- Import new upstream release 4.1.8.

author: Rene Mayrhofer <rene@mayrhofer.eu.org> 2007-10-26 14:24:26 +0000
committer: Rene Mayrhofer <rene@mayrhofer.eu.org> 2007-10-26 14:24:26 +0000
commit: 3168dc628f034e03bb4fab16e8a00da59a5c86e1 (patch)
tree: 663da4d1badc1373ec59d9bdc39f893af0cc8a75 /src/libstrongswan
parent: 1a144d57c8f2f08513b747078d185db688637859 (diff)
download: vyos-strongswan-3168dc628f034e03bb4fab16e8a00da59a5c86e1.tar.gz
vyos-strongswan-3168dc628f034e03bb4fab16e8a00da59a5c86e1.zip
50 files changed, 4491 insertions, 1448 deletions
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 292abc0a4..e8859ad4c 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -1,6 +1,14 @@
 lib_LTLIBRARIES = libstrongswan.la
 
-libstrongswan_la_SOURCES = \
+if USE_INTEGRITY_TEST
+  libstrongswan_la_SOURCES = \
+  fips/fips_canister_start.c \
+  fips/fips.c fips/fips.h
+else
+  libstrongswan_la_SOURCES =
+endif
+
+libstrongswan_la_SOURCES += \
 credential_store.h \
 library.c library.h \
 chunk.c chunk.h \
@@ -16,15 +24,17 @@ crypto/ca.c crypto/ca.h \
 crypto/certinfo.c crypto/certinfo.h \
 crypto/crl.c crypto/crl.h \
 crypto/crypters/crypter.c crypto/crypters/crypter.h \
-crypto/crypters/aes_cbc_crypter.c  crypto/crypters/aes_cbc_crypter.h\
-crypto/crypters/des_crypter.c  crypto/crypters/des_crypter.h\
+crypto/crypters/aes_cbc_crypter.c crypto/crypters/aes_cbc_crypter.h \
+crypto/crypters/des_crypter.c crypto/crypters/des_crypter.h \
 crypto/diffie_hellman.c crypto/diffie_hellman.h \
 crypto/hashers/hasher.h crypto/hashers/hasher.c \
 crypto/hashers/sha1_hasher.c crypto/hashers/sha1_hasher.h \
 crypto/hashers/sha2_hasher.c crypto/hashers/sha2_hasher.h \
 crypto/hashers/md5_hasher.c  crypto/hashers/md5_hasher.h \
 crypto/hmac.c crypto/hmac.h \
+crypto/ietf_attr_list.c crypto/ietf_attr_list.h \
 crypto/ocsp.c crypto/ocsp.h \
+crypto/pkcs7.c crypto/pkcs7.h \
 crypto/prfs/fips_prf.c crypto/prfs/fips_prf.h \
 crypto/prfs/hmac_prf.c crypto/prfs/hmac_prf.h \
 crypto/prfs/prf.c crypto/prfs/prf.h \
@@ -41,14 +51,18 @@ utils/iterator.h \
 utils/leak_detective.c utils/leak_detective.h \
 utils/lexparser.c utils/lexparser.h \
 utils/linked_list.c utils/linked_list.h \
+utils/enumerator.c utils/enumerator.h \
+utils/optionsfrom.c utils/optionsfrom.h \
 utils/randomizer.c utils/randomizer.h
 
+if USE_INTEGRITY_TEST
+  libstrongswan_la_SOURCES += \
+  fips/fips_canister_end.c
+endif
+
 libstrongswan_la_LIBADD = -lgmp -lpthread
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
-EXTRA_DIST = asn1/oid.txt asn1/oid.pl
-BUILT_SOURCES = asn1/oid.c asn1/oid.h
-MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h
 
 if USE_LEAK_DETECTIVE
   libstrongswan_la_LIBADD += -ldl
@@ -63,8 +77,26 @@ if USE_LIBLDAP
   libstrongswan_la_LIBADD += -lldap -llber
 endif
 
+EXTRA_DIST = asn1/oid.txt asn1/oid.pl
+BUILT_SOURCES = asn1/oid.c asn1/oid.h
+MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h
+
 asn1/oid.c :	asn1/oid.txt asn1/oid.pl
 		cd asn1 && $(PERL) oid.pl
 
 asn1/oid.h :	asn1/oid.txt asn1/oid.pl
 		cd asn1 && $(PERL) oid.pl
+
+if USE_INTEGRITY_TEST
+# build fips_signer which in turn builds fips_signature.h
+#########################################################
+noinst_PROGRAMS = fips_signer
+fips_signer_SOURCES = fips/fips_signer.c
+fips_signer_LDADD = libstrongswan.la
+
+BUILT_SOURCES += fips_signature.h
+CLEANFILES = fips_signature.h fips_signer
+
+fips_signature.h : fips_signer
+		   ./fips_signer
+endif
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index f1144144e..75d3dddd4 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# Makefile.in generated by automake 1.10 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -14,15 +14,12 @@
 
 @SET_MAKE@
 
-srcdir = @srcdir@
-top_srcdir = @top_srcdir@
+
 VPATH = @srcdir@
 pkgdatadir = $(datadir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
-top_builddir = ../..
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = @INSTALL@
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -39,6 +36,8 @@ host_triplet = @host@
 @USE_LEAK_DETECTIVE_TRUE@am__append_1 = -ldl
 @USE_LIBCURL_TRUE@am__append_2 = -lcurl
 @USE_LIBLDAP_TRUE@am__append_3 = -lldap -llber
+@USE_INTEGRITY_TEST_TRUE@noinst_PROGRAMS = fips_signer$(EXEEXT)
+@USE_INTEGRITY_TEST_TRUE@am__append_4 = fips_signature.h
 subdir = src/libstrongswan
 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -59,43 +58,106 @@ LTLIBRARIES = $(lib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
-	printf_hook.lo asn1.lo oid.lo pem.lo ttodata.lo ac.lo ca.lo \
-	certinfo.lo crl.lo crypter.lo aes_cbc_crypter.lo \
-	des_crypter.lo diffie_hellman.lo hasher.lo sha1_hasher.lo \
-	sha2_hasher.lo md5_hasher.lo hmac.lo ocsp.lo fips_prf.lo \
-	hmac_prf.lo prf.lo prf_plus.lo rsa_private_key.lo \
-	rsa_public_key.lo hmac_signer.lo signer.lo x509.lo fetcher.lo \
-	host.lo identification.lo leak_detective.lo lexparser.lo \
-	linked_list.lo randomizer.lo
+am__libstrongswan_la_SOURCES_DIST = credential_store.h library.c \
+	library.h chunk.c chunk.h debug.c debug.h enum.c enum.h \
+	printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h asn1/oid.c \
+	asn1/oid.h asn1/pem.c asn1/pem.h asn1/ttodata.c asn1/ttodata.h \
+	crypto/ac.c crypto/ac.h crypto/ca.c crypto/ca.h \
+	crypto/certinfo.c crypto/certinfo.h crypto/crl.c crypto/crl.h \
+	crypto/crypters/crypter.c crypto/crypters/crypter.h \
+	crypto/crypters/aes_cbc_crypter.c \
+	crypto/crypters/aes_cbc_crypter.h \
+	crypto/crypters/des_crypter.c crypto/crypters/des_crypter.h \
+	crypto/diffie_hellman.c crypto/diffie_hellman.h \
+	crypto/hashers/hasher.h crypto/hashers/hasher.c \
+	crypto/hashers/sha1_hasher.c crypto/hashers/sha1_hasher.h \
+	crypto/hashers/sha2_hasher.c crypto/hashers/sha2_hasher.h \
+	crypto/hashers/md5_hasher.c crypto/hashers/md5_hasher.h \
+	crypto/hmac.c crypto/hmac.h crypto/ietf_attr_list.c \
+	crypto/ietf_attr_list.h crypto/ocsp.c crypto/ocsp.h \
+	crypto/pkcs7.c crypto/pkcs7.h crypto/prfs/fips_prf.c \
+	crypto/prfs/fips_prf.h crypto/prfs/hmac_prf.c \
+	crypto/prfs/hmac_prf.h crypto/prfs/prf.c crypto/prfs/prf.h \
+	crypto/prf_plus.h crypto/prf_plus.c \
+	crypto/rsa/rsa_private_key.c crypto/rsa/rsa_private_key.h \
+	crypto/rsa/rsa_public_key.h crypto/rsa/rsa_public_key.c \
+	crypto/signers/hmac_signer.c crypto/signers/hmac_signer.h \
+	crypto/signers/signer.c crypto/signers/signer.h crypto/x509.c \
+	crypto/x509.h utils/fetcher.c utils/fetcher.h utils/host.c \
+	utils/host.h utils/identification.c utils/identification.h \
+	utils/iterator.h utils/leak_detective.c utils/leak_detective.h \
+	utils/lexparser.c utils/lexparser.h utils/linked_list.c \
+	utils/linked_list.h utils/enumerator.c utils/enumerator.h \
+	utils/optionsfrom.c utils/optionsfrom.h utils/randomizer.c \
+	utils/randomizer.h fips/fips_canister_start.c fips/fips.c \
+	fips/fips.h fips/fips_canister_end.c
+@USE_INTEGRITY_TEST_FALSE@am_libstrongswan_la_OBJECTS = library.lo \
+@USE_INTEGRITY_TEST_FALSE@	chunk.lo debug.lo enum.lo \
+@USE_INTEGRITY_TEST_FALSE@	printf_hook.lo asn1.lo oid.lo pem.lo \
+@USE_INTEGRITY_TEST_FALSE@	ttodata.lo ac.lo ca.lo certinfo.lo \
+@USE_INTEGRITY_TEST_FALSE@	crl.lo crypter.lo aes_cbc_crypter.lo \
+@USE_INTEGRITY_TEST_FALSE@	des_crypter.lo diffie_hellman.lo \
+@USE_INTEGRITY_TEST_FALSE@	hasher.lo sha1_hasher.lo \
+@USE_INTEGRITY_TEST_FALSE@	sha2_hasher.lo md5_hasher.lo hmac.lo \
+@USE_INTEGRITY_TEST_FALSE@	ietf_attr_list.lo ocsp.lo pkcs7.lo \
+@USE_INTEGRITY_TEST_FALSE@	fips_prf.lo hmac_prf.lo prf.lo \
+@USE_INTEGRITY_TEST_FALSE@	prf_plus.lo rsa_private_key.lo \
+@USE_INTEGRITY_TEST_FALSE@	rsa_public_key.lo hmac_signer.lo \
+@USE_INTEGRITY_TEST_FALSE@	signer.lo x509.lo fetcher.lo host.lo \
+@USE_INTEGRITY_TEST_FALSE@	identification.lo leak_detective.lo \
+@USE_INTEGRITY_TEST_FALSE@	lexparser.lo linked_list.lo \
+@USE_INTEGRITY_TEST_FALSE@	enumerator.lo optionsfrom.lo \
+@USE_INTEGRITY_TEST_FALSE@	randomizer.lo
+@USE_INTEGRITY_TEST_TRUE@am_libstrongswan_la_OBJECTS =  \
+@USE_INTEGRITY_TEST_TRUE@	fips_canister_start.lo fips.lo \
+@USE_INTEGRITY_TEST_TRUE@	library.lo chunk.lo debug.lo enum.lo \
+@USE_INTEGRITY_TEST_TRUE@	printf_hook.lo asn1.lo oid.lo pem.lo \
+@USE_INTEGRITY_TEST_TRUE@	ttodata.lo ac.lo ca.lo certinfo.lo \
+@USE_INTEGRITY_TEST_TRUE@	crl.lo crypter.lo aes_cbc_crypter.lo \
+@USE_INTEGRITY_TEST_TRUE@	des_crypter.lo diffie_hellman.lo \
+@USE_INTEGRITY_TEST_TRUE@	hasher.lo sha1_hasher.lo \
+@USE_INTEGRITY_TEST_TRUE@	sha2_hasher.lo md5_hasher.lo hmac.lo \
+@USE_INTEGRITY_TEST_TRUE@	ietf_attr_list.lo ocsp.lo pkcs7.lo \
+@USE_INTEGRITY_TEST_TRUE@	fips_prf.lo hmac_prf.lo prf.lo \
+@USE_INTEGRITY_TEST_TRUE@	prf_plus.lo rsa_private_key.lo \
+@USE_INTEGRITY_TEST_TRUE@	rsa_public_key.lo hmac_signer.lo \
+@USE_INTEGRITY_TEST_TRUE@	signer.lo x509.lo fetcher.lo host.lo \
+@USE_INTEGRITY_TEST_TRUE@	identification.lo leak_detective.lo \
+@USE_INTEGRITY_TEST_TRUE@	lexparser.lo linked_list.lo \
+@USE_INTEGRITY_TEST_TRUE@	enumerator.lo optionsfrom.lo \
+@USE_INTEGRITY_TEST_TRUE@	randomizer.lo fips_canister_end.lo
 libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
-DEFAULT_INCLUDES = -I. -I$(srcdir)
+PROGRAMS = $(noinst_PROGRAMS)
+am__fips_signer_SOURCES_DIST = fips/fips_signer.c
+@USE_INTEGRITY_TEST_TRUE@am_fips_signer_OBJECTS =  \
+@USE_INTEGRITY_TEST_TRUE@	fips_signer.$(OBJEXT)
+fips_signer_OBJECTS = $(am_fips_signer_OBJECTS)
+@USE_INTEGRITY_TEST_TRUE@fips_signer_DEPENDENCIES = libstrongswan.la
+DEFAULT_INCLUDES = -I.@am__isrc@
 depcomp = $(SHELL) $(top_srcdir)/depcomp
 am__depfiles_maybe = depfiles
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
 	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-SOURCES = $(libstrongswan_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_la_SOURCES)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_la_SOURCES) $(fips_signer_SOURCES)
+DIST_SOURCES = $(am__libstrongswan_la_SOURCES_DIST) \
+	$(am__fips_signer_SOURCES_DIST)
 ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
-AMDEP_FALSE = @AMDEP_FALSE@
-AMDEP_TRUE = @AMDEP_TRUE@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
-BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
-BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -118,10 +180,13 @@ F77 = @F77@
 FFLAGS = @FFLAGS@
 GPERF = @GPERF@
 GREP = @GREP@
+INSTALL = @INSTALL@
 INSTALL_DATA = @INSTALL_DATA@
 INSTALL_PROGRAM = @INSTALL_PROGRAM@
 INSTALL_SCRIPT = @INSTALL_SCRIPT@
 INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
 LDFLAGS = @LDFLAGS@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
@@ -133,6 +198,7 @@ LINUX_HEADERS = @LINUX_HEADERS@
 LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
@@ -148,34 +214,16 @@ SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 STRIP = @STRIP@
-USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
-USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
-USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
-USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
-USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
-USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
-USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@
-USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@
-USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
-USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
-USE_LIBXML_FALSE = @USE_LIBXML_FALSE@
-USE_LIBXML_TRUE = @USE_LIBXML_TRUE@
-USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
-USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
-USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
-USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
-USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
-USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
 VERSION = @VERSION@
 YACC = @YACC@
 YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_CXX = @ac_ct_CXX@
 ac_ct_F77 = @ac_ct_F77@
-am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
-am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
-am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
-am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -188,6 +236,7 @@ build_alias = @build_alias@
 build_cpu = @build_cpu@
 build_os = @build_os@
 build_vendor = @build_vendor@
+builddir = @builddir@
 confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
@@ -225,61 +274,149 @@ program_transform_name = @program_transform_name@
 psdir = @psdir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
 lib_LTLIBRARIES = libstrongswan.la
-libstrongswan_la_SOURCES = \
-credential_store.h \
-library.c library.h \
-chunk.c chunk.h \
-debug.c debug.h \
-enum.c enum.h \
-printf_hook.c printf_hook.h \
-asn1/asn1.c asn1/asn1.h \
-asn1/oid.c asn1/oid.h \
-asn1/pem.c asn1/pem.h \
-asn1/ttodata.c asn1/ttodata.h \
-crypto/ac.c crypto/ac.h \
-crypto/ca.c crypto/ca.h \
-crypto/certinfo.c crypto/certinfo.h \
-crypto/crl.c crypto/crl.h \
-crypto/crypters/crypter.c crypto/crypters/crypter.h \
-crypto/crypters/aes_cbc_crypter.c  crypto/crypters/aes_cbc_crypter.h\
-crypto/crypters/des_crypter.c  crypto/crypters/des_crypter.h\
-crypto/diffie_hellman.c crypto/diffie_hellman.h \
-crypto/hashers/hasher.h crypto/hashers/hasher.c \
-crypto/hashers/sha1_hasher.c crypto/hashers/sha1_hasher.h \
-crypto/hashers/sha2_hasher.c crypto/hashers/sha2_hasher.h \
-crypto/hashers/md5_hasher.c  crypto/hashers/md5_hasher.h \
-crypto/hmac.c crypto/hmac.h \
-crypto/ocsp.c crypto/ocsp.h \
-crypto/prfs/fips_prf.c crypto/prfs/fips_prf.h \
-crypto/prfs/hmac_prf.c crypto/prfs/hmac_prf.h \
-crypto/prfs/prf.c crypto/prfs/prf.h \
-crypto/prf_plus.h crypto/prf_plus.c \
-crypto/rsa/rsa_private_key.c crypto/rsa/rsa_private_key.h \
-crypto/rsa/rsa_public_key.h  crypto/rsa/rsa_public_key.c \
-crypto/signers/hmac_signer.c crypto/signers/hmac_signer.h \
-crypto/signers/signer.c crypto/signers/signer.h \
-crypto/x509.c crypto/x509.h \
-utils/fetcher.c utils/fetcher.h \
-utils/host.c utils/host.h \
-utils/identification.c utils/identification.h \
-utils/iterator.h \
-utils/leak_detective.c utils/leak_detective.h \
-utils/lexparser.c utils/lexparser.h \
-utils/linked_list.c utils/linked_list.h \
-utils/randomizer.c utils/randomizer.h
-
+@USE_INTEGRITY_TEST_FALSE@libstrongswan_la_SOURCES =  \
+@USE_INTEGRITY_TEST_FALSE@	credential_store.h library.c \
+@USE_INTEGRITY_TEST_FALSE@	library.h chunk.c chunk.h debug.c \
+@USE_INTEGRITY_TEST_FALSE@	debug.h enum.c enum.h printf_hook.c \
+@USE_INTEGRITY_TEST_FALSE@	printf_hook.h asn1/asn1.c \
+@USE_INTEGRITY_TEST_FALSE@	asn1/asn1.h asn1/oid.c asn1/oid.h \
+@USE_INTEGRITY_TEST_FALSE@	asn1/pem.c asn1/pem.h asn1/ttodata.c \
+@USE_INTEGRITY_TEST_FALSE@	asn1/ttodata.h crypto/ac.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/ac.h crypto/ca.c crypto/ca.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/certinfo.c crypto/certinfo.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/crl.c crypto/crl.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/crypters/crypter.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/crypters/crypter.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/crypters/aes_cbc_crypter.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/crypters/aes_cbc_crypter.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/crypters/des_crypter.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/crypters/des_crypter.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/diffie_hellman.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/diffie_hellman.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/hashers/hasher.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/hashers/hasher.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/hashers/sha1_hasher.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/hashers/sha1_hasher.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/hashers/sha2_hasher.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/hashers/sha2_hasher.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/hashers/md5_hasher.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/hashers/md5_hasher.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/hmac.c crypto/hmac.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/ietf_attr_list.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/ietf_attr_list.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/ocsp.c crypto/ocsp.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/pkcs7.c crypto/pkcs7.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/prfs/fips_prf.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/prfs/fips_prf.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/prfs/hmac_prf.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/prfs/hmac_prf.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/prfs/prf.c crypto/prfs/prf.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/prf_plus.h crypto/prf_plus.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/rsa/rsa_private_key.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/rsa/rsa_private_key.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/rsa/rsa_public_key.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/rsa/rsa_public_key.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/signers/hmac_signer.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/signers/hmac_signer.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/signers/signer.c \
+@USE_INTEGRITY_TEST_FALSE@	crypto/signers/signer.h \
+@USE_INTEGRITY_TEST_FALSE@	crypto/x509.c crypto/x509.h \
+@USE_INTEGRITY_TEST_FALSE@	utils/fetcher.c utils/fetcher.h \
+@USE_INTEGRITY_TEST_FALSE@	utils/host.c utils/host.h \
+@USE_INTEGRITY_TEST_FALSE@	utils/identification.c \
+@USE_INTEGRITY_TEST_FALSE@	utils/identification.h \
+@USE_INTEGRITY_TEST_FALSE@	utils/iterator.h \
+@USE_INTEGRITY_TEST_FALSE@	utils/leak_detective.c \
+@USE_INTEGRITY_TEST_FALSE@	utils/leak_detective.h \
+@USE_INTEGRITY_TEST_FALSE@	utils/lexparser.c utils/lexparser.h \
+@USE_INTEGRITY_TEST_FALSE@	utils/linked_list.c \
+@USE_INTEGRITY_TEST_FALSE@	utils/linked_list.h \
+@USE_INTEGRITY_TEST_FALSE@	utils/enumerator.c \
+@USE_INTEGRITY_TEST_FALSE@	utils/enumerator.h \
+@USE_INTEGRITY_TEST_FALSE@	utils/optionsfrom.c \
+@USE_INTEGRITY_TEST_FALSE@	utils/optionsfrom.h \
+@USE_INTEGRITY_TEST_FALSE@	utils/randomizer.c \
+@USE_INTEGRITY_TEST_FALSE@	utils/randomizer.h
+@USE_INTEGRITY_TEST_TRUE@libstrongswan_la_SOURCES =  \
+@USE_INTEGRITY_TEST_TRUE@	fips/fips_canister_start.c \
+@USE_INTEGRITY_TEST_TRUE@	fips/fips.c fips/fips.h \
+@USE_INTEGRITY_TEST_TRUE@	credential_store.h library.c \
+@USE_INTEGRITY_TEST_TRUE@	library.h chunk.c chunk.h debug.c \
+@USE_INTEGRITY_TEST_TRUE@	debug.h enum.c enum.h printf_hook.c \
+@USE_INTEGRITY_TEST_TRUE@	printf_hook.h asn1/asn1.c asn1/asn1.h \
+@USE_INTEGRITY_TEST_TRUE@	asn1/oid.c asn1/oid.h asn1/pem.c \
+@USE_INTEGRITY_TEST_TRUE@	asn1/pem.h asn1/ttodata.c \
+@USE_INTEGRITY_TEST_TRUE@	asn1/ttodata.h crypto/ac.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/ac.h crypto/ca.c crypto/ca.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/certinfo.c crypto/certinfo.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/crl.c crypto/crl.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/crypters/crypter.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/crypters/crypter.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/crypters/aes_cbc_crypter.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/crypters/aes_cbc_crypter.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/crypters/des_crypter.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/crypters/des_crypter.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/diffie_hellman.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/diffie_hellman.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/hashers/hasher.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/hashers/hasher.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/hashers/sha1_hasher.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/hashers/sha1_hasher.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/hashers/sha2_hasher.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/hashers/sha2_hasher.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/hashers/md5_hasher.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/hashers/md5_hasher.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/hmac.c crypto/hmac.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/ietf_attr_list.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/ietf_attr_list.h crypto/ocsp.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/ocsp.h crypto/pkcs7.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/pkcs7.h crypto/prfs/fips_prf.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/prfs/fips_prf.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/prfs/hmac_prf.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/prfs/hmac_prf.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/prfs/prf.c crypto/prfs/prf.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/prf_plus.h crypto/prf_plus.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/rsa/rsa_private_key.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/rsa/rsa_private_key.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/rsa/rsa_public_key.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/rsa/rsa_public_key.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/signers/hmac_signer.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/signers/hmac_signer.h \
+@USE_INTEGRITY_TEST_TRUE@	crypto/signers/signer.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/signers/signer.h crypto/x509.c \
+@USE_INTEGRITY_TEST_TRUE@	crypto/x509.h utils/fetcher.c \
+@USE_INTEGRITY_TEST_TRUE@	utils/fetcher.h utils/host.c \
+@USE_INTEGRITY_TEST_TRUE@	utils/host.h utils/identification.c \
+@USE_INTEGRITY_TEST_TRUE@	utils/identification.h \
+@USE_INTEGRITY_TEST_TRUE@	utils/iterator.h \
+@USE_INTEGRITY_TEST_TRUE@	utils/leak_detective.c \
+@USE_INTEGRITY_TEST_TRUE@	utils/leak_detective.h \
+@USE_INTEGRITY_TEST_TRUE@	utils/lexparser.c utils/lexparser.h \
+@USE_INTEGRITY_TEST_TRUE@	utils/linked_list.c \
+@USE_INTEGRITY_TEST_TRUE@	utils/linked_list.h \
+@USE_INTEGRITY_TEST_TRUE@	utils/enumerator.c utils/enumerator.h \
+@USE_INTEGRITY_TEST_TRUE@	utils/optionsfrom.c \
+@USE_INTEGRITY_TEST_TRUE@	utils/optionsfrom.h \
+@USE_INTEGRITY_TEST_TRUE@	utils/randomizer.c utils/randomizer.h \
+@USE_INTEGRITY_TEST_TRUE@	fips/fips_canister_end.c
 libstrongswan_la_LIBADD = -lgmp -lpthread $(am__append_1) \
 	$(am__append_2) $(am__append_3)
 INCLUDES = -I$(top_srcdir)/src/libstrongswan
+@USE_LEAK_DETECTIVE_TRUE@AM_CFLAGS = -DLEAK_DETECTIVE
 EXTRA_DIST = asn1/oid.txt asn1/oid.pl
-BUILT_SOURCES = asn1/oid.c asn1/oid.h
+BUILT_SOURCES = asn1/oid.c asn1/oid.h $(am__append_4)
 MAINTAINERCLEANFILES = asn1/oid.c asn1/oid.h
-@USE_LEAK_DETECTIVE_TRUE@AM_CFLAGS = -DLEAK_DETECTIVE
+@USE_INTEGRITY_TEST_TRUE@fips_signer_SOURCES = fips/fips_signer.c
+@USE_INTEGRITY_TEST_TRUE@fips_signer_LDADD = libstrongswan.la
+@USE_INTEGRITY_TEST_TRUE@CLEANFILES = fips_signature.h fips_signer
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-am
 
@@ -316,7 +453,7 @@ $(ACLOCAL_M4):  $(am__aclocal_m4_deps)
 	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
 install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 	@$(NORMAL_INSTALL)
-	test -z "$(libdir)" || $(mkdir_p) "$(DESTDIR)$(libdir)"
+	test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
 	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  if test -f $$p; then \
 	    f=$(am__strip_dir) \
@@ -327,7 +464,7 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES)
 
 uninstall-libLTLIBRARIES:
 	@$(NORMAL_UNINSTALL)
-	@set -x; list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+	@list='$(lib_LTLIBRARIES)'; for p in $$list; do \
 	  p=$(am__strip_dir) \
 	  echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
 	  $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
@@ -342,7 +479,17 @@ clean-libLTLIBRARIES:
 	  rm -f "$${dir}/so_locations"; \
 	done
 libstrongswan.la: $(libstrongswan_la_OBJECTS) $(libstrongswan_la_DEPENDENCIES) 
-	$(LINK) -rpath $(libdir) $(libstrongswan_la_LDFLAGS) $(libstrongswan_la_OBJECTS) $(libstrongswan_la_LIBADD) $(LIBS)
+	$(LINK) -rpath $(libdir) $(libstrongswan_la_OBJECTS) $(libstrongswan_la_LIBADD) $(LIBS)
+
+clean-noinstPROGRAMS:
+	@list='$(noinst_PROGRAMS)'; for p in $$list; do \
+	  f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+	  echo " rm -f $$p $$f"; \
+	  rm -f $$p $$f ; \
+	done
+fips_signer$(EXEEXT): $(fips_signer_OBJECTS) $(fips_signer_DEPENDENCIES) 
+	@rm -f fips_signer$(EXEEXT)
+	$(LINK) $(fips_signer_OBJECTS) $(fips_signer_LDADD) $(LIBS)
 
 mostlyclean-compile:
 	-rm -f *.$(OBJEXT)
@@ -362,14 +509,20 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/des_crypter.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/diffie_hellman.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enum.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enumerator.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_end.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_start.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_signer.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_prf.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac_signer.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attr_list.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@
@@ -377,7 +530,9 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5_hasher.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optionsfrom.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf_plus.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/printf_hook.Plo@am__quote@
@@ -391,263 +546,326 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Plo@am__quote@
 
 .c.o:
-@am__fastdepCC_TRUE@	if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c $<
 
 .c.obj:
-@am__fastdepCC_TRUE@	if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
 
 .c.lo:
-@am__fastdepCC_TRUE@	if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
 
 asn1.lo: asn1/asn1.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1.lo -MD -MP -MF "$(DEPDIR)/asn1.Tpo" -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/asn1.Tpo" "$(DEPDIR)/asn1.Plo"; else rm -f "$(DEPDIR)/asn1.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT asn1.lo -MD -MP -MF $(DEPDIR)/asn1.Tpo -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/asn1.Tpo $(DEPDIR)/asn1.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='asn1/asn1.c' object='asn1.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o asn1.lo `test -f 'asn1/asn1.c' || echo '$(srcdir)/'`asn1/asn1.c
 
 oid.lo: asn1/oid.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT oid.lo -MD -MP -MF "$(DEPDIR)/oid.Tpo" -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/oid.Tpo" "$(DEPDIR)/oid.Plo"; else rm -f "$(DEPDIR)/oid.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT oid.lo -MD -MP -MF $(DEPDIR)/oid.Tpo -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/oid.Tpo $(DEPDIR)/oid.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='asn1/oid.c' object='oid.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o oid.lo `test -f 'asn1/oid.c' || echo '$(srcdir)/'`asn1/oid.c
 
 pem.lo: asn1/pem.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pem.lo -MD -MP -MF "$(DEPDIR)/pem.Tpo" -c -o pem.lo `test -f 'asn1/pem.c' || echo '$(srcdir)/'`asn1/pem.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/pem.Tpo" "$(DEPDIR)/pem.Plo"; else rm -f "$(DEPDIR)/pem.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pem.lo -MD -MP -MF $(DEPDIR)/pem.Tpo -c -o pem.lo `test -f 'asn1/pem.c' || echo '$(srcdir)/'`asn1/pem.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/pem.Tpo $(DEPDIR)/pem.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='asn1/pem.c' object='pem.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pem.lo `test -f 'asn1/pem.c' || echo '$(srcdir)/'`asn1/pem.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pem.lo `test -f 'asn1/pem.c' || echo '$(srcdir)/'`asn1/pem.c
 
 ttodata.lo: asn1/ttodata.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ttodata.lo -MD -MP -MF "$(DEPDIR)/ttodata.Tpo" -c -o ttodata.lo `test -f 'asn1/ttodata.c' || echo '$(srcdir)/'`asn1/ttodata.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/ttodata.Tpo" "$(DEPDIR)/ttodata.Plo"; else rm -f "$(DEPDIR)/ttodata.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ttodata.lo -MD -MP -MF $(DEPDIR)/ttodata.Tpo -c -o ttodata.lo `test -f 'asn1/ttodata.c' || echo '$(srcdir)/'`asn1/ttodata.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ttodata.Tpo $(DEPDIR)/ttodata.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='asn1/ttodata.c' object='ttodata.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ttodata.lo `test -f 'asn1/ttodata.c' || echo '$(srcdir)/'`asn1/ttodata.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ttodata.lo `test -f 'asn1/ttodata.c' || echo '$(srcdir)/'`asn1/ttodata.c
 
 ac.lo: crypto/ac.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ac.lo -MD -MP -MF "$(DEPDIR)/ac.Tpo" -c -o ac.lo `test -f 'crypto/ac.c' || echo '$(srcdir)/'`crypto/ac.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/ac.Tpo" "$(DEPDIR)/ac.Plo"; else rm -f "$(DEPDIR)/ac.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ac.lo -MD -MP -MF $(DEPDIR)/ac.Tpo -c -o ac.lo `test -f 'crypto/ac.c' || echo '$(srcdir)/'`crypto/ac.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ac.Tpo $(DEPDIR)/ac.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/ac.c' object='ac.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ac.lo `test -f 'crypto/ac.c' || echo '$(srcdir)/'`crypto/ac.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ac.lo `test -f 'crypto/ac.c' || echo '$(srcdir)/'`crypto/ac.c
 
 ca.lo: crypto/ca.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ca.lo -MD -MP -MF "$(DEPDIR)/ca.Tpo" -c -o ca.lo `test -f 'crypto/ca.c' || echo '$(srcdir)/'`crypto/ca.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/ca.Tpo" "$(DEPDIR)/ca.Plo"; else rm -f "$(DEPDIR)/ca.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ca.lo -MD -MP -MF $(DEPDIR)/ca.Tpo -c -o ca.lo `test -f 'crypto/ca.c' || echo '$(srcdir)/'`crypto/ca.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ca.Tpo $(DEPDIR)/ca.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/ca.c' object='ca.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ca.lo `test -f 'crypto/ca.c' || echo '$(srcdir)/'`crypto/ca.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ca.lo `test -f 'crypto/ca.c' || echo '$(srcdir)/'`crypto/ca.c
 
 certinfo.lo: crypto/certinfo.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certinfo.lo -MD -MP -MF "$(DEPDIR)/certinfo.Tpo" -c -o certinfo.lo `test -f 'crypto/certinfo.c' || echo '$(srcdir)/'`crypto/certinfo.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/certinfo.Tpo" "$(DEPDIR)/certinfo.Plo"; else rm -f "$(DEPDIR)/certinfo.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT certinfo.lo -MD -MP -MF $(DEPDIR)/certinfo.Tpo -c -o certinfo.lo `test -f 'crypto/certinfo.c' || echo '$(srcdir)/'`crypto/certinfo.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/certinfo.Tpo $(DEPDIR)/certinfo.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/certinfo.c' object='certinfo.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certinfo.lo `test -f 'crypto/certinfo.c' || echo '$(srcdir)/'`crypto/certinfo.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certinfo.lo `test -f 'crypto/certinfo.c' || echo '$(srcdir)/'`crypto/certinfo.c
 
 crl.lo: crypto/crl.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF "$(DEPDIR)/crl.Tpo" -c -o crl.lo `test -f 'crypto/crl.c' || echo '$(srcdir)/'`crypto/crl.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/crl.Tpo" "$(DEPDIR)/crl.Plo"; else rm -f "$(DEPDIR)/crl.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF $(DEPDIR)/crl.Tpo -c -o crl.lo `test -f 'crypto/crl.c' || echo '$(srcdir)/'`crypto/crl.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/crl.Tpo $(DEPDIR)/crl.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crl.c' object='crl.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crl.lo `test -f 'crypto/crl.c' || echo '$(srcdir)/'`crypto/crl.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crl.lo `test -f 'crypto/crl.c' || echo '$(srcdir)/'`crypto/crl.c
 
 crypter.lo: crypto/crypters/crypter.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypter.lo -MD -MP -MF "$(DEPDIR)/crypter.Tpo" -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/crypter.Tpo" "$(DEPDIR)/crypter.Plo"; else rm -f "$(DEPDIR)/crypter.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypter.lo -MD -MP -MF $(DEPDIR)/crypter.Tpo -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/crypter.Tpo $(DEPDIR)/crypter.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypters/crypter.c' object='crypter.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypter.lo `test -f 'crypto/crypters/crypter.c' || echo '$(srcdir)/'`crypto/crypters/crypter.c
 
 aes_cbc_crypter.lo: crypto/crypters/aes_cbc_crypter.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc_crypter.lo -MD -MP -MF "$(DEPDIR)/aes_cbc_crypter.Tpo" -c -o aes_cbc_crypter.lo `test -f 'crypto/crypters/aes_cbc_crypter.c' || echo '$(srcdir)/'`crypto/crypters/aes_cbc_crypter.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/aes_cbc_crypter.Tpo" "$(DEPDIR)/aes_cbc_crypter.Plo"; else rm -f "$(DEPDIR)/aes_cbc_crypter.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT aes_cbc_crypter.lo -MD -MP -MF $(DEPDIR)/aes_cbc_crypter.Tpo -c -o aes_cbc_crypter.lo `test -f 'crypto/crypters/aes_cbc_crypter.c' || echo '$(srcdir)/'`crypto/crypters/aes_cbc_crypter.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/aes_cbc_crypter.Tpo $(DEPDIR)/aes_cbc_crypter.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypters/aes_cbc_crypter.c' object='aes_cbc_crypter.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc_crypter.lo `test -f 'crypto/crypters/aes_cbc_crypter.c' || echo '$(srcdir)/'`crypto/crypters/aes_cbc_crypter.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o aes_cbc_crypter.lo `test -f 'crypto/crypters/aes_cbc_crypter.c' || echo '$(srcdir)/'`crypto/crypters/aes_cbc_crypter.c
 
 des_crypter.lo: crypto/crypters/des_crypter.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_crypter.lo -MD -MP -MF "$(DEPDIR)/des_crypter.Tpo" -c -o des_crypter.lo `test -f 'crypto/crypters/des_crypter.c' || echo '$(srcdir)/'`crypto/crypters/des_crypter.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/des_crypter.Tpo" "$(DEPDIR)/des_crypter.Plo"; else rm -f "$(DEPDIR)/des_crypter.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT des_crypter.lo -MD -MP -MF $(DEPDIR)/des_crypter.Tpo -c -o des_crypter.lo `test -f 'crypto/crypters/des_crypter.c' || echo '$(srcdir)/'`crypto/crypters/des_crypter.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/des_crypter.Tpo $(DEPDIR)/des_crypter.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/crypters/des_crypter.c' object='des_crypter.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_crypter.lo `test -f 'crypto/crypters/des_crypter.c' || echo '$(srcdir)/'`crypto/crypters/des_crypter.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o des_crypter.lo `test -f 'crypto/crypters/des_crypter.c' || echo '$(srcdir)/'`crypto/crypters/des_crypter.c
 
 diffie_hellman.lo: crypto/diffie_hellman.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT diffie_hellman.lo -MD -MP -MF "$(DEPDIR)/diffie_hellman.Tpo" -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/diffie_hellman.Tpo" "$(DEPDIR)/diffie_hellman.Plo"; else rm -f "$(DEPDIR)/diffie_hellman.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT diffie_hellman.lo -MD -MP -MF $(DEPDIR)/diffie_hellman.Tpo -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/diffie_hellman.Tpo $(DEPDIR)/diffie_hellman.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/diffie_hellman.c' object='diffie_hellman.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o diffie_hellman.lo `test -f 'crypto/diffie_hellman.c' || echo '$(srcdir)/'`crypto/diffie_hellman.c
 
 hasher.lo: crypto/hashers/hasher.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hasher.lo -MD -MP -MF "$(DEPDIR)/hasher.Tpo" -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/hasher.Tpo" "$(DEPDIR)/hasher.Plo"; else rm -f "$(DEPDIR)/hasher.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hasher.lo -MD -MP -MF $(DEPDIR)/hasher.Tpo -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/hasher.Tpo $(DEPDIR)/hasher.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/hashers/hasher.c' object='hasher.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hasher.lo `test -f 'crypto/hashers/hasher.c' || echo '$(srcdir)/'`crypto/hashers/hasher.c
 
 sha1_hasher.lo: crypto/hashers/sha1_hasher.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1_hasher.lo -MD -MP -MF "$(DEPDIR)/sha1_hasher.Tpo" -c -o sha1_hasher.lo `test -f 'crypto/hashers/sha1_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha1_hasher.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/sha1_hasher.Tpo" "$(DEPDIR)/sha1_hasher.Plo"; else rm -f "$(DEPDIR)/sha1_hasher.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha1_hasher.lo -MD -MP -MF $(DEPDIR)/sha1_hasher.Tpo -c -o sha1_hasher.lo `test -f 'crypto/hashers/sha1_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha1_hasher.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sha1_hasher.Tpo $(DEPDIR)/sha1_hasher.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/hashers/sha1_hasher.c' object='sha1_hasher.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1_hasher.lo `test -f 'crypto/hashers/sha1_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha1_hasher.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha1_hasher.lo `test -f 'crypto/hashers/sha1_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha1_hasher.c
 
 sha2_hasher.lo: crypto/hashers/sha2_hasher.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2_hasher.lo -MD -MP -MF "$(DEPDIR)/sha2_hasher.Tpo" -c -o sha2_hasher.lo `test -f 'crypto/hashers/sha2_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha2_hasher.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/sha2_hasher.Tpo" "$(DEPDIR)/sha2_hasher.Plo"; else rm -f "$(DEPDIR)/sha2_hasher.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2_hasher.lo -MD -MP -MF $(DEPDIR)/sha2_hasher.Tpo -c -o sha2_hasher.lo `test -f 'crypto/hashers/sha2_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha2_hasher.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/sha2_hasher.Tpo $(DEPDIR)/sha2_hasher.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/hashers/sha2_hasher.c' object='sha2_hasher.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2_hasher.lo `test -f 'crypto/hashers/sha2_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha2_hasher.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2_hasher.lo `test -f 'crypto/hashers/sha2_hasher.c' || echo '$(srcdir)/'`crypto/hashers/sha2_hasher.c
 
 md5_hasher.lo: crypto/hashers/md5_hasher.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5_hasher.lo -MD -MP -MF "$(DEPDIR)/md5_hasher.Tpo" -c -o md5_hasher.lo `test -f 'crypto/hashers/md5_hasher.c' || echo '$(srcdir)/'`crypto/hashers/md5_hasher.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/md5_hasher.Tpo" "$(DEPDIR)/md5_hasher.Plo"; else rm -f "$(DEPDIR)/md5_hasher.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT md5_hasher.lo -MD -MP -MF $(DEPDIR)/md5_hasher.Tpo -c -o md5_hasher.lo `test -f 'crypto/hashers/md5_hasher.c' || echo '$(srcdir)/'`crypto/hashers/md5_hasher.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/md5_hasher.Tpo $(DEPDIR)/md5_hasher.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/hashers/md5_hasher.c' object='md5_hasher.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5_hasher.lo `test -f 'crypto/hashers/md5_hasher.c' || echo '$(srcdir)/'`crypto/hashers/md5_hasher.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o md5_hasher.lo `test -f 'crypto/hashers/md5_hasher.c' || echo '$(srcdir)/'`crypto/hashers/md5_hasher.c
 
 hmac.lo: crypto/hmac.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac.lo -MD -MP -MF "$(DEPDIR)/hmac.Tpo" -c -o hmac.lo `test -f 'crypto/hmac.c' || echo '$(srcdir)/'`crypto/hmac.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/hmac.Tpo" "$(DEPDIR)/hmac.Plo"; else rm -f "$(DEPDIR)/hmac.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac.lo -MD -MP -MF $(DEPDIR)/hmac.Tpo -c -o hmac.lo `test -f 'crypto/hmac.c' || echo '$(srcdir)/'`crypto/hmac.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/hmac.Tpo $(DEPDIR)/hmac.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/hmac.c' object='hmac.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac.lo `test -f 'crypto/hmac.c' || echo '$(srcdir)/'`crypto/hmac.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac.lo `test -f 'crypto/hmac.c' || echo '$(srcdir)/'`crypto/hmac.c
+
+ietf_attr_list.lo: crypto/ietf_attr_list.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ietf_attr_list.lo -MD -MP -MF $(DEPDIR)/ietf_attr_list.Tpo -c -o ietf_attr_list.lo `test -f 'crypto/ietf_attr_list.c' || echo '$(srcdir)/'`crypto/ietf_attr_list.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ietf_attr_list.Tpo $(DEPDIR)/ietf_attr_list.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/ietf_attr_list.c' object='ietf_attr_list.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attr_list.lo `test -f 'crypto/ietf_attr_list.c' || echo '$(srcdir)/'`crypto/ietf_attr_list.c
 
 ocsp.lo: crypto/ocsp.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp.lo -MD -MP -MF "$(DEPDIR)/ocsp.Tpo" -c -o ocsp.lo `test -f 'crypto/ocsp.c' || echo '$(srcdir)/'`crypto/ocsp.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/ocsp.Tpo" "$(DEPDIR)/ocsp.Plo"; else rm -f "$(DEPDIR)/ocsp.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp.lo -MD -MP -MF $(DEPDIR)/ocsp.Tpo -c -o ocsp.lo `test -f 'crypto/ocsp.c' || echo '$(srcdir)/'`crypto/ocsp.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/ocsp.Tpo $(DEPDIR)/ocsp.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/ocsp.c' object='ocsp.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp.lo `test -f 'crypto/ocsp.c' || echo '$(srcdir)/'`crypto/ocsp.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp.lo `test -f 'crypto/ocsp.c' || echo '$(srcdir)/'`crypto/ocsp.c
+
+pkcs7.lo: crypto/pkcs7.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs7.lo -MD -MP -MF $(DEPDIR)/pkcs7.Tpo -c -o pkcs7.lo `test -f 'crypto/pkcs7.c' || echo '$(srcdir)/'`crypto/pkcs7.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/pkcs7.Tpo $(DEPDIR)/pkcs7.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/pkcs7.c' object='pkcs7.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.lo `test -f 'crypto/pkcs7.c' || echo '$(srcdir)/'`crypto/pkcs7.c
 
 fips_prf.lo: crypto/prfs/fips_prf.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_prf.lo -MD -MP -MF "$(DEPDIR)/fips_prf.Tpo" -c -o fips_prf.lo `test -f 'crypto/prfs/fips_prf.c' || echo '$(srcdir)/'`crypto/prfs/fips_prf.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/fips_prf.Tpo" "$(DEPDIR)/fips_prf.Plo"; else rm -f "$(DEPDIR)/fips_prf.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_prf.lo -MD -MP -MF $(DEPDIR)/fips_prf.Tpo -c -o fips_prf.lo `test -f 'crypto/prfs/fips_prf.c' || echo '$(srcdir)/'`crypto/prfs/fips_prf.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fips_prf.Tpo $(DEPDIR)/fips_prf.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/prfs/fips_prf.c' object='fips_prf.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_prf.lo `test -f 'crypto/prfs/fips_prf.c' || echo '$(srcdir)/'`crypto/prfs/fips_prf.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_prf.lo `test -f 'crypto/prfs/fips_prf.c' || echo '$(srcdir)/'`crypto/prfs/fips_prf.c
 
 hmac_prf.lo: crypto/prfs/hmac_prf.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac_prf.lo -MD -MP -MF "$(DEPDIR)/hmac_prf.Tpo" -c -o hmac_prf.lo `test -f 'crypto/prfs/hmac_prf.c' || echo '$(srcdir)/'`crypto/prfs/hmac_prf.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/hmac_prf.Tpo" "$(DEPDIR)/hmac_prf.Plo"; else rm -f "$(DEPDIR)/hmac_prf.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac_prf.lo -MD -MP -MF $(DEPDIR)/hmac_prf.Tpo -c -o hmac_prf.lo `test -f 'crypto/prfs/hmac_prf.c' || echo '$(srcdir)/'`crypto/prfs/hmac_prf.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/hmac_prf.Tpo $(DEPDIR)/hmac_prf.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/prfs/hmac_prf.c' object='hmac_prf.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac_prf.lo `test -f 'crypto/prfs/hmac_prf.c' || echo '$(srcdir)/'`crypto/prfs/hmac_prf.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac_prf.lo `test -f 'crypto/prfs/hmac_prf.c' || echo '$(srcdir)/'`crypto/prfs/hmac_prf.c
 
 prf.lo: crypto/prfs/prf.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf.lo -MD -MP -MF "$(DEPDIR)/prf.Tpo" -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/prf.Tpo" "$(DEPDIR)/prf.Plo"; else rm -f "$(DEPDIR)/prf.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf.lo -MD -MP -MF $(DEPDIR)/prf.Tpo -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/prf.Tpo $(DEPDIR)/prf.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/prfs/prf.c' object='prf.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf.lo `test -f 'crypto/prfs/prf.c' || echo '$(srcdir)/'`crypto/prfs/prf.c
 
 prf_plus.lo: crypto/prf_plus.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf_plus.lo -MD -MP -MF "$(DEPDIR)/prf_plus.Tpo" -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/prf_plus.Tpo" "$(DEPDIR)/prf_plus.Plo"; else rm -f "$(DEPDIR)/prf_plus.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT prf_plus.lo -MD -MP -MF $(DEPDIR)/prf_plus.Tpo -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/prf_plus.Tpo $(DEPDIR)/prf_plus.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/prf_plus.c' object='prf_plus.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o prf_plus.lo `test -f 'crypto/prf_plus.c' || echo '$(srcdir)/'`crypto/prf_plus.c
 
 rsa_private_key.lo: crypto/rsa/rsa_private_key.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_private_key.lo -MD -MP -MF "$(DEPDIR)/rsa_private_key.Tpo" -c -o rsa_private_key.lo `test -f 'crypto/rsa/rsa_private_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_private_key.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/rsa_private_key.Tpo" "$(DEPDIR)/rsa_private_key.Plo"; else rm -f "$(DEPDIR)/rsa_private_key.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_private_key.lo -MD -MP -MF $(DEPDIR)/rsa_private_key.Tpo -c -o rsa_private_key.lo `test -f 'crypto/rsa/rsa_private_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_private_key.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/rsa_private_key.Tpo $(DEPDIR)/rsa_private_key.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/rsa/rsa_private_key.c' object='rsa_private_key.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_private_key.lo `test -f 'crypto/rsa/rsa_private_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_private_key.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_private_key.lo `test -f 'crypto/rsa/rsa_private_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_private_key.c
 
 rsa_public_key.lo: crypto/rsa/rsa_public_key.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_public_key.lo -MD -MP -MF "$(DEPDIR)/rsa_public_key.Tpo" -c -o rsa_public_key.lo `test -f 'crypto/rsa/rsa_public_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_public_key.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/rsa_public_key.Tpo" "$(DEPDIR)/rsa_public_key.Plo"; else rm -f "$(DEPDIR)/rsa_public_key.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rsa_public_key.lo -MD -MP -MF $(DEPDIR)/rsa_public_key.Tpo -c -o rsa_public_key.lo `test -f 'crypto/rsa/rsa_public_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_public_key.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/rsa_public_key.Tpo $(DEPDIR)/rsa_public_key.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/rsa/rsa_public_key.c' object='rsa_public_key.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_public_key.lo `test -f 'crypto/rsa/rsa_public_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_public_key.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rsa_public_key.lo `test -f 'crypto/rsa/rsa_public_key.c' || echo '$(srcdir)/'`crypto/rsa/rsa_public_key.c
 
 hmac_signer.lo: crypto/signers/hmac_signer.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac_signer.lo -MD -MP -MF "$(DEPDIR)/hmac_signer.Tpo" -c -o hmac_signer.lo `test -f 'crypto/signers/hmac_signer.c' || echo '$(srcdir)/'`crypto/signers/hmac_signer.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/hmac_signer.Tpo" "$(DEPDIR)/hmac_signer.Plo"; else rm -f "$(DEPDIR)/hmac_signer.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT hmac_signer.lo -MD -MP -MF $(DEPDIR)/hmac_signer.Tpo -c -o hmac_signer.lo `test -f 'crypto/signers/hmac_signer.c' || echo '$(srcdir)/'`crypto/signers/hmac_signer.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/hmac_signer.Tpo $(DEPDIR)/hmac_signer.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/signers/hmac_signer.c' object='hmac_signer.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac_signer.lo `test -f 'crypto/signers/hmac_signer.c' || echo '$(srcdir)/'`crypto/signers/hmac_signer.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o hmac_signer.lo `test -f 'crypto/signers/hmac_signer.c' || echo '$(srcdir)/'`crypto/signers/hmac_signer.c
 
 signer.lo: crypto/signers/signer.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signer.lo -MD -MP -MF "$(DEPDIR)/signer.Tpo" -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/signer.Tpo" "$(DEPDIR)/signer.Plo"; else rm -f "$(DEPDIR)/signer.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signer.lo -MD -MP -MF $(DEPDIR)/signer.Tpo -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/signer.Tpo $(DEPDIR)/signer.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/signers/signer.c' object='signer.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signer.lo `test -f 'crypto/signers/signer.c' || echo '$(srcdir)/'`crypto/signers/signer.c
 
 x509.lo: crypto/x509.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509.lo -MD -MP -MF "$(DEPDIR)/x509.Tpo" -c -o x509.lo `test -f 'crypto/x509.c' || echo '$(srcdir)/'`crypto/x509.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/x509.Tpo" "$(DEPDIR)/x509.Plo"; else rm -f "$(DEPDIR)/x509.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509.lo -MD -MP -MF $(DEPDIR)/x509.Tpo -c -o x509.lo `test -f 'crypto/x509.c' || echo '$(srcdir)/'`crypto/x509.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/x509.Tpo $(DEPDIR)/x509.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='crypto/x509.c' object='x509.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509.lo `test -f 'crypto/x509.c' || echo '$(srcdir)/'`crypto/x509.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509.lo `test -f 'crypto/x509.c' || echo '$(srcdir)/'`crypto/x509.c
 
 fetcher.lo: utils/fetcher.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher.lo -MD -MP -MF "$(DEPDIR)/fetcher.Tpo" -c -o fetcher.lo `test -f 'utils/fetcher.c' || echo '$(srcdir)/'`utils/fetcher.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/fetcher.Tpo" "$(DEPDIR)/fetcher.Plo"; else rm -f "$(DEPDIR)/fetcher.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fetcher.lo -MD -MP -MF $(DEPDIR)/fetcher.Tpo -c -o fetcher.lo `test -f 'utils/fetcher.c' || echo '$(srcdir)/'`utils/fetcher.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fetcher.Tpo $(DEPDIR)/fetcher.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/fetcher.c' object='fetcher.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher.lo `test -f 'utils/fetcher.c' || echo '$(srcdir)/'`utils/fetcher.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fetcher.lo `test -f 'utils/fetcher.c' || echo '$(srcdir)/'`utils/fetcher.c
 
 host.lo: utils/host.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF "$(DEPDIR)/host.Tpo" -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/host.Tpo" "$(DEPDIR)/host.Plo"; else rm -f "$(DEPDIR)/host.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT host.lo -MD -MP -MF $(DEPDIR)/host.Tpo -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/host.Tpo $(DEPDIR)/host.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/host.c' object='host.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o host.lo `test -f 'utils/host.c' || echo '$(srcdir)/'`utils/host.c
 
 identification.lo: utils/identification.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT identification.lo -MD -MP -MF "$(DEPDIR)/identification.Tpo" -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/identification.Tpo" "$(DEPDIR)/identification.Plo"; else rm -f "$(DEPDIR)/identification.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT identification.lo -MD -MP -MF $(DEPDIR)/identification.Tpo -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/identification.Tpo $(DEPDIR)/identification.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/identification.c' object='identification.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o identification.lo `test -f 'utils/identification.c' || echo '$(srcdir)/'`utils/identification.c
 
 leak_detective.lo: utils/leak_detective.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF "$(DEPDIR)/leak_detective.Tpo" -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/leak_detective.Tpo" "$(DEPDIR)/leak_detective.Plo"; else rm -f "$(DEPDIR)/leak_detective.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT leak_detective.lo -MD -MP -MF $(DEPDIR)/leak_detective.Tpo -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/leak_detective.Tpo $(DEPDIR)/leak_detective.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/leak_detective.c' object='leak_detective.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
 
 lexparser.lo: utils/lexparser.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lexparser.lo -MD -MP -MF "$(DEPDIR)/lexparser.Tpo" -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/lexparser.Tpo" "$(DEPDIR)/lexparser.Plo"; else rm -f "$(DEPDIR)/lexparser.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lexparser.lo -MD -MP -MF $(DEPDIR)/lexparser.Tpo -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/lexparser.Tpo $(DEPDIR)/lexparser.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/lexparser.c' object='lexparser.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lexparser.lo `test -f 'utils/lexparser.c' || echo '$(srcdir)/'`utils/lexparser.c
 
 linked_list.lo: utils/linked_list.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF "$(DEPDIR)/linked_list.Tpo" -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/linked_list.Tpo" "$(DEPDIR)/linked_list.Plo"; else rm -f "$(DEPDIR)/linked_list.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT linked_list.lo -MD -MP -MF $(DEPDIR)/linked_list.Tpo -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/linked_list.Tpo $(DEPDIR)/linked_list.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/linked_list.c' object='linked_list.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o linked_list.lo `test -f 'utils/linked_list.c' || echo '$(srcdir)/'`utils/linked_list.c
+
+enumerator.lo: utils/enumerator.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT enumerator.lo -MD -MP -MF $(DEPDIR)/enumerator.Tpo -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/enumerator.Tpo $(DEPDIR)/enumerator.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/enumerator.c' object='enumerator.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o enumerator.lo `test -f 'utils/enumerator.c' || echo '$(srcdir)/'`utils/enumerator.c
+
+optionsfrom.lo: utils/optionsfrom.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT optionsfrom.lo -MD -MP -MF $(DEPDIR)/optionsfrom.Tpo -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/optionsfrom.Tpo $(DEPDIR)/optionsfrom.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/optionsfrom.c' object='optionsfrom.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o optionsfrom.lo `test -f 'utils/optionsfrom.c' || echo '$(srcdir)/'`utils/optionsfrom.c
 
 randomizer.lo: utils/randomizer.c
-@am__fastdepCC_TRUE@	if $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT randomizer.lo -MD -MP -MF "$(DEPDIR)/randomizer.Tpo" -c -o randomizer.lo `test -f 'utils/randomizer.c' || echo '$(srcdir)/'`utils/randomizer.c; \
-@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/randomizer.Tpo" "$(DEPDIR)/randomizer.Plo"; else rm -f "$(DEPDIR)/randomizer.Tpo"; exit 1; fi
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT randomizer.lo -MD -MP -MF $(DEPDIR)/randomizer.Tpo -c -o randomizer.lo `test -f 'utils/randomizer.c' || echo '$(srcdir)/'`utils/randomizer.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/randomizer.Tpo $(DEPDIR)/randomizer.Plo
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	source='utils/randomizer.c' object='randomizer.lo' libtool=yes @AMDEPBACKSLASH@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o randomizer.lo `test -f 'utils/randomizer.c' || echo '$(srcdir)/'`utils/randomizer.c
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o randomizer.lo `test -f 'utils/randomizer.c' || echo '$(srcdir)/'`utils/randomizer.c
+
+fips_canister_start.lo: fips/fips_canister_start.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_start.lo -MD -MP -MF $(DEPDIR)/fips_canister_start.Tpo -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fips_canister_start.Tpo $(DEPDIR)/fips_canister_start.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fips/fips_canister_start.c' object='fips_canister_start.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c
+
+fips.lo: fips/fips.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips.lo -MD -MP -MF $(DEPDIR)/fips.Tpo -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fips.Tpo $(DEPDIR)/fips.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fips/fips.c' object='fips.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c
+
+fips_canister_end.lo: fips/fips_canister_end.c
+@am__fastdepCC_TRUE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_end.lo -MD -MP -MF $(DEPDIR)/fips_canister_end.Tpo -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fips_canister_end.Tpo $(DEPDIR)/fips_canister_end.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fips/fips_canister_end.c' object='fips_canister_end.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c
+
+fips_signer.o: fips/fips_signer.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_signer.o -MD -MP -MF $(DEPDIR)/fips_signer.Tpo -c -o fips_signer.o `test -f 'fips/fips_signer.c' || echo '$(srcdir)/'`fips/fips_signer.c
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fips_signer.Tpo $(DEPDIR)/fips_signer.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fips/fips_signer.c' object='fips_signer.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_signer.o `test -f 'fips/fips_signer.c' || echo '$(srcdir)/'`fips/fips_signer.c
+
+fips_signer.obj: fips/fips_signer.c
+@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_signer.obj -MD -MP -MF $(DEPDIR)/fips_signer.Tpo -c -o fips_signer.obj `if test -f 'fips/fips_signer.c'; then $(CYGPATH_W) 'fips/fips_signer.c'; else $(CYGPATH_W) '$(srcdir)/fips/fips_signer.c'; fi`
+@am__fastdepCC_TRUE@	mv -f $(DEPDIR)/fips_signer.Tpo $(DEPDIR)/fips_signer.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='fips/fips_signer.c' object='fips_signer.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_signer.obj `if test -f 'fips/fips_signer.c'; then $(CYGPATH_W) 'fips/fips_signer.c'; else $(CYGPATH_W) '$(srcdir)/fips/fips_signer.c'; fi`
 
 mostlyclean-libtool:
 	-rm -f *.lo
@@ -655,10 +873,6 @@ mostlyclean-libtool:
 clean-libtool:
 	-rm -rf .libs _libs
 
-distclean-libtool:
-	-rm -f libtool
-uninstall-info-am:
-
 ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
@@ -708,23 +922,21 @@ distclean-tags:
 	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
 
 distdir: $(DISTFILES)
-	$(mkdir_p) $(distdir)/asn1
-	@srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
-	list='$(DISTFILES)'; for file in $$list; do \
-	  case $$file in \
-	    $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
-	    $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
-	  esac; \
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
 	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
-	  if test "$$dir" != "$$file" && test "$$dir" != "."; then \
-	    dir="/$$dir"; \
-	    $(mkdir_p) "$(distdir)$$dir"; \
-	  else \
-	    dir=''; \
-	  fi; \
 	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
 	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
 	      cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
 	    fi; \
@@ -738,10 +950,10 @@ distdir: $(DISTFILES)
 check-am: all-am
 check: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) check-am
-all-am: Makefile $(LTLIBRARIES)
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
 installdirs:
 	for dir in "$(DESTDIR)$(libdir)"; do \
-	  test -z "$$dir" || $(mkdir_p) "$$dir"; \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
 install: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) install-am
@@ -761,6 +973,7 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
 
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -773,13 +986,13 @@ maintainer-clean-generic:
 clean: clean-am
 
 clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \
-	mostlyclean-am
+	clean-noinstPROGRAMS mostlyclean-am
 
 distclean: distclean-am
 	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-libtool distclean-tags
+	distclean-tags
 
 dvi: dvi-am
 
@@ -793,12 +1006,20 @@ info-am:
 
 install-data-am:
 
+install-dvi: install-dvi-am
+
 install-exec-am: install-libLTLIBRARIES
 
+install-html: install-html-am
+
 install-info: install-info-am
 
 install-man:
 
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
 installcheck-am:
 
 maintainer-clean: maintainer-clean-am
@@ -819,20 +1040,23 @@ ps: ps-am
 
 ps-am:
 
-uninstall-am: uninstall-info-am uninstall-libLTLIBRARIES
+uninstall-am: uninstall-libLTLIBRARIES
+
+.MAKE: install-am install-strip
 
 .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
-	clean-libLTLIBRARIES clean-libtool ctags distclean \
-	distclean-compile distclean-generic distclean-libtool \
-	distclean-tags distdir dvi dvi-am html html-am info info-am \
-	install install-am install-data install-data-am install-exec \
-	install-exec-am install-info install-info-am \
-	install-libLTLIBRARIES install-man install-strip installcheck \
-	installcheck-am installdirs maintainer-clean \
+	clean-libLTLIBRARIES clean-libtool clean-noinstPROGRAMS ctags \
+	distclean distclean-compile distclean-generic \
+	distclean-libtool distclean-tags distdir dvi dvi-am html \
+	html-am info info-am install install-am install-data \
+	install-data-am install-dvi install-dvi-am install-exec \
+	install-exec-am install-html install-html-am install-info \
+	install-info-am install-libLTLIBRARIES install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
 	maintainer-clean-generic mostlyclean mostlyclean-compile \
 	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags uninstall uninstall-am uninstall-info-am \
-	uninstall-libLTLIBRARIES
+	tags uninstall uninstall-am uninstall-libLTLIBRARIES
 
 
 asn1/oid.c :	asn1/oid.txt asn1/oid.pl
@@ -840,6 +1064,9 @@ asn1/oid.c :	asn1/oid.txt asn1/oid.pl
 
 asn1/oid.h :	asn1/oid.txt asn1/oid.pl
 		cd asn1 && $(PERL) oid.pl
+
+@USE_INTEGRITY_TEST_TRUE@fips_signature.h : fips_signer
+@USE_INTEGRITY_TEST_TRUE@		   ./fips_signer
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 2a0aa4ff6..3191c89bd 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -11,6 +11,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: asn1.c 3299 2007-10-12 19:29:00Z andreas $
  */
 
 #include <stdio.h>
@@ -33,6 +35,13 @@ const chunk_t ASN1_INTEGER_2 = chunk_from_buf(ASN1_INTEGER_2_str);
 
 /* some popular algorithmIdentifiers */
 
+static u_char ASN1_md2_id_str[] = {
+	0x30, 0x0c,
+		  0x06, 0x08,
+				0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x02,
+		  0x05,0x00,
+};
+
 static u_char ASN1_md5_id_str[] = {
 	0x30, 0x0C,
 		  0x06, 0x08,
@@ -47,6 +56,27 @@ static u_char ASN1_sha1_id_str[] = {
 		  0x05, 0x00
 };
 
+static u_char ASN1_sha256_id_str[] = {
+	0x30, 0x0d,
+		  0x06, 0x09,
+				0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
+		  0x05, 0x00
+};
+
+static u_char ASN1_sha384_id_str[] = {
+	0x30, 0x0d,
+		  0x06, 0x09,
+				0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
+		  0x05, 0x00
+};
+
+static u_char ASN1_sha512_id_str[] = {
+	0x30, 0x0d,
+		  0x06, 0x09,
+				0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
+		  0x05,0x00
+};
+
 static u_char ASN1_md5WithRSA_id_str[] = {
 	0x30, 0x0D,
 		  0x06, 0x09,
@@ -68,8 +98,12 @@ static u_char ASN1_rsaEncryption_id_str[] = {
 		  0x05, 0x00
 };
 
-const chunk_t ASN1_md5_id = chunk_from_buf(ASN1_md5_id_str);
-const chunk_t ASN1_sha1_id = chunk_from_buf(ASN1_sha1_id_str);
+const chunk_t ASN1_md2_id    = chunk_from_buf(ASN1_md2_id_str);
+const chunk_t ASN1_md5_id    = chunk_from_buf(ASN1_md5_id_str);
+const chunk_t ASN1_sha1_id   = chunk_from_buf(ASN1_sha1_id_str);
+const chunk_t ASN1_sha256_id = chunk_from_buf(ASN1_sha256_id_str);
+const chunk_t ASN1_sha384_id = chunk_from_buf(ASN1_sha384_id_str);
+const chunk_t ASN1_sha512_id = chunk_from_buf(ASN1_sha512_id_str);
 const chunk_t ASN1_rsaEncryption_id = chunk_from_buf(ASN1_rsaEncryption_id_str);
 const chunk_t ASN1_md5WithRSA_id = chunk_from_buf(ASN1_md5WithRSA_id_str);
 const chunk_t ASN1_sha1WithRSA_id = chunk_from_buf(ASN1_sha1WithRSA_id_str);
@@ -279,6 +313,35 @@ time_t asn1totime(const chunk_t *utctime, asn1_t type)
 }
 
 /**
+ *  Convert a date into ASN.1 UTCTIME or GENERALIZEDTIME format
+ */
+chunk_t timetoasn1(const time_t *time, asn1_t type)
+{
+	int offset;
+	const char *format;
+	char buf[BUF_LEN];
+	chunk_t formatted_time;
+	struct tm *t = gmtime(time);
+	
+	if (type == ASN1_GENERALIZEDTIME)
+	{
+		format = "%04d%02d%02d%02d%02d%02dZ";
+		offset = 1900;
+	}
+	else /* ASN1_UTCTIME */
+	{
+		format = "%02d%02d%02d%02d%02d%02dZ";
+		offset = (t->tm_year < 100)? 0 : -100;
+	}
+	snprintf(buf, BUF_LEN, format, t->tm_year + offset, 
+			 t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
+	formatted_time.ptr = buf;
+	formatted_time.len = strlen(buf);
+	return asn1_simple_object(type, formatted_time);
+}
+
+
+/**
  * Initializes the internal context of the ASN.1 parser
  */
 void asn1_init(asn1_ctx_t *ctx, chunk_t blob, u_int level0,
@@ -396,7 +459,7 @@ bool extract_object(asn1Object_t const *objects, u_int *objectID, chunk_t *objec
 	
 	if (blob->len < 2)
 	{
-		DBG2("L%d - %s:  ASN.1 object smaller than 2 octets", 
+		DBG1("L%d - %s:  ASN.1 object smaller than 2 octets", 
 					*level, obj.name);
 		return FALSE;
 	}
@@ -405,7 +468,7 @@ bool extract_object(asn1Object_t const *objects, u_int *objectID, chunk_t *objec
 	
 	if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
 	{
-		DBG2("L%d - %s:  length of ASN.1 object invalid or too large", 
+		DBG1("L%d - %s:  length of ASN.1 object invalid or too large", 
 					*level, obj.name);
 		return FALSE;
 	}
@@ -698,38 +761,11 @@ chunk_t asn1_integer_from_mpz(const mpz_t value)
 {
 	size_t bits = mpz_sizeinbase(value, 2);  /* size in bits */
 	chunk_t n;
+
 	n.len = 1 + bits / 8;  /* size in bytes */	
 	n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, value);
-	
-	return asn1_wrap(ASN1_INTEGER, "m", n);
-}
 
-/**
- *  convert a date into ASN.1 UTCTIME or GENERALIZEDTIME format
- */
-chunk_t timetoasn1(const time_t *time, asn1_t type)
-{
-	int offset;
-	const char *format;
-	char buf[32];
-	chunk_t formatted_time;
-	struct tm *t = gmtime(time);
-	
-	if (type == ASN1_GENERALIZEDTIME)
-	{
-		format = "%04d%02d%02d%02d%02d%02dZ";
-		offset = 1900;
-	}
-	else /* ASN1_UTCTIME */
-	{
-		format = "%02d%02d%02d%02d%02d%02dZ";
-		offset = (t->tm_year < 100)? 0 : -100;
-	}
-	snprintf(buf, sizeof(buf), format, t->tm_year + offset, 
-			 t->tm_mon + 1, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
-	formatted_time.ptr = buf;
-	formatted_time.len = strlen(buf);
-	return asn1_simple_object(type, formatted_time);
+	return asn1_wrap(ASN1_INTEGER, "m", n);
 }
 
 /**
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 365ccb438..18742d18d 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -11,6 +11,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: asn1.h 3299 2007-10-12 19:29:00Z andreas $
  */
 
 #ifndef _ASN1_H
@@ -23,7 +25,11 @@
 #include <asn1/oid.h>
 
 
-/* Defines some primitive ASN1 types */
+/**
+ * @brief Definition of some primitive ASN1 types
+ *
+ * @ingroup asn1
+ */
 typedef enum {
     ASN1_EOC =				0x00,
     ASN1_BOOLEAN =			0x01,
@@ -109,8 +115,13 @@ extern const chunk_t ASN1_INTEGER_1;
 extern const chunk_t ASN1_INTEGER_2;
 
 /* some popular algorithmIdentifiers */
+extern const chunk_t ASN1_md2_id;
 extern const chunk_t ASN1_md5_id;
 extern const chunk_t ASN1_sha1_id;
+extern const chunk_t ASN1_sha256_id;
+extern const chunk_t ASN1_sha384_id;
+extern const chunk_t ASN1_sha512_id;
+
 extern const chunk_t ASN1_rsaEncryption_id;
 extern const chunk_t ASN1_md5WithRSA_id;
 extern const chunk_t ASN1_sha1WithRSA_id;
@@ -120,6 +131,7 @@ extern int known_oid(chunk_t object);
 extern u_int asn1_length(chunk_t *blob);
 extern bool is_printablestring(chunk_t str);
 extern time_t asn1totime(const chunk_t *utctime, asn1_t type);
+extern chunk_t timetoasn1(const time_t *time, asn1_t type);
 extern void asn1_init(asn1_ctx_t *ctx, chunk_t blob, u_int level0, bool implicit, bool private);
 extern bool extract_object(asn1Object_t const *objects, u_int *objectID, chunk_t *object, u_int *level, asn1_ctx_t *ctx);
 extern bool parse_asn1_simple_object(chunk_t *object, asn1_t type, u_int level, const char* name);
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 6b16d5a64..28a915433 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -10,194 +10,199 @@
 #include "oid.h"
 
 const oid_t oid_names[] = {
-  {0x02,                       7, 1, "ITU-T Administration"   },  /*   0 */
-  {  0x82,                     0, 1, ""                       },  /*   1 */
-  {    0x06,                   0, 1, "Germany ITU-T member"   },  /*   2 */
-  {      0x01,                 0, 1, "Deutsche Telekom AG"    },  /*   3 */
-  {        0x0A,               0, 1, ""                       },  /*   4 */
-  {          0x07,             0, 1, ""                       },  /*   5 */
-  {            0x14,           0, 0, "ND"                     },  /*   6 */
-  {0x09,                      18, 1, "data"                   },  /*   7 */
-  {  0x92,                     0, 1, ""                       },  /*   8 */
-  {    0x26,                   0, 1, ""                       },  /*   9 */
-  {      0x89,                 0, 1, ""                       },  /*  10 */
-  {        0x93,               0, 1, ""                       },  /*  11 */
-  {          0xF2,             0, 1, ""                       },  /*  12 */
-  {            0x2C,           0, 1, ""                       },  /*  13 */
-  {              0x64,         0, 1, "pilot"                  },  /*  14 */
-  {                0x01,       0, 1, "pilotAttributeType"     },  /*  15 */
-  {                  0x01,    17, 0, "UID"                    },  /*  16 */
-  {                  0x19,     0, 0, "DC"                     },  /*  17 */
-  {0x55,                      52, 1, "X.500"                  },  /*  18 */
-  {  0x04,                    36, 1, "X.509"                  },  /*  19 */
-  {    0x03,                  21, 0, "CN"                     },  /*  20 */
-  {    0x04,                  22, 0, "S"                      },  /*  21 */
-  {    0x05,                  23, 0, "SN"                     },  /*  22 */
-  {    0x06,                  24, 0, "C"                      },  /*  23 */
-  {    0x07,                  25, 0, "L"                      },  /*  24 */
-  {    0x08,                  26, 0, "ST"                     },  /*  25 */
-  {    0x0A,                  27, 0, "O"                      },  /*  26 */
-  {    0x0B,                  28, 0, "OU"                     },  /*  27 */
-  {    0x0C,                  29, 0, "T"                      },  /*  28 */
-  {    0x0D,                  30, 0, "D"                      },  /*  29 */
-  {    0x24,                  31, 0, "userCertificate"        },  /*  30 */
-  {    0x29,                  32, 0, "N"                      },  /*  31 */
-  {    0x2A,                  33, 0, "G"                      },  /*  32 */
-  {    0x2B,                  34, 0, "I"                      },  /*  33 */
-  {    0x2D,                  35, 0, "ID"                     },  /*  34 */
-  {    0x48,                   0, 0, "role"                   },  /*  35 */
-  {  0x1D,                     0, 1, "id-ce"                  },  /*  36 */
-  {    0x09,                  38, 0, "subjectDirectoryAttrs"  },  /*  37 */
-  {    0x0E,                  39, 0, "subjectKeyIdentifier"   },  /*  38 */
-  {    0x0F,                  40, 0, "keyUsage"               },  /*  39 */
-  {    0x10,                  41, 0, "privateKeyUsagePeriod"  },  /*  40 */
-  {    0x11,                  42, 0, "subjectAltName"         },  /*  41 */
-  {    0x12,                  43, 0, "issuerAltName"          },  /*  42 */
-  {    0x13,                  44, 0, "basicConstraints"       },  /*  43 */
-  {    0x14,                  45, 0, "crlNumber"              },  /*  44 */
-  {    0x15,                  46, 0, "reasonCode"             },  /*  45 */
-  {    0x1F,                  47, 0, "crlDistributionPoints"  },  /*  46 */
-  {    0x20,                  48, 0, "certificatePolicies"    },  /*  47 */
-  {    0x23,                  49, 0, "authorityKeyIdentifier" },  /*  48 */
-  {    0x25,                  50, 0, "extendedKeyUsage"       },  /*  49 */
-  {    0x37,                  51, 0, "targetInformation"      },  /*  50 */
-  {    0x38,                   0, 0, "noRevAvail"             },  /*  51 */
-  {0x2A,                      94, 1, ""                       },  /*  52 */
-  {  0x86,                     0, 1, ""                       },  /*  53 */
-  {    0x48,                   0, 1, ""                       },  /*  54 */
-  {      0x86,                 0, 1, ""                       },  /*  55 */
-  {        0xF6,              61, 1, ""                       },  /*  56 */
-  {          0x7D,             0, 1, "NortelNetworks"         },  /*  57 */
-  {            0x07,           0, 1, "Entrust"                },  /*  58 */
-  {              0x41,         0, 1, "nsn-ce"                 },  /*  59 */
-  {                0x00,       0, 0, "entrustVersInfo"        },  /*  60 */
-  {        0xF7,               0, 1, ""                       },  /*  61 */
-  {          0x0D,             0, 1, "RSADSI"                 },  /*  62 */
-  {            0x01,          89, 1, "PKCS"                   },  /*  63 */
-  {              0x01,        72, 1, "PKCS-1"                 },  /*  64 */
-  {                0x01,      66, 0, "rsaEncryption"          },  /*  65 */
-  {                0x02,      67, 0, "md2WithRSAEncryption"   },  /*  66 */
-  {                0x04,      68, 0, "md5WithRSAEncryption"   },  /*  67 */
-  {                0x05,      69, 0, "sha-1WithRSAEncryption" },  /*  68 */
-  {                0x0B,      70, 0, "sha256WithRSAEncryption"},  /*  69 */
-  {                0x0C,      71, 0, "sha384WithRSAEncryption"},  /*  70 */
-  {                0x0D,       0, 0, "sha512WithRSAEncryption"},  /*  71 */
-  {              0x07,        79, 1, "PKCS-7"                 },  /*  72 */
-  {                0x01,      74, 0, "data"                   },  /*  73 */
-  {                0x02,      75, 0, "signedData"             },  /*  74 */
-  {                0x03,      76, 0, "envelopedData"          },  /*  75 */
-  {                0x04,      77, 0, "signedAndEnvelopedData" },  /*  76 */
-  {                0x05,      78, 0, "digestedData"           },  /*  77 */
-  {                0x06,       0, 0, "encryptedData"          },  /*  78 */
-  {              0x09,         0, 1, "PKCS-9"                 },  /*  79 */
-  {                0x01,      81, 0, "E"                      },  /*  80 */
-  {                0x02,      82, 0, "unstructuredName"       },  /*  81 */
-  {                0x03,      83, 0, "contentType"            },  /*  82 */
-  {                0x04,      84, 0, "messageDigest"          },  /*  83 */
-  {                0x05,      85, 0, "signingTime"            },  /*  84 */
-  {                0x06,      86, 0, "counterSignature"       },  /*  85 */
-  {                0x07,      87, 0, "challengePassword"      },  /*  86 */
-  {                0x08,      88, 0, "unstructuredAddress"    },  /*  87 */
-  {                0x0E,       0, 0, "extensionRequest"       },  /*  88 */
-  {            0x02,          92, 1, "digestAlgorithm"        },  /*  89 */
-  {              0x02,        91, 0, "md2"                    },  /*  90 */
-  {              0x05,         0, 0, "md5"                    },  /*  91 */
-  {            0x03,           0, 1, "encryptionAlgorithm"    },  /*  92 */
-  {              0x07,         0, 0, "3des-ede-cbc"           },  /*  93 */
-  {0x2B,                     155, 1, ""                       },  /*  94 */
-  {  0x06,                   142, 1, "dod"                    },  /*  95 */
-  {    0x01,                   0, 1, "internet"               },  /*  96 */
-  {      0x04,               111, 1, "private"                },  /*  97 */
-  {        0x01,               0, 1, "enterprise"             },  /*  98 */
-  {          0x82,           104, 1, ""                       },  /*  99 */
-  {            0x37,           0, 1, "Microsoft"              },  /* 100 */
-  {              0x0A,         0, 1, ""                       },  /* 101 */
-  {                0x03,       0, 1, ""                       },  /* 102 */
-  {                  0x03,     0, 0, "msSGC"                  },  /* 103 */
-  {          0x89,             0, 1, ""                       },  /* 104 */
-  {            0x31,           0, 1, ""                       },  /* 105 */
-  {              0x01,         0, 1, ""                       },  /* 106 */
-  {                0x01,       0, 1, ""                       },  /* 107 */
-  {                  0x02,     0, 1, ""                       },  /* 108 */
-  {                    0x02, 110, 0, ""                       },  /* 109 */
-  {                    0x4B,   0, 0, "TCGID"                  },  /* 110 */
-  {      0x05,                 0, 1, "security"               },  /* 111 */
-  {        0x05,               0, 1, "mechanisms"             },  /* 112 */
-  {          0x07,             0, 1, "id-pkix"                },  /* 113 */
-  {            0x01,         116, 1, "id-pe"                  },  /* 114 */
-  {              0x01,         0, 0, "authorityInfoAccess"    },  /* 115 */
-  {            0x03,         126, 1, "id-kp"                  },  /* 116 */
-  {              0x01,       118, 0, "serverAuth"             },  /* 117 */
-  {              0x02,       119, 0, "clientAuth"             },  /* 118 */
-  {              0x03,       120, 0, "codeSigning"            },  /* 119 */
-  {              0x04,       121, 0, "emailProtection"        },  /* 120 */
-  {              0x05,       122, 0, "ipsecEndSystem"         },  /* 121 */
-  {              0x06,       123, 0, "ipsecTunnel"            },  /* 122 */
-  {              0x07,       124, 0, "ipsecUser"              },  /* 123 */
-  {              0x08,       125, 0, "timeStamping"           },  /* 124 */
-  {              0x09,         0, 0, "ocspSigning"            },  /* 125 */
-  {            0x08,         128, 1, "id-otherNames"          },  /* 126 */
-  {              0x05,         0, 0, "xmppAddr"               },  /* 127 */
-  {            0x0A,         133, 1, "id-aca"                 },  /* 128 */
-  {              0x01,       130, 0, "authenticationInfo"     },  /* 129 */
-  {              0x02,       131, 0, "accessIdentity"         },  /* 130 */
-  {              0x03,       132, 0, "chargingIdentity"       },  /* 131 */
-  {              0x04,         0, 0, "group"                  },  /* 132 */
-  {            0x30,           0, 1, "id-ad"                  },  /* 133 */
-  {              0x01,         0, 1, "ocsp"                   },  /* 134 */
-  {                0x01,     136, 0, "basic"                  },  /* 135 */
-  {                0x02,     137, 0, "nonce"                  },  /* 136 */
-  {                0x03,     138, 0, "crl"                    },  /* 137 */
-  {                0x04,     139, 0, "response"               },  /* 138 */
-  {                0x05,     140, 0, "noCheck"                },  /* 139 */
-  {                0x06,     141, 0, "archiveCutoff"          },  /* 140 */
-  {                0x07,       0, 0, "serviceLocator"         },  /* 141 */
-  {  0x0E,                   148, 1, "oiw"                    },  /* 142 */
-  {    0x03,                   0, 1, "secsig"                 },  /* 143 */
-  {      0x02,                 0, 1, "algorithms"             },  /* 144 */
-  {        0x07,             146, 0, "des-cbc"                },  /* 145 */
-  {        0x1A,             147, 0, "sha-1"                  },  /* 146 */
-  {        0x1D,               0, 0, "sha-1WithRSASignature"  },  /* 147 */
-  {  0x24,                     0, 1, "TeleTrusT"              },  /* 148 */
-  {    0x03,                   0, 1, "algorithm"              },  /* 149 */
-  {      0x03,                 0, 1, "signatureAlgorithm"     },  /* 150 */
-  {        0x01,               0, 1, "rsaSignature"           },  /* 151 */
-  {          0x02,           153, 0, "rsaSigWithripemd160"    },  /* 152 */
-  {          0x03,           154, 0, "rsaSigWithripemd128"    },  /* 153 */
-  {          0x04,             0, 0, "rsaSigWithripemd256"    },  /* 154 */
-  {0x60,                       0, 1, ""                       },  /* 155 */
-  {  0x86,                     0, 1, ""                       },  /* 156 */
-  {    0x48,                   0, 1, ""                       },  /* 157 */
-  {      0x01,                 0, 1, "organization"           },  /* 158 */
-  {        0x65,             166, 1, "gov"                    },  /* 159 */
-  {          0x03,             0, 1, "csor"                   },  /* 160 */
-  {            0x04,           0, 1, "nistalgorithm"          },  /* 161 */
-  {              0x02,         0, 1, "hashalgs"               },  /* 162 */
-  {                0x01,     164, 0, "id-SHA-256"             },  /* 163 */
-  {                0x02,     165, 0, "id-SHA-384"             },  /* 164 */
-  {                0x03,       0, 0, "id-SHA-512"             },  /* 165 */
-  {        0x86,               0, 1, ""                       },  /* 166 */
-  {          0xf8,             0, 1, ""                       },  /* 167 */
-  {            0x42,         180, 1, "netscape"               },  /* 168 */
-  {              0x01,       175, 1, ""                       },  /* 169 */
-  {                0x01,     171, 0, "nsCertType"             },  /* 170 */
-  {                0x03,     172, 0, "nsRevocationUrl"        },  /* 171 */
-  {                0x04,     173, 0, "nsCaRevocationUrl"      },  /* 172 */
-  {                0x08,     174, 0, "nsCaPolicyUrl"          },  /* 173 */
-  {                0x0d,       0, 0, "nsComment"              },  /* 174 */
-  {              0x03,       178, 1, "directory"              },  /* 175 */
-  {                0x01,       0, 1, ""                       },  /* 176 */
-  {                  0x03,     0, 0, "employeeNumber"         },  /* 177 */
-  {              0x04,         0, 1, "policy"                 },  /* 178 */
-  {                0x01,       0, 0, "nsSGC"                  },  /* 179 */
-  {            0x45,           0, 1, "verisign"               },  /* 180 */
-  {              0x01,         0, 1, "pki"                    },  /* 181 */
-  {                0x09,       0, 1, "attributes"             },  /* 182 */
-  {                  0x02,   184, 0, "messageType"            },  /* 183 */
-  {                  0x03,   185, 0, "pkiStatus"              },  /* 184 */
-  {                  0x04,   186, 0, "failInfo"               },  /* 185 */
-  {                  0x05,   187, 0, "senderNonce"            },  /* 186 */
-  {                  0x06,   188, 0, "recipientNonce"         },  /* 187 */
-  {                  0x07,   189, 0, "transID"                },  /* 188 */
-  {                  0x08,     0, 0, "extensionReq"           }   /* 189 */
+  {0x02,                       7, 1, "ITU-T Administration"      },  /*   0 */
+  {  0x82,                     0, 1, ""                          },  /*   1 */
+  {    0x06,                   0, 1, "Germany ITU-T member"      },  /*   2 */
+  {      0x01,                 0, 1, "Deutsche Telekom AG"       },  /*   3 */
+  {        0x0A,               0, 1, ""                          },  /*   4 */
+  {          0x07,             0, 1, ""                          },  /*   5 */
+  {            0x14,           0, 0, "ND"                        },  /*   6 */
+  {0x09,                      18, 1, "data"                      },  /*   7 */
+  {  0x92,                     0, 1, ""                          },  /*   8 */
+  {    0x26,                   0, 1, ""                          },  /*   9 */
+  {      0x89,                 0, 1, ""                          },  /*  10 */
+  {        0x93,               0, 1, ""                          },  /*  11 */
+  {          0xF2,             0, 1, ""                          },  /*  12 */
+  {            0x2C,           0, 1, ""                          },  /*  13 */
+  {              0x64,         0, 1, "pilot"                     },  /*  14 */
+  {                0x01,       0, 1, "pilotAttributeType"        },  /*  15 */
+  {                  0x01,    17, 0, "UID"                       },  /*  16 */
+  {                  0x19,     0, 0, "DC"                        },  /*  17 */
+  {0x55,                      52, 1, "X.500"                     },  /*  18 */
+  {  0x04,                    36, 1, "X.509"                     },  /*  19 */
+  {    0x03,                  21, 0, "CN"                        },  /*  20 */
+  {    0x04,                  22, 0, "S"                         },  /*  21 */
+  {    0x05,                  23, 0, "SN"                        },  /*  22 */
+  {    0x06,                  24, 0, "C"                         },  /*  23 */
+  {    0x07,                  25, 0, "L"                         },  /*  24 */
+  {    0x08,                  26, 0, "ST"                        },  /*  25 */
+  {    0x0A,                  27, 0, "O"                         },  /*  26 */
+  {    0x0B,                  28, 0, "OU"                        },  /*  27 */
+  {    0x0C,                  29, 0, "T"                         },  /*  28 */
+  {    0x0D,                  30, 0, "D"                         },  /*  29 */
+  {    0x24,                  31, 0, "userCertificate"           },  /*  30 */
+  {    0x29,                  32, 0, "N"                         },  /*  31 */
+  {    0x2A,                  33, 0, "G"                         },  /*  32 */
+  {    0x2B,                  34, 0, "I"                         },  /*  33 */
+  {    0x2D,                  35, 0, "ID"                        },  /*  34 */
+  {    0x48,                   0, 0, "role"                      },  /*  35 */
+  {  0x1D,                     0, 1, "id-ce"                     },  /*  36 */
+  {    0x09,                  38, 0, "subjectDirectoryAttrs"     },  /*  37 */
+  {    0x0E,                  39, 0, "subjectKeyIdentifier"      },  /*  38 */
+  {    0x0F,                  40, 0, "keyUsage"                  },  /*  39 */
+  {    0x10,                  41, 0, "privateKeyUsagePeriod"     },  /*  40 */
+  {    0x11,                  42, 0, "subjectAltName"            },  /*  41 */
+  {    0x12,                  43, 0, "issuerAltName"             },  /*  42 */
+  {    0x13,                  44, 0, "basicConstraints"          },  /*  43 */
+  {    0x14,                  45, 0, "crlNumber"                 },  /*  44 */
+  {    0x15,                  46, 0, "reasonCode"                },  /*  45 */
+  {    0x1F,                  47, 0, "crlDistributionPoints"     },  /*  46 */
+  {    0x20,                  48, 0, "certificatePolicies"       },  /*  47 */
+  {    0x23,                  49, 0, "authorityKeyIdentifier"    },  /*  48 */
+  {    0x25,                  50, 0, "extendedKeyUsage"          },  /*  49 */
+  {    0x37,                  51, 0, "targetInformation"         },  /*  50 */
+  {    0x38,                   0, 0, "noRevAvail"                },  /*  51 */
+  {0x2A,                      94, 1, ""                          },  /*  52 */
+  {  0x86,                     0, 1, ""                          },  /*  53 */
+  {    0x48,                   0, 1, ""                          },  /*  54 */
+  {      0x86,                 0, 1, ""                          },  /*  55 */
+  {        0xF6,              61, 1, ""                          },  /*  56 */
+  {          0x7D,             0, 1, "NortelNetworks"            },  /*  57 */
+  {            0x07,           0, 1, "Entrust"                   },  /*  58 */
+  {              0x41,         0, 1, "nsn-ce"                    },  /*  59 */
+  {                0x00,       0, 0, "entrustVersInfo"           },  /*  60 */
+  {        0xF7,               0, 1, ""                          },  /*  61 */
+  {          0x0D,             0, 1, "RSADSI"                    },  /*  62 */
+  {            0x01,          89, 1, "PKCS"                      },  /*  63 */
+  {              0x01,        72, 1, "PKCS-1"                    },  /*  64 */
+  {                0x01,      66, 0, "rsaEncryption"             },  /*  65 */
+  {                0x02,      67, 0, "md2WithRSAEncryption"      },  /*  66 */
+  {                0x04,      68, 0, "md5WithRSAEncryption"      },  /*  67 */
+  {                0x05,      69, 0, "sha-1WithRSAEncryption"    },  /*  68 */
+  {                0x0B,      70, 0, "sha256WithRSAEncryption"   },  /*  69 */
+  {                0x0C,      71, 0, "sha384WithRSAEncryption"   },  /*  70 */
+  {                0x0D,       0, 0, "sha512WithRSAEncryption"   },  /*  71 */
+  {              0x07,        79, 1, "PKCS-7"                    },  /*  72 */
+  {                0x01,      74, 0, "data"                      },  /*  73 */
+  {                0x02,      75, 0, "signedData"                },  /*  74 */
+  {                0x03,      76, 0, "envelopedData"             },  /*  75 */
+  {                0x04,      77, 0, "signedAndEnvelopedData"    },  /*  76 */
+  {                0x05,      78, 0, "digestedData"              },  /*  77 */
+  {                0x06,       0, 0, "encryptedData"             },  /*  78 */
+  {              0x09,         0, 1, "PKCS-9"                    },  /*  79 */
+  {                0x01,      81, 0, "E"                         },  /*  80 */
+  {                0x02,      82, 0, "unstructuredName"          },  /*  81 */
+  {                0x03,      83, 0, "contentType"               },  /*  82 */
+  {                0x04,      84, 0, "messageDigest"             },  /*  83 */
+  {                0x05,      85, 0, "signingTime"               },  /*  84 */
+  {                0x06,      86, 0, "counterSignature"          },  /*  85 */
+  {                0x07,      87, 0, "challengePassword"         },  /*  86 */
+  {                0x08,      88, 0, "unstructuredAddress"       },  /*  87 */
+  {                0x0E,       0, 0, "extensionRequest"          },  /*  88 */
+  {            0x02,          92, 1, "digestAlgorithm"           },  /*  89 */
+  {              0x02,        91, 0, "md2"                       },  /*  90 */
+  {              0x05,         0, 0, "md5"                       },  /*  91 */
+  {            0x03,           0, 1, "encryptionAlgorithm"       },  /*  92 */
+  {              0x07,         0, 0, "3des-ede-cbc"              },  /*  93 */
+  {0x2B,                     160, 1, ""                          },  /*  94 */
+  {  0x06,                   147, 1, "dod"                       },  /*  95 */
+  {    0x01,                   0, 1, "internet"                  },  /*  96 */
+  {      0x04,               115, 1, "private"                   },  /*  97 */
+  {        0x01,               0, 1, "enterprise"                },  /*  98 */
+  {          0x82,           108, 1, ""                          },  /*  99 */
+  {            0x37,           0, 1, "Microsoft"                 },  /* 100 */
+  {              0x0A,       105, 1, ""                          },  /* 101 */
+  {                0x03,       0, 1, ""                          },  /* 102 */
+  {                  0x03,   104, 0, "msSGC"                     },  /* 103 */
+  {                  0x04,     0, 0, "msEncryptingFileSystem"    },  /* 104 */
+  {              0x14,         0, 1, "msEnrollmentInfrastructure"},  /* 105 */
+  {                0x02,       0, 1, "msCertificateTypeExtension"},  /* 106 */
+  {                  0x02,     0, 0, "msSmartcardLogon"          },  /* 107 */
+  {          0x89,             0, 1, ""                          },  /* 108 */
+  {            0x31,           0, 1, ""                          },  /* 109 */
+  {              0x01,         0, 1, ""                          },  /* 110 */
+  {                0x01,       0, 1, ""                          },  /* 111 */
+  {                  0x02,     0, 1, ""                          },  /* 112 */
+  {                    0x02, 114, 0, ""                          },  /* 113 */
+  {                    0x4B,   0, 0, "TCGID"                     },  /* 114 */
+  {      0x05,                 0, 1, "security"                  },  /* 115 */
+  {        0x05,               0, 1, "mechanisms"                },  /* 116 */
+  {          0x07,             0, 1, "id-pkix"                   },  /* 117 */
+  {            0x01,         120, 1, "id-pe"                     },  /* 118 */
+  {              0x01,         0, 0, "authorityInfoAccess"       },  /* 119 */
+  {            0x03,         130, 1, "id-kp"                     },  /* 120 */
+  {              0x01,       122, 0, "serverAuth"                },  /* 121 */
+  {              0x02,       123, 0, "clientAuth"                },  /* 122 */
+  {              0x03,       124, 0, "codeSigning"               },  /* 123 */
+  {              0x04,       125, 0, "emailProtection"           },  /* 124 */
+  {              0x05,       126, 0, "ipsecEndSystem"            },  /* 125 */
+  {              0x06,       127, 0, "ipsecTunnel"               },  /* 126 */
+  {              0x07,       128, 0, "ipsecUser"                 },  /* 127 */
+  {              0x08,       129, 0, "timeStamping"              },  /* 128 */
+  {              0x09,         0, 0, "ocspSigning"               },  /* 129 */
+  {            0x08,         132, 1, "id-otherNames"             },  /* 130 */
+  {              0x05,         0, 0, "xmppAddr"                  },  /* 131 */
+  {            0x0A,         137, 1, "id-aca"                    },  /* 132 */
+  {              0x01,       134, 0, "authenticationInfo"        },  /* 133 */
+  {              0x02,       135, 0, "accessIdentity"            },  /* 134 */
+  {              0x03,       136, 0, "chargingIdentity"          },  /* 135 */
+  {              0x04,         0, 0, "group"                     },  /* 136 */
+  {            0x30,           0, 1, "id-ad"                     },  /* 137 */
+  {              0x01,       146, 1, "ocsp"                      },  /* 138 */
+  {                0x01,     140, 0, "basic"                     },  /* 139 */
+  {                0x02,     141, 0, "nonce"                     },  /* 140 */
+  {                0x03,     142, 0, "crl"                       },  /* 141 */
+  {                0x04,     143, 0, "response"                  },  /* 142 */
+  {                0x05,     144, 0, "noCheck"                   },  /* 143 */
+  {                0x06,     145, 0, "archiveCutoff"             },  /* 144 */
+  {                0x07,       0, 0, "serviceLocator"            },  /* 145 */
+  {              0x02,         0, 0, "caIssuers"                 },  /* 146 */
+  {  0x0E,                   153, 1, "oiw"                       },  /* 147 */
+  {    0x03,                   0, 1, "secsig"                    },  /* 148 */
+  {      0x02,                 0, 1, "algorithms"                },  /* 149 */
+  {        0x07,             151, 0, "des-cbc"                   },  /* 150 */
+  {        0x1A,             152, 0, "sha-1"                     },  /* 151 */
+  {        0x1D,               0, 0, "sha-1WithRSASignature"     },  /* 152 */
+  {  0x24,                     0, 1, "TeleTrusT"                 },  /* 153 */
+  {    0x03,                   0, 1, "algorithm"                 },  /* 154 */
+  {      0x03,                 0, 1, "signatureAlgorithm"        },  /* 155 */
+  {        0x01,               0, 1, "rsaSignature"              },  /* 156 */
+  {          0x02,           158, 0, "rsaSigWithripemd160"       },  /* 157 */
+  {          0x03,           159, 0, "rsaSigWithripemd128"       },  /* 158 */
+  {          0x04,             0, 0, "rsaSigWithripemd256"       },  /* 159 */
+  {0x60,                       0, 1, ""                          },  /* 160 */
+  {  0x86,                     0, 1, ""                          },  /* 161 */
+  {    0x48,                   0, 1, ""                          },  /* 162 */
+  {      0x01,                 0, 1, "organization"              },  /* 163 */
+  {        0x65,             171, 1, "gov"                       },  /* 164 */
+  {          0x03,             0, 1, "csor"                      },  /* 165 */
+  {            0x04,           0, 1, "nistalgorithm"             },  /* 166 */
+  {              0x02,         0, 1, "hashalgs"                  },  /* 167 */
+  {                0x01,     169, 0, "id-SHA-256"                },  /* 168 */
+  {                0x02,     170, 0, "id-SHA-384"                },  /* 169 */
+  {                0x03,       0, 0, "id-SHA-512"                },  /* 170 */
+  {        0x86,               0, 1, ""                          },  /* 171 */
+  {          0xf8,             0, 1, ""                          },  /* 172 */
+  {            0x42,         185, 1, "netscape"                  },  /* 173 */
+  {              0x01,       180, 1, ""                          },  /* 174 */
+  {                0x01,     176, 0, "nsCertType"                },  /* 175 */
+  {                0x03,     177, 0, "nsRevocationUrl"           },  /* 176 */
+  {                0x04,     178, 0, "nsCaRevocationUrl"         },  /* 177 */
+  {                0x08,     179, 0, "nsCaPolicyUrl"             },  /* 178 */
+  {                0x0d,       0, 0, "nsComment"                 },  /* 179 */
+  {              0x03,       183, 1, "directory"                 },  /* 180 */
+  {                0x01,       0, 1, ""                          },  /* 181 */
+  {                  0x03,     0, 0, "employeeNumber"            },  /* 182 */
+  {              0x04,         0, 1, "policy"                    },  /* 183 */
+  {                0x01,       0, 0, "nsSGC"                     },  /* 184 */
+  {            0x45,           0, 1, "verisign"                  },  /* 185 */
+  {              0x01,         0, 1, "pki"                       },  /* 186 */
+  {                0x09,       0, 1, "attributes"                },  /* 187 */
+  {                  0x02,   189, 0, "messageType"               },  /* 188 */
+  {                  0x03,   190, 0, "pkiStatus"                 },  /* 189 */
+  {                  0x04,   191, 0, "failInfo"                  },  /* 190 */
+  {                  0x05,   192, 0, "senderNonce"               },  /* 191 */
+  {                  0x06,   193, 0, "recipientNonce"            },  /* 192 */
+  {                  0x07,   194, 0, "transID"                   },  /* 193 */
+  {                  0x08,     0, 0, "extensionReq"              }   /* 194 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index a29b1f0a1..5814a3ba0 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -49,36 +49,37 @@ extern const oid_t oid_names[];
 #define OID_MD2								90
 #define OID_MD5								91
 #define OID_3DES_EDE_CBC					93
-#define OID_AUTHORITY_INFO_ACCESS			115
-#define OID_OCSP_SIGNING					125
-#define OID_XMPP_ADDR						127
-#define OID_AUTHENTICATION_INFO				129
-#define OID_ACCESS_IDENTITY					130
-#define OID_CHARGING_IDENTITY				131
-#define OID_GROUP							132
-#define OID_OCSP							134
-#define OID_BASIC							135
-#define OID_NONCE							136
-#define OID_CRL								137
-#define OID_RESPONSE						138
-#define OID_NO_CHECK						139
-#define OID_ARCHIVE_CUTOFF					140
-#define OID_SERVICE_LOCATOR					141
-#define OID_DES_CBC							145
-#define OID_SHA1							146
-#define OID_SHA1_WITH_RSA_OIW				147
-#define OID_SHA256							163
-#define OID_SHA384							164
-#define OID_SHA512							165
-#define OID_NS_REVOCATION_URL				171
-#define OID_NS_CA_REVOCATION_URL			172
-#define OID_NS_CA_POLICY_URL				173
-#define OID_NS_COMMENT						174
-#define OID_PKI_MESSAGE_TYPE				183
-#define OID_PKI_STATUS						184
-#define OID_PKI_FAIL_INFO					185
-#define OID_PKI_SENDER_NONCE				186
-#define OID_PKI_RECIPIENT_NONCE				187
-#define OID_PKI_TRANS_ID					188
+#define OID_AUTHORITY_INFO_ACCESS			119
+#define OID_OCSP_SIGNING					129
+#define OID_XMPP_ADDR						131
+#define OID_AUTHENTICATION_INFO				133
+#define OID_ACCESS_IDENTITY					134
+#define OID_CHARGING_IDENTITY				135
+#define OID_GROUP							136
+#define OID_OCSP							138
+#define OID_BASIC							139
+#define OID_NONCE							140
+#define OID_CRL								141
+#define OID_RESPONSE						142
+#define OID_NO_CHECK						143
+#define OID_ARCHIVE_CUTOFF					144
+#define OID_SERVICE_LOCATOR					145
+#define OID_CA_ISSUERS						146
+#define OID_DES_CBC							150
+#define OID_SHA1							151
+#define OID_SHA1_WITH_RSA_OIW				152
+#define OID_SHA256							168
+#define OID_SHA384							169
+#define OID_SHA512							170
+#define OID_NS_REVOCATION_URL				176
+#define OID_NS_CA_REVOCATION_URL			177
+#define OID_NS_CA_POLICY_URL				178
+#define OID_NS_COMMENT						179
+#define OID_PKI_MESSAGE_TYPE				188
+#define OID_PKI_STATUS						189
+#define OID_PKI_FAIL_INFO					190
+#define OID_PKI_SENDER_NONCE				191
+#define OID_PKI_RECIPIENT_NONCE				192
+#define OID_PKI_TRANS_ID					193
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index bd5a26e43..6ae2dc29a 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -102,6 +102,10 @@
               0x0A           ""
                 0x03         ""
                   0x03       "msSGC"
+                  0x04       "msEncryptingFileSystem"
+              0x14           "msEnrollmentInfrastructure"
+                0x02         "msCertificateTypeExtension"
+                  0x02       "msSmartcardLogon"
           0x89               ""
             0x31             ""
               0x01           ""
@@ -140,6 +144,7 @@
                 0x05         "noCheck"			OID_NO_CHECK
                 0x06         "archiveCutoff"		OID_ARCHIVE_CUTOFF
                 0x07         "serviceLocator"		OID_SERVICE_LOCATOR
+              0x02           "caIssuers"		OID_CA_ISSUERS
   0x0E                       "oiw"
     0x03                     "secsig"
       0x02                   "algorithms"
diff --git a/src/libstrongswan/asn1/pem.c b/src/libstrongswan/asn1/pem.c
index 641805869..b752a97ab 100755
--- a/src/libstrongswan/asn1/pem.c
+++ b/src/libstrongswan/asn1/pem.c
@@ -10,6 +10,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: pem.c 3256 2007-10-07 13:42:43Z andreas $
  */
 
 #include <stdio.h>
@@ -40,7 +42,7 @@ static bool present(const char* pattern, chunk_t* ch)
 {
 	u_int pattern_len = strlen(pattern);
 
-	if (ch->len >= pattern_len && strncmp(ch->ptr, pattern, pattern_len) == 0)
+	if (ch->len >= pattern_len && strneq(ch->ptr, pattern, pattern_len))
 	{
 		ch->ptr += pattern_len;
 		ch->len -= pattern_len;
diff --git a/src/libstrongswan/asn1/ttodata.c b/src/libstrongswan/asn1/ttodata.c
index 8114b12c5..125313c2a 100644
--- a/src/libstrongswan/asn1/ttodata.c
+++ b/src/libstrongswan/asn1/ttodata.c
@@ -62,98 +62,123 @@ const char *ttodatav(const char *src, size_t srclen, int base, char *dst, size_t
 	int skipSpace = 0;
 
 	if (srclen == 0)
+	{
 		srclen = strlen(src);
+	}
 	if (dstlen == 0)
+	{
 		dst = buf;	/* point it somewhere valid */
+	}
 	stop = dst + dstlen;
 
-	if (base == 0) {
+	if (base == 0)
+	{
 		if (srclen < 2)
+		{
 			return "input too short to be valid";
+		}
 		if (*src++ != '0')
+		{
 			return "input does not begin with format prefix";
-		switch (*src++) {
-		case 'x':
-		case 'X':
-			base = 16;
+		}
+		switch (*src++)
+		{
+			case 'x':
+			case 'X':
+				base = 16;
+				break;
+			case 's':
+			case 'S':
+				base = 64;
+				break;
+			case 't':
+			case 'T':
+				base = 256;
+				break;
+			default:
+				return "unknown format prefix";
+		}
+		srclen -= 2;
+	}
+	switch (base)
+	{
+		case 16:
+			decode = unhex;
+			underscoreok = 1;
+			ingroup = 2;
 			break;
-		case 's':
-		case 'S':
-			base = 64;
+		case 64:
+			decode = unb64;
+			underscoreok = 0;
+			ingroup = 4;
+			if(flags & TTODATAV_IGNORESPACE)
+			{
+				skipSpace = 1;
+			}
 			break;
-		case 't':
-		case 'T':
-			base = 256;
+		case 256:
+			decode = untext;
+			ingroup = 1;
+			underscoreok = 0;
 			break;
 		default:
-			return "unknown format prefix";
-		}
-		srclen -= 2;
-	}
-	switch (base) {
-	case 16:
-		decode = unhex;
-		underscoreok = 1;
-		ingroup = 2;
-		break;
-	case 64:
-		decode = unb64;
-		underscoreok = 0;
-		ingroup = 4;
-		if(flags & TTODATAV_IGNORESPACE) {
-			skipSpace = 1;
-		}
-		break;
-
-	case 256:
-		decode = untext;
-		ingroup = 1;
-		underscoreok = 0;
-		break;
-	default:
-		return "unknown base";
+			return "unknown base";
 	}
 
 	/* proceed */
 	ndone = 0;
-	while (srclen > 0) {
+	while (srclen > 0)
+	{
 		char stage[4];	/* staging area for group */
 		size_t sl = 0;
 
 		/* Grab ingroup characters into stage,
 		 * squeezing out blanks if we are supposed to ignore them.
 		 */
-		for (sl = 0; sl < ingroup; src++, srclen--) {
+		for (sl = 0; sl < ingroup; src++, srclen--)
+		{
 			if (srclen == 0)
+			{
 				return "input ends in mid-byte, perhaps truncated";
+			}
 			else if (!(skipSpace && (*src == ' ' || *src == '\t')))
+			{
 				stage[sl++] = *src;
+			}
 		}
 		
 		nbytes = (*decode)(stage, buf, sizeof(buf));
-		switch (nbytes) {
-		case BADCH0:
-		case BADCH1:
-		case BADCH2:
-		case BADCH3:
-			return badch(stage, nbytes, errp, errlen);
-		case SHORT:
-			return "internal buffer too short (\"can't happen\")";
-		case BADPAD:
-			return "bad (non-zero) padding at end of base64 input";
+		switch (nbytes)
+		{
+			case BADCH0:
+			case BADCH1:
+			case BADCH2:
+			case BADCH3:
+				return badch(stage, nbytes, errp, errlen);
+			case SHORT:
+				return "internal buffer too short (\"can't happen\")";
+			case BADPAD:
+				return "bad (non-zero) padding at end of base64 input";
 		}
 		if (nbytes <= 0)
+		{
 			return "unknown internal error";
-		for (i = 0; i < nbytes; i++) {
+		}
+		for (i = 0; i < nbytes; i++)
+		{
 			if (dst < stop)
+			{
 				*dst++ = buf[i];
+			}
 			ndone++;
 		}
-		while (srclen >= 1 && skipSpace && (*src == ' ' || *src == '\t')){
+		while (srclen >= 1 && skipSpace && (*src == ' ' || *src == '\t'))
+		{
 			src++;
 			srclen--;
 		}
-		if (underscoreok && srclen > 1 && *src == '_') {
+		if (underscoreok && srclen > 1 && (*src == '_' || *src == ':'))
+		{
 			/* srclen > 1 means not last character */
 			src++;
 			srclen--;
@@ -161,9 +186,13 @@ const char *ttodatav(const char *src, size_t srclen, int base, char *dst, size_t
 	}
 
 	if (ndone == 0)
+	{
 		return "no data bytes specified by input";
+	}
 	if (lenp != NULL)
+	{
 		*lenp = ndone;
+	}
 	return NULL;
 }
 
@@ -201,9 +230,7 @@ size_t atodata(const char *src, size_t srclen, char *dst, size_t dstlen)
 	const char *err;
 
 	err = ttodata(src, srclen, 0, dst, dstlen, &len);
-	if (err != NULL)
-		return 0;
-	return len;
+	return (err)? 0:len;
 }
 
 /**
@@ -231,21 +258,31 @@ static int unhex(const char *src, char *dst, size_t dstlen)
 	static char hex[] = "0123456789abcdef";
 
 	if (dstlen < 1)
+	{
 		return SHORT;
-	
+	}
+
 	p = strchr(hex, *src);
 	if (p == NULL)
+	{
 		p = strchr(hex, tolower(*src));
+	}
 	if (p == NULL)
+	{
 		return BADCH0;
+	}
 	byte = (p - hex) << 4;
 	src++;
 
 	p = strchr(hex, *src);
 	if (p == NULL)
+	{
 		p = strchr(hex, tolower(*src));
+	}
 	if (p == NULL)
+	{
 		return BADCH1;
+	}
 	byte |= (p - hex);
 
 	*dst = byte;
@@ -272,16 +309,20 @@ static int unb64(const char *src, char *dst, size_t dstlen)
 	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
 
 	if (dstlen < 3)
+	{
 		return SHORT;
-
+	}
 	p = strchr(base64, *src++);
 
 	if (p == NULL)
+	{
 		return BADCH0;
+	}
 	byte1 = (p - base64) << 2;	/* first six bits */
 
 	p = strchr(base64, *src++);
-	if (p == NULL) {
+	if (p == NULL)
+	{
 		return BADCH1;
 	}
 
@@ -290,10 +331,14 @@ static int unb64(const char *src, char *dst, size_t dstlen)
 	byte1 = (byte2 & 0xf) << 4;
 
 	p = strchr(base64, *src++);
-	if (p == NULL) {
-		if (*(src-1) == '=' && *src == '=') {
+	if (p == NULL)
+	{
+		if (*(src-1) == '=' && *src == '=')
+		{
 			if (byte1 != 0)		/* bad padding */
+			{
 				return BADPAD;
+			}
 			return 1;
 		}
 		return BADCH2;
@@ -304,10 +349,14 @@ static int unb64(const char *src, char *dst, size_t dstlen)
 	byte1 = (byte2 & 0x3) << 6;
 
 	p = strchr(base64, *src++);
-	if (p == NULL) {
-		if (*(src-1) == '=') {
+	if (p == NULL)
+	{
+		if (*(src-1) == '=')
+		{
 			if (byte1 != 0)		/* bad padding */
+			{
 				return BADPAD;
+			}
 			return 2;
 		}
 		return BADCH3;
@@ -329,8 +378,9 @@ static int unb64(const char *src, char *dst, size_t dstlen)
 static int untext(const char *src, char *dst, size_t dstlen)
 {
 	if (dstlen < 1)
+	{
 		return SHORT;
-
+	}
 	*dst = *src;
 	return 1;
 }
@@ -359,13 +409,18 @@ static const char *badch(const char *src, int errcode, char *errp, size_t errlen
 	char ch;
 
 	if (errp == NULL || errlen < REQD)
+	{
 		return "unknown character in input";
+	}
 	strcpy(errp, pre);
 	ch = *(src + BADOFF(errcode));
-	if (isprint(ch)) {
+	if (isprint(ch))
+	{
 		buf[0] = ch;
 		buf[1] = '\0';
-	} else {
+	}
+	else
+	{
 		buf[0] = '\\';
 		buf[1] = ((ch & 0700) >> 6) + '0';
 		buf[2] = ((ch & 0070) >> 3) + '0';
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
index d70e1723f..0d7841641 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/chunk.c
@@ -28,6 +28,7 @@
 
 #include <debug.h>
 #include <printf_hook.h>
+#include <utils/randomizer.h>
 
 /**
  * Empty chunk.
@@ -247,6 +248,35 @@ bool chunk_write(chunk_t chunk, const char *path, const char *label, mode_t mask
 	}
 }
 
+/** hex conversion digits */
+static char hexdig_upper[] = "0123456789ABCDEF";
+static char hexdig_lower[] = "0123456789abcdef";
+
+/**
+ * Described in header.
+ */
+char *chunk_to_hex(chunk_t chunk, bool uppercase)
+{
+	int i;
+	char *str;
+	char *hexdig = hexdig_lower;
+	
+	if (uppercase)
+	{
+		hexdig = hexdig_upper;
+	}
+	
+	str = malloc(chunk.len * 2 + 1);
+	str[chunk.len * 2] = '\0';
+	
+	for (i = 0; i < chunk.len; i ++)
+	{
+		str[i*2]   = hexdig[(chunk.ptr[i] >> 4) & 0xF];
+		str[i*2+1] = hexdig[(chunk.ptr[i]     ) & 0xF];
+	}
+	return str;
+}
+
 /**
  * Described in header.
  */
@@ -260,6 +290,27 @@ void chunk_free(chunk_t *chunk)
 /**
  * Described in header.
  */
+void chunk_free_randomized(chunk_t *chunk)
+{
+	if (chunk->ptr)
+	{
+		if (chunk->len > 0)
+		{
+			randomizer_t *randomizer = randomizer_create();
+
+			randomizer->get_pseudo_random_bytes(randomizer,
+												chunk->len, chunk->ptr);
+			randomizer->destroy(randomizer);
+		};
+		free(chunk->ptr);
+		chunk->ptr = NULL;
+	}
+	chunk->len = 0;
+}
+
+/**
+ * Described in header.
+ */
 chunk_t chunk_skip(chunk_t chunk, size_t bytes)
 {
 	if (chunk.len > bytes)
@@ -332,10 +383,8 @@ static int print_bytes(FILE *stream, const struct printf_info *info,
 	
 	while (bytes_pos < bytes_roof)
 	{
-		static char hexdig[] = "0123456789ABCDEF";
-		
-		*buffer_pos++ = hexdig[(*bytes_pos >> 4) & 0xF];
-		*buffer_pos++ = hexdig[ *bytes_pos       & 0xF];
+		*buffer_pos++ = hexdig_upper[(*bytes_pos >> 4) & 0xF];
+		*buffer_pos++ = hexdig_upper[ *bytes_pos       & 0xF];
 
 		ascii_buffer[i++] =
 				(*bytes_pos > 31 && *bytes_pos < 127) ? *bytes_pos : '.';
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index a13ccfc22..9c0aabba1 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -84,11 +84,21 @@ void chunk_split(chunk_t chunk, const char *mode, ...);
 bool chunk_write(chunk_t chunk, const char *path, const char *label, mode_t mask, bool force);
 
 /**
+ * convert a chunk to an allocated hex string 
+ */
+char *chunk_to_hex(chunk_t chunk, bool uppercase);
+
+/**
  * Free contents of a chunk
  */
 void chunk_free(chunk_t *chunk);
 
 /**
+ * Overwrite the contents of a chunk with pseudo-random bytes and free them
+ */
+void chunk_free_randomized(chunk_t *chunk);
+
+/**
  * Initialize a chunk to point to buffer inspectable by sizeof()
  */
 #define chunk_from_buf(str) { str, sizeof(str) }
diff --git a/src/libstrongswan/credential_store.h b/src/libstrongswan/credential_store.h
index dcbe43f52..62b6ad2d5 100755
--- a/src/libstrongswan/credential_store.h
+++ b/src/libstrongswan/credential_store.h
@@ -88,17 +88,6 @@ struct credential_store_t {
 	rsa_public_key_t* (*get_rsa_public_key) (credential_store_t *this, identification_t *id);
 	
 	/**
-	 * @brief Returns the RSA private key belonging to an RSA public key
-	 * 
-	 * The returned rsa_private_key_t must be destroyed by the caller after usage.
-	 * 
-	 * @param this					calling object
-	 * @param pubkey				public key 
-	 * @return						private key, or NULL if not found
-	 */	
-	rsa_private_key_t* (*get_rsa_private_key) (credential_store_t *this, rsa_public_key_t *pubkey);
-
-	/**
 	 * @brief Is there a matching RSA private key belonging to an RSA public key?
 	 * 
 	 * @param this					calling object
@@ -145,6 +134,20 @@ struct credential_store_t {
 	ca_info_t* (*get_issuer) (credential_store_t *this, x509_t* cert);
 
 	/**
+	 * @brief  RSA private key belonging to an RSA public key
+	 * 
+	 * 
+	 * @param this					calling object
+	 * @param pubkey				public key used to find the matching private key
+	 * @param hash_algorithm		hash algorithm to be used for signature
+	 * @param data					data block to be signed
+	 * @param signature				signature to be returned
+	 * @return						status of the signature process - SUCCESS if successful
+	 */	
+	status_t (*rsa_signature) (credential_store_t *this, rsa_public_key_t *pubkey, hash_algorithm_t hash_algorithm,
+							   chunk_t data, chunk_t *signature);
+
+	/**
 	 * @brief Verify an RSA signature given the ID of the signer
 	 * 
 	 * @param this					calling object
@@ -154,7 +157,8 @@ struct credential_store_t {
 	 * @param issuer_p				issuer of the signer's certificate (if not self-signed).
 	 * @return						status of the verification - SUCCESS if successful
 	 */
-	status_t (*verify_signature) (credential_store_t *this, chunk_t hash, chunk_t sig, identification_t *id, ca_info_t **issuer_p);
+	status_t (*verify_signature) (credential_store_t *this, chunk_t hash, chunk_t sig, identification_t *id,
+								  ca_info_t **issuer_p);
 	
 	/**
 	 * @brief Verify an X.509 certificate up to trust anchor without any status checks
@@ -240,6 +244,14 @@ struct credential_store_t {
 	iterator_t* (*create_cainfo_iterator) (credential_store_t *this);
 
 	/**
+	 * @brief Create an iterator over all attribute certificates.
+	 *
+	 * @param this		calling object
+	 * @return 			iterator
+	 */
+	iterator_t* (*create_acert_iterator) (credential_store_t *this);
+
+	/**
 	 * @brief Loads ca certificates from a default directory.
 	 *
 	 * Certificates in both DER and PEM format are accepted
@@ -288,12 +300,13 @@ struct credential_store_t {
 	/**
 	 * @brief Loads secrets in ipsec.secrets
 	 * 
-	 * Currently, all RSA private key files must be in unencrypted form
-     * either in DER or PEM format.
+	 * RSA private key files can be either in DER or PEM format
+     * Optional encryption with a passphrase supported
 	 * 
 	 * @param this		calling object
+	 * @param reload	are the secrets to be reloaded
 	 */
-	void (*load_secrets) (credential_store_t *this);
+	void (*load_secrets) (credential_store_t *this, bool reload);
 
 	/**
 	 * @brief Destroys a credential_store_t object.
diff --git a/src/libstrongswan/crypto/ac.c b/src/libstrongswan/crypto/ac.c
index 47605e9e1..1367494f8 100644
--- a/src/libstrongswan/crypto/ac.c
+++ b/src/libstrongswan/crypto/ac.c
@@ -19,17 +19,28 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: ac.c 3300 2007-10-12 21:53:18Z andreas $
  */
 
+#include <string.h>
+#include <stdio.h>
+
 #include <library.h>
 #include <debug.h>
 
 #include <asn1/asn1.h>
+#include <asn1/pem.h>
+#include <crypto/x509.h>
+#include <crypto/ietf_attr_list.h>
 #include <utils/identification.h>
 #include <utils/linked_list.h>
+#include <utils/lexparser.h>
 
 #include "ac.h"
 
+#define ACERT_WARNING_INTERVAL	1	/* day */
+
 typedef struct private_x509ac_t private_x509ac_t;
 
 /**
@@ -138,92 +149,6 @@ struct private_x509ac_t {
 };
 
 /**
- * definition of ietfAttribute kinds
- */
-typedef enum {
-	IETF_ATTRIBUTE_OCTETS =	0,
-	IETF_ATTRIBUTE_OID =	1,
-	IETF_ATTRIBUTE_STRING =	2
-} ietfAttribute_t;
-
-/**
- * access structure for an ietfAttribute
- */
-typedef struct ietfAttr_t ietfAttr_t;
-
-struct ietfAttr_t {
-	/**
-	 * IETF attribute kind
-	 */
-	ietfAttribute_t kind;
-
-	/**
-	 * IETF attribute valuse
-	 */
-	chunk_t value;
-
-	/**
-	 * Destroys the ietfAttr_t object.
-	 * 
-	 * @param this			ietfAttr_t to destroy
-	 */
-	void (*destroy) (ietfAttr_t *this);
-};
-
-/**
- * Destroys an ietfAttr_t object
- */
-static void ietfAttr_destroy(ietfAttr_t *this)
-{
-	free(this->value.ptr);
-	free(this);
-}
-
-/**
- * Creates an ietfAttr_t object.
- */
-ietfAttr_t *ietfAttr_create(ietfAttribute_t kind, chunk_t value)
-{
-	ietfAttr_t *this = malloc_thing(ietfAttr_t);
-
-	/* initialize */
-	this->kind = kind;
-	this->value = chunk_clone(value);
-
-	/* function */
-	this->destroy = ietfAttr_destroy;
-	
-	return this;
-}
-
-/**
- * ASN.1 definition of ietfAttrSyntax
- */
-static const asn1Object_t ietfAttrSyntaxObjects[] =
-{
-	{ 0, "ietfAttrSyntax",		ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
-	{ 1,   "policyAuthority",	ASN1_CONTEXT_C_0,	ASN1_OPT |
-													ASN1_BODY }, /*  1 */
-	{ 1,   "end opt",			ASN1_EOC,			ASN1_END  }, /*  2 */
-	{ 1,   "values",			ASN1_SEQUENCE,		ASN1_LOOP }, /*  3 */
-	{ 2,     "octets",			ASN1_OCTET_STRING,	ASN1_OPT |
-													ASN1_BODY }, /*  4 */
-	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  5 */
-	{ 2,     "oid",				ASN1_OID,			ASN1_OPT |
-													ASN1_BODY }, /*  6 */
-	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  7 */
-	{ 2,     "string",			ASN1_UTF8STRING,	ASN1_OPT |
-													ASN1_BODY }, /*  8 */
-	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  9 */
-	{ 1,   "end loop",			ASN1_EOC,			ASN1_END  }  /* 10 */
-};
-
-#define IETF_ATTR_OCTETS	 4
-#define IETF_ATTR_OID		 6
-#define IETF_ATTR_STRING	 8
-#define IETF_ATTR_ROOF		11
-
-/**
  * ASN.1 definition of roleSyntax
  */
 static const asn1Object_t roleSyntaxObjects[] =
@@ -357,6 +282,23 @@ static err_t is_valid(const private_x509ac_t *this, time_t *until)
 }
 
 /**
+ * Implements x509ac_t.is_newer
+ */
+static bool is_newer(const private_x509ac_t *this, const private_x509ac_t *other)
+{
+	return this->notBefore > other->notBefore;
+}
+
+/**
+ * Implements x509ac_t.equals_holder.
+ */
+static bool equals_holder(const private_x509ac_t *this, const private_x509ac_t *other)
+{
+	return this->holderIssuer->equals(this->holderIssuer, other->holderIssuer)
+		   && chunk_equals(this->holderSerial, other->holderSerial);
+}
+
+/**
  * parses a directoryName
  */
 static bool parse_directoryName(chunk_t blob, int level, bool implicit, identification_t **name)
@@ -364,7 +306,7 @@ static bool parse_directoryName(chunk_t blob, int level, bool implicit, identifi
 	bool has_directoryName;
 	linked_list_t *list = linked_list_create();
 
-	parse_generalNames(blob, level, implicit, list);
+	x509_parse_generalNames(blob, level, implicit, list);
 	has_directoryName = list->get_count(list) > 0;
 
 	if (has_directoryName)
@@ -398,43 +340,6 @@ static bool parse_directoryName(chunk_t blob, int level, bool implicit, identifi
 }
 
 /**
- * parses ietfAttrSyntax
- */
-static void parse_ietfAttrSyntax(chunk_t blob, int level0, linked_list_t *list)
-{
-	asn1_ctx_t ctx;
-	chunk_t object;
-	u_int level;
-	int objectID = 0;
-
-	asn1_init(&ctx, blob, level0, FALSE, FALSE);
-
-	while (objectID < IETF_ATTR_ROOF)
-	{
-		if (!extract_object(ietfAttrSyntaxObjects, &objectID, &object, &level, &ctx))
-		{
-			return;
-		}
-
-		switch (objectID)
-		{
-			case IETF_ATTR_OCTETS:
-			case IETF_ATTR_OID:
-			case IETF_ATTR_STRING:
-				{
-					ietfAttribute_t kind = (objectID - IETF_ATTR_OCTETS) / 2;
-					ietfAttr_t *attr   = ietfAttr_create(kind, object);
-					list->insert_last(list, (void *)attr);
-				}
-				break;
-			default:
-				break;
-		}
-		objectID++;
-	}
-}
-
-/**
  * parses roleSyntax
  */
 static void parse_roleSyntax(chunk_t blob, int level0)
@@ -470,9 +375,9 @@ static bool parse_certificate(chunk_t blob, private_x509ac_t *this)
 	bool critical;
 	chunk_t object;
 	u_int level;
-	u_int type = OID_UNKNOWN;
-	u_int extn_oid = OID_UNKNOWN;
 	int objectID = 0;
+	int type = OID_UNKNOWN;
+	int extn_oid = OID_UNKNOWN;
 
 	asn1_init(&ctx, blob, 0, FALSE, FALSE);
 	while (objectID < AC_OBJ_ROOF)
@@ -549,10 +454,10 @@ static bool parse_certificate(chunk_t blob, private_x509ac_t *this)
 							DBG2("  need to parse accessIdentity");
 							break;
 						case OID_CHARGING_IDENTITY:
-							parse_ietfAttrSyntax(object, level, this->charging);
+							ietfAttr_list_create_from_chunk(object, this->charging, level);
 							break;
 						case OID_GROUP:
-							parse_ietfAttrSyntax(object, level, this->groups);
+							ietfAttr_list_create_from_chunk(object, this->groups, level);
 							break;
 						case OID_ROLE:
 							parse_roleSyntax(object, level);
@@ -577,7 +482,7 @@ static bool parse_certificate(chunk_t blob, private_x509ac_t *this)
 							DBG2("  need to parse crlDistributionPoints");
 							break;
 						case OID_AUTHORITY_KEY_ID:
-							parse_authorityKeyIdentifier(object, level,
+							x509_parse_authorityKeyIdentifier(object, level,
 									&this->authKeyID, &this->authKeySerialNumber);
 							break;
 						case OID_TARGET_INFORMATION:
@@ -603,7 +508,72 @@ static bool parse_certificate(chunk_t blob, private_x509ac_t *this)
 		objectID++;
 	}
 	this->installed = time(NULL);
-	return FALSE;
+	return TRUE;
+}
+
+/**
+ * Implementation of x509ac_t.list.
+ */
+static void list(const private_x509ac_t *this, FILE *out, bool utc)
+{
+	time_t now = time(NULL);
+
+	fprintf(out, "%#T\n", &this->installed, utc);
+
+	if (this->entityName)
+	{
+		fprintf(out, "    holder:    '%D'\n", this->entityName);
+	}
+	if (this->holderIssuer)
+	{
+		fprintf(out, "    hissuer:   '%D'\n", this->holderIssuer);
+	}
+	if (this->holderSerial.ptr)
+	{
+		fprintf(out, "    hserial:    %#B\n", &this->holderSerial);
+	}
+	
+	/* list all group attributes on a single line */
+	fprintf(out, "    groups:     ");
+	ietfAttr_list_list(this->groups, out);
+	fprintf(out, "\n");
+
+	fprintf(out, "    issuer:    '%D'\n", this->issuerName);
+	fprintf(out, "    serial:     %#B\n", &this->serialNumber);
+
+	fprintf(out, "    validity:   not before %#T, ", &this->notBefore, utc);
+	if (now < this->notBefore)
+	{
+		fprintf(out, "not valid yet (valid in %V)\n", &now, &this->notBefore);
+	}
+	else
+	{
+		fprintf(out, "ok\n");
+	}
+	
+	fprintf(out, "                not after  %#T, ", &this->notAfter, utc);
+	if (now > this->notAfter)
+	{
+		fprintf(out, "expired (%V ago)\n", &now, &this->notAfter);
+	}
+	else
+	{
+		fprintf(out, "ok");
+		if (now > this->notAfter - ACERT_WARNING_INTERVAL * 60 * 60 * 24)
+		{
+			fprintf(out, " (expires in %V)", &now, &this->notAfter);
+		}
+		fprintf(out, " \n");
+	}
+
+	if (this->authKeyID.ptr)
+	{
+		fprintf(out, "    authkey:    %#B\n", &this->authKeyID);
+	}
+	if (this->authKeySerialNumber.ptr)
+	{
+		fprintf(out, "    aserial:    %#B\n", &this->authKeySerialNumber);
+	}
 }
 
 /**
@@ -614,10 +584,8 @@ static void destroy(private_x509ac_t *this)
 	DESTROY_IF(this->holderIssuer);
 	DESTROY_IF(this->entityName);
 	DESTROY_IF(this->issuerName);
-	this->charging->destroy_offset(this->charging, 
-							offsetof(ietfAttr_t, destroy));
-	this->groups->destroy_offset(this->groups,
-						  offsetof(ietfAttr_t, destroy));
+	ietfAttr_list_destroy(this->charging);
+	ietfAttr_list_destroy(this->groups);
 	free(this->certificate.ptr);
 	free(this);
 }
@@ -638,6 +606,9 @@ x509ac_t *x509ac_create_from_chunk(chunk_t chunk)
 
 	/* public functions */
 	this->public.is_valid = (err_t (*) (const x509ac_t*,time_t*))is_valid;
+	this->public.is_newer = (bool (*) (const x509ac_t*,const x509ac_t*))is_newer;
+	this->public.equals_holder = (bool (*) (const x509ac_t*,const x509ac_t*))equals_holder;
+	this->public.list = (void (*) (const x509ac_t*,FILE*,bool))list;
 	this->public.destroy = (void (*) (x509ac_t*))destroy;
 
 	if (!parse_certificate(chunk, this))
diff --git a/src/libstrongswan/crypto/ac.h b/src/libstrongswan/crypto/ac.h
index b7fd26c94..8a4ccbd4c 100644
--- a/src/libstrongswan/crypto/ac.h
+++ b/src/libstrongswan/crypto/ac.h
@@ -21,11 +21,15 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: ac.h 3300 2007-10-12 21:53:18Z andreas $
  */
 
 #ifndef AC_H_
 #define AC_H_
 
+#include <library.h>
+
 typedef struct x509ac_t x509ac_t;
 
 /**
@@ -48,6 +52,32 @@ struct x509ac_t {
 	 */
 	err_t (*is_valid) (const x509ac_t *this, time_t *until);
 
+	/** @brief Checks if this attr cert is newer than the other attr cert
+	 * 
+	 * @param this			calling object
+	 * @param other			other attr cert object
+	 * @return				TRUE if this was issued more recently than other
+	 */
+	bool (*is_newer) (const x509ac_t *this, const x509ac_t *other);
+
+	/**
+	 * @brief Checks if two attribute certificates belong to the same holder
+	 *
+	 * @param this			calling attribute certificate
+	 * @param that			other attribute certificate
+	 * @return				TRUE if same holder
+	 */
+	bool (*equals_holder) (const x509ac_t *this, const x509ac_t *other);
+
+	/**
+	 * @brief Log the attribute certificate info to out.
+	 *
+	 * @param this			calling object
+	 * @param out			stream to write to
+	 * @param utc			TRUE for UTC times, FALSE for local time
+	 */
+	void (*list)(const x509ac_t *this, FILE *out, bool utc);
+
 	/**
 	 * @brief Destroys the attribute certificate.
 	 * 
@@ -68,14 +98,13 @@ x509ac_t *x509ac_create_from_chunk(chunk_t chunk);
 
 /**
  * @brief Read a x509 attribute certificate from a DER encoded file.
- * 
+ *
  * @param filename 	file containing DER encoded data
- * @return 			created x509ac_t certificate, or NULL if invalid.
- * 
+ * @return 		created x509ac_t certificate, or NULL if invalid.
+ *
  * @ingroup crypto
  */
 x509ac_t *x509ac_create_from_file(const char *filename);
 
-
 #endif /* AC_H_ */
 
diff --git a/src/libstrongswan/crypto/crl.c b/src/libstrongswan/crypto/crl.c
index b4ae37b2e..d52078ea9 100755
--- a/src/libstrongswan/crypto/crl.c
+++ b/src/libstrongswan/crypto/crl.c
@@ -18,6 +18,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: crl.c 3300 2007-10-12 21:53:18Z andreas $
  */
 
 #include <sys/stat.h>
@@ -290,7 +292,8 @@ bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl)
 					}
 					else if (extn_oid == OID_AUTHORITY_KEY_ID)
 					{
-						parse_authorityKeyIdentifier(object, level, &crl->authKeyID, &crl->authKeySerialNumber);
+						x509_parse_authorityKeyIdentifier(object, level,
+								&crl->authKeyID, &crl->authKeySerialNumber);
 					}
 					else if (extn_oid == OID_CRL_NUMBER)
 					{
@@ -304,6 +307,11 @@ bool parse_x509crl(chunk_t blob, u_int level0, private_crl_t *crl)
 				break;
 			case CRL_OBJ_ALGORITHM:
 				crl->algorithm = parse_algorithmIdentifier(object, level, NULL);
+				if (crl->algorithm != crl->sigAlg)
+				{
+					DBG1("  signature algorithms do not agree");
+					return FALSE;
+				}
 				break;
 			case CRL_OBJ_SIGNATURE:
 				crl->signature = object;
@@ -374,7 +382,14 @@ static bool is_newer(const private_crl_t *this, const private_crl_t *other)
  */
 static bool verify(const private_crl_t *this, const rsa_public_key_t *signer)
 {
-	return signer->verify_emsa_pkcs1_signature(signer, this->tbsCertList, this->signature) == SUCCESS;
+	hash_algorithm_t algorithm = hasher_algorithm_from_oid(this->algorithm);
+
+	if (algorithm == HASH_UNKNOWN)
+	{
+		DBG1("  unknown signature algorithm");
+		return FALSE;
+	}
+	return signer->verify_emsa_pkcs1_signature(signer, algorithm, this->tbsCertList, this->signature) == SUCCESS;
 }
 
 /**
diff --git a/src/libstrongswan/crypto/crl.h b/src/libstrongswan/crypto/crl.h
index a367c3aff..bcf031dd4 100755
--- a/src/libstrongswan/crypto/crl.h
+++ b/src/libstrongswan/crypto/crl.h
@@ -18,6 +18,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: crl.h 3300 2007-10-12 21:53:18Z andreas $
  */
 
 #ifndef CRL_H_
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
index e4062066c..605892e87 100644
--- a/src/libstrongswan/crypto/diffie_hellman.c
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -8,7 +8,7 @@
 /*
  * Copyright (C) 1998-2002  D. Hugh Redelmeier.
  * Copyright (C) 1999, 2000, 2001  Henry Spencer.
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -24,11 +24,11 @@
  */
 
 #include <gmp.h>
-#include <stdio.h>
 
 #include "diffie_hellman.h"
 
 #include <utils/randomizer.h>
+#include <debug.h>
 
 ENUM_BEGIN(diffie_hellman_group_names, MODP_NONE, MODP_1024_BIT,
 	"MODP_NONE",
@@ -302,12 +302,12 @@ static u_int8_t group18_modulus[] = {
 	0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
 };
 
-typedef struct modulus_info_entry_t modulus_info_entry_t;
+typedef struct modulus_entry_t modulus_entry_t;
 
 /** 
  * Entry of the modulus list.
  */
-struct modulus_info_entry_t {
+struct modulus_entry_t {
 	/**
 	 * Group number as it is defined in file transform_substructure.h.
 	 */
@@ -321,7 +321,7 @@ struct modulus_info_entry_t {
 	/* 
 	 * Length of modulus in bytes.
 	 */	
-	size_t modulus_length;
+	size_t modulus_len;
 	
 	/* 
 	 * Generator value.
@@ -329,19 +329,18 @@ struct modulus_info_entry_t {
 	u_int16_t generator;
 };
 
-
 /**
  * All supported modulus values.
  */
-static modulus_info_entry_t modulus_info_entries[] = {
-	{MODP_768_BIT,group1_modulus,sizeof(group1_modulus),2},
-	{MODP_1024_BIT,group2_modulus,sizeof(group2_modulus),2},
-	{MODP_1536_BIT,group5_modulus,sizeof(group5_modulus),2},
-	{MODP_2048_BIT,group14_modulus,sizeof(group14_modulus),2},
-	{MODP_3072_BIT,group15_modulus,sizeof(group15_modulus),2},
-	{MODP_4096_BIT,group16_modulus,sizeof(group16_modulus),2},
-	{MODP_6144_BIT,group17_modulus,sizeof(group17_modulus),2},
-	{MODP_8192_BIT,group18_modulus,sizeof(group18_modulus),2},
+static modulus_entry_t modulus_entries[] = {
+	{MODP_768_BIT, group1_modulus, sizeof(group1_modulus), 2},
+	{MODP_1024_BIT, group2_modulus, sizeof(group2_modulus), 2},
+	{MODP_1536_BIT, group5_modulus, sizeof(group5_modulus), 2},
+	{MODP_2048_BIT, group14_modulus, sizeof(group14_modulus), 2},
+	{MODP_3072_BIT, group15_modulus, sizeof(group15_modulus), 2},
+	{MODP_4096_BIT, group16_modulus, sizeof(group16_modulus), 2},
+	{MODP_6144_BIT, group17_modulus, sizeof(group17_modulus), 2},
+	{MODP_8192_BIT, group18_modulus, sizeof(group18_modulus), 2},
 };
 
 typedef struct private_diffie_hellman_t private_diffie_hellman_t;
@@ -359,170 +358,133 @@ struct private_diffie_hellman_t {
 	/**
 	 * Diffie Hellman group number.
 	 */
-	u_int16_t dh_group_number;
-
-	/**
-	 * Modulus.
-	 */
-	mpz_t modulus;
-	
-	/**
-	 * Modulus length.
-	 */
-	size_t modulus_length;
+	u_int16_t group;
 	
 	/* 
 	 * Generator value.
 	 */	
-	u_int16_t generator;
+	mpz_t g;
 
 	/**
-	 * My private value .
+	 * My private value.
 	 */
-	mpz_t my_private_value;
+	mpz_t xa;
 	
 	/**
 	 * My public value.
 	 */
-	mpz_t my_public_value;
+	mpz_t ya;
 
 	/**
 	 * Other public value.
 	 */	
-	mpz_t other_public_value;
+	mpz_t yb;
 	
 	/**
 	 * Shared secret.
 	 */	
-	mpz_t shared_secret;
+	mpz_t zz;
 
 	/**
-	 * True if shared secret is computed and stored in my_public_value.
-	 */
-	bool shared_secret_is_computed;
-	
-	/**
-	 * Sets the modulus for a specific diffie hellman group.
-	 * 
-	 * @param this			calling object
-	 * @return
-	 * 						SUCCESS if modulus could be found
-	 * 						NOT_FOUND if modulus not supported
+	 * Modulus.
 	 */
-	status_t (*set_modulus) (private_diffie_hellman_t *this);
+	mpz_t p;
 	
 	/**
-	 * Makes sure my public value is computed.
-	 * 
-	 * @param this			calling object
+	 * Modulus length.
 	 */
-	void (*compute_public_value) (private_diffie_hellman_t *this);
+	size_t p_len;
 
 	/**
-	 * Computes shared secret (other public value must be available).
-	 * 
-	 * @param this			calling object
+	 * True if shared secret is computed and stored in my_public_value.
 	 */
-	void (*compute_shared_secret) (private_diffie_hellman_t *this);
+	bool computed;
 };
 
 /**
- * Implementation of private_diffie_hellman_t.set_modulus.
+ * Implementation of diffie_hellman_t.set_other_public_value.
  */
-static status_t set_modulus(private_diffie_hellman_t *this)
+static void set_other_public_value(private_diffie_hellman_t *this, chunk_t value)
 {
-	int i;
-	status_t status = NOT_FOUND;
+	mpz_t p_min_1;
+	
+	mpz_init(p_min_1);
+	mpz_sub_ui(p_min_1, this->p, 1);
+	
+	mpz_import(this->yb, value.len, 1, 1, 1, 0, value.ptr);
 	
-	for (i = 0; i < (sizeof(modulus_info_entries) / sizeof(modulus_info_entry_t)); i++)
+	/* check public value: 
+	 * 1. 0 or 1 is invalid as 0^a = 0 and 1^a = 1
+	 * 2. a public value larger or equal the modulus is invalid */
+	if (mpz_cmp_ui(this->yb, 1) > 0 ||
+		mpz_cmp(this->yb, p_min_1) < 0)
 	{
-		if (modulus_info_entries[i].group == this->dh_group_number)
+#ifdef EXTENDED_DH_TEST
+		/* 3. test if y ^ q mod p = 1, where q = (p - 1)/2. */
+		mpz_t q, one;
+		
+		mpz_init(q);
+		mpz_init(one);
+		mpz_fdiv_q_2exp(q, p_min_1, 1);
+		mpz_powm(one, this->yb, q, this->p);
+		mpz_clear(q);
+		if (mpz_cmp_ui(one, 1) == 0)
 		{
-			chunk_t modulus_chunk;
-			modulus_chunk.ptr = modulus_info_entries[i].modulus;
-			modulus_chunk.len = modulus_info_entries[i].modulus_length;
-			mpz_import(this->modulus, modulus_chunk.len, 1, 1, 1, 0, modulus_chunk.ptr);
-			this->modulus_length = modulus_chunk.len;
-			this->generator = modulus_info_entries[i].generator;
-			status = SUCCESS;
-			break;
+			mpz_powm(this->zz, this->yb, this->xa, this->p);
+			this->computed = TRUE;
+		}
+		else
+		{
+			DBG1("public DH value verification failed: y ^ q mod p != 1");
 		}
+		mpz_clear(one);
+#else
+		mpz_powm(this->zz, this->yb, this->xa, this->p);
+		this->computed = TRUE;
+#endif
 	}
-	return status;
-}
-
-/**
- * Implementation of diffie_hellman_t.set_other_public_value.
- */
-static void set_other_public_value(private_diffie_hellman_t *this,chunk_t public_value)
-{
-	mpz_import(this->other_public_value, public_value.len, 1, 1, 1, 0, public_value.ptr);
-	this->compute_shared_secret(this);
+	else
+	{
+		DBG1("public DH value verification failed: y < 2 || y > p - 1 ");
+	}
+	mpz_clear(p_min_1);
 }
 
 /**
  * Implementation of diffie_hellman_t.get_other_public_value.
  */
-static status_t get_other_public_value(private_diffie_hellman_t *this,chunk_t *public_value)
+static status_t get_other_public_value(private_diffie_hellman_t *this, 
+									   chunk_t *value)
 {
-	if (!this->shared_secret_is_computed)
+	if (!this->computed)
 	{
 		return FAILED;
 	}
-	public_value->len = this->modulus_length;
-    public_value->ptr = mpz_export(NULL, NULL, 1, public_value->len, 1, 0, this->other_public_value);
+	value->len = this->p_len;
+    value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->yb);
 	return SUCCESS;
 }
 
 /**
- * Implementation of private_diffie_hellman_t.compute_shared_secret.
- */
-static void compute_shared_secret (private_diffie_hellman_t *this)
-{
-	/* initialize my public value */
-	mpz_init(this->shared_secret);
-	/* calculate my public value */
-	mpz_powm(this->shared_secret,this->other_public_value,this->my_private_value,this->modulus);
-	
-	this->shared_secret_is_computed = TRUE;
-}
-
-/**
- * Implementation of private_diffie_hellman_t.compute_public_value.
- */
-static void compute_public_value (private_diffie_hellman_t *this)
-{
-	mpz_t generator;
-	/* initialize generator and set it*/
-	mpz_init_set_ui (generator,this->generator);
-	/* initialize my public value */
-	mpz_init(this->my_public_value);
-	/* calculate my public value */
-	mpz_powm(this->my_public_value,generator,this->my_private_value,this->modulus);
-	/* generator not used anymore */
-	mpz_clear(generator);
-}
-
-/**
  * Implementation of diffie_hellman_t.get_my_public_value.
  */
-static void get_my_public_value(private_diffie_hellman_t *this,chunk_t *public_value)
+static void get_my_public_value(private_diffie_hellman_t *this,chunk_t *value)
 {
-	public_value->len = this->modulus_length;
-    public_value->ptr = mpz_export(NULL, NULL, 1, public_value->len, 1, 0, this->my_public_value);
+	value->len = this->p_len;
+    value->ptr = mpz_export(NULL, NULL, 1, value->len, 1, 0, this->ya);
 }
 
 /**
  * Implementation of diffie_hellman_t.get_shared_secret.
  */
-static status_t get_shared_secret(private_diffie_hellman_t *this,chunk_t *secret)
+static status_t get_shared_secret(private_diffie_hellman_t *this, chunk_t *secret)
 {
-	if (!this->shared_secret_is_computed)
+	if (!this->computed)
 	{
 		return FAILED;
 	}
-	secret->len = this->modulus_length;
-    secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->shared_secret);
+	secret->len = this->p_len;
+    secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->zz);
 	return SUCCESS;
 }
 
@@ -531,35 +493,57 @@ static status_t get_shared_secret(private_diffie_hellman_t *this,chunk_t *secret
  */
 static diffie_hellman_group_t get_dh_group(private_diffie_hellman_t *this)
 {
-	return this->dh_group_number;
+	return this->group;
 }
 
 /**
- * Implementation of diffie_hellman_t.destroy.
+ * Lookup the modulus in modulo table
  */
-static void destroy(private_diffie_hellman_t *this)
+static status_t set_modulus(private_diffie_hellman_t *this)
 {
-	mpz_clear(this->modulus);
-	mpz_clear(this->my_private_value);
-	mpz_clear(this->my_public_value);
-	mpz_clear(this->other_public_value);
-
-	if (this->shared_secret_is_computed)
+	int i;
+	status_t status = NOT_FOUND;
+	
+	for (i = 0; i < (sizeof(modulus_entries) / sizeof(modulus_entry_t)); i++)
 	{
-		/* other public value gets initialized together with shared secret */
-		mpz_clear(this->shared_secret);
+		if (modulus_entries[i].group == this->group)
+		{
+			chunk_t chunk;
+			chunk.ptr = modulus_entries[i].modulus;
+			chunk.len = modulus_entries[i].modulus_len;
+			mpz_import(this->p, chunk.len, 1, 1, 1, 0, chunk.ptr);
+			this->p_len = chunk.len;
+			mpz_set_ui(this->g, modulus_entries[i].generator);
+			status = SUCCESS;
+			break;
+		}
 	}
+	return status;
+}
+
+/**
+ * Implementation of diffie_hellman_t.destroy.
+ */
+static void destroy(private_diffie_hellman_t *this)
+{
+	mpz_clear(this->p);
+	mpz_clear(this->xa);
+	mpz_clear(this->ya);
+	mpz_clear(this->yb);
+	mpz_clear(this->zz);
+	mpz_clear(this->g);
 	free(this);
 }
 
 /*
  * Described in header.
  */
-diffie_hellman_t *diffie_hellman_create(diffie_hellman_group_t dh_group_number)
+diffie_hellman_t *diffie_hellman_create(diffie_hellman_group_t group)
 {
 	private_diffie_hellman_t *this = malloc_thing(private_diffie_hellman_t);
 	randomizer_t *randomizer;
-	chunk_t random_bytes;
+	chunk_t random;
+	status_t status;
 
 	/* public functions */
 	this->public.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *)) get_shared_secret;
@@ -569,44 +553,37 @@ diffie_hellman_t *diffie_hellman_create(diffie_hellman_group_t dh_group_number)
 	this->public.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *)) get_dh_group;
 	this->public.destroy = (void (*)(diffie_hellman_t *)) destroy;
 	
-	/* private functions */
-	this->set_modulus = set_modulus;
-	this->compute_public_value = compute_public_value;
-	this->compute_shared_secret = compute_shared_secret;
-	
 	/* private variables */
-	this->dh_group_number = dh_group_number;
-	mpz_init(this->modulus);
-	mpz_init(this->other_public_value);
-	mpz_init(this->my_private_value);
+	this->group = group;
+	mpz_init(this->p);
+	mpz_init(this->yb);
+	mpz_init(this->ya);
+	mpz_init(this->xa);
+	mpz_init(this->zz);
+	mpz_init(this->g);
+	
+	this->computed = FALSE;
 		
-	/* set this->modulus */	
-	if (this->set_modulus(this) != SUCCESS)
+	/* find a modulus according to group */	
+	if (set_modulus(this) != SUCCESS)
 	{
-		free(this);
+		destroy(this);
 		return NULL;
 	}
 	randomizer = randomizer_create();
-	if (randomizer == NULL)
-	{
-		free(this);
-		return NULL;
-	}
-	if (randomizer->allocate_pseudo_random_bytes(randomizer, this->modulus_length, &random_bytes) != SUCCESS)
+	status = randomizer->allocate_pseudo_random_bytes(
+											randomizer, this->p_len, &random);
+	randomizer->destroy(randomizer);
+	if (status != SUCCESS)
 	{
-		randomizer->destroy(randomizer);
-		free(this);
+		destroy(this);
 		return NULL;
 	}
+	mpz_import(this->xa, random.len, 1, 1, 1, 0, random.ptr);
+	chunk_free(&random);
 	
-	mpz_import(this->my_private_value, random_bytes.len, 1, 1, 1, 0, random_bytes.ptr);
-	chunk_free(&random_bytes);
+	mpz_powm(this->ya, this->g, this->xa, this->p);
 	
-	randomizer->destroy(randomizer);
-	
-	this->compute_public_value(this);
-	
-	this->shared_secret_is_computed = FALSE;
-	
-	return &(this->public);
+	return &this->public;
 }
+
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index 29a2ab45b..8cd06d60e 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -6,7 +6,7 @@
  */
 
 /*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  *
@@ -36,7 +36,7 @@ typedef struct diffie_hellman_t diffie_hellman_t;
  *
  * See IKEv2 RFC 3.3.2 and RFC 3526.
  *
- * @ingroup transforms
+ * @ingroup crypto
  */
 enum diffie_hellman_group_t {
 	MODP_NONE = 0,
@@ -56,76 +56,74 @@ enum diffie_hellman_group_t {
 extern enum_name_t *diffie_hellman_group_names;
 
 /**
- * @brief Implementation of the widely used Diffie-Hellman algorithm.
+ * @brief Implementation of the Diffie-Hellman algorithm, as in RFC2631.
  * 
  * @b Constructors:
  *  - diffie_hellman_create()
  * 
- * @ingroup transforms
+ * @ingroup crypto
  */
 struct diffie_hellman_t {
 		
 	/**
 	 * @brief Returns the shared secret of this diffie hellman exchange.
 	 * 	
-	 * @warning Space for returned secret is allocated and must be 
+	 * Space for returned secret is allocated and must be 
 	 * freed by the caller.
 	 * 
-	 * @param this 			calling diffie_hellman_t object
-	 * @param[out] secret 	shared secret will be written into this chunk
+	 * @param this 		calling object
+	 * @param secret 	shared secret will be written into this chunk
 	 * @return 				
-	 * 						- SUCCESS
-	 * 						- FAILED if not both DH values are set
+	 * 					- SUCCESS
+	 * 					- FAILED if not both DH values are set
 	 */
 	status_t (*get_shared_secret) (diffie_hellman_t *this, chunk_t *secret);
 	
 	/**
 	 * @brief Sets the public value of partner.
 	 * 	
-	 * chunk gets cloned and can be destroyed afterwards.
+	 * Chunk gets cloned and can be destroyed afterwards.
 	 * 
-	 * @param this 			calling diffie_hellman_t object
-	 * @param public_value 	public value of partner
+	 * @param this 		calling object
+	 * @param value 	public value of partner
 	 */
-	void (*set_other_public_value) (diffie_hellman_t *this, chunk_t public_value);
+	void (*set_other_public_value) (diffie_hellman_t *this, chunk_t value);
 	
 	/**
 	 * @brief Gets the public value of partner.
 	 * 	
-	 * @warning Space for returned chunk is allocated and must be 
-	 * freed by the caller.
+	 * Space for returned chunk is allocated and must be freed by the caller.
 	 * 
-	 * @param this 				calling diffie_hellman_t object
-	 * @param[out] public_value public value of partner is stored at this location
+	 * @param this 		calling object
+	 * @param value 	public value of partner is stored at this location
 	 * @return 				
-	 * 							- SUCCESS
-	 * 							- FAILED if other public value not set
+	 * 					- SUCCESS
+	 * 					- FAILED if other public value not set
 	 */
-	status_t (*get_other_public_value) (diffie_hellman_t *this, chunk_t *public_value);
+	status_t (*get_other_public_value) (diffie_hellman_t *this, chunk_t *value);
 	
 	/**
-	 * @brief Gets the public value of caller
+	 * @brief Gets the own public value to transmit.
 	 * 	
-	 * @warning Space for returned chunk is allocated and must be 
-	 * freed by the caller.
+	 * Space for returned chunk is allocated and must be freed by the caller.
 	 * 
-	 * @param this 				calling diffie_hellman_t object
-	 * @param[out] 				public_value public value of caller is stored at this location
+	 * @param this 		calling object
+	 * @param value		public value of caller is stored at this location
 	 */
-	void (*get_my_public_value) (diffie_hellman_t *this, chunk_t *public_value);
+	void (*get_my_public_value) (diffie_hellman_t *this, chunk_t *value);
 	
 	/**
 	 * @brief Get the DH group used.
 	 * 
-	 * @param this 				calling diffie_hellman_t object
-	 * @return					DH group set in construction
+	 * @param this 		calling object
+	 * @return			DH group set in construction
 	 */
 	diffie_hellman_group_t (*get_dh_group) (diffie_hellman_t *this);
 
 	/**
 	 * @brief Destroys an diffie_hellman_t object.
 	 *
-	 * @param this 				diffie_hellman_t object to destroy
+	 * @param this 		diffie_hellman_t object to destroy
 	 */
 	void (*destroy) (diffie_hellman_t *this);
 };
@@ -133,15 +131,14 @@ struct diffie_hellman_t {
 /**
  * @brief Creates a new diffie_hellman_t object.
  * 
- * The first diffie hellman public value gets automatically created.
- * 
- * @param dh_group_number	Diffie Hellman group number to use
+ * @param group			Diffie Hellman group number to use
  * @return
- * 							- diffie_hellman_t object
- * 							- NULL if dh group not supported
+ * 						- diffie_hellman_t object
+ * 						- NULL if dh group not supported
  * 
- * @ingroup transforms
+ * @ingroup crypto
  */
-diffie_hellman_t *diffie_hellman_create(diffie_hellman_group_t dh_group_number);
+diffie_hellman_t *diffie_hellman_create(diffie_hellman_group_t group);
 
 #endif /*DIFFIE_HELLMAN_H_*/
+
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index 7fa6346d6..14bfb022f 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -19,17 +19,21 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: hasher.c 3304 2007-10-12 23:18:42Z andreas $
  */
 
 
 #include "hasher.h"
 
+#include <asn1/oid.h>
 #include <crypto/hashers/sha1_hasher.h>
 #include <crypto/hashers/sha2_hasher.h>
 #include <crypto/hashers/md5_hasher.h>
 
 
-ENUM(hash_algorithm_names, HASH_MD2, HASH_SHA512,
+ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512,
+	"HASH_UNKNOWN",
 	"HASH_MD2",
 	"HASH_MD5",
 	"HASH_SHA1",
@@ -63,3 +67,76 @@ hasher_t *hasher_create(hash_algorithm_t hash_algorithm)
 			return NULL;
 	}
 }
+
+/*
+ * Described in header.
+ */
+hash_algorithm_t hasher_algorithm_from_oid(int oid)
+{
+	hash_algorithm_t algorithm;
+
+	switch (oid)
+	{
+		case OID_MD2:
+		case OID_MD2_WITH_RSA:
+			algorithm = HASH_MD2;
+			break;
+		case OID_MD5:
+		case OID_MD5_WITH_RSA:
+			algorithm = HASH_MD5;
+			break;
+		case OID_SHA1:
+		case OID_SHA1_WITH_RSA:
+			algorithm = HASH_SHA1;
+			break;
+		case OID_SHA256:
+		case OID_SHA256_WITH_RSA:
+			algorithm = HASH_SHA256;
+			break;
+		case OID_SHA384:
+		case OID_SHA384_WITH_RSA:
+			algorithm = HASH_SHA384;
+			break;
+		case OID_SHA512:
+		case OID_SHA512_WITH_RSA:
+			algorithm = HASH_SHA512;
+			break;
+		default:
+			algorithm = HASH_UNKNOWN;
+	}
+	return algorithm;
+}
+
+/*
+ * Described in header.
+ */
+int hasher_signature_algorithm_to_oid(hash_algorithm_t alg)
+{
+	int oid;
+
+	switch (alg)
+	{
+		case HASH_MD2:
+			oid = OID_MD2_WITH_RSA;
+			break;
+		case HASH_MD5:
+			oid = OID_MD5_WITH_RSA;
+			break;
+		case HASH_SHA1:
+			oid = OID_SHA1_WITH_RSA;
+			break;
+		case HASH_SHA256:
+			oid = OID_SHA256_WITH_RSA;
+			break;
+		case HASH_SHA384:
+			oid = OID_SHA384_WITH_RSA;
+			break;
+		case HASH_SHA512:
+			oid = OID_SHA512_WITH_RSA;
+			break;
+		default:
+			oid = OID_UNKNOWN;
+	}
+	return oid;
+}
+
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index 6c17f892d..48b904576 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -19,6 +19,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: hasher.h 3307 2007-10-17 02:56:24Z andreas $
  */
 
 #ifndef HASHER_H_
@@ -42,17 +44,18 @@ typedef struct hasher_t hasher_t;
  * @ingroup hashers
  */
 enum hash_algorithm_t {
-	HASH_MD2 = 0,
+	HASH_UNKNOWN = 0,
+	HASH_MD2 =     1,
 	/** Implemented in class md5_hasher_t */
-	HASH_MD5 = 1,
+	HASH_MD5 =     2,
 	/** Implemented in class sha1_hasher_t */
-	HASH_SHA1 = 2,
+	HASH_SHA1 =    3,
 	/** Implemented in class sha2_hasher_t */
-	HASH_SHA256 = 3,
+	HASH_SHA256 =  4,
 	/** Implemented in class sha2_hasher_t */
-	HASH_SHA384 = 4,
+	HASH_SHA384 =  5,
 	/** Implemented in class sha2_hasher_t */
-	HASH_SHA512 = 5,
+	HASH_SHA512 =  6,
 };
 
 #define HASH_SIZE_MD2		16
@@ -68,7 +71,6 @@ enum hash_algorithm_t {
  */
 extern enum_name_t *hash_algorithm_names;
 
-
 /**
  * @brief Generic interface for all hash functions.
  * 
@@ -82,7 +84,7 @@ struct hasher_t {
 	 * @brief Hash data and write it in the buffer.
 	 * 
 	 * If the parameter hash is NULL, no result is written back
-	 * an more data can be appended to already hashed data.
+	 * and more data can be appended to already hashed data.
 	 * If not, the result is written back and the hasher is reset.
 	 * 
 	 * The hash output parameter must hold at least
@@ -98,7 +100,7 @@ struct hasher_t {
 	 * @brief Hash data and allocate space for the hash.
 	 * 
 	 * If the parameter hash is NULL, no result is written back
-	 * an more data can be appended to already hashed data.
+	 * and more data can be appended to already hashed data.
 	 * If not, the result is written back and the hasher is reset.
 	 * 
 	 * @param this			calling object
@@ -156,4 +158,28 @@ struct hasher_t {
  */
 hasher_t *hasher_create(hash_algorithm_t hash_algorithm);
 
+/**
+ * @brief Conversion of ASN.1 OID to hash algorithm.
+ * 
+ * @param oid				ASN.1 OID
+ * @return
+ * 							- hash algorithm
+ * 							- HASH_UNKNOWN if OID unsuported
+ * 
+ * @ingroup hashers
+ */
+hash_algorithm_t hasher_algorithm_from_oid(int oid);
+
+/**
+ * @brief Conversion of hash signature algorithm ASN.1 OID.
+ * 
+ * @param alg				hash algorithm
+ * @return
+ * 							- ASN.1 OID if known hash algorithm
+ * 							- OID_UNKNOW
+ * 
+ * @ingroup hashers
+ */
+int hasher_signature_algorithm_to_oid(hash_algorithm_t alg);
+
 #endif /* HASHER_H_ */
diff --git a/src/libstrongswan/crypto/hmac.h b/src/libstrongswan/crypto/hmac.h
index d320bc5aa..06b75aaf9 100644
--- a/src/libstrongswan/crypto/hmac.h
+++ b/src/libstrongswan/crypto/hmac.h
@@ -42,7 +42,7 @@ typedef struct hmac_t hmac_t;
  * @b Constructors:
  *  - hmac_create()
  *
- * @ingroup transforms
+ * @ingroup crypto
  */
 struct hmac_t {
 	/**
diff --git a/src/libstrongswan/crypto/ietf_attr_list.c b/src/libstrongswan/crypto/ietf_attr_list.c
new file mode 100644
index 000000000..1ecadf679
--- /dev/null
+++ b/src/libstrongswan/crypto/ietf_attr_list.c
@@ -0,0 +1,405 @@
+/**
+ * @file ietf_attr.c
+ * 
+ * @brief Implementation of ietfAttr_t.
+ * 
+ */
+
+/* 
+ * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <stdio.h>
+
+#include <debug.h>
+#include <asn1/asn1.h>
+#include <utils/lexparser.h>
+
+#include "ietf_attr_list.h"
+
+/**
+ * Private definition of ietfAttribute kinds
+ */
+typedef enum {
+	IETF_ATTRIBUTE_OCTETS =	0,
+	IETF_ATTRIBUTE_OID =	1,
+	IETF_ATTRIBUTE_STRING =	2
+} ietfAttribute_t;
+
+typedef struct ietfAttr_t ietfAttr_t;
+
+/**
+ * Private definition of an ietfAttribute
+ */
+struct ietfAttr_t {
+	/**
+	 * IETF attribute kind
+	 */
+	ietfAttribute_t kind;
+
+	/**
+	 * IETF attribute valuse
+	 */
+	chunk_t value;
+
+	/**
+	 * Compares two ietfAttributes
+	 *	
+	 * return -1 if this is earlier in the alphabet than other
+	 * return  0 if this equals other
+	 * return +1 if this is later in the alphabet than other
+	 *
+	 * @param this		calling object
+	 * @param other		other object
+	 */
+	int (*compare) (const ietfAttr_t *this ,const ietfAttr_t *other);
+
+	/**
+	 * Destroys the ietfAttr_t object.
+	 * 
+	 * @param this			ietfAttr_t to destroy
+	 */
+	void (*destroy) (ietfAttr_t *this);
+};
+
+/**
+ * Implements ietfAttr_t.compare.
+ */
+static int ietfAttr_compare(const ietfAttr_t *this ,const ietfAttr_t *other)
+{
+	int cmp_len, len, cmp_value;
+
+	/* OID attributes are appended after STRING and OCTETS attributes */
+	if (this->kind != IETF_ATTRIBUTE_OID && other->kind == IETF_ATTRIBUTE_OID)
+	{
+		return -1;
+	}
+	if (this->kind == IETF_ATTRIBUTE_OID && other->kind != IETF_ATTRIBUTE_OID)
+	{
+		return 1;
+	}
+	
+    cmp_len = this->value.len - other->value.len;
+    len = (cmp_len < 0)? this->value.len : other->value.len;
+    cmp_value = memcmp(this->value.ptr, other->value.ptr, len);
+
+    return (cmp_value == 0)? cmp_len : cmp_value;
+}
+
+/**
+ * Implements ietfAttr_t.destroy.
+ */
+static void ietfAttr_destroy(ietfAttr_t *this)
+{
+	free(this->value.ptr);
+	free(this);
+}
+
+/**
+ * Creates an ietfAttr_t object.
+ */
+static ietfAttr_t *ietfAttr_create(ietfAttribute_t kind, chunk_t value)
+{
+	ietfAttr_t *this = malloc_thing(ietfAttr_t);
+
+	/* initialize */
+	this->kind = kind;
+	this->value = chunk_clone(value);
+
+	/* function */
+	this->compare = ietfAttr_compare;
+	this->destroy = ietfAttr_destroy;
+
+	return this;
+}
+
+/**
+ * Adds an ietfAttr_t object to a sorted linked list
+ */
+static void ietfAttr_add(linked_list_t *list, ietfAttr_t *attr)
+{
+	iterator_t *iterator = list->create_iterator(list, TRUE);
+	ietfAttr_t *current_attr;
+	bool found = FALSE;
+
+	while (iterator->iterate(iterator, (void **)&current_attr))
+	{
+		int cmp = attr->compare(attr, current_attr);
+
+		if (cmp > 0)
+		{
+			 continue;
+		}
+		if (cmp == 0)
+		{
+			attr->destroy(attr);
+		}
+		else
+		{
+			iterator->insert_before(iterator, attr);
+		}
+		found = TRUE;
+		break;
+	}
+	iterator->destroy(iterator);
+	if (!found)
+	{
+		list->insert_last(list, attr);
+	}
+}
+
+/*
+ * Described in header.
+ */
+bool ietfAttr_list_equals(linked_list_t *list_a, linked_list_t *list_b)
+{
+	 bool result = TRUE;
+
+	/* lists must have the same number of attributes */
+	if (list_a->get_count(list_a) != list_b->get_count(list_b))
+	{
+		return FALSE;
+	}
+	/* empty lists - no attributes */
+	if (list_a->get_count(list_a) == 0)
+	{
+		return TRUE;
+	}
+
+	/* compare two alphabetically-sorted lists */
+	{
+		iterator_t *iterator_a = list_a->create_iterator(list_a, TRUE);
+		iterator_t *iterator_b = list_b->create_iterator(list_b, TRUE);
+		ietfAttr_t *attr_a, *attr_b;
+
+		while (iterator_a->iterate(iterator_a, (void **)&attr_a) &&
+			   iterator_b->iterate(iterator_b, (void **)&attr_b))
+		{
+			if (attr_a->compare(attr_a, attr_b) != 0)
+			{
+				/* we have a mismatch */
+				result = FALSE;
+				break;
+			}
+  		}
+		iterator_a->destroy(iterator_a);
+		iterator_b->destroy(iterator_b);
+	}
+	return result;
+}
+
+/*
+ * Described in header.
+ */
+void ietfAttr_list_list(linked_list_t *list, FILE *out)
+{
+	iterator_t *iterator = list->create_iterator(list, TRUE);
+	ietfAttr_t *attr;
+	bool first = TRUE;
+
+	while (iterator->iterate(iterator, (void **)&attr))
+	{
+		if (first)
+		{
+			first = FALSE;
+		}
+		else
+		{
+			fprintf(out, ", ");
+		}
+
+		switch (attr->kind)
+		{
+			case IETF_ATTRIBUTE_OCTETS:
+			case IETF_ATTRIBUTE_STRING:
+				fprintf(out, "%.*s", (int)attr->value.len, attr->value.ptr);
+				break;
+			case IETF_ATTRIBUTE_OID:
+				{
+					int oid = known_oid(attr->value);
+
+					if (oid == OID_UNKNOWN)
+					{
+						fprintf(out, "0x#B", &attr->value);
+					}
+					else
+					{
+						fprintf(out, "%s", oid_names[oid]);
+					}
+				}
+	    		break;
+			default:
+	    		break;
+  		}
+	}
+	iterator->destroy(iterator);
+}
+
+/*
+ * Described in header.
+ */
+void ietfAttr_list_create_from_string(char *msg, linked_list_t *list)
+{
+	chunk_t line = { msg, strlen(msg) };
+
+	while (eat_whitespace(&line))
+	{
+		chunk_t group;
+
+		/* extract the next comma-separated group attribute */
+		if (!extract_token(&group, ',', &line))
+		{
+			group = line;
+			line.len = 0;
+		}
+
+		/* remove any trailing spaces */
+		while (group.len > 0 && *(group.ptr + group.len - 1) == ' ')
+		{
+			group.len--;
+		}
+
+		/* add the group attribute to the list */
+		if (group.len > 0)
+		{
+			ietfAttr_t *attr = ietfAttr_create(IETF_ATTRIBUTE_STRING, group);
+		
+			ietfAttr_add(list, attr);
+		}
+	}
+}
+
+/**
+ * ASN.1 definition of ietfAttrSyntax
+ */
+static const asn1Object_t ietfAttrSyntaxObjects[] =
+{
+	{ 0, "ietfAttrSyntax",		ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "policyAuthority",	ASN1_CONTEXT_C_0,	ASN1_OPT |
+													ASN1_BODY }, /*  1 */
+	{ 1,   "end opt",			ASN1_EOC,			ASN1_END  }, /*  2 */
+	{ 1,   "values",			ASN1_SEQUENCE,		ASN1_LOOP }, /*  3 */
+	{ 2,     "octets",			ASN1_OCTET_STRING,	ASN1_OPT |
+													ASN1_BODY }, /*  4 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  5 */
+	{ 2,     "oid",				ASN1_OID,			ASN1_OPT |
+													ASN1_BODY }, /*  6 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  7 */
+	{ 2,     "string",			ASN1_UTF8STRING,	ASN1_OPT |
+													ASN1_BODY }, /*  8 */
+	{ 2,     "end choice",		ASN1_EOC,			ASN1_END  }, /*  9 */
+	{ 1,   "end loop",			ASN1_EOC,			ASN1_END  }  /* 10 */
+};
+
+#define IETF_ATTR_OCTETS	 4
+#define IETF_ATTR_OID		 6
+#define IETF_ATTR_STRING	 8
+#define IETF_ATTR_ROOF		11
+
+/*
+ * Described in header.
+ */
+void ietfAttr_list_create_from_chunk(chunk_t chunk, linked_list_t *list, int level0)
+{
+	asn1_ctx_t ctx;
+	chunk_t object;
+	u_int level;
+	int objectID = 0;
+
+	asn1_init(&ctx, chunk, level0, FALSE, FALSE);
+
+	while (objectID < IETF_ATTR_ROOF)
+	{
+		if (!extract_object(ietfAttrSyntaxObjects, &objectID, &object, &level, &ctx))
+		{
+			return;
+		}
+
+		switch (objectID)
+		{
+			case IETF_ATTR_OCTETS:
+			case IETF_ATTR_OID:
+			case IETF_ATTR_STRING:
+				{
+					ietfAttribute_t kind = (objectID - IETF_ATTR_OCTETS) / 2;
+					ietfAttr_t *attr   = ietfAttr_create(kind, object);
+					ietfAttr_add(list, attr);
+				}
+				break;
+			default:
+				break;
+		}
+		objectID++;
+	}
+}
+
+/*
+ * Described in header.
+ */
+chunk_t ietfAttr_list_encode(linked_list_t *list)
+{
+	chunk_t ietfAttributes;
+	size_t size = 0;
+	u_char *pos;
+	iterator_t *iterator = list->create_iterator(list, TRUE);
+	ietfAttr_t *attr;
+
+	/* precalculate the total size of all values */
+	while (iterator->iterate(iterator, (void **)&attr))
+	{
+		size_t len = attr->value.len;
+
+		size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len;
+	}
+	iterator->destroy(iterator);
+
+	pos = build_asn1_object(&ietfAttributes, ASN1_SEQUENCE, size);
+
+	iterator = list->create_iterator(list, TRUE);
+	while (iterator->iterate(iterator, (void **)&attr))
+	{
+		chunk_t ietfAttribute;
+		asn1_t type = ASN1_NULL;
+
+		switch (attr->kind)
+		{
+			case IETF_ATTRIBUTE_OCTETS:
+				type = ASN1_OCTET_STRING;
+				break;
+			case IETF_ATTRIBUTE_STRING:
+				type = ASN1_UTF8STRING;
+				break;
+			case IETF_ATTRIBUTE_OID:
+				type = ASN1_OID;
+				break;
+		}
+		ietfAttribute = asn1_simple_object(type, attr->value);
+
+		/* copy ietfAttribute into ietfAttributes chunk */
+		memcpy(pos, ietfAttribute.ptr, ietfAttribute.len); 
+		pos += ietfAttribute.len;
+		free(ietfAttribute.ptr);
+	}
+	iterator->destroy(iterator);
+
+	return asn1_wrap(ASN1_SEQUENCE, "m", ietfAttributes);
+}
+
+/*
+ * Described in header.
+ */
+void ietfAttr_list_destroy(linked_list_t *list)
+{
+	list->destroy_offset(list, offsetof(ietfAttr_t, destroy));
+}
diff --git a/src/libstrongswan/crypto/ietf_attr_list.h b/src/libstrongswan/crypto/ietf_attr_list.h
new file mode 100644
index 000000000..75407bbf6
--- /dev/null
+++ b/src/libstrongswan/crypto/ietf_attr_list.h
@@ -0,0 +1,89 @@
+/**
+ * @file ietf_attr_list.h
+ * 
+ * @brief Handling of ietfAttr_t linked lists
+ * 
+ */
+
+/*
+ * Copyright (C) 2007 Andreas Steffen
+ *
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef IETF_ATTR_LIST_H_
+#define IETF_ATTR_LIST_H_
+
+#include <library.h>
+#include <utils/linked_list.h>
+
+
+/**
+ * @brief Compare two linked lists of ietfAttr_t objects for equality
+ *
+ * @param list_a	first alphabetically-sorted list
+ * @param list_b	second alphabetically-sorted list
+ * @return			TRUE if equal	
+ *
+ * @ingroup crypto
+ */
+bool ietfAttr_list_equals(linked_list_t *list_a, linked_list_t *list_b);
+
+/**
+ * @brief Lists a linked list of ietfAttr_t objects
+ *
+ * @param list		alphabetically-sorted linked list of attributes
+   @param out		output file	
+ *
+ * @ingroup crypto
+ */
+void ietfAttr_list_list(linked_list_t *list, FILE *out);
+
+/**
+ * @brief Create a linked list of ietfAttr_t objects from a string
+ *
+ * @param msg		string with comma-separated group names
+ * @param list		alphabetically-sorted linked list of attributes
+ *
+ * @ingroup crypto
+ */
+void ietfAttr_list_create_from_string(char *msg, linked_list_t *list);
+
+/**
+ * @brief Create a linked list of ietfAttr_t objects from an ASN.1-coded chunk
+ *
+ * @param chunk		chunk containing ASN.1-coded attributes
+ * @param list		alphabetically-sorted linked list of attributes
+ * @param level0	parsing level
+ */
+void ietfAttr_list_create_from_chunk(chunk_t chunk, linked_list_t *list, int level0);
+
+/**
+ * @brief Encode a linked list of ietfAttr_t objects into an ASN.1-coded chunk
+ *
+ * @param list		alphabetically-sorted linked list of attributes
+ * @return			chunk containing ASN.1-coded attributes
+ */
+chunk_t ietfAttr_list_encode(linked_list_t *list);
+
+/**
+ * @brief Destroys a linked list of ietfAttr_t objects
+ *
+ * @param list		list to be destroyed
+ *
+ * @ingroup crypto
+ */
+void ietfAttr_list_destroy(linked_list_t *list);
+
+#endif /* IETF_ATTR_LIST_H_ */
+
diff --git a/src/libstrongswan/crypto/ocsp.c b/src/libstrongswan/crypto/ocsp.c
index 0d8093e4a..e4d907188 100644
--- a/src/libstrongswan/crypto/ocsp.c
+++ b/src/libstrongswan/crypto/ocsp.c
@@ -466,11 +466,11 @@ static chunk_t ocsp_build_request(private_ocsp_t *this)
 static bool ocsp_parse_basic_response(chunk_t blob, int level0, response_t *res)
 {
 	u_int level, version;
-	u_int extn_oid = OID_UNKNOWN;
 	asn1_ctx_t ctx;
 	bool critical;
 	chunk_t object;
 	int objectID = 0;
+	int extn_oid = OID_UNKNOWN;
 
 	asn1_init(&ctx, blob, level0, FALSE, FALSE);
 
@@ -546,9 +546,8 @@ static response_status ocsp_parse_response(response_t *res)
 	chunk_t object;
 	u_int level;
 	int objectID = 0;
-
+	int ocspResponseType = OID_UNKNOWN;
 	response_status rStatus = STATUS_INTERNALERROR;
-	u_int ocspResponseType = OID_UNKNOWN;
 
 	asn1_init(&ctx, res->chunk, 0, FALSE, FALSE);
 
@@ -615,6 +614,13 @@ static bool ocsp_valid_response(response_t *res, x509_t *ocsp_cert)
 	rsa_public_key_t *public_key;
 	time_t until = UNDEFINED_TIME;
 	err_t ugh;
+	hash_algorithm_t algorithm = hasher_algorithm_from_oid(res->algorithm);
+
+	if (algorithm == HASH_UNKNOWN)
+	{
+		DBG1("unknown signature algorithm");
+		return FALSE;
+	}
 
 	DBG2("verifying ocsp response signature:");
 	DBG2("signer:  '%D'", ocsp_cert->get_subject(ocsp_cert));
@@ -627,8 +633,8 @@ static bool ocsp_valid_response(response_t *res, x509_t *ocsp_cert)
 		return FALSE;
 	}
 	public_key = ocsp_cert->get_public_key(ocsp_cert);
-
-	return public_key->verify_emsa_pkcs1_signature(public_key, res->tbs, res->signature) == SUCCESS;
+	
+	return public_key->verify_emsa_pkcs1_signature(public_key, algorithm, res->tbs, res->signature) == SUCCESS;
 }
 
 /**
diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c
new file mode 100644
index 000000000..70510471a
--- /dev/null
+++ b/src/libstrongswan/crypto/pkcs7.c
@@ -0,0 +1,710 @@
+/**
+ * @file pkcs7.c
+ *
+ * @brief Implementation of pkcs7_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Copyright (C) 2002-2005 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pkcs7.c 3302 2007-10-12 21:57:20Z andreas $
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <library.h>
+#include "debug.h"
+
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+#include <crypto/x509.h>
+#include <crypto/hashers/hasher.h>
+#include <crypto/crypters/crypter.h>
+#include <utils/linked_list.h>
+
+#include "pkcs7.h"
+
+typedef struct private_pkcs7_t private_pkcs7_t;
+
+/**
+ * Private data of a pkcs7_t object.
+ */
+struct private_pkcs7_t {
+	/**
+	 * Public interface for this certificate.
+	 */
+	pkcs7_t public;
+
+	/**
+	 * contentInfo type
+	 */
+	int type;
+
+	/**
+	 * ASN.1 encoded content
+	 */
+	chunk_t content;
+
+	/**
+	 * Has the content already been parsed?
+	 */
+	bool parsed;
+
+	/**
+	 * ASN.1 parsing start level
+	 */
+	u_int level;
+
+	/**
+	 * retrieved data
+	 */
+	chunk_t data;
+
+	/**
+	 * ASN.1 encoded attributes
+	 */
+	chunk_t attributes;
+
+	/**
+	 * Linked list of X.509 certificates
+	 */
+	linked_list_t *certs;
+};
+
+/**
+ * ASN.1 definition of the PKCS#7 ContentInfo type
+ */
+static const asn1Object_t contentInfoObjects[] = {
+	{ 0, "contentInfo",		ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "contentType",	ASN1_OID,			ASN1_BODY }, /*  1 */
+	{ 1,   "content",		ASN1_CONTEXT_C_0,	ASN1_OPT |
+												ASN1_BODY }, /*  2 */
+	{ 1,   "end opt",		ASN1_EOC,			ASN1_END  }  /*  3 */
+};
+
+#define PKCS7_INFO_TYPE		1
+#define PKCS7_INFO_CONTENT	2
+#define PKCS7_INFO_ROOF		4
+
+/**
+ * ASN.1 definition of the PKCS#7 signedData type
+ */
+static const asn1Object_t signedDataObjects[] = {
+	{ 0, "signedData",						ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "version",						ASN1_INTEGER,		ASN1_BODY }, /*  1 */
+	{ 1,   "digestAlgorithms",				ASN1_SET,			ASN1_LOOP }, /*  2 */
+	{ 2,     "algorithm",					ASN1_EOC,			ASN1_RAW  }, /*  3 */
+	{ 1,   "end loop",						ASN1_EOC,			ASN1_END  }, /*  4 */
+	{ 1,   "contentInfo",					ASN1_EOC,			ASN1_RAW  }, /*  5 */
+	{ 1,   "certificates",					ASN1_CONTEXT_C_0,	ASN1_OPT |
+																ASN1_LOOP }, /*  6 */
+	{ 2,      "certificate",				ASN1_SEQUENCE,		ASN1_OBJ  }, /*  7 */
+	{ 1,   "end opt or loop",				ASN1_EOC,			ASN1_END  }, /*  8 */
+	{ 1,   "crls",							ASN1_CONTEXT_C_1,	ASN1_OPT |
+																ASN1_LOOP }, /*  9 */
+	{ 2,	    "crl",						ASN1_SEQUENCE,		ASN1_OBJ  }, /* 10 */
+	{ 1,   "end opt or loop",				ASN1_EOC,			ASN1_END  }, /* 11 */
+	{ 1,   "signerInfos",					ASN1_SET,			ASN1_LOOP }, /* 12 */
+	{ 2,     "signerInfo",					ASN1_SEQUENCE,		ASN1_NONE }, /* 13 */
+	{ 3,       "version",					ASN1_INTEGER,		ASN1_BODY }, /* 14 */
+	{ 3,       "issuerAndSerialNumber",		ASN1_SEQUENCE,		ASN1_BODY }, /* 15 */
+	{ 4,         "issuer",					ASN1_SEQUENCE,		ASN1_OBJ  }, /* 16 */
+	{ 4,         "serial",					ASN1_INTEGER,		ASN1_BODY }, /* 17 */
+	{ 3,       "digestAlgorithm",			ASN1_EOC,			ASN1_RAW  }, /* 18 */
+	{ 3,       "authenticatedAttributes",	ASN1_CONTEXT_C_0,	ASN1_OPT |
+																ASN1_OBJ  }, /* 19 */
+	{ 3,       "end opt",					ASN1_EOC,			ASN1_END  }, /* 20 */
+	{ 3,       "digestEncryptionAlgorithm",	ASN1_EOC,			ASN1_RAW  }, /* 21 */
+	{ 3,       "encryptedDigest",			ASN1_OCTET_STRING,	ASN1_BODY }, /* 22 */
+	{ 3,       "unauthenticatedAttributes", ASN1_CONTEXT_C_1,	ASN1_OPT  }, /* 23 */
+	{ 3,       "end opt",					ASN1_EOC,			ASN1_END  }, /* 24 */
+	{ 1,   "end loop",						ASN1_EOC,			ASN1_END  }  /* 25 */
+};
+
+#define PKCS7_DIGEST_ALG	 		 3
+#define PKCS7_SIGNED_CONTENT_INFO	 5
+#define PKCS7_SIGNED_CERT	 		 7
+#define PKCS7_SIGNER_INFO			13
+#define PKCS7_SIGNED_ISSUER			16
+#define PKCS7_SIGNED_SERIAL_NUMBER	17
+#define PKCS7_DIGEST_ALGORITHM		18
+#define PKCS7_AUTH_ATTRIBUTES		19
+#define PKCS7_DIGEST_ENC_ALGORITHM	21
+#define PKCS7_ENCRYPTED_DIGEST		22
+#define PKCS7_SIGNED_ROOF			26
+
+/**
+ * ASN.1 definition of the PKCS#7 envelopedData type
+ */
+static const asn1Object_t envelopedDataObjects[] = {
+	{ 0, "envelopedData",					ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "version",						ASN1_INTEGER, 		ASN1_BODY }, /*  1 */
+	{ 1,   "recipientInfos",				ASN1_SET,    		ASN1_LOOP }, /*  2 */
+	{ 2,     "recipientInfo",				ASN1_SEQUENCE, 		ASN1_BODY }, /*  3 */
+	{ 3,       "version",					ASN1_INTEGER, 		ASN1_BODY }, /*  4 */
+	{ 3,       "issuerAndSerialNumber",		ASN1_SEQUENCE,		ASN1_BODY }, /*  5 */
+	{ 4,         "issuer",					ASN1_SEQUENCE,		ASN1_OBJ  }, /*  6 */
+	{ 4,         "serial",					ASN1_INTEGER,		ASN1_BODY }, /*  7 */
+	{ 3,       "encryptionAlgorithm",		ASN1_EOC,			ASN1_RAW  }, /*  8 */
+	{ 3,       "encryptedKey",				ASN1_OCTET_STRING,	ASN1_BODY }, /*  9 */
+	{ 1,   "end loop",						ASN1_EOC,			ASN1_END  }, /* 10 */
+	{ 1,   "encryptedContentInfo",			ASN1_SEQUENCE,		ASN1_OBJ  }, /* 11 */
+	{ 2,     "contentType",					ASN1_OID,			ASN1_BODY }, /* 12 */
+	{ 2,     "contentEncryptionAlgorithm",	ASN1_EOC,			ASN1_RAW  }, /* 13 */
+	{ 2,     "encryptedContent",			ASN1_CONTEXT_S_0, 	ASN1_BODY }  /* 14 */
+};
+
+#define PKCS7_ENVELOPED_VERSION			 1
+#define PKCS7_RECIPIENT_INFO_VERSION	 4
+#define PKCS7_ISSUER					 6
+#define PKCS7_SERIAL_NUMBER				 7
+#define PKCS7_ENCRYPTION_ALG			 8
+#define PKCS7_ENCRYPTED_KEY				 9
+#define PKCS7_CONTENT_TYPE				12
+#define PKCS7_CONTENT_ENC_ALGORITHM		13
+#define PKCS7_ENCRYPTED_CONTENT			14
+#define PKCS7_ENVELOPED_ROOF			15
+
+/**
+ * PKCS7 contentInfo OIDs
+ */
+static u_char ASN1_pkcs7_data_oid_str[] = {
+	0x06, 0x09,
+		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01
+};
+
+static u_char ASN1_pkcs7_signed_data_oid_str[] = {
+	0x06, 0x09,
+		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02
+};
+
+static u_char ASN1_pkcs7_enveloped_data_oid_str[] = {
+	0x06, 0x09,
+		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x03
+};
+
+static u_char ASN1_pkcs7_signed_enveloped_data_oid_str[] = {
+	0x06, 0x09,
+		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x04
+};
+
+static u_char ASN1_pkcs7_digested_data_oid_str[] = {
+	0x06, 0x09,
+		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x05
+};
+
+static char ASN1_pkcs7_encrypted_data_oid_str[] = {
+	0x06, 0x09,
+		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06
+};
+
+static const chunk_t ASN1_pkcs7_data_oid = 
+						chunk_from_buf(ASN1_pkcs7_data_oid_str);
+static const chunk_t ASN1_pkcs7_signed_data_oid =
+						chunk_from_buf(ASN1_pkcs7_signed_data_oid_str);
+static const chunk_t ASN1_pkcs7_enveloped_data_oid =
+						chunk_from_buf(ASN1_pkcs7_enveloped_data_oid_str);
+static const chunk_t ASN1_pkcs7_signed_enveloped_data_oid = 
+						chunk_from_buf(ASN1_pkcs7_signed_enveloped_data_oid_str);
+static const chunk_t ASN1_pkcs7_digested_data_oid =
+						chunk_from_buf(ASN1_pkcs7_digested_data_oid_str);
+static const chunk_t ASN1_pkcs7_encrypted_data_oid =
+						chunk_from_buf(ASN1_pkcs7_encrypted_data_oid_str);
+
+/**
+ * 3DES and DES encryption OIDs
+ */
+static u_char ASN1_3des_ede_cbc_oid_str[] = {
+	0x06, 0x08,
+		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x03, 0x07
+};
+
+static u_char ASN1_des_cbc_oid_str[] = {
+	0x06, 0x05,
+		  0x2B, 0x0E, 0x03, 0x02, 0x07
+};
+
+static const chunk_t ASN1_3des_ede_cbc_oid = 
+						chunk_from_buf(ASN1_3des_ede_cbc_oid_str);
+static const chunk_t ASN1_des_cbc_oid =
+						chunk_from_buf(ASN1_des_cbc_oid_str);
+
+/**
+ * PKCS#7 attribute type OIDs
+ */
+static u_char ASN1_contentType_oid_str[] = {
+	0x06, 0x09,
+		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x03
+};
+
+static u_char ASN1_messageDigest_oid_str[] = {
+	0x06, 0x09,
+		  0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x04
+};
+
+static const chunk_t ASN1_contentType_oid =
+						chunk_from_buf(ASN1_contentType_oid_str);
+static const chunk_t ASN1_messageDigest_oid =
+						chunk_from_buf(ASN1_messageDigest_oid_str);
+
+/**
+ * Implements pkcs7_t.is_signedData.
+ */
+static bool is_data(private_pkcs7_t *this)
+{
+	return this->type == OID_PKCS7_DATA;
+}
+
+/**
+ * Implements pkcs7_t.is_signedData.
+ */
+static bool is_signedData(private_pkcs7_t *this)
+{
+	return this->type == OID_PKCS7_SIGNED_DATA;
+}
+
+/**
+ * Implements pkcs7_t.is_signedData.
+ */
+static bool is_envelopedData(private_pkcs7_t *this)
+{
+	return this->type == OID_PKCS7_ENVELOPED_DATA;
+}
+
+/**
+ * Check whether to abort the requested parsing
+ */
+static bool abort_parsing(private_pkcs7_t *this, int type)
+{
+	if (this->type != type)
+	{
+		DBG1("pkcs7 content to be parsed is not of type '%s'",
+			 oid_names[type]);
+		return TRUE;
+	}
+	if (this->parsed)
+	{
+		DBG1("pkcs7 content has already been parsed");
+		return TRUE;
+	}
+	this->parsed = TRUE;
+	return FALSE;
+}
+
+/**
+ * Implements pkcs7_t.parse_data.
+ */
+static bool parse_data(private_pkcs7_t *this)
+{
+	chunk_t data = this->content;
+
+	if (abort_parsing(this, OID_PKCS7_DATA))
+	{
+		return FALSE;
+	}
+	if (parse_asn1_simple_object(&data, ASN1_OCTET_STRING, this->level, "data"))
+	{
+		this->data = chunk_clone(data);
+		return TRUE;
+	}
+	else
+	{
+		return FALSE;
+	}
+}
+
+/**
+ * Parse PKCS#7 signedData content
+ */
+static bool parse_signedData(private_pkcs7_t *this, x509_t *cacert)
+{
+	asn1_ctx_t ctx;
+	chunk_t object;
+	u_int level;
+	int objectID = 0;
+
+	int digest_alg = OID_UNKNOWN;
+	int enc_alg    = OID_UNKNOWN;
+	int signerInfos = 0;
+
+	chunk_t encrypted_digest = chunk_empty;
+
+	if (abort_parsing(this, OID_PKCS7_SIGNED_DATA))
+	{
+		return FALSE;
+	}
+
+	asn1_init(&ctx, this->content, this->level, FALSE, FALSE);
+
+	while (objectID < PKCS7_SIGNED_ROOF)
+	{
+		if (!extract_object(signedDataObjects, &objectID, &object, &level, &ctx))
+		{
+			return FALSE;
+		}
+
+		switch (objectID)
+		{
+			case PKCS7_DIGEST_ALG:
+				digest_alg = parse_algorithmIdentifier(object, level, NULL);
+				break;
+			case PKCS7_SIGNED_CONTENT_INFO:
+				this->data = chunk_clone(object);
+				break;
+			case PKCS7_SIGNED_CERT:
+				{
+					x509_t *cert = x509_create_from_chunk(object, level+1);
+
+					if (cert)
+					{
+						this->certs->insert_last(this->certs, (void*)cert);
+					}
+				}
+				break;
+			case PKCS7_SIGNER_INFO:
+				signerInfos++;
+				DBG2("  signer #%d", signerInfos);
+				break;
+			case PKCS7_SIGNED_ISSUER:
+				{
+					identification_t *issuer;
+
+					issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
+					DBG2("  '%D'", issuer);
+					issuer->destroy(issuer);
+				}
+				break;
+			case PKCS7_AUTH_ATTRIBUTES:
+				this->attributes = object;
+				*this->attributes.ptr = ASN1_SET;
+				break;
+			case PKCS7_DIGEST_ALGORITHM:
+				digest_alg = parse_algorithmIdentifier(object, level, NULL);
+				break;
+			case PKCS7_DIGEST_ENC_ALGORITHM:
+				enc_alg = parse_algorithmIdentifier(object, level, NULL);
+				break;
+			case PKCS7_ENCRYPTED_DIGEST:
+				encrypted_digest = object;
+		}
+		objectID++;
+	}
+
+	/* check the signature only if a cacert is available */
+	if (cacert != NULL)
+	{
+		rsa_public_key_t *signer = cacert->get_public_key(cacert);
+		hash_algorithm_t algorithm = hasher_algorithm_from_oid(digest_alg);
+
+		if (signerInfos == 0)
+		{
+			DBG1("no signerInfo object found");
+			return FALSE;
+		}
+		else if (signerInfos > 1)
+		{
+			DBG1("more than one signerInfo object found");
+			return FALSE;
+		}
+		if (this->attributes.ptr == NULL)
+		{
+			DBG1("no authenticatedAttributes object found");
+			return FALSE;
+		}
+		if (enc_alg != OID_RSA_ENCRYPTION)
+		{
+			DBG1("only RSA digest encryption supported");
+			return FALSE;
+		}
+		if (signer->verify_emsa_pkcs1_signature(signer, algorithm,
+			this->attributes, encrypted_digest) != SUCCESS)
+		{
+			DBG1("invalid digest signature");
+			return FALSE;
+		}
+		else
+		{
+			DBG2("digest signature is valid");
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Parse PKCS#7 envelopedData content
+ */
+static bool parse_envelopedData(private_pkcs7_t *this, chunk_t serialNumber,
+								rsa_private_key_t *key)
+{
+	asn1_ctx_t ctx;
+	chunk_t object;
+	u_int level;
+	int objectID = 0;
+
+	chunk_t iv                = chunk_empty;
+	chunk_t symmetric_key     = chunk_empty;
+	chunk_t encrypted_content = chunk_empty;
+
+	crypter_t *crypter = NULL;
+
+	if (abort_parsing(this, OID_PKCS7_ENVELOPED_DATA))
+	{
+		return FALSE;
+	}
+
+	asn1_init(&ctx, this->content, this->level, FALSE, FALSE);
+
+	while (objectID < PKCS7_ENVELOPED_ROOF)
+	{
+		if (!extract_object(envelopedDataObjects, &objectID, &object, &level, &ctx))
+		{
+			goto failed;
+		}
+
+		switch (objectID)
+		{
+			case PKCS7_ENVELOPED_VERSION:
+				if (*object.ptr != 0)
+				{
+					DBG1("envelopedData version is not 0");
+					goto failed;
+				}
+				break;
+			case PKCS7_RECIPIENT_INFO_VERSION:
+				if (*object.ptr != 0)
+				{
+					DBG1("recipient info version is not 0");
+					goto failed;
+				}
+				break;
+			case PKCS7_ISSUER:
+				{
+					identification_t *issuer;
+
+					issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
+					DBG2("  '%D'", issuer);
+					issuer->destroy(issuer);
+				}
+				break;
+			case PKCS7_SERIAL_NUMBER:
+				if (!chunk_equals(serialNumber, object))
+				{
+					DBG1("serial numbers do not match");
+					goto failed;
+				}
+				break;
+			case PKCS7_ENCRYPTION_ALG:
+				{
+					int alg = parse_algorithmIdentifier(object, level, NULL);
+
+					if (alg != OID_RSA_ENCRYPTION)
+					{
+						DBG1("only rsa encryption supported");
+						goto failed;
+					}
+				}
+				break;
+			case PKCS7_ENCRYPTED_KEY:
+				if (key->pkcs1_decrypt(key, object, &symmetric_key) != SUCCESS)
+				{
+					DBG1("symmetric key could not be decrypted with rsa");
+					goto failed;
+				}
+				DBG4("symmetric key : %B", &symmetric_key);
+				break;
+			case PKCS7_CONTENT_TYPE:
+				if (known_oid(object) != OID_PKCS7_DATA)
+				{
+					DBG1("encrypted content not of type pkcs7 data");
+		 			goto failed;
+				}
+				break;
+			case PKCS7_CONTENT_ENC_ALGORITHM:
+				{
+					int alg = parse_algorithmIdentifier(object, level, &iv);
+
+					switch (alg)
+					{
+						case OID_DES_CBC:
+							crypter = crypter_create(ENCR_DES, 0);
+							break;
+						case OID_3DES_EDE_CBC:
+							crypter = crypter_create(ENCR_3DES, 0);
+							break;
+						default:
+							DBG1("Only DES and 3DES supported for symmetric encryption");
+							goto failed;
+					}
+					if (symmetric_key.len != crypter->get_key_size(crypter))
+					{
+						DBG1("symmetric key has wrong length");
+						goto failed;
+					}
+					if (!parse_asn1_simple_object(&iv, ASN1_OCTET_STRING, level+1, "IV"))
+					{
+						DBG1("IV could not be parsed");
+						goto failed;
+					}
+					if (iv.len != crypter->get_block_size(crypter))
+					{
+						DBG1("IV has wrong length");
+						goto failed;
+					}
+				}
+				break;
+			case PKCS7_ENCRYPTED_CONTENT:
+				encrypted_content = object;
+				break;
+		}
+		objectID++;
+	}
+
+	/* decrypt the content */
+	crypter->decrypt(crypter, encrypted_content, iv, &this->data);
+	DBG4("decrypted content with padding: %B", &this->data);
+
+	/* remove the padding */
+	{
+		u_char *pos = this->data.ptr + this->data.len - 1;
+		u_char pattern = *pos;
+		size_t padding = pattern;
+
+		if (padding > this->data.len)
+		{
+			DBG1("padding greater than data length");
+			goto failed;
+		}
+		this->data.len -= padding;
+
+		while (padding-- > 0)
+		{
+			if (*pos-- != pattern)
+			{
+				DBG1("wrong padding pattern");
+				goto failed;
+			}
+		}
+	}
+	crypter->destroy(crypter);
+	free(symmetric_key.ptr);
+	return TRUE;
+
+failed:
+	DESTROY_IF(crypter);
+	free(symmetric_key.ptr);
+	chunk_free(&this->data);
+	return FALSE;
+}
+
+/**
+ * Implements pkcs7_t.get_data
+ */
+static chunk_t get_data(private_pkcs7_t *this)
+{
+	return this->data;
+}
+
+/**
+ * Implements pkcs_t.create_crluri_iterator
+ */
+static iterator_t *create_certificate_iterator(const private_pkcs7_t *this)
+{
+	return this->certs->create_iterator(this->certs, TRUE);
+}
+
+/**
+ * Implements pkcs7_t.destroy
+ */
+static void destroy(private_pkcs7_t *this)
+{
+	this->certs->destroy_offset(this->certs, offsetof(x509_t, destroy));
+	free(this->data.ptr);
+	free(this);
+}
+
+/**
+ * Parse PKCS#7 contentInfo object
+ */
+static bool parse_contentInfo(chunk_t blob, u_int level0, private_pkcs7_t *cInfo)
+{
+	asn1_ctx_t ctx;
+	chunk_t object;
+	u_int level;
+	int objectID = 0;
+
+	asn1_init(&ctx, blob, level0, FALSE, FALSE);
+
+	while (objectID < PKCS7_INFO_ROOF)
+	{
+		if (!extract_object(contentInfoObjects, &objectID, &object, &level, &ctx))
+		{
+			return FALSE;
+		}
+
+		if (objectID == PKCS7_INFO_TYPE)
+		{
+			cInfo->type = known_oid(object);
+			if (cInfo->type < OID_PKCS7_DATA
+			||  cInfo->type > OID_PKCS7_ENCRYPTED_DATA)
+			{
+				DBG1("unknown pkcs7 content type");
+				return FALSE;
+			}
+		}
+		else if (objectID == PKCS7_INFO_CONTENT)
+		{
+			cInfo->content = object;
+		}
+		objectID++;
+	}
+	return TRUE;
+}
+
+/*
+ * Described in header.
+ */
+pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level)
+{
+	private_pkcs7_t *this = malloc_thing(private_pkcs7_t);
+	
+	/* initialize */
+	this->type = OID_UNKNOWN;
+	this->content = chunk_empty;
+	this->parsed = FALSE;
+	this->level = level + 2;
+	this->data = chunk_empty;
+	this->attributes = chunk_empty;
+	this->certs = linked_list_create();
+
+	/*public functions */
+	this->public.is_data = (bool (*) (pkcs7_t*))is_data;
+	this->public.is_signedData = (bool (*) (pkcs7_t*))is_signedData;
+	this->public.is_envelopedData = (bool (*) (pkcs7_t*))is_envelopedData;
+	this->public.parse_data = (bool (*) (pkcs7_t*))parse_data;
+	this->public.parse_signedData = (bool (*) (pkcs7_t*,x509_t*))parse_signedData;
+	this->public.parse_envelopedData = (bool (*) (pkcs7_t*,chunk_t,rsa_private_key_t*))parse_envelopedData;
+	this->public.get_data = (chunk_t (*) (pkcs7_t*))get_data;
+	this->public.create_certificate_iterator = (iterator_t* (*) (pkcs7_t*))create_certificate_iterator;
+	this->public.destroy = (void (*) (pkcs7_t*))destroy;
+
+	if (!parse_contentInfo(chunk, level, this))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libstrongswan/crypto/pkcs7.h b/src/libstrongswan/crypto/pkcs7.h
new file mode 100644
index 000000000..c8434225a
--- /dev/null
+++ b/src/libstrongswan/crypto/pkcs7.h
@@ -0,0 +1,132 @@
+/**
+ * @file pkcs7.h
+ * 
+ * @brief Interface of pkcs7_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2005 Jan Hutter, Martin Willi
+ * Copyright (C) 2002-2007 Andreas Steffen
+ *
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: pkcs7.h 3302 2007-10-12 21:57:20Z andreas $
+ */
+
+#ifndef _PKCS7_H
+#define _PKCS7_H
+
+typedef struct pkcs7_t pkcs7_t;
+
+#include <library.h>
+#include <crypto/x509.h>
+#include <crypto/rsa/rsa_private_key.h>
+#include <utils/iterator.h>
+
+/**
+ * @brief PKCS#7 contentInfo object.
+ * 
+ * @b Constructors:
+ *  -pkcs7_create_from_chunk()
+ *
+ * @ingroup crypto
+ */
+struct pkcs7_t {
+	/**
+	 * @brief Check if the PKCS#7 contentType is data
+	 * 
+	 * @param this			calling object
+	 * @return				TRUE if the contentType is data
+	 */
+	bool (*is_data) (pkcs7_t *this);
+
+	/**
+	 * @brief Check if the PKCS#7 contentType is signedData
+	 * 
+	 * @param this			calling object
+	 * @return				TRUE if the contentType is signedData
+	 */
+	bool (*is_signedData) (pkcs7_t *this);
+
+	/**
+	 * @brief Check if the PKCS#7 contentType is envelopedData
+	 * 
+	 * @param this			calling object
+	 * @return				TRUE if the contentType is envelopedData
+	 */
+	bool (*is_envelopedData) (pkcs7_t *this);
+
+	/**
+	 * @brief Parse a PKCS#7 data content.
+	 * 
+	 * @param this			calling object
+	 * @return				TRUE if parsing was successful
+	 */
+	bool (*parse_data) (pkcs7_t *this);
+
+	/**
+	 * @brief Parse a PKCS#7 signedData content.
+	 * 
+	 * @param this			calling object
+	 * @param cacert		cacert used to verify the signature
+	 * @return				TRUE if parsing was successful
+	 */
+	bool (*parse_signedData) (pkcs7_t *this, x509_t *cacert);
+
+	/**
+	 * @brief Parse a PKCS#7 envelopedData content.
+	 * 
+	 * @param this			calling object
+	 * @param serialNumber	serialNumber of the request
+	 * @param key			RSA private key used to decrypt the symmetric key
+	 * @return				TRUE if parsing was successful
+	 */
+	bool (*parse_envelopedData) (pkcs7_t *this, chunk_t serialNumber, rsa_private_key_t *key);
+
+	/**
+	 * @brief Returns the parsed data object
+	 *
+	 * @param this			calling object
+	 * @return				chunk containing the data object
+	 */
+	chunk_t (*get_data) (pkcs7_t *this);
+
+	/**
+	 * @brief Create an iterator for the certificates.
+	 * 
+	 * @param this				calling object
+	 * @return					iterator for the certificates
+	 */
+	iterator_t *(*create_certificate_iterator) (pkcs7_t *this);
+
+	/**
+	 * @brief Destroys the contentInfo object.
+	 *
+	 * @param this			PKCS#7 contentInfo object to destroy
+	 */
+	void (*destroy) (pkcs7_t *this);
+};
+
+/**
+ * @brief Read a PKCS#7 contentInfo object from a DER encoded chunk.
+ * 
+ * @param chunk		chunk containing DER encoded data
+ * @param level		ASN.1 parsing start level
+ * @return 			created pkcs7_contentInfo object, or NULL if invalid.
+ * 
+ * @ingroup crypto
+ */
+pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level);
+
+#endif /* _PKCS7_H */
diff --git a/src/libstrongswan/crypto/rsa/rsa_private_key.c b/src/libstrongswan/crypto/rsa/rsa_private_key.c
index 5b1647965..ec2f2fc74 100644
--- a/src/libstrongswan/crypto/rsa/rsa_private_key.c
+++ b/src/libstrongswan/crypto/rsa/rsa_private_key.c
@@ -19,6 +19,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: rsa_private_key.c 3306 2007-10-17 02:55:53Z andreas $
  */
 
 #include <gmp.h>
@@ -29,33 +31,21 @@
 #include "rsa_public_key.h"
 #include "rsa_private_key.h"
 
+#include <debug.h>
 #include <asn1/asn1.h>
 #include <asn1/pem.h>
 #include <utils/randomizer.h>
 
 /**
- * OIDs for hash algorithms are defined in rsa_public_key.c.
- */
-extern u_int8_t md2_oid[18];
-extern u_int8_t md5_oid[18];
-extern u_int8_t sha1_oid[15];
-extern u_int8_t sha256_oid[19];
-extern u_int8_t sha384_oid[19];
-extern u_int8_t sha512_oid[19];
-
-
-/**
  * defined in rsa_public_key.c
  */
 extern chunk_t rsa_public_key_info_to_asn1(const mpz_t n, const mpz_t e);
 
-
 /**
  *  Public exponent to use for key generation.
  */
 #define PUBLIC_EXPONENT 0x10001
 
-
 typedef struct private_rsa_private_key_t private_rsa_private_key_t;
 
 /**
@@ -153,23 +143,23 @@ struct private_rsa_private_key_t {
 
 /* ASN.1 definition of a PKCS#1 RSA private key */
 static const asn1Object_t privkey_objects[] = {
-	{ 0, "RSAPrivateKey",		ASN1_SEQUENCE,     ASN1_NONE }, /*  0 */
-	{ 1,   "version",			ASN1_INTEGER,      ASN1_BODY }, /*  1 */
-	{ 1,   "modulus",			ASN1_INTEGER,      ASN1_BODY }, /*  2 */
-	{ 1,   "publicExponent",	ASN1_INTEGER,      ASN1_BODY }, /*  3 */
-	{ 1,   "privateExponent",	ASN1_INTEGER,      ASN1_BODY }, /*  4 */
-	{ 1,   "prime1",			ASN1_INTEGER,      ASN1_BODY }, /*  5 */
-	{ 1,   "prime2",			ASN1_INTEGER,      ASN1_BODY }, /*  6 */
-	{ 1,   "exponent1",			ASN1_INTEGER,      ASN1_BODY }, /*  7 */
-	{ 1,   "exponent2",			ASN1_INTEGER,      ASN1_BODY }, /*  8 */
-	{ 1,   "coefficient",		ASN1_INTEGER,      ASN1_BODY }, /*  9 */
-	{ 1,   "otherPrimeInfos",	ASN1_SEQUENCE,     ASN1_OPT |
-												   ASN1_LOOP }, /* 10 */
-	{ 2,     "otherPrimeInfo",	ASN1_SEQUENCE,     ASN1_NONE }, /* 11 */
-	{ 3,       "prime",			ASN1_INTEGER,      ASN1_BODY }, /* 12 */
-	{ 3,       "exponent",		ASN1_INTEGER,      ASN1_BODY }, /* 13 */
-	{ 3,       "coefficient",	ASN1_INTEGER,      ASN1_BODY }, /* 14 */
-	{ 1,   "end opt or loop",	ASN1_EOC,          ASN1_END  }  /* 15 */
+	{ 0, "RSAPrivateKey",		ASN1_SEQUENCE,	ASN1_NONE }, /*  0 */
+	{ 1,   "version",			ASN1_INTEGER,	ASN1_BODY }, /*  1 */
+	{ 1,   "modulus",			ASN1_INTEGER,	ASN1_BODY }, /*  2 */
+	{ 1,   "publicExponent",	ASN1_INTEGER,	ASN1_BODY }, /*  3 */
+	{ 1,   "privateExponent",	ASN1_INTEGER,	ASN1_BODY }, /*  4 */
+	{ 1,   "prime1",			ASN1_INTEGER,	ASN1_BODY }, /*  5 */
+	{ 1,   "prime2",			ASN1_INTEGER,	ASN1_BODY }, /*  6 */
+	{ 1,   "exponent1",			ASN1_INTEGER,	ASN1_BODY }, /*  7 */
+	{ 1,   "exponent2",			ASN1_INTEGER,	ASN1_BODY }, /*  8 */
+	{ 1,   "coefficient",		ASN1_INTEGER,	ASN1_BODY }, /*  9 */
+	{ 1,   "otherPrimeInfos",	ASN1_SEQUENCE,	ASN1_OPT |
+												ASN1_LOOP }, /* 10 */
+	{ 2,     "otherPrimeInfo",	ASN1_SEQUENCE,	ASN1_NONE }, /* 11 */
+	{ 3,       "prime",			ASN1_INTEGER,	ASN1_BODY }, /* 12 */
+	{ 3,       "exponent",		ASN1_INTEGER,	ASN1_BODY }, /* 13 */
+	{ 3,       "coefficient",	ASN1_INTEGER,	ASN1_BODY }, /* 14 */
+	{ 1,   "end opt or loop",	ASN1_EOC,		ASN1_END  }  /* 15 */
 };
 
 #define PRIV_KEY_VERSION		 1
@@ -186,6 +176,26 @@ static const asn1Object_t privkey_objects[] = {
 static private_rsa_private_key_t *rsa_private_key_create_empty(void);
 
 /**
+ * Auxiliary function overwriting private key material with
+ * pseudo-random bytes before releasing it
+ */
+static void mpz_clear_randomized(mpz_t z)
+{
+	size_t len = mpz_size(z) * GMP_LIMB_BITS / BITS_PER_BYTE;
+	u_int8_t *random_bytes = alloca(len);
+
+	randomizer_t *randomizer = randomizer_create();
+	
+	randomizer->get_pseudo_random_bytes(randomizer, len, random_bytes);
+
+	/* overwrite mpz_t with pseudo-random bytes before clearing it */
+	mpz_import(z, len, 1, 1, 1, 0, random_bytes);
+	mpz_clear(z);
+
+	randomizer->destroy(randomizer);
+}
+
+/**
  * Implementation of private_rsa_private_key_t.compute_prime.
  */
 static status_t compute_prime(private_rsa_private_key_t *this, size_t prime_size, mpz_t *prime)
@@ -216,7 +226,8 @@ static status_t compute_prime(private_rsa_private_key_t *this, size_t prime_size
 		/* get next prime */
 		mpz_nextprime (*prime, *prime);
 		
-		free(random_bytes.ptr);
+		/* free the random_bytes after overwriting them with a pseudo-random sequence */
+		chunk_free_randomized(&random_bytes);
 	}
 	/* check if it isnt too large */
 	while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size);
@@ -251,59 +262,96 @@ static chunk_t rsadp(private_rsa_private_key_t *this, chunk_t data)
 	decrypted.len = this->k;
 	decrypted.ptr = mpz_export(NULL, NULL, 1, decrypted.len, 1, 0, t1);
 	
-	mpz_clear(t1);
-	mpz_clear(t2);
+	mpz_clear_randomized(t1);
+	mpz_clear_randomized(t2);
 	
 	return decrypted;
 }
 
 /**
- * Implementation of rsa_private_key.build_emsa_signature.
+ * Implementation of rsa_private_key_t.eme_pkcs1_decrypt.
  */
-static status_t build_emsa_pkcs1_signature(private_rsa_private_key_t *this, hash_algorithm_t hash_algorithm, chunk_t data, chunk_t *signature)
+static status_t pkcs1_decrypt(private_rsa_private_key_t *this,
+							  chunk_t in, chunk_t *out)
+{
+	status_t status = FAILED;
+	chunk_t em, em_ori;
+
+	/* decrypt the input data */
+	em = em_ori = this->rsadp(this, in);
+
+	/* PKCS#1 v1.5 EME encryption formatting
+	 * EM = 00 || 02 || PS || 00 || M
+	 * PS = pseudo-random nonzero octets
+	 */
+
+	/* check for magic bytes */
+	if (*(em.ptr) != 0x00 || *(em.ptr+1) != 0x02)
+	{
+		DBG1("incorrect padding - probably wrong RSA key");
+		goto end;
+	}
+	em.ptr += 2;
+	em.len -= 2;
+
+	/* the plaintext data starts after first 0x00 byte */
+	while (em.len-- > 0 && *em.ptr++ != 0x00);
+
+	if (em.len == 0)
+	{
+		DBG1("no plaintext data found");
+		goto end;
+	}
+
+    *out = chunk_clone(em);
+    status = SUCCESS;
+
+end:
+	free(em_ori.ptr);
+	return status;
+}
+
+/**
+ * Implementation of rsa_private_key_t.build_emsa_pkcs1_signature.
+ */
+static status_t build_emsa_pkcs1_signature(private_rsa_private_key_t *this,
+										   hash_algorithm_t hash_algorithm,
+										   chunk_t data, chunk_t *signature)
 {
 	hasher_t *hasher;
-	chunk_t hash;
-	chunk_t em;
-	chunk_t oid;
+	chunk_t em, digestInfo, hash_id, hash;
 	
 	/* get oid string prepended to hash */
 	switch (hash_algorithm)
 	{	
 		case HASH_MD2:
 		{
-			oid.ptr = md2_oid;
-			oid.len = sizeof(md2_oid);
+			hash_id =ASN1_md2_id;
 			break;
 		}
 		case HASH_MD5:
 		{
-			oid.ptr = md5_oid;
-			oid.len = sizeof(md5_oid);
+			hash_id = ASN1_md5_id;
 			break;
 		}
 		case HASH_SHA1:
 		{
-			oid.ptr = sha1_oid;
-			oid.len = sizeof(sha1_oid);
+			hash_id = ASN1_sha1_id;
 			break;
 		}
 		case HASH_SHA256:
 		{
-			oid.ptr = sha256_oid;
-			oid.len = sizeof(sha256_oid);
+			hash_id = ASN1_sha256_id;
 			break;
 		}
 		case HASH_SHA384:
 		{
-			oid.ptr = sha384_oid;
-			oid.len = sizeof(sha384_oid);
+			hash_id = ASN1_sha384_id;
 			break;
 		}
 		case HASH_SHA512:
 		{
-			oid.ptr = sha512_oid;
-			oid.len = sizeof(sha512_oid);
+			hash_id = ASN1_sha512_id;
 			break;
 		}
 		default:
@@ -323,10 +371,17 @@ static status_t build_emsa_pkcs1_signature(private_rsa_private_key_t *this, hash
 	hasher->allocate_hash(hasher, data, &hash);
 	hasher->destroy(hasher);
 	
+	/* build DER-encoded digestInfo */
+	digestInfo = asn1_wrap(ASN1_SEQUENCE, "cm",
+					hash_id,
+					asn1_simple_object(ASN1_OCTET_STRING, hash)
+				  );
+	chunk_free(&hash);
+
 	/* build chunk to rsa-decrypt:
 	 * EM = 0x00 || 0x01 || PS || 0x00 || T. 
 	 * PS = 0xFF padding, with length to fill em
-	 * T = oid || hash
+	 * T = encoded_hash
 	 */
 	em.len = this->k;
 	em.ptr = malloc(em.len);
@@ -336,78 +391,44 @@ static status_t build_emsa_pkcs1_signature(private_rsa_private_key_t *this, hash
 	/* set magic bytes */
 	*(em.ptr) = 0x00;
 	*(em.ptr+1) = 0x01;
-	*(em.ptr + em.len - hash.len - oid.len - 1) = 0x00;
-	/* set hash */
-	memcpy(em.ptr + em.len - hash.len, hash.ptr, hash.len);
-	/* set oid */
-	memcpy(em.ptr + em.len - hash.len - oid.len, oid.ptr, oid.len);
-	
+	*(em.ptr + em.len - digestInfo.len - 1) = 0x00;
+	/* set DER-encoded hash */
+	memcpy(em.ptr + em.len - digestInfo.len, digestInfo.ptr, digestInfo.len);
+
 	/* build signature */
 	*signature = this->rsasp1(this, em);
 	
-	free(hash.ptr);
+	free(digestInfo.ptr);
 	free(em.ptr);
 	
 	return SUCCESS;	
 }
 
 /**
- * Implementation of rsa_private_key.get_key.
+ * Implementation of rsa_private_key_t.pkcs1_write.
  */
-static status_t get_key(private_rsa_private_key_t *this, chunk_t *key)
-{	
-	chunk_t n, e, p, q, d, exp1, exp2, coeff;
-
-	n.len = this->k;
-	n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, this->n);
-	e.len = this->k;
-	e.ptr = mpz_export(NULL, NULL, 1, e.len, 1, 0, this->e);
-	p.len = this->k;
-	p.ptr = mpz_export(NULL, NULL, 1, p.len, 1, 0, this->p);
-	q.len = this->k;
-	q.ptr = mpz_export(NULL, NULL, 1, q.len, 1, 0, this->q);
-	d.len = this->k;
-	d.ptr = mpz_export(NULL, NULL, 1, d.len, 1, 0, this->d);
-	exp1.len = this->k;
-	exp1.ptr = mpz_export(NULL, NULL, 1, exp1.len, 1, 0, this->exp1);
-	exp2.len = this->k;
-	exp2.ptr = mpz_export(NULL, NULL, 1, exp2.len, 1, 0, this->exp2);
-	coeff.len = this->k;
-	coeff.ptr = mpz_export(NULL, NULL, 1, coeff.len, 1, 0, this->coeff);
-	
-	key->len = this->k * 8;
-	key->ptr = malloc(key->len);
-	memcpy(key->ptr + this->k * 0, n.ptr , n.len);
-	memcpy(key->ptr + this->k * 1, e.ptr, e.len);
-	memcpy(key->ptr + this->k * 2, p.ptr, p.len);
-	memcpy(key->ptr + this->k * 3, q.ptr, q.len);
-	memcpy(key->ptr + this->k * 4, d.ptr, d.len);
-	memcpy(key->ptr + this->k * 5, exp1.ptr, exp1.len);
-	memcpy(key->ptr + this->k * 6, exp2.ptr, exp2.len);
-	memcpy(key->ptr + this->k * 7, coeff.ptr, coeff.len);
-	
-	free(n.ptr);
-	free(e.ptr);
-	free(p.ptr);
-	free(q.ptr);
-	free(d.ptr);
-	free(exp1.ptr);
-	free(exp2.ptr);
-	free(coeff.ptr);
-	
-	return SUCCESS;
-}
-
-/**
- * Implementation of rsa_private_key.save_key.
- */
-static status_t save_key(private_rsa_private_key_t *this, char *file)
+static bool pkcs1_write(private_rsa_private_key_t *this, const char *filename, bool force)
 {
-	return NOT_SUPPORTED;
+	bool status;
+
+    chunk_t pkcs1 = asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm",
+						ASN1_INTEGER_0,
+						asn1_integer_from_mpz(this->n),
+						asn1_integer_from_mpz(this->e),
+						asn1_integer_from_mpz(this->d),
+						asn1_integer_from_mpz(this->p),
+						asn1_integer_from_mpz(this->q),
+						asn1_integer_from_mpz(this->exp1),
+						asn1_integer_from_mpz(this->exp2),
+						asn1_integer_from_mpz(this->coeff));
+
+	status = chunk_write(pkcs1, filename, "pkcs1", 0066, force);
+	chunk_free_randomized(&pkcs1);
+	return status;
 }
 
 /**
- * Implementation of rsa_private_key.get_public_key.
+ * Implementation of rsa_private_key_t.get_public_key.
  */
 rsa_public_key_t *get_public_key(private_rsa_private_key_t *this)
 {
@@ -510,47 +531,26 @@ static status_t check(private_rsa_private_key_t *this)
 		status = FAILED;
 	}
 	
-	mpz_clear(t);
-	mpz_clear(u);
-	mpz_clear(q1);
+	mpz_clear_randomized(t);
+	mpz_clear_randomized(u);
+	mpz_clear_randomized(q1);
 	return status;
 }
 
 /**
- * Implementation of rsa_private_key.clone.
- */
-static rsa_private_key_t* _clone(private_rsa_private_key_t *this)
-{
-	private_rsa_private_key_t *clone = rsa_private_key_create_empty();
-	
-	mpz_init_set(clone->n, this->n);
-	mpz_init_set(clone->e, this->e);
-	mpz_init_set(clone->p, this->p);
-	mpz_init_set(clone->q, this->q);
-	mpz_init_set(clone->d, this->d);
-	mpz_init_set(clone->exp1, this->exp1);
-	mpz_init_set(clone->exp2, this->exp2);
-	mpz_init_set(clone->coeff, this->coeff);
-	clone->keyid = chunk_clone(this->keyid);
-	clone->k = this->k;
-	
-	return &clone->public;
-}
-
-/**
  * Implementation of rsa_private_key.destroy.
  */
 static void destroy(private_rsa_private_key_t *this)
 {
-	mpz_clear(this->n);
-	mpz_clear(this->e);
-	mpz_clear(this->p);
-	mpz_clear(this->q);
-	mpz_clear(this->d);
-	mpz_clear(this->exp1);
-	mpz_clear(this->exp2);
-	mpz_clear(this->coeff);
-	free(this->keyid.ptr);
+	mpz_clear_randomized(this->n);
+	mpz_clear_randomized(this->e);
+	mpz_clear_randomized(this->p);
+	mpz_clear_randomized(this->q);
+	mpz_clear_randomized(this->d);
+	mpz_clear_randomized(this->exp1);
+	mpz_clear_randomized(this->exp2);
+	mpz_clear_randomized(this->coeff);
+	chunk_free_randomized(&this->keyid);
 	free(this);
 }
 
@@ -562,12 +562,11 @@ static private_rsa_private_key_t *rsa_private_key_create_empty(void)
 	private_rsa_private_key_t *this = malloc_thing(private_rsa_private_key_t);
 	
 	/* public functions */
+	this->public.pkcs1_decrypt = (status_t (*) (rsa_private_key_t*,chunk_t,chunk_t*))pkcs1_decrypt;
 	this->public.build_emsa_pkcs1_signature = (status_t (*) (rsa_private_key_t*,hash_algorithm_t,chunk_t,chunk_t*))build_emsa_pkcs1_signature;
-	this->public.get_key = (status_t (*) (rsa_private_key_t*,chunk_t*))get_key;
-	this->public.save_key = (status_t (*) (rsa_private_key_t*,char*))save_key;
-	this->public.get_public_key = (rsa_public_key_t *(*) (rsa_private_key_t*))get_public_key;
+	this->public.pkcs1_write = (bool (*) (rsa_private_key_t*,const char*,bool))pkcs1_write;
+	this->public.get_public_key = (rsa_public_key_t* (*) (rsa_private_key_t*))get_public_key;
 	this->public.belongs_to = (bool (*) (rsa_private_key_t*,rsa_public_key_t*))belongs_to;
-	this->public.clone = (rsa_private_key_t*(*)(rsa_private_key_t*))_clone;
 	this->public.destroy = (void (*) (rsa_private_key_t*))destroy;
 	
 	/* private functions */
@@ -575,6 +574,8 @@ static private_rsa_private_key_t *rsa_private_key_create_empty(void)
 	this->rsasp1 = rsadp; /* same algorithm */
 	this->compute_prime = compute_prime;
 	
+	this->keyid = chunk_empty;
+	
 	return this;
 }
 
@@ -613,9 +614,7 @@ rsa_private_key_t *rsa_private_key_create(size_t key_size)
 	/* Swapping Primes so p is larger then q */
 	if (mpz_cmp(p, q) < 0)
 	{
-		mpz_set(t, p);
-		mpz_set(p, q);
-		mpz_set(q, t);
+		mpz_swap(p, q);
 	}
 	
 	mpz_mul(n, p, q);						/* n = p*q */
@@ -645,9 +644,9 @@ rsa_private_key_t *rsa_private_key_create(size_t key_size)
 		mpz_add(coeff, coeff, p);
 	}
 
-	mpz_clear(q1);
-	mpz_clear(m);
-	mpz_clear(t);
+	mpz_clear_randomized(q1);
+	mpz_clear_randomized(m);
+	mpz_clear_randomized(t);
 
 	/* apply values */
 	*(this->p) = *p;
@@ -733,7 +732,7 @@ rsa_private_key_t *rsa_private_key_create_from_chunk(chunk_t blob)
 		objectID++;
 	}
 	
-	this->k = (mpz_sizeinbase(this->n, 2) + 7) / 8;
+	this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
 
 	/* form the keyid as a SHA-1 hash of a publicKeyInfo object */
 	{
@@ -769,6 +768,6 @@ rsa_private_key_t *rsa_private_key_create_from_file(char *filename, chunk_t *pas
 		return NULL;
 
 	key = rsa_private_key_create_from_chunk(chunk);
-	free(chunk.ptr);
+	chunk_free_randomized(&chunk);
 	return key;
 }
diff --git a/src/libstrongswan/crypto/rsa/rsa_private_key.h b/src/libstrongswan/crypto/rsa/rsa_private_key.h
index 9ec07704e..e5cf49810 100644
--- a/src/libstrongswan/crypto/rsa/rsa_private_key.h
+++ b/src/libstrongswan/crypto/rsa/rsa_private_key.h
@@ -19,6 +19,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: rsa_private_key.h 3296 2007-10-12 15:23:29Z andreas $
  */
 
 #ifndef RSA_PRIVATE_KEY_H_
@@ -42,13 +44,24 @@ typedef struct rsa_private_key_t rsa_private_key_t;
  * 
  * @see rsa_public_key_t
  *
- * @todo Implement get_key(), save_key(), get_public_key()
- *
  * @ingroup rsa
  */
 struct rsa_private_key_t {
 
 	/**
+	 * @brief Decrypt a data block based on EME-PKCS1 encoding.
+	 * 
+	 * 
+	 * @param this				calling object
+	 * @param data				encrypted input data
+	 * @param out				decrypted output data
+	 * @return
+	 * 							- SUCCESS
+	 * 							- FAILED if padding is not correct
+	 */
+	status_t (*pkcs1_decrypt) (rsa_private_key_t *this, chunk_t in, chunk_t *out);
+
+	/**
 	 * @brief Build a signature over a chunk using EMSA-PKCS1 encoding.
 	 * 
 	 * This signature creates a hash using the specified hash algorithm, concatenates
@@ -67,45 +80,17 @@ struct rsa_private_key_t {
 	status_t (*build_emsa_pkcs1_signature) (rsa_private_key_t *this, hash_algorithm_t hash_algorithm, chunk_t data, chunk_t *signature);
 	
 	/**
-	 * @brief Gets the key.
-	 * 
-	 * UNIMPLEMENTED!
-	 * 
+	 * @brief Writes an RSA private key to a file in PKCS#1 format.
+	 *
 	 * @param this				calling object
-	 * @param key				key (in a propriarity format)
-	 * @return					
-	 * 							- SUCCESS
-	 * 							- INVALID_STATE, if key not set
+	 * @param filename			file to which the key should be written.
+	 * @param force				if TRUE overwrite existing file
+	 * @return					TRUE if successful - FALSE otherwise
 	 */
-	status_t (*get_key) (rsa_private_key_t *this, chunk_t *key);
+	bool (*pkcs1_write) (rsa_private_key_t *this, const char *filename, bool force);
 	
 	/**
-	 * @brief Saves a key to a file.
-	 * 
-	 * Not implemented!
-	 * 
-	 * @param this				calling object
-	 * @param file				file to which the key should be written.
-	 * @return					NOT_SUPPORTED
-	 */
-	status_t (*save_key) (rsa_private_key_t *this, char *file);
-	
-	/**
-	 * @brief Generate a new key.
-	 * 
-	 * Generates a new private_key with specified key size
-	 * 
-	 * @param this				calling object
-	 * @param key_size			size of the key in bits
-	 * @return					
-	 * 							- SUCCESS
-	 * 							- INVALID_ARG if key_size invalid
-	 */
-	status_t (*generate_key) (rsa_private_key_t *this, size_t key_size);
-	
-	/**
-	 * @brief Create a rsa_public_key_t with the public
-	 * parts of the key.
+	 * @brief Create a rsa_public_key_t with the public part of the key.
 	 * 
 	 * @param this				calling object
 	 * @return					public_key
@@ -125,14 +110,6 @@ struct rsa_private_key_t {
 	bool (*belongs_to) (rsa_private_key_t *this, rsa_public_key_t *public);
 	
 	/**
-	 * @brief Clone the private key.
-	 * 
-	 * @param this				private key to clone
-	 * @return					clone of this
-	 */
-	rsa_private_key_t *(*clone) (rsa_private_key_t *this);
-	
-	/**
 	 * @brief Destroys the private key.
 	 * 
 	 * @param this				private key to destroy
diff --git a/src/libstrongswan/crypto/rsa/rsa_public_key.c b/src/libstrongswan/crypto/rsa/rsa_public_key.c
index 38899670f..6f2158d2b 100644
--- a/src/libstrongswan/crypto/rsa/rsa_public_key.c
+++ b/src/libstrongswan/crypto/rsa/rsa_public_key.c
@@ -19,6 +19,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: rsa_public_key.c 3303 2007-10-12 22:49:39Z andreas $
  */
  
 #include <gmp.h>
@@ -29,74 +31,13 @@
 
 #include "rsa_public_key.h"
 
+#include <debug.h>
 #include <crypto/hashers/hasher.h>
 #include <asn1/asn1.h>
 #include <asn1/pem.h>
 
-/* 
- * For simplicity, we use these predefined values for hash algorithm OIDs 
- * These also contain the length of the appended hash  
- * These values are also  used in rsa_private_key.c.
- */
-
-const u_int8_t md2_oid[] = {
-	0x30,0x20,
-		 0x30,0x0c,
-			  0x06,0x08,
-				   0x2a,0x86,0x48,0x86,0xf7,0x0d,0x02,0x02,
-			  0x05,0x00,
-		 0x04,0x10
-};
-
-const u_int8_t md5_oid[] = {
-	0x30,0x20,
-		 0x30,0x0c,
-			  0x06,0x08,
-				   0x2a,0x86,0x48,0x86,0xf7,0x0d,0x02,0x05,
-			  0x05,0x00,
-		 0x04,0x10
-};
-
-const u_int8_t sha1_oid[] = {
-	0x30,0x21,
-		 0x30,0x09,
-			  0x06,0x05,
-				   0x2b,0x0e,0x03,0x02,0x1a,
-			  0x05,0x00,
-		 0x04,0x14
-};
-
-const u_int8_t sha256_oid[] = {
-	0x30,0x31,
-		 0x30,0x0d,
-			  0x06,0x09,
-				   0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,
-			  0x05,0x00,
-		 0x04,0x20
-};
-
-const u_int8_t sha384_oid[] = {
-	0x30,0x41,
-		 0x30,0x0d,
-			  0x06,0x09,
-				   0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,
-			  0x05,0x00,
-		 0x04,0x30
-};
-
-const u_int8_t sha512_oid[] = {
-	0x30,0x51,
-		 0x30,0x0d,
-			  0x06,0x09,
-				   0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,
-			  0x05,0x00,
-		 0x04,0x40
-};
-
-#define LARGEST_HASH_OID_SIZE sizeof(sha512_oid)
-
-/* ASN.1 definition public key */
-static const asn1Object_t pubkey_objects[] = {
+/* ASN.1 definition of RSApublicKey */
+static const asn1Object_t pubkeyObjects[] = {
 	{ 0, "RSAPublicKey",		ASN1_SEQUENCE,     ASN1_OBJ  }, /*  0 */
 	{ 1,   "modulus",			ASN1_INTEGER,      ASN1_BODY }, /*  1 */
 	{ 1,   "publicExponent",	ASN1_INTEGER,      ASN1_BODY }, /*  2 */
@@ -107,6 +48,18 @@ static const asn1Object_t pubkey_objects[] = {
 #define PUB_KEY_EXPONENT			2
 #define PUB_KEY_ROOF				3
 
+/* ASN.1 definition of digestInfo */
+static const asn1Object_t digestInfoObjects[] = {
+	{ 0, "digestInfo",			ASN1_SEQUENCE,		ASN1_OBJ  }, /*  0 */
+	{ 1,   "digestAlgorithm",	ASN1_EOC,			ASN1_RAW  }, /*  1 */
+	{ 1,   "digest",			ASN1_OCTET_STRING,	ASN1_BODY }, /*  2 */
+};
+
+#define DIGEST_INFO					0
+#define DIGEST_INFO_ALGORITHM		1
+#define DIGEST_INFO_DIGEST			2
+#define DIGEST_INFO_ROOF			3
+
 typedef struct private_rsa_public_key_t private_rsa_public_key_t;
 
 /**
@@ -186,12 +139,11 @@ static chunk_t rsaep(const private_rsa_public_key_t *this, chunk_t data)
 /**
  * Implementation of rsa_public_key.verify_emsa_pkcs1_signature.
  */
-static status_t verify_emsa_pkcs1_signature(const private_rsa_public_key_t *this, chunk_t data, chunk_t signature)
+static status_t verify_emsa_pkcs1_signature(const private_rsa_public_key_t *this,
+											hash_algorithm_t algorithm,
+											chunk_t data, chunk_t signature)
 {
-	hasher_t *hasher = NULL;
-	chunk_t hash;
-	chunk_t em;
-	u_int8_t *pos;
+	chunk_t em_ori, em;
 	status_t res = FAILED;
 	
 	/* remove any preceding 0-bytes from signature */
@@ -207,7 +159,7 @@ static status_t verify_emsa_pkcs1_signature(const private_rsa_public_key_t *this
 	}
 	
 	/* unpack signature */
-	em = this->rsavp1(this, signature);
+	em_ori = em = this->rsavp1(this, signature);
 	
 	/* result should look like this:
 	 * EM = 0x00 || 0x01 || PS || 0x00 || T. 
@@ -216,141 +168,160 @@ static status_t verify_emsa_pkcs1_signature(const private_rsa_public_key_t *this
 	 */
 	
 	/* check magic bytes */
-	if ((*(em.ptr) != 0x00) || (*(em.ptr+1) != 0x01))
+	if (*(em.ptr) != 0x00 || *(em.ptr+1) != 0x01)
 	{
+		DBG2("incorrect padding - probably wrong RSA key");
 		goto end;
 	}
+	em.ptr += 2;
+	em.len -= 2;
 	
 	/* find magic 0x00 */
-	pos = em.ptr + 2;
-	while (pos <= em.ptr + em.len)
+	while (em.len > 0)
 	{
-		if (*pos == 0x00)
+		if (*em.ptr == 0x00)
 		{
 			/* found magic byte, stop */
-			pos++;
+			em.ptr++;
+			em.len--;
 			break;
 		}
-		else if (*pos != 0xFF)
+		else if (*em.ptr != 0xFF)
 		{
 			/* bad padding, decryption failed ?!*/
 			goto end;
 		}
-		pos++;
+		em.ptr++;
+		em.len--;
 	}
 
-	if (pos + LARGEST_HASH_OID_SIZE > em.ptr + em.len)
-	{
-		/* not enought room for oid compare */
-		goto end;
-	}
-	
-	if (memeq(md2_oid, pos, sizeof(md2_oid)))
-	{
-		hasher = hasher_create(HASH_MD2);
-		pos += sizeof(md2_oid);
-	}
-	else if (memeq(md5_oid, pos, sizeof(md5_oid)))
+	if (em.len == 0)
 	{
-		hasher = hasher_create(HASH_MD5);
-		pos += sizeof(md5_oid);
-	}
-	else if (memeq(sha1_oid, pos, sizeof(sha1_oid)))
-	{
-		hasher = hasher_create(HASH_SHA1);
-		pos += sizeof(sha1_oid);
-	}
-	else if (memeq(sha256_oid, pos, sizeof(sha256_oid)))
-	{
-		hasher = hasher_create(HASH_SHA256);
-		pos += sizeof(sha256_oid);
-	}
-	else if (memeq(sha384_oid, pos, sizeof(sha384_oid)))
-	{
-		hasher = hasher_create(HASH_SHA384);
-		pos += sizeof(sha384_oid);
-	}
-	else if (memeq(sha512_oid, pos, sizeof(sha512_oid)))
-	{
-		hasher = hasher_create(HASH_SHA512);
-		pos += sizeof(sha512_oid);
-	}
-	
-	if (hasher == NULL)
-	{
-		/* unsupported hash algorithm */
-		res = NOT_SUPPORTED;;
+		/* no digestInfo found */
 		goto end;
 	}
-	
-	if (pos + hasher->get_hash_size(hasher) != em.ptr + em.len)
+
+	/* parse ASN.1-based digestInfo */
 	{
-		/* bad length */
-		hasher->destroy(hasher);
-		goto end;
+		asn1_ctx_t ctx;
+		chunk_t object;
+		u_int level;
+		int objectID = 0;
+		hash_algorithm_t hash_algorithm = HASH_UNKNOWN;
+
+		asn1_init(&ctx, em, 0, FALSE, FALSE);
+
+		while (objectID < DIGEST_INFO_ROOF)
+		{
+			if (!extract_object(digestInfoObjects, &objectID, &object, &level, &ctx))
+			{
+				goto end;
+			}
+			switch (objectID)
+			{
+				case DIGEST_INFO:
+					if (em.len > object.len)
+					{
+						DBG1("digestInfo field in signature is followed by %u surplus bytes",
+							 em.len - object.len);
+						goto end;
+					}
+					break;
+				case DIGEST_INFO_ALGORITHM:
+					{
+						int hash_oid = parse_algorithmIdentifier(object, level+1, NULL);
+
+						hash_algorithm = hasher_algorithm_from_oid(hash_oid);
+						if (hash_algorithm == HASH_UNKNOWN
+						|| (algorithm != HASH_UNKNOWN && hash_algorithm != algorithm))
+						{
+							DBG1("wrong hash algorithm used in signature");
+							goto end;
+						}
+					}
+					break;
+				case DIGEST_INFO_DIGEST:
+					{
+						chunk_t hash;
+						hasher_t *hasher = hasher_create(hash_algorithm);
+
+						if (object.len != hasher->get_hash_size(hasher))
+						{
+							DBG1("hash size in signature is %u bytes instead of %u bytes",
+								 object.len, hasher->get_hash_size(hasher));
+							hasher->destroy(hasher);
+							goto end;
+						}
+
+						/* build our own hash */
+						hasher->allocate_hash(hasher, data, &hash);
+						hasher->destroy(hasher);
+	
+						/* compare the hashes */
+						res = memeq(object.ptr, hash.ptr, hash.len) ? SUCCESS : FAILED;
+						free(hash.ptr);
+					}
+					break;
+				default:
+					break;
+			}
+			objectID++;
+		}
 	}
-	
-	/* build our own hash */
-	hasher->allocate_hash(hasher, data, &hash);
-	hasher->destroy(hasher);
-	
-	/* compare the hashes */
-	res = memeq(hash.ptr, pos, hash.len) ? SUCCESS : FAILED;
-	free(hash.ptr);
 
 end:
-	free(em.ptr);
+	free(em_ori.ptr);
 	return res;
 }
-	
+
+
 /**
- * Implementation of rsa_public_key.get_key.
+ * Implementation of rsa_public_key_t.get_modulus.
  */
-static status_t get_key(const private_rsa_public_key_t *this, chunk_t *key)
-{	
-	chunk_t n, e;
-
-	n.len = this->k;
-	n.ptr = mpz_export(NULL, NULL, 1, n.len, 1, 0, this->n);
-	e.len = this->k;
-	e.ptr = mpz_export(NULL, NULL, 1, e.len, 1, 0, this->e);
-	
-	key->len = this->k * 2;
-	key->ptr = malloc(key->len);
-	memcpy(key->ptr, n.ptr, n.len);
-	memcpy(key->ptr + n.len, e.ptr, e.len);
-	free(n.ptr);
-	free(e.ptr);
-	
-	return SUCCESS;
+static mpz_t *get_modulus(const private_rsa_public_key_t *this)
+{
+	return (mpz_t*)&this->n;
 }
 
 /**
- * Implementation of rsa_public_key.save_key.
+ * Implementation of rsa_public_key_t.get_keysize.
  */
-static status_t save_key(const private_rsa_public_key_t *this, char *file)
+static size_t get_keysize(const private_rsa_public_key_t *this)
 {
-	return NOT_SUPPORTED;
+	return this->k;
 }
 
 /**
- * Implementation of rsa_public_key.get_modulus.
+ * Build a DER-encoded publicKeyInfo object from an RSA public key.
+ * Also used in rsa_private_key.c.
  */
-static mpz_t *get_modulus(const private_rsa_public_key_t *this)
+chunk_t rsa_public_key_info_to_asn1(const mpz_t n, const mpz_t e)
 {
-	return (mpz_t*)&this->n;
+	chunk_t rawKey = asn1_wrap(ASN1_SEQUENCE, "mm",
+								 asn1_integer_from_mpz(n),
+								 asn1_integer_from_mpz(e));
+	chunk_t publicKey;
+
+	u_char *pos = build_asn1_object(&publicKey, ASN1_BIT_STRING, 1 + rawKey.len);
+
+	*pos++ = 0x00;
+	memcpy(pos, rawKey.ptr, rawKey.len);
+	free(rawKey.ptr);
+
+	return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_rsaEncryption_id,
+										  publicKey);
 }
 
 /**
- * Implementation of rsa_public_key.get_keysize.
+ * Implementation of rsa_public_key_t.get_publicKeyInfo.
  */
-static size_t get_keysize(const private_rsa_public_key_t *this)
+static chunk_t get_publicKeyInfo(const private_rsa_public_key_t *this)
 {
-	return this->k;
+	return rsa_public_key_info_to_asn1(this->n, this->e);
 }
 
 /**
- * Implementation of rsa_public_key.get_keyid.
+ * Implementation of rsa_public_key_t.get_keyid.
  */
 static chunk_t get_keyid(const private_rsa_public_key_t *this)
 {
@@ -358,7 +329,7 @@ static chunk_t get_keyid(const private_rsa_public_key_t *this)
 }
 
 /**
- * Implementation of rsa_public_key.clone.
+ * Implementation of rsa_public_key_t.clone.
  */
 static rsa_public_key_t* _clone(const private_rsa_public_key_t *this)
 {
@@ -373,7 +344,7 @@ static rsa_public_key_t* _clone(const private_rsa_public_key_t *this)
 }
 
 /**
- * Implementation of rsa_public_key.destroy.
+ * Implementation of rsa_public_key_t.destroy.
  */
 static void destroy(private_rsa_public_key_t *this)
 {
@@ -391,11 +362,10 @@ private_rsa_public_key_t *rsa_public_key_create_empty(void)
 	private_rsa_public_key_t *this = malloc_thing(private_rsa_public_key_t);
 	
 	/* public functions */
-	this->public.verify_emsa_pkcs1_signature = (status_t (*) (const rsa_public_key_t*,chunk_t,chunk_t))verify_emsa_pkcs1_signature;
-	this->public.get_key = (status_t (*) (const rsa_public_key_t*,chunk_t*))get_key;
-	this->public.save_key = (status_t (*) (const rsa_public_key_t*,char*))save_key;
+	this->public.verify_emsa_pkcs1_signature = (status_t (*) (const rsa_public_key_t*,hash_algorithm_t,chunk_t,chunk_t))verify_emsa_pkcs1_signature;
 	this->public.get_modulus = (mpz_t *(*) (const rsa_public_key_t*))get_modulus;
 	this->public.get_keysize = (size_t (*) (const rsa_public_key_t*))get_keysize;
+	this->public.get_publicKeyInfo = (chunk_t (*) (const rsa_public_key_t*))get_publicKeyInfo;
 	this->public.get_keyid = (chunk_t (*) (const rsa_public_key_t*))get_keyid;
 	this->public.clone = (rsa_public_key_t* (*) (const rsa_public_key_t*))_clone;
 	this->public.destroy = (void (*) (rsa_public_key_t*))destroy;
@@ -407,27 +377,6 @@ private_rsa_public_key_t *rsa_public_key_create_empty(void)
 	return this;
 }
 
-/**
- * Build a DER-encoded publicKeyInfo object from an RSA public key.
- * Also used in rsa_private_key.c.
- */
-chunk_t rsa_public_key_info_to_asn1(const mpz_t n, const mpz_t e)
-{
-	chunk_t rawKey = asn1_wrap(ASN1_SEQUENCE, "mm",
-								 asn1_integer_from_mpz(n),
-								 asn1_integer_from_mpz(e));
-	chunk_t publicKey;
-
-	u_char *pos = build_asn1_object(&publicKey, ASN1_BIT_STRING, 1 + rawKey.len);
-
-	*pos++ = 0x00;
-	memcpy(pos, rawKey.ptr, rawKey.len);
-	free(rawKey.ptr);
-
-	return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_rsaEncryption_id,
-										  publicKey);
-}
-
 /*
  * See header
  */
@@ -447,7 +396,7 @@ rsa_public_key_t *rsa_public_key_create_from_chunk(chunk_t blob)
 	
 	while (objectID < PUB_KEY_ROOF) 
 	{
-		if (!extract_object(pubkey_objects, &objectID, &object, &level, &ctx))
+		if (!extract_object(pubkeyObjects, &objectID, &object, &level, &ctx))
 		{
 			destroy(this);
 			return FALSE;
@@ -489,8 +438,9 @@ rsa_public_key_t *rsa_public_key_create_from_file(char *filename)
 	rsa_public_key_t *pubkey = NULL;
 
 	if (!pem_asn1_load_file(filename, NULL, "public key", &chunk, &pgp))
+	{
 		return NULL;
-
+	}
 	pubkey = rsa_public_key_create_from_chunk(chunk);
 	free(chunk.ptr);
 	return pubkey;
diff --git a/src/libstrongswan/crypto/rsa/rsa_public_key.h b/src/libstrongswan/crypto/rsa/rsa_public_key.h
index 1ee54dcc3..0a40c2204 100644
--- a/src/libstrongswan/crypto/rsa/rsa_public_key.h
+++ b/src/libstrongswan/crypto/rsa/rsa_public_key.h
@@ -19,6 +19,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: rsa_public_key.h 3303 2007-10-12 22:49:39Z andreas $
  */
 
 #ifndef RSA_PUBLIC_KEY_H_
@@ -29,6 +31,7 @@ typedef struct rsa_public_key_t rsa_public_key_t;
 #include <gmp.h>
 
 #include <library.h>
+#include <crypto/hashers/hasher.h>
 
 /**
  * @brief RSA public key with associated functions.
@@ -58,6 +61,7 @@ struct rsa_public_key_t {
 	 * 
 	 * @param this				rsa_public_key to use
 	 * @param data				data to sign
+	 # @param algorithm			hash algorithm the signature is based on
 	 * @param signature			signature to verify
 	 * @return
 	 * 							- SUCCESS, if signature ok
@@ -66,34 +70,9 @@ struct rsa_public_key_t {
 	 * 							- INVALID_ARG, if signature is not a signature
 	 * 							- FAILED if signature invalid or unable to verify
 	 */
-	status_t (*verify_emsa_pkcs1_signature) (const rsa_public_key_t *this, chunk_t data, chunk_t signature);
-	
-	/**
-	 * @brief Gets the key.
-	 * 
-	 * Currently uses a proprietary format which is only inteded
-	 * for testing. This should be replaced with a proper
-	 * ASN1 encoded key format, when charon gets the ASN1 
-	 * capabilities.
-	 * 
-	 * @param this				calling object
-	 * @param key				key (in a propriarity format)
-	 * @return					
-	 * 							- SUCCESS
-	 * 							- INVALID_STATE, if key not set
-	 */
-	status_t (*get_key) (const rsa_public_key_t *this, chunk_t *key);
-	
-	/**
-	 * @brief Saves a key to a file.
-	 * 
-	 * Not implemented!
-	 * 
-	 * @param this				calling object
-	 * @param file				file to which the key should be written.
-	 * @return					NOT_SUPPORTED
-	 */
-	status_t (*save_key) (const rsa_public_key_t *this, char *file);
+	status_t (*verify_emsa_pkcs1_signature) (const rsa_public_key_t *this,
+											 hash_algorithm_t algorithm,
+											 chunk_t data, chunk_t signature);
 	
 	/**
 	 * @brief Get the modulus of the key.
@@ -112,6 +91,14 @@ struct rsa_public_key_t {
 	size_t (*get_keysize) (const rsa_public_key_t *this);
 
 	/**
+	 * @brief Get the DER encoded publicKeyInfo object.
+	 * 
+	 * @param this				calling object
+	 * @return					DER encoded publicKeyInfo object
+	 */
+	chunk_t (*get_publicKeyInfo) (const rsa_public_key_t *this);
+
+	/**
 	 * @brief Get the keyid formed as the SHA-1 hash of a publicKeyInfo object.
 	 * 
 	 * @param this				calling object
diff --git a/src/libstrongswan/crypto/signers/hmac_signer.c b/src/libstrongswan/crypto/signers/hmac_signer.c
index 76e1ce50e..ad5b882a6 100644
--- a/src/libstrongswan/crypto/signers/hmac_signer.c
+++ b/src/libstrongswan/crypto/signers/hmac_signer.c
@@ -52,14 +52,19 @@ struct private_hmac_signer_t {
 /**
  * Implementation of signer_t.get_signature.
  */
-static void get_signature (private_hmac_signer_t *this, chunk_t data, u_int8_t *buffer)
+static void get_signature(private_hmac_signer_t *this, chunk_t data, u_int8_t *buffer)
 {
-	u_int8_t full_mac[this->hmac_prf->get_block_size(this->hmac_prf)];
-	
-	this->hmac_prf->get_bytes(this->hmac_prf, data, full_mac);
-
-	/* copy MAC depending on truncation */
-	memcpy(buffer, full_mac, this->block_size);
+	if (buffer == NULL)
+	{	/* append mode */
+		this->hmac_prf->get_bytes(this->hmac_prf, data, NULL);
+	}
+	else
+	{
+		u_int8_t full_mac[this->hmac_prf->get_block_size(this->hmac_prf)];
+		
+		this->hmac_prf->get_bytes(this->hmac_prf, data, full_mac);
+		memcpy(buffer, full_mac, this->block_size);
+	}
 }
 
 /**
@@ -67,18 +72,24 @@ static void get_signature (private_hmac_signer_t *this, chunk_t data, u_int8_t *
  */
 static void allocate_signature (private_hmac_signer_t *this, chunk_t data, chunk_t *chunk)
 {
-	chunk_t signature;
-	u_int8_t full_mac[this->hmac_prf->get_block_size(this->hmac_prf)];
-	
-	this->hmac_prf->get_bytes(this->hmac_prf,data,full_mac);
+	if (chunk == NULL)
+	{	/* append mode */
+		this->hmac_prf->get_bytes(this->hmac_prf, data, NULL);
+	}
+	else
+	{
+		chunk_t signature;
+		u_int8_t full_mac[this->hmac_prf->get_block_size(this->hmac_prf)];
+		
+		this->hmac_prf->get_bytes(this->hmac_prf, data, full_mac);
 
-	signature.ptr = malloc(this->block_size);
-	signature.len = this->block_size;
-	
-	/* copy signature */
-	memcpy(signature.ptr, full_mac, this->block_size);
+		signature.ptr = malloc(this->block_size);
+		signature.len = this->block_size;
+		
+		memcpy(signature.ptr, full_mac, this->block_size);
 
-	*chunk = signature;
+		*chunk = signature;
+	}
 }
 
 /**
diff --git a/src/libstrongswan/crypto/signers/signer.h b/src/libstrongswan/crypto/signers/signer.h
index 0f3709712..4218e4146 100644
--- a/src/libstrongswan/crypto/signers/signer.h
+++ b/src/libstrongswan/crypto/signers/signer.h
@@ -74,6 +74,9 @@ extern enum_name_t *integrity_algorithm_names;
 struct signer_t {
 	/**
 	 * @brief Generate a signature.
+	 *
+	 * If buffer is NULL, data is processed and prepended to a next call until
+	 * buffer is a valid pointer.
 	 * 
 	 * @param this			calling object
 	 * @param data			a chunk containing the data to sign
@@ -83,6 +86,9 @@ struct signer_t {
 	
 	/**
 	 * @brief Generate a signature and allocate space for it.
+	 *
+	 * If chunk is NULL, data is processed and prepended to a next call until
+	 * chunk is a valid chunk pointer.
 	 * 
 	 * @param this			calling object
 	 * @param data			a chunk containing the data to sign
diff --git a/src/libstrongswan/crypto/x509.c b/src/libstrongswan/crypto/x509.c
index 5bf3f26d7..d9093fc62 100755
--- a/src/libstrongswan/crypto/x509.c
+++ b/src/libstrongswan/crypto/x509.c
@@ -23,6 +23,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: x509.c 3301 2007-10-12 21:56:30Z andreas $
  */
 
 #include <gmp.h>
@@ -114,7 +116,7 @@ struct private_x509_t {
 	/**
 	 * Signature algorithm
 	 */
-	int sigAlg;
+	int signatureAlgorithm;
 	
 	/**
 	 * ID representing the certificate issuer
@@ -197,11 +199,6 @@ struct private_x509_t {
 	bool isOcspSigner;
 
 	/**
-	 * Signature algorithm (must be identical to sigAlg)
-	 */
-	int algorithm;
-
-	/**
 	 * Signature
 	 */
 	chunk_t signature;
@@ -445,16 +442,15 @@ static bool parse_basicConstraints(chunk_t blob, int level0)
 	return isCA;
 }
 
-/*
+/**
  * extracts an otherName
  */
-static bool
-parse_otherName(chunk_t blob, int level0)
+static bool parse_otherName(chunk_t blob, int level0)
 {
 	asn1_ctx_t ctx;
 	chunk_t object;
-	int objectID = 0;
 	u_int level;
+	int objectID = 0;
 	int oid = OID_UNKNOWN;
 
 	asn1_init(&ctx, blob, level0, FALSE, FALSE);
@@ -484,7 +480,7 @@ parse_otherName(chunk_t blob, int level0)
 	return TRUE;
 }
 
-/*
+/**
  * extracts a generalName
  */
 static identification_t *parse_generalName(chunk_t blob, int level0)
@@ -544,10 +540,10 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 }
 
 
-/**
- * extracts one or several GNs and puts them into a chained list
+/*
+ * Defined in header.
  */
-void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
+void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list)
 {
 	asn1_ctx_t ctx;
 	chunk_t object;
@@ -589,10 +585,10 @@ static chunk_t parse_keyIdentifier(chunk_t blob, int level0, bool implicit)
 	return object;
 }
 
-/**
- * extracts an authoritykeyIdentifier
+/*
+ * Defined in header.
  */
-void parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID, chunk_t *authKeySerialNumber)
+void x509_parse_authorityKeyIdentifier(chunk_t blob, int level0 , chunk_t *authKeyID, chunk_t *authKeySerialNumber)
 {
 	asn1_ctx_t ctx;
 	chunk_t object;
@@ -639,8 +635,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, linked_list_t *l
 	chunk_t object;
 	u_int level;
 	int objectID = 0;
-	
-	u_int accessMethod = OID_UNKNOWN;
+	int accessMethod = OID_UNKNOWN;
 	
 	asn1_init(&ctx, blob, level0, FALSE, FALSE);
 	while (objectID < AUTH_INFO_ACCESS_ROOF)
@@ -659,15 +654,26 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, linked_list_t *l
 				switch (accessMethod)
 				{
 					case OID_OCSP:
-						if (*object.ptr == ASN1_CONTEXT_S_6)
+					case OID_CA_ISSUERS:
 						{
 							identification_t *accessLocation;
 
-							if (asn1_length(&object) == ASN1_INVALID_LENGTH)
+							accessLocation = parse_generalName(object, level+1);
+							if (accessLocation == NULL)
+							{
+								/* parsing went wrong - abort */
 								return;
-							DBG2("  '%.*s'",(int)object.len, object.ptr);
-							accessLocation = identification_create_from_encoding(ID_DER_ASN1_GN_URI, object);
-							list->insert_last(list, (void *)accessLocation);
+							}
+							DBG2("  '%D'", accessLocation);
+							if (accessMethod == OID_OCSP)
+							{
+								list->insert_last(list, (void *)accessLocation);
+							}
+							else
+							{
+								/* caIsssuer accessLocation is not used yet */
+								accessLocation->destroy(accessLocation);
+							}
 						}
 						break;
 					default:
@@ -731,7 +737,7 @@ static void parse_crlDistributionPoints(chunk_t blob, int level0, linked_list_t
 		if (objectID == CRL_DIST_POINTS_FULLNAME)
 		{
 			/* append extracted generalNames to existing chained list */
-			parse_generalNames(object, level+1, TRUE, list);
+			x509_parse_generalNames(object, level+1, TRUE, list);
 
 		}
 		objectID++;
@@ -748,8 +754,8 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this)
 	bool critical;
 	chunk_t object;
 	u_int level;
-	u_int extn_oid = OID_UNKNOWN;
 	int objectID = 0;
+	int extn_oid = OID_UNKNOWN;
 	
 	asn1_init(&ctx, blob, level0, FALSE, FALSE);
 	while (objectID < X509_OBJ_ROOF)
@@ -778,7 +784,7 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this)
 				this->serialNumber = object;
 				break;
 			case X509_OBJ_SIG_ALG:
-				this->sigAlg = parse_algorithmIdentifier(object, level, NULL);
+				this->signatureAlgorithm = parse_algorithmIdentifier(object, level, NULL);
 				break;
 			case X509_OBJ_ISSUER:
 				this->issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
@@ -797,7 +803,7 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this)
 			case X509_OBJ_SUBJECT_PUBLIC_KEY_ALGORITHM:
 				if (parse_algorithmIdentifier(object, level, NULL) != OID_RSA_ENCRYPTION)
 				{
-					DBG2("  unsupported public key algorithm");
+					DBG1("  unsupported public key algorithm");
 					return FALSE;
 				}
 				break;
@@ -809,7 +815,7 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this)
 				}
 				else
 				{
-					DBG2("  invalid RSA public key format");
+					DBG1("  invalid RSA public key format");
 					return FALSE;
 				}
 				break;
@@ -831,7 +837,7 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this)
 						this->subjectKeyID = chunk_clone(parse_keyIdentifier(object, level, FALSE));
 						break;
 					case OID_SUBJECT_ALT_NAME:
-						parse_generalNames(object, level, FALSE, this->subjectAltNames);
+						x509_parse_generalNames(object, level, FALSE, this->subjectAltNames);
 						break;
 					case OID_BASIC_CONSTRAINTS:
 						this->isCA = parse_basicConstraints(object, level);
@@ -840,7 +846,8 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this)
 						parse_crlDistributionPoints(object, level, this->crlDistributionPoints);
 						break;
 					case OID_AUTHORITY_KEY_ID:
-						parse_authorityKeyIdentifier(object, level , &this->authKeyID, &this->authKeySerialNumber);
+						x509_parse_authorityKeyIdentifier(object, level,
+							 &this->authKeyID, &this->authKeySerialNumber);
 						break;
 					case OID_AUTHORITY_INFO_ACCESS:
 						parse_authorityInfoAccess(object, level, this->ocspAccessLocations);
@@ -861,7 +868,15 @@ static bool parse_certificate(chunk_t blob, u_int level0, private_x509_t *this)
 				break;
 			}
 			case X509_OBJ_ALGORITHM:
-				this->algorithm = parse_algorithmIdentifier(object, level, NULL);
+				{
+					int alg = parse_algorithmIdentifier(object, level, NULL);
+
+					if (alg != this->signatureAlgorithm)
+					{
+						DBG1("  signature algorithms do not agree");
+						return FALSE;
+					}
+				}
 				break;
 			case X509_OBJ_SIGNATURE:
 				this->signature = object;
@@ -1119,7 +1134,14 @@ static iterator_t *create_ocspuri_iterator(const private_x509_t *this)
  */
 static bool verify(const private_x509_t *this, const rsa_public_key_t *signer)
 {
-	return signer->verify_emsa_pkcs1_signature(signer, this->tbsCertificate, this->signature) == SUCCESS;
+	hash_algorithm_t algorithm = hasher_algorithm_from_oid(this->signatureAlgorithm);
+
+	if (algorithm == HASH_UNKNOWN)
+	{
+		DBG1("  unknown signature algorithm");
+		return FALSE;
+	}
+	return signer->verify_emsa_pkcs1_signature(signer, algorithm, this->tbsCertificate, this->signature) == SUCCESS;
 }
 	
 /**
@@ -1221,6 +1243,101 @@ static void list(private_x509_t *this, FILE *out, bool utc)
 	}
 }
 
+/*
+ * Defined in header.
+ */
+chunk_t x509_build_generalNames(linked_list_t *list)
+{
+	linked_list_t *generalNames = linked_list_create();
+	iterator_t *iterator = list->create_iterator(list, TRUE);
+	identification_t *name;
+	size_t len = 0;
+
+	while (iterator->iterate(iterator, (void**)&name))
+	{
+		asn1_t asn1_type = ASN1_EOC;
+		chunk_t *generalName = malloc_thing(chunk_t);
+
+		switch (name->get_type(name))
+		{
+			case ID_RFC822_ADDR:
+				asn1_type = ASN1_CONTEXT_S_1;
+				break;
+			case ID_FQDN:
+				asn1_type = ASN1_CONTEXT_S_2;
+				break;
+			case ID_DER_ASN1_DN:
+				asn1_type = ASN1_CONTEXT_C_4;
+	    		break;
+			case ID_DER_ASN1_GN_URI:
+				asn1_type = ASN1_CONTEXT_S_6;
+				break;
+			case ID_IPV4_ADDR:
+				asn1_type = ASN1_CONTEXT_S_7;
+				break;
+			default:
+				continue;
+		}
+
+		*generalName = asn1_simple_object(asn1_type, name->get_encoding(name));
+		len += generalName->len;
+		generalNames->insert_last(generalNames, generalName);
+	}
+	iterator->destroy(iterator);
+
+	if (len > 0)
+	{
+		iterator_t *iterator = generalNames->create_iterator(generalNames, TRUE);
+		chunk_t names, *generalName;
+		u_char *pos = build_asn1_object(&names, ASN1_SEQUENCE, len);
+
+		while (iterator->iterate(iterator, (void**)&generalName))
+		{
+			memcpy(pos, generalName->ptr, generalName->len);
+			pos += generalName->len;
+			free(generalName->ptr);
+			free(generalName);
+		}
+		iterator->destroy(iterator);
+		generalNames->destroy(generalNames);
+
+		return asn1_wrap(ASN1_OCTET_STRING, "m", names);
+	}
+	else
+	{
+		return chunk_empty;
+	}
+}
+
+/*
+ * Defined in header.
+ */
+chunk_t x509_build_subjectAltNames(linked_list_t *list)
+{
+	chunk_t generalNames = x509_build_generalNames(list);
+
+	if (generalNames.len)
+	{
+		return asn1_wrap(ASN1_SEQUENCE, "cm",
+					ASN1_subjectAltName_oid,
+					asn1_wrap(ASN1_OCTET_STRING, "m", generalNames)
+				);
+	}
+	else
+	{
+		return chunk_empty;
+	}
+}
+
+/**
+ * Implementation of x509_t.build_encoding.
+ */
+static void build_encoding(private_x509_t *this, hash_algorithm_t alg,
+						   rsa_private_key_t *private_key)
+{
+
+}
+
 /**
  * Implements x509_t.destroy
  */
@@ -1240,10 +1357,10 @@ static void destroy(private_x509_t *this)
 	free(this);
 }
 
-/*
- * Described in header.
+/**
+ * Internal generic constructor
  */
-x509_t *x509_create_from_chunk(chunk_t chunk, u_int level)
+static private_x509_t *x509_create_empty(void)
 {
 	private_x509_t *this = malloc_thing(private_x509_t);
 	
@@ -1290,9 +1407,34 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level)
 	this->public.create_crluri_iterator = (iterator_t* (*) (const x509_t*))create_crluri_iterator;
 	this->public.create_ocspuri_iterator = (iterator_t* (*) (const x509_t*))create_ocspuri_iterator;
 	this->public.verify = (bool (*) (const x509_t*,const rsa_public_key_t*))verify;
-	this->public.list = (void(*)(x509_t*, FILE *out, bool utc))list;
+	this->public.list = (void (*) (x509_t*, FILE *out, bool utc))list;
+	this->public.build_encoding = (void (*) (x509_t*,hash_algorithm_t,rsa_private_key_t*))build_encoding;
 	this->public.destroy = (void (*) (x509_t*))destroy;
 	
+	return this;
+}
+
+/*
+ * Described in header.
+ */
+x509_t *x509_create_(chunk_t serialNumber, identification_t *issuer, identification_t *subject)
+{
+	private_x509_t *this = x509_create_empty();
+
+	this->serialNumber = serialNumber;
+	this->issuer = issuer->clone(issuer);
+	this->subject = subject->clone(subject);
+
+	return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+x509_t *x509_create_from_chunk(chunk_t chunk, u_int level)
+{
+	private_x509_t *this = x509_create_empty();
+
 	if (!parse_certificate(chunk, level, this))
 	{
 		destroy(this);
@@ -1314,8 +1456,15 @@ x509_t *x509_create_from_chunk(chunk_t chunk, u_int level)
 	this->isSelfSigned = FALSE;
 	if (this->subject->equals(this->subject, this->issuer))
 	{
+		hash_algorithm_t algorithm = hasher_algorithm_from_oid(this->signatureAlgorithm);
+
+		if (algorithm == HASH_UNKNOWN)
+		{
+			destroy(this);
+			return NULL;
+		}
 		this->isSelfSigned = this->public_key->verify_emsa_pkcs1_signature(this->public_key,
-							 this->tbsCertificate, this->signature) == SUCCESS;
+							 algorithm, this->tbsCertificate, this->signature) == SUCCESS;
 	}
 	if (this->isSelfSigned)
 	{
diff --git a/src/libstrongswan/crypto/x509.h b/src/libstrongswan/crypto/x509.h
index c6fe148d4..1ab267dac 100755
--- a/src/libstrongswan/crypto/x509.h
+++ b/src/libstrongswan/crypto/x509.h
@@ -23,6 +23,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: x509.h 3301 2007-10-12 21:56:30Z andreas $
  */
 
 #ifndef X509_H_
@@ -31,7 +33,8 @@
 typedef struct x509_t x509_t;
 
 #include <library.h>
-#include <crypto/rsa/rsa_public_key.h>
+#include <crypto/rsa/rsa_private_key.h>
+#include <crypto/hashers/hasher.h>
 #include <crypto/certinfo.h>
 #include <crypto/ca.h>
 #include <utils/identification.h>
@@ -49,6 +52,7 @@ typedef struct x509_t x509_t;
  * @brief X.509 certificate.
  * 
  * @b Constructors:
+ *  - x509_create()
  *  - x509_create_from_chunk()
  *  - x509_create_from_file()
  *
@@ -288,9 +292,26 @@ struct x509_t {
 	 * @param out			stream to write to
 	 * @param utc			TRUE for UTC times, FALSE for local time
 	 */
-	void (*list)(x509_t *this, FILE *out, bool utc);
+	void (*list) (x509_t *this, FILE *out, bool utc);
 	
 	/**
+	 * @brief Adds a list of subjectAltNames
+	 * 
+	 * @param this				calling object
+	 * @param subjectAltNames	list of subjectAltNames to be added
+	 */
+	void (*add_subjectAltNames) (x509_t *this, linked_list_t *subjectAltNames);
+
+	/**
+	 * @brief Builds a DER-encoded signed X.509 certificate
+	 * 
+	 * @param this			calling object
+	 * @param alg			hash algorithm used to compute the certificate digest
+	 * @param private_key	RSA private key used to sign the certificate digest
+	 */
+	void (*build_encoding) (x509_t *this, hash_algorithm_t alg, rsa_private_key_t *private_key);
+
+	/**
 	 * @brief Destroys the certificate.
 	 * 
 	 * @param this			certificate to destroy
@@ -299,17 +320,34 @@ struct x509_t {
 };
 
 /**
- * @brief Read a x509 certificate from a DER encoded blob.
- * 
+ * @brief Create a X.509 certificate from its components
+ *
+ * @param serialNumber	chunk containing the serialNumber
+ * @param issuer		issuer distinguished name
+ * @param notBefore		start date of validity
+ * @param notAfter		end date of validity
+ * @param subject		subject distinguished name
+ *
+ * @return				created x509_t certificate, or NULL if invalid.
+ *
+ * @ingroup crypto
+ */
+x509_t *x509_create(chunk_t serialNumber, identification_t *issuer,
+					time_t notBefore, time_t notAfter,
+					identification_t *subject);
+
+/**
+ * @brief Read a X.509 certificate from a DER encoded blob.
+ *
  * @param chunk 	chunk containing DER encoded data
- * @return 			created x509_t certificate, or NULL if invlid.
+ * @return 			created x509_t certificate, or NULL if invalid.
  * 
  * @ingroup crypto
  */
 x509_t *x509_create_from_chunk(chunk_t chunk, u_int level);
 
 /**
- * @brief Read a x509 certificate from a DER encoded file.
+ * @brief Read a X.509 certificate from a DER encoded file.
  * 
  * @param filename 	file containing DER encoded data
  * @param label		label describing kind of certificate
@@ -329,7 +367,7 @@ x509_t *x509_create_from_file(const char *filename, const char *label);
  * 
  * @ingroup crypto
  */
-void parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeyID, chunk_t *authKeySerialNumber);
+void x509_parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeyID, chunk_t *authKeySerialNumber);
 
 /**
  * @brief Parses DER encoded generalNames
@@ -337,10 +375,30 @@ void parse_authorityKeyIdentifier(chunk_t blob, int level0, chunk_t *authKeyID,
  * @param blob 			blob containing DER encoded data
  * @param level0 		indicates the current parsing level
  * @param implicit		implicit coding is used
- * @param list			linked list of decoded generalNames
+ * @param list			list of decoded generalNames
+ * 
+ * @ingroup crypto
+ */
+void x509_parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list);
+
+/**
+ * @brief Builds a DER encoded list of generalNames
+ * 
+ * @param list			list of generalNames to be encoded
+ * @return				DER encoded list of generalNames
+ * 
+ * @ingroup crypto
+ */
+chunk_t x509_build_generalNames(linked_list_t *list);
+
+/**
+ * @brief Builds a DER encoded list of subjectAltNames
+ * 
+ * @param list			list of subjectAltNames to be encoded
+ * @return				DER encoded list of subjectAltNames
  * 
  * @ingroup crypto
  */
-void parse_generalNames(chunk_t blob, int level0, bool implicit, linked_list_t *list);
+chunk_t x509_build_subjectAltNames(linked_list_t *list);
 
 #endif /* X509_H_ */
diff --git a/src/libstrongswan/debug.c b/src/libstrongswan/debug.c
index 996cae502..a71e978b8 100644
--- a/src/libstrongswan/debug.c
+++ b/src/libstrongswan/debug.c
@@ -28,7 +28,7 @@
 /**
  * default dbg function which printf all to stderr
  */
-static void dbg_stderr(int level, char *fmt, ...)
+void dbg_default(int level, char *fmt, ...)
 {
 	va_list args;
 	
@@ -38,4 +38,4 @@ static void dbg_stderr(int level, char *fmt, ...)
 	va_end(args);
 }
 
-void (*dbg) (int level, char *fmt, ...) = dbg_stderr;
+void (*dbg) (int level, char *fmt, ...) = dbg_default;
diff --git a/src/libstrongswan/debug.h b/src/libstrongswan/debug.h
index c424a1c11..71f2c7dfd 100644
--- a/src/libstrongswan/debug.h
+++ b/src/libstrongswan/debug.h
@@ -57,4 +57,7 @@
 /** dbg function hook, uses stderr logger by default */
 extern void (*dbg) (int level, char *fmt, ...);
 
+/** default logging function, prints to stderr */
+void dbg_default(int level, char *fmt, ...);
+
 #endif /* DEBUG_H_ */
diff --git a/src/libstrongswan/fips/fips.c b/src/libstrongswan/fips/fips.c
new file mode 100644
index 000000000..aba292d81
--- /dev/null
+++ b/src/libstrongswan/fips/fips.c
@@ -0,0 +1,103 @@
+/**
+ * @file fips.c
+ * 
+ * @brief Implementation of the libstrongswan integrity test.
+ * 
+ */
+
+/*
+ * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+
+#include <debug.h>
+#include <crypto/signers/hmac_signer.h>
+#include "fips.h"
+
+extern const u_char FIPS_rodata_start[];
+extern const u_char FIPS_rodata_end[];
+extern const void *FIPS_text_start();
+extern const void *FIPS_text_end();
+
+/**
+ * Described in header
+ */
+bool fips_compute_hmac_signature(const char *key, char *signature)
+{
+	u_char *text_start = (u_char *)FIPS_text_start();
+	u_char *text_end   = (u_char *)FIPS_text_end();
+	size_t text_len, rodata_len;
+	signer_t *signer;
+
+	if (text_start > text_end)
+	{
+		DBG1("  TEXT start (%p) > TEXT end (%p",
+				text_start, text_end);
+		return FALSE;
+	}
+	text_len = text_end - text_start;
+    DBG1("  TEXT:   %p + %6d = %p",
+			text_start, (int)text_len, text_end);
+
+	if (FIPS_rodata_start > FIPS_rodata_end)
+	{
+		DBG1("  RODATA start (%p) > RODATA end (%p",
+				FIPS_rodata_start, FIPS_rodata_end);
+		return FALSE;
+	}
+	rodata_len = FIPS_rodata_end - FIPS_rodata_start;
+    DBG1("  RODATA: %p + %6d = %p",
+			FIPS_rodata_start, (int)rodata_len, FIPS_rodata_end);
+
+    signer = (signer_t *)hmac_signer_create(HASH_SHA1, HASH_SIZE_SHA1);
+	if (signer == NULL)
+	{
+	    DBG1("  SHA-1 HMAC signer could not be created");
+		return FALSE;
+	}
+	else
+	{
+		chunk_t hmac_key = { key, strlen(key) };
+		chunk_t text_chunk = { text_start, text_len };
+		chunk_t rodata_chunk = { (u_char *)FIPS_rodata_start, rodata_len };
+		chunk_t signature_chunk = chunk_empty;
+
+		signer->set_key(signer, hmac_key);
+		signer->allocate_signature(signer, text_chunk, NULL);
+		signer->allocate_signature(signer, rodata_chunk, &signature_chunk);
+		signer->destroy(signer);
+
+		sprintf(signature, "%#B", &signature_chunk);
+		DBG1("  SHA-1 HMAC key: %s", key);
+		DBG1("  SHA-1 HMAC sig: %s", signature);
+		free(signature_chunk.ptr);
+		return TRUE;
+	}
+}
+
+/**
+ * Described in header
+ */
+bool fips_verify_hmac_signature(const char *key,
+								const char *signature)
+{
+	char current_signature[BUF_LEN];
+
+	if (!fips_compute_hmac_signature(key, current_signature))
+	{
+		return FALSE;
+	}
+	return streq(signature, current_signature);
+}
diff --git a/src/libstrongswan/fips/fips.h b/src/libstrongswan/fips/fips.h
new file mode 100644
index 000000000..decf73bfd
--- /dev/null
+++ b/src/libstrongswan/fips/fips.h
@@ -0,0 +1,47 @@
+/**
+ * @file fips.h
+ * 
+ * @brief Interface of the libstrongswan integrity test
+ *
+ * @ingroup fips
+ */
+
+/*
+ * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef FIPS_H_
+#define FIPS_H_
+
+#include <library.h>
+
+/**
+ * @brief compute HMAC signature over RODATA and TEXT sections of libstrongswan
+ *
+ * @param  key		key used for HMAC signature in ASCII string format
+ * @param  signature	HMAC signature in HEX string format
+ * @return 		TRUE if HMAC signature computation was successful
+ */
+bool fips_compute_hmac_signature(const char *key, char *signature);
+
+/**
+ * @brief verify HMAC signature over RODATA and TEXT sections of libstrongswan
+ *
+ * @param  key		key used for HMAC signature in ASCII string format
+ * @param  signature	signature value from fips_signature.h in HEX string format
+ * @return		TRUE if signatures agree
+ */
+bool fips_verify_hmac_signature(const char *key, const char *signature);
+
+#endif /*FIPS_H_*/
diff --git a/src/libstrongswan/fips/fips_canister_end.c b/src/libstrongswan/fips/fips_canister_end.c
new file mode 100644
index 000000000..46d41a664
--- /dev/null
+++ b/src/libstrongswan/fips/fips_canister_end.c
@@ -0,0 +1,173 @@
+/**
+ * @file fips_canister_end.c
+ * 
+ * @brief Marks the end of TEXT and RODATA.
+ * 
+ */
+
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution
+ * and usage in source and binary forms are granted according to the
+ * OpenSSL license.
+ */
+
+#include <stdio.h>
+#if defined(__DECC)
+# include <c_asm.h>
+# pragma __nostandard
+#endif
+
+#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
+# if	(defined(__sun) && (defined(__sparc) || defined(__sparcv9)))	|| \
+	(defined(__sgi) && (defined(__mips) || defined(mips)))		|| \
+	(defined(__osf__) && defined(__alpha))				|| \
+	(defined(__linux) && (defined(__arm) || defined(__arm__)))	|| \
+	(defined(__i386) || defined(__i386__))				|| \
+	(defined(__x86_64) || defined(__x86_64__))			|| \
+	(defined(vax) || defined(__vax__))
+#  define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION
+# endif
+#endif
+
+#define FIPS_ref_point FIPS_text_end
+/* Some compilers put string literals into a separate segment. As we
+ * are mostly interested to hash AES tables in .rodata, we declare
+ * reference points accordingly. In case you wonder, the values are
+ * big-endian encoded variable names, just to prevent these arrays
+ * from being merged by linker. */
+const unsigned int FIPS_rodata_end[]=
+	{ 0x46495053, 0x5f726f64, 0x6174615f, 0x656e645b };
+
+
+/*
+ * I declare reference function as static in order to avoid certain
+ * pitfalls in -dynamic linker behaviour...
+ */
+static void *instruction_pointer(void)
+{
+  void *ret = NULL;
+
+/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means
+ * that they are designed to work under any OS running on particular
+ * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in
+ * this function. */
+#if	defined(INSTRUCTION_POINTER_IMPLEMENTED)
+    INSTRUCTION_POINTER_IMPLEMENTED(ret);
+#elif	defined(__GNUC__) && __GNUC__>=2
+# if	defined(__alpha) || defined(__alpha__)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    __asm __volatile (	"br	%0,1f\n1:" : "=r"(ret) );
+# elif	defined(__i386) || defined(__i386__)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    __asm __volatile (	"call 1f\n1:	popl %0" : "=r"(ret) );
+    ret = (void *)((size_t)ret&~3UL); /* align for better performance */
+# elif	defined(__ia64) || defined(__ia64__)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    __asm __volatile (	"mov	%0=ip" : "=r"(ret) );
+# elif	defined(__hppa) || defined(__hppa__) || defined(__pa_risc)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    __asm __volatile (	"blr	%%r0,%0\n\tnop" : "=r"(ret) );
+    ret = (void *)((size_t)ret&~3UL); /* mask privilege level */
+# elif	defined(__mips) || defined(__mips__)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    void *scratch;
+    __asm __volatile (	"move	%1,$31\n\t"	/* save ra */
+			"bal	.+8; nop\n\t"
+			"move	%0,$31\n\t"
+			"move	$31,%1"		/* restore ra */
+			: "=r"(ret),"=r"(scratch) );
+# elif	defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \
+	defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \
+	defined(__PPC64__) || defined(__powerpc64__)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    void *scratch;
+    __asm __volatile (	"mfspr	%1,8\n\t"	/* save lr */
+			"bl	.+4\n\t"
+			"mfspr	%0,8\n\t"	/* mflr ret */
+			"mtspr	8,%1"		/* restore lr */
+			: "=r"(ret),"=r"(scratch) );
+# elif	defined(__sparc) || defined(__sparc__) || defined(__sparcv9)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    void *scratch;
+    __asm __volatile (	"mov	%%o7,%1\n\t"
+			"call	.+8; nop\n\t"
+		  	"mov	%%o7,%0\n\t"
+			"mov	%1,%%o7"
+			: "=r"(ret),"=r"(scratch) );
+# elif	defined(__x86_64) || defined(__x86_64__)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    __asm __volatile (	"leaq	0(%%rip),%0" : "=r"(ret) );
+    ret = (void *)((size_t)ret&~3UL); /* align for better performance */
+# endif
+#elif	defined(__DECC) && defined(__alpha)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    ret = (void *)(size_t)asm("br %v0,1f\n1:");
+#elif   defined(_MSC_VER) && defined(_M_IX86)
+#   undef INSTRUCTION_POINTER_IMPLEMENTED
+    void *scratch;
+    _asm {
+            call    self
+    self:   pop     eax
+            mov     scratch,eax
+         }
+    ret = (void *)((size_t)scratch&~3UL);
+#endif
+  return ret;
+}
+
+/*
+ * This function returns pointer to an instruction in the vicinity of
+ * its entry point, but not outside this object module. This guarantees
+ * that sequestered code is covered...
+ */
+void *FIPS_ref_point()
+{
+#if	defined(INSTRUCTION_POINTER_IMPLEMENTED)
+    return instruction_pointer();
+/* Below we essentially cover vendor compilers which do not support
+ * inline assembler... */
+#elif	defined(_AIX)
+    struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer;
+    return p->ip;
+#elif	defined(_HPUX_SOURCE)
+# if	defined(__hppa) || defined(__hppa__)
+    struct { void *i[4]; } *p = (void *)FIPS_ref_point;
+
+    if (sizeof(p) == 8)	/* 64-bit */
+	return p->i[2];
+    else if ((size_t)p & 2)
+    {	p = (void *)((size_t)p&~3UL);
+	return p->i[0];
+    }
+    else
+	return (void *)p;
+# elif	defined(__ia64) || defined(__ia64__)
+    struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer;
+    return (void *)(size_t)p->ip;
+# endif
+#elif	(defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__))
+    /* applies to both alpha and ia64 */
+    struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer;
+    return (void *)(size_t)p->ip;
+#elif	defined(__VOS__)
+    /* applies to both pa-risc and ia32 */
+    struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer;
+    return p->ip;
+#elif	defined(_WIN32)
+# if	defined(_WIN64) && defined(_M_IA64)
+    struct { void *ip,*gp; } *p = (void *)FIPS_ref_point;
+    return p->ip;
+# else
+    return (void *)FIPS_ref_point;
+# endif
+/*
+ * In case you wonder why there is no #ifdef __linux. All Linux targets
+ * are GCC-based and therefore are covered by instruction_pointer above
+ * [well, some are covered by by the one below]...
+ */ 
+#elif	defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
+    return (void *)instruction_pointer;
+#else
+    return NULL;
+#endif
+}
diff --git a/src/libstrongswan/fips/fips_canister_start.c b/src/libstrongswan/fips/fips_canister_start.c
new file mode 100644
index 000000000..eaf2571f8
--- /dev/null
+++ b/src/libstrongswan/fips/fips_canister_start.c
@@ -0,0 +1,174 @@
+/**
+ * @file fips_canister_start.c
+ * 
+ * @brief Marks the start of TEXT and RODATA.
+ * 
+ */
+
+/* ====================================================================
+ * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution
+ * and usage in source and binary forms are granted according to the
+ * OpenSSL license.
+ */
+
+#include <stdio.h>
+#if defined(__DECC)
+# include <c_asm.h>
+# pragma __nostandard
+#endif
+
+#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
+# if	(defined(__sun) && (defined(__sparc) || defined(__sparcv9)))	|| \
+	(defined(__sgi) && (defined(__mips) || defined(mips)))		|| \
+	(defined(__osf__) && defined(__alpha))				|| \
+	(defined(__linux) && (defined(__arm) || defined(__arm__)))	|| \
+	(defined(__i386) || defined(__i386__))				|| \
+	(defined(__x86_64) || defined(__x86_64__))			|| \
+	(defined(vax) || defined(__vax__))
+#  define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION
+# endif
+#endif
+
+
+#define FIPS_ref_point FIPS_text_start
+/* Some compilers put string literals into a separate segment. As we
+ * are mostly interested to hash AES tables in .rodata, we declare
+ * reference points accordingly. In case you wonder, the values are
+ * big-endian encoded variable names, just to prevent these arrays
+ * from being merged by linker. */
+const unsigned int FIPS_rodata_start[]=
+	{ 0x46495053, 0x5f726f64, 0x6174615f, 0x73746172 };
+
+
+/*
+ * I declare reference function as static in order to avoid certain
+ * pitfalls in -dynamic linker behaviour...
+ */
+static void *instruction_pointer(void)
+{
+  void *ret = NULL;
+
+/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means
+ * that they are designed to work under any OS running on particular
+ * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in
+ * this function. */
+#if	defined(INSTRUCTION_POINTER_IMPLEMENTED)
+    INSTRUCTION_POINTER_IMPLEMENTED(ret);
+#elif	defined(__GNUC__) && __GNUC__>=2
+# if	defined(__alpha) || defined(__alpha__)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    __asm __volatile (	"br	%0,1f\n1:" : "=r"(ret) );
+# elif	defined(__i386) || defined(__i386__)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    __asm __volatile (	"call 1f\n1:	popl %0" : "=r"(ret) );
+    ret = (void *)((size_t)ret&~3UL); /* align for better performance */
+# elif	defined(__ia64) || defined(__ia64__)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    __asm __volatile (	"mov	%0=ip" : "=r"(ret) );
+# elif	defined(__hppa) || defined(__hppa__) || defined(__pa_risc)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    __asm __volatile (	"blr	%%r0,%0\n\tnop" : "=r"(ret) );
+    ret = (void *)((size_t)ret&~3UL); /* mask privilege level */
+# elif	defined(__mips) || defined(__mips__)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    void *scratch;
+    __asm __volatile (	"move	%1,$31\n\t"	/* save ra */
+			"bal	.+8; nop\n\t"
+			"move	%0,$31\n\t"
+			"move	$31,%1"		/* restore ra */
+			: "=r"(ret),"=r"(scratch) );
+# elif	defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \
+	defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \
+	defined(__PPC64__) || defined(__powerpc64__)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    void *scratch;
+    __asm __volatile (	"mfspr	%1,8\n\t"	/* save lr */
+			"bl	.+4\n\t"
+			"mfspr	%0,8\n\t"	/* mflr ret */
+			"mtspr	8,%1"		/* restore lr */
+			: "=r"(ret),"=r"(scratch) );
+# elif	defined(__sparc) || defined(__sparc__) || defined(__sparcv9)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    void *scratch;
+    __asm __volatile (	"mov	%%o7,%1\n\t"
+			"call	.+8; nop\n\t"
+		  	"mov	%%o7,%0\n\t"
+			"mov	%1,%%o7"
+			: "=r"(ret),"=r"(scratch) );
+# elif	defined(__x86_64) || defined(__x86_64__)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    __asm __volatile (	"leaq	0(%%rip),%0" : "=r"(ret) );
+    ret = (void *)((size_t)ret&~3UL); /* align for better performance */
+# endif
+#elif	defined(__DECC) && defined(__alpha)
+#   define INSTRUCTION_POINTER_IMPLEMENTED
+    ret = (void *)(size_t)asm("br %v0,1f\n1:");
+#elif   defined(_MSC_VER) && defined(_M_IX86)
+#   undef INSTRUCTION_POINTER_IMPLEMENTED
+    void *scratch;
+    _asm {
+            call    self
+    self:   pop     eax
+            mov     scratch,eax
+         }
+    ret = (void *)((size_t)scratch&~3UL);
+#endif
+  return ret;
+}
+
+/*
+ * This function returns pointer to an instruction in the vicinity of
+ * its entry point, but not outside this object module. This guarantees
+ * that sequestered code is covered...
+ */
+void *FIPS_ref_point()
+{
+#if	defined(INSTRUCTION_POINTER_IMPLEMENTED)
+    return instruction_pointer();
+/* Below we essentially cover vendor compilers which do not support
+ * inline assembler... */
+#elif	defined(_AIX)
+    struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer;
+    return p->ip;
+#elif	defined(_HPUX_SOURCE)
+# if	defined(__hppa) || defined(__hppa__)
+    struct { void *i[4]; } *p = (void *)FIPS_ref_point;
+
+    if (sizeof(p) == 8)	/* 64-bit */
+	return p->i[2];
+    else if ((size_t)p & 2)
+    {	p = (void *)((size_t)p&~3UL);
+	return p->i[0];
+    }
+    else
+	return (void *)p;
+# elif	defined(__ia64) || defined(__ia64__)
+    struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer;
+    return (void *)(size_t)p->ip;
+# endif
+#elif	(defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__))
+    /* applies to both alpha and ia64 */
+    struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer;
+    return (void *)(size_t)p->ip;
+#elif	defined(__VOS__)
+    /* applies to both pa-risc and ia32 */
+    struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer;
+    return p->ip;
+#elif	defined(_WIN32)
+# if	defined(_WIN64) && defined(_M_IA64)
+    struct { void *ip,*gp; } *p = (void *)FIPS_ref_point;
+    return p->ip;
+# else
+    return (void *)FIPS_ref_point;
+# endif
+/*
+ * In case you wonder why there is no #ifdef __linux. All Linux targets
+ * are GCC-based and therefore are covered by instruction_pointer above
+ * [well, some are covered by by the one below]...
+ */ 
+#elif	defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
+    return (void *)instruction_pointer;
+#else
+    return NULL;
+#endif
+}
diff --git a/src/libstrongswan/fips/fips_signer.c b/src/libstrongswan/fips/fips_signer.c
new file mode 100644
index 000000000..7fb61d5b7
--- /dev/null
+++ b/src/libstrongswan/fips/fips_signer.c
@@ -0,0 +1,63 @@
+/**
+ * @file fips_signer.c
+ * 
+ * @brief Computes a HMAC signature and stores it in fips_signature.h.
+ * 
+ */
+
+/*
+ * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdio.h>
+
+#include <crypto/hashers/hasher.h>
+#include "fips.h"
+
+int main(int argc, char* argv[])
+{
+	FILE *f;
+	char *hmac_key = "strongSwan Version " VERSION;
+	char  hmac_signature[BUF_LEN];
+
+	if (!fips_compute_hmac_signature(hmac_key, hmac_signature))
+	{
+		exit(1);
+	}
+	
+	/**
+     * write computed HMAC signature to fips_signature.h
+	 */
+	f = fopen("fips_signature.h", "wt");
+
+	if (f == NULL)
+	{
+		exit(1);
+	}
+	fprintf(f, "/* SHA-1 HMAC signature computed over TEXT and RODATA of libstrongswan\n");
+	fprintf(f, " *\n");
+	fprintf(f, " * This file has been automatically generated by fips_signer\n");
+	fprintf(f, " * Do not edit manually!\n");
+	fprintf(f, " */\n");
+	fprintf(f, "\n");
+	fprintf(f, "#ifndef FIPS_SIGNATURE_H_\n");
+	fprintf(f, "#define FIPS_SIGNATURE_H_\n");
+	fprintf(f, "\n");
+	fprintf(f, "const char *hmac_key = \"%s\";\n", hmac_key);
+	fprintf(f, "const char *hmac_signature = \"%s\";\n", hmac_signature);
+	fprintf(f, "\n");
+	fprintf(f, "#endif /* FIPS_SIGNATURE_H_ */\n");
+	fclose(f);
+	exit(0);
+}
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 67a05f118..51b72bfce 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -18,6 +18,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: library.h 3255 2007-10-07 13:35:42Z andreas $
  */
 
 #ifndef LIBRARY_H_
@@ -26,13 +28,14 @@
 /**
  * @defgroup libstrongswan libstrongswan
  *
- * libstrongswan: library with various crypto related things.
+ * libstrongswan: library with various cryptographic, X.509 trust chain and
+ * identity management functions.
  */
 
 /**
  * @defgroup asn1 asn1
  *
- * ASN1 definitions, parser and generator functions.
+ * ASN.1 definitions, parser and generator functions.
  *
  * @ingroup libstrongswan
  */
@@ -40,7 +43,7 @@
 /**
  * @defgroup crypto crypto
  *
- * Crypto algorithms of different kind.
+ * Various cryptographic algorithms.
  *
  * @ingroup libstrongswan
  */
@@ -89,6 +92,14 @@
  */
 
 /**
+ * @defgroup fips fips
+ *
+ * Code integrity check of libstrongswan
+ *
+ * @ingroup libstrongswan
+ */
+
+/**
  * @defgroup utils utils
  *
  * Generic helper classes.
@@ -120,6 +131,11 @@
 #define streq(x,y) (strcmp(x, y) == 0)
 
 /**
+ * Macro compares two strings for equality
+ */
+#define strneq(x,y,len) (strncmp(x, y, len) == 0)
+
+/**
  * Macro compares two binary blobs for equality
  */
 #define memeq(x,y,len) (memcmp(x, y, len) == 0)
@@ -135,11 +151,21 @@
 #define min(x,y) ((x) < (y) ? (x):(y))
 
 /**
- * Call destructor of a object if object != NULL
+ * Call destructor of an object, if object != NULL
  */
 #define DESTROY_IF(obj) if (obj) obj->destroy(obj)
 
 /**
+ * Call offset destructor of an object, if object != NULL
+ */
+#define DESTROY_OFFSET_IF(obj, offset) if (obj) obj->destroy_offset(obj, offset);
+
+/**
+ * Call function destructor of an object, if object != NULL
+ */
+#define DESTROY_FUNCTION_IF(obj, fn) if (obj) obj->destroy_function(obj, fn);
+
+/**
  * Debug macro to follow control flow
  */
 #define POS printf("%s, line %d\n", __FILE__, __LINE__)
diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c
new file mode 100644
index 000000000..842a2e997
--- /dev/null
+++ b/src/libstrongswan/utils/enumerator.c
@@ -0,0 +1,44 @@
+/**
+ * @file enumerator.c
+ *
+ * @brief Implementation of enumerator_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "enumerator.h"
+
+
+/**
+ * Implementation of enumerator_create_empty().enumerate
+ */
+static bool enumerate_empty(enumerator_t *enumerator, ...)
+{
+	return FALSE;
+}
+
+/**
+ * See header
+ */
+enumerator_t* enumerator_create_empty()
+{
+	enumerator_t *this = malloc_thing(enumerator_t);
+	this->enumerate = enumerate_empty;
+	this->destroy = (void*)free;
+	return this;
+}
+
diff --git a/src/libstrongswan/utils/enumerator.h b/src/libstrongswan/utils/enumerator.h
new file mode 100644
index 000000000..df1d78206
--- /dev/null
+++ b/src/libstrongswan/utils/enumerator.h
@@ -0,0 +1,57 @@
+/**
+ * @file enumerator.h
+ * 
+ * @brief Interface of enumerator_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef ENUMERATOR_H_
+#define ENUMERATOR_H_
+
+#include <library.h>
+
+typedef struct enumerator_t enumerator_t;
+
+/**
+ * @brief Enumerate is simpler, but more flexible than iterator.
+ */
+struct enumerator_t {
+
+	/**
+	 * @brief Enumerate collection.
+	 *
+	 * The enumerate function takes a variable argument list containing 
+	 * pointers where the enumerated values get written.
+	 *
+	 * @param ...	variable list of enumerated items, implementation dependant
+	 * @return		TRUE if pointers returned
+	 */
+	bool (*enumerate)(enumerator_t *this, ...);
+		
+	/**
+     * @brief Destroy a enumerator instance.
+     */
+    void (*destroy)(enumerator_t *this);
+};
+
+/**
+ * @brief Create an enumerator which enumerates over nothing
+ */
+enumerator_t* enumerator_create_empty();
+
+#endif /* ENUMERATOR_H_ */
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index ba0a76893..18f6d6824 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -19,6 +19,8 @@
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
+ *
+ * RCSID $Id: identification.c 3256 2007-10-07 13:42:43Z andreas $
  */
 
 #define _GNU_SOURCE
@@ -199,19 +201,6 @@ static void update_chunk(chunk_t *ch, int n)
 }
 
 /**
- * Prints a binary string in hexadecimal form
- */
-void hex_str(chunk_t bin, chunk_t *str)
-{
-	u_int i;
-	update_chunk(str, snprintf(str->ptr,str->len,"0x"));
-	for (i = 0; i < bin.len; i++)
-	{
-		update_chunk(str, snprintf(str->ptr,str->len,"%02X",*bin.ptr++));
-	}
-}
-
-/**
  * Remove any malicious characters from a chunk. We are very restrictive, but
  * whe use these strings only to present it to the user.
  */
@@ -402,9 +391,9 @@ static status_t dntoa(chunk_t dn, chunk_t *str)
 
 		/* print OID */
 		oid_code = known_oid(oid);
-		if (oid_code == OID_UNKNOWN) 
-		{ /* OID not found in list */
-			hex_str(oid, str);
+		if (oid_code == OID_UNKNOWN)
+		{
+			update_chunk(str, snprintf(str->ptr,str->len,"0x#B", &oid));
 		}
 		else
 		{
@@ -467,12 +456,16 @@ static bool same_dn(chunk_t a, chunk_t b)
 		|| (type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL)))
 		{
 			if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+			{
 				return FALSE;
+			}
 		}
 		else
 		{
-			if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
-				return FALSE;
+			if (!strneq(value_a.ptr, value_b.ptr, value_b.len))
+			{
+				return FALSE;	
+			}
 		}
 	}
 	/* both DNs must have same number of RDNs */
@@ -540,12 +533,16 @@ bool match_dn(chunk_t a, chunk_t b, int *wildcards)
 		|| (type_a == ASN1_IA5STRING && known_oid(oid_a) == OID_PKCS9_EMAIL)))
 		{
 			if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+			{
 				return FALSE;
+			}
 		}
 		else
 		{
-			if (strncmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
+			if (!strneq(value_a.ptr, value_b.ptr, value_b.len))
+			{
 				return FALSE;
+			}
 		}
 	}
 	/* both DNs must have same number of RDNs */
@@ -931,7 +928,7 @@ static int print(FILE *stream, const struct printf_info *info,
 		case ID_FQDN:
 		{
 			proper = sanitize_chunk(this->encoded);
-			written = fprintf(stream, "@%.*s", proper.len, proper.ptr);
+			written = fprintf(stream, "%.*s", proper.len, proper.ptr);
 			chunk_free(&proper);
 			return written;
 		}
@@ -1071,8 +1068,15 @@ identification_t *identification_create_from_string(char *string)
 				
 				if (inet_pton(AF_INET, string, &address) <= 0)
 				{
-					free(this);
-					return NULL;
+					/* not IPv4, mostly FQDN */
+					this->type = ID_FQDN;
+					this->encoded.ptr = strdup(string);
+					this->encoded.len = strlen(string);
+					this->public.matches = (bool (*) 
+						(identification_t*,identification_t*,int*))matches_string;
+					this->public.equals = (bool (*)
+						(identification_t*,identification_t*))equals_strcasecmp;
+					return &(this->public);
 				}
 				this->encoded = chunk_clone(chunk);
 				this->type = ID_IPV4_ADDR;
@@ -1137,6 +1141,7 @@ identification_t *identification_create_from_string(char *string)
 identification_t *identification_create_from_encoding(id_type_t type, chunk_t encoded)
 {
 	private_identification_t *this = identification_create();
+
 	this->type = type;
 	switch (type)
 	{
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index a28ebba51..dab18fd5c 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -190,7 +190,8 @@ whitelist_t whitelist[] = {
 	{getprotobynumber,			 291},
 	{getservbyport,				 311},
 	{register_printf_function,	 159},
-	{syslog,					  45},
+	{syslog,					  44},
+	{vsyslog,					  41},
 	{dlopen,					 109},
 #	ifdef LIBCURL
 	/* from /usr/lib/libcurl.so.3 */
diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/utils/linked_list.c
index de52ea46a..5cd8ffd7a 100644
--- a/src/libstrongswan/utils/linked_list.c
+++ b/src/libstrongswan/utils/linked_list.c
@@ -6,6 +6,7 @@
  */
 
 /*
+ * Copyright (C) 2007 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -140,6 +141,52 @@ struct private_iterator_t {
 	void *hook_param;
 };
 
+typedef struct private_enumerator_t private_enumerator_t;
+
+/**
+ * linked lists enumerator implementation
+ */
+struct private_enumerator_t {
+
+	/**
+	 * implements enumerator interface
+	 */
+	enumerator_t enumerator;
+	
+	/**
+	 * next item to enumerate
+	 */
+	element_t *next;
+};
+
+/**
+ * Implementation of private_enumerator_t.enumerator.enumerate.
+ */
+static bool enumerate(private_enumerator_t *this, void **item)
+{
+	if (this->next == NULL)
+	{
+		return FALSE;
+	}
+	*item = this->next->value;
+	this->next = this->next->next;
+	return TRUE;
+}
+
+/**
+ * Implementation of linked_list_t.create_enumerator.
+ */
+static enumerator_t* create_enumerator(private_linked_list_t *this)
+{
+	private_enumerator_t *enumerator = malloc_thing(private_enumerator_t);
+	
+	enumerator->enumerator.enumerate = (void*)enumerate;
+	enumerator->enumerator.destroy = (void*)free;
+	enumerator->next = this->first;
+	
+	return &enumerator->enumerator;
+}
+
 /**
  * Implementation of iterator_t.get_count.
  */
@@ -630,9 +677,9 @@ static status_t get_last(private_linked_list_t *this, void **item)
 }
 
 /**
- * Implementation of linked_list_t.invoke.
+ * Implementation of linked_list_t.invoke_offset.
  */
-static void invoke(private_linked_list_t *this, size_t offset)
+static void invoke_offset(private_linked_list_t *this, size_t offset)
 {
 	element_t *current = this->first;
 	
@@ -645,13 +692,62 @@ static void invoke(private_linked_list_t *this, size_t offset)
 }
 
 /**
+ * Implementation of linked_list_t.invoke_function.
+ */
+static void invoke_function(private_linked_list_t *this, void(*fn)(void*))
+{
+	element_t *current = this->first;
+	
+	while (current)
+	{
+		fn(current->value);
+		current = current->next;
+	}
+}
+
+/**
+ * Implementation of linked_list_t.clone_offset
+ */
+static linked_list_t *clone_offset(private_linked_list_t *this, size_t offset)
+{
+	linked_list_t *clone = linked_list_create();
+	element_t *current = this->first;
+	
+	while (current)
+	{
+		void* (**method)(void*) = current->value + offset;
+		clone->insert_last(clone, (*method)(current->value));
+		current = current->next;
+	}
+	
+	return clone;
+}
+
+/**
+ * Implementation of linked_list_t.clone_function
+ */
+static linked_list_t *clone_function(private_linked_list_t *this, void* (*fn)(void*))
+{
+	linked_list_t *clone = linked_list_create();
+	element_t *current = this->first;
+	
+	while (current)
+	{
+		clone->insert_last(clone, fn(current->value));
+		current = current->next;
+	}
+	
+	return clone;
+}
+
+/**
  * Implementation of linked_list_t.destroy.
  */
 static void destroy(private_linked_list_t *this)
 {
 	void *value;
 	/* Remove all list items before destroying list */
-	while (this->public.remove_first(&(this->public), &value) == SUCCESS)
+	while (remove_first(this, &value) == SUCCESS)
 	{
 		/* values are not destroyed so memory leaks are possible
 		 * if list is not empty when deleting */
@@ -744,6 +840,7 @@ linked_list_t *linked_list_create()
 	this->public.get_count = (int (*) (linked_list_t *)) get_count;
 	this->public.create_iterator = (iterator_t * (*) (linked_list_t *,bool))create_iterator;
 	this->public.create_iterator_locked = (iterator_t * (*) (linked_list_t *,pthread_mutex_t*))create_iterator_locked;
+	this->public.create_enumerator = (enumerator_t*(*)(linked_list_t*))create_enumerator;
 	this->public.get_first = (status_t (*) (linked_list_t *, void **item))get_first;
 	this->public.get_last = (status_t (*) (linked_list_t *, void **item))get_last;
 	this->public.insert_first = (void (*) (linked_list_t *, void *item))insert_first;
@@ -753,7 +850,10 @@ linked_list_t *linked_list_create()
 	this->public.insert_at_position = (status_t (*) (linked_list_t *,size_t, void *))insert_at_position;
 	this->public.remove_at_position = (status_t (*) (linked_list_t *,size_t, void **))remove_at_position;
 	this->public.get_at_position = (status_t (*) (linked_list_t *,size_t, void **))get_at_position;
-	this->public.invoke = (void (*)(linked_list_t*,size_t))invoke;
+	this->public.invoke_offset = (void (*)(linked_list_t*,size_t))invoke_offset;
+	this->public.invoke_function = (void (*)(linked_list_t*,void(*)(void*)))invoke_function;
+	this->public.clone_offset = (linked_list_t * (*)(linked_list_t*,size_t))clone_offset;
+	this->public.clone_function = (linked_list_t * (*)(linked_list_t*,void*(*)(void*)))clone_function;
 	this->public.destroy = (void (*) (linked_list_t *))destroy;
 	this->public.destroy_offset = (void (*) (linked_list_t *,size_t))destroy_offset;
 	this->public.destroy_function = (void (*)(linked_list_t*,void(*)(void*)))destroy_function;
diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/utils/linked_list.h
index 58bcbbdaa..ebe5c187c 100644
--- a/src/libstrongswan/utils/linked_list.h
+++ b/src/libstrongswan/utils/linked_list.h
@@ -6,6 +6,7 @@
  */
 
 /*
+ * Copyright (C) 2007 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -30,6 +31,7 @@ typedef struct linked_list_t linked_list_t;
 
 #include <library.h>
 #include <utils/iterator.h>
+#include <utils/enumerator.h>
 
 /**
  * @brief Class implementing a double linked list.
@@ -55,6 +57,9 @@ struct linked_list_t {
 	 * @brief Creates a iterator for the given list.
 	 * 
 	 * @warning Created iterator_t object has to get destroyed by the caller.
+	 *
+	 * @deprecated Iterator is obsolete and will disappear, it is too
+	 * complicated to implement. Use enumerator instead.
 	 * 
 	 * @param this 		calling object
 	 * @param forward 	iterator direction (TRUE: front to end)
@@ -74,7 +79,18 @@ struct linked_list_t {
 	 */
 	iterator_t *(*create_iterator_locked) (linked_list_t *this,
 										   pthread_mutex_t *mutex);
-
+	
+	/**
+	 * @brief Create an enumerator over the list.
+	 *
+	 * The enumerator is a "lightweight" iterator. It only has two methods
+	 * and should therefore be much easier to implement.
+	 *
+	 * @param this		calling object
+	 * @return			enumerator over list items
+	 */
+	enumerator_t* (*create_enumerator)(linked_list_t *this);
+	
 	/**
 	 * @brief Inserts a new item at the beginning of the list.
 	 *
@@ -183,7 +199,33 @@ struct linked_list_t {
 	 * @param this 		calling object
 	 * @param offset	offset of the method to invoke on objects
 	 */
-	void (*invoke) (linked_list_t *this, size_t offset);
+	void (*invoke_offset) (linked_list_t *this, size_t offset);
+	
+	/**
+	 * @brief Invoke a function on all of the contained objects.
+	 * 
+	 * @param this 		calling object
+	 * @param offset	offset of the method to invoke on objects
+	 */
+	void (*invoke_function) (linked_list_t *this, void (*)(void*));
+	
+	/**
+	 * @brief Clones a list and its objects using the objects' clone method.
+	 * 
+	 * @param this		calling object
+	 * @param offset	offset ot the objects clone function
+	 * @return			cloned list
+	 */
+	linked_list_t *(*clone_offset) (linked_list_t *this, size_t offset);
+	
+	/**
+	 * @brief Clones a list and its objects using a given function.
+	 * 
+	 * @param this		calling object
+	 * @param function	function that clones an object
+	 * @return			cloned list
+	 */
+	linked_list_t *(*clone_function) (linked_list_t *this, void*(*)(void*));
 	
 	/**
 	 * @brief Destroys a linked_list object.
diff --git a/src/libstrongswan/utils/optionsfrom.c b/src/libstrongswan/utils/optionsfrom.c
new file mode 100644
index 000000000..ffa571b05
--- /dev/null
+++ b/src/libstrongswan/utils/optionsfrom.c
@@ -0,0 +1,148 @@
+/**
+ * @file optionsfrom.c
+ * 
+ * @brief read command line options from a file
+ * 
+ */
+
+/*
+ * Copyright (C) 1998, 1999  Henry Spencer.
+ * 
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
+ * 
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
+ * License for more details.
+ *
+ */
+
+#include <stdio.h>
+#include <errno.h>
+
+#include <library.h>
+#include <debug.h>
+#include <utils/lexparser.h>
+
+#include "optionsfrom.h"
+
+#define	MAX_USES	 20		/* loop-detection limit */
+#define	SOME_ARGS	 10		/* first guess at how many arguments we'll need */
+
+/*
+ * Defined in header.
+ */
+bool optionsfrom(const char *filename, int *argcp, char **argvp[], int optind)
+{
+	static int nuses = 0;
+	char **newargv;
+	int newargc;
+	int next;			/* place for next argument */
+	int room;			/* how many more new arguments we can hold */
+	size_t bytes;
+	chunk_t chunk, src, line, token;
+	bool good = TRUE;
+	int linepos = 0;
+	FILE *fd;
+
+	/* avoid endless loops with recursive --optionsfrom arguments */
+	nuses++;
+	if (nuses >= MAX_USES)
+	{
+		DBG1("optionsfrom called %d times - looping?", (*argvp)[0], nuses);
+		return FALSE;
+	}
+	
+	fd = fopen(filename, "r");
+	if (fd == NULL)
+	{
+		DBG1("optionsfrom: unable to open file '%s': %s",
+			 filename, strerror(errno));
+		return FALSE;
+	}
+
+	/* determine the file size */
+	fseek(fd, 0, SEEK_END);
+	chunk.len = ftell(fd);
+	rewind(fd);
+
+	/* allocate one byte more just in case of a missing final newline */
+	chunk.ptr = malloc(chunk.len + 1);
+
+	/* read the whole file into a chunk */
+	bytes = fread(chunk.ptr, 1, chunk.len, fd);
+	fclose(fd);
+
+	newargc = *argcp + SOME_ARGS;
+	newargv = malloc((newargc + 1) * sizeof(char *));
+	memcpy(newargv, *argvp, optind * sizeof(char *));
+	room = SOME_ARGS;
+	next = optind;
+	newargv[next] = NULL;
+
+	/* we keep the chunk pointer so that we can still free it */
+	src = chunk;
+
+	while (fetchline(&src, &line) && good)
+	{
+		linepos++;
+		while (eat_whitespace(&line))
+		{
+			if (*line.ptr == '"'|| *line.ptr == '\'')
+			{
+				char delimiter = *line.ptr;
+
+				line.ptr++;
+				line.len--;
+				if (!extract_token(&token, delimiter, &line))
+				{
+					DBG1("optionsfrom: missing terminator at %s:%d",
+						 filename, linepos);
+					good = FALSE;
+					break;
+				}
+			}
+			else
+			{
+				if (!extract_token(&token, ' ', &line))
+				{
+					/* last token in a line */
+					token = line;
+					line.len = 0;
+				}
+			}
+
+			/* do we have to allocate more memory for additional arguments? */
+			if (room == 0)
+			{
+				newargc += SOME_ARGS;
+				newargv = realloc(newargv, (newargc+1) * sizeof(char *));
+				room = SOME_ARGS;
+			}
+
+			/* terminate the token by replacing the delimiter with a null character */
+			*(token.ptr + token.len) = '\0';
+
+			/* assign the token to the next argument */
+			newargv[next] = token.ptr;
+			next++;
+			room--;
+		}
+	}
+
+	if (!good)		/* error of some kind */
+	{
+		free(chunk.ptr);
+		free(newargv);
+		return FALSE;
+	}
+
+	memcpy(newargv + next, *argvp + optind, (*argcp + 1 - optind) * sizeof(char *));
+	*argcp += next - optind;
+	*argvp = newargv;
+	return TRUE;
+}
+
diff --git a/src/libstrongswan/utils/optionsfrom.h b/src/libstrongswan/utils/optionsfrom.h
new file mode 100644
index 000000000..d6b9efde5
--- /dev/null
+++ b/src/libstrongswan/utils/optionsfrom.h
@@ -0,0 +1,37 @@
+/**
+ * @file optionsfrom.h
+ * 
+ * @brief Read command line options from a file
+ * 
+ */
+
+/*
+ * Copyright (C) 1998, 1999  Henry Spencer.
+ * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef OPTIONSFROM_H_
+#define OPTIONSFROM_H_
+
+/**
+ * @brief Pick up more options from a file, in the middle of an option scan
+ * 
+ * @param filename				file containing the options
+ * @param argcp					pointer to argc
+ * @param argvp					pointer to argv[]
+ * @param optind				current optind, number of next argument
+ * @return						TRUE if optionsfrom parsing successful
+ */
+bool optionsfrom(const char *filename, int *argcp, char **argvp[], int optind);
+
+#endif /*OPTIONSFROM_H_*/
author	Rene Mayrhofer <rene@mayrhofer.eu.org>	2007-10-26 14:24:26 +0000
committer	Rene Mayrhofer <rene@mayrhofer.eu.org>	2007-10-26 14:24:26 +0000
commit	3168dc628f034e03bb4fab16e8a00da59a5c86e1 (patch)
tree	663da4d1badc1373ec59d9bdc39f893af0cc8a75 /src/libstrongswan
parent	1a144d57c8f2f08513b747078d185db688637859 (diff)
download	vyos-strongswan-3168dc628f034e03bb4fab16e8a00da59a5c86e1.tar.gz vyos-strongswan-3168dc628f034e03bb4fab16e8a00da59a5c86e1.zip