keepalive_job.o `test -f 'queues/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`queues/jobs/send_keepalive_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_keepalive_job.Tpo" "$(DEPDIR)/send_keepalive_job.Po"; else rm -f "$(DEPDIR)/send_keepalive_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/send_keepalive_job.c' object='send_keepalive_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.o `test -f 'queues/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`queues/jobs/send_keepalive_job.c
+
+send_keepalive_job.obj: queues/jobs/send_keepalive_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_keepalive_job.obj -MD -MP -MF "$(DEPDIR)/send_keepalive_job.Tpo" -c -o send_keepalive_job.obj `if test -f 'queues/jobs/send_keepalive_job.c'; then $(CYGPATH_W) 'queues/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/send_keepalive_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_keepalive_job.Tpo" "$(DEPDIR)/send_keepalive_job.Po"; else rm -f "$(DEPDIR)/send_keepalive_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/send_keepalive_job.c' object='send_keepalive_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.obj `if test -f 'queues/jobs/send_keepalive_job.c'; then $(CYGPATH_W) 'queues/jobs/send_keepalive_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/send_keepalive_job.c'; fi`
+
+rekey_child_sa_job.o: queues/jobs/rekey_child_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.o -MD -MP -MF "$(DEPDIR)/rekey_child_sa_job.Tpo" -c -o rekey_child_sa_job.o `test -f 'queues/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`queues/jobs/rekey_child_sa_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_child_sa_job.Tpo" "$(DEPDIR)/rekey_child_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_child_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.o `test -f 'queues/jobs/rekey_child_sa_job.c' || echo '$(srcdir)/'`queues/jobs/rekey_child_sa_job.c
+
+rekey_child_sa_job.obj: queues/jobs/rekey_child_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_child_sa_job.obj -MD -MP -MF "$(DEPDIR)/rekey_child_sa_job.Tpo" -c -o rekey_child_sa_job.obj `if test -f 'queues/jobs/rekey_child_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/rekey_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/rekey_child_sa_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_child_sa_job.Tpo" "$(DEPDIR)/rekey_child_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_child_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/rekey_child_sa_job.c' object='rekey_child_sa_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_child_sa_job.obj `if test -f 'queues/jobs/rekey_child_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/rekey_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/rekey_child_sa_job.c'; fi`
+
+delete_child_sa_job.o: queues/jobs/delete_child_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.o -MD -MP -MF "$(DEPDIR)/delete_child_sa_job.Tpo" -c -o delete_child_sa_job.o `test -f 'queues/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`queues/jobs/delete_child_sa_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_child_sa_job.Tpo" "$(DEPDIR)/delete_child_sa_job.Po"; else rm -f "$(DEPDIR)/delete_child_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/delete_child_sa_job.c' object='delete_child_sa_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.o `test -f 'queues/jobs/delete_child_sa_job.c' || echo '$(srcdir)/'`queues/jobs/delete_child_sa_job.c
+
+delete_child_sa_job.obj: queues/jobs/delete_child_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT delete_child_sa_job.obj -MD -MP -MF "$(DEPDIR)/delete_child_sa_job.Tpo" -c -o delete_child_sa_job.obj `if test -f 'queues/jobs/delete_child_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/delete_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/delete_child_sa_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/delete_child_sa_job.Tpo" "$(DEPDIR)/delete_child_sa_job.Po"; else rm -f "$(DEPDIR)/delete_child_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/delete_child_sa_job.c' object='delete_child_sa_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o delete_child_sa_job.obj `if test -f 'queues/jobs/delete_child_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/delete_child_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/delete_child_sa_job.c'; fi`
+
+send_dpd_job.o: queues/jobs/send_dpd_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.o -MD -MP -MF "$(DEPDIR)/send_dpd_job.Tpo" -c -o send_dpd_job.o `test -f 'queues/jobs/send_dpd_job.c' || echo '$(srcdir)/'`queues/jobs/send_dpd_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_dpd_job.Tpo" "$(DEPDIR)/send_dpd_job.Po"; else rm -f "$(DEPDIR)/send_dpd_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/send_dpd_job.c' object='send_dpd_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.o `test -f 'queues/jobs/send_dpd_job.c' || echo '$(srcdir)/'`queues/jobs/send_dpd_job.c
+
+send_dpd_job.obj: queues/jobs/send_dpd_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT send_dpd_job.obj -MD -MP -MF "$(DEPDIR)/send_dpd_job.Tpo" -c -o send_dpd_job.obj `if test -f 'queues/jobs/send_dpd_job.c'; then $(CYGPATH_W) 'queues/jobs/send_dpd_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/send_dpd_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/send_dpd_job.Tpo" "$(DEPDIR)/send_dpd_job.Po"; else rm -f "$(DEPDIR)/send_dpd_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/send_dpd_job.c' object='send_dpd_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_dpd_job.obj `if test -f 'queues/jobs/send_dpd_job.c'; then $(CYGPATH_W) 'queues/jobs/send_dpd_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/send_dpd_job.c'; fi`
+
+route_job.o: queues/jobs/route_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT route_job.o -MD -MP -MF "$(DEPDIR)/route_job.Tpo" -c -o route_job.o `test -f 'queues/jobs/route_job.c' || echo '$(srcdir)/'`queues/jobs/route_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/route_job.Tpo" "$(DEPDIR)/route_job.Po"; else rm -f "$(DEPDIR)/route_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/route_job.c' object='route_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o route_job.o `test -f 'queues/jobs/route_job.c' || echo '$(srcdir)/'`queues/jobs/route_job.c
+
+route_job.obj: queues/jobs/route_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT route_job.obj -MD -MP -MF "$(DEPDIR)/route_job.Tpo" -c -o route_job.obj `if test -f 'queues/jobs/route_job.c'; then $(CYGPATH_W) 'queues/jobs/route_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/route_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/route_job.Tpo" "$(DEPDIR)/route_job.Po"; else rm -f "$(DEPDIR)/route_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/route_job.c' object='route_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o route_job.obj `if test -f 'queues/jobs/route_job.c'; then $(CYGPATH_W) 'queues/jobs/route_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/route_job.c'; fi`
+
+acquire_job.o: queues/jobs/acquire_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.o -MD -MP -MF "$(DEPDIR)/acquire_job.Tpo" -c -o acquire_job.o `test -f 'queues/jobs/acquire_job.c' || echo '$(srcdir)/'`queues/jobs/acquire_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/acquire_job.Tpo" "$(DEPDIR)/acquire_job.Po"; else rm -f "$(DEPDIR)/acquire_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/acquire_job.c' object='acquire_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.o `test -f 'queues/jobs/acquire_job.c' || echo '$(srcdir)/'`queues/jobs/acquire_job.c
+
+acquire_job.obj: queues/jobs/acquire_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT acquire_job.obj -MD -MP -MF "$(DEPDIR)/acquire_job.Tpo" -c -o acquire_job.obj `if test -f 'queues/jobs/acquire_job.c'; then $(CYGPATH_W) 'queues/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/acquire_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/acquire_job.Tpo" "$(DEPDIR)/acquire_job.Po"; else rm -f "$(DEPDIR)/acquire_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/acquire_job.c' object='acquire_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o acquire_job.obj `if test -f 'queues/jobs/acquire_job.c'; then $(CYGPATH_W) 'queues/jobs/acquire_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/acquire_job.c'; fi`
+
+rekey_ike_sa_job.o: queues/jobs/rekey_ike_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.o -MD -MP -MF "$(DEPDIR)/rekey_ike_sa_job.Tpo" -c -o rekey_ike_sa_job.o `test -f 'queues/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`queues/jobs/rekey_ike_sa_job.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_ike_sa_job.Tpo" "$(DEPDIR)/rekey_ike_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_ike_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.o `test -f 'queues/jobs/rekey_ike_sa_job.c' || echo '$(srcdir)/'`queues/jobs/rekey_ike_sa_job.c
+
+rekey_ike_sa_job.obj: queues/jobs/rekey_ike_sa_job.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rekey_ike_sa_job.obj -MD -MP -MF "$(DEPDIR)/rekey_ike_sa_job.Tpo" -c -o rekey_ike_sa_job.obj `if test -f 'queues/jobs/rekey_ike_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/rekey_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/rekey_ike_sa_job.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rekey_ike_sa_job.Tpo" "$(DEPDIR)/rekey_ike_sa_job.Po"; else rm -f "$(DEPDIR)/rekey_ike_sa_job.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/jobs/rekey_ike_sa_job.c' object='rekey_ike_sa_job.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rekey_ike_sa_job.obj `if test -f 'queues/jobs/rekey_ike_sa_job.c'; then $(CYGPATH_W) 'queues/jobs/rekey_ike_sa_job.c'; else $(CYGPATH_W) '$(srcdir)/queues/jobs/rekey_ike_sa_job.c'; fi`
+
+job_queue.o: queues/job_queue.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job_queue.o -MD -MP -MF "$(DEPDIR)/job_queue.Tpo" -c -o job_queue.o `test -f 'queues/job_queue.c' || echo '$(srcdir)/'`queues/job_queue.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job_queue.Tpo" "$(DEPDIR)/job_queue.Po"; else rm -f "$(DEPDIR)/job_queue.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/job_queue.c' object='job_queue.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job_queue.o `test -f 'queues/job_queue.c' || echo '$(srcdir)/'`queues/job_queue.c
+
+job_queue.obj: queues/job_queue.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT job_queue.obj -MD -MP -MF "$(DEPDIR)/job_queue.Tpo" -c -o job_queue.obj `if test -f 'queues/job_queue.c'; then $(CYGPATH_W) 'queues/job_queue.c'; else $(CYGPATH_W) '$(srcdir)/queues/job_queue.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/job_queue.Tpo" "$(DEPDIR)/job_queue.Po"; else rm -f "$(DEPDIR)/job_queue.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/job_queue.c' object='job_queue.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o job_queue.obj `if test -f 'queues/job_queue.c'; then $(CYGPATH_W) 'queues/job_queue.c'; else $(CYGPATH_W) '$(srcdir)/queues/job_queue.c'; fi`
+
+event_queue.o: queues/event_queue.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT event_queue.o -MD -MP -MF "$(DEPDIR)/event_queue.Tpo" -c -o event_queue.o `test -f 'queues/event_queue.c' || echo '$(srcdir)/'`queues/event_queue.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/event_queue.Tpo" "$(DEPDIR)/event_queue.Po"; else rm -f "$(DEPDIR)/event_queue.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/event_queue.c' object='event_queue.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o event_queue.o `test -f 'queues/event_queue.c' || echo '$(srcdir)/'`queues/event_queue.c
+
+event_queue.obj: queues/event_queue.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT event_queue.obj -MD -MP -MF "$(DEPDIR)/event_queue.Tpo" -c -o event_queue.obj `if test -f 'queues/event_queue.c'; then $(CYGPATH_W) 'queues/event_queue.c'; else $(CYGPATH_W) '$(srcdir)/queues/event_queue.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/event_queue.Tpo" "$(DEPDIR)/event_queue.Po"; else rm -f "$(DEPDIR)/event_queue.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='queues/event_queue.c' object='event_queue.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o event_queue.obj `if test -f 'queues/event_queue.c'; then $(CYGPATH_W) 'queues/event_queue.c'; else $(CYGPATH_W) '$(srcdir)/queues/event_queue.c'; fi`
+
+kernel_interface.o: threads/kernel_interface.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.o -MD -MP -MF "$(DEPDIR)/kernel_interface.Tpo" -c -o kernel_interface.o `test -f 'threads/kernel_interface.c' || echo '$(srcdir)/'`threads/kernel_interface.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/kernel_interface.Tpo" "$(DEPDIR)/kernel_interface.Po"; else rm -f "$(DEPDIR)/kernel_interface.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/kernel_interface.c' object='kernel_interface.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.o `test -f 'threads/kernel_interface.c' || echo '$(srcdir)/'`threads/kernel_interface.c
+
+kernel_interface.obj: threads/kernel_interface.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT kernel_interface.obj -MD -MP -MF "$(DEPDIR)/kernel_interface.Tpo" -c -o kernel_interface.obj `if test -f 'threads/kernel_interface.c'; then $(CYGPATH_W) 'threads/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/threads/kernel_interface.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/kernel_interface.Tpo" "$(DEPDIR)/kernel_interface.Po"; else rm -f "$(DEPDIR)/kernel_interface.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/kernel_interface.c' object='kernel_interface.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o kernel_interface.obj `if test -f 'threads/kernel_interface.c'; then $(CYGPATH_W) 'threads/kernel_interface.c'; else $(CYGPATH_W) '$(srcdir)/threads/kernel_interface.c'; fi`
+
+thread_pool.o: threads/thread_pool.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_pool.o -MD -MP -MF "$(DEPDIR)/thread_pool.Tpo" -c -o thread_pool.o `test -f 'threads/thread_pool.c' || echo '$(srcdir)/'`threads/thread_pool.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/thread_pool.Tpo" "$(DEPDIR)/thread_pool.Po"; else rm -f "$(DEPDIR)/thread_pool.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/thread_pool.c' object='thread_pool.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_pool.o `test -f 'threads/thread_pool.c' || echo '$(srcdir)/'`threads/thread_pool.c
+
+thread_pool.obj: threads/thread_pool.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT thread_pool.obj -MD -MP -MF "$(DEPDIR)/thread_pool.Tpo" -c -o thread_pool.obj `if test -f 'threads/thread_pool.c'; then $(CYGPATH_W) 'threads/thread_pool.c'; else $(CYGPATH_W) '$(srcdir)/threads/thread_pool.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/thread_pool.Tpo" "$(DEPDIR)/thread_pool.Po"; else rm -f "$(DEPDIR)/thread_pool.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/thread_pool.c' object='thread_pool.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o thread_pool.obj `if test -f 'threads/thread_pool.c'; then $(CYGPATH_W) 'threads/thread_pool.c'; else $(CYGPATH_W) '$(srcdir)/threads/thread_pool.c'; fi`
+
+scheduler.o: threads/scheduler.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.o -MD -MP -MF "$(DEPDIR)/scheduler.Tpo" -c -o scheduler.o `test -f 'threads/scheduler.c' || echo '$(srcdir)/'`threads/scheduler.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/scheduler.Tpo" "$(DEPDIR)/scheduler.Po"; else rm -f "$(DEPDIR)/scheduler.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/scheduler.c' object='scheduler.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.o `test -f 'threads/scheduler.c' || echo '$(srcdir)/'`threads/scheduler.c
+
+scheduler.obj: threads/scheduler.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT scheduler.obj -MD -MP -MF "$(DEPDIR)/scheduler.Tpo" -c -o scheduler.obj `if test -f 'threads/scheduler.c'; then $(CYGPATH_W) 'threads/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/threads/scheduler.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/scheduler.Tpo" "$(DEPDIR)/scheduler.Po"; else rm -f "$(DEPDIR)/scheduler.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/scheduler.c' object='scheduler.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o scheduler.obj `if test -f 'threads/scheduler.c'; then $(CYGPATH_W) 'threads/scheduler.c'; else $(CYGPATH_W) '$(srcdir)/threads/scheduler.c'; fi`
+
+sender.o: threads/sender.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.o -MD -MP -MF "$(DEPDIR)/sender.Tpo" -c -o sender.o `test -f 'threads/sender.c' || echo '$(srcdir)/'`threads/sender.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sender.Tpo" "$(DEPDIR)/sender.Po"; else rm -f "$(DEPDIR)/sender.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/sender.c' object='sender.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.o `test -f 'threads/sender.c' || echo '$(srcdir)/'`threads/sender.c
+
+sender.obj: threads/sender.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sender.obj -MD -MP -MF "$(DEPDIR)/sender.Tpo" -c -o sender.obj `if test -f 'threads/sender.c'; then $(CYGPATH_W) 'threads/sender.c'; else $(CYGPATH_W) '$(srcdir)/threads/sender.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sender.Tpo" "$(DEPDIR)/sender.Po"; else rm -f "$(DEPDIR)/sender.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/sender.c' object='sender.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sender.obj `if test -f 'threads/sender.c'; then $(CYGPATH_W) 'threads/sender.c'; else $(CYGPATH_W) '$(srcdir)/threads/sender.c'; fi`
+
+receiver.o: threads/receiver.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.o -MD -MP -MF "$(DEPDIR)/receiver.Tpo" -c -o receiver.o `test -f 'threads/receiver.c' || echo '$(srcdir)/'`threads/receiver.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/receiver.Tpo" "$(DEPDIR)/receiver.Po"; else rm -f "$(DEPDIR)/receiver.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/receiver.c' object='receiver.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.o `test -f 'threads/receiver.c' || echo '$(srcdir)/'`threads/receiver.c
+
+receiver.obj: threads/receiver.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT receiver.obj -MD -MP -MF "$(DEPDIR)/receiver.Tpo" -c -o receiver.obj `if test -f 'threads/receiver.c'; then $(CYGPATH_W) 'threads/receiver.c'; else $(CYGPATH_W) '$(srcdir)/threads/receiver.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/receiver.Tpo" "$(DEPDIR)/receiver.Po"; else rm -f "$(DEPDIR)/receiver.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/receiver.c' object='receiver.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o receiver.obj `if test -f 'threads/receiver.c'; then $(CYGPATH_W) 'threads/receiver.c'; else $(CYGPATH_W) '$(srcdir)/threads/receiver.c'; fi`
+
+stroke_interface.o: threads/stroke_interface.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT stroke_interface.o -MD -MP -MF "$(DEPDIR)/stroke_interface.Tpo" -c -o stroke_interface.o `test -f 'threads/stroke_interface.c' || echo '$(srcdir)/'`threads/stroke_interface.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/stroke_interface.Tpo" "$(DEPDIR)/stroke_interface.Po"; else rm -f "$(DEPDIR)/stroke_interface.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/stroke_interface.c' object='stroke_interface.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o stroke_interface.o `test -f 'threads/stroke_interface.c' || echo '$(srcdir)/'`threads/stroke_interface.c
+
+stroke_interface.obj: threads/stroke_interface.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT stroke_interface.obj -MD -MP -MF "$(DEPDIR)/stroke_interface.Tpo" -c -o stroke_interface.obj `if test -f 'threads/stroke_interface.c'; then $(CYGPATH_W) 'threads/stroke_interface.c'; else $(CYGPATH_W) '$(srcdir)/threads/stroke_interface.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/stroke_interface.Tpo" "$(DEPDIR)/stroke_interface.Po"; else rm -f "$(DEPDIR)/stroke_interface.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='threads/stroke_interface.c' object='stroke_interface.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o stroke_interface.obj `if test -f 'threads/stroke_interface.c'; then $(CYGPATH_W) 'threads/stroke_interface.c'; else $(CYGPATH_W) '$(srcdir)/threads/stroke_interface.c'; fi`
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+ for dir in "$(DESTDIR)$(eapdir)" "$(DESTDIR)$(ipsecdir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-eapLTLIBRARIES clean-generic clean-ipsecPROGRAMS \
+ clean-libtool mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-libtool distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-eapLTLIBRARIES install-ipsecPROGRAMS
+
+install-exec-am:
+
+install-info: install-info-am
+
+install-man:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-eapLTLIBRARIES uninstall-info-am \
+ uninstall-ipsecPROGRAMS
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean \
+ clean-eapLTLIBRARIES clean-generic clean-ipsecPROGRAMS \
+ clean-libtool ctags distclean distclean-compile \
+ distclean-generic distclean-libtool distclean-tags distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-eapLTLIBRARIES \
+ install-exec install-exec-am install-info install-info-am \
+ install-ipsecPROGRAMS install-man install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-eapLTLIBRARIES \
+ uninstall-info-am uninstall-ipsecPROGRAMS
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c
new file mode 100644
index 000000000..740663d5c
--- /dev/null
+++ b/src/charon/bus/bus.c
@@ -0,0 +1,397 @@
+/**
+ * @file bus.c
+ *
+ * @brief Implementation of bus_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "bus.h"
+
+#include <pthread.h>
+
+ENUM(signal_names, SIG_ANY, SIG_MAX,
+ /** should not get printed */
+ "SIG_ANY",
+ /** debugging message types */
+ "DMN",
+ "MGR",
+ "IKE",
+ "CHD",
+ "JOB",
+ "CFG",
+ "KNL",
+ "NET",
+ "ENC",
+ "LIB",
+ /** should not get printed */
+ "SIG_DBG_MAX",
+ /** all level0 signals are AUDIT signals */
+ "AUD", "AUD", "AUD",
+ "AUD", "AUD", "AUD",
+ "AUD", "AUD", "AUD",
+ "AUD", "AUD", "AUD",
+ "AUD", "AUD", "AUD",
+ "AUD", "AUD", "AUD",
+ "AUD", "AUD", "AUD",
+ "AUD", "AUD", "AUD",
+ /** should not get printed */
+ "SIG_MAX",
+);
+
+typedef struct active_listener_t active_listener_t;
+
+/**
+ * information for a active listener
+ */
+struct active_listener_t {
+
+ /**
+ * associated thread
+ */
+ pthread_t id;
+
+ /**
+ * condvar to wait for a signal
+ */
+ pthread_cond_t cond;
+
+ /**
+ * state of the thread
+ */
+ enum {
+ /** not registered, do not wait for thread */
+ UNREGISTERED,
+ /** registered, if a signal occurs, wait until it is LISTENING */
+ REGISTERED,
+ /** listening, deliver signal */
+ LISTENING,
+ } state;
+
+ /**
+ * currently processed signals type
+ */
+ signal_t signal;
+
+ /**
+ * verbosity level of the signal
+ */
+ level_t level;
+
+ /**
+ * current processed signals thread number
+ */
+ int thread;
+
+ /**
+ * currently processed signals ike_sa
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * currently processed signals format string
+ */
+ char *format;
+
+ /**
+ * currently processed signals format varargs
+ */
+ va_list args;
+
+};
+
+typedef struct private_bus_t private_bus_t;
+
+/**
+ * Private data of a bus_t object.
+ */
+struct private_bus_t {
+ /**
+ * Public part of a bus_t object.
+ */
+ bus_t public;
+
+ /**
+ * List of registered listeners implementing the bus_t interface
+ */
+ linked_list_t *listeners;
+
+ /**
+ * List of active listeners with listener_state TRUE
+ */
+ linked_list_t *active_listeners;
+
+ /**
+ * mutex to synchronize active listeners
+ */
+ pthread_mutex_t mutex;
+
+ /**
+ * Thread local storage for a unique, simple thread ID
+ */
+ pthread_key_t thread_id;
+
+ /**
+ * Thread local storage the threads IKE_SA
+ */
+ pthread_key_t thread_sa;
+
+};
+
+/**
+ * Get a unique thread number for a calling thread. Since
+ * pthread_self returns large and ugly numbers, use this function
+ * for logging; these numbers are incremental starting at 1
+ */
+static int get_thread_number(private_bus_t *this)
+{
+ static long current_num = 0;
+ static long stored_num;
+
+ stored_num = (long)pthread_getspecific(this->thread_id);
+ if (stored_num == 0)
+ { /* first call of current thread */
+ pthread_setspecific(this->thread_id, (void*)++current_num);
+ return current_num;
+ }
+ else
+ {
+ return stored_num;
+ }
+}
+
+/**
+ * Implementation of bus_t.add_listener.
+ */
+static void add_listener(private_bus_t *this, bus_listener_t *listener)
+{
+ pthread_mutex_lock(&this->mutex);
+ this->listeners->insert_last(this->listeners, listener);
+ pthread_mutex_unlock(&this->mutex);
+}
+
+/**
+ * Get the listener object for the calling thread
+ */
+static active_listener_t *get_active_listener(private_bus_t *this)
+{
+ active_listener_t *current, *found = NULL;
+ iterator_t *iterator;
+
+ /* if the thread was here once before, we have a active_listener record */
+ iterator = this->active_listeners->create_iterator(this->active_listeners, TRUE);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (current->id == pthread_self())
+ {
+ found = current;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (found == NULL)
+ {
+ /* create a new object for a never-seen thread */
+ found = malloc_thing(active_listener_t);
+ found->id = pthread_self();
+ pthread_cond_init(&found->cond, NULL);
+ this->active_listeners->insert_last(this->active_listeners, found);
+ }
+
+ return found;
+}
+
+/**
+ * Implementation of bus_t.listen.
+ */
+static signal_t listen_(private_bus_t *this, level_t *level, int *thread,
+ ike_sa_t **ike_sa, char** format, va_list* args)
+{
+ active_listener_t *listener;
+
+ pthread_mutex_lock(&this->mutex);
+ listener = get_active_listener(this);
+ /* go "listening", say hello to a thread which have a signal for us */
+ listener->state = LISTENING;
+ pthread_cond_broadcast(&listener->cond);
+ /* wait until it has us delivered a signal, and go back to "registered" */
+ pthread_cond_wait(&listener->cond, &this->mutex);
+ pthread_mutex_unlock(&this->mutex);
+
+ /* return signal values */
+ *level = listener->level;
+ *thread = listener->thread;
+ *ike_sa = listener->ike_sa;
+ *format = listener->format;
+ va_copy(*args, listener->args);
+ va_end(listener->args);
+
+ return listener->signal;
+}
+
+/**
+ * Implementation of bus_t.set_listen_state.
+ */
+static void set_listen_state(private_bus_t *this, bool active)
+{
+ active_listener_t *listener;
+
+ pthread_mutex_lock(&this->mutex);
+
+ listener = get_active_listener(this);
+ if (active)
+ {
+ listener->state = REGISTERED;
+ }
+ else
+ {
+ listener->state = UNREGISTERED;
+ /* say hello to signal emitter; we are finished processing the signal */
+ pthread_cond_signal(&listener->cond);
+ }
+
+ pthread_mutex_unlock(&this->mutex);
+}
+
+
+/**
+ * Implementation of bus_t.set_sa.
+ */
+static void set_sa(private_bus_t *this, ike_sa_t *ike_sa)
+{
+ pthread_setspecific(this->thread_sa, ike_sa);
+}
+
+/**
+ * Implementation of bus_t.vsignal.
+ */
+static void vsignal(private_bus_t *this, signal_t signal, level_t level,
+ char* format, va_list args)
+{
+ iterator_t *iterator;
+ bus_listener_t *listener;
+ active_listener_t *active_listener;
+ ike_sa_t *ike_sa;
+ long thread;
+
+ ike_sa = pthread_getspecific(this->thread_sa);
+ thread = get_thread_number(this);
+
+ pthread_mutex_lock(&this->mutex);
+
+ /* do the job for all passive bus_listeners */
+ iterator = this->listeners->create_iterator(this->listeners, TRUE);
+ while (iterator->iterate(iterator, (void**)&listener))
+ {
+ va_list args_copy;
+
+ va_copy(args_copy, args);
+ if (!listener->signal(listener, signal, level, thread,
+ ike_sa, format, args_copy))
+ {
+ /* unregister listener if requested */
+ iterator->remove(iterator);
+ }
+ va_end(args_copy);
+ }
+ iterator->destroy(iterator);
+
+ /* wake up all active listeners */
+ iterator = this->active_listeners->create_iterator(this->active_listeners, TRUE);
+ while (iterator->iterate(iterator, (void**)&active_listener))
+ {
+ /* wait until it is back */
+ while (active_listener->state == REGISTERED)
+ {
+ pthread_cond_wait(&active_listener->cond, &this->mutex);
+ }
+ /* if thread is listening now, give it the signal to process */
+ if (active_listener->state == LISTENING)
+ {
+ active_listener->level = level;
+ active_listener->thread = thread;
+ active_listener->ike_sa = ike_sa;
+ active_listener->signal = signal;
+ active_listener->format = format;
+ va_copy(active_listener->args, args);
+ active_listener->state = REGISTERED;
+ pthread_cond_signal(&active_listener->cond);
+ }
+ }
+
+ /* we must wait now until all are not in state REGISTERED,
+ * as they may still use our arguments */
+ iterator->reset(iterator);
+ while (iterator->iterate(iterator, (void**)&active_listener))
+ {
+ while (active_listener->state == REGISTERED)
+ {
+ pthread_cond_wait(&active_listener->cond, &this->mutex);
+ }
+ }
+ iterator->destroy(iterator);
+
+ pthread_mutex_unlock(&this->mutex);
+}
+
+/**
+ * Implementation of bus_t.signal.
+ */
+static void signal_(private_bus_t *this, signal_t signal, level_t level,
+ char* format, ...)
+{
+ va_list args;
+
+ va_start(args, format);
+ vsignal(this, signal, level, format, args);
+ va_end(args);
+}
+
+/**
+ * Implementation of bus_t.destroy.
+ */
+static void destroy(private_bus_t *this)
+{
+ this->active_listeners->destroy_function(this->active_listeners, free);
+ this->listeners->destroy(this->listeners);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+bus_t *bus_create()
+{
+ private_bus_t *this = malloc_thing(private_bus_t);
+
+ this->public.add_listener = (void(*)(bus_t*,bus_listener_t*))add_listener;
+ this->public.listen = (signal_t(*)(bus_t*,level_t*,int*,ike_sa_t**,char**,va_list*))listen_;
+ this->public.set_listen_state = (void(*)(bus_t*,bool))set_listen_state;
+ this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa;
+ this->public.signal = (void(*)(bus_t*,signal_t,level_t,char*,...))signal_;
+ this->public.vsignal = (void(*)(bus_t*,signal_t,level_t,char*,va_list))vsignal;
+ this->public.destroy = (void(*)(bus_t*)) destroy;
+
+ this->listeners = linked_list_create();
+ this->active_listeners = linked_list_create();
+ pthread_mutex_init(&this->mutex, NULL);
+ pthread_key_create(&this->thread_id, NULL);
+ pthread_key_create(&this->thread_sa, NULL);
+
+ return &(this->public);
+}
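Review bot: In get_thread_number() both `current_num` and `stored_num` are `static`, and vsignal() calls the function before it takes `this->mutex`, so two threads emitting at the same time can overwrite each other's `stored_num` or race on `++current_num` and end up logged under a wrong or duplicate thread number. Making the lookup a plain local, `long stored_num = (long)pthread_getspecific(this->thread_id);`, and moving `thread = get_thread_number(this);` below `pthread_mutex_lock(&this->mutex);` in vsignal() would keep the counter under the bus mutex. Separately, listen_() calls `pthread_cond_wait()` once with no predicate, so a spurious wakeup would hand back whatever signal, format and `va_list` the listener record held before; waiting in `while (listener->state == LISTENING)` would cover that.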
diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h
new file mode 100644
index 000000000..200525fb7
--- /dev/null
+++ b/src/charon/bus/bus.h
@@ -0,0 +1,366 @@
+/**
+ * @file bus.h
+ *
+ * @brief Interface of bus_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef BUS_H_
+#define BUS_H_
+
+typedef enum signal_t signal_t;
+typedef enum level_t level_t;
+typedef struct bus_listener_t bus_listener_t;
+typedef struct bus_t bus_t;
+
+#include <stdarg.h>
+
+#include <sa/ike_sa.h>
+#include <sa/child_sa.h>
+
+
+/**
+ * @brief signals emitted by the daemon.
+ *
+ * Signaling is for different purporses. First, it allows debugging via
+ * "debugging signal messages", sencondly, it allows to follow certain
+ * mechanisms currently going on in the daemon. As we are multithreaded,
+ * and of multiple transactions are involved, it's not possible to follow
+ * one connection setup without further infrastructure. These infrastructure
+ * is provided by the bus and the signals the daemon emits to the bus.
+ *
+ * There are different scenarios to follow these signals, but all have
+ * the same scheme. First, a START signal is emitted to indicate the daemon
+ * has started to
+ *
+ * @ingroup bus
+ */
+enum signal_t {
+ /** pseudo signal, representing any other signal */
+ SIG_ANY,
+
+ /** debugging message from daemon main loop */
+ DBG_DMN,
+ /** debugging message from IKE_SA_MANAGER */
+ DBG_MGR,
+ /** debugging message from an IKE_SA */
+ DBG_IKE,
+ /** debugging message from a CHILD_SA */
+ DBG_CHD,
+ /** debugging message from job processing */
+ DBG_JOB,
+ /** debugging message from configuration backends */
+ DBG_CFG,
+ /** debugging message from kernel interface */
+ DBG_KNL,
+ /** debugging message from networking */
+ DBG_NET,
+ /** debugging message from message encoding/decoding */
+ DBG_ENC,
+ /** debugging message from libstrongswan via logging hook */
+ DBG_LIB,
+
+ /** number of debug signals */
+ DBG_MAX,
+
+ /** signals for IKE_SA establishment */
+ IKE_UP_START,
+ IKE_UP_SUCCESS,
+ IKE_UP_FAILED,
+
+ /** signals for IKE_SA delete */
+ IKE_DOWN_START,
+ IKE_DOWN_SUCCESS,
+ IKE_DOWN_FAILED,
+
+ /** signals for IKE_SA rekeying */
+ IKE_REKEY_START,
+ IKE_REKEY_SUCCESS,
+ IKE_REKEY_FAILED,
+
+ /** signals for CHILD_SA establishment */
+ CHILD_UP_START,
+ CHILD_UP_SUCCESS,
+ CHILD_UP_FAILED,
+
+ /** signals for CHILD_SA delete */
+ CHILD_DOWN_START,
+ CHILD_DOWN_SUCCESS,
+ CHILD_DOWN_FAILED,
+
+ /** signals for CHILD_SA rekeying */
+ CHILD_REKEY_START,
+ CHILD_REKEY_SUCCESS,
+ CHILD_REKEY_FAILED,
+
+ /** signals for CHILD_SA routing */
+ CHILD_ROUTE_START,
+ CHILD_ROUTE_SUCCESS,
+ CHILD_ROUTE_FAILED,
+
+ /** signals for CHILD_SA routing */
+ CHILD_UNROUTE_START,
+ CHILD_UNROUTE_SUCCESS,
+ CHILD_UNROUTE_FAILED,
+
+ SIG_MAX
+};
+
+/**
+ * short names of signals using 3 chars
+ */
+extern enum_name_t *signal_names;
+
+/**
+ * Signal levels used to control output verbosity.
+ */
+enum level_t {
+ /** numerical levels from 0 to 4 */
+ LEVEL_0 = 0,
+ LEVEL_1 = 1,
+ LEVEL_2 = 2,
+ LEVEL_3 = 3,
+ LEVEL_4 = 4,
+ /** absolutely silent, no signal is emitted with this level */
+ LEVEL_SILENT = -1,
+ /** alias for numberical levels */
+ LEVEL_AUDIT = LEVEL_0,
+ LEVEL_CTRL = LEVEL_1,
+ LEVEL_CTRLMORE = LEVEL_2,
+ LEVEL_RAW = LEVEL_3,
+ LEVEL_PRIVATE = LEVEL_4,
+};
+
+#ifndef DEBUG_LEVEL
+# define DEBUG_LEVEL 4
+#endif /* DEBUG_LEVEL */
+
+#if DEBUG_LEVEL >= 1
+/**
+ * @brief Log a debug message via the signal bus.
+ *
+ * @param signal signal_t signal description
+ * @param format printf() style format string
+ * @param ... printf() style agument list
+ */
+# define DBG1(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_1, format, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL */
+#if DEBUG_LEVEL >= 2
+#define DBG2(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_2, format, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL */
+#if DEBUG_LEVEL >= 3
+#define DBG3(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_3, format, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL */
+#if DEBUG_LEVEL >= 4
+#define DBG4(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_4, format, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL */
+
+#ifndef DBG1
+# define DBG1(...) {}
+#endif /* DBG1 */
+#ifndef DBG2
+# define DBG2(...) {}
+#endif /* DBG2 */
+#ifndef DBG3
+# define DBG3(...) {}
+#endif /* DBG3 */
+#ifndef DBG4
+# define DBG4(...) {}
+#endif /* DBG4 */
+
+/**
+ * @brief Raise a signal for an occured event.
+ *
+ * @param sig signal_t signal description
+ * @param format printf() style format string
+ * @param ... printf() style agument list
+ */
+#define SIG(sig, format, ...) charon->bus->signal(charon->bus, sig, LEVEL_0, format, ##__VA_ARGS__)
+
+/**
+ * @brief Get the type of a signal.
+ *
+ * A signal may be a debugging signal with a specific context. They have
+ * a level specific for their context > 0. All audit signals use the
+ * type 0. This allows filtering of singals by their type.
+ *
+ * @param signal signal to get the type from
+ * @return type of the signal, between 0..(DBG_MAX-1)
+ */
+#define SIG_TYPE(sig) (sig > DBG_MAX ? SIG_ANY : sig)
+
+
+/**
+ * @brief Interface for registering at the signal bus.
+ *
+ * To receive signals from the bus, the client implementing the
+ * bus_listener_t interface registers itself at the signal bus.
+ *
+ * @ingroup bus
+ */
+struct bus_listener_t {
+
+ /**
+ * @brief Send a signal to a bus listener.
+ *
+ * A numerical identification for the thread is included, as the
+ * associated IKE_SA, if any. Signal specifies the type of
+ * the event occured. The format string specifies
+ * an additional informational or error message with a printf() like
+ * variable argument list. This is in the va_list form, as forwarding
+ * a "..." parameters to functions is not (cleanly) possible.
+ * The implementing signal function returns TRUE to stay registered
+ * to the bus, or FALSE to unregister itself.
+ *
+ * @param this listener
+ * @param singal kind of the signal (up, down, rekeyed, ...)
+ * @param level verbosity level of the signal
+ * @param thread ID of the thread raised this signal
+ * @param ike_sa IKE_SA associated to the event
+ * @param format printf() style format string
+ * @param args vprintf() style va_list argument list
+ " @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*signal) (bus_listener_t *this, signal_t signal, level_t level,
+ int thread, ike_sa_t *ike_sa, char* format, va_list args);
+};
+
+/**
+ * @brief Signal bus which sends signals to registered listeners.
+ *
+ * The signal bus is not much more than a multiplexer. A listener interested
+ * in receiving event signals registers at the bus. Any signals sent to
+ * are delivered to all registered listeners.
+ * To deliver signals to threads, the blocking listen() call may be used
+ * to wait for a signal.
+ *
+ * @ingroup bus
+ */
+struct bus_t {
+
+ /**
+ * @brief Register a listener to the bus.
+ *
+ * A registered listener receives all signals which are sent to the bus.
+ * The listener is passive; the thread which emitted the signal
+ * processes the listener routine.
+ *
+ * @param this bus
+ * @param listener listener to register.
+ */
+ void (*add_listener) (bus_t *this, bus_listener_t *listener);
+
+ /**
+ * @brief Listen actively on the bus.
+ *
+ * As we are fully multithreaded, we must provide a mechanism
+ * for active threads to listen to the bus. With the listen() method,
+ * a thread waits until a signal occurs, and then processes it.
+ * To prevent the listen() calling thread to miss signals emitted while
+ * it processes a signal, registration is required. This is done through
+ * the set_listen_state() method, see below.
+ *
+ * @param this bus
+ * @param level verbosity level of the signal
+ * @param thread receives thread number emitted the signal
+ * @param ike_sa receives the IKE_SA involved in the signal, or NULL
+ * @param format receives the format string supplied with the signal
+ * @param va_list receives the variable argument list for format
+ * @return the emitted signal type
+ */
+ signal_t (*listen) (bus_t *this, level_t* level, int *thread,
+ ike_sa_t **ike_sa, char** format, va_list* args);
+
+ /**
+ * @brief Set the listening state of the calling thread.
+ *
+ * To prevent message loss for active listeners using listen(), threads
+ * must register themself to the bus before starting to listen(). When
+ * a signal occurs, the emitter waits until all threads with listen_state
+ * TRUE are waiting in the listen() method to process the signal.
+ * It is important that a thread with liste_state TRUE calls listen()
+ * periodically, or sets it's listening state to FALSE; otherwise
+ * all signal emitting threads get blocked on the bus.
+ *
+ * @param this bus
+ * @param active TRUE to set to listening
+ */
+ void (*set_listen_state) (bus_t *this, bool active);
+
+ /**
+ * @brief Set the IKE_SA the calling thread is using.
+ *
+ * To associate an received signal to an IKE_SA without passing it as
+ * parameter each time, the thread registers it's used IKE_SA each
+ * time it checked it out. Before checking it in, the thread unregisters
+ * the IKE_SA (by passing NULL). This IKE_SA is stored per-thread, so each
+ * thread has one IKE_SA registered (or not).
+ *
+ * @param this bus
+ * @param ike_sa ike_sa to register, or NULL to unregister
+ */
+ void (*set_sa) (bus_t *this, ike_sa_t *ike_sa);
+
+ /**
+ * @brief Send a signal to the bus.
+ *
+ * The signal specifies the type of the event occured. The format string
+ * specifies an additional informational or error message with a
+ * printf() like variable argument list.
+ * Some useful macros are available to shorten this call.
+ * @see SIG(), DBG1()
+ *
+ * @param this bus
+ * @param singal kind of the signal (up, down, rekeyed, ...)
+ * @param level verbosity level of the signal
+ * @param format printf() style format string
+ * @param ... printf() style argument list
+ */
+ void (*signal) (bus_t *this, signal_t signal, level_t level, char* format, ...);
+
+ /**
+ * @brief Send a signal to the bus using va_list arguments.
+ *
+ * Same as bus_t.signal(), but uses va_list argument list.
+ *
+ * @param this bus
+ * @param singal kind of the signal (up, down, rekeyed, ...)
+ * @param level verbosity level of the signal
+ * @param format printf() style format string
+ * @param args va_list arguments
+ */
+ void (*vsignal) (bus_t *this, signal_t signal, level_t level, char* format, va_list args);
+
+ /**
+ * @brief Destroy the signal bus.
+ *
+ * @param this bus to destroy
+ */
+ void (*destroy) (bus_t *this);
+};
+
+/**
+ * @brief Create the signal bus which multiplexes signals to its listeners.
+ *
+ * @return signal bus instance
+ *
+ * @ingroup bus
+ */
+bus_t *bus_create();
+
+#endif /* BUS_H_ */
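Review bot: `SIG_TYPE(sig)` tests `sig > DBG_MAX`, so `DBG_MAX` itself is returned unchanged although the comment promises a result in 0..(DBG_MAX-1). file_logger.c and sys_logger.c both index their `levels[DBG_MAX]` arrays with `levels[SIG_TYPE(signal)]`, which for that value is one element past the end (a read in signal_, a write in set_level). The comparison should be `>=` and the argument parenthesised: `#define SIG_TYPE(sig) ((sig) >= DBG_MAX ? SIG_ANY : (sig))`. No caller passing `DBG_MAX` is visible in this part of the diff, so this is hardening of the macro rather than a confirmed overrun.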
diff --git a/src/charon/bus/listeners/file_logger.c b/src/charon/bus/listeners/file_logger.c
new file mode 100644
index 000000000..14f9f72cf
--- /dev/null
+++ b/src/charon/bus/listeners/file_logger.c
@@ -0,0 +1,128 @@
+/**
+ * @file file_logger.c
+ *
+ * @brief Implementation of file_logger_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "file_logger.h"
+
+
+typedef struct private_file_logger_t private_file_logger_t;
+
+/**
+ * Private data of a file_logger_t object
+ */
+struct private_file_logger_t {
+
+ /**
+ * Public data.
+ */
+ file_logger_t public;
+
+ /**
+ * output file
+ */
+ FILE *out;
+
+ /**
+ * Maximum level to log
+ */
+ level_t levels[DBG_MAX];
+};
+
+
+/**
+ * Implementation of bus_listener_t.signal.
+ */
+static bool signal_(private_file_logger_t *this, signal_t signal, level_t level,
+ int thread, ike_sa_t* ike_sa, char *format, va_list args)
+{
+ if (level <= this->levels[SIG_TYPE(signal)])
+ {
+ char buffer[8192];
+ char *current = buffer, *next;
+
+ /* write in memory buffer first */
+ vsnprintf(buffer, sizeof(buffer), format, args);
+
+ /* prepend a prefix in front of every line */
+ while (current)
+ {
+ next = strchr(current, '\n');
+ if (next)
+ {
+ *(next++) = '\0';
+ }
+ fprintf(this->out, "%.2d[%N] %s\n", thread, signal_names, signal, current);
+ current = next;
+ }
+ }
+ /* always stay registered */
+ return TRUE;
+}
+
+/**
+ * Implementation of file_logger_t.set_level.
+ */
+static void set_level(private_file_logger_t *this, signal_t signal, level_t level)
+{
+ if (signal == SIG_ANY)
+ {
+ int i;
+ for (i = 0; i < DBG_MAX; i++)
+ {
+ this->levels[i] = level;
+ }
+ }
+ else
+ {
+
+ this->levels[SIG_TYPE(signal)] = level;
+ }
+}
+
+/**
+ * Implementation of file_logger_t.destroy.
+ */
+static void destroy(private_file_logger_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+file_logger_t *file_logger_create(FILE *out)
+{
+ private_file_logger_t *this = malloc_thing(private_file_logger_t);
+
+ /* public functions */
+ this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,char*,va_list))signal_;
+ this->public.set_level = (void(*)(file_logger_t*,signal_t,level_t))set_level;
+ this->public.destroy = (void(*)(file_logger_t*))destroy;
+
+ /* private variables */
+ this->out = out;
+ set_level(this, SIG_ANY, LEVEL_SILENT);
+
+ return &this->public;
+}
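Review bot: signal_() discards the return value of `vsnprintf()`, so a message that does not fit the 8192-byte stack buffer is cut off with nothing in the log to show it; signal_() in sys_logger.c has the same code. Keeping the length, `int len = vsnprintf(buffer, sizeof(buffer), format, args);`, and writing a short marker line when `len >= (int)sizeof(buffer)` would let a reader tell a complete entry from a truncated one. The stream is also never flushed here, so whether a level-0 audit line survives a crash depends on how the caller set up `out`; an `fflush(this->out);` after the loop would remove that dependency.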
diff --git a/src/charon/bus/listeners/file_logger.h b/src/charon/bus/listeners/file_logger.h
new file mode 100644
index 000000000..d67daba25
--- /dev/null
+++ b/src/charon/bus/listeners/file_logger.h
@@ -0,0 +1,73 @@
+/**
+ * @file file_logger.h
+ *
+ * @brief Interface of file_logger_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef FILE_LOGGER_H_
+#define FILE_LOGGER_H_
+
+typedef struct file_logger_t file_logger_t;
+
+#include <bus/bus.h>
+
+/**
+ * @brief Logger to files which implements bus_listener_t.
+ *
+ * @b Constructors:
+ * - file_logger_create()
+ *
+ * @ingroup listeners
+ */
+struct file_logger_t {
+
+ /**
+ * Implements the bus_listener_t interface.
+ */
+ bus_listener_t listener;
+
+ /**
+ * @brief Set the loglevel for a signal type.
+ *
+ * @param this stream_logger_t object
+ * @param singal type of signal
+ * @param level max level to log (0..4)
+ */
+ void (*set_level) (file_logger_t *this, signal_t signal, level_t level);
+
+ /**
+ * @brief Destroys a file_logger_t object.
+ *
+ * @param this file_logger_t object
+ */
+ void (*destroy) (file_logger_t *this);
+};
+
+/**
+ * @brief Constructor to create a file_logger_t object.
+ *
+ * @param out FILE to write to
+ * @return file_logger_t object
+ *
+ * @ingroup listeners
+ */
+file_logger_t *file_logger_create(FILE *out);
+
+
+#endif /* FILE_LOGGER_H_ */
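Review bot: file_logger_create() is declared with a `FILE *` parameter but the header includes only `<bus/bus.h>`, so `FILE` is known only if the includer pulled in stdio first (as file_logger.c does) or a header behind bus.h happens to provide it. Adding `#include <stdio.h>` above `#include <bus/bus.h>` makes the header self-contained. In the set_level documentation, `@param this stream_logger_t object` and `@param singal type of signal` should read `file_logger_t object` and `@param signal`. sys_logger.h carries the same two lines and needs `sys_logger_t object` there.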
diff --git a/src/charon/bus/listeners/sys_logger.c b/src/charon/bus/listeners/sys_logger.c
new file mode 100644
index 000000000..d26d14dc0
--- /dev/null
+++ b/src/charon/bus/listeners/sys_logger.c
@@ -0,0 +1,131 @@
+/**
+ * @file sys_logger.c
+ *
+ * @brief Implementation of sys_logger_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <pthread.h>
+
+#include "sys_logger.h"
+
+
+typedef struct private_sys_logger_t private_sys_logger_t;
+
+/**
+ * Private data of a sys_logger_t object
+ */
+struct private_sys_logger_t {
+
+ /**
+ * Public data.
+ */
+ sys_logger_t public;
+
+ /**
+ * syslog facility to use
+ */
+ int facility;
+
+ /**
+ * Maximum level to log
+ */
+ level_t levels[DBG_MAX];
+};
+
+
+/**
+ * Implementation of bus_listener_t.signal.
+ */
+static bool signal_(private_sys_logger_t *this, signal_t signal, level_t level,
+ int thread, ike_sa_t* ike_sa, char *format, va_list args)
+{
+ if (level <= this->levels[SIG_TYPE(signal)])
+ {
+ char buffer[8192];
+ char *current = buffer, *next;
+
+ /* write in memory buffer first */
+ vsnprintf(buffer, sizeof(buffer), format, args);
+
+ /* do a syslog with every line */
+ while (current)
+ {
+ next = strchr(current, '\n');
+ if (next)
+ {
+ *(next++) = '\0';
+ }
+ syslog(this->facility|LOG_INFO, "%.2d[%N] %s\n",
+ thread, signal_names, signal, current);
+ current = next;
+ }
+ }
+ /* always stay registered */
+ return TRUE;
+}
+
+/**
+ * Implementation of sys_logger_t.set_level.
+ */
+static void set_level(private_sys_logger_t *this, signal_t signal, level_t level)
+{
+ if (signal == SIG_ANY)
+ {
+ int i;
+ for (i = 0; i < DBG_MAX; i++)
+ {
+ this->levels[i] = level;
+ }
+ }
+ else
+ {
+
+ this->levels[SIG_TYPE(signal)] = level;
+ }
+}
+
+/**
+ * Implementation of sys_logger_t.destroy.
+ */
+static void destroy(private_sys_logger_t *this)
+{
+ closelog();
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+sys_logger_t *sys_logger_create(int facility)
+{
+ private_sys_logger_t *this = malloc_thing(private_sys_logger_t);
+
+ /* public functions */
+ this->public.listener.signal = (bool(*)(bus_listener_t*,signal_t,level_t,int,ike_sa_t*,char*,va_list))signal_;
+ this->public.set_level = (void(*)(sys_logger_t*,signal_t,level_t))set_level;
+ this->public.destroy = (void(*)(sys_logger_t*))destroy;
+
+ /* private variables */
+ this->facility = facility;
+ set_level(this, SIG_ANY, LEVEL_SILENT);
+
+ return &this->public;
+}
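Review bot: signal_() passes `this->facility|LOG_INFO` for every message, so a level-0 audit signal and a level-4 message reach syslog with the same priority and the syslog daemon cannot route or filter them apart. Deriving the priority from `level` would fix that, for example `int prio = level == LEVEL_AUDIT ? LOG_NOTICE : level >= LEVEL_RAW ? LOG_DEBUG : LOG_INFO;` followed by `syslog(this->facility|prio, ...)`. Judging by the names LEVEL_RAW and LEVEL_PRIVATE, the higher levels may carry data that should stay out of forwarded logs, though their content is not shown here. destroy() also calls `closelog()` although nothing in this file calls `openlog()`; that deserves a comment, since the call affects the whole process.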
diff --git a/src/charon/bus/listeners/sys_logger.h b/src/charon/bus/listeners/sys_logger.h
new file mode 100644
index 000000000..091217313
--- /dev/null
+++ b/src/charon/bus/listeners/sys_logger.h
@@ -0,0 +1,75 @@
+/**
+ * @file sys_logger.h
+ *
+ * @brief Interface of sys_logger_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef SYS_LOGGER_H_
+#define SYS_LOGGER_H_
+
+typedef struct sys_logger_t sys_logger_t;
+
+#include <syslog.h>
+
+#include <bus/bus.h>
+
+/**
+ * @brief Logger for syslog which implements bus_listener_t.
+ *
+ * @b Constructors:
+ * - sys_logger_create()
+ *
+ * @ingroup listeners
+ */
+struct sys_logger_t {
+
+ /**
+ * Implements the bus_listener_t interface.
+ */
+ bus_listener_t listener;
+
+ /**
+ * @brief Set the loglevel for a signal type.
+ *
+ * @param this stream_logger_t object
+ * @param singal type of signal
+ * @param level max level to log
+ */
+ void (*set_level) (sys_logger_t *this, signal_t signal, level_t level);
+
+ /**
+ * @brief Destroys a sys_logger_t object.
+ *
+ * @param this sys_logger_t object
+ */
+ void (*destroy) (sys_logger_t *this);
+};
+
+/**
+ * @brief Constructor to create a sys_logger_t object.
+ *
+ * @param facility syslog facility to use
+ * @return sys_logger_t object
+ *
+ * @ingroup listeners
+ */
+sys_logger_t *sys_logger_create(int facility);
+
+
+#endif /* SYS_LOGGER_H_ */
diff --git a/src/charon/config/configuration.c b/src/charon/config/configuration.c
new file mode 100755
index 000000000..488ba9a5e
--- /dev/null
+++ b/src/charon/config/configuration.c
@@ -0,0 +1,162 @@
+/**
+ * @file configuration.c
+ *
+ * @brief Implementation of configuration_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <math.h>
+
+#include "configuration.h"
+
+#include <library.h>
+
+/**
+ * Timeout in milliseconds after that a half open IKE_SA gets deleted.
+ */
+#define HALF_OPEN_IKE_SA_TIMEOUT 30000
+
+/**
+ * Retransmission uses a backoff algorithm. The timeout is calculated using
+ * TIMEOUT * (BASE ** try).
+ * When try reaches TRIES, retransmission is given up.
+ *
+ * Using an initial TIMEOUT of 4s, a BASE of 1.8, and 5 TRIES gives us:
+ *
+ * | relative | absolute
+ * ---------------------------------------------------------
+ * 4s * (1.8 ** (0 % 5)) = 4s 4s
+ * 4s * (1.8 ** (1 % 5)) = 7s 11s
+ * 4s * (1.8 ** (2 % 5)) = 13s 24s
+ * 4s * (1.8 ** (3 % 5)) = 23s 47s
+ * 4s * (1.8 ** (4 % 5)) = 42s 89s
+ * 4s * (1.8 ** (5 % 5)) = 76s 165s
+ *
+ * The peer is considered dead after 2min 45s when no reply comes in.
+ */
+
+/**
+ * First retransmit timeout in milliseconds.
+ * Timeout value is increasing in each retransmit round.
+ */
+#define RETRANSMIT_TIMEOUT 4000
+
+/**
+ * Base which is raised to the power of the retransmission count.
+ */
+#define RETRANSMIT_BASE 1.8
+
+/**
+ * Number of retransmits done in a retransmit sequence
+ */
+#define RETRANSMIT_TRIES 5
+
+/**
+ * Keepalive interval in seconds.
+ */
+#define KEEPALIVE_INTERVAL 20
+
+/**
+ * retry interval in seconds.
+ */
+#define RETRY_INTERVAL 30
+
+/**
+ * jitter to user for retrying
+ */
+#define RETRY_JITTER 20
+
+
+typedef struct private_configuration_t private_configuration_t;
+
+/**
+ * Private data of an configuration_t object.
+ */
+struct private_configuration_t {
+
+ /**
+ * Public part of configuration_t object.
+ */
+ configuration_t public;
+
+};
+
+/**
+ * Implementation of configuration_t.get_retransmit_timeout.
+ */
+static u_int32_t get_retransmit_timeout (private_configuration_t *this,
+ u_int32_t retransmit_count)
+{
+ if (retransmit_count > RETRANSMIT_TRIES)
+ {
+ /* give up */
+ return 0;
+ }
+ return (u_int32_t)
+ (RETRANSMIT_TIMEOUT * pow(RETRANSMIT_BASE, retransmit_count));
+}
+
+/**
+ * Implementation of configuration_t.get_half_open_ike_sa_timeout.
+ */
+static u_int32_t get_half_open_ike_sa_timeout (private_configuration_t *this)
+{
+ return HALF_OPEN_IKE_SA_TIMEOUT;
+}
+
+/**
+ * Implementation of configuration_t.get_keepalive_interval.
+ */
+static u_int32_t get_keepalive_interval (private_configuration_t *this)
+{
+ return KEEPALIVE_INTERVAL;
+}
+
+/**
+ * Implementation of configuration_t.get_retry_interval.
+ */
+static u_int32_t get_retry_interval (private_configuration_t *this)
+{
+ return RETRY_INTERVAL - (random() % RETRY_JITTER);
+}
+
+/**
+ * Implementation of configuration_t.destroy.
+ */
+static void destroy(private_configuration_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header-file
+ */
+configuration_t *configuration_create()
+{
+ private_configuration_t *this = malloc_thing(private_configuration_t);
+
+ /* public functions */
+ this->public.destroy = (void(*)(configuration_t*))destroy;
+ this->public.get_retransmit_timeout = (u_int32_t (*) (configuration_t*,u_int32_t))get_retransmit_timeout;
+ this->public.get_half_open_ike_sa_timeout = (u_int32_t (*) (configuration_t*)) get_half_open_ike_sa_timeout;
+ this->public.get_keepalive_interval = (u_int32_t (*) (configuration_t*)) get_keepalive_interval;
+ this->public.get_retry_interval = (u_int32_t (*) (configuration_t*)) get_retry_interval;
+
+ return (&this->public);
+}
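Review bot: The retransmission comment and `get_retransmit_timeout()` disagree about when to give up: the text says retransmission stops "when try reaches TRIES", but the guard is `retransmit_count > RETRANSMIT_TRIES`, so a count of 5 still returns a timeout (the 76s row of the table). The code therefore matches the table and its 165s total, but not the sentence, nor the macro's description "Number of retransmits done in a retransmit sequence". Either reword the comment to `When try exceeds TRIES, retransmission is given up.` or change the guard to `>=` and drop the last table row; which one is intended cannot be told from this file. The `(N % 5)` in the table rows also has no counterpart in the code, which passes `retransmit_count` to `pow()` unchanged.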
diff --git a/src/charon/config/configuration.h b/src/charon/config/configuration.h
new file mode 100755
index 000000000..c1207171d
--- /dev/null
+++ b/src/charon/config/configuration.h
@@ -0,0 +1,102 @@
+/**
+ * @file configuration.h
+ *
+ * @brief Interface configuration_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CONFIGURATION_H_
+#define CONFIGURATION_H_
+
+typedef struct configuration_t configuration_t;
+
+#include <library.h>
+
+/**
+ * @brief The interface for various daemon related configs.
+ *
+ * @b Constructors:
+ * - configuration_create()
+ *
+ * @ingroup config
+ */
+struct configuration_t {
+
+ /**
+ * @brief Returns the retransmit timeout.
+ *
+ * A return value of zero means the request should not be
+ * retransmitted again.
+ *
+ * @param this calling object
+ * @param retransmitted number of times a message was retransmitted so far
+ * @return time in milliseconds, when to do next retransmit
+ */
+ u_int32_t (*get_retransmit_timeout) (configuration_t *this,
+ u_int32_t retransmitted);
+
+ /**
+ * @brief Returns the timeout for an half open IKE_SA in ms.
+ *
+ * Half open means that the IKE_SA is still on a not established state
+ *
+ * @param this calling object
+ * @return timeout in milliseconds (ms)
+ */
+ u_int32_t (*get_half_open_ike_sa_timeout) (configuration_t *this);
+
+ /**
+ * @brief Returns the keepalive interval in s.
+ *
+ * The keepalive interval defines the idle time after which a
+ * NAT keepalive packet should be sent.
+ *
+ * @param this calling object
+ * @return interval in s
+ */
+ u_int32_t (*get_keepalive_interval) (configuration_t *this);
+
+ /**
+ * @brief Returns the interval to retry a failed action again.
+ *
+ * In some situations, the protocol may be in a state where processing
+ * is not possible and an action must be retried (e.g. rekeying).
+ *
+ * @param this calling object
+ * @return interval in s
+ */
+ u_int32_t (*get_retry_interval) (configuration_t *this);
+
+ /**
+ * @brief Destroys a configuration_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (configuration_t *this);
+};
+
+/**
+ * @brief Creates a configuration backend.
+ *
+ * @return static_configuration_t object
+ *
+ * @ingroup config
+ */
+configuration_t *configuration_create(void);
+
+#endif /*CONFIGURATION_H_*/
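Review bot: The `configuration_create()` comment documents `@return static_configuration_t object`, a type that does not appear in this header; the function returns `configuration_t *`, so I would write `@return configuration_t object`. The getters also mix units behind the same `u_int32_t` return type: milliseconds for `get_retransmit_timeout` and `get_half_open_ike_sa_timeout`, seconds for `get_keepalive_interval` and `get_retry_interval`. Each member comment states its unit, but one line in the struct comment pointing out the mix would make a caller less likely to schedule a timer with the wrong unit.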
diff --git a/src/charon/config/connections/connection.c b/src/charon/config/connections/connection.c
new file mode 100644
index 000000000..ffe508992
--- /dev/null
+++ b/src/charon/config/connections/connection.c
@@ -0,0 +1,404 @@
+/**
+ * @file connection.c
+ *
+ * @brief Implementation of connection_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include <config/connections/connection.h>
+#include <utils/linked_list.h>
+
+ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND,
+ "CERT_ALWAYS_SEND",
+ "CERT_SEND_IF_ASKED",
+ "CERT_NEVER_SEND"
+);
+
+typedef struct private_connection_t private_connection_t;
+
+/**
+ * Private data of an connection_t object
+ */
+struct private_connection_t {
+
+ /**
+ * Public part
+ */
+ connection_t public;
+
+ /**
+ * Number of references hold by others to this connection
+ */
+ refcount_t refcount;
+
+ /**
+ * Name of the connection
+ */
+ char *name;
+
+ /**
+ * Does charon handle this connection? Or can he ignore it?
+ */
+ bool ikev2;
+
+ /**
+ * should we send a certificate request?
+ */
+ cert_policy_t certreq_policy;
+
+ /**
+ * should we send a certificates?
+ */
+ cert_policy_t cert_policy;
+
+ /**
+ * ID of us
+ */
+ identification_t *my_id;
+
+ /**
+ * Host information of my host.
+ */
+ host_t *my_host;
+
+ /**
+ * Host information of other host.
+ */
+ host_t *other_host;
+
+ /**
+ * Interval to send DPD liveness checks on inactivity
+ */
+ u_int32_t dpd_delay;
+
+ /**
+ * Number of retransmission sequences to send bevore giving up
+ */
+ u_int32_t keyingtries;
+
+ /**
+ * Supported proposals
+ */
+ linked_list_t *proposals;
+
+ /**
+ * Time before an SA gets invalid
+ */
+ u_int32_t soft_lifetime;
+
+ /**
+ * Time before an SA gets rekeyed
+ */
+ u_int32_t hard_lifetime;
+
+ /**
+ * Use full reauthentication instead of rekeying
+ */
+ bool reauth;
+
+ /**
+ * Time, which specifies the range of a random value
+ * substracted from soft_lifetime.
+ */
+ u_int32_t jitter;
+};
+
+/**
+ * Implementation of connection_t.get_name.
+ */
+static char *get_name (private_connection_t *this)
+{
+ return this->name;
+}
+
+/**
+ * Implementation of connection_t.is_ikev2.
+ */
+static bool is_ikev2 (private_connection_t *this)
+{
+ return this->ikev2;
+}
+
+/**
+ * Implementation of connection_t.get_certreq_policy.
+ */
+static cert_policy_t get_certreq_policy (private_connection_t *this)
+{
+ return this->certreq_policy;
+}
+
+/**
+ * Implementation of connection_t.get_cert_policy.
+ */
+static cert_policy_t get_cert_policy (private_connection_t *this)
+{
+ return this->cert_policy;
+}
+
+/**
+ * Implementation of connection_t.get_my_host.
+ */
+static host_t *get_my_host (private_connection_t *this)
+{
+ return this->my_host;
+}
+
+/**
+ * Implementation of connection_t.get_other_host.
+ */
+static host_t *get_other_host (private_connection_t *this)
+{
+ return this->other_host;
+}
+
+/**
+ * Implementation of connection_t.get_proposals.
+ */
+static linked_list_t* get_proposals(private_connection_t *this)
+{
+ iterator_t *iterator;
+ proposal_t *current;
+ linked_list_t *proposals = linked_list_create();
+
+ iterator = this->proposals->create_iterator(this->proposals, TRUE);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ current = current->clone(current);
+ proposals->insert_last(proposals, (void*)current);
+ }
+ iterator->destroy(iterator);
+
+ return proposals;
+}
+
+/**
+ * Implementation of connection_t.select_proposal.
+ */
+static proposal_t *select_proposal(private_connection_t *this, linked_list_t *proposals)
+{
+ iterator_t *stored_iter, *supplied_iter;
+ proposal_t *stored, *supplied, *selected;
+
+ stored_iter = this->proposals->create_iterator(this->proposals, TRUE);
+ supplied_iter = proposals->create_iterator(proposals, TRUE);
+
+ /* compare all stored proposals with all supplied. Stored ones are preferred. */
+ while (stored_iter->iterate(stored_iter, (void**)&stored))
+ {
+ supplied_iter->reset(supplied_iter);
+
+ while (supplied_iter->iterate(supplied_iter, (void**)&supplied))
+ {
+ selected = stored->select(stored, supplied);
+ if (selected)
+ {
+ /* they match, return */
+ stored_iter->destroy(stored_iter);
+ supplied_iter->destroy(supplied_iter);
+ return selected;
+ }
+ }
+ }
+ /* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */
+ stored_iter->destroy(stored_iter);
+ supplied_iter->destroy(supplied_iter);
+
+ return NULL;
+}
+
+/**
+ * Implementation of connection_t.add_proposal.
+ */
+static void add_proposal(private_connection_t *this, proposal_t *proposal)
+{
+ this->proposals->insert_last(this->proposals, proposal);
+}
+
+/**
+ * Implementation of connection_t.get_dpd_delay.
+ */
+static u_int32_t get_dpd_delay(private_connection_t *this)
+{
+ return this->dpd_delay;
+}
+
+/**
+ * Implementation of connection_t.get_keyingtries.
+ */
+static u_int32_t get_keyingtries(private_connection_t *this)
+{
+ return this->keyingtries;
+}
+
+/**
+ * Implementation of connection_t.get_dh_group.
+ */
+static diffie_hellman_group_t get_dh_group(private_connection_t *this)
+{
+ iterator_t *iterator;
+ proposal_t *proposal;
+ algorithm_t *algo;
+ diffie_hellman_group_t dh_group = MODP_NONE;
+
+ iterator = this->proposals->create_iterator(this->proposals, TRUE);
+ while (iterator->iterate(iterator, (void**)&proposal))
+ {
+ if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo))
+ {
+ dh_group = algo->algorithm;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return dh_group;
+}
+
+/**
+ * Implementation of connection_t.check_dh_group.
+ */
+static bool check_dh_group(private_connection_t *this, diffie_hellman_group_t dh_group)
+{
+ iterator_t *prop_iter, *alg_iter;
+ proposal_t *proposal;
+ algorithm_t *algo;
+
+ prop_iter = this->proposals->create_iterator(this->proposals, TRUE);
+ while (prop_iter->iterate(prop_iter, (void**)&proposal))
+ {
+ alg_iter = proposal->create_algorithm_iterator(proposal, DIFFIE_HELLMAN_GROUP);
+ while (alg_iter->iterate(alg_iter, (void**)&algo))
+ {
+ if (algo->algorithm == dh_group)
+ {
+ prop_iter->destroy(prop_iter);
+ alg_iter->destroy(alg_iter);
+ return TRUE;
+ }
+ }
+ alg_iter->destroy(alg_iter);
+ }
+ prop_iter->destroy(prop_iter);
+ return FALSE;
+}
+/**
+ * Implementation of connection_t.get_soft_lifetime
+ */
+static u_int32_t get_soft_lifetime(private_connection_t *this)
+{
+ if (this->jitter == 0)
+ {
+ return this->soft_lifetime ;
+ }
+ return this->soft_lifetime - (random() % this->jitter);
+}
+
+/**
+ * Implementation of connection_t.get_hard_lifetime.
+ */
+static u_int32_t get_hard_lifetime(private_connection_t *this)
+{
+ return this->hard_lifetime;
+}
+
+/**
+ * Implementation of connection_t.get_reauth.
+ */
+static bool get_reauth(private_connection_t *this)
+{
+ return this->reauth;
+}
+
+/**
+ * Implementation of connection_t.get_ref.
+ */
+static void get_ref(private_connection_t *this)
+{
+ ref_get(&this->refcount);
+}
+
+/**
+ * Implementation of connection_t.destroy.
+ */
+static void destroy(private_connection_t *this)
+{
+ if (ref_put(&this->refcount))
+ {
+ this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+ this->my_host->destroy(this->my_host);
+ this->other_host->destroy(this->other_host);
+ free(this->name);
+ free(this);
+ }
+}
+
+/**
+ * Described in header.
+ */
+connection_t * connection_create(char *name, bool ikev2,
+ cert_policy_t cert_policy,
+ cert_policy_t certreq_policy,
+ host_t *my_host, host_t *other_host,
+ u_int32_t dpd_delay, bool reauth,
+ u_int32_t keyingtries,
+ u_int32_t hard_lifetime,
+ u_int32_t soft_lifetime, u_int32_t jitter)
+{
+ private_connection_t *this = malloc_thing(private_connection_t);
+
+ /* public functions */
+ this->public.get_name = (char*(*)(connection_t*))get_name;
+ this->public.is_ikev2 = (bool(*)(connection_t*))is_ikev2;
+ this->public.get_cert_policy = (cert_policy_t(*)(connection_t*))get_cert_policy;
+ this->public.get_certreq_policy = (cert_policy_t(*)(connection_t*))get_certreq_policy;
+ this->public.get_my_host = (host_t*(*)(connection_t*))get_my_host;
+ this->public.get_other_host = (host_t*(*)(connection_t*))get_other_host;
+ this->public.get_proposals = (linked_list_t*(*)(connection_t*))get_proposals;
+ this->public.select_proposal = (proposal_t*(*)(connection_t*,linked_list_t*))select_proposal;
+ this->public.add_proposal = (void(*)(connection_t*, proposal_t*)) add_proposal;
+ this->public.get_dpd_delay = (u_int32_t(*)(connection_t*)) get_dpd_delay;
+ this->public.get_reauth = (bool(*)(connection_t*)) get_reauth;
+ this->public.get_keyingtries = (u_int32_t(*)(connection_t*)) get_keyingtries;
+ this->public.get_dh_group = (diffie_hellman_group_t(*)(connection_t*)) get_dh_group;
+ this->public.check_dh_group = (bool(*)(connection_t*,diffie_hellman_group_t)) check_dh_group;
+ this->public.get_soft_lifetime = (u_int32_t (*) (connection_t *))get_soft_lifetime;
+ this->public.get_hard_lifetime = (u_int32_t (*) (connection_t *))get_hard_lifetime;
+ this->public.get_ref = (void(*)(connection_t*))get_ref;
+ this->public.destroy = (void(*)(connection_t*))destroy;
+
+ /* private variables */
+ this->refcount = 1;
+ this->name = strdup(name);
+ this->ikev2 = ikev2;
+ this->cert_policy = cert_policy;
+ this->certreq_policy = certreq_policy;
+ this->my_host = my_host;
+ this->other_host = other_host;
+ this->dpd_delay = dpd_delay;
+ this->reauth = reauth;
+ this->keyingtries = keyingtries;
+ this->hard_lifetime = hard_lifetime;
+ this->soft_lifetime = soft_lifetime;
+ this->jitter = jitter;
+
+ this->proposals = linked_list_create();
+
+ return &this->public;
+}
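Review bot: `get_soft_lifetime()` can wrap around, because `this->soft_lifetime - (random() % this->jitter)` is returned as `u_int32_t` and nothing in `connection_create()` checks that `jitter` is no larger than `soft_lifetime`. When the random value exceeds `soft_lifetime` the result becomes a number close to 2^32 seconds, so rekeying would presumably not be scheduled before the hard lifetime expires (the scheduling code is not in this hunk). Clamping once in the constructor avoids this: `this->jitter = (jitter > soft_lifetime) ? soft_lifetime : jitter;`. The `connection_create()` comment in connection.h should then state that `jitter` is limited to `soft_lifetime`. Separately, the field comments on `soft_lifetime` ("Time before an SA gets invalid") and `hard_lifetime` ("Time before an SA gets rekeyed") look swapped compared with the getter documentation in connection.h.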
diff --git a/src/charon/config/connections/connection.h b/src/charon/config/connections/connection.h
new file mode 100644
index 000000000..d0788876f
--- /dev/null
+++ b/src/charon/config/connections/connection.h
@@ -0,0 +1,292 @@
+/**
+ * @file connection.h
+ *
+ * @brief Interface of connection_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CONNECTION_H_
+#define CONNECTION_H_
+
+typedef enum cert_policy_t cert_policy_t;
+typedef struct connection_t connection_t;
+
+#include <library.h>
+#include <utils/host.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+#include <config/proposal.h>
+#include <crypto/diffie_hellman.h>
+
+
+/**
+ * Certificate sending policy. This is also used for certificate
+ * requests when using this definition for the other peer. If
+ * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
+ * included.
+ *
+ * @ingroup config
+ *
+ * @warning These definitions must be the same as in pluto/starter,
+ * as they are sent over the stroke socket.
+ */
+enum cert_policy_t {
+ /** always send certificates, even when not requested */
+ CERT_ALWAYS_SEND = 0,
+ /** send certificate upon cert request */
+ CERT_SEND_IF_ASKED = 1,
+ /** never send a certificate, even when requested */
+ CERT_NEVER_SEND = 2,
+};
+
+/**
+ * enum strings for cert_policy_t
+ *
+ * @ingroup config
+ */
+extern enum_name_t *cert_policy_names;
+
+/**
+ * @brief A connection_t defines the rules to set up an IKE_SA.
+ *
+ * @b Constructors:
+ * - connection_create()
+ *
+ * @ingroup config
+ */
+struct connection_t {
+
+ /**
+ * @brief Get my address as host_t object.
+ *
+ * Object is NOT getting cloned.
+ *
+ * @param this calling object
+ * @return host information as host_t object
+ */
+ host_t *(*get_my_host) (connection_t *this);
+
+ /**
+ * @brief Get others address as host_t object.
+ *
+ * Object is NOT getting cloned.
+ *
+ * @param this calling object
+ * @return host information as host_t object
+ */
+ host_t *(*get_other_host) (connection_t *this);
+
+ /**
+ * @brief Returns a list of all supported proposals.
+ *
+ * Returned list and its proposals must be destroyed after usage.
+ *
+ * @param this calling object
+ * @return list containing all the proposals
+ */
+ linked_list_t *(*get_proposals) (connection_t *this);
+
+ /**
+ * @brief Adds a proposal to the list.
+ *
+ * The first added proposal has the highest priority, the last
+ * added the lowest.
+ *
+ * @param this calling object
+ * @param proposal proposal to add
+ */
+ void (*add_proposal) (connection_t *this, proposal_t *proposal);
+
+ /**
+ * @brief Select a proposed from suggested proposals.
+ *
+ * Returned proposal must be destroyed after usage.
+ *
+ * @param this calling object
+ * @param proposals list of proposals to select from
+ * @return selected proposal, or NULL if none matches.
+ */
+ proposal_t *(*select_proposal) (connection_t *this, linked_list_t *proposals);
+
+ /**
+ * @brief Get the DPD check interval.
+ *
+ * @param this calling object
+ * @return dpd_delay in seconds
+ */
+ u_int32_t (*get_dpd_delay) (connection_t *this);
+
+ /**
+ * @brief Should a full reauthentication be done instead of rekeying?
+ *
+ * @param this calling object
+ * @return TRUE to use full reauthentication
+ */
+ bool (*get_reauth) (connection_t *this);
+
+ /**
+ * @brief Get the max number of retransmission sequences.
+ *
+ * @param this calling object
+ * @return max number of retransmission sequences
+ */
+ u_int32_t (*get_keyingtries) (connection_t *this);
+
+ /**
+ * @brief Get the connection name.
+ *
+ * Name must not be freed, since it points to
+ * internal data.
+ *
+ * @param this calling object
+ * @return name of the connection
+ */
+ char* (*get_name) (connection_t *this);
+
+ /**
+ * @brief Check if the connection is marked as an IKEv2 connection.
+ *
+ * Since all connections (IKEv1+2) are loaded, but charon handles
+ * only those marked with IKEv2, this flag can tell us if we must
+ * ignore a connection on initiaton. Then pluto will do it for us.
+ *
+ * @param this calling object
+ * @return - TRUE, if this is an IKEv2 connection
+ */
+ bool (*is_ikev2) (connection_t *this);
+
+ /**
+ * @brief Should be sent a certificate request for this connection?
+ *
+ * A certificate request contains serials of our trusted CA certificates.
+ * This flag says if such a request is sent on connection setup to
+ * the peer. It should be omitted when CERT_SEND_NEVER, sended otherwise.
+ *
+ * @param this calling object
+ * @return certificate request sending policy
+ */
+ cert_policy_t (*get_certreq_policy) (connection_t *this);
+
+ /**
+ * @brief Should be sent a certificate for this connection?
+ *
+ * Return the policy used to send the certificate.
+ *
+ * @param this calling object
+ * @return certificate sending policy
+ */
+ cert_policy_t (*get_cert_policy) (connection_t *this);
+
+ /**
+ * @brief Get the DH group to use for connection initialization.
+ *
+ * @param this calling object
+ * @return dh group to use for initialization
+ */
+ diffie_hellman_group_t (*get_dh_group) (connection_t *this);
+
+ /**
+ * @brief Check if a suggested dh group is acceptable.
+ *
+ * If we guess a wrong DH group for IKE_SA_INIT, the other
+ * peer will send us a offer. But is this acceptable for us?
+ *
+ * @param this calling object
+ * @return TRUE if group acceptable
+ */
+ bool (*check_dh_group) (connection_t *this, diffie_hellman_group_t dh_group);
+
+ /**
+ * @brief Get the lifetime of a connection, before IKE_SA rekeying starts.
+ *
+ * A call to this function automatically adds a jitter to
+ * avoid simultanous rekeying.
+ *
+ * @param this calling object
+ * @return lifetime in seconds
+ */
+ u_int32_t (*get_soft_lifetime) (connection_t *this);
+
+ /**
+ * @brief Get the lifetime of a connection, before IKE_SA gets deleted.
+ *
+ * @param this calling object
+ * @return lifetime in seconds
+ */
+ u_int32_t (*get_hard_lifetime) (connection_t *this);
+
+ /**
+ * @brief Get a new reference to this connection.
+ *
+ * Get a new reference to this connection by increasing
+ * it's internal reference counter.
+ * Do not call get_ref or any other function until you
+ * already have a reference. Otherwise the object may get
+ * destroyed while calling get_ref(),
+ *
+ * @param this calling object
+ */
+ void (*get_ref) (connection_t *this);
+
+ /**
+ * @brief Destroys a connection_t object.
+ *
+ * Decrements the internal reference counter and
+ * destroys the connection when it reaches zero.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (connection_t *this);
+};
+
+/**
+ * @brief Creates a connection_t object.
+ *
+ * Supplied hosts become owned by connection, so
+ * do not modify or destroy them after a call to
+ * connection_create(). Name gets cloned internally.
+ * The retrasmit sequence number says how fast we give up when the peer
+ * does not respond. A high value may bridge-over temporary connection
+ * problems, a small value can detect dead peers faster.
+ *
+ * @param name connection identifier
+ * @param ikev2 TRUE if this is an IKEv2 connection
+ * @param cert_policy certificate send policy
+ * @param cert_req_policy certificate request send policy
+ * @param my_host host_t representing local address
+ * @param other_host host_t representing remote address
+ * @param dpd_delay interval of DPD liveness checks
+ * @param reauth use full reauthentication instead of rekeying
+ * @param keyingtries number of retransmit sequences to use
+ * @param hard_lifetime lifetime before deleting an IKE_SA
+ * @param soft_lifetime lifetime before rekeying an IKE_SA
+ * @param jitter range of randomization time
+ * @return connection_t object.
+ *
+ * @ingroup config
+ */
+connection_t * connection_create(char *name, bool ikev2,
+ cert_policy_t cert_pol, cert_policy_t req_pol,
+ host_t *my_host, host_t *other_host,
+ u_int32_t dpd_delay, bool reauth,
+ u_int32_t keyingtries,
+ u_int32_t hard_lifetime, u_int32_t soft_lifetime,
+ u_int32_t jitter);
+
+#endif /* CONNECTION_H_ */
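Review bot: The two adjacent `cert_policy_t` arguments of `connection_create()` are named three different ways: the prototype uses `cert_pol, req_pol`, its doc block uses `cert_policy` and `cert_req_policy`, and the definition in connection.c uses `cert_policy, certreq_policy`. Both have the same type, so a caller that swaps them compiles cleanly and changes whether certificates and certificate requests are sent. I would align the prototype with the definition, `cert_policy_t cert_policy, cert_policy_t certreq_policy,`, and rename the doc line to `@param certreq_policy`. In the same header, the `get_certreq_policy` comment refers to `CERT_SEND_NEVER` while the enum value is `CERT_NEVER_SEND`, and `check_dh_group` lacks a `@param dh_group` line.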
diff --git a/src/charon/config/connections/connection_store.h b/src/charon/config/connections/connection_store.h
new file mode 100755
index 000000000..70f209d3b
--- /dev/null
+++ b/src/charon/config/connections/connection_store.h
@@ -0,0 +1,118 @@
+/**
+ * @file connection_store.h
+ *
+ * @brief Interface connection_store_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CONNECTION_STORE_H_
+#define CONNECTION_STORE_H_
+
+typedef struct connection_store_t connection_store_t;
+
+#include <library.h>
+#include <config/connections/connection.h>
+#include <utils/iterator.h>
+
+/**
+ * @brief The interface for a store of connection_t's.
+ *
+ * @b Constructors:
+ * - stroke_create()
+ *
+ * @ingroup config
+ */
+struct connection_store_t {
+
+ /**
+ * @brief Returns a connection definition identified by two hosts.
+ *
+ * This call is usefull to get a connection identified by addresses.
+ * It may be used after kernel request for traffic protection.
+ * The returned connection gets created/cloned and therefore must
+ * be destroyed after usage.
+ *
+ * @param this calling object
+ * @param my_id own address of connection
+ * @param other_id others address of connection
+ * @return
+ * - connection_t, if found
+ * - NULL otherwise
+ */
+ connection_t *(*get_connection_by_hosts)(connection_store_t *this,
+ host_t *my_host, host_t *other_host);
+
+ /**
+ * @brief Returns a connection identified by its name.
+ *
+ * This call is usefull to get a connection identified its
+ * name, as on an connection setup.
+ *
+ * @param this calling object
+ * @param name name of the connection to get
+ * @return
+ * - connection_t, if found
+ * - NULL otherwise
+ */
+ connection_t *(*get_connection_by_name) (connection_store_t *this, char *name);
+
+ /**
+ * @brief Add a connection to the store.
+ *
+ * After a successful call, the connection is owned by the store and may
+ * not be manipulated nor destroyed.
+ *
+ * @param this calling object
+ * @param connection connection to add
+ * @return
+ * - SUCCESS, or
+ * - FAILED
+ */
+ status_t (*add_connection) (connection_store_t *this, connection_t *connection);
+
+ /**
+ * @brief Delete a connection from the store.
+ *
+ * Remove a connection from the connection store, identified
+ * by the connections name.
+ *
+ * @param this calling object
+ * @param name name of the connection to delete
+ * @return
+ * - SUCCESS, or
+ * - NOT_FOUND
+ */
+ status_t (*delete_connection) (connection_store_t *this, char *name);
+
+ /**
+ * @brief Get an iterator for the stored connections.
+ *
+ * @param this calling object
+ * @return iterator over all stored connections
+ */
+ iterator_t* (*create_iterator) (connection_store_t *this);
+
+ /**
+ * @brief Destroys a connection_store_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (connection_store_t *this);
+};
+
+#endif /* CONNECTION_STORE_H_ */
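Review bot: Ownership of the returned connection is documented for `get_connection_by_hosts` ("must be destroyed after usage") but not for `get_connection_by_name`, which returns the same reference-counted `connection_t *`. A caller who guesses wrong either leaks a reference or calls `destroy` on one it does not hold, and the latter can free a connection the store still lists. If the by-name lookup also hands out a new reference, which this header does not show, its comment should carry the same sentence: `The returned connection must be destroyed after usage.` The `@param my_id` and `@param other_id` lines on `get_connection_by_hosts` should also read `my_host` and `other_host` to match the declaration.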
diff --git a/src/charon/config/connections/local_connection_store.c b/src/charon/config/connections/local_connection_store.c
new file mode 100644
index 000000000..df4ec230a
--- /dev/null
+++ b/src/charon/config/connections/local_connection_store.c
@@ -0,0 +1,237 @@
+/**
+ * @file local_connection_store.c
+ *
+ * @brief Implementation of local_connection_store_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "local_connection_store.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+
+
+typedef struct private_local_connection_store_t private_local_connection_store_t;
+
+/**
+ * Private data of an local_connection_store_t object
+ */
+struct private_local_connection_store_t {
+
+ /**
+ * Public part
+ */
+ local_connection_store_t public;
+
+ /**
+ * stored connection
+ */
+ linked_list_t *connections;
+
+ /**
+ * Mutex to exclusivly access connection list
+ */
+ pthread_mutex_t mutex;
+};
+
+
+/**
+ * Implementation of connection_store_t.get_connection_by_hosts.
+ */
+static connection_t *get_connection_by_hosts(private_local_connection_store_t *this, host_t *my_host, host_t *other_host)
+{
+ typedef enum {
+ PRIO_UNDEFINED= 0x00,
+ PRIO_ADDR_ANY= 0x01,
+ PRIO_ADDR_MATCH= 0x02
+ } prio_t;
+
+ prio_t best_prio = PRIO_UNDEFINED;
+
+ iterator_t *iterator;
+ connection_t *candidate;
+ connection_t *found = NULL;
+
+ DBG2(DBG_CFG, "looking for connection for host pair %H...%H",
+ my_host, other_host);
+
+ pthread_mutex_lock(&(this->mutex));
+ iterator = this->connections->create_iterator(this->connections, TRUE);
+ /* determine closest matching connection */
+ while (iterator->iterate(iterator, (void**)&candidate))
+ {
+ host_t *candidate_my_host;
+ host_t *candidate_other_host;
+
+ candidate_my_host = candidate->get_my_host(candidate);
+ candidate_other_host = candidate->get_other_host(candidate);
+
+ /* my_host addresses must match*/
+ if (my_host->ip_equals(my_host, candidate_my_host))
+ {
+ prio_t prio = PRIO_UNDEFINED;
+
+ /* exact match of peer host address or wildcard address? */
+ if (other_host->ip_equals(other_host, candidate_other_host))
+ {
+ prio |= PRIO_ADDR_MATCH;
+ }
+ else if (candidate_other_host->is_anyaddr(candidate_other_host))
+ {
+ prio |= PRIO_ADDR_ANY;
+ }
+
+ DBG2(DBG_CFG, "candidate connection \"%s\": %H...%H (prio=%d)",
+ candidate->get_name(candidate),
+ candidate_my_host, candidate_other_host, prio);
+
+ if (prio > best_prio)
+ {
+ found = candidate;
+ best_prio = prio;
+ }
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (found)
+ {
+ DBG2(DBG_CFG, "found matching connection \"%s\": %H...%H (prio=%d)",
+ found->get_name(found), found->get_my_host(found),
+ found->get_other_host(found), best_prio);
+
+ /* give out a new reference to it */
+ found->get_ref(found);
+ }
+ pthread_mutex_unlock(&(this->mutex));
+ return found;
+}
+
+/**
+ * Implementation of connection_store_t.get_connection_by_name.
+ */
+static connection_t *get_connection_by_name(private_local_connection_store_t *this, char *name)
+{
+ iterator_t *iterator;
+ connection_t *current, *found = NULL;
+
+ pthread_mutex_lock(&(this->mutex));
+ iterator = this->connections->create_iterator(this->connections, TRUE);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (strcmp(name, current->get_name(current)) == 0)
+ {
+ found = current;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ pthread_mutex_unlock(&(this->mutex));
+
+ if (found)
+ {
+ /* get a new reference for it */
+ found->get_ref(found);
+ }
+ return found;
+}
+
+/**
+ * Implementation of connection_store_t.delete_connection.
+ */
+static status_t delete_connection(private_local_connection_store_t *this, char *name)
+{
+ iterator_t *iterator;
+ connection_t *current;
+ bool found = FALSE;
+
+ pthread_mutex_lock(&(this->mutex));
+ iterator = this->connections->create_iterator(this->connections, TRUE);
+ while (iterator->iterate(iterator, (void **)&current))
+ {
+ if (strcmp(current->get_name(current), name) == 0)
+ {
+ /* remove connection from list, and destroy it */
+ iterator->remove(iterator);
+ current->destroy(current);
+ found = TRUE;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ pthread_mutex_unlock(&(this->mutex));
+ if (found)
+ {
+ return SUCCESS;
+ }
+ return NOT_FOUND;
+}
+
+/**
+ * Implementation of connection_store_t.add_connection.
+ */
+static status_t add_connection(private_local_connection_store_t *this, connection_t *connection)
+{
+ pthread_mutex_lock(&(this->mutex));
+ this->connections->insert_last(this->connections, connection);
+ pthread_mutex_unlock(&(this->mutex));
+ return SUCCESS;
+}
+
+/**
+ * Implementation of connection_store_t.create_iterator.
+ */
+static iterator_t* create_iterator(private_local_connection_store_t *this)
+{
+ return this->connections->create_iterator_locked(this->connections,
+ &this->mutex);
+}
+
+/**
+ * Implementation of connection_store_t.destroy.
+ */
+static void destroy (private_local_connection_store_t *this)
+{
+ pthread_mutex_lock(&(this->mutex));
+ this->connections->destroy_offset(this->connections, offsetof(connection_t, destroy));
+ pthread_mutex_unlock(&(this->mutex));
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+local_connection_store_t * local_connection_store_create(void)
+{
+ private_local_connection_store_t *this = malloc_thing(private_local_connection_store_t);
+
+ this->public.connection_store.get_connection_by_hosts = (connection_t*(*)(connection_store_t*,host_t*,host_t*))get_connection_by_hosts;
+ this->public.connection_store.get_connection_by_name = (connection_t*(*)(connection_store_t*,char*))get_connection_by_name;
+ this->public.connection_store.delete_connection = (status_t(*)(connection_store_t*,char*))delete_connection;
+ this->public.connection_store.add_connection = (status_t(*)(connection_store_t*,connection_t*))add_connection;
+ this->public.connection_store.create_iterator = (iterator_t*(*)(connection_store_t*))create_iterator;
+ this->public.connection_store.destroy = (void(*)(connection_store_t*))destroy;
+
+ /* private variables */
+ this->connections = linked_list_create();
+ pthread_mutex_init(&(this->mutex), NULL);
+
+ return (&this->public);
+}
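Review bot: In get_connection_by_name the new reference is taken after the lock is dropped: `pthread_mutex_unlock(&(this->mutex));` runs before `found->get_ref(found);`, whereas get_connection_by_hosts in the same file takes its reference while still holding the mutex. In that window a concurrent delete_connection can remove the entry and call `current->destroy(current)`, so the caller may receive a dangling pointer if that call releases the last reference (connection_t's reference counting is not visible here). Move the `if (found) { found->get_ref(found); }` block above the unlock so both lookups hand out references under the lock. Separately, destroy() frees the object without calling `pthread_mutex_destroy(&(this->mutex));`.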
diff --git a/src/charon/config/connections/local_connection_store.h b/src/charon/config/connections/local_connection_store.h
new file mode 100644
index 000000000..e78ed809a
--- /dev/null
+++ b/src/charon/config/connections/local_connection_store.h
@@ -0,0 +1,62 @@
+/**
+ * @file local_connection_store.h
+ *
+ * @brief Interface of local_connection_store_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef LOCAL_CONNECTION_H_
+#define LOCAL_CONNECTION_H_
+
+typedef struct local_connection_store_t local_connection_store_t;
+
+#include <library.h>
+#include <config/connections/connection_store.h>
+
+/**
+ * @brief A connection_store_t implementation using a simple connection list.
+ *
+ * The local_connection_store_t class implements the connection_store_t interface
+ * as simple as possible. connection_t's are stored in an in-memory list.
+ *
+ * @b Constructors:
+ * - local_connection_store_create()
+ *
+ * @todo Make thread-save first
+ * @todo Add remove_connection method
+ *
+ * @ingroup config
+ */
+struct local_connection_store_t {
+
+ /**
+ * Implements connection_store_t interface
+ */
+ connection_store_t connection_store;
+};
+
+/**
+ * @brief Creates a local_connection_store_t instance.
+ *
+ * @return connection store instance.
+ *
+ * @ingroup config
+ */
+local_connection_store_t * local_connection_store_create(void);
+
+#endif /* LOCAL_CONNECTION_H_ */
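Review bot: The class comment carries `@todo Make thread-save first` and `@todo Add remove_connection method`, which look stale next to the implementation added in this same commit: local_connection_store.c guards the list with a pthread mutex, and the interface already exposes delete_connection. Drop both, or replace the first with a statement of what is actually guaranteed, e.g. `Access to the connection list is serialized by an internal mutex.` The include guard `LOCAL_CONNECTION_H_` also does not match the file name; `LOCAL_CONNECTION_STORE_H_` would avoid a clash with a future local_connection.h.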
diff --git a/src/charon/config/credentials/local_credential_store.c b/src/charon/config/credentials/local_credential_store.c
new file mode 100644
index 000000000..b7b71b9e7
--- /dev/null
+++ b/src/charon/config/credentials/local_credential_store.c
@@ -0,0 +1,1363 @@
+/**
+ * @file local_credential_store.c
+ *
+ * @brief Implementation of local_credential_store_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/stat.h>
+#include <dirent.h>
+#include <string.h>
+#include <pthread.h>
+
+#include <library.h>
+#include <utils/lexparser.h>
+#include <utils/linked_list.h>
+#include <crypto/rsa/rsa_public_key.h>
+#include <crypto/certinfo.h>
+#include <crypto/x509.h>
+#include <crypto/ca.h>
+#include <crypto/crl.h>
+#include <asn1/ttodata.h>
+
+#include "local_credential_store.h"
+
+#define PATH_BUF 256
+#define MAX_CA_PATH_LEN 7
+
+typedef struct shared_key_t shared_key_t;
+
+/**
+ * Private date of a shared_key_t object
+ */
+struct shared_key_t {
+
+ /**
+ * shared secret
+ */
+ chunk_t secret;
+
+ /**
+ * list of peer IDs
+ */
+ linked_list_t *peers;
+};
+
+
+/**
+ * Implementation of shared_key_t.destroy.
+ */
+static void shared_key_destroy(shared_key_t *this)
+{
+ this->peers->destroy_offset(this->peers, offsetof(identification_t, destroy));
+ chunk_free(&this->secret);
+ free(this);
+}
+
+/**
+ * @brief Creates a shared_key_t object.
+ *
+ * @param shared_key shared key value
+ * @return shared_key_t object
+ *
+ * @ingroup config
+ */
+static shared_key_t *shared_key_create(chunk_t secret)
+{
+ shared_key_t *this = malloc_thing(shared_key_t);
+
+ /* private data */
+ this->secret = chunk_clone(secret);
+ this->peers = linked_list_create();
+
+ return (this);
+}
+
+/* ------------------------------------------------------------------------ *
+ * the ca_info_t object as a central control element
+
++--------------------------------------------------------+
+| local_credential_store_t |
++--------------------------------------------------------+
+ | |
++---------------------------+ +-------------------------+
+| linked_list_t *auth_certs | | linked_list_t *ca_infos |
++---------------------------+ +-------------------------+
+ | |
+ | +------------------------- +
+ | | ca_info_t |
+ | +--------------------------+
++---------------+ | char *name |
+| x509_t |<--| x509_t *cacert | +----------------------+
++---------------+ | linked_list_t *certinfos |-->| certinfo_t |
+| chunk_t keyid | | linked_list_t *ocspuris | +----------------------+
++---------------+ | crl_t *crl | | chunk_t serialNumber |
+ | | linked_list_t *crluris | | cert_status_t status |
+ | | pthread_mutex_t mutex | | time_t thisUpdate |
++---------------+ +--------------------------+ | time_t nextUpdate |
+| x509_t | | | bool once |
++---------------+ | +----------------------+
+| chunk_t keyid | | |
++---------------+ +------------------------- + +----------------------+
+ | | ca_info_t | | certinfo_t |
+ | +--------------------------+ +----------------------+
++---------------+ | char *name | | chunk_t serialNumber |
+| x509_t |<--| x509_t *cacert | | cert_status_t status |
++---------------+ | linked_list_t *certinfos | | time_t thisUpdate |
+| chunk_t keyid | | linked_list_t *ocspuris | | time_t nextUpdate |
++---------------+ | crl_t *crl | | bool once |
+ | | linked_list_t *crluris | +----------------------+
+ | | pthread_mutex_t mutex; | |
+ | +--------------------------+
+ | |
+
+ * ------------------------------------------------------------------------ */
+
+typedef struct private_local_credential_store_t private_local_credential_store_t;
+
+/**
+ * Private data of an local_credential_store_t object
+ */
+struct private_local_credential_store_t {
+
+ /**
+ * Public part
+ */
+ local_credential_store_t public;
+
+ /**
+ * list of shared keys
+ */
+ linked_list_t *shared_keys;
+
+ /**
+ * list of EAP keys
+ */
+ linked_list_t *eap_keys;
+
+ /**
+ * list of key_entry_t's with private keys
+ */
+ linked_list_t *private_keys;
+
+ /**
+ * list of X.509 certificates with public keys
+ */
+ linked_list_t *certs;
+
+ /**
+ * list of X.509 authority certificates with public keys
+ */
+ linked_list_t *auth_certs;
+
+ /**
+ * list of X.509 CA information records
+ */
+ linked_list_t *ca_infos;
+
+ /**
+ * enforce strict crl policy
+ */
+ bool strict;
+};
+
+
+/**
+ * Get a key from a list with shared_key_t's
+ */
+static status_t get_key(linked_list_t *keys,
+ identification_t *my_id,
+ identification_t *other_id, chunk_t *secret)
+{
+ typedef enum {
+ PRIO_UNDEFINED= 0x00,
+ PRIO_ANY_MATCH= 0x01,
+ PRIO_MY_MATCH= 0x02,
+ PRIO_OTHER_MATCH= 0x04,
+ } prio_t;
+
+ prio_t best_prio = PRIO_UNDEFINED;
+ chunk_t found = chunk_empty;
+ shared_key_t *shared_key;
+
+ iterator_t *iterator = keys->create_iterator(keys, TRUE);
+
+ while (iterator->iterate(iterator, (void**)&shared_key))
+ {
+ iterator_t *peer_iterator;
+ identification_t *peer_id;
+ prio_t prio = PRIO_UNDEFINED;
+
+ peer_iterator = shared_key->peers->create_iterator(shared_key->peers, TRUE);
+
+ if (peer_iterator->get_count(peer_iterator) == 0)
+ {
+ /* this is a wildcard shared key */
+ prio = PRIO_ANY_MATCH;
+ }
+ else
+ {
+ while (peer_iterator->iterate(peer_iterator, (void**)&peer_id))
+ {
+ if (my_id->equals(my_id, peer_id))
+ {
+ prio |= PRIO_MY_MATCH;
+ }
+ if (other_id->equals(other_id, peer_id))
+ {
+ prio |= PRIO_OTHER_MATCH;
+ }
+ }
+ }
+ peer_iterator->destroy(peer_iterator);
+
+ if (prio > best_prio)
+ {
+ best_prio = prio;
+ found = shared_key->secret;
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (best_prio == PRIO_UNDEFINED)
+ {
+ return NOT_FOUND;
+ }
+ else
+ {
+ *secret = chunk_clone(found);
+ return SUCCESS;
+ }
+}
+
+
+/**
+ * Implementation of local_credential_store_t.get_shared_key.
+ */
+static status_t get_shared_key(private_local_credential_store_t *this,
+ identification_t *my_id,
+ identification_t *other_id, chunk_t *secret)
+{
+ return get_key(this->shared_keys, my_id, other_id, secret);
+}
+
+/**
+ * Implementation of local_credential_store_t.get_eap_key.
+ */
+static status_t get_eap_key(private_local_credential_store_t *this,
+ identification_t *my_id,
+ identification_t *other_id, chunk_t *secret)
+{
+ return get_key(this->eap_keys, my_id, other_id, secret);
+}
+
+/**
+ * Implementation of credential_store_t.get_certificate.
+ */
+static x509_t* get_certificate(private_local_credential_store_t *this,
+ identification_t *id)
+{
+ x509_t *found = NULL;
+ x509_t *current_cert;
+
+ iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
+
+ while (iterator->iterate(iterator, (void**)&current_cert))
+ {
+ if (id->equals(id, current_cert->get_subject(current_cert)) ||
+ current_cert->equals_subjectAltName(current_cert, id))
+ {
+ found = current_cert;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * Implementation of local_credential_store_t.get_rsa_public_key.
+ */
+static rsa_public_key_t *get_rsa_public_key(private_local_credential_store_t *this,
+ identification_t *id)
+{
+ x509_t *cert = get_certificate(this, id);
+
+ return (cert == NULL)? NULL:cert->get_public_key(cert);
+}
+
+/**
+ * Implementation of local_credential_store_t.get_trusted_public_key.
+ */
+static rsa_public_key_t *get_trusted_public_key(private_local_credential_store_t *this,
+ identification_t *id)
+{
+ cert_status_t status;
+ err_t ugh;
+
+ x509_t *cert = get_certificate(this, id);
+
+ if (cert == NULL)
+ return NULL;
+
+ ugh = cert->is_valid(cert, NULL);
+ if (ugh != NULL)
+ {
+ DBG1(DBG_CFG, "certificate %s", ugh);
+ return NULL;
+ }
+
+ status = cert->get_status(cert);
+ if (status == CERT_REVOKED || status == CERT_UNTRUSTED || (this->strict && status != CERT_GOOD))
+ {
+ DBG1(DBG_CFG, "certificate status: %N", cert_status_names, status);
+ return NULL;
+ }
+ if (status == CERT_GOOD && cert->get_until(cert) < time(NULL))
+ {
+ DBG1(DBG_CFG, "certificate is good but crl is stale");
+ return NULL;
+ }
+
+ return cert->get_public_key(cert);
+}
+
+/**
+ * Implementation of local_credential_store_t.get_rsa_private_key.
+ */
+static rsa_private_key_t *get_rsa_private_key(private_local_credential_store_t *this,
+ rsa_public_key_t *pubkey)
+{
+ rsa_private_key_t *found = NULL, *current;
+
+ iterator_t *iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
+
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (current->belongs_to(current, pubkey))
+ {
+ found = current->clone(current);
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * Implementation of local_credential_store_t.has_rsa_private_key.
+ */
+static bool has_rsa_private_key(private_local_credential_store_t *this, rsa_public_key_t *pubkey)
+{
+ bool found = FALSE;
+ rsa_private_key_t *current;
+
+ iterator_t *iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
+
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (current->belongs_to(current, pubkey))
+ {
+ found = TRUE;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * Implementation of credential_store_t.get_auth_certificate.
+ */
+static x509_t* get_auth_certificate(private_local_credential_store_t *this,
+ u_int auth_flags,
+ identification_t *id)
+{
+ x509_t *found = NULL;
+ x509_t *current_cert;
+
+ iterator_t *iterator = this->auth_certs->create_iterator(this->auth_certs, TRUE);
+
+ while (iterator->iterate(iterator, (void**)&current_cert))
+ {
+ if (current_cert->has_authority_flag(current_cert, auth_flags)
+ && id->equals(id, current_cert->get_subject(current_cert)))
+ {
+ found = current_cert;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ return found;
+}
+
+/**
+ * Implementation of credential_store_t.get_ca_certificate_by_keyid.
+ */
+static x509_t* get_ca_certificate_by_keyid(private_local_credential_store_t *this,
+ chunk_t keyid)
+{
+ x509_t *found = NULL;
+ x509_t *current_cert;
+
+ iterator_t *iterator = this->auth_certs->create_iterator(this->auth_certs, TRUE);
+
+ while (iterator->iterate(iterator, (void**)&current_cert))
+ {
+ rsa_public_key_t *pubkey = current_cert->get_public_key(current_cert);
+
+ if (current_cert->has_authority_flag(current_cert, AUTH_CA)
+ && chunk_equals(keyid, pubkey->get_keyid(pubkey)))
+ {
+ found = current_cert;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ return found;
+}
+
+/**
+ * Implementation of credential_store_t.get_issuer.
+ */
+static ca_info_t* get_issuer(private_local_credential_store_t *this, const x509_t *cert)
+{
+ ca_info_t *found = NULL;
+ ca_info_t *ca_info;
+
+ iterator_t *iterator = this->ca_infos->create_iterator(this->ca_infos, TRUE);
+
+ while (iterator->iterate(iterator, (void**)&ca_info))
+ {
+ if (ca_info->is_cert_issuer(ca_info, cert))
+ {
+ found = ca_info;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ return found;
+}
+
+/**
+ * Find an exact copy of a certificate in a linked list
+ */
+static x509_t* find_certificate(linked_list_t *certs, x509_t *cert)
+{
+ x509_t *found_cert = NULL, *current_cert;
+
+ iterator_t *iterator = certs->create_iterator(certs, TRUE);
+
+ while (iterator->iterate(iterator, (void**)&current_cert))
+ {
+ if (cert->equals(cert, current_cert))
+ {
+ found_cert = current_cert;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ return found_cert;
+}
+
+/**
+ * Adds crl and ocsp uris to the corresponding issuer info record
+ */
+static void add_uris(ca_info_t *issuer, x509_t *cert)
+{
+ iterator_t *iterator;
+ identification_t *uri;
+
+ /* add any crl distribution points to the issuer ca info record */
+ iterator = cert->create_crluri_iterator(cert);
+
+ while (iterator->iterate(iterator, (void**)&uri))
+ {
+ issuer->add_crluri(issuer, uri->get_encoding(uri));
+ }
+ iterator->destroy(iterator);
+
+ /* add any ocsp access points to the issuer ca info record */
+ iterator = cert->create_ocspuri_iterator(cert);
+
+ while (iterator->iterate(iterator, (void**)&uri))
+ {
+ issuer->add_ocspuri(issuer, uri->get_encoding(uri));
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implementation of credential_store_t.is_trusted
+ */
+static bool is_trusted(private_local_credential_store_t *this, x509_t *cert)
+{
+ int pathlen;
+ time_t until = UNDEFINED_TIME;
+ x509_t *cert_to_be_trusted = cert;
+
+ DBG2(DBG_CFG, "establishing trust in certificate:");
+
+ for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+ {
+ err_t ugh = NULL;
+ ca_info_t *issuer;
+ x509_t *issuer_cert;
+ rsa_public_key_t *issuer_public_key;
+ bool valid_signature;
+
+ DBG2(DBG_CFG, "subject: '%D'", cert->get_subject(cert));
+ DBG2(DBG_CFG, "issuer: '%D'", cert->get_issuer(cert));
+
+ ugh = cert->is_valid(cert, &until);
+ if (ugh != NULL)
+ {
+ DBG1(DBG_CFG, "certificate %s", ugh);
+ return FALSE;
+ }
+ DBG2(DBG_CFG, "certificate is valid");
+
+ issuer = get_issuer(this, cert);
+ if (issuer == NULL)
+ {
+ DBG1(DBG_CFG, "issuer not found");
+ return FALSE;
+ }
+ DBG2(DBG_CFG, "issuer found");
+
+ issuer_cert = issuer->get_certificate(issuer);
+ issuer_public_key = issuer_cert->get_public_key(issuer_cert);
+ valid_signature = cert->verify(cert, issuer_public_key);
+
+ if (!valid_signature)
+ {
+ DBG1(DBG_CFG, "certificate signature is invalid");
+ return FALSE;
+ }
+ DBG2(DBG_CFG, "certificate signature is valid");
+
+ /* check if cert is a self-signed root ca */
+ if (pathlen > 0 && cert->is_self_signed(cert))
+ {
+ DBG2(DBG_CFG, "reached self-signed root ca");
+ cert_to_be_trusted->set_until(cert_to_be_trusted, until);
+ cert_to_be_trusted->set_status(cert_to_be_trusted, CERT_GOOD);
+ return TRUE;
+ }
+ else
+ {
+ /* go up one step in the trust chain */
+ cert = issuer_cert;
+ }
+ }
+ DBG1(DBG_CFG, "maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+ return FALSE;
+}
+
+/**
+ * Implementation of credential_store_t.verify.
+ */
+static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *found)
+{
+ int pathlen;
+ time_t until = UNDEFINED_TIME;
+
+ x509_t *end_cert = cert;
+ x509_t *cert_copy = find_certificate(this->certs, end_cert);
+
+ DBG2(DBG_CFG, "verifying end entity certificate:");
+
+ *found = (cert_copy != NULL);
+ if (*found)
+ {
+ DBG2(DBG_CFG,
+ "end entitity certificate is already in credential store");
+ }
+
+ for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+ {
+ err_t ugh = NULL;
+ ca_info_t *issuer;
+ x509_t *issuer_cert;
+ rsa_public_key_t *issuer_public_key;
+ bool valid_signature;
+
+ DBG1(DBG_CFG, "subject: '%D'", cert->get_subject(cert));
+ DBG1(DBG_CFG, "issuer: '%D'", cert->get_issuer(cert));
+
+ ugh = cert->is_valid(cert, &until);
+ if (ugh != NULL)
+ {
+ DBG1(DBG_CFG, "certificate %s", ugh);
+ return FALSE;
+ }
+ DBG2(DBG_CFG, "certificate is valid");
+
+ issuer = get_issuer(this, cert);
+ if (issuer == NULL)
+ {
+ DBG1(DBG_CFG, "issuer not found");
+ return FALSE;
+ }
+ DBG2(DBG_CFG, "issuer found");
+
+ issuer_cert = issuer->get_certificate(issuer);
+ issuer_public_key = issuer_cert->get_public_key(issuer_cert);
+ valid_signature = cert->verify(cert, issuer_public_key);
+
+ if (!valid_signature)
+ {
+ DBG1(DBG_CFG, "certificate signature is invalid");
+ return FALSE;
+ }
+ DBG2(DBG_CFG, "certificate signature is valid");
+
+ /* check if cert is a self-signed root ca */
+ if (pathlen > 0 && cert->is_self_signed(cert))
+ {
+ DBG1(DBG_CFG, "reached self-signed root ca");
+
+ /* set the definite status and trust interval of the end entity certificate */
+ end_cert->set_until(end_cert, until);
+ if (cert_copy)
+ {
+ cert_copy->set_status(cert_copy, end_cert->get_status(end_cert));
+ cert_copy->set_until(cert_copy, until);
+ }
+ return TRUE;
+ }
+ else
+ {
+ time_t nextUpdate;
+ cert_status_t status;
+ certinfo_t *certinfo = certinfo_create(cert->get_serialNumber(cert));
+
+ certinfo->set_nextUpdate(certinfo, until);
+
+ if (pathlen == 0)
+ {
+ /* add any crl and ocsp uris contained in the certificate under test */
+ add_uris(issuer, cert);
+ }
+
+ /* first check certificate revocation using ocsp */
+ status = issuer->verify_by_ocsp(issuer, certinfo, &this->public.credential_store);
+
+ /* if ocsp service is not available then fall back to crl */
+ if ((status == CERT_UNDEFINED) || (status == CERT_UNKNOWN && this->strict))
+ {
+ status = issuer->verify_by_crl(issuer, certinfo, CRL_DIR);
+ }
+
+ nextUpdate = certinfo->get_nextUpdate(certinfo);
+ cert->set_status(cert, status);
+
+ switch (status)
+ {
+ case CERT_GOOD:
+ /* set nextUpdate */
+ cert->set_until(cert, nextUpdate);
+
+ /* if status information is stale */
+ if (this->strict && nextUpdate < time(NULL))
+ {
+ DBG2(DBG_CFG, "certificate is good but status is stale");
+ certinfo->destroy(certinfo);
+ return FALSE;
+ }
+ DBG1(DBG_CFG, "certificate is good");
+
+ /* with strict crl policy the public key must have the same
+ * lifetime as the validity of the ocsp status or crl lifetime
+ */
+ if (this->strict && nextUpdate < until)
+ until = nextUpdate;
+ break;
+ case CERT_REVOKED:
+ {
+ time_t revocationTime = certinfo->get_revocationTime(certinfo);
+ DBG1(DBG_CFG,
+ "certificate was revoked on %T, reason: %N",
+ &revocationTime, crl_reason_names,
+ certinfo->get_revocationReason(certinfo));
+
+ /* set revocationTime */
+ cert->set_until(cert, revocationTime);
+
+ /* update status of end certificate in the credential store */
+ if (cert_copy)
+ {
+ if (pathlen > 0)
+ {
+ cert_copy->set_status(cert_copy, CERT_UNTRUSTED);
+ }
+ else
+ {
+ cert_copy->set_status(cert_copy, CERT_REVOKED);
+ cert_copy->set_until(cert_copy,
+ certinfo->get_revocationTime(certinfo));
+ }
+ }
+ certinfo->destroy(certinfo);
+ return FALSE;
+ }
+ case CERT_UNKNOWN:
+ case CERT_UNDEFINED:
+ default:
+ DBG1(DBG_CFG, "certificate status unknown");
+ if (this->strict)
+ {
+ /* update status of end certificate in the credential store */
+ if (cert_copy)
+ {
+ cert_copy->set_status(cert_copy, CERT_UNTRUSTED);
+ }
+ certinfo->destroy(certinfo);
+ return FALSE;
+ }
+ break;
+ }
+ certinfo->destroy(certinfo);
+ }
+ /* go up one step in the trust chain */
+ cert = issuer_cert;
+ }
+ DBG1(DBG_CFG, "maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+ return FALSE;
+}
+
+/**
+ * Add a unique certificate to a linked list
+ */
+static x509_t* add_certificate(linked_list_t *certs, x509_t *cert)
+{
+ x509_t *found_cert = find_certificate(certs, cert);
+
+ if (found_cert)
+ {
+ /* add the authority flags */
+ found_cert->add_authority_flags(found_cert, cert->get_authority_flags(cert));
+
+ cert->destroy(cert);
+ return found_cert;
+ }
+ else
+ {
+ certs->insert_last(certs, (void*)cert);
+ return cert;
+ }
+}
+
+/**
+ * Add a unique ca info record to a linked list
+ */
+static void add_ca_info(private_local_credential_store_t *this, ca_info_t *ca_info)
+{
+ ca_info_t *current_ca_info;
+ ca_info_t *found_ca_info = NULL;
+
+ iterator_t *iterator = this->ca_infos->create_iterator(this->ca_infos, TRUE);
+
+ while (iterator->iterate(iterator, (void**)&current_ca_info))
+ {
+ if (current_ca_info->equals(current_ca_info, ca_info))
+ {
+ found_ca_info = current_ca_info;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (found_ca_info)
+ {
+ current_ca_info->add_info(current_ca_info, ca_info);
+ ca_info->destroy(ca_info);
+ }
+ else
+ {
+ this->ca_infos->insert_last(this->ca_infos, (void*)ca_info);
+ }
+}
+
+/**
+ * Release ca info record of a given name
+ */
+static status_t release_ca_info(private_local_credential_store_t *this, const char *name)
+{
+ status_t status = NOT_FOUND;
+ ca_info_t *ca_info;
+
+ iterator_t *iterator = this->ca_infos->create_iterator(this->ca_infos, TRUE);
+
+ while (iterator->iterate(iterator, (void**)&ca_info))
+ {
+ if (ca_info->equals_name_release_info(ca_info, name))
+ {
+ status = SUCCESS;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ return status;
+}
+
+/**
+ * Implements local_credential_store_t.add_end_certificate
+ */
+static x509_t* add_end_certificate(private_local_credential_store_t *this, x509_t *cert)
+{
+ x509_t *ret_cert = add_certificate(this->certs, cert);
+
+ /* add crl and ocsp uris the first time the certificate is added */
+ if (ret_cert == cert)
+ {
+ ca_info_t *issuer = get_issuer(this, cert);
+
+ if (issuer)
+ {
+ add_uris(issuer, cert);
+ }
+ }
+ return ret_cert;
+}
+
+/**
+ * Implements local_credential_store_t.add_auth_certificate
+ */
+static x509_t* add_auth_certificate(private_local_credential_store_t *this, x509_t *cert, u_int auth_flags)
+{
+ cert->add_authority_flags(cert, auth_flags);
+ return add_certificate(this->auth_certs, cert);
+}
+
+/**
+ * Implements local_credential_store_t.create_cert_iterator
+ */
+static iterator_t* create_cert_iterator(private_local_credential_store_t *this)
+{
+ return this->certs->create_iterator(this->certs, TRUE);
+}
+
+/**
+ * Implements local_credential_store_t.create_cacert_iterator
+ */
+static iterator_t* create_auth_cert_iterator(private_local_credential_store_t *this)
+{
+ return this->auth_certs->create_iterator(this->auth_certs, TRUE);
+}
+
+/**
+ * Implements local_credential_store_t.create_cainfo_iterator
+ */
+static iterator_t* create_cainfo_iterator(private_local_credential_store_t *this)
+{
+ return this->ca_infos->create_iterator(this->ca_infos, TRUE);
+}
+
+/**
+ * Implements local_credential_store_t.load_auth_certificates
+ */
+static void load_auth_certificates(private_local_credential_store_t *this,
+ u_int auth_flag,
+ const char* label,
+ const char* path)
+{
+ struct dirent* entry;
+ struct stat stb;
+ DIR* dir;
+
+ DBG1(DBG_CFG, "loading %s certificates from '%s/'", label, path);
+
+ dir = opendir(path);
+ if (dir == NULL)
+ {
+ DBG1(DBG_CFG, "error opening %s certs directory %s'", label, path);
+ return;
+ }
+
+ while ((entry = readdir(dir)) != NULL)
+ {
+ char file[PATH_BUF];
+
+ snprintf(file, sizeof(file), "%s/%s", path, entry->d_name);
+
+ if (stat(file, &stb) == -1)
+ {
+ continue;
+ }
+ /* try to parse all regular files */
+ if (stb.st_mode & S_IFREG)
+ {
+ x509_t *cert = x509_create_from_file(file, label);
+
+ if (cert)
+ {
+ err_t ugh = cert->is_valid(cert, NULL);
+
+ if (ugh != NULL)
+ {
+ DBG1(DBG_CFG, "warning: %s certificate %s", label, ugh);
+ }
+
+ if (auth_flag == AUTH_CA && !cert->is_ca(cert))
+ {
+ DBG1(DBG_CFG, " CA basic constraints flag not set, cert discarded");
+ cert->destroy(cert);
+ }
+ else
+ {
+ x509_t *ret_cert;
+
+ cert->add_authority_flags(cert, auth_flag);
+
+ ret_cert = add_certificate(this->auth_certs, cert);
+
+ if (auth_flag == AUTH_CA && ret_cert == cert)
+ {
+ ca_info_t *ca_info = ca_info_create(NULL, cert);
+
+ add_ca_info(this, ca_info);
+ }
+ }
+ }
+ }
+ }
+ closedir(dir);
+}
+
+/**
+ * Implements local_credential_store_t.load_ca_certificates
+ */
+static void load_ca_certificates(private_local_credential_store_t *this)
+{
+ load_auth_certificates(this, AUTH_CA, "ca", CA_CERTIFICATE_DIR);
+
+ /* add any crl and ocsp uris found in the ca certificates to the
+ * corresponding issuer info record. We can do this only after all
+ * ca certificates have been loaded and the ca hierarchy is known.
+ */
+ {
+ iterator_t *iterator = this->ca_infos->create_iterator(this->ca_infos, TRUE);
+ ca_info_t *ca_info;
+
+ while (iterator->iterate(iterator, (void **)&ca_info))
+ {
+ x509_t *cacert = ca_info->get_certificate(ca_info);
+ ca_info_t *issuer = get_issuer(this, cacert);
+
+ if (issuer)
+ {
+ add_uris(issuer, cacert);
+ }
+ }
+ iterator->destroy(iterator);
+ }
+}
+
+/**
+ * Implements local_credential_store_t.load_ocsp_certificates
+ */
+static void load_ocsp_certificates(private_local_credential_store_t *this)
+{
+ load_auth_certificates(this, AUTH_OCSP, "ocsp", OCSP_CERTIFICATE_DIR);
+}
+
+/**
+ * Add the latest crl to the issuing ca
+ */
+static void add_crl(private_local_credential_store_t *this, crl_t *crl, const char *path)
+{
+ iterator_t *iterator = this->ca_infos->create_iterator(this->ca_infos, TRUE);
+ ca_info_t *ca_info;
+ bool found = FALSE;
+
+ while (iterator->iterate(iterator, (void**)&ca_info))
+ {
+ if (ca_info->is_crl_issuer(ca_info, crl))
+ {
+ char buffer[BUF_LEN];
+ chunk_t uri = { buffer, 7 + strlen(path) };
+
+ ca_info->add_crl(ca_info, crl);
+ if (uri.len < BUF_LEN)
+ {
+ snprintf(buffer, BUF_LEN, "file://%s", path);
+ ca_info->add_crluri(ca_info, uri);
+ }
+ found = TRUE;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (!found)
+ {
+ crl->destroy(crl);
+ DBG2(DBG_CFG, " no issuing ca found for this crl - discarded");
+ }
+}
+
+/**
+ * Implements local_credential_store_t.load_crls
+ */
+static void load_crls(private_local_credential_store_t *this)
+{
+ struct dirent* entry;
+ struct stat stb;
+ DIR* dir;
+ crl_t *crl;
+
+ DBG1(DBG_CFG, "loading crls from '%s/'", CRL_DIR);
+
+ dir = opendir(CRL_DIR);
+ if (dir == NULL)
+ {
+ DBG1(DBG_CFG, "error opening crl directory %s'", CRL_DIR);
+ return;
+ }
+
+ while ((entry = readdir(dir)) != NULL)
+ {
+ char file[PATH_BUF];
+
+ snprintf(file, sizeof(file), "%s/%s", CRL_DIR, entry->d_name);
+
+ if (stat(file, &stb) == -1)
+ {
+ continue;
+ }
+ /* try to parse all regular files */
+ if (stb.st_mode & S_IFREG)
+ {
+ crl = crl_create_from_file(file);
+ if (crl)
+ {
+ DBG1(DBG_CFG, " crl is %s", crl->is_valid(crl)? "valid":"stale");
+ add_crl(this, crl, file);
+ }
+ }
+ }
+ closedir(dir);
+}
+
+/**
+ * Convert a string of characters into a binary secret
+ * A string between single or double quotes is treated as ASCII characters
+ * A string prepended by 0x is treated as HEX and prepended by 0s as Base64
+ */
+static err_t extract_secret(chunk_t *secret, chunk_t *line)
+{
+ chunk_t raw_secret;
+ char delimiter = ' ';
+ bool quotes = FALSE;
+
+ if (!eat_whitespace(line))
+ {
+ return "missing secret";
+ }
+
+ if (*line->ptr == '\'' || *line->ptr == '"')
+ {
+ quotes = TRUE;
+ delimiter = *line->ptr;
+ line->ptr++; line->len--;
+ }
+
+ if (!extract_token(&raw_secret, delimiter, line))
+ {
+ if (delimiter == ' ')
+ {
+ raw_secret = *line;
+ }
+ else
+ {
+ return "missing second delimiter";
+ }
+ }
+
+ if (quotes)
+ { /* treat as an ASCII string */
+ if (raw_secret.len > secret->len)
+ return "secret larger than buffer";
+ memcpy(secret->ptr, raw_secret.ptr, raw_secret.len);
+ secret->len = raw_secret.len;
+ }
+ else
+ { /* convert from HEX or Base64 to binary */
+ size_t len;
+ err_t ugh = ttodata(raw_secret.ptr, raw_secret.len, 0, secret->ptr, secret->len, &len);
+
+ if (ugh != NULL)
+ return ugh;
+ if (len > secret->len)
+ return "secret larger than buffer";
+ secret->len = len;
+ }
+ return NULL;
+}
+
+/**
+ * Implements local_credential_store_t.load_secrets
+ */
+static void load_secrets(private_local_credential_store_t *this)
+{
+ FILE *fd = fopen(SECRETS_FILE, "r");
+
+ if (fd)
+ {
+ int bytes;
+ int line_nr = 0;
+ chunk_t chunk, src, line;
+
+ DBG1(DBG_CFG, "loading secrets from \"%s\"", SECRETS_FILE);
+
+ fseek(fd, 0, SEEK_END);
+ chunk.len = ftell(fd);
+ rewind(fd);
+ chunk.ptr = malloc(chunk.len);
+ bytes = fread(chunk.ptr, 1, chunk.len, fd);
+ fclose(fd);
+
+ src = chunk;
+
+ while (fetchline(&src, &line))
+ {
+ chunk_t ids, token;
+ bool is_eap = FALSE;
+
+ line_nr++;
+
+ if (!eat_whitespace(&line))
+ {
+ continue;
+ }
+ if (!extract_token(&ids, ':', &line))
+ {
+ DBG1(DBG_CFG, "line %d: missing ':' separator", line_nr);
+ goto error;
+ }
+ /* NULL terminate the ids string by replacing the : separator */
+ *(ids.ptr + ids.len) = '\0';
+
+ if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line))
+ {
+ DBG1(DBG_CFG, "line %d: missing token", line_nr);
+ goto error;
+ }
+ if (match("RSA", &token))
+ {
+ char path[PATH_BUF];
+ chunk_t filename;
+
+ char buf[BUF_LEN];
+ chunk_t secret = { buf, BUF_LEN };
+ chunk_t *passphrase = NULL;
+
+ rsa_private_key_t *key;
+
+ err_t ugh = extract_value(&filename, &line);
+
+ if (ugh != NULL)
+ {
+ DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
+ goto error;
+ }
+ if (filename.len == 0)
+ {
+ DBG1(DBG_CFG, "line %d: empty filename", line_nr);
+ goto error;
+ }
+ if (*filename.ptr == '/')
+ {
+ /* absolute path name */
+ snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
+ }
+ else
+ {
+ /* relative path name */
+ snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
+ filename.len, filename.ptr);
+ }
+
+ /* check for optional passphrase */
+ if (eat_whitespace(&line))
+ {
+ ugh = extract_secret(&secret, &line);
+ if (ugh != NULL)
+ {
+ DBG1(DBG_CFG, "line %d: malformed passphrase: %s", line_nr, ugh);
+ goto error;
+ }
+ if (secret.len > 0)
+ passphrase = &secret;
+ }
+ key = rsa_private_key_create_from_file(path, passphrase);
+ if (key)
+ {
+ this->private_keys->insert_last(this->private_keys, (void*)key);
+ }
+ }
+ else if ( match("PSK", &token) ||
+ ((match("EAP", &token) || match("XAUTH", &token)) && (is_eap = TRUE)))
+ {
+ shared_key_t *shared_key;
+
+ char buf[BUF_LEN];
+ chunk_t secret = { buf, BUF_LEN };
+
+ err_t ugh = extract_secret(&secret, &line);
+ if (ugh != NULL)
+ {
+ DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh);
+ goto error;
+ }
+
+ DBG1(DBG_CFG, " loading %s key for %s",
+ is_eap ? "EAP" : "shared",
+ ids.len > 0 ? (char*)ids.ptr : "%any");
+
+ DBG4(DBG_CFG, " secret:", secret);
+
+ shared_key = shared_key_create(secret);
+ if (shared_key)
+ {
+ if (is_eap)
+ {
+ this->eap_keys->insert_last(this->eap_keys, (void*)shared_key);
+ }
+ else
+ {
+ this->shared_keys->insert_last(this->shared_keys, (void*)shared_key);
+ }
+ }
+ while (ids.len > 0)
+ {
+ chunk_t id;
+ identification_t *peer_id;
+
+ ugh = extract_value(&id, &ids);
+ if (ugh != NULL)
+ {
+ DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
+ goto error;
+ }
+ if (id.len == 0)
+ {
+ continue;
+ }
+
+ /* NULL terminate the ID string */
+ *(id.ptr + id.len) = '\0';
+
+ peer_id = identification_create_from_string(id.ptr);
+ if (peer_id == NULL)
+ {
+ DBG1(DBG_CFG, "line %d: malformed ID: %s", line_nr, id.ptr);
+ goto error;
+ }
+
+ if (peer_id->get_type(peer_id) == ID_ANY)
+ {
+ peer_id->destroy(peer_id);
+ continue;
+ }
+ shared_key->peers->insert_last(shared_key->peers, (void*)peer_id);
+ }
+ }
+ else if (match("PIN", &token))
+ {
+
+ }
+ else
+ {
+ DBG1(DBG_CFG, "line %d: token must be either "
+ "RSA, PSK, EAP, or PIN", line_nr, token.len);
+ goto error;
+ }
+ }
+error:
+ free(chunk.ptr);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "could not open file '%s'", SECRETS_FILE);
+ }
+}
+
+/**
+ * Implementation of local_credential_store_t.destroy.
+ */
+static void destroy(private_local_credential_store_t *this)
+{
+ this->certs->destroy_offset(this->certs, offsetof(x509_t, destroy));
+ this->auth_certs->destroy_offset(this->auth_certs, offsetof(x509_t, destroy));
+ this->ca_infos->destroy_offset(this->ca_infos, offsetof(ca_info_t, destroy));
+ this->private_keys->destroy_offset(this->private_keys, offsetof(rsa_private_key_t, destroy));
+ this->shared_keys->destroy_function(this->shared_keys, (void*)shared_key_destroy);
+ this->eap_keys->destroy_function(this->eap_keys, (void*)shared_key_destroy);
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+local_credential_store_t * local_credential_store_create(bool strict)
+{
+ private_local_credential_store_t *this = malloc_thing(private_local_credential_store_t);
+
+ this->public.credential_store.get_shared_key = (status_t (*) (credential_store_t*,identification_t*,identification_t*,chunk_t*))get_shared_key;
+ this->public.credential_store.get_eap_key = (status_t (*) (credential_store_t*,identification_t*,identification_t*,chunk_t*))get_eap_key;
+ this->public.credential_store.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key;
+ this->public.credential_store.get_rsa_private_key = (rsa_private_key_t* (*) (credential_store_t*,rsa_public_key_t*))get_rsa_private_key;
+ this->public.credential_store.has_rsa_private_key = (bool (*) (credential_store_t*,rsa_public_key_t*))has_rsa_private_key;
+ this->public.credential_store.get_trusted_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_trusted_public_key;
+ this->public.credential_store.get_certificate = (x509_t* (*) (credential_store_t*,identification_t*))get_certificate;
+ this->public.credential_store.get_auth_certificate = (x509_t* (*) (credential_store_t*,u_int,identification_t*))get_auth_certificate;
+ this->public.credential_store.get_ca_certificate_by_keyid = (x509_t* (*) (credential_store_t*,chunk_t))get_ca_certificate_by_keyid;
+ this->public.credential_store.get_issuer = (ca_info_t* (*) (credential_store_t*,const x509_t*))get_issuer;
+ this->public.credential_store.is_trusted = (bool (*) (credential_store_t*,x509_t*))is_trusted;
+ this->public.credential_store.verify = (bool (*) (credential_store_t*,x509_t*,bool*))verify;
+ this->public.credential_store.add_end_certificate = (x509_t* (*) (credential_store_t*,x509_t*))add_end_certificate;
+ this->public.credential_store.add_auth_certificate = (x509_t* (*) (credential_store_t*,x509_t*,u_int))add_auth_certificate;
+ this->public.credential_store.add_ca_info = (void (*) (credential_store_t*,ca_info_t*))add_ca_info;
+ this->public.credential_store.release_ca_info = (status_t (*) (credential_store_t*,const char*))release_ca_info;
+ this->public.credential_store.create_cert_iterator = (iterator_t* (*) (credential_store_t*))create_cert_iterator;
+ this->public.credential_store.create_auth_cert_iterator = (iterator_t* (*) (credential_store_t*))create_auth_cert_iterator;
+ this->public.credential_store.create_cainfo_iterator = (iterator_t* (*) (credential_store_t*))create_cainfo_iterator;
+ this->public.credential_store.load_ca_certificates = (void (*) (credential_store_t*))load_ca_certificates;
+ this->public.credential_store.load_ocsp_certificates = (void (*) (credential_store_t*))load_ocsp_certificates;
+ this->public.credential_store.load_crls = (void (*) (credential_store_t*))load_crls;
+ this->public.credential_store.load_secrets = (void (*) (credential_store_t*))load_secrets;
+ this->public.credential_store.destroy = (void (*) (credential_store_t*))destroy;
+
+ /* private variables */
+ this->shared_keys = linked_list_create();
+ this->eap_keys = linked_list_create();
+ this->private_keys = linked_list_create();
+ this->certs = linked_list_create();
+ this->auth_certs = linked_list_create();
+ this->ca_infos = linked_list_create();
+ this->strict = strict;
+
+ return (&this->public);
+}
diff --git a/src/charon/config/credentials/local_credential_store.h b/src/charon/config/credentials/local_credential_store.h
new file mode 100644
index 000000000..88a94d6f9
--- /dev/null
+++ b/src/charon/config/credentials/local_credential_store.h
@@ -0,0 +1,64 @@
+/**
+ * @file local_credential_store.h
+ *
+ * @brief Interface of local_credential_store_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef LOCAL_CREDENTIAL_H_
+#define LOCAL_CREDENTIAL_H_
+
+typedef struct local_credential_store_t local_credential_store_t;
+
+#include <library.h>
+#include <credential_store.h>
+#include <daemon.h>
+
+
+/**
+ * @brief A credential_store_t implementation using simple credentail lists.
+ *
+ * The local_credential_store_t class implements the credential_store_t interface
+ * as simple as possible. The credentials are stored in lists, and are loaded from
+ * files on the disk.
+ * Shared secret are not handled yet, so get_shared_secret always returns NOT_FOUND.
+ *
+ * @b Constructors:
+ * - local_credential_store_create(bool strict)
+ *
+ * @ingroup config
+ */
+struct local_credential_store_t {
+
+ /**
+ * Implements credential_store_t interface
+ */
+ credential_store_t credential_store;
+};
+
+/**
+ * @brief Creates a local_credential_store_t instance.
+ *
+ * @param strict enforce a strict crl policy
+ * @return credential store instance.
+ *
+ * @ingroup config
+ */
+local_credential_store_t *local_credential_store_create(bool strict);
+
+#endif /* LOCAL_CREDENTIAL_H_ */
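Review bot: The class comment's sentence "Shared secret are not handled yet, so get_shared_secret always returns NOT_FOUND" looks stale. In this same commit, local_credential_store.c assigns `get_shared_key`, `get_eap_key` and `load_secrets` in the constructor, and `load_secrets` fills the shared-key and EAP-key lists from the secrets file. I would replace that line with ` * Shared and EAP secrets, RSA private keys, certificates and CRLs are loaded from files on disk.` and correct "credentail" in the @brief. The `strict` parameter is described only as "enforce a strict crl policy"; since its use is not visible in this part of the diff, a sentence stating what a strict policy rejects would help anyone configuring revocation checking.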
diff --git a/src/charon/config/policies/local_policy_store.c b/src/charon/config/policies/local_policy_store.c
new file mode 100644
index 000000000..dd22b43a0
--- /dev/null
+++ b/src/charon/config/policies/local_policy_store.c
@@ -0,0 +1,282 @@
+/**
+ * @file local_policy_store.c
+ *
+ * @brief Implementation of local_policy_store_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "local_policy_store.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+
+
+typedef struct private_local_policy_store_t private_local_policy_store_t;
+
+/**
+ * Private data of an local_policy_store_t object
+ */
+struct private_local_policy_store_t {
+
+ /**
+ * Public part
+ */
+ local_policy_store_t public;
+
+ /**
+ * list of policy_t's
+ */
+ linked_list_t *policies;
+
+ /**
+ * Mutex to exclusivly access list
+ */
+ pthread_mutex_t mutex;
+};
+
+/**
+ * Implementation of policy_store_t.add_policy.
+ */
+static void add_policy(private_local_policy_store_t *this, policy_t *policy)
+{
+ pthread_mutex_lock(&(this->mutex));
+ this->policies->insert_last(this->policies, (void*)policy);
+ pthread_mutex_unlock(&(this->mutex));
+}
+
+/**
+ * Check if a policy contains traffic selectors
+ */
+static bool contains_traffic_selectors(policy_t *policy, bool mine,
+ linked_list_t *ts, host_t *host)
+{
+ linked_list_t *selected;
+ bool contains = FALSE;
+
+ if (mine)
+ {
+ selected = policy->select_my_traffic_selectors(policy, ts, host);
+ }
+ else
+ {
+ selected = policy->select_other_traffic_selectors(policy, ts, host);
+ }
+ if (selected->get_count(selected))
+ {
+ contains = TRUE;
+ }
+ selected->destroy_offset(selected, offsetof(traffic_selector_t, destroy));
+ return contains;
+}
+
+/**
+ * Implementation of policy_store_t.get_policy.
+ */
+static policy_t *get_policy(private_local_policy_store_t *this,
+ identification_t *my_id, identification_t *other_id,
+ linked_list_t *my_ts, linked_list_t *other_ts,
+ host_t *my_host, host_t *other_host)
+{
+ typedef enum {
+ PRIO_UNDEFINED = 0x00,
+ PRIO_TS_MISMATCH = 0x01,
+ PRIO_ID_ANY = 0x02,
+ PRIO_ID_MATCH = PRIO_ID_ANY + MAX_WILDCARDS,
+ } prio_t;
+
+ prio_t best_prio = PRIO_UNDEFINED;
+
+ iterator_t *iterator;
+ policy_t *candidate;
+ policy_t *found = NULL;
+ traffic_selector_t *ts;
+
+ DBG1(DBG_CFG, "searching policy for '%D'...'%D'", my_id, other_id);
+ iterator = my_ts->create_iterator(my_ts, TRUE);
+ while (iterator->iterate(iterator, (void**)&ts))
+ {
+ DBG1(DBG_CFG, " local TS: %R", ts);
+ }
+ iterator->destroy(iterator);
+ iterator = other_ts->create_iterator(other_ts, TRUE);
+ while (iterator->iterate(iterator, (void**)&ts))
+ {
+ DBG1(DBG_CFG, " remote TS: %R", ts);
+ }
+ iterator->destroy(iterator);
+
+ pthread_mutex_lock(&(this->mutex));
+ iterator = this->policies->create_iterator(this->policies, TRUE);
+
+ /* determine closest matching policy */
+ while (iterator->iterate(iterator, (void**)&candidate))
+ {
+ identification_t *candidate_my_id;
+ identification_t *candidate_other_id;
+ int wildcards;
+
+ candidate_my_id = candidate->get_my_id(candidate);
+ candidate_other_id = candidate->get_other_id(candidate);
+
+ /* my_id is either %any or if set must match exactly */
+ if (candidate_my_id->matches(candidate_my_id, my_id, &wildcards))
+ {
+ prio_t prio = PRIO_UNDEFINED;
+
+ /* wildcard match for other_id */
+ if (!other_id->matches(other_id, candidate_other_id, &wildcards))
+ {
+ continue;
+ }
+ prio = PRIO_ID_MATCH - wildcards;
+
+ /* only accept if traffic selectors match */
+ if (!contains_traffic_selectors(candidate, TRUE, my_ts, my_host) ||
+ !contains_traffic_selectors(candidate, FALSE, other_ts, other_host))
+ {
+ DBG2(DBG_CFG, "candidate '%s' inacceptable due traffic "
+ "selector mismatch", candidate->get_name(candidate));
+ prio = PRIO_TS_MISMATCH;
+ }
+
+ DBG2(DBG_CFG, "candidate policy '%s': '%D'...'%D' (prio=%d)",
+ candidate->get_name(candidate),
+ candidate_my_id, candidate_other_id, prio);
+
+ if (prio > best_prio)
+ {
+ found = candidate;
+ best_prio = prio;
+ }
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (found)
+ {
+ DBG1(DBG_CFG, "found matching policy '%s': '%D'...'%D' (prio=%d)",
+ found->get_name(found), found->get_my_id(found),
+ found->get_other_id(found), best_prio);
+ /* give out a new reference to it */
+ found->get_ref(found);
+ }
+ pthread_mutex_unlock(&(this->mutex));
+ return found;
+}
+
+/**
+ * Implementation of policy_store_t.get_policy_by_name.
+ */
+static policy_t *get_policy_by_name(private_local_policy_store_t *this, char *name)
+{
+ iterator_t *iterator;
+ policy_t *current, *found = NULL;
+
+ DBG2(DBG_CFG, "looking for policy '%s'", name);
+
+ pthread_mutex_lock(&(this->mutex));
+ iterator = this->policies->create_iterator(this->policies, TRUE);
+ while (iterator->iterate(iterator, (void **)&current))
+ {
+ if (strcmp(current->get_name(current), name) == 0)
+ {
+ found = current;
+ }
+ }
+ iterator->destroy(iterator);
+ pthread_mutex_unlock(&(this->mutex));
+
+ /* give out a new reference */
+ found->get_ref(found);
+ return found;
+}
+
+/**
+ * Implementation of policy_store_t.delete_policy.
+ */
+static status_t delete_policy(private_local_policy_store_t *this, char *name)
+{
+ iterator_t *iterator;
+ policy_t *current;
+ bool found = FALSE;
+
+ pthread_mutex_lock(&(this->mutex));
+ iterator = this->policies->create_iterator(this->policies, TRUE);
+ while (iterator->iterate(iterator, (void **)&current))
+ {
+ if (strcmp(current->get_name(current), name) == 0)
+ {
+ /* remove policy from list, and destroy it */
+ iterator->remove(iterator);
+ current->destroy(current);
+ found = TRUE;
+ /* we do not break here, as there may be multipe policies */
+ }
+ }
+ iterator->destroy(iterator);
+ pthread_mutex_unlock(&(this->mutex));
+ if (found)
+ {
+ return SUCCESS;
+ }
+ return NOT_FOUND;
+}
+
+/**
+ * Implementation of policy_store_t.create_iterator.
+ */
+static iterator_t* create_iterator(private_local_policy_store_t *this)
+{
+ return this->policies->create_iterator_locked(this->policies,
+ &this->mutex);
+}
+
+/**
+ * Implementation of policy_store_t.destroy.
+ */
+static void destroy(private_local_policy_store_t *this)
+{
+ pthread_mutex_lock(&(this->mutex));
+ this->policies->destroy_offset(this->policies, offsetof(policy_t, destroy));
+ pthread_mutex_unlock(&(this->mutex));
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+local_policy_store_t *local_policy_store_create(void)
+{
+ private_local_policy_store_t *this = malloc_thing(private_local_policy_store_t);
+
+ this->public.policy_store.add_policy = (void (*) (policy_store_t*,policy_t*))add_policy;
+ this->public.policy_store.get_policy = (policy_t* (*) (policy_store_t*,identification_t*,identification_t*,
+ linked_list_t*,linked_list_t*,host_t*,host_t*))get_policy;
+ this->public.policy_store.get_policy_by_name = (policy_t* (*) (policy_store_t*,char*))get_policy_by_name;
+ this->public.policy_store.delete_policy = (status_t (*) (policy_store_t*,char*))delete_policy;
+ this->public.policy_store.create_iterator = (iterator_t* (*) (policy_store_t*))create_iterator;
+ this->public.policy_store.destroy = (void (*) (policy_store_t*))destroy;
+
+ /* private variables */
+ this->policies = linked_list_create();
+ pthread_mutex_init(&(this->mutex), NULL);
+
+ return (&this->public);
+}
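Review bot: `get_policy_by_name` calls `found->get_ref(found)` unconditionally, so a name that matches no policy dereferences NULL. The call also comes after `pthread_mutex_unlock`, which leaves a window in which `delete_policy` on another thread can destroy the policy before the reference is taken. `get_policy` in the same hunk already handles both cases, so I would mirror it: put `if (found) { found->get_ref(found); }` before the `pthread_mutex_unlock(&(this->mutex));` line and drop the later call. Whether any caller passes an unknown name is not visible here, but the function is reachable through the public `policy_store_t` interface. Separately, `destroy` never calls `pthread_mutex_destroy(&this->mutex)` for the mutex initialised in `local_policy_store_create`.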
diff --git a/src/charon/config/policies/local_policy_store.h b/src/charon/config/policies/local_policy_store.h
new file mode 100644
index 000000000..01d5d2d60
--- /dev/null
+++ b/src/charon/config/policies/local_policy_store.h
@@ -0,0 +1,60 @@
+/**
+ * @file local_policy_store.h
+ *
+ * @brief Interface of local_policy_store_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef LOCAL_POLICY_STORE_H_
+#define LOCAL_POLICY_STORE_H_
+
+typedef struct local_policy_store_t local_policy_store_t;
+
+#include <library.h>
+#include <config/policies/policy_store.h>
+
+
+/**
+ * @brief A policy_store_t implementation using a simple policy lists.
+ *
+ * The local_policy_store_t class implements the policy_store_t interface
+ * as simple as possible. The policies are stored in a in-memory list.
+ *
+ * @b Constructors:
+ * - local_policy_store_create()
+ *
+ * @ingroup config
+ */
+struct local_policy_store_t {
+
+ /**
+ * Implements policy_store_t interface
+ */
+ policy_store_t policy_store;
+};
+
+/**
+ * @brief Creates a local_policy_store_t instance.
+ *
+ * @return policy store instance.
+ *
+ * @ingroup config
+ */
+local_policy_store_t *local_policy_store_create(void);
+
+#endif /* LOCAL_POLICY_STORE_H_ */
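Review bot: The class comment does not mention locking, although local_policy_store.c guards the list with a mutex and `create_iterator` hands out an iterator made with `create_iterator_locked`. Callers need to know this, because an iterator that presumably keeps the mutex until it is destroyed will block `add_policy`, `get_policy` and `delete_policy` in the meantime. I would add ` * Access to the list is serialized by an internal mutex; destroy iterators from create_iterator() promptly.` to the comment. The wording "a simple policy lists" and "a in-memory list" could be fixed at the same time.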
diff --git a/src/charon/config/policies/policy.c b/src/charon/config/policies/policy.c
new file mode 100644
index 000000000..363d1609f
--- /dev/null
+++ b/src/charon/config/policies/policy.c
@@ -0,0 +1,635 @@
+/**
+ * @file policy.c
+ *
+ * @brief Implementation of policy_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <time.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "policy.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+
+ENUM(dpd_action_names, DPD_NONE, DPD_RESTART,
+ "DPD_NONE",
+ "DPD_CLEAR",
+ "DPD_ROUTE",
+ "DPD_RESTART"
+);
+
+ENUM(mode_names, MODE_TRANSPORT, MODE_BEET,
+ "TRANSPORT",
+ "TUNNEL",
+ "2",
+ "3",
+ "BEET"
+);
+
+typedef struct private_policy_t private_policy_t;
+
+/**
+ * Private data of an policy_t object
+ */
+struct private_policy_t {
+
+ /**
+ * Public part
+ */
+ policy_t public;
+
+ /**
+ * Number of references hold by others to this policy
+ */
+ refcount_t refcount;
+
+ /**
+ * Name of the policy, used to query it
+ */
+ char *name;
+
+ /**
+ * id to use to identify us
+ */
+ identification_t *my_id;
+
+ /**
+ * allowed id for other
+ */
+ identification_t *other_id;
+
+ /**
+ * virtual IP to use locally
+ */
+ host_t *my_virtual_ip;
+
+ /**
+ * virtual IP to use remotly
+ */
+ host_t *other_virtual_ip;
+
+ /**
+ * Method to use for own authentication data
+ */
+ auth_method_t auth_method;
+
+ /**
+ * EAP type to use for peer authentication
+ */
+ eap_type_t eap_type;
+
+ /**
+ * we have a cert issued by this CA
+ */
+ identification_t *my_ca;
+
+ /**
+ * we require the other end to have a cert issued by this CA
+ */
+ identification_t *other_ca;
+
+ /**
+ * updown script
+ */
+ char *updown;
+
+ /**
+ * allow host access
+ */
+ bool hostaccess;
+
+ /**
+ * list for all proposals
+ */
+ linked_list_t *proposals;
+
+ /**
+ * list for traffic selectors for my site
+ */
+ linked_list_t *my_ts;
+
+ /**
+ * list for traffic selectors for others site
+ */
+ linked_list_t *other_ts;
+
+ /**
+ * Time before an SA gets invalid
+ */
+ u_int32_t soft_lifetime;
+
+ /**
+ * Time before an SA gets rekeyed
+ */
+ u_int32_t hard_lifetime;
+
+ /**
+ * Time, which specifies the range of a random value
+ * substracted from soft_lifetime.
+ */
+ u_int32_t jitter;
+
+ /**
+ * What to do with an SA when other peer seams to be dead?
+ */
+ bool dpd_action;
+
+ /**
+ * Mode to propose for a initiated CHILD: tunnel/transport
+ */
+ mode_t mode;
+};
+
+/**
+ * Implementation of policy_t.get_name
+ */
+static char *get_name(private_policy_t *this)
+{
+ return this->name;
+}
+
+/**
+ * Implementation of policy_t.get_my_id
+ */
+static identification_t *get_my_id(private_policy_t *this)
+{
+ return this->my_id;
+}
+
+/**
+ * Implementation of policy_t.get_other_id
+ */
+static identification_t *get_other_id(private_policy_t *this)
+{
+ return this->other_id;
+}
+
+/**
+ * Implementation of policy_t.get_my_ca
+ */
+static identification_t *get_my_ca(private_policy_t *this)
+{
+ return this->my_ca;
+}
+
+/**
+ * Implementation of policy_t.get_other_ca
+ */
+static identification_t *get_other_ca(private_policy_t *this)
+{
+ return this->other_ca;
+}
+
+/**
+ * Implementation of connection_t.auth_method_t.
+ */
+static auth_method_t get_auth_method(private_policy_t *this)
+{
+ return this->auth_method;
+}
+
+/**
+ * Implementation of connection_t.get_eap_type.
+ */
+static eap_type_t get_eap_type(private_policy_t *this)
+{
+ return this->eap_type;
+}
+
+/**
+ * Get traffic selectors, with wildcard-address update
+ */
+static linked_list_t *get_traffic_selectors(private_policy_t *this,
+ linked_list_t *list, host_t *host)
+{
+ iterator_t *iterator;
+ traffic_selector_t *current;
+ linked_list_t *result = linked_list_create();
+
+ iterator = list->create_iterator(list, TRUE);
+
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ /* we make a copy of the TS, this allows us to update wildcard
+ * addresses in it. We won't pollute the shared policy. */
+ current = current->clone(current);
+ if (host)
+ {
+ current->set_address(current, host);
+ }
+
+ result->insert_last(result, (void*)current);
+ }
+ iterator->destroy(iterator);
+ return result;
+}
+
+/**
+ * Implementation of policy_t.get_my_traffic_selectors
+ */
+static linked_list_t *get_my_traffic_selectors(private_policy_t *this, host_t *me)
+{
+ return get_traffic_selectors(this, this->my_ts, me);
+}
+
+/**
+ * Implementation of policy_t.get_other_traffic_selectors
+ */
+static linked_list_t *get_other_traffic_selectors(private_policy_t *this, host_t *other)
+{
+ return get_traffic_selectors(this, this->other_ts, other);
+}
+
+/**
+ * Narrow traffic selectors, with wildcard-address update in "stored".
+ */
+static linked_list_t *select_traffic_selectors(private_policy_t *this,
+ linked_list_t *stored,
+ linked_list_t *supplied,
+ host_t *host)
+{
+ iterator_t *supplied_iter, *stored_iter, *i1, *i2;
+ traffic_selector_t *supplied_ts, *stored_ts, *selected_ts, *ts1, *ts2;
+ linked_list_t *selected = linked_list_create();
+
+ DBG2(DBG_CFG, "selecting traffic selectors");
+
+ stored_iter = stored->create_iterator(stored, TRUE);
+ supplied_iter = supplied->create_iterator(supplied, TRUE);
+
+ /* iterate over all stored selectors */
+ while (stored_iter->iterate(stored_iter, (void**)&stored_ts))
+ {
+ /* we make a copy of the TS, this allows us to update wildcard
+ * addresses in it. We won't pollute the shared policy. */
+ stored_ts = stored_ts->clone(stored_ts);
+ if (host)
+ {
+ stored_ts->set_address(stored_ts, host);
+ }
+
+ supplied_iter->reset(supplied_iter);
+ /* iterate over all supplied traffic selectors */
+ while (supplied_iter->iterate(supplied_iter, (void**)&supplied_ts))
+ {
+ DBG2(DBG_CFG, "stored %R <=> %R received",
+ stored_ts, supplied_ts);
+
+ selected_ts = stored_ts->get_subset(stored_ts, supplied_ts);
+ if (selected_ts)
+ {
+ /* got a match, add to list */
+ selected->insert_last(selected, (void*)selected_ts);
+
+ DBG2(DBG_CFG, "found traffic selector for %s: %R",
+ stored == this->my_ts ? "us" : "other", selected_ts);
+ }
+ }
+ stored_ts->destroy(stored_ts);
+ }
+ stored_iter->destroy(stored_iter);
+ supplied_iter->destroy(supplied_iter);
+
+ /* remove any redundant traffic selectors in the list */
+ i1 = selected->create_iterator(selected, TRUE);
+ i2 = selected->create_iterator(selected, TRUE);
+ while (i1->iterate(i1, (void**)&ts1))
+ {
+ while (i2->iterate(i2, (void**)&ts2))
+ {
+ if (ts1 != ts2)
+ {
+ if (ts2->is_contained_in(ts2, ts1))
+ {
+ i2->remove(i2);
+ ts2->destroy(ts2);
+ i1->reset(i1);
+ break;
+ }
+ if (ts1->is_contained_in(ts1, ts2))
+ {
+ i1->remove(i1);
+ ts1->destroy(ts1);
+ i2->reset(i2);
+ break;
+ }
+ }
+ }
+ }
+ i1->destroy(i1);
+ i2->destroy(i2);
+
+ return selected;
+}
+
+/**
+ * Implementation of private_policy_t.select_my_traffic_selectors
+ */
+static linked_list_t *select_my_traffic_selectors(private_policy_t *this,
+ linked_list_t *supplied,
+ host_t *me)
+{
+ return select_traffic_selectors(this, this->my_ts, supplied, me);
+}
+
+/**
+ * Implementation of private_policy_t.select_other_traffic_selectors
+ */
+static linked_list_t *select_other_traffic_selectors(private_policy_t *this,
+ linked_list_t *supplied,
+ host_t* other)
+{
+ return select_traffic_selectors(this, this->other_ts, supplied, other);
+}
+
+/**
+ * Implementation of policy_t.get_proposal_iterator
+ */
+static linked_list_t *get_proposals(private_policy_t *this)
+{
+ iterator_t *iterator;
+ proposal_t *current;
+ linked_list_t *proposals = linked_list_create();
+
+ iterator = this->proposals->create_iterator(this->proposals, TRUE);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ current = current->clone(current);
+ proposals->insert_last(proposals, (void*)current);
+ }
+ iterator->destroy(iterator);
+
+ return proposals;
+}
+
+/**
+ * Implementation of policy_t.select_proposal
+ */
+static proposal_t *select_proposal(private_policy_t *this, linked_list_t *proposals)
+{
+ iterator_t *stored_iter, *supplied_iter;
+ proposal_t *stored, *supplied, *selected;
+
+ stored_iter = this->proposals->create_iterator(this->proposals, TRUE);
+ supplied_iter = proposals->create_iterator(proposals, TRUE);
+
+ /* compare all stored proposals with all supplied. Stored ones are preferred. */
+ while (stored_iter->iterate(stored_iter, (void**)&stored))
+ {
+ supplied_iter->reset(supplied_iter);
+ while (supplied_iter->iterate(supplied_iter, (void**)&supplied))
+ {
+ selected = stored->select(stored, supplied);
+ if (selected)
+ {
+ /* they match, return */
+ stored_iter->destroy(stored_iter);
+ supplied_iter->destroy(supplied_iter);
+ return selected;
+ }
+ }
+ }
+
+ /* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */
+ stored_iter->destroy(stored_iter);
+ supplied_iter->destroy(supplied_iter);
+
+ return NULL;
+}
+
+/**
+ * Implementation of policy_t.add_authorities
+ */
+static void add_authorities(private_policy_t *this, identification_t *my_ca, identification_t *other_ca)
+{
+ this->my_ca = my_ca;
+ this->other_ca = other_ca;
+}
+
+/**
+ * Implementation of policy_t.get_updown
+ */
+static char* get_updown(private_policy_t *this)
+{
+ return this->updown;
+}
+
+/**
+ * Implementation of policy_t.get_hostaccess
+ */
+static bool get_hostaccess(private_policy_t *this)
+{
+ return this->hostaccess;
+}
+
+/**
+ * Implements policy_t.get_dpd_action
+ */
+static dpd_action_t get_dpd_action(private_policy_t *this)
+{
+ return this->dpd_action;
+}
+
+/**
+ * Implementation of policy_t.add_my_traffic_selector
+ */
+static void add_my_traffic_selector(private_policy_t *this, traffic_selector_t *traffic_selector)
+{
+ this->my_ts->insert_last(this->my_ts, (void*)traffic_selector);
+}
+
+/**
+ * Implementation of policy_t.add_other_traffic_selector
+ */
+static void add_other_traffic_selector(private_policy_t *this, traffic_selector_t *traffic_selector)
+{
+ this->other_ts->insert_last(this->other_ts, (void*)traffic_selector);
+}
+
+/**
+ * Implementation of policy_t.add_proposal
+ */
+static void add_proposal(private_policy_t *this, proposal_t *proposal)
+{
+ this->proposals->insert_last(this->proposals, (void*)proposal);
+}
+
+/**
+ * Implementation of policy_t.get_soft_lifetime
+ */
+static u_int32_t get_soft_lifetime(private_policy_t *this)
+{
+ if (this->jitter == 0)
+ {
+ return this->soft_lifetime ;
+ }
+ return this->soft_lifetime - (random() % this->jitter);
+}
+
+/**
+ * Implementation of policy_t.get_hard_lifetime
+ */
+static u_int32_t get_hard_lifetime(private_policy_t *this)
+{
+ return this->hard_lifetime;
+}
+
+/**
+ * Implementation of policy_t.get_mode.
+ */
+static mode_t get_mode(private_policy_t *this)
+{
+ return this->mode;
+}
+
+/**
+ * Implementation of policy_t.get_virtual_ip.
+ */
+static host_t* get_virtual_ip(private_policy_t *this, host_t *suggestion)
+{
+ if (suggestion == NULL)
+ {
+ if (this->my_virtual_ip)
+ {
+ return this->my_virtual_ip->clone(this->my_virtual_ip);
+ }
+ return NULL;
+ }
+ if (this->other_virtual_ip)
+ {
+ return this->other_virtual_ip->clone(this->other_virtual_ip);
+ }
+ if (suggestion->is_anyaddr(suggestion))
+ {
+ return NULL;
+ }
+ return suggestion->clone(suggestion);
+}
+
+/**
+ * Implements policy_t.get_ref.
+ */
+static void get_ref(private_policy_t *this)
+{
+ ref_get(&this->refcount);
+}
+
+/**
+ * Implements policy_t.destroy.
+ */
+static void destroy(private_policy_t *this)
+{
+ if (ref_put(&this->refcount))
+ {
+
+ this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+ this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
+ this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
+
+ /* delete certification authorities */
+ DESTROY_IF(this->my_ca);
+ DESTROY_IF(this->other_ca);
+
+ /* delete updown script */
+ if (this->updown)
+ {
+ free(this->updown);
+ }
+
+ /* delete ids */
+ this->my_id->destroy(this->my_id);
+ this->other_id->destroy(this->other_id);
+ DESTROY_IF(this->my_virtual_ip);
+ DESTROY_IF(this->other_virtual_ip);
+
+ free(this->name);
+ free(this);
+ }
+}
+
+/*
+ * Described in header-file
+ */
+policy_t *policy_create(char *name, identification_t *my_id, identification_t *other_id,
+ host_t *my_virtual_ip, host_t *other_virtual_ip,
+ auth_method_t auth_method, eap_type_t eap_type,
+ u_int32_t hard_lifetime, u_int32_t soft_lifetime,
+ u_int32_t jitter, char *updown, bool hostaccess,
+ mode_t mode, dpd_action_t dpd_action)
+{
+ private_policy_t *this = malloc_thing(private_policy_t);
+
+ /* public functions */
+ this->public.get_name = (char* (*) (policy_t*))get_name;
+ this->public.get_my_id = (identification_t* (*) (policy_t*))get_my_id;
+ this->public.get_other_id = (identification_t* (*) (policy_t*))get_other_id;
+ this->public.get_my_ca = (identification_t* (*) (policy_t*))get_my_ca;
+ this->public.get_other_ca = (identification_t* (*) (policy_t*))get_other_ca;
+ this->public.get_auth_method = (auth_method_t (*) (policy_t*)) get_auth_method;
+ this->public.get_eap_type = (eap_type_t (*) (policy_t*)) get_eap_type;
+ this->public.get_my_traffic_selectors = (linked_list_t* (*) (policy_t*,host_t*))get_my_traffic_selectors;
+ this->public.get_other_traffic_selectors = (linked_list_t* (*) (policy_t*,host_t*))get_other_traffic_selectors;
+ this->public.select_my_traffic_selectors = (linked_list_t* (*) (policy_t*,linked_list_t*,host_t*))select_my_traffic_selectors;
+ this->public.select_other_traffic_selectors = (linked_list_t* (*) (policy_t*,linked_list_t*,host_t*))select_other_traffic_selectors;
+ this->public.get_proposals = (linked_list_t* (*) (policy_t*))get_proposals;
+ this->public.select_proposal = (proposal_t* (*) (policy_t*,linked_list_t*))select_proposal;
+ this->public.add_my_traffic_selector = (void (*) (policy_t*,traffic_selector_t*))add_my_traffic_selector;
+ this->public.add_other_traffic_selector = (void (*) (policy_t*,traffic_selector_t*))add_other_traffic_selector;
+ this->public.add_proposal = (void (*) (policy_t*,proposal_t*))add_proposal;
+ this->public.add_authorities = (void (*) (policy_t*,identification_t*,identification_t*))add_authorities;
+ this->public.get_updown = (char* (*) (policy_t*))get_updown;
+ this->public.get_hostaccess = (bool (*) (policy_t*))get_hostaccess;
+ this->public.get_dpd_action = (dpd_action_t (*) (policy_t*))get_dpd_action;
+ this->public.get_soft_lifetime = (u_int32_t (*) (policy_t *))get_soft_lifetime;
+ this->public.get_hard_lifetime = (u_int32_t (*) (policy_t *))get_hard_lifetime;
+ this->public.get_mode = (mode_t (*) (policy_t *))get_mode;
+ this->public.get_virtual_ip = (host_t* (*)(policy_t*,host_t*))get_virtual_ip;
+ this->public.get_ref = (void (*) (policy_t*))get_ref;
+ this->public.destroy = (void (*) (policy_t*))destroy;
+
+ /* apply init values */
+ this->name = strdup(name);
+ this->my_id = my_id;
+ this->other_id = other_id;
+ this->my_virtual_ip = my_virtual_ip;
+ this->other_virtual_ip = other_virtual_ip;
+ this->auth_method = auth_method;
+ this->eap_type = eap_type;
+ this->hard_lifetime = hard_lifetime;
+ this->soft_lifetime = soft_lifetime;
+ this->jitter = jitter;
+ this->updown = (updown == NULL) ? NULL : strdup(updown);
+ this->hostaccess = hostaccess;
+ this->dpd_action = dpd_action;
+ this->mode = mode;
+
+ /* initialize private members*/
+ this->refcount = 1;
+ this->my_ca = NULL;
+ this->other_ca = NULL;
+ this->proposals = linked_list_create();
+ this->my_ts = linked_list_create();
+ this->other_ts = linked_list_create();
+
+ return &this->public;
+}
diff --git a/src/charon/config/policies/policy.h b/src/charon/config/policies/policy.h
new file mode 100644
index 000000000..d8916b29e
--- /dev/null
+++ b/src/charon/config/policies/policy.h
@@ -0,0 +1,413 @@
+/**
+ * @file policy.h
+ *
+ * @brief Interface of policy_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef POLICY_H_
+#define POLICY_H_
+
+typedef enum dpd_action_t dpd_action_t;
+typedef struct policy_t policy_t;
+
+#include <library.h>
+#include <utils/identification.h>
+#include <config/traffic_selector.h>
+#include <config/proposal.h>
+#include <sa/authenticators/authenticator.h>
+#include <sa/authenticators/eap/eap_method.h>
+
+
+/**
+ * @brief Actions to take when a peer does not respond (dead peer detected).
+ *
+ * These values are the same as in pluto/starter, so do not modify them!
+ *
+ * @ingroup config
+ */
+enum dpd_action_t {
+ /** DPD disabled */
+ DPD_NONE,
+ /** remove CHILD_SA without replacement */
+ DPD_CLEAR,
+ /** route the CHILD_SA to resetup when needed */
+ DPD_ROUTE,
+ /** restart CHILD_SA in a new IKE_SA, immediately */
+ DPD_RESTART,
+};
+
+/**
+ * enum names for dpd_action_t.
+ */
+extern enum_name_t *dpd_action_names;
+
+/**
+ * @brief Mode of an IPsec SA.
+ *
+ * These are equal to those defined in XFRM, so don't change.
+ *
+ * @ingroup config
+ */
+enum mode_t {
+ /** transport mode, no inner address */
+ MODE_TRANSPORT = 0,
+ /** tunnel mode, inner and outer addresses */
+ MODE_TUNNEL = 1,
+ /** BEET mode, tunnel mode but fixed, bound inner addresses */
+ MODE_BEET = 4,
+};
+
+/**
+ * enum names for mode_t.
+ */
+extern enum_name_t *mode_names;
+
+/**
+ * @brief A policy_t defines the policies to apply to CHILD_SAs.
+ *
+ * The given two IDs identify a policy. These rules define how
+ * child SAs may be set up and which traffic may be IPsec'ed.
+ *
+ * @b Constructors:
+ * - policy_create()
+ *
+ * @ingroup config
+ */
+struct policy_t {
+
+ /**
+ * @brief Get the name of the policy.
+ *
+ * Returned object is not getting cloned.
+ *
+ * @param this calling object
+ * @return policy's name
+ */
+ char *(*get_name) (policy_t *this);
+
+ /**
+ * @brief Get own id.
+ *
+ * Returned object is not getting cloned.
+ *
+ * @param this calling object
+ * @return own id
+ */
+ identification_t *(*get_my_id) (policy_t *this);
+
+ /**
+ * @brief Get peer id.
+ *
+ * Returned object is not getting cloned.
+ *
+ * @param this calling object
+ * @return other id
+ */
+ identification_t *(*get_other_id) (policy_t *this);
+
+ /**
+ * @brief Get own ca.
+ *
+ * Returned object is not getting cloned.
+ *
+ * @param this calling object
+ * @return own ca
+ */
+ identification_t *(*get_my_ca) (policy_t *this);
+
+ /**
+ * @brief Get peer ca.
+ *
+ * Returned object is not getting cloned.
+ *
+ * @param this calling object
+ * @return other ca
+ */
+ identification_t *(*get_other_ca) (policy_t *this);
+
+ /**
+ * @brief Get the authentication method to use.
+ *
+ * @param this calling object
+ * @return authentication method
+ */
+ auth_method_t (*get_auth_method) (policy_t *this);
+
+ /**
+ * @brief Get the EAP type to use for peer authentication.
+ *
+ * @param this calling object
+ * @return authentication method
+ */
+ eap_type_t (*get_eap_type) (policy_t *this);
+
+ /**
+ * @brief Get configured traffic selectors for our site.
+ *
+ * Returns a list with all traffic selectors for the local
+ * site. List and items must be destroyed after usage.
+ *
+ * @param this calling object
+ * @return list with traffic selectors
+ */
+ linked_list_t *(*get_my_traffic_selectors) (policy_t *this, host_t *me);
+
+ /**
+ * @brief Get configured traffic selectors for others site.
+ *
+ * Returns a list with all traffic selectors for the remote
+ * site. List and items must be destroyed after usage.
+ *
+ * @param this calling object
+ * @return list with traffic selectors
+ */
+ linked_list_t *(*get_other_traffic_selectors) (policy_t *this, host_t* other);
+
+ /**
+ * @brief Select traffic selectors from a supplied list for local site.
+ *
+ * Resulted list and traffic selectors must be destroyed after usage.
+ * As the traffic selectors may contain a wildcard address (0.0.0.0) for
+ * addresses we don't know in previous, an address may be supplied to
+ * replace these 0.0.0.0 addresses on-the-fly.
+ *
+ * @param this calling object
+ * @param supplied linked list with traffic selectors
+ * @param me host address used by us
+ * @return list containing the selected traffic selectors
+ */
+ linked_list_t *(*select_my_traffic_selectors) (policy_t *this,
+ linked_list_t *supplied,
+ host_t *me);
+
+ /**
+ * @brief Select traffic selectors from a supplied list for remote site.
+ *
+ * Resulted list and traffic selectors must be destroyed after usage.
+ * As the traffic selectors may contain a wildcard address (0.0.0.0) for
+ * addresses we don't know in previous, an address may be supplied to
+ * replace these 0.0.0.0 addresses on-the-fly.
+ *
+ * @param this calling object
+ * @param supplied linked list with traffic selectors
+ * @return list containing the selected traffic selectors
+ */
+ linked_list_t *(*select_other_traffic_selectors) (policy_t *this,
+ linked_list_t *supplied,
+ host_t *other);
+
+ /**
+ * @brief Get the list of internally stored proposals.
+ *
+ * policy_t does store proposals for AH/ESP, IKE proposals are in
+ * the connection_t.
+ * Resulting list and all of its proposals must be freed after usage.
+ *
+ * @param this calling object
+ * @return lists with proposals
+ */
+ linked_list_t *(*get_proposals) (policy_t *this);
+
+ /**
+ * @brief Select a proposal from a supplied list.
+ *
+ * Returned propsal is newly created and must be destroyed after usage.
+ *
+ * @param this calling object
+ * @param proposals list from from wich proposals are selected
+ * @return selected proposal, or NULL if nothing matches
+ */
+ proposal_t *(*select_proposal) (policy_t *this, linked_list_t *proposals);
+
+ /**
+ * @brief Add a traffic selector to the list for local site.
+ *
+ * After add, traffic selector is owned by policy.
+ *
+ * @param this calling object
+ * @param traffic_selector traffic_selector to add
+ */
+ void (*add_my_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector);
+
+ /**
+ * @brief Add a traffic selector to the list for remote site.
+ *
+ * After add, traffic selector is owned by policy.
+ *
+ * @param this calling object
+ * @param traffic_selector traffic_selector to add
+ */
+ void (*add_other_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector);
+
+ /**
+ * @brief Add a proposal to the list.
+ *
+ * The proposals are stored by priority, first added
+ * is the most prefered.
+ * After add, proposal is owned by policy.
+ *
+ * @param this calling object
+ * @param proposal proposal to add
+ */
+ void (*add_proposal) (policy_t *this, proposal_t *proposal);
+
+ /**
+ * @brief Add certification authorities.
+ *
+ * @param this calling object
+ * @param my_ca issuer of my certificate
+ * @param other_ca required issuer of the peer's certificate
+ */
+ void (*add_authorities) (policy_t *this, identification_t *my_ca, identification_t *other_ca);
+
+ /**
+ * @brief Get updown script
+ *
+ * @param this calling object
+ * @return path to updown script
+ */
+ char* (*get_updown) (policy_t *this);
+
+ /**
+ * @brief Get hostaccess flag
+ *
+ * @param this calling object
+ * @return value of hostaccess flag
+ */
+ bool (*get_hostaccess) (policy_t *this);
+
+ /**
+ * @brief What should be done with a CHILD_SA, when other peer does not respond.
+ *
+ * @param this calling object
+ * @return dpd action
+ */
+ dpd_action_t (*get_dpd_action) (policy_t *this);
+
+ /**
+ * @brief Get the lifetime of a policy, before rekeying starts.
+ *
+ * A call to this function automatically adds a jitter to
+ * avoid simultanous rekeying.
+ *
+ * @param this policy
+ * @return lifetime in seconds
+ */
+ u_int32_t (*get_soft_lifetime) (policy_t *this);
+
+ /**
+ * @brief Get the lifetime of a policy, before SA gets deleted.
+ *
+ * @param this policy
+ * @return lifetime in seconds
+ */
+ u_int32_t (*get_hard_lifetime) (policy_t *this);
+
+ /**
+ * @brief Get the mode to use for the CHILD_SA, tunnel, transport or BEET.
+ *
+ * @param this policy
+ * @return lifetime in seconds
+ */
+ mode_t (*get_mode) (policy_t *this);
+
+ /**
+ * @brief Get a virtual IP for the local or the remote host.
+ *
+ * By supplying NULL as IP, an IP for the local host is requested. It
+ * may be %any or specific.
+ * By supplying %any as host, an IP from the pool is selected to be
+ * served to the peer.
+ * If a specified host is supplied, it is checked if this address
+ * is acceptable to serve to the peer. If so, it is returned. Otherwise,
+ * an alternative IP is returned.
+ * In any mode, this call may return NULL indicating virtual IP should
+ * not be used.
+ *
+ * @param this policy
+ * @param suggestion NULL, %any or specific, see description
+ * @return clone of an IP to use, or NULL
+ */
+ host_t* (*get_virtual_ip) (policy_t *this, host_t *suggestion);
+
+ /**
+ * @brief Get a new reference.
+ *
+ * Get a new reference to this policy by increasing
+ * it's internal reference counter.
+ * Do not call get_ref or any other function until you
+ * already have a reference. Otherwise the object may get
+ * destroyed while calling get_ref(),
+ *
+ * @param this calling object
+ */
+ void (*get_ref) (policy_t *this);
+
+ /**
+ * @brief Destroys the policy object.
+ *
+ * Decrements the internal reference counter and
+ * destroys the policy when it reaches zero.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (policy_t *this);
+};
+
+/**
+ * @brief Create a configuration object for IKE_AUTH and later.
+ *
+ * name-string gets cloned, ID's not.
+ * Virtual IPs are used if they are != NULL. A %any host means the virtual
+ * IP should be obtained from the other peer.
+ * Lifetimes are in seconds. To prevent to peers to start rekeying at the
+ * same time, a jitter may be specified. Rekeying of an SA starts at
+ * (soft_lifetime - random(0, jitter)). After a successful rekeying,
+ * the hard_lifetime limit counter is reset. You should specify
+ * hard_lifetime > soft_lifetime > jitter.
+ * After a call to create, a reference is obtained (refcount = 1).
+ *
+ * @param name name of the policy
+ * @param my_id identification_t for ourselves
+ * @param other_id identification_t for the remote guy
+ * @param my_virtual_ip virtual IP for local host, or NULL
+ * @param other_virtual_ip virtual IP for remote host, or NULL
+ * @param auth_method Authentication method to use for our(!) auth data
+ * @param eap_type EAP type to use for peer authentication
+ * @param hard_lifetime lifetime before deleting an SA
+ * @param soft_lifetime lifetime before rekeying an SA
+ * @param jitter range of randomization time
+ * @param updown updown script to execute on up/down event
+ * @param hostaccess allow access to the host itself (used by the updown script)
+ * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
+ * @param dpd_action what to to with a CHILD_SA when other peer does not respond
+ * @return policy_t object
+ *
+ * @ingroup config
+ */
+policy_t *policy_create(char *name,
+ identification_t *my_id, identification_t *other_id,
+ host_t *my_virtual_ip, host_t *other_virtual_ip,
+ auth_method_t auth_method, eap_type_t eap_type,
+ u_int32_t hard_lifetime, u_int32_t soft_lifetime,
+ u_int32_t jitter, char *updown, bool hostaccess,
+ mode_t mode, dpd_action_t dpd_action);
+
+#endif /* POLICY_H_ */
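Review bot: The get_virtual_ip() comment says a specific suggested address "is checked if this address is acceptable to serve to the peer", but the implementation added to policy.c in this same commit performs no such check. When other_virtual_ip is unset and the suggestion is not %any, it simply returns `suggestion->clone(suggestion)`. The suggestion is presumably the address the peer asked for, so the contract should state what is actually enforced, e.g. `If no other_virtual_ip is configured, a specific suggestion is returned as a clone without further validation; callers must vet it.` The "IP from the pool" wording likewise has no counterpart in the visible code, which returns a clone of other_virtual_ip or NULL. Separately, `@return lifetime in seconds` on get_mode is a copy-paste from get_hard_lifetime and should read `@return mode to use for the CHILD_SA`.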
diff --git a/src/charon/config/policies/policy_store.h b/src/charon/config/policies/policy_store.h
new file mode 100755
index 000000000..cd8870953
--- /dev/null
+++ b/src/charon/config/policies/policy_store.h
@@ -0,0 +1,119 @@
+/**
+ * @file policy_store.h
+ *
+ * @brief Interface policy_store_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef POLICY_STORE_H_
+#define POLICY_STORE_H_
+
+typedef struct policy_store_t policy_store_t;
+
+#include <library.h>
+#include <config/policies/policy.h>
+#include <utils/linked_list.h>
+
+
+/**
+ * @brief The interface for a store of policy_t's.
+ *
+ * The store uses reference counting to manage their lifetime. Call
+ * destroy() for a policy which is returned from the store after usage.
+ *
+ * @b Constructors:
+ * - stroke_create()
+ *
+ * @ingroup config
+ */
+struct policy_store_t {
+
+ /**
+ * @brief Returns a policy identified by two IDs and a set of traffic selectors.
+ *
+ * other_id must be fully qualified. my_id may be %any, as the
+ * other peer may not include an IDr Request.
+ *
+ * @param this calling object
+ * @param my_id own ID of the policy
+ * @param other_id others ID of the policy
+ * @param my_ts traffic selectors requested for local host
+ * @param other_ts traffic selectors requested for remote host
+ * @param my_host host to use for wilcards in TS compare
+ * @param other_host host to use for wildcards in TS compare
+ * @return
+ * - matching policy_t, if found
+ * - NULL otherwise
+ */
+ policy_t *(*get_policy) (policy_store_t *this,
+ identification_t *my_id, identification_t *other_id,
+ linked_list_t *my_ts, linked_list_t *other_ts,
+ host_t *my_host, host_t* other_host);
+
+ /**
+ * @brief Returns a policy identified by a connection name.
+ *
+ * @param this calling object
+ * @param name name of the policy
+ * @return
+ * - matching policy_t, if found
+ * - NULL otherwise
+ */
+ policy_t *(*get_policy_by_name) (policy_store_t *this, char *name);
+
+ /**
+ * @brief Add a policy to the list.
+ *
+ * The policy is owned by the store after the call. Do
+ * not modify nor free.
+ *
+ * @param this calling object
+ * @param policy policy to add
+ */
+ void (*add_policy) (policy_store_t *this, policy_t *policy);
+
+ /**
+ * @brief Delete a policy from the store.
+ *
+ * Remove a policy from the store identified by its name.
+ *
+ * @param this calling object
+ * @param policy policy to add
+ * @return
+ * - SUCCESS, or
+ * - NOT_FOUND
+ */
+ status_t (*delete_policy) (policy_store_t *this, char *name);
+
+ /**
+ * @brief Get an iterator for the stored policies.
+ *
+ * @param this calling object
+ * @return iterator over all stored policies
+ */
+ iterator_t* (*create_iterator) (policy_store_t *this);
+
+ /**
+ * @brief Destroys a policy_store_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (policy_store_t *this);
+};
+
+#endif /*POLICY_STORE_H_*/
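Review bot: The delete_policy() comment documents `@param policy policy to add`, but the function takes `char *name` and removes an entry; it should read `@param name name of the policy to delete`. Because the store is reference-counted, the `@return` of get_policy() and get_policy_by_name() should also say that the caller receives a reference it must release with destroy(). At present this is stated only in the struct-level description. The header does not say what happens to references callers still hold when delete_policy() succeeds; presumably the policy lives until the last destroy(), which deserves one sentence in the comment.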
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
new file mode 100644
index 000000000..dcab8cbdd
--- /dev/null
+++ b/src/charon/config/proposal.c
@@ -0,0 +1,641 @@
+/**
+ * @file proposal.c
+ *
+ * @brief Implementation of proposal_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "proposal.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+#include <utils/lexparser.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+
+
+ENUM(protocol_id_names, PROTO_NONE, PROTO_ESP,
+ "PROTO_NONE",
+ "IKE",
+ "AH",
+ "ESP",
+);
+
+ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, UNDEFINED_TRANSFORM_TYPE,
+ "UNDEFINED_TRANSFORM_TYPE");
+ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS, UNDEFINED_TRANSFORM_TYPE,
+ "ENCRYPTION_ALGORITHM",
+ "PSEUDO_RANDOM_FUNCTION",
+ "INTEGRITY_ALGORITHM",
+ "DIFFIE_HELLMAN_GROUP",
+ "EXTENDED_SEQUENCE_NUMBERS");
+ENUM_END(transform_type_names, EXTENDED_SEQUENCE_NUMBERS);
+
+ENUM(extended_sequence_numbers_names, NO_EXT_SEQ_NUMBERS, EXT_SEQ_NUMBERS,
+ "NO_EXT_SEQ_NUMBERS",
+ "EXT_SEQ_NUMBERS",
+);
+
+typedef struct private_proposal_t private_proposal_t;
+
+/**
+ * Private data of an proposal_t object
+ */
+struct private_proposal_t {
+
+ /**
+ * Public part
+ */
+ proposal_t public;
+
+ /**
+ * protocol (ESP or AH)
+ */
+ protocol_id_t protocol;
+
+ /**
+ * priority ordered list of encryption algorithms
+ */
+ linked_list_t *encryption_algos;
+
+ /**
+ * priority ordered list of integrity algorithms
+ */
+ linked_list_t *integrity_algos;
+
+ /**
+ * priority ordered list of pseudo random functions
+ */
+ linked_list_t *prf_algos;
+
+ /**
+ * priority ordered list of dh groups
+ */
+ linked_list_t *dh_groups;
+
+ /**
+ * priority ordered list of extended sequence number flags
+ */
+ linked_list_t *esns;
+
+ /**
+ * senders SPI
+ */
+ u_int64_t spi;
+};
+
+/**
+ * Add algorithm/keysize to a algorithm list
+ */
+static void add_algo(linked_list_t *list, u_int16_t algo, size_t key_size)
+{
+ algorithm_t *algo_key;
+
+ algo_key = malloc_thing(algorithm_t);
+ algo_key->algorithm = algo;
+ algo_key->key_size = key_size;
+ list->insert_last(list, (void*)algo_key);
+}
+
+/**
+ * Implements proposal_t.add_algorithm
+ */
+static void add_algorithm(private_proposal_t *this, transform_type_t type, u_int16_t algo, size_t key_size)
+{
+ switch (type)
+ {
+ case ENCRYPTION_ALGORITHM:
+ add_algo(this->encryption_algos, algo, key_size);
+ break;
+ case INTEGRITY_ALGORITHM:
+ add_algo(this->integrity_algos, algo, key_size);
+ break;
+ case PSEUDO_RANDOM_FUNCTION:
+ add_algo(this->prf_algos, algo, key_size);
+ break;
+ case DIFFIE_HELLMAN_GROUP:
+ add_algo(this->dh_groups, algo, 0);
+ break;
+ case EXTENDED_SEQUENCE_NUMBERS:
+ add_algo(this->esns, algo, 0);
+ break;
+ default:
+ break;
+ }
+}
+
+/**
+ * Implements proposal_t.get_algorithm.
+ */
+static bool get_algorithm(private_proposal_t *this, transform_type_t type, algorithm_t** algo)
+{
+ linked_list_t *list;
+ switch (type)
+ {
+ case ENCRYPTION_ALGORITHM:
+ list = this->encryption_algos;
+ break;
+ case INTEGRITY_ALGORITHM:
+ list = this->integrity_algos;
+ break;
+ case PSEUDO_RANDOM_FUNCTION:
+ list = this->prf_algos;
+ break;
+ case DIFFIE_HELLMAN_GROUP:
+ list = this->dh_groups;
+ break;
+ case EXTENDED_SEQUENCE_NUMBERS:
+ list = this->esns;
+ break;
+ default:
+ return FALSE;
+ }
+ if (list->get_first(list, (void**)algo) != SUCCESS)
+ {
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Implements proposal_t.create_algorithm_iterator.
+ */
+static iterator_t *create_algorithm_iterator(private_proposal_t *this, transform_type_t type)
+{
+ switch (type)
+ {
+ case ENCRYPTION_ALGORITHM:
+ return this->encryption_algos->create_iterator(this->encryption_algos, TRUE);
+ case INTEGRITY_ALGORITHM:
+ return this->integrity_algos->create_iterator(this->integrity_algos, TRUE);
+ case PSEUDO_RANDOM_FUNCTION:
+ return this->prf_algos->create_iterator(this->prf_algos, TRUE);
+ case DIFFIE_HELLMAN_GROUP:
+ return this->dh_groups->create_iterator(this->dh_groups, TRUE);
+ case EXTENDED_SEQUENCE_NUMBERS:
+ return this->esns->create_iterator(this->esns, TRUE);
+ default:
+ break;
+ }
+ return NULL;
+}
+
+/**
+ * Find a matching alg/keysize in two linked lists
+ */
+static bool select_algo(linked_list_t *first, linked_list_t *second, bool *add, u_int16_t *alg, size_t *key_size)
+{
+ iterator_t *first_iter, *second_iter;
+ algorithm_t *first_alg, *second_alg;
+
+ /* if in both are zero algorithms specified, we HAVE a match */
+ if (first->get_count(first) == 0 && second->get_count(second) == 0)
+ {
+ *add = FALSE;
+ return TRUE;
+ }
+
+ first_iter = first->create_iterator(first, TRUE);
+ second_iter = second->create_iterator(second, TRUE);
+ /* compare algs, order of algs in "first" is preferred */
+ while (first_iter->iterate(first_iter, (void**)&first_alg))
+ {
+ second_iter->reset(second_iter);
+ while (second_iter->iterate(second_iter, (void**)&second_alg))
+ {
+ if (first_alg->algorithm == second_alg->algorithm &&
+ first_alg->key_size == second_alg->key_size)
+ {
+ /* ok, we have an algorithm */
+ *alg = first_alg->algorithm;
+ *key_size = first_alg->key_size;
+ *add = TRUE;
+ first_iter->destroy(first_iter);
+ second_iter->destroy(second_iter);
+ return TRUE;
+ }
+ }
+ }
+ /* no match in all comparisons */
+ first_iter->destroy(first_iter);
+ second_iter->destroy(second_iter);
+ return FALSE;
+}
+
+/**
+ * Implements proposal_t.select.
+ */
+static proposal_t *select_proposal(private_proposal_t *this, private_proposal_t *other)
+{
+ proposal_t *selected;
+ u_int16_t algo;
+ size_t key_size;
+ bool add;
+
+ DBG2(DBG_CFG, "selecting proposal:");
+
+ /* check protocol */
+ if (this->protocol != other->protocol)
+ {
+ DBG2(DBG_CFG, " protocol mismatch, skipping");
+ return NULL;
+ }
+
+ selected = proposal_create(this->protocol);
+
+ /* select encryption algorithm */
+ if (select_algo(this->encryption_algos, other->encryption_algos, &add, &algo, &key_size))
+ {
+ if (add)
+ {
+ selected->add_algorithm(selected, ENCRYPTION_ALGORITHM, algo, key_size);
+ }
+ }
+ else
+ {
+ selected->destroy(selected);
+ DBG2(DBG_CFG, " no acceptable ENCRYPTION_ALGORITHM found, skipping");
+ return NULL;
+ }
+ /* select integrity algorithm */
+ if (select_algo(this->integrity_algos, other->integrity_algos, &add, &algo, &key_size))
+ {
+ if (add)
+ {
+ selected->add_algorithm(selected, INTEGRITY_ALGORITHM, algo, key_size);
+ }
+ }
+ else
+ {
+ selected->destroy(selected);
+ DBG2(DBG_CFG, " no acceptable INTEGRITY_ALGORITHM found, skipping");
+ return NULL;
+ }
+ /* select prf algorithm */
+ if (select_algo(this->prf_algos, other->prf_algos, &add, &algo, &key_size))
+ {
+ if (add)
+ {
+ selected->add_algorithm(selected, PSEUDO_RANDOM_FUNCTION, algo, key_size);
+ }
+ }
+ else
+ {
+ selected->destroy(selected);
+ DBG2(DBG_CFG, " no acceptable PSEUDO_RANDOM_FUNCTION found, skipping");
+ return NULL;
+ }
+ /* select a DH-group */
+ if (select_algo(this->dh_groups, other->dh_groups, &add, &algo, &key_size))
+ {
+ if (add)
+ {
+ selected->add_algorithm(selected, DIFFIE_HELLMAN_GROUP, algo, 0);
+ }
+ }
+ else
+ {
+ selected->destroy(selected);
+ DBG2(DBG_CFG, " no acceptable DIFFIE_HELLMAN_GROUP found, skipping");
+ return NULL;
+ }
+ /* select if we use ESNs */
+ if (select_algo(this->esns, other->esns, &add, &algo, &key_size))
+ {
+ if (add)
+ {
+ selected->add_algorithm(selected, EXTENDED_SEQUENCE_NUMBERS, algo, 0);
+ }
+ }
+ else
+ {
+ selected->destroy(selected);
+ DBG2(DBG_CFG, " no acceptable EXTENDED_SEQUENCE_NUMBERS found, skipping");
+ return NULL;
+ }
+ DBG2(DBG_CFG, " proposal matches");
+
+ /* apply SPI from "other" */
+ selected->set_spi(selected, other->spi);
+
+ /* everything matched, return new proposal */
+ return selected;
+}
+
+/**
+ * Implements proposal_t.get_protocols.
+ */
+static protocol_id_t get_protocol(private_proposal_t *this)
+{
+ return this->protocol;
+}
+
+/**
+ * Implements proposal_t.set_spi.
+ */
+static void set_spi(private_proposal_t *this, u_int64_t spi)
+{
+ this->spi = spi;
+}
+
+/**
+ * Implements proposal_t.get_spi.
+ */
+static u_int64_t get_spi(private_proposal_t *this)
+{
+ return this->spi;
+}
+
+/**
+ * Clone a algorithm list
+ */
+static void clone_algo_list(linked_list_t *list, linked_list_t *clone_list)
+{
+ algorithm_t *algo, *clone_algo;
+ iterator_t *iterator = list->create_iterator(list, TRUE);
+ while (iterator->iterate(iterator, (void**)&algo))
+ {
+ clone_algo = malloc_thing(algorithm_t);
+ memcpy(clone_algo, algo, sizeof(algorithm_t));
+ clone_list->insert_last(clone_list, (void*)clone_algo);
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implements proposal_t.clone
+ */
+static proposal_t *clone_(private_proposal_t *this)
+{
+ private_proposal_t *clone = (private_proposal_t*)proposal_create(this->protocol);
+
+ clone_algo_list(this->encryption_algos, clone->encryption_algos);
+ clone_algo_list(this->integrity_algos, clone->integrity_algos);
+ clone_algo_list(this->prf_algos, clone->prf_algos);
+ clone_algo_list(this->dh_groups, clone->dh_groups);
+ clone_algo_list(this->esns, clone->esns);
+
+ clone->spi = this->spi;
+
+ return &clone->public;
+}
+
+static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
+{
+ if (strncmp(alg.ptr, "null", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_NULL, 0);
+ }
+ else if (strncmp(alg.ptr, "aes128", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
+ }
+ else if (strncmp(alg.ptr, "aes192", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
+ }
+ else if (strncmp(alg.ptr, "aes256", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
+ }
+ else if (strncmp(alg.ptr, "3des", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
+ }
+ /* blowfish only uses some predefined key sizes yet */
+ else if (strncmp(alg.ptr, "blowfish128", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128);
+ }
+ else if (strncmp(alg.ptr, "blowfish192", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192);
+ }
+ else if (strncmp(alg.ptr, "blowfish256", alg.len) == 0)
+ {
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
+ }
+ else if (strncmp(alg.ptr, "sha", alg.len) == 0 ||
+ strncmp(alg.ptr, "sha1", alg.len) == 0)
+ {
+ /* sha means we use SHA for both, PRF and AUTH */
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ if (this->protocol == PROTO_IKE)
+ {
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0);
+ }
+ }
+ else if (strncmp(alg.ptr, "sha256", alg.len) == 0)
+ {
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
+ if (this->protocol == PROTO_IKE)
+ {
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0);
+ }
+ }
+ else if (strncmp(alg.ptr, "sha384", alg.len) == 0)
+ {
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
+ if (this->protocol == PROTO_IKE)
+ {
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0);
+ }
+ }
+ else if (strncmp(alg.ptr, "sha512", alg.len) == 0)
+ {
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
+ if (this->protocol == PROTO_IKE)
+ {
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0);
+ }
+ }
+ else if (strncmp(alg.ptr, "md5", alg.len) == 0)
+ {
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
+ if (this->protocol == PROTO_IKE)
+ {
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0);
+ }
+ }
+ else if (strncmp(alg.ptr, "modp768", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0);
+ }
+ else if (strncmp(alg.ptr, "modp1024", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
+ }
+ else if (strncmp(alg.ptr, "modp1536", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0);
+ }
+ else if (strncmp(alg.ptr, "modp2048", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
+ }
+ else if (strncmp(alg.ptr, "modp4096", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0);
+ }
+ else if (strncmp(alg.ptr, "modp8192", alg.len) == 0)
+ {
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0);
+ }
+ else
+ {
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implements proposal_t.destroy.
+ */
+static void destroy(private_proposal_t *this)
+{
+ this->encryption_algos->destroy_function(this->encryption_algos, free);
+ this->integrity_algos->destroy_function(this->integrity_algos, free);
+ this->prf_algos->destroy_function(this->prf_algos, free);
+ this->dh_groups->destroy_function(this->dh_groups, free);
+ this->esns->destroy_function(this->esns, free);
+ free(this);
+}
+
+/*
+ * Describtion in header-file
+ */
+proposal_t *proposal_create(protocol_id_t protocol)
+{
+ private_proposal_t *this = malloc_thing(private_proposal_t);
+
+ this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,size_t))add_algorithm;
+ this->public.create_algorithm_iterator = (iterator_t* (*)(proposal_t*,transform_type_t))create_algorithm_iterator;
+ this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,algorithm_t**))get_algorithm;
+ this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*))select_proposal;
+ this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol;
+ this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi;
+ this->public.get_spi = (u_int64_t(*)(proposal_t*))get_spi;
+ this->public.clone = (proposal_t*(*)(proposal_t*))clone_;
+ this->public.destroy = (void(*)(proposal_t*))destroy;
+
+ this->spi = 0;
+ this->protocol = protocol;
+
+ this->encryption_algos = linked_list_create();
+ this->integrity_algos = linked_list_create();
+ this->prf_algos = linked_list_create();
+ this->dh_groups = linked_list_create();
+ this->esns = linked_list_create();
+
+ return &this->public;
+}
+
+/*
+ * Describtion in header-file
+ */
+proposal_t *proposal_create_default(protocol_id_t protocol)
+{
+ private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
+
+ switch (protocol)
+ {
+ case PROTO_IKE:
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0);
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0);
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0);
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0);
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0);
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0);
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0);
+ add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0);
+ break;
+ case PROTO_ESP:
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
+ add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
+ add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
+ break;
+ case PROTO_AH:
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
+ add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
+ add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
+ break;
+ default:
+ break;
+ }
+
+ return &this->public;
+}
+
+/*
+ * Describtion in header-file
+ */
+proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs)
+{
+ private_proposal_t *this = (private_proposal_t*)proposal_create(protocol);
+ chunk_t string = {(void*)algs, strlen(algs)};
+ chunk_t alg;
+ status_t status = SUCCESS;
+
+ eat_whitespace(&string);
+ if (string.len < 1)
+ {
+ destroy(this);
+ return NULL;
+ }
+
+ /* get all tokens, separated by '-' */
+ while (extract_token(&alg, '-', &string))
+ {
+ status |= add_string_algo(this, alg);
+ }
+ if (string.len)
+ {
+ status |= add_string_algo(this, string);
+ }
+ if (status != SUCCESS)
+ {
+ destroy(this);
+ return NULL;
+ }
+
+ if (protocol == PROTO_AH || protocol == PROTO_ESP)
+ {
+ add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0);
+ }
+ return &this->public;
+}
diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h
new file mode 100644
index 000000000..abcb40999
--- /dev/null
+++ b/src/charon/config/proposal.h
@@ -0,0 +1,266 @@
+/**
+ * @file proposal.h
+ *
+ * @brief Interface of proposal_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PROPOSAL_H_
+#define PROPOSAL_H_
+
+typedef enum protocol_id_t protocol_id_t;
+typedef enum transform_type_t transform_type_t;
+typedef enum extended_sequence_numbers_t extended_sequence_numbers_t;
+typedef struct algorithm_t algorithm_t;
+typedef struct proposal_t proposal_t;
+
+#include <library.h>
+#include <utils/identification.h>
+#include <utils/linked_list.h>
+#include <utils/host.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <crypto/diffie_hellman.h>
+#include <config/traffic_selector.h>
+
+/**
+ * Protocol ID of a proposal.
+ *
+ * @ingroup config
+ */
+enum protocol_id_t {
+ PROTO_NONE = 0,
+ PROTO_IKE = 1,
+ PROTO_AH = 2,
+ PROTO_ESP = 3,
+};
+
+/**
+ * enum names for protocol_id_t
+ *
+ * @ingroup config
+ */
+extern enum_name_t *protocol_id_names;
+
+
+/**
+ * Type of a transform, as in IKEv2 RFC 3.3.2.
+ *
+ * @ingroup config
+ */
+enum transform_type_t {
+ UNDEFINED_TRANSFORM_TYPE = 241,
+ ENCRYPTION_ALGORITHM = 1,
+ PSEUDO_RANDOM_FUNCTION = 2,
+ INTEGRITY_ALGORITHM = 3,
+ DIFFIE_HELLMAN_GROUP = 4,
+ EXTENDED_SEQUENCE_NUMBERS = 5
+};
+
+/**
+ * enum names for transform_type_t.
+ *
+ * @ingroup config
+ */
+extern enum_name_t *transform_type_names;
+
+
+/**
+ * Extended sequence numbers, as in IKEv2 RFC 3.3.2.
+ *
+ * @ingroup config
+ */
+enum extended_sequence_numbers_t {
+ NO_EXT_SEQ_NUMBERS = 0,
+ EXT_SEQ_NUMBERS = 1
+};
+
+/**
+ * enum strings for extended_sequence_numbers_t.
+ *
+ * @ingroup config
+ */
+extern enum_name_t *extended_sequence_numbers_names;
+
+
+
+/**
+ * Struct used to store different kinds of algorithms. The internal
+ * lists of algorithms contain such structures.
+ */
+struct algorithm_t {
+ /**
+ * Value from an encryption_algorithm_t/integrity_algorithm_t/...
+ */
+ u_int16_t algorithm;
+
+ /**
+ * the associated key size in bits, or zero if not needed
+ */
+ u_int16_t key_size;
+};
+
+/**
+ * @brief Stores a set of algorithms used for an SA.
+ *
+ * A proposal stores algorithms for a specific
+ * protocol. It can store algorithms for one protocol.
+ * Proposals with multiple protocols are not supported,
+ * as it's not specified in RFC4301 anymore.
+ *
+ * @b Constructors:
+ * - proposal_create()
+ *
+ * @ingroup config
+ */
+struct proposal_t {
+
+ /**
+ * @brief Add an algorithm to the proposal.
+ *
+ * The algorithms are stored by priority, first added
+ * is the most preferred.
+ * Key size is only needed for encryption algorithms
+ * with variable key size (such as AES). Must be set
+ * to zero if key size is not specified.
+ * The alg parameter accepts encryption_algorithm_t,
+ * integrity_algorithm_t, dh_group_number_t and
+ * extended_sequence_numbers_t.
+ *
+ * @param this calling object
+ * @param type kind of algorithm
+ * @param alg identifier for algorithm
+ * @param key_size key size to use
+ */
+ void (*add_algorithm) (proposal_t *this, transform_type_t type, u_int16_t alg, size_t key_size);
+
+ /**
+ * @brief Get an iterator over algorithms for a specifc algo type.
+ *
+ * @param this calling object
+ * @param type kind of algorithm
+ * @return iterator over algorithm_t's
+ */
+ iterator_t *(*create_algorithm_iterator) (proposal_t *this, transform_type_t type);
+
+ /**
+ * @brief Get the algorithm for a type to use.
+ *
+ * If there are multiple algorithms, only the first is returned.
+ * Result is still owned by proposal, do not modify!
+ *
+ * @param this calling object
+ * @param type kind of algorithm
+ * @param[out] algo pointer which receives algorithm and key size
+ * @return TRUE if algorithm of this kind available
+ */
+ bool (*get_algorithm) (proposal_t *this, transform_type_t type, algorithm_t** algo);
+
+ /**
+ * @brief Compare two proposal, and select a matching subset.
+ *
+ * If the proposals are for the same protocols (AH/ESP), they are
+ * compared. If they have at least one algorithm of each type
+ * in common, a resulting proposal of this kind is created.
+ *
+ * @param this calling object
+ * @param other proposal to compair agains
+ * @return
+ * - selected proposal, if possible
+ * - NULL, if proposals don't match
+ */
+ proposal_t *(*select) (proposal_t *this, proposal_t *other);
+
+ /**
+ * @brief Get the protocol ID of the proposal.
+ *
+ * @param this calling object
+ * @return protocol of the proposal
+ */
+ protocol_id_t (*get_protocol) (proposal_t *this);
+
+ /**
+ * @brief Get the SPI of the proposal.
+ *
+ * @param this calling object
+ * @return spi for proto
+ */
+ u_int64_t (*get_spi) (proposal_t *this);
+
+ /**
+ * @brief Set the SPI of the proposal.
+ *
+ * @param this calling object
+ * @param spi spi to set for proto
+ */
+ void (*set_spi) (proposal_t *this, u_int64_t spi);
+
+ /**
+ * @brief Clone a proposal.
+ *
+ * @param this proposal to clone
+ * @return clone of it
+ */
+ proposal_t *(*clone) (proposal_t *this);
+
+ /**
+ * @brief Destroys the proposal object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (proposal_t *this);
+};
+
+/**
+ * @brief Create a child proposal for AH, ESP or IKE.
+ *
+ * @param protocol protocol, such as PROTO_ESP
+ * @return proposal_t object
+ *
+ * @ingroup config
+ */
+proposal_t *proposal_create(protocol_id_t protocol);
+
+/**
+ * @brief Create a default proposal if nothing further specified.
+ *
+ * @param protocol protocol, such as PROTO_ESP
+ * @return proposal_t object
+ *
+ * @ingroup config
+ */
+proposal_t *proposal_create_default(protocol_id_t protocol);
+
+/**
+ * @brief Create a proposal from a string identifying the algorithms.
+ *
+ * The string is in the same form as a in the ipsec.conf file.
+ * E.g.: aes128-sha2_256-modp2048
+ * 3des-md5
+ * An additional '!' at the end of the string forces this proposal,
+ * without it the peer may choose another algorithm we support.
+ *
+ * @param protocol protocol, such as PROTO_ESP
+ * @param algs algorithms as string
+ * @return proposal_t object
+ *
+ * @ingroup config
+ */
+proposal_t *proposal_create_from_string(protocol_id_t protocol, const char *algs);
+
+#endif /* PROPOSAL_H_ */
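Review bot: The comment on proposal_create_from_string does not match the parser this commit adds in proposal.c: the example `aes128-sha2_256-modp2048` uses a token that add_string_algo does not list (it matches `sha256`), and an unrecognised token makes the constructor return NULL, which `@return` omits. I would change the example to `aes128-sha256-modp2048` and the return line to `@return proposal_t object, NULL if a token is not recognised`. The trailing '!' described here is not handled in proposal_create_from_string as shown, so presumably the caller strips it; the comment should say so. Because add_string_algo compares with strncmp bounded by the token length, a shortened token is accepted as the first name it prefixes (an empty token, if extract_token yields one, would match `null`), so the header should state that names must be written in full, or the parser should also compare lengths.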
diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c
new file mode 100644
index 000000000..2fb012e16
--- /dev/null
+++ b/src/charon/config/traffic_selector.c
@@ -0,0 +1,795 @@
+/**
+ * @file traffic_selector.c
+ *
+ * @brief Implementation of traffic_selector_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <arpa/inet.h>
+#include <string.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <printf.h>
+
+#include "traffic_selector.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+
+ENUM(ts_type_name, TS_IPV4_ADDR_RANGE, TS_IPV6_ADDR_RANGE,
+ "TS_IPV4_ADDR_RANGE",
+ "TS_IPV6_ADDR_RANGE",
+);
+
+typedef struct private_traffic_selector_t private_traffic_selector_t;
+
+/**
+ * Private data of an traffic_selector_t object
+ */
+struct private_traffic_selector_t {
+
+ /**
+ * Public part
+ */
+ traffic_selector_t public;
+
+ /**
+ * Type of address
+ */
+ ts_type_t type;
+
+ /**
+ * IP protocol (UDP, TCP, ICMP, ...)
+ */
+ u_int8_t protocol;
+
+ /**
+ * narrow this traffic selector to hosts external ip
+ * if set, from and to have no meaning until set_address() is called
+ */
+ bool dynamic;
+
+ /**
+ * begin of address range, network order
+ */
+ union {
+ /** dummy char for common address manipulation */
+ char from[0];
+ /** IPv4 address */
+ u_int32_t from4[1];
+ /** IPv6 address */
+ u_int32_t from6[4];
+ };
+
+ /**
+ * end of address range, network order
+ */
+ union {
+ /** dummy char for common address manipulation */
+ char to[0];
+ /** IPv4 address */
+ u_int32_t to4[1];
+ /** IPv6 address */
+ u_int32_t to6[4];
+ };
+
+ /**
+ * begin of port range
+ */
+ u_int16_t from_port;
+
+ /**
+ * end of port range
+ */
+ u_int16_t to_port;
+};
+
+/**
+ * calculate to "to"-address for the "from" address and a subnet size
+ */
+static void calc_range(private_traffic_selector_t *this, u_int8_t netbits)
+{
+ int byte;
+ size_t size = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+
+ /* go through the from address, starting at the tail. While we
+ * have not processed the bits belonging to the host, set them to 1 on
+ * the to address. If we reach the bits for the net, copy them from "from". */
+ for (byte = size - 1; byte >=0; byte--)
+ {
+ u_char mask = 0x00;
+ int shift;
+
+ shift = (byte+1) * 8 - netbits;
+ if (shift > 0)
+ {
+ mask = 1 << shift;
+ if (mask != 0xFF)
+ {
+ mask--;
+ }
+ }
+ this->to[byte] = this->from[byte] | mask;
+ }
+}
+
+/**
+ * calculate to subnet size from "to"- and "from"-address
+ */
+static u_int8_t calc_netbits(private_traffic_selector_t *this)
+{
+ int byte, bit;
+ size_t size = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+
+ /* go trough all bits of the addresses, begging in the front.
+ * As longer as they equal, the subnet gets larger */
+ for (byte = 0; byte < size; byte++)
+ {
+ for (bit = 7; bit >= 0; bit--)
+ {
+ if ((1<<bit & this->from[byte]) != (1<<bit & this->to[byte]))
+ {
+ return ((7 - bit) + (byte * 8));
+ }
+ }
+ }
+ /* single host, netmask is 32/128 */
+ return (size * 8);
+}
+
+/**
+ * internal generic constructor
+ */
+static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol, ts_type_t type, u_int16_t from_port, u_int16_t to_port);
+
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ private_traffic_selector_t *this = *((private_traffic_selector_t**)(args[0]));
+ char addr_str[INET6_ADDRSTRLEN] = "";
+ char *serv_proto = NULL;
+ u_int8_t mask;
+ bool has_proto;
+ bool has_ports;
+ size_t written = 0;
+
+ if (this == NULL)
+ {
+ return fprintf(stream, "(null)");
+ }
+
+ if (this->type == TS_IPV4_ADDR_RANGE)
+ {
+ inet_ntop(AF_INET, &this->from4, addr_str, sizeof(addr_str));
+ }
+ else
+ {
+ inet_ntop(AF_INET6, &this->from6, addr_str, sizeof(addr_str));
+ }
+ mask = calc_netbits(this);
+
+ written += fprintf(stream, "%s/%d", addr_str, mask);
+
+ /* check if we have protocol and/or port selectors */
+ has_proto = this->protocol != 0;
+ has_ports = !(this->from_port == 0 && this->to_port == 0xFFFF);
+
+ if (!has_proto && !has_ports)
+ {
+ return written;
+ }
+
+ written += fprintf(stream, "[");
+
+ /* build protocol string */
+ if (has_proto)
+ {
+ struct protoent *proto = getprotobynumber(this->protocol);
+
+ if (proto)
+ {
+ written += fprintf(stream, "%s", proto->p_name);
+ serv_proto = proto->p_name;
+ }
+ else
+ {
+ written += fprintf(stream, "%d", this->protocol);
+ }
+ }
+
+ if (has_proto && has_ports)
+ {
+ written += fprintf(stream, "/");
+ }
+
+ /* build port string */
+ if (has_ports)
+ {
+ if (this->from_port == this->to_port)
+ {
+ struct servent *serv = getservbyport(htons(this->from_port), serv_proto);
+
+ if (serv)
+ {
+ written += fprintf(stream, "%s", serv->s_name);
+ }
+ else
+ {
+ written += fprintf(stream, "%d", this->from_port);
+ }
+ }
+ else
+ {
+ written += fprintf(stream, "%d-%d", this->from_port, this->to_port);
+ }
+ }
+
+ written += fprintf(stream, "]");
+
+ return written;
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(PRINTF_TRAFFIC_SELECTOR, print, arginfo_ptr);
+}
+
+/**
+ * implements traffic_selector_t.get_subset
+ */
+static traffic_selector_t *get_subset(private_traffic_selector_t *this, private_traffic_selector_t *other)
+{
+ if (this->type == other->type && (this->protocol == other->protocol ||
+ this->protocol == 0 || other->protocol == 0))
+ {
+ u_int16_t from_port, to_port;
+ u_char *from, *to;
+ u_int8_t protocol;
+ size_t size;
+ private_traffic_selector_t *new_ts;
+
+ /* calculate the maximum port range allowed for both */
+ from_port = max(this->from_port, other->from_port);
+ to_port = min(this->to_port, other->to_port);
+ if (from_port > to_port)
+ {
+ return NULL;
+ }
+ /* select protocol, which is not zero */
+ protocol = max(this->protocol, other->protocol);
+
+ switch (this->type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ size = sizeof(this->from4);
+ break;
+ case TS_IPV6_ADDR_RANGE:
+ size = sizeof(this->from6);
+ break;
+ default:
+ return NULL;
+ }
+
+ /* get higher from-address */
+ if (memcmp(this->from, other->from, size) > 0)
+ {
+ from = this->from;
+ }
+ else
+ {
+ from = other->from;
+ }
+ /* get lower to-address */
+ if (memcmp(this->to, other->to, size) > 0)
+ {
+ to = other->to;
+ }
+ else
+ {
+ to = this->to;
+ }
+ /* if "from" > "to", we don't have a match */
+ if (memcmp(from, to, size) > 0)
+ {
+ return NULL;
+ }
+
+ /* we have a match in protocol, port, and address: return it... */
+ new_ts = traffic_selector_create(protocol, this->type, from_port, to_port);
+ new_ts->type = this->type;
+ memcpy(new_ts->from, from, size);
+ memcpy(new_ts->to, to, size);
+
+ return &new_ts->public;
+ }
+ return NULL;
+}
+
+/**
+ * implements traffic_selector_t.equals
+ */
+static bool equals(private_traffic_selector_t *this, private_traffic_selector_t *other)
+{
+ if (this->type != other->type)
+ {
+ return FALSE;
+ }
+ if (!(this->from_port == other->from_port &&
+ this->to_port == other->to_port &&
+ this->protocol == other->protocol))
+ {
+ return FALSE;
+ }
+ switch (this->type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ if (memeq(this->from4, other->from4, sizeof(this->from4)))
+ {
+ return TRUE;
+ }
+ break;
+ case TS_IPV6_ADDR_RANGE:
+ if (memeq(this->from6, other->from6, sizeof(this->from6)))
+ {
+ return TRUE;
+ }
+ break;
+ default:
+ break;
+ }
+ return FALSE;
+}
+
+/**
+ * Implements traffic_selector_t.get_from_address.
+ */
+static chunk_t get_from_address(private_traffic_selector_t *this)
+{
+ chunk_t from = chunk_empty;
+
+ switch (this->type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ {
+ from.len = sizeof(this->from4);
+ from.ptr = malloc(from.len);
+ memcpy(from.ptr, this->from4, from.len);
+ break;
+ }
+ case TS_IPV6_ADDR_RANGE:
+ {
+ from.len = sizeof(this->from6);
+ from.ptr = malloc(from.len);
+ memcpy(from.ptr, this->from6, from.len);
+ break;
+ }
+ }
+ return from;
+}
+
+/**
+ * Implements traffic_selector_t.get_to_address.
+ */
+static chunk_t get_to_address(private_traffic_selector_t *this)
+{
+ chunk_t to = chunk_empty;
+
+ switch (this->type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ {
+ to.len = sizeof(this->to4);
+ to.ptr = malloc(to.len);
+ memcpy(to.ptr, this->to4, to.len);
+ break;
+ }
+ case TS_IPV6_ADDR_RANGE:
+ {
+ to.len = sizeof(this->to6);
+ to.ptr = malloc(to.len);
+ memcpy(to.ptr, this->to6, to.len);
+ break;
+ }
+ }
+ return to;
+}
+
+/**
+ * Implements traffic_selector_t.get_from_port.
+ */
+static u_int16_t get_from_port(private_traffic_selector_t *this)
+{
+ return this->from_port;
+}
+
+/**
+ * Implements traffic_selector_t.get_to_port.
+ */
+static u_int16_t get_to_port(private_traffic_selector_t *this)
+{
+ return this->to_port;
+}
+
+/**
+ * Implements traffic_selector_t.get_type.
+ */
+static ts_type_t get_type(private_traffic_selector_t *this)
+{
+ return this->type;
+}
+
+/**
+ * Implements traffic_selector_t.get_protocol.
+ */
+static u_int8_t get_protocol(private_traffic_selector_t *this)
+{
+ return this->protocol;
+}
+
+/**
+ * Implements traffic_selector_t.is_host.
+ */
+static bool is_host(private_traffic_selector_t *this, host_t *host)
+{
+ if (this->dynamic)
+ {
+ return TRUE;
+ }
+
+ if (host)
+ {
+ chunk_t addr;
+ int family = host->get_family(host);
+
+ if ((family == AF_INET && this->type == TS_IPV4_ADDR_RANGE) ||
+ (family == AF_INET6 && this->type == TS_IPV6_ADDR_RANGE))
+ {
+ addr = host->get_address(host);
+ if (memeq(addr.ptr, this->from, addr.len) &&
+ memeq(addr.ptr, this->to, addr.len))
+ {
+ return TRUE;
+ }
+ }
+ }
+ else
+ {
+ size_t length = (this->type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+
+ if (memeq(this->from, this->to, length))
+ {
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+/**
+ * Implements traffic_selector_t.set_address.
+ */
+static void set_address(private_traffic_selector_t *this, host_t *host)
+{
+ if (this->dynamic)
+ {
+ this->type = host->get_family(host) == AF_INET ?
+ TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
+
+ chunk_t from = host->get_address(host);
+ memcpy(this->from, from.ptr, from.len);
+ memcpy(this->to, from.ptr, from.len);
+ }
+}
+
+/**
+ * Implements traffic_selector_t.is_contained_in.
+ */
+static bool is_contained_in(private_traffic_selector_t *this,
+ private_traffic_selector_t *other)
+{
+ private_traffic_selector_t *subset;
+ bool contained_in = FALSE;
+
+ subset = (private_traffic_selector_t*)get_subset(this, other);
+
+ if (subset)
+ {
+ if (equals(subset, this))
+ {
+ contained_in = TRUE;
+ }
+ free(subset);
+ }
+ return contained_in;
+}
+
+/**
+ * Implements traffic_selector_t.includes.
+ */
+static bool includes(private_traffic_selector_t *this, host_t *host)
+{
+ chunk_t addr;
+ int family = host->get_family(host);
+
+ if ((family == AF_INET && this->type == TS_IPV4_ADDR_RANGE) ||
+ (family == AF_INET6 && this->type == TS_IPV6_ADDR_RANGE))
+ {
+ addr = host->get_address(host);
+
+ return memcmp(this->from, addr.ptr, addr.len) <= 0 &&
+ memcmp(this->to, addr.ptr, addr.len) >= 0;
+ }
+
+ return FALSE;
+}
+
+/**
+ * Implements traffic_selector_t.clone.
+ */
+static traffic_selector_t *clone_(private_traffic_selector_t *this)
+{
+ private_traffic_selector_t *clone;
+
+ clone = traffic_selector_create(this->protocol, this->type,
+ this->from_port, this->to_port);
+
+ clone->dynamic = this->dynamic;
+ switch (clone->type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ {
+ memcpy(clone->from4, this->from4, sizeof(this->from4));
+ memcpy(clone->to4, this->to4, sizeof(this->to4));
+ return &clone->public;
+ }
+ case TS_IPV6_ADDR_RANGE:
+ {
+ memcpy(clone->from6, this->from6, sizeof(this->from6));
+ memcpy(clone->to6, this->to6, sizeof(this->to6));
+ return &clone->public;
+ }
+ default:
+ {
+ /* unreachable */
+ return &clone->public;
+ }
+ }
+}
+
+/**
+ * Implements traffic_selector_t.destroy.
+ */
+static void destroy(private_traffic_selector_t *this)
+{
+ free(this);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_from_bytes(u_int8_t protocol,
+ ts_type_t type,
+ chunk_t from, u_int16_t from_port,
+ chunk_t to, u_int16_t to_port)
+{
+ private_traffic_selector_t *this = traffic_selector_create(protocol, type,
+ from_port, to_port);
+
+ switch (type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ {
+ if (from.len != 4 || to.len != 4)
+ {
+ free(this);
+ return NULL;
+ }
+ memcpy(this->from4, from.ptr, from.len);
+ memcpy(this->to4, to.ptr, to.len);
+ break;
+ }
+ case TS_IPV6_ADDR_RANGE:
+ {
+ if (from.len != 16 || to.len != 16)
+ {
+ free(this);
+ return NULL;
+ }
+ memcpy(this->from6, from.ptr, from.len);
+ memcpy(this->to6, to.ptr, to.len);
+ break;
+ }
+ default:
+ {
+ free(this);
+ return NULL;
+ }
+ }
+ return (&this->public);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_from_subnet(host_t *net,
+ u_int8_t netbits, u_int8_t protocol, u_int16_t port)
+{
+ private_traffic_selector_t *this = traffic_selector_create(protocol, 0, 0, 65535);
+
+ switch (net->get_family(net))
+ {
+ case AF_INET:
+ {
+ chunk_t from;
+
+ this->type = TS_IPV4_ADDR_RANGE;
+ from = net->get_address(net);
+ memcpy(this->from4, from.ptr, from.len);
+ if (this->from4[0] == 0)
+ {
+ /* use /0 for 0.0.0.0 */
+ this->to4[0] = ~0;
+ }
+ else
+ {
+ calc_range(this, netbits);
+ }
+ break;
+ }
+ case AF_INET6:
+ {
+ chunk_t from;
+
+ this->type = TS_IPV6_ADDR_RANGE;
+ from = net->get_address(net);
+ memcpy(this->from6, from.ptr, from.len);
+ if (this->from6[0] == 0 && this->from6[1] == 0 &&
+ this->from6[2] == 0 && this->from6[3] == 0)
+ {
+ /* use /0 for ::0 */
+ this->to6[0] = ~0;
+ this->to6[1] = ~0;
+ this->to6[2] = ~0;
+ this->to6[3] = ~0;
+ }
+ else
+ {
+ calc_range(this, netbits);
+ }
+ break;
+ }
+ default:
+ {
+ free(this);
+ return NULL;
+ }
+ }
+ if (port)
+ {
+ this->from_port = port;
+ this->to_port = port;
+ }
+ return (&this->public);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_from_string(
+ u_int8_t protocol, ts_type_t type,
+ char *from_addr, u_int16_t from_port,
+ char *to_addr, u_int16_t to_port)
+{
+ private_traffic_selector_t *this = traffic_selector_create(protocol, type,
+ from_port, to_port);
+
+ this->type = type;
+ switch (type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ {
+ if (inet_pton(AF_INET, from_addr, (struct in_addr*)this->from4) < 0)
+ {
+ free(this);
+ return NULL;
+ }
+ if (inet_pton(AF_INET, to_addr, (struct in_addr*)this->to4) < 0)
+ {
+ free(this);
+ return NULL;
+ }
+ break;
+ }
+ case TS_IPV6_ADDR_RANGE:
+ {
+ if (inet_pton(AF_INET6, from_addr, (struct in6_addr*)this->from6) < 0)
+ {
+ free(this);
+ return NULL;
+ }
+ if (inet_pton(AF_INET6, to_addr, (struct in6_addr*)this->to6) < 0)
+ {
+ free(this);
+ return NULL;
+ }
+ break;
+ }
+ }
+ return (&this->public);
+}
+
+/*
+ * see header
+ */
+traffic_selector_t *traffic_selector_create_dynamic(
+ u_int8_t protocol, ts_type_t type,
+ u_int16_t from_port, u_int16_t to_port)
+{
+ private_traffic_selector_t *this = traffic_selector_create(protocol, type,
+ from_port, to_port);
+
+ memset(this->from6, 0, sizeof(this->from6));
+ memset(this->to6, 0xFF, sizeof(this->to6));
+
+ this->dynamic = TRUE;
+
+ return &this->public;
+}
+
+/*
+ * see declaration
+ */
+static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
+ ts_type_t type, u_int16_t from_port, u_int16_t to_port)
+{
+ private_traffic_selector_t *this = malloc_thing(private_traffic_selector_t);
+
+ /* public functions */
+ this->public.get_subset = (traffic_selector_t*(*)(traffic_selector_t*,traffic_selector_t*))get_subset;
+ this->public.equals = (bool(*)(traffic_selector_t*,traffic_selector_t*))equals;
+ this->public.get_from_address = (chunk_t(*)(traffic_selector_t*))get_from_address;
+ this->public.get_to_address = (chunk_t(*)(traffic_selector_t*))get_to_address;
+ this->public.get_from_port = (u_int16_t(*)(traffic_selector_t*))get_from_port;
+ this->public.get_to_port = (u_int16_t(*)(traffic_selector_t*))get_to_port;
+ this->public.get_type = (ts_type_t(*)(traffic_selector_t*))get_type;
+ this->public.get_protocol = (u_int8_t(*)(traffic_selector_t*))get_protocol;
+ this->public.is_host = (bool(*)(traffic_selector_t*,host_t*))is_host;
+ this->public.is_contained_in = (bool(*)(traffic_selector_t*,traffic_selector_t*))is_contained_in;
+ this->public.includes = (bool(*)(traffic_selector_t*,host_t*))includes;
+ this->public.set_address = (void(*)(traffic_selector_t*,host_t*))set_address;
+ this->public.clone = (traffic_selector_t*(*)(traffic_selector_t*))clone_;
+ this->public.destroy = (void(*)(traffic_selector_t*))destroy;
+
+ this->from_port = from_port;
+ this->to_port = to_port;
+ this->protocol = protocol;
+ this->type = type;
+ this->dynamic = FALSE;
+
+ return this;
+}
+
+/* vim: set ts=4 sw=4 noet: */
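Review bot: equals() compares only the `from` address of the two selectors, so two ranges with the same start but a different end are reported equal, and is_contained_in(), which tests `equals(subset, this)`, then returns TRUE for a selector that is wider than `other`. The IPv4 case should read `if (memeq(this->from4, other->from4, sizeof(this->from4)) && memeq(this->to4, other->to4, sizeof(this->to4)))`, and the IPv6 case the same with `from6`/`to6`. Separately, the four inet_pton() calls in traffic_selector_create_from_string test `< 0`, but inet_pton returns 0 for an address string it cannot parse, so such input is accepted with address fields that traffic_selector_create never assigns; `!= 1` is the check to use there.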
diff --git a/src/charon/config/traffic_selector.h b/src/charon/config/traffic_selector.h
new file mode 100644
index 000000000..0e798fc6a
--- /dev/null
+++ b/src/charon/config/traffic_selector.h
@@ -0,0 +1,312 @@
+/**
+ * @file traffic_selector.h
+ *
+ * @brief Interface of traffic_selector_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TRAFFIC_SELECTOR_H_
+#define TRAFFIC_SELECTOR_H_
+
+typedef enum ts_type_t ts_type_t;
+typedef struct traffic_selector_t traffic_selector_t;
+
+#include <library.h>
+#include <utils/host.h>
+
+/**
+ * Traffic selector types.
+ *
+ * @ingroup config
+ */
+enum ts_type_t {
+
+ /**
+ * A range of IPv4 addresses, represented by two four (4) octet
+ * values. The first value is the beginning IPv4 address
+ * (inclusive) and the second value is the ending IPv4 address
+ * (inclusive). All addresses falling between the two specified
+ * addresses are considered to be within the list.
+ */
+ TS_IPV4_ADDR_RANGE = 7,
+
+ /**
+ * A range of IPv6 addresses, represented by two sixteen (16)
+ * octet values. The first value is the beginning IPv6 address
+ * (inclusive) and the second value is the ending IPv6 address
+ * (inclusive). All addresses falling between the two specified
+ * addresses are considered to be within the list.
+ */
+ TS_IPV6_ADDR_RANGE = 8
+};
+
+/**
+ * enum names for ts_type_t
+ */
+extern enum_name_t *ts_type_name;
+
+/**
+ * @brief Object representing a traffic selector entry.
+ *
+ * A traffic selector defines an range of addresses
+ * and a range of ports. IPv6 is not fully supported yet.
+ *
+ * @b Constructors:
+ * - traffic_selector_create_from_bytes()
+ * - traffic_selector_create_from_string()
+ *
+ * @todo Add IPv6 support
+ *
+ * @ingroup config
+ */
+struct traffic_selector_t {
+
+ /**
+ * @brief Compare two traffic selectors, and create a new one
+ * which is the largest subset of both (subnet & port).
+ *
+ * Resulting traffic_selector is newly created and must be destroyed.
+ *
+ * @param this first to compare
+ * @param other second to compare
+ * @return
+ * - created subset of them
+ * - or NULL if no match between this and other
+ */
+ traffic_selector_t *(*get_subset) (traffic_selector_t *this,
+ traffic_selector_t *other);
+
+ /**
+ * @brief Clone a traffic selector.
+ *
+ * @param this traffic selector to clone
+ * @return clone of it
+ */
+ traffic_selector_t *(*clone) (traffic_selector_t *this);
+
+ /**
+ * @brief Get starting address of this ts as a chunk.
+ *
+ * Chunk is in network order gets allocated.
+ *
+ * @param this called object
+ * @return chunk containing the address
+ */
+ chunk_t (*get_from_address) (traffic_selector_t *this);
+
+ /**
+ * @brief Get ending address of this ts as a chunk.
+ *
+ * Chunk is in network order gets allocated.
+ *
+ * @param this called object
+ * @return chunk containing the address
+ */
+ chunk_t (*get_to_address) (traffic_selector_t *this);
+
+ /**
+ * @brief Get starting port of this ts.
+ *
+ * Port is in host order, since the parser converts it.
+ * Size depends on protocol.
+ *
+ * @param this called object
+ * @return port
+ */
+ u_int16_t (*get_from_port) (traffic_selector_t *this);
+
+ /**
+ * @brief Get ending port of this ts.
+ *
+ * Port is in host order, since the parser converts it.
+ * Size depends on protocol.
+ *
+ * @param this called object
+ * @return port
+ */
+ u_int16_t (*get_to_port) (traffic_selector_t *this);
+
+ /**
+ * @brief Get the type of the traffic selector.
+ *
+ * @param this called object
+ * @return ts_type_t specifying the type
+ */
+ ts_type_t (*get_type) (traffic_selector_t *this);
+
+ /**
+ * @brief Get the protocol id of this ts.
+ *
+ * @param this called object
+ * @return protocol id
+ */
+ u_int8_t (*get_protocol) (traffic_selector_t *this);
+
+ /**
+ * @brief Check if the traffic selector is for a single host.
+ *
+ * Traffic selector may describe the end of *-to-host tunnel. In this
+ * case, the address range is a single address equal to the hosts
+ * peer address.
+ * If host is NULL, the traffic selector is checked if it is a single host,
+ * but not a specific one.
+ *
+ * @param this called object
+ * @param host host_t specifying the address range
+ */
+ bool (*is_host) (traffic_selector_t *this, host_t* host);
+
+ /**
+ * @brief Update the address of a traffic selector.
+ *
+ * Update the address range of a traffic selector, if it is
+ * constructed with the traffic_selector_create_dynamic().
+ *
+ * @param this called object
+ * @param host host_t specifying the address
+ */
+ void (*set_address) (traffic_selector_t *this, host_t* host);
+
+ /**
+ * @brief Compare two traffic selectors for equality.
+ *
+ * @param this first to compare
+ * @param other second to compare with first
+ * @return pointer to a string.
+ */
+ bool (*equals) (traffic_selector_t *this, traffic_selector_t *other);
+
+ /**
+ * @brief Check if a traffic selector is contained completly in another.
+ *
+ * contains() allows to check if multiple traffic selectors are redundant.
+ *
+ * @param this ts that is contained in another
+ * @param other ts that contains this
+ * @return TRUE if other contains this completly, FALSE otherwise
+ */
+ bool (*is_contained_in) (traffic_selector_t *this, traffic_selector_t *other);
+
+ /**
+ * @brief Check if a specific host is included in the address range of
+ * this traffic selector.
+ *
+ * @param this called object
+ * @param host the host to check
+ */
+ bool (*includes) (traffic_selector_t *this, host_t *host);
+
+ /**
+ * @brief Destroys the ts object
+ *
+ * @param this called object
+ */
+ void (*destroy) (traffic_selector_t *this);
+};
+
+/**
+ * @brief Create a new traffic selector using human readable params.
+ *
+ * @param protocol protocol for this ts, such as TCP or UDP
+ * @param type type of following addresses, such as TS_IPV4_ADDR_RANGE
+ * @param from_addr start of address range as string
+ * @param from_port port number in host order
+ * @param to_addr end of address range as string
+ * @param to_port port number in host order
+ * @return
+ * - traffic_selector_t object
+ * - NULL if invalid address strings/protocol
+ *
+ * @ingroup config
+ */
+traffic_selector_t *traffic_selector_create_from_string(
+ u_int8_t protocol, ts_type_t type,
+ char *from_addr, u_int16_t from_port,
+ char *to_addr, u_int16_t to_port);
+
+/**
+ * @brief Create a new traffic selector using data read from the net.
+ *
+ * There exists a mix of network and host order in the params.
+ * But the parser gives us this data in this format, so we
+ * don't have to convert twice.
+ *
+ * @param protocol protocol for this ts, such as TCP or UDP
+ * @param type type of following addresses, such as TS_IPV4_ADDR_RANGE
+ * @param from_address start of address range, network order
+ * @param from_port port number, host order
+ * @param to_address end of address range as string, network
+ * @param to_port port number, host order
+ * @return traffic_selector_t object
+ *
+ * @ingroup config
+ */
+traffic_selector_t *traffic_selector_create_from_bytes(
+ u_int8_t protocol, ts_type_t type,
+ chunk_t from_address, u_int16_t from_port,
+ chunk_t to_address, u_int16_t to_port);
+
+/**
+ * @brief Create a new traffic selector defining a whole subnet.
+ *
+ * In most cases, definition of a traffic selector for full subnets
+ * is sufficient. This constructor creates a traffic selector for
+ * all protocols, all ports and the address range specified by the
+ * subnet.
+ * Additionally, a protocol and a port may be specified. Port ranges
+ * are not supported via this constructor.
+ *
+ * @param net subnet to use
+ * @param netbits size of the subnet, as used in e.g. 192.168.0.0/24 notation
+ * @return
+ * - traffic_selector_t object
+ * - NULL if address family of net not supported
+ *
+ * @ingroup config
+ */
+traffic_selector_t *traffic_selector_create_from_subnet(
+ host_t *net, u_int8_t netbits,
+ u_int8_t protocol, u_int16_t port);
+
+/**
+ * @brief Create a traffic selector for host-to-host cases.
+ *
+ * For host2host or virtual IP setups, the traffic selectors gets
+ * created at runtime using the external/virtual IP. Using this constructor,
+ * a call to set_address() sets this traffic selector to the supplied host.
+ *
+ *
+ * @param protocol upper layer protocl to allow
+ * @param type family type
+ * @param from_port start of allowed port range
+ * @param to_port end of range
+ * @return
+ * - traffic_selector_t object
+ * - NULL if type not supported
+ *
+ * @ingroup config
+ */
+traffic_selector_t *traffic_selector_create_dynamic(
+ u_int8_t protocol, ts_type_t type,
+ u_int16_t from_port, u_int16_t to_port);
+
+#endif /* TRAFFIC_SELECTOR_H_ */
+
+/* vim: set ts=4 sw=4 noet: */
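Review bot: The `@return` on `equals` says "pointer to a string" although the member returns `bool`; it should read `@return TRUE if both selectors are equal, FALSE otherwise`. In the same struct, `is_host` and `includes` have no `@return` line, the `is_contained_in` comment refers to a `contains()` that is not declared here, and `traffic_selector_create_from_subnet` leaves its `protocol` and `port` parameters undocumented. For `traffic_selector_create_from_bytes`, which takes data read from the net, the comment should also state what length `from_address` and `to_address` must have for each `ts_type_t` and what is returned on a mismatch. The implementation is not in this hunk, so that behaviour needs confirming before it is written down.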
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
new file mode 100644
index 000000000..7671aea86
--- /dev/null
+++ b/src/charon/daemon.c
@@ -0,0 +1,529 @@
+/**
+ * @file daemon.c
+ *
+ * @brief Implementation of daemon_t and main of IKEv2-Daemon.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <signal.h>
+#include <pthread.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <time.h>
+#include <string.h>
+#include <getopt.h>
+#include <errno.h>
+#ifdef HAVE_BACKTRACE
+# include <execinfo.h>
+#endif /* HAVE_BACKTRACE */
+
+#include "daemon.h"
+
+#include <library.h>
+#include <crypto/ca.h>
+#include <utils/fetcher.h>
+#include <config/credentials/local_credential_store.h>
+#include <config/connections/local_connection_store.h>
+#include <config/policies/local_policy_store.h>
+#include <sa/authenticators/eap/eap_method.h>
+
+
+typedef struct private_daemon_t private_daemon_t;
+
+/**
+ * Private additions to daemon_t, contains threads and internal functions.
+ */
+struct private_daemon_t {
+ /**
+ * Public members of daemon_t.
+ */
+ daemon_t public;
+
+ /**
+ * Signal set used for signal handling.
+ */
+ sigset_t signal_set;
+
+ /**
+ * The thread_id of main-thread.
+ */
+ pthread_t main_thread_id;
+};
+
+/**
+ * One and only instance of the daemon.
+ */
+daemon_t *charon;
+
+/**
+ * hook in library for debugging messages
+ */
+extern void (*dbg) (int level, char *fmt, ...);
+
+/**
+ * Logging hook for library logs, spreads debug message over bus
+ */
+static void dbg_bus(int level, char *fmt, ...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ charon->bus->vsignal(charon->bus, DBG_LIB, level, fmt, args);
+ va_end(args);
+}
+
+/**
+ * Logging hook for library logs, using stderr output
+ */
+static void dbg_stderr(int level, char *fmt, ...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ fprintf(stderr, "00[LIB] ");
+ vfprintf(stderr, fmt, args);
+ fprintf(stderr, "\n");
+ va_end(args);
+}
+
+/**
+ * Run the daemon and handle unix signals
+ */
+static void run(private_daemon_t *this)
+{
+ /* reselect signals for this thread */
+ sigemptyset(&(this->signal_set));
+ sigaddset(&(this->signal_set), SIGINT);
+ sigaddset(&(this->signal_set), SIGHUP);
+ sigaddset(&(this->signal_set), SIGTERM);
+ pthread_sigmask(SIG_BLOCK, &(this->signal_set), 0);
+
+ while(TRUE)
+ {
+ int signal_number;
+ int error;
+
+ error = sigwait(&(this->signal_set), &signal_number);
+ if(error)
+ {
+ DBG1(DBG_DMN, "error %d while waiting for a signal", error);
+ return;
+ }
+ switch (signal_number)
+ {
+ case SIGHUP:
+ {
+ DBG1(DBG_DMN, "signal of type SIGHUP received. Ignored");
+ break;
+ }
+ case SIGINT:
+ {
+ DBG1(DBG_DMN, "signal of type SIGINT received. Shutting down");
+ return;
+ }
+ case SIGTERM:
+ DBG1(DBG_DMN, "signal of type SIGTERM received. Shutting down");
+ return;
+ default:
+ {
+ DBG1(DBG_DMN, "unknown signal %d received. Ignored", signal_number);
+ break;
+ }
+ }
+ }
+}
+
+/**
+ * Clean up all daemon resources
+ */
+static void destroy(private_daemon_t *this)
+{
+ /* destruction is a non trivial task, we need to follow
+ * a strict order to prevent threading issues!
+ * Kill active threads first, except the sender, as
+ * the killed IKE_SA want to send delete messages.
+ */
+ /* we don't want to receive anything anymore... */
+ DESTROY_IF(this->public.receiver);
+ /* ignore all incoming user requests */
+ DESTROY_IF(this->public.stroke);
+ /* stop scheduing jobs */
+ DESTROY_IF(this->public.scheduler);
+ /* stop processing jobs */
+ DESTROY_IF(this->public.thread_pool);
+ /* shut down manager with all IKE SAs */
+ DESTROY_IF(this->public.ike_sa_manager);
+ /* all child SAs should be down now, so kill kernel interface */
+ DESTROY_IF(this->public.kernel_interface);
+ /* destroy other infrastructure */
+ DESTROY_IF(this->public.job_queue);
+ DESTROY_IF(this->public.event_queue);
+ DESTROY_IF(this->public.configuration);
+ DESTROY_IF(this->public.credentials);
+ DESTROY_IF(this->public.connections);
+ DESTROY_IF(this->public.policies);
+ sched_yield();
+ /* we hope the sender could send the outstanding deletes, but
+ * we shut down here at any cost */
+ DESTROY_IF(this->public.sender);
+ DESTROY_IF(this->public.socket);
+ /* before destroying bus with its listeners, rehook library logs */
+ dbg = dbg_stderr;
+ DESTROY_IF(this->public.bus);
+ DESTROY_IF(this->public.outlog);
+ DESTROY_IF(this->public.syslog);
+ DESTROY_IF(this->public.authlog);
+ free(this);
+}
+
+/**
+ * Enforce daemon shutdown, with a given reason to do so.
+ */
+static void kill_daemon(private_daemon_t *this, char *reason)
+{
+ /* we send SIGTERM, so the daemon can cleanly shut down */
+ DBG1(DBG_DMN, "killing daemon: %s", reason);
+ if (this->main_thread_id == pthread_self())
+ {
+ /* initialization failed, terminate daemon */
+ destroy(this);
+ unlink(PID_FILE);
+ exit(-1);
+ }
+ else
+ {
+ DBG1(DBG_DMN, "sending SIGTERM to ourself");
+ raise(SIGTERM);
+ /* thread must die, since he produced a ciritcal failure and can't continue */
+ pthread_exit(NULL);
+ }
+}
+
+/**
+ * Initialize the daemon, optional with a strict crl policy
+ */
+static void initialize(private_daemon_t *this, bool strict, bool syslog,
+ level_t levels[])
+{
+ credential_store_t* credentials;
+ signal_t signal;
+
+ /* for uncritical pseudo random numbers */
+ srandom(time(NULL) + getpid());
+
+ /* setup bus and it's listeners first to enable log output */
+ this->public.bus = bus_create();
+ this->public.outlog = file_logger_create(stdout);
+ this->public.syslog = sys_logger_create(LOG_DAEMON);
+ this->public.authlog = sys_logger_create(LOG_AUTHPRIV);
+ this->public.bus->add_listener(this->public.bus, &this->public.syslog->listener);
+ this->public.bus->add_listener(this->public.bus, &this->public.outlog->listener);
+ this->public.bus->add_listener(this->public.bus, &this->public.authlog->listener);
+ this->public.authlog->set_level(this->public.authlog, SIG_ANY, LEVEL_AUDIT);
+ /* set up hook to log dbg message in library via charons message bus */
+ dbg = dbg_bus;
+
+ /* apply loglevels */
+ for (signal = 0; signal < DBG_MAX; signal++)
+ {
+ if (syslog)
+ {
+ this->public.syslog->set_level(this->public.syslog,
+ signal, levels[signal]);
+ }
+ else
+ {
+ this->public.outlog->set_level(this->public.outlog,
+ signal, levels[signal]);
+ }
+ }
+
+ DBG1(DBG_DMN, "starting charon (strongSwan Version %s)", VERSION);
+
+ this->public.configuration = configuration_create();
+ this->public.socket = socket_create(IKEV2_UDP_PORT, IKEV2_NATT_PORT);
+ this->public.ike_sa_manager = ike_sa_manager_create();
+ this->public.job_queue = job_queue_create();
+ this->public.event_queue = event_queue_create();
+ this->public.connections = (connection_store_t*)local_connection_store_create();
+ this->public.policies = (policy_store_t*)local_policy_store_create();
+ this->public.credentials = (credential_store_t*)local_credential_store_create(strict);
+
+ /* initialize fetcher_t class */
+ fetcher_initialize();
+
+ /* load secrets, ca certificates and crls */
+ credentials = this->public.credentials;
+ credentials->load_ca_certificates(credentials);
+ credentials->load_ocsp_certificates(credentials);
+ credentials->load_crls(credentials);
+ credentials->load_secrets(credentials);
+
+ /* start building threads, we are multi-threaded NOW */
+ this->public.stroke = stroke_create();
+ this->public.sender = sender_create();
+ this->public.receiver = receiver_create();
+ this->public.scheduler = scheduler_create();
+ this->public.kernel_interface = kernel_interface_create();
+ this->public.thread_pool = thread_pool_create(NUMBER_OF_WORKING_THREADS);
+}
+
+/**
+ * Handle SIGSEGV/SIGILL signals raised by threads
+ */
+void signal_handler(int signal)
+{
+#ifdef HAVE_BACKTRACE
+ void *array[20];
+ size_t size;
+ char **strings;
+ size_t i;
+
+ size = backtrace(array, 20);
+ strings = backtrace_symbols(array, size);
+
+ DBG1(DBG_DMN, "thread %u received %s. Dumping %d frames from stack:",
+ pthread_self(), signal == SIGSEGV ? "SIGSEGV" : "SIGILL", size);
+
+ for (i = 0; i < size; i++)
+ {
+ DBG1(DBG_DMN, " %s", strings[i]);
+ }
+ free (strings);
+#else /* !HAVE_BACKTRACE */
+ DBG1(DBG_DMN, "thread %u received %s",
+ pthread_self(), signal == SIGSEGV ? "SIGSEGV" : "SIGILL");
+#endif /* HAVE_BACKTRACE */
+ DBG1(DBG_DMN, "killing ourself hard after SIGSEGV");
+ raise(SIGKILL);
+}
+
+/**
+ * Create the daemon.
+ */
+private_daemon_t *daemon_create(void)
+{
+ private_daemon_t *this = malloc_thing(private_daemon_t);
+ struct sigaction action;
+
+ /* assign methods */
+ this->public.kill = (void (*) (daemon_t*,char*))kill_daemon;
+
+ /* NULL members for clean destruction */
+ this->public.socket = NULL;
+ this->public.ike_sa_manager = NULL;
+ this->public.job_queue = NULL;
+ this->public.event_queue = NULL;
+ this->public.configuration = NULL;
+ this->public.credentials = NULL;
+ this->public.connections = NULL;
+ this->public.policies = NULL;
+ this->public.sender= NULL;
+ this->public.receiver = NULL;
+ this->public.scheduler = NULL;
+ this->public.kernel_interface = NULL;
+ this->public.thread_pool = NULL;
+ this->public.stroke = NULL;
+ this->public.bus = NULL;
+ this->public.outlog = NULL;
+ this->public.syslog = NULL;
+ this->public.authlog = NULL;
+
+ this->main_thread_id = pthread_self();
+
+ /* setup signal handling for all threads */
+ sigemptyset(&(this->signal_set));
+ sigaddset(&(this->signal_set), SIGSEGV);
+ sigaddset(&(this->signal_set), SIGINT);
+ sigaddset(&(this->signal_set), SIGHUP);
+ sigaddset(&(this->signal_set), SIGTERM);
+ pthread_sigmask(SIG_BLOCK, &(this->signal_set), 0);
+
+ /* setup SIGSEGV handler for all threads */
+ action.sa_handler = signal_handler;
+ action.sa_mask = this->signal_set;
+ action.sa_flags = 0;
+ sigaction(SIGSEGV, &action, NULL);
+ sigaction(SIGILL, &action, NULL);
+ return this;
+}
+
+/**
+ * print command line usage and exit
+ */
+static void usage(const char *msg)
+{
+ if (msg != NULL && *msg != '\0')
+ {
+ fprintf(stderr, "%s\n", msg);
+ }
+ fprintf(stderr, "Usage: charon\n"
+ " [--help]\n"
+ " [--version]\n"
+ " [--strictcrlpolicy]\n"
+ " [--cachecrls]\n"
+ " [--crlcheckinterval <interval>]\n"
+ " [--eapdir <dir>]\n"
+ " [--use-syslog]\n"
+ " [--debug-<type> <level>]\n"
+ " <type>: log context type (dmn|mgr|ike|chd|job|cfg|knl|net|enc|lib)\n"
+ " <level>: log verbosity (-1 = silent, 0 = audit, 1 = control,\n"
+ " 2 = controlmore, 3 = raw, 4 = private)\n"
+ "\n"
+ );
+ exit(msg == NULL? 0 : 1);
+}
+
+/**
+ * Main function, manages the daemon.
+ */
+int main(int argc, char *argv[])
+{
+ u_int crl_check_interval = 0;
+ bool strict_crl_policy = FALSE;
+ bool cache_crls = FALSE;
+ bool use_syslog = FALSE;
+ char *eapdir = IPSEC_EAPDIR;
+
+ private_daemon_t *private_charon;
+ FILE *pid_file;
+ struct stat stb;
+ linked_list_t *list;
+ host_t *host;
+ level_t levels[DBG_MAX];
+ int signal;
+
+ /* use CTRL loglevel for default */
+ for (signal = 0; signal < DBG_MAX; signal++)
+ {
+ levels[signal] = LEVEL_CTRL;
+ }
+
+ /* handle arguments */
+ for (;;)
+ {
+ struct option long_opts[] = {
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, 'v' },
+ { "use-syslog", no_argument, NULL, 'l' },
+ { "strictcrlpolicy", no_argument, NULL, 'r' },
+ { "cachecrls", no_argument, NULL, 'C' },
+ { "crlcheckinterval", required_argument, NULL, 'x' },
+ { "eapdir", required_argument, NULL, 'e' },
+ /* TODO: handle "debug-all" */
+ { "debug-dmn", required_argument, &signal, DBG_DMN },
+ { "debug-mgr", required_argument, &signal, DBG_MGR },
+ { "debug-ike", required_argument, &signal, DBG_IKE },
+ { "debug-chd", required_argument, &signal, DBG_CHD },
+ { "debug-job", required_argument, &signal, DBG_JOB },
+ { "debug-cfg", required_argument, &signal, DBG_CFG },
+ { "debug-knl", required_argument, &signal, DBG_KNL },
+ { "debug-net", required_argument, &signal, DBG_NET },
+ { "debug-enc", required_argument, &signal, DBG_ENC },
+ { "debug-lib", required_argument, &signal, DBG_LIB },
+ { 0,0,0,0 }
+ };
+
+ int c = getopt_long(argc, argv, "", long_opts, NULL);
+ switch (c)
+ {
+ case EOF:
+ break;
+ case 'h':
+ usage(NULL);
+ break;
+ case 'v':
+ printf("Linux strongSwan %s\n", VERSION);
+ exit(0);
+ case 'l':
+ use_syslog = TRUE;
+ continue;
+ case 'r':
+ strict_crl_policy = TRUE;
+ continue;
+ case 'C':
+ cache_crls = TRUE;
+ continue;
+ case 'x':
+ crl_check_interval = atoi(optarg);
+ continue;
+ case 'e':
+ eapdir = optarg;
+ continue;
+ case 0:
+ /* option is in signal */
+ levels[signal] = atoi(optarg);
+ continue;
+ default:
+ usage("");
+ break;
+ }
+ break;
+ }
+
+ private_charon = daemon_create();
+ charon = (daemon_t*)private_charon;
+
+ /* initialize daemon */
+ initialize(private_charon, strict_crl_policy, use_syslog, levels);
+
+ /* load pluggable EAP modules */
+ eap_method_load(eapdir);
+
+ /* set cache_crls and crl_check_interval options */
+ ca_info_set_options(cache_crls, crl_check_interval);
+
+ /* check/setup PID file */
+ if (stat(PID_FILE, &stb) == 0)
+ {
+ DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)");
+ destroy(private_charon);
+ exit(-1);
+ }
+ pid_file = fopen(PID_FILE, "w");
+ if (pid_file)
+ {
+ fprintf(pid_file, "%d\n", getpid());
+ fclose(pid_file);
+ }
+
+ /* log socket info */
+ list = charon->kernel_interface->create_address_list(charon->kernel_interface);
+ DBG1(DBG_NET, "listening on %d addresses:", list->get_count(list));
+ while (list->remove_first(list, (void**)&host) == SUCCESS)
+ {
+ DBG1(DBG_NET, " %H", host);
+ host->destroy(host);
+ }
+ list->destroy(list);
+
+ /* run daemon */
+ run(private_charon);
+
+ eap_method_unload();
+ fetcher_finalize();
+ /* normal termination, cleanup and exit */
+ destroy(private_charon);
+ unlink(PID_FILE);
+
+ return 0;
+}
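Review bot: The PID-file setup in `main` checks with `stat(PID_FILE, &stb)` and then creates with `fopen(PID_FILE, "w")`, which leaves a window between the check and the create, opens and truncates whatever exists at that path by then (a symlink included), and silently ignores an `fopen` failure. Creating the file in a single step with `O_CREAT | O_EXCL` closes that window and refuses any pre-existing path; the version below needs `<fcntl.h>` and an `int pid_fd` local in `main`. The check also runs only after `initialize()` has created the socket and started the threads, so a second instance gets that far before it notices the first. Separately, `signal_handler` calls `backtrace_symbols()`, `DBG1()` and `free()`, none of which are async-signal-safe, and `daemon_create` adds SIGSEGV to the blocked mask before installing the handler, so whether the handler runs on a real fault looks platform-dependent and should be checked.

```c
	/* check/setup PID file: O_EXCL makes "exists?" and "create" one step */
	pid_fd = open(PID_FILE, O_WRONLY | O_CREAT | O_EXCL, 0644);
	if (pid_fd == -1 && errno == EEXIST)
	{
		DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)");
		destroy(private_charon);
		exit(-1);
	}
	pid_file = (pid_fd == -1) ? NULL : fdopen(pid_fd, "w");
	if (pid_file)
	{
		fprintf(pid_file, "%d\n", getpid());
		fclose(pid_file);
	}
	else
	{
		DBG1(DBG_DMN, "unable to write \""PID_FILE"\": %s", strerror(errno));
		if (pid_fd != -1)
		{
			close(pid_fd);
		}
	}
	/* … unchanged: log socket info, run(), cleanup … */
```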
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
new file mode 100644
index 000000000..420262474
--- /dev/null
+++ b/src/charon/daemon.h
@@ -0,0 +1,403 @@
+/**
+ * @file daemon.h
+ *
+ * @brief Interface of daemon_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef DAEMON_H_
+#define DAEMON_H_
+
+typedef struct daemon_t daemon_t;
+
+#include <credential_store.h>
+
+#include <threads/sender.h>
+#include <threads/receiver.h>
+#include <threads/scheduler.h>
+#include <threads/kernel_interface.h>
+#include <threads/thread_pool.h>
+#include <threads/stroke_interface.h>
+#include <network/socket.h>
+#include <bus/bus.h>
+#include <bus/listeners/file_logger.h>
+#include <bus/listeners/sys_logger.h>
+#include <sa/ike_sa_manager.h>
+#include <queues/job_queue.h>
+#include <queues/event_queue.h>
+#include <config/configuration.h>
+#include <config/connections/connection_store.h>
+#include <config/policies/policy_store.h>
+
+/**
+ * @defgroup charon charon
+ *
+ * @brief IKEv2 keying daemon.
+ *
+ * @section Architecture
+ *
+ * All IKEv2 stuff is handled in charon. It uses a newer and more flexible
+ * architecture than pluto. Charon uses a thread-pool, which allows parallel
+ * execution SA-management. Beside the thread-pool, there are some special purpose
+ * threads which do their job for the common health of the daemon.
+ @verbatim
+ +------+
+ | E Q |
+ | v u |---+ +------+ +------+
+ | e e | | | | | IKE- |
+ | n u | +-----------+ | |--| SA |
+ | t e | | | | I M | +------+
+ +------------+ | - | | Scheduler | | K a |
+ | receiver | +------+ | | | E n | +------+
+ +----+-------+ +-----------+ | - a | | IKE- |
+ | | +------+ | | S g |--| SA |
+ +-------+--+ +-----| J Q |---+ +------------+ | A e | +------+
+ -| socket | | o u | | | | - r |
+ +-------+--+ | b e | | Thread- | | |
+ | | - u | | Pool | | |
+ +----+-------+ | e |------| |---| |
+ | sender | +------+ +------------+ +------+
+ +------------+
+
+ @endverbatim
+ * The thread-pool is the heart of the architecture. It processes jobs from a
+ * (fully synchronized) job-queue. Mostly, a job is associated with a specific
+ * IKE SA. These IKE SAs are synchronized, only one thread can work one an IKE SA.
+ * This makes it unnecesary to use further synchronisation methods once a IKE SA
+ * is checked out. The (rather complex) synchronization of IKE SAs is completely
+ * done in the IKE SA manager.
+ * The sceduler is responsible for event firing. It waits until a event in the
+ * (fully synchronized) event-queue is ready for processing and pushes the event
+ * down to the job-queue. A thread form the pool will pick it up as quick as
+ * possible. Every thread can queue events or jobs. Furter, an event can place a
+ * packet in the sender. The sender thread waits for those packets and sends
+ * them over the wire, via the socket. The receiver does exactly the opposite of
+ * the sender. It waits on the socket, reads in packets an places them on the
+ * job-queue for further processing by a thread from the pool.
+ * There are even more threads, not drawn in the upper scheme. The stroke thread
+ * is responsible for reading and processessing commands from another process. The
+ * kernel interface thread handles communication from and to the kernel via a
+ * netlink socket. It waits for kernel events and processes them appropriately.
+ */
+
+/**
+ * @defgroup config config
+ *
+ * Classes implementing configuration related things.
+ *
+ * @ingroup charon
+ */
+
+/**
+ * @defgroup encoding encoding
+ *
+ * Classes used to encode and decode IKEv2 messages.
+ *
+ * @ingroup charon
+ */
+
+ /**
+ * @defgroup payloads payloads
+ *
+ * Classes representing specific IKEv2 payloads.
+ *
+ * @ingroup encoding
+ */
+
+/**
+ * @defgroup network network
+ *
+ * Classes for network relevant stuff.
+ *
+ * @ingroup charon
+ */
+
+/**
+ * @defgroup queues queues
+ *
+ * Different kind of queues
+ * (thread save lists).
+ *
+ * @ingroup charon
+ */
+
+/**
+ * @defgroup jobs jobs
+ *
+ * Jobs used in job queue and event queue.
+ *
+ * @ingroup queues
+ */
+
+/**
+ * @defgroup sa sa
+ *
+ * Security associations for IKE and IPSec,
+ * and some helper classes.
+ *
+ * @ingroup charon
+ */
+
+/**
+ * @defgroup tasks tasks
+ *
+ * Tasks process and build message payloads. They are used to create
+ * and process multiple exchanges.
+ *
+ * @ingroup sa
+ */
+
+/**
+ * @defgroup authenticators authenticators
+ *
+ * Authenticator classes to prove identity of peer.
+ *
+ * @ingroup sa
+ */
+
+/**
+ * @defgroup eap eap
+ *
+ * EAP authentication module interface and it's implementations.
+ *
+ * @ingroup authenticators
+ */
+
+/**
+ * @defgroup threads threads
+ *
+ * Threaded classes, which will do their job alone.
+ *
+ * @ingroup charon
+ */
+
+/**
+ * @defgroup bus bus
+ *
+ * Signaling bus and its listeners.
+ *
+ * @ingroup charon
+ */
+
+/**
+ * Name of the daemon.
+ *
+ * @ingroup charon
+ */
+#define DAEMON_NAME "charon"
+
+/**
+ * @brief Number of threads in the thread pool.
+ *
+ * There are several other threads, this defines
+ * only the number of threads in thread_pool_t.
+ *
+ * @ingroup charon
+ */
+#define NUMBER_OF_WORKING_THREADS 4
+
+/**
+ * UDP Port on which the daemon will listen for incoming traffic.
+ *
+ * @ingroup charon
+ */
+#define IKEV2_UDP_PORT 500
+
+/**
+ * UDP Port to which the daemon will float to if NAT is detected.
+ *
+ * @ingroup charon
+ */
+#define IKEV2_NATT_PORT 4500
+
+/**
+ * PID file, in which charon stores its process id
+ *
+ * @ingroup charon
+ */
+#define PID_FILE IPSEC_PIDDIR "/charon.pid"
+
+/**
+ * Configuration directory
+ *
+ * @ingroup charon
+ */
+#define CONFIG_DIR IPSEC_CONFDIR
+
+/**
+ * Directory of IPsec relevant files
+ *
+ * @ingroup charon
+ */
+#define IPSEC_D_DIR CONFIG_DIR "/ipsec.d"
+
+/**
+ * Default directory for private keys
+ *
+ * @ingroup charon
+ */
+#define PRIVATE_KEY_DIR IPSEC_D_DIR "/private"
+
+/**
+ * Default directory for end entity certificates
+ *
+ * @ingroup charon
+ */
+#define CERTIFICATE_DIR IPSEC_D_DIR "/certs"
+
+/**
+ * Default directory for trusted CA certificates
+ *
+ * @ingroup charon
+ */
+#define CA_CERTIFICATE_DIR IPSEC_D_DIR "/cacerts"
+
+/**
+ * Default directory for OCSP signing certificates
+ *
+ * @ingroup charon
+ */
+#define OCSP_CERTIFICATE_DIR IPSEC_D_DIR "/ocspcerts"
+
+/**
+ * Default directory for CRLs
+ *
+ * @ingroup charon
+ */
+#define CRL_DIR IPSEC_D_DIR "/crls"
+
+/**
+ * Secrets files
+ *
+ * @ingroup charon
+ */
+#define SECRETS_FILE CONFIG_DIR "/ipsec.secrets"
+
+/**
+ * @brief Main class of daemon, contains some globals.
+ *
+ * @ingroup charon
+ */
+struct daemon_t {
+ /**
+ * A socket_t instance.
+ */
+ socket_t *socket;
+
+ /**
+ * A job_queue_t instance.
+ */
+ job_queue_t *job_queue;
+
+ /**
+ * A event_queue_t instance.
+ */
+ event_queue_t *event_queue;
+
+ /**
+ * A ike_sa_manager_t instance.
+ */
+ ike_sa_manager_t *ike_sa_manager;
+
+ /**
+ * A configuration_t instance.
+ */
+ configuration_t *configuration;
+
+ /**
+ * A connection_store_t instance.
+ */
+ connection_store_t *connections;
+
+ /**
+ * A policy_store_t instance.
+ */
+ policy_store_t *policies;
+
+ /**
+ * A credential_store_t instance.
+ */
+ credential_store_t *credentials;
+
+ /**
+ * The Sender-Thread.
+ */
+ sender_t *sender;
+
+ /**
+ * The Receiver-Thread.
+ */
+ receiver_t *receiver;
+
+ /**
+ * The Scheduler-Thread.
+ */
+ scheduler_t *scheduler;
+
+ /**
+ * The Thread pool managing the worker threads.
+ */
+ thread_pool_t *thread_pool;
+
+ /**
+ * The signaling bus.
+ */
+ bus_t *bus;
+
+ /**
+ * A bus listener logging to stdout
+ */
+ file_logger_t *outlog;
+
+ /**
+ * A bus listener logging to syslog
+ */
+ sys_logger_t *syslog;
+
+ /**
+ * A bus listener logging most important events
+ */
+ sys_logger_t *authlog;
+
+ /**
+ * Kernel Interface to communicate with kernel
+ */
+ kernel_interface_t *kernel_interface;
+
+ /**
+ * IPC interface, as whack in pluto
+ */
+ stroke_t *stroke;
+
+ /**
+ * @brief Shut down the daemon.
+ *
+ * @param this the daemon to kill
+ * @param reason describtion why it will be killed
+ */
+ void (*kill) (daemon_t *this, char *reason);
+};
+
+/**
+ * The one and only instance of the daemon.
+ */
+extern daemon_t *charon;
+
+#endif /*DAEMON_H_*/
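Review bot: The comment on `kill` in `daemon_t` does not say that the call never returns, which a caller needs to know before invoking it while holding a lock or a checked-out object. In the `kill_daemon` implementation this commit adds to daemon.c, the main thread destroys the daemon and calls `exit(-1)`, while any other thread raises SIGTERM and calls `pthread_exit(NULL)`. I would add to the doc comment: `Does not return: the main thread exits the process, any other thread raises SIGTERM and terminates itself.` The `@param reason` text also has a typo, `describtion` for `description`.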
diff --git a/src/charon/encoding/generator.c b/src/charon/encoding/generator.c
new file mode 100644
index 000000000..efa845bb3
--- /dev/null
+++ b/src/charon/encoding/generator.c
@@ -0,0 +1,1063 @@
+/**
+ * @file generator.c
+ *
+ * @brief Implementation of generator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+
+
+#include "generator.h"
+
+#include <library.h>
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/proposal_substructure.h>
+#include <encoding/payloads/transform_substructure.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/notify_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/certreq_payload.h>
+#include <encoding/payloads/ts_payload.h>
+#include <encoding/payloads/delete_payload.h>
+#include <encoding/payloads/vendor_id_payload.h>
+#include <encoding/payloads/cp_payload.h>
+#include <encoding/payloads/configuration_attribute.h>
+#include <encoding/payloads/eap_payload.h>
+
+
+typedef struct private_generator_t private_generator_t;
+
+/**
+ * Private part of a generator_t object.
+ */
+struct private_generator_t {
+ /**
+ * Public part of a generator_t object.
+ */
+ generator_t public;
+
+ /**
+ * Generates a U_INT-Field type and writes it to buffer.
+ *
+ * @param this private_generator_t object
+ * @param int_type type of U_INT field (U_INT_4, U_INT_8, etc.)
+ * ATTRIBUTE_TYPE is also generated in this function
+ * @param offset offset of value in data struct
+ * @param generator_contexts generator_contexts_t object where the context is written or read from
+ * @return
+ * - SUCCESS
+ * - FAILED if allignment is wrong
+ */
+ void (*generate_u_int_type) (private_generator_t *this,encoding_type_t int_type,u_int32_t offset);
+
+ /**
+ * Get size of current buffer in bytes.
+ *
+ * @param this private_generator_t object
+ * @return Size of buffer in bytes
+ */
+ size_t (*get_current_buffer_size) (private_generator_t *this);
+
+ /**
+ * Get free space of current buffer in bytes.
+ *
+ * @param this private_generator_t object
+ * @return space in buffer in bytes
+ */
+ size_t (*get_current_buffer_space) (private_generator_t *this);
+
+ /**
+ * Get length of data in buffer (in bytes).
+ *
+ * @param this private_generator_t object
+ * @return length of data in bytes
+ */
+ size_t (*get_current_data_length) (private_generator_t *this);
+
+ /**
+ * Get current offset in buffer (in bytes).
+ *
+ * @param this private_generator_t object
+ * @return offset in bytes
+ */
+ u_int32_t (*get_current_buffer_offset) (private_generator_t *this);
+
+ /**
+ * Generates a RESERVED BIT field or a RESERVED BYTE field and writes
+ * it to the buffer.
+ *
+ * @param this private_generator_t object
+ * @param generator_contexts generator_contexts_t object where the context is written or read from
+ * @param bits number of bits to generate
+ */
+ void (*generate_reserved_field) (private_generator_t *this,int bits);
+
+ /**
+ * Generates a FLAG field.
+ *
+ * @param this private_generator_t object
+ * @param generator_contexts generator_contexts_t object where the context is written or read from
+ * @param offset offset of flag value in data struct
+ */
+ void (*generate_flag) (private_generator_t *this,u_int32_t offset);
+
+ /**
+ * Writes the current buffer content into a chunk_t.
+ *
+ * Memory of specific chunk_t gets allocated.
+ *
+ * @param this calling private_generator_t object
+ * @param data pointer of chunk_t to write to
+ */
+ void (*write_chunk) (private_generator_t *this,chunk_t *data);
+
+ /**
+ * Generates a bytestream from a chunk_t.
+ *
+ * @param this private_generator_t object
+ * @param offset offset of chunk_t value in data struct
+ */
+ void (*generate_from_chunk) (private_generator_t *this,u_int32_t offset);
+
+ /**
+ * Makes sure enough space is available in buffer to store amount of bits.
+ *
+ * If buffer is to small to hold the specific amount of bits it
+ * is increased using reallocation function of allocator.
+ *
+ * @param this calling private_generator_t object
+ * @param bits number of bits to make available in buffer
+ */
+ void (*make_space_available) (private_generator_t *this,size_t bits);
+
+ /**
+ * Writes a specific amount of byte into the buffer.
+ *
+ * If buffer is to small to hold the specific amount of bytes it
+ * is increased.
+ *
+ * @param this calling private_generator_t object
+ * @param bytes pointer to bytes to write
+ * @param number_of_bytes number of bytes to write into buffer
+ */
+ void (*write_bytes_to_buffer) (private_generator_t *this,void * bytes,size_t number_of_bytes);
+
+
+ /**
+ * Writes a specific amount of byte into the buffer at a specific offset.
+ *
+ * @warning buffer size is not check to hold the data if offset is to large.
+ *
+ * @param this calling private_generator_t object
+ * @param bytes pointer to bytes to write
+ * @param number_of_bytes number of bytes to write into buffer
+ * @param offset offset to write the data into
+ */
+ void (*write_bytes_to_buffer_at_offset) (private_generator_t *this,void * bytes,size_t number_of_bytes,u_int32_t offset);
+
+ /**
+ * Buffer used to generate the data into.
+ */
+ u_int8_t *buffer;
+
+ /**
+ * Current write position in buffer (one byte aligned).
+ */
+ u_int8_t *out_position;
+
+ /**
+ * Position of last byte in buffer.
+ */
+ u_int8_t *roof_position;
+
+ /**
+ * Current bit writing to in current byte (between 0 and 7).
+ */
+ size_t current_bit;
+
+ /**
+ * Associated data struct to read informations from.
+ */
+ void * data_struct;
+
+ /*
+ * Last payload length position offset in the buffer.
+ */
+ u_int32_t last_payload_length_position_offset;
+
+ /**
+ * Offset of the header length field in the buffer.
+ */
+ u_int32_t header_length_position_offset;
+
+ /**
+ * Last SPI size.
+ */
+ u_int8_t last_spi_size;
+
+ /**
+ * Attribute format of the last generated transform attribute.
+ *
+ * Used to check if a variable value field is used or not for
+ * the transform attribute value.
+ */
+ bool attribute_format;
+
+ /**
+ * Depending on the value of attribute_format this field is used
+ * to hold the length of the transform attribute in bytes.
+ */
+ u_int16_t attribute_length;
+};
+
+/**
+ * Implementation of private_generator_t.get_current_buffer_size.
+ */
+static size_t get_current_buffer_size (private_generator_t *this)
+{
+ return ((this->roof_position) - (this->buffer));
+}
+
+/**
+ * Implementation of private_generator_t.get_current_buffer_space.
+ */
+static size_t get_current_buffer_space (private_generator_t *this)
+{
+ /* we know, one byte more */
+ size_t space = (this->roof_position) - (this->out_position);
+ return (space);
+}
+
+/**
+ * Implementation of private_generator_t.get_current_data_length.
+ */
+static size_t get_current_data_length (private_generator_t *this)
+{
+ return (this->out_position - this->buffer);
+}
+
+/**
+ * Implementation of private_generator_t.get_current_buffer_offset.
+ */
+static u_int32_t get_current_buffer_offset (private_generator_t *this)
+{
+ return (this->out_position - this->buffer);
+}
+
+/**
+ * Implementation of private_generator_t.generate_u_int_type.
+ */
+static void generate_u_int_type (private_generator_t *this,encoding_type_t int_type,u_int32_t offset)
+{
+ size_t number_of_bits = 0;
+
+ /* find out number of bits of each U_INT type to check for enough space
+ in buffer */
+ switch (int_type)
+ {
+ case U_INT_4:
+ number_of_bits = 4;
+ break;
+ case TS_TYPE:
+ case U_INT_8:
+ number_of_bits = 8;
+ break;
+ case U_INT_16:
+ case CONFIGURATION_ATTRIBUTE_LENGTH:
+ number_of_bits = 16;
+ break;
+ case U_INT_32:
+ number_of_bits = 32;
+ break;
+ case U_INT_64:
+ number_of_bits = 64;
+ break;
+ case ATTRIBUTE_TYPE:
+ number_of_bits = 15;
+ break;
+ case IKE_SPI:
+ number_of_bits = 64;
+ break;
+
+ default:
+ DBG1(DBG_ENC, "U_INT Type %N is not supported",
+ encoding_type_names, int_type);
+
+ return;
+ }
+ /* U_INT Types of multiple then 8 bits must be aligned */
+ if (((number_of_bits % 8) == 0) && (this->current_bit != 0))
+ {
+ DBG1(DBG_ENC, "U_INT Type %N is not 8 Bit aligned",
+ encoding_type_names, int_type);
+ /* current bit has to be zero for values multiple of 8 bits */
+ return;
+ }
+
+ /* make sure enough space is available in buffer */
+ this->make_space_available(this,number_of_bits);
+ /* now handle each u int type differently */
+ switch (int_type)
+ {
+ case U_INT_4:
+ {
+ if (this->current_bit == 0)
+ {
+ /* highval of current byte in buffer has to be set to the new value*/
+ u_int8_t high_val = *((u_int8_t *)(this->data_struct + offset)) << 4;
+ /* lowval in buffer is not changed */
+ u_int8_t low_val = *(this->out_position) & 0x0F;
+ /* highval is set, low_val is not changed */
+ *(this->out_position) = high_val | low_val;
+ DBG3(DBG_ENC, " => %d", *(this->out_position));
+ /* write position is not changed, just bit position is moved */
+ this->current_bit = 4;
+ }
+ else if (this->current_bit == 4)
+ {
+ /* highval in buffer is not changed */
+ u_int high_val = *(this->out_position) & 0xF0;
+ /* lowval of current byte in buffer has to be set to the new value*/
+ u_int low_val = *((u_int8_t *)(this->data_struct + offset)) & 0x0F;
+ *(this->out_position) = high_val | low_val;
+ DBG3(DBG_ENC, " => %d", *(this->out_position));
+ this->out_position++;
+ this->current_bit = 0;
+
+ }
+ else
+ {
+ DBG1(DBG_ENC, "U_INT_4 Type is not 4 Bit aligned");
+ /* 4 Bit integers must have a 4 bit alignment */
+ return;
+ };
+ break;
+ }
+ case TS_TYPE:
+ case U_INT_8:
+ {
+ /* 8 bit values are written as they are */
+ *this->out_position = *((u_int8_t *)(this->data_struct + offset));
+ DBG3(DBG_ENC, " => %d", *(this->out_position));
+ this->out_position++;
+ break;
+
+ }
+ case ATTRIBUTE_TYPE:
+ {
+ /* attribute type must not change first bit uf current byte ! */
+ if (this->current_bit != 1)
+ {
+ DBG1(DBG_ENC, "ATTRIBUTE FORMAT flag is not set");
+ /* first bit has to be set! */
+ return;
+ }
+ /* get value of attribute format flag */
+ u_int8_t attribute_format_flag = *(this->out_position) & 0x80;
+ /* get attribute type value as 16 bit integer*/
+ u_int16_t int16_val = *((u_int16_t*)(this->data_struct + offset));
+ /* unset most significant bit */
+ int16_val &= 0x7FFF;
+ if (attribute_format_flag)
+ {
+ int16_val |= 0x8000;
+ }
+ int16_val = htons(int16_val);
+ DBG3(DBG_ENC, " => %d", int16_val);
+ /* write bytes to buffer (set bit is overwritten)*/
+ this->write_bytes_to_buffer(this,&int16_val,sizeof(u_int16_t));
+ this->current_bit = 0;
+ break;
+
+ }
+ case U_INT_16:
+ case CONFIGURATION_ATTRIBUTE_LENGTH:
+ {
+ u_int16_t int16_val = htons(*((u_int16_t*)(this->data_struct + offset)));
+ DBG3(DBG_ENC, " => %b", (void*)&int16_val, sizeof(int16_val));
+ this->write_bytes_to_buffer(this,&int16_val,sizeof(u_int16_t));
+ break;
+ }
+ case U_INT_32:
+ {
+ u_int32_t int32_val = htonl(*((u_int32_t*)(this->data_struct + offset)));
+ DBG3(DBG_ENC, " => %b", (void*)&int32_val, sizeof(int32_val));
+ this->write_bytes_to_buffer(this,&int32_val,sizeof(u_int32_t));
+ break;
+ }
+ case U_INT_64:
+ {
+ /* 64 bit integers are written as two 32 bit integers */
+ u_int32_t int32_val_low = htonl(*((u_int32_t*)(this->data_struct + offset)));
+ u_int32_t int32_val_high = htonl(*((u_int32_t*)(this->data_struct + offset) + 1));
+ DBG3(DBG_ENC, " => %b %b",
+ (void*)&int32_val_low, sizeof(int32_val_low),
+ (void*)&int32_val_high, sizeof(int32_val_high));
+ /* TODO add support for big endian machines */
+ this->write_bytes_to_buffer(this,&int32_val_high,sizeof(u_int32_t));
+ this->write_bytes_to_buffer(this,&int32_val_low,sizeof(u_int32_t));
+ break;
+ }
+
+ case IKE_SPI:
+ {
+ /* 64 bit are written as they come :-) */
+ this->write_bytes_to_buffer(this,(this->data_struct + offset),sizeof(u_int64_t));
+ DBG3(DBG_ENC, " => %b", (void*)(this->data_struct + offset), sizeof(u_int64_t));
+ break;
+ }
+ default:
+ {
+ DBG1(DBG_ENC, "U_INT Type %N is not supported",
+ encoding_type_names, int_type);
+ return;
+ }
+ }
+}
+
+/**
+ * Implementation of private_generator_t.generate_reserved_field.
+ */
+static void generate_reserved_field(private_generator_t *this,int bits)
+{
+ /* only one bit or 8 bit fields are supported */
+ if ((bits != 1) && (bits != 8))
+ {
+ DBG1(DBG_ENC, "reserved field of %d bits cannot be generated", bits);
+ return ;
+ }
+ /* make sure enough space is available in buffer */
+ this->make_space_available(this,bits);
+
+ if (bits == 1)
+ {
+ /* one bit processing */
+ u_int8_t reserved_bit = ~(1 << (7 - this->current_bit));
+ *(this->out_position) = *(this->out_position) & reserved_bit;
+ if (this->current_bit == 0)
+ {
+ /* memory must be zero */
+ *(this->out_position) = 0x00;
+ }
+
+
+ this->current_bit++;
+ if (this->current_bit >= 8)
+ {
+ this->current_bit = this->current_bit % 8;
+ this->out_position++;
+ }
+ }
+ else
+ {
+ /* one byte processing*/
+ if (this->current_bit > 0)
+ {
+ DBG1(DBG_ENC, "reserved field cannot be written cause "
+ "alignement of current bit is %d", this->current_bit);
+ return;
+ }
+ *(this->out_position) = 0x00;
+ this->out_position++;
+ }
+}
+
+/**
+ * Implementation of private_generator_t.generate_flag.
+ */
+static void generate_flag (private_generator_t *this,u_int32_t offset)
+{
+ /* value of current flag */
+ u_int8_t flag_value;
+ /* position of flag in current byte */
+ u_int8_t flag;
+
+ /* if the value in the data_struct is TRUE, flag_value is set to 1, 0 otherwise */
+ flag_value = (*((bool *) (this->data_struct + offset))) ? 1 : 0;
+ /* get flag position */
+ flag = (flag_value << (7 - this->current_bit));
+
+ /* make sure one bit is available in buffer */
+ this->make_space_available(this,1);
+ if (this->current_bit == 0)
+ {
+ /* memory must be zero */
+ *(this->out_position) = 0x00;
+ }
+
+ *(this->out_position) = *(this->out_position) | flag;
+
+
+ DBG3(DBG_ENC, " => %d", *(this->out_position));
+
+ this->current_bit++;
+ if (this->current_bit >= 8)
+ {
+ this->current_bit = this->current_bit % 8;
+ this->out_position++;
+ }
+}
+
+/**
+ * Implementation of private_generator_t.generate_from_chunk.
+ */
+static void generate_from_chunk (private_generator_t *this,u_int32_t offset)
+{
+ if (this->current_bit != 0)
+ {
+ DBG1(DBG_ENC, "can not generate a chunk at Bitpos %d", this->current_bit);
+ return ;
+ }
+
+ /* position in buffer */
+ chunk_t *attribute_value = (chunk_t *)(this->data_struct + offset);
+
+ DBG3(DBG_ENC, " => %B", attribute_value);
+
+ /* use write_bytes_to_buffer function to do the job */
+ this->write_bytes_to_buffer(this,attribute_value->ptr,attribute_value->len);
+}
+
+/**
+ * Implementation of private_generator_t.make_space_available.
+ */
+static void make_space_available (private_generator_t *this, size_t bits)
+{
+ while (((this->get_current_buffer_space(this) * 8) - this->current_bit) < bits)
+ {
+ /* must increase buffer */
+ size_t old_buffer_size = this->get_current_buffer_size(this);
+ size_t new_buffer_size = old_buffer_size + GENERATOR_DATA_BUFFER_INCREASE_VALUE;
+ size_t out_position_offset = ((this->out_position) - (this->buffer));
+
+ DBG2(DBG_ENC, "increased gen buffer from %d to %d byte",
+ old_buffer_size, new_buffer_size);
+
+ /* Reallocate space for new buffer */
+ this->buffer = realloc(this->buffer,new_buffer_size);
+
+ this->out_position = (this->buffer + out_position_offset);
+ this->roof_position = (this->buffer + new_buffer_size);
+ }
+}
+
+/**
+ * Implementation of private_generator_t.write_bytes_to_buffer.
+ */
+static void write_bytes_to_buffer (private_generator_t *this,void * bytes, size_t number_of_bytes)
+{
+ int i;
+ u_int8_t *read_position = (u_int8_t *) bytes;
+
+ this->make_space_available(this,number_of_bytes * 8);
+
+ for (i = 0; i < number_of_bytes; i++)
+ {
+ *(this->out_position) = *(read_position);
+ read_position++;
+ this->out_position++;
+ }
+}
+
+/**
+ * Implementation of private_generator_t.write_bytes_to_buffer_at_offset.
+ */
+static void write_bytes_to_buffer_at_offset (private_generator_t *this,void * bytes,size_t number_of_bytes,u_int32_t offset)
+{
+ int i;
+ u_int8_t *read_position = (u_int8_t *) bytes;
+ u_int8_t *write_position;
+ u_int32_t free_space_after_offset = (this->get_current_buffer_size(this) - offset);
+
+ /* check first if enough space for new data is available */
+ if (number_of_bytes > free_space_after_offset)
+ {
+ this->make_space_available(this,(number_of_bytes - free_space_after_offset) * 8);
+ }
+
+ write_position = this->buffer + offset;
+ for (i = 0; i < number_of_bytes; i++)
+ {
+ *(write_position) = *(read_position);
+ read_position++;
+ write_position++;
+ }
+}
+
+/**
+ * Implementation of private_generator_t.write_to_chunk.
+ */
+static void write_to_chunk (private_generator_t *this,chunk_t *data)
+{
+ size_t data_length = this->get_current_data_length(this);
+ u_int32_t header_length_field = data_length;
+
+ /* write length into header length field */
+ if (this->header_length_position_offset > 0)
+ {
+ u_int32_t int32_val = htonl(header_length_field);
+ this->write_bytes_to_buffer_at_offset(this,&int32_val,sizeof(u_int32_t),this->header_length_position_offset);
+ }
+
+ if (this->current_bit > 0)
+ data_length++;
+ data->ptr = malloc(data_length);
+ memcpy(data->ptr,this->buffer,data_length);
+ data->len = data_length;
+
+ DBG3(DBG_ENC, "generated data of this generator %B", data);
+}
+
+/**
+ * Implementation of private_generator_t.generate_payload.
+ */
+static void generate_payload (private_generator_t *this,payload_t *payload)
+{
+ int i;
+ this->data_struct = payload;
+ size_t rule_count;
+ encoding_rule_t *rules;
+ payload_type_t payload_type;
+ u_int8_t *payload_start;
+
+ /* get payload type */
+ payload_type = payload->get_type(payload);
+ /* spi size has to get reseted */
+ this->last_spi_size = 0;
+
+ payload_start = this->out_position;
+
+ DBG2(DBG_ENC, "generating payload of type %N",
+ payload_type_names, payload_type);
+
+ /* each payload has its own encoding rules */
+ payload->get_encoding_rules(payload,&rules,&rule_count);
+
+ for (i = 0; i < rule_count;i++)
+ {
+ DBG2(DBG_ENC, " generating rule %d %N",
+ i, encoding_type_names, rules[i].type);
+ switch (rules[i].type)
+ {
+ /* all u int values, IKE_SPI,TS_TYPE and ATTRIBUTE_TYPE are generated in generate_u_int_type */
+ case U_INT_4:
+ case U_INT_8:
+ case U_INT_16:
+ case U_INT_32:
+ case U_INT_64:
+ case IKE_SPI:
+ case TS_TYPE:
+ case ATTRIBUTE_TYPE:
+ case CONFIGURATION_ATTRIBUTE_LENGTH:
+ {
+ this->generate_u_int_type(this,rules[i].type,rules[i].offset);
+ break;
+ }
+ case RESERVED_BIT:
+ {
+ this->generate_reserved_field(this,1);
+ break;
+ }
+ case RESERVED_BYTE:
+ {
+ this->generate_reserved_field(this,8);
+ break;
+ }
+ case FLAG:
+ {
+ this->generate_flag(this,rules[i].offset);
+ break;
+ }
+ case PAYLOAD_LENGTH:
+ {
+ /* position of payload lenght field is temporary stored */
+ this->last_payload_length_position_offset = this->get_current_buffer_offset(this);
+ /* payload length is generated like an U_INT_16 */
+ this->generate_u_int_type(this,U_INT_16,rules[i].offset);
+ break;
+ }
+ case HEADER_LENGTH:
+ {
+ /* position of header length field is temporary stored */
+ this->header_length_position_offset = this->get_current_buffer_offset(this);
+ /* header length is generated like an U_INT_32 */
+ this->generate_u_int_type(this,U_INT_32,rules[i].offset);
+ break;
+ }
+ case SPI_SIZE:
+ /* spi size is handled as 8 bit unsigned integer */
+ this->generate_u_int_type(this,U_INT_8,rules[i].offset);
+ /* last spi size is temporary stored */
+ this->last_spi_size = *((u_int8_t *)(this->data_struct + rules[i].offset));
+ break;
+ case ADDRESS:
+ {
+ /* the Address value is generated from chunk */
+ this->generate_from_chunk(this,rules[i].offset);
+ break;
+ }
+ case SPI:
+ {
+ /* the SPI value is generated from chunk */
+ this->generate_from_chunk(this,rules[i].offset);
+ break;
+ }
+ case KEY_EXCHANGE_DATA:
+ case NOTIFICATION_DATA:
+ case NONCE_DATA:
+ case ID_DATA:
+ case AUTH_DATA:
+ case CERT_DATA:
+ case CERTREQ_DATA:
+ case SPIS:
+ case CONFIGURATION_ATTRIBUTE_VALUE:
+ case VID_DATA:
+ case EAP_DATA:
+ {
+ u_int32_t payload_length_position_offset;
+ u_int16_t length_of_payload;
+ u_int16_t header_length = 0;
+ u_int16_t length_in_network_order;
+
+ switch(rules[i].type)
+ {
+ case KEY_EXCHANGE_DATA:
+ header_length = KE_PAYLOAD_HEADER_LENGTH;
+ break;
+ case NOTIFICATION_DATA:
+ header_length = NOTIFY_PAYLOAD_HEADER_LENGTH + this->last_spi_size ;
+ break;
+ case NONCE_DATA:
+ header_length = NONCE_PAYLOAD_HEADER_LENGTH;
+ break;
+ case ID_DATA:
+ header_length = ID_PAYLOAD_HEADER_LENGTH;
+ break;
+ case AUTH_DATA:
+ header_length = AUTH_PAYLOAD_HEADER_LENGTH;
+ break;
+ case CERT_DATA:
+ header_length = CERT_PAYLOAD_HEADER_LENGTH;
+ break;
+ case CERTREQ_DATA:
+ header_length = CERTREQ_PAYLOAD_HEADER_LENGTH;
+ break;
+ case SPIS:
+ header_length = DELETE_PAYLOAD_HEADER_LENGTH;
+ break;
+ case VID_DATA:
+ header_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH;
+ break;
+ case CONFIGURATION_ATTRIBUTE_VALUE:
+ header_length = CONFIGURATION_ATTRIBUTE_HEADER_LENGTH;
+ break;
+ case EAP_DATA:
+ header_length = EAP_PAYLOAD_HEADER_LENGTH;
+ break;
+ default:
+ break;
+ }
+
+ /* the data value is generated from chunk */
+ this->generate_from_chunk(this,rules[i].offset);
+
+ payload_length_position_offset = this->last_payload_length_position_offset;
+
+
+ /* Length of payload is calculated */
+ length_of_payload = header_length + ((chunk_t *)(this->data_struct + rules[i].offset))->len;
+
+ length_in_network_order = htons(length_of_payload);
+ this->write_bytes_to_buffer_at_offset(this,&length_in_network_order,sizeof(u_int16_t),payload_length_position_offset);
+ break;
+ }
+ case PROPOSALS:
+ {
+ /* before iterative generate the transforms, store the current payload length position */
+ u_int32_t payload_length_position_offset = this->last_payload_length_position_offset;
+ /* Length of SA_PAYLOAD is calculated */
+ u_int16_t length_of_sa_payload = SA_PAYLOAD_HEADER_LENGTH;
+ u_int16_t int16_val;
+ /* proposals are stored in a linked list and so accessed */
+ linked_list_t *proposals = *((linked_list_t **)(this->data_struct + rules[i].offset));
+ iterator_t *iterator;
+ payload_t *current_proposal;
+
+ /* create forward iterator */
+ iterator = proposals->create_iterator(proposals,TRUE);
+ /* every proposal is processed (iterative call )*/
+ while (iterator->iterate(iterator, (void**)&current_proposal))
+ {
+ u_int32_t before_generate_position_offset;
+ u_int32_t after_generate_position_offset;
+
+ before_generate_position_offset = this->get_current_buffer_offset(this);
+ this->public.generate_payload(&(this->public),current_proposal);
+ after_generate_position_offset = this->get_current_buffer_offset(this);
+
+ /* increase size of transform */
+ length_of_sa_payload += (after_generate_position_offset - before_generate_position_offset);
+ }
+ iterator->destroy(iterator);
+
+ int16_val = htons(length_of_sa_payload);
+ this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset);
+ break;
+ }
+ case TRANSFORMS:
+ {
+ /* before iterative generate the transforms, store the current length position */
+ u_int32_t payload_length_position_offset = this->last_payload_length_position_offset;
+ u_int16_t length_of_proposal = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->last_spi_size;
+ u_int16_t int16_val;
+ linked_list_t *transforms = *((linked_list_t **)(this->data_struct + rules[i].offset));
+ iterator_t *iterator;
+ payload_t *current_transform;
+
+ /* create forward iterator */
+ iterator = transforms->create_iterator(transforms,TRUE);
+ while (iterator->iterate(iterator, (void**)&current_transform))
+ {
+ u_int32_t before_generate_position_offset;
+ u_int32_t after_generate_position_offset;
+
+ before_generate_position_offset = this->get_current_buffer_offset(this);
+ this->public.generate_payload(&(this->public),current_transform);
+ after_generate_position_offset = this->get_current_buffer_offset(this);
+
+ /* increase size of transform */
+ length_of_proposal += (after_generate_position_offset - before_generate_position_offset);
+ }
+
+ iterator->destroy(iterator);
+
+ int16_val = htons(length_of_proposal);
+ this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset);
+
+ break;
+ }
+ case TRANSFORM_ATTRIBUTES:
+ {
+ /* before iterative generate the transform attributes, store the current length position */
+ u_int32_t transform_length_position_offset = this->last_payload_length_position_offset;
+ u_int16_t length_of_transform = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
+ u_int16_t int16_val;
+ linked_list_t *transform_attributes =*((linked_list_t **)(this->data_struct + rules[i].offset));
+ iterator_t *iterator;
+ payload_t *current_attribute;
+
+ /* create forward iterator */
+ iterator = transform_attributes->create_iterator(transform_attributes,TRUE);
+ while (iterator->iterate(iterator, (void**)&current_attribute))
+ {
+ u_int32_t before_generate_position_offset;
+ u_int32_t after_generate_position_offset;
+
+ before_generate_position_offset = this->get_current_buffer_offset(this);
+ this->public.generate_payload(&(this->public),current_attribute);
+ after_generate_position_offset = this->get_current_buffer_offset(this);
+
+ /* increase size of transform */
+ length_of_transform += (after_generate_position_offset - before_generate_position_offset);
+ }
+
+ iterator->destroy(iterator);
+
+ int16_val = htons(length_of_transform);
+ this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),transform_length_position_offset);
+
+ break;
+ }
+ case CONFIGURATION_ATTRIBUTES:
+ {
+ /* before iterative generate the configuration attributes, store the current length position */
+ u_int32_t configurations_length_position_offset = this->last_payload_length_position_offset;
+ u_int16_t length_of_configurations = CP_PAYLOAD_HEADER_LENGTH;
+ u_int16_t int16_val;
+ linked_list_t *configuration_attributes =*((linked_list_t **)(this->data_struct + rules[i].offset));
+ iterator_t *iterator;
+ payload_t *current_attribute;
+
+ /* create forward iterator */
+ iterator = configuration_attributes->create_iterator(configuration_attributes,TRUE);
+ while (iterator->iterate(iterator, (void**)&current_attribute))
+ {
+ u_int32_t before_generate_position_offset;
+ u_int32_t after_generate_position_offset;
+
+ before_generate_position_offset = this->get_current_buffer_offset(this);
+ this->public.generate_payload(&(this->public),current_attribute);
+ after_generate_position_offset = this->get_current_buffer_offset(this);
+
+ /* increase size of transform */
+ length_of_configurations += (after_generate_position_offset - before_generate_position_offset);
+ }
+
+ iterator->destroy(iterator);
+
+ int16_val = htons(length_of_configurations);
+ this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),configurations_length_position_offset);
+
+ break;
+ }
+ case ATTRIBUTE_FORMAT:
+ {
+ this->generate_flag(this,rules[i].offset);
+ /* Attribute format is a flag which is stored in context*/
+ this->attribute_format = *((bool *) (this->data_struct + rules[i].offset));
+ break;
+ }
+
+ case ATTRIBUTE_LENGTH_OR_VALUE:
+ {
+ if (this->attribute_format == FALSE)
+ {
+ this->generate_u_int_type(this,U_INT_16,rules[i].offset);
+ /* this field hold the length of the attribute */
+ this->attribute_length = *((u_int16_t *)(this->data_struct + rules[i].offset));
+ }
+ else
+ {
+ this->generate_u_int_type(this,U_INT_16,rules[i].offset);
+ }
+ break;
+ }
+ case ATTRIBUTE_VALUE:
+ {
+ if (this->attribute_format == FALSE)
+ {
+ DBG2(DBG_ENC, "attribute value has not fixed size");
+ /* the attribute value is generated */
+ this->generate_from_chunk(this,rules[i].offset);
+ }
+ break;
+ }
+ case TRAFFIC_SELECTORS:
+ {
+ /* before iterative generate the traffic_selectors, store the current payload length position */
+ u_int32_t payload_length_position_offset = this->last_payload_length_position_offset;
+ /* Length of SA_PAYLOAD is calculated */
+ u_int16_t length_of_ts_payload = TS_PAYLOAD_HEADER_LENGTH;
+ u_int16_t int16_val;
+ /* traffic selectors are stored in a linked list and so accessed */
+ linked_list_t *traffic_selectors = *((linked_list_t **)(this->data_struct + rules[i].offset));
+ iterator_t *iterator;
+ payload_t *current_traffic_selector_substructure;
+
+ /* create forward iterator */
+ iterator = traffic_selectors->create_iterator(traffic_selectors,TRUE);
+ /* every proposal is processed (iterative call )*/
+ while (iterator->iterate(iterator, (void **)&current_traffic_selector_substructure))
+ {
+ u_int32_t before_generate_position_offset;
+ u_int32_t after_generate_position_offset;
+
+ before_generate_position_offset = this->get_current_buffer_offset(this);
+ this->public.generate_payload(&(this->public),current_traffic_selector_substructure);
+ after_generate_position_offset = this->get_current_buffer_offset(this);
+
+ /* increase size of transform */
+ length_of_ts_payload += (after_generate_position_offset - before_generate_position_offset);
+ }
+ iterator->destroy(iterator);
+
+ int16_val = htons(length_of_ts_payload);
+ this->write_bytes_to_buffer_at_offset(this,&int16_val,sizeof(u_int16_t),payload_length_position_offset);
+ break;
+ }
+
+ case ENCRYPTED_DATA:
+ {
+ this->generate_from_chunk(this, rules[i].offset);
+ break;
+ }
+ default:
+ DBG1(DBG_ENC, "field type %N is not supported",
+ encoding_type_names, rules[i].type);
+ return;
+ }
+ }
+ DBG2(DBG_ENC, "generating %N payload finished",
+ payload_type_names, payload_type);
+ DBG3(DBG_ENC, "generated data for this payload %b",
+ payload_start, this->out_position-payload_start);
+}
+
+/**
+ * Implementation of generator_t.destroy.
+ */
+static status_t destroy(private_generator_t *this)
+{
+ free(this->buffer);
+ free(this);
+ return SUCCESS;
+}
+
+/*
+ * Described in header
+ */
+generator_t *generator_create()
+{
+ private_generator_t *this;
+
+ this = malloc_thing(private_generator_t);
+
+ /* initiate public functions */
+ this->public.generate_payload = (void(*)(generator_t*, payload_t *)) generate_payload;
+ this->public.destroy = (void(*)(generator_t*)) destroy;
+ this->public.write_to_chunk = (void (*) (generator_t *,chunk_t *)) write_to_chunk;
+
+
+ /* initiate private functions */
+ this->get_current_buffer_size = get_current_buffer_size;
+ this->get_current_buffer_space = get_current_buffer_space;
+ this->get_current_data_length = get_current_data_length;
+ this->get_current_buffer_offset = get_current_buffer_offset;
+ this->generate_u_int_type = generate_u_int_type;
+ this->generate_reserved_field = generate_reserved_field;
+ this->generate_flag = generate_flag;
+ this->generate_from_chunk = generate_from_chunk;
+ this->make_space_available = make_space_available;
+ this->write_bytes_to_buffer = write_bytes_to_buffer;
+ this->write_bytes_to_buffer_at_offset = write_bytes_to_buffer_at_offset;
+
+
+ /* allocate memory for buffer */
+ this->buffer = malloc(GENERATOR_DATA_BUFFER_SIZE);
+
+ /* initiate private variables */
+ this->out_position = this->buffer;
+ this->roof_position = this->buffer + GENERATOR_DATA_BUFFER_SIZE;
+ this->data_struct = NULL;
+ this->current_bit = 0;
+ this->last_payload_length_position_offset = 0;
+ this->header_length_position_offset = 0;
+
+ return &(this->public);
+}
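Review bot: In `make_space_available` the result of `realloc` is assigned straight to `this->buffer`, so a failed allocation leaks the old buffer and leaves `out_position` and `roof_position` derived from NULL, and the next write in `write_bytes_to_buffer`, `generate_flag`, `generate_reserved_field` or `generate_u_int_type` goes through an invalid pointer. Because the function returns void, no caller can stop. I would have it return `status_t` and check it at each call site, which also matches the SUCCESS/FAILED return that the doc comment on `generate_u_int_type` already promises. The `malloc` calls for the buffer in `generator_create` and for `data->ptr` in `write_to_chunk` are unchecked in the same way. Separately, `write_bytes_to_buffer_at_offset` computes `free_space_after_offset` by unsigned subtraction and grows the buffer relative to `out_position` rather than `offset`, as its own @warning concedes; the callers visible here pass previously recorded offsets, so this looks latent, but a guard such as `if (offset > size || number_of_bytes > size - offset) return;`, with `size` taken from `get_current_buffer_size`, before the copy loop would bound it.

```c
static status_t make_space_available (private_generator_t *this, size_t bits)
{
	while (((this->get_current_buffer_space(this) * 8) - this->current_bit) < bits)
	{
		/* ... unchanged: old_buffer_size, new_buffer_size, out_position_offset, DBG2 ... */
		u_int8_t *new_buffer = realloc(this->buffer, new_buffer_size);

		if (new_buffer == NULL)
		{
			/* the old buffer is still valid and still owned by this generator */
			DBG1(DBG_ENC, "unable to increase gen buffer");
			return FAILED;
		}
		this->buffer = new_buffer;
		/* ... unchanged: out_position and roof_position recomputed from this->buffer ... */
	}
	return SUCCESS;
}
```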
diff --git a/src/charon/encoding/generator.h b/src/charon/encoding/generator.h
new file mode 100644
index 000000000..8eff957cc
--- /dev/null
+++ b/src/charon/encoding/generator.h
@@ -0,0 +1,102 @@
+/**
+ * @file generator.h
+ *
+ * @brief Interface of generator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef GENERATOR_H_
+#define GENERATOR_H_
+
+typedef struct generator_t generator_t;
+
+#include <library.h>
+#include <encoding/payloads/encodings.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Generating is done in a data buffer.
+ * This is thehe start size of this buffer in bytes.
+ *
+ * @ingroup enconding
+ */
+#define GENERATOR_DATA_BUFFER_SIZE 500
+
+/**
+ * Number of bytes to increase the buffer, if it is to small.
+ *
+ * @ingroup enconding
+ */
+#define GENERATOR_DATA_BUFFER_INCREASE_VALUE 500
+
+
+/**
+ * @brief A generator_t class used to generate IKEv2 payloads.
+ *
+ * After creation, multiple payloads can be generated with the generate_payload
+ * method. The generated bytes are appended. After all payloads are added,
+ * the write_to_chunk method writes out all generated data since
+ * the creation of the generator. After that, the generator must be destroyed.
+ * The generater uses a set of encoding rules, which it can get from
+ * the supplied payload. With this rules, the generater can generate
+ * the payload and all substructures automatically.
+ *
+ * @b Constructor:
+ * - generator_create()
+ *
+ * @ingroup encoding
+ */
+struct generator_t {
+
+ /**
+ * @brief Generates a specific payload from given payload object.
+ *
+ * Remember: Header and substructures are also handled as payloads.
+ *
+ * @param this generator_t object
+ * @param[in] payload interface payload_t implementing object
+ */
+ void (*generate_payload) (generator_t *this,payload_t *payload);
+
+ /**
+ * @brief Writes all generated data of the generator to a chunk.
+ *
+ * @param this generator_t object
+ * @param[out] data chunk to write the data to
+ */
+ void (*write_to_chunk) (generator_t *this,chunk_t *data);
+
+ /**
+ * @brief Destroys a generator_t object.
+ *
+ * @param this generator_t object
+ */
+ void (*destroy) (generator_t *this);
+};
+
+/**
+ * @brief Constructor to create a generator.
+ *
+ * @return generator_t object.
+ *
+ * @ingroup encoding
+ */
+generator_t *generator_create(void);
+
+#endif /*GENERATOR_H_*/
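Review bot: The documentation of `write_to_chunk` does not say who owns the memory behind `data`, and its `void` return type gives the caller no way to learn that the copy could not be made. In message.c, generate() keeps using the chunk after `generator->destroy(generator)`, and destroy() in generator.c frees `this->buffer`, so the chunk presumably has to be a separate allocation handed to the caller. The implementation is outside this hunk, so this should be confirmed and then stated, for example `@param[out] data chunk to write the data to; allocated by the generator, must be freed by the caller`. Separately, the two buffer-size macros are tagged `@ingroup enconding` while generator_t uses `@ingroup encoding`, so Doxygen will not list them in the same group.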
diff --git a/src/charon/encoding/message.c b/src/charon/encoding/message.c
new file mode 100644
index 000000000..5f3f91f8b
--- /dev/null
+++ b/src/charon/encoding/message.c
@@ -0,0 +1,1316 @@
+/**
+ * @file message.c
+ *
+ * @brief Implementation of message_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <printf.h>
+
+#include "message.h"
+
+#include <library.h>
+#include <daemon.h>
+#include <sa/ike_sa_id.h>
+#include <encoding/generator.h>
+#include <encoding/parser.h>
+#include <utils/linked_list.h>
+#include <encoding/payloads/encodings.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/encryption_payload.h>
+#include <encoding/payloads/unknown_payload.h>
+
+/**
+ * Max number of notify payloads per IKEv2 Message
+ */
+#define MAX_NOTIFY_PAYLOADS 20
+
+
+typedef struct payload_rule_t payload_rule_t;
+
+/**
+ * A payload rule defines the rules for a payload
+ * in a specific message rule. It defines if and how
+ * many times a payload must/can occur in a message
+ * and if it must be encrypted.
+ */
+struct payload_rule_t {
+ /**
+ * Payload type.
+ */
+ payload_type_t payload_type;
+
+ /**
+ * Minimal occurence of this payload.
+ */
+ size_t min_occurence;
+
+ /**
+ * Max occurence of this payload.
+ */
+ size_t max_occurence;
+
+ /**
+ * TRUE if payload must be encrypted
+ */
+ bool encrypted;
+
+ /**
+ * If this payload occurs, the message rule is
+ * fullfilled in any case. This applies e.g. to
+ * notify_payloads.
+ */
+ bool sufficient;
+};
+
+typedef struct message_rule_t message_rule_t;
+
+/**
+ * A message rule defines the kind of a message,
+ * if it has encrypted contents and a list
+ * of payload rules.
+ *
+ */
+struct message_rule_t {
+ /**
+ * Type of message.
+ */
+ exchange_type_t exchange_type;
+
+ /**
+ * Is message a request or response.
+ */
+ bool is_request;
+
+ /**
+ * Message contains encrypted content.
+ */
+ bool encrypted_content;
+
+ /**
+ * Number of payload rules which will follow
+ */
+ size_t payload_rule_count;
+
+ /**
+ * Pointer to first payload rule
+ */
+ payload_rule_t *payload_rules;
+};
+
+/**
+ * Message rule for IKE_SA_INIT from initiator.
+ */
+static payload_rule_t ike_sa_init_i_payload_rules[] = {
+ {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,FALSE},
+ {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
+ {KEY_EXCHANGE,1,1,FALSE,FALSE},
+ {NONCE,1,1,FALSE,FALSE},
+ {VENDOR_ID,0,10,FALSE,FALSE},
+};
+
+/**
+ * Message rule for IKE_SA_INIT from responder.
+ */
+static payload_rule_t ike_sa_init_r_payload_rules[] = {
+ {NOTIFY,0,MAX_NOTIFY_PAYLOADS,FALSE,TRUE},
+ {SECURITY_ASSOCIATION,1,1,FALSE,FALSE},
+ {KEY_EXCHANGE,1,1,FALSE,FALSE},
+ {NONCE,1,1,FALSE,FALSE},
+ {VENDOR_ID,0,10,FALSE,FALSE},
+};
+
+/**
+ * Message rule for IKE_AUTH from initiator.
+ */
+static payload_rule_t ike_auth_i_payload_rules[] = {
+ {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
+ {EXTENSIBLE_AUTHENTICATION,0,1,TRUE,TRUE},
+ {AUTHENTICATION,0,1,TRUE,TRUE},
+ {ID_INITIATOR,1,1,TRUE,FALSE},
+ {CERTIFICATE,0,1,TRUE,FALSE},
+ {CERTIFICATE_REQUEST,0,1,TRUE,FALSE},
+ {ID_RESPONDER,0,1,TRUE,FALSE},
+ {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
+ {TRAFFIC_SELECTOR_INITIATOR,1,1,TRUE,FALSE},
+ {TRAFFIC_SELECTOR_RESPONDER,1,1,TRUE,FALSE},
+ {CONFIGURATION,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
+};
+
+/**
+ * Message rule for IKE_AUTH from responder.
+ */
+static payload_rule_t ike_auth_r_payload_rules[] = {
+ {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
+ {EXTENSIBLE_AUTHENTICATION,0,1,TRUE,TRUE},
+ {CERTIFICATE,0,1,TRUE,FALSE},
+ {ID_RESPONDER,0,1,TRUE,FALSE},
+ {AUTHENTICATION,0,1,TRUE,FALSE},
+ {SECURITY_ASSOCIATION,0,1,TRUE,FALSE},
+ {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
+ {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
+ {CONFIGURATION,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
+};
+
+
+/**
+ * Message rule for INFORMATIONAL from initiator.
+ */
+static payload_rule_t informational_i_payload_rules[] = {
+ {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
+ {CONFIGURATION,0,1,TRUE,FALSE},
+ {DELETE,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
+
+};
+
+/**
+ * Message rule for INFORMATIONAL from responder.
+ */
+static payload_rule_t informational_r_payload_rules[] = {
+ {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
+ {CONFIGURATION,0,1,TRUE,FALSE},
+ {DELETE,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
+};
+
+/**
+ * Message rule for CREATE_CHILD_SA from initiator.
+ */
+static payload_rule_t create_child_sa_i_payload_rules[] = {
+ {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
+ {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
+ {NONCE,1,1,TRUE,FALSE},
+ {KEY_EXCHANGE,0,1,TRUE,FALSE},
+ {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
+ {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
+ {CONFIGURATION,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
+};
+
+/**
+ * Message rule for CREATE_CHILD_SA from responder.
+ */
+static payload_rule_t create_child_sa_r_payload_rules[] = {
+ {NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
+ {SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
+ {NONCE,1,1,TRUE,FALSE},
+ {KEY_EXCHANGE,0,1,TRUE,FALSE},
+ {TRAFFIC_SELECTOR_INITIATOR,0,1,TRUE,FALSE},
+ {TRAFFIC_SELECTOR_RESPONDER,0,1,TRUE,FALSE},
+ {CONFIGURATION,0,1,TRUE,FALSE},
+ {VENDOR_ID,0,10,TRUE,FALSE},
+};
+
+
+/**
+ * Message rules, defines allowed payloads.
+ */
+static message_rule_t message_rules[] = {
+ {IKE_SA_INIT,TRUE,FALSE,(sizeof(ike_sa_init_i_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_i_payload_rules},
+ {IKE_SA_INIT,FALSE,FALSE,(sizeof(ike_sa_init_r_payload_rules)/sizeof(payload_rule_t)),ike_sa_init_r_payload_rules},
+ {IKE_AUTH,TRUE,TRUE,(sizeof(ike_auth_i_payload_rules)/sizeof(payload_rule_t)),ike_auth_i_payload_rules},
+ {IKE_AUTH,FALSE,TRUE,(sizeof(ike_auth_r_payload_rules)/sizeof(payload_rule_t)),ike_auth_r_payload_rules},
+ {INFORMATIONAL,TRUE,TRUE,(sizeof(informational_i_payload_rules)/sizeof(payload_rule_t)),informational_i_payload_rules},
+ {INFORMATIONAL,FALSE,TRUE,(sizeof(informational_r_payload_rules)/sizeof(payload_rule_t)),informational_r_payload_rules},
+ {CREATE_CHILD_SA,TRUE,TRUE,(sizeof(create_child_sa_i_payload_rules)/sizeof(payload_rule_t)),create_child_sa_i_payload_rules},
+ {CREATE_CHILD_SA,FALSE,TRUE,(sizeof(create_child_sa_r_payload_rules)/sizeof(payload_rule_t)),create_child_sa_r_payload_rules},
+};
+
+
+typedef struct private_message_t private_message_t;
+
+/**
+ * Private data of an message_t object.
+ */
+struct private_message_t {
+
+ /**
+ * Public part of a message_t object.
+ */
+ message_t public;
+
+ /**
+ * Minor version of message.
+ */
+ u_int8_t major_version;
+
+ /**
+ * Major version of message.
+ */
+ u_int8_t minor_version;
+
+ /**
+ * First Payload in message.
+ */
+ payload_type_t first_payload;
+
+ /**
+ * Assigned exchange type.
+ */
+ exchange_type_t exchange_type;
+
+ /**
+ * TRUE if message is a request, FALSE if a reply.
+ */
+ bool is_request;
+
+ /**
+ * Message ID of this message.
+ */
+ u_int32_t message_id;
+
+ /**
+ * ID of assigned IKE_SA.
+ */
+ ike_sa_id_t *ike_sa_id;
+
+ /**
+ * Assigned UDP packet, stores incoming packet or last generated one.
+ */
+ packet_t *packet;
+
+ /**
+ * Linked List where payload data are stored in.
+ */
+ linked_list_t *payloads;
+
+ /**
+ * Assigned parser to parse Header and Body of this message.
+ */
+ parser_t *parser;
+
+ /**
+ * The message rule for this message instance
+ */
+ message_rule_t *message_rule;
+};
+
+/**
+ * Implementation of private_message_t.set_message_rule.
+ */
+static status_t set_message_rule(private_message_t *this)
+{
+ int i;
+
+ for (i = 0; i < (sizeof(message_rules) / sizeof(message_rule_t)); i++)
+ {
+ if ((this->exchange_type == message_rules[i].exchange_type) &&
+ (this->is_request == message_rules[i].is_request))
+ {
+ /* found rule for given exchange_type*/
+ this->message_rule = &(message_rules[i]);
+ return SUCCESS;
+ }
+ }
+ this->message_rule = NULL;
+ return NOT_FOUND;
+}
+
+/**
+ * Implementation of private_message_t.get_payload_rule.
+ */
+static status_t get_payload_rule(private_message_t *this, payload_type_t payload_type, payload_rule_t **payload_rule)
+{
+ int i;
+
+ for (i = 0; i < this->message_rule->payload_rule_count;i++)
+ {
+ if (this->message_rule->payload_rules[i].payload_type == payload_type)
+ {
+ *payload_rule = &(this->message_rule->payload_rules[i]);
+ return SUCCESS;
+ }
+ }
+
+ *payload_rule = NULL;
+ return NOT_FOUND;
+}
+
+/**
+ * Implementation of message_t.set_ike_sa_id.
+ */
+static void set_ike_sa_id (private_message_t *this,ike_sa_id_t *ike_sa_id)
+{
+ DESTROY_IF(this->ike_sa_id);
+ this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+}
+
+/**
+ * Implementation of message_t.get_ike_sa_id.
+ */
+static ike_sa_id_t* get_ike_sa_id (private_message_t *this)
+{
+ return this->ike_sa_id;
+}
+
+/**
+ * Implementation of message_t.set_message_id.
+ */
+static void set_message_id (private_message_t *this,u_int32_t message_id)
+{
+ this->message_id = message_id;
+}
+
+/**
+ * Implementation of message_t.get_message_id.
+ */
+static u_int32_t get_message_id (private_message_t *this)
+{
+ return this->message_id;
+}
+
+/**
+ * Implementation of message_t.get_initiator_spi.
+ */
+static u_int64_t get_initiator_spi (private_message_t *this)
+{
+ return (this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
+}
+
+/**
+ * Implementation of message_t.get_responder_spi.
+ */
+static u_int64_t get_responder_spi (private_message_t *this)
+{
+ return (this->ike_sa_id->get_responder_spi(this->ike_sa_id));
+}
+
+/**
+ * Implementation of message_t.set_major_version.
+ */
+static void set_major_version (private_message_t *this,u_int8_t major_version)
+{
+ this->major_version = major_version;
+}
+
+
+/**
+ * Implementation of message_t.set_major_version.
+ */
+static u_int8_t get_major_version (private_message_t *this)
+{
+ return this->major_version;
+}
+
+/**
+ * Implementation of message_t.set_minor_version.
+ */
+static void set_minor_version (private_message_t *this,u_int8_t minor_version)
+{
+ this->minor_version = minor_version;
+}
+
+/**
+ * Implementation of message_t.get_minor_version.
+ */
+static u_int8_t get_minor_version (private_message_t *this)
+{
+ return this->minor_version;
+}
+
+/**
+ * Implementation of message_t.set_exchange_type.
+ */
+static void set_exchange_type (private_message_t *this,exchange_type_t exchange_type)
+{
+ this->exchange_type = exchange_type;
+}
+
+/**
+ * Implementation of message_t.get_exchange_type.
+ */
+static exchange_type_t get_exchange_type (private_message_t *this)
+{
+ return this->exchange_type;
+}
+
+/**
+ * Implementation of message_t.set_request.
+ */
+static void set_request (private_message_t *this,bool request)
+{
+ this->is_request = request;
+}
+
+/**
+ * Implementation of message_t.get_request.
+ */
+static exchange_type_t get_request (private_message_t *this)
+{
+ return this->is_request;
+}
+
+/**
+ * Is this message in an encoded form?
+ */
+static bool is_encoded(private_message_t *this)
+{
+ chunk_t data = this->packet->get_data(this->packet);
+
+ if (data.ptr == NULL)
+ {
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Implementation of message_t.add_payload.
+ */
+static void add_payload(private_message_t *this, payload_t *payload)
+{
+ payload_t *last_payload, *first_payload;
+
+ if ((this->is_request && payload->get_type(payload) == ID_INITIATOR) ||
+ (!this->is_request && payload->get_type(payload) == ID_RESPONDER))
+ {
+ /* HOTD: insert ID payload in the beginning to respect RFC */
+ if (this->payloads->get_first(this->payloads,
+ (void **)&first_payload) == SUCCESS)
+ {
+ payload->set_next_type(payload, first_payload->get_type(first_payload));
+ }
+ else
+ {
+ payload->set_next_type(payload, NO_PAYLOAD);
+ }
+ this->first_payload = payload->get_type(payload);
+ this->payloads->insert_first(this->payloads, payload);
+ }
+ else
+ {
+ if (this->payloads->get_count(this->payloads) > 0)
+ {
+ this->payloads->get_last(this->payloads,(void **) &last_payload);
+ last_payload->set_next_type(last_payload, payload->get_type(payload));
+ }
+ else
+ {
+ this->first_payload = payload->get_type(payload);
+ }
+ payload->set_next_type(payload, NO_PAYLOAD);
+ this->payloads->insert_last(this->payloads, payload);
+ }
+
+ DBG2(DBG_ENC ,"added payload of type %N to message",
+ payload_type_names, payload->get_type(payload));
+}
+
+/**
+ * Implementation of message_t.add_notify.
+ */
+static void add_notify(private_message_t *this, bool flush, notify_type_t type,
+ chunk_t data)
+{
+ notify_payload_t *notify;
+ payload_t *payload;
+
+ if (flush)
+ {
+ while (this->payloads->remove_last(this->payloads,
+ (void**)&payload) == SUCCESS)
+ {
+ payload->destroy(payload);
+ }
+ }
+ notify = notify_payload_create();
+ notify->set_notify_type(notify, type);
+ notify->set_notification_data(notify, data);
+ add_payload(this, (payload_t*)notify);
+}
+
+/**
+ * Implementation of message_t.set_source.
+ */
+static void set_source(private_message_t *this, host_t *host)
+{
+ this->packet->set_source(this->packet, host);
+}
+
+/**
+ * Implementation of message_t.set_destination.
+ */
+static void set_destination(private_message_t *this, host_t *host)
+{
+ this->packet->set_destination(this->packet, host);
+}
+
+/**
+ * Implementation of message_t.get_source.
+ */
+static host_t* get_source(private_message_t *this)
+{
+ return this->packet->get_source(this->packet);
+}
+
+/**
+ * Implementation of message_t.get_destination.
+ */
+static host_t * get_destination(private_message_t *this)
+{
+ return this->packet->get_destination(this->packet);
+}
+
+/**
+ * Implementation of message_t.get_payload_iterator.
+ */
+static iterator_t *get_payload_iterator(private_message_t *this)
+{
+ return this->payloads->create_iterator(this->payloads, TRUE);
+}
+
+/**
+ * Implementation of message_t.get_payload.
+ */
+static payload_t *get_payload(private_message_t *this, payload_type_t type)
+{
+ payload_t *current, *found = NULL;
+ iterator_t *iterator;
+
+ iterator = this->payloads->create_iterator(this->payloads, TRUE);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (current->get_type(current) == type)
+ {
+ found = current;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ private_message_t *this = *((private_message_t**)(args[0]));
+ iterator_t *iterator;
+ payload_t *payload;
+ bool first = TRUE;
+ size_t total_written = 0;
+ size_t written;
+
+ if (this == NULL)
+ {
+ return fprintf(stream, "(null)");
+ }
+
+ written = fprintf(stream, "%N %s [",
+ exchange_type_names, this->exchange_type,
+ this->is_request ? "request" : "response");
+ if (written < 0)
+ {
+ return written;
+ }
+ total_written += written;
+
+ iterator = this->payloads->create_iterator(this->payloads, TRUE);
+ while (iterator->iterate(iterator, (void**)&payload))
+ {
+ if (!first)
+ {
+ written = fprintf(stream, " ");
+ if (written < 0)
+ {
+ return written;
+ }
+ total_written += written;
+ }
+ else
+ {
+ first = FALSE;
+ }
+ written = fprintf(stream, "%N", payload_type_short_names,
+ payload->get_type(payload));
+ if (written < 0)
+ {
+ return written;
+ }
+ total_written += written;
+ }
+ iterator->destroy(iterator);
+ written = fprintf(stream, "]");
+ if (written < 0)
+ {
+ return written;
+ }
+ total_written += written;
+ return total_written;
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(PRINTF_MESSAGE, print, arginfo_ptr);
+}
+
+/**
+ * Implementation of private_message_t.encrypt_payloads.
+ */
+static status_t encrypt_payloads (private_message_t *this,crypter_t *crypter, signer_t* signer)
+{
+ encryption_payload_t *encryption_payload = NULL;
+ status_t status;
+ linked_list_t *all_payloads;
+
+ if (!this->message_rule->encrypted_content)
+ {
+ DBG2(DBG_ENC, "message doesn't have to be encrypted");
+ /* message contains no content to encrypt */
+ return SUCCESS;
+ }
+
+ DBG2(DBG_ENC, "copy all payloads to a temporary list");
+ all_payloads = linked_list_create();
+
+ /* first copy all payloads in a temporary list */
+ while (this->payloads->get_count(this->payloads) > 0)
+ {
+ void *current_payload;
+ this->payloads->remove_first(this->payloads,&current_payload);
+ all_payloads->insert_last(all_payloads,current_payload);
+ }
+
+ encryption_payload = encryption_payload_create();
+
+ DBG2(DBG_ENC, "check each payloads if they have to get encrypted");
+ while (all_payloads->get_count(all_payloads) > 0)
+ {
+ payload_rule_t *payload_rule;
+ payload_t *current_payload;
+ bool to_encrypt = FALSE;
+
+ all_payloads->remove_first(all_payloads,(void **)&current_payload);
+
+ status = get_payload_rule(this,
+ current_payload->get_type(current_payload),&payload_rule);
+ /* for payload types which are not found in supported payload list,
+ * it is presumed that they don't have to be encrypted */
+ if ((status == SUCCESS) && (payload_rule->encrypted))
+ {
+ DBG2(DBG_ENC, "payload %N gets encrypted",
+ payload_type_names, current_payload->get_type(current_payload));
+ to_encrypt = TRUE;
+ }
+
+ if (to_encrypt)
+ {
+ DBG2(DBG_ENC, "insert payload %N to encryption payload",
+ payload_type_names, current_payload->get_type(current_payload));
+ encryption_payload->add_payload(encryption_payload,current_payload);
+ }
+ else
+ {
+ DBG2(DBG_ENC, "insert payload %N unencrypted",
+ payload_type_names ,current_payload->get_type(current_payload));
+ add_payload(this, (payload_t*)encryption_payload);
+ }
+ }
+
+ status = SUCCESS;
+ DBG2(DBG_ENC, "encrypting encryption payload");
+ encryption_payload->set_transforms(encryption_payload, crypter,signer);
+ status = encryption_payload->encrypt(encryption_payload);
+ DBG2(DBG_ENC, "add encrypted payload to payload list");
+ add_payload(this, (payload_t*)encryption_payload);
+
+ all_payloads->destroy(all_payloads);
+
+ return status;
+}
+
+/**
+ * Implementation of message_t.generate.
+ */
+static status_t generate(private_message_t *this, crypter_t *crypter, signer_t* signer, packet_t **packet)
+{
+ generator_t *generator;
+ ike_header_t *ike_header;
+ payload_t *payload, *next_payload;
+ iterator_t *iterator;
+ status_t status;
+ chunk_t packet_data;
+
+ if (is_encoded(this))
+ {
+ /* already generated, return a new packet clone */
+ *packet = this->packet->clone(this->packet);
+ return SUCCESS;
+ }
+
+ DBG1(DBG_ENC, "generating %M", this);
+
+ if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED)
+ {
+ DBG1(DBG_ENC, "exchange type is not defined");
+ return INVALID_STATE;
+ }
+
+ if (this->packet->get_source(this->packet) == NULL ||
+ this->packet->get_destination(this->packet) == NULL)
+ {
+ DBG1(DBG_ENC, "%s not defined",
+ !this->packet->get_source(this->packet) ? "source" : "destination");
+ return INVALID_STATE;
+ }
+
+ /* set the rules for this messge */
+ status = set_message_rule(this);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "no message rules specified for this message type");
+ return NOT_SUPPORTED;
+ }
+
+ /* going to encrypt all content which have to be encrypted */
+ status = encrypt_payloads(this, crypter, signer);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "payload encryption failed");
+ return status;
+ }
+
+ /* build ike header */
+ ike_header = ike_header_create();
+
+ ike_header->set_exchange_type(ike_header, this->exchange_type);
+ ike_header->set_message_id(ike_header, this->message_id);
+ ike_header->set_response_flag(ike_header, !this->is_request);
+ ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
+ ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
+ ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
+
+ generator = generator_create();
+
+ payload = (payload_t*)ike_header;
+
+
+ /* generate every payload expect last one, this is doen later*/
+ iterator = this->payloads->create_iterator(this->payloads, TRUE);
+ while(iterator->iterate(iterator, (void**)&next_payload))
+ {
+ payload->set_next_type(payload, next_payload->get_type(next_payload));
+ generator->generate_payload(generator, payload);
+ payload = next_payload;
+ }
+ iterator->destroy(iterator);
+
+ /* last payload has no next payload*/
+ payload->set_next_type(payload, NO_PAYLOAD);
+
+ generator->generate_payload(generator, payload);
+
+ ike_header->destroy(ike_header);
+
+ /* build packet */
+ generator->write_to_chunk(generator, &packet_data);
+ generator->destroy(generator);
+
+ /* if last payload is of type encrypted, integrity checksum if necessary */
+ if (payload->get_type(payload) == ENCRYPTED)
+ {
+ DBG2(DBG_ENC, "build signature on whole message");
+ encryption_payload_t *encryption_payload = (encryption_payload_t*)payload;
+ status = encryption_payload->build_signature(encryption_payload, packet_data);
+ if (status != SUCCESS)
+ {
+ return status;
+ }
+ }
+
+ this->packet->set_data(this->packet, packet_data);
+
+ /* clone packet for caller */
+ *packet = this->packet->clone(this->packet);
+
+ DBG2(DBG_ENC, "message generated successfully");
+ return SUCCESS;
+}
+
+/**
+ * Implementation of message_t.get_packet.
+ */
+static packet_t *get_packet (private_message_t *this)
+{
+ if (this->packet == NULL)
+ {
+ return NULL;
+ }
+ return this->packet->clone(this->packet);
+}
+
+/**
+ * Implementation of message_t.get_packet_data.
+ */
+static chunk_t get_packet_data (private_message_t *this)
+{
+ if (this->packet == NULL)
+ {
+ return chunk_empty;
+ }
+ return chunk_clone(this->packet->get_data(this->packet));
+}
+
+/**
+ * Implementation of message_t.parse_header.
+ */
+static status_t parse_header(private_message_t *this)
+{
+ ike_header_t *ike_header;
+ status_t status;
+
+ DBG2(DBG_ENC, "parsing header of message");
+
+ this->parser->reset_context(this->parser);
+ status = this->parser->parse_payload(this->parser,HEADER,(payload_t **) &ike_header);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "header could not be parsed");
+ return status;
+
+ }
+
+ /* verify payload */
+ status = ike_header->payload_interface.verify(&(ike_header->payload_interface));
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "header verification failed");
+ ike_header->destroy(ike_header);
+ return status;
+ }
+
+ if (this->ike_sa_id != NULL)
+ {
+ this->ike_sa_id->destroy(this->ike_sa_id);
+ }
+
+ this->ike_sa_id = ike_sa_id_create(ike_header->get_initiator_spi(ike_header),
+ ike_header->get_responder_spi(ike_header),
+ ike_header->get_initiator_flag(ike_header));
+
+ this->exchange_type = ike_header->get_exchange_type(ike_header);
+ this->message_id = ike_header->get_message_id(ike_header);
+ this->is_request = (!(ike_header->get_response_flag(ike_header)));
+ this->major_version = ike_header->get_maj_version(ike_header);
+ this->minor_version = ike_header->get_min_version(ike_header);
+ this->first_payload = ike_header->payload_interface.get_next_type(&(ike_header->payload_interface));
+
+ DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type,
+ this->is_request ? "request" : "response");
+
+ ike_header->destroy(ike_header);
+
+ /* get the rules for this messge */
+ status = set_message_rule(this);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "no message rules specified for a %N %s",
+ exchange_type_names, this->exchange_type,
+ this->is_request ? "request" : "response");
+ }
+
+ return status;
+}
+
+/**
+ * Implementation of private_message_t.decrypt_and_verify_payloads.
+ */
+static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, signer_t* signer)
+{
+ bool current_payload_was_encrypted = FALSE;
+ payload_t *previous_payload = NULL;
+ int payload_number = 1;
+ iterator_t *iterator;
+ payload_t *current_payload;
+ status_t status;
+
+ iterator = this->payloads->create_iterator(this->payloads,TRUE);
+
+ /* process each payload and decrypt a encryption payload */
+ while(iterator->iterate(iterator, (void**)&current_payload))
+ {
+ payload_rule_t *payload_rule;
+ payload_type_t current_payload_type;
+
+ /* needed to check */
+ current_payload_type = current_payload->get_type(current_payload);
+
+ DBG2(DBG_ENC, "process payload of type %N",
+ payload_type_names, current_payload_type);
+
+ if (current_payload_type == ENCRYPTED)
+ {
+ encryption_payload_t *encryption_payload;
+ payload_t *current_encrypted_payload;
+
+ encryption_payload = (encryption_payload_t*)current_payload;
+
+ DBG2(DBG_ENC, "found an encryption payload");
+
+ if (payload_number != this->payloads->get_count(this->payloads))
+ {
+ /* encrypted payload is not last one */
+ DBG1(DBG_ENC, "encrypted payload is not last payload");
+ iterator->destroy(iterator);
+ return VERIFY_ERROR;
+ }
+ /* decrypt */
+ encryption_payload->set_transforms(encryption_payload, crypter, signer);
+ DBG2(DBG_ENC, "verify signature of encryption payload");
+ status = encryption_payload->verify_signature(encryption_payload,
+ this->packet->get_data(this->packet));
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "encryption payload signature invalid");
+ iterator->destroy(iterator);
+ return FAILED;
+ }
+ DBG2(DBG_ENC, "decrypting content of encryption payload");
+ status = encryption_payload->decrypt(encryption_payload);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "encrypted payload could not be decrypted and parsed");
+ iterator->destroy(iterator);
+ return PARSE_ERROR;
+ }
+
+ /* needed later to find out if a payload was encrypted */
+ current_payload_was_encrypted = TRUE;
+
+ /* check if there are payloads contained in the encryption payload */
+ if (encryption_payload->get_payload_count(encryption_payload) == 0)
+ {
+ DBG2(DBG_ENC, "encrypted payload is empty");
+ /* remove the encryption payload, is not needed anymore */
+ iterator->remove(iterator);
+ /* encrypted payload contains no other payload */
+ current_payload_type = NO_PAYLOAD;
+ }
+ else
+ {
+ /* encryption_payload is replaced with first payload contained in encryption_payload */
+ encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
+ iterator->replace(iterator,NULL,(void *) current_encrypted_payload);
+ current_payload_type = current_encrypted_payload->get_type(current_encrypted_payload);
+ }
+
+ /* is the current paylad the first in the message? */
+ if (previous_payload == NULL)
+ {
+ /* yes, set the first payload type of the message to the current type */
+ this->first_payload = current_payload_type;
+ }
+ else
+ {
+ /* no, set the next_type of the previous payload to the current type */
+ previous_payload->set_next_type(previous_payload, current_payload_type);
+ }
+
+ /* all encrypted payloads are added to the payload list */
+ while (encryption_payload->get_payload_count(encryption_payload) > 0)
+ {
+ encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
+ DBG2(DBG_ENC, "insert unencrypted payload of type %N at end of list",
+ payload_type_names, current_encrypted_payload->get_type(current_encrypted_payload));
+ this->payloads->insert_last(this->payloads,current_encrypted_payload);
+ }
+
+ /* encryption payload is processed, payloads are moved. Destroy it. */
+ encryption_payload->destroy(encryption_payload);
+ }
+
+ /* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
+ if (current_payload_type != UNKNOWN_PAYLOAD && current_payload_type != NO_PAYLOAD)
+ {
+ /* get the ruleset for found payload */
+ status = get_payload_rule(this, current_payload_type, &payload_rule);
+ if (status != SUCCESS)
+ {
+ /* payload is not allowed */
+ DBG1(DBG_ENC, "payload type %N not allowed",
+ payload_type_names, current_payload_type);
+ iterator->destroy(iterator);
+ return VERIFY_ERROR;
+ }
+
+ /* check if the payload was encrypted, and if it should been have encrypted */
+ if (payload_rule->encrypted != current_payload_was_encrypted)
+ {
+ /* payload was not encrypted, but should have been. or vice-versa */
+ DBG1(DBG_ENC, "payload type %N should be %s!",
+ payload_type_names, current_payload_type,
+ (payload_rule->encrypted) ? "encrypted" : "not encrypted");
+ iterator->destroy(iterator);
+ return VERIFY_ERROR;
+ }
+ }
+ /* advance to the next payload */
+ payload_number++;
+ /* is stored to set next payload in case of found encryption payload */
+ previous_payload = current_payload;
+ }
+ iterator->destroy(iterator);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of private_message_t.verify.
+ */
+static status_t verify(private_message_t *this)
+{
+ int i;
+ iterator_t *iterator;
+ payload_t *current_payload;
+ size_t total_found_payloads = 0;
+
+ DBG2(DBG_ENC, "verifying message structure");
+
+ iterator = this->payloads->create_iterator(this->payloads,TRUE);
+ /* check for payloads with wrong count*/
+ for (i = 0; i < this->message_rule->payload_rule_count;i++)
+ {
+ size_t found_payloads = 0;
+
+ /* check all payloads for specific rule */
+ iterator->reset(iterator);
+
+ while(iterator->iterate(iterator,(void **)&current_payload))
+ {
+ payload_type_t current_payload_type;
+
+ current_payload_type = current_payload->get_type(current_payload);
+ if (current_payload_type == UNKNOWN_PAYLOAD)
+ {
+ /* unknown payloads are ignored, IF they are not critical */
+ unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
+ if (unknown_payload->is_critical(unknown_payload))
+ {
+ DBG1(DBG_ENC, "%N is not supported, but its critical!",
+ payload_type_names, current_payload_type);
+ iterator->destroy(iterator);
+ return NOT_SUPPORTED;
+ }
+ }
+ else if (current_payload_type == this->message_rule->payload_rules[i].payload_type)
+ {
+ found_payloads++;
+ total_found_payloads++;
+ DBG2(DBG_ENC, "found payload of type %N",
+ payload_type_names, this->message_rule->payload_rules[i].payload_type);
+
+ /* as soon as ohe payload occures more then specified, the verification fails */
+ if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
+ {
+ DBG1(DBG_ENC, "payload of type %N more than %d times (%d) occured in current message",
+ payload_type_names, current_payload_type,
+ this->message_rule->payload_rules[i].max_occurence, found_payloads);
+ iterator->destroy(iterator);
+ return VERIFY_ERROR;
+ }
+ }
+ }
+
+ if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
+ {
+ DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
+ payload_type_names, this->message_rule->payload_rules[i].payload_type,
+ this->message_rule->payload_rules[i].min_occurence, found_payloads);
+ iterator->destroy(iterator);
+ return VERIFY_ERROR;
+ }
+ if ((this->message_rule->payload_rules[i].sufficient) && (this->payloads->get_count(this->payloads) == total_found_payloads))
+ {
+ iterator->destroy(iterator);
+ return SUCCESS;
+ }
+ }
+ iterator->destroy(iterator);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of message_t.parse_body.
+ */
+static status_t parse_body(private_message_t *this, crypter_t *crypter, signer_t *signer)
+{
+ status_t status = SUCCESS;
+ payload_type_t current_payload_type;
+
+ current_payload_type = this->first_payload;
+
+ DBG2(DBG_ENC, "parsing body of message, first payload is %N",
+ payload_type_names, current_payload_type);
+
+ /* parse payload for payload, while there are more available */
+ while ((current_payload_type != NO_PAYLOAD))
+ {
+ payload_t *current_payload;
+
+ DBG2(DBG_ENC, "starting parsing a %N payload",
+ payload_type_names, current_payload_type);
+
+ /* parse current payload */
+ status = this->parser->parse_payload(this->parser,current_payload_type,(payload_t **) &current_payload);
+
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "payload type %N could not be parsed",
+ payload_type_names, current_payload_type);
+ return PARSE_ERROR;
+ }
+
+ DBG2(DBG_ENC, "verifying payload of type %N",
+ payload_type_names, current_payload_type);
+
+ /* verify it, stop parsig if its invalid */
+ status = current_payload->verify(current_payload);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "%N payload verification failed",
+ payload_type_names, current_payload_type);
+ current_payload->destroy(current_payload);
+ return VERIFY_ERROR;
+ }
+
+ DBG2(DBG_ENC, "%N payload verified. Adding to payload list",
+ payload_type_names, current_payload_type);
+ this->payloads->insert_last(this->payloads,current_payload);
+
+ /* an encryption payload is the last one, so STOP here. decryption is done later */
+ if (current_payload_type == ENCRYPTED)
+ {
+ DBG2(DBG_ENC, "%N payload found. Stop parsing",
+ payload_type_names, current_payload_type);
+ break;
+ }
+
+ /* get next payload type */
+ current_payload_type = current_payload->get_next_type(current_payload);
+ }
+
+ if (current_payload_type == ENCRYPTED)
+ {
+ status = decrypt_payloads(this,crypter,signer);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "could not decrypt payloads");
+ return status;
+ }
+ }
+
+ status = verify(this);
+ if (status != SUCCESS)
+ {
+ return status;
+ }
+
+ DBG1(DBG_ENC, "parsed %M", this);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of message_t.destroy.
+ */
+static void destroy (private_message_t *this)
+{
+ DESTROY_IF(this->ike_sa_id);
+ this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
+ this->packet->destroy(this->packet);
+ this->parser->destroy(this->parser);
+ free(this);
+}
+
+/*
+ * Described in Header-File
+ */
+message_t *message_create_from_packet(packet_t *packet)
+{
+ private_message_t *this = malloc_thing(private_message_t);
+
+ /* public functions */
+ this->public.set_major_version = (void(*)(message_t*, u_int8_t))set_major_version;
+ this->public.get_major_version = (u_int8_t(*)(message_t*))get_major_version;
+ this->public.set_minor_version = (void(*)(message_t*, u_int8_t))set_minor_version;
+ this->public.get_minor_version = (u_int8_t(*)(message_t*))get_minor_version;
+ this->public.set_message_id = (void(*)(message_t*, u_int32_t))set_message_id;
+ this->public.get_message_id = (u_int32_t(*)(message_t*))get_message_id;
+ this->public.get_initiator_spi = (u_int64_t(*)(message_t*))get_initiator_spi;
+ this->public.get_responder_spi = (u_int64_t(*)(message_t*))get_responder_spi;
+ this->public.set_ike_sa_id = (void(*)(message_t*, ike_sa_id_t *))set_ike_sa_id;
+ this->public.get_ike_sa_id = (ike_sa_id_t*(*)(message_t*))get_ike_sa_id;
+ this->public.set_exchange_type = (void(*)(message_t*, exchange_type_t))set_exchange_type;
+ this->public.get_exchange_type = (exchange_type_t(*)(message_t*))get_exchange_type;
+ this->public.set_request = (void(*)(message_t*, bool))set_request;
+ this->public.get_request = (bool(*)(message_t*))get_request;
+ this->public.add_payload = (void(*)(message_t*,payload_t*))add_payload;
+ this->public.add_notify = (void(*)(message_t*,bool,notify_type_t,chunk_t))add_notify;
+ this->public.generate = (status_t (*) (message_t *,crypter_t*,signer_t*,packet_t**)) generate;
+ this->public.set_source = (void (*) (message_t*,host_t*)) set_source;
+ this->public.get_source = (host_t * (*) (message_t*)) get_source;
+ this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
+ this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
+ this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
+ this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
+ this->public.parse_header = (status_t (*) (message_t *)) parse_header;
+ this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
+ this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
+ this->public.get_packet_data = (chunk_t (*) (message_t *this)) get_packet_data;
+ this->public.destroy = (void(*)(message_t*))destroy;
+
+ /* private values */
+ this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
+ this->is_request = TRUE;
+ this->ike_sa_id = NULL;
+ this->first_payload = NO_PAYLOAD;
+ this->message_id = 0;
+
+ /* private values */
+ if (packet == NULL)
+ {
+ packet = packet_create();
+ }
+ this->message_rule = NULL;
+ this->packet = packet;
+ this->payloads = linked_list_create();
+
+ /* parser is created from data of packet */
+ this->parser = parser_create(this->packet->get_data(this->packet));
+
+ return (&this->public);
+}
+
+/*
+ * Described in Header.
+ */
+message_t *message_create()
+{
+ return message_create_from_packet(NULL);
+}
diff --git a/src/charon/encoding/message.h b/src/charon/encoding/message.h
new file mode 100644
index 000000000..73c2e05c6
--- /dev/null
+++ b/src/charon/encoding/message.h
@@ -0,0 +1,390 @@
+/**
+ * @file message.h
+ *
+ * @brief Interface of message_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef MESSAGE_H_
+#define MESSAGE_H_
+
+typedef struct message_t message_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <network/packet.h>
+#include <encoding/payloads/ike_header.h>
+#include <encoding/payloads/notify_payload.h>
+#include <utils/linked_list.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+
+/**
+ * @brief This class is used to represent an IKEv2-Message.
+ *
+ * The message handles parsing and generation of payloads
+ * via parser_t/generator_t. Encryption is done transparently
+ * via the encryption_payload_t. A set of rules for messages
+ * and payloads does check parsed messages.
+ *
+ * @b Constructors:
+ * - message_create()
+ * - message_create_from_packet()
+ * - message_create_notify_reply()
+ *
+ * @ingroup encoding
+ */
+struct message_t {
+
+ /**
+ * @brief Sets the IKE major version of the message.
+ *
+ * @param this message_t object
+ * @param major_version major version to set
+ */
+ void (*set_major_version) (message_t *this,u_int8_t major_version);
+
+ /**
+ * @brief Gets the IKE major version of the message.
+ *
+ * @param this message_t object
+ * @return major version of the message
+ */
+ u_int8_t (*get_major_version) (message_t *this);
+
+ /**
+ * @brief Sets the IKE minor version of the message.
+ *
+ * @param this message_t object
+ * @param minor_version minor version to set
+ */
+ void (*set_minor_version) (message_t *this,u_int8_t minor_version);
+
+ /**
+ * @brief Gets the IKE minor version of the message.
+ *
+ * @param this message_t object
+ * @return minor version of the message
+ */
+ u_int8_t (*get_minor_version) (message_t *this);
+
+ /**
+ * @brief Sets the Message ID of the message.
+ *
+ * @param this message_t object
+ * @param message_id message_id to set
+ */
+ void (*set_message_id) (message_t *this,u_int32_t message_id);
+
+ /**
+ * @brief Gets the Message ID of the message.
+ *
+ * @param this message_t object
+ * @return message_id type of the message
+ */
+ u_int32_t (*get_message_id) (message_t *this);
+
+ /**
+ * @brief Gets the initiator SPI of the message.
+ *
+ * @param this message_t object
+ * @return initiator spi of the message
+ */
+ u_int64_t (*get_initiator_spi) (message_t *this);
+
+ /**
+ * @brief Gets the responder SPI of the message.
+ *
+ * @param this message_t object
+ * @return responder spi of the message
+ */
+ u_int64_t (*get_responder_spi) (message_t *this);
+
+ /**
+ * @brief Sets the IKE_SA ID of the message.
+ *
+ * ike_sa_id gets cloned.
+ *
+ * @param this message_t object
+ * @param ike_sa_id ike_sa_id to set
+ */
+ void (*set_ike_sa_id) (message_t *this, ike_sa_id_t * ike_sa_id);
+
+ /**
+ * @brief Gets the IKE_SA ID of the message.
+ *
+ * The ike_sa_id points to the message internal id, do not modify.
+ *
+ * @param this message_t object
+ * @return ike_sa_id of message
+ */
+ ike_sa_id_t *(*get_ike_sa_id) (message_t *this);
+
+ /**
+ * @brief Sets the exchange type of the message.
+ *
+ * @param this message_t object
+ * @param exchange_type exchange_type to set
+ */
+ void (*set_exchange_type) (message_t *this,exchange_type_t exchange_type);
+
+ /**
+ * @brief Gets the exchange type of the message.
+ *
+ * @param this message_t object
+ * @return exchange type of the message
+ */
+ exchange_type_t (*get_exchange_type) (message_t *this);
+
+ /**
+ * @brief Sets the request flag.
+ *
+ * @param this message_t object
+ * @param original_initiator TRUE if message is a request, FALSE if it is a reply
+ */
+ void (*set_request) (message_t *this,bool request);
+
+ /**
+ * @brief Gets request flag.
+ *
+ * @param this message_t object
+ * @return TRUE if message is a request, FALSE if it is a reply
+ */
+ bool (*get_request) (message_t *this);
+
+ /**
+ * @brief Append a payload to the message.
+ *
+ * If the payload must be encrypted is not specified here. Encryption
+ * of payloads is evaluated via internal rules for the messages and
+ * is done before generation. The order of payloads may change, since
+ * all payloads to encrypt are added to the encryption payload, which is
+ * always the last one.
+ *
+ * @param this message_t object
+ * @param payload payload to append
+ */
+ void (*add_payload) (message_t *this, payload_t *payload);
+
+ /**
+ * @brief Build a notify payload and add it to the message.
+ *
+ * This is a helper method to create notify messages or add
+ * notify payload to messages. The flush parameter specifies if existing
+ * payloads should get removed before appending the notify.
+ *
+ * @param this message_t object
+ * @param flush TRUE to remove existing payloads
+ * @param type type of the notify
+ * @param data a chunk of data to add to the notify, gets cloned
+ */
+ void (*add_notify) (message_t *this, bool flush, notify_type_t type,
+ chunk_t data);
+
+ /**
+ * @brief Parses header of message.
+ *
+ * Begins parisng of a message created via message_create_from_packet().
+ * The parsing context is stored, so a subsequent call to parse_body()
+ * will continue the parsing process.
+ *
+ * @param this message_t object
+ * @return
+ * - SUCCESS if header could be parsed
+ * - PARSE_ERROR if corrupted/invalid data found
+ * - FAILED if consistence check of header failed
+ */
+ status_t (*parse_header) (message_t *this);
+
+ /**
+ * @brief Parses body of message.
+ *
+ * The body gets not only parsed, but rather it gets verified.
+ * All payloads are verified if they are allowed to exist in the message
+ * of this type and if their own structure is ok.
+ * If there are encrypted payloads, they get decrypted via the supplied
+ * crypter. Also the message integrity gets verified with the supplied
+ * signer.
+ * Crypter/signer can be omitted (by passing NULL) when no encryption
+ * payload is expected.
+ *
+ * @param this message_t object
+ * @param crypter crypter to decrypt encryption payloads
+ * @param signer signer to verifiy a message with an encryption payload
+ * @return
+ * - SUCCESS if parsing successful
+ * - NOT_SUPPORTED if ciritcal unknown payloads found
+ * - NOT_SUPPORTED if message type is not supported!
+ * - PARSE_ERROR if message parsing failed
+ * - VERIFY_ERROR if message verification failed (bad syntax)
+ * - FAILED if integrity check failed
+ * - INVALID_STATE if crypter/signer not supplied, but needed
+ */
+ status_t (*parse_body) (message_t *this, crypter_t *crypter, signer_t *signer);
+
+ /**
+ * @brief Generates the UDP packet of specific message.
+ *
+ * Payloads which must be encrypted are generated first and added to
+ * an encryption payload. This encryption payload will get encrypted via
+ * the supplied crypter. Then all other payloads and the header get generated.
+ * After that, the checksum is added to the encryption payload over the full
+ * message.
+ * Crypter/signer can be omitted (by passing NULL) when no encryption
+ * payload is expected.
+ * Generation is only done once, multiple calls will just return a packet copy.
+ *
+ * @param this message_t object
+ * @param crypter crypter to use when a payload must be encrypted
+ * @param signer signer to build a mac
+ * @param packet copy of generated packet
+ * @return
+ * - SUCCESS if packet could be generated
+ * - INVALID_STATE if exchange type is currently not set
+ * - NOT_FOUND if no rules found for message generation
+ * - INVALID_STATE if crypter/signer not supplied but needed.
+ */
+ status_t (*generate) (message_t *this, crypter_t *crypter, signer_t *signer, packet_t **packet);
+
+ /**
+ * @brief Gets the source host informations.
+ *
+ * @warning Returned host_t object is not getting cloned,
+ * do not destroy nor modify.
+ *
+ * @param this message_t object
+ * @return host_t object representing source host
+ */
+ host_t * (*get_source) (message_t *this);
+
+ /**
+ * @brief Sets the source host informations.
+ *
+ * @warning host_t object is not getting cloned and gets destroyed by
+ * message_t.destroy or next call of message_t.set_source.
+ *
+ * @param this message_t object
+ * @param host host_t object representing source host
+ */
+ void (*set_source) (message_t *this, host_t *host);
+
+ /**
+ * @brief Gets the destination host informations.
+ *
+ * @warning Returned host_t object is not getting cloned,
+ * do not destroy nor modify.
+ *
+ * @param this message_t object
+ * @return host_t object representing destination host
+ */
+ host_t * (*get_destination) (message_t *this);
+
+ /**
+ * @brief Sets the destination host informations.
+ *
+ * @warning host_t object is not getting cloned and gets destroyed by
+ * message_t.destroy or next call of message_t.set_destination.
+ *
+ * @param this message_t object
+ * @param host host_t object representing destination host
+ */
+ void (*set_destination) (message_t *this, host_t *host);
+
+ /**
+ * @brief Returns an iterator on all stored payloads.
+ *
+ * @warning Don't insert payloads over this iterator.
+ * Use add_payload() instead.
+ *
+ * @param this message_t object
+ * @return iterator_t object which has to get destroyd by the caller
+ */
+ iterator_t * (*get_payload_iterator) (message_t *this);
+
+ /**
+ * @brief Find a payload of a spicific type.
+ *
+ * Returns the first occurance.
+ *
+ * @param this message_t object
+ * @param type type of the payload to find
+ * @return payload, or NULL if no such payload found
+ */
+ payload_t* (*get_payload) (message_t *this, payload_type_t type);
+
+ /**
+ * @brief Returns a clone of the internal stored packet_t object.
+ *
+ * @param this message_t object
+ * @return packet_t object as clone of internal one
+ */
+ packet_t * (*get_packet) (message_t *this);
+
+ /**
+ * @brief Returns a clone of the internal stored packet_t data.
+ *
+ * @param this message_t object
+ * @return clone of the internal stored packet_t data.
+ */
+ chunk_t (*get_packet_data) (message_t *this);
+
+ /**
+ * @brief Destroys a message and all including objects.
+ *
+ * @param this message_t object
+ */
+ void (*destroy) (message_t *this);
+};
+
+/**
+ * @brief Creates an message_t object from a incoming UDP Packet.
+ *
+ * @warning the given packet_t object is not copied and gets
+ * destroyed in message_t's destroy call.
+ *
+ * @warning Packet is not parsed in here!
+ *
+ * - exchange_type is set to NOT_SET
+ * - original_initiator is set to TRUE
+ * - is_request is set to TRUE
+ * Call message_t.parse_header afterwards.
+ *
+ * @param packet packet_t object which is assigned to message
+ * @return message_t object
+ *
+ * @ingroup encoding
+ */
+message_t * message_create_from_packet(packet_t *packet);
+
+
+/**
+ * @brief Creates an empty message_t object.
+ *
+ * - exchange_type is set to NOT_SET
+ * - original_initiator is set to TRUE
+ * - is_request is set to TRUE
+ *
+ * @return message_t object
+ *
+ * @ingroup encoding
+ */
+message_t * message_create(void);
+
+#endif /*MESSAGE_H_*/
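Review bot: The doc comment on `set_request` documents `@param original_initiator`, but the prototype's parameter is `request`; it should read `@param request TRUE if message is a request, FALSE if it is a reply`. The two constructor comments at the end of the header have drifted in the same way: they state `exchange_type is set to NOT_SET` and `original_initiator is set to TRUE`, while message_create_from_packet() in message.c on this page assigns `EXCHANGE_TYPE_UNDEFINED` and initialises no original_initiator field in the lines shown. The class comment also lists `message_create_notify_reply()` under Constructors, which this header does not declare. Because message_create_from_packet() takes ownership of the packet and destroys it later, its comment should also say that a NULL argument makes it allocate an empty packet, which is what message_create() relies on.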
diff --git a/src/charon/encoding/parser.c b/src/charon/encoding/parser.c
new file mode 100644
index 000000000..d7caf7099
--- /dev/null
+++ b/src/charon/encoding/parser.c
@@ -0,0 +1,1048 @@
+/**
+ * @file parser.c
+ *
+ * @brief Implementation of parser_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <arpa/inet.h>
+#include <string.h>
+
+#include "parser.h"
+
+#include <library.h>
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <encoding/payloads/encodings.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/proposal_substructure.h>
+#include <encoding/payloads/transform_substructure.h>
+#include <encoding/payloads/transform_attribute.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/notify_payload.h>
+#include <encoding/payloads/encryption_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/certreq_payload.h>
+#include <encoding/payloads/ts_payload.h>
+#include <encoding/payloads/delete_payload.h>
+#include <encoding/payloads/vendor_id_payload.h>
+#include <encoding/payloads/cp_payload.h>
+#include <encoding/payloads/configuration_attribute.h>
+#include <encoding/payloads/eap_payload.h>
+#include <encoding/payloads/unknown_payload.h>
+
+
+typedef struct private_parser_t private_parser_t;
+
+/**
+ * Private data stored in a context.
+ *
+ * Contains pointers and counters to store current state.
+ */
+struct private_parser_t {
+ /**
+ * Public members, see parser_t.
+ */
+ parser_t public;
+
+ /**
+ * @brief Parse a 4-Bit unsigned integer from the current parsing position.
+ *
+ * @param this parser_t object
+ * @param rule_number number of current rule
+ * @param[out] output_pos pointer where to write the parsed result
+ * @return
+ * - SUCCESS or
+ * - PARSE_ERROR when not successful
+ */
+ status_t (*parse_uint4) (private_parser_t *this, int rule_number, u_int8_t *output_pos);
+
+ /**
+ * @brief Parse a 8-Bit unsigned integer from the current parsing position.
+ *
+ * @param this parser_t object
+ * @param rule_number number of current rule
+ * @param[out] output_pos pointer where to write the parsed result
+ * @return
+ * - SUCCESS or
+ * - PARSE_ERROR when not successful
+ */
+ status_t (*parse_uint8) (private_parser_t *this, int rule_number, u_int8_t *output_pos);
+
+ /**
+ * @brief Parse a 15-Bit unsigned integer from the current parsing position.
+ *
+ * This is a special case used for ATTRIBUTE_TYPE.
+ * Big-/Little-endian conversion is done here.
+ *
+ * @param this parser_t object
+ * @param rule_number number of current rule
+ * @param[out] output_pos pointer where to write the parsed result
+ * @return
+ * - SUCCESS or
+ * - PARSE_ERROR when not successful
+ */
+ status_t (*parse_uint15) (private_parser_t *this, int rule_number, u_int16_t *output_pos);
+
+ /**
+ * @brief Parse a 16-Bit unsigned integer from the current parsing position.
+ *
+ * Big-/Little-endian conversion is done here.
+ *
+ * @param this parser_t object
+ * @param rule_number number of current rule
+ * @param[out] output_pos pointer where to write the parsed result
+ * @return
+ * - SUCCESS or
+ * - PARSE_ERROR when not successful
+ */
+ status_t (*parse_uint16) (private_parser_t *this, int rule_number, u_int16_t *output_pos);
+
+ /**
+ * @brief Parse a 32-Bit unsigned integer from the current parsing position.
+ *
+ * Big-/Little-endian conversion is done here.
+ *
+ * @param this parser_t object
+ * @param rule_number number of current rule
+ * @param[out] output_pos pointer where to write the parsed result
+ * @return
+ * - SUCCESS or
+ * - PARSE_ERROR when not successful
+ */
+ status_t (*parse_uint32) (private_parser_t *this, int rule_number, u_int32_t *output_pos);
+
+ /**
+ * @brief Parse a 64-Bit unsigned integer from the current parsing position.
+ *
+ * @todo add support for big-endian machines.
+ *
+ * @param this parser_t object
+ * @param rule_number number of current rule
+ * @param[out] output_pos pointer where to write the parsed result
+ * @return
+ * - SUCCESS or
+ * - PARSE_ERROR when not successful
+ */
+ status_t (*parse_uint64) (private_parser_t *this, int rule_number, u_int64_t *output_pos);
+
+ /**
+ * @brief Parse a given amount of bytes and writes them to a specific location
+ *
+ * @param this parser_t object
+ * @param rule_number number of current rule
+ * @param[out] output_pos pointer where to write the parsed result
+ * @param bytes number of bytes to parse
+ * @return
+ * - SUCCESS or
+ * - PARSE_ERROR when not successful
+ */
+ status_t (*parse_bytes) (private_parser_t *this, int rule_number, u_int8_t *output_pos,size_t bytes);
+
+ /**
+ * @brief Parse a single Bit from the current parsing position
+ *
+ * @param this parser_t object
+ * @param rule_number number of current rule
+ * @param[out] output_pos pointer where to write the parsed result
+ * @return
+ * - SUCCESS or
+ * - PARSE_ERROR when not successful
+ */
+ status_t (*parse_bit) (private_parser_t *this, int rule_number, bool *output_pos);
+
+ /**
+ * @brief Parse substructures in a list
+ *
+ * This function calls the parser recursively to parse contained substructures
+ * in a linked_list_t. The list must already be created. Payload defines
+ * the type of the substructures. parsing is continued until the specified length
+ * is completely parsed.
+ *
+ * @param this parser_t object
+ * @param rule_number number of current rule
+ * @param[out] output_pos pointer of a linked_list where substructures are added
+ * @param payload_type type of the contained substructures to parse
+ * @param length number of bytes to parse in this list
+ * @return
+ * - SUCCESS or
+ * - PARSE_ERROR when not successful
+ */
+ status_t (*parse_list) (private_parser_t *this, int rule_number, linked_list_t **output_pos, payload_type_t payload_ype, size_t length);
+
+ /**
+ * @brief Parse data from current parsing position in a chunk.
+ *
+ * This function clones length number of bytes to output_pos, without
+ * modifiyng them. Space will be allocated and must be freed by caller.
+ *
+ * @param this parser_t object
+ * @param rule_number number of current rule
+ * @param[out] output_pos pointer of a chunk which will point to the allocated data
+ * @param length number of bytes to clone
+ * @return
+ * - SUCCESS or
+ * - PARSE_ERROR when not successful
+ */
+ status_t (*parse_chunk) (private_parser_t *this, int rule_number, chunk_t *output_pos, size_t length);
+
+ /**
+ * Current bit for reading in input data.
+ */
+ u_int8_t bit_pos;
+
+ /**
+ * Current byte for reading in input data.
+ */
+ u_int8_t *byte_pos;
+
+ /**
+ * Input data to parse.
+ */
+ u_int8_t *input;
+
+ /**
+ * Roof of input, used for length-checking.
+ */
+ u_int8_t *input_roof;
+
+ /**
+ * Set of encoding rules for this parsing session.
+ */
+ encoding_rule_t *rules;
+};
+
+/**
+ * Implementation of private_parser_t.parse_uint4.
+ */
+static status_t parse_uint4(private_parser_t *this, int rule_number, u_int8_t *output_pos)
+{
+ if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
+ {
+ DBG1(DBG_ENC, " not enough input to parse rule %d %N",
+ rule_number, encoding_type_names, this->rules[rule_number].type);
+ return PARSE_ERROR;
+ }
+ switch (this->bit_pos)
+ {
+ case 0:
+ /* caller interested in result ? */
+ if (output_pos != NULL)
+ {
+ *output_pos = *(this->byte_pos) >> 4;
+ }
+ this->bit_pos = 4;
+ break;
+ case 4:
+ /* caller interested in result ? */
+ if (output_pos != NULL)
+ {
+ *output_pos = *(this->byte_pos) & 0x0F;
+ }
+ this->bit_pos = 0;
+ this->byte_pos++;
+ break;
+ default:
+ DBG2(DBG_ENC, " found rule %d %N on bitpos %d",
+ rule_number, encoding_type_names,
+ this->rules[rule_number].type, this->bit_pos);
+ return PARSE_ERROR;
+ }
+
+ if (output_pos != NULL)
+ {
+ DBG3(DBG_ENC, " => %d", *output_pos);
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of private_parser_t.parse_uint8.
+ */
+static status_t parse_uint8(private_parser_t *this, int rule_number, u_int8_t *output_pos)
+{
+ if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
+ {
+ DBG1(DBG_ENC, " not enough input to parse rule %d %N",
+ rule_number, encoding_type_names, this->rules[rule_number].type);
+ return PARSE_ERROR;
+ }
+ if (this->bit_pos)
+ {
+ DBG1(DBG_ENC, " found rule %d %N on bitpos %d",
+ rule_number, encoding_type_names,
+ this->rules[rule_number].type, this->bit_pos);
+ return PARSE_ERROR;
+ }
+
+ /* caller interested in result ? */
+ if (output_pos != NULL)
+ {
+ *output_pos = *(this->byte_pos);
+ DBG3(DBG_ENC, " => %d", *output_pos);
+ }
+ this->byte_pos++;
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of private_parser_t.parse_uint15.
+ */
+static status_t parse_uint15(private_parser_t *this, int rule_number, u_int16_t *output_pos)
+{
+ if (this->byte_pos + sizeof(u_int16_t) > this->input_roof)
+ {
+ DBG1(DBG_ENC, " not enough input to parse rule %d %N",
+ rule_number, encoding_type_names, this->rules[rule_number].type);
+ return PARSE_ERROR;
+ }
+ if (this->bit_pos != 1)
+ {
+ DBG2(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
+ encoding_type_names, this->rules[rule_number].type, this->bit_pos);
+ return PARSE_ERROR;
+ }
+ /* caller interested in result ? */
+ if (output_pos != NULL)
+ {
+ *output_pos = ntohs(*((u_int16_t*)this->byte_pos)) & ~0x8000;
+ DBG3(DBG_ENC, " => %d", *output_pos);
+ }
+ this->byte_pos += 2;
+ this->bit_pos = 0;
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of private_parser_t.parse_uint16.
+ */
+static status_t parse_uint16(private_parser_t *this, int rule_number, u_int16_t *output_pos)
+{
+ if (this->byte_pos + sizeof(u_int16_t) > this->input_roof)
+ {
+ DBG1(DBG_ENC, " not enough input to parse rule %d %N",
+ rule_number, encoding_type_names, this->rules[rule_number].type);
+ return PARSE_ERROR;
+ }
+ if (this->bit_pos)
+ {
+ DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
+ encoding_type_names, this->rules[rule_number].type, this->bit_pos);
+ return PARSE_ERROR;
+ }
+ /* caller interested in result ? */
+ if (output_pos != NULL)
+ {
+ *output_pos = ntohs(*((u_int16_t*)this->byte_pos));
+
+ DBG3(DBG_ENC, " => %d", *output_pos);
+ }
+ this->byte_pos += 2;
+
+ return SUCCESS;
+}
+/**
+ * Implementation of private_parser_t.parse_uint32.
+ */
+static status_t parse_uint32(private_parser_t *this, int rule_number, u_int32_t *output_pos)
+{
+ if (this->byte_pos + sizeof(u_int32_t) > this->input_roof)
+ {
+ DBG1(DBG_ENC, " not enough input to parse rule %d %N",
+ rule_number, encoding_type_names, this->rules[rule_number].type);
+ return PARSE_ERROR;
+ }
+ if (this->bit_pos)
+ {
+ DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
+ encoding_type_names, this->rules[rule_number].type, this->bit_pos);
+ return PARSE_ERROR;
+ }
+ /* caller interested in result ? */
+ if (output_pos != NULL)
+ {
+ *output_pos = ntohl(*((u_int32_t*)this->byte_pos));
+
+ DBG3(DBG_ENC, " => %d", *output_pos);
+ }
+ this->byte_pos += 4;
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of private_parser_t.parse_uint64.
+ */
+static status_t parse_uint64(private_parser_t *this, int rule_number, u_int64_t *output_pos)
+{
+ if (this->byte_pos + sizeof(u_int64_t) > this->input_roof)
+ {
+ DBG1(DBG_ENC, " not enough input to parse rule %d %N",
+ rule_number, encoding_type_names, this->rules[rule_number].type);
+ return PARSE_ERROR;
+ }
+ if (this->bit_pos)
+ {
+ DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
+ encoding_type_names, this->rules[rule_number].type, this->bit_pos);
+ return PARSE_ERROR;
+ }
+ /* caller interested in result ? */
+ if (output_pos != NULL)
+ {
+ /* assuming little endian host order */
+ *(output_pos + 1) = ntohl(*((u_int32_t*)this->byte_pos));
+ *output_pos = ntohl(*(((u_int32_t*)this->byte_pos) + 1));
+
+ DBG3(DBG_ENC, " => %b", (void*)output_pos, sizeof(u_int64_t));
+ }
+ this->byte_pos += 8;
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of private_parser_t.parse_bytes.
+ */
+static status_t parse_bytes (private_parser_t *this, int rule_number, u_int8_t *output_pos,size_t bytes)
+{
+ if (this->byte_pos + bytes > this->input_roof)
+ {
+ DBG1(DBG_ENC, " not enough input to parse rule %d %N",
+ rule_number, encoding_type_names, this->rules[rule_number].type);
+ return PARSE_ERROR;
+ }
+ if (this->bit_pos)
+ {
+ DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
+ encoding_type_names, this->rules[rule_number].type, this->bit_pos);
+ return PARSE_ERROR;
+ }
+
+ /* caller interested in result ? */
+ if (output_pos != NULL)
+ {
+ memcpy(output_pos,this->byte_pos,bytes);
+
+ DBG3(DBG_ENC, " => %b", (void*)output_pos, bytes);
+ }
+ this->byte_pos += bytes;
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of private_parser_t.parse_bit.
+ */
+static status_t parse_bit(private_parser_t *this, int rule_number, bool *output_pos)
+{
+ if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
+ {
+ DBG1(DBG_ENC, " not enough input to parse rule %d %N",
+ rule_number, encoding_type_names, this->rules[rule_number].type);
+ return PARSE_ERROR;
+ }
+ /* caller interested in result ? */
+ if (output_pos != NULL)
+ {
+ u_int8_t mask;
+ mask = 0x01 << (7 - this->bit_pos);
+ *output_pos = *this->byte_pos & mask;
+
+ if (*output_pos)
+ {
+ /* set to a "clean", comparable true */
+ *output_pos = TRUE;
+ }
+
+ DBG3(DBG_ENC, " => %d", *output_pos);
+ }
+ this->bit_pos = (this->bit_pos + 1) % 8;
+ if (this->bit_pos == 0)
+ {
+ this->byte_pos++;
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of private_parser_t.parse_list.
+ */
+static status_t parse_list(private_parser_t *this, int rule_number, linked_list_t **output_pos, payload_type_t payload_type, size_t length)
+{
+ linked_list_t * list = *output_pos;
+
+ if (length < 0)
+ {
+ DBG1(DBG_ENC, " invalid length for rule %d %N",
+ rule_number, encoding_type_names, this->rules[rule_number].type);
+ return PARSE_ERROR;
+ }
+
+ if (this->bit_pos)
+ {
+ DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
+ encoding_type_names, this->rules[rule_number].type, this->bit_pos);
+ return PARSE_ERROR;
+ }
+
+ while (length > 0)
+ {
+ u_int8_t *pos_before = this->byte_pos;
+ payload_t *payload;
+ status_t status;
+ DBG2(DBG_ENC, " %d bytes left, parsing recursively %N",
+ length, payload_type_names, payload_type);
+ status = this->public.parse_payload((parser_t*)this, payload_type, &payload);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, " parsing of a %N substructure failed",
+ payload_type_names, payload_type);
+ return status;
+ }
+ list->insert_last(list, payload);
+ length -= this->byte_pos - pos_before;
+ }
+ *output_pos = list;
+ return SUCCESS;
+}
+
+/**
+ * Implementation of private_parser_t.parse_chunk.
+ */
+static status_t parse_chunk(private_parser_t *this, int rule_number, chunk_t *output_pos, size_t length)
+{
+ if (this->byte_pos + length > this->input_roof)
+ {
+ DBG1(DBG_ENC, " not enough input (%d bytes) to parse rule %d %N",
+ length, rule_number, encoding_type_names, this->rules[rule_number].type);
+ return PARSE_ERROR;
+ }
+ if (this->bit_pos)
+ {
+ DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
+ encoding_type_names, this->rules[rule_number].type, this->bit_pos);
+ return PARSE_ERROR;
+ }
+ if (output_pos != NULL)
+ {
+ output_pos->len = length;
+ output_pos->ptr = malloc(length);
+ memcpy(output_pos->ptr, this->byte_pos, length);
+ }
+ this->byte_pos += length;
+ DBG3(DBG_ENC, " => %b", (void*)output_pos->ptr, length);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of parser_t.parse_payload.
+ */
+static status_t parse_payload(private_parser_t *this, payload_type_t payload_type, payload_t **payload)
+{
+ payload_t *pld;
+ void *output;
+ size_t rule_count, payload_length = 0, spi_size = 0, attribute_length = 0;
+ u_int16_t ts_type = 0;
+ bool attribute_format = FALSE;
+ int rule_number;
+ encoding_rule_t *rule;
+
+ /* create instance of the payload to parse */
+ pld = payload_create(payload_type);
+
+ DBG2(DBG_ENC, "parsing %N payload, %d bytes left",
+ payload_type_names, payload_type, this->input_roof - this->byte_pos);
+
+ DBG3(DBG_ENC, "parsing payload from %b",
+ this->byte_pos, this->input_roof-this->byte_pos);
+
+ if (pld->get_type(pld) == UNKNOWN_PAYLOAD)
+ {
+ DBG1(DBG_ENC, " payload type %d is unknown, handling as %N",
+ payload_type, payload_type_names, UNKNOWN_PAYLOAD);
+ }
+
+ /* base pointer for output, avoids casting in every rule */
+ output = pld;
+
+ /* parse the payload with its own rulse */
+ pld->get_encoding_rules(pld, &(this->rules), &rule_count);
+ for (rule_number = 0; rule_number < rule_count; rule_number++)
+ {
+ rule = &(this->rules[rule_number]);
+ DBG2(DBG_ENC, " parsing rule %d %N",
+ rule_number, encoding_type_names, rule->type);
+ switch (rule->type)
+ {
+ case U_INT_4:
+ {
+ if (this->parse_uint4(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case U_INT_8:
+ {
+ if (this->parse_uint8(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case U_INT_16:
+ {
+ if (this->parse_uint16(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case U_INT_32:
+ {
+ if (this->parse_uint32(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case U_INT_64:
+ {
+ if (this->parse_uint64(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case IKE_SPI:
+ {
+ if (this->parse_bytes(this, rule_number, output + rule->offset,8) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case RESERVED_BIT:
+ {
+ if (this->parse_bit(this, rule_number, NULL) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case RESERVED_BYTE:
+ {
+ if (this->parse_uint8(this, rule_number, NULL) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case FLAG:
+ {
+ if (this->parse_bit(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case PAYLOAD_LENGTH:
+ {
+ if (this->parse_uint16(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ payload_length = *(u_int16_t*)(output + rule->offset);
+ break;
+ }
+ case HEADER_LENGTH:
+ {
+ if (this->parse_uint32(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case SPI_SIZE:
+ {
+ if (this->parse_uint8(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ spi_size = *(u_int8_t*)(output + rule->offset);
+ break;
+ }
+ case SPI:
+ {
+ if (this->parse_chunk(this, rule_number, output + rule->offset, spi_size) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case PROPOSALS:
+ {
+ size_t proposals_length = payload_length - SA_PAYLOAD_HEADER_LENGTH;
+ if (this->parse_list(this, rule_number, output + rule->offset, PROPOSAL_SUBSTRUCTURE, proposals_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case TRANSFORMS:
+ {
+ size_t transforms_length = payload_length - spi_size - PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH;
+ if (this->parse_list(this, rule_number, output + rule->offset, TRANSFORM_SUBSTRUCTURE, transforms_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case TRANSFORM_ATTRIBUTES:
+ {
+ size_t transform_a_length = payload_length - TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
+ if (this->parse_list(this, rule_number, output + rule->offset, TRANSFORM_ATTRIBUTE, transform_a_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case CONFIGURATION_ATTRIBUTES:
+ {
+ size_t configuration_attributes_length = payload_length - CP_PAYLOAD_HEADER_LENGTH;
+ if (this->parse_list(this, rule_number, output + rule->offset, CONFIGURATION_ATTRIBUTE, configuration_attributes_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case ATTRIBUTE_FORMAT:
+ {
+ if (this->parse_bit(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ attribute_format = *(bool*)(output + rule->offset);
+ break;
+ }
+ case ATTRIBUTE_TYPE:
+ {
+ if (this->parse_uint15(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ attribute_format = *(bool*)(output + rule->offset);
+ break;
+ }
+ case CONFIGURATION_ATTRIBUTE_LENGTH:
+ {
+ if (this->parse_uint16(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ attribute_length = *(u_int16_t*)(output + rule->offset);
+ break;
+ }
+ case ATTRIBUTE_LENGTH_OR_VALUE:
+ {
+ if (this->parse_uint16(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ attribute_length = *(u_int16_t*)(output + rule->offset);
+ break;
+ }
+ case ATTRIBUTE_VALUE:
+ {
+ if (attribute_format == FALSE)
+ {
+ if (this->parse_chunk(this, rule_number, output + rule->offset, attribute_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ }
+ break;
+ }
+ case NONCE_DATA:
+ {
+ size_t nonce_length = payload_length - NONCE_PAYLOAD_HEADER_LENGTH;
+ if (this->parse_chunk(this, rule_number, output + rule->offset, nonce_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case ID_DATA:
+ {
+ size_t data_length = payload_length - ID_PAYLOAD_HEADER_LENGTH;
+ if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case AUTH_DATA:
+ {
+ size_t data_length = payload_length - AUTH_PAYLOAD_HEADER_LENGTH;
+ if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case CERT_DATA:
+ {
+ size_t data_length = payload_length - CERT_PAYLOAD_HEADER_LENGTH;
+ if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case CERTREQ_DATA:
+ {
+ size_t data_length = payload_length - CERTREQ_PAYLOAD_HEADER_LENGTH;
+ if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case EAP_DATA:
+ {
+ size_t data_length = payload_length - EAP_PAYLOAD_HEADER_LENGTH;
+ if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case SPIS:
+ {
+ size_t data_length = payload_length - DELETE_PAYLOAD_HEADER_LENGTH;
+ if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case VID_DATA:
+ {
+ size_t data_length = payload_length - VENDOR_ID_PAYLOAD_HEADER_LENGTH;
+ if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case CONFIGURATION_ATTRIBUTE_VALUE:
+ {
+ size_t data_length = attribute_length;
+ if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case KEY_EXCHANGE_DATA:
+ {
+ size_t keydata_length = payload_length - KE_PAYLOAD_HEADER_LENGTH;
+ if (this->parse_chunk(this, rule_number, output + rule->offset, keydata_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case NOTIFICATION_DATA:
+ {
+ size_t notify_length = payload_length - NOTIFY_PAYLOAD_HEADER_LENGTH - spi_size;
+ if (this->parse_chunk(this, rule_number, output + rule->offset, notify_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case ENCRYPTED_DATA:
+ {
+ size_t data_length = payload_length - ENCRYPTION_PAYLOAD_HEADER_LENGTH;
+ if (this->parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case TS_TYPE:
+ {
+ if (this->parse_uint8(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ ts_type = *(u_int8_t*)(output + rule->offset);
+ break;
+ }
+ case ADDRESS:
+ {
+ size_t address_length = (ts_type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+ if (this->parse_chunk(this, rule_number, output + rule->offset,address_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case TRAFFIC_SELECTORS:
+ {
+ size_t traffic_selectors_length = payload_length - TS_PAYLOAD_HEADER_LENGTH;
+ if (this->parse_list(this, rule_number, output + rule->offset, TRAFFIC_SELECTOR_SUBSTRUCTURE, traffic_selectors_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ case UNKNOWN_PAYLOAD:
+ {
+ size_t unknown_payload_data_length = payload_length - UNKNOWN_PAYLOAD_HEADER_LENGTH;
+ if (this->parse_chunk(this, rule_number, output + rule->offset, unknown_payload_data_length) != SUCCESS)
+ {
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ break;
+ }
+ default:
+ {
+ DBG1(DBG_ENC, " no rule to parse rule %d %N",
+ rule_number, encoding_type_names, rule->type);
+ pld->destroy(pld);
+ return PARSE_ERROR;
+ }
+ }
+ /* process next rulue */
+ rule++;
+ }
+
+ *payload = pld;
+ DBG2(DBG_ENC, "parsing %N payload finished",
+ payload_type_names, payload_type);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of parser_t.get_remaining_byte_count.
+ */
+static int get_remaining_byte_count (private_parser_t *this)
+{
+ int count = (this->input_roof - this->byte_pos);
+ return count;
+}
+
+/**
+ * Implementation of parser_t.reset_context.
+ */
+static void reset_context (private_parser_t *this)
+{
+ this->byte_pos = this->input;
+ this->bit_pos = 0;
+}
+
+/**
+ * Implementation of parser_t.destroy.
+ */
+static void destroy(private_parser_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+parser_t *parser_create(chunk_t data)
+{
+ private_parser_t *this = malloc_thing(private_parser_t);
+
+ this->public.parse_payload = (status_t(*)(parser_t*,payload_type_t,payload_t**)) parse_payload;
+ this->public.reset_context = (void(*)(parser_t*)) reset_context;
+ this->public.get_remaining_byte_count = (int (*) (parser_t *))get_remaining_byte_count;
+ this->public.destroy = (void(*)(parser_t*)) destroy;
+
+ this->parse_uint4 = parse_uint4;
+ this->parse_uint8 = parse_uint8;
+ this->parse_uint15 = parse_uint15;
+ this->parse_uint16 = parse_uint16;
+ this->parse_uint32 = parse_uint32;
+ this->parse_uint64 = parse_uint64;
+ this->parse_bytes = parse_bytes;
+ this->parse_bit = parse_bit;
+ this->parse_list = parse_list;
+ this->parse_chunk = parse_chunk;
+
+ this->input = data.ptr;
+ this->byte_pos = data.ptr;
+ this->bit_pos = 0;
+ this->input_roof = data.ptr + data.len;
+
+ return (parser_t*)this;
+}
diff --git a/src/charon/encoding/parser.h b/src/charon/encoding/parser.h
new file mode 100644
index 000000000..e9978524c
--- /dev/null
+++ b/src/charon/encoding/parser.h
@@ -0,0 +1,95 @@
+/**
+ * @file parser.h
+ *
+ * @brief Interface of parser_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PARSER_H_
+#define PARSER_H_
+
+typedef struct parser_t parser_t;
+
+#include <library.h>
+#include <encoding/payloads/encodings.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * @brief A parser_t class to parse IKEv2 payloads.
+ *
+ * A parser is used for parsing one chunk of data. Multiple
+ * payloads can be parsed out of the chunk using parse_payload.
+ * The parser remains the state until destroyed.
+ *
+ * @b Constructors:
+ * - parser_create()
+ *
+ * @ingroup encoding
+ */
+struct parser_t {
+
+ /**
+ * @brief Parses the next payload.
+ *
+ * @warning Caller is responsible for freeing allocated payload.
+ *
+ * Rules for parsing are described in the payload definition.
+ *
+ * @param this parser_t bject
+ * @param payload_type payload type to parse
+ * @param[out] payload pointer where parsed payload was allocated
+ * @return
+ * - SUCCESSFUL if succeeded,
+ * - PARSE_ERROR if corrupted/invalid data found
+ */
+ status_t (*parse_payload) (parser_t *this, payload_type_t payload_type, payload_t **payload);
+
+ /**
+ * Gets the remaining byte count which is not currently parsed.
+ *
+ * @param parser parser_t object
+ */
+ int (*get_remaining_byte_count) (parser_t *this);
+
+ /**
+ * @brief Resets the current parser context.
+ *
+ * @param parser parser_t object
+ */
+ void (*reset_context) (parser_t *this);
+
+ /**
+ * @brief Destroys a parser_t object.
+ *
+ * @param parser parser_t object
+ */
+ void (*destroy) (parser_t *this);
+};
+
+/**
+ * @brief Constructor to create a parser_t object.
+ *
+ * @param data chunk of data to parse with this parser_t object
+ * @return parser_t object
+ *
+ * @ingroup encoding
+ */
+parser_t *parser_create(chunk_t data);
+
+#endif /*PARSER_H_*/
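Review bot: The comment on parser_create() does not say that the chunk is borrowed rather than copied. In parser.c on this page the constructor stores `data.ptr` and `data.ptr + data.len` directly, so a caller that frees or reuses the buffer while the parser is alive leaves it reading stale memory. I would add to the constructor comment: `The data is not copied; data.ptr must stay valid and unchanged until destroy() is called.` In the parse_payload comment, `SUCCESSFUL` should read `SUCCESS`, which is the value parser.c returns. The three `@param parser` tags also describe an argument that is actually named `this`.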
diff --git a/src/charon/encoding/payloads/auth_payload.c b/src/charon/encoding/payloads/auth_payload.c
new file mode 100644
index 000000000..256d6c8a4
--- /dev/null
+++ b/src/charon/encoding/payloads/auth_payload.c
@@ -0,0 +1,265 @@
+/**
+ * @file auth_payload.h
+ *
+ * @brief Implementation of auth_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "auth_payload.h"
+
+#include <encoding/payloads/encodings.h>
+
+
+typedef struct private_auth_payload_t private_auth_payload_t;
+
+/**
+ * Private data of an auth_payload_t object.
+ *
+ */
+struct private_auth_payload_t {
+
+ /**
+ * Public auth_payload_t interface.
+ */
+ auth_payload_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * Method of the AUTH Data.
+ */
+ u_int8_t auth_method;
+
+ /**
+ * The contained auth data value.
+ */
+ chunk_t auth_data;
+};
+
+/**
+ * Encoding rules to parse or generate a AUTH payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_auth_payload_t.
+ */
+encoding_rule_t auth_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_auth_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_auth_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole payload*/
+ { PAYLOAD_LENGTH, offsetof(private_auth_payload_t, payload_length)},
+ /* 1 Byte AUTH type*/
+ { U_INT_8, offsetof(private_auth_payload_t, auth_method) },
+ /* 3 reserved bytes */
+ { RESERVED_BYTE, 0 },
+ { RESERVED_BYTE, 0 },
+ { RESERVED_BYTE, 0 },
+ /* some auth data bytes, length is defined in PAYLOAD_LENGTH */
+ { AUTH_DATA, offsetof(private_auth_payload_t, auth_data) }
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Auth Method ! RESERVED !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Authentication Data ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_auth_payload_t *this)
+{
+ if (this->auth_method == 0 ||
+ (this->auth_method >= 4 && this->auth_method <= 200))
+ {
+ /* reserved IDs */
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of auth_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_auth_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = auth_payload_encodings;
+ *rule_count = sizeof(auth_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_auth_payload_t *this)
+{
+ return AUTHENTICATION;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_auth_payload_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_auth_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_auth_payload_t *this)
+{
+ return this->payload_length;
+}
+
+/**
+ * Implementation of auth_payload_t.set_auth_method.
+ */
+static void set_auth_method (private_auth_payload_t *this, auth_method_t method)
+{
+ this->auth_method = method;
+}
+
+/**
+ * Implementation of auth_payload_t.get_auth_method.
+ */
+static auth_method_t get_auth_method (private_auth_payload_t *this)
+{
+ return (this->auth_method);
+}
+
+/**
+ * Implementation of auth_payload_t.set_data.
+ */
+static void set_data (private_auth_payload_t *this, chunk_t data)
+{
+ if (this->auth_data.ptr != NULL)
+ {
+ chunk_free(&(this->auth_data));
+ }
+ this->auth_data.ptr = clalloc(data.ptr,data.len);
+ this->auth_data.len = data.len;
+ this->payload_length = AUTH_PAYLOAD_HEADER_LENGTH + this->auth_data.len;
+}
+
+/**
+ * Implementation of auth_payload_t.get_data.
+ */
+static chunk_t get_data (private_auth_payload_t *this)
+{
+ return (this->auth_data);
+}
+
+/**
+ * Implementation of auth_payload_t.get_data_clone.
+ */
+static chunk_t get_data_clone (private_auth_payload_t *this)
+{
+ chunk_t cloned_data;
+ if (this->auth_data.ptr == NULL)
+ {
+ return (this->auth_data);
+ }
+ cloned_data.ptr = clalloc(this->auth_data.ptr,this->auth_data.len);
+ cloned_data.len = this->auth_data.len;
+ return cloned_data;
+}
+
+/**
+ * Implementation of payload_t.destroy and auth_payload_t.destroy.
+ */
+static void destroy(private_auth_payload_t *this)
+{
+ if (this->auth_data.ptr != NULL)
+ {
+ chunk_free(&(this->auth_data));
+ }
+
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+auth_payload_t *auth_payload_create()
+{
+ private_auth_payload_t *this = malloc_thing(private_auth_payload_t);
+
+ /* interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.destroy = (void (*) (auth_payload_t *)) destroy;
+ this->public.set_auth_method = (void (*) (auth_payload_t *,auth_method_t)) set_auth_method;
+ this->public.get_auth_method = (auth_method_t (*) (auth_payload_t *)) get_auth_method;
+ this->public.set_data = (void (*) (auth_payload_t *,chunk_t)) set_data;
+ this->public.get_data_clone = (chunk_t (*) (auth_payload_t *)) get_data_clone;
+ this->public.get_data = (chunk_t (*) (auth_payload_t *)) get_data;
+
+ /* private variables */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length =AUTH_PAYLOAD_HEADER_LENGTH;
+ this->auth_data = chunk_empty;
+
+ return (&(this->public));
+}
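Review bot: In set_data() the sum `AUTH_PAYLOAD_HEADER_LENGTH + this->auth_data.len` is assigned to the `u_int16_t` field payload_length, so a chunk longer than 0xFFFF - AUTH_PAYLOAD_HEADER_LENGTH bytes wraps the length silently while auth_data keeps the full size. Whether any caller can pass such a chunk is not visible here, but the object would then report a length that disagrees with its data. Because set_data() returns void, the limit should at least be stated above it, e.g. `/* data.len must be <= 0xFFFF - AUTH_PAYLOAD_HEADER_LENGTH, payload_length is a 16 bit field */`, and oversize input is best rejected before the old buffer is freed. verify() could also compare payload_length with `AUTH_PAYLOAD_HEADER_LENGTH + this->auth_data.len` so that an inconsistent object is refused. Separately, the file header says `@file auth_payload.h` although this is auth_payload.c.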
diff --git a/src/charon/encoding/payloads/auth_payload.h b/src/charon/encoding/payloads/auth_payload.h
new file mode 100644
index 000000000..2db82ec0b
--- /dev/null
+++ b/src/charon/encoding/payloads/auth_payload.h
@@ -0,0 +1,121 @@
+/**
+ * @file auth_payload.h
+ *
+ * @brief Interface of auth_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef AUTH_PAYLOAD_H_
+#define AUTH_PAYLOAD_H_
+
+typedef struct auth_payload_t auth_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <sa/authenticators/authenticator.h>
+
+/**
+ * Length of a auth payload without the auth data in bytes.
+ *
+ * @ingroup payloads
+ */
+#define AUTH_PAYLOAD_HEADER_LENGTH 8
+
+/**
+ * @brief Class representing an IKEv2 AUTH payload.
+ *
+ * The AUTH payload format is described in RFC section 3.8.
+ *
+ * @b Constructors:
+ * - auth_payload_create()
+ *
+ * @ingroup payloads
+ */
+struct auth_payload_t {
+
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Set the AUTH method.
+ *
+ * @param this calling auth_payload_t object
+ * @param method auth_method_t to use
+ */
+ void (*set_auth_method) (auth_payload_t *this, auth_method_t method);
+
+ /**
+ * @brief Get the AUTH method.
+ *
+ * @param this calling auth_payload_t object
+ * @return auth_method_t used
+ */
+ auth_method_t (*get_auth_method) (auth_payload_t *this);
+
+ /**
+ * @brief Set the AUTH data.
+ *
+ * Data are getting cloned.
+ *
+ * @param this calling auth_payload_t object
+ * @param data AUTH data as chunk_t
+ */
+ void (*set_data) (auth_payload_t *this, chunk_t data);
+
+ /**
+ * @brief Get the AUTH data.
+ *
+ * Returned data are a copy of the internal one.
+ *
+ * @param this calling auth_payload_t object
+ * @return AUTH data as chunk_t
+ */
+ chunk_t (*get_data_clone) (auth_payload_t *this);
+
+ /**
+ * @brief Get the AUTH data.
+ *
+ * Returned data are NOT copied
+ *
+ * @param this calling auth_payload_t object
+ * @return AUTH data as chunk_t
+ */
+ chunk_t (*get_data) (auth_payload_t *this);
+
+ /**
+ * @brief Destroys an auth_payload_t object.
+ *
+ * @param this auth_payload_t object to destroy
+ */
+ void (*destroy) (auth_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty auth_payload_t object.
+ *
+ * @return auth_payload_t object
+ *
+ * @ingroup payloads
+ */
+auth_payload_t *auth_payload_create(void);
+
+
+#endif /* AUTH_PAYLOAD_H_ */
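Review bot: The get_data comment says the returned data is not copied but not how long the chunk stays valid. In auth_payload.c both set_data() and destroy() call chunk_free on the internal buffer, so a chunk obtained earlier dangles after either call. I would extend the comment with `Returned chunk points to internal data; it becomes invalid after set_data() or destroy() and must not be freed by the caller.` The set_data comment could also mention that the payload length field is 16 bits wide, and the class comment's "RFC section 3.8" omits the RFC number.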
diff --git a/src/charon/encoding/payloads/cert_payload.c b/src/charon/encoding/payloads/cert_payload.c
new file mode 100644
index 000000000..c456f4936
--- /dev/null
+++ b/src/charon/encoding/payloads/cert_payload.c
@@ -0,0 +1,290 @@
+/**
+ * @file cert_payload.c
+ *
+ * @brief Implementation of cert_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "cert_payload.h"
+
+
+ENUM(cert_encoding_names, CERT_NONE, CERT_OCSP_CONTENT,
+ "CERT_NONE",
+ "CERT_PKCS7_WRAPPED_X509",
+ "CERT_PGP",
+ "CERT_DNS_SIGNED_KEY",
+ "CERT_X509_SIGNATURE",
+ "CERT_X509_KEY_EXCHANGE",
+ "CERT_KERBEROS_TOKENS",
+ "CERT_CRL",
+ "CERT_ARL",
+ "CERT_SPKI",
+ "CERT_X509_ATTRIBUTE",
+ "CERT_RAW_RSA_KEY",
+ "CERT_X509_HASH_AND_URL",
+ "CERT_X509_HASH_AND_URL_BUNDLE",
+ "CERT_OCSP_CONTENT",
+);
+
+typedef struct private_cert_payload_t private_cert_payload_t;
+
+/**
+ * Private data of an cert_payload_t object.
+ *
+ */
+struct private_cert_payload_t {
+ /**
+ * Public cert_payload_t interface.
+ */
+ cert_payload_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * Encoding of the CERT Data.
+ */
+ u_int8_t cert_encoding;
+
+ /**
+ * The contained cert data value.
+ */
+ chunk_t cert_data;
+};
+
+/**
+ * Encoding rules to parse or generate a CERT payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_cert_payload_t.
+ *
+ */
+encoding_rule_t cert_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_cert_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_cert_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole payload*/
+ { PAYLOAD_LENGTH, offsetof(private_cert_payload_t, payload_length)},
+ /* 1 Byte CERT type*/
+ { U_INT_8, offsetof(private_cert_payload_t, cert_encoding) },
+ /* some cert data bytes, length is defined in PAYLOAD_LENGTH */
+ { CERT_DATA, offsetof(private_cert_payload_t, cert_data) }
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Cert Encoding ! !
+ +-+-+-+-+-+-+-+-+ !
+ ~ Certificate Data ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_cert_payload_t *this)
+{
+ if ((this->cert_encoding == 0) ||
+ ((this->cert_encoding >= CERT_ROOF) && (this->cert_encoding <= 200)))
+ {
+ /* reserved IDs */
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of cert_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_cert_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = cert_payload_encodings;
+ *rule_count = sizeof(cert_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_cert_payload_t *this)
+{
+ return CERTIFICATE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_cert_payload_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_cert_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_cert_payload_t *this)
+{
+ return this->payload_length;
+}
+
+/**
+ * Implementation of cert_payload_t.set_cert_encoding.
+ */
+static void set_cert_encoding (private_cert_payload_t *this, cert_encoding_t encoding)
+{
+ this->cert_encoding = encoding;
+}
+
+/**
+ * Implementation of cert_payload_t.get_cert_encoding.
+ */
+static cert_encoding_t get_cert_encoding (private_cert_payload_t *this)
+{
+ return (this->cert_encoding);
+}
+
+/**
+ * Implementation of cert_payload_t.set_data.
+ */
+static void set_data (private_cert_payload_t *this, chunk_t data)
+{
+ if (this->cert_data.ptr != NULL)
+ {
+ chunk_free(&(this->cert_data));
+ }
+ this->cert_data.ptr = clalloc(data.ptr,data.len);
+ this->cert_data.len = data.len;
+ this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->cert_data.len;
+}
+
+/**
+ * Implementation of cert_payload_t.get_data.
+ */
+static chunk_t get_data (private_cert_payload_t *this)
+{
+ return (this->cert_data);
+}
+
+/**
+ * Implementation of cert_payload_t.get_data_clone.
+ */
+static chunk_t get_data_clone (private_cert_payload_t *this)
+{
+ chunk_t cloned_data;
+ if (this->cert_data.ptr == NULL)
+ {
+ return (this->cert_data);
+ }
+ cloned_data.ptr = clalloc(this->cert_data.ptr,this->cert_data.len);
+ cloned_data.len = this->cert_data.len;
+ return cloned_data;
+}
+
+/**
+ * Implementation of payload_t.destroy and cert_payload_t.destroy.
+ */
+static void destroy(private_cert_payload_t *this)
+{
+ if (this->cert_data.ptr != NULL)
+ {
+ chunk_free(&(this->cert_data));
+ }
+
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+cert_payload_t *cert_payload_create()
+{
+ private_cert_payload_t *this = malloc_thing(private_cert_payload_t);
+
+ /* interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t*))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**, size_t*))get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t*))destroy;
+
+ /* public functions */
+ this->public.destroy = (void (*) (cert_payload_t*))destroy;
+ this->public.set_cert_encoding = (void (*) (cert_payload_t*,cert_encoding_t))set_cert_encoding;
+ this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t*))get_cert_encoding;
+ this->public.set_data = (void (*) (cert_payload_t*,chunk_t))set_data;
+ this->public.get_data_clone = (chunk_t (*) (cert_payload_t*))get_data_clone;
+ this->public.get_data = (chunk_t (*) (cert_payload_t*))get_data;
+
+ /* private variables */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length = CERT_PAYLOAD_HEADER_LENGTH;
+ this->cert_data = chunk_empty;
+
+ return (&(this->public));
+}
+
+/*
+ * Described in header
+ */
+cert_payload_t *cert_payload_create_from_x509(x509_t *cert)
+{
+ cert_payload_t *this = cert_payload_create();
+
+ this->set_cert_encoding(this, CERT_X509_SIGNATURE);
+ this->set_data(this, cert->get_certificate(cert));
+ return this;
+}
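Review bot: In set_data(), `this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->cert_data.len;` stores the sum in the u_int16_t payload_length field, so data longer than 65530 bytes would silently wrap and the encoded length would no longer match the body (this assumes chunk_t.len is wider than 16 bits, which the hunk does not show). Because the function returns void, the smallest fix is a guard ahead of the free, `if (data.len > 0xFFFF - CERT_PAYLOAD_HEADER_LENGTH) return;`, although a status return would let callers notice the rejection. The same pattern appears in set_data() of certreq_payload.c and, for attribute_length, in set_value() of configuration_attribute.c. All three also use the result of clalloc() unchecked; whether it can return NULL is not visible here.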
diff --git a/src/charon/encoding/payloads/cert_payload.h b/src/charon/encoding/payloads/cert_payload.h
new file mode 100644
index 000000000..bcb961398
--- /dev/null
+++ b/src/charon/encoding/payloads/cert_payload.h
@@ -0,0 +1,166 @@
+/**
+ * @file cert_payload.h
+ *
+ * @brief Interface of cert_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CERT_PAYLOAD_H_
+#define CERT_PAYLOAD_H_
+
+typedef enum cert_encoding_t cert_encoding_t;
+typedef struct cert_payload_t cert_payload_t;
+
+#include <library.h>
+#include <crypto/x509.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Length of a cert payload without the cert data in bytes.
+ *
+ * @ingroup payloads
+ */
+#define CERT_PAYLOAD_HEADER_LENGTH 5
+
+/**
+ * @brief Certificate encoding, as described in IKEv2 RFC section 3.6
+ *
+ * @ingroup payloads
+ */
+enum cert_encoding_t {
+ CERT_NONE = 0,
+ CERT_PKCS7_WRAPPED_X509 = 1,
+ CERT_PGP = 2,
+ CERT_DNS_SIGNED_KEY = 3,
+ CERT_X509_SIGNATURE = 4,
+ CERT_KERBEROS_TOKEN = 6,
+ CERT_CRL = 7,
+ CERT_ARL = 8,
+ CERT_SPKI = 9,
+ CERT_X509_ATTRIBUTE = 10,
+ CERT_RAW_RSA_KEY = 11,
+ CERT_X509_HASH_AND_URL = 12,
+ CERT_X509_HASH_AND_URL_BUNDLE = 13,
+ CERT_OCSP_CONTENT = 14, /* from RFC 4806 */
+ CERT_ROOF = 15
+};
+
+/**
+ * string mappings for cert_encoding_t.
+ *
+ * @ingroup payloads
+ */
+extern enum_name_t *cert_encoding_names;
+
+/**
+ * @brief Class representing an IKEv2 CERT payload.
+ *
+ * The CERT payload format is described in RFC section 3.6.
+ * This is just a dummy implementation to fullfill the standards
+ * requirements. A full implementation would offer setters/getters
+ * for the different encoding types.
+ *
+ * @b Constructors:
+ * - cert_payload_create()
+ *
+ * @todo Implement setters/getters for the different certificate encodings.
+ *
+ * @ingroup payloads
+ */
+struct cert_payload_t {
+
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Set the CERT encoding.
+ *
+ * @param this calling cert_payload_t object
+ * @param encoding CERT encoding
+ */
+ void (*set_cert_encoding) (cert_payload_t *this, cert_encoding_t encoding);
+
+ /**
+ * @brief Get the CERT encoding.
+ *
+ * @param this calling cert_payload_t object
+ * @return Encoding of the CERT
+ */
+ cert_encoding_t (*get_cert_encoding) (cert_payload_t *this);
+
+ /**
+ * @brief Set the CERT data.
+ *
+ * Data are getting cloned.
+ *
+ * @param this calling cert_payload_t object
+ * @param data CERT data as chunk_t
+ */
+ void (*set_data) (cert_payload_t *this, chunk_t data);
+
+ /**
+ * @brief Get the CERT data.
+ *
+ * Returned data are a copy of the internal one.
+ *
+ * @param this calling cert_payload_t object
+ * @return CERT data as chunk_t
+ */
+ chunk_t (*get_data_clone) (cert_payload_t *this);
+
+ /**
+ * @brief Get the CERT data.
+ *
+ * Returned data are NOT copied.
+ *
+ * @param this calling cert_payload_t object
+ * @return CERT data as chunk_t
+ */
+ chunk_t (*get_data) (cert_payload_t *this);
+
+ /**
+ * @brief Destroys an cert_payload_t object.
+ *
+ * @param this cert_payload_t object to destroy
+ */
+ void (*destroy) (cert_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty cert_payload_t object.
+ *
+ * @return cert_payload_t object
+ *
+ * @ingroup payloads
+ */
+cert_payload_t *cert_payload_create(void);
+
+/**
+ * @brief Creates a cert_payload_t object with an X.509 certificate.
+ *
+ * @param cert X.509 certificate
+ * @return cert_payload_t object
+ *
+ * @ingroup payloads
+ */
+cert_payload_t *cert_payload_create_from_x509(x509_t *cert);
+
+#endif /* CERT_PAYLOAD_H_ */
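Review bot: The get_data documentation says only that the data are not copied, and it should also state how long the returned chunk stays valid. set_data() and destroy() in cert_payload.c both free the buffer that chunk points to, so a caller holding it across either call is left with a dangling pointer. I would add `Returned chunk points into the payload and is invalidated by set_data() and destroy(); the caller must not free it.` below `Returned data are NOT copied.`.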
diff --git a/src/charon/encoding/payloads/certreq_payload.c b/src/charon/encoding/payloads/certreq_payload.c
new file mode 100644
index 000000000..46663811a
--- /dev/null
+++ b/src/charon/encoding/payloads/certreq_payload.c
@@ -0,0 +1,335 @@
+/**
+ * @file certreq_payload.c
+ *
+ * @brief Implementation of certreq_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+#include <string.h>
+
+#include <daemon.h>
+#include <crypto/hashers/hasher.h>
+#include <crypto/ca.h>
+
+#include "certreq_payload.h"
+
+
+typedef struct private_certreq_payload_t private_certreq_payload_t;
+
+/**
+ * Private data of an certreq_payload_t object.
+ *
+ */
+struct private_certreq_payload_t {
+ /**
+ * Public certreq_payload_t interface.
+ */
+ certreq_payload_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * Encoding of the CERT Data.
+ */
+ u_int8_t cert_encoding;
+
+ /**
+ * The contained certreq data value.
+ */
+ chunk_t certreq_data;
+};
+
+/**
+ * Encoding rules to parse or generate a CERTREQ payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_certreq_payload_t.
+ *
+ */
+encoding_rule_t certreq_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_certreq_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_certreq_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole payload*/
+ { PAYLOAD_LENGTH, offsetof(private_certreq_payload_t, payload_length)},
+ /* 1 Byte CERTREQ type*/
+ { U_INT_8, offsetof(private_certreq_payload_t, cert_encoding)},
+ /* some certreq data bytes, length is defined in PAYLOAD_LENGTH */
+ { CERTREQ_DATA, offsetof(private_certreq_payload_t, certreq_data)}
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Cert Encoding ! !
+ +-+-+-+-+-+-+-+-+ !
+ ~ Certification Authority ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_certreq_payload_t *this)
+{
+ if ((this->cert_encoding == 0) ||
+ ((this->cert_encoding >= CERT_ROOF) && (this->cert_encoding <= 200)))
+ {
+ /* reserved IDs */
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of certreq_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_certreq_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = certreq_payload_encodings;
+ *rule_count = sizeof(certreq_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_certreq_payload_t *this)
+{
+ return CERTIFICATE_REQUEST;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_certreq_payload_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_certreq_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_certreq_payload_t *this)
+{
+ return this->payload_length;
+}
+
+/**
+ * Implementation of certreq_payload_t.set_cert_encoding.
+ */
+static void set_cert_encoding (private_certreq_payload_t *this, cert_encoding_t encoding)
+{
+ this->cert_encoding = encoding;
+}
+
+/**
+ * Implementation of certreq_payload_t.get_cert_encoding.
+ */
+static cert_encoding_t get_cert_encoding (private_certreq_payload_t *this)
+{
+ return (this->cert_encoding);
+}
+
+/**
+ * Implementation of certreq_payload_t.set_data.
+ */
+static void set_data (private_certreq_payload_t *this, chunk_t data)
+{
+ if (this->certreq_data.ptr != NULL)
+ {
+ chunk_free(&(this->certreq_data));
+ }
+ this->certreq_data.ptr = clalloc(data.ptr,data.len);
+ this->certreq_data.len = data.len;
+ this->payload_length = CERTREQ_PAYLOAD_HEADER_LENGTH + this->certreq_data.len;
+}
+
+/**
+ * Implementation of certreq_payload_t.get_data.
+ */
+static chunk_t get_data (private_certreq_payload_t *this)
+{
+ return (this->certreq_data);
+}
+
+/**
+ * Implementation of certreq_payload_t.get_data_clone.
+ */
+static chunk_t get_data_clone (private_certreq_payload_t *this)
+{
+ chunk_t cloned_data;
+ if (this->certreq_data.ptr == NULL)
+ {
+ return (this->certreq_data);
+ }
+ cloned_data.ptr = clalloc(this->certreq_data.ptr,this->certreq_data.len);
+ cloned_data.len = this->certreq_data.len;
+ return cloned_data;
+}
+
+/**
+ * Implementation of payload_t.destroy and certreq_payload_t.destroy.
+ */
+static void destroy(private_certreq_payload_t *this)
+{
+ if (this->certreq_data.ptr != NULL)
+ {
+ chunk_free(&(this->certreq_data));
+ }
+
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+certreq_payload_t *certreq_payload_create()
+{
+ private_certreq_payload_t *this = malloc_thing(private_certreq_payload_t);
+
+ /* interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t*))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**,size_t*))get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t*))destroy;
+
+ /* public functions */
+ this->public.destroy = (void (*) (certreq_payload_t*)) destroy;
+ this->public.set_cert_encoding = (void (*) (certreq_payload_t*,cert_encoding_t))set_cert_encoding;
+ this->public.get_cert_encoding = (cert_encoding_t (*) (certreq_payload_t*))get_cert_encoding;
+ this->public.set_data = (void (*) (certreq_payload_t*,chunk_t))set_data;
+ this->public.get_data_clone = (chunk_t (*) (certreq_payload_t*))get_data_clone;
+ this->public.get_data = (chunk_t (*) (certreq_payload_t*))get_data;
+
+ /* private variables */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length =CERTREQ_PAYLOAD_HEADER_LENGTH;
+ this->certreq_data = chunk_empty;
+
+ return (&(this->public));
+}
+
+/*
+ * Described in header
+ */
+certreq_payload_t *certreq_payload_create_from_cacert(identification_t *id)
+{
+ x509_t *cacert;
+ rsa_public_key_t *pubkey;
+ chunk_t keyid;
+ certreq_payload_t *this;
+
+ cacert = charon->credentials->get_auth_certificate(charon->credentials, AUTH_CA, id);
+ if (cacert == NULL)
+ {
+ /* no such CA cert */
+ return NULL;
+ }
+
+ this = certreq_payload_create();
+ pubkey = cacert->get_public_key(cacert);
+ keyid = pubkey->get_keyid(pubkey);
+
+ DBG2(DBG_IKE, "requesting certificate issued by '%D'", id);
+ DBG2(DBG_IKE, " with keyid %#B", &keyid);
+
+ this->set_cert_encoding(this, CERT_X509_SIGNATURE);
+ this->set_data(this, keyid);
+ return this;
+}
+
+/*
+ * Described in header
+ */
+certreq_payload_t *certreq_payload_create_from_cacerts(void)
+{
+ certreq_payload_t *this;
+ chunk_t keyids;
+ u_char *pos;
+ ca_info_t *cainfo;
+
+ iterator_t *iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
+ int count = iterator->get_count(iterator);
+
+ if (count == 0)
+ {
+ iterator->destroy(iterator);
+ return NULL;
+ }
+
+ this = certreq_payload_create();
+ keyids = chunk_alloc(count * HASH_SIZE_SHA1);
+ pos = keyids.ptr;
+
+ while (iterator->iterate(iterator, (void**)&cainfo))
+ {
+ x509_t *cacert = cainfo->get_certificate(cainfo);
+ chunk_t keyid = cacert->get_keyid(cacert);
+
+ DBG2(DBG_IKE, "requesting certificate issued by '%D'", cacert->get_subject(cacert));
+ DBG2(DBG_IKE, " with keyid %#B", &keyid);
+ memcpy(pos, keyid.ptr, keyid.len);
+ pos += HASH_SIZE_SHA1;
+ }
+ iterator->destroy(iterator);
+
+ this->set_cert_encoding(this, CERT_X509_SIGNATURE);
+ this->set_data(this, keyids);
+ free(keyids.ptr);
+ return this;
+}
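Review bot: In certreq_payload_create_from_cacerts() the loop does `memcpy(pos, keyid.ptr, keyid.len)` into slots sized `HASH_SIZE_SHA1`, but nothing checks that keyid.len equals that size or that the iterator yields no more than `count` entries. A longer keyid, or a CA list that grew between get_count() and the iteration, would write past the chunk_alloc'ed buffer. A shorter keyid would leave uninitialised heap bytes in the slot, which are then sent to the peer. I would check the length, bound the write position, and hand set_data() only the bytes actually filled; presumably get_keyid() always returns a SHA-1 sized chunk, but the hunk does not enforce it.

```c
	while (iterator->iterate(iterator, (void**)&cainfo))
	{
		x509_t *cacert = cainfo->get_certificate(cainfo);
		chunk_t keyid = cacert->get_keyid(cacert);

		if ((size_t)(pos - keyids.ptr) + HASH_SIZE_SHA1 > keyids.len)
		{
			/* more CA entries than were counted: stop before overrunning */
			break;
		}
		if (keyid.len != HASH_SIZE_SHA1)
		{
			/* would not fill (or would overflow) the fixed-size slot */
			continue;
		}
		/* … unchanged: DBG2 logging of subject and keyid … */
		memcpy(pos, keyid.ptr, HASH_SIZE_SHA1);
		pos += HASH_SIZE_SHA1;
	}
	iterator->destroy(iterator);

	/* send only the slots that were actually written */
	keyids.len = pos - keyids.ptr;
	/* … unchanged: set_cert_encoding, set_data, free … */
```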
diff --git a/src/charon/encoding/payloads/certreq_payload.h b/src/charon/encoding/payloads/certreq_payload.h
new file mode 100644
index 000000000..2985fdae1
--- /dev/null
+++ b/src/charon/encoding/payloads/certreq_payload.h
@@ -0,0 +1,144 @@
+/**
+ * @file certreq_payload.h
+ *
+ * @brief Interface of certreq_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CERTREQ_PAYLOAD_H_
+#define CERTREQ_PAYLOAD_H_
+
+typedef struct certreq_payload_t certreq_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/cert_payload.h>
+
+/**
+ * Length of a CERTREQ payload without the CERTREQ data in bytes.
+ *
+ * @ingroup payloads
+ */
+#define CERTREQ_PAYLOAD_HEADER_LENGTH 5
+
+
+/**
+ * @brief Class representing an IKEv2 CERTREQ payload.
+ *
+ * The CERTREQ payload format is described in RFC section 3.7.
+ * This is just a dummy implementation to fullfill the standards
+ * requirements. A full implementation would offer setters/getters
+ * for the different encoding types.
+ *
+ * @b Constructors:
+ * - certreq_payload_create()
+ *
+ * @todo Implement payload functionality.
+ *
+ * @ingroup payloads
+ */
+struct certreq_payload_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Set the CERT encoding.
+ *
+ * @param this calling certreq_payload_t object
+ * @param encoding CERT encoding
+ */
+ void (*set_cert_encoding) (certreq_payload_t *this, cert_encoding_t encoding);
+
+ /**
+ * @brief Get the CERT encoding.
+ *
+ * @param this calling certreq_payload_t object
+ * @return Encoding of the CERT
+ */
+ cert_encoding_t (*get_cert_encoding) (certreq_payload_t *this);
+
+ /**
+ * @brief Set the CERTREQ data.
+ *
+ * Data are getting cloned.
+ *
+ * @param this calling certreq_payload_t object
+ * @param data CERTREQ data as chunk_t
+ */
+ void (*set_data) (certreq_payload_t *this, chunk_t data);
+
+ /**
+ * @brief Get the CERTREQ data.
+ *
+ * Returned data are a copy of the internal one.
+ *
+ * @param this calling certreq_payload_t object
+ * @return CERTREQ data as chunk_t
+ */
+ chunk_t (*get_data_clone) (certreq_payload_t *this);
+
+ /**
+ * @brief Get the CERTREQ data.
+ *
+ * Returned data are NOT copied.
+ *
+ * @param this calling certreq_payload_t object
+ * @return CERTREQ data as chunk_t
+ */
+ chunk_t (*get_data) (certreq_payload_t *this);
+
+ /**
+ * @brief Destroys an certreq_payload_t object.
+ *
+ * @param this certreq_payload_t object to destroy
+ */
+ void (*destroy) (certreq_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty certreq_payload_t object.
+ *
+ * @return certreq_payload_t object
+ *
+ * @ingroup payloads
+ */
+certreq_payload_t *certreq_payload_create(void);
+
+/**
+ * @brief Creates a certreq_payload_t object from a ca certificate
+ *
+ * @param id subject distinguished name of CA certificate
+ * @return certreq_payload_t object
+ *
+ * @ingroup payloads
+ */
+certreq_payload_t *certreq_payload_create_from_cacert(identification_t *id);
+
+/**
+ * @brief Creates a certreq_payload_t object from all ca certificates
+ *
+ * @return certreq_payload_t object
+ *
+ * @ingroup payloads
+ */
+certreq_payload_t *certreq_payload_create_from_cacerts(void);
+
+#endif /* CERTREQ_PAYLOAD_H_ */
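Review bot: The documentation of certreq_payload_create_from_cacert() and certreq_payload_create_from_cacerts() promises a `certreq_payload_t object`, but both implementations in certreq_payload.c return NULL, the first when no CA certificate matches `id` and the second when the CA list is empty. A caller relying on the header would dereference the result unchecked. I would change the two `@return` lines to `@return certreq_payload_t object, or NULL if no CA certificate is available`.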
diff --git a/src/charon/encoding/payloads/configuration_attribute.c b/src/charon/encoding/payloads/configuration_attribute.c
new file mode 100644
index 000000000..0aa82169f
--- /dev/null
+++ b/src/charon/encoding/payloads/configuration_attribute.c
@@ -0,0 +1,313 @@
+/**
+ * @file configuration_attribute.c
+ *
+ * @brief Implementation of configuration_attribute_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "configuration_attribute.h"
+
+#include <encoding/payloads/encodings.h>
+#include <library.h>
+#include <daemon.h>
+
+
+typedef struct private_configuration_attribute_t private_configuration_attribute_t;
+
+/**
+ * Private data of an configuration_attribute_t object.
+ *
+ */
+struct private_configuration_attribute_t {
+ /**
+ * Public configuration_attribute_t interface.
+ */
+ configuration_attribute_t public;
+
+ /**
+ * Type of the attribute.
+ */
+ u_int16_t attribute_type;
+
+ /**
+ * Length of the attribute.
+ */
+ u_int16_t attribute_length;
+
+ /**
+ * Attribute value as chunk.
+ */
+ chunk_t attribute_value;
+};
+
+ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, INTERNAL_IP6_ADDRESS,
+ "INTERNAL_IP4_ADDRESS",
+ "INTERNAL_IP4_NETMASK",
+ "INTERNAL_IP4_DNS",
+ "INTERNAL_IP4_NBNS",
+ "INTERNAL_ADDRESS_EXPIRY",
+ "INTERNAL_IP4_DHCP",
+ "APPLICATION_VERSION",
+ "INTERNAL_IP6_ADDRESS");
+ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP6_DNS, INTERNAL_IP6_SUBNET, INTERNAL_IP6_ADDRESS,
+ "INTERNAL_IP6_DNS",
+ "INTERNAL_IP6_NBNS",
+ "INTERNAL_IP6_DHCP",
+ "INTERNAL_IP4_SUBNET",
+ "SUPPORTED_ATTRIBUTES",
+ "INTERNAL_IP6_SUBNET");
+ENUM_END(configuration_attribute_type_names, INTERNAL_IP6_SUBNET);
+
+/**
+ * Encoding rules to parse or generate a configuration attribute.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_configuration_attribute_t.
+ *
+ */
+encoding_rule_t configuration_attribute_encodings[] = {
+
+ { RESERVED_BIT, 0 },
+ /* type of the attribute as 15 bit unsigned integer */
+ { ATTRIBUTE_TYPE, offsetof(private_configuration_attribute_t, attribute_type) },
+ /* Length of attribute value */
+ { CONFIGURATION_ATTRIBUTE_LENGTH, offsetof(private_configuration_attribute_t, attribute_length)},
+ /* Value of attribute if attribute format flag is zero */
+ { CONFIGURATION_ATTRIBUTE_VALUE, offsetof(private_configuration_attribute_t, attribute_value)}
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ !R| Attribute Type ! Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ ~ Value ~
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_configuration_attribute_t *this)
+{
+ bool failed = FALSE;
+
+ if (this->attribute_length != this->attribute_value.len)
+ {
+ DBG1(DBG_ENC, "invalid attribute length");
+ return FAILED;
+ }
+
+ switch (this->attribute_type)
+ {
+ case INTERNAL_IP4_ADDRESS:
+ case INTERNAL_IP4_NETMASK:
+ case INTERNAL_IP4_DNS:
+ case INTERNAL_IP4_NBNS:
+ case INTERNAL_ADDRESS_EXPIRY:
+ case INTERNAL_IP4_DHCP:
+ if (this->attribute_length != 0 && this->attribute_length != 4)
+ {
+ failed = TRUE;
+ }
+ break;
+ case INTERNAL_IP4_SUBNET:
+ if (this->attribute_length != 0 && this->attribute_length != 8)
+ {
+ failed = TRUE;
+ }
+ break;
+ case INTERNAL_IP6_ADDRESS:
+ case INTERNAL_IP6_SUBNET:
+ if (this->attribute_length != 0 && this->attribute_length != 17)
+ {
+ failed = TRUE;
+ }
+ break;
+ case INTERNAL_IP6_DNS:
+ case INTERNAL_IP6_NBNS:
+ case INTERNAL_IP6_DHCP:
+ if (this->attribute_length != 0 && this->attribute_length != 16)
+ {
+ failed = TRUE;
+ }
+ break;
+ case SUPPORTED_ATTRIBUTES:
+ if (this->attribute_length % 2)
+ {
+ failed = TRUE;
+ }
+ break;
+ case APPLICATION_VERSION:
+ /* any length acceptable */
+ break;
+ default:
+ DBG1(DBG_ENC, "unknown attribute type %N",
+ configuration_attribute_type_names, this->attribute_type);
+ return FAILED;
+ }
+
+ if (failed)
+ {
+ DBG1(DBG_ENC, "invalid attribute length %d for %N",
+ this->attribute_length, configuration_attribute_type_names,
+ this->attribute_type);
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_configuration_attribute_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = configuration_attribute_encodings;
+ *rule_count = sizeof(configuration_attribute_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_configuration_attribute_t *this)
+{
+ return CONFIGURATION_ATTRIBUTE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_configuration_attribute_t *this)
+{
+ return (NO_PAYLOAD);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_configuration_attribute_t *this,payload_type_t type)
+{
+}
+
+/**
+ * Implementation of configuration_attribute_t.get_length.
+ */
+static size_t get_length(private_configuration_attribute_t *this)
+{
+ return (this->attribute_value.len + CONFIGURATION_ATTRIBUTE_HEADER_LENGTH);
+}
+
+/**
+ * Implementation of configuration_attribute_t.set_value.
+ */
+static void set_value(private_configuration_attribute_t *this, chunk_t value)
+{
+ if (this->attribute_value.ptr != NULL)
+ {
+ /* free existing value */
+ chunk_free(&(this->attribute_value));
+ }
+
+ this->attribute_value.ptr = clalloc(value.ptr,value.len);
+ this->attribute_value.len = value.len;
+
+ this->attribute_length = this->attribute_value.len;
+}
+
+/**
+ * Implementation of configuration_attribute_t.get_value.
+ */
+static chunk_t get_value (private_configuration_attribute_t *this)
+{
+ return this->attribute_value;
+}
+
+/**
+ * Implementation of configuration_attribute_t.set_type.
+ */
+static void set_attribute_type (private_configuration_attribute_t *this, u_int16_t type)
+{
+ this->attribute_type = type & 0x7FFF;
+}
+
+/**
+ * Implementation of configuration_attribute_t.get_type.
+ */
+static u_int16_t get_attribute_type (private_configuration_attribute_t *this)
+{
+ return this->attribute_type;
+}
+
+/**
+ * Implementation of configuration_attribute_t.get_length.
+ */
+static u_int16_t get_attribute_length (private_configuration_attribute_t *this)
+{
+ return this->attribute_length;
+}
+
+
+/**
+ * Implementation of configuration_attribute_t.destroy and payload_t.destroy.
+ */
+static void destroy(private_configuration_attribute_t *this)
+{
+ if (this->attribute_value.ptr != NULL)
+ {
+ free(this->attribute_value.ptr);
+ }
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+configuration_attribute_t *configuration_attribute_create()
+{
+ private_configuration_attribute_t *this = malloc_thing(private_configuration_attribute_t);
+
+ /* payload interface */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.set_value = (void (*) (configuration_attribute_t *,chunk_t)) set_value;
+ this->public.get_value = (chunk_t (*) (configuration_attribute_t *)) get_value;
+ this->public.set_type = (void (*) (configuration_attribute_t *,u_int16_t type)) set_attribute_type;
+ this->public.get_type = (u_int16_t (*) (configuration_attribute_t *)) get_attribute_type;
+ this->public.get_length = (u_int16_t (*) (configuration_attribute_t *)) get_attribute_length;
+ this->public.destroy = (void (*) (configuration_attribute_t *)) destroy;
+
+ /* set default values of the fields */
+ this->attribute_type = 0;
+ this->attribute_value = chunk_empty;
+ this->attribute_length = 0;
+
+ return (&(this->public));
+}
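Review bot: The comment above `static size_t get_length(...)` reads `Implementation of configuration_attribute_t.get_length.`, but the constructor wires this function into `payload_interface.get_length`, and it returns the value length plus CONFIGURATION_ATTRIBUTE_HEADER_LENGTH. The function that actually backs `public.get_length` is get_attribute_length(), which returns the bare attribute_length and carries the same comment. A reader could easily confuse the total encoded size with the value size, so the first comment should read `Implementation of payload_t.get_length.`. Separately, destroy() calls `free(this->attribute_value.ptr)` while set_value() uses `chunk_free(&(this->attribute_value))`, and using chunk_free in both would match the sibling payload files.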
diff --git a/src/charon/encoding/payloads/configuration_attribute.h b/src/charon/encoding/payloads/configuration_attribute.h
new file mode 100644
index 000000000..5c4f65b14
--- /dev/null
+++ b/src/charon/encoding/payloads/configuration_attribute.h
@@ -0,0 +1,147 @@
+/**
+ * @file configuration_attribute.h
+ *
+ * @brief Interface of configuration_attribute_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CONFIGURATION_ATTRIBUTE_H_
+#define CONFIGURATION_ATTRIBUTE_H_
+
+typedef enum configuration_attribute_type_t configuration_attribute_type_t;
+typedef struct configuration_attribute_t configuration_attribute_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+
+/**
+ * Configuration attribute header length in bytes.
+ *
+ * @ingroup payloads
+ */
+#define CONFIGURATION_ATTRIBUTE_HEADER_LENGTH 4
+
+/**
+ * Type of the attribute, as in IKEv2 RFC 3.15.1.
+ *
+ * @ingroup payloads
+ */
+enum configuration_attribute_type_t {
+ INTERNAL_IP4_ADDRESS = 1,
+ INTERNAL_IP4_NETMASK = 2,
+ INTERNAL_IP4_DNS = 3,
+ INTERNAL_IP4_NBNS = 4,
+ INTERNAL_ADDRESS_EXPIRY = 5,
+ INTERNAL_IP4_DHCP = 6,
+ APPLICATION_VERSION = 7,
+ INTERNAL_IP6_ADDRESS = 8,
+ INTERNAL_IP6_DNS = 10,
+ INTERNAL_IP6_NBNS = 11,
+ INTERNAL_IP6_DHCP = 12,
+ INTERNAL_IP4_SUBNET = 13,
+ SUPPORTED_ATTRIBUTES = 14,
+ INTERNAL_IP6_SUBNET = 15
+};
+
+/**
+ * enum names for configuration_attribute_type_t.
+ *
+ * @ingroup payloads
+ */
+extern enum_name_t *configuration_attribute_type_names;
+
+/**
+ * @brief Class representing an IKEv2-CONFIGURATION Attribute.
+ *
+ * The CONFIGURATION ATTRIBUTE format is described in RFC section 3.15.1.
+ *
+ * @b Constructors:
+ * - configuration_attribute_create()
+ *
+ * @ingroup payloads
+ */
+struct configuration_attribute_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Returns the currently set value of the attribute.
+ *
+ * @warning Returned data are not copied.
+ *
+ * @param this calling configuration_attribute_t object
+ * @return chunk_t pointing to the value
+ */
+ chunk_t (*get_value) (configuration_attribute_t *this);
+
+ /**
+ * @brief Sets the value of the attribute.
+ *
+ * @warning Value is getting copied.
+ *
+ * @param this calling configuration_attribute_t object
+ * @param value chunk_t pointing to the value to set
+ */
+ void (*set_value) (configuration_attribute_t *this, chunk_t value);
+
+ /**
+ * @brief Sets the type of the attribute.
+ *
+ * @param this calling configuration_attribute_t object
+ * @param type type to set (most significant bit is set to zero)
+ */
+ void (*set_type) (configuration_attribute_t *this, u_int16_t type);
+
+ /**
+ * @brief get the type of the attribute.
+ *
+ * @param this calling configuration_attribute_t object
+ * @return type of the value
+ */
+ u_int16_t (*get_type) (configuration_attribute_t *this);
+
+ /**
+ * @brief get the length of an attribute.
+ *
+ * @param this calling configuration_attribute_t object
+ * @return type of the value
+ */
+ u_int16_t (*get_length) (configuration_attribute_t *this);
+
+ /**
+ * @brief Destroys an configuration_attribute_t object.
+ *
+ * @param this configuration_attribute_t object to destroy
+ */
+ void (*destroy) (configuration_attribute_t *this);
+};
+
+/**
+ * @brief Creates an empty configuration_attribute_t object.
+ *
+ * @return created configuration_attribute_t object
+ *
+ * @ingroup payloads
+ */
+configuration_attribute_t *configuration_attribute_create(void);
+
+#endif /* CONFIGURATION_ATTRIBUTE_H_*/
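Review bot: The doc comment on the `get_length` member of `configuration_attribute_t` was copied from `get_type`, so its `@return` line still reads "type of the value" although the member returns a length. I would change it to `@return length of the attribute value in bytes` and state whether the 4 bytes of `CONFIGURATION_ATTRIBUTE_HEADER_LENGTH` are included; the implementation is not in this hunk, so that detail needs confirming. The `get_value` warning could also say that the returned chunk points into the object and is only valid until `set_value` or `destroy` is called.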
diff --git a/src/charon/encoding/payloads/cp_payload.c b/src/charon/encoding/payloads/cp_payload.c
new file mode 100644
index 000000000..380ed9681
--- /dev/null
+++ b/src/charon/encoding/payloads/cp_payload.c
@@ -0,0 +1,277 @@
+/**
+ * @file cp_payload.c
+ *
+ * @brief Implementation of cp_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "cp_payload.h"
+
+#include <encoding/payloads/encodings.h>
+#include <utils/linked_list.h>
+
+ENUM(config_type_names, CFG_REQUEST, CFG_ACK,
+ "CFG_REQUEST",
+ "CFG_REPLY",
+ "CFG_SET",
+ "CFG_ACK",
+);
+
+typedef struct private_cp_payload_t private_cp_payload_t;
+
+/**
+ * Private data of an cp_payload_t object.
+ *
+ */
+struct private_cp_payload_t {
+ /**
+ * Public cp_payload_t interface.
+ */
+ cp_payload_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * Configuration Attributes in this payload are stored in a linked_list_t.
+ */
+ linked_list_t * attributes;
+
+ /**
+ * Config Type.
+ */
+ u_int8_t config_type;
+};
+
+/**
+ * Encoding rules to parse or generate a IKEv2-CP Payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_cp_payload_t.
+ *
+ */
+encoding_rule_t cp_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_cp_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_cp_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole CP payload*/
+ { PAYLOAD_LENGTH, offsetof(private_cp_payload_t, payload_length) },
+ /* Proposals are stored in a proposal substructure,
+ offset points to a linked_list_t pointer */
+ { U_INT_8, offsetof(private_cp_payload_t, config_type) },
+ { RESERVED_BYTE,0 },
+ { RESERVED_BYTE,0 },
+ { RESERVED_BYTE,0 },
+ { CONFIGURATION_ATTRIBUTES, offsetof(private_cp_payload_t, attributes) }
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! CFG Type ! RESERVED !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Configuration Attributes ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_cp_payload_t *this)
+{
+ status_t status = SUCCESS;
+ iterator_t *iterator;
+ configuration_attribute_t *attribute;
+
+ iterator = this->attributes->create_iterator(this->attributes,TRUE);
+ while(iterator->iterate(iterator, (void**)&attribute))
+ {
+ status = attribute->payload_interface.verify(&attribute->payload_interface);
+ if (status != SUCCESS)
+ {
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return status;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_cp_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = cp_payload_encodings;
+ *rule_count = sizeof(cp_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_cp_payload_t *this)
+{
+ return CONFIGURATION;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_cp_payload_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_cp_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * recompute the length of the payload.
+ */
+static void compute_length(private_cp_payload_t *this)
+{
+ iterator_t *iterator;
+ payload_t *current_attribute;
+ size_t length = CP_PAYLOAD_HEADER_LENGTH;
+
+ iterator = this->attributes->create_iterator(this->attributes,TRUE);
+ while (iterator->iterate(iterator, (void**)&current_attribute))
+ {
+ length += current_attribute->get_length(current_attribute);
+ }
+ iterator->destroy(iterator);
+
+ this->payload_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_cp_payload_t *this)
+{
+ compute_length(this);
+ return this->payload_length;
+}
+
+/**
+ * Implementation of cp_payload_t.create_configuration_attribute_iterator.
+ */
+static iterator_t *create_attribute_iterator (private_cp_payload_t *this)
+{
+ return this->attributes->create_iterator(this->attributes, TRUE);
+}
+
+/**
+ * Implementation of cp_payload_t.add_proposal_substructure.
+ */
+static void add_configuration_attribute (private_cp_payload_t *this,configuration_attribute_t *attribute)
+{
+ this->attributes->insert_last(this->attributes,(void *) attribute);
+ compute_length(this);
+}
+
+/**
+ * Implementation of cp_payload_t.set_config_type.
+ */
+static void set_config_type (private_cp_payload_t *this,config_type_t config_type)
+{
+ this->config_type = config_type;
+}
+
+/**
+ * Implementation of cp_payload_t.get_config_type.
+ */
+static config_type_t get_config_type (private_cp_payload_t *this)
+{
+ return this->config_type;
+}
+
+/**
+ * Implementation of payload_t.destroy and cp_payload_t.destroy.
+ */
+static void destroy(private_cp_payload_t *this)
+{
+ this->attributes->destroy_offset(this->attributes,
+ offsetof(configuration_attribute_t, destroy));
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+cp_payload_t *cp_payload_create()
+{
+ private_cp_payload_t *this = malloc_thing(private_cp_payload_t);
+
+ /* public interface */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.create_attribute_iterator = (iterator_t* (*) (cp_payload_t *)) create_attribute_iterator;
+ this->public.add_configuration_attribute = (void (*) (cp_payload_t *,configuration_attribute_t *)) add_configuration_attribute;
+ this->public.set_config_type = (void (*) (cp_payload_t *, config_type_t)) set_config_type;
+ this->public.get_config_type = (config_type_t (*) (cp_payload_t *)) get_config_type;
+ this->public.destroy = (void (*) (cp_payload_t *)) destroy;
+
+ /* set default values of the fields */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length = CP_PAYLOAD_HEADER_LENGTH;
+
+ this->attributes = linked_list_create();
+ return (&(this->public));
+}
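Review bot: In `compute_length` the total is accumulated in a `size_t` and then narrowed into the `u_int16_t` field by `this->payload_length = length;` with no range check. A sum above 65535 therefore wraps silently, and `get_length` reports a value smaller than the attribute data that follows. The attributes in the list may come from a parsed message, so I would make the limit explicit with a comment such as `/* payload_length is 16 bit on the wire: total must not exceed 0xFFFF */` and have `verify`, which already returns a `status_t`, fail when the summed length exceeds it. Separately, the comment above the `config_type` rule in `cp_payload_encodings` ("Proposals are stored in a proposal substructure") looks carried over from another payload and should describe the CFG Type byte.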
diff --git a/src/charon/encoding/payloads/cp_payload.h b/src/charon/encoding/payloads/cp_payload.h
new file mode 100644
index 000000000..27ff41005
--- /dev/null
+++ b/src/charon/encoding/payloads/cp_payload.h
@@ -0,0 +1,132 @@
+/**
+ * @file cp_payload.h
+ *
+ * @brief Interface of cp_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CP_PAYLOAD_H_
+#define CP_PAYLOAD_H_
+
+typedef enum config_type_t config_type_t;
+typedef struct cp_payload_t cp_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/configuration_attribute.h>
+#include <utils/linked_list.h>
+
+/**
+ * CP_PAYLOAD length in bytes without any proposal substructure.
+ *
+ * @ingroup payloads
+ */
+#define CP_PAYLOAD_HEADER_LENGTH 8
+
+/**
+ * Config Type of an Configuration Payload.
+ *
+ * @ingroup payloads
+ */
+enum config_type_t {
+ CFG_REQUEST = 1,
+ CFG_REPLY = 2,
+ CFG_SET = 3,
+ CFG_ACK = 4,
+};
+
+/**
+ * enum name for config_type_t.
+ *
+ * @ingroup payloads
+ */
+extern enum_name_t *config_type_names;
+
+/**
+ * @brief Class representing an IKEv2-CP Payload.
+ *
+ * The CP Payload format is described in RFC section 3.15.
+ *
+ * @b Constructors:
+ * - cp_payload_create()
+ *
+ * @ingroup payloads
+ */
+struct cp_payload_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Creates an iterator of stored configuration_attribute_t objects.
+ *
+ * When deleting an attribute using this iterator, the length of this
+ * configuration_attribute_t has to be refreshed by calling get_length()!
+ *
+ * @param this calling cp_payload_t object
+ * @return created iterator_t object
+ */
+ iterator_t *(*create_attribute_iterator) (cp_payload_t *this);
+
+ /**
+ * @brief Adds a configuration_attribute_t object to this object.
+ *
+ * The added configuration_attribute_t object is getting destroyed in
+ * destroy function of cp_payload_t.
+ *
+ * @param this calling cp_payload_t object
+ * @param attribute configuration_attribute_t object to add
+ */
+ void (*add_configuration_attribute) (cp_payload_t *this, configuration_attribute_t *attribute);
+
+ /**
+ * @brief Set the config type.
+ *
+ * @param this calling cp_payload_t object
+ * @param config_type config_type_t to set
+ */
+ void (*set_config_type) (cp_payload_t *this,config_type_t config_type);
+
+ /**
+ * @brief Get the config type.
+ *
+ * @param this calling cp_payload_t object
+ * @return config_type_t
+ */
+ config_type_t (*get_config_type) (cp_payload_t *this);
+
+ /**
+ * @brief Destroys an cp_payload_t object.
+ *
+ * @param this cp_payload_t object to destroy
+ */
+ void (*destroy) (cp_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty cp_payload_t object
+ *
+ * @return cp_payload_t object
+ *
+ * @ingroup payloads
+ */
+cp_payload_t *cp_payload_create(void);
+
+#endif /*CP_PAYLOAD_H_*/
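Review bot: Two doc comments in this header describe a different payload than the one declared. `CP_PAYLOAD_HEADER_LENGTH` is documented as the length "without any proposal substructure"; for this payload it should read `CP payload length in bytes without any configuration attributes.` The `create_attribute_iterator` comment says the length "of this configuration_attribute_t" must be refreshed after deleting through the iterator, but the length that goes stale is that of the `cp_payload_t`, so I would write `the length of this cp_payload_t has to be refreshed by calling payload_interface.get_length()`.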
diff --git a/src/charon/encoding/payloads/delete_payload.c b/src/charon/encoding/payloads/delete_payload.c
new file mode 100644
index 000000000..1d42a3af2
--- /dev/null
+++ b/src/charon/encoding/payloads/delete_payload.c
@@ -0,0 +1,299 @@
+/**
+ * @file delete_payload.c
+ *
+ * @brief Implementation of delete_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "delete_payload.h"
+
+
+typedef struct private_delete_payload_t private_delete_payload_t;
+
+/**
+ * Private data of an delete_payload_t object.
+ *
+ */
+struct private_delete_payload_t {
+ /**
+ * Public delete_payload_t interface.
+ */
+ delete_payload_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * Protocol ID.
+ */
+ u_int8_t protocol_id;
+
+ /**
+ * SPI Size.
+ */
+ u_int8_t spi_size;
+
+ /**
+ * Number of SPI's.
+ */
+ u_int16_t spi_count;
+
+ /**
+ * The contained SPI's.
+ */
+ chunk_t spis;
+
+ /**
+ * List containing u_int32_t spis
+ */
+ linked_list_t *spi_list;
+};
+
+/**
+ * Encoding rules to parse or generate a DELETE payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_delete_payload_t.
+ *
+ */
+encoding_rule_t delete_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_delete_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_delete_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole payload*/
+ { PAYLOAD_LENGTH, offsetof(private_delete_payload_t, payload_length)},
+ { U_INT_8, offsetof(private_delete_payload_t, protocol_id) },
+ { U_INT_8, offsetof(private_delete_payload_t, spi_size) },
+ { U_INT_16, offsetof(private_delete_payload_t, spi_count) },
+ /* some delete data bytes, length is defined in PAYLOAD_LENGTH */
+ { SPIS, offsetof(private_delete_payload_t, spis) }
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Protocol ID ! SPI Size ! # of SPIs !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Security Parameter Index(es) (SPI) ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_delete_payload_t *this)
+{
+ switch (this->protocol_id)
+ {
+ case PROTO_AH:
+ case PROTO_ESP:
+ if (this->spi_size != 4)
+ {
+ return FAILED;
+ }
+ break;
+ case PROTO_IKE:
+ case 0:
+ /* IKE deletion has no spi assigned! */
+ if (this->spi_size != 0)
+ {
+ return FAILED;
+ }
+ break;
+ default:
+ return FAILED;
+ }
+ if (this->spis.len != (this->spi_count * this->spi_size))
+ {
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of delete_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_delete_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = delete_payload_encodings;
+ *rule_count = sizeof(delete_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_delete_payload_t *this)
+{
+ return DELETE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_delete_payload_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_delete_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_delete_payload_t *this)
+{
+ return this->payload_length;
+}
+
+/**
+ * Implementation of delete_payload_t.get_protocol_id.
+ */
+static protocol_id_t get_protocol_id (private_delete_payload_t *this)
+{
+ return (this->protocol_id);
+}
+
+/**
+ * Implementation of delete_payload_t.add_spi.
+ */
+static void add_spi(private_delete_payload_t *this, u_int32_t spi)
+{
+ /* only add SPIs if AH|ESP, ignore others */
+ if (this->protocol_id == PROTO_AH || this->protocol_id == PROTO_ESP)
+ {
+ this->spi_count += 1;
+ this->spis.len += this->spi_size;
+ this->spis.ptr = realloc(this->spis.ptr, this->spis.len);
+ *(u_int32_t*)(this->spis.ptr + (this->spis.len / this->spi_size - 1)) = spi;
+ if (this->spi_list)
+ {
+ /* reset SPI iterator list */
+ this->spi_list->destroy(this->spi_list);
+ this->spi_list = NULL;
+ }
+ }
+}
+
+/**
+ * Implementation of delete_payload_t.create_spi_iterator.
+ */
+static iterator_t* create_spi_iterator(private_delete_payload_t *this)
+{
+ int i;
+
+ if (this->spi_list == NULL)
+ {
+ this->spi_list = linked_list_create();
+ /* only parse SPIs if AH|ESP */
+ if (this->protocol_id == PROTO_AH || this->protocol_id == PROTO_ESP)
+ {
+ for (i = 0; i < this->spi_count; i++)
+ {
+ this->spi_list->insert_last(this->spi_list, this->spis.ptr + i *
+ this->spi_size);
+ }
+ }
+ }
+ return this->spi_list->create_iterator(this->spi_list, TRUE);
+}
+
+/**
+ * Implementation of payload_t.destroy and delete_payload_t.destroy.
+ */
+static void destroy(private_delete_payload_t *this)
+{
+ if (this->spis.ptr != NULL)
+ {
+ chunk_free(&this->spis);
+ }
+ if (this->spi_list)
+ {
+ this->spi_list->destroy(this->spi_list);
+ }
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+delete_payload_t *delete_payload_create(protocol_id_t protocol_id)
+{
+ private_delete_payload_t *this = malloc_thing(private_delete_payload_t);
+
+ /* interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.destroy = (void (*) (delete_payload_t *)) destroy;
+ this->public.get_protocol_id = (protocol_id_t (*) (delete_payload_t *)) get_protocol_id;
+ this->public.add_spi = (void (*) (delete_payload_t *,u_int32_t))add_spi;
+ this->public.create_spi_iterator = (iterator_t* (*) (delete_payload_t *)) create_spi_iterator;
+
+ /* private variables */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length = DELETE_PAYLOAD_HEADER_LENGTH;
+ this->protocol_id = protocol_id;
+ this->spi_size = protocol_id == PROTO_AH || protocol_id == PROTO_ESP ? 4 : 0;
+ this->spi_count = 0;
+ this->spis = chunk_empty;
+ this->spi_list = NULL;
+
+ return (&this->public);
+}
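Review bot: In `add_spi` the store `*(u_int32_t*)(this->spis.ptr + (this->spis.len / this->spi_size - 1)) = spi;` uses the SPI index as a byte offset, so the second SPI is written at byte 1 and overwrites most of the first instead of landing at byte 4. The destination should be the last `spi_size` bytes of the buffer, e.g. `memcpy(this->spis.ptr + this->spis.len - this->spi_size, &spi, sizeof(spi));`, which also avoids the unaligned `u_int32_t` store. The `realloc` result is assigned back without a NULL check, which loses the old buffer and then writes through NULL on failure. `payload_length` is also left at `DELETE_PAYLOAD_HEADER_LENGTH` after SPIs are added; if nothing outside this file recomputes it, `get_length` under-reports, and adding `this->payload_length += this->spi_size;` in `add_spi` would keep it consistent.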
diff --git a/src/charon/encoding/payloads/delete_payload.h b/src/charon/encoding/payloads/delete_payload.h
new file mode 100644
index 000000000..508f7fba2
--- /dev/null
+++ b/src/charon/encoding/payloads/delete_payload.h
@@ -0,0 +1,102 @@
+/**
+ * @file delete_payload.h
+ *
+ * @brief Interface of delete_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef DELETE_PAYLOAD_H_
+#define DELETE_PAYLOAD_H_
+
+typedef struct delete_payload_t delete_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/proposal_substructure.h>
+
+/**
+ * Length of a delete payload without the SPI in bytes.
+ *
+ * @ingroup payloads
+ */
+#define DELETE_PAYLOAD_HEADER_LENGTH 8
+
+/**
+ * @brief Class representing an IKEv2 DELETE payload.
+ *
+ * The DELETE payload format is described in RFC section 3.11.
+ *
+ * @b Constructors:
+ * - delete_payload_create()
+ *
+ * @todo Implement better setter/getters
+ *
+ * @ingroup payloads
+ */
+struct delete_payload_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Get the protocol ID.
+ *
+ * @param this calling delete_payload_t object
+ * @return protocol ID
+ */
+ protocol_id_t (*get_protocol_id) (delete_payload_t *this);
+
+ /**
+ * @brief Add an SPI to the list of deleted SAs.
+ *
+ * @param this calling delete_payload_t object
+ * @param spi spi to add
+ */
+ void (*add_spi) (delete_payload_t *this, u_int32_t spi);
+
+ /**
+ * @brief Get an iterator over the SPIs.
+ *
+ * The iterate() function returns a pointer to a u_int32_t SPI.
+ *
+ * @param this calling delete_payload_t object
+ * @return iterator over SPIs
+ */
+ iterator_t *(*create_spi_iterator) (delete_payload_t *this);
+
+ /**
+ * @brief Destroys an delete_payload_t object.
+ *
+ * @param this delete_payload_t object to destroy
+ */
+ void (*destroy) (delete_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty delete_payload_t object.
+ *
+ * @param protocol_id protocol, such as AH|ESP
+ * @return delete_payload_t object
+ *
+ * @ingroup payloads
+ */
+delete_payload_t *delete_payload_create(protocol_id_t protocol_id);
+
+#endif /* DELETE_PAYLOAD_H_ */
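Review bot: The `create_spi_iterator` comment does not tell callers how long the iterator and the SPI pointers stay valid. In delete_payload.c the list entries point into the payload's internal SPI buffer, and `add_spi` reallocates that buffer and destroys the list. I would add to the comment: `The returned pointers reference internal data; they and the iterator become invalid after add_spi() or destroy().` It is also worth stating that the iterator is empty for protocols other than AH and ESP.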
diff --git a/src/charon/encoding/payloads/eap_payload.c b/src/charon/encoding/payloads/eap_payload.c
new file mode 100644
index 000000000..79ab32fe5
--- /dev/null
+++ b/src/charon/encoding/payloads/eap_payload.c
@@ -0,0 +1,331 @@
+/**
+ * @file eap_payload.c
+ *
+ * @brief Implementation of eap_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "eap_payload.h"
+
+#include <daemon.h>
+
+typedef struct private_eap_payload_t private_eap_payload_t;
+
+/**
+ * Private data of an eap_payload_t object.
+ *
+ */
+struct private_eap_payload_t {
+ /**
+ * Public eap_payload_t interface.
+ */
+ eap_payload_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * EAP message data, if available
+ */
+ chunk_t data;
+};
+
+/**
+ * Encoding rules to parse or generate a EAP payload.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_eap_payload_t.
+ *
+ */
+encoding_rule_t eap_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_eap_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_eap_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole payload*/
+ { PAYLOAD_LENGTH, offsetof(private_eap_payload_t, payload_length) },
+ /* chunt to data, starting at "code" */
+ { EAP_DATA, offsetof(private_eap_payload_t, data) },
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Code ! Identifier ! Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Type ! Type_Data...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_eap_payload_t *this)
+{
+ u_int16_t length;
+ u_int8_t code;
+
+ if (this->data.len < 4)
+ {
+ DBG1(DBG_ENC, "EAP payloads EAP message too short (%d)", this->data.len);
+ return FAILED;
+ }
+ code = *this->data.ptr;
+ length = htons(*(u_int16_t*)(this->data.ptr + 2));
+ if (this->data.len != length)
+ {
+ DBG1(DBG_ENC, "EAP payload length (%d) does not match contained message length (%d)",
+ this->data.len, length);
+ return FAILED;
+ }
+ switch (code)
+ {
+ case EAP_REQUEST:
+ case EAP_RESPONSE:
+ {
+ if (this->data.len < 4)
+ {
+ DBG1(DBG_ENC, "EAP Request/Response does not have any data");
+ return FAILED;
+ }
+ break;
+ }
+ case EAP_SUCCESS:
+ case EAP_FAILURE:
+ {
+ if (this->data.len != 4)
+ {
+ DBG1(DBG_ENC, "EAP Success/Failure has data");
+ return FAILED;
+ }
+ break;
+ }
+ default:
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of eap_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_eap_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = eap_payload_encodings;
+ *rule_count = sizeof(eap_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_eap_payload_t *this)
+{
+ return EXTENSIBLE_AUTHENTICATION;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_eap_payload_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_eap_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_eap_payload_t *this)
+{
+ return this->payload_length;
+}
+
+/**
+ * Implementation of eap_payload_t.get_data.
+ */
+static chunk_t get_data(private_eap_payload_t *this)
+{
+ return this->data;
+}
+
+/**
+ * Implementation of eap_payload_t.set_data.
+ */
+static void set_data(private_eap_payload_t *this, chunk_t data)
+{
+ chunk_free(&this->data);
+ this->data = chunk_clone(data);
+ this->payload_length = this->data.len + 4;
+}
+
+/**
+ * Implementation of eap_payload_t.get_code.
+ */
+static eap_code_t get_code(private_eap_payload_t *this)
+{
+ if (this->data.len > 0)
+ {
+ return *this->data.ptr;
+ }
+ /* should not happen, as it is verified */
+ return 0;
+}
+
+/**
+ * Implementation of eap_payload_t.get_identifier.
+ */
+static u_int8_t get_identifier(private_eap_payload_t *this)
+{
+ if (this->data.len > 1)
+ {
+ return *(this->data.ptr + 1);
+ }
+ /* should not happen, as it is verified */
+ return 0;
+}
+
+/**
+ * Implementation of eap_payload_t.get_type.
+ */
+static eap_type_t get_type(private_eap_payload_t *this)
+{
+ if (this->data.len > 4)
+ {
+ return *(this->data.ptr + 4);
+ }
+ return 0;
+}
+
+/**
+ * Implementation of payload_t.destroy and eap_payload_t.destroy.
+ */
+static void destroy(private_eap_payload_t *this)
+{
+ chunk_free(&this->data);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+eap_payload_t *eap_payload_create()
+{
+ private_eap_payload_t *this = malloc_thing(private_eap_payload_t);
+
+ /* interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.destroy = (void (*) (eap_payload_t *)) destroy;
+ this->public.get_data = (chunk_t (*) (eap_payload_t*))get_data;
+ this->public.set_data = (void (*) (eap_payload_t *,chunk_t))set_data;
+ this->public.get_code = (eap_code_t (*) (eap_payload_t*))get_code;
+ this->public.get_identifier = (u_int8_t (*) (eap_payload_t*))get_identifier;
+ this->public.get_type = (eap_type_t (*) (eap_payload_t*))get_type;
+
+ /* private variables */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length = EAP_PAYLOAD_HEADER_LENGTH;
+ this->data = chunk_empty;
+
+ return &(this->public);
+}
+
+/*
+ * Described in header
+ */
+eap_payload_t *eap_payload_create_data(chunk_t data)
+{
+ eap_payload_t *this = eap_payload_create();
+
+ this->set_data(this, data);
+ return this;
+}
+
+/*
+ * Described in header
+ */
+eap_payload_t *eap_payload_create_code(eap_code_t code)
+{
+ eap_payload_t *this = eap_payload_create();
+ chunk_t data = chunk_alloca(4);
+
+ *(data.ptr + 0) = code;
+ *(data.ptr + 1) = 0;
+ *(u_int16_t*)(data.ptr + 2) = htons(data.len);
+
+ this->set_data(this, data);
+ return this;
+}
+
+/*
+ * Described in header
+ */
+eap_payload_t *eap_payload_create_nak()
+{
+ eap_payload_t *this = eap_payload_create();
+ chunk_t data = chunk_alloca(5);
+
+ *(data.ptr + 0) = EAP_RESPONSE;
+ *(data.ptr + 1) = 0;
+ *(u_int16_t*)(data.ptr + 2) = htons(data.len);
+ *(data.ptr + 4) = EAP_NAK;
+
+ this->set_data(this, data);
+ return this;
+}
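Review bot: In `verify`, the `EAP_REQUEST`/`EAP_RESPONSE` branch repeats `if (this->data.len < 4)`, which can never be true because the same condition already returned `FAILED` at the top of the function. A Request or Response with only the four header bytes and no Type byte is therefore accepted, and `get_type` then returns 0 for it. The log message "does not have any data" suggests the intended test is `if (this->data.len < 5)`. The length field is read with `htons(*(u_int16_t*)(this->data.ptr + 2))`; `ntohs` states the intended direction, and copying the two bytes with `memcpy` would avoid the unaligned access.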
diff --git a/src/charon/encoding/payloads/eap_payload.h b/src/charon/encoding/payloads/eap_payload.h
new file mode 100644
index 000000000..13c0ade80
--- /dev/null
+++ b/src/charon/encoding/payloads/eap_payload.h
@@ -0,0 +1,149 @@
+/**
+ * @file eap_payload.h
+ *
+ * @brief Interface of eap_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef EAP_PAYLOAD_H_
+#define EAP_PAYLOAD_H_
+
+typedef struct eap_payload_t eap_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Length of a EAP payload without the EAP Message in bytes.
+ *
+ * @ingroup payloads
+ */
+#define EAP_PAYLOAD_HEADER_LENGTH 4
+
+/**
+ * @brief Class representing an IKEv2 EAP payload.
+ *
+ * The EAP payload format is described in RFC section 3.16.
+ *
+ * @b Constructors:
+ * - eap_payload_create()
+ *
+ * @ingroup payloads
+ */
+struct eap_payload_t {
+
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Set the contained EAP data.
+ *
+ * This contains the FULL EAP message starting with "code".
+ * Chunk gets cloned.
+ *
+ * @param this calling eap_payload_t object
+ * @param message EAP data
+ */
+ void (*set_data) (eap_payload_t *this, chunk_t data);
+
+ /**
+ * @brief Get the contained EAP data.
+ *
+ * This contains the FULL EAP message starting with "code".
+ *
+ * @param this calling eap_payload_t object
+ * @return EAP data (pointer to internal data)
+ */
+ chunk_t (*get_data) (eap_payload_t *this);
+
+ /**
+ * @brief Get the EAP code.
+ *
+ * @param this calling eap_payload_t object
+ * @return EAP message as chunk_t
+ */
+ eap_code_t (*get_code) (eap_payload_t *this);
+
+ /**
+ * @brief Get the EAP identifier.
+ *
+ * @param this calling eap_payload_t object
+ * @return unique identifier
+ */
+ u_int8_t (*get_identifier) (eap_payload_t *this);
+
+ /**
+ * @brief Get the EAP method type.
+ *
+ * @param this calling eap_payload_t object
+ * @return EAP method type
+ */
+ eap_type_t (*get_type) (eap_payload_t *this);
+
+ /**
+ * @brief Destroys an eap_payload_t object.
+ *
+ * @param this eap_payload_t object to destroy
+ */
+ void (*destroy) (eap_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty eap_payload_t object.
+ *
+ * @return eap_payload_t object
+ *
+ * @ingroup payloads
+ */
+eap_payload_t *eap_payload_create(void);
+
+/**
+ * @brief Creates an eap_payload_t object with data.
+ *
+ * @return eap_payload_t object
+ *
+ * @ingroup payloads
+ */
+eap_payload_t *eap_payload_create_data(chunk_t data);
+
+/**
+ * @brief Creates an eap_payload_t object with a code.
+ *
+ * Could should be either EAP_SUCCESS/EAP_FAILURE, use
+ * constructor above otherwise.
+ *
+ * @return eap_payload_t object
+ *
+ * @ingroup payloads
+ */
+eap_payload_t *eap_payload_create_code(eap_code_t code);
+
+/**
+ * @brief Creates an eap_payload_t EAP_RESPONSE containing an EAP_NAK.
+ *
+ * @return eap_payload_t object
+ *
+ * @ingroup payloads
+ */
+eap_payload_t *eap_payload_create_nak();
+
+#endif /* EAP_PAYLOAD_H_ */
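Review bot: The docs for `get_code`, `get_identifier` and `get_type` in `struct eap_payload_t` do not say what is returned when the stored EAP message is shorter than the field being read. `set_data` accepts any chunk and `eap_payload_create()` starts with an empty one; the getter bodies are outside this hunk, so whether they check the length is not visible. I would add to each getter something like `Returns 0 if the contained EAP message is too short to hold this field.`, or make `verify()` the documented precondition. On `get_data`, `pointer to internal data` should also say how long the pointer stays valid, e.g. `valid until set_data() or destroy() is called`. Smaller doc fixes in the same file: `@return EAP message as chunk_t` on `get_code` should read `@return EAP code`, `@param message` on `set_data` should be `@param data`, `Could should be` should be `Code should be`, and `RFC section 3.16` omits the RFC number (presumably RFC 4306).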
diff --git a/src/charon/encoding/payloads/encodings.c b/src/charon/encoding/payloads/encodings.c
new file mode 100644
index 000000000..55a7cf132
--- /dev/null
+++ b/src/charon/encoding/payloads/encodings.c
@@ -0,0 +1,66 @@
+/**
+ * @file encodings.c
+ *
+ * @brief String mappings of encoding_type_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "encodings.h"
+
+ENUM(encoding_type_names, U_INT_4, ENCRYPTED_DATA,
+ "U_INT_4",
+ "U_INT_8",
+ "U_INT_16",
+ "U_INT_32",
+ "U_INT_64",
+ "RESERVED_BIT",
+ "RESERVED_BYTE",
+ "FLAG",
+ "PAYLOAD_LENGTH",
+ "HEADER_LENGTH",
+ "SPI_SIZE",
+ "SPI",
+ "KEY_EXCHANGE_DATA",
+ "NOTIFICATION_DATA",
+ "PROPOSALS",
+ "TRANSFORMS",
+ "TRANSFORM_ATTRIBUTES",
+ "CONFIGURATION_ATTRIBUTES",
+ "CONFIGURATION_ATTRIBUTE_VALUE",
+ "ATTRIBUTE_FORMAT",
+ "ATTRIBUTE_TYPE",
+ "ATTRIBUTE_LENGTH_OR_VALUE",
+ "CONFIGURATION_ATTRIBUTE_LENGTH",
+ "ATTRIBUTE_VALUE",
+ "TRAFFIC_SELECTORS",
+ "TS_TYPE",
+ "ADDRESS",
+ "NONCE_DATA",
+ "ID_DATA",
+ "AUTH_DATA",
+ "CERT_DATA",
+ "CERTREQ_DATA",
+ "EAP_DATA",
+ "SPIS",
+ "VID_DATA",
+ "UNKNOWN_DATA",
+ "IKE_SPI",
+ "ENCRYPTED_DATA",
+);
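Review bot: The string list for `encoding_type_names` has no comment tying it to the declaration order of `encoding_type_t`. The names are presumably resolved by position between `U_INT_4` and `ENCRYPTED_DATA`, so an enumerator added in encodings.h without a matching string here would mislabel parser and generator log output. A one-line comment above the `ENUM(` line would cover it: `/* one string per encoding_type_t value, in declaration order; keep in sync with encodings.h */`. The 38 strings match the enum as it stands in this commit.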
diff --git a/src/charon/encoding/payloads/encodings.h b/src/charon/encoding/payloads/encodings.h
new file mode 100644
index 000000000..5e07fbfab
--- /dev/null
+++ b/src/charon/encoding/payloads/encodings.h
@@ -0,0 +1,537 @@
+/**
+ * @file encodings.h
+ *
+ * @brief Definition of encoding_type_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef ENCODINGS_H_
+#define ENCODINGS_H_
+
+typedef enum encoding_type_t encoding_type_t;
+typedef struct encoding_rule_t encoding_rule_t;
+
+#include <library.h>
+
+/**
+ * @brief All different kinds of encoding types.
+ *
+ * Each field of an IKEv2-Message (in header or payload)
+ * which has to be parsed or generated differently has its own
+ * type defined here.
+ *
+ * Header is parsed like a payload and gets its one payload_id
+ * from PRIVATE USE space. Also the substructures
+ * of specific payload types get their own payload_id
+ * from PRIVATE_USE space. See IKEv2-Draft for more informations.
+ *
+ * @ingroup payloads
+ */
+enum encoding_type_t {
+
+ /**
+ * Representing a 4 Bit unsigned int value.
+ *
+ *
+ * When generating it must be changed from host to network order.
+ * The value is read from the associated data struct.
+ * The current write position is moved 4 bit forward afterwards.
+ *
+ * When parsing it must be changed from network to host order.
+ * The value is written to the associated data struct.
+ * The current read pointer is moved 4 bit forward afterwards.
+ */
+ U_INT_4,
+
+ /**
+ * Representing a 8 Bit unsigned int value.
+ *
+ *
+ * When generating it must be changed from host to network order.
+ * The value is read from the associated data struct.
+ * The current write position is moved 8 bit forward afterwards.
+ *
+ * When parsing it must be changed from network to host order.
+ * The value is written to the associated data struct.
+ * The current read pointer is moved 8 bit forward afterwards.
+ */
+ U_INT_8,
+
+ /**
+ * Representing a 16 Bit unsigned int value.
+ *
+ *
+ * When generating it must be changed from host to network order.
+ * The value is read from the associated data struct.
+ * The current write position is moved 16 bit forward afterwards.
+ *
+ * When parsing it must be changed from network to host order.
+ * The value is written to the associated data struct.
+ * The current read pointer is moved 16 bit forward afterwards.
+ */
+ U_INT_16,
+
+ /**
+ * Representing a 32 Bit unsigned int value.
+ *
+ * When generating it must be changed from host to network order.
+ * The value is read from the associated data struct.
+ * The current write position is moved 32 bit forward afterwards.
+ *
+ * When parsing it must be changed from network to host order.
+ * The value is written to the associated data struct.
+ * The current read pointer is moved 32 bit forward afterwards.
+ */
+ U_INT_32,
+
+ /**
+ * Representing a 64 Bit unsigned int value.
+ *
+ * When generating it must be changed from host to network order.
+ * The value is read from the associated data struct.
+ * The current write position is moved 64 bit forward afterwards.
+ *
+ * When parsing it must be changed from network to host order.
+ * The value is written to the associated data struct.
+ * The current read pointer is moved 64 bit forward afterwards.
+ */
+ U_INT_64,
+
+ /**
+ * @brief represents a RESERVED_BIT used in FLAG-Bytes.
+ *
+ * When generating, the next bit is set to zero and the current write
+ * position is moved one bit forward.
+ * No value is read from the associated data struct.
+ * The current write position is moved 1 bit forward afterwards.
+ *
+ * When parsing, the current read pointer is moved one bit forward.
+ * No value is written to the associated data struct.
+ * The current read pointer is moved 1 bit forward afterwards.
+ */
+ RESERVED_BIT,
+
+ /**
+ * @brief represents a RESERVED_BYTE.
+ *
+ * When generating, the next byte is set to zero and the current write
+ * position is moved one byte forward.
+ * No value is read from the associated data struct.
+ * The current write position is moved 1 byte forward afterwards.
+ *
+ * When parsing, the current read pointer is moved one byte forward.
+ * No value is written to the associated data struct.
+ * The current read pointer is moved 1 byte forward afterwards.
+ */
+ RESERVED_BYTE,
+
+ /**
+ * Representing a 1 Bit flag.
+ *
+ * When generation, the next bit is set to 1 if the associated value
+ * in the data struct is TRUE, 0 otherwise. The current write position
+ * is moved 1 bit forward afterwards.
+ *
+ * When parsing, the next bit is read and stored in the associated data
+ * struct. 0 means FALSE, 1 means TRUE, The current read pointer
+ * is moved 1 bit forward afterwards
+ */
+ FLAG,
+
+ /**
+ * Representating a length field of a payload.
+ *
+ * When generating it must be changed from host to network order.
+ * The value is read from the associated data struct.
+ * The current write position is moved 16 bit forward afterwards.
+ *
+ * When parsing it must be changed from network to host order.
+ * The value is written to the associated data struct.
+ * The current read pointer is moved 16 bit forward afterwards.
+ */
+ PAYLOAD_LENGTH,
+
+ /**
+ * Representating a length field of a header.
+ *
+ * When generating it must be changed from host to network order.
+ * The value is read from the associated data struct.
+ * The current write position is moved 32 bit forward afterwards.
+ *
+ * When parsing it must be changed from network to host order.
+ * The value is written to the associated data struct.
+ * The current read pointer is moved 32 bit forward afterwards.
+ */
+ HEADER_LENGTH,
+
+ /**
+ * Representating a spi size field.
+ *
+ * When generating it must be changed from host to network order.
+ * The value is read from the associated data struct.
+ * The current write position is moved 8 bit forward afterwards.
+ *
+ * When parsing it must be changed from network to host order.
+ * The value is written to the associated data struct.
+ * The current read pointer is moved 8 bit forward afterwards.
+ */
+ SPI_SIZE,
+
+ /**
+ * Representating a spi field.
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing SPI_SIZE bytes are read and written into the chunk pointing to.
+ */
+ SPI,
+
+ /**
+ * Representating a Key Exchange Data field.
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
+ */
+ KEY_EXCHANGE_DATA,
+
+ /**
+ * Representating a Notification field.
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing (Payload Length - spi size - 8) bytes are read and written into the chunk pointing to.
+ */
+ NOTIFICATION_DATA,
+
+ /**
+ * Representating one or more proposal substructures.
+ *
+ * The offset points to a linked_list_t pointer.
+ *
+ * When generating the proposal_substructure_t objects are stored
+ * in the pointed linked_list.
+ *
+ * When parsing the parsed proposal_substructure_t objects have
+ * to be stored in the pointed linked_list.
+ */
+ PROPOSALS,
+
+ /**
+ * Representating one or more transform substructures.
+ *
+ * The offset points to a linked_list_t pointer.
+ *
+ * When generating the transform_substructure_t objects are stored
+ * in the pointed linked_list.
+ *
+ * When parsing the parsed transform_substructure_t objects have
+ * to be stored in the pointed linked_list.
+ */
+ TRANSFORMS,
+
+ /**
+ * Representating one or more Attributes of a transform substructure.
+ *
+ * The offset points to a linked_list_t pointer.
+ *
+ * When generating the transform_attribute_t objects are stored
+ * in the pointed linked_list.
+ *
+ * When parsing the parsed transform_attribute_t objects have
+ * to be stored in the pointed linked_list.
+ */
+ TRANSFORM_ATTRIBUTES,
+
+ /**
+ * Representating one or more Attributes of a configuration payload.
+ *
+ * The offset points to a linked_list_t pointer.
+ *
+ * When generating the configuration_attribute_t objects are stored
+ * in the pointed linked_list.
+ *
+ * When parsing the parsed configuration_attribute_t objects have
+ * to be stored in the pointed linked_list.
+ */
+ CONFIGURATION_ATTRIBUTES,
+
+ /**
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
+ */
+ CONFIGURATION_ATTRIBUTE_VALUE,
+
+ /**
+ * Representing a 1 Bit flag specifying the format of a transform attribute.
+ *
+ * When generation, the next bit is set to 1 if the associated value
+ * in the data struct is TRUE, 0 otherwise. The current write position
+ * is moved 1 bit forward afterwards.
+ *
+ * When parsing, the next bit is read and stored in the associated data
+ * struct. 0 means FALSE, 1 means TRUE, The current read pointer
+ * is moved 1 bit forward afterwards.
+ */
+ ATTRIBUTE_FORMAT,
+ /**
+ * Representing a 15 Bit unsigned int value used as attribute type
+ * in an attribute transform.
+ *
+ *
+ * When generating it must be changed from host to network order.
+ * The value is read from the associated data struct.
+ * The current write position is moved 15 bit forward afterwards.
+ *
+ * When parsing it must be changed from network to host order.
+ * The value is written to the associated data struct.
+ * The current read pointer is moved 15 bit forward afterwards.
+ */
+ ATTRIBUTE_TYPE,
+
+ /**
+ * Depending on the field of type ATTRIBUTE_FORMAT
+ * this field contains the length or the value of an transform attribute.
+ * Its stored in a 16 unsigned integer field.
+ *
+ * When generating it must be changed from host to network order.
+ * The value is read from the associated data struct.
+ * The current write position is moved 16 bit forward afterwards.
+ *
+ * When parsing it must be changed from network to host order.
+ * The value is written to the associated data struct.
+ * The current read pointer is moved 16 bit forward afterwards.
+ */
+ ATTRIBUTE_LENGTH_OR_VALUE,
+
+ /**
+ * This field contains the length or the value of an configuration attribute.
+ * Its stored in a 16 unsigned integer field.
+ *
+ * When generating it must be changed from host to network order.
+ * The value is read from the associated data struct.
+ * The current write position is moved 16 bit forward afterwards.
+ *
+ * When parsing it must be changed from network to host order.
+ * The value is written to the associated data struct.
+ * The current read pointer is moved 16 bit forward afterwards.
+ */
+ CONFIGURATION_ATTRIBUTE_LENGTH,
+
+ /**
+ * Depending on the field of type ATTRIBUTE_FORMAT
+ * this field is available or missing and so parsed/generated
+ * or not parsed/not generated.
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing SPI_SIZE bytes are read and written into the chunk pointing to.
+ */
+ ATTRIBUTE_VALUE,
+
+ /**
+ * Representating one or more Traffic selectors of a TS payload.
+ *
+ * The offset points to a linked_list_t pointer.
+ *
+ * When generating the traffic_selector_substructure_t objects are stored
+ * in the pointed linked_list.
+ *
+ * When parsing the parsed traffic_selector_substructure_t objects have
+ * to be stored in the pointed linked_list.
+ */
+ TRAFFIC_SELECTORS,
+
+ /**
+ * Representating a Traffic selector type field.
+ *
+ * When generating it must be changed from host to network order.
+ * The value is read from the associated data struct.
+ * The current write position is moved 16 bit forward afterwards.
+ *
+ * When parsing it must be changed from network to host order.
+ * The value is written to the associated data struct.
+ * The current read pointer is moved 16 bit forward afterwards.
+ */
+ TS_TYPE,
+
+ /**
+ * Representating an address field in a traffic selector.
+ *
+ * Depending on the last field of type TS_TYPE
+ * this field is either 4 or 16 byte long.
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing 4 or 16 bytes are read and written into the chunk pointing to.
+ */
+ ADDRESS,
+
+ /**
+ * Representating a Nonce Data field.
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
+ */
+ NONCE_DATA,
+
+ /**
+ * Representating a ID Data field.
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
+ */
+ ID_DATA,
+
+ /**
+ * Representating a AUTH Data field.
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
+ */
+ AUTH_DATA,
+
+ /**
+ * Representating a CERT Data field.
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
+ */
+ CERT_DATA,
+
+ /**
+ * Representating a CERTREQ Data field.
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing (Payload Length - 5) bytes are read and written into the chunk pointing to.
+ */
+ CERTREQ_DATA,
+
+ /**
+ * Representating an EAP message field.
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
+ */
+ EAP_DATA,
+
+ /**
+ * Representating the SPIS field in a DELETE payload.
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing (Payload Length - 8) bytes are read and written into the chunk pointing to.
+ */
+ SPIS,
+
+ /**
+ * Representating the VID DATA field in a VENDOR ID payload.
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
+ */
+ VID_DATA,
+
+ /**
+ * Representating the DATA of an unknown payload.
+ *
+ * When generating the content of the chunkt pointing to
+ * is written.
+ *
+ * When parsing (Payload Length - 4) bytes are read and written into the chunk pointing to.
+ */
+ UNKNOWN_DATA,
+
+ /**
+ * Representating an IKE_SPI field in an IKEv2 Header.
+ *
+ * When generating the value of the u_int64_t pointing to
+ * is written (host and networ order is not changed).
+ *
+ * When parsing 8 bytes are read and written into the u_int64_t pointing to.
+ */
+ IKE_SPI,
+
+ /**
+ * Representing the encrypted data body of a encryption payload.
+ */
+ ENCRYPTED_DATA,
+};
+
+/**
+ * enum name for encoding_type_t
+ *
+ * @ingroup payloads
+ */
+extern enum_name_t *encoding_type_names;
+
+/**
+ * An encoding rule is a mapping of a specific encoding type to
+ * a location in the data struct where the current field is stored to
+ * or read from.
+ *
+ * For examples see files in this directory.
+ *
+ * This rules are used by parser and generator.
+ *
+ * @ingroup payloads
+ */
+struct encoding_rule_t {
+
+ /**
+ * Encoding type.
+ */
+ encoding_type_t type;
+
+ /**
+ * Offset in the data struct.
+ *
+ * When parsing, data are written to this offset of the
+ * data struct.
+ *
+ * When generating, data are read from this offset in the
+ * data struct.
+ */
+ u_int32_t offset;
+};
+
+#endif /*ENCODINGS_H_*/
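Review bot: The data-field entries give the parse length as a bare subtraction, e.g. `(Payload Length - 8) bytes are read` on `KEY_EXCHANGE_DATA`, and do not say what happens when the received Payload Length is smaller than the subtracted header size. The parser is outside this hunk, so whether it rejects that case before computing the length is not visible; the contract belongs in these comments, for example `A Payload Length below the fixed header size is a parse error; the subtraction is only done after that check.` The same applies to `NOTIFICATION_DATA`, `CONFIGURATION_ATTRIBUTE_VALUE`, `NONCE_DATA`, `ID_DATA`, `AUTH_DATA`, `CERT_DATA`, `CERTREQ_DATA`, `EAP_DATA`, `SPIS`, `VID_DATA` and `UNKNOWN_DATA`. Separately, the `ATTRIBUTE_VALUE` comment says `SPI_SIZE bytes are read`, which looks copied from `SPI`; the length presumably comes from the preceding `ATTRIBUTE_LENGTH_OR_VALUE` field and the comment should say so. `CONFIGURATION_ATTRIBUTE_VALUE` has no description line at all.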
diff --git a/src/charon/encoding/payloads/encryption_payload.c b/src/charon/encoding/payloads/encryption_payload.c
new file mode 100644
index 000000000..23b6e8d9f
--- /dev/null
+++ b/src/charon/encoding/payloads/encryption_payload.c
@@ -0,0 +1,646 @@
+/**
+ * @file encryption_payload.c
+ *
+ * @brief Implementation of encryption_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+#include <string.h>
+
+#include "encryption_payload.h"
+
+#include <daemon.h>
+#include <encoding/payloads/encodings.h>
+#include <utils/linked_list.h>
+#include <encoding/generator.h>
+#include <encoding/parser.h>
+#include <utils/iterator.h>
+#include <utils/randomizer.h>
+#include <crypto/signers/signer.h>
+
+
+typedef struct private_encryption_payload_t private_encryption_payload_t;
+
+/**
+ * Private data of an encryption_payload_t' Object.
+ *
+ */
+struct private_encryption_payload_t {
+
+ /**
+ * Public encryption_payload_t interface.
+ */
+ encryption_payload_t public;
+
+ /**
+ * There is no next payload for an encryption payload,
+ * since encryption payload MUST be the last one.
+ * next_payload means here the first payload of the
+ * contained, encrypted payload.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload
+ */
+ u_int16_t payload_length;
+
+ /**
+ * Chunk containing the iv, data, padding,
+ * and (an eventually not calculated) signature.
+ */
+ chunk_t encrypted;
+
+ /**
+ * Chunk containing the data in decrypted (unpadded) form.
+ */
+ chunk_t decrypted;
+
+ /**
+ * Signer set by set_signer.
+ */
+ signer_t *signer;
+
+ /**
+ * Crypter, supplied by encrypt/decrypt
+ */
+ crypter_t *crypter;
+
+ /**
+ * Contained payloads of this encrpytion_payload.
+ */
+ linked_list_t *payloads;
+};
+
+/**
+ * Encoding rules to parse or generate a IKEv2-Encryption Payload.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_encryption_payload_t.
+ *
+ */
+encoding_rule_t encryption_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_encryption_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_encryption_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole encryption payload*/
+ { PAYLOAD_LENGTH, offsetof(private_encryption_payload_t, payload_length) },
+ /* encrypted data, stored in a chunk. contains iv, data, padding */
+ { ENCRYPTED_DATA, offsetof(private_encryption_payload_t, encrypted) },
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Initialization Vector !
+ ! (length is block size for encryption algorithm) !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Encrypted IKE Payloads !
+ + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! ! Padding (0-255 octets) !
+ +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
+ ! ! Pad Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ~ Integrity Checksum Data ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_encryption_payload_t *this)
+{
+ return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_encryption_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = encryption_payload_encodings;
+ *rule_count = sizeof(encryption_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_encryption_payload_t *this)
+{
+ return ENCRYPTED;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_encryption_payload_t *this)
+{
+ /* returns first contained payload here */
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_encryption_payload_t *this, payload_type_t type)
+{
+ /* set next type is not allowed, since this payload MUST be the last one
+ * and so nothing is done in here*/
+}
+
+/**
+ * (re-)compute the lenght of the whole payload
+ */
+static void compute_length(private_encryption_payload_t *this)
+{
+ iterator_t *iterator;
+ payload_t *current_payload;
+ size_t block_size, length = 0;
+ iterator = this->payloads->create_iterator(this->payloads, TRUE);
+
+ /* count payload length */
+ while (iterator->iterate(iterator, (void **) &current_payload))
+ {
+ length += current_payload->get_length(current_payload);
+ }
+ iterator->destroy(iterator);
+
+ if (this->crypter && this->signer)
+ {
+ /* append one byte for padding length */
+ length++;
+ /* append padding */
+ block_size = this->crypter->get_block_size(this->crypter);
+ length += block_size - length % block_size;
+ /* add iv */
+ length += block_size;
+ /* add signature */
+ length += this->signer->get_block_size(this->signer);
+ }
+ length += ENCRYPTION_PAYLOAD_HEADER_LENGTH;
+ this->payload_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_encryption_payload_t *this)
+{
+ compute_length(this);
+ return this->payload_length;
+}
+
+/**
+ * Implementation of payload_t.create_payload_iterator.
+ */
+static iterator_t *create_payload_iterator (private_encryption_payload_t *this, bool forward)
+{
+ return (this->payloads->create_iterator(this->payloads, forward));
+}
+
+/**
+ * Implementation of payload_t.add_payload.
+ */
+static void add_payload(private_encryption_payload_t *this, payload_t *payload)
+{
+ payload_t *last_payload;
+ if (this->payloads->get_count(this->payloads) > 0)
+ {
+ this->payloads->get_last(this->payloads,(void **) &last_payload);
+ last_payload->set_next_type(last_payload, payload->get_type(payload));
+ }
+ else
+ {
+ this->next_payload = payload->get_type(payload);
+ }
+ payload->set_next_type(payload, NO_PAYLOAD);
+ this->payloads->insert_last(this->payloads, (void*)payload);
+ compute_length(this);
+}
+
+/**
+ * Implementation of encryption_payload_t.remove_first_payload.
+ */
+static status_t remove_first_payload(private_encryption_payload_t *this, payload_t **payload)
+{
+ return this->payloads->remove_first(this->payloads, (void**)payload);
+}
+
+/**
+ * Implementation of encryption_payload_t.get_payload_count.
+ */
+static size_t get_payload_count(private_encryption_payload_t *this)
+{
+ return this->payloads->get_count(this->payloads);
+}
+
+/**
+ * Generate payload before encryption.
+ */
+static void generate(private_encryption_payload_t *this)
+{
+ payload_t *current_payload, *next_payload;
+ generator_t *generator;
+ iterator_t *iterator;
+
+ /* recalculate length before generating */
+ compute_length(this);
+
+ /* create iterator */
+ iterator = this->payloads->create_iterator(this->payloads, TRUE);
+
+ /* get first payload */
+ if (iterator->iterate(iterator, (void**)&current_payload))
+ {
+ this->next_payload = current_payload->get_type(current_payload);
+ }
+ else
+ {
+ /* no paylads? */
+ DBG2(DBG_ENC, "generating contained payloads, but none available");
+ free(this->decrypted.ptr);
+ this->decrypted = chunk_empty;
+ iterator->destroy(iterator);
+ return;
+ }
+
+ generator = generator_create();
+
+ /* build all payload, except last */
+ while(iterator->iterate(iterator, (void**)&next_payload))
+ {
+ current_payload->set_next_type(current_payload, next_payload->get_type(next_payload));
+ generator->generate_payload(generator, current_payload);
+ current_payload = next_payload;
+ }
+ iterator->destroy(iterator);
+
+ /* build last payload */
+ current_payload->set_next_type(current_payload, NO_PAYLOAD);
+ generator->generate_payload(generator, current_payload);
+
+ /* free already generated data */
+ free(this->decrypted.ptr);
+
+ generator->write_to_chunk(generator, &(this->decrypted));
+ generator->destroy(generator);
+ DBG2(DBG_ENC, "successfully generated content in encryption payload");
+}
+
+/**
+ * Implementation of encryption_payload_t.encrypt.
+ */
+static status_t encrypt(private_encryption_payload_t *this)
+{
+ chunk_t iv, padding, to_crypt, result;
+ randomizer_t *randomizer;
+ status_t status;
+ size_t block_size;
+
+ if (this->signer == NULL || this->crypter == NULL)
+ {
+ DBG1(DBG_ENC, "could not encrypt, signer/crypter not set");
+ return INVALID_STATE;
+ }
+
+ /* for random data in iv and padding */
+ randomizer = randomizer_create();
+
+ /* build payload chunk */
+ generate(this);
+
+ DBG2(DBG_ENC, "encrypting payloads");
+ DBG3(DBG_ENC, "data to encrypt %B", &this->decrypted);
+
+ /* build padding */
+ block_size = this->crypter->get_block_size(this->crypter);
+ padding.len = block_size - ((this->decrypted.len + 1) % block_size);
+ status = randomizer->allocate_pseudo_random_bytes(randomizer, padding.len, &padding);
+ if (status != SUCCESS)
+ {
+ randomizer->destroy(randomizer);
+ return status;
+ }
+
+ /* concatenate payload data, padding, padding len */
+ to_crypt.len = this->decrypted.len + padding.len + 1;
+ to_crypt.ptr = malloc(to_crypt.len);
+
+ memcpy(to_crypt.ptr, this->decrypted.ptr, this->decrypted.len);
+ memcpy(to_crypt.ptr + this->decrypted.len, padding.ptr, padding.len);
+ *(to_crypt.ptr + to_crypt.len - 1) = padding.len;
+
+ /* build iv */
+ iv.len = block_size;
+ status = randomizer->allocate_pseudo_random_bytes(randomizer, iv.len, &iv);
+ randomizer->destroy(randomizer);
+ if (status != SUCCESS)
+ {
+ chunk_free(&to_crypt);
+ chunk_free(&padding);
+ return status;
+ }
+
+ DBG3(DBG_ENC, "data before encryption with padding %B", &to_crypt);
+
+ /* encrypt to_crypt chunk */
+ free(this->encrypted.ptr);
+ status = this->crypter->encrypt(this->crypter, to_crypt, iv, &result);
+ free(padding.ptr);
+ free(to_crypt.ptr);
+ if (status != SUCCESS)
+ {
+ DBG2(DBG_ENC, "encryption failed");
+ free(iv.ptr);
+ return status;
+ }
+ DBG3(DBG_ENC, "data after encryption %B", &result);
+
+ /* build encrypted result with iv and signature */
+ this->encrypted.len = iv.len + result.len + this->signer->get_block_size(this->signer);
+ free(this->encrypted.ptr);
+ this->encrypted.ptr = malloc(this->encrypted.len);
+
+ /* fill in result, signature is left out */
+ memcpy(this->encrypted.ptr, iv.ptr, iv.len);
+ memcpy(this->encrypted.ptr + iv.len, result.ptr, result.len);
+
+ free(result.ptr);
+ free(iv.ptr);
+ DBG3(DBG_ENC, "data after encryption with IV and (invalid) signature %B",
+ &this->encrypted);
+
+ return SUCCESS;
+}
+
+/**
+ * Parse the payloads after decryption.
+ */
+static status_t parse(private_encryption_payload_t *this)
+{
+ parser_t *parser;
+ status_t status;
+ payload_type_t current_payload_type;
+
+ /* build a parser on the decrypted data */
+ parser = parser_create(this->decrypted);
+
+ current_payload_type = this->next_payload;
+ /* parse all payloads */
+ while (current_payload_type != NO_PAYLOAD)
+ {
+ payload_t *current_payload;
+
+ status = parser->parse_payload(parser, current_payload_type, (payload_t**)&current_payload);
+ if (status != SUCCESS)
+ {
+ parser->destroy(parser);
+ return PARSE_ERROR;
+ }
+
+ status = current_payload->verify(current_payload);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "%N verification failed",
+ payload_type_names, current_payload->get_type(current_payload));
+ current_payload->destroy(current_payload);
+ parser->destroy(parser);
+ return VERIFY_ERROR;
+ }
+
+ /* get next payload type */
+ current_payload_type = current_payload->get_next_type(current_payload);
+
+ this->payloads->insert_last(this->payloads,current_payload);
+ }
+ parser->destroy(parser);
+ DBG2(DBG_ENC, "succesfully parsed content of encryption payload");
+ return SUCCESS;
+}
+
+/**
+ * Implementation of encryption_payload_t.encrypt.
+ */
+static status_t decrypt(private_encryption_payload_t *this)
+{
+ chunk_t iv, concatenated;
+ u_int8_t padding_length;
+ status_t status;
+
+ DBG2(DBG_ENC, "decrypting encryption payload");
+ DBG3(DBG_ENC, "data before decryption with IV and (invalid) signature %B",
+ &this->encrypted);
+
+ if (this->signer == NULL || this->crypter == NULL)
+ {
+ DBG1(DBG_ENC, "could not decrypt, no crypter/signer set");
+ return INVALID_STATE;
+ }
+
+ /* get IV */
+ iv.len = this->crypter->get_block_size(this->crypter);
+
+ iv.ptr = this->encrypted.ptr;
+
+ /* point concatenated to data + padding + padding_length*/
+ concatenated.ptr = this->encrypted.ptr + iv.len;
+ concatenated.len = this->encrypted.len - iv.len - this->signer->get_block_size(this->signer);
+
+ /* check the size of input:
+ * concatenated must be at least on block_size of crypter
+ */
+ if (concatenated.len < iv.len)
+ {
+ DBG1(DBG_ENC, "could not decrypt, invalid input");
+ return FAILED;
+ }
+
+ /* free previus data, if any */
+ free(this->decrypted.ptr);
+
+ DBG3(DBG_ENC, "data before decryption %B", &concatenated);
+
+ status = this->crypter->decrypt(this->crypter, concatenated, iv, &(this->decrypted));
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "could not decrypt, decryption failed");
+ return FAILED;
+ }
+ DBG3(DBG_ENC, "data after decryption with padding %B", &this->decrypted);
+
+
+ /* get padding length, sits just bevore signature */
+ padding_length = *(this->decrypted.ptr + this->decrypted.len - 1);
+ /* add one byte to the padding length, since the padding_length field is not included */
+ padding_length++;
+ this->decrypted.len -= padding_length;
+
+ /* check size again */
+ if (padding_length > concatenated.len || this->decrypted.len < 0)
+ {
+ DBG1(DBG_ENC, "decryption failed, invalid padding length found. Invalid key?");
+ /* decryption failed :-/ */
+ return FAILED;
+ }
+
+ /* free padding */
+ this->decrypted.ptr = realloc(this->decrypted.ptr, this->decrypted.len);
+ DBG3(DBG_ENC, "data after decryption without padding %B", &this->decrypted);
+ DBG2(DBG_ENC, "decryption successful, trying to parse content");
+ return parse(this);
+}
+
+/**
+ * Implementation of encryption_payload_t.set_transforms.
+ */
+static void set_transforms(private_encryption_payload_t *this, crypter_t* crypter, signer_t* signer)
+{
+ this->signer = signer;
+ this->crypter = crypter;
+}
+
+/**
+ * Implementation of encryption_payload_t.build_signature.
+ */
+static status_t build_signature(private_encryption_payload_t *this, chunk_t data)
+{
+ chunk_t data_without_sig = data;
+ chunk_t sig;
+
+ if (this->signer == NULL)
+ {
+ DBG1(DBG_ENC, "unable to build signature, no signer set");
+ return INVALID_STATE;
+ }
+
+ sig.len = this->signer->get_block_size(this->signer);
+ data_without_sig.len -= sig.len;
+ sig.ptr = data.ptr + data_without_sig.len;
+ DBG2(DBG_ENC, "building signature");
+ this->signer->get_signature(this->signer, data_without_sig, sig.ptr);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of encryption_payload_t.verify_signature.
+ */
+static status_t verify_signature(private_encryption_payload_t *this, chunk_t data)
+{
+ chunk_t sig, data_without_sig;
+ bool valid;
+
+ if (this->signer == NULL)
+ {
+ DBG1(DBG_ENC, "unable to verify signature, no signer set");
+ return INVALID_STATE;
+ }
+ /* find signature in data chunk */
+ sig.len = this->signer->get_block_size(this->signer);
+ if (data.len <= sig.len)
+ {
+ DBG1(DBG_ENC, "unable to verify signature, invalid input");
+ return FAILED;
+ }
+ sig.ptr = data.ptr + data.len - sig.len;
+
+ /* verify it */
+ data_without_sig.len = data.len - sig.len;
+ data_without_sig.ptr = data.ptr;
+ valid = this->signer->verify_signature(this->signer, data_without_sig, sig);
+
+ if (!valid)
+ {
+ DBG1(DBG_ENC, "signature verification failed");
+ return FAILED;
+ }
+
+ DBG2(DBG_ENC, "signature verification successful");
+ return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.destroy.
+ */
+static void destroy(private_encryption_payload_t *this)
+{
+ this->payloads->destroy_offset(this->payloads, offsetof(payload_t, destroy));
+ free(this->encrypted.ptr);
+ free(this->decrypted.ptr);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+encryption_payload_t *encryption_payload_create()
+{
+ private_encryption_payload_t *this = malloc_thing(private_encryption_payload_t);
+
+ /* payload_t interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.create_payload_iterator = (iterator_t * (*) (encryption_payload_t *,bool)) create_payload_iterator;
+ this->public.add_payload = (void (*) (encryption_payload_t *,payload_t *)) add_payload;
+ this->public.remove_first_payload = (status_t (*)(encryption_payload_t*, payload_t **)) remove_first_payload;
+ this->public.get_payload_count = (size_t (*)(encryption_payload_t*)) get_payload_count;
+
+ this->public.encrypt = (status_t (*) (encryption_payload_t *)) encrypt;
+ this->public.decrypt = (status_t (*) (encryption_payload_t *)) decrypt;
+ this->public.set_transforms = (void (*) (encryption_payload_t*,crypter_t*,signer_t*)) set_transforms;
+ this->public.build_signature = (status_t (*) (encryption_payload_t*, chunk_t)) build_signature;
+ this->public.verify_signature = (status_t (*) (encryption_payload_t*, chunk_t)) verify_signature;
+ this->public.destroy = (void (*) (encryption_payload_t *)) destroy;
+
+ /* set default values of the fields */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length = ENCRYPTION_PAYLOAD_HEADER_LENGTH;
+ this->encrypted = chunk_empty;
+ this->decrypted = chunk_empty;
+ this->signer = NULL;
+ this->crypter = NULL;
+ this->payloads = linked_list_create();
+
+ return (&(this->public));
+}
diff --git a/src/charon/encoding/payloads/encryption_payload.h b/src/charon/encoding/payloads/encryption_payload.h
new file mode 100644
index 000000000..7cf53619f
--- /dev/null
+++ b/src/charon/encoding/payloads/encryption_payload.h
@@ -0,0 +1,197 @@
+/**
+ * @file encryption_payload.h
+ *
+ * @brief Interface of encryption_payload_t.
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef ENCRYPTION_PAYLOAD_H_
+#define ENCRYPTION_PAYLOAD_H_
+
+typedef struct encryption_payload_t encryption_payload_t;
+
+#include <library.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <encoding/payloads/payload.h>
+#include <utils/linked_list.h>
+
+/**
+ * Encrpytion payload length in bytes without IV and following data.
+ *
+ * @ingroup payloads
+ */
+#define ENCRYPTION_PAYLOAD_HEADER_LENGTH 4
+
+
+/**
+ * @brief The encryption payload as described in RFC section 3.14.
+ *
+ * Before any crypt/decrypt/sign/verify operation can occur,
+ * the transforms must be set. After that, a parsed encryption payload
+ * can be decrypted, which also will parse the contained payloads.
+ * Encryption is done the same way, added payloads will get generated
+ * and then encrypted.
+ * For signature building, there is the FULL packet needed. Meaning it
+ * must be builded after generation of all payloads and the encryption
+ * of the encryption payload.
+ * Signature verificatin is done before decryption.
+ *
+ * @b Constructors:
+ * - encryption_payload_create()
+ *
+ * @ingroup payloads
+ */
+struct encryption_payload_t {
+ /**
+ * Implements payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Creates an iterator for all contained payloads.
+ *
+ * @warning iterator_t object has to get destroyed by the caller.
+ *
+ * @param this calling encryption_payload_t object
+ * @param[in] forward iterator direction (TRUE: front to end)
+ * return created iterator_t object
+ */
+ iterator_t *(*create_payload_iterator) (encryption_payload_t *this, bool forward);
+
+ /**
+ * @brief Adds a payload to this encryption payload.
+ *
+ * @param this calling encryption_payload_t object
+ * @param payload payload_t object to add
+ */
+ void (*add_payload) (encryption_payload_t *this, payload_t *payload);
+
+ /**
+ * @brief Reove the last payload in the contained payload list.
+ *
+ * @param this calling encryption_payload_t object
+ * @param[out] payload removed payload
+ * @return
+ * - SUCCESS, or
+ * - NOT_FOUND if list empty
+ */
+ status_t (*remove_first_payload) (encryption_payload_t *this, payload_t **payload);
+
+ /**
+ * @brief Get the number of payloads.
+ *
+ * @param this calling encryption_payload_t object
+ * @return number of contained payloads
+ */
+ size_t (*get_payload_count) (encryption_payload_t *this);
+
+ /**
+ * @brief Set transforms to use.
+ *
+ * To decryption, encryption, signature building and verifying,
+ * the payload needs a crypter and a signer object.
+ *
+ * @warning Do NOT call this function again after encryption, since
+ * the signer must be the same while encrypting and signature building!
+ *
+ * @param this calling encryption_payload_t
+ * @param crypter crypter_t to use for data de-/encryption
+ * @param signer signer_t to use for data signing/verifying
+ */
+ void (*set_transforms) (encryption_payload_t *this, crypter_t *crypter, signer_t *signer);
+
+ /**
+ * @brief Generate and encrypt contained payloads.
+ *
+ * This function generates the content for added payloads
+ * and encrypts them. Signature is not built, since we need
+ * additional data (the full message).
+ *
+ * @param this calling encryption_payload_t
+ * @return
+ * - SUCCESS, or
+ * - INVALID_STATE if transforms not set
+ */
+ status_t (*encrypt) (encryption_payload_t *this);
+
+ /**
+ * @brief Decrypt and parse contained payloads.
+ *
+ * This function decrypts the contained data. After,
+ * the payloads are parsed internally and are accessible
+ * via the iterator.
+ *
+ * @param this calling encryption_payload_t
+ * @return
+ * - SUCCESS, or
+ * - INVALID_STATE if transforms not set, or
+ * - FAILED if data is invalid
+ */
+ status_t (*decrypt) (encryption_payload_t *this);
+
+ /**
+ * @brief Build the signature.
+ *
+ * The signature is built over the FULL message, so the header
+ * and every payload (inclusive this one) must already be generated.
+ * The generated message is supplied via the data paramater.
+ *
+ * @param this calling encryption_payload_t
+ * @param data chunk contains the already generated message
+ * @return
+ * - SUCCESS, or
+ * - INVALID_STATE if transforms not set
+ */
+ status_t (*build_signature) (encryption_payload_t *this, chunk_t data);
+
+ /**
+ * @brief Verify the signature.
+ *
+ * Since the signature is built over the full message, we need
+ * this data to do the verification. The message data
+ * is supplied via the data argument.
+ *
+ * @param this calling encryption_payload_t
+ * @param data chunk contains the message
+ * @return
+ * - SUCCESS, or
+ * - FAILED if signature invalid, or
+ * - INVALID_STATE if transforms not set
+ */
+ status_t (*verify_signature) (encryption_payload_t *this, chunk_t data);
+
+ /**
+ * @brief Destroys an encryption_payload_t object.
+ *
+ * @param this encryption_payload_t object to destroy
+ */
+ void (*destroy) (encryption_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty encryption_payload_t object.
+ *
+ * @return encryption_payload_t object
+ *
+ * @ingroup payloads
+ */
+encryption_payload_t *encryption_payload_create(void);
+
+
+#endif /*ENCRYPTION_PAYLOAD_H_*/
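Review bot: The `decrypt` comment does not tell the caller that `verify_signature` has to succeed on the full message before `decrypt` is called. The decrypt() in encryption_payload.c from this same commit never checks the checksum itself, and it reads the padding-length byte from the decrypted data. The struct-level sentence "Signature verificatin is done before decryption" reads as if that happened internally, so I would add to `decrypt`: `@warning Call verify_signature() on the complete message first; decrypt() does not check integrity.` The `@return` list is also incomplete, because decrypt() ends in `return parse(this);`, which yields PARSE_ERROR or VERIFY_ERROR. Separately, the `remove_first_payload` comment says it removes the last payload, which contradicts the member name.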
diff --git a/src/charon/encoding/payloads/id_payload.c b/src/charon/encoding/payloads/id_payload.c
new file mode 100644
index 000000000..74c0ce870
--- /dev/null
+++ b/src/charon/encoding/payloads/id_payload.c
@@ -0,0 +1,323 @@
+/**
+ * @file id_payload.h
+ *
+ * @brief Interface of id_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "id_payload.h"
+
+#include <daemon.h>
+#include <encoding/payloads/encodings.h>
+
+typedef struct private_id_payload_t private_id_payload_t;
+
+/**
+ * Private data of an id_payload_t object.
+ *
+ */
+struct private_id_payload_t {
+ /**
+ * Public id_payload_t interface.
+ */
+ id_payload_t public;
+
+ /**
+ * TRUE if this ID payload is of type IDi, FALSE for IDr.
+ */
+ bool is_initiator;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * Type of the ID Data.
+ */
+ u_int8_t id_type;
+
+ /**
+ * The contained id data value.
+ */
+ chunk_t id_data;
+};
+
+/**
+ * Encoding rules to parse or generate a ID payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_id_payload_t.
+ *
+ */
+encoding_rule_t id_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_id_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_id_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole payload*/
+ { PAYLOAD_LENGTH, offsetof(private_id_payload_t, payload_length) },
+ /* 1 Byte ID type*/
+ { U_INT_8, offsetof(private_id_payload_t, id_type) },
+ /* 3 reserved bytes */
+ { RESERVED_BYTE, 0 },
+ { RESERVED_BYTE, 0 },
+ { RESERVED_BYTE, 0 },
+ /* some id data bytes, length is defined in PAYLOAD_LENGTH */
+ { ID_DATA, offsetof(private_id_payload_t, id_data) }
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! ID Type ! RESERVED |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Identification Data ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_id_payload_t *this)
+{
+ if ((this->id_type == 0) ||
+ (this->id_type == 4) ||
+ ((this->id_type >= 6) && (this->id_type <= 8)) ||
+ ((this->id_type >= 12) && (this->id_type <= 200)))
+ {
+ /* reserved IDs */
+ DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type);
+ return FAILED;
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of id_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_id_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = id_payload_encodings;
+ *rule_count = sizeof(id_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_id_payload_t *this)
+{
+ if (this->is_initiator)
+ {
+ return ID_INITIATOR;
+ }
+ else
+ {
+ return ID_RESPONDER;
+ }
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_id_payload_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_id_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_id_payload_t *this)
+{
+ return this->payload_length;
+}
+
+/**
+ * Implementation of id_payload_t.set_type.
+ */
+static void set_id_type (private_id_payload_t *this, id_type_t type)
+{
+ this->id_type = type;
+}
+
+/**
+ * Implementation of id_payload_t.get_id_type.
+ */
+static id_type_t get_id_type (private_id_payload_t *this)
+{
+ return (this->id_type);
+}
+
+/**
+ * Implementation of id_payload_t.set_data.
+ */
+static void set_data (private_id_payload_t *this, chunk_t data)
+{
+ if (this->id_data.ptr != NULL)
+ {
+ chunk_free(&(this->id_data));
+ }
+ this->id_data.ptr = clalloc(data.ptr,data.len);
+ this->id_data.len = data.len;
+ this->payload_length = ID_PAYLOAD_HEADER_LENGTH + this->id_data.len;
+}
+
+
+/**
+ * Implementation of id_payload_t.get_data_clone.
+ */
+static chunk_t get_data (private_id_payload_t *this)
+{
+ return (this->id_data);
+}
+
+/**
+ * Implementation of id_payload_t.get_data_clone.
+ */
+static chunk_t get_data_clone (private_id_payload_t *this)
+{
+ chunk_t cloned_data;
+ if (this->id_data.ptr == NULL)
+ {
+ return (this->id_data);
+ }
+ cloned_data.ptr = clalloc(this->id_data.ptr,this->id_data.len);
+ cloned_data.len = this->id_data.len;
+ return cloned_data;
+}
+
+/**
+ * Implementation of id_payload_t.get_initiator.
+ */
+static bool get_initiator (private_id_payload_t *this)
+{
+ return (this->is_initiator);
+}
+
+/**
+ * Implementation of id_payload_t.set_initiator.
+ */
+static void set_initiator (private_id_payload_t *this,bool is_initiator)
+{
+ this->is_initiator = is_initiator;
+}
+
+/**
+ * Implementation of id_payload_t.get_identification.
+ */
+static identification_t *get_identification (private_id_payload_t *this)
+{
+ return identification_create_from_encoding(this->id_type,this->id_data);
+}
+
+/**
+ * Implementation of payload_t.destroy and id_payload_t.destroy.
+ */
+static void destroy(private_id_payload_t *this)
+{
+ if (this->id_data.ptr != NULL)
+ {
+ chunk_free(&(this->id_data));
+ }
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+id_payload_t *id_payload_create(bool is_initiator)
+{
+ private_id_payload_t *this = malloc_thing(private_id_payload_t);
+
+ /* interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.destroy = (void (*) (id_payload_t *)) destroy;
+ this->public.set_id_type = (void (*) (id_payload_t *,id_type_t)) set_id_type;
+ this->public.get_id_type = (id_type_t (*) (id_payload_t *)) get_id_type;
+ this->public.set_data = (void (*) (id_payload_t *,chunk_t)) set_data;
+ this->public.get_data = (chunk_t (*) (id_payload_t *)) get_data;
+ this->public.get_data_clone = (chunk_t (*) (id_payload_t *)) get_data_clone;
+
+ this->public.get_initiator = (bool (*) (id_payload_t *)) get_initiator;
+ this->public.set_initiator = (void (*) (id_payload_t *,bool)) set_initiator;
+ this->public.get_identification = (identification_t * (*) (id_payload_t *this)) get_identification;
+
+ /* private variables */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length =ID_PAYLOAD_HEADER_LENGTH;
+ this->id_data = chunk_empty;
+ this->is_initiator = is_initiator;
+
+ return (&(this->public));
+}
+
+/*
+ * Described in header.
+ */
+id_payload_t *id_payload_create_from_identification(bool is_initiator,identification_t *identification)
+{
+ id_payload_t *this= id_payload_create(is_initiator);
+ this->set_data(this,identification->get_encoding(identification));
+ this->set_id_type(this,identification->get_type(identification));
+ return this;
+}
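Review bot: verify() rejects reserved ID types but never looks at the length of id_data, so a received address-type ID of any length passes and get_identification() hands it unchanged to identification_create_from_encoding(). Whether that function checks the length is not visible in this hunk, so the payload's own verify step should reject it: `if ((this->id_type == ID_IPV4_ADDR && this->id_data.len != 4) || (this->id_type == ID_IPV6_ADDR && this->id_data.len != 16)) return FAILED;`. The numeric ranges in the existing condition would also read better with the id_type_t names instead of bare numbers. The file comment at the top still says `@file id_payload.h` and "Interface of", and the comment above get_data() names get_data_clone.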
diff --git a/src/charon/encoding/payloads/id_payload.h b/src/charon/encoding/payloads/id_payload.h
new file mode 100644
index 000000000..b67d85d2e
--- /dev/null
+++ b/src/charon/encoding/payloads/id_payload.h
@@ -0,0 +1,172 @@
+/**
+ * @file id_payload.h
+ *
+ * @brief Interface of id_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#ifndef ID_PAYLOAD_H_
+#define ID_PAYLOAD_H_
+
+typedef struct id_payload_t id_payload_t;
+
+#include <library.h>
+#include <utils/identification.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Length of a id payload without the data in bytes.
+ *
+ * @ingroup payloads
+ */
+#define ID_PAYLOAD_HEADER_LENGTH 8
+
+/**
+ * Object representing an IKEv2 ID payload.
+ *
+ * The ID payload format is described in RFC section 3.5.
+ *
+ * @b Constructors:
+ * - id_payload_create_from_identification()
+ * - id_payload_create()
+ *
+ * @ingroup payloads
+ */
+struct id_payload_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Set the ID type.
+ *
+ * @param this calling id_payload_t object
+ * @param type Type of ID
+ */
+ void (*set_id_type) (id_payload_t *this, id_type_t type);
+
+ /**
+ * @brief Get the ID type.
+ *
+ * @param this calling id_payload_t object
+ * @return type of the ID
+ */
+ id_type_t (*get_id_type) (id_payload_t *this);
+
+ /**
+ * @brief Set the ID data.
+ *
+ * Data are getting cloned.
+ *
+ * @param this calling id_payload_t object
+ * @param data ID data as chunk_t
+ */
+ void (*set_data) (id_payload_t *this, chunk_t data);
+
+ /**
+ * @brief Get the ID data.
+ *
+ * Returned data are a copy of the internal one
+ *
+ * @param this calling id_payload_t object
+ * @return ID data as chunk_t
+ */
+ chunk_t (*get_data_clone) (id_payload_t *this);
+
+ /**
+ * @brief Get the ID data.
+ *
+ * Returned data are NOT copied.
+ *
+ * @param this calling id_payload_t object
+ * @return ID data as chunk_t
+ */
+ chunk_t (*get_data) (id_payload_t *this);
+
+ /**
+ * @brief Creates an identification object of this id payload.
+ *
+ * Returned object has to get destroyed by the caller.
+ *
+ * @param this calling id_payload_t object
+ * @return identification_t object
+ */
+ identification_t *(*get_identification) (id_payload_t *this);
+
+ /**
+ * @brief Get the type of ID payload (IDi or IDr).
+ *
+ * @param this calling id_payload_t object
+ * @return
+ * - TRUE if this payload is of type IDi
+ * - FALSE if this payload is of type IDr
+ *
+ */
+ bool (*get_initiator) (id_payload_t *this);
+
+ /**
+ * @brief Set the type of ID payload (IDi or IDr).
+ *
+ * @param this calling id_payload_t object
+ * @param is_initiator
+ * - TRUE if this payload is of type IDi
+ * - FALSE if this payload is of type IDr
+ *
+ */
+ void (*set_initiator) (id_payload_t *this,bool is_initiator);
+
+ /**
+ * @brief Destroys an id_payload_t object.
+ *
+ * @param this id_payload_t object to destroy
+ */
+ void (*destroy) (id_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty id_payload_t object.
+ *
+ * @param is_initiator
+ * - TRUE if this payload is of type IDi
+ * - FALSE if this payload is of type IDr
+ *
+ * @return id_payload_t object
+ *
+ * @ingroup payloads
+ */
+id_payload_t *id_payload_create(bool is_initiator);
+
+/**
+ * @brief Creates an id_payload_t from an existing identification_t object.
+ *
+ * @param is_initiator
+ * - TRUE if this payload is of type IDi
+ * - FALSE if this payload is of type IDr
+ * @param identification identification_t object
+ * @return id_payload_t object
+ *
+ * @ingroup payloads
+ */
+id_payload_t *id_payload_create_from_identification(bool is_initiator,identification_t *identification);
+
+
+
+#endif /* ID_PAYLOAD_H_ */
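Review bot: The `get_data` comment says only that the data are NOT copied, which leaves the lifetime of the returned chunk undocumented. In id_payload.c the chunk is the payload's own id_data, which set_data() and destroy() free, so a caller that keeps it across either call holds a dangling pointer, and a caller that frees it sets up a double free. Suggested wording: `Returned chunk references internal data; do not free it, it becomes invalid after set_data() or destroy().` The `get_data_clone` comment should say the opposite explicitly: `Returned chunk is allocated; the caller has to free it.`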
diff --git a/src/charon/encoding/payloads/ike_header.c b/src/charon/encoding/payloads/ike_header.c
new file mode 100644
index 000000000..b1b4fbf87
--- /dev/null
+++ b/src/charon/encoding/payloads/ike_header.c
@@ -0,0 +1,406 @@
+/**
+ * @file ike_header.c
+ *
+ * @brief Implementation of ike_header_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/* offsetof macro */
+#include <stddef.h>
+
+#include "ike_header.h"
+
+#include <encoding/payloads/encodings.h>
+
+
+typedef struct private_ike_header_t private_ike_header_t;
+
+/**
+ * Private data of an ike_header_t object.
+ *
+ */
+struct private_ike_header_t {
+ /**
+ * Public interface.
+ */
+ ike_header_t public;
+
+ /**
+ * SPI of the initiator.
+ */
+ u_int64_t initiator_spi;
+
+ /**
+ * SPI of the responder.
+ */
+ u_int64_t responder_spi;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+ /**
+ * IKE major version.
+ */
+ u_int8_t maj_version;
+
+ /**
+ * IKE minor version.
+ */
+ u_int8_t min_version;
+
+ /**
+ * Exchange type .
+ */
+ u_int8_t exchange_type;
+
+ /**
+ * Flags of the Message.
+ *
+ */
+ struct {
+ /**
+ * Sender is initiator of the associated IKE_SA_INIT-Exchange.
+ */
+ bool initiator;
+
+ /**
+ * Is protocol supporting higher version?
+ */
+ bool version;
+
+ /**
+ * TRUE, if this is a response, FALSE if its a Request.
+ */
+ bool response;
+ } flags;
+
+ /**
+ * Associated Message-ID.
+ */
+ u_int32_t message_id;
+
+ /**
+ * Length of the whole IKEv2-Message (header and all payloads).
+ */
+ u_int32_t length;
+};
+
+ENUM_BEGIN(exchange_type_names, EXCHANGE_TYPE_UNDEFINED, EXCHANGE_TYPE_UNDEFINED,
+ "EXCHANGE_TYPE_UNDEFINED");
+ENUM_NEXT(exchange_type_names, IKE_SA_INIT, INFORMATIONAL, EXCHANGE_TYPE_UNDEFINED,
+ "IKE_SA_INIT",
+ "IKE_AUTH",
+ "CREATE_CHILD_SA",
+ "INFORMATIONAL");
+ENUM_END(exchange_type_names, INFORMATIONAL);
+
+/**
+ * Encoding rules to parse or generate a IKEv2-Header.
+ *
+ * The defined offsets are the positions in a object of type
+ * ike_header_t.
+ *
+ */
+encoding_rule_t ike_header_encodings[] = {
+ /* 8 Byte SPI, stored in the field initiator_spi */
+ { IKE_SPI, offsetof(private_ike_header_t, initiator_spi) },
+ /* 8 Byte SPI, stored in the field responder_spi */
+ { IKE_SPI, offsetof(private_ike_header_t, responder_spi) },
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_ike_header_t, next_payload) },
+ /* 4 Bit major version, stored in the field maj_version */
+ { U_INT_4, offsetof(private_ike_header_t, maj_version) },
+ /* 4 Bit minor version, stored in the field min_version */
+ { U_INT_4, offsetof(private_ike_header_t, min_version) },
+ /* 8 Bit for the exchange type */
+ { U_INT_8, offsetof(private_ike_header_t, exchange_type) },
+ /* 2 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* 3 Bit flags, stored in the fields response, version and initiator */
+ { FLAG, offsetof(private_ike_header_t, flags.response) },
+ { FLAG, offsetof(private_ike_header_t, flags.version) },
+ { FLAG, offsetof(private_ike_header_t, flags.initiator) },
+ /* 3 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* 4 Byte message id, stored in the field message_id */
+ { U_INT_32, offsetof(private_ike_header_t, message_id) },
+ /* 4 Byte length fied, stored in the field length */
+ { HEADER_LENGTH, offsetof(private_ike_header_t, length) }
+};
+
+
+/* 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! IKE_SA Initiator's SPI !
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! IKE_SA Responder's SPI !
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Message ID !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_ike_header_t *this)
+{
+ if ((this->exchange_type < IKE_SA_INIT) || (this->exchange_type > INFORMATIONAL))
+ {
+ /* unsupported exchange type */
+ return FAILED;
+ }
+ if (this->initiator_spi == 0)
+ {
+ /* initiator spi not set */
+ return FAILED;
+ }
+
+ /* verification of version is not done in here */
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(payload_t *this,payload_type_t type)
+{
+ ((private_ike_header_t *)this)->next_payload = type;
+}
+/**
+ * Implementation of ike_header_t.get_initiator_spi.
+ */
+static u_int64_t get_initiator_spi(private_ike_header_t *this)
+{
+ return this->initiator_spi;
+}
+
+/**
+ * Implementation of ike_header_t.set_initiator_spi.
+ */
+static void set_initiator_spi(private_ike_header_t *this, u_int64_t initiator_spi)
+{
+ this->initiator_spi = initiator_spi;
+}
+
+/**
+ * Implementation of ike_header_t.get_responder_spi.
+ */
+static u_int64_t get_responder_spi(private_ike_header_t *this)
+{
+ return this->responder_spi;
+}
+
+/**
+ * Implementation of ike_header_t.set_responder_spi.
+ */
+static void set_responder_spi(private_ike_header_t *this, u_int64_t responder_spi)
+{
+ this->responder_spi = responder_spi;
+}
+
+/**
+ * Implementation of ike_header_t.get_maj_version.
+ */
+static u_int8_t get_maj_version(private_ike_header_t *this)
+{
+ return this->maj_version;
+}
+
+/**
+ * Implementation of ike_header_t.get_min_version.
+ */
+static u_int8_t get_min_version(private_ike_header_t *this)
+{
+ return this->min_version;
+}
+
+/**
+ * Implementation of ike_header_t.get_response_flag.
+ */
+static bool get_response_flag(private_ike_header_t *this)
+{
+ return this->flags.response;
+}
+
+/**
+ * Implementation of ike_header_t.set_response_flag.
+ */
+static void set_response_flag(private_ike_header_t *this, bool response)
+{
+ this->flags.response = response;
+}
+
+/**
+ * Implementation of ike_header_t.get_version_flag.
+ */
+static bool get_version_flag(private_ike_header_t *this)
+{
+ return this->flags.version;
+}
+
+/**
+ * Implementation of ike_header_t.get_initiator_flag.
+ */
+static bool get_initiator_flag(private_ike_header_t *this)
+{
+ return this->flags.initiator;
+}
+
+/**
+ * Implementation of ike_header_t.set_initiator_flag.
+ */
+static void set_initiator_flag(private_ike_header_t *this, bool initiator)
+{
+ this->flags.initiator = initiator;
+}
+
+/**
+ * Implementation of ike_header_t.get_exchange_type.
+ */
+static u_int8_t get_exchange_type(private_ike_header_t *this)
+{
+ return this->exchange_type;
+}
+
+/**
+ * Implementation of ike_header_t.set_exchange_type.
+ */
+static void set_exchange_type(private_ike_header_t *this, u_int8_t exchange_type)
+{
+ this->exchange_type = exchange_type;
+}
+
+/**
+ * Implements ike_header_t's get_message_id function.
+ * See #ike_header_t.get_message_id for description.
+ */
+static u_int32_t get_message_id(private_ike_header_t *this)
+{
+ return this->message_id;
+}
+
+/**
+ * Implementation of ike_header_t.set_message_id.
+ */
+static void set_message_id(private_ike_header_t *this, u_int32_t message_id)
+{
+ this->message_id = message_id;
+}
+
+/**
+ * Implementation of ike_header_t.destroy and payload_t.destroy.
+ */
+static void destroy(ike_header_t *this)
+{
+ free(this);
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = ike_header_encodings;
+ *rule_count = sizeof(ike_header_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(payload_t *this)
+{
+ return HEADER;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(payload_t *this)
+{
+ return (((private_ike_header_t*)this)->next_payload);
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(payload_t *this)
+{
+ return (((private_ike_header_t*)this)->length);
+}
+
+/*
+ * Described in header.
+ */
+ike_header_t *ike_header_create()
+{
+ private_ike_header_t *this = malloc_thing(private_ike_header_t);
+
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = get_encoding_rules;
+ this->public.payload_interface.get_length = get_length;
+ this->public.payload_interface.get_next_type = get_next_type;
+ this->public.payload_interface.set_next_type = set_next_type;
+ this->public.payload_interface.get_type = get_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+ this->public.destroy = destroy;
+
+ this->public.get_initiator_spi = (u_int64_t (*) (ike_header_t*))get_initiator_spi;
+ this->public.set_initiator_spi = (void (*) (ike_header_t*,u_int64_t))set_initiator_spi;
+ this->public.get_responder_spi = (u_int64_t (*) (ike_header_t*))get_responder_spi;
+ this->public.set_responder_spi = (void (*) (ike_header_t *,u_int64_t))set_responder_spi;
+ this->public.get_maj_version = (u_int8_t (*) (ike_header_t*))get_maj_version;
+ this->public.get_min_version = (u_int8_t (*) (ike_header_t*))get_min_version;
+ this->public.get_response_flag = (bool (*) (ike_header_t*))get_response_flag;
+ this->public.set_response_flag = (void (*) (ike_header_t*,bool))set_response_flag;
+ this->public.get_version_flag = (bool (*) (ike_header_t*))get_version_flag;
+ this->public.get_initiator_flag = (bool (*) (ike_header_t*))get_initiator_flag;
+ this->public.set_initiator_flag = (void (*) (ike_header_t*,bool))set_initiator_flag;
+ this->public.get_exchange_type = (u_int8_t (*) (ike_header_t*))get_exchange_type;
+ this->public.set_exchange_type = (void (*) (ike_header_t*,u_int8_t))set_exchange_type;
+ this->public.get_message_id = (u_int32_t (*) (ike_header_t*))get_message_id;
+ this->public.set_message_id = (void (*) (ike_header_t*,u_int32_t))set_message_id;
+
+ /* set default values of the fields */
+ this->initiator_spi = 0;
+ this->responder_spi = 0;
+ this->next_payload = 0;
+ this->maj_version = IKE_MAJOR_VERSION;
+ this->min_version = IKE_MINOR_VERSION;
+ this->exchange_type = EXCHANGE_TYPE_UNDEFINED;
+ this->flags.initiator = TRUE;
+ this->flags.version = HIGHER_VERSION_SUPPORTED_FLAG;
+ this->flags.response = FALSE;
+ this->message_id = 0;
+ this->length = IKE_HEADER_LENGTH;
+
+ return (ike_header_t*)this;
+}
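Review bot: `verify()` never looks at `this->length`, although the `HEADER_LENGTH` encoding rule stores the parsed length field there and `get_length()` hands it back unchanged. A header advertising fewer than `IKE_HEADER_LENGTH` bytes therefore passes verification; whether the parser or the receiver bounds the value against the size of the received datagram is not visible in this file. I would add `if (this->length < IKE_HEADER_LENGTH) return FAILED;` next to the exchange-type and SPI checks. The comment `verification of version is not done in here` should also name where an unsupported major version is rejected, so that the check is not assumed to exist on both sides.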
diff --git a/src/charon/encoding/payloads/ike_header.h b/src/charon/encoding/payloads/ike_header.h
new file mode 100644
index 000000000..95c20f810
--- /dev/null
+++ b/src/charon/encoding/payloads/ike_header.h
@@ -0,0 +1,260 @@
+/**
+ * @file ike_header.h
+ *
+ * @brief Interface of ike_header_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IKE_HEADER_H_
+#define IKE_HEADER_H_
+
+typedef enum exchange_type_t exchange_type_t;
+typedef struct ike_header_t ike_header_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Major Version of IKEv2.
+ *
+ * @ingroup payloads
+ */
+#define IKE_MAJOR_VERSION 2
+
+/**
+ * Minor Version of IKEv2.
+ *
+ * @ingroup payloads
+ */
+#define IKE_MINOR_VERSION 0
+
+/**
+ * Flag in IKEv2-Header. Always 0.
+ *
+ * @ingroup payloads
+ */
+#define HIGHER_VERSION_SUPPORTED_FLAG 0
+
+/**
+ * Length of IKE Header in Bytes.
+ *
+ * @ingroup payloads
+ */
+#define IKE_HEADER_LENGTH 28
+
+/**
+ * @brief Different types of IKE-Exchanges.
+ *
+ * See Draft for different types.
+ *
+ * @ingroup payloads
+ */
+enum exchange_type_t{
+
+ /**
+ * EXCHANGE_TYPE_UNDEFINED. In private space, since not a official message type.
+ */
+ EXCHANGE_TYPE_UNDEFINED = 240,
+
+ /**
+ * IKE_SA_INIT.
+ */
+ IKE_SA_INIT = 34,
+
+ /**
+ * IKE_AUTH.
+ */
+ IKE_AUTH = 35,
+
+ /**
+ * CREATE_CHILD_SA.
+ */
+ CREATE_CHILD_SA = 36,
+
+ /**
+ * INFORMATIONAL.
+ */
+ INFORMATIONAL = 37
+};
+
+/**
+ * enum name for exchange_type_t
+ *
+ * @ingroup payloads
+ */
+extern enum_name_t *exchange_type_names;
+
+/**
+ * @brief An object of this type represents an IKEv2 header and is used to
+ * generate and parse IKEv2 headers.
+ *
+ * The header format of an IKEv2-Message is compatible to the
+ * ISAKMP-Header format to allow implementations supporting
+ * both versions of the IKE-protocol.
+ *
+ * @b Constructors:
+ * - ike_header_create()
+ *
+ * @ingroup payloads
+ */
+struct ike_header_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Get the initiator spi.
+ *
+ * @param this ike_header_t object
+ * @return initiator_spi
+ */
+ u_int64_t (*get_initiator_spi) (ike_header_t *this);
+
+ /**
+ * @brief Set the initiator spi.
+ *
+ * @param this ike_header_t object
+ * @param initiator_spi initiator_spi
+ */
+ void (*set_initiator_spi) (ike_header_t *this, u_int64_t initiator_spi);
+
+ /**
+ * @brief Get the responder spi.
+ *
+ * @param this ike_header_t object
+ * @return responder_spi
+ */
+ u_int64_t (*get_responder_spi) (ike_header_t *this);
+
+ /**
+ * @brief Set the responder spi.
+ *
+ * @param this ike_header_t object
+ * @param responder_spi responder_spi
+ */
+ void (*set_responder_spi) (ike_header_t *this, u_int64_t responder_spi);
+
+ /**
+ * @brief Get the major version.
+ *
+ * @param this ike_header_t object
+ * @return major version
+ */
+ u_int8_t (*get_maj_version) (ike_header_t *this);
+
+ /**
+ * @brief Get the minor version.
+ *
+ * @param this ike_header_t object
+ * @return minor version
+ */
+ u_int8_t (*get_min_version) (ike_header_t *this);
+
+ /**
+ * @brief Get the response flag.
+ *
+ * @param this ike_header_t object
+ * @return response flag
+ */
+ bool (*get_response_flag) (ike_header_t *this);
+
+ /**
+ * @brief Set the response flag-
+ *
+ * @param this ike_header_t object
+ * @param response response flag
+ *
+ */
+ void (*set_response_flag) (ike_header_t *this, bool response);
+ /**
+ * @brief Get "higher version supported"-flag.
+ *
+ * @param this ike_header_t object
+ * @return version flag
+ */
+ bool (*get_version_flag) (ike_header_t *this);
+
+ /**
+ * @brief Get the initiator flag.
+ *
+ * @param this ike_header_t object
+ * @return initiator flag
+ */
+ bool (*get_initiator_flag) (ike_header_t *this);
+
+ /**
+ * @brief Set the initiator flag.
+ *
+ * @param this ike_header_t object
+ * @param initiator initiator flag
+ *
+ */
+ void (*set_initiator_flag) (ike_header_t *this, bool initiator);
+
+ /**
+ * @brief Get the exchange type.
+ *
+ * @param this ike_header_t object
+ * @return exchange type
+ */
+ u_int8_t (*get_exchange_type) (ike_header_t *this);
+
+ /**
+ * @brief Set the exchange type.
+ *
+ * @param this ike_header_t object
+ * @param exchange_type exchange type
+ */
+ void (*set_exchange_type) (ike_header_t *this, u_int8_t exchange_type);
+
+ /**
+ * @brief Get the message id.
+ *
+ * @param this ike_header_t object
+ * @return message id
+ */
+ u_int32_t (*get_message_id) (ike_header_t *this);
+
+ /**
+ * @brief Set the message id.
+ *
+ * @param this ike_header_t object
+ * @param initiator_spi message id
+ */
+ void (*set_message_id) (ike_header_t *this, u_int32_t message_id);
+
+ /**
+ * @brief Destroys a ike_header_t object.
+ *
+ * @param this ike_header_t object to destroy
+ */
+ void (*destroy) (ike_header_t *this);
+};
+
+/**
+ * @brief Create an ike_header_t object
+ *
+ * @return ike_header_t object
+ *
+ * @ingroup payloads
+ */
+ike_header_t *ike_header_create(void);
+
+#endif /*IKE_HEADER_H_*/
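Review bot: The doc comment on `set_message_id` names the wrong parameter: it reads `@param initiator_spi message id` while the function takes `message_id`, so it should be `@param message_id message id`. The brief for `set_response_flag` also ends in a stray hyphen (`Set the response flag-`). Separately, `get_exchange_type`/`set_exchange_type` use `u_int8_t` although `exchange_type_t` is declared just above; if that is deliberate because the value may lie outside the enum, a one-line comment saying so would remind callers to range-check it before using it as an `exchange_type_t`.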
diff --git a/src/charon/encoding/payloads/ke_payload.c b/src/charon/encoding/payloads/ke_payload.c
new file mode 100644
index 000000000..8926b15f9
--- /dev/null
+++ b/src/charon/encoding/payloads/ke_payload.c
@@ -0,0 +1,277 @@
+/**
+ * @file ke_payload.c
+ *
+ * @brief Implementation of ke_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "ke_payload.h"
+
+#include <encoding/payloads/encodings.h>
+
+
+typedef struct private_ke_payload_t private_ke_payload_t;
+
+/**
+ * Private data of an ke_payload_t object.
+ *
+ */
+struct private_ke_payload_t {
+ /**
+ * Public ke_payload_t interface.
+ */
+ ke_payload_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * DH Group Number.
+ */
+ u_int16_t dh_group_number;
+
+ /**
+ * Key Exchange Data of this KE payload.
+ */
+ chunk_t key_exchange_data;
+};
+
+/**
+ * Encoding rules to parse or generate a IKEv2-KE Payload.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_ke_payload_t.
+ *
+ */
+encoding_rule_t ke_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_ke_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_ke_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole payload*/
+ { PAYLOAD_LENGTH, offsetof(private_ke_payload_t, payload_length) },
+ /* DH Group number as 16 bit field*/
+ { U_INT_16, offsetof(private_ke_payload_t, dh_group_number) },
+ { RESERVED_BYTE, 0 },
+ { RESERVED_BYTE, 0 },
+ /* Key Exchange Data is from variable size */
+ { KEY_EXCHANGE_DATA, offsetof(private_ke_payload_t, key_exchange_data)}
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! DH Group # ! RESERVED !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Key Exchange Data ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_ke_payload_t *this)
+{
+ /* dh group is not verified in here */
+ return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.destroy.
+ */
+static void destroy(private_ke_payload_t *this)
+{
+ if (this->key_exchange_data.ptr != NULL)
+ {
+ free(this->key_exchange_data.ptr);
+ }
+ free(this);
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_ke_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = ke_payload_encodings;
+ *rule_count = sizeof(ke_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_ke_payload_t *this)
+{
+ return KEY_EXCHANGE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_ke_payload_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_ke_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * recompute the length of the payload.
+ */
+static void compute_length(private_ke_payload_t *this)
+{
+ size_t length = KE_PAYLOAD_HEADER_LENGTH;
+ if (this->key_exchange_data.ptr != NULL)
+ {
+ length += this->key_exchange_data.len;
+ }
+ this->payload_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_ke_payload_t *this)
+{
+ compute_length(this);
+ return this->payload_length;
+}
+
+/**
+ * Implementation of ke_payload_t.get_key_exchange_data.
+ */
+static chunk_t get_key_exchange_data(private_ke_payload_t *this)
+{
+ return (this->key_exchange_data);
+}
+
+/**
+ * Implementation of ke_payload_t.set_key_exchange_data.
+ */
+static void set_key_exchange_data(private_ke_payload_t *this, chunk_t key_exchange_data)
+{
+ /* destroy existing data first */
+ if (this->key_exchange_data.ptr != NULL)
+ {
+ /* free existing value */
+ free(this->key_exchange_data.ptr);
+ this->key_exchange_data.ptr = NULL;
+ this->key_exchange_data.len = 0;
+
+ }
+
+ this->key_exchange_data = chunk_clone(key_exchange_data);
+ compute_length(this);
+}
+
+/**
+ * Implementation of ke_payload_t.get_dh_group_number.
+ */
+static diffie_hellman_group_t get_dh_group_number(private_ke_payload_t *this)
+{
+ return this->dh_group_number;
+}
+
+/**
+ * Implementation of ke_payload_t.set_dh_group_number.
+ */
+static void set_dh_group_number(private_ke_payload_t *this, diffie_hellman_group_t dh_group_number)
+{
+ this->dh_group_number = dh_group_number;
+}
+
+/*
+ * Described in header
+ */
+ke_payload_t *ke_payload_create()
+{
+ private_ke_payload_t *this = malloc_thing(private_ke_payload_t);
+
+ /* interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.get_key_exchange_data = (chunk_t (*) (ke_payload_t *)) get_key_exchange_data;
+ this->public.set_key_exchange_data = (void (*) (ke_payload_t *,chunk_t)) set_key_exchange_data;
+ this->public.get_dh_group_number = (diffie_hellman_group_t (*) (ke_payload_t *)) get_dh_group_number;
+ this->public.set_dh_group_number =(void (*) (ke_payload_t *,diffie_hellman_group_t)) set_dh_group_number;
+ this->public.destroy = (void (*) (ke_payload_t *)) destroy;
+
+ /* set default values of the fields */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length = KE_PAYLOAD_HEADER_LENGTH;
+ this->key_exchange_data = chunk_empty;
+ this->dh_group_number = MODP_NONE;
+
+ return &this->public;
+}
+
+/*
+ * Described in header
+ */
+ke_payload_t *ke_payload_create_from_diffie_hellman(diffie_hellman_t *dh)
+{
+ private_ke_payload_t *this = (private_ke_payload_t*)ke_payload_create();
+
+ dh->get_my_public_value(dh, &this->key_exchange_data);
+ this->dh_group_number = dh->get_dh_group(dh);
+ compute_length(this);
+
+ return &this->public;
+}
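Review bot: `verify()` returns `SUCCESS` unconditionally, so a KE payload carrying zero-length key exchange data is accepted at this layer. The comment says the DH group is checked elsewhere, and a per-group length check presumably is too, but an empty public value can be rejected here without knowing the group: `if (this->key_exchange_data.len == 0) return FAILED;`. `compute_length()` also stores a `size_t` sum into the 16-bit `payload_length` with no bound, so a chunk longer than 65535 minus `KE_PAYLOAD_HEADER_LENGTH` bytes passed to `set_key_exchange_data()` would silently wrap the encoded length; rejecting or asserting on such input would keep the length field and the data in agreement.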
diff --git a/src/charon/encoding/payloads/ke_payload.h b/src/charon/encoding/payloads/ke_payload.h
new file mode 100644
index 000000000..52be8ffe3
--- /dev/null
+++ b/src/charon/encoding/payloads/ke_payload.h
@@ -0,0 +1,121 @@
+/**
+ * @file ke_payload.h
+ *
+ * @brief Interface of ke_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef KE_PAYLOAD_H_
+#define KE_PAYLOAD_H_
+
+typedef struct ke_payload_t ke_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/transform_substructure.h>
+#include <utils/linked_list.h>
+#include <crypto/diffie_hellman.h>
+
+/**
+ * KE payload length in bytes without any key exchange data.
+ *
+ * @ingroup payloads
+ */
+#define KE_PAYLOAD_HEADER_LENGTH 8
+
+/**
+ * @brief Class representing an IKEv2-KE Payload.
+ *
+ * The KE Payload format is described in RFC section 3.4.
+ *
+ * @b Constructors:
+ * - ke_payload_create()
+ *
+ * @ingroup payloads
+ */
+struct ke_payload_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Returns the currently set key exchange data of this KE payload.
+ *
+ * @warning Returned data are not copied.
+ *
+ * @param this calling ke_payload_t object
+ * @return chunk_t pointing to the value
+ */
+ chunk_t (*get_key_exchange_data) (ke_payload_t *this);
+
+ /**
+ * @brief Sets the key exchange data of this KE payload.
+ *
+ * @warning Value is getting copied.
+ *
+ * @param this calling ke_payload_t object
+ * @param key_exchange_data chunk_t pointing to the value to set
+ */
+ void (*set_key_exchange_data) (ke_payload_t *this, chunk_t key_exchange_data);
+
+ /**
+ * @brief Gets the Diffie-Hellman Group Number of this KE payload.
+ *
+ * @param this calling ke_payload_t object
+ * @return DH Group Number of this payload
+ */
+ diffie_hellman_group_t (*get_dh_group_number) (ke_payload_t *this);
+
+ /**
+ * @brief Sets the Diffie-Hellman Group Number of this KE payload.
+ *
+ * @param this calling ke_payload_t object
+ * @param dh_group_number DH Group to set
+ */
+ void (*set_dh_group_number) (ke_payload_t *this, diffie_hellman_group_t dh_group_number);
+
+ /**
+ * @brief Destroys an ke_payload_t object.
+ *
+ * @param this ke_payload_t object to destroy
+ */
+ void (*destroy) (ke_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty ke_payload_t object
+ *
+ * @return ke_payload_t object
+ *
+ * @ingroup payloads
+ */
+ke_payload_t *ke_payload_create(void);
+
+/**
+ * @brief Creates a ke_payload_t from a diffie_hellman_t
+ *
+ * @param diffie_hellman diffie hellman object containing group and key
+ * @return ke_payload_t object
+ *
+ * @ingroup payloads
+ */
+ke_payload_t *ke_payload_create_from_diffie_hellman(diffie_hellman_t *diffie_hellman);
+
+#endif /* KE_PAYLOAD_H_ */
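Review bot: The `@warning Returned data are not copied.` on `get_key_exchange_data` should spell out the lifetime, because `set_key_exchange_data()` and `destroy()` in ke_payload.c free that buffer and a chunk obtained earlier then dangles. Suggested wording: `@warning Returned chunk points to internal data; it is invalid after set_key_exchange_data() or destroy() and must not be freed by the caller.` This is the opposite ownership rule from `nonce_payload_t.get_nonce`, which returns a clone, so stating it explicitly matters. The `@b Constructors:` list also omits `ke_payload_create_from_diffie_hellman()`, and "RFC section 3.4" does not say which RFC.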
diff --git a/src/charon/encoding/payloads/nonce_payload.c b/src/charon/encoding/payloads/nonce_payload.c
new file mode 100644
index 000000000..8e1fc505e
--- /dev/null
+++ b/src/charon/encoding/payloads/nonce_payload.c
@@ -0,0 +1,232 @@
+/**
+ * @file nonce_payload.h
+ *
+ * @brief Implementation of nonce_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/* offsetof macro */
+#include <stddef.h>
+
+#include "nonce_payload.h"
+
+#include <encoding/payloads/encodings.h>
+
+
+typedef struct private_nonce_payload_t private_nonce_payload_t;
+
+/**
+ * Private data of an nonce_payload_t object.
+ *
+ */
+struct private_nonce_payload_t {
+ /**
+ * Public nonce_payload_t interface.
+ */
+ nonce_payload_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * The contained nonce value.
+ */
+ chunk_t nonce;
+};
+
+/**
+ * Encoding rules to parse or generate a nonce payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_nonce_payload_t.
+ *
+ */
+encoding_rule_t nonce_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_nonce_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_nonce_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole nonce payload*/
+ { PAYLOAD_LENGTH, offsetof(private_nonce_payload_t, payload_length) },
+ /* some nonce bytes, lenth is defined in PAYLOAD_LENGTH */
+ { NONCE_DATA, offsetof(private_nonce_payload_t, nonce) }
+};
+
+/* 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Nonce Data ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_nonce_payload_t *this)
+{
+ if ((this->nonce.len < 16) || ((this->nonce.len > 256)))
+ {
+ /* nonce length is wrong */
+ return FAILED;
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of nonce_payload_t.set_nonce.
+ */
+static status_t set_nonce(private_nonce_payload_t *this, chunk_t nonce)
+{
+ this->nonce.ptr = clalloc(nonce.ptr, nonce.len);
+ this->nonce.len = nonce.len;
+ this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + nonce.len;
+ return SUCCESS;
+}
+
+/**
+ * Implementation of nonce_payload_t.get_nonce.
+ */
+static chunk_t get_nonce(private_nonce_payload_t *this)
+{
+ chunk_t nonce;
+ nonce.ptr = clalloc(this->nonce.ptr,this->nonce.len);
+ nonce.len = this->nonce.len;
+ return nonce;
+}
+
+/**
+ * Implementation of nonce_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_nonce_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = nonce_payload_encodings;
+ *rule_count = sizeof(nonce_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_nonce_payload_t *this)
+{
+ return NONCE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_nonce_payload_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_nonce_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * recompute the length of the payload.
+ */
+static void compute_length(private_nonce_payload_t *this)
+{
+ this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + this->nonce.len;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_nonce_payload_t *this)
+{
+ compute_length(this);
+ return this->payload_length;
+}
+
+/**
+ * Implementation of payload_t.destroy and nonce_payload_t.destroy.
+ */
+static void destroy(private_nonce_payload_t *this)
+{
+ if (this->nonce.ptr != NULL)
+ {
+ free(this->nonce.ptr);
+ }
+
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+nonce_payload_t *nonce_payload_create()
+{
+ private_nonce_payload_t *this = malloc_thing(private_nonce_payload_t);
+
+ /* interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.destroy = (void (*) (nonce_payload_t *)) destroy;
+ this->public.set_nonce = (void (*) (nonce_payload_t *,chunk_t)) set_nonce;
+ this->public.get_nonce = (chunk_t (*) (nonce_payload_t *)) get_nonce;
+
+ /* private variables */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH;
+ this->nonce.ptr = NULL;
+ this->nonce.len = 0;
+
+ return (&(this->public));
+}
+
+
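Review bot: `set_nonce()` overwrites `this->nonce.ptr` without releasing the previous buffer, so a second call leaks the old nonce, whereas `set_key_exchange_data()` in ke_payload.c frees first. Adding `free(this->nonce.ptr);` ahead of the `clalloc()` line fixes it. The function is defined as returning `status_t` but installed through a cast to `void (*) (nonce_payload_t *,chunk_t)`, which is what the header declares; making it `static void` removes the call through a mismatched pointer type. Neither `set_nonce()` nor `compute_length()` bounds `nonce.len` before storing `NONCE_PAYLOAD_HEADER_LENGTH + nonce.len` in the 16-bit `payload_length`; the 16..256 range check exists only in `verify()`. The file header comment says `@file nonce_payload.h` and should read `nonce_payload.c`.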
diff --git a/src/charon/encoding/payloads/nonce_payload.h b/src/charon/encoding/payloads/nonce_payload.h
new file mode 100644
index 000000000..96d83b028
--- /dev/null
+++ b/src/charon/encoding/payloads/nonce_payload.h
@@ -0,0 +1,99 @@
+/**
+ * @file nonce_payload.h
+ *
+ * @brief Interface of nonce_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef NONCE_PAYLOAD_H_
+#define NONCE_PAYLOAD_H_
+
+typedef struct nonce_payload_t nonce_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Nonce size in bytes for nonces sending to other peer.
+ *
+ * @warning Nonce size MUST be between 16 and 256 bytes.
+ *
+ * @ingroup payloads
+ */
+#define NONCE_SIZE 16
+
+/**
+ * Length of a nonce payload without a nonce in bytes.
+ *
+ * @ingroup payloads
+ */
+#define NONCE_PAYLOAD_HEADER_LENGTH 4
+
+/**
+ * Object representing an IKEv2 Nonce payload.
+ *
+ * The Nonce payload format is described in RFC section 3.3.
+ *
+ * @b Constructors:
+ * - nonce_payload_create()
+ *
+ * @ingroup payloads
+ */
+struct nonce_payload_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Set the nonce value.
+ *
+ * @param this calling nonce_payload_t object
+ * @param nonce chunk containing the nonce, will be cloned
+ */
+ void (*set_nonce) (nonce_payload_t *this, chunk_t nonce);
+
+ /**
+ * @brief Get the nonce value.
+ *
+ * @param this calling nonce_payload_t object
+ * @return a chunk containing the cloned nonce
+ */
+ chunk_t (*get_nonce) (nonce_payload_t *this);
+
+ /**
+ * @brief Destroys an nonce_payload_t object.
+ *
+ * @param this nonce_payload_t object to destroy
+ */
+ void (*destroy) (nonce_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty nonce_payload_t object
+ *
+ * @return nonce_payload_t object
+ *
+ * @ingroup payloads
+ */
+
+nonce_payload_t *nonce_payload_create(void);
+
+
+#endif /*NONCE_PAYLOAD_H_*/
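Review bot: The 16-to-256-byte bound is documented only on `NONCE_SIZE`, which describes nonces this side sends, and the `set_nonce` documentation does not say whether a nonce outside that range is rejected. The implementation lives in nonce_payload.c, whose start is outside this view, so the check could not be confirmed here. If it exists, state it on the setter, e.g. `@param nonce chunk containing the nonce (16..256 bytes), will be cloned`. The struct comment cites "RFC section 3.3" for the Nonce payload, but in RFC 4306 that payload is section 3.9, so `The Nonce payload format is described in RFC 4306 section 3.9.` would be the accurate reference. Since `get_nonce` is documented as returning a clone, its `@return` line should also say that the caller frees the chunk.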
diff --git a/src/charon/encoding/payloads/notify_payload.c b/src/charon/encoding/payloads/notify_payload.c
new file mode 100644
index 000000000..a04901a90
--- /dev/null
+++ b/src/charon/encoding/payloads/notify_payload.c
@@ -0,0 +1,481 @@
+/**
+ * @file notify_payload.c
+ *
+ * @brief Implementation of notify_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "notify_payload.h"
+
+#include <daemon.h>
+#include <encoding/payloads/encodings.h>
+#include <crypto/hashers/hasher.h>
+
+ENUM_BEGIN(notify_type_names, UNSUPPORTED_CRITICAL_PAYLOAD, UNSUPPORTED_CRITICAL_PAYLOAD,
+ "UNSUPPORTED_CRITICAL_PAYLOAD");
+ENUM_NEXT(notify_type_names, INVALID_IKE_SPI, INVALID_MAJOR_VERSION, UNSUPPORTED_CRITICAL_PAYLOAD,
+ "INVALID_IKE_SPI",
+ "INVALID_MAJOR_VERSION");
+ENUM_NEXT(notify_type_names, INVALID_SYNTAX, INVALID_SYNTAX, INVALID_MAJOR_VERSION,
+ "INVALID_SYNTAX");
+ENUM_NEXT(notify_type_names, INVALID_MESSAGE_ID, INVALID_MESSAGE_ID, INVALID_SYNTAX,
+ "INVALID_MESSAGE_ID");
+ENUM_NEXT(notify_type_names, INVALID_SPI, INVALID_SPI, INVALID_MESSAGE_ID,
+ "INVALID_SPI");
+ENUM_NEXT(notify_type_names, NO_PROPOSAL_CHOSEN, NO_PROPOSAL_CHOSEN, INVALID_SPI,
+ "NO_PROPOSAL_CHOSEN");
+ENUM_NEXT(notify_type_names, INVALID_KE_PAYLOAD, INVALID_KE_PAYLOAD, NO_PROPOSAL_CHOSEN,
+ "INVALID_KE_PAYLOAD");
+ENUM_NEXT(notify_type_names, AUTHENTICATION_FAILED, AUTHENTICATION_FAILED, INVALID_KE_PAYLOAD,
+ "AUTHENTICATION_FAILED");
+ENUM_NEXT(notify_type_names, SINGLE_PAIR_REQUIRED, INVALID_SELECTORS, AUTHENTICATION_FAILED,
+ "SINGLE_PAIR_REQUIRED",
+ "NO_ADDITIONAL_SAS",
+ "INTERNAL_ADDRESS_FAILURE",
+ "FAILED_CP_REQUIRED",
+ "TS_UNACCEPTABLE",
+ "INVALID_SELECTORS");
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, AUTH_LIFETIME, INVALID_SELECTORS,
+ "INITIAL_CONTACT",
+ "SET_WINDOW_SIZE",
+ "ADDITIONAL_TS_POSSIBLE",
+ "IPCOMP_SUPPORTED",
+ "NAT_DETECTION_SOURCE_IP",
+ "NAT_DETECTION_DESTINATION_IP",
+ "COOKIE",
+ "USE_TRANSPORT_MODE",
+ "HTTP_CERT_LOOKUP_SUPPORTED",
+ "REKEY_SA",
+ "ESP_TFC_PADDING_NOT_SUPPORTED",
+ "NON_FIRST_FRAGMENTS_ALSO",
+ "MOBIKE_SUPPORTED",
+ "ADDITIONAL_IP4_ADDRESS",
+ "ADDITIONAL_IP6_ADDRESS",
+ "NO_ADDITIONAL_ADDRESSES",
+ "UPDATE_SA_ADDRESSES",
+ "COOKIE2",
+ "NO_NATS_ALLOWED",
+ "AUTH_LIFETIME");
+ENUM_NEXT(notify_type_names, EAP_ONLY_AUTHENTICATION, EAP_ONLY_AUTHENTICATION, AUTH_LIFETIME,
+ "EAP_ONLY_AUTHENTICATION");
+ENUM_END(notify_type_names, EAP_ONLY_AUTHENTICATION);
+
+typedef struct private_notify_payload_t private_notify_payload_t;
+
+/**
+ * Private data of an notify_payload_t object.
+ *
+ */
+struct private_notify_payload_t {
+ /**
+ * Public notify_payload_t interface.
+ */
+ notify_payload_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * Protocol id.
+ */
+ u_int8_t protocol_id;
+
+ /**
+ * Spi size.
+ */
+ u_int8_t spi_size;
+
+ /**
+ * Notify message type.
+ */
+ u_int16_t notify_type;
+
+ /**
+ * Security parameter index (spi).
+ */
+ chunk_t spi;
+
+ /**
+ * Notification data.
+ */
+ chunk_t notification_data;
+};
+
+/**
+ * Encoding rules to parse or generate a IKEv2-Notify Payload.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_notify_payload_t.
+ *
+ */
+encoding_rule_t notify_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_notify_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_notify_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole payload*/
+ { PAYLOAD_LENGTH, offsetof(private_notify_payload_t, payload_length) },
+ /* Protocol ID as 8 bit field*/
+ { U_INT_8, offsetof(private_notify_payload_t, protocol_id) },
+ /* SPI Size as 8 bit field*/
+ { SPI_SIZE, offsetof(private_notify_payload_t, spi_size) },
+ /* Notify message type as 16 bit field*/
+ { U_INT_16, offsetof(private_notify_payload_t, notify_type) },
+ /* SPI as variable length field*/
+ { SPI, offsetof(private_notify_payload_t, spi) },
+ /* Key Exchange Data is from variable size */
+ { NOTIFICATION_DATA, offsetof(private_notify_payload_t, notification_data) }
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Protocol ID ! SPI Size ! Notify Message Type !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Security Parameter Index (SPI) ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Notification Data ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_notify_payload_t *this)
+{
+ switch (this->protocol_id)
+ {
+ case PROTO_NONE:
+ case PROTO_IKE:
+ case PROTO_AH:
+ case PROTO_ESP:
+ break;
+ default:
+ DBG1(DBG_ENC, "Unknown protocol (%d)", this->protocol_id);
+ return FAILED;
+ }
+
+ switch (this->notify_type)
+ {
+ case INVALID_KE_PAYLOAD:
+ {
+ /* check notification data */
+ diffie_hellman_group_t dh_group;
+ if (this->notification_data.len != 2)
+ {
+ DBG1(DBG_ENC, "invalid notify data length for %N (%d)",
+ notify_type_names, this->notify_type,
+ this->notification_data.len);
+ return FAILED;
+ }
+ dh_group = ntohs(*((u_int16_t*)this->notification_data.ptr));
+ switch (dh_group)
+ {
+ case MODP_768_BIT:
+ case MODP_1024_BIT:
+ case MODP_1536_BIT:
+ case MODP_2048_BIT:
+ case MODP_3072_BIT:
+ case MODP_4096_BIT:
+ case MODP_6144_BIT:
+ case MODP_8192_BIT:
+ break;
+ default:
+ DBG1(DBG_ENC, "Bad DH group (%d)", dh_group);
+ return FAILED;
+ }
+ break;
+ }
+ case NAT_DETECTION_SOURCE_IP:
+ case NAT_DETECTION_DESTINATION_IP:
+ {
+ if (this->notification_data.len != HASH_SIZE_SHA1)
+ {
+ DBG1(DBG_ENC, "invalid %N notify length",
+ notify_type_names, this->notify_type);
+ return FAILED;
+ }
+ break;
+ }
+ case INVALID_SYNTAX:
+ case INVALID_MAJOR_VERSION:
+ case NO_PROPOSAL_CHOSEN:
+ {
+ if (this->notification_data.len != 0)
+ {
+ DBG1(DBG_ENC, "invalid %N notify",
+ notify_type_names, this->notify_type);
+ return FAILED;
+ }
+ break;
+ }
+ default:
+ /* TODO: verify */
+ break;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_notify_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = notify_payload_encodings;
+ *rule_count = sizeof(notify_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_notify_payload_t *this)
+{
+ return NOTIFY;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_notify_payload_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_notify_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * recompute the payloads length.
+ */
+static void compute_length (private_notify_payload_t *this)
+{
+ size_t length = NOTIFY_PAYLOAD_HEADER_LENGTH;
+ if (this->notification_data.ptr != NULL)
+ {
+ length += this->notification_data.len;
+ }
+ if (this->spi.ptr != NULL)
+ {
+ length += this->spi.len;
+ }
+ this->payload_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_notify_payload_t *this)
+{
+ compute_length(this);
+ return this->payload_length;
+}
+
+/**
+ * Implementation of notify_payload_t.get_protocol_id.
+ */
+static u_int8_t get_protocol_id(private_notify_payload_t *this)
+{
+ return this->protocol_id;
+}
+
+/**
+ * Implementation of notify_payload_t.set_protocol_id.
+ */
+static void set_protocol_id(private_notify_payload_t *this, u_int8_t protocol_id)
+{
+ this->protocol_id = protocol_id;
+}
+
+/**
+ * Implementation of notify_payload_t.get_notify_type.
+ */
+static notify_type_t get_notify_type(private_notify_payload_t *this)
+{
+ return this->notify_type;
+}
+
+/**
+ * Implementation of notify_payload_t.set_notify_type.
+ */
+static void set_notify_type(private_notify_payload_t *this, u_int16_t notify_type)
+{
+ this->notify_type = notify_type;
+}
+
+/**
+ * Implementation of notify_payload_t.get_spi.
+ */
+static u_int32_t get_spi(private_notify_payload_t *this)
+{
+ switch (this->protocol_id)
+ {
+ case PROTO_AH:
+ case PROTO_ESP:
+ if (this->spi.len == 4)
+ {
+ return *((u_int32_t*)this->spi.ptr);
+ }
+ default:
+ break;
+ }
+ return 0;
+}
+
+/**
+ * Implementation of notify_payload_t.set_spi.
+ */
+static void set_spi(private_notify_payload_t *this, u_int32_t spi)
+{
+ chunk_free(&this->spi);
+ switch (this->protocol_id)
+ {
+ case PROTO_AH:
+ case PROTO_ESP:
+ this->spi = chunk_alloc(4);
+ *((u_int32_t*)this->spi.ptr) = spi;
+ break;
+ default:
+ break;
+ }
+ this->spi_size = this->spi.len;
+ compute_length(this);
+}
+
+/**
+ * Implementation of notify_payload_t.get_notification_data.
+ */
+static chunk_t get_notification_data(private_notify_payload_t *this)
+{
+ return (this->notification_data);
+}
+
+/**
+ * Implementation of notify_payload_t.set_notification_data.
+ */
+static status_t set_notification_data(private_notify_payload_t *this, chunk_t notification_data)
+{
+ chunk_free(&this->notification_data);
+ if (notification_data.len > 0)
+ {
+ this->notification_data = chunk_clone(notification_data);
+ }
+ compute_length(this);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of notify_payload_t.destroy and notify_payload_t.destroy.
+ */
+static status_t destroy(private_notify_payload_t *this)
+{
+ chunk_free(&this->notification_data);
+ chunk_free(&this->spi);
+ free(this);
+ return SUCCESS;
+}
+
+/*
+ * Described in header
+ */
+notify_payload_t *notify_payload_create()
+{
+ private_notify_payload_t *this = malloc_thing(private_notify_payload_t);
+
+ /* interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.get_protocol_id = (u_int8_t (*) (notify_payload_t *)) get_protocol_id;
+ this->public.set_protocol_id = (void (*) (notify_payload_t *,u_int8_t)) set_protocol_id;
+ this->public.get_notify_type = (notify_type_t (*) (notify_payload_t *)) get_notify_type;
+ this->public.set_notify_type = (void (*) (notify_payload_t *,notify_type_t)) set_notify_type;
+ this->public.get_spi = (u_int32_t (*) (notify_payload_t *)) get_spi;
+ this->public.set_spi = (void (*) (notify_payload_t *,u_int32_t)) set_spi;
+ this->public.get_notification_data = (chunk_t (*) (notify_payload_t *)) get_notification_data;
+ this->public.set_notification_data = (void (*) (notify_payload_t *,chunk_t)) set_notification_data;
+ this->public.destroy = (void (*) (notify_payload_t *)) destroy;
+
+ /* set default values of the fields */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length = NOTIFY_PAYLOAD_HEADER_LENGTH;
+ this->protocol_id = 0;
+ this->notify_type = 0;
+ this->spi.ptr = NULL;
+ this->spi.len = 0;
+ this->spi_size = 0;
+ this->notification_data.ptr = NULL;
+ this->notification_data.len = 0;
+
+ return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+notify_payload_t *notify_payload_create_from_protocol_and_type(protocol_id_t protocol_id, notify_type_t notify_type)
+{
+ notify_payload_t *notify = notify_payload_create();
+
+ notify->set_notify_type(notify,notify_type);
+ notify->set_protocol_id(notify,protocol_id);
+
+ return notify;
+}
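Review bot: `compute_length()` sums into a `size_t` and then stores the result in the `u_int16_t` field `payload_length`, so a notification chunk longer than 65535 minus the header and SPI silently truncates the encoded length while the stored chunk is unchanged. `set_notification_data()` is the place to bound it, e.g. `if (notification_data.len > 0xFFFF - NOTIFY_PAYLOAD_HEADER_LENGTH - this->spi.len) return FAILED;` before the `chunk_free`. That return value is currently lost, because `notify_payload_create()` installs both `set_notification_data` and `destroy`, which return `status_t`, through `void (*)` casts. The signatures should match the interface so a rejection can reach the caller. Separately, the `default:` branch of `verify()` still carries `/* TODO: verify */`, so notify types that are not listed, such as COOKIE, pass with any data length.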
diff --git a/src/charon/encoding/payloads/notify_payload.h b/src/charon/encoding/payloads/notify_payload.h
new file mode 100644
index 000000000..431932631
--- /dev/null
+++ b/src/charon/encoding/payloads/notify_payload.h
@@ -0,0 +1,224 @@
+/**
+ * @file notify_payload.h
+ *
+ * @brief Interface of notify_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#ifndef NOTIFY_PAYLOAD_H_
+#define NOTIFY_PAYLOAD_H_
+
+typedef enum notify_type_t notify_type_t;
+typedef struct notify_payload_t notify_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/proposal_substructure.h>
+#include <utils/linked_list.h>
+
+/**
+ * Notify payload length in bytes without any spi and notification data.
+ *
+ * @ingroup payloads
+ */
+#define NOTIFY_PAYLOAD_HEADER_LENGTH 8
+
+/**
+ * @brief Notify message types.
+ *
+ * See IKEv2 RFC 3.10.1.
+ *
+ * @ingroup payloads
+ */
+enum notify_type_t {
+ /* notify error messages */
+ UNSUPPORTED_CRITICAL_PAYLOAD = 1,
+ INVALID_IKE_SPI = 4,
+ INVALID_MAJOR_VERSION = 5,
+ INVALID_SYNTAX = 7,
+ INVALID_MESSAGE_ID = 9,
+ INVALID_SPI = 11,
+ NO_PROPOSAL_CHOSEN = 14,
+ INVALID_KE_PAYLOAD = 17,
+ AUTHENTICATION_FAILED = 24,
+ SINGLE_PAIR_REQUIRED = 34,
+ NO_ADDITIONAL_SAS = 35,
+ INTERNAL_ADDRESS_FAILURE = 36,
+ FAILED_CP_REQUIRED = 37,
+ TS_UNACCEPTABLE = 38,
+ INVALID_SELECTORS = 39,
+ /* notify status messages */
+ INITIAL_CONTACT = 16384,
+ SET_WINDOW_SIZE = 16385,
+ ADDITIONAL_TS_POSSIBLE = 16386,
+ IPCOMP_SUPPORTED = 16387,
+ NAT_DETECTION_SOURCE_IP = 16388,
+ NAT_DETECTION_DESTINATION_IP = 16389,
+ COOKIE = 16390,
+ USE_TRANSPORT_MODE = 16391,
+ HTTP_CERT_LOOKUP_SUPPORTED = 16392,
+ REKEY_SA = 16393,
+ ESP_TFC_PADDING_NOT_SUPPORTED = 16394,
+ NON_FIRST_FRAGMENTS_ALSO = 16395,
+ /* mobike extension, RFC4555 */
+ MOBIKE_SUPPORTED = 16396,
+ ADDITIONAL_IP4_ADDRESS = 16397,
+ ADDITIONAL_IP6_ADDRESS = 16398,
+ NO_ADDITIONAL_ADDRESSES = 16399,
+ UPDATE_SA_ADDRESSES = 16400,
+ COOKIE2 = 16401,
+ NO_NATS_ALLOWED = 16402,
+ /* repeated authentication extension, RFC4478 */
+ AUTH_LIFETIME = 16403,
+ /* draft-eronen-ipsec-ikev2-eap-auth, not assigned by IANA yet */
+ EAP_ONLY_AUTHENTICATION = 40960,
+ /* BEET mode, not even a draft yet. private use */
+ USE_BEET_MODE = 40961,
+};
+
+/**
+ * enum name for notify_type_t.
+ *
+ * @ingroup payloads
+ */
+extern enum_name_t *notify_type_names;
+
+/**
+ * @brief Class representing an IKEv2-Notify Payload.
+ *
+ * The Notify Payload format is described in Draft section 3.10.
+ *
+ * @b Constructors:
+ * - notify_payload_create()
+ * - notify_payload_create_from_protocol_and_type()
+ *
+ * @todo Build specified constructor/getter for notify's
+ *
+ * @ingroup payloads
+ */
+struct notify_payload_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Gets the protocol id of this payload.
+ *
+ * @param this calling notify_payload_t object
+ * @return protocol id of this payload
+ */
+ u_int8_t (*get_protocol_id) (notify_payload_t *this);
+
+ /**
+ * @brief Sets the protocol id of this payload.
+ *
+ * @param this calling notify_payload_t object
+ * @param protocol_id protocol id to set
+ */
+ void (*set_protocol_id) (notify_payload_t *this, u_int8_t protocol_id);
+
+ /**
+ * @brief Gets the notify message type of this payload.
+ *
+ * @param this calling notify_payload_t object
+ * @return notify message type of this payload
+ */
+ notify_type_t (*get_notify_type) (notify_payload_t *this);
+
+ /**
+ * @brief Sets notify message type of this payload.
+ *
+ * @param this calling notify_payload_t object
+ * @param type notify message type to set
+ */
+ void (*set_notify_type) (notify_payload_t *this, notify_type_t type);
+
+ /**
+ * @brief Returns the currently set spi of this payload.
+ *
+ * This is only valid for notifys with protocol AH|ESP
+ *
+ * @param this calling notify_payload_t object
+ * @return SPI value
+ */
+ u_int32_t (*get_spi) (notify_payload_t *this);
+
+ /**
+ * @brief Sets the spi of this payload.
+ *
+ * This is only valid for notifys with protocol AH|ESP
+ *
+ * @param this calling notify_payload_t object
+ * @param spi SPI value
+ */
+ void (*set_spi) (notify_payload_t *this, u_int32_t spi);
+
+ /**
+ * @brief Returns the currently set notification data of payload.
+ *
+ * @warning Returned data are not copied.
+ *
+ * @param this calling notify_payload_t object
+ * @return chunk_t pointing to the value
+ */
+ chunk_t (*get_notification_data) (notify_payload_t *this);
+
+ /**
+ * @brief Sets the notification data of this payload.
+ *
+ * @warning Value is getting copied.
+ *
+ * @param this calling notify_payload_t object
+ * @param notification_data chunk_t pointing to the value to set
+ */
+ void (*set_notification_data) (notify_payload_t *this, chunk_t notification_data);
+
+ /**
+ * @brief Destroys an notify_payload_t object.
+ *
+ * @param this notify_payload_t object to destroy
+ */
+ void (*destroy) (notify_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty notify_payload_t object
+ *
+ * @return created notify_payload_t object
+ *
+ * @ingroup payloads
+ */
+notify_payload_t *notify_payload_create(void);
+
+/**
+ * @brief Creates an notify_payload_t object of specific type for specific protocol id.
+ *
+ * @param protocol_id protocol id (IKE, AH or ESP)
+ * @param type notify type (see notify_type_t)
+ * @return notify_payload_t object
+ *
+ * @ingroup payloads
+ */
+notify_payload_t *notify_payload_create_from_protocol_and_type(protocol_id_t protocol_id, notify_type_t type);
+
+
+#endif /*NOTIFY_PAYLOAD_H_*/
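Review bot: The `get_notification_data` documentation warns that the data is not copied but does not say how long the returned chunk stays valid. In notify_payload.c of this commit the getter returns the internal chunk, and both `set_notification_data` and `destroy` free it. The warning should therefore read something like `@warning Returned chunk points into the payload; it becomes invalid after set_notification_data() or destroy().` The `get_spi` documentation should also state that 0 is returned for protocols other than AH and ESP. The implementation reads the stored four bytes without a byte-order conversion, so the doc should say which order callers receive.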
diff --git a/src/charon/encoding/payloads/payload.c b/src/charon/encoding/payloads/payload.c
new file mode 100644
index 000000000..3bd4cdb13
--- /dev/null
+++ b/src/charon/encoding/payloads/payload.c
@@ -0,0 +1,161 @@
+/**
+ * @file payload.c
+ *
+ * @brief Generic constructor to the payload_t interface.
+ *
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "payload.h"
+
+#include <encoding/payloads/ike_header.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/notify_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/certreq_payload.h>
+#include <encoding/payloads/encryption_payload.h>
+#include <encoding/payloads/ts_payload.h>
+#include <encoding/payloads/delete_payload.h>
+#include <encoding/payloads/vendor_id_payload.h>
+#include <encoding/payloads/cp_payload.h>
+#include <encoding/payloads/configuration_attribute.h>
+#include <encoding/payloads/eap_payload.h>
+#include <encoding/payloads/unknown_payload.h>
+
+
+ENUM_BEGIN(payload_type_names, NO_PAYLOAD, NO_PAYLOAD,
+ "NO_PAYLOAD");
+ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICATION, NO_PAYLOAD,
+ "SECURITY_ASSOCIATION",
+ "KEY_EXCHANGE",
+ "ID_INITIATOR",
+ "ID_RESPONDER",
+ "CERTIFICATE",
+ "CERTIFICATE_REQUEST",
+ "AUTHENTICATION",
+ "NONCE",
+ "NOTIFY",
+ "DELETE",
+ "VENDOR_ID",
+ "TRAFFIC_SELECTOR_INITIATOR",
+ "TRAFFIC_SELECTOR_RESPONDER",
+ "ENCRYPTED",
+ "CONFIGURATION",
+ "EXTENSIBLE_AUTHENTICATION");
+ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION,
+ "HEADER",
+ "PROPOSAL_SUBSTRUCTURE",
+ "TRANSFORM_SUBSTRUCTURE",
+ "TRANSFORM_ATTRIBUTE",
+ "TRAFFIC_SELECTOR_SUBSTRUCTURE",
+ "CONFIGURATION_ATTRIBUTE",
+ "UNKNOWN_PAYLOAD");
+ENUM_END(payload_type_names, UNKNOWN_PAYLOAD);
+
+/* short forms of payload names */
+ENUM_BEGIN(payload_type_short_names, NO_PAYLOAD, NO_PAYLOAD,
+ "--");
+ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICATION, NO_PAYLOAD,
+ "SA",
+ "KE",
+ "IDi",
+ "IDr",
+ "CERT",
+ "CERTREQ",
+ "AUTH",
+ "No",
+ "N",
+ "D",
+ "V",
+ "TSi",
+ "TSr",
+ "E",
+ "CP",
+ "EAP");
+ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION,
+ "HDR",
+ "PROP",
+ "TRANS",
+ "TRANSATTR",
+ "TSSUB",
+ "CPATTR",
+ "??");
+ENUM_END(payload_type_short_names, UNKNOWN_PAYLOAD);
+
+/*
+ * see header
+ */
+payload_t *payload_create(payload_type_t type)
+{
+ switch (type)
+ {
+ case HEADER:
+ return (payload_t*)ike_header_create();
+ case SECURITY_ASSOCIATION:
+ return (payload_t*)sa_payload_create();
+ case PROPOSAL_SUBSTRUCTURE:
+ return (payload_t*)proposal_substructure_create();
+ case TRANSFORM_SUBSTRUCTURE:
+ return (payload_t*)transform_substructure_create();
+ case TRANSFORM_ATTRIBUTE:
+ return (payload_t*)transform_attribute_create();
+ case NONCE:
+ return (payload_t*)nonce_payload_create();
+ case ID_INITIATOR:
+ return (payload_t*)id_payload_create(TRUE);
+ case ID_RESPONDER:
+ return (payload_t*)id_payload_create(FALSE);
+ case AUTHENTICATION:
+ return (payload_t*)auth_payload_create();
+ case CERTIFICATE:
+ return (payload_t*)cert_payload_create();
+ case CERTIFICATE_REQUEST:
+ return (payload_t*)certreq_payload_create();
+ case TRAFFIC_SELECTOR_SUBSTRUCTURE:
+ return (payload_t*)traffic_selector_substructure_create();
+ case TRAFFIC_SELECTOR_INITIATOR:
+ return (payload_t*)ts_payload_create(TRUE);
+ case TRAFFIC_SELECTOR_RESPONDER:
+ return (payload_t*)ts_payload_create(FALSE);
+ case KEY_EXCHANGE:
+ return (payload_t*)ke_payload_create();
+ case NOTIFY:
+ return (payload_t*)notify_payload_create();
+ case DELETE:
+ return (payload_t*)delete_payload_create(0);
+ case VENDOR_ID:
+ return (payload_t*)vendor_id_payload_create();
+ case CONFIGURATION:
+ return (payload_t*)cp_payload_create();
+ case CONFIGURATION_ATTRIBUTE:
+ return (payload_t*)configuration_attribute_create();
+ case EXTENSIBLE_AUTHENTICATION:
+ return (payload_t*)eap_payload_create();
+ case ENCRYPTED:
+ return (payload_t*)encryption_payload_create();
+ default:
+ return (payload_t*)unknown_payload_create();
+ }
+}
+
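Review bot: `payload_create()` constructs the internal-only types (`HEADER`, `PROPOSAL_SUBSTRUCTURE`, through `CONFIGURATION_ATTRIBUTE`) on request, and payload.h in this commit gives them the values 140 to 146, which fit in the one-byte next-payload field. If the parser passes a received next-payload value straight to this function (the caller is outside this hunk, so this is an assumption to check), a received message could have an internal structure instantiated as a top-level payload instead of reaching `unknown_payload_create()`. A guard at the call site, or at least a comment here such as `/* internal types >= HEADER must never be taken from a received next_payload field */`, would make the requirement explicit. The `(payload_t*)` casts also depend on `payload_interface` being the first member of every payload struct, which returning `&p->payload_interface` would not.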
diff --git a/src/charon/encoding/payloads/payload.h b/src/charon/encoding/payloads/payload.h
new file mode 100644
index 000000000..9a8c2f482
--- /dev/null
+++ b/src/charon/encoding/payloads/payload.h
@@ -0,0 +1,282 @@
+/**
+ * @file payload.h
+ *
+ * @brief Interface payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PAYLOAD_H_
+#define PAYLOAD_H_
+
+typedef enum payload_type_t payload_type_t;
+typedef struct payload_t payload_t;
+
+#include <library.h>
+#include <encoding/payloads/encodings.h>
+
+
+/**
+ * @brief Payload-Types of a IKEv2-Message.
+ *
+ * Header and substructures are also defined as
+ * payload types with values from PRIVATE USE space.
+ *
+ * @ingroup payloads
+ */
+enum payload_type_t{
+
+ /**
+ * End of payload list in next_payload
+ */
+ NO_PAYLOAD = 0,
+
+ /**
+ * The security association (SA) payload containing proposals.
+ */
+ SECURITY_ASSOCIATION = 33,
+
+ /**
+ * The key exchange (KE) payload containing diffie-hellman values.
+ */
+ KEY_EXCHANGE = 34,
+
+ /**
+ * Identification for the original initiator (IDi).
+ */
+ ID_INITIATOR = 35,
+
+ /**
+ * Identification for the original responder (IDr).
+ */
+ ID_RESPONDER = 36,
+
+ /**
+ * Certificate payload with certificates (CERT).
+ */
+ CERTIFICATE = 37,
+
+ /**
+ * Certificate request payload (CERTREQ).
+ */
+ CERTIFICATE_REQUEST = 38,
+
+ /**
+ * Authentication payload contains auth data (AUTH).
+ */
+ AUTHENTICATION = 39,
+
+ /**
+ * Nonces, for initator and responder (Ni, Nr, N)
+ */
+ NONCE = 40,
+
+ /**
+ * Notif paylaod (N).
+ */
+ NOTIFY = 41,
+
+ /**
+ * Delete payload (D)
+ */
+ DELETE = 42,
+
+ /**
+ * Vendor id paylpoad (V).
+ */
+ VENDOR_ID = 43,
+
+ /**
+ * Traffic selector for the original initiator (TSi).
+ */
+ TRAFFIC_SELECTOR_INITIATOR = 44,
+
+ /**
+ * Traffic selector for the original responser (TSr).
+ */
+ TRAFFIC_SELECTOR_RESPONDER = 45,
+
+ /**
+ * Encryption payload, contains other payloads (E).
+ */
+ ENCRYPTED = 46,
+
+ /**
+ * Configuration payload (CP).
+ */
+ CONFIGURATION = 47,
+
+ /**
+ * Extensible authentication payload (EAP).
+ */
+ EXTENSIBLE_AUTHENTICATION = 48,
+
+ /**
+ * Header has a value of PRIVATE USE space.
+ *
+ * This payload type is not send over wire and just
+ * used internally to handle IKEv2-Header like a payload.
+ */
+ HEADER = 140,
+
+ /**
+ * PROPOSAL_SUBSTRUCTURE has a value of PRIVATE USE space.
+ *
+ * This payload type is not send over wire and just
+ * used internally to handle a proposal substructure like a payload.
+ */
+ PROPOSAL_SUBSTRUCTURE = 141,
+
+ /**
+ * TRANSFORM_SUBSTRUCTURE has a value of PRIVATE USE space.
+ *
+ * This payload type is not send over wire and just
+ * used internally to handle a transform substructure like a payload.
+ */
+ TRANSFORM_SUBSTRUCTURE = 142,
+
+ /**
+ * TRANSFORM_ATTRIBUTE has a value of PRIVATE USE space.
+ *
+ * This payload type is not send over wire and just
+ * used internally to handle a transform attribute like a payload.
+ */
+ TRANSFORM_ATTRIBUTE = 143,
+
+ /**
+ * TRAFFIC_SELECTOR_SUBSTRUCTURE has a value of PRIVATE USE space.
+ *
+ * This payload type is not send over wire and just
+ * used internally to handle a transform selector like a payload.
+ */
+ TRAFFIC_SELECTOR_SUBSTRUCTURE = 144,
+
+ /**
+ * CONFIGURATION_ATTRIBUTE has a value of PRIVATE USE space.
+ *
+ * This payload type is not send over wire and just
+ * used internally to handle a transform attribute like a payload.
+ */
+ CONFIGURATION_ATTRIBUTE = 145,
+
+ /**
+ * A unknown payload has a value of PRIVATE USE space.
+ *
+ * This payload type is not send over wire and just
+ * used internally to handle a unknown payload.
+ */
+ UNKNOWN_PAYLOAD = 146,
+};
+
+
+/**
+ * enum names for payload_type_t.
+ */
+extern enum_name_t *payload_type_names;
+
+/**
+ * enum names for payload_type_t in a short form.
+ */
+extern enum_name_t *payload_type_short_names;
+
+/**
+ * @brief Generic interface for all payload types (incl.header and substructures).
+ *
+ * To handle all kinds of payloads on a generic way, this interface must
+ * be implemented by every payload. This allows parser_t/generator_t a simple
+ * handling of all payloads.
+ *
+ * @b Constructors:
+ * - payload_create() with the payload to instantiate.
+ *
+ * @ingroup payloads
+ */
+struct payload_t {
+
+ /**
+ * @brief Get encoding rules for this payload.
+ *
+ * @param this calling object
+ * @param[out] rules location to store pointer of first rule
+ * @param[out] rule_count location to store number of rules
+ */
+ void (*get_encoding_rules) (payload_t *this, encoding_rule_t **rules, size_t *rule_count);
+
+ /**
+ * @brief Get type of payload.
+ *
+ * @param this calling object
+ * @return type of this payload
+ */
+ payload_type_t (*get_type) (payload_t *this);
+
+ /**
+ * @brief Get type of next payload or NO_PAYLOAD (0) if this is the last one.
+ *
+ * @param this calling object
+ * @return type of next payload
+ */
+ payload_type_t (*get_next_type) (payload_t *this);
+
+ /**
+ * @brief Set type of next payload.
+ *
+ * @param this calling object
+ * @param type type of next payload
+ */
+ void (*set_next_type) (payload_t *this,payload_type_t type);
+
+ /**
+ * @brief Get length of payload.
+ *
+ * @param this calling object
+ * @return length of this payload
+ */
+ size_t (*get_length) (payload_t *this);
+
+ /**
+ * @brief Verifies payload structure and makes consistence check.
+ *
+ * @param this calling object
+ * @return
+ * - SUCCESS
+ * - FAILED if consistence not given
+ */
+ status_t (*verify) (payload_t *this);
+
+ /**
+ * @brief Destroys a payload and all included substructures.
+ *
+ * @param this payload to destroy
+ */
+ void (*destroy) (payload_t *this);
+};
+
+/**
+ * @brief Create an empty payload.
+ *
+ * Useful for the parser, who wants a generic constructor for all payloads.
+ * It supports all payload_t methods. If a payload type is not known,
+ * an unknwon_paylod is created with the chunk of data in it.
+ *
+ * @param type type of the payload to create
+ * @return payload_t object
+ */
+payload_t *payload_create(payload_type_t type);
+
+#endif /*PAYLOAD_H_*/
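Review bot: The `payload_create()` documentation says an unknown type yields a payload "with the chunk of data in it", but the function takes only a `payload_type_t`. The `default:` branch in payload.c calls `unknown_payload_create()` with no arguments, so no data can be attached at construction. A more accurate sentence would be `If the payload type is not known, an empty unknown_payload_t is created; the parser fills in its data.` (the second half is an assumption about the parser and should be confirmed). Several enum comments also have typos worth fixing in the same pass: "initator", "paylaod", "paylpoad", "responser", and "unknwon_paylod".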
diff --git a/src/charon/encoding/payloads/proposal_substructure.c b/src/charon/encoding/payloads/proposal_substructure.c
new file mode 100644
index 000000000..182d2b6e8
--- /dev/null
+++ b/src/charon/encoding/payloads/proposal_substructure.c
@@ -0,0 +1,603 @@
+/**
+ * @file proposal_substructure.h
+ *
+ * @brief Implementation of proposal_substructure_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "proposal_substructure.h"
+
+#include <encoding/payloads/encodings.h>
+#include <encoding/payloads/transform_substructure.h>
+#include <library.h>
+#include <utils/linked_list.h>
+#include <daemon.h>
+
+
+/**
+ * IKEv1 Value for a proposal payload.
+ */
+#define PROPOSAL_TYPE_VALUE 2
+
+
+typedef struct private_proposal_substructure_t private_proposal_substructure_t;
+
+/**
+ * Private data of an proposal_substructure_t object.
+ *
+ */
+struct private_proposal_substructure_t {
+ /**
+ * Public proposal_substructure_t interface.
+ */
+ proposal_substructure_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t proposal_length;
+
+ /**
+ * Proposal number.
+ */
+ u_int8_t proposal_number;
+
+ /**
+ * Protocol ID.
+ */
+ u_int8_t protocol_id;
+
+ /**
+ * SPI size of the following SPI.
+ */
+ u_int8_t spi_size;
+
+ /**
+ * Number of transforms.
+ */
+ u_int8_t transforms_count;
+
+ /**
+ * SPI is stored as chunk.
+ */
+ chunk_t spi;
+
+ /**
+ * Transforms are stored in a linked_list_t.
+ */
+ linked_list_t * transforms;
+};
+
+/**
+ * Encoding rules to parse or generate a Proposal substructure.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_proposal_substructure_t.
+ */
+encoding_rule_t proposal_substructure_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_proposal_substructure_t, next_payload) },
+ /* Reserved Byte is skipped */
+ { RESERVED_BYTE, 0 },
+ /* Length of the whole proposal substructure payload*/
+ { PAYLOAD_LENGTH, offsetof(private_proposal_substructure_t, proposal_length) },
+ /* proposal number is a number of 8 bit */
+ { U_INT_8, offsetof(private_proposal_substructure_t, proposal_number) },
+ /* protocol ID is a number of 8 bit */
+ { U_INT_8, offsetof(private_proposal_substructure_t, protocol_id) },
+ /* SPI Size has its own type */
+ { SPI_SIZE, offsetof(private_proposal_substructure_t, spi_size) },
+ /* Number of transforms is a number of 8 bit */
+ { U_INT_8, offsetof(private_proposal_substructure_t, transforms_count) },
+ /* SPI is a chunk of variable size*/
+ { SPI, offsetof(private_proposal_substructure_t, spi) },
+ /* Transforms are stored in a transform substructure,
+ offset points to a linked_list_t pointer */
+ { TRANSFORMS, offsetof(private_proposal_substructure_t, transforms) }
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! 0 (last) or 2 ! RESERVED ! Proposal Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Proposal # ! Protocol ID ! SPI Size !# of Transforms!
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ~ SPI (variable) ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ <Transforms> ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_proposal_substructure_t *this)
+{
+ status_t status = SUCCESS;
+ iterator_t *iterator;
+ payload_t *current_transform;
+
+ if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 2))
+ {
+ /* must be 0 or 2 */
+ DBG1(DBG_ENC, "inconsistent next payload");
+ return FAILED;
+ }
+ if (this->transforms_count != this->transforms->get_count(this->transforms))
+ {
+ /* must be the same! */
+ DBG1(DBG_ENC, "transform count invalid");
+ return FAILED;
+ }
+
+ switch (this->protocol_id)
+ {
+ case PROTO_AH:
+ case PROTO_ESP:
+ if (this->spi.len != 4)
+ {
+ DBG1(DBG_ENC, "invalid SPI length in %N proposal",
+ protocol_id_names, this->protocol_id);
+ return FAILED;
+ }
+ break;
+ case PROTO_IKE:
+ if (this->spi.len != 0 && this->spi.len != 8)
+ {
+ DBG1(DBG_ENC, "invalid SPI length in IKE proposal");
+ return FAILED;
+ }
+ break;
+ default:
+ DBG1(DBG_ENC, "invalid proposal protocol (%d)", this->protocol_id);
+ return FAILED;
+ }
+ if ((this->protocol_id == 0) || (this->protocol_id >= 4))
+ {
+ /* reserved are not supported */
+ DBG1(DBG_ENC, "invalid protocol");
+ return FAILED;
+ }
+
+ iterator = this->transforms->create_iterator(this->transforms,TRUE);
+ while(iterator->iterate(iterator, (void**)&current_transform))
+ {
+ status = current_transform->verify(current_transform);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "TRANSFORM_SUBSTRUCTURE verification failed");
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ /* proposal number is checked in SA payload */
+ return status;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_proposal_substructure_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = proposal_substructure_encodings;
+ *rule_count = sizeof(proposal_substructure_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_proposal_substructure_t *this)
+{
+ return PROPOSAL_SUBSTRUCTURE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_proposal_substructure_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_proposal_substructure_t *this,payload_type_t type)
+{
+}
+
+/**
+ * (re-)compute the length of the payload.
+ */
+static void compute_length(private_proposal_substructure_t *this)
+{
+ iterator_t *iterator;
+ payload_t *current_transform;
+ size_t transforms_count = 0;
+ size_t length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH;
+
+ iterator = this->transforms->create_iterator(this->transforms,TRUE);
+ while (iterator->iterate(iterator, (void**)&current_transform))
+ {
+ length += current_transform->get_length(current_transform);
+ transforms_count++;
+ }
+ iterator->destroy(iterator);
+
+ length += this->spi.len;
+ this->transforms_count = transforms_count;
+ this->proposal_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_proposal_substructure_t *this)
+{
+ compute_length(this);
+ return this->proposal_length;
+}
+
+/**
+ * Implementation of proposal_substructure_t.create_transform_substructure_iterator.
+ */
+static iterator_t *create_transform_substructure_iterator (private_proposal_substructure_t *this,bool forward)
+{
+ return (this->transforms->create_iterator(this->transforms,forward));
+}
+
+/**
+ * Implementation of proposal_substructure_t.add_transform_substructure.
+ */
+static void add_transform_substructure (private_proposal_substructure_t *this,transform_substructure_t *transform)
+{
+ status_t status;
+ if (this->transforms->get_count(this->transforms) > 0)
+ {
+ transform_substructure_t *last_transform;
+ status = this->transforms->get_last(this->transforms,(void **) &last_transform);
+ /* last transform is now not anymore last one */
+ last_transform->set_is_last_transform(last_transform,FALSE);
+
+ }
+ transform->set_is_last_transform(transform,TRUE);
+
+ this->transforms->insert_last(this->transforms,(void *) transform);
+ compute_length(this);
+}
+
+/**
+ * Implementation of proposal_substructure_t.proposal_substructure_t.
+ */
+static void set_is_last_proposal (private_proposal_substructure_t *this, bool is_last)
+{
+ this->next_payload = (is_last) ? 0: PROPOSAL_TYPE_VALUE;
+}
+
+/**
+ * Implementation of proposal_substructure_t.set_proposal_number.
+ */
+static void set_proposal_number(private_proposal_substructure_t *this,u_int8_t proposal_number)
+{
+ this->proposal_number = proposal_number;
+}
+
+/**
+ * Implementation of proposal_substructure_t.get_proposal_number.
+ */
+static u_int8_t get_proposal_number (private_proposal_substructure_t *this)
+{
+ return (this->proposal_number);
+}
+
+/**
+ * Implementation of proposal_substructure_t.set_protocol_id.
+ */
+static void set_protocol_id(private_proposal_substructure_t *this,u_int8_t protocol_id)
+{
+ this->protocol_id = protocol_id;
+}
+
+/**
+ * Implementation of proposal_substructure_t.get_protocol_id.
+ */
+static u_int8_t get_protocol_id(private_proposal_substructure_t *this)
+{
+ return (this->protocol_id);
+}
+
+/**
+ * Implementation of proposal_substructure_t.set_spi.
+ */
+static void set_spi(private_proposal_substructure_t *this, chunk_t spi)
+{
+ /* first delete already set spi value */
+ if (this->spi.ptr != NULL)
+ {
+ free(this->spi.ptr);
+ this->spi.ptr = NULL;
+ this->spi.len = 0;
+ compute_length(this);
+ }
+
+ this->spi.ptr = clalloc(spi.ptr,spi.len);
+ this->spi.len = spi.len;
+ this->spi_size = spi.len;
+ compute_length(this);
+}
+
+/**
+ * Implementation of proposal_substructure_t.get_spi.
+ */
+static chunk_t get_spi(private_proposal_substructure_t *this)
+{
+ chunk_t spi;
+ spi.ptr = this->spi.ptr;
+ spi.len = this->spi.len;
+
+ return spi;
+}
+
+/**
+ * Implementation of proposal_substructure_t.get_transform_count.
+ */
+static size_t get_transform_count (private_proposal_substructure_t *this)
+{
+ return this->transforms->get_count(this->transforms);
+}
+
+/**
+ * Implementation of proposal_substructure_t.get_spi_size.
+ */
+static size_t get_spi_size (private_proposal_substructure_t *this)
+{
+ return this->spi.len;
+}
+
+/**
+ * Implementation of proposal_substructure_t.get_proposal.
+ */
+proposal_t* get_proposal(private_proposal_substructure_t *this)
+{
+ iterator_t *iterator;
+ transform_substructure_t *transform;
+ proposal_t *proposal;
+ u_int64_t spi;
+
+ proposal = proposal_create(this->protocol_id);
+
+ iterator = this->transforms->create_iterator(this->transforms, TRUE);
+ while (iterator->iterate(iterator, (void**)&transform))
+ {
+ transform_type_t transform_type;
+ u_int16_t transform_id;
+ u_int16_t key_length = 0;
+
+ transform_type = transform->get_transform_type(transform);
+ transform_id = transform->get_transform_id(transform);
+ transform->get_key_length(transform, &key_length);
+
+ proposal->add_algorithm(proposal, transform_type, transform_id, key_length);
+ }
+ iterator->destroy(iterator);
+
+ switch (this->spi.len)
+ {
+ case 4:
+ spi = *((u_int32_t*)this->spi.ptr);
+ break;
+ case 8:
+ spi = *((u_int64_t*)this->spi.ptr);
+ break;
+ default:
+ spi = 0;
+ }
+ proposal->set_spi(proposal, spi);
+
+ return proposal;
+}
+
+/**
+ * Implementation of proposal_substructure_t.clone.
+ */
+static private_proposal_substructure_t* clone_(private_proposal_substructure_t *this)
+{
+ private_proposal_substructure_t *clone;
+ iterator_t *transforms;
+ transform_substructure_t *current_transform;
+
+ clone = (private_proposal_substructure_t *) proposal_substructure_create();
+ clone->next_payload = this->next_payload;
+ clone->proposal_number = this->proposal_number;
+ clone->protocol_id = this->protocol_id;
+ clone->spi_size = this->spi_size;
+ if (this->spi.ptr != NULL)
+ {
+ clone->spi.ptr = clalloc(this->spi.ptr,this->spi.len);
+ clone->spi.len = this->spi.len;
+ }
+
+ transforms = this->transforms->create_iterator(this->transforms,FALSE);
+ while (transforms->iterate(transforms, (void**)&current_transform))
+ {
+ current_transform = current_transform->clone(current_transform);
+ clone->public.add_transform_substructure(&clone->public, current_transform);
+ }
+ transforms->destroy(transforms);
+
+ return clone;
+}
+
+/**
+ * Implements payload_t's and proposal_substructure_t's destroy function.
+ * See #payload_s.destroy or proposal_substructure_s.destroy for description.
+ */
+static void destroy(private_proposal_substructure_t *this)
+{
+ this->transforms->destroy_offset(this->transforms,
+ offsetof(transform_substructure_t, destroy));
+ chunk_free(&this->spi);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+proposal_substructure_t *proposal_substructure_create()
+{
+ private_proposal_substructure_t *this = malloc_thing(private_proposal_substructure_t);
+
+ /* interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+
+ /* public functions */
+ this->public.create_transform_substructure_iterator = (iterator_t* (*) (proposal_substructure_t *,bool)) create_transform_substructure_iterator;
+ this->public.add_transform_substructure = (void (*) (proposal_substructure_t *,transform_substructure_t *)) add_transform_substructure;
+ this->public.set_proposal_number = (void (*) (proposal_substructure_t *,u_int8_t))set_proposal_number;
+ this->public.get_proposal_number = (u_int8_t (*) (proposal_substructure_t *)) get_proposal_number;
+ this->public.set_protocol_id = (void (*) (proposal_substructure_t *,u_int8_t))set_protocol_id;
+ this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id;
+ this->public.set_is_last_proposal = (void (*) (proposal_substructure_t *,bool)) set_is_last_proposal;
+ this->public.get_proposal = (proposal_t* (*) (proposal_substructure_t*))get_proposal;
+ this->public.set_spi = (void (*) (proposal_substructure_t *,chunk_t))set_spi;
+ this->public.get_spi = (chunk_t (*) (proposal_substructure_t *)) get_spi;
+ this->public.get_transform_count = (size_t (*) (proposal_substructure_t *)) get_transform_count;
+ this->public.get_spi_size = (size_t (*) (proposal_substructure_t *)) get_spi_size;
+ this->public.clone = (proposal_substructure_t * (*) (proposal_substructure_t *)) clone_;
+ this->public.destroy = (void (*) (proposal_substructure_t *)) destroy;
+
+ /* set default values of the fields */
+ this->next_payload = NO_PAYLOAD;
+ this->proposal_length = 0;
+ this->proposal_number = 0;
+ this->protocol_id = 0;
+ this->transforms_count = 0;
+ this->spi_size = 0;
+ this->spi.ptr = NULL;
+ this->spi.len = 0;
+
+ this->transforms = linked_list_create();
+
+ return (&(this->public));
+}
+
+/*
+ * Described in header.
+ */
+proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal)
+{
+ private_proposal_substructure_t *this = (private_proposal_substructure_t*)
+ proposal_substructure_create();
+ iterator_t *iterator;
+ algorithm_t *algo;
+ transform_substructure_t *transform;
+
+ /* encryption algorithm is only availble in ESP */
+ iterator = proposal->create_algorithm_iterator(proposal, ENCRYPTION_ALGORITHM);
+ while (iterator->iterate(iterator, (void**)&algo))
+ {
+ transform = transform_substructure_create_type(ENCRYPTION_ALGORITHM,
+ algo->algorithm, algo->key_size);
+ this->public.add_transform_substructure(&(this->public), transform);
+ }
+ iterator->destroy(iterator);
+
+ /* integrity algorithms */
+ iterator = proposal->create_algorithm_iterator(proposal, INTEGRITY_ALGORITHM);
+ while (iterator->iterate(iterator, (void**)&algo))
+ {
+ transform = transform_substructure_create_type(INTEGRITY_ALGORITHM,
+ algo->algorithm, algo->key_size);
+ this->public.add_transform_substructure(&(this->public), transform);
+ }
+ iterator->destroy(iterator);
+
+ /* prf algorithms */
+ iterator = proposal->create_algorithm_iterator(proposal, PSEUDO_RANDOM_FUNCTION);
+ while (iterator->iterate(iterator, (void**)&algo))
+ {
+ transform = transform_substructure_create_type(PSEUDO_RANDOM_FUNCTION,
+ algo->algorithm, algo->key_size);
+ this->public.add_transform_substructure(&(this->public), transform);
+ }
+ iterator->destroy(iterator);
+
+ /* dh groups */
+ iterator = proposal->create_algorithm_iterator(proposal, DIFFIE_HELLMAN_GROUP);
+ while (iterator->iterate(iterator, (void**)&algo))
+ {
+ transform = transform_substructure_create_type(DIFFIE_HELLMAN_GROUP, algo->algorithm, 0);
+ this->public.add_transform_substructure(&(this->public), transform);
+ }
+ iterator->destroy(iterator);
+
+ /* extended sequence numbers */
+ iterator = proposal->create_algorithm_iterator(proposal, EXTENDED_SEQUENCE_NUMBERS);
+ while (iterator->iterate(iterator, (void**)&algo))
+ {
+ transform = transform_substructure_create_type(EXTENDED_SEQUENCE_NUMBERS,
+ algo->algorithm, 0);
+ this->public.add_transform_substructure(&(this->public), transform);
+ }
+ iterator->destroy(iterator);
+
+ /* add SPI, if necessary */
+ switch (proposal->get_protocol(proposal))
+ {
+ case PROTO_AH:
+ case PROTO_ESP:
+ this->spi_size = this->spi.len = 4;
+ this->spi.ptr = malloc(this->spi_size);
+ *((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal);
+ break;
+ case PROTO_IKE:
+ if (proposal->get_spi(proposal))
+ { /* IKE only uses SPIS when rekeying, but on initial setup */
+ this->spi_size = this->spi.len = 8;
+ this->spi.ptr = malloc(this->spi_size);
+ *((u_int64_t*)this->spi.ptr) = proposal->get_spi(proposal);
+ }
+ break;
+ default:
+ break;
+ }
+ this->proposal_number = 0;
+ this->protocol_id = proposal->get_protocol(proposal);
+
+ return &this->public;
+}
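Review bot: compute_length() sums into `size_t` locals and then stores the results in `u_int16_t proposal_length` and `u_int8_t transforms_count`, so a proposal with more than 255 transforms or more than 65535 bytes wraps silently and the header fields stop matching the transform list. add_transform_substructure() puts no cap on the list, and set_spi() narrows `spi.len` into the `u_int8_t spi_size` in the same way. get_length() returns the wrapped value, so the enclosing SA payload's length would be off as well. Because these setters return void, the least intrusive change is to detect the overflow before the stores and at least log it, e.g. `if (length > 0xFFFF || transforms_count > 0xFF) DBG1(DBG_ENC, "proposal substructure exceeds encodable size");`. Whether the generator re-checks these fields is not visible in this hunk.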
diff --git a/src/charon/encoding/payloads/proposal_substructure.h b/src/charon/encoding/payloads/proposal_substructure.h
new file mode 100644
index 000000000..93a8d7b2f
--- /dev/null
+++ b/src/charon/encoding/payloads/proposal_substructure.h
@@ -0,0 +1,206 @@
+/**
+ * @file proposal_substructure.h
+ *
+ * @brief Interface of proposal_substructure_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PROPOSAL_SUBSTRUCTURE_H_
+#define PROPOSAL_SUBSTRUCTURE_H_
+
+typedef struct proposal_substructure_t proposal_substructure_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/transform_substructure.h>
+#include <config/proposal.h>
+#include <utils/linked_list.h>
+
+
+/**
+ * Length of the proposal substructure header (without spi).
+ *
+ * @ingroup payloads
+ */
+#define PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH 8
+
+/**
+ * @brief Class representing an IKEv2-PROPOSAL SUBSTRUCTURE.
+ *
+ * The PROPOSAL SUBSTRUCTURE format is described in RFC section 3.3.1.
+ *
+ * @b Constructors:
+ * - proposal_substructure_create()
+ *
+ * @ingroup payloads
+ */
+struct proposal_substructure_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Creates an iterator of stored transform_substructure_t objects.
+ *
+ * @warning The created iterator has to get destroyed by the caller!
+ * When deleting any transform over this iterator, call
+ * get_size to make sure the length and number values are ok.
+ *
+ * @param this calling proposal_substructure_t object
+ * @param forward iterator direction (TRUE: front to end)
+ * @return created iterator_t object
+ */
+ iterator_t *(*create_transform_substructure_iterator) (proposal_substructure_t *this, bool forward);
+
+ /**
+ * @brief Adds a transform_substructure_t object to this object.
+ *
+ * @warning The added transform_substructure_t object is
+ * getting destroyed in destroy function of proposal_substructure_t.
+ *
+ * @param this calling proposal_substructure_t object
+ * @param transform transform_substructure_t object to add
+ */
+ void (*add_transform_substructure) (proposal_substructure_t *this,transform_substructure_t *transform);
+
+ /**
+ * @brief Sets the proposal number of current proposal.
+ *
+ * @param this calling proposal_substructure_t object
+ * @param id proposal number to set
+ */
+ void (*set_proposal_number) (proposal_substructure_t *this,u_int8_t proposal_number);
+
+ /**
+ * @brief get proposal number of current proposal.
+ *
+ * @param this calling proposal_substructure_t object
+ * @return proposal number of current proposal substructure.
+ */
+ u_int8_t (*get_proposal_number) (proposal_substructure_t *this);
+
+ /**
+ * @brief get the number of transforms in current proposal.
+ *
+ * @param this calling proposal_substructure_t object
+ * @return transform count in current proposal
+ */
+ size_t (*get_transform_count) (proposal_substructure_t *this);
+
+ /**
+ * @brief get size of the set spi in bytes.
+ *
+ * @param this calling proposal_substructure_t object
+ * @return size of the spi in bytes
+ */
+ size_t (*get_spi_size) (proposal_substructure_t *this);
+
+ /**
+ * @brief Sets the protocol id of current proposal.
+ *
+ * @param this calling proposal_substructure_t object
+ * @param id protocol id to set
+ */
+ void (*set_protocol_id) (proposal_substructure_t *this,u_int8_t protocol_id);
+
+ /**
+ * @brief get protocol id of current proposal.
+ *
+ * @param this calling proposal_substructure_t object
+ * @return protocol id of current proposal substructure.
+ */
+ u_int8_t (*get_protocol_id) (proposal_substructure_t *this);
+
+ /**
+ * @brief Sets the next_payload field of this substructure
+ *
+ * If this is the last proposal, next payload field is set to 0,
+ * otherwise to 2
+ *
+ * @param this calling proposal_substructure_t object
+ * @param is_last When TRUE, next payload field is set to 0, otherwise to 2
+ */
+ void (*set_is_last_proposal) (proposal_substructure_t *this, bool is_last);
+
+ /**
+ * @brief Returns the currently set SPI of this proposal.
+ *
+ * @warning Returned data are not copied
+ *
+ * @param this calling proposal_substructure_t object
+ * @return chunk_t pointing to the value
+ */
+ chunk_t (*get_spi) (proposal_substructure_t *this);
+
+ /**
+ * @brief Sets the SPI of the current proposal.
+ *
+ * @warning SPI is getting copied
+ *
+ * @param this calling proposal_substructure_t object
+ * @param spi chunk_t pointing to the value to set
+ */
+ void (*set_spi) (proposal_substructure_t *this, chunk_t spi);
+
+ /**
+ * @brief Get a proposal_t from the propsal_substructure_t.
+ *
+ * @param this calling proposal_substructure_t object
+ * @return proposal_t
+ */
+ proposal_t * (*get_proposal) (proposal_substructure_t *this);
+
+ /**
+ * @brief Clones an proposal_substructure_t object.
+ *
+ * @param this proposal_substructure_t object to clone
+ * @return cloned object
+ */
+ proposal_substructure_t* (*clone) (proposal_substructure_t *this);
+
+ /**
+ * @brief Destroys an proposal_substructure_t object.
+ *
+ * @param this proposal_substructure_t object to destroy
+ */
+ void (*destroy) (proposal_substructure_t *this);
+};
+
+/**
+ * @brief Creates an empty proposal_substructure_t object
+ *
+ * @return proposal_substructure_t object
+ *
+ * @ingroup payloads
+ */
+proposal_substructure_t *proposal_substructure_create(void);
+
+/**
+ * @brief Creates a proposal_substructure_t from a proposal_t.
+ *
+ * @param proposal proposal to build a substruct out of it
+ * @return proposal_substructure_t object
+ *
+ * @ingroup payloads
+ */
+proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t *proposal);
+
+
+#endif /*PROPOSAL_SUBSTRUCTURE_H_*/
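Review bot: The `get_spi` comment says only "Returned data are not copied", which leaves out the lifetime of the returned chunk. The implementation in proposal_substructure.c hands back the object's own `spi.ptr`, and both `set_spi()` and `destroy()` free that buffer, so a caller that keeps the chunk across either call holds a dangling pointer. I would state this in the header: `@warning Returned chunk points to internal data; do not free it, and do not use it after set_spi() or destroy().` The iterator warning also tells callers to use `get_size`, which this interface does not declare; `payload_interface.get_length()` is presumably meant, since that is the call that recomputes length and transform count. The two `@param id` tags should be renamed `proposal_number` and `protocol_id` to match the signatures.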
diff --git a/src/charon/encoding/payloads/sa_payload.c b/src/charon/encoding/payloads/sa_payload.c
new file mode 100644
index 000000000..e264b2123
--- /dev/null
+++ b/src/charon/encoding/payloads/sa_payload.c
@@ -0,0 +1,375 @@
+/**
+ * @file sa_payload.c
+ *
+ * @brief Implementation of sa_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "sa_payload.h"
+
+#include <encoding/payloads/encodings.h>
+#include <utils/linked_list.h>
+#include <daemon.h>
+
+
+typedef struct private_sa_payload_t private_sa_payload_t;
+
+/**
+ * Private data of an sa_payload_t object.
+ *
+ */
+struct private_sa_payload_t {
+ /**
+ * Public sa_payload_t interface.
+ */
+ sa_payload_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * Proposals in this payload are stored in a linked_list_t.
+ */
+ linked_list_t * proposals;
+};
+
+/**
+ * Encoding rules to parse or generate a IKEv2-SA Payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_sa_payload_t.
+ *
+ */
+encoding_rule_t sa_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_sa_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_sa_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole SA payload*/
+ { PAYLOAD_LENGTH, offsetof(private_sa_payload_t, payload_length) },
+ /* Proposals are stored in a proposal substructure,
+ offset points to a linked_list_t pointer */
+ { PROPOSALS, offsetof(private_sa_payload_t, proposals) }
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ <Proposals> ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_sa_payload_t *this)
+{
+ int expected_number = 1, current_number;
+ status_t status = SUCCESS;
+ iterator_t *iterator;
+ proposal_substructure_t *current_proposal;
+ bool first = TRUE;
+
+ /* check proposal numbering */
+ iterator = this->proposals->create_iterator(this->proposals,TRUE);
+
+ while(iterator->iterate(iterator, (void**)&current_proposal))
+ {
+ current_number = current_proposal->get_proposal_number(current_proposal);
+ if (current_number < expected_number)
+ {
+ if (current_number != (expected_number + 1))
+ {
+ DBG1(DBG_ENC, "proposal number is %d, excepted %d or %d",
+ current_number, expected_number, expected_number + 1);
+ status = FAILED;
+ break;
+ }
+ }
+ else if (current_number < expected_number)
+ {
+ /* must not be smaller then proceeding one */
+ DBG1(DBG_ENC, "proposal number smaller than that of previous proposal");
+ status = FAILED;
+ break;
+ }
+
+ status = current_proposal->payload_interface.verify(&(current_proposal->payload_interface));
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "PROPOSAL_SUBSTRUCTURE verification failed");
+ break;
+ }
+ first = FALSE;
+ expected_number = current_number;
+ }
+
+ iterator->destroy(iterator);
+ return status;
+}
+
+
+/**
+ * Implementation of payload_t.destroy and sa_payload_t.destroy.
+ */
+static status_t destroy(private_sa_payload_t *this)
+{
+ this->proposals->destroy_offset(this->proposals,
+ offsetof(proposal_substructure_t, destroy));
+ free(this);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_sa_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = sa_payload_encodings;
+ *rule_count = sizeof(sa_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_sa_payload_t *this)
+{
+ return SECURITY_ASSOCIATION;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_sa_payload_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_sa_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * recompute length of the payload.
+ */
+static void compute_length (private_sa_payload_t *this)
+{
+ iterator_t *iterator;
+ payload_t *current_proposal;
+ size_t length = SA_PAYLOAD_HEADER_LENGTH;
+
+ iterator = this->proposals->create_iterator(this->proposals,TRUE);
+ while (iterator->iterate(iterator, (void **)&current_proposal))
+ {
+ length += current_proposal->get_length(current_proposal);
+ }
+ iterator->destroy(iterator);
+
+ this->payload_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_sa_payload_t *this)
+{
+ compute_length(this);
+ return this->payload_length;
+}
+
+/**
+ * Implementation of sa_payload_t.create_proposal_substructure_iterator.
+ */
+static iterator_t *create_proposal_substructure_iterator (private_sa_payload_t *this,bool forward)
+{
+ return this->proposals->create_iterator(this->proposals,forward);
+}
+
+/**
+ * Implementation of sa_payload_t.add_proposal_substructure.
+ */
+static void add_proposal_substructure(private_sa_payload_t *this,proposal_substructure_t *proposal)
+{
+ status_t status;
+ u_int proposal_count = this->proposals->get_count(this->proposals);
+
+ if (proposal_count > 0)
+ {
+ proposal_substructure_t *last_proposal;
+ status = this->proposals->get_last(this->proposals,(void **) &last_proposal);
+ /* last transform is now not anymore last one */
+ last_proposal->set_is_last_proposal(last_proposal, FALSE);
+ }
+ proposal->set_is_last_proposal(proposal, TRUE);
+ proposal->set_proposal_number(proposal, proposal_count + 1);
+ this->proposals->insert_last(this->proposals,(void *) proposal);
+ compute_length(this);
+}
+
+/**
+ * Implementation of sa_payload_t.add_proposal.
+ */
+static void add_proposal(private_sa_payload_t *this, proposal_t *proposal)
+{
+ proposal_substructure_t *substructure;
+
+ substructure = proposal_substructure_create_from_proposal(proposal);
+ add_proposal_substructure(this, substructure);
+}
+
+/**
+ * Implementation of sa_payload_t.get_proposals.
+ */
+static linked_list_t *get_proposals(private_sa_payload_t *this)
+{
+ int struct_number = 0;
+ int ignore_struct_number = 0;
+ iterator_t *iterator;
+ proposal_substructure_t *proposal_struct;
+ linked_list_t *proposal_list;
+
+ /* this list will hold our proposals */
+ proposal_list = linked_list_create();
+
+ /* we do not support proposals split up to two proposal substructures, as
+ * AH+ESP bundles are not supported in RFC4301 anymore.
+ * To handle such structures safely, we just skip proposals with multiple
+ * protocols.
+ */
+ iterator = this->proposals->create_iterator(this->proposals, TRUE);
+ while (iterator->iterate(iterator, (void **)&proposal_struct))
+ {
+ proposal_t *proposal;
+
+ /* check if a proposal has a single protocol */
+ if (proposal_struct->get_proposal_number(proposal_struct) == struct_number)
+ {
+ if (ignore_struct_number < struct_number)
+ {
+ /* remova an already added, if first of series */
+ proposal_list->remove_last(proposal_list, (void**)&proposal);
+ proposal->destroy(proposal);
+ ignore_struct_number = struct_number;
+ }
+ continue;
+ }
+ struct_number++;
+ proposal = proposal_struct->get_proposal(proposal_struct);
+ if (proposal)
+ {
+ proposal_list->insert_last(proposal_list, proposal);
+ }
+ }
+ iterator->destroy(iterator);
+ return proposal_list;
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create()
+{
+ private_sa_payload_t *this = malloc_thing(private_sa_payload_t);
+
+ /* public interface */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.create_proposal_substructure_iterator = (iterator_t* (*) (sa_payload_t *,bool)) create_proposal_substructure_iterator;
+ this->public.add_proposal_substructure = (void (*) (sa_payload_t *,proposal_substructure_t *)) add_proposal_substructure;
+ this->public.add_proposal = (void (*) (sa_payload_t*,proposal_t*))add_proposal;
+ this->public.get_proposals = (linked_list_t* (*) (sa_payload_t *)) get_proposals;
+ this->public.destroy = (void (*) (sa_payload_t *)) destroy;
+
+ /* set default values of the fields */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length = SA_PAYLOAD_HEADER_LENGTH;
+ this->proposals = linked_list_create();
+ return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals)
+{
+ iterator_t *iterator;
+ proposal_t *proposal;
+ sa_payload_t *sa_payload = sa_payload_create();
+
+ /* add every payload from the list */
+ iterator = proposals->create_iterator(proposals, TRUE);
+ while (iterator->iterate(iterator, (void**)&proposal))
+ {
+ add_proposal((private_sa_payload_t*)sa_payload, proposal);
+ }
+ iterator->destroy(iterator);
+
+ return sa_payload;
+}
+
+/*
+ * Described in header.
+ */
+sa_payload_t *sa_payload_create_from_proposal(proposal_t *proposal)
+{
+ sa_payload_t *sa_payload = sa_payload_create();
+
+ add_proposal((private_sa_payload_t*)sa_payload, proposal);
+
+ return sa_payload;
+}
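Review bot: In verify() the first comparison is inverted: `if (current_number < expected_number)` should be `if (current_number > expected_number)`, so that a larger number is required to be exactly `expected_number + 1`. As written, a smaller number always fails with the misleading "excepted %d or %d" message, the `else if` branch repeats the same condition and is unreachable, and a larger number is accepted whatever the gap. That matters because get_proposals() detects multi-protocol bundles by comparing each proposal number with a counter that increases by one. With non-consecutive numbering accepted from the peer, substructures that share a number may be returned as separate proposals instead of being skipped. The `first` flag is assigned but never read and can be dropped.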
diff --git a/src/charon/encoding/payloads/sa_payload.h b/src/charon/encoding/payloads/sa_payload.h
new file mode 100644
index 000000000..67d687857
--- /dev/null
+++ b/src/charon/encoding/payloads/sa_payload.h
@@ -0,0 +1,141 @@
+/**
+ * @file sa_payload.h
+ *
+ * @brief Interface of sa_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef SA_PAYLOAD_H_
+#define SA_PAYLOAD_H_
+
+typedef struct sa_payload_t sa_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/proposal_substructure.h>
+#include <utils/linked_list.h>
+
+/**
+ * SA_PAYLOAD length in bytes without any proposal substructure.
+ *
+ * @ingroup payloads
+ */
+#define SA_PAYLOAD_HEADER_LENGTH 4
+
+/**
+ * @brief Class representing an IKEv2-SA Payload.
+ *
+ * The SA Payload format is described in RFC section 3.3.
+ *
+ * @b Constructors:
+ * - sa_payload_create()
+ * - sa_payload_create_from_ike_proposals()
+ * - sa_payload_create_from_proposal()
+ *
+ * @todo Add support of algorithms without specified keylength in get_proposals and get_ike_proposals.
+ *
+ * @ingroup payloads
+ */
+struct sa_payload_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Creates an iterator of stored proposal_substructure_t objects.
+ *
+ * @warning The created iterator has to get destroyed by the caller!
+ *
+ * @warning When deleting an proposal using this iterator,
+ * the length of this transform substructure has to be refreshed
+ * by calling get_length()!
+ *
+ * @param this calling sa_payload_t object
+ * @param[in] forward iterator direction (TRUE: front to end)
+ * @return created iterator_t object
+ */
+ iterator_t *(*create_proposal_substructure_iterator) (sa_payload_t *this, bool forward);
+
+ /**
+ * @brief Adds a proposal_substructure_t object to this object.
+ *
+ * @warning The added proposal_substructure_t object is
+ * getting destroyed in destroy function of sa_payload_t.
+ *
+ * @param this calling sa_payload_t object
+ * @param proposal proposal_substructure_t object to add
+ */
+ void (*add_proposal_substructure) (sa_payload_t *this,proposal_substructure_t *proposal);
+
+ /**
+ * @brief Gets the proposals in this payload as a list.
+ *
+ * @return a list containing proposal_t s
+ */
+ linked_list_t *(*get_proposals) (sa_payload_t *this);
+
+ /**
+ * @brief Add a child proposal (AH/ESP) to the payload.
+ *
+ * @param proposal child proposal to add to the payload
+ */
+ void (*add_proposal) (sa_payload_t *this, proposal_t *proposal);
+
+ /**
+ * @brief Destroys an sa_payload_t object.
+ *
+ * @param this sa_payload_t object to destroy
+ */
+ void (*destroy) (sa_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty sa_payload_t object
+ *
+ * @return created sa_payload_t object
+ *
+ * @ingroup payloads
+ */
+sa_payload_t *sa_payload_create(void);
+
+/**
+ * @brief Creates a sa_payload_t object from a list of proposals.
+ *
+ * @param proposals list of proposals to build the payload from
+ * @return sa_payload_t object
+ *
+ * @ingroup payloads
+ */
+sa_payload_t *sa_payload_create_from_proposal_list(linked_list_t *proposals);
+
+/**
+ * @brief Creates a sa_payload_t object from a single proposal.
+ *
+ * This is only for convenience. Use sa_payload_create_from_proposal_list
+ * if you want to add more than one proposal.
+ *
+ * @param proposal proposal from which the payload should be built.
+ * @return sa_payload_t object
+ *
+ * @ingroup payloads
+ */
+sa_payload_t *sa_payload_create_from_proposal(proposal_t *proposal);
+
+#endif /*SA_PAYLOAD_H_*/
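Review bot: The constructor list in the class comment names `sa_payload_create_from_ike_proposals()`, which this header does not declare; the declared constructor is `sa_payload_create_from_proposal_list()`. The `@todo` likewise mentions `get_ike_proposals`, which is not a member of the struct, so both names should be updated. The comments on `add_proposal`, `sa_payload_create_from_proposal_list()` and `sa_payload_create_from_proposal()` also do not say whether the payload copies the passed `proposal_t` or takes ownership of it. Callers need that to avoid a leak or a double free, so I would add one `@warning` line per function stating which it is (the body of add_proposal is outside this hunk).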
diff --git a/src/charon/encoding/payloads/traffic_selector_substructure.c b/src/charon/encoding/payloads/traffic_selector_substructure.c
new file mode 100644
index 000000000..573139bf3
--- /dev/null
+++ b/src/charon/encoding/payloads/traffic_selector_substructure.c
@@ -0,0 +1,283 @@
+/**
+ * @file traffic_selector_substructure.c
+ *
+ * @brief Interface of traffic_selector_substructure_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "traffic_selector_substructure.h"
+
+#include <encoding/payloads/encodings.h>
+#include <utils/linked_list.h>
+
+
+typedef struct private_traffic_selector_substructure_t private_traffic_selector_substructure_t;
+
+/**
+ * Private data of an traffic_selector_substructure_t object.
+ *
+ */
+struct private_traffic_selector_substructure_t {
+ /**
+ * Public traffic_selector_substructure_t interface.
+ */
+ traffic_selector_substructure_t public;
+
+ /**
+ * Type of traffic selector.
+ */
+ u_int8_t ts_type;
+
+ /**
+ * IP Protocol ID.
+ */
+ u_int8_t ip_protocol_id;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * Start port number.
+ */
+ u_int16_t start_port;
+
+ /**
+ * End port number.
+ */
+ u_int16_t end_port;
+
+ /**
+ * Starting address.
+ */
+ chunk_t starting_address;
+
+ /**
+ * Ending address.
+ */
+ chunk_t ending_address;
+};
+
+/**
+ * Encoding rules to parse or generate a TS payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_traffic_selector_substructure_t.
+ *
+ */
+encoding_rule_t traffic_selector_substructure_encodings[] = {
+ /* 1 Byte next ts type*/
+ { TS_TYPE, offsetof(private_traffic_selector_substructure_t, ts_type) },
+ /* 1 Byte IP protocol id*/
+ { U_INT_8, offsetof(private_traffic_selector_substructure_t, ip_protocol_id) },
+ /* Length of the whole payload*/
+ { PAYLOAD_LENGTH, offsetof(private_traffic_selector_substructure_t, payload_length) },
+ /* 2 Byte start port*/
+ { U_INT_16, offsetof(private_traffic_selector_substructure_t, start_port) },
+ /* 2 Byte end port*/
+ { U_INT_16, offsetof(private_traffic_selector_substructure_t, end_port) },
+ /* starting address is either 4 or 16 byte */
+ { ADDRESS, offsetof(private_traffic_selector_substructure_t, starting_address) },
+ /* ending address is either 4 or 16 byte */
+ { ADDRESS, offsetof(private_traffic_selector_substructure_t, ending_address) }
+
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! TS Type !IP Protocol ID*| Selector Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Start Port* | End Port* |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Starting Address* ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Ending Address* ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_traffic_selector_substructure_t *this)
+{
+ if (this->start_port > this->end_port)
+ {
+ return FAILED;
+ }
+ switch (this->ts_type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ {
+ if ((this->starting_address.len != 4) ||
+ (this->ending_address.len != 4))
+ {
+ /* ipv4 address must be 4 bytes long */
+ return FAILED;
+ }
+ break;
+ }
+ case TS_IPV6_ADDR_RANGE:
+ {
+ if ((this->starting_address.len != 16) ||
+ (this->ending_address.len != 16))
+ {
+ /* ipv6 address must be 16 bytes long */
+ return FAILED;
+ }
+ break;
+ }
+ default:
+ {
+ /* not supported ts type */
+ return FAILED;
+ }
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of traffic_selector_substructure_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_traffic_selector_substructure_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = traffic_selector_substructure_encodings;
+ *rule_count = sizeof(traffic_selector_substructure_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_traffic_selector_substructure_t *this)
+{
+ return TRAFFIC_SELECTOR_SUBSTRUCTURE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_traffic_selector_substructure_t *this)
+{
+ return 0;
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_traffic_selector_substructure_t *this,payload_type_t type)
+{
+
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_traffic_selector_substructure_t *this)
+{
+ return this->payload_length;
+}
+
+/**
+ * Implementation of traffic_selector_substructure_t.get_traffic_selector.
+ */
+static traffic_selector_t *get_traffic_selector(private_traffic_selector_substructure_t *this)
+{
+ traffic_selector_t *ts;
+ ts = traffic_selector_create_from_bytes(this->ip_protocol_id, this->ts_type,
+ this->starting_address, this->start_port,
+ this->ending_address, this->end_port);
+ return ts;
+}
+
+/**
+ * recompute length field of the payload
+ */
+void compute_length(private_traffic_selector_substructure_t *this)
+{
+ this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH +
+ this->ending_address.len + this->starting_address.len;
+}
+
+/**
+ * Implementation of payload_t.destroy and traffic_selector_substructure_t.destroy.
+ */
+static void destroy(private_traffic_selector_substructure_t *this)
+{
+ free(this->starting_address.ptr);
+ free(this->ending_address.ptr);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+traffic_selector_substructure_t *traffic_selector_substructure_create()
+{
+ private_traffic_selector_substructure_t *this = malloc_thing(private_traffic_selector_substructure_t);
+
+ /* interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.get_traffic_selector = (traffic_selector_t* (*)(traffic_selector_substructure_t*))get_traffic_selector;
+ this->public.destroy = (void (*) (traffic_selector_substructure_t *)) destroy;
+
+ /* private variables */
+ this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH;
+ this->start_port = 0;
+ this->end_port = 0;
+ this->starting_address = chunk_empty;
+ this->ending_address = chunk_empty;
+ this->ip_protocol_id = 0;
+ /* must be set to be valid */
+ this->ts_type = TS_IPV4_ADDR_RANGE;
+
+ return (&(this->public));
+}
+
+/*
+ * Described in header
+ */
+traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector(traffic_selector_t *traffic_selector)
+{
+ private_traffic_selector_substructure_t *this = (private_traffic_selector_substructure_t*)traffic_selector_substructure_create();
+ this->ts_type = traffic_selector->get_type(traffic_selector);
+ this->ip_protocol_id = traffic_selector->get_protocol(traffic_selector);
+ this->start_port = traffic_selector->get_from_port(traffic_selector);
+ this->end_port = traffic_selector->get_to_port(traffic_selector);
+ this->starting_address = traffic_selector->get_from_address(traffic_selector);
+ this->ending_address = traffic_selector->get_to_address(traffic_selector);
+
+ compute_length(this);
+
+ return &(this->public);
+}
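Review bot: `traffic_selector_substructure_create()` assigns only `get_traffic_selector` and `destroy` on the public interface, while traffic_selector_substructure.h in this commit also declares `get_ts_type`, `set_ts_type`, `get_protocol_id`, `set_protocol_id`, `get_start_host`, `set_start_host`, `get_end_host` and `set_end_host`. This file implements none of those eight, so the members keep whatever `malloc_thing()` left in them (presumably uninitialised heap memory; its definition is not visible here), and a call through any of them goes through an indeterminate pointer. Either drop the eight declarations from the header or implement and assign them in the constructor. Separately, `compute_length()` is the only helper here without `static`; `static void compute_length(private_traffic_selector_substructure_t *this)` keeps it out of the global namespace.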
diff --git a/src/charon/encoding/payloads/traffic_selector_substructure.h b/src/charon/encoding/payloads/traffic_selector_substructure.h
new file mode 100644
index 000000000..14efccc89
--- /dev/null
+++ b/src/charon/encoding/payloads/traffic_selector_substructure.h
@@ -0,0 +1,172 @@
+/**
+ * @file traffic_selector_substructure.h
+ *
+ * @brief Interface of traffic_selector_substructure_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#ifndef TRAFFIC_SELECTOR_SUBSTRUCTURE_H_
+#define TRAFFIC_SELECTOR_SUBSTRUCTURE_H_
+
+typedef struct traffic_selector_substructure_t traffic_selector_substructure_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <utils/host.h>
+#include <config/traffic_selector.h>
+
+/**
+ * Length of a TRAFFIC SELECTOR SUBSTRUCTURE without start and end address.
+ *
+ * @ingroup payloads
+ */
+#define TRAFFIC_SELECTOR_HEADER_LENGTH 8
+
+/**
+ * @brief Class representing an IKEv2 TRAFFIC SELECTOR.
+ *
+ * The TRAFFIC SELECTOR format is described in RFC section 3.13.1.
+ *
+ * @b Constructors:
+ * - traffic_selector_substructure_create()
+ * - traffic_selector_substructure_create_from_traffic_selector()
+ *
+ * @ingroup payloads
+ */
+struct traffic_selector_substructure_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Get the type of Traffic selector.
+ *
+ * @param this calling traffic_selector_substructure_t object
+ * @return type of traffic selector
+ *
+ */
+ ts_type_t (*get_ts_type) (traffic_selector_substructure_t *this);
+
+ /**
+ * @brief Set the type of Traffic selector.
+ *
+ * @param this calling traffic_selector_substructure_t object
+ * @param ts_type type of traffic selector
+ */
+ void (*set_ts_type) (traffic_selector_substructure_t *this,ts_type_t ts_type);
+
+ /**
+ * @brief Get the IP protocol ID of Traffic selector.
+ *
+ * @param this calling traffic_selector_substructure_t object
+ * @return type of traffic selector
+ *
+ */
+ u_int8_t (*get_protocol_id) (traffic_selector_substructure_t *this);
+
+ /**
+ * @brief Set the IP protocol ID of Traffic selector
+ *
+ * @param this calling traffic_selector_substructure_t object
+ * @param protocol_id protocol ID of traffic selector
+ */
+ void (*set_protocol_id) (traffic_selector_substructure_t *this,u_int8_t protocol_id);
+
+ /**
+ * @brief Get the start port and address as host_t object.
+ *
+ * Returned host_t object has to get destroyed by the caller.
+ *
+ * @param this calling traffic_selector_substructure_t object
+ * @return start host as host_t object
+ *
+ */
+ host_t *(*get_start_host) (traffic_selector_substructure_t *this);
+
+ /**
+ * @brief Set the start port and address as host_t object.
+ *
+ * @param this calling traffic_selector_substructure_t object
+ * @param start_host start host as host_t object
+ */
+ void (*set_start_host) (traffic_selector_substructure_t *this,host_t *start_host);
+
+ /**
+ * @brief Get the end port and address as host_t object.
+ *
+ * Returned host_t object has to get destroyed by the caller.
+ *
+ * @param this calling traffic_selector_substructure_t object
+ * @return end host as host_t object
+ *
+ */
+ host_t *(*get_end_host) (traffic_selector_substructure_t *this);
+
+ /**
+ * @brief Set the end port and address as host_t object.
+ *
+ * @param this calling traffic_selector_substructure_t object
+ * @param end_host end host as host_t object
+ */
+ void (*set_end_host) (traffic_selector_substructure_t *this,host_t *end_host);
+
+ /**
+ * @brief Get a traffic_selector_t from this substructure.
+ *
+ * @warning traffic_selector_t must be destroyed after usage.
+ *
+ * @param this calling traffic_selector_substructure_t object
+ * @return contained traffic_selector_t
+ */
+ traffic_selector_t *(*get_traffic_selector) (traffic_selector_substructure_t *this);
+
+ /**
+ * @brief Destroys an traffic_selector_substructure_t object.
+ *
+ * @param this traffic_selector_substructure_t object to destroy
+ */
+ void (*destroy) (traffic_selector_substructure_t *this);
+};
+
+/**
+ * @brief Creates an empty traffic_selector_substructure_t object.
+ *
+ * TS type is set to default TS_IPV4_ADDR_RANGE!
+ *
+ * @return traffic_selector_substructure_t object
+ *
+ * @ingroup payloads
+ */
+traffic_selector_substructure_t *traffic_selector_substructure_create(void);
+
+/**
+ * @brief Creates an initialized traffif selector substructure using
+ * the values from a traffic_selector_t.
+ *
+ * @param traffic_selector traffic_selector_t to use for initialization
+ * @return traffic_selector_substructure_t object
+ *
+ * @ingroup payloads
+ */
+traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector(traffic_selector_t *traffic_selector);
+
+
+#endif /* /TRAFFIC_SELECTOR_SUBSTRUCTURE_H_ */
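Review bot: The `@return` text on `get_protocol_id` reads `type of traffic selector`, copied from `get_ts_type`; it should read `IP protocol ID of the traffic selector`. The brief on `traffic_selector_substructure_create_from_traffic_selector()` has the typo `traffif`. Its comment also does not say whether the start and end address data are copied from the `traffic_selector_t` or shared with it. That matters because destroy() in the .c file of this commit frees both address pointers, so a sentence stating who owns the address data after the call would help callers avoid a double free.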
diff --git a/src/charon/encoding/payloads/transform_attribute.c b/src/charon/encoding/payloads/transform_attribute.c
new file mode 100644
index 000000000..066885c55
--- /dev/null
+++ b/src/charon/encoding/payloads/transform_attribute.c
@@ -0,0 +1,332 @@
+/**
+ * @file transform_attribute.c
+ *
+ * @brief Implementation of transform_attribute_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <stddef.h>
+
+#include "transform_attribute.h"
+
+#include <encoding/payloads/encodings.h>
+#include <library.h>
+
+typedef struct private_transform_attribute_t private_transform_attribute_t;
+
+/**
+ * Private data of an transform_attribute_t object.
+ *
+ */
+struct private_transform_attribute_t {
+ /**
+ * Public transform_attribute_t interface.
+ */
+ transform_attribute_t public;
+
+ /**
+ * Attribute Format Flag.
+ *
+ * - TRUE means value is stored in attribute_length_or_value
+ * - FALSE means value is stored in attribute_value
+ */
+ bool attribute_format;
+
+ /**
+ * Type of the attribute.
+ */
+ u_int16_t attribute_type;
+
+ /**
+ * Attribute Length if attribute_format is 0, attribute Value otherwise.
+ */
+ u_int16_t attribute_length_or_value;
+
+ /**
+ * Attribute value as chunk if attribute_format is 0 (FALSE).
+ */
+ chunk_t attribute_value;
+};
+
+
+ENUM_BEGIN(transform_attribute_type_name, ATTRIBUTE_UNDEFINED, ATTRIBUTE_UNDEFINED,
+ "ATTRIBUTE_UNDEFINED");
+ENUM_NEXT(transform_attribute_type_name, KEY_LENGTH, KEY_LENGTH, ATTRIBUTE_UNDEFINED,
+ "KEY_LENGTH");
+ENUM_END(transform_attribute_type_name, KEY_LENGTH);
+
+/**
+ * Encoding rules to parse or generate a Transform attribute.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_transform_attribute_t.
+ *
+ */
+encoding_rule_t transform_attribute_encodings[] = {
+ /* Flag defining the format of this payload */
+ { ATTRIBUTE_FORMAT, offsetof(private_transform_attribute_t, attribute_format) },
+ /* type of the attribute as 15 bit unsigned integer */
+ { ATTRIBUTE_TYPE, offsetof(private_transform_attribute_t, attribute_type) },
+ /* Length or value, depending on the attribute format flag */
+ { ATTRIBUTE_LENGTH_OR_VALUE, offsetof(private_transform_attribute_t, attribute_length_or_value) },
+ /* Value of attribute if attribute format flag is zero */
+ { ATTRIBUTE_VALUE, offsetof(private_transform_attribute_t, attribute_value) }
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ !A! Attribute Type ! AF=0 Attribute Length !
+ !F! ! AF=1 Attribute Value !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! AF=0 Attribute Value !
+ ! AF=1 Not Transmitted !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_transform_attribute_t *this)
+{
+ if (this->attribute_type != KEY_LENGTH)
+ {
+ return FAILED;
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_transform_attribute_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = transform_attribute_encodings;
+ *rule_count = sizeof(transform_attribute_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_transform_attribute_t *this)
+{
+ return TRANSFORM_ATTRIBUTE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_transform_attribute_t *this)
+{
+ return (NO_PAYLOAD);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_transform_attribute_t *this,payload_type_t type)
+{
+}
+
+/**
+ * Implementation of transform_attribute_t.get_length.
+ */
+static size_t get_length(private_transform_attribute_t *this)
+{
+ if (this->attribute_format == TRUE)
+ {
+ /*Attribute size is only 4 byte */
+ return 4;
+ }
+ return (this->attribute_length_or_value + 4);
+}
+
+/**
+ * Implementation of transform_attribute_t.set_value_chunk.
+ */
+static void set_value_chunk(private_transform_attribute_t *this, chunk_t value)
+{
+ if (this->attribute_value.ptr != NULL)
+ {
+ /* free existing value */
+ free(this->attribute_value.ptr);
+ this->attribute_value.ptr = NULL;
+ this->attribute_value.len = 0;
+
+ }
+
+ if (value.len > 2)
+ {
+ this->attribute_value.ptr = clalloc(value.ptr,value.len);
+ this->attribute_value.len = value.len;
+ this->attribute_length_or_value = value.len;
+ /* attribute has not a fixed length */
+ this->attribute_format = FALSE;
+ }
+ else
+ {
+ memcpy(&(this->attribute_length_or_value),value.ptr,value.len);
+ }
+}
+
+/**
+ * Implementation of transform_attribute_t.set_value.
+ */
+static void set_value(private_transform_attribute_t *this, u_int16_t value)
+{
+ if (this->attribute_value.ptr != NULL)
+ {
+ /* free existing value */
+ free(this->attribute_value.ptr);
+ this->attribute_value.ptr = NULL;
+ this->attribute_value.len = 0;
+
+ }
+ this->attribute_length_or_value = value;
+}
+
+/**
+ * Implementation of transform_attribute_t.get_value_chunk.
+ */
+static chunk_t get_value_chunk (private_transform_attribute_t *this)
+{
+ chunk_t value;
+
+ if (this->attribute_format == FALSE)
+ {
+ value.ptr = this->attribute_value.ptr;
+ value.len = this->attribute_value.len;
+ }
+ else
+ {
+ value.ptr = (void *) &(this->attribute_length_or_value);
+ value.len = 2;
+ }
+
+ return value;
+}
+
+/**
+ * Implementation of transform_attribute_t.get_value.
+ */
+static u_int16_t get_value (private_transform_attribute_t *this)
+{
+ return this->attribute_length_or_value;
+}
+
+
+/**
+ * Implementation of transform_attribute_t.set_attribute_type.
+ */
+static void set_attribute_type (private_transform_attribute_t *this, u_int16_t type)
+{
+ this->attribute_type = type & 0x7FFF;
+}
+
+/**
+ * Implementation of transform_attribute_t.get_attribute_type.
+ */
+static u_int16_t get_attribute_type (private_transform_attribute_t *this)
+{
+ return this->attribute_type;
+}
+
+/**
+ * Implementation of transform_attribute_t.clone.
+ */
+static transform_attribute_t * clone(private_transform_attribute_t *this)
+{
+ private_transform_attribute_t *new_clone;
+
+ new_clone = (private_transform_attribute_t *) transform_attribute_create();
+
+ new_clone->attribute_format = this->attribute_format;
+ new_clone->attribute_type = this->attribute_type;
+ new_clone->attribute_length_or_value = this->attribute_length_or_value;
+
+ if (!new_clone->attribute_format)
+ {
+ new_clone->attribute_value.ptr = clalloc(this->attribute_value.ptr,this->attribute_value.len);
+ new_clone->attribute_value.len = this->attribute_value.len;
+ }
+
+ return (transform_attribute_t *) new_clone;
+}
+
+/**
+ * Implementation of transform_attribute_t.destroy and payload_t.destroy.
+ */
+static void destroy(private_transform_attribute_t *this)
+{
+ if (this->attribute_value.ptr != NULL)
+ {
+ free(this->attribute_value.ptr);
+ }
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+transform_attribute_t *transform_attribute_create()
+{
+ private_transform_attribute_t *this = malloc_thing(private_transform_attribute_t);
+
+ /* payload interface */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.set_value_chunk = (void (*) (transform_attribute_t *,chunk_t)) set_value_chunk;
+ this->public.set_value = (void (*) (transform_attribute_t *,u_int16_t)) set_value;
+ this->public.get_value_chunk = (chunk_t (*) (transform_attribute_t *)) get_value_chunk;
+ this->public.get_value = (u_int16_t (*) (transform_attribute_t *)) get_value;
+ this->public.set_attribute_type = (void (*) (transform_attribute_t *,u_int16_t type)) set_attribute_type;
+ this->public.get_attribute_type = (u_int16_t (*) (transform_attribute_t *)) get_attribute_type;
+ this->public.clone = (transform_attribute_t * (*) (transform_attribute_t *)) clone;
+ this->public.destroy = (void (*) (transform_attribute_t *)) destroy;
+
+ /* set default values of the fields */
+ this->attribute_format = TRUE;
+ this->attribute_type = 0;
+ this->attribute_length_or_value = 0;
+ this->attribute_value.ptr = NULL;
+ this->attribute_value.len = 0;
+
+ return (&(this->public));
+}
+
+/*
+ * Described in header.
+ */
+transform_attribute_t *transform_attribute_create_key_length(u_int16_t key_length)
+{
+ transform_attribute_t *attribute = transform_attribute_create();
+ attribute->set_attribute_type(attribute,KEY_LENGTH);
+ attribute->set_value(attribute,key_length);
+ return attribute;
+}
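Review bot: `verify()` accepts any attribute whose type is KEY_LENGTH without looking at `attribute_format`, yet `get_value()` returns `attribute_length_or_value` unconditionally, so for an attribute received with AF=0 the caller would get the wire length field back as the key length. RFC section 3.3.5, which the header cites, lists Key Length as a fixed-length (AF=1) attribute, so unless TLV-encoded key lengths are meant to be tolerated I would tighten the check to `if (this->attribute_type != KEY_LENGTH || !this->attribute_format)`. Related: `set_value()` and the short-value branch of `set_value_chunk()` free the chunk but never set the format flag, so an object that previously held a long value keeps AF=0 with an empty chunk and `get_length()` still reports `attribute_length_or_value + 4`. Adding `this->attribute_format = TRUE;` in both places keeps the three fields consistent.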
diff --git a/src/charon/encoding/payloads/transform_attribute.h b/src/charon/encoding/payloads/transform_attribute.h
new file mode 100644
index 000000000..30583b23f
--- /dev/null
+++ b/src/charon/encoding/payloads/transform_attribute.h
@@ -0,0 +1,154 @@
+/**
+ * @file transform_attribute.h
+ *
+ * @brief Interface of transform_attribute_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TRANSFORM_ATTRIBUTE_H_
+#define TRANSFORM_ATTRIBUTE_H_
+
+typedef enum transform_attribute_type_t transform_attribute_type_t;
+typedef struct transform_attribute_t transform_attribute_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+
+/**
+ * Type of the attribute, as in IKEv2 RFC 3.3.5.
+ *
+ * @ingroup payloads
+ */
+enum transform_attribute_type_t {
+ ATTRIBUTE_UNDEFINED = 16384,
+ KEY_LENGTH = 14
+};
+
+/**
+ * enum name for transform_attribute_type_t.
+ *
+ * @ingroup payloads
+ */
+extern enum_name_t *transform_attribute_type_names;
+
+/**
+ * @brief Class representing an IKEv2- TRANSFORM Attribute.
+ *
+ * The TRANSFORM ATTRIBUTE format is described in RFC section 3.3.5.
+ *
+ * @ingroup payloads
+ */
+struct transform_attribute_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Returns the currently set value of the attribute.
+ *
+ * @warning Returned data are not copied.
+ *
+ * @param this calling transform_attribute_t object
+ * @return chunk_t pointing to the value
+ */
+ chunk_t (*get_value_chunk) (transform_attribute_t *this);
+
+ /**
+ * @brief Returns the currently set value of the attribute.
+ *
+ * @warning Returned data are not copied.
+ *
+ * @param this calling transform_attribute_t object
+ * @return value
+ */
+ u_int16_t (*get_value) (transform_attribute_t *this);
+
+ /**
+ * @brief Sets the value of the attribute.
+ *
+ * @warning Value is getting copied.
+ *
+ * @param this calling transform_attribute_t object
+ * @param value chunk_t pointing to the value to set
+ */
+ void (*set_value_chunk) (transform_attribute_t *this, chunk_t value);
+
+ /**
+ * @brief Sets the value of the attribute.
+ *
+ * @param this calling transform_attribute_t object
+ * @param value value to set
+ */
+ void (*set_value) (transform_attribute_t *this, u_int16_t value);
+
+ /**
+ * @brief Sets the type of the attribute.
+ *
+ * @param this calling transform_attribute_t object
+ * @param type type to set (most significant bit is set to zero)
+ */
+ void (*set_attribute_type) (transform_attribute_t *this, u_int16_t type);
+
+ /**
+ * @brief get the type of the attribute.
+ *
+ * @param this calling transform_attribute_t object
+ * @return type of the value
+ */
+ u_int16_t (*get_attribute_type) (transform_attribute_t *this);
+
+ /**
+ * @brief Clones an transform_attribute_t object.
+ *
+ * @param this transform_attribute_t object to clone
+ * @return cloned transform_attribute_t object
+ */
+ transform_attribute_t * (*clone) (transform_attribute_t *this);
+
+ /**
+ * @brief Destroys an transform_attribute_t object.
+ *
+ * @param this transform_attribute_t object to destroy
+ */
+ void (*destroy) (transform_attribute_t *this);
+};
+
+/**
+ * @brief Creates an empty transform_attribute_t object.
+ *
+ * @return transform_attribute_t object
+ *
+ * @ingroup payloads
+ */
+transform_attribute_t *transform_attribute_create(void);
+
+/**
+ * @brief Creates an transform_attribute_t of type KEY_LENGTH.
+ *
+ * @param key_length key length in bytes
+ * @return transform_attribute_t object
+ *
+ * @ingroup payloads
+ */
+transform_attribute_t *transform_attribute_create_key_length(u_int16_t key_length);
+
+
+#endif /*TRANSFORM_ATTRIBUTE_H_*/
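Review bot: The header declares `extern enum_name_t *transform_attribute_type_names;`, but transform_attribute.c in this commit builds the table with `ENUM_BEGIN(transform_attribute_type_name, ...)` and `ENUM_END(transform_attribute_type_name, KEY_LENGTH)`, without the trailing `s`. Assuming the ENUM macros define a symbol with the name they are given (their definition is not visible here), any user of the declared name would fail to link, so one of the two spellings should change. Also, `@param key_length key length in bytes` on `transform_attribute_create_key_length()` should be checked against RFC section 3.3.5, where the Key Length attribute is expressed in bits; if callers pass bits, the comment should read `key length in bits`.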
diff --git a/src/charon/encoding/payloads/transform_substructure.c b/src/charon/encoding/payloads/transform_substructure.c
new file mode 100644
index 000000000..d64d6c754
--- /dev/null
+++ b/src/charon/encoding/payloads/transform_substructure.c
@@ -0,0 +1,409 @@
+/**
+ * @file transform_substructure.h
+ *
+ * @brief Implementation of transform_substructure_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "transform_substructure.h"
+
+#include <encoding/payloads/transform_attribute.h>
+#include <encoding/payloads/encodings.h>
+#include <library.h>
+#include <utils/linked_list.h>
+#include <daemon.h>
+
+
+typedef struct private_transform_substructure_t private_transform_substructure_t;
+
+/**
+ * Private data of an transform_substructure_t object.
+ *
+ */
+struct private_transform_substructure_t {
+ /**
+ * Public transform_substructure_t interface.
+ */
+ transform_substructure_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t transform_length;
+
+
+ /**
+ * Type of the transform.
+ */
+ u_int8_t transform_type;
+
+ /**
+ * Transform ID.
+ */
+ u_int16_t transform_id;
+
+ /**
+ * Transforms Attributes are stored in a linked_list_t.
+ */
+ linked_list_t *attributes;
+};
+
+
+/**
+ * Encoding rules to parse or generate a Transform substructure.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_transform_substructure_t.
+ *
+ */
+encoding_rule_t transform_substructure_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_transform_substructure_t, next_payload) },
+ /* Reserved Byte is skipped */
+ { RESERVED_BYTE, 0 },
+ /* Length of the whole transform substructure*/
+ { PAYLOAD_LENGTH, offsetof(private_transform_substructure_t, transform_length) },
+ /* transform type is a number of 8 bit */
+ { U_INT_8, offsetof(private_transform_substructure_t, transform_type) },
+ /* Reserved Byte is skipped */
+ { RESERVED_BYTE, 0 },
+ /* tranform ID is a number of 8 bit */
+ { U_INT_16, offsetof(private_transform_substructure_t, transform_id) },
+ /* Attributes are stored in a transform attribute,
+ offset points to a linked_list_t pointer */
+ { TRANSFORM_ATTRIBUTES, offsetof(private_transform_substructure_t, attributes) }
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! 0 (last) or 3 ! RESERVED ! Transform Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ !Transform Type ! RESERVED ! Transform ID !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Transform Attributes ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_transform_substructure_t *this)
+{
+ status_t status = SUCCESS;
+ iterator_t *iterator;
+ payload_t *current_attributes;
+
+ if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 3))
+ {
+ /* must be 0 or 3 */
+ DBG1(DBG_ENC, "inconsistent next payload");
+ return FAILED;
+ }
+
+ switch (this->transform_type)
+ {
+ case ENCRYPTION_ALGORITHM:
+ case PSEUDO_RANDOM_FUNCTION:
+ case INTEGRITY_ALGORITHM:
+ case DIFFIE_HELLMAN_GROUP:
+ case EXTENDED_SEQUENCE_NUMBERS:
+ /* we don't check transform ID, we want to reply
+ * cleanly with NO_PROPOSAL_CHOSEN or so if we don't support it */
+ break;
+ default:
+ {
+ DBG1(DBG_ENC, "invalid transform type: %d", this->transform_type);
+ return FAILED;
+ }
+ }
+ iterator = this->attributes->create_iterator(this->attributes,TRUE);
+
+ while(iterator->iterate(iterator, (void**)&current_attributes))
+ {
+ status = current_attributes->verify(current_attributes);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_ENC, "TRANSFORM_ATTRIBUTE verification failed");
+ }
+ }
+ iterator->destroy(iterator);
+
+ /* proposal number is checked in SA payload */
+ return status;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_transform_substructure_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = transform_substructure_encodings;
+ *rule_count = sizeof(transform_substructure_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_type(private_transform_substructure_t *this)
+{
+ return TRANSFORM_SUBSTRUCTURE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_transform_substructure_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * recompute the length of the payload.
+ */
+static void compute_length (private_transform_substructure_t *this)
+{
+ iterator_t *iterator;
+ payload_t *current_attribute;
+ size_t length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
+
+ iterator = this->attributes->create_iterator(this->attributes,TRUE);
+ while (iterator->iterate(iterator, (void**)&current_attribute))
+ {
+ length += current_attribute->get_length(current_attribute);
+ }
+ iterator->destroy(iterator);
+
+ this->transform_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_transform_substructure_t *this)
+{
+ compute_length(this);
+ return this->transform_length;
+}
+
+/**
+ * Implementation of transform_substructure_t.create_transform_attribute_iterator.
+ */
+static iterator_t *create_transform_attribute_iterator (private_transform_substructure_t *this,bool forward)
+{
+ return this->attributes->create_iterator(this->attributes,forward);
+}
+
+/**
+ * Implementation of transform_substructure_t.add_transform_attribute.
+ */
+static void add_transform_attribute (private_transform_substructure_t *this,transform_attribute_t *attribute)
+{
+ this->attributes->insert_last(this->attributes,(void *) attribute);
+ compute_length(this);
+}
+
+/**
+ * Implementation of transform_substructure_t.set_is_last_transform.
+ */
+static void set_is_last_transform (private_transform_substructure_t *this, bool is_last)
+{
+ this->next_payload = (is_last) ? 0: TRANSFORM_TYPE_VALUE;
+}
+
+/**
+ * Implementation of transform_substructure_t.get_is_last_transform.
+ */
+static bool get_is_last_transform (private_transform_substructure_t *this)
+{
+ return ((this->next_payload == TRANSFORM_TYPE_VALUE) ? FALSE : TRUE);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_transform_substructure_t *this,payload_type_t type)
+{
+}
+
+/**
+ * Implementation of transform_substructure_t.set_transform_type.
+ */
+static void set_transform_type (private_transform_substructure_t *this,u_int8_t type)
+{
+ this->transform_type = type;
+}
+
+/**
+ * Implementation of transform_substructure_t.get_transform_type.
+ */
+static u_int8_t get_transform_type (private_transform_substructure_t *this)
+{
+ return this->transform_type;
+}
+
+/**
+ * Implementation of transform_substructure_t.set_transform_id.
+ */
+static void set_transform_id (private_transform_substructure_t *this,u_int16_t id)
+{
+ this->transform_id = id;
+}
+
+/**
+ * Implementation of transform_substructure_t.get_transform_id.
+ */
+static u_int16_t get_transform_id (private_transform_substructure_t *this)
+{
+ return this->transform_id;
+}
+
+/**
+ * Implementation of transform_substructure_t.clone.
+ */
+static transform_substructure_t *clone_(private_transform_substructure_t *this)
+{
+ private_transform_substructure_t *clone;
+ iterator_t *attributes;
+ transform_attribute_t *current_attribute;
+
+ clone = (private_transform_substructure_t *) transform_substructure_create();
+ clone->next_payload = this->next_payload;
+ clone->transform_type = this->transform_type;
+ clone->transform_id = this->transform_id;
+
+ attributes = this->attributes->create_iterator(this->attributes, FALSE);
+ while (attributes->iterate(attributes, (void**)&current_attribute))
+ {
+ current_attribute = current_attribute->clone(current_attribute);
+ clone->public.add_transform_attribute(&clone->public, current_attribute);
+ }
+ attributes->destroy(attributes);
+
+ return &clone->public;
+}
+
+
+/**
+ * Implementation of transform_substructure_t.get_key_length.
+ */
+static status_t get_key_length(private_transform_substructure_t *this, u_int16_t *key_length)
+{
+ iterator_t *attributes;
+ transform_attribute_t *current_attribute;
+
+ attributes = this->attributes->create_iterator(this->attributes, TRUE);
+ while (attributes->iterate(attributes, (void**)&current_attribute))
+ {
+ if (current_attribute->get_attribute_type(current_attribute) == KEY_LENGTH)
+ {
+ *key_length = current_attribute->get_value(current_attribute);
+ attributes->destroy(attributes);
+ return SUCCESS;
+ }
+ }
+ attributes->destroy(attributes);
+ return FAILED;
+}
+
+
+/**
+ * Implementation of transform_substructure_t.destroy and payload_t.destroy.
+ */
+static void destroy(private_transform_substructure_t *this)
+{
+ this->attributes->destroy_offset(this->attributes,
+ offsetof(transform_attribute_t, destroy));
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+transform_substructure_t *transform_substructure_create()
+{
+ private_transform_substructure_t *this = malloc_thing(private_transform_substructure_t);
+
+ /* payload interface */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.create_transform_attribute_iterator = (iterator_t * (*) (transform_substructure_t *,bool)) create_transform_attribute_iterator;
+ this->public.add_transform_attribute = (void (*) (transform_substructure_t *,transform_attribute_t *)) add_transform_attribute;
+ this->public.set_is_last_transform = (void (*) (transform_substructure_t *,bool)) set_is_last_transform;
+ this->public.get_is_last_transform = (bool (*) (transform_substructure_t *)) get_is_last_transform;
+ this->public.set_transform_type = (void (*) (transform_substructure_t *,u_int8_t)) set_transform_type;
+ this->public.get_transform_type = (u_int8_t (*) (transform_substructure_t *)) get_transform_type;
+ this->public.set_transform_id = (void (*) (transform_substructure_t *,u_int16_t)) set_transform_id;
+ this->public.get_transform_id = (u_int16_t (*) (transform_substructure_t *)) get_transform_id;
+ this->public.get_key_length = (status_t (*) (transform_substructure_t *,u_int16_t *)) get_key_length;
+ this->public.clone = (transform_substructure_t* (*) (transform_substructure_t *)) clone_;
+ this->public.destroy = (void (*) (transform_substructure_t *)) destroy;
+
+ /* set default values of the fields */
+ this->next_payload = NO_PAYLOAD;
+ this->transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
+ this->transform_id = 0;
+ this->transform_type = 0;
+ this->attributes = linked_list_create();
+
+ return (&(this->public));
+}
+
+/*
+ * Described in header
+ */
+transform_substructure_t *transform_substructure_create_type(transform_type_t transform_type, u_int16_t transform_id, u_int16_t key_length)
+{
+ transform_substructure_t *transform = transform_substructure_create();
+
+ transform->set_transform_type(transform,transform_type);
+ transform->set_transform_id(transform,transform_id);
+
+ /* a keylength attribute is only created for variable length algos */
+ if (transform_type == ENCRYPTION_ALGORITHM &&
+ (transform_id == ENCR_AES_CBC ||
+ transform_id == ENCR_IDEA ||
+ transform_id == ENCR_CAST ||
+ transform_id == ENCR_BLOWFISH))
+ {
+ transform_attribute_t *attribute = transform_attribute_create_key_length(key_length);
+ transform->add_transform_attribute(transform,attribute);
+ }
+
+ return transform;
+}
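Review bot: In `verify()` the attribute loop overwrites `status` on every iteration and never leaves the loop, so an attribute that fails verification is masked when a later attribute in the same list verifies, and the function then returns SUCCESS for the whole substructure. This is the validation step for a payload that is presumably parsed from peer input, so the failure branch should stop at the first error: add `break;` after the `DBG1(DBG_ENC, "TRANSFORM_ATTRIBUTE verification failed");` line, as `verify()` in ts_payload.c in this same commit already does. Separately, `compute_length()` stores a `size_t` sum into the 16-bit `transform_length` without a bound check, and the header comment of this .c file says `@file transform_substructure.h`.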
diff --git a/src/charon/encoding/payloads/transform_substructure.h b/src/charon/encoding/payloads/transform_substructure.h
new file mode 100644
index 000000000..97f587d5d
--- /dev/null
+++ b/src/charon/encoding/payloads/transform_substructure.h
@@ -0,0 +1,198 @@
+/**
+ * @file transform_substructure.h
+ *
+ * @brief Interface of transform_substructure_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TRANSFORM_SUBSTRUCTURE_H_
+#define TRANSFORM_SUBSTRUCTURE_H_
+
+typedef struct transform_substructure_t transform_substructure_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/transform_attribute.h>
+#include <utils/linked_list.h>
+#include <crypto/diffie_hellman.h>
+#include <crypto/signers/signer.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/crypters/crypter.h>
+#include <config/proposal.h>
+
+
+/**
+ * IKEv1 Value for a transform payload.
+ *
+ * @ingroup payloads
+ */
+#define TRANSFORM_TYPE_VALUE 3
+
+/**
+ * Length of the transform substructure header in bytes.
+ *
+ * @ingroup payloads
+ */
+#define TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH 8
+
+
+/**
+ * @brief Class representing an IKEv2- TRANSFORM SUBSTRUCTURE.
+ *
+ * The TRANSFORM SUBSTRUCTURE format is described in RFC section 3.3.2.
+ *
+ * @ingroup payloads
+ */
+struct transform_substructure_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Creates an iterator of stored transform_attribute_t objects.
+ *
+ * @warning The created iterator has to get destroyed by the caller!
+ *
+ * @warning When deleting an transform attribute using this iterator,
+ * the length of this transform substructure has to be refreshed
+ * by calling get_length()!
+ *
+ * @param this calling transform_substructure_t object
+ * @param[in] forward iterator direction (TRUE: front to end)
+ * @return created iterator_t object.
+ */
+ iterator_t * (*create_transform_attribute_iterator) (transform_substructure_t *this, bool forward);
+
+ /**
+ * @brief Adds a transform_attribute_t object to this object.
+ *
+ * @warning The added proposal_substructure_t object is
+ * getting destroyed in destroy function of transform_substructure_t.
+ *
+ * @param this calling transform_substructure_t object
+ * @param proposal transform_attribute_t object to add
+ */
+ void (*add_transform_attribute) (transform_substructure_t *this,transform_attribute_t *attribute);
+
+ /**
+ * @brief Sets the next_payload field of this substructure
+ *
+ * If this is the last transform, next payload field is set to 0,
+ * otherwise to 3
+ *
+ * @param this calling transform_substructure_t object
+ * @param is_last When TRUE, next payload field is set to 0, otherwise to 3
+ */
+ void (*set_is_last_transform) (transform_substructure_t *this, bool is_last);
+
+ /**
+ * @brief Checks if this is the last transform.
+ *
+ * @param this calling transform_substructure_t object
+ * @return TRUE if this is the last Transform, FALSE otherwise
+ */
+ bool (*get_is_last_transform) (transform_substructure_t *this);
+
+ /**
+ * @brief Sets transform type of the current transform substructure.
+ *
+ * @param this calling transform_substructure_t object
+ * @param type type value to set
+ */
+ void (*set_transform_type) (transform_substructure_t *this,u_int8_t type);
+
+ /**
+ * @brief get transform type of the current transform.
+ *
+ * @param this calling transform_substructure_t object
+ * @return Transform type of current transform substructure.
+ */
+ u_int8_t (*get_transform_type) (transform_substructure_t *this);
+
+ /**
+ * @brief Sets transform id of the current transform substructure.
+ *
+ * @param this calling transform_substructure_t object
+ * @param id transform id to set
+ */
+ void (*set_transform_id) (transform_substructure_t *this,u_int16_t id);
+
+ /**
+ * @brief get transform id of the current transform.
+ *
+ * @param this calling transform_substructure_t object
+ * @return Transform id of current transform substructure.
+ */
+ u_int16_t (*get_transform_id) (transform_substructure_t *this);
+
+ /**
+ * @brief get transform id of the current transform.
+ *
+ * @param this calling transform_substructure_t object
+ * @param key_length The key length is written to this location
+ * @return
+ * - SUCCESS if a key length attribute is contained
+ * - FAILED if no key length attribute is part of this
+ * transform or key length uses more then 16 bit!
+ */
+ status_t (*get_key_length) (transform_substructure_t *this,u_int16_t *key_length);
+
+ /**
+ * @brief Clones an transform_substructure_t object.
+ *
+ * @param this transform_substructure_t object to clone
+ * @return cloned transform_substructure_t object
+ */
+ transform_substructure_t* (*clone) (transform_substructure_t *this);
+
+ /**
+ * @brief Destroys an transform_substructure_t object.
+ *
+ * @param this transform_substructure_t object to destroy
+ */
+ void (*destroy) (transform_substructure_t *this);
+};
+
+/**
+ * @brief Creates an empty transform_substructure_t object.
+ *
+ * @return created transform_substructure_t object
+ *
+ * @ingroup payloads
+ */
+transform_substructure_t *transform_substructure_create(void);
+
+/**
+ * @brief Creates an empty transform_substructure_t object.
+ *
+ * The key length is used for the transport types ENCRYPTION_ALGORITHM,
+ * PSEUDO_RANDOM_FUNCTION, INTEGRITY_ALGORITHM. For all
+ * other transport types the key_length parameter is not used
+ *
+ * @param transform_type type of transform to create
+ * @param transform_id transform id specifying the specific algorithm of a transform type
+ * @param key_length Key length for key lenght attribute
+ * @return transform_substructure_t object
+ *
+ * @ingroup payloads
+ */
+transform_substructure_t *transform_substructure_create_type(transform_type_t transform_type, u_int16_t transform_id, u_int16_t key_length);
+
+#endif /*TRANSFORM_SUBSTRUCTURE_H_*/
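Review bot: The doc comment on `get_key_length` was copied from the member above it and promises more than the implementation in transform_substructure.c delivers. Its `@brief` reads `get transform id of the current transform`, and it lists FAILED for a key length of more than 16 bit, which that implementation never checks; it stores the attribute's `get_value()` result as is. I would change the brief to `@brief Gets the key length from the KEY_LENGTH attribute, if one is present.` and state that `*key_length` is left unwritten on FAILED, so callers must check the return value before using it. Similar leftovers: `add_transform_attribute` documents `@param proposal` and a `proposal_substructure_t` for what is a `transform_attribute_t *attribute`, and `transform_substructure_create_type` says the key length is used for three transform types while the constructor only adds the attribute for ENCRYPTION_ALGORITHM with four specific ids.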
diff --git a/src/charon/encoding/payloads/ts_payload.c b/src/charon/encoding/payloads/ts_payload.c
new file mode 100644
index 000000000..ae89919f6
--- /dev/null
+++ b/src/charon/encoding/payloads/ts_payload.c
@@ -0,0 +1,341 @@
+/**
+ * @file ts_payload.c
+ *
+ * @brief Implementation of ts_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "ts_payload.h"
+
+#include <encoding/payloads/encodings.h>
+#include <utils/linked_list.h>
+
+typedef struct private_ts_payload_t private_ts_payload_t;
+
+/**
+ * Private data of an ts_payload_t object.
+ *
+ */
+struct private_ts_payload_t {
+ /**
+ * Public ts_payload_t interface.
+ */
+ ts_payload_t public;
+
+ /**
+ * TRUE if this TS payload is of type TSi, FALSE for TSr.
+ */
+ bool is_initiator;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * Number of traffic selectors
+ */
+ u_int8_t number_of_traffic_selectors;
+
+ /**
+ * Contains the traffic selectors of type traffic_selector_substructure_t.
+ */
+ linked_list_t *traffic_selectors;
+};
+
+/**
+ * Encoding rules to parse or generate a TS payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_ts_payload_t.
+ *
+ */
+encoding_rule_t ts_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_ts_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_ts_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole payload*/
+ { PAYLOAD_LENGTH, offsetof(private_ts_payload_t, payload_length)},
+ /* 1 Byte TS type*/
+ { U_INT_8, offsetof(private_ts_payload_t, number_of_traffic_selectors) },
+ /* 3 reserved bytes */
+ { RESERVED_BYTE, 0 },
+ { RESERVED_BYTE, 0 },
+ { RESERVED_BYTE, 0 },
+ /* some ts data bytes, length is defined in PAYLOAD_LENGTH */
+ { TRAFFIC_SELECTORS, offsetof(private_ts_payload_t, traffic_selectors) }
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Number of TSs ! RESERVED !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ <Traffic Selectors> ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_ts_payload_t *this)
+{
+ iterator_t *iterator;
+ payload_t *current_traffic_selector;
+ status_t status = SUCCESS;
+
+ if (this->number_of_traffic_selectors != (this->traffic_selectors->get_count(this->traffic_selectors)))
+ {
+ /* must be the same */
+ return FAILED;
+ }
+
+ iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE);
+ while(iterator->iterate(iterator, (void**)&current_traffic_selector))
+ {
+ status = current_traffic_selector->verify(current_traffic_selector);
+ if (status != SUCCESS)
+ {
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ return status;
+}
+
+/**
+ * Implementation of ts_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_ts_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = ts_payload_encodings;
+ *rule_count = sizeof(ts_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_ts_payload_t *this)
+{
+ if (this->is_initiator)
+ {
+ return TRAFFIC_SELECTOR_INITIATOR;
+ }
+ else
+ {
+ return TRAFFIC_SELECTOR_RESPONDER;
+ }
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_ts_payload_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_ts_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * recompute the length of the payload.
+ */
+static void compute_length (private_ts_payload_t *this)
+{
+ iterator_t *iterator;
+ size_t ts_count = 0;
+ size_t length = TS_PAYLOAD_HEADER_LENGTH;
+ payload_t *current_traffic_selector;
+
+ iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE);
+ while (iterator->iterate(iterator, (void**)&current_traffic_selector))
+ {
+ length += current_traffic_selector->get_length(current_traffic_selector);
+ ts_count++;
+ }
+ iterator->destroy(iterator);
+
+ this->number_of_traffic_selectors= ts_count;
+ this->payload_length = length;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_ts_payload_t *this)
+{
+ compute_length(this);
+ return this->payload_length;
+}
+
+/**
+ * Implementation of ts_payload_t.get_initiator.
+ */
+static bool get_initiator (private_ts_payload_t *this)
+{
+ return (this->is_initiator);
+}
+
+/**
+ * Implementation of ts_payload_t.set_initiator.
+ */
+static void set_initiator (private_ts_payload_t *this,bool is_initiator)
+{
+ this->is_initiator = is_initiator;
+}
+
+/**
+ * Implementation of ts_payload_t.add_traffic_selector_substructure.
+ */
+static void add_traffic_selector_substructure (private_ts_payload_t *this,traffic_selector_substructure_t *traffic_selector)
+{
+ this->traffic_selectors->insert_last(this->traffic_selectors,traffic_selector);
+ this->number_of_traffic_selectors = this->traffic_selectors->get_count(this->traffic_selectors);
+}
+
+/**
+ * Implementation of ts_payload_t.create_traffic_selector_substructure_iterator.
+ */
+static iterator_t * create_traffic_selector_substructure_iterator (private_ts_payload_t *this, bool forward)
+{
+ return this->traffic_selectors->create_iterator(this->traffic_selectors,forward);
+}
+
+/**
+ * Implementation of ts_payload_t.get_traffic_selectors.
+ */
+static linked_list_t *get_traffic_selectors(private_ts_payload_t *this)
+{
+ traffic_selector_t *ts;
+ iterator_t *iterator;
+ traffic_selector_substructure_t *ts_substructure;
+ linked_list_t *ts_list = linked_list_create();
+
+ iterator = this->traffic_selectors->create_iterator(this->traffic_selectors, TRUE);
+ while (iterator->iterate(iterator, (void**)&ts_substructure))
+ {
+ ts = ts_substructure->get_traffic_selector(ts_substructure);
+ ts_list->insert_last(ts_list, (void*)ts);
+ }
+ iterator->destroy(iterator);
+
+ return ts_list;
+}
+
+/**
+ * Implementation of payload_t.destroy and ts_payload_t.destroy.
+ */
+static void destroy(private_ts_payload_t *this)
+{
+ this->traffic_selectors->destroy_offset(this->traffic_selectors,
+ offsetof(payload_t, destroy));
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+ts_payload_t *ts_payload_create(bool is_initiator)
+{
+ private_ts_payload_t *this = malloc_thing(private_ts_payload_t);
+
+ /* interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.destroy = (void (*) (ts_payload_t *)) destroy;
+ this->public.get_initiator = (bool (*) (ts_payload_t *)) get_initiator;
+ this->public.set_initiator = (void (*) (ts_payload_t *,bool)) set_initiator;
+ this->public.add_traffic_selector_substructure = (void (*) (ts_payload_t *,traffic_selector_substructure_t *)) add_traffic_selector_substructure;
+ this->public.create_traffic_selector_substructure_iterator = (iterator_t* (*) (ts_payload_t *,bool)) create_traffic_selector_substructure_iterator;
+ this->public.get_traffic_selectors = (linked_list_t *(*) (ts_payload_t *)) get_traffic_selectors;
+
+ /* private variables */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length =TS_PAYLOAD_HEADER_LENGTH;
+ this->is_initiator = is_initiator;
+ this->number_of_traffic_selectors = 0;
+ this->traffic_selectors = linked_list_create();
+
+ return &(this->public);
+}
+
+/*
+ * Described in header
+ */
+ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, linked_list_t *traffic_selectors)
+{
+ iterator_t *iterator;
+ traffic_selector_t *ts;
+ traffic_selector_substructure_t *ts_substructure;
+ private_ts_payload_t *this;
+
+ this = (private_ts_payload_t*)ts_payload_create(is_initiator);
+
+ iterator = traffic_selectors->create_iterator(traffic_selectors, TRUE);
+ while (iterator->iterate(iterator, (void**)&ts))
+ {
+ ts_substructure = traffic_selector_substructure_create_from_traffic_selector(ts);
+ this->public.add_traffic_selector_substructure(&(this->public), ts_substructure);
+ }
+ iterator->destroy(iterator);
+
+ return &(this->public);
+}
+
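Review bot: `compute_length()` and `add_traffic_selector_substructure()` narrow the selector count into the 8-bit `number_of_traffic_selectors`, and `compute_length()` narrows the summed length into the 16-bit `payload_length`, with no bound check in either. A list of more than 255 selectors would therefore be encoded with a wrapped "Number of TSs" that no longer matches the data that follows. Whether any caller can reach that count is not visible in this hunk, but both functions return void, so the limit has to be enforced where selectors are added. At minimum document it above `add_traffic_selector_substructure`, e.g. `/* Number of TSs is 8 bit on the wire: at most 255 selectors per payload */`. The encoding-rule comment `/* 1 Byte TS type*/` also names the wrong field and should read `/* 1 Byte number of traffic selectors */`.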
diff --git a/src/charon/encoding/payloads/ts_payload.h b/src/charon/encoding/payloads/ts_payload.h
new file mode 100644
index 000000000..1addee22c
--- /dev/null
+++ b/src/charon/encoding/payloads/ts_payload.h
@@ -0,0 +1,153 @@
+/**
+ * @file ts_payload.h
+ *
+ * @brief Interface of ts_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#ifndef TS_PAYLOAD_H_
+#define TS_PAYLOAD_H_
+
+typedef struct ts_payload_t ts_payload_t;
+
+#include <library.h>
+#include <utils/linked_list.h>
+#include <config/traffic_selector.h>
+#include <encoding/payloads/payload.h>
+#include <encoding/payloads/traffic_selector_substructure.h>
+
+/**
+ * Length of a TS payload without the Traffic selectors.
+ *
+ * @ingroup payloads
+ */
+#define TS_PAYLOAD_HEADER_LENGTH 8
+
+
+/**
+ * @brief Class representing an IKEv2 TS payload.
+ *
+ * The TS payload format is described in RFC section 3.13.
+ *
+ * @b Constructors:
+ * - ts_payload_create()
+ * - ts_payload_create_from_traffic_selectors()
+ *
+ * @ingroup payloads
+ */
+struct ts_payload_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Get the type of TSpayload (TSi or TSr).
+ *
+ * @param this calling id_payload_t object
+ * @return
+ * - TRUE if this payload is of type TSi
+ * - FALSE if this payload is of type TSr
+ */
+ bool (*get_initiator) (ts_payload_t *this);
+
+ /**
+ * @brief Set the type of TS payload (TSi or TSr).
+ *
+ * @param this calling id_payload_t object
+ * @param is_initiator
+ * - TRUE if this payload is of type TSi
+ * - FALSE if this payload is of type TSr
+ */
+ void (*set_initiator) (ts_payload_t *this,bool is_initiator);
+
+ /**
+ * @brief Adds a traffic_selector_substructure_t object to this object.
+ *
+ * @warning The added traffic_selector_substructure_t object is
+ * getting destroyed in destroy function of ts_payload_t.
+ *
+ * @param this calling ts_payload_t object
+ * @param traffic_selector traffic_selector_substructure_t object to add
+ */
+ void (*add_traffic_selector_substructure) (ts_payload_t *this,traffic_selector_substructure_t *traffic_selector);
+
+ /**
+ * @brief Creates an iterator of stored traffic_selector_substructure_t objects.
+ *
+ * @warning The created iterator has to get destroyed by the caller!
+ *
+ * @warning When removing an traffic_selector_substructure_t object
+ * using this iterator, the length of this payload
+ * has to get refreshed by calling payload_t.get_length!
+ *
+ * @param this calling ts_payload_t object
+ * @param[in] forward iterator direction (TRUE: front to end)
+ * @return created iterator_t object
+ */
+ iterator_t *(*create_traffic_selector_substructure_iterator) (ts_payload_t *this, bool forward);
+
+ /**
+ * @brief Get a list of nested traffic selectors as traffic_selector_t.
+ *
+ * Resulting list and its traffic selectors must be destroyed after usage
+ *
+ * @param this calling ts_payload_t object
+ * @return list of traffic selectors
+ */
+ linked_list_t *(*get_traffic_selectors) (ts_payload_t *this);
+
+ /**
+ * @brief Destroys an ts_payload_t object.
+ *
+ * @param this ts_payload_t object to destroy
+ */
+ void (*destroy) (ts_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty ts_payload_t object.
+ *
+ *
+ * @param is_initiator
+ * - TRUE if this payload is of type TSi
+ * - FALSE if this payload is of type TSr
+ * @return ts_payload_t object
+ *
+ * @ingroup payloads
+ */
+ts_payload_t *ts_payload_create(bool is_initiator);
+
+/**
+ * @brief Creates ts_payload with a list of traffic_selector_t
+ *
+ *
+ * @param is_initiator
+ * - TRUE if this payload is of type TSi
+ * - FALSE if this payload is of type TSr
+ * @param traffic_selectors list of traffic selectors to include
+ * @return ts_payload_t object
+ *
+ * @ingroup payloads
+ */
+ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, linked_list_t *traffic_selectors);
+
+
+#endif /* TS_PAYLOAD_H_ */
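Review bot: The `@param this` lines of `get_initiator` and `set_initiator` say `calling id_payload_t object`, apparently a leftover from another header; both should read `@param this calling ts_payload_t object`. The `get_traffic_selectors` comment would be clearer as an ownership statement on the return value, since the implementation in ts_payload.c builds a new list on every call: `@return newly created list; the caller destroys the list and the traffic_selector_t objects in it`. The class comment cites `RFC section 3.13` without naming the RFC, which leaves the reference unresolvable for a reader checking the wire format.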
diff --git a/src/charon/encoding/payloads/unknown_payload.c b/src/charon/encoding/payloads/unknown_payload.c
new file mode 100644
index 000000000..bbe736085
--- /dev/null
+++ b/src/charon/encoding/payloads/unknown_payload.c
@@ -0,0 +1,208 @@
+/**
+ * @file unknown_payload.c
+ *
+ * @brief Implementation of unknown_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "unknown_payload.h"
+
+
+
+typedef struct private_unknown_payload_t private_unknown_payload_t;
+
+/**
+ * Private data of an unknown_payload_t object.
+ */
+struct private_unknown_payload_t {
+
+ /**
+ * Public unknown_payload_t interface.
+ */
+ unknown_payload_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * The contained data.
+ */
+ chunk_t data;
+};
+
+/**
+ * Encoding rules to parse an payload which is not further specified.
+ *
+ * The defined offsets are the positions in a object of type
+ * private_unknown_payload_t.
+ *
+ */
+encoding_rule_t unknown_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_unknown_payload_t, next_payload)},
+ /* the critical bit */
+ { FLAG, offsetof(private_unknown_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole payload*/
+ { PAYLOAD_LENGTH, offsetof(private_unknown_payload_t, payload_length)},
+ /* some unknown data bytes, length is defined in PAYLOAD_LENGTH */
+ { UNKNOWN_DATA, offsetof(private_unknown_payload_t, data) }
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! !
+ ~ Data of any type ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_unknown_payload_t *this)
+{
+ /* can't do any checks, so we assume its good */
+ return SUCCESS;
+}
+
+/**
+ * Implementation of payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_unknown_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = unknown_payload_encodings;
+ *rule_count = sizeof(unknown_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_unknown_payload_t *this)
+{
+ return UNKNOWN_PAYLOAD;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_unknown_payload_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_unknown_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_unknown_payload_t *this)
+{
+ return this->payload_length;
+}
+
+/**
+ * Implementation of unknown_payload_t.get_data.
+ */
+static bool is_critical(private_unknown_payload_t *this)
+{
+ return this->critical;
+}
+
+/**
+ * Implementation of unknown_payload_t.get_data.
+ */
+static chunk_t get_data (private_unknown_payload_t *this)
+{
+ return (this->data);
+}
+
+/**
+ * Implementation of payload_t.destroy and unknown_payload_t.destroy.
+ */
+static void destroy(private_unknown_payload_t *this)
+{
+ if (this->data.ptr != NULL)
+ {
+ chunk_free(&(this->data));
+ }
+
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+unknown_payload_t *unknown_payload_create()
+{
+ private_unknown_payload_t *this = malloc_thing(private_unknown_payload_t);
+
+ /* interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.destroy = (void (*) (unknown_payload_t *)) destroy;
+ this->public.is_critical = (bool (*) (unknown_payload_t *)) is_critical;
+ this->public.get_data = (chunk_t (*) (unknown_payload_t *)) get_data;
+
+ /* private variables */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH;
+ this->data = chunk_empty;
+
+ return (&(this->public));
+}
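Review bot: `verify()` returns `SUCCESS` unconditionally, so an unknown payload built by the parser is accepted even if its `payload_length` is smaller than the 4-byte generic header. Unless the parser already enforces that bound (not visible in this file), a cheap sanity check such as `if (this->payload_length < UNKNOWN_PAYLOAD_HEADER_LENGTH) return FAILED;` would stop malformed peer input at the verification step. Separately, the doc comment above `is_critical()` is a copy of the one on `get_data()`; it should read `Implementation of unknown_payload_t.is_critical.`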
diff --git a/src/charon/encoding/payloads/unknown_payload.h b/src/charon/encoding/payloads/unknown_payload.h
new file mode 100644
index 000000000..8d13a03a3
--- /dev/null
+++ b/src/charon/encoding/payloads/unknown_payload.h
@@ -0,0 +1,95 @@
+/**
+ * @file unknown_payload.h
+ *
+ * @brief Interface of unknown_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef UNKNOWN_PAYLOAD_H_
+#define UNKNOWN_PAYLOAD_H_
+
+typedef struct unknown_payload_t unknown_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Header length of the unknown payload.
+ *
+ * @ingroup payloads
+ */
+#define UNKNOWN_PAYLOAD_HEADER_LENGTH 4
+
+/**
+ * @brief Payload which can't be processed further.
+ *
+ * When the parser finds an unknown payload, he builds an instance of
+ * this class. This allows further processing of this payload, such as
+ * a check for the critical bit in the header.
+ *
+ * @b Constructors:
+ * - unknown_payload_create()
+ *
+ * @ingroup payloads
+ */
+struct unknown_payload_t {
+
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Get the raw data of this payload, without
+ * the generic payload header.
+ *
+ * Returned data are NOT copied and must not be freed.
+ *
+ * @param this calling unknown_payload_t object
+ * @return data as chunk_t
+ */
+ chunk_t (*get_data) (unknown_payload_t *this);
+
+ /**
+ * @brief Get the critical flag.
+ *
+ * @param this calling unknown_payload_t object
+ * @return TRUE if payload is critical, FALSE if not
+ */
+ bool (*is_critical) (unknown_payload_t *this);
+
+ /**
+ * @brief Destroys an unknown_payload_t object.
+ *
+ * @param this unknown_payload_t object to destroy
+ */
+ void (*destroy) (unknown_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty unknown_payload_t object.
+ *
+ * @return unknown_payload_t object
+ *
+ * @ingroup payloads
+ */
+unknown_payload_t *unknown_payload_create(void);
+
+
+#endif /* UNKNOWN_PAYLOAD_H_ */
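Review bot: The `get_data` comment says the chunk is not copied but does not say how long it stays valid. In unknown_payload.c, `destroy()` frees the internal `data` chunk, so a chunk obtained earlier dangles once the payload is destroyed. Adding a line such as `The returned chunk is only valid until destroy() is called on this payload.` would make the ownership contract explicit for callers that keep the data around while checking the critical bit.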
diff --git a/src/charon/encoding/payloads/vendor_id_payload.c b/src/charon/encoding/payloads/vendor_id_payload.c
new file mode 100644
index 000000000..e3a4d2e1f
--- /dev/null
+++ b/src/charon/encoding/payloads/vendor_id_payload.c
@@ -0,0 +1,228 @@
+/**
+ * @file vendor_id_payload.c
+ *
+ * @brief Implementation of vendor_id_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+
+#include "vendor_id_payload.h"
+
+
+typedef struct private_vendor_id_payload_t private_vendor_id_payload_t;
+
+/**
+ * Private data of an vendor_id_payload_t object.
+ *
+ */
+struct private_vendor_id_payload_t {
+ /**
+ * Public vendor_id_payload_t interface.
+ */
+ vendor_id_payload_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * The contained vendor_id data value.
+ */
+ chunk_t vendor_id_data;
+};
+
+/**
+ * Encoding rules to parse or generate a VENDOR ID payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_vendor_id_payload_t.
+ *
+ */
+encoding_rule_t vendor_id_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_vendor_id_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_vendor_id_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole payload*/
+ { PAYLOAD_LENGTH, offsetof(private_vendor_id_payload_t, payload_length)},
+ /* some vendor_id data bytes, length is defined in PAYLOAD_LENGTH */
+ { VID_DATA, offsetof(private_vendor_id_payload_t, vendor_id_data) }
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Cert Encoding ! !
+ +-+-+-+-+-+-+-+-+ !
+ ~ Certificate Data ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_vendor_id_payload_t *this)
+{
+ return SUCCESS;
+}
+
+/**
+ * Implementation of vendor_id_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_vendor_id_payload_t *this, encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = vendor_id_payload_encodings;
+ *rule_count = sizeof(vendor_id_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_vendor_id_payload_t *this)
+{
+ return VENDOR_ID;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_vendor_id_payload_t *this)
+{
+ return (this->next_payload);
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_vendor_id_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_vendor_id_payload_t *this)
+{
+ return this->payload_length;
+}
+
+/**
+ * Implementation of vendor_id_payload_t.set_data.
+ */
+static void set_data (private_vendor_id_payload_t *this, chunk_t data)
+{
+ if (this->vendor_id_data.ptr != NULL)
+ {
+ chunk_free(&(this->vendor_id_data));
+ }
+ this->vendor_id_data.ptr = clalloc(data.ptr,data.len);
+ this->vendor_id_data.len = data.len;
+ this->payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH + this->vendor_id_data.len;
+}
+
+/**
+ * Implementation of vendor_id_payload_t.get_data.
+ */
+static chunk_t get_data (private_vendor_id_payload_t *this)
+{
+ return (this->vendor_id_data);
+}
+
+/**
+ * Implementation of vendor_id_payload_t.get_data_clone.
+ */
+static chunk_t get_data_clone (private_vendor_id_payload_t *this)
+{
+ chunk_t cloned_data;
+ if (this->vendor_id_data.ptr == NULL)
+ {
+ return (this->vendor_id_data);
+ }
+ cloned_data.ptr = clalloc(this->vendor_id_data.ptr,this->vendor_id_data.len);
+ cloned_data.len = this->vendor_id_data.len;
+ return cloned_data;
+}
+
+/**
+ * Implementation of payload_t.destroy and vendor_id_payload_t.destroy.
+ */
+static void destroy(private_vendor_id_payload_t *this)
+{
+ if (this->vendor_id_data.ptr != NULL)
+ {
+ chunk_free(&(this->vendor_id_data));
+ }
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+vendor_id_payload_t *vendor_id_payload_create()
+{
+ private_vendor_id_payload_t *this = malloc_thing(private_vendor_id_payload_t);
+
+ /* interface functions */
+ this->public.payload_interface.verify = (status_t (*) (payload_t *))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t *))destroy;
+
+ /* public functions */
+ this->public.destroy = (void (*) (vendor_id_payload_t *)) destroy;
+ this->public.set_data = (void (*) (vendor_id_payload_t *,chunk_t)) set_data;
+ this->public.get_data_clone = (chunk_t (*) (vendor_id_payload_t *)) get_data_clone;
+ this->public.get_data = (chunk_t (*) (vendor_id_payload_t *)) get_data;
+
+ /* private variables */
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH;
+ this->vendor_id_data = chunk_empty;
+
+ return (&(this->public));
+}
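Review bot: In `set_data()`, `payload_length` is a `u_int16_t` but is assigned `VENDOR_ID_PAYLOAD_HEADER_LENGTH + this->vendor_id_data.len` with no bound, so a chunk longer than 65531 bytes (presumably `len` is wider than 16 bits) wraps the length while the full buffer is still stored. The stored length and the stored data then disagree, which matters as soon as both are encoded into a message. Since the function returns void, either reject oversized input before freeing the old data, e.g. `if (data.len > 0xFFFF - VENDOR_ID_PAYLOAD_HEADER_LENGTH) return;`, or change the interface so the failure can be reported. The layout diagram above `verify()` is also copied from the certificate payload (`Cert Encoding`, `Certificate Data`) and should show the VID data field instead.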
diff --git a/src/charon/encoding/payloads/vendor_id_payload.h b/src/charon/encoding/payloads/vendor_id_payload.h
new file mode 100644
index 000000000..c7eebc155
--- /dev/null
+++ b/src/charon/encoding/payloads/vendor_id_payload.h
@@ -0,0 +1,104 @@
+/**
+ * @file vendor_id_payload.h
+ *
+ * @brief Interface of vendor_id_payload_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef VENDOR_ID_PAYLOAD_H_
+#define VENDOR_ID_PAYLOAD_H_
+
+typedef struct vendor_id_payload_t vendor_id_payload_t;
+
+#include <library.h>
+#include <encoding/payloads/payload.h>
+
+/**
+ * Length of a VENDOR ID payload without the VID data in bytes.
+ *
+ * @ingroup payloads
+ */
+#define VENDOR_ID_PAYLOAD_HEADER_LENGTH 4
+
+
+/**
+ * @brief Class representing an IKEv2 VENDOR ID payload.
+ *
+ * The VENDOR ID payload format is described in RFC section 3.12.
+ *
+ * @b Constructors:
+ * - vendor_id_payload_create()
+ *
+ * @ingroup payloads
+ */
+struct vendor_id_payload_t {
+ /**
+ * The payload_t interface.
+ */
+ payload_t payload_interface;
+
+ /**
+ * @brief Set the VID data.
+ *
+ * Data are getting cloned.
+ *
+ * @param this calling vendor_id_payload_t object
+ * @param data VID data as chunk_t
+ */
+ void (*set_data) (vendor_id_payload_t *this, chunk_t data);
+
+ /**
+ * @brief Get the VID data.
+ *
+ * Returned data are a copy of the internal one.
+ *
+ * @param this calling vendor_id_payload_t object
+ * @return VID data as chunk_t
+ */
+ chunk_t (*get_data_clone) (vendor_id_payload_t *this);
+
+ /**
+ * @brief Get the VID data.
+ *
+ * Returned data are NOT copied.
+ *
+ * @param this calling vendor_id_payload_t object
+ * @return VID data as chunk_t
+ */
+ chunk_t (*get_data) (vendor_id_payload_t *this);
+
+ /**
+ * @brief Destroys an vendor_id_payload_t object.
+ *
+ * @param this vendor_id_payload_t object to destroy
+ */
+ void (*destroy) (vendor_id_payload_t *this);
+};
+
+/**
+ * @brief Creates an empty vendor_id_payload_t object.
+ *
+ * @return vendor_id_payload_t object
+ *
+ * @ingroup payloads
+ */
+vendor_id_payload_t *vendor_id_payload_create(void);
+
+
+#endif /* VENDOR_ID_PAYLOAD_H_ */
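Review bot: The class comment cites "RFC section 3.12" without naming the RFC. For IKEv2 at this version that is presumably RFC 4306, so the line should read `The VENDOR ID payload format is described in RFC 4306, section 3.12.` The `get_data` comment should also state that the returned chunk points into the payload and becomes invalid after `set_data()` or `destroy()`, both of which free the internal buffer in vendor_id_payload.c.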
diff --git a/src/charon/network/packet.c b/src/charon/network/packet.c
new file mode 100644
index 000000000..f2fa91569
--- /dev/null
+++ b/src/charon/network/packet.c
@@ -0,0 +1,168 @@
+/**
+ * @file packet.c
+ *
+ * @brief Implementation of packet_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "packet.h"
+
+
+typedef struct private_packet_t private_packet_t;
+
+/**
+ * Private data of an packet_t object.
+ */
+struct private_packet_t {
+
+ /**
+ * Public part of a packet_t object.
+ */
+ packet_t public;
+
+ /**
+ * source address
+ */
+ host_t *source;
+
+ /**
+ * destination address
+ */
+ host_t *destination;
+
+ /**
+ * message data
+ */
+ chunk_t data;
+};
+
+/**
+ * Implements packet_t.get_source
+ */
+static void set_source(private_packet_t *this, host_t *source)
+{
+ DESTROY_IF(this->source);
+ this->source = source;
+}
+
+/**
+ * Implements packet_t.set_destination
+ */
+static void set_destination(private_packet_t *this, host_t *destination)
+{
+ DESTROY_IF(this->destination);
+ this->destination = destination;
+}
+
+/**
+ * Implements packet_t.get_source
+ */
+static host_t *get_source(private_packet_t *this)
+{
+ return this->source;
+}
+
+/**
+ * Implements packet_t.get_destination
+ */
+static host_t *get_destination(private_packet_t *this)
+{
+ return this->destination;
+}
+
+/**
+ * Implements packet_t.get_data
+ */
+static chunk_t get_data(private_packet_t *this)
+{
+ return this->data;
+}
+
+/**
+ * Implements packet_t.set_data
+ */
+static void set_data(private_packet_t *this, chunk_t data)
+{
+ free(this->data.ptr);
+ this->data = data;
+}
+
+/**
+ * Implements packet_t.destroy.
+ */
+static void destroy(private_packet_t *this)
+{
+ if (this->source != NULL)
+ {
+ this->source->destroy(this->source);
+ }
+ if (this->destination != NULL)
+ {
+ this->destination->destroy(this->destination);
+ }
+ free(this->data.ptr);
+ free(this);
+}
+
+/**
+ * Implements packet_t.clone.
+ */
+static packet_t *clone_(private_packet_t *this)
+{
+ private_packet_t *other = (private_packet_t*)packet_create();
+
+ if (this->destination != NULL)
+ {
+ other->destination = this->destination->clone(this->destination);
+ }
+ if (this->source != NULL)
+ {
+ other->source = this->source->clone(this->source);
+ }
+ if (this->data.ptr != NULL)
+ {
+ other->data.ptr = clalloc(this->data.ptr,this->data.len);
+ other->data.len = this->data.len;
+ }
+ return &(other->public);
+}
+
+/*
+ * Documented in header
+ */
+packet_t *packet_create(void)
+{
+ private_packet_t *this = malloc_thing(private_packet_t);
+
+ this->public.set_data = (void(*) (packet_t *,chunk_t)) set_data;
+ this->public.get_data = (chunk_t(*) (packet_t *)) get_data;
+ this->public.set_source = (void(*) (packet_t *,host_t*)) set_source;
+ this->public.get_source = (host_t*(*) (packet_t *)) get_source;
+ this->public.set_destination = (void(*) (packet_t *,host_t*)) set_destination;
+ this->public.get_destination = (host_t*(*) (packet_t *)) get_destination;
+ this->public.clone = (packet_t*(*) (packet_t *))clone_;
+ this->public.destroy = (void(*) (packet_t *)) destroy;
+
+ this->destination = NULL;
+ this->source = NULL;
+ this->data = chunk_empty;
+
+ return &(this->public);
+}
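Review bot: `set_data()` frees `this->data.ptr` before storing the new chunk, so handing back the chunk obtained from `get_data()` leaves the packet holding a freed pointer that `destroy()` then frees a second time. `set_source()` and `set_destination()` have the same shape with `DESTROY_IF`. A guard such as `if (data.ptr != this->data.ptr) free(this->data.ptr);`, with the equivalent pointer comparison in the two host setters, makes them safe against self-assignment. The doc comment on `set_source()` says `Implements packet_t.get_source` and should read `Implements packet_t.set_source`.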
diff --git a/src/charon/network/packet.h b/src/charon/network/packet.h
new file mode 100644
index 000000000..acf953032
--- /dev/null
+++ b/src/charon/network/packet.h
@@ -0,0 +1,134 @@
+/**
+ * @file packet.h
+ *
+ * @brief Interface of packet_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PACKET_H_
+#define PACKET_H_
+
+typedef struct packet_t packet_t;
+
+#include <library.h>
+#include <utils/host.h>
+
+/**
+ * @brief Abstraction of an UDP-Packet, contains data, sender and receiver.
+ *
+ * @b Constructors:
+ * - packet_create()
+ *
+ * @ingroup network
+ */
+struct packet_t {
+
+ /**
+ * @brief Set the source address.
+ *
+ * Set host_t is now owned by packet_t, it will destroy
+ * it if necessary.
+ *
+ * @param this calling object
+ * @param source address to set as source
+ */
+ void (*set_source) (packet_t *packet, host_t *source);
+
+ /**
+ * @brief Set the destination address.
+ *
+ * Set host_t is now owned by packet_t, it will destroy
+ * it if necessary.
+ *
+ * @param this calling object
+ * @param source address to set as destination
+ */
+ void (*set_destination) (packet_t *packet, host_t *destination);
+
+ /**
+ * @brief Get the source address.
+ *
+ * Set host_t is still owned by packet_t, clone it
+ * if needed.
+ *
+ * @param this calling object
+ * @return source address
+ */
+ host_t *(*get_source) (packet_t *packet);
+
+ /**
+ * @brief Get the destination address.
+ *
+ * Set host_t is still owned by packet_t, clone it
+ * if needed.
+ *
+ * @param this calling object
+ * @return destination address
+ */
+ host_t *(*get_destination) (packet_t *packet);
+
+ /**
+ * @brief Get the data from the packet.
+ *
+ * The data pointed by the chunk is still owned
+ * by the packet. Clone it if needed.
+ *
+ * @param this calling object
+ * @return chunk containing the data
+ */
+ chunk_t (*get_data) (packet_t *packet);
+
+ /**
+ * @brief Set the data in the packet.
+ *
+ * Supplied chunk data is now owned by the
+ * packet. It will free it.
+ *
+ * @param this calling object
+ * @param data chunk with data to set
+ */
+ void (*set_data) (packet_t *packet, chunk_t data);
+
+ /**
+ * @brief Clones a packet_t object.
+ *
+ * @param packet calling object
+ * @param clone pointer to a packet_t object pointer where the new object is stored
+ */
+ packet_t* (*clone) (packet_t *packet);
+
+ /**
+ * @brief Destroy the packet, freeing contained data.
+ *
+ * @param packet packet to destroy
+ */
+ void (*destroy) (packet_t *packet);
+};
+
+/**
+ * @brief create an empty packet
+ *
+ * @return packet_t object
+ *
+ * @ingroup network
+ */
+packet_t *packet_create(void);
+
+
+#endif /*PACKET_H_*/
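Review bot: The Doxygen tags do not match the declarations in `packet_t`. Most members document `@param this` while the parameter is named `packet`, and `set_destination` documents `@param source` for its `destination` argument. `clone` documents a `clone` out-parameter that does not exist and omits the return value; suggested: `@param packet calling object` and `@return newly created copy of the packet`. These comments carry the ownership rules for `host_t` and `chunk_t` hand-over, so the tags are worth getting right.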
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c
new file mode 100644
index 000000000..00ba22d5a
--- /dev/null
+++ b/src/charon/network/socket.c
@@ -0,0 +1,755 @@
+/**
+ * @file socket.c
+ *
+ * @brief Implementation of socket_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <pthread.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/udp.h>
+#include <linux/ipsec.h>
+#include <linux/filter.h>
+#include <net/if.h>
+
+#include "socket.h"
+
+#include <daemon.h>
+
+/* constants for packet handling */
+#define IP_LEN sizeof(struct iphdr)
+#define IP6_LEN sizeof(struct ip6_hdr)
+#define UDP_LEN sizeof(struct udphdr)
+#define MARKER_LEN sizeof(u_int32_t)
+
+/* offsets for packet handling */
+#define IP_PROTO_OFFSET 9
+#define IP6_PROTO_OFFSET 6
+#define IKE_VERSION_OFFSET 17
+#define IKE_LENGTH_OFFSET 24
+
+/* from linux/in.h */
+#ifndef IP_IPSEC_POLICY
+#define IP_IPSEC_POLICY 16
+#endif /*IP_IPSEC_POLICY*/
+
+/* from linux/udp.h */
+#ifndef UDP_ENCAP
+#define UDP_ENCAP 100
+#endif /*UDP_ENCAP*/
+
+#ifndef UDP_ENCAP_ESPINUDP
+#define UDP_ENCAP_ESPINUDP 2
+#endif /*UDP_ENCAP_ESPINUDP*/
+
+/* needed for older kernel headers */
+#ifndef IPV6_2292PKTINFO
+#define IPV6_2292PKTINFO 2
+#endif /*IPV6_2292PKTINFO*/
+
+/* missing on uclibc */
+#ifndef IPV6_IPSEC_POLICY
+#define IPV6_IPSEC_POLICY 34
+#endif /*IPV6_IPSEC_POLICY*/
+
+typedef struct private_socket_t private_socket_t;
+
+/**
+ * Private data of an socket_t object
+ */
+struct private_socket_t{
+ /**
+ * public functions
+ */
+ socket_t public;
+
+ /**
+ * regular port
+ */
+ int port;
+
+ /**
+ * port used for nat-t
+ */
+ int natt_port;
+
+ /**
+ * raw receiver socket for IPv4
+ */
+ int recv4;
+
+ /**
+ * raw receiver socket for IPv6
+ */
+ int recv6;
+
+ /**
+ * send socket on regular port for IPv4
+ */
+ int send4;
+
+ /**
+ * send socket on regular port for IPv6
+ */
+ int send6;
+
+ /**
+ * send socket on nat-t port for IPv4
+ */
+ int send4_natt;
+
+ /**
+ * send socket on nat-t port for IPv6
+ */
+ int send6_natt;
+};
+
+/**
+ * implementation of socket_t.receive
+ */
+static status_t receiver(private_socket_t *this, packet_t **packet)
+{
+ char buffer[MAX_PACKET];
+ chunk_t data;
+ packet_t *pkt;
+ struct udphdr *udp;
+ host_t *source = NULL, *dest = NULL;
+ int bytes_read = 0;
+ int data_offset, oldstate;
+ fd_set rfds;
+
+ FD_ZERO(&rfds);
+
+ if (this->recv4)
+ {
+ FD_SET(this->recv4, &rfds);
+ }
+ if (this->recv6)
+ {
+ FD_SET(this->recv6, &rfds);
+ }
+
+ DBG2(DBG_NET, "waiting for data on raw sockets");
+
+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+ if (select(max(this->recv4, this->recv6) + 1, &rfds, NULL, NULL, NULL) <= 0)
+ {
+ pthread_setcancelstate(oldstate, NULL);
+ return FAILED;
+ }
+ pthread_setcancelstate(oldstate, NULL);
+
+ if (this->recv4 && FD_ISSET(this->recv4, &rfds))
+ {
+ /* IPv4 raw sockets return the IP header. We read src/dest
+ * information directly from the raw header */
+ struct iphdr *ip;
+ struct sockaddr_in src, dst;
+
+ bytes_read = recv(this->recv4, buffer, MAX_PACKET, 0);
+ if (bytes_read < 0)
+ {
+ DBG1(DBG_NET, "error reading from IPv4 socket: %m");
+ return FAILED;
+ }
+ DBG3(DBG_NET, "received IPv4 packet %b", buffer, bytes_read);
+
+ /* read source/dest from raw IP/UDP header */
+ if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
+ {
+ DBG1(DBG_NET, "received IPv4 packet too short (%d bytes)",
+ bytes_read);
+ return FAILED;
+ }
+ ip = (struct iphdr*) buffer;
+ udp = (struct udphdr*) (buffer + IP_LEN);
+ src.sin_family = AF_INET;
+ src.sin_addr.s_addr = ip->saddr;
+ src.sin_port = udp->source;
+ dst.sin_family = AF_INET;
+ dst.sin_addr.s_addr = ip->daddr;
+ dst.sin_port = udp->dest;
+ source = host_create_from_sockaddr((sockaddr_t*)&src);
+ dest = host_create_from_sockaddr((sockaddr_t*)&dst);
+
+ pkt = packet_create();
+ pkt->set_source(pkt, source);
+ pkt->set_destination(pkt, dest);
+ DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
+ data_offset = IP_LEN + UDP_LEN;
+ /* remove non esp marker */
+ if (dest->get_port(dest) == this->natt_port)
+ {
+ data_offset += MARKER_LEN;
+ }
+ /* fill in packet */
+ data.len = bytes_read - data_offset;
+ data.ptr = malloc(data.len);
+ memcpy(data.ptr, buffer + data_offset, data.len);
+ pkt->set_data(pkt, data);
+ }
+ else if (this->recv6 && FD_ISSET(this->recv6, &rfds))
+ {
+ /* IPv6 raw sockets return no IP header. We must query
+ * src/dest via socket options/ancillary data */
+ struct msghdr msg;
+ struct cmsghdr *cmsgptr;
+ struct sockaddr_in6 src, dst;
+ struct iovec iov;
+ char ancillary[64];
+
+ msg.msg_name = &src;
+ msg.msg_namelen = sizeof(src);
+ iov.iov_base = buffer;
+ iov.iov_len = sizeof(buffer);
+ msg.msg_iov = &iov;
+ msg.msg_iovlen = 1;
+ msg.msg_control = ancillary;
+ msg.msg_controllen = sizeof(ancillary);
+ msg.msg_flags = 0;
+
+ bytes_read = recvmsg(this->recv6, &msg, 0);
+ if (bytes_read < 0)
+ {
+ DBG1(DBG_NET, "error reading from IPv6 socket: %m");
+ return FAILED;
+ }
+ DBG3(DBG_NET, "received IPv6 packet %b", buffer, bytes_read);
+
+ if (bytes_read < IP_LEN + UDP_LEN + MARKER_LEN)
+ {
+ DBG3(DBG_NET, "received IPv6 packet too short (%d bytes)",
+ bytes_read);
+ return FAILED;
+ }
+
+ /* read ancillary data to get destination address */
+ for (cmsgptr = CMSG_FIRSTHDR(&msg); cmsgptr != NULL;
+ cmsgptr = CMSG_NXTHDR(&msg, cmsgptr))
+ {
+ if (cmsgptr->cmsg_len == 0)
+ {
+ DBG1(DBG_NET, "error reading IPv6 ancillary data");
+ return FAILED;
+ }
+ if (cmsgptr->cmsg_level == SOL_IPV6 &&
+ cmsgptr->cmsg_type == IPV6_2292PKTINFO)
+ {
+ struct in6_pktinfo *pktinfo;
+ pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
+
+ memset(&dst, 0, sizeof(dst));
+ memcpy(&dst.sin6_addr, &pktinfo->ipi6_addr, sizeof(dst.sin6_addr));
+ dst.sin6_family = AF_INET6;
+ udp = (struct udphdr*) (buffer);
+ dst.sin6_port = udp->dest;
+ src.sin6_port = udp->source;
+ dest = host_create_from_sockaddr((sockaddr_t*)&dst);
+ }
+ }
+ /* ancillary data missing? */
+ if (dest == NULL)
+ {
+ DBG1(DBG_NET, "error reading IPv6 packet header");
+ return FAILED;
+ }
+
+ source = host_create_from_sockaddr((sockaddr_t*)&src);
+
+ pkt = packet_create();
+ pkt->set_source(pkt, source);
+ pkt->set_destination(pkt, dest);
+ DBG2(DBG_NET, "received packet: from %#H to %#H", source, dest);
+ data_offset = UDP_LEN;
+ /* remove non esp marker */
+ if (dest->get_port(dest) == this->natt_port)
+ {
+ data_offset += MARKER_LEN;
+ }
+ /* fill in packet */
+ data.len = bytes_read - data_offset;
+ data.ptr = malloc(data.len);
+ memcpy(data.ptr, buffer + data_offset, data.len);
+ pkt->set_data(pkt, data);
+ }
+ else
+ {
+ /* oops, shouldn't happen */
+ return FAILED;
+ }
+
+ /* return packet */
+ *packet = pkt;
+ return SUCCESS;
+}
+
+/**
+ * implementation of socket_t.send
+ */
+status_t sender(private_socket_t *this, packet_t *packet)
+{
+ int sport, skt, family;
+ ssize_t bytes_sent;
+ chunk_t data, marked;
+ host_t *src, *dst;
+ struct msghdr msg;
+ struct cmsghdr *cmsg;
+ struct iovec iov;
+
+ src = packet->get_source(packet);
+ dst = packet->get_destination(packet);
+ data = packet->get_data(packet);
+
+ DBG2(DBG_NET, "sending packet: from %#H to %#H", src, dst);
+
+ /* send data */
+ sport = src->get_port(src);
+ family = dst->get_family(dst);
+ if (sport == this->port)
+ {
+ if (family == AF_INET)
+ {
+ skt = this->send4;
+ }
+ else
+ {
+ skt = this->send6;
+ }
+ }
+ else if (sport == this->natt_port)
+ {
+ if (family == AF_INET)
+ {
+ skt = this->send4_natt;
+ }
+ else
+ {
+ skt = this->send6_natt;
+ }
+ /* NAT keepalives without marker */
+ if (data.len != 1 || data.ptr[0] != 0xFF)
+ {
+ /* add non esp marker to packet */
+ if (data.len > MAX_PACKET - MARKER_LEN)
+ {
+ DBG1(DBG_NET, "unable to send packet: it's too big (%d bytes)",
+ data.len);
+ return FAILED;
+ }
+ marked = chunk_alloc(data.len + MARKER_LEN);
+ memset(marked.ptr, 0, MARKER_LEN);
+ memcpy(marked.ptr + MARKER_LEN, data.ptr, data.len);
+ /* let the packet do the clean up for us */
+ packet->set_data(packet, marked);
+ data = marked;
+ }
+ }
+ else
+ {
+ DBG1(DBG_NET, "unable to locate a send socket for port %d", sport);
+ return FAILED;
+ }
+
+ memset(&msg, 0, sizeof(struct msghdr));
+ msg.msg_name = dst->get_sockaddr(dst);;
+ msg.msg_namelen = *dst->get_sockaddr_len(dst);
+ iov.iov_base = data.ptr;
+ iov.iov_len = data.len;
+ msg.msg_iov = &iov;
+ msg.msg_iovlen = 1;
+ msg.msg_flags = 0;
+
+ if (!dst->is_anyaddr(dst))
+ {
+ if (family == AF_INET)
+ {
+ char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
+ struct in_pktinfo *pktinfo;
+ struct sockaddr_in *sin;
+
+ msg.msg_control = buf;
+ msg.msg_controllen = sizeof(buf);
+ cmsg = CMSG_FIRSTHDR(&msg);
+ cmsg->cmsg_level = SOL_IP;
+ cmsg->cmsg_type = IP_PKTINFO;
+ cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
+ pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
+ memset(pktinfo, 0, sizeof(struct in_pktinfo));
+ sin = (struct sockaddr_in*)src->get_sockaddr(src);
+ memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr));
+ }
+ else
+ {
+ char buf[CMSG_SPACE(sizeof(struct in6_pktinfo))];
+ struct in6_pktinfo *pktinfo;
+ struct sockaddr_in6 *sin;
+
+ msg.msg_control = buf;
+ msg.msg_controllen = sizeof(buf);
+ cmsg = CMSG_FIRSTHDR(&msg);
+ cmsg->cmsg_level = SOL_IPV6;
+ cmsg->cmsg_type = IPV6_2292PKTINFO;
+ cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
+ pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
+ memset(pktinfo, 0, sizeof(struct in6_pktinfo));
+ sin = (struct sockaddr_in6*)src->get_sockaddr(src);
+ memcpy(&pktinfo->ipi6_addr, &sin->sin6_addr, sizeof(struct in6_addr));
+ }
+ }
+
+ bytes_sent = sendmsg(skt, &msg, 0);
+
+ if (bytes_sent != data.len)
+ {
+ DBG1(DBG_NET, "error writing to socket: %m");
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * open a socket to send packets
+ */
+static int open_send_socket(private_socket_t *this, int family, u_int16_t port)
+{
+ int on = TRUE;
+ int type = UDP_ENCAP_ESPINUDP;
+ struct sockaddr_storage addr;
+ u_int sol, ipsec_policy;
+ struct sadb_x_policy policy;
+ int skt;
+
+ memset(&addr, 0, sizeof(addr));
+ /* precalculate constants depending on address family */
+ switch (family)
+ {
+ case AF_INET:
+ {
+ struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
+ sin->sin_family = AF_INET;
+ sin->sin_addr.s_addr = INADDR_ANY;
+ sin->sin_port = htons(port);
+ sol = SOL_IP;
+ ipsec_policy = IP_IPSEC_POLICY;
+ break;
+ }
+ case AF_INET6:
+ {
+ struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&addr;
+ sin6->sin6_family = AF_INET6;
+ memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
+ sin6->sin6_port = htons(port);
+ sol = SOL_IPV6;
+ ipsec_policy = IPV6_IPSEC_POLICY;
+ break;
+ }
+ default:
+ return 0;
+ }
+
+ skt = socket(family, SOCK_DGRAM, IPPROTO_UDP);
+ if (skt < 0)
+ {
+ DBG1(DBG_NET, "could not open send socket: %m");
+ return 0;
+ }
+
+ if (setsockopt(skt, SOL_SOCKET, SO_REUSEADDR, (void*)&on, sizeof(on)) < 0)
+ {
+ DBG1(DBG_NET, "unable to set SO_REUSEADDR on send socket: %m");
+ close(skt);
+ return 0;
+ }
+
+ /* bypass outgoung IKE traffic on send socket */
+ memset(&policy, 0, sizeof(policy));
+ policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
+ policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+ policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+
+ if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+ {
+ DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %m");
+ close(skt);
+ return 0;
+ }
+
+ /* We don't receive packets on the send socket, but we need a INBOUND policy.
+ * Otherwise, UDP decapsulation does not work!!! */
+ policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+ if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+ {
+ DBG1(DBG_NET, "unable to set IPSEC_POLICY on send socket: %m");
+ close(skt);
+ return 0;
+ }
+
+ /* bind the send socket */
+ if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+ {
+ DBG1(DBG_NET, "unable to bind send socket: %m");
+ close(skt);
+ return 0;
+ }
+
+ if (family == AF_INET)
+ {
+ /* enable UDP decapsulation globally, only for one socket needed */
+ if (setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+ {
+ DBG1(DBG_NET, "unable to set UDP_ENCAP: %m; NAT-T may fail");
+ }
+ }
+
+ return skt;
+}
+
+/**
+ * open a socket to receive packets
+ */
+static int open_recv_socket(private_socket_t *this, int family)
+{
+ int skt;
+ int on = TRUE;
+ u_int proto_offset, ip_len, sol, ipsec_policy, udp_header, ike_header;
+ struct sadb_x_policy policy;
+
+ /* precalculate constants depending on address family */
+ switch (family)
+ {
+ case AF_INET:
+ proto_offset = IP_PROTO_OFFSET;
+ ip_len = IP_LEN;
+ sol = SOL_IP;
+ ipsec_policy = IP_IPSEC_POLICY;
+ break;
+ case AF_INET6:
+ proto_offset = IP6_PROTO_OFFSET;
+ ip_len = 0; /* IPv6 raw sockets contain no IP header */
+ sol = SOL_IPV6;
+ ipsec_policy = IPV6_IPSEC_POLICY;
+ break;
+ default:
+ return 0;
+ }
+ udp_header = ip_len;
+ ike_header = ip_len + UDP_LEN;
+
+ /* This filter code filters out all non-IKEv2 traffic on
+ * a SOCK_RAW IP_PROTP_UDP socket. Handling of other
+ * IKE versions is done in pluto.
+ */
+ struct sock_filter ikev2_filter_code[] =
+ {
+ /* Destination Port must be either port or natt_port */
+ BPF_STMT(BPF_LD+BPF_H+BPF_ABS, udp_header + 2),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, this->port, 1, 0),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, this->natt_port, 5, 12),
+ /* port */
+ /* IKE version must be 2.0 */
+ BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + IKE_VERSION_OFFSET),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 10),
+ /* packet length is length in IKEv2 header + ip header + udp header */
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + IKE_LENGTH_OFFSET),
+ BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN),
+ BPF_STMT(BPF_RET+BPF_A, 0),
+ /* natt_port */
+ /* nat-t: check for marker */
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 5),
+ /* nat-t: IKE version must be 2.0 */
+ BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + MARKER_LEN + IKE_VERSION_OFFSET),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 3),
+ /* nat-t: packet length is length in IKEv2 header + ip header + udp header + non esp marker */
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + MARKER_LEN + IKE_LENGTH_OFFSET),
+ BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN + MARKER_LEN),
+ BPF_STMT(BPF_RET+BPF_A, 0),
+ /* packet doesn't match, ignore */
+ BPF_STMT(BPF_RET+BPF_K, 0),
+ };
+
+ /* Filter struct to use with setsockopt */
+ struct sock_fprog ikev2_filter = {
+ sizeof(ikev2_filter_code) / sizeof(struct sock_filter),
+ ikev2_filter_code
+ };
+
+ /* set up a raw socket */
+ skt = socket(family, SOCK_RAW, IPPROTO_UDP);
+ if (skt < 0)
+ {
+ DBG1(DBG_NET, "unable to create raw socket: %m");
+ return 0;
+ }
+
+ if (setsockopt(skt, SOL_SOCKET, SO_ATTACH_FILTER,
+ &ikev2_filter, sizeof(ikev2_filter)) < 0)
+ {
+ DBG1(DBG_NET, "unable to attach IKEv2 filter to raw socket: %m");
+ close(skt);
+ return 0;
+ }
+
+ if (family == AF_INET6 &&
+ /* we use IPV6_2292PKTINFO, as IPV6_PKTINFO is defined as
+ * 2 or 50 depending on kernel header version */
+ setsockopt(skt, sol, IPV6_2292PKTINFO, &on, sizeof(on)) < 0)
+ {
+ DBG1(DBG_NET, "unable to set IPV6_PKTINFO on raw socket: %m");
+ close(skt);
+ return 0;
+ }
+
+ /* bypass incomining IKE traffic on this socket */
+ memset(&policy, 0, sizeof(policy));
+ policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
+ policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+ policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+ policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+
+ if (setsockopt(skt, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
+ {
+ DBG1(DBG_NET, "unable to set IPSEC_POLICY on raw socket: %m");
+ close(skt);
+ return 0;
+ }
+
+ return skt;
+}
+
+/**
+ * implementation of socket_t.destroy
+ */
+static void destroy(private_socket_t *this)
+{
+ if (this->recv4)
+ {
+ close(this->recv4);
+ }
+ if (this->recv6)
+ {
+ close(this->recv6);
+ }
+ if (this->send4)
+ {
+ close(this->send4);
+ }
+ if (this->send6)
+ {
+ close(this->send6);
+ }
+ if (this->send4_natt)
+ {
+ close(this->send4_natt);
+ }
+ if (this->send6_natt)
+ {
+ close(this->send6_natt);
+ }
+ free(this);
+}
+
+/*
+ * See header for description
+ */
+socket_t *socket_create(u_int16_t port, u_int16_t natt_port)
+{
+ private_socket_t *this = malloc_thing(private_socket_t);
+
+ /* public functions */
+ this->public.send = (status_t(*)(socket_t*, packet_t*))sender;
+ this->public.receive = (status_t(*)(socket_t*, packet_t**))receiver;
+ this->public.destroy = (void(*)(socket_t*)) destroy;
+
+ this->port = port;
+ this->natt_port = natt_port;
+ this->recv4 = 0;
+ this->recv6 = 0;
+ this->send4 = 0;
+ this->send6 = 0;
+ this->send4_natt = 0;
+ this->send6_natt = 0;
+
+ this->recv4 = open_recv_socket(this, AF_INET);
+ if (this->recv4 == 0)
+ {
+ DBG1(DBG_NET, "could not open IPv4 receive socket, IPv4 disabled");
+ }
+ else
+ {
+ this->send4 = open_send_socket(this, AF_INET, this->port);
+ if (this->send4 == 0)
+ {
+ DBG1(DBG_NET, "could not open IPv4 send socket, IPv4 disabled");
+ close(this->recv4);
+ }
+ else
+ {
+ this->send4_natt = open_send_socket(this, AF_INET, this->natt_port);
+ if (this->send4_natt == 0)
+ {
+ DBG1(DBG_NET, "could not open IPv4 NAT-T send socket");
+ }
+ }
+ }
+
+ this->recv6 = open_recv_socket(this, AF_INET6);
+ if (this->recv6 == 0)
+ {
+ DBG1(DBG_NET, "could not open IPv6 receive socket, IPv6 disabled");
+ }
+ else
+ {
+ this->send6 = open_send_socket(this, AF_INET6, this->port);
+ if (this->send6 == 0)
+ {
+ DBG1(DBG_NET, "could not open IPv6 send socket, IPv6 disabled");
+ close(this->recv6);
+ }
+ else
+ {
+ this->send6_natt = open_send_socket(this, AF_INET6, this->natt_port);
+ if (this->send6_natt == 0)
+ {
+ DBG1(DBG_NET, "could not open IPv6 NAT-T send socket");
+ }
+ }
+ }
+
+ if (!(this->send4 || this->send6) || !(this->recv4 || this->recv6))
+ {
+ DBG1(DBG_NET, "could not create any sockets");
+ destroy(this);
+ charon->kill(charon, "socket initialization failed");
+ }
+
+ return (socket_t*)this;
+}
diff --git a/src/charon/network/socket.h b/src/charon/network/socket.h
new file mode 100644
index 000000000..ef60fa7b6
--- /dev/null
+++ b/src/charon/network/socket.h
@@ -0,0 +1,112 @@
+/**
+ * @file socket.h
+ *
+ * @brief Interface for socket_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef SOCKET_H_
+#define SOCKET_H_
+
+typedef struct socket_t socket_t;
+
+#include <library.h>
+#include <network/packet.h>
+#include <utils/host.h>
+#include <utils/linked_list.h>
+
+/**
+ * @brief Maximum size of a packet.
+ *
+ * 3000 Bytes should be sufficient, see IKEv2 RFC.
+ *
+ * @ingroup network
+ */
+#define MAX_PACKET 3000
+
+/**
+ * @brief Abstraction of all sockets (IPv6/IPv6 send/receive).
+ *
+ * All available sockets are bound and the receive function
+ * reads from them. To allow binding of other daemons (pluto) to
+ * UDP/500, this implementation uses RAW sockets. An installed
+ * "Linux socket filter" filters out all non-IKEv2 traffic and handles
+ * just IKEv2 messages. An other daemon (pluto) must handle all traffic
+ * seperatly, e.g. ignore IKEv2 traffic, since charon handles that.
+ *
+ * @b Constructors:
+ * - socket_create()
+ *
+ * @ingroup network
+ */
+struct socket_t {
+
+ /**
+ * @brief Receive a packet.
+ *
+ * Reads a packet from the socket and sets source/dest
+ * appropriately.
+ *
+ * @param this socket_t object to work on
+ * @param packet pinter gets address from allocated packet_t
+ * @return
+ * - SUCCESS when packet successfully received
+ * - FAILED when unable to receive
+ */
+ status_t (*receive) (socket_t *this, packet_t **packet);
+
+ /**
+ * @brief Send a packet.
+ *
+ * Sends a packet to the net using destination from the packet.
+ * Packet is sent using default routing mechanisms, thus the
+ * source address in packet is ignored.
+ *
+ * @param this socket_t object to work on
+ * @param packet[out] packet_t to send
+ * @return
+ * - SUCCESS when packet successfully sent
+ * - FAILED when unable to send
+ */
+ status_t (*send) (socket_t *this, packet_t *packet);
+
+ /**
+ * @brief Destroy sockets.
+ *
+ * close sockets and destroy socket_t object
+ *
+ * @param this socket_t to destroy
+ */
+ void (*destroy) (socket_t *this);
+};
+
+/**
+ * @brief Create a socket_t, wich binds multiple sockets.
+ *
+ * @param port port to bind socket to
+ * @param natt_port port to float to in NAT-T
+ * @return socket_t object
+ *
+ * @ingroup network
+ */
+socket_t *socket_create(u_int16_t port, u_int16_t natt_port);
+
+
+#endif /*SOCKET_H_*/
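Review bot: The doc comment on `send` says the source address in the packet is ignored, but `sender()` in socket.c from this same commit does use the source. It picks the send socket by the packet's source port, returns FAILED when that port is neither `port` nor `natt_port`, and hands the source address to the kernel as PKTINFO ancillary data unless the destination is the any-address. I would replace that sentence with something like `The source port selects the IKE or NAT-T send socket; the source address is passed as PKTINFO unless the destination is %any.` In the struct brief, `IPv6/IPv6` presumably should read `IPv4/IPv6`.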
diff --git a/src/charon/queues/event_queue.c b/src/charon/queues/event_queue.c
new file mode 100644
index 000000000..40bcb1ed8
--- /dev/null
+++ b/src/charon/queues/event_queue.c
@@ -0,0 +1,290 @@
+/**
+ * @file event_queue.c
+ *
+ * @brief Implementation of event_queue_t
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <pthread.h>
+#include <stdlib.h>
+
+#include "event_queue.h"
+
+#include <library.h>
+#include <utils/linked_list.h>
+
+
+
+typedef struct event_t event_t;
+
+/**
+ * Event containing a job and a schedule time
+ */
+struct event_t {
+ /**
+ * Time to fire the event.
+ */
+ timeval_t time;
+
+ /**
+ * Every event has its assigned job.
+ */
+ job_t * job;
+};
+
+/**
+ * destroy an event and its job
+ */
+static void event_destroy(event_t *event)
+{
+ event->job->destroy(event->job);
+ free(event);
+}
+
+typedef struct private_event_queue_t private_event_queue_t;
+
+/**
+ * Private Variables and Functions of event_queue_t class.
+ */
+struct private_event_queue_t {
+ /**
+ * Public part.
+ */
+ event_queue_t public;
+
+ /**
+ * The events are stored in a linked list of type linked_list_t.
+ */
+ linked_list_t *list;
+
+ /**
+ * Access to linked_list is locked through this mutex.
+ */
+ pthread_mutex_t mutex;
+
+ /**
+ * If the queue is empty or an event has not to be fired
+ * a thread has to wait.
+ *
+ * This condvar is used to wake up such a thread.
+ */
+ pthread_cond_t condvar;
+};
+
+/**
+ * Returns the difference of to timeval structs in milliseconds
+ */
+static long time_difference(struct timeval *end_time, struct timeval *start_time)
+{
+ time_t s;
+ suseconds_t us;
+
+ s = (end_time->tv_sec - start_time->tv_sec);
+ us = (end_time->tv_usec - start_time->tv_usec);
+ return ((s * 1000) + us/1000);
+}
+
+/**
+ * Implements event_queue_t.get_count
+ */
+static int get_count(private_event_queue_t *this)
+{
+ int count;
+ pthread_mutex_lock(&(this->mutex));
+ count = this->list->get_count(this->list);
+ pthread_mutex_unlock(&(this->mutex));
+ return count;
+}
+
+/**
+ * Implements event_queue_t.get
+ */
+static job_t *get(private_event_queue_t *this)
+{
+ timespec_t timeout;
+ timeval_t current_time;
+ event_t * next_event;
+ job_t *job;
+ int oldstate;
+
+ pthread_mutex_lock(&(this->mutex));
+
+ while (TRUE)
+ {
+ while(this->list->get_count(this->list) == 0)
+ {
+ /* add mutex unlock handler for cancellation, enable cancellation */
+ pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&(this->mutex));
+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+
+ pthread_cond_wait( &(this->condvar), &(this->mutex));
+
+ /* reset cancellation, remove mutex-unlock handler (without executing) */
+ pthread_setcancelstate(oldstate, NULL);
+ pthread_cleanup_pop(0);
+ }
+
+ this->list->get_first(this->list, (void **)&next_event);
+
+ gettimeofday(&current_time, NULL);
+ long difference = time_difference(&current_time,&(next_event->time));
+ if (difference <= 0)
+ {
+ timeout.tv_sec = next_event->time.tv_sec;
+ timeout.tv_nsec = next_event->time.tv_usec * 1000;
+
+ /* add mutex unlock handler for cancellation, enable cancellation */
+ pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&(this->mutex));
+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+
+ pthread_cond_timedwait(&(this->condvar), &(this->mutex), &timeout);
+
+ /* reset cancellation, remove mutex-unlock handler (without executing) */
+ pthread_setcancelstate(oldstate, NULL);
+ pthread_cleanup_pop(0);
+ }
+ else
+ {
+ /* event available */
+ this->list->remove_first(this->list, (void **)&next_event);
+ job = next_event->job;
+ free(next_event);
+ break;
+ }
+ }
+ pthread_cond_signal( &(this->condvar));
+ pthread_mutex_unlock(&(this->mutex));
+
+ return job;
+}
+
+/**
+ * Implements function add_absolute of event_queue_t.
+ * See #event_queue_s.add_absolute for description.
+ */
+static void add_absolute(private_event_queue_t *this, job_t *job, timeval_t time)
+{
+ event_t *event;
+ event_t *current_event;
+ iterator_t *iterator;
+
+ /* create event */
+ event = malloc_thing(event_t);
+ event->time = time;
+ event->job = job;
+
+ pthread_mutex_lock(&(this->mutex));
+
+ /* while just used to break out */
+ while(TRUE)
+ {
+ if (this->list->get_count(this->list) == 0)
+ {
+ this->list->insert_first(this->list,event);
+ break;
+ }
+
+ /* check last entry */
+ this->list->get_last(this->list,(void **) &current_event);
+
+ if (time_difference(&(event->time), &(current_event->time)) >= 0)
+ {
+ /* my event has to be fired after the last event in list */
+ this->list->insert_last(this->list,event);
+ break;
+ }
+
+ /* check first entry */
+ this->list->get_first(this->list,(void **) &current_event);
+
+ if (time_difference(&(event->time), &(current_event->time)) < 0)
+ {
+ /* my event has to be fired before the first event in list */
+ this->list->insert_first(this->list,event);
+ break;
+ }
+
+ iterator = this->list->create_iterator(this->list,TRUE);
+ iterator->iterate(iterator, (void**)&current_event);
+ /* first element has not to be checked (already done) */
+ while(iterator->iterate(iterator, (void**)&current_event))
+ {
+ if (time_difference(&(event->time), &(current_event->time)) <= 0)
+ {
+ /* my event has to be fired before the current event in list */
+ iterator->insert_before(iterator,event);
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ break;
+ }
+
+ pthread_cond_signal( &(this->condvar));
+ pthread_mutex_unlock(&(this->mutex));
+}
+
+/**
+ * Implements event_queue_t.add_relative.
+ */
+static void add_relative(event_queue_t *this, job_t *job, u_int32_t ms)
+{
+ timeval_t current_time;
+ timeval_t time;
+
+ time_t s = ms / 1000;
+ suseconds_t us = (ms - s * 1000) * 1000;
+
+ gettimeofday(&current_time, NULL);
+
+ time.tv_usec = (current_time.tv_usec + us) % 1000000;
+ time.tv_sec = current_time.tv_sec + (current_time.tv_usec + us)/1000000 + s;
+
+ this->add_absolute(this, job, time);
+}
+
+
+/**
+ * Implements event_queue_t.destroy.
+ */
+static void event_queue_destroy(private_event_queue_t *this)
+{
+ this->list->destroy_function(this->list, (void*)event_destroy);
+ free(this);
+}
+
+/*
+ * Documented in header
+ */
+event_queue_t *event_queue_create()
+{
+ private_event_queue_t *this = malloc_thing(private_event_queue_t);
+
+ this->public.get_count = (int (*) (event_queue_t *event_queue)) get_count;
+ this->public.get = (job_t *(*) (event_queue_t *event_queue)) get;
+ this->public.add_absolute = (void (*) (event_queue_t *event_queue, job_t *job, timeval_t time)) add_absolute;
+ this->public.add_relative = (void (*) (event_queue_t *event_queue, job_t *job, u_int32_t ms)) add_relative;
+ this->public.destroy = (void (*) (event_queue_t *event_queue)) event_queue_destroy;
+
+ this->list = linked_list_create();
+ pthread_mutex_init(&(this->mutex), NULL);
+ pthread_cond_init(&(this->condvar), NULL);
+
+ return (&this->public);
+}
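Review bot: `event_queue_destroy` frees the object without destroying the mutex and condition variable that `event_queue_create` initialises with `pthread_mutex_init` and `pthread_cond_init`. Adding `pthread_mutex_destroy(&(this->mutex));` and `pthread_cond_destroy(&(this->condvar));` before `free(this);` releases whatever the threading implementation attached to them. Destroying a condition variable that still has a waiter is undefined behaviour, so it also makes the header's rule that no thread may use the queue after `destroy` explicit in the code. `job_queue_destroy` in job_queue.c has the same omission.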
diff --git a/src/charon/queues/event_queue.h b/src/charon/queues/event_queue.h
new file mode 100644
index 000000000..cd275123b
--- /dev/null
+++ b/src/charon/queues/event_queue.h
@@ -0,0 +1,118 @@
+/**
+ * @file event_queue.h
+ *
+ * @brief Interface of job_queue_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef EVENT_QUEUE_H_
+#define EVENT_QUEUE_H_
+
+typedef struct event_queue_t event_queue_t;
+
+#include <sys/time.h>
+
+#include <library.h>
+#include <queues/jobs/job.h>
+
+/**
+ * @brief Event-Queue used to store timed events.
+ *
+ * Added events are sorted. The get method blocks until
+ * the time is elapsed to process the next event. The get
+ * method is called from the scheduler_t thread, which
+ * will add the jobs to to job_queue_t for further processing.
+ *
+ * Although the event-queue is based on a linked_list_t
+ * all access functions are thread-save implemented.
+ *
+ * @b Constructors:
+ * - event_queue_create()
+ *
+ * @ingroup queues
+ */
+struct event_queue_t {
+
+ /**
+ * @brief Returns number of events in queue.
+ *
+ * @param event_queue calling object
+ * @return number of events in queue
+ */
+ int (*get_count) (event_queue_t *event_queue);
+
+ /**
+ * @brief Get the next job from the event-queue.
+ *
+ * If no event is pending, this function blocks until a job can be returned.
+ *
+ * @param event_queue calling object
+ * @param[out] job pointer to a job pointer where to job is returned to
+ * @return next job
+ */
+ job_t *(*get) (event_queue_t *event_queue);
+
+ /**
+ * @brief Adds a event to the queue, using a relative time.
+ *
+ * This function is non blocking and adds a job_t at a specific time to the list.
+ * The specific job object has to get destroyed by the thread which
+ * removes the job.
+ *
+ * @param event_queue calling object
+ * @param[in] job job to add to the queue (job is not copied)
+ * @param[in] time relative time, when the event has to get fired
+ */
+ void (*add_relative) (event_queue_t *event_queue, job_t *job, u_int32_t ms);
+
+ /**
+ * @brief Adds a event to the queue, using an absolute time.
+ *
+ * This function is non blocking and adds a job_t at a specific time to the list.
+ * The specific job object has to get destroyed by the thread which
+ * removes the job.
+ *
+ * @param event_queue calling object
+ * @param[in] job job to add to the queue (job is not copied)
+ * @param[in] time absolute time, when the event has to get fired
+ */
+ void (*add_absolute) (event_queue_t *event_queue, job_t *job, timeval_t time);
+
+ /**
+ * @brief Destroys a event_queue object.
+ *
+ * @warning The caller of this function has to make sure
+ * that no thread is going to add or get an event from the event_queue
+ * after calling this function.
+ *
+ * @param event_queue calling object
+ */
+ void (*destroy) (event_queue_t *event_queue);
+};
+
+/**
+ * @brief Creates an empty event_queue.
+ *
+ * @returns event_queue_t object
+ *
+ * @ingroup queues
+ */
+event_queue_t *event_queue_create(void);
+
+#endif /*EVENT_QUEUE_H_*/
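Review bot: Several doc comments in this header do not match the declarations. The file brief reads `Interface of job_queue_t`, `get` documents a `@param[out] job` that the signature `job_t *(*get) (event_queue_t *event_queue)` does not have, and `add_relative` documents `time` although the parameter is `ms`. Suggested wording: `@brief Interface of event_queue_t.`, drop the `@param[out] job` line, and `@param[in] ms relative time in milliseconds, when the event has to get fired`. job_queue.h in this commit has the same stale `@param[out] job` on `get`, and its `@param` tags name the type `job_queue_t` where the parameter is `job_queue`.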
diff --git a/src/charon/queues/job_queue.c b/src/charon/queues/job_queue.c
new file mode 100644
index 000000000..2310ca6ff
--- /dev/null
+++ b/src/charon/queues/job_queue.c
@@ -0,0 +1,139 @@
+/**
+ * @file job_queue.c
+ *
+ * @brief Implementation of job_queue_t
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <pthread.h>
+
+#include "job_queue.h"
+
+#include <utils/linked_list.h>
+
+
+typedef struct private_job_queue_t private_job_queue_t;
+
+/**
+ * @brief Private Variables and Functions of job_queue class
+ *
+ */
+struct private_job_queue_t {
+
+ /**
+ * public members
+ */
+ job_queue_t public;
+
+ /**
+ * The jobs are stored in a linked list
+ */
+ linked_list_t *list;
+
+ /**
+ * access to linked_list is locked through this mutex
+ */
+ pthread_mutex_t mutex;
+
+ /**
+ * If the queue is empty a thread has to wait
+ * This condvar is used to wake up such a thread
+ */
+ pthread_cond_t condvar;
+};
+
+
+/**
+ * implements job_queue_t.get_count
+ */
+static int get_count(private_job_queue_t *this)
+{
+ int count;
+ pthread_mutex_lock(&(this->mutex));
+ count = this->list->get_count(this->list);
+ pthread_mutex_unlock(&(this->mutex));
+ return count;
+}
+
+/**
+ * implements job_queue_t.get
+ */
+static job_t *get(private_job_queue_t *this)
+{
+ int oldstate;
+ job_t *job;
+ pthread_mutex_lock(&(this->mutex));
+ /* go to wait while no jobs available */
+ while(this->list->get_count(this->list) == 0)
+ {
+ /* add mutex unlock handler for cancellation, enable cancellation */
+ pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&(this->mutex));
+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+
+ pthread_cond_wait( &(this->condvar), &(this->mutex));
+
+ /* reset cancellation, remove mutex-unlock handler (without executing) */
+ pthread_setcancelstate(oldstate, NULL);
+ pthread_cleanup_pop(0);
+ }
+ this->list->remove_first(this->list, (void **)&job);
+ pthread_mutex_unlock(&(this->mutex));
+ return job;
+}
+
+/**
+ * implements function job_queue_t.add
+ */
+static void add(private_job_queue_t *this, job_t *job)
+{
+ pthread_mutex_lock(&(this->mutex));
+ this->list->insert_last(this->list,job);
+ pthread_cond_signal( &(this->condvar));
+ pthread_mutex_unlock(&(this->mutex));
+}
+
+/**
+ * implements job_queue_t.destroy
+ */
+static void job_queue_destroy (private_job_queue_t *this)
+{
+ this->list->destroy_offset(this->list, offsetof(job_t, destroy));
+ free(this);
+}
+
+/*
+ *
+ * Documented in header
+ */
+job_queue_t *job_queue_create(void)
+{
+ private_job_queue_t *this = malloc_thing(private_job_queue_t);
+
+ this->public.get_count = (int(*)(job_queue_t*))get_count;
+ this->public.get = (job_t*(*)(job_queue_t*))get;
+ this->public.add = (void(*)(job_queue_t*, job_t*))add;
+ this->public.destroy = (void(*)(job_queue_t*))job_queue_destroy;
+
+ this->list = linked_list_create();
+ pthread_mutex_init(&(this->mutex), NULL);
+ pthread_cond_init(&(this->condvar), NULL);
+
+ return (&this->public);
+}
diff --git a/src/charon/queues/job_queue.h b/src/charon/queues/job_queue.h
new file mode 100644
index 000000000..c971ba514
--- /dev/null
+++ b/src/charon/queues/job_queue.h
@@ -0,0 +1,100 @@
+/**
+ * @file job_queue.h
+ *
+ * @brief Interface of job_queue_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef JOB_QUEUE_H_
+#define JOB_QUEUE_H_
+
+typedef struct job_queue_t job_queue_t;
+
+#include <library.h>
+#include <queues/jobs/job.h>
+
+/**
+ * @brief The job queue stores jobs, which will be processed by the thread_pool_t.
+ *
+ * Jobs are added from various sources, from the threads and
+ * from the event_queue_t.
+ * Although the job-queue is based on a linked_list_t
+ * all access functions are thread-save implemented.
+ *
+ * @b Constructors:
+ * - job_queue_create()
+ *
+ * @ingroup queues
+ */
+struct job_queue_t {
+
+ /**
+ * @brief Returns number of jobs in queue.
+ *
+ * @param job_queue_t calling object
+ * @returns number of items in queue
+ */
+ int (*get_count) (job_queue_t *job_queue);
+
+ /**
+ * @brief Get the next job from the queue.
+ *
+ * If the queue is empty, this function blocks until a job can be returned.
+ * After using, the returned job has to get destroyed by the caller.
+ *
+ * @param job_queue_t calling object
+ * @param[out] job pointer to a job pointer where to job is returned to
+ * @return next job
+ */
+ job_t *(*get) (job_queue_t *job_queue);
+
+ /**
+ * @brief Adds a job to the queue.
+ *
+ * This function is non blocking and adds a job_t to the list.
+ * The specific job object has to get destroyed by the thread which
+ * removes the job.
+ *
+ * @param job_queue_t calling object
+ * @param job job to add to the queue (job is not copied)
+ */
+ void (*add) (job_queue_t *job_queue, job_t *job);
+
+ /**
+ * @brief Destroys a job_queue object.
+ *
+ * @warning The caller of this function has to make sure
+ * that no thread is going to add or get a job from the job_queue
+ * after calling this function.
+ *
+ * @param job_queue_t calling object
+ */
+ void (*destroy) (job_queue_t *job_queue);
+};
+
+/**
+ * @brief Creates an empty job_queue.
+ *
+ * @return job_queue_t object
+ *
+ * @ingroup queues
+ */
+job_queue_t *job_queue_create(void);
+
+#endif /*JOB_QUEUE_H_*/
diff --git a/src/charon/queues/jobs/acquire_job.c b/src/charon/queues/jobs/acquire_job.c
new file mode 100644
index 000000000..b4ffb258d
--- /dev/null
+++ b/src/charon/queues/jobs/acquire_job.c
@@ -0,0 +1,98 @@
+/**
+ * @file acquire_job.c
+ *
+ * @brief Implementation of acquire_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "acquire_job.h"
+
+#include <daemon.h>
+
+
+typedef struct private_acquire_job_t private_acquire_job_t;
+
+/**
+ * Private data of an acquire_job_t object.
+ */
+struct private_acquire_job_t {
+ /**
+ * Public acquire_job_t interface.
+ */
+ acquire_job_t public;
+
+ /**
+ * reqid of the child to rekey
+ */
+ u_int32_t reqid;
+};
+
+/**
+ * Implementation of job_t.get_type.
+ */
+static job_type_t get_type(private_acquire_job_t *this)
+{
+ return ACQUIRE;
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static status_t execute(private_acquire_job_t *this)
+{
+ ike_sa_t *ike_sa;
+
+ ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+ this->reqid, TRUE);
+ if (ike_sa == NULL)
+ {
+ DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for acquiring",
+ this->reqid);
+ return DESTROY_ME;
+ }
+ ike_sa->acquire(ike_sa, this->reqid);
+
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ return DESTROY_ME;
+}
+
+/**
+ * Implementation of job_t.destroy.
+ */
+static void destroy(private_acquire_job_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+acquire_job_t *acquire_job_create(u_int32_t reqid)
+{
+ private_acquire_job_t *this = malloc_thing(private_acquire_job_t);
+
+ /* interface functions */
+ this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
+ this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+ this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
+
+ /* private variables */
+ this->reqid = reqid;
+
+ return &(this->public);
+}
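Review bot: The status returned by `ike_sa->acquire(ike_sa, this->reqid)` in execute() is dropped, and the IKE_SA is always handed back with checkin(). delete_ike_sa_job.c and process_message_job.c in this same commit branch on DESTROY_ME and call checkin_and_destroy() instead, so if acquire() can return DESTROY_ME (its declaration is not part of this hunk) a failed IKE_SA would stay in the manager. Consider `if (ike_sa->acquire(ike_sa, this->reqid) == DESTROY_ME)` with the checkin_and_destroy()/checkin() split used there. The same pattern appears around delete_child_sa() in delete_child_sa_job.c and rekey_child_sa() in rekey_child_sa_job.c. The field comment `reqid of the child to rekey` also looks copied from the rekey job and should name the CHILD_SA to acquire.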
diff --git a/src/charon/queues/jobs/acquire_job.h b/src/charon/queues/jobs/acquire_job.h
new file mode 100644
index 000000000..54f1b9b5b
--- /dev/null
+++ b/src/charon/queues/jobs/acquire_job.h
@@ -0,0 +1,60 @@
+/**
+ * @file acquire_job.h
+ *
+ * @brief Interface of acquire_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef ACQUIRE_JOB_H_
+#define ACQUIRE_JOB_H_
+
+typedef struct acquire_job_t acquire_job_t;
+
+#include <library.h>
+#include <queues/jobs/job.h>
+
+/**
+ * @brief Class representing an ACQUIRE Job.
+ *
+ * This job initiates a CHILD SA on kernel request.
+ *
+ * @b Constructors:
+ * - acquire_job_create()
+ *
+ * @ingroup jobs
+ */
+struct acquire_job_t {
+ /**
+ * The job_t interface.
+ */
+ job_t job_interface;
+};
+
+/**
+ * @brief Creates a job of type ACQUIRE.
+ *
+ * We use the reqid to find the routed CHILD_SA.
+ *
+ * @param reqid reqid of the CHILD_SA to acquire
+ * @return acquire_job_t object
+ *
+ * @ingroup jobs
+ */
+acquire_job_t *acquire_job_create(u_int32_t reqid);
+
+#endif /* REKEY_CHILD_SA_JOB_H_ */
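Review bot: The closing guard comment `#endif /* REKEY_CHILD_SA_JOB_H_ */` does not match the guard opened as `ACQUIRE_JOB_H_`; it should read `#endif /* ACQUIRE_JOB_H_ */`. The compiler does not care, but the wrong name misleads anyone searching for the guard or checking that two headers do not share one.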
diff --git a/src/charon/queues/jobs/delete_child_sa_job.c b/src/charon/queues/jobs/delete_child_sa_job.c
new file mode 100644
index 000000000..f694696b0
--- /dev/null
+++ b/src/charon/queues/jobs/delete_child_sa_job.c
@@ -0,0 +1,113 @@
+/**
+ * @file delete_child_sa_job.c
+ *
+ * @brief Implementation of delete_child_sa_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "delete_child_sa_job.h"
+
+#include <daemon.h>
+
+
+typedef struct private_delete_child_sa_job_t private_delete_child_sa_job_t;
+
+/**
+ * Private data of an delete_child_sa_job_t object.
+ */
+struct private_delete_child_sa_job_t {
+ /**
+
+ * Public delete_child_sa_job_t interface.
+ */
+ delete_child_sa_job_t public;
+
+ /**
+ * reqid of the CHILD_SA
+ */
+ u_int32_t reqid;
+
+ /**
+ * protocol of the CHILD_SA (ESP/AH)
+ */
+ protocol_id_t protocol;
+
+ /**
+ * inbound SPI of the CHILD_SA
+ */
+ u_int32_t spi;
+};
+
+/**
+ * Implementation of job_t.get_type.
+ */
+static job_type_t get_type(private_delete_child_sa_job_t *this)
+{
+ return DELETE_CHILD_SA;
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static status_t execute(private_delete_child_sa_job_t *this)
+{
+ ike_sa_t *ike_sa;
+
+ ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+ this->reqid, TRUE);
+ if (ike_sa == NULL)
+ {
+ DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for delete",
+ this->reqid);
+ return DESTROY_ME;
+ }
+ ike_sa->delete_child_sa(ike_sa, this->protocol, this->spi);
+
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ return DESTROY_ME;
+}
+
+/**
+ * Implementation of job_t.destroy.
+ */
+static void destroy(private_delete_child_sa_job_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
+ protocol_id_t protocol,
+ u_int32_t spi)
+{
+ private_delete_child_sa_job_t *this = malloc_thing(private_delete_child_sa_job_t);
+
+ /* interface functions */
+ this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
+ this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+ this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
+
+ /* private variables */
+ this->reqid = reqid;
+ this->protocol = protocol;
+ this->spi = spi;
+
+ return &(this->public);
+}
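Review bot: `this->reqid` is a `u_int32_t`, but the DBG1 call in execute() formats it with `%d`, so, assuming DBG1 follows printf conventions, a reqid above INT_MAX would be logged as a negative number. Use `%u`: `DBG1(DBG_JOB, "CHILD_SA with reqid %u not found for delete", this->reqid);`. The DBG2 calls in acquire_job.c and rekey_child_sa_job.c have the same mismatch. These lines are what an operator matches against kernel state, so the printed value should be the one the kernel reports.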
diff --git a/src/charon/queues/jobs/delete_child_sa_job.h b/src/charon/queues/jobs/delete_child_sa_job.h
new file mode 100644
index 000000000..9c2e4fa4d
--- /dev/null
+++ b/src/charon/queues/jobs/delete_child_sa_job.h
@@ -0,0 +1,68 @@
+/**
+ * @file delete_child_sa_job.h
+ *
+ * @brief Interface of delete_child_sa_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef DELETE_CHILD_SA_JOB_H_
+#define DELETE_CHILD_SA_JOB_H_
+
+typedef struct delete_child_sa_job_t delete_child_sa_job_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <queues/jobs/job.h>
+#include <config/proposal.h>
+
+
+/**
+ * @brief Class representing an DELETE_CHILD_SA Job.
+ *
+ * This job initiates the delete of a CHILD SA.
+ *
+ * @b Constructors:
+ * - delete_child_sa_job_create()
+ *
+ * @ingroup jobs
+ */
+struct delete_child_sa_job_t {
+ /**
+ * The job_t interface.
+ */
+ job_t job_interface;
+};
+
+/**
+ * @brief Creates a job of type DELETE_CHILD_SA.
+ *
+ * The CHILD_SA is identified by its reqid, protocol (AH/ESP) and its
+ * inbound SPI.
+ *
+ * @param reqid reqid of the CHILD_SA, as used in kernel
+ * @param protocol protocol of the CHILD_SA
+ * @param spi security parameter index of the CHILD_SA
+ * @return delete_child_sa_job_t object
+ *
+ * @ingroup jobs
+ */
+delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
+ protocol_id_t protocol,
+ u_int32_t spi);
+
+#endif /* DELETE_CHILD_SA_JOB_H_ */
diff --git a/src/charon/queues/jobs/delete_ike_sa_job.c b/src/charon/queues/jobs/delete_ike_sa_job.c
new file mode 100644
index 000000000..706155aa6
--- /dev/null
+++ b/src/charon/queues/jobs/delete_ike_sa_job.c
@@ -0,0 +1,126 @@
+/**
+ * @file delete_ike_sa_job.c
+ *
+ * @brief Implementation of delete_ike_sa_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "delete_ike_sa_job.h"
+
+#include <daemon.h>
+
+typedef struct private_delete_ike_sa_job_t private_delete_ike_sa_job_t;
+
+/**
+ * Private data of an delete_ike_sa_job_t Object
+ */
+struct private_delete_ike_sa_job_t {
+ /**
+ * public delete_ike_sa_job_t interface
+ */
+ delete_ike_sa_job_t public;
+
+ /**
+ * ID of the ike_sa to delete
+ */
+ ike_sa_id_t *ike_sa_id;
+
+ /**
+ * Should the IKE_SA be deleted if it is in ESTABLISHED state?
+ */
+ bool delete_if_established;
+};
+
+/**
+ * Implements job_t.get_type.
+ */
+static job_type_t get_type(private_delete_ike_sa_job_t *this)
+{
+ return DELETE_IKE_SA;
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static status_t execute(private_delete_ike_sa_job_t *this)
+{
+ ike_sa_t *ike_sa;
+
+ ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+ this->ike_sa_id);
+ if (ike_sa)
+ {
+ if (this->delete_if_established)
+ {
+ if (ike_sa->delete(ike_sa) == DESTROY_ME)
+ {
+ charon->ike_sa_manager->checkin_and_destroy(
+ charon->ike_sa_manager, ike_sa);
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ }
+ }
+ else
+ {
+ /* destroy only if not ESTABLISHED */
+ if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
+ {
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ }
+ else
+ {
+ DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");
+ charon->ike_sa_manager->checkin_and_destroy(
+ charon->ike_sa_manager, ike_sa);
+ }
+ }
+ }
+ return DESTROY_ME;
+}
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_delete_ike_sa_job_t *this)
+{
+ this->ike_sa_id->destroy(this->ike_sa_id);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id,
+ bool delete_if_established)
+{
+ private_delete_ike_sa_job_t *this = malloc_thing(private_delete_ike_sa_job_t);
+
+ /* interface functions */
+ this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
+ this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+ this->public.job_interface.destroy = (void (*)(job_t *)) destroy;;
+
+ /* private variables */
+ this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+ this->delete_if_established = delete_if_established;
+
+ return &(this->public);
+}
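Review bot: In execute(), the branch taken when `delete_if_established` is not set destroys the IKE_SA for every state other than IKE_ESTABLISHED and logs it as half open. If the state enum has values that follow IKE_ESTABLISHED (it is not shown in this hunk), an SA that is being rekeyed or deleted when the timeout job fires would be torn down by this path as well. Either test for the pre-established states explicitly or record the intent with a comment such as `/* any state other than IKE_ESTABLISHED is treated as half open */`. There is also a stray second semicolon in the `... destroy;;` assignment in delete_ike_sa_job_create().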
diff --git a/src/charon/queues/jobs/delete_ike_sa_job.h b/src/charon/queues/jobs/delete_ike_sa_job.h
new file mode 100644
index 000000000..43701a354
--- /dev/null
+++ b/src/charon/queues/jobs/delete_ike_sa_job.h
@@ -0,0 +1,66 @@
+/**
+ * @file delete_ike_sa_job.h
+ *
+ * @brief Interface of delete_ike_sa_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef DELETE_IKE_SA_JOB_H_
+#define DELETE_IKE_SA_JOB_H_
+
+typedef struct delete_ike_sa_job_t delete_ike_sa_job_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <queues/jobs/job.h>
+
+
+/**
+ * @brief Class representing an DELETE_IKE_SA Job.
+ *
+ * This job is responsible for deleting established or half open IKE_SAs.
+ * A half open IKE_SA is every IKE_SA which hasn't reache the SA_ESTABLISHED
+ * state.
+ *
+ * @b Constructors:
+ * - delete_ike_sa_job_create()
+ *
+ * @ingroup jobs
+ */
+struct delete_ike_sa_job_t {
+
+ /**
+ * The job_t interface.
+ */
+ job_t job_interface;
+};
+
+/**
+ * @brief Creates a job of type DELETE_IKE_SA.
+ *
+ * @param ike_sa_id id of the IKE_SA to delete
+ * @param delete_if_established should the IKE_SA be deleted if it is established?
+ * @return created delete_ike_sa_job_t object
+ *
+ * @ingroup jobs
+ */
+delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id,
+ bool delete_if_established);
+
+#endif /* DELETE_IKE_SA_JOB_H_ */
diff --git a/src/charon/queues/jobs/initiate_job.c b/src/charon/queues/jobs/initiate_job.c
new file mode 100644
index 000000000..af50663d6
--- /dev/null
+++ b/src/charon/queues/jobs/initiate_job.c
@@ -0,0 +1,112 @@
+/**
+ * @file initiate_job.c
+ *
+ * @brief Implementation of initiate_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include <stdlib.h>
+
+#include "initiate_job.h"
+
+#include <daemon.h>
+
+typedef struct private_initiate_job_t private_initiate_job_t;
+
+/**
+ * Private data of an initiate_job_t Object
+ */
+struct private_initiate_job_t {
+ /**
+ * public initiate_job_t interface
+ */
+ initiate_job_t public;
+
+ /**
+ * associated connection to initiate
+ */
+ connection_t *connection;
+
+ /**
+ * associated policy to initiate
+ */
+ policy_t *policy;
+};
+
+/**
+ * Implements initiate_job_t.get_type.
+ */
+static job_type_t get_type(private_initiate_job_t *this)
+{
+ return INITIATE;
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static status_t execute(private_initiate_job_t *this)
+{
+ ike_sa_t *ike_sa;
+
+ ike_sa = charon->ike_sa_manager->checkout_by_peer(charon->ike_sa_manager,
+ this->connection->get_my_host(this->connection),
+ this->connection->get_other_host(this->connection),
+ this->policy->get_my_id(this->policy),
+ this->policy->get_other_id(this->policy));
+
+ if (ike_sa->initiate(ike_sa, this->connection, this->policy) != SUCCESS)
+ {
+ DBG1(DBG_JOB, "initiation failed, going to delete IKE_SA");
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+ return DESTROY_ME;
+ }
+
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ return DESTROY_ME;
+}
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_initiate_job_t *this)
+{
+ this->connection->destroy(this->connection);
+ this->policy->destroy(this->policy);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+initiate_job_t *initiate_job_create(connection_t *connection, policy_t *policy)
+{
+ private_initiate_job_t *this = malloc_thing(private_initiate_job_t);
+
+ /* interface functions */
+ this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
+ this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+ this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+
+ /* private variables */
+ this->connection = connection;
+ this->policy = policy;
+
+ return &this->public;
+}
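Review bot: execute() calls `ike_sa->initiate(...)` on the result of checkout_by_peer() without testing it for NULL. The other execute() implementations visible in this commit check what checkout(), checkout_by_id() and checkout_by_message() return before using it. Whether checkout_by_peer() can fail is not visible here; if it can, add `if (ike_sa == NULL) return DESTROY_ME;` (with a DBG1 line) before the call. If it cannot, a comment saying that it always yields an IKE_SA would make the asymmetry explicit.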
diff --git a/src/charon/queues/jobs/initiate_job.h b/src/charon/queues/jobs/initiate_job.h
new file mode 100644
index 000000000..af1dd9ece
--- /dev/null
+++ b/src/charon/queues/jobs/initiate_job.h
@@ -0,0 +1,61 @@
+/**
+ * @file initiate_job.h
+ *
+ * @brief Interface of initiate_job_t.
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef INITIATE_IKE_SA_JOB_H_
+#define INITIATE_IKE_SA_JOB_H_
+
+typedef struct initiate_job_t initiate_job_t;
+
+#include <library.h>
+#include <queues/jobs/job.h>
+#include <config/connections/connection.h>
+#include <config/policies/policy.h>
+
+/**
+ * @brief Class representing an INITIATE_IKE_SA Job.
+ *
+ * This job is created if an IKE_SA should be iniated.
+ *
+ * @b Constructors:
+ * - initiate_job_create()
+ *
+ * @ingroup jobs
+ */
+struct initiate_job_t {
+ /**
+ * implements job_t interface
+ */
+ job_t job_interface;
+};
+
+/**
+ * @brief Creates a job of type INITIATE_IKE_SA.
+ *
+ * @param connection connection_t to initialize
+ * @param policy policy to set up
+ * @return initiate_job_t object
+ *
+ * @ingroup jobs
+ */
+initiate_job_t *initiate_job_create(connection_t *connection, policy_t *policy);
+
+#endif /*INITIATE_IKE_SA_JOB_H_*/
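Review bot: The `@param` lines for initiate_job_create() do not say that the job takes over both arguments, although destroy() in initiate_job.c calls `connection->destroy()` and `policy->destroy()` on them. Unless those destroy() methods are reference counted (not visible here), a caller that keeps using or frees either object after queuing the job would hit a use-after-free or double free. Suggested wording: `@param connection connection_t to initiate, owned and destroyed by the job`, and the same for `policy`. process_message_job.h has the same gap for `@param message`, whereas delete_ike_sa_job_create() clones its ike_sa_id and leaves the caller's copy alone.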
diff --git a/programs/starter/klips.h b/src/charon/queues/jobs/job.c
index d07c6cca4..d32d1bc61 100644
--- a/programs/starter/klips.h
+++ b/src/charon/queues/jobs/job.c
@@ -1,5 +1,14 @@
-/* strongSwan klips initialization and cleanup
- * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
+/**
+ * @file job.c
+ *
+ * @brief Interface additions to job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -10,17 +19,21 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * RCSID $Id: klips.h,v 1.2 2005/12/30 19:03:56 as Exp $
*/
-#ifndef _STARTER_KLIPS_H_
-#define _STARTER_KLIPS_H_
-
-extern bool starter_klips_init (void);
-extern void starter_klips_set_config (struct starter_config *);
-extern void starter_klips_cleanup (void);
-extern void starter_klips_clear (void);
-#endif /* _STARTER_KLIPS_H_ */
+#include "job.h"
+ENUM(job_type_names, PROCESS_MESSAGE, SEND_DPD,
+ "PROCESS_MESSAGE",
+ "RETRANSMIT",
+ "INITIATE",
+ "ROUTE",
+ "ACQUIRE",
+ "DELETE_IKE_SA",
+ "DELETE_CHILD_SA",
+ "REKEY_CHILD_SA",
+ "REKEY_IKE_SA",
+ "SEND_KEEPALIVE",
+ "SEND_DPD",
+);
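Review bot: The strings passed to `ENUM(job_type_names, PROCESS_MESSAGE, SEND_DPD, ...)` are positional, so they must stay in the same order as `enum job_type_t` in job.h, and nothing in this hunk enforces that. A job type added in one file but not the other would shift or truncate the names printed in logs; how ENUM treats a value outside the range is not visible here. A comment above the table such as `/* order must match enum job_type_t in job.h */` would record the coupling.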
diff --git a/src/charon/queues/jobs/job.h b/src/charon/queues/jobs/job.h
new file mode 100644
index 000000000..28632672d
--- /dev/null
+++ b/src/charon/queues/jobs/job.h
@@ -0,0 +1,165 @@
+/**
+ * @file job.h
+ *
+ * @brief Interface job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef JOB_H_
+#define JOB_H_
+
+typedef enum job_type_t job_type_t;
+typedef struct job_t job_t;
+
+#include <library.h>
+
+/**
+ * @brief Definition of the various job types.
+ *
+ * @ingroup jobs
+ */
+enum job_type_t {
+ /**
+ * Process an incoming IKEv2-Message.
+ *
+ * Job is implemented in class process_message_job_t
+ */
+ PROCESS_MESSAGE,
+
+ /**
+ * Retransmit an IKEv2-Message.
+ *
+ * Job is implemented in class retransmit_job_t
+ */
+ RETRANSMIT,
+
+ /**
+ * Set up a CHILD_SA, optional with an IKE_SA.
+ *
+ * Job is implemented in class initiate_job_t
+ */
+ INITIATE,
+
+ /**
+ * Install SPD entries.
+ *
+ * Job is implemented in class route_job_t
+ */
+ ROUTE,
+
+ /**
+ * React on a acquire message from the kernel (e.g. setup CHILD_SA)
+ *
+ * Job is implemented in class acquire_job_t
+ */
+ ACQUIRE,
+
+ /**
+ * Delete an IKE_SA.
+ *
+ * Job is implemented in class delete_ike_sa_job_t
+ */
+ DELETE_IKE_SA,
+
+ /**
+ * Delete a CHILD_SA.
+ *
+ * Job is implemented in class delete_child_sa_job_t
+ */
+ DELETE_CHILD_SA,
+
+ /**
+ * Rekey a CHILD_SA.
+ *
+ * Job is implemented in class rekey_child_sa_job_t
+ */
+ REKEY_CHILD_SA,
+
+ /**
+ * Rekey an IKE_SA.
+ *
+ * Job is implemented in class rekey_ike_sa_job_t
+ */
+ REKEY_IKE_SA,
+
+ /**
+ * Send a keepalive packet.
+ *
+ * Job is implemented in class type send_keepalive_job_t
+ */
+ SEND_KEEPALIVE,
+
+ /**
+ * Send a DPD packet.
+ *
+ * Job is implemented in class type send_dpd_job_t
+ */
+ SEND_DPD
+};
+
+/**
+ * enum name for job_type_t
+ *
+ * @ingroup jobs
+ */
+extern enum_name_t *job_type_names;
+
+
+/**
+ * @brief Job-Interface as it is stored in the job queue.
+ *
+ * A job consists of a job-type and one or more assigned values.
+ *
+ * @b Constructors:
+ * - None, use specific implementation of the interface.
+ *
+ * @ingroup jobs
+ */
+struct job_t {
+
+ /**
+ * @brief get type of job.
+ *
+ * @param this calling object
+ * @return type of this job
+ */
+ job_type_t (*get_type) (job_t *this);
+
+ /**
+ * @brief Execute a job.
+ *
+ * Call the internall job routine to process the
+ * job. If this method returns DESTROY_ME, the job
+ * must be destroyed by the caller.
+ *
+ * @param this calling object
+ * @return status of job execution
+ */
+ status_t (*execute) (job_t *this);
+
+ /**
+ * @brief Destroys a job_t object
+ *
+ * @param job_t calling object
+ */
+ void (*destroy) (job_t *job);
+};
+
+
+#endif /* JOB_H_ */
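Review bot: The `execute` comment in `struct job_t` covers only the DESTROY_ME return; it does not say which other status_t values are allowed or who owns the job when one of them comes back. Each execute() visible in this part of the commit returns DESTROY_ME on every path, so these implementations do not show what the other case should look like. The `@return` line should list the permitted values and state for each whether the caller or the job itself is responsible for destruction. The `destroy` entry also documents `@param job_t` while the parameter is named `job`.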
diff --git a/src/charon/queues/jobs/process_message_job.c b/src/charon/queues/jobs/process_message_job.c
new file mode 100644
index 000000000..ee7484bbd
--- /dev/null
+++ b/src/charon/queues/jobs/process_message_job.c
@@ -0,0 +1,106 @@
+/**
+ * @file process_message_job.h
+ *
+ * @brief Implementation of process_message_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "process_message_job.h"
+
+#include <daemon.h>
+
+typedef struct private_process_message_job_t private_process_message_job_t;
+
+/**
+ * Private data of an process_message_job_t Object
+ */
+struct private_process_message_job_t {
+ /**
+ * public process_message_job_t interface
+ */
+ process_message_job_t public;
+
+ /**
+ * Message associated with this job
+ */
+ message_t *message;
+};
+
+/**
+ * Implements job_t.get_type.
+ */
+static job_type_t get_type(private_process_message_job_t *this)
+{
+ return PROCESS_MESSAGE;
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static status_t execute(private_process_message_job_t *this)
+{
+ ike_sa_t *ike_sa;
+
+ ike_sa = charon->ike_sa_manager->checkout_by_message(charon->ike_sa_manager,
+ this->message);
+ if (ike_sa)
+ {
+ DBG1(DBG_NET, "received packet: from %#H to %#H",
+ this->message->get_source(this->message),
+ this->message->get_destination(this->message));
+ if (ike_sa->process_message(ike_sa, this->message) == DESTROY_ME)
+ {
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+ ike_sa);
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ }
+ }
+ return DESTROY_ME;
+}
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_process_message_job_t *this)
+{
+ this->message->destroy(this->message);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+process_message_job_t *process_message_job_create(message_t *message)
+{
+ private_process_message_job_t *this = malloc_thing(private_process_message_job_t);
+
+ /* interface functions */
+ this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
+ this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+ this->public.job_interface.destroy = (void(*)(job_t*))destroy;
+
+ /* private variables */
+ this->message = message;
+
+ return &(this->public);
+}
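Review bot: When checkout_by_message() returns NULL, execute() drops the message without any log entry, while the reqid-based jobs in this commit log their not-found case. Unless the manager already logs this (not visible here), packets that match no IKE_SA leave no trace, which makes unsolicited or malformed traffic hard to spot. Consider an else branch with `DBG2(DBG_JOB, "no IKE_SA found for received message, dropping");`. The file header also says `@file process_message_job.h` in the .c file.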
diff --git a/src/charon/queues/jobs/process_message_job.h b/src/charon/queues/jobs/process_message_job.h
new file mode 100644
index 000000000..2e60a298c
--- /dev/null
+++ b/src/charon/queues/jobs/process_message_job.h
@@ -0,0 +1,58 @@
+/**
+ * @file process_message_job.h
+ *
+ * @brief Interface of process_message_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PROCESS_MESSAGE_JOB_H_
+#define PROCESS_MESSAGE_JOB_H_
+
+typedef struct process_message_job_t process_message_job_t;
+
+#include <library.h>
+#include <encoding/message.h>
+#include <queues/jobs/job.h>
+
+/**
+ * @brief Class representing an PROCESS_MESSAGE job.
+ *
+ * @b Constructors:
+ * - process_message_job_create()
+ *
+ * @ingroup jobs
+ */
+struct process_message_job_t {
+ /**
+ * implements job_t interface
+ */
+ job_t job_interface;
+};
+
+/**
+ * @brief Creates a job of type PROCESS_MESSAGE.
+ *
+ * @param message message to process
+ * @return created process_message_job_t object
+ *
+ * @ingroup jobs
+ */
+process_message_job_t *process_message_job_create(message_t *message);
+
+#endif /*PROCESS_MESSAGE_JOB_H_*/
diff --git a/src/charon/queues/jobs/rekey_child_sa_job.c b/src/charon/queues/jobs/rekey_child_sa_job.c
new file mode 100644
index 000000000..3422b614d
--- /dev/null
+++ b/src/charon/queues/jobs/rekey_child_sa_job.c
@@ -0,0 +1,112 @@
+/**
+ * @file rekey_child_sa_job.c
+ *
+ * @brief Implementation of rekey_child_sa_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "rekey_child_sa_job.h"
+
+#include <daemon.h>
+
+
+typedef struct private_rekey_child_sa_job_t private_rekey_child_sa_job_t;
+
+/**
+ * Private data of an rekey_child_sa_job_t object.
+ */
+struct private_rekey_child_sa_job_t {
+ /**
+ * Public rekey_child_sa_job_t interface.
+ */
+ rekey_child_sa_job_t public;
+
+ /**
+ * reqid of the child to rekey
+ */
+ u_int32_t reqid;
+
+ /**
+ * protocol of the CHILD_SA (ESP/AH)
+ */
+ protocol_id_t protocol;
+
+ /**
+ * inbound SPI of the CHILD_SA
+ */
+ u_int32_t spi;
+};
+
+/**
+ * Implementation of job_t.get_type.
+ */
+static job_type_t get_type(private_rekey_child_sa_job_t *this)
+{
+ return REKEY_CHILD_SA;
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static status_t execute(private_rekey_child_sa_job_t *this)
+{
+ ike_sa_t *ike_sa;
+
+ ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+ this->reqid, TRUE);
+ if (ike_sa == NULL)
+ {
+ DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for rekeying",
+ this->reqid);
+ return DESTROY_ME;
+ }
+ ike_sa->rekey_child_sa(ike_sa, this->protocol, this->spi);
+
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ return DESTROY_ME;
+}
+
+/**
+ * Implementation of job_t.destroy.
+ */
+static void destroy(private_rekey_child_sa_job_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
+ protocol_id_t protocol,
+ u_int32_t spi)
+{
+ private_rekey_child_sa_job_t *this = malloc_thing(private_rekey_child_sa_job_t);
+
+ /* interface functions */
+ this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
+ this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+ this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
+
+ /* private variables */
+ this->reqid = reqid;
+ this->protocol = protocol;
+ this->spi = spi;
+
+ return &(this->public);
+}
diff --git a/src/charon/queues/jobs/rekey_child_sa_job.h b/src/charon/queues/jobs/rekey_child_sa_job.h
new file mode 100644
index 000000000..19e1b5d32
--- /dev/null
+++ b/src/charon/queues/jobs/rekey_child_sa_job.h
@@ -0,0 +1,65 @@
+/**
+ * @file rekey_child_sa_job.h
+ *
+ * @brief Interface of rekey_child_sa_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef REKEY_CHILD_SA_JOB_H_
+#define REKEY_CHILD_SA_JOB_H_
+
+typedef struct rekey_child_sa_job_t rekey_child_sa_job_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <queues/jobs/job.h>
+#include <config/proposal.h>
+
+/**
+ * @brief Class representing an REKEY_CHILD_SA Job.
+ *
+ * This job initiates the rekeying of a CHILD SA.
+ *
+ * @b Constructors:
+ * - rekey_child_sa_job_create()
+ *
+ * @ingroup jobs
+ */
+struct rekey_child_sa_job_t {
+ /**
+ * The job_t interface.
+ */
+ job_t job_interface;
+};
+
+/**
+ * @brief Creates a job of type REKEY_CHILD_SA.
+ *
+ * The CHILD_SA is identified by its protocol (AH/ESP) and its
+ * inbound SPI.
+ *
+ * @param reqid reqid of the CHILD_SA to rekey
+ * @param protocol protocol of the CHILD_SA
+ * @param spi security parameter index of the CHILD_SA
+ * @return rekey_child_sa_job_t object
+ *
+ * @ingroup jobs
+ */
+rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, protocol_id_t protocol, u_int32_t spi);
+
+#endif /* REKEY_CHILD_SA_JOB_H_ */
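Review bot: The description of `rekey_child_sa_job_create()` says the CHILD_SA is identified by its protocol and inbound SPI, yet `reqid` is a required parameter and is what `execute` in rekey_child_sa_job.c passes to `checkout_by_id` to find the owning IKE_SA. I would spell out both roles, for example `The owning IKE_SA is looked up by reqid; protocol and inbound SPI select the CHILD_SA to rekey.` The header also includes `<sa/ike_sa_id.h>` although no `ike_sa_id_t` appears in it.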
diff --git a/src/charon/queues/jobs/rekey_ike_sa_job.c b/src/charon/queues/jobs/rekey_ike_sa_job.c
new file mode 100644
index 000000000..2539d997e
--- /dev/null
+++ b/src/charon/queues/jobs/rekey_ike_sa_job.c
@@ -0,0 +1,120 @@
+/**
+ * @file rekey_ike_sa_job.c
+ *
+ * @brief Implementation of rekey_ike_sa_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "rekey_ike_sa_job.h"
+
+#include <daemon.h>
+
+
+typedef struct private_rekey_ike_sa_job_t private_rekey_ike_sa_job_t;
+
+/**
+ * Private data of an rekey_ike_sa_job_t object.
+ */
+struct private_rekey_ike_sa_job_t {
+ /**
+ * Public rekey_ike_sa_job_t interface.
+ */
+ rekey_ike_sa_job_t public;
+
+ /**
+ * ID of the IKE_SA to rekey
+ */
+ ike_sa_id_t *ike_sa_id;
+
+ /**
+ * force reauthentication of the peer (full IKE_SA setup)
+ */
+ bool reauth;
+};
+
+/**
+ * Implementation of job_t.get_type.
+ */
+static job_type_t get_type(private_rekey_ike_sa_job_t *this)
+{
+ return REKEY_IKE_SA;
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static status_t execute(private_rekey_ike_sa_job_t *this)
+{
+ ike_sa_t *ike_sa;
+ status_t status = SUCCESS;
+
+ ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+ this->ike_sa_id);
+ if (ike_sa == NULL)
+ {
+ DBG2(DBG_JOB, "IKE_SA %J to rekey not found", this->ike_sa_id);
+ return DESTROY_ME;
+ }
+
+ if (this->reauth)
+ {
+ ike_sa->reestablish(ike_sa);
+ }
+ else
+ {
+ status = ike_sa->rekey(ike_sa);
+ }
+
+ if (status == DESTROY_ME)
+ {
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ }
+ return DESTROY_ME;
+}
+
+/**
+ * Implementation of job_t.destroy.
+ */
+static void destroy(private_rekey_ike_sa_job_t *this)
+{
+ this->ike_sa_id->destroy(this->ike_sa_id);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth)
+{
+ private_rekey_ike_sa_job_t *this = malloc_thing(private_rekey_ike_sa_job_t);
+
+ /* interface functions */
+ this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
+ this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+ this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
+
+ /* private variables */
+ this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+ this->reauth = reauth;
+
+ return &(this->public);
+}
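Review bot: In `execute`, the `reauth` branch discards whatever `ike_sa->reestablish(ike_sa)` reports, so `status` stays `SUCCESS` and the IKE_SA is always checked in on that path, while the `rekey` branch honours `DESTROY_ME`. `ike_sa_t` is declared outside this file, so whether `reestablish` returns a `status_t` is not visible here; if it does, the line should read `status = ike_sa->reestablish(ike_sa);`. If it returns nothing, a comment such as `/* reestablish() reports no status; the old IKE_SA is always checked in */` would show the asymmetry is deliberate.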
diff --git a/src/charon/queues/jobs/rekey_ike_sa_job.h b/src/charon/queues/jobs/rekey_ike_sa_job.h
new file mode 100644
index 000000000..f3e336fb3
--- /dev/null
+++ b/src/charon/queues/jobs/rekey_ike_sa_job.h
@@ -0,0 +1,60 @@
+/**
+ * @file rekey_ike_sa_job.h
+ *
+ * @brief Interface of rekey_ike_sa_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef REKEY_IKE_SA_JOB_H_
+#define REKEY_IKE_SA_JOB_H_
+
+typedef struct rekey_ike_sa_job_t rekey_ike_sa_job_t;
+
+#include <library.h>
+#include <sa/ike_sa_id.h>
+#include <queues/jobs/job.h>
+
+/**
+ * @brief Class representing an REKEY_IKE_SA Job.
+ *
+ * This job initiates the rekeying of an IKE_SA.
+ *
+ * @b Constructors:
+ * - rekey_ike_sa_job_create()
+ *
+ * @ingroup jobs
+ */
+struct rekey_ike_sa_job_t {
+ /**
+ * The job_t interface.
+ */
+ job_t job_interface;
+};
+
+/**
+ * @brief Creates a job of type REKEY_IKE_SA.
+ *
+ * @param ike_sa_id ID of the IKE_SA to rekey
+ * @param reauth TRUE to reauthenticate peer, FALSE for rekeying only
+ * @return rekey_ike_sa_job_t object
+ *
+ * @ingroup jobs
+ */
+rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth);
+
+#endif /* REKEY_IKE_SA_JOB_H_ */
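Review bot: The `@param ike_sa_id` line of `rekey_ike_sa_job_create()` does not say who owns the ID after the call. The implementation in rekey_ike_sa_job.c stores `ike_sa_id->clone(ike_sa_id)` and its `destroy` releases only that stored copy, so the caller keeps ownership of the object it passed in. Stating this helps call sites avoid a leak or a double destroy. I would write `@param ike_sa_id ID of the IKE_SA to rekey (gets cloned)`, matching send_dpd_job.h, and add the same remark to `retransmit_job_create()` in retransmit_job.h.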
diff --git a/src/charon/queues/jobs/retransmit_job.c b/src/charon/queues/jobs/retransmit_job.c
new file mode 100644
index 000000000..5bfa20dfd
--- /dev/null
+++ b/src/charon/queues/jobs/retransmit_job.c
@@ -0,0 +1,109 @@
+/**
+ * @file retransmit_job.c
+ *
+ * @brief Implementation of retransmit_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "retransmit_job.h"
+
+#include <daemon.h>
+
+typedef struct private_retransmit_job_t private_retransmit_job_t;
+
+/**
+ * Private data of an retransmit_job_t Object.
+ */
+struct private_retransmit_job_t {
+ /**
+ * Public retransmit_job_t interface.
+ */
+ retransmit_job_t public;
+
+ /**
+ * Message ID of the request to resend.
+ */
+ u_int32_t message_id;
+
+ /**
+ * ID of the IKE_SA which the message belongs to.
+ */
+ ike_sa_id_t *ike_sa_id;
+};
+
+/**
+ * Implements job_t.get_type.
+ */
+static job_type_t get_type(private_retransmit_job_t *this)
+{
+ return RETRANSMIT;
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static status_t execute(private_retransmit_job_t *this)
+{
+ ike_sa_t *ike_sa;
+
+ ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+ this->ike_sa_id);
+ if (ike_sa)
+ {
+ if (ike_sa->retransmit(ike_sa, this->message_id) == DESTROY_ME)
+ {
+ /* retransmitted to many times, giving up */
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+ ike_sa);
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ }
+ }
+ return DESTROY_ME;
+}
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_retransmit_job_t *this)
+{
+ this->ike_sa_id->destroy(this->ike_sa_id);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa_id)
+{
+ private_retransmit_job_t *this = malloc_thing(private_retransmit_job_t);
+
+ /* interface functions */
+ this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
+ this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+ this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+
+ /* private variables */
+ this->message_id = message_id;
+ this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+
+ return &this->public;
+}
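Review bot: `execute` returns silently when `checkout` finds no IKE_SA, whereas rekey_ike_sa_job.c and rekey_child_sa_job.c log that case with `DBG2(DBG_JOB, ...)`. send_dpd_job.c and send_keepalive_job.c in this commit have the same silent return. A dropped retransmit is worth a trace when diagnosing a stalled exchange, so I would add an `else` branch with `DBG2(DBG_JOB, "IKE_SA %J to retransmit not found", this->ike_sa_id);`. The comment on the give-up path should also read `retransmitted too many times`.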
diff --git a/src/charon/queues/jobs/retransmit_job.h b/src/charon/queues/jobs/retransmit_job.h
new file mode 100644
index 000000000..19e29b909
--- /dev/null
+++ b/src/charon/queues/jobs/retransmit_job.h
@@ -0,0 +1,64 @@
+/**
+ * @file retransmit_job.h
+ *
+ * @brief Interface of retransmit_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef RETRANSMIT_JOB_H_
+#define RETRANSMIT_JOB_H_
+
+typedef struct retransmit_job_t retransmit_job_t;
+
+#include <library.h>
+#include <queues/jobs/job.h>
+#include <sa/ike_sa_id.h>
+
+/**
+ * @brief Class representing an retransmit Job.
+ *
+ * This job is scheduled every time a request is sent over the
+ * wire. If the response to the request is not received at schedule
+ * time, the retransmission will be initiated.
+ *
+ * @b Constructors:
+ * - retransmit_job_create()
+ *
+ * @ingroup jobs
+ */
+struct retransmit_job_t {
+ /**
+ * The job_t interface.
+ */
+ job_t job_interface;
+};
+
+/**
+ * @brief Creates a job of type retransmit.
+ *
+ * @param message_id message_id of the request to resend
+ * @param ike_sa_id identification of the ike_sa as ike_sa_id_t
+ * @return retransmit_job_t object
+ *
+ * @ingroup jobs
+ */
+retransmit_job_t *retransmit_job_create(u_int32_t message_id,
+ ike_sa_id_t *ike_sa_id);
+
+#endif /* RETRANSMIT_JOB_H_ */
diff --git a/src/charon/queues/jobs/route_job.c b/src/charon/queues/jobs/route_job.c
new file mode 100644
index 000000000..bb6281dcc
--- /dev/null
+++ b/src/charon/queues/jobs/route_job.c
@@ -0,0 +1,125 @@
+/**
+ * @file route_job.c
+ *
+ * @brief Implementation of route_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include <stdlib.h>
+
+#include "route_job.h"
+
+#include <daemon.h>
+
+typedef struct private_route_job_t private_route_job_t;
+
+/**
+ * Private data of an route_job_t Object
+ */
+struct private_route_job_t {
+ /**
+ * public route_job_t interface
+ */
+ route_job_t public;
+
+ /**
+ * associated connection to route
+ */
+ connection_t *connection;
+
+ /**
+ * associated policy to route
+ */
+ policy_t *policy;
+
+ /**
+ * route or unroute?
+ */
+ bool route;
+};
+
+/**
+ * Implements route_job_t.get_type.
+ */
+static job_type_t get_type(private_route_job_t *this)
+{
+ return ROUTE;
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static status_t execute(private_route_job_t *this)
+{
+ ike_sa_t *ike_sa;
+
+ ike_sa = charon->ike_sa_manager->checkout_by_peer(charon->ike_sa_manager,
+ this->connection->get_my_host(this->connection),
+ this->connection->get_other_host(this->connection),
+ this->policy->get_my_id(this->policy),
+ this->policy->get_other_id(this->policy));
+ if (this->route)
+ {
+ if (ike_sa->route(ike_sa, this->connection, this->policy) != SUCCESS)
+ {
+ DBG1(DBG_JOB, "routing failed");
+ }
+ }
+ else
+ {
+ if (ike_sa->unroute(ike_sa, this->policy) == DESTROY_ME)
+ {
+ DBG1(DBG_JOB, "removing IKE_SA, as last routed CHILD_SA unrouted");
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+ return DESTROY_ME;
+ }
+ }
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ return DESTROY_ME;
+}
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_route_job_t *this)
+{
+ this->connection->destroy(this->connection);
+ this->policy->destroy(this->policy);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+route_job_t *route_job_create(connection_t *connection, policy_t *policy, bool route)
+{
+ private_route_job_t *this = malloc_thing(private_route_job_t);
+
+ /* interface functions */
+ this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
+ this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+ this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+
+ /* private variables */
+ this->connection = connection;
+ this->policy = policy;
+ this->route = route;
+
+ return &this->public;
+}
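Review bot: `execute` dereferences `ike_sa` straight after `checkout_by_peer` with no NULL test, although the other jobs in this commit check the result of their checkout call before using it. The manager is defined outside this hunk, so `checkout_by_peer` may always return an IKE_SA. If that is not guaranteed, `ike_sa->route(...)` or `ike_sa->unroute(...)` would crash the daemon. I would add `if (ike_sa == NULL) return DESTROY_ME;` before the `if (this->route)` test, or a comment stating the non-NULL guarantee.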
diff --git a/src/charon/queues/jobs/route_job.h b/src/charon/queues/jobs/route_job.h
new file mode 100644
index 000000000..2743a70ab
--- /dev/null
+++ b/src/charon/queues/jobs/route_job.h
@@ -0,0 +1,59 @@
+/**
+ * @file route_job.h
+ *
+ * @brief Interface of route_job_t.
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef ROUTE_JOB_H_
+#define ROUTE_JOB_H_
+
+typedef struct route_job_t route_job_t;
+
+#include <library.h>
+#include <queues/jobs/job.h>
+#include <config/policies/policy.h>
+#include <config/connections/connection.h>
+
+/**
+ * @brief Class representing an ROUTE Job.
+ *
+ * @b Constructors:
+ * - route_job_create()
+ *
+ * @ingroup jobs
+ */
+struct route_job_t {
+ /**
+ * implements job_t interface
+ */
+ job_t job_interface;
+};
+
+/**
+ * @brief Creates a job of type ROUTE.
+ *
+ * @param connection connection used for routing
+ * @param policy policy to set up
+ * @param route TRUE to route, FALSE to unroute
+ * @return route_job_t object
+ *
+ * @ingroup jobs
+ */
+route_job_t *route_job_create(connection_t *connection, policy_t *policy, bool route);
+
+#endif /*ROUTE_JOB_H_*/
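Review bot: The documentation of `route_job_create()` does not say that the job consumes the `connection` and `policy` passed in. route_job.c stores both pointers as given and its `destroy` calls `connection->destroy` and `policy->destroy`, unlike the ike_sa_id-based jobs, which clone their argument. A caller that destroys either object itself afterwards risks a double destroy or use-after-free; if these types are reference counted (not visible here), the caller has to pass a reference of its own. I would extend the lines to `@param connection connection used for routing (destroyed with the job)` and likewise for `policy`.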
diff --git a/src/charon/queues/jobs/send_dpd_job.c b/src/charon/queues/jobs/send_dpd_job.c
new file mode 100644
index 000000000..7294d78d5
--- /dev/null
+++ b/src/charon/queues/jobs/send_dpd_job.c
@@ -0,0 +1,110 @@
+/**
+ * @file send_dpd_job.c
+ *
+ * @brief Implementation of send_dpd_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include <stdlib.h>
+
+#include "send_dpd_job.h"
+
+#include <sa/ike_sa.h>
+#include <daemon.h>
+
+
+typedef struct private_send_dpd_job_t private_send_dpd_job_t;
+
+/**
+ * Private data of an send_dpd_job_t Object
+ */
+struct private_send_dpd_job_t {
+ /**
+ * public send_dpd_job_t interface
+ */
+ send_dpd_job_t public;
+
+ /**
+ * ID of the IKE_SA which the message belongs to.
+ */
+ ike_sa_id_t *ike_sa_id;
+};
+
+/**
+ * Implements send_dpd_job_t.get_type.
+ */
+static job_type_t get_type(private_send_dpd_job_t *this)
+{
+ return SEND_DPD;
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static status_t execute(private_send_dpd_job_t *this)
+{
+ ike_sa_t *ike_sa;
+
+ ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+ this->ike_sa_id);
+ if (ike_sa == NULL)
+ {
+ return DESTROY_ME;
+ }
+
+ if (ike_sa->send_dpd(ike_sa) == DESTROY_ME)
+ {
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ }
+ return DESTROY_ME;
+}
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_send_dpd_job_t *this)
+{
+ this->ike_sa_id->destroy(this->ike_sa_id);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id)
+{
+ private_send_dpd_job_t *this = malloc_thing(private_send_dpd_job_t);
+
+ /* interface functions */
+ this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
+ this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+ this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+
+ /* public functions */
+ this->public.destroy = (void (*)(send_dpd_job_t *)) destroy;
+
+ /* private variables */
+ this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+
+ return &(this->public);
+}
diff --git a/src/charon/queues/jobs/send_dpd_job.h b/src/charon/queues/jobs/send_dpd_job.h
new file mode 100644
index 000000000..f3900f9a2
--- /dev/null
+++ b/src/charon/queues/jobs/send_dpd_job.h
@@ -0,0 +1,68 @@
+/**
+ * @file send_dpd_job.h
+ *
+ * @brief Interface of send_dpd_job_t.
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef SEND_DPD_JOB_H_
+#define SEND_DPD_JOB_H_
+
+typedef struct send_dpd_job_t send_dpd_job_t;
+
+#include <library.h>
+#include <queues/jobs/job.h>
+#include <config/connections/connection.h>
+#include <sa/ike_sa_id.h>
+
+/**
+ * @brief Class representing a SEND_DPD Job.
+ *
+ * Job to periodically send a Dead Peer Detection (DPD) request,
+ * ie. an IKE request with no payloads other than the encrypted payload
+ * required by the syntax.
+ *
+ * @b Constructors:
+ * - send_dpd_job_create()
+ *
+ * @ingroup jobs
+ */
+struct send_dpd_job_t {
+ /**
+ * implements job_t interface
+ */
+ job_t job_interface;
+
+ /**
+ * @brief Destroys an send_dpd_job_t object.
+ *
+ * @param this send_dpd_job_t object to destroy
+ */
+ void (*destroy) (send_dpd_job_t *this);
+};
+
+/**
+ * @brief Creates a job of type SEND_DPD.
+ *
+ * @param ike_sa_id identification of the ike_sa as ike_sa_id_t object (gets cloned)
+ * @return initiate_ike_sa_job_t object
+ *
+ * @ingroup jobs
+ */
+send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id);
+
+#endif /*SEND_DPD_JOB_H_*/
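Review bot: The `@return` line of `send_dpd_job_create()` names `initiate_ike_sa_job_t`, but the function returns `send_dpd_job_t *`; this looks like a leftover from the file it was copied from. It should read `@return send_dpd_job_t object`. send_keepalive_job.h carries the same wrong `@return` for `send_keepalive_job_create()`.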
diff --git a/src/charon/queues/jobs/send_keepalive_job.c b/src/charon/queues/jobs/send_keepalive_job.c
new file mode 100644
index 000000000..1c1cb288e
--- /dev/null
+++ b/src/charon/queues/jobs/send_keepalive_job.c
@@ -0,0 +1,103 @@
+/**
+ * @file send_keepalive_job.c
+ *
+ * @brief Implementation of send_keepalive_job_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include <stdlib.h>
+
+#include "send_keepalive_job.h"
+
+#include <sa/ike_sa.h>
+#include <daemon.h>
+
+
+typedef struct private_send_keepalive_job_t private_send_keepalive_job_t;
+
+/**
+ * Private data of an send_keepalive_job_t Object
+ */
+struct private_send_keepalive_job_t {
+ /**
+ * public send_keepalive_job_t interface
+ */
+ send_keepalive_job_t public;
+
+ /**
+ * ID of the IKE_SA which the message belongs to.
+ */
+ ike_sa_id_t *ike_sa_id;
+};
+
+/**
+ * Implements send_keepalive_job_t.get_type.
+ */
+static job_type_t get_type(private_send_keepalive_job_t *this)
+{
+ return SEND_KEEPALIVE;
+}
+
+/**
+ * Implementation of job_t.execute.
+ */
+static status_t execute(private_send_keepalive_job_t *this)
+{
+ ike_sa_t *ike_sa;
+
+ ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+ this->ike_sa_id);
+ if (ike_sa == NULL)
+ {
+ return DESTROY_ME;
+ }
+ ike_sa->send_keepalive(ike_sa);
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ return DESTROY_ME;
+}
+
+/**
+ * Implements job_t.destroy.
+ */
+static void destroy(private_send_keepalive_job_t *this)
+{
+ this->ike_sa_id->destroy(this->ike_sa_id);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id)
+{
+ private_send_keepalive_job_t *this = malloc_thing(private_send_keepalive_job_t);
+
+ /* interface functions */
+ this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type;
+ this->public.job_interface.destroy = (void (*) (job_t *)) destroy;
+ this->public.job_interface.execute = (status_t (*) (job_t *)) execute;
+
+ /* public functions */
+ this->public.destroy = (void (*)(send_keepalive_job_t *)) destroy;
+
+ /* private variables */
+ this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+
+ return &(this->public);
+}
diff --git a/src/charon/queues/jobs/send_keepalive_job.h b/src/charon/queues/jobs/send_keepalive_job.h
new file mode 100644
index 000000000..c7d05be65
--- /dev/null
+++ b/src/charon/queues/jobs/send_keepalive_job.h
@@ -0,0 +1,67 @@
+/**
+ * @file send_keepalive_job.h
+ *
+ * @brief Interface of send_keepalive_job_t.
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef SEND_KEEPALIVE_JOB_H_
+#define SEND_KEEPALIVE_JOB_H_
+
+typedef struct send_keepalive_job_t send_keepalive_job_t;
+
+#include <library.h>
+#include <queues/jobs/job.h>
+#include <config/connections/connection.h>
+#include <sa/ike_sa_id.h>
+
+/**
+ * @brief Class representing a SEND_KEEPALIVE Job.
+ *
+ * This job will send a NAT keepalive packet if the IKE SA is still alive,
+ * and reinsert itself into the event queue.
+ *
+ * @b Constructors:
+ * - send_keepalive_job_create()
+ *
+ * @ingroup jobs
+ */
+struct send_keepalive_job_t {
+ /**
+ * implements job_t interface
+ */
+ job_t job_interface;
+
+ /**
+ * @brief Destroys an send_keepalive_job_t object.
+ *
+ * @param this send_keepalive_job_t object to destroy
+ */
+ void (*destroy) (send_keepalive_job_t *this);
+};
+
+/**
+ * @brief Creates a job of type SEND_KEEPALIVE.
+ *
+ * @param ike_sa_id identification of the ike_sa as ike_sa_id_t object (gets cloned)
+ * @return initiate_ike_sa_job_t object
+ *
+ * @ingroup jobs
+ */
+send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id);
+
+#endif /*SEND_KEEPALIVE_JOB_H_*/
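Review bot: The class comment says the job will "reinsert itself into the event queue", but `execute` in send_keepalive_job.c calls `ike_sa->send_keepalive(ike_sa)`, checks the IKE_SA in and returns `DESTROY_ME` without scheduling anything. Any rescheduling presumably happens inside `send_keepalive`, which is outside this diff section. I would reword the description to `This job sends a NAT keepalive packet if the IKE_SA still exists; the job object is destroyed after execution.`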
diff --git a/src/charon/sa/authenticators/authenticator.c b/src/charon/sa/authenticators/authenticator.c
new file mode 100644
index 000000000..707aae9ad
--- /dev/null
+++ b/src/charon/sa/authenticators/authenticator.c
@@ -0,0 +1,56 @@
+/**
+ * @file authenticator.c
+ *
+ * @brief Generic constructor for authenticators.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "authenticator.h"
+
+#include <sa/authenticators/rsa_authenticator.h>
+#include <sa/authenticators/psk_authenticator.h>
+#include <sa/authenticators/eap_authenticator.h>
+
+
+ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
+ "RSA signature",
+ "pre-shared key",
+ "DSS signature");
+ENUM_NEXT(auth_method_names, AUTH_EAP, AUTH_EAP, AUTH_DSS,
+ "EAP");
+ENUM_END(auth_method_names, AUTH_EAP);
+
+/*
+ * Described in header.
+ */
+authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method)
+{
+ switch (auth_method)
+ {
+ case AUTH_RSA:
+ return (authenticator_t*)rsa_authenticator_create(ike_sa);
+ case AUTH_PSK:
+ return (authenticator_t*)psk_authenticator_create(ike_sa);
+ case AUTH_EAP:
+ return (authenticator_t*)eap_authenticator_create(ike_sa);
+ default:
+ return NULL;
+ }
+}
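Review bot: The `default:` branch of `authenticator_create()` returns NULL without any trace, and that branch is also reached for `AUTH_DSS`, which the enum and `auth_method_names` both declare. If `auth_method` can be taken from a peer's AUTH payload (not visible in this hunk), every caller has to test the result before calling `verify` or `build`. I would add an explicit `case AUTH_DSS:` falling through to `default:` with the comment `/* not implemented, caller must handle NULL */`, so the omission reads as intended.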
diff --git a/src/charon/sa/authenticators/authenticator.h b/src/charon/sa/authenticators/authenticator.h
new file mode 100644
index 000000000..c7b0fc81a
--- /dev/null
+++ b/src/charon/sa/authenticators/authenticator.h
@@ -0,0 +1,139 @@
+/**
+ * @file authenticator.h
+ *
+ * @brief Interface of authenticator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef AUTHENTICATOR_H_
+#define AUTHENTICATOR_H_
+
+typedef enum auth_method_t auth_method_t;
+typedef struct authenticator_t authenticator_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <encoding/payloads/auth_payload.h>
+
+/**
+ * Method to use for authentication.
+ *
+ * @ingroup authenticators
+ */
+enum auth_method_t {
+ /**
+ * Computed as specified in section 2.15 of RFC using
+ * an RSA private key over a PKCS#1 padded hash.
+ */
+ AUTH_RSA = 1,
+
+ /**
+ * Computed as specified in section 2.15 of RFC using the
+ * shared key associated with the identity in the ID payload
+ * and the negotiated prf function
+ */
+ AUTH_PSK = 2,
+
+ /**
+ * Computed as specified in section 2.15 of RFC using a
+ * DSS private key over a SHA-1 hash.
+ */
+ AUTH_DSS = 3,
+
+ /**
+ * EAP authentication. This value is never negotiated and therefore
+ * a value from private use.
+ */
+ AUTH_EAP = 201,
+};
+
+/**
+ * enum names for auth_method_t.
+ *
+ * @ingroup authenticators
+ */
+extern enum_name_t *auth_method_names;
+
+/**
+ * @brief Authenticator interface implemented by the various authenticators.
+ *
+ * Currently the following two AUTH methods are supported:
+ * - shared key message integrity code (AUTH_PSK)
+ * - RSA digital signature (AUTH_RSA)
+ *
+ * @b Constructors:
+ * - authenticator_create()
+ *
+ * @ingroup authenticators
+ */
+struct authenticator_t {
+
+ /**
+ * @brief Verify a received authentication payload.
+ *
+ * @param this calling object
+ * @param ike_sa_init binary representation of received ike_sa_init
+ * @param my_nonce the sent nonce
+ * @param auth_payload authentication payload to verify
+ *
+ * @return
+ * - SUCCESS,
+ * - FAILED if verification failed
+ * - INVALID_ARG if auth_method does not match
+ * - NOT_FOUND if credentials not found
+ */
+ status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t my_nonce, auth_payload_t *auth_payload);
+
+ /**
+ * @brief Build an authentication payload to send to the other peer.
+ *
+ * @param this calling object
+ * @param ike_sa_init binary representation of sent ike_sa_init
+ * @param other_nonce the received nonce
+ * @param[out] auth_payload the resulting authentication payload
+ *
+ * @return
+ * - SUCCESS,
+ * - NOT_FOUND if the data for AUTH method could not be found
+ */
+ status_t (*build) (authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t other_nonce, auth_payload_t **auth_payload);
+
+ /**
+ * @brief Destroys a authenticator_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (authenticator_t *this);
+};
+
+/**
+ * @brief Creates an authenticator for the specified auth method.
+ *
+ * @param ike_sa associated ike_sa
+ * @param auth_method authentication method to use for build()/verify()
+ *
+ * @return authenticator_t object
+ *
+ * @ingroup authenticators
+ */
+authenticator_t *authenticator_create(ike_sa_t *ike_sa, auth_method_t auth_method);
+
+#endif /* AUTHENTICATOR_H_ */
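Review bot: The interface comment on `authenticator_t` says two AUTH methods are supported (AUTH_PSK and AUTH_RSA), but authenticator.c in this commit also constructs an EAP authenticator for `AUTH_EAP`. The `@return` of `authenticator_create()` should also cover the failure case, for example `@return authenticator_t object, NULL if auth_method is not supported`. The enum comments cite "section 2.15 of RFC" without a number; naming the RFC (presumably RFC 4306, the IKEv2 specification) would make the reference usable.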
diff --git a/src/charon/sa/authenticators/eap/eap_identity.c b/src/charon/sa/authenticators/eap/eap_identity.c
new file mode 100644
index 000000000..12a8bf7cc
--- /dev/null
+++ b/src/charon/sa/authenticators/eap/eap_identity.c
@@ -0,0 +1,135 @@
+/**
+ * @file eap_identity.c
+ *
+ * @brief Implementation of eap_identity_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_identity.h"
+
+#include <daemon.h>
+#include <library.h>
+
+typedef struct private_eap_identity_t private_eap_identity_t;
+
+/**
+ * Private data of an eap_identity_t object.
+ */
+struct private_eap_identity_t {
+
+ /**
+ * Public authenticator_t interface.
+ */
+ eap_identity_t public;
+
+ /**
+ * ID of the peer
+ */
+ identification_t *peer;
+};
+
+/**
+ * Implementation of eap_method_t.process for the peer
+ */
+static status_t process(private_eap_identity_t *this,
+ eap_payload_t *in, eap_payload_t **out)
+{
+ chunk_t id, hdr;
+
+ hdr = chunk_alloca(5);
+ id = this->peer->get_encoding(this->peer);
+
+ *(hdr.ptr + 0) = EAP_RESPONSE;
+ *(hdr.ptr + 1) = in->get_identifier(in);
+ *(u_int16_t*)(hdr.ptr + 2) = htons(hdr.len + id.len);
+ *(hdr.ptr + 4) = EAP_IDENTITY;
+
+ *out = eap_payload_create_data(chunk_cata("cc", hdr, id));
+ return SUCCESS;
+
+}
+
+/**
+ * Implementation of eap_method_t.initiate for the peer
+ */
+static status_t initiate(private_eap_identity_t *this, eap_payload_t **out)
+{
+ /* peer never initiates */
+ return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_identity_t *this)
+{
+ return EAP_IDENTITY;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_identity_t *this, chunk_t *msk)
+{
+ return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_identity_t *this)
+{
+ return FALSE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_identity_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_identity_t *eap_create(eap_role_t role,
+ identification_t *server, identification_t *peer)
+{
+ private_eap_identity_t *this;
+
+ if (role != EAP_PEER)
+ {
+ return NULL;
+ }
+
+ this = malloc_thing(private_eap_identity_t);
+
+ /* public functions */
+ this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
+ this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
+ this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*))get_type;
+ this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+ this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+ this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
+
+ /* private data */
+ this->peer = peer;
+
+ return &this->public;
+}
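Review bot: In `process()`, the 16-bit EAP length is written as `htons(hdr.len + id.len)` with no bound on `id.len`, so an identity encoding longer than 65530 bytes would give a length field that disagrees with the data passed to `eap_payload_create_data()`. A guard before the header is filled, `if (id.len > 0xFFFF - hdr.len) return FAILED;`, keeps header and payload consistent. As far as this file shows, the identity is the local peer ID rather than wire input, so this is a robustness point. The store through `*(u_int16_t*)(hdr.ptr + 2)` also depends on the alignment of the `chunk_alloca()` buffer; copying from a local `u_int16_t` with `memcpy` removes that assumption.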
diff --git a/src/charon/sa/authenticators/eap/eap_identity.h b/src/charon/sa/authenticators/eap/eap_identity.h
new file mode 100644
index 000000000..20f0f0b67
--- /dev/null
+++ b/src/charon/sa/authenticators/eap/eap_identity.h
@@ -0,0 +1,59 @@
+/**
+ * @file eap_identity.h
+ *
+ * @brief Interface of eap_identity_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef EAP_IDENTITY_H_
+#define EAP_IDENTITY_H_
+
+typedef struct eap_identity_t eap_identity_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * @brief Implementation of the eap_method_t interface using EAP Identity.
+ *
+ * @b Constructors:
+ * - eap_identity_create()
+ * - eap_client_create() using eap_method EAP_IDENTITY
+ *
+ * @ingroup eap
+ */
+struct eap_identity_t {
+
+ /**
+ * Implemented eap_method_t interface.
+ */
+ eap_method_t eap_method_interface;
+};
+
+/**
+ * @brief Creates the EAP method EAP Identity.
+ *
+ * @param server ID of the EAP server
+ * @param peer ID of the EAP client
+ * @return eap_identity_t object
+ *
+ * @ingroup eap
+ */
+eap_identity_t *eap_create(eap_role_t role,
+ identification_t *server, identification_t *peer);
+
+#endif /* EAP_IDENTITY_H_ */
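Review bot: The doc comments do not match the declaration: the struct comment lists `eap_identity_create()` and `eap_client_create()` as constructors, but the only function declared here is `eap_create()`, and its comment has no `@param role` line. I would list `eap_create()` under Constructors and add `@param role role of the method, only EAP_PEER is supported`. The `@return` line should say that NULL is returned for any other role, which is what eap_identity.c in this commit does. It is also worth stating that `peer` is stored by pointer and not cloned, so the caller must keep it alive for the lifetime of the object.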
diff --git a/src/charon/sa/authenticators/eap/eap_method.c b/src/charon/sa/authenticators/eap/eap_method.c
new file mode 100644
index 000000000..a4d8abb58
--- /dev/null
+++ b/src/charon/sa/authenticators/eap/eap_method.c
@@ -0,0 +1,245 @@
+/**
+ * @file eap_method.c
+ *
+ * @brief Generic constructor for eap_methods.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <sys/stat.h>
+#include <dirent.h>
+#include <error.h>
+#include <dlfcn.h>
+
+#include "eap_method.h"
+
+#include <daemon.h>
+#include <library.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+
+
+ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_TOKEN_CARD,
+ "EAP_IDENTITY",
+ "EAP_NOTIFICATION",
+ "EAP_NAK",
+ "EAP_MD5",
+ "EAP_ONE_TIME_PASSWORD",
+ "EAP_TOKEN_CARD");
+ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_TOKEN_CARD,
+ "EAP_SIM");
+ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM,
+ "EAP_AKA");
+ENUM_END(eap_type_names, EAP_AKA);
+
+ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE,
+ "EAP_REQUEST",
+ "EAP_RESPONSE",
+ "EAP_SUCCESS",
+ "EAP_FAILURE",
+);
+
+ENUM(eap_role_names, EAP_SERVER, EAP_PEER,
+ "EAP_SERVER",
+ "EAP_PEER",
+);
+
+
+typedef struct module_entry_t module_entry_t;
+
+/**
+ * Representation of a loaded module: EAP type, library handle, constructor
+ */
+struct module_entry_t {
+ eap_type_t type;
+ void *handle;
+ eap_constructor_t constructor;
+};
+
+/** List of module_entry_t's */
+static linked_list_t *modules = NULL;
+
+/**
+ * unload modules at daemon shutdown
+ */
+void eap_method_unload()
+{
+ if (modules)
+ {
+ module_entry_t *entry;
+
+ while (modules->remove_last(modules, (void**)&entry) == SUCCESS)
+ {
+ DBG2(DBG_CFG, "unloaded module for %s", eap_type_names, entry->type);
+ dlclose(entry->handle);
+ free(entry);
+ }
+ modules->destroy(modules);
+ modules = NULL;
+ }
+}
+
+/**
+ * Load EAP modules at daemon startup
+ */
+void eap_method_load(char *directory)
+{
+ struct dirent* entry;
+ struct stat stb;
+ DIR* dir;
+
+ eap_method_unload();
+ modules = linked_list_create();
+
+ if (stat(directory, &stb) == -1 || !(stb.st_mode & S_IFDIR))
+ {
+ DBG1(DBG_CFG, "error opening EAP modules directory %s", directory);
+ return;
+ }
+ if (stb.st_uid != 0)
+ {
+ DBG1(DBG_CFG, "EAP modules directory %s not owned by root, skipped", directory);
+ return;
+ }
+ if (stb.st_mode & S_IWOTH || stb.st_mode & S_IWGRP)
+ {
+ DBG1(DBG_CFG, "EAP modules directory %s writable by others, skipped", directory);
+ return;
+ }
+
+ dir = opendir(directory);
+ if (dir == NULL)
+ {
+ DBG1(DBG_CFG, "error opening EAP modules directory %s", directory);
+ return;
+ }
+
+ DBG1(DBG_CFG, "loading EAP modules from '%s'", directory);
+
+ while ((entry = readdir(dir)) != NULL)
+ {
+ char file[256];
+ module_entry_t module, *loaded_module;
+ eap_method_t *method;
+ identification_t *id;
+ char *ending;
+
+ snprintf(file, sizeof(file), "%s/%s", directory, entry->d_name);
+
+ if (stat(file, &stb) == -1 || !(stb.st_mode & S_IFREG))
+ {
+ DBG2(DBG_CFG, " skipping %s, doesn't look like a file",
+ entry->d_name);
+ continue;
+ }
+ ending = entry->d_name + strlen(entry->d_name) - 3;
+ if (ending <= entry->d_name || !streq(ending, ".so"))
+ {
+ /* skip anything which does not look like a library */
+ DBG2(DBG_CFG, " skipping %s, doesn't look like a library",
+ entry->d_name);
+ continue;
+ }
+ if (stb.st_uid != 0)
+ {
+ DBG1(DBG_CFG, " skipping %s, file is not owned by root", entry->d_name);
+ return;
+ }
+ if (stb.st_mode & S_IWOTH || stb.st_mode & S_IWGRP)
+ {
+ DBG1(DBG_CFG, " skipping %s, file is writeable by others", entry->d_name);
+ continue;
+ }
+
+ /* try to load the library */
+ module.handle = dlopen(file, RTLD_LAZY);
+ if (module.handle == NULL)
+ {
+ DBG1(DBG_CFG, " opening EAP module %s failed: %s", entry->d_name,
+ dlerror());
+ continue;
+ }
+ module.constructor = dlsym(module.handle, "eap_create");
+ if (module.constructor == NULL)
+ {
+ DBG1(DBG_CFG, " EAP module %s has no eap_create() function, skipped",
+ entry->d_name);
+ dlclose(module.handle);
+ continue;
+ }
+
+ /* get the type implemented in the method, create an instance for it */
+ id = identification_create_from_string("john@doe.xyz");
+ method = module.constructor(EAP_SERVER, id, id);
+ if (method == NULL)
+ {
+ method = module.constructor(EAP_PEER, id, id);
+ }
+ id->destroy(id);
+ if (method == NULL)
+ {
+ DBG1(DBG_CFG, " unable to create instance of EAP method %s, skipped",
+ entry->d_name);
+ dlclose(module.handle);
+ continue;
+ }
+ module.type = method->get_type(method);
+ method->destroy(method);
+
+ DBG1(DBG_CFG, " loaded EAP method %N successfully from %s",
+ eap_type_names, module.type, entry->d_name);
+
+ loaded_module = malloc_thing(module_entry_t);
+ memcpy(loaded_module, &module, sizeof(module));
+ modules->insert_last(modules, loaded_module);
+ }
+ closedir(dir);
+}
+
+/*
+ * Described in header.
+ */
+eap_method_t *eap_method_create(eap_type_t type, eap_role_t role,
+ identification_t *server,
+ identification_t *peer)
+{
+ eap_method_t *method = NULL;
+ iterator_t *iterator;
+ module_entry_t *entry;
+
+ iterator = modules->create_iterator(modules, TRUE);
+ while (iterator->iterate(iterator, (void**)&entry))
+ {
+ if (entry->type == type)
+ {
+ method = entry->constructor(role, server, peer);
+ if (method)
+ {
+ break;
+ }
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (method == NULL)
+ {
+ DBG1(DBG_CFG, "no EAP module found for %N %N",
+ eap_type_names, type, eap_role_names, role);
+ }
+ return method;
+}
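Review bot: In `eap_method_load()`, the branch for a module file not owned by root logs "skipping" but then executes `return;`, which stops loading all remaining modules and leaves `dir` open; it should be `continue;` like the write-permission branch next to it. The type tests `stb.st_mode & S_IFDIR` and `stb.st_mode & S_IFREG` are bit tests rather than `S_ISDIR()`/`S_ISREG()`, so other file types sharing those bits pass. Because `stat()` follows symlinks, the owner and mode checks apply to a link target whose parent directory is never checked; `lstat()` with `S_ISREG(stb.st_mode)` would reject links before `dlopen()`. Separately, `eap_method_unload()` logs with `%s` while passing `eap_type_names, entry->type`, where the other messages use `%N`. `eap_method_create()` also dereferences `modules` without checking that `eap_method_load()` has run.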
diff --git a/src/charon/sa/authenticators/eap/eap_method.h b/src/charon/sa/authenticators/eap/eap_method.h
new file mode 100644
index 000000000..d43dc001f
--- /dev/null
+++ b/src/charon/sa/authenticators/eap/eap_method.h
@@ -0,0 +1,242 @@
+/**
+ * @file eap_method.h
+ *
+ * @brief Interface eap_method_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef EAP_METHOD_H_
+#define EAP_METHOD_H_
+
+typedef struct eap_method_t eap_method_t;
+typedef enum eap_role_t eap_role_t;
+typedef enum eap_type_t eap_type_t;
+typedef enum eap_code_t eap_code_t;
+
+#include <library.h>
+#include <utils/identification.h>
+#include <encoding/payloads/eap_payload.h>
+
+/**
+ * Role of an eap_method, SERVER or PEER (client)
+ *
+ * @ingroup eap
+ */
+enum eap_role_t {
+ EAP_SERVER,
+ EAP_PEER,
+};
+/**
+ * enum names for eap_role_t.
+ *
+ * @ingroup eap
+ */
+extern enum_name_t *eap_role_names;
+
+/**
+ * EAP types, defines the EAP method implementation
+ *
+ * @ingroup eap
+ */
+enum eap_type_t {
+ EAP_IDENTITY = 1,
+ EAP_NOTIFICATION = 2,
+ EAP_NAK = 3,
+ EAP_MD5 = 4,
+ EAP_ONE_TIME_PASSWORD = 5,
+ EAP_TOKEN_CARD = 6,
+ EAP_SIM = 18,
+ EAP_AKA = 23,
+};
+
+/**
+ * enum names for eap_type_t.
+ *
+ * @ingroup eap
+ */
+extern enum_name_t *eap_type_names;
+
+/**
+ * EAP code, type of an EAP message
+ *
+ * @ingroup eap
+ */
+enum eap_code_t {
+ EAP_REQUEST = 1,
+ EAP_RESPONSE = 2,
+ EAP_SUCCESS = 3,
+ EAP_FAILURE = 4,
+};
+
+/**
+ * enum names for eap_code_t.
+ *
+ * @ingroup eap
+ */
+extern enum_name_t *eap_code_names;
+
+
+/**
+ * @brief Interface of an EAP method for server and client side.
+ *
+ * An EAP method initiates an EAP exchange and processes requests and
+ * responses. An EAP method may need multiple exchanges before succeeding, and
+ * the eap_authentication may use multiple EAP methods to authenticate a peer.
+ * To accomplish these requirements, all EAP methods have their own
+ * implementation while the eap_authenticatior uses one or more of these
+ * EAP methods. Sending of EAP(SUCCESS/FAILURE) message is not the job
+ * of the method, the eap_authenticator does this.
+ * An EAP method may establish a MSK, this is used the complete the
+ * authentication. Even if a mutual EAP method is used, the traditional
+ * AUTH payloads are required. Only these include the nonces and messages from
+ * ike_sa_init and therefore prevent man in the middle attacks.
+ *
+ * @b Constructors:
+ * - eap_method_create()
+ *
+ * @ingroup eap
+ */
+struct eap_method_t {
+
+ /**
+ * @brief Initiate the EAP exchange.
+ *
+ * initiate() is only useable for server implementations, as clients only
+ * reply to server requests.
+ * A eap_payload is created in "out" if result is NEED_MORE.
+ *
+ * @param this calling object
+ * @param out eap_payload to send to the client
+ * @return
+ * - NEED_MORE, if an other exchange is required
+ * - FAILED, if unable to create eap request payload
+ */
+ status_t (*initiate) (eap_method_t *this, eap_payload_t **out);
+
+ /**
+ * @brief Process a received EAP message.
+ *
+ * A eap_payload is created in "out" if result is NEED_MORE.
+ *
+ * @param this calling object
+ * @param in eap_payload response received
+ * @param out created eap_payload to send
+ * @return
+ * - NEED_MORE, if an other exchange is required
+ * - FAILED, if EAP method failed
+ * - SUCCESS, if EAP method succeeded
+ */
+ status_t (*process) (eap_method_t *this, eap_payload_t *in,
+ eap_payload_t **out);
+
+ /**
+ * @brief Get the EAP type implemented in this method.
+ *
+ * @param this calling object
+ * @return type of the EAP method
+ */
+ eap_type_t (*get_type) (eap_method_t *this);
+
+ /**
+ * @brief Check if this EAP method authenticates the server.
+ *
+ * Some EAP methods provide mutual authentication and
+ * allow authentication using only EAP, if the peer supports it.
+ *
+ * @param this calling object
+ * @return TRUE if methods provides mutual authentication
+ */
+ bool (*is_mutual) (eap_method_t *this);
+
+ /**
+ * @brief Get the MSK established by this EAP method.
+ *
+ * Not all EAP methods establish a shared secret.
+ *
+ * @param this calling object
+ * @param msk chunk receiving internal stored MSK
+ * @return
+ * - SUCCESS, or
+ * - FAILED, if MSK not established (yet)
+ */
+ status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
+
+ /**
+ * @brief Destroys a eap_method_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (eap_method_t *this);
+};
+
+/**
+ * @brief Creates an EAP method for a specific type and role.
+ *
+ * @param eap_type EAP type to use
+ * @param role role of the eap_method, server or peer
+ * @param server ID of acting server
+ * @param peer ID of involved peer (client)
+ * @return eap_method_t object
+ *
+ * @ingroup eap
+ */
+eap_method_t *eap_method_create(eap_type_t eap_type, eap_role_t role,
+ identification_t *server, identification_t *peer);
+
+/**
+ * @brief (Re-)Load all EAP modules in the EAP modules directory.
+ *
+ * For security reasons, the directory and all it's modules must be owned
+ * by root and must not be writeable by someone else.
+ *
+ * @param dir directory of the EAP modules
+ *
+ * @ingroup eap
+ */
+void eap_method_load(char *directory);
+
+/**
+ * @brief Unload all loaded EAP modules
+ *
+ * @ingroup eap
+ */
+void eap_method_unload();
+
+/**
+ * @brief Constructor definition for a pluggable EAP module.
+ *
+ * Each EAP module must define a constructor function which will return
+ * an initialized object with the methods defined in eap_method_t. The
+ * constructor must be named eap_create() and it's signature must be equal
+ * to that of eap_constructor_t.
+ * A module may implement only a single role. If it does not support the role
+ * requested, NULL should be returned. Multiple modules are allowed of the
+ * same EAP type to support seperate implementations of peer/server.
+ *
+ * @param role role the module will play, peer or server
+ * @param server ID of the server to use for credential lookup
+ * @param peer ID of the peer to use for credential lookup
+ * @return implementation of the eap_method_t interface
+ *
+ * @ingroup eap
+ */
+typedef eap_method_t *(*eap_constructor_t)(eap_role_t role,
+ identification_t *server,
+ identification_t *peer);
+
+#endif /* EAP_METHOD_H_ */
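Review bot: The comment on `eap_method_load()` documents `@param dir` while the parameter is named `directory`, and it understates the checks the loader in this commit performs. I would write `@param directory directory of the EAP modules` and spell out that the directory and each `.so` must be owned by root and not group- or world-writable, and that a directory failing the check is skipped entirely. The `@return` of `eap_method_create()` should add `NULL if no loaded module supports the type and role`, since eap_method.c returns NULL in that case and callers need to check for it. `void eap_method_unload();` would be better declared as `void eap_method_unload(void);` so the prototype actually constrains callers in C.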
diff --git a/src/charon/sa/authenticators/eap/eap_sim.c b/src/charon/sa/authenticators/eap/eap_sim.c
new file mode 100644
index 000000000..3dc59fb6b
--- /dev/null
+++ b/src/charon/sa/authenticators/eap/eap_sim.c
@@ -0,0 +1,703 @@
+/**
+ * @file eap_sim.c
+ *
+ * @brief Implementation of eap_sim_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "eap_sim.h"
+
+#include <dlfcn.h>
+
+#include <daemon.h>
+#include <library.h>
+
+#define MAX_TRIES 3
+
+ENUM(sim_subtype_names, SIM_START, SIM_CLIENT_ERROR,
+ "SIM_START",
+ "SIM_CHALLENGE",
+ "SIM_NOTIFICATION",
+ "SIM_13",
+ "SIM_CLIENT_ERROR",
+);
+
+ENUM_BEGIN(sim_attribute_names, AT_END, AT_CLIENT_ERROR_CODE,
+ "AT_END",
+ "AT_0",
+ "AT_RAND",
+ "AT_AUTN",
+ "AT_RES",
+ "AT_AUTS",
+ "AT_5",
+ "AT_PADDING",
+ "AT_NONCE_MT",
+ "AT_8",
+ "AT_9",
+ "AT_PERMANENT_ID_REQ",
+ "AT_MAC",
+ "AT_NOTIFICATION",
+ "AT_ANY_ID_REQ",
+ "AT_IDENTITY",
+ "AT_VERSION_LIST",
+ "AT_SELECTED_VERSION",
+ "AT_FULLAUTH_ID_REQ",
+ "AT_18",
+ "AT_COUNTER",
+ "AT_COUNTER_TOO_SMALL",
+ "AT_NONCE_S",
+ "AT_CLIENT_ERROR_CODE");
+ENUM_NEXT(sim_attribute_names, AT_IV, AT_RESULT_IND, AT_CLIENT_ERROR_CODE,
+ "AT_IV",
+ "AT_ENCR_DATA",
+ "AT_131",
+ "AT_NEXT_PSEUDONYM",
+ "AT_NEXT_REAUTH_ID",
+ "AT_CHECKCODE",
+ "AT_RESULT_IND");
+ENUM_END(sim_attribute_names, AT_RESULT_IND);
+
+
+typedef struct private_eap_sim_t private_eap_sim_t;
+
+/**
+ * Private data of an eap_sim_t object.
+ */
+struct private_eap_sim_t {
+
+ /**
+ * Public authenticator_t interface.
+ */
+ eap_sim_t public;
+
+ /**
+ * ID of ourself
+ */
+ identification_t *peer;
+
+ /**
+ * SIM cardreader function loaded from library
+ */
+ sim_algo_t alg;
+
+ /**
+ * handle of the loaded library
+ */
+ void *handle;
+
+ /**
+ * how many times we try to authenticate
+ */
+ int tries;
+
+ /**
+ * version this implementation uses
+ */
+ chunk_t version;
+
+ /**
+ * version list received from server
+ */
+ chunk_t version_list;
+
+ /**
+ * Nonce value used in AT_NONCE_MT
+ */
+ chunk_t nonce;
+
+ /**
+ * k_encr key derived from MK
+ */
+ chunk_t k_encr;
+
+ /**
+ * k_auth key derived from MK, used for AT_MAC verification
+ */
+ chunk_t k_auth;
+
+ /**
+ * MSK, used for EAP-SIM based IKEv2 authentication
+ */
+ chunk_t msk;
+
+ /**
+ * EMSK, extendes MSK for further uses
+ */
+ chunk_t emsk;
+};
+
+/** length of the AT_NONCE_MT nonce value */
+#define NONCE_LEN 16
+/** length of the AT_MAC value */
+#define MAC_LEN 16
+/** length of the AT_RAND value */
+#define RAND_LEN 16
+/** length of the k_encr key */
+#define KENCR_LEN 16
+/** length of the k_auth key */
+#define KAUTH_LEN 16
+/** length of the MSK */
+#define MSK_LEN 64
+/** length of the EMSK */
+#define EMSK_LEN 64
+
+/* client error codes used in AT_CLIENT_ERROR_CODE */
+char client_error_general_buf[] = {0x00, 0x01};
+char client_error_unsupported_buf[] = {0x00, 0x02};
+char client_error_insufficient_buf[] = {0x00, 0x03};
+char client_error_notfresh_buf[] = {0x00, 0x04};
+chunk_t client_error_general = chunk_from_buf(client_error_general_buf);
+chunk_t client_error_unsupported = chunk_from_buf(client_error_unsupported_buf);
+chunk_t client_error_insufficient = chunk_from_buf(client_error_insufficient_buf);
+chunk_t client_error_notfresh = chunk_from_buf(client_error_notfresh_buf);
+
+/**
+ * Read EAP and EAP-SIM header, return SIM type
+ */
+static sim_subtype_t read_header(chunk_t *message)
+{
+ sim_subtype_t type;
+
+ if (message->len < 8)
+ {
+ *message = chunk_empty;
+ return 0;
+ }
+ type = *(message->ptr + 5);
+ *message = chunk_skip(*message, 8);
+ return type;
+}
+
+/**
+ * read the next attribute from the chunk data
+ */
+static sim_attribute_t read_attribute(chunk_t *message, chunk_t *data)
+{
+ sim_attribute_t attribute;
+ size_t length;
+
+ DBG3(DBG_IKE, "reading attribute from %B", message);
+
+ if (message->len < 2)
+ {
+ return AT_END;
+ }
+ attribute = *message->ptr++;
+ length = *message->ptr++ * 4 - 2;
+ message->len -= 2;
+ DBG3(DBG_IKE, "found attribute %N with length %d",
+ sim_attribute_names, attribute, length);
+
+ if (length > message->len)
+ {
+ return AT_END;
+ }
+ data->len = length;
+ data->ptr = message->ptr;
+ *message = chunk_skip(*message, length);
+ return attribute;
+}
+
+/**
+ * Build an EAP-SIM payload using a variable length attribute list.
+ * The variable argument takes a sim_attribute_t followed by its data in a chunk.
+ */
+static eap_payload_t *build_payload(private_eap_sim_t *this, u_int8_t identifier,
+ sim_subtype_t type, ...)
+{
+ chunk_t message = chunk_alloca(512);
+ chunk_t pos = message;
+ eap_payload_t *payload;
+ va_list args;
+ sim_attribute_t attr;
+ u_int8_t *mac_pos = NULL;
+ chunk_t mac_data = chunk_empty;
+
+ /* write EAP header, skip length bytes */
+ *pos.ptr++ = EAP_RESPONSE;
+ *pos.ptr++ = identifier;
+ pos.ptr += 2;
+ pos.len -= 4;
+ /* write SIM header with type and subtype, zero reserved bytes */
+ *pos.ptr++ = EAP_SIM;
+ *pos.ptr++ = type;
+ *pos.ptr++ = 0;
+ *pos.ptr++ = 0;
+ pos.len -= 4;
+
+ va_start(args, type);
+ while ((attr = va_arg(args, sim_attribute_t)) != AT_END)
+ {
+ chunk_t data = va_arg(args, chunk_t);
+
+ DBG3(DBG_IKE, "building %N %B", sim_attribute_names, attr, &data);
+
+ /* write attribute header */
+ *pos.ptr++ = attr;
+ pos.len--;
+
+ switch (attr)
+ {
+ case AT_CLIENT_ERROR_CODE:
+ case AT_SELECTED_VERSION:
+ {
+ *pos.ptr = data.len/4 + 1;
+ pos = chunk_skip(pos, 1);
+ memcpy(pos.ptr, data.ptr, data.len);
+ pos = chunk_skip(pos, data.len);
+ break;
+ }
+ case AT_IDENTITY:
+ {
+ /* align up to four byte */
+ if (data.len % 4)
+ {
+ chunk_t tmp = chunk_alloca((data.len/4)*4 + 4);
+ memset(tmp.ptr, 0, tmp.len);
+ memcpy(tmp.ptr, data.ptr, data.len);
+ data = tmp;
+ }
+ *pos.ptr = data.len/4 + 1;
+ pos = chunk_skip(pos, 1);
+ /* actual length in bytes */
+ *(u_int16_t*)pos.ptr = htons(data.len);
+ pos = chunk_skip(pos, sizeof(u_int16_t));
+ memcpy(pos.ptr, data.ptr, data.len);
+ pos = chunk_skip(pos, data.len);
+ break;
+ }
+ case AT_NONCE_MT:
+ {
+ *pos.ptr = data.len/4 + 1;
+ pos = chunk_skip(pos, 1);
+ memset(pos.ptr, 0, 2);
+ pos = chunk_skip(pos, 2);
+ memcpy(pos.ptr, data.ptr, data.len);
+ pos = chunk_skip(pos, data.len);
+ break;
+ }
+ case AT_MAC:
+ {
+ *pos.ptr++ = 5; pos.len--;
+ *pos.ptr++ = 0; pos.len--;
+ *pos.ptr++ = 0; pos.len--;
+ mac_pos = pos.ptr;
+ memset(mac_pos, 0, MAC_LEN);
+ pos = chunk_skip(pos, MAC_LEN);
+ mac_data = data;
+ break;
+ }
+ case AT_RAND:
+ {
+ *pos.ptr++ = data.len/4 + 1; pos.len--;
+ *pos.ptr++ = 0; pos.len--;
+ *pos.ptr++ = 0; pos.len--;
+ memcpy(pos.ptr, data.ptr, data.len);
+ pos = chunk_skip(pos, data.len);
+ break;
+ }
+ default:
+ DBG1(DBG_IKE, "no rule to build EAP_SIM attribute %N, skipped",
+ sim_attribute_names, attr);
+ break;
+ }
+ }
+ va_end(args);
+
+ /* calculate message length, write into header */
+ message.len = pos.ptr - message.ptr;
+ *(u_int16_t*)(message.ptr + 2) = htons(message.len);
+
+ /* create MAC if AT_MAC attribte was included. Append supplied va_arg
+ * chunk mac_data to "to-sign" chunk */
+ if (mac_pos)
+ {
+ signer_t *signer = signer_create(AUTH_HMAC_SHA1_128);
+ signer->set_key(signer, this->k_auth);
+ mac_data = chunk_cata("cc", message, mac_data);
+ signer->get_signature(signer, mac_data, mac_pos);
+ DBG3(DBG_IKE, "AT_MAC signature of %B\n is %b",
+ &mac_data, mac_pos, MAC_LEN);
+ signer->destroy(signer);
+ }
+
+ payload = eap_payload_create_data(message);
+
+ DBG3(DBG_IKE, "created EAP message %B", &message);
+ return payload;
+}
+
+/**
+ * process an EAP-SIM/Request/Start message
+ */
+static status_t process_start(private_eap_sim_t *this, eap_payload_t *in,
+ eap_payload_t **out)
+{
+ chunk_t message, data;
+ sim_attribute_t attribute, include_id = AT_END;
+ u_int8_t identifier;
+
+ identifier = in->get_identifier(in);
+ message = in->get_data(in);
+ read_header(&message);
+
+ while ((attribute = read_attribute(&message, &data)) != AT_END)
+ {
+ switch (attribute)
+ {
+ case AT_VERSION_LIST:
+ {
+ /* check if server supports our implementation */
+ bool found = FALSE;
+ if (data.len > 2)
+ {
+ /* read actual length first */
+ data.len = min(data.len, ntohs(*(u_int16_t*)data.ptr) + 2);
+ data = chunk_skip(data, 2);
+ chunk_free(&this->version_list);
+ this->version_list = chunk_clone(data);
+ while (data.len >= this->version.len)
+ {
+ if (memeq(data.ptr, this->version.ptr, this->version.len))
+ {
+ found = TRUE;
+ break;
+ }
+ data = chunk_skip(data, this->version.len);
+ }
+ }
+ if (!found)
+ {
+ DBG1(DBG_IKE, "server does not support EAP_SIM "
+ "version number %#B", &this->version);
+ *out = build_payload(this, identifier, SIM_CLIENT_ERROR,
+ AT_CLIENT_ERROR_CODE, client_error_unsupported,
+ AT_END);
+ return NEED_MORE;
+ }
+ break;
+ }
+ case AT_PERMANENT_ID_REQ:
+ case AT_FULLAUTH_ID_REQ:
+ case AT_ANY_ID_REQ:
+ /* only include AT_IDENTITY if requested */
+ include_id = AT_IDENTITY;
+ break;
+ default:
+ DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N",
+ sim_attribute_names, attribute);
+ break;
+ }
+ }
+
+ /* build payload. If "include_id" is AT_END, AT_IDENTITY is ommited */
+ *out = build_payload(this, identifier, SIM_START,
+ AT_SELECTED_VERSION, this->version,
+ AT_NONCE_MT, this->nonce,
+ include_id, this->peer->get_encoding(this->peer),
+ AT_END);
+ return NEED_MORE;
+}
+
+/**
+ * process an EAP-SIM/Request/Challenge message
+ */
+static status_t process_challenge(private_eap_sim_t *this, eap_payload_t *in,
+ eap_payload_t **out)
+{
+ chunk_t message, data, tmp, kcs, kc, sreses, sres, mk;
+ sim_attribute_t attribute;
+ u_int8_t identifier, i;
+ chunk_t mac = chunk_empty, rands = chunk_empty;
+ signer_t *signer;
+ hasher_t *hasher;
+ prf_t *prf;
+
+ if (this->tries-- <= 0)
+ {
+ /* give up without notification. This hack is required as some buggy
+ * server implementations won't respect our client-error. */
+ return FAILED;
+ }
+
+ identifier = in->get_identifier(in);
+ message = in->get_data(in);
+ read_header(&message);
+
+ while ((attribute = read_attribute(&message, &data)) != AT_END)
+ {
+ switch (attribute)
+ {
+ case AT_RAND:
+ {
+ rands = chunk_skip(data, 2);
+ break;
+ }
+ case AT_MAC:
+ {
+ /* backup MAC, zero it inline for later verification */
+ data = chunk_skip(data, 2);
+ mac = chunk_clonea(data);
+ memset(data.ptr, 0, data.len);
+ break;
+ }
+ default:
+ DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N",
+ sim_attribute_names, attribute);
+ break;
+ }
+ }
+
+ /* excepting two or three RAND, each 16 bytes. We require two valid
+ * and different RANDs */
+ if ((rands.len != 2 * RAND_LEN && rands.len != 3 * RAND_LEN) ||
+ memeq(rands.ptr, rands.ptr + RAND_LEN, RAND_LEN))
+ {
+ DBG1(DBG_IKE, "no valid AT_RAND received");
+ *out = build_payload(this, identifier, SIM_CLIENT_ERROR,
+ AT_CLIENT_ERROR_CODE, client_error_insufficient,
+ AT_END);
+ return FAILED;
+ }
+ if (mac.len != MAC_LEN)
+ {
+ DBG1(DBG_IKE, "no valid AT_MAC received");
+ *out = build_payload(this, identifier, SIM_CLIENT_ERROR,
+ AT_CLIENT_ERROR_CODE, client_error_general,
+ AT_END);
+ return NEED_MORE;
+ }
+
+ /* get two or three KCs/SRESes from SIM using RANDs */
+ kcs = kc = chunk_alloca(rands.len / 2);
+ sreses = sres = chunk_alloca(rands.len / 4);
+ while (rands.len > 0)
+ {
+ int kc_len = kc.len, sres_len = sres.len;
+
+ if (this->alg(rands.ptr, RAND_LEN, sres.ptr, &sres_len, kc.ptr, &kc_len))
+ {
+ DBG1(DBG_IKE, "unable to get triplets from SIM");
+ *out = build_payload(this, identifier, SIM_CLIENT_ERROR,
+ AT_CLIENT_ERROR_CODE, client_error_general,
+ AT_END);
+ return NEED_MORE;
+ }
+ DBG3(DBG_IKE, "got triplet for RAND %b\n Kc %b\n SRES %b",
+ rands.ptr, RAND_LEN, sres.ptr, sres_len, kc.ptr, kc_len);
+ kc = chunk_skip(kc, kc_len);
+ sres = chunk_skip(sres, sres_len);
+ rands = chunk_skip(rands, RAND_LEN);
+ }
+
+ /* build MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version) */
+ tmp = chunk_cata("ccccc", this->peer->get_encoding(this->peer), kcs,
+ this->nonce, this->version_list, this->version);
+ hasher = hasher_create(HASH_SHA1);
+ mk = chunk_alloca(hasher->get_hash_size(hasher));
+ hasher->get_hash(hasher, tmp, mk.ptr);
+ hasher->destroy(hasher);
+ DBG3(DBG_IKE, "MK = SHA1(%B\n) = %B", &tmp, &mk);
+
+ /* K_encr | K_auth | MSK | EMSK = prf() | prf() | prf() | prf()
+ * FIPS PRF has 320 bit block size, we need 160 byte for keys
+ * => run prf four times */
+ prf = prf_create(PRF_FIPS_SHA1_160);
+ prf->set_key(prf, mk);
+ tmp = chunk_alloca(prf->get_block_size(prf) * 4);
+ for (i = 0; i < 4; i++)
+ {
+ prf->get_bytes(prf, chunk_empty, tmp.ptr + tmp.len / 4 * i);
+ }
+ prf->destroy(prf);
+ chunk_free(&this->k_encr);
+ chunk_free(&this->k_auth);
+ chunk_free(&this->msk);
+ chunk_free(&this->emsk);
+ chunk_split(tmp, "aaaa", KENCR_LEN, &this->k_encr, KAUTH_LEN, &this->k_auth,
+ MSK_LEN, &this->msk, EMSK_LEN, &this->emsk);
+ DBG3(DBG_IKE, "K_encr %B\nK_auth %B\nMSK %B\nEMSK %B",
+ &this->k_encr, &this->k_auth, &this->msk, &this->emsk);
+
+ /* verify AT_MAC attribute, signature is over "EAP packet | NONCE_MT" */
+ signer = signer_create(AUTH_HMAC_SHA1_128);
+ signer->set_key(signer, this->k_auth);
+ tmp = chunk_cata("cc", in->get_data(in), this->nonce);
+ if (!signer->verify_signature(signer, tmp, mac))
+ {
+ DBG1(DBG_IKE, "AT_MAC verification failed");
+ signer->destroy(signer);
+ *out = build_payload(this, identifier, SIM_CLIENT_ERROR,
+ AT_CLIENT_ERROR_CODE, client_error_general,
+ AT_END);
+ return NEED_MORE;
+ }
+ signer->destroy(signer);
+
+ /* build response, AT_MAC is built over "EAP packet | n*SRES" */
+ *out = build_payload(this, identifier, SIM_CHALLENGE,
+ AT_MAC, sreses,
+ AT_END);
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of eap_method_t.process for the peer
+ */
+static status_t process(private_eap_sim_t *this,
+ eap_payload_t *in, eap_payload_t **out)
+{
+ sim_subtype_t type;
+ chunk_t message;
+
+ message = in->get_data(in);
+ type = read_header(&message);
+
+ switch (type)
+ {
+ case SIM_START:
+ return process_start(this, in, out);
+ case SIM_CHALLENGE:
+ return process_challenge(this, in, out);
+ default:
+ DBG1(DBG_IKE, "unable to process EAP_SIM subtype %N",
+ sim_subtype_names, type);
+ *out = build_payload(this, in->get_identifier(in), SIM_CLIENT_ERROR,
+ AT_CLIENT_ERROR_CODE, client_error_general, AT_END);
+ return NEED_MORE;
+ }
+}
+
+/**
+ * Implementation of eap_method_t.initiate for the peer
+ */
+static status_t initiate(private_eap_sim_t *this, eap_payload_t **out)
+{
+ /* peer never initiates */
+ return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.get_type.
+ */
+static eap_type_t get_type(private_eap_sim_t *this)
+{
+ return EAP_SIM;
+}
+
+/**
+ * Implementation of eap_method_t.get_msk.
+ */
+static status_t get_msk(private_eap_sim_t *this, chunk_t *msk)
+{
+ if (this->msk.ptr)
+ {
+ *msk = this->msk;
+ return SUCCESS;
+ }
+ return FAILED;
+}
+
+/**
+ * Implementation of eap_method_t.is_mutual.
+ */
+static bool is_mutual(private_eap_sim_t *this)
+{
+ return TRUE;
+}
+
+/**
+ * Implementation of eap_method_t.destroy.
+ */
+static void destroy(private_eap_sim_t *this)
+{
+ dlclose(this->handle);
+ chunk_free(&this->nonce);
+ chunk_free(&this->version_list);
+ chunk_free(&this->k_auth);
+ chunk_free(&this->k_encr);
+ chunk_free(&this->msk);
+ chunk_free(&this->emsk);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_sim_t *eap_create(eap_role_t role,
+ identification_t *server, identification_t *peer)
+{
+ private_eap_sim_t *this;
+ randomizer_t *randomizer;
+ static char version[] = {0x00,0x01};
+
+ if (role != EAP_PEER)
+ {
+ return NULL;
+ }
+ this = malloc_thing(private_eap_sim_t);
+
+ this->handle = dlopen(SIM_READER_LIB, RTLD_LAZY);
+ if (this->handle == NULL)
+ {
+ DBG1(DBG_IKE, "unable to open SIM reader '%s'", SIM_READER_LIB);
+ free(this);
+ return NULL;
+ }
+ this->alg = dlsym(this->handle, SIM_READER_ALG);
+ if (this->alg == NULL)
+ {
+ DBG1(DBG_IKE, "unable to open SIM reader function '%s' in '%s'",
+ SIM_READER_ALG, SIM_READER_LIB);
+ dlclose(this->handle);
+ free(this);
+ return NULL;
+ }
+
+ randomizer = randomizer_create();
+ if (randomizer->allocate_pseudo_random_bytes(randomizer, NONCE_LEN,
+ &this->nonce))
+ {
+ DBG1(DBG_IKE, "unable to generate NONCE for EAP_SIM");
+ randomizer->destroy(randomizer);
+ free(this);
+ return NULL;
+ }
+ randomizer->destroy(randomizer);
+
+ /* public functions */
+ this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate;
+ this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process;
+ this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*))get_type;
+ this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual;
+ this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk;
+ this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy;
+
+ /* private data */
+ this->peer = peer;
+ this->tries = MAX_TRIES;
+ this->version.ptr = version;
+ this->version.len = sizeof(version);
+ this->version_list = chunk_empty;
+ this->k_auth = chunk_empty;
+ this->k_encr = chunk_empty;
+ this->msk = chunk_empty;
+ this->emsk = chunk_empty;
+
+ return &this->public;
+}
diff --git a/src/charon/sa/authenticators/eap/eap_sim.h b/src/charon/sa/authenticators/eap/eap_sim.h
new file mode 100644
index 000000000..10640babe
--- /dev/null
+++ b/src/charon/sa/authenticators/eap/eap_sim.h
@@ -0,0 +1,141 @@
+/**
+ * @file eap_sim.h
+ *
+ * @brief Interface of eap_sim_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef EAP_SIM_H_
+#define EAP_SIM_H_
+
+typedef struct eap_sim_t eap_sim_t;
+typedef enum sim_subtype_t sim_subtype_t;
+typedef enum sim_attribute_t sim_attribute_t;
+
+#include <sa/authenticators/eap/eap_method.h>
+
+/**
+ * Subtypes of SIM messages
+ */
+enum sim_subtype_t {
+ SIM_START = 10,
+ SIM_CHALLENGE = 11,
+ SIM_NOTIFICATION = 12,
+ SIM_CLIENT_ERROR = 14,
+};
+
+/**
+ * enum names for sim_subtype_t
+ */
+extern enum_name_t *sim_subtype_names;
+
+enum sim_attribute_t {
+ /** defines the end of attribute list */
+ AT_END = -1,
+ AT_RAND = 1,
+ AT_AUTN = 2,
+ AT_RES = 3,
+ AT_AUTS = 4,
+ AT_PADDING = 6,
+ AT_NONCE_MT = 7,
+ AT_PERMANENT_ID_REQ = 10,
+ AT_MAC = 11,
+ AT_NOTIFICATION = 12,
+ AT_ANY_ID_REQ = 13,
+ AT_IDENTITY = 14,
+ AT_VERSION_LIST = 15,
+ AT_SELECTED_VERSION = 16,
+ AT_FULLAUTH_ID_REQ = 17,
+ AT_COUNTER = 19,
+ AT_COUNTER_TOO_SMALL = 20,
+ AT_NONCE_S = 21,
+ AT_CLIENT_ERROR_CODE = 22,
+ AT_IV = 129,
+ AT_ENCR_DATA = 130,
+ AT_NEXT_PSEUDONYM = 132,
+ AT_NEXT_REAUTH_ID = 133,
+ AT_CHECKCODE = 134,
+ AT_RESULT_IND = 135,
+};
+
+/**
+ * enum names for sim_subtype_t
+ */
+extern enum_name_t *sim_attribute_names;
+
+/**
+ * @brief Cardreaders SIM function.
+ *
+ * @param rand RAND to run algo with
+ * @param rand_length length of value in rand
+ * @param sres buffer to get SRES
+ * @param sres_length size of buffer in sres, returns bytes written to SRES
+ * @param kc buffer to get Kc
+ * @param kc_length size of buffer in Kc, returns bytes written to Kc
+ * @return zero on success
+ */
+typedef int (*sim_algo_t)(const unsigned char *rand, int rand_length,
+ unsigned char *sres, int *sres_length,
+ unsigned char *kc, int *kc_length);
+
+#ifndef SIM_READER_LIB
+/** the library containing the cardreader with the SIM function */
+#error SIM_READER_LIB not specified, use --with-sim-reader option
+#endif /* SIM_READER_LIB */
+
+#ifndef SIM_READER_ALG
+/** the SIM_READER_LIB's algorithm, uses sim_algo_t signature */
+#define SIM_READER_ALG "sim_run_alg"
+#endif /* SIM_READER_ALG */
+
+
+/**
+ * @brief Implementation of the eap_method_t interface using EAP-SIM.
+ *
+ * This EAP-SIM client implementation uses another pluggable library to
+ * access the SIM card. This module is specified using the SIM_READER_LIB
+ * definition. The function to run the algorithm has the sim_algo_t type and
+ * is named as SIM_READER_ALG is defined.
+ *
+ * @b Constructors:
+ * - eap_create() of this module
+ * - eap_client_create() using eap_method EAP_SIM
+ *
+ * @ingroup eap
+ */
+struct eap_sim_t {
+
+ /**
+ * Implemented eap_method_t interface.
+ */
+ eap_method_t eap_method_interface;
+};
+
+/**
+ * @brief Creates the EAP method EAP-SIM.
+ *
+ * @param server ID of the EAP server
+ * @param peer ID of the EAP client
+ * @return eap_sim_t object
+ *
+ * @ingroup eap
+ */
+eap_sim_t *eap_create(eap_role_t role,
+ identification_t *server, identification_t *peer);
+
+#endif /* EAP_SIM_H_ */
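Review bot: The comment on `SIM_READER_LIB` does not say that the value is handed unchanged to `dlopen()` in `eap_create()` (eap_sim.c), so a bare library name would be resolved through the dynamic loader's search path inside the daemon that handles Kc and SRES. I would document the expectation where the macro is required, for example `/** library with the SIM function, passed to dlopen(); configure an absolute path */`. The comment above `sim_attribute_names` is a copy of the one for the subtype table and should read `enum names for sim_attribute_t`. The `eap_create()` documentation omits `@param role` and the NULL return, which the implementation produces for any role other than `EAP_PEER` and when the reader library or symbol cannot be loaded; `@return eap_sim_t object, NULL if role is not EAP_PEER or the SIM reader is unavailable` would cover it.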
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c
new file mode 100644
index 000000000..6c8ca8d8f
--- /dev/null
+++ b/src/charon/sa/authenticators/eap_authenticator.c
@@ -0,0 +1,360 @@
+/**
+ * @file eap_authenticator.c
+ *
+ * @brief Implementation of eap_authenticator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "eap_authenticator.h"
+
+#include <daemon.h>
+#include <config/policies/policy.h>
+#include <sa/authenticators/eap/eap_method.h>
+
+typedef struct private_eap_authenticator_t private_eap_authenticator_t;
+
+/**
+ * Private data of an eap_authenticator_t object.
+ */
+struct private_eap_authenticator_t {
+
+ /**
+ * Public authenticator_t interface.
+ */
+ eap_authenticator_t public;
+
+ /**
+ * Assigned IKE_SA
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Role of this authenticator, PEER or SERVER
+ */
+ eap_role_t role;
+
+ /**
+ * Current EAP method processing
+ */
+ eap_method_t *method;
+
+ /**
+ * MSK used to build and verify auth payload
+ */
+ chunk_t msk;
+};
+
+extern chunk_t build_shared_key_signature(chunk_t ike_sa_init, chunk_t nonce,
+ chunk_t secret, identification_t *id,
+ prf_t *prf_skp, prf_t *prf);
+
+/**
+ * Implementation of authenticator_t.verify.
+ */
+static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t my_nonce, auth_payload_t *auth_payload)
+{
+ chunk_t auth_data, recv_auth_data;
+ identification_t *other_id = this->ike_sa->get_other_id(this->ike_sa);
+
+ auth_data = build_shared_key_signature(ike_sa_init, my_nonce, this->msk,
+ other_id, this->ike_sa->get_auth_verify(this->ike_sa),
+ this->ike_sa->get_prf(this->ike_sa));
+
+ recv_auth_data = auth_payload->get_data(auth_payload);
+ if (!chunk_equals(auth_data, recv_auth_data))
+ {
+ DBG1(DBG_IKE, "verification of AUTH payload created from EAP MSK failed");
+ chunk_free(&auth_data);
+ return FAILED;
+ }
+ chunk_free(&auth_data);
+
+ DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+ other_id, auth_method_names, AUTH_EAP);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of authenticator_t.build.
+ */
+static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t other_nonce, auth_payload_t **auth_payload)
+{
+ chunk_t auth_data;
+ identification_t *my_id = this->ike_sa->get_my_id(this->ike_sa);
+
+ DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
+ my_id, auth_method_names, AUTH_EAP);
+
+ auth_data = build_shared_key_signature(ike_sa_init, other_nonce, this->msk,
+ my_id, this->ike_sa->get_auth_build(this->ike_sa),
+ this->ike_sa->get_prf(this->ike_sa));
+
+ *auth_payload = auth_payload_create();
+ (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
+ (*auth_payload)->set_data(*auth_payload, auth_data);
+ chunk_free(&auth_data);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of eap_authenticator_t.initiate
+ */
+static status_t initiate(private_eap_authenticator_t *this, eap_type_t type,
+ eap_payload_t **out)
+{
+ /* if initiate() is called, role is always server */
+ this->role = EAP_SERVER;
+
+ if (type == 0)
+ {
+ DBG1(DBG_IKE,
+ "client requested EAP authentication, but configuration forbids it");
+ *out = eap_payload_create_code(EAP_FAILURE);
+ return FAILED;
+ }
+
+ DBG1(DBG_IKE, "requesting %N authentication", eap_type_names, type);
+ this->method = eap_method_create(type, this->role,
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+
+ if (this->method == NULL)
+ {
+ DBG1(DBG_IKE, "configured EAP server method %N not supported, sending %N",
+ eap_type_names, type, eap_code_names, EAP_FAILURE);
+ *out = eap_payload_create_code(EAP_FAILURE);
+ return FAILED;
+ }
+ if (this->method->initiate(this->method, out) != NEED_MORE)
+ {
+ DBG1(DBG_IKE, "failed to initiate %N, sending %N",
+ eap_type_names, type, eap_code_names, EAP_FAILURE);
+ *out = eap_payload_create_code(EAP_FAILURE);
+ return FAILED;
+ }
+ return NEED_MORE;
+}
+
+/**
+ * Processing method for a peer
+ */
+static status_t process_peer(private_eap_authenticator_t *this,
+ eap_payload_t *in, eap_payload_t **out)
+{
+ eap_type_t type = in->get_type(in);
+
+ if (type == EAP_IDENTITY)
+ {
+ eap_method_t *method = eap_method_create(type, EAP_PEER,
+ this->ike_sa->get_other_id(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa));
+
+ if (method == NULL || method->process(method, in, out) != SUCCESS)
+ {
+ DBG1(DBG_IKE, "EAP server requested %N, but unable to process",
+ eap_type_names, type);
+ DESTROY_IF(method);
+ return FAILED;
+ }
+
+ DBG1(DBG_IKE, "EAP server requested %N, sending IKE identity",
+ eap_type_names, type);
+
+ method->destroy(method);
+ return NEED_MORE;
+ }
+
+ /* create an eap_method for the first call */
+ if (this->method == NULL)
+ {
+ DBG1(DBG_IKE, "EAP server requested %N authentication",
+ eap_type_names, type);
+ this->method = eap_method_create(type, EAP_PEER,
+ this->ike_sa->get_other_id(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa));
+ if (this->method == NULL)
+ {
+ DBG1(DBG_IKE, "EAP server requested unsupported "
+ "EAP method %N, sending EAP_NAK", eap_type_names, type);
+ *out = eap_payload_create_nak();
+ return NEED_MORE;
+ }
+ }
+
+ switch (this->method->process(this->method, in, out))
+ {
+ case NEED_MORE:
+ return NEED_MORE;
+ case SUCCESS:
+ DBG1(DBG_IKE, "EAP method %N succeded",
+ eap_type_names, this->method->get_type(this->method));
+ return SUCCESS;
+ case FAILED:
+ default:
+ DBG1(DBG_IKE, "EAP method %N failed",
+ eap_type_names, this->method->get_type(this->method));
+ return FAILED;
+ }
+}
+
+/**
+ * Processing method for a server
+ */
+static status_t process_server(private_eap_authenticator_t *this,
+ eap_payload_t *in, eap_payload_t **out)
+{
+ switch (this->method->process(this->method, in, out))
+ {
+ case NEED_MORE:
+ return NEED_MORE;
+ case SUCCESS:
+ if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
+ {
+ DBG1(DBG_IKE, "EAP method %N succeded, MSK established",
+ eap_type_names, this->method->get_type(this->method));
+ this->msk = chunk_clone(this->msk);
+ *out = eap_payload_create_code(EAP_SUCCESS);
+ return SUCCESS;
+ }
+ DBG1(DBG_IKE, "EAP method %N succeded, but no MSK established",
+ eap_type_names, this->method->get_type(this->method));
+ *out = eap_payload_create_code(EAP_FAILURE);
+ return FAILED;
+ case FAILED:
+ default:
+ DBG1(DBG_IKE, "EAP method %N failed for peer %D",
+ eap_type_names, this->method->get_type(this->method),
+ this->ike_sa->get_other_id(this->ike_sa));
+ *out = eap_payload_create_code(EAP_FAILURE);
+ return FAILED;
+ }
+}
+
+/**
+ * Implementation of eap_authenticator_t.process
+ */
+static status_t process(private_eap_authenticator_t *this, eap_payload_t *in,
+ eap_payload_t **out)
+{
+ eap_code_t code = in->get_code(in);
+
+ switch (this->role)
+ {
+ case EAP_SERVER:
+ {
+ switch (code)
+ {
+ case EAP_RESPONSE:
+ {
+ return process_server(this, in, out);
+ }
+ default:
+ {
+ DBG1(DBG_IKE, "received %N, sending %N",
+ eap_code_names, code, eap_code_names, EAP_FAILURE);
+ *out = eap_payload_create_code(EAP_FAILURE);
+ return FAILED;
+ }
+ }
+ }
+ case EAP_PEER:
+ {
+ switch (code)
+ {
+ case EAP_REQUEST:
+ {
+ return process_peer(this, in, out);
+ }
+ case EAP_SUCCESS:
+ {
+ if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
+ {
+ this->msk = chunk_clone(this->msk);
+ return SUCCESS;
+ }
+ DBG1(DBG_IKE, "EAP method %N has no MSK established",
+ eap_type_names, this->method->get_type(this->method));
+ return FAILED;
+ }
+ case EAP_FAILURE:
+ default:
+ {
+ DBG1(DBG_IKE, "received %N, EAP authentication failed",
+ eap_code_names, code);
+ return FAILED;
+ }
+ }
+ }
+ default:
+ {
+ return FAILED;
+ }
+ }
+}
+
+/**
+ * Implementation of authenticator_t.is_mutual.
+ */
+static bool is_mutual(private_eap_authenticator_t *this)
+{
+ if (this->method)
+ {
+ return this->method->is_mutual(this->method);
+ }
+ return FALSE;
+}
+
+/**
+ * Implementation of authenticator_t.destroy.
+ */
+static void destroy(private_eap_authenticator_t *this)
+{
+ DESTROY_IF(this->method);
+ chunk_free(&this->msk);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa)
+{
+ private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
+
+ /* public functions */
+ this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
+ this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
+ this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
+
+ this->public.is_mutual = (bool(*)(eap_authenticator_t*))is_mutual;
+ this->public.initiate = (status_t(*)(eap_authenticator_t*,eap_type_t,eap_payload_t**))initiate;
+ this->public.process = (status_t(*)(eap_authenticator_t*,eap_payload_t*,eap_payload_t**))process;
+
+ /* private data */
+ this->ike_sa = ike_sa;
+ this->role = EAP_PEER;
+ this->method = NULL;
+ this->msk = chunk_empty;
+
+ return &this->public;
+}
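Review bot: In `process()`, the `EAP_PEER` / `EAP_SUCCESS` case calls `this->method->get_msk(...)` although `this->method` stays NULL until `process_peer()` has created a method (the constructor sets it to NULL), so an EAP-Success that arrives before any method request dereferences a null pointer in the daemon. A guard at the top of that case, `if (this->method == NULL) { DBG1(DBG_IKE, "received %N without an EAP method", eap_code_names, code); return FAILED; }`, has to come before both the `get_msk` call and the DBG1 that follows it, since both read `this->method`. `process_server()` relies on the same assumption: `initiate()` sets the role to `EAP_SERVER` before it can fail with `this->method == NULL`, so unless the caller never invokes `process()` after a failed `initiate()` (not visible here), the same check is needed there. Both `get_msk` call sites also overwrite `this->msk` before cloning it, which would leak an earlier clone if the success path can run twice.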
diff --git a/src/charon/sa/authenticators/eap_authenticator.h b/src/charon/sa/authenticators/eap_authenticator.h
new file mode 100644
index 000000000..ffa162343
--- /dev/null
+++ b/src/charon/sa/authenticators/eap_authenticator.h
@@ -0,0 +1,156 @@
+/**
+ * @file eap_authenticator.h
+ *
+ * @brief Interface of eap_authenticator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef EAP_AUTHENTICATOR_H_
+#define EAP_AUTHENTICATOR_H_
+
+typedef struct eap_authenticator_t eap_authenticator_t;
+
+#include <sa/authenticators/authenticator.h>
+#include <encoding/payloads/eap_payload.h>
+
+/**
+ * @brief Implementation of the authenticator_t interface using AUTH_EAP.
+ *
+ * Authentication using EAP involves the most complex authenticator. It stays
+ * alive over multiple ike_auth transactions and handles multiple EAP
+ * messages.
+ * EAP authentication must be clearly distinguished between using
+ * mutual EAP methods and using methods not providing server authentication.
+ * If no mutual authentication is used, the server must prove it's identity
+ * by traditional AUTH methods (RSA, psk). Only when the EAP method is mutual,
+ * the client should accept an EAP-only authentication.
+ * RFC4306 does always use traditional authentiction, EAP only authentication
+ * is described in the internet draft draft-eronen-ipsec-ikev2-eap-auth-05.txt.
+ *
+ * @verbatim
+ ike_sa_init
+ ------------------------->
+ <-------------------------
+ followed by multiple ike_auth:
+
+ +--------+ +--------+
+ | EAP | ID, SA, TS, N(EAP_ONLY) | EAP |
+ | client | ---------------------------> | server |
+ | | ID, [AUTH,] EAP | | AUTH payload is
+ | | <--------------------------- | | only included if
+ | | EAP | | authentication
+ | | ---------------------------> | | is not mutual.
+ | | EAP | |
+ | | <--------------------------- | |
+ | | EAP | |
+ | | ---------------------------> | |
+ | | EAP(SUCCESS) | |
+ | | <--------------------------- | |
+ | | AUTH | | If EAP establishes
+ | | ---------------------------> | | a session key, AUTH
+ | | AUTH, SA, TS | | payloads use this
+ | | <--------------------------- | | key, not SK_pi/pr
+ +--------+ +--------+
+
+ @endverbatim
+ * @b Constructors:
+ * - eap_authenticator_create()
+ * - authenticator_create() using auth_method AUTH_EAP
+ *
+ * @ingroup authenticators
+ */
+struct eap_authenticator_t {
+
+ /**
+ * Implemented authenticator_t interface.
+ */
+ authenticator_t authenticator_interface;
+
+ /**
+ * @brief Check if the EAP method was/is mutual and secure.
+ *
+ * RFC4306 proposes to authenticate the EAP responder (server) by standard
+ * IKEv2 methods (RSA, psk). Not all, but some EAP methods
+ * provide mutual authentication, which would result in a redundant
+ * authentication. If the client supports EAP_ONLY_AUTHENTICATION, and
+ * the the server provides mutual authentication, authentication using
+ * RSA/PSK may be omitted. If the server did not include a traditional
+ * AUTH payload, the client must verify that the server initiated mutual
+ * EAP authentication before it can trust the server.
+ *
+ * @param this calling object
+ * @return TRUE, if no AUTH payload required, FALSE otherwise
+ */
+ bool (*is_mutual) (eap_authenticator_t* this);
+
+ /**
+ * @brief Initiate the EAP exchange.
+ *
+ * The server initiates EAP exchanges, so the client never calls
+ * this method. If initiate() returns NEED_MORE, the EAP authentication
+ * process started. In any case, a payload is created in "out".
+ *
+ * @param this calling object
+ * @param type EAP method to use to authenticate client
+ * @param out created initiaal EAP message to send
+ * @return
+ * - FAILED, if initiation failed
+ * - NEED_MORE, if more EAP exchanges reqired
+ */
+ status_t (*initiate) (eap_authenticator_t* this, eap_type_t type,
+ eap_payload_t **out);
+
+ /**
+ * @brief Process an EAP message.
+ *
+ * After receiving an EAP message "in", the peer/server processes
+ * the payload and creates a reply/subsequent request.
+ * The server side always returns NEED_MORE if another EAP message
+ * is excepted from the client, SUCCESS if EAP exchange completed and
+ * "out" is EAP_SUCCES, or FAILED if the EAP exchange failed with
+ * a EAP_FAILURE payload in "out". Anyway, a payload in "out" is always
+ * created.
+ * The peer (client) side only creates a "out" payload if result is
+ * NEED_MORE, a SUCCESS/FAILED is returned whenever a
+ * EAP_SUCCESS/EAP_FAILURE message is received in "in".
+ * If a SUCCESS is returned (on any side), the EAP authentication was
+ * successful and the AUTH payload can be exchanged.
+ *
+ * @param this calling object
+ * @param in received EAP message
+ * @param out created EAP message to send
+ * @return
+ * - FAILED, if authentication/EAP exchange failed
+ * - SUCCESS, if authentication completed
+ * - NEED_MORE, if more EAP exchanges reqired
+ */
+ status_t (*process) (eap_authenticator_t* this,
+ eap_payload_t *in, eap_payload_t **out);
+};
+
+/**
+ * @brief Creates an authenticator for AUTH_EAP.
+ *
+ * @param ike_sa associated ike_sa
+ * @return eap_authenticator_t object
+ *
+ * @ingroup authenticators
+ */
+eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa);
+
+#endif /* EAP_AUTHENTICATOR_H_ */
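Review bot: The description of `process` says the server returns NEED_MORE "if another EAP message is excepted from the client", which reads as the opposite of what is meant; the word should be `expected`. In the same comment `EAP_SUCCES` misspells the `EAP_SUCCESS` code, so a search for the identifier misses the one place where the return contract is written down. The remaining typos (`authentiction`, `initiaal`, `reqired`, `it's identity`, `the the server`) can be fixed in the same pass, since this comment carries the rule about when a client may accept EAP-only authentication.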
diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c
new file mode 100644
index 000000000..43aec0971
--- /dev/null
+++ b/src/charon/sa/authenticators/psk_authenticator.c
@@ -0,0 +1,204 @@
+/**
+ * @file psk_authenticator.c
+ *
+ * @brief Implementation of psk_authenticator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "psk_authenticator.h"
+
+#include <config/policies/policy.h>
+#include <daemon.h>
+
+/**
+ * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
+ */
+#define IKEV2_KEY_PAD "Key Pad for IKEv2"
+#define IKEV2_KEY_PAD_LENGTH 17
+
+
+typedef struct private_psk_authenticator_t private_psk_authenticator_t;
+
+/**
+ * Private data of an psk_authenticator_t object.
+ */
+struct private_psk_authenticator_t {
+
+ /**
+ * Public authenticator_t interface.
+ */
+ psk_authenticator_t public;
+
+ /**
+ * Assigned IKE_SA
+ */
+ ike_sa_t *ike_sa;
+};
+
+/**
+ * Builds the octets to be signed as described in section 2.15 of RFC 4306
+ */
+chunk_t build_tbs_octets(chunk_t ike_sa_init, chunk_t nonce,
+ identification_t *id, prf_t *prf)
+{
+ u_int8_t id_header_buf[] = {0x00, 0x00, 0x00, 0x00};
+ chunk_t id_header = chunk_from_buf(id_header_buf);
+ chunk_t id_with_header, id_prfd, id_encoding;
+
+ id_header_buf[0] = id->get_type(id);
+ id_encoding = id->get_encoding(id);
+
+ id_with_header = chunk_cat("cc", id_header, id_encoding);
+ prf->allocate_bytes(prf, id_with_header, &id_prfd);
+ chunk_free(&id_with_header);
+
+ return chunk_cat("ccm", ike_sa_init, nonce, id_prfd);
+}
+
+/**
+ * Creates the AUTH data using auth method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
+ */
+chunk_t build_shared_key_signature(chunk_t ike_sa_init, chunk_t nonce,
+ chunk_t secret, identification_t *id,
+ prf_t *prf_skp, prf_t *prf)
+{
+ chunk_t key_pad, key, auth_data, octets;
+
+ octets = build_tbs_octets(ike_sa_init, nonce, id, prf_skp);
+ /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
+ key_pad.ptr = IKEV2_KEY_PAD;
+ key_pad.len = IKEV2_KEY_PAD_LENGTH;
+ prf->set_key(prf, secret);
+ prf->allocate_bytes(prf, key_pad, &key);
+ prf->set_key(prf, key);
+ prf->allocate_bytes(prf, octets, &auth_data);
+ DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
+ DBG3(DBG_IKE, "secret %B", &secret);
+ DBG3(DBG_IKE, "keypad %B", &key_pad);
+ DBG3(DBG_IKE, "prf(secret, keypad) %B", &key);
+ DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &auth_data);
+ chunk_free(&octets);
+ chunk_free(&key);
+
+ return auth_data;
+}
+
+/**
+ * Implementation of authenticator_t.verify.
+ */
+static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t my_nonce, auth_payload_t *auth_payload)
+{
+ status_t status;
+ chunk_t auth_data, recv_auth_data, shared_key;
+ identification_t *my_id, *other_id;
+
+ my_id = this->ike_sa->get_my_id(this->ike_sa);
+ other_id = this->ike_sa->get_other_id(this->ike_sa);
+ status = charon->credentials->get_shared_key(charon->credentials, my_id,
+ other_id, &shared_key);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
+ return status;
+ }
+
+ auth_data = build_shared_key_signature(ike_sa_init, my_nonce, shared_key,
+ other_id, this->ike_sa->get_auth_verify(this->ike_sa),
+ this->ike_sa->get_prf(this->ike_sa));
+ chunk_free(&shared_key);
+
+ recv_auth_data = auth_payload->get_data(auth_payload);
+ if (auth_data.len != recv_auth_data.len ||
+ !memeq(auth_data.ptr, recv_auth_data.ptr, auth_data.len))
+ {
+ DBG1(DBG_IKE, "PSK MAC verification failed");
+ chunk_free(&auth_data);
+ return FAILED;
+ }
+ chunk_free(&auth_data);
+
+ DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+ other_id, auth_method_names, AUTH_PSK);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of authenticator_t.build.
+ */
+static status_t build(private_psk_authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t other_nonce, auth_payload_t **auth_payload)
+{
+ chunk_t shared_key;
+ chunk_t auth_data;
+ status_t status;
+ identification_t *my_id, *other_id;
+
+ my_id = this->ike_sa->get_my_id(this->ike_sa);
+ other_id = this->ike_sa->get_other_id(this->ike_sa);
+ DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
+ my_id, auth_method_names, AUTH_PSK);
+ status = charon->credentials->get_shared_key(charon->credentials, my_id,
+ other_id, &shared_key);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
+ return status;
+ }
+
+ auth_data = build_shared_key_signature(ike_sa_init, other_nonce, shared_key,
+ my_id, this->ike_sa->get_auth_build(this->ike_sa),
+ this->ike_sa->get_prf(this->ike_sa));
+ DBG2(DBG_IKE, "successfully created shared key MAC");
+ chunk_free(&shared_key);
+ *auth_payload = auth_payload_create();
+ (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
+ (*auth_payload)->set_data(*auth_payload, auth_data);
+
+ chunk_free(&auth_data);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of authenticator_t.destroy.
+ */
+static void destroy(private_psk_authenticator_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa)
+{
+ private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
+
+ /* public functions */
+ this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
+ this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
+ this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
+
+ /* private data */
+ this->ike_sa = ike_sa;
+
+ return &this->public;
+}
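Review bot: `build_shared_key_signature()` writes the raw shared secret and the key derived from it to the log with `DBG3(DBG_IKE, "secret %B", &secret);` and `DBG3(DBG_IKE, "prf(secret, keypad) %B", &key);`, and because eap_authenticator.c passes the EAP MSK through the same function, both pre-shared keys and session keys land in any log collected at that debug level. I would drop those two lines and keep the `octets` and `AUTH` dumps, which are enough to debug a mismatch without exposing key material. `verify()` also accepts the payload without looking at `get_auth_method()`, unlike the RSA `verify()` later in this diff, which returns `INVALID_ARG` on a mismatch; if that is deliberate, a one-line comment such as `/* auth method is not checked here, the caller selects the authenticator */` would make it explicit. The comparison through `memeq()` is presumably not constant-time, so a constant-time compare would be the safer default for a MAC check.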
diff --git a/src/charon/sa/authenticators/psk_authenticator.h b/src/charon/sa/authenticators/psk_authenticator.h
new file mode 100644
index 000000000..c1c5bcaac
--- /dev/null
+++ b/src/charon/sa/authenticators/psk_authenticator.h
@@ -0,0 +1,57 @@
+/**
+ * @file psk_authenticator.h
+ *
+ * @brief Interface of psk_authenticator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PSK_AUTHENTICATOR_H_
+#define PSK_AUTHENTICATOR_H_
+
+typedef struct psk_authenticator_t psk_authenticator_t;
+
+#include <sa/authenticators/authenticator.h>
+
+/**
+ * @brief Implementation of the authenticator_t interface using AUTH_PSK.
+ *
+ * @b Constructors:
+ * - psk_authenticator_create()
+ * - authenticator_create() using auth_method AUTH_PSK
+ *
+ * @ingroup authenticators
+ */
+struct psk_authenticator_t {
+
+ /**
+ * Implemented authenticator_t interface.
+ */
+ authenticator_t authenticator_interface;
+};
+
+/**
+ * @brief Creates an authenticator for AUTH_PSK.
+ *
+ * @param ike_sa associated ike_sa
+ * @return psk_authenticator_t object
+ *
+ * @ingroup authenticators
+ */
+psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa);
+
+#endif /* PSK_AUTHENTICATOR_H_ */
diff --git a/src/charon/sa/authenticators/rsa_authenticator.c b/src/charon/sa/authenticators/rsa_authenticator.c
new file mode 100644
index 000000000..dfa01e332
--- /dev/null
+++ b/src/charon/sa/authenticators/rsa_authenticator.c
@@ -0,0 +1,180 @@
+/**
+ * @file rsa_authenticator.c
+ *
+ * @brief Implementation of rsa_authenticator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "rsa_authenticator.h"
+
+#include <config/policies/policy.h>
+#include <daemon.h>
+
+
+typedef struct private_rsa_authenticator_t private_rsa_authenticator_t;
+
+/**
+ * Private data of an rsa_authenticator_t object.
+ */
+struct private_rsa_authenticator_t {
+
+ /**
+ * Public authenticator_t interface.
+ */
+ rsa_authenticator_t public;
+
+ /**
+ * Assigned IKE_SA
+ */
+ ike_sa_t *ike_sa;
+};
+
+/**
+ * Function implemented in psk_authenticator.c
+ */
+extern chunk_t build_tbs_octets(chunk_t ike_sa_init, chunk_t nonce,
+ identification_t *id, prf_t *prf);
+
+/**
+ * Implementation of authenticator_t.verify.
+ */
+static status_t verify(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t my_nonce, auth_payload_t *auth_payload)
+{
+ status_t status;
+ chunk_t auth_data, octets;
+ rsa_public_key_t *public_key;
+ identification_t *other_id;
+
+ other_id = this->ike_sa->get_other_id(this->ike_sa);
+
+ if (auth_payload->get_auth_method(auth_payload) != AUTH_RSA)
+ {
+ return INVALID_ARG;
+ }
+ auth_data = auth_payload->get_data(auth_payload);
+ public_key = charon->credentials->get_trusted_public_key(charon->credentials,
+ other_id);
+ if (public_key == NULL)
+ {
+ DBG1(DBG_IKE, "no RSA public key found for '%D'", other_id);
+ return NOT_FOUND;
+ }
+ octets = build_tbs_octets(ike_sa_init, my_nonce, other_id,
+ this->ike_sa->get_auth_verify(this->ike_sa));
+ status = public_key->verify_emsa_pkcs1_signature(public_key, octets, auth_data);
+ chunk_free(&octets);
+
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_IKE, "RSA signature verification failed");
+ return status;
+ }
+
+ DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+ other_id, auth_method_names, AUTH_RSA);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of authenticator_t.build.
+ */
+static status_t build(private_rsa_authenticator_t *this, chunk_t ike_sa_init,
+ chunk_t other_nonce, auth_payload_t **auth_payload)
+{
+ chunk_t chunk;
+ chunk_t octets;
+ chunk_t auth_data;
+ status_t status;
+ rsa_public_key_t *my_pubkey;
+ rsa_private_key_t *my_key;
+ identification_t *my_id;
+
+ my_id = this->ike_sa->get_my_id(this->ike_sa);
+ DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
+ my_id, auth_method_names, AUTH_RSA);
+ DBG2(DBG_IKE, "looking for RSA public key belonging to '%D'", my_id);
+
+ my_pubkey = charon->credentials->get_rsa_public_key(charon->credentials, my_id);
+ if (my_pubkey == NULL)
+ {
+ DBG1(DBG_IKE, "no RSA public key found for '%D'", my_id);
+ return NOT_FOUND;
+ }
+ DBG2(DBG_IKE, "matching RSA public key found");
+ chunk = my_pubkey->get_keyid(my_pubkey);
+ DBG2(DBG_IKE, "looking for RSA private key with keyid %#B", &chunk);
+ my_key = charon->credentials->get_rsa_private_key(charon->credentials, my_pubkey);
+ if (my_key == NULL)
+ {
+ DBG1(DBG_IKE, "no RSA private key found with for %D with keyid %#B",
+ my_id, &chunk);
+ return NOT_FOUND;
+ }
+ DBG2(DBG_IKE, "matching RSA private key found");
+
+ octets = build_tbs_octets(ike_sa_init, other_nonce, my_id,
+ this->ike_sa->get_auth_build(this->ike_sa));
+ status = my_key->build_emsa_pkcs1_signature(my_key, HASH_SHA1, octets, &auth_data);
+ chunk_free(&octets);
+
+ if (status != SUCCESS)
+ {
+ my_key->destroy(my_key);
+ DBG1(DBG_IKE, "build signature of SHA1 hash failed");
+ return status;
+ }
+ DBG2(DBG_IKE, "successfully signed with RSA private key");
+
+ *auth_payload = auth_payload_create();
+ (*auth_payload)->set_auth_method(*auth_payload, AUTH_RSA);
+ (*auth_payload)->set_data(*auth_payload, auth_data);
+
+ my_key->destroy(my_key);
+ chunk_free(&auth_data);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of authenticator_t.destroy.
+ */
+static void destroy(private_rsa_authenticator_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+rsa_authenticator_t *rsa_authenticator_create(ike_sa_t *ike_sa)
+{
+ private_rsa_authenticator_t *this = malloc_thing(private_rsa_authenticator_t);
+
+ /* public functions */
+ this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
+ this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
+ this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
+
+ /* private data */
+ this->ike_sa = ike_sa;
+
+ return &this->public;
+}
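Review bot: build() signs with a hard-coded `HASH_SHA1`, and the failure text "build signature of SHA1 hash failed" repeats it, so the signature hash can only be changed by editing this call. SHA-1 was the IKEv2 default when this was written but is no longer considered adequate for signatures, so the choice should come from a named constant or configuration, with a comment such as `/* IKEv2 default signature hash, not negotiated here */`. `build_tbs_octets()` is declared `extern` inside this .c file, and the psk_authenticator.h added by the same commit does not declare it, so the compiler cannot check this prototype against the definition; it belongs in a header both files include. Ownership of the key objects is also undocumented: verify() never releases `public_key` and build() destroys `my_key` but not `my_pubkey`. If the credential store does not keep ownership of these, they leak on every authentication, so a one-line comment at each lookup stating who owns the returned object would settle it.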
diff --git a/src/charon/sa/authenticators/rsa_authenticator.h b/src/charon/sa/authenticators/rsa_authenticator.h
new file mode 100644
index 000000000..cc5cc0150
--- /dev/null
+++ b/src/charon/sa/authenticators/rsa_authenticator.h
@@ -0,0 +1,57 @@
+/**
+ * @file rsa_authenticator.h
+ *
+ * @brief Interface of rsa_authenticator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef RSA_AUTHENTICATOR_H_
+#define RSA_AUTHENTICATOR_H_
+
+typedef struct rsa_authenticator_t rsa_authenticator_t;
+
+#include <sa/authenticators/authenticator.h>
+
+/**
+ * @brief Implementation of the authenticator_t interface using AUTH_RSA.
+ *
+ * @b Constructors:
+ * - rsa_authenticator_create()
+ * - authenticator_create() using auth_method AUTH_RSA
+ *
+ * @ingroup authenticators
+ */
+struct rsa_authenticator_t {
+
+ /**
+ * Implemented authenticator_t interface.
+ */
+ authenticator_t authenticator_interface;
+};
+
+/**
+ * @brief Creates an authenticator for AUTH_RSA.
+ *
+ * @param ike_sa associated ike_sa
+ * @return rsa_authenticator_t object
+ *
+ * @ingroup authenticators
+ */
+rsa_authenticator_t *rsa_authenticator_create(ike_sa_t *ike_sa);
+
+#endif /* RSA_AUTHENTICATOR_H_ */
diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c
new file mode 100644
index 000000000..19131389d
--- /dev/null
+++ b/src/charon/sa/child_sa.c
@@ -0,0 +1,1130 @@
+/**
+ * @file child_sa.c
+ *
+ * @brief Implementation of child_sa_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include "child_sa.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <printf.h>
+
+#include <daemon.h>
+
+ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DELETING,
+ "CREATED",
+ "ROUTED",
+ "INSTALLED",
+ "REKEYING",
+ "DELETING",
+);
+
+typedef struct sa_policy_t sa_policy_t;
+
+/**
+ * Struct used to store information for a policy. This
+ * is needed since we must provide all this information
+ * for deleting a policy...
+ */
+struct sa_policy_t {
+ /**
+ * Traffic selector for us
+ */
+ traffic_selector_t *my_ts;
+
+ /**
+ * Traffic selector for other
+ */
+ traffic_selector_t *other_ts;
+};
+
+typedef struct private_child_sa_t private_child_sa_t;
+
+/**
+ * Private data of a child_sa_t bject.
+ */
+struct private_child_sa_t {
+ /**
+ * Public interface of child_sa_t.
+ */
+ child_sa_t public;
+
+ struct {
+ /** address of peer */
+ host_t *addr;
+ /** id of peer */
+ identification_t *id;
+ /** actual used SPI, 0 if unused */
+ u_int32_t spi;
+ } me, other;
+
+ /**
+ * Allocated SPI for a ESP proposal candidates
+ */
+ u_int32_t alloc_esp_spi;
+
+ /**
+ * Allocated SPI for a AH proposal candidates
+ */
+ u_int32_t alloc_ah_spi;
+
+ /**
+ * Protocol used to protect this SA, ESP|AH
+ */
+ protocol_id_t protocol;
+
+ /**
+ * List containing sa_policy_t objects
+ */
+ linked_list_t *policies;
+
+ /**
+ * Seperate list for local traffic selectors
+ */
+ linked_list_t *my_ts;
+
+ /**
+ * Seperate list for remote traffic selectors
+ */
+ linked_list_t *other_ts;
+
+ /**
+ * reqid used for this child_sa
+ */
+ u_int32_t reqid;
+
+ /**
+ * encryption algorithm used for this SA
+ */
+ algorithm_t encryption;
+
+ /**
+ * integrity protection algorithm used for this SA
+ */
+ algorithm_t integrity;
+
+ /**
+ * time, on which SA was installed
+ */
+ time_t install_time;
+
+ /**
+ * absolute time when rekeying is sceduled
+ */
+ time_t rekey_time;
+
+ /**
+ * state of the CHILD_SA
+ */
+ child_sa_state_t state;
+
+ /**
+ * Specifies if NAT traversal is used
+ */
+ bool use_natt;
+
+ /**
+ * mode this SA uses, tunnel/transport
+ */
+ mode_t mode;
+
+ /**
+ * virtual IP assinged to local host
+ */
+ host_t *virtual_ip;
+
+ /**
+ * policy used to create this child
+ */
+ policy_t *policy;
+};
+
+/**
+ * Implementation of child_sa_t.get_name.
+ */
+static char *get_name(private_child_sa_t *this)
+{
+ return this->policy->get_name(this->policy);;
+}
+
+/**
+ * Implements child_sa_t.get_reqid
+ */
+static u_int32_t get_reqid(private_child_sa_t *this)
+{
+ return this->reqid;
+}
+
+/**
+ * Implements child_sa_t.get_spi
+ */
+u_int32_t get_spi(private_child_sa_t *this, bool inbound)
+{
+ if (inbound)
+ {
+ return this->me.spi;
+ }
+ return this->other.spi;
+}
+
+/**
+ * Implements child_sa_t.get_protocol
+ */
+protocol_id_t get_protocol(private_child_sa_t *this)
+{
+ return this->protocol;
+}
+
+/**
+ * Implements child_sa_t.get_state
+ */
+static child_sa_state_t get_state(private_child_sa_t *this)
+{
+ return this->state;
+}
+
+/**
+ * Implements child_sa_t.get_policy
+ */
+static policy_t* get_policy(private_child_sa_t *this)
+{
+ return this->policy;
+}
+
+/**
+ * Run the up/down script
+ */
+static void updown(private_child_sa_t *this, bool up)
+{
+ sa_policy_t *policy;
+ iterator_t *iterator;
+ char *script;
+
+ script = this->policy->get_updown(this->policy);
+
+ if (script == NULL)
+ {
+ return;
+ }
+
+ iterator = this->policies->create_iterator(this->policies, TRUE);
+ while (iterator->iterate(iterator, (void**)&policy))
+ {
+ char command[1024];
+ char *ifname = NULL;
+ char *my_client, *other_client, *my_client_mask, *other_client_mask;
+ char *pos, *virtual_ip;
+ FILE *shell;
+
+ /* get subnet/bits from string */
+ asprintf(&my_client, "%R", policy->my_ts);
+ pos = strchr(my_client, '/');
+ *pos = '\0';
+ my_client_mask = pos + 1;
+ pos = strchr(my_client_mask, '[');
+ if (pos)
+ {
+ *pos = '\0';
+ }
+ asprintf(&other_client, "%R", policy->other_ts);
+ pos = strchr(other_client, '/');
+ *pos = '\0';
+ other_client_mask = pos + 1;
+ pos = strchr(other_client_mask, '[');
+ if (pos)
+ {
+ *pos = '\0';
+ }
+
+ if (this->virtual_ip)
+ {
+ asprintf(&virtual_ip, "PLUTO_MY_SOURCEIP='%H' ",
+ this->virtual_ip);
+ }
+ else
+ {
+ asprintf(&virtual_ip, "");
+ }
+
+ ifname = charon->kernel_interface->get_interface(charon->kernel_interface,
+ this->me.addr);
+
+ /* build the command with all env variables.
+ * TODO: PLUTO_PEER_CA and PLUTO_NEXT_HOP are currently missing
+ */
+ snprintf(command, sizeof(command),
+ "2>&1 "
+ "PLUTO_VERSION='1.1' "
+ "PLUTO_VERB='%s%s%s' "
+ "PLUTO_CONNECTION='%s' "
+ "PLUTO_INTERFACE='%s' "
+ "PLUTO_REQID='%u' "
+ "PLUTO_ME='%H' "
+ "PLUTO_MY_ID='%D' "
+ "PLUTO_MY_CLIENT='%s/%s' "
+ "PLUTO_MY_CLIENT_NET='%s' "
+ "PLUTO_MY_CLIENT_MASK='%s' "
+ "PLUTO_MY_PORT='%u' "
+ "PLUTO_MY_PROTOCOL='%u' "
+ "PLUTO_PEER='%H' "
+ "PLUTO_PEER_ID='%D' "
+ "PLUTO_PEER_CLIENT='%s/%s' "
+ "PLUTO_PEER_CLIENT_NET='%s' "
+ "PLUTO_PEER_CLIENT_MASK='%s' "
+ "PLUTO_PEER_PORT='%u' "
+ "PLUTO_PEER_PROTOCOL='%u' "
+ "%s"
+ "%s"
+ "%s",
+ up ? "up" : "down",
+ policy->my_ts->is_host(policy->my_ts,
+ this->me.addr) ? "-host" : "-client",
+ this->me.addr->get_family(this->me.addr) == AF_INET ? "" : "-ipv6",
+ this->policy->get_name(this->policy),
+ ifname ? ifname : "(unknown)",
+ this->reqid,
+ this->me.addr,
+ this->me.id,
+ my_client, my_client_mask,
+ my_client, my_client_mask,
+ policy->my_ts->get_from_port(policy->my_ts),
+ policy->my_ts->get_protocol(policy->my_ts),
+ this->other.addr,
+ this->other.id,
+ other_client, other_client_mask,
+ other_client, other_client_mask,
+ policy->other_ts->get_from_port(policy->other_ts),
+ policy->other_ts->get_protocol(policy->other_ts),
+ virtual_ip,
+ this->policy->get_hostaccess(this->policy) ?
+ "PLUTO_HOST_ACCESS='1' " : "",
+ script);
+ free(ifname);
+ free(my_client);
+ free(other_client);
+ free(virtual_ip);
+
+ shell = popen(command, "r");
+
+ if (shell == NULL)
+ {
+ DBG1(DBG_CHD, "could not execute updown script '%s'", script);
+ return;
+ }
+
+ while (TRUE)
+ {
+ char resp[128];
+
+ if (fgets(resp, sizeof(resp), shell) == NULL)
+ {
+ if (ferror(shell))
+ {
+ DBG1(DBG_CHD, "error reading output from updown script");
+ return;
+ }
+ else
+ {
+ break;
+ }
+ }
+ else
+ {
+ char *e = resp + strlen(resp);
+ if (e > resp && e[-1] == '\n')
+ { /* trim trailing '\n' */
+ e[-1] = '\0';
+ }
+ DBG1(DBG_CHD, "updown: %s", resp);
+ }
+ }
+ pclose(shell);
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implements child_sa_t.set_state
+ */
+static void set_state(private_child_sa_t *this, child_sa_state_t state)
+{
+ this->state = state;
+ if (state == CHILD_INSTALLED)
+ {
+ updown(this, TRUE);
+ }
+}
+
+/**
+ * Allocate SPI for a single proposal
+ */
+static status_t alloc_proposal(private_child_sa_t *this, proposal_t *proposal)
+{
+ protocol_id_t protocol = proposal->get_protocol(proposal);
+
+ if (protocol == PROTO_AH)
+ {
+ /* get a new spi for AH, if not already done */
+ if (this->alloc_ah_spi == 0)
+ {
+ if (charon->kernel_interface->get_spi(
+ charon->kernel_interface,
+ this->other.addr, this->me.addr,
+ PROTO_AH, this->reqid,
+ &this->alloc_ah_spi) != SUCCESS)
+ {
+ return FAILED;
+ }
+ }
+ proposal->set_spi(proposal, this->alloc_ah_spi);
+ }
+ if (protocol == PROTO_ESP)
+ {
+ /* get a new spi for ESP, if not already done */
+ if (this->alloc_esp_spi == 0)
+ {
+ if (charon->kernel_interface->get_spi(
+ charon->kernel_interface,
+ this->other.addr, this->me.addr,
+ PROTO_ESP, this->reqid,
+ &this->alloc_esp_spi) != SUCCESS)
+ {
+ return FAILED;
+ }
+ }
+ proposal->set_spi(proposal, this->alloc_esp_spi);
+ }
+ return SUCCESS;
+}
+
+
+/**
+ * Implements child_sa_t.alloc
+ */
+static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
+{
+ iterator_t *iterator;
+ proposal_t *proposal;
+
+ /* iterator through proposals to update spis */
+ iterator = proposals->create_iterator(proposals, TRUE);
+ while(iterator->iterate(iterator, (void**)&proposal))
+ {
+ if (alloc_proposal(this, proposal) != SUCCESS)
+ {
+ iterator->destroy(iterator);
+ return FAILED;
+ }
+ }
+ iterator->destroy(iterator);
+ return SUCCESS;
+}
+
+static status_t install(private_child_sa_t *this, proposal_t *proposal,
+ mode_t mode, prf_plus_t *prf_plus, bool mine)
+{
+ u_int32_t spi, soft, hard;;
+ algorithm_t *enc_algo, *int_algo;
+ algorithm_t enc_algo_none = {ENCR_UNDEFINED, 0};
+ algorithm_t int_algo_none = {AUTH_UNDEFINED, 0};
+ host_t *src;
+ host_t *dst;
+ natt_conf_t *natt;
+ status_t status;
+
+ this->protocol = proposal->get_protocol(proposal);
+
+ /* now we have to decide which spi to use. Use self allocated, if "mine",
+ * or the one in the proposal, if not "mine" (others). Additionally,
+ * source and dest host switch depending on the role */
+ if (mine)
+ {
+ /* if we have allocated SPIs for AH and ESP, we must delete the unused
+ * one. */
+ if (this->protocol == PROTO_ESP)
+ {
+ this->me.spi = this->alloc_esp_spi;
+ if (this->alloc_ah_spi)
+ {
+ charon->kernel_interface->del_sa(charon->kernel_interface, this->me.addr,
+ this->alloc_ah_spi, PROTO_AH);
+ }
+ }
+ else
+ {
+ this->me.spi = this->alloc_ah_spi;
+ if (this->alloc_esp_spi)
+ {
+ charon->kernel_interface->del_sa(charon->kernel_interface, this->me.addr,
+ this->alloc_esp_spi, PROTO_ESP);
+ }
+ }
+ spi = this->me.spi;
+ dst = this->me.addr;
+ src = this->other.addr;
+ }
+ else
+ {
+ this->other.spi = proposal->get_spi(proposal);
+ spi = this->other.spi;
+ src = this->me.addr;
+ dst = this->other.addr;
+ }
+
+ DBG2(DBG_CHD, "adding %s %N SA", mine ? "inbound" : "outbound",
+ protocol_id_names, this->protocol);
+
+ /* select encryption algo */
+ if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_algo))
+ {
+ DBG2(DBG_CHD, " using %N for encryption",
+ encryption_algorithm_names, enc_algo->algorithm);
+ }
+ else
+ {
+ enc_algo = &enc_algo_none;
+ }
+
+ /* select integrity algo */
+ if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_algo))
+ {
+ DBG2(DBG_CHD, " using %N for integrity",
+ integrity_algorithm_names, int_algo->algorithm);
+ }
+ else
+ {
+ int_algo = &int_algo_none;
+ }
+
+ /* setup nat-t */
+ if (this->use_natt)
+ {
+ natt = alloca(sizeof(natt_conf_t));
+ natt->sport = src->get_port(src);
+ natt->dport = dst->get_port(dst);
+ }
+ else
+ {
+ natt = NULL;
+ }
+
+ soft = this->policy->get_soft_lifetime(this->policy);
+ hard = this->policy->get_hard_lifetime(this->policy);
+
+ /* send SA down to the kernel */
+ DBG2(DBG_CHD, " SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
+ status = charon->kernel_interface->add_sa(charon->kernel_interface,
+ src, dst, spi, this->protocol,
+ this->reqid, mine ? soft : 0,
+ hard, enc_algo, int_algo,
+ prf_plus, natt, mode, mine);
+
+ this->encryption = *enc_algo;
+ this->integrity = *int_algo;
+ this->install_time = time(NULL);
+ this->rekey_time = soft;
+
+ return status;
+}
+
+static status_t add(private_child_sa_t *this, proposal_t *proposal,
+ mode_t mode, prf_plus_t *prf_plus)
+{
+ u_int32_t outbound_spi, inbound_spi;
+
+ /* backup outbound spi, as alloc overwrites it */
+ outbound_spi = proposal->get_spi(proposal);
+
+ /* get SPIs inbound SAs */
+ if (alloc_proposal(this, proposal) != SUCCESS)
+ {
+ return FAILED;
+ }
+ inbound_spi = proposal->get_spi(proposal);
+
+ /* install inbound SAs */
+ if (install(this, proposal, mode, prf_plus, TRUE) != SUCCESS)
+ {
+ return FAILED;
+ }
+
+ /* install outbound SAs, restore spi*/
+ proposal->set_spi(proposal, outbound_spi);
+ if (install(this, proposal, mode, prf_plus, FALSE) != SUCCESS)
+ {
+ return FAILED;
+ }
+ proposal->set_spi(proposal, inbound_spi);
+
+ return SUCCESS;
+}
+
+static status_t update(private_child_sa_t *this, proposal_t *proposal,
+ mode_t mode, prf_plus_t *prf_plus)
+{
+ u_int32_t inbound_spi;
+
+ /* backup received spi, as install() overwrites it */
+ inbound_spi = proposal->get_spi(proposal);
+
+ /* install outbound SAs */
+ if (install(this, proposal, mode, prf_plus, FALSE) != SUCCESS)
+ {
+ return FAILED;
+ }
+
+ /* restore spi */
+ proposal->set_spi(proposal, inbound_spi);
+ /* install inbound SAs */
+ if (install(this, proposal, mode, prf_plus, TRUE) != SUCCESS)
+ {
+ return FAILED;
+ }
+
+ return SUCCESS;
+}
+
+static status_t add_policies(private_child_sa_t *this,
+ linked_list_t *my_ts_list,
+ linked_list_t *other_ts_list, mode_t mode)
+{
+ iterator_t *my_iter, *other_iter;
+ traffic_selector_t *my_ts, *other_ts;
+ /* use low prio for ROUTED policies */
+ bool high_prio = (this->state != CHILD_CREATED);
+
+ /* iterate over both lists */
+ my_iter = my_ts_list->create_iterator(my_ts_list, TRUE);
+ other_iter = other_ts_list->create_iterator(other_ts_list, TRUE);
+ while (my_iter->iterate(my_iter, (void**)&my_ts))
+ {
+ other_iter->reset(other_iter);
+ while (other_iter->iterate(other_iter, (void**)&other_ts))
+ {
+ /* set up policies for every entry in my_ts_list to every entry in other_ts_list */
+ status_t status;
+ sa_policy_t *policy;
+
+ if (my_ts->get_type(my_ts) != other_ts->get_type(other_ts))
+ {
+ DBG2(DBG_CHD,
+ "CHILD_SA policy uses two different IP families, ignored");
+ continue;
+ }
+
+ /* only set up policies if protocol matches, or if one is zero (any) */
+ if (my_ts->get_protocol(my_ts) != other_ts->get_protocol(other_ts) &&
+ my_ts->get_protocol(my_ts) && other_ts->get_protocol(other_ts))
+ {
+ DBG2(DBG_CHD,
+ "CHILD_SA policy uses two different protocols, ignored");
+ continue;
+ }
+
+ /* install 3 policies: out, in and forward */
+ status = charon->kernel_interface->add_policy(charon->kernel_interface,
+ this->me.addr, this->other.addr, my_ts, other_ts, POLICY_OUT,
+ this->protocol, this->reqid, high_prio, mode, FALSE);
+
+ status |= charon->kernel_interface->add_policy(charon->kernel_interface,
+ this->other.addr, this->me.addr, other_ts, my_ts, POLICY_IN,
+ this->protocol, this->reqid, high_prio, mode, FALSE);
+
+ status |= charon->kernel_interface->add_policy(charon->kernel_interface,
+ this->other.addr, this->me.addr, other_ts, my_ts, POLICY_FWD,
+ this->protocol, this->reqid, high_prio, mode, FALSE);
+
+ if (status != SUCCESS)
+ {
+ my_iter->destroy(my_iter);
+ other_iter->destroy(other_iter);
+ return status;
+ }
+
+ /* store policy to delete/update them later */
+ policy = malloc_thing(sa_policy_t);
+ policy->my_ts = my_ts->clone(my_ts);
+ policy->other_ts = other_ts->clone(other_ts);
+ this->policies->insert_last(this->policies, (void*)policy);
+ /* add to separate list to query them via get_*_traffic_selectors() */
+ this->my_ts->insert_last(this->my_ts, (void*)policy->my_ts);
+ this->other_ts->insert_last(this->other_ts, (void*)policy->other_ts);
+ }
+ }
+ my_iter->destroy(my_iter);
+ other_iter->destroy(other_iter);
+
+ /* switch to routed state if no SAD entry set up */
+ if (this->state == CHILD_CREATED)
+ {
+ this->state = CHILD_ROUTED;
+ }
+ /* needed to update hosts */
+ this->mode = mode;
+ return SUCCESS;
+}
+
+/**
+ * Implementation of child_sa_t.get_my_traffic_selectors.
+ */
+static linked_list_t *get_my_traffic_selectors(private_child_sa_t *this)
+{
+ return this->my_ts;
+}
+
+/**
+ * Implementation of child_sa_t.get_my_traffic_selectors.
+ */
+static linked_list_t *get_other_traffic_selectors(private_child_sa_t *this)
+{
+ return this->other_ts;
+}
+
+/**
+ * Implementation of child_sa_t.get_use_time
+ */
+static status_t get_use_time(private_child_sa_t *this, bool inbound, time_t *use_time)
+{
+ iterator_t *iterator;
+ sa_policy_t *policy;
+ status_t status = FAILED;
+
+ *use_time = UNDEFINED_TIME;
+
+ iterator = this->policies->create_iterator(this->policies, TRUE);
+ while (iterator->iterate(iterator, (void**)&policy))
+ {
+ if (inbound)
+ {
+ time_t in = UNDEFINED_TIME, fwd = UNDEFINED_TIME;
+
+ status = charon->kernel_interface->query_policy(
+ charon->kernel_interface,
+ policy->other_ts, policy->my_ts,
+ POLICY_IN, (u_int32_t*)&in);
+ status |= charon->kernel_interface->query_policy(
+ charon->kernel_interface,
+ policy->other_ts, policy->my_ts,
+ POLICY_FWD, (u_int32_t*)&fwd);
+ *use_time = max(in, fwd);
+ }
+ else
+ {
+ status = charon->kernel_interface->query_policy(
+ charon->kernel_interface,
+ policy->my_ts, policy->other_ts,
+ POLICY_OUT, (u_int32_t*)use_time);
+ }
+ }
+ iterator->destroy(iterator);
+ return status;
+}
+
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ private_child_sa_t *this = *((private_child_sa_t**)(args[0]));
+ iterator_t *iterator;
+ sa_policy_t *policy;
+ u_int32_t now, rekeying;
+ u_int32_t use, use_in, use_fwd;
+ status_t status;
+ size_t written = 0;
+
+ if (this == NULL)
+ {
+ return fprintf(stream, "(null)");
+ }
+
+ now = time(NULL);
+
+ written += fprintf(stream, "%12s{%d}: %N, %N",
+ this->policy->get_name(this->policy), this->reqid,
+ child_sa_state_names, this->state,
+ mode_names, this->mode);
+
+ if (this->state == CHILD_INSTALLED)
+ {
+ written += fprintf(stream, ", %N SPIs: 0x%0x_i 0x%0x_o",
+ protocol_id_names, this->protocol,
+ htonl(this->me.spi), htonl(this->other.spi));
+
+ if (info->alt)
+ {
+ written += fprintf(stream, "\n%12s{%d}: ",
+ this->policy->get_name(this->policy),
+ this->reqid);
+
+ if (this->protocol == PROTO_ESP)
+ {
+ written += fprintf(stream, "%N", encryption_algorithm_names,
+ this->encryption.algorithm);
+
+ if (this->encryption.key_size)
+ {
+ written += fprintf(stream, "-%d", this->encryption.key_size);
+ }
+ written += fprintf(stream, "/");
+ }
+
+ written += fprintf(stream, "%N", integrity_algorithm_names,
+ this->integrity.algorithm);
+ if (this->integrity.key_size)
+ {
+ written += fprintf(stream, "-%d", this->integrity.key_size);
+ }
+ written += fprintf(stream, ", rekeying ");
+
+ /* calculate rekey times */
+ if (this->rekey_time)
+ {
+ rekeying = this->install_time + this->rekey_time - now;
+ written += fprintf(stream, "in %ds", rekeying);
+ }
+ else
+ {
+ written += fprintf(stream, "disabled");
+ }
+ }
+ }
+ iterator = this->policies->create_iterator(this->policies, TRUE);
+ while (iterator->iterate(iterator, (void**)&policy))
+ {
+ written += fprintf(stream, "\n%12s{%d}: %R===%R, last use: ",
+ this->policy->get_name(this->policy), this->reqid,
+ policy->my_ts, policy->other_ts);
+
+ /* query time of last policy use */
+
+ /* inbound: POLICY_IN or POLICY_FWD */
+ status = charon->kernel_interface->query_policy(charon->kernel_interface,
+ policy->other_ts, policy->my_ts, POLICY_IN, &use_in);
+ use_in = (status == SUCCESS)? use_in : 0;
+ status = charon->kernel_interface->query_policy(charon->kernel_interface,
+ policy->other_ts, policy->my_ts, POLICY_FWD, &use_fwd);
+ use_fwd = (status == SUCCESS)? use_fwd : 0;
+ use = max(use_in, use_fwd);
+ if (use)
+ {
+ written += fprintf(stream, "%ds_i ", now - use);
+ }
+ else
+ {
+ written += fprintf(stream, "no_i ");
+ }
+
+ /* outbound: POLICY_OUT */
+ status = charon->kernel_interface->query_policy(charon->kernel_interface,
+ policy->my_ts, policy->other_ts, POLICY_OUT, &use);
+ if (status == SUCCESS && use)
+ {
+ written += fprintf(stream, "%ds_o ", now - use);
+ }
+ else
+ {
+ written += fprintf(stream, "no_o ");
+ }
+ }
+ iterator->destroy(iterator);
+ return written;
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(PRINTF_CHILD_SA, print, arginfo_ptr);
+}
+
+/**
+ * Update the host adress/port of a SA
+ */
+static status_t update_sa_hosts(private_child_sa_t *this, host_t *new_me, host_t *new_other,
+ int my_changes, int other_changes, bool mine)
+{
+ host_t *src, *dst, *new_src, *new_dst;
+ int src_changes, dst_changes;
+ status_t status;
+ u_int32_t spi;
+
+ if (mine)
+ {
+ src = this->other.addr;
+ dst = this->me.addr;
+ new_src = new_other;
+ new_dst = new_me;
+ src_changes = other_changes;
+ dst_changes = my_changes;
+ spi = this->other.spi;
+ }
+ else
+ {
+ src = this->me.addr;
+ dst = this->other.addr;
+ new_src = new_me;
+ new_dst = new_other;
+ src_changes = my_changes;
+ dst_changes = other_changes;
+ spi = this->me.spi;
+ }
+
+ DBG2(DBG_CHD, "updating %N SA 0x%x, from %#H..#H to %#H..%#H",
+ protocol_id_names, this->protocol, ntohl(spi), src, dst, new_src, new_dst);
+
+ status = charon->kernel_interface->update_sa(charon->kernel_interface,
+ dst, spi, this->protocol,
+ new_src, new_dst,
+ src_changes, dst_changes);
+
+ if (status != SUCCESS)
+ {
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Update the host adress/port of a policy
+ */
+static status_t update_policy_hosts(private_child_sa_t *this, host_t *new_me, host_t *new_other)
+{
+ iterator_t *iterator;
+ sa_policy_t *policy;
+ status_t status;
+ /* we always use high priorities, as hosts getting updated are INSTALLED */
+
+ iterator = this->policies->create_iterator(this->policies, TRUE);
+ while (iterator->iterate(iterator, (void**)&policy))
+ {
+ status = charon->kernel_interface->add_policy(
+ charon->kernel_interface,
+ new_me, new_other,
+ policy->my_ts, policy->other_ts,
+ POLICY_OUT, this->protocol, this->reqid, TRUE, this->mode, TRUE);
+
+ status |= charon->kernel_interface->add_policy(
+ charon->kernel_interface,
+ new_other, new_me,
+ policy->other_ts, policy->my_ts,
+ POLICY_IN, this->protocol, this->reqid, TRUE, this->mode, TRUE);
+
+ status |= charon->kernel_interface->add_policy(
+ charon->kernel_interface,
+ new_other, new_me,
+ policy->other_ts, policy->my_ts,
+ POLICY_FWD, this->protocol, this->reqid, TRUE, this->mode, TRUE);
+
+ if (status != SUCCESS)
+ {
+ iterator->destroy(iterator);
+ return FAILED;
+ }
+ }
+ iterator->destroy(iterator);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of child_sa_t.update_hosts.
+ */
+static status_t update_hosts(private_child_sa_t *this, host_t *new_me, host_t *new_other,
+ host_diff_t my_changes, host_diff_t other_changes)
+{
+ if (!my_changes && !other_changes)
+ {
+ return SUCCESS;
+ }
+
+ /* update our (initator) SAs */
+ if (update_sa_hosts(this, new_me, new_other, my_changes, other_changes, TRUE) != SUCCESS)
+ {
+ return FAILED;
+ }
+
+ /* update his (responder) SAs */
+ if (update_sa_hosts(this, new_me, new_other, my_changes, other_changes, FALSE) != SUCCESS)
+ {
+ return FAILED;
+ }
+
+ /* update policies */
+ if (my_changes & HOST_DIFF_ADDR || other_changes & HOST_DIFF_ADDR)
+ {
+ if (update_policy_hosts(this, new_me, new_other) != SUCCESS)
+ {
+ return FAILED;
+ }
+ }
+
+ /* update hosts */
+ if (my_changes)
+ {
+ this->me.addr->destroy(this->me.addr);
+ this->me.addr = new_me->clone(new_me);
+ }
+
+ if (other_changes)
+ {
+ this->other.addr->destroy(this->other.addr);
+ this->other.addr = new_other->clone(new_other);
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of child_sa_t.set_virtual_ip.
+ */
+static void set_virtual_ip(private_child_sa_t *this, host_t *ip)
+{
+ this->virtual_ip = ip->clone(ip);
+}
+
+/**
+ * Implementation of child_sa_t.destroy.
+ */
+static void destroy(private_child_sa_t *this)
+{
+ sa_policy_t *policy;
+
+ if (this->state == CHILD_DELETING || this->state == CHILD_INSTALLED)
+ {
+ updown(this, FALSE);
+ }
+
+ /* delete SAs in the kernel, if they are set up */
+ if (this->me.spi)
+ {
+ charon->kernel_interface->del_sa(charon->kernel_interface,
+ this->me.addr, this->me.spi, this->protocol);
+ }
+ if (this->alloc_esp_spi && this->alloc_esp_spi != this->me.spi)
+ {
+ charon->kernel_interface->del_sa(charon->kernel_interface,
+ this->me.addr, this->alloc_esp_spi, PROTO_ESP);
+ }
+ if (this->alloc_ah_spi && this->alloc_ah_spi != this->me.spi)
+ {
+ charon->kernel_interface->del_sa(charon->kernel_interface,
+ this->me.addr, this->alloc_ah_spi, PROTO_AH);
+ }
+ if (this->other.spi)
+ {
+ charon->kernel_interface->del_sa(charon->kernel_interface,
+ this->other.addr, this->other.spi, this->protocol);
+ }
+
+ /* delete all policies in the kernel */
+ while (this->policies->remove_last(this->policies, (void**)&policy) == SUCCESS)
+ {
+ /* let rekeyed policies, as they are used by another child_sa */
+ charon->kernel_interface->del_policy(charon->kernel_interface,
+ policy->my_ts, policy->other_ts,
+ POLICY_OUT);
+
+ charon->kernel_interface->del_policy(charon->kernel_interface,
+ policy->other_ts, policy->my_ts,
+ POLICY_IN);
+
+ charon->kernel_interface->del_policy(charon->kernel_interface,
+ policy->other_ts, policy->my_ts,
+ POLICY_FWD);
+ policy->my_ts->destroy(policy->my_ts);
+ policy->other_ts->destroy(policy->other_ts);
+ free(policy);
+ }
+ this->policies->destroy(this->policies);
+
+ this->my_ts->destroy(this->my_ts);
+ this->other_ts->destroy(this->other_ts);
+ this->me.addr->destroy(this->me.addr);
+ this->other.addr->destroy(this->other.addr);
+ this->me.id->destroy(this->me.id);
+ this->other.id->destroy(this->other.id);
+ this->policy->destroy(this->policy);
+ DESTROY_IF(this->virtual_ip);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+child_sa_t * child_sa_create(host_t *me, host_t* other,
+ identification_t *my_id, identification_t *other_id,
+ policy_t *policy, u_int32_t rekey, bool use_natt)
+{
+ static u_int32_t reqid = 0;
+ private_child_sa_t *this = malloc_thing(private_child_sa_t);
+
+ /* public functions */
+ this->public.get_name = (char*(*)(child_sa_t*))get_name;
+ this->public.get_reqid = (u_int32_t(*)(child_sa_t*))get_reqid;
+ this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi;
+ this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol;
+ this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc;
+ this->public.add = (status_t(*)(child_sa_t*,proposal_t*,mode_t,prf_plus_t*))add;
+ this->public.update = (status_t(*)(child_sa_t*,proposal_t*,mode_t,prf_plus_t*))update;
+ this->public.update_hosts = (status_t (*)(child_sa_t*,host_t*,host_t*,host_diff_t,host_diff_t))update_hosts;
+ this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*,mode_t))add_policies;
+ this->public.get_my_traffic_selectors = (linked_list_t*(*)(child_sa_t*))get_my_traffic_selectors;
+ this->public.get_other_traffic_selectors = (linked_list_t*(*)(child_sa_t*))get_other_traffic_selectors;
+ this->public.get_use_time = (status_t (*)(child_sa_t*,bool,time_t*))get_use_time;
+ this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
+ this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
+ this->public.get_policy = (policy_t*(*)(child_sa_t*))get_policy;
+ this->public.set_virtual_ip = (void(*)(child_sa_t*,host_t*))set_virtual_ip;
+ this->public.destroy = (void(*)(child_sa_t*))destroy;
+
+ /* private data */
+ this->me.addr = me->clone(me);
+ this->other.addr = other->clone(other);
+ this->me.id = my_id->clone(my_id);
+ this->other.id = other_id->clone(other_id);
+ this->me.spi = 0;
+ this->other.spi = 0;
+ this->alloc_ah_spi = 0;
+ this->alloc_esp_spi = 0;
+ this->use_natt = use_natt;
+ this->state = CHILD_CREATED;
+ /* reuse old reqid if we are rekeying an existing CHILD_SA */
+ this->reqid = rekey ? rekey : ++reqid;
+ this->encryption.algorithm = ENCR_UNDEFINED;
+ this->encryption.key_size = 0;
+ this->integrity.algorithm = AUTH_UNDEFINED;
+ this->encryption.key_size = 0;
+ this->policies = linked_list_create();
+ this->my_ts = linked_list_create();
+ this->other_ts = linked_list_create();
+ this->protocol = PROTO_NONE;
+ this->mode = MODE_TUNNEL;
+ this->virtual_ip = NULL;
+ this->policy = policy;
+ policy->get_ref(policy);
+
+ return &this->public;
+}
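Review bot: updown() builds a popen() command line by pasting values into single-quoted assignments, including `PLUTO_PEER_ID='%D'` from this->other.id, and nothing visible in this hunk escapes a quote character in those values. Unless the %D/%R/%H formatters are guaranteed never to emit `'`, the values should reach the script as environment variables of a forked child (fork, setenv, exec) rather than through a shell-parsed string. The snprintf() result is not checked, so a line longer than the 1024-byte buffer is silently cut, possibly before a closing quote or the script name. Both early `return`s (popen() failure and ferror()) skip iterator->destroy(), the second also skips pclose(), and `*pos = '\0'` after `strchr(..., '/')` dereferences NULL if the selector string has no slash; the fence sketches the truncation and cleanup fixes. Separately, child_sa_create() assigns `this->encryption.key_size = 0;` twice and never sets integrity.key_size, which print() reads; unless malloc_thing() zeroes memory, the second assignment should be `this->integrity.key_size = 0;`.

```c
static void updown(private_child_sa_t *this, bool up)
{
	/* … unchanged: script lookup, iterator creation, per-policy declarations … */
		char resp[128];
		int len;

		/* … unchanged: client/mask strings, virtual_ip, ifname … */
		len = snprintf(command, sizeof(command),
					   /* … unchanged: format string and arguments … */
					   script);
		/* … unchanged: free() of the temporary strings … */

		if (len < 0 || len >= (int)sizeof(command))
		{
			/* a cut-off line may lose a closing quote or the script name */
			DBG1(DBG_CHD, "updown command too long, not running '%s'", script);
			break;
		}

		shell = popen(command, "r");
		if (shell == NULL)
		{
			DBG1(DBG_CHD, "could not execute updown script '%s'", script);
			break;
		}

		while (fgets(resp, sizeof(resp), shell))
		{
			/* … unchanged: trim trailing '\n' and log the line … */
		}
		if (ferror(shell))
		{
			DBG1(DBG_CHD, "error reading output from updown script");
			pclose(shell);
			break;
		}
		pclose(shell);
	/* … unchanged: end of policy loop; iterator->destroy(iterator) is now reached on every path … */
```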
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h
new file mode 100644
index 000000000..216e56659
--- /dev/null
+++ b/src/charon/sa/child_sa.h
@@ -0,0 +1,298 @@
+/**
+ * @file child_sa.h
+ *
+ * @brief Interface of child_sa_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006-2007 Martin Willi
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#ifndef CHILD_SA_H_
+#define CHILD_SA_H_
+
+typedef enum child_sa_state_t child_sa_state_t;
+typedef struct child_sa_t child_sa_t;
+
+#include <library.h>
+#include <crypto/prf_plus.h>
+#include <encoding/payloads/proposal_substructure.h>
+#include <config/proposal.h>
+#include <config/policies/policy.h>
+
+/**
+ * Where we should start with reqid enumeration
+ */
+#define REQID_START 2000000000
+
+/**
+ * @brief States of a CHILD_SA
+ */
+enum child_sa_state_t {
+
+ /**
+ * Just created, uninstalled CHILD_SA
+ */
+ CHILD_CREATED,
+
+ /**
+ * Installed SPD, but no SAD entries
+ */
+ CHILD_ROUTED,
+
+ /**
+ * Installed an in-use CHILD_SA
+ */
+ CHILD_INSTALLED,
+
+ /**
+ * CHILD_SA which is rekeying
+ */
+ CHILD_REKEYING,
+
+ /**
+ * CHILD_SA in progress of delete
+ */
+ CHILD_DELETING,
+};
+
+/**
+ * enum strings for child_sa_state_t.
+ */
+extern enum_name_t *child_sa_state_names;
+
+/**
+ * @brief Represents an IPsec SAs between two hosts.
+ *
+ * A child_sa_t contains two SAs. SAs for both
+ * directions are managed in one child_sa_t object. Both
+ * SAs and the policies have the same reqid.
+ *
+ * The procedure for child sa setup is as follows:
+ * - A gets SPIs for a proposal via child_sa_t.alloc
+ * - A send the updated proposal to B
+ * - B selects a suitable proposal
+ * - B calls child_sa_t.add to add and update the selected proposal
+ * - B sends the updated proposal to A
+ * - A calls child_sa_t.update to update the already allocated SPIs with the chosen proposal
+ *
+ * Once SAs are set up, policies can be added using add_policies.
+ *
+ *
+ * @b Constructors:
+ * - child_sa_create()
+ *
+ * @ingroup sa
+ */
+struct child_sa_t {
+
+ /**
+ * @brief Get the name of the policy this CHILD_SA uses.
+ *
+ * @param this calling object
+ * @return name
+ */
+ char* (*get_name) (child_sa_t *this);
+
+ /**
+ * @brief Get the reqid of the CHILD SA.
+ *
+ * Every CHILD_SA has a reqid. The kernel uses this ID to
+ * identify it.
+ *
+ * @param this calling object
+ * @return reqid of the CHILD SA
+ */
+ u_int32_t (*get_reqid)(child_sa_t *this);
+
+ /**
+ * @brief Get the SPI of this CHILD_SA.
+ *
+ * Set the boolean parameter inbound to TRUE to
+ * get the SPI for which we receive packets, use
+ * FALSE to get those we use for sending packets.
+ *
+ * @param this calling object
+ * @param inbound TRUE to get inbound SPI, FALSE for outbound.
+ * @return spi of the CHILD SA
+ */
+ u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
+
+ /**
+ * @brief Get the protocol which this CHILD_SA uses to protect traffic.
+ *
+ * @param this calling object
+ * @return AH | ESP
+ */
+ protocol_id_t (*get_protocol) (child_sa_t *this);
+
+ /**
+ * @brief Allocate SPIs for given proposals.
+ *
+ * Since the kernel manages SPIs for us, we need
+ * to allocate them. If a proposal contains more
+ * than one protocol, for each protocol an SPI is
+ * allocated. SPIs are stored internally and written
+ * back to the proposal.
+ *
+ * @param this calling object
+ * @param proposals list of proposals for which SPIs are allocated
+ */
+ status_t (*alloc)(child_sa_t *this, linked_list_t* proposals);
+
+ /**
+ * @brief Install the kernel SAs for a proposal, without previous SPI allocation.
+ *
+ * @param this calling object
+ * @param proposal proposal for which SPIs are allocated
+ * @param mode mode for the CHILD_SA
+ * @param prf_plus key material to use for key derivation
+ * @return SUCCESS or FAILED
+ */
+ status_t (*add)(child_sa_t *this, proposal_t *proposal, mode_t mode,
+ prf_plus_t *prf_plus);
+
+ /**
+ * @brief Install the kernel SAs for a proposal, after SPIs have been allocated.
+ *
+ * Updates an SA, for which SPIs are already allocated via alloc().
+ *
+ * @param this calling object
+ * @param proposal proposal for which SPIs are allocated
+ * @param mode mode for the CHILD_SA
+ * @param prf_plus key material to use for key derivation
+ * @return SUCCESS or FAILED
+ */
+ status_t (*update)(child_sa_t *this, proposal_t *proposal, mode_t mode,
+ prf_plus_t *prf_plus);
+
+ /**
+ * @brief Update the hosts in the kernel SAs and policies
+ *
+ * @warning only call this after update() has been called.
+ *
+ * @param this calling object
+ * @param new_me the new local host
+ * @param new_other the new remote host
+ * @param my_diff differences to apply for me
+ * @param other_diff differences to apply for other
+ * @return SUCCESS or FAILED
+ */
+ status_t (*update_hosts)(child_sa_t *this, host_t *new_me, host_t *new_other,
+ host_diff_t my_diff, host_diff_t other_diff);
+
+ /**
+ * @brief Install the policies using some traffic selectors.
+ *
+ * Supplied lists of traffic_selector_t's specify the policies
+ * to use for this child sa.
+ *
+ * @param this calling object
+ * @param my_ts traffic selectors for local site
+ * @param other_ts traffic selectors for remote site
+ * @param mode mode for the SA: tunnel/transport
+ * @return SUCCESS or FAILED
+ */
+ status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list,
+ linked_list_t *other_ts_list, mode_t mode);
+
+ /**
+ * @brief Get the traffic selectors of added policies of local host.
+ *
+ * @param this calling object
+ * @return list of traffic selectors
+ */
+ linked_list_t* (*get_my_traffic_selectors) (child_sa_t *this);
+
+ /**
+ * @brief Get the traffic selectors of added policies of remote host.
+ *
+ * @param this calling object
+ * @return list of traffic selectors
+ */
+ linked_list_t* (*get_other_traffic_selectors) (child_sa_t *this);
+
+ /**
+ * @brief Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
+ *
+ * @param this calling object
+ * @param inbound query for in- or outbound usage
+ * @param use_time the time
+ * @return SUCCESS or FAILED
+ */
+ status_t (*get_use_time) (child_sa_t *this, bool inbound, time_t *use_time);
+
+ /**
+ * @brief Get the state of the CHILD_SA.
+ *
+ * @param this calling object
+ */
+ child_sa_state_t (*get_state) (child_sa_t *this);
+
+ /**
+ * @brief Set the state of the CHILD_SA.
+ *
+ * @param this calling object
+ */
+ void (*set_state) (child_sa_t *this, child_sa_state_t state);
+
+ /**
+ * @brief Get the policy used to set up this child sa.
+ *
+ * @param this calling object
+ * @return policy
+ */
+ policy_t* (*get_policy) (child_sa_t *this);
+
+ /**
+ * @brief Set the virtual IP used received from IRAS.
+ *
+ * To allow proper setup of firewall rules, the virtual IP is required
+ * for filtering.
+ *
+ * @param this calling object
+ * @param ip own virtual IP
+ */
+ void (*set_virtual_ip) (child_sa_t *this, host_t *ip);
+
+ /**
+ * @brief Destroys a child_sa.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (child_sa_t *this);
+};
+
+/**
+ * @brief Constructor to create a new child_sa_t.
+ *
+ * @param me own address
+ * @param other remote address
+ * @param my_id id of own peer
+ * @param other_id id of remote peer
+ * @param policy policy this CHILD_SA instantiates
+ * @param reqid reqid of old CHILD_SA when rekeying, 0 otherwise
+ * @param use_natt TRUE if NAT traversal is used
+ * @return child_sa_t object
+ *
+ * @ingroup sa
+ */
+child_sa_t * child_sa_create(host_t *me, host_t *other,
+ identification_t *my_id, identification_t* other_id,
+ policy_t *policy, u_int32_t reqid, bool use_natt);
+
+#endif /*CHILD_SA_H_*/
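Review bot: The `child_sa_create()` prototype at the end of this header places `u_int32_t reqid` directly before `bool use_natt`, and since both accept any integer constant, a call with the two swapped compiles without a diagnostic. The `route()` call in `src/charon/sa/ike_sa.c` later in this patch passes `policy, FALSE, 0`, which behaves correctly only because both values are zero; it should read `policy, 0, FALSE`. The constructor in `child_sa.c` treats a zero reqid as "allocate a new one" (`rekey ? rekey : ++reqid`), so the doc line here should say so, e.g. `@param reqid reqid of the CHILD_SA being rekeyed, or 0 to allocate a fresh one`. Separately, the `add_policies` doc block names `my_ts`/`other_ts` while the declaration uses `my_ts_list`/`other_ts_list`, and `alloc` documents no `@return` although it returns `status_t`.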
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
new file mode 100644
index 000000000..68aba3064
--- /dev/null
+++ b/src/charon/sa/ike_sa.c
@@ -0,0 +1,2032 @@
+/**
+ * @file ike_sa.c
+ *
+ * @brief Implementation of ike_sa_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/time.h>
+#include <string.h>
+#include <printf.h>
+#include <sys/stat.h>
+
+#include "ike_sa.h"
+
+#include <library.h>
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <utils/lexparser.h>
+#include <crypto/diffie_hellman.h>
+#include <crypto/prf_plus.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/hashers/hasher.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/delete_payload.h>
+#include <encoding/payloads/transform_substructure.h>
+#include <encoding/payloads/transform_attribute.h>
+#include <encoding/payloads/ts_payload.h>
+#include <sa/task_manager.h>
+#include <sa/tasks/ike_init.h>
+#include <sa/tasks/ike_natd.h>
+#include <sa/tasks/ike_auth.h>
+#include <sa/tasks/ike_config.h>
+#include <sa/tasks/ike_cert.h>
+#include <sa/tasks/ike_rekey.h>
+#include <sa/tasks/ike_delete.h>
+#include <sa/tasks/ike_dpd.h>
+#include <sa/tasks/child_create.h>
+#include <sa/tasks/child_delete.h>
+#include <sa/tasks/child_rekey.h>
+#include <queues/jobs/retransmit_job.h>
+#include <queues/jobs/delete_ike_sa_job.h>
+#include <queues/jobs/send_dpd_job.h>
+#include <queues/jobs/send_keepalive_job.h>
+#include <queues/jobs/rekey_ike_sa_job.h>
+#include <queues/jobs/route_job.h>
+#include <queues/jobs/initiate_job.h>
+
+
+#ifndef RESOLV_CONF
+#define RESOLV_CONF "/etc/resolv.conf"
+#endif
+
+ENUM(ike_sa_state_names, IKE_CREATED, IKE_DELETING,
+ "CREATED",
+ "CONNECTING",
+ "ESTABLISHED",
+ "REKEYING",
+ "DELETING",
+);
+
+typedef struct private_ike_sa_t private_ike_sa_t;
+
+/**
+ * Private data of an ike_sa_t object.
+ */
+struct private_ike_sa_t {
+
+ /**
+ * Public members
+ */
+ ike_sa_t public;
+
+ /**
+ * Identifier for the current IKE_SA.
+ */
+ ike_sa_id_t *ike_sa_id;
+
+ /**
+ * unique numerical ID for this IKE_SA.
+ */
+ u_int32_t unique_id;
+
+ /**
+ * Current state of the IKE_SA
+ */
+ ike_sa_state_t state;
+
+ /**
+ * connection used to establish this IKE_SA.
+ */
+ connection_t *connection;
+
+ /**
+ * Peer and authentication information to establish IKE_SA.
+ */
+ policy_t *policy;
+
+ /**
+ * Juggles tasks to process messages
+ */
+ task_manager_t *task_manager;
+
+ /**
+ * Address of local host
+ */
+ host_t *my_host;
+
+ /**
+ * Address of remote host
+ */
+ host_t *other_host;
+
+ /**
+ * Identification used for us
+ */
+ identification_t *my_id;
+
+ /**
+ * Identification used for other
+ */
+ identification_t *other_id;
+
+ /**
+ * Linked List containing the child sa's of the current IKE_SA.
+ */
+ linked_list_t *child_sas;
+
+ /**
+ * crypter for inbound traffic
+ */
+ crypter_t *crypter_in;
+
+ /**
+ * crypter for outbound traffic
+ */
+ crypter_t *crypter_out;
+
+ /**
+ * Signer for inbound traffic
+ */
+ signer_t *signer_in;
+
+ /**
+ * Signer for outbound traffic
+ */
+ signer_t *signer_out;
+
+ /**
+ * Multi purpose prf, set key, use it, forget it
+ */
+ prf_t *prf;
+
+ /**
+ * Prf function for derivating keymat child SAs
+ */
+ prf_t *child_prf;
+
+ /**
+ * PRF to build outging authentication data
+ */
+ prf_t *auth_build;
+
+ /**
+ * PRF to verify incoming authentication data
+ */
+ prf_t *auth_verify;
+
+ /**
+ * NAT status of local host.
+ */
+ bool nat_here;
+
+ /**
+ * NAT status of remote host.
+ */
+ bool nat_there;
+
+ /**
+ * Virtual IP on local host, if any
+ */
+ host_t *my_virtual_ip;
+
+ /**
+ * Virtual IP on remote host, if any
+ */
+ host_t *other_virtual_ip;
+
+ /**
+ * List of DNS servers installed by us
+ */
+ linked_list_t *dns_servers;
+
+ /**
+ * Timestamps for this IKE_SA
+ */
+ struct {
+ /** last IKE message received */
+ u_int32_t inbound;
+ /** last IKE message sent */
+ u_int32_t outbound;
+ /** when IKE_SA became established */
+ u_int32_t established;
+ /** when IKE_SA gets rekeyed */
+ u_int32_t rekey;
+ /** when IKE_SA gets deleted */
+ u_int32_t delete;
+ } time;
+
+ /**
+ * how many times we have retried so far (keyingtries)
+ */
+ u_int32_t keyingtry;
+};
+
+/**
+ * get the time of the latest traffic processed by the kernel
+ */
+static time_t get_use_time(private_ike_sa_t* this, bool inbound)
+{
+ iterator_t *iterator;
+ child_sa_t *child_sa;
+ time_t latest = 0, use_time;
+
+ iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+ while (iterator->iterate(iterator, (void**)&child_sa))
+ {
+ if (child_sa->get_use_time(child_sa, inbound, &use_time) == SUCCESS)
+ {
+ latest = max(latest, use_time);
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (inbound)
+ {
+ return max(this->time.inbound, latest);
+ }
+ else
+ {
+ return max(this->time.outbound, latest);
+ }
+}
+
+/**
+ * Implementation of ike_sa_t.get_unique_id
+ */
+static u_int32_t get_unique_id(private_ike_sa_t *this)
+{
+ return this->unique_id;
+}
+
+/**
+ * Implementation of ike_sa_t.get_name.
+ */
+static char *get_name(private_ike_sa_t *this)
+{
+ if (this->connection)
+ {
+ return this->connection->get_name(this->connection);
+ }
+ return "(unnamed)";
+}
+
+/**
+ * Implementation of ike_sa_t.get_connection
+ */
+static connection_t* get_connection(private_ike_sa_t *this)
+{
+ return this->connection;
+}
+
+/**
+ * Implementation of ike_sa_t.set_connection
+ */
+static void set_connection(private_ike_sa_t *this, connection_t *connection)
+{
+ this->connection = connection;
+ connection->get_ref(connection);
+}
+
+/**
+ * Implementation of ike_sa_t.get_policy
+ */
+static policy_t *get_policy(private_ike_sa_t *this)
+{
+ return this->policy;
+}
+
+/**
+ * Implementation of ike_sa_t.set_policy
+ */
+static void set_policy(private_ike_sa_t *this, policy_t *policy)
+{
+ policy->get_ref(policy);
+ this->policy = policy;
+}
+
+/**
+ * Implementation of ike_sa_t.get_my_host.
+ */
+static host_t *get_my_host(private_ike_sa_t *this)
+{
+ return this->my_host;
+}
+
+/**
+ * Implementation of ike_sa_t.set_my_host.
+ */
+static void set_my_host(private_ike_sa_t *this, host_t *me)
+{
+ DESTROY_IF(this->my_host);
+ this->my_host = me;
+}
+
+/**
+ * Implementation of ike_sa_t.get_other_host.
+ */
+static host_t *get_other_host(private_ike_sa_t *this)
+{
+ return this->other_host;
+}
+
+/**
+ * Implementation of ike_sa_t.set_other_host.
+ */
+static void set_other_host(private_ike_sa_t *this, host_t *other)
+{
+ DESTROY_IF(this->other_host);
+ this->other_host = other;
+}
+
+/**
+ * Implementation of ike_sa_t.send_dpd
+ */
+static status_t send_dpd(private_ike_sa_t *this)
+{
+ send_dpd_job_t *job;
+ time_t diff, delay;
+
+ delay = this->connection->get_dpd_delay(this->connection);
+
+ if (delay == 0)
+ {
+ /* DPD disabled */
+ return SUCCESS;
+ }
+
+ if (this->task_manager->busy(this->task_manager))
+ {
+ /* an exchange is in the air, no need to start a DPD check */
+ diff = 0;
+ }
+ else
+ {
+ /* check if there was any inbound traffic */
+ time_t last_in, now;
+ last_in = get_use_time(this, TRUE);
+ now = time(NULL);
+ diff = now - last_in;
+ if (diff >= delay)
+ {
+ /* to long ago, initiate dead peer detection */
+ task_t *task;
+
+ task = (task_t*)ike_dpd_create(TRUE);
+ diff = 0;
+ DBG1(DBG_IKE, "sending DPD request");
+
+ this->task_manager->queue_task(this->task_manager, task);
+ this->task_manager->initiate(this->task_manager);
+ }
+ }
+ /* recheck in "interval" seconds */
+ job = send_dpd_job_create(this->ike_sa_id);
+ charon->event_queue->add_relative(charon->event_queue, (job_t*)job,
+ (delay - diff) * 1000);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of ike_sa_t.send_keepalive
+ */
+static void send_keepalive(private_ike_sa_t *this)
+{
+ send_keepalive_job_t *job;
+ time_t last_out, now, diff, interval;
+
+ last_out = get_use_time(this, FALSE);
+ now = time(NULL);
+
+ diff = now - last_out;
+ interval = charon->configuration->get_keepalive_interval(charon->configuration);
+
+ if (diff >= interval)
+ {
+ packet_t *packet;
+ chunk_t data;
+
+ packet = packet_create();
+ packet->set_source(packet, this->my_host->clone(this->my_host));
+ packet->set_destination(packet, this->other_host->clone(this->other_host));
+ data.ptr = malloc(1);
+ data.ptr[0] = 0xFF;
+ data.len = 1;
+ packet->set_data(packet, data);
+ charon->sender->send(charon->sender, packet);
+ DBG1(DBG_IKE, "sending keep alive");
+ diff = 0;
+ }
+ job = send_keepalive_job_create(this->ike_sa_id);
+ charon->event_queue->add_relative(charon->event_queue, (job_t*)job,
+ (interval - diff) * 1000);
+}
+
+/**
+ * Implementation of ike_sa_t.get_state.
+ */
+static ike_sa_state_t get_state(private_ike_sa_t *this)
+{
+ return this->state;
+}
+
+/**
+ * Implementation of ike_sa_t.set_state.
+ */
+static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
+{
+ DBG1(DBG_IKE, "IKE_SA state change: %N => %N",
+ ike_sa_state_names, this->state,
+ ike_sa_state_names, state);
+
+ switch (state)
+ {
+ case IKE_ESTABLISHED:
+ {
+ if (this->state == IKE_CONNECTING)
+ {
+ job_t *job;
+ u_int32_t now = time(NULL);
+ u_int32_t soft, hard;
+ bool reauth;
+
+ this->time.established = now;
+ /* start DPD checks */
+ send_dpd(this);
+
+ /* schedule rekeying/reauthentication */
+ soft = this->connection->get_soft_lifetime(this->connection);
+ hard = this->connection->get_hard_lifetime(this->connection);
+ reauth = this->connection->get_reauth(this->connection);
+ DBG1(DBG_IKE, "scheduling %s in %ds, maximum lifetime %ds",
+ reauth ? "reauthentication": "rekeying", soft, hard);
+
+ if (soft)
+ {
+ this->time.rekey = now + soft;
+ job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, reauth);
+ charon->event_queue->add_relative(charon->event_queue, job,
+ soft * 1000);
+ }
+
+ if (hard)
+ {
+ this->time.delete = now + hard;
+ job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
+ charon->event_queue->add_relative(charon->event_queue, job,
+ hard * 1000);
+ }
+ }
+ break;
+ }
+ case IKE_DELETING:
+ {
+ /* delete may fail if a packet gets lost, so set a timeout */
+ job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
+ charon->event_queue->add_relative(charon->event_queue, job,
+ charon->configuration->get_half_open_ike_sa_timeout(
+ charon->configuration));
+ break;
+ }
+ default:
+ break;
+ }
+
+ this->state = state;
+}
+
+/**
+ * Implementation of ike_sa_t.reset
+ */
+static void reset(private_ike_sa_t *this)
+{
+ /* the responder ID is reset, as peer may choose another one */
+ if (this->ike_sa_id->is_initiator(this->ike_sa_id))
+ {
+ this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
+ }
+
+ set_state(this, IKE_CREATED);
+
+ this->task_manager->reset(this->task_manager);
+}
+
+/**
+ * Update connection host, as addresses may change (NAT)
+ */
+static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
+{
+ iterator_t *iterator = NULL;
+ child_sa_t *child_sa = NULL;
+ host_diff_t my_diff, other_diff;
+
+ if (this->my_host->is_anyaddr(this->my_host) ||
+ this->other_host->is_anyaddr(this->other_host))
+ {
+ /* on first received message */
+ this->my_host->destroy(this->my_host);
+ this->my_host = me->clone(me);
+ this->other_host->destroy(this->other_host);
+ this->other_host = other->clone(other);
+ return;
+ }
+
+ my_diff = me->get_differences(me, this->my_host);
+ other_diff = other->get_differences(other, this->other_host);
+
+ if (!my_diff && !other_diff)
+ {
+ return;
+ }
+
+ if (my_diff)
+ {
+ this->my_host->destroy(this->my_host);
+ this->my_host = me->clone(me);
+ }
+
+ if (!this->nat_here)
+ {
+ /* update without restrictions if we are not NATted */
+ if (other_diff)
+ {
+ this->other_host->destroy(this->other_host);
+ this->other_host = other->clone(other);
+ }
+ }
+ else
+ {
+ /* if we are natted, only port may change */
+ if (other_diff & HOST_DIFF_ADDR)
+ {
+ return;
+ }
+ else if (other_diff & HOST_DIFF_PORT)
+ {
+ this->other_host->set_port(this->other_host, other->get_port(other));
+ }
+ }
+ iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+ while (iterator->iterate(iterator, (void**)&child_sa))
+ {
+ child_sa->update_hosts(child_sa, this->my_host, this->other_host,
+ my_diff, other_diff);
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implementation of ike_sa_t.generate
+ */
+static status_t generate_message(private_ike_sa_t *this, message_t *message,
+ packet_t **packet)
+{
+ this->time.outbound = time(NULL);
+ message->set_ike_sa_id(message, this->ike_sa_id);
+ message->set_destination(message, this->other_host->clone(this->other_host));
+ message->set_source(message, this->my_host->clone(this->my_host));
+ return message->generate(message, this->crypter_out, this->signer_out, packet);
+}
+
+/**
+ * send a notify back to the sender
+ */
+static void send_notify_response(private_ike_sa_t *this, message_t *request,
+ notify_type_t type)
+{
+ message_t *response;
+ packet_t *packet;
+
+ response = message_create();
+ response->set_exchange_type(response, request->get_exchange_type(request));
+ response->set_request(response, FALSE);
+ response->set_message_id(response, request->get_message_id(request));
+ response->add_notify(response, FALSE, type, chunk_empty);
+ if (this->my_host->is_anyaddr(this->my_host))
+ {
+ this->my_host->destroy(this->my_host);
+ this->my_host = request->get_destination(request);
+ this->my_host = this->my_host->clone(this->my_host);
+ }
+ if (this->other_host->is_anyaddr(this->other_host))
+ {
+ this->other_host->destroy(this->other_host);
+ this->other_host = request->get_source(request);
+ this->other_host = this->other_host->clone(this->other_host);
+ }
+ if (generate_message(this, response, &packet) == SUCCESS)
+ {
+ charon->sender->send(charon->sender, packet);
+ }
+ response->destroy(response);
+}
+
+/**
+ * Implementation of ike_sa_t.process_message.
+ */
+static status_t process_message(private_ike_sa_t *this, message_t *message)
+{
+ status_t status;
+ bool is_request;
+
+ is_request = message->get_request(message);
+
+ status = message->parse_body(message, this->crypter_in, this->signer_in);
+ if (status != SUCCESS)
+ {
+
+ if (is_request)
+ {
+ switch (status)
+ {
+ case NOT_SUPPORTED:
+ DBG1(DBG_IKE, "ciritcal unknown payloads found");
+ if (is_request)
+ {
+ send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
+ }
+ break;
+ case PARSE_ERROR:
+ DBG1(DBG_IKE, "message parsing failed");
+ if (is_request)
+ {
+ send_notify_response(this, message, INVALID_SYNTAX);
+ }
+ break;
+ case VERIFY_ERROR:
+ DBG1(DBG_IKE, "message verification failed");
+ if (is_request)
+ {
+ send_notify_response(this, message, INVALID_SYNTAX);
+ }
+ break;
+ case FAILED:
+ DBG1(DBG_IKE, "integrity check failed");
+ /* ignored */
+ break;
+ case INVALID_STATE:
+ DBG1(DBG_IKE, "found encrypted message, but no keys available");
+ if (is_request)
+ {
+ send_notify_response(this, message, INVALID_SYNTAX);
+ }
+ default:
+ break;
+ }
+ }
+ DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
+ exchange_type_names, message->get_exchange_type(message),
+ message->get_request(message) ? "request" : "response",
+ message->get_message_id(message));
+ return status;
+ }
+ else
+ {
+ host_t *me, *other;
+
+ me = message->get_destination(message);
+ other = message->get_source(message);
+
+ /* if this IKE_SA is virgin, we check for a connection */
+ if (this->connection == NULL)
+ {
+ job_t *job;
+ this->connection = charon->connections->get_connection_by_hosts(
+ charon->connections, me, other);
+ if (this->connection == NULL)
+ {
+ /* no connection found for these hosts, destroy */
+ DBG1(DBG_IKE, "no connection found for %H...%H, sending %N",
+ me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
+ send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
+ return DESTROY_ME;
+ }
+ /* add a timeout if peer does not establish it completely */
+ job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
+ charon->event_queue->add_relative(charon->event_queue, job,
+ charon->configuration->get_half_open_ike_sa_timeout(
+ charon->configuration));
+ }
+
+ /* check if message is trustworthy, and update connection information */
+ if (this->state == IKE_CREATED ||
+ message->get_exchange_type(message) != IKE_SA_INIT)
+ {
+ update_hosts(this, me, other);
+ this->time.inbound = time(NULL);
+ }
+ return this->task_manager->process_message(this->task_manager, message);
+ }
+}
+
+/**
+ * apply the connection/policy information to this IKE_SA
+ */
+static void apply_config(private_ike_sa_t *this,
+ connection_t *connection, policy_t *policy)
+{
+ host_t *me, *other;
+ identification_t *my_id, *other_id;
+
+ if (this->connection == NULL && this->policy == NULL)
+ {
+ this->connection = connection;
+ connection->get_ref(connection);
+ this->policy = policy;
+ policy->get_ref(policy);
+
+ me = connection->get_my_host(connection);
+ other = connection->get_other_host(connection);
+ my_id = policy->get_my_id(policy);
+ other_id = policy->get_other_id(policy);
+ set_my_host(this, me->clone(me));
+ set_other_host(this, other->clone(other));
+ DESTROY_IF(this->my_id);
+ DESTROY_IF(this->other_id);
+ this->my_id = my_id->clone(my_id);
+ this->other_id = other_id->clone(other_id);
+ }
+}
+
+/**
+ * Implementation of ike_sa_t.initiate.
+ */
+static status_t initiate(private_ike_sa_t *this,
+ connection_t *connection, policy_t *policy)
+{
+ task_t *task;
+
+ if (this->state == IKE_CREATED)
+ {
+ /* if we aren't established/establishing, do so */
+ apply_config(this, connection, policy);
+
+ if (this->other_host->is_anyaddr(this->other_host))
+ {
+ SIG(IKE_UP_START, "initiating IKE_SA");
+ SIG(IKE_UP_FAILED, "unable to initiate to %%any");
+ return DESTROY_ME;
+ }
+
+ task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
+ this->task_manager->queue_task(this->task_manager, task);
+ task = (task_t*)ike_natd_create(&this->public, TRUE);
+ this->task_manager->queue_task(this->task_manager, task);
+ task = (task_t*)ike_cert_create(&this->public, TRUE);
+ this->task_manager->queue_task(this->task_manager, task);
+ task = (task_t*)ike_auth_create(&this->public, TRUE);
+ this->task_manager->queue_task(this->task_manager, task);
+ task = (task_t*)ike_config_create(&this->public, policy);
+ this->task_manager->queue_task(this->task_manager, task);
+ }
+
+ task = (task_t*)child_create_create(&this->public, policy);
+ this->task_manager->queue_task(this->task_manager, task);
+
+ return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * Implementation of ike_sa_t.acquire.
+ */
+static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
+{
+ policy_t *policy;
+ iterator_t *iterator;
+ child_sa_t *current, *child_sa = NULL;
+ task_t *task;
+ child_create_t *child_create;
+
+ if (this->state == IKE_DELETING)
+ {
+ SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
+ SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
+ "IKE_SA is deleting", reqid);
+ return FAILED;
+ }
+
+ /* find CHILD_SA */
+ iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (current->get_reqid(current) == reqid)
+ {
+ child_sa = current;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ if (!child_sa)
+ {
+ SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
+ SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
+ "CHILD_SA not found", reqid);
+ return FAILED;
+ }
+
+ policy = child_sa->get_policy(child_sa);
+
+ if (this->state == IKE_CREATED)
+ {
+ task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
+ this->task_manager->queue_task(this->task_manager, task);
+ task = (task_t*)ike_natd_create(&this->public, TRUE);
+ this->task_manager->queue_task(this->task_manager, task);
+ task = (task_t*)ike_cert_create(&this->public, TRUE);
+ this->task_manager->queue_task(this->task_manager, task);
+ task = (task_t*)ike_auth_create(&this->public, TRUE);
+ this->task_manager->queue_task(this->task_manager, task);
+ task = (task_t*)ike_config_create(&this->public, policy);
+ this->task_manager->queue_task(this->task_manager, task);
+ }
+
+ child_create = child_create_create(&this->public, policy);
+ child_create->use_reqid(child_create, reqid);
+ this->task_manager->queue_task(this->task_manager, (task_t*)child_create);
+
+ return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * compare two lists of traffic selectors for equality
+ */
+static bool ts_list_equals(linked_list_t *l1, linked_list_t *l2)
+{
+ bool equals = TRUE;
+ iterator_t *i1, *i2;
+ traffic_selector_t *t1, *t2;
+
+ if (l1->get_count(l1) != l2->get_count(l2))
+ {
+ return FALSE;
+ }
+
+ i1 = l1->create_iterator(l1, TRUE);
+ i2 = l2->create_iterator(l2, TRUE);
+ while (i1->iterate(i1, (void**)&t1) && i2->iterate(i2, (void**)&t2))
+ {
+ if (!t1->equals(t1, t2))
+ {
+ equals = FALSE;
+ break;
+ }
+ }
+ i1->destroy(i1);
+ i2->destroy(i2);
+ return equals;
+}
+
+/**
+ * Implementation of ike_sa_t.route.
+ */
+static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t *policy)
+{
+ child_sa_t *child_sa = NULL;
+ iterator_t *iterator;
+ linked_list_t *my_ts, *other_ts;
+ status_t status;
+
+ SIG(CHILD_ROUTE_START, "routing CHILD_SA");
+
+ /* check if not already routed*/
+ iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+ while (iterator->iterate(iterator, (void**)&child_sa))
+ {
+ if (child_sa->get_state(child_sa) == CHILD_ROUTED)
+ {
+ linked_list_t *my_ts_conf, *other_ts_conf;
+
+ my_ts = child_sa->get_my_traffic_selectors(child_sa);
+ other_ts = child_sa->get_other_traffic_selectors(child_sa);
+
+ my_ts_conf = policy->get_my_traffic_selectors(policy, this->my_host);
+ other_ts_conf = policy->get_other_traffic_selectors(policy, this->other_host);
+
+ if (ts_list_equals(my_ts, my_ts_conf) &&
+ ts_list_equals(other_ts, other_ts_conf))
+ {
+ iterator->destroy(iterator);
+ my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
+ other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
+ SIG(CHILD_ROUTE_FAILED, "CHILD_SA with such a policy already routed");
+ return FAILED;
+ }
+ my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
+ other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
+ }
+ }
+ iterator->destroy(iterator);
+
+ switch (this->state)
+ {
+ case IKE_DELETING:
+ case IKE_REKEYING:
+ SIG(CHILD_ROUTE_FAILED,
+ "unable to route CHILD_SA, as its IKE_SA gets deleted");
+ return FAILED;
+ case IKE_CREATED:
+ /* apply connection information, we need it to acquire */
+ apply_config(this, connection, policy);
+ break;
+ case IKE_CONNECTING:
+ case IKE_ESTABLISHED:
+ default:
+ break;
+ }
+
+ /* install kernel policies */
+ child_sa = child_sa_create(this->my_host, this->other_host,
+ this->my_id, this->other_id, policy, FALSE, 0);
+
+ my_ts = policy->get_my_traffic_selectors(policy, this->my_host);
+ other_ts = policy->get_other_traffic_selectors(policy, this->other_host);
+ status = child_sa->add_policies(child_sa, my_ts, other_ts,
+ policy->get_mode(policy));
+ my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
+ other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
+ this->child_sas->insert_last(this->child_sas, child_sa);
+ SIG(CHILD_ROUTE_SUCCESS, "CHILD_SA routed");
+ return status;
+}
+
+/**
+ * Implementation of ike_sa_t.unroute.
+ */
+static status_t unroute(private_ike_sa_t *this, policy_t *policy)
+{
+ iterator_t *iterator;
+ child_sa_t *child_sa = NULL;
+ bool found = FALSE;
+ linked_list_t *my_ts, *other_ts, *my_ts_conf, *other_ts_conf;
+
+ SIG(CHILD_UNROUTE_START, "unrouting CHILD_SA");
+
+ /* find CHILD_SA in ROUTED state */
+ iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+ while (iterator->iterate(iterator, (void**)&child_sa))
+ {
+ if (child_sa->get_state(child_sa) == CHILD_ROUTED)
+ {
+ my_ts = child_sa->get_my_traffic_selectors(child_sa);
+ other_ts = child_sa->get_other_traffic_selectors(child_sa);
+
+ my_ts_conf = policy->get_my_traffic_selectors(policy, this->my_host);
+ other_ts_conf = policy->get_other_traffic_selectors(policy, this->other_host);
+
+ if (ts_list_equals(my_ts, my_ts_conf) &&
+ ts_list_equals(other_ts, other_ts_conf))
+ {
+ iterator->remove(iterator);
+ SIG(CHILD_UNROUTE_SUCCESS, "CHILD_SA unrouted");
+ child_sa->destroy(child_sa);
+ my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
+ other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
+ found = TRUE;
+ break;
+ }
+ my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
+ other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (!found)
+ {
+ SIG(CHILD_UNROUTE_FAILED, "CHILD_SA to unroute not found");
+ return FAILED;
+ }
+ /* if we are not established, and we have no more routed childs, remove whole SA */
+ if (this->state == IKE_CREATED &&
+ this->child_sas->get_count(this->child_sas) == 0)
+ {
+ return DESTROY_ME;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of ike_sa_t.retransmit.
+ */
+static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
+{
+ this->time.outbound = time(NULL);
+ if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
+ {
+ policy_t *policy;
+ child_sa_t* child_sa;
+ linked_list_t *to_route, *to_restart;
+ iterator_t *iterator;
+
+ /* send a proper signal to brief interested bus listeners */
+ switch (this->state)
+ {
+ case IKE_CONNECTING:
+ {
+ /* retry IKE_SA_INIT if we have multiple keyingtries */
+ u_int32_t tries = this->connection->get_keyingtries(this->connection);
+ this->keyingtry++;
+ if (tries == 0 || tries > this->keyingtry)
+ {
+ SIG(IKE_UP_FAILED, "peer not responding, trying again "
+ "(%d/%d) in background ", this->keyingtry + 1, tries);
+ reset(this);
+ return this->task_manager->initiate(this->task_manager);
+ }
+ SIG(IKE_UP_FAILED, "establishing IKE_SA failed, peer not responding");
+ break;
+ }
+ case IKE_REKEYING:
+ SIG(IKE_REKEY_FAILED, "rekeying IKE_SA failed, peer not responding");
+ break;
+ case IKE_DELETING:
+ SIG(IKE_DOWN_FAILED, "proper IKE_SA delete failed, peer not responding");
+ break;
+ default:
+ break;
+ }
+
+ /* summarize how we have to handle each child */
+ to_route = linked_list_create();
+ to_restart = linked_list_create();
+ iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+ while (iterator->iterate(iterator, (void**)&child_sa))
+ {
+ policy = child_sa->get_policy(child_sa);
+
+ if (child_sa->get_state(child_sa) == CHILD_ROUTED)
+ {
+ /* reroute routed CHILD_SAs */
+ to_route->insert_last(to_route, policy);
+ }
+ else
+ {
+ /* use DPD action for established CHILD_SAs */
+ switch (policy->get_dpd_action(policy))
+ {
+ case DPD_ROUTE:
+ to_route->insert_last(to_route, policy);
+ break;
+ case DPD_RESTART:
+ to_restart->insert_last(to_restart, policy);
+ break;
+ default:
+ break;
+ }
+ }
+ }
+ iterator->destroy(iterator);
+
+ /* create a new IKE_SA if we have to route or to restart */
+ if (to_route->get_count(to_route) || to_restart->get_count(to_restart))
+ {
+ private_ike_sa_t *new;
+ task_t *task;
+
+ new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
+ charon->ike_sa_manager, TRUE);
+
+ apply_config(new, this->connection, this->policy);
+ /* use actual used host, not the wildcarded one in connection */
+ new->other_host->destroy(new->other_host);
+ new->other_host = this->other_host->clone(this->other_host);
+
+ /* install routes */
+ while (to_route->remove_last(to_route, (void**)&policy) == SUCCESS)
+ {
+ route(new, new->connection, policy);
+ }
+
+ /* restart children */
+ if (to_restart->get_count(to_restart))
+ {
+ task = (task_t*)ike_init_create(&new->public, TRUE, NULL);
+ new->task_manager->queue_task(new->task_manager, task);
+ task = (task_t*)ike_natd_create(&new->public, TRUE);
+ new->task_manager->queue_task(new->task_manager, task);
+ task = (task_t*)ike_cert_create(&new->public, TRUE);
+ new->task_manager->queue_task(new->task_manager, task);
+ task = (task_t*)ike_config_create(&new->public, new->policy);
+ new->task_manager->queue_task(new->task_manager, task);
+ task = (task_t*)ike_auth_create(&new->public, TRUE);
+ new->task_manager->queue_task(new->task_manager, task);
+
+ while (to_restart->remove_last(to_restart, (void**)&policy) == SUCCESS)
+ {
+ task = (task_t*)child_create_create(&new->public, policy);
+ new->task_manager->queue_task(new->task_manager, task);
+ }
+ new->task_manager->initiate(new->task_manager);
+ }
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
+ }
+ to_route->destroy(to_route);
+ to_restart->destroy(to_restart);
+ return DESTROY_ME;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of ike_sa_t.get_prf.
+ */
+static prf_t *get_prf(private_ike_sa_t *this)
+{
+ return this->prf;
+}
+
+/**
+ * Implementation of ike_sa_t.get_prf.
+ */
+static prf_t *get_child_prf(private_ike_sa_t *this)
+{
+ return this->child_prf;
+}
+
+/**
+ * Implementation of ike_sa_t.get_auth_bild
+ */
+static prf_t *get_auth_build(private_ike_sa_t *this)
+{
+ return this->auth_build;
+}
+
+/**
+ * Implementation of ike_sa_t.get_auth_verify
+ */
+static prf_t *get_auth_verify(private_ike_sa_t *this)
+{
+ return this->auth_verify;
+}
+
+/**
+ * Implementation of ike_sa_t.get_id.
+ */
+static ike_sa_id_t* get_id(private_ike_sa_t *this)
+{
+ return this->ike_sa_id;
+}
+
+/**
+ * Implementation of ike_sa_t.get_my_id.
+ */
+static identification_t* get_my_id(private_ike_sa_t *this)
+{
+ return this->my_id;
+}
+
+/**
+ * Implementation of ike_sa_t.set_my_id.
+ */
+static void set_my_id(private_ike_sa_t *this, identification_t *me)
+{
+ DESTROY_IF(this->my_id);
+ this->my_id = me;
+}
+
+/**
+ * Implementation of ike_sa_t.get_other_id.
+ */
+static identification_t* get_other_id(private_ike_sa_t *this)
+{
+ return this->other_id;
+}
+
+/**
+ * Implementation of ike_sa_t.set_other_id.
+ */
+static void set_other_id(private_ike_sa_t *this, identification_t *other)
+{
+ DESTROY_IF(this->other_id);
+ this->other_id = other;
+}
+
+/**
+ * Implementation of ike_sa_t.derive_keys.
+ */
+static status_t derive_keys(private_ike_sa_t *this,
+ proposal_t *proposal, chunk_t secret,
+ chunk_t nonce_i, chunk_t nonce_r,
+ bool initiator, prf_t *child_prf, prf_t *old_prf)
+{
+ prf_plus_t *prf_plus;
+ chunk_t skeyseed, key, nonces, prf_plus_seed;
+ algorithm_t *algo;
+ size_t key_size;
+ crypter_t *crypter_i, *crypter_r;
+ signer_t *signer_i, *signer_r;
+ prf_t *prf_i, *prf_r;
+ u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)];
+ chunk_t spi_i = chunk_from_buf(spi_i_buf);
+ chunk_t spi_r = chunk_from_buf(spi_r_buf);
+
+ /* Create SAs general purpose PRF first, we may use it here */
+ if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo))
+ {
+ DBG1(DBG_IKE, "key derivation failed: no PSEUDO_RANDOM_FUNCTION");;
+ return FAILED;
+ }
+ this->prf = prf_create(algo->algorithm);
+ if (this->prf == NULL)
+ {
+ DBG1(DBG_IKE, "key derivation failed: PSEUDO_RANDOM_FUNCTION "
+ "%N not supported!", pseudo_random_function_names, algo->algorithm);
+ return FAILED;
+ }
+
+ DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
+ nonces = chunk_cat("cc", nonce_i, nonce_r);
+ *((u_int64_t*)spi_i.ptr) = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
+ *((u_int64_t*)spi_r.ptr) = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
+ prf_plus_seed = chunk_cat("ccc", nonces, spi_i, spi_r);
+
+ /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
+ *
+ * if we are rekeying, SKEYSEED is built on another way
+ */
+ if (child_prf == NULL) /* not rekeying */
+ {
+ /* SKEYSEED = prf(Ni | Nr, g^ir) */
+ this->prf->set_key(this->prf, nonces);
+ this->prf->allocate_bytes(this->prf, secret, &skeyseed);
+ DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
+ this->prf->set_key(this->prf, skeyseed);
+ chunk_free(&skeyseed);
+ chunk_free(&secret);
+ prf_plus = prf_plus_create(this->prf, prf_plus_seed);
+ }
+ else
+ {
+ /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
+ * use OLD SAs PRF functions for both prf_plus and prf */
+ secret = chunk_cat("mc", secret, nonces);
+ child_prf->allocate_bytes(child_prf, secret, &skeyseed);
+ DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
+ old_prf->set_key(old_prf, skeyseed);
+ chunk_free(&skeyseed);
+ chunk_free(&secret);
+ prf_plus = prf_plus_create(old_prf, prf_plus_seed);
+ }
+ chunk_free(&nonces);
+ chunk_free(&prf_plus_seed);
+
+ /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
+
+ /* SK_d is used for generating CHILD_SA key mat => child_prf */
+ proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
+ this->child_prf = prf_create(algo->algorithm);
+ key_size = this->child_prf->get_key_size(this->child_prf);
+ prf_plus->allocate_bytes(prf_plus, key_size, &key);
+ DBG4(DBG_IKE, "Sk_d secret %B", &key);
+ this->child_prf->set_key(this->child_prf, key);
+ chunk_free(&key);
+
+ /* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
+ if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo))
+ {
+ DBG1(DBG_IKE, "key derivation failed: no INTEGRITY_ALGORITHM");
+ return FAILED;
+ }
+ signer_i = signer_create(algo->algorithm);
+ signer_r = signer_create(algo->algorithm);
+ if (signer_i == NULL || signer_r == NULL)
+ {
+ DBG1(DBG_IKE, "key derivation failed: INTEGRITY_ALGORITHM "
+ "%N not supported!", integrity_algorithm_names ,algo->algorithm);
+ return FAILED;
+ }
+ key_size = signer_i->get_key_size(signer_i);
+
+ prf_plus->allocate_bytes(prf_plus, key_size, &key);
+ DBG4(DBG_IKE, "Sk_ai secret %B", &key);
+ signer_i->set_key(signer_i, key);
+ chunk_free(&key);
+
+ prf_plus->allocate_bytes(prf_plus, key_size, &key);
+ DBG4(DBG_IKE, "Sk_ar secret %B", &key);
+ signer_r->set_key(signer_r, key);
+ chunk_free(&key);
+
+ if (initiator)
+ {
+ this->signer_in = signer_r;
+ this->signer_out = signer_i;
+ }
+ else
+ {
+ this->signer_in = signer_i;
+ this->signer_out = signer_r;
+ }
+
+ /* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
+ if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo))
+ {
+ DBG1(DBG_IKE, "key derivation failed: no ENCRYPTION_ALGORITHM");
+ return FAILED;
+ }
+ crypter_i = crypter_create(algo->algorithm, algo->key_size / 8);
+ crypter_r = crypter_create(algo->algorithm, algo->key_size / 8);
+ if (crypter_i == NULL || crypter_r == NULL)
+ {
+ DBG1(DBG_IKE, "key derivation failed: ENCRYPTION_ALGORITHM "
+ "%N (key size %d) not supported!",
+ encryption_algorithm_names, algo->algorithm, algo->key_size);
+ return FAILED;
+ }
+ key_size = crypter_i->get_key_size(crypter_i);
+
+ prf_plus->allocate_bytes(prf_plus, key_size, &key);
+ DBG4(DBG_IKE, "Sk_ei secret %B", &key);
+ crypter_i->set_key(crypter_i, key);
+ chunk_free(&key);
+
+ prf_plus->allocate_bytes(prf_plus, key_size, &key);
+ DBG4(DBG_IKE, "Sk_er secret %B", &key);
+ crypter_r->set_key(crypter_r, key);
+ chunk_free(&key);
+
+ if (initiator)
+ {
+ this->crypter_in = crypter_r;
+ this->crypter_out = crypter_i;
+ }
+ else
+ {
+ this->crypter_in = crypter_i;
+ this->crypter_out = crypter_r;
+ }
+
+ /* SK_pi/SK_pr used for authentication => prf_auth_i, prf_auth_r */
+ proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
+ prf_i = prf_create(algo->algorithm);
+ prf_r = prf_create(algo->algorithm);
+
+ key_size = prf_i->get_key_size(prf_i);
+ prf_plus->allocate_bytes(prf_plus, key_size, &key);
+ DBG4(DBG_IKE, "Sk_pi secret %B", &key);
+ prf_i->set_key(prf_i, key);
+ chunk_free(&key);
+
+ prf_plus->allocate_bytes(prf_plus, key_size, &key);
+ DBG4(DBG_IKE, "Sk_pr secret %B", &key);
+ prf_r->set_key(prf_r, key);
+ chunk_free(&key);
+
+ if (initiator)
+ {
+ this->auth_verify = prf_r;
+ this->auth_build = prf_i;
+ }
+ else
+ {
+ this->auth_verify = prf_i;
+ this->auth_build = prf_r;
+ }
+
+ /* all done, prf_plus not needed anymore */
+ prf_plus->destroy(prf_plus);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of ike_sa_t.add_child_sa.
+ */
+static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
+{
+ this->child_sas->insert_last(this->child_sas, child_sa);
+}
+
+/**
+ * Implementation of ike_sa_t.get_child_sa.
+ */
+static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
+ u_int32_t spi, bool inbound)
+{
+ iterator_t *iterator;
+ child_sa_t *current, *found = NULL;
+
+ iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (current->get_spi(current, inbound) == spi &&
+ current->get_protocol(current) == protocol)
+ {
+ found = current;
+ }
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * Implementation of ike_sa_t.create_child_sa_iterator.
+ */
+static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
+{
+ return this->child_sas->create_iterator(this->child_sas, TRUE);
+}
+
+/**
+ * Implementation of ike_sa_t.rekey_child_sa.
+ */
+static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
+{
+ child_sa_t *child_sa;
+ child_rekey_t *child_rekey;
+
+ child_sa = get_child_sa(this, protocol, spi, TRUE);
+ if (child_sa)
+ {
+ child_rekey = child_rekey_create(&this->public, child_sa);
+ this->task_manager->queue_task(this->task_manager, &child_rekey->task);
+ return this->task_manager->initiate(this->task_manager);
+ }
+ return FAILED;
+}
+
+/**
+ * Implementation of ike_sa_t.delete_child_sa.
+ */
+static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
+{
+ child_sa_t *child_sa;
+ child_delete_t *child_delete;
+
+ child_sa = get_child_sa(this, protocol, spi, TRUE);
+ if (child_sa)
+ {
+ child_delete = child_delete_create(&this->public, child_sa);
+ this->task_manager->queue_task(this->task_manager, &child_delete->task);
+ return this->task_manager->initiate(this->task_manager);
+ }
+ return FAILED;
+}
+
+/**
+ * Implementation of ike_sa_t.destroy_child_sa.
+ */
+static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
+ u_int32_t spi)
+{
+ iterator_t *iterator;
+ child_sa_t *child_sa;
+ status_t status = NOT_FOUND;
+
+ iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+ while (iterator->iterate(iterator, (void**)&child_sa))
+ {
+ if (child_sa->get_protocol(child_sa) == protocol &&
+ child_sa->get_spi(child_sa, TRUE) == spi)
+ {
+ child_sa->destroy(child_sa);
+ iterator->remove(iterator);
+ status = SUCCESS;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return status;
+}
+
+/**
+ * Implementation of public_ike_sa_t.delete.
+ */
+static status_t delete_(private_ike_sa_t *this)
+{
+ ike_delete_t *ike_delete;
+
+ switch (this->state)
+ {
+ case IKE_ESTABLISHED:
+ DBG1(DBG_IKE, "deleting IKE_SA");
+ /* do not log when rekeyed */
+ case IKE_REKEYING:
+ ike_delete = ike_delete_create(&this->public, TRUE);
+ this->task_manager->queue_task(this->task_manager, &ike_delete->task);
+ return this->task_manager->initiate(this->task_manager);
+ default:
+ DBG1(DBG_IKE, "destroying IKE_SA in state %N without notification",
+ ike_sa_state_names, this->state);
+ break;
+ }
+ return DESTROY_ME;
+}
+
+/**
+ * Implementation of ike_sa_t.rekey.
+ */
+static status_t rekey(private_ike_sa_t *this)
+{
+ ike_rekey_t *ike_rekey;
+
+ ike_rekey = ike_rekey_create(&this->public, TRUE);
+
+ this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
+ return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * Implementation of ike_sa_t.reestablish
+ */
+static void reestablish(private_ike_sa_t *this)
+{
+ private_ike_sa_t *other;
+ iterator_t *iterator;
+ child_sa_t *child_sa;
+ policy_t *policy;
+ task_t *task;
+ job_t *job;
+
+ other = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
+ charon->ike_sa_manager, TRUE);
+
+ apply_config(other, this->connection, this->policy);
+ other->other_host->destroy(other->other_host);
+ other->other_host = this->other_host->clone(this->other_host);
+
+ if (this->state == IKE_ESTABLISHED)
+ {
+ task = (task_t*)ike_init_create(&other->public, TRUE, NULL);
+ other->task_manager->queue_task(other->task_manager, task);
+ task = (task_t*)ike_natd_create(&other->public, TRUE);
+ other->task_manager->queue_task(other->task_manager, task);
+ task = (task_t*)ike_cert_create(&other->public, TRUE);
+ other->task_manager->queue_task(other->task_manager, task);
+ task = (task_t*)ike_config_create(&other->public, other->policy);
+ other->task_manager->queue_task(other->task_manager, task);
+ task = (task_t*)ike_auth_create(&other->public, TRUE);
+ other->task_manager->queue_task(other->task_manager, task);
+ }
+
+ other->task_manager->adopt_tasks(other->task_manager, this->task_manager);
+
+ /* Create task for established children, adopt routed children directly */
+ iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+ while(iterator->iterate(iterator, (void**)&child_sa))
+ {
+ switch (child_sa->get_state(child_sa))
+ {
+ case CHILD_ROUTED:
+ {
+ iterator->remove(iterator);
+ other->child_sas->insert_first(other->child_sas, child_sa);
+ break;
+ }
+ default:
+ {
+ policy = child_sa->get_policy(child_sa);
+ task = (task_t*)child_create_create(&other->public, policy);
+ other->task_manager->queue_task(other->task_manager, task);
+ break;
+ }
+ }
+ }
+ iterator->destroy(iterator);
+
+ other->task_manager->initiate(other->task_manager);
+
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, &other->public);
+
+ job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
+ charon->job_queue->add(charon->job_queue, job);
+}
+
+/**
+ * Implementation of ike_sa_t.inherit.
+ */
+static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
+{
+ child_sa_t *child_sa;
+ host_t *ip;
+
+ /* apply hosts and ids */
+ this->my_host->destroy(this->my_host);
+ this->other_host->destroy(this->other_host);
+ this->my_id->destroy(this->my_id);
+ this->other_id->destroy(this->other_id);
+ this->my_host = other->my_host->clone(other->my_host);
+ this->other_host = other->other_host->clone(other->other_host);
+ this->my_id = other->my_id->clone(other->my_id);
+ this->other_id = other->other_id->clone(other->other_id);
+
+ /* apply virtual assigned IPs... */
+ if (other->my_virtual_ip)
+ {
+ this->my_virtual_ip = other->my_virtual_ip;
+ other->my_virtual_ip = NULL;
+ }
+ if (other->other_virtual_ip)
+ {
+ this->other_virtual_ip = other->other_virtual_ip;
+ other->other_virtual_ip = NULL;
+ }
+
+ /* ... and DNS servers */
+ while (other->dns_servers->remove_last(other->dns_servers,
+ (void**)&ip) == SUCCESS)
+ {
+ this->dns_servers->insert_first(this->dns_servers, ip);
+ }
+
+ /* adopt all children */
+ while (other->child_sas->remove_last(other->child_sas,
+ (void**)&child_sa) == SUCCESS)
+ {
+ this->child_sas->insert_first(this->child_sas, (void*)child_sa);
+ }
+
+ /* move pending tasks to the new IKE_SA */
+ this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
+
+ /* we have to initate here, there may be new tasks to handle */
+ return this->task_manager->initiate(this->task_manager);
+}
+
+/**
+ * Implementation of ike_sa_t.is_natt_enabled.
+ */
+static bool is_natt_enabled(private_ike_sa_t *this)
+{
+ return this->nat_here || this->nat_there;
+}
+
+/**
+ * Implementation of ike_sa_t.enable_natt.
+ */
+static void enable_natt(private_ike_sa_t *this, bool local)
+{
+ if (local)
+ {
+ DBG1(DBG_IKE, "local host is behind NAT, scheduling keep alives");
+ this->nat_here = TRUE;
+ send_keepalive(this);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "remote host is behind NAT");
+ this->nat_there = TRUE;
+ }
+}
+
+/**
+ * Implementation of ike_sa_t.set_virtual_ip
+ */
+static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
+{
+ if (local)
+ {
+ DBG1(DBG_IKE, "installing new virtual IP %H", ip);
+ if (this->my_virtual_ip)
+ {
+ DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
+ charon->kernel_interface->del_ip(charon->kernel_interface,
+ this->my_virtual_ip,
+ this->my_host);
+ this->my_virtual_ip->destroy(this->my_virtual_ip);
+ }
+ if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
+ this->my_host) == SUCCESS)
+ {
+ this->my_virtual_ip = ip->clone(ip);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
+ this->my_virtual_ip = NULL;
+ }
+ }
+ else
+ {
+ DESTROY_IF(this->other_virtual_ip);
+ this->other_virtual_ip = ip->clone(ip);
+ }
+}
+
+/**
+ * Implementation of ike_sa_t.get_virtual_ip
+ */
+static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
+{
+ if (local)
+ {
+ return this->my_virtual_ip;
+ }
+ else
+ {
+ return this->other_virtual_ip;
+ }
+}
+
+/**
+ * Implementation of ike_sa_t.remove_dns_server
+ */
+static void remove_dns_servers(private_ike_sa_t *this)
+{
+ FILE *file;
+ struct stat stats;
+ chunk_t contents, line, orig_line, token;
+ char string[INET6_ADDRSTRLEN];
+ host_t *ip;
+ iterator_t *iterator;
+
+ if (this->dns_servers->get_count(this->dns_servers) == 0)
+ {
+ /* don't touch anything if we have no nameservers installed */
+ return;
+ }
+
+ file = fopen(RESOLV_CONF, "r");
+ if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
+ {
+ DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF);
+ return;
+ }
+
+ contents = chunk_alloca((size_t)stats.st_size);
+
+ if (fread(contents.ptr, 1, contents.len, file) != contents.len)
+ {
+ DBG1(DBG_IKE, "unable to read DNS configuration file: %m");
+ fclose(file);
+ return;
+ }
+
+ fclose(file);
+ file = fopen(RESOLV_CONF, "w");
+ if (file == NULL)
+ {
+ DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF);
+ return;
+ }
+
+ iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE);
+ while (fetchline(&contents, &line))
+ {
+ bool found = FALSE;
+ orig_line = line;
+ if (extract_token(&token, ' ', &line) &&
+ strncasecmp(token.ptr, "nameserver", token.len) == 0)
+ {
+ if (!extract_token(&token, ' ', &line))
+ {
+ token = line;
+ }
+ iterator->reset(iterator);
+ while (iterator->iterate(iterator, (void**)&ip))
+ {
+ snprintf(string, sizeof(string), "%H", ip);
+ if (strlen(string) == token.len &&
+ strncmp(token.ptr, string, token.len) == 0)
+ {
+ iterator->remove(iterator);
+ ip->destroy(ip);
+ found = TRUE;
+ break;
+ }
+ }
+ }
+
+ if (!found)
+ {
+ /* write line untouched back to file */
+ fwrite(orig_line.ptr, orig_line.len, 1, file);
+ fprintf(file, "\n");
+ }
+ }
+ iterator->destroy(iterator);
+ fclose(file);
+}
+
+/**
+ * Implementation of ike_sa_t.add_dns_server
+ */
+static void add_dns_server(private_ike_sa_t *this, host_t *dns)
+{
+ FILE *file;
+ struct stat stats;
+ chunk_t contents;
+
+ DBG1(DBG_IKE, "installing DNS server %H", dns);
+
+ file = fopen(RESOLV_CONF, "a+");
+ if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
+ {
+ DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF);
+ return;
+ }
+
+ contents = chunk_alloca(stats.st_size);
+
+ if (fread(contents.ptr, 1, contents.len, file) != contents.len)
+ {
+ DBG1(DBG_IKE, "unable to read DNS configuration file: %m");
+ fclose(file);
+ return;
+ }
+
+ fclose(file);
+ file = fopen(RESOLV_CONF, "w");
+ if (file == NULL)
+ {
+ DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF);
+ return;
+ }
+
+ if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n",
+ dns, this->other_id) < 0)
+ {
+ DBG1(DBG_IKE, "unable to write DNS configuration: %m");
+ }
+ else
+ {
+ this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
+ }
+ fwrite(contents.ptr, contents.len, 1, file);
+
+ fclose(file);
+}
+
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ int written = 0;
+ bool reauth = FALSE;
+ private_ike_sa_t *this = *((private_ike_sa_t**)(args[0]));
+
+ if (this->connection)
+ {
+ reauth = this->connection->get_reauth(this->connection);
+ }
+
+ if (this == NULL)
+ {
+ return fprintf(stream, "(null)");
+ }
+
+ written = fprintf(stream, "%12s[%d]: %N, %H[%D]...%H[%D]", get_name(this),
+ this->unique_id, ike_sa_state_names, this->state,
+ this->my_host, this->my_id, this->other_host,
+ this->other_id);
+ written += fprintf(stream, "\n%12s[%d]: IKE SPIs: %J, %s in %ds",
+ get_name(this), this->unique_id, this->ike_sa_id,
+ this->connection && reauth? "reauthentication":"rekeying",
+ this->time.rekey - time(NULL));
+
+ if (info->alt)
+ {
+
+ }
+ return written;
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(PRINTF_IKE_SA, print, arginfo_ptr);
+}
+
+/**
+ * Implementation of ike_sa_t.destroy.
+ */
+static void destroy(private_ike_sa_t *this)
+{
+ this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
+
+ DESTROY_IF(this->crypter_in);
+ DESTROY_IF(this->crypter_out);
+ DESTROY_IF(this->signer_in);
+ DESTROY_IF(this->signer_out);
+ DESTROY_IF(this->prf);
+ DESTROY_IF(this->child_prf);
+ DESTROY_IF(this->auth_verify);
+ DESTROY_IF(this->auth_build);
+
+ if (this->my_virtual_ip)
+ {
+ charon->kernel_interface->del_ip(charon->kernel_interface,
+ this->my_virtual_ip, this->my_host);
+ this->my_virtual_ip->destroy(this->my_virtual_ip);
+ }
+ DESTROY_IF(this->other_virtual_ip);
+
+ remove_dns_servers(this);
+ this->dns_servers->destroy_offset(this->dns_servers, offsetof(host_t, destroy));
+
+ DESTROY_IF(this->my_host);
+ DESTROY_IF(this->other_host);
+ DESTROY_IF(this->my_id);
+ DESTROY_IF(this->other_id);
+
+ DESTROY_IF(this->connection);
+ DESTROY_IF(this->policy);
+
+ this->ike_sa_id->destroy(this->ike_sa_id);
+ this->task_manager->destroy(this->task_manager);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
+{
+ private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
+ static u_int32_t unique_id = 0;
+
+ /* Public functions */
+ this->public.get_state = (ike_sa_state_t(*)(ike_sa_t*)) get_state;
+ this->public.set_state = (void(*)(ike_sa_t*,ike_sa_state_t)) set_state;
+ this->public.get_name = (char*(*)(ike_sa_t*))get_name;
+ this->public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
+ this->public.initiate = (status_t(*)(ike_sa_t*,connection_t*,policy_t*)) initiate;
+ this->public.route = (status_t(*)(ike_sa_t*,connection_t*,policy_t*)) route;
+ this->public.unroute = (status_t(*)(ike_sa_t*,policy_t*)) unroute;
+ this->public.acquire = (status_t(*)(ike_sa_t*,u_int32_t)) acquire;
+ this->public.get_connection = (connection_t*(*)(ike_sa_t*))get_connection;
+ this->public.set_connection = (void(*)(ike_sa_t*,connection_t*))set_connection;
+ this->public.get_policy = (policy_t*(*)(ike_sa_t*))get_policy;
+ this->public.set_policy = (void(*)(ike_sa_t*,policy_t*))set_policy;
+ this->public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
+ this->public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host;
+ this->public.set_my_host = (void(*)(ike_sa_t*,host_t*)) set_my_host;
+ this->public.get_other_host = (host_t*(*)(ike_sa_t*)) get_other_host;
+ this->public.set_other_host = (void(*)(ike_sa_t*,host_t*)) set_other_host;
+ this->public.get_my_id = (identification_t*(*)(ike_sa_t*)) get_my_id;
+ this->public.set_my_id = (void(*)(ike_sa_t*,identification_t*)) set_my_id;
+ this->public.get_other_id = (identification_t*(*)(ike_sa_t*)) get_other_id;
+ this->public.set_other_id = (void(*)(ike_sa_t*,identification_t*)) set_other_id;
+ this->public.retransmit = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit;
+ this->public.delete = (status_t(*)(ike_sa_t*))delete_;
+ this->public.destroy = (void(*)(ike_sa_t*))destroy;
+ this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
+ this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
+ this->public.get_prf = (prf_t *(*) (ike_sa_t *)) get_prf;
+ this->public.get_child_prf = (prf_t *(*) (ike_sa_t *)) get_child_prf;
+ this->public.get_auth_verify = (prf_t *(*) (ike_sa_t *)) get_auth_verify;
+ this->public.get_auth_build = (prf_t *(*) (ike_sa_t *)) get_auth_build;
+ this->public.derive_keys = (status_t (*) (ike_sa_t *,proposal_t*,chunk_t,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys;
+ this->public.add_child_sa = (void (*) (ike_sa_t*,child_sa_t*)) add_child_sa;
+ this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
+ this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
+ this->public.rekey_child_sa = (status_t(*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
+ this->public.delete_child_sa = (status_t(*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
+ this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
+ this->public.enable_natt = (void(*)(ike_sa_t*, bool)) enable_natt;
+ this->public.is_natt_enabled = (bool(*)(ike_sa_t*)) is_natt_enabled;
+ this->public.rekey = (status_t(*)(ike_sa_t*))rekey;
+ this->public.reestablish = (void(*)(ike_sa_t*))reestablish;
+ this->public.inherit = (status_t(*)(ike_sa_t*,ike_sa_t*))inherit;
+ this->public.generate_message = (status_t(*)(ike_sa_t*,message_t*,packet_t**))generate_message;
+ this->public.reset = (void(*)(ike_sa_t*))reset;
+ this->public.get_unique_id = (u_int32_t(*)(ike_sa_t*))get_unique_id;
+ this->public.set_virtual_ip = (void(*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
+ this->public.get_virtual_ip = (host_t*(*)(ike_sa_t*,bool))get_virtual_ip;
+ this->public.add_dns_server = (void(*)(ike_sa_t*,host_t*))add_dns_server;
+
+ /* initialize private fields */
+ this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+ this->child_sas = linked_list_create();
+ this->my_host = host_create_any(AF_INET);
+ this->other_host = host_create_any(AF_INET);
+ this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
+ this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
+ this->crypter_in = NULL;
+ this->crypter_out = NULL;
+ this->signer_in = NULL;
+ this->signer_out = NULL;
+ this->prf = NULL;
+ this->auth_verify = NULL;
+ this->auth_build = NULL;
+ this->child_prf = NULL;
+ this->nat_here = FALSE;
+ this->nat_there = FALSE;
+ this->state = IKE_CREATED;
+ this->time.inbound = this->time.outbound = time(NULL);
+ this->time.established = 0;
+ this->time.rekey = 0;
+ this->time.delete = 0;
+ this->connection = NULL;
+ this->policy = NULL;
+ this->task_manager = task_manager_create(&this->public);
+ this->unique_id = ++unique_id;
+ this->my_virtual_ip = NULL;
+ this->other_virtual_ip = NULL;
+ this->dns_servers = linked_list_create();
+ this->keyingtry = 0;
+
+ return &this->public;
+}
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
new file mode 100644
index 000000000..604ec94a9
--- /dev/null
+++ b/src/charon/sa/ike_sa.h
@@ -0,0 +1,649 @@
+/**
+ * @file ike_sa.h
+ *
+ * @brief Interface of ike_sa_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IKE_SA_H_
+#define IKE_SA_H_
+
+typedef enum ike_sa_state_t ike_sa_state_t;
+typedef struct ike_sa_t ike_sa_t;
+
+#include <library.h>
+#include <encoding/message.h>
+#include <encoding/payloads/proposal_substructure.h>
+#include <sa/ike_sa_id.h>
+#include <sa/child_sa.h>
+#include <sa/tasks/task.h>
+#include <config/configuration.h>
+#include <utils/randomizer.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/signers/signer.h>
+#include <config/connections/connection.h>
+#include <config/policies/policy.h>
+#include <config/proposal.h>
+
+/**
+ * @brief State of an IKE_SA.
+ *
+ * An IKE_SA passes various states in its lifetime. A newly created
+ * SA is in the state CREATED.
+ * @verbatim
+ +----------------+
+ ¦ SA_CREATED ¦
+ +----------------+
+ ¦
+ on initiate()---> ¦ <----- on IKE_SA_INIT received
+ V
+ +----------------+
+ ¦ SA_CONNECTING ¦
+ +----------------+
+ ¦
+ ¦ <----- on IKE_AUTH successfully completed
+ V
+ +----------------+
+ ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
+ +----------------+ ¦
+ ¦ V
+ on delete()---> ¦ <----- on IKE_SA +-------------+
+ ¦ delete request ¦ SA_REKEYING ¦
+ ¦ received +-------------+
+ V ¦
+ +----------------+ ¦
+ ¦ SA_DELETING ¦<------------------------+ <-- after rekeying
+ +----------------+
+ ¦
+ ¦ <----- after delete() acknowledged
+ ¦
+ \V/
+ X
+ / \
+ @endverbatim
+ *
+ * @ingroup sa
+ */
+enum ike_sa_state_t {
+
+ /**
+ * IKE_SA just got created, but is not initiating nor responding yet.
+ */
+ IKE_CREATED,
+
+ /**
+ * IKE_SA gets initiated actively or passively
+ */
+ IKE_CONNECTING,
+
+ /**
+ * IKE_SA is fully established
+ */
+ IKE_ESTABLISHED,
+
+ /**
+ * IKE_SA rekeying in progress
+ */
+ IKE_REKEYING,
+
+ /**
+ * IKE_SA is in progress of deletion
+ */
+ IKE_DELETING,
+};
+
+/**
+ * enum names for ike_sa_state_t.
+ */
+extern enum_name_t *ike_sa_state_names;
+
+/**
+ * @brief Class ike_sa_t representing an IKE_SA.
+ *
+ * An IKE_SA contains crypto information related to a connection
+ * with a peer. It contains multiple IPsec CHILD_SA, for which
+ * it is responsible. All traffic is handled by an IKE_SA, using
+ * the task manager and its tasks.
+ *
+ * @b Constructors:
+ * - ike_sa_create()
+ *
+ * @ingroup sa
+ */
+struct ike_sa_t {
+
+ /**
+ * @brief Get the id of the SA.
+ *
+ * Returned ike_sa_id_t object is not getting cloned!
+ *
+ * @param this calling object
+ * @return ike_sa's ike_sa_id_t
+ */
+ ike_sa_id_t* (*get_id) (ike_sa_t *this);
+
+ /**
+ * @brief Get the numerical ID uniquely defining this IKE_SA.
+ *
+ * @param this calling object
+ * @return unique ID
+ */
+ u_int32_t (*get_unique_id) (ike_sa_t *this);
+
+ /**
+ * @brief Get the state of the IKE_SA.
+ *
+ * @param this calling object
+ * @return state of the IKE_SA
+ */
+ ike_sa_state_t (*get_state) (ike_sa_t *this);
+
+ /**
+ * @brief Set the state of the IKE_SA.
+ *
+ * @param this calling object
+ * @param state state to set for the IKE_SA
+ */
+ void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa);
+
+ /**
+ * @brief Get the name of the connection this IKE_SA uses.
+ *
+ * @param this calling object
+ * @return name
+ */
+ char* (*get_name) (ike_sa_t *this);
+
+ /**
+ * @brief Get the own host address.
+ *
+ * @param this calling object
+ * @return host address
+ */
+ host_t* (*get_my_host) (ike_sa_t *this);
+
+ /**
+ * @brief Set the own host address.
+ *
+ * @param this calling object
+ * @param me host address
+ */
+ void (*set_my_host) (ike_sa_t *this, host_t *me);
+
+ /**
+ * @brief Get the other peers host address.
+ *
+ * @param this calling object
+ * @return host address
+ */
+ host_t* (*get_other_host) (ike_sa_t *this);
+
+ /**
+ * @brief Set the others host address.
+ *
+ * @param this calling object
+ * @param other host address
+ */
+ void (*set_other_host) (ike_sa_t *this, host_t *other);
+
+ /**
+ * @brief Get the own identification.
+ *
+ * @param this calling object
+ * @return identification
+ */
+ identification_t* (*get_my_id) (ike_sa_t *this);
+
+ /**
+ * @brief Set the own identification.
+ *
+ * @param this calling object
+ * @param me identification
+ */
+ void (*set_my_id) (ike_sa_t *this, identification_t *me);
+
+ /**
+ * @brief Get the other peers identification.
+ *
+ * @param this calling object
+ * @return identification
+ */
+ identification_t* (*get_other_id) (ike_sa_t *this);
+
+ /**
+ * @brief Set the other peers identification.
+ *
+ * @param this calling object
+ * @param other identification
+ */
+ void (*set_other_id) (ike_sa_t *this, identification_t *other);
+
+ /**
+ * @brief Get the connection used by this IKE_SA.
+ *
+ * @param this calling object
+ * @return connection
+ */
+ connection_t* (*get_connection) (ike_sa_t *this);
+
+ /**
+ * @brief Set the connection to use with this IKE_SA.
+ *
+ * @param this calling object
+ * @param connection connection to use
+ */
+ void (*set_connection) (ike_sa_t *this, connection_t* connection);
+
+ /**
+ * @brief Get the policy used by this IKE_SA.
+ *
+ * @param this calling object
+ * @return policy
+ */
+ policy_t* (*get_policy) (ike_sa_t *this);
+
+ /**
+ * @brief Set the policy to use with this IKE_SA.
+ *
+ * @param this calling object
+ * @param policy policy to use
+ */
+ void (*set_policy) (ike_sa_t *this, policy_t *policy);
+
+ /**
+ * @brief Initiate a new connection.
+ *
+ * The policy/connection is owned by the IKE_SA after the call, so
+ * do not modify or destroy it.
+ *
+ * @param this calling object
+ * @param connection connection to initiate
+ * @param policy policy to set up
+ * @return
+ * - SUCCESS if initialization started
+ * - DESTROY_ME if initialization failed and IKE_SA MUST be deleted
+ */
+ status_t (*initiate) (ike_sa_t *this, connection_t *connection, policy_t *policy);
+
+ /**
+ * @brief Route a policy in the kernel.
+ *
+ * Installs the policies in the kernel. If traffic matches,
+ * the kernel requests connection setup from the IKE_SA via acquire().
+ *
+ * @param this calling object
+ * @param connection connection definition used for routing
+ * @param policy policy to route
+ * @return
+ * - SUCCESS if routed successfully
+ * - FAILED if routing failed
+ */
+ status_t (*route) (ike_sa_t *this, connection_t *connection, policy_t *policy);
+
+ /**
+ * @brief Unroute a policy in the kernel previously routed.
+ *
+ * @param this calling object
+ * @param policy policy to route
+ * @return
+ * - SUCCESS if route removed
+ * - DESTROY_ME if last route was removed from
+ * an IKE_SA which was not established
+ */
+ status_t (*unroute) (ike_sa_t *this, policy_t *policy);
+
+ /**
+ * @brief Acquire connection setup for a policy.
+ *
+ * If an installed policy raises an acquire, the kernel calls
+ * this function to establish the CHILD_SA (and maybe the IKE_SA).
+ *
+ * @param this calling object
+ * @param reqid reqid of the CHILD_SA the policy belongs to.
+ * @return
+ * - SUCCESS if initialization started
+ * - DESTROY_ME if initialization failed and IKE_SA MUST be deleted
+ */
+ status_t (*acquire) (ike_sa_t *this, u_int32_t reqid);
+
+ /**
+ * @brief Initiates the deletion of an IKE_SA.
+ *
+ * Sends a delete message to the remote peer and waits for
+ * its response. If the response comes in, or a timeout occurs,
+ * the IKE SA gets deleted.
+ *
+ * @param this calling object
+ * @return
+ * - SUCCESS if deletion is initialized
+ * - INVALID_STATE, if the IKE_SA is not in
+ * an established state and can not be
+ * delete (but destroyed).
+ */
+ status_t (*delete) (ike_sa_t *this);
+
+ /**
+ * @brief Processes a incoming IKEv2-Message.
+ *
+ * Message processing may fail. If a critical failure occurs,
+ * process_message() return DESTROY_ME. Then the caller must
+ * destroy the IKE_SA immediatly, as it is unusable.
+ *
+ * @param this calling object
+ * @param message message to process
+ * @return
+ * - SUCCESS
+ * - FAILED
+ * - DESTROY_ME if this IKE_SA MUST be deleted
+ */
+ status_t (*process_message) (ike_sa_t *this, message_t *message);
+
+ /**
+ * @brief Generate a IKE message to send it to the peer.
+ *
+ * This method generates all payloads in the message and encrypts/signs
+ * the packet.
+ *
+ * @param this calling object
+ * @param message message to generate
+ * @param packet generated output packet
+ * @return
+ * - SUCCESS
+ * - FAILED
+ * - DESTROY_ME if this IKE_SA MUST be deleted
+ */
+ status_t (*generate_message) (ike_sa_t *this, message_t *message,
+ packet_t **packet);
+
+ /**
+ * @brief Retransmits a request.
+ *
+ * @param this calling object
+ * @param message_id ID of the request to retransmit
+ * @return
+ * - SUCCESS
+ * - NOT_FOUND if request doesn't have to be retransmited
+ */
+ status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);
+
+ /**
+ * @brief Sends a DPD request to the peer.
+ *
+ * To check if a peer is still alive, periodic
+ * empty INFORMATIONAL messages are sent if no
+ * other traffic was received.
+ *
+ * @param this calling object
+ * @return
+ * - SUCCESS
+ * - DESTROY_ME, if peer did not respond
+ */
+ status_t (*send_dpd) (ike_sa_t *this);
+
+ /**
+ * @brief Sends a keep alive packet.
+ *
+ * To refresh NAT tables in a NAT router
+ * between the peers, periodic empty
+ * UDP packets are sent if no other traffic
+ * was sent.
+ *
+ * @param this calling object
+ */
+ void (*send_keepalive) (ike_sa_t *this);
+
+ /**
+ * @brief Check if NAT traversal is enabled for this IKE_SA.
+ *
+ * @param this calling object
+ * @return TRUE if NAT traversal enabled
+ */
+ bool (*is_natt_enabled) (ike_sa_t *this);
+
+ /**
+ * @brief Enable NAT detection for this IKE_SA.
+ *
+ * If a Network address translation is detected with
+ * NAT_DETECTION notifys, a SA must switch to ports
+ * 4500. To enable this behavior, call enable_natt().
+ * It is relevant which peer is NATted, this is specified
+ * with the "local" parameter. Call it twice when both
+ * are NATted.
+ *
+ * @param this calling object
+ * @param local TRUE, if we are NATted, FALSE if other
+ */
+ void (*enable_natt) (ike_sa_t *this, bool local);
+
+ /**
+ * @brief Derive all keys and create the transforms for IKE communication.
+ *
+ * Keys are derived using the diffie hellman secret, nonces and internal
+ * stored SPIs.
+ * Key derivation differs when an IKE_SA is set up to replace an
+ * existing IKE_SA (rekeying). The SK_d key from the old IKE_SA
+ * is included in the derivation process.
+ *
+ * @param this calling object
+ * @param proposal proposal which contains algorithms to use
+ * @param secret secret derived from DH exchange, gets freed
+ * @param nonce_i initiators nonce
+ * @param nonce_r responders nonce
+ * @param initiator TRUE if initiator, FALSE otherwise
+ * @param child_prf PRF with SK_d key when rekeying, NULL otherwise
+ * @param old_prf general purpose PRF of old SA when rekeying
+ */
+ status_t (*derive_keys)(ike_sa_t *this, proposal_t* proposal, chunk_t secret,
+ chunk_t nonce_i, chunk_t nonce_r,
+ bool initiator, prf_t *child_prf, prf_t *old_prf);
+
+ /**
+ * @brief Get the multi purpose prf.
+ *
+ * @param this calling object
+ * @return pointer to prf_t object
+ */
+ prf_t *(*get_prf) (ike_sa_t *this);
+
+ /**
+ * @brief Get the prf-object, which is used to derive keys for child SAs.
+ *
+ * @param this calling object
+ * @return pointer to prf_t object
+ */
+ prf_t *(*get_child_prf) (ike_sa_t *this);
+
+ /**
+ * @brief Get the prf to build outgoing authentication data.
+ *
+ * @param this calling object
+ * @return pointer to prf_t object
+ */
+ prf_t *(*get_auth_build) (ike_sa_t *this);
+
+ /**
+ * @brief Get the prf to verify incoming authentication data.
+ *
+ * @param this calling object
+ * @return pointer to prf_t object
+ */
+ prf_t *(*get_auth_verify) (ike_sa_t *this);
+
+ /**
+ * @brief Associates a child SA to this IKE SA
+ *
+ * @param this calling object
+ * @param child_sa child_sa to add
+ */
+ void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
+
+ /**
+ * @brief Get a CHILD_SA identified by protocol and SPI.
+ *
+ * @param this calling object
+ * @param protocol protocol of the SA
+ * @param spi SPI of the CHILD_SA
+ * @param inbound TRUE if SPI is inbound, FALSE if outbound
+ * @return child_sa, or NULL if none found
+ */
+ child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
+ u_int32_t spi, bool inbound);
+
+ /**
+ * @brief Create an iterator over all CHILD_SAs.
+ *
+ * @param this calling object
+ * @return iterator
+ */
+ iterator_t* (*create_child_sa_iterator) (ike_sa_t *this);
+
+ /**
+ * @brief Rekey the CHILD SA with the specified reqid.
+ *
+ * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
+ *
+ * @param this calling object
+ * @param protocol protocol of the SA
+ * @param spi inbound SPI of the CHILD_SA
+ * @return
+ * - NOT_FOUND, if IKE_SA has no such CHILD_SA
+ * - SUCCESS, if rekeying initiated
+ */
+ status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
+
+ /**
+ * @brief Close the CHILD SA with the specified protocol/SPI.
+ *
+ * Looks for a CHILD SA owned by this IKE_SA, deletes it and
+ * notify's the remote peer about the delete. The associated
+ * states and policies in the kernel get deleted, if they exist.
+ *
+ * @param this calling object
+ * @param protocol protocol of the SA
+ * @param spi inbound SPI of the CHILD_SA
+ * @return
+ * - NOT_FOUND, if IKE_SA has no such CHILD_SA
+ * - SUCCESS, if delete message sent
+ */
+ status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
+
+ /**
+ * @brief Destroy a CHILD SA with the specified protocol/SPI.
+ *
+ * Looks for a CHILD SA owned by this IKE_SA and destroys it.
+ *
+ * @param this calling object
+ * @param protocol protocol of the SA
+ * @param spi inbound SPI of the CHILD_SA
+ * @return
+ * - NOT_FOUND, if IKE_SA has no such CHILD_SA
+ * - SUCCESS
+ */
+ status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);
+
+ /**
+ * @brief Rekey the IKE_SA.
+ *
+ * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
+ *
+ * @param this calling object
+ * @return - SUCCESS, if IKE_SA rekeying initiated
+ */
+ status_t (*rekey) (ike_sa_t *this);
+
+ /**
+ * @brief Restablish the IKE_SA.
+ *
+ * Create a completely new IKE_SA with authentication, recreates all children
+ * within the IKE_SA, but lets the old IKE_SA untouched.
+ *
+ * @param this calling object
+ */
+ void (*reestablish) (ike_sa_t *this);
+
+ /**
+ * @brief Set the virtual IP to use for this IKE_SA and its children.
+ *
+ * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
+ * lifetime as the IKE_SA.
+ *
+ * @param this calling object
+ */
+ void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
+
+ /**
+ * @brief Get the virtual IP configured.
+ *
+ * @param this calling object
+ * @param local TRUE to get local virtual IP, FALSE for remote
+ */
+ host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);
+
+ /**
+ * @brief Add a DNS server to the system.
+ *
+ * An IRAS may send a DNS server. To use it, it is installed on the
+ * system. The DNS entry has a lifetime until the IKE_SA gets closed.
+ *
+ * @param this calling object
+ * @param dns DNS server to install on the system
+ */
+ void (*add_dns_server) (ike_sa_t *this, host_t *dns);
+
+ /**
+ * @brief Inherit all attributes of other to this after rekeying.
+ *
+ * When rekeying is completed, all CHILD_SAs, the virtual IP and all
+ * outstanding tasks are moved from other to this.
+ * As this call may initiate inherited tasks, a status is returned.
+ *
+ * @param this calling object
+ * @param other other task to inherit from
+ * @return DESTROY_ME if initiation of inherited task failed
+ */
+ status_t (*inherit) (ike_sa_t *this, ike_sa_t *other);
+
+ /**
+ * @brief Reset the IKE_SA, useable when initiating fails
+ *
+ * @param this calling object
+ */
+ void (*reset) (ike_sa_t *this);
+
+ /**
+ * @brief Destroys a ike_sa_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (ike_sa_t *this);
+};
+
+/**
+ * @brief Creates an ike_sa_t object with a specific ID.
+ *
+ * @param ike_sa_id ike_sa_id_t object to associate with new IKE_SA
+ * @return ike_sa_t object
+ *
+ * @ingroup sa
+ */
+ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id);
+
+#endif /* IKE_SA_H_ */
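Review bot: The comment on `derive_keys` documents no return value although the member returns `status_t`, and it says the DH `secret` "gets freed" without stating whether that also holds when derivation fails. Callers need both facts to handle an error without leaking or double-freeing key material. I would add a `@return` list in the style used for `initiate` and extend the `secret` line to name the owner of the chunk on every path; the implementation is not part of this hunk, so the exact wording has to be checked against it. Two smaller mismatches in the same struct: `set_state` names its parameter `ike_sa` while the comment documents `state`, so `void (*set_state) (ike_sa_t *this, ike_sa_state_t state);` would match, and the `rekey_child_sa` brief speaks of a reqid while the signature takes protocol and SPI.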
diff --git a/src/charon/sa/ike_sa_id.c b/src/charon/sa/ike_sa_id.c
new file mode 100644
index 000000000..c143fc0ba
--- /dev/null
+++ b/src/charon/sa/ike_sa_id.c
@@ -0,0 +1,215 @@
+/**
+ * @file ike_sa_id.c
+ *
+ * @brief Implementation of ike_sa_id_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "ike_sa_id.h"
+
+#include <printf.h>
+#include <stdio.h>
+
+
+typedef struct private_ike_sa_id_t private_ike_sa_id_t;
+
+/**
+ * Private data of an ike_sa_id_t object.
+ */
+struct private_ike_sa_id_t {
+ /**
+ * Public interface of ike_sa_id_t.
+ */
+ ike_sa_id_t public;
+
+ /**
+ * SPI of Initiator.
+ */
+ u_int64_t initiator_spi;
+
+ /**
+ * SPI of Responder.
+ */
+ u_int64_t responder_spi;
+
+ /**
+ * Role for specific IKE_SA.
+ */
+ bool is_initiator_flag;
+};
+
+/**
+ * Implementation of ike_sa_id_t.set_responder_spi.
+ */
+static void set_responder_spi (private_ike_sa_id_t *this, u_int64_t responder_spi)
+{
+ this->responder_spi = responder_spi;
+}
+
+/**
+ * Implementation of ike_sa_id_t.set_initiator_spi.
+ */
+static void set_initiator_spi(private_ike_sa_id_t *this, u_int64_t initiator_spi)
+{
+ this->initiator_spi = initiator_spi;
+}
+
+/**
+ * Implementation of ike_sa_id_t.get_initiator_spi.
+ */
+static u_int64_t get_initiator_spi (private_ike_sa_id_t *this)
+{
+ return this->initiator_spi;
+}
+
+/**
+ * Implementation of ike_sa_id_t.get_responder_spi.
+ */
+static u_int64_t get_responder_spi (private_ike_sa_id_t *this)
+{
+ return this->responder_spi;
+}
+
+/**
+ * Implementation of ike_sa_id_t.equals.
+ */
+static bool equals (private_ike_sa_id_t *this, private_ike_sa_id_t *other)
+{
+ if (other == NULL)
+ {
+ return FALSE;
+ }
+ if ((this->is_initiator_flag == other->is_initiator_flag) &&
+ (this->initiator_spi == other->initiator_spi) &&
+ (this->responder_spi == other->responder_spi))
+ {
+ /* private_ike_sa_id's are equal */
+ return TRUE;
+ }
+ else
+ {
+ /* private_ike_sa_id's are not equal */
+ return FALSE;
+ }
+}
+
+/**
+ * Implementation of ike_sa_id_t.replace_values.
+ */
+static void replace_values(private_ike_sa_id_t *this, private_ike_sa_id_t *other)
+{
+ this->initiator_spi = other->initiator_spi;
+ this->responder_spi = other->responder_spi;
+ this->is_initiator_flag = other->is_initiator_flag;
+}
+
+/**
+ * Implementation of ike_sa_id_t.is_initiator.
+ */
+static bool is_initiator(private_ike_sa_id_t *this)
+{
+ return this->is_initiator_flag;
+}
+
+/**
+ * Implementation of ike_sa_id_t.switch_initiator.
+ */
+static bool switch_initiator(private_ike_sa_id_t *this)
+{
+ if (this->is_initiator_flag)
+ {
+ this->is_initiator_flag = FALSE;
+ }
+ else
+ {
+ this->is_initiator_flag = TRUE;
+ }
+ return this->is_initiator_flag;
+}
+
+/**
+ * Implementation of ike_sa_id_t.clone.
+ */
+static ike_sa_id_t* clone_(private_ike_sa_id_t *this)
+{
+ return ike_sa_id_create(this->initiator_spi, this->responder_spi, this->is_initiator_flag);
+}
+
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ private_ike_sa_id_t *this = *((private_ike_sa_id_t**)(args[0]));
+
+ if (this == NULL)
+ {
+ return fprintf(stream, "(null)");
+ }
+ return fprintf(stream, "0x%0llx_i%s 0x%0llx_r%s",
+ this->initiator_spi,
+ this->is_initiator_flag ? "*" : "",
+ this->responder_spi,
+ this->is_initiator_flag ? "" : "*");
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(PRINTF_IKE_SA_ID, print, arginfo_ptr);
+}
+
+/**
+ * Implementation of ike_sa_id_t.destroy.
+ */
+static void destroy(private_ike_sa_id_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_sa_id_t * ike_sa_id_create(u_int64_t initiator_spi, u_int64_t responder_spi, bool is_initiator_flag)
+{
+ private_ike_sa_id_t *this = malloc_thing(private_ike_sa_id_t);
+
+ /* public functions */
+ this->public.set_responder_spi = (void(*)(ike_sa_id_t*,u_int64_t)) set_responder_spi;
+ this->public.set_initiator_spi = (void(*)(ike_sa_id_t*,u_int64_t)) set_initiator_spi;
+ this->public.get_responder_spi = (u_int64_t(*)(ike_sa_id_t*)) get_responder_spi;
+ this->public.get_initiator_spi = (u_int64_t(*)(ike_sa_id_t*)) get_initiator_spi;
+ this->public.equals = (bool(*)(ike_sa_id_t*,ike_sa_id_t*)) equals;
+ this->public.replace_values = (void(*)(ike_sa_id_t*,ike_sa_id_t*)) replace_values;
+ this->public.is_initiator = (bool(*)(ike_sa_id_t*)) is_initiator;
+ this->public.switch_initiator = (bool(*)(ike_sa_id_t*)) switch_initiator;
+ this->public.clone = (ike_sa_id_t*(*)(ike_sa_id_t*)) clone_;
+ this->public.destroy = (void(*)(ike_sa_id_t*))destroy;
+
+ /* private data */
+ this->initiator_spi = initiator_spi;
+ this->responder_spi = responder_spi;
+ this->is_initiator_flag = is_initiator_flag;
+
+ return &this->public;
+}
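Review bot: In `print`, the `u_int64_t` SPIs are passed to `fprintf` under `%0llx`, which expects `unsigned long long`; on platforms where `u_int64_t` is `unsigned long` the argument type does not match the conversion, so I would cast explicitly, e.g. `(unsigned long long)this->initiator_spi` and likewise for `responder_spi`. The `0` flag has no effect without a field width, so if fixed-width SPIs in the log were intended the conversion would need to be `%016llx`. Separately, `replace_values` dereferences `other` without the NULL check that `equals` performs; either add the same guard or document in the header that `other` must not be NULL. `ike_sa_id_create` also uses the result of `malloc_thing` unchecked, which is only safe if that macro (defined outside this hunk) never returns NULL.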
diff --git a/src/charon/sa/ike_sa_id.h b/src/charon/sa/ike_sa_id.h
new file mode 100644
index 000000000..0606b7222
--- /dev/null
+++ b/src/charon/sa/ike_sa_id.h
@@ -0,0 +1,147 @@
+/**
+ * @file ike_sa_id.h
+ *
+ * @brief Interface of ike_sa_id_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#ifndef IKE_SA_ID_H_
+#define IKE_SA_ID_H_
+
+typedef struct ike_sa_id_t ike_sa_id_t;
+
+#include <library.h>
+
+
+/**
+ * @brief An object of type ike_sa_id_t is used to identify an IKE_SA.
+ *
+ * An IKE_SA is identified by its initiator and responder spi's.
+ * Additionaly it contains the role of the actual running IKEv2-Daemon
+ * for the specific IKE_SA (original initiator or responder).
+ *
+ * @b Constructors:
+ * - ike_sa_id_create()
+ *
+ * @ingroup sa
+ */
+struct ike_sa_id_t {
+
+ /**
+ * @brief Set the SPI of the responder.
+ *
+ * This function is called when a request or reply of a IKE_SA_INIT is received.
+ *
+ * @param this calling object
+ * @param responder_spi SPI of responder to set
+ */
+ void (*set_responder_spi) (ike_sa_id_t *this, u_int64_t responder_spi);
+
+ /**
+ * @brief Set the SPI of the initiator.
+ *
+ * @param this calling object
+ * @param initiator_spi SPI to set
+ */
+ void (*set_initiator_spi) (ike_sa_id_t *this, u_int64_t initiator_spi);
+
+ /**
+ * @brief Get the initiator SPI.
+ *
+ * @param this calling object
+ * @return SPI of the initiator
+ */
+ u_int64_t (*get_initiator_spi) (ike_sa_id_t *this);
+
+ /**
+ * @brief Get the responder SPI.
+ *
+ * @param this calling object
+ * @return SPI of the responder
+ */
+ u_int64_t (*get_responder_spi) (ike_sa_id_t *this);
+
+ /**
+ * @brief Check if two ike_sa_id_t objects are equal.
+ *
+ * Two ike_sa_id_t objects are equal if both SPI values and the role matches.
+ *
+ * @param this calling object
+ * @param other ike_sa_id_t object to check if equal
+ * @return TRUE if given ike_sa_id_t are equal, FALSE otherwise
+ */
+ bool (*equals) (ike_sa_id_t *this, ike_sa_id_t *other);
+
+ /**
+ * @brief Replace all values of a given ike_sa_id_t object with values.
+ * from another ike_sa_id_t object.
+ *
+ * After calling this function, both objects are equal.
+ *
+ * @param this calling object
+ * @param other ike_sa_id_t object from which values will be taken
+ */
+ void (*replace_values) (ike_sa_id_t *this, ike_sa_id_t *other);
+
+ /**
+ * @brief Get the initiator flag.
+ *
+ * @param this calling object
+ * @return TRUE if we are the original initator
+ */
+ bool (*is_initiator) (ike_sa_id_t *this);
+
+ /**
+ * @brief Switche the original initiator flag.
+ *
+ * @param this calling object
+ * @return TRUE if we are the original initator after switch, FALSE otherwise
+ */
+ bool (*switch_initiator) (ike_sa_id_t *this);
+
+ /**
+ * @brief Clones a given ike_sa_id_t object.
+ *
+ * @param this calling object
+ * @return cloned ike_sa_id_t object
+ */
+ ike_sa_id_t *(*clone) (ike_sa_id_t *this);
+
+ /**
+ * @brief Destroys an ike_sa_id_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (ike_sa_id_t *this);
+};
+
+/**
+ * @brief Creates an ike_sa_id_t object with specific SPI's and defined role.
+ *
+ * @param initiator_spi initiators SPI
+ * @param responder_spi responders SPI
+ * @param is_initiaor TRUE if we are the original initiator
+ * @return ike_sa_id_t object
+ *
+ * @ingroup sa
+ */
+ike_sa_id_t * ike_sa_id_create(u_int64_t initiator_spi, u_int64_t responder_spi, bool is_initiaor);
+
+#endif /*IKE_SA_ID_H_*/
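Review bot: The `ike_sa_id_create` prototype and its `@param` line spell the third parameter `is_initiaor`, while the definition in ike_sa_id.c names it `is_initiator_flag`; using `bool is_initiator` in both the prototype and the comment would keep the generated documentation consistent. The `replace_values` comment should also state that `other` must not be NULL, because unlike `equals` the implementation in ike_sa_id.c dereferences it without a check. The `equals` comment could mention the opposite, for example `@param other ike_sa_id_t object to compare with, may be NULL`.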
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
new file mode 100644
index 000000000..791ef805e
--- /dev/null
+++ b/src/charon/sa/ike_sa_manager.c
@@ -0,0 +1,914 @@
+/**
+ * @file ike_sa_manager.c
+ *
+ * @brief Implementation of ike_sa_mananger_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <pthread.h>
+#include <string.h>
+
+#include "ike_sa_manager.h"
+
+#include <daemon.h>
+#include <sa/ike_sa_id.h>
+#include <bus/bus.h>
+#include <utils/linked_list.h>
+
+typedef struct entry_t entry_t;
+
+/**
+ * An entry in the linked list, contains IKE_SA, locking and lookup data.
+ */
+struct entry_t {
+
+ /**
+ * Number of threads waiting for this ike_sa_t object.
+ */
+ int waiting_threads;
+
+ /**
+ * Condvar where threads can wait until ike_sa_t object is free for use again.
+ */
+ pthread_cond_t condvar;
+
+ /**
+ * Is this ike_sa currently checked out?
+ */
+ bool checked_out;
+
+ /**
+ * Does this SA drives out new threads?
+ */
+ bool driveout_new_threads;
+
+ /**
+ * Does this SA drives out waiting threads?
+ */
+ bool driveout_waiting_threads;
+
+ /**
+ * Identifiaction of an IKE_SA (SPIs).
+ */
+ ike_sa_id_t *ike_sa_id;
+
+ /**
+ * The contained ike_sa_t object.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * hash of the IKE_SA_INIT message, used to detect retransmissions
+ */
+ chunk_t init_hash;
+
+ /**
+ * message ID currently processing, if any
+ */
+ u_int32_t message_id;
+};
+
+/**
+ * Implementation of entry_t.destroy.
+ */
+static status_t entry_destroy(entry_t *this)
+{
+ /* also destroy IKE SA */
+ this->ike_sa->destroy(this->ike_sa);
+ this->ike_sa_id->destroy(this->ike_sa_id);
+ chunk_free(&this->init_hash);
+ free(this);
+ return SUCCESS;
+}
+
+/**
+ * Creates a new entry for the ike_sa_t list.
+ */
+static entry_t *entry_create(ike_sa_id_t *ike_sa_id)
+{
+ entry_t *this = malloc_thing(entry_t);
+
+ this->waiting_threads = 0;
+ pthread_cond_init(&this->condvar, NULL);
+
+ /* we set checkout flag when we really give it out */
+ this->checked_out = FALSE;
+ this->driveout_new_threads = FALSE;
+ this->driveout_waiting_threads = FALSE;
+ this->message_id = -1;
+ this->init_hash = chunk_empty;
+
+ /* ike_sa_id is always cloned */
+ this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
+
+ /* create new ike_sa */
+ this->ike_sa = ike_sa_create(ike_sa_id);
+
+ return this;
+}
+
+
+typedef struct private_ike_sa_manager_t private_ike_sa_manager_t;
+
+/**
+ * Additional private members of ike_sa_manager_t.
+ */
+struct private_ike_sa_manager_t {
+ /**
+ * Public interface of ike_sa_manager_t.
+ */
+ ike_sa_manager_t public;
+
+ /**
+ * Lock for exclusivly accessing the manager.
+ */
+ pthread_mutex_t mutex;
+
+ /**
+ * Linked list with entries for the ike_sa_t objects.
+ */
+ linked_list_t *ike_sa_list;
+
+ /**
+ * A randomizer, to get random SPIs for our side
+ */
+ randomizer_t *randomizer;
+
+ /**
+ * SHA1 hasher for IKE_SA_INIT retransmit detection
+ */
+ hasher_t *hasher;
+};
+
+/**
+ * Implementation of private_ike_sa_manager_t.get_entry_by_id.
+ */
+static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id, entry_t **entry)
+{
+ linked_list_t *list = this->ike_sa_list;
+ iterator_t *iterator;
+ entry_t *current;
+ status_t status;
+
+ /* create iterator over list of ike_sa's */
+ iterator = list->create_iterator(list, TRUE);
+
+ /* default status */
+ status = NOT_FOUND;
+
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
+ {
+ DBG2(DBG_MGR, "found entry by both SPIs");
+ *entry = current;
+ status = SUCCESS;
+ break;
+ }
+ if (ike_sa_id->get_responder_spi(ike_sa_id) == 0 ||
+ current->ike_sa_id->get_responder_spi(current->ike_sa_id) == 0)
+ {
+ /* seems to be a half ready ike_sa */
+ if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) ==
+ ike_sa_id->get_initiator_spi(ike_sa_id)) &&
+ (current->ike_sa_id->is_initiator(ike_sa_id) ==
+ ike_sa_id->is_initiator(current->ike_sa_id)))
+ {
+ DBG2(DBG_MGR, "found entry by initiator SPI");
+ *entry = current;
+ status = SUCCESS;
+ break;
+ }
+ }
+ }
+
+ iterator->destroy(iterator);
+ return status;
+}
+
+/**
+ * Implementation of private_ike_sa_manager_t.get_entry_by_sa.
+ */
+static status_t get_entry_by_sa(private_ike_sa_manager_t *this, ike_sa_t *ike_sa, entry_t **entry)
+{
+ linked_list_t *list = this->ike_sa_list;
+ iterator_t *iterator;
+ entry_t *current;
+ status_t status;
+
+ iterator = list->create_iterator(list, TRUE);
+
+ /* default status */
+ status = NOT_FOUND;
+
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ /* only pointers are compared */
+ if (current->ike_sa == ike_sa)
+ {
+ DBG2(DBG_MGR, "found entry by pointer");
+ *entry = current;
+ status = SUCCESS;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ return status;
+}
+
+/**
+ * Implementation of private_ike_sa_manager_s.delete_entry.
+ */
+static status_t delete_entry(private_ike_sa_manager_t *this, entry_t *entry)
+{
+ linked_list_t *list = this->ike_sa_list;
+ iterator_t *iterator;
+ entry_t *current;
+ status_t status;
+
+ iterator = list->create_iterator(list, TRUE);
+
+ status = NOT_FOUND;
+
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (current == entry)
+ {
+ /* mark it, so now new threads can get this entry */
+ entry->driveout_new_threads = TRUE;
+ /* wait until all workers have done their work */
+ while (entry->waiting_threads)
+ {
+ /* wake up all */
+ pthread_cond_broadcast(&(entry->condvar));
+ /* they will wake us again when their work is done */
+ pthread_cond_wait(&(entry->condvar), &(this->mutex));
+ }
+
+ DBG2(DBG_MGR, "found entry by pointer, deleting it");
+ iterator->remove(iterator);
+ entry_destroy(entry);
+ status = SUCCESS;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return status;
+}
+
+/**
+ * Wait until no other thread is using an IKE_SA, return FALSE if entry not
+ * acquireable
+ */
+static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry)
+{
+ if (entry->driveout_new_threads)
+ {
+ /* we are not allowed to get this */
+ return FALSE;
+ }
+ while (entry->checked_out && !entry->driveout_waiting_threads)
+ {
+ /* so wait until we can get it for us.
+ * we register us as waiting. */
+ entry->waiting_threads++;
+ pthread_cond_wait(&(entry->condvar), &(this->mutex));
+ entry->waiting_threads--;
+ }
+ /* hm, a deletion request forbids us to get this SA, get next one */
+ if (entry->driveout_waiting_threads)
+ {
+ /* we must signal here, others may be waiting on it, too */
+ pthread_cond_signal(&(entry->condvar));
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Implementation of private_ike_sa_manager_t.get_next_spi.
+ */
+static u_int64_t get_next_spi(private_ike_sa_manager_t *this)
+{
+ u_int64_t spi;
+
+ this->randomizer->get_pseudo_random_bytes(this->randomizer, sizeof(spi),
+ (u_int8_t*)&spi);
+ return spi;
+}
+
+/**
+ * Implementation of of ike_sa_manager.checkout.
+ */
+static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
+{
+ ike_sa_t *ike_sa = NULL;
+ entry_t *entry;
+
+ DBG2(DBG_MGR, "checkout IKE_SA: %J, %d IKE_SAs in manager",
+ ike_sa_id, this->ike_sa_list->get_count(this->ike_sa_list));
+
+ pthread_mutex_lock(&(this->mutex));
+ if (get_entry_by_id(this, ike_sa_id, &entry) == SUCCESS)
+ {
+ if (wait_for_entry(this, entry))
+ {
+ DBG2(DBG_MGR, "IKE_SA successfully checked out");
+ entry->checked_out = TRUE;
+ ike_sa = entry->ike_sa;
+ }
+ }
+ pthread_mutex_unlock(&this->mutex);
+ charon->bus->set_sa(charon->bus, ike_sa);
+ return ike_sa;
+}
+
+/**
+ * Implementation of of ike_sa_manager.checkout_new.
+ */
+static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
+{
+ entry_t *entry;
+ ike_sa_id_t *id;
+
+ if (initiator)
+ {
+ id = ike_sa_id_create(get_next_spi(this), 0, TRUE);
+ }
+ else
+ {
+ id = ike_sa_id_create(0, get_next_spi(this), FALSE);
+ }
+ entry = entry_create(id);
+ pthread_mutex_lock(&this->mutex);
+ this->ike_sa_list->insert_last(this->ike_sa_list, entry);
+ entry->checked_out = TRUE;
+ pthread_mutex_unlock(&this->mutex);
+ DBG2(DBG_MGR, "created IKE_SA: %J, %d IKE_SAs in manager",
+ id, this->ike_sa_list->get_count(this->ike_sa_list));
+ return entry->ike_sa;
+}
+
+/**
+ * Implementation of of ike_sa_manager.checkout_by_id.
+ */
+static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this,
+ message_t *message)
+{
+ entry_t *entry;
+ ike_sa_t *ike_sa = NULL;
+ ike_sa_id_t *id = message->get_ike_sa_id(message);
+ id = id->clone(id);
+ id->switch_initiator(id);
+
+ DBG2(DBG_MGR, "checkout IKE_SA: %J by message, %d IKE_SAs in manager",
+ id, this->ike_sa_list->get_count(this->ike_sa_list));
+
+ if (message->get_request(message) &&
+ message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ /* IKE_SA_INIT request. Check for an IKE_SA with such a message hash. */
+ iterator_t *iterator;
+ chunk_t data, hash;
+
+ data = message->get_packet_data(message);
+ this->hasher->allocate_hash(this->hasher, data, &hash);
+ chunk_free(&data);
+
+ pthread_mutex_lock(&this->mutex);
+ iterator = this->ike_sa_list->create_iterator(this->ike_sa_list, TRUE);
+ while (iterator->iterate(iterator, (void**)&entry))
+ {
+ if (chunk_equals(hash, entry->init_hash))
+ {
+ if (entry->message_id == 0)
+ {
+ iterator->destroy(iterator);
+ pthread_mutex_unlock(&this->mutex);
+ chunk_free(&hash);
+ id->destroy(id);
+ DBG1(DBG_MGR, "ignoring IKE_SA_INIT, already processing");
+ return NULL;
+ }
+ else if (wait_for_entry(this, entry))
+ {
+ DBG2(DBG_MGR, "IKE_SA checked out by hash");
+ entry->checked_out = TRUE;
+ entry->message_id = message->get_message_id(message);
+ ike_sa = entry->ike_sa;
+ }
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ pthread_mutex_unlock(&this->mutex);
+
+ if (ike_sa == NULL)
+ {
+ if (id->get_responder_spi(id) == 0 &&
+ message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ /* no IKE_SA found, create a new one */
+ id->set_responder_spi(id, get_next_spi(this));
+ entry = entry_create(id);
+
+ pthread_mutex_lock(&this->mutex);
+ this->ike_sa_list->insert_last(this->ike_sa_list, entry);
+ entry->checked_out = TRUE;
+ entry->message_id = message->get_message_id(message);
+ pthread_mutex_unlock(&this->mutex);
+ entry->init_hash = hash;
+ ike_sa = entry->ike_sa;
+ }
+ else
+ {
+ DBG1(DBG_MGR, "ignoring message for %J, no such IKE_SA", id);
+ }
+ }
+ else
+ {
+ chunk_free(&hash);
+ }
+ id->destroy(id);
+ charon->bus->set_sa(charon->bus, ike_sa);
+ return ike_sa;
+ }
+
+ pthread_mutex_lock(&(this->mutex));
+ if (get_entry_by_id(this, id, &entry) == SUCCESS)
+ {
+ /* only check out if we are not processing this request */
+ if (message->get_request(message) &&
+ message->get_message_id(message) == entry->message_id)
+ {
+ DBG1(DBG_MGR, "ignoring request with ID %d, already processing",
+ entry->message_id);
+ }
+ else if (wait_for_entry(this, entry))
+ {
+ ike_sa_id_t *ike_id = entry->ike_sa->get_id(entry->ike_sa);
+ DBG2(DBG_MGR, "IKE_SA successfully checked out");
+ entry->checked_out = TRUE;
+ entry->message_id = message->get_message_id(message);
+ if (ike_id->get_responder_spi(ike_id) == 0)
+ {
+ ike_id->set_responder_spi(ike_id, id->get_responder_spi(id));
+ }
+ ike_sa = entry->ike_sa;
+ }
+ }
+ pthread_mutex_unlock(&this->mutex);
+ id->destroy(id);
+ charon->bus->set_sa(charon->bus, ike_sa);
+ return ike_sa;
+}
+
+/**
+ * Implementation of of ike_sa_manager.checkout_by_id.
+ */
+static ike_sa_t* checkout_by_peer(private_ike_sa_manager_t *this,
+ host_t *my_host, host_t *other_host,
+ identification_t *my_id,
+ identification_t *other_id)
+{
+ iterator_t *iterator;
+ entry_t *entry;
+ ike_sa_t *ike_sa = NULL;
+
+ pthread_mutex_lock(&(this->mutex));
+
+ iterator = this->ike_sa_list->create_iterator(this->ike_sa_list, TRUE);
+ while (iterator->iterate(iterator, (void**)&entry))
+ {
+ identification_t *found_my_id, *found_other_id;
+ host_t *found_my_host, *found_other_host;
+ int wc;
+
+ if (!wait_for_entry(this, entry))
+ {
+ continue;
+ }
+
+ if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
+ {
+ /* skip IKE_SA which are not useable */
+ continue;
+ }
+
+ found_my_id = entry->ike_sa->get_my_id(entry->ike_sa);
+ found_other_id = entry->ike_sa->get_other_id(entry->ike_sa);
+ found_my_host = entry->ike_sa->get_my_host(entry->ike_sa);
+ found_other_host = entry->ike_sa->get_other_host(entry->ike_sa);
+
+ if (found_my_id->get_type(found_my_id) == ID_ANY &&
+ found_other_id->get_type(found_other_id) == ID_ANY)
+ {
+ /* IKE_SA has no IDs yet, so we can't use it */
+ continue;
+ }
+
+ /* compare ID and hosts. Supplied ID may contain wildcards, and IP
+ * may be %any. */
+ if ((found_my_host->is_anyaddr(found_my_host) ||
+ my_host->ip_equals(my_host, found_my_host)) &&
+ (found_other_host->is_anyaddr(found_other_host) ||
+ other_host->ip_equals(other_host, found_other_host)) &&
+ found_my_id->matches(found_my_id, my_id, &wc) &&
+ found_other_id->matches(found_other_id, other_id, &wc))
+ {
+ /* looks good, we take this one */
+ DBG2(DBG_MGR, "found an existing IKE_SA for %H[%D]...%H[%D]",
+ my_host, other_host, my_id, other_id);
+ entry->checked_out = TRUE;
+ ike_sa = entry->ike_sa;
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (!ike_sa)
+ {
+ u_int64_t initiator_spi;
+ entry_t *new_entry;
+ ike_sa_id_t *new_ike_sa_id;
+
+ initiator_spi = get_next_spi(this);
+ new_ike_sa_id = ike_sa_id_create(0, 0, TRUE);
+ new_ike_sa_id->set_initiator_spi(new_ike_sa_id, initiator_spi);
+
+ /* create entry */
+ new_entry = entry_create(new_ike_sa_id);
+ DBG2(DBG_MGR, "created IKE_SA: %J", new_ike_sa_id);
+ new_ike_sa_id->destroy(new_ike_sa_id);
+
+ this->ike_sa_list->insert_last(this->ike_sa_list, new_entry);
+
+ /* check ike_sa out */
+ DBG2(DBG_MGR, "new IKE_SA created for IDs [%D]...[%D]", my_id, other_id);
+ new_entry->checked_out = TRUE;
+ ike_sa = new_entry->ike_sa;
+ }
+ pthread_mutex_unlock(&(this->mutex));
+ charon->bus->set_sa(charon->bus, ike_sa);
+ return ike_sa;
+}
+
+/**
+ * Implementation of of ike_sa_manager.checkout_by_id.
+ */
+static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id,
+ bool child)
+{
+ iterator_t *iterator, *children;
+ entry_t *entry;
+ ike_sa_t *ike_sa = NULL;
+ child_sa_t *child_sa;
+
+ pthread_mutex_lock(&(this->mutex));
+
+ iterator = this->ike_sa_list->create_iterator(this->ike_sa_list, TRUE);
+ while (iterator->iterate(iterator, (void**)&entry))
+ {
+ if (wait_for_entry(this, entry))
+ {
+ /* look for a child with such a reqid ... */
+ if (child)
+ {
+ children = entry->ike_sa->create_child_sa_iterator(entry->ike_sa);
+ while (children->iterate(children, (void**)&child_sa))
+ {
+ if (child_sa->get_reqid(child_sa) == id)
+ {
+ ike_sa = entry->ike_sa;
+ break;
+ }
+ }
+ children->destroy(children);
+ }
+ else /* ... or for a IKE_SA with such a unique id */
+ {
+ if (entry->ike_sa->get_unique_id(entry->ike_sa) == id)
+ {
+ ike_sa = entry->ike_sa;
+ }
+ }
+ /* got one, return */
+ if (ike_sa)
+ {
+ entry->checked_out = TRUE;
+ break;
+ }
+ }
+ }
+ iterator->destroy(iterator);
+ pthread_mutex_unlock(&(this->mutex));
+
+ charon->bus->set_sa(charon->bus, ike_sa);
+ return ike_sa;
+}
+
+/**
+ * Implementation of of ike_sa_manager.checkout_by_name.
+ */
+static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name,
+ bool child)
+{
+ iterator_t *iterator, *children;
+ entry_t *entry;
+ ike_sa_t *ike_sa = NULL;
+ child_sa_t *child_sa;
+
+ pthread_mutex_lock(&(this->mutex));
+
+ iterator = this->ike_sa_list->create_iterator(this->ike_sa_list, TRUE);
+ while (iterator->iterate(iterator, (void**)&entry))
+ {
+ if (wait_for_entry(this, entry))
+ {
+ /* look for a child with such a policy name ... */
+ if (child)
+ {
+ children = entry->ike_sa->create_child_sa_iterator(entry->ike_sa);
+ while (children->iterate(children, (void**)&child_sa))
+ {
+ if (streq(child_sa->get_name(child_sa), name))
+ {
+ ike_sa = entry->ike_sa;
+ break;
+ }
+ }
+ children->destroy(children);
+ }
+ else /* ... or for a IKE_SA with such a connection name */
+ {
+ if (streq(entry->ike_sa->get_name(entry->ike_sa), name))
+ {
+ ike_sa = entry->ike_sa;
+ }
+ }
+ /* got one, return */
+ if (ike_sa)
+ {
+ entry->checked_out = TRUE;
+ break;
+ }
+ }
+ }
+ iterator->destroy(iterator);
+ pthread_mutex_unlock(&(this->mutex));
+
+ charon->bus->set_sa(charon->bus, ike_sa);
+ return ike_sa;
+}
+
+/**
+ * Iterator hook for iterate, gets ike_sas instead of entries
+ */
+static bool iterator_hook(private_ike_sa_manager_t* this, entry_t *in,
+ ike_sa_t **out)
+{
+ /* check out entry */
+ if (wait_for_entry(this, in))
+ {
+ *out = in->ike_sa;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Implementation of ike_sa_manager_t.create_iterator.
+ */
+static iterator_t *create_iterator(private_ike_sa_manager_t* this)
+{
+ iterator_t *iterator = this->ike_sa_list->create_iterator_locked(
+ this->ike_sa_list, &this->mutex);
+ /* register hook to iterator over ike_sas, not entries */
+ iterator->set_iterator_hook(iterator, (iterator_hook_t*)iterator_hook, this);
+ return iterator;
+}
+
+/**
+ * Implementation of ike_sa_manager_t.checkin.
+ */
+static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
+{
+ /* to check the SA back in, we look for the pointer of the ike_sa
+ * in all entries.
+ * We can't search by SPI's since the MAY have changed (e.g. on reception
+ * of a IKE_SA_INIT response). Updating of the SPI MAY be necessary...
+ */
+ status_t retval;
+ entry_t *entry;
+ ike_sa_id_t *ike_sa_id;
+
+ ike_sa_id = ike_sa->get_id(ike_sa);
+
+ DBG2(DBG_MGR, "checkin IKE_SA: %J", ike_sa_id);
+
+ pthread_mutex_lock(&(this->mutex));
+
+ /* look for the entry */
+ if (get_entry_by_sa(this, ike_sa, &entry) == SUCCESS)
+ {
+ /* ike_sa_id must be updated */
+ entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
+ /* signal waiting threads */
+ entry->checked_out = FALSE;
+ entry->message_id = -1;
+ DBG2(DBG_MGR, "check-in of IKE_SA successful.");
+ pthread_cond_signal(&(entry->condvar));
+ retval = SUCCESS;
+ }
+ else
+ {
+ DBG2(DBG_MGR, "tried to check in nonexisting IKE_SA");
+ /* this SA is no more, this REALLY should not happen */
+ retval = NOT_FOUND;
+ }
+
+ DBG2(DBG_MGR, "%d IKE_SAs in manager now",
+ this->ike_sa_list->get_count(this->ike_sa_list));
+ pthread_mutex_unlock(&(this->mutex));
+
+ charon->bus->set_sa(charon->bus, NULL);
+ return retval;
+}
+
+
+/**
+ * Implementation of ike_sa_manager_t.checkin_and_destroy.
+ */
+static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
+{
+ /* deletion is a bit complex, we must garant that no thread is waiting for
+ * this SA.
+ * We take this SA from the list, and start signaling while threads
+ * are in the condvar.
+ */
+ entry_t *entry;
+ status_t retval;
+ ike_sa_id_t *ike_sa_id;
+
+ ike_sa_id = ike_sa->get_id(ike_sa);
+ DBG2(DBG_MGR, "checkin and destroy IKE_SA: %J", ike_sa_id);
+
+ pthread_mutex_lock(&(this->mutex));
+
+ if (get_entry_by_sa(this, ike_sa, &entry) == SUCCESS)
+ {
+ /* drive out waiting threads, as we are in hurry */
+ entry->driveout_waiting_threads = TRUE;
+
+ delete_entry(this, entry);
+
+ DBG2(DBG_MGR, "check-in and destroy of IKE_SA successful");
+ retval = SUCCESS;
+ }
+ else
+ {
+ DBG2(DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
+ retval = NOT_FOUND;
+ }
+
+ pthread_mutex_unlock(&(this->mutex));
+ charon->bus->set_sa(charon->bus, ike_sa);
+ return retval;
+}
+
+/**
+ * Implementation of ike_sa_manager_t.get_half_open_count.
+ */
+static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip)
+{
+ iterator_t *iterator;
+ entry_t *entry;
+ int count = 0;
+
+ pthread_mutex_lock(&(this->mutex));
+ iterator = this->ike_sa_list->create_iterator(this->ike_sa_list, TRUE);
+ while (iterator->iterate(iterator, (void**)&entry))
+ {
+ /* we check if we have a responder CONNECTING IKE_SA without checkout */
+ if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
+ entry->ike_sa->get_state(entry->ike_sa) == IKE_CONNECTING)
+ {
+ /* if we have a host, we have wait until no other uses the IKE_SA */
+ if (ip)
+ {
+ if (wait_for_entry(this, entry) && ip->ip_equals(ip,
+ entry->ike_sa->get_other_host(entry->ike_sa)))
+ {
+ count++;
+ }
+ }
+ else
+ {
+ count++;
+ }
+ }
+ }
+ iterator->destroy(iterator);
+
+ pthread_mutex_unlock(&(this->mutex));
+ return count;
+}
+
+/**
+ * Implementation of ike_sa_manager_t.destroy.
+ */
+static void destroy(private_ike_sa_manager_t *this)
+{
+ /* destroy all list entries */
+ linked_list_t *list = this->ike_sa_list;
+ iterator_t *iterator;
+ entry_t *entry;
+
+ pthread_mutex_lock(&(this->mutex));
+ DBG2(DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
+ /* Step 1: drive out all waiting threads */
+ DBG2(DBG_MGR, "set driveout flags for all stored IKE_SA's");
+ iterator = list->create_iterator(list, TRUE);
+ while (iterator->iterate(iterator, (void**)&entry))
+ {
+ /* do not accept new threads, drive out waiting threads */
+ entry->driveout_new_threads = TRUE;
+ entry->driveout_waiting_threads = TRUE;
+ }
+ DBG2(DBG_MGR, "wait for all threads to leave IKE_SA's");
+ /* Step 2: wait until all are gone */
+ iterator->reset(iterator);
+ while (iterator->iterate(iterator, (void**)&entry))
+ {
+ while (entry->waiting_threads)
+ {
+ /* wake up all */
+ pthread_cond_broadcast(&(entry->condvar));
+ /* go sleeping until they are gone */
+ pthread_cond_wait(&(entry->condvar), &(this->mutex));
+ }
+ }
+ DBG2(DBG_MGR, "delete all IKE_SA's");
+ /* Step 3: initiate deletion of all IKE_SAs */
+ iterator->reset(iterator);
+ while (iterator->iterate(iterator, (void**)&entry))
+ {
+ entry->ike_sa->delete(entry->ike_sa);
+ }
+ iterator->destroy(iterator);
+
+ DBG2(DBG_MGR, "destroy all entries");
+ /* Step 4: destroy all entries */
+ list->destroy_function(list, (void*)entry_destroy);
+ pthread_mutex_unlock(&(this->mutex));
+
+ this->randomizer->destroy(this->randomizer);
+ this->hasher->destroy(this->hasher);
+
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_sa_manager_t *ike_sa_manager_create()
+{
+ private_ike_sa_manager_t *this = malloc_thing(private_ike_sa_manager_t);
+
+ /* assign public functions */
+ this->public.destroy = (void(*)(ike_sa_manager_t*))destroy;
+ this->public.checkout = (ike_sa_t*(*)(ike_sa_manager_t*, ike_sa_id_t*))checkout;
+ this->public.checkout_new = (ike_sa_t*(*)(ike_sa_manager_t*,bool))checkout_new;
+ this->public.checkout_by_message = (ike_sa_t*(*)(ike_sa_manager_t*,message_t*))checkout_by_message;
+ this->public.checkout_by_peer = (ike_sa_t*(*)(ike_sa_manager_t*,host_t*,host_t*,identification_t*,identification_t*))checkout_by_peer;
+ this->public.checkout_by_id = (ike_sa_t*(*)(ike_sa_manager_t*,u_int32_t,bool))checkout_by_id;
+ this->public.checkout_by_name = (ike_sa_t*(*)(ike_sa_manager_t*,char*,bool))checkout_by_name;
+ this->public.create_iterator = (iterator_t*(*)(ike_sa_manager_t*))create_iterator;
+ this->public.checkin = (status_t(*)(ike_sa_manager_t*,ike_sa_t*))checkin;
+ this->public.checkin_and_destroy = (status_t(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy;
+ this->public.get_half_open_count = (int(*)(ike_sa_manager_t*,host_t*))get_half_open_count;
+
+ /* initialize private variables */
+ this->ike_sa_list = linked_list_create();
+ pthread_mutex_init(&this->mutex, NULL);
+ this->randomizer = randomizer_create();
+ this->hasher = hasher_create(HASH_SHA1);
+
+ return &this->public;
+}
diff --git a/src/charon/sa/ike_sa_manager.h b/src/charon/sa/ike_sa_manager.h
new file mode 100644
index 000000000..1125e5d16
--- /dev/null
+++ b/src/charon/sa/ike_sa_manager.h
@@ -0,0 +1,231 @@
+/**
+ * @file ike_sa_manager.h
+ *
+ * @brief Interface of ike_sa_manager_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IKE_SA_MANAGER_H_
+#define IKE_SA_MANAGER_H_
+
+typedef struct ike_sa_manager_t ike_sa_manager_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <encoding/message.h>
+
+/**
+ * @brief The IKE_SA-Manager is responsible for managing all initiated and responded IKE_SA's.
+ *
+ * To avoid access from multiple threads, IKE_SAs must be checked out from
+ * the manager, and checked in after usage.
+ * The manager also handles deletion of SAs.
+ *
+ * @todo checking of double-checkouts from the same threads would be nice.
+ * This could be done by comparing thread-ids via pthread_self()...
+ *
+ * @todo Managing of ike_sa_t objects in a hash table instead of linked list.
+ *
+ * @b Constructors:
+ * - ike_sa_manager_create()
+ *
+ * @ingroup sa
+ */
+struct ike_sa_manager_t {
+
+ /**
+ * @brief Checkout an existing IKE_SA.
+ *
+ * @param this the manager object
+ * @param ike_sa_id the SA identifier, will be updated
+ * @returns
+ * - checked out IKE_SA if found
+ * - NULL, if specified IKE_SA is not found.
+ */
+ ike_sa_t* (*checkout) (ike_sa_manager_t* this, ike_sa_id_t *sa_id);
+
+ /**
+ * @brief Create and check out a new IKE_SA.
+ *
+ * @param this the manager object
+ * @param initiator TRUE for initiator, FALSE otherwise
+ * @returns created andchecked out IKE_SA
+ */
+ ike_sa_t* (*checkout_new) (ike_sa_manager_t* this, bool initiator);
+
+ /**
+ * @brief Checkout an IKE_SA by a message.
+ *
+ * In some situations, it is necessary that the manager knows the
+ * message to use for the checkout. This has the folloing reasons:
+ *
+ * 1. If the targeted IKE_SA is already processing a message, we do not
+ * check it out if the message ID is the same.
+ * 2. If it is an IKE_SA_INIT request, we have to check if it is a
+ * retransmission. If so, we have to drop the message, we would
+ * create another unneded IKE_SA for each retransmitted packet.
+ *
+ * A call to checkout_by_message() returns a (maybe new created) IKE_SA.
+ * If processing the message does not make sense (for the reasons above),
+ * NULL is returned.
+ *
+ * @param this the manager object
+ * @param ike_sa_id the SA identifier, will be updated
+ * @returns
+ * - checked out/created IKE_SA
+ * - NULL to not process message further
+ */
+ ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
+
+ /**
+ * @brief Checkout an existing IKE_SA by hosts and identifications.
+ *
+ * Allows the lookup of an IKE_SA by user IDs and hosts. It returns the
+ * first found occurence, if there are multiple candidates. Supplied IDs
+ * may contain wildcards, hosts may be %any.
+ * If no IKE_SA is found, a new one is created. This is also the case when
+ * the found IKE_SA is in the DELETING state.
+ *
+ * @param this the manager object
+ * @param my_host address of our host
+ * @param other_id address of remote host
+ * @param my_id ID used by us
+ * @param other_id ID used by remote
+ * @return checked out/created IKE_SA
+ */
+ ike_sa_t* (*checkout_by_peer) (ike_sa_manager_t* this,
+ host_t *my_host, host_t* other_host,
+ identification_t *my_id,
+ identification_t *other_id);
+
+ /**
+ * @brief Check out an IKE_SA a unique ID.
+ *
+ * Every IKE_SA and every CHILD_SA is uniquely identified by an ID.
+ * These checkout function uses, depending
+ * on the child parameter, the unique ID of the IKE_SA or the reqid
+ * of one of a IKE_SAs CHILD_SA.
+ *
+ * @param this the manager object
+ * @param id unique ID of the object
+ * @param child TRUE to use CHILD, FALSE to use IKE_SA
+ * @return
+ * - checked out IKE_SA, if found
+ * - NULL, if not found
+ */
+ ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this, u_int32_t id,
+ bool child);
+
+ /**
+ * @brief Check out an IKE_SA by the policy/connection name.
+ *
+ * Check out the IKE_SA by the connections name or by a CHILD_SAs policy
+ * name.
+ *
+ * @param this the manager object
+ * @param name name of the connection/policy
+ * @param child TRUE to use policy name, FALSE to use conn name
+ * @return
+ * - checked out IKE_SA, if found
+ * - NULL, if not found
+ */
+ ike_sa_t* (*checkout_by_name) (ike_sa_manager_t* this, char *name,
+ bool child);
+
+ /**
+ * @brief Create an iterator over all stored IKE_SAs.
+ *
+ * The avoid synchronization issues, the iterator locks access
+ * to the manager exclusively, until it gets destroyed.
+ * This iterator is for reading only! Writing will corrupt the manager.
+ *
+ * @param this the manager object
+ * @return iterator over all IKE_SAs.
+ */
+ iterator_t *(*create_iterator) (ike_sa_manager_t* this);
+
+ /**
+ * @brief Checkin the SA after usage.
+ *
+ * @warning the SA pointer MUST NOT be used after checkin!
+ * The SA must be checked out again!
+ *
+ * @param this the manager object
+ * @param ike_sa_id the SA identifier, will be updated
+ * @param ike_sa checked out SA
+ * @returns
+ * - SUCCESS if checked in
+ * - NOT_FOUND when not found (shouldn't happen!)
+ */
+ status_t (*checkin) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
+
+ /**
+ * @brief Destroy a checked out SA.
+ *
+ * The IKE SA is destroyed without notification of the remote peer.
+ * Use this only if the other peer doesn't respond or behaves not
+ * as predicted.
+ * Checking in and destruction is an atomic operation (for the IKE_SA),
+ * so this can be called if the SA is in a "unclean" state, without the
+ * risk that another thread can get the SA.
+ *
+ * @param this the manager object
+ * @param ike_sa SA to delete
+ * @returns
+ * - SUCCESS if found
+ * - NOT_FOUND when no such SA is available
+ */
+ status_t (*checkin_and_destroy) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
+
+ /**
+ * @brief Get the number of IKE_SAs which are in the connecting state.
+ *
+ * To prevent the server from resource exhaustion, cookies and other
+ * mechanisms are used. The number of half open IKE_SAs is a good
+ * indicator to see if a peer is flooding the server.
+ * If a host is supplied, only the number of half open IKE_SAs initiated
+ * from this IP are counted.
+ * Only SAs for which we are the responder are counted.
+ *
+ * @param this the manager object
+ * @param ip NULL for all, IP for half open IKE_SAs with IP
+ * @return number of half open IKE_SAs
+ */
+ int (*get_half_open_count) (ike_sa_manager_t *this, host_t *ip);
+
+ /**
+ * @brief Destroys the manager with all associated SAs.
+ *
+ * Threads will be driven out, so all SAs can be deleted cleanly.
+ *
+ * @param this the manager object
+ */
+ void (*destroy) (ike_sa_manager_t *this);
+};
+
+/**
+ * @brief Create a manager.
+ *
+ * @returns ike_sa_manager_t object
+ *
+ * @ingroup sa
+ */
+ike_sa_manager_t *ike_sa_manager_create(void);
+
+#endif /*IKE_SA_MANAGER_H_*/
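Review bot: Several `@param` tags in this header name parameters the function pointers do not take: `checkout` documents `ike_sa_id` while the argument is `sa_id`, `checkout_by_message` and `checkin` document an `ike_sa_id` that is absent from their signatures, and `checkout_by_peer` lists `other_id` twice where the first entry describes `other_host`. I would change these to `@param message the message to look up or create an IKE_SA for` and `@param other_host address of remote host`, and drop the stray `ike_sa_id` line from `checkin`. The `checkout_by_peer` text also promises the first matching IKE_SA, but the loop in ike_sa_manager.c earlier in this diff has no `break` after `ike_sa = entry->ike_sa;`, so it appears to mark every match as checked out and return the last one. Entries left checked out and never checked in would block later callers in `wait_for_entry`, so either a `break;` belongs after that assignment or this sentence should describe the actual behaviour.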
diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c
new file mode 100644
index 000000000..844300735
--- /dev/null
+++ b/src/charon/sa/task_manager.c
@@ -0,0 +1,854 @@
+/**
+ * @file task_manager.c
+ *
+ * @brief Implementation of task_manager_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "task_manager.h"
+
+#include <daemon.h>
+#include <sa/tasks/ike_init.h>
+#include <sa/tasks/ike_natd.h>
+#include <sa/tasks/ike_auth.h>
+#include <sa/tasks/ike_cert.h>
+#include <sa/tasks/ike_rekey.h>
+#include <sa/tasks/ike_delete.h>
+#include <sa/tasks/ike_config.h>
+#include <sa/tasks/ike_dpd.h>
+#include <sa/tasks/child_create.h>
+#include <sa/tasks/child_rekey.h>
+#include <sa/tasks/child_delete.h>
+#include <encoding/payloads/delete_payload.h>
+#include <queues/jobs/retransmit_job.h>
+
+typedef struct exchange_t exchange_t;
+
+/**
+ * An exchange in the air, used do detect and handle retransmission
+ */
+struct exchange_t {
+
+ /**
+ * Message ID used for this transaction
+ */
+ u_int32_t mid;
+
+ /**
+ * generated packet for retransmission
+ */
+ packet_t *packet;
+};
+
+typedef struct private_task_manager_t private_task_manager_t;
+
+/**
+ * private data of the task manager
+ */
+struct private_task_manager_t {
+
+ /**
+ * public functions
+ */
+ task_manager_t public;
+
+ /**
+ * associated IKE_SA we are serving
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Exchange we are currently handling as responder
+ */
+ struct {
+ /**
+ * Message ID of the exchange
+ */
+ u_int32_t mid;
+
+ /**
+ * packet for retransmission
+ */
+ packet_t *packet;
+
+ } responding;
+
+ /**
+ * Exchange we are currently handling as initiator
+ */
+ struct {
+ /**
+ * Message ID of the exchange
+ */
+ u_int32_t mid;
+
+ /**
+ * how many times we have retransmitted so far
+ */
+ u_int retransmitted;
+
+ /**
+ * packet for retransmission
+ */
+ packet_t *packet;
+
+ /**
+ * type of the initated exchange
+ */
+ exchange_type_t type;
+
+ } initiating;
+
+ /**
+ * List of queued tasks not yet in action
+ */
+ linked_list_t *queued_tasks;
+
+ /**
+ * List of active tasks, initiated by ourselve
+ */
+ linked_list_t *active_tasks;
+
+ /**
+ * List of tasks initiated by peer
+ */
+ linked_list_t *passive_tasks;
+};
+
+/**
+ * flush all tasks in the task manager
+ */
+static void flush(private_task_manager_t *this)
+{
+ task_t *task;
+
+ this->queued_tasks->destroy_offset(this->queued_tasks,
+ offsetof(task_t, destroy));
+ this->passive_tasks->destroy_offset(this->passive_tasks,
+ offsetof(task_t, destroy));
+
+ /* emmit outstanding signals for tasks */
+ while (this->active_tasks->remove_last(this->active_tasks,
+ (void**)&task) == SUCCESS)
+ {
+ switch (task->get_type(task))
+ {
+ case IKE_AUTH:
+ SIG(IKE_UP_FAILED, "establishing IKE_SA failed");
+ break;
+ case IKE_DELETE:
+ SIG(IKE_DOWN_FAILED, "IKE_SA deleted");
+ break;
+ case IKE_REKEY:
+ SIG(IKE_REKEY_FAILED, "rekeying IKE_SA failed");
+ break;
+ case CHILD_CREATE:
+ SIG(CHILD_UP_FAILED, "establishing CHILD_SA failed");
+ break;
+ case CHILD_DELETE:
+ SIG(CHILD_DOWN_FAILED, "deleting CHILD_SA failed");
+ break;
+ case CHILD_REKEY:
+ SIG(IKE_REKEY_FAILED, "rekeying CHILD_SA failed");
+ break;
+ default:
+ break;
+ }
+ task->destroy(task);
+ }
+ this->queued_tasks = linked_list_create();
+ this->passive_tasks = linked_list_create();
+}
+
+/**
+ * move a task of a specific type from the queue to the active list
+ */
+static bool activate_task(private_task_manager_t *this, task_type_t type)
+{
+ iterator_t *iterator;
+ task_t *task;
+ bool found = FALSE;
+
+ iterator = this->queued_tasks->create_iterator(this->queued_tasks, TRUE);
+ while (iterator->iterate(iterator, (void**)&task))
+ {
+ if (task->get_type(task) == type)
+ {
+ DBG2(DBG_IKE, " activating %N task", task_type_names, type);
+ iterator->remove(iterator);
+ this->active_tasks->insert_last(this->active_tasks, task);
+ found = TRUE;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * Implementation of task_manager_t.retransmit
+ */
+static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
+{
+ if (message_id == this->initiating.mid)
+ {
+ u_int32_t timeout;
+ job_t *job;
+
+ timeout = charon->configuration->get_retransmit_timeout(
+ charon->configuration, this->initiating.retransmitted);
+ if (timeout == 0)
+ {
+ DBG1(DBG_IKE, "giving up after %d retransmits",
+ this->initiating.retransmitted - 1);
+ return DESTROY_ME;
+ }
+
+ if (this->initiating.retransmitted)
+ {
+ DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
+ this->initiating.retransmitted, message_id);
+ }
+ this->initiating.retransmitted++;
+
+ charon->sender->send(charon->sender,
+ this->initiating.packet->clone(this->initiating.packet));
+ job = (job_t*)retransmit_job_create(this->initiating.mid,
+ this->ike_sa->get_id(this->ike_sa));
+ charon->event_queue->add_relative(charon->event_queue, job, timeout);
+ }
+ return SUCCESS;
+}
+
+/**
+ * build a request using the active task list
+ * Implementation of task_manager_t.initiate
+ */
+static status_t build_request(private_task_manager_t *this)
+{
+ iterator_t *iterator;
+ task_t *task;
+ message_t *message;
+ status_t status;
+ exchange_type_t exchange = 0;
+
+ if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
+ {
+ DBG2(DBG_IKE, "delaying task initiation, exchange in progress");
+ /* do not initiate if we already have a message in the air */
+ return SUCCESS;
+ }
+
+ if (this->active_tasks->get_count(this->active_tasks) == 0)
+ {
+ DBG2(DBG_IKE, "activating new tasks");
+ switch (this->ike_sa->get_state(this->ike_sa))
+ {
+ case IKE_CREATED:
+ if (activate_task(this, IKE_INIT))
+ {
+ exchange = IKE_SA_INIT;
+ activate_task(this, IKE_NATD);
+ activate_task(this, IKE_CERT);
+ activate_task(this, IKE_AUTHENTICATE);
+ activate_task(this, IKE_CONFIG);
+ activate_task(this, CHILD_CREATE);
+ }
+ break;
+ case IKE_ESTABLISHED:
+ if (activate_task(this, CHILD_CREATE))
+ {
+ exchange = CREATE_CHILD_SA;
+ activate_task(this, IKE_CONFIG);
+ break;
+ }
+ if (activate_task(this, CHILD_DELETE))
+ {
+ exchange = INFORMATIONAL;
+ break;
+ }
+ if (activate_task(this, CHILD_REKEY))
+ {
+ exchange = CREATE_CHILD_SA;
+ break;
+ }
+ if (activate_task(this, IKE_DELETE))
+ {
+ exchange = INFORMATIONAL;
+ break;
+ }
+ if (activate_task(this, IKE_REKEY))
+ {
+ exchange = CREATE_CHILD_SA;
+ break;
+ }
+ if (activate_task(this, IKE_DEADPEER))
+ {
+ exchange = INFORMATIONAL;
+ break;
+ }
+ case IKE_REKEYING:
+ if (activate_task(this, IKE_DELETE))
+ {
+ exchange = INFORMATIONAL;
+ break;
+ }
+ case IKE_DELETING:
+ default:
+ break;
+ }
+ }
+ else
+ {
+ DBG2(DBG_IKE, "reinitiating already active tasks");
+ iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
+ while (iterator->iterate(iterator, (void**)&task))
+ {
+ DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
+ switch (task->get_type(task))
+ {
+ case IKE_INIT:
+ exchange = IKE_SA_INIT;
+ break;
+ case IKE_AUTHENTICATE:
+ exchange = IKE_AUTH;
+ break;
+ default:
+ continue;
+ }
+ break;
+ }
+ iterator->destroy(iterator);
+ }
+
+ if (exchange == 0)
+ {
+ DBG2(DBG_IKE, "nothing to initiate");
+ /* nothing to do yet... */
+ return SUCCESS;
+ }
+
+ message = message_create();
+ message->set_message_id(message, this->initiating.mid);
+ message->set_exchange_type(message, exchange);
+ this->initiating.type = exchange;
+ this->initiating.retransmitted = 0;
+
+ iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
+ while (iterator->iterate(iterator, (void*)&task))
+ {
+ switch (task->build(task, message))
+ {
+ case SUCCESS:
+ /* task completed, remove it */
+ iterator->remove(iterator);
+ task->destroy(task);
+ break;
+ case NEED_MORE:
+ /* processed, but task needs another exchange */
+ break;
+ case FAILED:
+ default:
+ /* critical failure, destroy IKE_SA */
+ iterator->destroy(iterator);
+ message->destroy(message);
+ flush(this);
+ return DESTROY_ME;
+ }
+ }
+ iterator->destroy(iterator);
+
+ DESTROY_IF(this->initiating.packet);
+ status = this->ike_sa->generate_message(this->ike_sa, message,
+ &this->initiating.packet);
+ message->destroy(message);
+ if (status != SUCCESS)
+ {
+ /* message generation failed. There is nothing more to do than to
+ * close the SA */
+ flush(this);
+ return DESTROY_ME;
+ }
+
+ return retransmit(this, this->initiating.mid);
+}
+
+/**
+ * handle an incoming response message
+ */
+static status_t process_response(private_task_manager_t *this,
+ message_t *message)
+{
+ iterator_t *iterator;
+ task_t *task;
+
+ if (message->get_exchange_type(message) != this->initiating.type)
+ {
+ DBG1(DBG_IKE, "received %N response, but expected %N",
+ exchange_type_names, message->get_exchange_type(message),
+ exchange_type_names, this->initiating.type);
+ return DESTROY_ME;
+ }
+
+ iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
+ while (iterator->iterate(iterator, (void*)&task))
+ {
+ switch (task->process(task, message))
+ {
+ case SUCCESS:
+ /* task completed, remove it */
+ iterator->remove(iterator);
+ task->destroy(task);
+ break;
+ case NEED_MORE:
+ /* processed, but task needs another exchange */
+ break;
+ case FAILED:
+ default:
+ /* critical failure, destroy IKE_SA */
+ iterator->destroy(iterator);
+ return DESTROY_ME;
+ }
+ }
+ iterator->destroy(iterator);
+
+ this->initiating.mid++;
+ this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+
+ return build_request(this);
+}
+
+/**
+ * handle exchange collisions
+ */
+static void handle_collisions(private_task_manager_t *this, task_t *task)
+{
+ iterator_t *iterator;
+ task_t *active;
+ task_type_t type;
+
+ type = task->get_type(task);
+
+ /* do we have to check */
+ if (type == IKE_REKEY || type == CHILD_REKEY ||
+ type == CHILD_DELETE || type == IKE_DELETE)
+ {
+ /* find an exchange collision, and notify these tasks */
+ iterator = this->active_tasks->create_iterator(this->active_tasks, TRUE);
+ while (iterator->iterate(iterator, (void**)&active))
+ {
+ switch (active->get_type(active))
+ {
+ case IKE_REKEY:
+ if (type == IKE_REKEY || type == IKE_DELETE)
+ {
+ ike_rekey_t *rekey = (ike_rekey_t*)active;
+ rekey->collide(rekey, task);
+ break;
+ }
+ continue;
+ case CHILD_REKEY:
+ if (type == CHILD_REKEY || type == CHILD_DELETE)
+ {
+ child_rekey_t *rekey = (child_rekey_t*)active;
+ rekey->collide(rekey, task);
+ break;
+ }
+ continue;
+ default:
+ continue;
+ }
+ iterator->destroy(iterator);
+ return;
+ }
+ iterator->destroy(iterator);
+ }
+ /* destroy task if not registered in any active task */
+ task->destroy(task);
+}
+
+/**
+ * build a response depending on the "passive" task list
+ */
+static status_t build_response(private_task_manager_t *this,
+ exchange_type_t exchange)
+{
+ iterator_t *iterator;
+ task_t *task;
+ message_t *message;
+ bool delete = FALSE;
+ status_t status;
+
+ message = message_create();
+ message->set_exchange_type(message, exchange);
+ message->set_message_id(message, this->responding.mid);
+ message->set_request(message, FALSE);
+
+ iterator = this->passive_tasks->create_iterator(this->passive_tasks, TRUE);
+ while (iterator->iterate(iterator, (void*)&task))
+ {
+ switch (task->build(task, message))
+ {
+ case SUCCESS:
+ /* task completed, remove it */
+ iterator->remove(iterator);
+ handle_collisions(this, task);
+ case NEED_MORE:
+ /* processed, but task needs another exchange */
+ break;
+ case FAILED:
+ default:
+ /* destroy IKE_SA, but SEND response first */
+ delete = TRUE;
+ break;
+ }
+ if (delete)
+ {
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ /* remove resonder SPI if IKE_SA_INIT failed */
+ if (delete && exchange == IKE_SA_INIT)
+ {
+ ike_sa_id_t *id = this->ike_sa->get_id(this->ike_sa);
+ id->set_responder_spi(id, 0);
+ }
+
+ /* message complete, send it */
+ DESTROY_IF(this->responding.packet);
+ status = this->ike_sa->generate_message(this->ike_sa, message,
+ &this->responding.packet);
+ message->destroy(message);
+ if (status != SUCCESS)
+ {
+ return DESTROY_ME;
+ }
+
+ charon->sender->send(charon->sender,
+ this->responding.packet->clone(this->responding.packet));
+ if (delete)
+ {
+ return DESTROY_ME;
+ }
+ return SUCCESS;
+}
+
+/**
+ * handle an incoming request message
+ */
+static status_t process_request(private_task_manager_t *this,
+ message_t *message)
+{
+ iterator_t *iterator;
+ task_t *task = NULL;
+ exchange_type_t exchange;
+ payload_t *payload;
+ notify_payload_t *notify;
+
+ exchange = message->get_exchange_type(message);
+
+ /* create tasks depending on request type */
+ switch (exchange)
+ {
+ case IKE_SA_INIT:
+ {
+ task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ task = (task_t*)ike_cert_create(this->ike_sa, FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ task = (task_t*)ike_config_create(this->ike_sa, NULL);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ task = (task_t*)child_create_create(this->ike_sa, NULL);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ break;
+ }
+ case CREATE_CHILD_SA:
+ {
+ bool notify_found = FALSE, ts_found = FALSE;
+ iterator = message->get_payload_iterator(message);
+ while (iterator->iterate(iterator, (void**)&payload))
+ {
+ switch (payload->get_type(payload))
+ {
+ case NOTIFY:
+ {
+ /* if we find a rekey notify, its CHILD_SA rekeying */
+ notify = (notify_payload_t*)payload;
+ if (notify->get_notify_type(notify) == REKEY_SA &&
+ (notify->get_protocol_id(notify) == PROTO_AH ||
+ notify->get_protocol_id(notify) == PROTO_ESP))
+ {
+ notify_found = TRUE;
+ }
+ break;
+ }
+ case TRAFFIC_SELECTOR_INITIATOR:
+ case TRAFFIC_SELECTOR_RESPONDER:
+ {
+ /* if we don't find a TS, its IKE rekeying */
+ ts_found = TRUE;
+ break;
+ }
+ default:
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (ts_found)
+ {
+ if (notify_found)
+ {
+ task = (task_t*)child_rekey_create(this->ike_sa, NULL);
+ }
+ else
+ {
+ task = (task_t*)child_create_create(this->ike_sa, NULL);
+ }
+ }
+ else
+ {
+ task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
+ }
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ break;
+ }
+ case INFORMATIONAL:
+ {
+ delete_payload_t *delete;
+
+ delete = (delete_payload_t*)message->get_payload(message, DELETE);
+ if (delete)
+ {
+ if (delete->get_protocol_id(delete) == PROTO_IKE)
+ {
+ task = (task_t*)ike_delete_create(this->ike_sa, FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ }
+ else
+ {
+ task = (task_t*)child_delete_create(this->ike_sa, NULL);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ }
+ }
+ else
+ {
+ task = (task_t*)ike_dpd_create(FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ }
+ break;
+ }
+ default:
+ break;
+ }
+
+ /* let the tasks process the message */
+ iterator = this->passive_tasks->create_iterator(this->passive_tasks, TRUE);
+ while (iterator->iterate(iterator, (void*)&task))
+ {
+ switch (task->process(task, message))
+ {
+ case SUCCESS:
+ /* task completed, remove it */
+ iterator->remove(iterator);
+ task->destroy(task);
+ break;
+ case NEED_MORE:
+ /* processed, but task needs at least another call to build() */
+ break;
+ case FAILED:
+ default:
+ /* critical failure, destroy IKE_SA */
+ iterator->destroy(iterator);
+ return DESTROY_ME;
+ }
+ }
+ iterator->destroy(iterator);
+
+ return build_response(this, exchange);
+}
+
+/**
+ * Implementation of task_manager_t.process_message
+ */
+static status_t process_message(private_task_manager_t *this, message_t *msg)
+{
+ u_int32_t mid = msg->get_message_id(msg);
+
+ if (msg->get_request(msg))
+ {
+ if (mid == this->responding.mid)
+ {
+ if (process_request(this, msg) != SUCCESS)
+ {
+ flush(this);
+ return DESTROY_ME;
+ }
+ this->responding.mid++;
+ }
+ else if ((mid == this->responding.mid - 1) && this->responding.packet)
+ {
+ DBG1(DBG_IKE, "received retransmit of request with ID %d, "
+ "retransmitting response", mid);
+ charon->sender->send(charon->sender,
+ this->responding.packet->clone(this->responding.packet));
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received message ID %d, excepted %d. Ignored",
+ mid, this->responding.mid);
+ }
+ }
+ else
+ {
+ if (mid == this->initiating.mid)
+ {
+ if (process_response(this, msg) != SUCCESS)
+ {
+ flush(this);
+ return DESTROY_ME;
+ }
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received message ID %d, excepted %d. Ignored",
+ mid, this->initiating.mid);
+ return SUCCESS;
+ }
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_manager_t.queue_task
+ */
+static void queue_task(private_task_manager_t *this, task_t *task)
+{
+ DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
+ this->queued_tasks->insert_last(this->queued_tasks, task);
+}
+
+/**
+ * Implementation of task_manager_t.adopt_tasks
+ */
+static void adopt_tasks(private_task_manager_t *this, private_task_manager_t *other)
+{
+ task_t *task;
+
+ /* move queued tasks from other to this */
+ while (other->queued_tasks->remove_last(other->queued_tasks,
+ (void**)&task) == SUCCESS)
+ {
+ DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
+ task->migrate(task, this->ike_sa);
+ this->queued_tasks->insert_first(this->queued_tasks, task);
+ }
+
+ /* reset active tasks and move them to others queued tasks */
+ while (other->active_tasks->remove_last(other->active_tasks,
+ (void**)&task) == SUCCESS)
+ {
+ DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
+ task->migrate(task, this->ike_sa);
+ this->queued_tasks->insert_first(this->queued_tasks, task);
+ }
+}
+
+/**
+ * Implementation of task_manager_t.busy
+ */
+static bool busy(private_task_manager_t *this)
+{
+ return (this->active_tasks->get_count(this->active_tasks) > 0);
+}
+
+/**
+ * Implementation of task_manager_t.reset
+ */
+static void reset(private_task_manager_t *this)
+{
+ task_t *task;
+
+ /* reset message counters and retransmit packets */
+ DESTROY_IF(this->responding.packet);
+ DESTROY_IF(this->initiating.packet);
+ this->responding.packet = NULL;
+ this->initiating.packet = NULL;
+ this->responding.mid = 0;
+ this->initiating.mid = -1;
+ this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+
+ /* reset active tasks */
+ while (this->active_tasks->remove_last(this->active_tasks,
+ (void**)&task) == SUCCESS)
+ {
+ task->migrate(task, this->ike_sa);
+ this->queued_tasks->insert_first(this->queued_tasks, task);
+ }
+}
+
+/**
+ * Implementation of task_manager_t.destroy
+ */
+static void destroy(private_task_manager_t *this)
+{
+ flush(this);
+
+ this->active_tasks->destroy(this->active_tasks);
+ this->queued_tasks->destroy(this->queued_tasks);
+ this->passive_tasks->destroy(this->passive_tasks);
+
+ DESTROY_IF(this->responding.packet);
+ DESTROY_IF(this->initiating.packet);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+task_manager_t *task_manager_create(ike_sa_t *ike_sa)
+{
+ private_task_manager_t *this = malloc_thing(private_task_manager_t);
+
+ this->public.process_message = (status_t(*)(task_manager_t*,message_t*))process_message;
+ this->public.queue_task = (void(*)(task_manager_t*,task_t*))queue_task;
+ this->public.initiate = (status_t(*)(task_manager_t*))build_request;
+ this->public.retransmit = (status_t(*)(task_manager_t*,u_int32_t))retransmit;
+ this->public.reset = (void(*)(task_manager_t*))reset;
+ this->public.adopt_tasks = (void(*)(task_manager_t*,task_manager_t*))adopt_tasks;
+ this->public.busy = (bool(*)(task_manager_t*))busy;
+ this->public.destroy = (void(*)(task_manager_t*))destroy;
+
+ this->ike_sa = ike_sa;
+ this->responding.packet = NULL;
+ this->initiating.packet = NULL;
+ this->responding.mid = 0;
+ this->initiating.mid = 0;
+ this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
+ this->queued_tasks = linked_list_create();
+ this->active_tasks = linked_list_create();
+ this->passive_tasks = linked_list_create();
+
+ return &this->public;
+}
diff --git a/src/charon/sa/task_manager.h b/src/charon/sa/task_manager.h
new file mode 100644
index 000000000..c766d4a65
--- /dev/null
+++ b/src/charon/sa/task_manager.h
@@ -0,0 +1,144 @@
+/**
+ * @file task_manager.h
+ *
+ * @brief Interface of task_manager_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TASK_MANAGER_H_
+#define TASK_MANAGER_H_
+
+typedef struct task_manager_t task_manager_t;
+
+#include <library.h>
+#include <encoding/message.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * @brief The task manager, juggles task and handles message exchanges.
+ *
+ * On incoming requests, the task manager creates new tasks on demand and
+ * juggles the request through all available tasks. Each task inspects the
+ * request and adds payloads as necessary to the response.
+ * On outgoing requests, the task manager delivers the request through the tasks
+ * to build it, the response gets processed by each task to complete.
+ * The task manager has an internal Queue to store task which should get
+ * completed.
+ * For the initial IKE_SA setup, several tasks are queued: One for the
+ * unauthenticated IKE_SA setup, one for authentication, one for CHILD_SA setup
+ * and maybe one for virtual IP assignement.
+ *
+ * @b Constructors:
+ * - task_manager_create()
+ *
+ * @ingroup sa
+ */
+struct task_manager_t {
+
+ /**
+ * @brief Process an incoming message.
+ *
+ * @param this calling object
+ * @param message message to add payloads to
+ * @return
+ * - DESTROY_ME if IKE_SA must be closed
+ * - SUCCESS otherwise
+ */
+ status_t (*process_message) (task_manager_t *this, message_t *message);
+
+ /**
+ * @brief Initiate an exchange with the currently queued tasks.
+ *
+ * @param this calling object
+ */
+ status_t (*initiate) (task_manager_t *this);
+
+ /**
+ * @brief Queue a task in the manager.
+ *
+ * @param this calling object
+ * @param task task to queue
+ */
+ void (*queue_task) (task_manager_t *this, task_t *task);
+
+ /**
+ * @brief Retransmit a request if it hasn't been acknowledged yet.
+ *
+ * A return value of INVALID_STATE means that the message was already
+ * acknowledged and has not to be retransmitted. A return value of SUCCESS
+ * means retransmission was required and the message has been resent.
+ *
+ * @param this calling object
+ * @param message_id ID of the message to retransmit
+ * @return
+ * - INVALID_STATE if retransmission not required
+ * - SUCCESS if retransmission sent
+ */
+ status_t (*retransmit) (task_manager_t *this, u_int32_t message_id);
+
+ /**
+ * @brief Migrate all tasks from other to this.
+ *
+ * To rekey or reestablish an IKE_SA completely, all queued or active
+ * tasks should get migrated to the new IKE_SA.
+ *
+ * @param this manager which gets all tasks
+ * @param other manager which gives away its tasks
+ */
+ void (*adopt_tasks) (task_manager_t *this, task_manager_t *other);
+
+ /**
+ * @brief Reset message ID counters of the task manager.
+ *
+ * The IKEv2 protocol requires to restart exchanges with message IDs
+ * reset to zero (INVALID_KE_PAYLOAD, COOKIES, ...). The reset() method
+ * resets the message IDs and resets all active tasks using the migrate()
+ * method.
+ *
+ * @param this calling object
+ * @param other manager which gives away its tasks
+ */
+ void (*reset) (task_manager_t *this);
+
+ /**
+ * @brief Check if we are currently waiting for a reply.
+ *
+ * @param this calling object
+ * @return TRUE if we are waiting, FALSE otherwise
+ */
+ bool (*busy) (task_manager_t *this);
+
+ /**
+ * @brief Destroy the task_manager_t.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (task_manager_t *this);
+};
+
+/**
+ * @brief Create an instance of the task manager.
+ *
+ * @param ike_sa IKE_SA to manage.
+ *
+ * @ingroup sa
+ */
+task_manager_t *task_manager_create(ike_sa_t *ike_sa);
+
+#endif /* TASK_MANAGER_H_ */
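Review bot: The return values documented for `retransmit` do not match the implementation added in task_manager.c by this same commit: that function returns `DESTROY_ME` when the configured retransmit timeout comes back as 0, and `SUCCESS` in every other case, including when `message_id` no longer matches the outstanding request; it never returns `INVALID_STATE`. A caller written against this header would not handle the give-up case in which the IKE_SA has to be closed, so the `@return` list should read `- DESTROY_ME if retransmission was given up and the IKE_SA must be closed` and `- SUCCESS otherwise`, and the paragraph describing INVALID_STATE should be dropped. Two smaller documentation slips sit in the same struct: `reset` lists `@param other manager which gives away its tasks` although it takes only `this`, and `initiate` returns `status_t` with no `@return` entry (the implementation returns `DESTROY_ME` or `SUCCESS`).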
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
new file mode 100644
index 000000000..781d679f2
--- /dev/null
+++ b/src/charon/sa/tasks/child_create.c
@@ -0,0 +1,804 @@
+/**
+ * @file child_create.c
+ *
+ * @brief Implementation of the child_create task.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "child_create.h"
+
+#include <daemon.h>
+#include <crypto/diffie_hellman.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/ts_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/notify_payload.h>
+
+
+typedef struct private_child_create_t private_child_create_t;
+
+/**
+ * Private members of a child_create_t task.
+ */
+struct private_child_create_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ child_create_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * nonce chosen by us
+ */
+ chunk_t my_nonce;
+
+ /**
+ * nonce chosen by peer
+ */
+ chunk_t other_nonce;
+
+ /**
+ * policy to create the CHILD_SA from
+ */
+ policy_t *policy;
+
+ /**
+ * list of proposal candidates
+ */
+ linked_list_t *proposals;
+
+ /**
+ * selected proposal to use for CHILD_SA
+ */
+ proposal_t *proposal;
+
+ /**
+ * traffic selectors for initiators side
+ */
+ linked_list_t *tsi;
+
+ /**
+ * traffic selectors for responders side
+ */
+ linked_list_t *tsr;
+
+ /**
+ * mode the new CHILD_SA uses (transport/tunnel/beet)
+ */
+ mode_t mode;
+
+ /**
+ * reqid to use if we are rekeying
+ */
+ u_int32_t reqid;
+
+ /**
+ * CHILD_SA which gets established
+ */
+ child_sa_t *child_sa;
+
+ /**
+ * successfully established the CHILD?
+ */
+ bool established;
+};
+
+/**
+ * get the nonce from a message
+ */
+static status_t get_nonce(message_t *message, chunk_t *nonce)
+{
+ nonce_payload_t *payload;
+
+ payload = (nonce_payload_t*)message->get_payload(message, NONCE);
+ if (payload == NULL)
+ {
+ return FAILED;
+ }
+ *nonce = payload->get_nonce(payload);
+ return NEED_MORE;
+}
+
+/**
+ * generate a new nonce to include in a CREATE_CHILD_SA message
+ */
+static status_t generate_nonce(chunk_t *nonce)
+{
+ status_t status;
+ randomizer_t *randomizer = randomizer_create();
+
+ status = randomizer->allocate_pseudo_random_bytes(randomizer, NONCE_SIZE,
+ nonce);
+ randomizer->destroy(randomizer);
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_IKE, "error generating random nonce value");
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Check a list of traffic selectors if any selector belongs to host
+ */
+static bool ts_list_is_host(linked_list_t *list, host_t *host)
+{
+ traffic_selector_t *ts;
+ bool is_host = TRUE;
+ iterator_t *iterator = list->create_iterator(list, TRUE);
+
+ while (is_host && iterator->iterate(iterator, (void**)&ts))
+ {
+ is_host = is_host && ts->is_host(ts, host);
+ }
+ iterator->destroy(iterator);
+ return is_host;
+}
+
+/**
+ * Install a CHILD_SA for usage
+ */
+static status_t select_and_install(private_child_create_t *this)
+{
+ prf_plus_t *prf_plus;
+ status_t status;
+ chunk_t nonce_i, nonce_r, seed;
+ linked_list_t *my_ts, *other_ts;
+ host_t *me, *other, *other_vip, *my_vip;
+
+ if (this->proposals == NULL || this->tsi == NULL || this->tsr == NULL)
+ {
+ SIG(CHILD_UP_FAILED, "SA/TS payloads missing in message");
+ return FAILED;
+ }
+
+ if (this->initiator)
+ {
+ nonce_i = this->my_nonce;
+ nonce_r = this->other_nonce;
+ my_ts = this->tsi;
+ other_ts = this->tsr;
+ }
+ else
+ {
+ nonce_r = this->my_nonce;
+ nonce_i = this->other_nonce;
+ my_ts = this->tsr;
+ other_ts = this->tsi;
+ }
+
+ me = this->ike_sa->get_my_host(this->ike_sa);
+ other = this->ike_sa->get_other_host(this->ike_sa);
+ my_vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
+ other_vip = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
+
+ this->proposal = this->policy->select_proposal(this->policy, this->proposals);
+
+ if (this->proposal == NULL)
+ {
+ SIG(CHILD_UP_FAILED, "no acceptable proposal found");
+ return FAILED;
+ }
+
+ if (this->initiator && my_vip)
+ { /* if we have a virtual IP, shorten our TS to the minimum */
+ my_ts = this->policy->select_my_traffic_selectors(this->policy, my_ts,
+ my_vip);
+ /* to setup firewall rules correctly, CHILD_SA needs the virtual IP */
+ this->child_sa->set_virtual_ip(this->child_sa, my_vip);
+ }
+ else
+ { /* shorten in the host2host case only */
+ my_ts = this->policy->select_my_traffic_selectors(this->policy,
+ my_ts, me);
+ }
+ if (other_vip)
+ { /* if other has a virtual IP, shorten it's traffic selectors to it */
+ other_ts = this->policy->select_other_traffic_selectors(this->policy,
+ other_ts, other_vip);
+ }
+ else
+ { /* use his host for the host2host case */
+ other_ts = this->policy->select_other_traffic_selectors(this->policy,
+ other_ts, other);
+ }
+ this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+ this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+ if (this->initiator)
+ {
+ this->tsi = my_ts;
+ this->tsr = other_ts;
+ }
+ else
+ {
+ this->tsr = my_ts;
+ this->tsi = other_ts;
+ }
+
+ if (this->tsi->get_count(this->tsi) == 0 ||
+ this->tsr->get_count(this->tsr) == 0)
+ {
+ SIG(CHILD_UP_FAILED, "no acceptable traffic selectors found");
+ return FAILED;
+ }
+
+ if (!this->initiator)
+ {
+ /* check if requested mode is acceptable, downgrade if required */
+ switch (this->mode)
+ {
+ case MODE_TRANSPORT:
+ if (!ts_list_is_host(this->tsi, other) ||
+ !ts_list_is_host(this->tsr, me))
+ {
+ this->mode = MODE_TUNNEL;
+ DBG1(DBG_IKE, "not using tranport mode, not host-to-host");
+ }
+ else if (this->ike_sa->is_natt_enabled(this->ike_sa))
+ {
+ this->mode = MODE_TUNNEL;
+ DBG1(DBG_IKE, "not using tranport mode, connection NATed");
+ }
+ break;
+ case MODE_BEET:
+ if (!ts_list_is_host(this->tsi, NULL) ||
+ !ts_list_is_host(this->tsr, NULL))
+ {
+ this->mode = MODE_TUNNEL;
+ DBG1(DBG_IKE, "not using BEET mode, not host-to-host");
+ }
+ break;
+ default:
+ break;
+ }
+ }
+
+ seed = chunk_cata("cc", nonce_i, nonce_r);
+ prf_plus = prf_plus_create(this->ike_sa->get_child_prf(this->ike_sa), seed);
+
+ if (this->initiator)
+ {
+ status = this->child_sa->update(this->child_sa, this->proposal,
+ this->mode, prf_plus);
+ }
+ else
+ {
+ status = this->child_sa->add(this->child_sa, this->proposal,
+ this->mode, prf_plus);
+ }
+ prf_plus->destroy(prf_plus);
+
+ if (status != SUCCESS)
+ {
+ SIG(CHILD_UP_FAILED, "unable to install IPsec SA (SAD) in kernel");
+ return status;
+ }
+
+ status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts,
+ this->mode);
+
+ if (status != SUCCESS)
+ {
+ SIG(CHILD_UP_FAILED, "unable to install IPsec policies (SPD) in kernel");
+ return status;
+ }
+ /* add to IKE_SA, and remove from task */
+ this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+ this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
+ this->established = TRUE;
+ return SUCCESS;
+}
+
+/**
+ * build the payloads for the message
+ */
+static void build_payloads(private_child_create_t *this, message_t *message)
+{
+ sa_payload_t *sa_payload;
+ ts_payload_t *ts_payload;
+ nonce_payload_t *nonce_payload;
+
+ /* add SA payload */
+ if (this->initiator)
+ {
+ sa_payload = sa_payload_create_from_proposal_list(this->proposals);
+ }
+ else
+ {
+ sa_payload = sa_payload_create_from_proposal(this->proposal);
+ }
+ message->add_payload(message, (payload_t*)sa_payload);
+
+ /* add nonce payload if not in IKE_AUTH */
+ if (message->get_exchange_type(message) == CREATE_CHILD_SA)
+ {
+ nonce_payload = nonce_payload_create();
+ nonce_payload->set_nonce(nonce_payload, this->my_nonce);
+ message->add_payload(message, (payload_t*)nonce_payload);
+ }
+
+ /* add TSi/TSr payloads */
+ ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
+ message->add_payload(message, (payload_t*)ts_payload);
+ ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
+ message->add_payload(message, (payload_t*)ts_payload);
+
+ /* add a notify if we are not in tunnel mode */
+ switch (this->mode)
+ {
+ case MODE_TRANSPORT:
+ message->add_notify(message, FALSE, USE_TRANSPORT_MODE, chunk_empty);
+ break;
+ case MODE_BEET:
+ message->add_notify(message, FALSE, USE_BEET_MODE, chunk_empty);
+ break;
+ default:
+ break;
+ }
+}
+
+/**
+ * Read payloads from message
+ */
+static void process_payloads(private_child_create_t *this, message_t *message)
+{
+ iterator_t *iterator;
+ payload_t *payload;
+ sa_payload_t *sa_payload;
+ ts_payload_t *ts_payload;
+ notify_payload_t *notify_payload;
+
+ /* defaults to TUNNEL mode */
+ this->mode = MODE_TUNNEL;
+
+ iterator = message->get_payload_iterator(message);
+ while (iterator->iterate(iterator, (void**)&payload))
+ {
+ switch (payload->get_type(payload))
+ {
+ case SECURITY_ASSOCIATION:
+ sa_payload = (sa_payload_t*)payload;
+ this->proposals = sa_payload->get_proposals(sa_payload);
+ break;
+ case TRAFFIC_SELECTOR_INITIATOR:
+ ts_payload = (ts_payload_t*)payload;
+ this->tsi = ts_payload->get_traffic_selectors(ts_payload);
+ break;
+ case TRAFFIC_SELECTOR_RESPONDER:
+ ts_payload = (ts_payload_t*)payload;
+ this->tsr = ts_payload->get_traffic_selectors(ts_payload);
+ break;
+ case NOTIFY:
+ notify_payload = (notify_payload_t*)payload;
+ switch (notify_payload ->get_notify_type(notify_payload ))
+ {
+ case USE_TRANSPORT_MODE:
+ this->mode = MODE_TRANSPORT;
+ break;
+ case USE_BEET_MODE:
+ this->mode = MODE_BEET;
+ break;
+ default:
+ break;
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_child_create_t *this, message_t *message)
+{
+ host_t *me, *other, *vip;
+
+ switch (message->get_exchange_type(message))
+ {
+ case IKE_SA_INIT:
+ return get_nonce(message, &this->my_nonce);
+ case CREATE_CHILD_SA:
+ if (generate_nonce(&this->my_nonce) != SUCCESS)
+ {
+ message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return SUCCESS;
+ }
+ break;
+ case IKE_AUTH:
+ if (!message->get_payload(message, ID_INITIATOR))
+ {
+ /* send only in the first request, not in subsequent EAP */
+ return NEED_MORE;
+ }
+ break;
+ default:
+ break;
+ }
+
+ SIG(CHILD_UP_START, "establishing CHILD_SA");
+
+ me = this->ike_sa->get_my_host(this->ike_sa);
+ other = this->ike_sa->get_other_host(this->ike_sa);
+ vip = this->policy->get_virtual_ip(this->policy, NULL);
+
+ if (vip)
+ { /* propose a 0.0.0.0/0 subnet when we use virtual ip */
+ this->tsi = this->policy->get_my_traffic_selectors(this->policy, NULL);
+ vip->destroy(vip);
+ }
+ else
+ { /* but shorten a 0.0.0.0/0 subnet to the actual address if host2host */
+ this->tsi = this->policy->get_my_traffic_selectors(this->policy, me);
+ }
+ this->tsr = this->policy->get_other_traffic_selectors(this->policy, other);
+ this->proposals = this->policy->get_proposals(this->policy);
+ this->mode = this->policy->get_mode(this->policy);
+
+ this->child_sa = child_sa_create(me, other,
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa),
+ this->policy, this->reqid,
+ this->ike_sa->is_natt_enabled(this->ike_sa));
+
+ if (this->child_sa->alloc(this->child_sa, this->proposals) != SUCCESS)
+ {
+ SIG(CHILD_UP_FAILED, "unable to allocate SPIs from kernel");
+ return FAILED;
+ }
+
+ build_payloads(this, message);
+
+ this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+ this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+ this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+ this->tsi = NULL;
+ this->tsr = NULL;
+ this->proposals = NULL;
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_r(private_child_create_t *this, message_t *message)
+{
+ switch (message->get_exchange_type(message))
+ {
+ case IKE_SA_INIT:
+ return get_nonce(message, &this->other_nonce);
+ case CREATE_CHILD_SA:
+ get_nonce(message, &this->other_nonce);
+ break;
+ case IKE_AUTH:
+ if (message->get_payload(message, ID_INITIATOR) == NULL)
+ {
+ /* wait until extensible authentication completed, if used */
+ return NEED_MORE;
+ }
+ default:
+ break;
+ }
+
+ process_payloads(this, message);
+
+ if (this->tsi == NULL || this->tsr == NULL)
+ {
+ DBG1(DBG_IKE, "TS payload missing in message");
+ return NEED_MORE;
+ }
+
+ this->policy = charon->policies->get_policy(charon->policies,
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa),
+ this->tsr, this->tsi,
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa));
+
+ if (this->policy && this->ike_sa->get_policy(this->ike_sa) == NULL)
+ {
+ this->ike_sa->set_policy(this->ike_sa, this->policy);
+ }
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_child_create_t *this, message_t *message)
+{
+ switch (message->get_exchange_type(message))
+ {
+ case IKE_SA_INIT:
+ return get_nonce(message, &this->my_nonce);
+ case CREATE_CHILD_SA:
+ if (generate_nonce(&this->my_nonce) != SUCCESS)
+ {
+ message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return SUCCESS;
+ }
+ break;
+ case IKE_AUTH:
+ if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
+ {
+ /* wait until extensible authentication completed, if used */
+ return NEED_MORE;
+ }
+ default:
+ break;
+ }
+
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
+ {
+ SIG(CHILD_UP_FAILED, "unable to create CHILD_SA while rekeying IKE_SA");
+ message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
+ return SUCCESS;
+ }
+
+ if (this->policy == NULL)
+ {
+ SIG(CHILD_UP_FAILED, "no acceptable policy found");
+ message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return SUCCESS;
+ }
+
+ this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa),
+ this->policy, this->reqid,
+ this->ike_sa->is_natt_enabled(this->ike_sa));
+
+ if (select_and_install(this) != SUCCESS)
+ {
+ message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
+ return SUCCESS;
+ }
+
+ build_payloads(this, message);
+
+ SIG(CHILD_UP_SUCCESS, "established CHILD_SA successfully");
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_child_create_t *this, message_t *message)
+{
+ iterator_t *iterator;
+ payload_t *payload;
+
+ switch (message->get_exchange_type(message))
+ {
+ case IKE_SA_INIT:
+ return get_nonce(message, &this->other_nonce);
+ case CREATE_CHILD_SA:
+ get_nonce(message, &this->other_nonce);
+ break;
+ case IKE_AUTH:
+ if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
+ {
+ /* wait until extensible authentication completed, if used */
+ return NEED_MORE;
+ }
+ default:
+ break;
+ }
+
+ /* check for erronous notifies */
+ iterator = message->get_payload_iterator(message);
+ while (iterator->iterate(iterator, (void**)&payload))
+ {
+ if (payload->get_type(payload) == NOTIFY)
+ {
+ notify_payload_t *notify = (notify_payload_t*)payload;
+ notify_type_t type = notify->get_notify_type(notify);
+
+ switch (type)
+ {
+ /* handle notify errors related to CHILD_SA only */
+ case NO_PROPOSAL_CHOSEN:
+ case SINGLE_PAIR_REQUIRED:
+ case NO_ADDITIONAL_SAS:
+ case INTERNAL_ADDRESS_FAILURE:
+ case FAILED_CP_REQUIRED:
+ case TS_UNACCEPTABLE:
+ case INVALID_SELECTORS:
+ {
+ SIG(CHILD_UP_FAILED, "received %N notify, no CHILD_SA built",
+ notify_type_names, type);
+ iterator->destroy(iterator);
+ /* an error in CHILD_SA creation is not critical */
+ return SUCCESS;
+ }
+ default:
+ break;
+ }
+ }
+ }
+ iterator->destroy(iterator);
+
+ process_payloads(this, message);
+
+ if (select_and_install(this) == SUCCESS)
+ {
+ SIG(CHILD_UP_SUCCESS, "established CHILD_SA successfully");
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_child_create_t *this)
+{
+ return CHILD_CREATE;
+}
+
+/**
+ * Implementation of child_create_t.use_reqid
+ */
+static void use_reqid(private_child_create_t *this, u_int32_t reqid)
+{
+ this->reqid = reqid;
+}
+
+/**
+ * Implementation of child_create_t.get_child
+ */
+static child_sa_t* get_child(private_child_create_t *this)
+{
+ return this->child_sa;
+}
+
+/**
+ * Implementation of child_create_t.get_lower_nonce
+ */
+static chunk_t get_lower_nonce(private_child_create_t *this)
+{
+ if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
+ min(this->my_nonce.len, this->other_nonce.len)) < 0)
+ {
+ return this->my_nonce;
+ }
+ else
+ {
+ return this->other_nonce;
+ }
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_child_create_t *this, ike_sa_t *ike_sa)
+{
+ chunk_free(&this->my_nonce);
+ chunk_free(&this->other_nonce);
+ if (this->tsi)
+ {
+ this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+ }
+ if (this->tsr)
+ {
+ this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+ }
+ DESTROY_IF(this->child_sa);
+ DESTROY_IF(this->proposal);
+ if (this->proposals)
+ {
+ this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+ }
+
+ this->ike_sa = ike_sa;
+ this->proposals = NULL;
+ this->tsi = NULL;
+ this->tsr = NULL;
+ this->child_sa = NULL;
+ this->mode = MODE_TUNNEL;
+ this->reqid = 0;
+ this->established = FALSE;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_child_create_t *this)
+{
+ chunk_free(&this->my_nonce);
+ chunk_free(&this->other_nonce);
+ if (this->tsi)
+ {
+ this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+ }
+ if (this->tsr)
+ {
+ this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+ }
+ if (!this->established)
+ {
+ DESTROY_IF(this->child_sa);
+ }
+ DESTROY_IF(this->proposal);
+ if (this->proposals)
+ {
+ this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+ }
+
+ DESTROY_IF(this->policy);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+child_create_t *child_create_create(ike_sa_t *ike_sa, policy_t *policy)
+{
+ private_child_create_t *this = malloc_thing(private_child_create_t);
+
+ this->public.get_child = (child_sa_t*(*)(child_create_t*))get_child;
+ this->public.get_lower_nonce = (chunk_t(*)(child_create_t*))get_lower_nonce;
+ this->public.use_reqid = (void(*)(child_create_t*,u_int32_t))use_reqid;
+ this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+ this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+ this->public.task.destroy = (void(*)(task_t*))destroy;
+ if (policy)
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+ this->initiator = TRUE;
+ policy->get_ref(policy);
+ }
+ else
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+ this->initiator = FALSE;
+ }
+
+ this->ike_sa = ike_sa;
+ this->policy = policy;
+ this->my_nonce = chunk_empty;
+ this->other_nonce = chunk_empty;
+ this->proposals = NULL;
+ this->proposal = NULL;
+ this->tsi = NULL;
+ this->tsr = NULL;
+ this->child_sa = NULL;
+ this->mode = MODE_TUNNEL;
+ this->reqid = 0;
+ this->established = FALSE;
+
+ return &this->public;
+}
diff --git a/src/charon/sa/tasks/child_create.h b/src/charon/sa/tasks/child_create.h
new file mode 100644
index 000000000..200d37457
--- /dev/null
+++ b/src/charon/sa/tasks/child_create.h
@@ -0,0 +1,88 @@
+/**
+ * @file child_create.h
+ *
+ * @brief Interface child_create_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CHILD_CREATE_H_
+#define CHILD_CREATE_H_
+
+typedef struct child_create_t child_create_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+#include <config/policies/policy.h>
+
+/**
+ * @brief Task of type CHILD_CREATE, established a new CHILD_SA.
+ *
+ * This task may be included in the IKE_AUTH message or in a separate
+ * CREATE_CHILD_SA exchange.
+ *
+ * @b Constructors:
+ * - child_create_create()
+ *
+ * @ingroup tasks
+ */
+struct child_create_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+
+ /**
+ * @brief Use a specific reqid for the CHILD_SA.
+ *
+ * When this task is used for rekeying, the same reqid is used
+ * for the new CHILD_SA.
+ *
+ * @param this calling object
+ * @param reqid reqid to use
+ */
+ void (*use_reqid) (child_create_t *this, u_int32_t reqid);
+
+ /**
+ * @brief Get the lower of the two nonces, used for rekey collisions.
+ *
+ * @param this calling object
+ * @return lower nonce
+ */
+ chunk_t (*get_lower_nonce) (child_create_t *this);
+
+ /**
+ * @brief Get the CHILD_SA established/establishing by this task.
+ *
+ * @param this calling object
+ * @return child_sa
+ */
+ child_sa_t* (*get_child) (child_create_t *this);
+};
+
+/**
+ * @brief Create a new child_create task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param policy policy if task initiator, NULL if responder
+ * @return child_create task to handle by the task_manager
+ */
+child_create_t *child_create_create(ike_sa_t *ike_sa, policy_t *policy);
+
+#endif /* CHILD_CREATE_H_ */
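Review bot: The documentation of `get_lower_nonce` does not say who owns the returned chunk. The implementation in child_create.c returns `this->my_nonce` or `this->other_nonce` directly, and both are released with `chunk_free` in migrate and destroy, so the result points into the task and must not be freed or kept past those calls. I would add to the comment: `The returned chunk references internal data of the task; do not free it, it is invalid after migrate() or destroy().` The constructor comment could likewise state that `child_create_create` takes its own reference on a non-NULL `policy`.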
diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c
new file mode 100644
index 000000000..23d509de5
--- /dev/null
+++ b/src/charon/sa/tasks/child_delete.c
@@ -0,0 +1,292 @@
+/**
+ * @file child_delete.c
+ *
+ * @brief Implementation of the child_delete task.
+ *
+ */
+
+/*
+ * Copyright (C) 2006-2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "child_delete.h"
+
+#include <daemon.h>
+#include <encoding/payloads/delete_payload.h>
+
+
+typedef struct private_child_delete_t private_child_delete_t;
+
+/**
+ * Private members of a child_delete_t task.
+ */
+struct private_child_delete_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ child_delete_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * CHILD_SAs which get deleted
+ */
+ linked_list_t *child_sas;
+};
+
+/**
+ * build the delete payloads from the listed child_sas
+ */
+static void build_payloads(private_child_delete_t *this, message_t *message)
+{
+ iterator_t *iterator;
+ delete_payload_t *ah = NULL, *esp = NULL;
+ u_int32_t spi;
+ child_sa_t *child_sa;
+
+ iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+ while (iterator->iterate(iterator, (void**)&child_sa))
+ {
+ spi = child_sa->get_spi(child_sa, TRUE);
+ switch (child_sa->get_protocol(child_sa))
+ {
+ case PROTO_ESP:
+ if (esp == NULL)
+ {
+ esp = delete_payload_create(PROTO_ESP);
+ message->add_payload(message, (payload_t*)esp);
+ }
+ esp->add_spi(esp, spi);
+ break;
+ case PROTO_AH:
+ if (ah == NULL)
+ {
+ ah = delete_payload_create(PROTO_AH);
+ message->add_payload(message, (payload_t*)ah);
+ }
+ ah->add_spi(ah, spi);
+ break;
+ default:
+ break;
+ }
+ child_sa->set_state(child_sa, CHILD_DELETING);
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * read in payloads and find the children to delete
+ */
+static void process_payloads(private_child_delete_t *this, message_t *message)
+{
+ iterator_t *payloads, *spis;
+ payload_t *payload;
+ delete_payload_t *delete_payload;
+ u_int32_t *spi;
+ protocol_id_t protocol;
+ child_sa_t *child_sa;
+
+ payloads = message->get_payload_iterator(message);
+ while (payloads->iterate(payloads, (void**)&payload))
+ {
+ if (payload->get_type(payload) == DELETE)
+ {
+ delete_payload = (delete_payload_t*)payload;
+ protocol = delete_payload->get_protocol_id(delete_payload);
+ if (protocol != PROTO_ESP && protocol != PROTO_AH)
+ {
+ continue;
+ }
+ spis = delete_payload->create_spi_iterator(delete_payload);
+ while (spis->iterate(spis, (void**)&spi))
+ {
+ child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
+ *spi, FALSE);
+ if (child_sa == NULL)
+ {
+ DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x, "
+ "but no such SA", protocol_id_names, protocol, ntohl(*spi));
+ continue;
+ }
+ DBG2(DBG_IKE, "received DELETE for %N CHILD_SA with SPI 0x%x",
+ protocol_id_names, protocol, ntohl(*spi));
+
+ switch (child_sa->get_state(child_sa))
+ {
+ case CHILD_REKEYING:
+ /* we reply as usual, rekeying will fail */
+ break;
+ case CHILD_DELETING:
+ /* we don't send back a delete if we initiated ourself */
+ if (!this->initiator)
+ {
+ this->ike_sa->destroy_child_sa(this->ike_sa,
+ protocol, *spi);
+ continue;
+ }
+ default:
+ break;
+ }
+
+ this->child_sas->insert_last(this->child_sas, child_sa);
+ }
+ spis->destroy(spis);
+ }
+ }
+ payloads->destroy(payloads);
+}
+
+/**
+ * destroy the children listed in this->child_sas
+ */
+static void destroy_children(private_child_delete_t *this)
+{
+ iterator_t *iterator;
+ child_sa_t *child_sa;
+ protocol_id_t protocol;
+ u_int32_t spi;
+
+ iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
+ while (iterator->iterate(iterator, (void**)&child_sa))
+ {
+ spi = child_sa->get_spi(child_sa, TRUE);
+ protocol = child_sa->get_protocol(child_sa);
+ this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_child_delete_t *this, message_t *message)
+{
+ build_payloads(this, message);
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_child_delete_t *this, message_t *message)
+{
+ /* flush the list before adding new SAs */
+ this->child_sas->destroy(this->child_sas);
+ this->child_sas = linked_list_create();
+
+ process_payloads(this, message);
+ destroy_children(this);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_r(private_child_delete_t *this, message_t *message)
+{
+ process_payloads(this, message);
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_child_delete_t *this, message_t *message)
+{
+ /* if we are rekeying, we send an empty informational */
+ if (this->ike_sa->get_state(this->ike_sa) != IKE_REKEYING)
+ {
+ build_payloads(this, message);
+ }
+ destroy_children(this);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_child_delete_t *this)
+{
+ return CHILD_DELETE;
+}
+
+/**
+ * Implementation of child_delete_t.get_child
+ */
+static child_sa_t* get_child(private_child_delete_t *this)
+{
+ child_sa_t *child_sa = NULL;
+ this->child_sas->get_first(this->child_sas, (void**)&child_sa);
+ return child_sa;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_child_delete_t *this, ike_sa_t *ike_sa)
+{
+ this->ike_sa = ike_sa;
+
+ this->child_sas->destroy(this->child_sas);
+ this->child_sas = linked_list_create();
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_child_delete_t *this)
+{
+ this->child_sas->destroy(this->child_sas);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+child_delete_t *child_delete_create(ike_sa_t *ike_sa, child_sa_t *child_sa)
+{
+ private_child_delete_t *this = malloc_thing(private_child_delete_t);
+
+ this->public.get_child = (child_sa_t*(*)(child_delete_t*))get_child;
+ this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+ this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+ this->public.task.destroy = (void(*)(task_t*))destroy;
+
+ this->ike_sa = ike_sa;
+ this->child_sas = linked_list_create();
+
+ if (child_sa != NULL)
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+ this->initiator = TRUE;
+ this->child_sas->insert_last(this->child_sas, child_sa);
+ }
+ else
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+ this->initiator = FALSE;
+ }
+ return &this->public;
+}
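Review bot: `process_payloads` appends a CHILD_SA to `this->child_sas` for every SPI in the peer's DELETE payloads without checking whether that SA is already in the list. A message that names the same SPI twice therefore queues the same pointer twice, and `destroy_children` then calls `child_sa->get_spi` on the second entry after `destroy_child_sa` has already run for the first. If that call frees the object, as its name suggests, this is a use after free driven by peer input. Skipping SAs that are already queued before `insert_last` avoids it, for example with a small lookup helper built on the list iterator this file already uses.

```c
/**
 * check if a child_sa is already queued for deletion
 */
static bool is_queued(private_child_delete_t *this, child_sa_t *child_sa)
{
	iterator_t *iterator;
	child_sa_t *current;
	bool found = FALSE;

	iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
	while (iterator->iterate(iterator, (void**)&current))
	{
		if (current == child_sa)
		{
			found = TRUE;
			break;
		}
	}
	iterator->destroy(iterator);
	return found;
}

/* … unchanged: process_payloads up to and including the state switch … */
				if (!is_queued(this, child_sa))
				{
					this->child_sas->insert_last(this->child_sas, child_sa);
				}
```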
diff --git a/src/charon/sa/tasks/child_delete.h b/src/charon/sa/tasks/child_delete.h
new file mode 100644
index 000000000..a7e676a50
--- /dev/null
+++ b/src/charon/sa/tasks/child_delete.h
@@ -0,0 +1,66 @@
+/**
+ * @file child_delete.h
+ *
+ * @brief Interface child_delete_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CHILD_DELETE_H_
+#define CHILD_DELETE_H_
+
+typedef struct child_delete_t child_delete_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+#include <sa/child_sa.h>
+
+/**
+ * @brief Task of type child_delete, delete a CHILD_SA.
+ *
+ * @b Constructors:
+ * - child_delete_create()
+ *
+ * @ingroup tasks
+ */
+struct child_delete_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+
+ /**
+ * @brief Get the CHILD_SA to delete by this task.
+ *
+ * @param this calling object
+ * @return child_sa
+ */
+ child_sa_t* (*get_child) (child_delete_t *this);
+};
+
+/**
+ * @brief Create a new child_delete task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param child_sa CHILD_SA to delete, or NULL as responder
+ * @return child_delete task to handle by the task_manager
+ */
+child_delete_t *child_delete_create(ike_sa_t *ike_sa, child_sa_t *child_sa);
+
+#endif /* CHILD_DELETE_H_ */
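Review bot: The comment on `get_child` reads as if the task always holds exactly one CHILD_SA, but the implementation in child_delete.c returns only the first entry of `child_sas` via `get_first`, and NULL when the list is empty. A responder task can queue several SAs from one DELETE message, and `collide` in child_rekey.c compares only this first entry against the SA being rekeyed, so a delete that lists the rekeyed SA second would presumably not be recognised as a collision. I would at least document the behaviour: `@return first CHILD_SA queued for deletion, NULL if none`.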
diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c
new file mode 100644
index 000000000..745895dbb
--- /dev/null
+++ b/src/charon/sa/tasks/child_rekey.c
@@ -0,0 +1,346 @@
+/**
+ * @file child_rekey.c
+ *
+ * @brief Implementation of the child_rekey task.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "child_rekey.h"
+
+#include <daemon.h>
+#include <encoding/payloads/notify_payload.h>
+#include <sa/tasks/child_create.h>
+#include <sa/tasks/child_delete.h>
+#include <queues/jobs/rekey_child_sa_job.h>
+
+
+typedef struct private_child_rekey_t private_child_rekey_t;
+
+/**
+ * Private members of a child_rekey_t task.
+ */
+struct private_child_rekey_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ child_rekey_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * the CHILD_CREATE task which is reused to simplify rekeying
+ */
+ child_create_t *child_create;
+
+ /**
+ * CHILD_SA which gets rekeyed
+ */
+ child_sa_t *child_sa;
+
+ /**
+ * colliding task, may be delete or rekey
+ */
+ task_t *collision;
+};
+
+/**
+ * find a child using the REKEY_SA notify
+ */
+static void find_child(private_child_rekey_t *this, message_t *message)
+{
+ iterator_t *iterator;
+ payload_t *payload;
+
+ iterator = message->get_payload_iterator(message);
+ while (iterator->iterate(iterator, (void**)&payload))
+ {
+ notify_payload_t *notify;
+ u_int32_t spi;
+ protocol_id_t protocol;
+
+ if (payload->get_type(payload) != NOTIFY)
+ {
+ continue;
+ }
+
+ notify = (notify_payload_t*)payload;
+ protocol = notify->get_protocol_id(notify);
+ spi = notify->get_spi(notify);
+
+ if (protocol != PROTO_ESP && protocol != PROTO_AH)
+ {
+ continue;
+ }
+ this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
+ spi, FALSE);
+ break;
+
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_child_rekey_t *this, message_t *message)
+{
+ notify_payload_t *notify;
+ protocol_id_t protocol;
+ u_int32_t spi, reqid;
+
+ /* we just need the rekey notify ... */
+ protocol = this->child_sa->get_protocol(this->child_sa);
+ spi = this->child_sa->get_spi(this->child_sa, TRUE);
+ notify = notify_payload_create_from_protocol_and_type(protocol, REKEY_SA);
+ notify->set_spi(notify, spi);
+ message->add_payload(message, (payload_t*)notify);
+
+ /* ... our CHILD_CREATE task does the hard work for us. */
+ reqid = this->child_sa->get_reqid(this->child_sa);
+ this->child_create->use_reqid(this->child_create, reqid);
+ this->child_create->task.build(&this->child_create->task, message);
+
+ this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_r(private_child_rekey_t *this, message_t *message)
+{
+ /* let the CHILD_CREATE task process the message */
+ this->child_create->task.process(&this->child_create->task, message);
+
+ find_child(this, message);
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_child_rekey_t *this, message_t *message)
+{
+ u_int32_t reqid;
+
+ if (this->child_sa == NULL ||
+ this->child_sa->get_state(this->child_sa) == CHILD_DELETING)
+ {
+ DBG1(DBG_IKE, "unable to rekey, CHILD_SA not found");
+ message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return SUCCESS;
+ }
+
+ /* let the CHILD_CREATE task build the response */
+ reqid = this->child_sa->get_reqid(this->child_sa);
+ this->child_create->use_reqid(this->child_create, reqid);
+ this->child_create->task.build(&this->child_create->task, message);
+
+ if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
+ {
+ /* rekeying failed, reuse old child */
+ this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+ return SUCCESS;
+ }
+
+ this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_child_rekey_t *this, message_t *message)
+{
+ protocol_id_t protocol;
+ u_int32_t spi;
+ child_sa_t *to_delete;
+
+ this->child_create->task.process(&this->child_create->task, message);
+ if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
+ {
+ /* establishing new child failed, reuse old. but not when we
+ * recieved a delete in the meantime */
+ if (!(this->collision &&
+ this->collision->get_type(this->collision) == CHILD_DELETE))
+ {
+ job_t *job;
+ u_int32_t retry = charon->configuration->get_retry_interval(
+ charon->configuration);
+ job = (job_t*)rekey_child_sa_job_create(
+ this->child_sa->get_reqid(this->child_sa),
+ this->child_sa->get_protocol(this->child_sa),
+ this->child_sa->get_spi(this->child_sa, TRUE));
+ DBG1(DBG_IKE, "CHILD_SA rekeying failed, "
+ "trying again in %d seconds", retry);
+ this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+ charon->event_queue->add_relative(charon->event_queue, job, retry * 1000);
+ }
+ return SUCCESS;
+ }
+
+ to_delete = this->child_sa;
+
+ /* check for rekey collisions */
+ if (this->collision &&
+ this->collision->get_type(this->collision) == CHILD_REKEY)
+ {
+ chunk_t this_nonce, other_nonce;
+ private_child_rekey_t *other = (private_child_rekey_t*)this->collision;
+
+ this_nonce = this->child_create->get_lower_nonce(this->child_create);
+ other_nonce = other->child_create->get_lower_nonce(other->child_create);
+
+ /* if we have the lower nonce, delete rekeyed SA. If not, delete
+ * the redundant. */
+ if (memcmp(this_nonce.ptr, other_nonce.ptr,
+ min(this_nonce.len, other_nonce.len)) < 0)
+ {
+ DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting rekeyed child");
+ }
+ else
+ {
+ DBG1(DBG_IKE, "CHILD_SA rekey collision lost, deleting redundant child");
+ to_delete = this->child_create->get_child(this->child_create);
+ if (to_delete == NULL)
+ {
+ /* ooops, should not happen, fallback */
+ to_delete = this->child_sa;
+ }
+ }
+ }
+
+ spi = to_delete->get_spi(to_delete, TRUE);
+ protocol = to_delete->get_protocol(to_delete);
+ if (this->ike_sa->delete_child_sa(this->ike_sa, protocol, spi) != SUCCESS)
+ {
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_child_rekey_t *this)
+{
+ return CHILD_REKEY;
+}
+
+/**
+ * Implementation of child_rekey_t.collide
+ */
+static void collide(private_child_rekey_t *this, task_t *other)
+{
+ /* the task manager only detects exchange collision, but not if
+ * the collision is for the same child. we check it here. */
+ if (other->get_type(other) == CHILD_REKEY)
+ {
+ private_child_rekey_t *rekey = (private_child_rekey_t*)other;
+ if (rekey == NULL || rekey->child_sa != this->child_sa)
+ {
+ /* not the same child => no collision */
+ return;
+ }
+ }
+ else if (other->get_type(other) == CHILD_DELETE)
+ {
+ child_delete_t *del = (child_delete_t*)other;
+ if (del == NULL || del->get_child(del) != this->child_sa)
+ {
+ /* not the same child => no collision */
+ return;
+ }
+ }
+ else
+ {
+ /* any other task is not critical for collisisions, ignore */
+ return;
+ }
+ DESTROY_IF(this->collision);
+ this->collision = other;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_child_rekey_t *this, ike_sa_t *ike_sa)
+{
+ this->child_create->task.migrate(&this->child_create->task, ike_sa);
+ DESTROY_IF(this->collision);
+
+ this->ike_sa = ike_sa;
+ this->collision = NULL;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_child_rekey_t *this)
+{
+ this->child_create->task.destroy(&this->child_create->task);
+ DESTROY_IF(this->collision);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, child_sa_t *child_sa)
+{
+ private_child_rekey_t *this = malloc_thing(private_child_rekey_t);
+ policy_t *policy;
+
+ this->public.collide = (void (*)(child_rekey_t*,task_t*))collide;
+ this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+ this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+ this->public.task.destroy = (void(*)(task_t*))destroy;
+ if (child_sa != NULL)
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+ this->initiator = TRUE;
+ policy = child_sa->get_policy(child_sa);
+ this->child_create = child_create_create(ike_sa, policy);
+ }
+ else
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+ this->initiator = FALSE;
+ this->child_create = child_create_create(ike_sa, NULL);
+ }
+
+ this->ike_sa = ike_sa;
+ this->child_sa = child_sa;
+ this->collision = NULL;
+
+ return &this->public;
+}
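Review bot: `find_child` is documented as locating the child from the REKEY_SA notify, but the loop never looks at the notify type: the first NOTIFY payload whose protocol id is ESP or AH selects the CHILD_SA, whatever it announces. Any other notify carrying a protocol and an SPI would then decide which SA `build_r` moves to CHILD_REKEYING. Adding `if (notify->get_notify_type(notify) != REKEY_SA) { continue; }` after the cast restricts the lookup to the intended payload. In `collide`, the `rekey == NULL` and `del == NULL` tests come after `other->get_type(other)` has already dereferenced the pointer, so they cannot catch anything and could be dropped.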
diff --git a/src/charon/sa/tasks/child_rekey.h b/src/charon/sa/tasks/child_rekey.h
new file mode 100644
index 000000000..3515f0c3f
--- /dev/null
+++ b/src/charon/sa/tasks/child_rekey.h
@@ -0,0 +1,70 @@
+/**
+ * @file child_rekey.h
+ *
+ * @brief Interface child_rekey_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CHILD_REKEY_H_
+#define CHILD_REKEY_H_
+
+typedef struct child_rekey_t child_rekey_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/child_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * @brief Task of type CHILD_REKEY, rekey an established CHILD_SA.
+ *
+ * @b Constructors:
+ * - child_rekey_create()
+ *
+ * @ingroup tasks
+ */
+struct child_rekey_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+
+ /**
+ * @brief Register a rekeying task which collides with this one
+ *
+ * If two peers initiate rekeying at the same time, the collision must
+ * be handled gracefully. The task manager is aware of what exchanges
+ * are going on and notifies the outgoing task by passing the incoming.
+ *
+ * @param this task initated by us
+ * @param other incoming task
+ */
+ void (*collide)(child_rekey_t* this, task_t *other);
+};
+
+/**
+ * @brief Create a new CHILD_REKEY task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param child_sa child_sa to rekey, NULL if responder
+ * @return child_rekey task to handle by the task_manager
+ */
+child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, child_sa_t *child_sa);
+
+#endif /* CHILD_REKEY_H_ */
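Review bot: The `collide` comment does not state what happens to `other` afterwards, and the implementation in child_rekey.c treats it in two different ways. When the incoming task concerns the same CHILD_SA it is stored in `this->collision` and later destroyed by this task in migrate or destroy; in every other case `collide` returns without keeping it. A caller cannot tell which happened, so a leak or a double destroy is possible depending on what the task manager assumes (its code is not in this hunk). I would state the ownership rule on the `@param other` line, or have `collide` report whether it adopted the task.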
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
new file mode 100644
index 000000000..541e1bb37
--- /dev/null
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -0,0 +1,750 @@
+/**
+ * @file ike_auth.c
+ *
+ * @brief Implementation of the ike_auth task.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_auth.h"
+
+#include <string.h>
+
+#include <daemon.h>
+#include <crypto/diffie_hellman.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/eap_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <sa/authenticators/eap_authenticator.h>
+
+
+
+typedef struct private_ike_auth_t private_ike_auth_t;
+
+/**
+ * Private members of a ike_auth_t task.
+ */
+struct private_ike_auth_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_auth_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * Nonce chosen by us in ike_init
+ */
+ chunk_t my_nonce;
+
+ /**
+ * Nonce chosen by peer in ike_init
+ */
+ chunk_t other_nonce;
+
+ /**
+ * IKE_SA_INIT message sent by us
+ */
+ packet_t *my_packet;
+
+ /**
+ * IKE_SA_INIT message sent by peer
+ */
+ packet_t *other_packet;
+
+ /**
+ * EAP authenticator when using EAP
+ */
+ eap_authenticator_t *eap_auth;
+
+ /**
+ * EAP payload received and ready to process
+ */
+ eap_payload_t *eap_payload;
+
+ /**
+ * has the peer been authenticated successfully?
+ */
+ bool peer_authenticated;
+};
+
+/**
+ * build the AUTH payload
+ */
+static status_t build_auth(private_ike_auth_t *this, message_t *message)
+{
+ authenticator_t *auth;
+ auth_payload_t *auth_payload;
+ policy_t *policy;
+ auth_method_t method;
+ status_t status;
+
+ /* create own authenticator and add auth payload */
+ policy = this->ike_sa->get_policy(this->ike_sa);
+ if (!policy)
+ {
+ SIG(IKE_UP_FAILED, "unable to authenticate, no policy found");
+ return FAILED;
+ }
+ method = policy->get_auth_method(policy);
+
+ auth = authenticator_create(this->ike_sa, method);
+ if (auth == NULL)
+ {
+ SIG(IKE_UP_FAILED, "configured authentication method %N not supported",
+ auth_method_names, method);
+ return FAILED;
+ }
+
+ status = auth->build(auth, this->my_packet->get_data(this->my_packet),
+ this->other_nonce, &auth_payload);
+ auth->destroy(auth);
+ if (status != SUCCESS)
+ {
+ SIG(IKE_UP_FAILED, "generating authentication data failed");
+ return FAILED;
+ }
+ message->add_payload(message, (payload_t*)auth_payload);
+ return SUCCESS;
+}
+
+/**
+ * build ID payload(s)
+ */
+static status_t build_id(private_ike_auth_t *this, message_t *message)
+{
+ identification_t *me, *other;
+ id_payload_t *id;
+ policy_t *policy;
+
+ me = this->ike_sa->get_my_id(this->ike_sa);
+ other = this->ike_sa->get_other_id(this->ike_sa);
+ policy = this->ike_sa->get_policy(this->ike_sa);
+
+ if (me->contains_wildcards(me))
+ {
+ me = policy->get_my_id(policy);
+ if (me->contains_wildcards(me))
+ {
+ SIG(IKE_UP_FAILED, "negotiation of own ID failed");
+ return FAILED;
+ }
+ this->ike_sa->set_my_id(this->ike_sa, me->clone(me));
+ }
+
+ id = id_payload_create_from_identification(this->initiator, me);
+ message->add_payload(message, (payload_t*)id);
+
+ /* as initiator, include other ID if it does not contain wildcards */
+ if (this->initiator && !other->contains_wildcards(other))
+ {
+ id = id_payload_create_from_identification(FALSE, other);
+ message->add_payload(message, (payload_t*)id);
+ }
+ return SUCCESS;
+}
+
+/**
+ * process AUTH payload
+ */
+static status_t process_auth(private_ike_auth_t *this, message_t *message)
+{
+ auth_payload_t *auth_payload;
+ authenticator_t *auth;
+ auth_method_t auth_method;
+ status_t status;
+
+ auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+
+ if (auth_payload == NULL)
+ {
+ /* AUTH payload is missing, client wants to use EAP authentication */
+ return NOT_FOUND;
+ }
+
+ auth_method = auth_payload->get_auth_method(auth_payload);
+ auth = authenticator_create(this->ike_sa, auth_method);
+
+ if (auth == NULL)
+ {
+ SIG(IKE_UP_FAILED, "authentication method %N used by %D not "
+ "supported", auth_method_names, auth_method,
+ this->ike_sa->get_other_id(this->ike_sa));
+ return NOT_SUPPORTED;
+ }
+ status = auth->verify(auth, this->other_packet->get_data(this->other_packet),
+ this->my_nonce, auth_payload);
+ auth->destroy(auth);
+ if (status != SUCCESS)
+ {
+ SIG(IKE_UP_FAILED, "authentication of %D using %N failed",
+ this->ike_sa->get_other_id(this->ike_sa),
+ auth_method_names, auth_method);
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * process ID payload(s)
+ */
+static status_t process_id(private_ike_auth_t *this, message_t *message)
+{
+ identification_t *id;
+ id_payload_t *idr, *idi;
+
+ idi = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
+ idr = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
+
+ if ((this->initiator && idr == NULL) || (!this->initiator && idi == NULL))
+ {
+ SIG(IKE_UP_FAILED, "ID payload missing in message");
+ return FAILED;
+ }
+
+ if (this->initiator)
+ {
+ id = idr->get_identification(idr);
+ this->ike_sa->set_other_id(this->ike_sa, id);
+ }
+ else
+ {
+ id = idi->get_identification(idi);
+ this->ike_sa->set_other_id(this->ike_sa, id);
+ if (idr)
+ {
+ id = idr->get_identification(idr);
+ this->ike_sa->set_my_id(this->ike_sa, id);
+ }
+ }
+ return SUCCESS;
+}
+
+/**
+ * collect the needed information in the IKE_SA_INIT exchange from our message
+ */
+static status_t collect_my_init_data(private_ike_auth_t *this, message_t *message)
+{
+ nonce_payload_t *nonce;
+
+ /* get the nonce that was generated in ike_init */
+ nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
+ if (nonce == NULL)
+ {
+ return FAILED;
+ }
+ this->my_nonce = nonce->get_nonce(nonce);
+
+ /* pre-generate the message, so we can store it for us */
+ if (this->ike_sa->generate_message(this->ike_sa, message,
+ &this->my_packet) != SUCCESS)
+ {
+ return FAILED;
+ }
+ return NEED_MORE;
+}
+
+/**
+ * collect the needed information in the IKE_SA_INIT exchange from others message
+ */
+static status_t collect_other_init_data(private_ike_auth_t *this, message_t *message)
+{
+ /* we collect the needed information in the IKE_SA_INIT exchange */
+ nonce_payload_t *nonce;
+
+ /* get the nonce that was generated in ike_init */
+ nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
+ if (nonce == NULL)
+ {
+ return FAILED;
+ }
+ this->other_nonce = nonce->get_nonce(nonce);
+
+ /* pre-generate the message, so we can store it for us */
+ this->other_packet = message->get_packet(message);
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build to create AUTH payload from EAP data
+ */
+static status_t build_auth_eap(private_ike_auth_t *this, message_t *message)
+{
+ authenticator_t *auth;
+ auth_payload_t *auth_payload;
+
+ auth = (authenticator_t*)this->eap_auth;
+ if (auth->build(auth, this->my_packet->get_data(this->my_packet),
+ this->other_nonce, &auth_payload) != SUCCESS)
+ {
+ SIG(IKE_UP_FAILED, "generating authentication data failed");
+ if (!this->initiator)
+ {
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
+ }
+ return FAILED;
+ }
+ message->add_payload(message, (payload_t*)auth_payload);
+ if (!this->initiator)
+ {
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ SIG(IKE_UP_SUCCESS, "IKE_SA established between %D[%H]...[%H]%D",
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+ return SUCCESS;
+ }
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process to verify AUTH payload after EAP
+ */
+static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
+{
+ auth_payload_t *auth_payload;
+ authenticator_t *auth;
+
+ auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+ this->peer_authenticated = FALSE;
+
+ if (auth_payload)
+ {
+ auth = (authenticator_t*)this->eap_auth;
+ if (auth->verify(auth, this->other_packet->get_data(this->other_packet),
+ this->my_nonce, auth_payload) == SUCCESS)
+ {
+ this->peer_authenticated = TRUE;
+ }
+ }
+
+ if (!this->peer_authenticated)
+ {
+ SIG(IKE_UP_FAILED, "authentication of %D using %N failed",
+ this->ike_sa->get_other_id(this->ike_sa),
+ auth_method_names, AUTH_EAP);
+ if (this->initiator)
+ {
+ return FAILED;
+ }
+ return NEED_MORE;
+ }
+ if (this->initiator)
+ {
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ SIG(IKE_UP_SUCCESS, "IKE_SA established between %D[%H]...[%H]%D",
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+ return SUCCESS;
+ }
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for EAP exchanges
+ */
+static status_t process_eap_i(private_ike_auth_t *this, message_t *message)
+{
+ eap_payload_t *eap;
+
+ eap = (eap_payload_t*)message->get_payload(message, EXTENSIBLE_AUTHENTICATION);
+ if (eap == NULL)
+ {
+ SIG(IKE_UP_FAILED, "EAP payload missing");
+ return FAILED;
+ }
+ switch (this->eap_auth->process(this->eap_auth, eap, &eap))
+ {
+ case NEED_MORE:
+ this->eap_payload = eap;
+ return NEED_MORE;
+ case SUCCESS:
+ /* EAP exchange completed, now create and process AUTH */
+ this->eap_payload = NULL;
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_auth_eap;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
+ return NEED_MORE;
+ default:
+ this->eap_payload = NULL;
+ SIG(IKE_UP_FAILED, "failed to authenticate against %D using EAP",
+ this->ike_sa->get_other_id(this->ike_sa));
+ return FAILED;
+ }
+}
+
+/**
+ * Implementation of task_t.process for EAP exchanges
+ */
+static status_t process_eap_r(private_ike_auth_t *this, message_t *message)
+{
+ this->eap_payload = (eap_payload_t*)message->get_payload(message,
+ EXTENSIBLE_AUTHENTICATION);
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for EAP exchanges
+ */
+static status_t build_eap_i(private_ike_auth_t *this, message_t *message)
+{
+ message->add_payload(message, (payload_t*)this->eap_payload);
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for EAP exchanges
+ */
+static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
+{
+ status_t status = NEED_MORE;
+ eap_payload_t *eap;
+
+ if (this->eap_payload == NULL)
+ {
+ SIG(IKE_UP_FAILED, "EAP payload missing");
+ return FAILED;
+ }
+
+ switch (this->eap_auth->process(this->eap_auth, this->eap_payload, &eap))
+ {
+ case NEED_MORE:
+
+ break;
+ case SUCCESS:
+ /* EAP exchange completed, now create and process AUTH */
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_auth_eap;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
+ break;
+ default:
+ SIG(IKE_UP_FAILED, "authentication of %D using %N failed",
+ this->ike_sa->get_other_id(this->ike_sa),
+ auth_method_names, AUTH_EAP);
+ status = FAILED;
+ break;
+ }
+ message->add_payload(message, (payload_t*)eap);
+ return status;
+}
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_ike_auth_t *this, message_t *message)
+{
+ policy_t *policy;
+
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ return collect_my_init_data(this, message);
+ }
+
+ if (build_id(this, message) != SUCCESS)
+ {
+ return FAILED;
+ }
+
+ policy = this->ike_sa->get_policy(this->ike_sa);
+ if (policy->get_auth_method(policy) == AUTH_EAP)
+ {
+ this->eap_auth = eap_authenticator_create(this->ike_sa);
+ }
+ else
+ {
+ if (build_auth(this, message) != SUCCESS)
+ {
+ return FAILED;
+ }
+ }
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_r(private_ike_auth_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ return collect_other_init_data(this, message);
+ }
+
+ if (process_id(this, message) != SUCCESS)
+ {
+ return NEED_MORE;
+ }
+
+ switch (process_auth(this, message))
+ {
+ case SUCCESS:
+ this->peer_authenticated = TRUE;
+ break;
+ case NOT_FOUND:
+ /* use EAP if no AUTH payload found */
+ this->eap_auth = eap_authenticator_create(this->ike_sa);
+ break;
+ default:
+ break;
+ }
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_auth_t *this, message_t *message)
+{
+ policy_t *policy;
+ eap_type_t eap_type;
+ eap_payload_t *eap_payload;
+ status_t status;
+
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ return collect_my_init_data(this, message);
+ }
+
+ policy = this->ike_sa->get_policy(this->ike_sa);
+ if (policy == NULL)
+ {
+ SIG(IKE_UP_FAILED, "no acceptable policy found");
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
+ return FAILED;
+ }
+
+ if (build_id(this, message) != SUCCESS ||
+ build_auth(this, message) != SUCCESS)
+ {
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
+ return FAILED;
+ }
+
+ /* use "traditional" authentication if we could authenticate peer */
+ if (this->peer_authenticated)
+ {
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ SIG(IKE_UP_SUCCESS, "IKE_SA established between %D[%H]...[%H]%D",
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+ return SUCCESS;
+ }
+
+ if (this->eap_auth == NULL)
+ {
+ /* peer not authenticated, nor does it want to use EAP */
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
+ return FAILED;
+ }
+
+ /* initiate EAP authenitcation */
+ eap_type = policy->get_eap_type(policy);
+ status = this->eap_auth->initiate(this->eap_auth, eap_type, &eap_payload);
+ message->add_payload(message, (payload_t*)eap_payload);
+ if (status != NEED_MORE)
+ {
+ SIG(IKE_UP_FAILED, "unable to initiate EAP authentication");
+ return FAILED;
+ }
+
+ /* switch to EAP methods */
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_eap_r;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_eap_r;
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_auth_t *this, message_t *message)
+{
+ iterator_t *iterator;
+ payload_t *payload;
+
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ return collect_other_init_data(this, message);
+ }
+
+ iterator = message->get_payload_iterator(message);
+ while (iterator->iterate(iterator, (void**)&payload))
+ {
+ if (payload->get_type(payload) == NOTIFY)
+ {
+ notify_payload_t *notify = (notify_payload_t*)payload;
+ notify_type_t type = notify->get_notify_type(notify);
+
+ switch (type)
+ {
+ case NO_PROPOSAL_CHOSEN:
+ case SINGLE_PAIR_REQUIRED:
+ case NO_ADDITIONAL_SAS:
+ case INTERNAL_ADDRESS_FAILURE:
+ case FAILED_CP_REQUIRED:
+ case TS_UNACCEPTABLE:
+ case INVALID_SELECTORS:
+ /* these are errors, but are not critical as only the
+ * CHILD_SA won't get build, but IKE_SA establishes anyway */
+ break;
+ default:
+ {
+ if (type < 16383)
+ {
+ SIG(IKE_UP_FAILED, "received %N notify error",
+ notify_type_names, type);
+ iterator->destroy(iterator);
+ return FAILED;
+ }
+ DBG1(DBG_IKE, "received %N notify",
+ notify_type_names, type);
+ break;
+ }
+ }
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (process_id(this, message) != SUCCESS ||
+ process_auth(this, message) != SUCCESS)
+ {
+ return FAILED;
+ }
+
+ if (this->eap_auth)
+ {
+ /* switch to EAP authentication methods */
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_eap_i;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_eap_i;
+ return process_eap_i(this, message);
+ }
+
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ SIG(IKE_UP_SUCCESS, "IKE_SA established between %D[%H]...[%H]%D",
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_auth_t *this)
+{
+ return IKE_AUTHENTICATE;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
+{
+ chunk_free(&this->my_nonce);
+ chunk_free(&this->other_nonce);
+ DESTROY_IF(this->my_packet);
+ DESTROY_IF(this->other_packet);
+ if (this->eap_auth)
+ {
+ this->eap_auth->authenticator_interface.destroy(
+ &this->eap_auth->authenticator_interface);
+ }
+
+ this->my_packet = NULL;
+ this->other_packet = NULL;
+ this->peer_authenticated = FALSE;
+ this->eap_auth = NULL;
+ this->eap_payload = NULL;
+ this->ike_sa = ike_sa;
+ if (this->initiator)
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+ }
+ else
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+ }
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_auth_t *this)
+{
+ chunk_free(&this->my_nonce);
+ chunk_free(&this->other_nonce);
+ DESTROY_IF(this->my_packet);
+ DESTROY_IF(this->other_packet);
+ if (this->eap_auth)
+ {
+ this->eap_auth->authenticator_interface.destroy(
+ &this->eap_auth->authenticator_interface);
+ }
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
+
+ this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+ this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+ this->public.task.destroy = (void(*)(task_t*))destroy;
+
+ if (initiator)
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+ }
+ else
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+ }
+
+ this->ike_sa = ike_sa;
+ this->initiator = initiator;
+ this->my_nonce = chunk_empty;
+ this->other_nonce = chunk_empty;
+ this->my_packet = NULL;
+ this->other_packet = NULL;
+ this->peer_authenticated = FALSE;
+ this->eap_auth = NULL;
+ this->eap_payload = NULL;
+
+ return &this->public;
+}
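Review bot: build_auth_eap() moves a responder to IKE_ESTABLISHED without looking at `this->peer_authenticated`. process_auth_eap() sets that flag to FALSE when the AUTH payload is missing or fails verify(), but on the responder it then returns NEED_MORE, so the next build_auth_eap() call still builds our AUTH payload, calls `set_state(this->ike_sa, IKE_ESTABLISHED)` and signals IKE_UP_SUCCESS. As far as this file shows, a peer that completes EAP can therefore skip the final AUTH check that ties the EAP result to the stored IKE_SA_INIT data. I would open build_auth_eap() with a guard `if (!this->initiator && !this->peer_authenticated)` that adds the AUTHENTICATION_FAILED notify and returns FAILED, the same pair build_r() uses. Separately, build_eap_r() and build_r() hand `eap` / `eap_payload` to add_payload() before or regardless of the status check; if process() or initiate() can fail without writing the out-parameter (not visible here), that pointer is uninitialised and should start as NULL and be added only when set.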
diff --git a/src/charon/sa/tasks/ike_auth.h b/src/charon/sa/tasks/ike_auth.h
new file mode 100644
index 000000000..d7326c988
--- /dev/null
+++ b/src/charon/sa/tasks/ike_auth.h
@@ -0,0 +1,64 @@
+/**
+ * @file ike_auth.h
+ *
+ * @brief Interface ike_auth_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IKE_AUTH_H_
+#define IKE_AUTH_H_
+
+typedef struct ike_auth_t ike_auth_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * @brief Task of type ike_auth, authenticates an IKE_SA using authenticators.
+ *
+ * The ike_auth task authenticates the IKE_SA using the IKE_AUTH
+ * exchange. It processes and build IDi and IDr payloads and also
+ * handles AUTH payloads. The AUTH payloads are passed to authenticator_t's,
+ * which do the actual authentication process. If the ike_auth task is used
+ * with EAP authentication, it stays alive over multiple exchanges until
+ * EAP has completed.
+ *
+ * @b Constructors:
+ * - ike_auth_create()
+ *
+ * @ingroup tasks
+ */
+struct ike_auth_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * @brief Create a new task of type IKE_AUTHENTICATE.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE if thask is the initator of an exchange
+ * @return ike_auth task to handle by the task_manager
+ */
+ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /* IKE_AUTH_H_ */
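Review bot: The Doxygen text for ike_auth_create() has typos that end up in the generated API docs: the parameter line should read `@param initiator TRUE if task is the initiator of an exchange`, and the struct description should say "processes and builds IDi and IDr payloads". The same misspelling appears in ike_cert.h, where the line should be `@param initiator TRUE if task is the original initiator`. In ike_auth.c the comment above process_r() says "for initiator" although the constructor installs it for the responder, and in ike_cert.c the comment above build_i() says `task_t.process`; both are worth correcting since the build/process pairs are swapped at runtime through function pointers.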
diff --git a/src/charon/sa/tasks/ike_cert.c b/src/charon/sa/tasks/ike_cert.c
new file mode 100644
index 000000000..160600742
--- /dev/null
+++ b/src/charon/sa/tasks/ike_cert.c
@@ -0,0 +1,370 @@
+/**
+ * @file ike_cert.c
+ *
+ * @brief Implementation of the ike_cert task.
+ *
+ */
+
+/*
+ * Copyright (C) 2006-2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_cert.h"
+
+#include <daemon.h>
+#include <sa/ike_sa.h>
+#include <crypto/hashers/hasher.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/certreq_payload.h>
+
+
+typedef struct private_ike_cert_t private_ike_cert_t;
+
+/**
+ * Private members of a ike_cert_t task.
+ */
+struct private_ike_cert_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_cert_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * list of CA cert hashes requested, items point to 20 byte chunk
+ */
+ linked_list_t *cas;
+
+ /**
+ * have we seen a certificate request?
+ */
+ bool certreq_seen;
+};
+
+/**
+ * read certificate requests
+ */
+static void process_certreqs(private_ike_cert_t *this, message_t *message)
+{
+ iterator_t *iterator;
+ payload_t *payload;
+
+ iterator = message->get_payload_iterator(message);
+ while (iterator->iterate(iterator, (void**)&payload))
+ {
+ if (payload->get_type(payload) == CERTIFICATE_REQUEST)
+ {
+ certreq_payload_t *certreq = (certreq_payload_t*)payload;
+ cert_encoding_t encoding;
+ chunk_t keyids, keyid;
+
+ this->certreq_seen = TRUE;
+
+ encoding = certreq->get_cert_encoding(certreq);
+ if (encoding != CERT_X509_SIGNATURE)
+ {
+ DBG1(DBG_IKE, "certreq payload %N not supported, ignored",
+ cert_encoding_names, encoding);
+ continue;
+ }
+
+ keyids = certreq->get_data(certreq);
+
+ while (keyids.len >= HASH_SIZE_SHA1)
+ {
+ keyid = chunk_create(keyids.ptr, HASH_SIZE_SHA1);
+ keyid = chunk_clone(keyid);
+ this->cas->insert_last(this->cas, keyid.ptr);
+ keyids = chunk_skip(keyids, HASH_SIZE_SHA1);
+ }
+ }
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * import certificates
+ */
+static void process_certs(private_ike_cert_t *this, message_t *message)
+{
+ iterator_t *iterator;
+ payload_t *payload;
+
+ iterator = message->get_payload_iterator(message);
+ while (iterator->iterate(iterator, (void**)&payload))
+ {
+ if (payload->get_type(payload) == CERTIFICATE)
+ {
+ cert_encoding_t encoding;
+ x509_t *cert;
+ chunk_t cert_data;
+ bool found;
+ cert_payload_t *cert_payload = (cert_payload_t*)payload;
+
+ encoding = cert_payload->get_cert_encoding(cert_payload);
+ if (encoding != CERT_X509_SIGNATURE)
+ {
+ DBG1(DBG_IKE, "certificate payload %N not supported, ignored",
+ cert_encoding_names, encoding);
+ continue;
+ }
+
+ cert_data = cert_payload->get_data_clone(cert_payload);
+ cert = x509_create_from_chunk(cert_data, 0);
+ if (cert)
+ {
+ if (charon->credentials->verify(charon->credentials,
+ cert, &found))
+ {
+ DBG2(DBG_IKE, "received end entity certificate is trusted, "
+ "added to store");
+ if (!found)
+ {
+ charon->credentials->add_end_certificate(
+ charon->credentials, cert);
+ }
+ else
+ {
+ cert->destroy(cert);
+ }
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received end entity certificate is not "
+ "trusted, discarded");
+ cert->destroy(cert);
+ }
+ }
+ else
+ {
+ DBG1(DBG_IKE, "parsing of received certificate failed, discarded");
+ chunk_free(&cert_data);
+ }
+ }
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * build certificate requests
+ */
+static void build_certreqs(private_ike_cert_t *this, message_t *message)
+{
+ connection_t *connection;
+ policy_t *policy;
+ identification_t *ca;
+ certreq_payload_t *certreq;
+
+ connection = this->ike_sa->get_connection(this->ike_sa);
+
+ if (connection->get_certreq_policy(connection) != CERT_NEVER_SEND)
+ {
+ policy = this->ike_sa->get_policy(this->ike_sa);
+
+ if (policy)
+ {
+ ca = policy->get_other_ca(policy);
+
+ if (ca && ca->get_type(ca) != ID_ANY)
+ {
+ certreq = certreq_payload_create_from_cacert(ca);
+ }
+ else
+ {
+ certreq = certreq_payload_create_from_cacerts();
+ }
+ }
+ else
+ {
+ certreq = certreq_payload_create_from_cacerts();
+ }
+
+ if (certreq)
+ {
+ message->add_payload(message, (payload_t*)certreq);
+ }
+ }
+}
+
+/**
+ * add certificates to message
+ */
+static void build_certs(private_ike_cert_t *this, message_t *message)
+{
+ policy_t *policy;
+ connection_t *connection;
+ x509_t *cert;
+ cert_payload_t *payload;
+
+ policy = this->ike_sa->get_policy(this->ike_sa);
+ connection = this->ike_sa->get_connection(this->ike_sa);
+
+ if (policy && policy->get_auth_method(policy) == AUTH_RSA)
+ {
+ switch (connection->get_cert_policy(connection))
+ {
+ case CERT_NEVER_SEND:
+ break;
+ case CERT_SEND_IF_ASKED:
+ if (!this->certreq_seen)
+ {
+ break;
+ }
+ /* FALL */
+ case CERT_ALWAYS_SEND:
+ {
+ /* TODO: respect CA cert request */
+ cert = charon->credentials->get_certificate(charon->credentials,
+ policy->get_my_id(policy));
+ if (cert)
+ {
+ payload = cert_payload_create_from_x509(cert);
+ message->add_payload(message, (payload_t*)payload);
+ }
+ }
+ }
+ }
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t build_i(private_ike_cert_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ return NEED_MORE;
+ }
+
+ build_certreqs(this, message);
+ build_certs(this, message);
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_cert_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ return NEED_MORE;
+ }
+
+ process_certreqs(this, message);
+ process_certs(this, message);
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_cert_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ build_certreqs(this, message);
+ return NEED_MORE;
+ }
+
+ build_certs(this, message);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_cert_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ process_certreqs(this, message);
+ return NEED_MORE;
+ }
+
+ process_certs(this, message);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_cert_t *this)
+{
+ return IKE_CERT;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_cert_t *this, ike_sa_t *ike_sa)
+{
+ this->ike_sa = ike_sa;
+
+ this->cas->destroy_function(this->cas, free);
+ this->cas = linked_list_create();
+ this->certreq_seen = FALSE;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_cert_t *this)
+{
+ this->cas->destroy_function(this->cas, free);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_cert_t *ike_cert_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_cert_t *this = malloc_thing(private_ike_cert_t);
+
+ this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+ this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+ this->public.task.destroy = (void(*)(task_t*))destroy;
+
+ if (initiator)
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+ }
+ else
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+ }
+
+ this->ike_sa = ike_sa;
+ this->initiator = initiator;
+ this->cas = linked_list_create();
+ this->certreq_seen = FALSE;
+
+ return &this->public;
+}
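Review bot: process_certreqs() silently drops a malformed tail in the peer's CERTREQ data. The `while (keyids.len >= HASH_SIZE_SHA1)` loop stops as soon as fewer than 20 bytes remain, with nothing logged for a payload whose length is not a multiple of the hash size. A line after the loop such as `if (keyids.len) DBG1(DBG_IKE, "certreq payload has trailing bytes, ignored");` would make that visible. The cloned key ids are collected in `this->cas`, but nothing in this file reads the list back; build_certs() still carries `/* TODO: respect CA cert request */` and sends the certificate for `policy->get_my_id(policy)` whatever CA was requested. Until that TODO is done the list is peer-driven allocation with no consumer, so a comment on the `cas` member saying it is not yet evaluated would help. In process_certs() the DBG2 text "added to store" is also printed on the `found` branch, where the certificate is destroyed rather than added.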
diff --git a/src/charon/sa/tasks/ike_cert.h b/src/charon/sa/tasks/ike_cert.h
new file mode 100644
index 000000000..ba0283953
--- /dev/null
+++ b/src/charon/sa/tasks/ike_cert.h
@@ -0,0 +1,61 @@
+/**
+ * @file ike_cert.h
+ *
+ * @brief Interface ike_cert_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IKE_CERT_H_
+#define IKE_CERT_H_
+
+typedef struct ike_cert_t ike_cert_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * @brief Task of type ike_cert, exchanges certificates and
+ * certificate requests.
+ *
+ * @b Constructors:
+ * - ike_cert_create()
+ *
+ * @ingroup tasks
+ */
+struct ike_cert_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * @brief Create a new ike_cert task.
+ *
+ * The initiator parameter means the original initiator, not the initiator
+ * of the certificate request.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE if thask is the original initator
+ * @return ike_cert task to handle by the task_manager
+ */
+ike_cert_t *ike_cert_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /* IKE_CERT_H_ */
diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c
new file mode 100644
index 000000000..ce29b9220
--- /dev/null
+++ b/src/charon/sa/tasks/ike_config.c
@@ -0,0 +1,428 @@
+/**
+ * @file ike_config.c
+ *
+ * @brief Implementation of the ike_config task.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_config.h"
+
+#include <daemon.h>
+#include <encoding/payloads/cp_payload.h>
+
+typedef struct private_ike_config_t private_ike_config_t;
+
+/**
+ * Private members of a ike_config_t task.
+ */
+struct private_ike_config_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_config_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * associated policy with virtual IP configuration
+ */
+ policy_t *policy;
+
+ /**
+ * virtual ip
+ */
+ host_t *virtual_ip;
+
+ /**
+ * list of DNS servers
+ */
+ linked_list_t *dns;
+};
+
+/**
+ * build configuration payloads and attributes
+ */
+static void build_payloads(private_ike_config_t *this, message_t *message,
+ config_type_t type)
+{
+ cp_payload_t *cp;
+ configuration_attribute_t *ca;
+ chunk_t chunk, prefix;
+
+ if (!this->virtual_ip)
+ {
+ return;
+ }
+
+ cp = cp_payload_create();
+ cp->set_config_type(cp, type);
+
+ ca = configuration_attribute_create();
+
+ if (this->virtual_ip->get_family(this->virtual_ip) == AF_INET)
+ {
+ ca->set_type(ca, INTERNAL_IP4_ADDRESS);
+ if (this->virtual_ip->is_anyaddr(this->virtual_ip))
+ {
+ chunk = chunk_empty;
+ }
+ else
+ {
+ chunk = this->virtual_ip->get_address(this->virtual_ip);
+ }
+ }
+ else
+ {
+ ca->set_type(ca, INTERNAL_IP6_ADDRESS);
+ if (this->virtual_ip->is_anyaddr(this->virtual_ip))
+ {
+ chunk = chunk_empty;
+ }
+ else
+ {
+ prefix = chunk_alloca(1);
+ *prefix.ptr = 64;
+ chunk = this->virtual_ip->get_address(this->virtual_ip);
+ chunk = chunk_cata("cc", chunk, prefix);
+ }
+ }
+ ca->set_value(ca, chunk);
+ cp->add_configuration_attribute(cp, ca);
+
+ /* we currently always add a DNS request if we request an IP */
+ if (this->initiator)
+ {
+ ca = configuration_attribute_create();
+ if (this->virtual_ip->get_family(this->virtual_ip) == AF_INET)
+ {
+ ca->set_type(ca, INTERNAL_IP4_DNS);
+ }
+ else
+ {
+ ca->set_type(ca, INTERNAL_IP6_DNS);
+ }
+ cp->add_configuration_attribute(cp, ca);
+ }
+ else
+ {
+ host_t *ip;
+ iterator_t *iterator = this->dns->create_iterator(this->dns, TRUE);
+ while (iterator->iterate(iterator, (void**)&ip))
+ {
+ ca = configuration_attribute_create();
+ if (ip->get_family(ip) == AF_INET)
+ {
+ ca->set_type(ca, INTERNAL_IP4_DNS);
+ }
+ else
+ {
+ ca->set_type(ca, INTERNAL_IP6_DNS);
+ }
+ chunk = ip->get_address(ip);
+ ca->set_value(ca, chunk);
+ cp->add_configuration_attribute(cp, ca);
+ }
+ iterator->destroy(iterator);
+ }
+ message->add_payload(message, (payload_t*)cp);
+}
+
+/**
+ * process a single configuration attribute
+ */
+static void process_attribute(private_ike_config_t *this,
+ configuration_attribute_t *ca)
+{
+ host_t *ip;
+ chunk_t addr;
+ int family = AF_INET6;
+
+ switch (ca->get_type(ca))
+ {
+ case INTERNAL_IP4_ADDRESS:
+ family = AF_INET;
+ /* fall */
+ case INTERNAL_IP6_ADDRESS:
+ {
+ addr = ca->get_value(ca);
+ if (addr.len == 0)
+ {
+ ip = host_create_any(family);
+ }
+ else
+ {
+ /* skip prefix byte in IPv6 payload*/
+ if (family == AF_INET6)
+ {
+ addr.len--;
+ }
+ ip = host_create_from_chunk(family, addr, 0);
+ }
+ if (ip && !this->virtual_ip)
+ {
+ this->virtual_ip = ip;
+ }
+ break;
+ }
+ case INTERNAL_IP4_DNS:
+ family = AF_INET;
+ /* fall */
+ case INTERNAL_IP6_DNS:
+ {
+ addr = ca->get_value(ca);
+ if (addr.len == 0)
+ {
+ ip = host_create_any(family);
+ }
+ else
+ {
+ ip = host_create_from_chunk(family, addr, 0);
+ }
+ if (ip)
+ {
+ this->dns->insert_last(this->dns, ip);
+ }
+ break;
+ }
+ case INTERNAL_IP4_NBNS:
+ case INTERNAL_IP6_NBNS:
+ /* TODO */
+ default:
+ DBG1(DBG_IKE, "ignoring %N config attribute",
+ configuration_attribute_type_names,
+ ca->get_type(ca));
+ break;
+ }
+}
+
+/**
+ * Scan for configuration payloads and attributes
+ */
+static void process_payloads(private_ike_config_t *this, message_t *message)
+{
+ iterator_t *iterator, *attributes;
+ payload_t *payload;
+
+ iterator = message->get_payload_iterator(message);
+ while (iterator->iterate(iterator, (void**)&payload))
+ {
+ if (payload->get_type(payload) == CONFIGURATION)
+ {
+ cp_payload_t *cp = (cp_payload_t*)payload;
+ configuration_attribute_t *ca;
+ switch (cp->get_config_type(cp))
+ {
+ case CFG_REQUEST:
+ case CFG_REPLY:
+ {
+ attributes = cp->create_attribute_iterator(cp);
+ while (attributes->iterate(attributes, (void**)&ca))
+ {
+ process_attribute(this, ca);
+ }
+ attributes->destroy(attributes);
+ break;
+ }
+ default:
+ DBG1(DBG_IKE, "ignoring %N config payload",
+ config_type_names, cp->get_config_type(cp));
+ break;
+ }
+ }
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t build_i(private_ike_config_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_AUTH &&
+ message->get_payload(message, ID_INITIATOR))
+ {
+ this->virtual_ip = this->policy->get_virtual_ip(this->policy, NULL);
+
+ build_payloads(this, message, CFG_REQUEST);
+ }
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_config_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_AUTH &&
+ message->get_payload(message, ID_INITIATOR))
+ {
+ process_payloads(this, message);
+ }
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_config_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_AUTH &&
+ message->get_payload(message, EXTENSIBLE_AUTHENTICATION) == NULL)
+ {
+ this->policy = this->ike_sa->get_policy(this->ike_sa);
+
+ if (this->policy && this->virtual_ip)
+ {
+ host_t *ip;
+
+ DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip);
+ ip = this->policy->get_virtual_ip(this->policy, this->virtual_ip);
+ if (ip == NULL || ip->is_anyaddr(ip))
+ {
+ DBG1(DBG_IKE, "not assigning a virtual IP to peer");
+ return SUCCESS;
+ }
+ DBG1(DBG_IKE, "assigning virtual IP %H to peer", ip);
+ this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, ip);
+
+ this->virtual_ip->destroy(this->virtual_ip);
+ this->virtual_ip = ip;
+
+ /* DNS testing values
+ if (this->dns->remove_last(this->dns, (void**)&ip) == SUCCESS)
+ {
+ ip->destroy(ip);
+ ip = host_create_from_string("10.3.0.1", 0);
+ this->dns->insert_last(this->dns, ip);
+ ip = host_create_from_string("10.3.0.2", 0);
+ this->dns->insert_last(this->dns, ip);
+ } */
+
+ build_payloads(this, message, CFG_REPLY);
+ }
+ return SUCCESS;
+ }
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_config_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_AUTH &&
+ !message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
+ {
+ host_t *ip;
+
+ DESTROY_IF(this->virtual_ip);
+ this->virtual_ip = NULL;
+
+ process_payloads(this, message);
+
+ if (this->virtual_ip)
+ {
+ this->ike_sa->set_virtual_ip(this->ike_sa, TRUE, this->virtual_ip);
+
+ while (this->dns->remove_last(this->dns, (void**)&ip) == SUCCESS)
+ {
+ if (!ip->is_anyaddr(ip))
+ {
+ this->ike_sa->add_dns_server(this->ike_sa, ip);
+ }
+ ip->destroy(ip);
+ }
+ }
+ return SUCCESS;
+ }
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_config_t *this)
+{
+ return IKE_CONFIG;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_config_t *this, ike_sa_t *ike_sa)
+{
+ DESTROY_IF(this->virtual_ip);
+ this->dns->destroy_offset(this->dns, offsetof(host_t, destroy));
+
+ this->ike_sa = ike_sa;
+ this->virtual_ip = NULL;
+ this->dns = linked_list_create();
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_config_t *this)
+{
+ DESTROY_IF(this->virtual_ip);
+ this->dns->destroy_offset(this->dns, offsetof(host_t, destroy));
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_config_t *ike_config_create(ike_sa_t *ike_sa, policy_t *policy)
+{
+ private_ike_config_t *this = malloc_thing(private_ike_config_t);
+
+ this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+ this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+ this->public.task.destroy = (void(*)(task_t*))destroy;
+
+ if (policy)
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+ this->initiator = TRUE;
+ }
+ else
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+ this->initiator = FALSE;
+ }
+
+ this->ike_sa = ike_sa;
+ this->policy = policy;
+ this->virtual_ip = NULL;
+ this->dns = linked_list_create();
+
+ return &this->public;
+}
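Review bot: In process_attribute(), the host_t created for an INTERNAL_IP4_ADDRESS or INTERNAL_IP6_ADDRESS attribute is never destroyed when this->virtual_ip is already set. A peer that sends several address attributes in one configuration payload therefore leaks one object per extra attribute. The `if (ip && !this->virtual_ip)` branch needs a matching cleanup, `else { DESTROY_IF(ip); }`. The IPv6 branch also does `addr.len--` on any non-empty peer-supplied value. That is only safe if host_create_from_chunk() rejects lengths other than the expected address size, which is not visible in this hunk. Checking for the 17 bytes (address plus prefix byte) that build_payloads() emits, before the decrement, would make the parsing self-contained.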
diff --git a/src/charon/sa/tasks/ike_config.h b/src/charon/sa/tasks/ike_config.h
new file mode 100644
index 000000000..0c9b961b4
--- /dev/null
+++ b/src/charon/sa/tasks/ike_config.h
@@ -0,0 +1,59 @@
+/**
+ * @file ike_config.h
+ *
+ * @brief Interface ike_config_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IKE_CONFIG_H_
+#define IKE_CONFIG_H_
+
+typedef struct ike_config_t ike_config_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+#include <config/policies/policy.h>
+
+/**
+ * @brief Task of type IKE_CONFIG, sets up a virtual IP and other
+ * configurations for an IKE_SA.
+ *
+ * @b Constructors:
+ * - ike_config_create()
+ *
+ * @ingroup tasks
+ */
+struct ike_config_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * @brief Create a new ike_config task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param policy policy for the initiator, NULL for the responder
+ * @return ike_config task to handle by the task_manager
+ */
+ike_config_t *ike_config_create(ike_sa_t *ike_sa, policy_t *policy);
+
+#endif /* IKE_CONFIG_H_ */
diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c
new file mode 100644
index 000000000..9c4fdac0e
--- /dev/null
+++ b/src/charon/sa/tasks/ike_delete.c
@@ -0,0 +1,172 @@
+/**
+ * @file ike_delete.c
+ *
+ * @brief Implementation of the ike_delete task.
+ *
+ */
+
+/*
+ * Copyright (C) 2006-2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_delete.h"
+
+#include <daemon.h>
+#include <encoding/payloads/delete_payload.h>
+
+
+typedef struct private_ike_delete_t private_ike_delete_t;
+
+/**
+ * Private members of a ike_delete_t task.
+ */
+struct private_ike_delete_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_delete_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * are we responding to a delete, but have initated our own?
+ */
+ bool simultaneous;
+};
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_ike_delete_t *this, message_t *message)
+{
+ delete_payload_t *delete_payload;
+
+ delete_payload = delete_payload_create(PROTO_IKE);
+ message->add_payload(message, (payload_t*)delete_payload);
+
+ this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_delete_t *this, message_t *message)
+{
+ /* completed, delete IKE_SA by returning FAILED */
+ return FAILED;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_r(private_ike_delete_t *this, message_t *message)
+{
+ /* we don't even scan the payloads, as the message wouldn't have
+ * come so far without being correct */
+ switch (this->ike_sa->get_state(this->ike_sa))
+ {
+ case IKE_DELETING:
+ this->simultaneous = TRUE;
+ break;
+ case IKE_ESTABLISHED:
+ DBG1(DBG_IKE, "deleting IKE_SA on request");
+ break;
+ case IKE_REKEYING:
+ DBG1(DBG_IKE, "initiated rekeying, but received delete for IKE_SA");
+ break;
+ default:
+ break;
+ }
+ this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_delete_t *this, message_t *message)
+{
+ if (this->simultaneous)
+ {
+ /* wait for peers response for our delete request, but set a timeout */
+ return SUCCESS;
+ }
+ /* completed, delete IKE_SA by returning FAILED */
+ return FAILED;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_delete_t *this)
+{
+ return IKE_DELETE;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_delete_t *this, ike_sa_t *ike_sa)
+{
+ this->ike_sa = ike_sa;
+ this->simultaneous = FALSE;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_delete_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_delete_t *this = malloc_thing(private_ike_delete_t);
+
+ this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+ this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+ this->public.task.destroy = (void(*)(task_t*))destroy;
+
+ if (initiator)
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+ }
+ else
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+ }
+
+ this->ike_sa = ike_sa;
+ this->initiator = initiator;
+ this->simultaneous = FALSE;
+
+ return &this->public;
+}
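Review bot: The comment above process_r() reads `Implementation of task_t.process for initiator`, but ike_delete_create() installs that function in the non-initiator branch, so it should read `Implementation of task_t.process for responder`. In build_r() the comment for the simultaneous-delete case says a timeout is set, yet the function only returns SUCCESS. If the timeout is enforced elsewhere, for example by retransmission of our own delete request, the comment should say where; otherwise the IKE_SA could stay in IKE_DELETING when the peer never answers. The `initiator` member is assigned in the constructor but never read in this file.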
diff --git a/src/charon/sa/tasks/ike_delete.h b/src/charon/sa/tasks/ike_delete.h
new file mode 100644
index 000000000..e8ec5ebbe
--- /dev/null
+++ b/src/charon/sa/tasks/ike_delete.h
@@ -0,0 +1,57 @@
+/**
+ * @file ike_delete.h
+ *
+ * @brief Interface ike_delete_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IKE_DELETE_H_
+#define IKE_DELETE_H_
+
+typedef struct ike_delete_t ike_delete_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * @brief Task of type ike_delete, delete an IKE_SA.
+ *
+ * @b Constructors:
+ * - ike_delete_create()
+ *
+ * @ingroup tasks
+ */
+struct ike_delete_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * @brief Create a new ike_delete task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE if we initiate the delete
+ * @return ike_delete task to handle by the task_manager
+ */
+ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /* IKE_DELETE_H_ */
diff --git a/src/charon/sa/tasks/ike_dpd.c b/src/charon/sa/tasks/ike_dpd.c
new file mode 100644
index 000000000..1cb05c45c
--- /dev/null
+++ b/src/charon/sa/tasks/ike_dpd.c
@@ -0,0 +1,106 @@
+/**
+ * @file ike_dpd.c
+ *
+ * @brief Implementation of the ike_dpd task.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_dpd.h"
+
+#include <daemon.h>
+
+
+typedef struct private_ike_dpd_t private_ike_dpd_t;
+
+/**
+ * Private members of a ike_dpd_t task.
+ */
+struct private_ike_dpd_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_dpd_t public;
+};
+
+/**
+ * Implementation of task_t.build for initiator
+ * Implementation of task_t.process for responder
+ */
+static status_t return_need_more(private_ike_dpd_t *this, message_t *message)
+{
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ * Implementation of task_t.build for responder
+ */
+static status_t return_success(private_ike_dpd_t *this, message_t *message)
+{
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_dpd_t *this)
+{
+ return IKE_DEADPEER;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_dpd_t *this, ike_sa_t *ike_sa)
+{
+
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_dpd_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_dpd_t *ike_dpd_create(bool initiator)
+{
+ private_ike_dpd_t *this = malloc_thing(private_ike_dpd_t);
+
+ this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+ this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+ this->public.task.destroy = (void(*)(task_t*))destroy;
+
+ if (initiator)
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))return_need_more;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))return_success;
+ }
+ else
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))return_success;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))return_need_more;
+ }
+
+ return &this->public;
+}
diff --git a/src/charon/sa/tasks/ike_dpd.h b/src/charon/sa/tasks/ike_dpd.h
new file mode 100644
index 000000000..531b0502d
--- /dev/null
+++ b/src/charon/sa/tasks/ike_dpd.h
@@ -0,0 +1,58 @@
+/**
+ * @file ike_dpd.h
+ *
+ * @brief Interface ike_dpd_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IKE_DPD_H_
+#define IKE_DPD_H_
+
+typedef struct ike_dpd_t ike_dpd_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * @brief Task of type ike_dpd, detects dead peers.
+ *
+ * The DPD task actually does nothing, as a DPD has no associated payloads.
+ *
+ * @b Constructors:
+ * - ike_dpd_create()
+ *
+ * @ingroup tasks
+ */
+struct ike_dpd_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * @brief Create a new ike_dpd task.
+ *
+ * @param initiator TRUE if thask is the original initator
+ * @return ike_dpd task to handle by the task_manager
+ */
+ike_dpd_t *ike_dpd_create(bool initiator);
+
+#endif /* IKE_DPD_H_ */
diff --git a/src/charon/sa/tasks/ike_init.c b/src/charon/sa/tasks/ike_init.c
new file mode 100644
index 000000000..0b493666a
--- /dev/null
+++ b/src/charon/sa/tasks/ike_init.c
@@ -0,0 +1,598 @@
+/**
+ * @file ike_init.c
+ *
+ * @brief Implementation of the ike_init task.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_init.h"
+
+#include <string.h>
+
+#include <daemon.h>
+#include <crypto/diffie_hellman.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+
+/** maximum retries to do with cookies/other dh groups */
+#define MAX_RETRIES 5
+
+typedef struct private_ike_init_t private_ike_init_t;
+
+/**
+ * Private members of a ike_init_t task.
+ */
+struct private_ike_init_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_init_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * Connection established by this IKE_SA
+ */
+ connection_t *connection;
+
+ /**
+ * diffie hellman group to use
+ */
+ diffie_hellman_group_t dh_group;
+
+ /**
+ * Diffie hellman object used to generate public DH value.
+ */
+ diffie_hellman_t *diffie_hellman;
+
+ /**
+ * nonce chosen by us
+ */
+ chunk_t my_nonce;
+
+ /**
+ * nonce chosen by peer
+ */
+ chunk_t other_nonce;
+
+ /**
+ * Negotiated proposal used for IKE_SA
+ */
+ proposal_t *proposal;
+
+ /**
+ * Old IKE_SA which gets rekeyed
+ */
+ ike_sa_t *old_sa;
+
+ /**
+ * cookie received from responder
+ */
+ chunk_t cookie;
+
+ /**
+ * retries done so far after failure (cookie or bad dh group)
+ */
+ u_int retry;
+};
+
+/**
+ * build the payloads for the message
+ */
+static void build_payloads(private_ike_init_t *this, message_t *message)
+{
+ sa_payload_t *sa_payload;
+ ke_payload_t *ke_payload;
+ nonce_payload_t *nonce_payload;
+ linked_list_t *proposal_list;
+ ike_sa_id_t *id;
+ proposal_t *proposal;
+ iterator_t *iterator;
+
+ id = this->ike_sa->get_id(this->ike_sa);
+
+ this->connection = this->ike_sa->get_connection(this->ike_sa);
+
+ if (this->initiator)
+ {
+ proposal_list = this->connection->get_proposals(this->connection);
+ if (this->old_sa)
+ {
+ /* include SPI of new IKE_SA when we are rekeying */
+ iterator = proposal_list->create_iterator(proposal_list, TRUE);
+ while (iterator->iterate(iterator, (void**)&proposal))
+ {
+ proposal->set_spi(proposal, id->get_initiator_spi(id));
+ }
+ iterator->destroy(iterator);
+ }
+
+ sa_payload = sa_payload_create_from_proposal_list(proposal_list);
+ proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
+ }
+ else
+ {
+ if (this->old_sa)
+ {
+ /* include SPI of new IKE_SA when we are rekeying */
+ this->proposal->set_spi(this->proposal, id->get_responder_spi(id));
+ }
+ sa_payload = sa_payload_create_from_proposal(this->proposal);
+ }
+ message->add_payload(message, (payload_t*)sa_payload);
+
+ nonce_payload = nonce_payload_create();
+ nonce_payload->set_nonce(nonce_payload, this->my_nonce);
+ message->add_payload(message, (payload_t*)nonce_payload);
+
+ ke_payload = ke_payload_create_from_diffie_hellman(this->diffie_hellman);
+ message->add_payload(message, (payload_t*)ke_payload);
+}
+
+/**
+ * Read payloads from message
+ */
+static void process_payloads(private_ike_init_t *this, message_t *message)
+{
+ iterator_t *iterator;
+ payload_t *payload;
+
+ iterator = message->get_payload_iterator(message);
+ while (iterator->iterate(iterator, (void**)&payload))
+ {
+ switch (payload->get_type(payload))
+ {
+ case SECURITY_ASSOCIATION:
+ {
+ sa_payload_t *sa_payload = (sa_payload_t*)payload;
+ linked_list_t *proposal_list;
+
+ proposal_list = sa_payload->get_proposals(sa_payload);
+ this->proposal = this->connection->select_proposal(
+ this->connection, proposal_list);
+ proposal_list->destroy_offset(proposal_list,
+ offsetof(proposal_t, destroy));
+ break;
+ }
+ case KEY_EXCHANGE:
+ {
+ ke_payload_t *ke_payload = (ke_payload_t*)payload;
+ diffie_hellman_group_t dh_group;
+ chunk_t key_data;
+
+ dh_group = ke_payload->get_dh_group_number(ke_payload);
+
+ if (this->initiator)
+ {
+ if (dh_group != this->dh_group)
+ {
+ DBG1(DBG_IKE, "received a DH group not requested (%N)",
+ diffie_hellman_group_names, dh_group);
+ break;
+ }
+ }
+ else
+ {
+ this->dh_group = dh_group;
+ if (!this->connection->check_dh_group(this->connection,
+ dh_group))
+ {
+ break;
+ }
+ this->diffie_hellman = diffie_hellman_create(dh_group);
+ }
+ if (this->diffie_hellman)
+ {
+ key_data = ke_payload->get_key_exchange_data(ke_payload);
+ this->diffie_hellman->set_other_public_value(this->diffie_hellman, key_data);
+ }
+ break;
+ }
+ case NONCE:
+ {
+ nonce_payload_t *nonce_payload = (nonce_payload_t*)payload;
+ this->other_nonce = nonce_payload->get_nonce(nonce_payload);
+ break;
+ }
+ default:
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t build_i(private_ike_init_t *this, message_t *message)
+{
+ randomizer_t *randomizer;
+ status_t status;
+
+ this->connection = this->ike_sa->get_connection(this->ike_sa);
+ SIG(IKE_UP_START, "initiating IKE_SA to %H",
+ this->connection->get_other_host(this->connection));
+ this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
+
+ if (this->retry++ >= MAX_RETRIES)
+ {
+ SIG(IKE_UP_FAILED, "giving up after %d retries", MAX_RETRIES);
+ return FAILED;
+ }
+
+ /* if the DH group is set via use_dh_group(), we already have a DH object */
+ if (!this->diffie_hellman)
+ {
+ this->dh_group = this->connection->get_dh_group(this->connection);
+ this->diffie_hellman = diffie_hellman_create(this->dh_group);
+ if (this->diffie_hellman == NULL)
+ {
+ SIG(IKE_UP_FAILED, "configured DH group %N not supported",
+ diffie_hellman_group_names, this->dh_group);
+ return FAILED;
+ }
+ }
+
+ /* generate nonce only when we are trying the first time */
+ if (this->my_nonce.ptr == NULL)
+ {
+ randomizer = randomizer_create();
+ status = randomizer->allocate_pseudo_random_bytes(randomizer, NONCE_SIZE,
+ &this->my_nonce);
+ randomizer->destroy(randomizer);
+ if (status != SUCCESS)
+ {
+ SIG(IKE_UP_FAILED, "error generating random nonce value");
+ return FAILED;
+ }
+ }
+
+ if (this->cookie.ptr)
+ {
+ message->add_notify(message, FALSE, COOKIE, this->cookie);
+ }
+
+ build_payloads(this, message);
+
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_r(private_ike_init_t *this, message_t *message)
+{
+ randomizer_t *randomizer;
+
+ this->connection = this->ike_sa->get_connection(this->ike_sa);
+ SIG(IKE_UP_FAILED, "%H is initiating an IKE_SA",
+ message->get_source(message));
+ this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
+
+ randomizer = randomizer_create();
+ if (randomizer->allocate_pseudo_random_bytes(randomizer, NONCE_SIZE,
+ &this->my_nonce) != SUCCESS)
+ {
+ DBG1(DBG_IKE, "error generating random nonce value");
+ }
+ randomizer->destroy(randomizer);
+
+ process_payloads(this, message);
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_init_t *this, message_t *message)
+{
+ chunk_t secret;
+ status_t status;
+
+ /* check if we have everything we need */
+ if (this->proposal == NULL ||
+ this->other_nonce.len == 0 || this->my_nonce.len == 0)
+ {
+ SIG(IKE_UP_FAILED, "received proposals inacceptable");
+ message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return FAILED;
+ }
+
+ if (this->diffie_hellman == NULL ||
+ this->diffie_hellman->get_shared_secret(this->diffie_hellman,
+ &secret) != SUCCESS)
+ {
+ chunk_t chunk;
+ u_int16_t dh_enc;
+
+ SIG(IKE_UP_FAILED, "received inacceptable DH group (%N)",
+ diffie_hellman_group_names, this->dh_group);
+ this->dh_group = this->connection->get_dh_group(this->connection);
+ dh_enc = htons(this->dh_group);
+ chunk.ptr = (u_int8_t*)&dh_enc;
+ chunk.len = sizeof(dh_enc);
+ message->add_notify(message, TRUE, INVALID_KE_PAYLOAD, chunk);
+ DBG1(DBG_IKE, "requesting DH group %N",
+ diffie_hellman_group_names, this->dh_group);
+ return FAILED;
+ }
+
+
+ if (this->old_sa)
+ {
+ ike_sa_id_t *id;
+ prf_t *prf, *child_prf;
+
+ /* Apply SPI if we are rekeying */
+ id = this->ike_sa->get_id(this->ike_sa);
+ id->set_initiator_spi(id, this->proposal->get_spi(this->proposal));
+
+ /* setup crypto keys for the rekeyed SA */
+ prf = this->old_sa->get_prf(this->old_sa);
+ child_prf = this->old_sa->get_child_prf(this->old_sa);
+ status = this->ike_sa->derive_keys(this->ike_sa, this->proposal, secret,
+ this->other_nonce, this->my_nonce,
+ FALSE, child_prf, prf);
+ }
+ else
+ {
+ /* setup crypto keys */
+ status = this->ike_sa->derive_keys(this->ike_sa, this->proposal, secret,
+ this->other_nonce, this->my_nonce,
+ FALSE, NULL, NULL);
+ }
+ if (status != SUCCESS)
+ {
+ SIG(IKE_UP_FAILED, "key derivation failed");
+ message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return FAILED;
+ }
+
+ build_payloads(this, message);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_init_t *this, message_t *message)
+{
+ chunk_t secret;
+ status_t status;
+ iterator_t *iterator;
+ payload_t *payload;
+
+ /* check for erronous notifies */
+ iterator = message->get_payload_iterator(message);
+ while (iterator->iterate(iterator, (void**)&payload))
+ {
+ if (payload->get_type(payload) == NOTIFY)
+ {
+ notify_payload_t *notify = (notify_payload_t*)payload;
+ notify_type_t type = notify->get_notify_type(notify);
+
+ switch (type)
+ {
+ case INVALID_KE_PAYLOAD:
+ {
+ chunk_t data;
+ diffie_hellman_group_t old_dh_group;
+
+ old_dh_group = this->dh_group;
+ data = notify->get_notification_data(notify);
+ this->dh_group = ntohs(*((u_int16_t*)data.ptr));
+
+ DBG1(DBG_IKE, "peer didn't accept DH group %N, it requested"
+ " %N", diffie_hellman_group_names, old_dh_group,
+ diffie_hellman_group_names, this->dh_group);
+ if (!this->connection->check_dh_group(this->connection,
+ this->dh_group))
+ {
+ DBG1(DBG_IKE, "requested DH group %N not acceptable, "
+ "giving up", diffie_hellman_group_names,
+ this->dh_group);
+ iterator->destroy(iterator);
+ return FAILED;
+ }
+
+ this->ike_sa->reset(this->ike_sa);
+
+ iterator->destroy(iterator);
+ return NEED_MORE;
+ }
+ case NAT_DETECTION_SOURCE_IP:
+ case NAT_DETECTION_DESTINATION_IP:
+ /* skip, handled in ike_natd_t */
+ break;
+ case COOKIE:
+ {
+ chunk_free(&this->cookie);
+ this->cookie = chunk_clone(notify->get_notification_data(notify));
+ this->ike_sa->reset(this->ike_sa);
+ iterator->destroy(iterator);
+ DBG1(DBG_IKE, "received %N notify", notify_type_names, type);
+ return NEED_MORE;
+ }
+ default:
+ {
+ if (type < 16383)
+ {
+ SIG(IKE_UP_FAILED, "received %N notify error",
+ notify_type_names, type);
+ iterator->destroy(iterator);
+ return FAILED;
+ }
+ DBG1(DBG_IKE, "received %N notify",
+ notify_type_names, type);
+ break;
+ }
+ }
+ }
+ }
+ iterator->destroy(iterator);
+
+ process_payloads(this, message);
+
+ /* check if we have everything */
+ if (this->proposal == NULL ||
+ this->other_nonce.len == 0 || this->my_nonce.len == 0)
+ {
+ SIG(IKE_UP_FAILED, "peers proposal selection invalid");
+ return FAILED;
+ }
+
+ if (this->diffie_hellman == NULL ||
+ this->diffie_hellman->get_shared_secret(this->diffie_hellman,
+ &secret) != SUCCESS)
+ {
+ SIG(IKE_UP_FAILED, "peers DH group selection invalid");
+ return FAILED;
+ }
+
+ /* Apply SPI if we are rekeying */
+ if (this->old_sa)
+ {
+ ike_sa_id_t *id;
+ prf_t *prf, *child_prf;
+
+ id = this->ike_sa->get_id(this->ike_sa);
+ id->set_responder_spi(id, this->proposal->get_spi(this->proposal));
+
+ /* setup crypto keys for the rekeyed SA */
+ prf = this->old_sa->get_prf(this->old_sa);
+ child_prf = this->old_sa->get_child_prf(this->old_sa);
+ status = this->ike_sa->derive_keys(this->ike_sa, this->proposal, secret,
+ this->my_nonce, this->other_nonce,
+ TRUE, child_prf, prf);
+ }
+ else
+ {
+ /* setup crypto keys for a new SA */
+ status = this->ike_sa->derive_keys(this->ike_sa, this->proposal, secret,
+ this->my_nonce, this->other_nonce,
+ TRUE, NULL, NULL);
+ }
+ if (status != SUCCESS)
+ {
+ SIG(IKE_UP_FAILED, "key derivation failed");
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_init_t *this)
+{
+ return IKE_INIT;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static chunk_t get_lower_nonce(private_ike_init_t *this)
+{
+ if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
+ min(this->my_nonce.len, this->other_nonce.len)) < 0)
+ {
+ return this->my_nonce;
+ }
+ else
+ {
+ return this->other_nonce;
+ }
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa)
+{
+ DESTROY_IF(this->proposal);
+ DESTROY_IF(this->diffie_hellman);
+ chunk_free(&this->other_nonce);
+
+ this->ike_sa = ike_sa;
+ this->proposal = NULL;
+ this->diffie_hellman = diffie_hellman_create(this->dh_group);
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_init_t *this)
+{
+ DESTROY_IF(this->proposal);
+ DESTROY_IF(this->diffie_hellman);
+ chunk_free(&this->my_nonce);
+ chunk_free(&this->other_nonce);
+ chunk_free(&this->cookie);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
+{
+ private_ike_init_t *this = malloc_thing(private_ike_init_t);
+
+ this->public.get_lower_nonce = (chunk_t(*)(ike_init_t*))get_lower_nonce;
+ this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+ this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+ this->public.task.destroy = (void(*)(task_t*))destroy;
+ if (initiator)
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+ }
+ else
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+ }
+
+ this->ike_sa = ike_sa;
+ this->initiator = initiator;
+ this->dh_group = MODP_NONE;
+ this->diffie_hellman = NULL;
+ this->my_nonce = chunk_empty;
+ this->other_nonce = chunk_empty;
+ this->cookie = chunk_empty;
+ this->proposal = NULL;
+ this->connection = NULL;
+ this->old_sa = old_sa;
+ this->retry = 0;
+
+ return &this->public;
+}
diff --git a/src/charon/sa/tasks/ike_init.h b/src/charon/sa/tasks/ike_init.h
new file mode 100644
index 000000000..f60c096e8
--- /dev/null
+++ b/src/charon/sa/tasks/ike_init.h
@@ -0,0 +1,68 @@
+/**
+ * @file ike_init.h
+ *
+ * @brief Interface ike_init_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IKE_INIT_H_
+#define IKE_INIT_H_
+
+typedef struct ike_init_t ike_init_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * @brief Task of type IKE_INIT, creates an IKE_SA without authentication.
+ *
+ * The authentication of is handle in the ike_auth task.
+ *
+ * @b Constructors:
+ * - ike_init_create()
+ *
+ * @ingroup tasks
+ */
+struct ike_init_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+
+ /**
+ * @brief Get the lower of the two nonces, used for rekey collisions.
+ *
+ * @param this calling object
+ * @return lower nonce
+ */
+ chunk_t (*get_lower_nonce) (ike_init_t *this);
+};
+
+/**
+ * @brief Create a new IKE_INIT task.
+ *
+ * @param ike_sa IKE_SA this task works for (new one when rekeying)
+ * @param initiator TRUE if thask is the original initator
+ * @param old_sa old IKE_SA when we are rekeying
+ * @return ike_init task to handle by the task_manager
+ */
+ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa);
+
+#endif /* IKE_INIT_H_ */
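Review bot: The documentation of get_lower_nonce in struct ike_init_t does not say who owns the returned chunk. The implementation in ike_init.c returns `this->my_nonce` or `this->other_nonce` directly, so the caller receives a pointer into the task's own memory, which destroy() frees; the caller must neither free it nor keep it past the task's lifetime. I would extend the comment to `@return lower nonce, internal data, do not free`. It should also state that the comparison is a memcmp over the shorter of the two nonce lengths, so two nonces sharing that prefix are not ordered by length.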
diff --git a/src/charon/sa/tasks/ike_natd.c b/src/charon/sa/tasks/ike_natd.c
new file mode 100644
index 000000000..50b5d652b
--- /dev/null
+++ b/src/charon/sa/tasks/ike_natd.c
@@ -0,0 +1,371 @@
+/**
+ * @file ike_natd.c
+ *
+ * @brief Implementation of the ike_natd task.
+ *
+ */
+
+/*
+ * Copyright (C) 2006-2007 Martin Willi
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_natd.h"
+
+#include <string.h>
+
+#include <daemon.h>
+#include <crypto/hashers/hasher.h>
+#include <encoding/payloads/notify_payload.h>
+
+
+typedef struct private_ike_natd_t private_ike_natd_t;
+
+/**
+ * Private members of a ike_natd_t task.
+ */
+struct private_ike_natd_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_natd_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * Hasher used to build NAT detection hashes
+ */
+ hasher_t *hasher;
+
+ /**
+ * Did we process any NAT detection notifys for a source address?
+ */
+ bool src_seen;
+
+ /**
+ * Did we process any NAT detection notifys for a destination address?
+ */
+ bool dst_seen;
+
+ /**
+ * Have we found a matching source address NAT hash?
+ */
+ bool src_matched;
+
+ /**
+ * Have we found a matching destination address NAT hash?
+ */
+ bool dst_matched;
+};
+
+
+/**
+ * Build NAT detection hash for a host
+ */
+static chunk_t generate_natd_hash(private_ike_natd_t *this,
+ ike_sa_id_t *ike_sa_id, host_t *host)
+{
+ chunk_t natd_chunk, spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk;
+ chunk_t natd_hash;
+ u_int64_t spi_i, spi_r;
+ u_int16_t port;
+
+ /* prepare all requred chunks */
+ spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
+ spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
+ spi_i_chunk.ptr = (void*)&spi_i;
+ spi_i_chunk.len = sizeof(spi_i);
+ spi_r_chunk.ptr = (void*)&spi_r;
+ spi_r_chunk.len = sizeof(spi_r);
+ port = htons(host->get_port(host));
+ port_chunk.ptr = (void*)&port;
+ port_chunk.len = sizeof(port);
+ addr_chunk = host->get_address(host);
+
+ /* natd_hash = SHA1( spi_i | spi_r | address | port ) */
+ natd_chunk = chunk_cat("cccc", spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk);
+ this->hasher->allocate_hash(this->hasher, natd_chunk, &natd_hash);
+ DBG3(DBG_IKE, "natd_chunk %B", &natd_chunk);
+ DBG3(DBG_IKE, "natd_hash %B", &natd_hash);
+
+ chunk_free(&natd_chunk);
+ return natd_hash;
+}
+
+/**
+ * Build a NAT detection notify payload.
+ */
+static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
+ notify_type_t type, host_t *host)
+{
+ chunk_t hash;
+ notify_payload_t *notify;
+ ike_sa_id_t *ike_sa_id;
+
+ ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+ notify = notify_payload_create();
+ notify->set_notify_type(notify, type);
+ hash = generate_natd_hash(this, ike_sa_id, host);
+ notify->set_notification_data(notify, hash);
+ chunk_free(&hash);
+
+ return notify;
+}
+
+/**
+ * read notifys from message and evaluate them
+ */
+static void process_payloads(private_ike_natd_t *this, message_t *message)
+{
+ iterator_t *iterator;
+ payload_t *payload;
+ notify_payload_t *notify;
+ chunk_t hash, src_hash, dst_hash;
+ ike_sa_id_t *ike_sa_id;
+ host_t *me, *other;
+
+ /* Precompute NAT-D hashes for incoming NAT notify comparison */
+ ike_sa_id = message->get_ike_sa_id(message);
+ me = this->ike_sa->get_my_host(this->ike_sa);
+ other = this->ike_sa->get_other_host(this->ike_sa);
+ dst_hash = generate_natd_hash(this, ike_sa_id, me);
+ src_hash = generate_natd_hash(this, ike_sa_id, other);
+
+ DBG3(DBG_IKE, "precalculated src_hash %B", &src_hash);
+ DBG3(DBG_IKE, "precalculated dst_hash %B", &dst_hash);
+
+ iterator = message->get_payload_iterator(message);
+ while (iterator->iterate(iterator, (void**)&payload))
+ {
+ if (payload->get_type(payload) != NOTIFY)
+ {
+ continue;
+ }
+ notify = (notify_payload_t*)payload;
+ switch (notify->get_notify_type(notify))
+ {
+ case NAT_DETECTION_DESTINATION_IP:
+ {
+ this->dst_seen = TRUE;
+ if (!this->dst_matched)
+ {
+ hash = notify->get_notification_data(notify);
+ DBG3(DBG_IKE, "received dst_hash %B", &hash);
+ if (chunk_equals(hash, dst_hash))
+ {
+ this->dst_matched = TRUE;
+ }
+ }
+ break;
+ }
+ case NAT_DETECTION_SOURCE_IP:
+ {
+ this->src_seen = TRUE;
+ if (!this->src_matched)
+ {
+ hash = notify->get_notification_data(notify);
+ DBG3(DBG_IKE, "received src_hash %B", &hash);
+ if (chunk_equals(hash, src_hash))
+ {
+ this->src_matched = TRUE;
+ }
+ }
+ break;
+ }
+ default:
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ chunk_free(&src_hash);
+ chunk_free(&dst_hash);
+
+ if (this->src_seen && this->dst_seen)
+ {
+ if (!this->dst_matched)
+ {
+ this->ike_sa->enable_natt(this->ike_sa, TRUE);
+ }
+ if (!this->src_matched)
+ {
+ this->ike_sa->enable_natt(this->ike_sa, FALSE);
+ }
+ }
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_natd_t *this, message_t *message)
+{
+ process_payloads(this, message);
+
+ if (this->ike_sa->is_natt_enabled(this->ike_sa))
+ {
+ host_t *me, *other;
+
+ me = this->ike_sa->get_my_host(this->ike_sa);
+ me->set_port(me, IKEV2_NATT_PORT);
+ other = this->ike_sa->get_other_host(this->ike_sa);
+ other->set_port(other, IKEV2_NATT_PORT);
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t build_i(private_ike_natd_t *this, message_t *message)
+{
+ notify_payload_t *notify;
+ linked_list_t *list;
+ host_t *host;
+
+ /* include one notify if our address is defined, all addresses otherwise */
+ host = this->ike_sa->get_my_host(this->ike_sa);
+ if (host->is_anyaddr(host))
+ {
+ /* TODO: we could get the src address from netlink!? */
+ list = charon->kernel_interface->create_address_list(charon->kernel_interface);
+ while (list->remove_first(list, (void**)&host) == SUCCESS)
+ {
+ notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
+ host->destroy(host);
+ message->add_payload(message, (payload_t*)notify);
+ }
+ list->destroy(list);
+ }
+ else
+ {
+ notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
+ message->add_payload(message, (payload_t*)notify);
+ }
+
+ host = this->ike_sa->get_other_host(this->ike_sa);
+ notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, host);
+ message->add_payload(message, (payload_t*)notify);
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_natd_t *this, message_t *message)
+{
+ notify_payload_t *notify;
+ host_t *me, *other;
+
+ /* only add notifies on successfull responses. */
+ if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
+ {
+ return SUCCESS;
+ }
+
+ if (this->src_seen && this->dst_seen)
+ {
+ /* initiator seems to support NAT detection, add response */
+ me = this->ike_sa->get_my_host(this->ike_sa);
+ notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, me);
+ message->add_payload(message, (payload_t*)notify);
+
+ other = this->ike_sa->get_other_host(this->ike_sa);
+ notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, other);
+ message->add_payload(message, (payload_t*)notify);
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for responder
+ */
+static status_t process_r(private_ike_natd_t *this, message_t *message)
+{
+ process_payloads(this, message);
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_natd_t *this)
+{
+ return IKE_NATD;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_natd_t *this, ike_sa_t *ike_sa)
+{
+ this->ike_sa = ike_sa;
+ this->src_seen = FALSE;
+ this->dst_seen = FALSE;
+ this->src_matched = FALSE;
+ this->dst_matched = FALSE;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_natd_t *this)
+{
+ this->hasher->destroy(this->hasher);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_natd_t *this = malloc_thing(private_ike_natd_t);
+
+ this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+ this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+ this->public.task.destroy = (void(*)(task_t*))destroy;
+
+ if (initiator)
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+ }
+ else
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+ }
+
+ this->ike_sa = ike_sa;
+ this->initiator = initiator;
+ this->hasher = hasher_create(HASH_SHA1);
+ this->src_seen = FALSE;
+ this->dst_seen = FALSE;
+ this->src_matched = FALSE;
+ this->dst_matched = FALSE;
+
+ return &this->public;
+}
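Review bot: In build_i's any-address branch, each host from create_address_list is passed to build_natd_payload unchanged, and generate_natd_hash mixes `host->get_port(host)` into the digest. If those hosts do not carry the IKE source port (the kernel interface is not visible here, so this needs confirming), every NAT_DETECTION_SOURCE_IP hash sent will differ from the one the responder computes from the packet's real source, and NAT traversal will be enabled even when no NAT is present. Setting the port before hashing would remove the dependency, for example keeping the get_my_host value as `me` and calling `host->set_port(host, me->get_port(me));` inside the loop, provided `me` itself carries the right port. A comment on generate_natd_hash saying that the port is part of the hashed data would help the next reader.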
diff --git a/src/charon/sa/tasks/ike_natd.h b/src/charon/sa/tasks/ike_natd.h
new file mode 100644
index 000000000..8d0cb58b4
--- /dev/null
+++ b/src/charon/sa/tasks/ike_natd.h
@@ -0,0 +1,57 @@
+/**
+ * @file ike_natd.h
+ *
+ * @brief Interface ike_natd_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IKE_NATD_H_
+#define IKE_NATD_H_
+
+typedef struct ike_natd_t ike_natd_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * @brief Task of type ike_natd, detects NAT situation in IKE_SA_INIT exchange.
+ *
+ * @b Constructors:
+ * - ike_natd_create()
+ *
+ * @ingroup tasks
+ */
+struct ike_natd_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * @brief Create a new ike_natd task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE if thask is the original initator
+ * @return ike_natd task to handle by the task_manager
+ */
+ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /* IKE_NATD_H_ */
diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c
new file mode 100644
index 000000000..a33e7ee34
--- /dev/null
+++ b/src/charon/sa/tasks/ike_rekey.c
@@ -0,0 +1,329 @@
+/**
+ * @file ike_rekey.c
+ *
+ * @brief Implementation of the ike_rekey task.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_rekey.h"
+
+#include <daemon.h>
+#include <encoding/payloads/notify_payload.h>
+#include <sa/tasks/ike_init.h>
+#include <queues/jobs/delete_ike_sa_job.h>
+#include <queues/jobs/rekey_ike_sa_job.h>
+
+
+typedef struct private_ike_rekey_t private_ike_rekey_t;
+
+/**
+ * Private members of a ike_rekey_t task.
+ */
+struct private_ike_rekey_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_rekey_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * New IKE_SA which replaces the current one
+ */
+ ike_sa_t *new_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * the IKE_INIT task which is reused to simplify rekeying
+ */
+ ike_init_t *ike_init;
+
+ /**
+ * colliding task detected by the task manager
+ */
+ task_t *collision;
+};
+
+/**
+ * Implementation of task_t.build for initiator
+ */
+static status_t build_i(private_ike_rekey_t *this, message_t *message)
+{
+ connection_t *connection;
+ policy_t *policy;
+
+ this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+ TRUE);
+
+ connection = this->ike_sa->get_connection(this->ike_sa);
+ policy = this->ike_sa->get_policy(this->ike_sa);
+ this->new_sa->set_connection(this->new_sa, connection);
+ this->new_sa->set_policy(this->new_sa, policy);
+
+ this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa);
+ this->ike_init->task.build(&this->ike_init->task, message);
+
+ this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_r(private_ike_rekey_t *this, message_t *message)
+{
+ connection_t *connection;
+ policy_t *policy;
+ iterator_t *iterator;
+ child_sa_t *child_sa;
+
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
+ {
+ DBG1(DBG_IKE, "peer initiated rekeying, but we are deleting");
+ return NEED_MORE;
+ }
+
+ iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
+ while (iterator->iterate(iterator, (void**)&child_sa))
+ {
+ switch (child_sa->get_state(child_sa))
+ {
+ case CHILD_CREATED:
+ case CHILD_REKEYING:
+ case CHILD_DELETING:
+ /* we do not allow rekeying while we have children in-progress */
+ DBG1(DBG_IKE, "peer initiated rekeying, but a child is half-open");
+ iterator->destroy(iterator);
+ return NEED_MORE;
+ default:
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+ FALSE);
+
+ connection = this->ike_sa->get_connection(this->ike_sa);
+ policy = this->ike_sa->get_policy(this->ike_sa);
+ this->new_sa->set_connection(this->new_sa, connection);
+ this->new_sa->set_policy(this->new_sa, policy);
+
+ this->ike_init = ike_init_create(this->new_sa, FALSE, this->ike_sa);
+ this->ike_init->task.process(&this->ike_init->task, message);
+
+ return NEED_MORE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_rekey_t *this, message_t *message)
+{
+ if (this->new_sa == NULL)
+ {
+ /* IKE_SA/a CHILD_SA is in an inacceptable state, deny rekeying */
+ message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return SUCCESS;
+ }
+
+ if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED)
+ {
+ return SUCCESS;
+ }
+
+ this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
+ this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.process for initiator
+ */
+static status_t process_i(private_ike_rekey_t *this, message_t *message)
+{
+ job_t *job;
+ ike_sa_id_t *to_delete;
+
+ if (this->ike_init->task.process(&this->ike_init->task, message) == FAILED)
+ {
+ /* rekeying failed, fallback to old SA */
+ if (!(this->collision &&
+ this->collision->get_type(this->collision) == IKE_DELETE))
+ {
+ job_t *job;
+ u_int32_t retry = charon->configuration->get_retry_interval(
+ charon->configuration);
+ job = (job_t*)rekey_ike_sa_job_create(
+ this->ike_sa->get_id(this->ike_sa), FALSE);
+ DBG1(DBG_IKE, "IKE_SA rekeying failed, "
+ "trying again in %d seconds", retry);
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ charon->event_queue->add_relative(charon->event_queue, job, retry * 1000);
+ }
+ return SUCCESS;
+ }
+
+ this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
+ to_delete = this->ike_sa->get_id(this->ike_sa);
+
+ /* check for collisions */
+ if (this->collision &&
+ this->collision->get_type(this->collision) == IKE_REKEY)
+ {
+ chunk_t this_nonce, other_nonce;
+ host_t *host;
+ private_ike_rekey_t *other = (private_ike_rekey_t*)this->collision;
+
+ this_nonce = this->ike_init->get_lower_nonce(this->ike_init);
+ other_nonce = other->ike_init->get_lower_nonce(other->ike_init);
+
+ /* if we have the lower nonce, delete rekeyed SA. If not, delete
+ * the redundant. */
+ if (memcmp(this_nonce.ptr, other_nonce.ptr,
+ min(this_nonce.len, other_nonce.len)) < 0)
+ {
+ DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA");
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA");
+ /* apply host for a proper delete */
+ host = this->ike_sa->get_my_host(this->ike_sa);
+ this->new_sa->set_my_host(this->new_sa, host->clone(host));
+ host = this->ike_sa->get_other_host(this->ike_sa);
+ this->new_sa->set_other_host(this->new_sa, host->clone(host));
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ to_delete = this->new_sa->get_id(this->new_sa);
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
+ /* inherit to other->new_sa in destroy() */
+ this->new_sa = other->new_sa;
+ other->new_sa = NULL;
+ }
+ }
+
+ job = (job_t*)delete_ike_sa_job_create(to_delete, TRUE);
+ charon->job_queue->add(charon->job_queue, job);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of task_t.get_type
+ */
+static task_type_t get_type(private_ike_rekey_t *this)
+{
+ return IKE_REKEY;
+}
+
+static void collide(private_ike_rekey_t* this, task_t *other)
+{
+ DESTROY_IF(this->collision);
+ this->collision = other;
+}
+
+/**
+ * Implementation of task_t.migrate
+ */
+static void migrate(private_ike_rekey_t *this, ike_sa_t *ike_sa)
+{
+ if (this->ike_init)
+ {
+ this->ike_init->task.destroy(&this->ike_init->task);
+ }
+ if (this->new_sa)
+ {
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+ this->new_sa);
+ }
+ DESTROY_IF(this->collision);
+
+ this->collision = NULL;
+ this->ike_sa = ike_sa;
+ this->new_sa = NULL;
+ this->ike_init = NULL;
+}
+
+/**
+ * Implementation of task_t.destroy
+ */
+static void destroy(private_ike_rekey_t *this)
+{
+ if (this->new_sa)
+ {
+ if (this->new_sa->get_state(this->new_sa) == IKE_ESTABLISHED &&
+ this->new_sa->inherit(this->new_sa, this->ike_sa) != DESTROY_ME)
+ {
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+ this->new_sa);
+ }
+ }
+ if (this->ike_init)
+ {
+ this->ike_init->task.destroy(&this->ike_init->task);
+ }
+ DESTROY_IF(this->collision);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_rekey_t *this = malloc_thing(private_ike_rekey_t);
+
+ this->public.collide = (void(*)(ike_rekey_t*,task_t*))collide;
+ this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
+ this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
+ this->public.task.destroy = (void(*)(task_t*))destroy;
+ if (initiator)
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
+ }
+ else
+ {
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
+ }
+
+ this->ike_sa = ike_sa;
+ this->new_sa = NULL;
+ this->ike_init = NULL;
+ this->initiator = initiator;
+ this->collision = NULL;
+
+ return &this->public;
+}
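Review bot: In the collision branch of process_i, `other->ike_init->get_lower_nonce(other->ike_init)` dereferences the colliding task's ike_init without a check. process_r in this file returns NEED_MORE before ike_init_create is reached when the IKE_SA is in IKE_DELETING or a child is in CHILD_CREATED, CHILD_REKEYING or CHILD_DELETING, which leaves ike_init NULL. If the task manager hands such a task to collide() (not visible here), a peer rekey request arriving at the wrong moment ends in a NULL pointer dereference in the daemon. I would extend the condition to `if (this->collision && this->collision->get_type(this->collision) == IKE_REKEY && ((private_ike_rekey_t*)this->collision)->ike_init)` so that a peer rekey we refused is treated as no collision.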
diff --git a/src/charon/sa/tasks/ike_rekey.h b/src/charon/sa/tasks/ike_rekey.h
new file mode 100644
index 000000000..125422efd
--- /dev/null
+++ b/src/charon/sa/tasks/ike_rekey.h
@@ -0,0 +1,69 @@
+/**
+ * @file ike_rekey.h
+ *
+ * @brief Interface ike_rekey_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IKE_REKEY_H_
+#define IKE_REKEY_H_
+
+typedef struct ike_rekey_t ike_rekey_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/tasks/task.h>
+
+/**
+ * @brief Task of type IKE_REKEY, rekey an established IKE_SA.
+ *
+ * @b Constructors:
+ * - ike_rekey_create()
+ *
+ * @ingroup tasks
+ */
+struct ike_rekey_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+
+ /**
+ * @brief Register a rekeying task which collides with this one.
+ *
+ * If two peers initiate rekeying at the same time, the collision must
+ * be handled gracefully. The task manager is aware of what exchanges
+ * are going on and notifies the outgoing task by passing the incoming.
+ *
+ * @param this task initated by us
+ * @param other incoming task
+ */
+ void (*collide)(ike_rekey_t* this, task_t *other);
+};
+
+/**
+ * @brief Create a new IKE_REKEY task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE for initiator, FALSE for responder
+ * @return IKE_REKEY task to handle by the task_manager
+ */
+ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /* IKE_REKEY_H_ */
diff --git a/src/charon/sa/tasks/task.c b/src/charon/sa/tasks/task.c
new file mode 100644
index 000000000..68d8ebf0c
--- /dev/null
+++ b/src/charon/sa/tasks/task.c
@@ -0,0 +1,38 @@
+/**
+ * @file task.c
+ *
+ * @brief Enum values for task types
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "task.h"
+
+ENUM(task_type_names, IKE_INIT, CHILD_REKEY,
+ "IKE_INIT",
+ "IKE_NATD",
+ "IKE_AUTHENTICATE",
+ "IKE_CERT",
+ "IKE_CONFIG",
+ "IKE_DPD",
+ "IKE_REKEY",
+ "IKE_DELETE",
+ "IKE_DEADPEER",
+ "CHILD_CREATE",
+ "CHILD_DELETE",
+ "CHILD_REKEY",
+);
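Review bot: The strings `"IKE_DPD"` and `"IKE_DEADPEER"` are in swapped positions relative to enum task_type_t in task.h, where IKE_DEADPEER is the sixth value and IKE_DPD the ninth. Any log line that prints a task type through task_type_names will therefore name one DPD task as the other, which misleads whoever reads the log while diagnosing a dead-peer or liveness problem. Put `"IKE_DEADPEER",` in sixth place and `"IKE_DPD",` in ninth so the list follows the enum order. A comment above the ENUM stating that the order must match task_type_t would keep the two from drifting again.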
diff --git a/src/charon/sa/tasks/task.h b/src/charon/sa/tasks/task.h
new file mode 100644
index 000000000..128d7db4a
--- /dev/null
+++ b/src/charon/sa/tasks/task.h
@@ -0,0 +1,151 @@
+/**
+ * @file task.h
+ *
+ * @brief Interface task_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef TASK_H_
+#define TASK_H_
+
+typedef enum task_type_t task_type_t;
+typedef struct task_t task_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <encoding/message.h>
+
+/**
+ * @brief Different kinds of tasks.
+ *
+ * @ingroup tasks
+ */
+enum task_type_t {
+ /** establish an unauthenticated IKE_SA */
+ IKE_INIT,
+ /** detect NAT situation */
+ IKE_NATD,
+ /** authenticate the initiated IKE_SA */
+ IKE_AUTHENTICATE,
+ /** exchange certificates and requests */
+ IKE_CERT,
+ /** Configuration payloads, virtual IP and such */
+ IKE_CONFIG,
+ /** DPD detection */
+ IKE_DEADPEER,
+ /** rekey an IKE_SA */
+ IKE_REKEY,
+ /** delete an IKE_SA */
+ IKE_DELETE,
+ /** liveness check */
+ IKE_DPD,
+ /** establish a CHILD_SA within an IKE_SA */
+ CHILD_CREATE,
+ /** delete an established CHILD_SA */
+ CHILD_DELETE,
+ /** rekey an CHILD_SA */
+ CHILD_REKEY,
+};
+
+/**
+ * enum names for task_type_t.
+ */
+extern enum_name_t *task_type_names;
+
+/**
+ * @brief Interface for a task, an operation handled within exchanges.
+ *
+ * A task is an elemantary operation. It may be handled by a single or by
+ * multiple exchanges. An exchange may even complete multiple tasks.
+ * A task has a build() and an process() operation. The build() operation
+ * creates payloads and adds it to the message. The process() operation
+ * inspects a message and handles its payloads. An initiator of an exchange
+ * first calls build() to build the request, and processes the response message
+ * with the process() method.
+ * A responder does the opposite; it calls process() first to handle an incoming
+ * request and secondly calls build() to build an appropriate response.
+ * Both methods return either SUCCESS, NEED_MORE or FAILED. A SUCCESS indicates
+ * that the task completed, even when the task completed unsuccesfully. The
+ * manager then removes the task from the list. A NEED_MORE is returned when
+ * the task needs further build()/process() calls to complete, the manager
+ * leaves the taks in the queue. A returned FAILED indicates a critical failure.
+ * The manager closes the IKE_SA whenever a task returns FAILED.
+ *
+ * @b Constructors:
+ * - None, use implementations specific constructors
+ *
+ * @ingroup tasks
+ */
+struct task_t {
+
+ /**
+ * @brief Build a request or response message for this task.
+ *
+ * @param this calling object
+ * @param message message to add payloads to
+ * @return
+ * - FAILED if a critical error occured
+ * - NEED_MORE if another call to build/process needed
+ * - SUCCESS if task completed
+ */
+ status_t (*build) (task_t *this, message_t *message);
+
+ /**
+ * @brief Process a request or response message for this task.
+ *
+ * @param this calling object
+ * @param message message to read payloads from
+ * @return
+ * - FAILED if a critical error occured
+ * - NEED_MORE if another call to build/process needed
+ * - SUCCESS if task completed
+ */
+ status_t (*process) (task_t *this, message_t *message);
+
+ /**
+ * @brief Get the type of the task implementation.
+ *
+ * @param this calling object
+ */
+ task_type_t (*get_type) (task_t *this);
+
+ /**
+ * @brief Migrate a task to a new IKE_SA.
+ *
+ * After migrating a task, it goes back to a state where it can be
+ * used again to initate an exchange. This is useful when a task
+ * has to get migrated to a new IKE_SA.
+ * A special usage is when a INVALID_KE_PAYLOAD is received. A call
+ * to reset resets the task, but uses another DH group for the next
+ * try.
+ * The ike_sa is the new IKE_SA this task belongs to and operates on.
+ *
+ * @param this calling object
+ * @param ike_sa new IKE_SA this task works for
+ */
+ void (*migrate) (task_t *this, ike_sa_t *ike_sa);
+
+ /**
+ * @brief Destroys a task_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (task_t *this);
+};
+
+#endif /* TASK_H_ */
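Review bot: The doc comment on `migrate` describes the INVALID_KE_PAYLOAD case as "A call to reset resets the task", but `task_t` declares no `reset` member, so an implementer cannot tell which call is meant to trigger the retry with another DH group. If `migrate` is that call, the sentence should say so, e.g. `A call to migrate() resets the task, but uses another DH group for the next try.` The `get_type` comment also lacks a `@return` line, unlike `build` and `process`; something like `@return type of this task, a task_type_t value` would complete it. In the enum, `IKE_DEADPEER` ("DPD detection") and `IKE_DPD` ("liveness check") are documented too similarly to tell apart, and a sentence on each stating what the task does would make the distinction clear.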
diff --git a/src/charon/threads/kernel_interface.c b/src/charon/threads/kernel_interface.c
new file mode 100644
index 000000000..4a70d2ecf
--- /dev/null
+++ b/src/charon/threads/kernel_interface.c
@@ -0,0 +1,1964 @@
+/**
+ * @file kernel_interface.c
+ *
+ * @brief Implementation of kernel_interface_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2003 Herbert Xu.
+ *
+ * Based on xfrm code from pluto.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#include <linux/xfrm.h>
+#include <linux/udp.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <net/if.h>
+#include <sys/ioctl.h>
+
+#include "kernel_interface.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <queues/jobs/delete_child_sa_job.h>
+#include <queues/jobs/rekey_child_sa_job.h>
+#include <queues/jobs/acquire_job.h>
+
+/** kernel level protocol identifiers */
+#define KERNEL_ESP 50
+#define KERNEL_AH 51
+
+/** default priority of installed policies */
+#define PRIO_LOW 3000
+#define PRIO_HIGH 2000
+
+#define BUFFER_SIZE 1024
+
+/**
+ * returns a pointer to the first rtattr following the nlmsghdr *nlh and the
+ * 'usual' netlink data x like 'struct xfrm_usersa_info'
+ */
+#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x))))
+/**
+ * returns a pointer to the next rtattr following rta.
+ * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!!
+ */
+#define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len)))
+/**
+ * returns the total size of attached rta data
+ * (after 'usual' netlink data x like 'struct xfrm_usersa_info')
+ */
+#define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x))
+
+typedef struct kernel_algorithm_t kernel_algorithm_t;
+
+/**
+ * Mapping from the algorithms defined in IKEv2 to
+ * kernel level algorithm names and their key length
+ */
+struct kernel_algorithm_t {
+ /**
+ * Identifier specified in IKEv2
+ */
+ int ikev2_id;
+
+ /**
+ * Name of the algorithm, as used as kernel identifier
+ */
+ char *name;
+
+ /**
+ * Key length in bits, if fixed size
+ */
+ u_int key_size;
+};
+#define END_OF_LIST -1
+
+/**
+ * Algorithms for encryption
+ */
+kernel_algorithm_t encryption_algs[] = {
+/* {ENCR_DES_IV64, "***", 0}, */
+ {ENCR_DES, "des", 64},
+ {ENCR_3DES, "des3_ede", 192},
+/* {ENCR_RC5, "***", 0}, */
+/* {ENCR_IDEA, "***", 0}, */
+ {ENCR_CAST, "cast128", 0},
+ {ENCR_BLOWFISH, "blowfish", 0},
+/* {ENCR_3IDEA, "***", 0}, */
+/* {ENCR_DES_IV32, "***", 0}, */
+ {ENCR_NULL, "cipher_null", 0},
+ {ENCR_AES_CBC, "aes", 0},
+/* {ENCR_AES_CTR, "***", 0}, */
+ {END_OF_LIST, NULL, 0},
+};
+
+/**
+ * Algorithms for integrity protection
+ */
+kernel_algorithm_t integrity_algs[] = {
+ {AUTH_HMAC_MD5_96, "md5", 128},
+ {AUTH_HMAC_SHA1_96, "sha1", 160},
+ {AUTH_HMAC_SHA2_256_128, "sha256", 256},
+ {AUTH_HMAC_SHA2_384_192, "sha384", 384},
+ {AUTH_HMAC_SHA2_512_256, "sha512", 512},
+/* {AUTH_DES_MAC, "***", 0}, */
+/* {AUTH_KPDK_MD5, "***", 0}, */
+/* {AUTH_AES_XCBC_96, "***", 0}, */
+ {END_OF_LIST, NULL, 0},
+};
+
+/**
+ * Look up a kernel algorithm name and its key size
+ */
+char* lookup_algorithm(kernel_algorithm_t *kernel_algo,
+ algorithm_t *ikev2_algo, u_int *key_size)
+{
+ while (kernel_algo->ikev2_id != END_OF_LIST)
+ {
+ if (ikev2_algo->algorithm == kernel_algo->ikev2_id)
+ {
+ /* match, evaluate key length */
+ if (ikev2_algo->key_size)
+ { /* variable length */
+ *key_size = ikev2_algo->key_size;
+ }
+ else
+ { /* fixed length */
+ *key_size = kernel_algo->key_size;
+ }
+ return kernel_algo->name;
+ }
+ kernel_algo++;
+ }
+ return NULL;
+}
+
+typedef struct route_entry_t route_entry_t;
+
+/**
+ * installed routing entry
+ */
+struct route_entry_t {
+
+ /** Index of the interface the route is bound to */
+ int if_index;
+
+ /** Source ip of the route */
+ host_t *src_ip;
+
+ /** Destination net */
+ chunk_t dst_net;
+
+ /** Destination net prefixlen */
+ u_int8_t prefixlen;
+};
+
+/**
+ * destroy an route_entry_t object
+ */
+static void route_entry_destroy(route_entry_t *this)
+{
+ this->src_ip->destroy(this->src_ip);
+ chunk_free(&this->dst_net);
+ free(this);
+}
+
+typedef struct policy_entry_t policy_entry_t;
+
+/**
+ * installed kernel policy.
+ */
+struct policy_entry_t {
+
+ /** direction of this policy: in, out, forward */
+ u_int8_t direction;
+
+ /** reqid of the policy */
+ u_int32_t reqid;
+
+ /** parameters of installed policy */
+ struct xfrm_selector sel;
+
+ /** associated route installed for this policy */
+ route_entry_t *route;
+
+ /** by how many CHILD_SA's this policy is used */
+ u_int refcount;
+};
+
+typedef struct vip_entry_t vip_entry_t;
+
+/**
+ * Installed virtual ip
+ */
+struct vip_entry_t {
+ /** Index of the interface the ip is bound to */
+ u_int8_t if_index;
+
+ /** The ip address */
+ host_t *ip;
+
+ /** Number of times this IP is used */
+ u_int refcount;
+};
+
+/**
+ * destroy a vip_entry_t object
+ */
+static void vip_entry_destroy(vip_entry_t *this)
+{
+ this->ip->destroy(this->ip);
+ free(this);
+}
+
+typedef struct address_entry_t address_entry_t;
+
+/**
+ * an address found on the system, containg address and interface info
+ */
+struct address_entry_t {
+
+ /** address of this entry */
+ host_t *host;
+
+ /** interface index */
+ int ifindex;
+
+ /** name of the index */
+ char ifname[IFNAMSIZ];
+};
+
+/**
+ * destroy an address entry
+ */
+static void address_entry_destroy(address_entry_t *this)
+{
+ this->host->destroy(this->host);
+ free(this);
+}
+
+typedef struct private_kernel_interface_t private_kernel_interface_t;
+
+/**
+ * Private variables and functions of kernel_interface class.
+ */
+struct private_kernel_interface_t {
+ /**
+ * Public part of the kernel_interface_t object.
+ */
+ kernel_interface_t public;
+
+ /**
+ * List of installed policies (kernel_entry_t)
+ */
+ linked_list_t *policies;
+
+ /**
+ * Mutex locks access to policies
+ */
+ pthread_mutex_t policies_mutex;
+
+ /**
+ * List of installed virtual IPs. (vip_entry_t)
+ */
+ linked_list_t *vips;
+
+ /**
+ * Mutex to lock access to vips.
+ */
+ pthread_mutex_t vips_mutex;
+
+ /**
+ * netlink xfrm socket to receive acquire and expire events
+ */
+ int socket_xfrm_events;
+
+ /**
+ * Netlink xfrm socket (IPsec)
+ */
+ int socket_xfrm;
+
+ /**
+ * Netlink rt socket (routing)
+ */
+ int socket_rt;
+
+ /**
+ * Thread receiving events from kernel
+ */
+ pthread_t event_thread;
+};
+
+/**
+ * convert a host_t to a struct xfrm_address
+ */
+static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
+{
+ chunk_t chunk = host->get_address(host);
+ memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
+}
+
+/**
+ * convert a traffic selector address range to subnet and its mask.
+ */
+static void ts2subnet(traffic_selector_t* ts,
+ xfrm_address_t *net, u_int8_t *mask)
+{
+ /* there is no way to do this cleanly, as the address range may
+ * be anything else but a subnet. We use from_addr as subnet
+ * and try to calculate a usable subnet mask.
+ */
+ int byte, bit;
+ bool found = FALSE;
+ chunk_t from, to;
+ size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+
+ from = ts->get_from_address(ts);
+ to = ts->get_to_address(ts);
+
+ *mask = (size * 8);
+ /* go trough all bits of the addresses, beginning in the front.
+ * as long as they are equal, the subnet gets larger
+ */
+ for (byte = 0; byte < size; byte++)
+ {
+ for (bit = 7; bit >= 0; bit--)
+ {
+ if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte]))
+ {
+ *mask = ((7 - bit) + (byte * 8));
+ found = TRUE;
+ break;
+ }
+ }
+ if (found)
+ {
+ break;
+ }
+ }
+ memcpy(net, from.ptr, from.len);
+ chunk_free(&from);
+ chunk_free(&to);
+}
+
+/**
+ * convert a traffic selector port range to port/portmask
+ */
+static void ts2ports(traffic_selector_t* ts,
+ u_int16_t *port, u_int16_t *mask)
+{
+ /* linux does not seem to accept complex portmasks. Only
+ * any or a specific port is allowed. We set to any, if we have
+ * a port range, or to a specific, if we have one port only.
+ */
+ u_int16_t from, to;
+
+ from = ts->get_from_port(ts);
+ to = ts->get_to_port(ts);
+
+ if (from == to)
+ {
+ *port = htons(from);
+ *mask = ~0;
+ }
+ else
+ {
+ *port = 0;
+ *mask = 0;
+ }
+}
+
+/**
+ * convert a pair of traffic_selectors to a xfrm_selector
+ */
+static struct xfrm_selector ts2selector(traffic_selector_t *src,
+ traffic_selector_t *dst)
+{
+ struct xfrm_selector sel;
+
+ memset(&sel, 0, sizeof(sel));
+ sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
+ /* src or dest proto may be "any" (0), use more restrictive one */
+ sel.proto = max(src->get_protocol(src), dst->get_protocol(dst));
+ ts2subnet(dst, &sel.daddr, &sel.prefixlen_d);
+ ts2subnet(src, &sel.saddr, &sel.prefixlen_s);
+ ts2ports(dst, &sel.dport, &sel.dport_mask);
+ ts2ports(src, &sel.sport, &sel.sport_mask);
+ sel.ifindex = 0;
+ sel.user = 0;
+
+ return sel;
+}
+
+/**
+ * Creates an rtattr and adds it to the netlink message
+ */
+static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data,
+ size_t buflen)
+{
+ struct rtattr *rta;
+
+ if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen)
+ {
+ DBG1(DBG_KNL, "unable to add attribute, buffer too small");
+ return;
+ }
+
+ rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len));
+ rta->rta_type = rta_type;
+ rta->rta_len = RTA_LENGTH(data.len);
+ memcpy(RTA_DATA(rta), data.ptr, data.len);
+ hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len;
+}
+
+/**
+ * Receives events from kernel
+ */
+static void receive_events(private_kernel_interface_t *this)
+{
+ while(TRUE)
+ {
+ unsigned char response[512];
+ struct nlmsghdr *hdr;
+ struct sockaddr_nl addr;
+ socklen_t addr_len = sizeof(addr);
+ int len;
+
+ hdr = (struct nlmsghdr*)response;
+ len = recvfrom(this->socket_xfrm_events, response, sizeof(response),
+ 0, (struct sockaddr*)&addr, &addr_len);
+ if (len < 0)
+ {
+ if (errno == EINTR)
+ {
+ /* interrupted, try again */
+ continue;
+ }
+ charon->kill(charon, "unable to receive netlink events");
+ }
+
+ if (!NLMSG_OK(hdr, len))
+ {
+ /* bad netlink message */
+ continue;
+ }
+
+ if (addr.nl_pid != 0)
+ {
+ /* not from kernel. not interested, try another one */
+ continue;
+ }
+
+ /* we handle ACQUIRE and EXPIRE messages directly */
+ if (hdr->nlmsg_type == XFRM_MSG_ACQUIRE)
+ {
+ u_int32_t reqid = 0;
+ job_t *job;
+ struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire);
+ size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl);
+ if (RTA_OK(rtattr, rtsize))
+ {
+ if (rtattr->rta_type == XFRMA_TMPL)
+ {
+ struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr);
+ reqid = tmpl->reqid;
+ }
+ }
+ if (reqid == 0)
+ {
+ DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found");
+ }
+ else
+ {
+ DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE");
+ DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d",
+ reqid);
+ job = (job_t*)acquire_job_create(reqid);
+ charon->job_queue->add(charon->job_queue, job);
+ }
+ }
+ else if (hdr->nlmsg_type == XFRM_MSG_EXPIRE)
+ {
+ job_t *job;
+ protocol_id_t protocol;
+ u_int32_t spi, reqid;
+ struct xfrm_user_expire *expire;
+
+ expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr);
+ protocol = expire->state.id.proto == KERNEL_ESP ?
+ PROTO_ESP : PROTO_AH;
+ spi = expire->state.id.spi;
+ reqid = expire->state.reqid;
+
+ DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
+ DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)",
+ expire->hard ? "delete" : "rekey", protocol_id_names,
+ protocol, ntohl(spi), reqid);
+ if (expire->hard)
+ {
+ job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi);
+ }
+ else
+ {
+ job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi);
+ }
+ charon->job_queue->add(charon->job_queue, job);
+ }
+ }
+}
+
+/**
+ * send a netlink message and wait for a reply
+ */
+static status_t netlink_send(int socket, struct nlmsghdr *in,
+ struct nlmsghdr **out, size_t *out_len)
+{
+ int len, addr_len;
+ struct sockaddr_nl addr;
+ chunk_t result = chunk_empty, tmp;
+ struct nlmsghdr *msg, peek;
+
+ static int seq = 200;
+ static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+
+ pthread_mutex_lock(&mutex);
+
+ in->nlmsg_seq = ++seq;
+ in->nlmsg_pid = getpid();
+
+ memset(&addr, 0, sizeof(addr));
+ addr.nl_family = AF_NETLINK;
+ addr.nl_pid = 0;
+ addr.nl_groups = 0;
+
+ while (TRUE)
+ {
+ len = sendto(socket, in, in->nlmsg_len, 0,
+ (struct sockaddr*)&addr, sizeof(addr));
+
+ if (len != in->nlmsg_len)
+ {
+ if (errno == EINTR)
+ {
+ /* interrupted, try again */
+ continue;
+ }
+ pthread_mutex_unlock(&mutex);
+ DBG1(DBG_KNL, "error sending to netlink socket: %m");
+ return FAILED;
+ }
+ break;
+ }
+
+ while (TRUE)
+ {
+ char buf[1024];
+ tmp.len = sizeof(buf);
+ tmp.ptr = buf;
+ msg = (struct nlmsghdr*)tmp.ptr;
+
+ memset(&addr, 0, sizeof(addr));
+ addr.nl_family = AF_NETLINK;
+ addr.nl_pid = getpid();
+ addr.nl_groups = 0;
+ addr_len = sizeof(addr);
+
+ len = recvfrom(socket, tmp.ptr, tmp.len, 0,
+ (struct sockaddr*)&addr, &addr_len);
+
+ if (len < 0)
+ {
+ if (errno == EINTR)
+ {
+ DBG1(DBG_IKE, "got interrupted");
+ /* interrupted, try again */
+ continue;
+ }
+ DBG1(DBG_IKE, "error reading from netlink socket: %m");
+ pthread_mutex_unlock(&mutex);
+ return FAILED;
+ }
+ if (!NLMSG_OK(msg, len))
+ {
+ DBG1(DBG_IKE, "received corrupted netlink message");
+ pthread_mutex_unlock(&mutex);
+ return FAILED;
+ }
+ if (msg->nlmsg_seq != seq)
+ {
+ DBG1(DBG_IKE, "received invalid netlink sequence number");
+ if (msg->nlmsg_seq < seq)
+ {
+ continue;
+ }
+ pthread_mutex_unlock(&mutex);
+ return FAILED;
+ }
+
+ tmp.len = len;
+ result = chunk_cata("cc", result, tmp);
+
+ /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
+ * numbers to detect multi header messages */
+ len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT,
+ (struct sockaddr*)&addr, &addr_len);
+
+ if (len == sizeof(peek) && peek.nlmsg_seq == seq)
+ {
+ /* seems to be multipart */
+ continue;
+ }
+ break;
+ }
+
+ *out_len = result.len;
+ *out = (struct nlmsghdr*)clalloc(result.ptr, result.len);
+
+ pthread_mutex_unlock(&mutex);
+
+ return SUCCESS;
+}
+
+/**
+ * send a netlink message and wait for its acknowlegde
+ */
+static status_t netlink_send_ack(int socket, struct nlmsghdr *in)
+{
+ struct nlmsghdr *out, *hdr;
+ size_t len;
+
+ if (netlink_send(socket, in, &out, &len) != SUCCESS)
+ {
+ return FAILED;
+ }
+ hdr = out;
+ while (NLMSG_OK(hdr, len))
+ {
+ switch (hdr->nlmsg_type)
+ {
+ case NLMSG_ERROR:
+ {
+ struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr);
+
+ if (err->error)
+ {
+ DBG1(DBG_KNL, "received netlink error: %s (%d)",
+ strerror(-err->error), -err->error);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+ return SUCCESS;
+ }
+ default:
+ hdr = NLMSG_NEXT(hdr, len);
+ continue;
+ case NLMSG_DONE:
+ break;
+ }
+ break;
+ }
+ DBG1(DBG_KNL, "netlink request not acknowlegded");
+ free(out);
+ return FAILED;
+}
+
+/**
+ * Create a list of local addresses.
+ */
+static linked_list_t *create_address_list(private_kernel_interface_t *this)
+{
+ char request[BUFFER_SIZE];
+ struct nlmsghdr *out, *hdr;
+ struct rtgenmsg *msg;
+ size_t len;
+ linked_list_t *list;
+
+ DBG2(DBG_IKE, "getting local address list");
+
+ list = linked_list_create();
+
+ memset(&request, 0, sizeof(request));
+
+ hdr = (struct nlmsghdr*)&request;
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
+ hdr->nlmsg_type = RTM_GETADDR;
+ hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT;
+ msg = (struct rtgenmsg*)NLMSG_DATA(hdr);
+ msg->rtgen_family = AF_UNSPEC;
+
+ if (netlink_send(this->socket_rt, hdr, &out, &len) == SUCCESS)
+ {
+ hdr = out;
+ while (NLMSG_OK(hdr, len))
+ {
+ switch (hdr->nlmsg_type)
+ {
+ case RTM_NEWADDR:
+ {
+ struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr));
+ struct rtattr *rta = IFA_RTA(msg);
+ size_t rtasize = IFA_PAYLOAD (hdr);
+ host_t *host = NULL;
+ char *name = NULL;
+ chunk_t local = chunk_empty, address = chunk_empty;
+
+ while(RTA_OK(rta, rtasize))
+ {
+ switch (rta->rta_type)
+ {
+ case IFA_LOCAL:
+ local.ptr = RTA_DATA(rta);
+ local.len = RTA_PAYLOAD(rta);
+ break;
+ case IFA_ADDRESS:
+ address.ptr = RTA_DATA(rta);
+ address.len = RTA_PAYLOAD(rta);
+ break;
+ case IFA_LABEL:
+ name = RTA_DATA(rta);
+ break;
+ }
+ rta = RTA_NEXT(rta, rtasize);
+ }
+
+ /* For PPP interfaces, we need the IFA_LOCAL address,
+ * IFA_ADDRESS is the peers address. But IFA_LOCAL is
+ * not included in all cases, so fallback to IFA_ADDRESS. */
+ if (local.ptr)
+ {
+ host = host_create_from_chunk(msg->ifa_family, local, 0);
+ }
+ else if (address.ptr)
+ {
+ host = host_create_from_chunk(msg->ifa_family, address, 0);
+ }
+
+ if (host)
+ {
+ address_entry_t *entry;
+
+ entry = malloc_thing(address_entry_t);
+ entry->host = host;
+ entry->ifindex = msg->ifa_index;
+ if (name)
+ {
+ memcpy(entry->ifname, name, IFNAMSIZ);
+ }
+ else
+ {
+ strcpy(entry->ifname, "(unknown)");
+ }
+ list->insert_last(list, entry);
+ }
+ hdr = NLMSG_NEXT(hdr, len);
+ continue;
+ }
+ default:
+ hdr = NLMSG_NEXT(hdr, len);
+ continue;
+ case NLMSG_DONE:
+ break;
+ }
+ break;
+ }
+ free(out);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "unable to get local address list");
+ }
+
+ return list;
+}
+
+/**
+ * Implements kernel_interface_t.create_address_list.
+ */
+static linked_list_t *create_address_list_public(private_kernel_interface_t *this)
+{
+ linked_list_t *result, *list;
+ address_entry_t *entry;
+
+ result = linked_list_create();
+ list = create_address_list(this);
+ while (list->remove_last(list, (void**)&entry) == SUCCESS)
+ {
+ result->insert_last(result, entry->host);
+ free(entry);
+ }
+ list->destroy(list);
+
+ return result;
+}
+
+/**
+ * implementation of kernel_interface_t.get_interface_name
+ */
+static char *get_interface_name(private_kernel_interface_t *this, host_t* ip)
+{
+ linked_list_t *list;
+ address_entry_t *entry;
+ char *name = NULL;
+
+ DBG2(DBG_IKE, "getting interface name for %H", ip);
+
+ list = create_address_list(this);
+ while (!name && list->remove_last(list, (void**)&entry) == SUCCESS)
+ {
+ if (ip->ip_equals(ip, entry->host))
+ {
+ name = strdup(entry->ifname);
+ }
+ address_entry_destroy(entry);
+ }
+ list->destroy_function(list, (void*)address_entry_destroy);
+
+ if (name)
+ {
+ DBG2(DBG_IKE, "%H is on interface %s", ip, name);
+ }
+ else
+ {
+ DBG2(DBG_IKE, "%H is not a local address", ip);
+ }
+ return name;
+}
+
+/**
+ * Tries to find an ip address of a local interface that is included in the
+ * supplied traffic selector.
+ */
+static status_t get_address_by_ts(private_kernel_interface_t *this,
+ traffic_selector_t *ts, host_t **ip)
+{
+ address_entry_t *entry;
+ host_t *host;
+ int family;
+ linked_list_t *list;
+ bool found = FALSE;
+
+ DBG2(DBG_IKE, "getting a local address in traffic selector %R", ts);
+
+ /* if we have a family which includes localhost, we do not
+ * search for an IP, we use the default */
+ family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
+
+ if (family == AF_INET)
+ {
+ host = host_create_from_string("127.0.0.1", 0);
+ }
+ else
+ {
+ host = host_create_from_string("::1", 0);
+ }
+
+ if (ts->includes(ts, host))
+ {
+ *ip = host_create_any(family);
+ host->destroy(host);
+ DBG2(DBG_IKE, "using host %H", *ip);
+ return SUCCESS;
+ }
+ host->destroy(host);
+
+ list = create_address_list(this);
+ while (!found && list->remove_last(list, (void**)&entry) == SUCCESS)
+ {
+ if (ts->includes(ts, entry->host))
+ {
+ found = TRUE;
+ *ip = entry->host->clone(entry->host);
+ }
+ address_entry_destroy(entry);
+ }
+ list->destroy_function(list, (void*)address_entry_destroy);
+
+ if (!found)
+ {
+ DBG1(DBG_IKE, "no local address found in traffic selector %R", ts);
+ return FAILED;
+ }
+ DBG2(DBG_IKE, "using host %H", *ip);
+ return SUCCESS;
+}
+
+/**
+ * get the interface of a local address
+ */
+static int get_interface_index(private_kernel_interface_t *this, host_t* ip)
+{
+ linked_list_t *list;
+ address_entry_t *entry;
+ int ifindex = 0;
+
+ DBG2(DBG_IKE, "getting iface for %H", ip);
+
+ list = create_address_list(this);
+ while (!ifindex && list->remove_last(list, (void**)&entry) == SUCCESS)
+ {
+ if (ip->ip_equals(ip, entry->host))
+ {
+ ifindex = entry->ifindex;
+ }
+ address_entry_destroy(entry);
+ }
+ list->destroy_function(list, (void*)address_entry_destroy);
+
+ if (ifindex == 0)
+ {
+ DBG1(DBG_IKE, "unable to get interface for %H", ip);
+ }
+ return ifindex;
+}
+
+/**
+ * Manages the creation and deletion of ip addresses on an interface.
+ * By setting the appropriate nlmsg_type, the ip will be set or unset.
+ */
+static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type,
+ int flags, int if_index, host_t *ip)
+{
+ unsigned char request[BUFFER_SIZE];
+ struct nlmsghdr *hdr;
+ struct ifaddrmsg *msg;
+ chunk_t chunk;
+
+ memset(&request, 0, sizeof(request));
+
+ chunk = ip->get_address(ip);
+
+ hdr = (struct nlmsghdr*)request;
+ hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
+ hdr->nlmsg_type = nlmsg_type;
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg));
+
+ msg = (struct ifaddrmsg*)NLMSG_DATA(hdr);
+ msg->ifa_family = ip->get_family(ip);
+ msg->ifa_flags = 0;
+ msg->ifa_prefixlen = 8 * chunk.len;
+ msg->ifa_scope = RT_SCOPE_UNIVERSE;
+ msg->ifa_index = if_index;
+
+ add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
+
+ return netlink_send_ack(this->socket_rt, hdr);
+}
+
+/**
+ * Manages source routes in the routing table.
+ * By setting the appropriate nlmsg_type, the route added or r.
+ */
+static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type,
+ int flags, route_entry_t *route)
+{
+ unsigned char request[BUFFER_SIZE];
+ struct nlmsghdr *hdr;
+ struct rtmsg *msg;
+ chunk_t chunk;
+
+ /* if route is 0.0.0.0/0, we can't install it, as it would
+ * overwrite the default route. Instead, we add two routes:
+ * 0.0.0.0/1 and 128.0.0.0/1
+ * TODO: use metrics instead */
+ if (route->prefixlen == 0)
+ {
+ route_entry_t half;
+ status_t status;
+
+ half.dst_net = chunk_alloca(route->dst_net.len);
+ memset(half.dst_net.ptr, 0, half.dst_net.len);
+ half.src_ip = route->src_ip;
+ half.if_index = route->if_index;
+ half.prefixlen = 1;
+
+ status = manage_srcroute(this, nlmsg_type, flags, &half);
+ half.dst_net.ptr[0] |= 0x80;
+ status = manage_srcroute(this, nlmsg_type, flags, &half);
+ return status;
+ }
+
+ memset(&request, 0, sizeof(request));
+
+ hdr = (struct nlmsghdr*)request;
+ hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags;
+ hdr->nlmsg_type = nlmsg_type;
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
+
+ msg = (struct rtmsg*)NLMSG_DATA(hdr);
+ msg->rtm_family = route->src_ip->get_family(route->src_ip);
+ msg->rtm_dst_len = route->prefixlen;
+ msg->rtm_table = RT_TABLE_MAIN;
+ msg->rtm_protocol = RTPROT_STATIC;
+ msg->rtm_type = RTN_UNICAST;
+ msg->rtm_scope = RT_SCOPE_UNIVERSE;
+
+ add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request));
+ chunk = route->src_ip->get_address(route->src_ip);
+ add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
+ chunk.ptr = (char*)&route->if_index;
+ chunk.len = sizeof(route->if_index);
+ add_attribute(hdr, RTA_OIF, chunk, sizeof(request));
+
+ return netlink_send_ack(this->socket_rt, hdr);
+}
+
+
+/**
+ * Implementation of kernel_interface_t.add_ip.
+ */
+static status_t add_ip(private_kernel_interface_t *this,
+ host_t *virtual_ip, host_t *iface_ip)
+{
+ int targetif;
+ vip_entry_t *listed;
+ iterator_t *iterator;
+
+ DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
+
+ targetif = get_interface_index(this, iface_ip);
+ if (targetif == 0)
+ {
+ DBG1(DBG_KNL, "unable to add virtual IP %H, no iface found for %H",
+ virtual_ip, iface_ip);
+ return FAILED;
+ }
+
+ /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
+ iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex));
+ while (iterator->iterate(iterator, (void**)&listed))
+ {
+ if (listed->if_index == targetif &&
+ virtual_ip->ip_equals(virtual_ip, listed->ip))
+ {
+ listed->refcount++;
+ iterator->destroy(iterator);
+ DBG2(DBG_KNL, "virtual IP %H already added to iface %d reusing it",
+ virtual_ip, targetif);
+ return SUCCESS;
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
+ targetif, virtual_ip) == SUCCESS)
+ {
+ listed = malloc_thing(vip_entry_t);
+ listed->ip = virtual_ip->clone(virtual_ip);
+ listed->if_index = targetif;
+ listed->refcount = 1;
+ this->vips->insert_last(this->vips, listed);
+ DBG2(DBG_KNL, "virtual IP %H added to iface %d",
+ virtual_ip, targetif);
+ return SUCCESS;
+ }
+
+ DBG2(DBG_KNL, "unable to add virtual IP %H to iface %d",
+ virtual_ip, targetif);
+ return FAILED;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_ip.
+ */
+static status_t del_ip(private_kernel_interface_t *this,
+ host_t *virtual_ip, host_t *iface_ip)
+{
+ int targetif;
+ vip_entry_t *listed;
+ iterator_t *iterator;
+
+ DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
+
+ targetif = get_interface_index(this, iface_ip);
+ if (targetif == 0)
+ {
+ DBG1(DBG_KNL, "unable to delete virtual IP %H, no iface found for %H",
+ virtual_ip, iface_ip);
+ return FAILED;
+ }
+
+ /* beware of deadlocks (e.g. send/receive packets while holding the lock) */
+ iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex));
+ while (iterator->iterate(iterator, (void**)&listed))
+ {
+ if (listed->if_index == targetif &&
+ virtual_ip->ip_equals(virtual_ip, listed->ip))
+ {
+ listed->refcount--;
+ if (listed->refcount == 0)
+ {
+ iterator->remove(iterator);
+ vip_entry_destroy(listed);
+ iterator->destroy(iterator);
+ return manage_ipaddr(this, RTM_DELADDR, 0, targetif, virtual_ip);
+ }
+ iterator->destroy(iterator);
+ DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting",
+ virtual_ip);
+ return SUCCESS;
+ }
+ }
+ iterator->destroy(iterator);
+
+ DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip);
+ return FAILED;
+}
+
+/**
+ * Implementation of kernel_interface_t.get_spi.
+ */
+static status_t get_spi(private_kernel_interface_t *this,
+ host_t *src, host_t *dst,
+ protocol_id_t protocol, u_int32_t reqid,
+ u_int32_t *spi)
+{
+ unsigned char request[BUFFER_SIZE];
+ struct nlmsghdr *hdr, *out;
+ struct xfrm_userspi_info *userspi;
+ u_int32_t received_spi = 0;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "getting SPI for reqid %d", reqid);
+
+ hdr = (struct nlmsghdr*)request;
+ hdr->nlmsg_flags = NLM_F_REQUEST;
+ hdr->nlmsg_type = XFRM_MSG_ALLOCSPI;
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info));
+
+ userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr);
+ host2xfrm(src, &userspi->info.saddr);
+ host2xfrm(dst, &userspi->info.id.daddr);
+ userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
+ userspi->info.mode = TRUE; /* tunnel mode */
+ userspi->info.reqid = reqid;
+ userspi->info.family = src->get_family(src);
+ userspi->min = 0xc0000000;
+ userspi->max = 0xcFFFFFFF;
+
+ if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+ {
+ hdr = out;
+ while (NLMSG_OK(hdr, len))
+ {
+ switch (hdr->nlmsg_type)
+ {
+ case XFRM_MSG_NEWSA:
+ {
+ struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr);
+ received_spi = usersa->id.spi;
+ break;
+ }
+ case NLMSG_ERROR:
+ {
+ struct nlmsgerr *err = NLMSG_DATA(hdr);
+
+ DBG1(DBG_KNL, "allocating SPI failed: %s (%d)",
+ strerror(-err->error), -err->error);
+ break;
+ }
+ default:
+ hdr = NLMSG_NEXT(hdr, len);
+ continue;
+ case NLMSG_DONE:
+ break;
+ }
+ break;
+ }
+ free(out);
+ }
+
+ if (received_spi == 0)
+ {
+ DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid);
+ return FAILED;
+ }
+
+ DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", received_spi, reqid);
+
+ *spi = received_spi;
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_sa.
+ */
+static status_t add_sa(private_kernel_interface_t *this,
+ host_t *src, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t reqid,
+ u_int64_t expire_soft, u_int64_t expire_hard,
+ algorithm_t *enc_alg, algorithm_t *int_alg,
+ prf_plus_t *prf_plus, natt_conf_t *natt, mode_t mode,
+ bool replace)
+{
+ unsigned char request[BUFFER_SIZE];
+ char *alg_name;
+ u_int key_size;
+ struct nlmsghdr *hdr;
+ struct xfrm_usersa_info *sa;
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x", spi);
+
+ hdr = (struct nlmsghdr*)request;
+ hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+ hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
+
+ sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
+ host2xfrm(src, &sa->saddr);
+ host2xfrm(dst, &sa->id.daddr);
+ sa->id.spi = spi;
+ sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
+ sa->family = src->get_family(src);
+ sa->mode = mode;
+ sa->replay_window = 32;
+ sa->reqid = reqid;
+ /* we currently do not expire SAs by volume/packet count */
+ sa->lft.soft_byte_limit = XFRM_INF;
+ sa->lft.hard_byte_limit = XFRM_INF;
+ sa->lft.soft_packet_limit = XFRM_INF;
+ sa->lft.hard_packet_limit = XFRM_INF;
+ /* we use lifetimes since added, not since used */
+ sa->lft.soft_add_expires_seconds = expire_soft;
+ sa->lft.hard_add_expires_seconds = expire_hard;
+ sa->lft.soft_use_expires_seconds = 0;
+ sa->lft.hard_use_expires_seconds = 0;
+
+ struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info);
+
+ if (enc_alg->algorithm != ENCR_UNDEFINED)
+ {
+ rthdr->rta_type = XFRMA_ALG_CRYPT;
+ alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size);
+ if (alg_name == NULL)
+ {
+ DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+ encryption_algorithm_names, enc_alg->algorithm);
+ return FAILED;
+ }
+ DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
+ encryption_algorithm_names, enc_alg->algorithm, key_size);
+
+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
+ hdr->nlmsg_len += rthdr->rta_len;
+ if (hdr->nlmsg_len > sizeof(request))
+ {
+ return FAILED;
+ }
+
+ struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+ algo->alg_key_len = key_size;
+ strcpy(algo->alg_name, alg_name);
+ prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
+
+ rthdr = XFRM_RTA_NEXT(rthdr);
+ }
+
+ if (int_alg->algorithm != AUTH_UNDEFINED)
+ {
+ rthdr->rta_type = XFRMA_ALG_AUTH;
+ alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size);
+ if (alg_name == NULL)
+ {
+ DBG1(DBG_KNL, "algorithm %N not supported by kernel!",
+ integrity_algorithm_names, int_alg->algorithm);
+ return FAILED;
+ }
+ DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
+ integrity_algorithm_names, int_alg->algorithm, key_size);
+
+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size);
+ hdr->nlmsg_len += rthdr->rta_len;
+ if (hdr->nlmsg_len > sizeof(request))
+ {
+ return FAILED;
+ }
+
+ struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+ algo->alg_key_len = key_size;
+ strcpy(algo->alg_name, alg_name);
+ prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key);
+
+ rthdr = XFRM_RTA_NEXT(rthdr);
+ }
+
+ /* TODO: add IPComp here */
+
+ if (natt)
+ {
+ rthdr->rta_type = XFRMA_ENCAP;
+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl));
+
+ hdr->nlmsg_len += rthdr->rta_len;
+ if (hdr->nlmsg_len > sizeof(request))
+ {
+ return FAILED;
+ }
+
+ struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr);
+ encap->encap_type = UDP_ENCAP_ESPINUDP;
+ encap->encap_sport = htons(natt->sport);
+ encap->encap_dport = htons(natt->dport);
+ memset(&encap->encap_oa, 0, sizeof (xfrm_address_t));
+ /* encap_oa could probably be derived from the
+ * traffic selectors [rfc4306, p39]. In the netlink kernel implementation
+ * pluto does the same as we do here but it uses encap_oa in the
+ * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates
+ * the kernel ignores it anyway
+ * -> does that mean that NAT-T encap doesn't work in transport mode?
+ * No. The reason the kernel ignores NAT-OA is that it recomputes
+ * (or, rather, just ignores) the checksum. If packets pass
+ * the IPsec checks it marks them "checksum ok" so OA isn't needed. */
+ rthdr = XFRM_RTA_NEXT(rthdr);
+ }
+
+ if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unalbe to add SAD entry with SPI 0x%x", spi);
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.update_sa.
+ */
+static status_t update_sa(private_kernel_interface_t *this,
+ host_t *src, host_t *dst,
+ host_t *new_src, host_t *new_dst,
+ host_diff_t src_changes, host_diff_t dst_changes,
+ u_int32_t spi, protocol_id_t protocol)
+{
+ unsigned char request[BUFFER_SIZE];
+ struct nlmsghdr *hdr, *out = NULL;
+ struct xfrm_usersa_id *sa_id;
+ struct xfrm_usersa_info *sa = NULL;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
+
+ hdr = (struct nlmsghdr*)request;
+ hdr->nlmsg_flags = NLM_F_REQUEST;
+ hdr->nlmsg_type = XFRM_MSG_GETSA;
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+
+ sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+ host2xfrm(dst, &sa_id->daddr);
+ sa_id->spi = spi;
+ sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
+ sa_id->family = dst->get_family(dst);
+
+ if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+ {
+ hdr = out;
+ while (NLMSG_OK(hdr, len))
+ {
+ switch (hdr->nlmsg_type)
+ {
+ case XFRM_MSG_NEWSA:
+ {
+ sa = NLMSG_DATA(hdr);
+ break;
+ }
+ case NLMSG_ERROR:
+ {
+ struct nlmsgerr *err = NLMSG_DATA(hdr);
+ DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
+ strerror(-err->error), -err->error);
+ break;
+ }
+ default:
+ hdr = NLMSG_NEXT(hdr, len);
+ continue;
+ case NLMSG_DONE:
+ break;
+ }
+ break;
+ }
+ }
+ if (sa == NULL)
+ {
+ DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi);
+ free(out);
+ return FAILED;
+ }
+
+ DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x", spi);
+
+ hdr = out;
+ hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+ hdr->nlmsg_type = XFRM_MSG_UPDSA;
+
+ if (src_changes & HOST_DIFF_ADDR)
+ {
+ host2xfrm(new_src, &sa->saddr);
+ }
+
+ if (dst_changes & HOST_DIFF_ADDR)
+ {
+ hdr->nlmsg_type = XFRM_MSG_NEWSA;
+ host2xfrm(new_dst, &sa->id.daddr);
+ }
+
+ if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT)
+ {
+ struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_usersa_info);
+ size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_usersa_info);
+ while (RTA_OK(rtattr, rtsize))
+ {
+ if (rtattr->rta_type == XFRMA_ENCAP)
+ {
+ struct xfrm_encap_tmpl* encap;
+ encap = (struct xfrm_encap_tmpl*)RTA_DATA(rtattr);
+ encap->encap_sport = ntohs(new_src->get_port(new_src));
+ encap->encap_dport = ntohs(new_dst->get_port(new_dst));
+ break;
+ }
+ rtattr = RTA_NEXT(rtattr, rtsize);
+ }
+ }
+ if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unalbe to update SAD entry with SPI 0x%x", spi);
+ free(out);
+ return FAILED;
+ }
+ free(out);
+
+ if (dst_changes & HOST_DIFF_ADDR)
+ {
+ return this->public.del_sa(&this->public, dst, spi, protocol);
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.query_sa.
+ */
+static status_t query_sa(private_kernel_interface_t *this, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol,
+ u_int32_t *use_time)
+{
+ unsigned char request[BUFFER_SIZE];
+ struct nlmsghdr *out = NULL, *hdr;
+ struct xfrm_usersa_id *sa_id;
+ struct xfrm_usersa_info *sa = NULL;
+ size_t len;
+
+ DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi);
+ memset(&request, 0, sizeof(request));
+
+ hdr = (struct nlmsghdr*)request;
+ hdr->nlmsg_flags = NLM_F_REQUEST;
+ hdr->nlmsg_type = XFRM_MSG_GETSA;
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
+
+ sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+ host2xfrm(dst, &sa_id->daddr);
+ sa_id->spi = spi;
+ sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
+ sa_id->family = dst->get_family(dst);
+
+ if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+ {
+ hdr = out;
+ while (NLMSG_OK(hdr, len))
+ {
+ switch (hdr->nlmsg_type)
+ {
+ case XFRM_MSG_NEWSA:
+ {
+ sa = NLMSG_DATA(hdr);
+ break;
+ }
+ case NLMSG_ERROR:
+ {
+ struct nlmsgerr *err = NLMSG_DATA(hdr);
+ DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)",
+ strerror(-err->error), -err->error);
+ break;
+ }
+ default:
+ hdr = NLMSG_NEXT(hdr, len);
+ continue;
+ case NLMSG_DONE:
+ break;
+ }
+ break;
+ }
+ }
+
+ if (sa == NULL)
+ {
+ DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi);
+ free(out);
+ return FAILED;
+ }
+
+ *use_time = sa->curlft.use_time;
+ free (out);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_sa.
+ */
+static status_t del_sa(private_kernel_interface_t *this, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol)
+{
+ unsigned char request[BUFFER_SIZE];
+ struct nlmsghdr *hdr;
+ struct xfrm_usersa_id *sa_id;
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi);
+
+ hdr = (struct nlmsghdr*)request;
+ hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+ hdr->nlmsg_type = XFRM_MSG_DELSA;
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+
+ sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+ host2xfrm(dst, &sa_id->daddr);
+ sa_id->spi = spi;
+ sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH;
+ sa_id->family = dst->get_family(dst);
+
+ if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unalbe to delete SAD entry with SPI 0x%x", spi);
+ return FAILED;
+ }
+ DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.add_policy.
+ */
+static status_t add_policy(private_kernel_interface_t *this,
+ host_t *src, host_t *dst,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, protocol_id_t protocol,
+ u_int32_t reqid, bool high_prio, mode_t mode,
+ bool update)
+{
+ iterator_t *iterator;
+ policy_entry_t *current, *policy;
+ bool found = FALSE;
+ unsigned char request[BUFFER_SIZE];
+ struct xfrm_userpolicy_info *policy_info;
+ struct nlmsghdr *hdr;
+
+ /* create a policy */
+ policy = malloc_thing(policy_entry_t);
+ memset(policy, 0, sizeof(policy_entry_t));
+ policy->sel = ts2selector(src_ts, dst_ts);
+ policy->direction = direction;
+
+ /* find the policy, which matches EXACTLY */
+ pthread_mutex_lock(&this->policies_mutex);
+ iterator = this->policies->create_iterator(this->policies, TRUE);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (memcmp(&current->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 &&
+ policy->direction == current->direction)
+ {
+ /* use existing policy */
+ if (!update)
+ {
+ current->refcount++;
+ DBG2(DBG_KNL, "policy %R===%R already exists, increasing ",
+ "refcount", src_ts, dst_ts);
+ }
+ free(policy);
+ policy = current;
+ found = TRUE;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ if (!found)
+ { /* apply the new one, if we have no such policy */
+ this->policies->insert_last(this->policies, policy);
+ policy->refcount = 1;
+ }
+
+ DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts);
+
+ memset(&request, 0, sizeof(request));
+ hdr = (struct nlmsghdr*)request;
+ hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+ hdr->nlmsg_type = XFRM_MSG_UPDPOLICY;
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
+
+ policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
+ policy_info->sel = policy->sel;
+ policy_info->dir = policy->direction;
+ /* calculate priority based on source selector size, small size = high prio */
+ policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
+ policy_info->priority -= policy->sel.prefixlen_s * 10;
+ policy_info->priority -= policy->sel.proto ? 2 : 0;
+ policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
+ policy_info->action = XFRM_POLICY_ALLOW;
+ policy_info->share = XFRM_SHARE_ANY;
+ pthread_mutex_unlock(&this->policies_mutex);
+
+ /* policies don't expire */
+ policy_info->lft.soft_byte_limit = XFRM_INF;
+ policy_info->lft.soft_packet_limit = XFRM_INF;
+ policy_info->lft.hard_byte_limit = XFRM_INF;
+ policy_info->lft.hard_packet_limit = XFRM_INF;
+ policy_info->lft.soft_add_expires_seconds = 0;
+ policy_info->lft.hard_add_expires_seconds = 0;
+ policy_info->lft.soft_use_expires_seconds = 0;
+ policy_info->lft.hard_use_expires_seconds = 0;
+
+ struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info);
+ rthdr->rta_type = XFRMA_TMPL;
+
+ rthdr->rta_len = sizeof(struct xfrm_user_tmpl);
+ rthdr->rta_len = RTA_LENGTH(rthdr->rta_len);
+
+ hdr->nlmsg_len += rthdr->rta_len;
+ if (hdr->nlmsg_len > sizeof(request))
+ {
+ return FAILED;
+ }
+
+ struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr);
+ tmpl->reqid = reqid;
+ tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP;
+ tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
+ tmpl->mode = mode;
+ tmpl->family = src->get_family(src);
+
+ host2xfrm(src, &tmpl->saddr);
+ host2xfrm(dst, &tmpl->id.daddr);
+
+ if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts);
+ return FAILED;
+ }
+
+ /* install a route, if:
+ * - we are NOT updating a policy
+ * - this is a forward policy (to just get one for each child)
+ * - we are in tunnel mode
+ * - we are not using IPv6 (does not work correctly yet!)
+ */
+ if (policy->route == NULL && direction == POLICY_FWD &&
+ mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6)
+ {
+ policy->route = malloc_thing(route_entry_t);
+ if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS)
+ {
+ policy->route->if_index = get_interface_index(this, dst);
+ policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16);
+ memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len);
+ policy->route->prefixlen = policy->sel.prefixlen_s;
+
+ if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
+ policy->route) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to install source route for %H",
+ policy->route->src_ip);
+ route_entry_destroy(policy->route);
+ policy->route = NULL;
+ }
+ }
+ else
+ {
+ free(policy->route);
+ policy->route = NULL;
+ }
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.query_policy.
+ */
+static status_t query_policy(private_kernel_interface_t *this,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, u_int32_t *use_time)
+{
+ unsigned char request[BUFFER_SIZE];
+ struct nlmsghdr *out = NULL, *hdr;
+ struct xfrm_userpolicy_id *policy_id;
+ struct xfrm_userpolicy_info *policy = NULL;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts);
+
+ hdr = (struct nlmsghdr*)request;
+ hdr->nlmsg_flags = NLM_F_REQUEST;
+ hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
+
+ policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+ policy_id->sel = ts2selector(src_ts, dst_ts);
+ policy_id->dir = direction;
+
+ if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+ {
+ hdr = out;
+ while (NLMSG_OK(hdr, len))
+ {
+ switch (hdr->nlmsg_type)
+ {
+ case XFRM_MSG_NEWPOLICY:
+ {
+ policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
+ break;
+ }
+ case NLMSG_ERROR:
+ {
+ struct nlmsgerr *err = NLMSG_DATA(hdr);
+ DBG1(DBG_KNL, "querying policy failed: %s (%d)",
+ strerror(-err->error), -err->error);
+ break;
+ }
+ default:
+ hdr = NLMSG_NEXT(hdr, len);
+ continue;
+ case NLMSG_DONE:
+ break;
+ }
+ break;
+ }
+ }
+
+ if (policy == NULL)
+ {
+ DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts);
+ free(out);
+ return FAILED;
+ }
+ *use_time = (time_t)policy->curlft.use_time;
+
+ free(out);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.del_policy.
+ */
+static status_t del_policy(private_kernel_interface_t *this,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction)
+{
+ policy_entry_t *current, policy, *to_delete = NULL;
+ route_entry_t *route;
+ unsigned char request[BUFFER_SIZE];
+ struct nlmsghdr *hdr;
+ struct xfrm_userpolicy_id *policy_id;
+ iterator_t *iterator;
+
+ DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts);
+
+ /* create a policy */
+ memset(&policy, 0, sizeof(policy_entry_t));
+ policy.sel = ts2selector(src_ts, dst_ts);
+ policy.direction = direction;
+
+ /* find the policy */
+ pthread_mutex_lock(&this->policies_mutex);
+ iterator = this->policies->create_iterator(this->policies, TRUE);
+ while (iterator->iterate(iterator, (void**)&current))
+ {
+ if (memcmp(&current->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 &&
+ policy.direction == current->direction)
+ {
+ to_delete = current;
+ if (--to_delete->refcount > 0)
+ {
+ /* is used by more SAs, keep in kernel */
+ DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
+ iterator->destroy(iterator);
+ pthread_mutex_unlock(&this->policies_mutex);
+ return SUCCESS;
+ }
+ /* remove if last reference */
+ iterator->remove(iterator);
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ pthread_mutex_unlock(&this->policies_mutex);
+ if (!to_delete)
+ {
+ DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts);
+ return NOT_FOUND;
+ }
+
+ memset(&request, 0, sizeof(request));
+
+ hdr = (struct nlmsghdr*)request;
+ hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+ hdr->nlmsg_type = XFRM_MSG_DELPOLICY;
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
+
+ policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr);
+ policy_id->sel = to_delete->sel;
+ policy_id->dir = direction;
+
+ route = to_delete->route;
+ free(to_delete);
+
+ if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts);
+ return FAILED;
+ }
+
+ if (route)
+ {
+ if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "error uninstalling route installed with "
+ "policy %R===%R", src_ts, dst_ts);
+ }
+ route_entry_destroy(route);
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_interface_t.destroy.
+ */
+static void destroy(private_kernel_interface_t *this)
+{
+ pthread_cancel(this->event_thread);
+ pthread_join(this->event_thread, NULL);
+ close(this->socket_xfrm_events);
+ close(this->socket_xfrm);
+ close(this->socket_rt);
+ this->vips->destroy(this->vips);
+ this->policies->destroy(this->policies);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_interface_t *kernel_interface_create()
+{
+ private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t);
+ struct sockaddr_nl addr;
+
+ /* public functions */
+ this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
+ this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,mode_t,bool))add_sa;
+ this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
+ this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
+ this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
+ this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy;
+ this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
+ this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
+
+ this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name;
+ this->public.create_address_list = (linked_list_t*(*)(kernel_interface_t*))create_address_list_public;
+ this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip;
+ this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) del_ip;
+ this->public.destroy = (void(*)(kernel_interface_t*)) destroy;
+
+ /* private members */
+ this->vips = linked_list_create();
+ this->policies = linked_list_create();
+ pthread_mutex_init(&this->policies_mutex,NULL);
+ pthread_mutex_init(&this->vips_mutex,NULL);
+
+ addr.nl_family = AF_NETLINK;
+ addr.nl_pid = 0;
+ addr.nl_groups = 0;
+
+ /* create and bind XFRM socket */
+ this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
+ if (this->socket_xfrm <= 0)
+ {
+ charon->kill(charon, "unable to create XFRM netlink socket");
+ }
+
+ if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr)))
+ {
+ charon->kill(charon, "unable to bind XFRM netlink socket");
+ }
+
+ /* create and bind RT socket */
+ this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+ if (this->socket_rt <= 0)
+ {
+ charon->kill(charon, "unable to create RT netlink socket");
+ }
+
+ if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr)))
+ {
+ charon->kill(charon, "unable to bind RT netlink socket");
+ }
+
+ /* create and bind XFRM socket for ACQUIRE & EXPIRE */
+ addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
+ this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
+ if (this->socket_xfrm_events <= 0)
+ {
+ charon->kill(charon, "unable to create XFRM event socket");
+ }
+
+ if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr)))
+ {
+ charon->kill(charon, "unable to bind XFRM event socket");
+ }
+
+ /* create a thread receiving ACQUIRE & EXPIRE events */
+ if (pthread_create(&this->event_thread, NULL,
+ (void*(*)(void*))receive_events, this))
+ {
+ charon->kill(charon, "unable to create xfrm event dispatcher thread");
+ }
+
+ return &this->public;
+}
+
+/* vim: set ts=4 sw=4 noet: */
diff --git a/src/charon/threads/kernel_interface.h b/src/charon/threads/kernel_interface.h
new file mode 100644
index 000000000..34b06f594
--- /dev/null
+++ b/src/charon/threads/kernel_interface.h
@@ -0,0 +1,331 @@
+/**
+ * @file kernel_interface.h
+ *
+ * @brief Interface of kernel_interface_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef KERNEL_INTERFACE_H_
+#define KERNEL_INTERFACE_H_
+
+typedef struct natt_conf_t natt_conf_t;
+typedef enum policy_dir_t policy_dir_t;
+typedef struct kernel_interface_t kernel_interface_t;
+
+#include <utils/host.h>
+#include <crypto/prf_plus.h>
+#include <encoding/payloads/proposal_substructure.h>
+
+/**
+ * Configuration for NAT-T
+ */
+struct natt_conf_t {
+ /** source port to use for UDP-encapsulated packets */
+ u_int16_t sport;
+ /** dest port to use for UDP-encapsulated packets */
+ u_int16_t dport;
+};
+
+/**
+ * Direction of a policy. These are equal to those
+ * defined in xfrm.h, but we want to stay implementation
+ * neutral here.
+ */
+enum policy_dir_t {
+ /** Policy for inbound traffic */
+ POLICY_IN = 0,
+ /** Policy for outbound traffic */
+ POLICY_OUT = 1,
+ /** Policy for forwarded traffic */
+ POLICY_FWD = 2,
+};
+
+/**
+ * @brief Interface to the kernel.
+ *
+ * The kernel interface handles the communication with the kernel
+ * for SA and policy management. It allows setup of these, and provides
+ * further the handling of kernel events.
+ * Policy information are cached in the interface. This is necessary to do
+ * reference counting. The Linux kernel does not allow the same policy
+ * installed twice, but we need this as CHILD_SA exist multiple times
+ * when rekeying. Thats why we do reference counting of policies.
+ *
+ * @b Constructors:
+ * - kernel_interface_create()
+ *
+ * @ingroup threads
+ */
+struct kernel_interface_t {
+
+ /**
+ * @brief Get a SPI from the kernel.
+ *
+ * @warning get_spi() implicitely creates an SA with
+ * the allocated SPI, therefore the replace flag
+ * in add_sa() must be set when installing this SA.
+ *
+ * @param this calling object
+ * @param src source address of SA
+ * @param dst destination address of SA
+ * @param protocol protocol for SA (ESP/AH)
+ * @param reqid unique ID for this SA
+ * @param[out] spi allocated spi
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
+ protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
+
+ /**
+ * @brief Add an SA to the SAD.
+ *
+ * add_sa() may update an already allocated
+ * SPI (via get_spi). In this case, the replace
+ * flag must be set.
+ * This function does install a single SA for a
+ * single protocol in one direction. The kernel-interface
+ * gets the keys itself from the PRF, as we don't know
+ * his algorithms and key sizes.
+ *
+ * @param this calling object
+ * @param src source address for this SA
+ * @param dst destination address for this SA
+ * @param spi SPI allocated by us or remote peer
+ * @param protocol protocol for this SA (ESP/AH)
+ * @param reqid unique ID for this SA
+ * @param expire_soft lifetime in seconds before rekeying
+ * @param expire_hard lieftime in seconds before delete
+ * @param enc_alg Algorithm to use for encryption (ESP only)
+ * @param int_alg Algorithm to use for integrity protection
+ * @param prf_plus PRF to derive keys from
+ * @param natt NAT-T Configuration, or NULL of no NAT-T used
+ * @param mode mode of the SA (tunnel, transport)
+ * @param replace Should an already installed SA be updated?
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*add_sa) (kernel_interface_t *this,
+ host_t *src, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t reqid,
+ u_int64_t expire_soft, u_int64_t expire_hard,
+ algorithm_t *enc_alg, algorithm_t *int_alg,
+ prf_plus_t *prf_plus, natt_conf_t *natt,
+ mode_t mode, bool update);
+
+ /**
+ * @brief Update the hosts on an installed SA.
+ *
+ * We cannot directly update the destination address as the kernel
+ * requires the spi, the protocol AND the destination address (and family)
+ * to identify SAs. Therefore if the destination address changed we
+ * create a new SA and delete the old one.
+ *
+ * @param this calling object
+ * @param dst destination address for this SA
+ * @param spi SPI of the SA
+ * @param protocol protocol for this SA (ESP/AH)
+ * @param new_src new source address for this SA
+ * @param new_dst new destination address for this SA
+ * @param src_changes changes in src
+ * @param dst_changes changes in dst
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*update_sa)(kernel_interface_t *this, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol,
+ host_t *new_src, host_t *new_dst,
+ host_diff_t src_changes, host_diff_t dst_changes);
+
+ /**
+ * @brief Query the use time of an SA.
+ *
+ * The use time of an SA is not the time of the last usage, but
+ * the time of the first usage of the SA.
+ *
+ * @param this calling object
+ * @param dst destination address for this SA
+ * @param spi SPI allocated by us or remote peer
+ * @param protocol protocol for this SA (ESP/AH)
+ * @param[out] use_time the time of this SA's last use
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*query_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t *use_time);
+
+ /**
+ * @brief Delete a previusly installed SA from the SAD.
+ *
+ * @param this calling object
+ * @param dst destination address for this SA
+ * @param spi SPI allocated by us or remote peer
+ * @param protocol protocol for this SA (ESP/AH)
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol);
+
+ /**
+ * @brief Add a policy to the SPD.
+ *
+ * A policy is always associated to an SA. Traffic which matches a
+ * policy is handled by the SA with the same reqid.
+ * If the update flag is set, the policy is updated with the new
+ * src/dst addresses.
+ * If the update flag is not set, but a such policy is already in the
+ * kernel, the reference count to this policy is increased.
+ *
+ * @param this calling object
+ * @param src source address of SA
+ * @param dst dest address of SA
+ * @param src_ts traffic selector to match traffic source
+ * @param dst_ts traffic selector to match traffic dest
+ * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+ * @param protocol protocol to use to protect traffic (AH/ESP)
+ * @param reqid uniqe ID of an SA to use to enforce policy
+ * @param high_prio if TRUE, uses a higher priority than any with FALSE
+ * @param mode mode of SA (tunnel, transport)
+ * @param update update an existing policy, if TRUE
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*add_policy) (kernel_interface_t *this,
+ host_t *src, host_t *dst,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, protocol_id_t protocol,
+ u_int32_t reqid, bool high_prio,
+ mode_t mode, bool update);
+
+ /**
+ * @brief Query the use time of a policy.
+ *
+ * The use time of a policy is the time the policy was used
+ * for the last time.
+ *
+ * @param this calling object
+ * @param src_ts traffic selector to match traffic source
+ * @param dst_ts traffic selector to match traffic dest
+ * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+ * @param[out] use_time the time of this SA's last use
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*query_policy) (kernel_interface_t *this,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, u_int32_t *use_time);
+
+ /**
+ * @brief Remove a policy from the SPD.
+ *
+ * The kernel interface implements reference counting for policies.
+ * If the same policy is installed multiple times (in the case of rekeying),
+ * the reference counter is increased. del_policy() decreases the ref counter
+ * and removes the policy only when no more references are available.
+ *
+ * @param this calling object
+ * @param src_ts traffic selector to match traffic source
+ * @param dst_ts traffic selector to match traffic dest
+ * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*del_policy) (kernel_interface_t *this,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction);
+
+ /**
+ * @brief Get the interface name of a local address.
+ *
+ * @param this calling object
+ * @param host address to get interface name from
+ * @return allocated interface name, or NULL if not found
+ */
+ char* (*get_interface) (kernel_interface_t *this, host_t *host);
+
+ /**
+ * @brief Creates a list of all local addresses.
+ *
+ * @param this calling object
+ * @return allocated list with host_t objects
+ */
+ linked_list_t *(*create_address_list) (kernel_interface_t *this);
+
+ /**
+ * @brief Add a virtual IP to an interface.
+ *
+ * Virtual IPs are attached to an interface. If an IP is added multiple
+ * times, the IP is refcounted and not removed until del_ip() was called
+ * as many times as add_ip().
+ * The virtual IP is attached to the interface where the iface_ip is found.
+ *
+ * @param this calling object
+ * @param virtual_ip virtual ip address to assign
+ * @param iface_ip IP of an interface to attach virtual IP
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip,
+ host_t *iface_ip);
+
+ /**
+ * @brief Remove a virtual IP from an interface.
+ *
+ * The kernel interface uses refcounting, see add_ip().
+ *
+ * @param this calling object
+ * @param virtual_ip virtual ip address to assign
+ * @param iface_ip IP of an interface to remove virtual IP from
+ * @return
+ * - SUCCESS
+ * - FAILED if kernel comm failed
+ */
+ status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip,
+ host_t *iface_ip);
+
+ /**
+ * @brief Destroys a kernel_interface object.
+ *
+ * @param kernel_interface_t calling object
+ */
+ void (*destroy) (kernel_interface_t *kernel_interface);
+};
+
+/**
+ * @brief Creates an object of type kernel_interface_t.
+ *
+ * @ingroup threads
+ */
+kernel_interface_t *kernel_interface_create(void);
+
+#endif /*KERNEL_INTERFACE_H_*/
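Review bot: The `update_sa` member declared here takes `(this, dst, spi, protocol, new_src, new_dst, src_changes, dst_changes)`, but the `update_sa` function this commit adds in kernel_interface.c is defined as `(this, src, dst, new_src, new_dst, src_changes, dst_changes, spi, protocol)`. `kernel_interface_create()` assigns it through a cast to the header's type, so the compiler cannot report the mismatch. A call through the public pointer is then undefined behaviour; on common calling conventions the implementation would read the caller's `spi` where it expects the `dst` pointer and then call `dst->get_family(dst)` on it. The implementation never uses its `src` argument, so it can take the header's parameter list: `static status_t update_sa(private_kernel_interface_t *this, host_t *dst, u_int32_t spi, protocol_id_t protocol, host_t *new_src, host_t *new_dst, host_diff_t src_changes, host_diff_t dst_changes)`. The kernel_interface.c hunk begins outside this view, so any other caller or definition of `update_sa` there should be checked against the same list.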
diff --git a/src/charon/threads/receiver.c b/src/charon/threads/receiver.c
new file mode 100644
index 000000000..7195c162d
--- /dev/null
+++ b/src/charon/threads/receiver.c
@@ -0,0 +1,372 @@
+/**
+ * @file receiver.c
+ *
+ * @brief Implementation of receiver_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <pthread.h>
+
+#include "receiver.h"
+
+#include <daemon.h>
+#include <network/socket.h>
+#include <network/packet.h>
+#include <queues/job_queue.h>
+#include <queues/jobs/job.h>
+#include <queues/jobs/process_message_job.h>
+
+/** length of the full cookie, including time (u_int32_t + SHA1()) */
+#define COOKIE_LENGTH 24
+/** lifetime of a cookie, in seconds */
+#define COOKIE_LIFETIME 10
+/** how many times to reuse the secret */
+#define COOKIE_REUSE 10000
+/** require cookies after half open IKE_SAs */
+#define COOKIE_TRESHOLD 10
+/** how many half open IKE_SAs per peer before blocking */
+#define BLOCK_TRESHOLD 5
+/** length of the secret to use for cookie calculation */
+#define SECRET_LENGTH 16
+
+typedef struct private_receiver_t private_receiver_t;
+
+/**
+ * Private data of a receiver_t object.
+ */
+struct private_receiver_t {
+ /**
+ * Public part of a receiver_t object.
+ */
+ receiver_t public;
+
+ /**
+ * Assigned thread.
+ */
+ pthread_t assigned_thread;
+
+ /**
+ * current secret to use for cookie calculation
+ */
+ char secret[SECRET_LENGTH];
+
+ /**
+ * previous secret used to verify older cookies
+ */
+ char secret_old[SECRET_LENGTH];
+
+ /**
+ * how many times we have used "secret" so far
+ */
+ u_int32_t secret_used;
+
+ /**
+ * time we did the cookie switch
+ */
+ u_int32_t secret_switch;
+
+ /**
+ * time offset to use, hides our system time
+ */
+ u_int32_t secret_offset;
+
+ /**
+ * the randomizer to use for secret generation
+ */
+ randomizer_t *randomizer;
+
+ /**
+ * hasher to use for cookie calculation
+ */
+ hasher_t *hasher;
+};
+
+/**
+ * send a notify back to the sender
+ */
+static void send_notify(message_t *request, notify_type_t type, chunk_t data)
+{
+ if (request->get_request(request) &&
+ request->get_exchange_type(request) == IKE_SA_INIT)
+ {
+ message_t *response;
+ host_t *src, *dst;
+ packet_t *packet;
+ ike_sa_id_t *ike_sa_id;
+
+ response = message_create();
+ dst = request->get_source(request);
+ src = request->get_destination(request);
+ response->set_source(response, src->clone(src));
+ response->set_destination(response, dst->clone(dst));
+ response->set_exchange_type(response, request->get_exchange_type(request));
+ response->set_request(response, FALSE);
+ response->set_message_id(response, 0);
+ ike_sa_id = request->get_ike_sa_id(request);
+ ike_sa_id->switch_initiator(ike_sa_id);
+ response->set_ike_sa_id(response, ike_sa_id);
+ response->add_notify(response, FALSE, type, data);
+ if (response->generate(response, NULL, NULL, &packet) == SUCCESS)
+ {
+ charon->sender->send(charon->sender, packet);
+ response->destroy(response);
+ }
+ }
+}
+
+/**
+ * build a cookie
+ */
+static chunk_t cookie_build(private_receiver_t *this, message_t *message,
+ u_int32_t t, chunk_t secret)
+{
+ u_int64_t spi = message->get_initiator_spi(message);
+ host_t *ip = message->get_source(message);
+ chunk_t input, hash = chunk_alloca(this->hasher->get_hash_size(this->hasher));
+
+ /* COOKIE = t | sha1( IPi | SPIi | t | secret ) */
+ input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi),
+ chunk_from_thing(t), secret);
+ this->hasher->get_hash(this->hasher, input, hash.ptr);
+ return chunk_cat("cc", chunk_from_thing(t), hash);
+}
+
+/**
+ * verify a received cookie
+ */
+static bool cookie_verify(private_receiver_t *this, message_t *message,
+ chunk_t cookie)
+{
+ u_int32_t t, now;
+ chunk_t reference;
+ chunk_t secret;
+
+ now = time(NULL);
+ t = *(u_int32_t*)cookie.ptr;
+
+ if (cookie.len != COOKIE_LENGTH ||
+ t < now - this->secret_offset - COOKIE_LIFETIME)
+ {
+ DBG2(DBG_NET, "received cookie lifetime expired, rejecting");
+ return FALSE;
+ }
+
+ /* check if cookie is derived from old_secret */
+ if (t + this->secret_offset > this->secret_switch)
+ {
+ secret = chunk_from_thing(this->secret);
+ }
+ else
+ {
+ secret = chunk_from_thing(this->secret_old);
+ }
+
+ /* compare own calculation against received */
+ reference = cookie_build(this, message, t, secret);
+ if (chunk_equals(reference, cookie))
+ {
+ chunk_free(&reference);
+ return TRUE;
+ }
+ chunk_free(&reference);
+ return FALSE;
+}
+
+/**
+ * check if cookies are required, and if so, a valid cookie is included
+ */
+static bool cookie_required(private_receiver_t *this, message_t *message)
+{
+ bool failed = FALSE;
+
+ if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
+ NULL) >= COOKIE_TRESHOLD)
+ {
+ /* check for a cookie. We don't use our parser here and do it
+ * quick and dirty for performance reasons.
+ * we assume to cookie is the first payload (which is a MUST), and
+ * the cookies SPI length is zero. */
+ packet_t *packet = message->get_packet(message);
+ chunk_t data = packet->get_data(packet);
+ if (data.len <
+ IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH + COOKIE_LENGTH ||
+ *(data.ptr + 16) != NOTIFY ||
+ *(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
+ {
+ /* no cookie found */
+ failed = TRUE;
+ }
+ else
+ {
+ data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH;
+ data.len = COOKIE_LENGTH;
+ if (!cookie_verify(this, message, data))
+ {
+ DBG2(DBG_NET, "found cookie, but content invalid");
+ failed = TRUE;
+ }
+ }
+ packet->destroy(packet);
+ }
+ return failed;
+}
+
+/**
+ * check if peer has to many half open IKE_SAs
+ */
+static bool peer_to_aggressive(private_receiver_t *this, message_t *message)
+{
+ if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
+ message->get_source(message)) >= BLOCK_TRESHOLD)
+ {
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Implementation of receiver_t.receive_packets.
+ */
+static void receive_packets(private_receiver_t *this)
+{
+ packet_t *packet;
+ message_t *message;
+ job_t *job;
+
+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
+ DBG1(DBG_NET, "receiver thread running, thread_ID: %06u",
+ (int)pthread_self());
+
+ while (TRUE)
+ {
+ /* read in a packet */
+ if (charon->socket->receive(charon->socket, &packet) != SUCCESS)
+ {
+ DBG1(DBG_NET, "receiving from socket failed!");
+ continue;
+ }
+
+ /* parse message header */
+ message = message_create_from_packet(packet);
+ if (message->parse_header(message) != SUCCESS)
+ {
+ DBG1(DBG_NET, "received invalid IKE header from %H, ignored",
+ packet->get_source(packet));
+ message->destroy(message);
+ continue;
+ }
+
+ /* check IKE major version */
+ if (message->get_major_version(message) != IKE_MAJOR_VERSION)
+ {
+ DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
+ "sending INVALID_MAJOR_VERSION", message->get_major_version(message),
+ message->get_minor_version(message), packet->get_source(packet));
+ send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
+ message->destroy(message);
+ continue;
+ }
+
+ if (message->get_request(message) &&
+ message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ /* check for cookies */
+ if (cookie_required(this, message))
+ {
+ u_int32_t now = time(NULL);
+ chunk_t cookie = cookie_build(this, message, now - this->secret_offset,
+ chunk_from_thing(this->secret));
+
+ DBG2(DBG_NET, "received packet from: %#H to %#H",
+ message->get_source(message),
+ message->get_destination(message));
+ DBG2(DBG_NET, "sending COOKIE notify to %H",
+ message->get_source(message));
+ send_notify(message, COOKIE, cookie);
+ chunk_free(&cookie);
+ if (++this->secret_used > COOKIE_REUSE)
+ {
+ /* create new cookie */
+ DBG1(DBG_NET, "generating new cookie secret after %d uses",
+ this->secret_used);
+ memcpy(this->secret_old, this->secret, SECRET_LENGTH);
+ this->randomizer->get_pseudo_random_bytes(this->randomizer,
+ SECRET_LENGTH, this->secret);
+ this->secret_switch = now;
+ this->secret_used = 0;
+ }
+ message->destroy(message);
+ continue;
+ }
+
+ /* check if peer has not too many IKE_SAs half open */
+ if (peer_to_aggressive(this, message))
+ {
+ DBG1(DBG_NET, "ignoring IKE_SA setup from %H, "
+ "peer to aggressive", message->get_source(message));
+ message->destroy(message);
+ continue;
+ }
+ }
+ job = (job_t *)process_message_job_create(message);
+ charon->job_queue->add(charon->job_queue, job);
+ }
+}
+
+/**
+ * Implementation of receiver_t.destroy.
+ */
+static void destroy(private_receiver_t *this)
+{
+ pthread_cancel(this->assigned_thread);
+ pthread_join(this->assigned_thread, NULL);
+ this->randomizer->destroy(this->randomizer);
+ this->hasher->destroy(this->hasher);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+receiver_t *receiver_create()
+{
+ private_receiver_t *this = malloc_thing(private_receiver_t);
+ u_int32_t now = time(NULL);
+
+ this->public.destroy = (void(*)(receiver_t*)) destroy;
+
+ this->randomizer = randomizer_create();
+ this->hasher = hasher_create(HASH_SHA1);
+ this->secret_switch = now;
+ this->secret_offset = random() % now;
+ this->secret_used = 0;
+ this->randomizer->get_pseudo_random_bytes(this->randomizer, SECRET_LENGTH,
+ this->secret);
+ memcpy(this->secret_old, this->secret, SECRET_LENGTH);
+
+ if (pthread_create(&this->assigned_thread, NULL,
+ (void*)receive_packets, this) != 0)
+ {
+ free(this);
+ charon->kill(charon, "unable to create receiver thread");
+ }
+
+ return &this->public;
+}
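Review bot: send_notify() leaks `response` whenever `response->generate()` does not return SUCCESS, because `response->destroy(response);` sits inside the success branch. The function runs for unauthenticated IKE_SA_INIT requests (the INVALID_MAJOR_VERSION and COOKIE paths in receive_packets()), so the leak is on the path meant to absorb floods; whether a peer can make generate() fail is not visible in this file. Move the destroy call after the `if` block so it runs on both outcomes: keep `charon->sender->send(charon->sender, packet);` inside the branch and put `response->destroy(response);` directly after its closing brace.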
diff --git a/src/charon/threads/receiver.h b/src/charon/threads/receiver.h
new file mode 100644
index 000000000..68d9136c0
--- /dev/null
+++ b/src/charon/threads/receiver.h
@@ -0,0 +1,81 @@
+/**
+ * @file receiver.h
+ *
+ * @brief Interface of receiver_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef RECEIVER_H_
+#define RECEIVER_H_
+
+typedef struct receiver_t receiver_t;
+
+#include <library.h>
+#include <utils/host.h>
+
+/**
+ * @brief Receives packets from the socket and adds them to the job queue.
+ *
+ * The receiver starts a thread, wich reads on the blocking socket. A received
+ * packet is preparsed and a process_message_job is queued in the job queue.
+ *
+ * To endure DoS attacks, cookies are enabled when to many IKE_SAs are half
+ * open. The calculation of cookies is slightly different from the proposed
+ * method in RFC4306. We do not include a nonce, because we think the advantage
+ * we gain does not justify the overhead to parse the whole message.
+ * Instead of VersionIdOfSecret, we include a timestamp. This allows us to
+ * find out wich key was used for cookie creation. Further, we can set a
+ * lifetime for the cookie, which allows us to reuse the secret for a longer
+ * time.
+ * COOKIE = time | sha1( IPi | SPIi | time | secret )
+ *
+ * The secret is changed after a certain amount of cookies sent. The old
+ * secret is stored to allow a clean migration between secret changes.
+ *
+ * Further, the number of half-initiated IKE_SAs is limited per peer. This
+ * mades it impossible for a peer to flood the server with its real IP address.
+ *
+ * @b Constructors:
+ * - receiver_create()
+ *
+ * @ingroup threads
+ */
+struct receiver_t {
+
+ /**
+ * @brief Destroys a receiver_t object.
+ *
+ * @param receiver receiver object
+ */
+ void (*destroy) (receiver_t *receiver);
+};
+
+/**
+ * @brief Create a receiver_t object.
+ *
+ * The receiver thread will start working, get data
+ * from the socket and add those packets to the job queue.
+ *
+ * @return receiver_t object
+ *
+ * @ingroup threads
+ */
+receiver_t * receiver_create(void);
+
+#endif /*RECEIVER_H_*/
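Review bot: The struct comment explains why the nonce is left out of the cookie but not what that costs. As documented, `COOKIE = time | sha1( IPi | SPIi | time | secret )` binds a cookie only to the initiator address, SPI and timestamp, so it stays acceptable for any IKE_SA_INIT carrying those values until it expires. I would add a sentence saying so and naming the lifetime constant, for example `A cookie is therefore valid for every request from the same IPi/SPIi until COOKIE_LIFETIME (receiver.c) has passed.` The same block has a few typos worth fixing while there (`wich`, `to many`, `mades`).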
diff --git a/src/charon/threads/scheduler.c b/src/charon/threads/scheduler.c
new file mode 100644
index 000000000..74091e3a3
--- /dev/null
+++ b/src/charon/threads/scheduler.c
@@ -0,0 +1,102 @@
+/**
+ * @file scheduler.c
+ *
+ * @brief Implementation of scheduler_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <pthread.h>
+
+#include "scheduler.h"
+
+#include <daemon.h>
+#include <queues/job_queue.h>
+
+
+typedef struct private_scheduler_t private_scheduler_t;
+
+/**
+ * Private data of a scheduler_t object.
+ */
+struct private_scheduler_t {
+ /**
+ * Public part of a scheduler_t object.
+ */
+ scheduler_t public;
+
+ /**
+ * Assigned thread.
+ */
+ pthread_t assigned_thread;
+};
+
+/**
+ * Implementation of private_scheduler_t.get_events.
+ */
+static void get_events(private_scheduler_t * this)
+{
+ job_t *current_job;
+
+ /* cancellation disabled by default */
+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
+
+ DBG1(DBG_JOB, "scheduler thread running, thread_ID: %06u",
+ (int)pthread_self());
+
+ while (TRUE)
+ {
+ DBG2(DBG_JOB, "waiting for next event...");
+ /* get a job, this block until one is available */
+ current_job = charon->event_queue->get(charon->event_queue);
+ /* queue the job in the job queue, workers will eat them */
+ DBG2(DBG_JOB, "got event, adding job %N to job-queue",
+ job_type_names, current_job->get_type(current_job));
+ charon->job_queue->add(charon->job_queue, current_job);
+ }
+}
+
+/**
+ * Implementation of scheduler_t.destroy.
+ */
+static void destroy(private_scheduler_t *this)
+{
+ pthread_cancel(this->assigned_thread);
+ pthread_join(this->assigned_thread, NULL);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+scheduler_t * scheduler_create()
+{
+ private_scheduler_t *this = malloc_thing(private_scheduler_t);
+
+ this->public.destroy = (void(*)(scheduler_t*)) destroy;
+
+ if (pthread_create(&(this->assigned_thread), NULL, (void*(*)(void*))get_events, this) != 0)
+ {
+ /* thread could not be created */
+ free(this);
+ charon->kill(charon, "unable to create scheduler thread");
+ }
+
+ return &(this->public);
+}
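Review bot: In scheduler_create() the failure branch of pthread_create() calls `free(this)` and then falls through to `return &(this->public);`, so the caller gets a pointer into freed memory if `charon->kill()` ever returns (its behaviour is not visible here). scheduler.h in this commit documents `NULL if thread could not be started`, which the code never returns; adding `return NULL;` after the `charon->kill(...)` line makes the two agree. receiver_create() in receiver.c has the same free-then-return sequence and additionally leaves `randomizer` and `hasher` undestroyed on that path.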
diff --git a/src/charon/threads/scheduler.h b/src/charon/threads/scheduler.h
new file mode 100644
index 000000000..daecce3c6
--- /dev/null
+++ b/src/charon/threads/scheduler.h
@@ -0,0 +1,68 @@
+/**
+ * @file scheduler.h
+ *
+ * @brief Interface of scheduler_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef SCHEDULER_H_
+#define SCHEDULER_H_
+
+typedef struct scheduler_t scheduler_t;
+
+#include <library.h>
+
+/**
+ * @brief The scheduler thread is responsible for timed events.
+ *
+ * The scheduler thread takes out jobs from the event-queue and adds them
+ * to the job-queue.
+ *
+ * Starts a thread which does the work, since event-queue is blocking.
+ *
+ * @b Constructors:
+ * - scheduler_create()
+ *
+ * @ingroup threads
+ */
+struct scheduler_t {
+
+ /**
+ * @brief Destroys a scheduler object.
+ *
+ * @param scheduler calling object
+ */
+ void (*destroy) (scheduler_t *scheduler);
+};
+
+/**
+ * @brief Create a scheduler with its associated thread.
+ *
+ * The thread will start to get jobs form the event queue
+ * and adds them to the job queue.
+ *
+ * @return
+ * - scheduler_t object
+ * - NULL if thread could not be started
+ *
+ * @ingroup threads
+ */
+scheduler_t * scheduler_create(void);
+
+#endif /*SCHEDULER_H_*/
diff --git a/src/charon/threads/sender.c b/src/charon/threads/sender.c
new file mode 100644
index 000000000..c1cd0a68c
--- /dev/null
+++ b/src/charon/threads/sender.c
@@ -0,0 +1,149 @@
+/**
+ * @file sender.c
+ *
+ * @brief Implementation of sender_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <pthread.h>
+
+#include "sender.h"
+
+#include <daemon.h>
+#include <network/socket.h>
+
+
+typedef struct private_sender_t private_sender_t;
+
+/**
+ * Private data of a sender_t object.
+ */
+struct private_sender_t {
+ /**
+ * Public part of a sender_t object.
+ */
+ sender_t public;
+
+ /**
+ * Assigned thread.
+ */
+ pthread_t assigned_thread;
+
+ /**
+ * The packets are stored in a linked list
+ */
+ linked_list_t *list;
+
+ /**
+ * mutex to synchronize access to list
+ */
+ pthread_mutex_t mutex;
+
+ /**
+ * condvar to signal for packets in list
+ */
+ pthread_cond_t condvar;
+};
+
+/**
+ * implements sender_t.send
+ */
+static void send_(private_sender_t *this, packet_t *packet)
+{
+ host_t *src, *dst;
+
+ src = packet->get_source(packet);
+ dst = packet->get_destination(packet);
+ DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst);
+
+ pthread_mutex_lock(&this->mutex);
+ this->list->insert_last(this->list, packet);
+ pthread_mutex_unlock(&this->mutex);
+ pthread_cond_signal(&this->condvar);
+}
+
+/**
+ * Implementation of private_sender_t.send_packets.
+ */
+static void send_packets(private_sender_t * this)
+{
+
+ /* cancellation disabled by default */
+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
+ DBG1(DBG_NET, "sender thread running, thread_ID: %06u", (int)pthread_self());
+
+ while (TRUE)
+ {
+ packet_t *packet;
+ int oldstate;
+
+ pthread_mutex_lock(&this->mutex);
+ /* go to wait while no packets available */
+ while (this->list->get_count(this->list) == 0)
+ {
+ /* add cleanup handler, wait for packet, remove cleanup handler */
+ pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&this->mutex);
+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+ pthread_cond_wait(&this->condvar, &this->mutex);
+
+ pthread_setcancelstate(oldstate, NULL);
+ pthread_cleanup_pop(0);
+ }
+ this->list->remove_first(this->list, (void**)&packet);
+ pthread_mutex_unlock(&this->mutex);
+
+ charon->socket->send(charon->socket, packet);
+ packet->destroy(packet);
+ }
+}
+
+/**
+ * Implementation of sender_t.destroy.
+ */
+static void destroy(private_sender_t *this)
+{
+ pthread_cancel(this->assigned_thread);
+ pthread_join(this->assigned_thread, NULL);
+ this->list->destroy_offset(this->list, offsetof(packet_t, destroy));
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+sender_t * sender_create()
+{
+ private_sender_t *this = malloc_thing(private_sender_t);
+
+ this->public.send = (void(*)(sender_t*,packet_t*))send_;
+ this->public.destroy = (void(*)(sender_t*)) destroy;
+
+ this->list = linked_list_create();
+ pthread_mutex_init(&this->mutex, NULL);
+ pthread_cond_init(&this->condvar, NULL);
+
+ if (pthread_create(&this->assigned_thread, NULL,
+ (void*)send_packets, this) != 0)
+ {
+ charon->kill(charon, "unable to create sender thread");
+ }
+
+ return &(this->public);
+}
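Review bot: send_() appends to `this->list` with no upper bound, so nothing limits how many packets can be queued. receiver.c in this commit calls `charon->sender->send()` for every COOKIE and INVALID_MAJOR_VERSION notify it answers, so the queue length is driven by unauthenticated traffic whenever the socket drains slower than packets arrive. I would cap the list in send_() and drop and destroy the packet once the cap is reached. The limit name in the sketch below is a placeholder, not an existing constant.

```c
static void send_(private_sender_t *this, packet_t *packet)
{
	/* … unchanged: src/dst lookup and DBG1 … */
	pthread_mutex_lock(&this->mutex);
	if (this->list->get_count(this->list) >= SENDER_QUEUE_LIMIT /* placeholder name */)
	{
		pthread_mutex_unlock(&this->mutex);
		DBG1(DBG_NET, "send queue full, dropping packet");
		packet->destroy(packet);
		return;
	}
	/* … unchanged: insert_last, unlock, cond_signal … */
```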
diff --git a/src/charon/threads/sender.h b/src/charon/threads/sender.h
new file mode 100644
index 000000000..4f42f6f9e
--- /dev/null
+++ b/src/charon/threads/sender.h
@@ -0,0 +1,74 @@
+/**
+ * @file sender.h
+ *
+ * @brief Interface of sender_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef SENDER_H_
+#define SENDER_H_
+
+typedef struct sender_t sender_t;
+
+#include <library.h>
+#include <network/packet.h>
+
+/**
+ * @brief Thread responsible for sending packets over the socket.
+ *
+ * @b Constructors:
+ * - sender_create()
+ *
+ * @ingroup threads
+ */
+struct sender_t {
+
+ /**
+ * @brief Send a packet over the network.
+ *
+ * This function is non blocking and adds the packet to a queue.
+ * Whenever the sender thread things it's good to send the packet,
+ * it'll do so.
+ *
+ * @param this calling object
+ * @param packet packet to send
+ */
+ void (*send) (sender_t *this, packet_t *packet);
+
+ /**
+ * @brief Destroys a sender object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (sender_t *this);
+};
+
+/**
+ * @brief Create the sender thread.
+ *
+ * The thread will start to work, getting packets
+ * from its queue and sends them out.
+ *
+ * @return created sender object
+ *
+ * @ingroup threads
+ */
+sender_t * sender_create(void);
+
+#endif /*SENDER_H_*/
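Review bot: The doc comment on `send` does not say who owns `packet` after the call. In sender.c the sender thread calls `packet->destroy(packet)` after handing it to the socket, so a caller that keeps using or destroys the packet would hit a use-after-free or double free. I would extend the parameter line to `@param packet packet to send, gets destroyed by the sender`. The sentence above it also has a typo, `things` for `thinks`.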
diff --git a/src/charon/threads/stroke_interface.c b/src/charon/threads/stroke_interface.c
new file mode 100755
index 000000000..a9074debb
--- /dev/null
+++ b/src/charon/threads/stroke_interface.c
@@ -0,0 +1,1456 @@
+/**
+ * @file stroke.c
+ *
+ * @brief Implementation of stroke_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/fcntl.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <errno.h>
+#include <pthread.h>
+#include <signal.h>
+
+#include "stroke_interface.h"
+
+#include <library.h>
+#include <stroke.h>
+#include <daemon.h>
+#include <crypto/x509.h>
+#include <crypto/ca.h>
+#include <crypto/crl.h>
+#include <queues/jobs/initiate_job.h>
+#include <queues/jobs/route_job.h>
+#include <utils/leak_detective.h>
+
+#define IKE_PORT 500
+#define PATH_BUF 256
+
+
+struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET};
+
+
+typedef struct private_stroke_t private_stroke_t;
+
+/**
+ * Private data of an stroke_t object.
+ */
+struct private_stroke_t {
+
+ /**
+ * Public part of stroke_t object.
+ */
+ stroke_t public;
+
+ /**
+ * Output stream (stroke console)
+ */
+ FILE *out;
+
+ /**
+ * Unix socket to listen for strokes
+ */
+ int socket;
+
+ /**
+ * Thread which reads from the Socket
+ */
+ pthread_t assigned_thread;
+};
+
+/**
+ * Helper function which corrects the string pointers
+ * in a stroke_msg_t. Strings in a stroke_msg sent over "wire"
+ * contains RELATIVE addresses (relative to the beginning of the
+ * stroke_msg). They must be corrected if they reach our address
+ * space...
+ */
+static void pop_string(stroke_msg_t *msg, char **string)
+{
+ if (*string == NULL)
+ return;
+
+ /* check for sanity of string pointer and string */
+ if (string < (char**)msg
+ || string > (char**)msg + sizeof(stroke_msg_t)
+ || (unsigned long)*string < (unsigned long)((char*)msg->buffer - (char*)msg)
+ || (unsigned long)*string > msg->length)
+ {
+ *string = "(invalid pointer in stroke msg)";
+ }
+ else
+ {
+ *string = (char*)msg + (unsigned long)*string;
+ }
+}
+
+/**
+ * Load end entitity certificate
+ */
+static x509_t* load_end_certificate(const char *filename, identification_t **idp)
+{
+ char path[PATH_BUF];
+ x509_t *cert;
+
+ if (*filename == '/')
+ {
+ /* absolute path name */
+ snprintf(path, sizeof(path), "%s", filename);
+ }
+ else
+ {
+ /* relative path name */
+ snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
+ }
+
+ cert = x509_create_from_file(path, "end entity");
+
+ if (cert)
+ {
+ identification_t *id = *idp;
+ identification_t *subject = cert->get_subject(cert);
+
+ err_t ugh = cert->is_valid(cert, NULL);
+
+ if (ugh != NULL)
+ {
+ DBG1(DBG_CFG, "warning: certificate %s", ugh);
+ }
+ if (!id->equals(id, subject) && !cert->equals_subjectAltName(cert, id))
+ {
+ id->destroy(id);
+ id = subject;
+ *idp = id->clone(id);
+ }
+ return charon->credentials->add_end_certificate(charon->credentials, cert);
+ }
+ return NULL;
+}
+
+/**
+ * Load ca certificate
+ */
+static x509_t* load_ca_certificate(const char *filename)
+{
+ char path[PATH_BUF];
+ x509_t *cert;
+
+ if (*filename == '/')
+ {
+ /* absolute path name */
+ snprintf(path, sizeof(path), "%s", filename);
+ }
+ else
+ {
+ /* relative path name */
+ snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
+ }
+
+ cert = x509_create_from_file(path, "ca");
+
+ if (cert)
+ {
+ if (cert->is_ca(cert))
+ {
+ return charon->credentials->add_auth_certificate(charon->credentials, cert, AUTH_CA);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " CA basic constraints flag not set, cert discarded");
+ cert->destroy(cert);
+ }
+ }
+ return NULL;
+}
+
+/**
+ * Add a connection to the configuration list
+ */
+static void stroke_add_conn(stroke_msg_t *msg, FILE *out)
+{
+ connection_t *connection;
+ policy_t *policy;
+ identification_t *my_id, *other_id;
+ identification_t *my_ca = NULL;
+ identification_t *other_ca = NULL;
+ bool my_ca_same = FALSE;
+ bool other_ca_same =FALSE;
+ host_t *my_host, *other_host, *my_subnet, *other_subnet;
+ host_t *my_vip = NULL, *other_vip = NULL;
+ proposal_t *proposal;
+ traffic_selector_t *my_ts, *other_ts;
+ char *interface;
+
+ pop_string(msg, &msg->add_conn.name);
+ pop_string(msg, &msg->add_conn.me.address);
+ pop_string(msg, &msg->add_conn.other.address);
+ pop_string(msg, &msg->add_conn.me.subnet);
+ pop_string(msg, &msg->add_conn.other.subnet);
+ pop_string(msg, &msg->add_conn.me.sourceip);
+ pop_string(msg, &msg->add_conn.other.sourceip);
+ pop_string(msg, &msg->add_conn.me.id);
+ pop_string(msg, &msg->add_conn.other.id);
+ pop_string(msg, &msg->add_conn.me.cert);
+ pop_string(msg, &msg->add_conn.other.cert);
+ pop_string(msg, &msg->add_conn.me.ca);
+ pop_string(msg, &msg->add_conn.other.ca);
+ pop_string(msg, &msg->add_conn.me.updown);
+ pop_string(msg, &msg->add_conn.other.updown);
+ pop_string(msg, &msg->add_conn.algorithms.ike);
+ pop_string(msg, &msg->add_conn.algorithms.esp);
+
+ DBG1(DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name);
+
+ DBG2(DBG_CFG, "conn %s", msg->add_conn.name);
+ DBG2(DBG_CFG, " left=%s", msg->add_conn.me.address);
+ DBG2(DBG_CFG, " right=%s", msg->add_conn.other.address);
+ DBG2(DBG_CFG, " leftsubnet=%s", msg->add_conn.me.subnet);
+ DBG2(DBG_CFG, " rightsubnet=%s", msg->add_conn.other.subnet);
+ DBG2(DBG_CFG, " leftsourceip=%s", msg->add_conn.me.sourceip);
+ DBG2(DBG_CFG, " rightsourceip=%s", msg->add_conn.other.sourceip);
+ DBG2(DBG_CFG, " leftid=%s", msg->add_conn.me.id);
+ DBG2(DBG_CFG, " rightid=%s", msg->add_conn.other.id);
+ DBG2(DBG_CFG, " leftcert=%s", msg->add_conn.me.cert);
+ DBG2(DBG_CFG, " rightcert=%s", msg->add_conn.other.cert);
+ DBG2(DBG_CFG, " leftca=%s", msg->add_conn.me.ca);
+ DBG2(DBG_CFG, " rightca=%s", msg->add_conn.other.ca);
+ DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike);
+ DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp);
+
+ my_host = msg->add_conn.me.address?
+ host_create_from_string(msg->add_conn.me.address, IKE_PORT) : NULL;
+ if (my_host == NULL)
+ {
+ DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.me.address);
+ return;
+ }
+
+ other_host = msg->add_conn.other.address ?
+ host_create_from_string(msg->add_conn.other.address, IKE_PORT) : NULL;
+ if (other_host == NULL)
+ {
+ DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.other.address);
+ my_host->destroy(my_host);
+ return;
+ }
+
+ interface = charon->kernel_interface->get_interface(charon->kernel_interface,
+ other_host);
+ if (interface)
+ {
+ stroke_end_t tmp_end;
+ host_t *tmp_host;
+
+ DBG2(DBG_CFG, "left is other host, swapping ends\n");
+
+ tmp_host = my_host;
+ my_host = other_host;
+ other_host = tmp_host;
+
+ tmp_end = msg->add_conn.me;
+ msg->add_conn.me = msg->add_conn.other;
+ msg->add_conn.other = tmp_end;
+ free(interface);
+ }
+ if (!interface)
+ {
+ interface = charon->kernel_interface->get_interface(
+ charon->kernel_interface, my_host);
+ if (!interface)
+ {
+ DBG1(DBG_CFG, "left nor right host is our side, aborting\n");
+ goto destroy_hosts;
+ }
+ free(interface);
+ }
+
+ my_id = identification_create_from_string(msg->add_conn.me.id ?
+ msg->add_conn.me.id : msg->add_conn.me.address);
+ if (my_id == NULL)
+ {
+ DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.me.id);
+ goto destroy_hosts;
+ }
+
+ other_id = identification_create_from_string(msg->add_conn.other.id ?
+ msg->add_conn.other.id : msg->add_conn.other.address);
+ if (other_id == NULL)
+ {
+ DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.other.id);
+ my_id->destroy(my_id);
+ goto destroy_hosts;
+ }
+
+ my_subnet = host_create_from_string(msg->add_conn.me.subnet ?
+ msg->add_conn.me.subnet : msg->add_conn.me.address, IKE_PORT);
+ if (my_subnet == NULL)
+ {
+ DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet);
+ goto destroy_ids;
+ }
+
+ other_subnet = host_create_from_string(msg->add_conn.other.subnet ?
+ msg->add_conn.other.subnet : msg->add_conn.other.address, IKE_PORT);
+ if (other_subnet == NULL)
+ {
+ DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet);
+ my_subnet->destroy(my_subnet);
+ goto destroy_ids;
+ }
+
+ if (msg->add_conn.me.virtual_ip)
+ {
+ my_vip = host_create_from_string(msg->add_conn.me.sourceip, 0);
+ }
+ other_vip = host_create_from_string(msg->add_conn.other.sourceip, 0);
+
+ if (msg->add_conn.me.tohost)
+ {
+ my_ts = traffic_selector_create_dynamic(msg->add_conn.me.protocol,
+ my_host->get_family(my_host) == AF_INET ?
+ TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE,
+ msg->add_conn.me.port ? msg->add_conn.me.port : 0,
+ msg->add_conn.me.port ? msg->add_conn.me.port : 65535);
+ }
+ else
+ {
+ my_ts = traffic_selector_create_from_subnet(my_subnet,
+ msg->add_conn.me.subnet ? msg->add_conn.me.subnet_mask : 0,
+ msg->add_conn.me.protocol, msg->add_conn.me.port);
+ }
+ my_subnet->destroy(my_subnet);
+
+ if (msg->add_conn.other.tohost)
+ {
+ other_ts = traffic_selector_create_dynamic(msg->add_conn.other.protocol,
+ other_host->get_family(other_host) == AF_INET ?
+ TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE,
+ msg->add_conn.other.port ? msg->add_conn.other.port : 0,
+ msg->add_conn.other.port ? msg->add_conn.other.port : 65535);
+ }
+ else
+ {
+ other_ts = traffic_selector_create_from_subnet(other_subnet,
+ msg->add_conn.other.subnet ? msg->add_conn.other.subnet_mask : 0,
+ msg->add_conn.other.protocol, msg->add_conn.other.port);
+ }
+ other_subnet->destroy(other_subnet);
+
+ if (msg->add_conn.me.ca)
+ {
+ if (streq(msg->add_conn.me.ca, "%same"))
+ {
+ my_ca_same = TRUE;
+ }
+ else
+ {
+ my_ca = identification_create_from_string(msg->add_conn.me.ca);
+ }
+ }
+ if (msg->add_conn.other.ca)
+ {
+ if (streq(msg->add_conn.other.ca, "%same"))
+ {
+ other_ca_same = TRUE;
+ }
+ else
+ {
+ other_ca = identification_create_from_string(msg->add_conn.other.ca);
+ }
+ }
+ if (msg->add_conn.me.cert)
+ {
+ x509_t *cert = load_end_certificate(msg->add_conn.me.cert, &my_id);
+
+ if (my_ca == NULL && !my_ca_same && cert)
+ {
+ identification_t *issuer = cert->get_issuer(cert);
+
+ my_ca = issuer->clone(issuer);
+ }
+ }
+ if (msg->add_conn.other.cert)
+ {
+ x509_t *cert = load_end_certificate(msg->add_conn.other.cert, &other_id);
+
+ if (other_ca == NULL && !other_ca_same && cert)
+ {
+ identification_t *issuer = cert->get_issuer(cert);
+
+ other_ca = issuer->clone(issuer);
+ }
+ }
+ if (other_ca_same && my_ca)
+ {
+ other_ca = my_ca->clone(my_ca);
+ }
+ else if (my_ca_same && other_ca)
+ {
+ my_ca = other_ca->clone(other_ca);
+ }
+ if (my_ca == NULL)
+ {
+ my_ca = identification_create_from_string("%any");
+ }
+ if (other_ca == NULL)
+ {
+ other_ca = identification_create_from_string("%any");
+ }
+ DBG2(DBG_CFG, " my ca: '%D'", my_ca);
+ DBG2(DBG_CFG, " other ca:'%D'", other_ca);
+ DBG2(DBG_CFG, " updown: '%s'", msg->add_conn.me.updown);
+
+ connection = connection_create(msg->add_conn.name,
+ msg->add_conn.ikev2,
+ msg->add_conn.me.sendcert,
+ msg->add_conn.other.sendcert,
+ my_host, other_host,
+ msg->add_conn.dpd.delay,
+ msg->add_conn.rekey.reauth,
+ msg->add_conn.rekey.tries,
+ msg->add_conn.rekey.ike_lifetime,
+ msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin,
+ msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100);
+
+ if (msg->add_conn.algorithms.ike)
+ {
+ char *proposal_string;
+ char *strict = msg->add_conn.algorithms.ike + strlen(msg->add_conn.algorithms.ike) - 1;
+
+ if (*strict == '!')
+ *strict = '\0';
+ else
+ strict = NULL;
+
+ while ((proposal_string = strsep(&msg->add_conn.algorithms.ike, ",")))
+ {
+ proposal = proposal_create_from_string(PROTO_IKE, proposal_string);
+ if (proposal == NULL)
+ {
+ DBG1(DBG_CFG, "invalid IKE proposal string: %s", proposal_string);
+ my_id->destroy(my_id);
+ other_id->destroy(other_id);
+ my_ts->destroy(my_ts);
+ other_ts->destroy(other_ts);
+ my_ca->destroy(my_ca);
+ other_ca->destroy(other_ca);
+ connection->destroy(connection);
+ return;
+ }
+ connection->add_proposal(connection, proposal);
+ }
+ if (!strict)
+ {
+ proposal = proposal_create_default(PROTO_IKE);
+ connection->add_proposal(connection, proposal);
+ }
+ }
+ else
+ {
+ proposal = proposal_create_default(PROTO_IKE);
+ connection->add_proposal(connection, proposal);
+ }
+
+ policy = policy_create(msg->add_conn.name, my_id, other_id, my_vip, other_vip,
+ msg->add_conn.auth_method, msg->add_conn.eap_type,
+ msg->add_conn.rekey.ipsec_lifetime,
+ msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
+ msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100,
+ msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
+ msg->add_conn.mode, msg->add_conn.dpd.action);
+ policy->add_my_traffic_selector(policy, my_ts);
+ policy->add_other_traffic_selector(policy, other_ts);
+ policy->add_authorities(policy, my_ca, other_ca);
+
+ if (msg->add_conn.algorithms.esp)
+ {
+ char *proposal_string;
+ char *strict = msg->add_conn.algorithms.esp + strlen(msg->add_conn.algorithms.esp) - 1;
+
+ if (*strict == '!')
+ *strict = '\0';
+ else
+ strict = NULL;
+
+ while ((proposal_string = strsep(&msg->add_conn.algorithms.esp, ",")))
+ {
+ proposal = proposal_create_from_string(PROTO_ESP, proposal_string);
+ if (proposal == NULL)
+ {
+ DBG1(DBG_CFG, "invalid ESP proposal string: %s", proposal_string);
+ policy->destroy(policy);
+ connection->destroy(connection);
+ return;
+ }
+ policy->add_proposal(policy, proposal);
+ }
+ if (!strict)
+ {
+ proposal = proposal_create_default(PROTO_ESP);
+ policy->add_proposal(policy, proposal);
+ }
+ }
+ else
+ {
+ proposal = proposal_create_default(PROTO_ESP);
+ policy->add_proposal(policy, proposal);
+ }
+
+ /* add to global connection list */
+ charon->connections->add_connection(charon->connections, connection);
+ DBG1(DBG_CFG, "added connection '%s': %H[%D]...%H[%D]",
+ msg->add_conn.name, my_host, my_id, other_host, other_id);
+ /* add to global policy list */
+ charon->policies->add_policy(charon->policies, policy);
+
+ return;
+
+ /* mopping up after parsing errors */
+
+destroy_ids:
+ my_id->destroy(my_id);
+ other_id->destroy(other_id);
+
+destroy_hosts:
+ my_host->destroy(my_host);
+ other_host->destroy(other_host);
+}
+
+/**
+ * Delete a connection from the list
+ */
+static void stroke_del_conn(stroke_msg_t *msg, FILE *out)
+{
+ status_t status;
+
+ pop_string(msg, &(msg->del_conn.name));
+ DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name);
+
+ status = charon->connections->delete_connection(charon->connections,
+ msg->del_conn.name);
+ charon->policies->delete_policy(charon->policies, msg->del_conn.name);
+ if (status == SUCCESS)
+ {
+ fprintf(out, "deleted connection '%s'\n", msg->del_conn.name);
+ }
+ else
+ {
+ fprintf(out, "no connection named '%s'\n", msg->del_conn.name);
+ }
+}
+
+/**
+ * initiate a connection by name
+ */
+static void stroke_initiate(stroke_msg_t *msg, FILE *out)
+{
+ initiate_job_t *job;
+ connection_t *connection;
+ policy_t *policy;
+ ike_sa_t *init_ike_sa = NULL;
+ signal_t signal;
+
+ pop_string(msg, &(msg->initiate.name));
+ DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name);
+
+ connection = charon->connections->get_connection_by_name(charon->connections,
+ msg->initiate.name);
+ if (connection == NULL)
+ {
+ if (msg->output_verbosity >= 0)
+ {
+ fprintf(out, "no connection named '%s'\n", msg->initiate.name);
+ }
+ return;
+ }
+ if (!connection->is_ikev2(connection))
+ {
+ connection->destroy(connection);
+ return;
+ }
+
+ policy = charon->policies->get_policy_by_name(charon->policies,
+ msg->initiate.name);
+ if (policy == NULL)
+ {
+ if (msg->output_verbosity >= 0)
+ {
+ fprintf(out, "no policy named '%s'\n", msg->initiate.name);
+ }
+ connection->destroy(connection);
+ return;
+ }
+
+ job = initiate_job_create(connection, policy);
+ charon->bus->set_listen_state(charon->bus, TRUE);
+ charon->job_queue->add(charon->job_queue, (job_t*)job);
+ while (TRUE)
+ {
+ level_t level;
+ int thread;
+ ike_sa_t *ike_sa;
+ char* format;
+ va_list args;
+
+ signal = charon->bus->listen(charon->bus, &level, &thread, &ike_sa, &format, &args);
+
+ if ((init_ike_sa == NULL || ike_sa == init_ike_sa) &&
+ level <= msg->output_verbosity)
+ {
+ if (vfprintf(out, format, args) < 0 ||
+ fprintf(out, "\n") < 0 ||
+ fflush(out))
+ {
+ charon->bus->set_listen_state(charon->bus, FALSE);
+ break;
+ }
+ }
+
+ switch (signal)
+ {
+ case CHILD_UP_SUCCESS:
+ case CHILD_UP_FAILED:
+ case IKE_UP_FAILED:
+ if (ike_sa == init_ike_sa)
+ {
+ charon->bus->set_listen_state(charon->bus, FALSE);
+ return;
+ }
+ continue;
+ case CHILD_UP_START:
+ case IKE_UP_START:
+ if (init_ike_sa == NULL)
+ {
+ init_ike_sa = ike_sa;
+ }
+ continue;
+ default:
+ continue;
+ }
+ }
+}
+
+/**
+ * route/unroute a policy (install SPD entries)
+ */
+static void stroke_route(stroke_msg_t *msg, FILE *out, bool route)
+{
+ route_job_t *job;
+ connection_t *connection;
+ policy_t *policy;
+
+ pop_string(msg, &(msg->route.name));
+ DBG1(DBG_CFG, "received stroke: %s '%s'",
+ route ? "route" : "unroute", msg->route.name);
+
+ /* we wouldn't need a connection, but we only want to route policies
+ * whose connections are keyexchange=ikev2. */
+ connection = charon->connections->get_connection_by_name(charon->connections,
+ msg->route.name);
+ if (connection == NULL)
+ {
+ fprintf(out, "no connection named '%s'\n", msg->route.name);
+ return;
+ }
+ if (!connection->is_ikev2(connection))
+ {
+ connection->destroy(connection);
+ return;
+ }
+
+ policy = charon->policies->get_policy_by_name(charon->policies,
+ msg->route.name);
+ if (policy == NULL)
+ {
+ fprintf(out, "no policy named '%s'\n", msg->route.name);
+ connection->destroy(connection);
+ return;
+ }
+ fprintf(out, "%s policy '%s'\n",
+ route ? "routing" : "unrouting", msg->route.name);
+ job = route_job_create(connection, policy, route);
+ charon->job_queue->add(charon->job_queue, (job_t*)job);
+}
+
+/**
+ * terminate a connection by name
+ */
+static void stroke_terminate(stroke_msg_t *msg, FILE *out)
+{
+ char *string, *pos = NULL, *name = NULL;
+ u_int32_t id = 0;
+ bool child;
+ int len;
+ status_t status = SUCCESS;;
+ ike_sa_t *ike_sa;
+
+ pop_string(msg, &(msg->terminate.name));
+ string = msg->terminate.name;
+ DBG1(DBG_CFG, "received stroke: terminate '%s'", string);
+
+ len = strlen(string);
+ if (len < 1)
+ {
+ DBG1(DBG_CFG, "error parsing string");
+ return;
+ }
+ switch (string[len-1])
+ {
+ case '}':
+ child = TRUE;
+ pos = strchr(string, '{');
+ break;
+ case ']':
+ child = FALSE;
+ pos = strchr(string, '[');
+ break;
+ default:
+ name = string;
+ child = FALSE;
+ break;
+ }
+
+ if (name)
+ { /* must be a single name */
+ DBG1(DBG_CFG, "check out by single name '%s'", name);
+ ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager,
+ name, child);
+ }
+ else if (pos == string + len - 2)
+ { /* must be name[] or name{} */
+ string[len-2] = '\0';
+ DBG1(DBG_CFG, "check out by name '%s'", string);
+ ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager,
+ string, child);
+ }
+ else
+ { /* must be name[123] or name{23} */
+ string[len-1] = '\0';
+ id = atoi(pos + 1);
+ if (id == 0)
+ {
+ DBG1(DBG_CFG, "error parsing string");
+ return;
+ }
+ DBG1(DBG_CFG, "check out by id '%d'", id);
+ ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
+ id, child);
+ }
+ if (ike_sa == NULL)
+ {
+ DBG1(DBG_CFG, "no such IKE_SA found");
+ return;
+ }
+
+ if (!child)
+ {
+ status = ike_sa->delete(ike_sa);
+ }
+ else
+ {
+ child_sa_t *child_sa;
+ iterator_t *iterator = ike_sa->create_child_sa_iterator(ike_sa);
+ while (iterator->iterate(iterator, (void**)&child_sa))
+ {
+ if ((id && id == child_sa->get_reqid(child_sa)) ||
+ (string && streq(string, child_sa->get_name(child_sa))))
+ {
+ u_int32_t spi = child_sa->get_spi(child_sa, TRUE);
+ protocol_id_t proto = child_sa->get_protocol(child_sa);
+
+ status = ike_sa->delete_child_sa(ike_sa, proto, spi);
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ }
+ if (status == DESTROY_ME)
+ {
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+ ike_sa);
+ return;
+ }
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+}
+
+/**
+ * Add a ca information record to the cainfo list
+ */
+static void stroke_add_ca(stroke_msg_t *msg, FILE *out)
+{
+ x509_t *cacert;
+ ca_info_t *ca_info;
+
+ pop_string(msg, &msg->add_ca.name);
+ pop_string(msg, &msg->add_ca.cacert);
+ pop_string(msg, &msg->add_ca.crluri);
+ pop_string(msg, &msg->add_ca.crluri2);
+ pop_string(msg, &msg->add_ca.ocspuri);
+ pop_string(msg, &msg->add_ca.ocspuri2);
+
+ DBG1(DBG_CFG, "received stroke: add ca '%s'", msg->add_ca.name);
+
+ DBG2(DBG_CFG, "ca %s", msg->add_ca.name);
+ DBG2(DBG_CFG, " cacert=%s", msg->add_ca.cacert);
+ DBG2(DBG_CFG, " crluri=%s", msg->add_ca.crluri);
+ DBG2(DBG_CFG, " crluri2=%s", msg->add_ca.crluri2);
+ DBG2(DBG_CFG, " ocspuri=%s", msg->add_ca.ocspuri);
+ DBG2(DBG_CFG, " ocspuri2=%s", msg->add_ca.ocspuri2);
+
+ if (msg->add_ca.cacert == NULL)
+ {
+ DBG1(DBG_CFG, "missing cacert parameter\n");
+ return;
+ }
+
+ cacert = load_ca_certificate(msg->add_ca.cacert);
+
+ if (cacert == NULL)
+ {
+ return;
+ }
+ ca_info = ca_info_create(msg->add_ca.name, cacert);
+
+ if (msg->add_ca.crluri)
+ {
+ chunk_t uri = { msg->add_ca.crluri, strlen(msg->add_ca.crluri) };
+
+ ca_info->add_crluri(ca_info, uri);
+ }
+ if (msg->add_ca.crluri2)
+ {
+ chunk_t uri = { msg->add_ca.crluri2, strlen(msg->add_ca.crluri2) };
+
+ ca_info->add_crluri(ca_info, uri);
+ }
+ if (msg->add_ca.ocspuri)
+ {
+ chunk_t uri = { msg->add_ca.ocspuri, strlen(msg->add_ca.ocspuri) };
+
+ ca_info->add_ocspuri(ca_info, uri);
+ }
+ if (msg->add_ca.ocspuri2)
+ {
+ chunk_t uri = { msg->add_ca.ocspuri2, strlen(msg->add_ca.ocspuri2) };
+
+ ca_info->add_ocspuri(ca_info, uri);
+ }
+ charon->credentials->add_ca_info(charon->credentials, ca_info);
+ DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name);
+
+}
+
+/**
+ * Delete a ca information record from the cainfo list
+ */
+static void stroke_del_ca(stroke_msg_t *msg, FILE *out)
+{
+ status_t status;
+
+ pop_string(msg, &(msg->del_ca.name));
+ DBG1(DBG_CFG, "received stroke: delete ca '%s'", msg->del_ca.name);
+
+ status = charon->credentials->release_ca_info(charon->credentials,
+ msg->del_ca.name);
+
+ if (status == SUCCESS)
+ {
+ fprintf(out, "deleted ca '%s'\n", msg->del_ca.name);
+ }
+ else
+ {
+ fprintf(out, "no ca named '%s'\n", msg->del_ca.name);
+ }
+}
+
+/**
+ * show status of daemon
+ */
+static void stroke_statusall(stroke_msg_t *msg, FILE *out)
+{
+ iterator_t *iterator;
+ linked_list_t *list;
+ host_t *host;
+ connection_t *connection;
+ policy_t *policy;
+ ike_sa_t *ike_sa;
+ char *name = NULL;
+
+ leak_detective_status(out);
+
+ fprintf(out, "Performance:\n");
+ fprintf(out, " worker threads: %d idle of %d,",
+ charon->thread_pool->get_idle_threads(charon->thread_pool),
+ charon->thread_pool->get_pool_size(charon->thread_pool));
+ fprintf(out, " job queue load: %d,",
+ charon->job_queue->get_count(charon->job_queue));
+ fprintf(out, " scheduled events: %d\n",
+ charon->event_queue->get_count(charon->event_queue));
+ list = charon->kernel_interface->create_address_list(charon->kernel_interface);
+
+ fprintf(out, "Listening on %d IP addresses:\n", list->get_count(list));
+ while (list->remove_first(list, (void**)&host) == SUCCESS)
+ {
+ fprintf(out, " %H\n", host);
+ host->destroy(host);
+ }
+ list->destroy(list);
+
+ if (msg->status.name)
+ {
+ pop_string(msg, &(msg->status.name));
+ name = msg->status.name;
+ }
+
+ iterator = charon->connections->create_iterator(charon->connections);
+ if (iterator->get_count(iterator) > 0)
+ {
+ fprintf(out, "Connections:\n");
+ }
+ while (iterator->iterate(iterator, (void**)&connection))
+ {
+ if (connection->is_ikev2(connection)
+ && (name == NULL || streq(name, connection->get_name(connection))))
+ {
+ fprintf(out, "%12s: %H...%H\n",
+ connection->get_name(connection),
+ connection->get_my_host(connection),
+ connection->get_other_host(connection));
+ }
+ }
+ iterator->destroy(iterator);
+
+ iterator = charon->policies->create_iterator(charon->policies);
+ if (iterator->get_count(iterator) > 0)
+ {
+ fprintf(out, "Policies:\n");
+ }
+ while (iterator->iterate(iterator, (void**)&policy))
+ {
+ if (name == NULL || streq(name, policy->get_name(policy)))
+ {
+ fprintf(out, "%12s: '%D'...'%D'\n",
+ policy->get_name(policy),
+ policy->get_my_id(policy),
+ policy->get_other_id(policy));
+ }
+ }
+ iterator->destroy(iterator);
+
+ iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager);
+ if (iterator->get_count(iterator) > 0)
+ {
+ fprintf(out, "Security Associations:\n");
+ }
+ while (iterator->iterate(iterator, (void**)&ike_sa))
+ {
+ bool ike_sa_printed = FALSE;
+ child_sa_t *child_sa;
+ iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
+
+ /* print IKE_SA */
+ if (name == NULL || strncmp(name, ike_sa->get_name(ike_sa), strlen(name)) == 0)
+ {
+ fprintf(out, "%#K\n", ike_sa);
+ ike_sa_printed = TRUE;
+ }
+
+ while (children->iterate(children, (void**)&child_sa))
+ {
+ bool child_sa_match = name == NULL ||
+ strncmp(name, child_sa->get_name(child_sa), strlen(name)) == 0;
+
+ /* print IKE_SA if its name differs from the CHILD_SA's name */
+ if (!ike_sa_printed && child_sa_match)
+ {
+ fprintf(out, "%#K\n", ike_sa);
+ ike_sa_printed = TRUE;
+ }
+
+ /* print CHILD_SA */
+ if (child_sa_match)
+ {
+ fprintf(out, "%#P\n", child_sa);
+ }
+ }
+ children->destroy(children);
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * show status of daemon
+ */
+static void stroke_status(stroke_msg_t *msg, FILE *out)
+{
+ iterator_t *iterator;
+ ike_sa_t *ike_sa;
+ char *name = NULL;
+
+ if (msg->status.name)
+ {
+ pop_string(msg, &(msg->status.name));
+ name = msg->status.name;
+ }
+
+ iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager);
+ while (iterator->iterate(iterator, (void**)&ike_sa))
+ {
+ bool ike_sa_printed = FALSE;
+ child_sa_t *child_sa;
+ iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
+
+ /* print IKE_SA */
+ if (name == NULL || strncmp(name, ike_sa->get_name(ike_sa), strlen(name)) == 0)
+ {
+ fprintf(out, "%K\n", ike_sa);
+ ike_sa_printed = TRUE;
+ }
+
+ while (children->iterate(children, (void**)&child_sa))
+ {
+ bool child_sa_match = name == NULL ||
+ strncmp(name, child_sa->get_name(child_sa), strlen(name)) == 0;
+
+ /* print IKE_SA if its name differs from the CHILD_SA's name */
+ if (!ike_sa_printed && child_sa_match)
+ {
+ fprintf(out, "%K\n", ike_sa);
+ ike_sa_printed = TRUE;
+ }
+
+ /* print CHILD_SA */
+ if (child_sa_match)
+ {
+ fprintf(out, "%P\n", child_sa);
+ }
+ }
+ children->destroy(children);
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * list all authority certificates matching a specified flag
+ */
+static void list_auth_certificates(u_int flag, const char *label, bool utc, FILE *out)
+{
+ bool first = TRUE;
+ x509_t *cert;
+
+ iterator_t *iterator = charon->credentials->create_auth_cert_iterator(charon->credentials);
+
+ while (iterator->iterate(iterator, (void**)&cert))
+ {
+ if (cert->has_authority_flag(cert, flag))
+ {
+ if (first)
+ {
+ fprintf(out, "\n");
+ fprintf(out, "List of X.509 %s Certificates:\n", label);
+ fprintf(out, "\n");
+ first = FALSE;
+ }
+ fprintf(out, "%#Q\n", cert, utc);
+ }
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * list various information
+ */
+static void stroke_list(stroke_msg_t *msg, FILE *out)
+{
+ iterator_t *iterator;
+
+ if (msg->list.flags & LIST_CERTS)
+ {
+ x509_t *cert;
+
+ iterator = charon->credentials->create_cert_iterator(charon->credentials);
+ if (iterator->get_count(iterator))
+ {
+ fprintf(out, "\n");
+ fprintf(out, "List of X.509 End Entity Certificates:\n");
+ fprintf(out, "\n");
+ }
+ while (iterator->iterate(iterator, (void**)&cert))
+ {
+ fprintf(out, "%#Q", cert, msg->list.utc);
+ if (charon->credentials->has_rsa_private_key(
+ charon->credentials, cert->get_public_key(cert)))
+ {
+ fprintf(out, ", has private key");
+ }
+ fprintf(out, "\n");
+
+ }
+ iterator->destroy(iterator);
+ }
+ if (msg->list.flags & LIST_CACERTS)
+ {
+ list_auth_certificates(AUTH_CA, "CA", msg->list.utc, out);
+ }
+ if (msg->list.flags & LIST_CAINFOS)
+ {
+ ca_info_t *ca_info;
+
+ iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
+ if (iterator->get_count(iterator))
+ {
+ fprintf(out, "\n");
+ fprintf(out, "List of X.509 CA Information Records:\n");
+ fprintf(out, "\n");
+ }
+ while (iterator->iterate(iterator, (void**)&ca_info))
+ {
+ fprintf(out, "%#W", ca_info, msg->list.utc);
+ }
+ iterator->destroy(iterator);
+ }
+ if (msg->list.flags & LIST_CRLS)
+ {
+ ca_info_t *ca_info;
+ bool first = TRUE;
+
+ iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
+
+ while (iterator->iterate(iterator, (void **)&ca_info))
+ {
+ if (ca_info->has_crl(ca_info))
+ {
+ if (first)
+ {
+ fprintf(out, "\n");
+ fprintf(out, "List of X.509 CRLs:\n");
+ fprintf(out, "\n");
+ first = FALSE;
+ }
+ ca_info->list_crl(ca_info, out, msg->list.utc);
+ }
+ }
+ iterator->destroy(iterator);
+ }
+ if (msg->list.flags & LIST_OCSPCERTS)
+ {
+ list_auth_certificates(AUTH_OCSP, "OCSP", msg->list.utc, out);
+ }
+ if (msg->list.flags & LIST_OCSP)
+ {
+ ca_info_t *ca_info;
+ bool first = TRUE;
+
+ iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
+
+ while (iterator->iterate(iterator, (void **)&ca_info))
+ {
+ if (ca_info->has_certinfos(ca_info))
+ {
+ if (first)
+ {
+ fprintf(out, "\n");
+ fprintf(out, "List of OCSP responses:\n");
+ first = FALSE;
+ }
+ fprintf(out, "\n");
+ ca_info->list_certinfos(ca_info, out, msg->list.utc);
+ }
+ }
+ iterator->destroy(iterator);
+ }
+}
+
+/**
+ * reread various information
+ */
+static void stroke_reread(stroke_msg_t *msg, FILE *out)
+{
+ if (msg->reread.flags & REREAD_CACERTS)
+ {
+ charon->credentials->load_ca_certificates(charon->credentials);
+ }
+ if (msg->reread.flags & REREAD_OCSPCERTS)
+ {
+ charon->credentials->load_ocsp_certificates(charon->credentials);
+ }
+ if (msg->reread.flags & REREAD_CRLS)
+ {
+ charon->credentials->load_crls(charon->credentials);
+ }
+}
+
+/**
+ * purge various information
+ */
+static void stroke_purge(stroke_msg_t *msg, FILE *out)
+{
+ if (msg->purge.flags & PURGE_OCSP)
+ {
+ iterator_t *iterator = charon->credentials->create_cainfo_iterator(charon->credentials);
+ ca_info_t *ca_info;
+
+ while (iterator->iterate(iterator, (void**)&ca_info))
+ {
+ ca_info->purge_ocsp(ca_info);
+ }
+ iterator->destroy(iterator);
+ }
+}
+
+signal_t get_signal_from_logtype(char *type)
+{
+ if (strcasecmp(type, "any") == 0) return SIG_ANY;
+ else if (strcasecmp(type, "mgr") == 0) return DBG_MGR;
+ else if (strcasecmp(type, "ike") == 0) return DBG_IKE;
+ else if (strcasecmp(type, "chd") == 0) return DBG_CHD;
+ else if (strcasecmp(type, "job") == 0) return DBG_JOB;
+ else if (strcasecmp(type, "cfg") == 0) return DBG_CFG;
+ else if (strcasecmp(type, "knl") == 0) return DBG_KNL;
+ else if (strcasecmp(type, "net") == 0) return DBG_NET;
+ else if (strcasecmp(type, "enc") == 0) return DBG_ENC;
+ else if (strcasecmp(type, "lib") == 0) return DBG_LIB;
+ else return -1;
+}
+
+/**
+ * set the verbosity debug output
+ */
+static void stroke_loglevel(stroke_msg_t *msg, FILE *out)
+{
+ signal_t signal;
+
+ pop_string(msg, &(msg->loglevel.type));
+ DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
+ msg->loglevel.level, msg->loglevel.type);
+
+ signal = get_signal_from_logtype(msg->loglevel.type);
+ if (signal < 0)
+ {
+ fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
+ return;
+ }
+
+ charon->outlog->set_level(charon->outlog, signal, msg->loglevel.level);
+ charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level);
+}
+
+/**
+ * process a stroke request from the socket pointed by "fd"
+ */
+static void stroke_process(int *fd)
+{
+ stroke_msg_t *msg;
+ u_int16_t msg_length;
+ ssize_t bytes_read;
+ FILE *out;
+ int strokefd = *fd;
+
+ /* peek the length */
+ bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
+ if (bytes_read != sizeof(msg_length))
+ {
+ DBG1(DBG_CFG, "reading length of stroke message failed");
+ close(strokefd);
+ return;
+ }
+
+ /* read message */
+ msg = malloc(msg_length);
+ bytes_read = recv(strokefd, msg, msg_length, 0);
+ if (bytes_read != msg_length)
+ {
+ DBG1(DBG_CFG, "reading stroke message failed: %m");
+ close(strokefd);
+ return;
+ }
+
+ out = fdopen(dup(strokefd), "w");
+ if (out == NULL)
+ {
+ DBG1(DBG_CFG, "opening stroke output channel failed: %m");
+ close(strokefd);
+ free(msg);
+ return;
+ }
+
+ DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
+
+ switch (msg->type)
+ {
+ case STR_INITIATE:
+ stroke_initiate(msg, out);
+ break;
+ case STR_ROUTE:
+ stroke_route(msg, out, TRUE);
+ break;
+ case STR_UNROUTE:
+ stroke_route(msg, out, FALSE);
+ break;
+ case STR_TERMINATE:
+ stroke_terminate(msg, out);
+ break;
+ case STR_STATUS:
+ stroke_status(msg, out);
+ break;
+ case STR_STATUS_ALL:
+ stroke_statusall(msg, out);
+ break;
+ case STR_ADD_CONN:
+ stroke_add_conn(msg, out);
+ break;
+ case STR_DEL_CONN:
+ stroke_del_conn(msg, out);
+ break;
+ case STR_ADD_CA:
+ stroke_add_ca(msg, out);
+ break;
+ case STR_DEL_CA:
+ stroke_del_ca(msg, out);
+ break;
+ case STR_LOGLEVEL:
+ stroke_loglevel(msg, out);
+ break;
+ case STR_LIST:
+ stroke_list(msg, out);
+ break;
+ case STR_REREAD:
+ stroke_reread(msg, out);
+ break;
+ case STR_PURGE:
+ stroke_purge(msg, out);
+ break;
+ default:
+ DBG1(DBG_CFG, "received unknown stroke");
+ }
+ fclose(out);
+ close(strokefd);
+ free(msg);
+}
+
+/**
+ * Implementation of private_stroke_t.stroke_receive.
+ */
+static void stroke_receive(private_stroke_t *this)
+{
+ struct sockaddr_un strokeaddr;
+ int strokeaddrlen = sizeof(strokeaddr);
+ int strokefd;
+ int oldstate;
+ pthread_t thread;
+
+ /* ignore sigpipe. writing over the pipe back to the console
+ * only fails if SIGPIPE is ignored. */
+ signal(SIGPIPE, SIG_IGN);
+
+ /* disable cancellation by default */
+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
+
+ while (TRUE)
+ {
+ /* wait for connections, but allow thread to terminate */
+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+ strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
+ pthread_setcancelstate(oldstate, NULL);
+
+ if (strokefd < 0)
+ {
+ DBG1(DBG_CFG, "accepting stroke connection failed: %m");
+ continue;
+ }
+
+ /* handle request asynchronously */
+ if (pthread_create(&thread, NULL, (void*(*)(void*))stroke_process, (void*)&strokefd) != 0)
+ {
+ DBG1(DBG_CFG, "failed to spawn stroke thread: %m");
+ }
+ /* detach so the thread terminates cleanly */
+ pthread_detach(thread);
+ }
+}
+
+/**
+ * Implementation of stroke_t.destroy.
+ */
+static void destroy(private_stroke_t *this)
+{
+ pthread_cancel(this->assigned_thread);
+ pthread_join(this->assigned_thread, NULL);
+
+ close(this->socket);
+ unlink(socket_addr.sun_path);
+ free(this);
+}
+
+/*
+ * Described in header-file
+ */
+stroke_t *stroke_create()
+{
+ private_stroke_t *this = malloc_thing(private_stroke_t);
+ mode_t old;
+
+ /* public functions */
+ this->public.destroy = (void (*)(stroke_t*))destroy;
+
+ /* set up unix socket */
+ this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (this->socket == -1)
+ {
+ DBG1(DBG_CFG, "could not create whack socket");
+ free(this);
+ return NULL;
+ }
+
+ old = umask(~S_IRWXU);
+ if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
+ {
+ DBG1(DBG_CFG, "could not bind stroke socket: %m");
+ close(this->socket);
+ free(this);
+ return NULL;
+ }
+ umask(old);
+
+ if (listen(this->socket, 0) < 0)
+ {
+ DBG1(DBG_CFG, "could not listen on stroke socket: %m");
+ close(this->socket);
+ unlink(socket_addr.sun_path);
+ free(this);
+ return NULL;
+ }
+
+ /* start a thread reading from the socket */
+ if (pthread_create(&(this->assigned_thread), NULL, (void*(*)(void*))stroke_receive, this) != 0)
+ {
+ DBG1(DBG_CFG, "could not spawn stroke thread");
+ close(this->socket);
+ unlink(socket_addr.sun_path);
+ free(this);
+ return NULL;
+ }
+
+ return (&this->public);
+}
diff --git a/src/charon/threads/stroke_interface.h b/src/charon/threads/stroke_interface.h
new file mode 100644
index 000000000..0def5167e
--- /dev/null
+++ b/src/charon/threads/stroke_interface.h
@@ -0,0 +1,61 @@
+/**
+ * @file stroke.h
+ *
+ * @brief Interface of stroke_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef STROKE_INTERFACE_H_
+#define STROKE_INTERFACE_H_
+
+typedef struct stroke_t stroke_t;
+
+/**
+ * @brief Stroke is a configuration and control interface which
+ * allows other processes to modify charons behavior.
+ *
+ * stroke_t allows config manipulation (as whack in pluto).
+ * Messages of type stroke_msg_t's are sent over a unix socket
+ * (/var/run/charon.ctl).
+ *
+ * @b Constructors:
+ * - stroke_create()
+ *
+ * @ingroup threads
+ */
+struct stroke_t {
+
+ /**
+ * @brief Destroy a stroke_t instance.
+ *
+ * @param this stroke_t objec to destroy
+ */
+ void (*destroy) (stroke_t *this);
+};
+
+
+/**
+ * @brief Create the stroke interface and listen on the socket.
+ *
+ * @return stroke_t object
+ *
+ * @ingroup threads
+ */
+stroke_t *stroke_create(void);
+
+#endif /* STROKE_INTERFACE_H_ */
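Review bot: The `@return stroke_t object` line on stroke_create() does not say that the constructor can fail. The implementation in stroke_interface.c returns NULL when socket(), bind(), listen() or pthread_create() fails, so the contract should read something like `@return stroke_t object, NULL if the socket or receiver thread could not be set up`. The stroke_t comment would also benefit from one sentence on the trust model of the control socket: the implementation binds it under `umask(~S_IRWXU)`, which restricts it to the daemon's owner, and messages received on it can add connections and CA records. Minor: the `@file stroke.h` tag does not match the file name stroke_interface.h, and `objec` in the destroy() comment is a typo.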
diff --git a/src/charon/threads/thread_pool.c b/src/charon/threads/thread_pool.c
new file mode 100644
index 000000000..052b5aab9
--- /dev/null
+++ b/src/charon/threads/thread_pool.c
@@ -0,0 +1,181 @@
+/**
+ * @file thread_pool.c
+ *
+ * @brief Implementation of thread_pool_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <pthread.h>
+#include <string.h>
+#include <errno.h>
+
+#include "thread_pool.h"
+
+#include <daemon.h>
+#include <queues/job_queue.h>
+
+
+typedef struct private_thread_pool_t private_thread_pool_t;
+
+/**
+ * @brief Private data of thread_pool_t class.
+ */
+struct private_thread_pool_t {
+ /**
+ * Public thread_pool_t interface.
+ */
+ thread_pool_t public;
+
+ /**
+ * Number of running threads.
+ */
+ u_int pool_size;
+
+ /**
+ * Number of threads waiting for work
+ */
+ u_int idle_threads;
+
+ /**
+ * Array of thread ids.
+ */
+ pthread_t *threads;
+} ;
+
+/**
+ * Implementation of private_thread_pool_t.process_jobs.
+ */
+static void process_jobs(private_thread_pool_t *this)
+{
+ job_t *job;
+ status_t status;
+
+ /* cancellation disabled by default */
+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
+
+ DBG1(DBG_JOB, "worker thread running, thread_ID: %06u",
+ (int)pthread_self());
+
+ while (TRUE)
+ {
+ /* TODO: should be atomic, but is not mission critical */
+ this->idle_threads++;
+ job = charon->job_queue->get(charon->job_queue);
+ this->idle_threads--;
+
+ status = job->execute(job);
+
+ if (status == DESTROY_ME)
+ {
+ job->destroy(job);
+ }
+ }
+}
+
+/**
+ * Implementation of thread_pool_t.get_pool_size.
+ */
+static u_int get_pool_size(private_thread_pool_t *this)
+{
+ return this->pool_size;
+}
+
+/**
+ * Implementation of thread_pool_t.get_idle_threads.
+ */
+static u_int get_idle_threads(private_thread_pool_t *this)
+{
+ return this->idle_threads;
+}
+
+/**
+ * Implementation of thread_pool_t.destroy.
+ */
+static void destroy(private_thread_pool_t *this)
+{
+ int current;
+ /* flag thread for termination */
+ for (current = 0; current < this->pool_size; current++)
+ {
+ DBG1(DBG_JOB, "cancelling worker thread #%d", current+1);
+ pthread_cancel(this->threads[current]);
+ }
+
+ /* wait for all threads */
+ for (current = 0; current < this->pool_size; current++) {
+ if (pthread_join(this->threads[current], NULL) == 0)
+ {
+ DBG1(DBG_JOB, "worker thread #%d terminated", current+1);
+ }
+ else
+ {
+ DBG1(DBG_JOB, "could not terminate worker thread #%d", current+1);
+ }
+ }
+
+ /* free mem */
+ free(this->threads);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+thread_pool_t *thread_pool_create(size_t pool_size)
+{
+ int current;
+ private_thread_pool_t *this = malloc_thing(private_thread_pool_t);
+
+ /* fill in public fields */
+ this->public.destroy = (void(*)(thread_pool_t*))destroy;
+ this->public.get_pool_size = (u_int(*)(thread_pool_t*))get_pool_size;
+ this->public.get_idle_threads = (u_int(*)(thread_pool_t*))get_idle_threads;
+
+ /* initialize member */
+ this->pool_size = pool_size;
+ this->idle_threads = 0;
+ this->threads = malloc(sizeof(pthread_t) * pool_size);
+
+ /* try to create as many threads as possible, up to pool_size */
+ for (current = 0; current < pool_size; current++)
+ {
+ if (pthread_create(&(this->threads[current]), NULL,
+ (void*(*)(void*))process_jobs, this) == 0)
+ {
+ DBG1(DBG_JOB, "created worker thread #%d", current+1);
+ }
+ else
+ {
+ /* creation failed, is it the first one? */
+ if (current == 0)
+ {
+ free(this->threads);
+ free(this);
+ charon->kill(charon, "could not create any worker threads");
+ }
+ /* not all threads could be created, but at least one :-/ */
+ DBG1(DBG_JOB, "could only create %d from requested %d threads!",
+ current, pool_size);
+ this->pool_size = current;
+ break;
+ }
+ }
+ return (thread_pool_t*)this;
+}
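Review bot: In thread_pool_create(), the `current == 0` failure branch frees `this->threads` and `this` and then calls `charon->kill(...)`, but nothing stops execution from falling through to the `DBG1`, `this->pool_size = current` and the final `return`. That would touch freed memory if kill() ever returns; its definition is not visible here, so the code presumably relies on it not returning. Making that explicit costs one line: add `return NULL;` directly after `charon->kill(charon, "could not create any worker threads");`. The `malloc(sizeof(pthread_t) * pool_size)` result is also used without a NULL check before the first `pthread_create`. In process_jobs(), `idle_threads` is updated by every worker without synchronisation (already flagged by the TODO), so the value reported by get_idle_threads() is only approximate.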
diff --git a/src/charon/threads/thread_pool.h b/src/charon/threads/thread_pool.h
new file mode 100644
index 000000000..8e1989bda
--- /dev/null
+++ b/src/charon/threads/thread_pool.h
@@ -0,0 +1,87 @@
+/**
+ * @file thread_pool.h
+ *
+ * @brief Interface of thread_pool_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef THREAD_POOL_H_
+#define THREAD_POOL_H_
+
+typedef struct thread_pool_t thread_pool_t;
+
+#include <stdlib.h>
+
+#include <library.h>
+
+/**
+ * @brief A thread_pool consists of a pool of threads processing jobs from the job queue.
+ *
+ * Current implementation uses as many threads as specified in constructor.
+ * A more improved version would dynamically increase thread count if necessary.
+ *
+ * @b Constructors:
+ * - thread_pool_create()
+ *
+ * @todo Add support for dynamic thread handling
+ *
+ * @ingroup threads
+ */
+struct thread_pool_t {
+
+ /**
+ * @brief Return currently instanciated thread count.
+ *
+ * @param thread_pool calling object
+ * @return size of thread pool
+ */
+ u_int (*get_pool_size) (thread_pool_t *thread_pool);
+
+ /**
+ * @brief Get the number of threads currently waiting for work.
+ *
+ * @param thread_pool calling object
+ * @return number of idle threads
+ */
+ u_int (*get_idle_threads) (thread_pool_t *thread_pool);
+
+ /**
+ * @brief Destroy a thread_pool_t object.
+ *
+ * Sends cancellation request to all threads and AWAITS their termination.
+ *
+ * @param thread_pool calling object
+ */
+ void (*destroy) (thread_pool_t *thread_pool);
+};
+
+/**
+ * @brief Create the thread pool using using pool_size of threads.
+ *
+ * @param pool_size desired pool size
+ * @return
+ * - thread_pool_t object if one ore more threads could be started, or
+ * - NULL if no threads could be created
+ *
+ * @ingroup threads
+ */
+thread_pool_t *thread_pool_create(size_t pool_size);
+
+
+#endif /*THREAD_POOL_H_*/
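Review bot: The `@return` text for `thread_pool_create()` promises `NULL if no threads could be created`, but the implementation added in thread_pool.c in this same commit never returns NULL. When the first `pthread_create()` fails it frees `this->threads` and `this` and calls `charon->kill()`, and the `malloc()` for the thread array is not checked at all. If `charon->kill()` can return (not visible here), execution falls through to `this->pool_size = current`, which writes to freed memory. Either document the real contract, e.g. `* @return thread_pool_t object; the daemon is killed if no thread could be started`, or add `return NULL;` after the two `free()` calls so the header and the code agree. The words `using using`, `ore` and `instanciated` in these comments are typos.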
diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am
new file mode 100644
index 000000000..44964e041
--- /dev/null
+++ b/src/ipsec/Makefile.am
@@ -0,0 +1,16 @@
+sbin_SCRIPTS = ipsec
+CLEANFILES = ipsec
+dist_man8_MANS = ipsec.8
+EXTRA_DIST = ipsec.in
+
+ipsec : ipsec.in
+ sed \
+ -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+ -e "s:@IPSEC_NAME@:$(PACKAGE_NAME):" \
+ -e "s:@IPSEC_DISTRO@::" \
+ -e "s:@IPSEC_DIR@:$(ipsecdir):" \
+ -e "s:@IPSEC_SBINDIR@:$(sbindir):" \
+ -e "s:@IPSEC_CONFDIR@:$(confdir):" \
+ -e "s:@IPSEC_PIDDIR@:$(piddir):" \
+ $< > $@
+ chmod +x $@
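Review bot: The `ipsec` rule redirects sed straight into `$@`, so a failed or interrupted sed leaves an empty or partial `ipsec` with a fresh timestamp. The next `make` then treats it as up to date, and `install-sbinSCRIPTS` would copy it into sbindir. Writing to a temporary file and renaming it avoids that: `$< > $@.tmp && chmod +x $@.tmp && mv $@.tmp $@`. The `s:…:…:` expressions also assume that none of the configured directories contains a `:`; a one-line comment above the rule stating that would help.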
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
new file mode 100644
index 000000000..eaf0e9d79
--- /dev/null
+++ b/src/ipsec/Makefile.in
@@ -0,0 +1,434 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/ipsec
+DIST_COMMON = $(dist_man8_MANS) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"
+sbinSCRIPT_INSTALL = $(INSTALL_SCRIPT)
+SCRIPTS = $(sbin_SCRIPTS)
+SOURCES =
+DIST_SOURCES =
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(dist_man8_MANS)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+sbin_SCRIPTS = ipsec
+CLEANFILES = ipsec
+dist_man8_MANS = ipsec.8
+EXTRA_DIST = ipsec.in
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/ipsec/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/ipsec/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-sbinSCRIPTS: $(sbin_SCRIPTS)
+ @$(NORMAL_INSTALL)
+ test -z "$(sbindir)" || $(mkdir_p) "$(DESTDIR)$(sbindir)"
+ @list='$(sbin_SCRIPTS)'; for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ if test -f $$d$$p; then \
+ f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \
+ echo " $(sbinSCRIPT_INSTALL) '$$d$$p' '$(DESTDIR)$(sbindir)/$$f'"; \
+ $(sbinSCRIPT_INSTALL) "$$d$$p" "$(DESTDIR)$(sbindir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-sbinSCRIPTS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(sbin_SCRIPTS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's|^.*/||;$(transform)'`; \
+ echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \
+ rm -f "$(DESTDIR)$(sbindir)/$$f"; \
+ done
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+install-man8: $(man8_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(SCRIPTS) $(MANS)
+installdirs:
+ for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+ -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+ -rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-libtool
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-man
+
+install-exec-am: install-sbinSCRIPTS
+
+install-info: install-info-am
+
+install-man: install-man8
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-info-am uninstall-man uninstall-sbinSCRIPTS
+
+uninstall-man: uninstall-man8
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+ distclean distclean-generic distclean-libtool distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-exec install-exec-am \
+ install-info install-info-am install-man install-man8 \
+ install-sbinSCRIPTS install-strip installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
+ ps ps-am uninstall uninstall-am uninstall-info-am \
+ uninstall-man uninstall-man8 uninstall-sbinSCRIPTS
+
+
+ipsec : ipsec.in
+ sed \
+ -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+ -e "s:@IPSEC_NAME@:$(PACKAGE_NAME):" \
+ -e "s:@IPSEC_DISTRO@::" \
+ -e "s:@IPSEC_DIR@:$(ipsecdir):" \
+ -e "s:@IPSEC_SBINDIR@:$(sbindir):" \
+ -e "s:@IPSEC_CONFDIR@:$(confdir):" \
+ -e "s:@IPSEC_PIDDIR@:$(piddir):" \
+ $< > $@
+ chmod +x $@
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/programs/ipsec/ipsec.8 b/src/ipsec/ipsec.8
index 823289372..b37ac2c3a 100644
--- a/programs/ipsec/ipsec.8
+++ b/src/ipsec/ipsec.8
@@ -313,10 +313,16 @@ The
command sets them if they are not already set.
.nf
.na
-IPSEC_EXECDIR directory containing published commands
-IPSEC_LIBDIR directory containing internal executables
-IPSEC_SBINDIR directory containing \fBipsec\fP command
-IPSEC_CONFS directory containing configuration files
+
+IPSEC_DIR directory containing ipsec programs and utilities
+IPSEC_SBINDIR directory containing \fBipsec\fP command
+IPSEC_CONFDIR directory containing configuration files
+IPSEC_PIDDIR directory containing PID files
+IPSEC_NAME name of ipsec distribution
+IPSEC_VERSION version numer of ipsec userland and kernel
+IPSEC_STARTER_PID PID file for ipsec starter
+IPSEC_PLUTO_PID PID file for IKEv1 keying daemon
+IPSEC_CHARON_PID PID file for IKEv2 keying daemon
.ad
.fi
.SH SEE ALSO
diff --git a/programs/ipsec/ipsec.in b/src/ipsec/ipsec.in
index 1c657b9e7..bd74b6f16 100755
--- a/programs/ipsec/ipsec.in
+++ b/src/ipsec/ipsec.in
@@ -1,6 +1,8 @@
#! /bin/sh
# prefix command to run stuff from our programs directory
# Copyright (C) 1998-2002 Henry Spencer.
+# Copyright (C) 2006 Andreas Steffen
+# Copyright (C) 2006 Martin Willi
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
@@ -12,58 +14,30 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
-# RCSID $Id: ipsec.in,v 1.14 2006/05/25 11:52:03 as Exp $
+# RCSID $Id: ipsec.in,v 1.13 2006/03/09 20:09:33 as Exp $
-IPSEC_NAME=strongSwan
+# name and version of the ipsec implementation
+IPSEC_NAME="@IPSEC_NAME@"
+IPSEC_VERSION="U@IPSEC_VERSION@/K`uname -r`"
# where the private directory and the config files are
-IPSEC_EXECDIR="${IPSEC_EXECDIR-@IPSEC_EXECDIR@}"
-IPSEC_LIBDIR="${IPSEC_LIBDIR-@IPSEC_LIBDIR@}"
-IPSEC_SBINDIR="${IPSEC_SBINDIR-@IPSEC_SBINDIR@}"
-IPSEC_CONFS="${IPSEC_CONFS-@IPSEC_CONFS@}"
+IPSEC_DIR="@IPSEC_DIR@"
+IPSEC_SBINDIR="@IPSEC_SBINDIR@"
+IPSEC_CONFDIR="@IPSEC_CONFDIR@"
+IPSEC_PIDDIR="@IPSEC_PIDDIR@"
-IPSEC_DIR="$IPSEC_LIBDIR"
-export IPSEC_DIR IPSEC_CONFS IPSEC_LIBDIR IPSEC_EXECDIR
+IPSEC_STARTER_PID="${IPSEC_PIDDIR}/starter.pid"
+IPSEC_PLUTO_PID="${IPSEC_PIDDIR}/pluto.pid"
+IPSEC_CHARON_PID="${IPSEC_PIDDIR}/charon.pid"
-IPSEC_STARTER_PID="/var/run/starter.pid"
+IPSEC_WHACK="${IPSEC_DIR}/whack"
+IPSEC_STROKE="${IPSEC_DIR}/stroke"
+IPSEC_STARTER="${IPSEC_DIR}/starter"
-# standardize PATH, and export it for everything else's benefit
-PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
-export PATH
+export IPSEC_DIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_VERSION IPSEC_NAME IPSEC_STARTER_PID IPSEC_PLUTO_PID IPSEC_CHARON_PID
-# things not to be listed in --help command list
-DONTMENTION='^(ipsec|_.*|.*\.old|.*~)$'
-
-# version numbering (details filled in by build)
-# Possibly should call a C program to invoke the version_code() function
-# instead, but for performance's sake, we inline it here (and only here).
-version="xxx"
-
-# export the version information
-IPSEC_VERSION="$version"
-export IPSEC_VERSION
-
-# function for the funky user/kernel version stuff
-fixversion() {
- if test -f /proc/net/ipsec_version
- then
- stack=" (KLIPS)"
- kv="`awk '{print $NF}' /proc/net/ipsec_version`"
- else
- if test -f /proc/net/pfkey
- then
- stack=" (native)"
- kv="`uname -r`"
- else
- kv="(no kernel code presently loaded)"
- fi
- fi
- if test " $kv" != " $version"
- then
- version="U$version/K$kv"
- fi
- version="$version$stack"
-}
+IPSEC_DISTRO="Institute for Internet Technologies and Applications\n
+ University of Applied Sciences Rapperswil, Switzerland"
case "$1" in
'')
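Review bot: Dropping the `PATH=…` / `export PATH` reset means every external command the wrapper and its children run is now looked up through whatever PATH the caller supplies, starting with the `uname -r` in the new `IPSEC_VERSION` line. This script is presumably run as root to control the IKE daemons, so I would keep a fixed search path: `PATH="${IPSEC_SBINDIR}":/sbin:/usr/sbin:/bin:/usr/bin` followed by `export PATH`. Making the directory variables no longer overridable from the environment is a sensible tightening, and the PATH reset belongs with it.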
@@ -99,13 +73,13 @@ case "$1" in
echo " starter"
echo " version"
echo " whack"
+ echo " stoke"
echo
echo "Some of these functions have their own manual pages, e.g. ipsec_scepclient(8)."
exit 0
;;
--versioncode)
- fixversion
- echo "$version"
+ echo "$IPSEC_VERSION"
exit 0
;;
--copyright)
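Review bot: The new help entry is misspelled: `echo " stoke"` should name the `stroke` utility that `IPSEC_STROKE` points at, i.e. `echo " stroke"`. The visible entries (`starter`, `version`, `whack`) are in alphabetical order, so the new line would fit better directly after `starter`. The enclosing `--help` branch starts outside this hunk.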
@@ -117,7 +91,7 @@ case "$1" in
exit 0
;;
--confdir)
- echo "$IPSEC_CONFS"
+ echo "$IPSEC_CONFDIR"
exit 0
;;
down)
@@ -127,23 +101,50 @@ down)
echo "Usage: ipsec down <connection name>"
exit 1
fi
- $IPSEC_EXECDIR/whack --name "$1" --terminate
+ if test -e $IPSEC_PLUTO_PID
+ then
+ $IPSEC_WHACK --name "$1" --terminate
+ fi
+ if test -e $IPSEC_CHARON_PID
+ then
+ $IPSEC_STROKE down "$1"
+ fi
exit 0
;;
-listalgs|listpubkeys|listcerts|listcacerts|\
-listaacerts|listocspcerts|listacerts|listgroups|\
-listcainfos|listcrls|listocsp|listcards|\
-listall|purgeocsp|rereadsecrets|rereadgroups|\
-rereadcacerts|rereadaacerts|rereadocspcerts|\
-rereadacerts|rereadcrls|rereadall)
+listalgs|listpubkeys|listaacerts|\
+listacerts|listgroups|\listcards|\
+rereadsecrets|rereadgroups|\
+rereadaacerts|rereadacerts)
op="$1"
shift
- $IPSEC_EXECDIR/whack "$@" "--$op"
+ if test -e $IPSEC_PLUTO_PID
+ then
+ $IPSEC_WHACK "$@" "--$op"
+ fi
+ exit 0
+ ;;
+listcerts|listcacerts|listocspcerts|\
+listcainfos|listcrls|listocsp|listall|\
+rereadcacerts|rereadocspcerts|rereadcrls|\
+rereadall|purgeocsp)
+ op="$1"
+ shift
+ if test -e $IPSEC_PLUTO_PID
+ then
+ $IPSEC_WHACK "$@" "--$op"
+ fi
+ if test -e $IPSEC_CHARON_PID
+ then
+ $IPSEC_STROKE "$op" "$@"
+ fi
exit 0
;;
ready)
shift
- $IPSEC_EXECDIR/whack --listen
+ if test -e $IPSEC_PLUTO_PID
+ then
+ $IPSEC_WHACK --listen
+ fi
exit 0
;;
reload)
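Review bot: Every branch in this hunk does nothing and still ends in `exit 0` when neither `$IPSEC_PLUTO_PID` nor `$IPSEC_CHARON_PID` exists, and the status of `whack`/`stroke` is discarded. `ipsec down <conn>` or `ipsec rereadcrls` therefore reports success on a host where no daemon handled the request. The same pattern recurs in the `route|unroute`, `status|statusall` and `up` branches of the next two hunks. A caller that scripts these commands to tear down a tunnel or reload revocation data cannot tell that nothing happened. I would carry a result variable through each branch and quote the PID-file tests, as sketched for `down` below; which status should win when both daemons run is a design choice. The `down` branch begins before this hunk.

```shell
down)
	# … unchanged: shift and usage check …
	rc=1	# stays non-zero when no daemon took the request
	if test -e "$IPSEC_PLUTO_PID"
	then
		$IPSEC_WHACK --name "$1" --terminate && rc=0
	fi
	if test -e "$IPSEC_CHARON_PID"
	then
		$IPSEC_STROKE down "$1" && rc=0
	fi
	exit $rc
	;;
```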
@@ -171,27 +172,58 @@ route|unroute)
echo "Usage: ipsec $op <connection name>"
exit 1
fi
- $IPSEC_EXECDIR/whack --name "$1" "--$op"
+ if test -e $IPSEC_PLUTO_PID
+ then
+ $IPSEC_WHACK --name "$1" "--$op"
+ fi
+ if test -e $IPSEC_CHARON_PID
+ then
+ $IPSEC_STROKE "$op" "$1"
+ fi
exit 0
;;
scencrypt|scdecrypt)
op="$1"
shift
- $IPSEC_EXECDIR/whack "--$op" "$@"
+ if test -e $IPSEC_PLUTO_PID
+ then
+ $IPSEC_WHACK "--$op" "$@"
+ fi
+ exit 0
+ ;;
+secrets)
+ if test -e $IPSEC_PLUTO_PID
+ then
+ $IPSEC_WHACK --rereadsecrets
+ fi
exit 0
;;
start)
shift
- exec $IPSEC_EXECDIR/starter "$@"
+ exec $IPSEC_STARTER "$@"
;;
status|statusall)
op="$1"
shift
if test $# -eq 0
then
- $IPSEC_EXECDIR/whack "--$op"
+ if test -e $IPSEC_PLUTO_PID
+ then
+ $IPSEC_WHACK "--$op"
+ fi
+ if test -e $IPSEC_CHARON_PID
+ then
+ $IPSEC_STROKE "$op"
+ fi
else
- $IPSEC_EXECDIR/whack --name "$1" "--$op"
+ if test -e $IPSEC_PLUTO_PID
+ then
+ $IPSEC_WHACK --name "$1" "--$op"
+ fi
+ if test -e $IPSEC_CHARON_PID
+ then
+ $IPSEC_STROKE "$op" "$1"
+ fi
fi
exit 0
;;
@@ -212,27 +244,30 @@ up)
echo "Usage: ipsec up <connection name>"
exit 1
fi
- $IPSEC_EXECDIR/whack --name "$1" --initiate
+ if test -e $IPSEC_PLUTO_PID
+ then
+ $IPSEC_WHACK --name "$1" --initiate
+ fi
+ if test -e $IPSEC_CHARON_PID
+ then
+ $IPSEC_STROKE up "$1"
+ fi
exit 0
;;
update)
if test -e $IPSEC_STARTER_PID
then
- echo "Updating strongSwan IPsec configuration..." >&2
- kill -s HUP `cat $IPSEC_STARTER_PID`
+ echo "Updating strongSwan IPsec configuration..." >&2
+ kill -s HUP `cat $IPSEC_STARTER_PID`
else
- echo "ipsec starter is not running" >&2
+ echo "ipsec starter is not running" >&2
fi
exit 0
;;
version|--version)
- fixversion
- echo "Linux $IPSEC_NAME $version"
+ echo "Linux $IPSEC_NAME $IPSEC_VERSION"
echo "See \`ipsec --copyright' for copyright information."
- if [ -f $IPSEC_LIBDIR/distro.txt ]
- then
- cat $IPSEC_LIBDIR/distro.txt
- fi
+ echo $IPSEC_DISTRO
exit 0
;;
--*)
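Review bot: `echo $IPSEC_DISTRO` is unquoted, and the value assigned in the earlier hunk holds both a literal `\n` and a real line break, so the output depends on the shell. Word splitting collapses the line break and the indentation, and whether `\n` is expanded differs between `echo` implementations. `printf '%s\n' "$IPSEC_DISTRO"`, with the `\n` removed from the assignment, prints the two lines the same way everywhere.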
@@ -244,11 +279,11 @@ esac
cmd="$1"
shift
-path="$IPSEC_EXECDIR/$cmd"
+path="$IPSEC_DIR/$cmd"
if test ! -x "$path"
then
- path="$IPSEC_LIBDIR/$cmd"
+ path="$IPSEC_DIR/$cmd"
if test ! -x "$path"
then
echo "$0: unknown IPsec command \`$cmd' (\`ipsec --help' for list)" >&2
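Review bot: After the rename both assignments are `path="$IPSEC_DIR/$cmd"`, so the nested `if test ! -x "$path"` retry can never find anything the first test missed. The inner assignment and test can be dropped, leaving a single check before the error message. `$cmd` is also joined into the path exactly as typed, so it is worth rejecting names that contain a `/` before `path` is built, e.g. `case "$cmd" in */*) echo "$0: invalid command name" >&2; exit 2;; esac`. That keeps the wrapper confined to `$IPSEC_DIR` where it is reachable through sudo or a similar delegation. The `if` block continues past the end of this hunk.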
diff --git a/src/libcrypto/Makefile.am b/src/libcrypto/Makefile.am
new file mode 100644
index 000000000..23066033d
--- /dev/null
+++ b/src/libcrypto/Makefile.am
@@ -0,0 +1,11 @@
+noinst_LIBRARIES = libcrypto.a
+libcrypto_a_SOURCES = \
+libaes/aes_xcbc_mac.c libaes/aes_cbc.c libaes/aes_xcbc_mac.h libaes/aes_cbc.h libaes/aes.c libaes/aes.h \
+include/md32_common.h include/cbc_generic.h include/hmac_generic.h libblowfish/bf_skey.c libblowfish/blowfish.h \
+libblowfish/bf_pi.h libblowfish/bf_locl.h libblowfish/bf_enc.c libsha2/hmac_sha2.c libsha2/sha2.h libsha2/hmac_sha2.h \
+libsha2/sha2.c libserpent/serpent_cbc.c libserpent/serpent_cbc.h libserpent/serpent.c libserpent/serpent.h \
+libtwofish/twofish_cbc.h libtwofish/twofish_cbc.c libtwofish/twofish.c libtwofish/twofish.h libdes/des_enc.c \
+libdes/podd.h libdes/sk.h libdes/set_key.c libdes/speed.c libdes/fcrypt_b.c libdes/fcrypt.c libdes/destest.c \
+libdes/spr.h libdes/cbc_enc.c libdes/ecb_enc.c libdes/des_opts.c libdes/des_locl.h libdes/des_ver.h libdes/des.h
+
+INCLUDES = -I$(top_srcdir)/src/libcrypto/include
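Review bot: `libcrypto_a_SOURCES` lists `libdes/speed.c`, `libdes/destest.c` and `libdes/des_opts.c`, which in the libdes distribution are stand-alone benchmark and self-test programs with their own `main()`, not library code. That is worth confirming against the files in this tree. Compiling them into `libcrypto.a` adds unused objects and stray `main` symbols to an archive the keying daemons link against. I would drop the three files from the list, or build them as `check_PROGRAMS` if the tests are wanted.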
diff --git a/src/libcrypto/Makefile.in b/src/libcrypto/Makefile.in
new file mode 100644
index 000000000..63b7d4907
--- /dev/null
+++ b/src/libcrypto/Makefile.in
@@ -0,0 +1,761 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcrypto
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+LIBRARIES = $(noinst_LIBRARIES)
+ARFLAGS = cru
+libcrypto_a_AR = $(AR) $(ARFLAGS)
+libcrypto_a_LIBADD =
+am_libcrypto_a_OBJECTS = aes_xcbc_mac.$(OBJEXT) aes_cbc.$(OBJEXT) \
+ aes.$(OBJEXT) bf_skey.$(OBJEXT) bf_enc.$(OBJEXT) \
+ hmac_sha2.$(OBJEXT) sha2.$(OBJEXT) serpent_cbc.$(OBJEXT) \
+ serpent.$(OBJEXT) twofish_cbc.$(OBJEXT) twofish.$(OBJEXT) \
+ des_enc.$(OBJEXT) set_key.$(OBJEXT) speed.$(OBJEXT) \
+ fcrypt_b.$(OBJEXT) fcrypt.$(OBJEXT) destest.$(OBJEXT) \
+ cbc_enc.$(OBJEXT) ecb_enc.$(OBJEXT) des_opts.$(OBJEXT)
+libcrypto_a_OBJECTS = $(am_libcrypto_a_OBJECTS)
+DEFAULT_INCLUDES = -I. -I$(srcdir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+SOURCES = $(libcrypto_a_SOURCES)
+DIST_SOURCES = $(libcrypto_a_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+noinst_LIBRARIES = libcrypto.a
+libcrypto_a_SOURCES = \
+libaes/aes_xcbc_mac.c libaes/aes_cbc.c libaes/aes_xcbc_mac.h libaes/aes_cbc.h libaes/aes.c libaes/aes.h \
+include/md32_common.h include/cbc_generic.h include/hmac_generic.h libblowfish/bf_skey.c libblowfish/blowfish.h \
+libblowfish/bf_pi.h libblowfish/bf_locl.h libblowfish/bf_enc.c libsha2/hmac_sha2.c libsha2/sha2.h libsha2/hmac_sha2.h \
+libsha2/sha2.c libserpent/serpent_cbc.c libserpent/serpent_cbc.h libserpent/serpent.c libserpent/serpent.h \
+libtwofish/twofish_cbc.h libtwofish/twofish_cbc.c libtwofish/twofish.c libtwofish/twofish.h libdes/des_enc.c \
+libdes/podd.h libdes/sk.h libdes/set_key.c libdes/speed.c libdes/fcrypt_b.c libdes/fcrypt.c libdes/destest.c \
+libdes/spr.h libdes/cbc_enc.c libdes/ecb_enc.c libdes/des_opts.c libdes/des_locl.h libdes/des_ver.h libdes/des.h
+
+INCLUDES = -I$(top_srcdir)/src/libcrypto/include
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcrypto/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libcrypto/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+clean-noinstLIBRARIES:
+ -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES)
+libcrypto.a: $(libcrypto_a_OBJECTS) $(libcrypto_a_DEPENDENCIES)
+ -rm -f libcrypto.a
+ $(libcrypto_a_AR) libcrypto.a $(libcrypto_a_OBJECTS) $(libcrypto_a_LIBADD)
+ $(RANLIB) libcrypto.a
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_cbc.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_xcbc_mac.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bf_enc.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bf_skey.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cbc_enc.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des_enc.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des_opts.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/destest.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ecb_enc.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fcrypt.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fcrypt_b.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_sha2.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/serpent.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/serpent_cbc.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_key.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha2.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/speed.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/twofish_cbc.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+aes_xcbc_mac.o: libaes/aes_xcbc_mac.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc_mac.o -MD -MP -MF "$(DEPDIR)/aes_xcbc_mac.Tpo" -c -o aes_xcbc_mac.o `test -f 'libaes/aes_xcbc_mac.c' || echo '$(srcdir)/'`libaes/aes_xcbc_mac.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/aes_xcbc_mac.Tpo" "$(DEPDIR)/aes_xcbc_mac.Po"; else rm -f "$(DEPDIR)/aes_xcbc_mac.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libaes/aes_xcbc_mac.c' object='aes_xcbc_mac.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc_mac.o `test -f 'libaes/aes_xcbc_mac.c' || echo '$(srcdir)/'`libaes/aes_xcbc_mac.c
+
+aes_xcbc_mac.obj: libaes/aes_xcbc_mac.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_xcbc_mac.obj -MD -MP -MF "$(DEPDIR)/aes_xcbc_mac.Tpo" -c -o aes_xcbc_mac.obj `if test -f 'libaes/aes_xcbc_mac.c'; then $(CYGPATH_W) 'libaes/aes_xcbc_mac.c'; else $(CYGPATH_W) '$(srcdir)/libaes/aes_xcbc_mac.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/aes_xcbc_mac.Tpo" "$(DEPDIR)/aes_xcbc_mac.Po"; else rm -f "$(DEPDIR)/aes_xcbc_mac.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libaes/aes_xcbc_mac.c' object='aes_xcbc_mac.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_xcbc_mac.obj `if test -f 'libaes/aes_xcbc_mac.c'; then $(CYGPATH_W) 'libaes/aes_xcbc_mac.c'; else $(CYGPATH_W) '$(srcdir)/libaes/aes_xcbc_mac.c'; fi`
+
+aes_cbc.o: libaes/aes_cbc.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc.o -MD -MP -MF "$(DEPDIR)/aes_cbc.Tpo" -c -o aes_cbc.o `test -f 'libaes/aes_cbc.c' || echo '$(srcdir)/'`libaes/aes_cbc.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/aes_cbc.Tpo" "$(DEPDIR)/aes_cbc.Po"; else rm -f "$(DEPDIR)/aes_cbc.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libaes/aes_cbc.c' object='aes_cbc.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.o `test -f 'libaes/aes_cbc.c' || echo '$(srcdir)/'`libaes/aes_cbc.c
+
+aes_cbc.obj: libaes/aes_cbc.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc.obj -MD -MP -MF "$(DEPDIR)/aes_cbc.Tpo" -c -o aes_cbc.obj `if test -f 'libaes/aes_cbc.c'; then $(CYGPATH_W) 'libaes/aes_cbc.c'; else $(CYGPATH_W) '$(srcdir)/libaes/aes_cbc.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/aes_cbc.Tpo" "$(DEPDIR)/aes_cbc.Po"; else rm -f "$(DEPDIR)/aes_cbc.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libaes/aes_cbc.c' object='aes_cbc.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc.obj `if test -f 'libaes/aes_cbc.c'; then $(CYGPATH_W) 'libaes/aes_cbc.c'; else $(CYGPATH_W) '$(srcdir)/libaes/aes_cbc.c'; fi`
+
+aes.o: libaes/aes.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes.o -MD -MP -MF "$(DEPDIR)/aes.Tpo" -c -o aes.o `test -f 'libaes/aes.c' || echo '$(srcdir)/'`libaes/aes.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/aes.Tpo" "$(DEPDIR)/aes.Po"; else rm -f "$(DEPDIR)/aes.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libaes/aes.c' object='aes.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes.o `test -f 'libaes/aes.c' || echo '$(srcdir)/'`libaes/aes.c
+
+aes.obj: libaes/aes.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes.obj -MD -MP -MF "$(DEPDIR)/aes.Tpo" -c -o aes.obj `if test -f 'libaes/aes.c'; then $(CYGPATH_W) 'libaes/aes.c'; else $(CYGPATH_W) '$(srcdir)/libaes/aes.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/aes.Tpo" "$(DEPDIR)/aes.Po"; else rm -f "$(DEPDIR)/aes.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libaes/aes.c' object='aes.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes.obj `if test -f 'libaes/aes.c'; then $(CYGPATH_W) 'libaes/aes.c'; else $(CYGPATH_W) '$(srcdir)/libaes/aes.c'; fi`
+
+bf_skey.o: libblowfish/bf_skey.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bf_skey.o -MD -MP -MF "$(DEPDIR)/bf_skey.Tpo" -c -o bf_skey.o `test -f 'libblowfish/bf_skey.c' || echo '$(srcdir)/'`libblowfish/bf_skey.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/bf_skey.Tpo" "$(DEPDIR)/bf_skey.Po"; else rm -f "$(DEPDIR)/bf_skey.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libblowfish/bf_skey.c' object='bf_skey.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bf_skey.o `test -f 'libblowfish/bf_skey.c' || echo '$(srcdir)/'`libblowfish/bf_skey.c
+
+bf_skey.obj: libblowfish/bf_skey.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bf_skey.obj -MD -MP -MF "$(DEPDIR)/bf_skey.Tpo" -c -o bf_skey.obj `if test -f 'libblowfish/bf_skey.c'; then $(CYGPATH_W) 'libblowfish/bf_skey.c'; else $(CYGPATH_W) '$(srcdir)/libblowfish/bf_skey.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/bf_skey.Tpo" "$(DEPDIR)/bf_skey.Po"; else rm -f "$(DEPDIR)/bf_skey.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libblowfish/bf_skey.c' object='bf_skey.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bf_skey.obj `if test -f 'libblowfish/bf_skey.c'; then $(CYGPATH_W) 'libblowfish/bf_skey.c'; else $(CYGPATH_W) '$(srcdir)/libblowfish/bf_skey.c'; fi`
+
+bf_enc.o: libblowfish/bf_enc.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bf_enc.o -MD -MP -MF "$(DEPDIR)/bf_enc.Tpo" -c -o bf_enc.o `test -f 'libblowfish/bf_enc.c' || echo '$(srcdir)/'`libblowfish/bf_enc.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/bf_enc.Tpo" "$(DEPDIR)/bf_enc.Po"; else rm -f "$(DEPDIR)/bf_enc.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libblowfish/bf_enc.c' object='bf_enc.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bf_enc.o `test -f 'libblowfish/bf_enc.c' || echo '$(srcdir)/'`libblowfish/bf_enc.c
+
+bf_enc.obj: libblowfish/bf_enc.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT bf_enc.obj -MD -MP -MF "$(DEPDIR)/bf_enc.Tpo" -c -o bf_enc.obj `if test -f 'libblowfish/bf_enc.c'; then $(CYGPATH_W) 'libblowfish/bf_enc.c'; else $(CYGPATH_W) '$(srcdir)/libblowfish/bf_enc.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/bf_enc.Tpo" "$(DEPDIR)/bf_enc.Po"; else rm -f "$(DEPDIR)/bf_enc.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libblowfish/bf_enc.c' object='bf_enc.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o bf_enc.obj `if test -f 'libblowfish/bf_enc.c'; then $(CYGPATH_W) 'libblowfish/bf_enc.c'; else $(CYGPATH_W) '$(srcdir)/libblowfish/bf_enc.c'; fi`
+
+hmac_sha2.o: libsha2/hmac_sha2.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac_sha2.o -MD -MP -MF "$(DEPDIR)/hmac_sha2.Tpo" -c -o hmac_sha2.o `test -f 'libsha2/hmac_sha2.c' || echo '$(srcdir)/'`libsha2/hmac_sha2.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/hmac_sha2.Tpo" "$(DEPDIR)/hmac_sha2.Po"; else rm -f "$(DEPDIR)/hmac_sha2.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libsha2/hmac_sha2.c' object='hmac_sha2.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac_sha2.o `test -f 'libsha2/hmac_sha2.c' || echo '$(srcdir)/'`libsha2/hmac_sha2.c
+
+hmac_sha2.obj: libsha2/hmac_sha2.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac_sha2.obj -MD -MP -MF "$(DEPDIR)/hmac_sha2.Tpo" -c -o hmac_sha2.obj `if test -f 'libsha2/hmac_sha2.c'; then $(CYGPATH_W) 'libsha2/hmac_sha2.c'; else $(CYGPATH_W) '$(srcdir)/libsha2/hmac_sha2.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/hmac_sha2.Tpo" "$(DEPDIR)/hmac_sha2.Po"; else rm -f "$(DEPDIR)/hmac_sha2.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libsha2/hmac_sha2.c' object='hmac_sha2.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac_sha2.obj `if test -f 'libsha2/hmac_sha2.c'; then $(CYGPATH_W) 'libsha2/hmac_sha2.c'; else $(CYGPATH_W) '$(srcdir)/libsha2/hmac_sha2.c'; fi`
+
+sha2.o: libsha2/sha2.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2.o -MD -MP -MF "$(DEPDIR)/sha2.Tpo" -c -o sha2.o `test -f 'libsha2/sha2.c' || echo '$(srcdir)/'`libsha2/sha2.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sha2.Tpo" "$(DEPDIR)/sha2.Po"; else rm -f "$(DEPDIR)/sha2.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libsha2/sha2.c' object='sha2.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2.o `test -f 'libsha2/sha2.c' || echo '$(srcdir)/'`libsha2/sha2.c
+
+sha2.obj: libsha2/sha2.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2.obj -MD -MP -MF "$(DEPDIR)/sha2.Tpo" -c -o sha2.obj `if test -f 'libsha2/sha2.c'; then $(CYGPATH_W) 'libsha2/sha2.c'; else $(CYGPATH_W) '$(srcdir)/libsha2/sha2.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sha2.Tpo" "$(DEPDIR)/sha2.Po"; else rm -f "$(DEPDIR)/sha2.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libsha2/sha2.c' object='sha2.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2.obj `if test -f 'libsha2/sha2.c'; then $(CYGPATH_W) 'libsha2/sha2.c'; else $(CYGPATH_W) '$(srcdir)/libsha2/sha2.c'; fi`
+
+serpent_cbc.o: libserpent/serpent_cbc.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent_cbc.o -MD -MP -MF "$(DEPDIR)/serpent_cbc.Tpo" -c -o serpent_cbc.o `test -f 'libserpent/serpent_cbc.c' || echo '$(srcdir)/'`libserpent/serpent_cbc.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/serpent_cbc.Tpo" "$(DEPDIR)/serpent_cbc.Po"; else rm -f "$(DEPDIR)/serpent_cbc.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libserpent/serpent_cbc.c' object='serpent_cbc.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent_cbc.o `test -f 'libserpent/serpent_cbc.c' || echo '$(srcdir)/'`libserpent/serpent_cbc.c
+
+serpent_cbc.obj: libserpent/serpent_cbc.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent_cbc.obj -MD -MP -MF "$(DEPDIR)/serpent_cbc.Tpo" -c -o serpent_cbc.obj `if test -f 'libserpent/serpent_cbc.c'; then $(CYGPATH_W) 'libserpent/serpent_cbc.c'; else $(CYGPATH_W) '$(srcdir)/libserpent/serpent_cbc.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/serpent_cbc.Tpo" "$(DEPDIR)/serpent_cbc.Po"; else rm -f "$(DEPDIR)/serpent_cbc.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libserpent/serpent_cbc.c' object='serpent_cbc.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent_cbc.obj `if test -f 'libserpent/serpent_cbc.c'; then $(CYGPATH_W) 'libserpent/serpent_cbc.c'; else $(CYGPATH_W) '$(srcdir)/libserpent/serpent_cbc.c'; fi`
+
+serpent.o: libserpent/serpent.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent.o -MD -MP -MF "$(DEPDIR)/serpent.Tpo" -c -o serpent.o `test -f 'libserpent/serpent.c' || echo '$(srcdir)/'`libserpent/serpent.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/serpent.Tpo" "$(DEPDIR)/serpent.Po"; else rm -f "$(DEPDIR)/serpent.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libserpent/serpent.c' object='serpent.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent.o `test -f 'libserpent/serpent.c' || echo '$(srcdir)/'`libserpent/serpent.c
+
+serpent.obj: libserpent/serpent.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT serpent.obj -MD -MP -MF "$(DEPDIR)/serpent.Tpo" -c -o serpent.obj `if test -f 'libserpent/serpent.c'; then $(CYGPATH_W) 'libserpent/serpent.c'; else $(CYGPATH_W) '$(srcdir)/libserpent/serpent.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/serpent.Tpo" "$(DEPDIR)/serpent.Po"; else rm -f "$(DEPDIR)/serpent.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libserpent/serpent.c' object='serpent.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o serpent.obj `if test -f 'libserpent/serpent.c'; then $(CYGPATH_W) 'libserpent/serpent.c'; else $(CYGPATH_W) '$(srcdir)/libserpent/serpent.c'; fi`
+
+twofish_cbc.o: libtwofish/twofish_cbc.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish_cbc.o -MD -MP -MF "$(DEPDIR)/twofish_cbc.Tpo" -c -o twofish_cbc.o `test -f 'libtwofish/twofish_cbc.c' || echo '$(srcdir)/'`libtwofish/twofish_cbc.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/twofish_cbc.Tpo" "$(DEPDIR)/twofish_cbc.Po"; else rm -f "$(DEPDIR)/twofish_cbc.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libtwofish/twofish_cbc.c' object='twofish_cbc.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish_cbc.o `test -f 'libtwofish/twofish_cbc.c' || echo '$(srcdir)/'`libtwofish/twofish_cbc.c
+
+twofish_cbc.obj: libtwofish/twofish_cbc.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish_cbc.obj -MD -MP -MF "$(DEPDIR)/twofish_cbc.Tpo" -c -o twofish_cbc.obj `if test -f 'libtwofish/twofish_cbc.c'; then $(CYGPATH_W) 'libtwofish/twofish_cbc.c'; else $(CYGPATH_W) '$(srcdir)/libtwofish/twofish_cbc.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/twofish_cbc.Tpo" "$(DEPDIR)/twofish_cbc.Po"; else rm -f "$(DEPDIR)/twofish_cbc.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libtwofish/twofish_cbc.c' object='twofish_cbc.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish_cbc.obj `if test -f 'libtwofish/twofish_cbc.c'; then $(CYGPATH_W) 'libtwofish/twofish_cbc.c'; else $(CYGPATH_W) '$(srcdir)/libtwofish/twofish_cbc.c'; fi`
+
+twofish.o: libtwofish/twofish.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish.o -MD -MP -MF "$(DEPDIR)/twofish.Tpo" -c -o twofish.o `test -f 'libtwofish/twofish.c' || echo '$(srcdir)/'`libtwofish/twofish.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/twofish.Tpo" "$(DEPDIR)/twofish.Po"; else rm -f "$(DEPDIR)/twofish.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libtwofish/twofish.c' object='twofish.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish.o `test -f 'libtwofish/twofish.c' || echo '$(srcdir)/'`libtwofish/twofish.c
+
+twofish.obj: libtwofish/twofish.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT twofish.obj -MD -MP -MF "$(DEPDIR)/twofish.Tpo" -c -o twofish.obj `if test -f 'libtwofish/twofish.c'; then $(CYGPATH_W) 'libtwofish/twofish.c'; else $(CYGPATH_W) '$(srcdir)/libtwofish/twofish.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/twofish.Tpo" "$(DEPDIR)/twofish.Po"; else rm -f "$(DEPDIR)/twofish.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libtwofish/twofish.c' object='twofish.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o twofish.obj `if test -f 'libtwofish/twofish.c'; then $(CYGPATH_W) 'libtwofish/twofish.c'; else $(CYGPATH_W) '$(srcdir)/libtwofish/twofish.c'; fi`
+
+des_enc.o: libdes/des_enc.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_enc.o -MD -MP -MF "$(DEPDIR)/des_enc.Tpo" -c -o des_enc.o `test -f 'libdes/des_enc.c' || echo '$(srcdir)/'`libdes/des_enc.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/des_enc.Tpo" "$(DEPDIR)/des_enc.Po"; else rm -f "$(DEPDIR)/des_enc.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/des_enc.c' object='des_enc.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_enc.o `test -f 'libdes/des_enc.c' || echo '$(srcdir)/'`libdes/des_enc.c
+
+des_enc.obj: libdes/des_enc.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_enc.obj -MD -MP -MF "$(DEPDIR)/des_enc.Tpo" -c -o des_enc.obj `if test -f 'libdes/des_enc.c'; then $(CYGPATH_W) 'libdes/des_enc.c'; else $(CYGPATH_W) '$(srcdir)/libdes/des_enc.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/des_enc.Tpo" "$(DEPDIR)/des_enc.Po"; else rm -f "$(DEPDIR)/des_enc.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/des_enc.c' object='des_enc.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_enc.obj `if test -f 'libdes/des_enc.c'; then $(CYGPATH_W) 'libdes/des_enc.c'; else $(CYGPATH_W) '$(srcdir)/libdes/des_enc.c'; fi`
+
+set_key.o: libdes/set_key.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_key.o -MD -MP -MF "$(DEPDIR)/set_key.Tpo" -c -o set_key.o `test -f 'libdes/set_key.c' || echo '$(srcdir)/'`libdes/set_key.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/set_key.Tpo" "$(DEPDIR)/set_key.Po"; else rm -f "$(DEPDIR)/set_key.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/set_key.c' object='set_key.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_key.o `test -f 'libdes/set_key.c' || echo '$(srcdir)/'`libdes/set_key.c
+
+set_key.obj: libdes/set_key.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_key.obj -MD -MP -MF "$(DEPDIR)/set_key.Tpo" -c -o set_key.obj `if test -f 'libdes/set_key.c'; then $(CYGPATH_W) 'libdes/set_key.c'; else $(CYGPATH_W) '$(srcdir)/libdes/set_key.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/set_key.Tpo" "$(DEPDIR)/set_key.Po"; else rm -f "$(DEPDIR)/set_key.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/set_key.c' object='set_key.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_key.obj `if test -f 'libdes/set_key.c'; then $(CYGPATH_W) 'libdes/set_key.c'; else $(CYGPATH_W) '$(srcdir)/libdes/set_key.c'; fi`
+
+speed.o: libdes/speed.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT speed.o -MD -MP -MF "$(DEPDIR)/speed.Tpo" -c -o speed.o `test -f 'libdes/speed.c' || echo '$(srcdir)/'`libdes/speed.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/speed.Tpo" "$(DEPDIR)/speed.Po"; else rm -f "$(DEPDIR)/speed.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/speed.c' object='speed.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o speed.o `test -f 'libdes/speed.c' || echo '$(srcdir)/'`libdes/speed.c
+
+speed.obj: libdes/speed.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT speed.obj -MD -MP -MF "$(DEPDIR)/speed.Tpo" -c -o speed.obj `if test -f 'libdes/speed.c'; then $(CYGPATH_W) 'libdes/speed.c'; else $(CYGPATH_W) '$(srcdir)/libdes/speed.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/speed.Tpo" "$(DEPDIR)/speed.Po"; else rm -f "$(DEPDIR)/speed.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/speed.c' object='speed.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o speed.obj `if test -f 'libdes/speed.c'; then $(CYGPATH_W) 'libdes/speed.c'; else $(CYGPATH_W) '$(srcdir)/libdes/speed.c'; fi`
+
+fcrypt_b.o: libdes/fcrypt_b.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fcrypt_b.o -MD -MP -MF "$(DEPDIR)/fcrypt_b.Tpo" -c -o fcrypt_b.o `test -f 'libdes/fcrypt_b.c' || echo '$(srcdir)/'`libdes/fcrypt_b.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/fcrypt_b.Tpo" "$(DEPDIR)/fcrypt_b.Po"; else rm -f "$(DEPDIR)/fcrypt_b.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/fcrypt_b.c' object='fcrypt_b.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fcrypt_b.o `test -f 'libdes/fcrypt_b.c' || echo '$(srcdir)/'`libdes/fcrypt_b.c
+
+fcrypt_b.obj: libdes/fcrypt_b.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fcrypt_b.obj -MD -MP -MF "$(DEPDIR)/fcrypt_b.Tpo" -c -o fcrypt_b.obj `if test -f 'libdes/fcrypt_b.c'; then $(CYGPATH_W) 'libdes/fcrypt_b.c'; else $(CYGPATH_W) '$(srcdir)/libdes/fcrypt_b.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/fcrypt_b.Tpo" "$(DEPDIR)/fcrypt_b.Po"; else rm -f "$(DEPDIR)/fcrypt_b.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/fcrypt_b.c' object='fcrypt_b.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fcrypt_b.obj `if test -f 'libdes/fcrypt_b.c'; then $(CYGPATH_W) 'libdes/fcrypt_b.c'; else $(CYGPATH_W) '$(srcdir)/libdes/fcrypt_b.c'; fi`
+
+fcrypt.o: libdes/fcrypt.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fcrypt.o -MD -MP -MF "$(DEPDIR)/fcrypt.Tpo" -c -o fcrypt.o `test -f 'libdes/fcrypt.c' || echo '$(srcdir)/'`libdes/fcrypt.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/fcrypt.Tpo" "$(DEPDIR)/fcrypt.Po"; else rm -f "$(DEPDIR)/fcrypt.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/fcrypt.c' object='fcrypt.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fcrypt.o `test -f 'libdes/fcrypt.c' || echo '$(srcdir)/'`libdes/fcrypt.c
+
+fcrypt.obj: libdes/fcrypt.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fcrypt.obj -MD -MP -MF "$(DEPDIR)/fcrypt.Tpo" -c -o fcrypt.obj `if test -f 'libdes/fcrypt.c'; then $(CYGPATH_W) 'libdes/fcrypt.c'; else $(CYGPATH_W) '$(srcdir)/libdes/fcrypt.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/fcrypt.Tpo" "$(DEPDIR)/fcrypt.Po"; else rm -f "$(DEPDIR)/fcrypt.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/fcrypt.c' object='fcrypt.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fcrypt.obj `if test -f 'libdes/fcrypt.c'; then $(CYGPATH_W) 'libdes/fcrypt.c'; else $(CYGPATH_W) '$(srcdir)/libdes/fcrypt.c'; fi`
+
+destest.o: libdes/destest.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT destest.o -MD -MP -MF "$(DEPDIR)/destest.Tpo" -c -o destest.o `test -f 'libdes/destest.c' || echo '$(srcdir)/'`libdes/destest.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/destest.Tpo" "$(DEPDIR)/destest.Po"; else rm -f "$(DEPDIR)/destest.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/destest.c' object='destest.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o destest.o `test -f 'libdes/destest.c' || echo '$(srcdir)/'`libdes/destest.c
+
+destest.obj: libdes/destest.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT destest.obj -MD -MP -MF "$(DEPDIR)/destest.Tpo" -c -o destest.obj `if test -f 'libdes/destest.c'; then $(CYGPATH_W) 'libdes/destest.c'; else $(CYGPATH_W) '$(srcdir)/libdes/destest.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/destest.Tpo" "$(DEPDIR)/destest.Po"; else rm -f "$(DEPDIR)/destest.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/destest.c' object='destest.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o destest.obj `if test -f 'libdes/destest.c'; then $(CYGPATH_W) 'libdes/destest.c'; else $(CYGPATH_W) '$(srcdir)/libdes/destest.c'; fi`
+
+cbc_enc.o: libdes/cbc_enc.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cbc_enc.o -MD -MP -MF "$(DEPDIR)/cbc_enc.Tpo" -c -o cbc_enc.o `test -f 'libdes/cbc_enc.c' || echo '$(srcdir)/'`libdes/cbc_enc.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cbc_enc.Tpo" "$(DEPDIR)/cbc_enc.Po"; else rm -f "$(DEPDIR)/cbc_enc.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/cbc_enc.c' object='cbc_enc.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cbc_enc.o `test -f 'libdes/cbc_enc.c' || echo '$(srcdir)/'`libdes/cbc_enc.c
+
+cbc_enc.obj: libdes/cbc_enc.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cbc_enc.obj -MD -MP -MF "$(DEPDIR)/cbc_enc.Tpo" -c -o cbc_enc.obj `if test -f 'libdes/cbc_enc.c'; then $(CYGPATH_W) 'libdes/cbc_enc.c'; else $(CYGPATH_W) '$(srcdir)/libdes/cbc_enc.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/cbc_enc.Tpo" "$(DEPDIR)/cbc_enc.Po"; else rm -f "$(DEPDIR)/cbc_enc.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/cbc_enc.c' object='cbc_enc.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cbc_enc.obj `if test -f 'libdes/cbc_enc.c'; then $(CYGPATH_W) 'libdes/cbc_enc.c'; else $(CYGPATH_W) '$(srcdir)/libdes/cbc_enc.c'; fi`
+
+ecb_enc.o: libdes/ecb_enc.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ecb_enc.o -MD -MP -MF "$(DEPDIR)/ecb_enc.Tpo" -c -o ecb_enc.o `test -f 'libdes/ecb_enc.c' || echo '$(srcdir)/'`libdes/ecb_enc.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ecb_enc.Tpo" "$(DEPDIR)/ecb_enc.Po"; else rm -f "$(DEPDIR)/ecb_enc.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/ecb_enc.c' object='ecb_enc.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ecb_enc.o `test -f 'libdes/ecb_enc.c' || echo '$(srcdir)/'`libdes/ecb_enc.c
+
+ecb_enc.obj: libdes/ecb_enc.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ecb_enc.obj -MD -MP -MF "$(DEPDIR)/ecb_enc.Tpo" -c -o ecb_enc.obj `if test -f 'libdes/ecb_enc.c'; then $(CYGPATH_W) 'libdes/ecb_enc.c'; else $(CYGPATH_W) '$(srcdir)/libdes/ecb_enc.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ecb_enc.Tpo" "$(DEPDIR)/ecb_enc.Po"; else rm -f "$(DEPDIR)/ecb_enc.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/ecb_enc.c' object='ecb_enc.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ecb_enc.obj `if test -f 'libdes/ecb_enc.c'; then $(CYGPATH_W) 'libdes/ecb_enc.c'; else $(CYGPATH_W) '$(srcdir)/libdes/ecb_enc.c'; fi`
+
+des_opts.o: libdes/des_opts.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_opts.o -MD -MP -MF "$(DEPDIR)/des_opts.Tpo" -c -o des_opts.o `test -f 'libdes/des_opts.c' || echo '$(srcdir)/'`libdes/des_opts.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/des_opts.Tpo" "$(DEPDIR)/des_opts.Po"; else rm -f "$(DEPDIR)/des_opts.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/des_opts.c' object='des_opts.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_opts.o `test -f 'libdes/des_opts.c' || echo '$(srcdir)/'`libdes/des_opts.c
+
+des_opts.obj: libdes/des_opts.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_opts.obj -MD -MP -MF "$(DEPDIR)/des_opts.Tpo" -c -o des_opts.obj `if test -f 'libdes/des_opts.c'; then $(CYGPATH_W) 'libdes/des_opts.c'; else $(CYGPATH_W) '$(srcdir)/libdes/des_opts.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/des_opts.Tpo" "$(DEPDIR)/des_opts.Po"; else rm -f "$(DEPDIR)/des_opts.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='libdes/des_opts.c' object='des_opts.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_opts.obj `if test -f 'libdes/des_opts.c'; then $(CYGPATH_W) 'libdes/des_opts.c'; else $(CYGPATH_W) '$(srcdir)/libdes/des_opts.c'; fi`
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LIBRARIES)
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-libtool distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-exec-am:
+
+install-info: install-info-am
+
+install-man:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-info-am
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLIBRARIES ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-exec \
+ install-exec-am install-info install-info-am install-man \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags uninstall uninstall-am \
+ uninstall-info-am
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/lib/libcrypto/include/cbc_generic.h b/src/libcrypto/include/cbc_generic.h
index 0dd3a77d6..0dd3a77d6 100644
--- a/lib/libcrypto/include/cbc_generic.h
+++ b/src/libcrypto/include/cbc_generic.h
diff --git a/lib/libcrypto/include/hmac_generic.h b/src/libcrypto/include/hmac_generic.h
index a749228e3..a749228e3 100644
--- a/lib/libcrypto/include/hmac_generic.h
+++ b/src/libcrypto/include/hmac_generic.h
diff --git a/lib/libcrypto/include/md32_common.h b/src/libcrypto/include/md32_common.h
index 1a404a458..1a404a458 100644
--- a/lib/libcrypto/include/md32_common.h
+++ b/src/libcrypto/include/md32_common.h
diff --git a/lib/libcrypto/libaes/aes.c b/src/libcrypto/libaes/aes.c
index 1748119ac..1748119ac 100644
--- a/lib/libcrypto/libaes/aes.c
+++ b/src/libcrypto/libaes/aes.c
diff --git a/lib/libcrypto/libaes/aes.h b/src/libcrypto/libaes/aes.h
index 4f1e3b335..4f1e3b335 100644
--- a/lib/libcrypto/libaes/aes.h
+++ b/src/libcrypto/libaes/aes.h
diff --git a/lib/libcrypto/libaes/aes_cbc.c b/src/libcrypto/libaes/aes_cbc.c
index 962dd1a35..962dd1a35 100644
--- a/lib/libcrypto/libaes/aes_cbc.c
+++ b/src/libcrypto/libaes/aes_cbc.c
diff --git a/lib/libcrypto/libaes/aes_cbc.h b/src/libcrypto/libaes/aes_cbc.h
index 92f5d77f5..92f5d77f5 100644
--- a/lib/libcrypto/libaes/aes_cbc.h
+++ b/src/libcrypto/libaes/aes_cbc.h
diff --git a/lib/libcrypto/libaes/aes_xcbc_mac.c b/src/libcrypto/libaes/aes_xcbc_mac.c
index 89d7bc067..89d7bc067 100644
--- a/lib/libcrypto/libaes/aes_xcbc_mac.c
+++ b/src/libcrypto/libaes/aes_xcbc_mac.c
diff --git a/lib/libcrypto/libaes/aes_xcbc_mac.h b/src/libcrypto/libaes/aes_xcbc_mac.h
index baf438cd4..baf438cd4 100644
--- a/lib/libcrypto/libaes/aes_xcbc_mac.h
+++ b/src/libcrypto/libaes/aes_xcbc_mac.h
diff --git a/lib/libcrypto/libblowfish/bf_enc.c b/src/libcrypto/libblowfish/bf_enc.c
index aa6c79812..aa6c79812 100644
--- a/lib/libcrypto/libblowfish/bf_enc.c
+++ b/src/libcrypto/libblowfish/bf_enc.c
diff --git a/lib/libcrypto/libblowfish/bf_locl.h b/src/libcrypto/libblowfish/bf_locl.h
index 283bf4c43..283bf4c43 100644
--- a/lib/libcrypto/libblowfish/bf_locl.h
+++ b/src/libcrypto/libblowfish/bf_locl.h
diff --git a/lib/libcrypto/libblowfish/bf_pi.h b/src/libcrypto/libblowfish/bf_pi.h
index 9949513c6..9949513c6 100644
--- a/lib/libcrypto/libblowfish/bf_pi.h
+++ b/src/libcrypto/libblowfish/bf_pi.h
diff --git a/lib/libcrypto/libblowfish/bf_skey.c b/src/libcrypto/libblowfish/bf_skey.c
index 8cdbbd283..8cdbbd283 100644
--- a/lib/libcrypto/libblowfish/bf_skey.c
+++ b/src/libcrypto/libblowfish/bf_skey.c
diff --git a/lib/libcrypto/libblowfish/blowfish.h b/src/libcrypto/libblowfish/blowfish.h
index ccb97e272..ccb97e272 100644
--- a/lib/libcrypto/libblowfish/blowfish.h
+++ b/src/libcrypto/libblowfish/blowfish.h
diff --git a/linux/crypto/ciphers/des/cbc_enc.c b/src/libcrypto/libdes/cbc_enc.c
index a06f9f99e..a06f9f99e 100644
--- a/linux/crypto/ciphers/des/cbc_enc.c
+++ b/src/libcrypto/libdes/cbc_enc.c
diff --git a/linux/include/crypto/des.h b/src/libcrypto/libdes/des.h
index baddf8647..baddf8647 100644
--- a/linux/include/crypto/des.h
+++ b/src/libcrypto/libdes/des.h
diff --git a/linux/crypto/ciphers/des/des_enc.c b/src/libcrypto/libdes/des_enc.c
index 1e1906d25..1e1906d25 100644
--- a/linux/crypto/ciphers/des/des_enc.c
+++ b/src/libcrypto/libdes/des_enc.c
diff --git a/linux/crypto/ciphers/des/des_locl.h b/src/libcrypto/libdes/des_locl.h
index 020d6b7ca..4e0b3662f 100644
--- a/linux/crypto/ciphers/des/des_locl.h
+++ b/src/libcrypto/libdes/des_locl.h
@@ -73,7 +73,7 @@
#endif
#endif
-#include "crypto/des.h"
+#include "des.h"
#ifndef DES_DEFAULT_OPTIONS
/* the following is tweaked from a config script, that is why it is a
diff --git a/linux/crypto/ciphers/des/des_opts.c b/src/libcrypto/libdes/des_opts.c
index b6693c405..b6693c405 100644
--- a/linux/crypto/ciphers/des/des_opts.c
+++ b/src/libcrypto/libdes/des_opts.c
diff --git a/linux/crypto/ciphers/des/des_ver.h b/src/libcrypto/libdes/des_ver.h
index 98352bc0d..98352bc0d 100644
--- a/linux/crypto/ciphers/des/des_ver.h
+++ b/src/libcrypto/libdes/des_ver.h
diff --git a/linux/crypto/ciphers/des/destest.c b/src/libcrypto/libdes/destest.c
index ae896499e..ae896499e 100644
--- a/linux/crypto/ciphers/des/destest.c
+++ b/src/libcrypto/libdes/destest.c
diff --git a/linux/crypto/ciphers/des/ecb_enc.c b/src/libcrypto/libdes/ecb_enc.c
index 0b7afcf3a..0b7afcf3a 100644
--- a/linux/crypto/ciphers/des/ecb_enc.c
+++ b/src/libcrypto/libdes/ecb_enc.c
diff --git a/linux/crypto/ciphers/des/fcrypt.c b/src/libcrypto/libdes/fcrypt.c
index 8b9d0495b..8b9d0495b 100644
--- a/linux/crypto/ciphers/des/fcrypt.c
+++ b/src/libcrypto/libdes/fcrypt.c
diff --git a/linux/crypto/ciphers/des/fcrypt_b.c b/src/libcrypto/libdes/fcrypt_b.c
index 5900645e7..5900645e7 100644
--- a/linux/crypto/ciphers/des/fcrypt_b.c
+++ b/src/libcrypto/libdes/fcrypt_b.c
diff --git a/linux/crypto/ciphers/des/podd.h b/src/libcrypto/libdes/podd.h
index c00cd6ba0..c00cd6ba0 100644
--- a/linux/crypto/ciphers/des/podd.h
+++ b/src/libcrypto/libdes/podd.h
diff --git a/linux/crypto/ciphers/des/set_key.c b/src/libcrypto/libdes/set_key.c
index 99ac27348..99ac27348 100644
--- a/linux/crypto/ciphers/des/set_key.c
+++ b/src/libcrypto/libdes/set_key.c
diff --git a/linux/crypto/ciphers/des/sk.h b/src/libcrypto/libdes/sk.h
index 240703070..240703070 100644
--- a/linux/crypto/ciphers/des/sk.h
+++ b/src/libcrypto/libdes/sk.h
diff --git a/linux/crypto/ciphers/des/speed.c b/src/libcrypto/libdes/speed.c
index e3d753b2e..e3d753b2e 100644
--- a/linux/crypto/ciphers/des/speed.c
+++ b/src/libcrypto/libdes/speed.c
diff --git a/linux/crypto/ciphers/des/spr.h b/src/libcrypto/libdes/spr.h
index a84d6a723..a84d6a723 100644
--- a/linux/crypto/ciphers/des/spr.h
+++ b/src/libcrypto/libdes/spr.h
diff --git a/lib/libcrypto/libserpent/serpent.c b/src/libcrypto/libserpent/serpent.c
index f2cea250e..f2cea250e 100644
--- a/lib/libcrypto/libserpent/serpent.c
+++ b/src/libcrypto/libserpent/serpent.c
diff --git a/lib/libcrypto/libserpent/serpent.h b/src/libcrypto/libserpent/serpent.h
index 6357f5bfa..6357f5bfa 100644
--- a/lib/libcrypto/libserpent/serpent.h
+++ b/src/libcrypto/libserpent/serpent.h
diff --git a/lib/libcrypto/libserpent/serpent_cbc.c b/src/libcrypto/libserpent/serpent_cbc.c
index 3b546278a..3b546278a 100644
--- a/lib/libcrypto/libserpent/serpent_cbc.c
+++ b/src/libcrypto/libserpent/serpent_cbc.c
diff --git a/lib/libcrypto/libserpent/serpent_cbc.h b/src/libcrypto/libserpent/serpent_cbc.h
index 3064fa3bc..3064fa3bc 100644
--- a/lib/libcrypto/libserpent/serpent_cbc.h
+++ b/src/libcrypto/libserpent/serpent_cbc.h
diff --git a/lib/libcrypto/libsha2/hmac_sha2.c b/src/libcrypto/libsha2/hmac_sha2.c
index ad107eb62..ad107eb62 100644
--- a/lib/libcrypto/libsha2/hmac_sha2.c
+++ b/src/libcrypto/libsha2/hmac_sha2.c
diff --git a/lib/libcrypto/libsha2/hmac_sha2.h b/src/libcrypto/libsha2/hmac_sha2.h
index b7f8c747c..b7f8c747c 100644
--- a/lib/libcrypto/libsha2/hmac_sha2.h
+++ b/src/libcrypto/libsha2/hmac_sha2.h
diff --git a/lib/libcrypto/libsha2/sha2.c b/src/libcrypto/libsha2/sha2.c
index 4debdad67..4debdad67 100644
--- a/lib/libcrypto/libsha2/sha2.c
+++ b/src/libcrypto/libsha2/sha2.c
diff --git a/lib/libcrypto/libsha2/sha2.h b/src/libcrypto/libsha2/sha2.h
index 2dc03cfa8..2dc03cfa8 100644
--- a/lib/libcrypto/libsha2/sha2.h
+++ b/src/libcrypto/libsha2/sha2.h
diff --git a/lib/libcrypto/libtwofish/twofish.c b/src/libcrypto/libtwofish/twofish.c
index 0e01a92d2..0e01a92d2 100644
--- a/lib/libcrypto/libtwofish/twofish.c
+++ b/src/libcrypto/libtwofish/twofish.c
diff --git a/lib/libcrypto/libtwofish/twofish.h b/src/libcrypto/libtwofish/twofish.h
index 9b289f265..9b289f265 100644
--- a/lib/libcrypto/libtwofish/twofish.h
+++ b/src/libcrypto/libtwofish/twofish.h
diff --git a/lib/libcrypto/libtwofish/twofish_cbc.c b/src/libcrypto/libtwofish/twofish_cbc.c
index 6e5cf9025..6e5cf9025 100644
--- a/lib/libcrypto/libtwofish/twofish_cbc.c
+++ b/src/libcrypto/libtwofish/twofish_cbc.c
diff --git a/lib/libcrypto/libtwofish/twofish_cbc.h b/src/libcrypto/libtwofish/twofish_cbc.h
index 9fdea3526..9fdea3526 100644
--- a/lib/libcrypto/libtwofish/twofish_cbc.h
+++ b/src/libcrypto/libtwofish/twofish_cbc.h
diff --git a/src/libfreeswan/Makefile.am b/src/libfreeswan/Makefile.am
new file mode 100644
index 000000000..d916fca17
--- /dev/null
+++ b/src/libfreeswan/Makefile.am
@@ -0,0 +1,19 @@
+noinst_LIBRARIES = libfreeswan.a
+libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \
+ atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
+ goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipcomp.h \
+ ipsec_ah.h ipsec_alg.h ipsec_encap.h ipsec_eroute.h ipsec_errs.h \
+ ipsec_esp.h ipsec_ipe4.h ipsec_kversion.h ipsec_life.h ipsec_md5h.h \
+ ipsec_param.h ipsec_policy.h ipsec_proto.h ipsec_radij.h ipsec_rcv.h \
+ ipsec_sa.h ipsec_sha1.h ipsec_stats.h ipsec_tunnel.h ipsec_xform.h \
+ ipsec_xmit.h keyblobtoid.c optionsfrom.c pfkey_v2_build.c pfkey_v2_debug.c \
+ pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c radij.h rangetoa.c \
+ pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \
+ satot.c subnetof.c subnettoa.c subnettot.c \
+ subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \
+ ultoa.c ultot.c version.c
+INCLUDES = -I$(top_srcdir)/src/pluto
+dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
+ keyblobtoid.3 optionsfrom.3 portof.3 prng.3 rangetosubnet.3 sameaddr.3 subnetof.3 \
+ ttoaddr.3 ttodata.3 ttosa.3 ttoul.3 version.3
+
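Review bot: `INCLUDES = -I$(top_srcdir)/src/pluto` puts the entire pluto source directory on the header search path for every object in libfreeswan.a, and nothing in this Makefile.am says which header the library needs from there. Directories passed with `-I` are searched before the system include directories, so a file in src/pluto that shares a name with a system header would be picked up by an angle-bracket include; whether any such file exists cannot be seen from this hunk. I would add a comment above the line naming the dependency, for example `# libfreeswan needs <PLUTO_HEADER> from src/pluto` with the real header name filled in. I would also write the line as `AM_CPPFLAGS = -I$(top_srcdir)/src/pluto`, since Automake documents `INCLUDES` as the older, deprecated name for the same variable.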
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
new file mode 100644
index 000000000..97b53d7c0
--- /dev/null
+++ b/src/libfreeswan/Makefile.in
@@ -0,0 +1,574 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libfreeswan
+DIST_COMMON = $(dist_man3_MANS) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+LIBRARIES = $(noinst_LIBRARIES)
+ARFLAGS = cru
+libfreeswan_a_AR = $(AR) $(ARFLAGS)
+libfreeswan_a_LIBADD =
+am_libfreeswan_a_OBJECTS = addrtoa.$(OBJEXT) addrtot.$(OBJEXT) \
+ addrtypeof.$(OBJEXT) anyaddr.$(OBJEXT) atoaddr.$(OBJEXT) \
+ atoasr.$(OBJEXT) atosa.$(OBJEXT) atosubnet.$(OBJEXT) \
+ atoul.$(OBJEXT) copyright.$(OBJEXT) datatot.$(OBJEXT) \
+ goodmask.$(OBJEXT) initaddr.$(OBJEXT) initsaid.$(OBJEXT) \
+ initsubnet.$(OBJEXT) keyblobtoid.$(OBJEXT) \
+ optionsfrom.$(OBJEXT) pfkey_v2_build.$(OBJEXT) \
+ pfkey_v2_debug.$(OBJEXT) pfkey_v2_ext_bits.$(OBJEXT) \
+ pfkey_v2_parse.$(OBJEXT) portof.$(OBJEXT) prng.$(OBJEXT) \
+ rangetoa.$(OBJEXT) rangetosubnet.$(OBJEXT) sameaddr.$(OBJEXT) \
+ satoa.$(OBJEXT) satot.$(OBJEXT) subnetof.$(OBJEXT) \
+ subnettoa.$(OBJEXT) subnettot.$(OBJEXT) subnettypeof.$(OBJEXT) \
+ ttoaddr.$(OBJEXT) ttodata.$(OBJEXT) ttoprotoport.$(OBJEXT) \
+ ttosa.$(OBJEXT) ttosubnet.$(OBJEXT) ttoul.$(OBJEXT) \
+ ultoa.$(OBJEXT) ultot.$(OBJEXT) version.$(OBJEXT)
+libfreeswan_a_OBJECTS = $(am_libfreeswan_a_OBJECTS)
+DEFAULT_INCLUDES = -I. -I$(srcdir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+SOURCES = $(libfreeswan_a_SOURCES)
+DIST_SOURCES = $(libfreeswan_a_SOURCES)
+man3dir = $(mandir)/man3
+am__installdirs = "$(DESTDIR)$(man3dir)"
+NROFF = nroff
+MANS = $(dist_man3_MANS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+noinst_LIBRARIES = libfreeswan.a
+libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \
+ atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \
+ goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipcomp.h \
+ ipsec_ah.h ipsec_alg.h ipsec_encap.h ipsec_eroute.h ipsec_errs.h \
+ ipsec_esp.h ipsec_ipe4.h ipsec_kversion.h ipsec_life.h ipsec_md5h.h \
+ ipsec_param.h ipsec_policy.h ipsec_proto.h ipsec_radij.h ipsec_rcv.h \
+ ipsec_sa.h ipsec_sha1.h ipsec_stats.h ipsec_tunnel.h ipsec_xform.h \
+ ipsec_xmit.h keyblobtoid.c optionsfrom.c pfkey_v2_build.c pfkey_v2_debug.c \
+ pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c radij.h rangetoa.c \
+ pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \
+ satot.c subnetof.c subnettoa.c subnettot.c \
+ subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \
+ ultoa.c ultot.c version.c
+
+INCLUDES = -I$(top_srcdir)/src/pluto
+dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \
+ keyblobtoid.3 optionsfrom.3 portof.3 prng.3 rangetosubnet.3 sameaddr.3 subnetof.3 \
+ ttoaddr.3 ttodata.3 ttosa.3 ttoul.3 version.3
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libfreeswan/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libfreeswan/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+clean-noinstLIBRARIES:
+ -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES)
+libfreeswan.a: $(libfreeswan_a_OBJECTS) $(libfreeswan_a_DEPENDENCIES)
+ -rm -f libfreeswan.a
+ $(libfreeswan_a_AR) libfreeswan.a $(libfreeswan_a_OBJECTS) $(libfreeswan_a_LIBADD)
+ $(RANLIB) libfreeswan.a
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrtoa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrtot.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrtypeof.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/anyaddr.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoaddr.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoasr.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atosa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atosubnet.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoul.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/copyright.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/datatot.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/goodmask.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initaddr.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initsaid.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initsubnet.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyblobtoid.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optionsfrom.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_build.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_debug.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_ext_bits.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_parse.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/portof.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prng.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rangetoa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rangetosubnet.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sameaddr.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/satoa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/satot.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnetof.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnettoa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnettot.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnettypeof.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttoaddr.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttodata.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttoprotoport.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttosa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttosubnet.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttoul.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ultoa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ultot.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/version.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+install-man3: $(man3_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man3dir)" || $(mkdir_p) "$(DESTDIR)$(man3dir)"
+ @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.3*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 3*) ;; \
+ *) ext='3' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man3dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man3dir)/$$inst"; \
+ done
+uninstall-man3:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man3_MANS) $(dist_man3_MANS) $(nodist_man3_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.3*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 3*) ;; \
+ *) ext='3' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man3dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man3dir)/$$inst"; \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LIBRARIES) $(MANS)
+installdirs:
+ for dir in "$(DESTDIR)$(man3dir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-libtool distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-man
+
+install-exec-am:
+
+install-info: install-info-am
+
+install-man: install-man3
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-info-am uninstall-man
+
+uninstall-man: uninstall-man3
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLIBRARIES ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-exec \
+ install-exec-am install-info install-info-am install-man \
+ install-man3 install-strip installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
+ uninstall-am uninstall-info-am uninstall-man uninstall-man3
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/linux/lib/libfreeswan/addrtoa.c b/src/libfreeswan/addrtoa.c
index b1cc038ed..b1cc038ed 100644
--- a/linux/lib/libfreeswan/addrtoa.c
+++ b/src/libfreeswan/addrtoa.c
diff --git a/linux/lib/libfreeswan/addrtot.c b/src/libfreeswan/addrtot.c
index f229789f0..f229789f0 100644
--- a/linux/lib/libfreeswan/addrtot.c
+++ b/src/libfreeswan/addrtot.c
diff --git a/linux/lib/libfreeswan/addrtypeof.c b/src/libfreeswan/addrtypeof.c
index e63509911..e63509911 100644
--- a/linux/lib/libfreeswan/addrtypeof.c
+++ b/src/libfreeswan/addrtypeof.c
diff --git a/linux/lib/libfreeswan/anyaddr.3 b/src/libfreeswan/anyaddr.3
index 4594a9ff9..4594a9ff9 100644
--- a/linux/lib/libfreeswan/anyaddr.3
+++ b/src/libfreeswan/anyaddr.3
diff --git a/linux/lib/libfreeswan/anyaddr.c b/src/libfreeswan/anyaddr.c
index 08aae6334..08aae6334 100644
--- a/linux/lib/libfreeswan/anyaddr.c
+++ b/src/libfreeswan/anyaddr.c
diff --git a/linux/lib/libfreeswan/atoaddr.3 b/src/libfreeswan/atoaddr.3
index a7dc8dca3..a7dc8dca3 100644
--- a/linux/lib/libfreeswan/atoaddr.3
+++ b/src/libfreeswan/atoaddr.3
diff --git a/linux/lib/libfreeswan/atoaddr.c b/src/libfreeswan/atoaddr.c
index 0c787b10d..0c787b10d 100644
--- a/linux/lib/libfreeswan/atoaddr.c
+++ b/src/libfreeswan/atoaddr.c
diff --git a/linux/lib/libfreeswan/atoasr.3 b/src/libfreeswan/atoasr.3
index 1bd805db1..1bd805db1 100644
--- a/linux/lib/libfreeswan/atoasr.3
+++ b/src/libfreeswan/atoasr.3
diff --git a/linux/lib/libfreeswan/atoasr.c b/src/libfreeswan/atoasr.c
index a68409bfb..a68409bfb 100644
--- a/linux/lib/libfreeswan/atoasr.c
+++ b/src/libfreeswan/atoasr.c
diff --git a/linux/lib/libfreeswan/atosa.3 b/src/libfreeswan/atosa.3
index 116483a73..116483a73 100644
--- a/linux/lib/libfreeswan/atosa.3
+++ b/src/libfreeswan/atosa.3
diff --git a/linux/lib/libfreeswan/atosa.c b/src/libfreeswan/atosa.c
index cc3b055d0..cc3b055d0 100644
--- a/linux/lib/libfreeswan/atosa.c
+++ b/src/libfreeswan/atosa.c
diff --git a/linux/lib/libfreeswan/atosubnet.c b/src/libfreeswan/atosubnet.c
index 9300c2895..9300c2895 100644
--- a/linux/lib/libfreeswan/atosubnet.c
+++ b/src/libfreeswan/atosubnet.c
diff --git a/linux/lib/libfreeswan/atoul.3 b/src/libfreeswan/atoul.3
index a606fa4a9..a606fa4a9 100644
--- a/linux/lib/libfreeswan/atoul.3
+++ b/src/libfreeswan/atoul.3
diff --git a/linux/lib/libfreeswan/atoul.c b/src/libfreeswan/atoul.c
index e32a8cdab..e32a8cdab 100644
--- a/linux/lib/libfreeswan/atoul.c
+++ b/src/libfreeswan/atoul.c
diff --git a/linux/lib/libfreeswan/copyright.c b/src/libfreeswan/copyright.c
index 0e836f6c2..0e836f6c2 100644
--- a/linux/lib/libfreeswan/copyright.c
+++ b/src/libfreeswan/copyright.c
diff --git a/linux/lib/libfreeswan/datatot.c b/src/libfreeswan/datatot.c
index fbeb35fa9..fbeb35fa9 100644
--- a/linux/lib/libfreeswan/datatot.c
+++ b/src/libfreeswan/datatot.c
diff --git a/linux/include/freeswan.h b/src/libfreeswan/freeswan.h
index 4ef948b0a..b1bca870d 100644
--- a/linux/include/freeswan.h
+++ b/src/libfreeswan/freeswan.h
@@ -43,7 +43,7 @@
#endif /* __KERNEL__ */
-#include <freeswan/ipsec_param.h>
+#include <ipsec_param.h>
/*
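Review bot: `#include <ipsec_param.h>` uses the angle-bracket form for a header that this commit places in the same directory as freeswan.h (src/libfreeswan), so which file is found depends entirely on the `-I` search order of whoever includes freeswan.h. The quoted form, `#include "ipsec_param.h"`, looks next to the including file first and matches the `#include "ipsec_sa.h"` this commit uses in pfkey_v2_build.c. It also rules out a same-named header from another include directory being picked up instead, should a consumer's include path lack src/libfreeswan.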
@@ -75,15 +75,8 @@
# define DEBUG_NO_STATIC static
#endif /* CONFIG_IPSEC_DEBUG */
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL /* KERNEL ifdef */
-#ifndef NAT_TRAVERSAL
-#define NAT_TRAVERSAL
-#endif
-#endif
-#ifdef NAT_TRAVERSAL
#define ESPINUDP_WITH_NON_IKE 1 /* draft-ietf-ipsec-nat-t-ike-00/01 */
#define ESPINUDP_WITH_NON_ESP 2 /* draft-ietf-ipsec-nat-t-ike-02 */
-#endif
/*
* Basic data types for the address-handling functions.
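Review bot: With the `#ifdef CONFIG_IPSEC_NAT_TRAVERSAL` / `#define NAT_TRAVERSAL` block removed, this header no longer defines `NAT_TRAVERSAL`. Unless the build defines it some other way, any code still wrapped in `#ifdef NAT_TRAVERSAL` would be compiled out silently rather than fail to build. The pfkey.h and pfkey_v2_build.c hunks in this commit drop their own guards, which suggests NAT-T is meant to be unconditional, but files outside this view cannot be checked from here. A search for remaining `NAT_TRAVERSAL` tests would confirm it, and a comment above the two constants, `/* UDP encapsulation types for NAT-T; always defined */`, would record that they are no longer optional.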
diff --git a/linux/lib/libfreeswan/goodmask.3 b/src/libfreeswan/goodmask.3
index 4a573e51e..4a573e51e 100644
--- a/linux/lib/libfreeswan/goodmask.3
+++ b/src/libfreeswan/goodmask.3
diff --git a/linux/lib/libfreeswan/goodmask.c b/src/libfreeswan/goodmask.c
index fe7a42335..fe7a42335 100644
--- a/linux/lib/libfreeswan/goodmask.c
+++ b/src/libfreeswan/goodmask.c
diff --git a/linux/lib/libfreeswan/initaddr.3 b/src/libfreeswan/initaddr.3
index b963f21cc..b963f21cc 100644
--- a/linux/lib/libfreeswan/initaddr.3
+++ b/src/libfreeswan/initaddr.3
diff --git a/linux/lib/libfreeswan/initaddr.c b/src/libfreeswan/initaddr.c
index c215f6bdf..c215f6bdf 100644
--- a/linux/lib/libfreeswan/initaddr.c
+++ b/src/libfreeswan/initaddr.c
diff --git a/linux/lib/libfreeswan/initsaid.c b/src/libfreeswan/initsaid.c
index 4790f6981..4790f6981 100644
--- a/linux/lib/libfreeswan/initsaid.c
+++ b/src/libfreeswan/initsaid.c
diff --git a/linux/lib/libfreeswan/initsubnet.3 b/src/libfreeswan/initsubnet.3
index 670f71778..670f71778 100644
--- a/linux/lib/libfreeswan/initsubnet.3
+++ b/src/libfreeswan/initsubnet.3
diff --git a/linux/lib/libfreeswan/initsubnet.c b/src/libfreeswan/initsubnet.c
index 75ca72f36..75ca72f36 100644
--- a/linux/lib/libfreeswan/initsubnet.c
+++ b/src/libfreeswan/initsubnet.c
diff --git a/linux/lib/libfreeswan/internal.h b/src/libfreeswan/internal.h
index 16ad78da0..16ad78da0 100644
--- a/linux/lib/libfreeswan/internal.h
+++ b/src/libfreeswan/internal.h
diff --git a/linux/include/freeswan/ipcomp.h b/src/libfreeswan/ipcomp.h
index ed8095517..ed8095517 100644
--- a/linux/include/freeswan/ipcomp.h
+++ b/src/libfreeswan/ipcomp.h
diff --git a/linux/include/freeswan/ipsec_ah.h b/src/libfreeswan/ipsec_ah.h
index e088288d3..e088288d3 100644
--- a/linux/include/freeswan/ipsec_ah.h
+++ b/src/libfreeswan/ipsec_ah.h
diff --git a/linux/include/freeswan/ipsec_alg.h b/src/libfreeswan/ipsec_alg.h
index a393784b1..a393784b1 100644
--- a/linux/include/freeswan/ipsec_alg.h
+++ b/src/libfreeswan/ipsec_alg.h
diff --git a/linux/include/freeswan/ipsec_encap.h b/src/libfreeswan/ipsec_encap.h
index 17cd69269..17cd69269 100644
--- a/linux/include/freeswan/ipsec_encap.h
+++ b/src/libfreeswan/ipsec_encap.h
diff --git a/linux/include/freeswan/ipsec_eroute.h b/src/libfreeswan/ipsec_eroute.h
index 2ee2a10b8..2ee2a10b8 100644
--- a/linux/include/freeswan/ipsec_eroute.h
+++ b/src/libfreeswan/ipsec_eroute.h
diff --git a/linux/include/freeswan/ipsec_errs.h b/src/libfreeswan/ipsec_errs.h
index f14b5e675..f14b5e675 100644
--- a/linux/include/freeswan/ipsec_errs.h
+++ b/src/libfreeswan/ipsec_errs.h
diff --git a/linux/include/freeswan/ipsec_esp.h b/src/libfreeswan/ipsec_esp.h
index c7d5ea15d..c7d5ea15d 100644
--- a/linux/include/freeswan/ipsec_esp.h
+++ b/src/libfreeswan/ipsec_esp.h
diff --git a/linux/include/freeswan/ipsec_ipe4.h b/src/libfreeswan/ipsec_ipe4.h
index 73b6ae899..73b6ae899 100644
--- a/linux/include/freeswan/ipsec_ipe4.h
+++ b/src/libfreeswan/ipsec_ipe4.h
diff --git a/linux/include/freeswan/ipsec_kversion.h b/src/libfreeswan/ipsec_kversion.h
index 7bf56ac7f..7bf56ac7f 100644
--- a/linux/include/freeswan/ipsec_kversion.h
+++ b/src/libfreeswan/ipsec_kversion.h
diff --git a/linux/include/freeswan/ipsec_life.h b/src/libfreeswan/ipsec_life.h
index 4cf270272..4cf270272 100644
--- a/linux/include/freeswan/ipsec_life.h
+++ b/src/libfreeswan/ipsec_life.h
diff --git a/linux/include/freeswan/ipsec_md5h.h b/src/libfreeswan/ipsec_md5h.h
index 3fc54bc82..3fc54bc82 100644
--- a/linux/include/freeswan/ipsec_md5h.h
+++ b/src/libfreeswan/ipsec_md5h.h
diff --git a/linux/include/freeswan/ipsec_param.h b/src/libfreeswan/ipsec_param.h
index 02b36e6a3..02b36e6a3 100644
--- a/linux/include/freeswan/ipsec_param.h
+++ b/src/libfreeswan/ipsec_param.h
diff --git a/linux/include/freeswan/ipsec_policy.h b/src/libfreeswan/ipsec_policy.h
index 90b58ad52..671919e4b 100644
--- a/linux/include/freeswan/ipsec_policy.h
+++ b/src/libfreeswan/ipsec_policy.h
@@ -149,10 +149,10 @@ enum ipsec_id_type {
* RFC 2408 ISAKMP, chapter 3.9
*/
enum ipsec_cert_type {
- CERT_NONE= 0,
- CERT_PKCS7_WRAPPED_X509= 1, /* self-signed certificate from disk */
+ CERT_NONE= 0,
+ CERT_PKCS7_WRAPPED_X509= 1,
CERT_PGP= 2,
- CERT_DNS_SIGNED_KEY= 3, /* KEY RR from DNS */
+ CERT_DNS_SIGNED_KEY= 3,
CERT_X509_SIGNATURE= 4,
CERT_X509_KEY_EXCHANGE= 5,
CERT_KERBEROS_TOKENS= 6,
@@ -160,7 +160,7 @@ enum ipsec_cert_type {
CERT_ARL= 8,
CERT_SPKI= 9,
CERT_X509_ATTRIBUTE= 10,
- CERT_RAW_RSA= 11, /* raw RSA from config file */
+ CERT_RAW_RSA_KEY= 11
};
/* a SIG record in ASCII */
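Review bot: `CERT_RAW_RSA_KEY= 11` sits under a comment citing RFC 2408 section 3.9, but as I read that section its list ends at 10 (X.509 attribute) and 11 upward is reserved. The removed comment at least marked this entry as a local, config-file value. I would keep a marker on the line, e.g. `CERT_RAW_RSA_KEY= 11 /* not an RFC 2408 type: raw RSA key */`, so nobody assumes an ISAKMP peer will send or accept it. The rename from `CERT_RAW_RSA` also needs every user outside this hunk updated; the enum itself opens in the previous hunk.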
diff --git a/linux/include/freeswan/ipsec_proto.h b/src/libfreeswan/ipsec_proto.h
index 55f947512..55f947512 100644
--- a/linux/include/freeswan/ipsec_proto.h
+++ b/src/libfreeswan/ipsec_proto.h
diff --git a/linux/include/freeswan/ipsec_radij.h b/src/libfreeswan/ipsec_radij.h
index 7776dd8e4..7776dd8e4 100644
--- a/linux/include/freeswan/ipsec_radij.h
+++ b/src/libfreeswan/ipsec_radij.h
diff --git a/linux/include/freeswan/ipsec_rcv.h b/src/libfreeswan/ipsec_rcv.h
index 3ae239bf9..3ae239bf9 100644
--- a/linux/include/freeswan/ipsec_rcv.h
+++ b/src/libfreeswan/ipsec_rcv.h
diff --git a/linux/include/freeswan/ipsec_sa.h b/src/libfreeswan/ipsec_sa.h
index 555df42d3..555df42d3 100644
--- a/linux/include/freeswan/ipsec_sa.h
+++ b/src/libfreeswan/ipsec_sa.h
diff --git a/linux/include/freeswan/ipsec_sha1.h b/src/libfreeswan/ipsec_sha1.h
index 116170e6b..116170e6b 100644
--- a/linux/include/freeswan/ipsec_sha1.h
+++ b/src/libfreeswan/ipsec_sha1.h
diff --git a/linux/include/freeswan/ipsec_stats.h b/src/libfreeswan/ipsec_stats.h
index e4be11d29..e4be11d29 100644
--- a/linux/include/freeswan/ipsec_stats.h
+++ b/src/libfreeswan/ipsec_stats.h
diff --git a/linux/include/freeswan/ipsec_tunnel.h b/src/libfreeswan/ipsec_tunnel.h
index 3b25e95e1..3b25e95e1 100644
--- a/linux/include/freeswan/ipsec_tunnel.h
+++ b/src/libfreeswan/ipsec_tunnel.h
diff --git a/linux/include/freeswan/ipsec_xform.h b/src/libfreeswan/ipsec_xform.h
index 1dc6b6083..1dc6b6083 100644
--- a/linux/include/freeswan/ipsec_xform.h
+++ b/src/libfreeswan/ipsec_xform.h
diff --git a/linux/include/freeswan/ipsec_xmit.h b/src/libfreeswan/ipsec_xmit.h
index 033984886..033984886 100644
--- a/linux/include/freeswan/ipsec_xmit.h
+++ b/src/libfreeswan/ipsec_xmit.h
diff --git a/linux/lib/libfreeswan/keyblobtoid.3 b/src/libfreeswan/keyblobtoid.3
index be381531a..be381531a 100644
--- a/linux/lib/libfreeswan/keyblobtoid.3
+++ b/src/libfreeswan/keyblobtoid.3
diff --git a/linux/lib/libfreeswan/keyblobtoid.c b/src/libfreeswan/keyblobtoid.c
index 7798601cf..7798601cf 100644
--- a/linux/lib/libfreeswan/keyblobtoid.c
+++ b/src/libfreeswan/keyblobtoid.c
diff --git a/linux/lib/libfreeswan/optionsfrom.3 b/src/libfreeswan/optionsfrom.3
index e270475bd..e270475bd 100644
--- a/linux/lib/libfreeswan/optionsfrom.3
+++ b/src/libfreeswan/optionsfrom.3
diff --git a/linux/lib/libfreeswan/optionsfrom.c b/src/libfreeswan/optionsfrom.c
index d96a3124d..d96a3124d 100644
--- a/linux/lib/libfreeswan/optionsfrom.c
+++ b/src/libfreeswan/optionsfrom.c
diff --git a/linux/include/pfkey.h b/src/libfreeswan/pfkey.h
index f858cd95e..afa5ce032 100644
--- a/linux/include/pfkey.h
+++ b/src/libfreeswan/pfkey.h
@@ -242,12 +242,12 @@ pfkey_ident_build(struct sadb_ext** pfkey_ext,
uint8_t ident_len,
char* ident_string);
-#ifdef NAT_TRAVERSAL
#ifdef __KERNEL__
extern int pfkey_nat_t_new_mapping(struct ipsec_sa *, struct sockaddr *, __u16);
extern int pfkey_x_nat_t_type_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr);
extern int pfkey_x_nat_t_port_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr);
#endif /* __KERNEL__ */
+
int
pfkey_x_nat_t_type_build(struct sadb_ext** pfkey_ext,
uint8_t type);
@@ -255,7 +255,6 @@ int
pfkey_x_nat_t_port_build(struct sadb_ext** pfkey_ext,
uint16_t exttype,
uint16_t port);
-#endif
int
pfkey_sens_build(struct sadb_ext** pfkey_ext,
@@ -267,7 +266,8 @@ pfkey_sens_build(struct sadb_ext** pfkey_ext,
uint8_t integ_len,
uint64_t* integ_bitmap);
-int pfkey_x_protocol_build(struct sadb_ext **, uint8_t);
+int
+pfkey_x_protocol_build(struct sadb_ext **, uint8_t);
int
diff --git a/linux/lib/libfreeswan/pfkey_v2_build.c b/src/libfreeswan/pfkey_v2_build.c
index be58c552f..340c12cfe 100644
--- a/linux/lib/libfreeswan/pfkey_v2_build.c
+++ b/src/libfreeswan/pfkey_v2_build.c
@@ -87,7 +87,7 @@ void (*pfkey_debug_func)(const char *message, ...) PRINTF_LIKE(1);
KLIPS_PRINT(debug_pfkey, "klips_debug:" args)
#endif /* __KERNEL__ */
-#include "freeswan/ipsec_sa.h" /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
+#include "ipsec_sa.h" /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
@@ -454,9 +454,7 @@ pfkey_address_build(struct sadb_ext** pfkey_ext,
case SADB_X_EXT_ADDRESS_DST_FLOW:
case SADB_X_EXT_ADDRESS_SRC_MASK:
case SADB_X_EXT_ADDRESS_DST_MASK:
-#ifdef NAT_TRAVERSAL
case SADB_X_EXT_NAT_T_OA:
-#endif
break;
default:
DEBUGGING(
@@ -1164,7 +1162,6 @@ errlab:
return error;
}
-#ifdef NAT_TRAVERSAL
int
pfkey_x_nat_t_type_build(struct sadb_ext** pfkey_ext,
uint8_t type)
@@ -1208,6 +1205,7 @@ pfkey_x_nat_t_type_build(struct sadb_ext** pfkey_ext,
errlab:
return error;
}
+
int
pfkey_x_nat_t_port_build(struct sadb_ext** pfkey_ext,
uint16_t exttype,
@@ -1261,7 +1259,6 @@ pfkey_x_nat_t_port_build(struct sadb_ext** pfkey_ext,
errlab:
return error;
}
-#endif
int pfkey_x_protocol_build(struct sadb_ext **pfkey_ext,
uint8_t protocol)
diff --git a/linux/lib/libfreeswan/pfkey_v2_debug.c b/src/libfreeswan/pfkey_v2_debug.c
index 2f2ddd3b1..8430766aa 100644
--- a/linux/lib/libfreeswan/pfkey_v2_debug.c
+++ b/src/libfreeswan/pfkey_v2_debug.c
@@ -80,12 +80,10 @@ static char *pfkey_sadb_ext_strings[]={
"X-source-mask", /* SADB_X_EXT_ADDRESS_SRC_MASK 23 */
"X-dest-mask", /* SADB_X_EXT_ADDRESS_DST_MASK 24 */
"X-set-debug", /* SADB_X_EXT_DEBUG 25 */
-#ifdef NAT_TRAVERSAL
"X-NAT-T-type", /* SADB_X_EXT_NAT_T_TYPE 26 */
"X-NAT-T-sport", /* SADB_X_EXT_NAT_T_SPORT 27 */
"X-NAT-T-dport", /* SADB_X_EXT_NAT_T_DPORT 28 */
"X-NAT-T-OA", /* SADB_X_EXT_NAT_T_OA 29 */
-#endif
};
const char *
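Review bot: The NAT-T names in `pfkey_sadb_ext_strings` are labelled 26–29, but the `pfkeyv2.h` hunk of this same commit defines `SADB_X_EXT_PROTOCOL` as 26 and the NAT-T extensions as 27–30 with `SADB_EXT_MAX 30`, so the visible tail of the table has no slot for the protocol extension. With the `#ifdef` removed this layout is always compiled, so each NAT-T extension is logged under its neighbour's name. If the lookup function that follows (outside this hunk) bounds its index by `SADB_EXT_MAX`, index 30 also reads one element past the array. I would add `"X-protocol", /* SADB_X_EXT_PROTOCOL 26 */` after the `X-set-debug` entry and renumber the four NAT-T comments to 27–30. The earlier part of the table is not visible here and should be checked against the header as well.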
diff --git a/linux/lib/libfreeswan/pfkey_v2_ext_bits.c b/src/libfreeswan/pfkey_v2_ext_bits.c
index fe3f45306..b41941848 100644
--- a/linux/lib/libfreeswan/pfkey_v2_ext_bits.c
+++ b/src/libfreeswan/pfkey_v2_ext_bits.c
@@ -89,10 +89,8 @@ unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/]
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
-#ifdef NAT_TRAVERSAL
| 1<<SADB_X_EXT_NAT_T_SPORT
| 1<<SADB_X_EXT_NAT_T_DPORT
-#endif
,
/* SADB_ADD */
1<<SADB_EXT_RESERVED
@@ -107,12 +105,10 @@ unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/]
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
-#ifdef NAT_TRAVERSAL
| 1<<SADB_X_EXT_NAT_T_TYPE
| 1<<SADB_X_EXT_NAT_T_SPORT
| 1<<SADB_X_EXT_NAT_T_DPORT
| 1<<SADB_X_EXT_NAT_T_OA
-#endif
,
/* SADB_DELETE */
1<<SADB_EXT_RESERVED
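Review bot: `1<<SADB_X_EXT_NAT_T_OA` is now an unconditional shift of a signed `int` by 30 (per the `pfkeyv2.h` hunk) into an `unsigned int` bitmap, which leaves one spare bit before a further extension id would shift into the sign bit. Going by the `in/out` and `perm/req` dimensions in the declaration, these bitmaps decide which extensions a message type may or must carry, so I would write the masks as `1U<<...` and add a compile-time check beside the array that `SADB_EXT_MAX` is below the bit width of `unsigned int`. The same applies to the NAT-T masks in the later hunks of this file. The array initialiser begins and ends outside this hunk.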
@@ -229,7 +225,6 @@ unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/]
/* SADB_X_DEBUG */
1<<SADB_EXT_RESERVED
| 1<<SADB_X_EXT_DEBUG
-#ifdef NAT_TRAVERSAL
,
/* SADB_X_NAT_T_NEW_MAPPING */
1<<SADB_EXT_RESERVED
@@ -238,7 +233,6 @@ unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/]
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_X_EXT_NAT_T_SPORT
| 1<<SADB_X_EXT_NAT_T_DPORT
-#endif
},
/* REQUIRED IN */
@@ -374,7 +368,6 @@ unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/]
/* SADB_X_DEBUG */
1<<SADB_EXT_RESERVED
| 1<<SADB_X_EXT_DEBUG
-#ifdef NAT_TRAVERSAL
,
/* SADB_X_NAT_T_NEW_MAPPING */
1<<SADB_EXT_RESERVED
@@ -383,7 +376,6 @@ unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/]
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_X_EXT_NAT_T_SPORT
| 1<<SADB_X_EXT_NAT_T_DPORT
-#endif
}
},
@@ -425,12 +417,10 @@ unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/]
| 1<<SADB_EXT_IDENTITY_SRC
| 1<<SADB_EXT_IDENTITY_DST
| 1<<SADB_EXT_SENSITIVITY
-#ifdef NAT_TRAVERSAL
| 1<<SADB_X_EXT_NAT_T_TYPE
| 1<<SADB_X_EXT_NAT_T_SPORT
| 1<<SADB_X_EXT_NAT_T_DPORT
| 1<<SADB_X_EXT_NAT_T_OA
-#endif
,
/* SADB_DELETE */
1<<SADB_EXT_RESERVED
@@ -572,7 +562,6 @@ unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/]
/* SADB_X_DEBUG */
1<<SADB_EXT_RESERVED
| 1<<SADB_X_EXT_DEBUG
-#ifdef NAT_TRAVERSAL
,
/* SADB_X_NAT_T_NEW_MAPPING */
1<<SADB_EXT_RESERVED
@@ -581,7 +570,6 @@ unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/]
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_X_EXT_NAT_T_SPORT
| 1<<SADB_X_EXT_NAT_T_DPORT
-#endif
},
/* REQUIRED OUT */
@@ -723,7 +711,6 @@ unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/]
/* SADB_X_DEBUG */
1<<SADB_EXT_RESERVED
| 1<<SADB_X_EXT_DEBUG
-#ifdef NAT_TRAVERSAL
,
/* SADB_X_NAT_T_NEW_MAPPING */
1<<SADB_EXT_RESERVED
@@ -732,7 +719,6 @@ unsigned int extensions_bitmaps[2/*in/out*/][2/*perm/req*/][SADB_MAX + 1/*ext*/]
| 1<<SADB_EXT_ADDRESS_DST
| 1<<SADB_X_EXT_NAT_T_SPORT
| 1<<SADB_X_EXT_NAT_T_DPORT
-#endif
}
}
};
diff --git a/linux/lib/libfreeswan/pfkey_v2_parse.c b/src/libfreeswan/pfkey_v2_parse.c
index bb6962fa8..440aa8c1d 100644
--- a/linux/lib/libfreeswan/pfkey_v2_parse.c
+++ b/src/libfreeswan/pfkey_v2_parse.c
@@ -49,9 +49,9 @@ char pfkey_v2_parse_c_version[] = "$Id: pfkey_v2_parse.c,v 1.4 2004/06/13 20:35:
# endif /* if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) */
extern int debug_pfkey;
-# include <freeswan.h>
+#include "freeswan.h"
-#include "freeswan/ipsec_encap.h"
+#include "ipsec_encap.h"
#else /* __KERNEL__ */
@@ -60,9 +60,9 @@ extern int debug_pfkey;
# include <linux/errno.h>
# include <freeswan.h>
-# include "programs/pluto/constants.h"
-# include "programs/pluto/defs.h" /* for PRINTF_LIKE */
-# include "programs/pluto/log.h" /* for debugging and DBG_log */
+# include <constants.h>
+# include <defs.h> /* for PRINTF_LIKE */
+# include <log.h> /* for debugging and DBG_log */
/* #define PLUTO */
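Review bot: `<constants.h>`, `<defs.h>` and `<log.h>` are very generic names to resolve through the include search path. Which file is picked now depends on the order of the `-I` directories, and an earlier directory that happens to carry a `log.h` or `defs.h` would be compiled in without any diagnostic. The kernel branch of this file switches to the quoted form (`#include "freeswan.h"`) in the previous hunk while this branch keeps `# include <freeswan.h>`, so the two halves are also inconsistent. I would at least record the origin in the comment, e.g. `# include <log.h> /* pluto's log.h, for debugging and DBG_log */`, and settle on one include style for project headers.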
@@ -86,7 +86,7 @@ extern int sysctl_ipsec_debug_verbose;
|| (sysctl_ipsec_debug_verbose && (debug_pfkey & level & PF_KEY_DEBUG_PARSE_FLOW))) \
, "klips_debug:" args)
#endif /* __KERNEL__ */
-#include "freeswan/ipsec_sa.h" /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
+#include "ipsec_sa.h" /* IPSEC_SAREF_NULL, IPSEC_SA_REF_TABLE_IDX_WIDTH */
#define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
@@ -387,9 +387,7 @@ pfkey_address_parse(struct sadb_ext *pfkey_ext)
case SADB_X_EXT_ADDRESS_DST_FLOW:
case SADB_X_EXT_ADDRESS_SRC_MASK:
case SADB_X_EXT_ADDRESS_DST_MASK:
-#ifdef NAT_TRAVERSAL
case SADB_X_EXT_NAT_T_OA:
-#endif
break;
default:
DEBUGGING(PF_KEY_DEBUG_PARSE_PROBLEM,
@@ -1156,18 +1154,17 @@ pfkey_x_ext_protocol_parse(struct sadb_ext *pfkey_ext)
return error;
}
-#ifdef NAT_TRAVERSAL
DEBUG_NO_STATIC int
pfkey_x_ext_nat_t_type_parse(struct sadb_ext *pfkey_ext)
{
return 0;
}
+
DEBUG_NO_STATIC int
pfkey_x_ext_nat_t_port_parse(struct sadb_ext *pfkey_ext)
{
return 0;
}
-#endif
#define DEFINEPARSER(NAME) static struct pf_key_ext_parsers_def NAME##_def={NAME, #NAME};
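Review bot: `pfkey_x_ext_nat_t_type_parse` and `pfkey_x_ext_nat_t_port_parse` return 0 without looking at the extension, and dropping the `#ifdef` makes these stubs the always-registered validators for the NAT-T type and port extensions (see the `ext_default_parsers` hunk below). Unless the caller outside this hunk already enforces the exact size, a truncated or oversized extension would be accepted here and its fields read later. I would reject a NULL pointer and any length other than one structure, as sketched below. `IPSEC_PFKEYv2_ALIGN` is assumed to be the 64-bit word constant used by the other parsers in this file, and the error return should follow whatever convention they use (`SENDERR` is defined above).

```c
DEBUG_NO_STATIC int
pfkey_x_ext_nat_t_type_parse(struct sadb_ext *pfkey_ext)
{
	/* the extension must be exactly one sadb_x_nat_t_type, counted in 64-bit words */
	if (pfkey_ext == NULL
	    || pfkey_ext->sadb_ext_len != sizeof(struct sadb_x_nat_t_type) / IPSEC_PFKEYv2_ALIGN) {
		return -EINVAL;
	}
	return 0;
}

DEBUG_NO_STATIC int
pfkey_x_ext_nat_t_port_parse(struct sadb_ext *pfkey_ext)
{
	/* same size rule for the source and destination port extensions */
	if (pfkey_ext == NULL
	    || pfkey_ext->sadb_ext_len != sizeof(struct sadb_x_nat_t_port) / IPSEC_PFKEYv2_ALIGN) {
		return -EINVAL;
	}
	return 0;
}
```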
@@ -1184,10 +1181,8 @@ DEFINEPARSER(pfkey_x_kmprivate_parse);
DEFINEPARSER(pfkey_x_satype_parse);
DEFINEPARSER(pfkey_x_ext_debug_parse);
DEFINEPARSER(pfkey_x_ext_protocol_parse);
-#ifdef NAT_TRAVERSAL
DEFINEPARSER(pfkey_x_ext_nat_t_type_parse);
DEFINEPARSER(pfkey_x_ext_nat_t_port_parse);
-#endif
struct pf_key_ext_parsers_def *ext_default_parsers[]=
{
@@ -1217,14 +1212,11 @@ struct pf_key_ext_parsers_def *ext_default_parsers[]=
&pfkey_address_parse_def,
&pfkey_address_parse_def,
&pfkey_x_ext_debug_parse_def,
- &pfkey_x_ext_protocol_parse_def
-#ifdef NAT_TRAVERSAL
- ,
+ &pfkey_x_ext_protocol_parse_def ,
&pfkey_x_ext_nat_t_type_parse_def,
&pfkey_x_ext_nat_t_port_parse_def,
&pfkey_x_ext_nat_t_port_parse_def,
&pfkey_address_parse_def
-#endif
};
int
diff --git a/linux/include/pfkeyv2.h b/src/libfreeswan/pfkeyv2.h
index 48579e27a..07126f1b8 100644
--- a/linux/include/pfkeyv2.h
+++ b/src/libfreeswan/pfkeyv2.h
@@ -19,29 +19,25 @@ you leave this credit intact on any copies of this file.
#define PF_KEY_V2 2
#define PFKEYV2_REVISION 199806L
-#define SADB_RESERVED 0
-#define SADB_GETSPI 1
-#define SADB_UPDATE 2
-#define SADB_ADD 3
-#define SADB_DELETE 4
-#define SADB_GET 5
-#define SADB_ACQUIRE 6
-#define SADB_REGISTER 7
-#define SADB_EXPIRE 8
-#define SADB_FLUSH 9
-#define SADB_DUMP 10
-#define SADB_X_PROMISC 11
-#define SADB_X_PCHANGE 12
-#define SADB_X_GRPSA 13
-#define SADB_X_ADDFLOW 14
-#define SADB_X_DELFLOW 15
-#define SADB_X_DEBUG 16
-#ifdef NAT_TRAVERSAL
-#define SADB_X_NAT_T_NEW_MAPPING 17
-#define SADB_MAX 17
-#else
-#define SADB_MAX 16
-#endif
+#define SADB_RESERVED 0
+#define SADB_GETSPI 1
+#define SADB_UPDATE 2
+#define SADB_ADD 3
+#define SADB_DELETE 4
+#define SADB_GET 5
+#define SADB_ACQUIRE 6
+#define SADB_REGISTER 7
+#define SADB_EXPIRE 8
+#define SADB_FLUSH 9
+#define SADB_DUMP 10
+#define SADB_X_PROMISC 11
+#define SADB_X_PCHANGE 12
+#define SADB_X_GRPSA 13
+#define SADB_X_ADDFLOW 14
+#define SADB_X_DELFLOW 15
+#define SADB_X_DEBUG 16
+#define SADB_X_NAT_T_NEW_MAPPING 17
+#define SADB_MAX 17
struct sadb_msg {
uint8_t sadb_msg_version;
@@ -219,7 +215,6 @@ struct sadb_x_debug {
uint8_t sadb_x_debug_reserved[4];
};
-#ifdef NAT_TRAVERSAL
struct sadb_x_nat_t_type {
uint16_t sadb_x_nat_t_type_len;
uint16_t sadb_x_nat_t_type_exttype;
@@ -232,8 +227,7 @@ struct sadb_x_nat_t_port {
uint16_t sadb_x_nat_t_port_port;
uint16_t sadb_x_nat_t_port_reserved;
};
-#endif
-
+
/*
* A protocol structure for passing through the transport level
* protocol. It contains more fields than are actually used/needed
@@ -279,15 +273,11 @@ struct sadb_protocol {
#define SADB_X_EXT_ADDRESS_DST_MASK 24
#define SADB_X_EXT_DEBUG 25
#define SADB_X_EXT_PROTOCOL 26
-#ifdef NAT_TRAVERSAL
#define SADB_X_EXT_NAT_T_TYPE 27
#define SADB_X_EXT_NAT_T_SPORT 28
#define SADB_X_EXT_NAT_T_DPORT 29
#define SADB_X_EXT_NAT_T_OA 30
#define SADB_EXT_MAX 30
-#else
-#define SADB_EXT_MAX 26
-#endif
/* SADB_X_DELFLOW required over and above SADB_X_SAFLAGS_CLEARFLOW */
#define SADB_X_EXT_ADDRESS_DELFLOW \
diff --git a/linux/lib/libfreeswan/portof.3 b/src/libfreeswan/portof.3
index fac0d8bc3..fac0d8bc3 100644
--- a/linux/lib/libfreeswan/portof.3
+++ b/src/libfreeswan/portof.3
diff --git a/linux/lib/libfreeswan/portof.c b/src/libfreeswan/portof.c
index d028ea034..d028ea034 100644
--- a/linux/lib/libfreeswan/portof.c
+++ b/src/libfreeswan/portof.c
diff --git a/linux/lib/libfreeswan/prng.3 b/src/libfreeswan/prng.3
index 51f19364f..51f19364f 100644
--- a/linux/lib/libfreeswan/prng.3
+++ b/src/libfreeswan/prng.3
diff --git a/linux/lib/libfreeswan/prng.c b/src/libfreeswan/prng.c
index e31836783..e31836783 100644
--- a/linux/lib/libfreeswan/prng.c
+++ b/src/libfreeswan/prng.c
diff --git a/linux/include/freeswan/radij.h b/src/libfreeswan/radij.h
index 2a66093a0..2a66093a0 100644
--- a/linux/include/freeswan/radij.h
+++ b/src/libfreeswan/radij.h
diff --git a/linux/lib/libfreeswan/rangetoa.c b/src/libfreeswan/rangetoa.c
index e63b432f8..e63b432f8 100644
--- a/linux/lib/libfreeswan/rangetoa.c
+++ b/src/libfreeswan/rangetoa.c
diff --git a/linux/lib/libfreeswan/rangetosubnet.3 b/src/libfreeswan/rangetosubnet.3
index 7d707545e..7d707545e 100644
--- a/linux/lib/libfreeswan/rangetosubnet.3
+++ b/src/libfreeswan/rangetosubnet.3
diff --git a/linux/lib/libfreeswan/rangetosubnet.c b/src/libfreeswan/rangetosubnet.c
index 048b10556..048b10556 100644
--- a/linux/lib/libfreeswan/rangetosubnet.c
+++ b/src/libfreeswan/rangetosubnet.c
diff --git a/linux/lib/libfreeswan/sameaddr.3 b/src/libfreeswan/sameaddr.3
index 71be10761..71be10761 100644
--- a/linux/lib/libfreeswan/sameaddr.3
+++ b/src/libfreeswan/sameaddr.3
diff --git a/linux/lib/libfreeswan/sameaddr.c b/src/libfreeswan/sameaddr.c
index efc40796e..efc40796e 100644
--- a/linux/lib/libfreeswan/sameaddr.c
+++ b/src/libfreeswan/sameaddr.c
diff --git a/linux/lib/libfreeswan/satoa.c b/src/libfreeswan/satoa.c
index 410fb8437..410fb8437 100644
--- a/linux/lib/libfreeswan/satoa.c
+++ b/src/libfreeswan/satoa.c
diff --git a/linux/lib/libfreeswan/satot.c b/src/libfreeswan/satot.c
index 927f4ca1f..927f4ca1f 100644
--- a/linux/lib/libfreeswan/satot.c
+++ b/src/libfreeswan/satot.c
diff --git a/linux/lib/libfreeswan/subnetof.3 b/src/libfreeswan/subnetof.3
index 1911e499f..1911e499f 100644
--- a/linux/lib/libfreeswan/subnetof.3
+++ b/src/libfreeswan/subnetof.3
diff --git a/linux/lib/libfreeswan/subnetof.c b/src/libfreeswan/subnetof.c
index 1b288c591..1b288c591 100644
--- a/linux/lib/libfreeswan/subnetof.c
+++ b/src/libfreeswan/subnetof.c
diff --git a/linux/lib/libfreeswan/subnettoa.c b/src/libfreeswan/subnettoa.c
index 36cad8b88..36cad8b88 100644
--- a/linux/lib/libfreeswan/subnettoa.c
+++ b/src/libfreeswan/subnettoa.c
diff --git a/linux/lib/libfreeswan/subnettot.c b/src/libfreeswan/subnettot.c
index 0385d25e5..0385d25e5 100644
--- a/linux/lib/libfreeswan/subnettot.c
+++ b/src/libfreeswan/subnettot.c
diff --git a/linux/lib/libfreeswan/subnettypeof.c b/src/libfreeswan/subnettypeof.c
index 6f44b2e4b..6f44b2e4b 100644
--- a/linux/lib/libfreeswan/subnettypeof.c
+++ b/src/libfreeswan/subnettypeof.c
diff --git a/linux/lib/libfreeswan/ttoaddr.3 b/src/libfreeswan/ttoaddr.3
index 5bf48d4b2..5bf48d4b2 100644
--- a/linux/lib/libfreeswan/ttoaddr.3
+++ b/src/libfreeswan/ttoaddr.3
diff --git a/linux/lib/libfreeswan/ttoaddr.c b/src/libfreeswan/ttoaddr.c
index efcb33e9f..efcb33e9f 100644
--- a/linux/lib/libfreeswan/ttoaddr.c
+++ b/src/libfreeswan/ttoaddr.c
diff --git a/linux/lib/libfreeswan/ttodata.3 b/src/libfreeswan/ttodata.3
index 98bbe4ab3..98bbe4ab3 100644
--- a/linux/lib/libfreeswan/ttodata.3
+++ b/src/libfreeswan/ttodata.3
diff --git a/linux/lib/libfreeswan/ttodata.c b/src/libfreeswan/ttodata.c
index e1bf7606a..e1bf7606a 100644
--- a/linux/lib/libfreeswan/ttodata.c
+++ b/src/libfreeswan/ttodata.c
diff --git a/linux/lib/libfreeswan/ttoprotoport.c b/src/libfreeswan/ttoprotoport.c
index 46321838c..46321838c 100644
--- a/linux/lib/libfreeswan/ttoprotoport.c
+++ b/src/libfreeswan/ttoprotoport.c
diff --git a/linux/lib/libfreeswan/ttosa.3 b/src/libfreeswan/ttosa.3
index bf918e108..bf918e108 100644
--- a/linux/lib/libfreeswan/ttosa.3
+++ b/src/libfreeswan/ttosa.3
diff --git a/linux/lib/libfreeswan/ttosa.c b/src/libfreeswan/ttosa.c
index aa2283694..aa2283694 100644
--- a/linux/lib/libfreeswan/ttosa.c
+++ b/src/libfreeswan/ttosa.c
diff --git a/linux/lib/libfreeswan/ttosubnet.c b/src/libfreeswan/ttosubnet.c
index 7f5cddb82..7f5cddb82 100644
--- a/linux/lib/libfreeswan/ttosubnet.c
+++ b/src/libfreeswan/ttosubnet.c
diff --git a/linux/lib/libfreeswan/ttoul.3 b/src/libfreeswan/ttoul.3
index 67d4bd34f..67d4bd34f 100644
--- a/linux/lib/libfreeswan/ttoul.3
+++ b/src/libfreeswan/ttoul.3
diff --git a/linux/lib/libfreeswan/ttoul.c b/src/libfreeswan/ttoul.c
index 9c6193c68..9c6193c68 100644
--- a/linux/lib/libfreeswan/ttoul.c
+++ b/src/libfreeswan/ttoul.c
diff --git a/linux/lib/libfreeswan/ultoa.c b/src/libfreeswan/ultoa.c
index 2c2644826..2c2644826 100644
--- a/linux/lib/libfreeswan/ultoa.c
+++ b/src/libfreeswan/ultoa.c
diff --git a/linux/lib/libfreeswan/ultot.c b/src/libfreeswan/ultot.c
index edffa4a2d..edffa4a2d 100644
--- a/linux/lib/libfreeswan/ultot.c
+++ b/src/libfreeswan/ultot.c
diff --git a/linux/lib/libfreeswan/version.3 b/src/libfreeswan/version.3
index 06c5f01e3..06c5f01e3 100644
--- a/linux/lib/libfreeswan/version.3
+++ b/src/libfreeswan/version.3
diff --git a/linux/lib/libfreeswan/version.in.c b/src/libfreeswan/version.c
index b3556f721..3a947b1b9 100644
--- a/linux/lib/libfreeswan/version.in.c
+++ b/src/libfreeswan/version.c
@@ -21,9 +21,8 @@
#include "freeswan.h"
-#define V "xxx" /* substituted in by Makefile */
-static const char strongswan_number[] = V;
-static const char strongswan_string[] = "Linux strongSwan " V;
+static const char strongswan_number[] = VERSION;
+static const char strongswan_string[] = "Linux strongSwan " VERSION;
/*
- ipsec_version_code - return IPsec version number/code, as string
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
new file mode 100644
index 000000000..b103be193
--- /dev/null
+++ b/src/libstrongswan/Makefile.am
@@ -0,0 +1,69 @@
+lib_LTLIBRARIES = libstrongswan.la
+
+libstrongswan_la_SOURCES = \
+credential_store.h \
+library.c library.h \
+chunk.c chunk.h \
+debug.c debug.h \
+enum.c enum.h \
+printf_hook.c printf_hook.h \
+asn1/asn1.c asn1/asn1.h \
+asn1/oid.c asn1/oid.h \
+asn1/pem.c asn1/pem.h \
+asn1/ttodata.c asn1/ttodata.h \
+crypto/ca.c crypto/ca.h \
+crypto/certinfo.c crypto/certinfo.h \
+crypto/crl.c crypto/crl.h \
+crypto/crypters/crypter.c crypto/crypters/crypter.h \
+crypto/crypters/aes_cbc_crypter.c crypto/crypters/aes_cbc_crypter.h\
+crypto/crypters/des_crypter.c crypto/crypters/des_crypter.h\
+crypto/diffie_hellman.c crypto/diffie_hellman.h \
+crypto/hashers/hasher.h crypto/hashers/hasher.c \
+crypto/hashers/sha1_hasher.c crypto/hashers/sha1_hasher.h \
+crypto/hashers/sha2_hasher.c crypto/hashers/sha2_hasher.h \
+crypto/hashers/md5_hasher.c crypto/hashers/md5_hasher.h \
+crypto/hmac.c crypto/hmac.h \
+crypto/ocsp.c crypto/ocsp.h \
+crypto/prfs/fips_prf.c crypto/prfs/fips_prf.h \
+crypto/prfs/hmac_prf.c crypto/prfs/hmac_prf.h \
+crypto/prfs/prf.c crypto/prfs/prf.h \
+crypto/prf_plus.h crypto/prf_plus.c \
+crypto/rsa/rsa_private_key.c crypto/rsa/rsa_private_key.h \
+crypto/rsa/rsa_public_key.h crypto/rsa/rsa_public_key.c \
+crypto/signers/hmac_signer.c crypto/signers/hmac_signer.h \
+crypto/signers/signer.c crypto/signers/signer.h \
+crypto/x509.c crypto/x509.h \
+utils/fetcher.c utils/fetcher.h \
+utils/host.c utils/host.h \
+utils/identification.c utils/identification.h \
+utils/iterator.h \
+utils/leak_detective.c utils/leak_detective.h \
+utils/lexparser.c utils/lexparser.h \
+utils/linked_list.c utils/linked_list.h \
+utils/randomizer.c utils/randomizer.h
+
+libstrongswan_la_LIBADD = -lgmp -lpthread
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+EXTRA_DIST = asn1/oid.txt asn1/oid.pl
+BUILT_SOURCES = asn1/oid.c asn1/oid.h
+MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h
+
+if USE_LEAK_DETECTIVE
+ libstrongswan_la_LIBADD += -ldl
+ AM_CFLAGS = -DLEAK_DETECTIVE
+endif
+
+if USE_LIBCURL
+ libstrongswan_la_LIBADD += -lcurl
+endif
+
+if USE_LIBLDAP
+ libstrongswan_la_LIBADD += -lldap -llber
+endif
+
+asn1/oid.c : asn1/oid.txt asn1/oid.pl
+ cd asn1 && $(PERL) oid.pl
+
+asn1/oid.h : asn1/oid.txt asn1/oid.pl
+ cd asn1 && $(PERL) oid.pl
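Review bot: `asn1/oid.c` and `asn1/oid.h` are produced by the same `oid.pl` run but are declared as two independent rules, and both are listed in `BUILT_SOURCES`. A parallel build can therefore start the generator twice at once in the same directory and leave a truncated or mixed output that is then compiled into the OID tables. Making one output depend on the other serialises the run: keep the `asn1/oid.c` rule and replace the second rule with `asn1/oid.h : asn1/oid.c` and no recipe. Separately, `-DLEAK_DETECTIVE` is a preprocessor define and would sit more conventionally in `AM_CPPFLAGS` than in `AM_CFLAGS`.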
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
new file mode 100644
index 000000000..e5c5c758e
--- /dev/null
+++ b/src/libstrongswan/Makefile.in
@@ -0,0 +1,820 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+@USE_LEAK_DETECTIVE_TRUE@am__append_1 = -ldl
+@USE_LIBCURL_TRUE@am__append_2 = -lcurl
+@USE_LIBLDAP_TRUE@am__append_3 = -lldap -llber
+subdir = src/libstrongswan
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(libdir)"
+libLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(lib_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
+ printf_hook.lo asn1.lo oid.lo pem.lo ttodata.lo ca.lo \
+ certinfo.lo crl.lo crypter.lo aes_cbc_crypter.lo \
+ des_crypter.lo diffie_hellman.lo hasher.lo sha1_hasher.lo \
+ sha2_hasher.lo md5_hasher.lo hmac.lo ocsp.lo fips_prf.lo \
+ hmac_prf.lo prf.lo prf_plus.lo rsa_private_key.lo \
+ rsa_public_key.lo hmac_signer.lo signer.lo x509.lo fetcher.lo \
+ host.lo identification.lo leak_detective.lo lexparser.lo \
+ linked_list.lo randomizer.lo
+libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
+DEFAULT_INCLUDES = -I. -I$(srcdir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+lib_LTLIBRARIES = libstrongswan.la
+libstrongswan_la_SOURCES = \
+credential_store.h \
+library.c library.h \
+chunk.c chunk.h \
+debug.c debug.h \
+enum.c enum.h \
+printf_hook.c printf_hook.h \
+asn1/asn1.c asn1/asn1.h \
+asn1/oid.c asn1/oid.h \
+asn1/pem.c asn1/pem.h \
+asn1/ttodata.c asn1/ttodata.h \
+crypto/ca.c crypto/ca.h \
+crypto/certinfo.c crypto/certinfo.h \
+crypto/crl.c crypto/crl.h \
+crypto/crypters/crypter.c crypto/crypters/crypter.h \
+crypto/crypters/aes_cbc_crypter.c crypto/crypters/aes_cbc_crypter.h\
+crypto/crypters/des_crypter.c crypto/crypters/des_crypter.h\
+crypto/diffie_hellman.c crypto/diffie_hellman.h \
+crypto/hashers/hasher.h crypto/hashers/hasher.c \
+crypto/hashers/sha1_hasher.c crypto/hashers/sha1_hasher.h \
+crypto/hashers/sha2_hasher.c crypto/hashers/sha2_hasher.h \
+crypto/hashers/md5_hasher.c crypto/hashers/md5_hasher.h \
+crypto/hmac.c crypto/hmac.h \
+crypto/ocsp.c crypto/ocsp.h \
+crypto/prfs/fips_prf.c crypto/prfs/fips_prf.h \
+crypto/prfs/hmac_prf.c crypto/prfs/hmac_prf.h \
+crypto/prfs/prf.c crypto/prfs/prf.h \
+crypto/prf_plus.h crypto/prf_plus.c \
+crypto/rsa/rsa_private_key.c crypto/rsa/rsa_private_key.h \
+crypto/rsa/rsa_public_key.h crypto/rsa/rsa_public_key.c \
+crypto/signers/hmac_signer.c crypto/signers/hmac_signer.h \
+crypto/signers/signer.c crypto/signers/signer.h \
+crypto/x509.c crypto/x509.h \
+utils/fetcher.c utils/fetcher.h \
+utils/host.c utils/host.h \
+utils/identification.c utils/identification.h \
+utils/iterator.h \
+utils/leak_detective.c utils/leak_detective.h \
+utils/lexparser.c utils/lexparser.h \
+utils/linked_list.c utils/linked_list.h \
+utils/randomizer.c utils/randomizer.h
+
+libstrongswan_la_LIBADD = -lgmp -lpthread $(am__append_1) \
+ $(am__append_2) $(am__append_3)
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+EXTRA_DIST = asn1/oid.txt asn1/oid.pl
+BUILT_SOURCES = asn1/oid.c asn1/oid.h
+MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h
+@USE_LEAK_DETECTIVE_TRUE@AM_CFLAGS = -DLEAK_DETECTIVE
+all: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libstrongswan/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-libLTLIBRARIES: $(lib_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)"
+ @list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
+ $(LIBTOOL) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-libLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @set -x; list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
+ $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
+ done
+
+clean-libLTLIBRARIES:
+ -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+ @list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan.la: $(libstrongswan_la_OBJECTS) $(libstrongswan_la_DEPENDENCIES)
+ $(LINK) -rpath $(libdir) $(libstrongswan_la_LDFLAGS) $(libstrongswan_la_OBJECTS) $(libstrongswan_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/aes_cbc_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ca.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certinfo.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chunk.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crl.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/debug.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des_crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/diffie_hellman.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enum.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_signer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/linked_list.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf_plus.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/printf_hook.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/randomizer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rsa_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rsa_public_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha2_hasher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signer.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttodata.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+asn1.lo: asn1/asn1.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1.lo -MD -MP -MF "$(DEPDIR)/asn1.Tpo" -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/asn1.Tpo" "$(DEPDIR)/asn1.Plo"; else rm -f "$(DEPDIR)/asn1.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1/asn1.c' object='asn1.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
+
+oid.lo: asn1/oid.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT oid.lo -MD -MP -MF "$(DEPDIR)/oid.Tpo" -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/oid.Tpo" "$(DEPDIR)/oid.Plo"; else rm -f "$(DEPDIR)/oid.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1/oid.c' object='oid.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
+
+pem.lo: asn1/pem.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pem.lo -MD -MP -MF "$(DEPDIR)/pem.Tpo" -c -o pem.lo `test -f 'asn1/pem.c' || echo '$(srcdir)/'`asn1/pem.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/pem.Tpo" "$(DEPDIR)/pem.Plo"; else rm -f "$(DEPDIR)/pem.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1/pem.c' object='pem.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pem.lo `test -f 'asn1/pem.c' || echo '$(srcdir)/'`asn1/pem.c
+
+ttodata.lo: asn1/ttodata.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ttodata.lo -MD -MP -MF "$(DEPDIR)/ttodata.Tpo" -c -o ttodata.lo `test -f 'asn1/ttodata.c' || echo '$(srcdir)/'`asn1/ttodata.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ttodata.Tpo" "$(DEPDIR)/ttodata.Plo"; else rm -f "$(DEPDIR)/ttodata.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='asn1/ttodata.c' object='ttodata.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ttodata.lo `test -f 'asn1/ttodata.c' || echo '$(srcdir)/'`asn1/ttodata.c
+
+ca.lo: crypto/ca.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ca.lo -MD -MP -MF "$(DEPDIR)/ca.Tpo" -c -o ca.lo `test -f 'crypto/ca.c' || echo '$(srcdir)/'`crypto/ca.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ca.Tpo" "$(DEPDIR)/ca.Plo"; else rm -f "$(DEPDIR)/ca.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/ca.c' object='ca.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ca.lo `test -f 'crypto/ca.c' || echo '$(srcdir)/'`crypto/ca.c
+
+certinfo.lo: crypto/certinfo.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certinfo.lo -MD -MP -MF "$(DEPDIR)/certinfo.Tpo" -c -o certinfo.lo `test -f 'crypto/certinfo.c' || echo '$(srcdir)/'`crypto/certinfo.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/certinfo.Tpo" "$(DEPDIR)/certinfo.Plo"; else rm -f "$(DEPDIR)/certinfo.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/certinfo.c' object='certinfo.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certinfo.lo `test -f 'crypto/certinfo.c' || echo '$(srcdir)/'`crypto/certinfo.c
+
+crl.lo: crypto/crl.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF "$(DEPDIR)/crl.Tpo" -c -o crl.lo `test -f 'crypto/crl.c' || echo '$(srcdir)/'`crypto/crl.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/crl.Tpo" "$(DEPDIR)/crl.Plo"; else rm -f "$(DEPDIR)/crl.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/crl.c' object='crl.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crl.lo `test -f 'crypto/crl.c' || echo '$(srcdir)/'`crypto/crl.c
+
+crypter.lo: crypto/crypters/crypter.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypter.lo -MD -MP -MF "$(DEPDIR)/crypter.Tpo" -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/crypter.Tpo" "$(DEPDIR)/crypter.Plo"; else rm -f "$(DEPDIR)/crypter.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/crypters/crypter.c' object='crypter.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
+
+aes_cbc_crypter.lo: crypto/crypters/aes_cbc_crypter.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc_crypter.lo -MD -MP -MF "$(DEPDIR)/aes_cbc_crypter.Tpo" -c -o aes_cbc_crypter.lo `test -f 'crypto/crypters/aes_cbc_crypter.c' || echo '$(srcdir)/'`crypto/crypters/aes_cbc_crypter.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/aes_cbc_crypter.Tpo" "$(DEPDIR)/aes_cbc_crypter.Plo"; else rm -f "$(DEPDIR)/aes_cbc_crypter.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/crypters/aes_cbc_crypter.c' object='aes_cbc_crypter.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc_crypter.lo `test -f 'crypto/crypters/aes_cbc_crypter.c' || echo '$(srcdir)/'`crypto/crypters/aes_cbc_crypter.c
+
+des_crypter.lo: crypto/crypters/des_crypter.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_crypter.lo -MD -MP -MF "$(DEPDIR)/des_crypter.Tpo" -c -o des_crypter.lo `test -f 'crypto/crypters/des_crypter.c' || echo '$(srcdir)/'`crypto/crypters/des_crypter.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/des_crypter.Tpo" "$(DEPDIR)/des_crypter.Plo"; else rm -f "$(DEPDIR)/des_crypter.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/crypters/des_crypter.c' object='des_crypter.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_crypter.lo `test -f 'crypto/crypters/des_crypter.c' || echo '$(srcdir)/'`crypto/crypters/des_crypter.c
+
+diffie_hellman.lo: crypto/diffie_hellman.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT diffie_hellman.lo -MD -MP -MF "$(DEPDIR)/diffie_hellman.Tpo" -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/diffie_hellman.Tpo" "$(DEPDIR)/diffie_hellman.Plo"; else rm -f "$(DEPDIR)/diffie_hellman.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/diffie_hellman.c' object='diffie_hellman.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
+
+hasher.lo: crypto/hashers/hasher.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hasher.lo -MD -MP -MF "$(DEPDIR)/hasher.Tpo" -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/hasher.Tpo" "$(DEPDIR)/hasher.Plo"; else rm -f "$(DEPDIR)/hasher.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/hashers/hasher.c' object='hasher.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
+
+sha1_hasher.lo: crypto/hashers/sha1_hasher.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1_hasher.lo -MD -MP -MF "$(DEPDIR)/sha1_hasher.Tpo" -c -o sha1_hasher.lo `test -f 'crypto/hashers/sha1_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha1_hasher.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sha1_hasher.Tpo" "$(DEPDIR)/sha1_hasher.Plo"; else rm -f "$(DEPDIR)/sha1_hasher.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/hashers/sha1_hasher.c' object='sha1_hasher.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1_hasher.lo `test -f 'crypto/hashers/sha1_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha1_hasher.c
+
+sha2_hasher.lo: crypto/hashers/sha2_hasher.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2_hasher.lo -MD -MP -MF "$(DEPDIR)/sha2_hasher.Tpo" -c -o sha2_hasher.lo `test -f 'crypto/hashers/sha2_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha2_hasher.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/sha2_hasher.Tpo" "$(DEPDIR)/sha2_hasher.Plo"; else rm -f "$(DEPDIR)/sha2_hasher.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/hashers/sha2_hasher.c' object='sha2_hasher.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2_hasher.lo `test -f 'crypto/hashers/sha2_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha2_hasher.c
+
+md5_hasher.lo: crypto/hashers/md5_hasher.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5_hasher.lo -MD -MP -MF "$(DEPDIR)/md5_hasher.Tpo" -c -o md5_hasher.lo `test -f 'crypto/hashers/md5_hasher.c' || echo '$(srcdir)/'`crypto/hashers/md5_hasher.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/md5_hasher.Tpo" "$(DEPDIR)/md5_hasher.Plo"; else rm -f "$(DEPDIR)/md5_hasher.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/hashers/md5_hasher.c' object='md5_hasher.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5_hasher.lo `test -f 'crypto/hashers/md5_hasher.c' || echo '$(srcdir)/'`crypto/hashers/md5_hasher.c
+
+hmac.lo: crypto/hmac.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac.lo -MD -MP -MF "$(DEPDIR)/hmac.Tpo" -c -o hmac.lo `test -f 'crypto/hmac.c' || echo '$(srcdir)/'`crypto/hmac.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/hmac.Tpo" "$(DEPDIR)/hmac.Plo"; else rm -f "$(DEPDIR)/hmac.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/hmac.c' object='hmac.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac.lo `test -f 'crypto/hmac.c' || echo '$(srcdir)/'`crypto/hmac.c
+
+ocsp.lo: crypto/ocsp.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp.lo -MD -MP -MF "$(DEPDIR)/ocsp.Tpo" -c -o ocsp.lo `test -f 'crypto/ocsp.c' || echo '$(srcdir)/'`crypto/ocsp.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ocsp.Tpo" "$(DEPDIR)/ocsp.Plo"; else rm -f "$(DEPDIR)/ocsp.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/ocsp.c' object='ocsp.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp.lo `test -f 'crypto/ocsp.c' || echo '$(srcdir)/'`crypto/ocsp.c
+
+fips_prf.lo: crypto/prfs/fips_prf.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_prf.lo -MD -MP -MF "$(DEPDIR)/fips_prf.Tpo" -c -o fips_prf.lo `test -f 'crypto/prfs/fips_prf.c' || echo '$(srcdir)/'`crypto/prfs/fips_prf.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/fips_prf.Tpo" "$(DEPDIR)/fips_prf.Plo"; else rm -f "$(DEPDIR)/fips_prf.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/prfs/fips_prf.c' object='fips_prf.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_prf.lo `test -f 'crypto/prfs/fips_prf.c' || echo '$(srcdir)/'`crypto/prfs/fips_prf.c
+
+hmac_prf.lo: crypto/prfs/hmac_prf.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac_prf.lo -MD -MP -MF "$(DEPDIR)/hmac_prf.Tpo" -c -o hmac_prf.lo `test -f 'crypto/prfs/hmac_prf.c' || echo '$(srcdir)/'`crypto/prfs/hmac_prf.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/hmac_prf.Tpo" "$(DEPDIR)/hmac_prf.Plo"; else rm -f "$(DEPDIR)/hmac_prf.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/prfs/hmac_prf.c' object='hmac_prf.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac_prf.lo `test -f 'crypto/prfs/hmac_prf.c' || echo '$(srcdir)/'`crypto/prfs/hmac_prf.c
+
+prf.lo: crypto/prfs/prf.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf.lo -MD -MP -MF "$(DEPDIR)/prf.Tpo" -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/prf.Tpo" "$(DEPDIR)/prf.Plo"; else rm -f "$(DEPDIR)/prf.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/prfs/prf.c' object='prf.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
+
+prf_plus.lo: crypto/prf_plus.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf_plus.lo -MD -MP -MF "$(DEPDIR)/prf_plus.Tpo" -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/prf_plus.Tpo" "$(DEPDIR)/prf_plus.Plo"; else rm -f "$(DEPDIR)/prf_plus.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/prf_plus.c' object='prf_plus.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
+
+rsa_private_key.lo: crypto/rsa/rsa_private_key.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_private_key.lo -MD -MP -MF "$(DEPDIR)/rsa_private_key.Tpo" -c -o rsa_private_key.lo `test -f 'crypto/rsa/rsa_private_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_private_key.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rsa_private_key.Tpo" "$(DEPDIR)/rsa_private_key.Plo"; else rm -f "$(DEPDIR)/rsa_private_key.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/rsa/rsa_private_key.c' object='rsa_private_key.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_private_key.lo `test -f 'crypto/rsa/rsa_private_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_private_key.c
+
+rsa_public_key.lo: crypto/rsa/rsa_public_key.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_public_key.lo -MD -MP -MF "$(DEPDIR)/rsa_public_key.Tpo" -c -o rsa_public_key.lo `test -f 'crypto/rsa/rsa_public_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_public_key.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/rsa_public_key.Tpo" "$(DEPDIR)/rsa_public_key.Plo"; else rm -f "$(DEPDIR)/rsa_public_key.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/rsa/rsa_public_key.c' object='rsa_public_key.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_public_key.lo `test -f 'crypto/rsa/rsa_public_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_public_key.c
+
+hmac_signer.lo: crypto/signers/hmac_signer.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac_signer.lo -MD -MP -MF "$(DEPDIR)/hmac_signer.Tpo" -c -o hmac_signer.lo `test -f 'crypto/signers/hmac_signer.c' || echo '$(srcdir)/'`crypto/signers/hmac_signer.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/hmac_signer.Tpo" "$(DEPDIR)/hmac_signer.Plo"; else rm -f "$(DEPDIR)/hmac_signer.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/signers/hmac_signer.c' object='hmac_signer.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac_signer.lo `test -f 'crypto/signers/hmac_signer.c' || echo '$(srcdir)/'`crypto/signers/hmac_signer.c
+
+signer.lo: crypto/signers/signer.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signer.lo -MD -MP -MF "$(DEPDIR)/signer.Tpo" -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/signer.Tpo" "$(DEPDIR)/signer.Plo"; else rm -f "$(DEPDIR)/signer.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/signers/signer.c' object='signer.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
+
+x509.lo: crypto/x509.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509.lo -MD -MP -MF "$(DEPDIR)/x509.Tpo" -c -o x509.lo `test -f 'crypto/x509.c' || echo '$(srcdir)/'`crypto/x509.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/x509.Tpo" "$(DEPDIR)/x509.Plo"; else rm -f "$(DEPDIR)/x509.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/x509.c' object='x509.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509.lo `test -f 'crypto/x509.c' || echo '$(srcdir)/'`crypto/x509.c
+
+fetcher.lo: utils/fetcher.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher.lo -MD -MP -MF "$(DEPDIR)/fetcher.Tpo" -c -o fetcher.lo `test -f 'utils/fetcher.c' || echo '$(srcdir)/'`utils/fetcher.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/fetcher.Tpo" "$(DEPDIR)/fetcher.Plo"; else rm -f "$(DEPDIR)/fetcher.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/fetcher.c' object='fetcher.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher.lo `test -f 'utils/fetcher.c' || echo '$(srcdir)/'`utils/fetcher.c
+
+host.lo: utils/host.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF "$(DEPDIR)/host.Tpo" -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/host.Tpo" "$(DEPDIR)/host.Plo"; else rm -f "$(DEPDIR)/host.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/host.c' object='host.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
+
+identification.lo: utils/identification.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT identification.lo -MD -MP -MF "$(DEPDIR)/identification.Tpo" -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/identification.Tpo" "$(DEPDIR)/identification.Plo"; else rm -f "$(DEPDIR)/identification.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/identification.c' object='identification.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
+
+leak_detective.lo: utils/leak_detective.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF "$(DEPDIR)/leak_detective.Tpo" -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/leak_detective.Tpo" "$(DEPDIR)/leak_detective.Plo"; else rm -f "$(DEPDIR)/leak_detective.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/leak_detective.c' object='leak_detective.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
+
+lexparser.lo: utils/lexparser.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lexparser.lo -MD -MP -MF "$(DEPDIR)/lexparser.Tpo" -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/lexparser.Tpo" "$(DEPDIR)/lexparser.Plo"; else rm -f "$(DEPDIR)/lexparser.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/lexparser.c' object='lexparser.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
+
+linked_list.lo: utils/linked_list.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF "$(DEPDIR)/linked_list.Tpo" -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/linked_list.Tpo" "$(DEPDIR)/linked_list.Plo"; else rm -f "$(DEPDIR)/linked_list.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/linked_list.c' object='linked_list.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
+
+randomizer.lo: utils/randomizer.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT randomizer.lo -MD -MP -MF "$(DEPDIR)/randomizer.Tpo" -c -o randomizer.lo `test -f 'utils/randomizer.c' || echo '$(srcdir)/'`utils/randomizer.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/randomizer.Tpo" "$(DEPDIR)/randomizer.Plo"; else rm -f "$(DEPDIR)/randomizer.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='utils/randomizer.c' object='randomizer.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o randomizer.lo `test -f 'utils/randomizer.c' || echo '$(srcdir)/'`utils/randomizer.c
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ $(mkdir_p) $(distdir)/asn1
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(libdir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+ -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
+ -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
+clean: clean-am
+
+clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-libtool distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-exec-am: install-libLTLIBRARIES
+
+install-info: install-info-am
+
+install-man:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-info-am uninstall-libLTLIBRARIES
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libLTLIBRARIES clean-libtool ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-exec \
+ install-exec-am install-info install-info-am \
+ install-libLTLIBRARIES install-man install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-info-am \
+ uninstall-libLTLIBRARIES
+
+
+asn1/oid.c : asn1/oid.txt asn1/oid.pl
+ cd asn1 && $(PERL) oid.pl
+
+asn1/oid.h : asn1/oid.txt asn1/oid.pl
+ cd asn1 && $(PERL) oid.pl
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
new file mode 100644
index 000000000..91a6621d4
--- /dev/null
+++ b/src/libstrongswan/asn1/asn1.c
@@ -0,0 +1,733 @@
+/* Simple ASN.1 parser
+ * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ * Copyright (C) 2006 Martin Will, Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+
+#include "asn1.h"
+
+#include <library.h>
+#include <debug.h>
+
+/* some common prefabricated ASN.1 constants */
+static u_char ASN1_INTEGER_0_str[] = { 0x02, 0x00 };
+static u_char ASN1_INTEGER_1_str[] = { 0x02, 0x01, 0x01 };
+static u_char ASN1_INTEGER_2_str[] = { 0x02, 0x01, 0x02 };
+
+const chunk_t ASN1_INTEGER_0 = chunk_from_buf(ASN1_INTEGER_0_str);
+const chunk_t ASN1_INTEGER_1 = chunk_from_buf(ASN1_INTEGER_1_str);
+const chunk_t ASN1_INTEGER_2 = chunk_from_buf(ASN1_INTEGER_2_str);
+
+/* some popular algorithmIdentifiers */
+
+static u_char ASN1_md5_id_str[] = {
+ 0x30, 0x0C,
+ 0x06, 0x08,
+ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05,
+ 0x05, 0x00
+};
+
+static u_char ASN1_sha1_id_str[] = {
+ 0x30, 0x09,
+ 0x06, 0x05,
+ 0x2B, 0x0E,0x03, 0x02, 0x1A,
+ 0x05, 0x00
+};
+
+static u_char ASN1_md5WithRSA_id_str[] = {
+ 0x30, 0x0D,
+ 0x06, 0x09,
+ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04,
+ 0x05, 0x00
+};
+
+static u_char ASN1_sha1WithRSA_id_str[] = {
+ 0x30, 0x0D,
+ 0x06, 0x09,
+ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05,
+ 0x05, 0x00
+};
+
+static u_char ASN1_rsaEncryption_id_str[] = {
+ 0x30, 0x0D,
+ 0x06, 0x09,
+ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
+ 0x05, 0x00
+};
+
+const chunk_t ASN1_md5_id = chunk_from_buf(ASN1_md5_id_str);
+const chunk_t ASN1_sha1_id = chunk_from_buf(ASN1_sha1_id_str);
+const chunk_t ASN1_rsaEncryption_id = chunk_from_buf(ASN1_rsaEncryption_id_str);
+const chunk_t ASN1_md5WithRSA_id = chunk_from_buf(ASN1_md5WithRSA_id_str);
+const chunk_t ASN1_sha1WithRSA_id = chunk_from_buf(ASN1_sha1WithRSA_id_str);
+
+/* ASN.1 definiton of an algorithmIdentifier */
+static const asn1Object_t algorithmIdentifierObjects[] = {
+ { 0, "algorithmIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "algorithm", ASN1_OID, ASN1_BODY }, /* 1 */
+ { 1, "parameters", ASN1_EOC, ASN1_RAW } /* 2 */
+};
+
+#define ALGORITHM_ID_ALG 1
+#define ALGORITHM_ID_PARAMETERS 2
+#define ALGORITHM_ID_ROOF 3
+
+/**
+ * return the ASN.1 encoded algorithm identifier
+ */
+chunk_t asn1_algorithmIdentifier(int oid)
+{
+ switch (oid)
+ {
+ case OID_RSA_ENCRYPTION:
+ return ASN1_rsaEncryption_id;
+ case OID_MD5_WITH_RSA:
+ return ASN1_md5WithRSA_id;
+ case OID_SHA1_WITH_RSA:
+ return ASN1_sha1WithRSA_id;
+ case OID_MD5:
+ return ASN1_md5_id;
+ case OID_SHA1:
+ return ASN1_sha1_id;
+ default:
+ return chunk_empty;
+ }
+}
+
+/**
+ * If the oid is listed in the oid_names table then the corresponding
+ * position in the oid_names table is returned otherwise -1 is returned
+ */
+int known_oid(chunk_t object)
+{
+ int oid = 0;
+
+ while (object.len)
+ {
+ if (oid_names[oid].octet == *object.ptr)
+ {
+ if (--object.len == 0 || oid_names[oid].down == 0)
+ {
+ return oid; /* found terminal symbol */
+ }
+ else
+ {
+ object.ptr++; oid++; /* advance to next hex octet */
+ }
+ }
+ else
+ {
+ if (oid_names[oid].next)
+ oid = oid_names[oid].next;
+ else
+ return OID_UNKNOWN;
+ }
+ }
+ return -1;
+}
+
+/**
+ * Decodes the length in bytes of an ASN.1 object
+ */
+u_int asn1_length(chunk_t *blob)
+{
+ u_char n;
+ size_t len;
+
+ /* advance from tag field on to length field */
+ blob->ptr++;
+ blob->len--;
+
+ /* read first octet of length field */
+ n = *blob->ptr++;
+ blob->len--;
+
+ if ((n & 0x80) == 0)
+ {/* single length octet */
+ return n;
+ }
+
+ /* composite length, determine number of length octets */
+ n &= 0x7f;
+
+ if (n > blob->len)
+ {
+ DBG2("number of length octets is larger than ASN.1 object");
+ return ASN1_INVALID_LENGTH;
+ }
+
+ if (n > sizeof(len))
+ {
+ DBG2("number of length octets is larger than limit of %d octets",
+ (int)sizeof(len));
+ return ASN1_INVALID_LENGTH;
+ }
+
+ len = 0;
+
+ while (n-- > 0)
+ {
+ len = 256*len + *blob->ptr++;
+ blob->len--;
+ }
+ return len;
+}
+
+/**
+ * determines if a character string is of type ASN.1 printableString
+ */
+bool is_printablestring(chunk_t str)
+{
+ const char printablestring_charset[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?";
+ u_int i;
+
+ for (i = 0; i < str.len; i++)
+ {
+ if (strchr(printablestring_charset, str.ptr[i]) == NULL)
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Converts ASN.1 UTCTIME or GENERALIZEDTIME into calender time
+ */
+time_t asn1totime(const chunk_t *utctime, asn1_t type)
+{
+ struct tm t;
+ time_t tz_offset;
+ u_char *eot = NULL;
+
+ if ((eot = memchr(utctime->ptr, 'Z', utctime->len)) != NULL)
+ {
+ tz_offset = 0; /* Zulu time with a zero time zone offset */
+ }
+ else if ((eot = memchr(utctime->ptr, '+', utctime->len)) != NULL)
+ {
+ int tz_hour, tz_min;
+
+ sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ tz_offset = 3600*tz_hour + 60*tz_min; /* positive time zone offset */
+ }
+ else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
+ {
+ int tz_hour, tz_min;
+
+ sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ tz_offset = -3600*tz_hour - 60*tz_min; /* negative time zone offset */
+ }
+ else
+ {
+ return 0; /* error in time format */
+ }
+
+ {
+ const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
+ "%4d%2d%2d%2d%2d";
+
+ sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+ &t.tm_hour, &t.tm_min);
+ }
+
+ /* is there a seconds field? */
+ if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
+ {
+ sscanf(eot-2, "%2d", &t.tm_sec);
+ }
+ else
+ {
+ t.tm_sec = 0;
+ }
+
+ /* representation of year */
+ if (t.tm_year >= 1900)
+ {
+ t.tm_year -= 1900;
+ }
+ else if (t.tm_year >= 100)
+ {
+ return 0;
+ }
+ else if (t.tm_year < 50)
+ {
+ t.tm_year += 100;
+ }
+
+ /* representation of month 0..11*/
+ t.tm_mon--;
+
+ /* set daylight saving time to off */
+ t.tm_isdst = 0;
+
+ /* compensate timezone */
+
+ return mktime(&t) - timezone - tz_offset;
+}
+
+/**
+ * Initializes the internal context of the ASN.1 parser
+ */
+void asn1_init(asn1_ctx_t *ctx, chunk_t blob, u_int level0,
+ bool implicit, bool private)
+{
+ ctx->blobs[0] = blob;
+ ctx->level0 = level0;
+ ctx->implicit = implicit;
+ ctx->private = private;
+ memset(ctx->loopAddr, '\0', sizeof(ctx->loopAddr));
+}
+
+/**
+ * print the value of an ASN.1 simple object
+ */
+static void debug_asn1_simple_object(chunk_t object, asn1_t type, bool private)
+{
+ int oid;
+
+ switch (type)
+ {
+ case ASN1_OID:
+ oid = known_oid(object);
+ if (oid != OID_UNKNOWN)
+ {
+ DBG2(" '%s'", oid_names[oid].name);
+ return;
+ }
+ break;
+ case ASN1_UTF8STRING:
+ case ASN1_IA5STRING:
+ case ASN1_PRINTABLESTRING:
+ case ASN1_T61STRING:
+ case ASN1_VISIBLESTRING:
+ DBG2(" '%.*s'", (int)object.len, object.ptr);
+ return;
+ case ASN1_UTCTIME:
+ case ASN1_GENERALIZEDTIME:
+ {
+ time_t time = asn1totime(&object, type);
+
+ DBG2(" '%T'", &time);
+ }
+ return;
+ default:
+ break;
+ }
+ if (private)
+ {
+ DBG4("%B", &object);
+ }
+ else
+ {
+ DBG3("%B", &object);
+ }
+}
+
+/**
+ * Parses and extracts the next ASN.1 object
+ */
+bool extract_object(asn1Object_t const *objects, u_int *objectID, chunk_t *object, u_int *level, asn1_ctx_t *ctx)
+{
+ asn1Object_t obj = objects[*objectID];
+ chunk_t *blob;
+ chunk_t *blob1;
+ u_char *start_ptr;
+
+ *object = chunk_empty;
+
+ if (obj.flags & ASN1_END) /* end of loop or option found */
+ {
+ if (ctx->loopAddr[obj.level] && ctx->blobs[obj.level+1].len > 0)
+ {
+ *objectID = ctx->loopAddr[obj.level]; /* another iteration */
+ obj = objects[*objectID];
+ }
+ else
+ {
+ ctx->loopAddr[obj.level] = 0; /* exit loop or option*/
+ return TRUE;
+ }
+ }
+
+ *level = ctx->level0 + obj.level;
+ blob = ctx->blobs + obj.level;
+ blob1 = blob + 1;
+ start_ptr = blob->ptr;
+
+ /* handle ASN.1 defaults values */
+ if ((obj.flags & ASN1_DEF) && (blob->len == 0 || *start_ptr != obj.type) )
+ {
+ /* field is missing */
+ DBG2("L%d - %s:", *level, obj.name);
+ if (obj.type & ASN1_CONSTRUCTED)
+ {
+ (*objectID)++ ; /* skip context-specific tag */
+ }
+ return TRUE;
+ }
+
+ /* handle ASN.1 options */
+
+ if ((obj.flags & ASN1_OPT)
+ && (blob->len == 0 || *start_ptr != obj.type))
+ {
+ /* advance to end of missing option field */
+ do
+ (*objectID)++;
+ while (!((objects[*objectID].flags & ASN1_END)
+ && (objects[*objectID].level == obj.level)));
+ return TRUE;
+ }
+
+ /* an ASN.1 object must possess at least a tag and length field */
+
+ if (blob->len < 2)
+ {
+ DBG2("L%d - %s: ASN.1 object smaller than 2 octets",
+ *level, obj.name);
+ return FALSE;
+ }
+
+ blob1->len = asn1_length(blob);
+
+ if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+ {
+ DBG2("L%d - %s: length of ASN.1 object invalid or too large",
+ *level, obj.name);
+ return FALSE;
+ }
+
+ blob1->ptr = blob->ptr;
+ blob->ptr += blob1->len;
+ blob->len -= blob1->len;
+
+ /* return raw ASN.1 object without prior type checking */
+
+ if (obj.flags & ASN1_RAW)
+ {
+ DBG2("L%d - %s:", *level, obj.name);
+ object->ptr = start_ptr;
+ object->len = (size_t)(blob->ptr - start_ptr);
+ return TRUE;
+ }
+
+ if (*start_ptr != obj.type && !(ctx->implicit && *objectID == 0))
+ {
+ DBG1("L%d - %s: ASN1 tag 0x%02x expected, but is 0x%02x",
+ *level, obj.name, obj.type, *start_ptr);
+ DBG3("%b", start_ptr, (u_int)(blob->ptr - start_ptr));
+ return FALSE;
+ }
+
+ DBG2("L%d - %s:", ctx->level0+obj.level, obj.name);
+
+ /* In case of "SEQUENCE OF" or "SET OF" start a loop */
+ if (obj.flags & ASN1_LOOP)
+ {
+ if (blob1->len > 0)
+ {
+ /* at least one item, start the loop */
+ ctx->loopAddr[obj.level] = *objectID + 1;
+ }
+ else
+ {
+ /* no items, advance directly to end of loop */
+ do
+ (*objectID)++;
+ while (!((objects[*objectID].flags & ASN1_END)
+ && (objects[*objectID].level == obj.level)));
+ return TRUE;
+ }
+ }
+
+ if (obj.flags & ASN1_OBJ)
+ {
+ object->ptr = start_ptr;
+ object->len = (size_t)(blob->ptr - start_ptr);
+ if (ctx->private)
+ {
+ DBG4("%B", object);
+ }
+ else
+ {
+ DBG3("%B", object);
+ }
+ }
+ else if (obj.flags & ASN1_BODY)
+ {
+ *object = *blob1;
+ debug_asn1_simple_object(*object, obj.type, ctx->private);
+ }
+ return TRUE;
+}
+
+/**
+ * parse an ASN.1 simple type
+ */
+bool parse_asn1_simple_object(chunk_t *object, asn1_t type, u_int level, const char* name)
+{
+ size_t len;
+
+ /* an ASN.1 object must possess at least a tag and length field */
+ if (object->len < 2)
+ {
+ DBG2("L%d - %s: ASN.1 object smaller than 2 octets", level, name);
+ return FALSE;
+ }
+
+ if (*object->ptr != type)
+ {
+ DBG2("L%d - %s: ASN1 tag 0x%02x expected, but is 0x%02x",
+ level, name, type, *object->ptr);
+ return FALSE;
+ }
+
+ len = asn1_length(object);
+
+ if (len == ASN1_INVALID_LENGTH || object->len < len)
+ {
+ DBG2("L%d - %s: length of ASN.1 object invalid or too large",
+ level, name);
+ return FALSE;
+ }
+
+ DBG2("L%d - %s:", level, name);
+ debug_asn1_simple_object(*object, type, FALSE);
+ return TRUE;
+}
+
+/**
+ * extracts an algorithmIdentifier
+ */
+int parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *parameters)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int alg = OID_UNKNOWN;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+
+ while (objectID < ALGORITHM_ID_ROOF)
+ {
+ if (!extract_object(algorithmIdentifierObjects, &objectID, &object, &level, &ctx))
+ return OID_UNKNOWN;
+
+ switch (objectID)
+ {
+ case ALGORITHM_ID_ALG:
+ alg = known_oid(object);
+ break;
+ case ALGORITHM_ID_PARAMETERS:
+ if (parameters != NULL)
+ *parameters = object;
+ break;
+ default:
+ break;
+ }
+ objectID++;
+ }
+ return alg;
+ }
+
+/*
+ * tests if a blob contains a valid ASN.1 set or sequence
+ */
+bool is_asn1(chunk_t blob)
+{
+ u_int len;
+ u_char tag = *blob.ptr;
+
+ if (tag != ASN1_SEQUENCE && tag != ASN1_SET)
+ {
+ DBG2(" file content is not binary ASN.1");
+ return FALSE;
+ }
+ len = asn1_length(&blob);
+ if (len != blob.len)
+ {
+ DBG2(" file size does not match ASN.1 coded length");
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * codes ASN.1 lengths up to a size of 16'777'215 bytes
+ */
+void code_asn1_length(size_t length, chunk_t *code)
+{
+ if (length < 128)
+ {
+ code->ptr[0] = length;
+ code->len = 1;
+ }
+ else if (length < 256)
+ {
+ code->ptr[0] = 0x81;
+ code->ptr[1] = (u_char) length;
+ code->len = 2;
+ }
+ else if (length < 65536)
+ {
+ code->ptr[0] = 0x82;
+ code->ptr[1] = length >> 8;
+ code->ptr[2] = length & 0x00ff;
+ code->len = 3;
+ }
+ else
+ {
+ code->ptr[0] = 0x83;
+ code->ptr[1] = length >> 16;
+ code->ptr[2] = (length >> 8) & 0x00ff;
+ code->ptr[3] = length & 0x0000ff;
+ code->len = 4;
+ }
+}
+
+/**
+ * build an empty asn.1 object with tag and length fields already filled in
+ */
+u_char* build_asn1_object(chunk_t *object, asn1_t type, size_t datalen)
+{
+ u_char length_buf[4];
+ chunk_t length = { length_buf, 0 };
+ u_char *pos;
+
+ /* code the asn.1 length field */
+ code_asn1_length(datalen, &length);
+
+ /* allocate memory for the asn.1 TLV object */
+ object->len = 1 + length.len + datalen;
+ object->ptr = malloc(object->len);
+
+ /* set position pointer at the start of the object */
+ pos = object->ptr;
+
+ /* copy the asn.1 tag field and advance the pointer */
+ *pos++ = type;
+
+ /* copy the asn.1 length field and advance the pointer */
+ memcpy(pos, length.ptr, length.len);
+ pos += length.len;
+
+ return pos;
+}
+
+/**
+ * build a simple ASN.1 object
+ */
+chunk_t asn1_simple_object(asn1_t tag, chunk_t content)
+{
+ chunk_t object;
+
+ u_char *pos = build_asn1_object(&object, tag, content.len);
+ memcpy(pos, content.ptr, content.len);
+ pos += content.len;
+
+ return object;
+}
+
+/**
+ * Build an ASN.1 object from a variable number of individual chunks.
+ * Depending on the mode, chunks either are moved ('m') or copied ('c').
+ */
+chunk_t asn1_wrap(asn1_t type, const char *mode, ...)
+{
+ chunk_t construct;
+ va_list chunks;
+ u_char *pos;
+ int i;
+ int count = strlen(mode);
+
+ /* sum up lengths of individual chunks */
+ va_start(chunks, mode);
+ construct.len = 0;
+ for (i = 0; i < count; i++)
+ {
+ chunk_t ch = va_arg(chunks, chunk_t);
+ construct.len += ch.len;
+ }
+ va_end(chunks);
+
+ /* allocate needed memory for construct */
+ pos = build_asn1_object(&construct, type, construct.len);
+
+ /* copy or move the chunks */
+ va_start(chunks, mode);
+ for (i = 0; i < count; i++)
+ {
+ chunk_t ch = va_arg(chunks, chunk_t);
+
+ switch (*mode++)
+ {
+ case 'm':
+ memcpy(pos, ch.ptr, ch.len);
+ pos += ch.len;
+ free(ch.ptr);
+ break;
+ case 'c':
+ default:
+ memcpy(pos, ch.ptr, ch.len);
+ pos += ch.len;
+ }
+ }
+ va_end(chunks);
+
+ return construct;
+}
+
+/**
+ * convert a MP integer into a DER coded ASN.1 object
+ */
+chunk_t asn1_integer_from_mpz(const mpz_t value)
+{
+ size_t bits = mpz_sizeinbase(value, 2); /* size in bits */
+ chunk_t n;
+ n.len = 1 + bits / 8; /* size in bytes */
+ n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
+
+ return asn1_wrap(ASN1_INTEGER, "m", n);
+}
+
+/**
+ * convert a date into ASN.1 UTCTIME or GENERALIZEDTIME format
+ */
+chunk_t timetoasn1(const time_t *time, asn1_t type)
+{
+ int offset;
+ const char *format;
+ char buf[32];
+ chunk_t formatted_time;
+ struct tm *t = gmtime(time);
+
+ if (type == ASN1_GENERALIZEDTIME)
+ {
+ format = "%04d%02d%02d%02d%02d%02dZ";
+ offset = 1900;
+ }
+ else /* ASN1_UTCTIME */
+ {
+ format = "%02d%02d%02d%02d%02d%02dZ";
+ offset = (t->tm_year < 100)? 0 : -100;
+ }
+ snprintf(buf, sizeof(buf), format, t->tm_year + offset,
+ t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
+ formatted_time.ptr = buf;
+ formatted_time.len = strlen(buf);
+ return asn1_simple_object(type, formatted_time);
+}
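Review bot: `asn1_length()` steps over the tag and the first length octet without checking that `blob->len` is at least 2, and `is_asn1()` calls it with no such guard (after already reading `*blob.ptr` in its declaration), unlike `extract_object()` and `parse_asn1_simple_object()`. On a blob of zero or one octet the decrements wrap `blob->len` (assuming chunk_t's `len` is unsigned, as the `size_t` casts in this file suggest), so the later `n > blob->len` test no longer bounds the reads. I would add `if (blob->len < 2) return ASN1_INVALID_LENGTH;` at the top of `asn1_length()` and `if (blob.len < 2) return FALSE;` in `is_asn1()`, moving the tag read below it. Separately, `asn1totime()` passes the length-delimited `utctime->ptr` to `sscanf` and ignores the conversion counts, so a short or malformed time value can be scanned past its end and leave fields of `t` or `tz_hour`/`tz_min` unset. Checking `utctime->len` against the minimum for the type, and the `sscanf` return value, with `return 0` on mismatch, would close that.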
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
new file mode 100644
index 000000000..5ab519ec8
--- /dev/null
+++ b/src/libstrongswan/asn1/asn1.h
@@ -0,0 +1,135 @@
+/* Simple ASN.1 parser
+ * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ * Copyright (C) 2006 Martin Will, Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef _ASN1_H
+#define _ASN1_H
+
+#include <stdarg.h>
+#include <gmp.h>
+
+#include <library.h>
+#include <asn1/oid.h>
+
+
+/* Defines some primitive ASN1 types */
+typedef enum {
+ ASN1_EOC = 0x00,
+ ASN1_BOOLEAN = 0x01,
+ ASN1_INTEGER = 0x02,
+ ASN1_BIT_STRING = 0x03,
+ ASN1_OCTET_STRING = 0x04,
+ ASN1_NULL = 0x05,
+ ASN1_OID = 0x06,
+ ASN1_ENUMERATED = 0x0A,
+ ASN1_UTF8STRING = 0x0C,
+ ASN1_NUMERICSTRING = 0x12,
+ ASN1_PRINTABLESTRING = 0x13,
+ ASN1_T61STRING = 0x14,
+ ASN1_VIDEOTEXSTRING = 0x15,
+ ASN1_IA5STRING = 0x16,
+ ASN1_UTCTIME = 0x17,
+ ASN1_GENERALIZEDTIME = 0x18,
+ ASN1_GRAPHICSTRING = 0x19,
+ ASN1_VISIBLESTRING = 0x1A,
+ ASN1_GENERALSTRING = 0x1B,
+ ASN1_UNIVERSALSTRING = 0x1C,
+ ASN1_BMPSTRING = 0x1E,
+
+ ASN1_CONSTRUCTED = 0x20,
+
+ ASN1_SEQUENCE = 0x30,
+
+ ASN1_SET = 0x31,
+
+ ASN1_CONTEXT_S_0 = 0x80,
+ ASN1_CONTEXT_S_1 = 0x81,
+ ASN1_CONTEXT_S_2 = 0x82,
+ ASN1_CONTEXT_S_3 = 0x83,
+ ASN1_CONTEXT_S_4 = 0x84,
+ ASN1_CONTEXT_S_5 = 0x85,
+ ASN1_CONTEXT_S_6 = 0x86,
+ ASN1_CONTEXT_S_7 = 0x87,
+ ASN1_CONTEXT_S_8 = 0x88,
+
+ ASN1_CONTEXT_C_0 = 0xA0,
+ ASN1_CONTEXT_C_1 = 0xA1,
+ ASN1_CONTEXT_C_2 = 0xA2,
+ ASN1_CONTEXT_C_3 = 0xA3,
+ ASN1_CONTEXT_C_4 = 0xA4,
+ ASN1_CONTEXT_C_5 = 0xA5
+} asn1_t;
+
+/* Definition of ASN1 flags */
+
+#define ASN1_NONE 0x00
+#define ASN1_DEF 0x01
+#define ASN1_OPT 0x02
+#define ASN1_LOOP 0x04
+#define ASN1_END 0x08
+#define ASN1_OBJ 0x10
+#define ASN1_BODY 0x20
+#define ASN1_RAW 0x40
+
+#define ASN1_INVALID_LENGTH 0xffffffff
+
+/* definition of an ASN.1 object */
+
+typedef struct {
+ u_int level;
+ const u_char *name;
+ asn1_t type;
+ u_char flags;
+} asn1Object_t;
+
+#define ASN1_MAX_LEVEL 10
+
+typedef struct {
+ bool implicit;
+ bool private;
+ u_int level0;
+ u_int loopAddr[ASN1_MAX_LEVEL+1];
+ chunk_t blobs[ASN1_MAX_LEVEL+2];
+} asn1_ctx_t;
+
+/* some common prefabricated ASN.1 constants */
+extern const chunk_t ASN1_INTEGER_0;
+extern const chunk_t ASN1_INTEGER_1;
+extern const chunk_t ASN1_INTEGER_2;
+
+/* some popular algorithmIdentifiers */
+extern const chunk_t ASN1_md5_id;
+extern const chunk_t ASN1_sha1_id;
+extern const chunk_t ASN1_rsaEncryption_id;
+extern const chunk_t ASN1_md5WithRSA_id;
+extern const chunk_t ASN1_sha1WithRSA_id;
+
+extern chunk_t asn1_algorithmIdentifier(int oid);
+extern int known_oid(chunk_t object);
+extern u_int asn1_length(chunk_t *blob);
+extern bool is_printablestring(chunk_t str);
+extern time_t asn1totime(const chunk_t *utctime, asn1_t type);
+extern void asn1_init(asn1_ctx_t *ctx, chunk_t blob, u_int level0, bool implicit, bool private);
+extern bool extract_object(asn1Object_t const *objects, u_int *objectID, chunk_t *object, u_int *level, asn1_ctx_t *ctx);
+extern bool parse_asn1_simple_object(chunk_t *object, asn1_t type, u_int level, const char* name);
+extern int parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *parameters);
+extern bool is_asn1(chunk_t blob);
+
+extern void code_asn1_length(size_t length, chunk_t *code);
+extern u_char* build_asn1_object(chunk_t *object, asn1_t type, size_t datalen);
+extern chunk_t asn1_integer_from_mpz(const mpz_t value);
+extern chunk_t asn1_simple_object(asn1_t tag, chunk_t content);
+extern chunk_t asn1_wrap(asn1_t type, const char *mode, ...);
+
+#endif /* _ASN1_H */
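Review bot: `asn1_length()` is declared to return `u_int` with `ASN1_INVALID_LENGTH` defined as `0xffffffff`, yet the implementation in asn1.c accumulates into a `size_t` and accepts up to `sizeof(len)` length octets. Where `size_t` is wider than `u_int`, a long-form length is truncated on return, so an oversized encoding can alias a small in-bounds length instead of being rejected, and the parser then disagrees with the encoded structure about where the object ends. Bounding the octet count by the return type (`if (n > sizeof(u_int))` in asn1.c) keeps the declared contract. A comment above the define such as `/* returned by asn1_length() on malformed input; encoded lengths of this value or more are rejected */` would make the limit visible to callers.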
diff --git a/programs/pluto/oid.c b/src/libstrongswan/asn1/oid.c
index 4b0632de2..4b0632de2 100644
--- a/programs/pluto/oid.c
+++ b/src/libstrongswan/asn1/oid.c
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
new file mode 100644
index 000000000..f85997159
--- /dev/null
+++ b/src/libstrongswan/asn1/oid.h
@@ -0,0 +1,80 @@
+/* Object identifiers (OIDs) used by FreeS/WAN
+ * Copyright (C) 2003-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This file has been automatically generated by the script oid.pl
+ * Do not edit manually!
+ */
+
+#ifndef OID_H_
+#define OID_H_
+
+typedef struct {
+ u_char octet;
+ u_int next;
+ u_int down;
+ const u_char *name;
+} oid_t;
+
+extern const oid_t oid_names[];
+
+#define OID_UNKNOWN -1
+#define OID_ROLE 35
+#define OID_SUBJECT_KEY_ID 38
+#define OID_SUBJECT_ALT_NAME 41
+#define OID_BASIC_CONSTRAINTS 43
+#define OID_CRL_REASON_CODE 44
+#define OID_CRL_DISTRIBUTION_POINTS 45
+#define OID_AUTHORITY_KEY_ID 47
+#define OID_EXTENDED_KEY_USAGE 48
+#define OID_TARGET_INFORMATION 49
+#define OID_NO_REV_AVAIL 50
+#define OID_RSA_ENCRYPTION 59
+#define OID_MD2_WITH_RSA 60
+#define OID_MD5_WITH_RSA 61
+#define OID_SHA1_WITH_RSA 62
+#define OID_SHA256_WITH_RSA 63
+#define OID_SHA384_WITH_RSA 64
+#define OID_SHA512_WITH_RSA 65
+#define OID_PKCS7_DATA 67
+#define OID_PKCS7_SIGNED_DATA 68
+#define OID_PKCS7_ENVELOPED_DATA 69
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA 70
+#define OID_PKCS7_DIGESTED_DATA 71
+#define OID_PKCS7_ENCRYPTED_DATA 72
+#define OID_PKCS9_EMAIL 74
+#define OID_PKCS9_CONTENT_TYPE 76
+#define OID_PKCS9_MESSAGE_DIGEST 77
+#define OID_PKCS9_SIGNING_TIME 78
+#define OID_MD2 84
+#define OID_MD5 85
+#define OID_3DES_EDE_CBC 87
+#define OID_AUTHORITY_INFO_ACCESS 109
+#define OID_OCSP_SIGNING 119
+#define OID_XMPP_ADDR 121
+#define OID_AUTHENTICATION_INFO 123
+#define OID_ACCESS_IDENTITY 124
+#define OID_CHARGING_IDENTITY 125
+#define OID_GROUP 126
+#define OID_OCSP 128
+#define OID_BASIC 129
+#define OID_NONCE 130
+#define OID_CRL 131
+#define OID_RESPONSE 132
+#define OID_NO_CHECK 133
+#define OID_ARCHIVE_CUTOFF 134
+#define OID_SERVICE_LOCATOR 135
+#define OID_DES_CBC 139
+#define OID_SHA1 140
+#define OID_SHA1_WITH_RSA_OIW 141
+#define OID_NS_REVOCATION_URL 165
+#define OID_NS_CA_REVOCATION_URL 166
+#define OID_NS_CA_POLICY_URL 167
+#define OID_NS_COMMENT 168
+#define OID_PKI_MESSAGE_TYPE 177
+#define OID_PKI_STATUS 178
+#define OID_PKI_FAIL_INFO 179
+#define OID_PKI_SENDER_NONCE 180
+#define OID_PKI_RECIPIENT_NONCE 181
+#define OID_PKI_TRANS_ID 182
+
+#endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.pl b/src/libstrongswan/asn1/oid.pl
new file mode 100644
index 000000000..5db619755
--- /dev/null
+++ b/src/libstrongswan/asn1/oid.pl
@@ -0,0 +1,127 @@
+#!/usr/bin/perl
+# Generates oid.h and oid.c out of oid.txt
+# Copyright (C) 2003-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+
+$copyright="Copyright (C) 2003-2004 Andreas Steffen, Zuercher Hochschule Winterthur";
+$automatic="This file has been automatically generated by the script oid.pl";
+$warning="Do not edit manually!";
+
+print "oid.pl generating oid.h and oid.c\n";
+
+# Generate oid.h
+
+open(OID_H, ">oid.h")
+ or die "could not open 'oid.h': $!";
+
+print OID_H "/* Object identifiers (OIDs) used by FreeS/WAN\n",
+ " * ", $copyright, "\n",
+ " * \n",
+ " * ", $automatic, "\n",
+ " * ", $warning, "\n",
+ " */\n\n",
+ "#ifndef OID_H_\n",
+ "#define OID_H_\n\n",
+ "typedef struct {\n",
+ " u_char octet;\n",
+ " u_int next;\n",
+ " u_int down;\n",
+ " const u_char *name;\n",
+ "} oid_t;\n",
+ "\n",
+ "extern const oid_t oid_names[];\n",
+ "\n",
+ "#define OID_UNKNOWN -1\n";
+
+# parse oid.txt
+
+open(SRC, "<oid.txt")
+ or die "could not open 'oid.txt': $!";
+
+$counter = 0;
+$max_name = 0;
+$max_order = 0;
+
+while ($line = <SRC>)
+{
+ $line =~ m/( *?)(0x\w{2})\s+(".*?")[ \t]*?([\w_]*?)\Z/;
+
+ @order[$counter] = length($1);
+ @octet[$counter] = $2;
+ @name[$counter] = $3;
+
+ if (length($1) > $max_order)
+ {
+ $max_order = length($1);
+ }
+ if (length($3) > $max_name)
+ {
+ $max_name = length($3);
+ }
+ if (length($4) > 0)
+ {
+ printf OID_H "#define %s%s%d\n", $4, "\t" x ((39-length($4))/4), $counter;
+ }
+ $counter++;
+}
+
+print OID_H "\n#endif /* OID_H_ */\n";
+
+close SRC;
+close OID_H;
+
+# Generate oid.c
+
+open(OID_C, ">oid.c")
+ or die "could not open 'oid.c': $!";
+
+print OID_C "/* List of some useful object identifiers (OIDs)\n",
+ " * ", $copyright, "\n",
+ " * \n",
+ " * ", $automatic, "\n",
+ " * ", $warning, "\n",
+ " */\n",
+ "\n",
+ "#include <stdlib.h>\n",
+ "\n",
+ "#include \"oid.h\"\n",
+ "\n",
+ "const oid_t oid_names[] = {\n";
+
+for ($c = 0; $c < $counter; $c++)
+{
+ $next = 0;
+
+ for ($d = $c+1; $d < $counter && @order[$d] >= @order[$c]; $d++)
+ {
+ if (@order[$d] == @order[$c])
+ {
+ @next[$c] = $d;
+ last;
+ }
+ }
+
+ printf OID_C " {%s%s,%s%3d, %d, %s%s}%s /* %3d */\n"
+ ,' ' x @order[$c]
+ , @octet[$c]
+ , ' ' x (1 + $max_order - @order[$c])
+ , @next[$c]
+ , @order[$c+1] > @order[$c]
+ , @name[$c]
+ , ' ' x ($max_name - length(@name[$c]))
+ , $c != $counter-1 ? "," : " "
+ , $c;
+}
+
+print OID_C "};\n" ;
+close OID_C;
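Review bot: The result of the `$line =~ m/( *?)(0x\w{2})\s+(".*?")...` match inside `while ($line = <SRC>)` is never tested, so a blank or malformed line in oid.txt silently reuses `$1`..`$4` from the previous successful match and still increments `$counter`. That inserts a duplicate row, shifts every later index in the generated `oid_names[]`, and can emit a second `#define` for the same `OID_*` name, all without a build error, while `known_oid()` in asn1.c relies on those indices being right. I would fail the build instead by appending `or die "oid.txt line $.: cannot parse entry\n";` to the match statement. Adding `use strict; use warnings;` would also flag the `@order[$counter]`-style assignments, where `$order[$counter]` is meant.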
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
new file mode 100644
index 000000000..eed46d59d
--- /dev/null
+++ b/src/libstrongswan/asn1/oid.txt
@@ -0,0 +1,184 @@
+0x02 "ITU-T Administration"
+ 0x82 ""
+ 0x06 "Germany ITU-T member"
+ 0x01 "Deutsche Telekom AG"
+ 0x0A ""
+ 0x07 ""
+ 0x14 "ND"
+0x09 "data"
+ 0x92 ""
+ 0x26 ""
+ 0x89 ""
+ 0x93 ""
+ 0xF2 ""
+ 0x2C ""
+ 0x64 "pilot"
+ 0x01 "pilotAttributeType"
+ 0x01 "UID"
+ 0x19 "DC"
+0x55 "X.500"
+ 0x04 "X.509"
+ 0x03 "CN"
+ 0x04 "S"
+ 0x05 "SN"
+ 0x06 "C"
+ 0x07 "L"
+ 0x08 "ST"
+ 0x0A "O"
+ 0x0B "OU"
+ 0x0C "T"
+ 0x0D "D"
+ 0x24 "userCertificate"
+ 0x29 "N"
+ 0x2A "G"
+ 0x2B "I"
+ 0x2D "ID"
+ 0x48 "role" OID_ROLE
+ 0x1D "id-ce"
+ 0x09 "subjectDirectoryAttrs"
+ 0x0E "subjectKeyIdentifier" OID_SUBJECT_KEY_ID
+ 0x0F "keyUsage"
+ 0x10 "privateKeyUsagePeriod"
+ 0x11 "subjectAltName" OID_SUBJECT_ALT_NAME
+ 0x12 "issuerAltName"
+ 0x13 "basicConstraints" OID_BASIC_CONSTRAINTS
+ 0x15 "reasonCode" OID_CRL_REASON_CODE
+ 0x1F "crlDistributionPoints" OID_CRL_DISTRIBUTION_POINTS
+ 0x20 "certificatePolicies"
+ 0x23 "authorityKeyIdentifier" OID_AUTHORITY_KEY_ID
+ 0x25 "extendedKeyUsage" OID_EXTENDED_KEY_USAGE
+ 0x37 "targetInformation" OID_TARGET_INFORMATION
+ 0x38 "noRevAvail" OID_NO_REV_AVAIL
+0x2A ""
+ 0x86 ""
+ 0x48 ""
+ 0x86 ""
+ 0xF7 ""
+ 0x0D "RSADSI"
+ 0x01 "PKCS"
+ 0x01 "PKCS-1"
+ 0x01 "rsaEncryption" OID_RSA_ENCRYPTION
+ 0x02 "md2WithRSAEncryption" OID_MD2_WITH_RSA
+ 0x04 "md5WithRSAEncryption" OID_MD5_WITH_RSA
+ 0x05 "sha-1WithRSAEncryption" OID_SHA1_WITH_RSA
+ 0x0B "sha256WithRSAEncryption" OID_SHA256_WITH_RSA
+ 0x0C "sha384WithRSAEncryption" OID_SHA384_WITH_RSA
+ 0x0D "sha512WithRSAEncryption" OID_SHA512_WITH_RSA
+ 0x07 "PKCS-7"
+ 0x01 "data" OID_PKCS7_DATA
+ 0x02 "signedData" OID_PKCS7_SIGNED_DATA
+ 0x03 "envelopedData" OID_PKCS7_ENVELOPED_DATA
+ 0x04 "signedAndEnvelopedData" OID_PKCS7_SIGNED_ENVELOPED_DATA
+ 0x05 "digestedData" OID_PKCS7_DIGESTED_DATA
+ 0x06 "encryptedData" OID_PKCS7_ENCRYPTED_DATA
+ 0x09 "PKCS-9"
+ 0x01 "E" OID_PKCS9_EMAIL
+ 0x02 "unstructuredName"
+ 0x03 "contentType" OID_PKCS9_CONTENT_TYPE
+ 0x04 "messageDigest" OID_PKCS9_MESSAGE_DIGEST
+ 0x05 "signingTime" OID_PKCS9_SIGNING_TIME
+ 0x06 "counterSignature"
+ 0x07 "challengePassword"
+ 0x08 "unstructuredAddress"
+ 0x0E "extensionRequest"
+ 0x02 "digestAlgorithm"
+ 0x02 "md2" OID_MD2
+ 0x05 "md5" OID_MD5
+ 0x03 "encryptionAlgorithm"
+ 0x07 "3des-ede-cbc" OID_3DES_EDE_CBC
+0x2B ""
+ 0x06 "dod"
+ 0x01 "internet"
+ 0x04 "private"
+ 0x01 "enterprise"
+ 0x82 ""
+ 0x37 "Microsoft"
+ 0x0A ""
+ 0x03 ""
+ 0x03 "msSGC"
+ 0x89 ""
+ 0x31 ""
+ 0x01 ""
+ 0x01 ""
+ 0x02 ""
+ 0x02 ""
+ 0x4B "TCGID"
+ 0x05 "security"
+ 0x05 "mechanisms"
+ 0x07 "id-pkix"
+ 0x01 "id-pe"
+ 0x01 "authorityInfoAccess" OID_AUTHORITY_INFO_ACCESS
+ 0x03 "id-kp"
+ 0x01 "serverAuth"
+ 0x02 "clientAuth"
+ 0x03 "codeSigning"
+ 0x04 "emailProtection"
+ 0x05 "ipsecEndSystem"
+ 0x06 "ipsecTunnel"
+ 0x07 "ipsecUser"
+ 0x08 "timeStamping"
+ 0x09 "ocspSigning" OID_OCSP_SIGNING
+ 0x08 "id-otherNames"
+ 0x05 "xmppAddr" OID_XMPP_ADDR
+ 0x0A "id-aca"
+ 0x01 "authenticationInfo" OID_AUTHENTICATION_INFO
+ 0x02 "accessIdentity" OID_ACCESS_IDENTITY
+ 0x03 "chargingIdentity" OID_CHARGING_IDENTITY
+ 0x04 "group" OID_GROUP
+ 0x30 "id-ad"
+ 0x01 "ocsp" OID_OCSP
+ 0x01 "basic" OID_BASIC
+ 0x02 "nonce" OID_NONCE
+ 0x03 "crl" OID_CRL
+ 0x04 "response" OID_RESPONSE
+ 0x05 "noCheck" OID_NO_CHECK
+ 0x06 "archiveCutoff" OID_ARCHIVE_CUTOFF
+ 0x07 "serviceLocator" OID_SERVICE_LOCATOR
+ 0x0E "oiw"
+ 0x03 "secsig"
+ 0x02 "algorithms"
+ 0x07 "des-cbc" OID_DES_CBC
+ 0x1A "sha-1" OID_SHA1
+ 0x1D "sha-1WithRSASignature" OID_SHA1_WITH_RSA_OIW
+ 0x24 "TeleTrusT"
+ 0x03 "algorithm"
+ 0x03 "signatureAlgorithm"
+ 0x01 "rsaSignature"
+ 0x02 "rsaSigWithripemd160"
+ 0x03 "rsaSigWithripemd128"
+ 0x04 "rsaSigWithripemd256"
+0x60 ""
+ 0x86 ""
+ 0x48 ""
+ 0x01 "organization"
+ 0x65 "gov"
+ 0x03 "csor"
+ 0x04 "nistalgorithm"
+ 0x02 "hashalgs"
+ 0x01 "id-SHA-256"
+ 0x02 "id-SHA-384"
+ 0x03 "id-SHA-512"
+ 0x86 ""
+ 0xf8 ""
+ 0x42 "netscape"
+ 0x01 ""
+ 0x01 "nsCertType"
+ 0x03 "nsRevocationUrl" OID_NS_REVOCATION_URL
+ 0x04 "nsCaRevocationUrl" OID_NS_CA_REVOCATION_URL
+ 0x08 "nsCaPolicyUrl" OID_NS_CA_POLICY_URL
+ 0x0d "nsComment" OID_NS_COMMENT
+ 0x03 "directory"
+ 0x01 ""
+ 0x03 "employeeNumber"
+ 0x04 "policy"
+ 0x01 "nsSGC"
+ 0x45 "verisign"
+ 0x01 "pki"
+ 0x09 "attributes"
+ 0x02 "messageType" OID_PKI_MESSAGE_TYPE
+ 0x03 "pkiStatus" OID_PKI_STATUS
+ 0x04 "failInfo" OID_PKI_FAIL_INFO
+ 0x05 "senderNonce" OID_PKI_SENDER_NONCE
+ 0x06 "recipientNonce" OID_PKI_RECIPIENT_NONCE
+ 0x07 "transID" OID_PKI_TRANS_ID
+ 0x08 "extensionReq"
diff --git a/src/libstrongswan/asn1/pem.c b/src/libstrongswan/asn1/pem.c
new file mode 100755
index 000000000..e88db249d
--- /dev/null
+++ b/src/libstrongswan/asn1/pem.c
@@ -0,0 +1,366 @@
+/*
+ * Copyright (C) 2001-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <string.h>
+#include <stddef.h>
+#include <sys/types.h>
+
+#include "pem.h"
+
+#include <library.h>
+#include <debug.h>
+#include <asn1/asn1.h>
+#include <asn1/ttodata.h>
+
+#include <utils/lexparser.h>
+#include <crypto/hashers/hasher.h>
+#include <crypto/crypters/crypter.h>
+
+#define PKCS5_SALT_LEN 8 /* bytes */
+
+/**
+ * check the presence of a pattern in a character string
+ */
+static bool present(const char* pattern, chunk_t* ch)
+{
+ u_int pattern_len = strlen(pattern);
+
+ if (ch->len >= pattern_len && strncmp(ch->ptr, pattern, pattern_len) == 0)
+ {
+ ch->ptr += pattern_len;
+ ch->len -= pattern_len;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * find a boundary of the form -----tag name-----
+ */
+static bool find_boundary(const char* tag, chunk_t *line)
+{
+ chunk_t name = chunk_empty;
+
+ if (!present("-----", line))
+ return FALSE;
+ if (!present(tag, line))
+ return FALSE;
+ if (*line->ptr != ' ')
+ return FALSE;
+ line->ptr++; line->len--;
+
+ /* extract name */
+ name.ptr = line->ptr;
+ while (line->len > 0)
+ {
+ if (present("-----", line))
+ {
+ DBG2(" -----%s %.*s-----", tag, (int)name.len, name.ptr);
+ return TRUE;
+ }
+ line->ptr++; line->len--; name.len++;
+ }
+ return FALSE;
+}
+
+/*
+ * decrypts a passphrase protected encrypted data block
+ */
+static err_t pem_decrypt(chunk_t *blob, encryption_algorithm_t alg, size_t key_size,
+ chunk_t *iv, chunk_t *passphrase)
+{
+ hasher_t *hasher;
+ crypter_t *crypter;
+ chunk_t salt = { iv->ptr, PKCS5_SALT_LEN };
+ chunk_t hash;
+ chunk_t decrypted;
+ chunk_t key = {alloca(key_size), key_size};
+ u_int8_t padding, *last_padding_pos, *first_padding_pos;
+
+ if (passphrase == NULL || passphrase->len == 0)
+ return "missing passphrase";
+
+ /* build key from passphrase and IV */
+ hasher = hasher_create(HASH_MD5);
+ hash.len = hasher->get_hash_size(hasher);
+ hash.ptr = alloca(hash.len);
+ hasher->get_hash(hasher, *passphrase, NULL);
+ hasher->get_hash(hasher, salt, hash.ptr);
+ memcpy(key.ptr, hash.ptr, hash.len);
+
+ if (key.len > hash.len)
+ {
+ hasher->get_hash(hasher, hash, NULL);
+ hasher->get_hash(hasher, *passphrase, NULL);
+ hasher->get_hash(hasher, salt, hash.ptr);
+ memcpy(key.ptr + hash.len, hash.ptr, key.len - hash.len);
+ }
+ hasher->destroy(hasher);
+
+ /* decrypt blob */
+ crypter = crypter_create(alg, key_size);
+ crypter->set_key(crypter, key);
+ if (crypter->decrypt(crypter, *blob, *iv, &decrypted) != SUCCESS)
+ {
+ return "data size is not multiple of block size";
+ }
+ memcpy(blob->ptr, decrypted.ptr, blob->len);
+ chunk_free(&decrypted);
+
+ /* determine amount of padding */
+ last_padding_pos = blob->ptr + blob->len - 1;
+ padding = *last_padding_pos;
+ first_padding_pos = (padding > blob->len) ? blob->ptr : last_padding_pos - padding;
+
+ /* check the padding pattern */
+ while (--last_padding_pos > first_padding_pos)
+ {
+ if (*last_padding_pos != padding)
+ return "invalid passphrase";
+ }
+ /* remove padding */
+ blob->len -= padding;
+ return NULL;
+}
+
+/* Converts a PEM encoded file into its binary form
+ *
+ * RFC 1421 Privacy Enhancement for Electronic Mail, February 1993
+ * RFC 934 Message Encapsulation, January 1985
+ */
+err_t pem_to_bin(chunk_t *blob, chunk_t *passphrase, bool *pgp)
+{
+ typedef enum {
+ PEM_PRE = 0,
+ PEM_MSG = 1,
+ PEM_HEADER = 2,
+ PEM_BODY = 3,
+ PEM_POST = 4,
+ PEM_ABORT = 5
+ } state_t;
+
+ encryption_algorithm_t alg = ENCR_UNDEFINED;
+ size_t key_size = 0;
+
+ bool encrypted = FALSE;
+
+ state_t state = PEM_PRE;
+
+ chunk_t src = *blob;
+ chunk_t dst = *blob;
+ chunk_t line = chunk_empty;
+ chunk_t iv = chunk_empty;
+
+ u_char iv_buf[16]; /* MD5 digest size */
+
+ /* zero size of converted blob */
+ dst.len = 0;
+
+ /* zero size of IV */
+ iv.ptr = iv_buf;
+ iv.len = 0;
+
+ while (fetchline(&src, &line))
+ {
+ if (state == PEM_PRE)
+ {
+ if (find_boundary("BEGIN", &line))
+ {
+ state = PEM_MSG;
+ }
+ continue;
+ }
+ else
+ {
+ if (find_boundary("END", &line))
+ {
+ state = PEM_POST;
+ break;
+ }
+ if (state == PEM_MSG)
+ {
+ state = (memchr(line.ptr, ':', line.len) == NULL) ? PEM_BODY : PEM_HEADER;
+ }
+ if (state == PEM_HEADER)
+ {
+ err_t ugh = NULL;
+ chunk_t name = chunk_empty;
+ chunk_t value = chunk_empty;
+
+ /* an empty line separates HEADER and BODY */
+ if (line.len == 0)
+ {
+ state = PEM_BODY;
+ continue;
+ }
+
+ /* we are looking for a parameter: value pair */
+ DBG2(" %.*s", (int)line.len, line.ptr);
+ ugh = extract_parameter_value(&name, &value, &line);
+ if (ugh != NULL)
+ continue;
+
+ if (match("Proc-Type", &name) && *value.ptr == '4')
+ encrypted = TRUE;
+ else if (match("DEK-Info", &name))
+ {
+ size_t len = 0;
+ chunk_t dek;
+
+ if (!extract_token(&dek, ',', &value))
+ dek = value;
+
+ if (match("DES-EDE3-CBC", &dek))
+ {
+ alg = ENCR_3DES;
+ key_size = 24;
+ }
+ else if (match("AES-128-CBC", &dek))
+ {
+ alg = ENCR_AES_CBC;
+ key_size = 16;
+ }
+ else if (match("AES-192-CBC", &dek))
+ {
+ alg = ENCR_AES_CBC;
+ key_size = 24;
+ }
+ else if (match("AES-256-CBC", &dek))
+ {
+ alg = ENCR_AES_CBC;
+ key_size = 32;
+ }
+ else
+ {
+ return "encryption algorithm not supported";
+ }
+
+ eat_whitespace(&value);
+ ugh = ttodata(value.ptr, value.len, 16, iv.ptr, 16, &len);
+ if (ugh)
+ return "error in IV";
+
+ iv.len = len;
+ }
+ }
+ else /* state is PEM_BODY */
+ {
+ const char *ugh = NULL;
+ size_t len = 0;
+ chunk_t data;
+
+ /* remove any trailing whitespace */
+ if (!extract_token(&data ,' ', &line))
+ {
+ data = line;
+ }
+
+ /* check for PGP armor checksum */
+ if (*data.ptr == '=')
+ {
+ *pgp = TRUE;
+ data.ptr++;
+ data.len--;
+ DBG2(" Armor checksum: %.*s", (int)data.len, data.ptr);
+ continue;
+ }
+
+ ugh = ttodata(data.ptr, data.len, 64, dst.ptr, blob->len - dst.len, &len);
+ if (ugh)
+ {
+ state = PEM_ABORT;
+ break;
+ }
+ else
+ {
+ dst.ptr += len;
+ dst.len += len;
+ }
+ }
+ }
+ }
+ /* set length to size of binary blob */
+ blob->len = dst.len;
+
+ if (state != PEM_POST)
+ return "file coded in unknown format, discarded";
+
+ return (encrypted)? pem_decrypt(blob, alg, key_size, &iv, passphrase) : NULL;
+}
+
+/* load a coded key or certificate file with autodetection
+ * of binary DER or base64 PEM ASN.1 formats and armored PGP format
+ */
+bool pem_asn1_load_file(const char *filename, chunk_t *passphrase,
+ const char *type, chunk_t *blob, bool *pgp)
+{
+ err_t ugh = NULL;
+
+ FILE *fd = fopen(filename, "r");
+
+ if (fd)
+ {
+ int bytes;
+ fseek(fd, 0, SEEK_END );
+ blob->len = ftell(fd);
+ rewind(fd);
+ blob->ptr = malloc(blob->len);
+ bytes = fread(blob->ptr, 1, blob->len, fd);
+ fclose(fd);
+ DBG1(" loading %s file '%s' (%d bytes)", type, filename, bytes);
+
+ *pgp = FALSE;
+
+ /* try DER format */
+ if (is_asn1(*blob))
+ {
+ DBG2(" file coded in DER format");
+ return TRUE;
+ }
+
+ if (passphrase != NULL)
+ DBG4(" passphrase:", passphrase->ptr, passphrase->len);
+
+ /* try PEM format */
+ ugh = pem_to_bin(blob, passphrase, pgp);
+
+ if (ugh == NULL)
+ {
+ if (*pgp)
+ {
+ DBG2(" file coded in armored PGP format");
+ return TRUE;
+ }
+ if (is_asn1(*blob))
+ {
+ DBG2(" file coded in PEM format");
+ return TRUE;
+ }
+ ugh = "file coded in unknown format, discarded";
+ }
+
+ /* a conversion error has occured */
+ DBG1(" %s", ugh);
+ chunk_free(blob);
+ }
+ else
+ {
+ DBG1(" could not open %s file '%s'", type, filename);
+ }
+ return FALSE;
+}
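Review bot: pem_to_bin() passes `alg`, `key_size` and `iv` to pem_decrypt() without checking that a usable DEK-Info header was parsed, so a file with `Proc-Type: 4` but no DEK-Info reaches pem_decrypt() with `key_size == 0`, `alg == ENCR_UNDEFINED` and an unset `iv_buf`. In pem_decrypt(), `memcpy(key.ptr, hash.ptr, hash.len)` then copies a whole digest into a `key_size`-byte alloca() buffer, and the salt is read as PKCS5_SALT_LEN bytes from `iv->ptr` whatever `iv->len` is. A guard before the final return in pem_to_bin() would close this: `if (encrypted && (alg == ENCR_UNDEFINED || iv.len < PKCS5_SALT_LEN || iv.len > sizeof(iv_buf))) return "missing or malformed DEK-Info";`. The upper bound matters because ttodata() reports the decoded length even when it is larger than the 16-byte destination. The padding byte in pem_decrypt() should also be range-checked before `blob->len -= padding`, which currently underflows when the byte exceeds the blob length, e.g. `if (blob->len == 0 || padding == 0 || padding > blob->len) return "invalid passphrase";`.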
diff --git a/src/libstrongswan/asn1/pem.h b/src/libstrongswan/asn1/pem.h
new file mode 100755
index 000000000..0f4b7202c
--- /dev/null
+++ b/src/libstrongswan/asn1/pem.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2001-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PEM_H_
+#define PEM_H_
+
+#include <stdio.h>
+
+#include <library.h>
+
+err_t pem_to_bin(chunk_t *blob, chunk_t *passphrase, bool *pgp);
+
+bool pem_asn1_load_file(const char *filename, chunk_t *passphrase,
+ const char *type, chunk_t *blob, bool *pgp);
+
+#endif /*PEM_H_*/
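Review bot: Both prototypes are exported without a contract comment, and buffer ownership is not obvious from the signatures alone. Going by pem.c in this commit, pem_to_bin() decodes in place, shrinks `blob->len`, and returns NULL on success or an error string. pem_asn1_load_file() allocates `blob->ptr` itself, frees it again on a conversion error, and sets `*pgp` when an armor checksum line is seen. A short doc block stating this, and that the caller presumably owns `blob->ptr` when TRUE is returned, would help callers avoid leaks and double frees.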
diff --git a/src/libstrongswan/asn1/ttodata.c b/src/libstrongswan/asn1/ttodata.c
new file mode 100644
index 000000000..8114b12c5
--- /dev/null
+++ b/src/libstrongswan/asn1/ttodata.c
@@ -0,0 +1,378 @@
+/*
+ * convert from text form of arbitrary data (e.g., keys) to binary
+ * Copyright (C) 2000 Henry Spencer.
+ *
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
+ * License for more details.
+ */
+
+#include "ttodata.h"
+
+#include <string.h>
+#include <ctype.h>
+
+/* converters and misc */
+static int unhex(const char *, char *, size_t);
+static int unb64(const char *, char *, size_t);
+static int untext(const char *, char *, size_t);
+static const char *badch(const char *, int, char *, size_t);
+
+/* internal error codes for converters */
+#define SHORT (-2) /* internal buffer too short */
+#define BADPAD (-3) /* bad base64 padding */
+#define BADCH0 (-4) /* invalid character 0 */
+#define BADCH1 (-5) /* invalid character 1 */
+#define BADCH2 (-6) /* invalid character 2 */
+#define BADCH3 (-7) /* invalid character 3 */
+#define BADOFF(code) (BADCH0-(code))
+
+/**
+ * @brief convert text to data, with verbose error reports
+ *
+ * If some of this looks slightly odd, it's because it has changed
+ * repeatedly (from the original atodata()) without a major rewrite.
+ *
+ * @param src
+ * @param srclen 0 means apply strlen()
+ * @param base 0 means figure it out
+ * @param dst need not be valid if dstlen is 0
+ * @param dstlen
+ * @param lenp where to record length (NULL is nowhere)
+ * @param errp error buffer
+ * @param flags
+ * @return NULL on success, else literal or errp
+ */
+const char *ttodatav(const char *src, size_t srclen, int base, char *dst, size_t dstlen, size_t *lenp, char *errp, size_t errlen, unsigned int flags)
+{
+ size_t ingroup; /* number of input bytes converted at once */
+ char buf[4]; /* output from conversion */
+ int nbytes; /* size of output */
+ int (*decode)(const char *, char *, size_t);
+ char *stop;
+ int ndone;
+ int i;
+ int underscoreok;
+ int skipSpace = 0;
+
+ if (srclen == 0)
+ srclen = strlen(src);
+ if (dstlen == 0)
+ dst = buf; /* point it somewhere valid */
+ stop = dst + dstlen;
+
+ if (base == 0) {
+ if (srclen < 2)
+ return "input too short to be valid";
+ if (*src++ != '0')
+ return "input does not begin with format prefix";
+ switch (*src++) {
+ case 'x':
+ case 'X':
+ base = 16;
+ break;
+ case 's':
+ case 'S':
+ base = 64;
+ break;
+ case 't':
+ case 'T':
+ base = 256;
+ break;
+ default:
+ return "unknown format prefix";
+ }
+ srclen -= 2;
+ }
+ switch (base) {
+ case 16:
+ decode = unhex;
+ underscoreok = 1;
+ ingroup = 2;
+ break;
+ case 64:
+ decode = unb64;
+ underscoreok = 0;
+ ingroup = 4;
+ if(flags & TTODATAV_IGNORESPACE) {
+ skipSpace = 1;
+ }
+ break;
+
+ case 256:
+ decode = untext;
+ ingroup = 1;
+ underscoreok = 0;
+ break;
+ default:
+ return "unknown base";
+ }
+
+ /* proceed */
+ ndone = 0;
+ while (srclen > 0) {
+ char stage[4]; /* staging area for group */
+ size_t sl = 0;
+
+ /* Grab ingroup characters into stage,
+ * squeezing out blanks if we are supposed to ignore them.
+ */
+ for (sl = 0; sl < ingroup; src++, srclen--) {
+ if (srclen == 0)
+ return "input ends in mid-byte, perhaps truncated";
+ else if (!(skipSpace && (*src == ' ' || *src == '\t')))
+ stage[sl++] = *src;
+ }
+
+ nbytes = (*decode)(stage, buf, sizeof(buf));
+ switch (nbytes) {
+ case BADCH0:
+ case BADCH1:
+ case BADCH2:
+ case BADCH3:
+ return badch(stage, nbytes, errp, errlen);
+ case SHORT:
+ return "internal buffer too short (\"can't happen\")";
+ case BADPAD:
+ return "bad (non-zero) padding at end of base64 input";
+ }
+ if (nbytes <= 0)
+ return "unknown internal error";
+ for (i = 0; i < nbytes; i++) {
+ if (dst < stop)
+ *dst++ = buf[i];
+ ndone++;
+ }
+ while (srclen >= 1 && skipSpace && (*src == ' ' || *src == '\t')){
+ src++;
+ srclen--;
+ }
+ if (underscoreok && srclen > 1 && *src == '_') {
+ /* srclen > 1 means not last character */
+ src++;
+ srclen--;
+ }
+ }
+
+ if (ndone == 0)
+ return "no data bytes specified by input";
+ if (lenp != NULL)
+ *lenp = ndone;
+ return NULL;
+}
+
+/**
+ * @brief ttodata - convert text to data
+ *
+ * @param src
+ * @param srclen 0 means apply strlen()
+ * @param base 0 means figure it out
+ * @param dst need not be valid if dstlen is 0
+ * @param dstlen
+ * @param lenp where to record length (NULL is nowhere)
+ * @return NULL on success, else literal
+ */
+const char *ttodata(const char *src, size_t srclen, int base, char *dst, size_t dstlen, size_t *lenp)
+{
+ return ttodatav(src, srclen, base, dst, dstlen, lenp, (char *)NULL,
+ (size_t)0, TTODATAV_SPACECOUNTS);
+}
+
+/**
+ * @brief atodata - convert ASCII to data
+ *
+ * backward-compatibility interface
+ *
+ * @param src
+ * @param srclen
+ * @param dst
+ * @param dstlen
+ * @return 0 for failure, true length for success
+ */
+size_t atodata(const char *src, size_t srclen, char *dst, size_t dstlen)
+{
+ size_t len;
+ const char *err;
+
+ err = ttodata(src, srclen, 0, dst, dstlen, &len);
+ if (err != NULL)
+ return 0;
+ return len;
+}
+
+/**
+ * @brief atobytes - convert ASCII to data bytes
+ *
+ * another backward-compatibility interface
+ */
+const char *atobytes(const char *src, size_t srclen, char *dst, size_t dstlen, size_t *lenp)
+{
+ return ttodata(src, srclen, 0, dst, dstlen, lenp);
+}
+
+/**
+ * @brief unhex - convert two ASCII hex digits to byte
+ *
+ * @param src known to be full length
+ * @param dstnumber of result bytes, or error code
+ * @param dstlen not large enough is a failure
+ * @return
+ */
+static int unhex(const char *src, char *dst, size_t dstlen)
+{
+ char *p;
+ unsigned byte;
+ static char hex[] = "0123456789abcdef";
+
+ if (dstlen < 1)
+ return SHORT;
+
+ p = strchr(hex, *src);
+ if (p == NULL)
+ p = strchr(hex, tolower(*src));
+ if (p == NULL)
+ return BADCH0;
+ byte = (p - hex) << 4;
+ src++;
+
+ p = strchr(hex, *src);
+ if (p == NULL)
+ p = strchr(hex, tolower(*src));
+ if (p == NULL)
+ return BADCH1;
+ byte |= (p - hex);
+
+ *dst = byte;
+ return 1;
+}
+
+/**
+ * @brief unb64 - convert four ASCII base64 digits to three bytes
+ *
+ * Note that a base64 digit group is padded out with '=' if it represents
+ * less than three bytes: one byte is dd==, two is ddd=, three is dddd.
+ *
+ * @param src known to be full length
+ * @param dst
+ * @param dstlen
+ * @return number of result bytes, or error code
+ */
+static int unb64(const char *src, char *dst, size_t dstlen)
+{
+ char *p;
+ unsigned byte1;
+ unsigned byte2;
+ static char base64[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+ if (dstlen < 3)
+ return SHORT;
+
+ p = strchr(base64, *src++);
+
+ if (p == NULL)
+ return BADCH0;
+ byte1 = (p - base64) << 2; /* first six bits */
+
+ p = strchr(base64, *src++);
+ if (p == NULL) {
+ return BADCH1;
+ }
+
+ byte2 = p - base64; /* next six: two plus four */
+ *dst++ = byte1 | (byte2 >> 4);
+ byte1 = (byte2 & 0xf) << 4;
+
+ p = strchr(base64, *src++);
+ if (p == NULL) {
+ if (*(src-1) == '=' && *src == '=') {
+ if (byte1 != 0) /* bad padding */
+ return BADPAD;
+ return 1;
+ }
+ return BADCH2;
+ }
+
+ byte2 = p - base64; /* next six: four plus two */
+ *dst++ = byte1 | (byte2 >> 2);
+ byte1 = (byte2 & 0x3) << 6;
+
+ p = strchr(base64, *src++);
+ if (p == NULL) {
+ if (*(src-1) == '=') {
+ if (byte1 != 0) /* bad padding */
+ return BADPAD;
+ return 2;
+ }
+ return BADCH3;
+ }
+ byte2 = p - base64; /* last six */
+ *dst++ = byte1 | byte2;
+
+ return 3;
+}
+
+/**
+ * @brief untext - convert one ASCII character to byte
+ *
+ * @param src known to be full length
+ * @param dst
+ * @param dstlen not large enough is a failure
+ * @return number of result bytes, or error code
+ */
+static int untext(const char *src, char *dst, size_t dstlen)
+{
+ if (dstlen < 1)
+ return SHORT;
+
+ *dst = *src;
+ return 1;
+}
+
+/**
+ * @brief badch - produce a nice complaint about an unknown character
+ *
+ * If the compiler complains that the array bigenough[] has a negative
+ * size, that means the TTODATAV_BUF constant has been set too small.
+ *
+ * @param src
+ * @param errcode
+ * @param errp might be NULL
+ * @param errlen
+ * @return literal or errp
+ */
+static const char *badch(const char *src, int errcode, char *errp, size_t errlen)
+{
+ static const char pre[] = "unknown character (`";
+ static const char suf[] = "') in input";
+ char buf[5];
+# define REQD (sizeof(pre) - 1 + sizeof(buf) - 1 + sizeof(suf))
+ struct sizecheck {
+ char bigenough[TTODATAV_BUF - REQD]; /* see above */
+ };
+ char ch;
+
+ if (errp == NULL || errlen < REQD)
+ return "unknown character in input";
+ strcpy(errp, pre);
+ ch = *(src + BADOFF(errcode));
+ if (isprint(ch)) {
+ buf[0] = ch;
+ buf[1] = '\0';
+ } else {
+ buf[0] = '\\';
+ buf[1] = ((ch & 0700) >> 6) + '0';
+ buf[2] = ((ch & 0070) >> 3) + '0';
+ buf[3] = ((ch & 0007) >> 0) + '0';
+ buf[4] = '\0';
+ }
+ strcat(errp, buf);
+ strcat(errp, suf);
+ return (const char *)errp;
+}
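Review bot: ttodatav() returns success and stores the full decoded length in `*lenp` even when the output did not fit, because the copy loop stops writing once `dst` reaches `stop` but still increments `ndone`. The doc comment should say so, e.g. `@param lenp where to record the decoded length, which can exceed dstlen when the output was truncated (NULL is nowhere)`. Callers that treat the value as a written-byte count need their own `len <= dstlen` check; the DEK-Info parser in pem.c in this same commit assigns it to `iv.len` after decoding into a 16-byte buffer. In unhex() and unb64(), `strchr()` also matches the table's terminating NUL, so a NUL byte in the input is taken as a digit instead of being rejected. An explicit `*src != '\0'` test before each lookup would fix that.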
diff --git a/src/libstrongswan/asn1/ttodata.h b/src/libstrongswan/asn1/ttodata.h
new file mode 100644
index 000000000..6125c6b82
--- /dev/null
+++ b/src/libstrongswan/asn1/ttodata.h
@@ -0,0 +1,28 @@
+/*
+ * convert from text form of arbitrary data (e.g., keys) to binary
+ * Copyright (C) 2000 Henry Spencer.
+ *
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
+ * License for more details.
+ */
+
+#ifndef TTODATA_H_
+#define TTODATA_H_
+
+#include <library.h>
+
+#define TTODATAV_BUF 40 /* ttodatav's largest non-literal message */
+#define TTODATAV_IGNORESPACE (1<<1) /* ignore spaces in base64 encodings*/
+#define TTODATAV_SPACECOUNTS 0 /* do not ignore spaces in base64 */
+
+err_t ttodata(const char *src, size_t srclen, int base, char *buf, size_t buflen, size_t *needed);
+
+
+#endif /* TTODATA_H_ */
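Review bot: Only ttodata() is declared here, yet ttodata.c in this commit also defines ttodatav(), atodata() and atobytes() with external linkage, and the `TTODATAV_IGNORESPACE` flag exported here is only meaningful to ttodatav(). Either add the missing prototypes, e.g. `const char *ttodatav(const char *src, size_t srclen, int base, char *dst, size_t dstlen, size_t *lenp, char *errp, size_t errlen, unsigned int flags);`, or mark the unused entry points `static` in ttodata.c so they cannot be called without a prototype. The parameter name `needed` is also the only hint that the reported length can exceed `buflen`; a one-line comment saying so would make the contract explicit.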
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
new file mode 100644
index 000000000..cba823c22
--- /dev/null
+++ b/src/libstrongswan/chunk.c
@@ -0,0 +1,410 @@
+/**
+ * @file chunk.c
+ *
+ * @brief Pointer/lenght abstraction and its functions.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+
+#include "chunk.h"
+
+#include <debug.h>
+#include <printf_hook.h>
+
+/**
+ * Empty chunk.
+ */
+chunk_t chunk_empty = { NULL, 0 };
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_create(u_char *ptr, size_t len)
+{
+ chunk_t chunk = {ptr, len};
+ return chunk;
+}
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_create_clone(u_char *ptr, chunk_t chunk)
+{
+ chunk_t clone = chunk_empty;
+
+ if (chunk.ptr && chunk.len > 0)
+ {
+ clone.ptr = ptr;
+ clone.len = chunk.len;
+ memcpy(clone.ptr, chunk.ptr, chunk.len);
+ }
+
+ return clone;
+}
+
+/**
+ * Decribed in header.
+ */
+size_t chunk_length(const char* mode, ...)
+{
+ va_list chunks;
+ size_t length = 0;
+
+ va_start(chunks, mode);
+ while (TRUE)
+ {
+ switch (*mode++)
+ {
+ case 'm':
+ case 'c':
+ {
+ chunk_t ch = va_arg(chunks, chunk_t);
+ length += ch.len;
+ continue;
+ }
+ default:
+ break;
+ }
+ break;
+ }
+ va_end(chunks);
+ return length;
+}
+
+/**
+ * Decribed in header.
+ */
+chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...)
+{
+ va_list chunks;
+ chunk_t construct = chunk_create(ptr, 0);
+
+ va_start(chunks, mode);
+ while (TRUE)
+ {
+ bool free_chunk = FALSE;
+ switch (*mode++)
+ {
+ case 'm':
+ {
+ free_chunk = TRUE;
+ }
+ case 'c':
+ {
+ chunk_t ch = va_arg(chunks, chunk_t);
+ memcpy(ptr, ch.ptr, ch.len);
+ ptr += ch.len;
+ construct.len += ch.len;
+ if (free_chunk)
+ {
+ free(ch.ptr);
+ }
+ continue;
+ }
+ default:
+ break;
+ }
+ break;
+ }
+ va_end(chunks);
+
+ return construct;
+}
+
+/**
+ * Decribed in header.
+ */
+void chunk_split(chunk_t chunk, const char *mode, ...)
+{
+ va_list chunks;
+ size_t len;
+ chunk_t *ch;
+
+ va_start(chunks, mode);
+ while (TRUE)
+ {
+ if (*mode == '\0')
+ {
+ break;
+ }
+ len = va_arg(chunks, size_t);
+ ch = va_arg(chunks, chunk_t*);
+ /* a null chunk means skip len bytes */
+ if (ch == NULL)
+ {
+ chunk = chunk_skip(chunk, len);
+ continue;
+ }
+ switch (*mode++)
+ {
+ case 'm':
+ {
+ ch->len = min(chunk.len, len);
+ if (ch->len)
+ {
+ ch->ptr = chunk.ptr;
+ }
+ else
+ {
+ ch->ptr = NULL;
+ }
+ chunk = chunk_skip(chunk, ch->len);
+ continue;
+ }
+ case 'a':
+ {
+ ch->len = min(chunk.len, len);
+ if (ch->len)
+ {
+ ch->ptr = malloc(ch->len);
+ memcpy(ch->ptr, chunk.ptr, ch->len);
+ }
+ else
+ {
+ ch->ptr = NULL;
+ }
+ chunk = chunk_skip(chunk, ch->len);
+ continue;
+ }
+ case 'c':
+ {
+ ch->len = min(ch->len, chunk.len);
+ ch->len = min(ch->len, len);
+ if (ch->len)
+ {
+ memcpy(ch->ptr, chunk.ptr, ch->len);
+ }
+ else
+ {
+ ch->ptr = NULL;
+ }
+ chunk = chunk_skip(chunk, ch->len);
+ continue;
+ }
+ default:
+ break;
+ }
+ break;
+ }
+ va_end(chunks);
+}
+
+/**
+ * Described in header.
+ */
+bool chunk_write(chunk_t chunk, const char *path, const char *label, mode_t mask, bool force)
+{
+ mode_t oldmask;
+ FILE *fd;
+
+ if (!force)
+ {
+ fd = fopen(path, "r");
+ if (fd)
+ {
+ fclose(fd);
+ DBG1(" %s file '%s' already exists", label, path);
+ return FALSE;
+ }
+ }
+
+ /* set umask */
+ oldmask = umask(mask);
+
+ fd = fopen(path, "w");
+
+ if (fd)
+ {
+ fwrite(chunk.ptr, sizeof(u_char), chunk.len, fd);
+ fclose(fd);
+ DBG1(" written %s file '%s' (%u bytes)", label, path, chunk.len);
+ umask(oldmask);
+ return TRUE;
+ }
+ else
+ {
+ DBG1(" could not open %s file '%s' for writing", label, path);
+ umask(oldmask);
+ return FALSE;
+ }
+}
+
+/**
+ * Described in header.
+ */
+void chunk_free(chunk_t *chunk)
+{
+ free(chunk->ptr);
+ chunk->ptr = NULL;
+ chunk->len = 0;
+}
+
+/**
+ * Described in header.
+ */
+chunk_t chunk_skip(chunk_t chunk, size_t bytes)
+{
+ if (chunk.len > bytes)
+ {
+ chunk.ptr += bytes;
+ chunk.len -= bytes;
+ return chunk;
+ }
+ return chunk_empty;
+}
+
+/**
+ * Described in header.
+ */
+int chunk_compare(chunk_t a, chunk_t b)
+{
+ int compare_len = a.len - b.len;
+ int len = (compare_len < 0)? a.len : b.len;
+
+ if (compare_len != 0 || len == 0)
+ {
+ return compare_len;
+ }
+ return memcmp(a.ptr, b.ptr, len);
+};
+
+/**
+ * Described in header.
+ */
+bool chunk_equals(chunk_t a, chunk_t b)
+{
+ return a.ptr != NULL && b.ptr != NULL &&
+ a.len == b.len && memeq(a.ptr, b.ptr, a.len);
+}
+
+/**
+ * Described in header.
+ */
+bool chunk_equals_or_null(chunk_t a, chunk_t b)
+{
+ if (a.ptr == NULL || b.ptr == NULL)
+ return TRUE;
+ return a.len == b.len && memeq(a.ptr, b.ptr, a.len);
+}
+
+/**
+ * Number of bytes per line to dump raw data
+ */
+#define BYTES_PER_LINE 16
+
+/**
+ * output handler in printf() for byte ranges
+ */
+static int print_bytes(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ char *bytes = *((void**)(args[0]));
+ int len = *((size_t*)(args[1]));
+
+ char buffer[BYTES_PER_LINE * 3];
+ char ascii_buffer[BYTES_PER_LINE + 1];
+ char *buffer_pos = buffer;
+ char *bytes_pos = bytes;
+ char *bytes_roof = bytes + len;
+ int line_start = 0;
+ int i = 0;
+ int written = 0;
+
+ written += fprintf(stream, "=> %d bytes @ %p", len, bytes);
+
+ while (bytes_pos < bytes_roof)
+ {
+ static char hexdig[] = "0123456789ABCDEF";
+
+ *buffer_pos++ = hexdig[(*bytes_pos >> 4) & 0xF];
+ *buffer_pos++ = hexdig[ *bytes_pos & 0xF];
+
+ ascii_buffer[i++] =
+ (*bytes_pos > 31 && *bytes_pos < 127) ? *bytes_pos : '.';
+
+ if (++bytes_pos == bytes_roof || i == BYTES_PER_LINE)
+ {
+ int padding = 3 * (BYTES_PER_LINE - i);
+ int written;
+
+ while (padding--)
+ {
+ *buffer_pos++ = ' ';
+ }
+ *buffer_pos++ = '\0';
+ ascii_buffer[i] = '\0';
+
+ written += fprintf(stream, "\n%4d: %s %s",
+ line_start, buffer, ascii_buffer);
+
+
+ buffer_pos = buffer;
+ line_start += BYTES_PER_LINE;
+ i = 0;
+ }
+ else
+ {
+ *buffer_pos++ = ' ';
+ }
+ }
+ return written;
+}
+
+/**
+ * output handler in printf() for chunks
+ */
+static int print_chunk(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ chunk_t *chunk = *((chunk_t**)(args[0]));
+ bool first = TRUE;
+ chunk_t copy = *chunk;
+ int written = 0;
+
+ if (!info->alt)
+ {
+ const void *new_args[] = {&chunk->ptr, &chunk->len};
+ return print_bytes(stream, info, new_args);
+ }
+
+ while (copy.len > 0)
+ {
+ if (first)
+ {
+ first = FALSE;
+ }
+ else
+ {
+ written += fprintf(stream, ":");
+ }
+ written += fprintf(stream, "%02x", *copy.ptr++);
+ copy.len--;
+ }
+ return written;
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(PRINTF_CHUNK, print_chunk, arginfo_ptr);
+ register_printf_function(PRINTF_BYTES, print_bytes, arginfo_ptr_int);
+}
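Review bot: chunk_write() tests for an existing file with `fopen(path, "r")` and then creates it with a separate `fopen(path, "w")`, so the no-overwrite guarantee of `force == FALSE` is lost if the path appears, or is replaced by a link, between the two calls; an existing but unreadable file is also treated as absent. Creating the file with `open()` and `O_EXCL` makes the check and the creation a single step. The sketch below does that and also checks the `fwrite()` and `fclose()` results, which the current code ignores before logging success; it needs `<fcntl.h>`, `<errno.h>` and `<unistd.h>` added to the includes. Separately, the inner `int written;` in print_bytes() shadows the function-level counter and is incremented uninitialised, so the per-line counts never reach the return value; deleting that declaration is enough.

```c
bool chunk_write(chunk_t chunk, const char *path, const char *label, mode_t mask, bool force)
{
	mode_t oldmask;
	FILE *fd;
	int raw, err;
	bool complete;

	/* create the file and, unless forced, refuse an existing one in one step */
	oldmask = umask(mask);
	raw = open(path, O_WRONLY | O_CREAT | (force ? O_TRUNC : O_EXCL), 0666);
	err = errno;
	umask(oldmask);

	if (raw < 0)
	{
		if (!force && err == EEXIST)
		{
			DBG1(" %s file '%s' already exists", label, path);
		}
		else
		{
			DBG1(" could not open %s file '%s' for writing", label, path);
		}
		return FALSE;
	}

	fd = fdopen(raw, "w");
	if (fd == NULL)
	{
		close(raw);
		DBG1(" could not open %s file '%s' for writing", label, path);
		return FALSE;
	}

	/* a short write or a failed flush must not be reported as success */
	complete = fwrite(chunk.ptr, sizeof(u_char), chunk.len, fd) == chunk.len;
	complete = (fclose(fd) == 0) && complete;
	if (!complete)
	{
		DBG1(" could not write %s file '%s'", label, path);
		return FALSE;
	}
	DBG1(" written %s file '%s' (%u bytes)", label, path, chunk.len);
	return TRUE;
}
```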
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
new file mode 100644
index 000000000..a13ccfc22
--- /dev/null
+++ b/src/libstrongswan/chunk.h
@@ -0,0 +1,154 @@
+/**
+ * @file chunk.h
+ *
+ * @brief Pointer/length abstraction and its functions.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CHUNK_H_
+#define CHUNK_H_
+
+#include <string.h>
+#include <stdarg.h>
+
+#include <library.h>
+
+typedef struct chunk_t chunk_t;
+
+/**
+ * General purpose pointer/length abstraction.
+ */
+struct chunk_t {
+ /** Pointer to start of data */
+ u_char *ptr;
+ /** Length of data in bytes */
+ size_t len;
+};
+
+/**
+ * A { NULL, 0 }-chunk handy for initialization.
+ */
+extern chunk_t chunk_empty;
+
+/**
+ * Create a new chunk pointing to "ptr" with length "len"
+ */
+chunk_t chunk_create(u_char *ptr, size_t len);
+
+/**
+ * Create a clone of a chunk pointing to "ptr"
+ */
+chunk_t chunk_create_clone(u_char *ptr, chunk_t chunk);
+
+/**
+ * Calculate length of multiple chunks
+ */
+size_t chunk_length(const char *mode, ...);
+
+/**
+ * Concatenate chunks into a chunk pointing to "ptr",
+ * "mode" is a string of "c" (copy) and "m" (move), which says
+ * how to handle to chunks in "..."
+ */
+chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...);
+
+/**
+ * Split up a chunk into parts, "mode" is a string of "a" (alloc),
+ * "c" (copy) and "m" (move). Each letter say for the corresponding chunk if
+ * it should get allocated on heap, copied into existing chunk, or the chunk
+ * should point into "chunk". The length of each part is an argument before
+ * each target chunk. E.g.:
+ * chunk_split(chunk, "mcac", 3, &a, 7, &b, 5, &c, d.len, &d);
+ */
+void chunk_split(chunk_t chunk, const char *mode, ...);
+
+/**
+ * Write the binary contents of a chunk_t to a file
+ */
+bool chunk_write(chunk_t chunk, const char *path, const char *label, mode_t mask, bool force);
+
+/**
+ * Free contents of a chunk
+ */
+void chunk_free(chunk_t *chunk);
+
+/**
+ * Initialize a chunk to point to buffer inspectable by sizeof()
+ */
+#define chunk_from_buf(str) { str, sizeof(str) }
+
+/**
+ * Initialize a chunk to point to a thing
+ */
+#define chunk_from_thing(thing) chunk_create((char*)&(thing), sizeof(thing))
+
+/**
+ * Allocate a chunk on the heap
+ */
+#define chunk_alloc(bytes) chunk_create(malloc(bytes), bytes)
+
+/**
+ * Allocate a chunk on the stack
+ */
+#define chunk_alloca(bytes) chunk_create(alloca(bytes), bytes)
+
+/**
+ * Clone a chunk on heap
+ */
+#define chunk_clone(chunk) chunk_create_clone(malloc(chunk.len), chunk)
+
+/**
+ * Clone a chunk on stack
+ */
+#define chunk_clonea(chunk) chunk_create_clone(alloca(chunk.len), chunk)
+
+/**
+ * Concatenate chunks into a chunk on heap
+ */
+#define chunk_cat(mode, ...) chunk_create_cat(malloc(chunk_length(mode, __VA_ARGS__)), mode, __VA_ARGS__)
+
+/**
+ * Concatenate chunks into a chunk on stack
+ */
+#define chunk_cata(mode, ...) chunk_create_cat(alloca(chunk_length(mode, __VA_ARGS__)), mode, __VA_ARGS__)
+
+/**
+ * Skip n bytes in chunk (forward pointer, shorten length)
+ */
+chunk_t chunk_skip(chunk_t chunk, size_t bytes);
+
+/**
+ * Compare two chunks, returns zero if a equals b
+ * or negative/positive if a is small/greater than b
+ */
+int chunk_compare(chunk_t a, chunk_t b);
+
+/**
+ * Compare two chunks for equality,
+ * NULL chunks are never equal.
+ */
+bool chunk_equals(chunk_t a, chunk_t b);
+
+/**
+ * Compare two chunks for equality,
+ * NULL chunks are always equal.
+ */
+bool chunk_equals_or_null(chunk_t a, chunk_t b);
+
+#endif /* CHUNK_H_ */
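Review bot: The stack variants `chunk_alloca`, `chunk_clonea` and `chunk_cata` size an `alloca()` from their argument with no upper bound, and the header never tells callers that the length must be small and locally bounded; a length taken from a parsed message would move the stack pointer by that amount. The heap variants hand `malloc()`'s result to `chunk_create()` together with the requested length, so a failed allocation yields a chunk with `ptr == NULL` and a non-zero `len`; whether `chunk_create_clone()` and `chunk_create_cat()` check for that is not visible in this header. I would extend the comments, e.g. `Allocate a chunk on the stack; "bytes" must be a small, caller-bounded value` and `Allocate a chunk on the heap; ptr is NULL if malloc() fails`. The macros also expand `bytes`/`chunk` twice and use `chunk.len` unparenthesized, so arguments with side effects or non-primary expressions are unsafe.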
diff --git a/src/libstrongswan/credential_store.h b/src/libstrongswan/credential_store.h
new file mode 100755
index 000000000..5d51981ec
--- /dev/null
+++ b/src/libstrongswan/credential_store.h
@@ -0,0 +1,294 @@
+/**
+ * @file credential_store.h
+ *
+ * @brief Interface credential_store_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CREDENTIAL_STORE_H_
+#define CREDENTIAL_STORE_H_
+
+typedef struct credential_store_t credential_store_t;
+
+#include <library.h>
+#include <crypto/x509.h>
+#include <crypto/ca.h>
+#include <crypto/rsa/rsa_private_key.h>
+#include <crypto/rsa/rsa_public_key.h>
+#include <utils/identification.h>
+
+
+/**
+ * @brief The interface for a credential_store backend.
+ *
+ * @b Constructors:
+ * - stroke_create()
+ *
+ * @ingroup config
+ */
+struct credential_store_t {
+
+ /**
+ * @brief Returns the secret shared by two specific IDs.
+ *
+ * The returned chunk must be destroyed by the caller after usage.
+ *
+ * @param this calling object
+ * @param my_id my ID identifiying the secret.
+ * @param other_id peer ID identifying the secret.
+ * @param[out] secret the pre-shared secret will be written there.
+ * @return
+ * - NOT_FOUND if no preshared secrets for specific ID could be found
+ * - SUCCESS
+ *
+ */
+ status_t (*get_shared_key) (credential_store_t *this, identification_t *my_id,
+ identification_t *other_id, chunk_t *shared_key);
+
+ /**
+ * @brief Returns the EAP secret for two specified IDs.
+ *
+ * The returned chunk must be destroyed by the caller after usage.
+ *
+ * @param this calling object
+ * @param my_id my ID identifiying the secret.
+ * @param other_id peer ID identifying the secret.
+ * @param[out] eap_key the EAP secret will be written here
+ * @return
+ * - NOT_FOUND if no preshared secrets for specific ID could be found
+ * - SUCCESS
+ *
+ */
+ status_t (*get_eap_key) (credential_store_t *this, identification_t *my_id,
+ identification_t *other_id, chunk_t *eap_key);
+
+ /**
+ * @brief Returns the RSA public key of a specific ID.
+ *
+ * @param this calling object
+ * @param id identification_t object identifiying the key.
+ * @return public key, or NULL if not found
+ */
+ rsa_public_key_t* (*get_rsa_public_key) (credential_store_t *this, identification_t *id);
+
+ /**
+ * @brief Returns the RSA public key of a specific ID if is trusted
+ *
+ * @param this calling object
+ * @param id identification_t object identifiying the key.
+ * @return public key, or NULL if not found or not trusted
+ */
+ rsa_public_key_t* (*get_trusted_public_key) (credential_store_t *this, identification_t *id);
+
+ /**
+ * @brief Returns the RSA private key belonging to an RSA public key
+ *
+ * The returned rsa_private_key_t must be destroyed by the caller after usage.
+ *
+ * @param this calling object
+ * @param pubkey public key
+ * @return private key, or NULL if not found
+ */
+ rsa_private_key_t* (*get_rsa_private_key) (credential_store_t *this, rsa_public_key_t *pubkey);
+
+ /**
+ * @brief Is there a matching RSA private key belonging to an RSA public key?
+ *
+ * @param this calling object
+ * @param pubkey public key
+ * @return TRUE if matching private key was found
+ */
+ bool (*has_rsa_private_key) (credential_store_t *this, rsa_public_key_t *pubkey);
+
+ /**
+ * @brief Returns the certificate of a specific ID.
+ *
+ * @param this calling object
+ * @param id identification_t object identifiying the cert.
+ * @return certificate, or NULL if not found
+ */
+ x509_t* (*get_certificate) (credential_store_t *this, identification_t *id);
+
+ /**
+ * @brief Returns the auth certificate of a specific subject distinguished name.
+ *
+ * @param this calling object
+ * @param auth_flags set of allowed authority types
+ * @param id identification_t object identifiying the cacert.
+ * @return certificate, or NULL if not found
+ */
+ x509_t* (*get_auth_certificate) (credential_store_t *this, u_int auth_flags, identification_t *id);
+
+ /**
+ * @brief Returns the ca certificate of a specific keyID.
+ *
+ * @param this calling object
+ * @param keyid identification_t object identifiying the cacert.
+ * @return certificate, or NULL if not found
+ */
+ x509_t* (*get_ca_certificate_by_keyid) (credential_store_t *this, chunk_t keyid);
+
+ /**
+ * @brief Returns the issuing ca of a given certificate.
+ *
+ * @param this calling object
+ * @param cert certificate for which issuer ca info is required
+ * @return ca info, or NULL if not found
+ */
+ ca_info_t* (*get_issuer) (credential_store_t *this, const x509_t* cert);
+
+ /**
+ * @brief Verify an X.509 certificate up to trust anchor without any status checks
+ *
+ * @param this calling object
+ * @param cert certificate to be verified
+ * @return TRUE if trusted
+ */
+ bool (*is_trusted) (credential_store_t *this, x509_t *cert);
+
+ /**
+ * @brief Verify an X.509 certificate up to trust anchor including status checks
+ *
+ * @param this calling object
+ * @param cert certificate to be verified
+ * @param found found a certificate copy in the credential store
+ * @return TRUE if valid, trusted, and current status is good
+ */
+ bool (*verify) (credential_store_t *this, x509_t *cert, bool *found);
+
+ /**
+ * @brief If an end certificate does not already exists in the credential store then add it.
+ *
+ * @param this calling object
+ * @param cert certificate to be added
+ * @return pointer to the added or already existing certificate
+ */
+ x509_t* (*add_end_certificate) (credential_store_t *this, x509_t *cert);
+
+ /**
+ * @brief If an authority certificate does not already exists in the credential store then add it.
+ *
+ * @param this calling object
+ * @param cert authority certificate to be added
+ * @param auth_flag authority flags to add to the certificate
+ * @return pointer to the added or already existing certificate
+ */
+ x509_t* (*add_auth_certificate) (credential_store_t *this, x509_t *cert, u_int auth_flag);
+
+ /**
+ * @brief If a ca info record does not already exists in the credential store then add it.
+ *
+ * @param this calling object
+ * @param ca_info ca info record to be added
+ */
+ void (*add_ca_info) (credential_store_t *this, ca_info_t *ca_info);
+
+ /**
+ * @brief Release a ca info record with a given name.
+ *
+ * @param this calling object
+ * @param name name of the ca info record to be released
+ * @return
+ * - SUCCESS, or
+ * - NOT_FOUND
+ */
+ status_t (*release_ca_info) (credential_store_t *this, const char *name);
+
+ /**
+ * @brief Create an iterator over all end certificates.
+ *
+ * @param this calling object
+ * @return iterator
+ */
+ iterator_t* (*create_cert_iterator) (credential_store_t *this);
+
+ /**
+ * @brief Create an iterator over all authority certificates.
+ *
+ * @param this calling object
+ * @return iterator
+ */
+ iterator_t* (*create_auth_cert_iterator) (credential_store_t *this);
+
+ /**
+ * @brief Create an iterator over all CA info records
+ *
+ * @param this calling object
+ * @return iterator
+ */
+ iterator_t* (*create_cainfo_iterator) (credential_store_t *this);
+
+ /**
+ * @brief Loads ca certificates from a default directory.
+ *
+ * Certificates in both DER and PEM format are accepted
+ *
+ * @param this calling object
+ */
+ void (*load_ca_certificates) (credential_store_t *this);
+
+ /**
+ * @brief Loads ocsp certificates from a default directory.
+ *
+ * Certificates in both DER and PEM format are accepted
+ *
+ * @param this calling object
+ */
+ void (*load_ocsp_certificates) (credential_store_t *this);
+
+ /**
+ * @brief Loads CRLs from a default directory.
+ *
+ * Certificates in both DER and PEM format are accepted
+ *
+ * @param this calling object
+ * @param path directory to load crls from
+ */
+ void (*load_crls) (credential_store_t *this);
+
+ /**
+ * @brief Loads secrets in ipsec.secrets
+ *
+ * Currently, all RSA private key files must be in unencrypted form
+ * either in DER or PEM format.
+ *
+ * @param this calling object
+ */
+ void (*load_secrets) (credential_store_t *this);
+
+ /**
+ * @brief Destroys a credential_store_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (credential_store_t *this);
+};
+
+/**
+ * @brief Creates a credential_store_t instance.
+ *
+ * @param strict enforce a strict crl policy
+ * @return credential store instance.
+ *
+ * @ingroup config
+ */
+credential_store_t *credential_store_create(bool strict);
+
+
+#endif /*CREDENTIAL_STORE_H_*/
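Review bot: The comment on `get_rsa_public_key` does not say whether the returned key has passed any trust check, while `get_trusted_public_key` returns NULL for an untrusted key; the difference is only implied, and a caller that picks the first one for signature verification would presumably accept an unverified key. I would add a line such as `The returned key is not checked for trust; use get_trusted_public_key() to authenticate a peer.` once that is confirmed against the implementation, which is not in this hunk. Two parameter comments are also out of step with the prototypes: `get_shared_key` documents `@param[out] secret` for a parameter named `shared_key`, and `load_crls` documents a `path` parameter it does not take.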
diff --git a/src/libstrongswan/crypto/ca.c b/src/libstrongswan/crypto/ca.c
new file mode 100644
index 000000000..1f566a098
--- /dev/null
+++ b/src/libstrongswan/crypto/ca.c
@@ -0,0 +1,788 @@
+/**
+ * @file ca.c
+ *
+ * @brief Implementation of ca_info_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/stat.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+#include <pthread.h>
+
+#include "x509.h"
+#include "crl.h"
+#include "ca.h"
+#include "certinfo.h"
+#include "ocsp.h"
+
+#include <library.h>
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+#include <utils/fetcher.h>
+
+typedef struct private_ca_info_t private_ca_info_t;
+
+/**
+ * Private data of a ca_info_t object.
+ */
+struct private_ca_info_t {
+ /**
+ * Public interface for this ca info record
+ */
+ ca_info_t public;
+
+ /**
+ * Name of the ca info record
+ */
+ char *name;
+
+ /**
+ * Time when ca info record was installed
+ */
+ time_t installed;
+
+ /**
+ * Distinguished Name of the CA
+ */
+ x509_t *cacert;
+
+ /**
+ * List of crl URIs
+ */
+ linked_list_t *crluris;
+
+ /**
+ * List of ocsp URIs
+ */
+ linked_list_t *ocspuris;
+
+ /**
+ * CRL issued by this ca
+ */
+ crl_t *crl;
+
+ /**
+ * List of certificate info records
+ */
+ linked_list_t *certinfos;
+
+ /**
+ * mutex controls access to the elements:
+ * name, crluris, ocspuris, crl, and certinfos
+ */
+ pthread_mutex_t mutex;
+};
+
+/**
+ * static options set by ca_info_set_options()
+ */
+static bool cache_crls = FALSE;
+static u_int crl_check_interval = 0;
+
+/**
+ * Implements ca_info_t.equals
+ */
+static bool equals(const private_ca_info_t *this, const private_ca_info_t *that)
+{
+ return chunk_equals(this->cacert->get_keyid(this->cacert),
+ that->cacert->get_keyid(that->cacert));
+}
+
+/**
+ * Implements ca_info_t.equals_name_release_info
+ */
+static bool equals_name_release_info(private_ca_info_t *this, const char *name)
+{
+ bool found;
+
+ pthread_mutex_lock(&(this->mutex));
+ found = this->name != NULL && streq(this->name, name);
+
+ if (found)
+ {
+ this->crluris->destroy_offset(this->crluris,
+ offsetof(identification_t, destroy));
+ this->crluris = linked_list_create();
+
+ this->ocspuris->destroy_offset(this->ocspuris,
+ offsetof(identification_t, destroy));
+ this->ocspuris = linked_list_create();
+
+ free(this->name);
+ this->name = NULL;
+ }
+
+ pthread_mutex_unlock(&(this->mutex));
+ return found;
+}
+
+/**
+ * Implements ca_info_t.is_crl_issuer
+ */
+static bool is_cert_issuer(private_ca_info_t *this, const x509_t *cert)
+{
+ return cert->is_issuer(cert, this->cacert);
+}
+
+/**
+ * Implements ca_info_t.is_crl_issuer
+ */
+static bool is_crl_issuer(private_ca_info_t *this, const crl_t *crl)
+{
+ return crl->is_issuer(crl, this->cacert);
+}
+
+/**
+ * Implements ca_info_t.has_crl
+ */
+static bool has_crl(private_ca_info_t *this)
+{
+ bool found;
+
+ pthread_mutex_lock(&(this->mutex));
+ found = this->crl != NULL;
+ pthread_mutex_unlock(&(this->mutex));
+
+ return found;
+}
+
+/**
+ * Implements ca_info_t.has_certinfos
+ */
+static bool has_certinfos(private_ca_info_t *this)
+{
+ bool found;
+
+ pthread_mutex_lock(&(this->mutex));
+ found = this->certinfos->get_count(this->certinfos) > 0;
+ pthread_mutex_unlock(&(this->mutex));
+
+ return found;
+}
+
+/**
+ * Implements ca_info_t.add_crl
+ */
+static void add_crl(private_ca_info_t *this, crl_t *crl)
+{
+ pthread_mutex_lock(&(this->mutex));
+
+ if (this->crl)
+ {
+ if (crl->is_newer(crl, this->crl))
+ {
+ this->crl->destroy(this->crl);
+ this->crl = crl;
+ DBG1(" this crl is newer - existing crl replaced");
+ }
+ else
+ {
+ crl->destroy(crl);
+ DBG1(" this crl is not newer - existing crl retained");
+ }
+ }
+ else
+ {
+ this->crl = crl;
+ DBG2(" crl added");
+ }
+
+ pthread_mutex_unlock(&(this->mutex));
+}
+
+/**
+ * Implements ca_info_t.list_crl
+ */
+static void list_crl(private_ca_info_t *this, FILE *out, bool utc)
+{
+ pthread_mutex_lock(&(this->mutex));
+
+ fprintf(out, "%#U\n", this->crl, utc);
+
+ pthread_mutex_unlock(&(this->mutex));
+}
+
+/**
+ * Implements ca_info_t.list_certinfos
+ */
+static void list_certinfos(private_ca_info_t *this, FILE *out, bool utc)
+{
+ pthread_mutex_lock(&(this->mutex));
+
+ fprintf(out," authname: '%D'\n", this->cacert->get_subject(this->cacert));
+ {
+ chunk_t authkey = this->cacert->get_subjectKeyID(this->cacert);
+
+ fprintf(out," authkey: %#B\n", &authkey);
+ }
+ {
+ iterator_t *iterator = this->certinfos->create_iterator(this->certinfos, TRUE);
+ certinfo_t *certinfo;
+
+ while (iterator->iterate(iterator, (void**)&certinfo))
+ {
+ fprintf(out, "%#Y\n", certinfo, utc);
+ }
+ iterator->destroy(iterator);
+ }
+
+ pthread_mutex_unlock(&(this->mutex));
+}
+
+/**
+ * Find an exact copy of an identification in a linked list
+ */
+static identification_t* find_identification(linked_list_t *list, identification_t *id)
+{
+ identification_t *found_id = NULL, *current_id;
+
+ iterator_t *iterator = list->create_iterator(list, TRUE);
+
+ while (iterator->iterate(iterator, (void**)&current_id))
+ {
+ if (id->equals(id, current_id))
+ {
+ found_id = current_id;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ return found_id;
+}
+
+/**
+ * Add a unique identification to a linked list
+ */
+static identification_t *add_identification(linked_list_t *list, identification_t *id)
+{
+ identification_t *found_id = find_identification(list, id);
+
+ if (found_id)
+ {
+ id->destroy(id);
+ return found_id;
+ }
+ else
+ {
+ list->insert_last(list, (void*)id);
+ return id;
+ }
+}
+
+/**
+ * Implements ca_info_t.add_crluri
+ */
+static void add_crluri(private_ca_info_t *this, chunk_t uri)
+{
+ if (uri.len < 6 ||
+ (strncasecmp(uri.ptr, "http", 4) != 0 &&
+ strncasecmp(uri.ptr, "ldap", 4) != 0 &&
+ strncasecmp(uri.ptr, "file", 4) != 0 &&
+ strncasecmp(uri.ptr, "ftp", 3) != 0))
+ {
+ DBG1(" invalid crl uri '%#B'", uri);
+ return;
+ }
+ else
+ {
+ identification_t *crluri = identification_create_from_encoding(ID_DER_ASN1_GN_URI, uri);
+
+ pthread_mutex_lock(&(this->mutex));
+ add_identification(this->crluris, crluri);
+ pthread_mutex_unlock(&(this->mutex));
+ }
+}
+
+/**
+ * Implements ca_info_t.add_ocspuri
+ */
+static void add_ocspuri(private_ca_info_t *this, chunk_t uri)
+{
+ if (uri.len < 7 || strncasecmp(uri.ptr, "http", 4) != 0)
+ {
+ DBG1(" invalid ocsp uri '%.*s'", uri.len, uri.ptr);
+ return;
+ }
+ else
+ {
+ identification_t *ocspuri = identification_create_from_encoding(ID_DER_ASN1_GN_URI, uri);
+
+ pthread_mutex_lock(&(this->mutex));
+ add_identification(this->ocspuris, ocspuri);
+ pthread_mutex_unlock(&(this->mutex));
+ }
+}
+
+/**
+ * Implements ca_info_t.add_info.
+ */
+void add_info (private_ca_info_t *this, const private_ca_info_t *that)
+{
+ pthread_mutex_lock(&(this->mutex));
+
+ if (this->name == NULL && that->name != NULL)
+ {
+ this->name = strdup(that->name);
+ }
+
+ pthread_mutex_unlock(&(this->mutex));
+
+ {
+ identification_t *uri;
+
+ iterator_t *iterator = that->crluris->create_iterator(that->crluris, TRUE);
+
+ while (iterator->iterate(iterator, (void**)&uri))
+ {
+ add_crluri(this, uri->get_encoding(uri));
+ }
+ iterator->destroy(iterator);
+ }
+
+ {
+ identification_t *uri;
+
+ iterator_t *iterator = that->ocspuris->create_iterator(that->ocspuris, TRUE);
+
+ while (iterator->iterate(iterator, (void**)&uri))
+ {
+ add_ocspuri(this, uri->get_encoding(uri));
+ }
+ iterator->destroy(iterator);
+ }
+}
+
+/**
+ * Implements ca_info_t.get_certificate.
+ */
+static x509_t* get_certificate(private_ca_info_t* this)
+{
+ return this->cacert;
+}
+
+/**
+ * caches a crl by saving it to a given crl directory
+ */
+void cache_crl(private_ca_info_t* this, const char *crl_dir, crl_t *crl)
+{
+ char buffer[BUF_LEN];
+ char *path;
+ char *pos = buffer;
+ int len = BUF_LEN;
+ int n;
+
+ chunk_t authKeyID = this->cacert->get_subjectKeyID(this->cacert);
+ chunk_t uri;
+
+ uri.ptr = buffer;
+ uri.len = 7 + strlen(crl_dir) + 1 + 2*authKeyID.len + 4;
+
+ if (uri.len >= BUF_LEN)
+ {
+ DBG1("file uri exceeds buffer length of %d bytes - crl not saved", BUF_LEN);
+ return;
+ }
+
+ /* print the file uri prefix */
+ n = snprintf(pos, len, "file://");
+ pos += n; len -= n;
+
+ /* remember the start of the path string */
+ path = pos;
+
+ /* print the default crl directory path */
+ n = snprintf(pos, len, "%s/", crl_dir);
+ pos += n; len -= n;
+
+ /* create and print a unique crl filename derived from the authKeyID */
+ while (authKeyID.len-- > 0)
+ {
+ n = snprintf(pos, len, "%02x", *authKeyID.ptr++);
+ pos += n; len -= n;
+ }
+
+ /* add the file suffix */
+ n = snprintf(pos, len, ".crl");
+
+ if (crl->write_to_file(crl, path, 0022, TRUE))
+ {
+ identification_t *crluri = identification_create_from_encoding(ID_DER_ASN1_GN_URI, uri);
+
+ add_identification(this->crluris, crluri);
+ }
+}
+
+/**
+ * Implements ca_info_t.verify_by_crl.
+ */
+static cert_status_t verify_by_crl(private_ca_info_t* this, certinfo_t *certinfo,
+ const char *crl_dir)
+{
+ rsa_public_key_t *issuer_public_key = this->cacert->get_public_key(this->cacert);
+ bool stale;
+
+ pthread_mutex_lock(&(this->mutex));
+ if (this->crl == NULL)
+ {
+ stale = TRUE;
+ DBG1("no crl is locally available");
+ }
+ else
+ {
+ stale = !this->crl->is_valid(this->crl);
+ DBG1("crl is %s", stale? "stale":"valid");
+ }
+
+ if (stale && crl_check_interval > 0)
+ {
+ iterator_t *iterator = this->crluris->create_iterator(this->crluris, TRUE);
+ identification_t *uri;
+
+ while (iterator->iterate(iterator, (void**)&uri))
+ {
+ fetcher_t *fetcher;
+ char uri_string[BUF_LEN];
+ chunk_t uri_chunk = uri->get_encoding(uri);
+ chunk_t response_chunk;
+
+ snprintf(uri_string, BUF_LEN, "%.*s", uri_chunk.len, uri_chunk.ptr);
+ fetcher = fetcher_create(uri_string);
+
+ response_chunk = fetcher->get(fetcher);
+ fetcher->destroy(fetcher);
+ if (response_chunk.ptr != NULL)
+ {
+ crl_t *crl = crl_create_from_chunk(response_chunk);
+
+ if (crl == NULL)
+ {
+ free(response_chunk.ptr);
+ continue;
+ }
+ if (!is_crl_issuer(this, crl))
+ {
+ DBG1(" fetched crl has wrong issuer");
+ crl->destroy(crl);
+ continue;
+ }
+ if (!crl->verify(crl, issuer_public_key))
+ {
+ DBG1("fetched crl signature is invalid");
+ crl->destroy(crl);
+ continue;
+ }
+ DBG2("fetched crl signature is valid");
+
+ if (this->crl == NULL)
+ {
+ this->crl = crl;
+ }
+ else if (crl->is_newer(crl, this->crl))
+ {
+ this->crl->destroy(this->crl);
+ this->crl = crl;
+ DBG1("this crl is newer - existing crl replaced");
+ }
+ else
+ {
+ crl->destroy(crl);
+ DBG1("this crl is not newer - existing crl retained");
+ continue;
+ }
+ if (crl->is_valid(crl))
+ {
+ if (cache_crls && strncasecmp(uri_string, "file", 4) != 0)
+ {
+ cache_crl(this, crl_dir, crl);
+ }
+ /* we found a valid crl and therefore exit the fetch loop */
+ break;
+ }
+ else
+ {
+ DBG1("fetched crl is stale");
+ }
+ }
+ }
+ iterator->destroy(iterator);
+ }
+
+ if (this->crl)
+ {
+ if (!this->crl->verify(this->crl, issuer_public_key))
+ {
+ DBG1("crl signature is invalid");
+ goto ret;
+ }
+ DBG2("crl signature is valid");
+
+ this->crl->get_status(this->crl, certinfo);
+ }
+
+ret:
+ pthread_mutex_unlock(&(this->mutex));
+ return certinfo->get_status(certinfo);
+}
+
+/**
+ * Implements ca_info_t.verify_by_ocsp.
+ */
+static cert_status_t verify_by_ocsp(private_ca_info_t* this,
+ certinfo_t *certinfo,
+ credential_store_t *credentials)
+{
+ bool stale;
+ iterator_t *iterator;
+ certinfo_t *cached_certinfo = NULL;
+ int comparison = 1;
+
+ pthread_mutex_lock(&(this->mutex));
+
+ /* do we support OCSP at all? */
+ if (this->ocspuris->get_count(this->ocspuris) == 0)
+ {
+ goto ret;
+ }
+
+ iterator = this->certinfos->create_iterator(this->certinfos, TRUE);
+
+ /* find the list insertion point in alphabetical order */
+ while(iterator->iterate(iterator, (void**)&cached_certinfo))
+ {
+ comparison = certinfo->compare_serialNumber(certinfo, cached_certinfo);
+
+ if (comparison <= 0)
+ {
+ break;
+ }
+ }
+
+ /* do we have a valid certinfo_t for this serial number in our cache? */
+ if (comparison == 0)
+ {
+ stale = cached_certinfo->get_nextUpdate(cached_certinfo) < time(NULL);
+ DBG1("ocsp status in cache is %s", stale ? "stale":"fresh");
+ }
+ else
+ {
+ stale = TRUE;
+ DBG1("ocsp status is not in cache");
+ }
+
+ if (stale)
+ {
+ ocsp_t *ocsp;
+
+ ocsp = ocsp_create(this->cacert, this->ocspuris);
+ ocsp->fetch(ocsp, certinfo, credentials);
+ if (certinfo->get_status(certinfo) != CERT_UNDEFINED)
+ {
+ if (comparison != 0)
+ {
+ cached_certinfo = certinfo_create(certinfo->get_serialNumber(certinfo));
+
+ if (comparison > 0)
+ {
+ iterator->insert_after(iterator, (void *)cached_certinfo);
+ }
+ else
+ {
+ iterator->insert_before(iterator, (void *)cached_certinfo);
+ }
+ }
+ cached_certinfo->update(cached_certinfo, certinfo);
+ }
+ ocsp->destroy(ocsp);
+ }
+ else
+ {
+ certinfo->update(certinfo, cached_certinfo);
+ }
+
+ iterator->destroy(iterator);
+
+ret:
+ pthread_mutex_unlock(&(this->mutex));
+ return certinfo->get_status(certinfo);
+}
+
+/**
+ * Implements ca_info_t.purge_ocsp
+ */
+static void purge_ocsp(private_ca_info_t *this)
+{
+ pthread_mutex_lock(&(this->mutex));
+
+ this->certinfos->destroy_offset(this->certinfos,
+ offsetof(certinfo_t, destroy));
+ this->certinfos = linked_list_create();
+
+ pthread_mutex_unlock(&(this->mutex));
+}
+
+/**
+ * Implements ca_info_t.destroy
+ */
+static void destroy(private_ca_info_t *this)
+{
+ this->crluris->destroy_offset(this->crluris,
+ offsetof(identification_t, destroy));
+ this->ocspuris->destroy_offset(this->ocspuris,
+ offsetof(identification_t, destroy));
+ this->certinfos->destroy_offset(this->certinfos,
+ offsetof(certinfo_t, destroy));
+ DESTROY_IF(this->crl);
+ free(this->name);
+ free(this);
+}
+
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ private_ca_info_t *this = *((private_ca_info_t**)(args[0]));
+ bool utc = TRUE;
+ int written = 0;
+ const x509_t *cacert;
+
+ if (info->alt)
+ {
+ utc = *((bool*)args[1]);
+ }
+ if (this == NULL)
+ {
+ return fprintf(stream, "(null)");
+ }
+
+ pthread_mutex_lock(&(this->mutex));
+ written += fprintf(stream, "%#T", &this->installed, utc);
+
+ if (this->name)
+ {
+ written += fprintf(stream, ", \"%s\"\n", this->name);
+ }
+ else
+ {
+ written += fprintf(stream, "\n");
+ }
+
+ cacert = this->cacert;
+ written += fprintf(stream, " authname: '%D'\n", cacert->get_subject(cacert));
+ {
+ chunk_t authkey = cacert->get_subjectKeyID(cacert);
+
+ written += fprintf(stream, " authkey: %#B\n", &authkey);
+ }
+ {
+ chunk_t keyid = cacert->get_keyid(cacert);
+
+ written += fprintf(stream, " keyid: %#B\n", &keyid);
+ }
+ {
+ identification_t *crluri;
+ iterator_t *iterator = this->crluris->create_iterator(this->crluris, TRUE);
+ bool first = TRUE;
+
+ while (iterator->iterate(iterator, (void**)&crluri))
+ {
+ written += fprintf(stream, " %s '%D'\n",
+ first? "crluris:":" ", crluri);
+ first = FALSE;
+ }
+ iterator->destroy(iterator);
+ }
+ {
+ identification_t *ocspuri;
+ iterator_t *iterator = this->ocspuris->create_iterator(this->ocspuris, TRUE);
+ bool first = TRUE;
+
+ while (iterator->iterate(iterator, (void**)&ocspuri))
+ {
+ written += fprintf(stream, " %s '%D'\n",
+ first? "ocspuris:":" ", ocspuri);
+ first = FALSE;
+ }
+ iterator->destroy(iterator);
+ }
+ pthread_mutex_unlock(&(this->mutex));
+ return written;
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(PRINTF_CAINFO, print, arginfo_ptr_alt_ptr_int);
+}
+
+/*
+ * Described in header.
+ */
+void ca_info_set_options(bool cache, u_int interval)
+{
+ cache_crls = cache;
+ crl_check_interval = interval;
+}
+
+/*
+ * Described in header.
+ */
+ca_info_t *ca_info_create(const char *name, x509_t *cacert)
+{
+ private_ca_info_t *this = malloc_thing(private_ca_info_t);
+
+ /* initialize */
+ this->installed = time(NULL);
+ this->name = (name == NULL)? NULL:strdup(name);
+ this->cacert = cacert;
+ this->crluris = linked_list_create();
+ this->ocspuris = linked_list_create();
+ this->certinfos = linked_list_create();
+ this->crl = NULL;
+
+ /* initialize the mutex */
+ pthread_mutex_init(&(this->mutex), NULL);
+
+ /* public functions */
+ this->public.equals = (bool (*) (const ca_info_t*,const ca_info_t*))equals;
+ this->public.equals_name_release_info = (bool (*) (ca_info_t*,const char*))equals_name_release_info;
+ this->public.is_cert_issuer = (bool (*) (ca_info_t*,const x509_t*))is_cert_issuer;
+ this->public.is_crl_issuer = (bool (*) (ca_info_t*,const crl_t*))is_crl_issuer;
+ this->public.add_info = (void (*) (ca_info_t*,const ca_info_t*))add_info;
+ this->public.add_crl = (void (*) (ca_info_t*,crl_t*))add_crl;
+ this->public.has_crl = (bool (*) (ca_info_t*))has_crl;
+ this->public.has_certinfos = (bool (*) (ca_info_t*))has_certinfos;
+ this->public.list_crl = (void (*) (ca_info_t*,FILE*,bool))list_crl;
+ this->public.list_certinfos = (void (*) (ca_info_t*,FILE*,bool))list_certinfos;
+ this->public.add_crluri = (void (*) (ca_info_t*,chunk_t))add_crluri;
+ this->public.add_ocspuri = (void (*) (ca_info_t*,chunk_t))add_ocspuri;
+ this->public.get_certificate = (x509_t* (*) (ca_info_t*))get_certificate;
+ this->public.verify_by_crl = (cert_status_t (*) (ca_info_t*,certinfo_t*, const char*))verify_by_crl;
+ this->public.verify_by_ocsp = (cert_status_t (*) (ca_info_t*,certinfo_t*,credential_store_t*))verify_by_ocsp;
+ this->public.purge_ocsp = (void (*) (ca_info_t*))purge_ocsp;
+ this->public.destroy = (void (*) (ca_info_t*))destroy;
+
+ return &this->public;
+}
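Review bot: In `add_crluri` the rejection log passes the chunk by value, `DBG1(" invalid crl uri '%#B'", uri);`, while every other `%#B` use in this file passes a pointer (`&authkey`, `&keyid`) and the handler registered for it in chunk.c reads its argument as a `chunk_t*`. Assuming `DBG1` goes through the same registered printf handlers, the handler would likely treat the URI bytes themselves as a `chunk_t`, and it does so on exactly the path that handles a malformed URI; the line should read `DBG1(" invalid crl uri '%#B'", &uri);`. A related vararg mismatch is in `add_ocspuri` and `verify_by_crl`, where `uri.len` and `uri_chunk.len` (a `size_t`) are passed for the `int` precision of `%.*s` and need an `(int)` cast.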
diff --git a/src/libstrongswan/crypto/ca.h b/src/libstrongswan/crypto/ca.h
new file mode 100644
index 000000000..c494a4468
--- /dev/null
+++ b/src/libstrongswan/crypto/ca.h
@@ -0,0 +1,215 @@
+/**
+ * @file ca.h
+ *
+ * @brief Interface of ca_info_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CA_H_
+#define CA_H_
+
+typedef struct ca_info_t ca_info_t;
+
+#include <library.h>
+#include <chunk.h>
+
+#include <credential_store.h>
+
+#include "x509.h"
+#include "crl.h"
+
+/**
+ * @brief X.509 certification authority information record
+ *
+ * @b Constructors:
+ * - ca_info_create()
+ *
+ * @ingroup transforms
+ */
+struct ca_info_t {
+
+ /**
+ * @brief Compare two ca info records
+ *
+ * Comparison is done via the keyid of the ca certificate
+ *
+ * @param this first ca info object
+ * @param that second ca info objct
+ * @return TRUE if a match is found
+ */
+ bool (*equals) (const ca_info_t *this, const ca_info_t* that);
+
+ /**
+ * @brief If the ca info record has the same name then release the name and URIs
+ *
+ * @param this ca info object
+ * @return TRUE if a match is found
+ */
+ bool (*equals_name_release_info) (ca_info_t *this, const char *name);
+
+ /**
+ * @brief Checks if a certificate was issued by this ca
+ *
+ * @param this ca info object
+ * @param cert certificate to be checked
+ * @return TRUE if the issuing ca has been found
+ */
+ bool (*is_cert_issuer) (ca_info_t *this, const x509_t *cert);
+
+ /**
+ * @brief Checks if a crl was issued by this ca
+ *
+ * @param this ca info object
+ * @param crl crl to be checked
+ * @return TRUE if the issuing ca has been found
+ */
+ bool (*is_crl_issuer) (ca_info_t *this, const crl_t *crl);
+
+ /**
+ * @brief Merges info from a secondary ca info object
+ *
+ * @param this primary ca info object
+ * @param that secondary ca info object
+ */
+ void (*add_info) (ca_info_t *this, const ca_info_t *that);
+
+ /**
+ * @brief Adds a new or replaces an obsoleted CRL
+ *
+ * @param this ca info object
+ * @param crl crl to be added
+ */
+ void (*add_crl) (ca_info_t *this, crl_t *crl);
+
+ /**
+ * @brief Does the CA have a CRL?
+ *
+ * @param this ca info object
+ * @return TRUE if crl is available
+ */
+ bool (*has_crl) (ca_info_t *this);
+
+ /**
+ * @brief Does the CA have OCSP certinfos?
+ *
+ * @param this ca info object
+ * @return TRUE if there are any certinfos
+ */
+ bool (*has_certinfos) (ca_info_t *this);
+
+ /**
+ * @brief List the CRL onto the console
+ *
+ * @param this ca info object
+ * @param out output stream
+ * @param utc TRUE - utc
+ FALSE - local time
+ */
+ void (*list_crl) (ca_info_t *this, FILE *out, bool utc);
+
+ /**
+ * @brief List the OCSP certinfos onto the console
+ *
+ * @param this ca info object
+ * @param out output stream
+ * @param utc TRUE - utc
+ FALSE - local time
+ */
+ void (*list_certinfos) (ca_info_t *this, FILE *out, bool utc);
+
+ /**
+ * @brief Adds a CRL URI to a list
+ *
+ * @param this ca info object
+ * @param uri crl uri to be added
+ */
+ void (*add_crluri) (ca_info_t *this, chunk_t uri);
+
+ /**
+ * @brief Adds a OCSP URI to a list
+ *
+ * @param this ca info object
+ * @param uri ocsp uri to be added
+ */
+ void (*add_ocspuri) (ca_info_t *this, chunk_t uri);
+
+ /**
+ * @brief Get the ca certificate
+ *
+ * @param this ca info object
+ * @return ca certificate
+ */
+ x509_t* (*get_certificate) (ca_info_t *this);
+
+ /**
+ * @brief Verify the status of a certificate by CRL
+ *
+ * @param this ca info object
+ * @param certinfo detailed certificate status information
+ * @param crl_dir directory where fetched crls should be stored
+ * @return certificate status
+ */
+ cert_status_t (*verify_by_crl) (ca_info_t *this, certinfo_t *certinfo, const char *crl_dir);
+
+ /**
+ * @brief Verify the status of a certificate by OCSP
+ *
+ * @param this ca info object
+ * @param certinfo detailed certificate status information
+ * @param credentials credential store needed for trust path verification
+ * @return certificate status
+ */
+ cert_status_t (*verify_by_ocsp) (ca_info_t* this, certinfo_t* certinfo, credential_store_t* credentials);
+
+ /**
+ * @brief Purge the OCSP certinfos of a ca info record
+ *
+ * @param this ca info object
+ */
+ void (*purge_ocsp) (ca_info_t *this);
+
+ /**
+ * @brief Destroys a ca info record
+ *
+ * @param this ca info to destroy
+ */
+ void (*destroy) (ca_info_t *this);
+};
+
+/**
+ * @brief Set ca info options
+ *
+ * @param cache TRUE if crls shall be cached by storing them
+ * @param interval crl_check_interval to be set in seconds
+ *
+ * @ingroup crypto
+ */
+void ca_info_set_options(bool cache, u_int interval);
+
+/**
+ * @brief Create a ca info record
+ *
+ * @param name name of the ca info record
+ * @param cacert path to the ca certificate
+ * @return created ca_info_t, or NULL if invalid.
+ *
+ * @ingroup crypto
+ */
+ca_info_t *ca_info_create(const char *name, x509_t *cacert);
+
+#endif /* CA_H_ */
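Review bot: The doc comment on `ca_info_create` at the end of this header does not match the constructor. `cacert` is an `x509_t *` that ca.c stores by pointer (`this->cacert = cacert;`), not a path, and the constructor returns `&this->public` unconditionally, so "or NULL if invalid" never holds and a caller's NULL check gives false assurance. I would change the two lines to `@param cacert ca certificate (pointer is stored, not copied)` and `@return created ca_info_t object`. The comment on `equals_name_release_info` also lacks a line for its second argument, e.g. `@param name name of the ca info record to match`.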
diff --git a/src/libstrongswan/crypto/certinfo.c b/src/libstrongswan/crypto/certinfo.c
new file mode 100644
index 000000000..654e4c2bd
--- /dev/null
+++ b/src/libstrongswan/crypto/certinfo.c
@@ -0,0 +1,305 @@
+/**
+ * @file certinfo.c
+ *
+ * @brief Implementation of certinfo_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <time.h>
+#include <stdio.h>
+
+#include <library.h>
+
+#include "certinfo.h"
+
+typedef struct private_certinfo_t private_certinfo_t;
+
+/**
+ * Private data of a certinfo_t object.
+ */
+struct private_certinfo_t {
+ /**
+ * Public interface for this certificate status information object.
+ */
+ certinfo_t public;
+
+ /**
+ * Serial number of the certificate
+ */
+ chunk_t serialNumber;
+
+ /**
+ * Certificate status
+ */
+ cert_status_t status;
+
+ /**
+ * Certificate status is for one-time use only
+ */
+ bool once;
+
+ /**
+ * Time when the certificate status info was generated
+ */
+ time_t thisUpdate;
+
+ /**
+ * Time when an updated certifcate status info will be available
+ */
+ time_t nextUpdate;
+
+ /**
+ * Time of certificate revocation
+ */
+ time_t revocationTime;
+
+ /**
+ * Reason of certificate revocation
+ */
+ crl_reason_t revocationReason;
+};
+
+ENUM(cert_status_names, CERT_GOOD, CERT_UNTRUSTED,
+ "good",
+ "revoked",
+ "unknown",
+ "unknown",
+ "untrusted",
+);
+
+ENUM(crl_reason_names, REASON_UNSPECIFIED, REASON_REMOVE_FROM_CRL,
+ "unspecified",
+ "key compromise",
+ "ca compromise",
+ "affiliation changed",
+ "superseded",
+ "cessation of operation",
+ "certificate hold",
+ "reason #7",
+ "remove from crl",
+);
+
+/**
+ * Implements certinfo_t.compare_serialNumber
+ */
+static int compare_serialNumber(const private_certinfo_t *this, const private_certinfo_t *that)
+{
+ return chunk_compare(this->serialNumber, that->serialNumber);
+}
+
+/**
+ * Implements certinfo_t.equals_serialNumber
+ */
+static bool equals_serialNumber(const private_certinfo_t *this, const private_certinfo_t *that)
+{
+ return chunk_equals(this->serialNumber, that->serialNumber);
+}
+
+/**
+ * Implements certinfo_t.get_serialNumber
+ */
+static chunk_t get_serialNumber(const private_certinfo_t *this)
+{
+ return this->serialNumber;
+}
+
+/**
+ * Implements certinfo_t.set_status
+ */
+static void set_status(private_certinfo_t *this, cert_status_t status)
+{
+ this->status = status;
+}
+
+/**
+ * Implements certinfo_t.get_status
+ */
+static cert_status_t get_status(const private_certinfo_t *this)
+{
+ return this->status;
+}
+
+/**
+ * Implements certinfo_t.set_thisUpdate
+ */
+static void set_thisUpdate(private_certinfo_t *this, time_t thisUpdate)
+{
+ this->thisUpdate = thisUpdate;
+}
+
+/**
+ * Implements certinfo_t.get_thisUpdate
+ */
+static time_t get_thisUpdate(const private_certinfo_t *this)
+{
+ return this->thisUpdate;
+}
+
+/**
+ * Implements certinfo_t.set_nextUpdate
+ */
+static void set_nextUpdate(private_certinfo_t *this, time_t nextUpdate)
+{
+ this->nextUpdate = nextUpdate;
+}
+
+/**
+ * Implements certinfo_t.get_nextUpdate
+ */
+static time_t get_nextUpdate(const private_certinfo_t *this)
+{
+ return this->nextUpdate;
+}
+
+/**
+ * Implements certinfo_t.set_revocationTime
+ */
+static void set_revocationTime(private_certinfo_t *this, time_t revocationTime)
+{
+ this->revocationTime = revocationTime;
+}
+
+/**
+ * Implements certinfo_t.get_revocationTime
+ */
+static time_t get_revocationTime(const private_certinfo_t *this)
+{
+ return this->revocationTime;
+}
+
+/**
+ * Implements certinfo_t.set_revocationReason
+ */
+static void set_revocationReason(private_certinfo_t *this, crl_reason_t reason)
+{
+ this->revocationReason = reason;
+}
+
+/**
+ * Implements certinfo_t.get_revocationReason
+ */
+static crl_reason_t get_revocationReason(const private_certinfo_t *this)
+{
+ return this->revocationReason;
+}
+
+/**
+ * Implements certinfo_t.update
+ */
+static void update(private_certinfo_t *this, const private_certinfo_t *that)
+{
+ if (equals_serialNumber(this, that))
+ {
+ chunk_t this_serialNumber = this->serialNumber;
+
+ *this = *that;
+ this->serialNumber = this_serialNumber;
+ }
+}
+
+/**
+ * Implements certinfo_t.destroy
+ */
+static void destroy(private_certinfo_t *this)
+{
+ free(this->serialNumber.ptr);
+ free(this);
+}
+
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ private_certinfo_t *this = *((private_certinfo_t**)(args[0]));
+ bool utc = TRUE;
+ int written = 0;
+ time_t now;
+
+ if (info->alt)
+ {
+ utc = *((bool*)args[1]);
+ }
+
+ if (this == NULL)
+ {
+ return fprintf(stream, "(null)");
+ }
+
+ now = time(NULL);
+
+ written += fprintf(stream, "%#T, until %#T, ",
+ &this->thisUpdate, utc,
+ &this->nextUpdate, utc);
+ if (now > this->nextUpdate)
+ {
+ written += fprintf(stream, "expired (%V ago)\n", &now, &this->nextUpdate);
+ }
+ else
+ {
+ written += fprintf(stream, "ok (expires in %V)\n", &now, &this->nextUpdate);
+ }
+ written += fprintf(stream, " serial: %#B, %N",
+ &this->serialNumber,
+ cert_status_names, this->status);
+ return written;
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(PRINTF_CERTINFO, print, arginfo_ptr_alt_ptr_int);
+}
+
+/*
+ * Described in header.
+ */
+certinfo_t *certinfo_create(chunk_t serial)
+{
+ private_certinfo_t *this = malloc_thing(private_certinfo_t);
+
+ /* initialize */
+ this->serialNumber = chunk_clone(serial);
+ this->status = CERT_UNDEFINED;
+ this->thisUpdate = UNDEFINED_TIME;
+ this->nextUpdate = UNDEFINED_TIME;
+ this->revocationTime = UNDEFINED_TIME;
+ this->revocationReason = REASON_UNSPECIFIED;
+
+ /* public functions */
+ this->public.compare_serialNumber = (int (*) (const certinfo_t*,const certinfo_t*))compare_serialNumber;
+ this->public.equals_serialNumber = (bool (*) (const certinfo_t*,const certinfo_t*))equals_serialNumber;
+ this->public.get_serialNumber = (chunk_t (*) (const certinfo_t*))get_serialNumber;
+ this->public.set_status = (void (*) (certinfo_t*,cert_status_t))set_status;
+ this->public.get_status = (cert_status_t (*) (const certinfo_t*))get_status;
+ this->public.set_thisUpdate = (void (*) (certinfo_t*,time_t))set_thisUpdate;
+ this->public.get_thisUpdate = (time_t (*) (const certinfo_t*))get_thisUpdate;
+ this->public.set_nextUpdate = (void (*) (certinfo_t*,time_t))set_nextUpdate;
+ this->public.get_nextUpdate = (time_t (*) (const certinfo_t*))get_nextUpdate;
+ this->public.set_revocationTime = (void (*) (certinfo_t*,time_t))set_revocationTime;
+ this->public.get_revocationTime = (time_t (*) (const certinfo_t*))get_revocationTime;
+ this->public.set_revocationReason = (void (*) (certinfo_t*, crl_reason_t))set_revocationReason;
+ this->public.get_revocationReason = (crl_reason_t(*) (const certinfo_t*))get_revocationReason;
+ this->public.update = (void (*) (certinfo_t*, const certinfo_t*))update;
+ this->public.destroy = (void (*) (certinfo_t*))destroy;
+
+ return &this->public;
+}
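Review bot: `certinfo_create` never sets the `once` member of `private_certinfo_t`, so it holds whatever the allocation contained, assuming `malloc_thing` does not zero memory. Nothing in this file reads the flag, but `update()` copies the whole struct with `*this = *that`, so the indeterminate value is propagated; add `this->once = FALSE;` to the initialisation block. Separately, `cert_status_names` maps both CERT_UNKNOWN and CERT_UNDEFINED to "unknown", so a status that was never determined cannot be told apart in logs from an explicit "unknown" answer; the fourth string should read `"undefined",`. The `print` handler also reports "expired" when `nextUpdate` is still UNDEFINED_TIME, a case the CRL print handler in crl.c treats separately.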
diff --git a/src/libstrongswan/crypto/certinfo.h b/src/libstrongswan/crypto/certinfo.h
new file mode 100644
index 000000000..476befda8
--- /dev/null
+++ b/src/libstrongswan/crypto/certinfo.h
@@ -0,0 +1,203 @@
+/**
+ * @file certinfo.h
+ *
+ * @brief Interface of certinfo_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CERTINFO_H_
+#define CERTINFO_H_
+
+typedef enum cert_status_t cert_status_t;
+typedef enum crl_reason_t crl_reason_t;
+typedef struct certinfo_t certinfo_t;
+
+#include <library.h>
+
+/**
+ * RFC 2560 OCSP - certificate status
+ */
+enum cert_status_t {
+ CERT_GOOD = 0,
+ CERT_REVOKED = 1,
+ CERT_UNKNOWN = 2,
+ CERT_UNDEFINED = 3,
+ CERT_UNTRUSTED = 4 /* private use */
+};
+
+extern enum_name_t *cert_status_names;
+
+/**
+ * RFC 2459 CRL reason codes
+ */
+enum crl_reason_t {
+ REASON_UNSPECIFIED = 0,
+ REASON_KEY_COMPROMISE = 1,
+ REASON_CA_COMPROMISE = 2,
+ REASON_AFFILIATION_CHANGED = 3,
+ REASON_SUPERSEDED = 4,
+ REASON_CESSATION_OF_OPERATON = 5,
+ REASON_CERTIFICATE_HOLD = 6,
+ REASON_REMOVE_FROM_CRL = 8
+};
+
+extern enum_name_t *crl_reason_names;
+
+/**
+ * @brief X.509 certificate status information
+ *
+ * @ingroup transforms
+ */
+struct certinfo_t {
+
+ /**
+ * @brief Check if both certinfo objects have the same serialNumber.
+ *
+ * @param this calling object
+ * @param that second certinfo_t object
+ * @return TRUE if the same serialNumber
+ */
+ bool (*equals_serialNumber) (const certinfo_t *this, const certinfo_t *that);
+
+ /**
+ * @brief Compares two serial numbers.
+ *
+ * @param this calling object
+ * @param that second certinfo_t object
+ * @return negative if this is smaller than that
+ * zero if this equals that
+ * positive if this is greater than that
+ */
+ int (*compare_serialNumber) (const certinfo_t *this, const certinfo_t *that);
+
+ /**
+ * @brief Get serial number.
+ *
+ * @param this calling object
+ * @return serialNumber
+ */
+ chunk_t (*get_serialNumber) (const certinfo_t *this);
+
+ /**
+ * @brief Set certificate status.
+ *
+ * @param this calling object
+ * @param status status
+ */
+ void (*set_status) (certinfo_t *this, cert_status_t status);
+
+ /**
+ * @brief Get certificate status.
+ *
+ * @param this calling object
+ * @return status
+ */
+ cert_status_t (*get_status) (const certinfo_t *this);
+
+ /**
+ * @brief Set thisUpdate.
+ *
+ * @param this calling object
+ * @param thisUpdate thisUpdate
+ */
+ void (*set_thisUpdate) (certinfo_t *this, time_t thisUpdate);
+
+ /**
+ * @brief Get thisUpdate.
+ *
+ * @param this calling object
+ * @return thisUpdate
+ */
+ time_t (*get_thisUpdate) (const certinfo_t *this);
+
+ /**
+ * @brief Set nextUpdate.
+ *
+ * @param this calling object
+ * @param nextUpdate
+ */
+ void (*set_nextUpdate) (certinfo_t *this, time_t nextUpdate);
+
+ /**
+ * @brief Get nextUpdate.
+ *
+ * @param this calling object
+ * @return nextUpdate
+ */
+ time_t (*get_nextUpdate) (const certinfo_t *this);
+
+ /**
+ * @brief Set revocationTime.
+ *
+ * @param this calling object
+ * @param revocationTime revocationTime
+ */
+ void (*set_revocationTime) (certinfo_t *this, time_t revocationTime);
+
+ /**
+ * @brief Get revocationTime.
+ *
+ * @param this calling object
+ * @return revocationTime
+ */
+ time_t (*get_revocationTime) (const certinfo_t *this);
+
+ /**
+ * @brief Set revocationReason.
+ *
+ * @param this calling object
+ * @param reason revocationReason
+ */
+ void (*set_revocationReason) (certinfo_t *this, crl_reason_t reason);
+
+ /**
+ * @brief Get revocationReason.
+ *
+ * @param this calling object
+ * @return revocationReason
+ */
+ crl_reason_t (*get_revocationReason) (const certinfo_t *this);
+
+ /**
+ * @brief Set revocationReason.
+ *
+ * @param this calling object to be updated
+ * @param that object containing updated information
+ */
+ void (*update) (certinfo_t *this, const certinfo_t *that);
+
+ /**
+ * @brief Destroys the certinfo_t object.
+ *
+ * @param this certinfo_t to destroy
+ */
+ void (*destroy) (certinfo_t *this);
+
+};
+
+/**
+ * @brief Create a certinfo_t object.
+ *
+ * @param serial chunk serial number of the certificate
+ * @return created certinfo_t object
+ *
+ * @ingroup transforms
+ */
+certinfo_t *certinfo_create(chunk_t serial);
+
+#endif /* CERTINFO_H_ */
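Review bot: The doc comment on the `update` member is a copy of the one above it ("Set revocationReason") and does not describe the function. In certinfo.c, `update` copies all status fields from `that` only when the serial numbers match, and keeps this object's own serial number. Suggested text: `@brief Update the status information from another certinfo_t with the same serialNumber; no-op if the serial numbers differ.` The enumerator `REASON_CESSATION_OF_OPERATON` is misspelled (`OPERATION`), which is cheapest to correct in a new header before callers depend on it. The gap at value 7 in `crl_reason_t` deserves a one-line comment, since `crl_reason_names` fills it with "reason #7".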
diff --git a/src/libstrongswan/crypto/crl.c b/src/libstrongswan/crypto/crl.c
new file mode 100755
index 000000000..00d6a3ac3
--- /dev/null
+++ b/src/libstrongswan/crypto/crl.c
@@ -0,0 +1,533 @@
+/**
+ * @file crl.c
+ *
+ * @brief Implementation of crl_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/stat.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+
+#include <library.h>
+#include <debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/pem.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+
+#include "certinfo.h"
+#include "x509.h"
+#include "crl.h"
+
+#define CRL_WARNING_INTERVAL 7 /* days */
+
+extern char* check_expiry(time_t expiration_date, int warning_interval, bool strict);
+extern time_t parse_time(chunk_t blob, int level0);
+extern void parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID, chunk_t *authKeySerialNumber);
+
+/* access structure for a revoked certificate */
+
+typedef struct revokedCert_t revokedCert_t;
+
+struct revokedCert_t {
+ chunk_t userCertificate;
+ time_t revocationDate;
+ crl_reason_t revocationReason;
+};
+
+typedef struct private_crl_t private_crl_t;
+
+/**
+ * Private data of a crl_t object.
+ */
+struct private_crl_t {
+ /**
+ * Public interface for this crl.
+ */
+ crl_t public;
+
+ /**
+ * Time when crl was installed
+ */
+ time_t installed;
+
+ /**
+ * List of crlDistributionPoints
+ */
+ linked_list_t *crlDistributionPoints;
+
+ /**
+ * X.509 crl in DER format
+ */
+ chunk_t certificateList;
+
+ /**
+ * X.509 crl body over which signature is computed
+ */
+ chunk_t tbsCertList;
+
+ /**
+ * Version of the X.509 crl
+ */
+ u_int version;
+
+ /**
+ * Signature algorithm
+ */
+ int sigAlg;
+
+ /**
+ * ID representing the crl issuer
+ */
+ identification_t *issuer;
+
+ /**
+ * Time when the crl was generated
+ */
+ time_t thisUpdate;
+
+ /**
+ * Time when an update crl will be available
+ */
+ time_t nextUpdate;
+
+ /**
+ * List of identification_t's representing subjectAltNames
+ */
+ linked_list_t *revokedCertificates;
+
+ /**
+ * Authority Key Identifier
+ */
+ chunk_t authKeyID;
+
+ /**
+ * Authority Key Serial Number
+ */
+ chunk_t authKeySerialNumber;
+
+ /**
+ * Signature algorithm (must be identical to sigAlg)
+ */
+ int algorithm;
+
+ /**
+ * Signature
+ */
+ chunk_t signature;
+};
+
+/**
+ * ASN.1 definition of an X.509 certificate revocation list
+ */
+static const asn1Object_t crlObjects[] = {
+ { 0, "certificateList", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
+ { 1, "tbsCertList", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
+ { 2, "version", ASN1_INTEGER, ASN1_OPT |
+ ASN1_BODY }, /* 2 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 3 */
+ { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 4 */
+ { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
+ { 2, "thisUpdate", ASN1_EOC, ASN1_RAW }, /* 6 */
+ { 2, "nextUpdate", ASN1_EOC, ASN1_RAW }, /* 7 */
+ { 2, "revokedCertificates", ASN1_SEQUENCE, ASN1_OPT |
+ ASN1_LOOP }, /* 8 */
+ { 3, "certList", ASN1_SEQUENCE, ASN1_NONE }, /* 9 */
+ { 4, "userCertificate", ASN1_INTEGER, ASN1_BODY }, /* 10 */
+ { 4, "revocationDate", ASN1_EOC, ASN1_RAW }, /* 11 */
+ { 4, "crlEntryExtensions", ASN1_SEQUENCE, ASN1_OPT |
+ ASN1_LOOP }, /* 12 */
+ { 5, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */
+ { 6, "extnID", ASN1_OID, ASN1_BODY }, /* 14 */
+ { 6, "critical", ASN1_BOOLEAN, ASN1_DEF |
+ ASN1_BODY }, /* 15 */
+ { 6, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 16 */
+ { 4, "end opt or loop", ASN1_EOC, ASN1_END }, /* 17 */
+ { 2, "end opt or loop", ASN1_EOC, ASN1_END }, /* 18 */
+ { 2, "optional extensions", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 19 */
+ { 3, "crlExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 20 */
+ { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 21 */
+ { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 22 */
+ { 5, "critical", ASN1_BOOLEAN, ASN1_DEF |
+ ASN1_BODY }, /* 23 */
+ { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 24 */
+ { 3, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
+ { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 27 */
+ { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY } /* 28 */
+ };
+
+#define CRL_OBJ_CERTIFICATE_LIST 0
+#define CRL_OBJ_TBS_CERT_LIST 1
+#define CRL_OBJ_VERSION 2
+#define CRL_OBJ_SIG_ALG 4
+#define CRL_OBJ_ISSUER 5
+#define CRL_OBJ_THIS_UPDATE 6
+#define CRL_OBJ_NEXT_UPDATE 7
+#define CRL_OBJ_USER_CERTIFICATE 10
+#define CRL_OBJ_REVOCATION_DATE 11
+#define CRL_OBJ_CRL_ENTRY_EXTN_ID 14
+#define CRL_OBJ_CRL_ENTRY_CRITICAL 15
+#define CRL_OBJ_CRL_ENTRY_EXTN_VALUE 16
+#define CRL_OBJ_EXTN_ID 22
+#define CRL_OBJ_CRITICAL 23
+#define CRL_OBJ_EXTN_VALUE 24
+#define CRL_OBJ_ALGORITHM 27
+#define CRL_OBJ_SIGNATURE 28
+#define CRL_OBJ_ROOF 29
+
+/**
+ * Parses a CRL revocation reason code
+ */
+static crl_reason_t parse_crl_reasonCode(chunk_t object)
+{
+ crl_reason_t reason = REASON_UNSPECIFIED;
+
+ if (*object.ptr == ASN1_ENUMERATED && asn1_length(&object) == 1)
+ {
+ reason = *object.ptr;
+ }
+ DBG2(" '%N'", crl_reason_names, reason);
+
+ return reason;
+}
+
+/**
+ * Parses an X.509 Certificate Revocation List (CRL)
+ */
+bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl)
+{
+ asn1_ctx_t ctx;
+ bool critical;
+ chunk_t extnID;
+ chunk_t userCertificate = chunk_empty;
+ revokedCert_t *revokedCert = NULL;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+
+ while (objectID < CRL_OBJ_ROOF)
+ {
+ if (!extract_object(crlObjects, &objectID, &object, &level, &ctx))
+ return FALSE;
+
+ /* those objects which will parsed further need the next higher level */
+ level++;
+
+ switch (objectID)
+ {
+ case CRL_OBJ_CERTIFICATE_LIST:
+ crl->certificateList = object;
+ break;
+ case CRL_OBJ_TBS_CERT_LIST:
+ crl->tbsCertList = object;
+ break;
+ case CRL_OBJ_VERSION:
+ crl->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
+ DBG2(" v%d", crl->version);
+ break;
+ case CRL_OBJ_SIG_ALG:
+ crl->sigAlg = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case CRL_OBJ_ISSUER:
+ crl->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
+ DBG2(" '%D'", crl->issuer);
+ break;
+ case CRL_OBJ_THIS_UPDATE:
+ crl->thisUpdate = parse_time(object, level);
+ break;
+ case CRL_OBJ_NEXT_UPDATE:
+ crl->nextUpdate = parse_time(object, level);
+ break;
+ case CRL_OBJ_USER_CERTIFICATE:
+ userCertificate = object;
+ break;
+ case CRL_OBJ_REVOCATION_DATE:
+ revokedCert = malloc_thing(revokedCert_t);
+ revokedCert->userCertificate = userCertificate;
+ revokedCert->revocationDate = parse_time(object, level);
+ revokedCert->revocationReason = REASON_UNSPECIFIED;
+ crl->revokedCertificates->insert_last(crl->revokedCertificates, (void *)revokedCert);
+ break;
+ case CRL_OBJ_CRL_ENTRY_EXTN_ID:
+ case CRL_OBJ_EXTN_ID:
+ extnID = object;
+ break;
+ case CRL_OBJ_CRL_ENTRY_CRITICAL:
+ case CRL_OBJ_CRITICAL:
+ critical = object.len && *object.ptr;
+ DBG2(" %s",(critical)?"TRUE":"FALSE");
+ break;
+ case CRL_OBJ_CRL_ENTRY_EXTN_VALUE:
+ case CRL_OBJ_EXTN_VALUE:
+ {
+ int extn_oid = known_oid(extnID);
+
+ if (revokedCert && extn_oid == OID_CRL_REASON_CODE)
+ {
+ revokedCert->revocationReason = parse_crl_reasonCode(object);
+ }
+ else if (extn_oid == OID_AUTHORITY_KEY_ID)
+ {
+ parse_authorityKeyIdentifier(object, level, &crl->authKeyID, &crl->authKeySerialNumber);
+ }
+ }
+ break;
+ case CRL_OBJ_ALGORITHM:
+ crl->algorithm = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case CRL_OBJ_SIGNATURE:
+ crl->signature = object;
+ break;
+ default:
+ break;
+ }
+ objectID++;
+ }
+ time(&crl->installed);
+ return TRUE;
+}
+
+/**
+ * Implements crl_t.is_valid
+ */
+static bool is_valid(const private_crl_t *this)
+{
+ time_t current_time = time(NULL);
+
+ DBG2(" this update : %T", &this->thisUpdate);
+ DBG2(" current time: %T", &current_time);
+ DBG2(" next update: %T", &this->nextUpdate);
+
+ return current_time < this->nextUpdate;
+}
+
+/**
+ * Implements crl_t.get_issuer
+ */
+static identification_t *get_issuer(const private_crl_t *this)
+{
+ return this->issuer;
+}
+
+/**
+ * Implements crl_t.equals_issuer
+ */
+static bool equals_issuer(const private_crl_t *this, const private_crl_t *other)
+{
+ return (this->authKeyID.ptr)
+ ? chunk_equals(this->authKeyID, other->authKeyID)
+ : (this->issuer->equals(this->issuer, other->issuer)
+ && chunk_equals_or_null(this->authKeySerialNumber, other->authKeySerialNumber));
+}
+
+/**
+ * Implements crl_t.is_issuer
+ */
+static bool is_issuer(const private_crl_t *this, const x509_t *issuer)
+{
+ return (this->authKeyID.ptr)
+ ? chunk_equals(this->authKeyID, issuer->get_subjectKeyID(issuer))
+ : (this->issuer->equals(this->issuer, issuer->get_subject(issuer))
+ && chunk_equals_or_null(this->authKeySerialNumber, issuer->get_serialNumber(issuer)));
+}
+
+/**
+ * Implements crl_t.is_newer
+ */
+static bool is_newer(const private_crl_t *this, const private_crl_t *other)
+{
+ return (this->nextUpdate > other->nextUpdate);
+}
+
+/**
+ * Implements crl_t.verify
+ */
+static bool verify(const private_crl_t *this, const rsa_public_key_t *signer)
+{
+ return signer->verify_emsa_pkcs1_signature(signer, this->tbsCertList, this->signature) == SUCCESS;
+}
+
+/**
+ * Implements crl_t.get_status
+ */
+static void get_status(const private_crl_t *this, certinfo_t *certinfo)
+{
+ chunk_t serialNumber = certinfo->get_serialNumber(certinfo);
+ iterator_t *iterator;
+ revokedCert_t *revokedCert;
+
+ certinfo->set_nextUpdate(certinfo, this->nextUpdate);
+ certinfo->set_status(certinfo, CERT_GOOD);
+
+ iterator = this->revokedCertificates->create_iterator(this->revokedCertificates, TRUE);
+ while (iterator->iterate(iterator, (void**)&revokedCert))
+ {
+ if (chunk_equals(serialNumber, revokedCert->userCertificate))
+ {
+ certinfo->set_status(certinfo, CERT_REVOKED);
+ certinfo->set_revocationTime(certinfo, revokedCert->revocationDate);
+ certinfo->set_revocationReason(certinfo, revokedCert->revocationReason);
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implements crl_t.write_to_file.
+ */
+static bool write_to_file(private_crl_t *this, const char *path, mode_t mask, bool force)
+{
+ return chunk_write(this->certificateList, path, "crl", mask, force);
+}
+
+/**
+ * Implements crl_t.destroy
+ */
+static void destroy(private_crl_t *this)
+{
+ this->revokedCertificates->destroy_function(this->revokedCertificates, free);
+ this->crlDistributionPoints->destroy_offset(this->crlDistributionPoints,
+ offsetof(identification_t, destroy));
+ DESTROY_IF(this->issuer);
+ free(this->certificateList.ptr);
+ free(this);
+}
+
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ private_crl_t *this = *((private_crl_t**)(args[0]));
+ bool utc = TRUE;
+ int written = 0;
+ time_t now;
+
+ if (info->alt)
+ {
+ utc = *((bool*)args[1]);
+ }
+
+ if (this == NULL)
+ {
+ return fprintf(stream, "(null)");
+ }
+
+ now = time(NULL);
+
+ written += fprintf(stream, "%#T, revoked certs: %d\n", &this->installed, utc,
+ this->revokedCertificates->get_count(this->revokedCertificates));
+ written += fprintf(stream, " issuer: '%D'\n", this->issuer);
+ written += fprintf(stream, " updates: this %#T\n", &this->thisUpdate, utc);
+ written += fprintf(stream, " next %#T ", &this->nextUpdate, utc);
+ if (this->nextUpdate == UNDEFINED_TIME)
+ {
+ written += fprintf(stream, "ok (expires never)");
+ }
+ else if (now > this->nextUpdate)
+ {
+ written += fprintf(stream, "expired (%V ago)", &now, &this->nextUpdate);
+ }
+ else if (now > this->nextUpdate - CRL_WARNING_INTERVAL * 60 * 60 * 24)
+ {
+ written += fprintf(stream, "ok (expires in %V)", &now, &this->nextUpdate);
+ }
+ else
+ {
+ written += fprintf(stream, "ok");
+ }
+ if (this->authKeyID.ptr)
+ {
+ written += fprintf(stream, "\n authkey: %#B", &this->authKeyID);
+ }
+ if (this->authKeySerialNumber.ptr)
+ {
+ written += fprintf(stream, "\n aserial: %#B", &this->authKeySerialNumber);
+ }
+ return written;
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(PRINTF_CRL, print, arginfo_ptr_alt_ptr_int);
+}
+
+/*
+ * Described in header.
+ */
+crl_t *crl_create_from_chunk(chunk_t chunk)
+{
+ private_crl_t *this = malloc_thing(private_crl_t);
+
+ /* initialize */
+ this->crlDistributionPoints = linked_list_create();
+ this->tbsCertList = chunk_empty;
+ this->issuer = NULL;
+ this->revokedCertificates = linked_list_create();
+ this->authKeyID = chunk_empty;
+ this->authKeySerialNumber = chunk_empty;
+
+ /* public functions */
+ this->public.get_issuer = (identification_t* (*) (const crl_t*))get_issuer;
+ this->public.equals_issuer = (bool (*) (const crl_t*,const crl_t*))equals_issuer;
+ this->public.is_issuer = (bool (*) (const crl_t*,const x509_t*))is_issuer;
+ this->public.is_valid = (bool (*) (const crl_t*))is_valid;
+ this->public.is_newer = (bool (*) (const crl_t*,const crl_t*))is_newer;
+ this->public.verify = (bool (*) (const crl_t*,const rsa_public_key_t*))verify;
+ this->public.get_status = (void (*) (const crl_t*,certinfo_t*))get_status;
+ this->public.write_to_file = (bool (*) (const crl_t*,const char*,mode_t,bool))write_to_file;
+ this->public.destroy = (void (*) (crl_t*))destroy;
+
+ if (!parse_x509crl(chunk, 0, this))
+ {
+ destroy(this);
+ return NULL;
+ }
+
+ return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+crl_t *crl_create_from_file(const char *filename)
+{
+ bool pgp = FALSE;
+ chunk_t chunk = chunk_empty;
+ crl_t *crl = NULL;
+
+ if (!pem_asn1_load_file(filename, NULL, "crl", &chunk, &pgp))
+ return NULL;
+
+ crl = crl_create_from_chunk(chunk);
+
+ if (crl == NULL)
+ free(chunk.ptr);
+ return crl;
+}
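Review bot: The failure path of `crl_create_from_chunk` frees memory it does not safely own: `certificateList` is not among the members initialised before `parse_x509crl` runs, yet `destroy(this)` calls `free(this->certificateList.ptr)`. If parsing fails before CRL_OBJ_CERTIFICATE_LIST is stored, the pointer is indeterminate. If it fails later, the pointer refers into the caller's `chunk` (presumably its start), which `crl_create_from_file` frees again with `free(chunk.ptr)` when `crl == NULL`. Since CRLs are parsed from external input, add `this->certificateList = chunk_empty;` to the initialisation block and repeat that assignment immediately before `destroy(this)` in the failure branch, so the buffer stays owned by the caller on error. `parse_crl_reasonCode` also reads `*object.ptr` without checking `object.len` and stores the byte unvalidated as a `crl_reason_t`; a length check and a range check against REASON_REMOVE_FROM_CRL would be worth adding.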
diff --git a/src/libstrongswan/crypto/crl.h b/src/libstrongswan/crypto/crl.h
new file mode 100755
index 000000000..8a11fc390
--- /dev/null
+++ b/src/libstrongswan/crypto/crl.h
@@ -0,0 +1,147 @@
+/**
+ * @file crl.h
+ *
+ * @brief Interface of crl_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CRL_H_
+#define CRL_H_
+
+typedef struct crl_t crl_t;
+
+#include <library.h>
+#include <crypto/rsa/rsa_public_key.h>
+#include <crypto/certinfo.h>
+#include <utils/identification.h>
+#include <utils/iterator.h>
+
+/**
+ * @brief X.509 certificate revocation list
+ *
+ * @b Constructors:
+ * - crl_create_from_chunk()
+ * - crl_create_from_file()
+ *
+ * @ingroup transforms
+ */
+struct crl_t {
+
+ /**
+ * @brief Get the crl's issuer ID.
+ *
+ * The resulting ID is always a identification_t
+ * of type ID_DER_ASN1_DN.
+ *
+ * @param this calling object
+ * @return issuers ID
+ */
+ identification_t *(*get_issuer) (const crl_t *this);
+
+ /**
+ * @brief Check if both crls have the same issuer.
+ *
+ * @param this calling object
+ * @param other other crl
+ * @return TRUE if the same issuer
+ */
+ bool (*equals_issuer) (const crl_t *this, const crl_t *other);
+
+ /**
+ * @brief Check if ia candidate cert is the issuer of the crl
+ *
+ * @param this calling object
+ * @param issuer candidate issuer of the crl
+ * @return TRUE if issuer
+ */
+ bool (*is_issuer) (const crl_t *this, const x509_t *issuer);
+
+ /**
+ * @brief Checks the validity interval of the crl
+ *
+ * @param this calling object
+ * @return TRUE if the crl is valid
+ */
+ bool (*is_valid) (const crl_t *this);
+
+ /**
+ * @brief Checks if this crl is newer (thisUpdate) than the other crl
+ *
+ * @param this calling object
+ * @param other other crl object
+ * @return TRUE if this was issued more recently than other
+ */
+ bool (*is_newer) (const crl_t *this, const crl_t *other);
+
+ /**
+ * @brief Check if a crl is trustworthy.
+ *
+ * @param this calling object
+ * @param signer signer's RSA public key
+ * @return TRUE if crl is trustworthy
+ */
+ bool (*verify) (const crl_t *this, const rsa_public_key_t *signer);
+
+ /**
+ * @brief Get the certificate status
+ *
+ * @param this calling object
+ * @param certinfo certinfo is updated
+ */
+ void (*get_status) (const crl_t *this, certinfo_t *certinfo);
+
+ /**
+ * @brief Write a der-encoded crl to a file
+ *
+ * @param this calling object
+ * @param path path where the file is to be stored
+ * @param mask file access control rights
+ * @param force overwrite the file if it already exists
+ * @return TRUE if successfully written
+ */
+ bool (*write_to_file) (const crl_t *this, const char *path, mode_t mask, bool force);
+
+ /**
+ * @brief Destroys the crl.
+ *
+ * @param this crl to destroy
+ */
+ void (*destroy) (crl_t *this);
+};
+
+/**
+ * @brief Read a x509 crl from a DER encoded blob.
+ *
+ * @param chunk chunk containing DER encoded data
+ * @return created crl_t, or NULL if invalid.
+ *
+ * @ingroup transforms
+ */
+crl_t *crl_create_from_chunk(chunk_t chunk);
+
+/**
+ * @brief Read a x509 crl from a DER encoded file.
+ *
+ * @param filename file containing DER encoded data
+ * @return created crl_t, or NULL if invalid.
+ *
+ * @ingroup transforms
+ */
+crl_t *crl_create_from_file(const char *filename);
+
+#endif /* CRL_H_ */
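Review bot: The doc comment on `crl_create_from_chunk()` does not say who owns `chunk` after the call. In crl.c from this same commit, `crl_create_from_file()` frees `chunk.ptr` only when the constructor returns NULL, which suggests the crl keeps the buffer on success and the caller must release it on failure. I would state that contract in the header, e.g. `@param chunk DER encoded data, owned by the crl on success; the caller still owns it if NULL is returned`, so callers neither leak the buffer nor free it twice. The `verify` comment ("Check if a crl is trustworthy") could also be narrowed to something like `@return TRUE if the crl signature verifies with signer's key`, because issuer matching and the validity interval are exposed as the separate `is_issuer` and `is_valid` calls. That reading is inferred from the interface, as the `verify` implementation is outside this hunk.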
diff --git a/src/libstrongswan/crypto/crypters/aes_cbc_crypter.c b/src/libstrongswan/crypto/crypters/aes_cbc_crypter.c
new file mode 100644
index 000000000..947188af3
--- /dev/null
+++ b/src/libstrongswan/crypto/crypters/aes_cbc_crypter.c
@@ -0,0 +1,1620 @@
+/**
+ * @file aes_cbc_crypter.c
+ *
+ * @brief Implementation of aes_cbc_crypter_t
+ *
+ */
+
+ /*
+ * Copyright (C) 2001 Dr B. R. Gladman <brg@gladman.uk.net>
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "aes_cbc_crypter.h"
+
+
+
+/*
+ * The number of key schedule words for different block and key lengths
+ * allowing for method of computation which requires the length to be a
+ * multiple of the key length. This version of AES implementation supports
+ * all three keylengths 16, 24 and 32 bytes!
+ *
+ * Nk = 4 6 8
+ * -------------
+ * Nb = 4 | 60 60 64
+ * 6 | 96 90 96
+ * 8 | 120 120 120
+ */
+#define AES_KS_LENGTH 120
+#define AES_RC_LENGTH 29
+
+#define AES_BLOCK_SIZE 16
+
+typedef struct private_aes_cbc_crypter_t private_aes_cbc_crypter_t;
+
+/**
+ * @brief Class implementing the AES symmetric encryption algorithm.
+ *
+ * @ingroup crypters
+ */
+struct private_aes_cbc_crypter_t {
+
+ /**
+ * Public part of this class.
+ */
+ aes_cbc_crypter_t public;
+
+ /**
+ * Number of words in the key input block.
+ */
+ u_int32_t aes_Nkey;
+
+ /**
+ * The number of cipher rounds.
+ */
+ u_int32_t aes_Nrnd;
+
+ /**
+ * The encryption key schedule.
+ */
+ u_int32_t aes_e_key[AES_KS_LENGTH];
+
+ /**
+ * The decryption key schedule.
+ */
+ u_int32_t aes_d_key[AES_KS_LENGTH];
+
+ /**
+ * Key size of this AES cypher object.
+ */
+ u_int32_t key_size;
+
+ /**
+ * Decrypts a block.
+ *
+ * No memory gets allocated.
+ *
+ * @param this calling object
+ * @param[in] in_blk block to decrypt
+ * @param[out] out_blk decrypted data are written to this location
+ */
+ void (*decrypt_block) (const private_aes_cbc_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[]);
+
+ /**
+ * Encrypts a block.
+ *
+ * No memory gets allocated.
+ *
+ * @param this calling object
+ * @param[in] in_blk block to encrypt
+ * @param[out] out_blk encrypted data are written to this location
+ */
+ void (*encrypt_block) (const private_aes_cbc_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[]);
+};
+
+
+/* ugly macro stuff */
+
+/* 1. Define UNROLL for full loop unrolling in encryption and decryption.
+ * 2. Define PARTIAL_UNROLL to unroll two loops in encryption and decryption.
+ * 3. Define FIXED_TABLES for compiled rather than dynamic tables.
+ * 4. Define FF_TABLES to use tables for field multiplies and inverses.
+ * Do not enable this without understanding stack space requirements.
+ * 5. Define ARRAYS to use arrays to hold the local state block. If this
+ * is not defined, individually declared 32-bit words are used.
+ * 6. Define FAST_VARIABLE if a high speed variable block implementation
+ * is needed (essentially three separate fixed block size code sequences)
+ * 7. Define either ONE_TABLE or FOUR_TABLES for a fast table driven
+ * version using 1 table (2 kbytes of table space) or 4 tables (8
+ * kbytes of table space) for higher speed.
+ * 8. Define either ONE_LR_TABLE or FOUR_LR_TABLES for a further speed
+ * increase by using tables for the last rounds but with more table
+ * space (2 or 8 kbytes extra).
+ * 9. If neither ONE_TABLE nor FOUR_TABLES is defined, a compact but
+ * slower version is provided.
+ * 10. If fast decryption key scheduling is needed define ONE_IM_TABLE
+ * or FOUR_IM_TABLES for higher speed (2 or 8 kbytes extra).
+ */
+
+#define UNROLL
+//#define PARTIAL_UNROLL
+
+#define FIXED_TABLES
+//#define FF_TABLES
+//#define ARRAYS
+#define FAST_VARIABLE
+
+//#define ONE_TABLE
+#define FOUR_TABLES
+
+//#define ONE_LR_TABLE
+#define FOUR_LR_TABLES
+
+//#define ONE_IM_TABLE
+#define FOUR_IM_TABLES
+
+#if defined(UNROLL) && defined (PARTIAL_UNROLL)
+#error both UNROLL and PARTIAL_UNROLL are defined
+#endif
+
+#if defined(ONE_TABLE) && defined (FOUR_TABLES)
+#error both ONE_TABLE and FOUR_TABLES are defined
+#endif
+
+#if defined(ONE_LR_TABLE) && defined (FOUR_LR_TABLES)
+#error both ONE_LR_TABLE and FOUR_LR_TABLES are defined
+#endif
+
+#if defined(ONE_IM_TABLE) && defined (FOUR_IM_TABLES)
+#error both ONE_IM_TABLE and FOUR_IM_TABLES are defined
+#endif
+
+#if defined(AES_BLOCK_SIZE) && AES_BLOCK_SIZE != 16 && AES_BLOCK_SIZE != 24 && AES_BLOCK_SIZE != 32
+#error an illegal block size has been specified
+#endif
+
+/**
+ * Rotates bytes within words by n positions, moving bytes
+ * to higher index positions with wrap around into low positions.
+ */
+#define upr(x,n) (((x) << 8 * (n)) | ((x) >> (32 - 8 * (n))))
+/**
+ * Moves bytes by n positions to higher index positions in
+ * words but without wrap around.
+ */
+#define ups(x,n) ((x) << 8 * (n))
+
+/**
+ * Extracts a byte from a word.
+ */
+#define bval(x,n) ((unsigned char)((x) >> 8 * (n)))
+#define bytes2word(b0, b1, b2, b3) \
+ ((u_int32_t)(b3) << 24 | (u_int32_t)(b2) << 16 | (u_int32_t)(b1) << 8 | (b0))
+
+
+/* little endian processor without data alignment restrictions: AES_LE_OK */
+/* original code: i386 */
+#if defined(i386) || defined(_I386) || defined(__i386__) || defined(__i386)
+#define AES_LE_OK 1
+/* added (tested): alpha --jjo */
+#elif defined(__alpha__)|| defined (__alpha)
+#define AES_LE_OK 1
+/* added (tested): ia64 --jjo */
+#elif defined(__ia64__)|| defined (__ia64)
+#define AES_LE_OK 1
+#endif
+
+#ifdef AES_LE_OK
+/* little endian processor without data alignment restrictions */
+#define word_in(x) *(u_int32_t*)(x)
+#define const_word_in(x) *(const u_int32_t*)(x)
+#define word_out(x,v) *(u_int32_t*)(x) = (v)
+#define const_word_out(x,v) *(const u_int32_t*)(x) = (v)
+#else
+/* slower but generic big endian or with data alignment restrictions */
+/* some additional "const" touches to stop "gcc -Wcast-qual" complains --jjo */
+#define word_in(x) ((u_int32_t)(((unsigned char *)(x))[0])|((u_int32_t)(((unsigned char *)(x))[1])<<8)|((u_int32_t)(((unsigned char *)(x))[2])<<16)|((u_int32_t)(((unsigned char *)(x))[3])<<24))
+#define const_word_in(x) ((const u_int32_t)(((const unsigned char *)(x))[0])|((const u_int32_t)(((const unsigned char *)(x))[1])<<8)|((const u_int32_t)(((const unsigned char *)(x))[2])<<16)|((const u_int32_t)(((const unsigned char *)(x))[3])<<24))
+#define word_out(x,v) ((unsigned char *)(x))[0]=(v),((unsigned char *)(x))[1]=((v)>>8),((unsigned char *)(x))[2]=((v)>>16),((unsigned char *)(x))[3]=((v)>>24)
+#define const_word_out(x,v) ((const unsigned char *)(x))[0]=(v),((const unsigned char *)(x))[1]=((v)>>8),((const unsigned char *)(x))[2]=((v)>>16),((const unsigned char *)(x))[3]=((v)>>24)
+#endif
+
+// Disable at least some poor combinations of options
+
+#if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
+#define FIXED_TABLES
+#undef UNROLL
+#undef ONE_LR_TABLE
+#undef FOUR_LR_TABLES
+#undef ONE_IM_TABLE
+#undef FOUR_IM_TABLES
+#elif !defined(FOUR_TABLES)
+#ifdef FOUR_LR_TABLES
+#undef FOUR_LR_TABLES
+#define ONE_LR_TABLE
+#endif
+#ifdef FOUR_IM_TABLES
+#undef FOUR_IM_TABLES
+#define ONE_IM_TABLE
+#endif
+#elif !defined(AES_BLOCK_SIZE)
+#if defined(UNROLL)
+#define PARTIAL_UNROLL
+#undef UNROLL
+#endif
+#endif
+
+// the finite field modular polynomial and elements
+
+#define ff_poly 0x011b
+#define ff_hi 0x80
+
+// multiply four bytes in GF(2^8) by 'x' {02} in parallel
+
+#define m1 0x80808080
+#define m2 0x7f7f7f7f
+#define m3 0x0000001b
+#define FFmulX(x) ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * m3))
+
+// The following defines provide alternative definitions of FFmulX that might
+// give improved performance if a fast 32-bit multiply is not available. Note
+// that a temporary variable u needs to be defined where FFmulX is used.
+
+// #define FFmulX(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ ((u >> 3) | (u >> 6))
+// #define m4 0x1b1b1b1b
+// #define FFmulX(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) & m4)
+
+// perform column mix operation on four bytes in parallel
+
+#define fwd_mcol(x) (f2 = FFmulX(x), f2 ^ upr(x ^ f2,3) ^ upr(x,2) ^ upr(x,1))
+
+#if defined(FIXED_TABLES)
+
+// the S-Box table
+
+static const unsigned char s_box[256] =
+{
+ 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
+ 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
+ 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
+ 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
+ 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
+ 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
+ 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
+ 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
+ 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
+ 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
+ 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
+ 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
+ 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
+ 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
+ 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
+ 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
+ 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
+ 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
+ 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
+ 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
+ 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
+ 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
+ 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
+ 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
+ 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
+ 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
+ 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
+ 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
+ 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
+ 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
+ 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
+ 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
+};
+
+// the inverse S-Box table
+
+static const unsigned char inv_s_box[256] =
+{
+ 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
+ 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
+ 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
+ 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
+ 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
+ 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
+ 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
+ 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
+ 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
+ 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
+ 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
+ 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
+ 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
+ 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
+ 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
+ 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
+ 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
+ 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
+ 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
+ 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
+ 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
+ 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
+ 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
+ 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
+ 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
+ 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
+ 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
+ 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
+ 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
+ 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
+ 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
+ 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
+};
+
+#define w0(p) 0x000000##p
+
+// Number of elements required in this table for different
+// block and key lengths is:
+//
+// Nk = 4 6 8
+// ----------
+// Nb = 4 | 10 8 7
+// 6 | 19 12 11
+// 8 | 29 19 14
+//
+// this table can be a table of bytes if the key schedule
+// code is adjusted accordingly
+
+static const u_int32_t rcon_tab[29] =
+{
+ w0(01), w0(02), w0(04), w0(08),
+ w0(10), w0(20), w0(40), w0(80),
+ w0(1b), w0(36), w0(6c), w0(d8),
+ w0(ab), w0(4d), w0(9a), w0(2f),
+ w0(5e), w0(bc), w0(63), w0(c6),
+ w0(97), w0(35), w0(6a), w0(d4),
+ w0(b3), w0(7d), w0(fa), w0(ef),
+ w0(c5)
+};
+
+#undef w0
+
+#define r0(p,q,r,s) 0x##p##q##r##s
+#define r1(p,q,r,s) 0x##q##r##s##p
+#define r2(p,q,r,s) 0x##r##s##p##q
+#define r3(p,q,r,s) 0x##s##p##q##r
+#define w0(p) 0x000000##p
+#define w1(p) 0x0000##p##00
+#define w2(p) 0x00##p##0000
+#define w3(p) 0x##p##000000
+
+#if defined(FIXED_TABLES) && (defined(ONE_TABLE) || defined(FOUR_TABLES))
+
+// data for forward tables (other than last round)
+
+#define f_table \
+ r(a5,63,63,c6), r(84,7c,7c,f8), r(99,77,77,ee), r(8d,7b,7b,f6),\
+ r(0d,f2,f2,ff), r(bd,6b,6b,d6), r(b1,6f,6f,de), r(54,c5,c5,91),\
+ r(50,30,30,60), r(03,01,01,02), r(a9,67,67,ce), r(7d,2b,2b,56),\
+ r(19,fe,fe,e7), r(62,d7,d7,b5), r(e6,ab,ab,4d), r(9a,76,76,ec),\
+ r(45,ca,ca,8f), r(9d,82,82,1f), r(40,c9,c9,89), r(87,7d,7d,fa),\
+ r(15,fa,fa,ef), r(eb,59,59,b2), r(c9,47,47,8e), r(0b,f0,f0,fb),\
+ r(ec,ad,ad,41), r(67,d4,d4,b3), r(fd,a2,a2,5f), r(ea,af,af,45),\
+ r(bf,9c,9c,23), r(f7,a4,a4,53), r(96,72,72,e4), r(5b,c0,c0,9b),\
+ r(c2,b7,b7,75), r(1c,fd,fd,e1), r(ae,93,93,3d), r(6a,26,26,4c),\
+ r(5a,36,36,6c), r(41,3f,3f,7e), r(02,f7,f7,f5), r(4f,cc,cc,83),\
+ r(5c,34,34,68), r(f4,a5,a5,51), r(34,e5,e5,d1), r(08,f1,f1,f9),\
+ r(93,71,71,e2), r(73,d8,d8,ab), r(53,31,31,62), r(3f,15,15,2a),\
+ r(0c,04,04,08), r(52,c7,c7,95), r(65,23,23,46), r(5e,c3,c3,9d),\
+ r(28,18,18,30), r(a1,96,96,37), r(0f,05,05,0a), r(b5,9a,9a,2f),\
+ r(09,07,07,0e), r(36,12,12,24), r(9b,80,80,1b), r(3d,e2,e2,df),\
+ r(26,eb,eb,cd), r(69,27,27,4e), r(cd,b2,b2,7f), r(9f,75,75,ea),\
+ r(1b,09,09,12), r(9e,83,83,1d), r(74,2c,2c,58), r(2e,1a,1a,34),\
+ r(2d,1b,1b,36), r(b2,6e,6e,dc), r(ee,5a,5a,b4), r(fb,a0,a0,5b),\
+ r(f6,52,52,a4), r(4d,3b,3b,76), r(61,d6,d6,b7), r(ce,b3,b3,7d),\
+ r(7b,29,29,52), r(3e,e3,e3,dd), r(71,2f,2f,5e), r(97,84,84,13),\
+ r(f5,53,53,a6), r(68,d1,d1,b9), r(00,00,00,00), r(2c,ed,ed,c1),\
+ r(60,20,20,40), r(1f,fc,fc,e3), r(c8,b1,b1,79), r(ed,5b,5b,b6),\
+ r(be,6a,6a,d4), r(46,cb,cb,8d), r(d9,be,be,67), r(4b,39,39,72),\
+ r(de,4a,4a,94), r(d4,4c,4c,98), r(e8,58,58,b0), r(4a,cf,cf,85),\
+ r(6b,d0,d0,bb), r(2a,ef,ef,c5), r(e5,aa,aa,4f), r(16,fb,fb,ed),\
+ r(c5,43,43,86), r(d7,4d,4d,9a), r(55,33,33,66), r(94,85,85,11),\
+ r(cf,45,45,8a), r(10,f9,f9,e9), r(06,02,02,04), r(81,7f,7f,fe),\
+ r(f0,50,50,a0), r(44,3c,3c,78), r(ba,9f,9f,25), r(e3,a8,a8,4b),\
+ r(f3,51,51,a2), r(fe,a3,a3,5d), r(c0,40,40,80), r(8a,8f,8f,05),\
+ r(ad,92,92,3f), r(bc,9d,9d,21), r(48,38,38,70), r(04,f5,f5,f1),\
+ r(df,bc,bc,63), r(c1,b6,b6,77), r(75,da,da,af), r(63,21,21,42),\
+ r(30,10,10,20), r(1a,ff,ff,e5), r(0e,f3,f3,fd), r(6d,d2,d2,bf),\
+ r(4c,cd,cd,81), r(14,0c,0c,18), r(35,13,13,26), r(2f,ec,ec,c3),\
+ r(e1,5f,5f,be), r(a2,97,97,35), r(cc,44,44,88), r(39,17,17,2e),\
+ r(57,c4,c4,93), r(f2,a7,a7,55), r(82,7e,7e,fc), r(47,3d,3d,7a),\
+ r(ac,64,64,c8), r(e7,5d,5d,ba), r(2b,19,19,32), r(95,73,73,e6),\
+ r(a0,60,60,c0), r(98,81,81,19), r(d1,4f,4f,9e), r(7f,dc,dc,a3),\
+ r(66,22,22,44), r(7e,2a,2a,54), r(ab,90,90,3b), r(83,88,88,0b),\
+ r(ca,46,46,8c), r(29,ee,ee,c7), r(d3,b8,b8,6b), r(3c,14,14,28),\
+ r(79,de,de,a7), r(e2,5e,5e,bc), r(1d,0b,0b,16), r(76,db,db,ad),\
+ r(3b,e0,e0,db), r(56,32,32,64), r(4e,3a,3a,74), r(1e,0a,0a,14),\
+ r(db,49,49,92), r(0a,06,06,0c), r(6c,24,24,48), r(e4,5c,5c,b8),\
+ r(5d,c2,c2,9f), r(6e,d3,d3,bd), r(ef,ac,ac,43), r(a6,62,62,c4),\
+ r(a8,91,91,39), r(a4,95,95,31), r(37,e4,e4,d3), r(8b,79,79,f2),\
+ r(32,e7,e7,d5), r(43,c8,c8,8b), r(59,37,37,6e), r(b7,6d,6d,da),\
+ r(8c,8d,8d,01), r(64,d5,d5,b1), r(d2,4e,4e,9c), r(e0,a9,a9,49),\
+ r(b4,6c,6c,d8), r(fa,56,56,ac), r(07,f4,f4,f3), r(25,ea,ea,cf),\
+ r(af,65,65,ca), r(8e,7a,7a,f4), r(e9,ae,ae,47), r(18,08,08,10),\
+ r(d5,ba,ba,6f), r(88,78,78,f0), r(6f,25,25,4a), r(72,2e,2e,5c),\
+ r(24,1c,1c,38), r(f1,a6,a6,57), r(c7,b4,b4,73), r(51,c6,c6,97),\
+ r(23,e8,e8,cb), r(7c,dd,dd,a1), r(9c,74,74,e8), r(21,1f,1f,3e),\
+ r(dd,4b,4b,96), r(dc,bd,bd,61), r(86,8b,8b,0d), r(85,8a,8a,0f),\
+ r(90,70,70,e0), r(42,3e,3e,7c), r(c4,b5,b5,71), r(aa,66,66,cc),\
+ r(d8,48,48,90), r(05,03,03,06), r(01,f6,f6,f7), r(12,0e,0e,1c),\
+ r(a3,61,61,c2), r(5f,35,35,6a), r(f9,57,57,ae), r(d0,b9,b9,69),\
+ r(91,86,86,17), r(58,c1,c1,99), r(27,1d,1d,3a), r(b9,9e,9e,27),\
+ r(38,e1,e1,d9), r(13,f8,f8,eb), r(b3,98,98,2b), r(33,11,11,22),\
+ r(bb,69,69,d2), r(70,d9,d9,a9), r(89,8e,8e,07), r(a7,94,94,33),\
+ r(b6,9b,9b,2d), r(22,1e,1e,3c), r(92,87,87,15), r(20,e9,e9,c9),\
+ r(49,ce,ce,87), r(ff,55,55,aa), r(78,28,28,50), r(7a,df,df,a5),\
+ r(8f,8c,8c,03), r(f8,a1,a1,59), r(80,89,89,09), r(17,0d,0d,1a),\
+ r(da,bf,bf,65), r(31,e6,e6,d7), r(c6,42,42,84), r(b8,68,68,d0),\
+ r(c3,41,41,82), r(b0,99,99,29), r(77,2d,2d,5a), r(11,0f,0f,1e),\
+ r(cb,b0,b0,7b), r(fc,54,54,a8), r(d6,bb,bb,6d), r(3a,16,16,2c)
+
+// data for inverse tables (other than last round)
+
+#define i_table \
+ r(50,a7,f4,51), r(53,65,41,7e), r(c3,a4,17,1a), r(96,5e,27,3a),\
+ r(cb,6b,ab,3b), r(f1,45,9d,1f), r(ab,58,fa,ac), r(93,03,e3,4b),\
+ r(55,fa,30,20), r(f6,6d,76,ad), r(91,76,cc,88), r(25,4c,02,f5),\
+ r(fc,d7,e5,4f), r(d7,cb,2a,c5), r(80,44,35,26), r(8f,a3,62,b5),\
+ r(49,5a,b1,de), r(67,1b,ba,25), r(98,0e,ea,45), r(e1,c0,fe,5d),\
+ r(02,75,2f,c3), r(12,f0,4c,81), r(a3,97,46,8d), r(c6,f9,d3,6b),\
+ r(e7,5f,8f,03), r(95,9c,92,15), r(eb,7a,6d,bf), r(da,59,52,95),\
+ r(2d,83,be,d4), r(d3,21,74,58), r(29,69,e0,49), r(44,c8,c9,8e),\
+ r(6a,89,c2,75), r(78,79,8e,f4), r(6b,3e,58,99), r(dd,71,b9,27),\
+ r(b6,4f,e1,be), r(17,ad,88,f0), r(66,ac,20,c9), r(b4,3a,ce,7d),\
+ r(18,4a,df,63), r(82,31,1a,e5), r(60,33,51,97), r(45,7f,53,62),\
+ r(e0,77,64,b1), r(84,ae,6b,bb), r(1c,a0,81,fe), r(94,2b,08,f9),\
+ r(58,68,48,70), r(19,fd,45,8f), r(87,6c,de,94), r(b7,f8,7b,52),\
+ r(23,d3,73,ab), r(e2,02,4b,72), r(57,8f,1f,e3), r(2a,ab,55,66),\
+ r(07,28,eb,b2), r(03,c2,b5,2f), r(9a,7b,c5,86), r(a5,08,37,d3),\
+ r(f2,87,28,30), r(b2,a5,bf,23), r(ba,6a,03,02), r(5c,82,16,ed),\
+ r(2b,1c,cf,8a), r(92,b4,79,a7), r(f0,f2,07,f3), r(a1,e2,69,4e),\
+ r(cd,f4,da,65), r(d5,be,05,06), r(1f,62,34,d1), r(8a,fe,a6,c4),\
+ r(9d,53,2e,34), r(a0,55,f3,a2), r(32,e1,8a,05), r(75,eb,f6,a4),\
+ r(39,ec,83,0b), r(aa,ef,60,40), r(06,9f,71,5e), r(51,10,6e,bd),\
+ r(f9,8a,21,3e), r(3d,06,dd,96), r(ae,05,3e,dd), r(46,bd,e6,4d),\
+ r(b5,8d,54,91), r(05,5d,c4,71), r(6f,d4,06,04), r(ff,15,50,60),\
+ r(24,fb,98,19), r(97,e9,bd,d6), r(cc,43,40,89), r(77,9e,d9,67),\
+ r(bd,42,e8,b0), r(88,8b,89,07), r(38,5b,19,e7), r(db,ee,c8,79),\
+ r(47,0a,7c,a1), r(e9,0f,42,7c), r(c9,1e,84,f8), r(00,00,00,00),\
+ r(83,86,80,09), r(48,ed,2b,32), r(ac,70,11,1e), r(4e,72,5a,6c),\
+ r(fb,ff,0e,fd), r(56,38,85,0f), r(1e,d5,ae,3d), r(27,39,2d,36),\
+ r(64,d9,0f,0a), r(21,a6,5c,68), r(d1,54,5b,9b), r(3a,2e,36,24),\
+ r(b1,67,0a,0c), r(0f,e7,57,93), r(d2,96,ee,b4), r(9e,91,9b,1b),\
+ r(4f,c5,c0,80), r(a2,20,dc,61), r(69,4b,77,5a), r(16,1a,12,1c),\
+ r(0a,ba,93,e2), r(e5,2a,a0,c0), r(43,e0,22,3c), r(1d,17,1b,12),\
+ r(0b,0d,09,0e), r(ad,c7,8b,f2), r(b9,a8,b6,2d), r(c8,a9,1e,14),\
+ r(85,19,f1,57), r(4c,07,75,af), r(bb,dd,99,ee), r(fd,60,7f,a3),\
+ r(9f,26,01,f7), r(bc,f5,72,5c), r(c5,3b,66,44), r(34,7e,fb,5b),\
+ r(76,29,43,8b), r(dc,c6,23,cb), r(68,fc,ed,b6), r(63,f1,e4,b8),\
+ r(ca,dc,31,d7), r(10,85,63,42), r(40,22,97,13), r(20,11,c6,84),\
+ r(7d,24,4a,85), r(f8,3d,bb,d2), r(11,32,f9,ae), r(6d,a1,29,c7),\
+ r(4b,2f,9e,1d), r(f3,30,b2,dc), r(ec,52,86,0d), r(d0,e3,c1,77),\
+ r(6c,16,b3,2b), r(99,b9,70,a9), r(fa,48,94,11), r(22,64,e9,47),\
+ r(c4,8c,fc,a8), r(1a,3f,f0,a0), r(d8,2c,7d,56), r(ef,90,33,22),\
+ r(c7,4e,49,87), r(c1,d1,38,d9), r(fe,a2,ca,8c), r(36,0b,d4,98),\
+ r(cf,81,f5,a6), r(28,de,7a,a5), r(26,8e,b7,da), r(a4,bf,ad,3f),\
+ r(e4,9d,3a,2c), r(0d,92,78,50), r(9b,cc,5f,6a), r(62,46,7e,54),\
+ r(c2,13,8d,f6), r(e8,b8,d8,90), r(5e,f7,39,2e), r(f5,af,c3,82),\
+ r(be,80,5d,9f), r(7c,93,d0,69), r(a9,2d,d5,6f), r(b3,12,25,cf),\
+ r(3b,99,ac,c8), r(a7,7d,18,10), r(6e,63,9c,e8), r(7b,bb,3b,db),\
+ r(09,78,26,cd), r(f4,18,59,6e), r(01,b7,9a,ec), r(a8,9a,4f,83),\
+ r(65,6e,95,e6), r(7e,e6,ff,aa), r(08,cf,bc,21), r(e6,e8,15,ef),\
+ r(d9,9b,e7,ba), r(ce,36,6f,4a), r(d4,09,9f,ea), r(d6,7c,b0,29),\
+ r(af,b2,a4,31), r(31,23,3f,2a), r(30,94,a5,c6), r(c0,66,a2,35),\
+ r(37,bc,4e,74), r(a6,ca,82,fc), r(b0,d0,90,e0), r(15,d8,a7,33),\
+ r(4a,98,04,f1), r(f7,da,ec,41), r(0e,50,cd,7f), r(2f,f6,91,17),\
+ r(8d,d6,4d,76), r(4d,b0,ef,43), r(54,4d,aa,cc), r(df,04,96,e4),\
+ r(e3,b5,d1,9e), r(1b,88,6a,4c), r(b8,1f,2c,c1), r(7f,51,65,46),\
+ r(04,ea,5e,9d), r(5d,35,8c,01), r(73,74,87,fa), r(2e,41,0b,fb),\
+ r(5a,1d,67,b3), r(52,d2,db,92), r(33,56,10,e9), r(13,47,d6,6d),\
+ r(8c,61,d7,9a), r(7a,0c,a1,37), r(8e,14,f8,59), r(89,3c,13,eb),\
+ r(ee,27,a9,ce), r(35,c9,61,b7), r(ed,e5,1c,e1), r(3c,b1,47,7a),\
+ r(59,df,d2,9c), r(3f,73,f2,55), r(79,ce,14,18), r(bf,37,c7,73),\
+ r(ea,cd,f7,53), r(5b,aa,fd,5f), r(14,6f,3d,df), r(86,db,44,78),\
+ r(81,f3,af,ca), r(3e,c4,68,b9), r(2c,34,24,38), r(5f,40,a3,c2),\
+ r(72,c3,1d,16), r(0c,25,e2,bc), r(8b,49,3c,28), r(41,95,0d,ff),\
+ r(71,01,a8,39), r(de,b3,0c,08), r(9c,e4,b4,d8), r(90,c1,56,64),\
+ r(61,84,cb,7b), r(70,b6,32,d5), r(74,5c,6c,48), r(42,57,b8,d0)
+
+// generate the required tables in the desired endian format
+
+#undef r
+#define r r0
+
+#if defined(ONE_TABLE)
+static const u_int32_t ft_tab[256] =
+ { f_table };
+#elif defined(FOUR_TABLES)
+static const u_int32_t ft_tab[4][256] =
+{ { f_table },
+#undef r
+#define r r1
+ { f_table },
+#undef r
+#define r r2
+ { f_table },
+#undef r
+#define r r3
+ { f_table }
+};
+#endif
+
+#undef r
+#define r r0
+#if defined(ONE_TABLE)
+static const u_int32_t it_tab[256] =
+ { i_table };
+#elif defined(FOUR_TABLES)
+static const u_int32_t it_tab[4][256] =
+{ { i_table },
+#undef r
+#define r r1
+ { i_table },
+#undef r
+#define r r2
+ { i_table },
+#undef r
+#define r r3
+ { i_table }
+};
+#endif
+
+#endif
+
+#if defined(FIXED_TABLES) && (defined(ONE_LR_TABLE) || defined(FOUR_LR_TABLES))
+
+// data for inverse tables (last round)
+
+#define li_table \
+ w(52), w(09), w(6a), w(d5), w(30), w(36), w(a5), w(38),\
+ w(bf), w(40), w(a3), w(9e), w(81), w(f3), w(d7), w(fb),\
+ w(7c), w(e3), w(39), w(82), w(9b), w(2f), w(ff), w(87),\
+ w(34), w(8e), w(43), w(44), w(c4), w(de), w(e9), w(cb),\
+ w(54), w(7b), w(94), w(32), w(a6), w(c2), w(23), w(3d),\
+ w(ee), w(4c), w(95), w(0b), w(42), w(fa), w(c3), w(4e),\
+ w(08), w(2e), w(a1), w(66), w(28), w(d9), w(24), w(b2),\
+ w(76), w(5b), w(a2), w(49), w(6d), w(8b), w(d1), w(25),\
+ w(72), w(f8), w(f6), w(64), w(86), w(68), w(98), w(16),\
+ w(d4), w(a4), w(5c), w(cc), w(5d), w(65), w(b6), w(92),\
+ w(6c), w(70), w(48), w(50), w(fd), w(ed), w(b9), w(da),\
+ w(5e), w(15), w(46), w(57), w(a7), w(8d), w(9d), w(84),\
+ w(90), w(d8), w(ab), w(00), w(8c), w(bc), w(d3), w(0a),\
+ w(f7), w(e4), w(58), w(05), w(b8), w(b3), w(45), w(06),\
+ w(d0), w(2c), w(1e), w(8f), w(ca), w(3f), w(0f), w(02),\
+ w(c1), w(af), w(bd), w(03), w(01), w(13), w(8a), w(6b),\
+ w(3a), w(91), w(11), w(41), w(4f), w(67), w(dc), w(ea),\
+ w(97), w(f2), w(cf), w(ce), w(f0), w(b4), w(e6), w(73),\
+ w(96), w(ac), w(74), w(22), w(e7), w(ad), w(35), w(85),\
+ w(e2), w(f9), w(37), w(e8), w(1c), w(75), w(df), w(6e),\
+ w(47), w(f1), w(1a), w(71), w(1d), w(29), w(c5), w(89),\
+ w(6f), w(b7), w(62), w(0e), w(aa), w(18), w(be), w(1b),\
+ w(fc), w(56), w(3e), w(4b), w(c6), w(d2), w(79), w(20),\
+ w(9a), w(db), w(c0), w(fe), w(78), w(cd), w(5a), w(f4),\
+ w(1f), w(dd), w(a8), w(33), w(88), w(07), w(c7), w(31),\
+ w(b1), w(12), w(10), w(59), w(27), w(80), w(ec), w(5f),\
+ w(60), w(51), w(7f), w(a9), w(19), w(b5), w(4a), w(0d),\
+ w(2d), w(e5), w(7a), w(9f), w(93), w(c9), w(9c), w(ef),\
+ w(a0), w(e0), w(3b), w(4d), w(ae), w(2a), w(f5), w(b0),\
+ w(c8), w(eb), w(bb), w(3c), w(83), w(53), w(99), w(61),\
+ w(17), w(2b), w(04), w(7e), w(ba), w(77), w(d6), w(26),\
+ w(e1), w(69), w(14), w(63), w(55), w(21), w(0c), w(7d),
+
+// generate the required tables in the desired endian format
+
+#undef r
+#define r(p,q,r,s) w0(q)
+#if defined(ONE_LR_TABLE)
+static const u_int32_t fl_tab[256] =
+ { f_table };
+#elif defined(FOUR_LR_TABLES)
+static const u_int32_t fl_tab[4][256] =
+{ { f_table },
+#undef r
+#define r(p,q,r,s) w1(q)
+ { f_table },
+#undef r
+#define r(p,q,r,s) w2(q)
+ { f_table },
+#undef r
+#define r(p,q,r,s) w3(q)
+ { f_table }
+};
+#endif
+
+#undef w
+#define w w0
+#if defined(ONE_LR_TABLE)
+static const u_int32_t il_tab[256] =
+ { li_table };
+#elif defined(FOUR_LR_TABLES)
+static const u_int32_t il_tab[4][256] =
+{ { li_table },
+#undef w
+#define w w1
+ { li_table },
+#undef w
+#define w w2
+ { li_table },
+#undef w
+#define w w3
+ { li_table }
+};
+#endif
+
+#endif
+
+#if defined(FIXED_TABLES) && (defined(ONE_IM_TABLE) || defined(FOUR_IM_TABLES))
+
+#define m_table \
+ r(00,00,00,00), r(0b,0d,09,0e), r(16,1a,12,1c), r(1d,17,1b,12),\
+ r(2c,34,24,38), r(27,39,2d,36), r(3a,2e,36,24), r(31,23,3f,2a),\
+ r(58,68,48,70), r(53,65,41,7e), r(4e,72,5a,6c), r(45,7f,53,62),\
+ r(74,5c,6c,48), r(7f,51,65,46), r(62,46,7e,54), r(69,4b,77,5a),\
+ r(b0,d0,90,e0), r(bb,dd,99,ee), r(a6,ca,82,fc), r(ad,c7,8b,f2),\
+ r(9c,e4,b4,d8), r(97,e9,bd,d6), r(8a,fe,a6,c4), r(81,f3,af,ca),\
+ r(e8,b8,d8,90), r(e3,b5,d1,9e), r(fe,a2,ca,8c), r(f5,af,c3,82),\
+ r(c4,8c,fc,a8), r(cf,81,f5,a6), r(d2,96,ee,b4), r(d9,9b,e7,ba),\
+ r(7b,bb,3b,db), r(70,b6,32,d5), r(6d,a1,29,c7), r(66,ac,20,c9),\
+ r(57,8f,1f,e3), r(5c,82,16,ed), r(41,95,0d,ff), r(4a,98,04,f1),\
+ r(23,d3,73,ab), r(28,de,7a,a5), r(35,c9,61,b7), r(3e,c4,68,b9),\
+ r(0f,e7,57,93), r(04,ea,5e,9d), r(19,fd,45,8f), r(12,f0,4c,81),\
+ r(cb,6b,ab,3b), r(c0,66,a2,35), r(dd,71,b9,27), r(d6,7c,b0,29),\
+ r(e7,5f,8f,03), r(ec,52,86,0d), r(f1,45,9d,1f), r(fa,48,94,11),\
+ r(93,03,e3,4b), r(98,0e,ea,45), r(85,19,f1,57), r(8e,14,f8,59),\
+ r(bf,37,c7,73), r(b4,3a,ce,7d), r(a9,2d,d5,6f), r(a2,20,dc,61),\
+ r(f6,6d,76,ad), r(fd,60,7f,a3), r(e0,77,64,b1), r(eb,7a,6d,bf),\
+ r(da,59,52,95), r(d1,54,5b,9b), r(cc,43,40,89), r(c7,4e,49,87),\
+ r(ae,05,3e,dd), r(a5,08,37,d3), r(b8,1f,2c,c1), r(b3,12,25,cf),\
+ r(82,31,1a,e5), r(89,3c,13,eb), r(94,2b,08,f9), r(9f,26,01,f7),\
+ r(46,bd,e6,4d), r(4d,b0,ef,43), r(50,a7,f4,51), r(5b,aa,fd,5f),\
+ r(6a,89,c2,75), r(61,84,cb,7b), r(7c,93,d0,69), r(77,9e,d9,67),\
+ r(1e,d5,ae,3d), r(15,d8,a7,33), r(08,cf,bc,21), r(03,c2,b5,2f),\
+ r(32,e1,8a,05), r(39,ec,83,0b), r(24,fb,98,19), r(2f,f6,91,17),\
+ r(8d,d6,4d,76), r(86,db,44,78), r(9b,cc,5f,6a), r(90,c1,56,64),\
+ r(a1,e2,69,4e), r(aa,ef,60,40), r(b7,f8,7b,52), r(bc,f5,72,5c),\
+ r(d5,be,05,06), r(de,b3,0c,08), r(c3,a4,17,1a), r(c8,a9,1e,14),\
+ r(f9,8a,21,3e), r(f2,87,28,30), r(ef,90,33,22), r(e4,9d,3a,2c),\
+ r(3d,06,dd,96), r(36,0b,d4,98), r(2b,1c,cf,8a), r(20,11,c6,84),\
+ r(11,32,f9,ae), r(1a,3f,f0,a0), r(07,28,eb,b2), r(0c,25,e2,bc),\
+ r(65,6e,95,e6), r(6e,63,9c,e8), r(73,74,87,fa), r(78,79,8e,f4),\
+ r(49,5a,b1,de), r(42,57,b8,d0), r(5f,40,a3,c2), r(54,4d,aa,cc),\
+ r(f7,da,ec,41), r(fc,d7,e5,4f), r(e1,c0,fe,5d), r(ea,cd,f7,53),\
+ r(db,ee,c8,79), r(d0,e3,c1,77), r(cd,f4,da,65), r(c6,f9,d3,6b),\
+ r(af,b2,a4,31), r(a4,bf,ad,3f), r(b9,a8,b6,2d), r(b2,a5,bf,23),\
+ r(83,86,80,09), r(88,8b,89,07), r(95,9c,92,15), r(9e,91,9b,1b),\
+ r(47,0a,7c,a1), r(4c,07,75,af), r(51,10,6e,bd), r(5a,1d,67,b3),\
+ r(6b,3e,58,99), r(60,33,51,97), r(7d,24,4a,85), r(76,29,43,8b),\
+ r(1f,62,34,d1), r(14,6f,3d,df), r(09,78,26,cd), r(02,75,2f,c3),\
+ r(33,56,10,e9), r(38,5b,19,e7), r(25,4c,02,f5), r(2e,41,0b,fb),\
+ r(8c,61,d7,9a), r(87,6c,de,94), r(9a,7b,c5,86), r(91,76,cc,88),\
+ r(a0,55,f3,a2), r(ab,58,fa,ac), r(b6,4f,e1,be), r(bd,42,e8,b0),\
+ r(d4,09,9f,ea), r(df,04,96,e4), r(c2,13,8d,f6), r(c9,1e,84,f8),\
+ r(f8,3d,bb,d2), r(f3,30,b2,dc), r(ee,27,a9,ce), r(e5,2a,a0,c0),\
+ r(3c,b1,47,7a), r(37,bc,4e,74), r(2a,ab,55,66), r(21,a6,5c,68),\
+ r(10,85,63,42), r(1b,88,6a,4c), r(06,9f,71,5e), r(0d,92,78,50),\
+ r(64,d9,0f,0a), r(6f,d4,06,04), r(72,c3,1d,16), r(79,ce,14,18),\
+ r(48,ed,2b,32), r(43,e0,22,3c), r(5e,f7,39,2e), r(55,fa,30,20),\
+ r(01,b7,9a,ec), r(0a,ba,93,e2), r(17,ad,88,f0), r(1c,a0,81,fe),\
+ r(2d,83,be,d4), r(26,8e,b7,da), r(3b,99,ac,c8), r(30,94,a5,c6),\
+ r(59,df,d2,9c), r(52,d2,db,92), r(4f,c5,c0,80), r(44,c8,c9,8e),\
+ r(75,eb,f6,a4), r(7e,e6,ff,aa), r(63,f1,e4,b8), r(68,fc,ed,b6),\
+ r(b1,67,0a,0c), r(ba,6a,03,02), r(a7,7d,18,10), r(ac,70,11,1e),\
+ r(9d,53,2e,34), r(96,5e,27,3a), r(8b,49,3c,28), r(80,44,35,26),\
+ r(e9,0f,42,7c), r(e2,02,4b,72), r(ff,15,50,60), r(f4,18,59,6e),\
+ r(c5,3b,66,44), r(ce,36,6f,4a), r(d3,21,74,58), r(d8,2c,7d,56),\
+ r(7a,0c,a1,37), r(71,01,a8,39), r(6c,16,b3,2b), r(67,1b,ba,25),\
+ r(56,38,85,0f), r(5d,35,8c,01), r(40,22,97,13), r(4b,2f,9e,1d),\
+ r(22,64,e9,47), r(29,69,e0,49), r(34,7e,fb,5b), r(3f,73,f2,55),\
+ r(0e,50,cd,7f), r(05,5d,c4,71), r(18,4a,df,63), r(13,47,d6,6d),\
+ r(ca,dc,31,d7), r(c1,d1,38,d9), r(dc,c6,23,cb), r(d7,cb,2a,c5),\
+ r(e6,e8,15,ef), r(ed,e5,1c,e1), r(f0,f2,07,f3), r(fb,ff,0e,fd),\
+ r(92,b4,79,a7), r(99,b9,70,a9), r(84,ae,6b,bb), r(8f,a3,62,b5),\
+ r(be,80,5d,9f), r(b5,8d,54,91), r(a8,9a,4f,83), r(a3,97,46,8d)
+
+#undef r
+#define r r0
+
+#if defined(ONE_IM_TABLE)
+static const u_int32_t im_tab[256] =
+ { m_table };
+#elif defined(FOUR_IM_TABLES)
+static const u_int32_t im_tab[4][256] =
+{ { m_table },
+#undef r
+#define r r1
+ { m_table },
+#undef r
+#define r r2
+ { m_table },
+#undef r
+#define r r3
+ { m_table }
+};
+#endif
+
+#endif
+
+#else
+
+static int tab_gen = 0;
+
+static unsigned char s_box[256]; // the S box
+static unsigned char inv_s_box[256]; // the inverse S box
+static u_int32_t rcon_tab[AES_RC_LENGTH]; // table of round constants
+
+#if defined(ONE_TABLE)
+static u_int32_t ft_tab[256];
+static u_int32_t it_tab[256];
+#elif defined(FOUR_TABLES)
+static u_int32_t ft_tab[4][256];
+static u_int32_t it_tab[4][256];
+#endif
+
+#if defined(ONE_LR_TABLE)
+static u_int32_t fl_tab[256];
+static u_int32_t il_tab[256];
+#elif defined(FOUR_LR_TABLES)
+static u_int32_t fl_tab[4][256];
+static u_int32_t il_tab[4][256];
+#endif
+
+#if defined(ONE_IM_TABLE)
+static u_int32_t im_tab[256];
+#elif defined(FOUR_IM_TABLES)
+static u_int32_t im_tab[4][256];
+#endif
+
+// Generate the tables for the dynamic table option
+
+#if !defined(FF_TABLES)
+
+// It will generally be sensible to use tables to compute finite
+// field multiplies and inverses but where memory is scarse this
+// code might sometimes be better.
+
+// return 2 ^ (n - 1) where n is the bit number of the highest bit
+// set in x with x in the range 1 < x < 0x00000200. This form is
+// used so that locals within FFinv can be bytes rather than words
+
+static unsigned char hibit(const u_int32_t x)
+{ unsigned char r = (unsigned char)((x >> 1) | (x >> 2));
+
+ r |= (r >> 2);
+ r |= (r >> 4);
+ return (r + 1) >> 1;
+}
+
+// return the inverse of the finite field element x
+
+static unsigned char FFinv(const unsigned char x)
+{ unsigned char p1 = x, p2 = 0x1b, n1 = hibit(x), n2 = 0x80, v1 = 1, v2 = 0;
+
+ if(x < 2) return x;
+
+ for(;;)
+ {
+ if(!n1) return v1;
+
+ while(n2 >= n1)
+ {
+ n2 /= n1; p2 ^= p1 * n2; v2 ^= v1 * n2; n2 = hibit(p2);
+ }
+
+ if(!n2) return v2;
+
+ while(n1 >= n2)
+ {
+ n1 /= n2; p1 ^= p2 * n1; v1 ^= v2 * n1; n1 = hibit(p1);
+ }
+ }
+}
+
+// define the finite field multiplies required for Rijndael
+
+#define FFmul02(x) ((((x) & 0x7f) << 1) ^ ((x) & 0x80 ? 0x1b : 0))
+#define FFmul03(x) ((x) ^ FFmul02(x))
+#define FFmul09(x) ((x) ^ FFmul02(FFmul02(FFmul02(x))))
+#define FFmul0b(x) ((x) ^ FFmul02((x) ^ FFmul02(FFmul02(x))))
+#define FFmul0d(x) ((x) ^ FFmul02(FFmul02((x) ^ FFmul02(x))))
+#define FFmul0e(x) FFmul02((x) ^ FFmul02((x) ^ FFmul02(x)))
+
+#else
+
+#define FFinv(x) ((x) ? pow[255 - log[x]]: 0)
+
+#define FFmul02(x) (x ? pow[log[x] + 0x19] : 0)
+#define FFmul03(x) (x ? pow[log[x] + 0x01] : 0)
+#define FFmul09(x) (x ? pow[log[x] + 0xc7] : 0)
+#define FFmul0b(x) (x ? pow[log[x] + 0x68] : 0)
+#define FFmul0d(x) (x ? pow[log[x] + 0xee] : 0)
+#define FFmul0e(x) (x ? pow[log[x] + 0xdf] : 0)
+
+#endif
+
+// The forward and inverse affine transformations used in the S-box
+
+#define fwd_affine(x) \
+ (w = (u_int32_t)x, w ^= (w<<1)^(w<<2)^(w<<3)^(w<<4), 0x63^(unsigned char)(w^(w>>8)))
+
+#define inv_affine(x) \
+ (w = (u_int32_t)x, w = (w<<1)^(w<<3)^(w<<6), 0x05^(unsigned char)(w^(w>>8)))
+
+static void gen_tabs(void)
+{ u_int32_t i, w;
+
+#if defined(FF_TABLES)
+
+ unsigned char pow[512], log[256];
+
+ // log and power tables for GF(2^8) finite field with
+ // 0x011b as modular polynomial - the simplest primitive
+ // root is 0x03, used here to generate the tables
+
+ i = 0; w = 1;
+ do
+ {
+ pow[i] = (unsigned char)w;
+ pow[i + 255] = (unsigned char)w;
+ log[w] = (unsigned char)i++;
+ w ^= (w << 1) ^ (w & ff_hi ? ff_poly : 0);
+ }
+ while (w != 1);
+
+#endif
+
+ for(i = 0, w = 1; i < AES_RC_LENGTH; ++i)
+ {
+ rcon_tab[i] = bytes2word(w, 0, 0, 0);
+ w = (w << 1) ^ (w & ff_hi ? ff_poly : 0);
+ }
+
+ for(i = 0; i < 256; ++i)
+ { unsigned char b;
+
+ s_box[i] = b = fwd_affine(FFinv((unsigned char)i));
+
+ w = bytes2word(b, 0, 0, 0);
+#if defined(ONE_LR_TABLE)
+ fl_tab[i] = w;
+#elif defined(FOUR_LR_TABLES)
+ fl_tab[0][i] = w;
+ fl_tab[1][i] = upr(w,1);
+ fl_tab[2][i] = upr(w,2);
+ fl_tab[3][i] = upr(w,3);
+#endif
+ w = bytes2word(FFmul02(b), b, b, FFmul03(b));
+#if defined(ONE_TABLE)
+ ft_tab[i] = w;
+#elif defined(FOUR_TABLES)
+ ft_tab[0][i] = w;
+ ft_tab[1][i] = upr(w,1);
+ ft_tab[2][i] = upr(w,2);
+ ft_tab[3][i] = upr(w,3);
+#endif
+ inv_s_box[i] = b = FFinv(inv_affine((unsigned char)i));
+
+ w = bytes2word(b, 0, 0, 0);
+#if defined(ONE_LR_TABLE)
+ il_tab[i] = w;
+#elif defined(FOUR_LR_TABLES)
+ il_tab[0][i] = w;
+ il_tab[1][i] = upr(w,1);
+ il_tab[2][i] = upr(w,2);
+ il_tab[3][i] = upr(w,3);
+#endif
+ w = bytes2word(FFmul0e(b), FFmul09(b), FFmul0d(b), FFmul0b(b));
+#if defined(ONE_TABLE)
+ it_tab[i] = w;
+#elif defined(FOUR_TABLES)
+ it_tab[0][i] = w;
+ it_tab[1][i] = upr(w,1);
+ it_tab[2][i] = upr(w,2);
+ it_tab[3][i] = upr(w,3);
+#endif
+#if defined(ONE_IM_TABLE)
+ im_tab[b] = w;
+#elif defined(FOUR_IM_TABLES)
+ im_tab[0][b] = w;
+ im_tab[1][b] = upr(w,1);
+ im_tab[2][b] = upr(w,2);
+ im_tab[3][b] = upr(w,3);
+#endif
+
+ }
+}
+
+#endif
+
+#define no_table(x,box,vf,rf,c) bytes2word( \
+ box[bval(vf(x,0,c),rf(0,c))], \
+ box[bval(vf(x,1,c),rf(1,c))], \
+ box[bval(vf(x,2,c),rf(2,c))], \
+ box[bval(vf(x,3,c),rf(3,c))])
+
+#define one_table(x,op,tab,vf,rf,c) \
+ ( tab[bval(vf(x,0,c),rf(0,c))] \
+ ^ op(tab[bval(vf(x,1,c),rf(1,c))],1) \
+ ^ op(tab[bval(vf(x,2,c),rf(2,c))],2) \
+ ^ op(tab[bval(vf(x,3,c),rf(3,c))],3))
+
+#define four_tables(x,tab,vf,rf,c) \
+ ( tab[0][bval(vf(x,0,c),rf(0,c))] \
+ ^ tab[1][bval(vf(x,1,c),rf(1,c))] \
+ ^ tab[2][bval(vf(x,2,c),rf(2,c))] \
+ ^ tab[3][bval(vf(x,3,c),rf(3,c))])
+
+#define vf1(x,r,c) (x)
+#define rf1(r,c) (r)
+#define rf2(r,c) ((r-c)&3)
+
+#if defined(FOUR_LR_TABLES)
+#define ls_box(x,c) four_tables(x,fl_tab,vf1,rf2,c)
+#elif defined(ONE_LR_TABLE)
+#define ls_box(x,c) one_table(x,upr,fl_tab,vf1,rf2,c)
+#else
+#define ls_box(x,c) no_table(x,s_box,vf1,rf2,c)
+#endif
+
+#if defined(FOUR_IM_TABLES)
+#define inv_mcol(x) four_tables(x,im_tab,vf1,rf1,0)
+#elif defined(ONE_IM_TABLE)
+#define inv_mcol(x) one_table(x,upr,im_tab,vf1,rf1,0)
+#else
+#define inv_mcol(x) \
+ (f9 = (x),f2 = FFmulX(f9), f4 = FFmulX(f2), f8 = FFmulX(f4), f9 ^= f8, \
+ f2 ^= f4 ^ f8 ^ upr(f2 ^ f9,3) ^ upr(f4 ^ f9,2) ^ upr(f9,1))
+#endif
+
+#define nc (AES_BLOCK_SIZE/4)
+
+// Initialise the key schedule from the user supplied key. The key
+// length is now specified in bytes - 16, 24 or 32 as appropriate.
+// This corresponds to bit lengths of 128, 192 and 256 bits, and
+// to Nk values of 4, 6 and 8 respectively.
+
+#define mx(t,f) (*t++ = inv_mcol(*f),f++)
+#define cp(t,f) *t++ = *f++
+
+#if AES_BLOCK_SIZE == 16
+#define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s)
+#define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s)
+#elif AES_BLOCK_SIZE == 24
+#define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
+ cp(d,s); cp(d,s)
+#define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
+ mx(d,s); mx(d,s)
+#elif AES_BLOCK_SIZE == 32
+#define cpy(d,s) cp(d,s); cp(d,s); cp(d,s); cp(d,s); \
+ cp(d,s); cp(d,s); cp(d,s); cp(d,s)
+#define mix(d,s) mx(d,s); mx(d,s); mx(d,s); mx(d,s); \
+ mx(d,s); mx(d,s); mx(d,s); mx(d,s)
+#else
+
+#define cpy(d,s) \
+switch(nc) \
+{ case 8: cp(d,s); cp(d,s); \
+ case 6: cp(d,s); cp(d,s); \
+ case 4: cp(d,s); cp(d,s); \
+ cp(d,s); cp(d,s); \
+}
+
+#define mix(d,s) \
+switch(nc) \
+{ case 8: mx(d,s); mx(d,s); \
+ case 6: mx(d,s); mx(d,s); \
+ case 4: mx(d,s); mx(d,s); \
+ mx(d,s); mx(d,s); \
+}
+
+#endif
+
+// y = output word, x = input word, r = row, c = column
+// for r = 0, 1, 2 and 3 = column accessed for row r
+
+#if defined(ARRAYS)
+#define s(x,c) x[c]
+#else
+#define s(x,c) x##c
+#endif
+
+// I am grateful to Frank Yellin for the following constructions
+// which, given the column (c) of the output state variable that
+// is being computed, return the input state variables which are
+// needed for each row (r) of the state
+
+// For the fixed block size options, compilers reduce these two
+// expressions to fixed variable references. For variable block
+// size code conditional clauses will sometimes be returned
+
+#define unused 77 // Sunset Strip
+
+#define fwd_var(x,r,c) \
+ ( r==0 ? \
+ ( c==0 ? s(x,0) \
+ : c==1 ? s(x,1) \
+ : c==2 ? s(x,2) \
+ : c==3 ? s(x,3) \
+ : c==4 ? s(x,4) \
+ : c==5 ? s(x,5) \
+ : c==6 ? s(x,6) \
+ : s(x,7)) \
+ : r==1 ? \
+ ( c==0 ? s(x,1) \
+ : c==1 ? s(x,2) \
+ : c==2 ? s(x,3) \
+ : c==3 ? nc==4 ? s(x,0) : s(x,4) \
+ : c==4 ? s(x,5) \
+ : c==5 ? nc==8 ? s(x,6) : s(x,0) \
+ : c==6 ? s(x,7) \
+ : s(x,0)) \
+ : r==2 ? \
+ ( c==0 ? nc==8 ? s(x,3) : s(x,2) \
+ : c==1 ? nc==8 ? s(x,4) : s(x,3) \
+ : c==2 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
+ : c==3 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
+ : c==4 ? nc==8 ? s(x,7) : s(x,0) \
+ : c==5 ? nc==8 ? s(x,0) : s(x,1) \
+ : c==6 ? s(x,1) \
+ : s(x,2)) \
+ : \
+ ( c==0 ? nc==8 ? s(x,4) : s(x,3) \
+ : c==1 ? nc==4 ? s(x,0) : nc==8 ? s(x,5) : s(x,4) \
+ : c==2 ? nc==4 ? s(x,1) : nc==8 ? s(x,6) : s(x,5) \
+ : c==3 ? nc==4 ? s(x,2) : nc==8 ? s(x,7) : s(x,0) \
+ : c==4 ? nc==8 ? s(x,0) : s(x,1) \
+ : c==5 ? nc==8 ? s(x,1) : s(x,2) \
+ : c==6 ? s(x,2) \
+ : s(x,3)))
+
+#define inv_var(x,r,c) \
+ ( r==0 ? \
+ ( c==0 ? s(x,0) \
+ : c==1 ? s(x,1) \
+ : c==2 ? s(x,2) \
+ : c==3 ? s(x,3) \
+ : c==4 ? s(x,4) \
+ : c==5 ? s(x,5) \
+ : c==6 ? s(x,6) \
+ : s(x,7)) \
+ : r==1 ? \
+ ( c==0 ? nc==4 ? s(x,3) : nc==8 ? s(x,7) : s(x,5) \
+ : c==1 ? s(x,0) \
+ : c==2 ? s(x,1) \
+ : c==3 ? s(x,2) \
+ : c==4 ? s(x,3) \
+ : c==5 ? s(x,4) \
+ : c==6 ? s(x,5) \
+ : s(x,6)) \
+ : r==2 ? \
+ ( c==0 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
+ : c==1 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
+ : c==2 ? nc==8 ? s(x,7) : s(x,0) \
+ : c==3 ? nc==8 ? s(x,0) : s(x,1) \
+ : c==4 ? nc==8 ? s(x,1) : s(x,2) \
+ : c==5 ? nc==8 ? s(x,2) : s(x,3) \
+ : c==6 ? s(x,3) \
+ : s(x,4)) \
+ : \
+ ( c==0 ? nc==4 ? s(x,1) : nc==8 ? s(x,4) : s(x,3) \
+ : c==1 ? nc==4 ? s(x,2) : nc==8 ? s(x,5) : s(x,4) \
+ : c==2 ? nc==4 ? s(x,3) : nc==8 ? s(x,6) : s(x,5) \
+ : c==3 ? nc==8 ? s(x,7) : s(x,0) \
+ : c==4 ? nc==8 ? s(x,0) : s(x,1) \
+ : c==5 ? nc==8 ? s(x,1) : s(x,2) \
+ : c==6 ? s(x,2) \
+ : s(x,3)))
+
+#define si(y,x,k,c) s(y,c) = const_word_in(x + 4 * c) ^ k[c]
+#define so(y,x,c) word_out(y + 4 * c, s(x,c))
+
+#if defined(FOUR_TABLES)
+#define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,ft_tab,fwd_var,rf1,c)
+#define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,it_tab,inv_var,rf1,c)
+#elif defined(ONE_TABLE)
+#define fwd_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,ft_tab,fwd_var,rf1,c)
+#define inv_rnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,upr,it_tab,inv_var,rf1,c)
+#else
+#define fwd_rnd(y,x,k,c) s(y,c) = fwd_mcol(no_table(x,s_box,fwd_var,rf1,c)) ^ (k)[c]
+#define inv_rnd(y,x,k,c) s(y,c) = inv_mcol(no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c])
+#endif
+
+#if defined(FOUR_LR_TABLES)
+#define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,fl_tab,fwd_var,rf1,c)
+#define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ four_tables(x,il_tab,inv_var,rf1,c)
+#elif defined(ONE_LR_TABLE)
+#define fwd_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,fl_tab,fwd_var,rf1,c)
+#define inv_lrnd(y,x,k,c) s(y,c)= (k)[c] ^ one_table(x,ups,il_tab,inv_var,rf1,c)
+#else
+#define fwd_lrnd(y,x,k,c) s(y,c) = no_table(x,s_box,fwd_var,rf1,c) ^ (k)[c]
+#define inv_lrnd(y,x,k,c) s(y,c) = no_table(x,inv_s_box,inv_var,rf1,c) ^ (k)[c]
+#endif
+
+#if AES_BLOCK_SIZE == 16
+
+#if defined(ARRAYS)
+#define locals(y,x) x[4],y[4]
+#else
+#define locals(y,x) x##0,x##1,x##2,x##3,y##0,y##1,y##2,y##3
+// the following defines prevent the compiler requiring the declaration
+// of generated but unused variables in the fwd_var and inv_var macros
+#define b04 unused
+#define b05 unused
+#define b06 unused
+#define b07 unused
+#define b14 unused
+#define b15 unused
+#define b16 unused
+#define b17 unused
+#endif
+#define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
+ s(y,2) = s(x,2); s(y,3) = s(x,3);
+#define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3)
+#define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3)
+#define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3)
+
+#elif AES_BLOCK_SIZE == 24
+
+#if defined(ARRAYS)
+#define locals(y,x) x[6],y[6]
+#else
+#define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5, \
+ y##0,y##1,y##2,y##3,y##4,y##5
+#define b06 unused
+#define b07 unused
+#define b16 unused
+#define b17 unused
+#endif
+#define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
+ s(y,2) = s(x,2); s(y,3) = s(x,3); \
+ s(y,4) = s(x,4); s(y,5) = s(x,5);
+#define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); \
+ si(y,x,k,3); si(y,x,k,4); si(y,x,k,5)
+#define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); \
+ so(y,x,3); so(y,x,4); so(y,x,5)
+#define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); \
+ rm(y,x,k,3); rm(y,x,k,4); rm(y,x,k,5)
+#else
+
+#if defined(ARRAYS)
+#define locals(y,x) x[8],y[8]
+#else
+#define locals(y,x) x##0,x##1,x##2,x##3,x##4,x##5,x##6,x##7, \
+ y##0,y##1,y##2,y##3,y##4,y##5,y##6,y##7
+#endif
+#define l_copy(y, x) s(y,0) = s(x,0); s(y,1) = s(x,1); \
+ s(y,2) = s(x,2); s(y,3) = s(x,3); \
+ s(y,4) = s(x,4); s(y,5) = s(x,5); \
+ s(y,6) = s(x,6); s(y,7) = s(x,7);
+
+#if AES_BLOCK_SIZE == 32
+
+#define state_in(y,x,k) si(y,x,k,0); si(y,x,k,1); si(y,x,k,2); si(y,x,k,3); \
+ si(y,x,k,4); si(y,x,k,5); si(y,x,k,6); si(y,x,k,7)
+#define state_out(y,x) so(y,x,0); so(y,x,1); so(y,x,2); so(y,x,3); \
+ so(y,x,4); so(y,x,5); so(y,x,6); so(y,x,7)
+#define round(rm,y,x,k) rm(y,x,k,0); rm(y,x,k,1); rm(y,x,k,2); rm(y,x,k,3); \
+ rm(y,x,k,4); rm(y,x,k,5); rm(y,x,k,6); rm(y,x,k,7)
+#else
+
+#define state_in(y,x,k) \
+switch(nc) \
+{ case 8: si(y,x,k,7); si(y,x,k,6); \
+ case 6: si(y,x,k,5); si(y,x,k,4); \
+ case 4: si(y,x,k,3); si(y,x,k,2); \
+ si(y,x,k,1); si(y,x,k,0); \
+}
+
+#define state_out(y,x) \
+switch(nc) \
+{ case 8: so(y,x,7); so(y,x,6); \
+ case 6: so(y,x,5); so(y,x,4); \
+ case 4: so(y,x,3); so(y,x,2); \
+ so(y,x,1); so(y,x,0); \
+}
+
+#if defined(FAST_VARIABLE)
+
+#define round(rm,y,x,k) \
+switch(nc) \
+{ case 8: rm(y,x,k,7); rm(y,x,k,6); \
+ rm(y,x,k,5); rm(y,x,k,4); \
+ rm(y,x,k,3); rm(y,x,k,2); \
+ rm(y,x,k,1); rm(y,x,k,0); \
+ break; \
+ case 6: rm(y,x,k,5); rm(y,x,k,4); \
+ rm(y,x,k,3); rm(y,x,k,2); \
+ rm(y,x,k,1); rm(y,x,k,0); \
+ break; \
+ case 4: rm(y,x,k,3); rm(y,x,k,2); \
+ rm(y,x,k,1); rm(y,x,k,0); \
+ break; \
+}
+#else
+
+#define round(rm,y,x,k) \
+switch(nc) \
+{ case 8: rm(y,x,k,7); rm(y,x,k,6); \
+ case 6: rm(y,x,k,5); rm(y,x,k,4); \
+ case 4: rm(y,x,k,3); rm(y,x,k,2); \
+ rm(y,x,k,1); rm(y,x,k,0); \
+}
+
+#endif
+
+#endif
+#endif
+
+/**
+ * Implementation of private_aes_cbc_crypter_t.encrypt_block.
+ */
+static void encrypt_block(const private_aes_cbc_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[])
+{ u_int32_t locals(b0, b1);
+ const u_int32_t *kp = this->aes_e_key;
+
+#if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
+ u_int32_t f2;
+#endif
+
+ state_in(b0, in_blk, kp); kp += nc;
+
+#if defined(UNROLL)
+
+ switch(this->aes_Nrnd)
+ {
+ case 14: round(fwd_rnd, b1, b0, kp );
+ round(fwd_rnd, b0, b1, kp + nc ); kp += 2 * nc;
+ case 12: round(fwd_rnd, b1, b0, kp );
+ round(fwd_rnd, b0, b1, kp + nc ); kp += 2 * nc;
+ case 10: round(fwd_rnd, b1, b0, kp );
+ round(fwd_rnd, b0, b1, kp + nc);
+ round(fwd_rnd, b1, b0, kp + 2 * nc);
+ round(fwd_rnd, b0, b1, kp + 3 * nc);
+ round(fwd_rnd, b1, b0, kp + 4 * nc);
+ round(fwd_rnd, b0, b1, kp + 5 * nc);
+ round(fwd_rnd, b1, b0, kp + 6 * nc);
+ round(fwd_rnd, b0, b1, kp + 7 * nc);
+ round(fwd_rnd, b1, b0, kp + 8 * nc);
+ round(fwd_lrnd, b0, b1, kp + 9 * nc);
+ }
+
+#elif defined(PARTIAL_UNROLL)
+ { u_int32_t rnd;
+
+ for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
+ {
+ round(fwd_rnd, b1, b0, kp);
+ round(fwd_rnd, b0, b1, kp + nc); kp += 2 * nc;
+ }
+
+ round(fwd_rnd, b1, b0, kp);
+ round(fwd_lrnd, b0, b1, kp + nc);
+ }
+#else
+ { u_int32_t rnd;
+
+ for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
+ {
+ round(fwd_rnd, b1, b0, kp);
+ l_copy(b0, b1); kp += nc;
+ }
+
+ round(fwd_lrnd, b0, b1, kp);
+ }
+#endif
+
+ state_out(out_blk, b0);
+}
+
+/**
+ * Implementation of private_aes_cbc_crypter_t.decrypt_block.
+ */
+static void decrypt_block(const private_aes_cbc_crypter_t *this, const unsigned char in_blk[], unsigned char out_blk[])
+{ u_int32_t locals(b0, b1);
+ const u_int32_t *kp = this->aes_d_key;
+
+#if !defined(ONE_TABLE) && !defined(FOUR_TABLES)
+ u_int32_t f2, f4, f8, f9;
+#endif
+
+ state_in(b0, in_blk, kp); kp += nc;
+
+#if defined(UNROLL)
+
+ switch(this->aes_Nrnd)
+ {
+ case 14: round(inv_rnd, b1, b0, kp );
+ round(inv_rnd, b0, b1, kp + nc ); kp += 2 * nc;
+ case 12: round(inv_rnd, b1, b0, kp );
+ round(inv_rnd, b0, b1, kp + nc ); kp += 2 * nc;
+ case 10: round(inv_rnd, b1, b0, kp );
+ round(inv_rnd, b0, b1, kp + nc);
+ round(inv_rnd, b1, b0, kp + 2 * nc);
+ round(inv_rnd, b0, b1, kp + 3 * nc);
+ round(inv_rnd, b1, b0, kp + 4 * nc);
+ round(inv_rnd, b0, b1, kp + 5 * nc);
+ round(inv_rnd, b1, b0, kp + 6 * nc);
+ round(inv_rnd, b0, b1, kp + 7 * nc);
+ round(inv_rnd, b1, b0, kp + 8 * nc);
+ round(inv_lrnd, b0, b1, kp + 9 * nc);
+ }
+
+#elif defined(PARTIAL_UNROLL)
+ { u_int32_t rnd;
+
+ for(rnd = 0; rnd < (this->aes_Nrnd >> 1) - 1; ++rnd)
+ {
+ round(inv_rnd, b1, b0, kp);
+ round(inv_rnd, b0, b1, kp + nc); kp += 2 * nc;
+ }
+
+ round(inv_rnd, b1, b0, kp);
+ round(inv_lrnd, b0, b1, kp + nc);
+ }
+#else
+ { u_int32_t rnd;
+
+ for(rnd = 0; rnd < this->aes_Nrnd - 1; ++rnd)
+ {
+ round(inv_rnd, b1, b0, kp);
+ l_copy(b0, b1); kp += nc;
+ }
+
+ round(inv_lrnd, b0, b1, kp);
+ }
+#endif
+
+ state_out(out_blk, b0);
+}
+
+/**
+ * Implementation of crypter_t.decrypt.
+ */
+static status_t decrypt (private_aes_cbc_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
+{
+ int ret, pos;
+ const u_int32_t *iv_i;
+ u_int8_t *in, *out;
+
+ ret = data.len;
+ if (((data.len) % 16) != 0)
+ {
+ /* data length must be padded to a multiple of blocksize */
+ return INVALID_ARG;
+ }
+
+ decrypted->ptr = malloc(data.len);
+ if (decrypted->ptr == NULL)
+ {
+ return OUT_OF_RES;
+ }
+ decrypted->len = data.len;
+
+ in = data.ptr;
+ out = decrypted->ptr;
+
+ pos=data.len-16;
+ in+=pos;
+ out+=pos;
+ while(pos>=0) {
+ this->decrypt_block(this,in,out);
+ if (pos==0)
+ iv_i=(const u_int32_t*) (iv.ptr);
+ else
+ iv_i=(const u_int32_t*) (in-16);
+ *((u_int32_t *)(&out[ 0])) ^= iv_i[0];
+ *((u_int32_t *)(&out[ 4])) ^= iv_i[1];
+ *((u_int32_t *)(&out[ 8])) ^= iv_i[2];
+ *((u_int32_t *)(&out[12])) ^= iv_i[3];
+ in-=16;
+ out-=16;
+ pos-=16;
+ }
+
+ return SUCCESS;
+}
+
+
+/**
+ * Implementation of crypter_t.decrypt.
+ */
+static status_t encrypt (private_aes_cbc_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
+{
+ int ret, pos;
+ const u_int32_t *iv_i;
+ u_int8_t *in, *out;
+
+ ret = data.len;
+ if (((data.len) % 16) != 0)
+ {
+ /* data length must be padded to a multiple of blocksize */
+ return INVALID_ARG;
+ }
+
+ encrypted->ptr = malloc(data.len);
+ if (encrypted->ptr == NULL)
+ {
+ return OUT_OF_RES;
+ }
+ encrypted->len = data.len;
+
+ in = data.ptr;
+ out = encrypted->ptr;
+
+ pos=0;
+ while(pos<data.len)
+ {
+ if (pos==0)
+ iv_i=(const u_int32_t*) iv.ptr;
+ else
+ iv_i=(const u_int32_t*) (out-16);
+ *((u_int32_t *)(&out[ 0])) = iv_i[0]^*((const u_int32_t *)(&in[ 0]));
+ *((u_int32_t *)(&out[ 4])) = iv_i[1]^*((const u_int32_t *)(&in[ 4]));
+ *((u_int32_t *)(&out[ 8])) = iv_i[2]^*((const u_int32_t *)(&in[ 8]));
+ *((u_int32_t *)(&out[12])) = iv_i[3]^*((const u_int32_t *)(&in[12]));
+ this->encrypt_block(this,out,out);
+ in+=16;
+ out+=16;
+ pos+=16;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of crypter_t.get_block_size.
+ */
+static size_t get_block_size (private_aes_cbc_crypter_t *this)
+{
+ return AES_BLOCK_SIZE;
+}
+
+/**
+ * Implementation of crypter_t.get_key_size.
+ */
+static size_t get_key_size (private_aes_cbc_crypter_t *this)
+{
+ return this->key_size;
+}
+
+/**
+ * Implementation of crypter_t.set_key.
+ */
+static status_t set_key (private_aes_cbc_crypter_t *this, chunk_t key)
+{
+ u_int32_t *kf, *kt, rci, f = 0;
+ u_int8_t *in_key = key.ptr;
+
+ if (key.len != this->key_size)
+ {
+ return INVALID_ARG;
+ }
+
+ this->aes_Nrnd = (this->aes_Nkey > (nc) ? this->aes_Nkey : (nc)) + 6;
+
+ this->aes_e_key[0] = const_word_in(in_key );
+ this->aes_e_key[1] = const_word_in(in_key + 4);
+ this->aes_e_key[2] = const_word_in(in_key + 8);
+ this->aes_e_key[3] = const_word_in(in_key + 12);
+
+ kf = this->aes_e_key;
+ kt = kf + nc * (this->aes_Nrnd + 1) - this->aes_Nkey;
+ rci = 0;
+
+ switch(this->aes_Nkey)
+ {
+ case 4: do
+ { kf[4] = kf[0] ^ ls_box(kf[3],3) ^ rcon_tab[rci++];
+ kf[5] = kf[1] ^ kf[4];
+ kf[6] = kf[2] ^ kf[5];
+ kf[7] = kf[3] ^ kf[6];
+ kf += 4;
+ }
+ while(kf < kt);
+ break;
+
+ case 6: this->aes_e_key[4] = const_word_in(in_key + 16);
+ this->aes_e_key[5] = const_word_in(in_key + 20);
+ do
+ { kf[ 6] = kf[0] ^ ls_box(kf[5],3) ^ rcon_tab[rci++];
+ kf[ 7] = kf[1] ^ kf[ 6];
+ kf[ 8] = kf[2] ^ kf[ 7];
+ kf[ 9] = kf[3] ^ kf[ 8];
+ kf[10] = kf[4] ^ kf[ 9];
+ kf[11] = kf[5] ^ kf[10];
+ kf += 6;
+ }
+ while(kf < kt);
+ break;
+
+ case 8: this->aes_e_key[4] = const_word_in(in_key + 16);
+ this->aes_e_key[5] = const_word_in(in_key + 20);
+ this->aes_e_key[6] = const_word_in(in_key + 24);
+ this->aes_e_key[7] = const_word_in(in_key + 28);
+ do
+ { kf[ 8] = kf[0] ^ ls_box(kf[7],3) ^ rcon_tab[rci++];
+ kf[ 9] = kf[1] ^ kf[ 8];
+ kf[10] = kf[2] ^ kf[ 9];
+ kf[11] = kf[3] ^ kf[10];
+ kf[12] = kf[4] ^ ls_box(kf[11],0);
+ kf[13] = kf[5] ^ kf[12];
+ kf[14] = kf[6] ^ kf[13];
+ kf[15] = kf[7] ^ kf[14];
+ kf += 8;
+ }
+ while (kf < kt);
+ break;
+ }
+
+ if(!f)
+ {
+ u_int32_t i;
+
+ kt = this->aes_d_key + nc * this->aes_Nrnd;
+ kf = this->aes_e_key;
+
+ cpy(kt, kf); kt -= 2 * nc;
+
+ for(i = 1; i < this->aes_Nrnd; ++i)
+ {
+#if defined(ONE_TABLE) || defined(FOUR_TABLES)
+#if !defined(ONE_IM_TABLE) && !defined(FOUR_IM_TABLES)
+ u_int32_t f2, f4, f8, f9;
+#endif
+ mix(kt, kf);
+#else
+ cpy(kt, kf);
+#endif
+ kt -= 2 * nc;
+ }
+ cpy(kt, kf);
+ }
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of crypter_t.destroy and aes_cbc_crypter_t.destroy.
+ */
+static void destroy (private_aes_cbc_crypter_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+aes_cbc_crypter_t *aes_cbc_crypter_create(size_t key_size)
+{
+ private_aes_cbc_crypter_t *this = malloc_thing(private_aes_cbc_crypter_t);
+
+ #if !defined(FIXED_TABLES)
+ if(!tab_gen) { gen_tabs(); tab_gen = 1; }
+ #endif
+
+ this->key_size = key_size;
+ switch(key_size) {
+ case 32: /* bytes */
+ this->aes_Nkey = 8;
+ break;
+ case 24: /* bytes */
+ this->aes_Nkey = 6;
+ break;
+ case 16: /* bytes */
+ this->aes_Nkey = 4;
+ break;
+ default:
+ free(this);
+ return NULL;
+ }
+
+ /* functions of crypter_t interface */
+ this->public.crypter_interface.encrypt = (status_t (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
+ this->public.crypter_interface.decrypt = (status_t (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
+ this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
+ this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
+ this->public.crypter_interface.set_key = (status_t (*) (crypter_t *,chunk_t)) set_key;
+ this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
+
+ /* private functions */
+ this->decrypt_block = decrypt_block;
+ this->encrypt_block = encrypt_block;
+
+ return &(this->public);
+}
diff --git a/src/libstrongswan/crypto/crypters/aes_cbc_crypter.h b/src/libstrongswan/crypto/crypters/aes_cbc_crypter.h
new file mode 100644
index 000000000..5da248b8c
--- /dev/null
+++ b/src/libstrongswan/crypto/crypters/aes_cbc_crypter.h
@@ -0,0 +1,61 @@
+/**
+ * @file aes_cbc_crypter.h
+ *
+ * @brief Interface of aes_cbc_crypter_t
+ *
+ */
+
+/*
+ * Copyright (C) 2001 Dr B. R. Gladman <brg@gladman.uk.net>
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef AES_CBC_CRYPTER_H_
+#define AES_CBC_CRYPTER_H_
+
+typedef struct aes_cbc_crypter_t aes_cbc_crypter_t;
+
+#include <crypto/crypters/crypter.h>
+
+/**
+ * @brief Class implementing the AES symmetric encryption algorithm.
+ *
+ * @b Constructors:
+ * - aes_cbc_crypter_create()
+ *
+ * @ingroup crypters
+ */
+struct aes_cbc_crypter_t {
+
+ /**
+ * The crypter_t interface.
+ */
+ crypter_t crypter_interface;
+};
+
+/**
+ * @brief Constructor to create aes_cbc_crypter_t objects.
+ *
+ * Supported key sizes are: 16, 24 or 32.
+ *
+ * @param key_size key size in bytes
+ * @return
+ * - aes_cbc_crypter_t object
+ * - NULL if key size not supported
+ */
+aes_cbc_crypter_t *aes_cbc_crypter_create(size_t key_size);
+
+
+#endif /* AES_CBC_CRYPTER_H_ */
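Review bot: The doc block above aes_cbc_crypter_create() does not say that the returned object is unusable until set_key() has succeeded. In aes_cbc_crypter.c earlier in this diff the constructor sets only key_size and aes_Nkey, while aes_Nrnd and both key schedules are written only in set_key(). encrypt() or decrypt() on a fresh object would therefore run on whatever malloc_thing() left in those fields (presumably uninitialised; its definition is not visible here). I would add `* The crypter holds no key after creation; set_key() must be called before encrypt() or decrypt().` to that block. The class `@brief` could also say "AES in CBC mode", so readers know the mode and that integrity protection has to come from a separate layer.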
diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c
new file mode 100644
index 000000000..7f62741a7
--- /dev/null
+++ b/src/libstrongswan/crypto/crypters/crypter.c
@@ -0,0 +1,68 @@
+/**
+ * @file crypter.c
+ *
+ * @brief Generic constructor for crypter_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "crypter.h"
+
+#include <crypto/crypters/aes_cbc_crypter.h>
+#include <crypto/crypters/des_crypter.h>
+
+
+ENUM_BEGIN(encryption_algorithm_names, ENCR_UNDEFINED, ENCR_UNDEFINED,
+ "UNDEFINED");
+ENUM_NEXT(encryption_algorithm_names, ENCR_DES_IV64, ENCR_DES_IV32, ENCR_UNDEFINED,
+ "DES_IV64",
+ "DES",
+ "3DES",
+ "RC5",
+ "IDEA",
+ "CAST",
+ "BLOWFISH",
+ "3IDEA",
+ "DES_IV32");
+ENUM_NEXT(encryption_algorithm_names, ENCR_NULL, ENCR_AES_CTR, ENCR_DES_IV32,
+ "NULL",
+ "AES_CBC",
+ "AES_CTR");
+ENUM_END(encryption_algorithm_names, ENCR_AES_CTR);
+
+/*
+ * Described in header.
+ */
+crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm, size_t key_size)
+{
+ switch (encryption_algorithm)
+ {
+ case ENCR_AES_CBC:
+ {
+ return (crypter_t*)aes_cbc_crypter_create(key_size);
+ }
+ case ENCR_DES:
+ case ENCR_3DES:
+ {
+ return (crypter_t*)des_crypter_create(encryption_algorithm);
+ }
+ default:
+ return NULL;
+ }
+}
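Review bot: The `case ENCR_DES:` branch of crypter_create() hands out single DES on the same path as 3DES, with no comment marking it as a legacy algorithm. Whether proposal selection elsewhere restricts it is not visible in this hunk, so the constraint is worth recording where the object is built, for example `/* single DES: interoperability only, must not be part of a default proposal */` above that case. The same branch drops key_size silently; crypter.h documents this, but a short `/* key_size ignored, fixed by algorithm */` next to the des_crypter_create() call would stop a reader from assuming a mismatch is rejected.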
diff --git a/src/libstrongswan/crypto/crypters/crypter.h b/src/libstrongswan/crypto/crypters/crypter.h
new file mode 100644
index 000000000..46d94ce93
--- /dev/null
+++ b/src/libstrongswan/crypto/crypters/crypter.h
@@ -0,0 +1,155 @@
+/**
+ * @file crypter.h
+ *
+ * @brief Interface crypter_t
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef CRYPTER_H_
+#define CRYPTER_H_
+
+typedef enum encryption_algorithm_t encryption_algorithm_t;
+typedef struct crypter_t crypter_t;
+
+#include <library.h>
+
+/**
+ * @brief Encryption algorithm, as in IKEv2 RFC 3.3.2.
+ *
+ * Currently only the following algorithms are implemented:
+ * - ENCR_AES_CBC
+ * - ENCR_DES
+ * - ENCR_3DES
+ *
+ * @ingroup crypters
+ */
+enum encryption_algorithm_t {
+ ENCR_UNDEFINED = 1024,
+ ENCR_DES_IV64 = 1,
+ /** Implemented in class des_crypter_t */
+ ENCR_DES = 2,
+ /** Implemented in class des_crypter_t */
+ ENCR_3DES = 3,
+ ENCR_RC5 = 4,
+ ENCR_IDEA = 5,
+ ENCR_CAST = 6,
+ ENCR_BLOWFISH = 7,
+ ENCR_3IDEA = 8,
+ ENCR_DES_IV32 = 9,
+ ENCR_NULL = 11,
+ /** Implemented in class aes_cbc_crypter_t */
+ ENCR_AES_CBC = 12,
+ ENCR_AES_CTR = 13
+};
+
+/**
+ * enum name for encryption_algorithm_t.
+ */
+extern enum_name_t *encryption_algorithm_names;
+
+/**
+ * @brief Generic interface for symmetric encryption algorithms.
+ *
+ * @b Constructors:
+ * - crypter_create()
+ *
+ * @ingroup crypters
+ */
+struct crypter_t {
+
+ /**
+ * @brief Encrypt a chunk of data and allocate space for the encrypted value.
+ *
+ * @param this calling object
+ * @param data data to encrypt
+ * @param iv initializing vector
+ * @param[out] encrypted pointer where the encrypted bytes will be written
+ * @return
+ * - SUCCESS
+ * - INVALID_ARG if data size not a multiple of block size
+ */
+ status_t (*encrypt) (crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted);
+
+ /**
+ * @brief Decrypt a chunk of data and allocate space for the decrypted value.
+ *
+ * @param this calling object
+ * @param data data to decrypt
+ * @param iv initializing vector
+ * @param[out] encrypted pointer where the decrypted bytes will be written
+ * @return
+ * - SUCCESS
+ * - INVALID_ARG if data size not a multiple of block size
+ */
+ status_t (*decrypt) (crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted);
+
+ /**
+ * @brief Get the block size of this crypter_t object.
+ *
+ * @param this calling object
+ * @return block size in bytes
+ */
+ size_t (*get_block_size) (crypter_t *this);
+
+ /**
+ * @brief Get the key size of this crypter_t object.
+ *
+ * @param this calling object
+ * @return key size in bytes
+ */
+ size_t (*get_key_size) (crypter_t *this);
+
+ /**
+ * @brief Set the key for this crypter_t object.
+ *
+ * @param this calling object
+ * @param key key to set
+ * @return
+ * - SUCCESS
+ * - INVALID_ARG if key length invalid
+ */
+ status_t (*set_key) (crypter_t *this, chunk_t key);
+
+ /**
+ * @brief Destroys a crypter_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (crypter_t *this);
+};
+
+/**
+ * @brief Generic constructor for crypter_t objects.
+ *
+ * Currently only the following algorithms are implemented:
+ * - ENCR_AES_CBC
+ * - ENCR_DES
+ * - ENCR_3DES
+ *
+ * The key_size is ignored for algorithms with fixed key size.
+ *
+ * @param encryption_algorithm Algorithm to use for crypter
+ * @param key_size size of the key in bytes
+ * @return
+ * - crypter_t object
+ * - NULL if encryption algorithm/key_size is not supported
+ */
+crypter_t *crypter_create(encryption_algorithm_t encryption_algorithm, size_t key_size);
+
+#endif /*CRYPTER_H_*/
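Review bot: The doc block for decrypt() names its output parameter `@param[out] encrypted`, but the prototype calls it `decrypted`; it should read `* @param[out] decrypted pointer where the decrypted bytes will be written`. Both encrypt() and decrypt() also list only SUCCESS and INVALID_ARG, while the AES implementation in this diff returns OUT_OF_RES when malloc fails, so each list needs `* - OUT_OF_RES if the output buffer could not be allocated`. The contract says nothing about the IV length, yet that implementation reads 16 bytes from iv.ptr without looking at iv.len, so a short IV chunk is an out-of-bounds read. I would document `* @param iv initializing vector, exactly get_block_size() bytes` and have implementations return INVALID_ARG otherwise. It would also help to state that the caller owns and must free the allocated output chunk.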
diff --git a/src/libstrongswan/crypto/crypters/des_crypter.c b/src/libstrongswan/crypto/crypters/des_crypter.c
new file mode 100644
index 000000000..dc5a8ff55
--- /dev/null
+++ b/src/libstrongswan/crypto/crypters/des_crypter.c
@@ -0,0 +1,1535 @@
+/**
+ * @file des_crypter.c
+ *
+ * @brief Implementation of des_crypter_t
+ *
+ */
+
+/* Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Derived from Plutos DES library by Eric Young.
+ *
+ * Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "des_crypter.h"
+
+typedef u_char des_cblock[8];
+
+typedef struct des_ks_struct {
+ des_cblock _;
+} des_key_schedule[16];
+
+
+typedef struct private_des_crypter_t private_des_crypter_t;
+
+/**
+ * Private data for des_crypter_t
+ */
+struct private_des_crypter_t {
+
+ /**
+ * Public part of this class.
+ */
+ des_crypter_t public;
+
+ /**
+ * Key size, depends on algoritm...
+ */
+ size_t key_size;
+
+ union {
+ /** key schedule for single des */
+ des_key_schedule ks;
+ /** key schedule for 3des */
+ des_key_schedule ks3[3];
+ };
+};
+
+
+#define DES_ENCRYPT 1
+#define DES_DECRYPT 0
+
+#define DES_LONG u_int32_t
+
+#if defined(WIN32) || defined(WIN16)
+#ifndef MSDOS
+#define MSDOS
+#endif
+#endif
+
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#define DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units. It reduces register dependancies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#define DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very mucy CPU dependant */
+#ifndef DES_UNROLL
+#define DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman <pgut001@cs.auckland.ac.nz>
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+ CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+ even newer MIPS CPU's, but at the moment one size fits all for
+ optimization options. Older Sparc's work better with only UNROLL, but
+ there's no way to tell at compile time what it is you're running on */
+
+#if defined( sun ) /* Newer Sparc's */
+#define DES_PTR
+#define DES_RISC1
+#define DES_UNROLL
+#elif defined( __ultrix ) /* Older MIPS */
+#define DES_PTR
+#define DES_RISC2
+#define DES_UNROLL
+#elif defined( __osf1__ ) /* Alpha */
+#define DES_PTR
+#define DES_RISC2
+#elif defined ( _AIX ) /* RS6000 */
+ /* Unknown */
+#elif defined( __hpux ) /* HP-PA */
+ /* Unknown */
+#elif defined( __aux ) /* 68K */
+ /* Unknown */
+#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */
+#define DES_UNROLL
+#elif defined( __sgi ) /* Newer MIPS */
+#define DES_PTR
+#define DES_RISC2
+#define DES_UNROLL
+#elif defined( i386 ) /* x86 boxes, should be gcc */
+#define DES_PTR
+#define DES_RISC1
+#define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+
+#ifdef MSDOS /* Visual C++ 2.1 (Windows NT/95) */
+#include <stdlib.h>
+#include <errno.h>
+#include <time.h>
+#include <io.h>
+#ifndef RAND
+#define RAND
+#endif
+#undef NOPROTO
+#endif
+
+#if defined(__STDC__) || defined(VMS) || defined(M_XENIX) || defined(MSDOS)
+#ifndef __KERNEL__
+#include <string.h>
+#else
+#include <linux/string.h>
+#endif
+#endif
+
+#ifndef RAND
+#define RAND
+#endif
+
+#ifdef linux
+#undef RAND
+#endif
+
+#ifdef MSDOS
+#define getpid() 2
+#define RAND
+#undef NOPROTO
+#endif
+
+#if defined(NOCONST)
+#define const
+#endif
+
+#ifdef __STDC__
+#undef NOPROTO
+#endif
+
+#ifdef RAND
+#define srandom(s) srand(s)
+#define random rand
+#endif
+
+#define ITERATIONS 16
+#define HALF_ITERATIONS 8
+
+/* used in des_read and des_write */
+#define MAXWRITE (1024*16)
+#define BSIZE (MAXWRITE+4)
+
+#define c2l(c,l) (l =((DES_LONG)(*((c)++))) , \
+ l|=((DES_LONG)(*((c)++)))<< 8L, \
+ l|=((DES_LONG)(*((c)++)))<<16L, \
+ l|=((DES_LONG)(*((c)++)))<<24L)
+
+/* NOTE - c is not incremented as per c2l */
+#define c2ln(c,l1,l2,n) { \
+ c+=n; \
+ l1=l2=0; \
+ switch (n) { \
+ case 8: l2 =((DES_LONG)(*(--(c))))<<24L; \
+ case 7: l2|=((DES_LONG)(*(--(c))))<<16L; \
+ case 6: l2|=((DES_LONG)(*(--(c))))<< 8L; \
+ case 5: l2|=((DES_LONG)(*(--(c)))); \
+ case 4: l1 =((DES_LONG)(*(--(c))))<<24L; \
+ case 3: l1|=((DES_LONG)(*(--(c))))<<16L; \
+ case 2: l1|=((DES_LONG)(*(--(c))))<< 8L; \
+ case 1: l1|=((DES_LONG)(*(--(c)))); \
+} \
+}
+
+#define l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \
+ *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>24L)&0xff))
+
+/* replacements for htonl and ntohl since I have no idea what to do
+ * when faced with machines with 8 byte longs. */
+#define HDRSIZE 4
+
+#define n2l(c,l) (l =((DES_LONG)(*((c)++)))<<24L, \
+ l|=((DES_LONG)(*((c)++)))<<16L, \
+ l|=((DES_LONG)(*((c)++)))<< 8L, \
+ l|=((DES_LONG)(*((c)++))))
+
+#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24L)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>16L)&0xff), \
+ *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
+ *((c)++)=(unsigned char)(((l) )&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#define l2cn(l1,l2,c,n) { \
+ c+=n; \
+ switch (n) { \
+ case 8: *(--(c))=(unsigned char)(((l2)>>24L)&0xff); \
+ case 7: *(--(c))=(unsigned char)(((l2)>>16L)&0xff); \
+ case 6: *(--(c))=(unsigned char)(((l2)>> 8L)&0xff); \
+ case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \
+ case 4: *(--(c))=(unsigned char)(((l1)>>24L)&0xff); \
+ case 3: *(--(c))=(unsigned char)(((l1)>>16L)&0xff); \
+ case 2: *(--(c))=(unsigned char)(((l1)>> 8L)&0xff); \
+ case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \
+} \
+}
+
+#if defined(WIN32)
+#define ROTATE(a,n) (_lrotr(a,n))
+#else
+#define ROTATE(a,n) (((a)>>(n))+((a)<<(32-(n))))
+#endif
+
+/* Don't worry about the LOAD_DATA() stuff, that is used by
+ * fcrypt() to add it's little bit to the front */
+
+#ifdef DES_FCRYPT
+
+#define LOAD_DATA_tmp(R,S,u,t,E0,E1) \
+{ DES_LONG tmp; LOAD_DATA(R,S,u,t,E0,E1,tmp); }
+
+#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \
+ t=R^(R>>16L); \
+ u=t&E0; t&=E1; \
+ tmp=(u<<16); u^=R^s[S ]; u^=tmp; \
+ tmp=(t<<16); t^=R^s[S+1]; t^=tmp
+#else
+#define LOAD_DATA_tmp(a,b,c,d,e,f) LOAD_DATA(a,b,c,d,e,f,g)
+#define LOAD_DATA(R,S,u,t,E0,E1,tmp) \
+ u=R^s[S ]; \
+ t=R^s[S+1]
+#endif
+
+/* The changes to this macro may help or hinder, depending on the
+ * compiler and the achitecture. gcc2 always seems to do well :-).
+ * Inspired by Dana How <how@isl.stanford.edu>
+ * DO NOT use the alternative version on machines with 8 byte longs.
+ * It does not seem to work on the Alpha, even when DES_LONG is 4
+ * bytes, probably an issue of accessing non-word aligned objects :-( */
+#ifdef DES_PTR
+
+/* It recently occured to me that 0^0^0^0^0^0^0 == 0, so there
+ * is no reason to not xor all the sub items together. This potentially
+ * saves a register since things can be xored directly into L */
+
+#if defined(DES_RISC1) || defined(DES_RISC2)
+#ifdef DES_RISC1
+#define D_ENCRYPT(LL,R,S) { \
+ unsigned int u1,u2,u3; \
+ LOAD_DATA(R,S,u,t,E0,E1,u1); \
+ u2=(int)u>>8L; \
+ u1=(int)u&0xfc; \
+ u2&=0xfc; \
+ t=ROTATE(t,4); \
+ u>>=16L; \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP +u1); \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP+0x200+u2); \
+ u3=(int)(u>>8L); \
+ u1=(int)u&0xfc; \
+ u3&=0xfc; \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP+0x400+u1); \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP+0x600+u3); \
+ u2=(int)t>>8L; \
+ u1=(int)t&0xfc; \
+ u2&=0xfc; \
+ t>>=16L; \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP+0x100+u1); \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP+0x300+u2); \
+ u3=(int)t>>8L; \
+ u1=(int)t&0xfc; \
+ u3&=0xfc; \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP+0x500+u1); \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP+0x700+u3); }
+#endif
+#ifdef DES_RISC2
+#define D_ENCRYPT(LL,R,S) { \
+ unsigned int u1,u2,s1,s2; \
+ LOAD_DATA(R,S,u,t,E0,E1,u1); \
+ u2=(int)u>>8L; \
+ u1=(int)u&0xfc; \
+ u2&=0xfc; \
+ t=ROTATE(t,4); \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP +u1); \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP+0x200+u2); \
+ s1=(int)(u>>16L); \
+ s2=(int)(u>>24L); \
+ s1&=0xfc; \
+ s2&=0xfc; \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP+0x400+s1); \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP+0x600+s2); \
+ u2=(int)t>>8L; \
+ u1=(int)t&0xfc; \
+ u2&=0xfc; \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP+0x100+u1); \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP+0x300+u2); \
+ s1=(int)(t>>16L); \
+ s2=(int)(t>>24L); \
+ s1&=0xfc; \
+ s2&=0xfc; \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP+0x500+s1); \
+ LL^= *(DES_LONG *)((unsigned char *)des_SP+0x700+s2); }
+#endif
+#else
+#define D_ENCRYPT(LL,R,S) { \
+ LOAD_DATA_tmp(R,S,u,t,E0,E1); \
+ t=ROTATE(t,4); \
+ LL^= \
+ *(DES_LONG *)((unsigned char *)des_SP +((u )&0xfc))^ \
+ *(DES_LONG *)((unsigned char *)des_SP+0x200+((u>> 8L)&0xfc))^ \
+ *(DES_LONG *)((unsigned char *)des_SP+0x400+((u>>16L)&0xfc))^ \
+ *(DES_LONG *)((unsigned char *)des_SP+0x600+((u>>24L)&0xfc))^ \
+ *(DES_LONG *)((unsigned char *)des_SP+0x100+((t )&0xfc))^ \
+ *(DES_LONG *)((unsigned char *)des_SP+0x300+((t>> 8L)&0xfc))^ \
+ *(DES_LONG *)((unsigned char *)des_SP+0x500+((t>>16L)&0xfc))^ \
+ *(DES_LONG *)((unsigned char *)des_SP+0x700+((t>>24L)&0xfc)); }
+#endif
+
+#else /* original version */
+
+#if defined(DES_RISC1) || defined(DES_RISC2)
+#ifdef DES_RISC1
+#define D_ENCRYPT(LL,R,S) {\
+ unsigned int u1,u2,u3; \
+ LOAD_DATA(R,S,u,t,E0,E1,u1); \
+ u>>=2L; \
+ t=ROTATE(t,6); \
+ u2=(int)u>>8L; \
+ u1=(int)u&0x3f; \
+ u2&=0x3f; \
+ u>>=16L; \
+ LL^=des_SPtrans[0][u1]; \
+ LL^=des_SPtrans[2][u2]; \
+ u3=(int)u>>8L; \
+ u1=(int)u&0x3f; \
+ u3&=0x3f; \
+ LL^=des_SPtrans[4][u1]; \
+ LL^=des_SPtrans[6][u3]; \
+ u2=(int)t>>8L; \
+ u1=(int)t&0x3f; \
+ u2&=0x3f; \
+ t>>=16L; \
+ LL^=des_SPtrans[1][u1]; \
+ LL^=des_SPtrans[3][u2]; \
+ u3=(int)t>>8L; \
+ u1=(int)t&0x3f; \
+ u3&=0x3f; \
+ LL^=des_SPtrans[5][u1]; \
+ LL^=des_SPtrans[7][u3]; }
+#endif
+#ifdef DES_RISC2
+#define D_ENCRYPT(LL,R,S) {\
+ unsigned int u1,u2,s1,s2; \
+ LOAD_DATA(R,S,u,t,E0,E1,u1); \
+ u>>=2L; \
+ t=ROTATE(t,6); \
+ u2=(int)u>>8L; \
+ u1=(int)u&0x3f; \
+ u2&=0x3f; \
+ LL^=des_SPtrans[0][u1]; \
+ LL^=des_SPtrans[2][u2]; \
+ s1=(int)u>>16L; \
+ s2=(int)u>>24L; \
+ s1&=0x3f; \
+ s2&=0x3f; \
+ LL^=des_SPtrans[4][s1]; \
+ LL^=des_SPtrans[6][s2]; \
+ u2=(int)t>>8L; \
+ u1=(int)t&0x3f; \
+ u2&=0x3f; \
+ LL^=des_SPtrans[1][u1]; \
+ LL^=des_SPtrans[3][u2]; \
+ s1=(int)t>>16; \
+ s2=(int)t>>24L; \
+ s1&=0x3f; \
+ s2&=0x3f; \
+ LL^=des_SPtrans[5][s1]; \
+ LL^=des_SPtrans[7][s2]; }
+#endif
+
+#else
+
+#define D_ENCRYPT(LL,R,S) {\
+ LOAD_DATA_tmp(R,S,u,t,E0,E1); \
+ t=ROTATE(t,4); \
+ LL^=\
+ des_SPtrans[0][(u>> 2L)&0x3f]^ \
+ des_SPtrans[2][(u>>10L)&0x3f]^ \
+ des_SPtrans[4][(u>>18L)&0x3f]^ \
+ des_SPtrans[6][(u>>26L)&0x3f]^ \
+ des_SPtrans[1][(t>> 2L)&0x3f]^ \
+ des_SPtrans[3][(t>>10L)&0x3f]^ \
+ des_SPtrans[5][(t>>18L)&0x3f]^ \
+ des_SPtrans[7][(t>>26L)&0x3f]; }
+#endif
+#endif
+
+ /* IP and FP
+ * The problem is more of a geometric problem that random bit fiddling.
+ 0 1 2 3 4 5 6 7 62 54 46 38 30 22 14 6
+ 8 9 10 11 12 13 14 15 60 52 44 36 28 20 12 4
+ 16 17 18 19 20 21 22 23 58 50 42 34 26 18 10 2
+ 24 25 26 27 28 29 30 31 to 56 48 40 32 24 16 8 0
+
+ 32 33 34 35 36 37 38 39 63 55 47 39 31 23 15 7
+ 40 41 42 43 44 45 46 47 61 53 45 37 29 21 13 5
+ 48 49 50 51 52 53 54 55 59 51 43 35 27 19 11 3
+ 56 57 58 59 60 61 62 63 57 49 41 33 25 17 9 1
+
+ The output has been subject to swaps of the form
+ 0 1 -> 3 1 but the odd and even bits have been put into
+ 2 3 2 0
+ different words. The main trick is to remember that
+ t=((l>>size)^r)&(mask);
+ r^=t;
+ l^=(t<<size);
+ can be used to swap and move bits between words.
+
+ So l = 0 1 2 3 r = 16 17 18 19
+ 4 5 6 7 20 21 22 23
+ 8 9 10 11 24 25 26 27
+ 12 13 14 15 28 29 30 31
+ becomes (for size == 2 and mask == 0x3333)
+ t = 2^16 3^17 -- -- l = 0 1 16 17 r = 2 3 18 19
+ 6^20 7^21 -- -- 4 5 20 21 6 7 22 23
+ 10^24 11^25 -- -- 8 9 24 25 10 11 24 25
+ 14^28 15^29 -- -- 12 13 28 29 14 15 28 29
+
+ Thanks for hints from Richard Outerbridge - he told me IP&FP
+ could be done in 15 xor, 10 shifts and 5 ands.
+ When I finally started to think of the problem in 2D
+ I first got ~42 operations without xors. When I remembered
+ how to use xors :-) I got it to its final state.
+ */
+#define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\
+ (b)^=(t),\
+ (a)^=((t)<<(n)))
+
+#define IP(l,r) \
+{ \
+ register DES_LONG tt; \
+ PERM_OP(r,l,tt, 4,0x0f0f0f0fL); \
+ PERM_OP(l,r,tt,16,0x0000ffffL); \
+ PERM_OP(r,l,tt, 2,0x33333333L); \
+ PERM_OP(l,r,tt, 8,0x00ff00ffL); \
+ PERM_OP(r,l,tt, 1,0x55555555L); \
+}
+
+#define FP(l,r) \
+{ \
+ register DES_LONG tt; \
+ PERM_OP(l,r,tt, 1,0x55555555L); \
+ PERM_OP(r,l,tt, 8,0x00ff00ffL); \
+ PERM_OP(l,r,tt, 2,0x33333333L); \
+ PERM_OP(r,l,tt,16,0x0000ffffL); \
+ PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
+}
+
+#ifndef NOPROTO
+void fcrypt_body(DES_LONG *out,des_key_schedule ks,
+ DES_LONG Eswap0, DES_LONG Eswap1);
+#else
+void fcrypt_body();
+#endif
+
+static const DES_LONG des_skb[8][64]={
+ { /* for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
+ 0x00000000L,0x00000010L,0x20000000L,0x20000010L,
+ 0x00010000L,0x00010010L,0x20010000L,0x20010010L,
+ 0x00000800L,0x00000810L,0x20000800L,0x20000810L,
+ 0x00010800L,0x00010810L,0x20010800L,0x20010810L,
+ 0x00000020L,0x00000030L,0x20000020L,0x20000030L,
+ 0x00010020L,0x00010030L,0x20010020L,0x20010030L,
+ 0x00000820L,0x00000830L,0x20000820L,0x20000830L,
+ 0x00010820L,0x00010830L,0x20010820L,0x20010830L,
+ 0x00080000L,0x00080010L,0x20080000L,0x20080010L,
+ 0x00090000L,0x00090010L,0x20090000L,0x20090010L,
+ 0x00080800L,0x00080810L,0x20080800L,0x20080810L,
+ 0x00090800L,0x00090810L,0x20090800L,0x20090810L,
+ 0x00080020L,0x00080030L,0x20080020L,0x20080030L,
+ 0x00090020L,0x00090030L,0x20090020L,0x20090030L,
+ 0x00080820L,0x00080830L,0x20080820L,0x20080830L,
+ 0x00090820L,0x00090830L,0x20090820L,0x20090830L,
+ },
+ { /* for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 */
+ 0x00000000L,0x02000000L,0x00002000L,0x02002000L,
+ 0x00200000L,0x02200000L,0x00202000L,0x02202000L,
+ 0x00000004L,0x02000004L,0x00002004L,0x02002004L,
+ 0x00200004L,0x02200004L,0x00202004L,0x02202004L,
+ 0x00000400L,0x02000400L,0x00002400L,0x02002400L,
+ 0x00200400L,0x02200400L,0x00202400L,0x02202400L,
+ 0x00000404L,0x02000404L,0x00002404L,0x02002404L,
+ 0x00200404L,0x02200404L,0x00202404L,0x02202404L,
+ 0x10000000L,0x12000000L,0x10002000L,0x12002000L,
+ 0x10200000L,0x12200000L,0x10202000L,0x12202000L,
+ 0x10000004L,0x12000004L,0x10002004L,0x12002004L,
+ 0x10200004L,0x12200004L,0x10202004L,0x12202004L,
+ 0x10000400L,0x12000400L,0x10002400L,0x12002400L,
+ 0x10200400L,0x12200400L,0x10202400L,0x12202400L,
+ 0x10000404L,0x12000404L,0x10002404L,0x12002404L,
+ 0x10200404L,0x12200404L,0x10202404L,0x12202404L,
+ },
+ { /* for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 */
+ 0x00000000L,0x00000001L,0x00040000L,0x00040001L,
+ 0x01000000L,0x01000001L,0x01040000L,0x01040001L,
+ 0x00000002L,0x00000003L,0x00040002L,0x00040003L,
+ 0x01000002L,0x01000003L,0x01040002L,0x01040003L,
+ 0x00000200L,0x00000201L,0x00040200L,0x00040201L,
+ 0x01000200L,0x01000201L,0x01040200L,0x01040201L,
+ 0x00000202L,0x00000203L,0x00040202L,0x00040203L,
+ 0x01000202L,0x01000203L,0x01040202L,0x01040203L,
+ 0x08000000L,0x08000001L,0x08040000L,0x08040001L,
+ 0x09000000L,0x09000001L,0x09040000L,0x09040001L,
+ 0x08000002L,0x08000003L,0x08040002L,0x08040003L,
+ 0x09000002L,0x09000003L,0x09040002L,0x09040003L,
+ 0x08000200L,0x08000201L,0x08040200L,0x08040201L,
+ 0x09000200L,0x09000201L,0x09040200L,0x09040201L,
+ 0x08000202L,0x08000203L,0x08040202L,0x08040203L,
+ 0x09000202L,0x09000203L,0x09040202L,0x09040203L,
+ },
+ { /* for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 */
+ 0x00000000L,0x00100000L,0x00000100L,0x00100100L,
+ 0x00000008L,0x00100008L,0x00000108L,0x00100108L,
+ 0x00001000L,0x00101000L,0x00001100L,0x00101100L,
+ 0x00001008L,0x00101008L,0x00001108L,0x00101108L,
+ 0x04000000L,0x04100000L,0x04000100L,0x04100100L,
+ 0x04000008L,0x04100008L,0x04000108L,0x04100108L,
+ 0x04001000L,0x04101000L,0x04001100L,0x04101100L,
+ 0x04001008L,0x04101008L,0x04001108L,0x04101108L,
+ 0x00020000L,0x00120000L,0x00020100L,0x00120100L,
+ 0x00020008L,0x00120008L,0x00020108L,0x00120108L,
+ 0x00021000L,0x00121000L,0x00021100L,0x00121100L,
+ 0x00021008L,0x00121008L,0x00021108L,0x00121108L,
+ 0x04020000L,0x04120000L,0x04020100L,0x04120100L,
+ 0x04020008L,0x04120008L,0x04020108L,0x04120108L,
+ 0x04021000L,0x04121000L,0x04021100L,0x04121100L,
+ 0x04021008L,0x04121008L,0x04021108L,0x04121108L,
+ },
+ { /* for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
+ 0x00000000L,0x10000000L,0x00010000L,0x10010000L,
+ 0x00000004L,0x10000004L,0x00010004L,0x10010004L,
+ 0x20000000L,0x30000000L,0x20010000L,0x30010000L,
+ 0x20000004L,0x30000004L,0x20010004L,0x30010004L,
+ 0x00100000L,0x10100000L,0x00110000L,0x10110000L,
+ 0x00100004L,0x10100004L,0x00110004L,0x10110004L,
+ 0x20100000L,0x30100000L,0x20110000L,0x30110000L,
+ 0x20100004L,0x30100004L,0x20110004L,0x30110004L,
+ 0x00001000L,0x10001000L,0x00011000L,0x10011000L,
+ 0x00001004L,0x10001004L,0x00011004L,0x10011004L,
+ 0x20001000L,0x30001000L,0x20011000L,0x30011000L,
+ 0x20001004L,0x30001004L,0x20011004L,0x30011004L,
+ 0x00101000L,0x10101000L,0x00111000L,0x10111000L,
+ 0x00101004L,0x10101004L,0x00111004L,0x10111004L,
+ 0x20101000L,0x30101000L,0x20111000L,0x30111000L,
+ 0x20101004L,0x30101004L,0x20111004L,0x30111004L,
+ },
+ { /* for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 */
+ 0x00000000L,0x08000000L,0x00000008L,0x08000008L,
+ 0x00000400L,0x08000400L,0x00000408L,0x08000408L,
+ 0x00020000L,0x08020000L,0x00020008L,0x08020008L,
+ 0x00020400L,0x08020400L,0x00020408L,0x08020408L,
+ 0x00000001L,0x08000001L,0x00000009L,0x08000009L,
+ 0x00000401L,0x08000401L,0x00000409L,0x08000409L,
+ 0x00020001L,0x08020001L,0x00020009L,0x08020009L,
+ 0x00020401L,0x08020401L,0x00020409L,0x08020409L,
+ 0x02000000L,0x0A000000L,0x02000008L,0x0A000008L,
+ 0x02000400L,0x0A000400L,0x02000408L,0x0A000408L,
+ 0x02020000L,0x0A020000L,0x02020008L,0x0A020008L,
+ 0x02020400L,0x0A020400L,0x02020408L,0x0A020408L,
+ 0x02000001L,0x0A000001L,0x02000009L,0x0A000009L,
+ 0x02000401L,0x0A000401L,0x02000409L,0x0A000409L,
+ 0x02020001L,0x0A020001L,0x02020009L,0x0A020009L,
+ 0x02020401L,0x0A020401L,0x02020409L,0x0A020409L,
+ },
+ { /* for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 */
+ 0x00000000L,0x00000100L,0x00080000L,0x00080100L,
+ 0x01000000L,0x01000100L,0x01080000L,0x01080100L,
+ 0x00000010L,0x00000110L,0x00080010L,0x00080110L,
+ 0x01000010L,0x01000110L,0x01080010L,0x01080110L,
+ 0x00200000L,0x00200100L,0x00280000L,0x00280100L,
+ 0x01200000L,0x01200100L,0x01280000L,0x01280100L,
+ 0x00200010L,0x00200110L,0x00280010L,0x00280110L,
+ 0x01200010L,0x01200110L,0x01280010L,0x01280110L,
+ 0x00000200L,0x00000300L,0x00080200L,0x00080300L,
+ 0x01000200L,0x01000300L,0x01080200L,0x01080300L,
+ 0x00000210L,0x00000310L,0x00080210L,0x00080310L,
+ 0x01000210L,0x01000310L,0x01080210L,0x01080310L,
+ 0x00200200L,0x00200300L,0x00280200L,0x00280300L,
+ 0x01200200L,0x01200300L,0x01280200L,0x01280300L,
+ 0x00200210L,0x00200310L,0x00280210L,0x00280310L,
+ 0x01200210L,0x01200310L,0x01280210L,0x01280310L,
+ },
+ { /* for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 */
+ 0x00000000L,0x04000000L,0x00040000L,0x04040000L,
+ 0x00000002L,0x04000002L,0x00040002L,0x04040002L,
+ 0x00002000L,0x04002000L,0x00042000L,0x04042000L,
+ 0x00002002L,0x04002002L,0x00042002L,0x04042002L,
+ 0x00000020L,0x04000020L,0x00040020L,0x04040020L,
+ 0x00000022L,0x04000022L,0x00040022L,0x04040022L,
+ 0x00002020L,0x04002020L,0x00042020L,0x04042020L,
+ 0x00002022L,0x04002022L,0x00042022L,0x04042022L,
+ 0x00000800L,0x04000800L,0x00040800L,0x04040800L,
+ 0x00000802L,0x04000802L,0x00040802L,0x04040802L,
+ 0x00002800L,0x04002800L,0x00042800L,0x04042800L,
+ 0x00002802L,0x04002802L,0x00042802L,0x04042802L,
+ 0x00000820L,0x04000820L,0x00040820L,0x04040820L,
+ 0x00000822L,0x04000822L,0x00040822L,0x04040822L,
+ 0x00002820L,0x04002820L,0x00042820L,0x04042820L,
+ 0x00002822L,0x04002822L,0x00042822L,0x04042822L,
+ }
+};
+
+const DES_LONG des_SPtrans[8][64]={
+ {
+ /* nibble 0 */
+ 0x02080800L, 0x00080000L, 0x02000002L, 0x02080802L,
+ 0x02000000L, 0x00080802L, 0x00080002L, 0x02000002L,
+ 0x00080802L, 0x02080800L, 0x02080000L, 0x00000802L,
+ 0x02000802L, 0x02000000L, 0x00000000L, 0x00080002L,
+ 0x00080000L, 0x00000002L, 0x02000800L, 0x00080800L,
+ 0x02080802L, 0x02080000L, 0x00000802L, 0x02000800L,
+ 0x00000002L, 0x00000800L, 0x00080800L, 0x02080002L,
+ 0x00000800L, 0x02000802L, 0x02080002L, 0x00000000L,
+ 0x00000000L, 0x02080802L, 0x02000800L, 0x00080002L,
+ 0x02080800L, 0x00080000L, 0x00000802L, 0x02000800L,
+ 0x02080002L, 0x00000800L, 0x00080800L, 0x02000002L,
+ 0x00080802L, 0x00000002L, 0x02000002L, 0x02080000L,
+ 0x02080802L, 0x00080800L, 0x02080000L, 0x02000802L,
+ 0x02000000L, 0x00000802L, 0x00080002L, 0x00000000L,
+ 0x00080000L, 0x02000000L, 0x02000802L, 0x02080800L,
+ 0x00000002L, 0x02080002L, 0x00000800L, 0x00080802L,
+ },
+ { /* nibble 1 */
+ 0x40108010L, 0x00000000L, 0x00108000L, 0x40100000L,
+ 0x40000010L, 0x00008010L, 0x40008000L, 0x00108000L,
+ 0x00008000L, 0x40100010L, 0x00000010L, 0x40008000L,
+ 0x00100010L, 0x40108000L, 0x40100000L, 0x00000010L,
+ 0x00100000L, 0x40008010L, 0x40100010L, 0x00008000L,
+ 0x00108010L, 0x40000000L, 0x00000000L, 0x00100010L,
+ 0x40008010L, 0x00108010L, 0x40108000L, 0x40000010L,
+ 0x40000000L, 0x00100000L, 0x00008010L, 0x40108010L,
+ 0x00100010L, 0x40108000L, 0x40008000L, 0x00108010L,
+ 0x40108010L, 0x00100010L, 0x40000010L, 0x00000000L,
+ 0x40000000L, 0x00008010L, 0x00100000L, 0x40100010L,
+ 0x00008000L, 0x40000000L, 0x00108010L, 0x40008010L,
+ 0x40108000L, 0x00008000L, 0x00000000L, 0x40000010L,
+ 0x00000010L, 0x40108010L, 0x00108000L, 0x40100000L,
+ 0x40100010L, 0x00100000L, 0x00008010L, 0x40008000L,
+ 0x40008010L, 0x00000010L, 0x40100000L, 0x00108000L,
+ },
+ { /* nibble 2 */
+ 0x04000001L, 0x04040100L, 0x00000100L, 0x04000101L,
+ 0x00040001L, 0x04000000L, 0x04000101L, 0x00040100L,
+ 0x04000100L, 0x00040000L, 0x04040000L, 0x00000001L,
+ 0x04040101L, 0x00000101L, 0x00000001L, 0x04040001L,
+ 0x00000000L, 0x00040001L, 0x04040100L, 0x00000100L,
+ 0x00000101L, 0x04040101L, 0x00040000L, 0x04000001L,
+ 0x04040001L, 0x04000100L, 0x00040101L, 0x04040000L,
+ 0x00040100L, 0x00000000L, 0x04000000L, 0x00040101L,
+ 0x04040100L, 0x00000100L, 0x00000001L, 0x00040000L,
+ 0x00000101L, 0x00040001L, 0x04040000L, 0x04000101L,
+ 0x00000000L, 0x04040100L, 0x00040100L, 0x04040001L,
+ 0x00040001L, 0x04000000L, 0x04040101L, 0x00000001L,
+ 0x00040101L, 0x04000001L, 0x04000000L, 0x04040101L,
+ 0x00040000L, 0x04000100L, 0x04000101L, 0x00040100L,
+ 0x04000100L, 0x00000000L, 0x04040001L, 0x00000101L,
+ 0x04000001L, 0x00040101L, 0x00000100L, 0x04040000L,
+ },
+ { /* nibble 3 */
+ 0x00401008L, 0x10001000L, 0x00000008L, 0x10401008L,
+ 0x00000000L, 0x10400000L, 0x10001008L, 0x00400008L,
+ 0x10401000L, 0x10000008L, 0x10000000L, 0x00001008L,
+ 0x10000008L, 0x00401008L, 0x00400000L, 0x10000000L,
+ 0x10400008L, 0x00401000L, 0x00001000L, 0x00000008L,
+ 0x00401000L, 0x10001008L, 0x10400000L, 0x00001000L,
+ 0x00001008L, 0x00000000L, 0x00400008L, 0x10401000L,
+ 0x10001000L, 0x10400008L, 0x10401008L, 0x00400000L,
+ 0x10400008L, 0x00001008L, 0x00400000L, 0x10000008L,
+ 0x00401000L, 0x10001000L, 0x00000008L, 0x10400000L,
+ 0x10001008L, 0x00000000L, 0x00001000L, 0x00400008L,
+ 0x00000000L, 0x10400008L, 0x10401000L, 0x00001000L,
+ 0x10000000L, 0x10401008L, 0x00401008L, 0x00400000L,
+ 0x10401008L, 0x00000008L, 0x10001000L, 0x00401008L,
+ 0x00400008L, 0x00401000L, 0x10400000L, 0x10001008L,
+ 0x00001008L, 0x10000000L, 0x10000008L, 0x10401000L,
+ },
+ { /* nibble 4 */
+ 0x08000000L, 0x00010000L, 0x00000400L, 0x08010420L,
+ 0x08010020L, 0x08000400L, 0x00010420L, 0x08010000L,
+ 0x00010000L, 0x00000020L, 0x08000020L, 0x00010400L,
+ 0x08000420L, 0x08010020L, 0x08010400L, 0x00000000L,
+ 0x00010400L, 0x08000000L, 0x00010020L, 0x00000420L,
+ 0x08000400L, 0x00010420L, 0x00000000L, 0x08000020L,
+ 0x00000020L, 0x08000420L, 0x08010420L, 0x00010020L,
+ 0x08010000L, 0x00000400L, 0x00000420L, 0x08010400L,
+ 0x08010400L, 0x08000420L, 0x00010020L, 0x08010000L,
+ 0x00010000L, 0x00000020L, 0x08000020L, 0x08000400L,
+ 0x08000000L, 0x00010400L, 0x08010420L, 0x00000000L,
+ 0x00010420L, 0x08000000L, 0x00000400L, 0x00010020L,
+ 0x08000420L, 0x00000400L, 0x00000000L, 0x08010420L,
+ 0x08010020L, 0x08010400L, 0x00000420L, 0x00010000L,
+ 0x00010400L, 0x08010020L, 0x08000400L, 0x00000420L,
+ 0x00000020L, 0x00010420L, 0x08010000L, 0x08000020L,
+ },
+ { /* nibble 5 */
+ 0x80000040L, 0x00200040L, 0x00000000L, 0x80202000L,
+ 0x00200040L, 0x00002000L, 0x80002040L, 0x00200000L,
+ 0x00002040L, 0x80202040L, 0x00202000L, 0x80000000L,
+ 0x80002000L, 0x80000040L, 0x80200000L, 0x00202040L,
+ 0x00200000L, 0x80002040L, 0x80200040L, 0x00000000L,
+ 0x00002000L, 0x00000040L, 0x80202000L, 0x80200040L,
+ 0x80202040L, 0x80200000L, 0x80000000L, 0x00002040L,
+ 0x00000040L, 0x00202000L, 0x00202040L, 0x80002000L,
+ 0x00002040L, 0x80000000L, 0x80002000L, 0x00202040L,
+ 0x80202000L, 0x00200040L, 0x00000000L, 0x80002000L,
+ 0x80000000L, 0x00002000L, 0x80200040L, 0x00200000L,
+ 0x00200040L, 0x80202040L, 0x00202000L, 0x00000040L,
+ 0x80202040L, 0x00202000L, 0x00200000L, 0x80002040L,
+ 0x80000040L, 0x80200000L, 0x00202040L, 0x00000000L,
+ 0x00002000L, 0x80000040L, 0x80002040L, 0x80202000L,
+ 0x80200000L, 0x00002040L, 0x00000040L, 0x80200040L,
+ },
+ { /* nibble 6 */
+ 0x00004000L, 0x00000200L, 0x01000200L, 0x01000004L,
+ 0x01004204L, 0x00004004L, 0x00004200L, 0x00000000L,
+ 0x01000000L, 0x01000204L, 0x00000204L, 0x01004000L,
+ 0x00000004L, 0x01004200L, 0x01004000L, 0x00000204L,
+ 0x01000204L, 0x00004000L, 0x00004004L, 0x01004204L,
+ 0x00000000L, 0x01000200L, 0x01000004L, 0x00004200L,
+ 0x01004004L, 0x00004204L, 0x01004200L, 0x00000004L,
+ 0x00004204L, 0x01004004L, 0x00000200L, 0x01000000L,
+ 0x00004204L, 0x01004000L, 0x01004004L, 0x00000204L,
+ 0x00004000L, 0x00000200L, 0x01000000L, 0x01004004L,
+ 0x01000204L, 0x00004204L, 0x00004200L, 0x00000000L,
+ 0x00000200L, 0x01000004L, 0x00000004L, 0x01000200L,
+ 0x00000000L, 0x01000204L, 0x01000200L, 0x00004200L,
+ 0x00000204L, 0x00004000L, 0x01004204L, 0x01000000L,
+ 0x01004200L, 0x00000004L, 0x00004004L, 0x01004204L,
+ 0x01000004L, 0x01004200L, 0x01004000L, 0x00004004L,
+ },
+ { /* nibble 7 */
+ 0x20800080L, 0x20820000L, 0x00020080L, 0x00000000L,
+ 0x20020000L, 0x00800080L, 0x20800000L, 0x20820080L,
+ 0x00000080L, 0x20000000L, 0x00820000L, 0x00020080L,
+ 0x00820080L, 0x20020080L, 0x20000080L, 0x20800000L,
+ 0x00020000L, 0x00820080L, 0x00800080L, 0x20020000L,
+ 0x20820080L, 0x20000080L, 0x00000000L, 0x00820000L,
+ 0x20000000L, 0x00800000L, 0x20020080L, 0x20800080L,
+ 0x00800000L, 0x00020000L, 0x20820000L, 0x00000080L,
+ 0x00800000L, 0x00020000L, 0x20000080L, 0x20820080L,
+ 0x00020080L, 0x20000000L, 0x00000000L, 0x00820000L,
+ 0x20800080L, 0x20020080L, 0x20020000L, 0x00800080L,
+ 0x20820000L, 0x00000080L, 0x00800080L, 0x20020000L,
+ 0x20820080L, 0x00800000L, 0x20800000L, 0x20000080L,
+ 0x00820000L, 0x00020080L, 0x20020080L, 0x20800000L,
+ 0x00000080L, 0x20820000L, 0x00820080L, 0x00000000L,
+ 0x20000000L, 0x20800080L, 0x00020000L, 0x00820080L,
+ }
+};
+
+#define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\
+ (a)=(a)^(t)^(t>>(16-(n))))
+
+static const unsigned char odd_parity[256]={
+ 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
+ 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
+ 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
+ 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
+ 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
+ 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
+ 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
+ 112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
+ 128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
+ 145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
+ 161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
+ 176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
+ 193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
+ 208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
+ 224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
+ 241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
+};
+
+/**
+ * Create key schedule for a single DES 64Bit key
+ */
+static int des_set_key(des_cblock *key, des_key_schedule *schedule)
+{
+ static int shifts2[16] = {0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
+ register DES_LONG c,d,t,s,t2;
+ register unsigned char *in;
+ register DES_LONG *k;
+ register int i;
+
+ for (i = 0; i < sizeof(des_cblock); i++)
+ {
+ (*key)[i] = odd_parity[(*key)[i]];
+ }
+
+ k=(DES_LONG *)schedule;
+ in=(unsigned char *)key;
+
+ c2l(in,c);
+ c2l(in,d);
+
+ /* do PC1 in 60 simple operations */
+/* PERM_OP(d,c,t,4,0x0f0f0f0fL);
+ HPERM_OP(c,t,-2, 0xcccc0000L);
+ HPERM_OP(c,t,-1, 0xaaaa0000L);
+ HPERM_OP(c,t, 8, 0x00ff0000L);
+ HPERM_OP(c,t,-1, 0xaaaa0000L);
+ HPERM_OP(d,t,-8, 0xff000000L);
+ HPERM_OP(d,t, 8, 0x00ff0000L);
+ HPERM_OP(d,t, 2, 0x33330000L);
+ d=((d&0x00aa00aaL)<<7L)|((d&0x55005500L)>>7L)|(d&0xaa55aa55L);
+ d=(d>>8)|((c&0xf0000000L)>>4);
+ c&=0x0fffffffL; */
+
+ /* I now do it in 47 simple operations :-)
+ * Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)
+ * for the inspiration. :-) */
+ PERM_OP (d,c,t,4,0x0f0f0f0fL);
+ HPERM_OP(c,t,-2,0xcccc0000L);
+ HPERM_OP(d,t,-2,0xcccc0000L);
+ PERM_OP (d,c,t,1,0x55555555L);
+ PERM_OP (c,d,t,8,0x00ff00ffL);
+ PERM_OP (d,c,t,1,0x55555555L);
+ d= (((d&0x000000ffL)<<16L)| (d&0x0000ff00L) |
+ ((d&0x00ff0000L)>>16L)|((c&0xf0000000L)>>4L));
+ c&=0x0fffffffL;
+
+ for (i=0; i<ITERATIONS; i++)
+ {
+ if (shifts2[i])
+ { c=((c>>2L)|(c<<26L)); d=((d>>2L)|(d<<26L)); }
+ else
+ { c=((c>>1L)|(c<<27L)); d=((d>>1L)|(d<<27L)); }
+ c&=0x0fffffffL;
+ d&=0x0fffffffL;
+ /* could be a few less shifts but I am to lazy at this
+ * point in time to investigate */
+ s= des_skb[0][ (c )&0x3f ]|
+ des_skb[1][((c>> 6)&0x03)|((c>> 7L)&0x3c)]|
+ des_skb[2][((c>>13)&0x0f)|((c>>14L)&0x30)]|
+ des_skb[3][((c>>20)&0x01)|((c>>21L)&0x06) |
+ ((c>>22L)&0x38)];
+ t= des_skb[4][ (d )&0x3f ]|
+ des_skb[5][((d>> 7L)&0x03)|((d>> 8L)&0x3c)]|
+ des_skb[6][ (d>>15L)&0x3f ]|
+ des_skb[7][((d>>21L)&0x0f)|((d>>22L)&0x30)];
+
+ /* table contained 0213 4657 */
+ t2=((t<<16L)|(s&0x0000ffffL))&0xffffffffL;
+ *(k++)=ROTATE(t2,30)&0xffffffffL;
+
+ t2=((s>>16L)|(t&0xffff0000L));
+ *(k++)=ROTATE(t2,26)&0xffffffffL;
+ }
+ return(0);
+}
+
+
+static void des_encrypt(DES_LONG *data, des_key_schedule ks, int enc)
+{
+ register DES_LONG l,r,t,u;
+#ifdef DES_PTR
+ register unsigned char *des_SP=(unsigned char *)des_SPtrans;
+#endif
+#ifndef DES_UNROLL
+ register int i;
+#endif
+ register DES_LONG *s;
+
+ r=data[0];
+ l=data[1];
+
+ IP(r,l);
+ /* Things have been modified so that the initial rotate is
+ * done outside the loop. This required the
+ * des_SPtrans values in sp.h to be rotated 1 bit to the right.
+ * One perl script later and things have a 5% speed up on a sparc2.
+ * Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
+ * for pointing this out. */
+ /* clear the top bits on machines with 8byte longs */
+ /* shift left by 2 */
+ r=ROTATE(r,29)&0xffffffffL;
+ l=ROTATE(l,29)&0xffffffffL;
+
+ s=(DES_LONG *)ks;
+ /* I don't know if it is worth the effort of loop unrolling the
+ * inner loop */
+ if (enc)
+ {
+#ifdef DES_UNROLL
+ D_ENCRYPT(l,r, 0); /* 1 */
+ D_ENCRYPT(r,l, 2); /* 2 */
+ D_ENCRYPT(l,r, 4); /* 3 */
+ D_ENCRYPT(r,l, 6); /* 4 */
+ D_ENCRYPT(l,r, 8); /* 5 */
+ D_ENCRYPT(r,l,10); /* 6 */
+ D_ENCRYPT(l,r,12); /* 7 */
+ D_ENCRYPT(r,l,14); /* 8 */
+ D_ENCRYPT(l,r,16); /* 9 */
+ D_ENCRYPT(r,l,18); /* 10 */
+ D_ENCRYPT(l,r,20); /* 11 */
+ D_ENCRYPT(r,l,22); /* 12 */
+ D_ENCRYPT(l,r,24); /* 13 */
+ D_ENCRYPT(r,l,26); /* 14 */
+ D_ENCRYPT(l,r,28); /* 15 */
+ D_ENCRYPT(r,l,30); /* 16 */
+#else
+ for (i=0; i<32; i+=8)
+{
+ D_ENCRYPT(l,r,i+0); /* 1 */
+ D_ENCRYPT(r,l,i+2); /* 2 */
+ D_ENCRYPT(l,r,i+4); /* 3 */
+ D_ENCRYPT(r,l,i+6); /* 4 */
+}
+#endif
+ }
+ else
+{
+#ifdef DES_UNROLL
+ D_ENCRYPT(l,r,30); /* 16 */
+ D_ENCRYPT(r,l,28); /* 15 */
+ D_ENCRYPT(l,r,26); /* 14 */
+ D_ENCRYPT(r,l,24); /* 13 */
+ D_ENCRYPT(l,r,22); /* 12 */
+ D_ENCRYPT(r,l,20); /* 11 */
+ D_ENCRYPT(l,r,18); /* 10 */
+ D_ENCRYPT(r,l,16); /* 9 */
+ D_ENCRYPT(l,r,14); /* 8 */
+ D_ENCRYPT(r,l,12); /* 7 */
+ D_ENCRYPT(l,r,10); /* 6 */
+ D_ENCRYPT(r,l, 8); /* 5 */
+ D_ENCRYPT(l,r, 6); /* 4 */
+ D_ENCRYPT(r,l, 4); /* 3 */
+ D_ENCRYPT(l,r, 2); /* 2 */
+ D_ENCRYPT(r,l, 0); /* 1 */
+#else
+ for (i=30; i>0; i-=8)
+{
+ D_ENCRYPT(l,r,i-0); /* 16 */
+ D_ENCRYPT(r,l,i-2); /* 15 */
+ D_ENCRYPT(l,r,i-4); /* 14 */
+ D_ENCRYPT(r,l,i-6); /* 13 */
+}
+#endif
+}
+
+ /* rotate and clear the top bits on machines with 8byte longs */
+ l=ROTATE(l,3)&0xffffffffL;
+ r=ROTATE(r,3)&0xffffffffL;
+
+ FP(r,l);
+ data[0]=l;
+ data[1]=r;
+ l=r=t=u=0;
+}
+
+/**
+ * DES CBC encrypt decrypt routine
+ */
+static void des_cbc_encrypt(des_cblock *input, des_cblock *output, long length,
+ des_key_schedule schedule, des_cblock *ivec, int enc)
+{
+ register DES_LONG tin0,tin1;
+ register DES_LONG tout0,tout1,xor0,xor1;
+ register unsigned char *in,*out;
+ register long l=length;
+ DES_LONG tin[2];
+ unsigned char *iv;
+
+ in=(unsigned char *)input;
+ out=(unsigned char *)output;
+ iv=(unsigned char *)ivec;
+
+ if (enc)
+ {
+ c2l(iv,tout0);
+ c2l(iv,tout1);
+ for (l-=8; l>=0; l-=8)
+ {
+ c2l(in,tin0);
+ c2l(in,tin1);
+ tin0^=tout0; tin[0]=tin0;
+ tin1^=tout1; tin[1]=tin1;
+ des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+ tout0=tin[0]; l2c(tout0,out);
+ tout1=tin[1]; l2c(tout1,out);
+ }
+ if (l != -8)
+ {
+ c2ln(in,tin0,tin1,l+8);
+ tin0^=tout0; tin[0]=tin0;
+ tin1^=tout1; tin[1]=tin1;
+ des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT);
+ tout0=tin[0]; l2c(tout0,out);
+ tout1=tin[1]; l2c(tout1,out);
+ }
+ }
+ else
+ {
+ c2l(iv,xor0);
+ c2l(iv,xor1);
+ for (l-=8; l>=0; l-=8)
+ {
+ c2l(in,tin0); tin[0]=tin0;
+ c2l(in,tin1); tin[1]=tin1;
+ des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
+ tout0=tin[0]^xor0;
+ tout1=tin[1]^xor1;
+ l2c(tout0,out);
+ l2c(tout1,out);
+ xor0=tin0;
+ xor1=tin1;
+ }
+ if (l != -8)
+ {
+ c2l(in,tin0); tin[0]=tin0;
+ c2l(in,tin1); tin[1]=tin1;
+ des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT);
+ tout0=tin[0]^xor0;
+ tout1=tin[1]^xor1;
+ l2cn(tout0,tout1,out,l+8);
+ /* xor0=tin0;
+ xor1=tin1; */
+ }
+ }
+ tin0=tin1=tout0=tout1=xor0=xor1=0;
+ tin[0]=tin[1]=0;
+}
+
+static void des_encrypt2(DES_LONG *data, des_key_schedule ks, int enc)
+{
+ register DES_LONG l,r,t,u;
+#ifdef DES_PTR
+ register unsigned char *des_SP=(unsigned char *)des_SPtrans;
+#endif
+#ifndef DES_UNROLL
+ register int i;
+#endif
+ register DES_LONG *s;
+
+ r=data[0];
+ l=data[1];
+
+ /* Things have been modified so that the initial rotate is
+ * done outside the loop. This required the
+ * des_SPtrans values in sp.h to be rotated 1 bit to the right.
+ * One perl script later and things have a 5% speed up on a sparc2.
+ * Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
+ * for pointing this out.
+ * clear the top bits on machines with 8byte longs */
+ r=ROTATE(r,29)&0xffffffffL;
+ l=ROTATE(l,29)&0xffffffffL;
+
+ s=(DES_LONG *)ks;
+ /* I don't know if it is worth the effort of loop unrolling the
+ * inner loop */
+ if (enc)
+ {
+#ifdef DES_UNROLL
+ D_ENCRYPT(l,r, 0); /* 1 */
+ D_ENCRYPT(r,l, 2); /* 2 */
+ D_ENCRYPT(l,r, 4); /* 3 */
+ D_ENCRYPT(r,l, 6); /* 4 */
+ D_ENCRYPT(l,r, 8); /* 5 */
+ D_ENCRYPT(r,l,10); /* 6 */
+ D_ENCRYPT(l,r,12); /* 7 */
+ D_ENCRYPT(r,l,14); /* 8 */
+ D_ENCRYPT(l,r,16); /* 9 */
+ D_ENCRYPT(r,l,18); /* 10 */
+ D_ENCRYPT(l,r,20); /* 11 */
+ D_ENCRYPT(r,l,22); /* 12 */
+ D_ENCRYPT(l,r,24); /* 13 */
+ D_ENCRYPT(r,l,26); /* 14 */
+ D_ENCRYPT(l,r,28); /* 15 */
+ D_ENCRYPT(r,l,30); /* 16 */
+#else
+ for (i=0; i<32; i+=8)
+{
+ D_ENCRYPT(l,r,i+0); /* 1 */
+ D_ENCRYPT(r,l,i+2); /* 2 */
+ D_ENCRYPT(l,r,i+4); /* 3 */
+ D_ENCRYPT(r,l,i+6); /* 4 */
+}
+#endif
+ }
+ else
+{
+#ifdef DES_UNROLL
+ D_ENCRYPT(l,r,30); /* 16 */
+ D_ENCRYPT(r,l,28); /* 15 */
+ D_ENCRYPT(l,r,26); /* 14 */
+ D_ENCRYPT(r,l,24); /* 13 */
+ D_ENCRYPT(l,r,22); /* 12 */
+ D_ENCRYPT(r,l,20); /* 11 */
+ D_ENCRYPT(l,r,18); /* 10 */
+ D_ENCRYPT(r,l,16); /* 9 */
+ D_ENCRYPT(l,r,14); /* 8 */
+ D_ENCRYPT(r,l,12); /* 7 */
+ D_ENCRYPT(l,r,10); /* 6 */
+ D_ENCRYPT(r,l, 8); /* 5 */
+ D_ENCRYPT(l,r, 6); /* 4 */
+ D_ENCRYPT(r,l, 4); /* 3 */
+ D_ENCRYPT(l,r, 2); /* 2 */
+ D_ENCRYPT(r,l, 0); /* 1 */
+#else
+ for (i=30; i>0; i-=8)
+{
+ D_ENCRYPT(l,r,i-0); /* 16 */
+ D_ENCRYPT(r,l,i-2); /* 15 */
+ D_ENCRYPT(l,r,i-4); /* 14 */
+ D_ENCRYPT(r,l,i-6); /* 13 */
+}
+#endif
+}
+ /* rotate and clear the top bits on machines with 8byte longs */
+ data[0]=ROTATE(l,3)&0xffffffffL;
+ data[1]=ROTATE(r,3)&0xffffffffL;
+ l=r=t=u=0;
+}
+
+/**
+ * Single block 3DES EDE encrypt routine
+ */
+static void des_encrypt3(DES_LONG *data, des_key_schedule ks1,
+ des_key_schedule ks2, des_key_schedule ks3)
+{
+ register DES_LONG l,r;
+
+ l=data[0];
+ r=data[1];
+ IP(l,r);
+ data[0]=l;
+ data[1]=r;
+ des_encrypt2((DES_LONG *)data,ks1,DES_ENCRYPT);
+ des_encrypt2((DES_LONG *)data,ks2,DES_DECRYPT);
+ des_encrypt2((DES_LONG *)data,ks3,DES_ENCRYPT);
+ l=data[0];
+ r=data[1];
+ FP(r,l);
+ data[0]=l;
+ data[1]=r;
+}
+
+/**
+ * Single block 3DES EDE decrypt routine
+ */
+static void des_decrypt3(DES_LONG *data, des_key_schedule ks1,
+ des_key_schedule ks2, des_key_schedule ks3)
+{
+ register DES_LONG l,r;
+
+ l=data[0];
+ r=data[1];
+ IP(l,r);
+ data[0]=l;
+ data[1]=r;
+ des_encrypt2((DES_LONG *)data,ks3,DES_DECRYPT);
+ des_encrypt2((DES_LONG *)data,ks2,DES_ENCRYPT);
+ des_encrypt2((DES_LONG *)data,ks1,DES_DECRYPT);
+ l=data[0];
+ r=data[1];
+ FP(r,l);
+ data[0]=l;
+ data[1]=r;
+}
+
+/**
+ * 3DES EDE CBC encrypt/decrypt routine
+ */
+static void des_ede3_cbc_encrypt(des_cblock *input, des_cblock *output, long length,
+ des_key_schedule ks1, des_key_schedule ks2,
+ des_key_schedule ks3, des_cblock *ivec, int enc)
+{
+ register DES_LONG tin0,tin1;
+ register DES_LONG tout0,tout1,xor0,xor1;
+ register unsigned char *in,*out;
+ register long l=length;
+ DES_LONG tin[2];
+ unsigned char *iv;
+
+ in=(unsigned char *)input;
+ out=(unsigned char *)output;
+ iv=(unsigned char *)ivec;
+
+ if (enc)
+ {
+ c2l(iv,tout0);
+ c2l(iv,tout1);
+ for (l-=8; l>=0; l-=8)
+ {
+ c2l(in,tin0);
+ c2l(in,tin1);
+ tin0^=tout0;
+ tin1^=tout1;
+
+ tin[0]=tin0;
+ tin[1]=tin1;
+ des_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+ tout0=tin[0];
+ tout1=tin[1];
+
+ l2c(tout0,out);
+ l2c(tout1,out);
+ }
+ if (l != -8)
+ {
+ c2ln(in,tin0,tin1,l+8);
+ tin0^=tout0;
+ tin1^=tout1;
+
+ tin[0]=tin0;
+ tin[1]=tin1;
+ des_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+ tout0=tin[0];
+ tout1=tin[1];
+
+ l2c(tout0,out);
+ l2c(tout1,out);
+ }
+ iv=(unsigned char *)ivec;
+ l2c(tout0,iv);
+ l2c(tout1,iv);
+ }
+ else
+ {
+ register DES_LONG t0,t1;
+
+ c2l(iv,xor0);
+ c2l(iv,xor1);
+ for (l-=8; l>=0; l-=8)
+ {
+ c2l(in,tin0);
+ c2l(in,tin1);
+
+ t0=tin0;
+ t1=tin1;
+
+ tin[0]=tin0;
+ tin[1]=tin1;
+ des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+ tout0=tin[0];
+ tout1=tin[1];
+
+ tout0^=xor0;
+ tout1^=xor1;
+ l2c(tout0,out);
+ l2c(tout1,out);
+ xor0=t0;
+ xor1=t1;
+ }
+ if (l != -8)
+ {
+ c2l(in,tin0);
+ c2l(in,tin1);
+
+ t0=tin0;
+ t1=tin1;
+
+ tin[0]=tin0;
+ tin[1]=tin1;
+ des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+ tout0=tin[0];
+ tout1=tin[1];
+
+ tout0^=xor0;
+ tout1^=xor1;
+ l2cn(tout0,tout1,out,l+8);
+ xor0=t0;
+ xor1=t1;
+ }
+
+ iv=(unsigned char *)ivec;
+ l2c(xor0,iv);
+ l2c(xor1,iv);
+ }
+ tin0=tin1=tout0=tout1=xor0=xor1=0;
+ tin[0]=tin[1]=0;
+}
+
+/**
+ * Implementation of crypter_t.decrypt for DES.
+ */
+static status_t decrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
+{
+ des_cblock ivb;
+
+ if (data.len % sizeof(des_cblock) != 0 ||
+ iv.len != sizeof(des_cblock))
+ {
+ return INVALID_ARG;
+ }
+
+ *decrypted = chunk_alloc(data.len);
+ memcpy(&ivb, iv.ptr, sizeof(des_cblock));
+ des_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)(decrypted->ptr),
+ data.len, this->ks, &ivb, DES_DECRYPT);
+ return SUCCESS;
+}
+
+
+/**
+ * Implementation of crypter_t.decrypt for DES.
+ */
+static status_t encrypt(private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
+{
+ des_cblock ivb;
+
+ if (data.len % sizeof(des_cblock) != 0 ||
+ iv.len != sizeof(des_cblock))
+ {
+ return INVALID_ARG;
+ }
+
+ *encrypted = chunk_alloc(data.len);
+ memcpy(&ivb, iv.ptr, sizeof(des_cblock));
+ des_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)(encrypted->ptr),
+ data.len, this->ks, &ivb, DES_ENCRYPT);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of crypter_t.decrypt for 3DES.
+ */
+static status_t decrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *decrypted)
+{
+ des_cblock ivb;
+
+ if (data.len % sizeof(des_cblock) != 0 ||
+ iv.len != sizeof(des_cblock))
+ {
+ return INVALID_ARG;
+ }
+
+ *decrypted = chunk_alloc(data.len);
+ memcpy(&ivb, iv.ptr, sizeof(des_cblock));
+ des_ede3_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)(decrypted->ptr),
+ data.len, this->ks3[0], this->ks3[1], this->ks3[2],
+ &ivb, DES_DECRYPT);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of crypter_t.decrypt for 3DES.
+ */
+static status_t encrypt3(private_des_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *encrypted)
+{
+ des_cblock ivb;
+
+ if (data.len % sizeof(des_cblock) != 0 ||
+ iv.len != sizeof(des_cblock))
+ {
+ return INVALID_ARG;
+ }
+
+ *encrypted = chunk_alloc(data.len);
+ memcpy(&ivb, iv.ptr, sizeof(des_cblock));
+ des_ede3_cbc_encrypt((des_cblock*)(data.ptr), (des_cblock*)(encrypted->ptr),
+ data.len, this->ks3[0], this->ks3[1], this->ks3[2],
+ &ivb, DES_ENCRYPT);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of crypter_t.get_block_size.
+ */
+static size_t get_block_size (private_des_crypter_t *this)
+{
+ return sizeof(des_cblock);
+}
+
+/**
+ * Implementation of crypter_t.get_key_size.
+ */
+static size_t get_key_size (private_des_crypter_t *this)
+{
+ return this->key_size;
+}
+
+/**
+ * Implementation of crypter_t.set_key for DES.
+ */
+static status_t set_key(private_des_crypter_t *this, chunk_t key)
+{
+ if (key.len != sizeof(des_cblock))
+ {
+ return INVALID_ARG;
+ }
+
+ des_set_key((des_cblock*)(key.ptr), &this->ks);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of crypter_t.set_key for 3DES.
+ */
+static status_t set_key3(private_des_crypter_t *this, chunk_t key)
+{
+ if (key.len != 3 * sizeof(des_cblock))
+ {
+ return INVALID_ARG;
+ }
+
+ des_set_key((des_cblock*)(key.ptr) + 0, &this->ks3[0]);
+ des_set_key((des_cblock*)(key.ptr) + 1, &this->ks3[1]);
+ des_set_key((des_cblock*)(key.ptr) + 2, &this->ks3[2]);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of crypter_t.destroy and des_crypter_t.destroy.
+ */
+static void destroy(private_des_crypter_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+des_crypter_t *des_crypter_create(encryption_algorithm_t algo)
+{
+ private_des_crypter_t *this = malloc_thing(private_des_crypter_t);
+
+ /* functions of crypter_t interface */
+ this->public.crypter_interface.get_block_size = (size_t (*) (crypter_t *)) get_block_size;
+ this->public.crypter_interface.get_key_size = (size_t (*) (crypter_t *)) get_key_size;
+ this->public.crypter_interface.destroy = (void (*) (crypter_t *)) destroy;
+
+ /* use functions depending on algorithm */
+ switch (algo)
+ {
+ case ENCR_DES:
+ this->key_size = sizeof(des_cblock);
+ this->public.crypter_interface.set_key = (status_t (*) (crypter_t *,chunk_t)) set_key;
+ this->public.crypter_interface.encrypt = (status_t (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt;
+ this->public.crypter_interface.decrypt = (status_t (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt;
+ break;
+ case ENCR_3DES:
+ this->key_size = 3 * sizeof(des_cblock);
+ this->public.crypter_interface.set_key = (status_t (*) (crypter_t *,chunk_t)) set_key3;
+ this->public.crypter_interface.encrypt = (status_t (*) (crypter_t *, chunk_t,chunk_t, chunk_t *)) encrypt3;
+ this->public.crypter_interface.decrypt = (status_t (*) (crypter_t *, chunk_t , chunk_t, chunk_t *)) decrypt3;
+ break;
+ default:
+ free(this);
+ return NULL;
+ }
+ return &(this->public);
+}
diff --git a/src/libstrongswan/crypto/crypters/des_crypter.h b/src/libstrongswan/crypto/crypters/des_crypter.h
new file mode 100644
index 000000000..0c87b0a9c
--- /dev/null
+++ b/src/libstrongswan/crypto/crypters/des_crypter.h
@@ -0,0 +1,58 @@
+/**
+ * @file des_crypter.h
+ *
+ * @brief Interface of des_crypter_t
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef DES_CRYPTER_H_
+#define DES_CRYPTER_H_
+
+typedef struct des_crypter_t des_crypter_t;
+
+#include <crypto/crypters/crypter.h>
+
+
+/**
+ * @brief Class implementing the DES and 3DES encryption algorithms.
+ *
+ * @b Constructors:
+ * - des_crypter_create()
+ *
+ * @ingroup crypters
+ */
+struct des_crypter_t {
+
+ /**
+ * The crypter_t interface.
+ */
+ crypter_t crypter_interface;
+};
+
+/**
+ * @brief Constructor to create des_crypter_t objects.
+ *
+ * @param algo ENCR_DES for single DES, ENCR_3DES for triple DES
+ * @return
+ * - des_crypter_t object
+ * - NULL if algo not supported
+ */
+des_crypter_t *des_crypter_create(encryption_algorithm_t algo);
+
+
+#endif /* DES_CRYPTER_H_ */
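Review bot: The doc comments on `des_crypter_t` and `des_crypter_create()` omit the contract that des_crypter.c in this same commit enforces, so a caller reading only the header cannot use the object correctly. Both algorithms run in CBC mode, and `encrypt`/`decrypt` return `INVALID_ARG` unless `data.len` is a multiple of `sizeof(des_cblock)` and `iv.len` equals it; I would add `* CBC mode only; data length must be a multiple of the block size and the IV exactly one block.` to the class comment. `set_key` also writes through `key.ptr`, because `des_set_key` replaces every key byte with its odd-parity form, so the caller's buffer is modified; that deserves a line such as `* set_key() adjusts the parity bits of the passed key in place.` The `@param algo` line could additionally state that single DES has a 56-bit effective key, so that `ENCR_DES` is not chosen where `ENCR_3DES` or a stronger cipher is available.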
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
new file mode 100644
index 000000000..e4062066c
--- /dev/null
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -0,0 +1,612 @@
+/**
+ * @file diffie_hellman.c
+ *
+ * @brief Implementation of diffie_hellman_t.
+ *
+ */
+
+/*
+ * Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ * Copyright (C) 1999, 2000, 2001 Henry Spencer.
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <gmp.h>
+#include <stdio.h>
+
+#include "diffie_hellman.h"
+
+#include <utils/randomizer.h>
+
+ENUM_BEGIN(diffie_hellman_group_names, MODP_NONE, MODP_1024_BIT,
+ "MODP_NONE",
+ "MODP_768_BIT",
+ "MODP_1024_BIT");
+ENUM_NEXT(diffie_hellman_group_names, MODP_1536_BIT, MODP_1536_BIT, MODP_1024_BIT,
+ "MODP_1536_BIT");
+ENUM_NEXT(diffie_hellman_group_names, MODP_2048_BIT, MODP_8192_BIT, MODP_1536_BIT,
+ "MODP_2048_BIT",
+ "MODP_3072_BIT",
+ "MODP_4096_BIT",
+ "MODP_6144_BIT",
+ "MODP_8192_BIT");
+ENUM_END(diffie_hellman_group_names, MODP_8192_BIT);
+
+
+/**
+ * Modulus of Group 1 (MODP_768_BIT).
+ */
+static u_int8_t group1_modulus[] = {
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+ 0xC4,0xC6,0x62,0x8B,0x80 ,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+ 0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+ 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+ 0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+ 0xF4,0x4C,0x42,0xE9,0xA6,0x3A,0x36,0x20,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 2 (MODP_1024_BIT).
+ */
+static u_int8_t group2_modulus[] = {
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+ 0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+ 0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+ 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+ 0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+ 0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+ 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+ 0x49,0x28,0x66,0x51,0xEC,0xE6,0x53,0x81,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 5 (MODP_1536_BIT).
+ */
+static u_int8_t group5_modulus[] = {
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+ 0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+ 0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+ 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+ 0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+ 0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+ 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+ 0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+ 0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+ 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+ 0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+ 0xF1,0x74,0x6C,0x08,0xCA,0x23,0x73,0x27,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+/**
+ * Modulus of Group 14 (MODP_2048_BIT).
+ */
+static u_int8_t group14_modulus[] = {
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+ 0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+ 0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+ 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+ 0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+ 0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+ 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+ 0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+ 0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+ 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+ 0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+ 0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+ 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+ 0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+ 0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+ 0x15,0x72,0x8E,0x5A,0x8A,0xAC,0xAA,0x68,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 15 (MODP_3072_BIT).
+ */
+static u_int8_t group15_modulus[] = {
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+ 0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+ 0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+ 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+ 0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+ 0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+ 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+ 0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+ 0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+ 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+ 0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+ 0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+ 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+ 0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+ 0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+ 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+ 0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+ 0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+ 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+ 0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+ 0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+ 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+ 0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+ 0x4B,0x82,0xD1,0x20,0xA9,0x3A,0xD2,0xCA,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 16 (MODP_4096_BIT).
+ */
+static u_int8_t group16_modulus[] = {
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+ 0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+ 0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+ 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+ 0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+ 0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+ 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+ 0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+ 0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+ 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+ 0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+ 0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+ 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+ 0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+ 0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+ 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+ 0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+ 0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+ 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+ 0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+ 0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+ 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+ 0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+ 0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+ 0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
+ 0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
+ 0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+ 0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
+ 0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
+ 0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+ 0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
+ 0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 17 (MODP_6144_BIT).
+ */
+static u_int8_t group17_modulus[] = {
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+ 0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+ 0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+ 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+ 0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+ 0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+ 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+ 0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+ 0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+ 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+ 0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+ 0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+ 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+ 0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+ 0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+ 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+ 0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+ 0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+ 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+ 0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+ 0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+ 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+ 0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+ 0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+ 0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
+ 0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
+ 0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+ 0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
+ 0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
+ 0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+ 0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
+ 0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,
+ 0xC1,0xD4,0xDC,0xB2,0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
+ 0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,0x41,0x30,0x01,0xAE,
+ 0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,
+ 0xDA,0x3E,0xDB,0xEB,0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
+ 0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,0x2B,0xD7,0xAF,0x42,
+ 0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,
+ 0xF0,0x32,0xEA,0x15,0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
+ 0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,0x90,0x0B,0x1C,0x9E,
+ 0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,
+ 0x0F,0x1D,0x45,0xB7,0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
+ 0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,0x0F,0x80,0x37,0xE0,
+ 0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,
+ 0xF5,0x50,0xAA,0x3D,0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
+ 0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,0x6E,0x3C,0x04,0x68,
+ 0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,
+ 0xE6,0x94,0xF9,0x1E,0x6D,0xCC,0x40,0x24,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF
+};
+
+/**
+ * Modulus of Group 18 (MODP_8192_BIT).
+ */
+static u_int8_t group18_modulus[] = {
+ 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,0x21,0x68,0xC2,0x34,
+ 0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,
+ 0x02,0x0B,0xBE,0xA6,0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
+ 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,0xF2,0x5F,0x14,0x37,
+ 0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,
+ 0xF4,0x4C,0x42,0xE9,0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
+ 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,0x7C,0x4B,0x1F,0xE6,
+ 0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,
+ 0x98,0xDA,0x48,0x36,0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
+ 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,0x20,0x85,0x52,0xBB,
+ 0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,
+ 0xF1,0x74,0x6C,0x08,0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
+ 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,0xEC,0x07,0xA2,0x8F,
+ 0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,
+ 0x39,0x95,0x49,0x7C,0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
+ 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,0x04,0x50,0x7A,0x33,
+ 0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,
+ 0x8A,0xEA,0x71,0x57,0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
+ 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,0x4A,0x25,0x61,0x9D,
+ 0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,
+ 0xD8,0x76,0x02,0x73,0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
+ 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,0xBA,0xD9,0x46,0xE2,
+ 0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,
+ 0x4B,0x82,0xD1,0x20,0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
+ 0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,0x6A,0xF4,0xE2,0x3C,
+ 0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,
+ 0xDB,0xBB,0xC2,0xDB,0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
+ 0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,0xA0,0x90,0xC3,0xA2,
+ 0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,
+ 0xB8,0x1B,0xDD,0x76,0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
+ 0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,0x90,0xA6,0xC0,0x8F,
+ 0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,
+ 0xC1,0xD4,0xDC,0xB2,0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
+ 0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,0x41,0x30,0x01,0xAE,
+ 0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,
+ 0xDA,0x3E,0xDB,0xEB,0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
+ 0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,0x2B,0xD7,0xAF,0x42,
+ 0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,
+ 0xF0,0x32,0xEA,0x15,0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
+ 0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,0x90,0x0B,0x1C,0x9E,
+ 0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,
+ 0x0F,0x1D,0x45,0xB7,0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
+ 0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,0x0F,0x80,0x37,0xE0,
+ 0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,
+ 0xF5,0x50,0xAA,0x3D,0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
+ 0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,0x6E,0x3C,0x04,0x68,
+ 0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,
+ 0xE6,0x94,0xF9,0x1E,0x6D,0xBE,0x11,0x59,0x74,0xA3,0x92,0x6F,0x12,0xFE,0xE5,0xE4,
+ 0x38,0x77,0x7C,0xB6,0xA9,0x32,0xDF,0x8C,0xD8,0xBE,0xC4,0xD0,0x73,0xB9,0x31,0xBA,
+ 0x3B,0xC8,0x32,0xB6,0x8D,0x9D,0xD3,0x00,0x74,0x1F,0xA7,0xBF,0x8A,0xFC,0x47,0xED,
+ 0x25,0x76,0xF6,0x93,0x6B,0xA4,0x24,0x66,0x3A,0xAB,0x63,0x9C,0x5A,0xE4,0xF5,0x68,
+ 0x34,0x23,0xB4,0x74,0x2B,0xF1,0xC9,0x78,0x23,0x8F,0x16,0xCB,0xE3,0x9D,0x65,0x2D,
+ 0xE3,0xFD,0xB8,0xBE,0xFC,0x84,0x8A,0xD9,0x22,0x22,0x2E,0x04,0xA4,0x03,0x7C,0x07,
+ 0x13,0xEB,0x57,0xA8,0x1A,0x23,0xF0,0xC7,0x34,0x73,0xFC,0x64,0x6C,0xEA,0x30,0x6B,
+ 0x4B,0xCB,0xC8,0x86,0x2F,0x83,0x85,0xDD,0xFA,0x9D,0x4B,0x7F,0xA2,0xC0,0x87,0xE8,
+ 0x79,0x68,0x33,0x03,0xED,0x5B,0xDD,0x3A,0x06,0x2B,0x3C,0xF5,0xB3,0xA2,0x78,0xA6,
+ 0x6D,0x2A,0x13,0xF8,0x3F,0x44,0xF8,0x2D,0xDF,0x31,0x0E,0xE0,0x74,0xAB,0x6A,0x36,
+ 0x45,0x97,0xE8,0x99,0xA0,0x25,0x5D,0xC1,0x64,0xF3,0x1C,0xC5,0x08,0x46,0x85,0x1D,
+ 0xF9,0xAB,0x48,0x19,0x5D,0xED,0x7E,0xA1,0xB1,0xD5,0x10,0xBD,0x7E,0xE7,0x4D,0x73,
+ 0xFA,0xF3,0x6B,0xC3,0x1E,0xCF,0xA2,0x68,0x35,0x90,0x46,0xF4,0xEB,0x87,0x9F,0x92,
+ 0x40,0x09,0x43,0x8B,0x48,0x1C,0x6C,0xD7,0x88,0x9A,0x00,0x2E,0xD5,0xEE,0x38,0x2B,
+ 0xC9,0x19,0x0D,0xA6,0xFC,0x02,0x6E,0x47,0x95,0x58,0xE4,0x47,0x56,0x77,0xE9,0xAA,
+ 0x9E,0x30,0x50,0xE2,0x76,0x56,0x94,0xDF,0xC8,0x1F,0x56,0xE8,0x80,0xB9,0x6E,0x71,
+ 0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
+};
+
+typedef struct modulus_info_entry_t modulus_info_entry_t;
+
+/**
+ * Entry of the modulus list.
+ */
+struct modulus_info_entry_t {
+ /**
+ * Group number as it is defined in file transform_substructure.h.
+ */
+ diffie_hellman_group_t group;
+
+ /**
+ * Pointer to first byte of modulus (network order).
+ */
+ u_int8_t *modulus;
+
+ /*
+ * Length of modulus in bytes.
+ */
+ size_t modulus_length;
+
+ /*
+ * Generator value.
+ */
+ u_int16_t generator;
+};
+
+
+/**
+ * All supported modulus values.
+ */
+static modulus_info_entry_t modulus_info_entries[] = {
+ {MODP_768_BIT,group1_modulus,sizeof(group1_modulus),2},
+ {MODP_1024_BIT,group2_modulus,sizeof(group2_modulus),2},
+ {MODP_1536_BIT,group5_modulus,sizeof(group5_modulus),2},
+ {MODP_2048_BIT,group14_modulus,sizeof(group14_modulus),2},
+ {MODP_3072_BIT,group15_modulus,sizeof(group15_modulus),2},
+ {MODP_4096_BIT,group16_modulus,sizeof(group16_modulus),2},
+ {MODP_6144_BIT,group17_modulus,sizeof(group17_modulus),2},
+ {MODP_8192_BIT,group18_modulus,sizeof(group18_modulus),2},
+};
+
+typedef struct private_diffie_hellman_t private_diffie_hellman_t;
+
+/**
+ * Private data of an diffie_hellman_t object.
+ *
+ */
+struct private_diffie_hellman_t {
+ /**
+ * Public diffie_hellman_t interface.
+ */
+ diffie_hellman_t public;
+
+ /**
+ * Diffie Hellman group number.
+ */
+ u_int16_t dh_group_number;
+
+ /**
+ * Modulus.
+ */
+ mpz_t modulus;
+
+ /**
+ * Modulus length.
+ */
+ size_t modulus_length;
+
+ /*
+ * Generator value.
+ */
+ u_int16_t generator;
+
+ /**
+ * My private value .
+ */
+ mpz_t my_private_value;
+
+ /**
+ * My public value.
+ */
+ mpz_t my_public_value;
+
+ /**
+ * Other public value.
+ */
+ mpz_t other_public_value;
+
+ /**
+ * Shared secret.
+ */
+ mpz_t shared_secret;
+
+ /**
+ * True if shared secret is computed and stored in my_public_value.
+ */
+ bool shared_secret_is_computed;
+
+ /**
+ * Sets the modulus for a specific diffie hellman group.
+ *
+ * @param this calling object
+ * @return
+ * SUCCESS if modulus could be found
+ * NOT_FOUND if modulus not supported
+ */
+ status_t (*set_modulus) (private_diffie_hellman_t *this);
+
+ /**
+ * Makes sure my public value is computed.
+ *
+ * @param this calling object
+ */
+ void (*compute_public_value) (private_diffie_hellman_t *this);
+
+ /**
+ * Computes shared secret (other public value must be available).
+ *
+ * @param this calling object
+ */
+ void (*compute_shared_secret) (private_diffie_hellman_t *this);
+};
+
+/**
+ * Implementation of private_diffie_hellman_t.set_modulus.
+ */
+static status_t set_modulus(private_diffie_hellman_t *this)
+{
+ int i;
+ status_t status = NOT_FOUND;
+
+ for (i = 0; i < (sizeof(modulus_info_entries) / sizeof(modulus_info_entry_t)); i++)
+ {
+ if (modulus_info_entries[i].group == this->dh_group_number)
+ {
+ chunk_t modulus_chunk;
+ modulus_chunk.ptr = modulus_info_entries[i].modulus;
+ modulus_chunk.len = modulus_info_entries[i].modulus_length;
+ mpz_import(this->modulus, modulus_chunk.len, 1, 1, 1, 0, modulus_chunk.ptr);
+ this->modulus_length = modulus_chunk.len;
+ this->generator = modulus_info_entries[i].generator;
+ status = SUCCESS;
+ break;
+ }
+ }
+ return status;
+}
+
+/**
+ * Implementation of diffie_hellman_t.set_other_public_value.
+ */
+static void set_other_public_value(private_diffie_hellman_t *this,chunk_t public_value)
+{
+ mpz_import(this->other_public_value, public_value.len, 1, 1, 1, 0, public_value.ptr);
+ this->compute_shared_secret(this);
+}
+
+/**
+ * Implementation of diffie_hellman_t.get_other_public_value.
+ */
+static status_t get_other_public_value(private_diffie_hellman_t *this,chunk_t *public_value)
+{
+ if (!this->shared_secret_is_computed)
+ {
+ return FAILED;
+ }
+ public_value->len = this->modulus_length;
+ public_value->ptr = mpz_export(NULL, NULL, 1, public_value->len, 1, 0, this->other_public_value);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of private_diffie_hellman_t.compute_shared_secret.
+ */
+static void compute_shared_secret (private_diffie_hellman_t *this)
+{
+ /* initialize my public value */
+ mpz_init(this->shared_secret);
+ /* calculate my public value */
+ mpz_powm(this->shared_secret,this->other_public_value,this->my_private_value,this->modulus);
+
+ this->shared_secret_is_computed = TRUE;
+}
+
+/**
+ * Implementation of private_diffie_hellman_t.compute_public_value.
+ */
+static void compute_public_value (private_diffie_hellman_t *this)
+{
+ mpz_t generator;
+ /* initialize generator and set it*/
+ mpz_init_set_ui (generator,this->generator);
+ /* initialize my public value */
+ mpz_init(this->my_public_value);
+ /* calculate my public value */
+ mpz_powm(this->my_public_value,generator,this->my_private_value,this->modulus);
+ /* generator not used anymore */
+ mpz_clear(generator);
+}
+
+/**
+ * Implementation of diffie_hellman_t.get_my_public_value.
+ */
+static void get_my_public_value(private_diffie_hellman_t *this,chunk_t *public_value)
+{
+ public_value->len = this->modulus_length;
+ public_value->ptr = mpz_export(NULL, NULL, 1, public_value->len, 1, 0, this->my_public_value);
+}
+
+/**
+ * Implementation of diffie_hellman_t.get_shared_secret.
+ */
+static status_t get_shared_secret(private_diffie_hellman_t *this,chunk_t *secret)
+{
+ if (!this->shared_secret_is_computed)
+ {
+ return FAILED;
+ }
+ secret->len = this->modulus_length;
+ secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->shared_secret);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of diffie_hellman_t.get_dh_group.
+ */
+static diffie_hellman_group_t get_dh_group(private_diffie_hellman_t *this)
+{
+ return this->dh_group_number;
+}
+
+/**
+ * Implementation of diffie_hellman_t.destroy.
+ */
+static void destroy(private_diffie_hellman_t *this)
+{
+ mpz_clear(this->modulus);
+ mpz_clear(this->my_private_value);
+ mpz_clear(this->my_public_value);
+ mpz_clear(this->other_public_value);
+
+ if (this->shared_secret_is_computed)
+ {
+ /* other public value gets initialized together with shared secret */
+ mpz_clear(this->shared_secret);
+ }
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+diffie_hellman_t *diffie_hellman_create(diffie_hellman_group_t dh_group_number)
+{
+ private_diffie_hellman_t *this = malloc_thing(private_diffie_hellman_t);
+ randomizer_t *randomizer;
+ chunk_t random_bytes;
+
+ /* public functions */
+ this->public.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
+ this->public.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t )) set_other_public_value;
+ this->public.get_other_public_value = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_other_public_value;
+ this->public.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *)) get_my_public_value;
+ this->public.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
+ this->public.destroy = (void (*)(diffie_hellman_t *)) destroy;
+
+ /* private functions */
+ this->set_modulus = set_modulus;
+ this->compute_public_value = compute_public_value;
+ this->compute_shared_secret = compute_shared_secret;
+
+ /* private variables */
+ this->dh_group_number = dh_group_number;
+ mpz_init(this->modulus);
+ mpz_init(this->other_public_value);
+ mpz_init(this->my_private_value);
+
+ /* set this->modulus */
+ if (this->set_modulus(this) != SUCCESS)
+ {
+ free(this);
+ return NULL;
+ }
+ randomizer = randomizer_create();
+ if (randomizer == NULL)
+ {
+ free(this);
+ return NULL;
+ }
+ if (randomizer->allocate_pseudo_random_bytes(randomizer, this->modulus_length, &random_bytes) != SUCCESS)
+ {
+ randomizer->destroy(randomizer);
+ free(this);
+ return NULL;
+ }
+
+ mpz_import(this->my_private_value, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+ chunk_free(&random_bytes);
+
+ randomizer->destroy(randomizer);
+
+ this->compute_public_value(this);
+
+ this->shared_secret_is_computed = FALSE;
+
+ return &(this->public);
+}
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
new file mode 100644
index 000000000..29a2ab45b
--- /dev/null
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -0,0 +1,147 @@
+/**
+ * @file diffie_hellman.h
+ *
+ * @brief Interface of diffie_hellman_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef DIFFIE_HELLMAN_H_
+#define DIFFIE_HELLMAN_H_
+
+typedef enum diffie_hellman_group_t diffie_hellman_group_t;
+typedef struct diffie_hellman_t diffie_hellman_t;
+
+#include <library.h>
+
+/**
+ * @brief Diffie-Hellman group.
+ *
+ * The modulus (or group) to use for a Diffie-Hellman calculation.
+ *
+ * See IKEv2 RFC 3.3.2 and RFC 3526.
+ *
+ * @ingroup transforms
+ */
+enum diffie_hellman_group_t {
+ MODP_NONE = 0,
+ MODP_768_BIT = 1,
+ MODP_1024_BIT = 2,
+ MODP_1536_BIT = 5,
+ MODP_2048_BIT = 14,
+ MODP_3072_BIT = 15,
+ MODP_4096_BIT = 16,
+ MODP_6144_BIT = 17,
+ MODP_8192_BIT = 18
+};
+
+/**
+ * enum name for diffie_hellman_group_t.
+ */
+extern enum_name_t *diffie_hellman_group_names;
+
+/**
+ * @brief Implementation of the widely used Diffie-Hellman algorithm.
+ *
+ * @b Constructors:
+ * - diffie_hellman_create()
+ *
+ * @ingroup transforms
+ */
+struct diffie_hellman_t {
+
+ /**
+ * @brief Returns the shared secret of this diffie hellman exchange.
+ *
+ * @warning Space for returned secret is allocated and must be
+ * freed by the caller.
+ *
+ * @param this calling diffie_hellman_t object
+ * @param[out] secret shared secret will be written into this chunk
+ * @return
+ * - SUCCESS
+ * - FAILED if not both DH values are set
+ */
+ status_t (*get_shared_secret) (diffie_hellman_t *this, chunk_t *secret);
+
+ /**
+ * @brief Sets the public value of partner.
+ *
+ * chunk gets cloned and can be destroyed afterwards.
+ *
+ * @param this calling diffie_hellman_t object
+ * @param public_value public value of partner
+ */
+ void (*set_other_public_value) (diffie_hellman_t *this, chunk_t public_value);
+
+ /**
+ * @brief Gets the public value of partner.
+ *
+ * @warning Space for returned chunk is allocated and must be
+ * freed by the caller.
+ *
+ * @param this calling diffie_hellman_t object
+ * @param[out] public_value public value of partner is stored at this location
+ * @return
+ * - SUCCESS
+ * - FAILED if other public value not set
+ */
+ status_t (*get_other_public_value) (diffie_hellman_t *this, chunk_t *public_value);
+
+ /**
+ * @brief Gets the public value of caller
+ *
+ * @warning Space for returned chunk is allocated and must be
+ * freed by the caller.
+ *
+ * @param this calling diffie_hellman_t object
+ * @param[out] public_value public value of caller is stored at this location
+ */
+ void (*get_my_public_value) (diffie_hellman_t *this, chunk_t *public_value);
+
+ /**
+ * @brief Get the DH group used.
+ *
+ * @param this calling diffie_hellman_t object
+ * @return DH group set in construction
+ */
+ diffie_hellman_group_t (*get_dh_group) (diffie_hellman_t *this);
+
+ /**
+ * @brief Destroys an diffie_hellman_t object.
+ *
+ * @param this diffie_hellman_t object to destroy
+ */
+ void (*destroy) (diffie_hellman_t *this);
+};
+
+/**
+ * @brief Creates a new diffie_hellman_t object.
+ *
+ * The first diffie hellman public value gets automatically created.
+ *
+ * @param dh_group_number Diffie Hellman group number to use
+ * @return
+ * - diffie_hellman_t object
+ * - NULL if dh group not supported
+ *
+ * @ingroup transforms
+ */
+diffie_hellman_t *diffie_hellman_create(diffie_hellman_group_t dh_group_number);
+
+#endif /*DIFFIE_HELLMAN_H_*/
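Review bot: `set_other_public_value` is declared to return `void`, so an implementation cannot refuse a peer value that is outside the valid range for the group, and `get_shared_secret` would then report SUCCESS for a degenerate secret. The implementation in diffie_hellman.c earlier on this page imports the chunk and goes straight to `mpz_powm` without a range check, which fits that reading. I would declare the member as `status_t (*set_other_public_value) (diffie_hellman_t *this, chunk_t public_value);` and document `FAILED if the value is not in the range 2 .. p-2`, so callers can abort the exchange. The sentence "chunk gets cloned and can be destroyed afterwards" would also be clearer as `The value is copied into the object; the caller keeps ownership of the chunk.`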
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
new file mode 100644
index 000000000..7fa6346d6
--- /dev/null
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -0,0 +1,65 @@
+/**
+ * @file hasher.c
+ *
+ * @brief Generic constructor for hasher_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "hasher.h"
+
+#include <crypto/hashers/sha1_hasher.h>
+#include <crypto/hashers/sha2_hasher.h>
+#include <crypto/hashers/md5_hasher.h>
+
+
+ENUM(hash_algorithm_names, HASH_MD2, HASH_SHA512,
+ "HASH_MD2",
+ "HASH_MD5",
+ "HASH_SHA1",
+ "HASH_SHA256",
+ "HASH_SHA384",
+ "HASH_SHA512"
+);
+
+/*
+ * Described in header.
+ */
+hasher_t *hasher_create(hash_algorithm_t hash_algorithm)
+{
+ switch (hash_algorithm)
+ {
+ case HASH_SHA1:
+ {
+ return (hasher_t*)sha1_hasher_create();
+ }
+ case HASH_SHA256:
+ case HASH_SHA384:
+ case HASH_SHA512:
+ {
+ return (hasher_t*)sha2_hasher_create(hash_algorithm);
+ }
+ case HASH_MD5:
+ {
+ return (hasher_t*)md5_hasher_create();
+ }
+ default:
+ return NULL;
+ }
+}
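Review bot: The `default:` branch of `hasher_create` returns NULL for HASH_MD2 although the `hash_algorithm_names` table above it lists that value, and nothing at the dispatch says this is intended. A comment on the branch such as `/* HASH_MD2 and unknown values: not implemented, caller must check for NULL */` would put the contract where the decision is made. As a style point, the braces around the single `return` in each case could be dropped to match the `default:` branch.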
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
new file mode 100644
index 000000000..6c17f892d
--- /dev/null
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -0,0 +1,159 @@
+/**
+ * @file hasher.h
+ *
+ * @brief Interface hasher_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef HASHER_H_
+#define HASHER_H_
+
+typedef enum hash_algorithm_t hash_algorithm_t;
+typedef struct hasher_t hasher_t;
+
+#include <library.h>
+
+/**
+ * @brief Algorithms to use for hashing.
+ *
+ * Currently only the following algorithms are implemented:
+ * - HASH_MD5
+ * - HASH_SHA1
+ * - HASH_SHA256
+ * - HASH_SHA384
+ * - HASH_SHA512
+ *
+ * @ingroup hashers
+ */
+enum hash_algorithm_t {
+ HASH_MD2 = 0,
+ /** Implemented in class md5_hasher_t */
+ HASH_MD5 = 1,
+ /** Implemented in class sha1_hasher_t */
+ HASH_SHA1 = 2,
+ /** Implemented in class sha2_hasher_t */
+ HASH_SHA256 = 3,
+ /** Implemented in class sha2_hasher_t */
+ HASH_SHA384 = 4,
+ /** Implemented in class sha2_hasher_t */
+ HASH_SHA512 = 5,
+};
+
+#define HASH_SIZE_MD2 16
+#define HASH_SIZE_MD5 16
+#define HASH_SIZE_SHA1 20
+#define HASH_SIZE_SHA256 32
+#define HASH_SIZE_SHA384 48
+#define HASH_SIZE_SHA512 64
+#define HASH_SIZE_MAX 64
+
+/**
+ * enum names for hash_algorithm_t.
+ */
+extern enum_name_t *hash_algorithm_names;
+
+
+/**
+ * @brief Generic interface for all hash functions.
+ *
+ * @b Constructors:
+ * - hasher_create()
+ *
+ * @ingroup hashers
+ */
+struct hasher_t {
+ /**
+ * @brief Hash data and write it in the buffer.
+ *
+ * If the parameter hash is NULL, no result is written back
+ * an more data can be appended to already hashed data.
+ * If not, the result is written back and the hasher is reset.
+ *
+ * The hash output parameter must hold at least
+ * hash_t.get_block_size() bytes.
+ *
+ * @param this calling object
+ * @param data data to hash
+ * @param[out] hash pointer where the hash will be written
+ */
+ void (*get_hash) (hasher_t *this, chunk_t data, u_int8_t *hash);
+
+ /**
+ * @brief Hash data and allocate space for the hash.
+ *
+ * If the parameter hash is NULL, no result is written back
+ * an more data can be appended to already hashed data.
+ * If not, the result is written back and the hasher is reset.
+ *
+ * @param this calling object
+ * @param data chunk with data to hash
+ * @param[out] hash chunk which will hold allocated hash
+ */
+ void (*allocate_hash) (hasher_t *this, chunk_t data, chunk_t *hash);
+
+ /**
+ * @brief Get the size of the resulting hash.
+ *
+ * @param this calling object
+ * @return hash size in bytes
+ */
+ size_t (*get_hash_size) (hasher_t *this);
+
+ /**
+ * @brief Resets the hashers state.
+ *
+ * @param this calling object
+ */
+ void (*reset) (hasher_t *this);
+
+ /**
+ * @brief Get the state of the hasher.
+ *
+ * A hasher stores internal state information. This state may be
+ * manipulated to include a "seed" into the hashing operation. It used by
+ * some exotic protocols (such as AKA).
+ * The data pointed by chunk may be manipulated, but not replaced nor freed.
+ * This is more a hack than a feature. The hasher's state may be byte
+ * order dependant; use with care.
+ *
+ * @param this calling object
+ */
+ chunk_t (*get_state) (hasher_t *this);
+
+ /**
+ * @brief Destroys a hasher object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (hasher_t *this);
+};
+
+/**
+ * @brief Generic interface to create a hasher_t.
+ *
+ * @param hash_algorithm Algorithm to use for hashing
+ * @return
+ * - hasher_t object
+ * - NULL if algorithm not supported
+ *
+ * @ingroup hashers
+ */
+hasher_t *hasher_create(hash_algorithm_t hash_algorithm);
+
+#endif /* HASHER_H_ */
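Review bot: The `get_hash` comment says the output buffer must hold at least `hash_t.get_block_size()` bytes, but the interface declared in this hunk has no such member; the size accessor is `get_hash_size`. A caller who sizes the buffer from this sentence has nothing correct to call, and an undersized buffer would presumably be written past its end. The line should read `The hash output parameter must hold at least hasher_t.get_hash_size() bytes.` and could mention `HASH_SIZE_MAX` for fixed buffers. The `allocate_hash` comment should add that the allocated chunk must be freed by the caller, both comments have "an more data" for "and more data", and `get_state` lacks a `@return` line.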
diff --git a/src/libstrongswan/crypto/hashers/md5_hasher.c b/src/libstrongswan/crypto/hashers/md5_hasher.c
new file mode 100644
index 000000000..d4dde3693
--- /dev/null
+++ b/src/libstrongswan/crypto/hashers/md5_hasher.c
@@ -0,0 +1,405 @@
+/**
+ * @file md5_hasher.c
+ *
+ * @brief Implementation of md5_hasher_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 1991-1992, RSA Data Security, Inc. Created 1991.
+ * All rights reserved.
+ *
+ * Derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.
+ * Ported to fulfill hasher_t interface.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "md5_hasher.h"
+
+
+/* Constants for MD5Transform routine. */
+#define S11 7
+#define S12 12
+#define S13 17
+#define S14 22
+#define S21 5
+#define S22 9
+#define S23 14
+#define S24 20
+#define S31 4
+#define S32 11
+#define S33 16
+#define S34 23
+#define S41 6
+#define S42 10
+#define S43 15
+#define S44 21
+
+static u_int8_t PADDING[64] = {
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * ugly macro stuff
+ */
+/* F, G, H and I are basic MD5 functions.
+ */
+#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
+#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
+#define H(x, y, z) ((x) ^ (y) ^ (z))
+#define I(x, y, z) ((y) ^ ((x) | (~z)))
+
+/* ROTATE_LEFT rotates x left n bits.
+ */
+#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
+
+/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
+Rotation is separate from addition to prevent recomputation.
+ */
+#define FF(a, b, c, d, x, s, ac) { \
+ (a) += F ((b), (c), (d)) + (x) + (u_int32_t)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+ }
+#define GG(a, b, c, d, x, s, ac) { \
+ (a) += G ((b), (c), (d)) + (x) + (u_int32_t)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+ }
+#define HH(a, b, c, d, x, s, ac) { \
+ (a) += H ((b), (c), (d)) + (x) + (u_int32_t)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+ }
+#define II(a, b, c, d, x, s, ac) { \
+ (a) += I ((b), (c), (d)) + (x) + (u_int32_t)(ac); \
+ (a) = ROTATE_LEFT ((a), (s)); \
+ (a) += (b); \
+ }
+
+
+
+typedef struct private_md5_hasher_t private_md5_hasher_t;
+
+/**
+ * Private data structure with hasing context.
+ */
+struct private_md5_hasher_t {
+ /**
+ * Public interface for this hasher.
+ */
+ md5_hasher_t public;
+
+ /*
+ * State of the hasher.
+ */
+ u_int32_t state[5];
+ u_int32_t count[2];
+ u_int8_t buffer[64];
+};
+
+
+#if BYTE_ORDER != LITTLE_ENDIAN
+
+/* Encodes input (u_int32_t) into output (u_int8_t). Assumes len is
+ * a multiple of 4.
+ */
+static void Encode (u_int8_t *output, u_int32_t *input, size_t len)
+{
+ size_t i, j;
+
+ for (i = 0, j = 0; j < len; i++, j += 4)
+ {
+ output[j] = (u_int8_t)(input[i] & 0xff);
+ output[j+1] = (u_int8_t)((input[i] >> 8) & 0xff);
+ output[j+2] = (u_int8_t)((input[i] >> 16) & 0xff);
+ output[j+3] = (u_int8_t)((input[i] >> 24) & 0xff);
+ }
+}
+
+/* Decodes input (u_int8_t) into output (u_int32_t). Assumes len is
+ * a multiple of 4.
+ */
+static void Decode(u_int32_t *output, u_int8_t *input, size_t len)
+{
+ size_t i, j;
+
+ for (i = 0, j = 0; j < len; i++, j += 4)
+ {
+ output[i] = ((u_int32_t)input[j]) | (((u_int32_t)input[j+1]) << 8) |
+ (((u_int32_t)input[j+2]) << 16) | (((u_int32_t)input[j+3]) << 24);
+ }
+}
+
+#elif BYTE_ORDER == LITTLE_ENDIAN
+ #define Encode memcpy
+ #define Decode memcpy
+#endif
+
+/* MD5 basic transformation. Transforms state based on block.
+ */
+static void MD5Transform(u_int32_t state[4], u_int8_t block[64])
+{
+ u_int32_t a = state[0], b = state[1], c = state[2], d = state[3], x[16];
+
+ Decode(x, block, 64);
+
+ /* Round 1 */
+ FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */
+ FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */
+ FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */
+ FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */
+ FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */
+ FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */
+ FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */
+ FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */
+ FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */
+ FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */
+ FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
+ FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
+ FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
+ FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
+ FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
+ FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
+
+ /* Round 2 */
+ GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */
+ GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */
+ GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
+ GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */
+ GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */
+ GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */
+ GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
+ GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */
+ GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */
+ GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
+ GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */
+ GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */
+ GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
+ GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */
+ GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */
+ GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
+
+ /* Round 3 */
+ HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */
+ HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */
+ HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
+ HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
+ HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */
+ HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */
+ HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */
+ HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
+ HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
+ HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */
+ HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */
+ HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */
+ HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */
+ HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
+ HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
+ HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */
+
+ /* Round 4 */
+ II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */
+ II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */
+ II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
+ II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */
+ II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
+ II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */
+ II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
+ II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */
+ II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */
+ II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
+ II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */
+ II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
+ II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */
+ II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
+ II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */
+ II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */
+
+ state[0] += a;
+ state[1] += b;
+ state[2] += c;
+ state[3] += d;
+}
+
+/* MD5 block update operation. Continues an MD5 message-digest
+ * operation, processing another message block, and updating the
+ * context.
+ */
+static void MD5Update(private_md5_hasher_t *this, u_int8_t *input, size_t inputLen)
+{
+ u_int32_t i;
+ size_t index, partLen;
+
+ /* Compute number of bytes mod 64 */
+ index = (u_int8_t)((this->count[0] >> 3) & 0x3F);
+
+ /* Update number of bits */
+ if ((this->count[0] += (inputLen << 3)) < (inputLen << 3))
+ {
+ this->count[1]++;
+ }
+ this->count[1] += (inputLen >> 29);
+
+ partLen = 64 - index;
+
+ /* Transform as many times as possible. */
+ if (inputLen >= partLen)
+ {
+ memcpy(&this->buffer[index], input, partLen);
+ MD5Transform (this->state, this->buffer);
+
+ for (i = partLen; i + 63 < inputLen; i += 64)
+ {
+ MD5Transform (this->state, &input[i]);
+ }
+ index = 0;
+ }
+ else
+ {
+ i = 0;
+ }
+
+ /* Buffer remaining input */
+ memcpy(&this->buffer[index], &input[i], inputLen-i);
+}
+
+/* MD5 finalization. Ends an MD5 message-digest operation, writing the
+ * the message digest and zeroizing the context.
+ */
+static void MD5Final (private_md5_hasher_t *this, u_int8_t digest[16])
+{
+ u_int8_t bits[8];
+ size_t index, padLen;
+
+ /* Save number of bits */
+ Encode (bits, this->count, 8);
+
+ /* Pad out to 56 mod 64. */
+ index = (size_t)((this->count[0] >> 3) & 0x3f);
+ padLen = (index < 56) ? (56 - index) : (120 - index);
+ MD5Update (this, PADDING, padLen);
+
+ /* Append length (before padding) */
+ MD5Update (this, bits, 8);
+
+ if (digest != NULL) /* Bill Simpson's padding */
+ {
+ /* store state in digest */
+ Encode (digest, this->state, 16);
+ }
+}
+
+
+
+/**
+ * Implementation of hasher_t.get_hash.
+ */
+static void get_hash(private_md5_hasher_t *this, chunk_t chunk, u_int8_t *buffer)
+{
+ MD5Update(this, chunk.ptr, chunk.len);
+ if (buffer != NULL)
+ {
+ MD5Final(this, buffer);
+ this->public.hasher_interface.reset(&(this->public.hasher_interface));
+ }
+}
+
+
+/**
+ * Implementation of hasher_t.allocate_hash.
+ */
+static void allocate_hash(private_md5_hasher_t *this, chunk_t chunk, chunk_t *hash)
+{
+ chunk_t allocated_hash;
+
+ MD5Update(this, chunk.ptr, chunk.len);
+ if (hash != NULL)
+ {
+ allocated_hash.ptr = malloc(HASH_SIZE_MD5);
+ allocated_hash.len = HASH_SIZE_MD5;
+
+ MD5Final(this, allocated_hash.ptr);
+ this->public.hasher_interface.reset(&(this->public.hasher_interface));
+
+ *hash = allocated_hash;
+ }
+}
+
+/**
+ * Implementation of hasher_t.get_hash_size.
+ */
+static size_t get_hash_size(private_md5_hasher_t *this)
+{
+ return HASH_SIZE_MD5;
+}
+
+/**
+ * Implementation of hasher_t.reset.
+ */
+static void reset(private_md5_hasher_t *this)
+{
+ this->state[0] = 0x67452301;
+ this->state[1] = 0xefcdab89;
+ this->state[2] = 0x98badcfe;
+ this->state[3] = 0x10325476;
+ this->count[0] = 0;
+ this->count[1] = 0;
+}
+
+/**
+ * Implementation of hasher_t.get_state
+ */
+static chunk_t get_state(private_md5_hasher_t *this)
+{
+ chunk_t chunk;
+
+ chunk.ptr = (u_char*)&this->state[0];
+ chunk.len = sizeof(this->state);
+
+ return chunk;
+}
+
+/**
+ * Implementation of hasher_t.destroy.
+ */
+static void destroy(private_md5_hasher_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+md5_hasher_t *md5_hasher_create(void)
+{
+ private_md5_hasher_t *this = malloc_thing(private_md5_hasher_t);
+
+ this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
+ this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
+ this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
+ this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
+ this->public.hasher_interface.get_state = (chunk_t (*) (hasher_t*))get_state;
+ this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
+
+ /* initialize */
+ reset(this);
+
+ return &(this->public);
+}
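Review bot: `private_md5_hasher_t` declares `u_int32_t state[5]`, but only four words are ever used: `reset` initialises `state[0]` to `state[3]` and `MD5Transform` takes `state[4]`, while `get_state` returns a chunk of `sizeof(this->state)`, which is 20 bytes. The last four bytes handed to the caller are never written in this file, so unless `malloc_thing` zeroes the allocation (not visible here) they are uninitialised heap content; `u_int32_t state[4];` removes the problem. Separately, the comment on `MD5Final` says it zeroizes the context, but the body does not, and `destroy` frees the object without clearing `state` and `buffer`; either drop the claim or clear the context before `free(this)`. `allocate_hash` also passes the result of `malloc(HASH_SIZE_MD5)` to `MD5Final` without a NULL check.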
diff --git a/src/libstrongswan/crypto/hashers/md5_hasher.h b/src/libstrongswan/crypto/hashers/md5_hasher.h
new file mode 100644
index 000000000..715f11663
--- /dev/null
+++ b/src/libstrongswan/crypto/hashers/md5_hasher.h
@@ -0,0 +1,60 @@
+/**
+ * @file md5_hasher.h
+ *
+ * @brief Interface for md5_hasher_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef MD5_HASHER_H_
+#define MD5_HASHER_H_
+
+typedef struct md5_hasher_t md5_hasher_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * @brief Implementation of hasher_t interface using the
+ * MD5 algorithm.
+ *
+ * @b Constructors:
+ * - hasher_create() using HASH_MD5 as algorithm
+ * - md5_hasher_create()
+ *
+ * @see hasher_t
+ *
+ * @ingroup hashers
+ */
+struct md5_hasher_t {
+
+ /**
+ * Generic hasher_t interface for this hasher.
+ */
+ hasher_t hasher_interface;
+};
+
+/**
+ * @brief Creates a new md5_hasher_t.
+ *
+ * @return md5_hasher_t object
+ *
+ * @ingroup hashers
+ */
+md5_hasher_t *md5_hasher_create(void);
+
+#endif /*MD5_HASHER_H_*/
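Review bot: The doc comment on `md5_hasher_t` says nothing about where MD5 is still acceptable, so a caller choosing an algorithm through `hasher_create()` gets no steer away from it for signatures or fingerprints. I would add a line to the `@brief` block such as `MD5 is not collision resistant; use it only where a protocol mandates it (e.g. inside HMAC), not for new signature or fingerprint uses.` The same caveat, worded for SHA-1, belongs on `sha1_hasher_t` in sha1_hasher.h later in this commit.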
diff --git a/src/libstrongswan/crypto/hashers/sha1_hasher.c b/src/libstrongswan/crypto/hashers/sha1_hasher.c
new file mode 100644
index 000000000..6a86937ae
--- /dev/null
+++ b/src/libstrongswan/crypto/hashers/sha1_hasher.c
@@ -0,0 +1,280 @@
+/**
+ * @file sha1_hasher.c
+ *
+ * @brief Implementation of hasher_sha_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * Ported from Steve Reid's <steve@edmweb.com> implementation
+ * "SHA1 in C" found in strongSwan.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "sha1_hasher.h"
+
+/*
+ * ugly macro stuff
+ */
+#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
+
+#if BYTE_ORDER == LITTLE_ENDIAN
+ #define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) |(rol(block->l[i],8)&0x00FF00FF))
+#elif BYTE_ORDER == BIG_ENDIAN
+ #define blk0(i) block->l[i]
+#else
+ #error "Endianness not defined!"
+#endif
+#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] ^block->l[(i+2)&15]^block->l[i&15],1))
+
+/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
+#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
+#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
+#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
+#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
+#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
+
+
+typedef struct private_sha1_hasher_t private_sha1_hasher_t;
+
+/**
+ * Private data structure with hasing context.
+ */
+struct private_sha1_hasher_t {
+ /**
+ * Public interface for this hasher.
+ */
+ sha1_hasher_t public;
+
+ /*
+ * State of the hasher.
+ */
+ u_int32_t state[5];
+ u_int32_t count[2];
+ u_int8_t buffer[64];
+};
+
+/*
+ * Hash a single 512-bit block. This is the core of the algorithm. *
+ */
+static void SHA1Transform(u_int32_t state[5], const unsigned char buffer[64])
+{
+ u_int32_t a, b, c, d, e;
+ typedef union {
+ u_int8_t c[64];
+ u_int32_t l[16];
+ } CHAR64LONG16;
+ CHAR64LONG16 block[1]; /* use array to appear as a pointer */
+ memcpy(block, buffer, 64);
+
+ /* Copy context->state[] to working vars */
+ a = state[0];
+ b = state[1];
+ c = state[2];
+ d = state[3];
+ e = state[4];
+ /* 4 rounds of 20 operations each. Loop unrolled. */
+ R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+ R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+ R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+ R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+ R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+ R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+ R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+ R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+ R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+ R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+ R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+ R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+ R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+ R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+ R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+ R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+ R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+ R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+ R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+ R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+ /* Add the working vars back into context.state[] */
+ state[0] += a;
+ state[1] += b;
+ state[2] += c;
+ state[3] += d;
+ state[4] += e;
+ /* Wipe variables */
+ a = b = c = d = e = 0;
+ memset(block, '\0', sizeof(block));
+}
+
+/*
+ * Run your data through this.
+ */
+static void SHA1Update(private_sha1_hasher_t* this, u_int8_t *data, u_int32_t len)
+{
+ u_int32_t i;
+ u_int32_t j;
+
+ j = this->count[0];
+ if ((this->count[0] += len << 3) < j)
+ {
+ this->count[1]++;
+ }
+ this->count[1] += (len>>29);
+ j = (j >> 3) & 63;
+ if ((j + len) > 63)
+ {
+ memcpy(&this->buffer[j], data, (i = 64-j));
+ SHA1Transform(this->state, this->buffer);
+ for ( ; i + 63 < len; i += 64)
+ {
+ SHA1Transform(this->state, &data[i]);
+ }
+ j = 0;
+ }
+ else
+ {
+ i = 0;
+ }
+ memcpy(&this->buffer[j], &data[i], len - i);
+}
+
+
+/*
+ * Add padding and return the message digest.
+ */
+static void SHA1Final(private_sha1_hasher_t *this, u_int8_t *digest)
+{
+ u_int32_t i;
+ u_int8_t finalcount[8];
+ u_int8_t c;
+
+ for (i = 0; i < 8; i++)
+ {
+ finalcount[i] = (u_int8_t)((this->count[(i >= 4 ? 0 : 1)]
+ >> ((3-(i & 3)) * 8) ) & 255); /* Endian independent */
+ }
+ c = 0200;
+ SHA1Update(this, &c, 1);
+ while ((this->count[0] & 504) != 448)
+ {
+ c = 0000;
+ SHA1Update(this, &c, 1);
+ }
+ SHA1Update(this, finalcount, 8); /* Should cause a SHA1Transform() */
+ for (i = 0; i < 20; i++)
+ {
+ digest[i] = (u_int8_t)((this->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
+ }
+}
+
+
+/**
+ * Implementation of hasher_t.get_hash.
+ */
+static void get_hash(private_sha1_hasher_t *this, chunk_t chunk, u_int8_t *buffer)
+{
+ SHA1Update(this, chunk.ptr, chunk.len);
+ if (buffer != NULL)
+ {
+ SHA1Final(this, buffer);
+ this->public.hasher_interface.reset(&(this->public.hasher_interface));
+ }
+}
+
+
+/**
+ * Implementation of hasher_t.allocate_hash.
+ */
+static void allocate_hash(private_sha1_hasher_t *this, chunk_t chunk, chunk_t *hash)
+{
+ chunk_t allocated_hash;
+
+ SHA1Update(this, chunk.ptr, chunk.len);
+ if (hash != NULL)
+ {
+ allocated_hash.ptr = malloc(HASH_SIZE_SHA1);
+ allocated_hash.len = HASH_SIZE_SHA1;
+
+ SHA1Final(this, allocated_hash.ptr);
+ this->public.hasher_interface.reset(&(this->public.hasher_interface));
+
+ *hash = allocated_hash;
+ }
+}
+
+/**
+ * Implementation of hasher_t.get_hash_size.
+ */
+static size_t get_hash_size(private_sha1_hasher_t *this)
+{
+ return HASH_SIZE_SHA1;
+}
+
+/**
+ * Implementation of hasher_t.reset.
+ */
+static void reset(private_sha1_hasher_t *this)
+{
+ this->state[0] = 0x67452301;
+ this->state[1] = 0xEFCDAB89;
+ this->state[2] = 0x98BADCFE;
+ this->state[3] = 0x10325476;
+ this->state[4] = 0xC3D2E1F0;
+ this->count[0] = 0;
+ this->count[1] = 0;
+}
+
+/**
+ * Implementation of hasher_t.get_state
+ */
+static chunk_t get_state(private_sha1_hasher_t *this)
+{
+ chunk_t chunk;
+
+ chunk.ptr = (u_char*)&this->state[0];
+ chunk.len = sizeof(this->state);
+
+ return chunk;
+}
+
+/**
+ * Implementation of hasher_t.destroy.
+ */
+static void destroy(private_sha1_hasher_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+sha1_hasher_t *sha1_hasher_create(void)
+{
+ private_sha1_hasher_t *this = malloc_thing(private_sha1_hasher_t);
+
+ this->public.hasher_interface.get_hash = (void (*) (hasher_t*, chunk_t, u_int8_t*))get_hash;
+ this->public.hasher_interface.allocate_hash = (void (*) (hasher_t*, chunk_t, chunk_t*))allocate_hash;
+ this->public.hasher_interface.get_hash_size = (size_t (*) (hasher_t*))get_hash_size;
+ this->public.hasher_interface.reset = (void (*) (hasher_t*))reset;
+ this->public.hasher_interface.get_state = (chunk_t (*) (hasher_t*))get_state;
+ this->public.hasher_interface.destroy = (void (*) (hasher_t*))destroy;
+
+ /* initialize */
+ reset(this);
+
+ return &(this->public);
+}
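Review bot: In `SHA1Update` the test `if ((j + len) > 63)` is evaluated in 32-bit arithmetic, so a `len` close to 2^32 makes the sum wrap, the `else` branch is taken, and the final `memcpy(&this->buffer[j], &data[i], len - i)` writes far past the 64-byte `buffer`. Writing the test as `if (len > 63 - j)` removes that wrap (j is already masked to 0..63), but the loop bound `i + 63 < len` has the same shape, so the robust fix is to reject or split oversized input before it reaches this function. `get_hash` and `allocate_hash` pass `chunk.len` straight into the `u_int32_t len` parameter; chunk_t is declared outside this hunk, but if its length is a `size_t` the value is also silently truncated on 64-bit builds. Separately, the "Wipe variables" stores at the end of `SHA1Transform` are dead stores that an optimizer may remove, so they should not be relied on to clear the block.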
diff --git a/src/libstrongswan/crypto/hashers/sha1_hasher.h b/src/libstrongswan/crypto/hashers/sha1_hasher.h
new file mode 100644
index 000000000..380fa9845
--- /dev/null
+++ b/src/libstrongswan/crypto/hashers/sha1_hasher.h
@@ -0,0 +1,60 @@
+/**
+ * @file sha1_hasher.h
+ *
+ * @brief Interface of sha1_hasher_t
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef SHA1_HASHER_H_
+#define SHA1_HASHER_H_
+
+typedef struct sha1_hasher_t sha1_hasher_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * @brief Implementation of hasher_t interface using the
+ * SHA1 algorithm.
+ *
+ * @b Constructors:
+ * - hasher_create() using HASH_SHA1 as algorithm
+ * - sha1_hasher_create()
+ *
+ * @see hasher_t
+ *
+ * @ingroup hashers
+ */
+struct sha1_hasher_t {
+
+ /**
+ * Generic hasher_t interface for this hasher.
+ */
+ hasher_t hasher_interface;
+};
+
+/**
+ * @brief Creates a new sha1_hasher_t.
+ *
+ * @return sha1_hasher_t object
+ *
+ * @ingroup hashers
+ */
+sha1_hasher_t *sha1_hasher_create(void);
+
+#endif /*SHA1_HASHER_H_*/
diff --git a/src/libstrongswan/crypto/hashers/sha2_hasher.c b/src/libstrongswan/crypto/hashers/sha2_hasher.c
new file mode 100644
index 000000000..b68972cec
--- /dev/null
+++ b/src/libstrongswan/crypto/hashers/sha2_hasher.c
@@ -0,0 +1,672 @@
+/**
+ * @file sha2_hasher.c
+ *
+ * @brief Implementation of hasher_sha_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2001 Jari Ruusu.
+ *
+ * Ported from strongSwans implementation written by Jari Ruusu.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "sha2_hasher.h"
+
+
+typedef struct private_sha512_hasher_t private_sha512_hasher_t;
+
+/**
+ * Private data structure with hasing context for SHA384 and SHA512
+ */
+struct private_sha512_hasher_t {
+ /**
+ * Public interface for this hasher.
+ */
+ sha2_hasher_t public;
+
+ unsigned char sha_out[128]; /* results are here, bytes 0..47/0..63 */
+ u_int64_t sha_H[8];
+ u_int64_t sha_blocks;
+ u_int64_t sha_blocksMSB;
+ int sha_bufCnt;
+};
+
+
+typedef struct private_sha256_hasher_t private_sha256_hasher_t;
+
+/**
+ * Private data structure with hasing context for SHA256
+ */
+struct private_sha256_hasher_t {
+ /**
+ * Public interface for this hasher.
+ */
+ sha2_hasher_t public;
+
+ unsigned char sha_out[64]; /* results are here, bytes 0...31 */
+ u_int32_t sha_H[8];
+ u_int64_t sha_blocks;
+ int sha_bufCnt;
+};
+
+
+static const u_int32_t sha256_hashInit[8] = {
+ 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c,
+ 0x1f83d9ab, 0x5be0cd19
+};
+
+static const u_int32_t sha256_K[64] = {
+ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
+ 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
+ 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
+ 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+ 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
+ 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
+ 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
+ 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+ 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
+ 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+ 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+};
+
+static const u_int64_t sha512_hashInit[8] = {
+ 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, 0x3c6ef372fe94f82bULL,
+ 0xa54ff53a5f1d36f1ULL, 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
+ 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
+};
+
+static const u_int64_t sha384_hashInit[8] = {
+ 0xcbbb9d5dc1059ed8ULL, 0x629a292a367cd507ULL, 0x9159015a3070dd17ULL,
+ 0x152fecd8f70e5939ULL, 0x67332667ffc00b31ULL, 0x8eb44a8768581511ULL,
+ 0xdb0c2e0d64f98fa7ULL, 0x47b5481dbefa4fa4ULL
+};
+
+static const u_int64_t sha512_K[80] = {
+ 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL,
+ 0xe9b5dba58189dbbcULL, 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
+ 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, 0xd807aa98a3030242ULL,
+ 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
+ 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL,
+ 0xc19bf174cf692694ULL, 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
+ 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, 0x2de92c6f592b0275ULL,
+ 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
+ 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL,
+ 0xbf597fc7beef0ee4ULL, 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
+ 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, 0x27b70a8546d22ffcULL,
+ 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
+ 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL,
+ 0x92722c851482353bULL, 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
+ 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, 0xd192e819d6ef5218ULL,
+ 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
+ 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL,
+ 0x34b0bcb5e19b48a8ULL, 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
+ 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, 0x748f82ee5defb2fcULL,
+ 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
+ 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL,
+ 0xc67178f2e372532bULL, 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
+ 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, 0x06f067aa72176fbaULL,
+ 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
+ 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL,
+ 0x431d67c49c100d4cULL, 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
+ 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
+};
+
+
+/* set macros for SHA256 */
+#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
+#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+#define R(x,y) ((y) >> (x))
+
+#define S(x,y) (((y) >> (x)) | ((y) << (32 - (x))))
+#define uSig0(x) ((S(2,(x))) ^ (S(13,(x))) ^ (S(22,(x))))
+#define uSig1(x) ((S(6,(x))) ^ (S(11,(x))) ^ (S(25,(x))))
+#define lSig0(x) ((S(7,(x))) ^ (S(18,(x))) ^ (R(3,(x))))
+#define lSig1(x) ((S(17,(x))) ^ (S(19,(x))) ^ (R(10,(x))))
+
+/**
+ * Single block SHA256 transformation
+ */
+static void sha256_transform(private_sha256_hasher_t *ctx,
+ const unsigned char *datap)
+{
+ register int j;
+ u_int32_t a, b, c, d, e, f, g, h;
+ u_int32_t T1, T2, W[64], Wm2, Wm15;
+
+ /* read the data, big endian byte order */
+ j = 0;
+ do {
+ W[j] = (((u_int32_t)(datap[0]))<<24) | (((u_int32_t)(datap[1]))<<16) |
+ (((u_int32_t)(datap[2]))<<8 ) | ((u_int32_t)(datap[3]));
+ datap += 4;
+ } while(++j < 16);
+
+ /* initialize variables a...h */
+ a = ctx->sha_H[0];
+ b = ctx->sha_H[1];
+ c = ctx->sha_H[2];
+ d = ctx->sha_H[3];
+ e = ctx->sha_H[4];
+ f = ctx->sha_H[5];
+ g = ctx->sha_H[6];
+ h = ctx->sha_H[7];
+
+ /* apply compression function */
+ j = 0;
+ do
+ {
+ if(j >= 16)
+ {
+ Wm2 = W[j - 2];
+ Wm15 = W[j - 15];
+ W[j] = lSig1(Wm2) + W[j - 7] + lSig0(Wm15) + W[j - 16];
+ }
+ T1 = h + uSig1(e) + Ch(e,f,g) + sha256_K[j] + W[j];
+ T2 = uSig0(a) + Maj(a,b,c);
+ h = g; g = f; f = e;
+ e = d + T1;
+ d = c; c = b; b = a;
+ a = T1 + T2;
+ } while(++j < 64);
+
+ /* compute intermediate hash value */
+ ctx->sha_H[0] += a;
+ ctx->sha_H[1] += b;
+ ctx->sha_H[2] += c;
+ ctx->sha_H[3] += d;
+ ctx->sha_H[4] += e;
+ ctx->sha_H[5] += f;
+ ctx->sha_H[6] += g;
+ ctx->sha_H[7] += h;
+
+ ctx->sha_blocks++;
+}
+
+/**
+ * Update SHA256 hash
+ */
+static void sha256_write(private_sha256_hasher_t *ctx,
+ const unsigned char *datap, int length)
+{
+ while(length > 0)
+ {
+ if(!ctx->sha_bufCnt)
+ {
+ while(length >= sizeof(ctx->sha_out))
+ {
+ sha256_transform(ctx, datap);
+ datap += sizeof(ctx->sha_out);
+ length -= sizeof(ctx->sha_out);
+ }
+ if(!length) return;
+ }
+ ctx->sha_out[ctx->sha_bufCnt] = *datap++;
+ length--;
+ if(++ctx->sha_bufCnt == sizeof(ctx->sha_out))
+ {
+ sha256_transform(ctx, &ctx->sha_out[0]);
+ ctx->sha_bufCnt = 0;
+ }
+ }
+}
+
+/**
+ * finalize SHA256 hash
+ */
+static void sha256_final(private_sha256_hasher_t *ctx)
+{
+ register int j;
+ u_int64_t bitLength;
+ u_int32_t i;
+ unsigned char padByte, *datap;
+
+ bitLength = (ctx->sha_blocks << 9) | (ctx->sha_bufCnt << 3);
+ padByte = 0x80;
+ sha256_write(ctx, &padByte, 1);
+
+ /* pad extra space with zeroes */
+ padByte = 0;
+ while(ctx->sha_bufCnt != 56)
+ {
+ sha256_write(ctx, &padByte, 1);
+ }
+
+ /* write bit length, big endian byte order */
+ ctx->sha_out[56] = bitLength >> 56;
+ ctx->sha_out[57] = bitLength >> 48;
+ ctx->sha_out[58] = bitLength >> 40;
+ ctx->sha_out[59] = bitLength >> 32;
+ ctx->sha_out[60] = bitLength >> 24;
+ ctx->sha_out[61] = bitLength >> 16;
+ ctx->sha_out[62] = bitLength >> 8;
+ ctx->sha_out[63] = bitLength;
+ sha256_transform(ctx, &ctx->sha_out[0]);
+
+ /* return results in ctx->sha_out[0...31] */
+ datap = &ctx->sha_out[0];
+ j = 0;
+ do {
+ i = ctx->sha_H[j];
+ datap[0] = i >> 24;
+ datap[1] = i >> 16;
+ datap[2] = i >> 8;
+ datap[3] = i;
+ datap += 4;
+ } while(++j < 8);
+}
+
+/* update macros for SHA512 */
+#undef S
+#undef uSig0
+#undef uSig1
+#undef lSig0
+#undef lSig1
+#define S(x,y) (((y) >> (x)) | ((y) << (64 - (x))))
+#define uSig0(x) ((S(28,(x))) ^ (S(34,(x))) ^ (S(39,(x))))
+#define uSig1(x) ((S(14,(x))) ^ (S(18,(x))) ^ (S(41,(x))))
+#define lSig0(x) ((S(1,(x))) ^ (S(8,(x))) ^ (R(7,(x))))
+#define lSig1(x) ((S(19,(x))) ^ (S(61,(x))) ^ (R(6,(x))))
+
+/**
+ * Single block SHA384/SHA512 transformation
+ */
+static void sha512_transform(private_sha512_hasher_t *ctx,
+ const unsigned char *datap)
+{
+ register int j;
+ u_int64_t a, b, c, d, e, f, g, h;
+ u_int64_t T1, T2, W[80], Wm2, Wm15;
+
+ /* read the data, big endian byte order */
+ j = 0;
+ do {
+ W[j] = (((u_int64_t)(datap[0]))<<56) | (((u_int64_t)(datap[1]))<<48) |
+ (((u_int64_t)(datap[2]))<<40) | (((u_int64_t)(datap[3]))<<32) |
+ (((u_int64_t)(datap[4]))<<24) | (((u_int64_t)(datap[5]))<<16) |
+ (((u_int64_t)(datap[6]))<<8 ) | ((u_int64_t)(datap[7]));
+ datap += 8;
+ } while(++j < 16);
+
+ /* initialize variables a...h */
+ a = ctx->sha_H[0];
+ b = ctx->sha_H[1];
+ c = ctx->sha_H[2];
+ d = ctx->sha_H[3];
+ e = ctx->sha_H[4];
+ f = ctx->sha_H[5];
+ g = ctx->sha_H[6];
+ h = ctx->sha_H[7];
+
+ /* apply compression function */
+ j = 0;
+ do {
+ if(j >= 16) {
+ Wm2 = W[j - 2];
+ Wm15 = W[j - 15];
+ W[j] = lSig1(Wm2) + W[j - 7] + lSig0(Wm15) + W[j - 16];
+ }
+ T1 = h + uSig1(e) + Ch(e,f,g) + sha512_K[j] + W[j];
+ T2 = uSig0(a) + Maj(a,b,c);
+ h = g; g = f; f = e;
+ e = d + T1;
+ d = c; c = b; b = a;
+ a = T1 + T2;
+ } while(++j < 80);
+
+ /* compute intermediate hash value */
+ ctx->sha_H[0] += a;
+ ctx->sha_H[1] += b;
+ ctx->sha_H[2] += c;
+ ctx->sha_H[3] += d;
+ ctx->sha_H[4] += e;
+ ctx->sha_H[5] += f;
+ ctx->sha_H[6] += g;
+ ctx->sha_H[7] += h;
+
+ ctx->sha_blocks++;
+ if(!ctx->sha_blocks) ctx->sha_blocksMSB++;
+}
+
+/**
+ * Update a SHA384/SHA512 hash
+ */
+static void sha512_write(private_sha512_hasher_t *ctx,
+ const unsigned char *datap, int length)
+{
+ while(length > 0)
+ {
+ if(!ctx->sha_bufCnt)
+ {
+ while(length >= sizeof(ctx->sha_out))
+ {
+ sha512_transform(ctx, datap);
+ datap += sizeof(ctx->sha_out);
+ length -= sizeof(ctx->sha_out);
+ }
+ if(!length) return;
+ }
+ ctx->sha_out[ctx->sha_bufCnt] = *datap++;
+ length--;
+ if(++ctx->sha_bufCnt == sizeof(ctx->sha_out))
+ {
+ sha512_transform(ctx, &ctx->sha_out[0]);
+ ctx->sha_bufCnt = 0;
+ }
+ }
+}
+
+/**
+ * Finalize a SHA384/SHA512 hash
+ */
+static void sha512_final(private_sha512_hasher_t *ctx)
+{
+ register int j;
+ u_int64_t bitLength, bitLengthMSB;
+ u_int64_t i;
+ unsigned char padByte, *datap;
+
+ bitLength = (ctx->sha_blocks << 10) | (ctx->sha_bufCnt << 3);
+ bitLengthMSB = (ctx->sha_blocksMSB << 10) | (ctx->sha_blocks >> 54);
+ padByte = 0x80;
+ sha512_write(ctx, &padByte, 1);
+
+ /* pad extra space with zeroes */
+ padByte = 0;
+ while(ctx->sha_bufCnt != 112)
+ {
+ sha512_write(ctx, &padByte, 1);
+ }
+
+ /* write bit length, big endian byte order */
+ ctx->sha_out[112] = bitLengthMSB >> 56;
+ ctx->sha_out[113] = bitLengthMSB >> 48;
+ ctx->sha_out[114] = bitLengthMSB >> 40;
+ ctx->sha_out[115] = bitLengthMSB >> 32;
+ ctx->sha_out[116] = bitLengthMSB >> 24;
+ ctx->sha_out[117] = bitLengthMSB >> 16;
+ ctx->sha_out[118] = bitLengthMSB >> 8;
+ ctx->sha_out[119] = bitLengthMSB;
+ ctx->sha_out[120] = bitLength >> 56;
+ ctx->sha_out[121] = bitLength >> 48;
+ ctx->sha_out[122] = bitLength >> 40;
+ ctx->sha_out[123] = bitLength >> 32;
+ ctx->sha_out[124] = bitLength >> 24;
+ ctx->sha_out[125] = bitLength >> 16;
+ ctx->sha_out[126] = bitLength >> 8;
+ ctx->sha_out[127] = bitLength;
+ sha512_transform(ctx, &ctx->sha_out[0]);
+
+ /* return results in ctx->sha_out[0...63] */
+ datap = &ctx->sha_out[0];
+ j = 0;
+ do {
+ i = ctx->sha_H[j];
+ datap[0] = i >> 56;
+ datap[1] = i >> 48;
+ datap[2] = i >> 40;
+ datap[3] = i >> 32;
+ datap[4] = i >> 24;
+ datap[5] = i >> 16;
+ datap[6] = i >> 8;
+ datap[7] = i;
+ datap += 8;
+ } while(++j < 8);
+}
+
+/**
+ * Implementation of hasher_t.get_hash for SHA256.
+ */
+static void get_hash256(private_sha256_hasher_t *this,
+ chunk_t chunk, u_int8_t *buffer)
+{
+ sha256_write(this, chunk.ptr, chunk.len);
+ if (buffer != NULL)
+ {
+ sha256_final(this);
+ memcpy(buffer, this->sha_out, HASH_SIZE_SHA256);
+ this->public.hasher_interface.reset(&(this->public.hasher_interface));
+ }
+}
+
+/**
+ * Implementation of hasher_t.get_hash for SHA384.
+ */
+static void get_hash384(private_sha512_hasher_t *this,
+ chunk_t chunk, u_int8_t *buffer)
+{
+ sha512_write(this, chunk.ptr, chunk.len);
+ if (buffer != NULL)
+ {
+ sha512_final(this);
+ memcpy(buffer, this->sha_out, HASH_SIZE_SHA384);
+ this->public.hasher_interface.reset(&(this->public.hasher_interface));
+ }
+}
+
+/**
+ * Implementation of hasher_t.get_hash for SHA512.
+ */
+static void get_hash512(private_sha512_hasher_t *this,
+ chunk_t chunk, u_int8_t *buffer)
+{
+ sha512_write(this, chunk.ptr, chunk.len);
+ if (buffer != NULL)
+ {
+ sha512_final(this);
+ memcpy(buffer, this->sha_out, HASH_SIZE_SHA512);
+ this->public.hasher_interface.reset(&(this->public.hasher_interface));
+ }
+}
+
+/**
+ * Implementation of hasher_t.allocate_hash for SHA256.
+ */
+static void allocate_hash256(private_sha256_hasher_t *this,
+ chunk_t chunk, chunk_t *hash)
+{
+ chunk_t allocated_hash;
+
+ sha256_write(this, chunk.ptr, chunk.len);
+ if (hash != NULL)
+ {
+ sha256_final(this);
+ allocated_hash = chunk_alloc(HASH_SIZE_SHA256);
+ memcpy(allocated_hash.ptr, this->sha_out, HASH_SIZE_SHA256);
+ this->public.hasher_interface.reset(&(this->public.hasher_interface));
+ *hash = allocated_hash;
+ }
+}
+
+/**
+ * Implementation of hasher_t.allocate_hash for SHA384.
+ */
+static void allocate_hash384(private_sha512_hasher_t *this,
+ chunk_t chunk, chunk_t *hash)
+{
+ chunk_t allocated_hash;
+
+ sha512_write(this, chunk.ptr, chunk.len);
+ if (hash != NULL)
+ {
+ sha512_final(this);
+ allocated_hash = chunk_alloc(HASH_SIZE_SHA384);
+ memcpy(allocated_hash.ptr, this->sha_out, HASH_SIZE_SHA384);
+ this->public.hasher_interface.reset(&(this->public.hasher_interface));
+ *hash = allocated_hash;
+ }
+}
+
+/**
+ * Implementation of hasher_t.allocate_hash for SHA512.
+ */
+static void allocate_hash512(private_sha512_hasher_t *this,
+ chunk_t chunk, chunk_t *hash)
+{
+ chunk_t allocated_hash;
+
+ sha512_write(this, chunk.ptr, chunk.len);
+ if (hash != NULL)
+ {
+ sha512_final(this);
+ allocated_hash = chunk_alloc(HASH_SIZE_SHA512);
+ memcpy(allocated_hash.ptr, this->sha_out, HASH_SIZE_SHA512);
+ this->public.hasher_interface.reset(&(this->public.hasher_interface));
+ *hash = allocated_hash;
+ }
+}
+
+/**
+ * Implementation of hasher_t.get_hash_size for SHA256.
+ */
+static size_t get_hash_size256(private_sha256_hasher_t *this)
+{
+ return HASH_SIZE_SHA256;
+}
+
+/**
+ * Implementation of hasher_t.get_hash_size for SHA384.
+ */
+static size_t get_hash_size384(private_sha512_hasher_t *this)
+{
+ return HASH_SIZE_SHA384;
+}
+
+/**
+ * Implementation of hasher_t.get_hash_size for SHA512.
+ */
+static size_t get_hash_size512(private_sha512_hasher_t *this)
+{
+ return HASH_SIZE_SHA512;
+}
+
+/**
+ * Implementation of hasher_t.reset for SHA256
+ */
+static void reset256(private_sha256_hasher_t *ctx)
+{
+ memcpy(&ctx->sha_H[0], &sha256_hashInit[0], sizeof(ctx->sha_H));
+ ctx->sha_blocks = 0;
+ ctx->sha_bufCnt = 0;
+}
+
+/**
+ * Implementation of hasher_t.reset for SHA384
+ */
+static void reset384(private_sha512_hasher_t *ctx)
+{
+ memcpy(&ctx->sha_H[0], &sha384_hashInit[0], sizeof(ctx->sha_H));
+ ctx->sha_blocks = 0;
+ ctx->sha_blocksMSB = 0;
+ ctx->sha_bufCnt = 0;
+}
+
+/**
+ * Implementation of hasher_t.reset for SHA512
+ */
+static void reset512(private_sha512_hasher_t *ctx)
+{
+ memcpy(&ctx->sha_H[0], &sha512_hashInit[0], sizeof(ctx->sha_H));
+ ctx->sha_blocks = 0;
+ ctx->sha_blocksMSB = 0;
+ ctx->sha_bufCnt = 0;
+}
+
+/**
+ * Implementation of hasher_t.get_state for SHA256
+ */
+static chunk_t get_state256(private_sha256_hasher_t *ctx)
+{
+ chunk_t chunk;
+ chunk.ptr = (u_char*)&ctx->sha_H[0];
+ chunk.len = HASH_SIZE_SHA256;
+ return chunk;
+}
+
+/**
+ * Implementation of hasher_t.get_state for SHA384
+ */
+static chunk_t get_state384(private_sha512_hasher_t *ctx)
+{
+ chunk_t chunk;
+ chunk.ptr = (u_char*)&ctx->sha_H[0];
+ chunk.len = HASH_SIZE_SHA384;
+ return chunk;
+}
+/**
+ * Implementation of hasher_t.get_state for SHA512
+ */
+static chunk_t get_state512(private_sha512_hasher_t *ctx)
+{
+ chunk_t chunk;
+ chunk.ptr = (u_char*)&ctx->sha_H[0];
+ chunk.len = HASH_SIZE_SHA512;
+ return chunk;
+}
+
+/**
+ * Implementation of hasher_t.destroy.
+ */
+static void destroy(sha2_hasher_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm)
+{
+ sha2_hasher_t *this;
+
+ switch (algorithm)
+ {
+ case HASH_SHA256:
+ this = (sha2_hasher_t*)malloc_thing(private_sha256_hasher_t);
+ this->hasher_interface.reset = (void(*)(hasher_t*))reset256;
+ this->hasher_interface.get_state = (chunk_t(*)(hasher_t*))get_state256;
+ this->hasher_interface.get_hash_size = (size_t(*)(hasher_t*))get_hash_size256;
+ this->hasher_interface.get_hash = (void(*)(hasher_t*,chunk_t,u_int8_t*))get_hash256;
+ this->hasher_interface.allocate_hash = (void(*)(hasher_t*,chunk_t,chunk_t*))allocate_hash256;
+ break;
+ case HASH_SHA384:
+ /* uses SHA512 data structure */
+ this = (sha2_hasher_t*)malloc_thing(private_sha512_hasher_t);
+ this->hasher_interface.reset = (void(*)(hasher_t*))reset384;
+ this->hasher_interface.get_state = (chunk_t(*)(hasher_t*))get_state384;
+ this->hasher_interface.get_hash_size = (size_t(*)(hasher_t*))get_hash_size384;
+ this->hasher_interface.get_hash = (void(*)(hasher_t*,chunk_t,u_int8_t*))get_hash384;
+ this->hasher_interface.allocate_hash = (void(*)(hasher_t*,chunk_t,chunk_t*))allocate_hash384;
+ break;
+ case HASH_SHA512:
+ this = (sha2_hasher_t*)malloc_thing(private_sha512_hasher_t);
+ this->hasher_interface.reset = (void(*)(hasher_t*))reset512;
+ this->hasher_interface.get_state = (chunk_t(*)(hasher_t*))get_state512;
+ this->hasher_interface.get_hash_size = (size_t(*)(hasher_t*))get_hash_size512;
+ this->hasher_interface.get_hash = (void(*)(hasher_t*,chunk_t,u_int8_t*))get_hash512;
+ this->hasher_interface.allocate_hash = (void(*)(hasher_t*,chunk_t,chunk_t*))allocate_hash512;
+ break;
+ default:
+ return NULL;
+ }
+ this->hasher_interface.destroy = (void(*)(hasher_t*))destroy;
+
+ /* initialize */
+ this->hasher_interface.reset(&this->hasher_interface);
+
+ return this;
+}
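Review bot: `sha256_write` and `sha512_write` take the byte count as `int length`, while the `get_hash*` and `allocate_hash*` functions pass `chunk.len` into it unchanged. chunk_t is declared outside this hunk, but if its length is unsigned and wider than `int`, a large value is truncated or turns negative, `while(length > 0)` can exit early, and the digest returned covers less data than the caller supplied, with no error reported. Declaring the parameter as `size_t length` in both functions keeps every comparison in the body (`length >= sizeof(ctx->sha_out)`, `length--`) in one unsigned type. Also worth confirming: `get_state384` reports `HASH_SIZE_SHA384` bytes (presumably 48, going by the `sha_out` comment) although `sha_H` is eight 64-bit words, whereas the MD5 and SHA-1 hashers in this commit use `sizeof(this->state)`.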
diff --git a/src/libstrongswan/crypto/hashers/sha2_hasher.h b/src/libstrongswan/crypto/hashers/sha2_hasher.h
new file mode 100644
index 000000000..91e82fedb
--- /dev/null
+++ b/src/libstrongswan/crypto/hashers/sha2_hasher.h
@@ -0,0 +1,62 @@
+/**
+ * @file sha2_hasher.h
+ *
+ * @brief Interface of sha2_hasher_t
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef SHA2_HASHER_H_
+#define SHA2_HASHER_H_
+
+typedef struct sha2_hasher_t sha2_hasher_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * @brief Implementation of hasher_t interface using the SHA2 algorithms.
+ *
+ * SHA2 is an other name for the SHA-256, SHA-384 and SHA-512 variants of
+ * the SHA hash algorithm.
+ *
+ * @b Constructors:
+ * - hasher_create() using HASH_SHA256, HASH_SHA384 or HASH_SHA512 as algorithm
+ * - sha2_hasher_create()
+ *
+ * @see hasher_t
+ *
+ * @ingroup hashers
+ */
+struct sha2_hasher_t {
+
+ /**
+ * Generic hasher_t interface for this hasher.
+ */
+ hasher_t hasher_interface;
+};
+
+/**
+ * @brief Creates a new sha2_hasher_t.
+ *
+ * @param algorithm HASH_SHA256, HASH_SHA384 or HASH_SHA512
+ * @return sha2_hasher_t object
+ *
+ * @ingroup hashers
+ */
+sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm);
+
+#endif /* SHA2_HASHER_H_ */
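Review bot: The `@return` line for `sha2_hasher_create()` says only `sha2_hasher_t object`, but the implementation in sha2_hasher.c returns NULL from the `default:` case for any other `hash_algorithm_t` value. A caller reading the header has no hint that the result needs a NULL check before `hasher_interface` is dereferenced. I would change the line to `@return sha2_hasher_t object, NULL if algorithm is not supported`.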
diff --git a/src/libstrongswan/crypto/hmac.c b/src/libstrongswan/crypto/hmac.c
new file mode 100644
index 000000000..df4f90bc8
--- /dev/null
+++ b/src/libstrongswan/crypto/hmac.c
@@ -0,0 +1,215 @@
+/**
+ * @file hmac.c
+ *
+ * @brief Implementation of hmac_t.
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General hmac License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General hmac License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "hmac.h"
+
+
+typedef struct private_hmac_t private_hmac_t;
+
+/**
+ * Private data of a hmac_t object.
+ *
+ * The variable names are the same as in the RFC.
+ */
+struct private_hmac_t {
+ /**
+ * Public hmac_t interface.
+ */
+ hmac_t hmac;
+
+ /**
+ * Block size, as in RFC.
+ */
+ u_int8_t b;
+
+ /**
+ * Hash function.
+ */
+ hasher_t *h;
+
+ /**
+ * Previously xor'ed key using opad.
+ */
+ chunk_t opaded_key;
+
+ /**
+ * Previously xor'ed key using ipad.
+ */
+ chunk_t ipaded_key;
+};
+
+/**
+ * Implementation of hmac_t.get_mac.
+ */
+static void get_mac(private_hmac_t *this, chunk_t data, u_int8_t *out)
+{
+ /* H(K XOR opad, H(K XOR ipad, text))
+ *
+ * if out is NULL, we append text to the inner hash.
+ * else, we complete the inner and do the outer.
+ *
+ */
+
+ u_int8_t buffer[this->h->get_hash_size(this->h)];
+ chunk_t inner;
+
+ if (out == NULL)
+ {
+ /* append data to inner */
+ this->h->get_hash(this->h, data, NULL);
+ }
+ else
+ {
+ /* append and do outer hash */
+ inner.ptr = buffer;
+ inner.len = this->h->get_hash_size(this->h);
+
+ /* complete inner */
+ this->h->get_hash(this->h, data, buffer);
+
+ /* do outer */
+ this->h->get_hash(this->h, this->opaded_key, NULL);
+ this->h->get_hash(this->h, inner, out);
+
+ /* reinit for next call */
+ this->h->get_hash(this->h, this->ipaded_key, NULL);
+ }
+}
+
+/**
+ * Implementation of hmac_t.allocate_mac.
+ */
+static void allocate_mac(private_hmac_t *this, chunk_t data, chunk_t *out)
+{
+ /* allocate space and use get_mac */
+ if (out == NULL)
+ {
+ /* append mode */
+ this->hmac.get_mac(&(this->hmac), data, NULL);
+ }
+ else
+ {
+ out->len = this->h->get_hash_size(this->h);
+ out->ptr = malloc(out->len);
+ this->hmac.get_mac(&(this->hmac), data, out->ptr);
+ }
+}
+
+/**
+ * Implementation of hmac_t.get_block_size.
+ */
+static size_t get_block_size(private_hmac_t *this)
+{
+ return this->h->get_hash_size(this->h);
+}
+
+/**
+ * Implementation of hmac_t.set_key.
+ */
+static void set_key(private_hmac_t *this, chunk_t key)
+{
+ int i;
+ u_int8_t buffer[this->b];
+
+ memset(buffer, 0, this->b);
+
+ if (key.len > this->b)
+ {
+ /* if key is too long, it will be hashed */
+ this->h->get_hash(this->h, key, buffer);
+ }
+ else
+ {
+ /* if not, just copy it in our pre-padded k */
+ memcpy(buffer, key.ptr, key.len);
+ }
+
+ /* apply ipad and opad to key */
+ for (i = 0; i < this->b; i++)
+ {
+ this->ipaded_key.ptr[i] = buffer[i] ^ 0x36;
+ this->opaded_key.ptr[i] = buffer[i] ^ 0x5C;
+ }
+
+ /* begin hashing of inner pad */
+ this->h->reset(this->h);
+ this->h->get_hash(this->h, this->ipaded_key, NULL);
+}
+
+/**
+ * Implementation of hmac_t.destroy.
+ */
+static void destroy(private_hmac_t *this)
+{
+ this->h->destroy(this->h);
+ free(this->opaded_key.ptr);
+ free(this->ipaded_key.ptr);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+hmac_t *hmac_create(hash_algorithm_t hash_algorithm)
+{
+ private_hmac_t *this;
+
+ this = malloc_thing(private_hmac_t);
+
+ /* set hmac_t methods */
+ this->hmac.get_mac = (void (*)(hmac_t *,chunk_t,u_int8_t*))get_mac;
+ this->hmac.allocate_mac = (void (*)(hmac_t *,chunk_t,chunk_t*))allocate_mac;
+ this->hmac.get_block_size = (size_t (*)(hmac_t *))get_block_size;
+ this->hmac.set_key = (void (*)(hmac_t *,chunk_t))set_key;
+ this->hmac.destroy = (void (*)(hmac_t *))destroy;
+
+ /* set b, according to hasher */
+ switch (hash_algorithm)
+ {
+ case HASH_SHA1:
+ case HASH_MD5:
+ case HASH_SHA256:
+ this->b = 64;
+ break;
+ case HASH_SHA384:
+ case HASH_SHA512:
+ this->b = 128;
+ break;
+ default:
+ free(this);
+ return NULL;
+ }
+
+ /* build the hasher */
+ this->h = hasher_create(hash_algorithm);
+
+ /* build ipad and opad */
+ this->opaded_key.ptr = malloc(this->b);
+ this->opaded_key.len = this->b;
+
+ this->ipaded_key.ptr = malloc(this->b);
+ this->ipaded_key.len = this->b;
+
+ return &(this->hmac);
+}
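Review bot: In `set_key`, the long-key branch calls `this->h->get_hash(this->h, key, buffer)` before `this->h->reset(this->h)`, so on an hmac_t that was already keyed the hasher still holds the ipad block appended by the previous `set_key` or by the "reinit for next call" step in `get_mac`. The derived key would then be a hash over the old ipad block plus the new key rather than over the key alone. Calling `this->h->reset(this->h);` as the first statement of that branch fixes it. The stack copy `buffer` in `set_key` and the `ipaded_key`/`opaded_key` buffers freed in `destroy` hold key material and are never cleared; wiping them before return and before `free` (with a wipe the compiler cannot elide) would limit key exposure in released memory. `hmac_create` also uses the results of `hasher_create` and `malloc` without a NULL check.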
diff --git a/src/libstrongswan/crypto/hmac.h b/src/libstrongswan/crypto/hmac.h
new file mode 100644
index 000000000..d320bc5aa
--- /dev/null
+++ b/src/libstrongswan/crypto/hmac.h
@@ -0,0 +1,117 @@
+/**
+ * @file hmac.h
+ *
+ * @brief Interface of hmac_t.
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef HMAC_H_
+#define HMAC_H_
+
+typedef struct hmac_t hmac_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * @brief Message authentication using hash functions.
+ *
+ * This class implements the message authenticaion algorithm
+ * described in RFC2104. It uses a hash function, wich must
+ * be implemented as a hasher_t class.
+ *
+ * See http://www.faqs.org/rfcs/rfc2104.html for RFC.
+ * @see
+ * - hasher_t
+ * - prf_hmac_t
+ *
+ * @b Constructors:
+ * - hmac_create()
+ *
+ * @ingroup transforms
+ */
+struct hmac_t {
+ /**
+ * @brief Generate message authentication code.
+ *
+ * If buffer is NULL, no result is given back. A next call will
+ * append the data to already supplied data. If buffer is not NULL,
+ * the mac of all apended data is calculated, returned and the
+ * state of the hmac_t is reseted.
+ *
+ * @param this calling object
+ * @param data chunk of data to authenticate
+ * @param[out] buffer pointer where the generated bytes will be written
+ */
+ void (*get_mac) (hmac_t *this, chunk_t data, u_int8_t *buffer);
+
+ /**
+ * @brief Generates message authentication code and
+ * allocate space for them.
+ *
+ * If chunk is NULL, no result is given back. A next call will
+ * append the data to already supplied. If chunk is not NULL,
+ * the mac of all apended data is calculated, returned and the
+ * state of the hmac_t reset;
+ *
+ * @param this calling object
+ * @param data chunk of data to authenticate
+ * @param[out] chunk chunk which will hold generated bytes
+ */
+ void (*allocate_mac) (hmac_t *this, chunk_t data, chunk_t *chunk);
+
+ /**
+ * @brief Get the block size of this hmac_t object.
+ *
+ * @param this calling object
+ * @return block size in bytes
+ */
+ size_t (*get_block_size) (hmac_t *this);
+
+ /**
+ * @brief Set the key for this hmac_t object.
+ *
+ * Any key length is accepted.
+ *
+ * @param this calling object
+ * @param key key to set
+ */
+ void (*set_key) (hmac_t *this, chunk_t key);
+
+ /**
+ * @brief Destroys a hmac_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (hmac_t *this);
+};
+
+/**
+ * @brief Creates a new hmac_t object.
+ *
+ * Creates a hasher_t object internally.
+ *
+ * @param hash_algorithm hash algorithm to use
+ * @return
+ * - hmac_t object
+ * - NULL if hash algorithm is not supported
+ *
+ * @ingroup transforms
+ */
+hmac_t *hmac_create(hash_algorithm_t hash_algorithm);
+
+#endif /*HMAC_H_*/
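Review bot: The `get_mac` documentation does not say how large `buffer` must be, although hmac.c in this commit writes a full digest into it. The parameter line should state the requirement, e.g. `@param[out] buffer  pointer where the generated bytes will be written, must hold get_block_size() bytes`. Relatedly, `get_block_size` is documented as "block size in bytes" while the implementation returns the hasher's hash size rather than the RFC 2104 block length; wording such as "size of the generated MAC in bytes" would keep callers from sizing buffers by the wrong quantity. The `allocate_mac` comment should also note that the caller owns `chunk->ptr` and must free it.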
diff --git a/src/libstrongswan/crypto/ocsp.c b/src/libstrongswan/crypto/ocsp.c
new file mode 100644
index 000000000..471996c8e
--- /dev/null
+++ b/src/libstrongswan/crypto/ocsp.c
@@ -0,0 +1,924 @@
+/**
+ * @file ocsp.c
+ *
+ * @brief Implementation of ocsp_t.
+ *
+ */
+
+/* Support of the Online Certificate Status Protocol (OCSP)
+ * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
+ * Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ */
+
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <utils/identification.h>
+#include <utils/randomizer.h>
+#include <utils/fetcher.h>
+#include <debug.h>
+
+#include "hashers/hasher.h"
+#include "rsa/rsa_public_key.h"
+#include "certinfo.h"
+#include "x509.h"
+#include "ocsp.h"
+
+#define NONCE_LENGTH 16
+
+typedef struct private_ocsp_t private_ocsp_t;
+
+/**
+ * Private data of a ocsp_t object.
+ */
+struct private_ocsp_t {
+ /**
+ * Public interface for this ocsp object.
+ */
+ ocsp_t public;
+
+ /**
+ * CA certificate.
+ */
+ x509_t *cacert;
+
+ /**
+ * Requestor certificate
+ */
+ x509_t *requestor_cert;
+
+ /**
+ * Linked list of ocsp uris
+ */
+ linked_list_t *uris;
+
+ /**
+ * Linked list of certinfos to be requested
+ */
+ linked_list_t *certinfos;
+
+ /**
+ * Nonce required for ocsp request and response
+ */
+ chunk_t nonce;
+
+ /**
+ * SHA-1 hash over issuer distinguished name
+ */
+ chunk_t authNameID;
+
+ /**
+ * SHA-1 hash over issuer public key
+ */
+ chunk_t authKeyID;
+};
+
+ENUM(response_status_names, STATUS_SUCCESSFUL, STATUS_UNAUTHORIZED,
+ "successful",
+ "malformed request",
+ "internal error",
+ "try later",
+ "signature required",
+ "unauthorized"
+);
+
+/* response container */
+typedef struct response_t response_t;
+
+struct response_t {
+ chunk_t chunk;
+ chunk_t tbs;
+ identification_t *responder_id_name;
+ chunk_t responder_id_key;
+ time_t produced_at;
+ chunk_t responses;
+ chunk_t nonce;
+ int algorithm;
+ chunk_t signature;
+ x509_t *responder_cert;
+
+ /**
+ * @brief Destroys the response_t object
+ *
+ * @param this response_t to destroy
+ */
+ void (*destroy) (response_t *this);
+};
+
+/**
+ * Implements response_t.destroy.
+ */
+static void response_destroy(response_t *this)
+{
+ DESTROY_IF(this->responder_id_name);
+ DESTROY_IF(this->responder_cert);
+ free(this->chunk.ptr);
+ free(this);
+}
+
+/**
+ * Creates a response_t object
+ */
+static response_t* response_create_from_chunk(chunk_t chunk)
+{
+ response_t *this = malloc_thing(response_t);
+
+ this->chunk = chunk;
+ this->tbs = chunk_empty;
+ this->responder_id_name = NULL;
+ this->responder_id_key = chunk_empty;
+ this->produced_at = UNDEFINED_TIME;
+ this->responses = chunk_empty;
+ this->nonce = chunk_empty;
+ this->algorithm = OID_UNKNOWN;
+ this->signature = chunk_empty;
+ this->responder_cert = NULL;
+
+ this->destroy = (void (*) (response_t*))response_destroy;
+
+ return this;
+}
+
+/* some OCSP specific prefabricated ASN.1 constants */
+
+static u_char ASN1_nonce_oid_str[] = {
+ 0x06, 0x09,
+ 0x2B, 0x06,
+ 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
+};
+
+static u_char ASN1_response_oid_str[] = {
+ 0x06, 0x09,
+ 0x2B, 0x06,
+ 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
+};
+
+static u_char ASN1_response_content_str[] = {
+ 0x04, 0x0D,
+ 0x30, 0x0B,
+ 0x06, 0x09,
+ 0x2B, 0x06,
+ 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+};
+
+static const chunk_t ASN1_nonce_oid = chunk_from_buf(ASN1_nonce_oid_str);
+static const chunk_t ASN1_response_oid = chunk_from_buf(ASN1_response_oid_str);
+static const chunk_t ASN1_response_content = chunk_from_buf(ASN1_response_content_str);
+
+/* asn.1 definitions for parsing */
+
+static const asn1Object_t ocspResponseObjects[] = {
+ { 0, "OCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "responseStatus", ASN1_ENUMERATED, ASN1_BODY }, /* 1 */
+ { 1, "responseBytesContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 2 */
+ { 2, "responseBytes", ASN1_SEQUENCE, ASN1_NONE }, /* 3 */
+ { 3, "responseType", ASN1_OID, ASN1_BODY }, /* 4 */
+ { 3, "response", ASN1_OCTET_STRING, ASN1_BODY }, /* 5 */
+ { 1, "end opt", ASN1_EOC, ASN1_END } /* 6 */
+};
+
+#define OCSP_RESPONSE_STATUS 1
+#define OCSP_RESPONSE_TYPE 4
+#define OCSP_RESPONSE 5
+#define OCSP_RESPONSE_ROOF 7
+
+static const asn1Object_t basicResponseObjects[] = {
+ { 0, "BasicOCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "tbsResponseData", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
+ { 2, "versionContext", ASN1_CONTEXT_C_0, ASN1_NONE |
+ ASN1_DEF }, /* 2 */
+ { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
+ { 2, "responderIdContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 4 */
+ { 3, "responderIdByName", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
+ { 2, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
+ { 2, "responderIdContext", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 7 */
+ { 3, "responderIdByKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 8 */
+ { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
+ { 2, "producedAt", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 10 */
+ { 2, "responses", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */
+ { 2, "responseExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
+ { 3, "responseExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 13 */
+ { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 14 */
+ { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 15 */
+ { 5, "critical", ASN1_BOOLEAN, ASN1_BODY |
+ ASN1_DEF }, /* 16 */
+ { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 17 */
+ { 4, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
+ { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 20 */
+ { 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 21 */
+ { 1, "certsContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 22 */
+ { 2, "certs", ASN1_SEQUENCE, ASN1_LOOP }, /* 23 */
+ { 3, "certificate", ASN1_SEQUENCE, ASN1_RAW }, /* 24 */
+ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
+ { 1, "end opt", ASN1_EOC, ASN1_END } /* 26 */
+};
+
+#define BASIC_RESPONSE_TBS_DATA 1
+#define BASIC_RESPONSE_VERSION 3
+#define BASIC_RESPONSE_ID_BY_NAME 5
+#define BASIC_RESPONSE_ID_BY_KEY 8
+#define BASIC_RESPONSE_PRODUCED_AT 10
+#define BASIC_RESPONSE_RESPONSES 11
+#define BASIC_RESPONSE_EXT_ID 15
+#define BASIC_RESPONSE_CRITICAL 16
+#define BASIC_RESPONSE_EXT_VALUE 17
+#define BASIC_RESPONSE_ALGORITHM 20
+#define BASIC_RESPONSE_SIGNATURE 21
+#define BASIC_RESPONSE_CERTIFICATE 24
+#define BASIC_RESPONSE_ROOF 27
+
+static const asn1Object_t responsesObjects[] = {
+ { 0, "responses", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "singleResponse", ASN1_EOC, ASN1_RAW }, /* 1 */
+ { 0, "end loop", ASN1_EOC, ASN1_END } /* 2 */
+};
+
+#define RESPONSES_SINGLE_RESPONSE 1
+#define RESPONSES_ROOF 3
+
+static const asn1Object_t singleResponseObjects[] = {
+ { 0, "singleResponse", ASN1_SEQUENCE, ASN1_BODY }, /* 0 */
+ { 1, "certID", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+ { 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 2 */
+ { 2, "issuerNameHash", ASN1_OCTET_STRING, ASN1_BODY }, /* 3 */
+ { 2, "issuerKeyHash", ASN1_OCTET_STRING, ASN1_BODY }, /* 4 */
+ { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 5 */
+ { 1, "certStatusGood", ASN1_CONTEXT_S_0, ASN1_OPT }, /* 6 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
+ { 1, "certStatusRevoked", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 8 */
+ { 2, "revocationTime", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 9 */
+ { 2, "revocationReason", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 10 */
+ { 3, "crlReason", ASN1_ENUMERATED, ASN1_BODY }, /* 11 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 12 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 13 */
+ { 1, "certStatusUnknown", ASN1_CONTEXT_S_2, ASN1_OPT }, /* 14 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 15 */
+ { 1, "thisUpdate", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 16 */
+ { 1, "nextUpdateContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 17 */
+ { 2, "nextUpdate", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 18 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
+ { 1, "singleExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 20 */
+ { 2, "singleExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 21 */
+ { 3, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 22 */
+ { 4, "extnID", ASN1_OID, ASN1_BODY }, /* 23 */
+ { 4, "critical", ASN1_BOOLEAN, ASN1_BODY |
+ ASN1_DEF }, /* 24 */
+ { 4, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 25 */
+ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 26 */
+ { 1, "end opt", ASN1_EOC, ASN1_END } /* 27 */
+};
+
+#define SINGLE_RESPONSE_ALGORITHM 2
+#define SINGLE_RESPONSE_ISSUER_NAME_HASH 3
+#define SINGLE_RESPONSE_ISSUER_KEY_HASH 4
+#define SINGLE_RESPONSE_SERIAL_NUMBER 5
+#define SINGLE_RESPONSE_CERT_STATUS_GOOD 6
+#define SINGLE_RESPONSE_CERT_STATUS_REVOKED 8
+#define SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME 9
+#define SINGLE_RESPONSE_CERT_STATUS_CRL_REASON 11
+#define SINGLE_RESPONSE_CERT_STATUS_UNKNOWN 14
+#define SINGLE_RESPONSE_THIS_UPDATE 16
+#define SINGLE_RESPONSE_NEXT_UPDATE 18
+#define SINGLE_RESPONSE_EXT_ID 23
+#define SINGLE_RESPONSE_CRITICAL 24
+#define SINGLE_RESPONSE_EXT_VALUE 25
+#define SINGLE_RESPONSE_ROOF 28
+
+/**
+ * build requestorName (into TBSRequest)
+ */
+static chunk_t build_requestor_name(private_ocsp_t *this)
+{
+ identification_t *requestor_name = this->requestor_cert->get_subject(this->requestor_cert);
+
+ return asn1_wrap(ASN1_CONTEXT_C_1, "m",
+ asn1_simple_object(ASN1_CONTEXT_C_4,
+ requestor_name->get_encoding(requestor_name)));
+}
+
+/**
+ * build request (into requestList)
+ * no singleRequestExtensions used
+ */
+static chunk_t build_request(private_ocsp_t *this, certinfo_t *certinfo)
+{
+ chunk_t serialNumber = certinfo->get_serialNumber(certinfo);
+
+ chunk_t reqCert = asn1_wrap(ASN1_SEQUENCE, "cmmm",
+ ASN1_sha1_id,
+ asn1_simple_object(ASN1_OCTET_STRING, this->authNameID),
+ asn1_simple_object(ASN1_OCTET_STRING, this->authKeyID),
+ asn1_simple_object(ASN1_INTEGER, serialNumber));
+
+ return asn1_wrap(ASN1_SEQUENCE, "m", reqCert);
+}
+
+/**
+ * build requestList (into TBSRequest)
+ */
+static chunk_t build_request_list(private_ocsp_t *this)
+{
+ chunk_t requestList;
+ size_t datalen = 0;
+ linked_list_t *request_list = linked_list_create();
+
+ {
+ iterator_t *iterator = this->certinfos->create_iterator(this->certinfos, TRUE);
+ certinfo_t *certinfo;
+
+ while (iterator->iterate(iterator, (void**)&certinfo))
+ {
+ chunk_t *request = malloc_thing(chunk_t);
+
+ *request = build_request(this, certinfo);
+ request_list->insert_last(request_list, (void*)request);
+ datalen += request->len;
+ }
+ iterator->destroy(iterator);
+ }
+ {
+ iterator_t *iterator = request_list->create_iterator(request_list, TRUE);
+ chunk_t *request;
+
+ u_char *pos = build_asn1_object(&requestList, ASN1_SEQUENCE, datalen);
+
+ while (iterator->iterate(iterator, (void**)&request))
+ {
+ memcpy(pos, request->ptr, request->len);
+ pos += request->len;
+ free(request->ptr);
+ free(request);
+ }
+ iterator->destroy(iterator);
+ request_list->destroy(request_list);
+ }
+ return requestList;
+}
+
+/**
+ * build nonce extension (into requestExtensions)
+ */
+static chunk_t build_nonce_extension(private_ocsp_t *this)
+{
+ randomizer_t *randomizer = randomizer_create();
+
+ /* generate a random nonce */
+ randomizer->allocate_pseudo_random_bytes(randomizer, NONCE_LENGTH, &this->nonce);
+ randomizer->destroy(randomizer);
+
+ return asn1_wrap(ASN1_SEQUENCE, "cm",
+ ASN1_nonce_oid,
+ asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
+}
+
+/**
+ * build requestExtensions (into TBSRequest)
+ */
+static chunk_t build_request_ext(private_ocsp_t *this)
+{
+ return asn1_wrap(ASN1_CONTEXT_C_2, "m",
+ asn1_wrap(ASN1_SEQUENCE, "mm",
+ build_nonce_extension(this),
+ asn1_wrap(ASN1_SEQUENCE, "cc",
+ ASN1_response_oid,
+ ASN1_response_content
+ )
+ )
+ );
+}
+
+/**
+ * build TBSRequest (into OCSPRequest)
+ */
+static chunk_t build_tbs_request(private_ocsp_t *this, bool has_requestor_cert)
+{
+ /* version is skipped since the default is ok */
+ return asn1_wrap(ASN1_SEQUENCE, "mmm",
+ (has_requestor_cert)? build_requestor_name(this): chunk_empty,
+ build_request_list(this),
+ build_request_ext(this));
+}
+
+/**
+ * build signature into ocsp request
+ * gets built only if a request cert with a corresponding private key is found
+ */
+static chunk_t build_signature(private_ocsp_t *this, chunk_t tbsRequest)
+{
+ /* TODO */
+ return chunk_empty;
+}
+
+/**
+ * assembles an ocsp request and sets the nonce field in private_ocsp_t to the sent nonce
+ */
+static chunk_t ocsp_build_request(private_ocsp_t *this)
+{
+ bool has_requestor_cert;
+ chunk_t keyid = this->cacert->get_keyid(this->cacert);
+ chunk_t tbsRequest, signature;
+
+ DBG2("assembling ocsp request");
+ DBG2("issuer: '%D'", this->cacert->get_subject(this->cacert));
+ DBG2("keyid: %#B", &keyid);
+
+ /* looks for requestor cert and matching private key */
+ has_requestor_cert = FALSE;
+
+ /* TODO has_requestor_cert = get_ocsp_requestor_cert(location); */
+
+ /* build content */
+ tbsRequest = build_tbs_request(this, has_requestor_cert);
+
+ /* sign tbsReuqest */
+ signature = (has_requestor_cert)? build_signature(this, tbsRequest): chunk_empty;
+
+ return asn1_wrap(ASN1_SEQUENCE, "mm",
+ tbsRequest,
+ signature);
+
+ return signature;
+}
+
+/**
+ * parse a basic OCSP response
+ */
+static bool ocsp_parse_basic_response(chunk_t blob, int level0, response_t *res)
+{
+ u_int level, version;
+ u_int extn_oid = OID_UNKNOWN;
+ asn1_ctx_t ctx;
+ bool critical;
+ chunk_t object;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+
+ while (objectID < BASIC_RESPONSE_ROOF)
+ {
+ if (!extract_object(basicResponseObjects, &objectID, &object, &level, &ctx))
+ {
+ return FALSE;
+ }
+
+ switch (objectID)
+ {
+ case BASIC_RESPONSE_TBS_DATA:
+ res->tbs = object;
+ break;
+ case BASIC_RESPONSE_VERSION:
+ version = (object.len)? (1 + (u_int)*object.ptr) : 1;
+ if (version != OCSP_BASIC_RESPONSE_VERSION)
+ {
+ DBG1("wrong ocsp basic response version (version= %i)", version);
+ return FALSE;
+ }
+ break;
+ case BASIC_RESPONSE_ID_BY_NAME:
+ res->responder_id_name = identification_create_from_encoding(ID_DER_ASN1_DN, object);
+ DBG2(" '%D'", res->responder_id_name);
+ break;
+ case BASIC_RESPONSE_ID_BY_KEY:
+ res->responder_id_key = object;
+ break;
+ case BASIC_RESPONSE_PRODUCED_AT:
+ res->produced_at = asn1totime(&object, ASN1_GENERALIZEDTIME);
+ break;
+ case BASIC_RESPONSE_RESPONSES:
+ res->responses = object;
+ break;
+ case BASIC_RESPONSE_EXT_ID:
+ extn_oid = known_oid(object);
+ break;
+ case BASIC_RESPONSE_CRITICAL:
+ critical = object.len && *object.ptr;
+ DBG2(" %s", critical? "TRUE" : "FALSE");
+ break;
+ case BASIC_RESPONSE_EXT_VALUE:
+ if (extn_oid == OID_NONCE)
+ res->nonce = object;
+ break;
+ case BASIC_RESPONSE_ALGORITHM:
+ res->algorithm = parse_algorithmIdentifier(object, level+1, NULL);
+ break;
+ case BASIC_RESPONSE_SIGNATURE:
+ res->signature = object;
+ break;
+ case BASIC_RESPONSE_CERTIFICATE:
+ {
+ chunk_t blob = chunk_clone(object);
+
+ res->responder_cert = x509_create_from_chunk(blob, level+1);
+ }
+ break;
+ }
+ objectID++;
+ }
+ return TRUE;
+}
+
+/**
+ * parse an ocsp response and return the result as a response_t struct
+ */
+static response_status ocsp_parse_response(response_t *res)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ response_status rStatus = STATUS_INTERNALERROR;
+ u_int ocspResponseType = OID_UNKNOWN;
+
+ asn1_init(&ctx, res->chunk, 0, FALSE, FALSE);
+
+ while (objectID < OCSP_RESPONSE_ROOF)
+ {
+ if (!extract_object(ocspResponseObjects, &objectID, &object, &level, &ctx))
+ {
+ return STATUS_INTERNALERROR;
+ }
+
+ switch (objectID)
+ {
+ case OCSP_RESPONSE_STATUS:
+ rStatus = (response_status) *object.ptr;
+ DBG2(" '%N'", response_status_names, rStatus);
+
+ switch (rStatus)
+ {
+ case STATUS_SUCCESSFUL:
+ break;
+ case STATUS_MALFORMEDREQUEST:
+ case STATUS_INTERNALERROR:
+ case STATUS_TRYLATER:
+ case STATUS_SIGREQUIRED:
+ case STATUS_UNAUTHORIZED:
+ DBG1("unsuccessful ocsp response: server said '%N'",
+ response_status_names, rStatus);
+ return rStatus;
+ default:
+ return STATUS_INTERNALERROR;
+ }
+ break;
+ case OCSP_RESPONSE_TYPE:
+ ocspResponseType = known_oid(object);
+ break;
+ case OCSP_RESPONSE:
+ {
+ switch (ocspResponseType)
+ {
+ case OID_BASIC:
+ if (!ocsp_parse_basic_response(object, level+1, res))
+ {
+ return STATUS_INTERNALERROR;
+ }
+ break;
+ default:
+ DBG1("ocsp response is not of type BASIC");
+ DBG1("ocsp response OID: %#B", &object);
+ return STATUS_INTERNALERROR;
+ }
+ }
+ break;
+ }
+ objectID++;
+ }
+ return rStatus;
+}
+
+/**
+ * Check if the OCSP response has a valid signature
+ */
+static bool ocsp_valid_response(response_t *res, x509_t *ocsp_cert)
+{
+ rsa_public_key_t *public_key;
+ time_t until = UNDEFINED_TIME;
+ err_t ugh;
+
+ DBG2("verifying ocsp response signature:");
+ DBG2("signer: '%D'", ocsp_cert->get_subject(ocsp_cert));
+ DBG2("issuer: '%D'", ocsp_cert->get_issuer(ocsp_cert));
+
+ ugh = ocsp_cert->is_valid(ocsp_cert, &until);
+ if (ugh != NULL)
+ {
+ DBG1("ocsp signer certificate %s", ugh);
+ return FALSE;
+ }
+ public_key = ocsp_cert->get_public_key(ocsp_cert);
+
+ return public_key->verify_emsa_pkcs1_signature(public_key, res->tbs, res->signature) == SUCCESS;
+}
+
+/**
+ * parse a single OCSP response
+ */
+static bool ocsp_parse_single_response(private_ocsp_t *this, chunk_t blob, int level0)
+{
+ u_int level, extn_oid;
+ asn1_ctx_t ctx;
+ bool critical;
+ chunk_t object;
+ int objectID = 0;
+
+ certinfo_t *certinfo = NULL;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+
+ while (objectID < SINGLE_RESPONSE_ROOF)
+ {
+ if (!extract_object(singleResponseObjects, &objectID, &object, &level, &ctx))
+ {
+ return FALSE;
+ }
+
+ switch (objectID)
+ {
+ case SINGLE_RESPONSE_ALGORITHM:
+ if (parse_algorithmIdentifier(object, level+1, NULL) != OID_SHA1)
+ {
+ DBG1("only sha-1 hash supported in ocsp single response");
+ return FALSE;
+ }
+ break;
+ case SINGLE_RESPONSE_ISSUER_NAME_HASH:
+ if (!chunk_equals(object, this->authNameID))
+ {
+ DBG1("ocsp single response has wrong issuer name hash");
+ return FALSE;
+ }
+ break;
+ case SINGLE_RESPONSE_ISSUER_KEY_HASH:
+ if (!chunk_equals(object, this->authKeyID))
+ {
+ DBG1("ocsp single response has wrong issuer key hash");
+ return FALSE;
+ }
+ break;
+ case SINGLE_RESPONSE_SERIAL_NUMBER:
+ {
+ iterator_t *iterator = this->certinfos->create_iterator(this->certinfos, TRUE);
+ certinfo_t *current_certinfo;
+
+ while (iterator->iterate(iterator, (void**)&current_certinfo))
+ {
+ if (chunk_equals(object, current_certinfo->get_serialNumber(current_certinfo)))
+ {
+ certinfo = current_certinfo;
+ }
+ }
+ iterator->destroy(iterator);
+ if (certinfo == NULL)
+ {
+ DBG1("unrequested serial number in ocsp single response");
+ return FALSE;
+ }
+ }
+ break;
+ case SINGLE_RESPONSE_CERT_STATUS_GOOD:
+ certinfo->set_status(certinfo, CERT_GOOD);
+ break;
+ case SINGLE_RESPONSE_CERT_STATUS_REVOKED:
+ certinfo->set_status(certinfo, CERT_REVOKED);
+ break;
+ case SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME:
+ certinfo->set_revocationTime(certinfo,
+ asn1totime(&object, ASN1_GENERALIZEDTIME));
+ break;
+ case SINGLE_RESPONSE_CERT_STATUS_CRL_REASON:
+ certinfo->set_revocationReason(certinfo,
+ (object.len == 1) ? *object.ptr : REASON_UNSPECIFIED);
+ break;
+ case SINGLE_RESPONSE_CERT_STATUS_UNKNOWN:
+ certinfo->set_status(certinfo, CERT_UNKNOWN);
+ break;
+ case SINGLE_RESPONSE_THIS_UPDATE:
+ certinfo->set_thisUpdate(certinfo,
+ asn1totime(&object, ASN1_GENERALIZEDTIME));
+ break;
+ case SINGLE_RESPONSE_NEXT_UPDATE:
+ certinfo->set_nextUpdate(certinfo,
+ asn1totime(&object, ASN1_GENERALIZEDTIME));
+ break;
+ case SINGLE_RESPONSE_EXT_ID:
+ extn_oid = known_oid(object);
+ break;
+ case SINGLE_RESPONSE_CRITICAL:
+ critical = object.len && *object.ptr;
+ DBG2(" %s", critical ? "TRUE" : "FALSE");
+ case SINGLE_RESPONSE_EXT_VALUE:
+ break;
+ }
+ objectID++;
+ }
+ return TRUE;
+}
+
+/**
+ * verify and process ocsp response and update the ocsp cache
+ */
+static void ocsp_process_response(private_ocsp_t *this, response_t *res, credential_store_t *credentials)
+{
+ x509_t *ocsp_cert = NULL;
+
+ /* parse the ocsp response without looking at the single responses yet */
+ response_status status = ocsp_parse_response(res);
+
+ if (status != STATUS_SUCCESSFUL)
+ {
+ DBG1("error in ocsp response");
+ return;
+ }
+
+ /* check if there was a nonce in the request */
+ if (this->nonce.ptr != NULL && res->nonce.ptr == NULL)
+ {
+ DBG1("ocsp response contains no nonce, replay attack possible");
+ }
+
+ /* check if the nonces are identical */
+ if (res->nonce.ptr != NULL && !chunk_equals(res->nonce, this->nonce))
+ {
+ DBG1("invalid nonce in ocsp response");
+ return;
+ }
+
+ /* check if we received a trusted responder certificate */
+ if (res->responder_cert)
+ {
+ if (res->responder_cert->is_ocsp_signer(res->responder_cert))
+ {
+ DBG2("received certificate is ocsp signer");
+ if (credentials->is_trusted(credentials, res->responder_cert))
+ {
+ DBG1("received ocsp signer certificate is trusted");
+ ocsp_cert = credentials->add_auth_certificate(credentials,
+ res->responder_cert, AUTH_OCSP);
+ res->responder_cert = NULL;
+ }
+ else
+ {
+ DBG1("received ocsp signer certificate is not trusted - rejected");
+ }
+ }
+ else
+ {
+ DBG1("received certificate is no ocsp signer - rejected");
+ }
+ }
+
+ /* if we didn't receive a trusted responder cert, search the credential store */
+ if (ocsp_cert == NULL)
+ {
+ ocsp_cert = credentials->get_auth_certificate(credentials,
+ AUTH_OCSP|AUTH_CA, res->responder_id_name);
+ if (ocsp_cert == NULL)
+ {
+ DBG1("no ocsp signer certificate found");
+ return;
+ }
+ }
+
+ /* check the response signature */
+ if (!ocsp_valid_response(res, ocsp_cert))
+ {
+ DBG1("ocsp response signature is invalid");
+ return;
+ }
+ DBG2("ocsp response signature is valid");
+
+ /* now parse the single responses one at a time */
+ {
+ u_int level;
+ asn1_ctx_t ctx;
+ chunk_t object;
+ int objectID = 0;
+
+ asn1_init(&ctx, res->responses, 0, FALSE, FALSE);
+
+ while (objectID < RESPONSES_ROOF)
+ {
+ if (!extract_object(responsesObjects, &objectID, &object, &level, &ctx))
+ {
+ return;
+ }
+ if (objectID == RESPONSES_SINGLE_RESPONSE)
+ {
+ ocsp_parse_single_response(this, object, level+1);
+ }
+ objectID++;
+ }
+ }
+}
+
+/**
+ * Implements ocsp_t.fetch.
+ */
+static void fetch(private_ocsp_t *this, certinfo_t *certinfo, credential_store_t *credentials)
+{
+ chunk_t request;
+ response_t *response = NULL;
+
+ if (this->uris->get_count(this->uris) == 0)
+ {
+ return;
+ }
+ this->certinfos->insert_last(this->certinfos, (void*)certinfo);
+
+ request = ocsp_build_request(this);
+ DBG3("ocsp request: %B", &request);
+ {
+ iterator_t *iterator = this->uris->create_iterator(this->uris, TRUE);
+ identification_t *uri;
+
+ while (iterator->iterate(iterator, (void**)&uri))
+ {
+ fetcher_t *fetcher;
+ char uri_string[BUF_LEN];
+ chunk_t uri_chunk = uri->get_encoding(uri);
+ chunk_t response_chunk;
+
+ snprintf(uri_string, BUF_LEN, "%.*s", uri_chunk.len, uri_chunk.ptr);
+ fetcher = fetcher_create(uri_string);
+
+ response_chunk = fetcher->post(fetcher, "application/ocsp-request", request);
+ fetcher->destroy(fetcher);
+ if (response_chunk.ptr != NULL)
+ {
+ response = response_create_from_chunk(response_chunk);
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ }
+ free(request.ptr);
+
+ if (response == NULL)
+ {
+ return;
+ }
+ DBG3("ocsp response: %B", &response->chunk);
+ ocsp_process_response(this, response, credentials);
+ response->destroy(response);
+}
+
+/**
+ * Implements ocsp_t.destroy.
+ */
+static void destroy(private_ocsp_t *this)
+{
+ this->certinfos->destroy(this->certinfos);
+ free(this->authNameID.ptr);
+ free(this->nonce.ptr);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ocsp_t *ocsp_create(x509_t *cacert, linked_list_t *uris)
+{
+ private_ocsp_t *this = malloc_thing(private_ocsp_t);
+
+ /* initialize */
+ this->cacert = cacert;
+ this->uris = uris;
+ this->certinfos = linked_list_create();
+ this->nonce = chunk_empty;
+ this->authKeyID = cacert->get_subjectKeyID(cacert);
+ {
+ hasher_t *hasher = hasher_create(HASH_SHA1);
+ identification_t *issuer = cacert->get_subject(cacert);
+
+ hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
+ &this->authNameID);
+ hasher->destroy(hasher);
+ }
+
+ /* public functions */
+ this->public.fetch = (void (*) (ocsp_t*,certinfo_t*,credential_store_t*))fetch;
+ this->public.destroy = (void (*) (ocsp_t*))destroy;
+
+ return &this->public;
+}
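Review bot: In `ocsp_process_response`, a response that omits the nonce is only logged ("ocsp response contains no nonce, replay attack possible") and processing continues, and nothing in this file compares `produced_at`, `thisUpdate` or `nextUpdate` with the current time; unless the caller enforces freshness, an old signed response would still update the certinfo. Either add `return;` after that DBG1 when `this->nonce.ptr != NULL`, or reject responses whose `thisUpdate`/`nextUpdate` window is stale. In `ocsp_parse_response`, `rStatus = (response_status) *object.ptr;` reads a byte of network-supplied data without checking `object.len`, unlike the `object.len && *object.ptr` pattern used elsewhere in the file; guard it with `if (object.len != 1) return STATUS_INTERNALERROR;`. The fallback lookup passes `res->responder_id_name` to `get_auth_certificate` even though it stays NULL when the responder identifies itself by key (`responder_id_key` is parsed but never used), and the return value of `ocsp_parse_single_response` is ignored.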
diff --git a/src/libstrongswan/crypto/ocsp.h b/src/libstrongswan/crypto/ocsp.h
new file mode 100644
index 000000000..42059e1c6
--- /dev/null
+++ b/src/libstrongswan/crypto/ocsp.h
@@ -0,0 +1,86 @@
+/**
+ * @file ocsp.h
+ *
+ * @brief Interface of ocsp_t
+ *
+ */
+
+/* Support of the Online Certificate Status Protocol (OCSP) Support
+ * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
+ * Copyright (C) 2007 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ */
+
+#ifndef OCSP_H_
+#define OCSP_H_
+
+typedef struct ocsp_t ocsp_t;
+
+#include <credential_store.h>
+#include <utils/linked_list.h>
+
+#include "certinfo.h"
+
+/* constants */
+#define OCSP_BASIC_RESPONSE_VERSION 1
+#define OCSP_DEFAULT_VALID_TIME 120 /* validity of one-time response in seconds */
+#define OCSP_WARNING_INTERVAL 2 /* days */
+
+/* OCSP response status */
+typedef enum {
+ STATUS_SUCCESSFUL = 0,
+ STATUS_MALFORMEDREQUEST = 1,
+ STATUS_INTERNALERROR = 2,
+ STATUS_TRYLATER = 3,
+ STATUS_SIGREQUIRED = 5,
+ STATUS_UNAUTHORIZED= 6
+} response_status;
+
+/**
+ * @brief Online Certficate Status Protocol (OCSP)
+ *
+ * @ingroup transforms
+ */
+struct ocsp_t {
+
+ /**
+ * @brief Fetches the actual certificate status via OCSP
+ *
+ * @param uris linked list of ocsp uris
+ * @param certinfo certificate status info to be updated
+ * @param credentials credential store needed for trust path verification
+ */
+ void (*fetch) (ocsp_t *this, certinfo_t *certinfo, credential_store_t *credentials);
+
+ /**
+ * @brief Destroys the ocsp_t object.
+ *
+ * @param this ocsp object to destroy
+ */
+ void (*destroy) (ocsp_t *this);
+
+};
+
+/**
+ * @brief Create an ocsp_t object.
+ *
+ * @param cacert ca certificate
+ * @param uris linked list of ocsp uris
+ * @return created ocsp_t object
+ *
+ * @ingroup transforms
+ */
+ocsp_t *ocsp_create(x509_t *cacert, linked_list_t *uris);
+
+#endif /* OCSP_H_ */
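Review bot: The comment on `fetch` documents a `uris` parameter that the function pointer does not take, and omits `this`; it should read `@param this ocsp object` in place of the `uris` line. The ocsp_create comment also says nothing about ownership: destroy() in ocsp.c releases certinfos, authNameID and nonce but neither `cacert` nor `uris`, so both appear to be borrowed. If that is intended, add `cacert and uris are not cloned and must remain valid until destroy()`, because a caller that frees them earlier leaves the object with dangling pointers. `Certficate` in the struct comment is a typo for `Certificate`.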
diff --git a/src/libstrongswan/crypto/prf_plus.c b/src/libstrongswan/crypto/prf_plus.c
new file mode 100644
index 000000000..6bd444b1f
--- /dev/null
+++ b/src/libstrongswan/crypto/prf_plus.c
@@ -0,0 +1,156 @@
+/**
+ * @file prf_plus.c
+ *
+ * @brief Implementation of prf_plus_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "prf_plus.h"
+
+typedef struct private_prf_plus_t private_prf_plus_t;
+
+/**
+ * Private data of an prf_plus_t object.
+ *
+ */
+struct private_prf_plus_t {
+ /**
+ * Public interface of prf_plus_t.
+ */
+ prf_plus_t public;
+
+ /**
+ * PRF to use.
+ */
+ prf_t *prf;
+
+ /**
+ * Initial seed.
+ */
+ chunk_t seed;
+
+ /**
+ * Buffer to store current PRF result.
+ */
+ chunk_t buffer;
+
+ /**
+ * Already given out bytes in current buffer.
+ */
+ size_t given_out;
+
+ /**
+ * Octet which will be appended to the seed.
+ */
+ u_int8_t appending_octet;
+};
+
+/**
+ * Implementation of prf_plus_t.get_bytes.
+ */
+static void get_bytes(private_prf_plus_t *this, size_t length, u_int8_t *buffer)
+{
+ chunk_t appending_chunk;
+ size_t bytes_in_round;
+ size_t total_bytes_written = 0;
+
+ appending_chunk.ptr = &(this->appending_octet);
+ appending_chunk.len = 1;
+
+ while (length > 0)
+ { /* still more to do... */
+ if (this->buffer.len == this->given_out)
+ { /* no bytes left in buffer, get next*/
+ this->prf->get_bytes(this->prf, this->buffer, NULL);
+ this->prf->get_bytes(this->prf, this->seed, NULL);
+ this->prf->get_bytes(this->prf, appending_chunk, this->buffer.ptr);
+ this->given_out = 0;
+ this->appending_octet++;
+ }
+ /* how many bytes can we write in this round ? */
+ bytes_in_round = min(length, this->buffer.len - this->given_out);
+ /* copy bytes from buffer with offset */
+ memcpy(buffer + total_bytes_written, this->buffer.ptr + this->given_out, bytes_in_round);
+
+ length -= bytes_in_round;
+ this->given_out += bytes_in_round;
+ total_bytes_written += bytes_in_round;
+ }
+}
+
+/**
+ * Implementation of prf_plus_t.allocate_bytes.
+ */
+static void allocate_bytes(private_prf_plus_t *this, size_t length, chunk_t *chunk)
+{
+ chunk->ptr = malloc(length);
+ chunk->len = length;
+ this->public.get_bytes(&(this->public), length, chunk->ptr);
+}
+
+/**
+ * Implementation of prf_plus_t.destroy.
+ */
+static void destroy(private_prf_plus_t *this)
+{
+ free(this->buffer.ptr);
+ free(this->seed.ptr);
+ free(this);
+}
+
+/*
+ * Description in header.
+ */
+prf_plus_t *prf_plus_create(prf_t *prf, chunk_t seed)
+{
+ private_prf_plus_t *this;
+ chunk_t appending_chunk;
+
+ this = malloc_thing(private_prf_plus_t);
+
+ /* set public methods */
+ this->public.get_bytes = (void (*)(prf_plus_t *,size_t,u_int8_t*))get_bytes;
+ this->public.allocate_bytes = (void (*)(prf_plus_t *,size_t,chunk_t*))allocate_bytes;
+ this->public.destroy = (void (*)(prf_plus_t *))destroy;
+
+ /* take over prf */
+ this->prf = prf;
+
+ /* allocate buffer for prf output */
+ this->buffer.len = prf->get_block_size(prf);
+ this->buffer.ptr = malloc(this->buffer.len);
+
+ this->appending_octet = 0x01;
+
+ /* clone seed */
+ this->seed.ptr = clalloc(seed.ptr, seed.len);
+ this->seed.len = seed.len;
+
+ /* do the first run */
+ appending_chunk.ptr = &(this->appending_octet);
+ appending_chunk.len = 1;
+ this->prf->get_bytes(this->prf, this->seed, NULL);
+ this->prf->get_bytes(this->prf, appending_chunk, this->buffer.ptr);
+ this->given_out = 0;
+ this->appending_octet++;
+
+ return &(this->public);
+}
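Review bot: `this->appending_octet++` in get_bytes (and in prf_plus_create) increments a u_int8_t that wraps from 0xFF to 0x00 with no check, so a caller that keeps requesting bytes runs past the 255 blocks for which the IKEv2 RFC defines prf+. get_bytes returns void, so the overrun cannot be reported; giving get_bytes and allocate_bytes a status return and refusing once the counter would wrap is the cleaner fix. Separately, destroy() frees `buffer` and `seed` as they are, although both hold key-derivation material; overwrite them first, e.g. `memset(this->buffer.ptr, 0, this->buffer.len);`, using a wipe the compiler cannot drop. allocate_bytes also hands an unchecked `malloc(length)` result to get_bytes.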
diff --git a/src/libstrongswan/crypto/prf_plus.h b/src/libstrongswan/crypto/prf_plus.h
new file mode 100644
index 000000000..90f9ce2eb
--- /dev/null
+++ b/src/libstrongswan/crypto/prf_plus.h
@@ -0,0 +1,92 @@
+/**
+ * @file prf_plus.h
+ *
+ * @brief Interface for prf_plus.h.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PRF_PLUS_H_
+#define PRF_PLUS_H_
+
+typedef struct prf_plus_t prf_plus_t;
+
+#include <crypto/prfs/prf.h>
+
+/**
+ * @brief Implementation of the prf+ function described in IKEv2 RFC.
+ *
+ * This class implements the prf+ algorithm. Internally it uses a pseudo random
+ * function, which implements the prf_t interface.
+ *
+ * See IKEv2 RFC 2.13.
+ *
+ * @b Constructors:
+ * - prf_plus_create()
+ *
+ * @ingroup transforms
+ */
+struct prf_plus_t {
+ /**
+ * @brief Get pseudo random bytes.
+ *
+ * Get the next few bytes of the prf+ output. Space
+ * must be allocated by the caller.
+ *
+ * @param this calling object
+ * @param length number of bytes to get
+ * @param[out] buffer pointer where the generated bytes will be written
+ */
+ void (*get_bytes) (prf_plus_t *this, size_t length, u_int8_t *buffer);
+
+ /**
+ * @brief Allocate pseudo random bytes.
+ *
+ * Get the next few bytes of the prf+ output. This function
+ * will allocate the required space.
+ *
+ * @param this calling object
+ * @param length number of bytes to get
+ * @param[out] chunk chunk which will hold generated bytes
+ */
+ void (*allocate_bytes) (prf_plus_t *this, size_t length, chunk_t *chunk);
+
+ /**
+ * @brief Destroys a prf_plus_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (prf_plus_t *this);
+};
+
+/**
+ * @brief Creates a new prf_plus_t object.
+ *
+ * Seed will be cloned. prf will
+ * not be cloned, must be destroyed outside after
+ * prf_plus_t usage.
+ *
+ * @param prf prf object to use
+ * @param seed input seed for prf
+ * @return prf_plus_t object
+ *
+ * @ingroup transforms
+ */
+prf_plus_t *prf_plus_create(prf_t *prf, chunk_t seed);
+
+#endif /*PRF_PLUS_H_*/
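Review bot: The prf_plus_create documentation does not say that `prf` must already be keyed when it is passed in. In prf_plus.c the constructor runs the first prf round immediately, so whatever key `prf` holds at that moment produces the first output block. I would change the parameter line to `@param prf prf object to use, its key must be set before this call`. The get_bytes comment could also state that successive calls continue one output stream rather than restarting it.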
diff --git a/src/libstrongswan/crypto/prfs/fips_prf.c b/src/libstrongswan/crypto/prfs/fips_prf.c
new file mode 100644
index 000000000..0ab80b089
--- /dev/null
+++ b/src/libstrongswan/crypto/prfs/fips_prf.c
@@ -0,0 +1,258 @@
+/**
+ * @file fips_prf.c
+ *
+ * @brief Implementation for fips_prf_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "fips_prf.h"
+
+#include <arpa/inet.h>
+
+#include <debug.h>
+
+typedef struct private_fips_prf_t private_fips_prf_t;
+
+/**
+ * Private data of a fips_prf_t object.
+ */
+struct private_fips_prf_t {
+ /**
+ * Public fips_prf_t interface.
+ */
+ fips_prf_t public;
+
+ /**
+ * key of prf function, "b" long
+ */
+ u_int8_t *key;
+
+ /**
+ * size of "b" in bytes
+ */
+ size_t b;
+
+ /**
+ * G function, either SHA1 or DES
+ */
+ void (*g)(u_int8_t t[], chunk_t c, u_int8_t res[]);
+};
+
+/**
+ * t used in G(), equals to initial SHA1 value
+ */
+static u_int8_t t[] = {
+ 0x67,0x45,0x23,0x01,0xEF,0xCD,0xAB,0x89,0x98,0xBA,
+ 0xDC,0xFE,0x10,0x32,0x54,0x76,0xC3,0xD2,0xE1,0xF0,
+};
+
+/**
+ * sum = (a + b) mod 2 ^ (length * 8)
+ */
+static void add_mod(size_t length, u_int8_t a[], u_int8_t b[], u_int8_t sum[])
+{
+ int i, c = 0;
+
+ for(i = length - 1; i >= 0; i--)
+ {
+ u_int32_t tmp;
+
+ tmp = a[i] + b[i] + c;
+ sum[i] = 0xff & tmp;
+ c = tmp >> 8;
+ }
+}
+
+/**
+ * calculate "chunk mod 2^(length*8)" and save it into buffer
+ */
+static void chunk_mod(size_t length, chunk_t chunk, u_int8_t buffer[])
+{
+ if (chunk.len < length)
+ {
+ /* apply seed as least significant bits, others are zero */
+ memset(buffer, 0, length - chunk.len);
+ memcpy(buffer + length - chunk.len, chunk.ptr, chunk.len);
+ }
+ else
+ {
+ /* use least significant bytes from seed, as we use mod 2^b */
+ memcpy(buffer, chunk.ptr + chunk.len - length, length);
+ }
+}
+
+/**
+ * Implementation of prf_t.get_bytes.
+ *
+ * Test vector:
+ *
+ * key:
+ * 0xbd, 0x02, 0x9b, 0xbe, 0x7f, 0x51, 0x96, 0x0b,
+ * 0xcf, 0x9e, 0xdb, 0x2b, 0x61, 0xf0, 0x6f, 0x0f,
+ * 0xeb, 0x5a, 0x38, 0xb6
+ *
+ * seed:
+ * 0x00
+ *
+ * result:
+ * 0x20, 0x70, 0xb3, 0x22, 0x3d, 0xba, 0x37, 0x2f,
+ * 0xde, 0x1c, 0x0f, 0xfc, 0x7b, 0x2e, 0x3b, 0x49,
+ * 0x8b, 0x26, 0x06, 0x14, 0x3c, 0x6c, 0x18, 0xba,
+ * 0xcb, 0x0f, 0x6c, 0x55, 0xba, 0xbb, 0x13, 0x78,
+ * 0x8e, 0x20, 0xd7, 0x37, 0xa3, 0x27, 0x51, 0x16
+ */
+static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[])
+{
+ int i;
+ u_int8_t xval[this->b];
+ u_int8_t xseed[this->b];
+ u_int8_t sum[this->b];
+ u_int8_t *xkey = this->key;
+ u_int8_t one[this->b];
+ chunk_t xval_chunk = chunk_from_buf(xval);
+
+ memset(one, 0, this->b);
+ one[this->b - 1] = 0x01;
+
+ /* 3.1 */
+ chunk_mod(this->b, seed, xseed);
+
+ /* 3.2 */
+ for (i = 0; i < 2; i++) /* twice */
+ {
+ /* a. XVAL = (XKEY + XSEED j) mod 2^b */
+ add_mod(this->b, xkey, xseed, xval);
+ DBG3("XVAL %b", xval, this->b);
+ /* b. wi = G(t, XVAL ) */
+ this->g(t, xval_chunk, &w[i * this->b]);
+ DBG3("w[%d] %b", i, &w[i * this->b], this->b);
+ /* c. XKEY = (1 + XKEY + wi) mod 2b */
+ add_mod(this->b, xkey, &w[i * this->b], sum);
+ add_mod(this->b, sum, one, xkey);
+ DBG3("XKEY %b", xkey, this->b);
+ }
+
+ /* 3.3 done already, mod q not used */
+}
+
+/**
+ * Implementation of prf_t.get_block_size.
+ */
+static size_t get_block_size(private_fips_prf_t *this)
+{
+ return 2 * this->b;
+}
+/**
+ * Implementation of prf_t.allocate_bytes.
+ */
+static void allocate_bytes(private_fips_prf_t *this, chunk_t seed, chunk_t *chunk)
+{
+ *chunk = chunk_alloc(get_block_size(this));
+ get_bytes(this, seed, chunk->ptr);
+}
+
+/**
+ * Implementation of prf_t.get_key_size.
+ */
+static size_t get_key_size(private_fips_prf_t *this)
+{
+ return this->b;
+}
+
+/**
+ * Implementation of prf_t.set_key.
+ */
+static void set_key(private_fips_prf_t *this, chunk_t key)
+{
+ /* save key as "key mod 2^b" */
+ chunk_mod(this->b, key, this->key);
+}
+
+/**
+ * Implementation of the G() function based on SHA1
+ */
+void g_sha1(u_int8_t t[], chunk_t c, u_int8_t res[])
+{
+ hasher_t *hasher;
+ u_int8_t buf[64];
+ chunk_t state_chunk;
+ u_int32_t *state, *iv, *hash;
+
+ if (c.len < sizeof(buf))
+ {
+ /* pad c with zeros */
+ memset(buf, 0, sizeof(buf));
+ memcpy(buf, c.ptr, c.len);
+ c.ptr = buf;
+ c.len = sizeof(buf);
+ }
+ else
+ {
+ /* not more than 512 bits can be G()-ed */
+ c.len = sizeof(buf);
+ }
+
+ /* our SHA1 hasher's state is 32-Bit integers in host order. We must
+ * convert them */
+ hasher = hasher_create(HASH_SHA1);
+ state_chunk = hasher->get_state(hasher);
+ state = (u_int32_t*)state_chunk.ptr;
+ iv = (u_int32_t*)t;
+ hash = (u_int32_t*)res;
+ state[0] = htonl(iv[0]);
+ state[1] = htonl(iv[1]);
+ state[2] = htonl(iv[2]);
+ state[3] = htonl(iv[3]);
+ hasher->get_hash(hasher, c, NULL);
+ hash[0] = htonl(state[0]);
+ hash[1] = htonl(state[1]);
+ hash[2] = htonl(state[2]);
+ hash[3] = htonl(state[3]);
+ hash[4] = htonl(state[4]);
+ hasher->destroy(hasher);
+}
+
+/**
+ * Implementation of prf_t.destroy.
+ */
+static void destroy(private_fips_prf_t *this)
+{
+ free(this->key);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+fips_prf_t *fips_prf_create(size_t b, void(*g)(u_int8_t[],chunk_t,u_int8_t[]))
+{
+ private_fips_prf_t *this = malloc_thing(private_fips_prf_t);
+
+ this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
+ this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
+ this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
+ this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
+ this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
+ this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
+
+ this->g = g;
+ this->b = b;
+ this->key = malloc(b);
+
+ return &(this->public);
+}
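Review bot: fips_prf_create stores any `b` without validation, although fips_prf.h documents a NULL return for an invalid b. With `b == 0`, get_bytes indexes `one[this->b - 1]`, and with g_sha1 any `b` below 20 lets the second G() call write 20 bytes at `&w[b]` in a buffer that get_block_size sizes as `2 * b`. A guard such as `if (b == 0 || g == NULL) return NULL;` before the allocation covers the first case; the relation between b and G's output length needs a check or a documented contract, since the G signature carries no length. In g_sha1 only `state[0]` to `state[3]` are loaded from `t`, which presumably works because a fresh hasher already holds the value the comment on `t` says it equals, but `state[4] = htonl(iv[4]);` is missing for any other `t`.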
diff --git a/src/libstrongswan/crypto/prfs/fips_prf.h b/src/libstrongswan/crypto/prfs/fips_prf.h
new file mode 100644
index 000000000..283ee1f61
--- /dev/null
+++ b/src/libstrongswan/crypto/prfs/fips_prf.h
@@ -0,0 +1,80 @@
+/**
+ * @file fips_prf.h
+ *
+ * @brief Interface of fips_prf_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef FIPS_PRF_H_
+#define FIPS_PRF_H_
+
+typedef struct fips_prf_t fips_prf_t;
+
+#include <library.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/hashers/hasher.h>
+
+/**
+ * @brief Implementation of prf_t using the FIPS 186-2-change1 standard.
+ *
+ * FIPS defines a "General Purpose Random Number Generator" (Revised
+ * Algorithm for Computing m values of x (Appendix 3.1 of FIPS 186-2)). This
+ * implementation is not intended for private key generation and therefore does
+ * not include the "mod q" operation (see FIPS 186-2-change1 p74).
+ * The FIPS PRF is stateful; the key changes every time when bytes are acquired.
+ *
+ * @b Constructors:
+ * - fips_prf_create()
+ * - prf_create() using one of the FIPS algorithms
+ *
+ * @ingroup prfs
+ */
+struct fips_prf_t {
+
+ /**
+ * Generic prf_t interface for this fips_prf_t class.
+ */
+ prf_t prf_interface;
+};
+
+/**
+ * @brief Creates a new fips_prf_t object.
+ *
+ * FIPS 186-2 defines G() functions used in the PRF function. It can
+ * be implemented either based on SHA1 or DES.
+ *
+ * @param b size of b (in bytes, not bits)
+ * @param g G() function to use (e.g. g_sha1)
+ * @return
+ * - fips_prf_t object
+ * - NULL if b invalid not supported
+ *
+ * @ingroup prfs
+ */
+fips_prf_t *fips_prf_create(size_t b, void(*g)(u_int8_t[],chunk_t,u_int8_t[]));
+
+/**
+ * @brief Implementation of the G() function based on SHA1.
+ *
+ * @param t initialization vector for SHA1 hasher, 20 bytes long
+ * @param c value to hash, not longer than 512 bit
+ * @param res result of G(), requries 20 bytes
+ */
+void g_sha1(u_int8_t t[], chunk_t c, u_int8_t res[]);
+
+#endif /* FIPS_PRF_H_ */
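Review bot: The documentation does not state that set_key() must be called before the first get_bytes(). fips_prf_create in fips_prf.c allocates the key with `malloc(b)` and leaves it uninitialised, so output requested before set_key() would depend on heap contents. I would add to the class comment: `The key is undefined until set_key() has been called.` The g_sha1 comment could also say that input longer than 512 bit is truncated rather than rejected, which is what the implementation does, and `requries` should be `requires`.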
diff --git a/src/libstrongswan/crypto/prfs/hmac_prf.c b/src/libstrongswan/crypto/prfs/hmac_prf.c
new file mode 100644
index 000000000..f315f880d
--- /dev/null
+++ b/src/libstrongswan/crypto/prfs/hmac_prf.c
@@ -0,0 +1,118 @@
+/**
+ * @file hmac_prf.c
+ *
+ * @brief Implementation for hmac_prf_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "hmac_prf.h"
+
+#include <crypto/hmac.h>
+
+
+typedef struct private_hmac_prf_t private_hmac_prf_t;
+
+/**
+ * Private data of a hma_prf_t object.
+ */
+struct private_hmac_prf_t {
+ /**
+ * Public hmac_prf_t interface.
+ */
+ hmac_prf_t public;
+
+ /**
+ * Hmac to use for generation.
+ */
+ hmac_t *hmac;
+};
+
+/**
+ * Implementation of prf_t.get_bytes.
+ */
+static void get_bytes(private_hmac_prf_t *this, chunk_t seed, u_int8_t *buffer)
+{
+ this->hmac->get_mac(this->hmac, seed, buffer);
+}
+
+/**
+ * Implementation of prf_t.allocate_bytes.
+ */
+static void allocate_bytes(private_hmac_prf_t *this, chunk_t seed, chunk_t *chunk)
+{
+ this->hmac->allocate_mac(this->hmac, seed, chunk);
+}
+
+/**
+ * Implementation of prf_t.get_block_size.
+ */
+static size_t get_block_size(private_hmac_prf_t *this)
+{
+ return this->hmac->get_block_size(this->hmac);
+}
+
+/**
+ * Implementation of prf_t.get_block_size.
+ */
+static size_t get_key_size(private_hmac_prf_t *this)
+{
+ /* for HMAC prfs, IKEv2 uses block size as key size */
+ return this->hmac->get_block_size(this->hmac);
+}
+
+/**
+ * Implementation of prf_t.set_key.
+ */
+static void set_key(private_hmac_prf_t *this, chunk_t key)
+{
+ this->hmac->set_key(this->hmac, key);
+}
+
+/**
+ * Implementation of prf_t.destroy.
+ */
+static void destroy(private_hmac_prf_t *this)
+{
+ this->hmac->destroy(this->hmac);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+hmac_prf_t *hmac_prf_create(hash_algorithm_t hash_algorithm)
+{
+ private_hmac_prf_t *this = malloc_thing(private_hmac_prf_t);
+
+ this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes;
+ this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes;
+ this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size;
+ this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size;
+ this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key;
+ this->public.prf_interface.destroy = (void (*) (prf_t *))destroy;
+
+ this->hmac = hmac_create(hash_algorithm);
+ if (this->hmac == NULL)
+ {
+ free(this);
+ return NULL;
+ }
+
+ return &(this->public);
+}
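Review bot: The comment above get_key_size reads `Implementation of prf_t.get_block_size.` and should be `Implementation of prf_t.get_key_size.`. The struct comment says `hma_prf_t` where `hmac_prf_t` is meant. In hmac_prf.h the closing `#endif /*PRF_HMAC_SHA1_H_*/` does not match the guard name `PRF_HMAC_H_`.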
diff --git a/src/libstrongswan/crypto/prfs/hmac_prf.h b/src/libstrongswan/crypto/prfs/hmac_prf.h
new file mode 100644
index 000000000..9b06ee3a2
--- /dev/null
+++ b/src/libstrongswan/crypto/prfs/hmac_prf.h
@@ -0,0 +1,65 @@
+/**
+ * @file hmac_prf.h
+ *
+ * @brief Interface of hmac_prf_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PRF_HMAC_H_
+#define PRF_HMAC_H_
+
+typedef struct hmac_prf_t hmac_prf_t;
+
+#include <library.h>
+#include <crypto/prfs/prf.h>
+#include <crypto/hashers/hasher.h>
+
+/**
+ * @brief Implementation of prf_t interface using the
+ * HMAC algorithm.
+ *
+ * This simply wraps a hmac_t in a prf_t. More a question of
+ * interface matching.
+ *
+ * @b Constructors:
+ * - hmac_prf_create()
+ *
+ * @ingroup prfs
+ */
+struct hmac_prf_t {
+
+ /**
+ * Generic prf_t interface for this hmac_prf_t class.
+ */
+ prf_t prf_interface;
+};
+
+/**
+ * @brief Creates a new hmac_prf_t object.
+ *
+ * @param hash_algorithm hmac's hash algorithm
+ * @return
+ * - hmac_prf_t object
+ * - NULL if hash not supported
+ *
+ * @ingroup prfs
+ */
+hmac_prf_t *hmac_prf_create(hash_algorithm_t hash_algorithm);
+
+#endif /*PRF_HMAC_SHA1_H_*/
diff --git a/src/libstrongswan/crypto/prfs/prf.c b/src/libstrongswan/crypto/prfs/prf.c
new file mode 100644
index 000000000..f803829af
--- /dev/null
+++ b/src/libstrongswan/crypto/prfs/prf.c
@@ -0,0 +1,70 @@
+/**
+ * @file prf.c
+ *
+ * @brief Generic constructor for all prf_t
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "prf.h"
+
+#include <crypto/hashers/hasher.h>
+#include <crypto/prfs/hmac_prf.h>
+#include <crypto/prfs/fips_prf.h>
+
+ENUM_BEGIN(pseudo_random_function_names, PRF_UNDEFINED, PRF_FIPS_DES,
+ "PRF_UNDEFINED",
+ "PRF_FIPS_SHA1_160",
+ "PRF_FIPS_DES");
+ENUM_NEXT(pseudo_random_function_names, PRF_HMAC_MD5, PRF_HMAC_SHA2_512, PRF_FIPS_DES,
+ "PRF_HMAC_MD5",
+ "PRF_HMAC_SHA1",
+ "PRF_HMAC_TIGER",
+ "PRF_AES128_CBC",
+ "PRF_HMAC_SHA2_256",
+ "PRF_HMAC_SHA2_384",
+ "PRF_HMAC_SHA2_512");
+ENUM_END(pseudo_random_function_names, PRF_HMAC_SHA2_512);
+
+/*
+ * Described in header.
+ */
+prf_t *prf_create(pseudo_random_function_t pseudo_random_function)
+{
+ switch (pseudo_random_function)
+ {
+ case PRF_HMAC_SHA1:
+ return (prf_t*)hmac_prf_create(HASH_SHA1);
+ case PRF_HMAC_MD5:
+ return (prf_t*)hmac_prf_create(HASH_MD5);
+ case PRF_HMAC_SHA2_256:
+ return (prf_t*)hmac_prf_create(HASH_SHA256);
+ case PRF_HMAC_SHA2_384:
+ return (prf_t*)hmac_prf_create(HASH_SHA384);
+ case PRF_HMAC_SHA2_512:
+ return (prf_t*)hmac_prf_create(HASH_SHA512);
+ case PRF_FIPS_SHA1_160:
+ return (prf_t*)fips_prf_create(20, g_sha1);
+ case PRF_FIPS_DES:
+ case PRF_HMAC_TIGER:
+ case PRF_AES128_CBC:
+ default:
+ return NULL;
+ }
+}
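Review bot: The `PRF_FIPS_DES`, `PRF_HMAC_TIGER` and `PRF_AES128_CBC` labels fall through to `default` without a comment, so a reader cannot tell whether they are deliberately unsupported or were forgotten. A line such as `/* defined identifiers without an implementation */` above them would make that explicit. These values have names in pseudo_random_function_names but yield NULL here, so callers have to check the result before use; whether they do is outside this hunk.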
diff --git a/src/libstrongswan/crypto/prfs/prf.h b/src/libstrongswan/crypto/prfs/prf.h
new file mode 100644
index 000000000..8560a4a9c
--- /dev/null
+++ b/src/libstrongswan/crypto/prfs/prf.h
@@ -0,0 +1,142 @@
+/**
+ * @file prf.h
+ *
+ * @brief Interface prf_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PRF_H_
+#define PRF_H_
+
+typedef enum pseudo_random_function_t pseudo_random_function_t;
+typedef struct prf_t prf_t;
+
+#include <library.h>
+
+/**
+ * @brief Pseudo random function, as in IKEv2 RFC 3.3.2.
+ *
+ * PRF algorithms not defined in IKEv2 are allocated in "private use"
+ * space.
+ *
+ * @ingroup prfs
+ */
+enum pseudo_random_function_t {
+ PRF_UNDEFINED = 1024,
+ /** Implemented via hmac_prf_t. */
+ PRF_HMAC_MD5 = 1,
+ /** Implemented via hmac_prf_t. */
+ PRF_HMAC_SHA1 = 2,
+ PRF_HMAC_TIGER = 3,
+ PRF_AES128_CBC = 4,
+ /** Implemented via hmac_prf_t. */
+ PRF_HMAC_SHA2_256 = 5,
+ /** Implemented via hmac_prf_t. */
+ PRF_HMAC_SHA2_384 = 6,
+ /** Implemented via hmac_prf_t. */
+ PRF_HMAC_SHA2_512 = 7,
+ /** Implemented via fips_prf_t, other output sizes would be possible */
+ PRF_FIPS_SHA1_160 = 1025,
+ /** Could be implemented via fips_prf_t, uses fixed output size of 160bit */
+ PRF_FIPS_DES = 1026,
+};
+
+/**
+ * enum name for encryption_algorithm_t.
+ */
+extern enum_name_t *pseudo_random_function_names;
+
+/**
+ * @brief Generic interface for pseudo-random-functions.
+ *
+ * @b Constructors:
+ * - prf_create()
+ * - hmac_prf_create()
+ *
+ * @todo Implement more prf algorithms
+ *
+ * @ingroup prfs
+ */
+struct prf_t {
+ /**
+ * @brief Generates pseudo random bytes and writes them in the buffer.
+ *
+ * @param this calling object
+ * @param seed a chunk containing the seed for the next bytes
+ * @param[out] buffer pointer where the generated bytes will be written
+ */
+ void (*get_bytes) (prf_t *this, chunk_t seed, u_int8_t *buffer);
+
+ /**
+ * @brief Generates pseudo random bytes and allocate space for them.
+ *
+ * @param this calling object
+ * @param seed a chunk containing the seed for the next bytes
+ * @param[out] chunk chunk which will hold generated bytes
+ */
+ void (*allocate_bytes) (prf_t *this, chunk_t seed, chunk_t *chunk);
+
+ /**
+ * @brief Get the block size of this prf_t object.
+ *
+ * @param this calling object
+ * @return block size in bytes
+ */
+ size_t (*get_block_size) (prf_t *this);
+
+ /**
+ * @brief Get the key size of this prf_t object.
+ *
+ * This is a suggestion only, all implemented PRFs accept variable key
+ * length.
+ *
+ * @param this calling object
+ * @return key size in bytes
+ */
+ size_t (*get_key_size) (prf_t *this);
+
+ /**
+ * @brief Set the key for this prf_t object.
+ *
+ * @param this calling object
+ * @param key key to set
+ */
+ void (*set_key) (prf_t *this, chunk_t key);
+
+ /**
+ * @brief Destroys a prf object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (prf_t *this);
+};
+
+/**
+ * @brief Generic constructor for a prf_t oject.
+ *
+ * @param pseudo_random_function Algorithm to use
+ * @return
+ * - prf_t object
+ * - NULL if prf algorithm not supported
+ *
+ * @ingroup prfs
+ */
+prf_t *prf_create(pseudo_random_function_t pseudo_random_function);
+
+#endif /*PRF_H_*/
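Review bot: The get_bytes documentation does not say how large `buffer` must be or whether it may be NULL. prf_plus.c calls get_bytes with a NULL buffer, apparently to feed input without producing output, while get_bytes in fips_prf.c writes to `w` unconditionally, so a fips_prf_t handed to prf_plus_create would dereference NULL. The contract should be written down here, e.g. `buffer must hold get_block_size() bytes; if NULL, seed is appended to the pending input` if that is the intended meaning, and implementations that cannot honour NULL should say so. The comment on pseudo_random_function_names says `encryption_algorithm_t` where `pseudo_random_function_t` is meant, and `oject` should be `object`.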
diff --git a/src/libstrongswan/crypto/rsa/rsa_private_key.c b/src/libstrongswan/crypto/rsa/rsa_private_key.c
new file mode 100644
index 000000000..5b1647965
--- /dev/null
+++ b/src/libstrongswan/crypto/rsa/rsa_private_key.c
@@ -0,0 +1,774 @@
+/**
+ * @file rsa_private_key.c
+ *
+ * @brief Implementation of rsa_private_key_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <gmp.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <string.h>
+
+#include "rsa_public_key.h"
+#include "rsa_private_key.h"
+
+#include <asn1/asn1.h>
+#include <asn1/pem.h>
+#include <utils/randomizer.h>
+
+/**
+ * OIDs for hash algorithms are defined in rsa_public_key.c.
+ */
+extern u_int8_t md2_oid[18];
+extern u_int8_t md5_oid[18];
+extern u_int8_t sha1_oid[15];
+extern u_int8_t sha256_oid[19];
+extern u_int8_t sha384_oid[19];
+extern u_int8_t sha512_oid[19];
+
+
+/**
+ * defined in rsa_public_key.c
+ */
+extern chunk_t rsa_public_key_info_to_asn1(const mpz_t n, const mpz_t e);
+
+
+/**
+ * Public exponent to use for key generation.
+ */
+#define PUBLIC_EXPONENT 0x10001
+
+
+typedef struct private_rsa_private_key_t private_rsa_private_key_t;
+
+/**
+ * Private data of a rsa_private_key_t object.
+ */
+struct private_rsa_private_key_t {
+ /**
+ * Public interface for this signer.
+ */
+ rsa_private_key_t public;
+
+ /**
+ * Version of key, as encoded in PKCS#1
+ */
+ u_int version;
+
+ /**
+ * Public modulus.
+ */
+ mpz_t n;
+
+ /**
+ * Public exponent.
+ */
+ mpz_t e;
+
+ /**
+ * Private prime 1.
+ */
+ mpz_t p;
+
+ /**
+ * Private Prime 2.
+ */
+ mpz_t q;
+
+ /**
+ * Private exponent.
+ */
+ mpz_t d;
+
+ /**
+ * Private exponent 1.
+ */
+ mpz_t exp1;
+
+ /**
+ * Private exponent 2.
+ */
+ mpz_t exp2;
+
+ /**
+ * Private coefficient.
+ */
+ mpz_t coeff;
+
+ /**
+ * Keysize in bytes.
+ */
+ size_t k;
+
+ /**
+ * Keyid formed as a SHA-1 hash of a publicKeyInfo object
+ */
+ chunk_t keyid;
+
+
+ /**
+ * @brief Implements the RSADP algorithm specified in PKCS#1.
+ *
+ * @param this calling object
+ * @param data data to process
+ * @return processed data
+ */
+ chunk_t (*rsadp) (private_rsa_private_key_t *this, chunk_t data);
+
+ /**
+ * @brief Implements the RSASP1 algorithm specified in PKCS#1.
+ * @param this calling object
+ * @param data data to process
+ * @return processed data
+ */
+ chunk_t (*rsasp1) (private_rsa_private_key_t *this, chunk_t data);
+
+ /**
+ * @brief Generate a prime value.
+ *
+ * @param this calling object
+ * @param prime_size size of the prime, in bytes
+ * @param[out] prime uninitialized mpz
+ */
+ status_t (*compute_prime) (private_rsa_private_key_t *this, size_t prime_size, mpz_t *prime);
+
+};
+
+/* ASN.1 definition of a PKCS#1 RSA private key */
+static const asn1Object_t privkey_objects[] = {
+ { 0, "RSAPrivateKey", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
+ { 1, "modulus", ASN1_INTEGER, ASN1_BODY }, /* 2 */
+ { 1, "publicExponent", ASN1_INTEGER, ASN1_BODY }, /* 3 */
+ { 1, "privateExponent", ASN1_INTEGER, ASN1_BODY }, /* 4 */
+ { 1, "prime1", ASN1_INTEGER, ASN1_BODY }, /* 5 */
+ { 1, "prime2", ASN1_INTEGER, ASN1_BODY }, /* 6 */
+ { 1, "exponent1", ASN1_INTEGER, ASN1_BODY }, /* 7 */
+ { 1, "exponent2", ASN1_INTEGER, ASN1_BODY }, /* 8 */
+ { 1, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 9 */
+ { 1, "otherPrimeInfos", ASN1_SEQUENCE, ASN1_OPT |
+ ASN1_LOOP }, /* 10 */
+ { 2, "otherPrimeInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 11 */
+ { 3, "prime", ASN1_INTEGER, ASN1_BODY }, /* 12 */
+ { 3, "exponent", ASN1_INTEGER, ASN1_BODY }, /* 13 */
+ { 3, "coefficient", ASN1_INTEGER, ASN1_BODY }, /* 14 */
+ { 1, "end opt or loop", ASN1_EOC, ASN1_END } /* 15 */
+};
+
+#define PRIV_KEY_VERSION 1
+#define PRIV_KEY_MODULUS 2
+#define PRIV_KEY_PUB_EXP 3
+#define PRIV_KEY_PRIV_EXP 4
+#define PRIV_KEY_PRIME1 5
+#define PRIV_KEY_PRIME2 6
+#define PRIV_KEY_EXP1 7
+#define PRIV_KEY_EXP2 8
+#define PRIV_KEY_COEFF 9
+#define PRIV_KEY_ROOF 16
+
+static private_rsa_private_key_t *rsa_private_key_create_empty(void);
+
+/**
+ * Implementation of private_rsa_private_key_t.compute_prime.
+ */
+static status_t compute_prime(private_rsa_private_key_t *this, size_t prime_size, mpz_t *prime)
+{
+ randomizer_t *randomizer;
+ chunk_t random_bytes;
+ status_t status;
+
+ randomizer = randomizer_create();
+ mpz_init(*prime);
+
+ do
+ {
+ status = randomizer->allocate_random_bytes(randomizer, prime_size, &random_bytes);
+ if (status != SUCCESS)
+ {
+ randomizer->destroy(randomizer);
+ mpz_clear(*prime);
+ return FAILED;
+ }
+
+ /* make sure most significant bit is set */
+ random_bytes.ptr[0] = random_bytes.ptr[0] | 0x80;
+
+ /* convert chunk to mpz value */
+ mpz_import(*prime, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
+
+ /* get next prime */
+ mpz_nextprime (*prime, *prime);
+
+ free(random_bytes.ptr);
+ }
+ /* check if it isnt too large */
+ while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
+
+ randomizer->destroy(randomizer);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of private_rsa_private_key_t.rsadp and private_rsa_private_key_t.rsasp1.
+ */
+static chunk_t rsadp(private_rsa_private_key_t *this, chunk_t data)
+{
+ mpz_t t1, t2;
+ chunk_t decrypted;
+
+ mpz_init(t1);
+ mpz_init(t2);
+
+ mpz_import(t1, data.len, 1, 1, 1, 0, data.ptr);
+
+ mpz_powm(t2, t1, this->exp1, this->p); /* m1 = c^dP mod p */
+ mpz_powm(t1, t1, this->exp2, this->q); /* m2 = c^dQ mod Q */
+ mpz_sub(t2, t2, t1); /* h = qInv (m1 - m2) mod p */
+ mpz_mod(t2, t2, this->p);
+ mpz_mul(t2, t2, this->coeff);
+ mpz_mod(t2, t2, this->p);
+
+ mpz_mul(t2, t2, this->q); /* m = m2 + h q */
+ mpz_add(t1, t1, t2);
+
+ decrypted.len = this->k;
+ decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
+
+ mpz_clear(t1);
+ mpz_clear(t2);
+
+ return decrypted;
+}
+
+/**
+ * Implementation of rsa_private_key.build_emsa_signature.
+ */
+static status_t build_emsa_pkcs1_signature(private_rsa_private_key_t *this, hash_algorithm_t hash_algorithm, chunk_t data, chunk_t *signature)
+{
+ hasher_t *hasher;
+ chunk_t hash;
+ chunk_t em;
+ chunk_t oid;
+
+ /* get oid string prepended to hash */
+ switch (hash_algorithm)
+ {
+ case HASH_MD2:
+ {
+ oid.ptr = md2_oid;
+ oid.len = sizeof(md2_oid);
+ break;
+ }
+ case HASH_MD5:
+ {
+ oid.ptr = md5_oid;
+ oid.len = sizeof(md5_oid);
+ break;
+ }
+ case HASH_SHA1:
+ {
+ oid.ptr = sha1_oid;
+ oid.len = sizeof(sha1_oid);
+ break;
+ }
+ case HASH_SHA256:
+ {
+ oid.ptr = sha256_oid;
+ oid.len = sizeof(sha256_oid);
+ break;
+ }
+ case HASH_SHA384:
+ {
+ oid.ptr = sha384_oid;
+ oid.len = sizeof(sha384_oid);
+ break;
+ }
+ case HASH_SHA512:
+ {
+ oid.ptr = sha512_oid;
+ oid.len = sizeof(sha512_oid);
+ break;
+ }
+ default:
+ {
+ return NOT_SUPPORTED;
+ }
+ }
+
+ /* get hasher */
+ hasher = hasher_create(hash_algorithm);
+ if (hasher == NULL)
+ {
+ return NOT_SUPPORTED;
+ }
+
+ /* build hash */
+ hasher->allocate_hash(hasher, data, &hash);
+ hasher->destroy(hasher);
+
+ /* build chunk to rsa-decrypt:
+ * EM = 0x00 || 0x01 || PS || 0x00 || T.
+ * PS = 0xFF padding, with length to fill em
+ * T = oid || hash
+ */
+ em.len = this->k;
+ em.ptr = malloc(em.len);
+
+ /* fill em with padding */
+ memset(em.ptr, 0xFF, em.len);
+ /* set magic bytes */
+ *(em.ptr) = 0x00;
+ *(em.ptr+1) = 0x01;
+ *(em.ptr + em.len - hash.len - oid.len - 1) = 0x00;
+ /* set hash */
+ memcpy(em.ptr + em.len - hash.len, hash.ptr, hash.len);
+ /* set oid */
+ memcpy(em.ptr + em.len - hash.len - oid.len, oid.ptr, oid.len);
+
+ /* build signature */
+ *signature = this->rsasp1(this, em);
+
+ free(hash.ptr);
+ free(em.ptr);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of rsa_private_key.get_key.
+ */
+static status_t get_key(private_rsa_private_key_t *this, chunk_t *key)
+{
+ chunk_t n, e, p, q, d, exp1, exp2, coeff;
+
+ n.len = this->k;
+ n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, this->n);
+ e.len = this->k;
+ e.ptr = mpz_export(NULL, NULL, 1, e.len, 1, 0, this->e);
+ p.len = this->k;
+ p.ptr = mpz_export(NULL, NULL, 1, p.len, 1, 0, this->p);
+ q.len = this->k;
+ q.ptr = mpz_export(NULL, NULL, 1, q.len, 1, 0, this->q);
+ d.len = this->k;
+ d.ptr = mpz_export(NULL, NULL, 1, d.len, 1, 0, this->d);
+ exp1.len = this->k;
+ exp1.ptr = mpz_export(NULL, NULL, 1, exp1.len, 1, 0, this->exp1);
+ exp2.len = this->k;
+ exp2.ptr = mpz_export(NULL, NULL, 1, exp2.len, 1, 0, this->exp2);
+ coeff.len = this->k;
+ coeff.ptr = mpz_export(NULL, NULL, 1, coeff.len, 1, 0, this->coeff);
+
+ key->len = this->k * 8;
+ key->ptr = malloc(key->len);
+ memcpy(key->ptr + this->k * 0, n.ptr , n.len);
+ memcpy(key->ptr + this->k * 1, e.ptr, e.len);
+ memcpy(key->ptr + this->k * 2, p.ptr, p.len);
+ memcpy(key->ptr + this->k * 3, q.ptr, q.len);
+ memcpy(key->ptr + this->k * 4, d.ptr, d.len);
+ memcpy(key->ptr + this->k * 5, exp1.ptr, exp1.len);
+ memcpy(key->ptr + this->k * 6, exp2.ptr, exp2.len);
+ memcpy(key->ptr + this->k * 7, coeff.ptr, coeff.len);
+
+ free(n.ptr);
+ free(e.ptr);
+ free(p.ptr);
+ free(q.ptr);
+ free(d.ptr);
+ free(exp1.ptr);
+ free(exp2.ptr);
+ free(coeff.ptr);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of rsa_private_key.save_key.
+ */
+static status_t save_key(private_rsa_private_key_t *this, char *file)
+{
+ return NOT_SUPPORTED;
+}
+
+/**
+ * Implementation of rsa_private_key.get_public_key.
+ */
+rsa_public_key_t *get_public_key(private_rsa_private_key_t *this)
+{
+ return NULL;
+}
+
+/**
+ * Implementation of rsa_private_key.belongs_to.
+ */
+static bool belongs_to(private_rsa_private_key_t *this, rsa_public_key_t *public)
+{
+ return chunk_equals(this->keyid, public->get_keyid(public));
+}
+
+/**
+ * Check the loaded key if it is valid and usable
+ * TODO: Log errors
+ */
+static status_t check(private_rsa_private_key_t *this)
+{
+ mpz_t t, u, q1;
+ status_t status = SUCCESS;
+
+ /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets.
+ * We actually require more (for security).
+ */
+ if (this->k < 512/8)
+ {
+ return FAILED;
+ }
+
+ /* we picked a max modulus size to simplify buffer allocation */
+ if (this->k > 8192/8)
+ {
+ return FAILED;
+ }
+
+ mpz_init(t);
+ mpz_init(u);
+ mpz_init(q1);
+
+ /* check that n == p * q */
+ mpz_mul(u, this->p, this->q);
+ if (mpz_cmp(u, this->n) != 0)
+ {
+ status = FAILED;
+ }
+
+ /* check that e divides neither p-1 nor q-1 */
+ mpz_sub_ui(t, this->p, 1);
+ mpz_mod(t, t, this->e);
+ if (mpz_cmp_ui(t, 0) == 0)
+ {
+ status = FAILED;
+ }
+
+ mpz_sub_ui(t, this->q, 1);
+ mpz_mod(t, t, this->e);
+ if (mpz_cmp_ui(t, 0) == 0)
+ {
+ status = FAILED;
+ }
+
+ /* check that d is e^-1 (mod lcm(p-1, q-1)) */
+ /* see PKCS#1v2, aka RFC 2437, for the "lcm" */
+ mpz_sub_ui(q1, this->q, 1);
+ mpz_sub_ui(u, this->p, 1);
+ mpz_gcd(t, u, q1); /* t := gcd(p-1, q-1) */
+ mpz_mul(u, u, q1); /* u := (p-1) * (q-1) */
+ mpz_divexact(u, u, t); /* u := lcm(p-1, q-1) */
+
+ mpz_mul(t, this->d, this->e);
+ mpz_mod(t, t, u);
+ if (mpz_cmp_ui(t, 1) != 0)
+ {
+ status = FAILED;
+ }
+
+ /* check that exp1 is d mod (p-1) */
+ mpz_sub_ui(u, this->p, 1);
+ mpz_mod(t, this->d, u);
+ if (mpz_cmp(t, this->exp1) != 0)
+ {
+ status = FAILED;
+ }
+
+ /* check that exp2 is d mod (q-1) */
+ mpz_sub_ui(u, this->q, 1);
+ mpz_mod(t, this->d, u);
+ if (mpz_cmp(t, this->exp2) != 0)
+ {
+ status = FAILED;
+ }
+
+ /* check that coeff is (q^-1) mod p */
+ mpz_mul(t, this->coeff, this->q);
+ mpz_mod(t, t, this->p);
+ if (mpz_cmp_ui(t, 1) != 0)
+ {
+ status = FAILED;
+ }
+
+ mpz_clear(t);
+ mpz_clear(u);
+ mpz_clear(q1);
+ return status;
+}
+
+/**
+ * Implementation of rsa_private_key.clone.
+ */
+static rsa_private_key_t* _clone(private_rsa_private_key_t *this)
+{
+ private_rsa_private_key_t *clone = rsa_private_key_create_empty();
+
+ mpz_init_set(clone->n, this->n);
+ mpz_init_set(clone->e, this->e);
+ mpz_init_set(clone->p, this->p);
+ mpz_init_set(clone->q, this->q);
+ mpz_init_set(clone->d, this->d);
+ mpz_init_set(clone->exp1, this->exp1);
+ mpz_init_set(clone->exp2, this->exp2);
+ mpz_init_set(clone->coeff, this->coeff);
+ clone->keyid = chunk_clone(this->keyid);
+ clone->k = this->k;
+
+ return &clone->public;
+}
+
+/**
+ * Implementation of rsa_private_key.destroy.
+ */
+static void destroy(private_rsa_private_key_t *this)
+{
+ mpz_clear(this->n);
+ mpz_clear(this->e);
+ mpz_clear(this->p);
+ mpz_clear(this->q);
+ mpz_clear(this->d);
+ mpz_clear(this->exp1);
+ mpz_clear(this->exp2);
+ mpz_clear(this->coeff);
+ free(this->keyid.ptr);
+ free(this);
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_rsa_private_key_t *rsa_private_key_create_empty(void)
+{
+ private_rsa_private_key_t *this = malloc_thing(private_rsa_private_key_t);
+
+ /* public functions */
+ this->public.build_emsa_pkcs1_signature = (status_t (*) (rsa_private_key_t*,hash_algorithm_t,chunk_t,chunk_t*))build_emsa_pkcs1_signature;
+ this->public.get_key = (status_t (*) (rsa_private_key_t*,chunk_t*))get_key;
+ this->public.save_key = (status_t (*) (rsa_private_key_t*,char*))save_key;
+ this->public.get_public_key = (rsa_public_key_t *(*) (rsa_private_key_t*))get_public_key;
+ this->public.belongs_to = (bool (*) (rsa_private_key_t*,rsa_public_key_t*))belongs_to;
+ this->public.clone = (rsa_private_key_t*(*)(rsa_private_key_t*))_clone;
+ this->public.destroy = (void (*) (rsa_private_key_t*))destroy;
+
+ /* private functions */
+ this->rsadp = rsadp;
+ this->rsasp1 = rsadp; /* same algorithm */
+ this->compute_prime = compute_prime;
+
+ return this;
+}
+
+/*
+ * See header
+ */
+rsa_private_key_t *rsa_private_key_create(size_t key_size)
+{
+ mpz_t p, q, n, e, d, exp1, exp2, coeff;
+ mpz_t m, q1, t;
+ private_rsa_private_key_t *this;
+
+ this = rsa_private_key_create_empty();
+ key_size = key_size / 8;
+
+ /* Get values of primes p and q */
+ if (this->compute_prime(this, key_size/2, &p) != SUCCESS)
+ {
+ free(this);
+ return NULL;
+ }
+ if (this->compute_prime(this, key_size/2, &q) != SUCCESS)
+ {
+ mpz_clear(p);
+ free(this);
+ return NULL;
+ }
+
+ mpz_init(t);
+ mpz_init(n);
+ mpz_init(d);
+ mpz_init(exp1);
+ mpz_init(exp2);
+ mpz_init(coeff);
+
+ /* Swapping Primes so p is larger then q */
+ if (mpz_cmp(p, q) < 0)
+ {
+ mpz_set(t, p);
+ mpz_set(p, q);
+ mpz_set(q, t);
+ }
+
+ mpz_mul(n, p, q); /* n = p*q */
+ mpz_init_set_ui(e, PUBLIC_EXPONENT); /* assign public exponent */
+ mpz_init_set(m, p); /* m = p */
+ mpz_sub_ui(m, m, 1); /* m = m -1 */
+ mpz_init_set(q1, q); /* q1 = q */
+ mpz_sub_ui(q1, q1, 1); /* q1 = q1 -1 */
+ mpz_gcd(t, m, q1); /* t = gcd(p-1, q-1) */
+ mpz_mul(m, m, q1); /* m = (p-1)*(q-1) */
+ mpz_divexact(m, m, t); /* m = m / t */
+ mpz_gcd(t, m, e); /* t = gcd(m, e) (greatest common divisor) */
+
+ mpz_invert(d, e, m); /* e has an inverse mod m */
+ if (mpz_cmp_ui(d, 0) < 0) /* make sure d is positive */
+ {
+ mpz_add(d, d, m);
+ }
+ mpz_sub_ui(t, p, 1); /* t = p-1 */
+ mpz_mod(exp1, d, t); /* exp1 = d mod p-1 */
+ mpz_sub_ui(t, q, 1); /* t = q-1 */
+ mpz_mod(exp2, d, t); /* exp2 = d mod q-1 */
+
+ mpz_invert(coeff, q, p); /* coeff = q^-1 mod p */
+ if (mpz_cmp_ui(coeff, 0) < 0) /* make coeff d is positive */
+ {
+ mpz_add(coeff, coeff, p);
+ }
+
+ mpz_clear(q1);
+ mpz_clear(m);
+ mpz_clear(t);
+
+ /* apply values */
+ *(this->p) = *p;
+ *(this->q) = *q;
+ *(this->n) = *n;
+ *(this->e) = *e;
+ *(this->d) = *d;
+ *(this->exp1) = *exp1;
+ *(this->exp2) = *exp2;
+ *(this->coeff) = *coeff;
+
+ /* set key size in bytes */
+ this->k = key_size;
+
+ return &this->public;
+}
+
+/*
+ * see header
+ */
+rsa_private_key_t *rsa_private_key_create_from_chunk(chunk_t blob)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+ private_rsa_private_key_t *this;
+
+ this = rsa_private_key_create_empty();
+
+ mpz_init(this->n);
+ mpz_init(this->e);
+ mpz_init(this->p);
+ mpz_init(this->q);
+ mpz_init(this->d);
+ mpz_init(this->exp1);
+ mpz_init(this->exp2);
+ mpz_init(this->coeff);
+
+ asn1_init(&ctx, blob, 0, FALSE, TRUE);
+
+ while (objectID < PRIV_KEY_ROOF)
+ {
+ if (!extract_object(privkey_objects, &objectID, &object, &level, &ctx))
+ {
+ destroy(this);
+ return FALSE;
+ }
+ switch (objectID)
+ {
+ case PRIV_KEY_VERSION:
+ if (object.len > 0 && *object.ptr != 0)
+ {
+ destroy(this);
+ return NULL;
+ }
+ break;
+ case PRIV_KEY_MODULUS:
+ mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
+ break;
+ case PRIV_KEY_PUB_EXP:
+ mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
+ break;
+ case PRIV_KEY_PRIV_EXP:
+ mpz_import(this->d, object.len, 1, 1, 1, 0, object.ptr);
+ break;
+ case PRIV_KEY_PRIME1:
+ mpz_import(this->p, object.len, 1, 1, 1, 0, object.ptr);
+ break;
+ case PRIV_KEY_PRIME2:
+ mpz_import(this->q, object.len, 1, 1, 1, 0, object.ptr);
+ break;
+ case PRIV_KEY_EXP1:
+ mpz_import(this->exp1, object.len, 1, 1, 1, 0, object.ptr);
+ break;
+ case PRIV_KEY_EXP2:
+ mpz_import(this->exp2, object.len, 1, 1, 1, 0, object.ptr);
+ break;
+ case PRIV_KEY_COEFF:
+ mpz_import(this->coeff, object.len, 1, 1, 1, 0, object.ptr);
+ break;
+ }
+ objectID++;
+ }
+
+ this->k = (mpz_sizeinbase(this->n, 2) + 7) / 8;
+
+ /* form the keyid as a SHA-1 hash of a publicKeyInfo object */
+ {
+ chunk_t publicKeyInfo = rsa_public_key_info_to_asn1(this->n, this->e);
+ hasher_t *hasher = hasher_create(HASH_SHA1);
+
+ hasher->allocate_hash(hasher, publicKeyInfo, &this->keyid);
+ hasher->destroy(hasher);
+ free(publicKeyInfo.ptr);
+ }
+
+ if (check(this) != SUCCESS)
+ {
+ destroy(this);
+ return NULL;
+ }
+ else
+ {
+ return &this->public;
+ }
+}
+
+/*
+ * see header
+ */
+rsa_private_key_t *rsa_private_key_create_from_file(char *filename, chunk_t *passphrase)
+{
+ bool pgp = FALSE;
+ chunk_t chunk = chunk_empty;
+ rsa_private_key_t *key = NULL;
+
+ if (!pem_asn1_load_file(filename, passphrase, "private key", &chunk, &pgp))
+ return NULL;
+
+ key = rsa_private_key_create_from_chunk(chunk);
+ free(chunk.ptr);
+ return key;
+}
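Review bot: build_emsa_pkcs1_signature lays out the encoded message without checking that it fits in `this->k` bytes. With a 512-bit key (the minimum that check() accepts) and HASH_SHA384 or HASH_SHA512, the offset `em.len - hash.len - oid.len - 1` falls before the start of `em`, so the 0x00 separator and the OID memcpy write outside the buffer. PKCS#1 requires at least eight 0xFF padding bytes, so after hashing and before the malloc I would add `if (this->k < hash.len + oid.len + 11) { free(hash.ptr); return INVALID_ARG; }`. Separately, rsa_private_key_create() never sets `this->keyid`, ignores both the result of `mpz_gcd(t, m, e)` and the return value of `mpz_invert(d, e, m)`, and never runs check() on the generated key. The `destroy(this)` on the extract_object failure path in rsa_private_key_create_from_chunk also frees `keyid.ptr` before it is assigned (assuming malloc_thing does not zero); setting `this->keyid = chunk_empty;` in rsa_private_key_create_empty would cover both cases.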
diff --git a/src/libstrongswan/crypto/rsa/rsa_private_key.h b/src/libstrongswan/crypto/rsa/rsa_private_key.h
new file mode 100644
index 000000000..9ec07704e
--- /dev/null
+++ b/src/libstrongswan/crypto/rsa/rsa_private_key.h
@@ -0,0 +1,184 @@
+/**
+ * @file rsa_private_key.h
+ *
+ * @brief Interface of rsa_private_key_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef RSA_PRIVATE_KEY_H_
+#define RSA_PRIVATE_KEY_H_
+
+typedef struct rsa_private_key_t rsa_private_key_t;
+
+#include <library.h>
+#include <crypto/rsa/rsa_public_key.h>
+#include <crypto/hashers/hasher.h>
+
+/**
+ * @brief RSA private key with associated functions.
+ *
+ * Currently only supports signing using EMSA encoding.
+ *
+ * @b Constructors:
+ * - rsa_private_key_create()
+ * - rsa_private_key_create_from_chunk()
+ * - rsa_private_key_create_from_file()
+ *
+ * @see rsa_public_key_t
+ *
+ * @todo Implement get_key(), save_key(), get_public_key()
+ *
+ * @ingroup rsa
+ */
+struct rsa_private_key_t {
+
+ /**
+ * @brief Build a signature over a chunk using EMSA-PKCS1 encoding.
+ *
+ * This signature creates a hash using the specified hash algorithm, concatenates
+ * it with an ASN1-OID of the hash algorithm and runs the RSASP1 function
+ * on it.
+ *
+ * @param this calling object
+ * @param hash_algorithm hash algorithm to use for hashing
+ * @param data data to sign
+ * @param[out] signature allocated signature
+ * @return
+ * - SUCCESS
+ * - INVALID_STATE, if key not set
+ * - NOT_SUPPORTED, if hash algorithm not supported
+ */
+ status_t (*build_emsa_pkcs1_signature) (rsa_private_key_t *this, hash_algorithm_t hash_algorithm, chunk_t data, chunk_t *signature);
+
+ /**
+ * @brief Gets the key.
+ *
+ * UNIMPLEMENTED!
+ *
+ * @param this calling object
+ * @param key key (in a propriarity format)
+ * @return
+ * - SUCCESS
+ * - INVALID_STATE, if key not set
+ */
+ status_t (*get_key) (rsa_private_key_t *this, chunk_t *key);
+
+ /**
+ * @brief Saves a key to a file.
+ *
+ * Not implemented!
+ *
+ * @param this calling object
+ * @param file file to which the key should be written.
+ * @return NOT_SUPPORTED
+ */
+ status_t (*save_key) (rsa_private_key_t *this, char *file);
+
+ /**
+ * @brief Generate a new key.
+ *
+ * Generates a new private_key with specified key size
+ *
+ * @param this calling object
+ * @param key_size size of the key in bits
+ * @return
+ * - SUCCESS
+ * - INVALID_ARG if key_size invalid
+ */
+ status_t (*generate_key) (rsa_private_key_t *this, size_t key_size);
+
+ /**
+ * @brief Create a rsa_public_key_t with the public
+ * parts of the key.
+ *
+ * @param this calling object
+ * @return public_key
+ */
+ rsa_public_key_t *(*get_public_key) (rsa_private_key_t *this);
+
+ /**
+ * @brief Check if a private key belongs to a public key.
+ *
+ * Compares the public part of the private key with the
+ * public key, return TRUE if it equals.
+ *
+ * @param this private key
+ * @param public public key
+ * @return TRUE, if keys belong together
+ */
+ bool (*belongs_to) (rsa_private_key_t *this, rsa_public_key_t *public);
+
+ /**
+ * @brief Clone the private key.
+ *
+ * @param this private key to clone
+ * @return clone of this
+ */
+ rsa_private_key_t *(*clone) (rsa_private_key_t *this);
+
+ /**
+ * @brief Destroys the private key.
+ *
+ * @param this private key to destroy
+ */
+ void (*destroy) (rsa_private_key_t *this);
+};
+
+/**
+ * @brief Generate a new RSA key with specified key length.
+ *
+ * @param key_size size of the key in bits
+ * @return generated rsa_private_key_t.
+ *
+ * @ingroup rsa
+ */
+rsa_private_key_t *rsa_private_key_create(size_t key_size);
+
+/**
+ * @brief Load an RSA private key from a chunk.
+ *
+ * Load a key from a chunk, encoded as described in PKCS#1
+ * (ASN1 DER encoded).
+ *
+ * @param chunk chunk containing the DER encoded key
+ * @return loaded rsa_private_key_t, or NULL
+ *
+ * @ingroup rsa
+ */
+rsa_private_key_t *rsa_private_key_create_from_chunk(chunk_t chunk);
+
+/**
+ * @brief Load an RSA private key from a file.
+ *
+ * Load a key from a file, which is either in a unencrypted binary
+ * format (DER), or in a (encrypted) PEM format. The supplied
+ * passphrase is used to decrypt an ecrypted key.
+ *
+ * @param filename filename which holds the key
+ * @param passphrase optional passphase for decryption, can be NULL
+ * @return loaded rsa_private_key_t, or NULL
+ *
+ * @todo Implement PEM file loading
+ * @todo Implement key decryption
+ *
+ * @ingroup rsa
+ */
+rsa_private_key_t *rsa_private_key_create_from_file(char *filename, chunk_t *passphrase);
+
+#endif /*RSA_PRIVATE_KEY_H_*/
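Review bot: The interface declares `generate_key`, but rsa_private_key_create_empty() in rsa_private_key.c from this same commit assigns every other member and not this one, so a caller following the header would call through an unset pointer; either drop the member or wire it up. The get_key comment says `UNIMPLEMENTED!`, yet the implementation returns n, e, p, q, d, exp1, exp2 and coeff concatenated as eight k-byte fields, which is the complete private key. I would replace that line with something like `Returns the raw private key material (8 * k bytes); the caller owns the buffer and should wipe it before freeing.` The documented `INVALID_STATE` results for get_key and build_emsa_pkcs1_signature are not produced by the visible implementations either, so those return lists could be trimmed.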
diff --git a/src/libstrongswan/crypto/rsa/rsa_public_key.c b/src/libstrongswan/crypto/rsa/rsa_public_key.c
new file mode 100644
index 000000000..38899670f
--- /dev/null
+++ b/src/libstrongswan/crypto/rsa/rsa_public_key.c
@@ -0,0 +1,497 @@
+/**
+ * @file rsa_public_key.c
+ *
+ * @brief Implementation of rsa_public_key_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <gmp.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "rsa_public_key.h"
+
+#include <crypto/hashers/hasher.h>
+#include <asn1/asn1.h>
+#include <asn1/pem.h>
+
+/*
+ * For simplicity, we use these predefined values for hash algorithm OIDs
+ * These also contain the length of the appended hash
+ * These values are also used in rsa_private_key.c.
+ */
+
+const u_int8_t md2_oid[] = {
+ 0x30,0x20,
+ 0x30,0x0c,
+ 0x06,0x08,
+ 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x02,0x02,
+ 0x05,0x00,
+ 0x04,0x10
+};
+
+const u_int8_t md5_oid[] = {
+ 0x30,0x20,
+ 0x30,0x0c,
+ 0x06,0x08,
+ 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x02,0x05,
+ 0x05,0x00,
+ 0x04,0x10
+};
+
+const u_int8_t sha1_oid[] = {
+ 0x30,0x21,
+ 0x30,0x09,
+ 0x06,0x05,
+ 0x2b,0x0e,0x03,0x02,0x1a,
+ 0x05,0x00,
+ 0x04,0x14
+};
+
+const u_int8_t sha256_oid[] = {
+ 0x30,0x31,
+ 0x30,0x0d,
+ 0x06,0x09,
+ 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,
+ 0x05,0x00,
+ 0x04,0x20
+};
+
+const u_int8_t sha384_oid[] = {
+ 0x30,0x41,
+ 0x30,0x0d,
+ 0x06,0x09,
+ 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,
+ 0x05,0x00,
+ 0x04,0x30
+};
+
+const u_int8_t sha512_oid[] = {
+ 0x30,0x51,
+ 0x30,0x0d,
+ 0x06,0x09,
+ 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,
+ 0x05,0x00,
+ 0x04,0x40
+};
+
+#define LARGEST_HASH_OID_SIZE sizeof(sha512_oid)
+
+/* ASN.1 definition public key */
+static const asn1Object_t pubkey_objects[] = {
+ { 0, "RSAPublicKey", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
+ { 1, "modulus", ASN1_INTEGER, ASN1_BODY }, /* 1 */
+ { 1, "publicExponent", ASN1_INTEGER, ASN1_BODY }, /* 2 */
+};
+
+#define PUB_KEY_RSA_PUBLIC_KEY 0
+#define PUB_KEY_MODULUS 1
+#define PUB_KEY_EXPONENT 2
+#define PUB_KEY_ROOF 3
+
+typedef struct private_rsa_public_key_t private_rsa_public_key_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_rsa_public_key_t {
+ /**
+ * Public interface for this signer.
+ */
+ rsa_public_key_t public;
+
+ /**
+ * Public modulus.
+ */
+ mpz_t n;
+
+ /**
+ * Public exponent.
+ */
+ mpz_t e;
+
+ /**
+ * Keysize in bytes.
+ */
+ size_t k;
+
+ /**
+ * Keyid formed as a SHA-1 hash of a publicKeyInfo object
+ */
+ chunk_t keyid;
+
+ /**
+ * @brief Implements the RSAEP algorithm specified in PKCS#1.
+ *
+ * @param this calling object
+ * @param data data to process
+ * @return processed data
+ */
+ chunk_t (*rsaep) (const private_rsa_public_key_t *this, chunk_t data);
+
+ /**
+ * @brief Implements the RSASVP1 algorithm specified in PKCS#1.
+ *
+ * @param this calling object
+ * @param data data to process
+ * @return processed data
+ */
+ chunk_t (*rsavp1) (const private_rsa_public_key_t *this, chunk_t data);
+};
+
+private_rsa_public_key_t *rsa_public_key_create_empty(void);
+
+/**
+ * Implementation of private_rsa_public_key_t.rsaep and private_rsa_public_key_t.rsavp1
+ */
+static chunk_t rsaep(const private_rsa_public_key_t *this, chunk_t data)
+{
+ mpz_t m, c;
+ chunk_t encrypted;
+
+ mpz_init(c);
+ mpz_init(m);
+
+ mpz_import(m, data.len, 1, 1, 1, 0, data.ptr);
+
+ mpz_powm(c, m, this->e, this->n);
+
+ encrypted.len = this->k;
+ encrypted.ptr = mpz_export(NULL, NULL, 1, encrypted.len, 1, 0, c);
+
+ mpz_clear(c);
+ mpz_clear(m);
+
+ return encrypted;
+}
+
+/**
+ * Implementation of rsa_public_key.verify_emsa_pkcs1_signature.
+ */
+static status_t verify_emsa_pkcs1_signature(const private_rsa_public_key_t *this, chunk_t data, chunk_t signature)
+{
+ hasher_t *hasher = NULL;
+ chunk_t hash;
+ chunk_t em;
+ u_int8_t *pos;
+ status_t res = FAILED;
+
+ /* remove any preceding 0-bytes from signature */
+ while (signature.len && *(signature.ptr) == 0x00)
+ {
+ signature.len -= 1;
+ signature.ptr++;
+ }
+
+ if (signature.len > this->k)
+ {
+ return INVALID_ARG;
+ }
+
+ /* unpack signature */
+ em = this->rsavp1(this, signature);
+
+ /* result should look like this:
+ * EM = 0x00 || 0x01 || PS || 0x00 || T.
+ * PS = 0xFF padding, with length to fill em
+ * T = oid || hash
+ */
+
+ /* check magic bytes */
+ if ((*(em.ptr) != 0x00) || (*(em.ptr+1) != 0x01))
+ {
+ goto end;
+ }
+
+ /* find magic 0x00 */
+ pos = em.ptr + 2;
+ while (pos <= em.ptr + em.len)
+ {
+ if (*pos == 0x00)
+ {
+ /* found magic byte, stop */
+ pos++;
+ break;
+ }
+ else if (*pos != 0xFF)
+ {
+ /* bad padding, decryption failed ?!*/
+ goto end;
+ }
+ pos++;
+ }
+
+ if (pos + LARGEST_HASH_OID_SIZE > em.ptr + em.len)
+ {
+ /* not enought room for oid compare */
+ goto end;
+ }
+
+ if (memeq(md2_oid, pos, sizeof(md2_oid)))
+ {
+ hasher = hasher_create(HASH_MD2);
+ pos += sizeof(md2_oid);
+ }
+ else if (memeq(md5_oid, pos, sizeof(md5_oid)))
+ {
+ hasher = hasher_create(HASH_MD5);
+ pos += sizeof(md5_oid);
+ }
+ else if (memeq(sha1_oid, pos, sizeof(sha1_oid)))
+ {
+ hasher = hasher_create(HASH_SHA1);
+ pos += sizeof(sha1_oid);
+ }
+ else if (memeq(sha256_oid, pos, sizeof(sha256_oid)))
+ {
+ hasher = hasher_create(HASH_SHA256);
+ pos += sizeof(sha256_oid);
+ }
+ else if (memeq(sha384_oid, pos, sizeof(sha384_oid)))
+ {
+ hasher = hasher_create(HASH_SHA384);
+ pos += sizeof(sha384_oid);
+ }
+ else if (memeq(sha512_oid, pos, sizeof(sha512_oid)))
+ {
+ hasher = hasher_create(HASH_SHA512);
+ pos += sizeof(sha512_oid);
+ }
+
+ if (hasher == NULL)
+ {
+ /* unsupported hash algorithm */
+ res = NOT_SUPPORTED;;
+ goto end;
+ }
+
+ if (pos + hasher->get_hash_size(hasher) != em.ptr + em.len)
+ {
+ /* bad length */
+ hasher->destroy(hasher);
+ goto end;
+ }
+
+ /* build our own hash */
+ hasher->allocate_hash(hasher, data, &hash);
+ hasher->destroy(hasher);
+
+ /* compare the hashes */
+ res = memeq(hash.ptr, pos, hash.len) ? SUCCESS : FAILED;
+ free(hash.ptr);
+
+end:
+ free(em.ptr);
+ return res;
+}
+
+/**
+ * Implementation of rsa_public_key.get_key.
+ */
+static status_t get_key(const private_rsa_public_key_t *this, chunk_t *key)
+{
+ chunk_t n, e;
+
+ n.len = this->k;
+ n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, this->n);
+ e.len = this->k;
+ e.ptr = mpz_export(NULL, NULL, 1, e.len, 1, 0, this->e);
+
+ key->len = this->k * 2;
+ key->ptr = malloc(key->len);
+ memcpy(key->ptr, n.ptr, n.len);
+ memcpy(key->ptr + n.len, e.ptr, e.len);
+ free(n.ptr);
+ free(e.ptr);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of rsa_public_key.save_key.
+ */
+static status_t save_key(const private_rsa_public_key_t *this, char *file)
+{
+ return NOT_SUPPORTED;
+}
+
+/**
+ * Implementation of rsa_public_key.get_modulus.
+ */
+static mpz_t *get_modulus(const private_rsa_public_key_t *this)
+{
+ return (mpz_t*)&this->n;
+}
+
+/**
+ * Implementation of rsa_public_key.get_keysize.
+ */
+static size_t get_keysize(const private_rsa_public_key_t *this)
+{
+ return this->k;
+}
+
+/**
+ * Implementation of rsa_public_key.get_keyid.
+ */
+static chunk_t get_keyid(const private_rsa_public_key_t *this)
+{
+ return this->keyid;
+}
+
+/**
+ * Implementation of rsa_public_key.clone.
+ */
+static rsa_public_key_t* _clone(const private_rsa_public_key_t *this)
+{
+ private_rsa_public_key_t *clone = rsa_public_key_create_empty();
+
+ mpz_init_set(clone->n, this->n);
+ mpz_init_set(clone->e, this->e);
+ clone->keyid = chunk_clone(this->keyid);
+ clone->k = this->k;
+
+ return &clone->public;
+}
+
+/**
+ * Implementation of rsa_public_key.destroy.
+ */
+static void destroy(private_rsa_public_key_t *this)
+{
+ mpz_clear(this->n);
+ mpz_clear(this->e);
+ free(this->keyid.ptr);
+ free(this);
+}
+
+/**
+ * Generic private constructor
+ */
+private_rsa_public_key_t *rsa_public_key_create_empty(void)
+{
+ private_rsa_public_key_t *this = malloc_thing(private_rsa_public_key_t);
+
+ /* public functions */
+ this->public.verify_emsa_pkcs1_signature = (status_t (*) (const rsa_public_key_t*,chunk_t,chunk_t))verify_emsa_pkcs1_signature;
+ this->public.get_key = (status_t (*) (const rsa_public_key_t*,chunk_t*))get_key;
+ this->public.save_key = (status_t (*) (const rsa_public_key_t*,char*))save_key;
+ this->public.get_modulus = (mpz_t *(*) (const rsa_public_key_t*))get_modulus;
+ this->public.get_keysize = (size_t (*) (const rsa_public_key_t*))get_keysize;
+ this->public.get_keyid = (chunk_t (*) (const rsa_public_key_t*))get_keyid;
+ this->public.clone = (rsa_public_key_t* (*) (const rsa_public_key_t*))_clone;
+ this->public.destroy = (void (*) (rsa_public_key_t*))destroy;
+
+ /* private functions */
+ this->rsaep = rsaep;
+ this->rsavp1 = rsaep; /* same algorithm */
+
+ return this;
+}
+
+/**
+ * Build a DER-encoded publicKeyInfo object from an RSA public key.
+ * Also used in rsa_private_key.c.
+ */
+chunk_t rsa_public_key_info_to_asn1(const mpz_t n, const mpz_t e)
+{
+ chunk_t rawKey = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_integer_from_mpz(n),
+ asn1_integer_from_mpz(e));
+ chunk_t publicKey;
+
+ u_char *pos = build_asn1_object(&publicKey, ASN1_BIT_STRING, 1 + rawKey.len);
+
+ *pos++ = 0x00;
+ memcpy(pos, rawKey.ptr, rawKey.len);
+ free(rawKey.ptr);
+
+ return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_rsaEncryption_id,
+ publicKey);
+}
+
+/*
+ * See header
+ */
+rsa_public_key_t *rsa_public_key_create_from_chunk(chunk_t blob)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ private_rsa_public_key_t *this = rsa_public_key_create_empty();
+
+ mpz_init(this->n);
+ mpz_init(this->e);
+
+ asn1_init(&ctx, blob, 0, FALSE, FALSE);
+
+ while (objectID < PUB_KEY_ROOF)
+ {
+ if (!extract_object(pubkey_objects, &objectID, &object, &level, &ctx))
+ {
+ destroy(this);
+ return FALSE;
+ }
+ switch (objectID)
+ {
+ case PUB_KEY_MODULUS:
+ mpz_import(this->n, object.len, 1, 1, 1, 0, object.ptr);
+ break;
+ case PUB_KEY_EXPONENT:
+ mpz_import(this->e, object.len, 1, 1, 1, 0, object.ptr);
+ break;
+ }
+ objectID++;
+ }
+
+ this->k = (mpz_sizeinbase(this->n, 2) + 7) / 8;
+
+ /* form the keyid as a SHA-1 hash of a publicKeyInfo object */
+ {
+ chunk_t publicKeyInfo = rsa_public_key_info_to_asn1(this->n, this->e);
+ hasher_t *hasher = hasher_create(HASH_SHA1);
+
+ hasher->allocate_hash(hasher, publicKeyInfo, &this->keyid);
+ hasher->destroy(hasher);
+ free(publicKeyInfo.ptr);
+ }
+
+ return &this->public;
+}
+
+/*
+ * See header
+ */
+rsa_public_key_t *rsa_public_key_create_from_file(char *filename)
+{
+ bool pgp = FALSE;
+ chunk_t chunk = chunk_empty;
+ rsa_public_key_t *pubkey = NULL;
+
+ if (!pem_asn1_load_file(filename, NULL, "public key", &chunk, &pgp))
+ return NULL;
+
+ pubkey = rsa_public_key_create_from_chunk(chunk);
+ free(chunk.ptr);
+ return pubkey;
+}
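Review bot: verify_emsa_pkcs1_signature dereferences `em.ptr` without checking it, although the signature is supplied by the peer. An empty or all-zero signature, or one equal to n, makes rsaep compute 0; GMP documents that mpz_export() returns NULL when the value is zero and no buffer is passed, so `*(em.ptr)` in the magic-byte check would be a NULL read. I would reject this right after the rsavp1 call with `if (em.ptr == NULL) return INVALID_ARG;`, or compare the imported value against `this->n` as RSAVP1 specifies. The padding scan `while (pos <= em.ptr + em.len)` also reads one byte past the buffer when no 0x00 separator is found; the bound should be `<`. In rsa_public_key_create_from_chunk, the `destroy(this)` on extract_object failure frees `this->keyid.ptr` before it is assigned (assuming malloc_thing does not zero), which `this->keyid = chunk_empty;` in rsa_public_key_create_empty would fix, and the function returns `FALSE` where `NULL` is meant.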
diff --git a/src/libstrongswan/crypto/rsa/rsa_public_key.h b/src/libstrongswan/crypto/rsa/rsa_public_key.h
new file mode 100644
index 000000000..1ee54dcc3
--- /dev/null
+++ b/src/libstrongswan/crypto/rsa/rsa_public_key.h
@@ -0,0 +1,164 @@
+/**
+ * @file rsa_public_key.h
+ *
+ * @brief Interface of rsa_public_key_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef RSA_PUBLIC_KEY_H_
+#define RSA_PUBLIC_KEY_H_
+
+typedef struct rsa_public_key_t rsa_public_key_t;
+
+#include <gmp.h>
+
+#include <library.h>
+
+/**
+ * @brief RSA public key with associated functions.
+ *
+ * Currently only supports signature verification using
+ * the EMSA encoding (see PKCS1)
+ *
+ * @b Constructors:
+ * - rsa_public_key_create_from_chunk()
+ * - rsa_public_key_create_from_file()
+ * - rsa_private_key_t.get_public_key()
+ *
+ * @see rsa_private_key_t
+ *
+ * @todo Implement getkey() and savekey()
+ *
+ * @ingroup rsa
+ */
+struct rsa_public_key_t {
+
+ /**
+ * @brief Verify a EMSA-PKCS1 encodined signature.
+ *
+ * Processes the supplied signature with the RSAVP1 function,
+ * selects the hash algorithm form the resultign ASN1-OID and
+ * verifies the hash against the supplied data.
+ *
+ * @param this rsa_public_key to use
+ * @param data data to sign
+ * @param signature signature to verify
+ * @return
+ * - SUCCESS, if signature ok
+ * - INVALID_STATE, if key not set
+ * - NOT_SUPPORTED, if hash algorithm not supported
+ * - INVALID_ARG, if signature is not a signature
+ * - FAILED if signature invalid or unable to verify
+ */
+ status_t (*verify_emsa_pkcs1_signature) (const rsa_public_key_t *this, chunk_t data, chunk_t signature);
+
+ /**
+ * @brief Gets the key.
+ *
+ * Currently uses a proprietary format which is only inteded
+ * for testing. This should be replaced with a proper
+ * ASN1 encoded key format, when charon gets the ASN1
+ * capabilities.
+ *
+ * @param this calling object
+ * @param key key (in a propriarity format)
+ * @return
+ * - SUCCESS
+ * - INVALID_STATE, if key not set
+ */
+ status_t (*get_key) (const rsa_public_key_t *this, chunk_t *key);
+
+ /**
+ * @brief Saves a key to a file.
+ *
+ * Not implemented!
+ *
+ * @param this calling object
+ * @param file file to which the key should be written.
+ * @return NOT_SUPPORTED
+ */
+ status_t (*save_key) (const rsa_public_key_t *this, char *file);
+
+ /**
+ * @brief Get the modulus of the key.
+ *
+ * @param this calling object
+ * @return modulus (n) of the key
+ */
+ mpz_t *(*get_modulus) (const rsa_public_key_t *this);
+
+ /**
+ * @brief Get the size of the modulus in bytes.
+ *
+ * @param this calling object
+ * @return size of the modulus (n) in bytes
+ */
+ size_t (*get_keysize) (const rsa_public_key_t *this);
+
+ /**
+ * @brief Get the keyid formed as the SHA-1 hash of a publicKeyInfo object.
+ *
+ * @param this calling object
+ * @return keyid in the form of a SHA-1 hash
+ */
+ chunk_t (*get_keyid) (const rsa_public_key_t *this);
+
+ /**
+ * @brief Clone the public key.
+ *
+ * @param this public key to clone
+ * @return clone of this
+ */
+ rsa_public_key_t *(*clone) (const rsa_public_key_t *this);
+
+ /**
+ * @brief Destroys the public key.
+ *
+ * @param this public key to destroy
+ */
+ void (*destroy) (rsa_public_key_t *this);
+};
+
+/**
+ * @brief Load an RSA public key from a chunk.
+ *
+ * Load a key from a chunk, encoded in the more frequently
+ * used publicKeyInfo object (ASN1 DER encoded).
+ *
+ * @param chunk chunk containing the DER encoded key
+ * @return loaded rsa_public_key_t, or NULL
+ *
+ * @ingroup rsa
+ */
+rsa_public_key_t *rsa_public_key_create_from_chunk(chunk_t chunk);
+
+/**
+ * @brief Load an RSA public key from a file.
+ *
+ * Load a key from a file, which is either in binary
+ * format (DER), or in PEM format.
+ *
+ * @param filename filename which holds the key
+ * @return loaded rsa_public_key_t, or NULL
+ *
+ * @ingroup rsa
+ */
+rsa_public_key_t *rsa_public_key_create_from_file(char *filename);
+
+#endif /*RSA_PUBLIC_KEY_H_*/
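Review bot: The contract documented for `verify_emsa_pkcs1_signature` lets the signature itself choose the hash algorithm (from the ASN.1 OID recovered by RSAVP1), and the interface gives a caller no way to restrict which hashes are acceptable. The implementation is not part of this hunk, so the set of accepted OIDs cannot be confirmed here. The doc comment should at least list the accepted algorithms and say that the caller cannot pin one. In the same comment, `@param data data to sign` describes the wrong operation and should read `@param data data the signature was computed over`.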
diff --git a/src/libstrongswan/crypto/signers/hmac_signer.c b/src/libstrongswan/crypto/signers/hmac_signer.c
new file mode 100644
index 000000000..76e1ce50e
--- /dev/null
+++ b/src/libstrongswan/crypto/signers/hmac_signer.c
@@ -0,0 +1,174 @@
+/**
+ * @file hmac_signer.c
+ *
+ * @brief Implementation of hmac_signer_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "hmac_signer.h"
+
+#include <crypto/prfs/hmac_prf.h>
+
+typedef struct private_hmac_signer_t private_hmac_signer_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_hmac_signer_t {
+ /**
+ * Public interface of hmac_signer_t.
+ */
+ hmac_signer_t public;
+
+ /**
+ * Assigned hmac function.
+ */
+ prf_t *hmac_prf;
+
+ /**
+ * Block size (truncation of HMAC Hash)
+ */
+ size_t block_size;
+};
+
+/**
+ * Implementation of signer_t.get_signature.
+ */
+static void get_signature (private_hmac_signer_t *this, chunk_t data, u_int8_t *buffer)
+{
+ u_int8_t full_mac[this->hmac_prf->get_block_size(this->hmac_prf)];
+
+ this->hmac_prf->get_bytes(this->hmac_prf, data, full_mac);
+
+ /* copy MAC depending on truncation */
+ memcpy(buffer, full_mac, this->block_size);
+}
+
+/**
+ * Implementation of signer_t.allocate_signature.
+ */
+static void allocate_signature (private_hmac_signer_t *this, chunk_t data, chunk_t *chunk)
+{
+ chunk_t signature;
+ u_int8_t full_mac[this->hmac_prf->get_block_size(this->hmac_prf)];
+
+ this->hmac_prf->get_bytes(this->hmac_prf,data,full_mac);
+
+ signature.ptr = malloc(this->block_size);
+ signature.len = this->block_size;
+
+ /* copy signature */
+ memcpy(signature.ptr, full_mac, this->block_size);
+
+ *chunk = signature;
+}
+
+/**
+ * Implementation of signer_t.verify_signature.
+ */
+static bool verify_signature(private_hmac_signer_t *this, chunk_t data, chunk_t signature)
+{
+ u_int8_t full_mac[this->hmac_prf->get_block_size(this->hmac_prf)];
+
+ this->hmac_prf->get_bytes(this->hmac_prf, data, full_mac);
+
+ if (signature.len != this->block_size)
+ {
+ return FALSE;
+ }
+
+ /* compare mac aka signature :-) */
+ if (memcmp(signature.ptr, full_mac, this->block_size) == 0)
+ {
+ return TRUE;
+ }
+ else
+ {
+ return FALSE;
+ }
+}
+
+/**
+ * Implementation of signer_t.get_key_size.
+ */
+static size_t get_key_size(private_hmac_signer_t *this)
+{
+ /* for HMAC signer, IKEv2 uses block size as key size */
+ return this->hmac_prf->get_block_size(this->hmac_prf);
+}
+
+/**
+ * Implementation of signer_t.get_block_size.
+ */
+static size_t get_block_size(private_hmac_signer_t *this)
+{
+ return this->block_size;
+}
+
+/**
+ * Implementation of signer_t.set_key.
+ */
+static void set_key(private_hmac_signer_t *this, chunk_t key)
+{
+ this->hmac_prf->set_key(this->hmac_prf, key);
+}
+
+/**
+ * Implementation of signer_t.destroy.
+ */
+static status_t destroy(private_hmac_signer_t *this)
+{
+ this->hmac_prf->destroy(this->hmac_prf);
+ free(this);
+ return SUCCESS;
+}
+
+/*
+ * Described in header
+ */
+hmac_signer_t *hmac_signer_create(hash_algorithm_t hash_algoritm, size_t block_size)
+{
+ size_t hmac_block_size;
+ private_hmac_signer_t *this = malloc_thing(private_hmac_signer_t);
+
+ this->hmac_prf = (prf_t *) hmac_prf_create(hash_algoritm);
+ if (this->hmac_prf == NULL)
+ {
+ /* algorithm not supported */
+ free(this);
+ return NULL;
+ }
+
+ /* prevent invalid truncation */
+ hmac_block_size = this->hmac_prf->get_block_size(this->hmac_prf);
+ this->block_size = min(block_size, hmac_block_size);
+
+ /* interface functions */
+ this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature;
+ this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature;
+ this->public.signer_interface.verify_signature = (bool (*) (signer_t*, chunk_t, chunk_t))verify_signature;
+ this->public.signer_interface.get_key_size = (size_t (*) (signer_t*))get_key_size;
+ this->public.signer_interface.get_block_size = (size_t (*) (signer_t*))get_block_size;
+ this->public.signer_interface.set_key = (void (*) (signer_t*,chunk_t))set_key;
+ this->public.signer_interface.destroy = (void (*) (signer_t*))destroy;
+
+ return &(this->public);
+}
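Review bot: `verify_signature` compares the received MAC against the computed one with `memcmp`, which is free to return at the first differing byte, so the time taken can depend on how many leading bytes match. For a MAC check the comparison should take the same time wherever the mismatch is. Accumulating the XOR of every byte pair and testing the result once achieves that without any new dependency. The existing length check already guarantees both buffers hold `this->block_size` bytes, so the loop below can replace the `memcmp` branch directly.

```c
static bool verify_signature(private_hmac_signer_t *this, chunk_t data, chunk_t signature)
{
	/* … unchanged: full_mac computation and signature.len check … */

	/* compare every byte so the duration does not depend on the mismatch position */
	u_int8_t diff = 0;
	size_t i;

	for (i = 0; i < this->block_size; i++)
	{
		diff |= signature.ptr[i] ^ full_mac[i];
	}
	return diff == 0;
}
```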
diff --git a/src/libstrongswan/crypto/signers/hmac_signer.h b/src/libstrongswan/crypto/signers/hmac_signer.h
new file mode 100644
index 000000000..2449069bd
--- /dev/null
+++ b/src/libstrongswan/crypto/signers/hmac_signer.h
@@ -0,0 +1,68 @@
+/**
+ * @file hmac_signer.h
+ *
+ * @brief Interface of hmac_signer_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef HMAC_SIGNER_H_
+#define HMAC_SIGNER_H_
+
+typedef struct hmac_signer_t hmac_signer_t;
+
+#include <crypto/signers/signer.h>
+#include <crypto/hashers/hasher.h>
+
+/**
+ * @brief Implementation of signer_t interface using HMAC.
+ *
+ * HMAC uses a standard hash function implemented in a hasher_t to build
+ * a MAC.
+ *
+ * @ingroup signers
+ */
+struct hmac_signer_t {
+
+ /**
+ * generic signer_t interface for this signer
+ */
+ signer_t signer_interface;
+};
+
+/**
+ * @brief Creates a new hmac_signer_t.
+ *
+ * HMAC signatures are often truncated to shorten them to a more usable, but
+ * still secure enough length.
+ * Block size must be equal or smaller then the hash algorithms
+ * hash.
+ *
+ * @param hash_algoritm Hash algorithm to use with signer
+ * @param block_size Size of resulting signature (truncated to block_size)
+ * @return
+ * - hmac_signer_t
+ * - NULL if hash algorithm not supported
+ *
+ * @ingroup signers
+ */
+hmac_signer_t *hmac_signer_create(hash_algorithm_t hash_algoritm,
+ size_t block_size);
+
+
+#endif /*HMAC_SIGNER_H_*/
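Review bot: The doc comment on `hmac_signer_create` says `block_size` must be equal to or smaller than the hash length, but it gives no lower bound and does not say what happens when the value is larger. In hmac_signer.c from this same commit, a larger value is silently clamped with `min()` and 0 is accepted, which yields a signer whose `verify_signature` compares zero bytes and so accepts an empty signature. I would document both, e.g. `@param block_size Size of resulting signature in bytes; values above the hash length are clamped, must be > 0`, and note that RFC 2104 recommends truncating to no less than half the hash length and no less than 80 bits. Actually rejecting 0 would be a change to the constructor in hmac_signer.c, not to this header.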
diff --git a/src/libstrongswan/crypto/signers/signer.c b/src/libstrongswan/crypto/signers/signer.c
new file mode 100644
index 000000000..747bc5efa
--- /dev/null
+++ b/src/libstrongswan/crypto/signers/signer.c
@@ -0,0 +1,65 @@
+/**
+ * @file signer.c
+ *
+ * @brief Implementation of generic signer_t constructor.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "signer.h"
+
+#include <crypto/signers/hmac_signer.h>
+
+ENUM_BEGIN(integrity_algorithm_names, AUTH_UNDEFINED, AUTH_HMAC_SHA1_128,
+ "UNDEFINED",
+ "AUTH_HMAC_SHA1_128");
+ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_MD5_96, AUTH_AES_XCBC_96, AUTH_HMAC_SHA1_128,
+ "HMAC_MD5_96",
+ "HMAC_SHA1_96",
+ "DES_MAC",
+ "KPDK_MD5",
+ "AES_XCBC_96");
+ENUM_NEXT(integrity_algorithm_names, AUTH_HMAC_SHA2_256_128, AUTH_HMAC_SHA2_512_256, AUTH_AES_XCBC_96,
+ "AUTH_HMAC_SHA2_256_128",
+ "AUTH_HMAC_SHA2_384_192",
+ "AUTH_HMAC_SHA2_512_256");
+ENUM_END(integrity_algorithm_names, AUTH_HMAC_SHA2_512_256);
+
+/*
+ * Described in header.
+ */
+signer_t *signer_create(integrity_algorithm_t integrity_algorithm)
+{
+ switch(integrity_algorithm)
+ {
+ case AUTH_HMAC_SHA1_96:
+ return (signer_t *)hmac_signer_create(HASH_SHA1, 12);
+ case AUTH_HMAC_SHA1_128:
+ return (signer_t *)hmac_signer_create(HASH_SHA1, 16);
+ case AUTH_HMAC_MD5_96:
+ return (signer_t *)hmac_signer_create(HASH_MD5, 12);
+ case AUTH_HMAC_SHA2_256_128:
+ return (signer_t *)hmac_signer_create(HASH_SHA256, 16);
+ case AUTH_HMAC_SHA2_384_192:
+ return (signer_t *)hmac_signer_create(HASH_SHA384, 24);
+ case AUTH_HMAC_SHA2_512_256:
+ return (signer_t *)hmac_signer_create(HASH_SHA512, 32);
+ default:
+ return NULL;
+ }
+}
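Review bot: The strings in `integrity_algorithm_names` mix two conventions: `"AUTH_HMAC_SHA1_128"` and the three SHA2 entries carry the `AUTH_` prefix, while `"UNDEFINED"`, `"HMAC_MD5_96"`, `"HMAC_SHA1_96"`, `"DES_MAC"`, `"KPDK_MD5"` and `"AES_XCBC_96"` do not. These names presumably end up in log output, where the mixed form makes it harder to search for the negotiated integrity algorithm. Pick one form, e.g. `"HMAC_SHA1_128"`, `"HMAC_SHA2_256_128"`, `"HMAC_SHA2_384_192"`, `"HMAC_SHA2_512_256"`. In `signer_create`, a one-line comment that the second argument to `hmac_signer_create` is the truncated MAC length in bytes (`12` = 96 bits) would also make the literals self-explanatory.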
diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h
new file mode 100644
index 000000000..0f3709712
--- /dev/null
+++ b/src/libstrongswan/crypto/signers/signer.h
@@ -0,0 +1,147 @@
+/**
+ * @file signer.h
+ *
+ * @brief Interface for signer_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef SIGNER_H_
+#define SIGNER_H_
+
+typedef enum integrity_algorithm_t integrity_algorithm_t;
+typedef struct signer_t signer_t;
+
+#include <library.h>
+
+/**
+ * @brief Integrity algorithm, as in IKEv2 RFC 3.3.2.
+ *
+ * Algorithms not specified in IKEv2 are allocated in private use space.
+ *
+ * @ingroup signers
+ */
+enum integrity_algorithm_t {
+ AUTH_UNDEFINED = 1024,
+ /** Implemented via hmac_signer_t */
+ AUTH_HMAC_MD5_96 = 1,
+ /** Implemented via hmac_signer_t */
+ AUTH_HMAC_SHA1_96 = 2,
+ AUTH_DES_MAC = 3,
+ AUTH_KPDK_MD5 = 4,
+ AUTH_AES_XCBC_96 = 5,
+ /** Implemented via hmac_signer_t */
+ AUTH_HMAC_SHA2_256_128 = 12,
+ /** Implemented via hmac_signer_t */
+ AUTH_HMAC_SHA2_384_192 = 13,
+ /** Implemented via hmac_signer_t */
+ AUTH_HMAC_SHA2_512_256 = 14,
+ /** Implemented via hmac_signer_t */
+ AUTH_HMAC_SHA1_128 = 1025,
+};
+
+/**
+ * enum names for integrity_algorithm_t.
+ */
+extern enum_name_t *integrity_algorithm_names;
+
+/**
+ * @brief Generig interface for a symmetric signature algorithm.
+ *
+ * @b Constructors:
+ * - signer_create()
+ * - hmac_signer_create()
+ *
+ * @todo Implement more integrity algorithms
+ *
+ * @ingroup signers
+ */
+struct signer_t {
+ /**
+ * @brief Generate a signature.
+ *
+ * @param this calling object
+ * @param data a chunk containing the data to sign
+ * @param[out] buffer pointer where the signature will be written
+ */
+ void (*get_signature) (signer_t *this, chunk_t data, u_int8_t *buffer);
+
+ /**
+ * @brief Generate a signature and allocate space for it.
+ *
+ * @param this calling object
+ * @param data a chunk containing the data to sign
+ * @param[out] chunk chunk which will hold the allocated signature
+ */
+ void (*allocate_signature) (signer_t *this, chunk_t data, chunk_t *chunk);
+
+ /**
+ * @brief Verify a signature.
+ *
+ * @param this calling object
+ * @param data a chunk containing the data to verify
+ * @param signature a chunk containing the signature
+ * @return TRUE, if signature is valid, FALSE otherwise
+ */
+ bool (*verify_signature) (signer_t *this, chunk_t data, chunk_t signature);
+
+ /**
+ * @brief Get the block size of this signature algorithm.
+ *
+ * @param this calling object
+ * @return block size in bytes
+ */
+ size_t (*get_block_size) (signer_t *this);
+
+ /**
+ * @brief Get the key size of the signature algorithm.
+ *
+ * @param this calling object
+ * @return key size in bytes
+ */
+ size_t (*get_key_size) (signer_t *this);
+
+ /**
+ * @brief Set the key for this object.
+ *
+ * @param this calling object
+ * @param key key to set
+ */
+ void (*set_key) (signer_t *this, chunk_t key);
+
+ /**
+ * @brief Destroys a signer_t object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (signer_t *this);
+};
+
+/**
+ * @brief Creates a new signer_t object.
+ *
+ * @param integrity_algorithm Algorithm to use for signing and verifying.
+ * @return
+ * - signer_t object
+ * - NULL if signer not supported
+ *
+ * @ingroup signers
+ */
+signer_t *signer_create(integrity_algorithm_t integrity_algorithm);
+
+#endif /*SIGNER_H_*/
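Review bot: `get_signature` writes into a caller-supplied `u_int8_t *buffer` with no length parameter, and its doc comment does not say how large that buffer must be. The HMAC implementation added in this commit copies `block_size` bytes into it, so an undersized buffer is overrun by the callee with nothing for it to check. The contract should state the requirement: `@param[out] buffer pointer where the signature will be written, must hold at least get_block_size() bytes`. Separately, "Generig" in the `signer_t` brief should read "Generic".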
diff --git a/src/libstrongswan/crypto/x509.c b/src/libstrongswan/crypto/x509.c
new file mode 100755
index 000000000..58fcff16d
--- /dev/null
+++ b/src/libstrongswan/crypto/x509.c
@@ -0,0 +1,1354 @@
+/**
+ * @file x509.c
+ *
+ * @brief Implementation of x509_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <gmp.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "x509.h"
+#include "hashers/hasher.h"
+#include <library.h>
+#include <debug.h>
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <asn1/pem.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+
+#define CERT_WARNING_INTERVAL 30 /* days */
+
+/**
+ * Different kinds of generalNames
+ */
+typedef enum generalNames_t generalNames_t;
+
+enum generalNames_t {
+ GN_OTHER_NAME = 0,
+ GN_RFC822_NAME = 1,
+ GN_DNS_NAME = 2,
+ GN_X400_ADDRESS = 3,
+ GN_DIRECTORY_NAME = 4,
+ GN_EDI_PARTY_NAME = 5,
+ GN_URI = 6,
+ GN_IP_ADDRESS = 7,
+ GN_REGISTERED_ID = 8,
+};
+
+typedef struct private_x509_t private_x509_t;
+
+/**
+ * Private data of a x509_t object.
+ */
+struct private_x509_t {
+ /**
+ * Public interface for this certificate.
+ */
+ x509_t public;
+
+ /**
+ * Time when certificate was installed
+ */
+ time_t installed;
+
+ /**
+ * Time until certificate can be trusted
+ */
+ time_t until;
+
+ /**
+ * Certificate status
+ */
+ cert_status_t status;
+
+ /**
+ * Authority flags
+ */
+ u_int authority_flags;
+
+ /**
+ * X.509 Certificate in DER format
+ */
+ chunk_t certificate;
+
+ /**
+ * X.509 certificate body over which signature is computed
+ */
+ chunk_t tbsCertificate;
+
+ /**
+ * Version of the X.509 certificate
+ */
+ u_int version;
+
+ /**
+ * Serial number of the X.509 certificate
+ */
+ chunk_t serialNumber;
+
+ /**
+ * Signature algorithm
+ */
+ int sigAlg;
+
+ /**
+ * ID representing the certificate issuer
+ */
+ identification_t *issuer;
+
+ /**
+ * Start time of certificate validity
+ */
+ time_t notBefore;
+
+ /**
+ * End time of certificate validity
+ */
+ time_t notAfter;
+
+ /**
+ * ID representing the certificate subject
+ */
+ identification_t *subject;
+
+ /**
+ * List of identification_t's representing subjectAltNames
+ */
+ linked_list_t *subjectAltNames;
+
+ /**
+ * List of identification_t's representing crlDistributionPoints
+ */
+ linked_list_t *crlDistributionPoints;
+
+ /**
+ * List of identification_t's representing ocspAccessLocations
+ */
+ linked_list_t *ocspAccessLocations;
+
+ /**
+ * Subject public key
+ */
+ chunk_t subjectPublicKey;
+
+ /**
+ * Subject RSA public key, if subjectPublicKeyAlgorithm == RSA
+ */
+ rsa_public_key_t *public_key;
+
+ /**
+ * Subject Key Identifier
+ */
+ chunk_t subjectKeyID;
+
+ /**
+ * Authority Key Identifier
+ */
+ chunk_t authKeyID;
+
+ /**
+ * Authority Key Serial Number
+ */
+ chunk_t authKeySerialNumber;
+
+ /**
+ * CA basic constraints flag
+ */
+ bool isCA;
+
+ /**
+ * OCSPSigner extended key usage flag
+ */
+ bool isOcspSigner;
+
+ /**
+ * Signature algorithm (must be identical to sigAlg)
+ */
+ int algorithm;
+
+ /**
+ * Signature
+ */
+ chunk_t signature;
+
+};
+
+/**
+ * ASN.1 definition of generalName
+ */
+static const asn1Object_t generalNameObjects[] = {
+ { 0, "otherName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_BODY }, /* 0 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 1 */
+ { 0, "rfc822Name", ASN1_CONTEXT_S_1, ASN1_OPT|ASN1_BODY }, /* 2 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 3 */
+ { 0, "dnsName", ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 4 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 5 */
+ { 0, "x400Address", ASN1_CONTEXT_S_3, ASN1_OPT|ASN1_BODY }, /* 6 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
+ { 0, "directoryName", ASN1_CONTEXT_C_4, ASN1_OPT|ASN1_BODY }, /* 8 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
+ { 0, "ediPartyName", ASN1_CONTEXT_C_5, ASN1_OPT|ASN1_BODY }, /* 10 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
+ { 0, "URI", ASN1_CONTEXT_S_6, ASN1_OPT|ASN1_BODY }, /* 12 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 13 */
+ { 0, "ipAddress", ASN1_CONTEXT_S_7, ASN1_OPT|ASN1_BODY }, /* 14 */
+ { 0, "end choice", ASN1_EOC, ASN1_END }, /* 15 */
+ { 0, "registeredID", ASN1_CONTEXT_S_8, ASN1_OPT|ASN1_BODY }, /* 16 */
+ { 0, "end choice", ASN1_EOC, ASN1_END } /* 17 */
+};
+#define GN_OBJ_OTHER_NAME 0
+#define GN_OBJ_RFC822_NAME 2
+#define GN_OBJ_DNS_NAME 4
+#define GN_OBJ_X400_ADDRESS 6
+#define GN_OBJ_DIRECTORY_NAME 8
+#define GN_OBJ_EDI_PARTY_NAME 10
+#define GN_OBJ_URI 12
+#define GN_OBJ_IP_ADDRESS 14
+#define GN_OBJ_REGISTERED_ID 16
+#define GN_OBJ_ROOF 18
+
+/**
+ * ASN.1 definition of otherName
+ */
+static const asn1Object_t otherNameObjects[] = {
+ {0, "type-id", ASN1_OID, ASN1_BODY }, /* 0 */
+ {0, "value", ASN1_CONTEXT_C_0, ASN1_BODY } /* 1 */
+};
+#define ON_OBJ_ID_TYPE 0
+#define ON_OBJ_VALUE 1
+#define ON_OBJ_ROOF 2
+/**
+ * ASN.1 definition of a basicConstraints extension
+ */
+static const asn1Object_t basicConstraintsObjects[] = {
+ { 0, "basicConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "CA", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 1 */
+ { 1, "pathLenConstraint", ASN1_INTEGER, ASN1_OPT|ASN1_BODY }, /* 2 */
+ { 1, "end opt", ASN1_EOC, ASN1_END } /* 3 */
+};
+#define BASIC_CONSTRAINTS_CA 1
+#define BASIC_CONSTRAINTS_ROOF 4
+
+/**
+ * ASN.1 definition of time
+ */
+static const asn1Object_t timeObjects[] = {
+ { 0, "utcTime", ASN1_UTCTIME, ASN1_OPT|ASN1_BODY }, /* 0 */
+ { 0, "end opt", ASN1_EOC, ASN1_END }, /* 1 */
+ { 0, "generalizeTime",ASN1_GENERALIZEDTIME, ASN1_OPT|ASN1_BODY }, /* 2 */
+ { 0, "end opt", ASN1_EOC, ASN1_END } /* 3 */
+};
+#define TIME_UTC 0
+#define TIME_GENERALIZED 2
+#define TIME_ROOF 4
+
+/**
+ * ASN.1 definition of a keyIdentifier
+ */
+static const asn1Object_t keyIdentifierObjects[] = {
+ { 0, "keyIdentifier", ASN1_OCTET_STRING, ASN1_BODY } /* 0 */
+};
+
+/**
+ * ASN.1 definition of a authorityKeyIdentifier extension
+ */
+static const asn1Object_t authorityKeyIdentifierObjects[] = {
+ { 0, "authorityKeyIdentifier", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "keyIdentifier", ASN1_CONTEXT_S_0, ASN1_OPT|ASN1_OBJ }, /* 1 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 2 */
+ { 1, "authorityCertIssuer", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_OBJ }, /* 3 */
+ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 4 */
+ { 1, "authorityCertSerialNumber",ASN1_CONTEXT_S_2, ASN1_OPT|ASN1_BODY }, /* 5 */
+ { 1, "end opt", ASN1_EOC, ASN1_END } /* 6 */
+};
+#define AUTH_KEY_ID_KEY_ID 1
+#define AUTH_KEY_ID_CERT_ISSUER 3
+#define AUTH_KEY_ID_CERT_SERIAL 5
+#define AUTH_KEY_ID_ROOF 7
+
+/**
+ * ASN.1 definition of a authorityInfoAccess extension
+ */
+static const asn1Object_t authorityInfoAccessObjects[] = {
+ { 0, "authorityInfoAccess", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "accessDescription", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+ { 2, "accessMethod", ASN1_OID, ASN1_BODY }, /* 2 */
+ { 2, "accessLocation", ASN1_EOC, ASN1_RAW }, /* 3 */
+ { 0, "end loop", ASN1_EOC, ASN1_END } /* 4 */
+};
+#define AUTH_INFO_ACCESS_METHOD 2
+#define AUTH_INFO_ACCESS_LOCATION 3
+#define AUTH_INFO_ACCESS_ROOF 5
+
+/**
+ * ASN.1 definition of a extendedKeyUsage extension
+ */
+static const asn1Object_t extendedKeyUsageObjects[] = {
+ { 0, "extendedKeyUsage", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "keyPurposeID", ASN1_OID, ASN1_BODY }, /* 1 */
+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 2 */
+};
+
+#define EXT_KEY_USAGE_PURPOSE_ID 1
+#define EXT_KEY_USAGE_ROOF 3
+
+/**
+ * ASN.1 definition of generalNames
+ */
+static const asn1Object_t generalNamesObjects[] = {
+ { 0, "generalNames", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "generalName", ASN1_EOC, ASN1_RAW }, /* 1 */
+ { 0, "end loop", ASN1_EOC, ASN1_END } /* 2 */
+};
+#define GENERAL_NAMES_GN 1
+#define GENERAL_NAMES_ROOF 3
+
+
+/**
+ * ASN.1 definition of crlDistributionPoints
+ */
+static const asn1Object_t crlDistributionPointsObjects[] = {
+ { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+ { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+ { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
+ { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
+ { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
+ { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
+ { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
+ { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
+ { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
+};
+#define CRL_DIST_POINTS_FULLNAME 3
+#define CRL_DIST_POINTS_ROOF 13
+
+/**
+ * ASN.1 definition of an X.509v3 x509
+ */
+static const asn1Object_t certObjects[] = {
+ { 0, "x509", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
+ { 1, "tbsCertificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
+ { 2, "DEFAULT v1", ASN1_CONTEXT_C_0, ASN1_DEF }, /* 2 */
+ { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
+ { 2, "serialNumber", ASN1_INTEGER, ASN1_BODY }, /* 4 */
+ { 2, "signature", ASN1_EOC, ASN1_RAW }, /* 5 */
+ { 2, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
+ { 2, "validity", ASN1_SEQUENCE, ASN1_NONE }, /* 7 */
+ { 3, "notBefore", ASN1_EOC, ASN1_RAW }, /* 8 */
+ { 3, "notAfter", ASN1_EOC, ASN1_RAW }, /* 9 */
+ { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
+ { 2, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_NONE }, /* 11 */
+ { 3, "algorithm", ASN1_EOC, ASN1_RAW }, /* 12 */
+ { 3, "subjectPublicKey", ASN1_BIT_STRING, ASN1_NONE }, /* 13 */
+ { 4, "RSAPublicKey", ASN1_SEQUENCE, ASN1_RAW }, /* 14 */
+ { 2, "issuerUniqueID", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 15 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 16 */
+ { 2, "subjectUniqueID", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 17 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 18 */
+ { 2, "optional extensions", ASN1_CONTEXT_C_3, ASN1_OPT }, /* 19 */
+ { 3, "extensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 20 */
+ { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 21 */
+ { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 22 */
+ { 5, "critical", ASN1_BOOLEAN, ASN1_DEF|ASN1_BODY }, /* 23 */
+ { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 24 */
+ { 3, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
+ { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 27 */
+ { 1, "signatureValue", ASN1_BIT_STRING, ASN1_BODY } /* 28 */
+};
+#define X509_OBJ_CERTIFICATE 0
+#define X509_OBJ_TBS_CERTIFICATE 1
+#define X509_OBJ_VERSION 3
+#define X509_OBJ_SERIAL_NUMBER 4
+#define X509_OBJ_SIG_ALG 5
+#define X509_OBJ_ISSUER 6
+#define X509_OBJ_NOT_BEFORE 8
+#define X509_OBJ_NOT_AFTER 9
+#define X509_OBJ_SUBJECT 10
+#define X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM 12
+#define X509_OBJ_SUBJECT_PUBLIC_KEY 13
+#define X509_OBJ_RSA_PUBLIC_KEY 14
+#define X509_OBJ_EXTN_ID 22
+#define X509_OBJ_CRITICAL 23
+#define X509_OBJ_EXTN_VALUE 24
+#define X509_OBJ_ALGORITHM 27
+#define X509_OBJ_SIGNATURE 28
+#define X509_OBJ_ROOF 29
+
+
+static u_char ASN1_subjectAltName_oid_str[] = {
+ 0x06, 0x03, 0x55, 0x1D, 0x11
+};
+
+static const chunk_t ASN1_subjectAltName_oid = chunk_from_buf(ASN1_subjectAltName_oid_str);
+
+
+/**
+ * compare two X.509 x509s by comparing their signatures
+ */
+static bool equals(const private_x509_t *this, const private_x509_t *other)
+{
+ return chunk_equals(this->signature, other->signature);
+}
+
+/**
+ * extracts the basicConstraints extension
+ */
+static bool parse_basicConstraints(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+ bool isCA = FALSE;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+
+ while (objectID < BASIC_CONSTRAINTS_ROOF) {
+
+ if (!extract_object(basicConstraintsObjects, &objectID, &object,&level, &ctx))
+ {
+ break;
+ }
+ if (objectID == BASIC_CONSTRAINTS_CA)
+ {
+ isCA = object.len && *object.ptr;
+ DBG2(" %s", isCA ? "TRUE" : "FALSE");
+ }
+ objectID++;
+ }
+ return isCA;
+}
+
+/*
+ * extracts an otherName
+ */
+static bool
+parse_otherName(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ int objectID = 0;
+ u_int level;
+ int oid = OID_UNKNOWN;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+
+ while (objectID < ON_OBJ_ROOF)
+ {
+ if (!extract_object(otherNameObjects, &objectID, &object, &level, &ctx))
+ return FALSE;
+
+ switch (objectID)
+ {
+ case ON_OBJ_ID_TYPE:
+ oid = known_oid(object);
+ break;
+ case ON_OBJ_VALUE:
+ if (oid == OID_XMPP_ADDR)
+ {
+ if (!parse_asn1_simple_object(&object, ASN1_UTF8STRING, level + 1, "xmppAddr"))
+ return FALSE;
+ }
+ break;
+ default:
+ break;
+ }
+ objectID++;
+ }
+ return TRUE;
+}
+
+/*
+ * extracts a generalName
+ */
+static identification_t *parse_generalName(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ int objectID = 0;
+ u_int level;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+
+ while (objectID < GN_OBJ_ROOF)
+ {
+ id_type_t id_type = ID_ANY;
+
+ if (!extract_object(generalNameObjects, &objectID, &object, &level, &ctx))
+ return NULL;
+
+ switch (objectID)
+ {
+ case GN_OBJ_RFC822_NAME:
+ id_type = ID_RFC822_ADDR;
+ break;
+ case GN_OBJ_DNS_NAME:
+ id_type = ID_FQDN;
+ break;
+ case GN_OBJ_URI:
+ id_type = ID_DER_ASN1_GN_URI;
+ break;
+ case GN_OBJ_DIRECTORY_NAME:
+ id_type = ID_DER_ASN1_DN;
+ break;
+ case GN_OBJ_IP_ADDRESS:
+ id_type = ID_IPV4_ADDR;
+ break;
+ case GN_OBJ_OTHER_NAME:
+ if (!parse_otherName(object, level + 1))
+ return NULL;
+ break;
+ case GN_OBJ_X400_ADDRESS:
+ case GN_OBJ_EDI_PARTY_NAME:
+ case GN_OBJ_REGISTERED_ID:
+ break;
+ default:
+ break;
+ }
+
+ if (id_type != ID_ANY)
+ {
+ identification_t *gn = identification_create_from_encoding(id_type, object);
+ DBG2(" '%D'", gn);
+ return gn;
+ }
+ objectID++;
+ }
+ return NULL;
+}
+
+
+/**
+ * extracts one or several GNs and puts them into a chained list
+ */
+static void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, implicit, FALSE);
+
+ while (objectID < GENERAL_NAMES_ROOF)
+ {
+ if (!extract_object(generalNamesObjects, &objectID, &object, &level, &ctx))
+ return;
+
+ if (objectID == GENERAL_NAMES_GN)
+ {
+ identification_t *gn = parse_generalName(object, level+1);
+
+ if (gn != NULL)
+ list->insert_last(list, (void *)gn);
+ }
+ objectID++;
+ }
+ return;
+}
+
+/**
+ * extracts and converts a UTCTIME or GENERALIZEDTIME object
+ */
+time_t parse_time(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+
+ while (objectID < TIME_ROOF)
+ {
+ if (!extract_object(timeObjects, &objectID, &object, &level, &ctx))
+ return 0;
+
+ if (objectID == TIME_UTC || objectID == TIME_GENERALIZED)
+ {
+ return asn1totime(&object, (objectID == TIME_UTC)
+ ? ASN1_UTCTIME : ASN1_GENERALIZEDTIME);
+ }
+ objectID++;
+ }
+ return 0;
+}
+
+/**
+ * extracts a keyIdentifier
+ */
+static chunk_t parse_keyIdentifier(chunk_t blob, int level0, bool implicit)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, implicit, FALSE);
+
+ extract_object(keyIdentifierObjects, &objectID, &object, &level, &ctx);
+ return object;
+}
+
+/**
+ * extracts an authoritykeyIdentifier
+ */
+void parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID, chunk_t *authKeySerialNumber)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+ while (objectID < AUTH_KEY_ID_ROOF)
+ {
+ if (!extract_object(authorityKeyIdentifierObjects, &objectID, &object, &level, &ctx))
+ {
+ return;
+ }
+ switch (objectID)
+ {
+ case AUTH_KEY_ID_KEY_ID:
+ *authKeyID = parse_keyIdentifier(object, level+1, TRUE);
+ break;
+ case AUTH_KEY_ID_CERT_ISSUER:
+ {
+ /* TODO: parse_generalNames(object, level+1, TRUE); */
+ break;
+ }
+ case AUTH_KEY_ID_CERT_SERIAL:
+ *authKeySerialNumber = object;
+ break;
+ default:
+ break;
+ }
+ objectID++;
+ }
+}
+
+/**
+ * extracts an authorityInfoAcess location
+ */
+static void parse_authorityInfoAccess(chunk_t blob, int level0, linked_list_t *list)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ u_int accessMethod = OID_UNKNOWN;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+ while (objectID < AUTH_INFO_ACCESS_ROOF)
+ {
+ if (!extract_object(authorityInfoAccessObjects, &objectID, &object, &level, &ctx))
+ {
+ return;
+ }
+ switch (objectID)
+ {
+ case AUTH_INFO_ACCESS_METHOD:
+ accessMethod = known_oid(object);
+ break;
+ case AUTH_INFO_ACCESS_LOCATION:
+ {
+ switch (accessMethod)
+ {
+ case OID_OCSP:
+ if (*object.ptr == ASN1_CONTEXT_S_6)
+ {
+ identification_t *accessLocation;
+
+ if (asn1_length(&object) == ASN1_INVALID_LENGTH)
+ return;
+ DBG2(" '%.*s'",(int)object.len, object.ptr);
+ accessLocation = identification_create_from_encoding(ID_DER_ASN1_GN_URI, object);
+ list->insert_last(list, (void *)accessLocation);
+ }
+ break;
+ default:
+ /* unkown accessMethod, ignoring */
+ break;
+ }
+ break;
+ }
+ default:
+ break;
+ }
+ objectID++;
+ }
+}
+
+/**
+ * extracts extendedKeyUsage OIDs
+ */
+static bool parse_extendedKeyUsage(chunk_t blob, int level0)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+ while (objectID < EXT_KEY_USAGE_ROOF)
+ {
+ if (!extract_object(extendedKeyUsageObjects, &objectID, &object, &level, &ctx))
+ {
+ return FALSE;
+ }
+ if (objectID == EXT_KEY_USAGE_PURPOSE_ID &&
+ known_oid(object) == OID_OCSP_SIGNING)
+ {
+ return TRUE;
+ }
+ objectID++;
+ }
+ return FALSE;
+}
+
+/**
+ * extracts one or several crlDistributionPoints and puts them into
+ * a chained list
+ */
+static void parse_crlDistributionPoints(chunk_t blob, int level0, linked_list_t *list)
+{
+ asn1_ctx_t ctx;
+ chunk_t object;
+ u_int level;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+ while (objectID < CRL_DIST_POINTS_ROOF)
+ {
+ if (!extract_object(crlDistributionPointsObjects, &objectID, &object, &level, &ctx))
+ {
+ return;
+ }
+ if (objectID == CRL_DIST_POINTS_FULLNAME)
+ {
+ /* append extracted generalNames to existing chained list */
+ parse_generalNames(object, level+1, TRUE, list);
+
+ }
+ objectID++;
+ }
+}
+
+
+/**
+ * Parses an X.509v3 certificate
+ */
+static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *cert)
+{
+ asn1_ctx_t ctx;
+ bool critical;
+ chunk_t object;
+ u_int level;
+ u_int extn_oid = OID_UNKNOWN;
+ int objectID = 0;
+
+ asn1_init(&ctx, blob, level0, FALSE, FALSE);
+ while (objectID < X509_OBJ_ROOF)
+ {
+ if (!extract_object(certObjects, &objectID, &object, &level, &ctx))
+ {
+ return FALSE;
+ }
+ /* those objects which will parsed further need the next higher level */
+ level++;
+ switch (objectID) {
+ case X509_OBJ_CERTIFICATE:
+ cert->certificate = object;
+ break;
+ case X509_OBJ_TBS_CERTIFICATE:
+ cert->tbsCertificate = object;
+ break;
+ case X509_OBJ_VERSION:
+ cert->version = (object.len) ? (1+(u_int)*object.ptr) : 1;
+ DBG2(" v%d", cert->version);
+ break;
+ case X509_OBJ_SERIAL_NUMBER:
+ cert->serialNumber = object;
+ break;
+ case X509_OBJ_SIG_ALG:
+ cert->sigAlg = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case X509_OBJ_ISSUER:
+ cert->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
+ DBG2(" '%D'", cert->issuer);
+ break;
+ case X509_OBJ_NOT_BEFORE:
+ cert->notBefore = parse_time(object, level);
+ break;
+ case X509_OBJ_NOT_AFTER:
+ cert->notAfter = parse_time(object, level);
+ break;
+ case X509_OBJ_SUBJECT:
+ cert->subject = identification_create_from_encoding(ID_DER_ASN1_DN, object);
+ DBG2(" '%D'", cert->subject);
+ break;
+ case X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM:
+ if (parse_algorithmIdentifier(object, level, NULL) != OID_RSA_ENCRYPTION)
+ {
+ DBG2(" unsupported public key algorithm");
+ return FALSE;
+ }
+ break;
+ case X509_OBJ_SUBJECT_PUBLIC_KEY:
+ if (ctx.blobs[4].len > 0 && *ctx.blobs[4].ptr == 0x00)
+ {
+ /* skip initial bit string octet defining 0 unused bits */
+ ctx.blobs[4].ptr++; ctx.blobs[4].len--;
+ }
+ else
+ {
+ DBG2(" invalid RSA public key format");
+ return FALSE;
+ }
+ break;
+ case X509_OBJ_RSA_PUBLIC_KEY:
+ cert->subjectPublicKey = object;
+ break;
+ case X509_OBJ_EXTN_ID:
+ extn_oid = known_oid(object);
+ break;
+ case X509_OBJ_CRITICAL:
+ critical = object.len && *object.ptr;
+ DBG2(" %s", critical ? "TRUE" : "FALSE");
+ break;
+ case X509_OBJ_EXTN_VALUE:
+ {
+ switch (extn_oid) {
+ case OID_SUBJECT_KEY_ID:
+ cert->subjectKeyID = chunk_clone(parse_keyIdentifier(object, level, FALSE));
+ break;
+ case OID_SUBJECT_ALT_NAME:
+ parse_generalNames(object, level, FALSE, cert->subjectAltNames);
+ break;
+ case OID_BASIC_CONSTRAINTS:
+ cert->isCA = parse_basicConstraints(object, level);
+ break;
+ case OID_CRL_DISTRIBUTION_POINTS:
+ parse_crlDistributionPoints(object, level, cert->crlDistributionPoints);
+ break;
+ case OID_AUTHORITY_KEY_ID:
+ parse_authorityKeyIdentifier(object, level , &cert->authKeyID, &cert->authKeySerialNumber);
+ break;
+ case OID_AUTHORITY_INFO_ACCESS:
+ parse_authorityInfoAccess(object, level, cert->ocspAccessLocations);
+ break;
+ case OID_EXTENDED_KEY_USAGE:
+ cert->isOcspSigner = parse_extendedKeyUsage(object, level);
+ break;
+ case OID_NS_REVOCATION_URL:
+ case OID_NS_CA_REVOCATION_URL:
+ case OID_NS_CA_POLICY_URL:
+ case OID_NS_COMMENT:
+ if (!parse_asn1_simple_object(&object, ASN1_IA5STRING , level, oid_names[extn_oid].name))
+ return FALSE;
+ break;
+ default:
+ break;
+ }
+ break;
+ }
+ case X509_OBJ_ALGORITHM:
+ cert->algorithm = parse_algorithmIdentifier(object, level, NULL);
+ break;
+ case X509_OBJ_SIGNATURE:
+ cert->signature = object;
+ break;
+ default:
+ break;
+ }
+ objectID++;
+ }
+
+ if (cert->subjectKeyID.ptr == NULL)
+ {
+ hasher_t *hasher = hasher_create(HASH_SHA1);
+
+ hasher->allocate_hash(hasher, cert->subjectPublicKey, &cert->subjectKeyID);
+ hasher->destroy(hasher);
+ }
+
+ time(&cert->installed);
+ return TRUE;
+}
+
+/**
+ * Implements x509_t.is_valid
+ */
+static err_t is_valid(const private_x509_t *this, time_t *until)
+{
+ time_t current_time = time(NULL);
+
+ DBG2(" not before : %T", &this->notBefore);
+ DBG2(" current time: %T", &current_time);
+ DBG2(" not after : %T", &this->notAfter);
+
+ if (until != NULL &&
+ (*until == UNDEFINED_TIME || this->notAfter < *until))
+ {
+ *until = this->notAfter;
+ }
+ if (current_time < this->notBefore)
+ {
+ return "is not valid yet";
+ }
+ if (current_time > this->notAfter)
+ {
+ return "has expired";
+ }
+ DBG2(" certificate is valid");
+ return NULL;
+}
+
+/**
+ * Implements x509_t.is_ca
+ */
+static bool is_ca(const private_x509_t *this)
+{
+ return this->isCA;
+}
+
+/**
+ * Implements x509_t.is_ocsp_signer
+ */
+static bool is_ocsp_signer(const private_x509_t *this)
+{
+ return this->isOcspSigner;
+}
+
+/**
+ * Implements x509_t.is_self_signed
+ */
+static bool is_self_signed(const private_x509_t *this)
+{
+ return this->subject->equals(this->subject, this->issuer);
+}
+
+/**
+ * Implements x509_t.equals_subjectAltName
+ */
+static bool equals_subjectAltName(const private_x509_t *this, identification_t *id)
+{
+ bool found = FALSE;
+ identification_t *subjectAltName;
+ iterator_t *iterator;
+
+ iterator = this->subjectAltNames->create_iterator(this->subjectAltNames, TRUE);
+ while (iterator->iterate(iterator, (void**)&subjectAltName))
+ {
+ if (id->equals(id, subjectAltName))
+ {
+ found = TRUE;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * Implements x509_t.is_issuer
+ */
+static bool is_issuer(const private_x509_t *this, const private_x509_t *issuer)
+{
+ return (this->authKeyID.ptr)
+ ? chunk_equals(this->authKeyID, issuer->subjectKeyID)
+ : (this->issuer->equals(this->issuer, issuer->subject)
+ && chunk_equals_or_null(this->authKeySerialNumber, issuer->serialNumber));
+}
+
+/**
+ * Implements x509_t.get_certificate
+ */
+static chunk_t get_certificate(const private_x509_t *this)
+{
+ return this->certificate;
+}
+
+/**
+ * Implements x509_t.get_public_key
+ */
+static rsa_public_key_t *get_public_key(const private_x509_t *this)
+{
+ return this->public_key;
+}
+
+/**
+ * Implements x509_t.get_serialNumber
+ */
+static chunk_t get_serialNumber(const private_x509_t *this)
+{
+ return this->serialNumber;
+}
+
+/**
+ * Implements x509_t.get_subjectKeyID
+ */
+static chunk_t get_subjectKeyID(const private_x509_t *this)
+{
+ return this->subjectKeyID;
+}
+
+/**
+ * Implements x509_t.get_keyid
+ */
+static chunk_t get_keyid(const private_x509_t *this)
+{
+ return this->public_key->get_keyid(this->public_key);
+}
+
+/**
+ * Implements x509_t.get_issuer
+ */
+static identification_t *get_issuer(const private_x509_t *this)
+{
+ return this->issuer;
+}
+
+/**
+ * Implements x509_t.get_subject
+ */
+static identification_t *get_subject(const private_x509_t *this)
+{
+ return this->subject;
+}
+
+/**
+ * Implements x509_t.set_until
+ */
+static void set_until(private_x509_t *this, time_t until)
+{
+ this->until = until;
+}
+
+/**
+ * Implements x509_t.get_until
+ */
+static time_t get_until(const private_x509_t *this)
+{
+ return this->until;
+}
+
+/**
+ * Implements x509_t.set_status
+ */
+static void set_status(private_x509_t *this, cert_status_t status)
+{
+ this->status = status;
+}
+
+/**
+ * Implements x509_t.get_status
+ */
+static cert_status_t get_status(const private_x509_t *this)
+{
+ return this->status;
+}
+
+/**
+ * Implements x509_t.add_authority_flags
+ */
+static void add_authority_flags(private_x509_t *this, u_int flags)
+{
+ this->authority_flags |= flags;
+}
+
+/**
+ * Implements x509_t.add_authority_flags
+ */
+static u_int get_authority_flags(private_x509_t *this)
+{
+ return this->authority_flags;
+}
+
+/**
+ * Implements x509_t.has_authority_flag
+ */
+static bool has_authority_flag(private_x509_t *this, u_int flags)
+{
+ return (this->authority_flags & flags) != AUTH_NONE;
+}
+
+/**
+ * Implements x509_t.create_crluri_iterator
+ */
+static iterator_t *create_crluri_iterator(const private_x509_t *this)
+{
+ return this->crlDistributionPoints->create_iterator(this->crlDistributionPoints, TRUE);
+}
+
+/**
+ * Implements x509_t.create_crluri_iterator
+ */
+static iterator_t *create_ocspuri_iterator(const private_x509_t *this)
+{
+ return this->ocspAccessLocations->create_iterator(this->ocspAccessLocations, TRUE);
+}
+
+/**
+ * Implements x509_t.verify
+ */
+static bool verify(const private_x509_t *this, const rsa_public_key_t *signer)
+{
+ return signer->verify_emsa_pkcs1_signature(signer, this->tbsCertificate, this->signature) == SUCCESS;
+}
+
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ private_x509_t *this = *((private_x509_t**)(args[0]));
+ iterator_t *iterator;
+ bool utc = TRUE;
+ int written = 0;
+
+ if (info->alt)
+ {
+ utc = *((bool*)(args[1]));
+ }
+
+ if (this == NULL)
+ {
+ return fprintf(stream, "(null)");
+ }
+
+ /* determine the current time */
+ time_t now = time(NULL);
+
+ written += fprintf(stream, "%#T\n", &this->installed, utc);
+
+ if (this->subjectAltNames->get_count(this->subjectAltNames))
+ {
+ identification_t *subjectAltName;
+ bool first = TRUE;
+
+ written += fprintf(stream, " altNames: ");
+ iterator = this->subjectAltNames->create_iterator(this->subjectAltNames, TRUE);
+ while (iterator->iterate(iterator, (void**)&subjectAltName))
+ {
+ if (first)
+ {
+ first = FALSE;
+ }
+ else
+ {
+ written += fprintf(stream, ", ");
+ }
+ written += fprintf(stream, "'%D'", subjectAltName);
+ }
+ iterator->destroy(iterator);
+ written += fprintf(stream, "\n");
+ }
+ written += fprintf(stream, " subject: '%D'\n", this->subject);
+ written += fprintf(stream, " issuer: '%D'\n", this->issuer);
+ written += fprintf(stream, " serial: %#B\n", &this->serialNumber);
+ written += fprintf(stream, " validity: not before %#T, ", &this->notBefore, utc);
+ if (now < this->notBefore)
+ {
+ written += fprintf(stream, "not valid yet (valid in %V)\n", &now, &this->notBefore);
+ }
+ else
+ {
+ written += fprintf(stream, "ok\n");
+ }
+
+ written += fprintf(stream, " not after %#T, ", &this->notAfter, utc);
+ if (now > this->notAfter)
+ {
+ written += fprintf(stream, "expired (%V ago)\n", &now, &this->notAfter);
+ }
+ else
+ {
+ written += fprintf(stream, "ok");
+ if (now > this->notAfter - CERT_WARNING_INTERVAL * 60 * 60 * 24)
+ {
+ written += fprintf(stream, " (expires in %V)", &now, &this->notAfter);
+ }
+ written += fprintf(stream, " \n");
+ }
+
+ {
+ chunk_t keyid = this->public_key->get_keyid(this->public_key);
+ written += fprintf(stream, " keyid: %#B\n", &keyid);
+ }
+
+ if (this->subjectKeyID.ptr)
+ {
+ written += fprintf(stream, " subjkey: %#B\n", &this->subjectKeyID);
+ }
+ if (this->authKeyID.ptr)
+ {
+ written += fprintf(stream, " authkey: %#B\n", &this->authKeyID);
+ }
+ if (this->authKeySerialNumber.ptr)
+ {
+ written += fprintf(stream, " aserial: %#B\n", &this->authKeySerialNumber);
+ }
+
+ written += fprintf(stream, " pubkey: RSA %d bits", BITS_PER_BYTE *
+ this->public_key->get_keysize(this->public_key));
+ written += fprintf(stream, ", status %N",
+ cert_status_names, this->status);
+
+ switch (this->status)
+ {
+ case CERT_GOOD:
+ written += fprintf(stream, " until %#T", &this->until, utc);
+ break;
+ case CERT_REVOKED:
+ written += fprintf(stream, " on %#T", &this->until, utc);
+ break;
+ case CERT_UNKNOWN:
+ case CERT_UNDEFINED:
+ case CERT_UNTRUSTED:
+ default:
+ break;
+ }
+ return written;
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(PRINTF_X509, print, arginfo_ptr_alt_ptr_int);
+}
+
+/**
+ * Implements x509_t.destroy
+ */
+static void destroy(private_x509_t *this)
+{
+ this->subjectAltNames->destroy_offset(this->subjectAltNames,
+ offsetof(identification_t, destroy));
+ this->crlDistributionPoints->destroy_offset(this->crlDistributionPoints,
+ offsetof(identification_t, destroy));
+ this->ocspAccessLocations->destroy_offset(this->ocspAccessLocations,
+ offsetof(identification_t, destroy));
+ DESTROY_IF(this->issuer);
+ DESTROY_IF(this->subject);
+ DESTROY_IF(this->public_key);
+ free(this->subjectKeyID.ptr);
+ free(this->certificate.ptr);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+x509_t *x509_create_from_chunk(chunk_t chunk, u_int level)
+{
+ private_x509_t *this = malloc_thing(private_x509_t);
+
+ /* initialize */
+ this->subjectPublicKey = chunk_empty;
+ this->public_key = NULL;
+ this->subject = NULL;
+ this->issuer = NULL;
+ this->subjectAltNames = linked_list_create();
+ this->crlDistributionPoints = linked_list_create();
+ this->ocspAccessLocations = linked_list_create();
+ this->subjectKeyID = chunk_empty;
+ this->authKeyID = chunk_empty;
+ this->authKeySerialNumber = chunk_empty;
+ this->authority_flags = AUTH_NONE;
+
+ /* public functions */
+ this->public.equals = (bool (*) (const x509_t*,const x509_t*))equals;
+ this->public.equals_subjectAltName = (bool (*) (const x509_t*,identification_t*))equals_subjectAltName;
+ this->public.is_issuer = (bool (*) (const x509_t*,const x509_t*))is_issuer;
+ this->public.is_valid = (err_t (*) (const x509_t*,time_t*))is_valid;
+ this->public.is_ca = (bool (*) (const x509_t*))is_ca;
+ this->public.is_self_signed = (bool (*) (const x509_t*))is_self_signed;
+ this->public.is_ocsp_signer = (bool (*) (const x509_t*))is_ocsp_signer;
+ this->public.get_certificate = (chunk_t (*) (const x509_t*))get_certificate;
+ this->public.get_public_key = (rsa_public_key_t* (*) (const x509_t*))get_public_key;
+ this->public.get_serialNumber = (chunk_t (*) (const x509_t*))get_serialNumber;
+ this->public.get_subjectKeyID = (chunk_t (*) (const x509_t*))get_subjectKeyID;
+ this->public.get_keyid = (chunk_t (*) (const x509_t*))get_keyid;
+ this->public.get_issuer = (identification_t* (*) (const x509_t*))get_issuer;
+ this->public.get_subject = (identification_t* (*) (const x509_t*))get_subject;
+ this->public.set_until = (void (*) (x509_t*,time_t))set_until;
+ this->public.get_until = (time_t (*) (const x509_t*))get_until;
+ this->public.set_status = (void (*) (x509_t*,cert_status_t))set_status;
+ this->public.get_status = (cert_status_t (*) (const x509_t*))get_status;
+ this->public.add_authority_flags = (void (*) (x509_t*,u_int))add_authority_flags;
+ this->public.get_authority_flags = (u_int (*) (x509_t*))get_authority_flags;
+ this->public.has_authority_flag = (bool (*) (x509_t*,u_int))has_authority_flag;
+ this->public.create_crluri_iterator = (iterator_t* (*) (const x509_t*))create_crluri_iterator;
+ this->public.create_ocspuri_iterator = (iterator_t* (*) (const x509_t*))create_ocspuri_iterator;
+ this->public.verify = (bool (*) (const x509_t*,const rsa_public_key_t*))verify;
+ this->public.destroy = (void (*) (x509_t*))destroy;
+
+ if (!parse_certificate(chunk, level, this))
+ {
+ destroy(this);
+ return NULL;
+ }
+
+ /* extract public key from certificate */
+ this->public_key = rsa_public_key_create_from_chunk(this->subjectPublicKey);
+ if (this->public_key == NULL)
+ {
+ destroy(this);
+ return NULL;
+ }
+ /* set trusted lifetime of public key to notAfter */
+ this->status = is_self_signed(this)? CERT_GOOD:CERT_UNDEFINED;
+ this->until = this->notAfter;
+ return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+x509_t *x509_create_from_file(const char *filename, const char *label)
+{
+ bool pgp = FALSE;
+ chunk_t chunk = chunk_empty;
+ x509_t *cert = NULL;
+ char cert_label[BUF_LEN];
+
+ snprintf(cert_label, BUF_LEN, "%s certificate", label);
+
+ if (!pem_asn1_load_file(filename, NULL, cert_label, &chunk, &pgp))
+ return NULL;
+
+ cert = x509_create_from_chunk(chunk, 0);
+
+ if (cert == NULL)
+ free(chunk.ptr);
+ return cert;
+}
diff --git a/src/libstrongswan/crypto/x509.h b/src/libstrongswan/crypto/x509.h
new file mode 100755
index 000000000..a949d99d2
--- /dev/null
+++ b/src/libstrongswan/crypto/x509.h
@@ -0,0 +1,290 @@
+/**
+ * @file x509.h
+ *
+ * @brief Interface of x509_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi, Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef X509_H_
+#define X509_H_
+
+typedef struct x509_t x509_t;
+
+#include <library.h>
+#include <crypto/rsa/rsa_public_key.h>
+#include <crypto/certinfo.h>
+#include <utils/identification.h>
+#include <utils/iterator.h>
+
+/* authority flags */
+
+#define AUTH_NONE 0x00 /* no authorities */
+#define AUTH_CA 0x01 /* certification authority */
+#define AUTH_AA 0x02 /* authorization authority */
+#define AUTH_OCSP 0x04 /* ocsp signing authority */
+
+/**
+ * @brief X.509 certificate.
+ *
+ * @b Constructors:
+ * - x509_create_from_chunk()
+ * - x509_create_from_file()
+ *
+ * @todo more code cleanup needed!
+ * @todo fix unimplemented functions...
+ * @todo handle memory management
+ *
+ * @ingroup transforms
+ */
+struct x509_t {
+
+ /**
+ * @brief Set trusted public key life.
+ *
+ * @param this calling object
+ * @param until time until public key is trusted
+ */
+ void (*set_until) (x509_t *this, time_t until);
+
+ /**
+ * @brief Get trusted public key life.
+ *
+ * @param this calling object
+ * @return time until public key is trusted
+ */
+ time_t (*get_until) (const x509_t *this);
+
+ /**
+ * @brief Set the certificate status
+ *
+ * @param this calling object
+ * @param status certificate status
+ */
+ void (*set_status) (x509_t *this, cert_status_t status);
+
+ /**
+ * @brief Get the certificate status
+ *
+ * @param this calling object
+ * @return certificate status
+ */
+ cert_status_t (*get_status) (const x509_t *this);
+
+ /**
+ * @brief Add authority flags
+ *
+ * @param this calling object
+ * @param flag flags to be added
+ */
+ void (*add_authority_flags) (x509_t *this, u_int flags);
+
+ /**
+ * @brief Get authority flags
+ *
+ * @param this calling object
+ * @return authority flags
+ */
+ u_int (*get_authority_flags) (x509_t *this);
+
+ /**
+ * @brief Check a specific authority flag
+ *
+ * @param this calling object
+ * @param flag flag to be checked
+ * @return TRUE if flag is present
+ */
+ bool (*has_authority_flag) (x509_t *this, u_int flag);
+
+ /**
+ * @brief Get the DER-encoded X.509 certificate body
+ *
+ * @param this calling object
+ * @return DER-encoded X.509 certificate
+ */
+ chunk_t (*get_certificate) (const x509_t *this);
+
+ /**
+ * @brief Get the RSA public key from the certificate.
+ *
+ * @param this calling object
+ * @return public_key
+ */
+ rsa_public_key_t *(*get_public_key) (const x509_t *this);
+
+ /**
+ * @brief Get serial number from the certificate.
+ *
+ * @param this calling object
+ * @return serialNumber
+ */
+ chunk_t (*get_serialNumber) (const x509_t *this);
+
+ /**
+ * @brief Get subjectKeyID from the certificate.
+ *
+ * @param this calling object
+ * @return subjectKeyID
+ */
+ chunk_t (*get_subjectKeyID) (const x509_t *this);
+
+ /**
+ * @brief Get keyid from the certificate's public key.
+ *
+ * @param this calling object
+ * @return keyid
+ */
+ chunk_t (*get_keyid) (const x509_t *this);
+
+ /**
+ * @brief Get the certificate issuer's ID.
+ *
+ * The resulting ID is always a identification_t
+ * of type ID_DER_ASN1_DN.
+ *
+ * @param this calling object
+ * @return issuers ID
+ */
+ identification_t *(*get_issuer) (const x509_t *this);
+
+ /**
+ * @brief Get the subjectDistinguisheName.
+ *
+ * The resulting ID is always a identification_t
+ * of type ID_DER_ASN1_DN.
+ *
+ * @param this calling object
+ * @return subjects ID
+ */
+ identification_t *(*get_subject) (const x509_t *this);
+
+ /**
+ * @brief Create an iterator for the crlDistributionPoints.
+ *
+ * @param this calling object
+ * @return iterator for crlDistributionPoints
+ */
+ iterator_t *(*create_crluri_iterator) (const x509_t *this);
+
+ /**
+ * @brief Create an iterator for the ocspAccessLocations.
+ *
+ * @param this calling object
+ * @return iterator for ocspAccessLocations
+ */
+ iterator_t *(*create_ocspuri_iterator) (const x509_t *this);
+
+ /**
+ * @brief Check if a certificate is trustworthy
+ *
+ * @param this calling object
+ * @param signer signer's RSA public key
+ */
+ bool (*verify) (const x509_t *this, const rsa_public_key_t *signer);
+
+ /**
+ * @brief Compare two certificates.
+ *
+ * Comparison is done via the certificates signature.
+ *
+ * @param this first cert for compare
+ * @param other second cert for compare
+ * @return TRUE if signature is equal
+ */
+ bool (*equals) (const x509_t *this, const x509_t *that);
+
+ /**
+ * @brief Checks if the certificate contains a subjectAltName equal to id.
+ *
+ * @param this certificate being examined
+ * @param id id which is being compared to the subjectAltNames
+ * @return TRUE if a match is found
+ */
+ bool (*equals_subjectAltName) (const x509_t *this, identification_t *id);
+
+ /**
+ * @brief Checks if the subject of the other cert is the issuer of this cert.
+ *
+ * @param this certificate
+ * @param issuer potential issuer certificate
+ * @return TRUE if issuer is found
+ */
+ bool (*is_issuer) (const x509_t *this, const x509_t *issuer);
+
+ /**
+ * @brief Checks the validity interval of the certificate
+ *
+ * @param this certificate being examined
+ * @param until until = min(until, notAfter)
+ * @return NULL if the certificate is valid
+ */
+ err_t (*is_valid) (const x509_t *this, time_t *until);
+
+ /**
+ * @brief Returns the CA basic constraints flag
+ *
+ * @param this certificate being examined
+ * @return TRUE if the CA flag is set
+ */
+ bool (*is_ca) (const x509_t *this);
+
+ /**
+ * @brief Returns the OCSPSigner extended key usage flag
+ *
+ * @param this certificate being examined
+ * @return TRUE if the OCSPSigner flag is set
+ */
+ bool (*is_ocsp_signer) (const x509_t *this);
+
+ /**
+ * @brief Checks if the certificate is self-signed (subject equals issuer)
+ *
+ * @param this certificate being examined
+ * @return TRUE if self-signed
+ */
+ bool (*is_self_signed) (const x509_t *this);
+
+ /**
+ * @brief Destroys the certificate.
+ *
+ * @param this certificate to destroy
+ */
+ void (*destroy) (x509_t *this);
+};
+
+/**
+ * @brief Read a x509 certificate from a DER encoded blob.
+ *
+ * @param chunk chunk containing DER encoded data
+ * @return created x509_t certificate, or NULL if invlid.
+ *
+ * @ingroup transforms
+ */
+x509_t *x509_create_from_chunk(chunk_t chunk, u_int level);
+
+/**
+ * @brief Read a x509 certificate from a DER encoded file.
+ *
+ * @param filename file containing DER encoded data
+ * @param label label describing kind of certificate
+ * @return created x509_t certificate, or NULL if invalid.
+ *
+ * @ingroup transforms
+ */
+x509_t *x509_create_from_file(const char *filename, const char *label);
+
+#endif /* X509_H_ */
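Review bot: The doc comment on `verify` reads "Check if a certificate is trustworthy", which overstates what the member does, and it has no `@return`. The implementation in x509.c of this commit only checks the RSA signature over `tbsCertificate` against the signer's key. I would reword it to `@brief Verify the certificate signature with the signer's RSA public key` and add `@return TRUE if the signature is valid`, plus a sentence saying that validity period, CA flag and revocation status are checked separately through `is_valid`, `is_ca` and `get_status`. The `x509_create_from_chunk` comment also omits `@param level` and does not say who owns `chunk` afterwards. Since `destroy()` frees `certificate.ptr`, ownership appears to pass to the object, and that should be documented for the NULL-return path as well.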
diff --git a/src/libstrongswan/debug.c b/src/libstrongswan/debug.c
new file mode 100644
index 000000000..996cae502
--- /dev/null
+++ b/src/libstrongswan/debug.c
@@ -0,0 +1,41 @@
+/**
+ * @file library.c
+ *
+ * @brief Logging functions for the library.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdarg.h>
+#include <stdio.h>
+
+#include "debug.h"
+
+/**
+ * default dbg function which printf all to stderr
+ */
+static void dbg_stderr(int level, char *fmt, ...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ vfprintf(stderr, fmt, args);
+ fprintf(stderr, "\n");
+ va_end(args);
+}
+
+void (*dbg) (int level, char *fmt, ...) = dbg_stderr;
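Review bot: `dbg_stderr` never reads its `level` argument, so the default hook writes every DBG1–DBG4 message to stderr, and the comment above it does not say so. I would document it as `default dbg hook: prints every message to stderr regardless of level; install another function through dbg to filter`. The file header names the wrong file: `@file library.c` should be `@file debug.c`. Because debug.h defaults `DEBUG_LEVEL` to 4, it is worth confirming that no DBG3/DBG4 call site logs key material before this default is used in a long-running daemon; the call sites are outside this hunk, so this is a check to make rather than a finding.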
diff --git a/src/libstrongswan/debug.h b/src/libstrongswan/debug.h
new file mode 100644
index 000000000..c424a1c11
--- /dev/null
+++ b/src/libstrongswan/debug.h
@@ -0,0 +1,60 @@
+/**
+ * @file log.h
+ *
+ * @brief Logging functions for the library.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef DEBUG_H_
+#define DEBUG_H_
+
+#ifndef DEBUG_LEVEL
+# define DEBUG_LEVEL 4
+#endif /* DEBUG_LEVEL */
+
+/** debug macros, they call the dbg function hook */
+#if DEBUG_LEVEL >= 1
+# define DBG1(fmt, ...) dbg(1, fmt, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL */
+#if DEBUG_LEVEL >= 2
+# define DBG2(fmt, ...) dbg(2, fmt, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL */
+#if DEBUG_LEVEL >= 3
+# define DBG3(fmt, ...) dbg(3, fmt, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL */
+#if DEBUG_LEVEL >= 4
+# define DBG4(fmt, ...) dbg(4, fmt, ##__VA_ARGS__)
+#endif /* DEBUG_LEVEL */
+
+#ifndef DBG1
+# define DBG1(...) {}
+#endif
+#ifndef DBG2
+# define DBG2(...) {}
+#endif
+#ifndef DBG3
+# define DBG3(...) {}
+#endif
+#ifndef DBG4
+# define DBG4(...) {}
+#endif
+
+/** dbg function hook, uses stderr logger by default */
+extern void (*dbg) (int level, char *fmt, ...);
+
+#endif /* DEBUG_H_ */
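Review bot: The disabled-level fallbacks `# define DBG1(...) {}` (and the same for DBG2–DBG4) expand to a bare brace block, so `if (x) DBG1("..."); else ...` turns into `{};` followed by `else` and stops compiling once the build lowers `DEBUG_LEVEL`. Use the statement-safe form `# define DBG1(...) do {} while (0)` for all four macros. The header comment says `@file log.h` and should read `@file debug.h`.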
diff --git a/src/libstrongswan/enum.c b/src/libstrongswan/enum.c
new file mode 100644
index 000000000..ade7c16a1
--- /dev/null
+++ b/src/libstrongswan/enum.c
@@ -0,0 +1,73 @@
+/**
+ * @file library.c
+ *
+ * @brief enum value to string conversion functions.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+#include <stdio.h>
+
+#include "enum.h"
+
+#include <printf_hook.h>
+
+/**
+ * get the name of an enum value in a enum_name_t list
+ */
+static char *enum_name(enum_name_t *e, int val)
+{
+ do
+ {
+ if (val >= e->first && val <= e->last)
+ {
+ return e->names[val - e->first];
+ }
+ }
+ while ((e = e->next));
+ return NULL;
+}
+
+/**
+ * output handler in printf() for enum names
+ */
+static int print_enum(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ enum_name_t *ed = *((enum_name_t**)(args[0]));
+ int val = *((int*)(args[1]));
+
+ char *name = enum_name(ed, val);
+
+ if (name == NULL)
+ {
+ return fprintf(stream, "(%d)", val);
+ }
+ else
+ {
+ return fprintf(stream, "%s", name);
+ }
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(PRINTF_ENUM, print_enum, arginfo_ptr_int);
+}
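Review bot: `enum_name` dereferences `e` inside `do { ... } while ((e = e->next));` before ever testing it, so a NULL `enum_name_t*` passed for `%N` crashes inside the printf hook instead of reaching the numeric fallback. A pre-tested loop, `for (; e != NULL; e = e->next)`, behaves the same for valid lists and lets `print_enum` print `"(%d)"` for a NULL list. The lookup `e->names[val - e->first]` also relies on `first`/`last` matching the number of strings in `names`; that invariant comes from the ENUM macros in enum.h and deserves a one-line comment here. The file header says `@file library.c` and should be `@file enum.c`.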
diff --git a/src/libstrongswan/enum.h b/src/libstrongswan/enum.h
new file mode 100644
index 000000000..cd06e424b
--- /dev/null
+++ b/src/libstrongswan/enum.h
@@ -0,0 +1,106 @@
+/**
+ * @file enum.h
+ *
+ * @brief enum value to string conversion functions.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef ENUM_H_
+#define ENUM_H_
+
+typedef struct enum_name_t enum_name_t;
+
+/**
+ * @brief Struct to store names for enums.
+ *
+ * To print the string representation of enumeration values, the strings
+ * are stored in these structures. Every enum_name contains a range
+ * of strings, multiple ranges are linked together.
+ * Use the convenience macros to define these linked ranges.
+ *
+ * For a single range, use:
+ * ENUM(name, first, last, string1, string2, ...)
+ *
+ * For multiple linked ranges, use:
+ * ENUM_BEGIN(name, first, last, string1, string2, ...)
+ * ENUM_NEXT(name, first, last, last_from_previous, string3, ...)
+ * ENUM_NEXT(name, first, last, last_from_previous, string4, ...)
+ * ENUM_END(name, last_from_previous)
+ *
+ * The ENUM and the ENUM_END define a enum_name_t pointer with the name supplied
+ * in "name".
+ *
+ * Resolving of enum names is done using a printf hook. A printf fromat
+ * character %N is replaced by the enum string. Printf needs two arguments to
+ * resolve a %N, the enum_name_t* (the defined name in ENUM_BEGIN) followed
+ * by the numerical enum value.
+ */
+struct enum_name_t {
+ /** value of the first enum string */
+ int first;
+ /** value of the last enum string */
+ int last;
+ /** next enum_name_t in list */
+ enum_name_t *next;
+ /** array of strings containing names from first to last */
+ char *names[];
+};
+
+/**
+ * @brief Begin a new enum_name list.
+ *
+ * @param name name of the enum_name list
+ * @param first enum value of the first enum string
+ * @param last enum value of the last enum string
+ * @param ... a list of strings
+ */
+#define ENUM_BEGIN(name, first, last, ...) static enum_name_t name##last = {first, last, NULL, { __VA_ARGS__ }}
+
+/**
+ * @brief Continue a enum name list startetd with ENUM_BEGIN.
+ *
+ * @param name name of the enum_name list
+ * @param first enum value of the first enum string
+ * @param last enum value of the last enum string
+ * @param prev enum value of the "last" defined in ENUM_BEGIN/previous ENUM_NEXT
+ * @param ... a list of strings
+ */
+#define ENUM_NEXT(name, first, last, prev, ...) static enum_name_t name##last = {first, last, &name##prev, { __VA_ARGS__ }}
+
+/**
+ * @brief Complete enum name list started with ENUM_BEGIN.
+ *
+ * @param name name of the enum_name list
+ * @param prev enum value of the "last" defined in ENUM_BEGIN/previous ENUM_NEXT
+ */
+#define ENUM_END(name, prev) enum_name_t *name = &name##prev;
+
+/**
+ * @brief Define a enum name with only one range.
+ *
+ * This is a convenience macro to use when a enum_name list contains only
+ * one range, and is equal as defining ENUM_BEGIN followed by ENUM_END.
+ *
+ * @param name name of the enum_name list
+ * @param first enum value of the first enum string
+ * @param last enum value of the last enum string
+ * @param ... a list of strings
+ */
+#define ENUM(name, first, last, ...) ENUM_BEGIN(name, first, last, __VA_ARGS__); ENUM_END(name, last)
+
+#endif /* ENUM_H_ */
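Review bot: The ENUM_BEGIN and ENUM_NEXT comments never state that the string list must contain exactly last - first + 1 entries, yet enum_name() in enum.c indexes `names[val - e->first]` with no bounds check, so a short list turns a log statement into an out-of-bounds read. I would add to both macro comments: `the number of strings must equal last - first + 1; names[] is indexed without a bounds check`. ENUM_END also carries its own trailing `;` while ENUM_BEGIN and ENUM_NEXT do not, so `ENUM(...);` leaves an empty declaration at file scope. Dropping the semicolon from the ENUM_END body would make the four macros consistent.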
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
new file mode 100644
index 000000000..9f96d119c
--- /dev/null
+++ b/src/libstrongswan/library.c
@@ -0,0 +1,184 @@
+/**
+ * @file library.c
+ *
+ * @brief Helper functions and definitions.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <time.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <pthread.h>
+
+#include "library.h"
+
+#include <printf_hook.h>
+
+ENUM(status_names, SUCCESS, DESTROY_ME,
+ "SUCCESS",
+ "FAILED",
+ "OUT_OF_RES",
+ "ALREADY_DONE",
+ "NOT_SUPPORTED",
+ "INVALID_ARG",
+ "NOT_FOUND",
+ "PARSE_ERROR",
+ "VERIFY_ERROR",
+ "INVALID_STATE",
+ "DESTROY_ME",
+ "NEED_MORE",
+);
+
+/**
+ * Described in header.
+ */
+void *clalloc(void * pointer, size_t size)
+{
+ void *data;
+ data = malloc(size);
+
+ memcpy(data, pointer,size);
+
+ return (data);
+}
+
+/**
+ * Described in header.
+ */
+void memxor(u_int8_t dest[], u_int8_t src[], size_t n)
+{
+ size_t i;
+ for (i = 0; i < n; i++)
+ {
+ dest[i] ^= src[i];
+ }
+}
+
+/**
+ * We use a single mutex for all refcount variables. This
+ * is not optimal for performance, but the critical section
+ * is not that long...
+ * TODO: Consider to include a mutex in each refcount_t variable.
+ */
+static pthread_mutex_t ref_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/**
+ * Described in header.
+ *
+ * TODO: May be implemented with atomic CPU instructions
+ * instead of a mutex.
+ */
+void ref_get(refcount_t *ref)
+{
+ pthread_mutex_lock(&ref_mutex);
+ (*ref)++;
+ pthread_mutex_unlock(&ref_mutex);
+}
+
+/**
+ * Described in header.
+ *
+ * TODO: May be implemented with atomic CPU instructions
+ * instead of a mutex.
+ */
+bool ref_put(refcount_t *ref)
+{
+ bool more_refs;
+
+ pthread_mutex_lock(&ref_mutex);
+ more_refs = --(*ref);
+ pthread_mutex_unlock(&ref_mutex);
+ return !more_refs;
+}
+
+/**
+ * output handler in printf() for time_t
+ */
+static int print_time(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ static const char* months[] = {
+ "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+ "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
+ };
+ time_t *time = *((time_t**)(args[0]));
+ bool utc = TRUE;
+ struct tm t;
+
+ if (info->alt)
+ {
+ utc = *((bool*)(args[1]));
+ }
+ if (time == UNDEFINED_TIME)
+ {
+ return fprintf(stream, "--- -- --:--:--%s----",
+ info->alt ? " UTC " : " ");
+ }
+ if (utc)
+ {
+ gmtime_r(time, &t);
+ }
+ else
+ {
+ localtime_r(time, &t);
+ }
+ return fprintf(stream, "%s %02d %02d:%02d:%02d%s%04d",
+ months[t.tm_mon], t.tm_mday, t.tm_hour, t.tm_min,
+ t.tm_sec, utc ? " UTC " : " ", t.tm_year + 1900);
+}
+
+/**
+ * output handler in printf() for time deltas
+ */
+static int print_time_delta(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ time_t *start = *((time_t**)(args[0]));
+ time_t *end = *((time_t**)(args[1]));
+ u_int delta = abs(*end - *start);
+
+ char* unit = "second";
+
+ if (delta > 2 * 60 * 60 * 24)
+ {
+ delta /= 60 * 60 * 24;
+ unit = "day";
+ }
+ else if (delta > 2 * 60 * 60)
+ {
+ delta /= 60 * 60;
+ unit = "hour";
+ }
+ else if (delta > 2 * 60)
+ {
+ delta /= 60;
+ unit = "minute";
+ }
+ return fprintf(stream, "%d %s%s", delta, unit, (delta == 1)? "":"s");
+}
+
+/**
+ * register printf() handlers for time_t
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(PRINTF_TIME, print_time, arginfo_ptr_alt_ptr_int);
+ register_printf_function(PRINTF_TIME_DELTA, print_time_delta, arginfo_ptr_ptr);
+}
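Review bot: clalloc() passes the result of malloc() straight to memcpy(), so an allocation failure becomes a write through NULL rather than an error the caller can handle; `if (data == NULL) return NULL;` before the copy would make the failure visible (the callers are outside this hunk). The status_names table is declared as `ENUM(status_names, SUCCESS, DESTROY_ME,` but lists twelve strings ending in "NEED_MORE", so NEED_MORE falls outside the range and is printed through the `(%d)` fallback; the upper bound should be `NEED_MORE`. In print_time, `time == UNDEFINED_TIME` compares the pointer rather than `*time`, which looks unintended given how library.h describes the macro. The result of gmtime_r()/localtime_r() is also not checked before `months[t.tm_mon]` is read.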
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
new file mode 100644
index 000000000..7c7f087f0
--- /dev/null
+++ b/src/libstrongswan/library.h
@@ -0,0 +1,301 @@
+/**
+ * @file library.h
+ *
+ * @brief Helper functions and definitions.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef LIBRARY_H_
+#define LIBRARY_H_
+
+/**
+ * @defgroup libstrongswan libstrongswan
+ *
+ * libstrongswan: library with various crypto related things.
+ */
+
+/**
+ * @defgroup asn1 asn1
+ *
+ * ASN1 definitions, parser and generator functions.
+ *
+ * @ingroup libstrongswan
+ */
+
+/**
+ * @defgroup crypto crypto
+ *
+ * Crypto algorithms of different kind.
+ *
+ * @ingroup libstrongswan
+ */
+
+/**
+ * @defgroup crypters crypters
+ *
+ * Symmetric encryption algorithms, used for
+ * encryption and decryption.
+ *
+ * @ingroup crypto
+ */
+
+/**
+ * @defgroup hashers hashers
+ *
+ * Hashing algorithms, such as MD5 or SHA1
+ *
+ * @ingroup crypto
+ */
+
+/**
+ * @defgroup prfs prfs
+ *
+ * Pseudo random functions, used to generate
+ * pseude random byte sequences.
+ *
+ * @ingroup crypto
+ */
+
+/**
+ * @defgroup rsa rsa
+ *
+ * RSA private/public key algorithm.
+ *
+ * @ingroup crypto
+ */
+
+/**
+ * @defgroup signers signers
+ *
+ * Symmetric signing algorithms,
+ * used to ensure message integrity.
+ *
+ * @ingroup crypto
+ */
+
+/**
+ * @defgroup utils utils
+ *
+ * Generic helper classes.
+ *
+ * @ingroup libstrongswan
+ */
+
+#include <gmp.h>
+#include <sys/types.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <printf.h>
+
+#include <enum.h>
+
+/**
+ * Number of bits in a byte
+ */
+#define BITS_PER_BYTE 8
+
+/**
+ * Default length for various auxiliary text buffers
+ */
+#define BUF_LEN 512
+
+/**
+ * Macro compares two strings for equality
+ */
+#define streq(x,y) (strcmp(x, y) == 0)
+
+/**
+ * Macro compares two binary blobs for equality
+ */
+#define memeq(x,y,len) (memcmp(x, y, len) == 0)
+
+/**
+ * Macro gives back larger of two values.
+ */
+#define max(x,y) ((x) > (y) ? (x):(y))
+
+/**
+ * Macro gives back smaller of two values.
+ */
+#define min(x,y) ((x) < (y) ? (x):(y))
+
+/**
+ * Call destructor of a object if object != NULL
+ */
+#define DESTROY_IF(obj) if (obj) obj->destroy(obj)
+
+/**
+ * Debug macro to follow control flow
+ */
+#define POS printf("%s, line %d\n", __FILE__, __LINE__)
+
+/**
+ * Macro to allocate a sized type.
+ */
+#define malloc_thing(thing) ((thing*)malloc(sizeof(thing)))
+
+/**
+ * Assign a function as a class method
+ */
+#define ASSIGN(method, function) (method = (typeof(method))function)
+
+/**
+ * time_t not defined
+ */
+#define UNDEFINED_TIME 0
+
+/**
+ * General purpose boolean type.
+ */
+typedef int bool;
+#define FALSE 0
+#define TRUE 1
+
+typedef enum status_t status_t;
+
+/**
+ * Return values of function calls.
+ */
+enum status_t {
+ /**
+ * Call succeeded.
+ */
+ SUCCESS,
+
+ /**
+ * Call failed.
+ */
+ FAILED,
+
+ /**
+ * Out of resources.
+ */
+ OUT_OF_RES,
+
+ /**
+ * The suggested operation is already done
+ */
+ ALREADY_DONE,
+
+ /**
+ * Not supported.
+ */
+ NOT_SUPPORTED,
+
+ /**
+ * One of the arguments is invalid.
+ */
+ INVALID_ARG,
+
+ /**
+ * Something could not be found.
+ */
+ NOT_FOUND,
+
+ /**
+ * Error while parsing.
+ */
+ PARSE_ERROR,
+
+ /**
+ * Error while verifying.
+ */
+ VERIFY_ERROR,
+
+ /**
+ * Object in invalid state.
+ */
+ INVALID_STATE,
+
+ /**
+ * Destroy object which called method belongs to.
+ */
+ DESTROY_ME,
+
+ /**
+ * Another call to the method is required.
+ */
+ NEED_MORE,
+};
+
+/**
+ * enum_names for type status_t.
+ */
+extern enum_name_t *status_names;
+
+/**
+ * deprecated pluto style return value:
+ * error message, NULL for success
+ */
+typedef const char *err_t;
+
+/**
+ * Handle struct timeval like an own type.
+ */
+typedef struct timeval timeval_t;
+
+/**
+ * Handle struct timespec like an own type.
+ */
+typedef struct timespec timespec_t;
+
+/**
+ * Handle struct chunk_t like an own type.
+ */
+typedef struct sockaddr sockaddr_t;
+
+/**
+ * Clone a data to a newly allocated buffer
+ */
+void *clalloc(void *pointer, size_t size);
+
+/**
+ * Same as memcpy, but XORs src into dst instead of copy
+ */
+void memxor(u_int8_t dest[], u_int8_t src[], size_t n);
+
+/**
+ * Special type to count references
+ */
+typedef volatile u_int refcount_t;
+
+/**
+ * @brief Get a new reference.
+ *
+ * Increments the reference counter atomic.
+ *
+ * @param ref pointer to ref counter
+ */
+void ref_get(refcount_t *ref);
+
+/**
+ * @brief Put back a unused reference.
+ *
+ * Decrements the reference counter atomic and
+ * says if more references available.
+ *
+ * @param ref pointer to ref counter
+ * @return TRUE if no more references counted
+ */
+bool ref_put(refcount_t *ref);
+
+
+#include <chunk.h>
+#include <printf_hook.h>
+
+#endif /* LIBRARY_H_ */
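Review bot: DESTROY_IF expands to a bare `if (obj) obj->destroy(obj)`, so using it ahead of an `else` binds that else to the macro's hidden if, and the argument is not parenthesised. `#define DESTROY_IF(obj) do { if (obj) (obj)->destroy(obj); } while (0)` keeps the statement form and removes the dangling-else hazard. memeq wraps memcmp, whose running time may depend on where the buffers first differ; its comment should say it is not meant for comparing MACs or other secret values, in case callers outside this hunk use it that way. The comment above `typedef struct sockaddr sockaddr_t;` names chunk_t and should name struct sockaddr.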
diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c
new file mode 100644
index 000000000..0407e8c82
--- /dev/null
+++ b/src/libstrongswan/printf_hook.c
@@ -0,0 +1,118 @@
+/**
+ * @file printf_hook.c
+ *
+ * @brief Printf hook definitions and arginfo functions.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "printf_hook.h"
+
+/**
+ * arginfo handler in printf() pointer
+ */
+int arginfo_ptr(const struct printf_info *info, size_t n, int *argtypes)
+{
+ if (n > 0)
+ {
+ argtypes[0] = PA_POINTER;
+ }
+ return 1;
+}
+
+/**
+ * arginfo handler for two prt arguments
+ */
+int arginfo_ptr_ptr(const struct printf_info *info, size_t n, int *argtypes)
+{
+ if (n > 1)
+ {
+ argtypes[0] = PA_POINTER;
+ argtypes[1] = PA_POINTER;
+ }
+ return 2;
+}
+
+/**
+ * arginfo handler for one ptr, one int
+ */
+int arginfo_ptr_int(const struct printf_info *info, size_t n, int *argtypes)
+{
+ if (n > 1)
+ {
+ argtypes[0] = PA_POINTER;
+ argtypes[1] = PA_INT;
+ }
+ return 2;
+}
+
+/**
+ * arginfo handler for two int arguments
+ */
+int arginfo_int_int(const struct printf_info *info, size_t n, int *argtypes)
+{
+ if (n > 1)
+ {
+ argtypes[0] = PA_INT;
+ argtypes[1] = PA_INT;
+ }
+ return 2;
+}
+
+/**
+ * special arginfo handler respecting alt flag
+ */
+int arginfo_int_alt_int_int(const struct printf_info *info, size_t n, int *argtypes)
+{
+ if (info->alt)
+ {
+ if (n > 1)
+ {
+ argtypes[0] = PA_INT;
+ argtypes[1] = PA_INT;
+ }
+ return 2;
+ }
+
+ if (n > 0)
+ {
+ argtypes[0] = PA_INT;
+ }
+ return 1;
+}
+
+/**
+ * special arginfo handler respecting alt flag
+ */
+int arginfo_ptr_alt_ptr_int(const struct printf_info *info, size_t n, int *argtypes)
+{
+ if (info->alt)
+ {
+ if (n > 1)
+ {
+ argtypes[0] = PA_POINTER;
+ argtypes[1] = PA_INT;
+ }
+ return 2;
+ }
+
+ if (n > 0)
+ {
+ argtypes[0] = PA_POINTER;
+ }
+ return 1;
+}
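Review bot: None of the arginfo handlers documents the contract it implements: each returns the number of arguments the conversion consumes and writes `argtypes` only when `n` is large enough, leaving the array untouched otherwise. A one-line addition to each comment, for example `returns 2; argtypes[] is written only if n >= 2`, would keep a later edit from turning the `n` test into a partial write. The comment on arginfo_ptr_ptr reads "two prt arguments" and should read "two ptr arguments".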
diff --git a/src/libstrongswan/printf_hook.h b/src/libstrongswan/printf_hook.h
new file mode 100644
index 000000000..45184a8f0
--- /dev/null
+++ b/src/libstrongswan/printf_hook.h
@@ -0,0 +1,76 @@
+/**
+ * @file printf_hook.h
+ *
+ * @brief Printf hook definitions and arginfo functions.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef PRINTF_HOOK_H_
+#define PRINTF_HOOK_H_
+
+#include <printf.h>
+
+/**
+ * Printf() hook characters.
+ * We define all characters here to have them on a central place.
+ */
+
+/** 2 arguments: u_char *buffer, int size */
+#define PRINTF_BYTES 'b'
+/** 1 argument: chunk_t *chunk; use #-modifier to print inline */
+#define PRINTF_CHUNK 'B'
+/** 1 argument: identification_t *id */
+#define PRINTF_IDENTIFICATION 'D'
+/** 1 argumnet: host_t *host; use #-modifier to include port number */
+#define PRINTF_HOST 'H'
+/** 1 argument: ike_sa_id_t *id */
+#define PRINTF_IKE_SA_ID 'J'
+/** 1 argument: ike_sa_t *ike_sa */
+#define PRINTF_IKE_SA 'K'
+/** 1 argument: message_t *message */
+#define PRINTF_MESSAGE 'M'
+/** 2 arguments: enum_name_t *name, long value */
+#define PRINTF_ENUM 'N'
+/** 1 argument: child_sa_t *child_sa */
+#define PRINTF_CHILD_SA 'P'
+/** 1 argument: traffic_selector_t *ts */
+#define PRINTF_TRAFFIC_SELECTOR 'R'
+/** 1 argument: time_t *time; with #-modifier 2 arguments: time_t *time, bool utc */
+#define PRINTF_TIME 'T'
+/** 1 argument: x509_t *cert; with #-modifier 2 arguments: x509_t *cert, bool utc */
+#define PRINTF_X509 'Q'
+/** 1 argument: crl_t *crl; with #-modifier 2 arguments: crl_t *crl, bool utc */
+#define PRINTF_CRL 'U'
+/** 2 arguments: time_t *begin, time_t *end */
+#define PRINTF_TIME_DELTA 'V'
+/** 1 argument: ca_info_t *ca_info; with #-modifier 2 arguments: ca_info_t *ca_info, bool utc */
+#define PRINTF_CAINFO 'W'
+/** 1 argument: certinfo_t *certinfo; with #-modifier 2 arguments: certinfo_t *certinfo, bool utc */
+#define PRINTF_CERTINFO 'Y'
+
+/**
+ * Generic arginfo handlers for printf() hooks
+ */
+int arginfo_ptr(const struct printf_info *info, size_t n, int *argtypes);
+int arginfo_ptr_ptr(const struct printf_info *info, size_t n, int *argtypes);
+int arginfo_ptr_int(const struct printf_info *info, size_t n, int *argtypes);
+int arginfo_int_int(const struct printf_info *info, size_t n, int *argtypes);
+int arginfo_ptr_alt_ptr_int(const struct printf_info *info, size_t n, int *argtypes);
+int arginfo_int_alt_int_int(const struct printf_info *info, size_t n, int *argtypes);
+
+#endif /* PRINTF_HOOK_H_ */
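Review bot: The PRINTF_ENUM comment documents the second argument as `long value`, but enum.c registers the hook with arginfo_ptr_int (PA_INT) and print_enum reads it as `int`, so a caller who follows the comment and passes a long is mismatched with what printf fetches. The comment should read `2 arguments: enum_name_t *name, int value`. Compiler format checking cannot verify these custom conversion characters, so these per-character comments are the only argument contract callers get and need to match the registered arginfo handlers exactly.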
diff --git a/src/libstrongswan/utils/fetcher.c b/src/libstrongswan/utils/fetcher.c
new file mode 100644
index 000000000..6165cc1e1
--- /dev/null
+++ b/src/libstrongswan/utils/fetcher.c
@@ -0,0 +1,421 @@
+/**
+ * @file fetcher.c
+ *
+ * @brief Implementation of fetcher_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <fetcher://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifdef LIBCURL
+#include <curl/curl.h>
+#endif /* LIBCURL */
+
+#ifdef LIBLDAP
+#include <ldap.h>
+#endif /* LIBLDAP */
+
+#include <library.h>
+#include <debug.h>
+
+#include "fetcher.h"
+
+typedef struct private_fetcher_t private_fetcher_t;
+
+/**
+ * @brief Private Data of a fetcher_t object.
+ */
+struct private_fetcher_t {
+ /**
+ * Public data
+ */
+ fetcher_t public;
+
+ /**
+ * URI of the information source
+ */
+ const char *uri;
+
+#ifdef LIBCURL
+ /**
+ * we use libcurl from http://curl.haxx.se/ as a fetcher
+ */
+ CURL* curl;
+#endif /* LIBCURL */
+
+#ifdef LIBLDAP
+ /**
+ * we use libldap from http://www.openssl.org/ as a fetcher
+ */
+ LDAP *ldap;
+ LDAPURLDesc *lurl;
+#endif /* LIBLDAP */
+};
+
+/**
+ * writes data into a dynamically resizeable chunk_t
+ * needed for libcurl responses
+ */
+static size_t curl_write_buffer(void *ptr, size_t size, size_t nmemb, void *data)
+{
+ size_t realsize = size * nmemb;
+ chunk_t *mem = (chunk_t*)data;
+
+ mem->ptr = (u_char *)realloc(mem->ptr, mem->len + realsize);
+ if (mem->ptr) {
+ memcpy(&(mem->ptr[mem->len]), ptr, realsize);
+ mem->len += realsize;
+ }
+ return realsize;
+}
+
+/**
+ * Implements fetcher_t.get for curl methods
+ */
+static chunk_t curl_get(private_fetcher_t *this)
+{
+ chunk_t response = chunk_empty;
+
+#ifdef LIBCURL
+ if (this->curl)
+ {
+ CURLcode res;
+ chunk_t curl_response = chunk_empty;
+ char curl_error_buffer[CURL_ERROR_SIZE];
+
+ curl_easy_setopt(this->curl, CURLOPT_URL, this->uri);
+ curl_easy_setopt(this->curl, CURLOPT_WRITEFUNCTION, curl_write_buffer);
+ curl_easy_setopt(this->curl, CURLOPT_WRITEDATA, (void *)&curl_response);
+ curl_easy_setopt(this->curl, CURLOPT_ERRORBUFFER, &curl_error_buffer);
+ curl_easy_setopt(this->curl, CURLOPT_FAILONERROR, TRUE);
+ curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, FETCHER_TIMEOUT);
+ curl_easy_setopt(this->curl, CURLOPT_NOSIGNAL, TRUE);
+
+ DBG1("sending curl request to '%s'...", this->uri);
+ res = curl_easy_perform(this->curl);
+
+ if (res == CURLE_OK)
+ {
+ DBG1("received valid curl response");
+ response = chunk_clone(curl_response);
+ }
+ else
+ {
+ DBG1("curl request failed: %s", curl_error_buffer);
+ }
+ curl_free(curl_response.ptr);
+ }
+#else
+ DBG1("warning: libcurl fetching not compiled in");
+#endif /* LIBCURL */
+ return response;
+}
+
+/**
+ * Implements fetcher_t.post.
+ */
+static chunk_t http_post(private_fetcher_t *this, const char *request_type, chunk_t request)
+{
+ chunk_t response = chunk_empty;
+
+#ifdef LIBCURL
+ if (this->curl)
+ {
+ CURLcode res;
+ struct curl_slist *headers = NULL;
+ chunk_t curl_response = chunk_empty;
+ char curl_error_buffer[CURL_ERROR_SIZE];
+ char content_type[BUF_LEN];
+
+ /* set content type header */
+ snprintf(content_type, BUF_LEN, "Content-Type: %s", request_type);
+ headers = curl_slist_append(headers, content_type);
+
+ /* set options */
+ curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, headers);
+ curl_easy_setopt(this->curl, CURLOPT_URL, this->uri);
+ curl_easy_setopt(this->curl, CURLOPT_WRITEFUNCTION, curl_write_buffer);
+ curl_easy_setopt(this->curl, CURLOPT_WRITEDATA, (void *)&curl_response);
+ curl_easy_setopt(this->curl, CURLOPT_POSTFIELDS, request.ptr);
+ curl_easy_setopt(this->curl, CURLOPT_POSTFIELDSIZE, request.len);
+ curl_easy_setopt(this->curl, CURLOPT_ERRORBUFFER, &curl_error_buffer);
+ curl_easy_setopt(this->curl, CURLOPT_FAILONERROR, TRUE);
+ curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, FETCHER_TIMEOUT);
+ curl_easy_setopt(this->curl, CURLOPT_NOSIGNAL, TRUE);
+
+ DBG1("sending http post request to '%s'...", this->uri);
+ res = curl_easy_perform(this->curl);
+
+ if (res == CURLE_OK)
+ {
+ DBG1("received valid http response");
+ response = chunk_clone(curl_response);
+ }
+ else
+ {
+ DBG1("http post request using libcurl failed: %s", curl_error_buffer);
+ }
+ curl_slist_free_all(headers);
+ curl_free(curl_response.ptr);
+ }
+#else
+ DBG1("warning: libcurl fetching not compiled in");
+#endif /* LIBCURL */
+ return response;
+}
+
+#ifdef LIBLDAP
+/**
+ * Parses the result returned by an ldap query
+ */
+static chunk_t ldap_parse(LDAP *ldap, LDAPMessage *result)
+{
+ chunk_t response = chunk_empty;
+ err_t ugh = NULL;
+
+ LDAPMessage *entry = ldap_first_entry(ldap, result);
+
+ if (entry != NULL)
+ {
+ BerElement *ber = NULL;
+ char *attr;
+
+ attr = ldap_first_attribute(ldap, entry, &ber);
+
+ if (attr != NULL)
+ {
+ struct berval **values = ldap_get_values_len(ldap, entry, attr);
+
+ if (values != NULL)
+ {
+ if (values[0] != NULL)
+ {
+ response.len = values[0]->bv_len;
+ response.ptr = malloc(response.len);
+ memcpy(response.ptr, values[0]->bv_val, response.len);
+
+ if (values[1] != NULL)
+ {
+ ugh = "more than one value was fetched - first selected";
+ }
+ }
+ else
+ {
+ ugh = "no values in attribute";
+ }
+ ldap_value_free_len(values);
+ }
+ else
+ {
+ ugh = ldap_err2string(ldap_result2error(ldap, entry, 0));
+ }
+ ldap_memfree(attr);
+ }
+ else
+ {
+ ugh = ldap_err2string(ldap_result2error(ldap, entry, 0));
+ }
+ ber_free(ber, 0);
+ }
+ else
+ {
+ ugh = ldap_err2string(ldap_result2error(ldap, result, 0));
+ }
+ if (ugh)
+ {
+ DBG1("ldap request failed: %s", ugh);
+ }
+ return response;
+}
+#endif /* LIBLDAP */
+
+/**
+ * Implements fetcher_t.get for curl methods
+ */
+static chunk_t ldap_get(private_fetcher_t *this)
+{
+ chunk_t response = chunk_empty;
+
+#ifdef LIBLDAP
+ if (this->ldap)
+ {
+ err_t ugh = NULL;
+ int rc;
+ int ldap_version = LDAP_VERSION3;
+
+ struct timeval timeout;
+
+ timeout.tv_sec = FETCHER_TIMEOUT;
+ timeout.tv_usec = 0;
+
+ ldap_set_option(this->ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
+ ldap_set_option(this->ldap, LDAP_OPT_NETWORK_TIMEOUT, &timeout);
+
+ DBG1("sending ldap request to '%s'...", this->uri);
+
+ rc = ldap_simple_bind_s(this->ldap, NULL, NULL);
+ if (rc == LDAP_SUCCESS)
+ {
+ LDAPMessage *result;
+
+ timeout.tv_sec = FETCHER_TIMEOUT;
+ timeout.tv_usec = 0;
+
+ rc = ldap_search_st(this->ldap, this->lurl->lud_dn,
+ this->lurl->lud_scope,
+ this->lurl->lud_filter,
+ this->lurl->lud_attrs,
+ 0, &timeout, &result);
+
+ if (rc == LDAP_SUCCESS)
+ {
+ response = ldap_parse(this->ldap, result);
+ if (response.ptr)
+ {
+ DBG1("received valid ldap response");
+ }
+ ldap_msgfree(result);
+ }
+ else
+ {
+ ugh = ldap_err2string(rc);
+ }
+ }
+ else
+ {
+ ugh = ldap_err2string(rc);
+ }
+ ldap_unbind_s(this->ldap);
+
+ if (ugh)
+ {
+ DBG1("ldap request failed: %s", ugh);
+ }
+ }
+#else /* !LIBLDAP */
+ DBG1("warning: libldap fetching not compiled in");
+#endif /* !LIBLDAP */
+ return response;
+}
+
+/**
+ * Implements fetcher_t.destroy
+ */
+static void destroy(private_fetcher_t *this)
+{
+#ifdef LIBCURL
+ if (this->curl)
+ {
+ curl_easy_cleanup(this->curl);
+ }
+#endif /* LIBCURL */
+
+#ifdef LIBLDAP
+ if (this->lurl)
+ {
+ ldap_free_urldesc(this->lurl);
+ }
+#endif /* LIBLDAP */
+
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+fetcher_t *fetcher_create(const char *uri)
+{
+ private_fetcher_t *this = malloc_thing(private_fetcher_t);
+
+ /* initialize */
+ this->uri = uri;
+
+#ifdef LIBCURL
+ this->curl = NULL;
+#endif /* LIBCURL */
+
+#ifdef LIBLDAP
+ this->lurl = NULL;
+ this->ldap = NULL;
+#endif /* LIBLDAP */
+
+ if (strlen(uri) >= 4 && strncasecmp(uri, "ldap", 4) == 0)
+ {
+#ifdef LIBLDAP
+ int rc = ldap_url_parse(uri, &this->lurl);
+
+ if (rc == LDAP_SUCCESS)
+ {
+ this->ldap = ldap_init(this->lurl->lud_host,
+ this->lurl->lud_port);
+ }
+ else
+ {
+ DBG1("ldap: %s", ldap_err2string(rc));
+ this->ldap = NULL;
+ }
+#endif /* LIBLDAP */
+ this->public.get = (chunk_t (*) (fetcher_t*))ldap_get;
+ }
+ else
+ {
+#ifdef LIBCURL
+ this->curl = curl_easy_init();
+ if (this->curl == NULL)
+ {
+ DBG1("curl_easy_init_failed()");
+ }
+#endif /* LIBCURL */
+ this->public.get = (chunk_t (*) (fetcher_t*))curl_get;
+ }
+
+ /* public functions */
+ this->public.post = (chunk_t (*) (fetcher_t*,const char*,chunk_t))http_post;
+ this->public.destroy = (void (*) (fetcher_t*))destroy;
+
+ return &this->public;
+}
+
+/**
+ * Described in header.
+ */
+void fetcher_initialize(void)
+{
+#ifdef LIBCURL
+ CURLcode res;
+
+ /* initialize libcurl */
+ DBG1("initializing libcurl");
+ res = curl_global_init(CURL_GLOBAL_NOTHING);
+ if (res != CURLE_OK)
+ {
+ DBG1("libcurl could not be initialized: %s", curl_easy_strerror(res));
+ }
+#endif /* LIBCURL */
+}
+
+/**
+ * Described in header.
+ */
+void fetcher_finalize(void)
+{
+#ifdef LIBCURL
+ /* finalize libcurl */
+ DBG1("finalizing libcurl");
+ curl_global_cleanup();
+#endif /* LIBCURL */
+}
+
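Review bot: curl_write_buffer() assigns the realloc() result straight to `mem->ptr` and returns `realsize` even when the allocation failed, so the old buffer leaks, libcurl keeps delivering data, and a later successful call copies at offset `mem->len` into a fresh block whose leading bytes were never written. Returning a short count on failure makes libcurl abort the transfer; the rewrite below also keeps the old pointer and rejects a length that would wrap. Nothing caps the total response size, so a check against a limit sized for the largest response the callers expect belongs in the same callback. The buffer is later released with curl_free() in curl_get and http_post although it came from realloc(), where `free()` is the matching call. ldap_get() also leaves `this->ldap` pointing at the handle it just passed to ldap_unbind_s(); `this->ldap = NULL;` after the unbind avoids reuse on a second get().

```c
static size_t curl_write_buffer(void *ptr, size_t size, size_t nmemb, void *data)
{
	size_t realsize = size * nmemb;
	chunk_t *mem = (chunk_t*)data;
	u_char *grown;

	/* refuse a total length that would wrap instead of under-allocating */
	if (realsize > (size_t)-1 - mem->len)
	{
		return 0;
	}
	grown = (u_char *)realloc(mem->ptr, mem->len + realsize);
	if (grown == NULL)
	{
		/* old buffer stays in mem->ptr for the caller to free;
		 * a count different from realsize aborts the transfer */
		return 0;
	}
	mem->ptr = grown;
	memcpy(&(mem->ptr[mem->len]), ptr, realsize);
	mem->len += realsize;
	return realsize;
}
```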
diff --git a/src/libstrongswan/utils/fetcher.h b/src/libstrongswan/utils/fetcher.h
new file mode 100644
index 000000000..47b43a0b7
--- /dev/null
+++ b/src/libstrongswan/utils/fetcher.h
@@ -0,0 +1,95 @@
+/**
+ * @file fetcher.h
+ *
+ * @brief Interface of fetcher_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <fetcher://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef FETCHER_H_
+#define FETCHER_H_
+
+typedef struct fetcher_t fetcher_t;
+
+#include <chunk.h>
+
+#define FETCHER_TIMEOUT 10 /* seconds */
+
+/**
+ * @brief Fetches information from an URI (http, file, ftp, etc.)
+ *
+ * @ingroup utils
+ */
+struct fetcher_t {
+
+ /**
+ * @brief Get information via a get request.
+ *
+ * @param this calling object
+ * @param uri uri specifying the information source
+ * @return chunk_t containing the information
+ */
+ chunk_t (*get) (fetcher_t *this);
+
+ /**
+ * @brief Get information via a get request.
+ *
+ * @param this calling object
+ * @param uri uri specifying the information source
+ * @param type content type of http post request
+ * @param request binary data for http post request
+ * @return chunk_t containing the information
+ */
+ chunk_t (*post) (fetcher_t *this, const char *type, chunk_t request);
+
+ /**
+ * @brief Destroys the fetcher_t object.
+ *
+ * @param this fetcher_t to destroy
+ */
+ void (*destroy) (fetcher_t *this);
+
+};
+
+/**
+ * @brief Create a fetcher_t object.
+ *
+ * @return created fetcher_t object
+ *
+ * @ingroup utils
+ */
+fetcher_t* fetcher_create(const char *uri);
+
+/**
+ * @brief Initializes the fetcher_t class
+ *
+ * call this function only once in the main program
+ *
+ * @ingroup utils
+ */
+void fetcher_initialize(void);
+
+/**
+ * @brief Finalizes the fetcher_t class
+ *
+ * call this function only once befor exiting the main program
+ *
+ * @ingroup utils
+ */
+void fetcher_finalize(void);
+
+#endif /*FETCHER_H_*/
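Review bot: The method comments do not match the signatures: `get` and `post` both document a `@param uri` they do not take, and `post` repeats the brief "Get information via a get request" where it should describe a post request. fetcher_create() has no `@param uri` at all, and fetcher.c stores the pointer without copying it, so the comment should say `@param uri URI of the source; not copied, must stay valid until destroy()`. The `get` and `post` comments should also state that the returned chunk is allocated and must be freed by the caller, since ldap_parse returns malloc'd data and the curl paths return a chunk_clone() result.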
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
new file mode 100644
index 000000000..8cbfd6ab8
--- /dev/null
+++ b/src/libstrongswan/utils/host.c
@@ -0,0 +1,526 @@
+/**
+ * @file host.c
+ *
+ * @brief Implementation of host_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <printf.h>
+
+#include "host.h"
+
+
+typedef struct private_host_t private_host_t;
+
+/**
+ * @brief Private Data of a host object.
+ */
+struct private_host_t {
+ /**
+ * Public data
+ */
+ host_t public;
+
+ /**
+ * low-lewel structure, wich stores the address
+ */
+ union {
+ /** generic type */
+ struct sockaddr address;
+ /** maximum sockaddr size */
+ struct sockaddr_storage address_max;
+ /** IPv4 address */
+ struct sockaddr_in address4;
+ /** IPv6 address */
+ struct sockaddr_in6 address6;
+ };
+ /**
+ * length of address structure
+ */
+ socklen_t socklen;
+};
+
+
+/**
+ * implements host_t.get_sockaddr
+ */
+static sockaddr_t *get_sockaddr(private_host_t *this)
+{
+ return &(this->address);
+}
+
+/**
+ * implements host_t.get_sockaddr_len
+ */
+static socklen_t *get_sockaddr_len(private_host_t *this)
+{
+ return &(this->socklen);
+}
+
+/**
+ * Implementation of host_t.is_anyaddr.
+ */
+static bool is_anyaddr(private_host_t *this)
+{
+ switch (this->address.sa_family)
+ {
+ case AF_INET:
+ {
+ u_int8_t default_route[4];
+ memset(default_route, 0, sizeof(default_route));
+ return memeq(default_route, &(this->address4.sin_addr.s_addr),
+ sizeof(default_route));
+ }
+ case AF_INET6:
+ {
+ u_int8_t default_route[16];
+ memset(default_route, 0, sizeof(default_route));
+ return memeq(default_route, &(this->address6.sin6_addr.s6_addr),
+ sizeof(default_route));
+ }
+ default:
+ {
+ return FALSE;
+ }
+ }
+}
+
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ private_host_t *this = *((private_host_t**)(args[0]));
+ char buffer[INET6_ADDRSTRLEN];
+ void *address;
+ u_int16_t port;
+
+ if (this == NULL)
+ {
+ return fprintf(stream, "(null)");
+ }
+
+ if (is_anyaddr(this))
+ {
+ return fprintf(stream, "%%any");
+ }
+
+ switch (this->address.sa_family)
+ {
+ case AF_INET:
+ address = &this->address4.sin_addr;
+ port = this->address4.sin_port;
+ break;
+ case AF_INET6:
+ address = &this->address6.sin6_addr;
+ port = this->address6.sin6_port;
+ break;
+ default:
+ return fprintf(stream, "(family not supported)");
+ }
+
+ if (inet_ntop(this->address.sa_family, address,
+ buffer, sizeof(buffer)) == NULL)
+ {
+ return fprintf(stream, "(address conversion failed)");
+ }
+
+ if (info->alt)
+ {
+ return fprintf(stream, "%s[%d]", buffer, ntohs(port));
+ }
+ else
+ {
+ return fprintf(stream, "%s", buffer);
+ }
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(PRINTF_HOST, print, arginfo_ptr);
+}
+
+/**
+ * Implementation of host_t.get_address.
+ */
+static chunk_t get_address(private_host_t *this)
+{
+ chunk_t address = chunk_empty;
+
+ switch (this->address.sa_family)
+ {
+ case AF_INET:
+ {
+ address.ptr = (char*)&(this->address4.sin_addr.s_addr);
+ address.len = 4;
+ return address;
+ }
+ case AF_INET6:
+ {
+ address.ptr = (char*)&(this->address6.sin6_addr.s6_addr);
+ address.len = 16;
+ return address;
+ }
+ default:
+ {
+ /* return empty chunk */
+ return address;
+ }
+ }
+}
+
+/**
+ * implements host_t.get_family
+ */
+static int get_family(private_host_t *this)
+{
+ return this->address.sa_family;
+}
+
+/**
+ * implements host_t.get_port
+ */
+static u_int16_t get_port(private_host_t *this)
+{
+ switch (this->address.sa_family)
+ {
+ case AF_INET:
+ {
+ return ntohs(this->address4.sin_port);
+ }
+ case AF_INET6:
+ {
+ return ntohs(this->address6.sin6_port);
+ }
+ default:
+ {
+ return 0;
+ }
+ }
+}
+
+/**
+ * implements host_t.set_port
+ */
+static void set_port(private_host_t *this, u_int16_t port)
+{
+ switch (this->address.sa_family)
+ {
+ case AF_INET:
+ {
+ this->address4.sin_port = htons(port);
+ break;
+ }
+ case AF_INET6:
+ {
+ this->address6.sin6_port = htons(port);
+ break;
+ }
+ default:
+ {
+ break;
+ }
+ }
+}
+
+/**
+ * Implements host_t.clone.
+ */
+static private_host_t *clone_(private_host_t *this)
+{
+ private_host_t *new = malloc_thing(private_host_t);
+
+ memcpy(new, this, sizeof(private_host_t));
+ return new;
+}
+
+/**
+ * Impelements host_t.ip_equals
+ */
+static bool ip_equals(private_host_t *this, private_host_t *other)
+{
+ if (this->address.sa_family != other->address.sa_family)
+ {
+ /* 0.0.0.0 and ::0 are equal */
+ if (is_anyaddr(this) && is_anyaddr(other))
+ {
+ return TRUE;
+ }
+
+ return FALSE;
+ }
+
+ switch (this->address.sa_family)
+ {
+ case AF_INET:
+ {
+ if (memeq(&this->address4.sin_addr, &other->address4.sin_addr,
+ sizeof(this->address4.sin_addr)))
+ {
+ return TRUE;
+ }
+ break;
+ }
+ case AF_INET6:
+ {
+ if (memeq(&this->address6.sin6_addr, &other->address6.sin6_addr,
+ sizeof(this->address6.sin6_addr)))
+ {
+ return TRUE;
+ }
+ }
+ default:
+ break;
+ }
+ return FALSE;
+}
+
+/**
+ * Implements host_t.get_differences
+ */
+static host_diff_t get_differences(host_t *this, host_t *other)
+{
+ host_diff_t ret = HOST_DIFF_NONE;
+
+ if (!this->ip_equals(this, other))
+ {
+ ret |= HOST_DIFF_ADDR;
+ }
+
+ if (this->get_port(this) != other->get_port(other))
+ {
+ ret |= HOST_DIFF_PORT;
+ }
+
+ return ret;
+}
+
+/**
+ * Impelements host_t.equals
+ */
+static bool equals(private_host_t *this, private_host_t *other)
+{
+ if (!ip_equals(this, other))
+ {
+ return FAILED;
+ }
+
+ switch (this->address.sa_family)
+ {
+ case AF_INET:
+ {
+ if (this->address4.sin_port == other->address4.sin_port)
+ {
+ return TRUE;
+ }
+ break;
+ }
+ case AF_INET6:
+ {
+ if (this->address6.sin6_port == other->address6.sin6_port)
+ {
+ return TRUE;
+ }
+ break;
+ }
+ default:
+ break;
+ }
+ return FALSE;
+}
+
+/**
+ * Implements host_t.destroy
+ */
+static void destroy(private_host_t *this)
+{
+ free(this);
+}
+
+/**
+ * Creates an empty host_t object
+ */
+static private_host_t *host_create_empty(void)
+{
+ private_host_t *this = malloc_thing(private_host_t);
+
+ this->public.get_sockaddr = (sockaddr_t* (*) (host_t*))get_sockaddr;
+ this->public.get_sockaddr_len = (socklen_t*(*) (host_t*))get_sockaddr_len;
+ this->public.clone = (host_t* (*) (host_t*))clone_;
+ this->public.get_family = (int (*) (host_t*))get_family;
+ this->public.get_address = (chunk_t (*) (host_t *)) get_address;
+ this->public.get_port = (u_int16_t (*) (host_t *))get_port;
+ this->public.set_port = (void (*) (host_t *,u_int16_t))set_port;
+ this->public.get_differences = get_differences;
+ this->public.ip_equals = (bool (*) (host_t *,host_t *)) ip_equals;
+ this->public.equals = (bool (*) (host_t *,host_t *)) equals;
+ this->public.is_anyaddr = (bool (*) (host_t *)) is_anyaddr;
+ this->public.destroy = (void (*) (host_t*))destroy;
+
+ return this;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_string(char *string, u_int16_t port)
+{
+ private_host_t *this = host_create_empty();
+
+ if (strchr(string, '.'))
+ {
+ this->address.sa_family = AF_INET;
+ }
+ else
+ {
+ this->address.sa_family = AF_INET6;
+ }
+
+ switch (this->address.sa_family)
+ {
+ case AF_INET:
+ {
+ if (inet_pton(AF_INET, string, &this->address4.sin_addr) <=0)
+ {
+ break;
+ }
+ this->address4.sin_port = htons(port);
+ this->socklen = sizeof(struct sockaddr_in);
+ return &this->public;
+ }
+ case AF_INET6:
+ {
+ if (inet_pton(AF_INET6, string, &this->address6.sin6_addr) <=0)
+ {
+ break;
+ }
+ this->address6.sin6_port = htons(port);
+ this->socklen = sizeof(struct sockaddr_in6);
+ return &this->public;
+ }
+ default:
+ {
+ break;
+ }
+ }
+ free(this);
+ return NULL;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
+{
+ private_host_t *this = host_create_empty();
+
+ this->address.sa_family = family;
+ switch (family)
+ {
+ case AF_INET:
+ {
+ if (address.len != 4)
+ {
+ break;
+ }
+ memcpy(&(this->address4.sin_addr.s_addr), address.ptr,4);
+ this->address4.sin_port = htons(port);
+ this->socklen = sizeof(struct sockaddr_in);
+ return &(this->public);
+ }
+ case AF_INET6:
+ {
+ if (address.len != 16)
+ {
+ break;
+ }
+ memcpy(&(this->address6.sin6_addr.s6_addr), address.ptr, 16);
+ this->address6.sin6_port = htons(port);
+ this->socklen = sizeof(struct sockaddr_in6);
+ return &this->public;
+ }
+ default:
+ break;
+ }
+ free(this);
+ return NULL;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
+{
+ private_host_t *this = host_create_empty();
+
+ switch (sockaddr->sa_family)
+ {
+ case AF_INET:
+ {
+ memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in));
+ this->socklen = sizeof(struct sockaddr_in);
+ return &this->public;
+ }
+ case AF_INET6:
+ {
+ memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6));
+ this->socklen = sizeof(struct sockaddr_in6);
+ return &this->public;
+ }
+ default:
+ break;
+ }
+ free(this);
+ return NULL;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_any(int family)
+{
+ private_host_t *this = host_create_empty();
+
+ memset(&this->address_max, 0, sizeof(struct sockaddr_storage));
+ this->address.sa_family = family;
+
+ switch (family)
+ {
+ case AF_INET:
+ {
+ this->socklen = sizeof(struct sockaddr_in);
+ return &(this->public);
+ }
+ case AF_INET6:
+ {
+ this->socklen = sizeof(struct sockaddr_in6);
+ return &this->public;
+ }
+ default:
+ break;
+ }
+ return NULL;
+}
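Review bot: `equals()` returns `FAILED` when `ip_equals()` reports different addresses, although its return type is `bool`. The definition of `FAILED` is not in this hunk, but if it is a non-zero status code, two hosts with different IPs compare as equal, which matters wherever peers are matched by address and port. The line should read `return FALSE;`. Separately, `host_create_any()` leaves its switch and reaches `return NULL;` without the `free(this);` that the other three constructors have, so an unsupported family leaks the object.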
diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/utils/host.h
new file mode 100644
index 000000000..ee9aa457f
--- /dev/null
+++ b/src/libstrongswan/utils/host.h
@@ -0,0 +1,231 @@
+/**
+ * @file host.h
+ *
+ * @brief Interface of host_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef HOST_H_
+#define HOST_H_
+
+typedef enum host_diff_t host_diff_t;
+typedef struct host_t host_t;
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <library.h>
+
+/**
+ * Differences between two hosts. They differ in
+ * address, port, or both.
+ */
+enum host_diff_t {
+ HOST_DIFF_NONE = 0,
+ HOST_DIFF_ADDR = 1,
+ HOST_DIFF_PORT = 2,
+};
+
+/**
+ * @brief Representates a Host
+ *
+ * Host object, identifies a address:port pair and defines some
+ * useful functions on it.
+ *
+ * @b Constructors:
+ * - host_create()
+ * - host_create_from_chunk()
+ * - host_create_from_sockaddr()
+ *
+ * @todo Add IPv6 support
+ *
+ * @ingroup utils
+ */
+struct host_t {
+
+ /**
+ * @brief Build a clone of this host object.
+ *
+ * @param this object to clone
+ * @return cloned host
+ */
+ host_t *(*clone) (host_t *this);
+
+ /**
+ * @brief Get a pointer to the internal sockaddr struct.
+ *
+ * This is used for sending and receiving via sockets.
+ *
+ * @param this object to clone
+ * @return pointer to the internal sockaddr structure
+ */
+ sockaddr_t *(*get_sockaddr) (host_t *this);
+
+ /**
+ * @brief Get the length of the sockaddr struct.
+ *
+ * Depending on the family, the length of the sockaddr struct
+ * is different. Use this function to get the length of the sockaddr
+ * struct returned by get_sock_addr.
+ *
+ * This is used for sending and receiving via sockets.
+ *
+ * @param this object to clone
+ * @return length of the sockaddr struct
+ */
+ socklen_t *(*get_sockaddr_len) (host_t *this);
+
+ /**
+ * @brief Gets the family of the address
+ *
+ * @param this calling object
+ * @return family
+ */
+ int (*get_family) (host_t *this);
+
+ /**
+ * @brief Checks if the ip address of host is set to default route.
+ *
+ * @param this calling object
+ * @return
+ * - TRUE if host has IP 0.0.0.0 for default route
+ * - FALSE otherwise
+ */
+ bool (*is_anyaddr) (host_t *this);
+
+ /**
+ * @brief get the address of this host as chunk_t
+ *
+ * Returned chunk points to internal data.
+ *
+ * @param this object
+ * @return address string,
+ */
+ chunk_t (*get_address) (host_t *this);
+
+ /**
+ * @brief get the port of this host
+ *
+ * @param this object to clone
+ * @return port number
+ */
+ u_int16_t (*get_port) (host_t *this);
+
+ /**
+ * @brief set the port of this host
+ *
+ * @param this object to clone
+ * @param port port numer
+ */
+ void (*set_port) (host_t *this, u_int16_t port);
+
+ /**
+ * @brief Compare the ips of two hosts hosts.
+ *
+ * @param this object to compare
+ * @param other the other to compare
+ * @return TRUE if addresses are equal.
+ */
+ bool (*ip_equals) (host_t *this, host_t *other);
+
+ /**
+ * @brief Compare two hosts, with port.
+ *
+ * @param this object to compare
+ * @param other the other to compare
+ * @return TRUE if addresses and ports are equal.
+ */
+ bool (*equals) (host_t *this, host_t *other);
+
+ /**
+ * @brief Compare two hosts and return the differences.
+ *
+ * @param this object to compare
+ * @param other the other to compare
+ * @return differences in a combination of host_diff_t's
+ */
+ host_diff_t (*get_differences) (host_t *this, host_t *other);
+
+ /**
+ * @brief Destroy this host object
+ *
+ * @param this calling
+ * @return SUCCESS in any case
+ */
+ void (*destroy) (host_t *this);
+};
+
+/**
+ * @brief Constructor to create a host_t object from an address string.
+ *
+ * @param string string of an address, such as "152.96.193.130"
+ * @param port port number
+ * @return
+ * - host_t object
+ * - NULL, if string not an address.
+ *
+ * @ingroup network
+ */
+host_t *host_create_from_string(char *string, u_int16_t port);
+
+/**
+ * @brief Constructor to create a host_t object from an address chunk
+ *
+ * @param family Address family to use for this object, such as AF_INET or AF_INET6
+ * @param address address as 4 byte chunk_t in networ order
+ * @param port port number
+ * @return
+ * - host_t object
+ * - NULL, if family not supported or chunk_t length not 4 bytes.
+ *
+ * @ingroup network
+ */
+host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port);
+
+/**
+ * @brief Constructor to create a host_t object from a sockaddr struct
+ *
+ * @param sockaddr sockaddr struct which contains family, address and port
+ * @return
+ * - host_t object
+ * - NULL, if family not supported.
+ *
+ * @ingroup network
+ */
+host_t *host_create_from_sockaddr(sockaddr_t *sockaddr);
+
+/**
+ * @brief Create a host without an address, a "any" host.
+ *
+ * @param family family of the any host
+ * @return
+ * - host_t object
+ * - NULL, if family not supported.
+ *
+ * @ingroup network
+ */
+host_t *host_create_any(int family);
+
+#endif /*HOST_H_*/
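Review bot: The doc comment on `host_create_from_chunk()` describes the address as a 4 byte chunk and says NULL is returned when the length is not 4 bytes, but the host.c added in this commit also accepts 16 bytes for AF_INET6. I would write `@param address address as chunk_t in network order, 4 bytes for AF_INET, 16 bytes for AF_INET6` and reword the NULL case as "family not supported or chunk length does not match the family". The `@todo Add IPv6 support` on `host_t` and the `host_create()` entry in its constructor list look stale for the same reason, since the declared constructors are `host_create_from_string`, `host_create_from_chunk`, `host_create_from_sockaddr` and `host_create_any`. `get_sockaddr_len` is documented as returning the length but is declared to return `socklen_t *`, so the comment should say that callers receive a writable pointer to the object's internal length field.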
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
new file mode 100644
index 000000000..341af39c0
--- /dev/null
+++ b/src/libstrongswan/utils/identification.c
@@ -0,0 +1,1144 @@
+/**
+ * @file identification.c
+ *
+ * @brief Implementation of identification_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <string.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <printf.h>
+
+#include "identification.h"
+
+#include <asn1/asn1.h>
+
+ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
+ "ID_ANY",
+ "ID_IPV4_ADDR",
+ "ID_FQDN",
+ "ID_RFC822_ADDR",
+ "ID_IPV4_ADDR_SUBNET",
+ "ID_IPV6_ADDR",
+ "ID_IPV6_ADDR_SUBNET",
+ "ID_IPV4_ADDR_RANGE",
+ "ID_IPV6_ADDR_RANGE",
+ "ID_DER_ASN1_DN",
+ "ID_DER_ASN1_GN",
+ "ID_KEY_ID");
+ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_DER_ASN1_GN_URI, ID_KEY_ID,
+ "ID_DER_ASN1_GN_URI");
+ENUM_END(id_type_names, ID_DER_ASN1_GN_URI);
+
+
+/**
+ * X.501 acronyms for well known object identifiers (OIDs)
+ */
+static u_char oid_ND[] = {
+ 0x02, 0x82, 0x06, 0x01, 0x0A, 0x07, 0x14
+};
+static u_char oid_UID[] = {
+ 0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x01
+};
+static u_char oid_DC[] = {
+ 0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x19
+};
+static u_char oid_CN[] = {
+ 0x55, 0x04, 0x03
+};
+static u_char oid_S[] = {
+ 0x55, 0x04, 0x04
+};
+static u_char oid_SN[] = {
+ 0x55, 0x04, 0x05
+};
+static u_char oid_C[] = {
+ 0x55, 0x04, 0x06
+};
+static u_char oid_L[] = {
+ 0x55, 0x04, 0x07
+};
+static u_char oid_ST[] = {
+ 0x55, 0x04, 0x08
+};
+static u_char oid_O[] = {
+ 0x55, 0x04, 0x0A
+};
+static u_char oid_OU[] = {
+ 0x55, 0x04, 0x0B
+};
+static u_char oid_T[] = {
+ 0x55, 0x04, 0x0C
+};
+static u_char oid_D[] = {
+ 0x55, 0x04, 0x0D
+};
+static u_char oid_N[] = {
+ 0x55, 0x04, 0x29
+};
+static u_char oid_G[] = {
+ 0x55, 0x04, 0x2A
+};
+static u_char oid_I[] = {
+ 0x55, 0x04, 0x2B
+};
+static u_char oid_ID[] = {
+ 0x55, 0x04, 0x2D
+};
+static u_char oid_EN[] = {
+ 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x42, 0x03, 0x01, 0x03
+};
+static u_char oid_E[] = {
+ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01
+};
+static u_char oid_UN[] = {
+ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x02
+};
+static u_char oid_TCGID[] = {
+ 0x2B, 0x06, 0x01, 0x04, 0x01, 0x89, 0x31, 0x01, 0x01, 0x02, 0x02, 0x4B
+};
+
+/**
+ * coding of X.501 distinguished name
+ */
+typedef struct {
+ const u_char *name;
+ chunk_t oid;
+ u_char type;
+} x501rdn_t;
+
+static const x501rdn_t x501rdns[] = {
+ {"ND", {oid_ND, 7}, ASN1_PRINTABLESTRING},
+ {"UID", {oid_UID, 10}, ASN1_PRINTABLESTRING},
+ {"DC", {oid_DC, 10}, ASN1_PRINTABLESTRING},
+ {"CN", {oid_CN, 3}, ASN1_PRINTABLESTRING},
+ {"S", {oid_S, 3}, ASN1_PRINTABLESTRING},
+ {"SN", {oid_SN, 3}, ASN1_PRINTABLESTRING},
+ {"serialNumber", {oid_SN, 3}, ASN1_PRINTABLESTRING},
+ {"C", {oid_C, 3}, ASN1_PRINTABLESTRING},
+ {"L", {oid_L, 3}, ASN1_PRINTABLESTRING},
+ {"ST", {oid_ST, 3}, ASN1_PRINTABLESTRING},
+ {"O", {oid_O, 3}, ASN1_PRINTABLESTRING},
+ {"OU", {oid_OU, 3}, ASN1_PRINTABLESTRING},
+ {"T", {oid_T, 3}, ASN1_PRINTABLESTRING},
+ {"D", {oid_D, 3}, ASN1_PRINTABLESTRING},
+ {"N", {oid_N, 3}, ASN1_PRINTABLESTRING},
+ {"G", {oid_G, 3}, ASN1_PRINTABLESTRING},
+ {"I", {oid_I, 3}, ASN1_PRINTABLESTRING},
+ {"ID", {oid_ID, 3}, ASN1_PRINTABLESTRING},
+ {"EN", {oid_EN, 10}, ASN1_PRINTABLESTRING},
+ {"employeeNumber", {oid_EN, 10}, ASN1_PRINTABLESTRING},
+ {"E", {oid_E, 9}, ASN1_IA5STRING},
+ {"Email", {oid_E, 9}, ASN1_IA5STRING},
+ {"emailAddress", {oid_E, 9}, ASN1_IA5STRING},
+ {"UN", {oid_UN, 9}, ASN1_IA5STRING},
+ {"unstructuredName",{oid_UN, 9}, ASN1_IA5STRING},
+ {"TCGID", {oid_TCGID, 12}, ASN1_PRINTABLESTRING}
+};
+#define X501_RDN_ROOF 26
+
+/**
+ * maximum number of RDNs in atodn()
+ */
+#define RDN_MAX 20
+
+
+typedef struct private_identification_t private_identification_t;
+
+/**
+ * Private data of an identification_t object.
+ */
+struct private_identification_t {
+ /**
+ * Public interface.
+ */
+ identification_t public;
+
+ /**
+ * Encoded representation of this ID.
+ */
+ chunk_t encoded;
+
+ /**
+ * Type of this ID.
+ */
+ id_type_t type;
+};
+
+static private_identification_t *identification_create(void);
+
+/**
+ * updates a chunk (!????)
+ * TODO: We should reconsider this stuff, its not really clear
+ */
+static void update_chunk(chunk_t *ch, int n)
+{
+ n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1;
+ ch->ptr += n; ch->len -= n;
+}
+
+/**
+ * Prints a binary string in hexadecimal form
+ */
+void hex_str(chunk_t bin, chunk_t *str)
+{
+ u_int i;
+ update_chunk(str, snprintf(str->ptr,str->len,"0x"));
+ for (i = 0; i < bin.len; i++)
+ {
+ update_chunk(str, snprintf(str->ptr,str->len,"%02X",*bin.ptr++));
+ }
+}
+
+/**
+ * Remove any malicious characters from a chunk. We are very restrictive, but
+ * whe use these strings only to present it to the user.
+ */
+static chunk_t sanitize_chunk(chunk_t chunk)
+{
+ char *pos;
+ chunk_t clone = chunk_clone(chunk);
+
+ for (pos = clone.ptr; pos < (char*)(clone.ptr + clone.len); pos++)
+ {
+ switch (*pos)
+ {
+ case '\0':
+ case ' ':
+ case '*':
+ case '-':
+ case '.':
+ case '/':
+ case '0' ... '9':
+ case ':':
+ case '=':
+ case '@':
+ case 'A' ... 'Z':
+ case '_':
+ case 'a' ... 'z':
+ break;
+ default:
+ *pos = '?';
+ }
+ }
+ return clone;
+}
+
+/**
+ * Pointer is set to the first RDN in a DN
+ */
+static status_t init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next)
+{
+ *rdn = chunk_empty;
+ *attribute = chunk_empty;
+
+ /* a DN is a SEQUENCE OF RDNs */
+ if (*dn.ptr != ASN1_SEQUENCE)
+ {
+ /* DN is not a SEQUENCE */
+ return FAILED;
+ }
+
+ rdn->len = asn1_length(&dn);
+
+ if (rdn->len == ASN1_INVALID_LENGTH)
+ {
+ /* Invalid RDN length */
+ return FAILED;
+ }
+
+ rdn->ptr = dn.ptr;
+
+ /* are there any RDNs ? */
+ *next = rdn->len > 0;
+
+ return SUCCESS;
+}
+
+/**
+ * Fetches the next RDN in a DN
+ */
+static status_t get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, chunk_t *value, asn1_t *type, bool *next)
+{
+ chunk_t body;
+
+ /* initialize return values */
+ *oid = chunk_empty;
+ *value = chunk_empty;
+
+ /* if all attributes have been parsed, get next rdn */
+ if (attribute->len <= 0)
+ {
+ /* an RDN is a SET OF attributeTypeAndValue */
+ if (*rdn->ptr != ASN1_SET)
+ {
+ /* RDN is not a SET */
+ return FAILED;
+ }
+ attribute->len = asn1_length(rdn);
+ if (attribute->len == ASN1_INVALID_LENGTH)
+ {
+ /* Invalid attribute length */
+ return FAILED;
+ }
+ attribute->ptr = rdn->ptr;
+ /* advance to start of next RDN */
+ rdn->ptr += attribute->len;
+ rdn->len -= attribute->len;
+ }
+
+ /* an attributeTypeAndValue is a SEQUENCE */
+ if (*attribute->ptr != ASN1_SEQUENCE)
+ {
+ /* attributeTypeAndValue is not a SEQUENCE */
+ return FAILED;
+ }
+
+ /* extract the attribute body */
+ body.len = asn1_length(attribute);
+
+ if (body.len == ASN1_INVALID_LENGTH)
+ {
+ /* Invalid attribute body length */
+ return FAILED;
+ }
+
+ body.ptr = attribute->ptr;
+
+ /* advance to start of next attribute */
+ attribute->ptr += body.len;
+ attribute->len -= body.len;
+
+ /* attribute type is an OID */
+ if (*body.ptr != ASN1_OID)
+ {
+ /* attributeType is not an OID */
+ return FAILED;
+ }
+ /* extract OID */
+ oid->len = asn1_length(&body);
+
+ if (oid->len == ASN1_INVALID_LENGTH)
+ {
+ /* Invalid attribute OID length */
+ return FAILED;
+ }
+ oid->ptr = body.ptr;
+
+ /* advance to the attribute value */
+ body.ptr += oid->len;
+ body.len -= oid->len;
+
+ /* extract string type */
+ *type = *body.ptr;
+
+ /* extract string value */
+ value->len = asn1_length(&body);
+
+ if (value->len == ASN1_INVALID_LENGTH)
+ {
+ /* Invalid attribute string length */
+ return FAILED;
+ }
+ value->ptr = body.ptr;
+
+ /* are there any RDNs left? */
+ *next = rdn->len > 0 || attribute->len > 0;
+ return SUCCESS;
+}
+
+/**
+ * Parses an ASN.1 distinguished name int its OID/value pairs
+ */
+static status_t dntoa(chunk_t dn, chunk_t *str)
+{
+ chunk_t rdn, oid, attribute, value, proper;
+ asn1_t type;
+ int oid_code;
+ bool next;
+ bool first = TRUE;
+
+ status_t status = init_rdn(dn, &rdn, &attribute, &next);
+
+ if (status != SUCCESS)
+ return status;
+
+ while (next)
+ {
+ status = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
+
+ if (status != SUCCESS)
+ return status;
+
+ if (first)
+ { /* first OID/value pair */
+ first = FALSE;
+ }
+ else
+ { /* separate OID/value pair by a comma */
+ update_chunk(str, snprintf(str->ptr,str->len,", "));
+ }
+
+ /* print OID */
+ oid_code = known_oid(oid);
+ if (oid_code == OID_UNKNOWN)
+ { /* OID not found in list */
+ hex_str(oid, str);
+ }
+ else
+ {
+ update_chunk(str, snprintf(str->ptr,str->len,"%s", oid_names[oid_code].name));
+ }
+ /* print value */
+ proper = sanitize_chunk(value);
+ update_chunk(str, snprintf(str->ptr,str->len,"=%.*s", (int)proper.len, proper.ptr));
+ chunk_free(&proper);
+ }
+ return SUCCESS;
+}
+
+/**
+ * compare two distinguished names by
+ * comparing the individual RDNs
+ */
+static bool same_dn(chunk_t a, chunk_t b)
+{
+ chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
+ chunk_t oid_a, oid_b, value_a, value_b;
+ asn1_t type_a, type_b;
+ bool next_a, next_b;
+
+ /* same lengths for the DNs */
+ if (a.len != b.len)
+ return FALSE;
+
+ /* try a binary comparison first */
+ if (memeq(a.ptr, b.ptr, b.len))
+ return TRUE;
+
+ /* initialize DN parsing */
+ if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != SUCCESS
+ || init_rdn(b, &rdn_b, &attribute_b, &next_b) != SUCCESS)
+ {
+ return FALSE;
+ }
+
+ /* fetch next RDN pair */
+ while (next_a && next_b)
+ {
+ /* parse next RDNs and check for errors */
+ if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != SUCCESS
+ || get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != SUCCESS)
+ {
+ return FALSE;
+ }
+
+ /* OIDs must agree */
+ if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
+ return FALSE;
+
+ /* same lengths for values */
+ if (value_a.len != value_b.len)
+ return FALSE;
+
+ /* printableStrings and email RDNs require uppercase comparison */
+ if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING
+ || (type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL)))
+ {
+ if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+ return FALSE;
+ }
+ else
+ {
+ if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+ return FALSE;
+ }
+ }
+ /* both DNs must have same number of RDNs */
+ if (next_a || next_b)
+ return FALSE;
+
+ /* the two DNs are equal! */
+ return TRUE;
+}
+
+
+/**
+ * compare two distinguished names by comparing the individual RDNs.
+ * A single'*' character designates a wildcard RDN in DN b.
+ * TODO: Add support for different RDN order in DN !!
+ */
+bool match_dn(chunk_t a, chunk_t b, int *wildcards)
+{
+ chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
+ chunk_t oid_a, oid_b, value_a, value_b;
+ asn1_t type_a, type_b;
+ bool next_a, next_b;
+
+ /* initialize wildcard counter */
+ if (wildcards)
+ {
+ *wildcards = 0;
+ }
+
+ /* initialize DN parsing */
+ if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != SUCCESS
+ || init_rdn(b, &rdn_b, &attribute_b, &next_b) != SUCCESS)
+ {
+ return FALSE;
+ }
+
+ /* fetch next RDN pair */
+ while (next_a && next_b)
+ {
+ /* parse next RDNs and check for errors */
+ if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != SUCCESS
+ || get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != SUCCESS)
+ {
+ return FALSE;
+ }
+ /* OIDs must agree */
+ if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
+ return FALSE;
+
+ /* does rdn_b contain a wildcard? */
+ if (value_b.len == 1 && *value_b.ptr == '*')
+ {
+ if (wildcards)
+ {
+ (*wildcards)++;
+ }
+ continue;
+ }
+ /* same lengths for values */
+ if (value_a.len != value_b.len)
+ return FALSE;
+
+ /* printableStrings and email RDNs require uppercase comparison */
+ if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING
+ || (type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL)))
+ {
+ if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+ return FALSE;
+ }
+ else
+ {
+ if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+ return FALSE;
+ }
+ }
+ /* both DNs must have same number of RDNs */
+ if (next_a || next_b)
+ {
+ return FALSE;
+ }
+
+ /* the two DNs match! */
+ if (wildcards)
+ {
+ *wildcards = min(*wildcards, MAX_WILDCARDS);
+ }
+ return TRUE;
+}
+
+/**
+ * Converts an LDAP-style human-readable ASCII-encoded
+ * ASN.1 distinguished name into binary DER-encoded format
+ */
+static status_t atodn(char *src, chunk_t *dn)
+{
+ /* finite state machine for atodn */
+ typedef enum {
+ SEARCH_OID = 0,
+ READ_OID = 1,
+ SEARCH_NAME = 2,
+ READ_NAME = 3,
+ UNKNOWN_OID = 4
+ } state_t;
+
+ chunk_t oid = chunk_empty;
+ chunk_t name = chunk_empty;
+ chunk_t rdns[RDN_MAX];
+ int rdn_count = 0;
+ int dn_len = 0;
+ int whitespace = 0;
+ int i = 0;
+ asn1_t rdn_type;
+ state_t state = SEARCH_OID;
+ status_t status = SUCCESS;
+
+ do
+ {
+ switch (state)
+ {
+ case SEARCH_OID:
+ if (*src != ' ' && *src != '/' && *src != ',')
+ {
+ oid.ptr = src;
+ oid.len = 1;
+ state = READ_OID;
+ }
+ break;
+ case READ_OID:
+ if (*src != ' ' && *src != '=')
+ {
+ oid.len++;
+ }
+ else
+ {
+ for (i = 0; i < X501_RDN_ROOF; i++)
+ {
+ if (strlen(x501rdns[i].name) == oid.len
+ && strncasecmp(x501rdns[i].name, oid.ptr, oid.len) == 0)
+ {
+ break; /* found a valid OID */
+ }
+ }
+ if (i == X501_RDN_ROOF)
+ {
+ status = NOT_SUPPORTED;
+ state = UNKNOWN_OID;
+ break;
+ }
+ /* reset oid and change state */
+ oid = chunk_empty;
+ state = SEARCH_NAME;
+ }
+ break;
+ case SEARCH_NAME:
+ if (*src != ' ' && *src != '=')
+ {
+ name.ptr = src;
+ name.len = 1;
+ whitespace = 0;
+ state = READ_NAME;
+ }
+ break;
+ case READ_NAME:
+ if (*src != ',' && *src != '/' && *src != '\0')
+ {
+ name.len++;
+ if (*src == ' ')
+ whitespace++;
+ else
+ whitespace = 0;
+ }
+ else
+ {
+ name.len -= whitespace;
+ rdn_type = (x501rdns[i].type == ASN1_PRINTABLESTRING
+ && !is_printablestring(name))? ASN1_T61STRING : x501rdns[i].type;
+
+ if (rdn_count < RDN_MAX)
+ {
+ rdns[rdn_count] =
+ asn1_wrap(ASN1_SET, "m",
+ asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_wrap(ASN1_OID, "c", x501rdns[i].oid),
+ asn1_wrap(rdn_type, "c", name)
+ )
+ );
+ dn_len += rdns[rdn_count++].len;
+ }
+ else
+ {
+ status = OUT_OF_RES;
+ }
+ /* reset name and change state */
+ name = chunk_empty;
+ state = SEARCH_OID;
+ }
+ break;
+ case UNKNOWN_OID:
+ break;
+ }
+ } while (*src++ != '\0');
+
+ /* build the distinguished name sequence */
+ {
+ int i;
+ u_char *pos = build_asn1_object(dn, ASN1_SEQUENCE, dn_len);
+
+ for (i = 0; i < rdn_count; i++)
+ {
+ memcpy(pos, rdns[i].ptr, rdns[i].len);
+ pos += rdns[i].len;
+ free(rdns[i].ptr);
+ }
+ }
+
+ if (status != SUCCESS)
+ {
+ free(dn->ptr);
+ *dn = chunk_empty;
+ }
+ return status;
+}
+
+/**
+ * Implementation of identification_t.get_encoding.
+ */
+static chunk_t get_encoding(private_identification_t *this)
+{
+ return this->encoded;
+}
+
+/**
+ * Implementation of identification_t.get_type.
+ */
+static id_type_t get_type(private_identification_t *this)
+{
+ return this->type;
+}
+
+/**
+ * Implementation of identification_t.contains_wildcards.
+ */
+static bool contains_wildcards(private_identification_t *this)
+{
+ switch (this->type)
+ {
+ case ID_ANY:
+ return TRUE;
+ case ID_FQDN:
+ case ID_RFC822_ADDR:
+ return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL;
+ case ID_DER_ASN1_DN:
+ /* TODO */
+ default:
+ return FALSE;
+
+ }
+}
+
+/**
+ * Default implementation of identification_t.equals.
+ * compares encoded chunk for equality.
+ */
+static bool equals_binary(private_identification_t *this, private_identification_t *other)
+{
+ return this->type == other->type &&
+ chunk_equals(this->encoded, other->encoded);
+}
+
+/**
+ * Special implementation of identification_t.equals for ID_DER_ASN1_DN.
+ */
+static bool equals_dn(private_identification_t *this,
+ private_identification_t *other)
+{
+ return same_dn(this->encoded, other->encoded);
+}
+
+/**
+ * Default implementation of identification_t.matches.
+ */
+static bool matches_binary(private_identification_t *this,
+ private_identification_t *other, int *wildcards)
+{
+ if (other->type == ID_ANY)
+ {
+ if (wildcards)
+ {
+ *wildcards = MAX_WILDCARDS;
+ }
+ return TRUE;
+ }
+ if (wildcards)
+ {
+ *wildcards = 0;
+ }
+ return this->type == other->type &&
+ chunk_equals(this->encoded, other->encoded);
+}
+
+/**
+ * Special implementation of identification_t.matches for ID_RFC822_ADDR/ID_FQDN.
+ * Checks for a wildcard in other-string, and compares it against this-string.
+ */
+static bool matches_string(private_identification_t *this,
+ private_identification_t *other, int *wildcards)
+{
+ u_int len = other->encoded.len;
+
+ if (other->type == ID_ANY)
+ {
+ if (wildcards)
+ {
+ *wildcards = MAX_WILDCARDS;
+ }
+ return TRUE;
+ }
+
+ if (this->type != other->type)
+ return FALSE;
+
+ /* try a binary comparison first */
+ if (equals_binary(this, other))
+ {
+ if (wildcards)
+ {
+ *wildcards = 0;
+ }
+ return TRUE;
+ }
+
+ if (len == 0 || this->encoded.len < len)
+ return FALSE;
+
+ /* check for single wildcard at the head of the string */
+ if (*other->encoded.ptr == '*')
+ {
+ if (wildcards)
+ {
+ *wildcards = 1;
+ }
+
+ /* single asterisk matches any string */
+ if (len-- == 1)
+ return TRUE;
+
+ if (memeq(this->encoded.ptr + this->encoded.len - len, other->encoded.ptr + 1, len))
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
+/**
+ * Special implementation of identification_t.matches for ID_ANY.
+ * ANY matches only another ANY, but nothing other
+ */
+static bool matches_any(private_identification_t *this,
+ private_identification_t *other, int *wildcards)
+{
+ if (wildcards)
+ {
+ *wildcards = 0;
+ }
+ return other->type == ID_ANY;
+}
+
+/**
+ * Special implementation of identification_t.matches for ID_DER_ASN1_DN.
+ * ANY matches any, even ANY, thats why its there...
+ */
+static bool matches_dn(private_identification_t *this,
+ private_identification_t *other, int *wildcards)
+{
+ if (other->type == ID_ANY)
+ {
+ if (wildcards)
+ {
+ *wildcards = MAX_WILDCARDS;
+ }
+ return TRUE;
+ }
+
+ if (this->type == other->type)
+ {
+ return match_dn(this->encoded, other->encoded, wildcards);
+ }
+ return FALSE;
+}
+
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+ const void *const *args)
+{
+ private_identification_t *this = *((private_identification_t**)(args[0]));
+ char buf[BUF_LEN];
+ chunk_t proper, buf_chunk = chunk_from_buf(buf);
+ int written;
+
+ if (this == NULL)
+ {
+ return fprintf(stream, "(null)");
+ }
+
+ switch (this->type)
+ {
+ case ID_ANY:
+ return fprintf(stream, "%%any");
+ case ID_IPV4_ADDR:
+ if (this->encoded.len < sizeof(struct in_addr) ||
+ inet_ntop(AF_INET, this->encoded.ptr, buf, sizeof(buf)) == NULL)
+ {
+ return fprintf(stream, "(invalid ID_IPV4_ADDR)");
+ }
+ else
+ {
+ return fprintf(stream, "%s", buf);
+ }
+ case ID_IPV6_ADDR:
+ if (this->encoded.len < sizeof(struct in6_addr) ||
+ inet_ntop(AF_INET6, this->encoded.ptr, buf, INET6_ADDRSTRLEN) == NULL)
+ {
+ return fprintf(stream, "(invalid ID_IPV6_ADDR)");
+ }
+ else
+ {
+ return fprintf(stream, "%s", buf);
+ }
+ case ID_FQDN:
+ {
+ proper = sanitize_chunk(this->encoded);
+ written = fprintf(stream, "@%.*s", proper.len, proper.ptr);
+ chunk_free(&proper);
+ return written;
+ }
+ case ID_RFC822_ADDR:
+ {
+ proper = sanitize_chunk(this->encoded);
+ written = fprintf(stream, "%.*s", proper.len, proper.ptr);
+ chunk_free(&proper);
+ return written;
+ }
+ case ID_DER_ASN1_DN:
+ {
+ snprintf(buf, sizeof(buf), "%.*s", this->encoded.len, this->encoded.ptr);
+ /* TODO: whats returned on failure?*/
+ dntoa(this->encoded, &buf_chunk);
+ return fprintf(stream, "%s", buf);
+ }
+ case ID_DER_ASN1_GN:
+ return fprintf(stream, "(ASN.1 general Name");
+ case ID_KEY_ID:
+ return fprintf(stream, "(KEY_ID)");
+ case ID_DER_ASN1_GN_URI:
+ {
+ proper = sanitize_chunk(this->encoded);
+ written = fprintf(stream, "%.*s", proper.len, proper.ptr);
+ chunk_free(&proper);
+ return written;
+ }
+ default:
+ return fprintf(stream, "(unknown ID type: %d)", this->type);
+ }
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+ register_printf_function(PRINTF_IDENTIFICATION, print, arginfo_ptr);
+}
+
+/**
+ * Implementation of identification_t.clone.
+ */
+static identification_t *clone_(private_identification_t *this)
+{
+ private_identification_t *clone = identification_create();
+
+ clone->type = this->type;
+ clone->encoded = chunk_clone(this->encoded);
+ clone->public.equals = this->public.equals;
+ clone->public.matches = this->public.matches;
+
+ return &clone->public;
+}
+
+/**
+ * Implementation of identification_t.destroy.
+ */
+static void destroy(private_identification_t *this)
+{
+ chunk_free(&this->encoded);
+ free(this);
+}
+
+/**
+ * Generic constructor used for the other constructors.
+ */
+static private_identification_t *identification_create(void)
+{
+ private_identification_t *this = malloc_thing(private_identification_t);
+
+ this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding;
+ this->public.get_type = (id_type_t (*) (identification_t*))get_type;
+ this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards;
+ this->public.clone = (identification_t* (*) (identification_t*))clone_;
+ this->public.destroy = (void (*) (identification_t*))destroy;
+ /* we use these as defaults, the may be overloaded for special ID types */
+ this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary;
+ this->public.matches = (bool (*) (identification_t*,identification_t*,int*))matches_binary;
+
+ this->encoded = chunk_empty;
+
+ return this;
+}
+
+/*
+ * Described in header.
+ */
+identification_t *identification_create_from_string(char *string)
+{
+ private_identification_t *this = identification_create();
+
+ if (string == NULL)
+ {
+ string = "%any";
+ }
+ if (strchr(string, '=') != NULL)
+ {
+ /* we interpret this as an ASCII X.501 ID_DER_ASN1_DN.
+ * convert from LDAP style or openssl x509 -subject style to ASN.1 DN
+ */
+ if (atodn(string, &this->encoded) != SUCCESS)
+ {
+ free(this);
+ return NULL;
+ }
+ this->type = ID_DER_ASN1_DN;
+ this->public.equals = (bool (*) (identification_t*,identification_t*))equals_dn;
+ this->public.matches = (bool (*) (identification_t*,identification_t*,int*))matches_dn;
+ return &this->public;
+ }
+ else if (strchr(string, '@') == NULL)
+ {
+ if (streq(string, "%any")
+ || streq(string, "0.0.0.0")
+ || streq(string, "*")
+ || streq(string, "::")
+ || streq(string, "0::0"))
+ {
+ /* any ID will be accepted */
+ this->type = ID_ANY;
+ this->public.matches = (bool (*)
+ (identification_t*,identification_t*,int*))matches_any;
+ return &this->public;
+ }
+ else
+ {
+ if (strchr(string, ':') == NULL)
+ {
+ /* try IPv4 */
+ struct in_addr address;
+ chunk_t chunk = {(void*)&address, sizeof(address)};
+
+ if (inet_pton(AF_INET, string, &address) <= 0)
+ {
+ free(this);
+ return NULL;
+ }
+ this->encoded = chunk_clone(chunk);
+ this->type = ID_IPV4_ADDR;
+ return &(this->public);
+ }
+ else
+ {
+ /* try IPv6 */
+ struct in6_addr address;
+ chunk_t chunk = {(void*)&address, sizeof(address)};
+
+ if (inet_pton(AF_INET6, string, &address) <= 0)
+ {
+ free(this);
+ return NULL;
+ }
+ this->encoded = chunk_clone(chunk);
+ this->type = ID_IPV6_ADDR;
+ return &(this->public);
+ }
+ }
+ }
+ else
+ {
+ if (*string == '@')
+ {
+ if (*(string + 1) == '#')
+ {
+ /* TODO: Pluto handles '#' as hex encoded ID_KEY_ID. */
+ free(this);
+ return NULL;
+ }
+ else
+ {
+ this->type = ID_FQDN;
+ this->encoded.ptr = strdup(string + 1);
+ this->encoded.len = strlen(string + 1);
+ this->public.matches = (bool (*)
+ (identification_t*,identification_t*,int*))matches_string;
+ return &(this->public);
+ }
+ }
+ else
+ {
+ this->type = ID_RFC822_ADDR;
+ this->encoded.ptr = strdup(string);
+ this->encoded.len = strlen(string);
+ this->public.matches = (bool (*)
+ (identification_t*,identification_t*,int*))matches_string;
+ return &(this->public);
+ }
+ }
+}
+
+/*
+ * Described in header.
+ */
+identification_t *identification_create_from_encoding(id_type_t type, chunk_t encoded)
+{
+ private_identification_t *this = identification_create();
+ this->type = type;
+ switch (type)
+ {
+ case ID_ANY:
+ this->public.matches = (bool (*)
+ (identification_t*,identification_t*,int*))matches_any;
+ break;
+ case ID_FQDN:
+ this->public.matches = (bool (*)
+ (identification_t*,identification_t*,int*))matches_string;
+ break;
+ case ID_RFC822_ADDR:
+ this->public.matches = (bool (*)
+ (identification_t*,identification_t*,int*))matches_string;
+ break;
+ case ID_DER_ASN1_DN:
+ this->public.equals = (bool (*)
+ (identification_t*,identification_t*))equals_dn;
+ this->public.matches = (bool (*)
+ (identification_t*,identification_t*,int*))matches_dn;
+ break;
+ case ID_IPV4_ADDR:
+ case ID_IPV6_ADDR:
+ case ID_DER_ASN1_GN:
+ case ID_KEY_ID:
+ case ID_DER_ASN1_GN_URI:
+ default:
+ break;
+ }
+
+ /* apply encoded chunk */
+ if (type != ID_ANY)
+ {
+ this->encoded = chunk_clone(encoded);
+ }
+ return &(this->public);
+}
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
new file mode 100644
index 000000000..59c568eaf
--- /dev/null
+++ b/src/libstrongswan/utils/identification.h
@@ -0,0 +1,261 @@
+/**
+ * @file identification.h
+ *
+ * @brief Interface of identification_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#ifndef IDENTIFICATION_H_
+#define IDENTIFICATION_H_
+
+typedef enum id_type_t id_type_t;
+typedef struct identification_t identification_t;
+
+#include <library.h>
+
+#define MAX_WILDCARDS 14
+
+/**
+ * @brief ID Types in a ID payload.
+ *
+ * @ingroup utils
+ */
+enum id_type_t {
+
+ /**
+ * private type which matches any other id.
+ */
+ ID_ANY = 0,
+
+ /**
+ * ID data is a single four (4) octet IPv4 address.
+ */
+ ID_IPV4_ADDR = 1,
+
+ /**
+ * ID data is a fully-qualified domain name string.
+ * An example of a ID_FQDN is "example.com".
+ * The string MUST not contain any terminators (e.g., NULL, CR, etc.).
+ */
+ ID_FQDN = 2,
+
+ /**
+ * ID data is a fully-qualified RFC822 email address string.
+ * An example of an ID_RFC822_ADDR is "jsmith@example.com".
+ * The string MUST NOT contain any terminators.
+ */
+ ID_RFC822_ADDR = 3,
+
+ /**
+ * ID data is an IPv4 subnet (IKEv1 only)
+ */
+ ID_IPV4_ADDR_SUBNET = 4,
+
+ /**
+ * ID data is a single sixteen (16) octet IPv6 address.
+ */
+ ID_IPV6_ADDR = 5,
+
+ /**
+ * ID data is an IPv6 subnet (IKEv1 only)
+ */
+ ID_IPV6_ADDR_SUBNET = 6,
+
+ /**
+ * ID data is an IPv4 address range (IKEv1 only)
+ */
+ ID_IPV4_ADDR_RANGE = 7,
+
+ /**
+ * ID data is an IPv6 address range (IKEv1 only)
+ */
+ ID_IPV6_ADDR_RANGE = 8,
+
+ /**
+ * ID data is the binary DER encoding of an ASN.1 X.501 Distinguished Name
+ */
+ ID_DER_ASN1_DN = 9,
+
+ /**
+ * ID data is the binary DER encoding of an ASN.1 X.509 GeneralName
+ */
+ ID_DER_ASN1_GN = 10,
+
+ /**
+ * ID data is an opaque octet stream which may be used to pass vendor-
+ * specific information necessary to do certain proprietary
+ * types of identification.
+ */
+ ID_KEY_ID = 11,
+
+ /**
+ * private type which represents a GeneralName of type URI
+ */
+ ID_DER_ASN1_GN_URI = 201,
+
+};
+
+/**
+ * enum names for id_type_t.
+ */
+extern enum_name_t *id_type_names;
+
+/**
+ * @brief Generic identification, such as used in ID payload.
+ *
+ * The following types are possible:
+ * - ID_IPV4_ADDR
+ * - ID_FQDN
+ * - ID_RFC822_ADDR
+ * - ID_IPV6_ADDR
+ * - ID_DER_ASN1_DN
+ * - ID_DER_ASN1_GN
+ * - ID_KEY_ID
+ * - ID_DER_ASN1_GN_URI
+ *
+ * @b Constructors:
+ * - identification_create_from_string()
+ * - identification_create_from_encoding()
+ *
+ * @todo Support for ID_DER_ASN1_GN is minimal right now. Comparison
+ * between them and ID_IPV4_ADDR/RFC822_ADDR would be nice.
+ *
+ * @ingroup utils
+ */
+struct identification_t {
+
+ /**
+ * @brief Get the encoding of this id, to send over
+ * the network.
+ *
+ * @warning Result points to internal data, do NOT free!
+ *
+ * @param this the identification_t object
+ * @return a chunk containing the encoded bytes
+ */
+ chunk_t (*get_encoding) (identification_t *this);
+
+ /**
+ * @brief Get the type of this identification.
+ *
+ * @param this the identification_t object
+ * @return id_type_t
+ */
+ id_type_t (*get_type) (identification_t *this);
+
+ /**
+ * @brief Check if two identification_t objects are equal.
+ *
+ * @param this the identification_t object
+ * @param other other identification_t object
+ * @return TRUE if the IDs are equal
+ */
+ bool (*equals) (identification_t *this, identification_t *other);
+
+ /**
+ * @brief Check if an ID matches a wildcard ID.
+ *
+ * An identification_t may contain wildcards, such as
+ * *@strongswan.org. This call checks if a given ID
+ * (e.g. tester@strongswan.org) belongs to a such wildcard
+ * ID. Returns TRUE if
+ * - IDs are identical
+ * - other is of type ID_ANY
+ * - other contains a wildcard and matches this
+ *
+ * @param this the ID without wildcard
+ * @param other the ID containing a wildcard
+ * @param wildcards returns the number of wildcards, may be NULL
+ * @return TRUE if match is found
+ */
+ bool (*matches) (identification_t *this, identification_t *other, int *wildcards);
+
+ /**
+ * @brief Check if an ID is a wildcard ID.
+ *
+ * If the ID represents multiple IDs (with wildcards, or
+ * as the type ID_ANY), TRUE is returned. If it is unique,
+ * FALSE is returned.
+ *
+ * @param this identification_t object
+ * @return TRUE if ID contains wildcards
+ */
+ bool (*contains_wildcards) (identification_t *this);
+
+ /**
+ * @brief Clone a identification_t instance.
+ *
+ * @param this the identification_t object to clone
+ * @return clone of this
+ */
+ identification_t *(*clone) (identification_t *this);
+
+ /**
+ * @brief Destroys a identification_t object.
+ *
+ * @param this identification_t object
+ */
+ void (*destroy) (identification_t *this);
+};
+
+/**
+ * @brief Creates an identification_t object from a string.
+ *
+ * @param string input string, which will be converted
+ * @return
+ * - created identification_t object, or
+ * - NULL if unsupported string supplied.
+ *
+ * The input string may be e.g. one of the following:
+ * - ID_IPV4_ADDR: 192.168.0.1
+ * - ID_IPV6_ADDR: 2001:0db8:85a3:08d3:1319:8a2e:0370:7345
+ * - ID_FQDN: @www.strongswan.org (@indicates FQDN)
+ * - ID_RFC822_ADDR: alice@wonderland.org
+ * - ID_DER_ASN1_DN: C=CH, O=Linux strongSwan, CN=bob
+ *
+ * In favour of pluto, domainnames are prepended with an @, since
+ * pluto resolves domainnames without an @ to IPv4 addresses. Since
+ * we use a seperate host_t class for addresses, this doesn't
+ * make sense for us.
+ *
+ * A distinguished name may contain one or more of the following RDNs:
+ * ND, UID, DC, CN, S, SN, serialNumber, C, L, ST, O, OU, T, D,
+ * N, G, I, ID, EN, EmployeeNumber, E, Email, emailAddress, UN,
+ * unstructuredName, TCGID.
+ *
+ * @ingroup utils
+ */
+identification_t * identification_create_from_string(char *string);
+
+/**
+ * @brief Creates an identification_t object from an encoded chunk.
+ *
+ * @param type type of this id, such as ID_IPV4_ADDR
+ * @param encoded encoded bytes, such as from identification_t.get_encoding
+ * @return identification_t object
+ *
+ * In contrast to identification_create_from_string(), this constructor never
+ * returns NULL, even when the conversion to a string representation fails.
+ *
+ * @ingroup utils
+ */
+identification_t * identification_create_from_encoding(id_type_t type, chunk_t encoded);
+
+#endif /* IDENTIFICATION_H_ */
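Review bot: The `matches` documentation in `struct identification_t` does not say which wildcard forms are honoured. The `matches_string` implementation added earlier in this commit accepts only one `*` at the head of `other` and compares the remainder as a plain byte suffix of `this`. A pattern written without its separator (for example `*example.com` rather than `*.example.com`) would therefore also match identities that merely end in those bytes, which matters when the result selects a peer configuration. I would add to the comment: `Only a single leading '*' in other is honoured for ID_FQDN/ID_RFC822_ADDR; the rest is compared as a plain suffix, so keep the separator ('*@' or '*.') in the pattern.` It would also help to document the values written to `wildcards` (0, 1 or MAX_WILDCARDS in the visible implementations).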
diff --git a/src/libstrongswan/utils/iterator.h b/src/libstrongswan/utils/iterator.h
new file mode 100644
index 000000000..02a15c534
--- /dev/null
+++ b/src/libstrongswan/utils/iterator.h
@@ -0,0 +1,166 @@
+/**
+ * @file iterator.h
+ *
+ * @brief Interface iterator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef ITERATOR_H_
+#define ITERATOR_H_
+
+#include <library.h>
+
+/**
+ * @brief Iterator hook function prototype.
+ *
+ * @param param user supplied parameter
+ * @param in the value the hook receives from the iterator
+ * @param out the value supplied as a result to the iterator
+ * @return TRUE to return "out", FALSE to skip this value
+ */
+typedef bool (iterator_hook_t)(void *param, void *in, void **out);
+
+
+typedef struct iterator_t iterator_t;
+
+/**
+ * @brief Iterator interface, allows iteration over collections.
+ *
+ * iterator_t defines an interface for iterating over collections.
+ * It allows searching, deleting, updating and inserting.
+ *
+ * Thanks to JMP for iterator lessons :-)
+ *
+ * @b Constructors:
+ * - via linked_list_t.create_iterator, or
+ * - any other class which supports the iterator_t interface
+ *
+ * @see linked_list_t
+ *
+ * @ingroup utils
+ */
+struct iterator_t {
+
+ /**
+ * @brief Return number of list items.
+ *
+ * @param this calling object
+ * @return number of list items
+ */
+ int (*get_count) (iterator_t *this);
+
+ /**
+ * @brief Iterate over all items.
+ *
+ * The easy way to iterate over items.
+ *
+ * @param this calling object
+ * @param[out] value item
+ * @return
+ * - TRUE, if there was an element available,
+ * - FALSE otherwise
+ */
+ bool (*iterate) (iterator_t *this, void** value);
+
+ /**
+ * @brief Hook a function into the iterator.
+ *
+ * Sometimes it is useful to hook in an iterator. The hook function is
+ * called before any successful return of iterate(). It takes the
+ * iterator value, may manipulate it (or the references object), and returns
+ * the value that the iterate() function returns.
+ * A value of NULL deactivates the iterator hook.
+ *
+ * @param this calling object
+ * @param hook iterator hook which manipulates the iterated value
+ * @param param user supplied parameter to pass back to the hook
+ */
+ void (*set_iterator_hook) (iterator_t *this, iterator_hook_t *hook,
+ void *param);
+
+ /**
+ * @brief Inserts a new item before the given iterator position.
+ *
+ * The iterator position is not changed after inserting
+ *
+ * @param this calling iterator
+ * @param[in] item value to insert in list
+ */
+ void (*insert_before) (iterator_t *this, void *item);
+
+ /**
+ * @brief Inserts a new item after the given iterator position.
+ *
+ * The iterator position is not changed after inserting.
+ *
+ * @param this calling iterator
+ * @param[in] item value to insert in list
+ */
+ void (*insert_after) (iterator_t *this, void *item);
+
+ /**
+ * @brief Replace the current item at current iterator position.
+ *
+ * The iterator position is not changed after replacing.
+ *
+ * @param this calling iterator
+ * @param[out] old_item old value will be written here(can be NULL)
+ * @param[in] new_item new value
+ *
+ * @return
+ * - SUCCESS
+ * - FAILED if iterator is on an invalid position
+ */
+ status_t (*replace) (iterator_t *this, void **old_item, void *new_item);
+
+ /**
+ * @brief Removes an element from list at the given iterator position.
+ *
+ * The iterator is set the the following position:
+ * - to the item before, if available
+ * - it gets reseted, otherwise
+ *
+ * @param this calling object
+ * @return
+ * - SUCCESS
+ * - FAILED if iterator is on an invalid position
+ */
+ status_t (*remove) (iterator_t *this);
+
+ /**
+ * @brief Resets the iterator position.
+ *
+ * After reset, the iterator_t objects doesn't point to an element.
+ * A call to iterator_t.has_next is necessary to do any other operations
+ * with the resetted iterator.
+ *
+ * @param this calling object
+ */
+ void (*reset) (iterator_t *this);
+
+ /**
+ * @brief Destroys an iterator.
+ *
+ * @param this iterator to destroy
+ *
+ */
+ void (*destroy) (iterator_t *this);
+};
+
+#endif /*ITERATOR_H_*/
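Review bot: The comment on `reset` tells callers to call `iterator_t.has_next`, but the `struct iterator_t` declared in this hunk has no such member; `iterate` is the only call that advances the position. This looks like a leftover from an older interface, so I would change the sentence to `A call to iterator_t.iterate is necessary to do any other operations with the reset iterator.` The comments on `insert_before` and `insert_after` could also state what happens when the iterator is on an invalid position, as `replace` and `remove` already do with their FAILED return.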
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
new file mode 100644
index 000000000..b8a023270
--- /dev/null
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -0,0 +1,459 @@
+/**
+ * @file leak_detective.c
+ *
+ * @brief Allocation hooks to find memory leaks.
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+#include <string.h>
+#include <stdio.h>
+#include <malloc.h>
+#include <signal.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <dlfcn.h>
+#include <unistd.h>
+#include <syslog.h>
+#include <pthread.h>
+#include <netdb.h>
+#include <printf.h>
+#ifdef HAVE_BACKTRACE
+# include <execinfo.h>
+#endif /* HAVE_BACKTRACE */
+
+#include "leak_detective.h"
+
+#include <library.h>
+#include <debug.h>
+
+#ifdef LEAK_DETECTIVE
+
+/**
+ * Magic value which helps to detect memory corruption. Yummy!
+ */
+#define MEMORY_HEADER_MAGIC 0x7ac0be11
+
+/**
+ * Pattern which is filled in memory before freeing it
+ */
+#define MEMORY_FREE_PATTERN 0xFF
+
+/**
+ * Pattern which is filled in newly allocated memory
+ */
+#define MEMORY_ALLOC_PATTERN 0xEE
+
+
+static void install_hooks(void);
+static void uninstall_hooks(void);
+static void *malloc_hook(size_t, const void *);
+static void *realloc_hook(void *, size_t, const void *);
+static void free_hook(void*, const void *);
+
+static u_int count_malloc = 0;
+static u_int count_free = 0;
+static u_int count_realloc = 0;
+
+typedef struct memory_header_t memory_header_t;
+
+/**
+ * Header which is prepended to each allocated memory block
+ */
+struct memory_header_t {
+ /**
+ * Magci byte which must(!) hold MEMORY_HEADER_MAGIC
+ */
+ u_int32_t magic;
+
+ /**
+ * Number of bytes following after the header
+ */
+ size_t bytes;
+
+ /**
+ * Stack frames at the time of allocation
+ */
+ void *stack_frames[STACK_FRAMES_COUNT];
+
+ /**
+ * Number of stacks frames obtained in stack_frames
+ */
+ int stack_frame_count;
+
+ /**
+ * Pointer to previous entry in linked list
+ */
+ memory_header_t *previous;
+
+ /**
+ * Pointer to next entry in linked list
+ */
+ memory_header_t *next;
+};
+
+/**
+ * first mem header is just a dummy to chain
+ * the others on it...
+ */
+static memory_header_t first_header = {
+ magic: MEMORY_HEADER_MAGIC,
+ bytes: 0,
+ stack_frame_count: 0,
+ previous: NULL,
+ next: NULL
+};
+
+/**
+ * standard hooks, used to temparily remove hooking
+ */
+static void *old_malloc_hook, *old_realloc_hook, *old_free_hook;
+
+/**
+ * are the hooks currently installed?
+ */
+static bool installed = FALSE;
+
+/**
+ * Mutex to exclusivly uninstall hooks, access heap list
+ */
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+
+/**
+ * log stack frames queried by backtrace()
+ * TODO: Dump symbols of static functions. This could be done with
+ * the addr2line utility or the GNU BFD Library...
+ */
+static void log_stack_frames(void **stack_frames, int stack_frame_count)
+{
+#ifdef HAVE_BACKTRACE
+ char **strings;
+ size_t i;
+
+ strings = backtrace_symbols (stack_frames, stack_frame_count);
+
+ DBG1(" dumping %d stack frame addresses", stack_frame_count);
+
+ for (i = 0; i < stack_frame_count; i++)
+ {
+ DBG1(" %s", strings[i]);
+ }
+ free (strings);
+#endif /* HAVE_BACKTRACE */
+}
+
+/**
+ * Whitelist, which contains address ranges in stack frames ignored when leaking.
+ *
+ * This is necessary, as some function use allocation hacks (static buffers)
+ * and so on, which we want to suppress on leak reports.
+ *
+ * The range_size is calculated using the readelf utility, e.g.:
+ * readelf -s /lib/glibc.so.6
+ * The values are for glibc-2.4 and may or may not be correct on other systems.
+ */
+typedef struct whitelist_t whitelist_t;
+
+struct whitelist_t {
+ void* range_start;
+ size_t range_size;
+};
+
+#ifdef LIBCURL
+/* dummy declaration for whitelisting */
+void *Curl_getaddrinfo(void);
+#endif /* LIBCURL */
+
+whitelist_t whitelist[] = {
+ {pthread_create, 2542},
+ {pthread_setspecific, 217},
+ {mktime, 60},
+ {tzset, 123},
+ {inet_ntoa, 249},
+ {strerror, 180},
+ {getprotobynumber, 291},
+ {getservbyport, 311},
+ {register_printf_function, 159},
+ {syslog, 45},
+ {dlopen, 109},
+# ifdef LIBCURL
+ /* from /usr/lib/libcurl.so.3 */
+ {Curl_getaddrinfo, 480},
+# endif /* LIBCURL */
+};
+
+/**
+ * Check if this stack frame is whitelisted.
+ */
+static bool is_whitelisted(void **stack_frames, int stack_frame_count)
+{
+ int i, j;
+
+ for (i=0; i< stack_frame_count; i++)
+ {
+ for (j=0; j<sizeof(whitelist)/sizeof(whitelist_t); j++)
+ {
+ if (stack_frames[i] >= whitelist[j].range_start &&
+ stack_frames[i] <= (whitelist[j].range_start + whitelist[j].range_size))
+ {
+ return TRUE;
+ }
+ }
+ }
+ return FALSE;
+}
+
+/**
+ * Report leaks at library destruction
+ */
+void report_leaks()
+{
+ memory_header_t *hdr;
+ int leaks = 0;
+
+ for (hdr = first_header.next; hdr != NULL; hdr = hdr->next)
+ {
+ if (!is_whitelisted(hdr->stack_frames, hdr->stack_frame_count))
+ {
+ DBG1("Leak (%d bytes at %p):", hdr->bytes, hdr + 1);
+ log_stack_frames(hdr->stack_frames, hdr->stack_frame_count);
+ leaks++;
+ }
+ }
+
+ switch (leaks)
+ {
+ case 0:
+ DBG1("No leaks detected");
+ break;
+ case 1:
+ DBG1("One leak detected");
+ break;
+ default:
+ DBG1("%d leaks detected", leaks);
+ break;
+ }
+}
+
+/**
+ * Installs the malloc hooks, enables leak detection
+ */
+static void install_hooks()
+{
+ if (!installed)
+ {
+ old_malloc_hook = __malloc_hook;
+ old_realloc_hook = __realloc_hook;
+ old_free_hook = __free_hook;
+ __malloc_hook = malloc_hook;
+ __realloc_hook = realloc_hook;
+ __free_hook = free_hook;
+ installed = TRUE;
+ }
+}
+
+/**
+ * Uninstalls the malloc hooks, disables leak detection
+ */
+static void uninstall_hooks()
+{
+ if (installed)
+ {
+ __malloc_hook = old_malloc_hook;
+ __free_hook = old_free_hook;
+ __realloc_hook = old_realloc_hook;
+ installed = FALSE;
+ }
+}
+
+/**
+ * Hook function for malloc()
+ */
+void *malloc_hook(size_t bytes, const void *caller)
+{
+ memory_header_t *hdr;
+
+ pthread_mutex_lock(&mutex);
+ count_malloc++;
+ uninstall_hooks();
+ hdr = malloc(bytes + sizeof(memory_header_t));
+ /* set to something which causes crashes */
+ memset(hdr, MEMORY_ALLOC_PATTERN, bytes + sizeof(memory_header_t));
+
+ hdr->magic = MEMORY_HEADER_MAGIC;
+ hdr->bytes = bytes;
+ hdr->stack_frame_count = backtrace(hdr->stack_frames, STACK_FRAMES_COUNT);
+ install_hooks();
+
+ /* insert at the beginning of the list */
+ hdr->next = first_header.next;
+ if (hdr->next)
+ {
+ hdr->next->previous = hdr;
+ }
+ hdr->previous = &first_header;
+ first_header.next = hdr;
+ pthread_mutex_unlock(&mutex);
+ return hdr + 1;
+}
+
+/**
+ * Hook function for free()
+ */
+void free_hook(void *ptr, const void *caller)
+{
+ void *stack_frames[STACK_FRAMES_COUNT];
+ int stack_frame_count;
+ memory_header_t *hdr = ptr - sizeof(memory_header_t);
+
+ /* allow freeing of NULL */
+ if (ptr == NULL)
+ {
+ return;
+ }
+
+ pthread_mutex_lock(&mutex);
+ count_free++;
+ uninstall_hooks();
+ if (hdr->magic != MEMORY_HEADER_MAGIC)
+ {
+ DBG1("freeing of invalid memory (%p, MAGIC 0x%x != 0x%x):",
+ ptr, hdr->magic, MEMORY_HEADER_MAGIC);
+ stack_frame_count = backtrace(stack_frames, STACK_FRAMES_COUNT);
+ log_stack_frames(stack_frames, stack_frame_count);
+ install_hooks();
+ pthread_mutex_unlock(&mutex);
+ return;
+ }
+
+ /* remove item from list */
+ if (hdr->next)
+ {
+ hdr->next->previous = hdr->previous;
+ }
+ hdr->previous->next = hdr->next;
+
+ /* clear MAGIC, set mem to something remarkable */
+ memset(hdr, MEMORY_FREE_PATTERN, hdr->bytes + sizeof(memory_header_t));
+
+ free(hdr);
+ install_hooks();
+ pthread_mutex_unlock(&mutex);
+}
+
+/**
+ * Hook function for realloc()
+ */
+void *realloc_hook(void *old, size_t bytes, const void *caller)
+{
+ memory_header_t *hdr;
+ void *stack_frames[STACK_FRAMES_COUNT];
+ int stack_frame_count;
+
+ /* allow reallocation of NULL */
+ if (old == NULL)
+ {
+ return malloc_hook(bytes, caller);
+ }
+
+ hdr = old - sizeof(memory_header_t);
+
+ pthread_mutex_lock(&mutex);
+ count_realloc++;
+ uninstall_hooks();
+ if (hdr->magic != MEMORY_HEADER_MAGIC)
+ {
+ DBG1("reallocation of invalid memory (%p):", old);
+ stack_frame_count = backtrace(stack_frames, STACK_FRAMES_COUNT);
+ log_stack_frames(stack_frames, stack_frame_count);
+ install_hooks();
+ pthread_mutex_unlock(&mutex);
+ raise(SIGKILL);
+ return NULL;
+ }
+
+ hdr = realloc(hdr, bytes + sizeof(memory_header_t));
+
+ /* update statistics */
+ hdr->bytes = bytes;
+ hdr->stack_frame_count = backtrace(hdr->stack_frames, STACK_FRAMES_COUNT);
+
+ /* update header of linked list neighbours */
+ if (hdr->next)
+ {
+ hdr->next->previous = hdr;
+ }
+ hdr->previous->next = hdr;
+ install_hooks();
+ pthread_mutex_unlock(&mutex);
+ return hdr + 1;
+}
+
+/**
+ * Setup leak detective
+ */
+void __attribute__ ((constructor)) leak_detective_init()
+{
+ install_hooks();
+}
+
+/**
+ * Clean up leak detective
+ */
+void __attribute__ ((destructor)) leak_detective_cleanup()
+{
+ uninstall_hooks();
+ report_leaks();
+}
+
+/**
+ * Log memory allocation statistics
+ */
+void leak_detective_status(FILE *stream)
+{
+ u_int blocks = 0;
+ size_t bytes = 0;
+ memory_header_t *hdr = &first_header;
+
+ pthread_mutex_lock(&mutex);
+ while ((hdr = hdr->next))
+ {
+ blocks++;
+ bytes += hdr->bytes;
+ }
+ pthread_mutex_unlock(&mutex);
+
+ fprintf(stream, "allocation statistics:\n");
+ fprintf(stream, " call stats: malloc: %d, free: %d, realloc: %d\n",
+ count_malloc, count_free, count_realloc);
+ fprintf(stream, " allocated %d blocks, total size %d bytes (avg. %d bytes)\n",
+ blocks, bytes, bytes/blocks);
+}
+
+#else /* !LEAK_DETECTION */
+
+/**
+ * Dummy when !using LEAK_DETECTIVE
+ */
+void leak_detective_status(FILE *stream)
+{
+
+}
+
+#endif /* LEAK_DETECTION */
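Review bot: malloc_hook() passes the result of `malloc(bytes + sizeof(memory_header_t))` straight to memset() and the header writes. An allocation failure therefore becomes a NULL dereference, and a `bytes` value large enough to wrap the addition yields an undersized block that the header writes overrun. realloc_hook() has the same pattern: it overwrites `hdr` with the realloc() result and immediately writes `hdr->bytes`. Both hooks should check the size and the returned pointer, reinstall the hooks, release the mutex and return NULL, as sketched below for malloc_hook(). Separately, leak_detective_status() evaluates `bytes/blocks` while `blocks` is still 0 when no tracked block exists; `blocks ? bytes/blocks : 0` avoids the division by zero.

```c
void *malloc_hook(size_t bytes, const void *caller)
	/* … unchanged: declarations, lock, count_malloc++, uninstall_hooks() … */
	hdr = NULL;
	if (bytes + sizeof(memory_header_t) >= bytes)
	{	/* size computation did not wrap around */
		hdr = malloc(bytes + sizeof(memory_header_t));
	}
	if (hdr == NULL)
	{
		install_hooks();
		pthread_mutex_unlock(&mutex);
		return NULL;
	}
	/* … unchanged: memset, header fill, install_hooks(), list insertion, unlock … */
```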
diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h
new file mode 100644
index 000000000..d4016b06e
--- /dev/null
+++ b/src/libstrongswan/utils/leak_detective.h
@@ -0,0 +1,35 @@
+/**
+ * @file leak_detective.h
+ *
+ * @brief malloc/free hooks to detect leaks.
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef LEAK_DETECTIVE_H_
+#define LEAK_DETECTIVE_H_
+
+/**
+ * Log status information about allocation
+ */
+void leak_detective_status(FILE *stream);
+
+/**
+ * Max number of stack frames to include in a backtrace.
+ */
+#define STACK_FRAMES_COUNT 30
+
+#endif /* LEAK_DETECTIVE_H_ */
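Review bot: `leak_detective_status(FILE *stream)` is declared without this header including `<stdio.h>`, so the header compiles only when the including file happens to pull in stdio first. Add `#include <stdio.h>` directly after the include guard so the header is self-contained. The comment on `leak_detective_status` could also say that a build without LEAK_DETECTION gets an empty stub, which is what leak_detective.c in this commit defines.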
diff --git a/src/libstrongswan/utils/lexparser.c b/src/libstrongswan/utils/lexparser.c
new file mode 100644
index 000000000..9d3f06593
--- /dev/null
+++ b/src/libstrongswan/utils/lexparser.c
@@ -0,0 +1,137 @@
+/**
+ * @file lexparser.c
+ *
+ * @brief lexical parser for text-based configuration files
+ *
+ */
+
+/*
+ * Copyright (C) 2001-2006 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "lexparser.h"
+
+
+/**
+ * eat whitespace
+ */
+bool eat_whitespace(chunk_t *src)
+{
+ while (src->len > 0 && (*src->ptr == ' ' || *src->ptr == '\t'))
+ {
+ src->ptr++; src->len--;
+ }
+ return src->len > 0 && *src->ptr != '#';
+}
+
+/**
+ * compare string with chunk
+ */
+bool match(const char *pattern, const chunk_t *ch)
+{
+ return ch->len == strlen(pattern) && strncmp(pattern, ch->ptr, ch->len) == 0;
+}
+
+/**
+ * extracts a token ending with a given termination symbol
+ */
+bool extract_token(chunk_t *token, const char termination, chunk_t *src)
+{
+ u_char *eot = memchr(src->ptr, termination, src->len);
+
+ /* initialize empty token */
+ *token = chunk_empty;
+
+ if (eot == NULL) /* termination symbol not found */
+ {
+ return FALSE;
+ }
+
+ /* extract token */
+ token->ptr = src->ptr;
+ token->len = (u_int)(eot - src->ptr);
+
+ /* advance src pointer after termination symbol */
+ src->ptr = eot + 1;
+ src->len -= (token->len + 1);
+
+ return TRUE;
+}
+
+/**
+ * fetches a new line terminated by \n or \r\n
+ */
+bool fetchline(chunk_t *src, chunk_t *line)
+{
+ if (src->len == 0) /* end of src reached */
+ return FALSE;
+
+ if (extract_token(line, '\n', src))
+ {
+ if (line->len > 0 && *(line->ptr + line->len -1) == '\r')
+ line->len--; /* remove optional \r */
+ }
+ else /*last line ends without newline */
+ {
+ *line = *src;
+ src->ptr += src->len;
+ src->len = 0;
+ }
+ return TRUE;
+}
+
+err_t extract_value(chunk_t *value, chunk_t *line)
+{
+ char delimiter = ' ';
+
+ if (!eat_whitespace(line))
+ {
+ *value = chunk_empty;
+ return NULL;
+ }
+ if (*line->ptr == '\'' || *line->ptr == '"')
+ {
+ delimiter = *line->ptr;
+ line->ptr++; line->len--;
+ }
+ if (!extract_token(value, delimiter, line))
+ {
+ if (delimiter == ' ')
+ {
+ *value = *line;
+ line->len = 0;
+ }
+ else
+ {
+ return "missing second delimiter";
+ }
+ }
+ return NULL;
+}
+
+/**
+ * extracts a parameter: value pair
+ */
+err_t extract_parameter_value(chunk_t *name, chunk_t *value, chunk_t *line)
+{
+ /* extract name */
+ if (!extract_token(name,':', line))
+ {
+ return "missing ':'";
+ }
+
+ /* extract value */
+ return extract_value(value, line);
+}
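Review bot: In `extract_value` an unquoted value is terminated only by `' '`, while `eat_whitespace` skips both blanks and tabs, so for input such as `name: value<TAB>rest` the returned value keeps the tab and everything up to the next blank. For a parser of text-based configuration files that silently changes what a field contains; ending the unquoted value at the first blank or tab keeps the two functions consistent. Whether any caller relies on the current behaviour is not visible in this hunk, so the sketch below is a proposal. `extract_value` is also the only function in the file without a header comment; one line saying that it returns NULL on success and an error string when the closing quote is missing would help.

```c
err_t extract_value(chunk_t *value, chunk_t *line)
{
	/* … unchanged: eat_whitespace check and quote detection … */
	if (delimiter == ' ')
	{
		size_t n = 0;

		/* an unquoted value ends at the first blank or tab, like eat_whitespace */
		while (n < line->len && line->ptr[n] != ' ' && line->ptr[n] != '\t')
		{
			n++;
		}
		value->ptr = line->ptr;
		value->len = n;
		/* consume the terminator as well when one was found */
		if (n < line->len)
		{
			n++;
		}
		line->ptr += n;
		line->len -= n;
		return NULL;
	}
	if (!extract_token(value, delimiter, line))
	{
		return "missing second delimiter";
	}
	return NULL;
}
```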
diff --git a/src/libstrongswan/utils/lexparser.h b/src/libstrongswan/utils/lexparser.h
new file mode 100644
index 000000000..e3c2c4c70
--- /dev/null
+++ b/src/libstrongswan/utils/lexparser.h
@@ -0,0 +1,57 @@
+/**
+ * @file lexparser.h
+ *
+ * @brief lexical parser for text-based configuration files
+ *
+ */
+
+/*
+ * Copyright (C) 2001-2006 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+
+/**
+ * @brief Eats whitespace
+ */
+bool eat_whitespace(chunk_t *src);
+
+/**
+ * @brief Compare null-terminated pattern with chunk
+ */
+bool match(const char *pattern, const chunk_t *ch);
+
+/**
+ * @brief Extracts a token ending with a given termination symbol
+ */
+bool extract_token(chunk_t *token, const char termination, chunk_t *src);
+
+/**
+ * @brief Fetches a new text line terminated by \n or \r\n
+ */
+bool fetchline(chunk_t *src, chunk_t *line);
+
+/**
+ * @brief Extracts a value that might be single or double quoted
+ */
+err_t extract_value(chunk_t *value, chunk_t *line);
+
+/**
+ * @brief extracts a name: value pair from a text line
+ */
+err_t extract_name_value(chunk_t *name, chunk_t *value, chunk_t *line);
+
+/**
+ * @brief extracts a parameter: value from a text line
+ */
+err_t extract_parameter_value(chunk_t *name, chunk_t *value, chunk_t *line);
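Review bot: `extract_name_value` is declared here, but lexparser.c as added by this commit defines no function of that name, so any caller would fail at link time unless a definition exists elsewhere; either drop the prototype or add the implementation. The header also has no include guard, unlike leak_detective.h and linked_list.h in the same commit; wrap it in `#ifndef LEXPARSER_H_` / `#define LEXPARSER_H_` / `#endif`. The two `err_t` functions would benefit from a `@return` line stating that NULL means success and a string describes the parse error.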
diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/utils/linked_list.c
new file mode 100644
index 000000000..de043a02e
--- /dev/null
+++ b/src/libstrongswan/utils/linked_list.c
@@ -0,0 +1,763 @@
+/**
+ * @file linked_list.c
+ *
+ * @brief Implementation of linked_list_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "linked_list.h"
+
+typedef struct element_t element_t;
+
+/**
+ * This element holds a pointer to the value it represents.
+ */
+struct element_t {
+
+ /**
+ * Value of a list item.
+ */
+ void *value;
+
+ /**
+ * Previous list element.
+ *
+ * NULL if first element in list.
+ */
+ element_t *previous;
+
+ /**
+ * Next list element.
+ *
+ * NULL if last element in list.
+ */
+ element_t *next;
+};
+
+/**
+ * Creates an empty linked list object.
+ */
+element_t *element_create(void *value)
+{
+ element_t *this = malloc_thing(element_t);
+
+ this->previous = NULL;
+ this->next = NULL;
+ this->value = value;
+
+ return (this);
+}
+
+
+typedef struct private_linked_list_t private_linked_list_t;
+
+/**
+ * Private data of a linked_list_t object.
+ *
+ */
+struct private_linked_list_t {
+ /**
+ * Public part of linked list.
+ */
+ linked_list_t public;
+
+ /**
+ * Number of items in the list.
+ */
+ int count;
+
+ /**
+ * First element in list.
+ * NULL if no elements in list.
+ */
+ element_t *first;
+
+ /**
+ * Last element in list.
+ * NULL if no elements in list.
+ */
+ element_t *last;
+};
+
+
+typedef struct private_iterator_t private_iterator_t;
+
+/**
+ * Private variables and functions of linked list iterator.
+ */
+struct private_iterator_t {
+ /**
+ * Public part of linked list iterator.
+ */
+ iterator_t public;
+
+ /**
+ * Associated linked list.
+ */
+ private_linked_list_t * list;
+
+ /**
+ * Current element of the iterator.
+ */
+ element_t *current;
+
+ /**
+ * Direction of iterator.
+ */
+ bool forward;
+
+ /**
+ * Mutex to use to synchronize access
+ */
+ pthread_mutex_t *mutex;
+
+ /**
+ * iteration hook
+ */
+ iterator_hook_t *hook;
+
+ /**
+ * user parameter for iterator hook
+ */
+ void *hook_param;
+};
+
+/**
+ * Implementation of iterator_t.get_count.
+ */
+static int get_list_count(private_iterator_t *this)
+{
+ return this->list->count;
+}
+
+/**
+ * default iterator hook which does nothing
+ */
+static bool iterator_hook(void *param, void *in, void **out)
+{
+ *out = in;
+ return TRUE;
+}
+
+/**
+ * Implementation of iterator_t.set_iterator_hook.
+ */
+static void set_iterator_hook(private_iterator_t *this, iterator_hook_t *hook,
+ void* param)
+{
+ if (hook == NULL)
+ {
+ this->hook = iterator_hook;
+ this->hook_param = NULL;
+ }
+ else
+ {
+ this->hook = hook;
+ this->hook_param = param;
+ }
+}
+
+/**
+ * Implementation of iterator_t.iterate.
+ */
+static bool iterate(private_iterator_t *this, void** value)
+{
+ if (this->list->count == 0)
+ {
+ return FALSE;
+ }
+ if (this->current == NULL)
+ {
+ this->current = (this->forward) ? this->list->first : this->list->last;
+ if (!this->hook(this->hook_param, this->current->value, value))
+ {
+ return iterate(this, value);
+ }
+ return TRUE;
+ }
+ if (this->forward)
+ {
+ if (this->current->next == NULL)
+ {
+ return FALSE;
+ }
+ this->current = this->current->next;
+ if (!this->hook(this->hook_param, this->current->value, value))
+ {
+ return iterate(this, value);
+ }
+ return TRUE;
+ }
+ if (this->current->previous == NULL)
+ {
+ return FALSE;
+ }
+ this->current = this->current->previous;
+ if (!this->hook(this->hook_param, this->current->value, value))
+ {
+ return iterate(this, value);
+ }
+ return TRUE;
+}
+
+/**
+ * Implementation of iterator_t.reset.
+ */
+static void iterator_reset(private_iterator_t *this)
+{
+ this->current = NULL;
+}
+
+/**
+ * Implementation of iterator_t.remove.
+ */
+static status_t remove_(private_iterator_t *this)
+{
+ element_t *new_current;
+
+ if (this->current == NULL)
+ {
+ return NOT_FOUND;
+ }
+
+ if (this->list->count == 0)
+ {
+ return NOT_FOUND;
+ }
+ /* find out the new iterator position, depending on iterator direction */
+ if (this->forward && this->current->previous != NULL)
+ {
+ new_current = this->current->previous;
+ }
+ else if (!this->forward && this->current->next != NULL)
+ {
+ new_current = this->current->next;
+ }
+ else
+ {
+ new_current = NULL;
+ }
+
+ /* now delete the entry :-) */
+ if (this->current->previous == NULL)
+ {
+ if (this->current->next == NULL)
+ {
+ this->list->first = NULL;
+ this->list->last = NULL;
+ }
+ else
+ {
+ this->current->next->previous = NULL;
+ this->list->first = this->current->next;
+ }
+ }
+ else if (this->current->next == NULL)
+ {
+ this->current->previous->next = NULL;
+ this->list->last = this->current->previous;
+ }
+ else
+ {
+ this->current->previous->next = this->current->next;
+ this->current->next->previous = this->current->previous;
+ }
+
+ this->list->count--;
+ free(this->current);
+ /* set the new iterator position */
+ this->current = new_current;
+ return SUCCESS;
+}
+
+/**
+ * Implementation of iterator_t.insert_before.
+ */
+static void insert_before(private_iterator_t * iterator, void *item)
+{
+ if (iterator->current == NULL)
+ {
+ iterator->list->public.insert_first(&(iterator->list->public), item);
+ }
+
+ element_t *element = element_create(item);
+ if (iterator->current->previous == NULL)
+ {
+ iterator->current->previous = element;
+ element->next = iterator->current;
+ iterator->list->first = element;
+ }
+ else
+ {
+ iterator->current->previous->next = element;
+ element->previous = iterator->current->previous;
+ iterator->current->previous = element;
+ element->next = iterator->current;
+ }
+ iterator->list->count++;
+}
+
+/**
+ * Implementation of iterator_t.replace.
+ */
+static status_t replace(private_iterator_t *this, void **old_item, void *new_item)
+{
+ if (this->current == NULL)
+ {
+ return NOT_FOUND;
+ }
+ if (old_item != NULL)
+ {
+ *old_item = this->current->value;
+ }
+ this->current->value = new_item;
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of iterator_t.insert_after.
+ */
+static void insert_after(private_iterator_t *iterator, void *item)
+{
+ if (iterator->current == NULL)
+ {
+ iterator->list->public.insert_first(&(iterator->list->public),item);
+ return;
+ }
+
+ element_t *element = element_create(item);
+ if (iterator->current->next == NULL)
+ {
+ iterator->current->next = element;
+ element->previous = iterator->current;
+ iterator->list->last = element;
+ }
+ else
+ {
+ iterator->current->next->previous = element;
+ element->next = iterator->current->next;
+ iterator->current->next = element;
+ element->previous = iterator->current;
+ }
+ iterator->list->count++;
+}
+
+/**
+ * Implementation of iterator_t.destroy.
+ */
+static void iterator_destroy(private_iterator_t *this)
+{
+ if (this->mutex)
+ {
+ pthread_mutex_unlock(this->mutex);
+ }
+ free(this);
+}
+
+/**
+ * Implementation of linked_list_t.get_count.
+ */
+static int get_count(private_linked_list_t *this)
+{
+ return this->count;
+}
+
+/**
+ * Implementation of linked_list_t.insert_first.
+ */
+static void insert_first(private_linked_list_t *this, void *item)
+{
+ element_t *element;
+
+ element = element_create(item);
+ if (this->count == 0)
+ {
+ /* first entry in list */
+ this->first = element;
+ this->last = element;
+ element->previous = NULL;
+ element->next = NULL;
+ }
+ else
+ {
+ element_t *old_first_element = this->first;
+ element->next = old_first_element;
+ element->previous = NULL;
+ old_first_element->previous = element;
+ this->first = element;
+ }
+ this->count++;
+}
+
+/**
+ * Implementation of linked_list_t.remove_first.
+ */
+static status_t remove_first(private_linked_list_t *this, void **item)
+{
+ element_t *element = this->first;
+
+ if (element == NULL)
+ {
+ return NOT_FOUND;
+ }
+ if (element->next != NULL)
+ {
+ element->next->previous = NULL;
+ }
+ this->first = element->next;
+
+ if (item != NULL)
+ {
+ *item = element->value;
+ }
+ if (--this->count == 0)
+ {
+ this->last = NULL;
+ }
+
+ free(element);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of linked_list_t.get_first.
+ */
+static status_t get_first(private_linked_list_t *this, void **item)
+{
+ if (this->count == 0)
+ {
+ return NOT_FOUND;
+ }
+ *item = this->first->value;
+ return SUCCESS;
+}
+
+/**
+ * Implementation of linked_list_t.insert_last.
+ */
+static void insert_last(private_linked_list_t *this, void *item)
+{
+ element_t *element = element_create(item);
+
+ if (this->count == 0)
+ {
+ /* first entry in list */
+ this->first = element;
+ this->last = element;
+ element->previous = NULL;
+ element->next = NULL;
+ }
+ else
+ {
+ element_t *old_last_element = this->last;
+ element->previous = old_last_element;
+ element->next = NULL;
+ old_last_element->next = element;
+ this->last = element;
+ }
+ this->count++;
+}
+
+/**
+ * Implementation of linked_list_t.remove_last.
+ */
+static status_t remove_last(private_linked_list_t *this, void **item)
+{
+ element_t *element = this->last;
+
+ if (element == NULL)
+ {
+ return NOT_FOUND;
+ }
+ if (element->previous != NULL)
+ {
+ element->previous->next = NULL;
+ }
+ this->last = element->previous;
+
+ if (item != NULL)
+ {
+ *item = element->value;
+ }
+ if (--this->count == 0)
+ {
+ this->first = NULL;
+ }
+
+ free(element);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of linked_list_t.insert_at_position.
+ */
+static status_t insert_at_position (private_linked_list_t *this,size_t position, void *item)
+{
+ element_t *current_element;
+ int i;
+
+ if (this->count <= position)
+ {
+ return INVALID_ARG;
+ }
+
+ current_element = this->first;
+
+ for (i = 0; i < position;i++)
+ {
+ current_element = current_element->next;
+ }
+
+ if (current_element == NULL)
+ {
+ this->public.insert_last(&(this->public),item);
+ return SUCCESS;
+ }
+
+ element_t *element = element_create(item);
+ if (current_element->previous == NULL)
+ {
+ current_element->previous = element;
+ element->next = current_element;
+ this->first = element;
+ }
+ else
+ {
+ current_element->previous->next = element;
+ element->previous = current_element->previous;
+ current_element->previous = element;
+ element->next = current_element;
+ }
+
+
+ this->count++;
+ return SUCCESS;
+}
+
+/**
+ * Implementation of linked_list_t.remove_at_position.
+ */
+static status_t remove_at_position(private_linked_list_t *this,size_t position, void **item)
+{
+ iterator_t *iterator;
+ int i;
+
+ if (this->count <= position)
+ {
+ return INVALID_ARG;
+ }
+
+ iterator = this->public.create_iterator(&(this->public),TRUE);
+ iterator->iterate(iterator, item);
+ for (i = 0; i < position; i++)
+ {
+ if (!iterator->iterate(iterator, item))
+ {
+ iterator->destroy(iterator);
+ return INVALID_ARG;
+ }
+ }
+ iterator->remove(iterator);
+ iterator->destroy(iterator);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of linked_list_t.get_at_position.
+ */
+static status_t get_at_position(private_linked_list_t *this,size_t position, void **item)
+{
+ int i;
+ iterator_t *iterator;
+
+ if (this->count <= position)
+ {
+ return INVALID_ARG;
+ }
+
+ iterator = this->public.create_iterator(&(this->public),TRUE);
+ iterator->iterate(iterator, item);
+ for (i = 0; i < position; i++)
+ {
+ if (!iterator->iterate(iterator, item))
+ {
+ iterator->destroy(iterator);
+ return INVALID_ARG;
+ }
+ }
+ iterator->destroy(iterator);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of linked_list_t.get_last.
+ */
+static status_t get_last(private_linked_list_t *this, void **item)
+{
+ if (this->count == 0)
+ {
+ return NOT_FOUND;
+ }
+
+ *item = this->last->value;
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of linked_list_t.invoke.
+ */
+static void invoke(private_linked_list_t *this, size_t offset)
+{
+ element_t *current = this->first;
+
+ while (current)
+ {
+ void (**method)(void*) = current->value + offset;
+ (*method)(current->value);
+ current = current->next;
+ }
+}
+
+/**
+ * Implementation of linked_list_t.destroy.
+ */
+static void destroy(private_linked_list_t *this)
+{
+ void *value;
+ /* Remove all list items before destroying list */
+ while (this->public.remove_first(&(this->public), &value) == SUCCESS)
+ {
+ /* values are not destroyed so memory leaks are possible
+ * if list is not empty when deleting */
+ }
+ free(this);
+}
+
+/**
+ * Implementation of linked_list_t.destroy_offset.
+ */
+static void destroy_offset(private_linked_list_t *this, size_t offset)
+{
+ element_t *current = this->first, *next;
+
+ while (current)
+ {
+ void (**method)(void*) = current->value + offset;
+ (*method)(current->value);
+ next = current->next;
+ free(current);
+ current = next;
+ }
+ free(this);
+}
+
+/**
+ * Implementation of linked_list_t.destroy_function.
+ */
+static void destroy_function(private_linked_list_t *this, void (*fn)(void*))
+{
+ element_t *current = this->first, *next;
+
+ while (current)
+ {
+ fn(current->value);
+ next = current->next;
+ free(current);
+ current = next;
+ }
+ free(this);
+}
+
+/**
+ * Implementation of linked_list_t.create_iterator.
+ */
+static iterator_t *create_iterator(private_linked_list_t *linked_list, bool forward)
+{
+ private_iterator_t *this = malloc_thing(private_iterator_t);
+
+ this->public.get_count = (int (*) (iterator_t*)) get_list_count;
+ this->public.iterate = (bool (*) (iterator_t*, void **value)) iterate;
+ this->public.set_iterator_hook = (void(*)(iterator_t*, iterator_hook_t*, void*))set_iterator_hook;
+ this->public.insert_before = (void (*) (iterator_t*, void *item)) insert_before;
+ this->public.insert_after = (void (*) (iterator_t*, void *item)) insert_after;
+ this->public.replace = (status_t (*) (iterator_t*, void **, void *)) replace;
+ this->public.remove = (status_t (*) (iterator_t*)) remove_;
+ this->public.reset = (void (*) (iterator_t*)) iterator_reset;
+ this->public.destroy = (void (*) (iterator_t*)) iterator_destroy;
+
+ this->forward = forward;
+ this->current = NULL;
+ this->list = linked_list;
+ this->mutex = NULL;
+ this->hook = iterator_hook;
+
+ return &this->public;
+}
+
+/**
+ * Implementation of linked_list_t.create_iterator_locked.
+ */
+static iterator_t *create_iterator_locked(private_linked_list_t *linked_list,
+ pthread_mutex_t *mutex)
+{
+ private_iterator_t *this = (private_iterator_t*)create_iterator(linked_list, TRUE);
+ this->mutex = mutex;
+
+ pthread_mutex_lock(mutex);
+
+ return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+linked_list_t *linked_list_create()
+{
+ private_linked_list_t *this = malloc_thing(private_linked_list_t);
+
+ this->public.get_count = (int (*) (linked_list_t *)) get_count;
+ this->public.create_iterator = (iterator_t * (*) (linked_list_t *,bool))create_iterator;
+ this->public.create_iterator_locked = (iterator_t * (*) (linked_list_t *,pthread_mutex_t*))create_iterator_locked;
+ this->public.get_first = (status_t (*) (linked_list_t *, void **item))get_first;
+ this->public.get_last = (status_t (*) (linked_list_t *, void **item))get_last;
+ this->public.insert_first = (void (*) (linked_list_t *, void *item))insert_first;
+ this->public.insert_last = (void (*) (linked_list_t *, void *item))insert_last;
+ this->public.remove_first = (status_t (*) (linked_list_t *, void **item))remove_first;
+ this->public.remove_last = (status_t (*) (linked_list_t *, void **item))remove_last;
+ this->public.insert_at_position = (status_t (*) (linked_list_t *,size_t, void *))insert_at_position;
+ this->public.remove_at_position = (status_t (*) (linked_list_t *,size_t, void **))remove_at_position;
+ this->public.get_at_position = (status_t (*) (linked_list_t *,size_t, void **))get_at_position;
+ this->public.invoke = (void (*)(linked_list_t*,size_t))invoke;
+ this->public.destroy = (void (*) (linked_list_t *))destroy;
+ this->public.destroy_offset = (void (*) (linked_list_t *,size_t))destroy_offset;
+ this->public.destroy_function = (void (*)(linked_list_t*,void(*)(void*)))destroy_function;
+
+ this->count = 0;
+ this->first = NULL;
+ this->last = NULL;
+
+ return &this->public;
+}
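Review bot: `insert_before` falls through after calling `insert_first` when `iterator->current == NULL`, so the next statement dereferences `iterator->current->previous` through a NULL pointer (and would insert the item a second time); `insert_after` has the `return;` that is missing here. Add `return;` after the `insert_first` call in `insert_before`. Separately, `create_iterator` never sets `this->hook_param`, which leaves it indeterminate unless `malloc_thing` zeroes memory; `this->hook_param = NULL;` next to `this->hook = iterator_hook;` would make that explicit. The comment above `element_create` still reads "Creates an empty linked list object" although the function allocates a single element.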
diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/utils/linked_list.h
new file mode 100644
index 000000000..58bcbbdaa
--- /dev/null
+++ b/src/libstrongswan/utils/linked_list.h
@@ -0,0 +1,232 @@
+/**
+ * @file linked_list.h
+ *
+ * @brief Interface of linked_list_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef LINKED_LIST_H_
+#define LINKED_LIST_H_
+
+typedef struct linked_list_t linked_list_t;
+
+#include <pthread.h>
+
+#include <library.h>
+#include <utils/iterator.h>
+
+/**
+ * @brief Class implementing a double linked list.
+ *
+ * General purpose linked list. This list is not synchronized.
+ *
+ * @b Costructors:
+ * - linked_list_create()
+ *
+ * @ingroup utils
+ */
+struct linked_list_t {
+
+ /**
+ * @brief Gets the count of items in the list.
+ *
+ * @param this calling object
+ * @return number of items in list
+ */
+ int (*get_count) (linked_list_t *this);
+
+ /**
+ * @brief Creates a iterator for the given list.
+ *
+ * @warning Created iterator_t object has to get destroyed by the caller.
+ *
+ * @param this calling object
+ * @param forward iterator direction (TRUE: front to end)
+ * @return new iterator_t object
+ */
+ iterator_t *(*create_iterator) (linked_list_t *this, bool forward);
+
+ /**
+ * @brief Creates a iterator, locking a mutex.
+ *
+ * The supplied mutex is acquired immediately, and released
+ * when the iterator gets destroyed.
+ *
+ * @param this calling object
+ * @param mutex mutex to use for exclusive access
+ * @return new iterator_t object
+ */
+ iterator_t *(*create_iterator_locked) (linked_list_t *this,
+ pthread_mutex_t *mutex);
+
+ /**
+ * @brief Inserts a new item at the beginning of the list.
+ *
+ * @param this calling object
+ * @param[in] item item value to insert in list
+ */
+ void (*insert_first) (linked_list_t *this, void *item);
+
+ /**
+ * @brief Removes the first item in the list and returns its value.
+ *
+ * @param this calling object
+ * @param[out] item returned value of first item, or NULL
+ * @return
+ * - SUCCESS
+ * - NOT_FOUND, if list is empty
+ */
+ status_t (*remove_first) (linked_list_t *this, void **item);
+
+ /**
+ * @brief Returns the value of the first list item without removing it.
+ *
+ * @param this calling object
+ * @param[out] item returned value of first item
+ * @return
+ * - SUCCESS
+ * - NOT_FOUND, if list is empty
+ */
+ status_t (*get_first) (linked_list_t *this, void **item);
+
+ /**
+ * @brief Inserts a new item at the end of the list.
+ *
+ * @param this calling object
+ * @param[in] item value to insert into list
+ */
+ void (*insert_last) (linked_list_t *this, void *item);
+
+ /**
+ * @brief Inserts a new item at a given position in the list.
+ *
+ * @param this calling object
+ * @param position position starting at 0 to insert new entry
+ * @param[in] item value to insert into list
+ * @return
+ * - SUCCESS
+ * - INVALID_ARG if position not existing
+ */
+ status_t (*insert_at_position) (linked_list_t *this,size_t position, void *item);
+
+ /**
+ * @brief Removes an item from a given position in the list.
+ *
+ * @param this calling object
+ * @param position position starting at 0 to remove entry from
+ * @param[out] item removed item will be stored at this location
+ * @return
+ * - SUCCESS
+ * - INVALID_ARG if position not existing
+ */
+ status_t (*remove_at_position) (linked_list_t *this, size_t position, void **item);
+
+ /**
+ * @brief Get an item from a given position in the list.
+ *
+ * @param this calling object
+ * @param position position starting at 0 to get entry from
+ * @param[out] item item will be stored at this location
+ * @return
+ * - SUCCESS
+ * - INVALID_ARG if position not existing
+ */
+ status_t (*get_at_position) (linked_list_t *this, size_t position, void **item);
+
+ /**
+ * @brief Removes the last item in the list and returns its value.
+ *
+ * @param this calling object
+ * @param[out] item returned value of last item, or NULL
+ * @return
+ * - SUCCESS
+ * - NOT_FOUND if list is empty
+ */
+ status_t (*remove_last) (linked_list_t *this, void **item);
+
+ /**
+ * @brief Returns the value of the last list item without removing it.
+ *
+ * @param this calling object
+ * @param[out] item returned value of last item
+ * @return
+ * - SUCCESS
+ * - NOT_FOUND if list is empty
+ */
+ status_t (*get_last) (linked_list_t *this, void **item);
+
+ /**
+ * @brief Invoke a method on all of the contained objects.
+ *
+ * If a linked list contains objects with function pointers,
+ * invoke() can call a method on each of the objects. The
+ * method is specified by an offset of the function pointer,
+ * which can be evalutated at compile time using the offsetof
+ * macro, e.g.: list->invoke(list, offsetof(object_t, method));
+ *
+ * @param this calling object
+ * @param offset offset of the method to invoke on objects
+ */
+ void (*invoke) (linked_list_t *this, size_t offset);
+
+ /**
+ * @brief Destroys a linked_list object.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (linked_list_t *this);
+
+ /**
+ * @brief Destroys a list and its objects using the destructor.
+ *
+ * If a linked list and the contained objects should be destroyed, use
+ * destroy_offset. The supplied offset specifies the destructor to
+ * call on each object. The offset may be calculated using the offsetof
+ * macro, e.g.: list->destroy_offset(list, offsetof(object_t, destroy));
+ *
+ * @param this calling object
+ * @param offset offset of the objects destructor
+ */
+ void (*destroy_offset) (linked_list_t *this, size_t offset);
+
+ /**
+ * @brief Destroys a list and its contents using a a cleanup function.
+ *
+ * If a linked list and its contents should get destroyed using a specific
+ * cleanup function, use destroy_function. This is useful when the
+ * list contains malloc()-ed blocks which should get freed,
+ * e.g.: list->destroy_function(list, free);
+ *
+ * @param this calling object
+ * @param function function to call on each object
+ */
+ void (*destroy_function) (linked_list_t *this, void (*)(void*));
+};
+
+/**
+ * @brief Creates an empty linked list object.
+ *
+ * @return linked_list_t object.
+ *
+ * @ingroup utils
+ */
+linked_list_t *linked_list_create(void);
+
+
+#endif /*LINKED_LIST_H_*/
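Review bot: The documentation of `invoke` and `destroy_offset` does not state the contract the implementation depends on: linked_list.c reads a function pointer at `current->value + offset` and calls it without any check, so a NULL item, an item of a different type or a wrong offset results in a call through an arbitrary pointer. I would add to both comments `@warning every item must be a non-NULL object of the same type whose member at offset is a void (*)(void*) compatible function pointer`. The `destroy_function` prototype leaves its callback parameter unnamed although the comment documents `@param function`; writing it as `void (*function)(void*)` would match. Typos to fix while there: "Costructors", "evalutated", "a a cleanup function".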
diff --git a/src/libstrongswan/utils/randomizer.c b/src/libstrongswan/utils/randomizer.c
new file mode 100644
index 000000000..c15d108c7
--- /dev/null
+++ b/src/libstrongswan/utils/randomizer.c
@@ -0,0 +1,165 @@
+/**
+ * @file randomizer.c
+ *
+ * @brief Implementation of randomizer_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include "randomizer.h"
+
+
+typedef struct private_randomizer_t private_randomizer_t;
+
+/**
+ * Private data of an randomizer_t object.
+ */
+struct private_randomizer_t {
+
+ /**
+ * Public randomizer_t interface.
+ */
+ randomizer_t public;
+
+ /**
+ * @brief Reads a specific number of bytes from random or pseudo random device.
+ *
+ * @param this calling object
+ * @param pseudo_random TRUE, if from pseudo random bytes should be read,
+ * FALSE for true random bytes
+ * @param bytes number of bytes to read
+ * @param[out] buffer pointer to buffer where to write the data in.
+ * Size of buffer has to be at least bytes.
+ */
+ status_t (*get_bytes_from_device) (private_randomizer_t *this,bool pseudo_random, size_t bytes, u_int8_t *buffer);
+};
+
+
+/**
+ * Implementation of private_randomizer_t.get_bytes_from_device.
+ */
+static status_t get_bytes_from_device(private_randomizer_t *this,bool pseudo_random, size_t bytes, u_int8_t *buffer)
+{
+ size_t ndone;
+ int device;
+ size_t got;
+ char * device_name;
+
+ device_name = pseudo_random ? DEV_URANDOM : DEV_RANDOM;
+
+ device = open(device_name, 0);
+ if (device < 0) {
+ return FAILED;
+ }
+ ndone = 0;
+
+ /* read until nbytes are read */
+ while (ndone < bytes)
+ {
+ got = read(device, buffer + ndone, bytes - ndone);
+ if (got <= 0) {
+ close(device);
+ return FAILED;
+ }
+ ndone += got;
+ }
+ close(device);
+ return SUCCESS;
+}
+
+/**
+ * Implementation of randomizer_t.get_random_bytes.
+ */
+static status_t get_random_bytes(private_randomizer_t *this,size_t bytes, u_int8_t *buffer)
+{
+ return this->get_bytes_from_device(this, FALSE, bytes, buffer);
+}
+
+/**
+ * Implementation of randomizer_t.allocate_random_bytes.
+ */
+static status_t allocate_random_bytes(private_randomizer_t *this, size_t bytes, chunk_t *chunk)
+{
+ status_t status;
+ chunk->len = bytes;
+ chunk->ptr = malloc(bytes);
+ status = this->get_bytes_from_device(this, FALSE, bytes, chunk->ptr);
+ if (status != SUCCESS)
+ {
+ free(chunk->ptr);
+ }
+ return status;
+}
+
+/**
+ * Implementation of randomizer_t.get_pseudo_random_bytes.
+ */
+static status_t get_pseudo_random_bytes(private_randomizer_t *this,size_t bytes, u_int8_t *buffer)
+{
+ return (this->get_bytes_from_device(this, TRUE, bytes, buffer));
+}
+
+/**
+ * Implementation of randomizer_t.allocate_pseudo_random_bytes.
+ */
+static status_t allocate_pseudo_random_bytes(private_randomizer_t *this, size_t bytes, chunk_t *chunk)
+{
+ status_t status;
+ chunk->len = bytes;
+ chunk->ptr = malloc(bytes);
+ status = this->get_bytes_from_device(this, TRUE, bytes, chunk->ptr);
+ if (status != SUCCESS)
+ {
+ free(chunk->ptr);
+ }
+ return status;
+}
+
+/**
+ * Implementation of randomizer_t.destroy.
+ */
+static void destroy(private_randomizer_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+randomizer_t *randomizer_create(void)
+{
+ private_randomizer_t *this = malloc_thing(private_randomizer_t);
+
+ /* public functions */
+ this->public.get_random_bytes = (status_t (*) (randomizer_t *,size_t, u_int8_t *)) get_random_bytes;
+ this->public.allocate_random_bytes = (status_t (*) (randomizer_t *,size_t, chunk_t *)) allocate_random_bytes;
+ this->public.get_pseudo_random_bytes = (status_t (*) (randomizer_t *,size_t, u_int8_t *)) get_pseudo_random_bytes;
+ this->public.allocate_pseudo_random_bytes = (status_t (*) (randomizer_t *,size_t, chunk_t *)) allocate_pseudo_random_bytes;
+ this->public.destroy = (void (*) (randomizer_t *))destroy;
+
+ /* private functions */
+ this->get_bytes_from_device = get_bytes_from_device;
+
+ return &(this->public);
+}
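Review bot: In get_bytes_from_device, `got` is declared `size_t`, so a read() that fails with -1 is stored as the largest unsigned value and `if (got <= 0)` only catches end-of-file. When the first read fails, `ndone += got` pushes ndone past `bytes`, the loop ends, and the function returns SUCCESS with the caller's buffer never written. For a randomness source that means uninitialised memory can be handed out as key or nonce material. Declaring it `ssize_t got;` restores the error check, and retrying on EINTR would also be reasonable. In allocate_random_bytes and allocate_pseudo_random_bytes the malloc() result is used unchecked and, on failure, `chunk->ptr` is left pointing at freed memory with `chunk->len` still set, so I would add a NULL check and reset the chunk (`chunk->ptr = NULL; chunk->len = 0;`) after the free().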
diff --git a/src/libstrongswan/utils/randomizer.h b/src/libstrongswan/utils/randomizer.h
new file mode 100644
index 000000000..afbade059
--- /dev/null
+++ b/src/libstrongswan/utils/randomizer.h
@@ -0,0 +1,114 @@
+/**
+ * @file randomizer.h
+ *
+ * @brief Interface of randomizer_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef RANDOMIZER_H_
+#define RANDOMIZER_H_
+
+typedef struct randomizer_t randomizer_t;
+
+#include <library.h>
+
+#ifndef DEV_RANDOM
+/**
+ * Device to read real random bytes
+ */
+# define DEV_RANDOM "/dev/random"
+#endif
+
+#ifndef DEV_URANDOM
+/**
+ * Device to read pseudo random bytes
+ */
+# define DEV_URANDOM "/dev/urandom"
+#endif
+
+/**
+ * @brief Class used to get random and pseudo random values.
+ *
+ * @b Constructors:
+ * - randomizer_create()
+ *
+ * @ingroup utils
+ */
+struct randomizer_t {
+
+ /**
+ * @brief Reads a specific number of bytes from random device.
+ *
+ * @param this calling randomizer_t object
+ * @param bytes number of bytes to read
+ * @param[out] buffer pointer to buffer where to write the data in.
+ * Size of buffer has to be at least bytes.
+ * @return SUCCESS, or FAILED
+ */
+ status_t (*get_random_bytes) (randomizer_t *this, size_t bytes, u_int8_t *buffer);
+
+ /**
+ * @brief Allocates space and writes in random bytes.
+ *
+ * @param this calling randomizer_t object
+ * @param bytes number of bytes to allocate
+ * @param[out] chunk chunk which will hold the allocated random bytes
+ * @return SUCCESS, or FAILED
+ */
+ status_t (*allocate_random_bytes) (randomizer_t *this, size_t bytes, chunk_t *chunk);
+
+ /**
+ * @brief Reads a specific number of bytes from pseudo random device.
+ *
+ * @param this calling randomizer_t object
+ * @param bytes number of bytes to read
+ * @param[out] buffer pointer to buffer where to write the data in.
+ * size of buffer has to be at least bytes.
+ * @return SUCCESS, or FAILED
+ */
+ status_t (*get_pseudo_random_bytes) (randomizer_t *this,size_t bytes, u_int8_t *buffer);
+
+ /**
+ * @brief Allocates space and writes in pseudo random bytes.
+ *
+ * @param this calling randomizer_t object
+ * @param bytes number of bytes to allocate
+ * @param[out] chunk chunk which will hold the allocated random bytes
+ * @return SUCCESS, or FAILED
+ */
+ status_t (*allocate_pseudo_random_bytes) (randomizer_t *this, size_t bytes, chunk_t *chunk);
+
+ /**
+ * @brief Destroys a randomizer_t object.
+ *
+ * @param this randomizer_t object to destroy
+ */
+ void (*destroy) (randomizer_t *this);
+};
+
+/**
+ * @brief Creates a randomizer_t object.
+ *
+ * @return created randomizer_t, or
+ *
+ * @ingroup utils
+ */
+randomizer_t *randomizer_create(void);
+
+#endif /*RANDOMIZER_H_*/
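Review bot: The `@return` text for randomizer_create() breaks off at "created randomizer_t, or" and should either name the failure value or drop the trailing "or". The method comments also leave the failure contract unstated. I would add to the two get_* methods a line such as `buffer contents are undefined if FAILED is returned`, and to the two allocate_* methods `chunk must not be used or freed by the caller if FAILED is returned`, since randomizer.c frees chunk->ptr itself on that path. It may also be worth noting on get_random_bytes and allocate_random_bytes that they read DEV_RANDOM, which can block on systems where /dev/random waits for entropy.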
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am
new file mode 100644
index 000000000..c1e2a593a
--- /dev/null
+++ b/src/openac/Makefile.am
@@ -0,0 +1,98 @@
+ipsec_PROGRAMS = openac
+openac_SOURCES = openac.c build.c build.h loglite.c
+
+INCLUDES = \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/pluto \
+-I$(top_srcdir)/src/libcrypto \
+-I$(top_srcdir)/src/whack
+
+AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\"
+openac_LDADD = ac.o asn1.o ca.o certs.o constants.o crl.o defs.o mp_defs.o fetch.o id.o keys.o lex.o \
+ md2.o md5.o ocsp.o oid.o pem.o pgp.o pkcs1.o rnd.o sha1.o smartcard.o x509.o \
+ $(top_srcdir)/src/libfreeswan/libfreeswan.a $(top_srcdir)/src/libcrypto/libcrypto.a \
+ -lgmp
+
+# This compile option activates dynamic URL fetching using libcurl
+if USE_LIBCURL
+ openac_LDADD += -lcurl
+endif
+
+# This compile option activates smartcard support
+if USE_SMARTCARD
+ openac_LDADD += -ldl
+endif
+
+dist_man_MANS = openac.8
+
+PLUTODIR=$(top_srcdir)/src/pluto
+
+ac.o : $(PLUTODIR)/ac.c $(PLUTODIR)/ac.h
+ $(COMPILE) -c -o $@ $<
+
+asn1.o : $(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h
+ $(COMPILE) -c -o $@ $<
+
+ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h
+ $(COMPILE) -c -o $@ $<
+
+certs.o : $(PLUTODIR)/certs.c $(PLUTODIR)/certs.h
+ $(COMPILE) -c -o $@ $<
+
+constants.o : $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
+ $(COMPILE) -c -o $@ $<
+
+crl.o : $(PLUTODIR)/crl.c $(PLUTODIR)/crl.h
+ $(COMPILE) -c -o $@ $<
+
+defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
+ $(COMPILE) -c -o $@ $<
+
+mp_defs.o : $(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h
+ $(COMPILE) -c -o $@ $<
+
+fetch.o : $(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h
+ $(COMPILE) -c -o $@ $<
+
+id.o : $(PLUTODIR)/id.c $(PLUTODIR)/id.h
+ $(COMPILE) -c -o $@ $<
+
+keys.o : $(PLUTODIR)/keys.c $(PLUTODIR)/keys.h
+ $(COMPILE) -c -o $@ $<
+
+lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
+ $(COMPILE) -c -o $@ $<
+
+md2.o : $(PLUTODIR)/md2.c $(PLUTODIR)/md2.h
+ $(COMPILE) -c -o $@ $<
+
+md5.o : $(PLUTODIR)/md5.c $(PLUTODIR)/md5.h
+ $(COMPILE) -c -o $@ $<
+
+ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
+ $(COMPILE) -c -o $@ $<
+
+oid.o : $(PLUTODIR)/oid.c $(PLUTODIR)/oid.h
+ $(COMPILE) -c -o $@ $<
+
+pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
+ $(COMPILE) -c -o $@ $<
+
+pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h
+ $(COMPILE) -c -o $@ $<
+
+pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h
+ $(COMPILE) -c -o $@ $<
+
+rnd.o : $(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h
+ $(COMPILE) -c -o $@ $<
+
+sha1.o : $(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h
+ $(COMPILE) -c -o $@ $<
+
+smartcard.o : $(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h
+ $(COMPILE) -c -o $@ $<
+
+x509.o : $(PLUTODIR)/x509.c $(PLUTODIR)/x509.h
+ $(COMPILE) -c -o $@ $<
+
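Review bot: `openac_LDADD` names `$(top_srcdir)/src/libfreeswan/libfreeswan.a` and `$(top_srcdir)/src/libcrypto/libcrypto.a`, which look like build products, so a build outside the source tree would not find them; `$(top_builddir)/src/libfreeswan/libfreeswan.a` (and the same for libcrypto.a) is the usual form. `AM_CFLAGS` also hard-codes `-DDEBUG` for every build of openac. What that macro enables is not visible in this hunk, but if it turns on verbose logging of certificate or key handling it would be better behind a configure option than always on. A short comment above `PLUTODIR` saying why the pluto sources are recompiled here with `-DNO_PLUTO` would help the next reader.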
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
new file mode 100644
index 000000000..8a2bee51f
--- /dev/null
+++ b/src/openac/Makefile.in
@@ -0,0 +1,624 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = openac$(EXEEXT)
+
+# This compile option activates dynamic URL fetching using libcurl
+@USE_LIBCURL_TRUE@am__append_1 = -lcurl
+
+# This compile option activates smartcard support
+@USE_SMARTCARD_TRUE@am__append_2 = -ldl
+subdir = src/openac
+DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
+ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(ipsec_PROGRAMS)
+am_openac_OBJECTS = openac.$(OBJEXT) build.$(OBJEXT) loglite.$(OBJEXT)
+openac_OBJECTS = $(am_openac_OBJECTS)
+am__DEPENDENCIES_1 =
+openac_DEPENDENCIES = ac.o asn1.o ca.o certs.o constants.o crl.o \
+ defs.o mp_defs.o fetch.o id.o keys.o lex.o md2.o md5.o ocsp.o \
+ oid.o pem.o pgp.o pkcs1.o rnd.o sha1.o smartcard.o x509.o \
+ $(top_srcdir)/src/libfreeswan/libfreeswan.a \
+ $(top_srcdir)/src/libcrypto/libcrypto.a $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(srcdir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+SOURCES = $(openac_SOURCES)
+DIST_SOURCES = $(openac_SOURCES)
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(dist_man_MANS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+openac_SOURCES = openac.c build.c build.h loglite.c
+INCLUDES = \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/pluto \
+-I$(top_srcdir)/src/libcrypto \
+-I$(top_srcdir)/src/whack
+
+AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\"
+openac_LDADD = ac.o asn1.o ca.o certs.o constants.o crl.o defs.o \
+ mp_defs.o fetch.o id.o keys.o lex.o md2.o md5.o ocsp.o oid.o \
+ pem.o pgp.o pkcs1.o rnd.o sha1.o smartcard.o x509.o \
+ $(top_srcdir)/src/libfreeswan/libfreeswan.a \
+ $(top_srcdir)/src/libcrypto/libcrypto.a -lgmp $(am__append_1) \
+ $(am__append_2)
+dist_man_MANS = openac.8
+PLUTODIR = $(top_srcdir)/src/pluto
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/openac/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/openac/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ if test -f $$p \
+ || test -f $$p1 \
+ ; then \
+ f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
+ else :; fi; \
+ done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
+ done
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f $$p $$f"; \
+ rm -f $$p $$f ; \
+ done
+openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES)
+ @rm -f openac$(EXEEXT)
+ $(LINK) $(openac_LDFLAGS) $(openac_OBJECTS) $(openac_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/build.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openac.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+install-man8: $(man8_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS) $(MANS)
+installdirs:
+ for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-libtool distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-man
+
+install-exec-am:
+
+install-info: install-info-am
+
+install-man: install-man8
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-info-am uninstall-ipsecPROGRAMS uninstall-man
+
+uninstall-man: uninstall-man8
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-ipsecPROGRAMS clean-libtool ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-exec \
+ install-exec-am install-info install-info-am \
+ install-ipsecPROGRAMS install-man install-man8 install-strip \
+ installcheck installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-info-am \
+ uninstall-ipsecPROGRAMS uninstall-man uninstall-man8
+
+
+ac.o : $(PLUTODIR)/ac.c $(PLUTODIR)/ac.h
+ $(COMPILE) -c -o $@ $<
+
+asn1.o : $(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h
+ $(COMPILE) -c -o $@ $<
+
+ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h
+ $(COMPILE) -c -o $@ $<
+
+certs.o : $(PLUTODIR)/certs.c $(PLUTODIR)/certs.h
+ $(COMPILE) -c -o $@ $<
+
+constants.o : $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
+ $(COMPILE) -c -o $@ $<
+
+crl.o : $(PLUTODIR)/crl.c $(PLUTODIR)/crl.h
+ $(COMPILE) -c -o $@ $<
+
+defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
+ $(COMPILE) -c -o $@ $<
+
+mp_defs.o : $(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h
+ $(COMPILE) -c -o $@ $<
+
+fetch.o : $(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h
+ $(COMPILE) -c -o $@ $<
+
+id.o : $(PLUTODIR)/id.c $(PLUTODIR)/id.h
+ $(COMPILE) -c -o $@ $<
+
+keys.o : $(PLUTODIR)/keys.c $(PLUTODIR)/keys.h
+ $(COMPILE) -c -o $@ $<
+
+lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
+ $(COMPILE) -c -o $@ $<
+
+md2.o : $(PLUTODIR)/md2.c $(PLUTODIR)/md2.h
+ $(COMPILE) -c -o $@ $<
+
+md5.o : $(PLUTODIR)/md5.c $(PLUTODIR)/md5.h
+ $(COMPILE) -c -o $@ $<
+
+ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
+ $(COMPILE) -c -o $@ $<
+
+oid.o : $(PLUTODIR)/oid.c $(PLUTODIR)/oid.h
+ $(COMPILE) -c -o $@ $<
+
+pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
+ $(COMPILE) -c -o $@ $<
+
+pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h
+ $(COMPILE) -c -o $@ $<
+
+pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h
+ $(COMPILE) -c -o $@ $<
+
+rnd.o : $(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h
+ $(COMPILE) -c -o $@ $<
+
+sha1.o : $(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h
+ $(COMPILE) -c -o $@ $<
+
+smartcard.o : $(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h
+ $(COMPILE) -c -o $@ $<
+
+x509.o : $(PLUTODIR)/x509.c $(PLUTODIR)/x509.h
+ $(COMPILE) -c -o $@ $<
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/programs/openac/build.c b/src/openac/build.c
index bd3df6fee..bd3df6fee 100644
--- a/programs/openac/build.c
+++ b/src/openac/build.c
diff --git a/programs/openac/build.h b/src/openac/build.h
index deeddda04..deeddda04 100644
--- a/programs/openac/build.h
+++ b/src/openac/build.h
diff --git a/programs/openac/loglite.c b/src/openac/loglite.c
index b1763cc9f..4219eb707 100644
--- a/programs/openac/loglite.c
+++ b/src/openac/loglite.c
@@ -30,10 +30,10 @@
#include <freeswan.h>
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
-#include "../pluto/whack.h"
+#include <constants.h>
+#include <defs.h>
+#include <log.h>
+#include <whack.h>
bool
log_to_stderr = FALSE, /* should log go to stderr? */
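Review bot: The new `#include <constants.h>`, `<defs.h>`, `<log.h>` and `<whack.h>` use angle brackets for project headers with very generic names, so which file is picked up now depends entirely on the order of the -I directories given in the Makefile. Quoted includes, e.g. `#include "constants.h"`, still fall back to the same -I path but make it clear these are project headers. The declaration that begins at `bool` continues outside the hunk.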
diff --git a/programs/openac/openac.8 b/src/openac/openac.8
index 8e609a1b1..8e609a1b1 100644
--- a/programs/openac/openac.8
+++ b/src/openac/openac.8
diff --git a/programs/openac/openac.c b/src/openac/openac.c
index 524a302d7..00f287b3a 100755
--- a/programs/openac/openac.c
+++ b/src/openac/openac.c
@@ -40,8 +40,8 @@
#include "build.h"
-#define OPENAC_PATH "/etc/openac"
-#define OPENAC_SERIAL "/etc/openac/serial"
+#define OPENAC_PATH IPSEC_CONFDIR "/openac"
+#define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
const char openac_version[] = "openac 0.3";
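Review bot: `OPENAC_PATH` and `OPENAC_SERIAL` now depend on `IPSEC_CONFDIR` being supplied with -D on the compiler command line, and nothing in this hunk guards against it being missing or documents that. A guard such as `#ifndef IPSEC_CONFDIR` followed by `#error "IPSEC_CONFDIR must be defined by the build"` above the two defines would give a clear message instead of a syntax error. The serial file also moves from /etc/openac/serial to a location under the configured directory, so an installation built with a different confdir would presumably start from a missing serial file. How openac.c handles that is outside this hunk and worth confirming, since reused serial numbers make issued certificates harder to revoke and audit.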
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
new file mode 100644
index 000000000..b1b848c76
--- /dev/null
+++ b/src/pluto/Makefile.am
@@ -0,0 +1,140 @@
+# Makefile.am was ported from the old Makefile the most
+# painless way. Only the most important options are included,
+# further work may be necessary here...
+
+ipsec_PROGRAMS = pluto _pluto_adns
+
+pluto_SOURCES = \
+ac.c ac.h \
+alg_info.c alg_info.h \
+asn1.c asn1.h \
+ca.c ca.h \
+certs.c certs.h \
+connections.c connections.h \
+constants.c constants.h \
+cookie.c cookie.h \
+crl.c crl.h \
+crypto.c crypto.h \
+db_ops.c db_ops.h \
+defs.c defs.h \
+demux.c demux.h \
+dnskey.c dnskey.h \
+dsa.c dsa.h \
+elgamal.c elgamal.h \
+fetch.c fetch.h \
+foodgroups.c foodgroups.h \
+gcryptfix.c gcryptfix.h \
+id.c id.h \
+ike_alg.c ike_alg.h \
+ipsec_doi.c ipsec_doi.h \
+kameipsec.h \
+kernel.c kernel.h \
+kernel_alg.c kernel_alg.h \
+kernel_netlink.c kernel_netlink.h \
+kernel_noklips.c kernel_noklips.h \
+kernel_pfkey.c kernel_pfkey.h \
+keys.c keys.h \
+lex.c lex.h \
+log.c log.h \
+md2.c md2.h \
+md5.c md5.h \
+modecfg.c modecfg.h \
+mp_defs.c mp_defs.h \
+nat_traversal.c nat_traversal.h \
+ocsp.c ocsp.h \
+oid.c oid.h \
+packet.c packet.h \
+pem.c pem.h \
+pgp.c pgp.h \
+pkcs1.c pkcs1.h \
+pkcs7.c pkcs7.h \
+plutomain.c \
+primegen.c smallprime.c \
+rcv_whack.c rcv_whack.h \
+rnd.c rnd.h \
+server.c server.h \
+sha1.c sha1.h \
+smartcard.c smartcard.h \
+spdb.c spdb.h \
+state.c state.h \
+timer.c timer.h \
+vendor.c vendor.h \
+virtual.c virtual.h \
+xauth.c xauth.h \
+x509.c x509.h \
+alg/ike_alg_aes.c alg/ike_alg_blowfish.c alg/ike_alg_twofish.c \
+alg/ike_alg_serpent.c alg/ike_alg_sha2.c alg/ike_alginit.c \
+linux26/netlink.h linux26/rtnetlink.h linux26/xfrm.h \
+rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
+
+_pluto_adns_SOURCES = adns.c adns.h
+
+INCLUDES = \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libcrypto \
+-I$(top_srcdir)/src/whack
+
+AM_CFLAGS = \
+-DIPSEC_DIR=\"${ipsecdir}\" \
+-DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_PIDDIR=\"${piddir}\" \
+-DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" \
+-DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \
+-DPLUTO -DKLIPS -DDEBUG -DTHREADS
+
+pluto_LDADD = \
+$(top_srcdir)/src/libfreeswan/libfreeswan.a \
+$(top_srcdir)/src/libcrypto/libcrypto.a \
+-lgmp -lresolv -lpthread -ldl
+
+_pluto_adns_LDADD = \
+$(top_srcdir)/src/libfreeswan/libfreeswan.a \
+-lresolv -ldl
+
+dist_man_MANS = pluto.8 ipsec.secrets.5
+EXTRA_DIST = oid.pl oid.txt
+BUILT_SOURCES = oid.c oid.h
+MAINTAINERCLEANFILES = oid.c oid.h
+
+oid.c: oid.txt oid.pl
+ $(PERL) oid.pl
+
+oid.h: oid.txt oid.pl
+ $(PERL) oid.pl
+
+# This compile option activates the sending of a strongSwan VID
+if USE_VENDORID
+ AM_CFLAGS += -DVENDORID
+endif
+
+# This compile option activates the support of the Cisco VPN client
+if USE_CISCO_QUIRKS
+ AM_CFLAGS += -DCISCO_QUIRKS
+endif
+
+# This compile option activates NAT traversal with IPSec transport mode
+if USE_NAT_TRANSPORT
+ AM_CFLAGS += -DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
+endif
+
+# This compile option activates dynamic URL fetching using libcurl
+if USE_LIBCURL
+ pluto_LDADD += -lcurl
+endif
+
+# This compile option activates dynamic LDAP CRL fetching
+if USE_LIBLDAP
+ pluto_LDADD += -lldap -llber
+endif
+
+install-exec-local :
+ mkdir -p -m 755 $(confdir)/ipsec.d
+ mkdir -p -m 755 $(confdir)/ipsec.d/cacerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/ocspcerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/certs
+ mkdir -p -m 755 $(confdir)/ipsec.d/acerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/aacerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/crls
+ mkdir -p -m 755 $(confdir)/ipsec.d/reqs
+ mkdir -p -m 700 $(confdir)/ipsec.d/private
+
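Review bot: The `install-exec-local` rule creates the `ipsec.d` tree directly under `$(confdir)` and omits `$(DESTDIR)`, so a staged or packaging install (`make install DESTDIR=...`) writes into the live filesystem of the build host instead of the staging root. Every `mkdir` line should take the prefix, e.g. `mkdir -p -m 700 $(DESTDIR)$(confdir)/ipsec.d/private`. Separately, `mkdir -p -m 700` applies the mode only when it creates the directory: if `private` already exists with looser permissions from an earlier install, it keeps them and the private keys stay readable to other users. An explicit `chmod 700 $(DESTDIR)$(confdir)/ipsec.d/private` after the `mkdir` closes that gap.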
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
new file mode 100644
index 000000000..1f996a065
--- /dev/null
+++ b/src/pluto/Makefile.in
@@ -0,0 +1,878 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# Makefile.am was ported from the old Makefile the most
+# painless way. Only the most important options are included,
+# further work may be necessary here...
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT)
+
+# This compile option activates the sending of a strongSwan VID
+@USE_VENDORID_TRUE@am__append_1 = -DVENDORID
+
+# This compile option activates the support of the Cisco VPN client
+@USE_CISCO_QUIRKS_TRUE@am__append_2 = -DCISCO_QUIRKS
+
+# This compile option activates NAT traversal with IPSec transport mode
+@USE_NAT_TRANSPORT_TRUE@am__append_3 = -DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
+
+# This compile option activates dynamic URL fetching using libcurl
+@USE_LIBCURL_TRUE@am__append_4 = -lcurl
+
+# This compile option activates dynamic LDAP CRL fetching
+@USE_LIBLDAP_TRUE@am__append_5 = -lldap -llber
+subdir = src/pluto
+DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in TODO
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" \
+ "$(DESTDIR)$(man8dir)"
+ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(ipsec_PROGRAMS)
+am__pluto_adns_OBJECTS = adns.$(OBJEXT)
+_pluto_adns_OBJECTS = $(am__pluto_adns_OBJECTS)
+_pluto_adns_DEPENDENCIES = \
+ $(top_srcdir)/src/libfreeswan/libfreeswan.a
+am_pluto_OBJECTS = ac.$(OBJEXT) alg_info.$(OBJEXT) asn1.$(OBJEXT) \
+ ca.$(OBJEXT) certs.$(OBJEXT) connections.$(OBJEXT) \
+ constants.$(OBJEXT) cookie.$(OBJEXT) crl.$(OBJEXT) \
+ crypto.$(OBJEXT) db_ops.$(OBJEXT) defs.$(OBJEXT) \
+ demux.$(OBJEXT) dnskey.$(OBJEXT) dsa.$(OBJEXT) \
+ elgamal.$(OBJEXT) fetch.$(OBJEXT) foodgroups.$(OBJEXT) \
+ gcryptfix.$(OBJEXT) id.$(OBJEXT) ike_alg.$(OBJEXT) \
+ ipsec_doi.$(OBJEXT) kernel.$(OBJEXT) kernel_alg.$(OBJEXT) \
+ kernel_netlink.$(OBJEXT) kernel_noklips.$(OBJEXT) \
+ kernel_pfkey.$(OBJEXT) keys.$(OBJEXT) lex.$(OBJEXT) \
+ log.$(OBJEXT) md2.$(OBJEXT) md5.$(OBJEXT) modecfg.$(OBJEXT) \
+ mp_defs.$(OBJEXT) nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) \
+ oid.$(OBJEXT) packet.$(OBJEXT) pem.$(OBJEXT) pgp.$(OBJEXT) \
+ pkcs1.$(OBJEXT) pkcs7.$(OBJEXT) plutomain.$(OBJEXT) \
+ primegen.$(OBJEXT) smallprime.$(OBJEXT) rcv_whack.$(OBJEXT) \
+ rnd.$(OBJEXT) server.$(OBJEXT) sha1.$(OBJEXT) \
+ smartcard.$(OBJEXT) spdb.$(OBJEXT) state.$(OBJEXT) \
+ timer.$(OBJEXT) vendor.$(OBJEXT) virtual.$(OBJEXT) \
+ xauth.$(OBJEXT) x509.$(OBJEXT) ike_alg_aes.$(OBJEXT) \
+ ike_alg_blowfish.$(OBJEXT) ike_alg_twofish.$(OBJEXT) \
+ ike_alg_serpent.$(OBJEXT) ike_alg_sha2.$(OBJEXT) \
+ ike_alginit.$(OBJEXT)
+pluto_OBJECTS = $(am_pluto_OBJECTS)
+am__DEPENDENCIES_1 =
+pluto_DEPENDENCIES = $(top_srcdir)/src/libfreeswan/libfreeswan.a \
+ $(top_srcdir)/src/libcrypto/libcrypto.a $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(srcdir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES)
+DIST_SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES)
+man5dir = $(mandir)/man5
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(dist_man_MANS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+pluto_SOURCES = \
+ac.c ac.h \
+alg_info.c alg_info.h \
+asn1.c asn1.h \
+ca.c ca.h \
+certs.c certs.h \
+connections.c connections.h \
+constants.c constants.h \
+cookie.c cookie.h \
+crl.c crl.h \
+crypto.c crypto.h \
+db_ops.c db_ops.h \
+defs.c defs.h \
+demux.c demux.h \
+dnskey.c dnskey.h \
+dsa.c dsa.h \
+elgamal.c elgamal.h \
+fetch.c fetch.h \
+foodgroups.c foodgroups.h \
+gcryptfix.c gcryptfix.h \
+id.c id.h \
+ike_alg.c ike_alg.h \
+ipsec_doi.c ipsec_doi.h \
+kameipsec.h \
+kernel.c kernel.h \
+kernel_alg.c kernel_alg.h \
+kernel_netlink.c kernel_netlink.h \
+kernel_noklips.c kernel_noklips.h \
+kernel_pfkey.c kernel_pfkey.h \
+keys.c keys.h \
+lex.c lex.h \
+log.c log.h \
+md2.c md2.h \
+md5.c md5.h \
+modecfg.c modecfg.h \
+mp_defs.c mp_defs.h \
+nat_traversal.c nat_traversal.h \
+ocsp.c ocsp.h \
+oid.c oid.h \
+packet.c packet.h \
+pem.c pem.h \
+pgp.c pgp.h \
+pkcs1.c pkcs1.h \
+pkcs7.c pkcs7.h \
+plutomain.c \
+primegen.c smallprime.c \
+rcv_whack.c rcv_whack.h \
+rnd.c rnd.h \
+server.c server.h \
+sha1.c sha1.h \
+smartcard.c smartcard.h \
+spdb.c spdb.h \
+state.c state.h \
+timer.c timer.h \
+vendor.c vendor.h \
+virtual.c virtual.h \
+xauth.c xauth.h \
+x509.c x509.h \
+alg/ike_alg_aes.c alg/ike_alg_blowfish.c alg/ike_alg_twofish.c \
+alg/ike_alg_serpent.c alg/ike_alg_sha2.c alg/ike_alginit.c \
+linux26/netlink.h linux26/rtnetlink.h linux26/xfrm.h \
+rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h
+
+_pluto_adns_SOURCES = adns.c adns.h
+INCLUDES = \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/libcrypto \
+-I$(top_srcdir)/src/whack
+
+AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
+ -DIPSEC_PIDDIR=\"${piddir}\" \
+ -DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" \
+ -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO \
+ -DKLIPS -DDEBUG -DTHREADS $(am__append_1) $(am__append_2) \
+ $(am__append_3)
+pluto_LDADD = $(top_srcdir)/src/libfreeswan/libfreeswan.a \
+ $(top_srcdir)/src/libcrypto/libcrypto.a -lgmp -lresolv \
+ -lpthread -ldl $(am__append_4) $(am__append_5)
+_pluto_adns_LDADD = \
+$(top_srcdir)/src/libfreeswan/libfreeswan.a \
+-lresolv -ldl
+
+dist_man_MANS = pluto.8 ipsec.secrets.5
+EXTRA_DIST = oid.pl oid.txt
+BUILT_SOURCES = oid.c oid.h
+MAINTAINERCLEANFILES = oid.c oid.h
+all: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/pluto/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/pluto/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ if test -f $$p \
+ || test -f $$p1 \
+ ; then \
+ f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
+ else :; fi; \
+ done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
+ done
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f $$p $$f"; \
+ rm -f $$p $$f ; \
+ done
+_pluto_adns$(EXEEXT): $(_pluto_adns_OBJECTS) $(_pluto_adns_DEPENDENCIES)
+ @rm -f _pluto_adns$(EXEEXT)
+ $(LINK) $(_pluto_adns_LDFLAGS) $(_pluto_adns_OBJECTS) $(_pluto_adns_LDADD) $(LIBS)
+pluto$(EXEEXT): $(pluto_OBJECTS) $(pluto_DEPENDENCIES)
+ @rm -f pluto$(EXEEXT)
+ $(LINK) $(pluto_LDFLAGS) $(pluto_OBJECTS) $(pluto_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ac.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/adns.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/alg_info.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ca.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certs.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connections.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constants.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cookie.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crl.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/db_ops.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/defs.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/demux.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnskey.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dsa.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/elgamal.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetch.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/foodgroups.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gcryptfix.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_aes.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_blowfish.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_serpent.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_sha2.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alg_twofish.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_alginit.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_doi.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_alg.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_noklips.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfkey.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keys.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lex.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md2.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/modecfg.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mp_defs.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nat_traversal.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pgp.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs1.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plutomain.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/primegen.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rcv_whack.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rnd.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/server.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smallprime.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smartcard.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/spdb.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/state.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/timer.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vendor.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/virtual.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+ike_alg_aes.o: alg/ike_alg_aes.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_aes.o -MD -MP -MF "$(DEPDIR)/ike_alg_aes.Tpo" -c -o ike_alg_aes.o `test -f 'alg/ike_alg_aes.c' || echo '$(srcdir)/'`alg/ike_alg_aes.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_aes.Tpo" "$(DEPDIR)/ike_alg_aes.Po"; else rm -f "$(DEPDIR)/ike_alg_aes.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_aes.c' object='ike_alg_aes.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_aes.o `test -f 'alg/ike_alg_aes.c' || echo '$(srcdir)/'`alg/ike_alg_aes.c
+
+ike_alg_aes.obj: alg/ike_alg_aes.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_aes.obj -MD -MP -MF "$(DEPDIR)/ike_alg_aes.Tpo" -c -o ike_alg_aes.obj `if test -f 'alg/ike_alg_aes.c'; then $(CYGPATH_W) 'alg/ike_alg_aes.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_aes.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_aes.Tpo" "$(DEPDIR)/ike_alg_aes.Po"; else rm -f "$(DEPDIR)/ike_alg_aes.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_aes.c' object='ike_alg_aes.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_aes.obj `if test -f 'alg/ike_alg_aes.c'; then $(CYGPATH_W) 'alg/ike_alg_aes.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_aes.c'; fi`
+
+ike_alg_blowfish.o: alg/ike_alg_blowfish.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_blowfish.o -MD -MP -MF "$(DEPDIR)/ike_alg_blowfish.Tpo" -c -o ike_alg_blowfish.o `test -f 'alg/ike_alg_blowfish.c' || echo '$(srcdir)/'`alg/ike_alg_blowfish.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_blowfish.Tpo" "$(DEPDIR)/ike_alg_blowfish.Po"; else rm -f "$(DEPDIR)/ike_alg_blowfish.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_blowfish.c' object='ike_alg_blowfish.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_blowfish.o `test -f 'alg/ike_alg_blowfish.c' || echo '$(srcdir)/'`alg/ike_alg_blowfish.c
+
+ike_alg_blowfish.obj: alg/ike_alg_blowfish.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_blowfish.obj -MD -MP -MF "$(DEPDIR)/ike_alg_blowfish.Tpo" -c -o ike_alg_blowfish.obj `if test -f 'alg/ike_alg_blowfish.c'; then $(CYGPATH_W) 'alg/ike_alg_blowfish.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_blowfish.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_blowfish.Tpo" "$(DEPDIR)/ike_alg_blowfish.Po"; else rm -f "$(DEPDIR)/ike_alg_blowfish.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_blowfish.c' object='ike_alg_blowfish.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_blowfish.obj `if test -f 'alg/ike_alg_blowfish.c'; then $(CYGPATH_W) 'alg/ike_alg_blowfish.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_blowfish.c'; fi`
+
+ike_alg_twofish.o: alg/ike_alg_twofish.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_twofish.o -MD -MP -MF "$(DEPDIR)/ike_alg_twofish.Tpo" -c -o ike_alg_twofish.o `test -f 'alg/ike_alg_twofish.c' || echo '$(srcdir)/'`alg/ike_alg_twofish.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_twofish.Tpo" "$(DEPDIR)/ike_alg_twofish.Po"; else rm -f "$(DEPDIR)/ike_alg_twofish.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_twofish.c' object='ike_alg_twofish.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_twofish.o `test -f 'alg/ike_alg_twofish.c' || echo '$(srcdir)/'`alg/ike_alg_twofish.c
+
+ike_alg_twofish.obj: alg/ike_alg_twofish.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_twofish.obj -MD -MP -MF "$(DEPDIR)/ike_alg_twofish.Tpo" -c -o ike_alg_twofish.obj `if test -f 'alg/ike_alg_twofish.c'; then $(CYGPATH_W) 'alg/ike_alg_twofish.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_twofish.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_twofish.Tpo" "$(DEPDIR)/ike_alg_twofish.Po"; else rm -f "$(DEPDIR)/ike_alg_twofish.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_twofish.c' object='ike_alg_twofish.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_twofish.obj `if test -f 'alg/ike_alg_twofish.c'; then $(CYGPATH_W) 'alg/ike_alg_twofish.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_twofish.c'; fi`
+
+ike_alg_serpent.o: alg/ike_alg_serpent.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_serpent.o -MD -MP -MF "$(DEPDIR)/ike_alg_serpent.Tpo" -c -o ike_alg_serpent.o `test -f 'alg/ike_alg_serpent.c' || echo '$(srcdir)/'`alg/ike_alg_serpent.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_serpent.Tpo" "$(DEPDIR)/ike_alg_serpent.Po"; else rm -f "$(DEPDIR)/ike_alg_serpent.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_serpent.c' object='ike_alg_serpent.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_serpent.o `test -f 'alg/ike_alg_serpent.c' || echo '$(srcdir)/'`alg/ike_alg_serpent.c
+
+ike_alg_serpent.obj: alg/ike_alg_serpent.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_serpent.obj -MD -MP -MF "$(DEPDIR)/ike_alg_serpent.Tpo" -c -o ike_alg_serpent.obj `if test -f 'alg/ike_alg_serpent.c'; then $(CYGPATH_W) 'alg/ike_alg_serpent.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_serpent.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_serpent.Tpo" "$(DEPDIR)/ike_alg_serpent.Po"; else rm -f "$(DEPDIR)/ike_alg_serpent.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_serpent.c' object='ike_alg_serpent.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_serpent.obj `if test -f 'alg/ike_alg_serpent.c'; then $(CYGPATH_W) 'alg/ike_alg_serpent.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_serpent.c'; fi`
+
+ike_alg_sha2.o: alg/ike_alg_sha2.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_sha2.o -MD -MP -MF "$(DEPDIR)/ike_alg_sha2.Tpo" -c -o ike_alg_sha2.o `test -f 'alg/ike_alg_sha2.c' || echo '$(srcdir)/'`alg/ike_alg_sha2.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_sha2.Tpo" "$(DEPDIR)/ike_alg_sha2.Po"; else rm -f "$(DEPDIR)/ike_alg_sha2.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_sha2.c' object='ike_alg_sha2.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_sha2.o `test -f 'alg/ike_alg_sha2.c' || echo '$(srcdir)/'`alg/ike_alg_sha2.c
+
+ike_alg_sha2.obj: alg/ike_alg_sha2.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alg_sha2.obj -MD -MP -MF "$(DEPDIR)/ike_alg_sha2.Tpo" -c -o ike_alg_sha2.obj `if test -f 'alg/ike_alg_sha2.c'; then $(CYGPATH_W) 'alg/ike_alg_sha2.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_sha2.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alg_sha2.Tpo" "$(DEPDIR)/ike_alg_sha2.Po"; else rm -f "$(DEPDIR)/ike_alg_sha2.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alg_sha2.c' object='ike_alg_sha2.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alg_sha2.obj `if test -f 'alg/ike_alg_sha2.c'; then $(CYGPATH_W) 'alg/ike_alg_sha2.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alg_sha2.c'; fi`
+
+ike_alginit.o: alg/ike_alginit.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alginit.o -MD -MP -MF "$(DEPDIR)/ike_alginit.Tpo" -c -o ike_alginit.o `test -f 'alg/ike_alginit.c' || echo '$(srcdir)/'`alg/ike_alginit.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alginit.Tpo" "$(DEPDIR)/ike_alginit.Po"; else rm -f "$(DEPDIR)/ike_alginit.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alginit.c' object='ike_alginit.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alginit.o `test -f 'alg/ike_alginit.c' || echo '$(srcdir)/'`alg/ike_alginit.c
+
+ike_alginit.obj: alg/ike_alginit.c
+@am__fastdepCC_TRUE@ if $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_alginit.obj -MD -MP -MF "$(DEPDIR)/ike_alginit.Tpo" -c -o ike_alginit.obj `if test -f 'alg/ike_alginit.c'; then $(CYGPATH_W) 'alg/ike_alginit.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alginit.c'; fi`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/ike_alginit.Tpo" "$(DEPDIR)/ike_alginit.Po"; else rm -f "$(DEPDIR)/ike_alginit.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='alg/ike_alginit.c' object='ike_alginit.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_alginit.obj `if test -f 'alg/ike_alginit.c'; then $(CYGPATH_W) 'alg/ike_alginit.c'; else $(CYGPATH_W) '$(srcdir)/alg/ike_alginit.c'; fi`
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+install-man5: $(man5_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man5dir)" || $(mkdir_p) "$(DESTDIR)$(man5dir)"
+ @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.5*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 5*) ;; \
+ *) ext='5' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \
+ done
+uninstall-man5:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.5*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 5*) ;; \
+ *) ext='5' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
+ done
+install-man8: $(man8_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) check-am
+all-am: Makefile $(PROGRAMS) $(MANS)
+installdirs:
+ for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+ -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
+ -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-libtool distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-man
+
+install-exec-am: install-exec-local
+
+install-info: install-info-am
+
+install-man: install-man5 install-man8
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-info-am uninstall-ipsecPROGRAMS uninstall-man
+
+uninstall-man: uninstall-man5 uninstall-man8
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-ipsecPROGRAMS clean-libtool ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-exec \
+ install-exec-am install-exec-local install-info \
+ install-info-am install-ipsecPROGRAMS install-man install-man5 \
+ install-man8 install-strip installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
+ uninstall-am uninstall-info-am uninstall-ipsecPROGRAMS \
+ uninstall-man uninstall-man5 uninstall-man8
+
+
+oid.c: oid.txt oid.pl
+ $(PERL) oid.pl
+
+oid.h: oid.txt oid.pl
+ $(PERL) oid.pl
+
+install-exec-local :
+ mkdir -p -m 755 $(confdir)/ipsec.d
+ mkdir -p -m 755 $(confdir)/ipsec.d/cacerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/ocspcerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/certs
+ mkdir -p -m 755 $(confdir)/ipsec.d/acerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/aacerts
+ mkdir -p -m 755 $(confdir)/ipsec.d/crls
+ mkdir -p -m 755 $(confdir)/ipsec.d/reqs
+ mkdir -p -m 700 $(confdir)/ipsec.d/private
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/programs/pluto/TODO b/src/pluto/TODO
index 7db4a9ebc..7db4a9ebc 100644
--- a/programs/pluto/TODO
+++ b/src/pluto/TODO
diff --git a/programs/pluto/ac.c b/src/pluto/ac.c
index bcf5f80d1..bcf5f80d1 100644
--- a/programs/pluto/ac.c
+++ b/src/pluto/ac.c
diff --git a/programs/pluto/ac.h b/src/pluto/ac.h
index 3913d745d..3913d745d 100644
--- a/programs/pluto/ac.h
+++ b/src/pluto/ac.h
diff --git a/programs/pluto/adns.c b/src/pluto/adns.c
index c5977d23c..c5977d23c 100644
--- a/programs/pluto/adns.c
+++ b/src/pluto/adns.c
diff --git a/programs/pluto/adns.h b/src/pluto/adns.h
index 00fc4ad07..00fc4ad07 100644
--- a/programs/pluto/adns.h
+++ b/src/pluto/adns.h
diff --git a/programs/pluto/alg/ike_alg_aes.c b/src/pluto/alg/ike_alg_aes.c
index 44de09b4c..44de09b4c 100644
--- a/programs/pluto/alg/ike_alg_aes.c
+++ b/src/pluto/alg/ike_alg_aes.c
diff --git a/programs/pluto/alg/ike_alg_blowfish.c b/src/pluto/alg/ike_alg_blowfish.c
index 2bbef051b..2bbef051b 100644
--- a/programs/pluto/alg/ike_alg_blowfish.c
+++ b/src/pluto/alg/ike_alg_blowfish.c
diff --git a/programs/pluto/alg/ike_alg_serpent.c b/src/pluto/alg/ike_alg_serpent.c
index fb01caa41..fb01caa41 100644
--- a/programs/pluto/alg/ike_alg_serpent.c
+++ b/src/pluto/alg/ike_alg_serpent.c
diff --git a/programs/pluto/alg/ike_alg_sha2.c b/src/pluto/alg/ike_alg_sha2.c
index 6b7c8438c..6b7c8438c 100644
--- a/programs/pluto/alg/ike_alg_sha2.c
+++ b/src/pluto/alg/ike_alg_sha2.c
diff --git a/programs/pluto/alg/ike_alg_twofish.c b/src/pluto/alg/ike_alg_twofish.c
index 1788bc394..1788bc394 100644
--- a/programs/pluto/alg/ike_alg_twofish.c
+++ b/src/pluto/alg/ike_alg_twofish.c
diff --git a/src/pluto/alg/ike_alginit.c b/src/pluto/alg/ike_alginit.c
new file mode 100644
index 000000000..8784bf31b
--- /dev/null
+++ b/src/pluto/alg/ike_alginit.c
@@ -0,0 +1,7 @@
+extern int ike_alg_init(void); int ike_alg_init(void) {
+{ extern int ike_alg_aes_init (void); ike_alg_aes_init();}
+{ extern int ike_alg_blowfish_init (void); ike_alg_blowfish_init();}
+{ extern int ike_alg_serpent_init (void); ike_alg_serpent_init();}
+{ extern int ike_alg_sha2_init (void); ike_alg_sha2_init();}
+{ extern int ike_alg_twofish_init (void); ike_alg_twofish_init();}
+return 0;}
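Review bot: Every `ike_alg_*_init()` result is discarded and `ike_alg_init()` returns 0 unconditionally, so a caller cannot tell that an IKE algorithm failed to register. The init functions are declared `int`, but their return convention is not visible here. Assuming a negative value means failure, collect it per call, e.g. `{ extern int ike_alg_aes_init (void); if (ike_alg_aes_init() < 0) ret = -1; }`, with `int ret = 0;` at the top and `return ret;` at the end. If this file is emitted by a build script, the change belongs in the generator rather than here.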
diff --git a/programs/pluto/alg_info.c b/src/pluto/alg_info.c
index af2753312..ac5d1672f 100644
--- a/programs/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -2,7 +2,7 @@
* Algorithm info parsing and creation functions
* Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
*
- * $Id: alg_info.c,v 1.6 2006/08/03 10:18:21 as Exp $
+ * $Id: alg_info.c,v 1.5 2004/09/29 22:42:49 as Exp $
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -26,7 +26,7 @@
#include <ctype.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include <pfkeyv2.h>
#include "alg_info.h"
diff --git a/programs/pluto/alg_info.h b/src/pluto/alg_info.h
index cd2011dcc..cd2011dcc 100644
--- a/programs/pluto/alg_info.h
+++ b/src/pluto/alg_info.h
diff --git a/programs/pluto/asn1.c b/src/pluto/asn1.c
index 0663bc490..0663bc490 100644
--- a/programs/pluto/asn1.c
+++ b/src/pluto/asn1.c
diff --git a/programs/pluto/asn1.h b/src/pluto/asn1.h
index 2a3fb3e9e..2a3fb3e9e 100644
--- a/programs/pluto/asn1.h
+++ b/src/pluto/asn1.h
diff --git a/programs/pluto/ca.c b/src/pluto/ca.c
index c1e0261d8..d1be22e2f 100644
--- a/programs/pluto/ca.c
+++ b/src/pluto/ca.c
@@ -23,7 +23,7 @@
#include <sys/types.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
#include "defs.h"
diff --git a/programs/pluto/ca.h b/src/pluto/ca.h
index 8d4602dc6..8d4602dc6 100644
--- a/programs/pluto/ca.h
+++ b/src/pluto/ca.h
diff --git a/programs/pluto/certs.c b/src/pluto/certs.c
index 92b40605f..779646a98 100644
--- a/programs/pluto/certs.c
+++ b/src/pluto/certs.c
@@ -19,7 +19,7 @@
#include <string.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
#include "defs.h"
diff --git a/programs/pluto/certs.h b/src/pluto/certs.h
index cca128965..ca5acd35a 100644
--- a/programs/pluto/certs.h
+++ b/src/pluto/certs.h
@@ -24,14 +24,14 @@
/* path definitions for private keys, end certs,
* cacerts, attribute certs and crls
*/
-#define PRIVATE_KEY_PATH "/etc/ipsec.d/private"
-#define HOST_CERT_PATH "/etc/ipsec.d/certs"
-#define CA_CERT_PATH "/etc/ipsec.d/cacerts"
-#define A_CERT_PATH "/etc/ipsec.d/acerts"
-#define AA_CERT_PATH "/etc/ipsec.d/aacerts"
-#define OCSP_CERT_PATH "/etc/ipsec.d/ocspcerts"
-#define CRL_PATH "/etc/ipsec.d/crls"
-#define REQ_PATH "/etc/ipsec.d/reqs"
+#define PRIVATE_KEY_PATH IPSEC_CONFDIR "/ipsec.d/private"
+#define HOST_CERT_PATH IPSEC_CONFDIR "/ipsec.d/certs"
+#define CA_CERT_PATH IPSEC_CONFDIR "/ipsec.d/cacerts"
+#define A_CERT_PATH IPSEC_CONFDIR "/ipsec.d/acerts"
+#define AA_CERT_PATH IPSEC_CONFDIR "/ipsec.d/aacerts"
+#define OCSP_CERT_PATH IPSEC_CONFDIR "/ipsec.d/ocspcerts"
+#define CRL_PATH IPSEC_CONFDIR "/ipsec.d/crls"
+#define REQ_PATH IPSEC_CONFDIR "/ipsec.d/reqs"
/* advance warning of imminent expiry of
* cacerts, public keys, and crls
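Review bot: All eight path macros now depend on `IPSEC_CONFDIR`, but nothing in this hunk gives it a fallback, whereas constants.h in the same commit wraps `IPSEC_PIDDIR` in `#ifndef` with a default. If the build system always passes it with `-D` that is fine, but that is not visible here. A guarded default above the block keeps the previous behaviour for other consumers of the header: `#ifndef IPSEC_CONFDIR` / `# define IPSEC_CONFDIR "/etc"` / `#endif`. The block comment should also say that `PRIVATE_KEY_PATH` now follows the configured prefix, so the private key directory must keep its restrictive mode wherever it ends up. The Makefile's install-exec-local creates it with `-m 700` under `$(confdir)`.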
diff --git a/programs/pluto/connections.c b/src/pluto/connections.c
index 93b3bd2b6..0d02b979c 100644
--- a/programs/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: connections.c,v 1.47 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: connections.c,v 1.43 2006/04/29 18:16:02 as Exp $
*/
#include <string.h>
@@ -29,7 +29,7 @@
#include <sys/queue.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "kameipsec.h"
#include "constants.h"
@@ -58,14 +58,8 @@
#include "whack.h"
#include "alg_info.h"
#include "ike_alg.h"
-#include "kernel_alg.h"
-#ifdef NAT_TRAVERSAL
#include "nat_traversal.h"
-#endif
-
-#ifdef VIRTUAL_IP
#include "virtual.h"
-#endif
static void flush_pending_by_connection(struct connection *c); /* forward */
@@ -115,7 +109,6 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport
if (hisaddr == NULL)
hisaddr = aftoinfo(addrtypeof(myaddr))->any;
-#ifdef NAT_TRAVERSAL
if (nat_traversal_enabled)
{
/**
@@ -125,7 +118,6 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport
myport = pluto_port;
hisport = pluto_port;
}
-#endif
for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next)
{
@@ -151,19 +143,17 @@ find_host_pair_connections(const ip_address *myaddr, u_int16_t myport
{
struct host_pair *hp = find_host_pair(myaddr, myport, hisaddr, hisport);
-#ifdef NAT_TRAVERSAL
if (nat_traversal_enabled && hp && hisaddr)
{
struct connection *c;
+
for (c = hp->connections; c != NULL; c = c->hp_next)
{
- if ((c->spd.this.host_port==myport) && (c->spd.that.host_port==hisport))
+ if (c->spd.this.host_port == myport && c->spd.that.host_port == hisport)
return c;
}
return NULL;
}
-#endif
-
return hp == NULL? NULL : hp->connections;
}
@@ -181,13 +171,8 @@ connect_to_host_pair(struct connection *c)
hp = alloc_thing(struct host_pair, "host_pair");
hp->me.addr = c->spd.this.host_addr;
hp->him.addr = c->spd.that.host_addr;
-#ifdef NAT_TRAVERSAL
hp->me.port = nat_traversal_enabled ? pluto_port : c->spd.this.host_port;
hp->him.port = nat_traversal_enabled ? pluto_port : c->spd.that.host_port;
-#else
- hp->me.port = c->spd.this.host_port;
- hp->him.port = c->spd.that.host_port;
-#endif
hp->initial_connection_sent = FALSE;
hp->connections = NULL;
hp->pending = NULL;
@@ -314,7 +299,8 @@ delete_connection(struct connection *c, bool relations)
/* find and delete c from the host pair list */
if (c->host_pair == NULL)
{
- list_rm(struct connection, hp_next, c, unoriented_connections);
+ if (c->ikev1)
+ list_rm(struct connection, hp_next, c, unoriented_connections);
}
else
{
@@ -336,9 +322,8 @@ delete_connection(struct connection *c, bool relations)
}
}
-#ifdef VIRTUAL_IP
- if (c->kind != CK_GOING_AWAY) pfreeany(c->spd.that.virt);
-#endif
+ if (c->kind != CK_GOING_AWAY)
+ pfreeany(c->spd.that.virt);
#ifdef DEBUG
cur_debugging = old_cur_debugging;
@@ -354,7 +339,7 @@ delete_connection(struct connection *c, bool relations)
free_ietfAttrList(c->spd.that.groups);
free_generalNames(c->requested_ca, TRUE);
gw_delref(&c->gw_info);
-
+
lock_certs_and_keys("delete_connection");
release_cert(c->spd.this.cert);
scx_release(c->spd.this.sc);
@@ -364,7 +349,7 @@ delete_connection(struct connection *c, bool relations)
alg_info_delref((struct alg_info **)&c->alg_info_esp);
alg_info_delref((struct alg_info **)&c->alg_info_ike);
-
+
pfree(c);
}
@@ -576,12 +561,10 @@ format_end(char *buf
client[0] = '\0';
-#ifdef VIRTUAL_IP
if (is_virtual_end(this) && isanyaddr(&this->host_addr))
{
host = "%virtual";
}
-#endif
/* [client===] */
if (this->has_client)
@@ -920,14 +903,14 @@ check_connection_end(const whack_end_t *this, const whack_end_t *that
return FALSE;
}
}
-#ifdef VIRTUAL_IP
+
if (this->virt && (!isanyaddr(&this->host_addr) || this->has_client))
{
loglog(RC_CLASH,
"virtual IP must only be used with %%any and without client");
return FALSE;
}
-#endif
+
return TRUE; /* happy */
}
@@ -984,8 +967,8 @@ add_connection(const whack_message_t *wm)
bool same_rightca, same_leftca;
struct connection *c = alloc_thing(struct connection, "struct connection");
- c->name = wm->name;
-
+ c->name = wm->name;
+ c->ikev1 = wm->ikev1;
c->policy = wm->policy;
if ((c->policy & POLICY_COMPRESS) && !can_do_IPcomp)
@@ -1060,10 +1043,10 @@ add_connection(const whack_message_t *wm)
c->sa_keying_tries = wm->sa_keying_tries;
/* RFC 3706 DPD */
- c->dpd_delay = wm->dpd_delay;
- c->dpd_timeout = wm->dpd_timeout;
- c->dpd_action = wm->dpd_action;
-
+ c->dpd_delay = wm->dpd_delay;
+ c->dpd_timeout = wm->dpd_timeout;
+ c->dpd_action = wm->dpd_action;
+
c->addr_family = wm->addr_family;
c->tunnel_addr_family = wm->tunnel_addr_family;
@@ -1130,7 +1113,6 @@ add_connection(const whack_message_t *wm)
c->gw_info = NULL;
-#ifdef VIRTUAL_IP
passert(!(wm->left.virt && wm->right.virt));
if (wm->left.virt || wm->right.virt)
{
@@ -1140,11 +1122,12 @@ add_connection(const whack_message_t *wm)
if (c->spd.that.virt)
c->spd.that.has_client = TRUE;
}
-#endif
unshare_connection_strings(c);
(void)orient(c);
- connect_to_host_pair(c);
+
+ if (c->ikev1)
+ connect_to_host_pair(c);
/* log all about this connection */
plog("added connection description \"%s\"", c->name);
@@ -1223,13 +1206,11 @@ add_group_instance(struct connection *group, const ip_subnet *target)
t->spd.reqid = gen_reqid();
-#ifdef VIRTUAL_IP
if (t->spd.that.virt)
{
DBG_log("virtual_ip not supported in group instance");
t->spd.that.virt = NULL;
}
-#endif
/* add to connections list */
t->ac_next = connections;
@@ -1271,9 +1252,7 @@ remove_group_instance(const struct connection *group USED_BY_DEBUG
*/
static struct connection *
instantiate(struct connection *c, const ip_address *him
-#ifdef NAT_TRAVERSAL
, u_int16_t his_port
-#endif
, const struct id *his_id)
{
struct connection *d;
@@ -1298,9 +1277,9 @@ instantiate(struct connection *c, const ip_address *him
passert(oriented(*d));
d->spd.that.host_addr = *him;
setportof(htons(c->spd.that.port), &d->spd.that.host_addr);
-#ifdef NAT_TRAVERSAL
+
if (his_port) d->spd.that.host_port = his_port;
-#endif
+
default_end(&d->spd.that, &d->spd.this.host_addr);
/* We cannot guess what our next_hop should be, but if it was
@@ -1330,23 +1309,11 @@ instantiate(struct connection *c, const ip_address *him
}
struct connection *
-rw_instantiate(struct connection *c
-, const ip_address *him
-#ifdef NAT_TRAVERSAL
-, u_int16_t his_port
-#endif
-#ifdef VIRTUAL_IP
-, const ip_subnet *his_net
-#endif
-, const struct id *his_id)
+rw_instantiate(struct connection *c, const ip_address *him, u_int16_t his_port
+, const ip_subnet *his_net, const struct id *his_id)
{
-#ifdef NAT_TRAVERSAL
struct connection *d = instantiate(c, him, his_port, his_id);
-#else
- struct connection *d = instantiate(c, him, his_id);
-#endif
-#ifdef VIRTUAL_IP
if (d && his_net && is_virtual_connection(c))
{
d->spd.that.client = *his_net;
@@ -1354,7 +1321,6 @@ rw_instantiate(struct connection *c
if (subnetishost(his_net) && addrinsubnet(him, his_net))
d->spd.that.has_client = FALSE;
}
-#endif
if (d->policy & POLICY_OPPO)
{
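Review bot: `if (d->policy & POLICY_OPPO)` dereferences `d` without a check, although the virtual-IP block just above it in rw_instantiate (previous hunk) tests `d &&` before touching it. Now that both blocks are always compiled, they should agree. If instantiate() can return NULL, guard this one too with `if (d != NULL && (d->policy & POLICY_OPPO))`; if it cannot, drop the `d &&` test so the code does not suggest otherwise. instantiate()'s return paths are not fully visible in this diff, and rw_instantiate's body continues outside the hunk.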
@@ -1377,11 +1343,7 @@ oppo_instantiate(struct connection *c
, const ip_address *our_client USED_BY_DEBUG
, const ip_address *peer_client)
{
-#ifdef NAT_TRAVERSAL
struct connection *d = instantiate(c, him, 0, his_id);
-#else
- struct connection *d = instantiate(c, him, his_id);
-#endif
passert(d->spd.next == NULL);
@@ -1513,13 +1475,12 @@ fmt_conn_instance(const struct connection *c, char buf[CONN_INST_BUF])
{
*p++ = ' ';
addrtot(&c->spd.that.host_addr, 0, p, ADDRTOT_BUF);
-#ifdef NAT_TRAVERSAL
+#
if (c->spd.that.host_port != pluto_port)
{
p += strlen(p);
sprintf(p, ":%d", c->spd.that.host_port);
}
-#endif
}
}
}
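Review bot: The removed `#ifdef NAT_TRAVERSAL` was replaced by a bare `#` line in fmt_conn_instance. A null directive compiles, but it is a leftover and should be deleted or turned into a blank line. Since the port suffix is now always compiled in, the `sprintf(p, ":%d", c->spd.that.host_port)` that follows is worth bounding against the `buf[CONN_INST_BUF]` parameter, e.g. `snprintf(p, buf + CONN_INST_BUF - p, ":%d", c->spd.that.host_port);`. The definition of `CONN_INST_BUF` is not visible here, so whether it already reserves room for the suffix needs confirming. The function starts outside the hunk.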
@@ -1778,9 +1739,9 @@ orient(struct connection *c)
*/
for (p = interfaces; p != NULL; p = p->next)
{
-#ifdef NAT_TRAVERSAL
- if (p->ike_float) continue;
-#endif
+ if (p->ike_float)
+ continue;
+
for (;;)
{
/* check if this interface matches this end */
@@ -1830,7 +1791,7 @@ initiate_connection(const char *name, int whackfd)
{
struct connection *c = con_by_name(name, TRUE);
- if (c != NULL)
+ if (c != NULL && c->ikev1)
{
set_cur_connection(c);
if (!oriented(*c))
@@ -2990,11 +2951,15 @@ terminate_connection(const char *nm)
/* Loop because more than one may match (master and instances)
* But at least one is required (enforced by con_by_name).
*/
- struct connection *c, *n;
+ struct connection *c = con_by_name(nm, TRUE);
+
+ if (c == NULL || !c->ikev1)
+ return;
- for (c = con_by_name(nm, TRUE); c != NULL; c = n)
+ do
{
- n = c->ac_next; /* grab this before c might disappear */
+ struct connection *n = c->ac_next; /* grab this before c might disappear */
+
if (streq(c->name, nm)
&& c->kind >= CK_PERMANENT
&& !NEVER_NEGOTIATE(c->policy))
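Review bot: The new `!c->ikev1` test in terminate_connection is applied only to the first connection returned by `con_by_name()`. The loop then walks `c->ac_next` and deletes states for every later entry that matches by name, without looking at that entry's `ikev1` flag. show_connections_status in this same commit tests the flag on each entry. For consistency, add it to the per-entry condition: `if (c->ikev1 && streq(c->name, nm)`. Whether same-named entries can differ in `ikev1` is not visible here. The early return is also silent, so a comment or log line saying why the request is ignored would help operators.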
@@ -3006,7 +2971,8 @@ terminate_connection(const char *nm)
delete_states_by_connection(c, FALSE);
reset_cur_connection();
}
- }
+ c = n;
+ } while (c != NULL);
}
/* check nexthop safety
@@ -3082,18 +3048,11 @@ ISAKMP_SA_established(struct connection *c, so_serial_t serial)
{
struct connection *next = d->ac_next; /* might move underneath us */
-#ifdef NAT_TRAVERSAL
if (d->kind >= CK_PERMANENT
&& same_id(&c->spd.this.id, &d->spd.this.id)
&& same_id(&c->spd.that.id, &d->spd.that.id)
&& (!sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr) ||
- (c->spd.that.host_port != d->spd.that.host_port)))
-#else
- if (d->kind >= CK_PERMANENT
- && same_id(&c->spd.this.id, &d->spd.this.id)
- && same_id(&c->spd.that.id, &d->spd.that.id)
- && !sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr))
-#endif
+ (c->spd.that.host_port != d->spd.that.host_port)))
{
release_connection(d, FALSE);
}
@@ -3434,11 +3393,11 @@ refine_host_connection(const struct state *st, const struct id *peer_id
if (d->policy & POLICY_GROUP)
continue;
-#ifdef NAT_TRAVERSAL
if (c->spd.that.host_port != d->spd.that.host_port
&& d->kind == CK_INSTANCE)
+ {
continue;
-#endif
+ }
switch (auth)
{
@@ -3506,7 +3465,6 @@ refine_host_connection(const struct state *st, const struct id *peer_id
}
}
-#ifdef VIRTUAL_IP
/**
* With virtual addressing, we must not allow someone to use an already
* used (by another id) addr/net.
@@ -3544,7 +3502,6 @@ is_virtual_net_used(const ip_subnet *peer_net, const struct id *peer_id)
}
return FALSE; /* you can safely use it */
}
-#endif
/* find_client_connection: given a connection suitable for ISAKMP
* (i.e. the hosts match), find a one suitable for IPSEC
@@ -3662,18 +3619,12 @@ fc_try(const struct connection *c
}
else
{
-#ifdef VIRTUAL_IP
- if ((!samesubnet(&sr->that.client, peer_net)) && (!is_virtual_connection(d)))
-#else
- if (!samesubnet(&sr->that.client, peer_net))
-#endif
+ if (!samesubnet(&sr->that.client, peer_net) && !is_virtual_connection(d))
continue;
-#ifdef VIRTUAL_IP
if (is_virtual_connection(d)
- && ( (!is_virtual_net_allowed(d, peer_net, &c->spd.that.host_addr))
+ && (!is_virtual_net_allowed(d, peer_net, &c->spd.that.host_addr)
|| is_virtual_net_used(peer_net, peer_id?peer_id:&c->spd.that.id)))
continue;
-#endif
}
}
else
@@ -4030,7 +3981,7 @@ show_connections_status(bool all, const char *name)
count = 0;
for (c = connections; c != NULL; c = c->ac_next)
{
- if (name == NULL || streq(c->name, name))
+ if (c->ikev1 && (name == NULL || streq(c->name, name)))
count++;
}
array = alloc_bytes(sizeof(struct connection *)*count, "connection array");
@@ -4038,7 +3989,7 @@ show_connections_status(bool all, const char *name)
count=0;
for (c = connections; c != NULL; c = c->ac_next)
{
- if (name == NULL || streq(c->name, name))
+ if (c->ikev1 && (name == NULL || streq(c->name, name)))
array[count++]=c;
}
@@ -4312,14 +4263,12 @@ update_pending(struct state *os, struct state *ns)
{
if (p->isakmp_sa == os)
p->isakmp_sa = ns;
-#ifdef NAT_TRAVERSAL
if (p->connection->spd.this.host_port != ns->st_connection->spd.this.host_port)
{
p->connection->spd.this.host_port = ns->st_connection->spd.this.host_port;
p->connection->spd.that.host_port = ns->st_connection->spd.that.host_port;
}
-#endif
- }
+ }
}
/* a Main Mode negotiation has failed; discard any pending */
diff --git a/programs/pluto/connections.h b/src/pluto/connections.h
index 33fbc3fea..df3af9dd4 100644
--- a/programs/pluto/connections.h
+++ b/src/pluto/connections.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: connections.h,v 1.19 2006/10/19 15:38:27 as Exp $
+ * RCSID $Id: connections.h,v 1.18 2006/04/22 21:59:20 as Exp $
*/
#ifndef _CONNECTIONS_H
@@ -126,9 +126,7 @@ typedef unsigned long policy_prio_t;
#define POLICY_PRIO_BUF (3+1+3+1)
extern void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]);
-#ifdef VIRTUAL_IP
struct virtual_t;
-#endif
struct end {
struct id id;
@@ -152,9 +150,7 @@ struct end {
chunk_t ca; /* CA distinguished name */
struct ietfAttrList *groups;/* access control groups */
smartcard_t *sc; /* smartcard reader and key info */
-#ifdef VIRTUAL_IP
struct virtual_t *virt;
-#endif
bool modecfg; /* this end: request local address from server */
/* that end: give local addresses to clients */
bool hostaccess; /* allow access to host via iptables INPUT/OUTPUT */
@@ -173,6 +169,8 @@ struct spd_route {
struct connection {
char *name;
+ bool ikev1;
+
lset_t policy;
time_t sa_ike_life_seconds;
time_t sa_ipsec_life_seconds;
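Review bot: The new `bool ikev1;` member of `struct connection` is undocumented, yet in connections.c it now gates host-pair linking, initiation, termination and status output. A one-line comment at the declaration would make that contract discoverable, e.g. `bool ikev1; /* copied from wm->ikev1; when FALSE this daemon neither links, initiates nor terminates the connection */`. What handles a connection with the flag cleared is not visible in this diff, so the author should confirm the wording.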
@@ -304,12 +302,8 @@ struct gw_info; /* forward declaration of tag (defined in dnskey.h) */
struct alg_info; /* forward declaration of tag (defined in alg_info.h) */
extern struct connection *rw_instantiate(struct connection *c
, const ip_address *him
-#ifdef NAT_TRAVERSAL
, u_int16_t his_port
-#endif
-#ifdef VIRTUAL_IP
, const ip_subnet *his_net
-#endif
, const struct id *his_id);
extern struct connection *oppo_instantiate(struct connection *c
@@ -365,12 +359,9 @@ extern struct connection *eclipsed(struct connection *c, struct spd_route **);
extern void show_connections_status(bool all, const char *name);
extern int connection_compare(const struct connection *ca
- , const struct connection *cb);
-#ifdef NAT_TRAVERSAL
-void
-update_host_pair(const char *why, struct connection *c,
- const ip_address *myaddr, u_int16_t myport ,
- const ip_address *hisaddr, u_int16_t hisport);
-#endif /* NAT_TRAVERSAL */
+ , const struct connection *cb);
+extern void update_host_pair(const char *why, struct connection *c
+ , const ip_address *myaddr, u_int16_t myport
+ , const ip_address *hisaddr, u_int16_t hisport);
#endif /* _CONNECTIONS_H */
diff --git a/programs/pluto/constants.c b/src/pluto/constants.c
index 322de74ac..e7d7216ee 100644
--- a/programs/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: constants.c,v 1.24 2007/01/21 08:35:47 as Exp $
+ * RCSID $Id: constants.c,v 1.21 2006/03/27 07:38:59 as Exp $
*/
/*
@@ -25,7 +25,7 @@
#include <netinet/in.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
#include "defs.h"
@@ -41,12 +41,8 @@ const char compile_time_interop_options[] = ""
#ifdef LIBCURL
" LIBCURL"
#endif
-#ifdef LDAP_VER
-#if LDAP_VER == 2
- " LDAP_V2"
-#else
- " LDAP_V3"
-#endif
+#ifdef LIBLDAP
+ " LIBLDAP"
#endif
#ifdef SMARTCARD
" SMARTCARD"
@@ -510,6 +506,7 @@ const char *const sa_policy_bit_names[] = {
"XAUTHPSK",
"XAUTHRSASIG",
"XAUTHSERVER",
+ "DONTREAUTH",
NULL
};
diff --git a/programs/pluto/constants.h b/src/pluto/constants.h
index 1fbfad1da..3ab10be61 100644
--- a/programs/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: constants.h,v 1.28 2007/02/21 14:21:48 as Exp $
+ * RCSID $Id: constants.h,v 1.20 2006/02/28 19:13:33 as Exp $
*/
#ifndef _CONSTANTS_H
@@ -64,9 +64,11 @@ typedef unsigned long long lset_t;
#define LDISJOINT(a, b) (((a) & (b)) == LEMPTY)
/* Control and lock pathnames */
-
+#ifndef IPSEC_PIDDIR
+# define IPSEC_PIDDIR "/var/run"
+#endif
#ifndef DEFAULT_CTLBASE
-# define DEFAULT_CTLBASE "/var/run/pluto"
+# define DEFAULT_CTLBASE IPSEC_PIDDIR "/pluto"
#endif
#define CTL_SUFFIX ".ctl" /* for UNIX domain socket pathname */
@@ -293,7 +295,7 @@ extern const char sparse_end[];
#define SHA2_256_DIGEST_SIZE (256 / BITS_PER_BYTE)
#define SHA2_384_DIGEST_SIZE (384 / BITS_PER_BYTE)
#define SHA2_512_DIGEST_SIZE (512 / BITS_PER_BYTE)
-
+
#define MD5_BLOCK_SIZE (512 / BITS_PER_BYTE)
#define SHA1_BLOCK_SIZE (512 / BITS_PER_BYTE)
#define SHA2_256_BLOCK_SIZE (512 / BITS_PER_BYTE)
@@ -666,6 +668,7 @@ extern enum_names attr_msg_type_names;
#define SUPPORTED_ATTRIBUTES 14
#define INTERNAL_IP6_SUBNET 15
+
extern enum_names modecfg_attr_names;
/* XAUTH attribute values */
@@ -870,6 +873,8 @@ extern const char *prettypolicy(lset_t policy);
#define POLICY_XAUTH_PSK LELEM(18) /* do we support XAUTH????PreShared? */
#define POLICY_XAUTH_RSASIG LELEM(19) /* do we support XAUTH????RSA? */
#define POLICY_XAUTH_SERVER LELEM(20) /* are we an XAUTH server? */
+#define POLICY_DONT_REAUTH LELEM(21) /* don't reauthenticate on rekeying, IKEv2 only */
+#define POLICY_BEET LELEM(22) /* bound end2end tunnel, IKEv2 */
/* Any IPsec policy? If not, a connection description
* is only for ISAKMP SA, not IPSEC SA. (A pun, I admit.)
diff --git a/programs/pluto/cookie.c b/src/pluto/cookie.c
index 458120e46..458120e46 100644
--- a/programs/pluto/cookie.c
+++ b/src/pluto/cookie.c
diff --git a/programs/pluto/cookie.h b/src/pluto/cookie.h
index f5b0e64d1..f5b0e64d1 100644
--- a/programs/pluto/cookie.h
+++ b/src/pluto/cookie.h
diff --git a/programs/pluto/crl.c b/src/pluto/crl.c
index 8d4b3bd7b..05e8d1402 100644
--- a/programs/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -23,7 +23,7 @@
#include <sys/types.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
#include "defs.h"
diff --git a/programs/pluto/crl.h b/src/pluto/crl.h
index 9f985b6cd..9f985b6cd 100644
--- a/programs/pluto/crl.h
+++ b/src/pluto/crl.h
diff --git a/programs/pluto/crypto.c b/src/pluto/crypto.c
index 63a53ad5c..f1b7c3f5f 100644
--- a/programs/pluto/crypto.c
+++ b/src/pluto/crypto.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: crypto.c,v 1.6 2007/02/21 14:21:48 as Exp $
+ * RCSID $Id: crypto.c,v 1.5 2005/12/06 22:51:34 as Exp $
*/
#include <stdio.h>
@@ -22,7 +22,7 @@
#include <freeswan.h>
#define HEADER_DES_LOCL_H /* stupid trick to force prototype decl in <des.h> */
-#include <crypto/des.h>
+#include <libdes/des.h>
#include <errno.h>
diff --git a/programs/pluto/crypto.h b/src/pluto/crypto.h
index fa3af3a8b..48c983349 100644
--- a/programs/pluto/crypto.h
+++ b/src/pluto/crypto.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: crypto.h,v 1.7 2007/02/21 14:21:48 as Exp $
+ * RCSID $Id: crypto.h,v 1.6 2005/04/07 20:13:30 as Exp $
*/
#include <gmp.h> /* GNU MP library */
diff --git a/programs/pluto/db_ops.c b/src/pluto/db_ops.c
index bbcd7918f..bbcd7918f 100644
--- a/programs/pluto/db_ops.c
+++ b/src/pluto/db_ops.c
diff --git a/programs/pluto/db_ops.h b/src/pluto/db_ops.h
index 433e75280..433e75280 100644
--- a/programs/pluto/db_ops.h
+++ b/src/pluto/db_ops.h
diff --git a/programs/pluto/defs.c b/src/pluto/defs.c
index 16f6a3949..9ae32a480 100644
--- a/programs/pluto/defs.c
+++ b/src/pluto/defs.c
@@ -215,7 +215,7 @@ concatenate_paths(const char *a, const char *b)
/* compare two chunks, returns zero if a equals b
* negative/positive if a is earlier/later in the alphabet than b
*/
-bool
+int
cmp_chunk(chunk_t a, chunk_t b)
{
int cmp_len, len, cmp_value;
diff --git a/programs/pluto/defs.h b/src/pluto/defs.h
index 3fe5053d1..3bfb29a22 100644
--- a/programs/pluto/defs.h
+++ b/src/pluto/defs.h
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: defs.h,v 1.11 2007/01/09 21:59:06 as Exp $
+ * RCSID $Id: defs.h,v 1.10 2006/01/04 21:00:43 as Exp $
*/
#ifndef _DEFS_H
@@ -90,7 +90,7 @@ extern const char* concatenate_paths(const char *a, const char *b);
extern const chunk_t empty_chunk;
/* compare two chunks */
-extern bool cmp_chunk(chunk_t a, chunk_t b);
+extern int cmp_chunk(chunk_t a, chunk_t b);
/* move a chunk to a memory position and free it after insertion */
extern void mv_chunk(u_char **pos, chunk_t content);
diff --git a/programs/pluto/demux.c b/src/pluto/demux.c
index 71aa771c7..7e59b184d 100644
--- a/programs/pluto/demux.c
+++ b/src/pluto/demux.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: demux.c,v 1.18 2007/01/29 08:27:53 as Exp $
+ * RCSID $Id: demux.c,v 1.14 2006/06/22 11:58:25 as Exp $
*/
/* Ordering Constraints on Payloads
@@ -142,9 +142,7 @@
#include "timer.h"
#include "whack.h" /* requires connections.h */
#include "server.h"
-#ifdef NAT_TRAVERSAL
#include "nat_traversal.h"
-#endif
#include "vendor.h"
#include "modecfg.h"
@@ -273,11 +271,7 @@ static const struct state_microcode state_microcode_table[] = {
*/
{ STATE_MAIN_R1, STATE_MAIN_R2
, SMF_PSK_AUTH | SMF_DS_AUTH | SMF_REPLY
-#ifdef NAT_TRAVERSAL
, P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(KE)
-#else
- , P(KE) | P(NONCE), P(VID) | P(CR), PT(KE)
-#endif
, EVENT_RETRANSMIT, main_inI2_outR2 },
{ STATE_MAIN_R1, STATE_UNDEFINED
@@ -302,11 +296,7 @@ static const struct state_microcode state_microcode_table[] = {
*/
{ STATE_MAIN_I2, STATE_MAIN_I3
, SMF_PSK_AUTH | SMF_DS_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
-#ifdef NAT_TRAVERSAL
, P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(ID)
-#else
- , P(KE) | P(NONCE), P(VID) | P(CR), PT(ID)
-#endif
, EVENT_RETRANSMIT, main_inR2_outI3 },
{ STATE_MAIN_I2, STATE_UNDEFINED
@@ -397,11 +387,7 @@ static const struct state_microcode state_microcode_table[] = {
*/
{ STATE_QUICK_R0, STATE_QUICK_R1
, SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
-#ifdef NAT_TRAVERSAL
, P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(NONE)
-#else
- , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID), PT(NONE)
-#endif
, EVENT_RETRANSMIT, quick_inI1_outR1 },
/* STATE_QUICK_I1:
@@ -412,11 +398,7 @@ static const struct state_microcode state_microcode_table[] = {
*/
{ STATE_QUICK_I1, STATE_QUICK_I2
, SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_REPLY
-#ifdef NAT_TRAVERSAL
, P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(HASH)
-#else
- , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID), PT(HASH)
-#endif
, EVENT_SA_REPLACE, quick_inR1_outI2 },
/* STATE_QUICK_R1: HDR*, HASH(3) --> done
@@ -790,7 +772,6 @@ check_msg_errqueue(const struct iface *ifp, short interest)
/* note dirty trick to suppress ~ at start of format
* if we know what state to blame.
*/
-#ifdef NAT_TRAVERSAL
if ((packet_len == 1) && (buffer[0] = 0xff)
#ifdef DEBUG
&& ((cur_debugging & DBG_NATT) == 0)
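Review bot: In the context line `if ((packet_len == 1) && (buffer[0] = 0xff)` the second operand is an assignment, not a comparison, so it overwrites the first byte of the error-queue data and is always true. With the `#ifdef NAT_TRAVERSAL` guard removed, this now compiles into every build. Any one-byte packet is therefore treated as a NAT-T keep-alive, and its network error report is not logged unless NAT-T debugging is on. The test should read `(buffer[0] == 0xff)`; if `buffer` is a plain `char` array, which the hunk does not show, the byte also needs a cast to `unsigned char`. The condition and the rest of check_msg_errqueue continue outside this hunk.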
@@ -801,7 +782,6 @@ check_msg_errqueue(const struct iface *ifp, short interest)
*/
}
else
-#endif
plog((sender != NULL) + "~"
"ERROR: asynchronous network error report on %s"
"%s"
@@ -839,24 +819,19 @@ check_msg_errqueue(const struct iface *ifp, short interest)
#endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
bool
-#ifdef NAT_TRAVERSAL
-_send_packet(struct state *st, const char *where, bool verbose)
-#else
send_packet(struct state *st, const char *where)
-#endif
{
struct connection *c = st->st_connection;
int port_buf;
bool err;
-
-#ifdef NAT_TRAVERSAL
u_int8_t ike_pkt[MAX_OUTPUT_UDP_SIZE];
u_int8_t *ptr;
unsigned long len;
- if ((c->interface->ike_float == TRUE) && (st->st_tpacket.len != 1)) {
- if ((unsigned long) st->st_tpacket.len >
- (MAX_OUTPUT_UDP_SIZE-sizeof(u_int32_t))) {
+ if (c->interface->ike_float && st->st_tpacket.len != 1)
+ {
+ if ((unsigned long) st->st_tpacket.len > (MAX_OUTPUT_UDP_SIZE-sizeof(u_int32_t)))
+ {
DBG_log("send_packet(): really too big");
return FALSE;
}
@@ -867,11 +842,11 @@ send_packet(struct state *st, const char *where)
(unsigned long)st->st_tpacket.len);
len = (unsigned long) st->st_tpacket.len + sizeof(u_int32_t);
}
- else {
+ else
+ {
ptr = st->st_tpacket.ptr;
len = (unsigned long) st->st_tpacket.len;
}
-#endif
DBG(DBG_RAW,
{
@@ -896,28 +871,19 @@ send_packet(struct state *st, const char *where)
(void) check_msg_errqueue(c->interface, POLLOUT);
#endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
-#ifdef NAT_TRAVERSAL
err = sendto(c->interface->fd
, ptr, len, 0
, sockaddrof(&c->spd.that.host_addr)
, sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)len;
-#else
- err = sendto(c->interface->fd
- , st->st_tpacket.ptr, st->st_tpacket.len, 0
- , sockaddrof(&c->spd.that.host_addr)
- , sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)st->st_tpacket.len;
-#endif
/* restore port */
setportof(port_buf, &c->spd.that.host_addr);
if (err)
{
-#ifdef NAT_TRAVERSAL
- /* do not log NAT-T Keep Alive packets */
- if (!verbose)
- return FALSE;
-#endif
+ /* do not log NAT-T Keep Alive packets */
+ if (streq(where, "NAT-T Keep Alive"))
+ return FALSE;
log_errno((e, "sendto on %s to %s:%u failed in %s"
, c->interface->rname
, ip_str(&c->spd.that.host_addr)
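Review bot: The error path now decides whether to log a failed `sendto` with `streq(where, "NAT-T Keep Alive")`, so suppression depends on a free-text label that callers pass for diagnostics. A reworded or mistyped label at the keep-alive call site, which is not visible here, would silently turn logging back on, and any other caller reusing the string would lose its error reports. Either keep an explicit flag, or share one constant between the caller and this check, e.g. `#define NAT_T_KA_WHERE "NAT-T Keep Alive"` with `if (streq(where, NAT_T_KA_WHERE))`. The body of send_packet starts before this hunk and continues after it.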
@@ -1187,16 +1153,19 @@ read_packet(struct msg_digest *md)
cur_from = &md->sender;
cur_from_port = md->sender_port;
-#ifdef NAT_TRAVERSAL
- if (ifp->ike_float == TRUE) {
+ if (ifp->ike_float == TRUE)
+ {
u_int32_t non_esp;
- if (packet_len < (int)sizeof(u_int32_t)) {
+
+ if (packet_len < (int)sizeof(u_int32_t))
+ {
plog("recvfrom %s:%u too small packet (%d)"
, ip_str(cur_from), (unsigned) cur_from_port, packet_len);
return FALSE;
}
memcpy(&non_esp, buffer, sizeof(u_int32_t));
- if (non_esp != 0) {
+ if (non_esp != 0)
+ {
plog("recvfrom %s:%u has no Non-ESP marker"
, ip_str(cur_from), (unsigned) cur_from_port);
return FALSE;
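Review bot: The re-braced test `if (ifp->ike_float == TRUE)` still compares against `TRUE`, while the same commit rewrites the matching test in send_packet to the plain truth test `c->interface->ike_float`. Comparing a flag with `TRUE` fails for any non-zero value other than 1, so the two paths could disagree if the field is ever set from an expression. For consistency, write it as `if (ifp->ike_float)`. read_packet starts before this hunk and continues after it.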
@@ -1207,7 +1176,6 @@ read_packet(struct msg_digest *md)
pfree(buffer);
buffer = buffer_nat;
}
-#endif
/* Clone actual message contents
* and set up md->packet_pbs to describe it.
@@ -1226,21 +1194,33 @@ read_packet(struct msg_digest *md)
DBG(DBG_RAW,
DBG_dump("", md->packet_pbs.start, pbs_room(&md->packet_pbs)));
-#ifdef NAT_TRAVERSAL
- if ((pbs_room(&md->packet_pbs)==1) && (md->packet_pbs.start[0]==0xff)) {
- /**
- * NAT-T Keep-alive packets should be discared by kernel ESPinUDP
- * layer. But boggus keep-alive packets (sent with a non-esp marker)
- * can reach this point. Complain and discard them.
- */
- DBG(DBG_NATT,
- DBG_log("NAT-T keep-alive (boggus ?) should not reach this point. "
- "Ignored. Sender: %s:%u", ip_str(cur_from),
- (unsigned) cur_from_port);
- );
- return FALSE;
+ if ((pbs_room(&md->packet_pbs)==1) && (md->packet_pbs.start[0]==0xff))
+ {
+ /**
+ * NAT-T Keep-alive packets should be discared by kernel ESPinUDP
+ * layer. But boggus keep-alive packets (sent with a non-esp marker)
+ * can reach this point. Complain and discard them.
+ */
+ DBG(DBG_NATT,
+ DBG_log("NAT-T keep-alive (boggus ?) should not reach this point. "
+ "Ignored. Sender: %s:%u", ip_str(cur_from),
+ (unsigned) cur_from_port);
+ )
+ return FALSE;
}
-#endif
+
+#define IKEV2_VERSION_OFFSET 17
+#define IKEV2_VERSION 0x20
+
+ /* ignore IKEv2 packets - they will be handled by charon */
+ if (pbs_room(&md->packet_pbs) > IKEV2_VERSION_OFFSET
+ && md->packet_pbs.start[IKEV2_VERSION_OFFSET] == IKEV2_VERSION)
+ {
+ DBG(DBG_CONTROLMORE,
+ DBG_log(" ignoring IKEv2 packet")
+ )
+ return FALSE;
+ }
return TRUE;
}
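Review bot: The new filter compares the whole version octet with `0x20`, so only IKEv2 with minor version 0 is left for charon. The octet carries the major version in the high nibble and the minor version in the low nibble, so a packet such as `0x21` would not match and would, as far as this hunk shows, go on into pluto's IKEv1 parsing. Testing the major number alone is more robust: `(md->packet_pbs.start[IKEV2_VERSION_OFFSET] >> 4) == 2`. The two `#define`s also sit in the middle of the function body; moving them beside the other protocol constants, with a comment that offset 17 is the version field after two 8-byte cookies and the next-payload octet, would make the magic number checkable. The start of read_packet lies outside this hunk.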
@@ -1877,12 +1857,12 @@ process_packet(struct msg_digest **mdp)
return;
}
-#ifdef NAT_TRAVERSAL
switch (np)
{
case ISAKMP_NEXT_NATD_RFC:
case ISAKMP_NEXT_NATOA_RFC:
- if ((!st) || (!(st->nat_traversal & NAT_T_WITH_RFC_VALUES))) {
+ if (!st || !(st->nat_traversal & NAT_T_WITH_RFC_VALUES))
+ {
/*
* don't accept NAT-D/NAT-OA reloc directly in message, unless
* we're using NAT-T RFC
@@ -1891,7 +1871,6 @@ process_packet(struct msg_digest **mdp)
}
break;
}
-#endif
if (sd == NULL)
{
@@ -1902,7 +1881,6 @@ process_packet(struct msg_digest **mdp)
sd = IS_PHASE1(from_state)
? &isakmp_identification_desc : &isakmp_ipsec_identification_desc;
break;
-#ifdef NAT_TRAVERSAL
case ISAKMP_NEXT_NATD_DRAFTS:
np = ISAKMP_NEXT_NATD_RFC; /* NAT-D relocated */
sd = payload_descs[np];
@@ -1911,7 +1889,6 @@ process_packet(struct msg_digest **mdp)
np = ISAKMP_NEXT_NATOA_RFC; /* NAT-OA relocated */
sd = payload_descs[np];
break;
-#endif
default:
loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an unknown or"
" unexpected payload type (%s) at the outermost level"
@@ -2177,10 +2154,8 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
clonetochunk(st->st_tpacket, md->reply.start
, pbs_offset(&md->reply), "reply packet");
-#ifdef NAT_TRAVERSAL
if (nat_traversal_enabled)
nat_traversal_change_port_lookup(md, md->st);
-#endif
/* actually send the packet
* Note: this is a great place to implement "impairments"
@@ -2363,7 +2338,6 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
/* advance b to end of string */
b = b + strlen(b);
-#ifdef NAT_TRAVERSAL
if (st->nat_traversal)
{
char oa[ADDRTOT_BUF];
@@ -2374,7 +2348,6 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
ini = " ";
fin = "}";
}
-#endif
/* advance b to end of string */
b = b + strlen(b);
diff --git a/programs/pluto/demux.h b/src/pluto/demux.h
index dc38e4cfc..373dd6315 100644
--- a/programs/pluto/demux.h
+++ b/src/pluto/demux.h
@@ -11,19 +11,14 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: demux.h,v 1.5 2007/01/11 05:44:02 as Exp $
+ * RCSID $Id: demux.h,v 1.4 2004/07/22 22:57:25 as Exp $
*/
#include "packet.h"
struct state; /* forward declaration of tag */
extern void init_demux(void);
-#ifdef NAT_TRAVERSAL
-#define send_packet(st,wh) _send_packet(st,wh,TRUE)
-extern bool _send_packet(struct state *st, const char *where, bool verbose);
-#else
extern bool send_packet(struct state *st, const char *where);
-#endif
extern void comm_handle(const struct iface *ifp);
extern u_int8_t reply_buffer[MAX_OUTPUT_UDP_SIZE];
@@ -74,9 +69,7 @@ struct msg_digest {
digest[PAYLIMIT],
*digest_roof,
*chain[ISAKMP_NEXT_ROOF];
-#ifdef NAT_TRAVERSAL
unsigned short nat_traversal_vid;
-#endif
};
extern void release_md(struct msg_digest *md);
diff --git a/programs/pluto/dnskey.c b/src/pluto/dnskey.c
index 9aca1938d..23863b0a2 100644
--- a/programs/pluto/dnskey.c
+++ b/src/pluto/dnskey.c
@@ -30,7 +30,7 @@
#include <sys/queue.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
#include "adns.h" /* needs <resolv.h> */
diff --git a/programs/pluto/dnskey.h b/src/pluto/dnskey.h
index 0b9f0ee33..0b9f0ee33 100644
--- a/programs/pluto/dnskey.h
+++ b/src/pluto/dnskey.h
diff --git a/programs/pluto/dsa.c b/src/pluto/dsa.c
index c5982fbf4..c5982fbf4 100644
--- a/programs/pluto/dsa.c
+++ b/src/pluto/dsa.c
diff --git a/programs/pluto/dsa.h b/src/pluto/dsa.h
index 1456d65b6..1456d65b6 100644
--- a/programs/pluto/dsa.h
+++ b/src/pluto/dsa.h
diff --git a/programs/pluto/elgamal.c b/src/pluto/elgamal.c
index 0c099bb90..0c099bb90 100644
--- a/programs/pluto/elgamal.c
+++ b/src/pluto/elgamal.c
diff --git a/programs/pluto/elgamal.h b/src/pluto/elgamal.h
index f104c2a52..f104c2a52 100644
--- a/programs/pluto/elgamal.h
+++ b/src/pluto/elgamal.h
diff --git a/programs/pluto/fetch.c b/src/pluto/fetch.c
index 4bfb6031b..e3e56d3a8 100644
--- a/programs/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -31,7 +31,7 @@
#include <freeswan.h>
-#ifdef LDAP_VER
+#ifdef LIBLDAP
#include <ldap.h>
#endif
@@ -347,7 +347,7 @@ fetch_curl(char *url, chunk_t *blob)
#endif /* !LIBCURL */
}
-#ifdef LDAP_VER
+#ifdef LIBLDAP
/*
* parses the result returned by an ldap query
*/
@@ -428,7 +428,7 @@ fetch_ldap_url(char *url, chunk_t *blob)
if (ldap != NULL)
{
- int ldap_version = (LDAP_VER == 2)? LDAP_VERSION2 : LDAP_VERSION3;
+ int ldap_version = LDAP_VERSION3;
struct timeval timeout;
timeout.tv_sec = FETCH_CMD_TIMEOUT;
@@ -479,13 +479,13 @@ fetch_ldap_url(char *url, chunk_t *blob)
}
return ugh;
}
-#else /* !LDAP_VER */
+#else /* !LIBLDAP */
static err_t
fetch_ldap_url(char *url, chunk_t *blob)
{
return "LDAP URL fetching not activated in pluto source code";
}
-#endif /* !LDAP_VER */
+#endif /* !LIBLDAP */
/*
* fetch an ASN.1 blob coded in PEM or DER format from a URL
@@ -701,7 +701,7 @@ fetch_ocsp_status(ocsp_location_t* location)
curl_easy_setopt(curl, CURLOPT_URL, uri);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_buffer);
- curl_easy_setopt(curl, CURLOPT_FILE, (void *)&response);
+ curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)&response);
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, request.ptr);
curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, request.len);
curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, &errorbuffer);
@@ -827,7 +827,7 @@ init_fetch(void)
#ifdef LIBCURL
/* init curl */
status = curl_global_init(CURL_GLOBAL_NOTHING);
- if (status != 0)
+ if (status != CURLE_OK)
{
plog("libcurl could not be initialized, status = %d", status);
}
diff --git a/programs/pluto/fetch.h b/src/pluto/fetch.h
index 6303f37e4..6303f37e4 100644
--- a/programs/pluto/fetch.h
+++ b/src/pluto/fetch.h
diff --git a/programs/pluto/foodgroups.c b/src/pluto/foodgroups.c
index 52e32f0fb..c92bdb3d4 100644
--- a/programs/pluto/foodgroups.c
+++ b/src/pluto/foodgroups.c
@@ -35,7 +35,7 @@
/* Food group config files are found in directory fg_path */
#ifndef POLICYGROUPSDIR
-#define POLICYGROUPSDIR "/etc/ipsec.d/policies"
+#define POLICYGROUPSDIR IPSEC_CONFDIR "/ipsec.d/policies"
#endif
const char *policygroups_dir = POLICYGROUPSDIR;
diff --git a/programs/pluto/foodgroups.h b/src/pluto/foodgroups.h
index 7cbbccc44..7cbbccc44 100644
--- a/programs/pluto/foodgroups.h
+++ b/src/pluto/foodgroups.h
diff --git a/programs/pluto/gcryptfix.c b/src/pluto/gcryptfix.c
index 1ebacdcf6..1ebacdcf6 100644
--- a/programs/pluto/gcryptfix.c
+++ b/src/pluto/gcryptfix.c
diff --git a/programs/pluto/gcryptfix.h b/src/pluto/gcryptfix.h
index 637ecbc8d..637ecbc8d 100644
--- a/programs/pluto/gcryptfix.h
+++ b/src/pluto/gcryptfix.h
diff --git a/programs/pluto/id.c b/src/pluto/id.c
index 4e306d3a7..4e75ec2e9 100644
--- a/programs/pluto/id.c
+++ b/src/pluto/id.c
@@ -28,7 +28,7 @@
#include <sys/queue.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
#include "defs.h"
diff --git a/programs/pluto/id.h b/src/pluto/id.h
index 4fe9ef227..4fe9ef227 100644
--- a/programs/pluto/id.h
+++ b/src/pluto/id.h
diff --git a/programs/pluto/ike_alg.c b/src/pluto/ike_alg.c
index e090ebed3..1c6514b4b 100644
--- a/programs/pluto/ike_alg.c
+++ b/src/pluto/ike_alg.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: ike_alg.c,v 1.9 2007/02/21 14:21:48 as Exp $
+ * RCSID $Id: ike_alg.c,v 1.6 2004/09/17 21:29:50 as Exp $
*/
#include <stdio.h>
@@ -21,7 +21,7 @@
#include <sys/queue.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
#include "defs.h"
diff --git a/programs/pluto/ike_alg.h b/src/pluto/ike_alg.h
index 32f6e8be0..19e2e591c 100644
--- a/programs/pluto/ike_alg.h
+++ b/src/pluto/ike_alg.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: ike_alg.h,v 1.4 2007/02/21 14:21:48 as Exp $
+ * RCSID $Id: ike_alg.h,v 1.3 2004/09/16 23:22:22 as Exp $
*/
#ifndef _IKE_ALG_H
diff --git a/programs/pluto/ipsec.secrets.5 b/src/pluto/ipsec.secrets.5
index 3cce4d3f8..3cce4d3f8 100644
--- a/programs/pluto/ipsec.secrets.5
+++ b/src/pluto/ipsec.secrets.5
diff --git a/programs/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index f4ec22301..1c22b299b 100644
--- a/programs/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: ipsec_doi.c,v 1.43 2007/02/21 14:21:48 as Exp $
+ * RCSID $Id: ipsec_doi.c,v 1.39 2006/04/22 21:59:20 as Exp $
*/
#include <stdio.h>
@@ -29,7 +29,7 @@
#include <sys/time.h> /* for gettimeofday */
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
#include "defs.h"
@@ -67,12 +67,8 @@
#include "alg_info.h"
#include "ike_alg.h"
#include "kernel_alg.h"
-#ifdef NAT_TRAVERSAL
#include "nat_traversal.h"
-#endif
-#ifdef VIRTUAL_IP
#include "virtual.h"
-#endif
/*
* are we sending Pluto's Vendor ID?
@@ -457,9 +453,11 @@ send_notification_from_state(struct state *st, enum state_kind state,
if (state == STATE_UNDEFINED)
state = st->st_state;
- if (IS_QUICK(state)) {
+ if (IS_QUICK(state))
+ {
p1st = find_phase1_state(st->st_connection, ISAKMP_SA_ESTABLISHED_STATES);
- if ((p1st == NULL) || (!IS_ISAKMP_SA_ESTABLISHED(p1st->st_state))) {
+ if ((p1st == NULL) || (!IS_ISAKMP_SA_ESTABLISHED(p1st->st_state)))
+ {
loglog(RC_LOG_SERIOUS,
"no Phase1 state for Quick mode notification");
return;
@@ -467,11 +465,13 @@ send_notification_from_state(struct state *st, enum state_kind state,
send_notification(st, type, p1st, generate_msgid(p1st),
st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
}
- else if (IS_ISAKMP_ENCRYPTED(state)) {
+ else if (IS_ISAKMP_ENCRYPTED(state) && st->st_enc_key.ptr != NULL)
+ {
send_notification(st, type, st, generate_msgid(st),
st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
}
- else {
+ else
+ {
/* no ISAKMP SA established - don't encrypt notification */
send_notification(st, type, NULL, 0,
st->st_icookie, st->st_rcookie, NULL, 0, PROTO_ISAKMP);
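Review bot: With the added `st->st_enc_key.ptr != NULL` test, a state that is nominally in an encrypted ISAKMP phase but has no key yet now falls into the final `else` and sends its notification in the clear. The comment there still reads "no ISAKMP SA established", which no longer describes every way of reaching that branch. Update it to `/* no ISAKMP SA established, or no encryption key derived yet - don't encrypt notification */` so the cleartext fallback is visibly intentional. A debug log line on that path would also help when auditing which notifications left unprotected. The function begins in the previous hunk and its end is not shown here.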
@@ -769,10 +769,10 @@ accept_delete(struct state *st, struct msg_digest *md, struct payload_digest *p)
oldc = cur_connection;
set_cur_connection(dst->st_connection);
-#ifdef NAT_TRAVERSAL
+
if (nat_traversal_enabled)
nat_traversal_change_port_lookup(md, dst);
-#endif
+
loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
"deleting ISAKMP State #%lu", dst->st_serialno);
delete_state(dst);
@@ -806,10 +806,9 @@ accept_delete(struct state *st, struct msg_digest *md, struct payload_digest *p)
oldc = cur_connection;
set_cur_connection(rc);
-#ifdef NAT_TRAVERSAL
if (nat_traversal_enabled)
nat_traversal_change_port_lookup(md, dst);
-#endif
+
if (rc->newest_ipsec_sa == dst->st_serialno
&& (rc->policy & POLICY_UP))
{
@@ -904,10 +903,8 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
vids_to_send++;
/* always send DPD Vendor ID */
vids_to_send++;
-#ifdef NAT_TRAVERSAL
if (nat_traversal_enabled)
vids_to_send++;
-#endif
get_cookie(TRUE, st->st_icookie, COOKIE_SIZE, &c->spd.that.host_addr);
@@ -1013,7 +1010,6 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
}
}
-#ifdef NAT_TRAVERSAL
if (nat_traversal_enabled)
{
/* Add supported NAT-Traversal VID */
@@ -1024,7 +1020,6 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
return STF_INTERNAL_ERROR;
}
}
-#endif
close_message(&rbody);
close_output_pbs(&reply);
@@ -2056,7 +2051,6 @@ quick_outI1(int whack_sock
, replacing
, isakmp_sa->st_serialno);
-#ifdef NAT_TRAVERSAL
if (isakmp_sa->nat_traversal & NAT_T_DETECTED)
{
/* Duplicate nat_traversal status in new state */
@@ -2079,7 +2073,6 @@ quick_outI1(int whack_sock
np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
ISAKMP_NEXT_NATOA_RFC : ISAKMP_NEXT_NATOA_DRAFTS;
}
-#endif
/* set up reply */
init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "reply packet");
@@ -2175,7 +2168,6 @@ quick_outI1(int whack_sock
}
}
-#ifdef NAT_TRAVERSAL
/* Send NAT-OA if our address is NATed */
if (send_natoa)
{
@@ -2185,7 +2177,6 @@ quick_outI1(int whack_sock
return STF_INTERNAL_ERROR;
}
}
-#endif
/* finish computing HASH(1), inserting it in output */
(void) quick_mode_hash12(r_hashval, r_hash_start, rbody.cur
@@ -2354,7 +2345,6 @@ decode_peer_id(struct msg_digest *md, struct id *peer)
* Besides, there is no good reason for allowing these to be
* other than 0 in Phase 1.
*/
-#ifdef NAT_TRAVERSAL
if ((st->nat_traversal & NAT_T_WITH_PORT_FLOATING)
&& id->isaid_doi_specific_a == IPPROTO_UDP
&& (id->isaid_doi_specific_b == 0 || id->isaid_doi_specific_b == NAT_T_IKE_FLOAT_PORT))
@@ -2363,10 +2353,8 @@ decode_peer_id(struct msg_digest *md, struct id *peer)
"accepted with port_floating NAT-T",
id->isaid_doi_specific_a, id->isaid_doi_specific_b);
}
- else
-#endif
- if (!(id->isaid_doi_specific_a == 0 && id->isaid_doi_specific_b == 0)
- && !(id->isaid_doi_specific_a == IPPROTO_UDP && id->isaid_doi_specific_b == IKE_UDP_PORT))
+ else if (!(id->isaid_doi_specific_a == 0 && id->isaid_doi_specific_b == 0)
+ && !(id->isaid_doi_specific_a == IPPROTO_UDP && id->isaid_doi_specific_b == IKE_UDP_PORT))
{
loglog(RC_LOG_SERIOUS, "protocol/port in Phase 1 ID Payload must be 0/0 or %d/%d"
" but are %d/%d"
@@ -2540,14 +2528,8 @@ switch_connection(struct msg_digest *md, struct id *peer, bool initiator)
if (r->kind == CK_TEMPLATE)
{
/* instantiate it, filling in peer's ID */
- r = rw_instantiate(r, &c->spd.that.host_addr,
-#ifdef NAT_TRAVERSAL
- c->spd.that.host_port,
-#endif
-#ifdef VIRTUAL_IP
- NULL,
-#endif
- peer);
+ r = rw_instantiate(r, &c->spd.that.host_addr
+ , c->spd.that.host_port, NULL, peer);
}
/* copy certificate request info */
@@ -3010,13 +2992,11 @@ main_inI1_outR1(struct msg_digest *md)
c = find_host_connection(&md->iface->addr, pluto_port
, &md->sender, md->sender_port, policy);
-#ifdef NAT_TRAVERSAL
if (c == NULL && md->iface->ike_float)
{
c = find_host_connection(&md->iface->addr, NAT_T_IKE_FLOAT_PORT
- , &md->sender, md->sender_port, policy);
+ , &md->sender, md->sender_port, policy);
}
-#endif
if (c == NULL)
{
@@ -3082,14 +3062,7 @@ main_inI1_outR1(struct msg_digest *md)
/* Create a temporary connection that is a copy of this one.
* His ID isn't declared yet.
*/
- c = rw_instantiate(c, &md->sender,
-#ifdef NAT_TRAVERSAL
- md->sender_port,
-#endif
-#ifdef VIRTUAL_IP
- NULL,
-#endif
- NULL);
+ c = rw_instantiate(c, &md->sender, md->sender_port, NULL, NULL);
}
}
else if (c->kind == CK_TEMPLATE)
@@ -3145,10 +3118,8 @@ main_inI1_outR1(struct msg_digest *md)
vids_to_send++;
/* always send DPD Vendor ID */
vids_to_send++;
-#ifdef NAT_TRAVERSAL
if (md->nat_traversal_vid && nat_traversal_enabled)
vids_to_send++;
-#endif
/* HDR out.
* We can't leave this to comm_handle() because we must
@@ -3224,11 +3195,6 @@ main_inI1_outR1(struct msg_digest *md)
return STF_INTERNAL_ERROR;
}
-#ifdef NAT_TRAVERSAL
- DBG(DBG_CONTROLMORE,
- DBG_log("sender checking NAT-t: %d and %d"
- , nat_traversal_enabled, md->nat_traversal_vid)
- )
if (md->nat_traversal_vid && nat_traversal_enabled)
{
/* reply if NAT-Traversal draft is supported */
@@ -3241,7 +3207,6 @@ main_inI1_outR1(struct msg_digest *md)
return STF_INTERNAL_ERROR;
}
}
-#endif
close_message(&md->rbody);
@@ -3287,11 +3252,6 @@ main_inR1_outI2(struct msg_digest *md)
, &proposal_pbs, &proposal, NULL, st, TRUE));
}
-#ifdef NAT_TRAVERSAL
- DBG(DBG_CONTROLMORE,
- DBG_log("sender checking NAT-t: %d and %d"
- , nat_traversal_enabled, md->nat_traversal_vid)
- )
if (nat_traversal_enabled && md->nat_traversal_vid)
{
st->nat_traversal = nat_traversal_vid_to_method(md->nat_traversal_vid);
@@ -3303,7 +3263,6 @@ main_inR1_outI2(struct msg_digest *md)
np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS;
}
- #endif
/**************** build output packet HDR;KE;Ni ****************/
@@ -3341,13 +3300,11 @@ main_inR1_outI2(struct msg_digest *md)
return STF_INTERNAL_ERROR;
#endif
-#ifdef NAT_TRAVERSAL
if (st->nat_traversal & NAT_T_WITH_NATD)
{
if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
return STF_INTERNAL_ERROR;
}
-#endif
/* finish message */
close_message(&md->rbody);
@@ -3390,11 +3347,6 @@ main_inI2_outR2(struct msg_digest *md)
/* Ni in */
RETURN_STF_FAILURE(accept_nonce(md, &st->st_ni, "Ni"));
-#ifdef NAT_TRAVERSAL
- DBG(DBG_CONTROLMORE,
- DBG_log("inI2: checking NAT-t: %d and %d"
- , nat_traversal_enabled, st->nat_traversal)
- )
if (st->nat_traversal & NAT_T_WITH_NATD)
{
nat_traversal_natd_lookup(md);
@@ -3410,7 +3362,6 @@ main_inI2_outR2(struct msg_digest *md)
{
nat_traversal_new_ka_event();
}
-#endif
/* decode certificate requests */
st->st_connection->got_certrequest = FALSE;
@@ -3486,14 +3437,12 @@ main_inI2_outR2(struct msg_digest *md)
}
}
}
-
-#ifdef NAT_TRAVERSAL
+
if (st->nat_traversal & NAT_T_WITH_NATD)
{
if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
return STF_INTERNAL_ERROR;
}
-#endif
/* finish message */
close_message(&md->rbody);
@@ -3564,22 +3513,22 @@ main_inR2_outI3(struct msg_digest *md)
send_cr = !no_cr_send && send_cert && !has_preloaded_public_key(st);
/* done parsing; initialize crypto */
-
compute_dh_shared(st, st->st_gr, st->st_oakley.group);
if (!generate_skeyids_iv(st))
return STF_FAIL + AUTHENTICATION_FAILED;
-#ifdef NAT_TRAVERSAL
- if (st->nat_traversal & NAT_T_WITH_NATD) {
- nat_traversal_natd_lookup(md);
- }
- if (st->nat_traversal) {
- nat_traversal_show_result(st->nat_traversal, md->sender_port);
- }
- if (st->nat_traversal & NAT_T_WITH_KA) {
- nat_traversal_new_ka_event();
- }
-#endif
+ if (st->nat_traversal & NAT_T_WITH_NATD)
+ {
+ nat_traversal_natd_lookup(md);
+ }
+ if (st->nat_traversal)
+ {
+ nat_traversal_show_result(st->nat_traversal, md->sender_port);
+ }
+ if (st->nat_traversal & NAT_T_WITH_KA)
+ {
+ nat_traversal_new_ka_event();
+ }
/*************** build output packet HDR*;IDii;HASH/SIG_I ***************/
/* ??? NOTE: this is almost the same as main_inI3_outR3's code */
@@ -4819,14 +4768,8 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b
/* Plain Road Warrior:
* instantiate, carrying over authenticated peer ID
*/
- p = rw_instantiate(p, &c->spd.that.host_addr,
-#ifdef NAT_TRAVERSAL
- md->sender_port,
-#endif
-#ifdef VIRTUAL_IP
- his_net,
-#endif
- &c->spd.that.id);
+ p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port
+ , his_net, &c->spd.that.id);
}
}
#ifdef DEBUG
@@ -4849,8 +4792,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b
p->spd.that.client = *his_net;
p->spd.that.has_client_wildcard = FALSE;
}
-
-#ifdef VIRTUAL_IP
else if (is_virtual_connection(c))
{
c->spd.that.client = *his_net;
@@ -4858,7 +4799,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b
if (subnetishost(his_net) && addrinsubnet(&c->spd.that.host_addr, his_net))
c->spd.that.has_client = FALSE;
}
-#endif
/* fill in the client's true port */
if (p->spd.that.has_port_wildcard)
@@ -4917,7 +4857,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b
st->st_policy = (p1st->st_policy & POLICY_ISAKMP_MASK)
| (c->policy & ~POLICY_ISAKMP_MASK);
-#ifdef NAT_TRAVERSAL
if (p1st->nat_traversal & NAT_T_DETECTED)
{
st->nat_traversal = p1st->nat_traversal;
@@ -4927,12 +4866,11 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b
{
st->nat_traversal = 0;
}
- if ((st->nat_traversal & NAT_T_DETECTED) &&
- (st->nat_traversal & NAT_T_WITH_NATOA))
+ if ((st->nat_traversal & NAT_T_DETECTED)
+ && (st->nat_traversal & NAT_T_WITH_NATOA))
{
nat_traversal_natoa_lookup(md);
}
-#endif
/* Start the output packet.
*
@@ -5020,7 +4958,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b
p->isaiid_np = ISAKMP_NEXT_NONE;
}
-#ifdef NAT_TRAVERSAL
if ((st->nat_traversal & NAT_T_WITH_NATOA)
&& (st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
&& (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT))
@@ -5039,7 +4976,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b
addrtosubnet(&c->spd.that.host_addr, &c->spd.that.client);
c->spd.that.has_client = FALSE;
}
-#endif
/* Compute reply HASH(2) and insert in output */
(void)quick_mode_hash12(r_hashval, r_hash_start, md->rbody.cur
@@ -5179,13 +5115,11 @@ quick_inR1_outI2(struct msg_digest *md)
}
}
-#ifdef NAT_TRAVERSAL
if ((st->nat_traversal & NAT_T_DETECTED)
&& (st->nat_traversal & NAT_T_WITH_NATOA))
{
nat_traversal_natoa_lookup(md);
}
-#endif
/* ??? We used to copy the accepted proposal into the state, but it was
* never used. From sa_pd->pbs.start, length pbs_room(&sa_pd->pbs).
diff --git a/programs/pluto/ipsec_doi.h b/src/pluto/ipsec_doi.h
index 80b12c31d..80b12c31d 100644
--- a/programs/pluto/ipsec_doi.h
+++ b/src/pluto/ipsec_doi.h
diff --git a/programs/pluto/kameipsec.h b/src/pluto/kameipsec.h
index 5f08c7d38..5f08c7d38 100644
--- a/programs/pluto/kameipsec.h
+++ b/src/pluto/kameipsec.h
diff --git a/programs/pluto/kernel.c b/src/pluto/kernel.c
index d2070c0d4..663fa7230 100644
--- a/programs/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -31,7 +31,7 @@
#include <arpa/inet.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#ifdef KLIPS
#include <signal.h>
@@ -58,12 +58,7 @@
#include "server.h"
#include "whack.h" /* for RC_LOG_SERIOUS */
#include "keys.h"
-
-#ifdef NAT_TRAVERSAL
-#include "packet.h" /* for pb_stream in nat_traversal.h */
#include "nat_traversal.h"
-#endif
-
#include "alg_info.h"
#include "kernel_alg.h"
@@ -686,9 +681,7 @@ could_route(struct connection *c)
/* if routing would affect IKE messages, reject */
if (!no_klips
-#ifdef NAT_TRAVERSAL
&& c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
-#endif
&& c->spd.this.host_port != IKE_UDP_PORT
&& addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
{
@@ -1860,19 +1853,19 @@ setup_half_ipsec_sa(struct state *st, bool inbound)
SADB_EALG_3DES_CBC, SADB_AALG_SHA1_HMAC },
};
-#ifdef NAT_TRAVERSAL
u_int8_t natt_type = 0;
- u_int16_t natt_sport = 0, natt_dport = 0;
+ u_int16_t natt_sport = 0;
+ u_int16_t natt_dport = 0;
ip_address natt_oa;
- if (st->nat_traversal & NAT_T_DETECTED) {
+ if (st->nat_traversal & NAT_T_DETECTED)
+ {
natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ?
ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port;
natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
natt_oa = st->nat_oa;
}
-#endif
for (ei = esp_info; ; ei++)
{
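Review bot: `natt_oa` is assigned only inside the `if (st->nat_traversal & NAT_T_DETECTED)` block, yet the later hunk at -1952 stores its address unconditionally with `said_next->natt_oa = &natt_oa;`, so without NAT the kernel_sa carries a pointer to an uninitialised `ip_address`. The consumers visible in this patch (`netlink_add_sa` and `pfkey_add_sa`) test `sa->natt_type` before reading it, which keeps this harmless today, but nothing enforces that now that the fields are always compiled in. I would initialise it right after the declaration, for example `happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &natt_oa));`, assuming those helpers are usable here as they are in keys.c. That also agrees with the `isanyaddr(sa->natt_oa)` test in `pfkey_add_sa`. The body of setup_half_ipsec_sa starts and ends outside this hunk.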
@@ -1903,34 +1896,38 @@ setup_half_ipsec_sa(struct state *st, bool inbound)
}
key_len = st->st_esp.attrs.key_len/8;
- if (key_len) {
- /* XXX: must change to check valid _range_ key_len */
- if (key_len > ei->enckeylen) {
- loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d",
- enum_name(&esp_transformid_names, st->st_esp.attrs.transid),
- (int)key_len, (int)ei->enckeylen);
- goto fail;
- }
- } else {
- key_len = ei->enckeylen;
+ if (key_len)
+ {
+ /* XXX: must change to check valid _range_ key_len */
+ if (key_len > ei->enckeylen)
+ {
+ loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d",
+ enum_name(&esp_transformid_names, st->st_esp.attrs.transid),
+ (int)key_len, (int)ei->enckeylen);
+ goto fail;
+ }
+ }
+ else
+ {
+ key_len = ei->enckeylen;
}
/* Grrrrr.... f*cking 7 bits jurassic algos */
/* 168 bits in kernel, need 192 bits for keymat_len */
if (ei->transid == ESP_3DES && key_len == 21)
- key_len = 24;
+ key_len = 24;
/* 56 bits in kernel, need 64 bits for keymat_len */
if (ei->transid == ESP_DES && key_len == 7)
- key_len = 8;
+ key_len = 8;
/* divide up keying material */
/* passert(st->st_esp.keymat_len == ei->enckeylen + ei->authkeylen); */
DBG(DBG_KLIPS|DBG_CONTROL|DBG_PARSING,
- if(st->st_esp.keymat_len != key_len + ei->authkeylen)
- DBG_log("keymat_len=%d key_len=%d authkeylen=%d",
- st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen);
- );
+ if(st->st_esp.keymat_len != key_len + ei->authkeylen)
+ DBG_log("keymat_len=%d key_len=%d authkeylen=%d",
+ st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen);
+ )
passert(st->st_esp.keymat_len == key_len + ei->authkeylen);
set_text_said(text_said, &dst.addr, esp_spi, SA_ESP);
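Review bot: The only validation of the key length in this hunk is `if (key_len > ei->enckeylen)`, and the XXX comment above it already says a range check is needed. A non-zero `key_len` below what the transform accepts passes that test and is caught, if at all, only by `passert(st->st_esp.keymat_len == key_len + ei->authkeylen)`. `st->st_esp.attrs.key_len` presumably comes from the negotiated proposal, so a mismatch is better handled as a failed SA than as an assertion failure in the IKE daemon: `if (st->st_esp.keymat_len != key_len + ei->authkeylen) { loglog(RC_LOG_SERIOUS, "ESP keymat length mismatch"); goto fail; }`. The re-indentation is a good moment to add the lower bound as well. setup_half_ipsec_sa starts and ends outside this hunk, so the `fail` label and the origin of `keymat_len` are not visible here.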
@@ -1952,13 +1949,11 @@ setup_half_ipsec_sa(struct state *st, bool inbound)
said_next->enckey = esp_dst_keymat;
said_next->encapsulation = encapsulation;
said_next->reqid = c->spd.reqid + 1;
-#ifdef NAT_TRAVERSAL
said_next->natt_sport = natt_sport;
said_next->natt_dport = natt_dport;
said_next->transid = st->st_esp.attrs.transid;
said_next->natt_type = natt_type;
said_next->natt_oa = &natt_oa;
-#endif
said_next->text_said = text_said;
if (!kernel_ops->add_sa(said_next, replace))
@@ -2826,68 +2821,69 @@ delete_ipsec_sa(struct state *st USED_BY_KLIPS, bool inbound_only USED_BY_KLIPS)
DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()"));
#endif /* !KLIPS */
}
-#ifdef NAT_TRAVERSAL
+
#ifdef KLIPS
static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
{
- struct connection *c = st->st_connection;
- char text_said[SATOT_BUF];
- struct kernel_sa sa;
- ip_address
- src = inbound? c->spd.that.host_addr : c->spd.this.host_addr,
- dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr;
-
+ struct connection *c = st->st_connection;
+ char text_said[SATOT_BUF];
+ struct kernel_sa sa;
+ ip_address
+ src = inbound? c->spd.that.host_addr : c->spd.this.host_addr,
+ dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr;
- ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
+ ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
- u_int16_t
- natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port,
- natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
-
- set_text_said(text_said, &dst, esp_spi, SA_ESP);
-
- memset(&sa, 0, sizeof(sa));
- sa.spi = esp_spi;
- sa.src = &src;
- sa.dst = &dst;
- sa.text_said = text_said;
- sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth);
- sa.natt_sport = natt_sport;
- sa.natt_dport = natt_dport;
- sa.transid = st->st_esp.attrs.transid;
-
- return kernel_ops->add_sa(&sa, TRUE);
+ u_int16_t
+ natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port,
+ natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
+
+ set_text_said(text_said, &dst, esp_spi, SA_ESP);
+ memset(&sa, 0, sizeof(sa));
+ sa.spi = esp_spi;
+ sa.src = &src;
+ sa.dst = &dst;
+ sa.text_said = text_said;
+ sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth);
+ sa.natt_sport = natt_sport;
+ sa.natt_dport = natt_dport;
+ sa.transid = st->st_esp.attrs.transid;
+
+ return kernel_ops->add_sa(&sa, TRUE);
}
#endif
bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
{
#ifdef KLIPS
- if (IS_IPSEC_SA_ESTABLISHED(st->st_state)) {
- if ((st->st_esp.present) && (
- (!update_nat_t_ipsec_esp_sa (st, TRUE)) ||
- (!update_nat_t_ipsec_esp_sa (st, FALSE)))) {
- return FALSE;
- }
- }
- else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state)) {
- if ((st->st_esp.present) && (!update_nat_t_ipsec_esp_sa (st, FALSE))) {
- return FALSE;
- }
+ if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
+ {
+ if (st->st_esp.present && (
+ (!update_nat_t_ipsec_esp_sa (st, TRUE)) ||
+ (!update_nat_t_ipsec_esp_sa (st, FALSE))))
+ {
+ return FALSE;
}
- else {
- DBG_log("assert failed at %s:%d st_state=%d", __FILE__, __LINE__,
- st->st_state);
- return FALSE;
+ }
+ else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
+ {
+ if (st->st_esp.present && !update_nat_t_ipsec_esp_sa (st, FALSE))
+ {
+ return FALSE;
}
- return TRUE;
+ }
+ else
+ {
+ DBG_log("assert failed at %s:%d st_state=%d", __FILE__, __LINE__, st->st_state);
+ return FALSE;
+ }
+ return TRUE;
#else /* !KLIPS */
DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()"));
return TRUE;
#endif /* !KLIPS */
}
-#endif
/* Check if there was traffic on given SA during the last idle_max
* seconds. If TRUE, the SA was idle and DPD exchange should be performed.
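Review bot: In `update_ipsec_sa`, the `IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED` branch calls `update_nat_t_ipsec_esp_sa (st, FALSE)`, and by the ternaries in that helper `inbound == FALSE` selects `st->st_esp.attrs.spi` with this-to-that addresses, which is the outbound SA. If only the inbound SA exists in that state, the update targets the SA that is not there and leaves the inbound one with stale NAT-T ports. The reformat carries this over unchanged, so please confirm whether `update_nat_t_ipsec_esp_sa (st, TRUE)` was intended, or add a comment such as `/* outbound SA is updated on purpose because ... */`. Separately, the final `else` logs "assert failed" through a bare `DBG_log` outside a `DBG()` guard and returns FALSE, so an unexpected state is reported only at debug level.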
diff --git a/programs/pluto/kernel.h b/src/pluto/kernel.h
index c01ff31f9..e7ff08c7b 100644
--- a/programs/pluto/kernel.h
+++ b/src/pluto/kernel.h
@@ -69,11 +69,11 @@ struct kernel_sa {
unsigned compalg;
int encapsulation;
-#ifdef NAT_TRAVERSAL
+
u_int16_t natt_sport, natt_dport;
u_int8_t transid, natt_type;
ip_address *natt_oa;
-#endif
+
const char *text_said;
};
@@ -195,6 +195,4 @@ extern bool was_eroute_idle(struct state *st, time_t idle_max
extern bool get_sa_info(struct state *st, bool inbound, u_int *bytes
, time_t *use_time);
-#ifdef NAT_TRAVERSAL
extern bool update_ipsec_sa(struct state *st);
-#endif
diff --git a/programs/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index 920a879d7..91dfaff59 100644
--- a/programs/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -27,7 +27,7 @@
#include <pfkey.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
#include "defs.h"
diff --git a/programs/pluto/kernel_alg.h b/src/pluto/kernel_alg.h
index 483e97da1..483e97da1 100644
--- a/programs/pluto/kernel_alg.h
+++ b/src/pluto/kernel_alg.h
diff --git a/programs/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
index fd43c4653..1947ddbac 100644
--- a/programs/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@@ -677,7 +677,6 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
attr = (struct rtattr *)((char *)attr + attr->rta_len);
}
-#ifdef NAT_TRAVERSAL
if (sa->natt_type)
{
struct xfrm_encap_tmpl natt;
@@ -695,7 +694,6 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
req.n.nlmsg_len += attr->rta_len;
attr = (struct rtattr *)((char *)attr + attr->rta_len);
}
-#endif
return send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
}
diff --git a/programs/pluto/kernel_netlink.h b/src/pluto/kernel_netlink.h
index 1b5f42e48..1b5f42e48 100644
--- a/programs/pluto/kernel_netlink.h
+++ b/src/pluto/kernel_netlink.h
diff --git a/programs/pluto/kernel_noklips.c b/src/pluto/kernel_noklips.c
index 570bb0470..570bb0470 100644
--- a/programs/pluto/kernel_noklips.c
+++ b/src/pluto/kernel_noklips.c
diff --git a/programs/pluto/kernel_noklips.h b/src/pluto/kernel_noklips.h
index fe4e77ec4..fe4e77ec4 100644
--- a/programs/pluto/kernel_noklips.h
+++ b/src/pluto/kernel_noklips.h
diff --git a/programs/pluto/kernel_pfkey.c b/src/pluto/kernel_pfkey.c
index 76bfbaf9a..ced7a1453 100644
--- a/programs/pluto/kernel_pfkey.c
+++ b/src/pluto/kernel_pfkey.c
@@ -41,11 +41,8 @@
#include "kernel_pfkey.h"
#include "log.h"
#include "whack.h" /* for RC_LOG_SERIOUS */
-#ifdef NAT_TRAVERSAL
#include "demux.h"
#include "nat_traversal.h"
-#endif
-
#include "alg_info.h"
#include "kernel_alg.h"
@@ -77,9 +74,7 @@ static sparse_names pfkey_type_names = {
NE(SADB_X_ADDFLOW),
NE(SADB_X_DELFLOW),
NE(SADB_X_DEBUG),
-#ifdef NAT_TRAVERSAL
NE(SADB_X_NAT_T_NEW_MAPPING),
-#endif
NE(SADB_MAX),
{ 0, sparse_end }
};
@@ -250,10 +245,7 @@ pfkey_get(pfkey_buf *buf)
else if (!(buf->msg.sadb_msg_pid == (unsigned)pid
|| (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_ACQUIRE)
|| (buf->msg.sadb_msg_type == SADB_REGISTER)
-#ifdef NAT_TRAVERSAL
- || (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING)
-#endif
- ))
+ || (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING)))
{
/* not for us: ignore */
DBG(DBG_KLIPS,
@@ -435,11 +427,9 @@ pfkey_async(pfkey_buf *buf)
/* to simulate loss of ACQUIRE, delete this call */
process_pfkey_acquire(buf, extensions);
break;
-#ifdef NAT_TRAVERSAL
case SADB_X_NAT_T_NEW_MAPPING:
process_pfkey_nat_t_new_mapping(&(buf->msg), extensions);
break;
-#endif
default:
/* ignored */
break;
@@ -821,8 +811,7 @@ pfkey_add_sa(const struct kernel_sa *sa, bool replace)
, SADB_EXT_KEY_ENCRYPT, sa->enckeylen * BITS_PER_BYTE
, sa->enckey)
, "pfkey_key_e Add SA", sa->text_said, extensions))
-
-#ifdef NAT_TRAVERSAL
+
&& (sa->natt_type == 0
|| pfkey_build(pfkey_x_nat_t_type_build(
&extensions[SADB_X_EXT_NAT_T_TYPE], sa->natt_type),
@@ -840,10 +829,9 @@ pfkey_add_sa(const struct kernel_sa *sa, bool replace)
&& (sa->natt_type == 0 || isanyaddr(sa->natt_oa)
|| pfkeyext_address(SADB_X_EXT_NAT_T_OA, sa->natt_oa
, "pfkey_nat_t_oa Add ESP SA", sa->text_said, extensions))
-#endif
&& finish_pfkey_msg(extensions, "Add SA", sa->text_said, NULL);
-
+
}
static bool
diff --git a/programs/pluto/kernel_pfkey.h b/src/pluto/kernel_pfkey.h
index 9dbcdd341..9dbcdd341 100644
--- a/programs/pluto/kernel_pfkey.h
+++ b/src/pluto/kernel_pfkey.h
diff --git a/programs/pluto/keys.c b/src/pluto/keys.c
index 39726f424..eed81230f 100644
--- a/programs/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: keys.c,v 1.26 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: keys.c,v 1.24 2006/01/27 08:59:40 as Exp $
*/
#include <stddef.h>
@@ -34,7 +34,7 @@
#endif
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
#include "defs.h"
@@ -182,7 +182,6 @@ get_secret(const struct connection *c, enum PrivateKeyKind kind, bool asym)
happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
his_id = &rw_id;
}
-#ifdef NAT_TRAVERSAL
else if (kind == PPK_PSK
&& (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK))
&& ((c->kind == CK_TEMPLATE && c->spd.that.id.kind == ID_NONE) ||
@@ -193,7 +192,6 @@ get_secret(const struct connection *c, enum PrivateKeyKind kind, bool asym)
happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
his_id = &rw_id;
}
-#endif
for (s = secrets; s != NULL; s = s->next)
{
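Review bot: Dropping the `#ifdef NAT_TRAVERSAL` around this `else if (kind == PPK_PSK ...)` branch makes the any-address fallback part of every build, and it has no comment saying so. For a PSK policy on a `CK_TEMPLATE` connection whose peer id is `ID_NONE`, `his_id` is replaced by `rw_id` with an any-address value before the `for (s = secrets; ...)` search, so the lookup resolves against whatever secret is filed under the wildcard id. The rest of the condition lies between this hunk and the previous one and is not visible, so the exact trigger should be checked in the full file. I would document it at the branch, for example `/* peer id not known yet: look the PSK up under the any-address id, as for a road warrior */`, so operators reviewing ipsec.secrets know a wildcard PSK entry can be selected here.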
diff --git a/programs/pluto/keys.h b/src/pluto/keys.h
index 2f6216b93..415bdc3c1 100644
--- a/programs/pluto/keys.h
+++ b/src/pluto/keys.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: keys.h,v 1.8 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: keys.h,v 1.7 2006/01/26 20:10:34 as Exp $
*/
#ifndef _KEYS_H
@@ -23,7 +23,7 @@
#include "certs.h"
#ifndef SHARED_SECRETS_FILE
-# define SHARED_SECRETS_FILE "/etc/ipsec.secrets"
+# define SHARED_SECRETS_FILE IPSEC_CONFDIR "/ipsec.secrets"
#endif
const char *shared_secrets_file;
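Review bot: The default for `SHARED_SECRETS_FILE` changes from the fixed `/etc/ipsec.secrets` to `IPSEC_CONFDIR "/ipsec.secrets"`, so the file the daemon reads for PSKs and private-key entries now depends on a macro that this header neither defines nor checks. If the build sets `IPSEC_CONFDIR` to anything other than `/etc`, an upgraded host keeps its old secrets file in place while pluto looks elsewhere. A short comment would make the dependency explicit: `/* IPSEC_CONFDIR comes from the build flags; the secrets file must stay readable by root only */`. The packaging should also confirm that the configured directory matches where existing installations keep the file.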
@@ -89,7 +89,6 @@ extern void delete_public_keys(const struct id *id, enum pubkey_alg alg
extern pubkey_t *reference_key(pubkey_t *pk);
extern void unreference_key(pubkey_t **pkp);
-
extern err_t add_public_key(const struct id *id
, enum dns_auth_level dns_auth_level
, enum pubkey_alg alg
@@ -110,5 +109,5 @@ extern void transfer_to_public_keys(struct gw_info *gateways_from_dns
, pubkey_list_t **keys
#endif /* USE_KEYRR */
);
-
+
#endif /* _KEYS_H */
diff --git a/programs/pluto/lex.c b/src/pluto/lex.c
index 5c811725a..5c811725a 100644
--- a/programs/pluto/lex.c
+++ b/src/pluto/lex.c
diff --git a/programs/pluto/lex.h b/src/pluto/lex.h
index fb6c15236..fb6c15236 100644
--- a/programs/pluto/lex.h
+++ b/src/pluto/lex.h
diff --git a/programs/pluto/linux26/netlink.h b/src/pluto/linux26/netlink.h
index 6b0896da6..6b0896da6 100644
--- a/programs/pluto/linux26/netlink.h
+++ b/src/pluto/linux26/netlink.h
diff --git a/programs/pluto/linux26/rtnetlink.h b/src/pluto/linux26/rtnetlink.h
index 341bc1f86..341bc1f86 100644
--- a/programs/pluto/linux26/rtnetlink.h
+++ b/src/pluto/linux26/rtnetlink.h
diff --git a/programs/pluto/linux26/xfrm.h b/src/pluto/linux26/xfrm.h
index 4269ae29b..4269ae29b 100644
--- a/programs/pluto/linux26/xfrm.h
+++ b/src/pluto/linux26/xfrm.h
diff --git a/programs/pluto/log.c b/src/pluto/log.c
index aef93ff3c..36997122c 100644
--- a/programs/pluto/log.c
+++ b/src/pluto/log.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: log.c,v 1.9 2006/10/17 10:30:54 as Exp $
+ * RCSID $Id: log.c,v 1.8 2006/04/29 18:16:02 as Exp $
*/
#include <stdio.h>
diff --git a/programs/pluto/log.h b/src/pluto/log.h
index 0bf8219aa..a4eae9d1c 100644
--- a/programs/pluto/log.h
+++ b/src/pluto/log.h
@@ -18,8 +18,8 @@
#define LOG_WIDTH 1024 /* roof of number of chars in log line */
-#ifndef PERPERRLOGDIR
-#define PERPERRLOGDIR "/var/log/pluto/peer"
+#ifndef PERPEERLOGDIR
+#define PERPEERLOGDIR "/var/log/pluto/peer"
#endif
/* our versions of assert: log result */
diff --git a/programs/pluto/md2.c b/src/pluto/md2.c
index d6465477d..d6465477d 100644
--- a/programs/pluto/md2.c
+++ b/src/pluto/md2.c
diff --git a/programs/pluto/md2.h b/src/pluto/md2.h
index b3b48dd92..b3b48dd92 100644
--- a/programs/pluto/md2.h
+++ b/src/pluto/md2.h
diff --git a/programs/pluto/md5.c b/src/pluto/md5.c
index 5d75e38a4..5d75e38a4 100644
--- a/programs/pluto/md5.c
+++ b/src/pluto/md5.c
diff --git a/programs/pluto/md5.h b/src/pluto/md5.h
index 9b29bc46e..9b29bc46e 100644
--- a/programs/pluto/md5.h
+++ b/src/pluto/md5.h
diff --git a/programs/pluto/modecfg.c b/src/pluto/modecfg.c
index 620c595fb..ab44a113e 100644
--- a/programs/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -14,7 +14,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: modecfg.c,v 1.16 2007/01/29 08:27:54 as Exp $
+ * RCSID $Id: modecfg.c,v 1.6 2006/04/24 20:44:57 as Exp $
*
* This code originally written by Colubris Networks, Inc.
* Extraction of patch and porting to 1.99 codebases by Xelerance Corporation
diff --git a/programs/pluto/modecfg.h b/src/pluto/modecfg.h
index 4fce75aef..68b7ef446 100644
--- a/programs/pluto/modecfg.h
+++ b/src/pluto/modecfg.h
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: modecfg.h,v 1.4 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: modecfg.h,v 1.1 2005/01/06 22:10:15 as Exp $
*/
#ifndef _MODECFG_H
diff --git a/programs/pluto/mp_defs.c b/src/pluto/mp_defs.c
index 7ad896751..7ad896751 100644
--- a/programs/pluto/mp_defs.c
+++ b/src/pluto/mp_defs.c
diff --git a/programs/pluto/mp_defs.h b/src/pluto/mp_defs.h
index 744a028d1..744a028d1 100644
--- a/programs/pluto/mp_defs.h
+++ b/src/pluto/mp_defs.h
diff --git a/programs/pluto/nat_traversal.c b/src/pluto/nat_traversal.c
index 2f5ba3cb4..4a52cc107 100644
--- a/programs/pluto/nat_traversal.c
+++ b/src/pluto/nat_traversal.c
@@ -14,8 +14,6 @@
* RCSID $Id: nat_traversal.c,v 1.8 2005/01/06 22:36:58 as Exp $
*/
-#ifdef NAT_TRAVERSAL
-
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
@@ -28,9 +26,10 @@
#include <sys/queue.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include <pfkeyv2.h>
#include <pfkey.h>
+
#include "constants.h"
#include "defs.h"
#include "log.h"
@@ -42,8 +41,6 @@
#include "kernel.h"
#include "whack.h"
#include "timer.h"
-
-
#include "cookie.h"
#include "sha1.h"
#include "md5.h"
@@ -176,7 +173,9 @@ bool nat_traversal_add_vid(u_int8_t np, pb_stream *outs)
if (r)
r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_03);
if (r)
- r = out_vendorid(last_np, outs, VID_NATT_IETF_02);
+ r = out_vendorid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_02);
+ if (r)
+ r = out_vendorid(last_np, outs, VID_NATT_IETF_02_N);
}
if (nat_traversal_support_non_ike)
{
@@ -580,7 +579,7 @@ static void nat_traversal_send_ka (struct state *st)
/* send keep alive */
setchunk(st->st_tpacket, &ka_payload, 1);
- _send_packet(st, "NAT-T Keep Alive", FALSE);
+ send_packet(st, "NAT-T Keep Alive");
/* restore state chunk */
setchunk(st->st_tpacket, sav.ptr, sav.len);
@@ -865,5 +864,3 @@ void process_pfkey_nat_t_new_mapping(
plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: %s", ugh);
}
-#endif
-
diff --git a/programs/pluto/nat_traversal.h b/src/pluto/nat_traversal.h
index 71222c54c..71222c54c 100644
--- a/programs/pluto/nat_traversal.h
+++ b/src/pluto/nat_traversal.h
diff --git a/programs/pluto/ocsp.c b/src/pluto/ocsp.c
index f31b96c7f..a338be446 100644
--- a/programs/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -23,7 +23,7 @@
#include <fcntl.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
#include "defs.h"
diff --git a/programs/pluto/ocsp.h b/src/pluto/ocsp.h
index 49e1026ec..49e1026ec 100644
--- a/programs/pluto/ocsp.h
+++ b/src/pluto/ocsp.h
diff --git a/src/pluto/oid.c b/src/pluto/oid.c
new file mode 100644
index 000000000..4b0632de2
--- /dev/null
+++ b/src/pluto/oid.c
@@ -0,0 +1,197 @@
+/* List of some useful object identifiers (OIDs)
+ * Copyright (C) 2003-2004 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This file has been automatically generated by the script oid.pl
+ * Do not edit manually!
+ */
+
+#include <stdlib.h>
+
+#include "oid.h"
+
+const oid_t oid_names[] = {
+ {0x02, 7, 1, "ITU-T Administration" }, /* 0 */
+ { 0x82, 0, 1, "" }, /* 1 */
+ { 0x06, 0, 1, "Germany ITU-T member" }, /* 2 */
+ { 0x01, 0, 1, "Deutsche Telekom AG" }, /* 3 */
+ { 0x0A, 0, 1, "" }, /* 4 */
+ { 0x07, 0, 1, "" }, /* 5 */
+ { 0x14, 0, 0, "ND" }, /* 6 */
+ {0x09, 18, 1, "data" }, /* 7 */
+ { 0x92, 0, 1, "" }, /* 8 */
+ { 0x26, 0, 1, "" }, /* 9 */
+ { 0x89, 0, 1, "" }, /* 10 */
+ { 0x93, 0, 1, "" }, /* 11 */
+ { 0xF2, 0, 1, "" }, /* 12 */
+ { 0x2C, 0, 1, "" }, /* 13 */
+ { 0x64, 0, 1, "pilot" }, /* 14 */
+ { 0x01, 0, 1, "pilotAttributeType" }, /* 15 */
+ { 0x01, 17, 0, "UID" }, /* 16 */
+ { 0x19, 0, 0, "DC" }, /* 17 */
+ {0x55, 51, 1, "X.500" }, /* 18 */
+ { 0x04, 36, 1, "X.509" }, /* 19 */
+ { 0x03, 21, 0, "CN" }, /* 20 */
+ { 0x04, 22, 0, "S" }, /* 21 */
+ { 0x05, 23, 0, "SN" }, /* 22 */
+ { 0x06, 24, 0, "C" }, /* 23 */
+ { 0x07, 25, 0, "L" }, /* 24 */
+ { 0x08, 26, 0, "ST" }, /* 25 */
+ { 0x0A, 27, 0, "O" }, /* 26 */
+ { 0x0B, 28, 0, "OU" }, /* 27 */
+ { 0x0C, 29, 0, "T" }, /* 28 */
+ { 0x0D, 30, 0, "D" }, /* 29 */
+ { 0x24, 31, 0, "userCertificate" }, /* 30 */
+ { 0x29, 32, 0, "N" }, /* 31 */
+ { 0x2A, 33, 0, "G" }, /* 32 */
+ { 0x2B, 34, 0, "I" }, /* 33 */
+ { 0x2D, 35, 0, "ID" }, /* 34 */
+ { 0x48, 0, 0, "role" }, /* 35 */
+ { 0x1D, 0, 1, "id-ce" }, /* 36 */
+ { 0x09, 38, 0, "subjectDirectoryAttrs" }, /* 37 */
+ { 0x0E, 39, 0, "subjectKeyIdentifier" }, /* 38 */
+ { 0x0F, 40, 0, "keyUsage" }, /* 39 */
+ { 0x10, 41, 0, "privateKeyUsagePeriod" }, /* 40 */
+ { 0x11, 42, 0, "subjectAltName" }, /* 41 */
+ { 0x12, 43, 0, "issuerAltName" }, /* 42 */
+ { 0x13, 44, 0, "basicConstraints" }, /* 43 */
+ { 0x15, 45, 0, "reasonCode" }, /* 44 */
+ { 0x1F, 46, 0, "crlDistributionPoints" }, /* 45 */
+ { 0x20, 47, 0, "certificatePolicies" }, /* 46 */
+ { 0x23, 48, 0, "authorityKeyIdentifier" }, /* 47 */
+ { 0x25, 49, 0, "extendedKeyUsage" }, /* 48 */
+ { 0x37, 50, 0, "targetInformation" }, /* 49 */
+ { 0x38, 0, 0, "noRevAvail" }, /* 50 */
+ {0x2A, 88, 1, "" }, /* 51 */
+ { 0x86, 0, 1, "" }, /* 52 */
+ { 0x48, 0, 1, "" }, /* 53 */
+ { 0x86, 0, 1, "" }, /* 54 */
+ { 0xF7, 0, 1, "" }, /* 55 */
+ { 0x0D, 0, 1, "RSADSI" }, /* 56 */
+ { 0x01, 83, 1, "PKCS" }, /* 57 */
+ { 0x01, 66, 1, "PKCS-1" }, /* 58 */
+ { 0x01, 60, 0, "rsaEncryption" }, /* 59 */
+ { 0x02, 61, 0, "md2WithRSAEncryption" }, /* 60 */
+ { 0x04, 62, 0, "md5WithRSAEncryption" }, /* 61 */
+ { 0x05, 63, 0, "sha-1WithRSAEncryption" }, /* 62 */
+ { 0x0B, 64, 0, "sha256WithRSAEncryption"}, /* 63 */
+ { 0x0C, 65, 0, "sha384WithRSAEncryption"}, /* 64 */
+ { 0x0D, 0, 0, "sha512WithRSAEncryption"}, /* 65 */
+ { 0x07, 73, 1, "PKCS-7" }, /* 66 */
+ { 0x01, 68, 0, "data" }, /* 67 */
+ { 0x02, 69, 0, "signedData" }, /* 68 */
+ { 0x03, 70, 0, "envelopedData" }, /* 69 */
+ { 0x04, 71, 0, "signedAndEnvelopedData" }, /* 70 */
+ { 0x05, 72, 0, "digestedData" }, /* 71 */
+ { 0x06, 0, 0, "encryptedData" }, /* 72 */
+ { 0x09, 0, 1, "PKCS-9" }, /* 73 */
+ { 0x01, 75, 0, "E" }, /* 74 */
+ { 0x02, 76, 0, "unstructuredName" }, /* 75 */
+ { 0x03, 77, 0, "contentType" }, /* 76 */
+ { 0x04, 78, 0, "messageDigest" }, /* 77 */
+ { 0x05, 79, 0, "signingTime" }, /* 78 */
+ { 0x06, 80, 0, "counterSignature" }, /* 79 */
+ { 0x07, 81, 0, "challengePassword" }, /* 80 */
+ { 0x08, 82, 0, "unstructuredAddress" }, /* 81 */
+ { 0x0E, 0, 0, "extensionRequest" }, /* 82 */
+ { 0x02, 86, 1, "digestAlgorithm" }, /* 83 */
+ { 0x02, 85, 0, "md2" }, /* 84 */
+ { 0x05, 0, 0, "md5" }, /* 85 */
+ { 0x03, 0, 1, "encryptionAlgorithm" }, /* 86 */
+ { 0x07, 0, 0, "3des-ede-cbc" }, /* 87 */
+ {0x2B, 149, 1, "" }, /* 88 */
+ { 0x06, 136, 1, "dod" }, /* 89 */
+ { 0x01, 0, 1, "internet" }, /* 90 */
+ { 0x04, 105, 1, "private" }, /* 91 */
+ { 0x01, 0, 1, "enterprise" }, /* 92 */
+ { 0x82, 98, 1, "" }, /* 93 */
+ { 0x37, 0, 1, "Microsoft" }, /* 94 */
+ { 0x0A, 0, 1, "" }, /* 95 */
+ { 0x03, 0, 1, "" }, /* 96 */
+ { 0x03, 0, 0, "msSGC" }, /* 97 */
+ { 0x89, 0, 1, "" }, /* 98 */
+ { 0x31, 0, 1, "" }, /* 99 */
+ { 0x01, 0, 1, "" }, /* 100 */
+ { 0x01, 0, 1, "" }, /* 101 */
+ { 0x02, 0, 1, "" }, /* 102 */
+ { 0x02, 104, 0, "" }, /* 103 */
+ { 0x4B, 0, 0, "TCGID" }, /* 104 */
+ { 0x05, 0, 1, "security" }, /* 105 */
+ { 0x05, 0, 1, "mechanisms" }, /* 106 */
+ { 0x07, 0, 1, "id-pkix" }, /* 107 */
+ { 0x01, 110, 1, "id-pe" }, /* 108 */
+ { 0x01, 0, 0, "authorityInfoAccess" }, /* 109 */
+ { 0x03, 120, 1, "id-kp" }, /* 110 */
+ { 0x01, 112, 0, "serverAuth" }, /* 111 */
+ { 0x02, 113, 0, "clientAuth" }, /* 112 */
+ { 0x03, 114, 0, "codeSigning" }, /* 113 */
+ { 0x04, 115, 0, "emailProtection" }, /* 114 */
+ { 0x05, 116, 0, "ipsecEndSystem" }, /* 115 */
+ { 0x06, 117, 0, "ipsecTunnel" }, /* 116 */
+ { 0x07, 118, 0, "ipsecUser" }, /* 117 */
+ { 0x08, 119, 0, "timeStamping" }, /* 118 */
+ { 0x09, 0, 0, "ocspSigning" }, /* 119 */
+ { 0x08, 122, 1, "id-otherNames" }, /* 120 */
+ { 0x05, 0, 0, "xmppAddr" }, /* 121 */
+ { 0x0A, 127, 1, "id-aca" }, /* 122 */
+ { 0x01, 124, 0, "authenticationInfo" }, /* 123 */
+ { 0x02, 125, 0, "accessIdentity" }, /* 124 */
+ { 0x03, 126, 0, "chargingIdentity" }, /* 125 */
+ { 0x04, 0, 0, "group" }, /* 126 */
+ { 0x30, 0, 1, "id-ad" }, /* 127 */
+ { 0x01, 0, 1, "ocsp" }, /* 128 */
+ { 0x01, 130, 0, "basic" }, /* 129 */
+ { 0x02, 131, 0, "nonce" }, /* 130 */
+ { 0x03, 132, 0, "crl" }, /* 131 */
+ { 0x04, 133, 0, "response" }, /* 132 */
+ { 0x05, 134, 0, "noCheck" }, /* 133 */
+ { 0x06, 135, 0, "archiveCutoff" }, /* 134 */
+ { 0x07, 0, 0, "serviceLocator" }, /* 135 */
+ { 0x0E, 142, 1, "oiw" }, /* 136 */
+ { 0x03, 0, 1, "secsig" }, /* 137 */
+ { 0x02, 0, 1, "algorithms" }, /* 138 */
+ { 0x07, 140, 0, "des-cbc" }, /* 139 */
+ { 0x1A, 141, 0, "sha-1" }, /* 140 */
+ { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 141 */
+ { 0x24, 0, 1, "TeleTrusT" }, /* 142 */
+ { 0x03, 0, 1, "algorithm" }, /* 143 */
+ { 0x03, 0, 1, "signatureAlgorithm" }, /* 144 */
+ { 0x01, 0, 1, "rsaSignature" }, /* 145 */
+ { 0x02, 147, 0, "rsaSigWithripemd160" }, /* 146 */
+ { 0x03, 148, 0, "rsaSigWithripemd128" }, /* 147 */
+ { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 148 */
+ {0x60, 0, 1, "" }, /* 149 */
+ { 0x86, 0, 1, "" }, /* 150 */
+ { 0x48, 0, 1, "" }, /* 151 */
+ { 0x01, 0, 1, "organization" }, /* 152 */
+ { 0x65, 160, 1, "gov" }, /* 153 */
+ { 0x03, 0, 1, "csor" }, /* 154 */
+ { 0x04, 0, 1, "nistalgorithm" }, /* 155 */
+ { 0x02, 0, 1, "hashalgs" }, /* 156 */
+ { 0x01, 158, 0, "id-SHA-256" }, /* 157 */
+ { 0x02, 159, 0, "id-SHA-384" }, /* 158 */
+ { 0x03, 0, 0, "id-SHA-512" }, /* 159 */
+ { 0x86, 0, 1, "" }, /* 160 */
+ { 0xf8, 0, 1, "" }, /* 161 */
+ { 0x42, 174, 1, "netscape" }, /* 162 */
+ { 0x01, 169, 1, "" }, /* 163 */
+ { 0x01, 165, 0, "nsCertType" }, /* 164 */
+ { 0x03, 166, 0, "nsRevocationUrl" }, /* 165 */
+ { 0x04, 167, 0, "nsCaRevocationUrl" }, /* 166 */
+ { 0x08, 168, 0, "nsCaPolicyUrl" }, /* 167 */
+ { 0x0d, 0, 0, "nsComment" }, /* 168 */
+ { 0x03, 172, 1, "directory" }, /* 169 */
+ { 0x01, 0, 1, "" }, /* 170 */
+ { 0x03, 0, 0, "employeeNumber" }, /* 171 */
+ { 0x04, 0, 1, "policy" }, /* 172 */
+ { 0x01, 0, 0, "nsSGC" }, /* 173 */
+ { 0x45, 0, 1, "verisign" }, /* 174 */
+ { 0x01, 0, 1, "pki" }, /* 175 */
+ { 0x09, 0, 1, "attributes" }, /* 176 */
+ { 0x02, 178, 0, "messageType" }, /* 177 */
+ { 0x03, 179, 0, "pkiStatus" }, /* 178 */
+ { 0x04, 180, 0, "failInfo" }, /* 179 */
+ { 0x05, 181, 0, "senderNonce" }, /* 180 */
+ { 0x06, 182, 0, "recipientNonce" }, /* 181 */
+ { 0x07, 183, 0, "transID" }, /* 182 */
+ { 0x08, 0, 0, "extensionReq" } /* 183 */
+};
diff --git a/programs/pluto/oid.h b/src/pluto/oid.h
index ccdfb2954..ccdfb2954 100644
--- a/programs/pluto/oid.h
+++ b/src/pluto/oid.h
diff --git a/programs/pluto/oid.pl b/src/pluto/oid.pl
index 52ac8eae0..52ac8eae0 100644
--- a/programs/pluto/oid.pl
+++ b/src/pluto/oid.pl
diff --git a/programs/pluto/oid.txt b/src/pluto/oid.txt
index e8750024e..e8750024e 100644
--- a/programs/pluto/oid.txt
+++ b/src/pluto/oid.txt
diff --git a/programs/pluto/packet.c b/src/pluto/packet.c
index 9f04c8bb2..9f04c8bb2 100644
--- a/programs/pluto/packet.c
+++ b/src/pluto/packet.c
diff --git a/programs/pluto/packet.h b/src/pluto/packet.h
index 676a5e6cd..676a5e6cd 100644
--- a/programs/pluto/packet.h
+++ b/src/pluto/packet.h
diff --git a/programs/pluto/pem.c b/src/pluto/pem.c
index e8d381741..db6d0d7e3 100644
--- a/programs/pluto/pem.c
+++ b/src/pluto/pem.c
@@ -28,7 +28,7 @@
#include <freeswan.h>
#define HEADER_DES_LOCL_H /* stupid trick to force prototype decl in <des.h> */
-#include <crypto/des.h>
+#include <libdes/des.h>
#include "constants.h"
#include "defs.h"
diff --git a/programs/pluto/pem.h b/src/pluto/pem.h
index 815b5d85b..815b5d85b 100644
--- a/programs/pluto/pem.h
+++ b/src/pluto/pem.h
diff --git a/programs/pluto/pgp.c b/src/pluto/pgp.c
index 015319aaf..307303f6b 100644
--- a/programs/pluto/pgp.c
+++ b/src/pluto/pgp.c
@@ -19,7 +19,7 @@
#include <time.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
#include "defs.h"
diff --git a/programs/pluto/pgp.h b/src/pluto/pgp.h
index 4f34debc9..4f34debc9 100644
--- a/programs/pluto/pgp.h
+++ b/src/pluto/pgp.h
diff --git a/programs/pluto/pkcs1.c b/src/pluto/pkcs1.c
index b3c0face9..ade5fdd94 100644
--- a/programs/pluto/pkcs1.c
+++ b/src/pluto/pkcs1.c
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: pkcs1.c,v 1.18 2007/02/21 14:21:05 as Exp $
+ * RCSID $Id: pkcs1.c,v 1.17 2006/01/04 21:00:43 as Exp $
*/
#include <stddef.h>
diff --git a/programs/pluto/pkcs1.h b/src/pluto/pkcs1.h
index c927db0f8..c927db0f8 100644
--- a/programs/pluto/pkcs1.h
+++ b/src/pluto/pkcs1.h
diff --git a/programs/pluto/pkcs7.c b/src/pluto/pkcs7.c
index 0691a80d6..3068c0c94 100644
--- a/programs/pluto/pkcs7.c
+++ b/src/pluto/pkcs7.c
@@ -18,7 +18,7 @@
#include <stdlib.h>
#include <string.h>
-#include <crypto/des.h>
+#include <libdes/des.h>
#include <freeswan.h>
diff --git a/programs/pluto/pkcs7.h b/src/pluto/pkcs7.h
index 38c633f4e..38c633f4e 100644
--- a/programs/pluto/pkcs7.h
+++ b/src/pluto/pkcs7.h
diff --git a/programs/pluto/pluto.8 b/src/pluto/pluto.8
index b80d13772..b80d13772 100644
--- a/programs/pluto/pluto.8
+++ b/src/pluto/pluto.8
diff --git a/programs/pluto/plutomain.c b/src/pluto/plutomain.c
index d7e9d8a2c..e235ff765 100644
--- a/programs/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: plutomain.c,v 1.19 2007/01/29 08:27:19 as Exp $
+ * RCSID $Id: plutomain.c,v 1.16 2005/09/25 21:30:52 as Exp $
*/
#include <stdio.h>
@@ -58,18 +58,11 @@
#include "crl.h"
#include "fetch.h"
#include "xauth.h"
-
#include "sha1.h"
#include "md5.h"
#include "crypto.h" /* requires sha1.h and md5.h */
-
-#ifdef VIRTUAL_IP
-#include "virtual.h"
-#endif
-
-#ifdef NAT_TRAVERSAL
#include "nat_traversal.h"
-#endif
+#include "virtual.h"
static void
usage(const char *mess)
@@ -88,7 +81,7 @@ usage(const char *mess)
" [--nocrsend]"
" \\\n\t"
"[--strictcrlpolicy]"
- " [--crlcheckinterval]"
+ " [--crlcheckinterval <interval>]"
" [--cachecrls]"
" [--uniqueids]"
" \\\n\t"
@@ -124,17 +117,13 @@ usage(const char *mess)
" [--debug-controlmore]"
" [--debug-private]"
#endif
-#ifdef NAT_TRAVERSAL
" [ --debug-natt]"
" \\\n\t"
"[--nat_traversal] [--keep_alive <delay_sec>]"
" \\\n\t"
"[--force_keepalive] [--disable_port_floating]"
-#endif
-#ifdef VIRTUAL_IP
" \\\n\t"
"[--virtual_private <network_list>]"
-#endif
"\n"
"strongSwan %s\n"
, ipsec_version_code());
@@ -226,15 +215,11 @@ main(int argc, char **argv)
{
bool fork_desired = TRUE;
bool log_to_stderr_desired = FALSE;
-#ifdef NAT_TRAVERSAL
bool nat_traversal = FALSE;
bool nat_t_spf = TRUE; /* support port floating */
unsigned int keep_alive = 0;
bool force_keepalive = FALSE;
-#endif
-#ifdef VIRTUAL_IP
char *virtual_private = NULL;
-#endif
int lockfd;
/* handle arguments */
@@ -270,20 +255,15 @@ main(int argc, char **argv)
{ "pkcs11module", required_argument, NULL, 'm' },
{ "pkcs11keepstate", no_argument, NULL, 'k' },
{ "pkcs11proxy", no_argument, NULL, 'y' },
-#ifdef NAT_TRAVERSAL
{ "nat_traversal", no_argument, NULL, '1' },
{ "keep_alive", required_argument, NULL, '2' },
{ "force_keepalive", no_argument, NULL, '3' },
{ "disable_port_floating", no_argument, NULL, '4' },
{ "debug-natt", no_argument, NULL, '5' },
-#endif
-#ifdef VIRTUAL_IP
{ "virtual_private", required_argument, NULL, '6' },
-#endif
#ifdef DEBUG
{ "debug-none", no_argument, NULL, 'N' },
{ "debug-all", no_argument, NULL, 'A' },
-
{ "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
{ "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
{ "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
@@ -461,7 +441,6 @@ main(int argc, char **argv)
log_to_perpeer = TRUE;
continue;
-#ifdef NAT_TRAVERSAL
case '1': /* --nat_traversal */
nat_traversal = TRUE;
continue;
@@ -477,12 +456,9 @@ main(int argc, char **argv)
case '5': /* --debug-nat_t */
base_debugging |= DBG_NATT;
continue;
-#endif
-#ifdef VIRTUAL_IP
case '6': /* --virtual_private */
virtual_private = optarg;
continue;
-#endif
default:
#ifdef DEBUG
@@ -606,13 +582,8 @@ main(int argc, char **argv)
, ipsec_version_code()
, compile_time_interop_options);
-#ifdef NAT_TRAVERSAL
init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
-#endif
-
-#ifdef VIRTUAL_IP
init_virtual_ip(virtual_private);
-#endif
scx_init(pkcs11_module_path); /* load and initialize PKCS #11 module */
xauth_init(); /* load and initialize XAUTH module */
init_rnd_pool();
diff --git a/programs/pluto/primegen.c b/src/pluto/primegen.c
index 159490345..159490345 100644
--- a/programs/pluto/primegen.c
+++ b/src/pluto/primegen.c
diff --git a/programs/pluto/rcv_whack.c b/src/pluto/rcv_whack.c
index 99c377765..6a39e7c1f 100644
--- a/programs/pluto/rcv_whack.c
+++ b/src/pluto/rcv_whack.c
@@ -321,28 +321,24 @@ whack_handle(int whackctlfd)
|| !unpack_str(&msg.left.ca) /* string 4 */
|| !unpack_str(&msg.left.groups) /* string 5 */
|| !unpack_str(&msg.left.updown) /* string 6 */
-#ifdef VIRTUAL_IP
- || !unpack_str(&msg.left.virt)
-#endif
- || !unpack_str(&msg.right.id) /* string 7 */
- || !unpack_str(&msg.right.cert) /* string 8 */
- || !unpack_str(&msg.right.ca) /* string 9 */
- || !unpack_str(&msg.right.groups) /* string 10 */
- || !unpack_str(&msg.right.updown) /* string 11 */
-#ifdef VIRTUAL_IP
- || !unpack_str(&msg.right.virt)
-#endif
- || !unpack_str(&msg.keyid) /* string 12 */
- || !unpack_str(&msg.myid) /* string 13 */
- || !unpack_str(&msg.cacert) /* string 14 */
- || !unpack_str(&msg.ldaphost) /* string 15 */
- || !unpack_str(&msg.ldapbase) /* string 16 */
- || !unpack_str(&msg.crluri) /* string 17 */
- || !unpack_str(&msg.crluri2) /* string 18 */
- || !unpack_str(&msg.ocspuri) /* string 19 */
- || !unpack_str(&msg.ike) /* string 20 */
- || !unpack_str(&msg.esp) /* string 21 */
- || !unpack_str(&msg.sc_data) /* string 22 */
+ || !unpack_str(&msg.left.virt) /* string 7 */
+ || !unpack_str(&msg.right.id) /* string 8 */
+ || !unpack_str(&msg.right.cert) /* string 9 */
+ || !unpack_str(&msg.right.ca) /* string 10 */
+ || !unpack_str(&msg.right.groups) /* string 11 */
+ || !unpack_str(&msg.right.updown) /* string 12 */
+ || !unpack_str(&msg.right.virt) /* string 13 */
+ || !unpack_str(&msg.keyid) /* string 14 */
+ || !unpack_str(&msg.myid) /* string 15 */
+ || !unpack_str(&msg.cacert) /* string 16 */
+ || !unpack_str(&msg.ldaphost) /* string 17 */
+ || !unpack_str(&msg.ldapbase) /* string 18 */
+ || !unpack_str(&msg.crluri) /* string 19 */
+ || !unpack_str(&msg.crluri2) /* string 20 */
+ || !unpack_str(&msg.ocspuri) /* string 21 */
+ || !unpack_str(&msg.ike) /* string 22 */
+ || !unpack_str(&msg.esp) /* string 23 */
+ || !unpack_str(&msg.sc_data) /* string 24 */
|| str_roof - next_str != (ptrdiff_t)msg.keyval.len) /* check chunk */
{
ugh = "message from whack contains bad string";
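Review bot: The unpack chain now always reads `left.virt` and `right.virt`, so it expects 24 strings where a build without VIRTUAL_IP read 22, and nothing in this hunk ties that order and count to what the sender packs. A whack binary using the older layout may have its strings shifted into the wrong fields instead of being rejected, unless the message version check (outside this hunk) was changed together with this layout, which is worth confirming. I would add a comment above the chain such as `/* order and count must match the strings packed by whack; change the message version when this list changes */`. The `if` that contains this chain starts outside the hunk.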
@@ -569,7 +565,7 @@ whack_handle(int whackctlfd)
{
struct connection *c = con_by_name(msg.name, TRUE);
- if (c != NULL)
+ if (c != NULL && c->ikev1)
{
set_cur_connection(c);
if (!oriented(*c))
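Review bot: When `con_by_name()` finds the connection but `c->ikev1` is false, the new condition skips the block and, as far as this hunk shows, nothing is reported back to the whack caller, so the request silently does nothing. The same applies to the identical change in the next hunk (the block that declares `struct spd_route *sr`). If there is no `else` branch outside the hunk, consider an explicit message such as `else if (c != NULL) loglog(RC_LOG_SERIOUS, "connection \"%s\" is not an IKEv1 connection", c->name);`, or at least a comment `/* non-IKEv1 connections are not handled by pluto */`. Both blocks continue outside their hunks.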
@@ -595,7 +591,7 @@ whack_handle(int whackctlfd)
{
struct connection *c = con_by_name(msg.name, TRUE);
- if (c != NULL)
+ if (c != NULL && c->ikev1)
{
struct spd_route *sr;
int fail = 0;
diff --git a/programs/pluto/rcv_whack.h b/src/pluto/rcv_whack.h
index f42761c51..f42761c51 100644
--- a/programs/pluto/rcv_whack.h
+++ b/src/pluto/rcv_whack.h
diff --git a/programs/pluto/rnd.c b/src/pluto/rnd.c
index da72cc8ff..812882c6b 100644
--- a/programs/pluto/rnd.c
+++ b/src/pluto/rnd.c
@@ -69,7 +69,7 @@
#ifdef linux
# define USE_DEV_RANDOM 1
-# define RANDOM_PATH "/dev/urandom"
+# define RANDOM_PATH DEV_URANDOM
#else
# ifdef __OpenBSD__
# define USE_ARC4RANDOM
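Review bot: `RANDOM_PATH` now depends on a `DEV_URANDOM` macro whose definition is not visible in this hunk, so the device that feeds pluto's random pool is chosen by the build configuration rather than by this file. If the macro is missing the build breaks, and if it is set wrongly the pool is read from an unintended path. A guarded default keeps the previous behaviour: `#ifndef DEV_URANDOM` / `# define DEV_URANDOM "/dev/urandom"` / `#endif`. A one-line comment saying where `DEV_URANDOM` is set (presumably by configure) would also help.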
diff --git a/programs/pluto/rnd.h b/src/pluto/rnd.h
index 0bd168039..0bd168039 100644
--- a/programs/pluto/rnd.h
+++ b/src/pluto/rnd.h
diff --git a/programs/pluto/rsaref/pkcs11.h b/src/pluto/rsaref/pkcs11.h
index 9261e1e4c..9261e1e4c 100644
--- a/programs/pluto/rsaref/pkcs11.h
+++ b/src/pluto/rsaref/pkcs11.h
diff --git a/programs/pluto/rsaref/pkcs11f.h b/src/pluto/rsaref/pkcs11f.h
index dec6315dd..dec6315dd 100644
--- a/programs/pluto/rsaref/pkcs11f.h
+++ b/src/pluto/rsaref/pkcs11f.h
diff --git a/programs/pluto/rsaref/pkcs11t.h b/src/pluto/rsaref/pkcs11t.h
index 3da20b215..3da20b215 100644
--- a/programs/pluto/rsaref/pkcs11t.h
+++ b/src/pluto/rsaref/pkcs11t.h
diff --git a/programs/pluto/rsaref/unix.h b/src/pluto/rsaref/unix.h
index 2e7eb6663..2e7eb6663 100644
--- a/programs/pluto/rsaref/unix.h
+++ b/src/pluto/rsaref/unix.h
diff --git a/programs/pluto/server.c b/src/pluto/server.c
index 17b70eba4..1cc221515 100644
--- a/programs/pluto/server.c
+++ b/src/pluto/server.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: server.c,v 1.10 2007/01/29 08:27:19 as Exp $
+ * RCSID $Id: server.c,v 1.9 2005/09/09 14:15:35 as Exp $
*/
#include <stdio.h>
@@ -62,10 +62,7 @@
#include <pfkeyv2.h>
#include <pfkey.h>
#include "kameipsec.h"
-
-#ifdef NAT_TRAVERSAL
#include "nat_traversal.h"
-#endif
/*
* Server main loop and socket initialization routines.
@@ -658,13 +655,11 @@ add_entry:
if (fd < 0)
break;
-#ifdef NAT_TRAVERSAL
if (nat_traversal_support_non_ike
&& addrtypeof(&ifp->addr) == AF_INET)
{
nat_traversal_espinudp_socket(fd, ESPINUDP_WITH_NON_IKE);
}
-#endif
q = alloc_thing(struct iface, "struct iface");
q->rname = clone_str(ifp->name, "real device name");
@@ -676,7 +671,7 @@ add_entry:
interfaces = q;
plog("adding interface %s/%s %s:%d"
, q->vname, q->rname, ip_str(&q->addr), pluto_port);
-#ifdef NAT_TRAVERSAL
+
if (nat_traversal_support_port_floating
&& addrtypeof(&ifp->addr) == AF_INET)
{
@@ -698,7 +693,6 @@ add_entry:
plog("adding interface %s/%s %s:%d",
q->vname, q->rname, ip_str(&q->addr), NAT_T_IKE_FLOAT_PORT);
}
-#endif
break;
}
@@ -709,16 +703,17 @@ add_entry:
{
/* matches -- rejuvinate old entry */
q->change = IFN_KEEP;
-#ifdef NAT_TRAVERSAL
+
/* look for other interfaces to keep (due to NAT-T) */
- for (q = q->next ; q ; q = q->next) {
+ for (q = q->next ; q ; q = q->next)
+ {
if (streq(q->rname, ifp->name)
- && streq(q->vname, v->name)
- && sameaddr(&q->addr, &ifp->addr)) {
- q->change = IFN_KEEP;
+ && streq(q->vname, v->name)
+ && sameaddr(&q->addr, &ifp->addr))
+ {
+ q->change = IFN_KEEP;
}
}
-#endif
break;
}
diff --git a/programs/pluto/server.h b/src/pluto/server.h
index aa14d5aaa..d90e47c8f 100644
--- a/programs/pluto/server.h
+++ b/src/pluto/server.h
@@ -40,9 +40,7 @@ struct iface {
ip_address addr; /* interface IP address */
int fd; /* file descriptor of socket for IKE UDP messages */
struct iface *next;
-#ifdef NAT_TRAVERSAL
bool ike_float;
-#endif
enum { IFN_ADD, IFN_KEEP, IFN_DELETE } change;
};
diff --git a/programs/pluto/sha1.c b/src/pluto/sha1.c
index bbf062876..bbf062876 100644
--- a/programs/pluto/sha1.c
+++ b/src/pluto/sha1.c
diff --git a/programs/pluto/sha1.h b/src/pluto/sha1.h
index 64b3d2f5d..64b3d2f5d 100644
--- a/programs/pluto/sha1.h
+++ b/src/pluto/sha1.h
diff --git a/programs/pluto/smallprime.c b/src/pluto/smallprime.c
index 87497d096..87497d096 100644
--- a/programs/pluto/smallprime.c
+++ b/src/pluto/smallprime.c
diff --git a/programs/pluto/smartcard.c b/src/pluto/smartcard.c
index f1994f1cf..744f8a6f3 100644
--- a/programs/pluto/smartcard.c
+++ b/src/pluto/smartcard.c
@@ -30,7 +30,7 @@
#include <dlfcn.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
diff --git a/programs/pluto/smartcard.h b/src/pluto/smartcard.h
index c004ca7dd..c004ca7dd 100644
--- a/programs/pluto/smartcard.h
+++ b/src/pluto/smartcard.h
diff --git a/programs/pluto/spdb.c b/src/pluto/spdb.c
index ab976511e..996585135 100644
--- a/programs/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: spdb.c,v 1.10 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: spdb.c,v 1.9 2006/04/22 21:59:20 as Exp $
*/
#include <stdio.h>
@@ -23,7 +23,7 @@
#include <sys/queue.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
#include "defs.h"
@@ -35,23 +35,19 @@
#include "kernel.h"
#include "log.h"
#include "spdb.h"
-#include "whack.h" /* for RC_LOG_SERIOUS */
-
+#include "whack.h"
#include "sha1.h"
#include "md5.h"
#include "crypto.h" /* requires sha1.h and md5.h */
-
#include "alg_info.h"
#include "kernel_alg.h"
#include "ike_alg.h"
#include "db_ops.h"
+#include "nat_traversal.h"
+
#define AD(x) x, elemsof(x) /* Array Description */
#define AD_NULL NULL, 0
-#ifdef NAT_TRAVERSAL
-#include "nat_traversal.h"
-#endif
-
/**************** Oakely (main mode) SA database ****************/
/* array of proposals to be conjoined (can only be one for Oakley) */
@@ -524,7 +520,6 @@ out_sa(pb_stream *outs
if (p->protoid != PROTO_IPCOMP
|| st->st_policy & POLICY_TUNNEL)
{
-#ifdef NAT_TRAVERSAL
#ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
if ((st->nat_traversal & NAT_T_DETECTED)
&& !(st->st_policy & POLICY_TUNNEL))
@@ -537,22 +532,16 @@ out_sa(pb_stream *outs
"using Tunnel mode");
}
#endif
-#endif
out_attr(ENCAPSULATION_MODE
-#ifdef NAT_TRAVERSAL
#ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
- , NAT_T_ENCAPSULATION_MODE(st,st->st_policy)
+ , NAT_T_ENCAPSULATION_MODE(st, st->st_policy)
#else
/* If NAT-T is detected, use UDP_TUNNEL as long as Transport
* Mode has security concerns.
*
* User has been informed of that
*/
- , NAT_T_ENCAPSULATION_MODE(st,POLICY_TUNNEL)
-#endif
-#else /* ! NAT_TRAVERSAL */
- , st->st_policy & POLICY_TUNNEL
- ? ENCAPSULATION_MODE_TUNNEL : ENCAPSULATION_MODE_TRANSPORT
+ , NAT_T_ENCAPSULATION_MODE(st, POLICY_TUNNEL)
#endif
, attr_desc, attr_val_descs
, &trans_pbs);
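Review bot: With the non-NAT fallback removed, every build now takes the encapsulation mode from `NAT_T_ENCAPSULATION_MODE`, and the default branch passes `POLICY_TUNNEL` regardless of the connection's policy. That is only correct if the macro, defined outside this diff, falls back to `st->st_policy` when no NAT was detected; otherwise transport-mode connections without NAT would be proposed as tunnel mode, so this is worth confirming. The comment `User has been informed of that` also no longer says where. Once confirmed, I would extend it to something like `/* the warning is logged above; without NAT the macro uses st->st_policy */`. out_sa() starts and ends outside this hunk.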
@@ -1484,7 +1473,6 @@ parse_ipsec_transform(struct isakmp_transform *trans
break;
case ENCAPSULATION_MODE | ISAKMP_ATTR_AF_TV:
ipcomp_inappropriate = FALSE;
-#ifdef NAT_TRAVERSAL
switch (val)
{
case ENCAPSULATION_MODE_TUNNEL:
@@ -1569,9 +1557,6 @@ parse_ipsec_transform(struct isakmp_transform *trans
, "unknown ENCAPSULATION_MODE %d in IPSec SA", val);
return FALSE;
}
-#else
- attrs->encapsulation = val;
-#endif
break;
case AUTH_ALGORITHM | ISAKMP_ATTR_AF_TV:
attrs->auth = val;
diff --git a/programs/pluto/spdb.h b/src/pluto/spdb.h
index 6cb92f036..0df488841 100644
--- a/programs/pluto/spdb.h
+++ b/src/pluto/spdb.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: spdb.h,v 1.5 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: spdb.h,v 1.4 2006/04/22 21:59:20 as Exp $
*/
#ifndef _SPDB_H
diff --git a/programs/pluto/state.c b/src/pluto/state.c
index 8181c34b4..80c3156b1 100644
--- a/programs/pluto/state.c
+++ b/src/pluto/state.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: state.c,v 1.15 2006/10/20 15:02:23 as Exp $
+ * RCSID $Id: state.c,v 1.13 2006/04/29 18:16:02 as Exp $
*/
#include <stdio.h>
diff --git a/programs/pluto/state.h b/src/pluto/state.h
index d885d145d..d3a980564 100644
--- a/programs/pluto/state.h
+++ b/src/pluto/state.h
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: state.h,v 1.13 2007/01/10 00:36:19 as Exp $
+ * RCSID $Id: state.h,v 1.11 2006/03/08 22:12:37 as Exp $
*/
#include <sys/types.h>
@@ -201,7 +201,7 @@ struct state
unsigned int st_iv_len;
unsigned int st_new_iv_len;
unsigned int st_ph1_iv_len;
-
+
chunk_t st_enc_key; /* Oakley Encryption key */
struct event *st_event; /* backpointer for certain events */
@@ -219,10 +219,8 @@ struct state
bool status;
} st_xauth;
-#ifdef NAT_TRAVERSAL
u_int32_t nat_traversal;
ip_address nat_oa;
-#endif
/* RFC 3706 Dead Peer Detection */
bool st_dpd; /* Peer supports DPD */
diff --git a/programs/pluto/timer.c b/src/pluto/timer.c
index 4d9ef8fab..9d3f90ce3 100644
--- a/programs/pluto/timer.c
+++ b/src/pluto/timer.c
@@ -38,10 +38,7 @@
#include "rnd.h"
#include "timer.h"
#include "whack.h"
-
-#ifdef NAT_TRAVERSAL
#include "nat_traversal.h"
-#endif
/* monotonic version of time(3) */
time_t
@@ -427,11 +424,9 @@ handle_timer_event(void)
case EVENT_DPD_TIMEOUT:
dpd_timeout(st);
break;
-#ifdef NAT_TRAVERSAL
case EVENT_NAT_T_KEEPALIVE:
nat_traversal_ka_event();
break;
-#endif
default:
loglog(RC_LOG_SERIOUS, "INTERNAL ERROR: ignoring unknown expiring event %s"
, enum_show(&timer_event_names, type));
diff --git a/programs/pluto/timer.h b/src/pluto/timer.h
index 92464192c..92464192c 100644
--- a/programs/pluto/timer.h
+++ b/src/pluto/timer.h
diff --git a/programs/pluto/vendor.c b/src/pluto/vendor.c
index 6d1137c09..e888d5e16 100644
--- a/programs/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: vendor.c,v 1.46 2007/02/21 14:20:25 as Exp $
+ * RCSID $Id: vendor.c,v 1.35 2006/04/12 16:44:28 as Exp $
*/
#include <stdlib.h>
@@ -30,10 +30,7 @@
#include "whack.h"
#include "vendor.h"
#include "kernel.h"
-
-#ifdef NAT_TRAVERSAL
#include "nat_traversal.h"
-#endif
/**
* Unknown/Special VID:
@@ -198,19 +195,29 @@ static struct vid_struct _vid_tab[] = {
"\xc6\xf5\x7a\xc3\x98\xf4\x93\x20\x81\x45\xb7\x58", 12},
{ VID_NCP_CLIENT, VID_KEEP | VID_SUBSTRING_MATCH, NULL, "NCP Client",
"\xeb\x4c\x1b\x78\x8a\xfd\x4a\x9c\xb7\x73\x0a\x68", 12},
+
+ /*
+ * Windows Vista (and Longhorn?)
+ */
+ DEC_MD5_VID(VISTA_AUTHIP, "MS-Negotiation Discovery Capable")
+ DEC_MD5_VID(VISTA_AUTHIP2, "IKE CGA version 1")
+
/*
* strongSwan
*/
- DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
- DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
- DEC_MD5_VID(STRONGSWAN_4_0_2, "strongSwan 4.0.2")
- DEC_MD5_VID(STRONGSWAN_4_0_3, "strongSwan 4.0.3")
- DEC_MD5_VID(STRONGSWAN_4_0_4, "strongSwan 4.0.4")
- DEC_MD5_VID(STRONGSWAN_4_0_5, "strongSwan 4.0.5")
- DEC_MD5_VID(STRONGSWAN_4_0_6, "strongSwan 4.0.6")
+ DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.1")
+ DEC_MD5_VID(STRONGSWAN_4_1_0, "strongSwan 4.1.0")
DEC_MD5_VID(STRONGSWAN_4_0_7, "strongSwan 4.0.7")
+ DEC_MD5_VID(STRONGSWAN_4_0_6, "strongSwan 4.0.6")
+ DEC_MD5_VID(STRONGSWAN_4_0_5, "strongSwan 4.0.5")
+ DEC_MD5_VID(STRONGSWAN_4_0_4, "strongSwan 4.0.4")
+ DEC_MD5_VID(STRONGSWAN_4_0_3, "strongSwan 4.0.3")
+ DEC_MD5_VID(STRONGSWAN_4_0_2, "strongSwan 4.0.2")
+ DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
+ DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
- DEC_MD5_VID(STRONGSWAN, "strongSwan 2.8.3")
+ DEC_MD5_VID(STRONGSWAN_2_8_4, "strongSwan 2.8.4")
+ DEC_MD5_VID(STRONGSWAN_2_8_3, "strongSwan 2.8.3")
DEC_MD5_VID(STRONGSWAN_2_8_2, "strongSwan 2.8.2")
DEC_MD5_VID(STRONGSWAN_2_8_1, "strongSwan 2.8.1")
DEC_MD5_VID(STRONGSWAN_2_8_0, "strongSwan 2.8.0")
@@ -366,7 +373,7 @@ handle_known_vendorid (struct msg_digest *md
md->openpgp = TRUE;
vid_useful = TRUE;
break;
-#ifdef NAT_TRAVERSAL
+
/*
* Use most recent supported NAT-Traversal method and ignore the
* other ones (implementations will send all supported methods but
@@ -394,7 +401,7 @@ handle_known_vendorid (struct msg_digest *md
vid_useful = TRUE;
}
break;
-#endif
+
/* Remote side would like to do DPD with us on this connection */
case VID_MISC_DPD:
md->dpd = TRUE;
diff --git a/programs/pluto/vendor.h b/src/pluto/vendor.h
index 69d98cd38..8e0444f4d 100644
--- a/programs/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: vendor.h,v 1.41 2007/02/21 14:20:25 as Exp $
+ * RCSID $Id: vendor.h,v 1.30 2006/04/12 16:44:28 as Exp $
*/
#ifndef _VENDOR_H_
@@ -52,38 +52,43 @@ enum known_vendorid {
VID_OPENSWAN2 = 31,
VID_NCP_SERVER = 32,
VID_NCP_CLIENT = 33,
- VID_STRONGSWAN = 34,
- VID_STRONGSWAN_2_2_0 = 35,
- VID_STRONGSWAN_2_2_1 = 36,
- VID_STRONGSWAN_2_2_2 = 37,
- VID_STRONGSWAN_2_3_0 = 38,
- VID_STRONGSWAN_2_3_1 = 39,
- VID_STRONGSWAN_2_3_2 = 40,
- VID_STRONGSWAN_2_4_0 = 41,
- VID_STRONGSWAN_2_4_1 = 42,
- VID_STRONGSWAN_2_4_2 = 43,
- VID_STRONGSWAN_2_4_3 = 44,
- VID_STRONGSWAN_2_4_4 = 45,
- VID_STRONGSWAN_2_5_0 = 46,
- VID_STRONGSWAN_2_5_1 = 47,
- VID_STRONGSWAN_2_5_2 = 48,
- VID_STRONGSWAN_2_5_3 = 49,
- VID_STRONGSWAN_2_5_4 = 50,
- VID_STRONGSWAN_2_5_5 = 51,
- VID_STRONGSWAN_2_5_6 = 52,
- VID_STRONGSWAN_2_5_7 = 53,
- VID_STRONGSWAN_2_6_0 = 54,
- VID_STRONGSWAN_2_6_1 = 55,
- VID_STRONGSWAN_2_6_2 = 56,
- VID_STRONGSWAN_2_6_3 = 57,
- VID_STRONGSWAN_2_6_4 = 58,
- VID_STRONGSWAN_2_7_0 = 59,
- VID_STRONGSWAN_2_7_1 = 60,
- VID_STRONGSWAN_2_7_2 = 61,
- VID_STRONGSWAN_2_7_3 = 62,
- VID_STRONGSWAN_2_8_0 = 63,
- VID_STRONGSWAN_2_8_1 = 64,
- VID_STRONGSWAN_2_8_2 = 65,
+ VID_VISTA_AUTHIP = 34,
+ VID_VISTA_AUTHIP2 = 35,
+
+ VID_STRONGSWAN = 36,
+ VID_STRONGSWAN_2_2_0 = 37,
+ VID_STRONGSWAN_2_2_1 = 38,
+ VID_STRONGSWAN_2_2_2 = 39,
+ VID_STRONGSWAN_2_3_0 = 40,
+ VID_STRONGSWAN_2_3_1 = 41,
+ VID_STRONGSWAN_2_3_2 = 42,
+ VID_STRONGSWAN_2_4_0 = 43,
+ VID_STRONGSWAN_2_4_1 = 44,
+ VID_STRONGSWAN_2_4_2 = 45,
+ VID_STRONGSWAN_2_4_3 = 46,
+ VID_STRONGSWAN_2_4_4 = 47,
+ VID_STRONGSWAN_2_5_0 = 48,
+ VID_STRONGSWAN_2_5_1 = 49,
+ VID_STRONGSWAN_2_5_2 = 50,
+ VID_STRONGSWAN_2_5_3 = 51,
+ VID_STRONGSWAN_2_5_4 = 52,
+ VID_STRONGSWAN_2_5_5 = 53,
+ VID_STRONGSWAN_2_5_6 = 54,
+ VID_STRONGSWAN_2_5_7 = 55,
+ VID_STRONGSWAN_2_6_0 = 56,
+ VID_STRONGSWAN_2_6_1 = 57,
+ VID_STRONGSWAN_2_6_2 = 58,
+ VID_STRONGSWAN_2_6_3 = 59,
+ VID_STRONGSWAN_2_6_4 = 60,
+ VID_STRONGSWAN_2_7_0 = 61,
+ VID_STRONGSWAN_2_7_1 = 62,
+ VID_STRONGSWAN_2_7_2 = 63,
+ VID_STRONGSWAN_2_7_3 = 64,
+ VID_STRONGSWAN_2_8_0 = 65,
+ VID_STRONGSWAN_2_8_1 = 66,
+ VID_STRONGSWAN_2_8_2 = 67,
+ VID_STRONGSWAN_2_8_3 = 68,
+ VID_STRONGSWAN_2_8_4 = 69,
VID_STRONGSWAN_4_0_0 = 70,
VID_STRONGSWAN_4_0_1 = 71,
@@ -93,6 +98,7 @@ enum known_vendorid {
VID_STRONGSWAN_4_0_5 = 75,
VID_STRONGSWAN_4_0_6 = 76,
VID_STRONGSWAN_4_0_7 = 77,
+ VID_STRONGSWAN_4_1_0 = 78,
/* 101 - 200 : NAT-Traversal */
VID_NATT_STENBERG_01 =101,
diff --git a/programs/pluto/virtual.c b/src/pluto/virtual.c
index 58487c1e8..d1553364e 100644
--- a/programs/pluto/virtual.c
+++ b/src/pluto/virtual.c
@@ -14,8 +14,6 @@
* RCSID $Id: virtual.c,v 1.4 2004/04/02 10:38:52 as Exp $
*/
-#ifdef VIRTUAL_IP
-
#include <freeswan.h>
#include <stdlib.h>
@@ -334,5 +332,3 @@ is_virtual_net_allowed(const struct connection *c, const ip_subnet *peer_net,
return FALSE;
}
-#endif
-
diff --git a/programs/pluto/virtual.h b/src/pluto/virtual.h
index 2d5bf27ae..2d5bf27ae 100644
--- a/programs/pluto/virtual.h
+++ b/src/pluto/virtual.h
diff --git a/programs/pluto/x509.c b/src/pluto/x509.c
index c1b4cb6e3..2521244f7 100644
--- a/programs/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -26,7 +26,7 @@
#include <sys/types.h>
#include <freeswan.h>
-#include <freeswan/ipsec_policy.h>
+#include <ipsec_policy.h>
#include "constants.h"
#include "defs.h"
diff --git a/programs/pluto/x509.h b/src/pluto/x509.h
index d15b3da53..d15b3da53 100644
--- a/programs/pluto/x509.h
+++ b/src/pluto/x509.h
diff --git a/programs/pluto/xauth.c b/src/pluto/xauth.c
index c33ad9b3d..3d30ad227 100644
--- a/programs/pluto/xauth.c
+++ b/src/pluto/xauth.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: xauth.c,v 1.1 2007/01/11 21:48:41 as Exp $
+ * RCSID $Id: xauth.c,v 1.1 2005/01/06 22:10:15 as Exp $
*/
#include <dlfcn.h>
@@ -61,6 +61,7 @@ xauth_init(void)
void
xauth_finalize(void)
{
+#ifdef XAUTH_DEFAULT_LIB
if (xauth_module.handle != NULL)
{
if (dlclose(xauth_module.handle))
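Review bot: With the whole body of `xauth_finalize()` placed under `#ifdef XAUTH_DEFAULT_LIB` (the closing `#endif` is in the next hunk), a build without that macro never calls `dlclose()` on `xauth_module.handle`. That is safe only if `xauth_init()`, which is not visible here, is guarded by the same macro and cannot load a module otherwise. A comment such as `/* xauth_module.handle is only set when XAUTH_DEFAULT_LIB is defined, see xauth_init() */` would record that dependency for the next change to either function.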
@@ -74,4 +75,5 @@ xauth_finalize(void)
)
}
}
+#endif
}
diff --git a/programs/pluto/xauth.h b/src/pluto/xauth.h
index 371e443ef..1f06aefd9 100644
--- a/programs/pluto/xauth.h
+++ b/src/pluto/xauth.h
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: xauth.h,v 1.1 2007/01/11 21:48:41 as Exp $
+ * RCSID $Id: xauth.h,v 1.1 2005/01/06 22:10:15 as Exp $
*/
#ifndef _XAUTH_H
diff --git a/src/scepclient/Makefile.am b/src/scepclient/Makefile.am
new file mode 100644
index 000000000..a4de3bc58
--- /dev/null
+++ b/src/scepclient/Makefile.am
@@ -0,0 +1,103 @@
+ipsec_PROGRAMS = scepclient
+scepclient_SOURCES = rsakey.c rsakey.h pkcs10.c pkcs10.h scep.c scep.h scepclient.c
+
+INCLUDES = \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/pluto \
+-I$(top_srcdir)/src/whack \
+-I$(top_srcdir)/src/libcrypto
+
+AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\"
+scepclient_LDADD = asn1.o ca.o crl.o certs.o constants.o defs.o fetch.o id.o \
+ keys.o lex.o md2.o md5.o mp_defs.o ocsp.o oid.o pem.o pgp.o \
+ pkcs1.o pkcs7.o rnd.o sha1.o smartcard.o x509.o loglite.o \
+ $(top_srcdir)/src/libfreeswan/libfreeswan.a $(top_srcdir)/src/libcrypto/libcrypto.a \
+ -lgmp
+
+# This compile option activates dynamic URL fetching using libcurl
+if USE_LIBCURL
+ scepclient_LDADD += -lcurl
+endif
+
+# This compile option activates smartcard support
+if USE_SMARTCARD
+ scepclient_LDADD += -ldl
+endif
+
+dist_man_MANS = scepclient.8
+
+PLUTODIR=$(top_srcdir)/src/pluto
+OPENACDIR=$(top_srcdir)/src/openac
+
+
+loglite.o: $(OPENACDIR)/loglite.c $(PLUTODIR)/log.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+asn1.o : $(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+certs.o : $(PLUTODIR)/certs.c $(PLUTODIR)/certs.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+constants.o : $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+crl.o : $(PLUTODIR)/crl.c $(PLUTODIR)/crl.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+mp_defs.o : $(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+fetch.o : $(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+id.o : $(PLUTODIR)/id.c $(PLUTODIR)/id.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+keys.o : $(PLUTODIR)/keys.c $(PLUTODIR)/keys.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+md2.o : $(PLUTODIR)/md2.c $(PLUTODIR)/md2.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+md5.o : $(PLUTODIR)/md5.c $(PLUTODIR)/md5.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+oid.o : $(PLUTODIR)/oid.c $(PLUTODIR)/oid.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+pkcs7.o : $(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+rnd.o : $(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+sha1.o : $(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+smartcard.o : $(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+x509.o : $(PLUTODIR)/x509.c $(PLUTODIR)/x509.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
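Review bot: `AM_CFLAGS` hard-codes `-DDEBUG`, so every scepclient build compiles in the debug code paths of the pluto sources it reuses. For a tool that generates RSA keys (`rsakey.c`) and certificate requests, this is better controlled by a configure switch than enabled unconditionally. Separately, `scepclient_LDADD` looks for `libfreeswan.a` and `libcrypto.a` under `$(top_srcdir)`, but these are build outputs, so an out-of-tree build would not find them. The usual form is `$(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libcrypto/libcrypto.a`.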
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
new file mode 100644
index 000000000..b21b9bf05
--- /dev/null
+++ b/src/scepclient/Makefile.in
@@ -0,0 +1,630 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = scepclient$(EXEEXT)
+
+# This compile option activates dynamic URL fetching using libcurl
+@USE_LIBCURL_TRUE@am__append_1 = -lcurl
+
+# This compile option activates smartcard support
+@USE_SMARTCARD_TRUE@am__append_2 = -ldl
+subdir = src/scepclient
+DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
+ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(ipsec_PROGRAMS)
+am_scepclient_OBJECTS = rsakey.$(OBJEXT) pkcs10.$(OBJEXT) \
+ scep.$(OBJEXT) scepclient.$(OBJEXT)
+scepclient_OBJECTS = $(am_scepclient_OBJECTS)
+am__DEPENDENCIES_1 =
+scepclient_DEPENDENCIES = asn1.o ca.o crl.o certs.o constants.o defs.o \
+ fetch.o id.o keys.o lex.o md2.o md5.o mp_defs.o ocsp.o oid.o \
+ pem.o pgp.o pkcs1.o pkcs7.o rnd.o sha1.o smartcard.o x509.o \
+ loglite.o $(top_srcdir)/src/libfreeswan/libfreeswan.a \
+ $(top_srcdir)/src/libcrypto/libcrypto.a $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(srcdir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+SOURCES = $(scepclient_SOURCES)
+DIST_SOURCES = $(scepclient_SOURCES)
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(dist_man_MANS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+scepclient_SOURCES = rsakey.c rsakey.h pkcs10.c pkcs10.h scep.c scep.h scepclient.c
+INCLUDES = \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/pluto \
+-I$(top_srcdir)/src/whack \
+-I$(top_srcdir)/src/libcrypto
+
+AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\"
+scepclient_LDADD = asn1.o ca.o crl.o certs.o constants.o defs.o \
+ fetch.o id.o keys.o lex.o md2.o md5.o mp_defs.o ocsp.o oid.o \
+ pem.o pgp.o pkcs1.o pkcs7.o rnd.o sha1.o smartcard.o x509.o \
+ loglite.o $(top_srcdir)/src/libfreeswan/libfreeswan.a \
+ $(top_srcdir)/src/libcrypto/libcrypto.a -lgmp $(am__append_1) \
+ $(am__append_2)
+dist_man_MANS = scepclient.8
+PLUTODIR = $(top_srcdir)/src/pluto
+OPENACDIR = $(top_srcdir)/src/openac
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/scepclient/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/scepclient/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ if test -f $$p \
+ || test -f $$p1 \
+ ; then \
+ f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
+ else :; fi; \
+ done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
+ done
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f $$p $$f"; \
+ rm -f $$p $$f ; \
+ done
+scepclient$(EXEEXT): $(scepclient_OBJECTS) $(scepclient_DEPENDENCIES)
+ @rm -f scepclient$(EXEEXT)
+ $(LINK) $(scepclient_LDFLAGS) $(scepclient_OBJECTS) $(scepclient_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs10.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rsakey.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scep.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scepclient.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+install-man8: $(man8_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS) $(MANS)
+installdirs:
+ for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-libtool distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-man
+
+install-exec-am:
+
+install-info: install-info-am
+
+install-man: install-man8
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-info-am uninstall-ipsecPROGRAMS uninstall-man
+
+uninstall-man: uninstall-man8
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-ipsecPROGRAMS clean-libtool ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-exec \
+ install-exec-am install-info install-info-am \
+ install-ipsecPROGRAMS install-man install-man8 install-strip \
+ installcheck installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-info-am \
+ uninstall-ipsecPROGRAMS uninstall-man uninstall-man8
+
+
+loglite.o: $(OPENACDIR)/loglite.c $(PLUTODIR)/log.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+asn1.o : $(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+certs.o : $(PLUTODIR)/certs.c $(PLUTODIR)/certs.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+constants.o : $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+crl.o : $(PLUTODIR)/crl.c $(PLUTODIR)/crl.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+mp_defs.o : $(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+fetch.o : $(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+id.o : $(PLUTODIR)/id.c $(PLUTODIR)/id.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+keys.o : $(PLUTODIR)/keys.c $(PLUTODIR)/keys.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+md2.o : $(PLUTODIR)/md2.c $(PLUTODIR)/md2.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+md5.o : $(PLUTODIR)/md5.c $(PLUTODIR)/md5.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+oid.o : $(PLUTODIR)/oid.c $(PLUTODIR)/oid.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+pkcs7.o : $(PLUTODIR)/pkcs7.c $(PLUTODIR)/pkcs7.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+rnd.o : $(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+sha1.o : $(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+smartcard.o : $(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+
+x509.o : $(PLUTODIR)/x509.c $(PLUTODIR)/x509.h
+ $(COMPILE) $(INCLUDES) -c -o $@ $<
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/programs/scepclient/pkcs10.c b/src/scepclient/pkcs10.c
index de3f06e18..de3f06e18 100644
--- a/programs/scepclient/pkcs10.c
+++ b/src/scepclient/pkcs10.c
diff --git a/programs/scepclient/pkcs10.h b/src/scepclient/pkcs10.h
index c2a4c1b92..c2a4c1b92 100644
--- a/programs/scepclient/pkcs10.h
+++ b/src/scepclient/pkcs10.h
diff --git a/programs/scepclient/rsakey.c b/src/scepclient/rsakey.c
index c4f26b286..a7c6321f5 100644
--- a/programs/scepclient/rsakey.c
+++ b/src/scepclient/rsakey.c
@@ -47,8 +47,8 @@
/* Public exponent used for signature key generation */
#define PUBLIC_EXPONENT 0x10001
-#ifndef RANDOM_DEVICE
-#define RANDOM_DEVICE "/dev/random"
+#ifndef DEV_RANDOM
+#define DEV_RANDOM "/dev/random"
#endif
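Review bot: The fallback guard now keys on `DEV_RANDOM`, so a build that still passes `-DRANDOM_DEVICE=...` is silently ignored and falls back to `/dev/random`; nothing in the hunk says where `DEV_RANDOM` is expected to come from. This path appears to be the entropy source for key generation (get_true_random_bytes in the next hunk opens it), so the override deserves a comment above the guard, for example `/* Entropy source for key generation; override with -DDEV_RANDOM only with a device of equivalent quality */`. Whether configure or another header defines `DEV_RANDOM` is not visible here, so confirm against the build scripts.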
@@ -66,9 +66,9 @@ get_true_random_bytes(size_t nbytes, char *buf)
{
size_t ndone;
size_t got;
- char *device = RANDOM_DEVICE;
+ char *device = DEV_RANDOM;
- int dev = open(RANDOM_DEVICE, 0);
+ int dev = open(DEV_RANDOM, 0);
if (dev < 0)
{
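Review bot: `open(DEV_RANDOM, 0)` passes a bare `0` as the flags argument and repeats the macro even though `device` was assigned from it one line earlier. `int dev = open(device, O_RDONLY);` states the intent and keeps the path in one place, so a message that prints `device` cannot drift from the file actually opened; `device` could also be `const char *` since it points at a string literal. This assumes `<fcntl.h>` is already included. get_true_random_bytes starts above the hunk and continues below it, so the read loop and the `dev < 0` handling are not visible here.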
diff --git a/programs/scepclient/rsakey.h b/src/scepclient/rsakey.h
index 3e3156d81..3e3156d81 100644
--- a/programs/scepclient/rsakey.h
+++ b/src/scepclient/rsakey.h
diff --git a/programs/scepclient/scep.c b/src/scepclient/scep.c
index 577191787..577191787 100644
--- a/programs/scepclient/scep.c
+++ b/src/scepclient/scep.c
diff --git a/programs/scepclient/scep.h b/src/scepclient/scep.h
index 81e5d1a4b..81e5d1a4b 100644
--- a/programs/scepclient/scep.h
+++ b/src/scepclient/scep.h
diff --git a/programs/scepclient/scepclient.8 b/src/scepclient/scepclient.8
index 0d6364ef2..0d6364ef2 100644
--- a/programs/scepclient/scepclient.8
+++ b/src/scepclient/scepclient.8
diff --git a/programs/scepclient/scepclient.c b/src/scepclient/scepclient.c
index bde460844..bde460844 100644
--- a/programs/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
new file mode 100644
index 000000000..7d5a4b69a
--- /dev/null
+++ b/src/starter/Makefile.am
@@ -0,0 +1,37 @@
+ipsec_PROGRAMS = starter
+starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \
+starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
+starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
+keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
+exec.h invokecharon.h lex.yy.c
+
+INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
+AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG
+starter_LDADD = loglite.o defs.o $(top_srcdir)/src/libfreeswan/libfreeswan.a
+EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
+dist_man_MANS = ipsec.conf.5
+MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
+
+PLUTODIR=$(top_srcdir)/src/pluto
+OPENACDIR=$(top_srcdir)/src/openac
+
+lex.yy.c: y.tab.c parser.l parser.y parser.h
+ $(LEX) parser.l
+
+y.tab.c: parser.l parser.y parser.h
+ $(YACC) -v -d parser.y
+
+y.tab.h: parser.l parser.y parser.h
+ $(YACC) -v -d parser.y
+
+keywords.c: keywords.txt keywords.h
+ $(GPERF) -C -G -t < keywords.txt > keywords.c
+
+loglite.o: $(OPENACDIR)/loglite.c $(PLUTODIR)/log.h
+ $(COMPILE) -c -o $@ $<
+
+defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
+ $(COMPILE) -c -o $@ $<
+
+install-exec-local :
+ test -e "$(sysconfdir)/ipsec.conf" || $(INSTALL) ipsec.conf $(sysconfdir)/ipsec.conf
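Review bot: The `install-exec-local` recipe tests and writes `$(sysconfdir)/ipsec.conf` without `$(DESTDIR)`, so a staged install (for example a package build) checks and writes the live system path instead of the staging root. It also copies `ipsec.conf` from the current directory rather than `$(srcdir)`, leaves the destination unquoted, and relies on the default mode of `$(INSTALL)`, which is normally executable. I would write the recipe as `test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf "$(DESTDIR)$(sysconfdir)/ipsec.conf"`, preceded by `$(mkdir_p) "$(DESTDIR)$(sysconfdir)"` so the rule does not depend on the directory already existing.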
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
new file mode 100644
index 000000000..80410a205
--- /dev/null
+++ b/src/starter/Makefile.in
@@ -0,0 +1,581 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = starter$(EXEEXT)
+subdir = src/starter
+DIST_COMMON = README $(dist_man_MANS) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)"
+ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(ipsec_PROGRAMS)
+am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \
+ starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \
+ invokepluto.$(OBJEXT) confread.$(OBJEXT) interfaces.$(OBJEXT) \
+ args.$(OBJEXT) keywords.$(OBJEXT) cmp.$(OBJEXT) \
+ starter.$(OBJEXT) exec.$(OBJEXT) invokecharon.$(OBJEXT) \
+ lex.yy.$(OBJEXT)
+starter_OBJECTS = $(am_starter_OBJECTS)
+starter_DEPENDENCIES = loglite.o defs.o \
+ $(top_srcdir)/src/libfreeswan/libfreeswan.a
+DEFAULT_INCLUDES = -I. -I$(srcdir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+SOURCES = $(starter_SOURCES)
+DIST_SOURCES = $(starter_SOURCES)
+man5dir = $(mandir)/man5
+NROFF = nroff
+MANS = $(dist_man_MANS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+starter_SOURCES = y.tab.c netkey.c y.tab.h parser.h args.h netkey.h \
+starterwhack.c starterwhack.h starterstroke.c invokepluto.c confread.c \
+starterstroke.h interfaces.c invokepluto.h confread.h interfaces.h args.c \
+keywords.c files.h keywords.h cmp.c starter.c cmp.h exec.c invokecharon.c \
+exec.h invokecharon.h lex.yy.c
+
+INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto -I$(top_srcdir)/src/whack -I$(top_srcdir)/src/stroke
+AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" -DDEBUG
+starter_LDADD = loglite.o defs.o $(top_srcdir)/src/libfreeswan/libfreeswan.a
+EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
+dist_man_MANS = ipsec.conf.5
+MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
+PLUTODIR = $(top_srcdir)/src/pluto
+OPENACDIR = $(top_srcdir)/src/openac
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/starter/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/starter/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ if test -f $$p \
+ || test -f $$p1 \
+ ; then \
+ f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
+ else :; fi; \
+ done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
+ done
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f $$p $$f"; \
+ rm -f $$p $$f ; \
+ done
+starter$(EXEEXT): $(starter_OBJECTS) $(starter_DEPENDENCIES)
+ @rm -f starter$(EXEEXT)
+ $(LINK) $(starter_LDFLAGS) $(starter_OBJECTS) $(starter_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/args.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cmp.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/confread.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/exec.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/interfaces.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokecharon.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/invokepluto.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keywords.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lex.yy.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/netkey.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starter.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starterstroke.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/starterwhack.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/y.tab.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+install-man5: $(man5_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man5dir)" || $(mkdir_p) "$(DESTDIR)$(man5dir)"
+ @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.5*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 5*) ;; \
+ *) ext='5' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \
+ done
+uninstall-man5:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.5*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 5*) ;; \
+ *) ext='5' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS) $(MANS)
+installdirs:
+ for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+ -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-libtool distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-man
+
+install-exec-am: install-exec-local
+
+install-info: install-info-am
+
+install-man: install-man5
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-info-am uninstall-ipsecPROGRAMS uninstall-man
+
+uninstall-man: uninstall-man5
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-ipsecPROGRAMS clean-libtool ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-exec \
+ install-exec-am install-exec-local install-info \
+ install-info-am install-ipsecPROGRAMS install-man install-man5 \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags uninstall uninstall-am \
+ uninstall-info-am uninstall-ipsecPROGRAMS uninstall-man \
+ uninstall-man5
+
+
+lex.yy.c: y.tab.c parser.l parser.y parser.h
+ $(LEX) parser.l
+
+y.tab.c: parser.l parser.y parser.h
+ $(YACC) -v -d parser.y
+
+y.tab.h: parser.l parser.y parser.h
+ $(YACC) -v -d parser.y
+
+keywords.c: keywords.txt keywords.h
+ $(GPERF) -C -G -t < keywords.txt > keywords.c
+
+loglite.o: $(OPENACDIR)/loglite.c $(PLUTODIR)/log.h
+ $(COMPILE) -c -o $@ $<
+
+defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
+ $(COMPILE) -c -o $@ $<
+
+install-exec-local :
+ test -e "$(sysconfdir)/ipsec.conf" || $(INSTALL) ipsec.conf $(sysconfdir)/ipsec.conf
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/programs/starter/README b/src/starter/README
index 12a60a11d..12a60a11d 100644
--- a/programs/starter/README
+++ b/src/starter/README
diff --git a/programs/starter/args.c b/src/starter/args.c
index 9dece2dfb..82e957f59 100644
--- a/programs/starter/args.c
+++ b/src/starter/args.c
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: args.c,v 1.11 2007/01/11 21:27:27 as Exp $
+ * RCSID $Id: args.c,v 1.9 2006/04/17 10:32:36 as Exp $
*/
#include <stddef.h>
@@ -86,6 +86,8 @@ static const char *LST_packetdefault[] = {
static const char *LST_keyexchange[] = {
"ike",
+ "ikev1",
+ "ikev2",
NULL
};
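Review bot: The two new entries in `LST_keyexchange` sit after `"ike"`, so if an `ARG_ENUM` row stores the index of the matched string (the assignment code is not in this hunk), `ike` and `ikev1` parse to different values and every consumer has to treat both as IKEv1. Since this value presumably selects the protocol version that negotiates a connection, the order dependency deserves a comment above the list, e.g. `/* index order is significant: must match the key-exchange enum read by the consumers */`. The code that reads the stored value is outside this hunk, so whether `ike` is already handled as an alias cannot be confirmed from here.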
@@ -146,9 +148,12 @@ static const token_info_t token_info[] =
/* config setup keywords */
{ ARG_LST, offsetof(starter_config_t, setup.interfaces), NULL },
{ ARG_STR, offsetof(starter_config_t, setup.dumpdir), NULL },
+ { ARG_ENUM, offsetof(starter_config_t, setup.charonstart), LST_bool },
+ { ARG_ENUM, offsetof(starter_config_t, setup.plutostart), LST_bool },
- /* pluto keywords */
+ /* pluto/charon keywords */
{ ARG_LST, offsetof(starter_config_t, setup.plutodebug), LST_plutodebug },
+ { ARG_STR, offsetof(starter_config_t, setup.charondebug), NULL },
{ ARG_STR, offsetof(starter_config_t, setup.prepluto), NULL },
{ ARG_STR, offsetof(starter_config_t, setup.postpluto), NULL },
{ ARG_ENUM, offsetof(starter_config_t, setup.uniqueids), LST_bool },
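Review bot: The rows added to `token_info[]` here (`setup.charonstart`, `setup.plutostart`, `setup.charondebug`), and in the later hunks that add `setup.eapdir`, `KW_EAP`, `KW_REAUTH` and `ocspuri2`, carry no reference to the keyword token they belong to, so the table looks purely positional. If it is indexed by `kw_token_t`, a row placed one slot off from the enum order in `keywords.h` would make the parser store a config value through the wrong `offsetof` and argument type, which for an `ARG_STR` versus `ARG_ENUM` mix-up is a memory-safety problem rather than a cosmetic one. I would add `/* rows must stay in kw_token_t order, one per token; see keywords.h */` above the initializer and a startup check that the row count equals the number of tokens. The initializer begins and ends outside this hunk and the enum is not shown, so the ordering itself cannot be verified from here.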
@@ -160,6 +165,7 @@ static const token_info_t token_info[] =
{ ARG_ENUM, offsetof(starter_config_t, setup.nat_traversal), LST_bool },
{ ARG_TIME, offsetof(starter_config_t, setup.keep_alive), NULL },
{ ARG_STR, offsetof(starter_config_t, setup.virtual_private), NULL },
+ { ARG_STR, offsetof(starter_config_t, setup.eapdir), NULL },
{ ARG_STR, offsetof(starter_config_t, setup.pkcs11module), NULL },
{ ARG_ENUM, offsetof(starter_config_t, setup.pkcs11keepstate), LST_bool },
{ ARG_ENUM, offsetof(starter_config_t, setup.pkcs11proxy), LST_bool },
@@ -179,12 +185,14 @@ static const token_info_t token_info[] =
{ ARG_MISC, 0, NULL /* KW_COMPRESS */ },
{ ARG_MISC, 0, NULL /* KW_AUTH */ },
{ ARG_MISC, 0, NULL /* KW_AUTHBY */ },
+ { ARG_MISC, 0, NULL /* KW_EAP */ },
{ ARG_TIME, offsetof(starter_conn_t, sa_ike_life_seconds), NULL },
{ ARG_TIME, offsetof(starter_conn_t, sa_ipsec_life_seconds), NULL },
{ ARG_TIME, offsetof(starter_conn_t, sa_rekey_margin), NULL },
{ ARG_ULNG, offsetof(starter_conn_t, sa_keying_tries), NULL },
{ ARG_PCNT, offsetof(starter_conn_t, sa_rekey_fuzz), NULL },
{ ARG_MISC, 0, NULL /* KW_REKEY */ },
+ { ARG_MISC, 0, NULL /* KW_REAUTH */ },
{ ARG_STR, offsetof(starter_conn_t, ike), NULL },
{ ARG_STR, offsetof(starter_conn_t, esp), NULL },
{ ARG_STR, offsetof(starter_conn_t, pfsgroup), LST_pfsgroup },
@@ -203,6 +211,7 @@ static const token_info_t token_info[] =
{ ARG_STR, offsetof(starter_ca_t, crluri), NULL },
{ ARG_STR, offsetof(starter_ca_t, crluri2), NULL },
{ ARG_STR, offsetof(starter_ca_t, ocspuri), NULL },
+ { ARG_STR, offsetof(starter_ca_t, ocspuri2), NULL },
/* end keywords */
{ ARG_MISC, 0, NULL /* KW_HOST */ },
diff --git a/programs/starter/args.h b/src/starter/args.h
index 302e9bb7b..302e9bb7b 100644
--- a/programs/starter/args.h
+++ b/src/starter/args.h
diff --git a/programs/starter/cmp.c b/src/starter/cmp.c
index 9222bf58f..9222bf58f 100644
--- a/programs/starter/cmp.c
+++ b/src/starter/cmp.c
diff --git a/programs/starter/cmp.h b/src/starter/cmp.h
index ca355e9eb..ca355e9eb 100644
--- a/programs/starter/cmp.h
+++ b/src/starter/cmp.h
diff --git a/src/starter/confread.c b/src/starter/confread.c
new file mode 100644
index 000000000..e7a4789a9
--- /dev/null
+++ b/src/starter/confread.c
@@ -0,0 +1,936 @@
+/* strongSwan IPsec config file parser
+ * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: confread.c,v 1.37 2006/04/17 19:35:07 as Exp $
+ */
+
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#include <freeswan.h>
+
+#include "../pluto/constants.h"
+#include "../pluto/defs.h"
+#include "../pluto/log.h"
+
+#include "keywords.h"
+#include "parser.h"
+#include "confread.h"
+#include "args.h"
+#include "interfaces.h"
+
+/* strings containing a colon are interpreted as an IPv6 address */
+#define ip_version(string) (strchr(string, ':') != NULL)? AF_INET6 : AF_INET;
+
+static const char ike_defaults[] = "aes128-sha-modp2048";
+static const char esp_defaults[] = "aes128-sha1, 3des-md5";
+
+static const char firewall_defaults[] = "ipsec _updown iptables";
+
+static void default_values(starter_config_t *cfg)
+{
+ if (cfg == NULL)
+ return;
+
+ memset(cfg, 0, sizeof(struct starter_config));
+
+ /* is there enough space for all seen flags? */
+ assert(KW_SETUP_LAST - KW_SETUP_FIRST <
+ sizeof(cfg->setup.seen) * BITS_PER_BYTE);
+ assert(KW_CONN_LAST - KW_CONN_FIRST <
+ sizeof(cfg->conn_default.seen) * BITS_PER_BYTE);
+ assert(KW_END_LAST - KW_END_FIRST <
+ sizeof(cfg->conn_default.right.seen) * BITS_PER_BYTE);
+ assert(KW_CA_LAST - KW_CA_FIRST <
+ sizeof(cfg->ca_default.seen) * BITS_PER_BYTE);
+
+ cfg->setup.seen = LEMPTY;
+ cfg->setup.fragicmp = TRUE;
+ cfg->setup.hidetos = TRUE;
+ cfg->setup.uniqueids = TRUE;
+ cfg->setup.interfaces = new_list("%defaultroute");
+ cfg->setup.charonstart = TRUE;
+ cfg->setup.plutostart = TRUE;
+
+ cfg->conn_default.seen = LEMPTY;
+ cfg->conn_default.startup = STARTUP_NO;
+ cfg->conn_default.state = STATE_IGNORE;
+ cfg->conn_default.policy = POLICY_ENCRYPT | POLICY_TUNNEL | POLICY_RSASIG | POLICY_PFS ;
+
+ cfg->conn_default.ike = clone_str(ike_defaults, "ike_defaults");
+ cfg->conn_default.esp = clone_str(esp_defaults, "esp_defaults");
+ cfg->conn_default.sa_ike_life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;
+ cfg->conn_default.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT;
+ cfg->conn_default.sa_rekey_margin = SA_REPLACEMENT_MARGIN_DEFAULT;
+ cfg->conn_default.sa_rekey_fuzz = SA_REPLACEMENT_FUZZ_DEFAULT;
+ cfg->conn_default.sa_keying_tries = SA_REPLACEMENT_RETRIES_DEFAULT;
+ cfg->conn_default.addr_family = AF_INET;
+ cfg->conn_default.tunnel_addr_family = AF_INET;
+
+ cfg->conn_default.left.seen = LEMPTY;
+ cfg->conn_default.right.seen = LEMPTY;
+
+ cfg->conn_default.left.sendcert = CERT_SEND_IF_ASKED;
+ cfg->conn_default.right.sendcert = CERT_SEND_IF_ASKED;
+
+ anyaddr(AF_INET, &cfg->conn_default.left.addr);
+ anyaddr(AF_INET, &cfg->conn_default.left.nexthop);
+ anyaddr(AF_INET, &cfg->conn_default.left.srcip);
+ anyaddr(AF_INET, &cfg->conn_default.right.addr);
+ anyaddr(AF_INET, &cfg->conn_default.right.nexthop);
+ anyaddr(AF_INET, &cfg->conn_default.right.srcip);
+
+ cfg->ca_default.seen = LEMPTY;
+}
+
+#define KW_POLICY_FLAG(sy, sn, fl) \
+ if (streq(kw->value, sy)) { conn->policy |= fl; } \
+ else if (streq(kw->value, sn)) { conn->policy &= ~fl; } \
+ else { plog("# bad policy value: %s=%s", kw->entry->name, kw->value); cfg->err++; }
+
+static void
+load_setup(starter_config_t *cfg, config_parsed_t *cfgp)
+{
+ kw_list_t *kw;
+
+ DBG(DBG_CONTROL,
+ DBG_log("Loading config setup")
+ )
+
+ for (kw = cfgp->config_setup; kw; kw = kw->next)
+ {
+ bool assigned = FALSE;
+
+ kw_token_t token = kw->entry->token;
+
+ if (token < KW_SETUP_FIRST || token > KW_SETUP_LAST)
+ {
+ plog("# unsupported keyword '%s' in config setup", kw->entry->name);
+ cfg->err++;
+ continue;
+ }
+
+ if (!assign_arg(token, KW_SETUP_FIRST, kw, (char *)cfg, &assigned))
+ {
+ plog(" bad argument value in config setup");
+ cfg->err++;
+ continue;
+ }
+ }
+}
+
+static void
+kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token
+ , kw_list_t *kw, char *conn_name, starter_config_t *cfg)
+{
+ err_t ugh = NULL;
+ bool assigned = FALSE;
+ int has_port_wildcard; /* set if port is %any */
+
+ char *name = kw->entry->name;
+ char *value = kw->value;
+
+ if (!assign_arg(token, KW_END_FIRST, kw, (char *)end, &assigned))
+ goto err;
+
+ if (token == KW_SENDCERT)
+ {
+ if (end->sendcert == CERT_YES_SEND)
+ end->sendcert = CERT_ALWAYS_SEND;
+ else if (end->sendcert == CERT_NO_SEND)
+ end->sendcert = CERT_NEVER_SEND;
+ }
+
+ if (assigned)
+ return;
+
+ switch (token)
+ {
+ case KW_HOST:
+ if (streq(value, "%defaultroute"))
+ {
+ if (cfg->defaultroute.defined)
+ {
+ end->addr = cfg->defaultroute.addr;
+ end->nexthop = cfg->defaultroute.nexthop;
+ }
+ else
+ {
+ plog("# default route not known: %s=%s", name, value);
+ goto err;
+ }
+ }
+ else if (streq(value, "%any"))
+ {
+ anyaddr(conn->addr_family, &end->addr);
+ }
+ else if (streq(value, "%any6"))
+ {
+ conn->addr_family = AF_INET6;
+ anyaddr(conn->addr_family, &end->addr);
+ }
+ else
+ {
+ conn->addr_family = ip_version(value);
+ ugh = ttoaddr(value, 0, conn->addr_family, &end->addr);
+ if (ugh != NULL)
+ {
+ plog("# bad addr: %s=%s [%s]", name, value, ugh);
+ goto err;
+ }
+ }
+ break;
+ case KW_NEXTHOP:
+ if (streq(value, "%defaultroute"))
+ {
+ if (cfg->defaultroute.defined)
+ end->nexthop = cfg->defaultroute.nexthop;
+ else
+ {
+ plog("# default route not known: %s=%s", name, value);
+ goto err;
+ }
+ }
+ else if (streq(value, "%direct"))
+ {
+ ugh = anyaddr(conn->addr_family, &end->nexthop);
+ }
+ else
+ {
+ conn->addr_family = ip_version(value);
+ ugh = ttoaddr(value, 0, conn->addr_family, &end->nexthop);
+ }
+ if (ugh != NULL)
+ {
+ plog("# bad addr: %s=%s [%s]", name, value, ugh);
+ goto err;
+ }
+ break;
+ case KW_SUBNET:
+ if ((strlen(value) >= 6 && strncmp(value,"vhost:",6) == 0)
+ || (strlen(value) >= 5 && strncmp(value,"vnet:",5) == 0))
+ {
+ end->virt = clone_str(value, "virt");
+ }
+ else
+ {
+ end->has_client = TRUE;
+ conn->tunnel_addr_family = ip_version(value);
+ ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet);
+ if (ugh != NULL)
+ {
+ plog("# bad subnet: %s=%s [%s]", name, value, ugh);
+ goto err;
+ }
+ }
+ break;
+ case KW_SUBNETWITHIN:
+ end->has_client = TRUE;
+ end->has_client_wildcard = TRUE;
+ conn->tunnel_addr_family = ip_version(value);
+ ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &end->subnet);
+ break;
+ case KW_PROTOPORT:
+ ugh = ttoprotoport(value, 0, &end->protocol, &end->port, &has_port_wildcard);
+ end->has_port_wildcard = has_port_wildcard;
+ break;
+ case KW_SOURCEIP:
+ if (end->has_natip)
+ {
+ plog("# natip and sourceip cannot be defined at the same time");
+ goto err;
+ }
+ if (streq(value, "%modeconfig") || streq(value, "%modecfg") ||
+ streq(value, "%config") || streq(value, "%cfg"))
+ {
+ end->modecfg = TRUE;
+ }
+ else
+ {
+ conn->tunnel_addr_family = ip_version(value);
+ ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
+ if (ugh != NULL)
+ {
+ plog("# bad addr: %s=%s [%s]", name, value, ugh);
+ goto err;
+ }
+ end->has_srcip = TRUE;
+ }
+ conn->policy |= POLICY_TUNNEL;
+ break;
+ case KW_NATIP:
+ if (end->has_srcip)
+ {
+ plog("# natip and sourceip cannot be defined at the same time");
+ goto err;
+ }
+ if (streq(value, "%defaultroute"))
+ {
+ if (cfg->defaultroute.defined)
+ {
+ end->srcip = cfg->defaultroute.addr;
+ }
+ else
+ {
+ plog("# default route not known: %s=%s", name, value);
+ goto err;
+ }
+ }
+ else
+ {
+ conn->tunnel_addr_family = ip_version(value);
+ ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip);
+ if (ugh != NULL)
+ {
+ plog("# bad addr: %s=%s [%s]", name, value, ugh);
+ goto err;
+ }
+ }
+ end->has_natip = TRUE;
+ conn->policy |= POLICY_TUNNEL;
+ break;
+ default:
+ break;
+ }
+ return;
+
+err:
+ plog(" bad argument value in conn '%s'", conn_name);
+ cfg->err++;
+}
+
+/*
+ * handles left|rightfirewall and left|rightupdown parameters
+ */
+static void
+handle_firewall( const char *label, starter_end_t *end, starter_config_t *cfg)
+{
+ if (end->firewall && (end->seen & LELEM(KW_FIREWALL - KW_END_FIRST)))
+ {
+ if (end->updown != NULL)
+ {
+ plog("# cannot have both %sfirewall and %supdown", label, label);
+ cfg->err++;
+ }
+ else
+ {
+ end->updown = clone_str(firewall_defaults, "firewall_defaults");
+ end->firewall = FALSE;
+ }
+ }
+}
+
+/*
+ * parse a conn section
+ */
+static void
+load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg)
+{
+ char *conn_name = (conn->name == NULL)? "%default":conn->name;
+
+ for ( ; kw; kw = kw->next)
+ {
+ bool assigned = FALSE;
+
+ kw_token_t token = kw->entry->token;
+
+ if (token >= KW_LEFT_FIRST && token <= KW_LEFT_LAST)
+ {
+ kw_end(conn, &conn->left, token - KW_LEFT_FIRST + KW_END_FIRST
+ , kw, conn_name, cfg);
+ continue;
+ }
+ else if (token >= KW_RIGHT_FIRST && token <= KW_RIGHT_LAST)
+ {
+ kw_end(conn, &conn->right, token - KW_RIGHT_FIRST + KW_END_FIRST
+ , kw, conn_name, cfg);
+ continue;
+ }
+
+ if (token == KW_AUTO)
+ {
+ token = KW_CONN_SETUP;
+ }
+ else if (token == KW_ALSO)
+ {
+ if (cfg->parse_also)
+ {
+ also_t *also = alloc_thing(also_t, "also_t");
+
+ also->name = clone_str(kw->value, "also");
+ also->next = conn->also;
+ conn->also = also;
+
+ DBG(DBG_CONTROL,
+ DBG_log(" also=%s", kw->value)
+ )
+ }
+ continue;
+ }
+
+ if (token < KW_CONN_FIRST || token > KW_CONN_LAST)
+ {
+ plog("# unsupported keyword '%s' in conn '%s'"
+ , kw->entry->name, conn_name);
+ cfg->err++;
+ continue;
+ }
+
+ if (!assign_arg(token, KW_CONN_FIRST, kw, (char *)conn, &assigned))
+ {
+ plog(" bad argument value in conn '%s'", conn_name);
+ cfg->err++;
+ continue;
+ }
+
+ if (assigned)
+ continue;
+
+ switch (token)
+ {
+ case KW_TYPE:
+ conn->policy &= ~(POLICY_TUNNEL | POLICY_SHUNT_MASK);
+ if (streq(kw->value, "tunnel"))
+ conn->policy |= POLICY_TUNNEL;
+ else if (streq(kw->value, "beet"))
+ conn->policy |= POLICY_BEET;
+ else if (streq(kw->value, "passthrough") || streq(kw->value, "pass"))
+ conn->policy |= POLICY_SHUNT_PASS;
+ else if (streq(kw->value, "drop"))
+ conn->policy |= POLICY_SHUNT_DROP;
+ else if (streq(kw->value, "reject"))
+ conn->policy |= POLICY_SHUNT_REJECT;
+ else if (strcmp(kw->value, "transport") != 0)
+ {
+ plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
+ cfg->err++;
+ }
+ break;
+ case KW_PFS:
+ KW_POLICY_FLAG("yes", "no", POLICY_PFS)
+ break;
+ case KW_COMPRESS:
+ KW_POLICY_FLAG("yes", "no", POLICY_COMPRESS)
+ break;
+ case KW_AUTH:
+ KW_POLICY_FLAG("ah", "esp", POLICY_AUTHENTICATE)
+ break;
+ case KW_AUTHBY:
+ conn->policy &= ~(POLICY_ID_AUTH_MASK | POLICY_ENCRYPT);
+
+ if (!(streq(kw->value, "never") || streq(kw->value, "eap")))
+ {
+ char *value = kw->value;
+ char *second = strchr(kw->value, '|');
+
+ if (second != NULL)
+ *second = '\0';
+
+ /* also handles the cases secret|rsasig and rsasig|secret */
+ for (;;)
+ {
+ if (streq(value, "rsasig"))
+ conn->policy |= POLICY_RSASIG | POLICY_ENCRYPT;
+ else if (streq(value, "secret") || streq(value, "psk"))
+ conn->policy |= POLICY_PSK | POLICY_ENCRYPT;
+ else if (streq(value, "xauthrsasig"))
+ conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
+ else if (streq(value, "xauthpsk"))
+ conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT;
+ else
+ {
+ plog("# bad policy value: %s=%s", kw->entry->name, kw->value);
+ cfg->err++;
+ break;
+ }
+ if (second == NULL)
+ break;
+ value = second;
+ second = NULL; /* traverse the loop no more than twice */
+ }
+ }
+ break;
+ case KW_EAP:
+ /* TODO: a gperf function for all EAP types */
+ if (streq(kw->value, "aka"))
+ conn->eap = 23;
+ else if (streq(kw->value, "sim"))
+ {
+ conn->eap = 18;
+
+ }
+ else
+ {
+ conn->eap = atoi(kw->value);
+ if (conn->eap == 0)
+ {
+ plog("# unknown EAP type: %s=%s", kw->entry->name, kw->value);
+ cfg->err++;
+ }
+ }
+ break;
+ case KW_REKEY:
+ KW_POLICY_FLAG("no", "yes", POLICY_DONT_REKEY)
+ break;
+ case KW_REAUTH:
+ KW_POLICY_FLAG("no", "yes", POLICY_DONT_REAUTH)
+ break;
+ case KW_MODECONFIG:
+ KW_POLICY_FLAG("push", "pull", POLICY_MODECFG_PUSH)
+ break;
+ case KW_XAUTH:
+ KW_POLICY_FLAG("server", "client", POLICY_XAUTH_SERVER)
+ break;
+ default:
+ break;
+ }
+ }
+ handle_firewall("left", &conn->left, cfg);
+ handle_firewall("right", &conn->right, cfg);
+}
+
+/*
+ * initialize a conn object with the default conn
+ */
+static void
+conn_default(char *name, starter_conn_t *conn, starter_conn_t *def)
+{
+ memcpy(conn, def, sizeof(starter_conn_t));
+ conn->name = clone_str(name, "conn name");
+
+ clone_args(KW_CONN_FIRST, KW_CONN_LAST, (char *)conn, (char *)def);
+ clone_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left, (char *)&def->left);
+ clone_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->right, (char *)&def->right);
+}
+
+/*
+ * parse a ca section
+ */
+static void
+load_ca(starter_ca_t *ca, kw_list_t *kw, starter_config_t *cfg)
+{
+ char *ca_name = (ca->name == NULL)? "%default":ca->name;
+
+ for ( ; kw; kw = kw->next)
+ {
+ bool assigned = FALSE;
+
+ kw_token_t token = kw->entry->token;
+
+ if (token == KW_AUTO)
+ {
+ token = KW_CA_SETUP;
+ }
+ else if (token == KW_ALSO)
+ {
+ if (cfg->parse_also)
+ {
+ also_t *also = alloc_thing(also_t, "also_t");
+
+ also->name = clone_str(kw->value, "also");
+ also->next = ca->also;
+ ca->also = also;
+
+ DBG(DBG_CONTROL,
+ DBG_log(" also=%s", kw->value)
+ )
+ }
+ continue;
+ }
+
+ if (token < KW_CA_FIRST || token > KW_CA_LAST)
+ {
+ plog("# unsupported keyword '%s' in ca '%s'", kw->entry->name, ca_name);
+ cfg->err++;
+ continue;
+ }
+
+ if (!assign_arg(token, KW_CA_FIRST, kw, (char *)ca, &assigned))
+ {
+ plog(" bad argument value in ca '%s'", ca_name);
+ cfg->err++;
+ }
+ }
+
+ /* treat 'route' and 'start' as 'add' */
+ if (ca->startup != STARTUP_NO)
+ ca->startup = STARTUP_ADD;
+}
+
+/*
+ * initialize a ca object with the default ca
+ */
+static void
+ca_default(char *name, starter_ca_t *ca, starter_ca_t *def)
+{
+ memcpy(ca, def, sizeof(starter_ca_t));
+ ca->name = clone_str(name, "ca name");
+
+ clone_args(KW_CA_FIRST, KW_CA_LAST, (char *)ca, (char *)def);
+}
+
+static kw_list_t*
+find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg);
+
+static void
+load_also_conns(starter_conn_t *conn, also_t *also, starter_config_t *cfg)
+{
+ while (also != NULL)
+ {
+ kw_list_t *kw = find_also_conn(also->name, conn, cfg);
+
+ if (kw == NULL)
+ {
+ plog(" conn '%s' cannot include '%s'", conn->name, also->name);
+ }
+ else
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("conn '%s' includes '%s'", conn->name, also->name)
+ )
+ /* only load if no error occurred in the first round */
+ if (cfg->err == 0)
+ load_conn(conn, kw, cfg);
+ }
+ also = also->next;
+ }
+}
+
+/*
+ * find a conn included by also
+ */
+static kw_list_t*
+find_also_conn(const char* name, starter_conn_t *conn, starter_config_t *cfg)
+{
+ starter_conn_t *c = cfg->conn_first;
+
+ while (c != NULL)
+ {
+ if (streq(name, c->name))
+ {
+ if (conn->visit == c->visit)
+ {
+ plog("# detected also loop");
+ cfg->err++;
+ return NULL;
+ }
+ c->visit = conn->visit;
+ load_also_conns(conn, c->also, cfg);
+ return c->kw;
+ }
+ c = c->next;
+ }
+
+ plog("# also '%s' not found", name);
+ cfg->err++;
+ return NULL;
+}
+
+static kw_list_t*
+find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg);
+
+static void
+load_also_cas(starter_ca_t *ca, also_t *also, starter_config_t *cfg)
+{
+ while (also != NULL)
+ {
+ kw_list_t *kw = find_also_ca(also->name, ca, cfg);
+
+ if (kw == NULL)
+ {
+ plog(" ca '%s' cannot include '%s'", ca->name, also->name);
+ }
+ else
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("ca '%s' includes '%s'", ca->name, also->name)
+ )
+ /* only load if no error occurred in the first round */
+ if (cfg->err == 0)
+ load_ca(ca, kw, cfg);
+ }
+ also = also->next;
+ }
+}
+
+/*
+ * find a ca included by also
+ */
+static kw_list_t*
+find_also_ca(const char* name, starter_ca_t *ca, starter_config_t *cfg)
+{
+ starter_ca_t *c = cfg->ca_first;
+
+ while (c != NULL)
+ {
+ if (streq(name, c->name))
+ {
+ if (ca->visit == c->visit)
+ {
+ plog("# detected also loop");
+ cfg->err++;
+ return NULL;
+ }
+ c->visit = ca->visit;
+ load_also_cas(ca, c->also, cfg);
+ return c->kw;
+ }
+ c = c->next;
+ }
+
+ plog("# also '%s' not found", name);
+ cfg->err++;
+ return NULL;
+}
+
+
+
+/*
+ * load and parse an IPsec configuration file
+ */
+starter_config_t *
+confread_load(const char *file)
+{
+ starter_config_t *cfg = NULL;
+ config_parsed_t *cfgp;
+ section_list_t *sconn, *sca;
+ starter_conn_t *conn;
+ starter_ca_t *ca;
+
+ u_int visit = 0;
+
+ /* load IPSec configuration file */
+ cfgp = parser_load_conf(file);
+ if (!cfgp)
+ return NULL;
+
+ cfg = (starter_config_t *)alloc_thing(starter_config_t, "starter_config_t");
+
+ /* set default values */
+ default_values(cfg);
+
+ /* determine default route */
+ get_defaultroute(&cfg->defaultroute);
+
+ /* load config setup section */
+ load_setup(cfg, cfgp);
+
+ /* in the first round parse also statements */
+ cfg->parse_also = TRUE;
+
+ /* find %default ca section */
+ for (sca = cfgp->ca_first; sca; sca = sca->next)
+ {
+ if (streq(sca->name, "%default"))
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("Loading ca %%default")
+ )
+ load_ca(&cfg->ca_default, sca->kw, cfg);
+ }
+ }
+
+ /* parameters defined in ca %default sections can be overloads */
+ cfg->ca_default.seen = LEMPTY;
+
+ /* load other ca sections */
+ for (sca = cfgp->ca_first; sca; sca = sca->next)
+ {
+ /* skip %default ca section */
+ if (streq(sca->name, "%default"))
+ continue;
+
+ DBG(DBG_CONTROL,
+ DBG_log("Loading ca '%s'", sca->name)
+ )
+ ca = (starter_ca_t *)alloc_thing(starter_ca_t, "starter_ca_t");
+
+ ca_default(sca->name, ca, &cfg->ca_default);
+ ca->kw = sca->kw;
+ ca->next = NULL;
+
+ if (cfg->ca_last)
+ cfg->ca_last->next = ca;
+ cfg->ca_last = ca;
+ if (!cfg->ca_first)
+ cfg->ca_first = ca;
+
+ load_ca(ca, ca->kw, cfg);
+ }
+
+ for (ca = cfg->ca_first; ca; ca = ca->next)
+ {
+ also_t *also = ca->also;
+
+ while (also != NULL)
+ {
+ kw_list_t *kw = find_also_ca(also->name, cfg->ca_first, cfg);
+
+ load_ca(ca, kw, cfg);
+ also = also->next;
+ }
+
+ if (ca->startup != STARTUP_NO)
+ ca->state = STATE_TO_ADD;
+ }
+
+ /* find %default conn sections */
+ for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
+ {
+ if (streq(sconn->name, "%default"))
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("Loading conn %%default")
+ )
+ load_conn(&cfg->conn_default, sconn->kw, cfg);
+ }
+ }
+
+ /* parameter defined in conn %default sections can be overloaded */
+ cfg->conn_default.seen = LEMPTY;
+ cfg->conn_default.right.seen = LEMPTY;
+ cfg->conn_default.left.seen = LEMPTY;
+
+ /* load other conn sections */
+ for (sconn = cfgp->conn_first; sconn; sconn = sconn->next)
+ {
+ /* skip %default conn section */
+ if (streq(sconn->name, "%default"))
+ continue;
+
+ DBG(DBG_CONTROL,
+ DBG_log("Loading conn '%s'", sconn->name)
+ )
+ conn = (starter_conn_t *)alloc_thing(starter_conn_t, "starter_conn_t");
+
+ conn_default(sconn->name, conn, &cfg->conn_default);
+ conn->kw = sconn->kw;
+ conn->next = NULL;
+
+ if (cfg->conn_last)
+ cfg->conn_last->next = conn;
+ cfg->conn_last = conn;
+ if (!cfg->conn_first)
+ cfg->conn_first = conn;
+
+ load_conn(conn, conn->kw, cfg);
+ }
+
+ /* in the second round do not parse also statements */
+ cfg->parse_also = FALSE;
+
+ for (ca = cfg->ca_first; ca; ca = ca->next)
+ {
+ ca->visit = ++visit;
+ load_also_cas(ca, ca->also, cfg);
+
+ if (ca->startup != STARTUP_NO)
+ ca->state = STATE_TO_ADD;
+ }
+
+ for (conn = cfg->conn_first; conn; conn = conn->next)
+ {
+ conn->visit = ++visit;
+ load_also_conns(conn, conn->also, cfg);
+
+ if (conn->startup != STARTUP_NO)
+ conn->state = STATE_TO_ADD;
+ }
+
+ parser_free_conf(cfgp);
+
+ if (cfg->err)
+ {
+ plog("### %d parsing error%s ###", cfg->err, (cfg->err > 1)?"s":"");
+ confread_free(cfg);
+ cfg = NULL;
+ }
+
+ return cfg;
+}
+
+/*
+ * free the memory used by also_t objects
+ */
+static void
+free_also(also_t *head)
+{
+ while (head != NULL)
+ {
+ also_t *also = head;
+
+ head = also->next;
+ pfree(also->name);
+ pfree(also);
+ }
+}
+
+/*
+ * free the memory used by a starter_conn_t object
+ */
+static void
+confread_free_conn(starter_conn_t *conn)
+{
+ free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->left);
+ free_args(KW_END_FIRST, KW_END_LAST, (char *)&conn->right);
+ free_args(KW_CONN_NAME, KW_CONN_LAST, (char *)conn);
+ free_also(conn->also);
+}
+
+/*
+ * free the memory used by a starter_ca_t object
+ */
+static void
+confread_free_ca(starter_ca_t *ca)
+{
+ free_args(KW_CA_NAME, KW_CA_LAST, (char *)ca);
+ free_also(ca->also);
+}
+
+/*
+ * free the memory used by a starter_config_t object
+ */
+void
+confread_free(starter_config_t *cfg)
+{
+ starter_conn_t *conn = cfg->conn_first;
+ starter_ca_t *ca = cfg->ca_first;
+
+ free_args(KW_SETUP_FIRST, KW_SETUP_LAST, (char *)cfg);
+
+ confread_free_conn(&cfg->conn_default);
+
+ while (conn != NULL)
+ {
+ starter_conn_t *conn_aux = conn;
+
+ conn = conn->next;
+ confread_free_conn(conn_aux);
+ pfree(conn_aux);
+ }
+
+ confread_free_ca(&cfg->ca_default);
+
+ while (ca != NULL)
+ {
+ starter_ca_t *ca_aux = ca;
+
+ ca = ca->next;
+ confread_free_ca(ca_aux);
+ pfree(ca_aux);
+ }
+
+ pfree(cfg);
+}
diff --git a/programs/starter/confread.h b/src/starter/confread.h
index 052f5d527..e0de68376 100644
--- a/programs/starter/confread.h
+++ b/src/starter/confread.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: confread.h,v 1.24 2006/10/19 15:01:05 as Exp $
+ * RCSID $Id: confread.h,v 1.23 2006/04/17 10:32:36 as Exp $
*/
#ifndef _IPSEC_CONFREAD_H_
@@ -40,6 +40,12 @@ typedef enum {
STATE_INVALID
} starter_state_t;
+typedef enum {
+ KEY_EXCHANGE_IKE,
+ KEY_EXCHANGE_IKEV1,
+ KEY_EXCHANGE_IKEV2
+} keyexchange_t;
+
typedef struct starter_end starter_end_t;
struct starter_end {
@@ -66,9 +72,7 @@ struct starter_end {
char *updown;
u_int16_t port;
u_int8_t protocol;
-#ifdef VIRTUAL_IP
char *virt;
-#endif
};
typedef struct also also_t;
@@ -90,7 +94,8 @@ struct starter_conn {
startup_t startup;
starter_state_t state;
- int keyexchange;
+ keyexchange_t keyexchange;
+ int eap;
lset_t policy;
time_t sa_ike_life_seconds;
time_t sa_ipsec_life_seconds;
@@ -133,6 +138,7 @@ struct starter_ca {
char *crluri;
char *crluri2;
char *ocspuri;
+ char *ocspuri2;
bool strict;
@@ -146,9 +152,12 @@ struct starter_config {
lset_t seen;
char **interfaces;
char *dumpdir;
+ bool charonstart;
+ bool plutostart;
- /* pluto keywords */
+ /* pluto/charon keywords */
char **plutodebug;
+ char *charondebug;
char *prepluto;
char *postpluto;
bool uniqueids;
@@ -160,6 +169,7 @@ struct starter_config {
bool nat_traversal;
u_int keep_alive;
char *virtual_private;
+ char *eapdir;
char *pkcs11module;
bool pkcs11keepstate;
bool pkcs11proxy;
diff --git a/programs/starter/exec.c b/src/starter/exec.c
index 98541db75..98541db75 100644
--- a/programs/starter/exec.c
+++ b/src/starter/exec.c
diff --git a/programs/starter/exec.h b/src/starter/exec.h
index d4be931dd..d4be931dd 100644
--- a/programs/starter/exec.h
+++ b/src/starter/exec.h
diff --git a/programs/starter/files.h b/src/starter/files.h
index 286cdf105..88b670d94 100644
--- a/programs/starter/files.h
+++ b/src/starter/files.h
@@ -17,31 +17,24 @@
#ifndef _STARTER_FILES_H_
#define _STARTER_FILES_H_
-#ifndef DEFAULT_CTLBASE
-#define DEFAULT_CTLBASE "/var/run/pluto"
-#endif
-#define CTL_SUFFIX ".ctl"
-#define PID_SUFFIX ".pid"
+#define STARTER_PID_FILE IPSEC_PIDDIR "/starter.pid"
-#define MY_PID_FILE "/var/run/starter.pid"
+#define PROC_NETKEY "/proc/net/pfkey"
+#define PROC_MODULES "/proc/modules"
-#define DEV_RANDOM "/dev/random"
-#define DEV_URANDOM "/dev/urandom"
+#define CONFIG_FILE IPSEC_CONFDIR "/ipsec.conf"
+#define SECRETS_FILE IPSEC_CONFDIR "/ipsec.secrets"
-#define PROC_NETKEY "/proc/net/pfkey"
-#define PROC_IPSECVERSION "/proc/net/ipsec_version"
-#define PROC_SYSFLAGS "/proc/sys/net/ipsec"
-#define PROC_MODULES "/proc/modules"
+#define PLUTO_CMD IPSEC_DIR "/pluto"
+#define PLUTO_CTL_FILE IPSEC_PIDDIR "/pluto.ctl"
+#define PLUTO_PID_FILE IPSEC_PIDDIR "/pluto.pid"
-#define CONFIG_FILE IPSEC_CONFDIR"/ipsec.conf"
-#define SECRETS_FILE IPSEC_CONFDIR"/ipsec.secrets"
+#define CHARON_CMD IPSEC_DIR "/charon"
+#define CHARON_CTL_FILE IPSEC_PIDDIR "/charon.ctl"
+#define CHARON_PID_FILE IPSEC_PIDDIR "/charon.pid"
-#define PLUTO_CMD IPSEC_EXECDIR"/pluto"
-#define CTL_FILE DEFAULT_CTLBASE CTL_SUFFIX
-#define PID_FILE DEFAULT_CTLBASE PID_SUFFIX
-
-#define DYNIP_DIR "/var/run/dynip"
-#define INFO_FILE "/var/run/ipsec.info"
+#define DYNIP_DIR IPSEC_PIDDIR "/dynip"
+#define INFO_FILE IPSEC_PIDDIR "/ipsec.info"
#endif /* _STARTER_FILES_H_ */
diff --git a/programs/starter/interfaces.c b/src/starter/interfaces.c
index 3b24e2faf..a7c8efd44 100644
--- a/programs/starter/interfaces.c
+++ b/src/starter/interfaces.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: interfaces.c,v 1.16 2006/05/25 12:10:15 as Exp $
+ * RCSID $Id: interfaces.c,v 1.15 2006/02/05 10:51:55 as Exp $
*/
#include <sys/socket.h>
@@ -23,11 +23,11 @@
#include <errno.h>
#include <freeswan.h>
-#include <freeswan/ipsec_tunnel.h>
+#include <ipsec_tunnel.h>
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
+#include <constants.h>
+#include <defs.h>
+#include <log.h>
#include "interfaces.h"
#include "exec.h"
@@ -192,6 +192,9 @@ _iface_up (int sock, struct st_ipsec_if *iface, char *phys
struct ipsectunnelconf *shc=(struct ipsectunnelconf *)&req.ifr_data;
short phys_flags;
int ret = 0;
+ /* sscholz@astaro.com: for network mask 32 bit
+ struct sockaddr_in *inp;
+ */
strncpy(req.ifr_name, phys, IFNAMSIZ);
if (ioctl(sock, SIOCGIFFLAGS, &req) !=0 )
@@ -236,6 +239,13 @@ _iface_up (int sock, struct st_ipsec_if *iface, char *phys
if (ioctl(sock, SIOCGIFNETMASK, &req) == 0)
{
strncpy(req.ifr_name, iface->name, IFNAMSIZ);
+ /* sscholz@astaro.com: changed netmask to 32 bit
+ * in order to prevent network routes from being created
+
+ inp = (struct sockaddr_in *)&req.ifr_addr;
+ inp->sin_addr.s_addr = 0xFFFFFFFFL;
+
+ */
ioctl(sock, SIOCSIFNETMASK, &req);
}
@@ -243,7 +253,8 @@ _iface_up (int sock, struct st_ipsec_if *iface, char *phys
strncpy(req.ifr_name, iface->name, IFNAMSIZ);
if (ioctl(sock, SIOCGIFFLAGS, &req)==0)
{
- if (phys_flags & IFF_POINTOPOINT)
+/* removed by sscholz@astaro.com (caused trouble with DSL/ppp0) */
+/* if (phys_flags & IFF_POINTOPOINT)
{
req.ifr_flags |= IFF_POINTOPOINT;
req.ifr_flags &= ~IFF_BROADCAST;
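Review bot: The IFF_POINTOPOINT branch is disabled by opening a block comment at `/* if (phys_flags & IFF_POINTOPOINT)` in this hunk and closing it with the `*/` added in the next hunk (@@ -255,7 +266,9). C block comments do not nest, so if any of the lines in between (not all are visible in these hunks) contains a comment of its own, the disabled region ends early and part of the branch compiles again. Wrapping the branch in `#if 0` / `#endif`, or deleting it, is more robust, with the reason kept as `/* IFF_POINTOPOINT handling disabled: caused trouble with DSL/ppp0 */`. The commented-out netmask code added in the @@ -192,6 and @@ -236,6 hunks has the same form. _iface_up starts and ends outside these hunks.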
@@ -255,7 +266,9 @@ _iface_up (int sock, struct st_ipsec_if *iface, char *phys
ioctl(sock, SIOCSIFDSTADDR, &req);
}
}
- else if (phys_flags & IFF_BROADCAST)
+ else
+ */
+ if (phys_flags & IFF_BROADCAST)
{
req.ifr_flags &= ~IFF_POINTOPOINT;
req.ifr_flags |= IFF_BROADCAST;
diff --git a/programs/starter/interfaces.h b/src/starter/interfaces.h
index 9898c0516..9898c0516 100644
--- a/programs/starter/interfaces.h
+++ b/src/starter/interfaces.h
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
new file mode 100644
index 000000000..e97c8388b
--- /dev/null
+++ b/src/starter/invokecharon.c
@@ -0,0 +1,251 @@
+/* strongSwan charon launcher
+ * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
+ * Copyright (C) 2006 Martin Willi - Hochschule fuer Technik Rapperswil
+ *
+ * Ported from invokepluto.c to fit charons needs.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: invokecharon.c $
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <signal.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <freeswan.h>
+
+#include "../pluto/constants.h"
+#include "../pluto/defs.h"
+#include "../pluto/log.h"
+
+#include "confread.h"
+#include "invokecharon.h"
+#include "files.h"
+
+static int _charon_pid = 0;
+static int _stop_requested;
+
+pid_t
+starter_charon_pid(void)
+{
+ return _charon_pid;
+}
+
+void
+starter_charon_sigchild(pid_t pid)
+{
+ if (pid == _charon_pid)
+ {
+ _charon_pid = 0;
+ if (!_stop_requested)
+ {
+ plog("charon has died -- restart scheduled (%dsec)"
+ , CHARON_RESTART_DELAY);
+ alarm(CHARON_RESTART_DELAY); // restart in 5 sec
+ }
+ unlink(CHARON_PID_FILE);
+ }
+}
+
+int
+starter_stop_charon (void)
+{
+ pid_t pid;
+ int i;
+
+ pid = _charon_pid;
+ if (pid)
+ {
+ _stop_requested = 1;
+
+ /* be more and more aggressive */
+ for (i = 0; i < 20 && (pid = _charon_pid) != 0; i++)
+ {
+ if (i == 0)
+ kill(pid, SIGINT);
+ else if (i < 10)
+ kill(pid, SIGTERM);
+ else
+ kill(pid, SIGKILL);
+ usleep(20000);
+ }
+ if (_charon_pid == 0)
+ return 0;
+ plog("starter_stop_charon(): can't stop charon !!!");
+ return -1;
+ }
+ else
+ {
+ plog("stater_stop_charon(): charon is not started...");
+ }
+ return -1;
+}
+
+
+int
+starter_start_charon (starter_config_t *cfg, bool debug)
+{
+ int pid, i;
+ struct stat stb;
+ int argc = 1;
+ char *arg[] = {
+ CHARON_CMD, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+ };
+
+ if (!debug)
+ {
+ arg[argc++] = "--use-syslog";
+ }
+ if (cfg->setup.strictcrlpolicy)
+ {
+ arg[argc++] = "--strictcrlpolicy";
+ }
+ if (cfg->setup.cachecrls)
+ {
+ arg[argc++] = "--cachecrls";
+ }
+ if (cfg->setup.crlcheckinterval > 0)
+ {
+ char buffer[BUF_LEN];
+
+ snprintf(buffer, BUF_LEN, "%u", cfg->setup.crlcheckinterval);
+ arg[argc++] = "--crlcheckinterval";
+ arg[argc++] = buffer;
+ }
+ if (cfg->setup.eapdir)
+ {
+ arg[argc++] = "--eapdir";
+ arg[argc++] = cfg->setup.eapdir;
+ }
+
+ { /* parse debug string */
+ char *pos, *level, *buf_pos, type[4], buffer[BUF_LEN];
+ pos = cfg->setup.charondebug;
+ buf_pos = buffer;
+ while (pos && sscanf(pos, "%4s %d,", type, &level) == 2)
+ {
+ snprintf(buf_pos, buffer + sizeof(buffer) - buf_pos, "--debug-%s", type);
+ arg[argc++] = buf_pos;
+ buf_pos += strlen(buf_pos) + 1;
+ if (buf_pos >= buffer + sizeof(buffer))
+ {
+ break;
+ }
+ snprintf(buf_pos, buffer + sizeof(buffer) - buf_pos, "%d", level);
+ arg[argc++] = buf_pos;
+ buf_pos += strlen(buf_pos) + 1;
+ if (buf_pos >= buffer + sizeof(buffer))
+ {
+ break;
+ }
+
+ /* get next */
+ pos = strchr(pos, ',');
+ if (pos)
+ {
+ pos++;
+ }
+ }
+ }
+
+ if (_charon_pid)
+ {
+ plog("starter_start_charon(): charon already started...");
+ return -1;
+ }
+ else
+ {
+ unlink(CHARON_CTL_FILE);
+ _stop_requested = 0;
+
+ /* if ipsec.secrets file is missing then generate RSA default key pair */
+ if (stat(SECRETS_FILE, &stb) != 0)
+ {
+ mode_t oldmask;
+ FILE *f;
+
+ plog("no %s file, generating RSA key", SECRETS_FILE);
+ system("ipsec scepclient --out pkcs1 --out cert-self --quiet");
+
+ /* ipsec.secrets is root readable only */
+ oldmask = umask(0066);
+
+ f = fopen(SECRETS_FILE, "w");
+ if (f)
+ {
+ fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
+ fprintf(f, "\n");
+ fprintf(f, ": RSA myKey.der\n");
+ fclose(f);
+ }
+ umask(oldmask);
+ }
+
+ pid = fork();
+ switch (pid)
+ {
+ case -1:
+ plog("can't fork(): %s", strerror(errno));
+ return -1;
+ case 0:
+ /* child */
+ setsid();
+ sigprocmask(SIG_SETMASK, 0, NULL);
+ execv(arg[0], arg);
+ plog("can't execv(%s,...): %s", arg[0], strerror(errno));
+ exit(1);
+ default:
+ /* father */
+ _charon_pid = pid;
+ for (i = 0; i < 50 && _charon_pid; i++)
+ {
+ /* wait for charon */
+ usleep(20000);
+ if (stat(CHARON_PID_FILE, &stb) == 0)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("charon (%d) started", _charon_pid)
+ )
+ return 0;
+ }
+ }
+ if (_charon_pid)
+ {
+ /* If charon is started but with no ctl file, stop it */
+ plog("charon too long to start... - kill kill");
+ for (i = 0; i < 20 && (pid = _charon_pid) != 0; i++)
+ {
+ if (i == 0)
+ kill(pid, SIGINT);
+ else if (i < 10)
+ kill(pid, SIGTERM);
+ else
+ kill(pid, SIGKILL);
+ usleep(20000);
+ }
+ }
+ else
+ {
+ plog("charon refused to be started");
+ }
+ return -1;
+ }
+ }
+ return -1;
+}
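Review bot: In starter_start_charon the debug parser calls `sscanf(pos, "%4s %d,", type, &level)` with `char type[4]` and with `level` declared as `char *`. A four-character type name therefore writes its terminating NUL one byte past `type`, and `%d` stores through a pointer of the wrong type. The `arg[]` entries also point into `buffer` arrays declared inside inner blocks (the crlcheckinterval branch and the debug block) whose lifetime has ended by the time `execv(arg[0], arg)` runs. In addition, `argc` is never checked against the 39 slots of `arg[]`, so a long `charondebug` value may run past the array and overwrite its NULL terminator, depending on BUF_LEN, which is defined outside this file. Since `charondebug` is presumably read from ipsec.conf and the starter runs privileged, I would hoist both buffers to function scope, size `type` for the NUL, make `level` an `int` and bound `argc`, as sketched below.

```c
int
starter_start_charon (starter_config_t *cfg, bool debug)
{
	/* ... unchanged: pid, i, stb, argc, arg[] ... */
	const int arg_max = sizeof(arg) / sizeof(arg[0]) - 1;	/* last slot stays NULL for execv() */
	char crl_buf[BUF_LEN];	/* function scope: arg[] points here until execv() */
	char buffer[BUF_LEN];	/* debug option strings, same lifetime requirement */
	char type[5];		/* "%4s" stores up to 4 characters plus the NUL */
	int level;		/* matches "%d" in sscanf() and snprintf() */

	/* ... unchanged: --use-syslog, --strictcrlpolicy, --cachecrls ... */
	if (cfg->setup.crlcheckinterval > 0)
	{
		snprintf(crl_buf, sizeof(crl_buf), "%u", cfg->setup.crlcheckinterval);
		arg[argc++] = "--crlcheckinterval";
		arg[argc++] = crl_buf;
	}
	/* ... unchanged: --eapdir ... */

	{ /* parse debug string */
		char *pos = cfg->setup.charondebug;
		char *buf_pos = buffer;

		while (pos && argc + 2 <= arg_max
			&& sscanf(pos, "%4s %d,", type, &level) == 2)
		{
			/* ... unchanged: the two snprintf()/arg[argc++] steps and the "get next" scan ... */
		}
	}
	/* ... unchanged: already-started check, secrets file generation, fork()/execv() ... */
```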
diff --git a/src/starter/invokecharon.h b/src/starter/invokecharon.h
new file mode 100644
index 000000000..b18dba362
--- /dev/null
+++ b/src/starter/invokecharon.h
@@ -0,0 +1,31 @@
+/* strongSwan charon launcher
+ * Copyright (C) 2001-2002 Mathieu Lafon - Arkoon Network Security
+ * Copyright (C) 2006 Martin Willi - Hochschule fuer Technik Rapperswil
+ *
+ * Ported from invokepluto.h to fit charons needs.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: invokecharon.h $
+ */
+
+#ifndef _STARTER_CHARON_H_
+#define _STARTER_CHARON_H_
+
+#define CHARON_RESTART_DELAY 5
+
+extern void starter_charon_sigchild (pid_t pid);
+extern pid_t starter_charon_pid (void);
+extern int starter_stop_charon (void);
+extern int starter_start_charon(struct starter_config *cfg, bool debug);
+
+#endif /* _STARTER_CHARON_H_ */
+
diff --git a/programs/starter/invokepluto.c b/src/starter/invokepluto.c
index 70376e380..1b11b4a10 100644
--- a/programs/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -54,7 +54,7 @@ starter_pluto_sigchild(pid_t pid)
, PLUTO_RESTART_DELAY);
alarm(PLUTO_RESTART_DELAY); // restart in 5 sec
}
- unlink(PID_FILE);
+ unlink(PLUTO_PID_FILE);
}
}
@@ -203,7 +203,7 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
}
else
{
- unlink(CTL_FILE);
+ unlink(PLUTO_CTL_FILE);
_stop_requested = 0;
if (cfg->setup.prepluto)
@@ -220,7 +220,7 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
/* ipsec.secrets is root readable only */
oldmask = umask(0066);
-
+
f = fopen(SECRETS_FILE, "w");
if (f)
{
@@ -252,7 +252,7 @@ starter_start_pluto (starter_config_t *cfg, bool debug)
{
/* wait for pluto */
usleep(20000);
- if (stat(CTL_FILE, &stb) == 0)
+ if (stat(PLUTO_CTL_FILE, &stb) == 0)
{
DBG(DBG_CONTROL,
DBG_log("pluto (%d) started", _pluto_pid)
diff --git a/programs/starter/invokepluto.h b/src/starter/invokepluto.h
index 26858f9b2..26858f9b2 100644
--- a/programs/starter/invokepluto.h
+++ b/src/starter/invokepluto.h
diff --git a/programs/_confread/ipsec.conf.in b/src/starter/ipsec.conf
index 296986459..76b85b23a 100644
--- a/programs/_confread/ipsec.conf.in
+++ b/src/starter/ipsec.conf
@@ -1,8 +1,6 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
+# ipsec.conf - strongSwan IPsec configuration file
-# RCSID $Id: ipsec.conf.in,v 1.7 2006/01/31 13:09:10 as Exp $
-
-# Manual: ipsec.conf.5
+# Manual: man 5 ipsec.conf
# Help: http://www.strongswan.org/docs/readme.htm
version 2.0 # conforms to second version of ipsec.conf specification
@@ -16,9 +14,8 @@ config setup
# strictcrlpolicy=yes
# cachecrls=yes
# nat_traversal=yes
-
-# Uncomment to activate Opportunistic Encryption (OE)
-# include /etc/ipsec.d/examples/oe.conf
+ # charonstart=no
+ # plutostart=no
# Add connections here.
@@ -41,4 +38,5 @@ config setup
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightid="C=CH, O=Linux strongSwan CN=peer name"
+# keyexchange=ikev2
# auto=start
diff --git a/programs/_confread/ipsec.conf.5 b/src/starter/ipsec.conf.5
index af6fae6bd..3e59190e3 100644
--- a/programs/_confread/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -11,14 +11,7 @@ strongSwan IPsec subsystem.
(The major exception is secrets for authentication;
see
.IR ipsec.secrets (5).)
-Its contents are not security-sensitive
-.I unless
-manual keying is being done for more than just testing,
-in which case the encryption/authentication keys in the
-descriptions for the manually-keyed connections are very sensitive
-(and those connection descriptions
-are probably best kept in a separate file,
-via the include facility described below).
+Its contents are not security-sensitive.
.PP
The file is a text file, consisting of one or more
.IR sections .
@@ -57,11 +50,6 @@ Note also the
parameter (described below) which permits splitting a single logical
section (e.g. a connection description) into several actual sections.
.PP
-The first significant line of the file must specify the version
-of this specification that it conforms to:
-.PP
-\fBversion 2\fP
-.PP
A section
begins with a line of the form:
.PP
@@ -125,30 +113,6 @@ and there may be more than one
.B also
in a single section,
although it is forbidden to append the same section more than once.)
-This allows, for example, keeping the encryption keys
-for a connection in a separate file
-from the rest of the description, by using both an
-.B also
-parameter and an
-.B include
-line.
-.PP
-Parameter names beginning with
-.B x-
-(or
-.BR X- ,
-or
-.BR x_ ,
-or
-.BR X_ )
-are reserved for user extensions and will never be assigned meanings
-by IPsec.
-Parameters with such names must still observe the syntax rules
-(limits on characters used in the name;
-no white space in a non-quoted value;
-no newlines or double quotes within the value).
-All other as-yet-unused parameter names are reserved for future IPsec
-improvements.
.PP
A section with name
.B %default
@@ -186,10 +150,7 @@ A
section contains a
.IR "connection specification" ,
defining a network connection to be made using IPsec.
-The name given is arbitrary, and is used to identify the connection to
-.IR ipsec_auto (8)
-and
-.IR ipsec_manual (8).
+The name given is arbitrary, and is used to identify the connection.
Here's a simple example:
.PP
.ne 10
@@ -207,14 +168,15 @@ conn snt
.ft
.fi
.PP
-A note on terminology...
-In automatic keying, there are two kinds of communications going on:
+A note on terminology: There are two kinds of communications going on:
transmission of user IP packets, and gateway-to-gateway negotiations for
keying, rekeying, and general control.
-The data path (a set of ``IPsec SAs'') used for user packets is herein
-referred to as the ``connection'';
-the path used for negotiations (built with ``ISAKMP SAs'') is referred to as
-the ``keying channel''.
+The path to control the connection is called 'ISAKMP SA' in IKEv1 and
+'IKE SA' in the IKEv2 protocol. That what is beeing negotiated, the kernel
+level data path, is called 'IPsec SA'.
+strongSwan currently uses two separate keying daemons. Pluto handles
+all IKEv1 connections, Charon is the new daemon supporting the IKEv2 protocol.
+Charon does not support all keywords yet.
.PP
To avoid trivial editing of the configuration file to suit it to each system
involved in a connection,
@@ -252,13 +214,9 @@ and
.B right
reversed.
.PP
-Parameters are optional unless marked ``(required)'';
-a parameter required for manual keying need not be included for
-a connection which will use only automatic keying, and vice versa.
-.SS "CONN PARAMETERS: GENERAL"
-The following parameters are relevant to both automatic and manual keying.
-Unless otherwise noted,
-for a connection to work,
+Parameters are optional unless marked '(required)'.
+.SS "CONN PARAMETERS"
+Unless otherwise noted, for a connection to work,
in general it is necessary for the two ends to agree exactly
on the values of these parameters.
.TP 14
@@ -276,6 +234,11 @@ signifying that no IPsec processing should be done at all;
signifying that packets should be discarded; and
.BR reject ,
signifying that packets should be discarded and a diagnostic ICMP returned.
+Charon currently supports only
+.BR tunnel
+and
+.BR transport
+connection types.
.TP
.B left
(required)
@@ -309,22 +272,6 @@ The value
.B %any
signifies an address to be filled in (by automatic keying) during
negotiation.
-The value
-.B %opportunistic
-signifies that both
-.B left
-and
-.B leftnexthop
-are to be filled in (by automatic keying) from DNS data for
-.BR left 's
-client.
-The values
-.B %group
-and
-.B %opportunisticgroup
-makes this a policy group conn: one that will be instantiated
-into a regular or opportunistic conn for each CIDR block listed in the
-policy group file with the same name as the conn.
.TP
.B leftsubnet
private subnet behind the left participant, expressed as
@@ -332,7 +279,9 @@ private subnet behind the left participant, expressed as
(actually, any form acceptable to
.IR ipsec_ttosubnet (3));
if omitted, essentially assumed to be \fIleft\fB/32\fR,
-signifying that the left end of the connection goes to the left participant only
+signifying that the left end of the connection goes to the left participant
+only. When using IKEv2, the configured subnet of the peers may differ, the
+protocol narrows it to the greates common subnet.
.TP
.B leftnexthop
next-hop gateway IP address for the left participant's connection
@@ -364,7 +313,8 @@ The magic value
.B %direct
signifies a value to be filled in (by automatic keying)
with the peer's address.
-Relevant only locally, other end need not agree on it.
+Relevant only locally, other end need not agree on it. Currently not supported
+in IKEv2.
.TP
.B leftupdown
what ``updown'' script to run to adjust routing and/or firewalling
@@ -377,7 +327,9 @@ including shell metacharacters is unwise.
See
.IR ipsec_pluto (8)
for details.
-Relevant only locally, other end need not agree on it.
+Relevant only locally, other end need not agree on it. IKEv2 uses the updown
+script to insert firewall rules only. Routing is not support and will be
+implemented directly into Charon.
.TP
.B leftfirewall
whether the left participant is doing forwarding-firewalling
@@ -395,7 +347,7 @@ Implemented as a parameter to the default
script.
See notes below.
Relevant only locally, other end need not agree on it.
-.PP
+
If one or both security gateways are doing forwarding firewalling
(possibly including masquerading),
and this is specified using the firewall parameters,
@@ -407,51 +359,37 @@ This is done by the default
.I updown
script (see
.IR ipsec_pluto (8)).
-.PP
-The implementation of this makes certain assumptions about firewall setup,
-notably the use of the old
-.I ipfwadm
-interface to the firewall.
+
In situations calling for more control,
it may be preferable for the user to supply his own
.I updown
script,
which makes the appropriate adjustments for his system.
-.SS "CONN PARAMETERS: AUTOMATIC KEYING"
-The following parameters are relevant only to automatic keying,
-and are ignored in manual keying.
-Unless otherwise noted,
-for a connection to work,
-in general it is necessary for the two ends to agree exactly
-on the values of these parameters.
-.TP 14
+.TP
.B auto
what operation, if any, should be done automatically at IPsec startup;
currently-accepted values are
.B add
-(signifying an
-.B ipsec auto
-.BR \-\-add ),
+,
.B route
-(signifying that plus an
-.B ipsec auto
-.BR \-\-route ),
+,
.B start
-(signifying that plus an
-.B ipsec auto
-.BR \-\-up ),
-.B manual
-(signifying an
-.B ipsec
-.B manual
-.BR \-\-up ),
and
.B ignore
-(also the default) (signifying no automatic startup operation).
-See the
-.B config
-.B setup
-discussion below.
+.
+.B add
+loads a connection without starting it.
+.B route
+loads a connection and installs kernel traps. If traffic is detected between
+.B leftsubnet
+and
+.B rightsubnet
+, a connection is established.
+.B start
+loads a connection and brings it up immediatly.
+.B ignore
+ignores the connection. This is equal to delete a connection from the config
+file.
Relevant only locally, other end need not agree on it
(but in general, for an intended-to-be-permanent connection,
both ends should use
@@ -465,6 +403,7 @@ acceptable values are
.B esp
(the default) and
.BR ah .
+The IKEv2 daemon currently supports only ESP.
.TP
.B authby
how the two security gateways should authenticate each other;
@@ -477,7 +416,13 @@ for RSA digital signatures (the default),
for either, and
.B never
if negotiation is never to be attempted or accepted (useful for shunt-only conns).
-Digital signatures are superior in every way to shared secrets.
+Digital signatures are superior in every way to shared secrets. In IKEv2, the
+two ends must not agree on this parameter, it is relevant for the own
+authentication method only. IKEv2 additionally supports the value
+.B eap,
+which indicates an initiator to request EAP authentication. The EAP method to
+use is selected by the server (see
+.B eap).
.TP
.B compress
whether IPComp compression of content is proposed on the connection
@@ -487,9 +432,7 @@ acceptable values are
.B yes
and
.B no
-(the default).
-The two ends need not agree.
-A value of
+(the default). A value of
.B yes
causes IPsec to propose both compressed and uncompressed,
and prefer compressed.
@@ -497,28 +440,13 @@ A value of
.B no
prevents IPsec from proposing compression;
a proposal to compress will still be accepted.
-.TP
-.B disablearrivalcheck
-whether KLIPS's normal tunnel-exit check
-(that a packet emerging from a tunnel has plausible addresses in its header)
-should be disabled;
-acceptable values are
-.B yes
-and
-.B no
-(the default).
-Tunnel-exit checks improve security and do not break any normal configuration.
-Relevant only locally, other end need not agree on it.
+IKEv2 does not support IP compression yet.
.TP
.B dpdaction
controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
-R_U_THERE IKE notification messages are periodically sent in order to check the
-liveliness of the IPsec peer. The default is..
-.B none
-which disables the active sending of R_U_THERE notifications.
-Nevertheless pluto will always send the DPD Vendor ID during connection set up
-in order to signal the readiness to act passively as a responder if the peer
-wants to use DPD. The values
+R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
+are periodically sent in order to check the
+liveliness of the IPsec peer. The values
.B clear
and
.B hold
@@ -527,14 +455,31 @@ are stopped and unrouted (
.B clear
) or put in the hold state (
.B hold
+). For
+.B IKEv1
+, the default is
+.B none
+which disables the active sending of R_U_THERE notifications.
+Nevertheless pluto will always send the DPD Vendor ID during connection set up
+in order to signal the readiness to act passively as a responder if the peer
+wants to use DPD. For
+.B IKEv2, none
+does't make sense, as all messages are used to detect dead peers. If specified,
+it has the same meaning as the default (
+.B clear
).
.TP
.B dpddelay
-defines the period time interval with which R_U_THERE messages are sent to the peer.
+defines the period time interval with which R_U_THERE messages/INFORMATIONAL
+exchanges are sent to the peer. These are only sent if no other traffic is
+received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
+messages and uses only standard messages (such as those to rekey) to detect
+dead peers.
.TP
.B dpdtimeout
defines the timeout interval, after which all connections to a peer are deleted
-in case of inactivity.
+in case of inactivity. This only applies to IKEv1, in IKEv2 the default
+retransmission timeout applies, as every exchange is used to detect dead peers.
.TP
.B failureshunt
what to do with packets when negotiation fails.
@@ -545,26 +490,25 @@ no shunt;
.BR drop ,
and
.B reject
-have the obvious meanings.
+have the obvious meanings. Has no effect in IKEv2 yet.
.TP
.B ikelifetime
-how long the keying channel of a connection (buzzphrase: ``ISAKMP SA'')
-should last before being renegotiated;
-acceptable values as for
+how long the keying channel of a connection ('ISAKMP/IKE SA')
+should last before being renegotiated.
+.TP
.B keyexchange
method of key exchange;
-the default and currently the only accepted value is
+which protocol should be used to initialize the connection. Connections marked with
+.B ikev1
+are initiated with pluto, those marked with
+.B ikev2
+with charon. An incoming request from the remote peer is handled by the correct
+daemon, unaffected from the
+.B keyexchange
+setting. The default value
.B ike
-.TP
-.B keylife
-(default set by
-.IR ipsec_pluto (8),
-currently
-.BR 3h ,
-maximum
-.BR 24h ).
-The two-ends-disagree case is similar to that of
-.BR keylife .
+currently behaves exactly as
+.B ikev1.
.TP
.B keyingtries
how many attempts (a whole number or \fB%forever\fP) should be made to
@@ -572,7 +516,7 @@ negotiate a connection, or a replacement for one, before giving up
(default
.BR %forever ).
The value \fB%forever\fP
-means ``never give up'' (obsolete: this can be written \fB0\fP).
+means 'never give up'.
Relevant only locally, other end need not agree on it.
.TP
.B keylife
@@ -629,7 +573,7 @@ parameter is present then the peer must be a member of at least one
of the groups defined by the parameter. Group membership must be certified
by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts\fP thas has been
issued to the peer by a trusted Authorization Authority stored in
-\fI/etc/ipsec.d/aacerts\fP.
+\fI/etc/ipsec.d/aacerts\fP. Attribute certificates are not supported in IKEv2 yet.
.TP
.B leftid
how
@@ -650,57 +594,16 @@ This is set in \fBconfig setup\fP or by \fIipsec_whack\fP(8)), or, if not set,
it is the IP address in \fB%defaultroute\fP (if that is supported by a TXT record in its reverse domain), or otherwise
it is the system's hostname (if that is supported by a TXT record in its forward domain), or otherwise it is undefined.
.TP
-.B leftrsasigkey
-the left participant's
-public key for RSA signature authentication,
-in RFC 2537 format using
-.IR ipsec_ttodata (3)
-encoding.
-The magic value
-.B %none
-means the same as not specifying a value (useful to override a default).
-The value
-.B %cert
-(the default)
-means that the key is extracted from a certificate.
-The value
-.B %dnsondemand
-means the key is to be fetched from DNS at the time it is needed.
-The value
-.B %dnsonload
-means the key is to be fetched from DNS at the time
-the connection description is read from
-.IR ipsec.conf ;
-currently this will be treated as
-.B %none
-if
-.B right=%any
-or
-.BR right=%opportunistic .
-The value
-.B %dns
-is currently treated as
-.B %dnsonload
-but will change to
-.B %dnsondemand
-in the future.
-The identity used for the left participant
-must be a specific host, not
-.B %any
-or another magic value.
-.B Caution:
-if two connection descriptions
-specify different public keys for the same
-.BR leftid ,
-confusion and madness will ensue.
-.TP
-.B leftrsasigkey2
-if present, a second public key.
-Either key can authenticate the signature, allowing for key rollover.
-.TP
.B leftsourceip
+The internal source IP to use in a tunnel, also known as virtual IP. If the
+value is
+.B %modeconfig
+or
+.B %config,
+an address is requested from the peer.
.TP
.B leftsubnetwithin
+Not relevant for IKEv2, as subnets are narrowed.
.TP
.B pfs
whether Perfect Forward Secrecy of keys is desired on the connection's
@@ -711,7 +614,9 @@ acceptable values are
.B yes
(the default)
and
-.BR no .
+.BR no
+. IKEv2 always uses PFS for IKE_SA rekeying. PFS for rekeying IPsec SAs is
+currently not supported.
.TP
.B rekey
whether a connection should be renegotiated when it is about to expire;
@@ -723,12 +628,21 @@ and
The two ends need not agree,
but while a value of
.B no
-prevents Pluto from requesting renegotiation,
+prevents Pluto/Charon from requesting renegotiation,
it does not prevent responding to renegotiation requested from the other end,
so
.B no
will be largely ineffective unless both ends agree on it.
.TP
+.B reauth
+whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
+reauthentication is always done. In IKEv2, a value of
+.B no
+rekeys without uninstalling the IPsec SAs, a value of
+.B yes
+(the default) creates a new IKE_SA from scratch and tries to recreate
+all IPsec SAs.
+.TP
.B rekeyfuzz
maximum percentage by which
.B rekeymargin
@@ -760,155 +674,26 @@ begin; acceptable values as for
(default
.BR 9m ).
Relevant only locally, other end need not agree on it.
-.SS "CONN PARAMETERS: MANUAL KEYING"
-The following parameters are relevant only to manual keying,
-and are ignored in automatic keying.
-Unless otherwise noted,
-for a connection to work,
-in general it is necessary for the two ends to agree exactly
-on the values of these parameters.
-A manually-keyed
-connection must specify at least one of AH or ESP.
-.TP 14
-.B spi
-(this or
-.B spibase
-required for manual keying)
-the SPI number to be used for the connection (see
-.IR ipsec_manual (8));
-must be of the form \fB0x\fIhex\fB\fR,
-where
-.I hex
-is one or more hexadecimal digits
-(note, it will generally be necessary to make
-.I spi
-at least
-.B 0x100
-to be acceptable to KLIPS,
-and use of SPIs in the range
-.BR 0x100 - 0xfff
-is recommended)
-.TP 14
-.B spibase
-(this or
-.B spi
-required for manual keying)
-the base number for the SPIs to be used for the connection (see
-.IR ipsec_manual (8));
-must be of the form \fB0x\fIhex\fB0\fR,
-where
-.I hex
-is one or more hexadecimal digits
-(note, it will generally be necessary to make
-.I spibase
-at least
-.B 0x100
-for the resulting SPIs
-to be acceptable to KLIPS,
-and use of numbers in the range
-.BR 0x100 - 0xff0
-is recommended)
+.TP
+.B ike
+IKE/ISAKMP SA encryption/authentication algorithm to be used, e.g.
+.B aes128-sha1-modp2048
+(encryption-integrity-dhgroup).
.TP
.B esp
ESP encryption/authentication algorithm to be used
for the connection, e.g.
-.B 3des-md5-96
-(must be suitable as a value of
-.IR ipsec_spi (8)'s
-.B \-\-esp
-option);
-default is not to use ESP
-.TP
-.B espenckey
-ESP encryption key
-(must be suitable as a value of
-.IR ipsec_spi (8)'s
-.B \-\-enckey
-option)
-(may be specified separately for each direction using
-.B leftespenckey
-(leftward SA)
-and
-.B rightespenckey
-parameters)
-.TP
-.B espauthkey
-ESP authentication key
-(must be suitable as a value of
-.IR ipsec_spi (8)'s
-.B \-\-authkey
-option)
-(may be specified separately for each direction using
-.B leftespauthkey
-(leftward SA)
-and
-.B rightespauthkey
-parameters)
-.TP
-.B espreplay_window
-ESP replay-window setting,
-an integer from
-.B 0
-(the
-.IR ipsec_manual
-default, which turns off replay protection) to
-.BR 64 ;
-relevant only if ESP authentication is being used
-.TP
-.B leftespspi
-SPI to be used for the leftward ESP SA, overriding
-automatic assignment using
-.B spi
-or
-.BR spibase ;
-typically a hexadecimal number beginning with
-.B 0x
+.B 3des-md5
+(encryption-integrity).
.TP
.B ah
AH authentication algorithm to be used
for the connection, e.g.
-.B hmac-md5-96
-(must be suitable as a value of
-.IR ipsec_spi (8)'s
-.B \-\-ah
-option);
-default is not to use AH
-.TP
-.B ahkey
-(required if
-.B ah
-is present) AH authentication key
-(must be suitable as a value of
-.IR ipsec_spi (8)'s
-.B \-\-authkey
-option)
-(may be specified separately for each direction using
-.B leftahkey
-(leftward SA)
-and
-.B rightahkey
-parameters)
-.TP
-.B ahreplay_window
-AH replay-window setting,
-an integer from
-.B 0
-(the
-.I ipsec_manual
-default, which turns off replay protection) to
-.B 64
-.TP
-.B leftahspi
-SPI to be used for the leftward AH SA, overriding
-automatic assignment using
-.B spi
-or
-.BR spibase ;
-typically a hexadecimal number beginning with
-.B 0x
+.B hmac-md5.
.SH "CA SECTIONS"
This are optional sections that can be used to assign special
-parameters to a Certification Authority (CA).
+parameters to a Certification Authority (CA). These parameters are not
+supported in IKEv2 yet.
.TP 10
.B auto
currently can have either the value
@@ -1035,20 +820,6 @@ startup/shutdown log messages,
default
.BR daemon.error .
.TP
-.B klipsdebug
-how much KLIPS debugging output should be logged.
-An empty value,
-or the magic value
-.BR none ,
-means no debugging output (the default).
-The magic value
-.B all
-means full output.
-Otherwise only the specified types of output
-(a quoted list, names separated by white space) are enabled;
-for details on available debugging types, see
-.IR ipsec_klipsdebug (8).
-.TP
.B plutodebug
how much Pluto debugging output should be logged.
An empty value,
@@ -1066,6 +837,17 @@ separated by white space) are enabled;
for details on available debugging types, see
.IR ipsec_pluto (8).
.TP
+.B charondebug
+how much Charon debugging output should be logged.
+A comma separated list containing type level/pairs may
+be specified, e.g:
+.B dmn 3, ike 1, net -1.
+Acceptable values for types are
+.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib
+and the level is one of
+.B -1, 0, 1, 2, 3, 4
+(for silent, audit, control, controlmore, raw, private)
+.TP
.B plutoopts
additional options to pass to pluto upon startup. See
.IR ipsec_pluto (8).
@@ -1082,13 +864,6 @@ dump core?
The empty value (the default) means they are not
allowed to.
.TP
-.B manualstart
-which manually-keyed connections to set up at startup
-(empty, a name, or a quoted list of names separated by white space);
-see
-.IR ipsec_manual (8).
-Default is none.
-.TP
.B pluto
whether to start Pluto or not;
Values are
@@ -1214,7 +989,8 @@ Written for the FreeS/WAN project
<http://www.freeswan.org>
by Henry Spencer. Extended for the strongSwan project
<http://www.strongswan.org>
-by Andreas Steffen.
+by Andreas Steffen. Updated to respect IKEv2 specific configuration
+by Martin Willi.
.SH BUGS
.PP
When
diff --git a/programs/starter/keywords.c b/src/starter/keywords.c
index b06ee3c0c..215b95ad6 100644
--- a/programs/starter/keywords.c
+++ b/src/starter/keywords.c
@@ -1,6 +1,6 @@
/* C code produced by gperf version 3.0.1 */
-/* Command-line: gperf -C -G -t */
-/* Computed positions: -k'3,$' */
+/* Command-line: /usr/bin/gperf -C -G -t */
+/* Computed positions: -k'1-2,$' */
#if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
&& ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
@@ -44,7 +44,7 @@ error "gperf generated tables don't work with this execution character set. Plea
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: keywords.c,v 1.9 2007/01/11 21:29:28 as Exp $
+ * RCSID $Id: keywords.txt,v 1.6 2006/04/17 10:30:27 as Exp $
*/
#include <string.h>
@@ -56,12 +56,12 @@ struct kw_entry {
kw_token_t token;
};
-#define TOTAL_KEYWORDS 81
+#define TOTAL_KEYWORDS 90
#define MIN_WORD_LENGTH 3
#define MAX_WORD_LENGTH 17
-#define MIN_HASH_VALUE 9
-#define MAX_HASH_VALUE 156
-/* maximum key range = 148, duplicates = 0 */
+#define MIN_HASH_VALUE 15
+#define MAX_HASH_VALUE 188
+/* maximum key range = 174, duplicates = 0 */
#ifdef __GNUC__
__inline
@@ -77,149 +77,164 @@ hash (str, len)
{
static const unsigned char asso_values[] =
{
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 25, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 90, 157, 60,
- 50, 25, 0, 10, 30, 65, 157, 65, 70, 5,
- 0, 75, 35, 157, 10, 20, 5, 70, 157, 157,
- 157, 55, 0, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 40,
+ 10, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 80, 189, 20,
+ 75, 5, 95, 0, 30, 0, 189, 55, 0, 45,
+ 0, 35, 20, 189, 15, 70, 40, 15, 20, 189,
+ 0, 25, 0, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189, 189, 189, 189, 189,
+ 189, 189, 189, 189, 189, 189
};
- return len + asso_values[(unsigned char)str[2]] + asso_values[(unsigned char)str[len - 1]];
+ return len + asso_values[(unsigned char)str[1]] + asso_values[(unsigned char)str[0]] + asso_values[(unsigned char)str[len - 1]];
}
static const struct kw_entry wordlist[] =
{
{""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
- {"left", KW_LEFT},
+ {""}, {""}, {""}, {""}, {""}, {""},
{"leftupdown", KW_LEFTUPDOWN},
- {""}, {""},
- {"leftcert", KW_LEFTCERT,},
{""},
- {"leftsubnet", KW_LEFTSUBNET},
+ {"leftfirewall", KW_LEFTFIREWALL},
+ {""}, {""}, {""},
{"leftsubnetwithin", KW_LEFTSUBNETWITHIN},
- {"leftsendcert", KW_LEFTSENDCERT},
- {"leftprotoport", KW_LEFTPROTOPORT},
- {""},
- {"right", KW_RIGHT},
+ {""}, {""}, {""}, {""},
{"rightupdown", KW_RIGHTUPDOWN},
- {"dumpdir", KW_DUMPDIR},
- {""},
- {"rightcert", KW_RIGHTCERT},
{""},
- {"rightsubnet", KW_RIGHTSUBNET},
+ {"rightfirewall", KW_RIGHTFIREWALL},
+ {"rekeyfuzz", KW_REKEYFUZZ},
+ {"plutodebug", KW_PLUTODEBUG},
+ {"rekeymargin", KW_REKEYMARGIN},
{"rightsubnetwithin", KW_RIGHTSUBNETWITHIN},
- {"rightsendcert", KW_RIGHTSENDCERT},
- {"rightprotoport", KW_RIGHTPROTOPORT},
- {"leftgroups", KW_LEFTGROUPS},
- {""}, {""},
- {"compress", KW_COMPRESS},
- {"lefthostaccess", KW_LEFTHOSTACCESS},
- {"interfaces", KW_INTERFACES},
- {""}, {""}, {""},
- {"auth", KW_AUTH},
- {""},
- {"rightgroups", KW_RIGHTGROUPS},
{""},
- {"pfs", KW_PFS},
{"leftnatip", KW_LEFTNATIP},
- {"righthostaccess", KW_RIGHTHOSTACCESS},
+ {""},
{"leftnexthop", KW_LEFTNEXTHOP},
{"leftsourceip", KW_LEFTSOURCEIP},
{""}, {""},
{"virtual_private", KW_VIRTUAL_PRIVATE},
- {""}, {""},
- {"ike", KW_IKE},
- {""},
- {"rightnatip", KW_RIGHTNATIP},
- {"leftid", KW_LEFTID},
- {"rightnexthop", KW_RIGHTNEXTHOP},
- {"rightsourceip", KW_RIGHTSOURCEIP},
- {"dpdaction", KW_DPDACTION},
- {"keep_alive", KW_KEEP_ALIVE},
- {"ikelifetime", KW_IKELIFETIME},
+ {"crluri", KW_CRLURI},
{""},
- {"pfsgroup", KW_PFSGROUP},
- {"type", KW_TYPE},
- {"dpdtimeout", KW_DPDTIMEOUT},
- {"authby", KW_AUTHBY},
- {"rightid", KW_RIGHTID},
{"leftrsasigkey", KW_LEFTRSASIGKEY},
{""},
- {"modeconfig", KW_MODECONFIG},
- {"cacert", KW_CACERT},
- {""},
- {"esp", KW_ESP},
- {"rekeyfuzz", KW_REKEYFUZZ},
+ {"rightnatip", KW_RIGHTNATIP},
{""},
- {"rekeymargin", KW_REKEYMARGIN},
- {"hidetos", KW_HIDETOS},
- {"packetdefault", KW_PACKETDEFAULT},
+ {"rightnexthop", KW_RIGHTNEXTHOP},
+ {"rightsourceip", KW_RIGHTSOURCEIP},
+ {"left", KW_LEFT},
+ {"rekey", KW_REKEY},
+ {"crlcheckinterval", KW_CRLCHECKINTERVAL},
+ {"crluri2", KW_CRLURI2},
+ {"leftcert", KW_LEFTCERT,},
{"rightrsasigkey", KW_RIGHTRSASIGKEY},
- {"strictcrlpolicy", KW_STRICTCRLPOLICY},
- {""},
- {"leftfirewall", KW_LEFTFIREWALL},
+ {"leftsubnet", KW_LEFTSUBNET},
+ {"reauth", KW_REAUTH},
+ {"leftsendcert", KW_LEFTSENDCERT},
+ {"leftprotoport", KW_LEFTPROTOPORT},
{""},
- {"auto", KW_AUTO},
+ {"right", KW_RIGHT},
+ {"charondebug", KW_CHARONDEBUG},
+ {"ocspuri", KW_OCSPURI},
+ {"ike", KW_IKE},
+ {"rightcert", KW_RIGHTCERT},
{"klipsdebug", KW_KLIPSDEBUG},
- {"keyingtries", KW_KEYINGTRIES},
+ {"rightsubnet", KW_RIGHTSUBNET},
+ {""},
+ {"rightsendcert", KW_RIGHTSENDCERT},
+ {"rightprotoport", KW_RIGHTPROTOPORT},
+ {"plutostart", KW_PLUTOSTART},
+ {"ikelifetime", KW_IKELIFETIME},
{"keylife", KW_KEYLIFE},
- {"nat_traversal", KW_NAT_TRAVERSAL},
- {"cachecrls", KW_CACHECRLS},
- {"plutodebug", KW_PLUTODEBUG},
+ {"ocspuri2", KW_OCSPURI2},
+ {"type", KW_TYPE},
+ {"keep_alive", KW_KEEP_ALIVE},
{"keyexchange", KW_KEYEXCHANGE},
- {"ocspuri", KW_OCSPURI},
- {"rightfirewall", KW_RIGHTFIREWALL},
- {"uniqueids", KW_UNIQUEIDS},
{""},
+ {"prepluto", KW_PREPLUTO},
+ {""},
+ {"interfaces", KW_INTERFACES},
+ {"overridemtu", KW_OVERRIDEMTU},
+ {"crluri1", KW_CRLURI},
+ {""}, {""},
+ {"leftgroups", KW_LEFTGROUPS},
+ {"leftid", KW_LEFTID},
+ {""},
+ {"ldapbase", KW_LDAPBASE},
+ {"lefthostaccess", KW_LEFTHOSTACCESS},
+ {"modeconfig", KW_MODECONFIG},
{"leftca", KW_LEFTCA},
{"pkcs11module", KW_PKCS11MODULE},
- {""},
- {"also", KW_ALSO},
+ {"nat_traversal", KW_NAT_TRAVERSAL},
+ {"uniqueids", KW_UNIQUEIDS},
{"pkcs11keepstate", KW_PKCS11KEEPSTATE},
- {""},
- {"crluri2", KW_CRLURI2},
- {"ldaphost", KW_LDAPHOST},
+ {"rightgroups", KW_RIGHTGROUPS},
+ {"rightid", KW_RIGHTID},
+ {"esp", KW_ESP},
{"postpluto", KW_POSTPLUTO},
- {"xauth", KW_XAUTH},
- {"overridemtu", KW_OVERRIDEMTU},
+ {"righthostaccess", KW_RIGHTHOSTACCESS},
+ {"charonstart", KW_CHARONSTART},
{"rightca", KW_RIGHTCA},
- {"prepluto", KW_PREPLUTO},
- {""}, {""}, {""}, {""},
- {"dpddelay", KW_DPDDELAY},
- {""}, {""}, {""}, {""},
- {"nocrsend", KW_NOCRSEND},
- {""}, {""}, {""}, {""},
- {"ldapbase", KW_LDAPBASE},
+ {"ocspuri1", KW_OCSPURI},
+ {"dpdaction", KW_DPDACTION},
{""},
- {"rekey", KW_REKEY},
+ {"eapdir", KW_EAPDIR},
+ {"hidetos", KW_HIDETOS},
+ {"eap", KW_EAP},
+ {""}, {""},
{"pkcs11proxy", KW_PKCS11PROXY},
- {""}, {""}, {""}, {""}, {""}, {""},
+ {"dumpdir", KW_DUMPDIR},
+ {""}, {""},
+ {"xauth", KW_XAUTH},
+ {""}, {""},
+ {"nocrsend", KW_NOCRSEND},
+ {"also", KW_ALSO},
+ {""}, {""}, {""},
+ {"ldaphost", KW_LDAPHOST},
+ {""}, {""},
+ {"authby", KW_AUTHBY},
+ {""},
+ {"dpddelay", KW_DPDDELAY},
+ {"auth", KW_AUTH},
+ {""}, {""}, {""},
+ {"compress", KW_COMPRESS},
+ {"auto", KW_AUTO},
+ {""}, {""}, {""},
{"fragicmp", KW_FRAGICMP},
- {""}, {""}, {""}, {""}, {""}, {""}, {""},
- {"crluri", KW_CRLURI},
+ {""}, {""},
+ {"keyingtries", KW_KEYINGTRIES},
+ {""},
+ {"pfsgroup", KW_PFSGROUP},
+ {""},
+ {"dpdtimeout", KW_DPDTIMEOUT},
+ {"cacert", KW_CACERT},
+ {""}, {""}, {""},
+ {"strictcrlpolicy", KW_STRICTCRLPOLICY},
+ {""}, {""},
+ {"packetdefault", KW_PACKETDEFAULT},
+ {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
{""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
- {""}, {""}, {""}, {""}, {""},
- {"crlcheckinterval", KW_CRLCHECKINTERVAL}
+ {""}, {""}, {""}, {""}, {""}, {""}, {""},
+ {"cachecrls", KW_CACHECRLS},
+ {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""},
+ {"pfs", KW_PFS}
};
#ifdef __GNUC__
diff --git a/programs/starter/keywords.h b/src/starter/keywords.h
index 4356b4947..08d50fea0 100644
--- a/programs/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -12,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: keywords.h,v 1.10 2007/01/11 21:27:27 as Exp $
+ * RCSID $Id: keywords.h,v 1.8 2006/04/17 10:30:27 as Exp $
*/
#ifndef _KEYWORDS_H_
@@ -22,9 +22,12 @@ typedef enum {
/* config setup keywords */
KW_INTERFACES,
KW_DUMPDIR,
+ KW_CHARONSTART,
+ KW_PLUTOSTART,
- /* pluto keywords */
+ /* pluto/charon keywords */
KW_PLUTODEBUG,
+ KW_CHARONDEBUG,
KW_PREPLUTO,
KW_POSTPLUTO,
KW_UNIQUEIDS,
@@ -36,6 +39,7 @@ typedef enum {
KW_NAT_TRAVERSAL,
KW_KEEP_ALIVE,
KW_VIRTUAL_PRIVATE,
+ KW_EAPDIR,
KW_PKCS11MODULE,
KW_PKCS11KEEPSTATE,
KW_PKCS11PROXY,
@@ -64,12 +68,14 @@ typedef enum {
KW_COMPRESS,
KW_AUTH,
KW_AUTHBY,
+ KW_EAP,
KW_IKELIFETIME,
KW_KEYLIFE,
KW_REKEYMARGIN,
KW_KEYINGTRIES,
KW_REKEYFUZZ,
KW_REKEY,
+ KW_REAUTH,
KW_IKE,
KW_ESP,
KW_PFSGROUP,
@@ -91,9 +97,10 @@ typedef enum {
KW_CRLURI,
KW_CRLURI2,
KW_OCSPURI,
+ KW_OCSPURI2,
#define KW_CA_FIRST KW_CA_SETUP
-#define KW_CA_LAST KW_OCSPURI
+#define KW_CA_LAST KW_OCSPURI2
/* end keywords */
KW_HOST,
diff --git a/programs/starter/keywords.txt b/src/starter/keywords.txt
index 6ad2d5fce..0f943fc3c 100644
--- a/programs/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -13,7 +13,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: keywords.txt,v 1.8 2007/01/11 21:27:51 as Exp $
+ * RCSID $Id: keywords.txt,v 1.6 2006/04/17 10:30:27 as Exp $
*/
#include <string.h>
@@ -27,9 +27,12 @@ struct kw_entry {
};
%%
interfaces, KW_INTERFACES
+dumpdir, KW_DUMPDIR
+charonstart, KW_CHARONSTART
+plutostart, KW_PLUTOSTART
klipsdebug, KW_KLIPSDEBUG
plutodebug, KW_PLUTODEBUG
-dumpdir, KW_DUMPDIR
+charondebug, KW_CHARONDEBUG
prepluto, KW_PREPLUTO
postpluto, KW_POSTPLUTO
fragicmp, KW_FRAGICMP
@@ -44,6 +47,8 @@ nocrsend, KW_NOCRSEND
nat_traversal, KW_NAT_TRAVERSAL
keep_alive, KW_KEEP_ALIVE
virtual_private, KW_VIRTUAL_PRIVATE
+eap, KW_EAP
+eapdir, KW_EAPDIR
pkcs11module, KW_PKCS11MODULE
pkcs11keepstate, KW_PKCS11KEEPSTATE
pkcs11proxy, KW_PKCS11PROXY
@@ -59,6 +64,7 @@ ikelifetime, KW_IKELIFETIME
keyingtries, KW_KEYINGTRIES
rekeyfuzz, KW_REKEYFUZZ
rekey, KW_REKEY
+reauth, KW_REAUTH
esp, KW_ESP
ike, KW_IKE
pfsgroup, KW_PFSGROUP
@@ -71,8 +77,11 @@ cacert, KW_CACERT
ldaphost, KW_LDAPHOST
ldapbase, KW_LDAPBASE
crluri, KW_CRLURI
+crluri1, KW_CRLURI
crluri2, KW_CRLURI2
ocspuri, KW_OCSPURI
+ocspuri1, KW_OCSPURI
+ocspuri2, KW_OCSPURI2
left, KW_LEFT
leftnexthop, KW_LEFTNEXTHOP
leftsubnet, KW_LEFTSUBNET
diff --git a/programs/starter/lex.yy.c b/src/starter/lex.yy.c
index 2c0dd040a..f8e6569f1 100644
--- a/programs/starter/lex.yy.c
+++ b/src/starter/lex.yy.c
@@ -497,14 +497,14 @@ char *yytext;
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: lex.yy.c,v 1.6 2007/01/14 18:37:25 as Exp $
+ * RCSID $Id: parser.l,v 1.5 2006/03/28 22:32:33 as Exp $
*/
#include <string.h>
#include <stdlib.h>
#include <glob.h>
-#include "parser.tab.h"
+#include "y.tab.h"
#define MAX_INCLUDE_DEPTH 20
@@ -928,7 +928,7 @@ return INCLUDE;
case 10:
YY_RULE_SETUP
#line 169 "parser.l"
-return VERSION;
+return FILE_VERSION;
YY_BREAK
case 11:
YY_RULE_SETUP
diff --git a/programs/starter/netkey.c b/src/starter/netkey.c
index d0b8e0a2c..d0b8e0a2c 100644
--- a/programs/starter/netkey.c
+++ b/src/starter/netkey.c
diff --git a/programs/starter/netkey.h b/src/starter/netkey.h
index ff8989d34..ff8989d34 100644
--- a/programs/starter/netkey.h
+++ b/src/starter/netkey.h
diff --git a/programs/starter/parser.h b/src/starter/parser.h
index 61bdea974..61bdea974 100644
--- a/programs/starter/parser.h
+++ b/src/starter/parser.h
diff --git a/programs/starter/parser.l b/src/starter/parser.l
index 8d1cc4c31..1469f94bc 100644
--- a/programs/starter/parser.l
+++ b/src/starter/parser.l
@@ -19,7 +19,7 @@
#include <stdlib.h>
#include <glob.h>
-#include "parser.tab.h"
+#include "y.tab.h"
#define MAX_INCLUDE_DEPTH 20
@@ -166,7 +166,7 @@ setup return SETUP;
conn return CONN;
ca return CA;
include return INCLUDE;
-version return VERSION;
+version return FILE_VERSION;
[^\"= \t\n]+ {
yylval.s = strdup(yytext);
diff --git a/programs/starter/parser.y b/src/starter/parser.y
index 159bbc651..db984fae3 100644
--- a/programs/starter/parser.y
+++ b/src/starter/parser.y
@@ -54,7 +54,7 @@ extern kw_entry_t *in_word_set (char *str, unsigned int len);
%}
%union { char *s; };
-%token EQUAL FIRST_SPACES EOL CONFIG SETUP CONN CA INCLUDE VERSION
+%token EQUAL FIRST_SPACES EOL CONFIG SETUP CONN CA INCLUDE FILE_VERSION
%token <s> STRING
%%
@@ -69,7 +69,7 @@ config_file:
;
section_or_include:
- VERSION STRING EOL
+ FILE_VERSION STRING EOL
{
free($2);
}
diff --git a/programs/starter/starter.c b/src/starter/starter.c
index 0b2c83369..0bf1d7a71 100644
--- a/programs/starter/starter.c
+++ b/src/starter/starter.c
@@ -36,8 +36,9 @@
#include "confread.h"
#include "files.h"
#include "starterwhack.h"
+#include "starterstroke.h"
#include "invokepluto.h"
-#include "klips.h"
+#include "invokecharon.h"
#include "netkey.h"
#include "cmp.h"
#include "interfaces.h"
@@ -47,6 +48,7 @@
#define FLAG_ACTION_RELOAD 0x04
#define FLAG_ACTION_QUIT 0x08
#define FLAG_ACTION_LISTEN 0x10
+#define FLAG_ACTION_START_CHARON 0x20
static unsigned int _action_ = 0;
@@ -55,7 +57,7 @@ fsig(int signal)
{
switch (signal)
{
- case SIGCHLD:
+ case SIGCHLD:
{
int status;
pid_t pid;
@@ -65,58 +67,62 @@ fsig(int signal)
{
if (pid == starter_pluto_pid())
name = " (Pluto)";
+ if (pid == starter_charon_pid())
+ name = " (Charon)";
if (WIFSIGNALED(status))
DBG(DBG_CONTROL,
DBG_log("child %d%s has been killed by sig %d\n",
pid, name?name:"", WTERMSIG(status))
- )
+ )
else if (WIFSTOPPED(status))
DBG(DBG_CONTROL,
DBG_log("child %d%s has been stopped by sig %d\n",
pid, name?name:"", WSTOPSIG(status))
- )
+ )
else if (WIFEXITED(status))
DBG(DBG_CONTROL,
DBG_log("child %d%s has quit (exit code %d)\n",
pid, name?name:"", WEXITSTATUS(status))
- )
+ )
else
DBG(DBG_CONTROL,
DBG_log("child %d%s has quit", pid, name?name:"")
- )
-
+ )
if (pid == starter_pluto_pid())
starter_pluto_sigchild(pid);
+ if (pid == starter_charon_pid())
+ starter_charon_sigchild(pid);
}
}
break;
- case SIGPIPE:
- /** ignore **/
- break;
+ case SIGPIPE:
+ /** ignore **/
+ break;
- case SIGALRM:
- _action_ |= FLAG_ACTION_START_PLUTO;
- break;
+ case SIGALRM:
+ _action_ |= FLAG_ACTION_START_PLUTO;
+ _action_ |= FLAG_ACTION_START_CHARON;
+ break;
- case SIGHUP:
- _action_ |= FLAG_ACTION_UPDATE;
- break;
+ case SIGHUP:
+ _action_ |= FLAG_ACTION_UPDATE;
+ break;
- case SIGTERM:
- case SIGQUIT:
- case SIGINT:
- _action_ |= FLAG_ACTION_QUIT;
- break;
+ case SIGTERM:
+ case SIGQUIT:
+ case SIGINT:
+ _action_ |= FLAG_ACTION_QUIT;
+ break;
- case SIGUSR1:
- _action_ |= FLAG_ACTION_RELOAD;
- _action_ |= FLAG_ACTION_UPDATE;
- break;
+ case SIGUSR1:
+ _action_ |= FLAG_ACTION_RELOAD;
+ _action_ |= FLAG_ACTION_UPDATE;
+ break;
- default:
- plog("fsig(): unknown signal %d -- investigate", signal);
- break;
+ default:
+ plog("fsig(): unknown signal %d -- investigate", signal);
+ break;
}
}
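Review bot: `_action_` is still a plain `static unsigned int` (declared in the earlier hunk), yet the SIGALRM case of fsig() now ORs a second flag into it while main() tests the same word in its loop. If main() clears bits with an ordinary read-modify-write (the clearing code is outside this hunk, so confirm), a signal arriving between the read and the write-back can lose a START, RELOAD or QUIT request. Declaring it `static volatile sig_atomic_t _action_ = 0;` and blocking the handled signals with `sigprocmask()` around the main-loop updates would close that window. The SIGCHLD branch also calls DBG_log() and the new starter_charon_sigchild() from signal context; those bodies are not visible here, but they should be limited to async-signal-safe work.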
@@ -124,7 +130,7 @@ static void
usage(char *name)
{
fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
- "[--debug|--debug-more|--debug-all]\n");
+ "[--debug|--debug-more|--debug-all]\n");
exit(1);
}
@@ -143,7 +149,6 @@ int main (int argc, char **argv)
struct timeval tv;
unsigned long auto_update = 0;
time_t last_reload;
- bool has_netkey;
bool no_fork = FALSE;
/* global variables defined in log.h */
@@ -177,7 +182,7 @@ int main (int argc, char **argv)
}
else
{
- usage(argv[0]);
+ usage(argv[0]);
}
}
@@ -194,6 +199,8 @@ int main (int argc, char **argv)
signal(SIGALRM, fsig);
signal(SIGUSR1, fsig);
+ plog("Starting strongSwan %s IPsec [starter]...", ipsec_version_code());
+
/* verify that we can start */
if (getuid() != 0)
{
@@ -201,12 +208,22 @@ int main (int argc, char **argv)
exit(1);
}
- if (stat(PID_FILE, &stb) == 0)
+ if (stat(PLUTO_PID_FILE, &stb) == 0)
{
- plog("pluto is already running (%s exists) -- aborting", PID_FILE);
- exit(1);
+ plog("pluto is already running (%s exists) -- skipping pluto start", PLUTO_PID_FILE);
+ }
+ else
+ {
+ _action_ |= FLAG_ACTION_START_PLUTO;
+ }
+ if (stat(CHARON_PID_FILE, &stb) == 0)
+ {
+ plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE);
+ }
+ else
+ {
+ _action_ |= FLAG_ACTION_START_CHARON;
}
-
if (stat(DEV_RANDOM, &stb) != 0)
{
plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
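Review bot: The "already running" decision rests on `stat()` of PLUTO_PID_FILE and CHARON_PID_FILE alone, so a stale file left by a crash makes starter log "skipping" and carry on without that IKE daemon, where the old code aborted visibly. The skip is also not remembered: fsig() sets both FLAG_ACTION_START_PLUTO and FLAG_ACTION_START_CHARON on every SIGALRM, and the start blocks later in main() test only `cfg->setup.plutostart && !starter_pluto_pid()`. If starter_pluto_pid() reports only children of this process (not visible here, so confirm), a retry alarm for one daemon could launch a second copy of the other. Checking that the recorded PID is alive, as sketched below, and keeping the skip in its own flag would cover both cases. main() begins and continues outside this hunk.

```c
/* new helper: a PID file counts as "running" only if the recorded process exists */
static bool pid_file_is_live(const char *path)
{
	FILE *f = fopen(path, "r");
	long pid = 0;
	bool live = FALSE;

	if (f)
	{
		if (fscanf(f, "%ld", &pid) == 1 && pid > 0)
			live = (kill((pid_t)pid, 0) == 0 || errno == EPERM);
		fclose(f);
	}
	return live;
}

/* … unchanged: getuid() check … */
	if (pid_file_is_live(PLUTO_PID_FILE))
	/* … unchanged: plog + else branch; same change for CHARON_PID_FILE … */
```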
@@ -227,27 +244,19 @@ int main (int argc, char **argv)
}
/* determine if we have a native netkey IPsec stack */
- has_netkey = starter_netkey_init();
-
- if (!has_netkey)
+ if (!starter_netkey_init())
{
- /* determine if we have a KLIPS IPsec stack instead */
- if (starter_klips_init())
- {
- starter_klips_set_config(cfg);
- starter_ifaces_init();
- starter_ifaces_clear();
- }
- else
- {
- plog("neither netkey nor KLIPS IPSec stack detected");
- exit(1);
- }
+ plog("no netkey IPSec stack detected");
+ exit(1);
}
last_reload = time(NULL);
- plog("Starting strongSwan IPsec %s [starter]...", ipsec_version_code());
+ if (stat(STARTER_PID_FILE, &stb) == 0)
+ {
+ plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
+ exit(0);
+ }
/* fork if we're not debugging stuff */
if (!no_fork)
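Review bot: The new `stat(STARTER_PID_FILE, &stb)` guard is a check-then-create. The file is only written later by `fopen(STARTER_PID_FILE, "w")` (in a following hunk), so two starters launched together can both pass the test, and the later "w" open truncates whatever is at that path. Creating the file atomically at the write site, e.g. `int pfd = open(STARTER_PID_FILE, O_WRONLY | O_CREAT | O_EXCL, 0644);` and treating `EEXIST` as "already running", removes the window. The guard also runs after the pluto/charon flags are set and after starter_netkey_init(), and it ends with `exit(0)`, so a caller cannot tell "started" from "refused to start". Moving it up beside the other PID-file checks and returning a non-zero status would make the refusal visible. main() continues outside this hunk.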
@@ -256,7 +265,7 @@ int main (int argc, char **argv)
switch (fork())
{
- case 0:
+ case 0:
{
int fnull = open("/dev/null", O_RDWR);
@@ -269,17 +278,17 @@ int main (int argc, char **argv)
}
}
break;
- case -1:
- plog("can't fork: %s", strerror(errno));
- break;
- default:
- exit(0);
+ case -1:
+ plog("can't fork: %s", strerror(errno));
+ break;
+ default:
+ exit(0);
}
}
/* save pid file in /var/run/starter.pid */
{
- FILE *fd = fopen(MY_PID_FILE, "w");
+ FILE *fd = fopen(STARTER_PID_FILE, "w");
if (fd)
{
@@ -288,34 +297,20 @@ int main (int argc, char **argv)
}
}
- if (!has_netkey)
- {
- starter_ifaces_load(cfg->setup.interfaces
- , cfg->setup.overridemtu
- , cfg->setup.nat_traversal
- , &cfg->defaultroute);
- }
-
- _action_ = FLAG_ACTION_START_PLUTO;
-
for (;;)
{
/*
- * Stop pluto (if started) and exit
- */
+ * Stop pluto/charon (if started) and exit
+ */
if (_action_ & FLAG_ACTION_QUIT)
{
if (starter_pluto_pid())
starter_stop_pluto();
- if (has_netkey)
- starter_netkey_cleanup();
- else
- {
- starter_ifaces_clear();
- starter_klips_cleanup();
- }
+ if (starter_charon_pid())
+ starter_stop_charon();
+ starter_netkey_cleanup();
confread_free(cfg);
- unlink(MY_PID_FILE);
+ unlink(STARTER_PID_FILE);
unlink(INFO_FILE);
#ifdef LEAK_DETECTIVE
report_leaks();
@@ -330,13 +325,20 @@ int main (int argc, char **argv)
*/
if (_action_ & FLAG_ACTION_RELOAD)
{
- if (starter_pluto_pid())
+ if (starter_pluto_pid() || starter_charon_pid())
{
for (conn = cfg->conn_first; conn; conn = conn->next)
{
if (conn->state == STATE_ADDED)
{
- starter_whack_del_conn(conn);
+ if (starter_charon_pid())
+ {
+ starter_stroke_del_conn(conn);
+ }
+ if (starter_pluto_pid())
+ {
+ starter_whack_del_conn(conn);
+ }
conn->state = STATE_TO_ADD;
}
}
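Review bot: The charon-then-pluto delete sequence added here is repeated verbatim in three later hunks: the CA loop just below and the two "remove what is no longer in the new config" loops for conns and CAs. A future change to one copy can easily miss the others and leave stale connections or CA sections loaded in one daemon. A pair of small static helpers, as sketched below, keeps the teardown logic in one place. Each entry is also removed from both daemons whenever both are running, regardless of its `keyexchange` setting. Whether stroke and whack tolerate deleting a name they never loaded is not visible here and is worth confirming. The enclosing main() starts and ends outside this hunk.

```c
/* remove a connection from every IKE daemon starter is supervising */
static void del_conn_from_daemons(starter_conn_t *conn)
{
	if (starter_charon_pid())
		starter_stroke_del_conn(conn);
	if (starter_pluto_pid())
		starter_whack_del_conn(conn);
}

/* same for a ca section */
static void del_ca_from_daemons(starter_ca_t *ca)
{
	if (starter_charon_pid())
		starter_stroke_del_ca(ca);
	if (starter_pluto_pid())
		starter_whack_del_ca(ca);
}

/* … unchanged: reload loop … */
				if (conn->state == STATE_ADDED)
				{
					del_conn_from_daemons(conn);
					conn->state = STATE_TO_ADD;
				}
```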
@@ -344,7 +346,14 @@ int main (int argc, char **argv)
{
if (ca->state == STATE_ADDED)
{
- starter_whack_del_ca(ca);
+ if (starter_charon_pid())
+ {
+ starter_stroke_del_ca(ca);
+ }
+ if (starter_pluto_pid())
+ {
+ starter_whack_del_ca(ca);
+ }
ca->state = STATE_TO_ADD;
}
}
@@ -360,35 +369,16 @@ int main (int argc, char **argv)
err = NULL;
DBG(DBG_CONTROL,
DBG_log("Reloading config...")
- )
+ );
new_cfg = confread_load(CONFIG_FILE);
if (new_cfg)
{
/* Switch to new config. New conn will be loaded below */
- if (has_netkey)
- {
- if (!starter_cmp_defaultroute(&new_cfg->defaultroute
- , &cfg->defaultroute))
- {
- _action_ |= FLAG_ACTION_LISTEN;
- }
- }
- else
+ if (!starter_cmp_defaultroute(&new_cfg->defaultroute
+ , &cfg->defaultroute))
{
- if (!starter_cmp_klips(cfg, new_cfg))
- {
- plog("KLIPS has changed");
- starter_klips_set_config(new_cfg);
- }
-
- if (starter_ifaces_load(new_cfg->setup.interfaces
- , new_cfg->setup.overridemtu
- , new_cfg->setup.nat_traversal
- , &new_cfg->defaultroute))
- {
- _action_ |= FLAG_ACTION_LISTEN;
- }
+ _action_ |= FLAG_ACTION_LISTEN;
}
if (!starter_cmp_pluto(cfg, new_cfg))
@@ -410,8 +400,7 @@ int main (int argc, char **argv)
{
for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
{
- if (conn2->state == STATE_TO_ADD
- && starter_cmp_conn(conn, conn2))
+ if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
{
conn->state = STATE_REPLACED;
conn2->state = STATE_ADDED;
@@ -426,7 +415,16 @@ int main (int argc, char **argv)
for (conn = cfg->conn_first; conn; conn = conn->next)
{
if (conn->state == STATE_ADDED)
- starter_whack_del_conn(conn);
+ {
+ if (starter_charon_pid())
+ {
+ starter_stroke_del_conn(conn);
+ }
+ if (starter_pluto_pid())
+ {
+ starter_whack_del_conn(conn);
+ }
+ }
}
/* Look for new ca sections that are already loaded */
@@ -436,8 +434,7 @@ int main (int argc, char **argv)
{
for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
{
- if (ca2->state == STATE_TO_ADD
- && starter_cmp_ca(ca, ca2))
+ if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
{
ca->state = STATE_REPLACED;
ca2->state = STATE_ADDED;
@@ -451,7 +448,16 @@ int main (int argc, char **argv)
for (ca = cfg->ca_first; ca; ca = ca->next)
{
if (ca->state == STATE_ADDED)
- starter_whack_del_ca(ca);
+ {
+ if (starter_charon_pid())
+ {
+ starter_stroke_del_ca(ca);
+ }
+ if (starter_pluto_pid())
+ {
+ starter_whack_del_ca(ca);
+ }
+ }
}
}
confread_free(cfg);
@@ -470,13 +476,11 @@ int main (int argc, char **argv)
*/
if (_action_ & FLAG_ACTION_START_PLUTO)
{
- if (starter_pluto_pid() == 0)
+ if (cfg->setup.plutostart && !starter_pluto_pid())
{
DBG(DBG_CONTROL,
DBG_log("Attempting to start pluto...")
- )
- if (!has_netkey)
- starter_klips_clear();
+ );
if (starter_start_pluto(cfg, no_fork) == 0)
{
@@ -502,26 +506,55 @@ int main (int argc, char **argv)
conn->state = STATE_TO_ADD;
}
}
+
+ /*
+ * Start charon
+ */
+ if (_action_ & FLAG_ACTION_START_CHARON)
+ {
+ if (cfg->setup.charonstart && !starter_charon_pid())
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("Attempting to start charon...")
+ );
+ if (starter_start_charon(cfg, no_fork))
+ {
+ /* schedule next try */
+ alarm(PLUTO_RESTART_DELAY);
+ }
+ }
+ _action_ &= ~FLAG_ACTION_START_CHARON;
+ }
/*
* Tell pluto to reread its interfaces
*/
if (_action_ & FLAG_ACTION_LISTEN)
{
- starter_whack_listen();
- _action_ &= ~FLAG_ACTION_LISTEN;
+ if (starter_pluto_pid())
+ {
+ starter_whack_listen();
+ _action_ &= ~FLAG_ACTION_LISTEN;
+ }
}
/*
* Add stale conn and ca sections
*/
- if (starter_pluto_pid() != 0)
+ if (starter_pluto_pid() || starter_charon_pid())
{
for (ca = cfg->ca_first; ca; ca = ca->next)
{
if (ca->state == STATE_TO_ADD)
{
- starter_whack_add_ca(ca);
+ if (starter_charon_pid())
+ {
+ starter_stroke_add_ca(ca);
+ }
+ if (starter_pluto_pid())
+ {
+ starter_whack_add_ca(ca);
+ }
ca->state = STATE_ADDED;
}
}
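Review bot: Nothing in the added charon block puts already-loaded sections back to STATE_TO_ADD after starter_start_charon() succeeds, whereas the tail of the pluto block just above it (`conn->state = STATE_TO_ADD;`) does. If charon is restarted while sections are in STATE_ADDED, the add loop further down skips them and the new charon would run without its connections and CAs. This is inferred from the visible lines only; main() extends beyond the hunk and the reset may happen elsewhere. A possible fix is sketched below. It also re-sends the sections to a running pluto, so tracking the state per daemon would be the cleaner shape.

```c
			if (starter_start_charon(cfg, no_fork))
			{
				/* schedule next try */
				alarm(PLUTO_RESTART_DELAY);
			}
			else
			{
				/* a fresh charon knows nothing yet: queue loaded sections again */
				for (ca = cfg->ca_first; ca; ca = ca->next)
				{
					if (ca->state == STATE_ADDED)
					{
						ca->state = STATE_TO_ADD;
					}
				}
				for (conn = cfg->conn_first; conn; conn = conn->next)
				{
					if (conn->state == STATE_ADDED)
					{
						conn->state = STATE_TO_ADD;
					}
				}
			}
/* … unchanged: clearing FLAG_ACTION_START_CHARON, listen and add-ca handling … */
```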
@@ -535,12 +568,50 @@ int main (int argc, char **argv)
/* affect new unique id */
conn->id = id++;
}
- starter_whack_add_conn(conn);
+ if (starter_charon_pid())
+ {
+ starter_stroke_add_conn(conn);
+ }
+ if (starter_pluto_pid())
+ {
+ starter_whack_add_conn(conn);
+ }
conn->state = STATE_ADDED;
+
if (conn->startup == STARTUP_START)
- starter_whack_initiate_conn(conn);
+ {
+ if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
+ {
+ if (starter_charon_pid())
+ {
+ starter_stroke_initiate_conn(conn);
+ }
+ }
+ else
+ {
+ if (starter_pluto_pid())
+ {
+ starter_whack_initiate_conn(conn);
+ }
+ }
+ }
else if (conn->startup == STARTUP_ROUTE)
- starter_whack_route_conn(conn);
+ {
+ if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
+ {
+ if (starter_charon_pid())
+ {
+ starter_stroke_route_conn(conn);
+ }
+ }
+ else
+ {
+ if (starter_pluto_pid())
+ {
+ starter_whack_route_conn(conn);
+ }
+ }
+ }
}
}
}
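Review bot: A STARTUP_START or STARTUP_ROUTE connection is skipped without any trace when the daemon for its key exchange is not running. `conn->state = STATE_ADDED` is set before the keyexchange check, so the inner `if (starter_charon_pid())` or `if (starter_pluto_pid())` falls through and, as far as this hunk shows, the connection is not retried. An `else` branch on each inner check that logs the skip would let an operator see why a tunnel never came up, for example `plog("connection '%s' not initiated: no running daemon for its key exchange", conn->name);`. The enclosing main() starts and ends outside this hunk.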
@@ -551,8 +622,9 @@ int main (int argc, char **argv)
if (auto_update)
{
time_t now = time(NULL);
+
tv.tv_sec = (now < last_reload + auto_update)
- ? (last_reload + auto_update-now) : 0;
+ ? (last_reload + auto_update-now) : 0;
tv.tv_usec = 0;
}
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
new file mode 100644
index 000000000..fb8e74b8c
--- /dev/null
+++ b/src/starter/starterstroke.c
@@ -0,0 +1,295 @@
+/* Stroke for charon is the counterpart to whack from pluto
+ * Copyright (C) 2006 Martin Willi - Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: starterstroke.c $
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <stddef.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <freeswan.h>
+
+#include <constants.h>
+#include <defs.h>
+#include <log.h>
+
+#include <stroke.h>
+
+#include "starterstroke.h"
+#include "confread.h"
+#include "files.h"
+
+/**
+ * Authentication mehtods, must be the same values as in charon
+ */
+enum auth_method_t {
+ AUTH_RSA = 1,
+ AUTH_PSK = 2,
+ AUTH_DSS = 3,
+ AUTH_EAP = 201,
+};
+
+static char* push_string(stroke_msg_t *msg, char *string)
+{
+ unsigned long string_start = msg->length;
+
+ if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t))
+ {
+ return NULL;
+ }
+ else
+ {
+ msg->length += strlen(string) + 1;
+ strcpy((char*)msg + string_start, string);
+ return (char*)string_start;
+ }
+}
+
+static int send_stroke_msg (stroke_msg_t *msg)
+{
+ struct sockaddr_un ctl_addr = { AF_UNIX, CHARON_CTL_FILE };
+ int byte_count;
+ char buffer[64];
+
+ /* starter is not called from commandline, and therefore absolutely silent */
+ msg->output_verbosity = -1;
+
+ int sock = socket(AF_UNIX, SOCK_STREAM, 0);
+
+ if (sock < 0)
+ {
+ plog("socket() failed: %s", strerror(errno));
+ return -1;
+ }
+ if (connect(sock, (struct sockaddr *)&ctl_addr, offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
+ {
+ plog("connect(charon_ctl) failed: %s", strerror(errno));
+ close(sock);
+ return -1;
+ }
+
+ /* send message */
+ if (write(sock, msg, msg->length) != msg->length)
+ {
+ plog("write(charon_ctl) failed: %s", strerror(errno));
+ close(sock);
+ return -1;
+ }
+ while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
+ {
+ buffer[byte_count] = '\0';
+ plog("%s", buffer);
+ }
+ if (byte_count < 0)
+ {
+ plog("read() failed: %s", strerror(errno));
+ }
+
+ close(sock);
+ return 0;
+}
+
+static char* connection_name(starter_conn_t *conn)
+{
+ /* if connection name is '%auto', create a new name like conn_xxxxx */
+ static char buf[32];
+
+ if (streq(conn->name, "%auto"))
+ {
+ sprintf(buf, "conn_%ld", conn->id);
+ return buf;
+ }
+ return conn->name;
+}
+
+static void ip_address2string(ip_address *addr, char *buffer, size_t len)
+{
+ switch (((struct sockaddr*)addr)->sa_family)
+ {
+ case AF_INET:
+ {
+ struct sockaddr_in* sin = (struct sockaddr_in*)addr;
+ if (inet_ntop(AF_INET, &sin->sin_addr, buffer, len))
+ {
+ return;
+ }
+ break;
+ }
+ case AF_INET6:
+ {
+ struct sockaddr_in6* sin6 = (struct sockaddr_in6*)addr;
+ if (inet_ntop(AF_INET6, &sin6->sin6_addr, buffer, len))
+ {
+ return;
+ }
+ break;
+ }
+ default:
+ break;
+ }
+ /* failed */
+ snprintf(buffer, len, "0.0.0.0");
+}
+
+
+static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
+{
+ char buffer[INET6_ADDRSTRLEN];
+
+ msg_end->id = push_string(msg, conn_end->id);
+ msg_end->cert = push_string(msg, conn_end->cert);
+ msg_end->ca = push_string(msg, conn_end->ca);
+ msg_end->updown = push_string(msg, conn_end->updown);
+ ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
+ msg_end->address = push_string(msg, buffer);
+ ip_address2string(&conn_end->subnet.addr, buffer, sizeof(buffer));
+ msg_end->subnet = push_string(msg, buffer);
+ msg_end->subnet_mask = conn_end->subnet.maskbits;
+ msg_end->sendcert = conn_end->sendcert;
+ msg_end->hostaccess = conn_end->hostaccess;
+ msg_end->tohost = !conn_end->has_client;
+ msg_end->protocol = conn_end->protocol;
+ msg_end->port = conn_end->port;
+ msg_end->virtual_ip = conn_end->modecfg;
+ ip_address2string(&conn_end->srcip, buffer, sizeof(buffer));
+ msg_end->sourceip = push_string(msg, buffer);
+}
+
+int starter_stroke_add_conn(starter_conn_t *conn)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_ADD_CONN;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
+ msg.add_conn.name = push_string(&msg, connection_name(conn));
+
+ /* RSA is preferred before PSK and EAP */
+ if (conn->policy & POLICY_RSASIG)
+ {
+ msg.add_conn.auth_method = AUTH_RSA;
+ }
+ else if (conn->policy & POLICY_PSK)
+ {
+ msg.add_conn.auth_method = AUTH_PSK;
+ }
+ else
+ {
+ msg.add_conn.auth_method = AUTH_EAP;
+ }
+ msg.add_conn.eap_type = conn->eap;
+
+ if (conn->policy & POLICY_TUNNEL)
+ {
+ msg.add_conn.mode = 1; /* XFRM_MODE_TRANSPORT */
+ }
+ else if (conn->policy & POLICY_BEET)
+ {
+ msg.add_conn.mode = 4; /* XFRM_MODE_BEET */
+ }
+ else
+ {
+ msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */
+ }
+
+ if (conn->policy & POLICY_DONT_REKEY)
+ {
+ msg.add_conn.rekey.ipsec_lifetime = 0;
+ msg.add_conn.rekey.ike_lifetime = 0;
+ msg.add_conn.rekey.margin = 0;
+ msg.add_conn.rekey.tries = 0;
+ msg.add_conn.rekey.fuzz = 0;
+ }
+ else
+ {
+ msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
+ msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
+ msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
+ msg.add_conn.rekey.margin = conn->sa_rekey_margin;
+ msg.add_conn.rekey.tries = conn->sa_keying_tries;
+ msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
+ }
+ msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
+ msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
+ msg.add_conn.dpd.delay = conn->dpd_delay;
+ msg.add_conn.dpd.action = conn->dpd_action;
+
+ starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
+ starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
+
+ return send_stroke_msg(&msg);
+}
+
+int starter_stroke_del_conn(starter_conn_t *conn)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_DEL_CONN;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.del_conn.name = push_string(&msg, connection_name(conn));
+ return send_stroke_msg(&msg);
+}
+
+int starter_stroke_route_conn(starter_conn_t *conn)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_ROUTE;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.route.name = push_string(&msg, connection_name(conn));
+ return send_stroke_msg(&msg);
+}
+
+int starter_stroke_initiate_conn(starter_conn_t *conn)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_INITIATE;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.initiate.name = push_string(&msg, connection_name(conn));
+ return send_stroke_msg(&msg);
+}
+
+int starter_stroke_add_ca(starter_ca_t *ca)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_ADD_CA;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.add_ca.name = push_string(&msg, ca->name);
+ msg.add_ca.cacert = push_string(&msg, ca->cacert);
+ msg.add_ca.crluri = push_string(&msg, ca->crluri);
+ msg.add_ca.crluri2 = push_string(&msg, ca->crluri2);
+ msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri);
+ msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
+ return send_stroke_msg(&msg);
+}
+
+int starter_stroke_del_ca(starter_ca_t *ca)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_DEL_CA;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.del_ca.name = push_string(&msg, ca->name);
+ return send_stroke_msg(&msg);
+}
+
+
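Review bot: Every builder declares `stroke_msg_t msg;` without initialising it, and send_stroke_msg() then writes `msg->length` bytes starting at the struct, so any header or union bytes left unassigned reach charon as leftover stack contents. In starter_stroke_add_conn() the POLICY_DONT_REKEY branch never sets `rekey.reauth`, so charon receives an indeterminate value for it. Starting each builder with `memset(&msg, 0, sizeof(msg));` fixes both. push_string() also returns NULL both for an absent string and for one that no longer fits, and no caller tells them apart, so an over-long `ike`, `esp` or `updown` value is silently sent as unset; a plog() in the overflow case would make that visible. Separately, the comments on `mode = 1` and `mode = 0` look swapped relative to the Linux XFRM_MODE_* values (tunnel is 1, transport is 0), although the assigned numbers themselves match.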
diff --git a/src/starter/starterstroke.h b/src/starter/starterstroke.h
new file mode 100644
index 000000000..95c37094e
--- /dev/null
+++ b/src/starter/starterstroke.h
@@ -0,0 +1,29 @@
+/* Stroke for charon is the counterpart to whack from pluto
+ * Copyright (C) 2006 Martin Willi - Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: starterstroke.h $
+ */
+
+#ifndef _STARTER_STROKE_H_
+#define _STARTER_STROKE_H_
+
+#include "confread.h"
+
+extern int starter_stroke_add_conn(starter_conn_t *conn);
+extern int starter_stroke_del_conn(starter_conn_t *conn);
+extern int starter_stroke_route_conn(starter_conn_t *conn);
+extern int starter_stroke_initiate_conn(starter_conn_t *conn);
+extern int starter_stroke_add_ca(starter_ca_t *ca);
+extern int starter_stroke_del_ca(starter_ca_t *ca);
+
+#endif /* _STARTER_STROKE_H_ */
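Review bot: The six prototypes carry no description of their return value, and the callers added to starter.c in this commit discard it. From starterstroke.c in the same commit, each function returns the result of send_stroke_msg(): 0 once the request was written, -1 when socket(), connect() or write() failed. A comment above the declarations would record that: `/* Each call returns 0 after the request was written to charon's control socket, -1 on socket/connect/write failure. */`.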
diff --git a/programs/starter/starterwhack.c b/src/starter/starterwhack.c
index cb3e02172..42328849a 100644
--- a/programs/starter/starterwhack.c
+++ b/src/starter/starterwhack.c
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: starterwhack.c,v 1.20 2007/01/18 21:16:45 as Exp $
+ * RCSID $Id: starterwhack.c,v 1.17 2006/04/17 10:32:36 as Exp $
*/
#include <sys/types.h>
@@ -23,10 +23,10 @@
#include <freeswan.h>
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/log.h"
-#include "../pluto/whack.h"
+#include <constants.h>
+#include <defs.h>
+#include <log.h>
+#include <whack.h>
#include "starterwhack.h"
#include "confread.h"
@@ -54,7 +54,7 @@ pack_str (char **p, char **next, char **roof)
static int
send_whack_msg (whack_message_t *msg)
{
- struct sockaddr_un ctl_addr = { AF_UNIX, CTL_FILE };
+ struct sockaddr_un ctl_addr = { AF_UNIX, PLUTO_CTL_FILE };
int sock;
ssize_t len;
char *str_next, *str_roof;
@@ -69,17 +69,13 @@ send_whack_msg (whack_message_t *msg)
|| !pack_str(&msg->left.ca, &str_next, &str_roof)
|| !pack_str(&msg->left.groups, &str_next, &str_roof)
|| !pack_str(&msg->left.updown, &str_next, &str_roof)
-#ifdef VIRTUAL_IP
|| !pack_str(&msg->left.virt, &str_next, &str_roof)
-#endif
|| !pack_str(&msg->right.id, &str_next, &str_roof)
|| !pack_str(&msg->right.cert, &str_next, &str_roof)
|| !pack_str(&msg->right.ca, &str_next, &str_roof)
|| !pack_str(&msg->right.groups, &str_next, &str_roof)
|| !pack_str(&msg->right.updown, &str_next, &str_roof)
-#ifdef VIRTUAL_IP
|| !pack_str(&msg->right.virt, &str_next, &str_roof)
-#endif
|| !pack_str(&msg->keyid, &str_next, &str_roof)
|| !pack_str(&msg->myid, &str_next, &str_roof)
|| !pack_str(&msg->cacert, &str_next, &str_roof)
@@ -239,6 +235,7 @@ starter_whack_add_conn(starter_conn_t *conn)
msg.whack_connection = TRUE;
msg.name = connection_name(conn);
+ msg.ikev1 = conn->keyexchange != KEY_EXCHANGE_IKEV2;
msg.addr_family = conn->addr_family;
msg.tunnel_addr_family = conn->tunnel_addr_family;
msg.sa_ike_life_seconds = conn->sa_ike_life_seconds;
diff --git a/programs/starter/starterwhack.h b/src/starter/starterwhack.h
index 2e79c0715..2e79c0715 100644
--- a/programs/starter/starterwhack.h
+++ b/src/starter/starterwhack.h
diff --git a/programs/starter/parser.tab.c b/src/starter/y.tab.c
index 6e0061f89..11a0373e9 100644
--- a/programs/starter/parser.tab.c
+++ b/src/starter/y.tab.c
@@ -74,7 +74,7 @@
CONN = 263,
CA = 264,
INCLUDE = 265,
- VERSION = 266,
+ FILE_VERSION = 266,
STRING = 267
};
#endif
@@ -87,7 +87,7 @@
#define CONN 263
#define CA 264
#define INCLUDE 265
-#define VERSION 266
+#define FILE_VERSION 266
#define STRING 267
@@ -109,7 +109,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: parser.tab.c,v 1.7 2007/01/14 18:37:25 as Exp $
+ * RCSID $Id: parser.y,v 1.6 2006/01/17 23:43:36 as Exp $
*/
#include <stdio.h>
@@ -173,7 +173,7 @@ typedef union YYSTYPE
#line 56 "parser.y"
{ char *s; }
/* Line 193 of yacc.c. */
-#line 177 "parser.tab.c"
+#line 177 "y.tab.c"
YYSTYPE;
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
@@ -186,7 +186,7 @@ typedef union YYSTYPE
/* Line 216 of yacc.c. */
-#line 190 "parser.tab.c"
+#line 190 "y.tab.c"
#ifdef short
# undef short
@@ -485,7 +485,7 @@ static const yytype_uint8 yyrline[] =
static const char *const yytname[] =
{
"$end", "error", "$undefined", "EQUAL", "FIRST_SPACES", "EOL", "CONFIG",
- "SETUP", "CONN", "CA", "INCLUDE", "VERSION", "STRING", "$accept",
+ "SETUP", "CONN", "CA", "INCLUDE", "FILE_VERSION", "STRING", "$accept",
"config_file", "section_or_include", "@1", "@2", "@3", "@4",
"kw_section", "statement_kw", 0
};
@@ -1396,7 +1396,7 @@ yyreduce:
#line 73 "parser.y"
{
free((yyvsp[(2) - (3)].s));
- ;}
+ }
break;
case 5:
@@ -1404,7 +1404,7 @@ yyreduce:
{
_parser_kw = &(_parser_cfg->config_setup);
_parser_kw_last = NULL;
- ;}
+ }
break;
case 7:
@@ -1424,7 +1424,7 @@ yyreduce:
_parser_cfg->conn_last = section;
_parser_kw_last = NULL;
free((yyvsp[(2) - (3)].s));
- ;}
+ }
break;
case 9:
@@ -1443,7 +1443,7 @@ yyreduce:
_parser_cfg->ca_last = section;
_parser_kw_last = NULL;
free((yyvsp[(2) - (3)].s));
- ;}
+ }
break;
case 11:
@@ -1452,7 +1452,7 @@ yyreduce:
extern void _parser_y_include (const char *f);
_parser_y_include((yyvsp[(2) - (2)].s));
free((yyvsp[(2) - (2)].s));
- ;}
+ }
break;
case 16:
@@ -1480,19 +1480,19 @@ yyreduce:
}
free((yyvsp[(1) - (3)].s));
free((yyvsp[(3) - (3)].s));
- ;}
+ }
break;
case 17:
#line 155 "parser.y"
{
free((yyvsp[(1) - (2)].s));
- ;}
+ }
break;
/* Line 1267 of yacc.c. */
-#line 1496 "parser.tab.c"
+#line 1496 "y.tab.c"
default: break;
}
YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
diff --git a/programs/starter/parser.tab.h b/src/starter/y.tab.h
index b6a810f51..4b55cb005 100644
--- a/programs/starter/parser.tab.h
+++ b/src/starter/y.tab.h
@@ -47,7 +47,7 @@
CONN = 263,
CA = 264,
INCLUDE = 265,
- VERSION = 266,
+ FILE_VERSION = 266,
STRING = 267
};
#endif
@@ -60,7 +60,7 @@
#define CONN 263
#define CA 264
#define INCLUDE 265
-#define VERSION 266
+#define FILE_VERSION 266
#define STRING 267
@@ -71,7 +71,7 @@ typedef union YYSTYPE
#line 56 "parser.y"
{ char *s; }
/* Line 1528 of yacc.c. */
-#line 75 "parser.tab.h"
+#line 75 "y.tab.h"
YYSTYPE;
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
diff --git a/src/stroke/Makefile.am b/src/stroke/Makefile.am
new file mode 100644
index 000000000..6ea64753c
--- /dev/null
+++ b/src/stroke/Makefile.am
@@ -0,0 +1,9 @@
+ipsec_PROGRAMS = stroke
+
+stroke_SOURCES = stroke.c stroke.h stroke_keywords.c stroke_keywords.h
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+EXTRA_DIST = stroke_keywords.txt
+MAINTAINERCLEANFILES = stroke_keywords.c
+
+stroke_keywords.c: stroke_keywords.txt stroke_keywords.h
+ $(GPERF) -C -G -t < stroke_keywords.txt > stroke_keywords.c
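Review bot: A failed or interrupted gperf run in the `stroke_keywords.c` rule leaves a truncated output file that is newer than its inputs, because the recipe redirects straight into the target. The next `make` then compiles the partial file instead of regenerating it. Writing to a temporary name and renaming on success avoids that: `$(GPERF) -C -G -t < $(srcdir)/stroke_keywords.txt > $@.tmp && mv $@.tmp $@`. The `$(srcdir)/` prefix also keeps the recipe working when the build directory is not the source directory.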
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
new file mode 100644
index 000000000..179bca750
--- /dev/null
+++ b/src/stroke/Makefile.in
@@ -0,0 +1,483 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = stroke$(EXEEXT)
+subdir = src/stroke
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(ipsecdir)"
+ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(ipsec_PROGRAMS)
+am_stroke_OBJECTS = stroke.$(OBJEXT) stroke_keywords.$(OBJEXT)
+stroke_OBJECTS = $(am_stroke_OBJECTS)
+stroke_LDADD = $(LDADD)
+DEFAULT_INCLUDES = -I. -I$(srcdir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+SOURCES = $(stroke_SOURCES)
+DIST_SOURCES = $(stroke_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+stroke_SOURCES = stroke.c stroke.h stroke_keywords.c stroke_keywords.h
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+EXTRA_DIST = stroke_keywords.txt
+MAINTAINERCLEANFILES = stroke_keywords.c
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/stroke/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/stroke/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ if test -f $$p \
+ || test -f $$p1 \
+ ; then \
+ f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
+ else :; fi; \
+ done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
+ done
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f $$p $$f"; \
+ rm -f $$p $$f ; \
+ done
+stroke$(EXEEXT): $(stroke_OBJECTS) $(stroke_DEPENDENCIES)
+ @rm -f stroke$(EXEEXT)
+ $(LINK) $(stroke_LDFLAGS) $(stroke_OBJECTS) $(stroke_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_keywords.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS)
+installdirs:
+ for dir in "$(DESTDIR)$(ipsecdir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+ -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-libtool distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS
+
+install-exec-am:
+
+install-info: install-info-am
+
+install-man:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-info-am uninstall-ipsecPROGRAMS
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-ipsecPROGRAMS clean-libtool ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-exec \
+ install-exec-am install-info install-info-am \
+ install-ipsecPROGRAMS install-man install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-info-am \
+ uninstall-ipsecPROGRAMS
+
+
+stroke_keywords.c: stroke_keywords.txt stroke_keywords.h
+ $(GPERF) -C -G -t < stroke_keywords.txt > stroke_keywords.c
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
new file mode 100644
index 000000000..5d3fd6e77
--- /dev/null
+++ b/src/stroke/stroke.c
@@ -0,0 +1,421 @@
+/* Stroke for charon is the counterpart to whack from pluto
+ * Copyright (C) 2006 Martin Willi - Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/fcntl.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stddef.h>
+
+#include "stroke.h"
+#include "stroke_keywords.h"
+
+struct stroke_token {
+ char *name;
+ stroke_keyword_t kw;
+};
+
+static char* push_string(stroke_msg_t *msg, char *string)
+{
+ unsigned long string_start = msg->length;
+
+ if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t))
+ {
+ return NULL;
+ }
+ else
+ {
+ msg->length += strlen(string) + 1;
+ strcpy((char*)msg + string_start, string);
+ return (char*)string_start;
+ }
+}
+
+static int send_stroke_msg (stroke_msg_t *msg)
+{
+ struct sockaddr_un ctl_addr = { AF_UNIX, STROKE_SOCKET };
+ int sock;
+ char buffer[64];
+ int byte_count;
+
+ msg->output_verbosity = 1; /* CONTROL */
+
+ sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (sock < 0)
+ {
+ fprintf(stderr, "Opening unix socket %s: %s\n", STROKE_SOCKET, strerror(errno));
+ return -1;
+ }
+ if (connect(sock, (struct sockaddr *)&ctl_addr,
+ offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
+ {
+ fprintf(stderr, "Connect to socket failed: %s\n", strerror(errno));
+ close(sock);
+ return -1;
+ }
+
+ /* send message */
+ if (write(sock, msg, msg->length) != msg->length)
+ {
+ fprintf(stderr, "writing to socket failed: %s\n", strerror(errno));
+ close(sock);
+ return -1;
+ }
+
+ while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
+ {
+ buffer[byte_count] = '\0';
+ printf("%s", buffer);
+ }
+ if (byte_count < 0)
+ {
+ fprintf(stderr, "reading from socket failed: %s\n", strerror(errno));
+ }
+
+ close(sock);
+ return 0;
+}
+
+static int add_connection(char *name,
+ char *my_id, char *other_id,
+ char *my_addr, char *other_addr,
+ char *my_net, char *other_net,
+ u_int my_netmask, u_int other_netmask)
+{
+ stroke_msg_t msg;
+
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.type = STR_ADD_CONN;
+
+ msg.add_conn.name = push_string(&msg, name);
+ msg.add_conn.ikev2 = 1;
+ msg.add_conn.auth_method = 2;
+ msg.add_conn.eap_type = 0;
+ msg.add_conn.mode = 1;
+
+ msg.add_conn.rekey.reauth = 0;
+ msg.add_conn.rekey.ipsec_lifetime = 0;
+ msg.add_conn.rekey.ike_lifetime = 0;
+ msg.add_conn.rekey.margin = 0;
+ msg.add_conn.rekey.tries = 0;
+ msg.add_conn.rekey.fuzz = 0;
+
+ msg.add_conn.algorithms.ike = NULL;
+ msg.add_conn.algorithms.esp = NULL;
+
+ msg.add_conn.dpd.delay = 0;
+ msg.add_conn.dpd.action = 1;
+
+ msg.add_conn.me.id = push_string(&msg, my_id);
+ msg.add_conn.me.address = push_string(&msg, my_addr);
+ msg.add_conn.me.subnet = push_string(&msg, my_net);
+ msg.add_conn.me.subnet_mask = my_netmask;
+ msg.add_conn.me.sourceip = NULL;
+ msg.add_conn.me.virtual_ip = 0;
+ msg.add_conn.me.cert = NULL;
+ msg.add_conn.me.ca = NULL;
+ msg.add_conn.me.sendcert = 1;
+ msg.add_conn.me.hostaccess = 0;
+ msg.add_conn.me.tohost = 0;
+ msg.add_conn.me.protocol = 0;
+ msg.add_conn.me.port = 0;
+
+ msg.add_conn.other.id = push_string(&msg, other_id);
+ msg.add_conn.other.address = push_string(&msg, other_addr);
+ msg.add_conn.other.subnet = push_string(&msg, other_net);
+ msg.add_conn.other.subnet_mask = other_netmask;
+ msg.add_conn.other.sourceip = NULL;
+ msg.add_conn.other.virtual_ip = 0;
+ msg.add_conn.other.cert = NULL;
+ msg.add_conn.other.ca = NULL;
+ msg.add_conn.other.sendcert = 1;
+ msg.add_conn.other.hostaccess = 0;
+ msg.add_conn.other.tohost = 0;
+ msg.add_conn.other.protocol = 0;
+ msg.add_conn.other.port = 0;
+
+ return send_stroke_msg(&msg);
+}
+
+static int del_connection(char *name)
+{
+ stroke_msg_t msg;
+
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.type = STR_DEL_CONN;
+ msg.initiate.name = push_string(&msg, name);
+ return send_stroke_msg(&msg);
+}
+
+static int initiate_connection(char *name)
+{
+ stroke_msg_t msg;
+
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.type = STR_INITIATE;
+ msg.initiate.name = push_string(&msg, name);
+ return send_stroke_msg(&msg);
+}
+
+static int terminate_connection(char *name)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_TERMINATE;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.initiate.name = push_string(&msg, name);
+ return send_stroke_msg(&msg);
+}
+
+static int route_connection(char *name)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_ROUTE;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.route.name = push_string(&msg, name);
+ return send_stroke_msg(&msg);
+}
+
+static int unroute_connection(char *name)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_UNROUTE;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.unroute.name = push_string(&msg, name);
+ return send_stroke_msg(&msg);
+}
+
+static int show_status(stroke_keyword_t kw, char *connection)
+{
+ stroke_msg_t msg;
+
+ msg.type = (kw == STROKE_STATUS)? STR_STATUS:STR_STATUS_ALL;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.status.name = push_string(&msg, connection);
+ return send_stroke_msg(&msg);
+}
+
+static int list_flags[] = {
+ LIST_CERTS,
+ LIST_CACERTS,
+ LIST_OCSPCERTS,
+ LIST_CAINFOS,
+ LIST_CRLS,
+ LIST_OCSP,
+ LIST_ALL
+};
+
+static int list(stroke_keyword_t kw, int utc)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_LIST;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.list.utc = utc;
+ msg.list.flags = list_flags[kw - STROKE_LIST_FIRST];
+ return send_stroke_msg(&msg);
+}
+
+static int reread_flags[] = {
+ REREAD_CACERTS,
+ REREAD_OCSPCERTS,
+ REREAD_CRLS,
+ REREAD_ALL
+};
+
+static int reread(stroke_keyword_t kw)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_REREAD;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.reread.flags = reread_flags[kw - STROKE_REREAD_FIRST];
+ return send_stroke_msg(&msg);
+}
+
+static int purge_flags[] = {
+ PURGE_OCSP
+};
+
+static int purge(stroke_keyword_t kw)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_PURGE;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.purge.flags = purge_flags[kw - STROKE_PURGE_FIRST];
+ return send_stroke_msg(&msg);
+}
+
+static int set_loglevel(char *type, u_int level)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_LOGLEVEL;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.loglevel.type = push_string(&msg, type);
+ msg.loglevel.level = level;
+ return send_stroke_msg(&msg);
+}
+
+static void exit_error(char *error)
+{
+ if (error)
+ {
+ fprintf(stderr, "%s\n", error);
+ }
+ exit(-1);
+}
+
+static void exit_usage(char *error)
+{
+ printf("Usage:\n");
+ printf(" Add a connection:\n");
+ printf(" stroke add NAME MY_ID OTHER_ID MY_ADDR OTHER_ADDR\\\n");
+ printf(" MY_NET OTHER_NET MY_NETBITS OTHER_NETBITS\n");
+ printf(" where: ID is any IKEv2 ID \n");
+ printf(" ADDR is a IPv4 address\n");
+ printf(" NET is a IPv4 address of the subnet to tunnel\n");
+ printf(" NETBITS is the size of the subnet, as the \"24\" in 192.168.0.0/24\n");
+ printf(" Delete a connection:\n");
+ printf(" stroke delete NAME\n");
+ printf(" where: NAME is a connection name added with \"stroke add\"\n");
+ printf(" Initiate a connection:\n");
+ printf(" stroke up NAME\n");
+ printf(" where: NAME is a connection name added with \"stroke add\"\n");
+ printf(" Terminate a connection:\n");
+ printf(" stroke down NAME\n");
+ printf(" where: NAME is a connection name added with \"stroke add\"\n");
+ printf(" Set loglevel for a logging type:\n");
+ printf(" stroke loglevel TYPE LEVEL\n");
+ printf(" where: TYPE is any|dmn|mgr|ike|chd|job|cfg|knl|net|enc|lib\n");
+ printf(" LEVEL is -1|0|1|2|3|4\n");
+ printf(" Show connection status:\n");
+ printf(" stroke status\n");
+ printf(" Show list of locally loaded certificates and crls:\n");
+ printf(" stroke listcerts|listcacerts|listocspcerts|listcainfos|listcrls|listocsp|listall\n");
+ printf(" Reload ca certificates and crls:\n");
+ printf(" stroke rereadcacerts|rereadcrls|rereadall\n");
+ printf(" Purge ocsp cache entries:\n");
+ printf(" stroke purgeocsp\n");
+ exit_error(error);
+}
+
+int main(int argc, char *argv[])
+{
+ const stroke_token_t *token;
+ int res = 0;
+
+ if (argc < 2)
+ {
+ exit_usage(NULL);
+ }
+
+ token = in_word_set(argv[1], strlen(argv[1]));
+
+ if (token == NULL)
+ {
+ exit_usage("unknown keyword");
+ }
+
+ switch (token->kw)
+ {
+ case STROKE_ADD:
+ if (argc < 11)
+ {
+ exit_usage("\"add\" needs more parameters...");
+ }
+ res = add_connection(argv[2],
+ argv[3], argv[4],
+ argv[5], argv[6],
+ argv[7], argv[8],
+ atoi(argv[9]), atoi(argv[10]));
+ break;
+ case STROKE_DELETE:
+ case STROKE_DEL:
+ if (argc < 3)
+ {
+ exit_usage("\"delete\" needs a connection name");
+ }
+ res = del_connection(argv[2]);
+ break;
+ case STROKE_UP:
+ if (argc < 3)
+ {
+ exit_usage("\"up\" needs a connection name");
+ }
+ res = initiate_connection(argv[2]);
+ break;
+ case STROKE_DOWN:
+ if (argc < 3)
+ {
+ exit_usage("\"down\" needs a connection name");
+ }
+ res = terminate_connection(argv[2]);
+ break;
+ case STROKE_ROUTE:
+ if (argc < 3)
+ {
+ exit_usage("\"route\" needs a connection name");
+ }
+ res = route_connection(argv[2]);
+ break;
+ case STROKE_UNROUTE:
+ if (argc < 3)
+ {
+ exit_usage("\"unroute\" needs a connection name");
+ }
+ res = unroute_connection(argv[2]);
+ break;
+ case STROKE_LOGLEVEL:
+ if (argc < 4)
+ {
+ exit_usage("\"logtype\" needs more parameters...");
+ }
+ res = set_loglevel(argv[2], atoi(argv[3]));
+ break;
+ case STROKE_STATUS:
+ case STROKE_STATUSALL:
+ res = show_status(token->kw, argc > 2 ? argv[2] : NULL);
+ break;
+ case STROKE_LIST_CERTS:
+ case STROKE_LIST_CACERTS:
+ case STROKE_LIST_OCSPCERTS:
+ case STROKE_LIST_CAINFOS:
+ case STROKE_LIST_CRLS:
+ case STROKE_LIST_OCSP:
+ case STROKE_LIST_ALL:
+ res = list(token->kw, argc > 2 && strcmp(argv[2], "--utc") == 0);
+ break;
+ case STROKE_REREAD_CACERTS:
+ case STROKE_REREAD_CRLS:
+ case STROKE_REREAD_ALL:
+ res = reread(token->kw);
+ break;
+ case STROKE_PURGE_OCSP:
+ res = purge(token->kw);
+ break;
+ default:
+ exit_usage(NULL);
+ }
+ return res;
+}
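Review bot: Every command builder (`add_connection`, `del_connection`, `initiate_connection` through `set_loglevel`) declares `stroke_msg_t msg;` on the stack without clearing it, and `send_stroke_msg` then writes `msg->length` bytes of it to the control socket, so struct padding and every union field the builder never assigns go out as leftover stack contents. In `add_connection` that includes `me.updown` and `other.updown`, which are never set; how charon interprets them is not visible in this hunk, but it receives indeterminate values. Starting each builder with `memset(&msg, 0, sizeof(msg));` closes this, and it needs `#include <string.h>`, which the file does not include directly although it already calls `strlen`, `strcpy`, `strcmp` and `strerror`. Separately, `rereadocspcerts` is in the keyword table but `main` has no `case STROKE_REREAD_OCSPCERTS:`, so that command falls through to the usage message.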
diff --git a/src/stroke/stroke.h b/src/stroke/stroke.h
new file mode 100644
index 000000000..2eefb36c4
--- /dev/null
+++ b/src/stroke/stroke.h
@@ -0,0 +1,226 @@
+/**
+ * @file stroke.h
+ *
+ * @brief Definition of stroke_msg_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef STROKE_H_
+#define STROKE_H_
+
+#include <sys/types.h>
+
+/**
+ * Socket which is used to communicate between charon and stroke
+ */
+#define STROKE_SOCKET "/var/run/charon.ctl"
+
+#define STROKE_BUF_LEN 2048
+
+typedef enum list_flag_t list_flag_t;
+
+/**
+ * Definition of the LIST flags, used for
+ * the various stroke list* commands.
+ */
+enum list_flag_t {
+ /** don't list anything */
+ LIST_NONE = 0x0000,
+ /** list all host/user certs */
+ LIST_CERTS = 0x0001,
+ /** list all ca certs */
+ LIST_CACERTS = 0x0002,
+ /** list all ocsp signer certs */
+ LIST_OCSPCERTS = 0x0004,
+ /** list all ca information records */
+ LIST_CAINFOS = 0x0008,
+ /** list all crls */
+ LIST_CRLS = 0x0010,
+ /** list all ocsp cache entries */
+ LIST_OCSP = 0x0020,
+ /** all list options */
+ LIST_ALL = 0x003F,
+};
+
+typedef enum reread_flag_t reread_flag_t;
+
+/**
+ * Definition of the REREAD flags, used for
+ * the various stroke reread* commands.
+ */
+enum reread_flag_t {
+ /** don't reread anything */
+ REREAD_NONE = 0x0000,
+ /** reread all ca certs */
+ REREAD_CACERTS = 0x0001,
+ /** reread all ocsp signer certs */
+ REREAD_OCSPCERTS = 0x0002,
+ /** reread all crls */
+ REREAD_CRLS = 0x0004,
+ /** all reread options */
+ REREAD_ALL = 0x0007,
+};
+
+typedef enum purge_flag_t purge_flag_t;
+
+/**
+ * Definition of the PURGE flags, currently used for
+ * the stroke purgeocsp command.
+ */
+enum purge_flag_t {
+ /** don't purge anything */
+ PURGE_NONE = 0x0000,
+ /** purge ocsp cache entries */
+ PURGE_OCSP = 0x0001,
+};
+
+typedef struct stroke_end_t stroke_end_t;
+
+/**
+ * definition of a peer in a stroke message
+ */
+struct stroke_end_t {
+ char *id;
+ char *cert;
+ char *ca;
+ char *updown;
+ char *address;
+ char *sourceip;
+ u_int8_t virtual_ip;
+ char *subnet;
+ int subnet_mask;
+ int sendcert;
+ int hostaccess;
+ int tohost;
+ u_int8_t protocol;
+ u_int16_t port;
+};
+
+typedef struct stroke_msg_t stroke_msg_t;
+
+/**
+ * @brief A stroke message sent over the unix socket.
+ */
+struct stroke_msg_t {
+ /* length of this message with all strings */
+ u_int16_t length;
+
+ /* type of the message */
+ enum {
+ /* initiate a connection */
+ STR_INITIATE,
+ /* install SPD entries for a policy */
+ STR_ROUTE,
+ /* uninstall SPD entries for a policy */
+ STR_UNROUTE,
+ /* add a connection */
+ STR_ADD_CONN,
+ /* delete a connection */
+ STR_DEL_CONN,
+ /* terminate connection */
+ STR_TERMINATE,
+ /* show connection status */
+ STR_STATUS,
+ /* show verbose connection status */
+ STR_STATUS_ALL,
+ /* add a ca information record */
+ STR_ADD_CA,
+ /* delete ca information record */
+ STR_DEL_CA,
+ /* set a log type to log/not log */
+ STR_LOGLEVEL,
+ /* list various objects */
+ STR_LIST,
+ /* reread various objects */
+ STR_REREAD,
+ /* purge various objects */
+ STR_PURGE
+ /* more to come */
+ } type;
+
+ /* verbosity of output returned from charon (-from -1=silent to 4=private)*/
+ int output_verbosity;
+
+ union {
+ /* data for STR_INITIATE, STR_ROUTE, STR_UP, STR_DOWN, ... */
+ struct {
+ char *name;
+ } initiate, route, unroute, terminate, status, del_conn, del_ca;
+
+ /* data for STR_ADD_CONN */
+ struct {
+ char *name;
+ int ikev2;
+ int auth_method;
+ int eap_type;
+ int mode;
+ struct {
+ char *ike;
+ char *esp;
+ } algorithms;
+ struct {
+ int reauth;
+ time_t ipsec_lifetime;
+ time_t ike_lifetime;
+ time_t margin;
+ unsigned long tries;
+ unsigned long fuzz;
+ } rekey;
+ struct {
+ time_t delay;
+ int action;
+ } dpd;
+ stroke_end_t me, other;
+ } add_conn;
+
+ /* data for STR_ADD_CA */
+ struct {
+ char *name;
+ char *cacert;
+ char *crluri;
+ char *crluri2;
+ char *ocspuri;
+ char *ocspuri2;
+ } add_ca;
+
+ /* data for STR_LOGLEVEL */
+ struct {
+ char *type;
+ int level;
+ } loglevel;
+
+ /* data for STR_LIST */
+ struct {
+ list_flag_t flags;
+ int utc;
+ } list;
+
+ /* data for STR_REREAD */
+ struct {
+ reread_flag_t flags;
+ } reread;
+
+ /* data for STR_PURGE */
+ struct {
+ purge_flag_t flags;
+ } purge;
+ };
+ char buffer[STROKE_BUF_LEN];
+};
+
+#endif /* STROKE_H_ */
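Review bot: The `char *` members of `stroke_msg_t` and `stroke_end_t` do not carry pointers on the wire, and nothing in this header says so: `push_string` in stroke.c stores the string's byte offset from the start of the message in them. Because the receiver must turn those values back into addresses, the struct comment should state the contract, e.g. `/* char* fields hold offsets from the start of the message into buffer; a receiver must check offset < length and NUL termination before use */`. The receiving code is not part of this hunk, so whether charon performs that check cannot be confirmed here. The comment on the first union member also names `STR_UP` and `STR_DOWN`, which are not enumerators of `type`.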
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
new file mode 100644
index 000000000..71d99ecad
--- /dev/null
+++ b/src/stroke/stroke_keywords.c
@@ -0,0 +1,179 @@
+/* C code produced by gperf version 3.0.1 */
+/* Command-line: /usr/bin/gperf -C -G -t */
+/* Computed positions: -k'2,7' */
+
+#if !((' ' == 32) && ('!' == 33) && ('"' == 34) && ('#' == 35) \
+ && ('%' == 37) && ('&' == 38) && ('\'' == 39) && ('(' == 40) \
+ && (')' == 41) && ('*' == 42) && ('+' == 43) && (',' == 44) \
+ && ('-' == 45) && ('.' == 46) && ('/' == 47) && ('0' == 48) \
+ && ('1' == 49) && ('2' == 50) && ('3' == 51) && ('4' == 52) \
+ && ('5' == 53) && ('6' == 54) && ('7' == 55) && ('8' == 56) \
+ && ('9' == 57) && (':' == 58) && (';' == 59) && ('<' == 60) \
+ && ('=' == 61) && ('>' == 62) && ('?' == 63) && ('A' == 65) \
+ && ('B' == 66) && ('C' == 67) && ('D' == 68) && ('E' == 69) \
+ && ('F' == 70) && ('G' == 71) && ('H' == 72) && ('I' == 73) \
+ && ('J' == 74) && ('K' == 75) && ('L' == 76) && ('M' == 77) \
+ && ('N' == 78) && ('O' == 79) && ('P' == 80) && ('Q' == 81) \
+ && ('R' == 82) && ('S' == 83) && ('T' == 84) && ('U' == 85) \
+ && ('V' == 86) && ('W' == 87) && ('X' == 88) && ('Y' == 89) \
+ && ('Z' == 90) && ('[' == 91) && ('\\' == 92) && (']' == 93) \
+ && ('^' == 94) && ('_' == 95) && ('a' == 97) && ('b' == 98) \
+ && ('c' == 99) && ('d' == 100) && ('e' == 101) && ('f' == 102) \
+ && ('g' == 103) && ('h' == 104) && ('i' == 105) && ('j' == 106) \
+ && ('k' == 107) && ('l' == 108) && ('m' == 109) && ('n' == 110) \
+ && ('o' == 111) && ('p' == 112) && ('q' == 113) && ('r' == 114) \
+ && ('s' == 115) && ('t' == 116) && ('u' == 117) && ('v' == 118) \
+ && ('w' == 119) && ('x' == 120) && ('y' == 121) && ('z' == 122) \
+ && ('{' == 123) && ('|' == 124) && ('}' == 125) && ('~' == 126))
+/* The character set is not based on ISO-646. */
+error "gperf generated tables don't work with this execution character set. Please report a bug to <bug-gnu-gperf@gnu.org>."
+#endif
+
+
+/* stroke keywords
+ * Copyright (C) 2006 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: keywords.txt,v 1.6 2006/04/17 10:30:27 as Exp $
+ */
+
+#include <string.h>
+
+#include "stroke_keywords.h"
+
+struct stroke_token {
+ char *name;
+ stroke_keyword_t kw;
+};
+
+#define TOTAL_KEYWORDS 22
+#define MIN_WORD_LENGTH 2
+#define MAX_WORD_LENGTH 15
+#define MIN_HASH_VALUE 2
+#define MAX_HASH_VALUE 33
+/* maximum key range = 32, duplicates = 0 */
+
+#ifdef __GNUC__
+__inline
+#else
+#ifdef __cplusplus
+inline
+#endif
+#endif
+static unsigned int
+hash (str, len)
+ register const char *str;
+ register unsigned int len;
+{
+ static const unsigned char asso_values[] =
+ {
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 0, 34, 0,
+ 30, 0, 34, 34, 34, 5, 34, 34, 15, 34,
+ 0, 0, 0, 34, 10, 5, 5, 10, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34, 34, 34, 34, 34,
+ 34, 34, 34, 34, 34, 34
+ };
+ register int hval = len;
+
+ switch (hval)
+ {
+ default:
+ hval += asso_values[(unsigned char)str[6]];
+ /*FALLTHROUGH*/
+ case 6:
+ case 5:
+ case 4:
+ case 3:
+ case 2:
+ hval += asso_values[(unsigned char)str[1]];
+ break;
+ }
+ return hval;
+}
+
+static const struct stroke_token wordlist[] =
+ {
+ {""}, {""},
+ {"up", STROKE_UP},
+ {"del", STROKE_DEL},
+ {"down", STROKE_DOWN},
+ {"route", STROKE_ROUTE},
+ {"delete", STROKE_DELETE},
+ {"unroute", STROKE_UNROUTE},
+ {"loglevel", STROKE_LOGLEVEL},
+ {"rereadall", STROKE_REREAD_ALL},
+ {"rereadcrls", STROKE_REREAD_CRLS},
+ {"status", STROKE_STATUS},
+ {""},
+ {"rereadcacerts", STROKE_REREAD_CACERTS},
+ {"statusall", STROKE_STATUSALL},
+ {"rereadocspcerts", STROKE_REREAD_OCSPCERTS},
+ {"listcacerts", STROKE_LIST_CACERTS},
+ {""},
+ {"listocsp", STROKE_LIST_OCSP},
+ {"purgeocsp", STROKE_PURGE_OCSP},
+ {""},
+ {"listcainfos", STROKE_LIST_CAINFOS},
+ {""},
+ {"listocspcerts", STROKE_LIST_OCSPCERTS},
+ {"listcerts", STROKE_LIST_CERTS},
+ {""}, {""},
+ {"listall", STROKE_LIST_ALL},
+ {"listcrls", STROKE_LIST_CRLS},
+ {""}, {""}, {""}, {""},
+ {"add", STROKE_ADD}
+ };
+
+#ifdef __GNUC__
+__inline
+#endif
+const struct stroke_token *
+in_word_set (str, len)
+ register const char *str;
+ register unsigned int len;
+{
+ if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH)
+ {
+ register int key = hash (str, len);
+
+ if (key <= MAX_HASH_VALUE && key >= 0)
+ {
+ register const char *s = wordlist[key].name;
+
+ if (*str == *s && !strcmp (str + 1, s + 1))
+ return &wordlist[key];
+ }
+ }
+ return 0;
+}
diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h
new file mode 100644
index 000000000..2e7d7c385
--- /dev/null
+++ b/src/stroke/stroke_keywords.h
@@ -0,0 +1,55 @@
+/* stroke keywords
+ * Copyright (C) 2006 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: keywords.h,v 1.8 2006/04/17 10:30:27 as Exp $
+ */
+
+#ifndef _STROKE_KEYWORDS_H_
+#define _STROKE_KEYWORDS_H_
+
+typedef enum {
+ STROKE_ADD,
+ STROKE_DEL,
+ STROKE_DELETE,
+ STROKE_ROUTE,
+ STROKE_UNROUTE,
+ STROKE_UP,
+ STROKE_DOWN,
+ STROKE_LOGLEVEL,
+ STROKE_STATUS,
+ STROKE_STATUSALL,
+ STROKE_LIST_CERTS,
+ STROKE_LIST_CACERTS,
+ STROKE_LIST_OCSPCERTS,
+ STROKE_LIST_CAINFOS,
+ STROKE_LIST_CRLS,
+ STROKE_LIST_OCSP,
+ STROKE_LIST_ALL,
+ STROKE_REREAD_CACERTS,
+ STROKE_REREAD_OCSPCERTS,
+ STROKE_REREAD_CRLS,
+ STROKE_REREAD_ALL,
+ STROKE_PURGE_OCSP
+} stroke_keyword_t;
+
+#define STROKE_LIST_FIRST STROKE_LIST_CERTS
+#define STROKE_REREAD_FIRST STROKE_REREAD_CACERTS
+#define STROKE_PURGE_FIRST STROKE_PURGE_OCSP
+
+typedef struct stroke_token stroke_token_t;
+
+extern const stroke_token_t* in_word_set(register const char *str, register unsigned int len);
+
+#endif /* _STROKE_KEYWORDS_H_ */
+
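Review bot: The order of the `STROKE_LIST_*`, `STROKE_REREAD_*` and `STROKE_PURGE_*` enumerators is load-bearing but undocumented. stroke.c indexes `list_flags[]`, `reread_flags[]` and `purge_flags[]` with `kw - STROKE_LIST_FIRST` and its siblings, so inserting or reordering an enumerator would silently select the wrong flag or read past the end of the table. A comment above the three `*_FIRST` macros would make the coupling visible, for example `/* enumerators in each group must stay contiguous and in the same order as the matching *_flags[] table in stroke.c */`.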
diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt
new file mode 100644
index 000000000..1e8afe19e
--- /dev/null
+++ b/src/stroke/stroke_keywords.txt
@@ -0,0 +1,50 @@
+%{
+/* stroke keywords
+ * Copyright (C) 2006 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: keywords.txt,v 1.6 2006/04/17 10:30:27 as Exp $
+ */
+
+#include <string.h>
+
+#include "stroke_keywords.h"
+
+%}
+struct stroke_token {
+ char *name;
+ stroke_keyword_t kw;
+};
+%%
+add, STROKE_ADD
+del, STROKE_DEL
+delete, STROKE_DELETE
+route, STROKE_ROUTE
+unroute, STROKE_UNROUTE
+up, STROKE_UP
+down, STROKE_DOWN
+loglevel, STROKE_LOGLEVEL
+status, STROKE_STATUS
+statusall, STROKE_STATUSALL
+listcerts, STROKE_LIST_CERTS
+listcacerts, STROKE_LIST_CACERTS
+listocspcerts, STROKE_LIST_OCSPCERTS
+listcainfos, STROKE_LIST_CAINFOS
+listcrls, STROKE_LIST_CRLS
+listocsp, STROKE_LIST_OCSP
+listall, STROKE_LIST_ALL
+rereadcacerts, STROKE_REREAD_CACERTS
+rereadocspcerts, STROKE_REREAD_OCSPCERTS
+rereadcrls, STROKE_REREAD_CRLS
+rereadall, STROKE_REREAD_ALL
+purgeocsp, STROKE_PURGE_OCSP
diff --git a/src/whack/Makefile.am b/src/whack/Makefile.am
new file mode 100644
index 000000000..985245026
--- /dev/null
+++ b/src/whack/Makefile.am
@@ -0,0 +1,8 @@
+ipsec_PROGRAMS = whack
+
+whack_SOURCES = whack.c whack.h
+INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto
+whack_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a
+
+AM_CFLAGS = -DDEBUG
+
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
new file mode 100644
index 000000000..d14f5e8ed
--- /dev/null
+++ b/src/whack/Makefile.in
@@ -0,0 +1,478 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = whack$(EXEEXT)
+subdir = src/whack
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(ipsecdir)"
+ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(ipsec_PROGRAMS)
+am_whack_OBJECTS = whack.$(OBJEXT)
+whack_OBJECTS = $(am_whack_OBJECTS)
+whack_DEPENDENCIES = $(top_builddir)/src/libfreeswan/libfreeswan.a
+DEFAULT_INCLUDES = -I. -I$(srcdir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+SOURCES = $(whack_SOURCES)
+DIST_SOURCES = $(whack_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+whack_SOURCES = whack.c whack.h
+INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/pluto
+whack_LDADD = $(top_builddir)/src/libfreeswan/libfreeswan.a
+AM_CFLAGS = -DDEBUG
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/whack/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/whack/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ if test -f $$p \
+ || test -f $$p1 \
+ ; then \
+ f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
+ else :; fi; \
+ done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
+ done
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f $$p $$f"; \
+ rm -f $$p $$f ; \
+ done
+whack$(EXEEXT): $(whack_OBJECTS) $(whack_DEPENDENCIES)
+ @rm -f whack$(EXEEXT)
+ $(LINK) $(whack_LDFLAGS) $(whack_OBJECTS) $(whack_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whack.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS)
+installdirs:
+ for dir in "$(DESTDIR)$(ipsecdir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-libtool distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS
+
+install-exec-am:
+
+install-info: install-info-am
+
+install-man:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-info-am uninstall-ipsecPROGRAMS
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-ipsecPROGRAMS clean-libtool ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-exec \
+ install-exec-am install-info install-info-am \
+ install-ipsecPROGRAMS install-man install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-info-am \
+ uninstall-ipsecPROGRAMS
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/programs/pluto/whack.c b/src/whack/whack.c
index a3b983771..92ebd01ef 100644
--- a/programs/pluto/whack.c
+++ b/src/whack/whack.c
@@ -846,6 +846,9 @@ main(int argc, char **argv)
msg.ike = NULL;
msg.pfsgroup = NULL;
+ /* if a connection is added via whack then we assume IKEv1 */
+ msg.ikev1 = TRUE;
+
msg.sa_ike_life_seconds = OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT;
msg.sa_ipsec_life_seconds = PLUTO_SA_LIFE_DURATION_DEFAULT;
msg.sa_rekey_margin = SA_REPLACEMENT_MARGIN_DEFAULT;
@@ -1334,7 +1337,6 @@ main(int argc, char **argv)
if (end_seen & LELEM(END_CLIENTWITHIN - END_FIRST))
diag("--client conflicts with --clientwithin");
tunnel_af_used_by = long_opts[long_index].name;
-#ifdef VIRTUAL_IP
if ((strlen(optarg) >= 6 && strncmp(optarg,"vhost:",6) == 0)
|| (strlen(optarg) >= 5 && strncmp(optarg,"vnet:",5) == 0))
{
@@ -1345,10 +1347,6 @@ main(int argc, char **argv)
diagq(ttosubnet(optarg, 0, msg.tunnel_addr_family, &msg.right.client), optarg);
msg.right.has_client = TRUE;
}
-#else
- diagq(ttosubnet(optarg, 0, msg.tunnel_addr_family, &msg.right.client), optarg);
- msg.right.has_client = TRUE;
-#endif
msg.policy |= POLICY_TUNNEL; /* client => tunnel */
continue;
@@ -1744,28 +1742,24 @@ main(int argc, char **argv)
|| !pack_str(&msg.left.ca) /* string 4 */
|| !pack_str(&msg.left.groups) /* string 5 */
|| !pack_str(&msg.left.updown) /* string 6 */
-#ifdef VIRTUAL_IP
- || !pack_str(&msg.left.virt)
-#endif
- || !pack_str(&msg.right.id) /* string 7 */
- || !pack_str(&msg.right.cert) /* string 8 */
- || !pack_str(&msg.right.ca) /* string 9 */
- || !pack_str(&msg.right.groups) /* string 10 */
- || !pack_str(&msg.right.updown) /* string 11 */
-#ifdef VIRTUAL_IP
- || !pack_str(&msg.right.virt)
-#endif
- || !pack_str(&msg.keyid) /* string 12 */
- || !pack_str(&msg.myid) /* string 13 */
- || !pack_str(&msg.cacert) /* string 14 */
- || !pack_str(&msg.ldaphost) /* string 15 */
- || !pack_str(&msg.ldapbase) /* string 16 */
- || !pack_str(&msg.crluri) /* string 17 */
- || !pack_str(&msg.crluri2) /* string 18 */
- || !pack_str(&msg.ocspuri) /* string 19 */
- || !pack_str(&msg.ike) /* string 20 */
- || !pack_str(&msg.esp) /* string 21 */
- || !pack_str(&msg.sc_data) /* string 22 */
+ || !pack_str(&msg.left.virt) /* string 7 */
+ || !pack_str(&msg.right.id) /* string 8 */
+ || !pack_str(&msg.right.cert) /* string 9 */
+ || !pack_str(&msg.right.ca) /* string 10 */
+ || !pack_str(&msg.right.groups) /* string 11 */
+ || !pack_str(&msg.right.updown) /* string 12 */
+ || !pack_str(&msg.right.virt) /* string 13 */
+ || !pack_str(&msg.keyid) /* string 14 */
+ || !pack_str(&msg.myid) /* string 15 */
+ || !pack_str(&msg.cacert) /* string 16 */
+ || !pack_str(&msg.ldaphost) /* string 17 */
+ || !pack_str(&msg.ldapbase) /* string 18 */
+ || !pack_str(&msg.crluri) /* string 19 */
+ || !pack_str(&msg.crluri2) /* string 20 */
+ || !pack_str(&msg.ocspuri) /* string 21 */
+ || !pack_str(&msg.ike) /* string 22 */
+ || !pack_str(&msg.esp) /* string 23 */
+ || !pack_str(&msg.sc_data) /* string 24 */
|| str_roof - next_str < (ptrdiff_t)msg.keyval.len) /* chunk (sort of string 5) */
diag("too many bytes of strings to fit in message to pluto");
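Review bot: The renumbered comments now run to `/* string 24 */`, but the trailing comment on the `msg.keyval.len` check still reads `/* chunk (sort of string 5) */`; it was already stale and should now read `/* chunk (sort of string 25) */`. Because `left.virt` and `right.virt` are now packed unconditionally, the receiving side has to unpack the same 24 strings in the same order. That code is not in this hunk, so it is worth confirming that the unpack list was updated in step. The condition belongs to `main`, which starts and ends outside the hunk.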
diff --git a/programs/pluto/whack.h b/src/whack/whack.h
index 755918a2c..49ef67995 100644
--- a/programs/pluto/whack.h
+++ b/src/whack/whack.h
@@ -11,7 +11,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: whack.h,v 1.17 2006/10/19 15:18:43 as Exp $
+ * RCSID $Id: whack.h,v 1.16 2006/04/17 10:39:14 as Exp $
*/
#ifndef _WHACK_H
@@ -19,7 +19,7 @@
#include <freeswan.h>
-#include "smartcard.h"
+#include <smartcard.h>
/* Since the message remains on one host, native representation is used.
* Think of this as horizontal microcode: all selected operations are
@@ -70,9 +70,7 @@ struct whack_end {
u_int16_t host_port; /* host order */
u_int16_t port; /* host order */
u_int8_t protocol;
-#ifdef VIRTUAL_IP
char *virt;
-#endif
};
typedef struct whack_message whack_message_t;
@@ -106,6 +104,7 @@ struct whack_message {
bool whack_connection;
bool whack_async;
+ bool ikev1;
lset_t policy;
time_t sa_ike_life_seconds;
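Review bot: Adding `bool ikev1;` here, together with making `char *virt;` unconditional in `struct whack_end`, changes the in-memory layout of the message, and the header's own comment says the message is passed in native representation. None of the visible whack.h hunks changes a magic or version value for the message, so a whack binary and a daemon built from different header revisions could accept each other's messages while disagreeing on field offsets. If the header's magic constant is not bumped elsewhere in this commit, it should be. The new field also deserves a comment like `/* TRUE: connection is negotiated with IKEv1 */`. The struct continues outside the hunk.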
diff --git a/testing/INSTALL b/testing/INSTALL
index 7f2fb70cd..e11b7302e 100644
--- a/testing/INSTALL
+++ b/testing/INSTALL
@@ -53,7 +53,7 @@ are required for the strongSwan testing environment:
* A vanilla Linux kernel on which the UML kernel will be based on.
We recommend the use of
- http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.20.1.tar.bz2
+ http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.20.3.tar.bz2
* Starting with Linux kernel 2.6.9 no patch must be applied any more in order
to make the vanilla kernel UML-capable. For older kernels you'll find
@@ -71,7 +71,7 @@ are required for the strongSwan testing environment:
* The latest strongSwan distribution
- http://download.strongswan.org/strongswan-2.8.3.tar.gz
+ http://download.strongswan.org/strongswan-4.1.0.tar.gz
3. Creating the environment
@@ -146,5 +146,5 @@ README document.
-----------------------------------------------------------------------------
-This file is RCSID $Id: INSTALL,v 1.46 2007/02/21 22:17:52 as Exp $
+This file is RCSID $Id: INSTALL,v 1.39 2006/04/24 16:58:03 as Exp $
diff --git a/testing/do-tests b/testing/do-tests
index 6119d37d4..fd11a6324 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -14,7 +14,7 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
-# RCSID $Id: do-tests,v 1.21 2006/10/19 21:12:43 as Exp $
+# RCSID $Id: do-tests,v 1.20 2006/02/08 21:27:59 as Exp $
DIR=`dirname $0`
@@ -45,6 +45,7 @@ TESTDATE=`date +%Y%m%d-%H%M`
TODAYDIR=$TESTRESULTSDIR/$TESTDATE
mkdir $TODAYDIR
TESTRESULTSHTML=$TODAYDIR/index.html
+ALLHTML=$TODAYDIR/all.html
DEFAULTTESTSDIR=$UMLTESTDIR/testing/tests
testnumber="0"
@@ -58,9 +59,6 @@ passed_cnt="0"
TESTSDIR=$BUILDDIR/tests
[ -d $TESTSDIR ] || mkdir $TESTSDIR
-rm -rf $TESTSDIR/*
-cp -rfp $DEFAULTTESTSDIR/* $TESTSDIR
-
##############################################################################
# assign IP for each host to hostname
@@ -68,44 +66,38 @@ cp -rfp $DEFAULTTESTSDIR/* $TESTSDIR
for host in $STRONGSWANHOSTS
do
- eval ip_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+ eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+ eval ipv6_${host}="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
case $host in
moon)
- eval ip1_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
- searchandreplace PH_IP_MOON $ip_moon $TESTSDIR
- searchandreplace PH_IP1_MOON $ip1_moon $TESTSDIR
+ eval ipv4_moon1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+ eval ipv6_moon1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
;;
sun)
- eval ip1_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
- searchandreplace PH_IP_SUN $ip_sun $TESTSDIR
- searchandreplace PH_IP1_SUN $ip1_sun $TESTSDIR
+ eval ipv4_sun1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+ eval ipv6_sun1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
;;
alice)
- searchandreplace PH_IP_ALICE $ip_alice $TESTSDIR
;;
venus)
- searchandreplace PH_IP_VENUS $ip_venus $TESTSDIR
;;
bob)
- searchandreplace PH_IP_BOB $ip_bob $TESTSDIR
;;
carol)
- eval ip1_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
- searchandreplace PH_IP_CAROL $ip_carol $TESTSDIR
- searchandreplace PH_IP1_CAROL $ip1_carol $TESTSDIR
- ;;
+ eval ipv4_carol1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+ eval ipv6_carol1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+ ;;
dave)
- eval ip1_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
- searchandreplace PH_IP_DAVE $ip_dave $TESTSDIR
- searchandreplace PH_IP1_DAVE $ip1_dave $TESTSDIR
+ eval ipv4_dave1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+ eval ipv6_dave1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
;;
winnetou)
- searchandreplace PH_IP_WINNETOU $ip_winnetou $TESTSDIR
;;
esac
done
+
##############################################################################
# create header for the results html file
#
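Review bot: The added `eval ipv4_moon1=...`, `eval ipv6_sun1=...` and similar lines have no variable part in the name any more, so `eval` serves no purpose there and only makes the shell parse the pipeline's output a second time. A plain assignment such as `ipv4_moon1="$(echo "$HOSTNAMEIPV4" | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }')"` keeps whatever is in HOSTNAMEIPV4 and HOSTNAMEIPV6 as data. The arms for alice, venus, bob and winnetou are now empty and could be dropped. A comment such as `# only moon, sun, carol and dave have a second address` would then explain the remaining arms.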
@@ -131,6 +123,21 @@ cat > $TESTRESULTSHTML <<@EOF
<thead align="left"><th>Number</th><th>Test</th><th>Result</th></thead>
@EOF
+cat > $ALLHTML <<@EOF
+<html>
+<head>
+ <title>strongSwan UML Testing</title>
+</head>
+<body>
+ <h2>strongSwan UML Testing</h2>
+ <table border="0" cellspacing="2">
+ <tr><td><b>Host:</b></td><td>`uname -a`</td></tr>
+ <tr><td><b>UML kernel: &nbsp;</b></td><td>$KERNEL_VERSION</td></tr>
+ <tr><td><b>IPsec:</b></td><td>$IPSEC_VERSION</td></tr>
+ <tr><td><b>Date:</b></td><td>$TESTDATE</td></tr>
+ <tr><td colspan="2">&nbsp;</td></tr>
+@EOF
+
cecho "UML kernel: $KERNEL_VERSION"
cecho "IPsec: $IPSEC_VERSION"
cecho "Date: $TESTDATE"
@@ -150,143 +157,217 @@ then
TESTS=$SELECTEDTESTS
else
# set internal field seperator
- TESTS="`ls $TESTSDIR`"
+ TESTS="`ls $DEFAULTTESTSDIR`"
fi
-for testname in $TESTS
+for SUBDIR in $TESTS
do
- let "testnumber += 1"
- cecho-n " $testnumber $testname.."
-
- if [ ! -d $TESTSDIR/${testname} ]
+ SUBTESTS="`basename $SUBDIR`"
+
+ if [ $SUBTESTS = $SUBDIR ]
then
- cecho "is missing..skipped"
- continue
+ SUBTESTS="`ls $DEFAULTTESTSDIR/$SUBDIR`"
+ else
+ SUBDIR="`dirname $SUBDIR`"
fi
- [ -f $TESTSDIR/${testname}/description.txt ] || die "!! File 'description.txt' is missing"
- [ -f $TESTSDIR/${testname}/test.conf ] || die "!! File 'test.conf' is missing"
- [ -f $TESTSDIR/${testname}/pretest.dat ] || die "!! File 'pretest.dat' is missing"
- [ -f $TESTSDIR/${testname}/posttest.dat ] || die "!! File 'posttest.dat' is missing"
- [ -f $TESTSDIR/${testname}/evaltest.dat ] || die "!! File 'evaltest.dat' is missing"
+ if [ ! -d $TODAYDIR/$SUBDIR ]
+ then
+ mkdir $TODAYDIR/$SUBDIR
+ echo "<tr><td>&nbsp;</td><td><a href=\"$SUBDIR\">$SUBDIR</a></td>" >> $ALLHTML
+ fi
- TESTRESULTDIR=$TODAYDIR/$testname
- mkdir $TESTRESULTDIR
- CONSOLE_LOG=$TESTRESULTDIR/console.log
- touch $CONSOLE_LOG
+ for name in $SUBTESTS
+ do
+ let "testnumber += 1"
+ testname=$SUBDIR/$name
+ cecho-n " $testnumber $testname.."
+
+ if [ ! -d $DEFAULTTESTSDIR/${testname} ]
+ then
+ cecho "is missing..skipped"
+ continue
+ fi
+ [ -f $DEFAULTTESTSDIR/${testname}/description.txt ] || die "!! File 'description.txt' is missing"
+ [ -f $DEFAULTTESTSDIR/${testname}/test.conf ] || die "!! File 'test.conf' is missing"
+ [ -f $DEFAULTTESTSDIR/${testname}/pretest.dat ] || die "!! File 'pretest.dat' is missing"
+ [ -f $DEFAULTTESTSDIR/${testname}/posttest.dat ] || die "!! File 'posttest.dat' is missing"
+ [ -f $DEFAULTTESTSDIR/${testname}/evaltest.dat ] || die "!! File 'evaltest.dat' is missing"
- ##########################################################################
- # copy test specific configurations to uml hosts and clear auth.log files
- #
+ TESTRESULTDIR=$TODAYDIR/$testname
+ mkdir -p $TESTRESULTDIR
+ CONSOLE_LOG=$TESTRESULTDIR/console.log
+ touch $CONSOLE_LOG
- $DIR/scripts/load-testconfig $testname
- source $TESTSDIR/$testname/test.conf
+ TESTDIR=$TESTSDIR/${testname}
+ rm -rf $TESTDIR
+ mkdir -p $TESTDIR
+ cp -rfp $DEFAULTTESTSDIR/${testname}/* $TESTDIR
-
- ##########################################################################
- # run tcpdump in the background
- #
- if [ "$TCPDUMPHOSTS" != "" ]
- then
- echo -e "TCPDUMP\n" >> $CONSOLE_LOG 2>&1
-
- for host_iface in $TCPDUMPHOSTS
- do
- host=`echo $host_iface | awk -F ":" '{print $1}'`
- iface=`echo $host_iface | awk -F ":" '{if ($2 != "") { print $2 } else { printf("eth0") }}'`
- tcpdump_cmd="tcpdump -i $iface not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &"
- echo "${host}# $tcpdump_cmd" >> $CONSOLE_LOG
- ssh root@`eval echo \\\$ip_$host '$tcpdump_cmd'`
- eval TDUP_${host}="true"
- done
- fi
+ ##############################################################################
+ # replace IP wildcards with actual IPv4 and IPv6 addresses
+ #
- ##########################################################################
- # execute pre-test commands
- #
+ for host in $STRONGSWANHOSTS
+ do
+ case $host in
+ moon)
+ searchandreplace PH_IP_MOON1 $ipv4_moon1 $TESTDIR
+ searchandreplace PH_IP_MOON $ipv4_moon $TESTDIR
+ searchandreplace PH_IP6_MOON1 $ipv6_moon1 $TESTDIR
+ searchandreplace PH_IP6_MOON $ipv6_moon $TESTDIR
+ ;;
+ sun)
+ searchandreplace PH_IP_SUN1 $ipv4_sun1 $TESTDIR
+ searchandreplace PH_IP_SUN $ipv4_sun $TESTDIR
+ searchandreplace PH_IP6_SUN1 $ipv6_sun1 $TESTDIR
+ searchandreplace PH_IP6_SUN $ipv6_sun $TESTDIR
+ ;;
+ alice)
+ searchandreplace PH_IP_ALICE $ipv4_alice $TESTDIR
+ searchandreplace PH_IP6_ALICE $ipv6_alice $TESTDIR
+ ;;
+ venus)
+ searchandreplace PH_IP_VENUS $ipv4_venus $TESTDIR
+ searchandreplace PH_IP6_VENUS $ipv6_venus $TESTDIR
+ ;;
+ bob)
+ searchandreplace PH_IP_BOB $ipv4_bob $TESTDIR
+ searchandreplace PH_IPV6_BOB $ipv6_bob $TESTDIR
+ ;;
+ carol)
+ searchandreplace PH_IP_CAROL1 $ipv4_carol1 $TESTDIR
+ searchandreplace PH_IP_CAROL $ipv4_carol $TESTDIR
+ searchandreplace PH_IP6_CAROL1 $ipv6_carol1 $TESTDIR
+ searchandreplace PH_IP6_CAROL $ipv6_carol $TESTDIR
+ ;;
+ dave)
+ searchandreplace PH_IP_DAVE1 $ipv4_dave1 $TESTDIR
+ searchandreplace PH_IP_DAVE $ipv4_dave $TESTDIR
+ searchandreplace PH_IP6_DAVE1 $ipv6_dave1 $TESTDIR
+ searchandreplace PH_IP6_DAVE $ipv6_dave $TESTDIR
+ ;;
+ winnetou)
+ searchandreplace PH_IP_WINNETOU $ipv4_winnetou $TESTDIR
+ searchandreplace PH_IP6_WINNETOU $ipv6_winnetou $TESTDIR
+ ;;
+ esac
+ done
- cecho-n "pre.."
- echo -e "\nPRE-TEST\n" >> $CONSOLE_LOG 2>&1
- eval `awk -F "::" '{
- if ($2 != "")
- {
- printf("echo \"%s# %s\"; ", $1, $2)
- printf("ssh root@\044ip_%s \"%s\"; ", $1, $2)
- printf("echo;\n")
- }
- }' $TESTSDIR/${testname}/pretest.dat` >> $CONSOLE_LOG 2>&1
+ ##########################################################################
+ # copy test specific configurations to uml hosts and clear auth.log files
+ #
+ $DIR/scripts/load-testconfig $testname
+ source $TESTDIR/test.conf
- ##########################################################################
- # stop tcpdump
- #
- function stop_tcpdump {
- echo "${1}# killall tcpdump" >> $CONSOLE_LOG
- eval ssh root@\$ip_${1} killall tcpdump
- eval TDUP_${1}="false"
- echo ""
- }
+ ##########################################################################
+ # run tcpdump in the background
+ #
+ if [ "$TCPDUMPHOSTS" != "" ]
+ then
+ echo -e "TCPDUMP\n" >> $CONSOLE_LOG 2>&1
+
+ for host_iface in $TCPDUMPHOSTS
+ do
+ host=`echo $host_iface | awk -F ":" '{print $1}'`
+ iface=`echo $host_iface | awk -F ":" '{if ($2 != "") { print $2 } else { printf("eth0") }}'`
+ tcpdump_cmd="tcpdump -i $iface not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &"
+ echo "${host}# $tcpdump_cmd" >> $CONSOLE_LOG
+ ssh root@`eval echo \\\$ipv4_$host '$tcpdump_cmd'`
+ eval TDUP_${host}="true"
+ done
+ fi
- ##########################################################################
- # get and evaluate test results
- #
- cecho-n "test.."
- echo -e "\nTEST\n" >> $CONSOLE_LOG 2>&1
+ ##########################################################################
+ # execute pre-test commands
+ #
- STATUS="passed"
+ cecho-n "pre.."
+ echo -e "\nPRE-TEST\n" >> $CONSOLE_LOG 2>&1
- eval `awk -F "::" '{
- host=$1
- command=$2
- pattern=$3
- hit=$4
- if (command != "")
- {
- if (command == "tcpdump")
- {
- printf("if [ \044TDUP_%s == \"true\" ]; then stop_tcpdump %s; fi; \n", host, host)
- printf("echo \"%s# cat /tmp/tcpdump.log | grep \047%s\047 [%s]\"; ", host, pattern, hit)
- printf("ssh root@\044ip_%s cat /tmp/tcpdump.log | grep \"%s\"; ", host, pattern)
- }
- else
+ eval `awk -F "::" '{
+ if ($2 != "")
{
- printf("echo \"%s# %s | grep \047%s\047 [%s]\"; ", host, command, pattern, hit)
- printf("ssh root@\044ip_%s %s | grep \"%s\"; ", host, command, pattern)
+ printf("echo \"%s# %s\"; ", $1, $2)
+ printf("ssh root@\044ipv4_%s \"%s\"; ", $1, $2)
+ printf("echo;\n")
}
- printf("cmd_exit=\044?; ")
- printf("echo; ")
- printf("if [ \044cmd_exit -eq 0 -a \"%s\" = \"NO\" ] ", hit)
- printf("|| [ \044cmd_exit -ne 0 -a \"%s\" = \"YES\" ] ", hit)
- printf("; then STATUS=\"failed\"; fi; \n")
+ }' $TESTDIR/pretest.dat` >> $CONSOLE_LOG 2>&1
+
+
+ ##########################################################################
+ # stop tcpdump
+ #
+ function stop_tcpdump {
+ echo "${1}# killall tcpdump" >> $CONSOLE_LOG
+ eval ssh root@\$ipv4_${1} killall tcpdump
+ eval TDUP_${1}="false"
+ echo ""
}
- }' $TESTSDIR/${testname}/evaltest.dat` >> $CONSOLE_LOG 2>&1
- ##########################################################################
- # set counters
- #
+ ##########################################################################
+ # get and evaluate test results
+ #
- if [ $STATUS = "failed" ]
- then
- let "failed_cnt += 1"
- else
- let "passed_cnt += 1"
- fi
+ cecho-n "test.."
+ echo -e "\nTEST\n" >> $CONSOLE_LOG 2>&1
+ STATUS="passed"
+
+ eval `awk -F "::" '{
+ host=$1
+ command=$2
+ pattern=$3
+ hit=$4
+ if (command != "")
+ {
+ if (command == "tcpdump")
+ {
+ printf("if [ \044TDUP_%s == \"true\" ]; then stop_tcpdump %s; fi; \n", host, host)
+ printf("echo \"%s# cat /tmp/tcpdump.log | grep \047%s\047 [%s]\"; ", host, pattern, hit)
+ printf("ssh root@\044ipv4_%s cat /tmp/tcpdump.log | grep \"%s\"; ", host, pattern)
+ }
+ else
+ {
+ printf("echo \"%s# %s | grep \047%s\047 [%s]\"; ", host, command, pattern, hit)
+ printf("ssh root@\044ipv4_%s %s | grep \"%s\"; ", host, command, pattern)
+ }
+ printf("cmd_exit=\044?; ")
+ printf("echo; ")
+ printf("if [ \044cmd_exit -eq 0 -a \"%s\" = \"NO\" ] ", hit)
+ printf("|| [ \044cmd_exit -ne 0 -a \"%s\" = \"YES\" ] ", hit)
+ printf("; then STATUS=\"failed\"; fi; \n")
+ }
+ }' $TESTDIR/evaltest.dat` >> $CONSOLE_LOG 2>&1
+
+
+ ##########################################################################
+ # set counters
+ #
+
+ if [ $STATUS = "failed" ]
+ then
+ let "failed_cnt += 1"
+ else
+ let "passed_cnt += 1"
+ fi
- ##########################################################################
- # log statusall and listall output
- # get copies of ipsec.conf, ipsec.secrets
- # create index.html for the given test case
- cat > $TESTRESULTDIR/index.html <<@EOF
+ ##########################################################################
+ # log statusall and listall output
+ # get copies of ipsec.conf, ipsec.secrets
+ # create index.html for the given test case
+
+ cat > $TESTRESULTDIR/index.html <<@EOF
<html>
<head>
<title>Test $testname</title>
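Review bot: In the `bob)` arm the IPv6 placeholder is spelled `PH_IPV6_BOB`, while every other host uses the `PH_IP6_` prefix (`PH_IP6_ALICE`, `PH_IP6_MOON`, and so on). Unless the test files really use that spelling, bob's IPv6 placeholder will never be substituted, and the line should read `searchandreplace PH_IP6_BOB $ipv6_bob $TESTDIR`. The `$ipv6_*` arguments are also unquoted, so a host with no entry in HOSTNAMEIPV6 makes the argument vanish and `$TESTDIR` shifts into the replacement position. Quoting them (`"$ipv6_bob" "$TESTDIR"`) avoids that, and the same quoting is worth applying to `rm -rf $TESTDIR`. The `for SUBDIR` loop and the here-document at the end of the hunk continue outside it.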
@@ -298,46 +379,62 @@ do
<h3>Description</h3>
@EOF
- cat $TESTSDIR/${testname}/description.txt >> $TESTRESULTDIR/index.html
+ cat $TESTDIR/description.txt >> $TESTRESULTDIR/index.html
- cat >> $TESTRESULTDIR/index.html <<@EOF
+ cat >> $TESTRESULTDIR/index.html <<@EOF
<ul>
<li><a href="console.log">console.log</a></li>
</ul>
- <img src="../images/$DIAGRAM" alt="$UMLHOSTS">
+ <img src="../../images/$DIAGRAM" alt="$UMLHOSTS">
@EOF
-
- for host in $IPSECHOSTS
- do
- eval HOSTLOGIN=root@\$ip_${host}
-
- for command in statusall listall
- do
- ssh $HOSTLOGIN ipsec $command \
- > $TESTRESULTDIR/${host}.$command 2>/dev/null
- done
-
- for file in ipsec.conf ipsec.secrets
+ for host in $IPSECHOSTS
do
- scp $HOSTLOGIN:/etc/$file \
- $TESTRESULTDIR/${host}.$file > /dev/null 2>&1
- done
-
- cat >> $TESTRESULTDIR/index.html <<@EOF
+ eval HOSTLOGIN=root@\$ipv4_${host}
+
+ for command in statusall listall
+ do
+ ssh $HOSTLOGIN ipsec $command \
+ > $TESTRESULTDIR/${host}.$command 2>/dev/null
+ done
+
+ for file in ipsec.conf ipsec.secrets
+ do
+ scp $HOSTLOGIN:/etc/$file \
+ $TESTRESULTDIR/${host}.$file > /dev/null 2>&1
+ done
+
+ ssh $HOSTLOGIN ip route list \
+ > $TESTRESULTDIR/${host}.iproute 2>/dev/null
+ ssh $HOSTLOGIN iptables -v -n -L \
+ > $TESTRESULTDIR/${host}.iptables 2>/dev/null
+ cat >> $TESTRESULTDIR/index.html <<@EOF
<h3>$host</h3>
- <ul>
- <li><a href="$host.ipsec.conf">ipsec.conf</a></li>
- <li><a href="$host.ipsec.secrets">ipsec.secrets</a></li>
- <li><a href="$host.statusall">ipsec statusall</a></li>
- <li><a href="$host.listall">ipsec listall</a></li>
- <li><a href="$host.auth.log">auth.log</a></li>
- </ul>
+ <table border="0" cellspacing="0" width="400">
+ <tr>
+ <td>
+ <ul>
+ <li><a href="$host.ipsec.conf">ipsec.conf</a></li>
+ <li><a href="$host.ipsec.secrets">ipsec.secrets</a></li>
+ <li><a href="$host.statusall">ipsec statusall</a></li>
+ <li><a href="$host.listall">ipsec listall</a></li>
+ </ul>
+ </td>
+ <td>
+ <ul>
+ <li><a href="$host.auth.log">auth.log</a></li>
+ <li><a href="$host.daemon.log">daemon.log</a></li>
+ <li><a href="$host.iproute">ip route list</a></li>
+ <li><a href="$host.iptables">iptables -L</a></li>
+ </ul>
+ </td>
+ </tr>
+ </table>
@EOF
- done
+ done
- cat >> $TESTRESULTDIR/index.html <<@EOF
+ cat >> $TESTRESULTDIR/index.html <<@EOF
</td></tr>
<tr><td align="right">
<b><a href="../index.html">Back</a></b>
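Review bot: The `for file in ipsec.conf ipsec.secrets` loop copies every host's secrets file into `$TESTRESULTDIR` and the generated index.html links to it, while the end of the script copies `$TODAYDIR` into winnetou's htdocs, so (assuming the result directory lives under `$TODAYDIR`) those files end up served over plain HTTP. For throwaway test credentials that may be intended, but nothing in the script says so; I would add a comment above the `scp`, such as `# test-only secrets: results are published on winnetou, never run this against hosts holding real keys`. The new `ip route list` and `iptables -v -n -L` captures also send stderr to /dev/null and ignore the ssh exit status, so an unreachable host produces an empty file that is still linked from the page. The enclosing `do` loop starts outside this hunk.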
@@ -348,70 +445,88 @@ do
@EOF
- ##########################################################################
- # execute post-test commands
- #
+ ##########################################################################
+ # execute post-test commands
+ #
- cecho-n "post.."
- echo -e "\nPOST-TEST\n" >> $CONSOLE_LOG 2>&1
+ cecho-n "post.."
+ echo -e "\nPOST-TEST\n" >> $CONSOLE_LOG 2>&1
- eval `awk -F "::" '{
- if ($2 != "")
- {
- printf("echo \"%s# %s\"; ", $1, $2)
- printf("ssh root@\044ip_%s \"%s\"; ", $1, $2)
- printf("echo;\n")
- }
- }' $TESTSDIR/${testname}/posttest.dat` >> $CONSOLE_LOG 2>&1
+ eval `awk -F "::" '{
+ if ($2 != "")
+ {
+ printf("echo \"%s# %s\"; ", $1, $2)
+ printf("ssh root@\044ipv4_%s \"%s\"; ", $1, $2)
+ printf("echo;\n")
+ }
+ }' $TESTDIR/posttest.dat` >> $CONSOLE_LOG 2>&1
- ##########################################################################
- # get a copy of /var/log/auth.log
- #
+ ##########################################################################
+ # get a copy of /var/log/auth.log
+ #
- for host in $IPSECHOSTS
- do
- eval HOSTLOGIN=root@\$ip_${host}
- ssh $HOSTLOGIN grep pluto /var/log/auth.log \
- > $TESTRESULTDIR/${host}.auth.log
- done
+ for host in $IPSECHOSTS
+ do
+ eval HOSTLOGIN=root@\$ipv4_${host}
+ ssh $HOSTLOGIN grep pluto /var/log/auth.log \
+ > $TESTRESULTDIR/${host}.auth.log
+ echo >> $TESTRESULTDIR/${host}.auth.log
+ ssh $HOSTLOGIN grep charon /var/log/auth.log \
+ >> $TESTRESULTDIR/${host}.auth.log
+ done
- ##########################################################################
- # stop tcpdump if necessary
- #
+ ##########################################################################
+ # get a copy of /var/log/daemon.log
+ #
- for host in $TCPDUMPHOSTS
- do
- if [ "`eval echo \\\$TDUP_${host}`" = "true" ]
- then
- echo "${host}# killall tcpdump" >> $CONSOLE_LOG
- eval ssh root@\$ip_$host killall tcpdump
- eval TDUP_${host}="false"
- fi
- done
+ for host in $IPSECHOSTS
+ do
+ eval HOSTLOGIN=root@\$ipv4_${host}
+ ssh $HOSTLOGIN grep pluto /var/log/daemon.log \
+ > $TESTRESULTDIR/${host}.daemon.log
+ echo >> $TESTRESULTDIR/${host}.daemon.log
+ ssh $HOSTLOGIN grep charon /var/log/daemon.log \
+ >> $TESTRESULTDIR/${host}.daemon.log
+ done
- ##########################################################################
- # copy default host config back if necessary
- #
+ ##########################################################################
+ # stop tcpdump if necessary
+ #
- $DIR/scripts/restore-defaults $testname
+ for host in $TCPDUMPHOSTS
+ do
+ if [ "`eval echo \\\$TDUP_${host}`" = "true" ]
+ then
+ echo "${host}# killall tcpdump" >> $CONSOLE_LOG
+ eval ssh root@\$ipv4_$host killall tcpdump
+ eval TDUP_${host}="false"
+ fi
+ done
- ##########################################################################
- # write test status to html file
- #
+ ##########################################################################
+ # copy default host config back if necessary
+ #
- cecho "$STATUS"
- if [ $STATUS = "passed" ]
- then
- COLOR="green"
- else
- COLOR="red"
- fi
+ $DIR/scripts/restore-defaults $testname
- cat >> $TESTRESULTSHTML << @EOF
+
+ ##########################################################################
+ # write test status to html file
+ #
+
+ cecho "$STATUS"
+ if [ $STATUS = "passed" ]
+ then
+ COLOR="green"
+ else
+ COLOR="red"
+ fi
+
+ cat >> $TESTRESULTSHTML << @EOF
<tr>
<td>$testnumber</td>
<td><a href="$testname/">$testname</a></td>
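Review bot: The post-test block pipes `posttest.dat` through awk into `eval` and wraps the command field in double quotes with `printf("ssh root@\044ipv4_%s \"%s\"; ", $1, $2)`, so any `"`, `$` or backtick in that field is interpreted by the local shell before ssh runs the result as root on the target host. The .dat files are therefore code and should be documented as such, e.g. `# posttest.dat is eval'ed locally and executed as root on the host: review changes to it like a script`. If no test relies on local expansion, emitting the command in single quotes with embedded quotes escaped in awk would make the quoting less fragile. The evaltest.dat block earlier in the file follows the same pattern. Separately, `[ $STATUS = "passed" ]` should quote `"$STATUS"` so an empty value cannot break the test; the enclosing loop begins outside this hunk.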
@@ -419,6 +534,7 @@ do
</tr>
@EOF
+ done
done
@@ -436,6 +552,12 @@ cat >> $TESTRESULTSHTML << @EOF
</html>
@EOF
+cat >> $ALLHTML << @EOF
+ </table>
+</body>
+</html>
+@EOF
+
cecho ""
cecho "Passed: $passed_cnt"
cecho "Failed: $failed_cnt"
@@ -449,10 +571,10 @@ cecho ""
HTDOCS="/var/www/localhost/htdocs"
cecho-n "Copying test results to winnetou.."
-ssh root@${ip_winnetou} mkdir -p $HTDOCS/testresults > /dev/null 2>&1
-scp -r $TODAYDIR root@${ip_winnetou}:$HTDOCS/testresults > /dev/null 2>&1
-ssh root@${ip_winnetou} ln -s $HTDOCS/images $HTDOCS/testresults/$TESTDATE/images > /dev/null 2>&1
+ssh root@${ipv4_winnetou} mkdir -p $HTDOCS/testresults > /dev/null 2>&1
+scp -r $TODAYDIR root@${ipv4_winnetou}:$HTDOCS/testresults > /dev/null 2>&1
+ssh root@${ipv4_winnetou} ln -s $HTDOCS/images $HTDOCS/testresults/$TESTDATE/images > /dev/null 2>&1
cecho "done"
cecho ""
cecho "The results are available in $TODAYDIR"
-cecho "or via the link http://$ip_winnetou/testresults/$TESTDATE"
+cecho "or via the link http://$ipv4_winnetou/testresults/$TESTDATE"
diff --git a/testing/hosts/alice/etc/ipsec.conf b/testing/hosts/alice/etc/ipsec.conf
index 4e525d929..312cadb8f 100755
--- a/testing/hosts/alice/etc/ipsec.conf
+++ b/testing/hosts/alice/etc/ipsec.conf
@@ -5,6 +5,7 @@ config setup
crlcheckinterval=180
strictcrlpolicy=no
nat_traversal=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/hosts/bob/etc/ipsec.conf b/testing/hosts/bob/etc/ipsec.conf
index 9040fc25d..0172c043b 100755
--- a/testing/hosts/bob/etc/ipsec.conf
+++ b/testing/hosts/bob/etc/ipsec.conf
@@ -5,6 +5,7 @@ config setup
crlcheckinterval=180
strictcrlpolicy=no
nat_traversal=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/hosts/carol/etc/ipsec.conf b/testing/hosts/carol/etc/ipsec.conf
index 43deae00f..6f1097e9e 100755
--- a/testing/hosts/carol/etc/ipsec.conf
+++ b/testing/hosts/carol/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/hosts/dave/etc/ipsec.conf b/testing/hosts/dave/etc/ipsec.conf
index 5fc5eef46..16e5299ce 100755
--- a/testing/hosts/dave/etc/ipsec.conf
+++ b/testing/hosts/dave/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/hosts/moon/etc/ipsec.conf b/testing/hosts/moon/etc/ipsec.conf
index c7d7dc2ed..b26f81911 100755
--- a/testing/hosts/moon/etc/ipsec.conf
+++ b/testing/hosts/moon/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/hosts/moon/etc/ipsec.secrets b/testing/hosts/moon/etc/ipsec.secrets
index c90b4c4a3..e86d6aa5c 100644
--- a/testing/hosts/moon/etc/ipsec.secrets
+++ b/testing/hosts/moon/etc/ipsec.secrets
@@ -1,7 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem
-
-
-
-
diff --git a/testing/hosts/sun/etc/ipsec.conf b/testing/hosts/sun/etc/ipsec.conf
index 1106ded6f..77d3fb183 100755
--- a/testing/hosts/sun/etc/ipsec.conf
+++ b/testing/hosts/sun/etc/ipsec.conf
@@ -5,6 +5,7 @@ config setup
crlcheckinterval=180
strictcrlpolicy=no
nat_traversal=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/hosts/venus/etc/ipsec.conf b/testing/hosts/venus/etc/ipsec.conf
index 8e4e47459..524640cda 100755
--- a/testing/hosts/venus/etc/ipsec.conf
+++ b/testing/hosts/venus/etc/ipsec.conf
@@ -5,6 +5,7 @@ config setup
crlcheckinterval=180
strictcrlpolicy=no
nat_traversal=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/hosts/winnetou/etc/apache2/httpd.conf b/testing/hosts/winnetou/etc/apache2/httpd.conf
new file mode 100644
index 000000000..41c74453a
--- /dev/null
+++ b/testing/hosts/winnetou/etc/apache2/httpd.conf
@@ -0,0 +1,1103 @@
+#
+# This is a modification of the default Apache 2 configuration
+# file by Gentoo Linux. .... [insert more]
+#
+# Support:
+# http://www.gentoo.org/main/en/lists.xml [mailing lists]
+# http://forums.gentoo.org/ [web forums]
+#
+# Bug Reports:
+# http://bugs.gentoo.org/ [gentoo related bugs]
+# http://bugs.apache.org/ [apache httpd related bugs]
+
+#
+#
+#
+# Based upon the NCSA server configuration files originally by Rob McCool.
+#
+# This is the main Apache server configuration file. It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://httpd.apache.org/docs/2.0/> for detailed information about
+# the directives.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+# The configuration directives are grouped into three basic sections:
+# 1. Directives that control the operation of the Apache server process as a
+# whole (the 'global environment').
+# 2. Directives that define the parameters of the 'main' or 'default' server,
+# which responds to requests that aren't handled by a virtual host.
+# These directives also provide default values for the settings
+# of all virtual hosts.
+# 3. Settings for virtual hosts, which allow Web requests to be sent to
+# different IP addresses or hostnames and have them handled by the
+# same Apache server process.
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path. If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
+# with ServerRoot set to "/usr/lib/apache2" will be interpreted by the
+# server as "/usr/lib/apache2/logs/foo.log".
+#
+
+### Section 1: Global Environment
+#
+# The directives in this section affect the overall operation of Apache,
+# such as the number of concurrent requests it can handle or where it
+# can find its configuration files.
+#
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# NOTE! If you intend to place this on an NFS (or otherwise network)
+# mounted filesystem then please read the LockFile documentation (available
+# at <URL:http://httpd.apache.org/docs/2.0/mod/mpm_common.html#lockfile>);
+# you will save yourself a lot of trouble.
+#
+# Do NOT add a slash at the end of the directory path.
+#
+ServerRoot "/usr/lib/apache2"
+
+#
+# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
+#
+#LockFile "/var/run/apache2.lock"
+
+#
+# ScoreBoardFile: File used to store internal server process information.
+# If unspecified (the default), the scoreboard will be stored in an
+# anonymous shared memory segment, and will be unavailable to third-party
+# applications.
+# If specified, ensure that no two invocations of Apache share the same
+# scoreboard file. The scoreboard file MUST BE STORED ON A LOCAL DISK.
+#
+<IfModule !perchild.c>
+ #ScoreBoardFile /var/run/apache2_runtime_status
+</IfModule>
+
+
+#
+# PidFile: The file in which the server should record its process
+# identification number when it starts.
+#
+PidFile "/var/run/apache2.pid"
+
+#
+# Timeout: The number of seconds before receives and sends time out.
+#
+Timeout 300
+
+#
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+#
+KeepAlive On
+
+#
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+#
+MaxKeepAliveRequests 100
+
+#
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+#
+KeepAliveTimeout 15
+
+##
+## Server-Pool Size Regulation (MPM specific)
+##
+
+# prefork MPM [DEFAULT IF USE=-threads]
+# StartServers: number of server processes to start
+# MinSpareServers: minimum number of server processes which are kept spare
+# MaxSpareServers: maximum number of server processes which are kept spare
+# MaxClients: maximum number of server processes allowed to start
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule prefork.c>
+ StartServers 5
+ MinSpareServers 5
+ MaxSpareServers 10
+ MaxClients 150
+ MaxRequestsPerChild 0
+</IfModule>
+
+# worker MPM [DEFAULT IF USE=threads]
+# StartServers: initial number of server processes to start
+# MaxClients: maximum number of simultaneous client connections
+# MinSpareThreads: minimum number of worker threads which are kept spare
+# MaxSpareThreads: maximum number of worker threads which are kept spare
+# ThreadsPerChild: constant number of worker threads in each server process
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule worker.c>
+ StartServers 2
+ MaxClients 150
+ MinSpareThreads 25
+ MaxSpareThreads 75
+ ThreadsPerChild 25
+ MaxRequestsPerChild 0
+</IfModule>
+
+# perchild MPM [THIS MPM IS NOT SUPPORTED]
+# NumServers: constant number of server processes
+# StartThreads: initial number of worker threads in each server process
+# MinSpareThreads: minimum number of worker threads which are kept spare
+# MaxSpareThreads: maximum number of worker threads which are kept spare
+# MaxThreadsPerChild: maximum number of worker threads in each server process
+# MaxRequestsPerChild: maximum number of connections per server process
+<IfModule perchild.c>
+ NumServers 5
+ StartThreads 5
+ MinSpareThreads 5
+ MaxSpareThreads 10
+ MaxThreadsPerChild 20
+ MaxRequestsPerChild 0
+</IfModule>
+
+# peruser MPM [THIS MPM IS NOT SUPPORTED]
+# MinSpareServers - Minimum number of idle children, to handle request spikes
+# MaxClients - Maximum number of children alive at the same time
+# MaxProcessors - Maximum number of processors per vhost
+# Multiplexer - Specify an Multiplexer Child configuration.
+# Processor - Specify a User and Group for a specific child process.
+# ServerEnvironment - Specify the server environment for this virtual host.
+<IfModule peruser.c>
+ ServerLimit 256
+ MaxClients 256
+ MinSpareProcessors 2
+ MaxProcessors 10
+ MaxRequestsPerChild 1000
+
+ # kill off idle processors after this many seconds
+ # set to 0 to disable
+ ExpireTimeout 1800
+
+ Multiplexer nobody nobody
+
+ Processor apache apache
+
+ # chroot dir is optional:
+ # Processor user group /path/to/chroot
+</IfModule>
+
+# itk MPM [THIS MPM IS NOT SUPPORTED]
+# StartServers: number of server processes to start
+# MinSpareServers: minimum number of server processes which are kept spare
+# MaxSpareServers: maximum number of server processes which are kept spare
+# MaxClients: maximum number of server processes allowed to start
+# MaxRequestsPerChild: maximum number of requests a server process serves
+<IfModule itk.c>
+ StartServers 5
+ MinSpareServers 2
+ MaxSpareServers 10
+ MaxClients 150
+ MaxRequestsPerChild 1000
+</IfModule>
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the <VirtualHost>
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to
+# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
+#
+#Listen 12.34.56.78:80
+Listen 80
+Listen 8880
+Listen 8881
+Listen 8882
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
+#
+# The following modules are considered as the default configuration.
+# If you wish to disable one of them, you may have to alter other
+# configuration directives.
+#
+# You should always leave these three, as they are needed for normal use.
+# mod_access (Order, Allow, etc..)
+# mod_log_config (Transferlog, etc..)
+# mod_mime (AddType, etc...)
+#
+# Example:
+# LoadModule foo_module modules/mod_foo.so
+
+
+# Authentication Modules
+#
+# These modules provide authentication and authorization for
+# clients. They should not normally be disabled.
+#
+LoadModule access_module modules/mod_access.so
+LoadModule auth_module modules/mod_auth.so
+LoadModule auth_anon_module modules/mod_auth_anon.so
+LoadModule auth_dbm_module modules/mod_auth_dbm.so
+LoadModule auth_digest_module modules/mod_auth_digest.so
+
+#
+# Metadata Modules
+#
+# These modules provide extra data to clients about
+# a file, such as the mime-type or charset.
+#
+LoadModule charset_lite_module modules/mod_charset_lite.so
+LoadModule env_module modules/mod_env.so
+LoadModule expires_module modules/mod_expires.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule negotiation_module modules/mod_negotiation.so
+LoadModule setenvif_module modules/mod_setenvif.so
+
+#
+# Logging Modules
+#
+# These modules provide logging services for Apache
+#
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule logio_module modules/mod_logio.so
+
+
+#
+# CGI Modules
+#
+# These modules provide the ability to execute CGI Scripts.
+#
+LoadModule cgi_module modules/mod_cgi.so
+LoadModule cgid_module modules/mod_cgid.so
+
+
+#
+# This `suexec` module provides the ability to exeucte CGI scripts under
+# a different user than apache is run.
+#
+LoadModule suexec_module modules/mod_suexec.so
+
+
+#
+# Mappers
+#
+# These Modules provide URL mappings or translations.
+LoadModule alias_module modules/mod_alias.so
+LoadModule rewrite_module modules/mod_rewrite.so
+<IfDefine USERDIR>
+ LoadModule userdir_module modules/mod_userdir.so
+</IfDefine>
+
+
+#
+# Handlers
+#
+# These modules create content for a client.
+#
+<IfDefine INFO>
+ LoadModule info_module modules/mod_info.so
+ LoadModule status_module modules/mod_status.so
+</IfDefine>
+LoadModule actions_module modules/mod_actions.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule dir_module modules/mod_dir.so
+
+#
+# Filters
+#
+# These modules provide filters for Apache.
+# They preform common tasks like gzip encoding or SSI
+#
+#
+LoadModule ext_filter_module modules/mod_ext_filter.so
+LoadModule deflate_module modules/mod_deflate.so
+LoadModule include_module modules/mod_include.so
+
+
+#
+# Cache Modules
+#
+# The following modules are used for storing a cache of
+# generated or proxied content.
+#
+#LoadModule cache_module modules/mod_cache.so
+#LoadModule disk_cache_module modules/mod_disk_cache.so
+#LoadModule mem_cache_module modules/mod_mem_cache.so
+#LoadModule file_cache_module modules/mod_file_cache.so
+
+#
+# Proxy Modules
+#
+# The following modules are only needed if you are running
+# Apache as a Forward or Reverse Proxy.
+#
+# WARNING: Enabling these modules can be dangerous!
+# READ THE DOCUMENTATION FIRST:
+# http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
+<IfDefine PROXY>
+ LoadModule proxy_module modules/mod_proxy.so
+ LoadModule proxy_connect_module modules/mod_proxy_connect.so
+ LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
+ LoadModule proxy_http_module modules/mod_proxy_http.so
+</IfDefine>
+
+#
+# Uncommon Modules
+#
+# The following Modules are not commonly loaded for Apache
+#
+#LoadModule case_filter_module modules/mod_case_filter.so
+#LoadModule case_filter_in_module modules/mod_case_filter_in.so
+#LoadModule echo_module modules/mod_echo.so
+#LoadModule mime_magic_module modules/mod_mime_magic.so
+#LoadModule speling_module modules/mod_speling.so
+#LoadModule unique_id_module modules/mod_unique_id.so
+#LoadModule vhost_alias_module modules/mod_vhost_alias.so
+
+#
+# Obsolete Modules
+#
+# The Following modules are not commonly needed and use
+# obsolete technologies.
+#
+#LoadModule cern_meta_module modules/mod_cern_meta.so
+#LoadModule imap_module modules/mod_imap.so
+#LoadModule usertrack_module modules/mod_usertrack.so
+#LoadModule asis_module modules/mod_asis.so
+
+
+#
+# Extra Modules
+#
+# We Include extra .conf files from /etc/apache2/modules.d
+# This is used to load things like PHP and mod_ssl.
+#
+Include /etc/apache2/modules.d/*.conf
+
+### Section 2: 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# <VirtualHost> definition. These values also provide defaults for
+# any <VirtualHost> containers you may define later in the file.
+#
+# All of these directives may appear inside <VirtualHost> containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
+# . On HPUX you may not be able to use shared memory as nobody, and the
+# suggested workaround is to create a user www and use that user.
+# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
+# when the value of (unsigned)Group is above 60000;
+# don't use Group #-1 on these systems!
+#
+User apache
+Group apache
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed. This address appears on some server-generated pages, such
+# as error documents. e.g. admin@your-domain.com
+#
+ServerAdmin root@localhost
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If this is not set to valid DNS name for your host, server-generated
+# redirections will not work. See also the UseCanonicalName directive.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+# You will have to access it by its address anyway, and this will make
+# redirections work in a sensible way.
+#
+#ServerName localhost
+
+#
+# UseCanonicalName: Determines how Apache constructs self-referencing
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client. When set "On", Apache will use the value of the
+# ServerName directive.
+#
+UseCanonicalName Off
+
+
+#
+# Each directory to which Apache has access can be configured with respect
+# to which services and features are allowed and/or disabled in that
+# directory (and its subdirectories).
+#
+# First, we configure the "default" to be a very restrictive set of
+# features.
+#
+<Directory />
+ Options FollowSymLinks
+ AllowOverride None
+</Directory>
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# UserDir: The name of the directory that is appended onto a user's home
+# directory if a ~user request is received.
+# enable by adding -D USERDIR to /etc/conf.d/apache2
+#
+<IfModule mod_userdir.c>
+ UserDir public_html
+
+#
+# Control access to UserDir directories. The following is an example
+# for a site where these directories are restricted to read-only.
+#
+ <Directory /home/*/public_html>
+ AllowOverride FileInfo AuthConfig Limit Indexes
+ Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+ <Limit GET POST OPTIONS PROPFIND>
+ Order allow,deny
+ Allow from all
+ </Limit>
+ <LimitExcept GET POST OPTIONS PROPFIND>
+ Order deny,allow
+ Deny from all
+ </LimitExcept>
+ </Directory>
+
+
+# Enable this additional section if you would like to make use of a
+# suexec-enabled cgi-bin directory on a per-user basis.
+#
+#<Directory /home/*/public_html/cgi-bin>
+# Options ExecCGI
+# SetHandler cgi-script
+#</Directory>
+
+</IfModule>
+
+
+#
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+# The index.html.var file (a type-map) is used to deliver content-
+# negotiated documents. The MultiViews Option can be used for the
+# same purpose, but it is much slower.
+#
+DirectoryIndex index.html ocsp.cgi
+
+#
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives. See also the AllowOverride
+# directive.
+#
+AccessFileName .htaccess
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+<FilesMatch "^\.ht">
+ Order allow,deny
+ Deny from all
+</FilesMatch>
+
+#
+# TypesConfig describes where the mime.types file (or equivalent) is
+# to be found.
+#
+TypesConfig /etc/mime.types
+
+#
+# DefaultType is the default MIME type the server will use for a document
+# if it cannot otherwise determine one, such as from filename extensions.
+# If your server contains mostly text or HTML documents, "text/plain" is
+# a good value. If most of your content is binary, such as applications
+# or images, you may want to use "application/octet-stream" instead to
+# keep browsers from trying to display binary files as though they are
+# text.
+#
+DefaultType text/plain
+
+#
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type. The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+#
+<IfModule mod_mime_magic.c>
+ MIMEMagicFile /etc/apache2/magic
+</IfModule>
+
+#
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+#
+HostnameLookups Off
+
+#
+# EnableMMAP: Control whether memory-mapping is used to deliver
+# files (assuming that the underlying OS supports it).
+# The default is on; turn this off if you serve from NFS-mounted
+# filesystems. On some systems, turning it off (regardless of
+# filesystem) can improve performance; for details, please see
+# http://httpd.apache.org/docs/2.0/mod/core.html#enablemmap
+#
+#EnableMMAP off
+
+#
+# EnableSendfile: Control whether the sendfile kernel support is
+# used to deliver files (assuming that the OS supports it).
+# The default is on; turn this off if you serve from NFS-mounted
+# filesystems. Please see
+# http://httpd.apache.org/docs/2.0/mod/core.html#enablesendfile
+#
+#EnableSendfile off
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog logs/error_log
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+#
+# The following directives define some format nicknames for use with
+# a CustomLog directive (see below).
+#
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+LogFormat "%v %h %l %u %t \"%r\" %>s %b %T" script
+LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" VLOG=%{VLOG}e" vhost
+
+# You need to enable mod_logio.c to use %I and %O
+#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+
+#
+# The location and format of the access logfile (Common Logfile Format).
+# If you do not define any access logfiles within a <VirtualHost>
+# container, they will be logged here. Contrariwise, if you *do*
+# define per-<VirtualHost> access logfiles, transactions will be
+# logged therein and *not* in this file.
+#
+CustomLog logs/access_log common
+
+#
+# If you would like to have agent and referer logfiles, uncomment the
+# following directives.
+#
+#CustomLog logs/referer_log referer
+#CustomLog logs/agent_log agent
+
+#
+# If you prefer a single logfile with access, agent, and referer information
+# (Combined Logfile Format) you can use the following directive.
+#
+#CustomLog logs/access_log combined
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minor | Minimal | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#
+ServerTokens Prod
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+#
+ServerSignature On
+
+#
+# Aliases: Add here as many aliases as you need (with no limit). The format is
+# Alias fakename realname
+#
+# Note that if you include a trailing / on fakename then the server will
+# require it to be present in the URL. So "/icons" isn't aliased in this
+# example, only "/icons/". If the fakename is slash-terminated, then the
+# realname must also be slash terminated, and if the fakename omits the
+# trailing slash, the realname must also omit it.
+#
+# We include the /icons/ alias for FancyIndexed directory listings. If you
+# do not use FancyIndexing, you may comment this out.
+#
+Alias /icons/ "/var/www/localhost/icons/"
+
+<Directory "/var/www/localhost/icons/">
+ Options Indexes MultiViews
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+#
+# ScriptAlias: This controls which directories contain server scripts.
+# ScriptAliases are essentially the same as Aliases, except that
+# documents in the realname directory are treated as applications and
+# run by the server when requested rather than as documents sent to the client.
+# The same rules about trailing "/" apply to ScriptAlias directives as to
+# Alias.
+#
+ScriptAlias /cgi-bin/ /var/www/localhost/cgi-bin/
+
+<IfModule mod_cgid.c>
+ #
+ # Additional to mod_cgid.c settings, mod_cgid has Scriptsock <path>
+ # for setting UNIX socket for communicating with cgid.
+ #
+ #Scriptsock /var/run/cgisock
+</IfModule>
+
+#
+# "/var/www/localhost/cgi-bin/" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+<Directory "/var/www/localhost/cgi-bin/">
+ AllowOverride None
+ Options None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+#
+# Redirect allows you to tell clients about documents which used to exist in
+# your server's namespace, but do not anymore. This allows you to tell the
+# clients where to look for the relocated document.
+# Example:
+# Redirect permanent /foo http://www.example.com/bar
+
+#
+# Directives controlling the display of server-generated directory listings.
+#
+<IfModule mod_autoindex.c>
+ #
+ # IndexOptions: Controls the appearance of server-generated directory
+ # listings.
+ #
+ IndexOptions FancyIndexing VersionSort
+
+ #
+ # AddIcon* directives tell the server which icon to show for different
+ # files or filename extensions. These are only displayed for
+ # FancyIndexed directories.
+ #
+ AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
+
+ AddIconByType (TXT,/icons/text.gif) text/*
+ AddIconByType (IMG,/icons/image2.gif) image/*
+ AddIconByType (SND,/icons/sound2.gif) audio/*
+ AddIconByType (VID,/icons/movie.gif) video/*
+
+ AddIcon /icons/binary.gif .bin .exe
+ AddIcon /icons/binhex.gif .hqx
+ AddIcon /icons/tar.gif .tar
+ AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+ AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
+ AddIcon /icons/a.gif .ps .ai .eps
+ AddIcon /icons/layout.gif .html .shtml .htm .pdf
+ AddIcon /icons/text.gif .txt
+ AddIcon /icons/c.gif .c
+ AddIcon /icons/p.gif .pl .py
+ AddIcon /icons/f.gif .for
+ AddIcon /icons/dvi.gif .dvi
+ AddIcon /icons/uuencoded.gif .uu
+ AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+ AddIcon /icons/tex.gif .tex
+ AddIcon /icons/bomb.gif core
+
+ AddIcon /icons/back.gif ..
+ AddIcon /icons/hand.right.gif README
+ AddIcon /icons/folder.gif ^^DIRECTORY^^
+ AddIcon /icons/blank.gif ^^BLANKICON^^
+
+ #
+ # DefaultIcon is which icon to show for files which do not have an icon
+ # explicitly set.
+ #
+ DefaultIcon /icons/unknown.gif
+
+ #
+ # AddDescription allows you to place a short description after a file in
+ # server-generated indexes. These are only displayed for FancyIndexed
+ # directories.
+ # Format: AddDescription "description" filename
+ #
+ #AddDescription "GZIP compressed document" .gz
+ #AddDescription "tar archive" .tar
+ #AddDescription "GZIP compressed tar archive" .tgz
+
+ #
+ # ReadmeName is the name of the README file the server will look for by
+ # default, and append to directory listings.
+ #
+ # HeaderName is the name of a file which should be prepended to
+ # directory indexes.
+ ReadmeName README.html
+ HeaderName HEADER.html
+
+ #
+ # IndexIgnore is a set of filenames which directory indexing should ignore
+ # and not include in the listing. Shell-style wildcarding is permitted.
+ #
+ IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t .svn
+</IfModule>
+
+#
+# DefaultLanguage and AddLanguage allows you to specify the language of
+# a document. You can then use content negotiation to give a browser a
+# file in a language the user can understand.
+#
+# Specify a default language. This means that all data
+# going out without a specific language tag (see below) will
+# be marked with this one. You probably do NOT want to set
+# this unless you are sure it is correct for all cases.
+#
+# * It is generally better to not mark a page as
+# * being a certain language than marking it with the wrong
+# * language!
+#
+# DefaultLanguage nl
+#
+# Note 1: The suffix does not have to be the same as the language
+# keyword --- those with documents in Polish (whose net-standard
+# language code is pl) may wish to use "AddLanguage pl .po" to
+# avoid the ambiguity with the common suffix for perl scripts.
+#
+# Note 2: The example entries below illustrate that in some cases
+# the two character 'Language' abbreviation is not identical to
+# the two character 'Country' code for its country,
+# E.g. 'Danmark/dk' versus 'Danish/da'.
+#
+# Note 3: In the case of 'ltz' we violate the RFC by using a three char
+# specifier. There is 'work in progress' to fix this and get
+# the reference data for rfc1766 cleaned up.
+#
+# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
+# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
+# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
+# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
+# Norwegian (no) - Polish (pl) - Portugese (pt)
+# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
+# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
+#
+AddLanguage ca .ca
+AddLanguage cs .cz .cs
+AddLanguage da .dk
+AddLanguage de .de
+AddLanguage el .el
+AddLanguage en .en
+AddLanguage eo .eo
+AddLanguage es .es
+AddLanguage et .et
+AddLanguage fr .fr
+AddLanguage he .he
+AddLanguage hr .hr
+AddLanguage it .it
+AddLanguage ja .ja
+AddLanguage ko .ko
+AddLanguage ltz .ltz
+AddLanguage nl .nl
+AddLanguage nn .nn
+AddLanguage no .no
+AddLanguage pl .po
+AddLanguage pt .pt
+AddLanguage pt-BR .pt-br
+AddLanguage ru .ru
+AddLanguage sv .sv
+AddLanguage zh-CN .zh-cn
+AddLanguage zh-TW .zh-tw
+
+#
+# LanguagePriority allows you to give precedence to some languages
+# in case of a tie during content negotiation.
+#
+# Just list the languages in decreasing order of preference. We have
+# more or less alphabetized them here. You probably want to change this.
+#
+LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW
+
+#
+# ForceLanguagePriority allows you to serve a result page rather than
+# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
+# [in case no accepted languages matched the available variants]
+#
+ForceLanguagePriority Prefer Fallback
+
+#
+# Commonly used filename extensions to character sets. You probably
+# want to avoid clashes with the language extensions, unless you
+# are good at carefully testing your setup after each change.
+# See http://www.iana.org/assignments/character-sets for the
+# official list of charset names and their respective RFCs.
+#
+AddCharset ISO-8859-1 .iso8859-1 .latin1
+AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
+AddCharset ISO-8859-3 .iso8859-3 .latin3
+AddCharset ISO-8859-4 .iso8859-4 .latin4
+AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
+AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
+AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
+AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
+AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
+AddCharset ISO-2022-JP .iso2022-jp .jis
+AddCharset ISO-2022-KR .iso2022-kr .kis
+AddCharset ISO-2022-CN .iso2022-cn .cis
+AddCharset Big5 .Big5 .big5
+# For russian, more than one charset is used (depends on client, mostly):
+AddCharset WINDOWS-1251 .cp-1251 .win-1251
+AddCharset CP866 .cp866
+AddCharset KOI8-r .koi8-r .koi8-ru
+AddCharset KOI8-ru .koi8-uk .ua
+AddCharset ISO-10646-UCS-2 .ucs2
+AddCharset ISO-10646-UCS-4 .ucs4
+AddCharset UTF-8 .utf8
+
+# The set below does not map to a specific (iso) standard
+# but works on a fairly wide range of browsers. Note that
+# capitalization actually matters (it should not, but it
+# does for some browsers).
+#
+# See http://www.iana.org/assignments/character-sets
+# for a list of sorts. But browsers support few.
+#
+AddCharset GB2312 .gb2312 .gb
+AddCharset utf-7 .utf7
+AddCharset utf-8 .utf8
+AddCharset big5 .big5 .b5
+AddCharset EUC-TW .euc-tw
+AddCharset EUC-JP .euc-jp
+AddCharset EUC-KR .euc-kr
+AddCharset shift_jis .sjis
+
+#
+# AddType allows you to add to or override the MIME configuration
+# file mime.types for specific file types.
+#
+#AddType application/x-tar .tgz
+#
+# AddEncoding allows you to have certain browsers uncompress
+# information on the fly. Note: Not all browsers support this.
+# Despite the name similarity, the following Add* directives have nothing
+# to do with the FancyIndexing customization directives above.
+#
+#AddEncoding x-compress .Z
+#AddEncoding x-gzip .gz .tgz
+#
+# If the AddEncoding directives above are commented-out, then you
+# probably should define those extensions to indicate media types:
+#
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+#
+# AddHandler allows you to map certain file extensions to "handlers":
+# actions unrelated to filetype. These can be either built into the server
+# or added with the Action directive (see below)
+#
+# To use CGI scripts outside of ScriptAliased directories:
+# (You will also need to add "ExecCGI" to the "Options" directive.)
+#
+AddHandler cgi-script .cgi
+
+#
+# For files that include their own HTTP headers:
+#
+#AddHandler send-as-is asis
+
+#
+# For server-parsed imagemap files:
+#
+#AddHandler imap-file map
+
+#
+# For type maps (negotiated resources):
+# (This is enabled by default to allow the Apache "It Worked" page
+# to be distributed in multiple languages.)
+#
+AddHandler type-map var
+
+#
+# Filters allow you to process content before it is sent to the client.
+#
+# To parse .shtml files for server-side includes (SSI):
+# (You will also need to add "Includes" to the "Options" directive.)
+#
+#AddType text/html .shtml
+#AddOutputFilter INCLUDES .shtml
+
+#
+# Action lets you define media types that will execute a script whenever
+# a matching file is called. This eliminates the need for repeated URL
+# pathnames for oft-used CGI file processors.
+# Format: Action media/type /cgi-script/location
+# Format: Action handler-name /cgi-script/location
+#
+
+#
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+#
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+#
+
+#
+# Putting this all together, we can internationalize error responses.
+#
+# We use Alias to redirect any /error/HTTP_<error>.html.var response to
+# our collection of by-error message multi-language collections. We use
+# includes to substitute the appropriate text.
+#
+# You can modify the messages' appearance without changing any of the
+# default HTTP_<error>.html.var files by adding the line:
+#
+# Alias /error/include/ "/your/include/path/"
+#
+# which allows you to create your own set of files by starting with the
+# /var/www/localhost/error/include files and copying them to /your/includepath/
+# even on a per-VirtualHost basis. The default include files will display
+# your Apache version number and your ServerAdmin email address regardless
+# of the setting of ServerSignature.
+#
+# The internationalized error documents require mod_alias, mod_include
+# and mod_negotiation. To activate them, uncomment the following 30 lines.
+
+# Alias /error/ "/var/www/localhost/error/"
+#
+# <Directory "/var/www/localhost/error">
+# AllowOverride None
+# Options IncludesNoExec
+# AddOutputFilter Includes html
+# AddHandler type-map var
+# Order allow,deny
+# Allow from all
+# LanguagePriority en cs de es fr it nl sv pt-br ro
+# ForceLanguagePriority Prefer Fallback
+# </Directory>
+#
+# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
+# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
+# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
+# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
+# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
+# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
+# ErrorDocument 410 /error/HTTP_GONE.html.var
+# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
+# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
+# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
+# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
+# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
+# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
+# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
+# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
+# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
+# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
+
+
+#
+# The following directives modify normal HTTP response behavior to
+# handle known problems with browser implementations.
+#
+BrowserMatch "Mozilla/2" nokeepalive
+BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+BrowserMatch "RealPlayer 4\.0" force-response-1.0
+BrowserMatch "Java/1\.0" force-response-1.0
+BrowserMatch "JDK/1\.0" force-response-1.0
+
+#
+# The following directive disables redirects on non-GET requests for
+# a directory that does not include the trailing slash. This fixes a
+# problem with Microsoft WebFolders which does not appropriately handle
+# redirects for folders with DAV methods.
+# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
+#
+BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+BrowserMatch "MS FrontPage" redirect-carefully
+BrowserMatch "^WebDrive" redirect-carefully
+BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
+BrowserMatch "^gnome-vfs" redirect-carefully
+BrowserMatch "^XML Spy" redirect-carefully
+BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
+
+#
+# Allow server status reports generated by mod_status,
+# with the URL of http://servername/server-status
+# Change the ".example.com" to match your domain to enable.
+#
+<IfDefine INFO>
+ ExtendedStatus On
+ <Location /server-status>
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+ Allow from localhost
+ </Location>
+</IfDefine>
+
+#
+# Allow remote server configuration reports, with the URL of
+# http://localhost/server-info (This is useful for debugging)
+#
+<IfDefine INFO>
+ <Location /server-info>
+ SetHandler server-info
+ Order deny,allow
+ Deny from all
+ Allow from localhost
+ </Location>
+</IfDefine>
+
+
+#
+# Gentoo VHosts
+#
+# For Gentoo we include External Virtual Hosts Files.
+# Please see vhosts.d/00_default_vhost.conf for the default virtual host.
+#
+Include /etc/apache2/vhosts.d/*.conf
diff --git a/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf b/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf
new file mode 100644
index 000000000..c97c30936
--- /dev/null
+++ b/testing/hosts/winnetou/etc/apache2/vhosts.d/01_ocsp_vhost.conf
@@ -0,0 +1,37 @@
+# OCSP Server
+
+<VirtualHost *:8880>
+ ServerAdmin root@strongswan.org
+ DocumentRoot /etc/openssl/ocsp
+ ServerName ocsp.strongswan.org
+ ServerAlias 192.168.0.150
+ <Directory "/etc/openssl/ocsp">
+ Options +ExecCGI
+ </Directory>
+ ErrorLog /var/log/apache2/ocsp/error_log
+ CustomLog /var/log/apache2/ocsp/access_log combined
+</VirtualHost>
+
+<VirtualHost *:8881>
+ ServerAdmin root@research.strongswan.org
+ DocumentRoot /etc/openssl/research/ocsp
+ ServerName ocsp.research.strongswan.org
+ ServerAlias ocsp.strongswan.org 192.168.0.150
+ <Directory "/etc/openssl/research/ocsp">
+ Options +ExecCGI
+ </Directory>
+ ErrorLog /var/log/apache2/ocsp/error_log
+ CustomLog /var/log/apache2/ocsp/access_log combined
+</VirtualHost>
+
+<VirtualHost *:8882>
+ ServerAdmin root@sales.strongswan.org
+ DocumentRoot /etc/openssl/sales/ocsp
+ ServerName ocsp.sales.strongswan.org
+ ServerAlias ocsp.strongswan.org 192.168.0.150
+ <Directory "/etc/openssl/sales/ocsp">
+ Options +ExecCGI
+ </Directory>
+ ErrorLog /var/log/apache2/ocsp/error_log
+ CustomLog /var/log/apache2/ocsp/access_log combined
+</VirtualHost>
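Review bot: Each `<Directory>` block only adds `Options +ExecCGI`, so every other option and the override policy are inherited from whatever the main configuration sets for the parent path, which this hunk does not show. These directories sit under /etc/openssl next to CA material, and the Apache config added earlier in this commit maps `.cgi` to `cgi-script` globally, so I would pin the settings explicitly with `Options ExecCGI` (no `+`, which drops inherited options such as Indexes) and `AllowOverride None`. All three vhosts also write to the same error_log and access_log under /var/log/apache2/ocsp/, and the `combined` format does not record the port, so a logged request cannot be attributed to one responder. Separate log files per vhost, or a format that includes `%p`, would fix that.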
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index 9e744674d..12025d75c 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -16,3 +16,4 @@ V 100620195806Z 0F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
V 111007105811Z 10 unknown /C=CH/O=Linux strongSwan/OU=SHA-256/CN=moon.strongswan.org
V 111007121250Z 11 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
V 111007122112Z 12 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
+V 120224075857Z 13 unknown /C=CH/O=Linux strongSwan/OU=OCSP/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index 4d7201a35..9e744674d 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -15,3 +15,4 @@ V 100607191714Z 0E unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org
V 100620195806Z 0F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
V 111007105811Z 10 unknown /C=CH/O=Linux strongSwan/OU=SHA-256/CN=moon.strongswan.org
V 111007121250Z 11 unknown /C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol@strongswan.org
+V 111007122112Z 12 unknown /C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/13.pem b/testing/hosts/winnetou/etc/openssl/newcerts/13.pem
new file mode 100644
index 000000000..aeca7e1db
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/13.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
new file mode 100755
index 000000000..cb585ed08
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/openssl
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout
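Review bot: The result of `cd /etc/openssl` is not checked, and the `Content-type` header is written before openssl runs, so a failed cd or a failed `openssl ocsp` still produces a 200 response with an empty or partial body instead of an HTTP error. I would stop on a failed cd and build the response in a temporary file, emitting the header only when openssl exits 0. The script also hands stdin to the signer without looking at `REQUEST_METHOD` or `CONTENT_TYPE`, so any request to this URL reaches it. The same points apply to research/ocsp/ocsp.cgi and sales/ocsp/ocsp.cgi later in this commit.

```shell
cd /etc/openssl || exit 1

# Build the response first so a signer failure becomes an HTTP error, not an empty 200.
resp=$(mktemp) || exit 1
trap 'rm -f "$resp"' EXIT

if ! /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
        -rkey ocspKey.pem -rsigner ocspCert.pem \
        -nmin 5 \
        -reqin /dev/stdin -respout "$resp"; then
    echo "Status: 500 Internal Server Error"
    echo ""
    exit 1
fi

echo "Content-type: application/ocsp-response"
echo ""
cat "$resp"
```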
diff --git a/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem b/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem
new file mode 100644
index 000000000..77f5bde52
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ocspCert-self.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEbjCCA1agAwIBAgIJALN2wqyLTIzfMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV
+BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQ
+IFNlbGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2Fu
+Lm9yZzAeFw0wNzAzMTQxMjM0MDNaFw0xMjAzMTIxMjM0MDNaMGsxCzAJBgNVBAYT
+AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMSMwIQYDVQQLExpPQ1NQIFNl
+bGYtU2lnbmVkIEF1dGhvcml0eTEcMBoGA1UEAxMTb2NzcC5zdHJvbmdzd2FuLm9y
+ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgSOFeDdWxYKGPUSUhM
+BFAELGmHKfg2R25aWlE8ju//I0ByaoIsm8BPapSiiiwTdho/JPP44/nvHcDQu828
+P3uY5XbSPZpiiBgFoo8BC2/Y/rxY/skjEzqoHEXjg/vO1bA0tqjVn5a0jpkai7pD
+mUyBrmn1ArOjhR/HAupCHsIb7sAL+IEXByMcZQK6bvNL9PMTYI1T72+t/9cZAAEJ
+DfEhyJZMxQKgmT1SNzLwyszy1M1HF95D59gBok4PaRWWsLdwzplfTKh61CeGCYqb
+UP3qpMKrJ8Y7uv+e1vVzuYbJg5DR+bF1IGIc9QRyJlTkhZco+zTCQYxpvsNO18yr
+4qcCAwEAAaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgECMB0GA1UdDgQW
+BBQHqEiJbwUSQJDtrfhopkda0nXrLTCBnQYDVR0jBIGVMIGSgBQHqEiJbwUSQJDt
+rfhopkda0nXrLaFvpG0wazELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0
+cm9uZ1N3YW4xIzAhBgNVBAsTGk9DU1AgU2VsZi1TaWduZWQgQXV0aG9yaXR5MRww
+GgYDVQQDExNvY3NwLnN0cm9uZ3N3YW4ub3JnggkAs3bCrItMjN8wHgYDVR0RBBcw
+FYITb2NzcC5zdHJvbmdzd2FuLm9yZzAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCTAN
+BgkqhkiG9w0BAQUFAAOCAQEAi//I0DOlUXNHxzLuuxyr6k5gO55zMCmHUcVfjVFZ
+9e+UpLLFZY+qbxOfzVLpKyDch6dKDIA/H+SzX1GZ+uW4FFQ1wYlHcK1Sio9hOgqI
+zeWdY5uHF6iERVYgOU/xp0+0LS5l4ezCvOKVkYJEFWe2eyn9rd4PGLW4/lTQiK1V
+14YzPyAhB7n8Sln5LBxAeY7U7Y8jEMLXZ+VF21mjH2sxZzWV/qWZdNWVUNaLZTYL
+lTqyzqsk40v5BTrjSvAWHN+c1WzydMvatFDzghlPnvR8dufRN2bnlj10J8sizn+v
+1iDtM6uYi8+Yn26yMGjCP+RYW+bwKQ927Gr43UkqqGsbCg==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocspKey-self.pem b/testing/hosts/winnetou/etc/openssl/ocspKey-self.pem
new file mode 100644
index 000000000..1af5ecdb9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ocspKey-self.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
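Review bot: This adds an unencrypted RSA private key with mode 100644, and research/ocspKey.pem and sales/ocspKey.pem later in the commit do the same. The path under testing/hosts/ suggests these are fixtures for the test PKI, but nothing next to them says so. I would add a short README in testing/hosts/winnetou/etc/openssl/ stating that every key in the directory is public test material and must never be configured as a trusted OCSP signer or CA outside the test network.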
diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf
index dbe31abbd..165d8bbeb 100644
--- a/testing/hosts/winnetou/etc/openssl/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf
@@ -43,7 +43,7 @@ crl_extensions = crl_ext # The extentions to add to the CRL
default_days = 1825 # how long to certify for
default_crl_days= 30 # how long before next CRL
-default_md = md5 # which md to use.
+default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
email_in_dn = no # allow/forbid EMail in DN
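Review bot: `default_md = sha1` moves certificate and CRL signing off MD5, but SHA-1 is no longer collision resistant either, so the CA default should be SHA-256: `default_md = sha256`. The index.txt in this tree already lists certificates under OU=SHA-256, which suggests the installed OpenSSL can produce them. The configuration section this line belongs to starts outside the hunk.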
@@ -146,7 +146,7 @@ keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = DNS:$ENV::COMMON_NAME
-#extendedKeyUsage = OCSPSigner
+#extendedKeyUsage = OCSPSigning
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl
####################################################################
@@ -158,6 +158,7 @@ keyUsage = digitalSignature, keyEncipherment, keyAgreemen
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = email:$ENV::COMMON_NAME
+#authorityInfoAccess = OCSP;URI:http://ocsp.strongswan.org:8880
crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl
####################################################################
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt
index 4bd650072..2ccf6489c 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt
@@ -1,2 +1,3 @@
V 100322070423Z 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
V 100615195710Z 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
+V 120323210330Z 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
index 148bab7d6..4bd650072 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
@@ -1 +1,2 @@
V 100322070423Z 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V 100615195710Z 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/03.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/03.pem
new file mode 100644
index 000000000..279b4191d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/03.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi
new file mode 100755
index 000000000..c193e8779
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/ocsp/ocsp.cgi
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/openssl/research
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+/usr/bin/openssl ocsp -index index.txt -CA researchCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout
diff --git a/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem
new file mode 100644
index 000000000..279b4191d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/ocspCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem
new file mode 100644
index 000000000..adbfe0f92
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/ocspKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
index b5afd3d2e..706a52635 100644
--- a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf
@@ -145,7 +145,7 @@ keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = DNS:$ENV::COMMON_NAME
-#extendedKeyUsage = OCSPSigner
+#extendedKeyUsage = OCSPSigning
crlDistributionPoints = URI:http://crl.strongswan.org/research.crl
####################################################################
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial
index 75016ea36..64969239d 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial
+++ b/testing/hosts/winnetou/etc/openssl/research/serial
@@ -1 +1 @@
-03
+04
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old
index 9e22bcb8e..75016ea36 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/research/serial.old
@@ -1 +1 @@
-02
+03
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt
index 5093b34e9..ab3c06416 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt
@@ -1,2 +1,3 @@
V 100322071017Z 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
V 100615195536Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
+V 120323211811Z 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
index 7378ebb8a..5093b34e9 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old
@@ -1 +1,2 @@
V 100322071017Z 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org
+V 100615195536Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/03.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/03.pem
new file mode 100644
index 000000000..ce2ff7b9d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/03.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi b/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi
new file mode 100755
index 000000000..c53cb9a76
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/ocsp/ocsp.cgi
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/openssl/sales
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+/usr/bin/openssl ocsp -index index.txt -CA salesCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout
diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem
new file mode 100644
index 000000000..ce2ff7b9d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/ocspCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem
new file mode 100644
index 000000000..5d10a3467
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/sales/ocspKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAxoAdtFk8xFVDRg1P4sMTf3sm5mAENq1MrcaMilB6DfEO7QE4
+O28B9x6zHXOSVQAOLolhXazcOxhrvkCVa2Ivu43be+n33HJOnkIy5plbBqeE9elP
+dNGcxYesy54bPSv0sPMohjEHGJ3G5Uk+Epd2Hel3YmP32R7HLGxY8VaTxscHm2Tz
+4q7pHlgxS1MFTsnOQO6XajZb5n8ubYjuQ7PIUDEMlaqZpQ2ME0M98mUtvl+CJ/Bq
+4LwZ1Gf3rRs6vDft9PcF/4Nlr3CmA6Vi6rtysZMC/kE02ISDOjb0F7Txgn9zOcgb
+aDaj84CKl73rk6DMCcBfrg2XXQVowHiNRvifAQIDAQABAoIBAQCUOZL02zYfPbPw
+mXwvzo++wA16NfSvh5UcpojHt/SMeJc2r5R3/Rqwl8IUmfqJcnMkmP2V38DMeB3s
+gXmSKE2QdguRalLl0I2Ya8Jqo9VvEKSepMvqZaP1dKy5l6SrdylPASQfoHi2Dws4
+qAqsA2H2UCIP3Kp0/SCpsXZxML9EzIWtYtvrqJ0p0EI9ZzEn5uFok91qTYqD9c3T
+v142OyfmHlwICLy7UlFkmawrV4PIIP2RGTRgr2b16Vis7mAkRC7blsFXUEBb8hwE
+SmISdZYXc+NCesonXYGeRhln8PPLI3/T+HHH8G2eFhyQISHgE0CbjK+zvFcAddvD
+BbeceDPhAoGBAOkXwIklHvzSj4QoCi572QNkNIkxlIa6PL3I2ygJczeB1vj9kvVc
+CV2onhvBL3FGy0BJrQI7UBySW59/GdSs+WJFQWlIwI9QglDS8itAQK6+9zeyg69U
+NbGw784NGn5cP3F4P3QCGEUg5Oj8t0iE8gKbljz6rlSjO5uhXYOYf0rtAoGBANoC
+E0noRtG4QloEbIiHjLbnNAjabOO9KNm9FLZZFnGvTHQ1690i+GBOXC/cbP3jo6tz
+07+Ob/+IKhXhEj9opGu8ZvEfarHmBEWxj6TdvFmlaHEcEFD0LqGu5ssSfW3S3AEB
+Z3rBLkEeJYUYQqCU+vgZHEbrLWeBt33AIeB1nN3lAoGAL0LJnwUPy2NGBh24MsSZ
+s75ViJus6cRJHJHlHbEM02xYEhQX//exTnQp2qbI38bi3x4RHiq4i5KBUU2MBzsr
+NWmlYZuGr4g7Y/fhcjOM6eF+bqSbXqlMWcLuXHD7tjMuCeu/sd3a3elVgIf9AY8z
+IqQ5ShPp1O9j3qJRO6Vn6eECgYBIu9KFoOonxArXD4zKTDcFOsPghEc5//0mD/Be
+GgDj8vFWADtt7uHg96PIEAmI9y6+4Ajwauww29P2sr2szBO3IgdSQQIO0kfwnJnp
+DlVtr0LWId/LsnvwU3MKo2OXhXcDGt3UValB7nXkHsDz5GCK743Al2vxkZSPbs+e
+nH62hQKBgQC8AouEwXXXQD8+MnW+qcIbaAzVMirc94sI3fQH1AnfiZHH6aMCOh/4
+xoh/RzylotQlOk1xjCOB4O/Hhd+MAnlH9ZawCnRdvB/4usxd4j2AYr0Np7Q+VUyx
+EFejvkdm20j1dh29jfSbiXHd2RCoFimX0Dr3weiRqffqi9aV2tdqLQ==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
index adb204bc2..687956d60 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf
@@ -145,7 +145,7 @@ keyUsage = digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = DNS:$ENV::COMMON_NAME
-#extendedKeyUsage = OCSPSigner
+#extendedKeyUsage = OCSPSigning
crlDistributionPoints = URI:http://crl.strongswan.org/sales.crl
####################################################################
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial
index 75016ea36..64969239d 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/serial
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial
@@ -1 +1 @@
-03
+04
diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old
index 9e22bcb8e..75016ea36 100644
--- a/testing/hosts/winnetou/etc/openssl/sales/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old
@@ -1 +1 @@
-02
+03
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index b1bd38b62..8351c1939 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-13
+14
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index 48082f72f..b1bd38b62 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-12
+13
diff --git a/testing/hosts/winnetou/etc/openssl/start-ocsp b/testing/hosts/winnetou/etc/openssl/start-ocsp
deleted file mode 100755
index bdc5dab38..000000000
--- a/testing/hosts/winnetou/etc/openssl/start-ocsp
+++ /dev/null
@@ -1,20 +0,0 @@
-#! /bin/sh
-# start an OpenSSL-based OCSP server
-#
-# Copyright (C) 2004 Andreas Steffen
-# Zuercher Hochschule Winterthur
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: start-ocsp,v 1.3 2005/01/01 18:12:14 as Exp $
-
-cd /etc/openssl
-openssl ocsp -index index.txt -CA strongswanCert.pem -port 8880 -rkey ocspKey.pem -rsigner ocspCert.pem -nmin 5 < /dev/null > /dev/null 2>&1 &
diff --git a/testing/scripts/build-hostconfig b/testing/scripts/build-hostconfig
index 28b321a70..1dd268719 100755
--- a/testing/scripts/build-hostconfig
+++ b/testing/scripts/build-hostconfig
@@ -14,7 +14,7 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
-# RCSID $Id: build-hostconfig,v 1.4 2006/10/19 21:38:45 as Exp $
+# RCSID $Id: build-hostconfig,v 1.3 2005/02/08 10:40:48 as Exp $
DIR=`dirname $0`
diff --git a/testing/scripts/build-sshkeys b/testing/scripts/build-sshkeys
index 2faa3963d..23f62e005 100755
--- a/testing/scripts/build-sshkeys
+++ b/testing/scripts/build-sshkeys
@@ -14,7 +14,7 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
-# RCSID $Id: build-sshkeys,v 1.3 2006/10/19 21:38:45 as Exp $
+# RCSID $Id: build-sshkeys,v 1.2 2005/02/15 14:12:16 as Exp $
DIR=`dirname $0`
diff --git a/testing/scripts/build-umlhostfs b/testing/scripts/build-umlhostfs
index e77bfc025..69ad9fe02 100755
--- a/testing/scripts/build-umlhostfs
+++ b/testing/scripts/build-umlhostfs
@@ -68,6 +68,7 @@ do
cp -rfp $BUILDDIR/hosts/${host}/etc $LOOPDIR
if [ "$host" = "winnetou" ]
then
+ mkdir $LOOPDIR/var/log/apache2/ocsp
cp -rfp $UMLTESTDIR/testing/images $LOOPDIR/var/www/localhost/htdocs
chroot $LOOPDIR /etc/openssl/generate-crl >> $LOGFILE 2>&1
fi
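Review bot: The added `mkdir $LOOPDIR/var/log/apache2/ocsp` fails when the directory already exists or when `var/log/apache2` is missing from the image, and its error is not sent to `$LOGFILE` like the neighbouring `chroot` line. I would write it as `mkdir -p "$LOOPDIR/var/log/apache2/ocsp" >> $LOGFILE 2>&1`. The enclosing `for` loop starts and ends outside this hunk.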
diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs
index 1d534c81b..f839e3e8e 100755
--- a/testing/scripts/build-umlrootfs
+++ b/testing/scripts/build-umlrootfs
@@ -14,7 +14,7 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
-# RCSID $Id: build-umlrootfs,v 1.12 2006/10/20 14:26:05 as Exp $
+# RCSID $Id: build-umlrootfs,v 1.11 2006/01/08 22:29:56 as Exp $
DIR=`dirname $0`
@@ -89,7 +89,6 @@ mount -o loop gentoo-fs $LOOPDIR >> $LOGFILE 2>&1
tar xjpf $ROOTFS -C $LOOPDIR >> $LOGFILE 2>&1
cecho "done"
-
######################################################
# remove /etc/resolv.conf
#
@@ -102,14 +101,21 @@ rm -f $LOOPDIR/etc/resolv.conf
cecho " * Copying '$HOSTCONFIGDIR/default/etc/hosts' to the root filesystem"
cp -fp $HOSTCONFIGDIR/default/etc/hosts $LOOPDIR/etc/hosts
-#
#####################################################
# extracting strongSwan into the root filesystem
#
-
cecho " * Extracting strongSwan into the root filesystem"
tar xjf $STRONGSWAN -C $LOOPDIR/root >> $LOGFILE 2>&1
+######################################################
+# setting up mountpoint for shared source tree
+#
+if [ "${SHAREDTREE+set}" = "set" ]; then
+ cecho " * setting up shared strongswan tree at '$SHAREDTREE'"
+ mkdir $LOOPDIR/root/strongswan-shared
+ echo "" >> $LOOPDIR/etc/fstab
+ echo "none /root/strongswan-shared hostfs $SHAREDTREE" >> $LOOPDIR/etc/fstab
+fi
######################################################
# installing strongSwan and setting the local timezone
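Review bot: In the new `SHAREDTREE` block, `$SHAREDTREE` is written unquoted into the options field of the fstab line, so a path containing whitespace yields a malformed entry, and `mkdir` without `-p` fails if the mount point is already present in the root filesystem. The hostfs entry also makes the host directory reachable by root inside every guest built from this image, which deserves a comment next to the block, e.g. `# guests reach $SHAREDTREE on the host through hostfs; point it at a tree that holds nothing sensitive`. For the mount point I would use `mkdir -p "$LOOPDIR/root/strongswan-shared"`.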
@@ -120,20 +126,27 @@ INSTALLSHELL=${LOOPDIR}/install.sh
cecho " * Preparing strongSwan installation script"
echo "ln -sf /usr/share/zoneinfo/${TZUML} /etc/localtime" >> $INSTALLSHELL
+echo "cd /root/${STRONGSWANVERSION}" >> $INSTALLSHELL
+echo -n "./configure --sysconfdir=/etc" >> $INSTALLSHELL
+echo -n " --with-random-device=/dev/urandom" >> $INSTALLSHELL
if [ "$USE_LIBCURL" = "yes" ]
then
- echo "export USE_LIBCURL=true" >> $INSTALLSHELL
+ echo -n " --enable-http" >> $INSTALLSHELL
fi
if [ "$USE_LDAP" = "yes" ]
then
- echo "export USE_LDAP=true" >> $INSTALLSHELL
+ echo -n " --enable-ldap" >> $INSTALLSHELL
fi
-echo "export USERCOMPILE=\'-DRANDOM_DEVICE=\\\"/dev/urandom\\\"\'" >> $INSTALLSHELL
-echo "cd /root/${STRONGSWANVERSION}" >> $INSTALLSHELL
-echo "make programs" >> $INSTALLSHELL
+if [ "$USE_LEAK_DETECTIVE" = "yes" ]
+then
+ echo -n " --enable-leak-detective" >> $INSTALLSHELL
+fi
+echo "" >> $INSTALLSHELL
+echo "make" >> $INSTALLSHELL
echo "make install" >> $INSTALLSHELL
+echo "ldconfig" >> $INSTALLSHELL
cecho-n " * Compiling $STRONGSWANVERSION within the root file system as chroot.."
chroot $LOOPDIR /bin/bash /install.sh >> $LOGFILE 2>&1
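Review bot: The generated install.sh runs `./configure`, `make`, `make install` and `ldconfig` as independent lines, so a failed `./configure` or `make` does not stop the script and the only trace is in `$LOGFILE`; the `chroot` call at the end of the hunk does not test the exit status either. Emitting `echo "set -e" >> $INSTALLSHELL` before the `ln -sf` line and checking the result of the `chroot` line would stop the build at the first failing step. The configure line is assembled with `echo -n`; `printf` is the portable form if this script is ever run by a shell whose `echo` does not honour `-n`.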
@@ -159,7 +172,7 @@ cp $LOOPDIR/etc/ssh/ssh_host_rsa_key $LOOPDIR/root/.ssh/id_rsa
for host in $STRONGSWANHOSTS
do
- eval ip="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+ eval ip="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F- '{ print $1 }' | awk '{ print $1 }'`"
echo "$host,$ip `cat $HOSTCONFIGDIR/ssh_host_rsa_key.pub`" >> $LOOPDIR/root/.ssh/known_hosts
echo "`cat $HOSTCONFIGDIR/ssh_host_rsa_key.pub` root@$host" >> $LOOPDIR/root/.ssh/authorized_keys
done
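Review bot: The address lookup in this loop now splits on `-` (`awk -F- '{ print $1 }'`), while install-shared and shutdown-umls, added by the same commit, and load-testconfig keep `awk -F,` for the same `$HOSTNAMEIPV4` lookup. `HOSTNAMEIPV4` is defined outside this hunk, so I cannot tell which separator is right; if the entries are comma-separated, `$ip` now carries every address of the host rather than the first one. If that is intended so that known_hosts lists all addresses, a comment such as `# keep all addresses of the host: known_hosts accepts a comma-separated list` would make the difference from the other scripts explicit.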
diff --git a/testing/scripts/install-shared b/testing/scripts/install-shared
new file mode 100755
index 000000000..4cfac9e77
--- /dev/null
+++ b/testing/scripts/install-shared
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Install strongSwan from mounted strongswan-shared tree
+#
+# Copyright (C) 2006 Martin Willi
+# Hochschule fuer Technik Rapperswil
+# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
+
+source $DIR/../testing.conf
+
+cecho "installing strongSwan from shared tree"
+cecho-n " on: "
+
+for host in $STRONGSWANHOSTS
+do
+ eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+ cecho-n "$host... "
+ ssh $HOSTLOGIN 'cd ~/strongswan-shared && make install' > /dev/null
+done
+
+cecho
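Review bot: The loop prints each host name and moves on whatever `ssh` returns, so an unreachable host or a failing `make install` goes unnoticed; stdout is discarded as well. Checking the status, e.g. `ssh $HOSTLOGIN 'cd ~/strongswan-shared && make install' > /dev/null || die "make install failed on $host"`, would stop at the first failure (`die` is already used above for the missing testing.conf). The `eval` around the `HOSTLOGIN` assignment re-parses text taken from testing.conf and does not look necessary for a plain command substitution; `HOSTLOGIN="root@$(...)"` should give the same value without it.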
diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls
index 21baee52c..8379438c8 100755
--- a/testing/scripts/kstart-umls
+++ b/testing/scripts/kstart-umls
@@ -14,7 +14,7 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
-# RCSID $Id: kstart-umls,v 1.7 2007/01/11 20:32:01 as Exp $
+# RCSID $Id: kstart-umls,v 1.6 2005/08/30 22:13:12 as Exp $
DIR=`dirname $0`
diff --git a/testing/scripts/load-testconfig b/testing/scripts/load-testconfig
index 9c0477e54..6558018c2 100755
--- a/testing/scripts/load-testconfig
+++ b/testing/scripts/load-testconfig
@@ -14,7 +14,7 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
-# RCSID $Id: load-testconfig,v 1.3 2006/10/19 21:38:45 as Exp $
+# RCSID $Id: load-testconfig,v 1.2 2004/12/13 21:02:42 as Exp $
DIR=`dirname $0`
@@ -53,12 +53,12 @@ fi
##########################################################################
-# clear the auth.log where IKE messages are logged
+# clear auth.log and daemon.log where IKE messages are logged
#
for host in $IPSECHOSTS
do
eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
- ssh $HOSTLOGIN 'rm -f /var/log/auth.log; \
+ ssh $HOSTLOGIN 'rm -f /var/log/auth.log /var/log/daemon.log; \
kill -SIGHUP `cat /var/run/syslogd.pid`' > /dev/null 2>&1
done
diff --git a/testing/scripts/restore-defaults b/testing/scripts/restore-defaults
index 03f723e82..b1dae1ea2 100755
--- a/testing/scripts/restore-defaults
+++ b/testing/scripts/restore-defaults
@@ -14,7 +14,7 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
-# RCSID $Id: restore-defaults,v 1.3 2006/10/19 21:40:27 as Exp $
+# RCSID $Id: restore-defaults,v 1.2 2004/12/20 07:56:33 as Exp $
DIR=`dirname $0`
diff --git a/testing/scripts/shutdown-umls b/testing/scripts/shutdown-umls
new file mode 100755
index 000000000..e71e46602
--- /dev/null
+++ b/testing/scripts/shutdown-umls
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Install strongSwan from mounted strongswan-shared tree
+#
+# Copyright (C) 2006 Martin Willi
+# Hochschule fuer Technik Rapperswil
+# Copyright (C) 2004 Eric Marchionni, Patrik Rayo
+# Zuercher Hochschule Winterthur
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+#
+
+DIR=`dirname $0`
+
+source $DIR/function.sh
+
+[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found"
+
+source $DIR/../testing.conf
+
+cecho "shutting down"
+cecho-n " "
+
+for host in $STRONGSWANHOSTS
+do
+ eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+ cecho-n "$host... "
+ ssh $HOSTLOGIN 'shutdown now -h' > /dev/null
+done
+
+cecho
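Review bot: The header comment on the second line still reads `# Install strongSwan from mounted strongswan-shared tree`, copied from install-shared; it should describe this script, e.g. `# Shut down the strongSwan UML instances`. As in install-shared, the result of `ssh` is ignored, so a host that could not be reached is reported the same way as one that was shut down.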
diff --git a/testing/scripts/start-switches b/testing/scripts/start-switches
index c90c9f86d..82433babe 100755
--- a/testing/scripts/start-switches
+++ b/testing/scripts/start-switches
@@ -31,7 +31,7 @@ do
cecho " * Great, umlswitch$n is already running!"
else
cecho-n " * Starting umlswitch$n.."
- uml_switch -tap tap$n -unix /tmp/umlswitch$n >/dev/null </dev/null &
+ uml_switch -hub -tap tap$n -unix /tmp/umlswitch$n >/dev/null </dev/null &
sleep 2
eval ifconfig "tap$n \$IFCONFIG_$n up"
cecho "done"
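Review bot: The new `-hub` option is added without a comment; in hub mode uml_switch forwards every frame to all attached ports, so each UML instance on the switch can see the other instances' traffic. If that is wanted for the tcpdump-based checks (my inference, the hunk does not say), I would state it above the line: `# hub mode: every port sees all frames, needed for the tcpdump checks`. The surrounding loop and `if` begin outside this hunk.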
diff --git a/testing/scripts/start-umls b/testing/scripts/start-umls
index 89d9e0d81..1b875a696 100755
--- a/testing/scripts/start-umls
+++ b/testing/scripts/start-umls
@@ -14,7 +14,7 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
-# RCSID $Id: start-umls,v 1.6 2007/01/11 20:32:01 as Exp $
+# RCSID $Id: start-umls,v 1.5 2005/08/30 22:13:12 as Exp $
DIR=`dirname $0`
diff --git a/testing/scripts/xstart-umls b/testing/scripts/xstart-umls
index 5983d405f..9efbd1497 100755
--- a/testing/scripts/xstart-umls
+++ b/testing/scripts/xstart-umls
@@ -14,7 +14,7 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
-# RCSID $Id: xstart-umls,v 1.7 2007/01/11 20:32:01 as Exp $
+# RCSID $Id: xstart-umls,v 1.6 2005/08/30 22:13:12 as Exp $
DIR=`dirname $0`
diff --git a/testing/start-testing b/testing/start-testing
index 375a82be5..28f9c3bf5 100755
--- a/testing/start-testing
+++ b/testing/start-testing
@@ -47,6 +47,10 @@ case $UMLSTARTMODE in
cecho "Start the uml instances (scripts/kstart-umls)"
$DIR/scripts/kstart-umls $HOSTS
;;
+ gnome-terminal)
+ cecho "Start the uml instances (scripts/gstart-umls)"
+ $DIR/scripts/gstart-umls $HOSTS
+ ;;
xterm)
cecho "Start the uml instances (scripts/xstart-umls)"
$DIR/scripts/xstart-umls $HOSTS
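Review bot: The new `gnome-terminal)` branch calls `$DIR/scripts/gstart-umls`, but no `testing/scripts/gstart-umls` shows up among the scripts in this part of the diff, where it would sort between build-umlrootfs and install-shared. If the script is not already in the tree, selecting `UMLSTARTMODE="gnome-terminal"` ends in a command-not-found and no UML instance is started. Either add the script in the same change or leave the branch out until it exists. The `case` statement begins and ends outside the hunk.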
diff --git a/testing/testing.conf b/testing/testing.conf
index 32169d985..d4d6767c9 100755
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -14,14 +14,14 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
-# RCSID $Id: testing.conf,v 1.60 2007/02/21 22:17:52 as Exp $
+# RCSID $Id: testing.conf,v 1.52 2006/04/24 16:58:03 as Exp $
# Root directory of testing
-UMLTESTDIR=~/strongswan-testing
+UMLTESTDIR=/home/strongswan-testing
# Bzipped kernel sources
# (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.20.1.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.20.3.tar.bz2
# Extract kernel version
KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
@@ -30,15 +30,15 @@ KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
KERNELCONFIG=$UMLTESTDIR/.config-2.6.20
# Bzipped uml patch for kernel
-# (not needed anymore for 2.6.9 kernel or higher)
UMLPATCH=$UMLTESTDIR/uml_jmpbuf-2.6.18.patch.bz2
# Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-2.8.3.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.1.0.tar.bz2
# strongSwan compile options (use "yes" or "no")
USE_LIBCURL="yes"
USE_LDAP="yes"
+USE_LEAK_DETECTIVE="no"
# Gentoo linux root filesystem
ROOTFS=$UMLTESTDIR/gentoo-fs-20061006.tar.bz2
@@ -49,17 +49,22 @@ ROOTFSSIZE=544
# Amount of Memory to use per UML [MB].
# If "auto" is stated 1/12 of total host ram will be used.
# Examples: MEM=64, MEM="128", MEM="auto"
-MEM=64
+MEM=96
# Directory where the UML kernels and file system will be built
BUILDDIR=$UMLTESTDIR/umlbuild
# Filename of the built UML Kernel
-UMLKERNEL=$BUILDDIR/linux-uml-$KERNELVERSION
+UMLKERNEL=$UMLTESTDIR/linux
# Directory where test results will be stored
TESTRESULTSDIR=$UMLTESTDIR/testresults
+# Path to a full strongswan tree on the host system, which is
+# mounted into /root/strongswan-shared. This gives us an easy
+# way to apply and test changes instantly.
+SHAREDTREE=/home/martin/strongswan/trunk
+
# Timezone for the UMLs, look in /usr/share/zoneinfo!
TZUML="Europe/Zurich"
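Review bot: `SHAREDTREE=/home/martin/strongswan/trunk` commits one developer's home directory as the default, and build-umlrootfs in this commit tests `${SHAREDTREE+set}`, so with this file every root filesystem gets a hostfs fstab entry for that path whether or not it exists on the build host. I would ship the line commented out, `#SHAREDTREE=/path/to/strongswan/trunk`, so the shared mount is opt-in. The first hunk of this file has the same kind of local setting in `UMLTESTDIR=/home/strongswan-testing`, which replaces the per-user `~/strongswan-testing`.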
@@ -67,22 +72,22 @@ TZUML="Europe/Zurich"
# Enable particular steps in the make-testing and
# start-testing scripts
#
-ENABLE_BUILD_UMLKERNEL="yes"
+ENABLE_BUILD_UMLKERNEL="no"
ENABLE_BUILD_SSHKEYS="yes"
ENABLE_BUILD_HOSTCONFIG="yes"
ENABLE_BUILD_UMLROOTFS="yes"
ENABLE_BUILD_UMLHOSTFS="yes"
-ENABLE_START_TESTING="yes"
-ENABLE_DO_TESTS="yes"
+ENABLE_START_TESTING="no"
+ENABLE_DO_TESTS="no"
ENABLE_STOP_TESTING="no"
##############################################################
# How to start the UMLs?
#
# Start the UML instance in KDE konsole (requires KDE)
-UMLSTARTMODE="konsole"
+#UMLSTARTMODE="gnome-terminal"
# Start the UML instance in an xterm (requires X11R6)
-# UMLSTARTMODE="xterm"
+UMLSTARTMODE="xterm"
# Start the UML instance without a terminal window
# but screen -r <host> can open a window anytime
# UMLSTARTMODE="screen"
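Review bot: After this change the comment `# Start the UML instance in KDE konsole (requires KDE)` sits above `#UMLSTARTMODE="gnome-terminal"`, and the `konsole` setting is gone although start-testing still has a branch that runs scripts/kstart-umls. I would keep `# UMLSTARTMODE="konsole"` under its comment and give the new mode its own comment line, `# Start the UML instance in a gnome-terminal`. The same hunk also turns `ENABLE_BUILD_UMLKERNEL`, `ENABLE_START_TESTING` and `ENABLE_DO_TESTS` to "no", which looks like a local working state rather than a default and is worth confirming.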
@@ -95,7 +100,7 @@ SELECTEDTESTSONLY="no"
# Tests to do if $SELECTEDTESTSONLY is set "yes".
#
-SELECTEDTESTS="net2net-cert"
+SELECTEDTESTS="ikev2-net2net ikev2-rw"
##############################################################
# hostname and corresponding IPv4 and IPv6 addresses
@@ -158,3 +163,7 @@ SWITCH_dave="eth0=daemon,fe:fd:c0:a8:00:c8,unix,/tmp/umlswitch0"
SWITCH_sun="eth0=daemon,fe:fd:c0:a8:00:02,unix,/tmp/umlswitch0 \
eth1=daemon,fe:fd:0a:02:00:01,unix,/tmp/umlswitch2"
SWITCH_bob="eth0=daemon,fe:fd:0a:02:00:0a,unix,/tmp/umlswitch2"
+
+
+
+
diff --git a/testing/tests/compress/hosts/carol/etc/ipsec.conf b/testing/tests/compress/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 9462ba5e6..000000000
--- a/testing/tests/compress/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version 2.0 # conforms to second version of ipsec.conf specification
-
-config setup
- plutodebug="control crypt"
- crlcheckinterval=180
- strictcrlpolicy=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- compress=yes
-
-conn home
- left=PH_IP_CAROL
- leftnexthop=%direct
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index ae8d2b772..000000000
--- a/testing/tests/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version 2.0 # conforms to second version of ipsec.conf specification
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- ike=3des-sha
- esp=3des-sha1
-conn home
- left=PH_IP_CAROL
- leftnexthop=%direct
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index ae8d2b772..000000000
--- a/testing/tests/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version 2.0 # conforms to second version of ipsec.conf specification
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- ike=3des-sha
- esp=3des-sha1
-conn home
- left=PH_IP_CAROL
- leftnexthop=%direct
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
diff --git a/testing/tests/ike/rw-cert/description.txt b/testing/tests/ike/rw-cert/description.txt
new file mode 100644
index 000000000..b48a89026
--- /dev/null
+++ b/testing/tests/ike/rw-cert/description.txt
@@ -0,0 +1,5 @@
+Roadwarrior <b>carol</b> sets up an IKEv1 connection and roadwarrior <b>dave</b>
+an IKEv2 tunnel, respectively, to the gateway <b>moon</b>.
+In order to test the established tunnels, both roadwarriors ping the client <b>alice</b>
+in the subnet behind gateway <b>moon</b>.
+.
diff --git a/testing/tests/ike/rw-cert/evaltest.dat b/testing/tests/ike/rw-cert/evaltest.dat
new file mode 100644
index 000000000..71496d2f2
--- /dev/null
+++ b/testing/tests/ike/rw-cert/evaltest.dat
@@ -0,0 +1,11 @@
+moon::ipsec statusall::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..5d78605e9
--- /dev/null
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..841a67491
--- /dev/null
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ike/rw-cert/posttest.dat
index ed530f6d9..ed530f6d9 100644
--- a/testing/tests/rw-psk-rsa-mixed/posttest.dat
+++ b/testing/tests/ike/rw-cert/posttest.dat
diff --git a/testing/tests/ike/rw-cert/pretest.dat b/testing/tests/ike/rw-cert/pretest.dat
new file mode 100644
index 000000000..587b6aeed
--- /dev/null
+++ b/testing/tests/ike/rw-cert/pretest.dat
@@ -0,0 +1,8 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ike/rw-cert/test.conf b/testing/tests/ike/rw-cert/test.conf
new file mode 100644
index 000000000..845a6dcd7
--- /dev/null
+++ b/testing/tests/ike/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ike/rw_v1-net_v2/description.txt b/testing/tests/ike/rw_v1-net_v2/description.txt
new file mode 100644
index 000000000..292e09d40
--- /dev/null
+++ b/testing/tests/ike/rw_v1-net_v2/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
+is set up using the IKEv2 key exchange protocol whereas the roadwarrior <b>carol</b>
+negotiates the connection via the IKEv1 protocol.
+In order to test the established tunnels, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b> and roadwarrior <b>carol</b>
+pings the client <b>alice</b> behind <b>moon</b>.
+.
diff --git a/testing/tests/ike/rw_v1-net_v2/evaltest.dat b/testing/tests/ike/rw_v1-net_v2/evaltest.dat
new file mode 100644
index 000000000..4eace50b7
--- /dev/null
+++ b/testing/tests/ike/rw_v1-net_v2/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..b72a3e939
--- /dev/null
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+
+conn net-net
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ keyexchange=ikev2
+ auto=add
+
+conn rw
+ right=%any
+ rightid=carol@strongswan.org
+ keyexchange=ikev1
+ auto=add
+
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/ipsec.conf b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..e5a9fe396
--- /dev/null
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,15 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ocsp-strict/posttest.dat b/testing/tests/ike/rw_v1-net_v2/posttest.dat
index 117f625f6..0980371a5 100644
--- a/testing/tests/ocsp-strict/posttest.dat
+++ b/testing/tests/ike/rw_v1-net_v2/posttest.dat
@@ -1,3 +1,3 @@
-moon::ipsec stop
carol::ipsec stop
-winnetou::killall openssl
+moon::ipsec stop
+sun::ipsec stop
diff --git a/testing/tests/ike/rw_v1-net_v2/pretest.dat b/testing/tests/ike/rw_v1-net_v2/pretest.dat
new file mode 100644
index 000000000..03b8dc218
--- /dev/null
+++ b/testing/tests/ike/rw_v1-net_v2/pretest.dat
@@ -0,0 +1,9 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::ipsec start
+sun::ipsec start
+carol::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
+carol::ipsec up home
+moon::sleep 1
diff --git a/testing/tests/ike/rw_v1-net_v2/test.conf b/testing/tests/ike/rw_v1-net_v2/test.conf
new file mode 100644
index 000000000..983881e5d
--- /dev/null
+++ b/testing/tests/ike/rw_v1-net_v2/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="carol moon sun"
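Review bot: `UMLHOSTS` lists `alice moon winnetou sun bob`, but this test's pretest.dat runs `carol::ipsec start`, evaltest.dat checks `carol::ipsec status`, and `IPSECHOSTS` in this same file names `carol`. If the framework only prepares the instances named in `UMLHOSTS`, carol is left out of the run; I would use `UMLHOSTS="alice moon carol winnetou sun bob"`. `DIAGRAM="a-m-w-s-b.png"` would then need the matching diagram that includes carol, if one exists.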
diff --git a/testing/tests/alg-blowfish/description.txt b/testing/tests/ikev1/alg-blowfish/description.txt
index cff0a1915..cff0a1915 100644
--- a/testing/tests/alg-blowfish/description.txt
+++ b/testing/tests/ikev1/alg-blowfish/description.txt
diff --git a/testing/tests/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat
index a9c9b803a..a9c9b803a 100644
--- a/testing/tests/alg-blowfish/evaltest.dat
+++ b/testing/tests/ikev1/alg-blowfish/evaltest.dat
diff --git a/testing/tests/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
index fa68c9d3d..04d5b977b 100755
--- a/testing/tests/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
index 39916a7ba..80163ffcd 100755
--- a/testing/tests/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/alg-blowfish/posttest.dat b/testing/tests/ikev1/alg-blowfish/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/alg-blowfish/posttest.dat
+++ b/testing/tests/ikev1/alg-blowfish/posttest.dat
diff --git a/testing/tests/alg-blowfish/pretest.dat b/testing/tests/ikev1/alg-blowfish/pretest.dat
index 6d2eeb5f9..6d2eeb5f9 100644
--- a/testing/tests/alg-blowfish/pretest.dat
+++ b/testing/tests/ikev1/alg-blowfish/pretest.dat
diff --git a/testing/tests/alg-blowfish/test.conf b/testing/tests/ikev1/alg-blowfish/test.conf
index a6c8f026c..a6c8f026c 100644
--- a/testing/tests/alg-blowfish/test.conf
+++ b/testing/tests/ikev1/alg-blowfish/test.conf
diff --git a/testing/tests/alg-serpent/description.txt b/testing/tests/ikev1/alg-serpent/description.txt
index f49c0a1c0..f49c0a1c0 100644
--- a/testing/tests/alg-serpent/description.txt
+++ b/testing/tests/ikev1/alg-serpent/description.txt
diff --git a/testing/tests/alg-serpent/evaltest.dat b/testing/tests/ikev1/alg-serpent/evaltest.dat
index 6b792538b..6b792538b 100644
--- a/testing/tests/alg-serpent/evaltest.dat
+++ b/testing/tests/ikev1/alg-serpent/evaltest.dat
diff --git a/testing/tests/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
index 5d2369924..09cd583b4 100755
--- a/testing/tests/alg-serpent/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
index 7bdddf008..ca1eb7b19 100755
--- a/testing/tests/alg-serpent/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
-
+ charonstart=no
+
conn %default
ikelifetime=60m
keylife=20m
diff --git a/testing/tests/alg-serpent/posttest.dat b/testing/tests/ikev1/alg-serpent/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/alg-serpent/posttest.dat
+++ b/testing/tests/ikev1/alg-serpent/posttest.dat
diff --git a/testing/tests/alg-serpent/pretest.dat b/testing/tests/ikev1/alg-serpent/pretest.dat
index 6d2eeb5f9..6d2eeb5f9 100644
--- a/testing/tests/alg-serpent/pretest.dat
+++ b/testing/tests/ikev1/alg-serpent/pretest.dat
diff --git a/testing/tests/alg-serpent/test.conf b/testing/tests/ikev1/alg-serpent/test.conf
index a6c8f026c..a6c8f026c 100644
--- a/testing/tests/alg-serpent/test.conf
+++ b/testing/tests/ikev1/alg-serpent/test.conf
diff --git a/testing/tests/alg-sha-equals-sha1/description.txt b/testing/tests/ikev1/alg-sha-equals-sha1/description.txt
index aeb2e1a88..aeb2e1a88 100644
--- a/testing/tests/alg-sha-equals-sha1/description.txt
+++ b/testing/tests/ikev1/alg-sha-equals-sha1/description.txt
diff --git a/testing/tests/alg-sha-equals-sha1/evaltest.dat b/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat
index c3656c690..c3656c690 100644
--- a/testing/tests/alg-sha-equals-sha1/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat
diff --git a/testing/tests/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf
index c7328faae..7c1ee3bb5 100755
--- a/testing/tests/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -24,3 +23,4 @@ conn home
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
auto=add
+
diff --git a/testing/tests/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf
index 398c07fa9..7d00b538f 100755
--- a/testing/tests/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -24,3 +23,4 @@ conn rw
right=%any
rightid=carol@strongswan.org
auto=add
+
diff --git a/testing/tests/alg-sha-equals-sha1/posttest.dat b/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/alg-sha-equals-sha1/posttest.dat
+++ b/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat
diff --git a/testing/tests/alg-sha-equals-sha1/pretest.dat b/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat
index 7d077c126..7d077c126 100644
--- a/testing/tests/alg-sha-equals-sha1/pretest.dat
+++ b/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat
diff --git a/testing/tests/alg-sha-equals-sha1/test.conf b/testing/tests/ikev1/alg-sha-equals-sha1/test.conf
index a6c8f026c..a6c8f026c 100644
--- a/testing/tests/alg-sha-equals-sha1/test.conf
+++ b/testing/tests/ikev1/alg-sha-equals-sha1/test.conf
diff --git a/testing/tests/alg-sha2_256/description.txt b/testing/tests/ikev1/alg-sha2_256/description.txt
index 900fcf017..900fcf017 100644
--- a/testing/tests/alg-sha2_256/description.txt
+++ b/testing/tests/ikev1/alg-sha2_256/description.txt
diff --git a/testing/tests/alg-sha2_256/evaltest.dat b/testing/tests/ikev1/alg-sha2_256/evaltest.dat
index 9b4caa278..9b4caa278 100644
--- a/testing/tests/alg-sha2_256/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha2_256/evaltest.dat
diff --git a/testing/tests/alg-sha2_256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf
index c55ae8ab1..b10fb08b9 100755
--- a/testing/tests/alg-sha2_256/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha2_256/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/alg-sha2_256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf
index 748b1b85c..de832729b 100755
--- a/testing/tests/alg-sha2_256/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha2_256/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/alg-sha2_256/posttest.dat b/testing/tests/ikev1/alg-sha2_256/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/alg-sha2_256/posttest.dat
+++ b/testing/tests/ikev1/alg-sha2_256/posttest.dat
diff --git a/testing/tests/alg-sha2_256/pretest.dat b/testing/tests/ikev1/alg-sha2_256/pretest.dat
index 7d077c126..7d077c126 100644
--- a/testing/tests/alg-sha2_256/pretest.dat
+++ b/testing/tests/ikev1/alg-sha2_256/pretest.dat
diff --git a/testing/tests/alg-sha2_256/test.conf b/testing/tests/ikev1/alg-sha2_256/test.conf
index a6c8f026c..a6c8f026c 100644
--- a/testing/tests/alg-sha2_256/test.conf
+++ b/testing/tests/ikev1/alg-sha2_256/test.conf
diff --git a/testing/tests/alg-twofish/description.txt b/testing/tests/ikev1/alg-twofish/description.txt
index 0015561ee..0015561ee 100644
--- a/testing/tests/alg-twofish/description.txt
+++ b/testing/tests/ikev1/alg-twofish/description.txt
diff --git a/testing/tests/alg-twofish/evaltest.dat b/testing/tests/ikev1/alg-twofish/evaltest.dat
index 0568eec6e..0568eec6e 100644
--- a/testing/tests/alg-twofish/evaltest.dat
+++ b/testing/tests/ikev1/alg-twofish/evaltest.dat
diff --git a/testing/tests/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
index 8e3037a3b..95ddeb2b8 100755
--- a/testing/tests/alg-twofish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
index 01004e94e..2d7904563 100755
--- a/testing/tests/alg-twofish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/alg-twofish/posttest.dat b/testing/tests/ikev1/alg-twofish/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/alg-twofish/posttest.dat
+++ b/testing/tests/ikev1/alg-twofish/posttest.dat
diff --git a/testing/tests/alg-twofish/pretest.dat b/testing/tests/ikev1/alg-twofish/pretest.dat
index 7d077c126..7d077c126 100644
--- a/testing/tests/alg-twofish/pretest.dat
+++ b/testing/tests/ikev1/alg-twofish/pretest.dat
diff --git a/testing/tests/alg-twofish/test.conf b/testing/tests/ikev1/alg-twofish/test.conf
index a6c8f026c..a6c8f026c 100644
--- a/testing/tests/alg-twofish/test.conf
+++ b/testing/tests/ikev1/alg-twofish/test.conf
diff --git a/testing/tests/attr-cert/description.txt b/testing/tests/ikev1/attr-cert/description.txt
index b7f809c36..b7f809c36 100644
--- a/testing/tests/attr-cert/description.txt
+++ b/testing/tests/ikev1/attr-cert/description.txt
diff --git a/testing/tests/attr-cert/evaltest.dat b/testing/tests/ikev1/attr-cert/evaltest.dat
index 59f6eb76a..59f6eb76a 100644
--- a/testing/tests/attr-cert/evaltest.dat
+++ b/testing/tests/ikev1/attr-cert/evaltest.dat
diff --git a/testing/tests/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
index 62fc49868..eae669641 100755
--- a/testing/tests/attr-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
index 9d932dc54..989784124 100755
--- a/testing/tests/attr-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
index bd72715ff..6c16db587 100755
--- a/testing/tests/attr-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
index 3c5c5d91d..3c5c5d91d 100644
--- a/testing/tests/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/aaKey.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem
index 209b48f3a..209b48f3a 100644
--- a/testing/tests/attr-cert/hosts/moon/etc/openac/aaKey.pem
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem
diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/carolCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem
index 8492fbd45..8492fbd45 100644
--- a/testing/tests/attr-cert/hosts/moon/etc/openac/carolCert.pem
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem
diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/daveCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem
index abd1554e5..abd1554e5 100644
--- a/testing/tests/attr-cert/hosts/moon/etc/openac/daveCert.pem
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem
diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/default.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf
index 134218eec..134218eec 100644
--- a/testing/tests/attr-cert/hosts/moon/etc/openac/default.conf
+++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf
diff --git a/testing/tests/attr-cert/posttest.dat b/testing/tests/ikev1/attr-cert/posttest.dat
index a59c3ff63..a59c3ff63 100644
--- a/testing/tests/attr-cert/posttest.dat
+++ b/testing/tests/ikev1/attr-cert/posttest.dat
diff --git a/testing/tests/attr-cert/pretest.dat b/testing/tests/ikev1/attr-cert/pretest.dat
index b3fecaf3c..b3fecaf3c 100644
--- a/testing/tests/attr-cert/pretest.dat
+++ b/testing/tests/ikev1/attr-cert/pretest.dat
diff --git a/testing/tests/attr-cert/test.conf b/testing/tests/ikev1/attr-cert/test.conf
index 08e5cc145..08e5cc145 100644
--- a/testing/tests/attr-cert/test.conf
+++ b/testing/tests/ikev1/attr-cert/test.conf
diff --git a/testing/tests/compress/description.txt b/testing/tests/ikev1/compress/description.txt
index 47829839d..47829839d 100644
--- a/testing/tests/compress/description.txt
+++ b/testing/tests/ikev1/compress/description.txt
diff --git a/testing/tests/compress/evaltest.dat b/testing/tests/ikev1/compress/evaltest.dat
index ff72e1762..ff72e1762 100644
--- a/testing/tests/compress/evaltest.dat
+++ b/testing/tests/ikev1/compress/evaltest.dat
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..abf3049d8
--- /dev/null
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug="control crypt"
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ compress=yes
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
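Review bot: This new fixture carries no comment marking its `config setup` values as test-only, and two of them are unsafe to copy into a real deployment. `plutodebug="control crypt"` enables logging of IKE message encryption and decryption, and `strictcrlpolicy=no` accepts a peer certificate when no current CRL is available. I would add a line under the header such as `# test fixture: crypt debugging and relaxed CRL policy are for the test harness only`. The same comment would fit the sibling ipsec.conf fixtures in this commit that share these settings.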
diff --git a/testing/tests/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
index b8dfae646..855718f5d 100755
--- a/testing/tests/compress/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/compress/posttest.dat b/testing/tests/ikev1/compress/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/compress/posttest.dat
+++ b/testing/tests/ikev1/compress/posttest.dat
diff --git a/testing/tests/compress/pretest.dat b/testing/tests/ikev1/compress/pretest.dat
index 7d077c126..7d077c126 100644
--- a/testing/tests/compress/pretest.dat
+++ b/testing/tests/ikev1/compress/pretest.dat
diff --git a/testing/tests/compress/test.conf b/testing/tests/ikev1/compress/test.conf
index fd33cfb57..fd33cfb57 100644
--- a/testing/tests/compress/test.conf
+++ b/testing/tests/ikev1/compress/test.conf
diff --git a/testing/tests/crl-from-cache/description.txt b/testing/tests/ikev1/crl-from-cache/description.txt
index 17866f572..17866f572 100644
--- a/testing/tests/crl-from-cache/description.txt
+++ b/testing/tests/ikev1/crl-from-cache/description.txt
diff --git a/testing/tests/crl-from-cache/evaltest.dat b/testing/tests/ikev1/crl-from-cache/evaltest.dat
index dd200c8ef..dd200c8ef 100644
--- a/testing/tests/crl-from-cache/evaltest.dat
+++ b/testing/tests/ikev1/crl-from-cache/evaltest.dat
diff --git a/testing/tests/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
index 93c4d7956..59cbe67ba 100755
--- a/testing/tests/crl-from-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
cachecrls=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
index ef9237518..9a2efb73d 100755
--- a/testing/tests/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
cachecrls=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/crl-from-cache/posttest.dat b/testing/tests/ikev1/crl-from-cache/posttest.dat
index be17847c1..be17847c1 100644
--- a/testing/tests/crl-from-cache/posttest.dat
+++ b/testing/tests/ikev1/crl-from-cache/posttest.dat
diff --git a/testing/tests/crl-from-cache/pretest.dat b/testing/tests/ikev1/crl-from-cache/pretest.dat
index acdb265ed..acdb265ed 100644
--- a/testing/tests/crl-from-cache/pretest.dat
+++ b/testing/tests/ikev1/crl-from-cache/pretest.dat
diff --git a/testing/tests/crl-from-cache/test.conf b/testing/tests/ikev1/crl-from-cache/test.conf
index 2b240d895..2b240d895 100644
--- a/testing/tests/crl-from-cache/test.conf
+++ b/testing/tests/ikev1/crl-from-cache/test.conf
diff --git a/testing/tests/crl-ldap/description.txt b/testing/tests/ikev1/crl-ldap/description.txt
index 02dc0cbbe..02dc0cbbe 100644
--- a/testing/tests/crl-ldap/description.txt
+++ b/testing/tests/ikev1/crl-ldap/description.txt
diff --git a/testing/tests/crl-ldap/evaltest.dat b/testing/tests/ikev1/crl-ldap/evaltest.dat
index 2b98e086a..2b98e086a 100644
--- a/testing/tests/crl-ldap/evaltest.dat
+++ b/testing/tests/ikev1/crl-ldap/evaltest.dat
diff --git a/testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables
index 571459bae..571459bae 100755
--- a/testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables
+++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables
diff --git a/testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
index 669a47d06..40e32f14a 100755
--- a/testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
cachecrls=yes
+ charonstart=no
ca strongswan
cacert=strongswanCert.pem
diff --git a/testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
index 75e8b0959..75e8b0959 100644
--- a/testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
+++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
Binary files differ
diff --git a/testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables
index 8de514a2e..8de514a2e 100755
--- a/testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables
diff --git a/testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
index d5c0dd163..eaaaa3f42 100755
--- a/testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
cachecrls=yes
+ charonstart=no
ca strongswan
cacert=strongswanCert.pem
diff --git a/testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
index 75e8b0959..75e8b0959 100644
--- a/testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
+++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
Binary files differ
diff --git a/testing/tests/crl-ldap/posttest.dat b/testing/tests/ikev1/crl-ldap/posttest.dat
index 04f762331..bddd87424 100644
--- a/testing/tests/crl-ldap/posttest.dat
+++ b/testing/tests/ikev1/crl-ldap/posttest.dat
@@ -1,5 +1,3 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
winnetou::/etc/init.d/slapd stop
diff --git a/testing/tests/crl-ldap/pretest.dat b/testing/tests/ikev1/crl-ldap/pretest.dat
index 64fa8116b..64fa8116b 100644
--- a/testing/tests/crl-ldap/pretest.dat
+++ b/testing/tests/ikev1/crl-ldap/pretest.dat
diff --git a/testing/tests/crl-ldap/test.conf b/testing/tests/ikev1/crl-ldap/test.conf
index 2b240d895..2b240d895 100644
--- a/testing/tests/crl-ldap/test.conf
+++ b/testing/tests/ikev1/crl-ldap/test.conf
diff --git a/testing/tests/crl-revoked/description.txt b/testing/tests/ikev1/crl-revoked/description.txt
index 780068ce6..780068ce6 100644
--- a/testing/tests/crl-revoked/description.txt
+++ b/testing/tests/ikev1/crl-revoked/description.txt
diff --git a/testing/tests/crl-revoked/evaltest.dat b/testing/tests/ikev1/crl-revoked/evaltest.dat
index 0fd1cae8c..0fd1cae8c 100644
--- a/testing/tests/crl-revoked/evaltest.dat
+++ b/testing/tests/ikev1/crl-revoked/evaltest.dat
diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
index 5a1d246a6..6b4650fb8 100755
--- a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
index 5b742fc9e..5b742fc9e 100644
--- a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
+++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
index 8aefcc5a6..8aefcc5a6 100644
--- a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
+++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets
index 8e31be4cb..8e31be4cb 100644
--- a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
index a8953f557..143bace9a 100755
--- a/testing/tests/crl-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/crl-revoked/posttest.dat b/testing/tests/ikev1/crl-revoked/posttest.dat
index d742e8410..d742e8410 100644
--- a/testing/tests/crl-revoked/posttest.dat
+++ b/testing/tests/ikev1/crl-revoked/posttest.dat
diff --git a/testing/tests/crl-revoked/pretest.dat b/testing/tests/ikev1/crl-revoked/pretest.dat
index d92333d86..d92333d86 100644
--- a/testing/tests/crl-revoked/pretest.dat
+++ b/testing/tests/ikev1/crl-revoked/pretest.dat
diff --git a/testing/tests/crl-revoked/test.conf b/testing/tests/ikev1/crl-revoked/test.conf
index 2b240d895..2b240d895 100644
--- a/testing/tests/crl-revoked/test.conf
+++ b/testing/tests/ikev1/crl-revoked/test.conf
diff --git a/testing/tests/crl-strict/description.txt b/testing/tests/ikev1/crl-strict/description.txt
index 97011482e..97011482e 100644
--- a/testing/tests/crl-strict/description.txt
+++ b/testing/tests/ikev1/crl-strict/description.txt
diff --git a/testing/tests/crl-strict/evaltest.dat b/testing/tests/ikev1/crl-strict/evaltest.dat
index 1d7adb05e..1d7adb05e 100644
--- a/testing/tests/crl-strict/evaltest.dat
+++ b/testing/tests/ikev1/crl-strict/evaltest.dat
diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
index 6d0aee86a..93bd80758 100755
--- a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
index a8953f557..143bace9a 100755
--- a/testing/tests/crl-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/crl-strict/posttest.dat b/testing/tests/ikev1/crl-strict/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/crl-strict/posttest.dat
+++ b/testing/tests/ikev1/crl-strict/posttest.dat
diff --git a/testing/tests/crl-strict/pretest.dat b/testing/tests/ikev1/crl-strict/pretest.dat
index d92333d86..d92333d86 100644
--- a/testing/tests/crl-strict/pretest.dat
+++ b/testing/tests/ikev1/crl-strict/pretest.dat
diff --git a/testing/tests/crl-strict/test.conf b/testing/tests/ikev1/crl-strict/test.conf
index 2b240d895..2b240d895 100644
--- a/testing/tests/crl-strict/test.conf
+++ b/testing/tests/ikev1/crl-strict/test.conf
diff --git a/testing/tests/crl-to-cache/description.txt b/testing/tests/ikev1/crl-to-cache/description.txt
index 9f542e73d..9f542e73d 100644
--- a/testing/tests/crl-to-cache/description.txt
+++ b/testing/tests/ikev1/crl-to-cache/description.txt
diff --git a/testing/tests/crl-to-cache/evaltest.dat b/testing/tests/ikev1/crl-to-cache/evaltest.dat
index be7737185..be7737185 100644
--- a/testing/tests/crl-to-cache/evaltest.dat
+++ b/testing/tests/ikev1/crl-to-cache/evaltest.dat
diff --git a/testing/tests/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
index 955f08b1f..e64a8fb5a 100755
--- a/testing/tests/crl-to-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
cachecrls=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
index 885354ab5..666fc0698 100755
--- a/testing/tests/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
cachecrls=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/crl-to-cache/posttest.dat b/testing/tests/ikev1/crl-to-cache/posttest.dat
index be17847c1..be17847c1 100644
--- a/testing/tests/crl-to-cache/posttest.dat
+++ b/testing/tests/ikev1/crl-to-cache/posttest.dat
diff --git a/testing/tests/crl-to-cache/pretest.dat b/testing/tests/ikev1/crl-to-cache/pretest.dat
index d92333d86..d92333d86 100644
--- a/testing/tests/crl-to-cache/pretest.dat
+++ b/testing/tests/ikev1/crl-to-cache/pretest.dat
diff --git a/testing/tests/crl-to-cache/test.conf b/testing/tests/ikev1/crl-to-cache/test.conf
index 2b240d895..2b240d895 100644
--- a/testing/tests/crl-to-cache/test.conf
+++ b/testing/tests/ikev1/crl-to-cache/test.conf
diff --git a/testing/tests/default-keys/description.txt b/testing/tests/ikev1/default-keys/description.txt
index 639e909da..639e909da 100644
--- a/testing/tests/default-keys/description.txt
+++ b/testing/tests/ikev1/default-keys/description.txt
diff --git a/testing/tests/self-signed/evaltest.dat b/testing/tests/ikev1/default-keys/evaltest.dat
index f190d7066..a18e3997e 100644
--- a/testing/tests/self-signed/evaltest.dat
+++ b/testing/tests/ikev1/default-keys/evaltest.dat
@@ -1,3 +1,5 @@
+carol::cat /var/log/auth.log::scepclient::YES
+moon::cat /var/log/auth.log::scepclient::YES
carol::cat /var/log/auth.log::we have a cert but are not sending it::YES
moon::cat /var/log/auth.log::we have a cert but are not sending it::YES
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
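Review bot: The two added checks at the top of the hunk match the bare word `scepclient` anywhere in /var/log/auth.log, so they would presumably also pass on a line where scepclient reports a failure. They could also pass on a line left over from an earlier run if the log is not cleared between tests. Matching the message logged on successful key and certificate generation would make the check assert what the test is about. The exact wording is not visible here, so the form would be `carol::cat /var/log/auth.log::scepclient.*<SUCCESS_MESSAGE_PLACEHOLDER>::YES` with the real text filled in.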
diff --git a/testing/tests/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
index c4bb10a65..0ec9d47ed 100755
--- a/testing/tests/default-keys/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=0
strictcrlpolicy=no
nocrsend=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables
index 13ad3063f..13ad3063f 100755
--- a/testing/tests/default-keys/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables
diff --git a/testing/tests/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
index eeeec645b..ed1b40549 100755
--- a/testing/tests/default-keys/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=0
strictcrlpolicy=no
nocrsend=yes
+ charonstart=no
conn %default
ikelifetime=60m
@@ -15,7 +14,7 @@ conn %default
keyingtries=1
conn carol
- left=192.168.0.1
+ left=PH_IP_MOON
leftnexthop=%direct
leftcert=selfCert.der
leftsendcert=never
diff --git a/testing/tests/default-keys/posttest.dat b/testing/tests/ikev1/default-keys/posttest.dat
index 52b48b9ef..8cada5e7e 100644
--- a/testing/tests/default-keys/posttest.dat
+++ b/testing/tests/ikev1/default-keys/posttest.dat
@@ -1,5 +1,3 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/default-keys/pretest.dat b/testing/tests/ikev1/default-keys/pretest.dat
index 54f70cbe9..88f9a2ca9 100644
--- a/testing/tests/default-keys/pretest.dat
+++ b/testing/tests/ikev1/default-keys/pretest.dat
@@ -10,7 +10,7 @@ moon::rm /etc/ipsec.d/private/*
moon::rm /etc/ipsec.d/certs/*
moon::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
-moon::sleep 4
+moon::sleep 5
moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
moon::ipsec reload
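Review bot: Raising `moon::sleep 4` to `moon::sleep 5` keeps the race. The two `scp` lines that follow exchange `selfCert.der` between moon and carol, which only works if certificate generation has finished on both hosts within the fixed delay. On a slow host the copy would fail or pick up a stale file, and the test would then fail later with an authentication error that does not point back to the timing. Waiting on the file itself is more robust, assuming the harness hands the command to a shell (the `2> /dev/null` redirections elsewhere suggest it does): `moon::for i in 1 2 3 4 5 6 7 8 9 10; do [ -f /etc/ipsec.d/certs/selfCert.der ] && break; sleep 1; done`. The start of this command sequence is outside the hunk.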
diff --git a/testing/tests/default-keys/test.conf b/testing/tests/ikev1/default-keys/test.conf
index 0baa48d90..0baa48d90 100644
--- a/testing/tests/default-keys/test.conf
+++ b/testing/tests/ikev1/default-keys/test.conf
diff --git a/testing/tests/double-nat-net/description.txt b/testing/tests/ikev1/double-nat-net/description.txt
index ff09155f6..ff09155f6 100644
--- a/testing/tests/double-nat-net/description.txt
+++ b/testing/tests/ikev1/double-nat-net/description.txt
diff --git a/testing/tests/double-nat-net/evaltest.dat b/testing/tests/ikev1/double-nat-net/evaltest.dat
index 41eba6501..d00613c07 100644
--- a/testing/tests/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev1/double-nat-net/evaltest.dat
@@ -1,5 +1,5 @@
alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP1_SUN::64 bytes from PH_IP1_SUN: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
index 395e62e7c..5c0763734 100755
--- a/testing/tests/double-nat-net/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
nat_traversal=yes
+ charonstart=no
conn %default
ikelifetime=60m
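Review bot: The added `charonstart=no` in `config setup` carries no comment, so a reader cannot tell that the IKEv2 daemon is switched off on purpose for a scenario now filed under `ikev1/`. A one-line comment above it would be enough, e.g. `# IKEv1 scenario: pluto only, do not start charon`. The same uncommented line is added by the other `ipsec.conf` hunks in this commit (bob in this test, and the double-nat, dpd-clear, esp-*, host2host-* and ike-alg-* hosts). The `conn %default` section continues outside the hunk.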
diff --git a/testing/tests/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
index 6927a5ce4..e79b2ca35 100755
--- a/testing/tests/double-nat-net/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
nat_traversal=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/double-nat-net/posttest.dat b/testing/tests/ikev1/double-nat-net/posttest.dat
index 0eb2c0d6c..484297418 100644
--- a/testing/tests/double-nat-net/posttest.dat
+++ b/testing/tests/ikev1/double-nat-net/posttest.dat
@@ -1,9 +1,9 @@
-alice::iptables -v -n -L
-bob::iptables -v -n -L
bob::ipsec stop
alice::ipsec stop
alice::/etc/init.d/iptables stop 2> /dev/null
bob::/etc/init.d/iptables stop 2> /dev/null
moon::iptables -t nat -F
sun::iptables -t nat -F
+moon::conntrack -F
+sun::conntrack -F
sun::ip route del 10.1.0.0/16 via PH_IP_BOB
diff --git a/testing/tests/double-nat-net/pretest.dat b/testing/tests/ikev1/double-nat-net/pretest.dat
index 84bc15092..84bc15092 100644
--- a/testing/tests/double-nat-net/pretest.dat
+++ b/testing/tests/ikev1/double-nat-net/pretest.dat
diff --git a/testing/tests/double-nat-net/test.conf b/testing/tests/ikev1/double-nat-net/test.conf
index 1ca2ffe5a..1ca2ffe5a 100644
--- a/testing/tests/double-nat-net/test.conf
+++ b/testing/tests/ikev1/double-nat-net/test.conf
diff --git a/testing/tests/double-nat/description.txt b/testing/tests/ikev1/double-nat/description.txt
index ce7de0e56..ce7de0e56 100644
--- a/testing/tests/double-nat/description.txt
+++ b/testing/tests/ikev1/double-nat/description.txt
diff --git a/testing/tests/double-nat/evaltest.dat b/testing/tests/ikev1/double-nat/evaltest.dat
index 05e751422..05e751422 100644
--- a/testing/tests/double-nat/evaltest.dat
+++ b/testing/tests/ikev1/double-nat/evaltest.dat
diff --git a/testing/tests/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
index 5b3cddb63..3533c3f8b 100755
--- a/testing/tests/double-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
nat_traversal=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/double-nat/posttest.dat b/testing/tests/ikev1/double-nat/posttest.dat
index 07f22d07d..5d39e406d 100644
--- a/testing/tests/double-nat/posttest.dat
+++ b/testing/tests/ikev1/double-nat/posttest.dat
@@ -1,8 +1,8 @@
-alice::iptables -v -n -L
-bob::iptables -v -n -L
bob::ipsec stop
alice::ipsec stop
alice::/etc/init.d/iptables stop 2> /dev/null
bob::/etc/init.d/iptables stop 2> /dev/null
moon::iptables -t nat -F
sun::iptables -t nat -F
+moon::conntrack -F
+sun::conntrack -F
diff --git a/testing/tests/double-nat/pretest.dat b/testing/tests/ikev1/double-nat/pretest.dat
index cf495b778..cf495b778 100644
--- a/testing/tests/double-nat/pretest.dat
+++ b/testing/tests/ikev1/double-nat/pretest.dat
diff --git a/testing/tests/double-nat/test.conf b/testing/tests/ikev1/double-nat/test.conf
index 1ca2ffe5a..1ca2ffe5a 100644
--- a/testing/tests/double-nat/test.conf
+++ b/testing/tests/ikev1/double-nat/test.conf
diff --git a/testing/tests/dpd-clear/description.txt b/testing/tests/ikev1/dpd-clear/description.txt
index f76b2d741..f76b2d741 100644
--- a/testing/tests/dpd-clear/description.txt
+++ b/testing/tests/ikev1/dpd-clear/description.txt
diff --git a/testing/tests/dpd-clear/evaltest.dat b/testing/tests/ikev1/dpd-clear/evaltest.dat
index da3567d3e..98d5b146b 100644
--- a/testing/tests/dpd-clear/evaltest.dat
+++ b/testing/tests/ikev1/dpd-clear/evaltest.dat
@@ -1,6 +1,5 @@
carol::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::ipsec statusall::DPD active::YES
moon::sleep 50::no output expected::NO
moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
diff --git a/testing/tests/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
index cac521c8f..281293545 100755
--- a/testing/tests/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/dpd-clear/posttest.dat b/testing/tests/ikev1/dpd-clear/posttest.dat
index 931db4272..931db4272 100644
--- a/testing/tests/dpd-clear/posttest.dat
+++ b/testing/tests/ikev1/dpd-clear/posttest.dat
diff --git a/testing/tests/dpd-clear/pretest.dat b/testing/tests/ikev1/dpd-clear/pretest.dat
index 14ed95322..14ed95322 100644
--- a/testing/tests/dpd-clear/pretest.dat
+++ b/testing/tests/ikev1/dpd-clear/pretest.dat
diff --git a/testing/tests/dpd-clear/test.conf b/testing/tests/ikev1/dpd-clear/test.conf
index 2b240d895..2b240d895 100644
--- a/testing/tests/dpd-clear/test.conf
+++ b/testing/tests/ikev1/dpd-clear/test.conf
diff --git a/testing/tests/esp-ah-transport/description.txt b/testing/tests/ikev1/esp-ah-transport/description.txt
index c7918fa38..c7918fa38 100644
--- a/testing/tests/esp-ah-transport/description.txt
+++ b/testing/tests/ikev1/esp-ah-transport/description.txt
diff --git a/testing/tests/esp-ah-transport/evaltest.dat b/testing/tests/ikev1/esp-ah-transport/evaltest.dat
index 7c498ad83..7c498ad83 100644
--- a/testing/tests/esp-ah-transport/evaltest.dat
+++ b/testing/tests/ikev1/esp-ah-transport/evaltest.dat
diff --git a/testing/tests/esp-ah-transport/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables
index 8c8817539..8c8817539 100755
--- a/testing/tests/esp-ah-transport/hosts/carol/etc/init.d/iptables
+++ b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables
diff --git a/testing/tests/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
index 13ab3e07f..21f56705c 100755
--- a/testing/tests/esp-ah-transport/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/esp-ah-transport/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables
index 3e8922581..3e8922581 100755
--- a/testing/tests/esp-ah-transport/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables
diff --git a/testing/tests/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
index 809f3c74b..274a1aa18 100755
--- a/testing/tests/esp-ah-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/esp-ah-transport/posttest.dat b/testing/tests/ikev1/esp-ah-transport/posttest.dat
index 26848212b..94a400606 100644
--- a/testing/tests/esp-ah-transport/posttest.dat
+++ b/testing/tests/ikev1/esp-ah-transport/posttest.dat
@@ -1,5 +1,3 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/esp-ah-transport/pretest.dat b/testing/tests/ikev1/esp-ah-transport/pretest.dat
index bd68efb0b..bd68efb0b 100644
--- a/testing/tests/esp-ah-transport/pretest.dat
+++ b/testing/tests/ikev1/esp-ah-transport/pretest.dat
diff --git a/testing/tests/esp-ah-transport/test.conf b/testing/tests/ikev1/esp-ah-transport/test.conf
index fd33cfb57..fd33cfb57 100644
--- a/testing/tests/esp-ah-transport/test.conf
+++ b/testing/tests/ikev1/esp-ah-transport/test.conf
diff --git a/testing/tests/esp-ah-tunnel/description.txt b/testing/tests/ikev1/esp-ah-tunnel/description.txt
index 809f28c57..809f28c57 100644
--- a/testing/tests/esp-ah-tunnel/description.txt
+++ b/testing/tests/ikev1/esp-ah-tunnel/description.txt
diff --git a/testing/tests/esp-ah-tunnel/evaltest.dat b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat
index 8f4a99641..8f4a99641 100644
--- a/testing/tests/esp-ah-tunnel/evaltest.dat
+++ b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat
diff --git a/testing/tests/esp-ah-tunnel/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables
index 8c8817539..8c8817539 100755
--- a/testing/tests/esp-ah-tunnel/hosts/carol/etc/init.d/iptables
+++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..8c72a7b7f
--- /dev/null
+++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ auth=ah
+ ike=aes128-sha
+ esp=aes128-sha1
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
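Review bot: This new file does not separate the settings the scenario exercises from the ones that are only fixture conveniences. `auth=ah` together with `esp=aes128-sha1` appears to be the AH+ESP bundle under test, while `strictcrlpolicy=no` lets a peer certificate be accepted when no current CRL is available. Anyone copying this file as a template inherits that relaxed revocation handling without warning. I would add `# test fixture only: peers are accepted even when no CRL can be fetched` above `strictcrlpolicy=no` and `# AH+ESP bundle is the subject of this test` above `auth=ah`.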
diff --git a/testing/tests/esp-ah-tunnel/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables
index 3e8922581..3e8922581 100755
--- a/testing/tests/esp-ah-tunnel/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables
diff --git a/testing/tests/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
index 7f976376d..ccf8e91fa 100755
--- a/testing/tests/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/esp-ah-tunnel/posttest.dat b/testing/tests/ikev1/esp-ah-tunnel/posttest.dat
index 26848212b..94a400606 100644
--- a/testing/tests/esp-ah-tunnel/posttest.dat
+++ b/testing/tests/ikev1/esp-ah-tunnel/posttest.dat
@@ -1,5 +1,3 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/esp-ah-tunnel/pretest.dat b/testing/tests/ikev1/esp-ah-tunnel/pretest.dat
index bd68efb0b..bd68efb0b 100644
--- a/testing/tests/esp-ah-tunnel/pretest.dat
+++ b/testing/tests/ikev1/esp-ah-tunnel/pretest.dat
diff --git a/testing/tests/esp-ah-tunnel/test.conf b/testing/tests/ikev1/esp-ah-tunnel/test.conf
index fd33cfb57..fd33cfb57 100644
--- a/testing/tests/esp-ah-tunnel/test.conf
+++ b/testing/tests/ikev1/esp-ah-tunnel/test.conf
diff --git a/testing/tests/esp-alg-des/description.txt b/testing/tests/ikev1/esp-alg-des/description.txt
index 9546569dd..9546569dd 100644
--- a/testing/tests/esp-alg-des/description.txt
+++ b/testing/tests/ikev1/esp-alg-des/description.txt
diff --git a/testing/tests/esp-alg-des/evaltest.dat b/testing/tests/ikev1/esp-alg-des/evaltest.dat
index 8e06392f1..8e06392f1 100644
--- a/testing/tests/esp-alg-des/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-des/evaltest.dat
diff --git a/testing/tests/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
index b4f067b6d..b8ef03cfe 100755
--- a/testing/tests/esp-alg-weak/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
index 9513f810d..3ac0bf4cf 100755
--- a/testing/tests/esp-alg-des/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/esp-alg-des/posttest.dat b/testing/tests/ikev1/esp-alg-des/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/esp-alg-des/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-des/posttest.dat
diff --git a/testing/tests/esp-alg-des/pretest.dat b/testing/tests/ikev1/esp-alg-des/pretest.dat
index 7d077c126..7d077c126 100644
--- a/testing/tests/esp-alg-des/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-des/pretest.dat
diff --git a/testing/tests/esp-alg-des/test.conf b/testing/tests/ikev1/esp-alg-des/test.conf
index a6c8f026c..a6c8f026c 100644
--- a/testing/tests/esp-alg-des/test.conf
+++ b/testing/tests/ikev1/esp-alg-des/test.conf
diff --git a/testing/tests/esp-alg-null/description.txt b/testing/tests/ikev1/esp-alg-null/description.txt
index 7880a799c..7880a799c 100644
--- a/testing/tests/esp-alg-null/description.txt
+++ b/testing/tests/ikev1/esp-alg-null/description.txt
diff --git a/testing/tests/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat
index de2f2a571..de2f2a571 100644
--- a/testing/tests/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-null/evaltest.dat
diff --git a/testing/tests/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
index b732eba93..7a8ae37c9 100755
--- a/testing/tests/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
index af11591a1..187a3fb17 100755
--- a/testing/tests/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/esp-alg-null/posttest.dat b/testing/tests/ikev1/esp-alg-null/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/esp-alg-null/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-null/posttest.dat
diff --git a/testing/tests/esp-alg-weak/pretest.dat b/testing/tests/ikev1/esp-alg-null/pretest.dat
index 7d077c126..7d077c126 100644
--- a/testing/tests/esp-alg-weak/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-null/pretest.dat
diff --git a/testing/tests/esp-alg-null/test.conf b/testing/tests/ikev1/esp-alg-null/test.conf
index a6c8f026c..a6c8f026c 100644
--- a/testing/tests/esp-alg-null/test.conf
+++ b/testing/tests/ikev1/esp-alg-null/test.conf
diff --git a/testing/tests/esp-alg-strict-fail/description.txt b/testing/tests/ikev1/esp-alg-strict-fail/description.txt
index 03c655480..03c655480 100644
--- a/testing/tests/esp-alg-strict-fail/description.txt
+++ b/testing/tests/ikev1/esp-alg-strict-fail/description.txt
diff --git a/testing/tests/esp-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat
index 6f2024ff9..6f2024ff9 100644
--- a/testing/tests/esp-alg-strict-fail/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..4ed2fb645
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ ike=3des-sha
+ esp=3des-sha1
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
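Review bot: Nothing in this new file marks `ike=3des-sha` and `esp=3des-sha1` as a deliberate mismatch, although the test name suggests that negotiation is expected to fail against a strict proposal on moon (moon's algorithm lines are not visible here). Without a comment, the 3DES lines read like an ordinary default and may be "fixed" or copied elsewhere. I would add `# deliberately not the suite moon insists on; negotiation must fail` above `ike=3des-sha`. Separately, `conn home` follows `esp=3des-sha1` with no empty line, unlike the other sections of this file and the esp-ah-tunnel sibling; an empty line before `conn home` keeps the section boundary visible.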
diff --git a/testing/tests/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
index 2dd1c763a..f8c27ad7c 100755
--- a/testing/tests/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/esp-alg-strict-fail/posttest.dat b/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/esp-alg-strict-fail/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat
diff --git a/testing/tests/esp-alg-null/pretest.dat b/testing/tests/ikev1/esp-alg-strict-fail/pretest.dat
index f5aa989fe..f5aa989fe 100644
--- a/testing/tests/esp-alg-null/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-strict-fail/pretest.dat
diff --git a/testing/tests/esp-alg-strict-fail/test.conf b/testing/tests/ikev1/esp-alg-strict-fail/test.conf
index 2b240d895..2b240d895 100644
--- a/testing/tests/esp-alg-strict-fail/test.conf
+++ b/testing/tests/ikev1/esp-alg-strict-fail/test.conf
diff --git a/testing/tests/esp-alg-strict/description.txt b/testing/tests/ikev1/esp-alg-strict/description.txt
index b4fc08253..b4fc08253 100644
--- a/testing/tests/esp-alg-strict/description.txt
+++ b/testing/tests/ikev1/esp-alg-strict/description.txt
diff --git a/testing/tests/esp-alg-strict/evaltest.dat b/testing/tests/ikev1/esp-alg-strict/evaltest.dat
index d5dd12d4e..d5dd12d4e 100644
--- a/testing/tests/esp-alg-strict/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-strict/evaltest.dat
diff --git a/testing/tests/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
index 5a14de070..da86d14df 100755
--- a/testing/tests/esp-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
index 2dd1c763a..f8c27ad7c 100755
--- a/testing/tests/esp-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/esp-alg-strict/posttest.dat b/testing/tests/ikev1/esp-alg-strict/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/esp-alg-strict/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-strict/posttest.dat
diff --git a/testing/tests/esp-alg-strict-fail/pretest.dat b/testing/tests/ikev1/esp-alg-strict/pretest.dat
index f5aa989fe..f5aa989fe 100644
--- a/testing/tests/esp-alg-strict-fail/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-strict/pretest.dat
diff --git a/testing/tests/esp-alg-strict/test.conf b/testing/tests/ikev1/esp-alg-strict/test.conf
index a6c8f026c..a6c8f026c 100644
--- a/testing/tests/esp-alg-strict/test.conf
+++ b/testing/tests/ikev1/esp-alg-strict/test.conf
diff --git a/testing/tests/esp-alg-weak/description.txt b/testing/tests/ikev1/esp-alg-weak/description.txt
index ffb6882f5..ffb6882f5 100644
--- a/testing/tests/esp-alg-weak/description.txt
+++ b/testing/tests/ikev1/esp-alg-weak/description.txt
diff --git a/testing/tests/esp-alg-weak/evaltest.dat b/testing/tests/ikev1/esp-alg-weak/evaltest.dat
index 72b14e805..72b14e805 100644
--- a/testing/tests/esp-alg-weak/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-weak/evaltest.dat
diff --git a/testing/tests/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
index b4f067b6d..b8ef03cfe 100755
--- a/testing/tests/esp-alg-des/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
index 3f07213ae..691b6b74f 100755
--- a/testing/tests/esp-alg-weak/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/esp-alg-weak/posttest.dat b/testing/tests/ikev1/esp-alg-weak/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/esp-alg-weak/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-weak/posttest.dat
diff --git a/testing/tests/ike-alg-sha2_512/pretest.dat b/testing/tests/ikev1/esp-alg-weak/pretest.dat
index 7d077c126..7d077c126 100644
--- a/testing/tests/ike-alg-sha2_512/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-weak/pretest.dat
diff --git a/testing/tests/esp-alg-weak/test.conf b/testing/tests/ikev1/esp-alg-weak/test.conf
index a6c8f026c..a6c8f026c 100644
--- a/testing/tests/esp-alg-weak/test.conf
+++ b/testing/tests/ikev1/esp-alg-weak/test.conf
diff --git a/testing/tests/host2host-cert/description.txt b/testing/tests/ikev1/host2host-cert/description.txt
index 6be21bf8f..6be21bf8f 100644
--- a/testing/tests/host2host-cert/description.txt
+++ b/testing/tests/ikev1/host2host-cert/description.txt
diff --git a/testing/tests/host2host-cert/evaltest.dat b/testing/tests/ikev1/host2host-cert/evaltest.dat
index d19f970f2..d19f970f2 100644
--- a/testing/tests/host2host-cert/evaltest.dat
+++ b/testing/tests/ikev1/host2host-cert/evaltest.dat
diff --git a/testing/tests/host2host-transport/posttest.dat b/testing/tests/ikev1/host2host-cert/posttest.dat
index 52979508d..5a9150bc8 100644
--- a/testing/tests/host2host-transport/posttest.dat
+++ b/testing/tests/ikev1/host2host-cert/posttest.dat
@@ -1,5 +1,3 @@
-moon::iptables -v -n -L
-sun::iptables -v -n -L
moon::ipsec stop
sun::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/host2host-cert/pretest.dat b/testing/tests/ikev1/host2host-cert/pretest.dat
index 3536fd886..3536fd886 100644
--- a/testing/tests/host2host-cert/pretest.dat
+++ b/testing/tests/ikev1/host2host-cert/pretest.dat
diff --git a/testing/tests/host2host-cert/test.conf b/testing/tests/ikev1/host2host-cert/test.conf
index cf2e704fd..cf2e704fd 100644
--- a/testing/tests/host2host-cert/test.conf
+++ b/testing/tests/ikev1/host2host-cert/test.conf
diff --git a/testing/tests/host2host-swapped/description.txt b/testing/tests/ikev1/host2host-swapped/description.txt
index 34cfe43cc..34cfe43cc 100644
--- a/testing/tests/host2host-swapped/description.txt
+++ b/testing/tests/ikev1/host2host-swapped/description.txt
diff --git a/testing/tests/host2host-swapped/evaltest.dat b/testing/tests/ikev1/host2host-swapped/evaltest.dat
index d19f970f2..d19f970f2 100644
--- a/testing/tests/host2host-swapped/evaltest.dat
+++ b/testing/tests/ikev1/host2host-swapped/evaltest.dat
diff --git a/testing/tests/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
index 4b66a5ecb..10597bc58 100755
--- a/testing/tests/host2host-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
index a58894b33..45121d967 100755
--- a/testing/tests/host2host-swapped/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
nat_traversal=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/net2net-cert/posttest.dat b/testing/tests/ikev1/host2host-swapped/posttest.dat
index 52979508d..5a9150bc8 100644
--- a/testing/tests/net2net-cert/posttest.dat
+++ b/testing/tests/ikev1/host2host-swapped/posttest.dat
@@ -1,5 +1,3 @@
-moon::iptables -v -n -L
-sun::iptables -v -n -L
moon::ipsec stop
sun::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/host2host-swapped/pretest.dat b/testing/tests/ikev1/host2host-swapped/pretest.dat
index e2d98f2eb..e2d98f2eb 100644
--- a/testing/tests/host2host-swapped/pretest.dat
+++ b/testing/tests/ikev1/host2host-swapped/pretest.dat
diff --git a/testing/tests/host2host-swapped/test.conf b/testing/tests/ikev1/host2host-swapped/test.conf
index cf2e704fd..cf2e704fd 100644
--- a/testing/tests/host2host-swapped/test.conf
+++ b/testing/tests/ikev1/host2host-swapped/test.conf
diff --git a/testing/tests/host2host-transport/description.txt b/testing/tests/ikev1/host2host-transport/description.txt
index fe3482c96..fe3482c96 100644
--- a/testing/tests/host2host-transport/description.txt
+++ b/testing/tests/ikev1/host2host-transport/description.txt
diff --git a/testing/tests/host2host-transport/evaltest.dat b/testing/tests/ikev1/host2host-transport/evaltest.dat
index d19f970f2..d19f970f2 100644
--- a/testing/tests/host2host-transport/evaltest.dat
+++ b/testing/tests/ikev1/host2host-transport/evaltest.dat
diff --git a/testing/tests/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
index af5000fa8..44ac885ce 100755
--- a/testing/tests/host2host-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
index 10bea9847..a89e799bd 100755
--- a/testing/tests/host2host-transport/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/host2host-cert/posttest.dat b/testing/tests/ikev1/host2host-transport/posttest.dat
index 52979508d..5a9150bc8 100644
--- a/testing/tests/host2host-cert/posttest.dat
+++ b/testing/tests/ikev1/host2host-transport/posttest.dat
@@ -1,5 +1,3 @@
-moon::iptables -v -n -L
-sun::iptables -v -n -L
moon::ipsec stop
sun::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/host2host-transport/pretest.dat b/testing/tests/ikev1/host2host-transport/pretest.dat
index e2d98f2eb..e2d98f2eb 100644
--- a/testing/tests/host2host-transport/pretest.dat
+++ b/testing/tests/ikev1/host2host-transport/pretest.dat
diff --git a/testing/tests/host2host-transport/test.conf b/testing/tests/ikev1/host2host-transport/test.conf
index cf2e704fd..cf2e704fd 100644
--- a/testing/tests/host2host-transport/test.conf
+++ b/testing/tests/ikev1/host2host-transport/test.conf
diff --git a/testing/tests/ike-alg-sha2_384/description.txt b/testing/tests/ikev1/ike-alg-sha2_384/description.txt
index a347a3fed..a347a3fed 100644
--- a/testing/tests/ike-alg-sha2_384/description.txt
+++ b/testing/tests/ikev1/ike-alg-sha2_384/description.txt
diff --git a/testing/tests/ike-alg-sha2_384/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat
index 31959f53a..31959f53a 100644
--- a/testing/tests/ike-alg-sha2_384/evaltest.dat
+++ b/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat
diff --git a/testing/tests/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf
index 027ad4fd2..2bf2f8740 100755
--- a/testing/tests/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-sha2_384/hosts/carol/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf
index 46742d8fb..5baf8f1d9 100755
--- a/testing/tests/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-sha2_384/hosts/moon/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/ike-alg-sha2_384/posttest.dat b/testing/tests/ikev1/ike-alg-sha2_384/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/ike-alg-sha2_384/posttest.dat
+++ b/testing/tests/ikev1/ike-alg-sha2_384/posttest.dat
diff --git a/testing/tests/ike-alg-sha2_384/pretest.dat b/testing/tests/ikev1/ike-alg-sha2_384/pretest.dat
index 87e219e73..7d077c126 100644
--- a/testing/tests/ike-alg-sha2_384/pretest.dat
+++ b/testing/tests/ikev1/ike-alg-sha2_384/pretest.dat
@@ -1,5 +1,5 @@
moon::echo 1 > /proc/sys/net/ipv4/ip_forward
carol::ipsec start
moon::ipsec start
-carol::sleep 3
+carol::sleep 2
carol::ipsec up home
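Review bot: `carol::sleep 2` is a fixed delay and appears to be the only thing ordering the two `ipsec start` calls before `carol::ipsec up home`; this hunk shortens it from 3 seconds. If the daemon on moon is not ready in time on a slow or loaded host, the negotiation presumably fails and the evaluation reports what looks like an algorithm failure but is really a timing one. I would keep `carol::sleep 3` unless the shorter value has been measured as sufficient. The new `ikev1/ike-alg-sha2_512/pretest.dat` uses the same 2-second delay, and the mode-config pretest hunks add a `carol::sleep 1` in the same style.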
diff --git a/testing/tests/ike-alg-sha2_384/test.conf b/testing/tests/ikev1/ike-alg-sha2_384/test.conf
index a6c8f026c..a6c8f026c 100644
--- a/testing/tests/ike-alg-sha2_384/test.conf
+++ b/testing/tests/ikev1/ike-alg-sha2_384/test.conf
diff --git a/testing/tests/ike-alg-sha2_512/description.txt b/testing/tests/ikev1/ike-alg-sha2_512/description.txt
index 1bec4b8c6..1bec4b8c6 100644
--- a/testing/tests/ike-alg-sha2_512/description.txt
+++ b/testing/tests/ikev1/ike-alg-sha2_512/description.txt
diff --git a/testing/tests/ike-alg-sha2_512/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat
index dbd35429c..dbd35429c 100644
--- a/testing/tests/ike-alg-sha2_512/evaltest.dat
+++ b/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat
diff --git a/testing/tests/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
index 1f73cdc21..8b1052f91 100755
--- a/testing/tests/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
index 90911997e..62b93c428 100755
--- a/testing/tests/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug="control crypt"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/ike-alg-sha2_512/posttest.dat b/testing/tests/ikev1/ike-alg-sha2_512/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/ike-alg-sha2_512/posttest.dat
+++ b/testing/tests/ikev1/ike-alg-sha2_512/posttest.dat
diff --git a/testing/tests/ikev1/ike-alg-sha2_512/pretest.dat b/testing/tests/ikev1/ike-alg-sha2_512/pretest.dat
new file mode 100644
index 000000000..7d077c126
--- /dev/null
+++ b/testing/tests/ikev1/ike-alg-sha2_512/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ike-alg-sha2_512/test.conf b/testing/tests/ikev1/ike-alg-sha2_512/test.conf
index a6c8f026c..a6c8f026c 100644
--- a/testing/tests/ike-alg-sha2_512/test.conf
+++ b/testing/tests/ikev1/ike-alg-sha2_512/test.conf
diff --git a/testing/tests/ike-alg-strict-fail/description.txt b/testing/tests/ikev1/ike-alg-strict-fail/description.txt
index 03c655480..03c655480 100644
--- a/testing/tests/ike-alg-strict-fail/description.txt
+++ b/testing/tests/ikev1/ike-alg-strict-fail/description.txt
diff --git a/testing/tests/ike-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat
index 931b8855a..931b8855a 100644
--- a/testing/tests/ike-alg-strict-fail/evaltest.dat
+++ b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..4ed2fb645
--- /dev/null
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ ike=3des-sha
+ esp=3des-sha1
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
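Review bot: The `ike=3des-sha` and `esp=3des-sha1` lines in `conn %default` carry no comment, so nothing in this new file says the 3DES/SHA-1 proposal is a deliberate mismatch rather than a recommended setting. Going by the test name, this is a negative test in which moon is expected to refuse the proposal, though moon's `ike=` line is outside this hunk. A comment such as `# intentionally weak proposal: the strict peer must reject it` above `ike=3des-sha` would keep the fixture from being copied as a working example.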
diff --git a/testing/tests/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
index 85cd235dc..1a8b0b966 100755
--- a/testing/tests/ike-alg-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/ike-alg-strict-fail/posttest.dat b/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/ike-alg-strict-fail/posttest.dat
+++ b/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat
diff --git a/testing/tests/esp-alg-strict/pretest.dat b/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat
index f5aa989fe..f5aa989fe 100644
--- a/testing/tests/esp-alg-strict/pretest.dat
+++ b/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat
diff --git a/testing/tests/ike-alg-strict-fail/test.conf b/testing/tests/ikev1/ike-alg-strict-fail/test.conf
index 7e7848831..7e7848831 100644
--- a/testing/tests/ike-alg-strict-fail/test.conf
+++ b/testing/tests/ikev1/ike-alg-strict-fail/test.conf
diff --git a/testing/tests/ike-alg-strict/description.txt b/testing/tests/ikev1/ike-alg-strict/description.txt
index 35d266e20..35d266e20 100644
--- a/testing/tests/ike-alg-strict/description.txt
+++ b/testing/tests/ikev1/ike-alg-strict/description.txt
diff --git a/testing/tests/ike-alg-strict/evaltest.dat b/testing/tests/ikev1/ike-alg-strict/evaltest.dat
index 46140be8a..46140be8a 100644
--- a/testing/tests/ike-alg-strict/evaltest.dat
+++ b/testing/tests/ikev1/ike-alg-strict/evaltest.dat
diff --git a/testing/tests/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
index 5a14de070..da86d14df 100755
--- a/testing/tests/ike-alg-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
index 85cd235dc..1a8b0b966 100755
--- a/testing/tests/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/ike-alg-strict/posttest.dat b/testing/tests/ikev1/ike-alg-strict/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/ike-alg-strict/posttest.dat
+++ b/testing/tests/ikev1/ike-alg-strict/posttest.dat
diff --git a/testing/tests/ike-alg-strict-fail/pretest.dat b/testing/tests/ikev1/ike-alg-strict/pretest.dat
index f5aa989fe..f5aa989fe 100644
--- a/testing/tests/ike-alg-strict-fail/pretest.dat
+++ b/testing/tests/ikev1/ike-alg-strict/pretest.dat
diff --git a/testing/tests/ike-alg-strict/test.conf b/testing/tests/ikev1/ike-alg-strict/test.conf
index 2b240d895..2b240d895 100644
--- a/testing/tests/ike-alg-strict/test.conf
+++ b/testing/tests/ikev1/ike-alg-strict/test.conf
diff --git a/testing/tests/mode-config-push/description.txt b/testing/tests/ikev1/mode-config-push/description.txt
index 387c3b409..387c3b409 100644
--- a/testing/tests/mode-config-push/description.txt
+++ b/testing/tests/ikev1/mode-config-push/description.txt
diff --git a/testing/tests/mode-config-push/evaltest.dat b/testing/tests/ikev1/mode-config-push/evaltest.dat
index 7de32d681..7de32d681 100644
--- a/testing/tests/mode-config-push/evaltest.dat
+++ b/testing/tests/ikev1/mode-config-push/evaltest.dat
diff --git a/testing/tests/mode-config-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
index d66c4d329..db8cfd5c4 100755
--- a/testing/tests/mode-config-push/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
@@ -1,18 +1,16 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
- modeconfig=push
conn home
left=PH_IP_CAROL
@@ -24,6 +22,7 @@ conn home
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
+ modeconfig=push
auto=add
diff --git a/testing/tests/mode-config-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
index bf2625148..cc330b47f 100755
--- a/testing/tests/mode-config-push/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
@@ -1,18 +1,16 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
- modeconfig=push
conn home
left=PH_IP_DAVE
@@ -24,6 +22,7 @@ conn home
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
+ modeconfig=push
auto=add
diff --git a/testing/tests/mode-config-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
index 3416c5d68..3de856642 100755
--- a/testing/tests/mode-config-push/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -15,7 +14,7 @@ conn %default
modeconfig=push
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
- leftsourceip=PH_IP1_MOON
+ leftsourceip=PH_IP_MOON1
leftnexthop=%direct
leftcert=moonCert.pem
leftid=@moon.strongswan.org
@@ -24,11 +23,11 @@ conn %default
conn rw-carol
right=%any
rightid=carol@strongswan.org
- rightsourceip=PH_IP1_CAROL
+ rightsourceip=PH_IP_CAROL1
auto=add
conn rw-dave
right=%any
rightid=dave@strongswan.org
- rightsourceip=PH_IP1_DAVE
+ rightsourceip=PH_IP_DAVE1
auto=add
diff --git a/testing/tests/ikev1/mode-config-push/posttest.dat b/testing/tests/ikev1/mode-config-push/posttest.dat
new file mode 100644
index 000000000..42fa8359b
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-push/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0
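Review bot: The three `/etc/init.d/iptables stop 2> /dev/null` lines discard any error from the firewall teardown, so rules left behind after a failed stop would carry over into the next scenario unnoticed. Unless the script is known to print harmless noise, I would drop the redirect, e.g. `moon::/etc/init.d/iptables stop`, so that a failure shows up in the test log. The two `ip addr del ... dev eth0` lines are handled the opposite way and will print an error whenever the virtual address was never installed; the two kinds of cleanup should be treated consistently. The identical new `posttest.dat` files for ikev1/mode-config-swapped and ikev1/mode-config contain the same lines.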
diff --git a/testing/tests/mode-config-swapped/pretest.dat b/testing/tests/ikev1/mode-config-push/pretest.dat
index 1e45f00fd..bb222992e 100644
--- a/testing/tests/mode-config-swapped/pretest.dat
+++ b/testing/tests/ikev1/mode-config-push/pretest.dat
@@ -7,3 +7,4 @@ moon::ipsec start
carol::sleep 2
carol::ipsec up home
dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/mode-config-push/test.conf b/testing/tests/ikev1/mode-config-push/test.conf
index 1a8f2a4e0..1a8f2a4e0 100644
--- a/testing/tests/mode-config-push/test.conf
+++ b/testing/tests/ikev1/mode-config-push/test.conf
diff --git a/testing/tests/mode-config-swapped/description.txt b/testing/tests/ikev1/mode-config-swapped/description.txt
index e29e6f654..e29e6f654 100644
--- a/testing/tests/mode-config-swapped/description.txt
+++ b/testing/tests/ikev1/mode-config-swapped/description.txt
diff --git a/testing/tests/mode-config/evaltest.dat b/testing/tests/ikev1/mode-config-swapped/evaltest.dat
index 7de32d681..9d60cf7b0 100644
--- a/testing/tests/mode-config/evaltest.dat
+++ b/testing/tests/ikev1/mode-config-swapped/evaltest.dat
@@ -1,7 +1,7 @@
-carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
+carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
+dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
diff --git a/testing/tests/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
index bee23f4df..3bcc0ff25 100755
--- a/testing/tests/mode-config-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
index 698cd9673..7933ef15a 100755
--- a/testing/tests/mode-config-swapped/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
index b9e401080..53b81a534 100755
--- a/testing/tests/mode-config-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -14,7 +13,7 @@ conn %default
keyingtries=1
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
- rightsourceip=PH_IP1_MOON
+ rightsourceip=PH_IP_MOON1
rightnexthop=%direct
rightcert=moonCert.pem
rightid=@moon.strongswan.org
@@ -23,11 +22,11 @@ conn %default
conn rw-carol
left=%any
leftid=carol@strongswan.org
- leftsourceip=PH_IP1_CAROL
+ leftsourceip=PH_IP_CAROL1
auto=add
conn rw-dave
left=%any
leftid=dave@strongswan.org
- leftsourceip=PH_IP1_DAVE
+ leftsourceip=PH_IP_DAVE1
auto=add
diff --git a/testing/tests/ikev1/mode-config-swapped/posttest.dat b/testing/tests/ikev1/mode-config-swapped/posttest.dat
new file mode 100644
index 000000000..42fa8359b
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-swapped/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/mode-config-push/pretest.dat b/testing/tests/ikev1/mode-config-swapped/pretest.dat
index 1e45f00fd..1e45f00fd 100644
--- a/testing/tests/mode-config-push/pretest.dat
+++ b/testing/tests/ikev1/mode-config-swapped/pretest.dat
diff --git a/testing/tests/mode-config-swapped/test.conf b/testing/tests/ikev1/mode-config-swapped/test.conf
index 1a8f2a4e0..1a8f2a4e0 100644
--- a/testing/tests/mode-config-swapped/test.conf
+++ b/testing/tests/ikev1/mode-config-swapped/test.conf
diff --git a/testing/tests/mode-config/description.txt b/testing/tests/ikev1/mode-config/description.txt
index 3e67f83f1..3e67f83f1 100644
--- a/testing/tests/mode-config/description.txt
+++ b/testing/tests/ikev1/mode-config/description.txt
diff --git a/testing/tests/starter-includes/evaltest.dat b/testing/tests/ikev1/mode-config/evaltest.dat
index 7de32d681..9d60cf7b0 100644
--- a/testing/tests/starter-includes/evaltest.dat
+++ b/testing/tests/ikev1/mode-config/evaltest.dat
@@ -1,7 +1,7 @@
-carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
+carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
+dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..2fd734579
--- /dev/null
+++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%modeconfig
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
+
+
+
+
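Review bot: The new file ends with four empty added lines after `auto=add`. They are padding only and should be dropped so that the file ends with the `conn home` section.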
diff --git a/testing/tests/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
index da601389c..128c4aa29 100755
--- a/testing/tests/starter-includes/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
index 49333e217..3367544eb 100755
--- a/testing/tests/mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -14,7 +13,7 @@ conn %default
keyingtries=1
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
- leftsourceip=PH_IP1_MOON
+ leftsourceip=PH_IP_MOON1
leftnexthop=%direct
leftcert=moonCert.pem
leftid=@moon.strongswan.org
@@ -23,11 +22,11 @@ conn %default
conn rw-carol
right=%any
rightid=carol@strongswan.org
- rightsourceip=PH_IP1_CAROL
+ rightsourceip=PH_IP_CAROL1
auto=add
conn rw-dave
right=%any
rightid=dave@strongswan.org
- rightsourceip=PH_IP1_DAVE
+ rightsourceip=PH_IP_DAVE1
auto=add
diff --git a/testing/tests/ikev1/mode-config/posttest.dat b/testing/tests/ikev1/mode-config/posttest.dat
new file mode 100644
index 000000000..42fa8359b
--- /dev/null
+++ b/testing/tests/ikev1/mode-config/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/mode-config/pretest.dat b/testing/tests/ikev1/mode-config/pretest.dat
index 1e45f00fd..bb222992e 100644
--- a/testing/tests/mode-config/pretest.dat
+++ b/testing/tests/ikev1/mode-config/pretest.dat
@@ -7,3 +7,4 @@ moon::ipsec start
carol::sleep 2
carol::ipsec up home
dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/mode-config/test.conf b/testing/tests/ikev1/mode-config/test.conf
index 1a8f2a4e0..1a8f2a4e0 100644
--- a/testing/tests/mode-config/test.conf
+++ b/testing/tests/ikev1/mode-config/test.conf
diff --git a/testing/tests/multi-level-ca-ldap/description.txt b/testing/tests/ikev1/multi-level-ca-ldap/description.txt
index 18fb88840..18fb88840 100644
--- a/testing/tests/multi-level-ca-ldap/description.txt
+++ b/testing/tests/ikev1/multi-level-ca-ldap/description.txt
diff --git a/testing/tests/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat
index f504706e2..f504706e2 100644
--- a/testing/tests/multi-level-ca-ldap/evaltest.dat
+++ b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat
diff --git a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
index 222c3cf67..2917edd8a 100755
--- a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
ca strongswan
cacert=strongswanCert.pem
diff --git a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..2990d6a12 100644
--- a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
diff --git a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..b91f9bf81 100644
--- a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
diff --git a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets
index fac55d63b..fac55d63b 100644
--- a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
index bfa0ebba3..3c8227f19 100755
--- a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
ca strongswan
cacert=strongswanCert.pem
diff --git a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index b76032480..b76032480 100644
--- a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
diff --git a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 022436de4..022436de4 100644
--- a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
index 8de514a2e..8de514a2e 100755
--- a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
index e2b60589b..9b1d03320 100755
--- a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
+ charonstart=no
ca strongswan
cacert=strongswanCert.pem
diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..154cff654 100644
--- a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
index e50477872..e50477872 100644
--- a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
diff --git a/testing/tests/multi-level-ca-ldap/posttest.dat b/testing/tests/ikev1/multi-level-ca-ldap/posttest.dat
index e618fc419..ec4ba6e10 100644
--- a/testing/tests/multi-level-ca-ldap/posttest.dat
+++ b/testing/tests/ikev1/multi-level-ca-ldap/posttest.dat
@@ -1,4 +1,3 @@
-moon::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
diff --git a/testing/tests/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev1/multi-level-ca-ldap/pretest.dat
index 322f42102..322f42102 100644
--- a/testing/tests/multi-level-ca-ldap/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca-ldap/pretest.dat
diff --git a/testing/tests/multi-level-ca-ldap/test.conf b/testing/tests/ikev1/multi-level-ca-ldap/test.conf
index 08e5cc145..08e5cc145 100644
--- a/testing/tests/multi-level-ca-ldap/test.conf
+++ b/testing/tests/ikev1/multi-level-ca-ldap/test.conf
diff --git a/testing/tests/multi-level-ca-loop/description.txt b/testing/tests/ikev1/multi-level-ca-loop/description.txt
index 9b63c2c66..9b63c2c66 100644
--- a/testing/tests/multi-level-ca-loop/description.txt
+++ b/testing/tests/ikev1/multi-level-ca-loop/description.txt
diff --git a/testing/tests/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat
index 781a7b4ac..781a7b4ac 100644
--- a/testing/tests/multi-level-ca-loop/evaltest.dat
+++ b/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat
diff --git a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
index c56678b59..2c645ead6 100755
--- a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..2990d6a12 100644
--- a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
diff --git a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..b91f9bf81 100644
--- a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
diff --git a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets
index fac55d63b..fac55d63b 100644
--- a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
index 343042f15..dcf3c94c7 100755
--- a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
index efb939e3a..efb939e3a 100644
--- a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
diff --git a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
index 90e207c4b..90e207c4b 100644
--- a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
diff --git a/testing/tests/multi-level-ca-loop/posttest.dat b/testing/tests/ikev1/multi-level-ca-loop/posttest.dat
index 076f51f4d..076f51f4d 100644
--- a/testing/tests/multi-level-ca-loop/posttest.dat
+++ b/testing/tests/ikev1/multi-level-ca-loop/posttest.dat
diff --git a/testing/tests/multi-level-ca-loop/pretest.dat b/testing/tests/ikev1/multi-level-ca-loop/pretest.dat
index 0a0ec22bf..0a0ec22bf 100644
--- a/testing/tests/multi-level-ca-loop/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca-loop/pretest.dat
diff --git a/testing/tests/multi-level-ca-loop/test.conf b/testing/tests/ikev1/multi-level-ca-loop/test.conf
index 3189fdfc7..3189fdfc7 100644
--- a/testing/tests/multi-level-ca-loop/test.conf
+++ b/testing/tests/ikev1/multi-level-ca-loop/test.conf
diff --git a/testing/tests/multi-level-ca-revoked/description.txt b/testing/tests/ikev1/multi-level-ca-revoked/description.txt
index c91ac285b..c91ac285b 100644
--- a/testing/tests/multi-level-ca-revoked/description.txt
+++ b/testing/tests/ikev1/multi-level-ca-revoked/description.txt
diff --git a/testing/tests/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat
index 0fd1cae8c..0fd1cae8c 100644
--- a/testing/tests/multi-level-ca-revoked/evaltest.dat
+++ b/testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..93bd80758
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+
+conn home
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..2990d6a12 100644
--- a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..b91f9bf81 100644
--- a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets
index fac55d63b..fac55d63b 100644
--- a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
index 39a298de9..ab336c3c8 100755
--- a/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
+ charonstart=no
ca strongswan
cacert=strongswanCert.pem
diff --git a/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index c380a5110..c380a5110 100644
--- a/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
diff --git a/testing/tests/multi-level-ca-revoked/posttest.dat b/testing/tests/ikev1/multi-level-ca-revoked/posttest.dat
index f84b7e37b..f84b7e37b 100644
--- a/testing/tests/multi-level-ca-revoked/posttest.dat
+++ b/testing/tests/ikev1/multi-level-ca-revoked/posttest.dat
diff --git a/testing/tests/multi-level-ca-revoked/pretest.dat b/testing/tests/ikev1/multi-level-ca-revoked/pretest.dat
index d92333d86..d92333d86 100644
--- a/testing/tests/multi-level-ca-revoked/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca-revoked/pretest.dat
diff --git a/testing/tests/multi-level-ca-revoked/test.conf b/testing/tests/ikev1/multi-level-ca-revoked/test.conf
index 2b240d895..2b240d895 100644
--- a/testing/tests/multi-level-ca-revoked/test.conf
+++ b/testing/tests/ikev1/multi-level-ca-revoked/test.conf
diff --git a/testing/tests/multi-level-ca-strict/description.txt b/testing/tests/ikev1/multi-level-ca-strict/description.txt
index 32413e3de..32413e3de 100644
--- a/testing/tests/multi-level-ca-strict/description.txt
+++ b/testing/tests/ikev1/multi-level-ca-strict/description.txt
diff --git a/testing/tests/multi-level-ca-strict/evaltest.dat b/testing/tests/ikev1/multi-level-ca-strict/evaltest.dat
index 5a181a62d..5a181a62d 100644
--- a/testing/tests/multi-level-ca-strict/evaltest.dat
+++ b/testing/tests/ikev1/multi-level-ca-strict/evaltest.dat
diff --git a/testing/tests/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
index de179c565..d6d32a39d 100755
--- a/testing/tests/wildcards/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..2990d6a12 100644
--- a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
diff --git a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..b91f9bf81 100644
--- a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
diff --git a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets
index fac55d63b..fac55d63b 100644
--- a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
index 2fb6a301e..6156fadba 100755
--- a/testing/tests/wildcards/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index b76032480..b76032480 100644
--- a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
diff --git a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 022436de4..022436de4 100644
--- a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
diff --git a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
index 6ed262d20..6b4e37b35 100755
--- a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
+ charonstart=no
ca strongswan
cacert=strongswanCert.pem
diff --git a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..154cff654 100644
--- a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
diff --git a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
index e50477872..e50477872 100644
--- a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
diff --git a/testing/tests/multi-level-ca-strict/posttest.dat b/testing/tests/ikev1/multi-level-ca-strict/posttest.dat
index 1646d5ed2..1646d5ed2 100644
--- a/testing/tests/multi-level-ca-strict/posttest.dat
+++ b/testing/tests/ikev1/multi-level-ca-strict/posttest.dat
diff --git a/testing/tests/multi-level-ca-strict/pretest.dat b/testing/tests/ikev1/multi-level-ca-strict/pretest.dat
index 67c50c2ef..67c50c2ef 100644
--- a/testing/tests/multi-level-ca-strict/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca-strict/pretest.dat
diff --git a/testing/tests/multi-level-ca-strict/test.conf b/testing/tests/ikev1/multi-level-ca-strict/test.conf
index 08e5cc145..08e5cc145 100644
--- a/testing/tests/multi-level-ca-strict/test.conf
+++ b/testing/tests/ikev1/multi-level-ca-strict/test.conf
diff --git a/testing/tests/multi-level-ca/description.txt b/testing/tests/ikev1/multi-level-ca/description.txt
index 64825cb30..64825cb30 100644
--- a/testing/tests/multi-level-ca/description.txt
+++ b/testing/tests/ikev1/multi-level-ca/description.txt
diff --git a/testing/tests/multi-level-ca/evaltest.dat b/testing/tests/ikev1/multi-level-ca/evaltest.dat
index 72f620b8e..72f620b8e 100644
--- a/testing/tests/multi-level-ca/evaltest.dat
+++ b/testing/tests/ikev1/multi-level-ca/evaltest.dat
diff --git a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
index e851a82f0..316cdaecc 100755
--- a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 2990d6a12..2990d6a12 100644
--- a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem
diff --git a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem
index b91f9bf81..b91f9bf81 100644
--- a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem
diff --git a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.secrets
index fac55d63b..fac55d63b 100644
--- a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
index 458a4ca5e..5838f5f2f 100755
--- a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index b76032480..b76032480 100644
--- a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem
diff --git a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 022436de4..022436de4 100644
--- a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem
diff --git a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
index e60bbc016..e47d453e4 100755
--- a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
ca strongswan
cacert=strongswanCert.pem
diff --git a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
index 154cff654..154cff654 100644
--- a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
diff --git a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
index e50477872..e50477872 100644
--- a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
diff --git a/testing/tests/multi-level-ca/posttest.dat b/testing/tests/ikev1/multi-level-ca/posttest.dat
index 1646d5ed2..1646d5ed2 100644
--- a/testing/tests/multi-level-ca/posttest.dat
+++ b/testing/tests/ikev1/multi-level-ca/posttest.dat
diff --git a/testing/tests/multi-level-ca/pretest.dat b/testing/tests/ikev1/multi-level-ca/pretest.dat
index 67c50c2ef..67c50c2ef 100644
--- a/testing/tests/multi-level-ca/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca/pretest.dat
diff --git a/testing/tests/multi-level-ca/test.conf b/testing/tests/ikev1/multi-level-ca/test.conf
index 08e5cc145..08e5cc145 100644
--- a/testing/tests/multi-level-ca/test.conf
+++ b/testing/tests/ikev1/multi-level-ca/test.conf
diff --git a/testing/tests/ikev1/nat-before-esp/description.txt b/testing/tests/ikev1/nat-before-esp/description.txt
new file mode 100644
index 000000000..e42ace476
--- /dev/null
+++ b/testing/tests/ikev1/nat-before-esp/description.txt
@@ -0,0 +1,6 @@
+An IPsec tunnel connecting the gateway <b>moon</b> with the subnet behind
+gateway <b>sun</b> is set up. This host-to-net connection can also be
+used by the clients <b>alice</b> and <b>venus</b> via the trick of NAT-ing
+them to the outer IP address of gateway <b>moon</b> prior to tunnelling.
+The IPsec tunnel is first tested by <b>moon</b> pinging <b>bob</b> and vice versa,
+followed by the NAT-ed clients <b>alice</b> and <b>venus</b> pinging <b>bob</b>.
diff --git a/testing/tests/ikev1/nat-before-esp/evaltest.dat b/testing/tests/ikev1/nat-before-esp/evaltest.dat
new file mode 100644
index 000000000..d466038ed
--- /dev/null
+++ b/testing/tests/ikev1/nat-before-esp/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec status::host-net.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::host-net.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+bob::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::ICMP::YES
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..f87ec0e58
--- /dev/null
+++ b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,83 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # NAT traffic from 10.1.0.0/16
+ iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
+
+ # forward traffic from 10.1.0.0/16 to POSTROUTING chain
+ iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -d 10.2.0.0/16 -j ACCEPT
+ iptables -A FORWARD -o eth1 -i eth0 -d 10.1.0.0/16 -s 10.2.0.0/16 -j ACCEPT
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
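Review bot: The return-path rule in start(), `iptables -A FORWARD -o eth1 -i eth0 -d 10.1.0.0/16 -s 10.2.0.0/16 -j ACCEPT`, accepts any packet arriving on eth0 with a 10.2.0.0/16 source, whether or not it belongs to a flow that the masqueraded clients opened. The test appears to expect only replies in this direction, so limiting it to tracked flows would be tighter: `iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT`. Separately, `eend $?` in start() reports only the status of the last iptables call, so an earlier rule that fails to load goes unnoticed, and stop() leaves `/proc/sys/net/ipv4/ip_forward` at 1.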
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..9637dcf06
--- /dev/null
+++ b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn host-net
+ left=192.168.0.1
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=192.168.0.2
+ rightsubnet=10.2.0.0/16
+ rightid=@sun.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..506417867
--- /dev/null
+++ b/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ nat_traversal=yes
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn host-net
+ left=192.168.0.2
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ leftsubnet=10.2.0.0/16
+ right=%any
+ auto=add
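Review bot: `conn host-net` on sun sets `right=%any` with no `rightid`, whereas moon's side pins `rightid=@sun.strongswan.org`. As far as this file shows, any peer whose certificate validates against the trusted CAs could therefore negotiate the 10.2.0.0/16 tunnel. If the wildcard address is needed for the scenario, adding `rightid=@moon.strongswan.org` would keep the peer identity pinned on both ends. `nat_traversal=yes` is also set here but not on moon; a one-line comment saying why would help, since evaltest.dat expects plain ESP between the gateways.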
diff --git a/testing/tests/host2host-swapped/posttest.dat b/testing/tests/ikev1/nat-before-esp/posttest.dat
index 52979508d..307b96888 100644
--- a/testing/tests/host2host-swapped/posttest.dat
+++ b/testing/tests/ikev1/nat-before-esp/posttest.dat
@@ -1,5 +1,4 @@
-moon::iptables -v -n -L
-sun::iptables -v -n -L
+moon::iptables -t nat -v -n -L
moon::ipsec stop
sun::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
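Review bot: The teardown does not clear moon's connection-tracking table, even though this test masquerades alice and venus on moon. The nat-one-rw and nat-two-rw-psk posttest files changed in this commit end with `moon::conntrack -F`. Unless a line outside this hunk already does it, appending `moon::conntrack -F` would keep stale NAT mappings from carrying into the next test. The hunk also shows no `sun::/etc/init.d/iptables stop` to pair with the start in pretest.dat, though that line may sit just past the hunk's context.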
diff --git a/testing/tests/ikev1/nat-before-esp/pretest.dat b/testing/tests/ikev1/nat-before-esp/pretest.dat
new file mode 100644
index 000000000..75565540a
--- /dev/null
+++ b/testing/tests/ikev1/nat-before-esp/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up host-net
diff --git a/testing/tests/ikev1/nat-before-esp/test.conf b/testing/tests/ikev1/nat-before-esp/test.conf
new file mode 100644
index 000000000..4234eaf63
--- /dev/null
+++ b/testing/tests/ikev1/nat-before-esp/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
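Review bot: `DIAGRAM="a-m-w-s-b.png"` does not match `UMLHOSTS="alice venus moon winnetou sun bob"`: venus takes part in the scenario but the diagram name has no `v`. nat-two-rw/test.conf in this commit lists the same hosts and uses `DIAGRAM="a-v-m-w-s-b.png"`. That looks like the intended value here, assuming the image exists in the testing tree.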
diff --git a/testing/tests/nat-one-rw/description.txt b/testing/tests/ikev1/nat-one-rw/description.txt
index c3b9bb820..c3b9bb820 100644
--- a/testing/tests/nat-one-rw/description.txt
+++ b/testing/tests/ikev1/nat-one-rw/description.txt
diff --git a/testing/tests/nat-one-rw/evaltest.dat b/testing/tests/ikev1/nat-one-rw/evaltest.dat
index bc193963d..bc193963d 100644
--- a/testing/tests/nat-one-rw/evaltest.dat
+++ b/testing/tests/ikev1/nat-one-rw/evaltest.dat
diff --git a/testing/tests/nat-one-rw/posttest.dat b/testing/tests/ikev1/nat-one-rw/posttest.dat
index af8e00575..cd0d4df25 100644
--- a/testing/tests/nat-one-rw/posttest.dat
+++ b/testing/tests/ikev1/nat-one-rw/posttest.dat
@@ -1,8 +1,6 @@
-alice::iptables -v -n -L
-sun::iptables -v -n -L
alice::ipsec stop
sun::ipsec stop
alice::/etc/init.d/iptables stop 2> /dev/null
sun::/etc/init.d/iptables stop 2> /dev/null
moon::iptables -t nat -F
-
+moon::conntrack -F
diff --git a/testing/tests/nat-one-rw/pretest.dat b/testing/tests/ikev1/nat-one-rw/pretest.dat
index 9dacc672c..9dacc672c 100644
--- a/testing/tests/nat-one-rw/pretest.dat
+++ b/testing/tests/ikev1/nat-one-rw/pretest.dat
diff --git a/testing/tests/nat-one-rw/test.conf b/testing/tests/ikev1/nat-one-rw/test.conf
index d84149aaf..d84149aaf 100644
--- a/testing/tests/nat-one-rw/test.conf
+++ b/testing/tests/ikev1/nat-one-rw/test.conf
diff --git a/testing/tests/ikev1/nat-two-rw-psk/description.txt b/testing/tests/ikev1/nat-two-rw-psk/description.txt
new file mode 100644
index 000000000..c74897d9a
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway <b>sun</b>.
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat b/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat
new file mode 100644
index 000000000..e8aaf0b5f
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat
@@ -0,0 +1,9 @@
+alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::nat-t.*\[PH_IP_ALICE\]::YES
+sun::ipsec status::nat-t.*\[PH_IP_VENUS\]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..e8576f0e7
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ nat_traversal=yes
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=secret
+
+conn nat-t
+ left=%defaultroute
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets
index e8c151f05..e8c151f05 100644
--- a/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..573069f75
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ nat_traversal=yes
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=secret
+ leftnexthop=%direct
+
+conn nat-t
+ left=PH_IP_SUN
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=%any
+ rightsubnetwithin=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..e8c151f05
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
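Review bot: The `: PSK` line has no ID selectors, and the same value is committed for alice, venus and sun, so one key authenticates every peer in this scenario. The alice file is a rename of rw-rsa-no-policy's moon secrets with an unchanged blob id, so the value is also reused from an earlier test. That matches what description.txt says the test intends, but the file should mark itself as a fixture, e.g. `# test-only PSK shared by alice, venus and sun; do not reuse outside the test environment`. The same comment applies to the venus ipsec.secrets hunk.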
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..e8576f0e7
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ nat_traversal=yes
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=secret
+
+conn nat-t
+ left=%defaultroute
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets
new file mode 100644
index 000000000..e8c151f05
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/nat-two-rw/posttest.dat b/testing/tests/ikev1/nat-two-rw-psk/posttest.dat
index f019842ed..52572ece8 100644
--- a/testing/tests/nat-two-rw/posttest.dat
+++ b/testing/tests/ikev1/nat-two-rw-psk/posttest.dat
@@ -1,6 +1,3 @@
-alice::iptables -v -n -L
-venus::iptables -v -n -L
-sun::iptables -v -n -L
sun::ipsec stop
alice::ipsec stop
venus::ipsec stop
@@ -8,4 +5,4 @@ alice::/etc/init.d/iptables stop 2> /dev/null
venus::/etc/init.d/iptables stop 2> /dev/null
sun::/etc/init.d/iptables stop 2> /dev/null
moon::iptables -t nat -F
-
+moon::conntrack -F
diff --git a/testing/tests/ikev1/nat-two-rw-psk/pretest.dat b/testing/tests/ikev1/nat-two-rw-psk/pretest.dat
new file mode 100644
index 000000000..6172bd088
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/pretest.dat
@@ -0,0 +1,16 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::rm /etc/ipsec.d/cacerts/*
+venus::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 5
+alice::ipsec up nat-t
+venus::sleep 5
+venus::ipsec up nat-t
diff --git a/testing/tests/nat-two-rw/test.conf b/testing/tests/ikev1/nat-two-rw-psk/test.conf
index 84317fd70..84317fd70 100644
--- a/testing/tests/nat-two-rw/test.conf
+++ b/testing/tests/ikev1/nat-two-rw-psk/test.conf
diff --git a/testing/tests/nat-two-rw/description.txt b/testing/tests/ikev1/nat-two-rw/description.txt
index dcf4b94bd..dcf4b94bd 100644
--- a/testing/tests/nat-two-rw/description.txt
+++ b/testing/tests/ikev1/nat-two-rw/description.txt
diff --git a/testing/tests/nat-two-rw/evaltest.dat b/testing/tests/ikev1/nat-two-rw/evaltest.dat
index b1a7d59ee..b1a7d59ee 100644
--- a/testing/tests/nat-two-rw/evaltest.dat
+++ b/testing/tests/ikev1/nat-two-rw/evaltest.dat
diff --git a/testing/tests/ikev1/nat-two-rw/posttest.dat b/testing/tests/ikev1/nat-two-rw/posttest.dat
new file mode 100644
index 000000000..52572ece8
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/nat-two-rw/pretest.dat b/testing/tests/ikev1/nat-two-rw/pretest.dat
index dd5259936..dd5259936 100644
--- a/testing/tests/nat-two-rw/pretest.dat
+++ b/testing/tests/ikev1/nat-two-rw/pretest.dat
diff --git a/testing/tests/ikev1/nat-two-rw/test.conf b/testing/tests/ikev1/nat-two-rw/test.conf
new file mode 100644
index 000000000..84317fd70
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/net2net-cert/description.txt b/testing/tests/ikev1/net2net-cert/description.txt
index 7eea9192f..7eea9192f 100644
--- a/testing/tests/net2net-cert/description.txt
+++ b/testing/tests/ikev1/net2net-cert/description.txt
diff --git a/testing/tests/net2net-cert/evaltest.dat b/testing/tests/ikev1/net2net-cert/evaltest.dat
index 7cbf92687..7cbf92687 100644
--- a/testing/tests/net2net-cert/evaltest.dat
+++ b/testing/tests/ikev1/net2net-cert/evaltest.dat
diff --git a/testing/tests/ikev1/net2net-cert/posttest.dat b/testing/tests/ikev1/net2net-cert/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/ikev1/net2net-cert/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/net2net-cert/pretest.dat b/testing/tests/ikev1/net2net-cert/pretest.dat
index 9f60760c6..9f60760c6 100644
--- a/testing/tests/net2net-cert/pretest.dat
+++ b/testing/tests/ikev1/net2net-cert/pretest.dat
diff --git a/testing/tests/net2net-cert/test.conf b/testing/tests/ikev1/net2net-cert/test.conf
index d9a61590f..d9a61590f 100644
--- a/testing/tests/net2net-cert/test.conf
+++ b/testing/tests/ikev1/net2net-cert/test.conf
diff --git a/testing/tests/net2net-pgp/description.txt b/testing/tests/ikev1/net2net-pgp/description.txt
index c85f2e5d0..c85f2e5d0 100644
--- a/testing/tests/net2net-pgp/description.txt
+++ b/testing/tests/ikev1/net2net-pgp/description.txt
diff --git a/testing/tests/net2net-pgp/evaltest.dat b/testing/tests/ikev1/net2net-pgp/evaltest.dat
index 7cbf92687..7cbf92687 100644
--- a/testing/tests/net2net-pgp/evaltest.dat
+++ b/testing/tests/ikev1/net2net-pgp/evaltest.dat
diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf
index e7de6cf0b..eb72ed85f 100755
--- a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,9 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
nocrsend=yes
+ charonstart=no
conn %default
ikelifetime=60m
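Review bot: The added `charonstart=no` carries no comment saying why the IKEv2 daemon is switched off, and the same bare line is added in every other ipsec.conf hunk on this page (net2net-psk, net2net-psk-fail, net2net-rsa, net2net-route, net2net-start, ocsp-revoked, ocsp-strict and the protoport scenarios). Since these files move under `testing/tests/ikev1/`, the intent is presumably that only pluto runs. A one-line comment above it, such as `# IKEv1 scenario: pluto only, charon (IKEv2) is not started`, would make that explicit for anyone copying a host config into a new scenario. The file continues past `conn %default` outside the hunk.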
diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc
index 135cfaec0..135cfaec0 100644
--- a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc
+++ b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc
diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc
index 32f204b10..32f204b10 100644
--- a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc
+++ b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc
diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc
index 6524773e0..6524773e0 100644
--- a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc
+++ b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc
diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets
index afb1ff927..afb1ff927 100644
--- a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf
index 5dd8a8587..205f235c8 100755
--- a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,9 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
nocrsend=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc
index 135cfaec0..135cfaec0 100644
--- a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc
+++ b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc
diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc
index 32f204b10..32f204b10 100644
--- a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc
+++ b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc
diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc
index de2393649..de2393649 100644
--- a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc
+++ b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc
diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets
index ee98b1611..ee98b1611 100644
--- a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.secrets
+++ b/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/net2net-pgp/posttest.dat b/testing/tests/ikev1/net2net-pgp/posttest.dat
index 80e765dfc..fafcde975 100644
--- a/testing/tests/net2net-pgp/posttest.dat
+++ b/testing/tests/ikev1/net2net-pgp/posttest.dat
@@ -1,5 +1,3 @@
-moon::iptables -v -n -L
-sun::iptables -v -n -L
moon::ipsec stop
sun::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/net2net-pgp/pretest.dat b/testing/tests/ikev1/net2net-pgp/pretest.dat
index 9e40684ab..9e40684ab 100644
--- a/testing/tests/net2net-pgp/pretest.dat
+++ b/testing/tests/ikev1/net2net-pgp/pretest.dat
diff --git a/testing/tests/net2net-pgp/test.conf b/testing/tests/ikev1/net2net-pgp/test.conf
index f74d0f7d6..f74d0f7d6 100644
--- a/testing/tests/net2net-pgp/test.conf
+++ b/testing/tests/ikev1/net2net-pgp/test.conf
diff --git a/testing/tests/net2net-psk-fail/description.txt b/testing/tests/ikev1/net2net-psk-fail/description.txt
index 5a794bd17..5a794bd17 100644
--- a/testing/tests/net2net-psk-fail/description.txt
+++ b/testing/tests/ikev1/net2net-psk-fail/description.txt
diff --git a/testing/tests/net2net-psk-fail/evaltest.dat b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat
index 7f7cb9726..7f7cb9726 100644
--- a/testing/tests/net2net-psk-fail/evaltest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat
diff --git a/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
index 87396e455..e095c0b7b 100755
--- a/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
index be95c4d99..be95c4d99 100644
--- a/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
index 7e102b25c..b21f863f5 100755
--- a/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
index b53577e1d..b53577e1d 100644
--- a/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/net2net-psk-fail/posttest.dat b/testing/tests/ikev1/net2net-psk-fail/posttest.dat
index dff181797..dff181797 100644
--- a/testing/tests/net2net-psk-fail/posttest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/posttest.dat
diff --git a/testing/tests/net2net-psk-fail/pretest.dat b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
index aa8e332e0..aa8e332e0 100644
--- a/testing/tests/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
diff --git a/testing/tests/net2net-psk-fail/test.conf b/testing/tests/ikev1/net2net-psk-fail/test.conf
index f6e064e7d..f6e064e7d 100644
--- a/testing/tests/net2net-psk-fail/test.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/test.conf
diff --git a/testing/tests/net2net-psk/description.txt b/testing/tests/ikev1/net2net-psk/description.txt
index 02cddbb83..02cddbb83 100644
--- a/testing/tests/net2net-psk/description.txt
+++ b/testing/tests/ikev1/net2net-psk/description.txt
diff --git a/testing/tests/net2net-psk/evaltest.dat b/testing/tests/ikev1/net2net-psk/evaltest.dat
index 7cbf92687..7cbf92687 100644
--- a/testing/tests/net2net-psk/evaltest.dat
+++ b/testing/tests/ikev1/net2net-psk/evaltest.dat
diff --git a/testing/tests/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
index 51c53a505..a3536e2b2 100755
--- a/testing/tests/net2net-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.secrets
index be95c4d99..be95c4d99 100644
--- a/testing/tests/net2net-psk/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
index 9c3695178..12e38962e 100755
--- a/testing/tests/net2net-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/net2net-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.secrets
index be95c4d99..be95c4d99 100644
--- a/testing/tests/net2net-psk/hosts/sun/etc/ipsec.secrets
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/net2net-psk/posttest.dat b/testing/tests/ikev1/net2net-psk/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/net2net-psk/pretest.dat b/testing/tests/ikev1/net2net-psk/pretest.dat
index 9e40684ab..9e40684ab 100644
--- a/testing/tests/net2net-psk/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk/pretest.dat
diff --git a/testing/tests/net2net-psk/test.conf b/testing/tests/ikev1/net2net-psk/test.conf
index f74d0f7d6..f74d0f7d6 100644
--- a/testing/tests/net2net-psk/test.conf
+++ b/testing/tests/ikev1/net2net-psk/test.conf
diff --git a/testing/tests/net2net-route/description.txt b/testing/tests/ikev1/net2net-route/description.txt
index 323f09555..323f09555 100644
--- a/testing/tests/net2net-route/description.txt
+++ b/testing/tests/ikev1/net2net-route/description.txt
diff --git a/testing/tests/net2net-route/evaltest.dat b/testing/tests/ikev1/net2net-route/evaltest.dat
index 38d589e5a..38d589e5a 100644
--- a/testing/tests/net2net-route/evaltest.dat
+++ b/testing/tests/ikev1/net2net-route/evaltest.dat
diff --git a/testing/tests/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
index 4063ae05f..466235099 100755
--- a/testing/tests/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/ikev1/net2net-route/posttest.dat b/testing/tests/ikev1/net2net-route/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/ikev1/net2net-route/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/net2net-route/pretest.dat b/testing/tests/ikev1/net2net-route/pretest.dat
index 2eef7de19..2eef7de19 100644
--- a/testing/tests/net2net-route/pretest.dat
+++ b/testing/tests/ikev1/net2net-route/pretest.dat
diff --git a/testing/tests/net2net-route/test.conf b/testing/tests/ikev1/net2net-route/test.conf
index d9a61590f..d9a61590f 100644
--- a/testing/tests/net2net-route/test.conf
+++ b/testing/tests/ikev1/net2net-route/test.conf
diff --git a/testing/tests/net2net-rsa/description.txt b/testing/tests/ikev1/net2net-rsa/description.txt
index a23fae8c3..a23fae8c3 100644
--- a/testing/tests/net2net-rsa/description.txt
+++ b/testing/tests/ikev1/net2net-rsa/description.txt
diff --git a/testing/tests/net2net-rsa/evaltest.dat b/testing/tests/ikev1/net2net-rsa/evaltest.dat
index 7cbf92687..7cbf92687 100644
--- a/testing/tests/net2net-rsa/evaltest.dat
+++ b/testing/tests/ikev1/net2net-rsa/evaltest.dat
diff --git a/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
index 772762321..e4c0614a1 100755
--- a/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets
index 9859ae8ed..9859ae8ed 100644
--- a/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
index 9626ef168..d0c8752a3 100755
--- a/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets
index bf976a8d3..bf976a8d3 100644
--- a/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.secrets
+++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/net2net-rsa/posttest.dat b/testing/tests/ikev1/net2net-rsa/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/ikev1/net2net-rsa/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/net2net-rsa/pretest.dat b/testing/tests/ikev1/net2net-rsa/pretest.dat
index 9e40684ab..9e40684ab 100644
--- a/testing/tests/net2net-rsa/pretest.dat
+++ b/testing/tests/ikev1/net2net-rsa/pretest.dat
diff --git a/testing/tests/net2net-rsa/test.conf b/testing/tests/ikev1/net2net-rsa/test.conf
index f74d0f7d6..f74d0f7d6 100644
--- a/testing/tests/net2net-rsa/test.conf
+++ b/testing/tests/ikev1/net2net-rsa/test.conf
diff --git a/testing/tests/net2net-start/description.txt b/testing/tests/ikev1/net2net-start/description.txt
index f5320685e..f5320685e 100644
--- a/testing/tests/net2net-start/description.txt
+++ b/testing/tests/ikev1/net2net-start/description.txt
diff --git a/testing/tests/net2net-start/evaltest.dat b/testing/tests/ikev1/net2net-start/evaltest.dat
index 7cbf92687..7cbf92687 100644
--- a/testing/tests/net2net-start/evaltest.dat
+++ b/testing/tests/ikev1/net2net-start/evaltest.dat
diff --git a/testing/tests/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
index 677955bc1..95abd046a 100755
--- a/testing/tests/net2net-start/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/ikev1/net2net-start/posttest.dat b/testing/tests/ikev1/net2net-start/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/ikev1/net2net-start/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/net2net-start/pretest.dat b/testing/tests/ikev1/net2net-start/pretest.dat
index ed8f39316..ed8f39316 100644
--- a/testing/tests/net2net-start/pretest.dat
+++ b/testing/tests/ikev1/net2net-start/pretest.dat
diff --git a/testing/tests/net2net-start/test.conf b/testing/tests/ikev1/net2net-start/test.conf
index d9a61590f..d9a61590f 100644
--- a/testing/tests/net2net-start/test.conf
+++ b/testing/tests/ikev1/net2net-start/test.conf
diff --git a/testing/tests/no-priv-key/description.txt b/testing/tests/ikev1/no-priv-key/description.txt
index 21b8eccb1..21b8eccb1 100644
--- a/testing/tests/no-priv-key/description.txt
+++ b/testing/tests/ikev1/no-priv-key/description.txt
diff --git a/testing/tests/no-priv-key/evaltest.dat b/testing/tests/ikev1/no-priv-key/evaltest.dat
index 9bd85ba12..9bd85ba12 100644
--- a/testing/tests/no-priv-key/evaltest.dat
+++ b/testing/tests/ikev1/no-priv-key/evaltest.dat
diff --git a/testing/tests/no-priv-key/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets
index 23b311aa6..23b311aa6 100644
--- a/testing/tests/no-priv-key/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/no-priv-key/posttest.dat b/testing/tests/ikev1/no-priv-key/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/no-priv-key/posttest.dat
+++ b/testing/tests/ikev1/no-priv-key/posttest.dat
diff --git a/testing/tests/no-priv-key/pretest.dat b/testing/tests/ikev1/no-priv-key/pretest.dat
index d92333d86..d92333d86 100644
--- a/testing/tests/no-priv-key/pretest.dat
+++ b/testing/tests/ikev1/no-priv-key/pretest.dat
diff --git a/testing/tests/no-priv-key/test.conf b/testing/tests/ikev1/no-priv-key/test.conf
index 2b240d895..2b240d895 100644
--- a/testing/tests/no-priv-key/test.conf
+++ b/testing/tests/ikev1/no-priv-key/test.conf
diff --git a/testing/tests/ocsp-revoked/description.txt b/testing/tests/ikev1/ocsp-revoked/description.txt
index cbdd1305a..cbdd1305a 100644
--- a/testing/tests/ocsp-revoked/description.txt
+++ b/testing/tests/ikev1/ocsp-revoked/description.txt
diff --git a/testing/tests/ocsp-revoked/evaltest.dat b/testing/tests/ikev1/ocsp-revoked/evaltest.dat
index f5286cb61..f5286cb61 100644
--- a/testing/tests/ocsp-revoked/evaltest.dat
+++ b/testing/tests/ikev1/ocsp-revoked/evaltest.dat
diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
index 7d4384767..5b32ef007 100755
--- a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
+ charonstart=no
ca strongswan
cacert=strongswanCert.pem
diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
index 5b742fc9e..5b742fc9e 100644
--- a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
index 8aefcc5a6..8aefcc5a6 100644
--- a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets
index 8e31be4cb..8e31be4cb 100644
--- a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ocsp-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
index 7134b6ee9..d9da3f78a 100755
--- a/testing/tests/ocsp-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
+ charonstart=no
ca strongswan
cacert=strongswanCert.pem
diff --git a/testing/tests/ocsp-revoked/posttest.dat b/testing/tests/ikev1/ocsp-revoked/posttest.dat
index d883459e7..d742e8410 100644
--- a/testing/tests/ocsp-revoked/posttest.dat
+++ b/testing/tests/ikev1/ocsp-revoked/posttest.dat
@@ -1,5 +1,4 @@
moon::ipsec stop
carol::ipsec stop
-winnetou::killall openssl
carol::rm /etc/ipsec.d/private/*
carol::rm /etc/ipsec.d/certs/*
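Review bot: Nothing in the OCSP scenarios owns the responder's lifecycle after this change. `winnetou::killall openssl` is removed here, `winnetou::/etc/openssl/start-ocsp` is removed in the ocsp-strict/pretest.dat hunk further down, and the new ocsp-revoked/pretest.dat ends up as the same blob (d92333d86) without it. Both scenarios run with `strictcrlpolicy=yes`, so if the responder on winnetou is not already up, the peer is presumably rejected for missing status rather than for a revoked certificate, and a check that only looks for a failed connection would still pass. evaltest.dat is unchanged and not shown, so confirm it matches the explicit revoked status in the log. If the harness does not start the responder elsewhere, keep `winnetou::/etc/openssl/start-ocsp` in both pretest.dat files.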
diff --git a/testing/tests/xauth-rsa-nosecret/pretest.dat b/testing/tests/ikev1/ocsp-revoked/pretest.dat
index f5aa989fe..d92333d86 100644
--- a/testing/tests/xauth-rsa-nosecret/pretest.dat
+++ b/testing/tests/ikev1/ocsp-revoked/pretest.dat
@@ -1,4 +1,4 @@
-carol::ipsec start
moon::ipsec start
+carol::ipsec start
carol::sleep 2
carol::ipsec up home
diff --git a/testing/tests/ocsp-revoked/test.conf b/testing/tests/ikev1/ocsp-revoked/test.conf
index 2b240d895..2b240d895 100644
--- a/testing/tests/ocsp-revoked/test.conf
+++ b/testing/tests/ikev1/ocsp-revoked/test.conf
diff --git a/testing/tests/ocsp-strict/description.txt b/testing/tests/ikev1/ocsp-strict/description.txt
index 7cb983140..7cb983140 100644
--- a/testing/tests/ocsp-strict/description.txt
+++ b/testing/tests/ikev1/ocsp-strict/description.txt
diff --git a/testing/tests/ocsp-strict/evaltest.dat b/testing/tests/ikev1/ocsp-strict/evaltest.dat
index 66b27aaac..66b27aaac 100644
--- a/testing/tests/ocsp-strict/evaltest.dat
+++ b/testing/tests/ikev1/ocsp-strict/evaltest.dat
diff --git a/testing/tests/ocsp-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
index b34719401..fd950ecd5 100755
--- a/testing/tests/ocsp-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
+ charonstart=no
ca strongswan
cacert=strongswanCert.pem
diff --git a/testing/tests/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
index 7134b6ee9..d9da3f78a 100755
--- a/testing/tests/ocsp-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=yes
+ charonstart=no
ca strongswan
cacert=strongswanCert.pem
diff --git a/testing/tests/rw-psk-no-policy/posttest.dat b/testing/tests/ikev1/ocsp-strict/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/rw-psk-no-policy/posttest.dat
+++ b/testing/tests/ikev1/ocsp-strict/posttest.dat
diff --git a/testing/tests/ocsp-revoked/pretest.dat b/testing/tests/ikev1/ocsp-strict/pretest.dat
index d5516fd3b..d92333d86 100644
--- a/testing/tests/ocsp-revoked/pretest.dat
+++ b/testing/tests/ikev1/ocsp-strict/pretest.dat
@@ -1,4 +1,3 @@
-winnetou::/etc/openssl/start-ocsp
moon::ipsec start
carol::ipsec start
carol::sleep 2
diff --git a/testing/tests/ocsp-strict/test.conf b/testing/tests/ikev1/ocsp-strict/test.conf
index 2b240d895..2b240d895 100644
--- a/testing/tests/ocsp-strict/test.conf
+++ b/testing/tests/ikev1/ocsp-strict/test.conf
diff --git a/testing/tests/protoport-dual/description.txt b/testing/tests/ikev1/protoport-dual/description.txt
index 7bed8b959..7bed8b959 100644
--- a/testing/tests/protoport-dual/description.txt
+++ b/testing/tests/ikev1/protoport-dual/description.txt
diff --git a/testing/tests/protoport-dual/evaltest.dat b/testing/tests/ikev1/protoport-dual/evaltest.dat
index 625c8c54c..11c34929f 100644
--- a/testing/tests/protoport-dual/evaltest.dat
+++ b/testing/tests/ikev1/protoport-dual/evaltest.dat
@@ -1,7 +1,7 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
index 9e05ecf61..0dc25b7bb 100755
--- a/testing/tests/protoport-dual/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
index 84b9b0ba3..3b01128c2 100755
--- a/testing/tests/protoport-dual/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/protoport-pass/posttest.dat b/testing/tests/ikev1/protoport-dual/posttest.dat
index 26848212b..94a400606 100644
--- a/testing/tests/protoport-pass/posttest.dat
+++ b/testing/tests/ikev1/protoport-dual/posttest.dat
@@ -1,5 +1,3 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/protoport-dual/pretest.dat b/testing/tests/ikev1/protoport-dual/pretest.dat
index d3d0061c3..d3d0061c3 100644
--- a/testing/tests/protoport-dual/pretest.dat
+++ b/testing/tests/ikev1/protoport-dual/pretest.dat
diff --git a/testing/tests/protoport-dual/test.conf b/testing/tests/ikev1/protoport-dual/test.conf
index 9cd583b16..9cd583b16 100644
--- a/testing/tests/protoport-dual/test.conf
+++ b/testing/tests/ikev1/protoport-dual/test.conf
diff --git a/testing/tests/protoport-pass/description.txt b/testing/tests/ikev1/protoport-pass/description.txt
index 63744fa47..63744fa47 100644
--- a/testing/tests/protoport-pass/description.txt
+++ b/testing/tests/ikev1/protoport-pass/description.txt
diff --git a/testing/tests/protoport-pass/evaltest.dat b/testing/tests/ikev1/protoport-pass/evaltest.dat
index 625c8c54c..11c34929f 100644
--- a/testing/tests/protoport-pass/evaltest.dat
+++ b/testing/tests/ikev1/protoport-pass/evaltest.dat
@@ -1,7 +1,7 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/protoport-pass/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
index ade7308f6..093f9b1fc 100755
--- a/testing/tests/protoport-pass/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/protoport-pass/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
index fd67e2b4b..e64b3be7a 100755
--- a/testing/tests/protoport-pass/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/protoport-dual/posttest.dat b/testing/tests/ikev1/protoport-pass/posttest.dat
index 26848212b..94a400606 100644
--- a/testing/tests/protoport-dual/posttest.dat
+++ b/testing/tests/ikev1/protoport-pass/posttest.dat
@@ -1,5 +1,3 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/protoport-pass/pretest.dat b/testing/tests/ikev1/protoport-pass/pretest.dat
index 13b4ad4a0..13b4ad4a0 100644
--- a/testing/tests/protoport-pass/pretest.dat
+++ b/testing/tests/ikev1/protoport-pass/pretest.dat
diff --git a/testing/tests/protoport-pass/test.conf b/testing/tests/ikev1/protoport-pass/test.conf
index 9cd583b16..9cd583b16 100644
--- a/testing/tests/protoport-pass/test.conf
+++ b/testing/tests/ikev1/protoport-pass/test.conf
diff --git a/testing/tests/protoport-route/description.txt b/testing/tests/ikev1/protoport-route/description.txt
index ec7ec69b0..ec7ec69b0 100644
--- a/testing/tests/protoport-route/description.txt
+++ b/testing/tests/ikev1/protoport-route/description.txt
diff --git a/testing/tests/protoport-route/evaltest.dat b/testing/tests/ikev1/protoport-route/evaltest.dat
index 8f3eb208f..759295675 100644
--- a/testing/tests/protoport-route/evaltest.dat
+++ b/testing/tests/ikev1/protoport-route/evaltest.dat
@@ -1,5 +1,5 @@
carol::ping -c 2 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
-carol::ping -c 2 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq::YES
+carol::ping -c 2 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
carol::ssh PH_IP_ALICE hostname::alice::YES
carol::cat /var/log/auth.log::initiate on demand::YES
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
diff --git a/testing/tests/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
index 31c25c12f..99b410c32 100755
--- a/testing/tests/protoport-route/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
index 84b9b0ba3..3b01128c2 100755
--- a/testing/tests/protoport-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/ikev1/protoport-route/posttest.dat b/testing/tests/ikev1/protoport-route/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev1/protoport-route/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
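Review bot: Both `/etc/init.d/iptables stop 2> /dev/null` lines discard stderr, so a failed firewall teardown on moon or carol passes silently and leftover rules could affect the next scenario. This commit also drops the `iptables -v -n -L` dump from the other posttest files, so nothing in posttest records the firewall state any more. Assuming the harness logs command output, drop the redirection, as in `moon::/etc/init.d/iptables stop`. The same four lines are added as new posttest.dat files for rw-cert, rw-psk-fqdn-named, rw-psk-fqdn, rw-psk-ipv4 and starter-also.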
diff --git a/testing/tests/protoport-route/pretest.dat b/testing/tests/ikev1/protoport-route/pretest.dat
index f233ad48f..f233ad48f 100644
--- a/testing/tests/protoport-route/pretest.dat
+++ b/testing/tests/ikev1/protoport-route/pretest.dat
diff --git a/testing/tests/protoport-route/test.conf b/testing/tests/ikev1/protoport-route/test.conf
index 9cd583b16..9cd583b16 100644
--- a/testing/tests/protoport-route/test.conf
+++ b/testing/tests/ikev1/protoport-route/test.conf
diff --git a/testing/tests/req-pkcs10/description.txt b/testing/tests/ikev1/req-pkcs10/description.txt
index a958cb8e8..a958cb8e8 100644
--- a/testing/tests/req-pkcs10/description.txt
+++ b/testing/tests/ikev1/req-pkcs10/description.txt
diff --git a/testing/tests/req-pkcs10/evaltest.dat b/testing/tests/ikev1/req-pkcs10/evaltest.dat
index c7657801e..c7657801e 100644
--- a/testing/tests/req-pkcs10/evaltest.dat
+++ b/testing/tests/ikev1/req-pkcs10/evaltest.dat
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..e32aca0b9
--- /dev/null
+++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=myCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
+
+
+
+
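Review bot: The new file ends with four empty `+` lines after `auto=add`, the same trailing whitespace this commit strips from rw-psk-fqdn/hosts/moon/etc/ipsec.secrets. End the file at `auto=add`; the new starter-includes ipsec.conf files for carol and dave have the same four-line tail. A short comment above `strictcrlpolicy=no` would also help, such as `# test setup: do not fail when no CRL is available`, so the relaxed revocation setting is not copied into a real configuration without thought.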
diff --git a/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets
index 167d743df..167d743df 100644
--- a/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/req-pkcs10/hosts/carol/etc/scepclient.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf
index 6afd3fa11..6afd3fa11 100644
--- a/testing/tests/req-pkcs10/hosts/carol/etc/scepclient.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf
diff --git a/testing/tests/req-pkcs10/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets
index b9ec17dbc..b9ec17dbc 100644
--- a/testing/tests/req-pkcs10/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/req-pkcs10/hosts/moon/etc/scepclient.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf
index da8177348..da8177348 100644
--- a/testing/tests/req-pkcs10/hosts/moon/etc/scepclient.conf
+++ b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf
diff --git a/testing/tests/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt b/testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt
index 9b48ee4cf..9b48ee4cf 100644
--- a/testing/tests/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt
+++ b/testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt
diff --git a/testing/tests/req-pkcs10/posttest.dat b/testing/tests/ikev1/req-pkcs10/posttest.dat
index 534e3af20..933b4b6c4 100644
--- a/testing/tests/req-pkcs10/posttest.dat
+++ b/testing/tests/ikev1/req-pkcs10/posttest.dat
@@ -1,5 +1,3 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/req-pkcs10/pretest.dat b/testing/tests/ikev1/req-pkcs10/pretest.dat
index 18b8b16e6..18b8b16e6 100644
--- a/testing/tests/req-pkcs10/pretest.dat
+++ b/testing/tests/ikev1/req-pkcs10/pretest.dat
diff --git a/testing/tests/req-pkcs10/test.conf b/testing/tests/ikev1/req-pkcs10/test.conf
index 9cd583b16..9cd583b16 100644
--- a/testing/tests/req-pkcs10/test.conf
+++ b/testing/tests/ikev1/req-pkcs10/test.conf
diff --git a/testing/tests/rw-cert/description.txt b/testing/tests/ikev1/rw-cert/description.txt
index 8df6b1c0d..8df6b1c0d 100644
--- a/testing/tests/rw-cert/description.txt
+++ b/testing/tests/ikev1/rw-cert/description.txt
diff --git a/testing/tests/rw-cert/evaltest.dat b/testing/tests/ikev1/rw-cert/evaltest.dat
index c7657801e..c7657801e 100644
--- a/testing/tests/rw-cert/evaltest.dat
+++ b/testing/tests/ikev1/rw-cert/evaltest.dat
diff --git a/testing/tests/ikev1/rw-cert/posttest.dat b/testing/tests/ikev1/rw-cert/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/virtual-ip-swapped/pretest.dat b/testing/tests/ikev1/rw-cert/pretest.dat
index 4fe0ee90b..4fe0ee90b 100644
--- a/testing/tests/virtual-ip-swapped/pretest.dat
+++ b/testing/tests/ikev1/rw-cert/pretest.dat
diff --git a/testing/tests/rw-cert/test.conf b/testing/tests/ikev1/rw-cert/test.conf
index 9cd583b16..9cd583b16 100644
--- a/testing/tests/rw-cert/test.conf
+++ b/testing/tests/ikev1/rw-cert/test.conf
diff --git a/testing/tests/rw-psk-fqdn-named/description.txt b/testing/tests/ikev1/rw-psk-fqdn-named/description.txt
index adfab2f4d..adfab2f4d 100644
--- a/testing/tests/rw-psk-fqdn-named/description.txt
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/description.txt
diff --git a/testing/tests/rw-psk-fqdn-named/evaltest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat
index c7657801e..c7657801e 100644
--- a/testing/tests/rw-psk-fqdn-named/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat
diff --git a/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
index da5e198a8..1e9a27129 100755
--- a/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets
index db3884e57..db3884e57 100644
--- a/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
index c32dfaf9b..05d209c44 100755
--- a/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets
index 6281340ae..6281340ae 100644
--- a/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/rw-psk-fqdn-named/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat
index dbf03f552..dbf03f552 100644
--- a/testing/tests/rw-psk-fqdn-named/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat
diff --git a/testing/tests/rw-psk-fqdn-named/test.conf b/testing/tests/ikev1/rw-psk-fqdn-named/test.conf
index 9cd583b16..9cd583b16 100644
--- a/testing/tests/rw-psk-fqdn-named/test.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/test.conf
diff --git a/testing/tests/rw-psk-fqdn/description.txt b/testing/tests/ikev1/rw-psk-fqdn/description.txt
index d6c79afb2..d6c79afb2 100644
--- a/testing/tests/rw-psk-fqdn/description.txt
+++ b/testing/tests/ikev1/rw-psk-fqdn/description.txt
diff --git a/testing/tests/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
index c7657801e..c7657801e 100644
--- a/testing/tests/rw-psk-fqdn/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
diff --git a/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
index da5e198a8..1e9a27129 100755
--- a/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
index db3884e57..db3884e57 100644
--- a/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
index 9a894806c..beda12b3c 100755
--- a/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
index 6281340ae..661168fb5 100644
--- a/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
@@ -1,7 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
diff --git a/testing/tests/ikev1/rw-psk-fqdn/posttest.dat b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/rw-psk-fqdn/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
index dbf03f552..dbf03f552 100644
--- a/testing/tests/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
diff --git a/testing/tests/rw-psk-fqdn/test.conf b/testing/tests/ikev1/rw-psk-fqdn/test.conf
index 9cd583b16..9cd583b16 100644
--- a/testing/tests/rw-psk-fqdn/test.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/test.conf
diff --git a/testing/tests/rw-psk-ipv4/description.txt b/testing/tests/ikev1/rw-psk-ipv4/description.txt
index b3a0bc192..b3a0bc192 100644
--- a/testing/tests/rw-psk-ipv4/description.txt
+++ b/testing/tests/ikev1/rw-psk-ipv4/description.txt
diff --git a/testing/tests/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
index c7657801e..c7657801e 100644
--- a/testing/tests/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
diff --git a/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
index 2c0227b7a..8e27a9ecd 100755
--- a/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
index 69313b289..69313b289 100644
--- a/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
index a75d4e222..f8ce5569c 100755
--- a/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
index a8e367950..a8e367950 100644
--- a/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/rw-psk-ipv4/posttest.dat b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/rw-psk-ipv4/pretest.dat b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
index dbf03f552..dbf03f552 100644
--- a/testing/tests/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
diff --git a/testing/tests/rw-psk-ipv4/test.conf b/testing/tests/ikev1/rw-psk-ipv4/test.conf
index 9cd583b16..9cd583b16 100644
--- a/testing/tests/rw-psk-ipv4/test.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/test.conf
diff --git a/testing/tests/rw-psk-no-policy/description.txt b/testing/tests/ikev1/rw-psk-no-policy/description.txt
index 0e359414f..0e359414f 100644
--- a/testing/tests/rw-psk-no-policy/description.txt
+++ b/testing/tests/ikev1/rw-psk-no-policy/description.txt
diff --git a/testing/tests/rw-psk-no-policy/evaltest.dat b/testing/tests/ikev1/rw-psk-no-policy/evaltest.dat
index a28377dbd..a28377dbd 100644
--- a/testing/tests/rw-psk-no-policy/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-no-policy/evaltest.dat
diff --git a/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
index 413eff762..c62605bd0 100755
--- a/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets
index 1b721dc58..1b721dc58 100644
--- a/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/rw-psk-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
index ac63abdc9..4584e1408 100755
--- a/testing/tests/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/rw-rsa-no-policy/posttest.dat b/testing/tests/ikev1/rw-psk-no-policy/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/rw-rsa-no-policy/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-no-policy/posttest.dat
diff --git a/testing/tests/rw-psk-no-policy/pretest.dat b/testing/tests/ikev1/rw-psk-no-policy/pretest.dat
index 3a7804ddd..3a7804ddd 100644
--- a/testing/tests/rw-psk-no-policy/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-no-policy/pretest.dat
diff --git a/testing/tests/rw-psk-no-policy/test.conf b/testing/tests/ikev1/rw-psk-no-policy/test.conf
index f622c18b7..f622c18b7 100644
--- a/testing/tests/rw-psk-no-policy/test.conf
+++ b/testing/tests/ikev1/rw-psk-no-policy/test.conf
diff --git a/testing/tests/rw-psk-rsa-mixed/description.txt b/testing/tests/ikev1/rw-psk-rsa-mixed/description.txt
index b99a8e5b3..b99a8e5b3 100644
--- a/testing/tests/rw-psk-rsa-mixed/description.txt
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/description.txt
diff --git a/testing/tests/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
index 9e1354121..9e1354121 100644
--- a/testing/tests/rw-psk-rsa-mixed/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
index 69e13b538..b142c75bb 100755
--- a/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
index 1b721dc58..1b721dc58 100644
--- a/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
index b23248b5b..5916d8fd8 100755
--- a/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,8 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
index fd33507a7..fd33507a7 100644
--- a/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/wildcards/posttest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat
index ed530f6d9..ed530f6d9 100644
--- a/testing/tests/wildcards/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat
diff --git a/testing/tests/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat
index 35797b589..35797b589 100644
--- a/testing/tests/rw-psk-rsa-mixed/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat
diff --git a/testing/tests/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/test.conf
index 699b88e88..699b88e88 100644
--- a/testing/tests/rw-psk-rsa-mixed/test.conf
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/test.conf
diff --git a/testing/tests/rw-rsa-no-policy/description.txt b/testing/tests/ikev1/rw-rsa-no-policy/description.txt
index c3336b769..c3336b769 100644
--- a/testing/tests/rw-rsa-no-policy/description.txt
+++ b/testing/tests/ikev1/rw-rsa-no-policy/description.txt
diff --git a/testing/tests/rw-rsa-no-policy/evaltest.dat b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
index 188b7bbb5..188b7bbb5 100644
--- a/testing/tests/rw-rsa-no-policy/evaltest.dat
+++ b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
diff --git a/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
index b9318c058..2abe3c147 100755
--- a/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,5 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
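Review bot: `charonstart=no` is not added to `config setup` here, although the other ikev1 ipsec.conf files in this part of the commit all gain it (for example rw-psk-no-policy and rw-psk-rsa-mixed on moon). If the omission is unintentional, this scenario presumably also starts the IKEv2 daemon on moon while testing an IKEv1 policy rejection; add `charonstart=no` after `plutodebug=control`. This is inferred from the single hunk shown for the file, as the rest of it lies outside the hunk.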
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e8c151f05
--- /dev/null
+++ b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
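Review bot: The PSK entry on line 3 has an empty ID selector, so it applies to any peer identity, and nothing in the file marks it as a fixture. The same key value appears in rw-psk-fqdn/hosts/moon/etc/ipsec.secrets, so it is shared across scenarios. Add a comment above the entry, for example `# test fixture: PSK without ID selectors, matches any peer; shared with the rw-psk-* scenarios`. That makes the wildcard visibly deliberate and gives secret scanners and reviewers grounds to treat the value as a known test key.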
diff --git a/testing/tests/xauth-rsa-fail/posttest.dat b/testing/tests/ikev1/rw-rsa-no-policy/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/xauth-rsa-fail/posttest.dat
+++ b/testing/tests/ikev1/rw-rsa-no-policy/posttest.dat
diff --git a/testing/tests/rw-rsa-no-policy/pretest.dat b/testing/tests/ikev1/rw-rsa-no-policy/pretest.dat
index 0d2a0dd1f..0d2a0dd1f 100644
--- a/testing/tests/rw-rsa-no-policy/pretest.dat
+++ b/testing/tests/ikev1/rw-rsa-no-policy/pretest.dat
diff --git a/testing/tests/rw-rsa-no-policy/test.conf b/testing/tests/ikev1/rw-rsa-no-policy/test.conf
index f622c18b7..f622c18b7 100644
--- a/testing/tests/rw-rsa-no-policy/test.conf
+++ b/testing/tests/ikev1/rw-rsa-no-policy/test.conf
diff --git a/testing/tests/self-signed/description.txt b/testing/tests/ikev1/self-signed/description.txt
index 2d7bfc2bf..2d7bfc2bf 100644
--- a/testing/tests/self-signed/description.txt
+++ b/testing/tests/ikev1/self-signed/description.txt
diff --git a/testing/tests/default-keys/evaltest.dat b/testing/tests/ikev1/self-signed/evaltest.dat
index f190d7066..f190d7066 100644
--- a/testing/tests/default-keys/evaltest.dat
+++ b/testing/tests/ikev1/self-signed/evaltest.dat
diff --git a/testing/tests/self-signed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
index fcf7a1754..93ea3a80e 100755
--- a/testing/tests/self-signed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=0
strictcrlpolicy=no
nocrsend=yes
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/self-signed/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets
index 167d743df..167d743df 100644
--- a/testing/tests/self-signed/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/self-signed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables
index 13ad3063f..13ad3063f 100755
--- a/testing/tests/self-signed/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables
diff --git a/testing/tests/self-signed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
index 7d7f42b06..98b0030d8 100755
--- a/testing/tests/self-signed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=0
strictcrlpolicy=no
nocrsend=yes
+ charonstart=no
conn %default
ikelifetime=60m
@@ -15,7 +14,7 @@ conn %default
keyingtries=1
conn carol
- left=192.168.0.1
+ left=PH_IP_MOON
leftnexthop=%direct
leftcert=moonCert.der
leftid=@moon.strongswan.org
diff --git a/testing/tests/self-signed/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets
index b9ec17dbc..b9ec17dbc 100644
--- a/testing/tests/self-signed/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/self-signed/hosts/moon/etc/scepclient.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf
index b84f3e131..b84f3e131 100644
--- a/testing/tests/self-signed/hosts/moon/etc/scepclient.conf
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf
diff --git a/testing/tests/self-signed/posttest.dat b/testing/tests/ikev1/self-signed/posttest.dat
index 52b48b9ef..8cada5e7e 100644
--- a/testing/tests/self-signed/posttest.dat
+++ b/testing/tests/ikev1/self-signed/posttest.dat
@@ -1,5 +1,3 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/self-signed/pretest.dat b/testing/tests/ikev1/self-signed/pretest.dat
index a7cddf677..a7cddf677 100644
--- a/testing/tests/self-signed/pretest.dat
+++ b/testing/tests/ikev1/self-signed/pretest.dat
diff --git a/testing/tests/self-signed/test.conf b/testing/tests/ikev1/self-signed/test.conf
index 0baa48d90..0baa48d90 100644
--- a/testing/tests/self-signed/test.conf
+++ b/testing/tests/ikev1/self-signed/test.conf
diff --git a/testing/tests/starter-also-loop/description.txt b/testing/tests/ikev1/starter-also-loop/description.txt
index 7451f4e12..7451f4e12 100644
--- a/testing/tests/starter-also-loop/description.txt
+++ b/testing/tests/ikev1/starter-also-loop/description.txt
diff --git a/testing/tests/starter-also-loop/evaltest.dat b/testing/tests/ikev1/starter-also-loop/evaltest.dat
index 161772f8e..161772f8e 100644
--- a/testing/tests/starter-also-loop/evaltest.dat
+++ b/testing/tests/ikev1/starter-also-loop/evaltest.dat
diff --git a/testing/tests/starter-also-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
index e1d210253..b58d1deb7 100755
--- a/testing/tests/starter-also-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -30,7 +29,7 @@ conn rw
auto=add
conn moon
- left=192.168.0.1
+ left=PH_IP_MOON
leftnexthop=%direct
leftcert=moonCert.pem
leftid=@moon.strongswan.org
@@ -41,7 +40,7 @@ conn moon-net
leftsubnet=10.1.0.0/16
conn sun
- right=192.168.0.2
+ right=PH_IP_SUN
rightid=@sun.strongswan.org
conn sun-net
diff --git a/testing/tests/starter-also-loop/posttest.dat b/testing/tests/ikev1/starter-also-loop/posttest.dat
index e69de29bb..e69de29bb 100644
--- a/testing/tests/starter-also-loop/posttest.dat
+++ b/testing/tests/ikev1/starter-also-loop/posttest.dat
diff --git a/testing/tests/starter-also-loop/pretest.dat b/testing/tests/ikev1/starter-also-loop/pretest.dat
index b135b12c3..b135b12c3 100644
--- a/testing/tests/starter-also-loop/pretest.dat
+++ b/testing/tests/ikev1/starter-also-loop/pretest.dat
diff --git a/testing/tests/starter-also-loop/test.conf b/testing/tests/ikev1/starter-also-loop/test.conf
index e7735308f..e7735308f 100644
--- a/testing/tests/starter-also-loop/test.conf
+++ b/testing/tests/ikev1/starter-also-loop/test.conf
diff --git a/testing/tests/starter-also/description.txt b/testing/tests/ikev1/starter-also/description.txt
index 3d4ff7dbf..3d4ff7dbf 100644
--- a/testing/tests/starter-also/description.txt
+++ b/testing/tests/ikev1/starter-also/description.txt
diff --git a/testing/tests/starter-also/evaltest.dat b/testing/tests/ikev1/starter-also/evaltest.dat
index c7657801e..c7657801e 100644
--- a/testing/tests/starter-also/evaltest.dat
+++ b/testing/tests/ikev1/starter-also/evaltest.dat
diff --git a/testing/tests/starter-also/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
index 74d009cfa..09f3bb94d 100755
--- a/testing/tests/starter-also/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -30,7 +29,7 @@ conn rw
auto=add
conn moon
- left=192.168.0.1
+ left=PH_IP_MOON
leftnexthop=%direct
leftcert=moonCert.pem
leftid=@moon.strongswan.org
@@ -40,7 +39,7 @@ conn moon-net
leftsubnet=10.1.0.0/16
conn sun
- right=192.168.0.2
+ right=PH_IP_SUN
rightid=@sun.strongswan.org
conn sun-net
diff --git a/testing/tests/ikev1/starter-also/posttest.dat b/testing/tests/ikev1/starter-also/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev1/starter-also/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/starter-also/pretest.dat b/testing/tests/ikev1/starter-also/pretest.dat
index 4f96e61df..4f96e61df 100644
--- a/testing/tests/starter-also/pretest.dat
+++ b/testing/tests/ikev1/starter-also/pretest.dat
diff --git a/testing/tests/starter-also/test.conf b/testing/tests/ikev1/starter-also/test.conf
index 9cd583b16..9cd583b16 100644
--- a/testing/tests/starter-also/test.conf
+++ b/testing/tests/ikev1/starter-also/test.conf
diff --git a/testing/tests/starter-includes/description.txt b/testing/tests/ikev1/starter-includes/description.txt
index 6a05c0cca..6a05c0cca 100644
--- a/testing/tests/starter-includes/description.txt
+++ b/testing/tests/ikev1/starter-includes/description.txt
diff --git a/testing/tests/mode-config-swapped/evaltest.dat b/testing/tests/ikev1/starter-includes/evaltest.dat
index 7de32d681..7de32d681 100644
--- a/testing/tests/mode-config-swapped/evaltest.dat
+++ b/testing/tests/ikev1/starter-includes/evaltest.dat
diff --git a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..2fd734579
--- /dev/null
+++ b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%modeconfig
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
+
+
+
+
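Review bot: `strictcrlpolicy=no` in the new `config setup` section means a peer certificate is still accepted when no current CRL is available, and nothing in the file says this is deliberate for a test that, judging by its path, exercises starter includes rather than revocation. I would add a comment above the setting, e.g. `# test fixture: revocation is not under test, so a missing CRL must not fail authentication`, so the value is not carried into a real deployment as if it were a recommended default. The same applies to the new dave config in this test and to the new `ikev1/virtual-ip/hosts/carol/etc/ipsec.conf`. Two smaller points on the same files: they are created with mode 100755 although they are plain configuration files, and each ends in four blank lines.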
diff --git a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..128c4aa29
--- /dev/null
+++ b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%modeconfig
+ leftnexthop=%direct
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
+
+
+
+
diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf
index aa9116252..4e7bfc1b4 100755
--- a/testing/tests/starter-includes/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,9 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
include /etc/ipsec.connections
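Review bot: The added `charonstart=no` carries no comment, and it is the one line in `config setup` whose reason is not evident from the file itself. Since the test now lives under `testing/tests/ikev1/`, the intent is presumably to keep the IKEv2 daemon from being started next to pluto; a one-line comment such as `# IKEv1 scenario: start pluto only, not charon` would record that. The same undocumented line is added in the other `ikev1/*/hosts/*/etc/ipsec.conf` hunks on this page.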
diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.connections b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
index 7cd938628..7cd938628 100644
--- a/testing/tests/starter-includes/hosts/moon/etc/ipsec.connections
+++ b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.host b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host
index e84e5cdc6..acf753cc0 100755
--- a/testing/tests/starter-includes/hosts/moon/etc/ipsec.host
+++ b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host
@@ -3,7 +3,7 @@
conn %default
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
- leftsourceip=PH_IP1_MOON
+ leftsourceip=PH_IP_MOON1
leftnexthop=%direct
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol
index 9212a9e96..84bedfef6 100644
--- a/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol
+++ b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol
@@ -3,6 +3,6 @@
conn rw-carol
right=%any
rightid=carol@strongswan.org
- rightsourceip=PH_IP1_CAROL
+ rightsourceip=PH_IP_CAROL1
auto=add
diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave
index 482d15a21..ee021c9be 100644
--- a/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave
+++ b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave
@@ -3,6 +3,6 @@
conn rw-dave
right=%any
rightid=dave@strongswan.org
- rightsourceip=PH_IP1_DAVE
+ rightsourceip=PH_IP_DAVE1
auto=add
diff --git a/testing/tests/starter-includes/posttest.dat b/testing/tests/ikev1/starter-includes/posttest.dat
index 121aa8aea..ebf7525ef 100644
--- a/testing/tests/starter-includes/posttest.dat
+++ b/testing/tests/ikev1/starter-includes/posttest.dat
@@ -1,13 +1,10 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-dave::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
moon::/etc/init.d/iptables stop 2> /dev/null
carol::/etc/init.d/iptables stop 2> /dev/null
dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP1_CAROL/32 dev eth0
-dave::ip addr del PH_IP1_DAVE/32 dev eth0
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0
moon::rm /etc/ipsec.connections /etc/ipsec.host
moon::rm -r /etc/ipsec.peers
diff --git a/testing/tests/starter-includes/pretest.dat b/testing/tests/ikev1/starter-includes/pretest.dat
index 0af79a6d2..b034a0c03 100644
--- a/testing/tests/starter-includes/pretest.dat
+++ b/testing/tests/ikev1/starter-includes/pretest.dat
@@ -8,3 +8,4 @@ moon::ipsec start --debug-all
carol::sleep 2
carol::ipsec up home
dave::ipsec up home
+carol::sleep 1
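Review bot: The added `carol::sleep 1` synchronises on a fixed delay after the two `ipsec up home` calls, and nothing in the hunk says what it is waiting for. The evaltest.dat of the sibling virtual-ip test starts with an `ipsec status` check for an established SA, so if this test is evaluated the same way, a slow guest would make it fail intermittently rather than because of a regression. If the .dat format allows a bounded poll, that would be more robust than a bare sleep. Otherwise a sentence in description.txt would do, something like `The final sleep gives the daemon time to install the IPsec SAs before evaltest runs` (wording to be confirmed against the actual reason). The same line is added at the end of `ikev1/virtual-ip/pretest.dat`, and this hunk begins at line 8, so the earlier setup steps are outside it.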
diff --git a/testing/tests/starter-includes/test.conf b/testing/tests/ikev1/starter-includes/test.conf
index 1a8f2a4e0..1a8f2a4e0 100644
--- a/testing/tests/starter-includes/test.conf
+++ b/testing/tests/ikev1/starter-includes/test.conf
diff --git a/testing/tests/strong-certs/description.txt b/testing/tests/ikev1/strong-certs/description.txt
index 22b58668d..22b58668d 100644
--- a/testing/tests/strong-certs/description.txt
+++ b/testing/tests/ikev1/strong-certs/description.txt
diff --git a/testing/tests/strong-certs/evaltest.dat b/testing/tests/ikev1/strong-certs/evaltest.dat
index 2fe4de76f..2fe4de76f 100644
--- a/testing/tests/strong-certs/evaltest.dat
+++ b/testing/tests/ikev1/strong-certs/evaltest.dat
diff --git a/testing/tests/strong-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
index 6ab379636..81d1ae8b6 100755
--- a/testing/tests/strong-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
strictcrlpolicy=no
crlcheckinterval=180
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
index d4b532323..d4b532323 100644
--- a/testing/tests/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
+++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
diff --git a/testing/tests/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
index f719e4455..f719e4455 100644
--- a/testing/tests/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
diff --git a/testing/tests/strong-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets
index fac55d63b..fac55d63b 100644
--- a/testing/tests/strong-certs/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/strong-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
index 90cee47c2..468be8afb 100755
--- a/testing/tests/strong-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
strictcrlpolicy=no
crlcheckinterval=180
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
index 73088cd1d..73088cd1d 100644
--- a/testing/tests/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
+++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
diff --git a/testing/tests/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
index a4a8a4f22..a4a8a4f22 100644
--- a/testing/tests/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
diff --git a/testing/tests/strong-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.secrets
index 9031f323a..9031f323a 100644
--- a/testing/tests/strong-certs/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/strong-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
index 76c89aa6b..7aed142a4 100755
--- a/testing/tests/strong-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
strictcrlpolicy=no
crlcheckinterval=180
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem
index 307f4953e..307f4953e 100644
--- a/testing/tests/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem
+++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem
diff --git a/testing/tests/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 58ddc1525..58ddc1525 100644
--- a/testing/tests/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
diff --git a/testing/tests/strong-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.secrets
index e86d6aa5c..e86d6aa5c 100644
--- a/testing/tests/strong-certs/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/strong-certs/posttest.dat b/testing/tests/ikev1/strong-certs/posttest.dat
index 12b540b53..fc0fbeb38 100644
--- a/testing/tests/strong-certs/posttest.dat
+++ b/testing/tests/ikev1/strong-certs/posttest.dat
@@ -1,6 +1,3 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-dave::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
diff --git a/testing/tests/strong-certs/pretest.dat b/testing/tests/ikev1/strong-certs/pretest.dat
index de51ccdfa..de51ccdfa 100644
--- a/testing/tests/strong-certs/pretest.dat
+++ b/testing/tests/ikev1/strong-certs/pretest.dat
diff --git a/testing/tests/strong-certs/test.conf b/testing/tests/ikev1/strong-certs/test.conf
index 70416826e..70416826e 100644
--- a/testing/tests/strong-certs/test.conf
+++ b/testing/tests/ikev1/strong-certs/test.conf
diff --git a/testing/tests/virtual-ip-swapped/description.txt b/testing/tests/ikev1/virtual-ip-swapped/description.txt
index 230906c5d..230906c5d 100644
--- a/testing/tests/virtual-ip-swapped/description.txt
+++ b/testing/tests/ikev1/virtual-ip-swapped/description.txt
diff --git a/testing/tests/virtual-ip/evaltest.dat b/testing/tests/ikev1/virtual-ip-swapped/evaltest.dat
index bf3965727..23e109838 100644
--- a/testing/tests/virtual-ip/evaltest.dat
+++ b/testing/tests/ikev1/virtual-ip-swapped/evaltest.dat
@@ -1,8 +1,8 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES
-moon::ping -c 1 PH_IP1_CAROL::64 bytes from PH_IP1_CAROL: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/virtual-ip-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
index 0e239b707..f4f2dedd0 100755
--- a/testing/tests/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -15,7 +14,7 @@ conn %default
conn home
right=PH_IP_CAROL
- rightsourceip=PH_IP1_CAROL
+ rightsourceip=PH_IP_CAROL1
rightnexthop=%direct
rightcert=carolCert.pem
rightid=carol@strongswan.org
diff --git a/testing/tests/virtual-ip-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
index db6effbac..de7f07eb9 100755
--- a/testing/tests/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -15,7 +14,7 @@ conn %default
conn rw
right=PH_IP_MOON
- rightsourceip=PH_IP1_MOON
+ rightsourceip=PH_IP_MOON1
rightnexthop=%direct
rightcert=moonCert.pem
rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/virtual-ip-swapped/posttest.dat b/testing/tests/ikev1/virtual-ip-swapped/posttest.dat
new file mode 100644
index 000000000..2116e86e0
--- /dev/null
+++ b/testing/tests/ikev1/virtual-ip-swapped/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
diff --git a/testing/tests/virtual-ip/pretest.dat b/testing/tests/ikev1/virtual-ip-swapped/pretest.dat
index 4fe0ee90b..4fe0ee90b 100644
--- a/testing/tests/virtual-ip/pretest.dat
+++ b/testing/tests/ikev1/virtual-ip-swapped/pretest.dat
diff --git a/testing/tests/virtual-ip-swapped/test.conf b/testing/tests/ikev1/virtual-ip-swapped/test.conf
index f106524e2..f106524e2 100644
--- a/testing/tests/virtual-ip-swapped/test.conf
+++ b/testing/tests/ikev1/virtual-ip-swapped/test.conf
diff --git a/testing/tests/virtual-ip/description.txt b/testing/tests/ikev1/virtual-ip/description.txt
index 4ec6021ea..4ec6021ea 100644
--- a/testing/tests/virtual-ip/description.txt
+++ b/testing/tests/ikev1/virtual-ip/description.txt
diff --git a/testing/tests/virtual-ip-swapped/evaltest.dat b/testing/tests/ikev1/virtual-ip/evaltest.dat
index bf3965727..23e109838 100644
--- a/testing/tests/virtual-ip-swapped/evaltest.dat
+++ b/testing/tests/ikev1/virtual-ip/evaltest.dat
@@ -1,8 +1,8 @@
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES
-moon::ping -c 1 PH_IP1_CAROL::64 bytes from PH_IP1_CAROL: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a863df33e
--- /dev/null
+++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=PH_IP_CAROL1
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
+
+
+
+
diff --git a/testing/tests/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
index 1cd8aab25..c0310692a 100755
--- a/testing/tests/virtual-ip/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -15,7 +14,7 @@ conn %default
conn rw
left=PH_IP_MOON
- leftsourceip=PH_IP1_MOON
+ leftsourceip=PH_IP_MOON1
leftnexthop=%direct
leftcert=moonCert.pem
leftid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/virtual-ip/posttest.dat b/testing/tests/ikev1/virtual-ip/posttest.dat
new file mode 100644
index 000000000..2116e86e0
--- /dev/null
+++ b/testing/tests/ikev1/virtual-ip/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
diff --git a/testing/tests/rw-cert/pretest.dat b/testing/tests/ikev1/virtual-ip/pretest.dat
index bd68efb0b..0b2ae8d2b 100644
--- a/testing/tests/rw-cert/pretest.dat
+++ b/testing/tests/ikev1/virtual-ip/pretest.dat
@@ -2,5 +2,6 @@ moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
carol::ipsec start
moon::ipsec start
-sleep 2
+carol::sleep 2
carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/virtual-ip/test.conf b/testing/tests/ikev1/virtual-ip/test.conf
index f106524e2..f106524e2 100644
--- a/testing/tests/virtual-ip/test.conf
+++ b/testing/tests/ikev1/virtual-ip/test.conf
diff --git a/testing/tests/wildcards/description.txt b/testing/tests/ikev1/wildcards/description.txt
index e485f7066..e485f7066 100644
--- a/testing/tests/wildcards/description.txt
+++ b/testing/tests/ikev1/wildcards/description.txt
diff --git a/testing/tests/wildcards/evaltest.dat b/testing/tests/ikev1/wildcards/evaltest.dat
index cbc94b75a..cbc94b75a 100644
--- a/testing/tests/wildcards/evaltest.dat
+++ b/testing/tests/ikev1/wildcards/evaltest.dat
diff --git a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
index de179c565..d6d32a39d 100755
--- a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
index 2fb6a301e..6156fadba 100755
--- a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
index ee7bc8115..162e22c43 100755
--- a/testing/tests/wildcards/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -22,10 +21,9 @@ conn alice
right=%any
rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
auto=add
-
+
conn venus
leftsubnet=PH_IP_VENUS/32
right=%any
rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
auto=add
-
diff --git a/testing/tests/ikev1/wildcards/posttest.dat b/testing/tests/ikev1/wildcards/posttest.dat
new file mode 100644
index 000000000..ed530f6d9
--- /dev/null
+++ b/testing/tests/ikev1/wildcards/posttest.dat
@@ -0,0 +1,3 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
diff --git a/testing/tests/wildcards/pretest.dat b/testing/tests/ikev1/wildcards/pretest.dat
index 67c50c2ef..67c50c2ef 100644
--- a/testing/tests/wildcards/pretest.dat
+++ b/testing/tests/ikev1/wildcards/pretest.dat
diff --git a/testing/tests/wildcards/test.conf b/testing/tests/ikev1/wildcards/test.conf
index 08e5cc145..08e5cc145 100644
--- a/testing/tests/wildcards/test.conf
+++ b/testing/tests/ikev1/wildcards/test.conf
diff --git a/testing/tests/wlan/description.txt b/testing/tests/ikev1/wlan/description.txt
index e018148bd..e018148bd 100644
--- a/testing/tests/wlan/description.txt
+++ b/testing/tests/ikev1/wlan/description.txt
diff --git a/testing/tests/wlan/evaltest.dat b/testing/tests/ikev1/wlan/evaltest.dat
index 1936c93a3..079ac4429 100644
--- a/testing/tests/wlan/evaltest.dat
+++ b/testing/tests/ikev1/wlan/evaltest.dat
@@ -3,7 +3,7 @@ venus::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES
moon::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
moon::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-alice::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
venus::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
diff --git a/testing/tests/wlan/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables
index 86a76e2db..86a76e2db 100755
--- a/testing/tests/wlan/hosts/alice/etc/init.d/iptables
+++ b/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables
diff --git a/testing/tests/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
index a658e4fe8..665ce592f 100755
--- a/testing/tests/wlan/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
nat_traversal=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -30,7 +29,7 @@ conn wlan
leftcert=aliceCert.pem
leftid=alice@strongswan.org
leftfirewall=yes
- right=PH_IP1_MOON
+ right=PH_IP_MOON1
rightid=@moon.strongswan.org
rightsubnet=0.0.0.0/0
auto=add
diff --git a/testing/tests/wlan/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables
index e95ef44c6..e95ef44c6 100755
--- a/testing/tests/wlan/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables
diff --git a/testing/tests/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
index f873479e8..44f980422 100755
--- a/testing/tests/wlan/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
nat_traversal=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -27,7 +26,7 @@ conn venus
auto=add
conn wlan
- left=PH_IP1_MOON
+ left=PH_IP_MOON1
leftnexthop=%direct
leftsubnet=0.0.0.0/0
leftcert=moonCert.pem
diff --git a/testing/tests/wlan/hosts/venus/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables
index 6f95e7576..6f95e7576 100755
--- a/testing/tests/wlan/hosts/venus/etc/init.d/iptables
+++ b/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables
diff --git a/testing/tests/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
index 742c1dbce..5d861548d 100755
--- a/testing/tests/wlan/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
@@ -1,12 +1,11 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
nat_traversal=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -30,7 +29,7 @@ conn wlan
leftcert=venusCert.pem
leftid=@venus.strongswan.org
leftfirewall=yes
- right=PH_IP1_MOON
+ right=PH_IP_MOON1
rightid=@moon.strongswan.org
rightsubnet=0.0.0.0/0
auto=add
diff --git a/testing/tests/wlan/posttest.dat b/testing/tests/ikev1/wlan/posttest.dat
index cc873d1ff..6bd2379d8 100644
--- a/testing/tests/wlan/posttest.dat
+++ b/testing/tests/ikev1/wlan/posttest.dat
@@ -1,10 +1,8 @@
-alice::iptables -v -n -L
-venus::iptables -v -n -L
moon::iptables -t nat -v -n -L POSTROUTING
-moon::iptables -v -n -L
moon::ipsec stop
alice::ipsec stop
venus::ipsec stop
alice::/etc/init.d/iptables stop 2> /dev/null
venus::/etc/init.d/iptables stop 2> /dev/null
moon::/etc/init.d/iptables stop 2> /dev/null
+moon::conntrack -F
diff --git a/testing/tests/wlan/pretest.dat b/testing/tests/ikev1/wlan/pretest.dat
index de4a6ad31..de4a6ad31 100644
--- a/testing/tests/wlan/pretest.dat
+++ b/testing/tests/ikev1/wlan/pretest.dat
diff --git a/testing/tests/wlan/test.conf b/testing/tests/ikev1/wlan/test.conf
index b141c4f1b..b141c4f1b 100644
--- a/testing/tests/wlan/test.conf
+++ b/testing/tests/ikev1/wlan/test.conf
diff --git a/testing/tests/xauth-psk-mode-config/description.txt b/testing/tests/ikev1/xauth-psk-mode-config/description.txt
index 9abe6298c..9abe6298c 100644
--- a/testing/tests/xauth-psk-mode-config/description.txt
+++ b/testing/tests/ikev1/xauth-psk-mode-config/description.txt
diff --git a/testing/tests/xauth-psk-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat
index 15dd054a0..15dd054a0 100644
--- a/testing/tests/xauth-psk-mode-config/evaltest.dat
+++ b/testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat
diff --git a/testing/tests/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf
index ff1628fb0..3fd0ebf85 100644
--- a/testing/tests/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets
index 70ea1dab6..70ea1dab6 100644
--- a/testing/tests/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf
index 65c8d534e..8d20a5d20 100644
--- a/testing/tests/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets
index 0690d9cde..0690d9cde 100644
--- a/testing/tests/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf
index 1e543b2fe..66f705e79 100644
--- a/testing/tests/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -22,8 +23,8 @@ conn %default
conn carol
rightid=carol@strongswan.org
- rightsourceip=PH_IP1_CAROL
+ rightsourceip=PH_IP_CAROL1
conn dave
rightid=dave@strongswan.org
- rightsourceip=PH_IP1_DAVE
+ rightsourceip=PH_IP_DAVE1
diff --git a/testing/tests/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets
index 1ea69f998..1ea69f998 100644
--- a/testing/tests/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-psk-mode-config/posttest.dat
new file mode 100644
index 000000000..42fa8359b
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk-mode-config/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/xauth-psk-mode-config/pretest.dat b/testing/tests/ikev1/xauth-psk-mode-config/pretest.dat
index 95a6be131..95a6be131 100644
--- a/testing/tests/xauth-psk-mode-config/pretest.dat
+++ b/testing/tests/ikev1/xauth-psk-mode-config/pretest.dat
diff --git a/testing/tests/xauth-psk-mode-config/test.conf b/testing/tests/ikev1/xauth-psk-mode-config/test.conf
index 75510b295..75510b295 100644
--- a/testing/tests/xauth-psk-mode-config/test.conf
+++ b/testing/tests/ikev1/xauth-psk-mode-config/test.conf
diff --git a/testing/tests/xauth-psk/description.txt b/testing/tests/ikev1/xauth-psk/description.txt
index 0ac2043c2..0ac2043c2 100644
--- a/testing/tests/xauth-psk/description.txt
+++ b/testing/tests/ikev1/xauth-psk/description.txt
diff --git a/testing/tests/xauth-psk/evaltest.dat b/testing/tests/ikev1/xauth-psk/evaltest.dat
index e1dc6b5b0..e1dc6b5b0 100644
--- a/testing/tests/xauth-psk/evaltest.dat
+++ b/testing/tests/ikev1/xauth-psk/evaltest.dat
diff --git a/testing/tests/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
index b9af32c65..3e8ddf0fe 100644
--- a/testing/tests/xauth-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/xauth-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets
index 70ea1dab6..70ea1dab6 100644
--- a/testing/tests/xauth-psk/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
index f392a3e66..9aee88cfe 100644
--- a/testing/tests/xauth-psk/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/xauth-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets
index 0690d9cde..0690d9cde 100644
--- a/testing/tests/xauth-psk/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
index 4c423b017..dfaa44521 100644
--- a/testing/tests/xauth-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/xauth-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets
index 047d6c235..047d6c235 100644
--- a/testing/tests/xauth-psk/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/xauth-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-psk/posttest.dat
index 530cfc7b9..7cebd7f25 100644
--- a/testing/tests/xauth-psk-mode-config/posttest.dat
+++ b/testing/tests/ikev1/xauth-psk/posttest.dat
@@ -1,6 +1,3 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-dave::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
diff --git a/testing/tests/xauth-psk/pretest.dat b/testing/tests/ikev1/xauth-psk/pretest.dat
index 95a6be131..95a6be131 100644
--- a/testing/tests/xauth-psk/pretest.dat
+++ b/testing/tests/ikev1/xauth-psk/pretest.dat
diff --git a/testing/tests/xauth-psk/test.conf b/testing/tests/ikev1/xauth-psk/test.conf
index 70416826e..70416826e 100644
--- a/testing/tests/xauth-psk/test.conf
+++ b/testing/tests/ikev1/xauth-psk/test.conf
diff --git a/testing/tests/xauth-rsa-fail/description.txt b/testing/tests/ikev1/xauth-rsa-fail/description.txt
index 83e9d2726..83e9d2726 100644
--- a/testing/tests/xauth-rsa-fail/description.txt
+++ b/testing/tests/ikev1/xauth-rsa-fail/description.txt
diff --git a/testing/tests/xauth-rsa-fail/evaltest.dat b/testing/tests/ikev1/xauth-rsa-fail/evaltest.dat
index 0bcef388d..0bcef388d 100644
--- a/testing/tests/xauth-rsa-fail/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa-fail/evaltest.dat
diff --git a/testing/tests/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
index bfee72421..d49bc1490 100755
--- a/testing/tests/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets
index 24506be09..24506be09 100644
--- a/testing/tests/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
index f7cf06fae..6a48cf6ee 100755
--- a/testing/tests/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets
index a18e885f8..a18e885f8 100644
--- a/testing/tests/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/xauth-rsa-nosecret/posttest.dat b/testing/tests/ikev1/xauth-rsa-fail/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/xauth-rsa-nosecret/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa-fail/posttest.dat
diff --git a/testing/tests/xauth-rsa-fail/pretest.dat b/testing/tests/ikev1/xauth-rsa-fail/pretest.dat
index 1b8fc3b79..1b8fc3b79 100644
--- a/testing/tests/xauth-rsa-fail/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-fail/pretest.dat
diff --git a/testing/tests/xauth-rsa-fail/test.conf b/testing/tests/ikev1/xauth-rsa-fail/test.conf
index 5442565f8..5442565f8 100644
--- a/testing/tests/xauth-rsa-fail/test.conf
+++ b/testing/tests/ikev1/xauth-rsa-fail/test.conf
diff --git a/testing/tests/xauth-rsa-mode-config/description.txt b/testing/tests/ikev1/xauth-rsa-mode-config/description.txt
index aa2b31542..aa2b31542 100644
--- a/testing/tests/xauth-rsa-mode-config/description.txt
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/description.txt
diff --git a/testing/tests/xauth-rsa-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat
index 15dd054a0..15dd054a0 100644
--- a/testing/tests/xauth-rsa-mode-config/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat
diff --git a/testing/tests/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
index 751c2a29d..90539650f 100644
--- a/testing/tests/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets
index 48fd260c1..48fd260c1 100644
--- a/testing/tests/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
index c97e815df..19618145d 100644
--- a/testing/tests/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets
index 14f088501..14f088501 100644
--- a/testing/tests/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
index e3b2219c4..eccdc2b70 100644
--- a/testing/tests/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug="control"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -23,8 +24,8 @@ conn %default
conn rw-carol
rightid=carol@strongswan.org
- rightsourceip=PH_IP1_CAROL
+ rightsourceip=PH_IP_CAROL1
conn rw-dave
rightid=dave@strongswan.org
- rightsourceip=PH_IP1_DAVE
+ rightsourceip=PH_IP_DAVE1
diff --git a/testing/tests/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets
index 8d41919fc..8d41919fc 100644
--- a/testing/tests/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
new file mode 100644
index 000000000..42fa8359b
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/xauth-rsa-mode-config/pretest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat
index 78e2d57f8..78e2d57f8 100644
--- a/testing/tests/xauth-rsa-mode-config/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat
diff --git a/testing/tests/xauth-rsa-mode-config/test.conf b/testing/tests/ikev1/xauth-rsa-mode-config/test.conf
index 75510b295..75510b295 100644
--- a/testing/tests/xauth-rsa-mode-config/test.conf
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/test.conf
diff --git a/testing/tests/xauth-rsa-nosecret/description.txt b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt
index ffbb47c04..ffbb47c04 100644
--- a/testing/tests/xauth-rsa-nosecret/description.txt
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt
diff --git a/testing/tests/xauth-rsa-nosecret/evaltest.dat b/testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat
index ddbb3ae2d..ddbb3ae2d 100644
--- a/testing/tests/xauth-rsa-nosecret/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat
diff --git a/testing/tests/xauth-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
index bfee72421..d49bc1490 100644..100755
--- a/testing/tests/xauth-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets
index 6a2aea811..6a2aea811 100644
--- a/testing/tests/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/xauth-rsa-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
index f7cf06fae..6a48cf6ee 100755
--- a/testing/tests/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets
index a18e885f8..a18e885f8 100644
--- a/testing/tests/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat b/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ike-alg-strict/pretest.dat b/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat
index f5aa989fe..f5aa989fe 100644
--- a/testing/tests/ike-alg-strict/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat
diff --git a/testing/tests/xauth-rsa-nosecret/test.conf b/testing/tests/ikev1/xauth-rsa-nosecret/test.conf
index 5442565f8..5442565f8 100644
--- a/testing/tests/xauth-rsa-nosecret/test.conf
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/test.conf
diff --git a/testing/tests/xauth-rsa/description.txt b/testing/tests/ikev1/xauth-rsa/description.txt
index 0cdaba1c5..0cdaba1c5 100644
--- a/testing/tests/xauth-rsa/description.txt
+++ b/testing/tests/ikev1/xauth-rsa/description.txt
diff --git a/testing/tests/xauth-rsa/evaltest.dat b/testing/tests/ikev1/xauth-rsa/evaltest.dat
index e1dc6b5b0..e1dc6b5b0 100644
--- a/testing/tests/xauth-rsa/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa/evaltest.dat
diff --git a/testing/tests/xauth-rsa-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
index bfee72421..d49bc1490 100755..100644
--- a/testing/tests/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/xauth-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets
index 48fd260c1..48fd260c1 100644
--- a/testing/tests/xauth-rsa/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/xauth-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
index 0f34a209a..5c1de3372 100644
--- a/testing/tests/xauth-rsa/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
@@ -4,6 +4,7 @@ config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/xauth-rsa/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets
index 14f088501..14f088501 100644
--- a/testing/tests/xauth-rsa/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
index f7cf06fae..a997fb73f 100644
--- a/testing/tests/xauth-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
+ plutodebug="control"
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
diff --git a/testing/tests/xauth-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets
index 8d41919fc..8d41919fc 100644
--- a/testing/tests/xauth-rsa/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/xauth-psk/posttest.dat b/testing/tests/ikev1/xauth-rsa/posttest.dat
index 530cfc7b9..7cebd7f25 100644
--- a/testing/tests/xauth-psk/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa/posttest.dat
@@ -1,6 +1,3 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-dave::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
diff --git a/testing/tests/xauth-rsa/pretest.dat b/testing/tests/ikev1/xauth-rsa/pretest.dat
index 78e2d57f8..78e2d57f8 100644
--- a/testing/tests/xauth-rsa/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa/pretest.dat
diff --git a/testing/tests/xauth-rsa/test.conf b/testing/tests/ikev1/xauth-rsa/test.conf
index 70416826e..70416826e 100644
--- a/testing/tests/xauth-rsa/test.conf
+++ b/testing/tests/ikev1/xauth-rsa/test.conf
diff --git a/testing/tests/ikev2/config-payload-swapped/description.txt b/testing/tests/ikev2/config-payload-swapped/description.txt
new file mode 100644
index 000000000..2160e6b92
--- /dev/null
+++ b/testing/tests/ikev2/config-payload-swapped/description.txt
@@ -0,0 +1,3 @@
+Same scenario as test <a href="../config-payload/"><b>mode-config</b></a> but with
+swapped end definitions: <b>right</b> denotes the <b>local</b> side whereas
+<b>left</b> stands for the <b>remote</b> peer.
diff --git a/testing/tests/ikev2/config-payload-swapped/evaltest.dat b/testing/tests/ikev2/config-payload-swapped/evaltest.dat
new file mode 100644
index 000000000..40cb4339b
--- /dev/null
+++ b/testing/tests/ikev2/config-payload-swapped/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list dev eth0::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status::home.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list dev eth0::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave::ipsec status::home.*INSTALLED::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec status::rw-carol.*INSTALLED::YES
+moon::ipsec status::rw-dave.*INSTALLED::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..6e2cbd153
--- /dev/null
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ right=PH_IP_CAROL
+ rightsourceip=%config
+ rightnexthop=%direct
+ rightcert=carolCert.pem
+ rightid=carol@strongswan.org
+ rightfirewall=yes
+ righthostaccess=yes
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftid=@moon.strongswan.org
+ auto=add
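Review bot: `righthostaccess=yes` in `conn home` has no counterpart in the config-payload test that description.txt says this one mirrors; the carol and dave configs there set only `leftfirewall=yes`. The hostaccess option makes the default updown script add INPUT/OUTPUT rules for the host itself, so the swapped variant runs with a wider firewall rule set than the original and is not a pure left/right swap. Either drop the `righthostaccess=yes` line here and in hosts/dave/etc/ipsec.conf, or add `lefthostaccess=yes` to the config-payload configs so both tests exercise the same rules. If the swapped case really needs it, a one-line `#` comment above the option saying why would keep the difference from looking accidental.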
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..f148757db
--- /dev/null
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ right=PH_IP_DAVE
+ rightsourceip=%config
+ rightnexthop=%direct
+ rightcert=daveCert.pem
+ rightid=dave@strongswan.org
+ rightfirewall=yes
+ righthostaccess=yes
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
index 98cdaab7a..5cb49cfc8 100755
--- a/testing/tests/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
@@ -1,28 +1,32 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
- plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
- auth=ah
- ike=aes128-sha
- esp=aes128-sha1
-
-conn home
- left=PH_IP_CAROL
- leftnexthop=%direct
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
+ keyexchange=ikev2
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
+ rightsourceip=PH_IP_MOON1
+ rightnexthop=%direct
+ rightcert=moonCert.pem
rightid=@moon.strongswan.org
+ rightfirewall=yes
+
+conn rw-carol
+ left=%any
+ leftid=carol@strongswan.org
+ leftsourceip=PH_IP_CAROL1
+ auto=add
+
+conn rw-dave
+ left=%any
+ leftid=dave@strongswan.org
+ leftsourceip=PH_IP_DAVE1
auto=add
diff --git a/testing/tests/xauth-rsa-mode-config/posttest.dat b/testing/tests/ikev2/config-payload-swapped/posttest.dat
index 530cfc7b9..7cebd7f25 100644
--- a/testing/tests/xauth-rsa-mode-config/posttest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/posttest.dat
@@ -1,6 +1,3 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-dave::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
diff --git a/testing/tests/ikev2/config-payload-swapped/pretest.dat b/testing/tests/ikev2/config-payload-swapped/pretest.dat
new file mode 100644
index 000000000..014e80517
--- /dev/null
+++ b/testing/tests/ikev2/config-payload-swapped/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
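Review bot: The `2> /dev/null` on the three `/etc/init.d/iptables start` lines hides any failure to bring the firewall up, and the evaltest.dat for this test has no assertion that packet filtering is actually active. If the init script fails, the pings presumably still succeed and the test passes without having exercised the `rightfirewall=yes` rules it is meant to cover. Dropping the redirect, e.g. `moon::/etc/init.d/iptables start`, would at least surface the error in the test log. The same lines appear in testing/tests/ikev2/config-payload/pretest.dat. Separately, `carol::sleep 2` right after `moon::ipsec start` is a fixed delay that may be too short on a loaded host.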
diff --git a/testing/tests/ikev2/config-payload-swapped/test.conf b/testing/tests/ikev2/config-payload-swapped/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev2/config-payload-swapped/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/config-payload/description.txt b/testing/tests/ikev2/config-payload/description.txt
new file mode 100644
index 000000000..7690e7dce
--- /dev/null
+++ b/testing/tests/ikev2/config-payload/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
+and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/config-payload/evaltest.dat b/testing/tests/ikev2/config-payload/evaltest.dat
new file mode 100644
index 000000000..40cb4339b
--- /dev/null
+++ b/testing/tests/ikev2/config-payload/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list dev eth0::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::ipsec status::home.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave::ip addr list dev eth0::PH_IP_DAVE1::YES
+dave::ip route list dev eth0::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave::ipsec status::home.*INSTALLED::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec status::rw-carol.*INSTALLED::YES
+moon::ipsec status::rw-dave.*INSTALLED::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..4ea2b22f7
--- /dev/null
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..dad3f3440
--- /dev/null
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftnexthop=%direct
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a4c4b3553
--- /dev/null
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,32 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftsourceip=PH_IP_MOON1
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+
+conn rw-carol
+ right=%any
+ rightid=carol@strongswan.org
+ rightsourceip=PH_IP_CAROL1
+ auto=add
+
+conn rw-dave
+ right=%any
+ rightid=dave@strongswan.org
+ rightsourceip=PH_IP_DAVE1
+ auto=add
diff --git a/testing/tests/xauth-rsa/posttest.dat b/testing/tests/ikev2/config-payload/posttest.dat
index 530cfc7b9..7cebd7f25 100644
--- a/testing/tests/xauth-rsa/posttest.dat
+++ b/testing/tests/ikev2/config-payload/posttest.dat
@@ -1,6 +1,3 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-dave::iptables -v -n -L
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
diff --git a/testing/tests/ikev2/config-payload/pretest.dat b/testing/tests/ikev2/config-payload/pretest.dat
new file mode 100644
index 000000000..014e80517
--- /dev/null
+++ b/testing/tests/ikev2/config-payload/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/config-payload/test.conf b/testing/tests/ikev2/config-payload/test.conf
new file mode 100644
index 000000000..1a8f2a4e0
--- /dev/null
+++ b/testing/tests/ikev2/config-payload/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/crl-from-cache/description.txt b/testing/tests/ikev2/crl-from-cache/description.txt
new file mode 100644
index 000000000..17866f572
--- /dev/null
+++ b/testing/tests/ikev2/crl-from-cache/description.txt
@@ -0,0 +1,5 @@
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. When <b>carol</b> initiates
+an IPsec connection to <b>moon</b>, both VPN endpoints find a cached CRL in
+their <b>/etc/ipsec.d/crls/</b> directories which allows them to immediately verify
+the certificate received from their peer.
diff --git a/testing/tests/ikev2/crl-from-cache/evaltest.dat b/testing/tests/ikev2/crl-from-cache/evaltest.dat
new file mode 100644
index 000000000..9aa53fb64
--- /dev/null
+++ b/testing/tests/ikev2/crl-from-cache/evaltest.dat
@@ -0,0 +1,8 @@
+moon::cat /var/log/daemon.log::loading crl file::YES
+carol::cat /var/log/daemon.log::loading crl file::YES
+moon::ipsec status::rw.*ESTABLISHED::YES
+carol::ipsec status::home.*ESTABLISHED::YES
+moon::cat /var/log/auth.log::written crl file::NO
+carol::cat /var/log/auth.log::written crl file::NO
+moon::ipsec listcrls:: ok::YES
+carol::ipsec listcrls:: ok::YES
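Review bot: The two `written crl file::NO` assertions read /var/log/auth.log, while every other log assertion in this file reads /var/log/daemon.log. The crl-ldap evaltest.dat added in this same commit looks for that message in daemon.log. With `plutostart=no` the IKEv2 daemon appears to log to daemon.log only (worth confirming), in which case these negative checks can never fail and do not prove the cached CRL was used without a re-fetch. Suggested: `moon::cat /var/log/daemon.log::written crl file::NO` and `carol::cat /var/log/daemon.log::written crl file::NO`.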
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..cea581bc2
--- /dev/null
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ cachecrls=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fe2179885
--- /dev/null
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ cachecrls=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/crl-from-cache/posttest.dat b/testing/tests/ikev2/crl-from-cache/posttest.dat
new file mode 100644
index 000000000..be17847c1
--- /dev/null
+++ b/testing/tests/ikev2/crl-from-cache/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/crls/*
+carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev2/crl-from-cache/pretest.dat b/testing/tests/ikev2/crl-from-cache/pretest.dat
new file mode 100644
index 000000000..acdb265ed
--- /dev/null
+++ b/testing/tests/ikev2/crl-from-cache/pretest.dat
@@ -0,0 +1,8 @@
+moon::wget -q http://crl.strongswan.org/strongswan.crl
+moon::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
+carol::wget -q http://crl.strongswan.org/strongswan.crl
+carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
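Review bot: `wget -q` downloads into whatever the current directory is, and nothing checks the result before `mv`. If a `strongswan.crl` is left over from an earlier run, wget saves the new copy under a numbered name and `mv` installs the old file, so the cache could hold a stale CRL while the test still reports `loading crl file`. Writing straight to the target avoids the intermediate file: `moon::wget -q -O /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl http://crl.strongswan.org/strongswan.crl`, and the same for carol. As in the other pretest files, `carol::sleep 2` is a fixed wait for both daemons to come up.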
diff --git a/testing/tests/ikev2/crl-from-cache/test.conf b/testing/tests/ikev2/crl-from-cache/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/crl-from-cache/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-ldap/description.txt b/testing/tests/ikev2/crl-ldap/description.txt
new file mode 100644
index 000000000..d7ed591cc
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/description.txt
@@ -0,0 +1,6 @@
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
+the connection and only an expired CRL cache file in <b>/etc/ipsec.d/crls</b> is
+availabl, an ldap fetch to get the CRL from the LDAP server <b>winnetou</b> is
+successfully started and the IKE authentication completes. The new CRL is again
+cached locally as a file in <b>/etc/ipsec.d/crls</b> due to the <b>cachecrls=yes</b> option.
diff --git a/testing/tests/ikev2/crl-ldap/evaltest.dat b/testing/tests/ikev2/crl-ldap/evaltest.dat
new file mode 100644
index 000000000..05e818e21
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/evaltest.dat
@@ -0,0 +1,12 @@
+moon::cat /var/log/daemon.log::loading crl file::YES
+carol::cat /var/log/daemon.log::loading crl file::YES
+moon::cat /var/log/daemon.log::crl is stale::YES
+carol::cat /var/log/daemon.log::crl is stale::YES
+moon::cat /var/log/daemon.log::sending ldap request::YES
+carol::cat /var/log/daemon.log::sending ldap request::YES
+moon::ipsec status::rw.*ESTABLISHED::YES
+carol::ipsec status::home.*ESTABLISHED::YES
+moon::cat /var/log/daemon.log::written crl file::YES
+carol::cat /var/log/daemon.log::written crl file::YES
+moon::ipsec listcrls:: ok::YES
+carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
new file mode 100755
index 000000000..571459bae
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow ldap crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
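Review bot: The return-path rules in `start()` match on source port alone, so `iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT` accepts any TCP segment from winnetou with source port 389 to every local port, not only replies to the CRL fetch this host initiated. Tying the rule to connection state keeps the default-DROP policy meaningful: `iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -m state --state ESTABLISHED -j ACCEPT`. The same applies to the identical rule in hosts/moon/etc/init.d/iptables of this test and to the port-80 rule in default-keys/hosts/moon/etc/init.d/iptables.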
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..8b37ec6b8
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ cachecrls=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=2
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
+
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
new file mode 100644
index 000000000..75e8b0959
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
Binary files differ
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..8de514a2e
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,76 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow ldap crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..3b1fbabb8
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ cachecrls=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ crluri="ldap://ldap1.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=2
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
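Review bot: The `crluri` in the `ca strongswan` section names `ldap1.strongswan.org`, while carol's ipsec.conf for the same test uses `ldap.strongswan.org`, and nothing in either file says whether the difference is intended. Both firewall scripts of this test admit LDAP traffic only to and from PH_IP_WINNETOU and open no DNS port, so presumably both names are resolved locally to winnetou. A comment above the line, such as `# ldap1.strongswan.org must resolve to winnetou`, would make that dependency explicit.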
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
new file mode 100644
index 000000000..75e8b0959
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
Binary files differ
diff --git a/testing/tests/ikev2/crl-ldap/posttest.dat b/testing/tests/ikev2/crl-ldap/posttest.dat
new file mode 100644
index 000000000..bddd87424
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+winnetou::/etc/init.d/slapd stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/crls/*
+carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev2/crl-ldap/pretest.dat b/testing/tests/ikev2/crl-ldap/pretest.dat
new file mode 100644
index 000000000..64fa8116b
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/pretest.dat
@@ -0,0 +1,8 @@
+winnetou::/etc/init.d/slapd start
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
+carol::sleep 3
diff --git a/testing/tests/ikev2/crl-ldap/test.conf b/testing/tests/ikev2/crl-ldap/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-revoked/description.txt b/testing/tests/ikev2/crl-revoked/description.txt
new file mode 100644
index 000000000..b39c59c97
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/description.txt
@@ -0,0 +1,4 @@
+By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. The remote host <b>carol</b>
+initiates the connection and presents a certificate that has been revoked by the
+current CRL causing the IKE negotiation to fail.
diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat
new file mode 100644
index 000000000..3d6cf72bb
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/daemon.log::certificate was revoked::YES
+moon::cat /var/log/daemon.log::end entity certificate is not trusted::YES
+carol::cat /var/log/daemon.log::AUTHENTICATION_FAILED::YES
+moon::ipsec listcrls:: ok::YES
+moon::ipsec status::rw.*ESTABLISHED::NO
+carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..29b3c2a65
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolRevokedCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
new file mode 100644
index 000000000..5b742fc9e
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
new file mode 100644
index 000000000..8aefcc5a6
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..8e31be4cb
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolRevokedKey.pem
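Review bot: The `: RSA carolRevokedKey.pem` entry carries no passphrase, so the private key added alongside it in this commit is presumably stored unencrypted in the tree. That is reasonable for a fixture whose certificate is deliberately revoked, but nothing in the file says so. A header comment such as `# test fixture: key of a deliberately revoked certificate, never deploy` would keep it from being copied into a real setup.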
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a1a9587dd
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/crl-revoked/posttest.dat b/testing/tests/ikev2/crl-revoked/posttest.dat
new file mode 100644
index 000000000..d742e8410
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/crl-revoked/pretest.dat b/testing/tests/ikev2/crl-revoked/pretest.dat
new file mode 100644
index 000000000..8984dcbcf
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/crl-revoked/test.conf b/testing/tests/ikev2/crl-revoked/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/crl-revoked/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-strict/description.txt b/testing/tests/ikev2/crl-strict/description.txt
new file mode 100644
index 000000000..b2b70906f
--- /dev/null
+++ b/testing/tests/ikev2/crl-strict/description.txt
@@ -0,0 +1,2 @@
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/crl-strict/evaltest.dat b/testing/tests/ikev2/crl-strict/evaltest.dat
new file mode 100644
index 000000000..ac70750c5
--- /dev/null
+++ b/testing/tests/ikev2/crl-strict/evaltest.dat
@@ -0,0 +1,4 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+moon::ipsec listcrls:: ok::YES
+carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf
index 6d0aee86a..52e5c291d 100755
--- a/testing/tests/crl-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf
@@ -1,17 +1,16 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
- plutodebug=control
- crlcheckinterval=180
+ crlcheckinterval=180
strictcrlpolicy=yes
+ plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
+ keyexchange=ikev2
left=PH_IP_CAROL
leftnexthop=%direct
leftcert=carolCert.pem
diff --git a/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a9f6a4bb4
--- /dev/null
+++ b/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+
+conn net-net
+ leftsubnet=10.1.0.0/16
+ right=PH_IP_SUN
+ rightsubnet=10.2.0.0/16
+ rightid=@sun.strongswan.org
+ auto=add
+
+conn host-host
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ auto=add
+
+conn rw
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/crl-strict/posttest.dat b/testing/tests/ikev2/crl-strict/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ikev2/crl-strict/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev2/crl-strict/pretest.dat b/testing/tests/ikev2/crl-strict/pretest.dat
new file mode 100644
index 000000000..8984dcbcf
--- /dev/null
+++ b/testing/tests/ikev2/crl-strict/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/crl-strict/test.conf b/testing/tests/ikev2/crl-strict/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/crl-strict/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-to-cache/description.txt b/testing/tests/ikev2/crl-to-cache/description.txt
new file mode 100644
index 000000000..9f542e73d
--- /dev/null
+++ b/testing/tests/ikev2/crl-to-cache/description.txt
@@ -0,0 +1,6 @@
+By setting <b>cachecrls=yes</b> in ipsec.conf, a copy of the CRL fetched
+via http from the web server <b>winnetou</b> is saved locally in the
+directory <b>/etc/ipsec.d/crls</b> on both the roadwarrior <b>carol</b>
+and the gateway <b>moon</b> when the IPsec connection is set up. The
+<b>subjectKeyIdentifier</b> of the issuing CA plus the suffix <b>.crl</b>
+is used as a unique filename for the cached CRL.
diff --git a/testing/tests/ikev2/crl-to-cache/evaltest.dat b/testing/tests/ikev2/crl-to-cache/evaltest.dat
new file mode 100644
index 000000000..14edd946f
--- /dev/null
+++ b/testing/tests/ikev2/crl-to-cache/evaltest.dat
@@ -0,0 +1,4 @@
+moon::ipsec status::rw.*ESTABLISHED::YES
+carol::ipsec status::home.*ESTABLISHED::YES
+moon::cat /var/log/daemon.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+carol::cat /var/log/daemon.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..cea581bc2
--- /dev/null
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ cachecrls=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fe2179885
--- /dev/null
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ cachecrls=yes
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/crl-to-cache/posttest.dat b/testing/tests/ikev2/crl-to-cache/posttest.dat
new file mode 100644
index 000000000..be17847c1
--- /dev/null
+++ b/testing/tests/ikev2/crl-to-cache/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/crls/*
+carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ocsp-strict/pretest.dat b/testing/tests/ikev2/crl-to-cache/pretest.dat
index d5516fd3b..d92333d86 100644
--- a/testing/tests/ocsp-strict/pretest.dat
+++ b/testing/tests/ikev2/crl-to-cache/pretest.dat
@@ -1,4 +1,3 @@
-winnetou::/etc/openssl/start-ocsp
moon::ipsec start
carol::ipsec start
carol::sleep 2
diff --git a/testing/tests/ikev2/crl-to-cache/test.conf b/testing/tests/ikev2/crl-to-cache/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/crl-to-cache/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/default-keys/description.txt b/testing/tests/ikev2/default-keys/description.txt
new file mode 100644
index 000000000..639e909da
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/description.txt
@@ -0,0 +1,8 @@
+Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b>
+and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key
+and a self-signed X.509 certificate. Because the UML testing environment does
+not offer enough entropy, the non-blocking /dev/urandom device is used in place
+of /dev/random for generating the random primes.
+<p>
+The self-signed certificates are then distributed to the peers via scp
+and are used to set up a road warrior connection initiated by <b>carol</b>
diff --git a/testing/tests/ikev2/default-keys/evaltest.dat b/testing/tests/ikev2/default-keys/evaltest.dat
new file mode 100644
index 000000000..2c1e11c97
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/evaltest.dat
@@ -0,0 +1,7 @@
+carol::cat /var/log/auth.log::scepclient::YES
+moon::cat /var/log/auth.log::scepclient::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+moon::ipsec statusall::carol.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a4668d9ae
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=selfCert.der
+ leftsendcert=never
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightcert=peerCert.der
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..13ad3063f
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,78 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A INPUT -p tcp --sport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
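Review bot: The ssh block in `start()` adds `iptables -A INPUT -p tcp --sport 22 -j ACCEPT`, which admits inbound TCP from any address to any local port on every interface as long as the source port is 22. It is presumably there so that the replies to moon's outgoing scp to carol get through; a state match does that without opening the other ports: `iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT`. The `OUTPUT --sport 22` rule can be limited the same way.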
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..b6a0e4990
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn carol
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=selfCert.der
+ leftsendcert=never
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ rightcert=peerCert.der
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/ikev2/default-keys/posttest.dat b/testing/tests/ikev2/default-keys/posttest.dat
new file mode 100644
index 000000000..8cada5e7e
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+moon::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat
new file mode 100644
index 000000000..fe68be4b5
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/pretest.dat
@@ -0,0 +1,18 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+carol::rm /etc/ipsec.secrets
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
+carol::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+moon::rm /etc/ipsec.secrets
+moon::rm /etc/ipsec.d/private/*
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+moon::sleep 3
+moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
+moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
+moon::ipsec reload
+carol::ipsec reload
+carol::ipsec up home
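Review bot: The only synchronisation between the two `ipsec start` lines and the two `scp` lines is `moon::sleep 3`, so the copies can run before a host has finished generating its key and self-signed certificate. A fixed delay is fragile here because the description itself says the UML environment is short on entropy. Waiting for the file is more reliable, e.g. `moon::while [ ! -f /etc/ipsec.d/certs/selfCert.der ]; do sleep 1; done` and the same on carol, assuming the harness hands each command to a shell, as the redirections in other lines suggest.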
diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/ikev2/default-keys/test.conf
new file mode 100644
index 000000000..0baa48d90
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/double-nat-net/description.txt b/testing/tests/ikev2/double-nat-net/description.txt
new file mode 100644
index 000000000..ff09155f6
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a
+tunnel to the subnet hiding behind the NAT router <b>sun</b>. All IKE and ESP traffic
+directed to the router <b>sun</b> is forwarded to the VPN gateway <b>bob</b>
+using destination NAT. UDP encapsulation is used to traverse the NAT routers.
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test the double NAT-ed IPsec
+tunnel <b>alice</b> pings the inner IP address of the router <b>sun</b>.
diff --git a/testing/tests/ikev2/double-nat-net/evaltest.dat b/testing/tests/ikev2/double-nat-net/evaltest.dat
new file mode 100644
index 000000000..aa69dabfa
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/evaltest.dat
@@ -0,0 +1,5 @@
+alice::ipsec statusall::nat-t.*INSTALLED::YES
+bob::ipsec statusall::nat-t.*INSTALLED::YES
+alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..c8aa460cf
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%defaultroute
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=bob@strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf
new file mode 100755
index 000000000..f0c5b6f15
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%defaultroute
+ leftsubnet=10.2.0.0/16
+ leftcert=bobCert.pem
+ leftid=bob@strongswan.org
+ leftfirewall=yes
+ right=%any
+ rightsubnet=10.1.0.0/16
+ auto=add
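Review bot: `conn nat-t` on bob combines `right=%any` with no `rightid`, so as far as this file shows, any peer presenting a certificate bob trusts can bring up the connection and negotiate `rightsubnet=10.1.0.0/16`. alice's side pins `rightid=bob@strongswan.org`, and the `rw` connections in the dpd-* tests pin `rightid=carol@strongswan.org`, so the omission here looks unintentional. Adding `rightid=alice@strongswan.org` after `right=%any` would make the responder as strict as the initiator without changing what the test exercises. The bob configuration in `double-nat/hosts/bob/etc/ipsec.conf` has the same gap.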
diff --git a/testing/tests/ikev2/double-nat-net/posttest.dat b/testing/tests/ikev2/double-nat-net/posttest.dat
new file mode 100644
index 000000000..484297418
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/posttest.dat
@@ -0,0 +1,9 @@
+bob::ipsec stop
+alice::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+bob::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+sun::iptables -t nat -F
+moon::conntrack -F
+sun::conntrack -F
+sun::ip route del 10.1.0.0/16 via PH_IP_BOB
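Review bot: The cleanup flushes the NAT tables and conntrack and removes the route, but it never undoes the `echo 1 > /proc/sys/net/ipv4/ip_forward` that pretest.dat runs on bob, moon and sun. For bob this looks like leaked state: the sibling `double-nat` pretest does not enable forwarding on bob, which suggests it is normally off there. A later test could then pass or fail depending on whether this one ran first. Consider adding `bob::echo 0 > /proc/sys/net/ipv4/ip_forward`, and the same for moon and sun unless the framework resets them.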
diff --git a/testing/tests/ikev2/double-nat-net/pretest.dat b/testing/tests/ikev2/double-nat-net/pretest.dat
new file mode 100644
index 000000000..41b69aed6
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/pretest.dat
@@ -0,0 +1,15 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+bob::/etc/init.d/iptables start 2> /dev/null
+bob::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
+sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
+sun::ip route add 10.1.0.0/16 via PH_IP_BOB
+alice::ipsec start
+bob::ipsec start
+alice::sleep 2
+alice::ipsec up nat-t
+alice::sleep 1
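Review bot: The DNAT rule on sun, `-A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB`, forwards every UDP datagram from moon to bob. description.txt says only IKE and ESP traffic is forwarded, and evaltest.dat only expects `ipsec-nat-t` packets. Restricting the match to the IKE and NAT-T ports keeps the fixture aligned with the scenario and avoids modelling a port-forward that exposes all of bob's UDP services, e.g. `-p udp -m multiport --dports 500,4500 -j DNAT --to-destination PH_IP_BOB`. The same rule is repeated in `double-nat/pretest.dat`.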
diff --git a/testing/tests/ikev2/double-nat-net/test.conf b/testing/tests/ikev2/double-nat-net/test.conf
new file mode 100644
index 000000000..1ca2ffe5a
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev2/double-nat/description.txt b/testing/tests/ikev2/double-nat/description.txt
new file mode 100644
index 000000000..ce7de0e56
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to
+the peer <b>bob</b> hiding behind the NAT router <b>sun</b>. UDP encapsulation is used to
+traverse the NAT routers. <b>leftfirewall=yes</b> automatically inserts iptables-based
+firewall rules that let pass the tunneled traffic. In order to test the double NAT-ed IPsec
+tunnel <b>alice</b> pings <b>bob</b>.
diff --git a/testing/tests/ikev2/double-nat/evaltest.dat b/testing/tests/ikev2/double-nat/evaltest.dat
new file mode 100644
index 000000000..77deea2a7
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/evaltest.dat
@@ -0,0 +1,5 @@
+alice::ipsec statusall::nat-t.*INSTALLED::YES
+bob::ipsec statusall::nat-t.*INSTALLED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..26830f390
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%defaultroute
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=bob@strongswan.org
+ rightsubnet=PH_IP_BOB/32
+ auto=add
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf
new file mode 100755
index 000000000..b4a24cb1f
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%defaultroute
+ leftcert=bobCert.pem
+ leftid=bob@strongswan.org
+ leftfirewall=yes
+ right=%any
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/double-nat/posttest.dat b/testing/tests/ikev2/double-nat/posttest.dat
new file mode 100644
index 000000000..5d39e406d
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/posttest.dat
@@ -0,0 +1,8 @@
+bob::ipsec stop
+alice::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+bob::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+sun::iptables -t nat -F
+moon::conntrack -F
+sun::conntrack -F
diff --git a/testing/tests/ikev2/double-nat/pretest.dat b/testing/tests/ikev2/double-nat/pretest.dat
new file mode 100644
index 000000000..10ba6d735
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/pretest.dat
@@ -0,0 +1,13 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+bob::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
+sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB
+alice::ipsec start
+bob::ipsec start
+alice::sleep 2
+alice::ipsec up nat-t
+alice::sleep 1
diff --git a/testing/tests/ikev2/double-nat/test.conf b/testing/tests/ikev2/double-nat/test.conf
new file mode 100644
index 000000000..1ca2ffe5a
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev2/dpd-clear/description.txt b/testing/tests/ikev2/dpd-clear/description.txt
new file mode 100644
index 000000000..7f62dc576
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b>
+which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s.
+When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted,
+<b>moon</b> clears the connection after 4 unsuccessful retransmits.
+
diff --git a/testing/tests/ikev2/dpd-clear/evaltest.dat b/testing/tests/ikev2/dpd-clear/evaltest.dat
new file mode 100644
index 000000000..86c0227bd
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/evaltest.dat
@@ -0,0 +1,6 @@
+carol::ipsec statusall::home.*INSTALLED::YES
+carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+moon::sleep 180::no output expected::NO
+moon::cat /var/log/daemon.log::sending DPD request::YES
+moon::cat /var/log/daemon.log::retransmit.*of request::YES
+moon::cat /var/log/daemon.log::giving up after 5 retransmits::YES
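Review bot: The evaluation only checks log lines (`sending DPD request`, `retransmit.*of request`, `giving up after 5 retransmits`) and never asserts that moon actually removed the SA, which is what `dpdaction=clear` is meant to demonstrate. A final line such as `moon::ipsec statusall::rw.*INSTALLED::NO` would fail the test if the daemon logged the timeout but left the CHILD_SA in place. Separately, the expected string says 5 retransmits while description.txt says the connection is cleared "after 4 unsuccessful retransmits". The same mismatch exists in dpd-hold and dpd-restart, so one of the two should be corrected.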
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..e5d9ad476
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..97b5411bd
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ leftnexthop=%direct
+ keyexchange=ikev2
+ dpdaction=clear
+ dpddelay=10
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ rightid=carol@strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/dpd-clear/posttest.dat b/testing/tests/ikev2/dpd-clear/posttest.dat
new file mode 100644
index 000000000..931db4272
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/posttest.dat
@@ -0,0 +1,3 @@
+carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev2/dpd-clear/pretest.dat b/testing/tests/ikev2/dpd-clear/pretest.dat
new file mode 100644
index 000000000..14ed95322
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/dpd-clear/test.conf b/testing/tests/ikev2/dpd-clear/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/dpd-clear/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dpd-hold/description.txt b/testing/tests/ikev2/dpd-hold/description.txt
new file mode 100644
index 000000000..405e67cb9
--- /dev/null
+++ b/testing/tests/ikev2/dpd-hold/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway
+<b>moon</b>. Both end points activate <b>Dead Peer Detection</b> (DPD) with a
+polling interval of 10 s. When the network connectivity between <b>carol</b>
+and <b>moon</b> is forcefully disrupted for a duration of 100 s, <b>moon</b>
+clears the connection after 4 unsuccessful retransmits whereas <b>carol</b>
+also takes down the connection but installs a route which triggers when
+<b>carol</b> sends a ping to client <b>alice</b> behind gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/dpd-hold/evaltest.dat b/testing/tests/ikev2/dpd-hold/evaltest.dat
new file mode 100644
index 000000000..2cf063762
--- /dev/null
+++ b/testing/tests/ikev2/dpd-hold/evaltest.dat
@@ -0,0 +1,14 @@
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::rw.*INSTALLED::YES
+moon::iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+carol::sleep 180::no output expected::NO
+carol::cat /var/log/daemon.log::sending DPD request::YES
+carol::cat /var/log/daemon.log::retransmit.*of request::YES
+carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
+carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+moon::iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::ping -c 1 PH_IP_ALICE::trigger route::NO
+carol::sleep 2::no output expected::NO
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::rw.*INSTALLED::YES
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..dff90e563
--- /dev/null
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ dpdaction=hold
+ dpddelay=10
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..97b5411bd
--- /dev/null
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ leftnexthop=%direct
+ keyexchange=ikev2
+ dpdaction=clear
+ dpddelay=10
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ rightid=carol@strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/dpd-hold/posttest.dat b/testing/tests/ikev2/dpd-hold/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ikev2/dpd-hold/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
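Review bot: This cleanup does not remove the `iptables ... -j DROP` rules that evaltest.dat inserts on moon and carol, so it relies on the evaluation reaching its own `iptables -D` lines. If the harness stops or is interrupted during the 180 s sleep, both hosts presumably keep dropping each other's traffic for every following test. dpd-clear/posttest.dat already deletes its rule in cleanup. Tolerant deletes would cover this case, e.g. `carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP 2> /dev/null` and `moon::iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP 2> /dev/null`. dpd-restart/posttest.dat needs the same two lines.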
diff --git a/testing/tests/ikev2/dpd-hold/pretest.dat b/testing/tests/ikev2/dpd-hold/pretest.dat
new file mode 100644
index 000000000..14ed95322
--- /dev/null
+++ b/testing/tests/ikev2/dpd-hold/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/dpd-hold/test.conf b/testing/tests/ikev2/dpd-hold/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/dpd-hold/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dpd-restart/description.txt b/testing/tests/ikev2/dpd-restart/description.txt
new file mode 100644
index 000000000..410d3d636
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway
+<b>moon</b>. Both end points activate <b>Dead Peer Detection</b> (DPD) with a
+polling interval of 10 s. When the network connectivity between <b>carol</b>
+and <b>moon</b> is forcefully disrupted for a duration of 100 s, <b>moon</b>
+clears the connection after 4 unsuccessful retransmits whereas <b>carol</b>
+also takes down the connection but immediately tries to reconnect which succeeds
+as soon as the connection becomes available again.
diff --git a/testing/tests/ikev2/dpd-restart/evaltest.dat b/testing/tests/ikev2/dpd-restart/evaltest.dat
new file mode 100644
index 000000000..28edd4823
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/evaltest.dat
@@ -0,0 +1,13 @@
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::rw.*INSTALLED::YES
+moon::iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+carol::sleep 180::no output expected::NO
+carol::cat /var/log/daemon.log::sending DPD request::YES
+carol::cat /var/log/daemon.log::retransmit.*of request::YES
+carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
+carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+moon::iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::sleep 10::no output expected::NO
+carol::ipsec statusall::home.*INSTALLED::YES
+moon::ipsec statusall::rw.*INSTALLED::YES
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..7c5b88a2c
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ dpdaction=restart
+ dpddelay=10
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..97b5411bd
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ leftnexthop=%direct
+ keyexchange=ikev2
+ dpdaction=clear
+ dpddelay=10
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ rightid=carol@strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/dpd-restart/posttest.dat b/testing/tests/ikev2/dpd-restart/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev2/dpd-restart/pretest.dat b/testing/tests/ikev2/dpd-restart/pretest.dat
new file mode 100644
index 000000000..14ed95322
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/dpd-restart/test.conf b/testing/tests/ikev2/dpd-restart/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/dpd-restart/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/host2host-cert/description.txt b/testing/tests/ikev2/host2host-cert/description.txt
new file mode 100644
index 000000000..6be21bf8f
--- /dev/null
+++ b/testing/tests/ikev2/host2host-cert/description.txt
@@ -0,0 +1,4 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
+The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev2/host2host-cert/evaltest.dat b/testing/tests/ikev2/host2host-cert/evaltest.dat
new file mode 100644
index 000000000..8d5d8167a
--- /dev/null
+++ b/testing/tests/ikev2/host2host-cert/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec statusall::host-host.*ESTABLISHED::YES
+sun::ipsec statusall::host-host.*ESTABLISHED::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2d41690cc
--- /dev/null
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..7ffbf64ac
--- /dev/null
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_SUN
+ leftnexthop=%direct
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/host2host-cert/posttest.dat b/testing/tests/ikev2/host2host-cert/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/ikev2/host2host-cert/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/host2host-cert/pretest.dat b/testing/tests/ikev2/host2host-cert/pretest.dat
new file mode 100644
index 000000000..1fa70177c
--- /dev/null
+++ b/testing/tests/ikev2/host2host-cert/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up host-host
diff --git a/testing/tests/ikev2/host2host-cert/test.conf b/testing/tests/ikev2/host2host-cert/test.conf
new file mode 100644
index 000000000..305a67316
--- /dev/null
+++ b/testing/tests/ikev2/host2host-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/host2host-swapped/description.txt b/testing/tests/ikev2/host2host-swapped/description.txt
new file mode 100644
index 000000000..34cfe43cc
--- /dev/null
+++ b/testing/tests/ikev2/host2host-swapped/description.txt
@@ -0,0 +1,3 @@
+Same scenario as test <a href="../host2host-cert/"><b>host2host-cert</b></a> but with
+swapped end definitions: <b>right</b> denotes the <b>local</b> side whereas
+<b>left</b> stands for the <b>remote</b> peer.
diff --git a/testing/tests/ikev2/host2host-swapped/evaltest.dat b/testing/tests/ikev2/host2host-swapped/evaltest.dat
new file mode 100644
index 000000000..8d5d8167a
--- /dev/null
+++ b/testing/tests/ikev2/host2host-swapped/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec statusall::host-host.*ESTABLISHED::YES
+sun::ipsec statusall::host-host.*ESTABLISHED::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..0c3dd7abe
--- /dev/null
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ right=PH_IP_MOON
+ rightnexthop=%direct
+ rightcert=moonCert.pem
+ rightid=@moon.strongswan.org
+ rightfirewall=yes
+ left=PH_IP_SUN
+ leftid=@sun.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..bd510cc73
--- /dev/null
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ right=PH_IP_SUN
+ rightnexthop=%direct
+ rightcert=sunCert.pem
+ rightid=@sun.strongswan.org
+ rightfirewall=yes
+ left=PH_IP_MOON
+ leftid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/host2host-swapped/posttest.dat b/testing/tests/ikev2/host2host-swapped/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/ikev2/host2host-swapped/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/host2host-swapped/pretest.dat b/testing/tests/ikev2/host2host-swapped/pretest.dat
new file mode 100644
index 000000000..1fa70177c
--- /dev/null
+++ b/testing/tests/ikev2/host2host-swapped/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up host-host
diff --git a/testing/tests/ikev2/host2host-swapped/test.conf b/testing/tests/ikev2/host2host-swapped/test.conf
new file mode 100644
index 000000000..305a67316
--- /dev/null
+++ b/testing/tests/ikev2/host2host-swapped/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/host2host-transport/description.txt b/testing/tests/ikev2/host2host-transport/description.txt
new file mode 100644
index 000000000..fe3482c96
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport/description.txt
@@ -0,0 +1,4 @@
+An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b> is
+successfully set up. <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
+rules that let pass the decrypted IP packets. In order to test the host-to-host connection
+<b>moon</b> pings <b>sun</b>.
diff --git a/testing/tests/ikev2/host2host-transport/evaltest.dat b/testing/tests/ikev2/host2host-transport/evaltest.dat
new file mode 100644
index 000000000..a46e4e4e4
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
+sun::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..f957e5fb3
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ type=transport
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..52b605024
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_SUN
+ leftnexthop=%direct
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ type=transport
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport/posttest.dat b/testing/tests/ikev2/host2host-transport/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/host2host-transport/pretest.dat b/testing/tests/ikev2/host2host-transport/pretest.dat
new file mode 100644
index 000000000..e2d98f2eb
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up host-host
diff --git a/testing/tests/ikev2/host2host-transport/test.conf b/testing/tests/ikev2/host2host-transport/test.conf
new file mode 100644
index 000000000..cf2e704fd
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/nat-double-snat/description.txt b/testing/tests/ikev2/nat-double-snat/description.txt
new file mode 100644
index 000000000..e0708898b
--- /dev/null
+++ b/testing/tests/ikev2/nat-double-snat/description.txt
@@ -0,0 +1,6 @@
+The roadwarrior <b>alice</b> sets up a connection to host <b>bob</b> using IKEv2. The hosts
+sit behind NAT router <b>moon</b> (SNAT) and <b>sun</b> (SNAT) respectively.
+UDP encapsulation is used to traverse the NAT router.
+The authentication is based on locally loaded <b>X.509 certificates</b>.
+In order to test the tunnel the NAT-ed host <b>alice</b> pings the host
+<b>bob</b>.
diff --git a/testing/tests/ikev2/nat-double-snat/evaltest.dat b/testing/tests/ikev2/nat-double-snat/evaltest.dat
new file mode 100644
index 000000000..7a3dede42
--- /dev/null
+++ b/testing/tests/ikev2/nat-double-snat/evaltest.dat
@@ -0,0 +1,5 @@
+bob::ipsec statusall::rw-alice.*ESTABLISHED::YES
+alice::ipsec statusall::home.*ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdumpcount::IP moon.strongswan.org.* > bob.strongswan.org.ipsec-nat-t: UDP::2
+moon::tcpdumpcount::IP bob.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::2
diff --git a/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..30a067bc9
--- /dev/null
+++ b/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,16 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutostart=no
+
+conn home
+ left=PH_IP_ALICE
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ right=PH_IP_BOB
+ rightcert=bobCert.pem
+ rightid=bob@strongswan.org
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem b/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem
new file mode 100644
index 000000000..199d3eee2
--- /dev/null
+++ b/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf
new file mode 100644
index 000000000..eaec3d642
--- /dev/null
+++ b/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutostart=no
+
+conn %default
+ left=PH_IP_BOB
+ leftcert=bobCert.pem
+ leftid=bob@strongswan.org
+ leftsubnet=10.2.0.10/32
+ keyexchange=ikev2
+
+conn rw-alice
+ right=%any
+ rightcert=aliceCert.pem
+ rightid=alice@strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem
new file mode 100644
index 000000000..e99ae8ec7
--- /dev/null
+++ b/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-double-snat/posttest.dat b/testing/tests/ikev2/nat-double-snat/posttest.dat
new file mode 100644
index 000000000..8ad7df96c
--- /dev/null
+++ b/testing/tests/ikev2/nat-double-snat/posttest.dat
@@ -0,0 +1,8 @@
+alice::ipsec stop
+bob::ipsec stop
+alice::rm /etc/ipsec.d/certs/*
+bob::rm /etc/ipsec.d/certs/*
+moon::route del -net 10.2.0.0/16
+sun::route del -net 10.1.0.0/16
+moon::iptables -t nat -F
+sun::iptables -t nat -F
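Review bot: The teardown flushes the NAT tables on moon and sun but leaves their connection-tracking entries in place, so SNAT port mappings created during this test can still be live when the next test starts. The nat-one-rw and nat-portswitch posttest.dat files in this commit end with `moon::conntrack -F`; adding `moon::conntrack -F` and `sun::conntrack -F` here would make the cleanup consistent, assuming the conntrack tool is installed on sun as it is on moon. The nat-pf and nat-rw-mixed posttest.dat files have the same gap on moon. `ip_forward`, which pretest.dat enables on both routers, is not reset either, which may be intentional if the test bed expects forwarding to stay on.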
diff --git a/testing/tests/ikev2/nat-double-snat/pretest.dat b/testing/tests/ikev2/nat-double-snat/pretest.dat
new file mode 100644
index 000000000..da1d43c4e
--- /dev/null
+++ b/testing/tests/ikev2/nat-double-snat/pretest.dat
@@ -0,0 +1,11 @@
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::route add -net 10.1.0.0/16 gw PH_IP_MOON
+sun::iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -p udp -j SNAT --to-source PH_IP_SUN1:4024-4100
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::route add -net 10.2.0.0/16 gw PH_IP_SUN
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+bob::ipsec start
+alice::ipsec start
+alice::sleep 1
+alice::ipsec up home
+alice::sleep 1
diff --git a/testing/tests/ikev2/nat-double-snat/test.conf b/testing/tests/ikev2/nat-double-snat/test.conf
new file mode 100644
index 000000000..1ca2ffe5a
--- /dev/null
+++ b/testing/tests/ikev2/nat-double-snat/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev2/nat-one-rw/description.txt b/testing/tests/ikev2/nat-one-rw/description.txt
new file mode 100644
index 000000000..c3b9bb820
--- /dev/null
+++ b/testing/tests/ikev2/nat-one-rw/description.txt
@@ -0,0 +1,5 @@
+The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to
+gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnel, the NAT-ed host <b>alice</b> pings the
+client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-one-rw/evaltest.dat b/testing/tests/ikev2/nat-one-rw/evaltest.dat
new file mode 100644
index 000000000..7395e5571
--- /dev/null
+++ b/testing/tests/ikev2/nat-one-rw/evaltest.dat
@@ -0,0 +1,5 @@
+alice::ipsec statusall::nat-t.*INSTALLED::YES
+sun::ipsec statusall::nat-t.*INSTALLED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..8db43213f
--- /dev/null
+++ b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%defaultroute
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..a2c168601
--- /dev/null
+++ b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,35 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+
+conn net-net
+ leftsubnet=10.2.0.0/16
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
+
+conn host-host
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ auto=add
+
+conn nat-t
+ leftsubnet=10.2.0.0/16
+ right=%any
+ rightsubnet=10.1.0.10/32
+ auto=add
diff --git a/testing/tests/ikev2/nat-one-rw/posttest.dat b/testing/tests/ikev2/nat-one-rw/posttest.dat
new file mode 100644
index 000000000..cd0d4df25
--- /dev/null
+++ b/testing/tests/ikev2/nat-one-rw/posttest.dat
@@ -0,0 +1,6 @@
+alice::ipsec stop
+sun::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-one-rw/pretest.dat b/testing/tests/ikev2/nat-one-rw/pretest.dat
new file mode 100644
index 000000000..ebd0c19e2
--- /dev/null
+++ b/testing/tests/ikev2/nat-one-rw/pretest.dat
@@ -0,0 +1,11 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+sun::ipsec start
+alice::sleep 4
+alice::ipsec up nat-t
+alice::sleep 1
+
diff --git a/testing/tests/ikev2/nat-one-rw/test.conf b/testing/tests/ikev2/nat-one-rw/test.conf
new file mode 100644
index 000000000..d84149aaf
--- /dev/null
+++ b/testing/tests/ikev2/nat-one-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/nat-pf/description.txt b/testing/tests/ikev2/nat-pf/description.txt
new file mode 100644
index 000000000..bb38af458
--- /dev/null
+++ b/testing/tests/ikev2/nat-pf/description.txt
@@ -0,0 +1,4 @@
+The roadwarrior <b>carol</b> sets up a connection to host <b>alice</b> sitting behind the NAT router <b>moon</b>
+using IKEv2. Port Forwarding is used to publish host <b>alice</b>. UDP encapsulation is used to traverse the NAT router.
+The authentication is based on locally loaded <b>X.509 certificates</b>.
+In order to test the tunnel the roadwarrior <b>carol</b> pings the host <b>alice</b>.
diff --git a/testing/tests/ikev2/nat-pf/evaltest.dat b/testing/tests/ikev2/nat-pf/evaltest.dat
new file mode 100644
index 000000000..4d2950521
--- /dev/null
+++ b/testing/tests/ikev2/nat-pf/evaltest.dat
@@ -0,0 +1,5 @@
+alice::ipsec statusall::rw-carol.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdumpcount::IP carol.strongswan.org.* > moon.strongswan.org.ipsec-nat-t: UDP::2
+moon::tcpdumpcount::IP moon.strongswan.org.ipsec-nat-t > carol.strongswan.org.*: UDP::2
diff --git a/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..836379494
--- /dev/null
+++ b/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutostart=no
+
+conn %default
+ left=PH_IP_ALICE
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftsubnet=10.1.0.10/32
+ keyexchange=ikev2
+
+conn rw-carol
+ right=%any
+ rightcert=carolCert.pem
+ rightid=carol@strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..8492fbd45
--- /dev/null
+++ b/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..52345af7c
--- /dev/null
+++ b/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutostart=no
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightcert=aliceCert.pem
+ rightid=alice@strongswan.org
+ rightsubnet=10.1.0.0/24
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem
new file mode 100644
index 000000000..e99ae8ec7
--- /dev/null
+++ b/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-pf/posttest.dat b/testing/tests/ikev2/nat-pf/posttest.dat
new file mode 100644
index 000000000..bed4ae1b7
--- /dev/null
+++ b/testing/tests/ikev2/nat-pf/posttest.dat
@@ -0,0 +1,5 @@
+carol::ipsec stop
+alice::ipsec stop
+carol::rm /etc/ipsec.d/certs/*
+alice::rm /etc/ipsec.d/certs/*
+moon::iptables -t nat -F
diff --git a/testing/tests/ikev2/nat-pf/pretest.dat b/testing/tests/ikev2/nat-pf/pretest.dat
new file mode 100644
index 000000000..fdb3de711
--- /dev/null
+++ b/testing/tests/ikev2/nat-pf/pretest.dat
@@ -0,0 +1,7 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -m multiport -t nat -A PREROUTING -i eth0 -p udp --dports 500,4500 -j DNAT --to 10.1.0.10
+alice::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
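Review bot: The DNAT target on the second line is the literal `10.1.0.10`, while the other host addresses in this test are written as `PH_IP_*` placeholders, presumably substituted by the test framework. If alice's test-bed address ever changes, the port-forwarding rule would silently point at the wrong host and the test would fail for a reason unrelated to IKEv2. Using `--to PH_IP_ALICE` keeps the rule in step with `left=PH_IP_ALICE` in alice's ipsec.conf. This assumes PH_IP_ALICE expands to 10.1.0.10, which alice's `leftsubnet=10.1.0.10/32` suggests but the hunk does not show.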
diff --git a/testing/tests/ikev2/nat-pf/test.conf b/testing/tests/ikev2/nat-pf/test.conf
new file mode 100644
index 000000000..21bece8e6
--- /dev/null
+++ b/testing/tests/ikev2/nat-pf/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice carol"
diff --git a/testing/tests/ikev2/nat-portswitch/description.txt b/testing/tests/ikev2/nat-portswitch/description.txt
new file mode 100644
index 000000000..93b779ee1
--- /dev/null
+++ b/testing/tests/ikev2/nat-portswitch/description.txt
@@ -0,0 +1,6 @@
+The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a connection
+to gateway <b>sun</b> using IKEv2. UDP encapsulation is used to traverse the NAT router.
+The authentication is based on locally loaded <b>X.509 certificates</b>.
+After the IPsec Setup NAT router moon "crashes" (i.e. flushes its conntrack
+table) and with the next dpd sent from <b>alice</b> a dynamical address update
+should occur in gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-portswitch/evaltest.dat b/testing/tests/ikev2/nat-portswitch/evaltest.dat
new file mode 100644
index 000000000..75b01a551
--- /dev/null
+++ b/testing/tests/ikev2/nat-portswitch/evaltest.dat
@@ -0,0 +1,10 @@
+sun::ipsec statusall::rw-alice.*ESTABLISHED::YES
+alice::ipsec statusall::home.*ESTABLISHED::YES
+moon::cmd::iptables -t nat -F::YES
+moon::cmd::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:3024-3100::YES
+moon::cmd::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:4000-4100::YES
+moon::cmd::conntrack -F::YES
+alice::cmd::sleep 75::YES
+bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP, length: 132::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP, length: 132::YES
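Review bot: The two tcpdump checks match on `UDP, length: 132`, which ties the result to one tcpdump output format and one exact packet size rather than to the address update the test is about. A different proposal, payload set or tcpdump version would change that string while the update still works; matching on `UDP` alone, as nat-one-rw's evaltest.dat does, would be more robust. The `sleep 75` also relies on a DPD interval that neither ipsec.conf added for this test sets explicitly, so a comment naming the default it depends on would help the next maintainer.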
diff --git a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..cd9de533a
--- /dev/null
+++ b/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutostart=no
+
+conn home
+ left=PH_IP_ALICE
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ right=PH_IP_SUN
+ rightcert=sunCert.pem
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem
new file mode 100644
index 000000000..e7825e3db
--- /dev/null
+++ b/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..a7722142f
--- /dev/null
+++ b/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutostart=no
+
+conn %default
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ keyexchange=ikev2
+
+conn rw-alice
+ right=%any
+ rightcert=aliceCert.pem
+ rightid=alice@strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem
new file mode 100644
index 000000000..e99ae8ec7
--- /dev/null
+++ b/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-portswitch/posttest.dat b/testing/tests/ikev2/nat-portswitch/posttest.dat
new file mode 100644
index 000000000..3b9f53e9b
--- /dev/null
+++ b/testing/tests/ikev2/nat-portswitch/posttest.dat
@@ -0,0 +1,6 @@
+sun::ipsec stop
+alice::ipsec stop
+sun::rm /etc/ipsec.d/certs/*
+alice::rm /etc/ipsec.d/certs/*
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-portswitch/pretest.dat b/testing/tests/ikev2/nat-portswitch/pretest.dat
new file mode 100644
index 000000000..17cc4b070
--- /dev/null
+++ b/testing/tests/ikev2/nat-portswitch/pretest.dat
@@ -0,0 +1,9 @@
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::ipsec start
+alice::ipsec start
+alice::sleep 1
+alice::ipsec up home
+alice::sleep 1
diff --git a/testing/tests/ikev2/nat-portswitch/test.conf b/testing/tests/ikev2/nat-portswitch/test.conf
new file mode 100644
index 000000000..d84149aaf
--- /dev/null
+++ b/testing/tests/ikev2/nat-portswitch/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/nat-rw-mixed/description.txt b/testing/tests/ikev2/nat-rw-mixed/description.txt
new file mode 100644
index 000000000..511a1a874
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mixed/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b>
+set up a connection to gateway <b>sun</b>. <b>alice</b> uses the IKEv2 key exchange protocol
+whereas <b>venus</b> negotiates the connection via the IKEv1 protocol.
+UDP encapsulation is used to traverse the NAT router.
+In order to test the tunnel the NAT-ed hosts <b>alice</b> and <b>venus</b> ping the client
+<b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-rw-mixed/evaltest.dat b/testing/tests/ikev2/nat-rw-mixed/evaltest.dat
new file mode 100644
index 000000000..685c1b43f
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mixed/evaltest.dat
@@ -0,0 +1,9 @@
+sun::ipsec statusall::rw-alice.*ESTABLISHED::YES
+sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
+sun::ipsec status::nat-t.*@venus.strongswan.org::YES
+alice::ipsec statusall::home.*ESTABLISHED::YES
+sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
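Review bot: The fifth check repeats the second one verbatim (`sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES`), so the IKEv1 tunnel is verified twice on the responder and never on venus. Given the `alice::ipsec statusall::home.*ESTABLISHED` line directly above it, the second occurrence was probably meant to run on the initiator, e.g. `venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES`. The venus ping further down covers this only indirectly.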
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..cd9de533a
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutostart=no
+
+conn home
+ left=PH_IP_ALICE
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ right=PH_IP_SUN
+ rightcert=sunCert.pem
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem
new file mode 100644
index 000000000..e7825e3db
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8
+foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS
+Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC
+AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe
+zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n
+HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G
+N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg
+KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq
+hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i
+ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP
+Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S
+5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE
+JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk
+Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..b85bd607b
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ nat_traversal=yes
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+
+conn rw-alice
+ right=%any
+ rightcert=aliceCert.pem
+ rightid=alice@strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
+
+conn nat-t
+ leftsubnet=10.2.0.0/16
+ right=%any
+ rightsubnetwithin=10.1.0.0/16
+ keyexchange=ikev1
+ auto=add
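Review bot: `conn nat-t` takes `right=%any` with no `rightid` or `rightcert`, so unlike `rw-alice` it is not bound to a particular peer; any IKEv1 initiator that authenticates successfully and proposes a subnet within 10.1.0.0/16 can match it. The commit also adds `venusCert.pem` under sun's certs directory, yet nothing in this file references it. If the test is not meant to exercise an open responder, adding `rightid=@venus.strongswan.org` (the identity evaltest.dat greps for) would pin the connection. The repeated `leftsubnet=10.2.0.0/16` is already inherited from `conn %default` and can be dropped.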
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem
new file mode 100644
index 000000000..e99ae8ec7
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem
new file mode 100644
index 000000000..25a6941b0
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-rw-mixed/posttest.dat b/testing/tests/ikev2/nat-rw-mixed/posttest.dat
new file mode 100644
index 000000000..0a8ce2bbc
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mixed/posttest.dat
@@ -0,0 +1,6 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+sun::rm /etc/ipsec.d/certs/*
+alice::rm /etc/ipsec.d/certs/*
+moon::iptables -t nat -F
diff --git a/testing/tests/ikev2/nat-rw-mixed/pretest.dat b/testing/tests/ikev2/nat-rw-mixed/pretest.dat
new file mode 100644
index 000000000..d2c5c7df2
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mixed/pretest.dat
@@ -0,0 +1,11 @@
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+sun::ipsec start
+alice::ipsec start
+venus::ipsec start
+alice::sleep 1
+venus::ipsec up nat-t
+alice::ipsec up home
+alice::sleep 1
diff --git a/testing/tests/ikev2/nat-rw-mixed/test.conf b/testing/tests/ikev2/nat-rw-mixed/test.conf
new file mode 100644
index 000000000..84317fd70
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mixed/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-two-rw-psk/description.txt b/testing/tests/ikev2/nat-two-rw-psk/description.txt
new file mode 100644
index 000000000..c74897d9a
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway <b>sun</b>.
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-two-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-two-rw-psk/evaltest.dat
new file mode 100644
index 000000000..2cab168f0
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/evaltest.dat
@@ -0,0 +1,9 @@
+alice::ipsec statusall::nat-t.*INSTALLED::YES
+venus::ipsec statusall::nat-t.*INSTALLED::YES
+sun::ipsec statusall::nat-t.*INSTALLED::YES
+sun::ipsec status::nat-t.*\[PH_IP_ALICE\]::YES
+sun::ipsec status::nat-t.*\[PH_IP_VENUS\]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..e0ccbb812
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn nat-t
+ left=%defaultroute
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets
new file mode 100644
index 000000000..d61e3eb48
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP_ALICE : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..c76e7ce92
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn nat-t
+ left=PH_IP_SUN
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ leftnexthop=%direct
+ right=%any
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..5f2955503
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP_ALICE : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+PH_IP_VENUS : PSK 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
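Review bot: description.txt for this test says both roadwarriors share the same Pre-Shared Key with sun, but this file defines two different secrets, one indexed by PH_IP_ALICE and one by PH_IP_VENUS, matching the per-host ipsec.secrets files on alice and venus. Either the description or the secrets should change so the test documents what it actually exercises. Since these values are committed in the clear, a header comment such as `# test-bed PSKs only - never reuse on a production gateway` in each of the three ipsec.secrets files would also be worth adding.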
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..e0ccbb812
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn nat-t
+ left=%defaultroute
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets
new file mode 100644
index 000000000..9cd66b1df
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP_VENUS : PSK 0s8PjpI8z+Ym5A9zPvh7+opyyV9NcZp8Br
diff --git a/testing/tests/ikev2/nat-two-rw-psk/posttest.dat b/testing/tests/ikev2/nat-two-rw-psk/posttest.dat
new file mode 100644
index 000000000..52572ece8
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-two-rw-psk/pretest.dat b/testing/tests/ikev2/nat-two-rw-psk/pretest.dat
new file mode 100644
index 000000000..5e23259bb
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/pretest.dat
@@ -0,0 +1,17 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::rm /etc/ipsec.d/cacerts/*
+venus::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2
+alice::ipsec up nat-t
+venus::sleep 2
+venus::ipsec up nat-t
+venus::sleep 2
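Review bot: `rm /etc/ipsec.d/cacerts/*` on alice, venus and sun has no counterpart in this test's posttest.dat, so unless the harness restores the directory (not visible in this diff), later certificate-based tests on these hosts would start without their CA certificates. The same applies to `moon::rm /etc/ipsec.d/cacerts/*` and `sun::rm /etc/ipsec.d/cacerts/*` in net2net-psk/pretest.dat. The command also reports an error when the directory is already empty, which `rm -f /etc/ipsec.d/cacerts/*` avoids. A sentence in the test description saying why the CA certificates are removed for the PSK tests would help the next reader.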
diff --git a/testing/tests/ikev2/nat-two-rw-psk/test.conf b/testing/tests/ikev2/nat-two-rw-psk/test.conf
new file mode 100644
index 000000000..84317fd70
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-psk/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-two-rw/description.txt b/testing/tests/ikev2/nat-two-rw/description.txt
new file mode 100644
index 000000000..dcf4b94bd
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw/description.txt
@@ -0,0 +1,5 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-two-rw/evaltest.dat b/testing/tests/ikev2/nat-two-rw/evaltest.dat
new file mode 100644
index 000000000..28d5b5289
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw/evaltest.dat
@@ -0,0 +1,9 @@
+alice::ipsec statusall::nat-t.*INSTALLED::YES
+venus::ipsec statusall::nat-t.*INSTALLED::YES
+sun::ipsec statusall::nat-t.*INSTALLED::YES
+sun::ipsec status::alice@strongswan.org::YES
+sun::ipsec status::@venus.strongswan.org::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..3da2fcf86
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%defaultroute
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..d8b426318
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,35 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+
+conn net-net
+ leftsubnet=10.2.0.0/16
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
+
+conn host-host
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ auto=add
+
+conn nat-t
+ leftsubnet=10.2.0.0/16
+ right=%any
+ rightsubnet=10.1.0.0/16
+ auto=add
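Review bot: `conn net-net` and `conn host-host` are loaded with `auto=add` on sun, but this test's evaltest.dat only checks `nat-t`, so both sections look like a carry-over from another scenario. They leave the gateway willing to accept connections from moon that the test does not intend to cover. I would drop them, or mark them with `# not used by this test`. `conn nat-t` also has `right=%any` without a `rightid`, so any peer holding a certificate from a trusted CA is accepted for `rightsubnet=10.1.0.0/16`; that suits the lab, but a comment saying so would stop the file being read as a general template.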
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..3a70b3434
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%defaultroute
+ leftcert=venusCert.pem
+ leftid=@venus.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/nat-two-rw/posttest.dat b/testing/tests/ikev2/nat-two-rw/posttest.dat
new file mode 100644
index 000000000..52572ece8
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-two-rw/pretest.dat b/testing/tests/ikev2/nat-two-rw/pretest.dat
new file mode 100644
index 000000000..e365ff5c5
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw/pretest.dat
@@ -0,0 +1,14 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2
+alice::ipsec up nat-t
+venus::sleep 2
+venus::ipsec up nat-t
+venus::sleep 2
diff --git a/testing/tests/ikev2/nat-two-rw/test.conf b/testing/tests/ikev2/nat-two-rw/test.conf
new file mode 100644
index 000000000..84317fd70
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/net2net-cert/description.txt b/testing/tests/ikev2/net2net-cert/description.txt
new file mode 100644
index 000000000..7eea9192f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-cert/evaltest.dat b/testing/tests/ikev2/net2net-cert/evaltest.dat
new file mode 100644
index 000000000..e67c39a08
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e86ed4f72
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..ea55d2edb
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/net2net-cert/posttest.dat b/testing/tests/ikev2/net2net-cert/posttest.dat
new file mode 100644
index 000000000..a4c96e10f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+
diff --git a/testing/tests/ikev2/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-cert/pretest.dat
new file mode 100644
index 000000000..2d7a78acb
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-cert/test.conf b/testing/tests/ikev2/net2net-cert/test.conf
new file mode 100644
index 000000000..d9a61590f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-psk/description.txt b/testing/tests/ikev2/net2net-psk/description.txt
new file mode 100644
index 000000000..02cddbb83
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>Preshared Keys</b> (PSK). Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-psk/evaltest.dat b/testing/tests/ikev2/net2net-psk/evaltest.dat
new file mode 100644
index 000000000..e67c39a08
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..da51fa46a
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=secret
+ keyexchange=ikev2
+
+conn net-net
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftid=@moon.strongswan.org
+ leftnexthop=%direct
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightsubnet=10.2.0.0/16
+ rightid=@sun.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..cbdddfb18
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,12 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+@moon.strongswan.org %any : PSK 0x45a30759df97dc26a15b88ff
+
+@sun.strongswan.org : PSK "This is a strong password"
+
+: PSK 'My "home" is my "castle"!'
+
+192.168.0.1 : PSK "Andi's home"
+
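Review bot: Only the first entry has a counterpart in sun's ipsec.secrets; the other four (the `%any` entry with a hex key, the `@sun.strongswan.org` entry, the entry with no selector at all, and `192.168.0.1`) are not needed for the net-net tunnel and appear to be there to exercise the secrets parser. The selector-less `: PSK 'My "home" is my "castle"!'` line acts as a catch-all secret, which is surprising in a file a reader may take as a model. I would add a comment before these entries, for example `# the following entries only exercise the parser and are not used by conn net-net`, after confirming that this is their purpose.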
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..bea0eeb08
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=secret
+ keyexchange=ikev2
+
+conn net-net
+ left=PH_IP_SUN
+ leftsubnet=10.2.0.0/16
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ leftnexthop=%direct
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..be95c4d99
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/ikev2/net2net-psk/posttest.dat b/testing/tests/ikev2/net2net-psk/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-psk/pretest.dat b/testing/tests/ikev2/net2net-psk/pretest.dat
new file mode 100644
index 000000000..976a196db
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-psk/test.conf b/testing/tests/ikev2/net2net-psk/test.conf
new file mode 100644
index 000000000..f74d0f7d6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-route/description.txt b/testing/tests/ikev2/net2net-route/description.txt
new file mode 100644
index 000000000..323f09555
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route/description.txt
@@ -0,0 +1,9 @@
+A tunnel that will connect the subnets behind the gateways <b>moon</b>
+and <b>sun</b>, respectively, is preconfigured by installing a %trap eroute
+on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf.
+A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
+<b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
+leads to the automatic establishment of the subnet-to-subnet tunnel.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2/net2net-route/evaltest.dat b/testing/tests/ikev2/net2net-route/evaltest.dat
new file mode 100644
index 000000000..d5350467e
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/daemon.log::creating acquire job for CHILD_SA::YES
+moon::ipsec statusall::net-net.*INSTALLED::YES
+sun::ipsec statusall::net-net.*INSTALLED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..8b8548815
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ leftnexthop=%direct
+ keyexchange=ikev2
+
+conn net-net
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightsubnet=10.2.0.0/16
+ rightid=@sun.strongswan.org
+ auto=route
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..ea55d2edb
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/net2net-route/posttest.dat b/testing/tests/ikev2/net2net-route/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-route/pretest.dat b/testing/tests/ikev2/net2net-route/pretest.dat
new file mode 100644
index 000000000..2eef7de19
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+alice::ping -c 10 PH_IP_BOB
diff --git a/testing/tests/ikev2/net2net-route/test.conf b/testing/tests/ikev2/net2net-route/test.conf
new file mode 100644
index 000000000..d9a61590f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-route/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-start/description.txt b/testing/tests/ikev2/net2net-start/description.txt
new file mode 100644
index 000000000..f5320685e
--- /dev/null
+++ b/testing/tests/ikev2/net2net-start/description.txt
@@ -0,0 +1,8 @@
+A tunnel connecting the subnets behind the gateways <b>moon</b> and <b>sun</b>,
+respectively, is automatically established by means of the setting
+<b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
+behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
+gateway <b>sun</b>.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
+that let pass the tunneled traffic.
diff --git a/testing/tests/ikev2/net2net-start/evaltest.dat b/testing/tests/ikev2/net2net-start/evaltest.dat
new file mode 100644
index 000000000..244dec5bf
--- /dev/null
+++ b/testing/tests/ikev2/net2net-start/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec statusall::net-net.*INSTALLED::YES
+sun::ipsec statusall::net-net.*INSTALLED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..091871e49
--- /dev/null
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn net-net
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightsubnet=10.2.0.0/16
+ rightid=@sun.strongswan.org
+ auto=start
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..b2e41894c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftnexthop=%direct
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/net2net-start/posttest.dat b/testing/tests/ikev2/net2net-start/posttest.dat
new file mode 100644
index 000000000..5a9150bc8
--- /dev/null
+++ b/testing/tests/ikev2/net2net-start/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/net2net-start/pretest.dat b/testing/tests/ikev2/net2net-start/pretest.dat
new file mode 100644
index 000000000..6e41d5245
--- /dev/null
+++ b/testing/tests/ikev2/net2net-start/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+sun::ipsec start
+sun::sleep 2
+moon::ipsec start
+alice::sleep 3
diff --git a/testing/tests/ikev2/net2net-start/test.conf b/testing/tests/ikev2/net2net-start/test.conf
new file mode 100644
index 000000000..d9a61590f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-start/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/ocsp-local-cert/description.txt b/testing/tests/ikev2/ocsp-local-cert/description.txt
new file mode 100644
index 000000000..61f7d9957
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/description.txt
@@ -0,0 +1,9 @@
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
+is checked via the OCSP server <b>winnetou</b> which possesses a <b>self-signed</b>
+OCSP signer certificate that must be imported locally by the peers into
+<b>/etc/ipsec.d/ocspcerts/</b>. A strongswan <b>ca</b> section in ipsec.conf
+defines an <b>OCSP URI</b> pointing to <b>winnetou</b>.
+<p>
+<b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
+the status of both certificates is <b>good</b>.
diff --git a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
new file mode 100644
index 000000000..6b849b811
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
@@ -0,0 +1,8 @@
+moon::cat /var/log/daemon.log::received valid http response::YES
+carol::cat /var/log/daemon.log::received valid http response::YES
+moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+moon::cat /var/log/daemon.log::certificate is good::YES
+carol::cat /var/log/daemon.log::certificate is good::YES
+moon::ipsec status::rw.*ESTABLISHED::YES
+carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..0209111ba
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem
new file mode 100644
index 000000000..77f5bde52
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.d/ocspcerts/ocspCert-self.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..21b48ef0c
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan-ca
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem
new file mode 100644
index 000000000..77f5bde52
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.d/ocspcerts/ocspCert-self.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
new file mode 100755
index 000000000..dda793f44
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/openssl
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
+ -resp_no_certs -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout
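Review bot: The result of `cd /etc/openssl` is not checked, and the `Content-type: application/ocsp-response` header is written before `openssl ocsp` runs, so a failed `cd` or a failing responder still produces a reply with the OCSP content type and an empty or partial body. With `strictcrlpolicy=yes` on carol and moon, the tunnel would then presumably fail for a reason that is hard to trace from the peers' logs. I would change the line to `cd /etc/openssl || exit 1`. A short header comment explaining the options would also help: `-resp_no_certs` because the peers import the signer certificate locally, `-nmin 5` for the response validity period.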
diff --git a/testing/tests/ikev2/ocsp-local-cert/posttest.dat b/testing/tests/ikev2/ocsp-local-cert/posttest.dat
new file mode 100644
index 000000000..0c05c16a1
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/ocspcerts/*
+carol::rm /etc/ipsec.d/ocspcerts/*
diff --git a/testing/tests/ikev2/ocsp-local-cert/pretest.dat b/testing/tests/ikev2/ocsp-local-cert/pretest.dat
new file mode 100644
index 000000000..d92333d86
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-local-cert/test.conf b/testing/tests/ikev2/ocsp-local-cert/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-local-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-multi-level/description.txt b/testing/tests/ikev2/ocsp-multi-level/description.txt
new file mode 100644
index 000000000..cd0ecf162
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/description.txt
@@ -0,0 +1,10 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of two different Intermediate CAs. Access to
+<b>alice</b> is granted to users presenting a certificate issued by the Research CA
+whereas <b>venus</b> can only be reached with a certificate issued by the
+Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
+the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
+<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
+<p>
+By setting <b>strictcrlpolicy=yes</b>, the certificate status from the strongSwan, Research and
+Sales OCSP servers must be fetched first, before the connection setups can be successfully completed.
diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
new file mode 100644
index 000000000..911c209a5
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec listocspcerts::altNames.*ocsp.*strongswan.org::YES
+carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+dave::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+moon::cat /var/log/daemon.log::certificate is good::YES
+carol::cat /var/log/daemon.log::certificate is good::YES
+dave::cat /var/log/daemon.log::certificate is good::YES
+moon::ipsec status::ESTABLISHED.*carol::YES
+moon::ipsec status::ESTABLISHED.*dave::YES
+carol::ipsec status::alice.*ESTABLISHED::YES
+dave::ipsec status::venus.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..89a4f2ce9
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
+
+conn venus
+ rightsubnet=PH_IP_VENUS/32
+ auto=add
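Review bot: `strictcrlpolicy=no` in `config setup` presumably leaves carol willing to accept moon's certificate when no OCSP status can be obtained, while description.txt introduces the scenario with `strictcrlpolicy=yes`; only moon's ipsec.conf sets that. If the relaxed client setting is intended, a comment such as `# strict policy is enforced on the gateway only` would say so, and description.txt could name moon. dave's ipsec.conf carries the same setting.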
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..2990d6a12
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy
+M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR
+dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO
+dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u
+57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw
+5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI
+hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC
+AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL
+qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj
+YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
+LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA
+FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N
+Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp
+7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G
++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm
+wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/
+MWjwPJs52qVJ3Ph++EF6bw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b91f9bf81
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..fac55d63b
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..45b6efcc8
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,31 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftcert=daveCert.pem
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
+
+conn venus
+ rightsubnet=PH_IP_VENUS/32
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..b76032480
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..022436de4
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..98a0e9b81
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,44 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+ca research
+ cacert=researchCert.pem
+ ocspuri=http://ocsp.strongswan.org:8881
+ auto=add
+
+ca sales
+ cacert=salesCert.pem
+ ocspuri=http://ocsp.strongswan.org:8882
+ auto=add
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+
+conn alice
+ leftsubnet=PH_IP_ALICE/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ auto=add
+
+conn venus
+ leftsubnet=PH_IP_VENUS/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
new file mode 100644
index 000000000..e50477872
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-multi-level/posttest.dat b/testing/tests/ikev2/ocsp-multi-level/posttest.dat
new file mode 100644
index 000000000..1646d5ed2
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
+
diff --git a/testing/tests/ikev2/ocsp-multi-level/pretest.dat b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
new file mode 100644
index 000000000..f15265e32
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
@@ -0,0 +1,7 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+dave::ipsec up venus
diff --git a/testing/tests/ikev2/ocsp-multi-level/test.conf b/testing/tests/ikev2/ocsp-multi-level/test.conf
new file mode 100644
index 000000000..08e5cc145
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-multi-level/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ocsp-revoked/description.txt b/testing/tests/ikev2/ocsp-revoked/description.txt
new file mode 100644
index 000000000..73d072549
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/description.txt
@@ -0,0 +1,9 @@
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
+is checked via the OCSP server <b>winnetou</b> which possesses an OCSP signer certificate
+issued by the strongSwan CA. This certificate contains an <b>OCSPSigning</b>
+extended key usage flag. A strongswan <b>ca</b> section in ipsec.conf defines an
+<b>OCSP URI</b> pointing to <b>winnetou</b>.
+<p>
+<b>carol</b> tries to initiate an IPsec connection to <b>moon</b> but fails
+because <b>carol</b>'s certificate has been <b>revoked</b>.
diff --git a/testing/tests/ikev2/ocsp-revoked/evaltest.dat b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
new file mode 100644
index 000000000..eacb70c40
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
@@ -0,0 +1,7 @@
+moon::cat /var/log/daemon.log::received valid http response::YES
+moon::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES
+moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+moon::ipsec status::rw.*ESTABLISHED::NO
+carol::ipsec status::home.*ESTABLISHED::NO
+
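Review bot: Nothing in these checks ties the failure to revocation: `AUTHENTICATION_FAILED` on carol and the two `ESTABLISHED ... NO` lines would also pass if moon rejected carol for another reason, for example a status other than good under `strictcrlpolicy=yes`. The two moon log checks show that a response arrived and that its signer was trusted, not which status it carried. A line of the form `moon::cat /var/log/daemon.log::<revocation log message>::YES`, with the placeholder replaced by the text charon logs for a revoked certificate, would pin the cause.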
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..be15f6ec5
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert-revoked.pem
+ leftid=carol@strongswan.org
+
+conn home
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert-revoked.pem b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert-revoked.pem
new file mode 100644
index 000000000..5b742fc9e
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolCert-revoked.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey-revoked.pem b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey-revoked.pem
new file mode 100644
index 000000000..8aefcc5a6
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolKey-revoked.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..22f06e662
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey-revoked.pem
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..21b48ef0c
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan-ca
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-revoked/posttest.dat b/testing/tests/ikev2/ocsp-revoked/posttest.dat
new file mode 100644
index 000000000..d742e8410
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+carol::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/ocsp-revoked/pretest.dat b/testing/tests/ikev2/ocsp-revoked/pretest.dat
new file mode 100644
index 000000000..d92333d86
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-revoked/test.conf b/testing/tests/ikev2/ocsp-revoked/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-revoked/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-root-cert/description.txt b/testing/tests/ikev2/ocsp-root-cert/description.txt
new file mode 100644
index 000000000..9574aa5b1
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/description.txt
@@ -0,0 +1,8 @@
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
+is checked via the OCSP server <b>winnetou</b> which uses the <b>strongSwan CA</b>'s
+private key to sign OCSP responses. A <b>strongswan ca</b> section in ipsec.conf
+defines an <b>OCSP URI</b> pointing to <b>winnetou</b>.
+<p>
+<b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
+the status of both certificates is <b>good</b>.
diff --git a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
new file mode 100644
index 000000000..a3a1df194
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/daemon.log::received valid http response::YES
+carol::cat /var/log/daemon.log::received valid http response::YES
+moon::cat /var/log/daemon.log::certificate is good::YES
+carol::cat /var/log/daemon.log::certificate is good::YES
+moon::ipsec status::rw.*ESTABLISHED::YES
+carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..0209111ba
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..21b48ef0c
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan-ca
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
new file mode 100755
index 000000000..e998b6ad0
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/openssl
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey strongswanKey.pem -rsigner strongswanCert.pem \
+ -resp_no_certs -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout
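Review bot: The script has no comment saying that signing with `strongswanKey.pem` is the point of the scenario, so `-rkey strongswanKey.pem -rsigner strongswanCert.pem` reads like a shortcut rather than the case under test. It puts the CA private key on the HTTP-facing responder host, which the delegated signer used in ocsp-signer-cert avoids. A comment above the openssl call such as `# test only: responses are signed directly with the CA key (no delegated OCSP signer)` would record that.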
diff --git a/testing/tests/ikev2/ocsp-root-cert/posttest.dat b/testing/tests/ikev2/ocsp-root-cert/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev2/ocsp-root-cert/pretest.dat b/testing/tests/ikev2/ocsp-root-cert/pretest.dat
new file mode 100644
index 000000000..d92333d86
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-root-cert/test.conf b/testing/tests/ikev2/ocsp-root-cert/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-root-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-signer-cert/description.txt b/testing/tests/ikev2/ocsp-signer-cert/description.txt
new file mode 100644
index 000000000..492a9882b
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-signer-cert/description.txt
@@ -0,0 +1,10 @@
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
+is checked via the OCSP server <b>winnetou</b> which possesses an OCSP signer certificate
+issued by the strongSwan CA. This certificate contains an <b>OCSPSigning</b>
+extended key usage flag. <b>carol</b>'s certificate includes an <b>OCSP URI</b>
+in an authority information access extension pointing to <b>winnetou</b>.
+Therefore no special ca section information is needed in ipsec.conf.
+<p>
+<b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
+the status of both certificates is <b>good</b>.
diff --git a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
new file mode 100644
index 000000000..4a8ffd412
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
@@ -0,0 +1,13 @@
+moon::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES
+carol::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES
+moon::cat /var/log/daemon.log::received valid http response::YES
+carol::cat /var/log/daemon.log::received valid http response::YES
+moon::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES
+carol::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES
+moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+moon::cat /var/log/daemon.log::certificate is good::YES
+carol::cat /var/log/daemon.log::certificate is good::YES
+moon::ipsec status::rw.*ESTABLISHED::YES
+carol::ipsec status::home.*ESTABLISHED::YES
+
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..f49fa9204
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert-ocsp.pem
+ leftid=carol@strongswan.org
+
+conn home
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
new file mode 100644
index 000000000..aeca7e1db
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
new file mode 100644
index 000000000..603f071d0
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..a89065443
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey-ocsp.pem
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a8a9f1e30
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-signer-cert/posttest.dat b/testing/tests/ikev2/ocsp-signer-cert/posttest.dat
new file mode 100644
index 000000000..220bc2c1d
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-signer-cert/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+carol::rm /etc/ipsec.d/certs/*
+carol::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/ocsp-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-signer-cert/pretest.dat
new file mode 100644
index 000000000..d92333d86
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-signer-cert/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-signer-cert/test.conf b/testing/tests/ikev2/ocsp-signer-cert/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-signer-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/description.txt b/testing/tests/ikev2/ocsp-timeouts-good/description.txt
new file mode 100644
index 000000000..9ee5db95b
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/description.txt
@@ -0,0 +1,10 @@
+This scenario is based on <a href="../ocsp-signer-cert">ikev2/ocsp-signer-cert</a>
+and tests the timeouts of the <b>libcurl</b> library used for http-based OCSP fetching
+by adding an ocspuri2 in <b>moon</b>'s strongswan ca section that cannot be resolved by
+<b>DNS</b> and an ocspuri2 in <b>carol</b>'s strongswan ca section on which no
+OCSP server is listening. Thanks to timeouts the connection can nevertheless
+be established successfully by contacting a valid OCSP URI contained in
+<b>carol</b>'s certificate.
+<p>
+As an additional test the OCSP response is delayed by 5 seconds in order to check
+the correct handling of retransmitted IKE_AUTH messages.
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
new file mode 100644
index 000000000..4c4059810
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
@@ -0,0 +1,9 @@
+moon::cat /var/log/daemon.log::http post request using libcurl failed::YES
+carol::cat /var/log/daemon.log::http post request using libcurl failed::YES
+moon::cat /var/log/daemon.log::received valid http response::YES
+carol::cat /var/log/daemon.log::received valid http response::YES
+moon::cat /var/log/daemon.log::certificate is good::YES
+carol::cat /var/log/daemon.log::certificate is good::YES
+moon::ipsec status::rw.*ESTABLISHED::YES
+carol::ipsec status::home.*ESTABLISHED::YES
+
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..b53de16e4
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan-ca
+ cacert=strongswanCert.pem
+ ocspuri2=http://bob.strongswan.org:8800
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert-ocsp.pem
+ leftid=carol@strongswan.org
+
+conn home
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
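Review bot: `ocspuri2=http://bob.strongswan.org:8800` is a deliberately dead endpoint according to description.txt, but nothing in the file says so. The section also defines an `ocspuri2` without any `ocspuri`, which looks like a typo to a reader who has not seen the description. A comment such as `# intentionally unreachable: no OCSP server listens here (libcurl timeout test)` above the line would make that clear. moon's ipsec.conf in this test needs the equivalent comment for `ocspuri2=http://ocsp2.strongswan.org:8880`, which is meant not to resolve.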
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
new file mode 100644
index 000000000..aeca7e1db
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
new file mode 100644
index 000000000..603f071d0
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..a89065443
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey-ocsp.pem
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..f3b19d292
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan-ca
+ cacert=strongswanCert.pem
+ ocspuri2=http://ocsp2.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
new file mode 100755
index 000000000..92aa920aa
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+cd /etc/openssl
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+# simulate a delayed response
+sleep 5
+
+/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey ocspKey.pem -rsigner ocspCert.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout
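Review bot: `cd /etc/openssl` at the top of the script is unchecked, so if that directory is missing the `openssl ocsp` call still runs and resolves `index.txt`, `strongswanCert.pem`, `ocspKey.pem` and `ocspCert.pem` against whatever working directory the CGI was started in. I would write it as `cd /etc/openssl || exit 1`. The Content-type header is echoed before openssl runs, so a failure reaches the client as an OCSP-typed response with an empty body; that may be acceptable for a test responder but deserves a one-line comment. The ocsp.cgi added under ocsp-untrusted-cert has the same unchecked `cd`.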
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat b/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat
new file mode 100644
index 000000000..220bc2c1d
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+carol::rm /etc/ipsec.d/certs/*
+carol::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat b/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat
new file mode 100644
index 000000000..d92333d86
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/test.conf b/testing/tests/ikev2/ocsp-timeouts-good/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-good/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/description.txt b/testing/tests/ikev2/ocsp-timeouts-unknown/description.txt
new file mode 100644
index 000000000..d17534b1b
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/description.txt
@@ -0,0 +1,7 @@
+This scenario is based on <a href="../ocsp-signer-cert">ikev2/ocsp-signer-cert</a>
+and tests the timeouts of the <b>libcurl</b> library used for http-based OCSP fetching
+by adding an ocspuri1 in <b>moon</b>'s strongswan ca section on which no OCSP
+server is listening and an ocspuri2 that cannot be resolved by <b>DNS</b>.
+Since the certificate status is <b>unknown</b> the connection setup is aborted by
+<b>moon</b> with an <b>AUTHORIZATION_FAILED</b> notification sent to <b>carol</b>.
+
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
new file mode 100644
index 000000000..c9c09a72f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/daemon.log::http post request using libcurl failed::YES
+moon::cat /var/log/daemon.log::certificate status unknown::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES
+moon::ipsec status::rw.*ESTABLISHED::NO
+carol::ipsec status::home.*ESTABLISHED::NO
+
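Review bot: The third check greps carol's log for `received AUTHENTICATION_FAILED`, while description.txt of this same test says moon sends an `AUTHORIZATION_FAILED` notification. The two files should name the same notify. The evaltest string is presumably what the daemon actually logs, so the description wording is the one I would change to `AUTHENTICATION_FAILED`.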
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..cdc1560ae
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan-ca
+ cacert=strongswanCert.pem
+ ocspuri1=http://bob.strongswan.org:8800
+ ocspuri2=http://ocsp2.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+
+conn home
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e759d1d79
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan-ca
+ cacert=strongswanCert.pem
+ ocspuri1=http://bob.strongswan.org:8800
+ ocspuri2=http://ocsp2.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/posttest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/posttest.dat
new file mode 100644
index 000000000..cf72480d4
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables -F OUTPUT
+carol::iptables -F OUTPUT
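Review bot: `iptables -F OUTPUT` on moon and carol flushes every rule in the OUTPUT chain, not only the DROP rule that pretest.dat inserts. Deleting exactly what was inserted keeps setup and cleanup symmetric and cannot remove a rule another part of the harness placed there: `moon::iptables -D OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP`, and the same line for carol.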
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat
new file mode 100644
index 000000000..7d9d600ff
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
+carol::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
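Review bot: The two DROP rules block TCP port 80 towards winnetou, but the OCSP URIs configured for this test use ports 8800 and 8880, and description.txt does not mention the block. Presumably it stops a fallback status fetch over plain HTTP from winnetou, so that the result really stays "unknown"; if that is the intent, the description should say so. Without that sentence a later maintainer could drop the rules as unrelated and leave the test passing or failing for the wrong reason.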
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/description.txt b/testing/tests/ikev2/ocsp-untrusted-cert/description.txt
new file mode 100644
index 000000000..f581dd319
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/description.txt
@@ -0,0 +1,9 @@
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
+is checked via the OCSP server <b>winnetou</b> which is sending its <b>self-signed</b>
+OCSP signer certificate. A strongswan <b>ca</b> section in ipsec.conf
+defines an <b>OCSP URI</b> pointing to <b>winnetou</b>.
+<p>
+<b>carol</b> cannot successfully initiate an IPsec connection to <b>moon</b> since
+the self-signed certificate contained in the OCSP response will not be
+accepted by <b>moon</b>.
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
new file mode 100644
index 000000000..a0b6d681f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -0,0 +1,5 @@
+moon::cat /var/log/daemon.log::received valid http response::YES
+moon::cat /var/log/daemon.log::received ocsp signer certificate is not trusted - rejected::YES
+moon::cat /var/log/daemon.log::certificate status unknown::YES
+moon::ipsec status::rw.*ESTABLISHED::NO
+carol::ipsec status::home.*ESTABLISHED::NO
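Review bot: This evaltest asserts the rejection only on moon's side and through the two status checks; nothing checks what carol is told. The sibling ocsp-timeouts-unknown test in this commit also asserts the peer's view with `carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES`. If moon answers the same way here, which looks likely since both tests end in "certificate status unknown", adding that line would confirm the failure is signalled to the initiator rather than only that no SA came up.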
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3c685a839
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e2fabe0f5
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=yes
+ plutostart=no
+
+ca strongswan-ca
+ cacert=strongswanCert.pem
+ ocspuri=http://ocsp.strongswan.org:8880
+ auto=add
+
+conn %default
+ keyexchange=ikev2
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
new file mode 100755
index 000000000..20c4b2a22
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+cd /etc/openssl
+
+echo "Content-type: application/ocsp-response"
+echo ""
+
+/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+ -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
+ -nmin 5 \
+ -reqin /dev/stdin -respout /dev/stdout
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
new file mode 100644
index 000000000..c6d6235f9
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+carol::ipsec stop
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
new file mode 100644
index 000000000..d92333d86
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
new file mode 100644
index 000000000..2b240d895
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/protoport-dual/description.txt b/testing/tests/ikev2/protoport-dual/description.txt
new file mode 100644
index 000000000..7bed8b959
--- /dev/null
+++ b/testing/tests/ikev2/protoport-dual/description.txt
@@ -0,0 +1,6 @@
+Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels
+between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
+defined. The first IPsec SA is restricted to ICMP packets and the second
+covers TCP-based SSH connections. The established tunnels are tested
+by <b>carol</b> by first pinging <b>alice</b> behind <b>moon</b> and
+then setting up an SSH session to the same client.
diff --git a/testing/tests/ikev2/protoport-dual/evaltest.dat b/testing/tests/ikev2/protoport-dual/evaltest.dat
new file mode 100644
index 000000000..bd24b911c
--- /dev/null
+++ b/testing/tests/ikev2/protoport-dual/evaltest.dat
@@ -0,0 +1,9 @@
+carol::ipsec statusall::home-icmp.*INSTALLED::YES
+carol::ipsec statusall::home-ssh.*INSTALLED::YES
+moon::ipsec statusall::rw-icmp.*INSTALLED::YES
+moon::ipsec statusall::rw-ssh.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
index 598997b45..eda0ddf38 100755
--- a/testing/tests/mode-config/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -1,21 +1,17 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
- plutodebug=control
- crlcheckinterval=180
+ crlcheckinterval=180
strictcrlpolicy=no
+ plutostart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
-
-conn home
+ keyexchange=ikev2
left=PH_IP_CAROL
- leftsourceip=%modeconfig
leftnexthop=%direct
leftcert=carolCert.pem
leftid=carol@strongswan.org
@@ -24,7 +20,11 @@ conn home
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
auto=add
-
-
-
-
+
+conn home-icmp
+ leftprotoport=icmp
+ rightprotoport=icmp
+
+conn home-ssh
+ leftprotoport=tcp
+ rightprotoport=tcp/ssh
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..0bc03380b
--- /dev/null
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
+
+conn rw-icmp
+ lefthostaccess=yes
+ leftprotoport=icmp
+ rightprotoport=icmp
+
+conn rw-ssh
+ leftprotoport=tcp/ssh
+ rightprotoport=tcp
diff --git a/testing/tests/ikev2/protoport-dual/posttest.dat b/testing/tests/ikev2/protoport-dual/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/protoport-dual/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/protoport-dual/pretest.dat b/testing/tests/ikev2/protoport-dual/pretest.dat
new file mode 100644
index 000000000..d3d0061c3
--- /dev/null
+++ b/testing/tests/ikev2/protoport-dual/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home-icmp
+carol::ipsec up home-ssh
diff --git a/testing/tests/ikev2/protoport-dual/test.conf b/testing/tests/ikev2/protoport-dual/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/ikev2/protoport-dual/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/protoport-route/description.txt b/testing/tests/ikev2/protoport-route/description.txt
new file mode 100644
index 000000000..ec7ec69b0
--- /dev/null
+++ b/testing/tests/ikev2/protoport-route/description.txt
@@ -0,0 +1,8 @@
+Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels
+between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
+defined. The first IPsec SA is restricted to ICMP packets and the second
+covers TCP-based SSH connections. Using <b>add=route</b> %trap
+eroutes for these IPsec SAs are prepared on <b>carol</b>. By sending
+a ping to the client <b>alice</b> behind <b>moon</b>, the ICMP eroute
+is triggered and the corresponding IPsec tunnel is set up. In the same
+way an ssh session to <b>alice</b> over the second IPsec SA is established.
diff --git a/testing/tests/ikev2/protoport-route/evaltest.dat b/testing/tests/ikev2/protoport-route/evaltest.dat
new file mode 100644
index 000000000..d6ce409f5
--- /dev/null
+++ b/testing/tests/ikev2/protoport-route/evaltest.dat
@@ -0,0 +1,10 @@
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
+carol::ssh PH_IP_ALICE hostname::alice::YES
+carol::cat /var/log/daemon.log::creating acquire job for CHILD_SA::YES
+carol::ipsec statusall::home-icmp.*INSTALLED::YES
+carol::ipsec statusall::home-ssh.*INSTALLED::YES
+moon::ipsec statusall::rw-icmp.*INSTALLED::YES
+moon::ipsec statusall::rw-ssh.*INSTALLED::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
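Review bot: `carol::ssh PH_IP_ALICE hostname` has no connect timeout, so if the trap policy does not fire or the CHILD_SA negotiation fails, the step blocks for the full TCP connect timeout instead of failing promptly. The protoport-dual test in this commit already uses `carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES`. I would use the same option here and on the ssh line in this test's pretest.dat.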
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..7f4e37bc2
--- /dev/null
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=route
+
+conn home-icmp
+ leftprotoport=icmp
+ rightprotoport=icmp
+
+conn home-ssh
+ leftprotoport=tcp
+ rightprotoport=tcp/ssh
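Review bot: The setting that installs the trap policies here is `auto=route` in `conn %default`, but description.txt for this test calls it `add=route`. No `add` keyword appears in any of the configs in this commit, so the description should read `auto=route`. Since both `home-icmp` and `home-ssh` inherit it from `%default`, a short comment next to `auto=route` saying it applies to both connections would also help.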
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..0bc03380b
--- /dev/null
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
+
+conn rw-icmp
+ lefthostaccess=yes
+ leftprotoport=icmp
+ rightprotoport=icmp
+
+conn rw-ssh
+ leftprotoport=tcp/ssh
+ rightprotoport=tcp
diff --git a/testing/tests/ikev2/protoport-route/posttest.dat b/testing/tests/ikev2/protoport-route/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/protoport-route/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/protoport-route/pretest.dat b/testing/tests/ikev2/protoport-route/pretest.dat
new file mode 100644
index 000000000..0aded0f4d
--- /dev/null
+++ b/testing/tests/ikev2/protoport-route/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ssh PH_IP_ALICE hostname
+carol::ping -c 1 PH_IP_ALICE > /dev/null
+carol::sleep 2
diff --git a/testing/tests/ikev2/protoport-route/test.conf b/testing/tests/ikev2/protoport-route/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/ikev2/protoport-route/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-cert/description.txt b/testing/tests/ikev2/rw-cert/description.txt
new file mode 100644
index 000000000..15b3822b5
--- /dev/null
+++ b/testing/tests/ikev2/rw-cert/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-cert/evaltest.dat b/testing/tests/ikev2/rw-cert/evaltest.dat
new file mode 100644
index 000000000..06a0f8cda
--- /dev/null
+++ b/testing/tests/ikev2/rw-cert/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..e5d9ad476
--- /dev/null
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3c0014965
--- /dev/null
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..b8bc990cd
--- /dev/null
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/rw-cert/posttest.dat b/testing/tests/ikev2/rw-cert/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-cert/pretest.dat b/testing/tests/ikev2/rw-cert/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/ikev2/rw-cert/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-cert/test.conf b/testing/tests/ikev2/rw-cert/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-fqdn/description.txt b/testing/tests/ikev2/rw-psk-fqdn/description.txt
new file mode 100644
index 000000000..d4a7c3878
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and fully qualified domain names. Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
new file mode 100644
index 000000000..06a0f8cda
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9a5087fff
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..47e31ca21
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
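Review bot: The header comment is the same one a production `/etc/ipsec.secrets` carries, and nothing in the file marks the pre-shared key as a published test fixture. I would add a line such as `# test fixture only - this PSK is public, never use it outside the test network` under the header. The same applies to the ipsec.secrets files added for dave and moon in this test, and to `: RSA carolKey-ocsp.pem` in ocsp-timeouts-good, where the referenced private key is loaded without a passphrase.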
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7b6e448b3
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn home
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..f6c1a22ef
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a6270a67e
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e6c7420c9
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
new file mode 100644
index 000000000..282b2aec0
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-fqdn/test.conf b/testing/tests/ikev2/rw-psk-fqdn/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-fqdn/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-ipv4/description.txt b/testing/tests/ikev2/rw-psk-ipv4/description.txt
new file mode 100644
index 000000000..4eb66c540
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and IPv4 addresses. Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
new file mode 100644
index 000000000..06a0f8cda
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..0e3fe6962
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..18a074472
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
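Review bot: The secret selector is the literal address `192.168.0.100`, while the matching ipsec.conf in this scenario uses the placeholder `left=PH_IP_CAROL`. If the placeholder is ever mapped to a different address, the PSK lookup would presumably stop matching and the test would fail for a reason unrelated to what it checks. If the framework also substitutes placeholders in ipsec.secrets (not visible here), `PH_IP_CAROL : PSK …` would keep the two files in step. The same applies to `192.168.0.200` in dave's file and to both entries in moon's file for this scenario.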
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..368c3c6fb
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn home
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..e989540e9
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..c38a2a59b
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..ab3fb129b
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
new file mode 100644
index 000000000..282b2aec0
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-ipv4/test.conf b/testing/tests/ikev2/rw-psk-ipv4/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-ipv4/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-no-idr/description.txt b/testing/tests/ikev2/rw-psk-no-idr/description.txt
new file mode 100644
index 000000000..51286f123
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and fully qualified domain names. By setting the wildcard <b>rightid=@*.strongswan.org</b>
+on <b>carol</b> and <b>dave</b>, no <b>IDr</b> payloads are sent by the roadwarriors.
+In order to test the tunnel,
+both <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat b/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
new file mode 100644
index 000000000..06a0f8cda
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
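Review bot: Nothing in this evaltest asserts the property the scenario is named for. The description says the wildcard `rightid=@*.strongswan.org` makes the roadwarriors omit the IDr payload, but the checks are the generic ESTABLISHED/ping/ESP set (the blob id is the same as the rw-psk-ipv4 evaltest). The test would therefore still pass if an IDr payload were sent. A log check on moon in the style used by rw-psk-rsa-mixed would pin the behaviour, e.g. `moon::cat /var/log/daemon.log::<pattern showing the request carried no IDr>::YES`, where the pattern is a placeholder because the exact daemon message is not on this page.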
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..b23046668
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@*.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..47e31ca21
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..66734b543
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn home
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@*.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..f6c1a22ef
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a6270a67e
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e6c7420c9
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-no-idr/posttest.dat b/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
new file mode 100644
index 000000000..282b2aec0
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-no-idr/test.conf b/testing/tests/ikev2/rw-psk-no-idr/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-no-idr/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/description.txt b/testing/tests/ikev2/rw-psk-rsa-mixed/description.txt
new file mode 100644
index 000000000..f190cae4b
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/description.txt
@@ -0,0 +1,6 @@
+The roadwarriors <b>carol</b> and <b>dave</b> each set up a connection to gateway <b>moon</b>.
+<b>carol</b>'s authentication is based on a Pre-Shared Key (<b>PSK</b>) whereas <b>dave</b>'s
+is based on an RSA signature (<b>RSASIG</b>). Gateway <b>moon</b> supports both authentication modes
+and selects the correct roadwarrior connection definition based on the gateway ID
+requested by the roadwarrior.
+
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
new file mode 100644
index 000000000..f7f9dc51d
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
@@ -0,0 +1,15 @@
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
+moon::cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES
+moon::ipsec statusall::rw-psk.*INSTALLED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
+moon::cat /var/log/daemon.log::authentication of '@moon.strongswan.org' (myself) with RSA signature::YES
+moon::ipsec statusall::rw-rsasig.*INSTALLED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..10eeee9c1
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..47e31ca21
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ac99ac66c
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ crlcheckinterval=180
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..7419be98a
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+
+conn rw-rsasig
+ authby=rsasig
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ auto=add
+
+conn rw-psk
+ authby=secret
+ leftid=PH_IP_MOON
+ auto=add
+
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..508d3a941
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
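Review bot: The `dave@strongswan.org : PSK …` entry looks unused in this scenario. The description says dave authenticates with an RSA signature, and this test's dave directory adds only an ipsec.conf with `leftcert=daveCert.pem`. Because `conn rw-psk` on moon is `authby=secret` with `right=%any`, keeping the entry presumably lets moon accept a PSK login under dave's identity too, so the fixture does not show that identity being confined to certificate authentication. Consider dropping the line, or keeping it with a comment such as `# not used in this test: dave authenticates with RSASIG`.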
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
new file mode 100644
index 000000000..e48d11e42
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+carol::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/description.txt b/testing/tests/ikev2/rw-psk-rsa-split/description.txt
new file mode 100644
index 000000000..b601deea8
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+to gateway <b>moon</b>. The roadwarriors' authentication is based on
+<ib>Pre-Shared Keys</b> (PSK) whereas the gateway uses an <b>RSA signature</b>
+(RSASIG) certified by an X.509 certificate.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
new file mode 100644
index 000000000..c0fd8b16b
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
@@ -0,0 +1,12 @@
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
+moon::cat /var/log/daemon.log::authentication of '@moon.strongswan.org' (myself) with RSA signature::YES
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..6a8253dc4
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..47e31ca21
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..3c9e9a009
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ authby=secret
+
+conn home
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..f6c1a22ef
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..b62ab4156
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ rightsendcert=never
+ auto=add
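Review bot: `conn rw` sets no `authby`, so the gateway's RSA-signature authentication described for this scenario depends on the daemon's default rather than on anything stated in the file. The rw-psk-rsa-mixed gateway config spells the method out with `authby=rsasig` in `conn rw-rsasig`, and the roadwarriors here set `authby=secret` explicitly. Adding `authby=rsasig` under `conn rw`, with a comment like `# gateway signs with RSA; roadwarriors authenticate with PSK`, would make the asymmetric setup readable and keep the test stable if the default ever changes.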
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..508d3a941
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat b/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/test.conf b/testing/tests/ikev2/rw-psk-rsa-split/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-psk-rsa-split/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/strong-keys-certs/description.txt b/testing/tests/ikev2/strong-keys-certs/description.txt
new file mode 100644
index 000000000..9d0ca5528
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/description.txt
@@ -0,0 +1,7 @@
+This scenario is derived from <a href="../rw-cert"><b>ikev2/rw-cert</b></a>.
+The gateway <b>moon</b> uses a 2048 bit RSA private key protected by <b>AES-128</b>
+encryption whereas the roadwarriors <b>carol</b> and <b>dave</b> have an
+<b>AES-192</b> and <b>AES-256</b> envelope, respectively.
+The X.509 certificate of the gateway <b>moon</b> uses a <b>SHA-256</b> hash in
+its signature whereas the certificates of the roadwarriors <b>carol</b>
+and <b>dave</b> use <b>SHA-384</b> and <b>SHA-512</b>, respectively.
diff --git a/testing/tests/ikev2/strong-keys-certs/evaltest.dat b/testing/tests/ikev2/strong-keys-certs/evaltest.dat
new file mode 100644
index 000000000..06a0f8cda
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..4ddd99280
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert-sha384.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
new file mode 100644
index 000000000..d4b532323
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem
new file mode 100644
index 000000000..979740525
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-192-CBC,3127472197F76F3E81FF26DCD894FE6F
+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-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..4c9a601ca
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey-aes192.pem "ITP/H4lSHqGpUGmCpgNDklbzTNV+swjA"
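Review bot: The passphrase for `carolKey-aes192.pem` sits in clear text on this line, in a file the diff adds with mode 100644. The scenario exercises the AES-192 envelope, but with this layout the envelope protects the key only from someone who cannot read ipsec.secrets. That is a reasonable trade-off for an unattended test, but it is worth stating so the pattern is not copied as-is. A comment such as `# test fixture: passphrase kept in clear for unattended start; restrict this file to root in any real deployment` would cover it.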
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..2b5407387
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftcert=daveCert-sha512.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
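Review bot: `strictcrlpolicy=no` in `config setup` means a peer certificate is still accepted when no current CRL can be obtained, so this scenario does not exercise revocation. Judging by the file names, it covers the certificate hash and key-encryption variants only. The moon config of the same test sets it as well, on a `conn rw` with `right=%any`. A comment next to the setting would keep the fixture from being copied as a hardened template, e.g. `# revocation is not enforced in this scenario; do not use as a production template`.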
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
new file mode 100644
index 000000000..73088cd1d
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem
new file mode 100644
index 000000000..e2a1ccb26
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,088DA49D259D5876324277FE7C38F22B
+
+fChe2r3NjWQnfK3tFIUHtrnYsU+CzbGKmWE1T8ARaLeVC7XtPN99odBYTBOzJj98
+REHk41NWHlVjcY+2ACedniTsQcvuuN3bMHGvyikQeLmg7tc54pQrc85BHfdGrU49
+5Bzhxn29kqY33Dt2aeAMyP3k/b5HyZlCGuQUJx71uPsaEl1so5QE0aIBLaCutIUz
+zZcAAa6ahFhw2oOcU2kj8ACGzXrJvBhVU97/yZTdfqrTJauoPXL/WQ+ScfMBhQ0x
+vaJbaVy8On1SXTMH2K1ehszjpeFTeRVgndkWuUipwm/xlyzoubs8L4BhJZNzV23r
+04ZGYxwSQ0rZBEt+TqopVpc/iMx/vg33P8PHrI45DeoztvjHpD6Fgj5Yh2kGgU5R
+cKD1ejgX3FMwTSI5xumUi8mQ+N2pUIK9polS146dpQRoM8F9hsXkYoK/l9Em5jJA
+V4vBBbVr6E9G0fVyHboqIzAHgFiC3xnCvVC/Cnyit4zD7D0E86pktR0y4Imtxten
+3WUV4rNAVkLR0D5Hoslk9nsqEaOxDBzUVU/zfG8GXItpWQgug5sb6RjcrK0b4Fit
+iHsEO5qLZ09cM+1hoddgibUQd0G+iZDPfPc++SCdZVjcvdSOOtcUCJwQGjOdGi9U
+I30gjh1Vtql67CnykRmk38duTFFNpL3zLNGfiA+kUeHDr0C4zeD2NsK4v/4nLAO1
+OWSYYFGrhbU5C96q3rgczdh+TurgIhM+ktBUJ/7yYV2eTRlRT35Wk03O7STBLinV
+jaXuDBOKb/NAYgA+xtOeBqd1c4cSdOxJEv80G9hhXxxNgf1W1OHDNY6+qXhnLZJU
+o1kbF6QNI+R+ip8643GwdLEcz5s49V7x53TDcCGnW2TwzVVHvj+63u5RPcfu8b9e
+gz0ey++z6OWvEIt/7NiTzA0dZdmiNLY24uHDHvQ5XmMs4XVM1r5wSFXvs/tDuUpK
+/a9zMbr12RDsObVcXXr07FD5Zyh/y2mBEB7xRFXKk5tt++Hvlzbgqxypgq9t5+m8
+PBddV4GarMuZw8bRjMHJ2CVY1VyRGIx+StsHehVMWdfzZTm/Uizq/yPaxqbQE8wY
+Vcm6wgYRekAga6I9XsHZ0TBfKtfZqXf0kXX0A+ymQYbfyUm2MqWV5avOKtBRIqcW
+B9jCKxah7rjQNlI7vzwZ/whePHU2sL4D23aGGZa373Ql2CmB3AetxYtkRGTSILw9
+aT+ZNgh+BGq6lcdlyks29fFuWRlE+NyJIAwmIVEisZGFijFe5WXBhKWsvEt2JT1v
+3qW9lMimOgpkClroPSdb9gQMt1yXDR6z1ty+B41kgy5qSxUiL8z8EUCWPEBPrz5+
++3KGi1cU5BsfptnkFYCSnVSyRxARh310mruQ2Mb6ipIXX95ejQPSskz5P4u26Olt
+UHyS0lgDc8hZTwJUchE5wqj4bAJs12mKbIbapjYv83OAEW8ybGz8R6QVMp3pAad3
+O2WGef6evGrbGKHI6ACMEHaz8fP8GIMjhbJkPxsXYGRsHbUsqYcSmew3EYW51qSA
+xMhrzZ6e9ow4PYDuNnUc4bFeV0BIVl6kH7KscT1LBtJVJkXDDoddxFiEhcRjOLDr
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..b4b1c6249
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA daveKey-aes256.pem "MeFnDN7VUbj+qU/bkgRIFvbCketIk2wrrs5Ii8297N2v"
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..9c0a14c9b
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert-sha256.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem
new file mode 100644
index 000000000..307f4953e
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEHzCCAwegAwIBAgIBEDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTA2MTAwODEwNTgxMVoXDTExMTAwNzEwNTgxMVowWDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0y
+NTYxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDzXHm8D8sY1lmX7o1KK0jt/M+UzAI2Ifpx7nAqoviH
+XQIPe56BOAm4zHhEIlojEMFd1nncplXvDDGjuV/2F0KK1bFxbNtom88Ix1jrRWtk
+FLopYwj3ERC2970OhNO3nuPLrnEAzj6k3XPGMTA3drGnpRf162f7mHAdmYIRXtWm
+mfaecs4wGFs8BFGdeDfo6SPhQXZSBwZqjzQxvk1PA7E1qifgR5IGNZkNQRQ9IZD0
+86xzjmZgg5DaJcQKw45elpiVKQN6OkdWTngR3uUBfseWNeRGP5UxCUbDnPijWUbA
+6ZAdEfFXLgSpSoXHLNttvGg+SWm0kgKTpHYWYhvpflKNAgMBAAGjggEFMIIBATAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU0gL3aEo/H8c/Ld/GkBTb
+W9Ma+nUwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
+dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2Fu
+Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
+L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCItzRn3TNWUzczBd8z
+MtdPEsRl5Oi4fV3UecQxhjxAmJDLsEZT5I4uNa1XoLkJm6jVdSL7k+bjzjmpNJ1H
+uL49cqia2yTdGP4IU0K8dTGaflg3ccaLLGGXTWU/NtgdI1o6yuZTwb6a9ZL7wWZT
+x21BAsvyPTzCpUS1yCK4bFeYOxOYDphUGcwb0JTuRxx2/710b+p64BYiCfVkQJxT
+eF1ZtjSW6nJgzMRg5n2zNpdrdXMMCPI6Nl7V6wxbs3Cphmz5qx3lijwi7nZt+jE5
+qK5gphph1MkKIhnA7MF66KEcx5Rknao68yLBBDIA/AISZ3bCIj8R1SGgl/tMYfep
+sbRF
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem
new file mode 100644
index 000000000..bc9ed38c8
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,381AA672F615E55CD044FB981754FDA6
+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-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..9d298e183
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey-aes128.pem "gOQHdrSWeFuiZtYPetWuyzHW"
diff --git a/testing/tests/ikev2/strong-keys-certs/posttest.dat b/testing/tests/ikev2/strong-keys-certs/posttest.dat
new file mode 100644
index 000000000..9ccbaa1c2
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/posttest.dat
@@ -0,0 +1,13 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/private/*
+carol::rm /etc/ipsec.d/private/*
+dave::rm /etc/ipsec.d/private/*
+moon::rm /etc/ipsec.d/certs/*
+carol::rm /etc/ipsec.d/certs/*
+dave::rm /etc/ipsec.d/certs/*
+
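Review bot: The six `rm /etc/ipsec.d/private/*` and `rm /etc/ipsec.d/certs/*` lines delete every key and certificate on moon, carol and dave, not only the files this test installed. They therefore depend on the harness restoring the default credentials before the next test, which is not visible in this diff. Naming the installed files would keep the cleanup scoped, for example `carol::rm /etc/ipsec.d/private/carolKey-aes192.pem` and `carol::rm /etc/ipsec.d/certs/carolCert-sha384.pem`, with the matching lines for dave and moon.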
diff --git a/testing/tests/ikev2/strong-keys-certs/pretest.dat b/testing/tests/ikev2/strong-keys-certs/pretest.dat
new file mode 100644
index 000000000..de51ccdfa
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/pretest.dat
@@ -0,0 +1,10 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/strong-keys-certs/test.conf b/testing/tests/ikev2/strong-keys-certs/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/wildcards/description.txt b/testing/tests/ikev2/wildcards/description.txt
new file mode 100644
index 000000000..e485f7066
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/description.txt
@@ -0,0 +1,8 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of wildcard parameters that must match the subject
+<b>Distinguished Name</b> contained in the peer's X.509 certificate. Access to
+<b>alice</b> is granted for DNs containing a OU=Research field whereas <b>venus</b>
+can only be reached with a DN containing OU=Accounting. The roadwarriors
+<b>carol</b> and <b>dave</b> belong to the departments 'Research' and 'Accounting',
+respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b>
+can reach <b>venus</b>.
diff --git a/testing/tests/ikev2/wildcards/evaltest.dat b/testing/tests/ikev2/wildcards/evaltest.dat
new file mode 100644
index 000000000..2bc83eacd
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ipsec status::alice.*PH_IP_CAROL.*PH_IP_ALICE::YES
+moon::ipsec status::alice.*PH_IP_ALICE.*PH_IP_CAROL::YES
+carol::ipsec status::venus.*PH_IP_CAROL.*PH_IP_VENUS::NO
+moon::ipsec status::venus.*PH_IP_VENUS.*PH_IP_CAROL::NO
+dave::ipsec status::venus.*PH_IP_DAVE.*PH_IP_VENUS::YES
+moon::ipsec status::venus.*PH_IP_VENUS.*PH_IP_DAVE::YES
+dave::ipsec status::alice.*PH_IP_DAVE.*PH_IP_ALICE::NO
+moon::ipsec status::alice.*PH_IP_ALICE.*PH_IP_DAVE::NO
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..59d41eb27
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert.pem
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
+
+conn venus
+ rightsubnet=PH_IP_VENUS/32
+ auto=add
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..81e86e823
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftcert=daveCert.pem
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
+
+conn venus
+ rightsubnet=PH_IP_VENUS/32
+ auto=add
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..366e1fa9a
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+
+conn alice
+ leftsubnet=PH_IP_ALICE/32
+ right=%any
+ rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
+ auto=add
+
+conn venus
+ leftsubnet=PH_IP_VENUS/32
+ right=%any
+ rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
+ auto=add
+
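Review bot: The `rightid` patterns in `conn alice` and `conn venus` are the only thing separating the two departments, and they constrain the subject OU but not the issuer, since neither connection sets `rightca`. With a single trusted CA that is sufficient. If moon ever trusted a second CA, a certificate from it carrying `OU=Research` would presumably match `conn alice` as well. A comment above each connection would record the intent, e.g. `# authorization by subject DN: only OU=Research peers may reach alice`. Pinning the issuer with `rightca` is worth considering if the IKEv2 daemon in this version honours it.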
diff --git a/testing/tests/ikev2/wildcards/posttest.dat b/testing/tests/ikev2/wildcards/posttest.dat
new file mode 100644
index 000000000..ed530f6d9
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/posttest.dat
@@ -0,0 +1,3 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
diff --git a/testing/tests/ikev2/wildcards/pretest.dat b/testing/tests/ikev2/wildcards/pretest.dat
new file mode 100644
index 000000000..e3da87520
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/pretest.dat
@@ -0,0 +1,9 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 1
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up venus
+dave::ipsec up alice
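Review bot: `moon::echo 1 > /proc/sys/net/ipv4/ip_forward` turns forwarding on, but the posttest.dat added for this test only stops ipsec on the three hosts, so moon is left forwarding after the run. Adding `moon::echo 0 > /proc/sys/net/ipv4/ip_forward` to posttest.dat would restore the state, assuming forwarding was off beforehand. Separately, moon is started last and only `carol::sleep 1` separates its start from the first `ipsec up`, which may be tight on a slow UML host.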
diff --git a/testing/tests/ikev2/wildcards/test.conf b/testing/tests/ikev2/wildcards/test.conf
new file mode 100644
index 000000000..08e5cc145
--- /dev/null
+++ b/testing/tests/ikev2/wildcards/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/host2host-ikev1/description.txt b/testing/tests/ipv6/host2host-ikev1/description.txt
new file mode 100644
index 000000000..c59b32acb
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev1/description.txt
@@ -0,0 +1,3 @@
+An IPv6 ESP connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
+The authentication is based on X.509 certificates. In order to test the host-to-host tunnel
+<b>moon</b> sends an IPv6 ICMP request to <b>sun</b> using the ping6 command.
diff --git a/testing/tests/ipv6/host2host-ikev1/evaltest.dat b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
new file mode 100644
index 000000000..62fc85953
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
+sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
+sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..9499140c5
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn net-net
+ also=host-host
+ leftsubnet=fec1::0/16
+ rightsubnet=fec2::0/16
+
+conn host-host
+ left=PH_IP6_MOON
+ leftnexthop=0::0
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP6_SUN
+ rightnexthop=0::0
+ rightid=@sun.strongswan.org
+ auto=add
+
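Review bot: `conn net-net` inherits `auto=add` through `also=host-host`, so it is loaded on every start even though pretest.dat only brings up `host-host` and evaltest.dat never checks it. The sun config and both host2host-ikev2 configs carry the same section. If it is kept on purpose, a comment such as `# defined but not brought up by this test` would say so. Otherwise the section can be dropped so the fixture contains only what the scenario exercises.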
diff --git a/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
index 58e2f1e5b..c64904a6e 100755
--- a/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
@@ -1,11 +1,10 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
-version 2.0 # conforms to second version of ipsec.conf specification
-
config setup
plutodebug=control
crlcheckinterval=180
strictcrlpolicy=no
+ charonstart=no
conn %default
ikelifetime=60m
@@ -13,17 +12,18 @@ conn %default
rekeymargin=3m
keyingtries=1
-conn home
- left=PH_IP_CAROL
- leftnexthop=%direct
- leftcert=myCert.pem
- leftid=carol@strongswan.org
+conn net-net
+ also=host-host
+ leftsubnet=fec2::0/16
+ rightsubnet=fec1::0/16
+
+conn host-host
+ left=PH_IP6_SUN
+ leftnexthop=0::0
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
+ right=PH_IP6_MOON
+ rightnexthop=0::0
rightid=@moon.strongswan.org
auto=add
-
-
-
-
diff --git a/testing/tests/ipv6/host2host-ikev1/posttest.dat b/testing/tests/ipv6/host2host-ikev1/posttest.dat
new file mode 100644
index 000000000..dff181797
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev1/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+sun::ipsec stop
diff --git a/testing/tests/ipv6/host2host-ikev1/pretest.dat b/testing/tests/ipv6/host2host-ikev1/pretest.dat
new file mode 100644
index 000000000..4707af077
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev1/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up host-host
diff --git a/testing/tests/ipv6/host2host-ikev1/test.conf b/testing/tests/ipv6/host2host-ikev1/test.conf
new file mode 100644
index 000000000..cf2e704fd
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev1/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/host2host-ikev2/description.txt b/testing/tests/ipv6/host2host-ikev2/description.txt
new file mode 100644
index 000000000..c59b32acb
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev2/description.txt
@@ -0,0 +1,3 @@
+An IPv6 ESP connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up.
+The authentication is based on X.509 certificates. In order to test the host-to-host tunnel
+<b>moon</b> sends an IPv6 ICMP request to <b>sun</b> using the ping6 command.
diff --git a/testing/tests/ipv6/host2host-ikev2/evaltest.dat b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
new file mode 100644
index 000000000..8b5ee4f6c
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
@@ -0,0 +1,5 @@
+moon::ipsec status::host-host.*ESTABLISHED::YES
+sun::ipsec status::ESTABLISHED::YES
+moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
+sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
+sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
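Review bot: The `sun::ipsec status::ESTABLISHED::YES` check matches any established SA on sun, whereas the moon line above it is anchored to the connection name. Using `sun::ipsec status::host-host.*ESTABLISHED::YES` would make both ends of the check equally specific. It would also stop an unrelated established connection from satisfying the test.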
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..44c85068e
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn net-net
+ also=host-host
+ leftsubnet=fec1::0/16
+ rightsubnet=fec2::0/16
+
+conn host-host
+ left=PH_IP6_MOON
+ leftnexthop=0::0
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ right=PH_IP6_SUN
+ rightnexthop=0::0
+ rightid=@sun.strongswan.org
+ auto=add
+
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..8b3858b30
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn net-net
+ also=host-host
+ leftsubnet=fec2::0/16
+ rightsubnet=fec1::0/16
+
+conn host-host
+ left=PH_IP6_SUN
+ leftnexthop=0::0
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftfirewall=yes
+ right=PH_IP6_MOON
+ rightnexthop=0::0
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ipv6/host2host-ikev2/posttest.dat b/testing/tests/ipv6/host2host-ikev2/posttest.dat
new file mode 100644
index 000000000..dff181797
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev2/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+sun::ipsec stop
diff --git a/testing/tests/ipv6/host2host-ikev2/pretest.dat b/testing/tests/ipv6/host2host-ikev2/pretest.dat
new file mode 100644
index 000000000..4707af077
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev2/pretest.dat
@@ -0,0 +1,4 @@
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up host-host
diff --git a/testing/tests/ipv6/host2host-ikev2/test.conf b/testing/tests/ipv6/host2host-ikev2/test.conf
new file mode 100644
index 000000000..cf2e704fd
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev2/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/mode-config-push/posttest.dat b/testing/tests/mode-config-push/posttest.dat
deleted file mode 100644
index 932b319a7..000000000
--- a/testing/tests/mode-config-push/posttest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-dave::iptables -v -n -L
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP1_CAROL/32 dev eth0
-dave::ip addr del PH_IP1_DAVE/32 dev eth0
diff --git a/testing/tests/mode-config-swapped/posttest.dat b/testing/tests/mode-config-swapped/posttest.dat
deleted file mode 100644
index 932b319a7..000000000
--- a/testing/tests/mode-config-swapped/posttest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-dave::iptables -v -n -L
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP1_CAROL/32 dev eth0
-dave::ip addr del PH_IP1_DAVE/32 dev eth0
diff --git a/testing/tests/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/mode-config/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index da601389c..000000000
--- a/testing/tests/mode-config/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version 2.0 # conforms to second version of ipsec.conf specification
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_DAVE
- leftsourceip=%modeconfig
- leftnexthop=%direct
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
-
-
-
-
diff --git a/testing/tests/mode-config/posttest.dat b/testing/tests/mode-config/posttest.dat
deleted file mode 100644
index 932b319a7..000000000
--- a/testing/tests/mode-config/posttest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-dave::iptables -v -n -L
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP1_CAROL/32 dev eth0
-dave::ip addr del PH_IP1_DAVE/32 dev eth0
diff --git a/testing/tests/net2net-psk/posttest.dat b/testing/tests/net2net-psk/posttest.dat
deleted file mode 100644
index 52979508d..000000000
--- a/testing/tests/net2net-psk/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::iptables -v -n -L
-sun::iptables -v -n -L
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/net2net-route/posttest.dat b/testing/tests/net2net-route/posttest.dat
deleted file mode 100644
index 52979508d..000000000
--- a/testing/tests/net2net-route/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::iptables -v -n -L
-sun::iptables -v -n -L
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/net2net-rsa/posttest.dat b/testing/tests/net2net-rsa/posttest.dat
deleted file mode 100644
index 52979508d..000000000
--- a/testing/tests/net2net-rsa/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::iptables -v -n -L
-sun::iptables -v -n -L
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/net2net-start/posttest.dat b/testing/tests/net2net-start/posttest.dat
deleted file mode 100644
index 52979508d..000000000
--- a/testing/tests/net2net-start/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::iptables -v -n -L
-sun::iptables -v -n -L
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/protoport-route/posttest.dat b/testing/tests/protoport-route/posttest.dat
deleted file mode 100644
index 26848212b..000000000
--- a/testing/tests/protoport-route/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/rw-cert/posttest.dat b/testing/tests/rw-cert/posttest.dat
deleted file mode 100644
index 26848212b..000000000
--- a/testing/tests/rw-cert/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/rw-psk-fqdn-named/posttest.dat b/testing/tests/rw-psk-fqdn-named/posttest.dat
deleted file mode 100644
index 26848212b..000000000
--- a/testing/tests/rw-psk-fqdn-named/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/rw-psk-fqdn/posttest.dat b/testing/tests/rw-psk-fqdn/posttest.dat
deleted file mode 100644
index 26848212b..000000000
--- a/testing/tests/rw-psk-fqdn/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/rw-psk-ipv4/posttest.dat b/testing/tests/rw-psk-ipv4/posttest.dat
deleted file mode 100644
index 26848212b..000000000
--- a/testing/tests/rw-psk-ipv4/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/starter-also/posttest.dat b/testing/tests/starter-also/posttest.dat
deleted file mode 100644
index 26848212b..000000000
--- a/testing/tests/starter-also/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/starter-includes/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 598997b45..000000000
--- a/testing/tests/starter-includes/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version 2.0 # conforms to second version of ipsec.conf specification
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=%modeconfig
- leftnexthop=%direct
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
-
-
-
-
diff --git a/testing/tests/virtual-ip-swapped/posttest.dat b/testing/tests/virtual-ip-swapped/posttest.dat
deleted file mode 100644
index ac5c7dd82..000000000
--- a/testing/tests/virtual-ip-swapped/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP1_CAROL/32 dev eth0
diff --git a/testing/tests/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/virtual-ip/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 2f1170a6b..000000000
--- a/testing/tests/virtual-ip/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version 2.0 # conforms to second version of ipsec.conf specification
-
-config setup
- plutodebug=control
- crlcheckinterval=180
- strictcrlpolicy=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
-
-conn home
- left=PH_IP_CAROL
- leftsourceip=PH_IP1_CAROL
- leftnexthop=%direct
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightsubnet=10.1.0.0/16
- rightid=@moon.strongswan.org
- auto=add
-
-
-
-
diff --git a/testing/tests/virtual-ip/posttest.dat b/testing/tests/virtual-ip/posttest.dat
deleted file mode 100644
index ac5c7dd82..000000000
--- a/testing/tests/virtual-ip/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables -v -n -L
-carol::iptables -v -n -L
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP1_CAROL/32 dev eth0