[svn-upgrade] Integrating new upstream version, strongswan (4.2.4)

26 files changed, 228 insertions, 153 deletions

diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 69902ad8f..156b81018 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -123,12 +123,19 @@ if USE_NAT_TRANSPORT
 endif
 
 # This compile option activates dynamic URL fetching using libcurl
-if USE_LIBCURL
+if USE_CURL
   pluto_LDADD += -lcurl
+  AM_CFLAGS += -DLIBCURL
 endif
 
 # This compile option activates dynamic LDAP CRL fetching
-if USE_LIBLDAP
+if USE_LDAP
   pluto_LDADD += -lldap -llber
+  AM_CFLAGS += -DLIBLDAP
+endif
+
+# This compile option activates smartcard support
+if USE_SMARTCARD
+  AM_CFLAGS += -DSMARTCARD
 endif
 
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index a9ae01d65..42017641c 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -1,8 +1,8 @@
-# Makefile.in generated by automake 1.10 from Makefile.am.
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006  Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008  Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -51,10 +51,15 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT)
 @USE_NAT_TRANSPORT_TRUE@am__append_4 = -DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
 
 # This compile option activates dynamic URL fetching using libcurl
-@USE_LIBCURL_TRUE@am__append_5 = -lcurl
+@USE_CURL_TRUE@am__append_5 = -lcurl
+@USE_CURL_TRUE@am__append_6 = -DLIBCURL
 
 # This compile option activates dynamic LDAP CRL fetching
-@USE_LIBLDAP_TRUE@am__append_6 = -lldap -llber
+@USE_LDAP_TRUE@am__append_7 = -lldap -llber
+@USE_LDAP_TRUE@am__append_8 = -DLIBLDAP
+
+# This compile option activates smartcard support
+@USE_SMARTCARD_TRUE@am__append_9 = -DSMARTCARD
 subdir = src/pluto
 DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in TODO
@@ -138,6 +143,7 @@ CXXFLAGS = @CXXFLAGS@
 CYGPATH_W = @CYGPATH_W@
 DEFS = @DEFS@
 DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
 ECHO = @ECHO@
 ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
@@ -167,6 +173,7 @@ LN_S = @LN_S@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
 OBJEXT = @OBJEXT@
 PACKAGE = @PACKAGE@
 PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
@@ -197,7 +204,6 @@ am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
-backenddir = @backenddir@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -208,12 +214,11 @@ builddir = @builddir@
 confdir = @confdir@
 datadir = @datadir@
 datarootdir = @datarootdir@
-dbus_CFLAGS = @dbus_CFLAGS@
-dbus_LIBS = @dbus_LIBS@
 docdir = @docdir@
 dvidir = @dvidir@
-eapdir = @eapdir@
 exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -223,12 +228,12 @@ htmldir = @htmldir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
-interfacedir = @interfacedir@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
-ipsecuid = @ipsecuid@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
 linuxdir = @linuxdir@
 localedir = @localedir@
 localstatedir = @localstatedir@
@@ -241,10 +246,12 @@ plugindir = @plugindir@
 prefix = @prefix@
 program_transform_name = @program_transform_name@
 psdir = @psdir@
+resolv_conf = @resolv_conf@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 simreader = @simreader@
 srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 target_alias = @target_alias@
 top_builddir = @top_builddir@
@@ -328,10 +335,11 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
 	-DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" \
 	-DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO \
 	-DKLIPS -DDEBUG -DTHREADS $(am__append_1) $(am__append_2) \
-	$(am__append_3) $(am__append_4)
+	$(am__append_3) $(am__append_4) $(am__append_6) \
+	$(am__append_8) $(am__append_9)
 pluto_LDADD = oid.o $(LIBFREESWANDIR)/libfreeswan.a \
 	$(LIBCRYPTODIR)/libcrypto.a -lgmp -lresolv -lpthread -ldl \
-	$(am__append_5) $(am__append_6)
+	$(am__append_5) $(am__append_7)
 _pluto_adns_LDADD = \
 $(LIBFREESWANDIR)/libfreeswan.a \
 -lresolv -ldl
@@ -379,8 +387,8 @@ install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
 	     || test -f $$p1 \
 	  ; then \
 	    f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
-	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
-	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
+	   echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+	   $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
 	  else :; fi; \
 	done
 
@@ -681,8 +689,8 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '    { files[$$0] = 1; } \
-	       END { for (i in files) print i; }'`; \
+	  $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	mkid -fID $$unique
 tags: TAGS
 
@@ -694,8 +702,8 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '    { files[$$0] = 1; } \
-	       END { for (i in files) print i; }'`; \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
 	  test -n "$$unique" || unique=$$empty_fix; \
 	  $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
@@ -705,13 +713,12 @@ ctags: CTAGS
 CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 		$(TAGS_FILES) $(LISP)
 	tags=; \
-	here=`pwd`; \
 	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
 	unique=`for i in $$list; do \
 	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
 	  done | \
-	  $(AWK) '    { files[$$0] = 1; } \
-	       END { for (i in files) print i; }'`; \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
 	test -z "$(CTAGS_ARGS)$$tags$$unique" \
 	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
 	     $$tags $$unique
diff --git a/src/pluto/ac.c b/src/pluto/ac.c
index 43ebf91d9..77e0b40bb 100644
--- a/src/pluto/ac.c
+++ b/src/pluto/ac.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ac.c 3253 2007-10-06 21:39:00Z andreas $
+ * RCSID $Id: ac.c 3686 2008-03-28 11:48:14Z martin $
  */
 
 #include <stdlib.h>
@@ -599,16 +599,6 @@ parse_ac(chunk_t blob, x509acert_t *ac)
 }
 
 /*
- *  compare two X.509 attribute certificates by comparing their signatures
- */
-static bool
-same_x509acert(x509acert_t *a, x509acert_t *b)
-{
-    return a->signature.len == b->signature.len &&
-	memcmp(a->signature.ptr, b->signature.ptr, b->signature.len) == 0;
-}
-
-/*
  *  release an ietfAttribute, free it if count reaches zero
  */
 static void
diff --git a/src/pluto/alg/ike_alg_aes.c b/src/pluto/alg/ike_alg_aes.c
index 44de09b4c..c635af723 100644
--- a/src/pluto/alg/ike_alg_aes.c
+++ b/src/pluto/alg/ike_alg_aes.c
@@ -34,7 +34,7 @@ do_aes(u_int8_t *buf, size_t buf_len, u_int8_t *key, size_t key_size, u_int8_t *
 	memcpy(new_iv=iv_bak, (char*) buf + buf_len - AES_CBC_BLOCK_SIZE
 		, AES_CBC_BLOCK_SIZE);
 
-    AES_cbc_encrypt(&aes_ctx, buf, buf, buf_len, iv, enc);
+    SS_AES_cbc_encrypt(&aes_ctx, buf, buf, buf_len, iv, enc);
 
     if (enc)
 	new_iv = (char*) buf + buf_len-AES_CBC_BLOCK_SIZE;
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index 145e492d4..cd02d2358 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  * 
- * RCSID $Id: alg_info.c 3253 2007-10-06 21:39:00Z andreas $
+ * RCSID $Id: alg_info.c 3846 2008-04-18 17:01:45Z andreas $
  */
 
 #include <stddef.h>
@@ -96,8 +96,8 @@ alg_info_esp_sadb2aa(int sadb_aalg)
     int auth = 0;
 
     switch(sadb_aalg) {
-	case SADB_AALG_MD5_HMAC:
-	case SADB_AALG_SHA1_HMAC:
+	case SADB_AALG_MD5HMAC:
+	case SADB_AALG_SHA1HMAC:
 	    auth = sadb_aalg - 1;
 	    break;
 	/* since they are the same ...  :)  */
@@ -195,7 +195,11 @@ aalg_getbyname_esp(const char *const str, int len)
 
     /* interpret 'SHA' as 'SHA1' */
     if (strncasecmp("SHA", str, len) == 0)
-	return enum_search(&auth_alg_names, "AUTH_ALGORITHM_HMAC_SHA1");
+	return AUTH_ALGORITHM_HMAC_SHA1;
+
+    /* interpret 'AESXCBC' as 'AES_XCBC_MAC' */
+    if (strncasecmp("AESXCBC", str, len) == 0)
+	return AUTH_ALGORITHM_AES_XCBC_MAC;
 
     ret = enum_search_prefix(&auth_alg_names,"AUTH_ALGORITHM_HMAC_", str ,len);
     if (ret >= 0)
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 8fbf969b6..13a004794 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: connections.c 3361 2007-11-21 23:42:27Z andreas $
+ * RCSID $Id: connections.c 3686 2008-03-28 11:48:14Z martin $
  */
 
 #include <string.h>
@@ -2354,7 +2354,7 @@ initiate_opportunistic_body(struct find_oppo_bundle *b
 	 * DNS query (if any).  It also selects the kind of the next step.
 	 * The second chunk initiates the next DNS query (if any).
 	 */
-	enum find_oppo_step next_step;
+	enum find_oppo_step next_step = fos_myid_ip_txt;
 	err_t ugh = ac_ugh;
 	char mycredentialstr[BUF_LEN];
 	char cib[CONN_INST_BUF];
@@ -3279,7 +3279,7 @@ refine_host_connection(const struct state *st, const struct id *peer_id
     struct connection *d;
     struct connection *best_found = NULL;
     u_int16_t auth = st->st_oakley.auth;
-    lset_t auth_policy;
+    lset_t auth_policy = POLICY_PSK;
     const chunk_t *psk = NULL;
     bool wcpip;	/* wildcard Peer IP? */
     int best_prio = PRIO_NO_MATCH_FOUND;
diff --git a/src/pluto/connections.h b/src/pluto/connections.h
index 3000f888a..b11565296 100644
--- a/src/pluto/connections.h
+++ b/src/pluto/connections.h
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: connections.h 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: connections.h 4024 2008-05-29 07:49:47Z andreas $
  */
 
 #ifndef _CONNECTIONS_H
@@ -186,7 +186,7 @@ struct connection {
 
     char              *log_file_name;       /* name of log file */
     FILE              *log_file;            /* possibly open FILE */
-    CIRCLEQ_ENTRY(connection) log_link;     /* linked list of open conns */
+    TAILQ_ENTRY(connection) log_link;     /* linked list of open conns */
     bool               log_file_err;        /* only bitch once */
 
     struct spd_route spd;
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index 93e430957..ca548afab 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: constants.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: constants.c 3839 2008-04-18 11:25:37Z andreas $
  */
 
 /*
@@ -377,11 +377,13 @@ static const char *const ah_transform_name[] = {
 	"AH_SHA2_256",
 	"AH_SHA2_384",
 	"AH_SHA2_512",
-	"AH_RIPEMD"
+	"AH_RIPEMD",
+	"AH_AES_XCBC_MAC",
+	"AH_RSA"
     };
 
 enum_names ah_transformid_names =
-    { AH_MD5, AH_RIPEMD, ah_transform_name, NULL };
+    { AH_MD5, AH_RSA, ah_transform_name, NULL };
 
 /* IPsec ESP transform values */
 
@@ -401,7 +403,13 @@ static const char *const esp_transform_name[] = {
 	"ESP_AES-CTR",
 	"ESP_AES-CCM_8",
 	"ESP_AES-CCM_12",
-	"ESP_AES-CCM_16"
+	"ESP_AES-CCM_16",
+	"ESP_UNASSIGNED_17",
+	"ESP_AES_GCM_8",
+	"ESP_AES_GCM_12",
+	"ESP_AES_GCM_16",
+	"ESP_SEED_CBC",
+	"ESP_CAMELLIA"
     };
 
 /*
@@ -417,7 +425,7 @@ enum_names esp_transformid_names_high =
     { ESP_SERPENT, ESP_TWOFISH, esp_transform_name_high, NULL };
 
 enum_names esp_transformid_names =
-    { ESP_DES_IV64, ESP_AES_CCM_16, esp_transform_name, &esp_transformid_names_high };
+    { ESP_DES_IV64, ESP_CAMELLIA, esp_transform_name, &esp_transformid_names_high };
 
 /* IPCOMP transform values */
 
@@ -684,6 +692,8 @@ static const char *const auth_alg_name[] = {
 	"AUTH_ALGORITHM_HMAC_SHA2_384",
 	"AUTH_ALGORITHM_HMAC_SHA2_512",
 	"AUTH_ALGORITHM_HMAC_RIPEMD",
+	"AUTH_ALGORITHM_AES_XCBC_MAC",
+	"AUTH_ALGORITHM_SIG_RSA"
     };
 
 static const char *const extended_auth_alg_name[] = {
@@ -694,7 +704,7 @@ enum_names extended_auth_alg_names =
     { AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_NULL, extended_auth_alg_name, NULL };
 
 enum_names auth_alg_names =
-    { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_HMAC_RIPEMD, auth_alg_name
+    { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_SIG_RSA, auth_alg_name
 	, &extended_auth_alg_names };
 
 /* From draft-beaulieu-ike-xauth */
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index ddfe76293..e6357164f 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -13,7 +13,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: constants.h 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: constants.h 4051 2008-06-10 09:08:27Z tobias $
  */
 
 #ifndef _CONSTANTS_H
@@ -877,6 +877,7 @@ extern const char *prettypolicy(lset_t policy);
 #define POLICY_BEET		LELEM(22)	/* bound end2end tunnel, IKEv2 */
 #define POLICY_MOBIKE		LELEM(23)	/* enable MOBIKE for IKEv2  */
 #define POLICY_FORCE_ENCAP	LELEM(24)	/* force UDP encapsulation (IKEv2)  */
+#define POLICY_ECDSASIG	LELEM(25)   /* ecdsa signature (IKEv2) */
 
 /* Any IPsec policy?  If not, a connection description
  * is only for ISAKMP SA, not IPSEC SA.  (A pun, I admit.)
@@ -992,6 +993,8 @@ extern enum_names auth_alg_names, extended_auth_alg_names;
 #define AUTH_ALGORITHM_HMAC_SHA2_384	6
 #define AUTH_ALGORITHM_HMAC_SHA2_512	7
 #define AUTH_ALGORITHM_HMAC_RIPEMD	8
+#define AUTH_ALGORITHM_AES_XCBC_MAC	9
+#define AUTH_ALGORITHM_SIG_RSA		10
 #define AUTH_ALGORITHM_NULL		251
 
 /* Oakley Lifetime Type attribute
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index 8998207c2..6e1093661 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: crl.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: crl.c 3686 2008-03-28 11:48:14Z martin $
  */
 
 #include <stdlib.h>
@@ -406,7 +406,7 @@ parse_x509crl(chunk_t blob, u_int level0, x509crl_t *crl)
     asn1_ctx_t ctx;
     bool critical;
     chunk_t extnID;
-    chunk_t userCertificate;
+    chunk_t userCertificate = empty_chunk;
     chunk_t object;
     u_int level;
     int objectID = 0;
diff --git a/src/pluto/demux.c b/src/pluto/demux.c
index 9bc889b4b..04728a4a8 100644
--- a/src/pluto/demux.c
+++ b/src/pluto/demux.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: demux.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: demux.c 3686 2008-03-28 11:48:14Z martin $
  */
 
 /* Ordering Constraints on Payloads
@@ -2167,7 +2167,7 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
 
 	    /* Schedule for whatever timeout is specified */
 	    {
-		time_t delay;
+		time_t delay = UNDEFINED_TIME;
 		enum event_type kind = smc->timeout_event;
 		bool agreed_time = FALSE;
 		struct connection *c = st->st_connection;
diff --git a/src/pluto/fetch.c b/src/pluto/fetch.c
index c0bf3fed6..cd8b58df2 100644
--- a/src/pluto/fetch.c
+++ b/src/pluto/fetch.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: fetch.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: fetch.c 3686 2008-03-28 11:48:14Z martin $
  */
 
 #include <stdlib.h>
@@ -825,7 +825,9 @@ fetch_thread(void *arg)
 void
 init_fetch(void)
 {
+#if defined(LIBCURL) || defined (THREADS)
     int status;
+#endif
 
 #ifdef LIBCURL
     /* init curl */
diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c
index 52f2c5c80..6759059fa 100644
--- a/src/pluto/ike_alg.c
+++ b/src/pluto/ike_alg.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ike_alg.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: ike_alg.c 3686 2008-03-28 11:48:14Z martin $
  */
 
 #include <stdio.h>
@@ -521,9 +521,6 @@ ike_alg_test(void)
 
     for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next)
     {
-	
-        struct encrypt_desc *desc = (struct encrypt_desc*)a;
-
 	plog("  %s self-test not available", enum_name(&oakley_enc_names, a->algo_id));
     }
 
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 852b2e73e..88536e6d6 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: ipsec_doi.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: ipsec_doi.c 3686 2008-03-28 11:48:14Z martin $
  */
 
 #include <stdio.h>
@@ -952,7 +952,6 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
     /* SA out */
     {
 	u_char *sa_start = rbody.cur;
-	lset_t auth_policy = policy & POLICY_ID_AUTH_MASK;
 
 	if (!out_sa(&rbody, &oakley_sadb, st, TRUE
 	, vids_to_send-- ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE))
@@ -2800,7 +2799,7 @@ compute_proto_keymat(struct state *st
 , u_int8_t protoid
 , struct ipsec_proto_info *pi)
 {
-    size_t needed_len; /* bytes of keying material needed */
+    size_t needed_len = 0; /* bytes of keying material needed */
 
     /* Add up the requirements for keying material
      * (It probably doesn't matter if we produce too much!)
@@ -3754,7 +3753,7 @@ main_id_and_auth(struct msg_digest *md
 	    struct key_continuation *nkc
 		= alloc_thing(struct key_continuation, "key continuation");
 	    enum key_oppo_step step_done = kc == NULL? kos_null : kc->step;
-	    err_t ugh;
+	    err_t ugh = NULL;
 
 	    /* Record that state is used by a suspended md */
 	    passert(st->st_suspended_md == NULL);
@@ -4308,7 +4307,7 @@ report_verify_failure(struct verify_oppo_bundle *b, err_t ugh)
     char fgwb[ADDRTOT_BUF]
 	, cb[ADDRTOT_BUF];
     ip_address client;
-    err_t which;
+    err_t which = NULL;
 
     switch (b->step)
     {
@@ -4384,7 +4383,7 @@ quick_inI1_outR1_start_query(struct verify_oppo_bundle *b
 	, *our_id	/* needed for myid playing */
 	, our_id_space;	/* ephemeral: no need for unshare_id_content */
     ip_address client;
-    err_t ugh;
+    err_t ugh = NULL;
 
     /* Record that state is used by a suspended md */
     b->step = next_step;    /* not just vc->b.step */
@@ -4495,7 +4494,7 @@ quick_inI1_outR1_process_answer(struct verify_oppo_bundle *b
 , struct state *p1st)
 {
     struct connection *c = p1st->st_connection;
-    enum verify_oppo_step next_step;
+    enum verify_oppo_step next_step = vos_our_client;
     err_t ugh = NULL;
 
     DBG(DBG_CONTROL,
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index 5f31d5ca3..d42ac3372 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: kernel.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: kernel.c 3846 2008-04-18 17:01:45Z andreas $
  */
 
 #include <stddef.h>
@@ -1827,30 +1827,30 @@ setup_half_ipsec_sa(struct state *st, bool inbound)
 	static const struct esp_info esp_info[] = {
 	    { ESP_NULL, AUTH_ALGORITHM_HMAC_MD5,
 		0, HMAC_MD5_KEY_LEN,
-		SADB_EALG_NULL, SADB_AALG_MD5_HMAC },
+		SADB_EALG_NULL, SADB_AALG_MD5HMAC },
 	    { ESP_NULL, AUTH_ALGORITHM_HMAC_SHA1,
 		0, HMAC_SHA1_KEY_LEN,
-		SADB_EALG_NULL, SADB_AALG_SHA1_HMAC },
+		SADB_EALG_NULL, SADB_AALG_SHA1HMAC },
 
 	    { ESP_DES, AUTH_ALGORITHM_NONE,
 		DES_CBC_BLOCK_SIZE, 0,
-		SADB_EALG_DES_CBC, SADB_AALG_NONE },
+		SADB_EALG_DESCBC, SADB_AALG_NONE },
 	    { ESP_DES, AUTH_ALGORITHM_HMAC_MD5,
 		DES_CBC_BLOCK_SIZE, HMAC_MD5_KEY_LEN,
-		SADB_EALG_DES_CBC, SADB_AALG_MD5_HMAC },
+		SADB_EALG_DESCBC, SADB_AALG_MD5HMAC },
 	    { ESP_DES, AUTH_ALGORITHM_HMAC_SHA1,
 		DES_CBC_BLOCK_SIZE,
-		HMAC_SHA1_KEY_LEN, SADB_EALG_DES_CBC, SADB_AALG_SHA1_HMAC },
+		HMAC_SHA1_KEY_LEN, SADB_EALG_DESCBC, SADB_AALG_SHA1HMAC },
 
 	    { ESP_3DES, AUTH_ALGORITHM_NONE,
 		DES_CBC_BLOCK_SIZE * 3, 0,
-		SADB_EALG_3DES_CBC, SADB_AALG_NONE },
+		SADB_EALG_3DESCBC, SADB_AALG_NONE },
 	    { ESP_3DES, AUTH_ALGORITHM_HMAC_MD5,
 		DES_CBC_BLOCK_SIZE * 3, HMAC_MD5_KEY_LEN,
-		SADB_EALG_3DES_CBC, SADB_AALG_MD5_HMAC },
+		SADB_EALG_3DESCBC, SADB_AALG_MD5HMAC },
 	    { ESP_3DES, AUTH_ALGORITHM_HMAC_SHA1,
 		DES_CBC_BLOCK_SIZE * 3, HMAC_SHA1_KEY_LEN,
-		SADB_EALG_3DES_CBC, SADB_AALG_SHA1_HMAC },
+		SADB_EALG_3DESCBC, SADB_AALG_SHA1HMAC },
 	};
 
 	u_int8_t natt_type = 0;
@@ -1976,11 +1976,11 @@ setup_half_ipsec_sa(struct state *st, bool inbound)
 	switch (st->st_ah.attrs.auth)
 	{
 	case AUTH_ALGORITHM_HMAC_MD5:
-	    authalg = SADB_AALG_MD5_HMAC;
+	    authalg = SADB_AALG_MD5HMAC;
 	    break;
 
 	case AUTH_ALGORITHM_HMAC_SHA1:
-	    authalg = SADB_AALG_SHA1_HMAC;
+	    authalg = SADB_AALG_SHA1HMAC;
 	    break;
 
 	default:
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
index abdb603de..4269de66e 100644
--- a/src/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: kernel_netlink.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: kernel_netlink.c 3850 2008-04-18 20:01:49Z andreas $
  */
 
 #if defined(linux) && defined(KERNEL26_SUPPORT)
@@ -83,12 +83,13 @@ static sparse_names xfrm_type_names = {
 /* Authentication algorithms */
 static sparse_names aalg_list = {
 	{ SADB_X_AALG_NULL, "digest_null" },
-	{ SADB_AALG_MD5_HMAC, "md5" },
-	{ SADB_AALG_SHA1_HMAC, "sha1" },
-	{ SADB_AALG_SHA2_256_HMAC, "sha256" },
-	{ SADB_AALG_SHA2_384_HMAC, "sha384" },
-	{ SADB_AALG_SHA2_512_HMAC, "sha512" },
-	{ SADB_AALG_RIPEMD_160_HMAC, "ripemd160" },
+	{ SADB_AALG_MD5HMAC, "md5" },
+	{ SADB_AALG_SHA1HMAC, "sha1" },
+	{ SADB_X_AALG_SHA2_256HMAC, "sha256" },
+	{ SADB_X_AALG_SHA2_384HMAC, "sha384" },
+	{ SADB_X_AALG_SHA2_512HMAC, "sha512" },
+	{ SADB_X_AALG_RIPEMD160HMAC, "ripemd160" },
+	{ SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"},
 	{ SADB_X_AALG_NULL, "null" },
 	{ 0, sparse_end }
 };
@@ -96,14 +97,14 @@ static sparse_names aalg_list = {
 /* Encryption algorithms */
 static sparse_names ealg_list = {
 	{ SADB_EALG_NULL, "cipher_null" },
-	{ SADB_EALG_DES_CBC, "des" },
-	{ SADB_EALG_3DES_CBC, "des3_ede" },
-	{ SADB_EALG_IDEA_CBC, "idea" },
-	{ SADB_EALG_CAST_CBC, "cast128" },
-	{ SADB_EALG_BLOWFISH_CBC, "blowfish" },
-	{ SADB_EALG_AES_CBC, "aes" },
-	{ SADB_X_EALG_SERPENT_CBC, "serpent" },
-	{ SADB_X_EALG_TWOFISH_CBC, "twofish" },
+	{ SADB_EALG_DESCBC, "des" },
+	{ SADB_EALG_3DESCBC, "des3_ede" },
+	{ SADB_X_EALG_CASTCBC, "cast128" },
+	{ SADB_X_EALG_BLOWFISHCBC, "blowfish" },
+	{ SADB_X_EALG_AESCBC, "aes" },
+	{ SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" },
+	{ SADB_X_EALG_SERPENTCBC, "serpent" },
+	{ SADB_X_EALG_TWOFISHCBC, "twofish" },
 	{ 0, sparse_end }
 };
 
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index eab9dfc4a..1aed7a63f 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: keys.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: keys.c 3738 2008-04-02 19:04:45Z andreas $
  */
 
 #include <stddef.h>
@@ -83,7 +83,7 @@ static pubkey_t*
 allocate_RSA_public_key(const cert_t cert)
 {
     pubkey_t *pk = alloc_thing(pubkey_t, "pubkey");
-    chunk_t e, n;
+    chunk_t e = empty_chunk, n = empty_chunk;
 
     switch (cert.type)
     {
@@ -335,7 +335,7 @@ get_x509_private_key(const x509cert_t *cert)
 {
     secret_t *s;
     const RSA_private_key_t *pri = NULL;
-    const cert_t c = {CERT_X509_SIGNATURE, {cert}};
+    const cert_t c = {CERT_X509_SIGNATURE, {(x509cert_t*)cert}};
 
     pubkey_t *pubkey = allocate_RSA_public_key(c);
 
@@ -647,7 +647,7 @@ xauth_get_secret(xauth_t *xauth_secret)
  * find a matching secret
  */
 static bool
-xauth_verify_secret(const char *conn_name, const xauth_t *xauth_secret)
+xauth_verify_secret(const xauth_peer_t *peer, const xauth_t *xauth_secret)
 {
     bool found = FALSE;
     secret_t *s;
@@ -1473,7 +1473,7 @@ add_pgp_public_key(pgpcert_t *cert , time_t until
 void
 remove_x509_public_key(const x509cert_t *cert)
 {
-    const cert_t c = {CERT_X509_SIGNATURE, {cert}};
+    const cert_t c = {CERT_X509_SIGNATURE, {(x509cert_t*)cert}};
     pubkey_list_t *p, **pp;
     pubkey_t *revoked_pk;
 
diff --git a/src/pluto/log.c b/src/pluto/log.c
index ca0576b69..0fb5f1d25 100644
--- a/src/pluto/log.c
+++ b/src/pluto/log.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: log.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: log.c 4024 2008-05-29 07:49:47Z andreas $
  */
 
 #include <stdio.h>
@@ -65,7 +65,7 @@ const char *base_perpeer_logdir = PERPEERLOGDIR;
 static int perpeer_count = 0;
 
 /* from sys/queue.h */
-static CIRCLEQ_HEAD(,connection) perpeer_list;
+static TAILQ_HEAD(perpeer, connection) perpeer_list;
 
 
 /* Context for logging.
@@ -88,19 +88,19 @@ init_log(const char *program)
     if (log_to_syslog)
 	openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
 
-    CIRCLEQ_INIT(&perpeer_list);
+    TAILQ_INIT(&perpeer_list);
 }
 
 void
 close_peerlog(void)
 {
-    /* end of circular queue is given by pointer to "HEAD"
-     * BUT if the queue is not initialized, this won't be true
-     * so we must guard by test perpeer_list.cqh_first != NULL
-     */
-    if (perpeer_list.cqh_first != NULL)
-	while (perpeer_list.cqh_first != (void *)&perpeer_list)
-	    perpeer_logclose(perpeer_list.cqh_first);
+    /* exit if the queue has not been initialized */
+    if (TAILQ_LAST(&perpeer_list, perpeer) == NULL)
+       return;
+
+    /* end of queue is given by pointer to "HEAD" */
+    while (TAILQ_LAST(&perpeer_list, perpeer) != (void *)&perpeer_list)
+       perpeer_logclose(TAILQ_LAST(&perpeer_list, perpeer));
 }
 
 void
@@ -231,7 +231,7 @@ perpeer_logclose(struct connection *c)
     {
 	passert(perpeer_count > 0);
 
-	CIRCLEQ_REMOVE(&perpeer_list, c, log_link);
+	TAILQ_REMOVE(&perpeer_list, c, log_link);
 	perpeer_count--;
 	fclose(c->log_file);
 	c->log_file=NULL;
@@ -366,13 +366,13 @@ open_peerlog(struct connection *c)
     while (perpeer_count >= MAX_PEERLOG_COUNT)
     {
 	/* can not be NULL because perpeer_count > 0 */
-	passert(perpeer_list.cqh_last != (void *)&perpeer_list);
+	passert(TAILQ_LAST(&perpeer_list, perpeer) != (void *)&perpeer_list);
 
-	perpeer_logclose(perpeer_list.cqh_last);
+	perpeer_logclose(TAILQ_LAST(&perpeer_list, perpeer));
     }
 
     /* insert this into the list */
-    CIRCLEQ_INSERT_HEAD(&perpeer_list, c, log_link);
+    TAILQ_INSERT_HEAD(&perpeer_list, c, log_link);
     passert(c->log_file != NULL);
     perpeer_count++;
 }
@@ -406,8 +406,8 @@ peerlog(const char *prefix, const char *m)
 	fprintf(cur_connection->log_file, "%s %s%s\n", datebuf, prefix, m);
 
 	/* now move it to the front of the list */
-	CIRCLEQ_REMOVE(&perpeer_list, cur_connection, log_link);
-	CIRCLEQ_INSERT_HEAD(&perpeer_list, cur_connection, log_link);
+	TAILQ_REMOVE(&perpeer_list, cur_connection, log_link);
+	TAILQ_INSERT_HEAD(&perpeer_list, cur_connection, log_link);
     }
 }
 
diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c
index b7f8aef93..93624588a 100644
--- a/src/pluto/modecfg.c
+++ b/src/pluto/modecfg.c
@@ -14,7 +14,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: modecfg.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: modecfg.c 3738 2008-04-02 19:04:45Z andreas $
  *
  * This code originally written by Colubris Networks, Inc.
  * Extraction of patch and porting to 1.99 codebases by Xelerance Corporation
@@ -967,6 +967,12 @@ xauth_inR1(struct msg_digest *md)
     }
     else 
     {
+	xauth_peer_t peer;
+
+	peer.conn_name = st->st_connection->name;
+	addrtot(&md->sender, 0, peer.ip_address, sizeof(peer.ip_address));
+	idtoa(&md->st->st_connection->spd.that.id, peer.id, sizeof(peer.id));
+
 	DBG(DBG_CONTROL,
 	    DBG_log("peer xauth user name is '%.*s'"
 		   , ia.xauth_secret.user_name.len
@@ -977,9 +983,8 @@ xauth_inR1(struct msg_digest *md)
 		   , ia.xauth_secret.user_password.len
 		   , ia.xauth_secret.user_password.ptr)
 	)
-	/* verify the user credentials using a plugn function */
-	st->st_xauth.status = xauth_module.verify_secret(st->st_connection->name
-						       , &ia.xauth_secret);
+	/* verify the user credentials using a plugin function */
+	st->st_xauth.status = xauth_module.verify_secret(&peer, &ia.xauth_secret);
 	plog("extended authentication %s", st->st_xauth.status? "was successful":"failed");
     }
 
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index fccd2e461..5662c5c41 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: plutomain.c 3253 2007-10-06 21:39:00Z andreas $
+ * RCSID $Id: plutomain.c 3914 2008-05-08 10:58:04Z martin $
  */
 
 #include <stdio.h>
@@ -31,6 +31,8 @@
 #include <sys/queue.h>
 #include <linux/capability.h>
 #include <sys/prctl.h>
+#include <pwd.h>
+#include <grp.h>
 
 #include <freeswan.h>
 
@@ -617,19 +619,43 @@ main(int argc, char **argv)
     init_fetch();
 
     /* drop unneeded capabilities and change UID/GID */
+#ifdef _LINUX_CAPABILITY_VERSION_1
+    hdr.version = _LINUX_CAPABILITY_VERSION_1;
+#else
     hdr.version = _LINUX_CAPABILITY_VERSION;
+#endif
     hdr.pid = 0;
     data.inheritable = data.effective = data.permitted = 
 				1<<CAP_NET_ADMIN | 1<<CAP_NET_BIND_SERVICE;
 
     prctl(PR_SET_KEEPCAPS, 1);
+	
+#ifdef IPSEC_GROUP
+    {
+	struct group group, *grp;
+    char buf[1024];
 
-#   if IPSEC_GID
-	setgid(IPSEC_GID);
-#   endif
-#   if IPSEC_UID
-	setuid(IPSEC_UID);
-#   endif
+	if (getgrnam_r(IPSEC_GROUP, &group, buf, sizeof(buf), &grp) != 0 ||
+		grp == NULL || setgid(grp->gr_gid) != 0)
+	{
+	    plog("unable to change daemon group");
+	    abort();
+	}
+    }
+#endif
+#ifdef IPSEC_USER
+    {
+	struct passwd passwd, *pwp;
+    char buf[1024];
+
+	if (getpwnam_r(IPSEC_USER, &passwd, buf, sizeof(buf), &pwp) != 0 ||
+		pwp == NULL || setuid(pwp->pw_uid) != 0)
+	{
+	    plog("unable to change daemon user");
+	    abort();
+	}
+	}
+#endif
     if (capset(&hdr, &data))
     {
 	plog("unable to drop root privileges");
diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c
index c46e3cf9a..937c3f93a 100644
--- a/src/pluto/smartcard.c
+++ b/src/pluto/smartcard.c
@@ -18,7 +18,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: smartcard.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: smartcard.c 3686 2008-03-28 11:48:14Z martin $
  */
 
 #include <stdio.h>
@@ -701,7 +701,7 @@ void
 scx_init(const char* module, const char *init_args)
 {
 #ifdef SMARTCARD
-    CK_C_INITIALIZE_ARGS args = { .pReserved = init_args, };
+    CK_C_INITIALIZE_ARGS args = { .pReserved = (char *)init_args, };
     CK_RV rv;
 
     if (scx_initialized)
@@ -1442,7 +1442,7 @@ scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
 	if (rv == CKR_FUNCTION_NOT_SUPPORTED)
 	{
 	    RSA_public_key_t rsa;
-	    chunk_t plain_text = {in, inlen};
+	    chunk_t plain_text = {(u_char*)in, inlen};
 	    chunk_t cipher_text; 
 
 	    DBG(DBG_CONTROL,
@@ -1496,7 +1496,7 @@ scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
     DBG(DBG_CONTROL,
 	DBG_log("doing RSA encryption on smartcard")
     )
-    rv = pkcs11_functions->C_Encrypt(sc->session, in, inlen
+    rv = pkcs11_functions->C_Encrypt(sc->session, (u_char*)in, inlen
 		, out, &len);
     if (rv != CKR_OK)
     {
@@ -1570,7 +1570,7 @@ scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen
 	return FALSE;
     }
 
-    rv = pkcs11_functions->C_Decrypt(sc->session, in, inlen
+    rv = pkcs11_functions->C_Decrypt(sc->session, (u_char*)in, inlen
 		, out, &len);
     if (rv != CKR_OK)
     {
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
index 7003b127a..9d1bf8843 100644
--- a/src/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: spdb.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: spdb.c 3845 2008-04-18 17:00:30Z andreas $
  */
 
 #include <stdio.h>
@@ -296,9 +296,9 @@ out_sa(pb_stream *outs
 	    struct db_prop *p = &pc->props[pn];
 	    pb_stream proposal_pbs;
 	    struct isakmp_proposal proposal;
-	    struct_desc *trans_desc;
-	    struct_desc *attr_desc;
-	    enum_names **attr_val_descs;
+	    struct_desc *trans_desc = NULL;
+	    struct_desc *attr_desc = NULL;
+	    enum_names **attr_val_descs = NULL;
 	    int tn;
 	    bool tunnel_mode;
 
@@ -1166,6 +1166,8 @@ parse_isakmp_sa_body(u_int32_t ipsecdoisit
 	    case OAKLEY_GROUP_ORDER | ISAKMP_ATTR_AF_TLV:
 #endif
 	    default:
+		/* fix compiler warning */
+		memset(&ta, 0, sizeof(ta));
 		ugh = "unsupported OAKLEY attribute";
 		break;
 	    }
@@ -1761,7 +1763,9 @@ parse_ipsec_sa_body(
     {
 	int propno = next_proposal.isap_proposal;
 	pb_stream ah_prop_pbs, esp_prop_pbs, ipcomp_prop_pbs;
-	struct isakmp_proposal ah_proposal, esp_proposal, ipcomp_proposal;
+	struct isakmp_proposal ah_proposal = {0, 0, 0, 0, 0, 0, 0};
+	struct isakmp_proposal esp_proposal = {0, 0, 0, 0, 0, 0, 0};
+	struct isakmp_proposal ipcomp_proposal = {0, 0, 0, 0, 0, 0, 0};
 	ipsec_spi_t ah_spi = 0;
 	ipsec_spi_t esp_spi = 0;
 	ipsec_spi_t ipcomp_cpi = 0;
@@ -2054,7 +2058,7 @@ parse_ipsec_sa_body(
 		/* set default key length for AES encryption */
 		if (!esp_attrs.key_len && esp_attrs.transid == ESP_AES)
 		{
-		    esp_attrs.key_len = 128 / BITS_PER_BYTE;
+		    esp_attrs.key_len = 128; /* bits */
 		}
 
 		if (!kernel_alg_esp_enc_ok(esp_attrs.transid, esp_attrs.key_len
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index c31a4195b..3b779ed24 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: vendor.c 3472 2008-02-14 21:26:21Z andreas $
+ * RCSID $Id: vendor.c 4016 2008-05-25 10:35:39Z andreas $
  */
 
 #include <stdlib.h>
@@ -206,7 +206,12 @@ static struct vid_struct _vid_tab[] = {
 	/*
 	 * strongSwan
 	 */
-	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.1.11")
+	DEC_MD5_VID(STRONGSWAN,       "strongSwan 4.2.4")
+	DEC_MD5_VID(STRONGSWAN_4_2_3, "strongSwan 4.2.3")
+	DEC_MD5_VID(STRONGSWAN_4_2_2, "strongSwan 4.2.2")
+	DEC_MD5_VID(STRONGSWAN_4_2_1, "strongSwan 4.2.1")
+	DEC_MD5_VID(STRONGSWAN_4_2_0, "strongSwan 4.2.0")
+	DEC_MD5_VID(STRONGSWAN_4_1_11,"strongSwan 4.1.11")
 	DEC_MD5_VID(STRONGSWAN_4_1_10,"strongSwan 4.1.10")
 	DEC_MD5_VID(STRONGSWAN_4_1_9, "strongSwan 4.1.9")
 	DEC_MD5_VID(STRONGSWAN_4_1_8, "strongSwan 4.1.8")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 03d2fde77..c1d8870bc 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -11,7 +11,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: vendor.h 3413 2007-12-24 18:07:55Z andreas $
+ * RCSID $Id: vendor.h 4016 2008-05-25 10:35:39Z andreas $
  */
 
 #ifndef _VENDOR_H_
@@ -114,17 +114,23 @@ enum known_vendorid {
   VID_STRONGSWAN_4_1_8		= 96,
   VID_STRONGSWAN_4_1_9		= 97,
   VID_STRONGSWAN_4_1_10		= 98,
+  VID_STRONGSWAN_4_1_11		= 99,
+
+  VID_STRONGSWAN_4_2_0		=100,
+  VID_STRONGSWAN_4_2_1		=101,
+  VID_STRONGSWAN_4_2_2		=102,
+  VID_STRONGSWAN_4_2_3		=103,
 
   /* 101 - 200 : NAT-Traversal */
-  VID_NATT_STENBERG_01		=101,
-  VID_NATT_STENBERG_02		=102,
-  VID_NATT_HUTTUNEN		=103,
-  VID_NATT_HUTTUNEN_ESPINUDP	=104,
-  VID_NATT_IETF_00		=105,
-  VID_NATT_IETF_02_N		=106,
-  VID_NATT_IETF_02		=107,
-  VID_NATT_IETF_03		=108,
-  VID_NATT_RFC			=109,
+  VID_NATT_STENBERG_01		=151,
+  VID_NATT_STENBERG_02		=152,
+  VID_NATT_HUTTUNEN		=153,
+  VID_NATT_HUTTUNEN_ESPINUDP	=154,
+  VID_NATT_IETF_00		=155,
+  VID_NATT_IETF_02_N		=156,
+  VID_NATT_IETF_02		=157,
+  VID_NATT_IETF_03		=158,
+  VID_NATT_RFC			=159,
 
   /* 201 - 300 : Misc */
   VID_MISC_XAUTH		=201,
diff --git a/src/pluto/xauth.c b/src/pluto/xauth.c
index 0188b1950..8f4dc2460 100644
--- a/src/pluto/xauth.c
+++ b/src/pluto/xauth.c
@@ -12,7 +12,7 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: xauth.c 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: xauth.c 3738 2008-04-02 19:04:45Z andreas $
  */
 
 #include <dlfcn.h>
@@ -44,7 +44,7 @@ xauth_init(void)
 		DBG_log("xauth module: found get_secret() function");
 	    }
 	)
-	xauth_module.verify_secret = (bool (*) (const char*, const xauth_t*))
+	xauth_module.verify_secret = (bool (*) (const xauth_peer_t*, const xauth_t*))
 			dlsym(xauth_module.handle, "verify_secret");
 	DBG(DBG_CONTROL,
 	    if (xauth_module.verify_secret != NULL)
diff --git a/src/pluto/xauth.h b/src/pluto/xauth.h
index 277340ab0..fd7e5399f 100644
--- a/src/pluto/xauth.h
+++ b/src/pluto/xauth.h
@@ -12,17 +12,26 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: xauth.h 3252 2007-10-06 21:24:50Z andreas $
+ * RCSID $Id: xauth.h 3738 2008-04-02 19:04:45Z andreas $
  */
 
 #ifndef _XAUTH_H
 #define _XAUTH_H
 
+#include <freeswan.h>
+#include "defs.h"
+
 /* XAUTH credentials */
 
 struct chunk_t;
 
 typedef struct {
+    char *conn_name;
+    char id[BUF_LEN];
+    char ip_address[ADDRTOT_BUF];
+} xauth_peer_t;
+
+typedef struct {
     chunk_t user_name;
     chunk_t user_password;
 } xauth_t;
@@ -30,7 +39,7 @@ typedef struct {
 typedef struct {
     void *handle;
     bool (*get_secret) (xauth_t *xauth_secret);
-    bool (*verify_secret) (const char *conn_name, const xauth_t *xauth_secret);
+    bool (*verify_secret) (const xauth_peer_t *peer, const xauth_t *xauth_secret);
 } xauth_module_t;
 
 extern xauth_module_t xauth_module;