Major new upstream release, just ran svn-upgrade for now (and wrote some

debian/changelong entries).

5 files changed, 0 insertions, 2497 deletions

diff --git a/programs/spi/.cvsignore b/programs/spi/.cvsignore
deleted file mode 100644
index c928c4b77..000000000
--- a/programs/spi/.cvsignore
+++ /dev/null
@@ -1 +0,0 @@
-spi
diff --git a/programs/spi/Makefile b/programs/spi/Makefile
deleted file mode 100644
index 10a1eaa9c..000000000
--- a/programs/spi/Makefile
+++ /dev/null
@@ -1,69 +0,0 @@
-# Makefile for the KLIPS interface utilities
-# Copyright (C) 1998, 1999  Henry Spencer.
-# Copyright (C) 1999, 2000, 2001  Richard Guy Briggs
-# 
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-# 
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-#
-# RCSID $Id: Makefile,v 1.2 2004/03/22 21:53:21 as Exp $
-
-FREESWANSRCDIR=../..
-include ${FREESWANSRCDIR}/Makefile.inc
-
-PROGRAM=spi
-EXTRA5PROC=${PROGRAM}.5
-
-LIBS=${FREESWANLIB}
-
-OBJS=constants.o alg_info.o kernel_alg.o
-
-include ../Makefile.program
-
-constants.o : ../pluto/constants.c ../pluto/constants.h
-	$(CC) $(CFLAGS) -c -o $@ $<
-
-alg_info.o : ../pluto/alg_info.c ../pluto/alg_info.h
-	$(CC) $(CFLAGS) -DNO_PLUTO -c -o $@ $<
-
-kernel_alg.o : ../pluto/kernel_alg.c ../pluto/kernel_alg.h
-	$(CC) $(CFLAGS) -DNO_PLUTO -c -o $@ $<
-
-#
-# $Log: Makefile,v $
-# Revision 1.2  2004/03/22 21:53:21  as
-# merged alg-0.8.1 branch with HEAD
-#
-# Revision 1.1.4.1  2004/03/16 09:48:22  as
-# alg-0.8.1rc12 patch merged
-#
-# Revision 1.1  2004/03/15 20:35:31  as
-# added files from freeswan-2.04-x509-1.5.3
-#
-# Revision 1.4  2002/06/03 20:25:31  mcr
-# 	man page for files actually existant in /proc/net changed back to
-# 	ipsec_foo via new EXTRA5PROC process.
-#
-# Revision 1.3  2002/06/02 21:51:41  mcr
-# 	changed TOPDIR->FREESWANSRCDIR in all Makefiles.
-# 	(note that linux/net/ipsec/Makefile uses TOPDIR because this is the
-# 	kernel sense.)
-#
-# Revision 1.2  2002/04/26 01:21:26  mcr
-# 	while tracking down a missing (not installed) /etc/ipsec.conf,
-# 	MCR has decided that it is not okay for each program subdir to have
-# 	some subset (determined with -f) of possible files.
-# 	Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file.
-# 	Optional PROGRAM.5 files have been added to the makefiles.
-#
-# Revision 1.1  2002/04/24 07:55:32  mcr
-# 	#include patches and Makefiles for post-reorg compilation.
-#
-#
-#
diff --git a/programs/spi/spi.5 b/programs/spi/spi.5
deleted file mode 100644
index a8faebee4..000000000
--- a/programs/spi/spi.5
+++ /dev/null
@@ -1,213 +0,0 @@
-.TH IPSEC_SPI 5 "26 Jun 2000"
-.\"
-.\" RCSID $Id: spi.5,v 1.1 2004/03/15 20:35:31 as Exp $
-.\"
-.SH NAME
-ipsec_spi \- list IPSEC Security Associations
-.SH SYNOPSIS
-.B ipsec
-.B spi
-.PP
-.B cat
-.B /proc/net/ipsec_spi
-.PP
-.SH DESCRIPTION
-.I /proc/net/ipsec_spi
-is a read-only file that lists the current IPSEC Security Associations.
-A Security Association (SA) is a transform through which packet contents
-are to be processed before being forwarded.  A transform can be an
-IPv4-in-IPv4 or IPv6-in-IPv6 encapsulation, an IPSEC Authentication Header (authentication
-with no encryption), or an IPSEC Encapsulation Security Payload
-(encryption, possibly including authentication).
-.PP
-When a packet is passed from a higher networking layer through an IPSEC
-virtual interface, a search in the extended routing table (see
-.IR ipsec_eroute (5))
-yields
-a IP protocol number
-,
-a Security Parameters Index (SPI)
-and
-an effective destination address
-.
-When an IPSEC packet arrives from the network,
-its ostensible destination, an SPI and an IP protocol
-specified by its outermost IPSEC header are used.
-The destination/SPI/protocol combination is used to select a relevant SA.
-(See
-.IR ipsec_spigrp (5)
-for discussion of how multiple transforms are combined.)
-.PP
-An
-.I spi ,
-.I proto, 
-.I daddr
-and
-.IR address_family
-arguments specify an SAID.
-.I Proto
-is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol.
-.I Spi
-is a number, preceded by '.' indicating hexadecimal and IPv4 or by ':' indicating hexadecimal and IPv6,
-where each hexadecimal digit represents 4 bits,
-between
-.B 0x100
-and
-.BR 0xffffffff ;
-values from
-.B 0x0
-to
-.B 0xff
-are reserved.
-.I Daddr
-is a dotted-decimal IPv4 destination address or a coloned hex IPv6 destination address.
-.PP
-An
-.I SAID
-combines the three parameters above, such as: "tun.101@1.2.3.4" for IPv4 or "tun:101@3049:1::1" for IPv6
-.PP
-A table entry consists of:
-.IP + 3
-.BR SAID
-.IP +
-<transform name (proto,encalg,authalg)>:
-.IP +
-direction (dir=)
-.IP +
-source address (src=)
-.IP +
-source and destination addresses and masks for inner header policy check
-addresses (policy=), as dotted-quads or coloned hex, separated by '->',
-for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only
-.IP +
-initialisation vector length and value (iv_bits=, iv=) if non-zero
-.IP +
-out-of-order window size, number of out-of-order errors, sequence
-number, recently received packet bitmask, maximum difference between
-sequence numbers (ooowin=, ooo_errs=, seq=, bit=, max_seq_diff=) if SA
-is AH or ESP and if individual items are non-zero
-.IP +
-extra flags (flags=) if any are set
-.IP +
-authenticator length in bits (alen=) if non-zero
-.IP +
-authentication key length in bits (aklen=) if non-zero
-.IP +
-authentication errors (auth_errs=) if non-zero
-.IP +
-encryption key length in bits (eklen=) if non-zero
-.IP +
-encryption size errors (encr_size_errs=) if non-zero
-.IP +
-encryption padding error warnings (encr_pad_errs=) if non-zero
-.IP +
-lifetimes legend, c=Current status, s=Soft limit when exceeded will
-initiate rekeying, h=Hard limit will cause termination of SA (life(c,s,h)=)
-.IP + 6
-number of connections to which the SA is allocated (c), that will cause a
-rekey (s), that will cause an expiry (h) (alloc=), if any value is non-zero
-.IP +
-number of bytes processesd by this SA (c), that will cause a rekey (s), that
-will cause an expiry (h) (bytes=), if any value is non-zero
-.IP +
-time since the SA was added (c), until rekey (s), until expiry (h), in seconds (add=)
-.IP +
-time since the SA was first used (c), until rekey (s), until expiry (h), in seconds (used=),
-if any value is non-zero
-.IP +
-number of packets processesd by this SA (c), that will cause a rekey (s), that
-will cause an expiry (h) (packets=), if any value is non-zero
-.IP + 3
-time since the last packet was processed, in seconds (idle=), if SA has
-been used
-.IP
-average compression ratio (ratio=)
-.SH EXAMPLES
-.B "tun.12a@192.168.43.1 IPIP: dir=out src=192.168.43.2"
-.br
-.B "      life(c,s,h)=bytes(14073,0,0)add(269,0,0)"
-.br
-.B "      use(149,0,0)packets(14,0,0)"
-.br
-.B "      idle=23
-.LP
-is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up between machines
-192.168.43.2 and 192.168.43.1 with an SPI of 12a in hexadecimal that has
-passed about 14 kilobytes of traffic in 14 packets since it was created,
-269 seconds ago, first used 149 seconds ago and has been idle for 23
-seconds.
-.LP
-.B "esp:9a35fc02@3049:1::1 ESP_3DES_HMAC_MD5:"
-.br
-.B "      dir=in src=9a35fc02@3049:1::2"
-.br
-.B "      ooowin=32 seq=7149 bit=0xffffffff"
-.br
-.B "      alen=128 aklen=128 eklen=192"
-.br
-.B "      life(c,s,h)=bytes(1222304,0,0)add(4593,0,0)"
-.br
-.B "      use(3858,0,0)packets(7149,0,0)"
-.br
-.B "      idle=23"
-.LP
-is an inbound Encapsulating Security Payload (protocol 50) SA on machine
-3049:1::1 with an SPI of 9a35fc02 that uses 3DES as the encryption
-cipher, HMAC MD5 as the authentication algorithm, an out-of-order
-window of 32 packets, a present sequence number of 7149, every one of
-the last 32 sequence numbers was received, the authenticator length and
-keys is 128 bits, the encryption key is 192 bits (actually 168 for 3DES
-since 1 of 8 bits is a parity bit), has passed 1.2 Mbytes of data in
-7149 packets, was added 4593 seconds ago, first used
-3858 seconds ago and has been idle for 23 seconds.
-.LP
-.SH FILES
-/proc/net/ipsec_spi, /usr/local/bin/ipsec
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5),
-ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_spi(8), ipsec_version(5),
-ipsec_pf_key(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Richard Guy Briggs.
-.SH BUGS
-The add and use times are awkward, displayed in seconds since machine
-start.  It would be better to display them in seconds before now for
-human readability.
-.\"
-.\" $Log: spi.5,v $
-.\" Revision 1.1  2004/03/15 20:35:31  as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.9  2002/04/24 07:35:39  mcr
-.\" Moved from ./klips/utils/spi.5,v
-.\"
-.\" Revision 1.8  2001/08/01 23:22:44  rgb
-.\" Fix inconsistancies between manpage and output.
-.\"
-.\" Revision 1.7  2000/11/30 16:47:28  rgb
-.\" Added src= to /proc/net/ipsec_spi manpage.
-.\"
-.\" Revision 1.6  2000/09/17 18:56:48  rgb
-.\" Added IPCOMP support.
-.\"
-.\" Revision 1.5  2000/09/13 15:54:32  rgb
-.\" Added Gerhard's ipv6 updates.
-.\"
-.\" Revision 1.4  2000/07/05 17:24:03  rgb
-.\" Updated for relative, rather than absolute values for addtime and
-.\" usetime.
-.\"
-.\" Revision 1.3  2000/06/30 18:21:55  rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.2  2000/06/28 12:44:12  henry
-.\" format touchup
-.\"
-.\" Revision 1.1  2000/06/28 05:43:00  rgb
-.\" Added manpages for all 5 klips utils.
-.\"
-.\"
diff --git a/programs/spi/spi.8 b/programs/spi/spi.8
deleted file mode 100644
index fe6537c07..000000000
--- a/programs/spi/spi.8
+++ /dev/null
@@ -1,525 +0,0 @@
-.TH IPSEC_SPI 8 "23 Oct 2001"
-.\"
-.\" RCSID $Id: spi.8,v 1.1 2004/03/15 20:35:31 as Exp $
-.\"
-.SH NAME
-ipsec spi \- manage IPSEC Security Associations
-.SH SYNOPSIS
-.br
-Note: In the following,
-.br
-.B <SA>
-means:
-.B \-\-af
-(inet | inet6)
-.B \-\-edst
-daddr
-.B \-\-spi
-spi
-.B \-\-proto
-proto OR 
-.B \-\-said
-said,
-.br
-.B <life>
-means:
-.B \-\-life
-(soft | hard)\-(allocations | bytes | addtime | usetime | packets)=value[,...]
-.PP
-.B ipsec
-.B spi
-.PP
-.B ipsec
-.B spi
-.B <SA>
-.B \-\-src
-src
-.B \-\-ah
-.BR hmac-md5-96 | hmac-sha1-96
-[
-.B \-\-replay_window
-replayw ]
-[
-.B <life>
-]
-.B \-\-authkey
-akey
-.PP
-.B ipsec
-.B spi
-.B <SA>
-.B \-\-src
-src
-.B \-\-esp
-.BR 3des
-[
-.B \-\-replay_window
-replayw ]
-[
-.B <life>
-]
-.B \-\-enckey
-ekey
-.PP
-.B ipsec
-.B spi
-.B <SA>
-.B \-\-src
-src
-.B \-\-esp
-.BR 3des-md5-96 | 3des-sha1-96
-[
-.B \-\-replay_window
-replayw ]
-[
-.B <life>
-]
-.B \-\-enckey
-ekey
-.B \-\-authkey
-akey
-.PP
-.B ipsec
-.B spi
-.B <SA>
-.B \-\-src
-src
-.B \-\-comp
-.BR deflate
-.PP
-.B ipsec
-.B spi
-.B <SA>
-.B \-\-ip4
-.B \-\-src
-encap-src
-.B \-\-dst
-encap-dst
-.PP
-.B ipsec
-.B spi
-.B <SA>
-.B \-\-ip6
-.B \-\-src
-encap-src
-.B \-\-dst
-encap-dst
-.PP
-.B ipsec
-.B spi
-.B <SA>
-.B \-\-del
-.PP
-.B ipsec
-.B spi
-.B \-\-help
-.PP
-.B ipsec
-.B spi
-.B \-\-version
-.PP
-.B ipsec
-.B spi
-.B \-\-clear
-.PP
-.SH DESCRIPTION
-.I Spi
-creates and deletes IPSEC Security Associations.
-A Security Association (SA) is a transform through which packet
-contents are to be processed before being forwarded.
-A transform can be an IPv4-in-IPv4 or an IPv6-in-IPv6 encapsulation,
-an IPSEC Authentication Header (authentication with no encryption),
-or an IPSEC Encapsulation Security Payload (encryption, possibly
-including authentication).
-.PP
-When a packet is passed from a higher networking layer
-through an IPSEC virtual interface,
-a search in the extended routing table (see
-.IR ipsec_eroute (8))
-yields an effective destination address, a
-Security Parameters Index (SPI) and a IP protocol number.
-When an IPSEC packet arrives from the network,
-its ostensible destination, an SPI and an IP protocol
-specified by its outermost IPSEC header are used.
-The destination/SPI/protocol combination is used to select a relevant SA.
-(See
-.IR ipsec_spigrp (8)
-for discussion of how multiple transforms are combined.)
-.PP
-The
-.IR af ,
-.IR daddr ,
-.I spi
-and
-.I proto
-arguments specify the SA to be created or deleted.
-.I af
-is the address family (inet for IPv4, inet6 for IPv6).
-.I Daddr
-is a destination address
-in dotted-decimal notation for IPv4 
-or in a coloned hex notation for IPv6.
-.I Spi
-is a number, preceded by '0x' for hexadecimal,
-between
-.B 0x100
-and
-.BR 0xffffffff ;
-values from
-.B 0x0
-to
-.B 0xff
-are reserved.
-.I Proto
-is an ASCII string, "ah", "esp", "comp" or "tun", specifying the IP protocol.
-The protocol must agree with the algorithm selected.
-.PP
-Alternatively, the
-.I said
-argument can also specify an SA to be created or deleted.
-.I Said
-combines the three parameters above, such as: "tun.101@1.2.3.4" or "tun:101@1:2::3:4",
-where the address family is specified by "." for IPv4 and ":" for IPv6. The address
-family indicators substitute the "0x" for hexadecimal.
-.PP
-The source address,
-.IR src ,
-must also be provided for the inbound policy check to
-function.  The source address does not need to be included if inbound
-policy checking has been disabled.
-.PP
-Keys vectors must be entered as hexadecimal or base64 numbers.
-They should be cryptographically strong random numbers.
-.PP
-All hexadecimal numbers are entered as strings of hexadecimal digits
-(0-9 and a-f), without spaces, preceded by '0x', where each hexadecimal
-digit represents 4 bits.
-All base64 numbers are entered as strings of base64 digits
- (0-9, A-Z, a-z, '+' and '/'), without spaces, preceded by '0s',
-where each hexadecimal digit represents 6 bits and '=' is used for padding.
-.PP
-The deletion of an SA which has been grouped will result in the entire chain
-being deleted.
-.PP
-The form with no additional arguments lists the contents of
-/proc/net/ipsec_spi.  The format of /proc/net/ipsec_spi is discussed in
-ipsec_spi(5).
-.PP
-The lifetime severity of
-.B soft
-sets a limit when the key management daemons are asked to rekey the SA.
-The lifetime severity of
-.B hard
-sets a limit when the SA must expire.
-The lifetime type
-.B allocations
-tells the system when to expire the SA because it is being shared by too many
-eroutes (not currently used).  The lifetime type of
-.B bytes
-tells the system to expire the SA after a certain number of bytes have been
-processed with that SA.  The lifetime type of
-.B addtime
-tells the system to expire the SA a certain number of seconds after the SA was
-installed.  The lifetime type of
-.B usetime
-tells the system to expire the SA a certain number of seconds after that SA has
-processed its first packet.  The lifetime type of
-.B packets
-tells the system to expire the SA after a certain number of packets have been
-processed with that SA.
-.SH OPTIONS
-.TP 10
-.B \-\-af
-specifies the address family (inet for IPv4, inet6 for IPv6)
-.TP
-.B \-\-edst
-specifies the effective destination
-.I daddr
-of the Security Association
-.TP
-.B \-\-spi
-specifies the Security Parameters Index
-.I spi
-of the Security Association
-.TP
-.B \-\-proto
-specifies the IP protocol
-.I proto
-of the Security Association
-.TP
-.B \-\-said
-specifies the Security Association in monolithic format
-.TP
-.B \-\-ah
-add an SA for an IPSEC Authentication Header,
-specified by the following transform identifier
-(\c
-.BR hmac-md5-96
-or
-.BR hmac-sha1-96 )
-(RFC2402, obsoletes RFC1826)
-.TP
-.B hmac-md5-96
-transform following the HMAC and MD5 standards,
-using a 128-bit
-.I key
-to produce a 96-bit authenticator (RFC2403)
-.TP
-.B hmac-sha1-96
-transform following the HMAC and SHA1 standards,
-using a 160-bit
-.I key
-to produce a 96-bit authenticator (RFC2404)
-.TP
-.B \-\-esp
-add an SA for an IPSEC Encapsulation Security Payload,
-specified by the following
-transform identifier (\c
-.BR 3des ,
-or
-.BR 3des-md5-96 )
-(RFC2406, obsoletes RFC1827)
-.TP
-.B 3des
-encryption transform following the Triple-DES standard in
-Cipher-Block-Chaining mode using a 64-bit
-.I iv
-(internally generated) and a 192-bit 3DES
-.I ekey
-(RFC2451)
-.TP
-.B 3des-md5-96
-encryption transform following the Triple-DES standard in
-Cipher-Block-Chaining mode with authentication provided by
-HMAC and MD5
-(96-bit authenticator),
-using a 64-bit
-.IR iv
-(internally generated), a 192-bit 3DES
-.I ekey
-and a 128-bit HMAC-MD5
-.I akey
-(RFC2451, RFC2403)
-.TP
-.B 3des-sha1-96
-encryption transform following the Triple-DES standard in
-Cipher-Block-Chaining mode with authentication provided by
-HMAC and SHA1
-(96-bit authenticator),
-using a 64-bit
-.IR iv
-(internally generated), a 192-bit 3DES
-.I ekey
-and a 160-bit HMAC-SHA1
-.I akey
-(RFC2451, RFC2404)
-.TP
-.BR \-\-replay_window " replayw"
-sets the replay window size; valid values are decimal, 1 to 64
-.TP
-.BR \-\-life " life_param[,life_param]"
-sets the lifetime expiry; the format of
-.B life_param
-consists of a comma-separated list of lifetime specifications without spaces;
-a lifetime specification is comprised of a severity of
-.BR soft " or " hard
-followed by a '-', followed by a lifetime type of
-.BR allocations ", " bytes ", " addtime ", " usetime " or " packets
-followed by an '=' and finally by a value
-.TP
-.B \-\-comp
-add an SA for IPSEC IP Compression,
-specified by the following
-transform identifier (\c
-.BR deflate )
-(RFC2393)
-.TP
-.B deflate
-compression transform following the patent-free Deflate compression algorithm
-(RFC2394)
-.TP
-.B \-\-ip4
-add an SA for an IPv4-in-IPv4
-tunnel from
-.I encap-src
-to
-.I encap-dst
-.TP
-.B \-\-ip6
-add an SA for an IPv6-in-IPv6
-tunnel from
-.I encap-src
-to
-.I encap-dst
-.TP
-.B \-\-src
-specify the source end of an IP-in-IP tunnel from
-.I encap-src
-to
-.I encap-dst
-and also specifies the source address of the Security Association to be
-used in inbound policy checking and must be the same address
-family as
-.I af
-and
-.I edst
-.TP
-.B \-\-dst
-specify the destination end of an IP-in-IP tunnel from
-.I encap-src
-to
-.I encap-dst
-.TP
-.B \-\-del
-delete the specified SA
-.TP
-.BR \-\-clear
-clears the table of
-.BR SA s
-.TP
-.BR \-\-help
-display synopsis
-.TP
-.BR \-\-version
-display version information
-.SH EXAMPLES
-To keep line lengths down and reduce clutter,
-some of the long keys in these examples have been abbreviated
-by replacing part of their text with
-.RI `` ... ''.
-Keys used when the programs are actually run must,
-of course, be the full length required for the particular algorithm.
-.LP
-.B "ipsec spi \-\-af inet \-\-edst gw2 \-\-spi 0x125 \-\-proto esp \e"
-.br
-.B "   \-\-src gw1 \e"
-.br
-.B "   \-\-esp 3des\-md5\-96 \e"
-.br
-.BI "\ \ \ \-\-enckey\ 0x6630" "..." "97ce\ \e"
-.br
-.BI "   \-\-authkey 0x9941" "..." "71df"
-.LP
-sets up an SA from
-.BR gw1
-to
-.BR gw2
-with an SPI of 
-.BR 0x125
-and protocol
-.BR ESP
-(50) using
-.BR 3DES
-encryption with integral
-.BR MD5-96
-authentication transform, using an encryption key of
-.BI 0x6630 ... 97ce
-and an authentication key of
-.BI 0x9941 ... 71df
-(see note above about abbreviated keys).
-.LP
-.B "ipsec spi \-\-af inet6 \-\-edst 3049:9::9000:3100 \-\-spi 0x150 \-\-proto ah \e"
-.br
-.B "   \-\-src 3049:9::9000:3101 \e"
-.br
-.B "   \-\-ah hmac\-md5\-96 \e"
-.br
-.BI "\ \ \ \-\-authkey\ 0x1234" "..." "2eda\ \e"
-.LP
-sets up an SA from
-.BR 3049:9::9000:3101
-to
-.BR 3049:9::9000:3100
-with an SPI of 
-.BR 0x150
-and protocol
-.BR AH
-(50) using
-.BR MD5-96
-authentication transform, using an authentication key of
-.BI 0x1234 ... 2eda
-(see note above about abbreviated keys).
-.LP
-.B "ipsec spi \-\-said tun.987@192.168.100.100 \-\-del "
-.LP
-deletes an SA to
-.BR 192.168.100.100
-with an SPI of 
-.BR 0x987
-and protocol
-.BR IPv4-in-IPv4
-(4).
-.LP
-.B "ipsec spi \-\-said tun:500@3049:9::1000:1 \-\-del "
-.LP
-deletes an SA to
-.BR 3049:9::1000:1
-with an SPI of 
-.BR 0x500
-and protocol
-.BR IPv6-in-IPv6
-(4).
-.LP
-.SH FILES
-/proc/net/ipsec_spi, /usr/local/bin/ipsec
-.SH "SEE ALSO"
-ipsec(8), ipsec_manual(8), ipsec_tncfg(8), ipsec_eroute(8),
-ipsec_spigrp(8), ipsec_klipsdebug(8), ipsec_spi(5)
-.SH HISTORY
-Written for the Linux FreeS/WAN project
-<http://www.freeswan.org/>
-by Richard Guy Briggs.
-.SH BUGS
-The syntax is messy and the transform naming needs work.
-.\"
-.\" $Log: spi.8,v $
-.\" Revision 1.1  2004/03/15 20:35:31  as
-.\" added files from freeswan-2.04-x509-1.5.3
-.\"
-.\" Revision 1.32  2002/04/24 07:35:40  mcr
-.\" Moved from ./klips/utils/spi.8,v
-.\"
-.\" Revision 1.31  2001/11/06 20:18:47  rgb
-.\" Added lifetime parameters.
-.\"
-.\" Revision 1.30  2001/10/24 03:23:32  rgb
-.\" Added lifetime option and parameters.
-.\"
-.\" Revision 1.29  2001/05/30 08:14:04  rgb
-.\" Removed vestiges of esp-null transforms.
-.\"
-.\" Revision 1.28  2000/11/29 19:15:20  rgb
-.\" Add --src requirement for inbound policy routing.
-.\"
-.\" Revision 1.27  2000/09/17 18:56:48  rgb
-.\" Added IPCOMP support.
-.\"
-.\" Revision 1.26  2000/09/13 15:54:32  rgb
-.\" Added Gerhard's ipv6 updates.
-.\"
-.\" Revision 1.25  2000/09/12 22:36:45  rgb
-.\" Gerhard's IPv6 support.
-.\"
-.\" Revision 1.24  2000/06/30 18:21:55  rgb
-.\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
-.\" and correct FILES sections to no longer refer to /dev/ipsec which has
-.\" been removed since PF_KEY does not use it.
-.\"
-.\" Revision 1.23  2000/06/21 16:54:57  rgb
-.\" Added 'no additional args' text for listing contents of
-.\" /proc/net/ipsec_* files.
-.\"
-.\" Revision 1.22  1999/08/11 08:35:16  rgb
-.\" Update, deleting references to obsolete and insecure algorithms.
-.\"
-.\" Revision 1.21  1999/07/19 18:53:55  henry
-.\" improve font usage in key abbreviations
-.\"
-.\" Revision 1.20  1999/07/19 18:50:09  henry
-.\" fix slightly-misformed comments
-.\" abbreviate long keys to avoid long-line complaints
-.\"
-.\" Revision 1.19  1999/04/06 04:54:38  rgb
-.\" Fix/Add RCSID Id: and Log: bits to make PHMDs happy.  This includes
-.\" patch shell fixes.
-.\"
diff --git a/programs/spi/spi.c b/programs/spi/spi.c
deleted file mode 100644
index 369d556c7..000000000
--- a/programs/spi/spi.c
+++ /dev/null
@@ -1,1689 +0,0 @@
-/*
- * All-in-one program to set Security Association parameters
- * Copyright (C) 1996  John Ioannidis.
- * Copyright (C) 1997, 1998, 1999, 2000, 2001, 2002  Richard Guy Briggs.
- * 
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- * 
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-char spi_c_version[] = "RCSID $Id: spi.c,v 1.7 2004/10/14 20:03:26 as Exp $";
-
-#include <asm/types.h>
-#include <sys/types.h>
-#include <sys/ioctl.h>
-/* #include <linux/netdevice.h> */
-#include <net/if.h>
-/* #include <linux/types.h> */ /* new */
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <string.h>
-#include <errno.h>
-
-/* #include <sys/socket.h> */
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-/* #include <linux/ip.h> */
-#include <netdb.h>
-
-#include <unistd.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <freeswan.h>
-#if 0
-#include <linux/autoconf.h>    /* CONFIG_IPSEC_PFKEYv2 */
-#endif
-     #include <signal.h>
-     #include <sys/socket.h>
-     #include <pfkeyv2.h>
-     #include <pfkey.h>
-
-#include "freeswan/radij.h"
-#include "freeswan/ipsec_encap.h"
-#include "freeswan/ipsec_xform.h"
-#include "freeswan/ipsec_ipe4.h"
-#include "freeswan/ipsec_ah.h"
-#include "freeswan/ipsec_esp.h"
-#include "freeswan/ipsec_sa.h"  /* IPSEC_SAREF_NULL */
-
-/* 	
- * 	Manual conn support for ipsec_alg (modular algos).
- * 	Rather ugly to include from pluto dir but avoids
- * 	code duplication.
- */
-#ifndef NO_KERNEL_ALG
-#include "../pluto/alg_info.h"
-#include "../pluto/constants.h"
-struct connection;
-#include "../pluto/kernel_alg.h"
-#endif /* NO_KERNEL_ALG */
-
-char *program_name;
-int debug = 0;
-int saref = 0;
-char *command;
-extern char *optarg;
-extern int optind, opterr, optopt;
-char scratch[2];
-char *iv = NULL, *enckey = NULL, *authkey = NULL;
-size_t ivlen = 0, enckeylen = 0, authkeylen = 0;
-ip_address edst, dst, src;
-int address_family = 0;
-unsigned char proto = 0;
-int alg = 0;
-
-#ifndef NO_KERNEL_ALG
-/* 
- * 	Manual connection support for modular algos (ipsec_alg) --Juanjo.
- */
-#define XF_OTHER_ALG (XF_CLR-1)	/* define magic XF_ symbol for alg_info's */
-#include <assert.h>
-const char *alg_string = NULL;	/* algorithm string */
-struct alg_info_esp *alg_info = NULL;	/* algorithm info got from string */
-struct esp_info *esp_info = NULL;	/* esp info from 1st (only) element */
-const char *alg_err;		/* auxiliar for parsing errors */
-int proc_read_ok = 0;		/* /proc/net/pf_key_support read ok */
-#endif /* NO_KERNEL_ALG */
-
-int replay_window = 0;
-char sa[SATOT_BUF];
-
-extern unsigned int pfkey_lib_debug; /* used by libfreeswan/pfkey_v2_build */
-int pfkey_sock;
-fd_set pfkey_socks;
-uint32_t pfkey_seq = 0;
-enum life_severity {
-	life_soft = 0,
-	life_hard = 1,
-	life_maxsever = 2
-};
-enum life_type {
-	life_alloc = 0,
-	life_bytes = 1,
-	life_addtime = 2,
-	life_usetime = 3,
-	life_packets = 4,
-	life_maxtype = 5
-};
-
-#define streql(_a,_b) (!strcmp((_a),(_b)))
-
-static const char *usage_string = "\
-Usage:\n\
-	in the following, <SA> is: --af <inet | inet6> --edst <dstaddr> --spi <spi> --proto <proto>\n\
-                               OR: --said <proto><.|:><spi>@<dstaddr>\n\
-	                  <life> is: --life <soft|hard>-<allocations|bytes|addtime|usetime|packets>=<value>[,...]\n\
-spi --clear\n\
-spi --help\n\
-spi --version\n\
-spi\n\
-spi --del <SA>\n\
-spi --ip4 <SA> --src <encap-src> --dst <encap-dst>\n\
-spi --ip6 <SA> --src <encap-src> --dst <encap-dst>\n\
-spi --ah <algo> <SA> [<life> ][ --replay_window <replay_window> ] --authkey <key>\n\
-	where <algo> is one of:	hmac-md5-96 | hmac-sha1-96\n\
-spi --esp <algo> <SA> [<life> ][ --replay_window <replay-window> ] --enckey <ekey> --authkey <akey>\n\
-	where <algo> is one of:	3des-md5-96 | 3des-sha1-96\n\
-spi --esp <algo> <SA> [<life> ][ --replay_window <replay-window> ] --enckey <ekey>\n\
-	where <algo> is:	3des\n\
-spi --comp <algo> <SA>\n\
-	where <algo> is:	deflate\n\
-[ --debug ] is optional to any spi command.\n\
-[ --label <label> ] is optional to any spi command.\n\
-[ --listenreply ]   is optional, and causes the command to stick\n\
-                    around and listen to what the PF_KEY socket says.\n\
-";
-
-
-static void
-usage(char *s, FILE *f)
-{
-	/* s argument is actually ignored, at present */
-	fprintf(f, "%s:%s", s, usage_string);
-	exit(-1);
-}
-
-int
-parse_life_options(uint32_t life[life_maxsever][life_maxtype],
-		   char *life_opt[life_maxsever][life_maxtype],
-		   char *optarg)
-{
-	char *optargp = optarg;
-	char *endptr;
-	
-	do {
-		int life_severity, life_type;
-		char *optargt = optargp;
-		
-		if(strncmp(optargp, "soft", sizeof("soft")-1) == 0) {
-			life_severity = life_soft;
-			optargp += sizeof("soft")-1;
-		} else if(strncmp(optargp, "hard", sizeof("hard")-1) == 0) {
-			life_severity = life_hard;
-			optargp += sizeof("hard")-1;
-		} else {
-			fprintf(stderr,
-				"%s: missing lifetime severity in %s, optargt=0p%p, optargp=0p%p, sizeof(\"soft\")=%d\n",
-				program_name,
-				optargt,
-				optargt,
-				optargp,
-				(int)sizeof("soft"));
-			usage(program_name, stderr);
-			return(1);
-		}
-		if(debug) {
-			fprintf(stdout,
-				"%s: debug: life_severity=%d, optargt=0p%p=\"%s\", optargp=0p%p=\"%s\", sizeof(\"soft\")=%d\n",
-				program_name,
-				life_severity,
-				optargt,
-				optargt,
-				optargp,
-				optargp,
-				(int)sizeof("soft"));
-		}
-		if(*(optargp++) != '-') {
-			fprintf(stderr,
-				"%s: expected '-' after severity of lifetime parameter to --life option.\n",
-				program_name);
-			usage(program_name, stderr);
-			return(1);
-		}
-		if(debug) {
-			fprintf(stdout,
-				"%s: debug: optargt=0p%p=\"%s\", optargp=0p%p=\"%s\", strlen(optargt)=%d, strlen(optargp)=%d, strncmp(optargp, \"addtime\", sizeof(\"addtime\")-1)=%d\n",
-				program_name,
-				optargt,
-				optargt,
-				optargp,
-				optargp,
-				(int)strlen(optargt),
-				(int)strlen(optargp),
-				strncmp(optargp, "addtime", sizeof("addtime")-1));
-		}
-		if(strncmp(optargp, "allocations", sizeof("allocations")-1) == 0) {
-			life_type = life_alloc;
-			optargp += sizeof("allocations")-1;
-		} else if(strncmp(optargp, "bytes", sizeof("bytes")-1) == 0) {
-			life_type = life_bytes;
-			optargp += sizeof("bytes")-1;
-		} else if(strncmp(optargp, "addtime", sizeof("addtime")-1) == 0) {
-			life_type = life_addtime;
-			optargp += sizeof("addtime")-1;
-		} else if(strncmp(optargp, "usetime", sizeof("usetime")-1) == 0) {
-			life_type = life_usetime;
-			optargp += sizeof("usetime")-1;
-		} else if(strncmp(optargp, "packets", sizeof("packets")-1) == 0) {
-			life_type = life_packets;
-			optargp += sizeof("packets")-1;
-		} else {
-			fprintf(stderr,
-				"%s: missing lifetime type after '-' in %s\n",
-				program_name,
-				optargt);
-			usage(program_name, stderr);
-			return(1);
-		}
-		if(debug) {
-			fprintf(stdout,
-				"%s: debug: life_type=%d\n",
-				program_name,
-				life_type);
-		}
-		if(life_opt[life_severity][life_type] != NULL) {
-			fprintf(stderr,
-				"%s: Error, lifetime parameter redefined:%s, already defined as:0p%p\n",
-				program_name,
-				optargt,
-				life_opt[life_severity][life_type]);
-			return(1);
-		}
-		if(*(optargp++) != '=') {
-			fprintf(stderr,
-				"%s: expected '=' after type of lifetime parameter to --life option.\n",
-				program_name);
-			usage(program_name, stderr);
-			return(1);
-		}
-		if(debug) {
-			fprintf(stdout,
-				"%s: debug: optargt=0p%p, optargt+strlen(optargt)=0p%p, optargp=0p%p, strlen(optargp)=%d\n",
-				program_name,
-				optargt,
-				optargt+strlen(optargt),
-				optargp,
-				(int)strlen(optargp));
-		}
-		if(strlen(optargp) == 0) {
-			fprintf(stderr,
-				"%s: expected value after '=' in --life option. optargt=0p%p, optargt+strlen(optargt)=0p%p, optargp=0p%p\n",
-				program_name,
-				optargt,
-				optargt+strlen(optargt),
-				optargp);
-			usage(program_name, stderr);
-			return(1);
-		}
-		life[life_severity][life_type] = strtoul(optargp, &endptr, 0);
-
-		if(!((endptr == optargp + strlen(optargp)) || (endptr == optargp + strcspn(optargp, ", ")))) {
-			fprintf(stderr,
-				"%s: Invalid character='%c' at offset %d in lifetime option parameter: '%s', parameter string is %d characters long, %d valid value characters found.\n",
-				program_name,
-				*endptr,
-				(int)(endptr - optarg),
-				optarg,
-				(int)strlen(optarg),
-				(int)(strcspn(optargp, ", ") - 1));
-			return(1);
-		}
-		life_opt[life_severity][life_type] = optargt;
-		if(debug) {
-			fprintf(stdout, "%s lifetime %s set to %d.\n",
-				program_name, optargt, life[life_severity][life_type]);
-		}
-		optargp=endptr+1;
-	} while(*endptr==',' || isspace(*endptr));
-	
-	return(0);
-}
-
-int
-pfkey_register(uint8_t satype) {
-	/* for registering SA types that can be negotiated */
-	int error;
-	ssize_t wlen;
-	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-	struct sadb_msg *pfkey_msg;
-
-	pfkey_extensions_init(extensions);
-	error = pfkey_msg_hdr_build(&extensions[0],
-				    SADB_REGISTER,
-				    satype,
-				    0,
-				    ++pfkey_seq,
-				    getpid());
-	if(error != 0) {
-		fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
-			program_name, error);
-		pfkey_extensions_free(extensions);
-		return(1);
-	}
-
-	error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN);
-	if(error != 0) {
-		fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
-			program_name, error);
-		pfkey_extensions_free(extensions);
-		pfkey_msg_free(&pfkey_msg);
-		return(1);
-	}
-	wlen = write(pfkey_sock, pfkey_msg,
-		     pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
-	if(wlen != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) {
-		/* cleanup code here */
-		if(wlen < 0)
-			fprintf(stderr, "%s: Trouble writing to channel PF_KEY: %s\n",
-				program_name,
-				strerror(errno));
-		else
-			fprintf(stderr, "%s: write to channel PF_KEY truncated.\n",
-				program_name);
-		pfkey_extensions_free(extensions);
-		pfkey_msg_free(&pfkey_msg);
-		return(1);
-	}
-	pfkey_extensions_free(extensions);
-	pfkey_msg_free(&pfkey_msg);
-	
-	return(0);
-}
-
-static struct option const longopts[] =
-{
-	{"ah", 1, 0, 'H'},
-	{"esp", 1, 0, 'P'},
-	{"comp", 1, 0, 'Z'},
-	{"ip4", 0, 0, '4'},
-	{"ip6", 0, 0, '6'},
-	{"del", 0, 0, 'd'},
-
-	{"authkey", 1, 0, 'A'},
-	{"enckey", 1, 0, 'E'},
-	{"edst", 1, 0, 'e'},
-	{"spi", 1, 0, 's'},
-	{"proto", 1, 0, 'p'},
-	{"af", 1, 0, 'a'},
-	{"replay_window", 1, 0, 'w'},
-	{"iv", 1, 0, 'i'},
-	{"dst", 1, 0, 'D'},
-	{"src", 1, 0, 'S'},
-	{"said", 1, 0, 'I'},
-
-	{"help", 0, 0, 'h'},
-	{"version", 0, 0, 'v'},
-	{"clear", 0, 0, 'c'},
-	{"label", 1, 0, 'l'},
-	{"debug", 0, 0, 'g'},
-	{"optionsfrom", 1, 0, '+'},
-	{"life", 1, 0, 'f'},
-	{"saref", 0, 0, 'r'},
-	{"listenreply", 0, 0, 'R'},
-	{0, 0, 0, 0}
-};
-
-int
-main(int argc, char *argv[])
-{
-	char *endptr;
-	__u32 spi = 0;
-	int c, previous = -1;
-/*	int ret; */
-	ip_said said;
-	size_t sa_len;
-	const char* error_s;
-	char ipaddr_txt[ADDRTOT_BUF];
-	char ipsaid_txt[SATOT_BUF];
-
-	int error = 0;
-	ssize_t io_error;
-	int argcount = argc;
-	pid_t mypid;
-	int listenreply = 0;
-
-	unsigned char authalg, encryptalg;
-	struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-	struct sadb_msg *pfkey_msg;
-	char *iv_opt, *akey_opt, *ekey_opt, *alg_opt, *edst_opt, *spi_opt, *proto_opt, *af_opt, *said_opt, *dst_opt, *src_opt;
-#if 0
-	ip_address pfkey_address_p_ska;
-	ip_address pfkey_ident_s_ska;
-	ip_address pfkey_ident_d_ska;
-#endif
-	uint32_t life[life_maxsever][life_maxtype];
-	char *life_opt[life_maxsever][life_maxtype];
-	
-	program_name = argv[0];
-	mypid = getpid();
-
-	memset(&said, 0, sizeof(said));
-	iv_opt = akey_opt = ekey_opt = alg_opt = edst_opt = spi_opt = proto_opt = af_opt = said_opt = dst_opt = src_opt = NULL;
-	{
-		int i,j;
-		for(i = 0; i < life_maxsever; i++) {
-			for(j = 0; j < life_maxtype; j++) {
-				life_opt[i][j] = NULL;
-				life[i][j] = 0;
-			}
-		}
-	}
-
-	while((c = getopt_long(argc, argv, ""/*"H:P:Z:46dcA:E:e:s:a:w:i:D:S:hvgl:+:f:"*/, longopts, 0)) != EOF) {
-		switch(c) {
-		case 'g':
-			debug = 1;
-			pfkey_lib_debug = PF_KEY_DEBUG_PARSE_MAX;
-			argcount--;
-			break;
-
-		case 'R':
-			listenreply = 1;
-			argcount--;
-			break;
-
-		case 'r':
-			saref = 1;
-			argcount--;
-			break;
-
-		case 'l':
-			program_name = malloc(strlen(argv[0])
-					      + 10 /* update this when changing the sprintf() */
-					      + strlen(optarg));
-			sprintf(program_name, "%s --label %s",
-				argv[0],
-				optarg);
-			argcount -= 2;
-			break;
-		case 'H':
-			if(alg) {
-				fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear'  options permitted.\n",
-					program_name);
-				exit(1);
-			}
-			if       (!strcmp(optarg, "hmac-md5-96")) {
-				alg = XF_AHHMACMD5;
-			} else if(!strcmp(optarg, "hmac-sha1-96")) {
-				alg = XF_AHHMACSHA1;
-			} else {
-				fprintf(stderr, "%s: Unknown authentication algorithm '%s' follows '--ah' option.\n",
-					program_name, optarg);
-				exit(1);
-			}
-			if(debug) {
-				fprintf(stdout, "%s: Algorithm %d selected.\n",
-					program_name,
-					alg);
-			}
-			alg_opt = optarg;
-			break;
-		case 'P':
-			if(alg) {
-				fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear'  options permitted.\n",
-					program_name);
-				exit(1);
-			}
-			if       (!strcmp(optarg, "3des-md5-96")) {
-				alg = XF_ESP3DESMD596;
-			} else if(!strcmp(optarg, "3des-sha1-96")) {
-				alg = XF_ESP3DESSHA196;
-			} else if(!strcmp(optarg, "3des")) {
-				alg = XF_ESP3DES;
-#ifndef NO_KERNEL_ALG
-			} else if((alg_info=alg_info_esp_create_from_str(optarg, &alg_err))) {
-				int esp_ealg_id, esp_aalg_id;
-				alg = XF_OTHER_ALG;
-				if (alg_info->alg_info_cnt>1) {
-					fprintf(stderr, "%s: Invalid encryption algorithm '%s' "
-						"follows '--esp' option: lead too many(%d) "
-						"transforms\n",
-						program_name, optarg, alg_info->alg_info_cnt);
-					exit(1);
-				}
-				alg_string=optarg;
-				esp_info=&alg_info->esp[0];
-				if (debug) {
-					fprintf(stdout, "%s: alg_info: cnt=%d ealg[0]=%d aalg[0]=%d\n",
-						program_name, 
-						alg_info->alg_info_cnt,
-						esp_info->encryptalg,
-						esp_info->authalg);
-				}
-				esp_ealg_id=esp_info->esp_ealg_id;
-				esp_aalg_id=esp_info->esp_aalg_id;
-				if (kernel_alg_proc_read()==0) {
-					proc_read_ok++;
-					if (!kernel_alg_esp_enc_ok(esp_ealg_id, 0, 0))
-					{
-						fprintf(stderr, "%s: ESP encryptalg=%d (\"%s\") "
-								"not present\n",
-							program_name,
-							esp_ealg_id,
-							enum_name(&esp_transformid_names, esp_ealg_id));
-						exit(1);
-					}
-					if (!kernel_alg_esp_auth_ok(esp_aalg_id, 0))
-					{
-						fprintf(stderr, "%s: ESP authalg=%d (\"%s\")"
-								"not present\n",
-							program_name,
-							esp_aalg_id,
-							enum_name(&auth_alg_names, esp_aalg_id));
-						exit(1);
-					}
-				}
-#endif /* NO_KERNEL_ALG */
-			} else {
-				fprintf(stderr, "%s: Invalid encryption algorithm '%s' follows '--esp' option.\n",
-					program_name, optarg);
-				exit(1);
-			}
-			if(debug) {
-				fprintf(stdout, "%s: Algorithm %d selected.\n",
-					program_name,
-					alg);
-			}
-			alg_opt = optarg;
-			break;
-		case 'Z':
-			if(alg) {
-				fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear'  options permitted.\n",
-					program_name);
-				exit(1);
-			}
-			if       (!strcmp(optarg, "deflate")) {
-				alg = XF_COMPDEFLATE;
-			} else {
-				fprintf(stderr, "%s: Unknown compression algorithm '%s' follows '--comp' option.\n",
-					program_name, optarg);
-				exit(1);
-			}
-			if(debug) {
-				fprintf(stdout, "%s: Algorithm %d selected.\n",
-					program_name,
-					alg);
-			}
-			alg_opt = optarg;
-			break;
-		case '4':
-			if(alg) {
-				fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
-					program_name);
-				exit(1);
-			}
-		       	alg = XF_IP4;
-			address_family = AF_INET;
-			if(debug) {
-				fprintf(stdout, "%s: Algorithm %d selected.\n",
-					program_name,
-					alg);
-			}
-			alg_opt = optarg;
-			break;
-		case '6':
-			if(alg) {
-				fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear' options permitted.\n",
-					program_name);
-				exit(1);
-			}
-		       	alg = XF_IP6;
-			address_family = AF_INET6;
-			if(debug) {
-				fprintf(stdout, "%s: Algorithm %d selected.\n",
-					program_name,
-					alg);
-			}
-			alg_opt = optarg;
-			break;
-		case 'd':
-			if(alg) {
-				fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear'  options permitted.\n",
-					program_name);
-				exit(1);
-			}
-			alg = XF_DEL;
-			if(debug) {
-				fprintf(stdout, "%s: Algorithm %d selected.\n",
-					program_name,
-					alg);
-			}
-			alg_opt = optarg;
-			break;
-		case 'c':
-			if(alg) {
-				fprintf(stderr, "%s: Only one of '--ah', '--esp', '--comp', '--ip4', '--ip6', '--del' or '--clear'  options permitted.\n",
-					program_name);
-				exit(1);
-			}
-			alg = XF_CLR;
-			if(debug) {
-				fprintf(stdout, "%s: Algorithm %d selected.\n",
-					program_name,
-					alg);
-			}
-			alg_opt = optarg;
-			break;
-		case 'e':
-			if(said_opt) {
-				fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined in SA:%s\n",
-					program_name, optarg, said_opt);
-				exit (1);
-			}				
-			if(edst_opt) {
-				fprintf(stderr, "%s: Error, EDST parameter redefined:%s, already defined as:%s\n",
-					program_name, optarg, edst_opt);
-				exit (1);
-			}
-			error_s = ttoaddr(optarg, 0, address_family, &edst);
-			if(error_s != NULL) {
-				if(error_s) {
-					fprintf(stderr, "%s: Error, %s converting --edst argument:%s\n",
-						program_name, error_s, optarg);
-					exit (1);
-				}
-			}
-			edst_opt = optarg;
-			if(debug) {
-				addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt));
-				fprintf(stdout, "%s: edst=%s.\n",
-					program_name,
-					ipaddr_txt);
-			}
-			break;
-		case 's':
-			if(said_opt) {
-				fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined in SA:%s\n",
-					program_name, optarg, said_opt);
-				exit (1);
-			}				
-			if(spi_opt) {
-				fprintf(stderr, "%s: Error, SPI parameter redefined:%s, already defined as:%s\n",
-					program_name, optarg, spi_opt);
-				exit (1);
-			}				
-			spi = strtoul(optarg, &endptr, 0);
-			if(!(endptr == optarg + strlen(optarg))) {
-				fprintf(stderr, "%s: Invalid character in SPI parameter: %s\n",
-					program_name, optarg);
-				exit (1);
-			}
-			if(spi < 0x100) {
-				fprintf(stderr, "%s: Illegal reserved spi: %s => 0x%x Must be larger than 0x100.\n",
-					program_name, optarg, spi);
-				exit(1);
-			}
-			spi_opt = optarg;
-			break;
-		case 'p':
-			if(said_opt) {
-				fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined in SA:%s\n",
-					program_name, optarg, said_opt);
-				exit (1);
-			}				
-			if(proto_opt) {
-				fprintf(stderr, "%s: Error, PROTO parameter redefined:%s, already defined as:%s\n",
-					program_name, optarg, proto_opt);
-				exit (1);
-			}
-			if(!strcmp(optarg, "ah"))
-				proto = SA_AH;
-			if(!strcmp(optarg, "esp"))
-				proto = SA_ESP;
-			if(!strcmp(optarg, "tun"))
-				proto = SA_IPIP;
-			if(!strcmp(optarg, "comp"))
-				proto = SA_COMP;
-			if(proto == 0) {
-				fprintf(stderr, "%s: Invalid PROTO parameter: %s\n",
-					program_name, optarg);
-				exit (1);
-			}
-			proto_opt = optarg;
-			break;
-		case 'a':
-			if(said_opt) {
-				fprintf(stderr, "%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined in SA:%s\n",
-					program_name, optarg, said_opt);
-				exit (1);
-			}				
-			if(af_opt) {
-				fprintf(stderr, "%s: Error, ADDRESS FAMILY parameter redefined:%s, already defined as:%s\n",
-					program_name, optarg, af_opt);
-				exit (1);
-			}
-			if(strcmp(optarg, "inet") == 0) {
-				address_family = AF_INET;
-				/* currently we ensure that all addresses belong to the same address family */
-				anyaddr(address_family, &dst);
-				anyaddr(address_family, &edst);
-				anyaddr(address_family, &src);
-			}
-			if(strcmp(optarg, "inet6") == 0) {
-				address_family = AF_INET6;
-				/* currently we ensure that all addresses belong to the same address family */
-				anyaddr(address_family, &dst);
-				anyaddr(address_family, &edst);
-				anyaddr(address_family, &src);
-			}
-			if((strcmp(optarg, "inet") != 0) && (strcmp(optarg, "inet6") != 0)) {
-				fprintf(stderr, "%s: Invalid ADDRESS FAMILY parameter: %s.\n",
-					program_name, optarg);
-				exit (1);
-			}
-			af_opt = optarg;
-			break;
-		case 'I':
-			if(said_opt) {
-				fprintf(stderr, "%s: Error, SAID parameter redefined:%s, already defined in SA:%s\n",
-					program_name, optarg, said_opt);
-				exit (1);
-			}				
-			if(proto_opt) {
-				fprintf(stderr, "%s: Error, PROTO parameter redefined in SA:%s, already defined as:%s\n",
-					program_name, optarg, proto_opt);
-				exit (1);
-			}
-			if(edst_opt) {
-				fprintf(stderr, "%s: Error, EDST parameter redefined in SA:%s, already defined as:%s\n",
-					program_name, optarg, edst_opt);
-				exit (1);
-			}
-			if(spi_opt) {
-				fprintf(stderr, "%s: Error, SPI parameter redefined in SA:%s, already defined as:%s\n",
-					program_name, optarg, spi_opt);
-				exit (1);
-			}
-			error_s = ttosa(optarg, 0, &said);
-			if(error_s != NULL) {
-				fprintf(stderr, "%s: Error, %s converting --sa argument:%s\n",
-					program_name, error_s, optarg);
-				exit (1);
-			}
-			if(debug) {
-				satot(&said, 0, ipsaid_txt, sizeof(ipsaid_txt));
-				fprintf(stdout, "%s: said=%s.\n",
-					program_name,
-					ipsaid_txt);
-			}
-			/* init the src and dst with the same address family */
-			if(address_family == 0) {
-				address_family = addrtypeof(&said.dst);
-			} else if(address_family != addrtypeof(&said.dst)) {
-				fprintf(stderr, "%s: Error, specified address family (%d) is different that of SAID: %s\n",
-					program_name, address_family, optarg);
-				exit (1);
-			}
-			anyaddr(address_family, &dst);
-			anyaddr(address_family, &edst);
-			anyaddr(address_family, &src);
-			said_opt = optarg;
-			break;
-		case 'A':
-			if(optarg[0] == '0') {
-				switch(optarg[1]) {
-				case 't':
-				case 'x':
-				case 's':
-					break;
-				default:
-					fprintf(stderr, "%s: Authentication key must have a '0x', '0t' or '0s' prefix to select the format: %s\n",
-						program_name, optarg);
-					exit(1);
-				}
-			}
-			authkeylen = atodata(optarg, 0, NULL, 0);
-			if(!authkeylen) {
-				fprintf(stderr, "%s: unknown format or syntax error in authentication key: %s\n",
-					program_name, optarg);
-				exit (1);
-			}
-			authkey = malloc(authkeylen);
-			if(authkey == NULL) {
-				fprintf(stderr, "%s: Memory allocation error.\n", program_name);
-				exit(1);
-			}
-			memset(authkey, 0, authkeylen);
-			authkeylen = atodata(optarg, 0, authkey, authkeylen);
-			akey_opt = optarg;
-			break;
-		case 'E':
-			if(optarg[0] == '0') {
-				switch(optarg[1]) {
-				case 't':
-				case 'x':
-				case 's':
-					break;
-				default:
-					fprintf(stderr, "%s: Encryption key must have a '0x', '0t' or '0s' prefix to select the format: %s\n",
-						program_name, optarg);
-					exit(1);
-				}
-			}
-			enckeylen = atodata(optarg, 0, NULL, 0);
-			if(!enckeylen) {
-				fprintf(stderr, "%s: unknown format or syntax error in encryption key: %s\n",
-					program_name, optarg);
-				exit (1);
-			}
-			enckey = malloc(enckeylen);
-			if(enckey == NULL) {
-				fprintf(stderr, "%s: Memory allocation error.\n", program_name);
-				exit(1);
-			}
-			memset(enckey, 0, enckeylen);
-			enckeylen = atodata(optarg, 0, enckey, enckeylen);
-			ekey_opt = optarg;
-			break;
-		case 'w':
-			replay_window = strtoul(optarg, &endptr, 0);
-			if(!(endptr == optarg + strlen(optarg))) {
-				fprintf(stderr, "%s: Invalid character in replay_window parameter: %s\n",
-					program_name, optarg);
-				exit (1);
-			}
-			if((replay_window < 0x1) || (replay_window > 64)) {
-				fprintf(stderr, "%s: Failed -- Illegal window size: arg=%s, replay_window=%d, must be 1 <= size <= 64.\n",
-					program_name, optarg, replay_window);
-				exit(1);
-			}
-			break;
-		case 'i':
-			if(optarg[0] == '0') {
-				switch(optarg[1]) {
-				case 't':
-				case 'x':
-				case 's':
-					break;
-				default:
-					fprintf(stderr, "%s: IV must have a '0x', '0t' or '0s' prefix to select the format, found '%c'.\n",
-						program_name, optarg[1]);
-					exit(1);
-				}
-			}
-			ivlen = atodata(optarg, 0, NULL, 0);
-			if(!ivlen) {
-				fprintf(stderr, "%s: unknown format or syntax error in IV: %s\n",
-					program_name, optarg);
-				exit (1);
-			}
-			iv = malloc(ivlen);
-			if(iv == NULL) {
-				fprintf(stderr, "%s: Memory allocation error.\n", program_name);
-				exit(1);
-			}
-			memset(iv, 0, ivlen);
-			ivlen = atodata(optarg, 0, iv, ivlen);
-			iv_opt = optarg;
-			break;
-		case 'D':
-			if(dst_opt) {
-				fprintf(stderr, "%s: Error, DST parameter redefined:%s, already defined as:%s\n",
-					program_name, optarg, dst_opt);
-				exit (1);
-			}				
-			error_s = ttoaddr(optarg, 0, address_family, &dst);
-			if(error_s != NULL) {
-				fprintf(stderr, "%s: Error, %s converting --dst argument:%s\n",
-					program_name, error_s, optarg);
-				exit (1);
-			}
-			dst_opt = optarg;
-			if(debug) {
-				addrtot(&dst, 0, ipaddr_txt, sizeof(ipaddr_txt));
-				fprintf(stdout, "%s: dst=%s.\n",
-					program_name,
-					ipaddr_txt);
-			}
-			break;
-		case 'S':
-			if(src_opt) {
-				fprintf(stderr, "%s: Error, SRC parameter redefined:%s, already defined as:%s\n",
-					program_name, optarg, src_opt);
-				exit (1);
-			}				
-			error_s = ttoaddr(optarg, 0, address_family, &src);
-			if(error_s != NULL) {
-				fprintf(stderr, "%s: Error, %s converting --src argument:%s\n",
-					program_name, error_s, optarg);
-				exit (1);
-			}
-			src_opt = optarg;
-			if(debug) {
-				addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt));
-				fprintf(stdout, "%s: src=%s.\n",
-					program_name,
-					ipaddr_txt);
-			}
-			break;
-		case 'h':
-			usage(program_name, stdout);
-			exit(0);
-		case '?':
-			usage(program_name, stderr);
-			exit(1);
-		case 'v':
-			fprintf(stdout, "%s, %s\n", program_name, spi_c_version);
-			exit(1);
-		case '+': /* optionsfrom */
-			optionsfrom(optarg, &argc, &argv, optind, stderr);
-			/* no return on error */
-			break;
-		case 'f':
-			if(parse_life_options(life,
-					   life_opt,
-					   optarg) != 0) {
-				exit(1);
-			};
-			break;
-		default:
-			fprintf(stderr, "%s: unrecognized option '%c', update option processing.\n",
-				program_name, c);
-			exit(1);
-		}
-		previous = c;
-	}
-	if(debug) {
-		fprintf(stdout, "%s: All options processed.\n",
-				program_name);
-	}
-
-	if(argcount == 1) {
-		system("cat /proc/net/ipsec_spi");
-		exit(0);
-	}
-
-	switch(alg) {
-#ifndef NO_KERNEL_ALG
-	case XF_OTHER_ALG: 
-		/* validate keysizes */
-		if (proc_read_ok) {
-		       const struct sadb_alg *alg_p;
-		       size_t keylen, minbits, maxbits;
-
-		       alg_p=kernel_alg_sadb_alg_get(SADB_SATYPE_ESP,SADB_EXT_SUPPORTED_ENCRYPT, 
-				       esp_info->encryptalg);
-		       assert(alg_p);
-		       keylen=enckeylen * 8;
-
-		       if (alg_p->sadb_alg_id==ESP_3DES || alg_p->sadb_alg_id==ESP_DES) {
-			       maxbits=minbits=alg_p->sadb_alg_minbits * 8 /7;
-		       } else {
-			       minbits=alg_p->sadb_alg_minbits;
-			       maxbits=alg_p->sadb_alg_maxbits;
-		       }
-		       /* 
-			* if explicit keylen told in encrypt algo, eg "aes128"
-			* check actual keylen "equality"
-			*/
-		       if (esp_info->esp_ealg_keylen &&
-			       esp_info->esp_ealg_keylen!=keylen) {
-			       fprintf(stderr, "%s: invalid encryption keylen=%d, "
-					       "required %d by encrypt algo string=\"%s\"\n",
-				       program_name, 
-				       (int)keylen,
-				       (int)esp_info->esp_ealg_keylen,
-				       alg_string);
-			       exit(1);
-
-		       }
-		       /* thanks DES for this sh*t */
-
-		       if (minbits > keylen || maxbits < keylen) {
-			       fprintf(stderr, "%s: invalid encryption keylen=%d, "
-					       "must be between %d and %d bits\n",
-					       program_name, 
-					       (int)keylen, (int)minbits, (int)maxbits);
-			       exit(1);
-		       }
-		       alg_p=kernel_alg_sadb_alg_get(SADB_SATYPE_ESP,SADB_EXT_SUPPORTED_AUTH, 
-				       esp_info->authalg);
-		       assert(alg_p);
-		       keylen=authkeylen * 8;
-		       minbits=alg_p->sadb_alg_minbits;
-		       maxbits=alg_p->sadb_alg_maxbits;
-		       if (minbits > keylen || maxbits < keylen) {
-			       fprintf(stderr, "%s: invalid auth keylen=%d, "
-					       "must be between %d and %d bits\n",
-					       program_name, 
-					       (int)keylen, (int)minbits, (int)maxbits);
-			       exit(1);
-		       }
-
-		}
-#endif /* NO_KERNEL_ALG */
-	case XF_IP4:
-	case XF_IP6:
-	case XF_DEL:
-	case XF_AHHMACMD5:
-	case XF_AHHMACSHA1:
-	case XF_ESP3DESMD596:
-	case XF_ESP3DESSHA196:
-	case XF_ESP3DES:
-	case XF_COMPDEFLATE:
-		if(!said_opt) {
-			if(isanyaddr(&edst)) {
-				fprintf(stderr, "%s: SA destination not specified.\n",
-					program_name);
-				exit(1);
-			}
-			if(!spi) {
-				fprintf(stderr, "%s: SA SPI not specified.\n",
-					program_name);
-				exit(1);
-			}
-			if(!proto) {
-				fprintf(stderr, "%s: SA PROTO not specified.\n",
-					program_name);
-				exit(1);
-			}
-			initsaid(&edst, htonl(spi), proto, &said);
-		} else {
-			proto = said.proto;
-			spi = ntohl(said.spi);
-			edst = said.dst;
-		}
-		if((address_family != 0) && (address_family != addrtypeof(&said.dst))) {
-			fprintf(stderr, "%s: Defined address family and address family of SA missmatch.\n",
-				program_name);
-			exit(1);
-		}
-		sa_len = satot(&said, 0, sa, sizeof(sa));
-
-		if(debug) {
-			fprintf(stdout, "%s: SA valid.\n",
-				program_name);
-		}
-		break;
-	case XF_CLR:
-		break;
-	default:
-		fprintf(stderr, "%s: No action chosen.  See '%s --help' for usage.\n",
-			program_name, program_name);
-		exit(1);
-	}
-
-	switch(alg) {
-	case XF_CLR:
-	case XF_DEL:
-	case XF_IP4:
-	case XF_IP6:
-	case XF_AHHMACMD5:
-	case XF_AHHMACSHA1:
-	case XF_ESP3DESMD596:
-	case XF_ESP3DESSHA196:
-	case XF_ESP3DES:
-	case XF_COMPDEFLATE:
-#ifndef NO_KERNEL_ALG
-	case XF_OTHER_ALG:
-#endif /* NO_KERNEL_ALG */
-		break;
-	default:
-		fprintf(stderr, "%s: No action chosen.  See '%s --help' for usage.\n",
-			program_name, program_name);
-		exit(1);
-	}
-	if(debug) {
-		fprintf(stdout, "%s: Algorithm ok.\n",
-			program_name);
-	}
-
-	if((pfkey_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2) ) < 0) {
-		fprintf(stderr, "%s: Trouble opening PF_KEY family socket with error: ",
-			program_name);
-		switch(errno) {
-		case ENOENT:
-			fprintf(stderr, "device does not exist.  See FreeS/WAN installation procedure.\n");
-			break;
-		case EACCES:
-			fprintf(stderr, "access denied.  ");
-			if(getuid() == 0) {
-				fprintf(stderr, "Check permissions.  Should be 600.\n");
-			} else {
-				fprintf(stderr, "You must be root to open this file.\n");
-			}
-			break;
-		case EUNATCH:
-			fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
-			break;
-		case ENODEV:
-			fprintf(stderr, "KLIPS not loaded or enabled.\n");
-			break;
-		case EBUSY:
-			fprintf(stderr, "KLIPS is busy.  Most likely a serious internal error occured in a previous command.  Please report as much detail as possible to development team.\n");
-			break;
-		case EINVAL:
-			fprintf(stderr, "Invalid argument, KLIPS not loaded or check kernel log messages for specifics.\n");
-			break;
-		case ENOBUFS:
-			fprintf(stderr, "No kernel memory to allocate SA.\n");
-			break;
-		case ESOCKTNOSUPPORT:
-			fprintf(stderr, "Algorithm support not available in the kernel.  Please compile in support.\n");
-			break;
-		case EEXIST:
-			fprintf(stderr, "SA already in use.  Delete old one first.\n");
-			break;
-		case ENXIO:
-			fprintf(stderr, "SA does not exist.  Cannot delete.\n");
-			break;
-		case EAFNOSUPPORT:
-			fprintf(stderr, "KLIPS not loaded or enabled.\n");
-			break;
-		default:
-			fprintf(stderr, "Unknown file open error %d.  Please report as much detail as possible to development team.\n", errno);
-		}
-		exit(1);
-	}
-
-#ifdef MANUAL_IS_NOT_ABLE_TO_NEGOTIATE
-	/* for registering SA types that can be negotiated */
-	if(pfkey_register(SADB_SATYPE_AH) != 0) {
-		exit(1);
-	}
-	if(pfkey_register(SADB_SATYPE_ESP) != 0) {
-		exit(1);
-	}
-	if(pfkey_register(SADB_X_SATYPE_IPIP) != 0) {
-		exit(1);
-	}
-	if(pfkey_register(SADB_X_SATYPE_COMP) != 0) {
-		exit(1);
-	}
-#endif /* MANUAL_IS_NOT_ABLE_TO_NEGOTIATE */
-
-	/* Build an SADB_ADD message to send down. */
-	/* It needs <base, SA, address(SD), key(AE)> minimum. */
-	/*   Lifetime(HS) could be added before addresses. */
-	pfkey_extensions_init(extensions);
-	if(debug) {
-		fprintf(stdout, "%s: extensions=0p%p &extensions=0p%p extensions[0]=0p%p &extensions[0]=0p%p cleared.\n",
-			program_name,
-			extensions,
-			&extensions,
-			extensions[0],
-			&extensions[0]);
-	}
-	if((error = pfkey_msg_hdr_build(&extensions[0],
-					(alg == XF_DEL ? SADB_DELETE : alg == XF_CLR ? SADB_FLUSH : SADB_ADD),
-					proto2satype(proto),
-					0,
-					++pfkey_seq,
-					mypid))) {
-		fprintf(stderr, "%s: Trouble building message header, error=%d.\n",
-			program_name, error);
-		pfkey_extensions_free(extensions);
-		exit(1);
-	}
-	if(debug) {
-		fprintf(stdout, "%s: extensions=0p%p &extensions=0p%p extensions[0]=0p%p &extensions[0]=0p%p set w/msghdr.\n",
-			program_name,
-			extensions,
-			&extensions,
-			extensions[0],
-			&extensions[0]);
-	}
-	if(debug) {
-		fprintf(stdout, "%s: base message assembled.\n", program_name);
-	}
-	
-	switch(alg) {
-	case XF_AHHMACMD5:
-	case XF_ESP3DESMD596:
-		authalg = SADB_AALG_MD5_HMAC;
-		break;
-	case XF_AHHMACSHA1:
-	case XF_ESP3DESSHA196:
-		authalg = SADB_AALG_SHA1_HMAC;
-		break;
-#ifndef NO_KERNEL_ALG
-	case XF_OTHER_ALG:
-		authalg= esp_info->authalg;
-		if(debug) {
-			fprintf(stdout, "%s: debug: authalg=%d\n",
-				program_name, authalg);
-		}
-		break;
-#endif /* NO_KERNEL_ALG */
-	case XF_ESP3DESMD5:
-	default:
-		authalg = SADB_AALG_NONE;
-	}
-	switch(alg) {
-	case XF_ESP3DES:
-	case XF_ESP3DESMD596:
-	case XF_ESP3DESSHA196:
-		encryptalg = SADB_EALG_3DES_CBC;
-		break;
-	case XF_COMPDEFLATE:
-		encryptalg = SADB_X_CALG_DEFLATE;
-		break;
-#ifndef NO_KERNEL_ALG
-	case XF_OTHER_ALG:
-		encryptalg= esp_info->encryptalg;
-		if(debug) {
-			fprintf(stdout, "%s: debug: encryptalg=%d\n",
-				program_name, encryptalg);
-		}
-		break;
-#endif /* NO_KERNEL_ALG */
-	default:
-		encryptalg = SADB_EALG_NONE;
-	}
-	if(!(alg == XF_CLR /* IE: pfkey_msg->sadb_msg_type == SADB_FLUSH */)) {
-		if((error = pfkey_sa_build(&extensions[SADB_EXT_SA],
-					   SADB_EXT_SA,
-					   htonl(spi), /* in network order */
-					   replay_window,
-					   SADB_SASTATE_MATURE,
-					   authalg,
-					   encryptalg,
-					   0))) {
-			fprintf(stderr, "%s: Trouble building sa extension, error=%d.\n",
-				program_name, error);
-			pfkey_extensions_free(extensions);
-			exit(1);
-		}
-		if(debug) {
-			fprintf(stdout, "%s: extensions[0]=0p%p previously set with msg_hdr.\n",
-				program_name,
-				extensions[0]);
-		}
-		if(debug) {
-			fprintf(stdout, "%s: assembled SA extension, pfkey msg authalg=%d encalg=%d.\n",
-				program_name,
-				authalg,
-				encryptalg);
-		}
-		
-		if(debug) {
-			int i,j;
-			for(i = 0; i < life_maxsever; i++) {
-				for(j = 0; j < life_maxtype; j++) {
-					fprintf(stdout, "%s: i=%d, j=%d, life_opt[%d][%d]=0p%p, life[%d][%d]=%d\n",
-						program_name,
-						i, j, i, j, life_opt[i][j], i, j, life[i][j]);
-				}
-			}
-		}
-		if(life_opt[life_soft][life_alloc] != NULL ||
-		   life_opt[life_soft][life_bytes] != NULL ||
-		   life_opt[life_soft][life_addtime] != NULL ||
-		   life_opt[life_soft][life_usetime] != NULL ||
-		   life_opt[life_soft][life_packets] != NULL) {
-			if((error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_SOFT],
-							 SADB_EXT_LIFETIME_SOFT,
-							 life[life_soft][life_alloc],/*-1,*/		/*allocations*/
-							 life[life_soft][life_bytes],/*-1,*/		/*bytes*/
-							 life[life_soft][life_addtime],/*-1,*/		/*addtime*/
-							 life[life_soft][life_usetime],/*-1,*/		/*usetime*/
-							 life[life_soft][life_packets]/*-1*/))) {	/*packets*/
-				fprintf(stderr, "%s: Trouble building lifetime_s extension, error=%d.\n",
-					program_name, error);
-				pfkey_extensions_free(extensions);
-				exit(1);
-			}
-			if(debug) {
-				fprintf(stdout, "%s: lifetime_s extension assembled.\n",
-					program_name);
-			}
-		}
-
-		if(life_opt[life_hard][life_alloc] != NULL ||
-		   life_opt[life_hard][life_bytes] != NULL ||
-		   life_opt[life_hard][life_addtime] != NULL ||
-		   life_opt[life_hard][life_usetime] != NULL ||
-		   life_opt[life_hard][life_packets] != NULL) {
-			if((error = pfkey_lifetime_build(&extensions[SADB_EXT_LIFETIME_HARD],
-							 SADB_EXT_LIFETIME_HARD,
-							 life[life_hard][life_alloc],/*-1,*/		/*allocations*/
-							 life[life_hard][life_bytes],/*-1,*/		/*bytes*/
-							 life[life_hard][life_addtime],/*-1,*/		/*addtime*/
-							 life[life_hard][life_usetime],/*-1,*/		/*usetime*/
-							 life[life_hard][life_packets]/*-1*/))) {	/*packets*/
-				fprintf(stderr, "%s: Trouble building lifetime_h extension, error=%d.\n",
-					program_name, error);
-				pfkey_extensions_free(extensions);
-				exit(1);
-			}
-			if(debug) {
-				fprintf(stdout, "%s: lifetime_h extension assembled.\n",
-					program_name);
-			}
-		}
-		
-		if(debug) {
-                	addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt));
-			fprintf(stdout, "%s: assembling address_s extension (%s).\n",
-				program_name, ipaddr_txt);
-		}
-	
-		if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_SRC],
-						SADB_EXT_ADDRESS_SRC,
-						0,
-						0,
-						sockaddrof(&src)))) {
-                	addrtot(&src, 0, ipaddr_txt, sizeof(ipaddr_txt));
-			fprintf(stderr, "%s: Trouble building address_s extension (%s), error=%d.\n",
-				program_name, ipaddr_txt, error);
-			pfkey_extensions_free(extensions);
-			exit(1);
-		}
-		if(debug) {
-			ip_address temp_addr;
-			
-			switch(address_family) {
-				case AF_INET:
-					initaddr((const unsigned char *)&(((struct sockaddr_in*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_SRC])) + 1))->sin_addr),
-						sockaddrlenof(&src), address_family, &temp_addr);
-					break;
-				case AF_INET6:
-					initaddr((const unsigned char *)&(((struct sockaddr_in6*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_SRC])) + 1))->sin6_addr),
-						sockaddrlenof(&src), address_family, &temp_addr);
-					break;
-				default:
-					fprintf(stdout, "%s: unknown address family (%d).\n",
-						program_name, address_family);
-					exit(1);
-			}
-                	addrtot(&temp_addr, 0, ipaddr_txt, sizeof(ipaddr_txt));
-			fprintf(stdout, "%s: address_s extension assembled (%s).\n",
-				program_name, ipaddr_txt);
-		}
-	
-		if(debug) {
-                	addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt));
-			fprintf(stdout, "%s: assembling address_d extension (%s).\n",
-				program_name, ipaddr_txt);
-		}
-	
-		if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_DST],
-						SADB_EXT_ADDRESS_DST,
-						0,
-						0,
-						sockaddrof(&edst)))) {
-                	addrtot(&edst, 0, ipaddr_txt, sizeof(ipaddr_txt));
-			fprintf(stderr, "%s: Trouble building address_d extension (%s), error=%d.\n",
-				program_name, ipaddr_txt, error);
-			pfkey_extensions_free(extensions);
-			exit(1);
-		}
-		if(debug) {
-			ip_address temp_addr;
-			switch(address_family) {
-				case AF_INET:
-					initaddr((const unsigned char *)&(((struct sockaddr_in*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_DST])) + 1))->sin_addr),
-						4, address_family, &temp_addr);
-					break;
-				case AF_INET6:
-					initaddr((const unsigned char *)&(((struct sockaddr_in6*)( ((struct sadb_address*)(extensions[SADB_EXT_ADDRESS_DST])) + 1))->sin6_addr),
-						16, address_family, &temp_addr);
-					break;
-				default:
-					fprintf(stdout, "%s: unknown address family (%d).\n",
-						program_name, address_family);
-					exit(1);
-			}
-                	addrtot(&temp_addr, 0, ipaddr_txt, sizeof(ipaddr_txt));
-			fprintf(stdout, "%s: address_d extension assembled (%s).\n",
-				program_name, ipaddr_txt);
-		}
-
-#if PFKEY_PROXY
-		anyaddr(address_family, &pfkey_address_p_ska);
-		if((error = pfkey_address_build(&extensions[SADB_EXT_ADDRESS_PROXY],
-						SADB_EXT_ADDRESS_PROXY,
-						0,
-						0,
-						sockaddrof(&pfkey_address_p_ska)))) {
-			fprintf(stderr, "%s: Trouble building address_p extension, error=%d.\n",
-				program_name, error);
-			pfkey_extensions_free(extensions);
-			exit(1);
-		}
-		if(debug) {
-			fprintf(stdout, "%s: address_p extension assembled.\n", program_name);
-		}
-#endif /* PFKEY_PROXY */
-		
-		switch(alg) {
-#ifndef NO_KERNEL_ALG
-		/*	Allow no auth ... after all is local root decision 8)  */
-		case XF_OTHER_ALG:
-			if (!authalg)
-				break;
-#endif /* NO_KERNEL_ALG */
-		case XF_AHHMACMD5:
-		case XF_ESP3DESMD596:
-		case XF_AHHMACSHA1:
-		case XF_ESP3DESSHA196:
-			if((error = pfkey_key_build(&extensions[SADB_EXT_KEY_AUTH],
-						    SADB_EXT_KEY_AUTH,
-						    authkeylen * 8,
-						    authkey))) {
-				fprintf(stderr, "%s: Trouble building key_a extension, error=%d.\n",
-					program_name, error);
-				pfkey_extensions_free(extensions);
-				exit(1);
-			}
-			if(debug) {
-				fprintf(stdout, "%s: key_a extension assembled.\n",
-					program_name);
-			}
-			break;
-		default:
-			break;
-		}
-		
-		switch(alg) {
-		case XF_ESP3DES:
-		case XF_ESP3DESMD596:
-		case XF_ESP3DESSHA196:
-#ifndef NO_KERNEL_ALG
-		case XF_OTHER_ALG:
-#endif /* NO_KERNEL_ALG */
-			if((error = pfkey_key_build(&extensions[SADB_EXT_KEY_ENCRYPT],
-						    SADB_EXT_KEY_ENCRYPT,
-						    enckeylen * 8,
-						    enckey))) {
-				fprintf(stderr, "%s: Trouble building key_e extension, error=%d.\n",
-					program_name, error);
-				pfkey_extensions_free(extensions);
-				exit(1);
-			}
-			if(debug) {
-				fprintf(stdout, "%s: key_e extension assembled.\n",
-					program_name);
-			}
-			break;
-		default:
-			break;
-		}
-		
-#ifdef PFKEY_IDENT /* GG: looks wierd, not touched */
-		if((pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_SRC],
-				      SADB_EXT_IDENTITY_SRC,
-				      SADB_IDENTTYPE_PREFIX,
-				      0,
-				      strlen(pfkey_ident_s_ska),
-				      pfkey_ident_s_ska))) {
-			fprintf(stderr, "%s: Trouble building ident_s extension, error=%d.\n",
-				program_name, error);
-			pfkey_extensions_free(extensions);
-			exit(1);
-		}
-		if(subnettoa(addr, mask, format, pfkey_ident_s_ska,
-			     sizeof(pfkey_ident_s_ska) ) !=
-		   sizeof(pfkey_ident_s_ska) ) {
-			exit (1);
-		}
-		
-		if((error = pfkey_ident_build(&extensions[SADB_EXT_IDENTITY_DST],
-					      SADB_EXT_IDENTITY_DST,
-					      SADB_IDENTTYPE_PREFIX,
-					      0,
-					      strlen(pfkey_ident_d_ska),
-					      pfkey_ident_d_ska))) {
-			fprintf(stderr, "%s: Trouble building ident_d extension, error=%d.\n",
-				program_name, error);
-			pfkey_extensions_free(extensions);
-			exit(1);
-		}
-		if(subnettoa(addr, mask, format, pfkey_ident_d_ska,
-			     sizeof(pfkey_ident_d_ska) ) !=
-		   sizeof(pfkey_ident_d_ska) ) {
-			exit (1);
-		}
-
-		if(debug) {
-			fprintf(stdout, "%s: ident extensions assembled.\n",
-				program_name);
-		}
-#endif /* PFKEY_IDENT */
-	}
-	
-	if(debug) {
-		fprintf(stdout, "%s: assembling pfkey msg....\n",
-			program_name);
-	}
-	if((error = pfkey_msg_build(&pfkey_msg, extensions, EXT_BITS_IN))) {
-		fprintf(stderr, "%s: Trouble building pfkey message, error=%d.\n",
-			program_name, error);
-		pfkey_extensions_free(extensions);
-		pfkey_msg_free(&pfkey_msg);
-		exit(1);
-	}
-	if(debug) {
-		fprintf(stdout, "%s: assembled.\n",
-			program_name);
-	}
-	if(debug) {
-		fprintf(stdout, "%s: writing pfkey msg.\n",
-			program_name);
-	}
-	io_error = write(pfkey_sock,
-			 pfkey_msg,
-			 pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN);
-	if(io_error < 0) {
-		fprintf(stderr, "%s: pfkey write failed (errno=%d): ",
-			program_name, errno);
-		pfkey_extensions_free(extensions);
-		pfkey_msg_free(&pfkey_msg);
-		switch(errno) {
-		case EACCES:
-			fprintf(stderr, "access denied.  ");
-			if(getuid() == 0) {
-				fprintf(stderr, "Check permissions.  Should be 600.\n");
-			} else {
-				fprintf(stderr, "You must be root to open this file.\n");
-			}
-			break;
-		case EUNATCH:
-			fprintf(stderr, "Netlink not enabled OR KLIPS not loaded.\n");
-			break;
-		case EBUSY:
-			fprintf(stderr, "KLIPS is busy.  Most likely a serious internal error occured in a previous command.  Please report as much detail as possible to development team.\n");
-			break;
-		case EINVAL:
-			fprintf(stderr, "Invalid argument, check kernel log messages for specifics.\n");
-			break;
-		case ENODEV:
-			fprintf(stderr, "KLIPS not loaded or enabled.\n");
-			fprintf(stderr, "No device?!?\n");
-			break;
-		case ENOBUFS:
-			fprintf(stderr, "No kernel memory to allocate SA.\n");
-			break;
-		case ESOCKTNOSUPPORT:
-			fprintf(stderr, "Algorithm support not available in the kernel.  Please compile in support.\n");
-			break;
-		case EEXIST:
-			fprintf(stderr, "SA already in use.  Delete old one first.\n");
-			break;
-		case ENOENT:
-			fprintf(stderr, "device does not exist.  See FreeS/WAN installation procedure.\n");
-			break;
-		case ENXIO:
-		case ESRCH:
-			fprintf(stderr, "SA does not exist.  Cannot delete.\n");
-			break;
-		case ENOSPC:
-			fprintf(stderr, "no room in kernel SAref table.  Cannot process request.\n");
-			break;
-		case ESPIPE:
-			fprintf(stderr, "kernel SAref table internal error.  Cannot process request.\n");
-			break;
-		default:
-			fprintf(stderr, "Unknown socket write error %d (%s).  Please report as much detail as possible to development team.\n",
-				errno, strerror(errno));
-		}
-		exit(1);
-	} else if (io_error != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN)) {
-		fprintf(stderr, "%s: pfkey write truncated to %d bytes\n",
-			program_name, (int)io_error);
-		pfkey_extensions_free(extensions);
-		pfkey_msg_free(&pfkey_msg);
-		exit(1);
-	}
-
-	if(debug) {
-		fprintf(stdout, "%s: pfkey command written to socket.\n",
-			program_name);
-	}
-
-	if(pfkey_msg) {
-		pfkey_extensions_free(extensions);
-		pfkey_msg_free(&pfkey_msg);
-	}
-	if(debug) {
-		fprintf(stdout, "%s: pfkey message buffer freed.\n",
-			program_name);
-	}
-	if(authkey) {
-		memset((caddr_t)authkey, 0, authkeylen);
-		free(authkey);
-	}
-	if(enckey) {
-		memset((caddr_t)enckey, 0, enckeylen);
-		free(enckey);
-	}
-	if(iv) {
-		memset((caddr_t)iv, 0, ivlen);
-		free(iv);
-	}
-
-	if(listenreply || saref) {
-		ssize_t readlen;
-		unsigned char pfkey_buf[PFKEYv2_MAX_MSGSIZE];
-		
-		while((readlen = read(pfkey_sock, pfkey_buf, sizeof(pfkey_buf))) > 0) {
-			struct sadb_ext *extensions[SADB_EXT_MAX + 1];
-			pfkey_extensions_init(extensions);
-			pfkey_msg = (struct sadb_msg *)pfkey_buf;
-			
-			/* first, see if we got enough for an sadb_msg */
-			if((size_t)readlen < sizeof(struct sadb_msg)) {
-				if(debug) {
-					printf("%s: runt packet of size: %ld (<%lu)\n",
-					       program_name, (long)readlen, (unsigned long)sizeof(struct sadb_msg));
-				}
-				continue;
-			}
-			
-			/* okay, we got enough for a message, print it out */
-			if(debug) {
-				printf("%s: pfkey v%d msg received. type=%d(%s) seq=%d len=%d pid=%d errno=%d satype=%d(%s)\n",
-				       program_name,
-				       pfkey_msg->sadb_msg_version,
-				       pfkey_msg->sadb_msg_type,
-				       pfkey_v2_sadb_type_string(pfkey_msg->sadb_msg_type),
-				       pfkey_msg->sadb_msg_seq,
-				       pfkey_msg->sadb_msg_len,
-				       pfkey_msg->sadb_msg_pid,
-				       pfkey_msg->sadb_msg_errno,
-				       pfkey_msg->sadb_msg_satype,
-				       satype2name(pfkey_msg->sadb_msg_satype));
-			}
-			
-			if(readlen != (ssize_t)(pfkey_msg->sadb_msg_len * IPSEC_PFKEYv2_ALIGN))
-			{
-				if(debug) {
-					printf("%s: packet size read from socket=%d doesn't equal sadb_msg_len %u * %u; message not decoded\n",
-					       program_name,
-					       (int)readlen, 
-					       (unsigned)pfkey_msg->sadb_msg_len,
-					       (unsigned)IPSEC_PFKEYv2_ALIGN);
-				}
-				continue;
-			}
-			
-			if (pfkey_msg_parse(pfkey_msg, NULL, extensions, EXT_BITS_OUT)) {
-				if(debug) {
-					printf("%s: unparseable PF_KEY message.\n",
-					       program_name);
-				}
-				continue;
-			} else {
-				if(debug) {
-					printf("%s: parseable PF_KEY message.\n",
-					       program_name);
-				}
-			}
-			if((pid_t)pfkey_msg->sadb_msg_pid == mypid) {
-				if(saref) {
-					printf("%s: saref=%d\n",
-					       program_name,
-					       (extensions[SADB_EXT_SA] != NULL)
-					       ? ((struct sadb_sa*)(extensions[SADB_EXT_SA]))->sadb_x_sa_ref
-					       : IPSEC_SAREF_NULL);
-				}
-				break;
-			}
-		}
-	}
-	(void) close(pfkey_sock);  /* close the socket */
-	if(debug || listenreply) {
-		printf("%s: exited normally\n", program_name);
-	}
-	exit(0);
-}