[svn-upgrade] Integrating new upstream version, strongswan (4.1.1)

15 files changed, 4806 insertions, 0 deletions

diff --git a/src/libstrongswan/utils/fetcher.c b/src/libstrongswan/utils/fetcher.c
new file mode 100644
index 000000000..6165cc1e1
--- /dev/null
+++ b/src/libstrongswan/utils/fetcher.c
@@ -0,0 +1,421 @@
+/**
+ * @file fetcher.c
+ * 
+ * @brief Implementation of fetcher_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2007 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <fetcher://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifdef LIBCURL
+#include <curl/curl.h>
+#endif /* LIBCURL */
+
+#ifdef LIBLDAP
+#include <ldap.h>
+#endif /* LIBLDAP */
+
+#include <library.h>
+#include <debug.h>
+
+#include "fetcher.h"
+
+typedef struct private_fetcher_t private_fetcher_t;
+
+/**
+ * @brief Private Data of a fetcher_t object.
+ */
+struct private_fetcher_t {
+	/**
+	 * Public data
+	 */
+	fetcher_t public;
+
+	/**
+	 * URI of the information source
+	 */
+	const char *uri;
+
+#ifdef LIBCURL
+	/**
+	 * we use libcurl from http://curl.haxx.se/ as a fetcher
+	 */
+	CURL* curl;
+#endif /* LIBCURL */
+	
+#ifdef LIBLDAP
+	/**
+	 * we use libldap from http://www.openssl.org/ as a fetcher
+	 */
+	LDAP *ldap;
+	LDAPURLDesc *lurl;
+#endif /* LIBLDAP */
+};
+
+/**
+ * writes data into a dynamically resizeable chunk_t
+ * needed for libcurl responses
+ */
+static size_t curl_write_buffer(void *ptr, size_t size, size_t nmemb, void *data)
+{
+    size_t realsize = size * nmemb;
+    chunk_t *mem = (chunk_t*)data;
+
+    mem->ptr = (u_char *)realloc(mem->ptr, mem->len + realsize);
+    if (mem->ptr) {
+	memcpy(&(mem->ptr[mem->len]), ptr, realsize);
+	mem->len += realsize;
+    }
+    return realsize;
+}
+
+/**
+ * Implements fetcher_t.get for curl methods
+ */
+static chunk_t curl_get(private_fetcher_t *this)
+{
+	chunk_t response = chunk_empty;
+
+#ifdef LIBCURL
+	if (this->curl)
+	{
+		CURLcode res;
+		chunk_t curl_response = chunk_empty;
+		char curl_error_buffer[CURL_ERROR_SIZE];
+
+		curl_easy_setopt(this->curl, CURLOPT_URL, this->uri);
+		curl_easy_setopt(this->curl, CURLOPT_WRITEFUNCTION, curl_write_buffer);
+		curl_easy_setopt(this->curl, CURLOPT_WRITEDATA, (void *)&curl_response);
+		curl_easy_setopt(this->curl, CURLOPT_ERRORBUFFER, &curl_error_buffer);
+		curl_easy_setopt(this->curl, CURLOPT_FAILONERROR, TRUE);
+		curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, FETCHER_TIMEOUT);
+		curl_easy_setopt(this->curl, CURLOPT_NOSIGNAL, TRUE);
+
+		DBG1("sending curl request to '%s'...", this->uri);
+		res = curl_easy_perform(this->curl);
+
+		if (res == CURLE_OK)
+		{
+	    	DBG1("received valid curl response");
+			response = chunk_clone(curl_response);
+		}
+		else
+		{
+	    	DBG1("curl request failed: %s", curl_error_buffer);
+		}
+		curl_free(curl_response.ptr);
+	}
+#else
+	DBG1("warning: libcurl fetching not compiled in");
+#endif  /* LIBCURL */
+	return response;
+}
+
+/**
+ * Implements fetcher_t.post.
+ */
+static chunk_t http_post(private_fetcher_t *this, const char *request_type, chunk_t request)
+{
+	chunk_t response = chunk_empty;
+
+#ifdef LIBCURL
+	if (this->curl)
+	{
+		CURLcode res;
+		struct curl_slist *headers = NULL;
+		chunk_t curl_response = chunk_empty;
+		char curl_error_buffer[CURL_ERROR_SIZE];
+		char content_type[BUF_LEN];
+
+		/* set content type header */
+		snprintf(content_type, BUF_LEN, "Content-Type: %s", request_type);
+		headers = curl_slist_append(headers, content_type);
+
+		/* set options */
+		curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, headers);
+		curl_easy_setopt(this->curl, CURLOPT_URL, this->uri);
+		curl_easy_setopt(this->curl, CURLOPT_WRITEFUNCTION, curl_write_buffer);
+		curl_easy_setopt(this->curl, CURLOPT_WRITEDATA, (void *)&curl_response);
+		curl_easy_setopt(this->curl, CURLOPT_POSTFIELDS, request.ptr);
+		curl_easy_setopt(this->curl, CURLOPT_POSTFIELDSIZE, request.len);
+		curl_easy_setopt(this->curl, CURLOPT_ERRORBUFFER, &curl_error_buffer);
+		curl_easy_setopt(this->curl, CURLOPT_FAILONERROR, TRUE);
+		curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, FETCHER_TIMEOUT);
+		curl_easy_setopt(this->curl, CURLOPT_NOSIGNAL, TRUE);
+
+		DBG1("sending http post request to '%s'...", this->uri);
+		res = curl_easy_perform(this->curl);
+
+		if (res == CURLE_OK)
+		{
+	    	DBG1("received valid http response");
+			response = chunk_clone(curl_response);
+		}
+		else
+		{
+	    	DBG1("http post request using libcurl failed: %s", curl_error_buffer);
+		}
+		curl_slist_free_all(headers);
+		curl_free(curl_response.ptr);
+	}
+#else
+	DBG1("warning: libcurl fetching not compiled in");
+#endif  /* LIBCURL */
+	return response;
+}
+
+#ifdef LIBLDAP
+/**
+ * Parses the result returned by an ldap query
+ */
+static chunk_t ldap_parse(LDAP *ldap, LDAPMessage *result)
+{
+	chunk_t response = chunk_empty;
+	err_t ugh = NULL;
+
+	LDAPMessage *entry = ldap_first_entry(ldap, result);
+
+	if (entry != NULL)
+	{
+		BerElement *ber = NULL;
+		char *attr;
+
+		attr = ldap_first_attribute(ldap, entry, &ber);
+
+		if (attr != NULL)
+		{
+			struct berval **values = ldap_get_values_len(ldap, entry, attr);
+
+			if (values != NULL)
+			{
+				if (values[0] != NULL)
+				{
+					response.len = values[0]->bv_len;
+					response.ptr = malloc(response.len);
+					memcpy(response.ptr, values[0]->bv_val, response.len);
+
+					if (values[1] != NULL)
+					{
+						ugh = "more than one value was fetched - first selected";
+					}
+				}
+				else
+				{
+					ugh = "no values in attribute";
+				}
+				ldap_value_free_len(values);
+			}
+			else
+			{
+				ugh = ldap_err2string(ldap_result2error(ldap, entry, 0));
+			}
+			ldap_memfree(attr);
+		}
+		else
+		{
+			ugh = ldap_err2string(ldap_result2error(ldap, entry, 0));
+		}
+		ber_free(ber, 0);
+	}
+	else
+	{
+		ugh = ldap_err2string(ldap_result2error(ldap, result, 0));
+	}
+	if (ugh)
+	{
+		DBG1("ldap request failed: %s", ugh); 
+	}
+	return response;
+}
+#endif  /* LIBLDAP */
+
+/**
+ * Implements fetcher_t.get for curl methods
+ */
+static chunk_t ldap_get(private_fetcher_t *this)
+{
+	chunk_t response = chunk_empty;
+
+#ifdef LIBLDAP
+	if (this->ldap)
+	{
+		err_t ugh = NULL;
+		int rc;
+		int ldap_version = LDAP_VERSION3;
+
+		struct timeval timeout;
+
+		timeout.tv_sec  = FETCHER_TIMEOUT;
+		timeout.tv_usec = 0;
+
+		ldap_set_option(this->ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
+		ldap_set_option(this->ldap, LDAP_OPT_NETWORK_TIMEOUT, &timeout);
+
+		DBG1("sending ldap request to '%s'...", this->uri);
+
+		rc = ldap_simple_bind_s(this->ldap, NULL, NULL);
+		if (rc == LDAP_SUCCESS)
+		{
+			LDAPMessage *result;
+
+			timeout.tv_sec = FETCHER_TIMEOUT;
+			timeout.tv_usec = 0;
+
+			rc = ldap_search_st(this->ldap, this->lurl->lud_dn,
+											this->lurl->lud_scope,
+											this->lurl->lud_filter,
+											this->lurl->lud_attrs,
+											0, &timeout, &result);
+
+			if (rc == LDAP_SUCCESS)
+			{
+				response = ldap_parse(this->ldap, result);
+				if (response.ptr)
+				{
+	    			DBG1("received valid ldap response");
+				}
+				ldap_msgfree(result);
+			}
+			else
+			{
+				ugh = ldap_err2string(rc);
+			}
+		}
+		else
+		{
+			ugh = ldap_err2string(rc);
+		}
+		ldap_unbind_s(this->ldap);
+
+		if (ugh)
+		{
+			DBG1("ldap request failed: %s", ugh);
+		}
+	}
+#else   /* !LIBLDAP */
+	DBG1("warning: libldap fetching not compiled in");
+#endif  /* !LIBLDAP */
+    return response;
+}
+
+/**
+ * Implements fetcher_t.destroy
+ */
+static void destroy(private_fetcher_t *this)
+{
+#ifdef LIBCURL
+	if (this->curl)
+	{
+		curl_easy_cleanup(this->curl);
+	}
+#endif /* LIBCURL */
+
+#ifdef LIBLDAP
+	if (this->lurl)
+	{
+		ldap_free_urldesc(this->lurl);
+	}
+#endif /* LIBLDAP */
+
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+fetcher_t *fetcher_create(const char *uri)
+{
+	private_fetcher_t *this = malloc_thing(private_fetcher_t);
+	
+	/* initialize */
+	this->uri = uri;
+
+#ifdef LIBCURL
+	this->curl = NULL;
+#endif /* LIBCURL */
+
+#ifdef LIBLDAP
+		this->lurl = NULL;
+		this->ldap = NULL;
+#endif /* LIBLDAP */
+
+	if (strlen(uri) >= 4 && strncasecmp(uri, "ldap", 4) == 0)
+	{
+#ifdef LIBLDAP
+		int rc = ldap_url_parse(uri, &this->lurl);
+
+		if (rc == LDAP_SUCCESS)
+		{
+			this->ldap = ldap_init(this->lurl->lud_host,
+								   this->lurl->lud_port);
+		}
+		else
+		{
+			DBG1("ldap: %s", ldap_err2string(rc));
+			this->ldap = NULL;
+		}
+#endif /* LIBLDAP */
+		this->public.get = (chunk_t (*) (fetcher_t*))ldap_get;
+	}
+	else
+	{
+#ifdef LIBCURL
+		this->curl = curl_easy_init();
+		if (this->curl == NULL)
+		{
+			DBG1("curl_easy_init_failed()");
+		}
+#endif /* LIBCURL */
+		this->public.get = (chunk_t (*) (fetcher_t*))curl_get;
+	}
+
+	/* public functions */
+	this->public.post = (chunk_t (*) (fetcher_t*,const char*,chunk_t))http_post;
+	this->public.destroy = (void (*) (fetcher_t*))destroy;
+
+	return &this->public;
+}
+
+/**
+ * Described in header.
+ */
+void fetcher_initialize(void)
+{
+#ifdef LIBCURL
+	CURLcode res;
+
+	/* initialize libcurl */
+	DBG1("initializing libcurl");
+	res = curl_global_init(CURL_GLOBAL_NOTHING);
+	if (res != CURLE_OK)
+	{
+		DBG1("libcurl could not be initialized: %s", curl_easy_strerror(res));
+    }
+#endif /* LIBCURL */
+}
+
+/**
+ * Described in header.
+ */
+void fetcher_finalize(void)
+{
+#ifdef LIBCURL
+	/* finalize libcurl */
+	DBG1("finalizing libcurl");
+	curl_global_cleanup();
+#endif /* LIBCURL */
+}
+
diff --git a/src/libstrongswan/utils/fetcher.h b/src/libstrongswan/utils/fetcher.h
new file mode 100644
index 000000000..47b43a0b7
--- /dev/null
+++ b/src/libstrongswan/utils/fetcher.h
@@ -0,0 +1,95 @@
+/**
+ * @file fetcher.h
+ *
+ * @brief Interface of fetcher_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <fetcher://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef FETCHER_H_
+#define FETCHER_H_
+
+typedef struct fetcher_t fetcher_t;
+
+#include <chunk.h>
+
+#define FETCHER_TIMEOUT	10	/* seconds */
+
+/**
+ * @brief Fetches information from an URI (http, file, ftp, etc.)
+ *
+ * @ingroup utils
+ */
+struct fetcher_t {
+
+	/**
+	 * @brief Get information via a get request.
+	 * 
+	 * @param this				calling object
+	 * @param uri				uri specifying the information source
+	 * @return					chunk_t containing the information
+	 */
+	chunk_t (*get) (fetcher_t *this);
+
+	/**
+	 * @brief Get information via a get request.
+	 * 
+	 * @param this				calling object
+	 * @param uri				uri specifying the information source
+	 * @param type				content type of http post request
+	 * @param request			binary data for http post request
+	 * @return					chunk_t containing the information
+	 */
+	chunk_t (*post) (fetcher_t *this, const char *type, chunk_t request);
+
+	/**
+	 * @brief Destroys the fetcher_t object.
+	 * 
+	 * @param this			fetcher_t to destroy
+	 */
+	void (*destroy) (fetcher_t *this);
+
+};
+
+/**
+ * @brief Create a fetcher_t object.
+ * 
+ * @return 			created fetcher_t object
+ * 
+ * @ingroup utils
+ */
+fetcher_t* fetcher_create(const char *uri);
+
+/**
+ * @brief Initializes the fetcher_t class
+ *
+ * call this function only once in the main program
+ *
+ * @ingroup utils
+ */
+void fetcher_initialize(void);
+
+/**
+ * @brief Finalizes the fetcher_t class
+ *
+ * call this function only once befor exiting the main program
+ *
+ * @ingroup utils
+ */
+void fetcher_finalize(void);
+
+#endif /*FETCHER_H_*/
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
new file mode 100644
index 000000000..8cbfd6ab8
--- /dev/null
+++ b/src/libstrongswan/utils/host.c
@@ -0,0 +1,526 @@
+/**
+ * @file host.c
+ * 
+ * @brief Implementation of host_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <printf.h>
+
+#include "host.h"
+
+
+typedef struct private_host_t private_host_t;
+
+/**
+ * @brief Private Data of a host object.
+ */
+struct private_host_t { 	
+	/**
+	 * Public data
+	 */
+	host_t public;
+	
+	/**
+	 * low-lewel structure, wich stores the address
+	 */
+	union {
+		/** generic type */
+		struct sockaddr address;
+		/** maximum sockaddr size */
+		struct sockaddr_storage address_max;
+		/** IPv4 address */
+		struct sockaddr_in address4;
+		/** IPv6 address */
+		struct sockaddr_in6 address6;
+	};
+	/**
+	 * length of address structure
+	 */
+	socklen_t socklen;
+};
+
+
+/**
+ * implements host_t.get_sockaddr
+ */
+static sockaddr_t *get_sockaddr(private_host_t *this)
+{
+	return &(this->address);
+}
+
+/**
+ * implements host_t.get_sockaddr_len
+ */
+static socklen_t *get_sockaddr_len(private_host_t *this)
+{
+	return &(this->socklen);
+}
+
+/**
+ * Implementation of host_t.is_anyaddr.
+ */
+static bool is_anyaddr(private_host_t *this)
+{
+	switch (this->address.sa_family) 
+	{
+		case AF_INET:
+		{
+			u_int8_t default_route[4];
+			memset(default_route, 0, sizeof(default_route));
+			return memeq(default_route, &(this->address4.sin_addr.s_addr),
+						 sizeof(default_route));
+		}
+		case AF_INET6:
+		{
+			u_int8_t default_route[16];
+			memset(default_route, 0, sizeof(default_route));
+			return memeq(default_route, &(this->address6.sin6_addr.s6_addr),
+						 sizeof(default_route));
+		}
+		default:
+		{
+			return FALSE;
+		}	
+	}
+}
+
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+				 const void *const *args)
+{
+	private_host_t *this = *((private_host_t**)(args[0]));
+	char buffer[INET6_ADDRSTRLEN];
+	void *address;
+	u_int16_t port;
+	
+	if (this == NULL)
+	{
+		return fprintf(stream, "(null)");
+	}
+	
+	if (is_anyaddr(this))
+	{
+		return fprintf(stream, "%%any");
+	}
+	
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+			address = &this->address4.sin_addr;
+			port = this->address4.sin_port;
+			break;
+		case AF_INET6:
+			address = &this->address6.sin6_addr;
+			port = this->address6.sin6_port;
+			break;
+		default:
+			return fprintf(stream, "(family not supported)");
+	}
+	
+	if (inet_ntop(this->address.sa_family, address,
+				  buffer, sizeof(buffer)) == NULL)
+	{
+		return fprintf(stream, "(address conversion failed)");
+	}
+	
+	if (info->alt)
+	{
+		return fprintf(stream, "%s[%d]", buffer, ntohs(port));
+	}
+	else
+	{
+		return fprintf(stream, "%s", buffer);
+	}
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+	register_printf_function(PRINTF_HOST, print, arginfo_ptr);
+}
+
+/**
+ * Implementation of host_t.get_address.
+ */
+static chunk_t get_address(private_host_t *this)
+{
+	chunk_t address = chunk_empty;
+	
+	switch (this->address.sa_family) 
+	{
+		case AF_INET:
+		{
+			address.ptr = (char*)&(this->address4.sin_addr.s_addr);
+			address.len = 4;
+			return address;
+		}
+		case AF_INET6:
+		{
+			address.ptr = (char*)&(this->address6.sin6_addr.s6_addr);
+			address.len = 16;
+			return address;
+		}
+		default:
+		{
+			/* return empty chunk */
+			return address;
+		}
+	}
+}
+
+/**
+ * implements host_t.get_family
+ */
+static int get_family(private_host_t *this)
+{
+	return this->address.sa_family;
+}
+
+/**
+ * implements host_t.get_port
+ */
+static u_int16_t get_port(private_host_t *this)
+{
+	switch (this->address.sa_family) 
+	{
+		case AF_INET:
+		{
+			return ntohs(this->address4.sin_port);
+		}
+		case AF_INET6:
+		{
+			return ntohs(this->address6.sin6_port);
+		}
+		default:
+		{
+			return 0;
+		}
+	}
+}
+
+/**
+ * implements host_t.set_port
+ */
+static void set_port(private_host_t *this, u_int16_t port)
+{
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			this->address4.sin_port = htons(port);
+			break;
+		}
+		case AF_INET6:
+		{
+			this->address6.sin6_port = htons(port);
+			break;
+		}
+		default:
+		{
+			break;
+		}
+	}
+}
+
+/**
+ * Implements host_t.clone.
+ */
+static private_host_t *clone_(private_host_t *this)
+{
+	private_host_t *new = malloc_thing(private_host_t);
+	
+	memcpy(new, this, sizeof(private_host_t));
+	return new;
+}
+
+/**
+ * Impelements host_t.ip_equals
+ */
+static bool ip_equals(private_host_t *this, private_host_t *other)
+{
+	if (this->address.sa_family != other->address.sa_family)
+	{
+		/* 0.0.0.0 and ::0 are equal */
+		if (is_anyaddr(this) && is_anyaddr(other))
+		{
+			return TRUE;
+		}
+		
+		return FALSE;
+	}
+	
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			if (memeq(&this->address4.sin_addr, &other->address4.sin_addr,
+					  sizeof(this->address4.sin_addr)))
+			{
+				return TRUE;
+			}
+			break;
+		}
+		case AF_INET6:
+		{
+			if (memeq(&this->address6.sin6_addr, &other->address6.sin6_addr,
+					  sizeof(this->address6.sin6_addr)))
+			{
+				return TRUE;
+			}
+		}
+		default:
+			break;
+	}
+	return FALSE;
+}
+
+/**
+ * Implements host_t.get_differences
+ */
+static host_diff_t get_differences(host_t *this, host_t *other)
+{
+	host_diff_t ret = HOST_DIFF_NONE;
+	
+	if (!this->ip_equals(this, other))
+	{
+		ret |= HOST_DIFF_ADDR;
+	}
+
+	if (this->get_port(this) != other->get_port(other))
+	{
+		ret |= HOST_DIFF_PORT;
+	}
+	
+	return ret;
+}
+
+/**
+ * Impelements host_t.equals
+ */
+static bool equals(private_host_t *this, private_host_t *other)
+{
+	if (!ip_equals(this, other))
+	{
+		return FAILED;
+	}
+	
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			if (this->address4.sin_port == other->address4.sin_port)
+			{
+				return TRUE;
+			}
+			break;
+		}
+		case AF_INET6:
+		{
+			if (this->address6.sin6_port == other->address6.sin6_port)
+			{
+				return TRUE;
+			}
+			break;
+		}
+		default:
+			break;
+	}
+	return FALSE;
+}
+
+/**
+ * Implements host_t.destroy
+ */
+static void destroy(private_host_t *this)
+{
+	free(this);
+}
+
+/**
+ * Creates an empty host_t object 
+ */
+static private_host_t *host_create_empty(void)
+{
+	private_host_t *this = malloc_thing(private_host_t);
+	
+	this->public.get_sockaddr = (sockaddr_t* (*) (host_t*))get_sockaddr;
+	this->public.get_sockaddr_len = (socklen_t*(*) (host_t*))get_sockaddr_len;
+	this->public.clone = (host_t* (*) (host_t*))clone_;
+	this->public.get_family = (int (*) (host_t*))get_family;
+	this->public.get_address = (chunk_t (*) (host_t *)) get_address;
+	this->public.get_port = (u_int16_t (*) (host_t *))get_port;
+	this->public.set_port = (void (*) (host_t *,u_int16_t))set_port;
+	this->public.get_differences = get_differences;
+	this->public.ip_equals = (bool (*) (host_t *,host_t *)) ip_equals;
+	this->public.equals = (bool (*) (host_t *,host_t *)) equals;
+	this->public.is_anyaddr = (bool (*) (host_t *)) is_anyaddr;
+	this->public.destroy = (void (*) (host_t*))destroy;
+	
+	return this;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_string(char *string, u_int16_t port)
+{
+	private_host_t *this = host_create_empty();
+	
+	if (strchr(string, '.'))
+	{
+		this->address.sa_family = AF_INET;
+	}
+	else
+	{
+		this->address.sa_family = AF_INET6;
+	}
+
+	switch (this->address.sa_family)
+	{
+		case AF_INET:
+		{
+			if (inet_pton(AF_INET, string, &this->address4.sin_addr) <=0)
+			{
+				break;
+			}
+			this->address4.sin_port = htons(port);
+			this->socklen = sizeof(struct sockaddr_in);
+			return &this->public;
+		}
+		case AF_INET6:
+		{
+			if (inet_pton(AF_INET6, string, &this->address6.sin6_addr) <=0)
+			{
+				break;
+			}
+			this->address6.sin6_port = htons(port);
+			this->socklen = sizeof(struct sockaddr_in6);
+			return &this->public;
+		}
+		default:
+		{
+			break;
+		}
+	}
+	free(this);
+	return NULL;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
+{
+	private_host_t *this = host_create_empty();
+	
+	this->address.sa_family = family;
+	switch (family)
+	{
+		case AF_INET:
+		{
+			if (address.len != 4)
+			{
+				break;
+			}
+			memcpy(&(this->address4.sin_addr.s_addr), address.ptr,4);
+			this->address4.sin_port = htons(port);
+			this->socklen = sizeof(struct sockaddr_in);
+			return &(this->public);
+		}
+		case AF_INET6:
+		{
+			if (address.len != 16)
+			{
+				break;
+			}
+			memcpy(&(this->address6.sin6_addr.s6_addr), address.ptr, 16);
+			this->address6.sin6_port = htons(port);
+			this->socklen = sizeof(struct sockaddr_in6);
+			return &this->public;
+		}
+		default:
+			break;
+	}
+	free(this);
+	return NULL;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
+{
+	private_host_t *this = host_create_empty();
+	
+	switch (sockaddr->sa_family)
+	{
+		case AF_INET:
+		{
+			memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in));
+			this->socklen = sizeof(struct sockaddr_in);
+			return &this->public;
+		}
+		case AF_INET6:
+		{
+			memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6));
+			this->socklen = sizeof(struct sockaddr_in6);
+			return &this->public;
+		}
+		default:
+			break;
+	}
+	free(this);
+	return NULL;
+}
+
+/*
+ * Described in header.
+ */
+host_t *host_create_any(int family)
+{
+	private_host_t *this = host_create_empty();
+	
+	memset(&this->address_max, 0, sizeof(struct sockaddr_storage));
+	this->address.sa_family = family;
+	
+	switch (family)
+	{
+		case AF_INET:
+		{
+			this->socklen = sizeof(struct sockaddr_in);
+			return &(this->public);
+		}
+		case AF_INET6:
+		{
+			this->socklen = sizeof(struct sockaddr_in6);
+			return &this->public;
+		}
+		default:
+			break;
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/utils/host.h
new file mode 100644
index 000000000..ee9aa457f
--- /dev/null
+++ b/src/libstrongswan/utils/host.h
@@ -0,0 +1,231 @@
+/**
+ * @file host.h
+ *
+ * @brief Interface of host_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef HOST_H_
+#define HOST_H_
+
+typedef enum host_diff_t host_diff_t;
+typedef struct host_t host_t;
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <library.h>
+
+/**
+ * Differences between two hosts. They differ in
+ * address, port, or both.
+ */
+enum host_diff_t {
+	HOST_DIFF_NONE = 0,
+	HOST_DIFF_ADDR = 1,
+	HOST_DIFF_PORT = 2,
+};
+
+/**
+ * @brief Representates a Host
+ * 
+ * Host object, identifies a address:port pair and defines some 
+ * useful functions on it.
+ * 
+ * @b Constructors:
+ * - host_create()
+ * - host_create_from_chunk()
+ * - host_create_from_sockaddr()
+ * 
+ * @todo Add IPv6 support
+ * 
+ * @ingroup utils
+ */
+struct host_t {
+	
+	/** 
+	 * @brief Build a clone of this host object.
+	 * 
+	 * @param this			object to clone
+	 * @return				cloned host
+	 */
+	host_t *(*clone) (host_t *this);
+	
+	/** 
+	 * @brief Get a pointer to the internal sockaddr struct.
+	 * 
+	 * This is used for sending and receiving via sockets.
+	 * 
+	 * @param this			object to clone
+	 * @return				pointer to the internal sockaddr structure
+	 */
+	sockaddr_t  *(*get_sockaddr) (host_t *this);
+	
+	/** 
+	 * @brief Get the length of the sockaddr struct.
+	 * 
+	 * Depending on the family, the length of the sockaddr struct
+	 * is different. Use this function to get the length of the sockaddr
+	 * struct returned by get_sock_addr.
+	 * 
+	 * This is used for sending and receiving via sockets.
+	 * 
+	 * @param this			object to clone
+	 * @return				length of the sockaddr struct
+	 */
+	socklen_t *(*get_sockaddr_len) (host_t *this);
+	
+	/**
+	 * @brief Gets the family of the address
+	 * 
+	 * @param this			calling object
+	 * @return				family
+	 */
+	int (*get_family) (host_t *this);
+	
+	/** 
+	 * @brief Checks if the ip address of host is set to default route.
+	 * 
+	 * @param this			calling object
+	 * @return				
+	 * 						- TRUE if host has IP 0.0.0.0 for default route 
+	 * 						- FALSE otherwise
+	 */
+	bool (*is_anyaddr) (host_t *this);
+	
+	/** 
+	 * @brief get the address of this host as chunk_t
+	 * 
+	 * Returned chunk points to internal data.
+	 * 
+	 * @param this			object
+	 * @return				address string, 
+	 */
+	chunk_t (*get_address) (host_t *this);
+		
+	/** 
+	 * @brief get the port of this host
+	 * 
+	 * @param this			object to clone
+	 * @return				port number
+	 */
+	u_int16_t (*get_port) (host_t *this);
+
+	/** 
+	 * @brief set the port of this host
+	 *
+	 * @param this			object to clone
+	 * @param port			port numer
+	 */
+	void (*set_port) (host_t *this, u_int16_t port);
+		
+	/** 
+	 * @brief Compare the ips of two hosts hosts.
+	 * 
+	 * @param this			object to compare
+	 * @param other			the other to compare
+	 * @return				TRUE if addresses are equal.
+	 */
+	bool (*ip_equals) (host_t *this, host_t *other);
+		
+	/** 
+	 * @brief Compare two hosts, with port.
+	 * 
+	 * @param this			object to compare
+	 * @param other			the other to compare
+	 * @return				TRUE if addresses and ports are equal.
+	 */
+	bool (*equals) (host_t *this, host_t *other);
+
+	/** 
+	 * @brief Compare two hosts and return the differences.
+	 *
+	 * @param this			object to compare
+	 * @param other			the other to compare
+	 * @return				differences in a combination of host_diff_t's
+	 */
+	host_diff_t (*get_differences) (host_t *this, host_t *other);
+	
+	/** 
+	 * @brief Destroy this host object
+	 * 
+	 * @param this			calling
+	 * @return				SUCCESS in any case
+	 */
+	void (*destroy) (host_t *this);
+};
+
+/**
+ * @brief Constructor to create a host_t object from an address string.
+ *
+ * @param string		string of an address, such as "152.96.193.130"
+ * @param port			port number
+ * @return 				
+ * 						- host_t object 
+ * 						- NULL, if string not an address.
+ * 
+ * @ingroup network
+ */
+host_t *host_create_from_string(char *string, u_int16_t port);
+
+/**
+ * @brief Constructor to create a host_t object from an address chunk
+ *
+ * @param family 		Address family to use for this object, such as AF_INET or AF_INET6
+ * @param address		address as 4 byte chunk_t in networ order
+ * @param port			port number
+ * @return 				
+ * 						- host_t object 
+ * 						- NULL, if family not supported or chunk_t length not 4 bytes.
+ * 
+ * @ingroup network
+ */
+host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port);
+
+/**
+ * @brief Constructor to create a host_t object from a sockaddr struct
+ *
+ * @param sockaddr		sockaddr struct which contains family, address and port
+ * @return 				
+ * 						- host_t object 
+ * 						- NULL, if family not supported.
+ * 
+ * @ingroup network
+ */
+host_t *host_create_from_sockaddr(sockaddr_t *sockaddr);
+
+/**
+ * @brief Create a host without an address, a "any" host.
+ *
+ * @param family		family of the any host
+ * @return 				
+ * 						- host_t object 
+ * 						- NULL, if family not supported.
+ * 
+ * @ingroup network
+ */
+host_t *host_create_any(int family);
+
+#endif /*HOST_H_*/
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
new file mode 100644
index 000000000..341af39c0
--- /dev/null
+++ b/src/libstrongswan/utils/identification.c
@@ -0,0 +1,1144 @@
+/**
+ * @file identification.c
+ * 
+ * @brief Implementation of identification_t. 
+ * 
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <string.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <printf.h>
+
+#include "identification.h"
+
+#include <asn1/asn1.h>
+
+ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
+	"ID_ANY",
+	"ID_IPV4_ADDR",
+	"ID_FQDN",
+	"ID_RFC822_ADDR",
+	"ID_IPV4_ADDR_SUBNET",
+	"ID_IPV6_ADDR",
+	"ID_IPV6_ADDR_SUBNET",
+	"ID_IPV4_ADDR_RANGE",
+	"ID_IPV6_ADDR_RANGE",
+	"ID_DER_ASN1_DN",
+	"ID_DER_ASN1_GN",
+	"ID_KEY_ID");
+ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_DER_ASN1_GN_URI, ID_KEY_ID,
+	"ID_DER_ASN1_GN_URI");
+ENUM_END(id_type_names, ID_DER_ASN1_GN_URI);
+
+
+/**
+ * X.501 acronyms for well known object identifiers (OIDs)
+ */
+static u_char oid_ND[]  = {
+	0x02, 0x82, 0x06, 0x01, 0x0A, 0x07, 0x14
+};
+static u_char oid_UID[] = {
+	0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x01
+};
+static u_char oid_DC[]  = {
+	0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x19
+};
+static u_char oid_CN[] = {
+	0x55, 0x04, 0x03
+};
+static u_char oid_S[] = {
+	0x55, 0x04, 0x04
+};
+static u_char oid_SN[] = {
+	0x55, 0x04, 0x05
+};
+static u_char oid_C[] = {
+	0x55, 0x04, 0x06
+};
+static u_char oid_L[] = {
+	0x55, 0x04, 0x07
+};
+static u_char oid_ST[] = {
+	0x55, 0x04, 0x08
+};
+static u_char oid_O[] = {
+	0x55, 0x04, 0x0A
+};
+static u_char oid_OU[] = {
+	0x55, 0x04, 0x0B
+};
+static u_char oid_T[] = {
+	0x55, 0x04, 0x0C
+};
+static u_char oid_D[] = {
+	0x55, 0x04, 0x0D
+};
+static u_char oid_N[] = {
+	0x55, 0x04, 0x29
+};
+static u_char oid_G[] = {
+	0x55, 0x04, 0x2A
+};
+static u_char oid_I[] = {
+	0x55, 0x04, 0x2B
+};
+static u_char oid_ID[] = {
+	0x55, 0x04, 0x2D
+};
+static u_char oid_EN[]  = {
+	0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x42, 0x03, 0x01, 0x03
+};
+static u_char oid_E[] = {
+	0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01
+};
+static u_char oid_UN[]  = {
+	0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x02
+};
+static u_char oid_TCGID[] = {
+	0x2B, 0x06, 0x01, 0x04, 0x01, 0x89, 0x31, 0x01, 0x01, 0x02, 0x02, 0x4B
+};
+
+/**
+ * coding of X.501 distinguished name 
+ */
+typedef struct {
+	const u_char *name;
+	chunk_t oid;
+	u_char type;
+} x501rdn_t;
+
+static const x501rdn_t x501rdns[] = {
+	{"ND", 				{oid_ND,     7}, ASN1_PRINTABLESTRING},
+	{"UID", 			{oid_UID,   10}, ASN1_PRINTABLESTRING},
+	{"DC", 				{oid_DC,    10}, ASN1_PRINTABLESTRING},
+	{"CN",				{oid_CN,     3}, ASN1_PRINTABLESTRING},
+	{"S", 				{oid_S,      3}, ASN1_PRINTABLESTRING},
+	{"SN", 				{oid_SN,     3}, ASN1_PRINTABLESTRING},
+	{"serialNumber", 	{oid_SN,     3}, ASN1_PRINTABLESTRING},
+	{"C", 				{oid_C,      3}, ASN1_PRINTABLESTRING},
+	{"L", 				{oid_L,      3}, ASN1_PRINTABLESTRING},
+	{"ST",				{oid_ST,     3}, ASN1_PRINTABLESTRING},
+	{"O", 				{oid_O,      3}, ASN1_PRINTABLESTRING},
+	{"OU", 				{oid_OU,     3}, ASN1_PRINTABLESTRING},
+	{"T", 				{oid_T,      3}, ASN1_PRINTABLESTRING},
+	{"D", 				{oid_D,      3}, ASN1_PRINTABLESTRING},
+	{"N", 				{oid_N,      3}, ASN1_PRINTABLESTRING},
+	{"G", 				{oid_G,      3}, ASN1_PRINTABLESTRING},
+	{"I", 				{oid_I,      3}, ASN1_PRINTABLESTRING},
+	{"ID", 				{oid_ID,     3}, ASN1_PRINTABLESTRING},
+	{"EN", 				{oid_EN,    10}, ASN1_PRINTABLESTRING},
+	{"employeeNumber",	{oid_EN,    10}, ASN1_PRINTABLESTRING},
+	{"E", 				{oid_E,      9}, ASN1_IA5STRING},
+	{"Email", 			{oid_E,      9}, ASN1_IA5STRING},
+	{"emailAddress",	{oid_E,      9}, ASN1_IA5STRING},
+	{"UN", 				{oid_UN,     9}, ASN1_IA5STRING},
+	{"unstructuredName",{oid_UN,     9}, ASN1_IA5STRING},
+	{"TCGID", 			{oid_TCGID, 12}, ASN1_PRINTABLESTRING}
+};
+#define X501_RDN_ROOF   26
+
+/**
+ * maximum number of RDNs in atodn()
+ */
+#define RDN_MAX			20
+
+
+typedef struct private_identification_t private_identification_t;
+
+/**
+ * Private data of an identification_t object.
+ */
+struct private_identification_t {
+	/**
+	 * Public interface.
+	 */
+	identification_t public;
+	
+	/**
+	 * Encoded representation of this ID.
+	 */
+	chunk_t encoded;
+	
+	/**
+	 * Type of this ID.
+	 */
+	id_type_t type;
+};
+
+static private_identification_t *identification_create(void);
+
+/**
+ * updates a chunk (!????)
+ * TODO: We should reconsider this stuff, its not really clear
+ */
+static void update_chunk(chunk_t *ch, int n)
+{
+	n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1;
+	ch->ptr += n; ch->len -= n;
+}
+
+/**
+ * Prints a binary string in hexadecimal form
+ */
+void hex_str(chunk_t bin, chunk_t *str)
+{
+	u_int i;
+	update_chunk(str, snprintf(str->ptr,str->len,"0x"));
+	for (i = 0; i < bin.len; i++)
+	{
+		update_chunk(str, snprintf(str->ptr,str->len,"%02X",*bin.ptr++));
+	}
+}
+
+/**
+ * Remove any malicious characters from a chunk. We are very restrictive, but
+ * whe use these strings only to present it to the user.
+ */
+static chunk_t sanitize_chunk(chunk_t chunk)
+{
+	char *pos;
+	chunk_t clone = chunk_clone(chunk);
+	
+	for (pos = clone.ptr; pos < (char*)(clone.ptr + clone.len); pos++)
+	{
+		switch (*pos)
+		{
+			case '\0':
+			case ' ':
+			case '*':
+			case '-':
+			case '.':
+			case '/':
+			case '0' ... '9':
+			case ':':
+			case '=':
+			case '@':
+			case 'A' ... 'Z':
+			case '_':
+			case 'a' ... 'z':
+				break;
+			default:
+				*pos = '?';
+		}
+	}
+	return clone;
+}
+
+/**
+ * Pointer is set to the first RDN in a DN
+ */
+static status_t init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next)
+{
+	*rdn = chunk_empty;
+	*attribute = chunk_empty;
+	
+	/* a DN is a SEQUENCE OF RDNs */
+	if (*dn.ptr != ASN1_SEQUENCE)
+	{
+		/* DN is not a SEQUENCE */
+		return FAILED;
+	}
+	
+	rdn->len = asn1_length(&dn);
+	
+	if (rdn->len == ASN1_INVALID_LENGTH)
+	{
+		/* Invalid RDN length */
+		return FAILED;
+	}
+	
+	rdn->ptr = dn.ptr;
+	
+	/* are there any RDNs ? */
+	*next = rdn->len > 0;
+	
+	return SUCCESS;
+}
+
+/**
+ * Fetches the next RDN in a DN
+ */
+static status_t get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, chunk_t *value, asn1_t *type, bool *next)
+{
+	chunk_t body;
+
+	/* initialize return values */
+	*oid   = chunk_empty;
+	*value = chunk_empty;
+
+	/* if all attributes have been parsed, get next rdn */
+	if (attribute->len <= 0)
+	{
+		/* an RDN is a SET OF attributeTypeAndValue */
+		if (*rdn->ptr != ASN1_SET)
+		{
+			/* RDN is not a SET */
+			return FAILED;
+		}
+		attribute->len = asn1_length(rdn);
+		if (attribute->len == ASN1_INVALID_LENGTH)
+		{
+			/* Invalid attribute length */
+			return FAILED;
+		}
+		attribute->ptr = rdn->ptr;
+		/* advance to start of next RDN */
+		rdn->ptr += attribute->len;
+		rdn->len -= attribute->len;
+	}
+	
+	/* an attributeTypeAndValue is a SEQUENCE */
+	if (*attribute->ptr != ASN1_SEQUENCE)
+	{
+		/* attributeTypeAndValue is not a SEQUENCE */
+		return FAILED;
+	}
+	
+	/* extract the attribute body */
+	body.len = asn1_length(attribute);
+	
+	if (body.len == ASN1_INVALID_LENGTH)
+	{
+		/* Invalid attribute body length */
+		return FAILED;
+	}
+	
+	body.ptr = attribute->ptr;
+	
+	/* advance to start of next attribute */
+	attribute->ptr += body.len;
+	attribute->len -= body.len;
+	
+	/* attribute type is an OID */
+	if (*body.ptr != ASN1_OID)
+	{
+		/* attributeType is not an OID */
+		return FAILED;
+	}
+	/* extract OID */
+	oid->len = asn1_length(&body);
+	
+	if (oid->len == ASN1_INVALID_LENGTH)
+	{
+		/* Invalid attribute OID length */
+		return FAILED;
+	}
+	oid->ptr = body.ptr;
+	
+	/* advance to the attribute value */
+	body.ptr += oid->len;
+	body.len -= oid->len;
+
+	/* extract string type */
+	*type = *body.ptr;
+	
+	/* extract string value */
+	value->len = asn1_length(&body);
+	
+	if (value->len == ASN1_INVALID_LENGTH)
+	{
+		/* Invalid attribute string length */
+		return FAILED;
+	}
+	value->ptr = body.ptr;
+	
+	/* are there any RDNs left? */
+	*next = rdn->len > 0 || attribute->len > 0;
+	return SUCCESS;
+}
+
+/**
+ * Parses an ASN.1 distinguished name int its OID/value pairs
+ */
+static status_t dntoa(chunk_t dn, chunk_t *str)
+{
+	chunk_t rdn, oid, attribute, value, proper;
+	asn1_t type;
+	int oid_code;
+	bool next;
+	bool first = TRUE;
+
+	status_t status = init_rdn(dn, &rdn, &attribute, &next);
+
+	if (status != SUCCESS)
+		return status;
+
+	while (next)
+	{
+		status = get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next);
+
+		if (status != SUCCESS)
+			return status;
+
+		if (first) 
+		{ /* first OID/value pair */
+			first = FALSE;
+		}
+		else
+		{ /* separate OID/value pair by a comma */
+			update_chunk(str, snprintf(str->ptr,str->len,", "));
+		}
+
+		/* print OID */
+		oid_code = known_oid(oid);
+		if (oid_code == OID_UNKNOWN) 
+		{ /* OID not found in list */
+			hex_str(oid, str);
+		}
+		else
+		{
+			update_chunk(str, snprintf(str->ptr,str->len,"%s", oid_names[oid_code].name));
+		}
+		/* print value */
+		proper = sanitize_chunk(value);
+		update_chunk(str, snprintf(str->ptr,str->len,"=%.*s", (int)proper.len, proper.ptr));
+		chunk_free(&proper);
+	}
+	return SUCCESS;
+}
+
+/**
+ * compare two distinguished names by
+ * comparing the individual RDNs
+ */
+static bool same_dn(chunk_t a, chunk_t b)
+{
+	chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
+	chunk_t oid_a, oid_b, value_a, value_b;
+	asn1_t type_a, type_b;
+	bool next_a, next_b;
+
+	/* same lengths for the DNs */
+	if (a.len != b.len)
+		return FALSE;
+
+	/* try a binary comparison first */
+	if (memeq(a.ptr, b.ptr, b.len))
+		return TRUE;
+ 
+	/* initialize DN parsing */
+	if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != SUCCESS
+	||	init_rdn(b, &rdn_b, &attribute_b, &next_b) != SUCCESS)
+	{
+		return FALSE;
+	}
+
+	/* fetch next RDN pair */
+	while (next_a && next_b)
+	{
+		/* parse next RDNs and check for errors */
+		if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != SUCCESS 
+		||  get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != SUCCESS)
+		{
+			return FALSE;
+		}
+
+		/* OIDs must agree */
+		if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
+			return FALSE;
+
+		/* same lengths for values */
+		if (value_a.len != value_b.len)
+			return FALSE;
+
+		/* printableStrings and email RDNs require uppercase comparison */
+		if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING
+		|| (type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL)))
+		{
+			if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+				return FALSE;
+		}
+		else
+		{
+			if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+				return FALSE;
+		}
+	}
+	/* both DNs must have same number of RDNs */
+	if (next_a || next_b)
+		return FALSE;
+
+	/* the two DNs are equal! */
+	return TRUE;
+}
+
+
+/**
+ * compare two distinguished names by comparing the individual RDNs.
+ * A single'*' character designates a wildcard RDN in DN b.
+ * TODO: Add support for different RDN order in DN !!
+ */
+bool match_dn(chunk_t a, chunk_t b, int *wildcards)
+{
+	chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
+	chunk_t oid_a, oid_b, value_a, value_b;
+	asn1_t type_a,  type_b;
+	bool next_a, next_b;
+
+	/* initialize wildcard counter */
+	if (wildcards)
+	{
+		*wildcards = 0;
+	}
+
+	/* initialize DN parsing */
+	if (init_rdn(a, &rdn_a, &attribute_a, &next_a) != SUCCESS
+	||	init_rdn(b, &rdn_b, &attribute_b, &next_b) != SUCCESS)
+	{
+		return FALSE;
+	}
+
+	/* fetch next RDN pair */
+	while (next_a && next_b)
+	{
+		/* parse next RDNs and check for errors */
+		if (get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) != SUCCESS
+		||	get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b) != SUCCESS)
+		{
+			return FALSE;
+		}
+		/* OIDs must agree */
+		if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
+			return FALSE;
+
+		/* does rdn_b contain a wildcard? */
+		if (value_b.len == 1 && *value_b.ptr == '*')
+		{
+			if (wildcards)
+			{
+				(*wildcards)++;
+			}
+			continue;
+		}
+		/* same lengths for values */
+		if (value_a.len != value_b.len)
+			return FALSE;
+
+		/* printableStrings and email RDNs require uppercase comparison */
+		if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING
+		|| (type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL)))
+		{
+			if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+				return FALSE;
+		}
+		else
+		{
+			if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+				return FALSE;
+		}
+	}
+	/* both DNs must have same number of RDNs */
+	if (next_a || next_b)
+	{
+		return FALSE;
+	}
+
+	/* the two DNs match! */
+	if (wildcards)
+	{
+		*wildcards = min(*wildcards, MAX_WILDCARDS);
+	}
+	return TRUE;
+}
+
+/**
+ * Converts an LDAP-style human-readable ASCII-encoded
+ * ASN.1 distinguished name into binary DER-encoded format
+ */
+static status_t atodn(char *src, chunk_t *dn)
+{
+	/* finite state machine for atodn */
+	typedef enum {
+		SEARCH_OID =	0,
+		READ_OID =		1,
+		SEARCH_NAME =	2,
+		READ_NAME =		3,
+		UNKNOWN_OID =	4
+	} state_t;
+	
+	chunk_t oid  = chunk_empty;
+	chunk_t name = chunk_empty;
+	chunk_t rdns[RDN_MAX];
+	int rdn_count = 0;
+	int dn_len = 0;
+	int whitespace = 0;
+	int i = 0;
+	asn1_t rdn_type;
+	state_t state = SEARCH_OID;
+	status_t status = SUCCESS;
+	
+	do
+	{
+		switch (state)
+		{
+			case SEARCH_OID:
+				if (*src != ' ' && *src != '/' && *src !=  ',')
+				{
+					oid.ptr = src;
+					oid.len = 1;
+					state = READ_OID;
+				}
+				break;
+			case READ_OID:
+				if (*src != ' ' && *src != '=')
+				{
+					oid.len++;
+				}
+				else
+				{
+					for (i = 0; i < X501_RDN_ROOF; i++)
+					{
+						if (strlen(x501rdns[i].name) == oid.len
+						&&  strncasecmp(x501rdns[i].name, oid.ptr, oid.len) == 0)
+						{
+							break; /* found a valid OID */
+						}
+					}
+					if (i == X501_RDN_ROOF)
+					{
+						status = NOT_SUPPORTED;
+						state = UNKNOWN_OID;
+						break;
+					}
+					/* reset oid and change state */
+					oid = chunk_empty;
+					state = SEARCH_NAME;
+				}
+				break;
+			case SEARCH_NAME:
+				if (*src != ' ' && *src != '=')
+				{
+					name.ptr = src;
+					name.len = 1;
+					whitespace = 0;
+					state = READ_NAME;
+				}
+				break;
+			case READ_NAME:
+				if (*src != ',' && *src != '/' && *src != '\0')
+				{
+					name.len++;
+					if (*src == ' ')
+						whitespace++;
+					else
+						whitespace = 0;
+				}
+				else
+				{
+					name.len -= whitespace;
+					rdn_type = (x501rdns[i].type == ASN1_PRINTABLESTRING
+							&& !is_printablestring(name))? ASN1_T61STRING : x501rdns[i].type;
+					
+					if (rdn_count < RDN_MAX)
+					{
+						rdns[rdn_count] = 
+								asn1_wrap(ASN1_SET, "m",
+									asn1_wrap(ASN1_SEQUENCE, "mm",
+										asn1_wrap(ASN1_OID, "c", x501rdns[i].oid),
+										asn1_wrap(rdn_type, "c", name)
+									)
+								);
+						dn_len += rdns[rdn_count++].len;
+					}
+					else
+					{
+						status = OUT_OF_RES;
+					}
+					/* reset name and change state */
+					name = chunk_empty;
+					state = SEARCH_OID;
+				}
+				break;
+			case UNKNOWN_OID:
+				break;
+		}
+	} while (*src++ != '\0');
+
+	/* build the distinguished name sequence */
+   {
+		int i;
+		u_char *pos = build_asn1_object(dn, ASN1_SEQUENCE, dn_len);
+
+		for (i = 0; i < rdn_count; i++)
+		{
+			memcpy(pos, rdns[i].ptr, rdns[i].len); 
+			pos += rdns[i].len;
+			free(rdns[i].ptr);
+		}
+	}
+
+	if (status != SUCCESS)
+	{
+		free(dn->ptr);
+		*dn = chunk_empty;
+	}
+	return status;
+}
+
+/**
+ * Implementation of identification_t.get_encoding.
+ */
+static chunk_t get_encoding(private_identification_t *this)
+{
+	return this->encoded;
+}
+
+/**
+ * Implementation of identification_t.get_type.
+ */
+static id_type_t get_type(private_identification_t *this)
+{
+	return this->type;
+}
+
+/**
+ * Implementation of identification_t.contains_wildcards.
+ */
+static bool contains_wildcards(private_identification_t *this)
+{
+	switch (this->type)
+	{
+		case ID_ANY:
+			return TRUE;
+		case ID_FQDN:
+		case ID_RFC822_ADDR:
+			return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL;
+		case ID_DER_ASN1_DN:
+			/* TODO */
+		default:
+			return FALSE;
+		
+	}
+}
+
+/**
+ * Default implementation of identification_t.equals.
+ * compares encoded chunk for equality.
+ */
+static bool equals_binary(private_identification_t *this, private_identification_t *other)
+{
+	return this->type == other->type && 
+							chunk_equals(this->encoded, other->encoded);
+}
+
+/**
+ * Special implementation of identification_t.equals for ID_DER_ASN1_DN.
+ */
+static bool equals_dn(private_identification_t *this,
+					  private_identification_t *other)
+{
+	return same_dn(this->encoded, other->encoded);
+}
+
+/**
+ * Default implementation of identification_t.matches.
+ */
+static bool matches_binary(private_identification_t *this, 
+						   private_identification_t *other, int *wildcards)
+{
+	if (other->type == ID_ANY)
+	{
+		if (wildcards)
+		{
+			*wildcards = MAX_WILDCARDS;
+		}
+		return TRUE;
+	}
+	if (wildcards)
+	{
+		*wildcards = 0;
+	}
+	return this->type == other->type &&
+							chunk_equals(this->encoded, other->encoded);
+}
+
+/**
+ * Special implementation of identification_t.matches for ID_RFC822_ADDR/ID_FQDN.
+ * Checks for a wildcard in other-string, and compares it against this-string.
+ */
+static bool matches_string(private_identification_t *this,
+						   private_identification_t *other, int *wildcards)
+{
+	u_int len = other->encoded.len;
+	
+	if (other->type == ID_ANY)
+	{
+		if (wildcards)
+		{
+			*wildcards = MAX_WILDCARDS;
+		}
+		return TRUE;
+	}
+	
+	if (this->type != other->type)
+		return FALSE;
+
+	/* try a binary comparison first */
+	if (equals_binary(this, other))
+	{
+		if (wildcards)
+		{
+			*wildcards = 0;
+		}
+		return TRUE;
+	}
+	
+	if (len == 0 || this->encoded.len < len)
+		return FALSE;
+
+	/* check for single wildcard at the head of the string */
+	if (*other->encoded.ptr == '*')
+	{
+		if (wildcards)
+		{
+			*wildcards = 1;
+		}
+
+		/* single asterisk matches any string */
+		if (len-- == 1)
+			return TRUE;
+
+		if (memeq(this->encoded.ptr + this->encoded.len - len, other->encoded.ptr + 1, len))
+			return TRUE;
+	}
+	
+	return FALSE;
+}
+
+/**
+ * Special implementation of identification_t.matches for ID_ANY.
+ * ANY matches only another ANY, but nothing other
+ */
+static bool matches_any(private_identification_t *this,
+						private_identification_t *other, int *wildcards)
+{
+	if (wildcards)
+	{
+		*wildcards = 0;
+	}
+	return other->type == ID_ANY;
+}
+
+/**
+ * Special implementation of identification_t.matches for ID_DER_ASN1_DN.
+ * ANY matches any, even ANY, thats why its there...
+ */
+static bool matches_dn(private_identification_t *this,
+					   private_identification_t *other, int *wildcards)
+{
+	if (other->type == ID_ANY)
+	{
+		if (wildcards)
+		{
+			*wildcards = MAX_WILDCARDS;
+		}
+		return TRUE;
+	}
+	
+	if (this->type == other->type)
+	{
+		return match_dn(this->encoded, other->encoded, wildcards);
+	}
+	return FALSE;
+}
+
+/**
+ * output handler in printf()
+ */
+static int print(FILE *stream, const struct printf_info *info,
+				 const void *const *args)
+{
+	private_identification_t *this = *((private_identification_t**)(args[0]));
+	char buf[BUF_LEN];
+	chunk_t proper, buf_chunk = chunk_from_buf(buf);
+	int written;
+	
+	if (this == NULL)
+	{
+		return fprintf(stream, "(null)");
+	}
+	
+	switch (this->type)
+	{
+		case ID_ANY:
+			return fprintf(stream, "%%any");
+		case ID_IPV4_ADDR:
+			if (this->encoded.len < sizeof(struct in_addr) ||
+				inet_ntop(AF_INET, this->encoded.ptr, buf, sizeof(buf)) == NULL)
+			{
+				return fprintf(stream, "(invalid ID_IPV4_ADDR)");
+			}
+			else
+			{
+				return fprintf(stream, "%s", buf);
+			}
+		case ID_IPV6_ADDR:
+			if (this->encoded.len < sizeof(struct in6_addr) ||
+				inet_ntop(AF_INET6, this->encoded.ptr, buf, INET6_ADDRSTRLEN) == NULL)
+			{
+				return fprintf(stream, "(invalid ID_IPV6_ADDR)");
+			}
+			else
+			{
+				return fprintf(stream, "%s", buf);
+			}
+		case ID_FQDN:
+		{
+			proper = sanitize_chunk(this->encoded);
+			written = fprintf(stream, "@%.*s", proper.len, proper.ptr);
+			chunk_free(&proper);
+			return written;
+		}
+		case ID_RFC822_ADDR:
+		{
+			proper = sanitize_chunk(this->encoded);
+			written = fprintf(stream, "%.*s", proper.len, proper.ptr);
+			chunk_free(&proper);
+			return written;
+		}
+		case ID_DER_ASN1_DN:
+		{
+			snprintf(buf, sizeof(buf), "%.*s", this->encoded.len, this->encoded.ptr);
+			/* TODO: whats returned on failure?*/
+			dntoa(this->encoded, &buf_chunk);
+			return fprintf(stream, "%s", buf);
+		}
+		case ID_DER_ASN1_GN:
+			return fprintf(stream, "(ASN.1 general Name");
+		case ID_KEY_ID:
+			return fprintf(stream, "(KEY_ID)");
+		case ID_DER_ASN1_GN_URI:
+		{
+			proper = sanitize_chunk(this->encoded);
+			written = fprintf(stream, "%.*s", proper.len, proper.ptr);
+			chunk_free(&proper);
+			return written;
+		}
+		default:
+			return fprintf(stream, "(unknown ID type: %d)", this->type);
+	}
+}
+
+/**
+ * register printf() handlers
+ */
+static void __attribute__ ((constructor))print_register()
+{
+	register_printf_function(PRINTF_IDENTIFICATION, print, arginfo_ptr);
+}
+
+/**
+ * Implementation of identification_t.clone.
+ */
+static identification_t *clone_(private_identification_t *this)
+{
+	private_identification_t *clone = identification_create();
+	
+	clone->type = this->type;
+	clone->encoded = chunk_clone(this->encoded);
+	clone->public.equals = this->public.equals;
+	clone->public.matches = this->public.matches;
+	
+	return &clone->public;
+}
+
+/**
+ * Implementation of identification_t.destroy.
+ */
+static void destroy(private_identification_t *this)
+{
+	chunk_free(&this->encoded);
+	free(this);
+}
+
+/**
+ * Generic constructor used for the other constructors.
+ */
+static private_identification_t *identification_create(void)
+{
+	private_identification_t *this = malloc_thing(private_identification_t);
+	
+	this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding;
+	this->public.get_type = (id_type_t (*) (identification_t*))get_type;
+	this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards;
+	this->public.clone = (identification_t* (*) (identification_t*))clone_;
+	this->public.destroy = (void (*) (identification_t*))destroy;
+	/* we use these as defaults, the may be overloaded for special ID types */
+	this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary;
+	this->public.matches = (bool (*) (identification_t*,identification_t*,int*))matches_binary;
+	
+	this->encoded = chunk_empty;
+	
+	return this;
+}
+
+/*
+ * Described in header.
+ */
+identification_t *identification_create_from_string(char *string)
+{
+	private_identification_t *this = identification_create();
+
+	if (string == NULL)
+	{
+		string = "%any";
+	}
+	if (strchr(string, '=') != NULL)
+	{
+		/* we interpret this as an ASCII X.501 ID_DER_ASN1_DN.
+		 * convert from LDAP style or openssl x509 -subject style to ASN.1 DN
+		 */
+		if (atodn(string, &this->encoded) != SUCCESS)
+		{
+			free(this);
+			return NULL;
+		}
+		this->type = ID_DER_ASN1_DN;
+		this->public.equals = (bool (*) (identification_t*,identification_t*))equals_dn;
+		this->public.matches = (bool (*) (identification_t*,identification_t*,int*))matches_dn;
+		return &this->public;
+	}
+	else if (strchr(string, '@') == NULL)
+	{
+		if (streq(string, "%any")
+		||	streq(string, "0.0.0.0")
+		||	streq(string, "*")
+		||	streq(string, "::")
+		||	streq(string, "0::0"))
+		{
+			/* any ID will be accepted */
+			this->type = ID_ANY;
+			this->public.matches = (bool (*)
+					(identification_t*,identification_t*,int*))matches_any;
+			return &this->public;
+		}
+		else
+		{
+			if (strchr(string, ':') == NULL)
+			{
+				/* try IPv4 */
+				struct in_addr address;
+				chunk_t chunk = {(void*)&address, sizeof(address)};
+				
+				if (inet_pton(AF_INET, string, &address) <= 0)
+				{
+					free(this);
+					return NULL;
+				}
+				this->encoded = chunk_clone(chunk);
+				this->type = ID_IPV4_ADDR;
+				return &(this->public);
+			}
+			else
+			{
+				/* try IPv6 */
+				struct in6_addr address;
+				chunk_t chunk = {(void*)&address, sizeof(address)};
+				
+				if (inet_pton(AF_INET6, string, &address) <= 0)
+				{
+					free(this);
+					return NULL;
+				}
+				this->encoded = chunk_clone(chunk);
+				this->type = ID_IPV6_ADDR;
+				return &(this->public);
+			}
+		}
+	}
+	else
+	{
+		if (*string == '@')
+		{
+			if (*(string + 1) == '#')
+			{
+				/* TODO: Pluto handles '#' as hex encoded ID_KEY_ID. */
+				free(this);
+				return NULL;
+			}
+			else
+			{
+				this->type = ID_FQDN;
+				this->encoded.ptr = strdup(string + 1);
+				this->encoded.len = strlen(string + 1);
+				this->public.matches = (bool (*) 
+						(identification_t*,identification_t*,int*))matches_string;
+				return &(this->public);
+			}
+		}
+		else
+		{
+			this->type = ID_RFC822_ADDR;
+			this->encoded.ptr = strdup(string);
+			this->encoded.len = strlen(string);
+			this->public.matches = (bool (*) 
+					(identification_t*,identification_t*,int*))matches_string;
+			return &(this->public);
+		}
+	}
+}
+
+/*
+ * Described in header.
+ */
+identification_t *identification_create_from_encoding(id_type_t type, chunk_t encoded)
+{
+	private_identification_t *this = identification_create();
+	this->type = type;
+	switch (type)
+	{
+		case ID_ANY:
+			this->public.matches = (bool (*)
+					(identification_t*,identification_t*,int*))matches_any;
+			break;
+		case ID_FQDN:
+			this->public.matches = (bool (*)
+					(identification_t*,identification_t*,int*))matches_string;
+			break;
+		case ID_RFC822_ADDR:
+			this->public.matches = (bool (*)
+					(identification_t*,identification_t*,int*))matches_string;
+			break;
+		case ID_DER_ASN1_DN:
+			this->public.equals = (bool (*)
+					(identification_t*,identification_t*))equals_dn;
+			this->public.matches = (bool (*)
+					(identification_t*,identification_t*,int*))matches_dn;
+			break;
+		case ID_IPV4_ADDR:
+		case ID_IPV6_ADDR:
+		case ID_DER_ASN1_GN:
+		case ID_KEY_ID:
+		case ID_DER_ASN1_GN_URI:
+		default:
+			break;
+	}
+	
+	/* apply encoded chunk */
+	if (type != ID_ANY)
+	{
+		this->encoded = chunk_clone(encoded);
+	}
+	return &(this->public);
+}
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
new file mode 100644
index 000000000..59c568eaf
--- /dev/null
+++ b/src/libstrongswan/utils/identification.h
@@ -0,0 +1,261 @@
+/**
+ * @file identification.h
+ *
+ * @brief Interface of identification_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+
+#ifndef IDENTIFICATION_H_
+#define IDENTIFICATION_H_
+
+typedef enum id_type_t id_type_t;
+typedef struct identification_t identification_t;
+
+#include <library.h>
+
+#define MAX_WILDCARDS     14
+
+/**
+ * @brief ID Types in a ID payload.
+ *
+ * @ingroup utils
+ */
+enum id_type_t {
+
+	/**
+	 * private type which matches any other id.
+	 */
+	ID_ANY = 0,
+
+	/**
+	 * ID data is a single four (4) octet IPv4 address.
+	 */
+	ID_IPV4_ADDR = 1,
+
+	/**
+	 * ID data is a fully-qualified domain name string.
+	 * An example of a ID_FQDN is "example.com".
+	 * The string MUST not contain any terminators (e.g., NULL, CR, etc.).
+	 */
+	ID_FQDN = 2,
+
+	/**
+	 * ID data is a fully-qualified RFC822 email address string.
+	 * An example of an ID_RFC822_ADDR is "jsmith@example.com".
+	 * The string MUST NOT contain any terminators.
+	 */
+	ID_RFC822_ADDR = 3,
+
+	/**
+	 * ID data is an IPv4 subnet (IKEv1 only)
+	 */
+	ID_IPV4_ADDR_SUBNET = 4,
+
+	/**
+	 * ID data is a single sixteen (16) octet IPv6 address.
+	 */
+	ID_IPV6_ADDR = 5,
+
+	/**
+	 * ID data is an IPv6 subnet (IKEv1 only)
+	 */
+	ID_IPV6_ADDR_SUBNET = 6,
+
+	/**
+	 * ID data is an IPv4 address range (IKEv1 only)
+	 */
+	ID_IPV4_ADDR_RANGE = 7,
+
+	/**
+	 * ID data is an IPv6 address range (IKEv1 only)
+	 */
+	ID_IPV6_ADDR_RANGE = 8,
+
+	/**
+	 * ID data is the binary DER encoding of an ASN.1 X.501 Distinguished Name
+	 */
+	ID_DER_ASN1_DN = 9,
+
+	/**
+	 * ID data is the binary DER encoding of an ASN.1 X.509 GeneralName
+	 */
+	ID_DER_ASN1_GN = 10,
+
+	/**
+	 * ID data is an opaque octet stream which may be used to pass vendor-
+	 * specific information necessary to do certain proprietary
+	 * types of identification.
+	 */
+	ID_KEY_ID = 11,
+
+	/**
+	 * private type which represents a GeneralName of type URI
+	 */
+	ID_DER_ASN1_GN_URI = 201,
+
+};
+
+/**
+ * enum names for id_type_t.
+ */
+extern enum_name_t *id_type_names;
+
+/**
+ * @brief Generic identification, such as used in ID payload.
+ * 
+ * The following types are possible:
+ * - ID_IPV4_ADDR
+ * - ID_FQDN
+ * - ID_RFC822_ADDR
+ * - ID_IPV6_ADDR
+ * - ID_DER_ASN1_DN
+ * - ID_DER_ASN1_GN
+ * - ID_KEY_ID
+ * - ID_DER_ASN1_GN_URI
+ * 
+ * @b Constructors:
+ * - identification_create_from_string()
+ * - identification_create_from_encoding()
+ * 
+ * @todo Support for ID_DER_ASN1_GN is minimal right now. Comparison
+ * between them and ID_IPV4_ADDR/RFC822_ADDR would be nice.
+ *
+ * @ingroup utils
+ */
+struct identification_t {
+	
+	/**
+	 * @brief Get the encoding of this id, to send over
+	 * the network.
+	 * 
+	 * @warning Result points to internal data, do NOT free!
+	 * 
+	 * @param this		the identification_t object
+	 * @return 			a chunk containing the encoded bytes
+	 */
+	chunk_t (*get_encoding) (identification_t *this);
+	
+	/**
+	 * @brief Get the type of this identification.
+	 * 
+	 * @param this		the identification_t object
+	 * @return 			id_type_t
+	 */
+	id_type_t (*get_type) (identification_t *this);
+	
+	/**
+	 * @brief Check if two identification_t objects are equal.
+	 * 
+	 * @param this		the identification_t object
+	 * @param other		other identification_t object
+	 * @return 			TRUE if the IDs are equal
+	 */
+	bool (*equals) (identification_t *this, identification_t *other);
+	
+	/**
+	 * @brief Check if an ID matches a wildcard ID.
+	 * 
+	 * An identification_t may contain wildcards, such as
+	 * *@strongswan.org. This call checks if a given ID
+	 * (e.g. tester@strongswan.org) belongs to a such wildcard
+	 * ID. Returns TRUE if
+	 * - IDs are identical
+	 * - other is of type ID_ANY
+	 * - other contains a wildcard and matches this
+	 * 
+	 * @param this		the ID without wildcard
+	 * @param other		the ID containing a wildcard
+	 * @param wildcards	returns the number of wildcards, may be NULL
+	 * @return 			TRUE if match is found
+	 */
+	bool (*matches) (identification_t *this, identification_t *other, int *wildcards);
+	
+	/**
+	 * @brief Check if an ID is a wildcard ID.
+	 *
+	 * If the ID represents multiple IDs (with wildcards, or
+	 * as the type ID_ANY), TRUE is returned. If it is unique,
+	 * FALSE is returned.
+	 * 
+	 * @param this		identification_t object
+	 * @return 			TRUE if ID contains wildcards
+	 */
+	bool (*contains_wildcards) (identification_t *this);
+	
+	/**
+	 * @brief Clone a identification_t instance.
+	 * 
+	 * @param this		the identification_t object to clone
+	 * @return 			clone of this
+	 */
+	identification_t *(*clone) (identification_t *this);
+
+	/**
+	 * @brief Destroys a identification_t object.
+	 *
+	 * @param this 		identification_t object
+	 */
+	void (*destroy) (identification_t *this);
+};
+
+/**
+ * @brief Creates an identification_t object from a string.
+ * 
+ * @param string	input string, which will be converted
+ * @return
+ * 					- created identification_t object, or
+ * 					- NULL if unsupported string supplied.
+ *
+ * The input string may be e.g. one of the following:
+ * - ID_IPV4_ADDR:		192.168.0.1
+ * - ID_IPV6_ADDR:		2001:0db8:85a3:08d3:1319:8a2e:0370:7345
+ * - ID_FQDN:			@www.strongswan.org (@indicates FQDN)
+ * - ID_RFC822_ADDR:	alice@wonderland.org
+ * - ID_DER_ASN1_DN:	C=CH, O=Linux strongSwan, CN=bob
+ *
+ * In favour of pluto, domainnames are prepended with an @, since
+ * pluto resolves domainnames without an @ to IPv4 addresses. Since
+ * we use a seperate host_t class for addresses, this doesn't
+ * make sense for us.
+ * 
+ * A distinguished name may contain one or more of the following RDNs:
+ * ND, UID, DC, CN, S, SN, serialNumber, C, L, ST, O, OU, T, D,
+ * N, G, I, ID, EN, EmployeeNumber, E, Email, emailAddress, UN, 
+ * unstructuredName, TCGID.
+ *
+ * @ingroup utils
+ */
+identification_t * identification_create_from_string(char *string);
+
+/**
+ * @brief Creates an identification_t object from an encoded chunk.
+ * 
+ * @param type		type of this id, such as ID_IPV4_ADDR
+ * @param encoded	encoded bytes, such as from identification_t.get_encoding
+ * @return			identification_t object
+ *
+ * In contrast to identification_create_from_string(), this constructor never
+ * returns NULL, even when the conversion to a string representation fails.
+ *
+ * @ingroup utils
+ */
+identification_t * identification_create_from_encoding(id_type_t type, chunk_t encoded);
+
+#endif /* IDENTIFICATION_H_ */
diff --git a/src/libstrongswan/utils/iterator.h b/src/libstrongswan/utils/iterator.h
new file mode 100644
index 000000000..02a15c534
--- /dev/null
+++ b/src/libstrongswan/utils/iterator.h
@@ -0,0 +1,166 @@
+/**
+ * @file iterator.h
+ * 
+ * @brief Interface iterator_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef ITERATOR_H_
+#define ITERATOR_H_
+
+#include <library.h>
+
+/**
+ * @brief Iterator hook function prototype.
+ *
+ * @param param		user supplied parameter
+ * @param in		the value the hook receives from the iterator
+ * @param out		the value supplied as a result to the iterator
+ * @return			TRUE to return "out", FALSE to skip this value
+ */
+typedef bool (iterator_hook_t)(void *param, void *in, void **out);
+
+
+typedef struct iterator_t iterator_t;
+
+/**
+ * @brief Iterator interface, allows iteration over collections.
+ *
+ * iterator_t defines an interface for iterating over collections.
+ * It allows searching, deleting, updating and inserting.
+ *
+ * Thanks to JMP for iterator lessons :-)
+ *
+ * @b Constructors:
+ * - via linked_list_t.create_iterator, or
+ * - any other class which supports the iterator_t interface
+ *
+ * @see linked_list_t
+ *
+ * @ingroup utils 
+ */
+struct iterator_t {
+
+	/**
+	 * @brief Return number of list items.
+	 * 
+	 * @param this 			calling object
+	 * @return				number of list items
+	 */
+	int (*get_count) (iterator_t *this);
+	
+	/**
+	 * @brief Iterate over all items.
+	 * 
+	 * The easy way to iterate over items.
+	 * 
+	 * @param this 			calling object
+	 * @param[out] value 	item
+	 * @return
+	 * 						- TRUE, if there was an element available,
+	 * 						- FALSE otherwise
+	 */
+	bool (*iterate) (iterator_t *this, void** value);
+	
+	/**
+	 * @brief Hook a function into the iterator.
+	 *
+	 * Sometimes it is useful to hook in an iterator. The hook function is
+	 * called before any successful return of iterate(). It takes the
+	 * iterator value, may manipulate it (or the references object), and returns
+	 * the value that the iterate() function returns.
+	 * A value of NULL deactivates the iterator hook.
+	 * 
+	 * @param this 			calling object
+	 * @param hook			iterator hook which manipulates the iterated value
+	 * @param param			user supplied parameter to pass back to the hook
+	 */
+	void (*set_iterator_hook) (iterator_t *this, iterator_hook_t *hook,
+							   void *param);
+	
+	/**
+	 * @brief Inserts a new item before the given iterator position.
+	 * 
+	 * The iterator position is not changed after inserting
+	 * 
+	 * @param this 			calling iterator
+	 * @param[in] item 		value to insert in list
+	 */
+	void (*insert_before) (iterator_t *this, void *item);
+
+	/**
+	 * @brief Inserts a new item after the given iterator position.
+	 * 
+	 * The iterator position is not changed after inserting.
+	 * 
+	 * @param this 			calling iterator
+	 * @param[in] item 		value to insert in list
+	 */
+	void (*insert_after) (iterator_t *this, void *item);
+	
+	/**
+	 * @brief Replace the current item at current iterator position.
+	 * 
+	 * The iterator position is not changed after replacing.
+	 * 
+	 * @param this 			calling iterator
+	 * @param[out] old_item	old value will be written here(can be NULL)
+	 * @param[in] new_item  new value
+	 * 
+	 * @return 
+	 * 						- SUCCESS
+	 * 						- FAILED if iterator is on an invalid position
+	 */
+	status_t (*replace) (iterator_t *this, void **old_item, void *new_item);
+
+	/**
+	 * @brief Removes an element from list at the given iterator position.
+	 * 
+	 * The iterator is set the the following position:
+	 * - to the item before, if available
+	 * - it gets reseted, otherwise
+	 * 
+	 * @param this		 	calling object
+	 * @return 
+	 * 						- SUCCESS
+	 * 						- FAILED if iterator is on an invalid position
+	 */
+	status_t (*remove) (iterator_t *this);
+	
+	/**
+	 * @brief Resets the iterator position.
+	 * 
+	 * After reset, the iterator_t objects doesn't point to an element.
+	 * A call to iterator_t.has_next is necessary to do any other operations
+	 * with the resetted iterator.
+	 * 
+	 * @param this 			calling object
+	 */
+	void (*reset) (iterator_t *this);
+
+	/**
+	 * @brief Destroys an iterator.
+	 * 
+	 * @param this 			iterator to destroy
+	 * 
+	 */
+	void (*destroy) (iterator_t *this);
+};
+
+#endif /*ITERATOR_H_*/
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
new file mode 100644
index 000000000..b8a023270
--- /dev/null
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -0,0 +1,459 @@
+/**
+ * @file leak_detective.c
+ * 
+ * @brief Allocation hooks to find memory leaks.
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stddef.h>
+#include <string.h>
+#include <stdio.h>
+#include <malloc.h>
+#include <signal.h> 
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <dlfcn.h>
+#include <unistd.h>
+#include <syslog.h>
+#include <pthread.h>
+#include <netdb.h>
+#include <printf.h>
+#ifdef HAVE_BACKTRACE
+# include <execinfo.h>
+#endif /* HAVE_BACKTRACE */
+
+#include "leak_detective.h"
+
+#include <library.h>
+#include <debug.h>
+
+#ifdef LEAK_DETECTIVE
+
+/**
+ * Magic value which helps to detect memory corruption. Yummy!
+ */
+#define MEMORY_HEADER_MAGIC 0x7ac0be11
+
+/**
+ * Pattern which is filled in memory before freeing it
+ */
+#define MEMORY_FREE_PATTERN 0xFF
+
+/**
+ * Pattern which is filled in newly allocated memory
+ */
+#define MEMORY_ALLOC_PATTERN 0xEE
+
+
+static void install_hooks(void);
+static void uninstall_hooks(void);
+static void *malloc_hook(size_t, const void *);
+static void *realloc_hook(void *, size_t, const void *);
+static void free_hook(void*, const void *);
+
+static u_int count_malloc = 0;
+static u_int count_free = 0;
+static u_int count_realloc = 0;
+
+typedef struct memory_header_t memory_header_t;
+
+/**
+ * Header which is prepended to each allocated memory block
+ */
+struct memory_header_t {
+	/**
+	 * Magci byte which must(!) hold MEMORY_HEADER_MAGIC
+	 */
+	u_int32_t magic;
+	
+	/**
+	 * Number of bytes following after the header
+	 */
+	size_t bytes;
+	
+	/**
+	 * Stack frames at the time of allocation
+	 */
+	void *stack_frames[STACK_FRAMES_COUNT];
+	
+	/**
+	 * Number of stacks frames obtained in stack_frames
+	 */
+	int stack_frame_count;
+	
+	/**
+	 * Pointer to previous entry in linked list
+	 */
+	memory_header_t *previous;
+	
+	/**
+	 * Pointer to next entry in linked list
+	 */
+	memory_header_t *next;
+};
+
+/**
+ * first mem header is just a dummy to chain 
+ * the others on it...
+ */
+static memory_header_t first_header = {
+	magic: MEMORY_HEADER_MAGIC,
+	bytes: 0,
+	stack_frame_count: 0,
+	previous: NULL,
+	next: NULL
+};
+
+/**
+ * standard hooks, used to temparily remove hooking
+ */
+static void *old_malloc_hook, *old_realloc_hook, *old_free_hook;
+
+/**
+ * are the hooks currently installed? 
+ */
+static bool installed = FALSE;
+
+/**
+ * Mutex to exclusivly uninstall hooks, access heap list
+ */
+static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
+
+
+/**
+ * log stack frames queried by backtrace()
+ * TODO: Dump symbols of static functions. This could be done with
+ * the addr2line utility or the GNU BFD Library...
+ */
+static void log_stack_frames(void **stack_frames, int stack_frame_count)
+{
+#ifdef HAVE_BACKTRACE
+	char **strings;
+	size_t i;
+
+	strings = backtrace_symbols (stack_frames, stack_frame_count);
+
+	DBG1("  dumping %d stack frame addresses", stack_frame_count);
+
+	for (i = 0; i < stack_frame_count; i++)
+	{
+		DBG1("    %s", strings[i]);
+	}
+	free (strings);
+#endif /* HAVE_BACKTRACE */
+}
+
+/**
+ * Whitelist, which contains address ranges in stack frames ignored when leaking.
+ * 
+ * This is necessary, as some function use allocation hacks (static buffers)
+ * and so on, which we want to suppress on leak reports.
+ *
+ * The range_size is calculated using the readelf utility, e.g.:
+ * readelf -s /lib/glibc.so.6
+ * The values are for glibc-2.4 and may or may not be correct on other systems.
+ */
+typedef struct whitelist_t whitelist_t;
+
+struct whitelist_t {
+	void* range_start;
+	size_t range_size;
+};
+
+#ifdef LIBCURL
+/* dummy declaration for whitelisting */
+void *Curl_getaddrinfo(void);
+#endif /* LIBCURL */
+
+whitelist_t whitelist[] = {
+	{pthread_create,			2542},
+	{pthread_setspecific,		 217},
+	{mktime,					  60},
+	{tzset,						 123},
+	{inet_ntoa,					 249},
+	{strerror,					 180},
+	{getprotobynumber,			 291},
+	{getservbyport,				 311},
+	{register_printf_function,	 159},
+	{syslog,					  45},
+	{dlopen,					 109},
+#	ifdef LIBCURL
+	/* from /usr/lib/libcurl.so.3 */
+	{Curl_getaddrinfo,			 480},
+#	endif /* LIBCURL */
+};
+
+/**
+ * Check if this stack frame is whitelisted.
+ */
+static bool is_whitelisted(void **stack_frames, int stack_frame_count)
+{
+	int i, j;
+	
+	for (i=0; i< stack_frame_count; i++)
+	{
+		for (j=0; j<sizeof(whitelist)/sizeof(whitelist_t); j++)
+		{
+			if (stack_frames[i] >= whitelist[j].range_start &&
+				stack_frames[i] <= (whitelist[j].range_start + whitelist[j].range_size))
+			{
+				return TRUE;
+			}
+		}
+	}
+	return FALSE;
+}
+
+/**
+ * Report leaks at library destruction
+ */
+void report_leaks()
+{
+	memory_header_t *hdr;
+	int leaks = 0;
+	
+	for (hdr = first_header.next; hdr != NULL; hdr = hdr->next)
+	{
+		if (!is_whitelisted(hdr->stack_frames, hdr->stack_frame_count))
+		{
+			DBG1("Leak (%d bytes at %p):", hdr->bytes, hdr + 1);
+			log_stack_frames(hdr->stack_frames, hdr->stack_frame_count);
+			leaks++;
+		}
+	}
+		
+	switch (leaks)
+	{
+		case 0:
+			DBG1("No leaks detected");
+			break;
+		case 1:
+			DBG1("One leak detected");
+			break;
+		default:
+			DBG1("%d leaks detected", leaks);
+			break;
+	}
+}
+
+/**
+ * Installs the malloc hooks, enables leak detection
+ */
+static void install_hooks()
+{
+	if (!installed)
+	{
+		old_malloc_hook = __malloc_hook;
+		old_realloc_hook = __realloc_hook;
+		old_free_hook = __free_hook;
+		__malloc_hook = malloc_hook;
+		__realloc_hook = realloc_hook;
+		__free_hook = free_hook;
+		installed = TRUE;
+	}
+}
+
+/**
+ * Uninstalls the malloc hooks, disables leak detection
+ */
+static void uninstall_hooks()
+{
+	if (installed)
+	{
+		__malloc_hook = old_malloc_hook;
+		__free_hook = old_free_hook;
+		__realloc_hook = old_realloc_hook;
+		installed = FALSE;
+	}
+}
+
+/**
+ * Hook function for malloc()
+ */
+void *malloc_hook(size_t bytes, const void *caller)
+{
+	memory_header_t *hdr;
+	
+	pthread_mutex_lock(&mutex);
+	count_malloc++;
+	uninstall_hooks();
+	hdr = malloc(bytes + sizeof(memory_header_t));
+	/* set to something which causes crashes */
+	memset(hdr, MEMORY_ALLOC_PATTERN, bytes + sizeof(memory_header_t));
+	
+	hdr->magic = MEMORY_HEADER_MAGIC;
+	hdr->bytes = bytes;
+	hdr->stack_frame_count = backtrace(hdr->stack_frames, STACK_FRAMES_COUNT);
+	install_hooks();
+	
+	/* insert at the beginning of the list */
+	hdr->next = first_header.next;
+	if (hdr->next)
+	{
+		hdr->next->previous = hdr;
+	}
+	hdr->previous = &first_header;
+	first_header.next = hdr;
+	pthread_mutex_unlock(&mutex);
+	return hdr + 1;
+}
+
+/**
+ * Hook function for free()
+ */
+void free_hook(void *ptr, const void *caller)
+{
+	void *stack_frames[STACK_FRAMES_COUNT];
+	int stack_frame_count;
+	memory_header_t *hdr = ptr - sizeof(memory_header_t);
+	
+	/* allow freeing of NULL */
+	if (ptr == NULL)
+	{
+		return;
+	}
+	
+	pthread_mutex_lock(&mutex);
+	count_free++;
+	uninstall_hooks();
+	if (hdr->magic != MEMORY_HEADER_MAGIC)
+	{
+		DBG1("freeing of invalid memory (%p, MAGIC 0x%x != 0x%x):",
+			 ptr, hdr->magic, MEMORY_HEADER_MAGIC);
+		stack_frame_count = backtrace(stack_frames, STACK_FRAMES_COUNT);
+		log_stack_frames(stack_frames, stack_frame_count);
+		install_hooks();
+		pthread_mutex_unlock(&mutex);
+		return;
+	}
+	
+	/* remove item from list */
+	if (hdr->next)
+	{
+		hdr->next->previous = hdr->previous;
+	}
+	hdr->previous->next = hdr->next;
+	
+	/* clear MAGIC, set mem to something remarkable */
+	memset(hdr, MEMORY_FREE_PATTERN, hdr->bytes + sizeof(memory_header_t));
+	
+	free(hdr);
+	install_hooks();
+	pthread_mutex_unlock(&mutex);
+}
+
+/**
+ * Hook function for realloc()
+ */
+void *realloc_hook(void *old, size_t bytes, const void *caller)
+{
+	memory_header_t *hdr;
+	void *stack_frames[STACK_FRAMES_COUNT];
+	int stack_frame_count;
+	
+	/* allow reallocation of NULL */
+	if (old == NULL)
+	{
+		return malloc_hook(bytes, caller);
+	}
+	
+	hdr = old - sizeof(memory_header_t);
+	
+	pthread_mutex_lock(&mutex);
+	count_realloc++;
+	uninstall_hooks();
+	if (hdr->magic != MEMORY_HEADER_MAGIC)
+	{
+		DBG1("reallocation of invalid memory (%p):", old);
+		stack_frame_count = backtrace(stack_frames, STACK_FRAMES_COUNT);
+		log_stack_frames(stack_frames, stack_frame_count);
+		install_hooks();
+		pthread_mutex_unlock(&mutex);
+		raise(SIGKILL);
+		return NULL;
+	}
+	
+	hdr = realloc(hdr, bytes + sizeof(memory_header_t));
+	
+	/* update statistics */
+	hdr->bytes = bytes;
+	hdr->stack_frame_count = backtrace(hdr->stack_frames, STACK_FRAMES_COUNT);
+	
+	/* update header of linked list neighbours */
+	if (hdr->next)
+	{
+		hdr->next->previous = hdr;
+	}
+	hdr->previous->next = hdr;
+	install_hooks();
+	pthread_mutex_unlock(&mutex);
+	return hdr + 1;
+}
+
+/**
+ * Setup leak detective
+ */
+void __attribute__ ((constructor)) leak_detective_init()
+{
+	install_hooks();
+}
+
+/**
+ * Clean up leak detective
+ */
+void __attribute__ ((destructor)) leak_detective_cleanup()
+{
+	uninstall_hooks();
+	report_leaks();
+}
+
+/**
+ * Log memory allocation statistics
+ */
+void leak_detective_status(FILE *stream)
+{
+	u_int blocks = 0;
+	size_t bytes = 0;
+	memory_header_t *hdr = &first_header;
+	
+	pthread_mutex_lock(&mutex);
+	while ((hdr = hdr->next))
+	{
+		blocks++;
+		bytes += hdr->bytes;
+	}
+	pthread_mutex_unlock(&mutex);
+	
+	fprintf(stream, "allocation statistics:\n");
+	fprintf(stream, "  call stats: malloc: %d, free: %d, realloc: %d\n",
+			count_malloc, count_free, count_realloc);
+	fprintf(stream, "  allocated %d blocks, total size %d bytes (avg. %d bytes)\n",
+			blocks, bytes, bytes/blocks);
+}
+
+#else /* !LEAK_DETECTION */
+
+/**
+ * Dummy when !using LEAK_DETECTIVE
+ */
+void leak_detective_status(FILE *stream)
+{
+
+}
+
+#endif /* LEAK_DETECTION */
diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h
new file mode 100644
index 000000000..d4016b06e
--- /dev/null
+++ b/src/libstrongswan/utils/leak_detective.h
@@ -0,0 +1,35 @@
+/**
+ * @file leak_detective.h
+ * 
+ * @brief malloc/free hooks to detect leaks.
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef LEAK_DETECTIVE_H_
+#define LEAK_DETECTIVE_H_
+
+/**
+ * Log status information about allocation
+ */
+void leak_detective_status(FILE *stream);
+
+/**
+ * Max number of stack frames to include in a backtrace.
+ */
+#define STACK_FRAMES_COUNT 30
+
+#endif /* LEAK_DETECTIVE_H_ */
diff --git a/src/libstrongswan/utils/lexparser.c b/src/libstrongswan/utils/lexparser.c
new file mode 100644
index 000000000..9d3f06593
--- /dev/null
+++ b/src/libstrongswan/utils/lexparser.c
@@ -0,0 +1,137 @@
+/**
+ * @file lexparser.c
+ * 
+ * @brief lexical parser for text-based configuration files
+ *  
+ */
+
+/*
+ * Copyright (C) 2001-2006 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+
+#include "lexparser.h"
+
+
+/**
+ * eat whitespace
+ */
+bool eat_whitespace(chunk_t *src)
+{
+	while (src->len > 0 && (*src->ptr == ' ' || *src->ptr == '\t'))
+	{
+		src->ptr++;  src->len--;
+	}
+    return  src->len > 0 && *src->ptr != '#';
+}
+
+/**
+ * compare string with chunk
+ */
+bool match(const char *pattern, const chunk_t *ch)
+{
+	return ch->len == strlen(pattern) && strncmp(pattern, ch->ptr, ch->len) == 0;
+}
+
+/**
+ * extracts a token ending with a given termination symbol
+ */
+bool extract_token(chunk_t *token, const char termination, chunk_t *src)
+{
+	u_char *eot = memchr(src->ptr, termination, src->len);
+	
+	/* initialize empty token */
+	*token = chunk_empty;
+	
+	if (eot == NULL) /* termination symbol not found */
+	{
+		return FALSE;
+	}
+	
+	/* extract token */
+	token->ptr = src->ptr;
+	token->len = (u_int)(eot - src->ptr);
+	
+	/* advance src pointer after termination symbol */
+	src->ptr = eot + 1;
+	src->len -= (token->len + 1);
+	
+	return TRUE;
+}
+
+/**
+ *  fetches a new line terminated by \n or \r\n
+ */
+bool fetchline(chunk_t *src, chunk_t *line)
+{
+	if (src->len == 0) /* end of src reached */
+		return FALSE;
+
+	if (extract_token(line, '\n', src))
+	{
+		if (line->len > 0 && *(line->ptr + line->len -1) == '\r')
+			line->len--;  /* remove optional \r */
+	}
+	else /*last line ends without newline */
+	{
+		*line = *src;
+		src->ptr += src->len;
+		src->len = 0;
+	}
+	return TRUE;
+}
+
+err_t extract_value(chunk_t *value, chunk_t *line)
+{
+	char delimiter = ' ';
+
+	if (!eat_whitespace(line))
+	{
+		*value = chunk_empty;
+		return NULL;
+	}
+	if (*line->ptr == '\'' || *line->ptr == '"')
+	{
+		delimiter = *line->ptr;
+		line->ptr++;  line->len--;
+	}
+	if (!extract_token(value, delimiter, line))
+	{
+		if (delimiter == ' ')
+		{
+			*value = *line;
+			line->len = 0;
+		}
+		else
+		{
+			return "missing second delimiter";
+		}
+	}
+	return NULL;
+}
+
+/**
+ * extracts a parameter: value pair
+ */
+err_t extract_parameter_value(chunk_t *name, chunk_t *value, chunk_t *line)
+{
+	/* extract name */
+	if (!extract_token(name,':', line))
+	{
+		return "missing ':'";
+	}
+
+	/* extract value */
+	return extract_value(value, line);
+}
diff --git a/src/libstrongswan/utils/lexparser.h b/src/libstrongswan/utils/lexparser.h
new file mode 100644
index 000000000..e3c2c4c70
--- /dev/null
+++ b/src/libstrongswan/utils/lexparser.h
@@ -0,0 +1,57 @@
+/**
+ * @file lexparser.h
+ * 
+ * @brief lexical parser for text-based configuration files
+ *  
+ */
+
+/*
+ * Copyright (C) 2001-2006 Andreas Steffen, Zuercher Hochschule Winterthur
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <library.h>
+
+/**
+ * @brief Eats whitespace
+ */
+bool eat_whitespace(chunk_t *src);
+
+/**
+ * @brief Compare null-terminated pattern with chunk
+ */
+bool match(const char *pattern, const chunk_t *ch);
+
+/**
+ * @brief Extracts a token ending with a given termination symbol
+ */
+bool extract_token(chunk_t *token, const char termination, chunk_t *src);
+
+/**
+ *  @brief Fetches a new text line terminated by \n or \r\n
+ */
+bool fetchline(chunk_t *src, chunk_t *line);
+
+/**
+ * @brief Extracts a value that might be single or double quoted
+ */
+err_t extract_value(chunk_t *value, chunk_t *line);
+
+/**
+ * @brief extracts a name: value pair from a text line
+ */
+err_t extract_name_value(chunk_t *name, chunk_t *value, chunk_t *line);
+
+/**
+ * @brief extracts a parameter: value from a text line
+ */
+err_t extract_parameter_value(chunk_t *name, chunk_t *value, chunk_t *line);
diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/utils/linked_list.c
new file mode 100644
index 000000000..de043a02e
--- /dev/null
+++ b/src/libstrongswan/utils/linked_list.c
@@ -0,0 +1,763 @@
+/**
+ * @file linked_list.c
+ *
+ * @brief Implementation of linked_list_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "linked_list.h"
+
+typedef struct element_t element_t;
+
+/**
+ * This element holds a pointer to the value it represents.
+ */
+struct element_t {
+
+	/**
+	 * Value of a list item.
+	 */
+	void *value;
+
+	/**
+	 * Previous list element.
+	 * 
+	 * NULL if first element in list.
+	 */
+	element_t *previous;
+	
+	/**
+	 * Next list element.
+	 * 
+	 * NULL if last element in list.
+	 */
+	element_t *next;
+};
+
+/**
+ * Creates an empty linked list object.
+ */
+element_t *element_create(void *value)
+{
+	element_t *this = malloc_thing(element_t);
+	
+	this->previous = NULL;
+	this->next = NULL;
+	this->value = value;
+	
+	return (this);
+}
+
+
+typedef struct private_linked_list_t private_linked_list_t;
+
+/**
+ * Private data of a linked_list_t object.
+ *
+ */
+struct private_linked_list_t {
+	/**
+	 * Public part of linked list.
+	 */
+	linked_list_t public;
+
+	/**
+	 * Number of items in the list.
+	 */
+	int count;
+
+	/**
+	 * First element in list.
+	 * NULL if no elements in list.
+	 */
+	element_t *first;
+	
+	/**
+	 * Last element in list.
+	 * NULL if no elements in list.
+	 */
+	element_t *last;
+};
+
+
+typedef struct private_iterator_t private_iterator_t;
+
+/**
+ * Private variables and functions of linked list iterator.
+ */
+struct private_iterator_t {
+	/**
+	 * Public part of linked list iterator.
+	 */
+	iterator_t public;
+
+	/**
+	 * Associated linked list.
+	 */
+	private_linked_list_t * list;
+
+	/**
+	 * Current element of the iterator.
+	 */
+	element_t *current;
+
+	/**
+	 * Direction of iterator.
+	 */
+	bool forward;
+	
+	/**
+	 * Mutex to use to synchronize access
+	 */
+	pthread_mutex_t *mutex;
+	
+	/**
+	 * iteration hook
+	 */
+	iterator_hook_t *hook;
+	
+	/**
+	 * user parameter for iterator hook
+	 */
+	void *hook_param;
+};
+
+/**
+ * Implementation of iterator_t.get_count.
+ */
+static int get_list_count(private_iterator_t *this)
+{
+	return this->list->count;
+}
+
+/**
+ * default iterator hook which does nothing
+ */
+static bool iterator_hook(void *param, void *in, void **out)
+{
+	*out = in;
+	return TRUE;
+}
+
+/**
+ * Implementation of iterator_t.set_iterator_hook.
+ */
+static void set_iterator_hook(private_iterator_t *this, iterator_hook_t *hook,
+							  void* param)
+{
+	if (hook == NULL)
+	{
+		this->hook = iterator_hook;
+		this->hook_param = NULL;
+	}
+	else
+	{
+		this->hook = hook;
+		this->hook_param = param;
+	}
+}
+
+/**
+ * Implementation of iterator_t.iterate.
+ */
+static bool iterate(private_iterator_t *this, void** value)
+{
+	if (this->list->count == 0)
+	{
+		return FALSE;
+	}
+	if (this->current == NULL)
+	{
+		this->current = (this->forward) ? this->list->first : this->list->last;
+		if (!this->hook(this->hook_param, this->current->value, value))
+		{
+			return iterate(this, value);
+		}
+		return TRUE;
+	}
+	if (this->forward)
+	{
+		if (this->current->next == NULL)
+		{
+			return FALSE;
+		}
+		this->current = this->current->next;
+		if (!this->hook(this->hook_param, this->current->value, value))
+		{
+			return iterate(this, value);
+		}
+		return TRUE;
+	}
+	if (this->current->previous == NULL)
+	{
+		return FALSE;
+	}
+	this->current = this->current->previous;
+	if (!this->hook(this->hook_param, this->current->value, value))
+	{
+		return iterate(this, value);
+	}
+	return TRUE;
+}
+
+/**
+ * Implementation of iterator_t.reset.
+ */
+static void iterator_reset(private_iterator_t *this)
+{
+	this->current = NULL;
+}
+
+/**
+ * Implementation of iterator_t.remove.
+ */
+static status_t remove_(private_iterator_t *this)
+{
+	element_t *new_current;
+
+	if (this->current == NULL)
+	{
+		return NOT_FOUND;
+	}
+
+	if (this->list->count == 0)
+	{
+		return NOT_FOUND;
+	}
+	/* find out the new iterator position, depending on iterator direction */
+	if (this->forward && this->current->previous != NULL)
+	{
+		new_current = this->current->previous;
+	}
+	else if (!this->forward && this->current->next != NULL)
+	{
+		new_current = this->current->next;
+	}
+	else
+	{
+		new_current = NULL;
+	}
+
+	/* now delete the entry :-) */
+	if (this->current->previous == NULL)
+	{
+		if (this->current->next == NULL)
+		{
+			this->list->first = NULL;
+			this->list->last = NULL;
+		}
+		else
+		{
+			this->current->next->previous = NULL;
+			this->list->first = this->current->next;
+		}
+	}
+	else if (this->current->next == NULL)
+	{
+		this->current->previous->next = NULL;
+		this->list->last = this->current->previous;
+	}
+	else
+	{
+		this->current->previous->next = this->current->next;
+		this->current->next->previous = this->current->previous;
+	}
+	
+	this->list->count--;
+	free(this->current);
+	/* set the new iterator position */
+	this->current = new_current;
+	return SUCCESS;
+}
+
+/**
+ * Implementation of iterator_t.insert_before.
+ */
+static void insert_before(private_iterator_t * iterator, void *item)
+{
+	if (iterator->current == NULL)
+	{
+		iterator->list->public.insert_first(&(iterator->list->public), item);
+	}
+	
+	element_t *element = element_create(item);
+	if (iterator->current->previous == NULL)
+	{
+		iterator->current->previous = element;
+		element->next = iterator->current;
+		iterator->list->first = element;
+	}
+	else
+	{
+		iterator->current->previous->next = element;
+		element->previous = iterator->current->previous;
+		iterator->current->previous = element;
+		element->next = iterator->current;
+	}
+	iterator->list->count++;
+}
+
+/**
+ * Implementation of iterator_t.replace.
+ */
+static status_t replace(private_iterator_t *this, void **old_item, void *new_item)
+{
+	if (this->current == NULL)
+	{
+		return NOT_FOUND;
+	}
+	if (old_item != NULL)
+	{
+		*old_item = this->current->value;
+	}
+	this->current->value = new_item;
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of iterator_t.insert_after.
+ */
+static void insert_after(private_iterator_t *iterator, void *item)
+{
+	if (iterator->current == NULL)
+	{
+		iterator->list->public.insert_first(&(iterator->list->public),item);
+		return;
+	}
+	
+	element_t *element = element_create(item);
+	if (iterator->current->next == NULL)
+	{
+		iterator->current->next = element;
+		element->previous = iterator->current;
+		iterator->list->last = element;
+	}
+	else
+	{
+		iterator->current->next->previous = element;
+		element->next = iterator->current->next;
+		iterator->current->next = element;
+		element->previous = iterator->current;
+	}
+	iterator->list->count++;
+}
+
+/**
+ * Implementation of iterator_t.destroy.
+ */
+static void iterator_destroy(private_iterator_t *this)
+{
+	if (this->mutex)
+	{
+		pthread_mutex_unlock(this->mutex);
+	}
+	free(this);
+}
+
+/**
+ * Implementation of linked_list_t.get_count.
+ */
+static int get_count(private_linked_list_t *this)
+{
+	return this->count;
+}
+
+/**
+ * Implementation of linked_list_t.insert_first.
+ */
+static void insert_first(private_linked_list_t *this, void *item)
+{
+	element_t *element;
+	
+	element = element_create(item);
+	if (this->count == 0)
+	{
+		/* first entry in list */
+		this->first = element;
+		this->last = element;
+		element->previous = NULL;
+		element->next = NULL;
+	}
+	else
+	{
+		element_t *old_first_element = this->first;
+		element->next = old_first_element;
+		element->previous = NULL;
+		old_first_element->previous = element;
+		this->first = element;
+	}
+	this->count++;
+}
+
+/**
+ * Implementation of linked_list_t.remove_first.
+ */
+static status_t remove_first(private_linked_list_t *this, void **item)
+{
+	element_t *element = this->first;
+	
+	if (element == NULL)
+	{
+		return NOT_FOUND;
+	}
+	if (element->next != NULL)
+	{
+		element->next->previous = NULL;
+	}
+	this->first = element->next;
+	
+	if (item != NULL)
+	{
+		*item = element->value;
+	}
+	if (--this->count == 0)
+	{
+		this->last = NULL;
+	}
+	
+	free(element);
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of linked_list_t.get_first.
+ */
+static status_t get_first(private_linked_list_t *this, void **item)
+{
+	if (this->count == 0)
+	{
+		return NOT_FOUND;
+	}
+	*item = this->first->value;
+	return SUCCESS;
+}
+
+/**
+ * Implementation of linked_list_t.insert_last.
+ */
+static void insert_last(private_linked_list_t *this, void *item)
+{
+	element_t *element = element_create(item);
+	
+	if (this->count == 0)
+	{
+		/* first entry in list */
+		this->first = element;
+		this->last = element;
+		element->previous = NULL;
+		element->next = NULL;
+	}
+	else
+	{
+		element_t *old_last_element = this->last;
+		element->previous = old_last_element;
+		element->next = NULL;
+		old_last_element->next = element;
+		this->last = element;
+	}
+	this->count++;
+}
+
+/**
+ * Implementation of linked_list_t.remove_last.
+ */
+static status_t remove_last(private_linked_list_t *this, void **item)
+{
+	element_t *element = this->last;
+	
+	if (element == NULL)
+	{
+		return NOT_FOUND;
+	}
+	if (element->previous != NULL)
+	{
+		element->previous->next = NULL;
+	}
+	this->last = element->previous;
+	
+	if (item != NULL)
+	{
+		*item = element->value;
+	}
+	if (--this->count == 0)
+	{
+		this->first = NULL;
+	}
+	
+	free(element);
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of linked_list_t.insert_at_position.
+ */
+static status_t insert_at_position (private_linked_list_t *this,size_t position, void *item)
+{
+	element_t *current_element;
+	int i;
+	
+	if (this->count <= position)
+	{
+		return INVALID_ARG;
+	}
+	
+	current_element =  this->first;
+	
+	for (i = 0; i < position;i++)
+	{
+		current_element = current_element->next;
+	}
+	
+	if (current_element == NULL)
+	{
+		this->public.insert_last(&(this->public),item);
+		return SUCCESS;
+	}
+	
+	element_t *element = element_create(item);
+	if (current_element->previous == NULL)
+	{
+		current_element->previous = element;
+		element->next = current_element;
+		this->first = element;
+	}
+	else
+	{
+		current_element->previous->next = element;
+		element->previous = current_element->previous;
+		current_element->previous = element;
+		element->next = current_element;
+	}
+
+
+	this->count++;
+	return SUCCESS;
+}
+	
+/**
+ * Implementation of linked_list_t.remove_at_position.
+ */
+static status_t remove_at_position(private_linked_list_t *this,size_t position, void **item)
+{
+	iterator_t *iterator;
+	int i;
+	
+	if (this->count <= position)
+	{
+		return INVALID_ARG;
+	}
+	
+	iterator = this->public.create_iterator(&(this->public),TRUE);
+	iterator->iterate(iterator, item);
+	for (i = 0; i < position; i++)
+	{
+		if (!iterator->iterate(iterator, item))
+		{
+			iterator->destroy(iterator);
+			return INVALID_ARG;
+		}
+	}
+	iterator->remove(iterator);
+	iterator->destroy(iterator);
+	
+	return SUCCESS;
+}
+
+/**
+ * Implementation of linked_list_t.get_at_position.
+ */
+static status_t get_at_position(private_linked_list_t *this,size_t position, void **item)
+{
+	int i;
+	iterator_t *iterator;
+	
+	if (this->count <= position)
+	{
+		return INVALID_ARG;
+	}
+
+	iterator = this->public.create_iterator(&(this->public),TRUE);
+	iterator->iterate(iterator, item);
+	for (i = 0; i < position; i++)
+	{
+		if (!iterator->iterate(iterator, item))
+		{
+			iterator->destroy(iterator);
+			return INVALID_ARG;
+		}
+	}
+	iterator->destroy(iterator);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of linked_list_t.get_last.
+ */
+static status_t get_last(private_linked_list_t *this, void **item)
+{
+	if (this->count == 0)
+	{
+		return NOT_FOUND;
+	}
+
+	*item = this->last->value;
+
+	return SUCCESS;
+}
+
+/**
+ * Implementation of linked_list_t.invoke.
+ */
+static void invoke(private_linked_list_t *this, size_t offset)
+{
+	element_t *current = this->first;
+	
+	while (current)
+	{
+		void (**method)(void*) = current->value + offset;
+		(*method)(current->value);
+		current = current->next;
+	}
+}
+
+/**
+ * Implementation of linked_list_t.destroy.
+ */
+static void destroy(private_linked_list_t *this)
+{
+	void *value;
+	/* Remove all list items before destroying list */
+	while (this->public.remove_first(&(this->public), &value) == SUCCESS)
+	{
+		/* values are not destroyed so memory leaks are possible
+		 * if list is not empty when deleting */
+	}
+	free(this);
+}
+
+/**
+ * Implementation of linked_list_t.destroy_offset.
+ */
+static void destroy_offset(private_linked_list_t *this, size_t offset)
+{
+	element_t *current = this->first, *next;
+	
+	while (current)
+	{
+		void (**method)(void*) = current->value + offset;
+		(*method)(current->value);
+		next = current->next;
+		free(current);
+		current = next;
+	}
+	free(this);
+}
+
+/**
+ * Implementation of linked_list_t.destroy_function.
+ */
+static void destroy_function(private_linked_list_t *this, void (*fn)(void*))
+{
+	element_t *current = this->first, *next;
+	
+	while (current)
+	{
+		fn(current->value);
+		next = current->next;
+		free(current);
+		current = next;
+	}
+	free(this);
+}
+
+/**
+ * Implementation of linked_list_t.create_iterator.
+ */
+static iterator_t *create_iterator(private_linked_list_t *linked_list, bool forward)
+{
+	private_iterator_t *this = malloc_thing(private_iterator_t);
+	
+	this->public.get_count = (int (*) (iterator_t*)) get_list_count;
+	this->public.iterate = (bool (*) (iterator_t*, void **value)) iterate;
+	this->public.set_iterator_hook = (void(*)(iterator_t*, iterator_hook_t*, void*))set_iterator_hook;
+	this->public.insert_before = (void (*) (iterator_t*, void *item)) insert_before;
+	this->public.insert_after = (void (*) (iterator_t*, void *item)) insert_after;
+	this->public.replace = (status_t (*) (iterator_t*, void **, void *)) replace;
+	this->public.remove = (status_t (*) (iterator_t*)) remove_;
+	this->public.reset = (void (*) (iterator_t*)) iterator_reset;
+	this->public.destroy = (void (*) (iterator_t*)) iterator_destroy;
+	
+	this->forward = forward;
+	this->current = NULL;
+	this->list = linked_list;
+	this->mutex = NULL;
+	this->hook = iterator_hook;
+	
+	return &this->public;
+}
+
+/**
+ * Implementation of linked_list_t.create_iterator_locked.
+ */
+static iterator_t *create_iterator_locked(private_linked_list_t *linked_list,
+										  pthread_mutex_t *mutex)
+{
+	private_iterator_t *this = (private_iterator_t*)create_iterator(linked_list, TRUE);
+	this->mutex = mutex;
+	
+	pthread_mutex_lock(mutex);
+	
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+linked_list_t *linked_list_create()
+{
+	private_linked_list_t *this = malloc_thing(private_linked_list_t);
+
+	this->public.get_count = (int (*) (linked_list_t *)) get_count;
+	this->public.create_iterator = (iterator_t * (*) (linked_list_t *,bool))create_iterator;
+	this->public.create_iterator_locked = (iterator_t * (*) (linked_list_t *,pthread_mutex_t*))create_iterator_locked;
+	this->public.get_first = (status_t (*) (linked_list_t *, void **item))get_first;
+	this->public.get_last = (status_t (*) (linked_list_t *, void **item))get_last;
+	this->public.insert_first = (void (*) (linked_list_t *, void *item))insert_first;
+	this->public.insert_last = (void (*) (linked_list_t *, void *item))insert_last;
+	this->public.remove_first = (status_t (*) (linked_list_t *, void **item))remove_first;
+	this->public.remove_last = (status_t (*) (linked_list_t *, void **item))remove_last;
+	this->public.insert_at_position = (status_t (*) (linked_list_t *,size_t, void *))insert_at_position;
+	this->public.remove_at_position = (status_t (*) (linked_list_t *,size_t, void **))remove_at_position;
+	this->public.get_at_position = (status_t (*) (linked_list_t *,size_t, void **))get_at_position;
+	this->public.invoke = (void (*)(linked_list_t*,size_t))invoke;
+	this->public.destroy = (void (*) (linked_list_t *))destroy;
+	this->public.destroy_offset = (void (*) (linked_list_t *,size_t))destroy_offset;
+	this->public.destroy_function = (void (*)(linked_list_t*,void(*)(void*)))destroy_function;
+
+	this->count = 0;
+	this->first = NULL;
+	this->last = NULL;
+
+	return &this->public;
+}
diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/utils/linked_list.h
new file mode 100644
index 000000000..58bcbbdaa
--- /dev/null
+++ b/src/libstrongswan/utils/linked_list.h
@@ -0,0 +1,232 @@
+/**
+ * @file linked_list.h
+ * 
+ * @brief Interface of linked_list_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef LINKED_LIST_H_
+#define LINKED_LIST_H_
+
+typedef struct linked_list_t linked_list_t;
+
+#include <pthread.h>
+
+#include <library.h>
+#include <utils/iterator.h>
+
+/**
+ * @brief Class implementing a double linked list.
+ *
+ * General purpose linked list. This list is not synchronized.
+ *
+ * @b Costructors:
+ * - linked_list_create()
+ *
+ * @ingroup utils
+ */
+struct linked_list_t {
+
+	/**
+	 * @brief Gets the count of items in the list.
+	 * 
+	 * @param this 		calling object
+	 * @return 			number of items in list
+	 */
+	int (*get_count) (linked_list_t *this);
+	
+	/**
+	 * @brief Creates a iterator for the given list.
+	 * 
+	 * @warning Created iterator_t object has to get destroyed by the caller.
+	 * 
+	 * @param this 		calling object
+	 * @param forward 	iterator direction (TRUE: front to end)
+	 * @return			new iterator_t object
+	 */
+	iterator_t *(*create_iterator) (linked_list_t *this, bool forward);
+	
+	/**
+	 * @brief Creates a iterator, locking a mutex.
+	 *
+	 * The supplied mutex is acquired immediately, and released
+	 * when the iterator gets destroyed.
+	 * 
+	 * @param this	 	calling object
+	 * @param mutex 	mutex to use for exclusive access
+	 * @return			new iterator_t object
+	 */
+	iterator_t *(*create_iterator_locked) (linked_list_t *this,
+										   pthread_mutex_t *mutex);
+
+	/**
+	 * @brief Inserts a new item at the beginning of the list.
+	 *
+	 * @param this 		calling object
+	 * @param[in] item	item value to insert in list
+	 */
+	void (*insert_first) (linked_list_t *this, void *item);
+
+	/**
+	 * @brief Removes the first item in the list and returns its value.
+	 * 
+	 * @param this 		calling object
+	 * @param[out] item returned value of first item, or NULL
+	 * @return
+	 * 					- SUCCESS
+	 * 					- NOT_FOUND, if list is empty
+	 */
+	status_t (*remove_first) (linked_list_t *this, void **item);
+
+	/**
+	 * @brief Returns the value of the first list item without removing it.
+	 * 
+	 * @param this	 	calling object
+	 * @param[out] item	returned value of first item
+	 * @return
+	 * 					- SUCCESS
+	 * 					- NOT_FOUND, if list is empty
+	 */
+	status_t (*get_first) (linked_list_t *this, void **item);
+
+	/**
+	 * @brief Inserts a new item at the end of the list.
+	 * 
+	 * @param this 		calling object
+	 * @param[in] item 	value to insert into list
+	 */
+	void (*insert_last) (linked_list_t *this, void *item);
+	
+	/**
+	 * @brief Inserts a new item at a given position in the list.
+	 * 
+	 * @param this		calling object
+	 * @param position	position starting at 0 to insert new entry
+	 * @param[in] item	value to insert into list
+	 * @return
+	 * 					- SUCCESS
+	 * 					- INVALID_ARG if position not existing
+	 */
+	status_t (*insert_at_position) (linked_list_t *this,size_t position, void *item);
+	
+	/**
+	 * @brief Removes an item from a given position in the list.
+	 * 
+	 * @param this	 	calling object
+	 * @param position	position starting at 0 to remove entry from
+	 * @param[out] item removed item will be stored at this location
+	 * @return
+	 * 						- SUCCESS
+	 * 						- INVALID_ARG if position not existing
+	 */
+	status_t (*remove_at_position) (linked_list_t *this, size_t position, void **item);
+
+	/**
+	 * @brief Get an item from a given position in the list.
+	 * 
+	 * @param this	 	calling object
+	 * @param position	position starting at 0 to get entry from
+	 * @param[out] item	item will be stored at this location
+	 * @return
+	 * 						- SUCCESS
+	 * 						- INVALID_ARG if position not existing
+	 */
+	status_t (*get_at_position) (linked_list_t *this, size_t position, void **item);
+
+	/**
+	 * @brief Removes the last item in the list and returns its value.
+	 * 
+	 * @param this	 	calling object
+	 * @param[out] item	returned value of last item, or NULL
+	 * @return
+	 * 						- SUCCESS
+	 * 						- NOT_FOUND if list is empty
+	 */
+	status_t (*remove_last) (linked_list_t *this, void **item);
+
+	/**
+	 * @brief Returns the value of the last list item without removing it.
+	 * 
+	 * @param this 		calling object
+	 * @param[out] item	returned value of last item
+	 * @return
+	 * 					- SUCCESS
+	 * 					- NOT_FOUND if list is empty
+	 */
+	status_t (*get_last) (linked_list_t *this, void **item);
+	
+	/**
+	 * @brief Invoke a method on all of the contained objects.
+	 *
+	 * If a linked list contains objects with function pointers,
+	 * invoke() can call a method on each of the objects. The
+	 * method is specified by an offset of the function pointer,
+	 * which can be evalutated at compile time using the offsetof
+	 * macro, e.g.: list->invoke(list, offsetof(object_t, method));
+	 * 
+	 * @param this 		calling object
+	 * @param offset	offset of the method to invoke on objects
+	 */
+	void (*invoke) (linked_list_t *this, size_t offset);
+	
+	/**
+	 * @brief Destroys a linked_list object.
+	 * 
+	 * @param this		calling object
+	 */
+	void (*destroy) (linked_list_t *this);
+	
+	/**
+	 * @brief Destroys a list and its objects using the destructor.
+	 *
+	 * If a linked list and the contained objects should be destroyed, use
+	 * destroy_offset. The supplied offset specifies the destructor to
+	 * call on each object. The offset may be calculated using the offsetof
+	 * macro, e.g.: list->destroy_offset(list, offsetof(object_t, destroy));
+	 *
+	 * @param this	 	calling object
+	 * @param offset	offset of the objects destructor
+	 */
+	void (*destroy_offset) (linked_list_t *this, size_t offset);
+	
+	/**
+	 * @brief Destroys a list and its contents using a a cleanup function.
+	 * 
+	 * If a linked list and its contents should get destroyed using a specific
+	 * cleanup function, use destroy_function. This is useful when the
+	 * list contains malloc()-ed blocks which should get freed,
+	 * e.g.: list->destroy_function(list, free);
+	 *
+	 * @param this 		calling object
+	 * @param function	function to call on each object
+	 */
+	void (*destroy_function) (linked_list_t *this, void (*)(void*));
+};
+
+/**
+ * @brief Creates an empty linked list object.
+ * 
+ * @return 		linked_list_t object.
+ * 
+ * @ingroup utils
+ */
+linked_list_t *linked_list_create(void);
+
+
+#endif /*LINKED_LIST_H_*/
diff --git a/src/libstrongswan/utils/randomizer.c b/src/libstrongswan/utils/randomizer.c
new file mode 100644
index 000000000..c15d108c7
--- /dev/null
+++ b/src/libstrongswan/utils/randomizer.c
@@ -0,0 +1,165 @@
+/**
+ * @file randomizer.c
+ * 
+ * @brief Implementation of randomizer_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include "randomizer.h"
+
+
+typedef struct private_randomizer_t private_randomizer_t;
+
+/**
+ * Private data of an randomizer_t object.
+ */
+struct private_randomizer_t {
+
+	/**
+	 * Public randomizer_t interface.
+	 */
+	randomizer_t public;
+	
+	/**
+	 * @brief Reads a specific number of bytes from random or pseudo random device.
+	 * 
+	 * @param this					calling object
+	 * @param pseudo_random			TRUE, if from pseudo random bytes should be read,
+	 * 								FALSE for true random bytes
+	 * @param bytes					number of bytes to read
+	 * @param[out] buffer			pointer to buffer where to write the data in.
+	 * 								Size of buffer has to be at least bytes.
+	 */
+	status_t (*get_bytes_from_device) (private_randomizer_t *this,bool pseudo_random, size_t bytes, u_int8_t *buffer);
+};
+
+
+/**
+ * Implementation of private_randomizer_t.get_bytes_from_device.
+ */
+static status_t get_bytes_from_device(private_randomizer_t *this,bool pseudo_random, size_t bytes, u_int8_t *buffer)
+{
+	size_t ndone;
+	int device;
+	size_t got;
+	char * device_name;
+
+	device_name = pseudo_random ? DEV_URANDOM : DEV_RANDOM;
+
+	device = open(device_name, 0);
+	if (device < 0) {
+		return FAILED;
+	}
+	ndone = 0;
+	
+	/* read until nbytes are read */
+	while (ndone < bytes)
+	{
+		got = read(device, buffer + ndone, bytes - ndone);
+		if (got <= 0) {
+			close(device);
+			return FAILED;
+		}
+		ndone += got;
+	}
+	close(device);
+	return SUCCESS;
+}
+
+/**
+ * Implementation of randomizer_t.get_random_bytes.
+ */
+static status_t get_random_bytes(private_randomizer_t *this,size_t bytes, u_int8_t *buffer)
+{
+	return this->get_bytes_from_device(this, FALSE, bytes, buffer);
+}
+
+/**
+ * Implementation of randomizer_t.allocate_random_bytes.
+ */
+static status_t allocate_random_bytes(private_randomizer_t *this, size_t bytes, chunk_t *chunk)
+{
+	status_t status;
+	chunk->len = bytes;
+	chunk->ptr = malloc(bytes);
+	status = this->get_bytes_from_device(this, FALSE, bytes, chunk->ptr);
+	if (status != SUCCESS)
+	{
+		free(chunk->ptr);
+	}
+	return status;
+}
+
+/**
+ * Implementation of randomizer_t.get_pseudo_random_bytes.
+ */
+static status_t get_pseudo_random_bytes(private_randomizer_t *this,size_t bytes, u_int8_t *buffer)
+{
+	return (this->get_bytes_from_device(this, TRUE, bytes, buffer));
+}
+
+/**
+ * Implementation of randomizer_t.allocate_pseudo_random_bytes.
+ */
+static status_t allocate_pseudo_random_bytes(private_randomizer_t *this, size_t bytes, chunk_t *chunk)
+{
+	status_t status;
+	chunk->len = bytes;
+	chunk->ptr = malloc(bytes);
+	status = this->get_bytes_from_device(this, TRUE, bytes, chunk->ptr);
+	if (status != SUCCESS)
+	{
+		free(chunk->ptr);
+	}
+	return status;
+}
+
+/**
+ * Implementation of randomizer_t.destroy.
+ */
+static void destroy(private_randomizer_t *this)
+{
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+randomizer_t *randomizer_create(void)
+{
+	private_randomizer_t *this = malloc_thing(private_randomizer_t);
+
+	/* public functions */
+	this->public.get_random_bytes = (status_t (*) (randomizer_t *,size_t, u_int8_t *)) get_random_bytes;
+	this->public.allocate_random_bytes = (status_t (*) (randomizer_t *,size_t, chunk_t *)) allocate_random_bytes;
+	this->public.get_pseudo_random_bytes = (status_t (*) (randomizer_t *,size_t, u_int8_t *)) get_pseudo_random_bytes;
+	this->public.allocate_pseudo_random_bytes = (status_t (*) (randomizer_t *,size_t, chunk_t *)) allocate_pseudo_random_bytes;
+	this->public.destroy = (void (*) (randomizer_t *))destroy;
+	
+	/* private functions */
+	this->get_bytes_from_device = get_bytes_from_device;
+	
+	return &(this->public);
+}
diff --git a/src/libstrongswan/utils/randomizer.h b/src/libstrongswan/utils/randomizer.h
new file mode 100644
index 000000000..afbade059
--- /dev/null
+++ b/src/libstrongswan/utils/randomizer.h
@@ -0,0 +1,114 @@
+/**
+ * @file randomizer.h
+ * 
+ * @brief Interface of randomizer_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef RANDOMIZER_H_
+#define RANDOMIZER_H_
+
+typedef struct randomizer_t randomizer_t;
+
+#include <library.h>
+
+#ifndef DEV_RANDOM
+/**
+ * Device to read real random bytes
+ */
+# define DEV_RANDOM "/dev/random"
+#endif
+
+#ifndef DEV_URANDOM
+/**
+ * Device to read pseudo random bytes
+ */
+# define DEV_URANDOM "/dev/urandom"
+#endif
+
+/**
+ * @brief Class used to get random and pseudo random values.
+ * 
+ * @b Constructors:
+ *  - randomizer_create()
+ * 
+ * @ingroup utils
+ */
+struct randomizer_t {
+	
+	/**
+	 * @brief Reads a specific number of bytes from random device.
+	 * 
+	 * @param this 					calling randomizer_t object
+	 * @param bytes					number of bytes to read
+	 * @param[out] buffer			pointer to buffer where to write the data in.
+	 * 								Size of buffer has to be at least bytes.
+	 * @return						SUCCESS, or FAILED
+	 */
+	status_t (*get_random_bytes) (randomizer_t *this, size_t bytes, u_int8_t *buffer);
+	
+	/**
+	 * @brief Allocates space and writes in random bytes.
+	 * 
+	 * @param this 					calling randomizer_t object
+	 * @param bytes					number of bytes to allocate
+	 * @param[out] chunk			chunk which will hold the allocated random bytes
+	 * @return						SUCCESS, or FAILED
+	 */	
+	status_t (*allocate_random_bytes) (randomizer_t *this, size_t bytes, chunk_t *chunk);
+	
+	/**
+	 * @brief Reads a specific number of bytes from pseudo random device.
+	 * 
+	 * @param this 					calling randomizer_t object
+	 * @param bytes					number of bytes to read
+	 * @param[out] buffer			pointer to buffer where to write the data in.
+	 * 								size of buffer has to be at least bytes.
+	 * @return						SUCCESS, or FAILED
+	 */
+	status_t (*get_pseudo_random_bytes) (randomizer_t *this,size_t bytes, u_int8_t *buffer);
+	
+	/**
+	 * @brief Allocates space and writes in pseudo random bytes.
+	 * 
+	 * @param this 					calling randomizer_t object
+	 * @param bytes					number of bytes to allocate
+	 * @param[out] chunk			chunk which will hold the allocated random bytes
+	 * @return						SUCCESS, or FAILED
+	 */	
+	status_t (*allocate_pseudo_random_bytes) (randomizer_t *this, size_t bytes, chunk_t *chunk);
+
+	/**
+	 * @brief Destroys a randomizer_t object.
+	 *
+	 * @param this 	randomizer_t object to destroy
+	 */
+	void (*destroy) (randomizer_t *this);
+};
+
+/**
+ * @brief Creates a randomizer_t object.
+ * 
+ * @return	created randomizer_t, or
+ * 
+ * @ingroup utils
+ */
+randomizer_t *randomizer_create(void);
+
+#endif /*RANDOMIZER_H_*/